Watch out, hacked Steam accounts used as an attack vector
2.10.2016 securityaffairs Hacking

A malware researcher spotted a Reddit post warning that hacked Steam accounts are being used to spread a Remote Access Trojan (RAT).
This week the well-known malware researcher Lawrence Abrams of Bleepingcomputer.com came across a worrying message on Reddit. The Reddit user with the moniker Haydaddict was warning that compromised Steam accounts were spreading a Remote Access Trojan (RAT).

“Quinn Lobdell hacked on Steam. Please be aware if others try to send you sketchy links. Scrub Killa and Jessie affected as well.” reads the post.

The compromised accounts were used to send chat messages containing links to videomeo.pw, inviting the recipient to watch a video.


“When the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in order to watch the video.” explained Lawrence Abrams in a blog post.


The trick is simple and plays on the user’s curiosity: when the victim downloads and runs the fake Flash Player installer, apparently nothing happens, but in reality the machine has just been opened up to the attacker.

The Flash Player installer executes a PowerShell script (zaga.ps1) that downloads a 7-zip archive, 7-zip extractor, and a CMD script from a remote server (http://zahr[.]pw).

The PowerShell script then launches the CMD file, which extracts sharchivedmngr to the %AppData%\lappclimtfldr folder and configures Windows to automatically start an instance of the NetSupport Manager Remote Control Software, renamed mcrtvclient.exe, whenever the victim logs in.

When the victim logs in to the infected machine, NetSupport Manager connects to the NetSupport gateway at leyv.pw:11678 and awaits commands; at that point the attacker has complete control over the victim’s machine.

“For those who are concerned they are infected with this Steam Trojan, I suggest they check the %AppData% folder for the specified folders,” Lawrence Abrams suggests as a way to check whether a system is compromised.

Be careful every time you follow a link, and make sure you have up-to-date defenses installed.
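A triage check a defender could run on a suspect Windows host, written here as an added example (it is not the article’s code nor anything from BleepingComputer): it looks for the dropped folder, the renamed NetSupport binary and an established connection to the gateway port the article names. The Run-key and Startup-folder locations are assumptions, since the article only says the RAT is configured to start at logon.

```powershell
# Added triage script, not from the article. The indicators (folder, binary
# name, gateway port) come from the article; the autostart locations checked
# are assumptions, as the article does not say how logon persistence is set.
$folder   = Join-Path $env:APPDATA 'lappclimtfldr'
$exeName  = 'mcrtvclient.exe'
$gwPort   = 11678        # NetSupport gateway port from the article (leyv.pw:11678)
$findings = @()

# 1. Dropped folder and the renamed NetSupport Manager client inside it
if (Test-Path -LiteralPath $folder) {
    $findings += "Folder present: $folder"
    Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $exeName } |
        ForEach-Object { $findings += "Binary present: $($_.FullName)" }
}

# 2. Autostart entries that reference the binary or folder (assumed locations)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $entries = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }     # drop provider metadata members
    foreach ($e in $entries) {
        $value = [string]$e.Value
        if ($value -match [regex]::Escape($exeName) -or $value -match 'lappclimtfldr') {
            $findings += "Run entry '$($e.Name)' in $key -> $value"
        }
    }
}
$startupDir = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $startupDir -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'mcrtvclient' } |
    ForEach-Object { $findings += "Startup item: $($_.FullName)" }

# 3. Running client process and established connections to the gateway port.
#    The gateway hostname is deliberately not resolved here: a DNS lookup from
#    a possibly infected host would itself be a signal to the operator.
$clients = Get-Process -Name 'mcrtvclient' -ErrorAction SilentlyContinue
foreach ($p in $clients) { $findings += "Process running: mcrtvclient.exe (PID $($p.Id))" }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq $gwPort } |
    ForEach-Object {
        $findings += "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)"
    }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the Steam RAT report were found on this host.'
} else {
    Write-Output 'Indicators found (investigate before cleaning):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated session so the HKLM key and all connections are readable. NetSupport Manager is legitimate remote-control software, so a hit on the process name alone is a lead to triage, while the folder name and renamed binary are the distinguishing artifacts.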


August brought a flood of ransomware

1.10.2016 SecurityWorld Viruses
Check Point Software Technologies has published its latest Threat Index, according to which August saw a rise in ransomware variants and in the number of malware attacks on corporate networks.

The ranking of the countries most frequently targeted by cyberattacks was published at the same time. The Czech Republic ranked 88th in August, a drop of 12 places and a move toward the safer countries. Slovakia stayed in 77th place, as in July. Lithuania, by contrast, moved toward the more dangerous countries, from 81st to 39th. Paraguay topped the Threat Index for the second month in a row.

During August the number of active ransomware families grew by 12 percent, and the number of detected ransomware attack attempts rose by as much as 30 percent. Two thirds of all ransomware families detected moved up the threat ranking during August, most of them by at least 100 positions. According to Check Point, the growth in ransomware reflects how easy it is to deploy a variant at scale once it has been created, and is also driven by the number of organizations that would rather pay a ransom to get their critical data released.

For cybercriminals this is therefore a lucrative and attractive form of attack. For the fifth month in a row, HummingBad was the malware most commonly used to attack mobile devices, although the number of detected incidents fell by more than 50 percent.

Check Point found that the number of unique active malware families was similar to the previous month, so the use of malicious code remains at a very high level. Conficker was responsible for 14 percent of all detected attacks in August. The JBossjmx malware family accounted for 9 percent of recorded attacks, and Sality for another 9 percent. In total, the top 10 malware families were responsible for 57 percent of all identified attacks:

- Conficker: A worm that enables remote operations and malware downloads. The infected machine is controlled by a botnet and communicates with a C&C server to receive further instructions.
- JBossjmx: A worm that targets systems with a vulnerable version of JBoss Application Server installed. The malware creates a malicious JSP page on the vulnerable system that executes arbitrary commands. In addition, it creates another backdoor that accepts commands from a remote IRC server.
- Sality: A virus that allows attackers to remotely control infected systems and to download and install additional malicious code on them. Sality uses obfuscation techniques to evade detection and remain in the system for as long as possible.

Mobile malware families again posed a significant threat to corporate mobile devices in August. The three most widespread mobile malware families were:

- HummingBad: Malware that targets Android devices, establishes a persistent rootkit on the device, installs fraudulent applications and enables further malicious activity such as installing a keylogger, stealing credentials and bypassing email encryption to better capture corporate data.
- Ztorg: A trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.
- Triada: A modular backdoor for Android that grants superuser rights to download malware and inject it into system processes. Triada can also inject spoofed URLs into the web browser.

“Companies face an absurd situation with ransomware. If they do not pay the ransom, they may lose important data and valuable assets. And if they do pay, they only encourage cybercriminals to keep using this lucrative attack method,” says Nathan Shuchami, head of threat prevention at Check Point. “The number of active malware families remains very high because attackers are targeting valuable corporate data. The scale of the problem organizations face in protecting their networks from cybercriminals is compounded by the breadth of attack methods used by the various ransomware families.”

Check Point also analyzed malware in the Czech Republic, where Conficker is once again in first place.

Top 10 malware families in the Czech Republic – August 2016

Malware family / Description

Conficker

Conficker is a computer worm that targets the Windows operating system. It exploits vulnerabilities in the operating system and tries to guess the administrator password in order to spread further and build a botnet. An infection lets the attacker gain access to users’ personal data such as banking details, credit card numbers or passwords. The worm originally targeted users of communication sites such as Facebook, Skype and webmail sites.

Cryptowall

Cryptowall is a major ransomware trojan that encrypts files on the infected computer and then demands that users pay a ransom for decryption. It spreads through malicious advertising and phishing campaigns. Cryptowall first appeared in 2014.

Zeus

Zeus is a widespread trojan targeting Windows, most often used to steal banking credentials. Once a machine is infected, the malware sends information such as account credentials to the attackers through a chain of C&C servers. The trojan is also used to distribute ransomware.

Zeus was first identified in July 2007, when it was used to steal information from the United States Department of Transportation. Over the following years the malware infected hundreds of thousands of machines and became one of the largest botnets in the world. The malware was distributed mainly via email.

In October 2010 the FBI arrested more than a hundred people on charges of conspiracy to commit bank fraud and money laundering, including the suspected “mastermind” behind the whole botnet, Hamza Bendelladj, who was arrested in 2013. Today many cybercriminals use their own variants of the Zeus malware, which are usually spread through phishing and drive-by downloads.

Locky

Locky is ransomware that targets the Windows platform. The malware sends system information to a remote server and receives an encryption key with which it encrypts the files on the infected system. As ransom for unlocking the files it demands payment in the digital currency bitcoin. It also adds an entry to the registry so that it cannot be removed by restarting the system.

HackerDefender

HackerDefender is a rootkit for Windows 2000 and Windows XP that can also work on later versions of Windows NT. The rootkit modifies various Windows functions and APIs to evade detection by security software. HackerDefender is widespread because it is freely available on the Internet and easy to install.

RookieUA

RookieUA is designed to steal information. It collects user account information such as usernames and passwords and sends it to a remote server. Its HTTP communication uses the unusual user agent RookIE/1.0.

CTB-Locker

CTB-Locker is ransomware that targets the Windows platform. It encrypts all user data and demands payment for decryption. The malware is usually distributed as spam with a malicious ZIP or CAB attachment. It is most likely developed and distributed by Russian cybercriminals and is mostly sold to Russian actors as well. It is also known by other names, such as Critroni or Onion. The letters CTB in the name stand for “Curve-Tor-Bitcoin”: elliptic curve cryptography for the encryption, and Tor and Bitcoin for the anonymity of the ransom payment.

Magnitude

Magnitude EK first made headlines in October 2013, when php.net visitors were redirected to its page. It is still active today.

The infection begins with a redirect to the Magnitude landing page.

The landing page contains obfuscated JavaScript that detects vulnerable plug-ins and tries to exploit them.

Magnitude exploits vulnerabilities in Flash, Silverlight, PDF and Internet Explorer.

Hotbar

Bepush

Bepush is a malware family consisting of malicious browser extensions, most often targeting Google Chrome and Mozilla Firefox. The extensions spread through URLs on social networking sites that redirect the browser to malicious pages containing fake Adobe Flash video plug-ins or updates, which infect victims with malware. The extensions can track which pages the user has visited, redirect to malicious websites and post information on social networks in the user’s name.


37-Year-Old 'Syrian Electronic Army' Hacker Pleads Guilty in US court
30.9.2016 thehackernews Hacking

One of the FBI's Most Wanted Hackers who was arrested in Germany earlier this year has pleaded guilty to federal charges for his role in a scheme that hacked computers and targeted the US government, foreign governments, and multiple US media outlets.
Peter Romar, 37, pleaded guilty Wednesday in a federal court in Alexandria to felony charges of conspiring to receive extortion proceeds and to illegally access computers in his role as a member of the infamous hacking group calling itself the Syrian Electronic Army (SEA), the Department of Justice (DoJ) announced.
Romar was previously extradited from Germany on request of the United States.
"Cybercriminals cannot hide from justice," said U.S. Attorney Dana J. Boente for the Eastern District of Virginia. "No matter where they are in the world, the United States will vigorously pursue those who commit crimes against U.S. citizens and hold them accountable for their actions."
In March, the US charged three men it believed were involved in cyber-attacks carried out by the Syrian Electronic Army. Romar had already been arrested, while the other two - Ahmad Umar Agha (aka The Pro), 22, and Firas Dardar (aka The Shadow), 27 - were believed to be in Syria.
The FBI has also offered a reward of $100,000 for any information that leads to the arrest of Agha and Dardar, who were allegedly involved in hacking the Associated Press Twitter account in April 2013 and spreading a false rumor that the White House had been bombed and President Obama injured, which caused a temporary stock market dip.
All three SEA hackers were allegedly engaged in a long-running cyber-propaganda campaign in support of the Syrian President Bashar al‑Assad.
The group used "spear-phishing" tactics to target computer systems of the US government, foreign organizations, media outlets and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government.
Between 2011 and 2013, SEA targeted multiple entities including the Associated Press, Microsoft, Reuters, CNN, Time, The Daily Dot, The Washington Post, Vice, Human Rights Watch, E! Online, Harvard University, NASA, US Marine, and The Onion, among others.
Dardar and Romar are accused of hacking into the computer systems of businesses for their personal profit. They broke into victims’ computers and then threatened to damage the computers and delete or sell the data unless they were paid a ransom.
"If a victim could not make extortion payments to the conspiracy's Syrian bank accounts due to sanctions targeting Syria, Romar acted as an intermediary in Germany to evade those sanctions," the DoJ said.
Romar faces up to 5 years in prison and is scheduled to be sentenced on 21st October, while co-defendant Dardar still remains at large and is believed to be in Syria.


CVE-2016-6406 – CISCO reported a critical flaw in email security appliances (ESA)
30.9.2016 securityaffairs Vulnerability

Cisco issued a security advisory about a vulnerability, tracked as CVE-2016-6406, affecting the Email Security Appliance Internal Testing Interface.
Cisco Systems reported a vulnerability (CVE-2016-6406) in its email security appliances that could be exploited by a remote, unauthenticated attacker to gain complete control of the security appliance.

The vulnerability is related to the Cisco IronPort AsyncOS operating system, for which the company issued a security bulletin last week. On Wednesday the company provided a software update that fixes the issue, along with further information about it.

The flaw is tied to an internal testing and debugging interface implemented by CISCO that is accessible on the IronPort AsyncOS operating system.

“A vulnerability in Cisco IronPort AsyncOS for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to obtain complete control of an affected device. The vulnerability is due to the presence of a Cisco internal testing and debugging interface (intended for use during product manufacturing only) on customer-available software releases.” reads the security advisory issued by CISCO.

“An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an attacker to obtain complete control of an affected device with root-level privileges,” the advisory continues.


According to CISCO, the Cisco Email Security Appliances (ESA) physical and virtual devices running any of the following software releases are affected by the CVE-2016-6406 vulnerability:

9.1.2-023
9.1.2-028
9.1.2-036
9.7.2-046
9.7.2-047
9.7-2-054
10.0.0-124
10.0.0-125
CISCO explained that in order to determine whether a vulnerable version of Cisco AsyncOS Software is running on a Cisco ESA, it is possible to use the “version” command in the ESA command-line interface (CLI). The following example shows the results for a device running Cisco AsyncOS Software version 8.5.7-044:

Cisco also reported the existence of a workaround that could allow administrators to block the remote access to vulnerable email security appliances.

“The debugging and testing interface can be disabled by rebooting an affected device. In order to reboot an ESA device, issue the reboot command from the CLI. The interface will be permanently disabled and unavailable once the device has finished rebooting.” added CISCO.


CatchApp system can spy on WhatsApp encrypted communications from a backpack

30.9.2016 securityaffairs Social

The Israeli surveillance firm Wintego is offering for sale the system called CatchApp that is able to hack WhatsApp encrypted communications.
The Israeli surveillance firm Wintego is offering for sale a system that is able to hack WhatsApp encrypted communications from mobile devices within close proximity of a hidden Wi-Fi hacking device in a backpack.


The news has been reported by Forbes that obtained and published brochures of the system called CatchApp. According to the firm, CatchApp is able to intercept the WhatsApp traffic between the app and the WhatsApp server.

“Brochures leaked to FORBES, and published below, revealed a non-public offering from Haifa-based Wintego called CatchApp. It promises an “unprecedented capability” to break through WhatsApp encryption and grab everything from a target’s account.” reported Forbes.

“In theory the traffic is intercepted between the app and the WhatsApp server and somehow the encryption is decoded by the device, though that may not be possible with the latest upgrades to the software’s cryptography,” Forbes continues.

The Wintego brochure is no older than April 2015, and the anonymous source who provided the documents to FORBES confirmed that the product works on the most current versions of WhatsApp.

The CatchApp feature can be delivered from Wintego’s WINT Cyber Data Extractor that fits into a backpack.

In reality, the WINT hacking device is a complete surveillance system that could allow attackers to extract the entire contents of the targets’ mobile device, including email accounts, chat sessions, social network profiles, detailed contact lists, calendars, photos, web browsing activity, files, and much more.

The WINT Cyber Data Extractor is able to overcome “the encryption and security measures of many web accounts and apps” to grab those credentials.

WINT gains access to a device by intercepting its Wi-Fi communications, even when the device is connected to a private encrypted network. It is able to track multiple devices by using four separate Wi-Fi access points.

Security experts have doubts about the real capabilities of CatchApp; they consider it impossible to break the end-to-end encryption implemented by the popular messaging system.

The popular expert Jonathan Zdziarski believes the CatchApp tech is exploiting security vulnerabilities in the Secure Sockets Layer (SSL) encryption.

“I suspect they’re taking advantage of a number of vulnerabilities in SSL implementations… many systems are susceptible to downgrade attacks and other types of MITMs.”

The well-known cryptography expert Matthew Green hypothesized that CatchApp is malware that uses Wi-Fi connections as the attack vector to target WhatsApp, but that in any case it cannot break WhatsApp’s cryptography.

“They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point.” Matthew Green told FORBES.

“I would bet mundanely the password stuff is just plain phishing. You go to some site, it asks for your Google account, you type it in without looking closely at the address bar.”

“But the WhatsApp stuff manifestly should not be vulnerable like that. Interesting.”

Wintego is only one of the numerous highly-secretive surveillance firms that sell solutions that could be used to spy on victims, but that in the wrong hands could represent a serious threat for netizens.


Mozilla plans to ban the Chinese CA WoSign due to trust violations
30.9.2016 securityaffairs Security

Mozilla is at the point of banning Chinese certificate authority WoSign due to a number of severe violations that could impact Internet users.
Mozilla is at the point of banning Chinese certificate authority WoSign due to a number of violations, including backdating SHA-1 certificates in order to circumvent the deprecation of such certificates from the trust store.

According to a report published by Mozilla on Monday, WoSign failed to report its acquisition of SmartCom and has also been accused of mis-issuing digital certificates for GitHub, allowing arbitrary domain names to be securely signed without ever performing any type of validation.

“Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” the report published by Mozilla reads, adding: “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.”
In order to avoid impacting existing users, Mozilla has said that they will only distrust newly issued certificates as both CAs have to date issued a large number of certificates.

“Mozilla believes that continued public trust in the correct working of the CA certificate system is vital to the health of the Internet, and we will not hesitate to take steps such as those outlined above to maintain that public trust,” Mozilla said. “We believe that the behavior documented here would be unacceptable in any CA, whatever their nationality, business model or position in the market.”


SHA-1 has been long considered a weak algorithm and most of the major players in the browser market are taking steps to phase out its integration.

Microsoft looks poised to phase out the outdated algorithm on their Edge and Internet Explorer products in February of next year, with Mozilla’s Firefox and Google’s Chrome browsers not trusting any SHA-1 certificates with a notBefore date of January 1st 2016.

Mozilla commented that unscrupulous Certificate Authorities could backdate their certificates in order to bypass this restriction, something WoSign was found to have done for 62 certificates issued in 2016.

Mozilla’s investigation found that a number of certificates carried an issue date of December 20th 2015, a Sunday, which contradicts WoSign’s usual pattern of issuing certificates on working days.

“We think it is highly unlikely that WoSign employees decided to go to work on that particular Sunday for a marathon 24-hour period and approve an unprecedented number of Type Y certificate requests,” Mozilla said. “We think it is more plausible that for those certificates, the notBefore date does not reflect the actual date of certificate creation, and that these certificates were created in 2016 (or the last day of 2015) and back-dated.”


Attackers on Facebook steal page administrators’ login credentials and payment card numbers

30.9.2016 SecurityWorld Social networks
According to findings by Eset, the fraudulent activity has affected Facebook pages in both the Czech Republic and Slovakia.

Analysts at Eset have detected fraudulent activity on Facebook that targets page administrators. The attackers focus on Czech and Slovak company and fan profiles. Their administrators are warned that the account has been flagged as suspicious by other users and must be restored. The fake warning, however, also contains a link to a form through which the attacker collects the victims’ login credentials and payment card numbers.

“If a Facebook page administrator clicks on this link, a series of steps awaits them in which the attackers try to get them to enter their login credentials, answer a security question and enter their payment card details. Once submitted, all of that data goes straight to the attacker,” explains Miroslav Dvořák, technical director at Eset. “The attacker does all this under the banner of a Facebook group called Security, which gives the victim the impression that it is an official warning,” adds Dvořák.

The attackers contact administrators by sharing statuses of selected pages and adding the warning text to them. Only the administrators of those pages see this information, in the notification that someone has shared their status. Ordinary fans of the targeted pages are therefore not the attacker’s primary target.

“The attacker’s motivation may be money from the payment cards, or selling a hijacked Facebook page with a large number of fans to which the administrator has lost access. Groups with many members can be used to spread spam, advertising or hoaxes, that is, alarming false reports, as we already reported in the case of fake ads for discounted Ray-Ban glasses,” concludes Dvořák.

How administrators of company and fan pages on Facebook should protect themselves:

Do not click on suspicious links in Facebook messages, comments and shared posts. If you have already clicked on such a link, do not enter passwords, personal data or payment card details into it. Use common sense.
Facebook page administrators can have different levels of permissions. If the group of people managing your Facebook page is large, restrict the permissions of its members.
Do not forget to protect every device you use to manage your Facebook page. If you have already lost control of your Facebook page, contact Facebook via facebook.com/hacked.


Multiple Backdoors found in D-Link DWR-932 B LTE Router
29.9.2016 thehackernews Vulnerability

If you own a D-Link wireless router, especially the DWR-932 B LTE router, you should get rid of it rather than wait for a firmware upgrade that is unlikely to arrive any time soon.
D-Link DWR-932B LTE router is allegedly vulnerable to over 20 issues, including backdoor accounts, default credentials, leaky credentials, firmware upgrade vulnerabilities and insecure UPnP (Universal Plug-and-Play) configuration.
If successfully exploited, these vulnerabilities could allow attackers to remotely hijack and control your router, as well as network, leaving all connected devices vulnerable to man-in-the-middle and DNS poisoning attacks.
Moreover, your hacked router can be easily abused by cybercriminals to launch massive Distributed Denial of Service (DDoS) attacks, as the Internet has recently witnessed record-breaking 1 Tbps DDoS attack that was launched using more than 150,000 hacked Internet-connected smart devices.
Security researcher Pierre Kim has discovered multiple vulnerabilities in the D-Link DWR-932B router, which is sold in several countries to provide Internet access over an LTE network.
Telnet and SSH Backdoor Accounts
While penetration testing, the researcher found that D-Link wireless router has Telnet and SSH services running by default, with two hard-coded secret accounts (admin:admin and root:1234).
Attackers need only these credentials to gain command-line shell access to vulnerable routers, which lets them perform man-in-the-middle attacks, monitor Internet traffic, run malicious scripts and change router settings.
Another Backdoor
If this isn’t enough, the D-Link DWR-932B LTE router has another secret backdoor: sending the hard-coded string "HELODBG" to UDP port 39889 launches a Telnet daemon running as root, without any authentication.
Vulnerable WPS System
Default WPS PIN:
You may have seen a small push button on your router labeled WPS, which stands for Wi-Fi Protected Setup, a 'so-called' security feature that allows anyone to connect to your wireless network with a PIN instead of your actual Wi-Fi password.
Bingo! The PIN for the WPS system on these D-Link routers is '28296607', which is hard-coded in the /bin/appmgr program.
Weak WPS PIN Generation:
Users can also temporarily generate a new WPS PIN using the router's administrative web interface, but unfortunately the PIN generation algorithm is flawed and so weak that an attacker can easily predict it.
Remote Firmware-Over-The-Air
Now, if you hope that a firmware upgrade will land soon and save you from these issues, then you are wrong.
It's because the D-Link's remote firmware over-the-air (FOTA) update mechanism is also vulnerable.
The credentials to contact the FOTA server are hard coded in the /sbin/fotad binary. The user/password combinations are qdpc:qdpc, qdpe:qdpe and qdp:qdp.
"It's notable the FOTA daemon tries to retrieve the firmware over HTTPS. But at the date of the writing, the SSL certificate for https://qdp:qdp@fotatest.qmitw.com/qdh/ispname/2031/appliance.xml is invalid for 1.5 years," Kim writes.
Security Removed in UPnP
Because of the security risks involved, there are usually restrictions in place to prevent untrusted LAN clients from adding new firewall rules.
However, the vulnerable D-Link router's configuration file places no restriction on UPnP permission rules, allowing anyone on the LAN to add their own port-forwarding rules from the Internet to other clients located in the LAN.
"An attacker can add a forwarding rule in order to allow traffic from the Internet to local Exchange servers, mail servers, ftp servers, http servers, database servers," Kim writes. "In fact, this lack of security allows a local user to forward whatever they want from the Internet into the LAN."
There are more security issues surrounding the vulnerable router, but Kim points out that the router with a big processor, sizable memory (168 MB) and good free space (235 MB) is so badly secured that it would be trivial for attackers to use this router as an attack vector.
Kim privately reported the security flaws to the Taiwan-based networking equipment manufacturer D-Link in June and received no update from the company. So, he went public with details of the vulnerabilities after obtaining CERT's advice.


Russian hackers spy on Citizen Journalists investigating on Flight MH17 Crash
29.9.2016 securityaffairs Hacking

Researchers at the Bellingcat agency have been hit with spear phishing attacks and account takeover attempts while investigating flight MH17 crash.
Once again cyber security experts warn of a new hacking campaign, this time targeting citizen journalists investigating the crash of Malaysia Airlines flight MH17. According to the intelligence firm ThreatConnect, reporters from the Bellingcat agency have been targeted by spear phishing messages and have suffered account takeover attempts for over a year.

The Bellingcat agency is known for its uncomfortable investigations into powerful governments and organizations worldwide.

Yesterday Reuters reported that Malaysian flight MH17 was downed by a Russian-made missile launched by pro-Russian rebels.

“Malaysia Airlines flight MH17 was shot down by a missile fired from a launcher brought into Ukraine from Russia and located in a village held by pro-Russian rebels, international prosecutors said on Wednesday.” states the post published by Reuters. “The conclusions were based on thousands of wiretaps, photographs, witness statements and forensic tests during more than two years of inquiries into an incident which led to a sharp rise in tensions between Russia and the West.”

ThreatConnect, which investigated the attacks, speculates that the threat actors have strong ties to the Russian Government and that they targeted the group of citizen journalists for publishing articles critical of Moscow.

Data shared by the Bellingcat’s founder Eliot Higgins indicates the involvement of at least two Russian nation-state groups.

Experts from ThreatConnect point to the involvement of the dreaded Fancy Bear APT group, which has been in the headlines for the attacks against the systems and people involved in the US Presidential election.

“Following our post on DCLeaks as a Russian influence operation, Bellingcat founder Eliot Higgins reached out to us. Bellingcat, a group of citizen investigative journalists, has published articles critical of Russia and has been a key contributor to the international investigation of the shootdown of Malaysian Airlines Flight 17 (MH17) over Ukraine in 2014.” states the report published by ThreatConnect.

“Higgins shared data with ThreatConnect that indicates Bellingcat has come under sustained targeting by Russian threat actors, which allowed us to identify a 2015 spearphishing campaign that is consistent with FANCY BEAR’s tactics, techniques, and procedures.”

According to the experts, the Bellingcat’s agency became a target of the Russian Fancy Bear APT after its reporters investigated the shooting down of the Malaysian Airlines Flight 17 (MH17) occurred in 2014.

The second group behind the attacks is CyberBerkut, a collective of pro-Russian Ukrainian hackers.

The state-sponsored hackers targeted three Bellingcat researchers with a spear phishing campaign between February 2015 and July 2016 for intelligence purposes.

Figure: timeline of the Fancy Bear attacks against Bellingcat

The attackers used messages themed as Gmail security notices in an attempt to trick victims into clicking on the embedded links, but according to ThreatConnect the attacks failed.

“These spearphishing attempts consist of a variety of spoofed Gmail security notices alerting the target that suspicious activity was detected on their account. The target is prompted to click a URL resembling a legitimate Gmail security link to review the details of this suspicious activity.” continues the post.


The report also analyzes activities conducted by CyberBerkut, which defaced Bellingcat’s website earlier this year and compromised the email account of the opposition blogger Ruslan Leviev.

ThreatConnect speculates that Leviev’s email account, hosted by the Russian service provider Yandex, was compromised either with the support of an employee of the company or by Russian intelligence; alternatively, the attackers may have exploited a zero-day in the Yandex service.

“Leviev published a compelling piece of citizen journalism on May 22, 2015 exploring the fate of Russian Spetsnaz soldiers believed to have been killed in combat operations within Ukraine earlier that month. According to Bellingcat founder Higgins, Leviev’s contributor account was compromised and used to post the CyberBerkut message. In an email interview, Leviev makes the following statement regarding the events that led to the compromise of his credentials and the defacement.” continues the analysis.

“In my case, my old email account, which was located on Yandex servers, was hacked. The email account had a long, difficult password, not a word, from various letters, numbers, and special symbols. Plus there was a telephone number bound to the account for second factor authentication.

Exactly how it was hacked — I don’t know.

Either they as employees, or with their active assistance, intercepted the SMS authentication code.
Or they, again, as an officer from the authorities or with their active assistance, gained direct access to the Yandex Mail servers where they seized the email from my old inbox.
Or they know about a vulnerability in Yandex email that nearly nobody else knows about.”

At the time of writing, the relationship between Fancy Bear and CyberBerkut is still unclear.

This isn’t the first time that Russian hackers have operated to gather sensitive information on the Flight MH17 crash: in October 2015, according to Trend Micro, the Pawn Storm APT group (aka Fancy Bear) targeted the Dutch Safety Board to gather information regarding the status of the investigation.

“The Dutch Safety Board (known as Onderzoeksraad) became a target of the cyber-espionage group before and after the safety board published their detailed report on the MH17 incident on October 13, 2015. We believe that a coordinated attack from several sides was launched to get unauthorized access to sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities.” reported Trend Micro.


TeamXRat: Brazilian cybercrime meets ransomware
29.9.2016 Kaspersky Virus
Brazilian cybercriminals are notorious for their ability to develop banking trojans, but now they have started to focus their efforts on new areas, including ransomware. We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people, encrypting their files using the extension “.___xratteamLucked” and demanding a ransom.

The Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a Hospital in Brazil that had fallen victim to this Ransomware family.

Actually, this is not the first ransomware to come out of Brazil. In the past, we investigated TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal. We also saw a lot of copycats use HiddenTear in local attacks. Trojan-Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and misconfigurations.

In this post, we’ll explain this new Ransomware family and how Brazilian coders are creating new ransomware from scratch.

The group behind the attack

The group identifies itself as “TeamXRat” and “CorporacaoXRat” (which translates from Portuguese to English as “CorporationXRat”).

Their first ransom trojan used a simple XOR-based encryption, as described by some victims here (most of the victims are from Brazil). The new version of the Xpan ransomware shows that the cybercriminals behind it have improved the code to make it more complex, also switching the encryption scheme.

The ransom texts used by the group are written in Brazilian Portuguese. The messages do not state how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoin). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg (for example corporacaoxrat@mail2tor.com, xRatTeam@mail2tor.com and xratteam@email.tg), providing the public key used by the ransomware to encrypt the files. Older versions of this ransomware also used accounts on another email service, Protonmail, such as corporacaoxrat@protonmail.com, which is now deactivated.

When the victim gets in touch with the group, they start to negotiate the ransom payment. All communication is in Portuguese and they request 1 BTC (about 603 USD) to decrypt the files. The group also claims that the payment is a “donation”, arguing that “they exploited flaws in your system and carried out the attack in order to make sure you increase your security”. Finally, the cybercriminals also offer to decrypt one file for free:

“For me only the ‘donation’ is important. Not your files. If your files are important to you, I advise you to make the donation; otherwise, you’ll lose all your files”

Xpan, how it works

The sample is UPX packed. Once executed, it checks the default language of the infected system, stored in the following registry key: HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE

In addition, it is able to query the local time and obtain the computer name from the registry, using several commands such as net.exe, sc.exe and taskkill.exe. Interestingly, it also deletes any proxy setting defined in the system, located in: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP.

Since the targets are companies and corporations, which may use proxies that block access to certain web resources, it is highly probable that this technique is used to “set the victim free” to email the attackers or access Bitcoin resources online.

After completing its execution, the ransomware displays the following image on the affected system:

“All your files were encrypted using a RSA 2048 bits encryption”

The sample is written in C++, uses STL and is built as a console application. Throughout its execution it logs all its actions to the console, only to clear it once the encryption process has finished.

The operation of this malware is ‘guided’ by a configuration data block stored inside the body of the Trojan:

Decrypted configuration block

The configuration contains the following details:

Drive letters which will be processed;
Blacklisted substrings: the files whose path contain any of these strings will not be encrypted;
Ransomware text message for the victim;
Extension of the encrypted files (in this case, .____xratteamLucked);
Name of the file with ransom notes;
Console commands to be executed prior to the process of file encryption;
Console commands to be executed after the encryption;
A public RSA-2048 key in the MSBLOB format.

Part of the pseudocode of the main procedure

From Xorist to Xpan

A previous ransomware sample believed to be part of the TeamXRat campaign used a simple encryption algorithm known as TEA (Tiny Encryption Algorithm). Comparing this original version (dubbed Xorist) against the new Xpan variant, we observed that they are now using an AES-256 encryption scheme.

Xorist ransomware TEA constant

Xpan ransomware has now evolved to use AES-256 encryption

Xorist vs Xpan:

Persistence
  Xorist: automatically starts when the user logs in, using the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Xpan: no persistence used

Encryption algorithm
  Xorist: Tiny Encryption Algorithm
  Xpan: AES-256

Language / toolchain
  Xorist: ASM, MS Linker
  Xpan: C++, MinGW compiler

Files targeted
  Xorist: includes a list of file extensions that are to be encrypted
  Xpan: encrypts everything except .exe and .dll files and files with blacklisted substrings in the path

The developers have clearly shifted their development procedures in the Xpan malware. It is typical for cybercriminals to evolve their techniques once a decryption method has been found for their ransomware, or once a specific variant is widely detected.

List of file extensions that Xorist ransomware will search and encrypt

File Encryption

The trojan uses the implementation of cryptographic algorithms provided by MS CryptoAPI. The files are encrypted by AES-256 in CBC mode.

There are two known versions of this trojan, which can be distinguished by their extensions. The first one uses “___xratteamLucked” (three ‘_’ symbols) and the second one “____xratteamLucked” (four ‘_’ symbols).

These two versions employ different techniques to encrypt the files, which we describe in more detail below.

Version 1 (3 ‘_’ symbols in the extension)

The trojan generates a single 255-symbol password for all files. This password is encrypted by RSA-2048 and put into the ransom note (concatenated with the public key). Then the trojan produces a 256-bit key from this password using the API CryptDeriveKey; this key will be used to encrypt all files.

When processing each file, the malware adds the string ‘NMoreira’ to the beginning of the original file and encrypts the file content by 245-byte blocks using the AES-256 algorithm in CBC mode. Each block is additionally XOR’ed with a random byte which is stored before the padding of the corresponding block.

Version 2 (4 ‘_’ symbols in the extension)

For each file, the trojan generates a new 255-symbol password, encrypts this password by RSA-2048 and puts this data into the beginning of each encrypted file. Then, the trojan produces a 256-bit key from this password using the API CryptDeriveKey, and uses this key to encrypt the original file content (AES-256 CBC).

File search and encryption are carried out by multiple threads, each thread processing its own disk.

Ransomware in action: console output listing the encrypted files

After encryption is completed, the malware changes the desktop wallpaper and displays the following file with the ransom note:

The ransom note, in Portuguese

Before encrypting the data on the affected system, the ransomware executes the following commands to stop popular database services, so that the database files (which a running service would otherwise keep locked) are encrypted as well, causing greater damage to the victim:

echo Iniciando pre comandos

echo Parando Firbird
sc config FirebirdServerDefaultInstance start=disabled
taskkill /IM fb_inet_server.exe /F
net stop FirebirdServerDefaultInstance

echo parando SQL SERVE

taskkill /IM sqlservr.exe /F
sc config MSSQLSERVER start=disabled
sc config MSSQL$SQLEXPRESS start=disabled
net stop MSSQLSERVER
net stop MSSQL$SQLEXPRESS

echo parando poostgree
taskkill /IM pg_ctl.exe /F
sc config postgresql-9.0 start=disabled
net stop postgresql-9.0

After the execution, the ransomware deletes itself from the system, to remove the original infector:

@echo off
goto Delete
:WaitAndDelete
@timeout 5
:Delete
@del "path\sample_name.exe"
if exist "path\sample_name.exe" goto WaitAndDelete
@del %0

After the encryption has finished, the trojan modifies the registry to add a custom handler for the action of double-clicking on any of the encrypted files. As a result, when the victim clicks on a file with the extension “.____xratteamLucked”, the command stored in the registry is executed, and this command shows the ransom note in a new window using msg.exe (a standard utility that is part of the Windows distribution).

Windows Registry modified by the ransomware

How they attack

Most TeamXRat attacks are performed manually, installing the ransomware on the compromised server. To get there, the attackers brute-force RDP (Remote Desktop Protocol) credentials. Connecting remote desktop servers directly to the Internet is not recommended and brute-forcing them is nothing new; but without the proper controls in place to prevent, or at least detect and respond to, compromised machines, brute-force RDP attacks are still relevant and something that cybercriminals enjoy. Once the server is compromised, the attacker manually disables the antivirus product installed on the server and proceeds with the infection itself.
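The two stages described in this write-up, an RDP brute-force burst followed by the database-shutdown commands the ransomware runs before encryption, lend themselves to a simple correlation rule. The following Python sketch is an added example, not Kaspersky's code: the log line format, the source IPs and the event lines are constructed for the example, while the service and process names come from the batch commands quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service names and process images from the pre-encryption batch commands
# quoted in the write-up above.
DB_SERVICES = {"firebirdserverdefaultinstance", "mssqlserver",
               "mssql$sqlexpress", "postgresql-9.0"}
DB_IMAGES = {"fb_inet_server.exe", "sqlservr.exe", "pg_ctl.exe"}
# The three command shapes the ransomware uses to take databases down.
_SC_RE = re.compile(r"^\s*sc\s+config\s+(\S+)\s+start=\s*disabled\s*$", re.I)
_STOP_RE = re.compile(r"^\s*net\s+stop\s+(\S+)\s*$", re.I)
_KILL_RE = re.compile(r"^\s*taskkill\s+/IM\s+(\S+)\s+/F\s*$", re.I)
# Simplified line format used only by this example (not a real Windows log
# format): <ISO time> <event id> key=value key="quoted value" ...
_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one log line into a dict; unparseable lines give None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts, eid, rest = m.groups()
    ev = {"time": datetime.fromisoformat(ts), "id": int(eid)}
    for key, val in _KV_RE.findall(rest):
        ev[key.lower()] = val.strip('"')
    return ev


def rdp_bruteforce_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed RDP logons (4625, LogonType 10) in
    one sliding window, mapped to whether a successful RDP logon (4624)
    from the same IP followed the burst."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("logontype") == "10" and ev["id"] in (4624, 4625):
            (fails if ev["id"] == 4625 else successes)[ev["src"]].append(ev["time"])
    hits = {}
    for src, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                hits[src] = any(s > times[j - 1] for s in successes.get(src, []))
                break
    return hits


def db_shutdown_commands(events):
    """(time, user, target) for Sysmon process-creation events (id 1) whose
    command line disables, stops or kills one of the targeted databases."""
    found = []
    for ev in events:
        if ev["id"] != 1:
            continue
        for rx, allowed in ((_SC_RE, DB_SERVICES), (_STOP_RE, DB_SERVICES),
                            (_KILL_RE, DB_IMAGES)):
            m = rx.match(ev.get("cmd", ""))
            if m and m.group(1).lower() in allowed:
                found.append((ev["time"], ev.get("user", "?"), m.group(1)))
    return found


def assess(log_text, min_db_hits=3):
    """Correlate both stages: a brute-force burst that ended in a successful
    RDP logon, followed by at least min_db_hits database-shutdown commands."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    brute = rdp_bruteforce_sources(events)
    db_cmds = db_shutdown_commands(events)
    compromised = sorted(src for src, logged_in in brute.items() if logged_in)
    return {"bruteforce_sources": sorted(brute),
            "successful_sources": compromised,
            "db_shutdown_count": len(db_cmds),
            "alert": bool(compromised) and len(db_cmds) >= min_db_hits}


def build_sample_log():
    """Constructed sample, not a real capture: 12 RDP failures from one IP in
    two minutes, a success, one benign failure elsewhere, then the ransomware's
    pre-encryption commands plus one unrelated 'net stop' 23 minutes later."""
    base = datetime(2016, 9, 20, 2, 0, 0)

    def at(**offset):
        return (base + timedelta(**offset)).isoformat()
    lines = [f"{at(seconds=10 * i)} 4625 src=203.0.113.45 user=administrator "
             "logontype=10" for i in range(12)]
    lines.append(f"{at(minutes=3)} 4624 src=203.0.113.45 user=administrator logontype=10")
    lines.append(f"{at(minutes=4)} 4625 src=192.0.2.10 user=jsilva logontype=10")
    cmds = ["sc config FirebirdServerDefaultInstance start=disabled",
            "taskkill /IM fb_inet_server.exe /F", "net stop FirebirdServerDefaultInstance",
            "taskkill /IM sqlservr.exe /F", "sc config MSSQLSERVER start=disabled",
            "sc config MSSQL$SQLEXPRESS start=disabled", "net stop MSSQLSERVER",
            "net stop MSSQL$SQLEXPRESS", "taskkill /IM pg_ctl.exe /F",
            "sc config postgresql-9.0 start=disabled", "net stop postgresql-9.0",
            "net stop Spooler"]
    for i, cmd in enumerate(cmds):
        lines.append(f'{at(minutes=23, seconds=i)} 1 user=administrator cmd="{cmd}"')
    return "\n".join(lines)
```

Feeding real Security and Sysmon events into the same functions only requires adapting parse_event to the export format in use; the thresholds are deliberately conservative so that a single mistyped password does not trip the rule.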

We are also aware that vulnerabilities such as MS15-067 and MS15-030 in RDP, which allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system, can be used by cybercriminals if a server is unpatched and exposed to attacks.

As we saw in the recent xDedic research, vulnerable servers with exposed RDP connections are very valuable assets in the hands of cybercriminals. Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal.

xDedic: compromised Brazilian RDP servers were available in the underground market

Decryption: we can help!

If the victim pays the ransom, the cybercriminals will send this tool to decrypt the files:

Decryption tool sent by the bad guy after payment

But the good news is that the Kaspersky Anti-Ransom team was able to break the encryption used by the Xpan Trojan. This made it possible to decrypt the files of a hospital in Brazil that was hit by this ransomware family.

If you’re a victim of this new Ransomware family and need help to decrypt your files, please DON’T PAY the ransom. Instead, contact us via support.

Conclusion

As we can see, Brazilian bad guys are now diversifying their “business” with new ransomware families developed from scratch, abandoning older versions that used XOR encryption and adopting new, more robust encryption algorithms. This is a clear signal that they have started to explore new schemes with new targets and newer types of attacks.

As we forecast at the beginning of this year, we expect ransomware attacks to gain ground on banking trojans and to transition to other platforms. Ransomware has two advantages over traditional banking threats: direct monetization using an anonymous payment system (usually Bitcoin), and a relatively low cost per victim. Certainly, this is very attractive to Brazilian crooks, well known for their banking trojan development. Brazilian law enforcement is very good at catching criminals (although they are not always convicted and imprisoned) by “following the money”, something that we know is not entirely possible for Bitcoin payments.

We detect this new threat as Trojan-Ransom.Win32.Xpan.a and PDM:Trojan.Win32.Generic.

We’ll keep an eye out for new variants, which will surely appear from the same or other threat actors.

MD5 reference: 34260178f9e3b2e769accdee56dac793


Apple Tracks Who You're Chatting Using iMessage — and Shares that Data with Police
29.9.2016 thehackernews Apple
Chatting with a friend on iMessage and thinking your conversations are safe and out of reach of anyone other than the two of you? Think again.
End-to-end encryption doesn't mean that your iMessages are secure enough to hide your traces, because Apple not only stores a lot of information about your iMessages that could reveal your contacts and location, but also shares that information with law enforcement via court orders.
According to a new document obtained by The Intercept, Apple records a log of which phone numbers you typed into your iPhone for a message conversation, along with the date and time when you entered those numbers as well as your IP address, which could be used to identify your location.
In fact, every time a user types a phone number into their iPhone for a message conversation, iMessage contacts Apple servers to find out whether to route a given message over the iMessage system.
"Apple records each query in which your phone calls home to see who's in the iMessage system and who's not," The Intercept reports.
Moreover, the company is compelled to turn over this information to law enforcement with a valid court order — generally "pen registers" or "tap and trace devices" warrants that are very easy to obtain.
Pen register warrants are routinely used to compel telephone companies to provide metadata about customers' phone calls to law enforcement.
Apple Logs Your IP Address (Location)
But it’s surprising that Apple, which has positioned itself as a staunch defender of its users' privacy by refusing federal officials' demands for encryption backdoors into its products, hands over its users' iMessage contact information under such warrants.
The report also points out that keeping logs of users' IP addresses, which could be used to reveal one’s actual location, is contrary to Apple's 2013 claim that the company "do not store data related to customers' location."
The Intercept obtained the document, titled 'iMessage FAQ for Law Enforcement,' about Apple's iMessage logs as part of a much larger cache originating from within a state police agency, "The Florida Department of Law Enforcement's Electronic Surveillance Support Team."
The team facilitates mass data collection for law enforcement using controversial tools such as Stingrays, along with conventional techniques like pen register and tap and trace device warrants.
Although your iMessages are end-to-end encrypted, it doesn’t mean that all Apple users enjoy the company's so-called privacy benefit.
If you have enabled iCloud Backup on your Apple devices to keep a backup of your data, copies of all your messages, photographs and other important data stored on your device are encrypted on iCloud using a key controlled by Apple, not by you.
So Apple can still read your end-to-end encrypted iMessages, if it wants to.
Even if you trust the company not to provide your decrypted data to law enforcement (just don't forget the San Bernardino case, in which Apple helped the FBI with the iCloud backup of the shooter's iPhone), anyone who breaks into your iCloud account could see your personal and confidential data.
Apple Deliberately Weakens Backup Encryption
Fortunately, it is possible to store your backups locally through iTunes, though it is not such an obvious choice for an average user.
What's even worse is that a recent issue in local password-protected iTunes backups weakens the encryption strength of backups of devices on iOS 10, allowing attackers to brute-force the password for a user's local backup 2,500 times faster than was possible on iOS 9.
Apple has already confirmed that the issue exists and that a fix will be included in an upcoming update.
However, in response to the latest report about iMessage logs, Apple provided the following statement:
"When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place."
The Florida Department of Law Enforcement still has to comment on the matter.


Necurs botnet: the resurrection of the monster and the rising of spam
29.9.2016 securityaffairs BotNet

Necurs botnet, the monster is resurrected: banking Trojans and ransomware propagated via spam are bringing back the high-volume spam campaign.
Botnets are like monsters that resurface after a period of inactivity; this time the monster is the dreaded Necurs botnet. The Necurs botnet is one of the world’s largest malicious infrastructures, used to spread dangerous threats, and it had vanished since June 1.

The Necurs botnet was used by crooks to deliver the Dridex banking malware and the dreaded Locky ransomware; after it went quiet, many security experts wondered whether it had come to an end.

“We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet,” Joonho Sa, a researcher for FireEye confirmed to Motherboard.

When it was first spotted in early 2015, experts classified the malicious infrastructure used to spread the threat as highly complex and efficient, “a masterpiece of criminality.”


In October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, took down the botnet, but it later resurrected and was used mainly to spread the Locky ransomware. Experts called it Necurs and confirmed it was the world’s largest botnet.

Back to the present, it’s like watching a sequel to a monster movie in which the monster actually comes back to life. Normally a sequel is made for profit, and in the case of botnets too, these monsters are brought back to life for the same reason.

Consider the recent increase in spam volumes. Before 2016 an average of 200K IP addresses were listed on the SpamCop Block List; just this year the list has doubled to 400K IP addresses, even spiking to 450K. Yes, we might be seeing a sequel to an old monster flick.

The operators are reviving the obsolete tactic of high-volume spam, which updated spam filters now block well. Sending a huge amount of spam in a short interval had largely been replaced by stealthier tactics, but the operators behind the Necurs botnet have shifted their approach from persistence to speed. To shed better light on the situation, consider spam filters as automatic jail doors and spam messages as convicts trying to escape: the idea is to use the small delay before the doors close to push through as many convicts as possible. In this case, the convicts that make it through are emails that can land malware payloads on the targets.

Experts from Cisco Talos published an interesting analysis of the “Rising Tides of Spam” attributed to the operators of malicious infrastructures like the Necurs botnet.

“This year, 2016, has seen overall spam volumes creep back up to a level that we have not seen for a very long time. I present to you “Exhibit A”: The ten year volume graph from the Composite Block List (CBL). According to CBL, the last time spam volumes were this high was back in mid-2010.” states the blog post published by the Talos team.


It seems that short-term campaigns are giving the attackers a better return.

The Lurk takedown has also brought extra prey to the attackers behind the Necurs botnet, and it has been a win-win for them ever since. Since the campaign has been profitable for the attackers, researchers caution that the attack model may be copied by other botnet operators.

“Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack” explained the Talos Team.

Hence monster movie reboots and sequels are in the forecast. The question is: are you buying tickets, or preparing your spam protection mechanisms?


Why does Apple log your iMessage contacts and other metadata?
29.9.2016 securityaffairs Apple

Every time you type a number to start an iMessage conversation on your iPhone, Apple logs your message contacts and other metadata.
In January 2015, experts claimed that Apple is not able to read messages sent between devices through iMessage, but reported that the company is still able to access data in the backups.

Apple has always confirmed that attackers cannot eavesdrop on iMessage conversations, but according to a document obtained by The Intercept there is something that users should know.

According to the document, Apple logs contacts’ phone numbers and shares them, along with other metadata, with law enforcement.

The Intercept received the document, titled “iMessage FAQ for Law Enforcement,” as part of a cache originating from within the Florida Department of Law Enforcement’s Electronic Surveillance Support Team. Neither the author of the document nor its final audience is known; it is designated for “Law Enforcement Sources” and “For Official Use Only.”

When Apple users type a number to start a text conversation, the Messages app contacts the company’s servers to determine whether to route a given message over the SMS system or over Apple’s proprietary messaging network.

“Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document.” states The Intercept website. “Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.”


The log includes the date and time of the conversation and the user’s IP address, information that could allow the user’s location to be identified. The IT giant is compelled to turn over this data via court orders for systems known as “pen registers” or “trap and trace devices.”

Apple told The Intercept that it retains these logs for only 30 days, but court orders can extend this by additional 30-day periods.

Below is the official statement from Apple:
“When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place.”

As explained in the document, and confirmed by Apple, the company is not able to access the content of the conversations, but why does the company retain these logs?


Yahoo looks for a culprit behind a data breach of giant proportions: foreign states?

29.9.2016 SecurityWorld Crime
The company blamed the recent massive data breach (500 million affected users) on a “state-sponsored actor”. It did not say, however, how it reached that conclusion, nor did it provide any evidence.

Some security experts wonder why Yahoo is not providing details about the leak of personal information and is barely answering questions.

“Something strange is going on here,” says Michael Lipinski, chief security analyst at Securonix.

Yahoo did not respond to a request for comment. The company has protocols that can detect state-sponsored hacking of user accounts. In a blog post from December 2015 the company outlined its security policy and wrote that in such a situation it would warn its users.

“To prevent attackers from discovering our detection methods, we will not publicly provide any details about these attacks,” the company’s chief security officer Bob Lord wrote at the time. He added that the company would send users a warning of a possible attack only “when we are practically certain.”

Blaming state-sponsored hackers during a highly publicized data breach may, however, be just a convenient and unverifiable way to protect oneself against legal action as well as reputational damage.

“If I wanted to cover my back and look like I had a believable excuse, state-paid hackers would be my first choice,” thinks Chase Cunningham, director of cyber operations at the security firm A10 Networks.

State-paid hackers are seen as unstoppable and among the best in the world, he added. Cunningham himself looks for the culprit among cybercriminals rather than an elite group of state-backed hackers.

“This simply doesn’t smell like state activity,” he says. “Governments are interested in intellectual property. The emails and passwords of Yahoo users are useless to them.”

Yahoo may, however, also be withholding information because of Verizon, which has agreed to buy it for 4.8 billion US dollars.

“I’m not sure the acquisition will go through now,” says Lipinski. The transaction could cost Verizon more money if it also has to deal with the consequences of the breach.

“Blaming it on a state-sponsored actor may help them (Yahoo),” he believes. “They can say ‘it’s not our fault, insurance will cover it.’”

Although Yahoo has not provided much evidence, some security experts believe its claims. They consider state-sponsored hackers quite realistic attackers; one of the governments might be interested in, for example, the email accounts of human rights activists.

Another possibility is that the breach is the work of an employee or close associate of the company who is in fact a spy for another organization.

There are several possible reasons why Yahoo is withholding information, adds Vitali Kremez, a cybercrime analyst at the security firm Flashpoint.

“State security services may be working on the matter and Yahoo does not want to jeopardize the investigation,” he says. “It may also be preparing legal action.”

By its own account, Yahoo learned of the breach only recently, although the hack itself took place at the end of 2014, almost two years ago. The perpetrators of the attack therefore had plenty of time to misuse or sell the data.

If state-sponsored hackers really did attack Yahoo, Kremez fears that other companies may have been affected too, only they don’t know it.

“We need more transparency,” he adds. “We would all like to know whether this fits into some larger pattern.”


Hackers attacked the mobile phones of US Democrats

28.9.2016 Novinky/Bezpečnost Mobile
Foreign hackers have probably attacked the mobile phones of some representatives of the US Democratic Party. The Federal Bureau of Investigation (FBI) is convinced of this and has therefore asked the Democrats to allow access to their phones, the Reuters agency reported.
The hacker attack against Democratic representatives, some of whom according to Reuters’ sources also hold elected office, took place during the past month. According to information from the investigation, the attack is apparently the work of hackers from Russia, whom US officials had also blamed for the earlier theft of emails from the Democratic Party leadership.

In connection with the attack, the FBI is asking politicians whose phones were targeted to give investigators access to their devices. They want to determine the extent of the damage the hackers may have caused.

In past months hackers plundered the email accounts of Democratic Party representatives. The correspondence, subsequently published by WikiLeaks, revealed that the party leadership had favored the current presidential candidate Hillary Clinton over her rival Bernie Sanders in the party primaries. This caused outrage among many Sanders supporters.

In August US media reported that Republicans had also become the target of a hacker attack. According to the media, the attackers placed malicious software on the computers of campaign staff of the Republican presidential candidate Donald Trump.


Spam is on the rise again, at its highest level since 2010

26.9.2016 Root.cz Spam
The volume of spam being sent has multiplied several times since the beginning of the year. The reasons are not entirely clear; it may be a change in technique as well as increased botnet activity. One spam trap catches around 270 million e-mails a day. Talos, Cisco's security research division, reports an interesting trend that we probably would not have expected in 2016. From spring to summer this year, a renewed rise in the volume of e-mail spam was recorded, up to levels last seen in 2010. For example, the Composite Block List, a respected spam trap, was receiving more than three thousand spam e-mails per second over the summer. At the turn of the year it was roughly seven times less. See the following graph.

Other statistics show that this is not an anomaly or a measurement error. Data from the SpamCop service shows that the number of IP addresses involved in mass spam sending has risen to roughly 400 thousand, about five times the values recorded at the turn of the year.

Send as much spam as possible in a few minutes
Explaining this phenomenon is not entirely easy. According to Cisco Talos researchers, however, it could, somewhat paradoxically, be partly caused by the growing effectiveness and sophistication of spam filters. These usually detect new spam within a few minutes, and the spammer's fun is over. It therefore becomes more effective to send as many e-mails as possible in the shortest possible time.

Instead of targeting their e-mails better or using snowshoe techniques to stay under the radar, spammers have turned it into a race. They send as many e-mails as is technically possible in the shortest possible time, and so for a brief moment they can successfully deliver unsolicited mail to their victims' inboxes, writes Jaeson Schultz, technical lead at Cisco Talos.

This theory is also supported by the fact that around half of the daily spam volume consists of high-volume campaigns that send many millions of e-mails. It is not unusual for a single e-mail template to make up ten or more percent of the total daily spam volume. It is also worth noting that on weekends the spam volume drops to perhaps 20–30 % of the working-week values.

Are botnets to blame?
It is unlikely, however, that the factors mentioned alone account for such a large increase in spam. Cisco Talos further suspects that it is to some extent the work of the huge Necurs botnet. Botnets are not entirely stupid, and the people behind them also make some use of social-engineering techniques.

To hide the true size of the botnet, Necurs sends spam from only a small portion of the machines it controls. A compromised machine may be used for two or three days and then left idle for two or three weeks. This considerably complicates the work of the people who respond to spam attacks. They may think that the infected machine in question has been found and cleaned, when in reality the Necurs crooks are just biding their time before striking again and again, explains Schultz.

The growth in spam volume still has no clear explanation. And even if we answer the question of how it happens, that does not mean we will know the answer to why. The important thing is that spam filters work well and users probably did not notice much of the increase in spam in their inboxes. Running the filters is just somewhat more expensive now.


Cisco Talos profiled the GozNym botnet after cracking the trojan DGA
28.9.2016 securityaffairs BotNet

The Talos team published a detailed analysis of the GozNym botnet; this was possible because the experts cracked the DGA used by the malware.
In April 2015, researchers from IBM X-Force Research discovered a new banking Trojan dubbed GozNym that combines the best features of the Gozi ISFB and Nymaim malware.

GozNym has been seen targeting banking institutions, credit unions, and retail banks. Among the victims of the GozNym Trojan are 24 financial institutions in North America and organizations in Europe, including a Polish webmail service provider, investment banking and consumer accounts at 17 banks in Poland, and one bank in Portugal.

Now experts from Cisco's Talos team who have analyzed the threat have identified four variants that differ in their use of the domain generation algorithm (DGA).

A DGA is an algorithm that allows malware to periodically generate a large number of domain names that are used as rendezvous points with its C&C servers.

The crooks used spear-phishing messages containing specially crafted Word documents as the attack vector. Once the victim opens the document and enables macros, VBA code downloads and executes GozNym.

Once the malware has infected a system, it checks Internet connectivity through DNS queries for the google.com and microsoft.com records. If a connection is present, it contacts the command and control (C&C) domains generated by the DGA, either via a simple gethostbyname API call or via its own DNS protocol implementation using either 8.8.4.4 or 8.8.8.8 as the server.

The GozNym banking Trojan hijacks victims' browsing sessions, redirecting them to a phishing website.

The experts from the Talos group identified several DGA variants; below is the description of one of them published by the malware researchers.

“In the first stage of DGA, a variation of the XORShift Pseudo-Random Number Generator (PRNG) is used to create a list of fifteen domains. The PRNG is seeded with a bit-shifted value of the current day, as well as two hard coded DWORDs. Each domain is between 5 and 12 lowercase letters long, followed by a randomly selected TLD of .net, .com, .in, or .pw. GozNym then uses Google’s DNS server to query each domain, and checks if the IP responses are publicly routable. Once it resolves 2 different IPs, it uses those in the second stage of the DGA.” reads the analysis published by the Talos group.

In the second stage, the malware creates a list of 128 domain names using the same method as stage 1, but it replaces the hardcoded DWORD seeds with the IP addresses obtained in the first stage. The GozNym DGA is complex, but Cisco researchers identified flaws that allowed them to predict domain names using brute force.

The researchers from Talos discovered weaknesses in the DGA that allowed them to predict the domain names used by the threat, information that is precious for malware hunters, who can use DNS sinkholes to analyze the malware.

The experts were able to profile the botnet: the sinkhole server they used received 23,062 beacons within the first 24 hours. This suggests the botnet is composed of roughly 23,062 machines, because each of them would send just one beacon, except in the case of sandboxes, which may beacon out several times from a small set of IPs.

The number of unique IPs belonging to the botnet is 1,854.

A look at the top countries from which beacons were received reveals that most of them are from Germany (47%) and the United States (37%).
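As an added illustration of the two-stage structure just described (this is not Talos' DGA_release.py and does not use GozNym's real constants), the sketch below seeds a 32-bit XORShift PRNG from the bit-shifted day and two DWORDs, draws 15 stage-1 candidates of 5-12 lowercase letters with one of the four TLDs, keeps only publicly routable resolutions, and re-seeds with the two resolved IPs for the 128 stage-2 candidates. The seed layout, the PRNG variant and the DWORD values are assumptions; reproducing a DGA this way is what lets defenders pre-register or sinkhole the candidate domains, as the text goes on to describe.

```python
"""Added example, not Talos' DGA_release.py: a sketch of the two-stage XORShift-driven
DGA structure described in the text. PRNG variant, seed layout and DWORDs are placeholders."""
import ipaddress
import string

TLDS = (".net", ".com", ".in", ".pw")
MASK32 = 0xFFFFFFFF
SEED_DWORD_A, SEED_DWORD_B = 0x1A2B3C4D, 0x5E6F7081  # stand-ins, not the malware's DWORDs

def xorshift32(state: int) -> int:
    """One step of a plain 32-bit XORShift generator (never returns 0 for non-zero input)."""
    state ^= (state << 13) & MASK32
    state ^= state >> 17
    state ^= (state << 5) & MASK32
    return state

def day_seed(day_ordinal: int, dword_a: int, dword_b: int) -> int:
    """Seed = bit-shifted day number mixed with two DWORDs (the exact layout is assumed)."""
    return (((day_ordinal << 8) ^ dword_a ^ dword_b) & MASK32) or 1

def generate_domains(seed: int, count: int) -> list:
    """Draw `count` domains: 5-12 lowercase letters plus one of the four TLDs."""
    state, domains = seed, []
    for _ in range(count):
        state = xorshift32(state)
        length = 5 + state % 8                     # 5..12 letters
        label = ""
        for _ in range(length):
            state = xorshift32(state)
            label += string.ascii_lowercase[state % 26]
        state = xorshift32(state)
        domains.append(label + TLDS[state % len(TLDS)])
    return domains

def pick_routable(resolved: list, needed: int = 2) -> list:
    """Stage-1 filter: first `needed` distinct publicly routable answers; private or
    loopback responses (e.g. a sinkhole answering from RFC1918 space) are skipped."""
    chosen = []
    for addr in map(ipaddress.ip_address, resolved):
        if addr.is_global and str(addr) not in chosen:
            chosen.append(str(addr))
        if len(chosen) == needed:
            break
    return chosen

def two_stage(day_ordinal: int, resolved: list) -> tuple:
    """Stage 1: 15 candidates from day + DWORDs. Stage 2: 128 candidates with the DWORDs
    replaced by the two routable IPs stage 1 resolved (passed in here as `resolved`)."""
    stage1 = generate_domains(day_seed(day_ordinal, SEED_DWORD_A, SEED_DWORD_B), 15)
    ip_a, ip_b = (int(ipaddress.ip_address(ip)) for ip in pick_routable(resolved))
    stage2 = generate_domains(day_seed(day_ordinal, ip_a, ip_b), 128)
    return stage1, stage2
```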


I suggest reading the analysis published by the Talos team, which also includes some scripts that can be used to analyze GozNym samples:

DGA_release.py which simulates the DGA used by GozNym.
Extract_parameters_from_http_post.py which extracts parameters from the HTTP POST requests that are sent to C2 servers.
Decrypt_response.py which allows for a decryption of the response payload.


150,000 IoT Devices behind the 1Tbps DDoS attack on OVH

28.9.2016 securityaffairs Attack

The hosting provider OVH continues to face massive DDoS attacks launched by a botnet composed of at least 150,000 IoT devices.
Last week, the hosting provider OVH faced a 1 Tbps DDoS attack, likely the largest ever seen.
OVH founder and CTO Octave Klaba reported the 1 Tbps DDoS attack on Twitter, sharing an image that lists the multiple sources of the attack.

“Last days, we got lot of huge DDoS. Here, the list of “bigger that 100Gbps” only. You can see the simultaneous DDoS are close to 1Tbps !” said Klaba.

Klaba explained that his company's servers were hit by multiple simultaneous attacks exceeding 100 Gbps each, adding up to a 1 Tbps DDoS attack. One of the attacks documented by OVH reached 93 Mpps and 799 Gbps.


Klaba speculated that the attackers used an IoT botnet that also included compromised CCTV cameras. Now we have more information on the

Klaba has now added further information on the powerful DDoS attacks: the OVH CTO claimed that the botnet used by the attackers is powered by more than 150,000 Internet of Things (IoT) devices, including cameras and DVRs.

The overall botnet is capable of launching attacks that exceed 1.5 Tbps.

Octave Klaba / Oles @olesovhcom, 22 Sep 2016:
"Last days, we got lot of huge DDoS. Here, the list of "bigger that 100Gbps" only. You can see the simultaneous DDoS are close to 1Tbps ! pic.twitter.com/XmlwAU9JZ6"

Octave Klaba / Oles @olesovhcom, 23 Sep 2016, 14:31:
"This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn."

The bad news for OVH is that the attacks are still ongoing and the size of the botnet is increasing.

“+6857 new cameras participated in the DDoS last 48H.” added Klaba.

The company was targeted by various types of traffic, including Generic Routing Encapsulation (GRE) traffic, a novelty in the DDoS landscape.

Unfortunately, such DDoS attacks will become even more frequent; it is too easy for hackers to gain control of poorly configured, or vulnerable, IoT devices.
Last week experts observed another massive DDoS that targeted the website of the popular cyber security expert Brian Krebs. KrebsOnSecurity was hit by a DDoS attack of 665 Gbps.

The attacks against OVH and KrebsOnSecurity are the largest reported so far.


Adware Campaign borrows Obfuscation Techniques from Operation Aurora attack
28.9.2016 securityaffairs Virus

Experts from Carbon Black have spotted a new adware campaign leveraging sophisticated obfuscation techniques borrowed from Operation Aurora.
Security experts from Carbon Black have spotted a new adware campaign leveraging very sophisticated obfuscation techniques.

According to the malware researchers, the adware campaign was used by crooks to spread ransomware and employs tactics similar to those of the nation-state attack known as Operation Aurora.

Carbon Black published a report detailing the complex obfuscation techniques implemented by the threat actors behind the campaign.
“Earlier this week, Carbon Black, in conjunction with the Cb User Exchange Community, discovered anomalies related to well-known Adware variants, including OpenCandy and Dealply, and trojanized Chromium, using highly sophisticated evasion techniques (previously observed by Carbon Black associated with nation-state attacks — specifically Operation Aurora, which targeted major companies including Google, Adobe, etc).” reads the report published by Carbon Black. “These obfuscation techniques easily evade sandboxing and other intrusion detection techniques due to Binary Fragmentation.”
As explained in the post, the first clue was spotted by chance when a customer noticed unusual command-line activity that was specific to the Operation Aurora attack. The telltale, expressed as a Cb Response query, is “cmdline:copy AND cmdline:/b”, as explained in the report.
“Just for fun, I asked my customer to the run the query: cmdline:copy AND cmdline:/b. Cb Response showed they had three hits. I bolted upright in my chair. Three years ago, I stumbled upon this attack vector and I’d never seen it since… until last week.” continues the report.
“As we began to triage the event, we began to see .dat files being joined to form all sorts of unusual file types including .txt, .png, .log, .ico, & .dll files. It was highly irregular.”


“So, now for the ‘stranger’ part. As we began to walk backward up the process tree, we began noticing that the parent processes launching these rather advanced obfuscation techniques were ‘routine’ adware, flagged multiple times by Virus Total.”
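As an added example (not Carbon Black's code and not a Cb Response query), the routine below applies the report's copy /b telltale to constructed process command-line records: it keeps only genuine multi-fragment binary joins, ignores ordinary copies and the unrelated xcopy /b switch, and notes whether the destination carries one of the extensions the report saw fragments reassembled into. The parent process names and paths in the sample records are constructed.

```python
"""Added example (not Carbon Black's code): triage of the 'copy /b' binary-fragmentation
pattern from the report over constructed process command-line telemetry."""
import re

# Constructed sample telemetry, one "<parent> | <command line>" record per line.
SAMPLE_EVENTS = [
    r"UpdaterSetup.exe | cmd.exe /c copy /b part1.dat+part2.dat+part3.dat C:\Users\u\AppData\Local\Temp\stage.dll",
    r"explorer.exe | cmd.exe /c copy /y report.txt D:\backup\report.txt",
    r"OpenCandySvc.exe | cmd.exe /c COPY /B a.dat + b.dat  out.png",
    r"cmd.exe | xcopy /b src dst",          # xcopy's /b is a different switch, not a join
    r"svchost.exe | cmd.exe /c copy /b single.dat out.ico",
]

# Extensions the report observed .dat fragments being reassembled into.
JOIN_TARGET_EXTS = {".txt", ".png", ".log", ".ico", ".dll"}
# 'copy' as its own token, any switches, a /b switch, then the source/destination tail.
COPY_B = re.compile(r"(?<![\w.])copy\s+(?:/\w\s+)*/b\b(?:\s+/\w)*\s+(.+)$", re.IGNORECASE)

def parse_copy_b(cmdline: str):
    """Return (sources, destination) for a binary copy that joins 2+ sources with '+',
    else None. A single-source copy /b is a plain copy, not fragmentation."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    args = m.group(1).split()
    if len(args) < 2:
        return None
    dest = args[-1]
    sources = [s for s in "".join(args[:-1]).split("+") if s]  # tolerates 'a.dat + b.dat'
    if len(sources) < 2:
        return None
    return sources, dest

def triage(events: list) -> list:
    """Return one dict per suspicious record: parent, fragment count, destination and
    whether the destination extension matches the report's observed join targets."""
    hits = []
    for line in events:
        parent, _, cmdline = line.partition(" | ")
        parsed = parse_copy_b(cmdline)
        if parsed is None:
            continue
        sources, dest = parsed
        ext = dest[dest.rfind("."):].lower() if "." in dest else ""
        hits.append({"parent": parent.strip(), "fragments": len(sources),
                     "dest": dest, "known_join_target": ext in JOIN_TARGET_EXTS})
    return hits
```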

Carbon Black received other similar support requests from customers that had experienced the same attack. According to the malware researchers, victims in several industries were targeted by variants of adware used to deliver the Enigma ransomware.

According to Benjamin Tedesco, lead of the Advanced Consulting Team at Carbon Black, the obfuscation techniques borrowed from Operation Aurora were able to easily evade sandboxing and other detection mechanisms.

Once the target machine was compromised, the malware used in the campaign was able to drop further payloads to perform other malicious activities.

This campaign demonstrates that even behind an adware campaign, it is possible to find a very sophisticated threat.