US Accuses Russian Government of Hacking Infrastructure
19.3.2018 securityweek BigBrothers

The Russian government is behind a sustained hacking effort to take over the control systems of critical US infrastructure like nuclear power plants and water distribution, according to US cyber security investigators.

A technical report released by the Department of Homeland Security on Thursday singled out Moscow as directing the ongoing effort that could give the hackers the ability to sabotage or shut down energy and other utility plants around the country.

It was the first time Washington named the Russian government as behind the attacks which have been taking place for nearly three years.

The allegation added to a series of accusations of political meddling and hacking against Russia that led to Washington announcing fresh sanctions against the country this week.

"Since at least March 2016, Russian government cyber actors ... targeted government entities and multiple US critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors," the report from the DHS Computer Emergency Readiness Team said.

DHS, together with the Federal Bureau of Investigation, said the Russian hackers targeted two groups -- the infrastructure operators themselves, and also peripheral "staging targets" which could be used as stepping stone into the intended targets.

Staging targets included third party firms supplying services and support to the main targets but may have less secure networks. The hackers had a deep toolbox of methods to enter target systems, they said.

The hacking effort paralleled Russia's alleged operation to interfere with the 2016 US presidential election and continue with online media manipulation throughout 2017.

DHS did not identify specific targets which the Russians broke into. But it said they were able to monitor the behavior of control systems, install their own software, collect the credentials of authorized users, monitor communications, and create administrator accounts to run the systems.

- Sustained attack -

The government has been issuing warnings to operators of US infrastructure -- power producers and distributors, water systems, and others -- about foreign hacking since 2016.

In January a White House report said cyberattacks cost the United States between $57 billion and $109 billion in 2016, and warned that the broader economy could be hurt if the situation worsens. It pointed the finger mainly at attackers from Russia, China, Iran, and North Korea.

Last September the private security firm Symantec outlined hacking efforts focused against US and European energy systems by a high-skilled group it dubbed Dragonfly 2.0.

"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so."

Symantec did not name the origin of the group, but the DHS report included Symantec's Dragonfly analysis in its allegations against Russia.

On Thursday the government announced sanctions against Russia's top spy agencies and more than a dozen individuals, citing both the election meddling and cyberattacks.

"We will continue to call out malicious behavior, impose costs, and build expectations for responsible actions in cyberspace," said Rob Joyce, the cybersecurity coordinator on the White House's National Security Council.

California Bill Seeks to Adopt Strict Net Neutrality Despite FCC Ruling
19.3.2018 securityweek IT

As Americans wait to see whether net neutrality can gain enough support among lawmakers to invoke disapproval via the Congressional Review Act, individual states are not waiting -- several are working on state laws to maintain net neutrality within their own borders.

In December 2017, under the chairmanship of Ajit Pau, the FCC voted 3-2 to remove net neutrality protections by rolling back its earlier Obama-era classification of ISPs as telecommunications service providers (and therefor under FCC purview) to the common carriers as they had been previously classified. This has now happened. It simply means that existing FCC rules can no longer be applied to ISPs because they are not telecommunications services. This ruling won't come into effect until April 23; that is, 60 days after publication of the ruling in the Federal Register.

In the meantime, California has now joined the number of states attempting to preserve local net neutrality regardless of federal preferences. California state senator Scott Wiener has introduced SB 822, a comprehensive proposal that would prevent ISPs from blocking websites, throttling users' services or introducing paid priority services within California. In some ways this new bill imposes even stricter net neutrality than that being dismantled by the FCC, by, for example, imposing conditions on the practice of 'zero rating'.

Coincidentally, the communications regulator in the UK, OFCOM, this month announced investigations into service providers Vodafone and Three. Vodafone operates a zero rating option called Vodafone Passes. "Our Passes allow customers to access their favorite content without fear of running out of data or attracting out-of-bundle charges," says a Vodafone statement. "They are open to any content provider of video, music, chat and social. Twenty-two content providers have signed up so far, ensuring Vodafone customers can enjoy the widest selection of worry-free access to content across the industry."

Opponents of net neutrality claim this is good for the consumer, effectively providing free bandwidth to the user. Proponents suggest it can starve new and smaller websites of the visitors they need.

In the U.S., AT&T offers a sponsored data program that is similarly zero rated on data usage. It seems, however, that the only services actually zero rated are owned by AT&T -- such as DirecTV. This gives DirecTV a huge advantage over rival services such as Hulu and Sling, since potential customers are more likely to use the service that has a zero data cost to them.

This is the whole net neutrality argument writ small. Large, established organizations can afford to starve new innovative organizations of internet traffic by paying a premium to the service providers; and will always -- in a completely free market -- be able to buy more of the available bandwidth.

Knock-on concerns are that in order to guarantee bandwidth availability to the large premium-paying customers, it might be necessary to rein back availability to ordinary users -- and in order to encourage those ordinary users to pay more for their bandwidth, there will be a temptation for providers to throttle what is already available.

The difficulty in policing net neutrality is that lawmakers recognize that some lee-way for 'throttling' (in the form of traffic management) will always be necessary. Europe's net neutrality laws require that any such traffic management must be 'transparent, non-discriminatory and proportionate'.

OFCOM has promised an update of its investigation into Vodafone in June, and it's not possible to predict the outcome. Vodafone claims that its Passes service does not generate any bandwidth throttling, and indeed guarantees full service to the consumer. This may be true with just 22 signed up content providers; but may not necessarily be true with 200 signed up content providers.

In California, Senator Wiener's proposal solves this problem, not by banning zero-rating outright, but by allowing it only for whole classes of content provider. In the AT&T example, AT&T could continue to zero-rate DirecTV only if it also zero-rates all similar content providers including Hulu and Sling.

Without doubt, SB 822 is one of the strongest net neutrality bills yet seen; and it will undoubtedly be disliked by the ISP providers. Jamie Davies, writing in Telecoms.com, considers net neutrality to be a heavy-handed approach to bandwidth problems. "The telcos have to be given the opportunity to make money," he writes. "If the telcos are making less money, they are spending less on tackling the increased consumption of data. This is a net loss in the long-run and we do not think this is a nuance of the argument which has been considered by Weiner and his army of preachers."

SB 822 may never happen. It may not be necessary if the Congressional Review Act can be used to overturn the FCC decision; or it may fail to get enough votes in California. Ironically, however, the FCC won't be able to stop it. Back in December, the FCC barred states from adopting their own net neutrality rules -- however, it will not be able to enforce its own rule.

"While the FCC's 2017 Order explicitly bans states from adopting their own net neutrality laws," writes Barbara van Schewick, Professor of Law at Stanford Law School, "that preemption is invalid. According to case law, an agency that does not have the power to regulate does not have the power to preempt. That means the FCC can only prevent the states from adopting net neutrality protections if the FCC has authority to adopt net neutrality protections itself."

Facebook Suspends Trump Campaign Data Firm Cambridge Analytica
19.3.2018 securityweek Social

Facebook says it has suspended the account of Cambridge Analytica, the data analysis firm hired by Donald Trump's 2016 presidential campaign, amid reports it harvested the profile information of millions of US voters without their permission.

According to the New York Times and Britain's Observer, the company stole information from 50 million Facebook users' profiles in the tech giant's biggest-ever data breach, to help them design software to predict and influence voters' choices at the ballot box.

Also suspended were the accounts of its parent organization, Strategic Communication Laboratories, as well as those of University of Cambridge psychologist Aleksandr Kogan and Christopher Wylie, a Canadian data analytics expert who worked with Kogan.

Cambridge Analytica was bankrolled to the tune of $15 million by US hedge fund billionaire Robert Mercer, a major Republican donor. The Observer said it was headed at the time by Steve Bannon, a top Trump adviser until he was fired last summer.

"In 2015, we learned that ... Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe," Facebook said in a posting late Friday by its vice president and deputy general counsel Paul Grewal.

Kogan also improperly shared the data with Wylie, it said.

Kogan's app, thisisyourdigitallife, offered a personality prediction test, describing itself on Facebook as "a research app used by psychologists."

Some 270,000 people downloaded the app, allowing Kogan to access information such as the city listed on their profile, or content they had "liked."

"However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong," the Observer reported.

Facebook later pushed back against the claim of a data breach, issuing a fresh statement on Saturday that suggested the misused data was limited to those who voluntarily took the test.

"People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked," Grewal said.

Cambridge Analytica meanwhile said it was in touch with Facebook "in order to resolve this matter as quickly as possible​."

It blamed the misuse of data on Kogan and said it has since deleted all the data it received from a company he founded, Global Science Research (GSR).

"No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign," it said.

- 'Targeting their inner demons' -

But Wylie, who later became a whistleblower, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on."

Kogan legitimately obtained the information but "violated platform policies" by passing information to SCL/Cambridge Analytica and Wylie, according to Facebook.

Facebook said it removed the app in 2015 when it learned of the violation, and was told by Kogan and everyone who received the data that it had since been destroyed.

"Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted," Grewal wrote.

"We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made.

"We are suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information."

- British investigation -

Cambridge Analytica, the US unit of British behavioral marketing firm SCL, rose to prominence as the firm that the pro-Brexit group Leave.EU hired for data-gathering and audience-targeting.

The company is facing an investigation by Britain's parliament and regulators over its handling of information.

On Saturday, Britain's information commissioner Elizabeth Denham said: "We are investigating the circumstances in which Facebook data may have been illegally acquired and used.

"It's part of our ongoing investigation into the use of data analytics for political purposes which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analyzing people's personal information to micro-target voters."

The New York Times meanwhile reported that copies of the data harvested for Cambridge Analytica were still online and that its team had viewed some of the raw data.

Russian Cyberspies Hacked Routers in Energy Sector Attacks
19.3.2018 securityweek CyberSpy

A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday.

The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear.

A warning issued last year by the UK’s National Cyber Security Centre (NCSC) revealed that hackers had targeted the country’s energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims’ passwords.

An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison.

When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States.

When a malicious document is opened using Microsoft Word, it loads a template file from the attacker’s SMB server. When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user’s domain credentials, basically handing them over to the attackers.

In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources.

According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom.

One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy conglomerate in Vietnam. Specifically, the IP corresponded to a core Cisco router that had reached end-of-life.

“The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare,” Cylance researchers explained. “That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them. Analysis is further challenged by the lack of system logs.”

“The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated,” they added.

Dragonfly is not the only cyberespionage group to abuse routers in its attacks. A threat actor named Slingshot, whose members appear to speak English, has targeted entities in the Middle East and Africa using hacked Mikrotik routers.

Cambridge Analytica: Firm at the Heart of Facebook Scandal
19.3.2018 securityweek Social

At the center of a scandal over alleged misuse of Facebook users' personal data, Cambridge Analytica is a communications firm hired by those behind Donald Trump's successful US presidential bid.

An affiliate of British firm Strategic Communication Laboratories (SCL), Cambridge Analytica has offices in London, New York, Washington, as well as Brazil and Malaysia.

Here's the story behind the company using data to fuel political campaigns:

What does Cambridge Analytica do?

The company boasts it can "find your voters and move them to action" through data-driven campaigns and a team including data scientists and behavioural psychologists.

Cambridge Analytica"Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections," with data on more than 230 million American voters, Cambridge Analytica claims on its website.

Speaking to TechCrunch in 2017, CEO Alexander Nix said the firm was "always acquiring more" data. "Every day we have teams looking for new data sets," he told the site.

Who are the company's clients?

As well as working on the election which saw Trump reach the White House, Cambridge Analytica has been involved in political campaigns around the world.

In the US, analysts harnessed data to generate thousands of messages targeting voters through their profiles on social media such as Facebook, Snapchat, or the Pandora Radio streaming service.

British press have credited Cambridge Analytica with providing services to pro-Brexit campaign Leave.EU, but Nix has denied working for the group.

Globally, Cambridge Analytica said it has worked in Italy, Kenya, South Africa, Colombia and Indonesia.

What has the company been accused of?

According to the New York Times and Britain's Observer newspapers, Cambridge Analytica stole information from 50 million Facebook users' profiles in the tech giant's biggest-ever data breach, to help them design software to predict and influence voters' choices at the ballot box.

University of Cambridge psychologist Aleksandr Kogan created a personality prediction test app, thisisyourdigitallife, which was downloaded by 270,000 people.

The tool allowed Kogan to access information such as content Facebook users had "liked" and the city they listed on their profile, which was then passed to SCL and Cambridge Analytica.

The Observer reported the app also collected information from the Facebook friends of people who had taken the test.

Christopher Wylie, a former Cambridge Analytica employee, worked with Kogan and told Canadian television channel CBC the company used "private data they acquired without consent".

Who else is involved?

US hedge fund billionaire Robert Mercer -- and major Republican party donor -- bankrolled Cambridge Analytica to the tune of $15 million (12 million euros).

The Observer said it was headed at the time by Steve Bannon, a top Trump adviser until he was fired last summer.

How has Facebook responded?

Facebook suspended SCL and Cambridge Analytica, as well as Kogan and Wylie. In explaining its decision on Friday, the social media giant said the thisisyourdigitallife app was legitimate, but accused Kogan of subsequently violating Facebook's terms by passing the data on to SCL/Cambridge Analytica.

Facebook said it found out what had happened in 2015 and was told all parties involved had deleted the data.

"The claim that this is a data breach is completely false," Facebook said in a new statement on Saturday, saying app users knowingly provided their information.

DHS and FBI accuse Russian Government of hacking US critical infrastructure
19.3.2018 securityaffairs BigBrothers

Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian
Last week, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

Last week the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it labels the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”

The analysis of indicators of compromise (IoCs), the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

On the other side, the Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of Russian cyberspies.

According to the DHS, the Russi-linked APT groups targeted two groups. the infrastructure operators and also peripheral “staging targets” which could be used as stepping stone into the intended targets.

“This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert.” continues the alert.

“The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.“”

The alert doesn’t include details of specific targets compromised by Russians hackers.

The Russian hackers were able to compromise the control systems by installing their custom malware to harvest credentials of authorized users, monitor communications, and gain control of the systems.

Only last week, the government announced sanctions against Russia’s top spy agencies and more than a dozen individuals.

Facebook confirms Cambridge Analytica stole its data and used it to influence US voters
19.3.2018 securityaffairs Social
The commercial data analytics company Cambridge Analytica allegedly used data harvested by Facebook to target US voters in the 2016 Presidential election.
A team of academics had collected a huge amount of user data and shared the information with Cambridge Analytica which is a commercial data analytics company that allegedly used it to target US voters in the 2016 Presidential election.

The news was confirmed by Facebook over the weekend, the researchers used an app developed by the University of Cambridge psychology lecturer Dr. Aleksandr Kogan to collect user data.

The app named “thisisyourdigitallife” is available to users since 2014, it was provided by Global Science Research (GSR) and asked users to take an online survey for $1 or $2. The app requested access to the user’s profile information, and over 270,000 users gave the app permission to use their personal details for academic research.

Facebook confirmed to have “suspended” any business with Cambridge Analytica (CA) and its holding company.

“Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent.” states the official statement released by Facebook.

“Like all app developers, Kogan requested and gained access to information from people after they chose to download his app. His app, “thisisyourdigitallife,” offered a personality prediction, and billed itself on Facebook as “a research app used by psychologists.” Approximately 270,000 people downloaded the app. In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow it.”

The app is a powerful tool to profile users by harvesting information on their network of contacts, its code allowed to collect data from over 50 million users.

Cambridge Analytica tried to clarify its position declaring that it has deleted all data received from GSR when discovered the way they were obtained.

“When it subsequently became clear that the data had not been obtained by GSR in line with Facebook’s terms of service, Cambridge Analytica deleted all data received from GSR,” CA said in a statement.

“No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign.”

We refute these mischaracterizations and false allegations, and we are responding — watch our Twitter feed for more.

— Cambridge Analytica (@CamAnalytica) March 17, 2018

According to a report published by The Intercept exactly one year ago, the situation is quite different. The Intercept sustained that Kogan operated on behalf of Strategic Communication Laboratories (SCL), a military contractor that owns the Cambridge Analytics.

Facebook discovered the activity in 2015 thanks to claims from its users and adopted the necessary measures to force the involved parties in deleting the data from their servers.

“Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules. By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies.” continues the Facebook statement. “When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.”

Christopher Wylie, a Kogan’s collaborator, confirmed that data has been used in the US presidential election to profile individuals and influence the final vote. Wylie provided evidence to the New York Times and The Guardian that harvested data had not been destroyed.

Facebook also suspended Wylie’s account as confirmed by the whistleblower via Twitter on Sunday.

Suspended by @facebook. For blowing the whistle. On something they have known privately for 2 years. pic.twitter.com/iSu6VwqUdG

— Christopher Wylie (@chrisinsilico) March 18, 2018

Iran-linked group TEMP.Zagros now targets Asia and Middle East regions
19.3.2018 securityaffairs Phishing
Experts at FireEye uncovered a new massive phishing campaign conducted by TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.
Iranian hackers are one of the most active in this period, researchers at FireEye uncovered a new massive phishing campaign targeting Asia and Middle East regions from January 2018 to March 2018.

The group behind the campaign is known as TEMP.Zagros, aka MuddyWater, and according to the experts it is now adopting new tactics, techniques, and procedures.

“We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017.” reads the analysis published by the experts at FireEye.

“This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.”

The TEMP.Zagros was first spotted by researchers at PaloAlto Networks in 2017, the hackers targeted various industries in several countries with spear-phishing messages.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

Last week expert at Trend Micro also attributed the new wave of attacks to the MuddyWater threat actor.

“We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia.” states the analysis published by Trend Micro.

According to FireEye report, TEMP.Zagros attackers are adopting a new backdoor dubbed POWERSTATS for backdoors and the reuse of a known technique for lateral movements.

Each of these macro-based documents used similar techniques for code execution, persistence, and communication with the command and control (C2) server.

Hackers re-used the AppLocker bypass and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system.

“In this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets.” continues FireEye.

The campaign started on Jan. 23 involved a macro-based document that dropped a VBS file and an INI file containing a Base64 encoded PowerShell command.

The Base64 encoded PowerShell command will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe.

Attackers used a differed VBS script for each sample, employing different levels of obfuscation and different ways of invoking the next stage of the process tree.

Starting from Feb. 27, 2018, hackers used a new variant of the macro that does not use VBS for PowerShell code execution. The new variant uses a new code execution techniques leveraging INF and SCT files.

Researchers at FireEye also found Chinese strings in the malicious code used by TEMP.Zagros that were left as false flags to make hard the attribution.

“During analysis, we observed a code section where a message written in Chinese and hard coded in the script will be printed in the case of an error while connecting to the C2 server:” states FireEye.

Indicators of compromise (IoCs) and other info are included in the report published by FireEye.

Cisco Meraki Offers Up to $10,000 in Bug Bounty Program
19.3.2018 securityweek Security

Cisco Meraki, a provider of cloud-managed IT solutions, announced last week the launch of a public bug bounty program with rewards of up to $10,000 per vulnerability.

Cisco Meraki, which resulted from Cisco’s acquisition of Meraki in late 2012, started with a private bug bounty program on the Bugcrowd platform. The private program led to the discovery of 39 flaws, for which the company paid out an average of roughly $1,100.

The firm has now decided to open its bug bounty program to all the white hat hackers on Bugcrowd and it’s prepared to pay them between $100 and $10,000 per flaw.Cisco Meraki

The initiative covers the meraki.com, ikarem.io, meraki.cisco.com and network-auth.com domains and some of their subdomains, the Meraki Dashboard mobile apps for Android and iOS, and products such as the Cisco Meraki MX Security Appliances, Meraki MS Switches, MR Access Points, MV Security Cameras, MC Phones, Systems Manager, and Virtual Security Appliances.

The highest rewards can be earned for serious vulnerabilities in websites (except meraki.cisco.com), and all hardware and software products. Researchers can receive between $6,000 and $10,000 for remote code execution, root logic, sensitive information disclosure, and device configuration hijacking issues.

There is a long list of security issues that are not covered by the program, including denial-of-service (DoS) attacks, SSL-related problems and ones that require man-in-the-middle (MitM) access, clickjacking, and classic self-XSS.

“We invest heavily in tools, processes and technologies to keep our users and their networks safe, including third party audits, features like two-factor authentication and our out-of-band cloud management architecture,” said Sean Rhea, engineering director at Cisco Meraki. “The Cisco Meraki vulnerability rewards program is an important component of our security strategy, encouraging external researchers to collaborate with our security team to help keep networks safe.”

Meraki says its wireless, switching, security, and communications products are used by more than 230,000 global customers for 3 million devices.

Hacker Adrian Lamo Dies at Age 37
19.3.2018 securityweek Crime

Adrian Lamo, the former hacker best known for breaching the systems of The New York Times and turning in Chelsea Manning to authorities, has died at age 37.

His passing was announced on Friday by his father, Mario Lamo, on the Facebook page of the 2600: The Hacker Quarterly magazine.Adrian Lamo dies

“With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son…” he wrote.

Lamo had been living in Wichita, Kansas, and he was found dead in an apartment on Wednesday. The cause of death is not known, but representatives of local police said they had found nothing suspicious, The Wichita Eagle reported.

Lamo broke into the systems of companies such as Yahoo, AOL, Comcast, Microsoft and The New York Times in an effort to demonstrate that they had been vulnerable to hacker attacks.

He was arrested in 2003 and in early 2004 he pleaded guilty to computer crimes against Microsoft, The New York Times, and data analytics provider LexisNexis. He was sentenced to six months’ detention at the home of his parents.

Lamo drew criticism in 2010 after he reported Chelsea Manning (at the time U.S. Army intelligence analyst Bradley Manning) to the Army for leaking a massive amount of classified documents to WikiLeaks.

Experts discovered remotely exploitable buffer overflow vulnerability in MikroTik RouterOS
19.3.2018 securityaffairs APT
Security experts at Core Security have disclosed the details of a buffer overflow vulnerability that affects MikroTik RouterOS in versions prior to the latest 6.41.3.
MikroTik is a Latvian vendor that produce routers used by many telco companies worldwide that run RouterOS Linux-based operating system.

The vulnerability, tracked as CVE-2018-7445, could be exploited by a remote attacker with access to the service to execute arbitrary code on the system.

“A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.” reads the advisory published by the company.

“The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it.”

The researchers published a proof of concept exploit code that works with MikroTik’s x86 Cloud Hosted Router.

Core first reported the flaw to MikroTik on February 19, 2018. MikroTik planned to release a fix in the next release on March 1, 2018 and asked Core to do not reveal the details of the flaw. Even if MikroTik was not able to issue a fix for the estimated deadline 2018, Core waited for the release of the new version the occurred on Monday, March 12, 2018.

In case it is not possible to install an update, MikroTik suggested disabling SMB.

A few days ago, security experts at Kaspersky Lab announced to have spotted a new sophisticated APT group that has been operating under the radar at lease since at least 2012. Kaspersky tracked the group and identified a strain of malware it used, dubbed Slingshot, to compromise systems of hundreds of thousands of victims in the Middle East and Africa.

The researchers have seen around 100 victims of Slingshot and detected its modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

Kenya and Yemen account for the largest number of infections to date. Most of the victims are individuals rather than organizations, the number of government organizations is limited.

The APT group exploited zero-day vulnerabilities (CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.) in routers used by the Latvian network hardware provider Mikrotik to drop a spyware into victims’ computers.
The attackers first compromise the router, then replace one of its DDLs with a malicious one from the file-system, the library is loads in the target’s computer memory when the user runs the Winbox Loader software, a management suite for Mikrotik routers.

The DLL file runs on the victim’s machine and connects to a remote server to download the final payload, the Slingshot malware in the attacks monitored by Kaspersky.

It is not clear if the Slingshot gang also exploited the CVE-2018-7445 vulnerability to compromise the routers.

Now that a proof of concept exploit for vulnerability CVE-2018-7445 is available online customers need to upgrade RouterOS to version 6.41.3 to avoid problems.