Structure of Cyber Risk Perception Survey Could Distort Findings
22.2.2018 securityweek Cyber

CISOs Barely Mentioned in Report on Global Cyber Risk Perception

The purpose of a new report from cyber insurance firm Marsh, supported by Microsoft's Global Security Strategy and Diplomacy team, is to examine the global state of cyber risk management: "This report provides a lens into the current state of cyber risk management at organizations around the world."

To achieve this, Marsh polled 1,312 senior executives "representing a range of key functions, including information technology, risk management, finance, legal/compliance, senior management, and boards of directors." However, there is no category representing information security, nor any specific indication where a security team fits in the organizational structure.

A reasonable assumption would be that cyber security is treated as part of IT, and that if the organization has a CSO or CISO, that position reports directly to the CIO from within the IT structure. That would explain why IT is consistently described as the functional area that is the primary owner and decision-maker for cyber risk management in all companies across all sectors with revenue above $10 million per annum.

But it doesn't reflect reality. While the majority of CISOs might still report to the CIO, this is slowly changing. Some now report directly to the board while others report to the Chief Risk Officer (CRO) or Legal.

Furthermore, the cyber security function is key to the specification and implementation of any cyber risk mitigation policy (where 'mitigation' equates to risk reduction, as opposed to other methods such as risk transfer, which equates to insurance). Human Resources (30 respondents) can help with insider risk definition and response. Procurement can help with security product purchasing (14 respondents). Finance (340 polled) can help with budget planning and financial compliance issues. But none of these will see the full cyber risk threat. While all of these should be involved in cyber risk management, only a dedicated security team is in a position to define and lead it -- and yet there is no cyber security function included in the report.

The decision not to give cyber security its own role, if not the primary role, within the survey has the potential to distort the findings. For example, 41% of the respondents are concerned about financially motivated attacks (which in this survey includes hacktivists), while only 6% are most concerned about politically motivated attacks including state-sponsored attacks.

The question asked was, "With regard to a cyber-attack that delivers destructive malware, which threat actor concerns you the most?" Options on offer included "Operational error" and "Human error, such as employee loss of mobile device", neither of which is commonly associated with the delivery of destructive malware. It is not clear that heads of individual departments would have the nuanced understanding of different cyber threat vectors needed to provide an accurate view of overall cyber risk.

Another example can be found in the section on reporting. The report states, "53% of chief information security officers, 47% of chief risk officers, and 38% of chief technology/information officers said they provide reports to board members on cyber investment initiatives. Yet only 18% of board members said they receive such information." There is clearly a disconnect between reporting and listening -- and few people in the security industry would question that there is a security information communications problem.

This is the one occurrence of the title 'CISO' in the entire report -- but notice a higher percentage of cyber security officers report on cyber investments than do the IT officers. The implication is that if Security had been separated out from IT, then IT would not so consistently be seen as the primary decision-maker for cyber risk management -- something that most security practitioners might consider worrying given the non-cyber-risk and potentially conflicting business pressures already affecting IT.

This lack of distinction between IT and Security also misses a useful opportunity. The figures show that more reports are delivered by CISOs (percentage-wise) than by CIOs and CTOs. For several years now, CISOs have been on a campaign to improve their own and their security staff's 'soft skills'. Indeed, NIST's National Initiative for Cybersecurity Education (NICE) is this week running a webinar titled, 'Development of Soft Skills That Are in Demand by Cybersecurity Employers'.

NICE states that for cybersecurity employers, "soft skills such as effective communication, problem-solving, creative thinking, resourcefulness, acting as a team player, and flexibility are among the most desirable attributes they are looking for in a new hire." It would be useful if Marsh's figures could show the comparative effectiveness of cyber risk reporting coming from CISOs and CIOs.

Nevertheless, there is useful data and advice within the report. It shows that the majority of companies do not have a method of expressing risk quantitatively (that is, in economic terms). Those that do express their risk tend to do so qualitatively (that is, with capability maturity levels). But understanding the economic effect of different cyber events is essential for both risk mitigation and/or risk transfer. It helps the security team to understand where to concentrate both effort and budget; and it is essential for insurance companies to set realistic insurance premiums.

The figures show that just over half of organizations either have (34%) or plan to buy (22%) cyber insurance. The remainder either have no plans, or specifically plan not to buy insurance -- but a small number (less than 1%) have dropped existing insurance. The primary reason cited for dropping insurance is, "Cyber insurance does not provide adequate coverage for the cost."

The implication is that cyber insurance companies (which include Marsh) have a large potential market (a separate report projects the cyber insurance market to top $14 billion by 2022), but have not yet succeeded in fully making their case. This report does not help by largely ignoring companies' existing cyber risk mitigation specialists.

By not differentiating between the responding company's security function and its IT function, security-specific mitigation is diluted. When SecurityWeek asked Marsh why it hadn't separated the two, Marsh responded, "Don't know exactly what you mean by 'cyber security function' -- a CISO??"

The 'cyber security function' is the work performed by the security team under a variously titled head of cyber security. Although IT and Security must necessarily work together, they have different functions and different priorities, and therefore deserve to be treated separately.

Marsh provided SecurityWeek with a detailed breakdown of the respondents' job functions, answered under the question: "Which functional area most closely describes your position?" The available options were Finance, Risk management, Information technology, Board of directors, Operations, Legal/Compliance/Audit, Human resources, Procurement, and Other. 'Cyber Security' was not an option.

It is the security function that best understands and is most engaged in active risk mitigation. By concentrating the survey on general business leaders with little understanding of, or direct involvement in, cyber risk mitigation, the results inevitably favor the primary alternative; that is 'risk transfer'. Risk transfer is cyber insurance; which is what Marsh provides.


SEC Tells Execs Not to Trade While Investigating Security Incidents
22.2.2018 securityweek BigBrothers

The U.S. Securities and Exchange Commission (SEC) on Wednesday announced updated guidance on how public companies should handle the investigation and disclosure of data breaches and other cybersecurity incidents.

The SEC has advised companies to inform investors in a timely fashion of all cybersecurity incidents and risks – even if the firm has not actually been targeted in a malicious attack. The agency also believes companies should develop controls and procedures for assessing the impact of incidents and risks.

While directors, officers and the people in charge of developing these controls and procedures should be made aware of security risks and incidents, the SEC believes these individuals should refrain from trading securities while in possession of non-public information regarding a significant cybersecurity incident.

SEC Updates Guidance on Data Breach Disclosures

“Public companies should have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information. In addition, we believe that companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material,” the SEC said.

These recommendations follow accusations of insider trading against executives at two major companies recently involved in significant cybersecurity incidents. Last year, questions were raised after four Equifax executives sold stock worth $1.8 million just prior to public disclosure of the hack affecting 145 million customers. Equifax claimed that the execs had been unaware of the breach when they sold shares.

Intel’s CEO, Brian Krzanich, faced similar accusations after it was revealed that he had sold all the stock he was legally allowed to, worth roughly $24 million, just before the Meltdown and Spectre vulnerabilities were disclosed. The chipmaker claimed Krzanich’s decision was not related to the disclosure, but some of the lawsuits filed against Intel over the flaws accuse the company of misleading investors.

“We’re all fighting a cyber arms race. However, some organizations have been operating the cyber war while being cloaked. Organizations determine if damage has been done, and how much damage has been done while not being made public. While these undisclosed investigations are being conducted to determine the extent and potential impact of an attack, it’s simply reckless and inappropriate for executives to trade equities, even if they’re on an automated plan,” said Bill Conner, CEO of SonicWall.

“It is good to see the SEC taking action, even if they are reacting on behalf of shareholders to protect them from the massive, headlining breaches that have come so frequent. There’s more to be done by the SEC with respect to cyber guidelines on disclosure and insider trading rules but, this is a solid step in the right direction,” Conner added.

The SEC’s cybersecurity incident disclosure guidance was first released in 2011 and it has now been updated to reinforce and expand previous recommendations. However, some officials, including SEC commissioners Kara Stein and Robert Jackson, believe the agency could have and should have done more.

“I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy. The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done,” Jackson said on Wednesday.

The SEC itself admitted last year that it was the victim of a cyberattack in 2016 that may have allowed hackers to profit through trading on non-public information obtained from its EDGAR filing system.


Singapore Invites Cyberattacks to Strengthen Defenses
22.2.2018 securityweek BigBrothers

Hundreds of hackers have targeted Singapore's defence ministry -- but the attacks were at the government's invitation, in an unusual attempt to strengthen cybersecurity.

Authorities said Wednesday they had paid out US$14,750 in prize money to the best of the 264 so-called "white hat" hackers -- specialists who seek to break into networks to check for vulnerabilities -- involved in the project.

The program, which ran from mid-January to early February, was introduced after an embarrassing breach last year which saw hackers steal personal data from about 850 military servicemen and other employees from a defence ministry web portal.

It was run with cybersecurity network HackerOne, which specializes in coordinating "bug bounty programs" in which hackers are rewarded for spotting weaknesses in computer systems.

The top hacker in the contest was a Cyber Security Manager from Ernst and Young Singapore who gave his name only as Darrel and goes by the online moniker "Shivadagger". He was awarded US$5,000.

A total of 97 vulnerability reports were submitted from 34 participants during the program, with 35 reports deemed valid, according to the defence ministry.

David Koh, the defence ministry's cybersecurity chief, hailed the project. "Our systems are now more secure," he said.

While Singapore has some of the most advanced weaponry in the region, Koh said the ministry was at increasing risk of being targeted, and attackers could range from high-school students in their basements to criminals and state-actors.


Check whether your corporate computer is protected against the Meltdown and Spectre flaws
22.2.2018 SecurityWorld Vulnerabilities

Microsoft's Windows Analytics service can now examine enterprise computers running Windows 10, 8.1 and 7 and determine whether the systems are vulnerable to the Meltdown and Spectre flaws found in processors.

The new capability, which falls under the service's "Upgrade Readiness" section, was introduced by Terry Myerson, the Microsoft executive in charge of Windows. Myerson called the vulnerabilities "a challenge for all of us", since they stem from the hardware itself rather than from software.

"We have added to our Windows Analytics service the ability to report on the status of all the Windows devices that IT professionals manage," Myerson wrote on Microsoft's blog.

Windows Analytics is an umbrella term for three separate services: Upgrade Readiness, Update Compliance and Device Health. They focus on a computer's readiness for updates and on the "health" of the machine itself, and they draw on the telemetry data Microsoft collects from Windows PCs. Windows Analytics is available only to customers with a Windows Enterprise license.

The Upgrade Readiness service was originally meant to identify the machines best suited for upgrading from Windows 7 and 8.1 to Windows 10. It also recommends which systems should be the first to move to the newest build, that is, the newest version of the operating system.

With the update aimed at verifying protection against Meltdown and Spectre, the service shows IT administrators whether a computer's antivirus software is compatible with the updates Microsoft released last week, which are meant to better protect computers against both vulnerabilities.

Upgrade Readiness also identifies which systems are already protected against Meltdown and Spectre, and which PCs have the updates temporarily disabled. It also provides information about the firmware updates that Intel is issuing in cooperation with Microsoft.

Because both Meltdown and Spectre reside directly in the processor, a firmware update is the best defense (short of physically replacing the processor). Initially Upgrade Readiness will cover only Intel, but according to Myerson "we will add partner CPUs as soon as their data is available to Microsoft".

Zack Dvorak, a Microsoft program manager, warns however that users may initially see a number of unknown or empty fields when using the service. "We are working on improving the data provided by Upgrade Readiness and will show you new information as soon as possible."


Google white-hat hackers disclose critical vulnerabilities in uTorrent clients
22.2.2018 securityaffairs Vulnerability

White-hat hackers at Google Project Zero have discovered two critical remote code execution vulnerabilities in BitTorrent's web-based uTorrent Web client and its uTorrent Classic desktop client.
uTorrent, with tens of millions of active users a day, is one of the most popular torrent clients. The researchers could exploit the vulnerabilities to deliver malware to the target computer or to view the user's past downloads.

Project Zero researcher Tavis Ormandy published a detailed analysis of the issues because they had not been fixed within the 90-day window set by Project Zero's disclosure policy.


The flaws are tied to several JSON-RPC issues, that is, problems in the way the applications handle JavaScript Object Notation (JSON) requests to their built-in remote procedure call (RPC) servers.

“By default, utorrent create an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications,” reads the technical analysis.

Both the desktop and the web-based uTorrent clients expose a web interface, and the JSON-RPC issues make the attack described by Ormandy possible.

Ormandy found that an attacker can trigger the flaws by embedding, in an ordinary web page, requests that talk to uTorrent's local RPC server.

An attacker can exploit the vulnerability to change the torrent download folder and download a file to any writable location. Changing the download directory to the Windows Startup folder and then downloading an executable, for instance, yields a file that runs on every boot. The same flaw exposes the user's download activity.

Ormandy explained that remote exploitation requires a DNS rebinding attack, which lets JavaScript hosted on a website reach the local network, bypassing the same-origin policy (SOP).

“This requires some simple DNS rebinding to attack remotely, but once you have the (authentication) secret you can just change the directory torrents are saved to, and then download any file anywhere writable,” Ormandy wrote.

“The authentication secret is not the only data accessible within the webroot – settings, crashdumps, logs and other data is also accessible. As this is a complete remote compromise of the default uTorrent web configuration, I didn’t bother looking any further after finding this,” the researcher added.


Ormandy commented on Twitter (@taviso, 10:08 PM, Feb 20, 2018): "Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit. 😩"

He followed up at 10:20 PM the same day: "I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh."

Ormandy released proof-of-concept (PoC) code for the flaws he discovered.

This week, BitTorrent released an official statement on the matter:

“On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).”


Russia-linked Sofacy APT group shifts focus from NATO members toward the Middle East and Central Asia
22.2.2018 securityaffairs APT

Experts from Kaspersky have highlighted a shift in the Sofacy APT group's interests, from NATO member countries and Ukraine toward the Middle East and Central Asia.
The Russia-linked APT28 group (aka Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium) is in the headlines again. This time Kaspersky's security experts have documented its targeting moving away from NATO member countries and Ukraine and toward the Middle East and Central Asia.

“Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017.” states Kaspersky.

The experts analyzed infections by the Sofacy backdoor tracked as SPLM (also known as CHOPSTICK and X-Agent): the group had been increasingly targeting former Soviet countries in Central Asia. The hackers mostly went after telecoms companies and defense-related organizations; the primary targets were entities in Turkey, Kazakhstan, Armenia, Kyrgyzstan, Jordan and Uzbekistan.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.


“This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants.” states Kaspersky.

“This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.”

The Zebrocy tool was used by attackers to collect data from victims, researchers observed its involvement in attacks on accounting firms, science and engineering centers, industrial organizations, ministries, embassies and consulates, national security and intelligence agencies, press and translation services, and NGOs.

The researchers noted that the infrastructure used in the latest attacks points to Sofacy; the group's setup has been fairly consistent over the years even though its TTPs have been well documented by security firms. Kaspersky expects to see significant changes this year.

“Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.” continues Kaspersky.

Further details are included in the analysis published by Kaspersky, including Indicators of Compromise (IOCs).


Intel releases Spectre patches for Skylake, Kaby Lake, Coffee Lake
22.2.2018 securityaffairs Vulnerability

Intel has released a stable microcode update addressing the Spectre vulnerability for its Skylake, Kaby Lake and Coffee Lake processors in all their variants.
Intel has released microcode addressing the CVE-2017-5715 Spectre vulnerability (Variant 2) for many of its chips; this time, hopefully, the updates will not cause the problems the previous batch did.

The Spectre attack lets a user-mode application extract information from other processes running on the same system. It can also be exploited by code running inside a process against that process's own memory: malicious JavaScript, for example, can read login cookies for other sites out of the browser's memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Problems such as frequent reboots were linked to the earlier fix for CVE-2017-5715 (Spectre Variant 2) and affected almost every platform, including systems based on Broadwell and Haswell CPUs as well as Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake platforms.


A couple of weeks ago Intel released new microcode for its Skylake processors, now it has announced security updates for Kaby Lake, Coffee Lake and other CPUs.

The microcode is now available for all 6th, 7th, and 8th generation Core processors and also X-series Intel Core products, as well as Xeon Scalable and Xeon D chips.

Intel released the Spectre firmware security updates for the following products:

Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

Intel released beta patches for Broadwell, Gladden, Haswell, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors. The beta patches have been provided to OEMs for their final validation.

The patches for the remaining chips are either in pre-beta or planning phase.

Both Intel and AMD have confirmed they are working on processors with built-in protections against attacks such as Spectre and Meltdown.


Global Cybercrime Costs $600 Billion Annually: Study
21.2.2018 securityweek CyberCrime

The annual cost of cybercrime has hit $600 billion worldwide, fueled by growing sophistication of hackers and proliferation of criminal marketplaces and cryptocurrencies, researchers said Wednesday.

A report by the security firm McAfee with the Center for Strategic and International Studies found theft of intellectual property represents about one-fourth of the cost of cybercrime in 2017, and that other attacks such as those involving ransomware are growing at a fast pace.

Russia, North Korea and Iran are the main sources of hackers targeting financial institutions, while China is the most active in cyber espionage, the report found.

Criminals are using cutting-edge technologies including artificial intelligence and encryption for attacks in cyberspace, with anonymity preserved by using bitcoin or other cryptocurrency, the researchers said.

"We are seeing the bad actor community taking advantage of the innovation in the technology industry," Steve Grobman, chief technology officer for McAfee, told a news conference in Washington.

Even though these technologies can offer "tremendous value" when used for legitimate purposes, they also can be adopted by criminals to hide their tracks, Grobman said.

The McAfee-CSIS report suggested cybercrime costs were rising from a 2014 estimate of $445 billion.

"We were hoping it would flatten, but we didn't see that," said CSIS vice president James Lewis.

One of the reasons for the increase, according to Lewis, is that "there's a whole 'dark web' phenomenon that creates a safe space for criminals to operate."

These dark web marketplaces, the report noted, allow hackers and other criminals to offer their services or sell tools which can be used for attacks, and to sell stolen credit card numbers or other valuable data.

- 'Russia is the leader' -

Lewis said meanwhile the geopolitical risks of cybercrime are a key element in these attacks.

"Our research bore out the fact that Russia is the leader in cybercrime, reflecting the skill of its hacker community and its disdain for western law enforcement," Lewis said.

"North Korea is second in line, as the nation uses cryptocurrency theft to help fund its regime, and we're now seeing an expanding number of cybercrime centers, including not only North Korea but also Brazil, India and Vietnam."

The report said there is often a connection between governments and the cybercrime community.

It noted that in a massive attack against US-based Yahoo, "one of the cybercriminals who hacked Yahoo at the behest of Russian intelligence services... also used the stolen data for spam and credit card fraud for personal benefit."

The study did not attempt to measure the cost of all malicious activity on the internet, but focused on the loss of proprietary business data, online fraud and financial crimes, manipulation directed toward publicly traded companies, cyber insurance and reputational damage.

The global research report comes days after the White House released a report showing cyberattacks cost the United States between $57 billion and $109 billion in 2016, while warning of a "spillover" effect for the broader economy if certain sectors are hit.


Google Researcher Finds Critical Flaws in uTorrent Apps
21.2.2018 securityweek Vulnerability

Google researcher Tavis Ormandy discovered several critical vulnerabilities in the classic and web-based versions of BitTorrent’s uTorrent application. Patches have been released, but the expert says not all flaws have been fixed properly.

Ormandy found that uTorrent Classic and uTorrent Web each create an HTTP RPC server, on ports 10000 and 19575 respectively. Vulnerabilities in these RPC servers allow remote attackers to take control of the apps with little user interaction.

In the case of uTorrent Web, which is accessed by users via their web browser, the application relies on a random token that is included in every request for authentication. The problem, according to Ormandy, is that the token can be easily obtained by an attacker from the web root folder and abused to take control of the service.

A malicious actor can exploit the flaw to change the torrent download folder and download a file to any writable location. For example, a hacker could change the download directory to the Startup folder in Windows and download an executable file, which would run on every startup.

An exploit can be executed remotely using a DNS rebinding attack, which allows JavaScript code hosted on a website to create a bridge to the local network, effectively bypassing the same-origin policy (SOP).
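Both uTorrent write-ups on this page (the securityaffairs piece above and this one) describe the same mechanism: a page served from attacker-controlled DNS is re-pointed at 127.0.0.1, so its XMLHttpRequest calls reach the local RPC port while the browser still treats them as same-origin. The example below is added here and is not uTorrent's or Project Zero's code. It shows the server-side check that defeats the trick, validating the Host header (and Origin, for ordinary cross-site requests) against a loopback allowlist, beside the pre-fix behaviour of trusting anything that reaches the port. The port number comes from the article; the hostnames, the allowlist and the request headers are constructed for the demo.

```python
"""DNS-rebinding guard for a localhost HTTP RPC server (added example).

The attack: the browser first resolves attacker.example to the attacker's
server, which serves the page; after a short TTL the name resolves to
127.0.0.1, so the page's XMLHttpRequest to http://attacker.example:10000/
reaches the local RPC port while the browser still considers it
same-origin.  The one artifact the local server can see is the Host
header, which names attacker.example rather than localhost.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

RPC_PORT = 10000                                      # uTorrent Classic default (article)
LOCAL_NAMES = {"localhost", "localhost.localdomain"}  # assumed allowlist for the demo


def _is_local_name(name):
    """True for an allow-listed name or any loopback IP literal."""
    name = (name or "").lower()
    if name in LOCAL_NAMES:
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False


def host_is_local(host_header, expected_port=RPC_PORT):
    """Accept only a Host header naming a loopback host on our own port."""
    if not host_header:
        return False                               # no Host at all: refuse
    try:
        parts = urlsplit("//" + host_header)       # handles host:port and [v6]:port
        port = parts.port if parts.port is not None else 80
    except ValueError:                             # bad port or bad IPv6 literal
        return False
    return port == expected_port and _is_local_name(parts.hostname)


def origin_is_local(origin_header, expected_port=RPC_PORT):
    """Origin is absent on same-origin GETs; when present it must be local."""
    if origin_header is None:
        return True
    if origin_header == "null":                    # sandboxed / opaque origin
        return False
    parts = urlsplit(origin_header)
    return parts.scheme in ("http", "https") and host_is_local(parts.netloc, expected_port)


def vulnerable_accepts(headers):
    """Pre-fix behaviour: anything that reaches the port is trusted."""
    return True


def hardened_accepts(headers, expected_port=RPC_PORT):
    """Fixed behaviour: Host and Origin must both point at loopback."""
    return (host_is_local(headers.get("Host"), expected_port)
            and origin_is_local(headers.get("Origin"), expected_port))


class GuardedRPCHandler(BaseHTTPRequestHandler):
    """Minimal handler that runs the guard before any RPC method."""

    def do_GET(self):
        if not hardened_accepts(self.headers):
            self.send_error(403, "Host/Origin not local (possible DNS rebinding)")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"status": "ok"}')     # stand-in for a real RPC reply

    do_POST = do_GET


# Constructed request headers, as the local server would see them.
REQUESTS = {
    "legit":      {"Host": "localhost:10000"},                      # user's own UI
    "rebound":    {"Host": "attacker.example:10000"},               # after DNS rebinding
    "cross_site": {"Host": "127.0.0.1:10000", "Origin": "http://attacker.example"},
    "v6_local":   {"Host": "[::1]:10000", "Origin": "http://[::1]:10000"},
}


def demo():
    """Map each request name to (vulnerable_verdict, hardened_verdict)."""
    return {name: (vulnerable_accepts(h), hardened_accepts(h)) for name, h in REQUESTS.items()}


if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print(f"{name:10s} vulnerable={old!s:5} hardened={new}")
    # Run the guarded server with:
    # HTTPServer(("127.0.0.1", RPC_PORT), GuardedRPCHandler).serve_forever()
```

The Host check is the one that matters for rebinding: after the DNS answer flips to 127.0.0.1 the browser has no reason to send an Origin header on a same-origin GET, so a server that only looks at Origin (or at a CSRF token it also serves from its webroot) still lets the rebound request through. Requiring the port to match as well rejects a Host of plain `localhost`, which a browser would only send for port 80.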

Ormandy noted that the web root folder also contains other data – not just the authentication token – including settings, logs and crash dump files.

In the case of uTorrent Classic, the Google researcher discovered a vulnerability that allows a malicious website to obtain the targeted user’s download history.

The expert also noticed that the application disables the ASLR and GS exploit mitigations, and that the guest account does not actually disable some features that the app's documentation says are disabled for security reasons.

Finally, Ormandy found a design flaw related to the use of the Mersenne Twister pseudorandom number generator (PRNG) for creating authentication tokens and cookies, session identifiers, and pairing keys.
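The Mersenne Twister design flaw deserves a concrete illustration. MT19937's 32-bit outputs are a reversible transformation of its internal state, so an attacker who collects 624 consecutive outputs can rebuild the generator and predict every token it mints afterwards. The following is an added example written for this page, not uTorrent's code: it uses Python's random module (which is MT19937) as the stand-in generator, mints tokens from it, recovers the state from tokens an attacker has seen, and contrasts the OS CSPRNG via the secrets module. The token format and the assumption that the attacker observed the generator's first 624 outputs after seeding (one aligned state block) are this demo's.

```python
"""Predicting tokens minted from a Mersenne Twister (added example).

MT19937 is a statistical PRNG, not a cryptographic one: each 32-bit output
is a state word passed through an invertible 'tempering' step.  Undo the
tempering on 624 consecutive outputs and you hold the full state.
Python's random.Random is MT19937 and stands in for the misused generator.
"""
import random
import secrets

N = 624  # MT19937 state size in 32-bit words


def _unshift_right(y, shift):
    """Invert y ^= y >> shift: the top `shift` bits are unchanged, work downward."""
    result, i = 0, 0
    while i * shift < 32:
        mask = ((0xFFFFFFFF << (32 - shift)) & 0xFFFFFFFF) >> (i * shift)
        part = y & mask              # this chunk is already correct
        y ^= part >> shift           # remove its contribution from the next chunk
        result |= part
        i += 1
    return result


def _unshift_left(y, shift, and_mask):
    """Invert y ^= (y << shift) & and_mask: low `shift` bits unchanged, work upward."""
    result, i = 0, 0
    while i * shift < 32:
        mask = (0xFFFFFFFF >> (32 - shift)) << (i * shift)
        part = y & mask
        y ^= (part << shift) & and_mask
        result |= part
        i += 1
    return result & 0xFFFFFFFF


def untemper(y):
    """Undo MT19937 output tempering (the four steps, in reverse order)."""
    y = _unshift_right(y, 18)
    y = _unshift_left(y, 15, 0xEFC60000)
    y = _unshift_left(y, 7, 0x9D2C5680)
    y = _unshift_right(y, 11)
    return y


def untemper_check(seed):
    """Sanity check: untempering the first output yields state word 0."""
    rng = random.Random(seed)
    first = rng.getrandbits(32)
    return untemper(first) == rng.getstate()[1][0]


def clone_from_outputs(outputs):
    """Return a generator in the same state as the one that produced `outputs`.

    Assumes the 624 outputs form one full state block (here: the victim's
    first 624 outputs after seeding); index N marks the block as consumed.
    """
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (N,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def weak_token(rng):
    """A 16-hex-char token built from two MT outputs: the misuse being shown."""
    return "%08x%08x" % (rng.getrandbits(32), rng.getrandbits(32))


def strong_token():
    """Same shape, from the OS CSPRNG: no state to recover from past tokens."""
    return secrets.token_hex(8)


def attack_demo(seed=0x5EED):
    """Attacker sees 312 tokens (624 words), clones the PRNG, predicts the next 3."""
    victim = random.Random(seed)                         # service PRNG, seeded at start-up
    seen = [weak_token(victim) for _ in range(N // 2)]   # leaked, e.g. via logs or a webroot
    words = [int(t[i:i + 8], 16) for t in seen for i in (0, 8)]
    clone = clone_from_outputs(words)
    predicted = [weak_token(clone) for _ in range(3)]
    actual = [weak_token(victim) for _ in range(3)]      # what the service mints next
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = attack_demo()
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual, "| CSPRNG token:", strong_token())
```

A real service rarely hands out outputs in a neatly aligned block, but that only changes the bookkeeping: once enough consecutive words are known the state is fully determined, and no amount of mixing MT outputs into hex, base64 or cookie names adds secrecy. The only fix is a generator whose outputs do not determine its state, which is what `secrets` (and the OS CSPRNG behind it) provides.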

The vulnerabilities were reported to BitTorrent on November 27 and they were made public on Tuesday. Ormandy released technical details and proof-of-concept (PoC) code for the more serious of the vulnerabilities he discovered.

The latest beta version of uTorrent Classic (3.5.3 build 44352) patches the flaws, but Ormandy noted that it still disables the ASLR mitigation. BitTorrent says the fixes will be delivered automatically to users over the next days.

As for uTorrent Web, BitTorrent has attempted to implement a patch, but the Google Project Zero researcher says he has managed to bypass it.

BitTorrent VP of Engineering Dave Rees told SecurityWeek that the company only learned of the uTorrent Web vulnerability this week. Nevertheless, the company believes that all vulnerabilities discovered by Ormandy in the two products have been addressed.

uTorrent is not the only torrent application found to be vulnerable to DNS rebinding attacks. In January, Ormandy revealed that he had managed to execute arbitrary code via such an attack against the Transmission client.


Hacker Detection Firm Vectra Networks Raises $36 Million
21.2.2018 securityweek IT

Vectra Networks, a cybersecurity firm that helps customers detect “in-progress” cyberattacks, today announced that it has closed a $36 million Series D funding round, bringing the total amount raised to date by the company to $123 million.

The company said the investment would be used to expand sales and marketing, fuel product development of its Cognito threat hunting platform, and open a new research-and-development (R&D) center in Dublin, Ireland.

Vectra describes its flagship Cognito platform as a solution that “performs non-stop, automated threat hunting with always-learning behavioral models to quickly and efficiently find hidden and unknown attackers before they do damage.”


The Series D funding round was led by growth equity fund Atlantic Bridge, with the Ireland Strategic Investment Fund (ISIF) and Nissho Electronics Corp. Returning investors Khosla Ventures, Accel Partners, IA Ventures, AME Cloud Ventures, DAG Ventures and Wipro Ventures also participated in the funding.

“This is an exciting investment for ISIF that promises significant economic impact for Ireland,” said Fergal McAleavey, head of private equity at ISIF. “It is encouraging to see Ireland leverage its emerging expertise in artificial intelligence by attracting businesses such as Vectra that are on the leading edge of technology. With cybersecurity becoming critical for all organizations, we are confident Vectra will deliver a strong economic return on our investment while creating high-value R&D employment here in Ireland.”

The new Dublin facility is expected to add up to 100 jobs in Ireland over the next five years, the company said.

Vectra also has R&D facilities in San Jose, Calif., Austin, Texas and Cambridge, Mass.


Malicious RTF Persistently Asks Users to Enable Macros
21.2.2018 securityweek Virus Vulnerability

A malicious RTF (Rich Text Format) document has been persistently displaying an alert to ask users to enable macros, Zscaler security researchers have discovered.

As part of this unique infection chain, the malicious document forces the victims to execute an embedded VBA macro designed to download the QuasarRAT and NetWiredRC payloads.

While analyzing the attack, the security researchers discovered that the actor included macro-enabled Excel sheets inside the malicious RTF documents, to trick users into allowing the execution of payloads.

The RTF document features the .doc extension and is opened with Microsoft Word. When that happens, a macro warning popup is displayed, prompting the user to either enable or disable the macro.

However, the malicious RTF document repeatedly displays the warning popups even if the targeted user clicks on the “Disable Macros” button. By persistently displaying the alert, the malicious actor increases the chances for the user giving in and allowing the macro to run.

The analyzed malicious RTF contains 10 embedded Excel spreadsheets, meaning that the warning is displayed 10 times. Users can’t stop these popups unless they click through all of them or force-quit Word, Zscaler notes.

The attack relies on the use of “\objupdate” control for the embedded Excel sheet objects (OLE object). This function would trigger the macro code inside the embedded Excel sheet when the RTF document is being loaded in Microsoft Word, thus causing the multiple macro warning popups to appear.

The same “\objupdate” control was observed being abused in attacks leveraging the CVE-2017-0199 vulnerability that Microsoft patched in April last year. The new attack, however, does not exploit this vulnerability or another Office security flaw.
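A triage check for the two traits described above (an RTF body behind a .doc extension, and embedded Office objects carrying \objupdate), as an added example that is not Zscaler's code. The RTF sample is constructed, and the group parser is deliberately minimal: it only brace-matches {\object ...} groups and reads \objclass and \objupdate inside them.

```javascript
// Added example, not from Zscaler. Constructed RTF: three embedded objects,
// two Excel sheets with \objupdate and one package object without it.
const SAMPLE_RTF = String.raw`{\rtf1\ansi\deff0
{\fonttbl{\f0 Calibri;}}
\pard Invoice attached.\par
{\object\objemb\objupdate{\*\objclass Excel.Sheet.8}\objw1000\objh1000{\*\objdata 0105000002000000}}
{\object\objemb\objupdate{\*\objclass Excel.Sheet.8}\objw1000\objh1000{\*\objdata 0105000002000000}}
{\object\objemb{\*\objclass Package}\objw1000\objh1000{\*\objdata 00}}
}`;

// Return the RTF group that starts at `start` ("{"), honouring \{ \} escapes.
function readGroup(rtf, start) {
  let depth = 0;
  for (let i = start; i < rtf.length; i++) {
    const ch = rtf[i];
    if (ch === "\\") { i++; continue; }           // skip the escaped character
    if (ch === "{") depth++;
    else if (ch === "}" && --depth === 0) return rtf.slice(start, i + 1);
  }
  return rtf.slice(start);                         // unterminated: take the rest
}

// Every {\object ...} group in the document, as raw text.
function extractObjectGroups(rtf) {
  const groups = [];
  let pos = 0;
  for (;;) {
    const at = rtf.indexOf("{\\object", pos);
    if (at === -1) break;
    const group = readGroup(rtf, at);
    groups.push(group);
    pos = at + group.length;
  }
  return groups;
}

// Describe one object group: its class (if declared) and whether it asks
// Word to update it on load, which is what forces the embedded macro prompt.
function describeObject(group) {
  const cls = /\\objclass\s+([^}]+)\}/.exec(group);
  return {
    objclass: cls ? cls[1].trim() : null,
    autoUpdate: /\\objupdate\b/.test(group),
  };
}

// Verdict for one file: true RTF under a non-.rtf extension plus any
// auto-updating Office object is the pattern described in the article.
function analyzeRtf(filename, content) {
  const isRtf = /^\s*\{\\rtf1/.test(content);
  const ext = filename.toLowerCase().split(".").pop();
  const objects = isRtf ? extractObjectGroups(content).map(describeObject) : [];
  const autoUpdateOffice = objects.filter(
    (o) => o.autoUpdate && o.objclass !== null && /^(Excel|Word|PowerPoint)\./i.test(o.objclass)
  );
  return {
    isRtf,
    extensionMismatch: isRtf && ext !== "rtf",
    objectCount: objects.length,
    autoUpdateOfficeObjects: autoUpdateOffice.length,
    suspicious: autoUpdateOffice.length > 0,
  };
}
```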

The actor behind this campaign used two variations of the malicious macro. The code executes a PowerShell command to download intermediate payloads using Schtasks and cmd.exe. By performing registry modifications, the malware would also permanently enable macros for Word, PowerPoint, and Excel.

The macro downloads a malicious VBS file which terminates all running Word and Excel instances, downloads a final payload using the HTTPS protocol and executes the payload.

Next, it enables macros for Office and disables protected view settings in the suite, creates a scheduled task to run the downloaded payload after 200 minutes, deletes the scheduled task, and downloads an additional payload to the same location.

Zscaler observed the attack dropping two Remote Access Trojans (RATs), namely NetwiredRC and QuasarRAT. NetwiredRC can find files, launch remote shell, log keystrokes, capture screen, steal passwords, and more. QuasarRAT is free and open source, and is believed to be an evolution of xRAT. It has features such as remote webcam, remote shell, and keylogging.


Intel Releases Spectre Patches for More CPUs
21.2.2018 securityweek Vulnerability

Intel has released firmware updates that fix the Spectre vulnerability for many of its processors and patches for dozens more are nearly ready for use in production environments.

After the first round of microcode updates released by the company caused problems for many users, including more frequent reboots and unstable systems, Intel started working on a new set of patches that should address these issues.

The company first released new firmware updates for its Skylake processors, but on Tuesday it announced that patches are now also available for Kaby Lake, Coffee Lake and other CPUs. This includes 6th, 7th, and 8th generation, and X-series Intel Core products, as well as Xeon Scalable and Xeon D processors used in data center systems.

As of February 21, the following products have Spectre firmware patches ready for use in production environments: Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

Beta patches, which have been provided to OEMs under NDA for validation, are currently available for Broadwell, Gladden, Haswell, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors.

As for the remaining CPUs, patches are either in pre-beta or planning phase, but pre-mitigation microcode updates, which should be replaced once production fixes are released, are available for many products.

The patches are generally available through OEM firmware updates. Device manufacturers started releasing BIOS updates to patch the Meltdown and Spectre vulnerabilities shortly after their disclosure, but many decided to halt the updates after Intel warned of instability issues. Some vendors have resumed the distribution of firmware updates.

Meltdown attacks are possible due to a vulnerability tracked as CVE-2017-5754, while Spectre attacks are possible due to flaws tracked as CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be patched with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Both Intel and AMD announced recently that they are working on processors that will have built-in protections against Spectre- and Meltdown-like exploits.

In the meantime, Intel faces more than 30 lawsuits, including ones filed by customers and shareholders, over the Meltdown and Spectre vulnerabilities.


North Korea Cyber Threat 'More Aggressive Than China': US Firm
21.2.2018 securityweek BigBrothers

North Korean hackers are becoming more aggressive than their Chinese counterparts, a leading US cybersecurity firm warned Tuesday, as it identified a Pyongyang-linked group as an "advanced persistent threat".

It was the first time that FireEye had used the designation for a North Korean-based group.

Analysts say the isolated and impoverished but nuclear-armed North has stepped up hacking operations partly to raise money for the cash-strapped regime, which is subject to multiple sanctions over its atomic weapons and ballistic missile programs.

North Korea has previously been blamed for the WannaCry ransomware that briefly wreaked havoc around the world last year -- an accusation it angrily denies.

FireEye said North Korean operatives had expanded their targets beyond South Korea and mounted increasingly sophisticated attacks, adding it had identified a suspected North Korean cyberespionage group it dubbed "APT37" -- standing for "advanced persistent threat".

APT37 was "primarily based in North Korea", it said, and its choice of targets "aligns with North Korean state interests".

"We assess with high confidence that this activity is carried out on behalf of the North Korean government," it added.

APT37 has been active at least since 2012, it said, previously focused on "government, military, defence industrial base and media sector" in the rival South before widening its range to include Japan, Vietnam and the Middle East last year, and industries ranging from chemicals to telecommunications.

"This group should be taken seriously," FireEye added.

FireEye's first APT was identified in a 2013 report by company division Mandiant, which said that hackers penetrating US newspapers, government agencies and companies "are based primarily in China and that the Chinese government is aware of them".

One group, it said then, was believed to be a branch of the People's Liberation Army in Shanghai called Unit 61398. Five of its members were later indicted by US federal prosecutors on charges of stealing information from US firms, provoking a diplomatic row between Washington and Beijing.

"We have seen both North Korean and Chinese operations range from simplistic to very technically sophisticated," FireEye's director of intelligence analysis John Hultquist told AFP.

"The sharpest difference between the two really lies in the aggressive nature of North Korean operations," he added.

"Whereas Chinese actors have typically favoured quiet espionage, North Korea has demonstrated a willingness to carry out some very aggressive activity, ranging from attack to outright global crime."

But the WannaCry ransomware, he believes, was the work of a different North Korean group. "Thus far, we have only found APT37 doing the quiet espionage but they are a tool the regime can use aggressively."

The North is known to operate an army of thousands of well-trained hackers that have attacked South Korean firms, institutions and even rights groups helping North Korean refugees.

Its cyberwarfare abilities first came to prominence when it was accused of hacking into Sony Pictures Entertainment to take revenge for "The Interview," a satirical film that mocked its leader Kim Jong Un.

More recently, according to analysts, the North's hackers have stepped up campaigns to raise funds by attacking cryptocurrency exchanges as the value of bitcoin and other cybercurrencies soared.


Top Experts Warn Against 'Malicious Use' of AI
21.2.2018 securityweek Virus


Artificial intelligence could be deployed by dictators, criminals and terrorists to manipulate elections and use drones in terrorist attacks, more than two dozen experts said Wednesday as they sounded the alarm over misuse of the technology.

In a 100-page analysis, they outlined a rapid growth in cybercrime and the use of "bots" to interfere with news gathering and penetrate social media among a host of plausible scenarios in the next five to 10 years.

"Our report focuses on ways in which people could do deliberate harm with AI," said Seán Ó hÉigeartaigh, Executive Director of the Cambridge Centre for the Study of Existential Risk.

"AI may pose new threats, or change the nature of existing threats, across cyber-, physical, and political security," he told AFP.

The common practice, for example, of "phishing" -- sending emails seeded with malware or designed to finagle valuable personal data -- could become far more dangerous, the report detailed.

Currently, attempts at phishing are either generic but transparent -- such as scammers asking for bank details to deposit an unexpected windfall -- or personalised but labour intensive -- gleaning personal data to gain someone's confidence, known as "spear phishing".

"Using AI, it might become possible to do spear phishing at scale by automating a lot of the process" and making it harder to spot, Ó hÉigeartaigh noted.

In the political sphere, unscrupulous or autocratic leaders can already use advanced technology to sift through mountains of data collected from omnipresent surveillance networks to spy on their own people.

"Dictators could more quickly identify people who might be planning to subvert a regime, locate them, and put them in prison before they act," the report said.

Likewise, targeted propaganda along with cheap, highly believable fake videos have become powerful tools for manipulating public opinion "on previously unimaginable scales".

An indictment handed down by US special prosecutor Robert Mueller last week detailed a vast operation to sow social division in the United States and influence the 2016 presidential election in which so-called "troll farms" manipulated thousands of social network bots, especially on Facebook and Twitter.

Another danger zone on the horizon is the proliferation of drones and robots that could be repurposed to crash autonomous vehicles, deliver missiles, or threaten critical infrastructure to gain ransom.

- Autonomous weapons -

"Personally, I am particularly worried about autonomous drones being used for terror and automated cyberattacks by both criminals and state groups," said co-author Miles Brundage, a researcher at Oxford University's Future of Humanity Institute.

The report details a plausible scenario in which an office-cleaning SweepBot fitted with a bomb infiltrates the German finance ministry by blending in with other machines of the same make.

The intruding robot behaves normally -- sweeping, cleaning, clearing litter -- until its hidden facial recognition software spots the minister and closes in.

"A hidden explosive device was triggered by proximity, killing the minister and wounding nearby staff," according to the sci-fi storyline.

"This report has imagined what the world could look like in the next five to 10 years," Ó hÉigeartaigh said.

"We live in a world fraught with day-to-day hazards from the misuse of AI, and we need to take ownership of the problems."

The authors called on policy makers and companies to make robot-operating software unhackable, to impose security restrictions on some research, and to consider expanding laws and regulations governing AI development.

Giant high-tech companies -- leaders in AI -- "have lots of incentives to make sure that AI is safe and beneficial," the report said.

Another area of concern is the expanded use of automated lethal weapons.

Last year, more than 100 robotics and AI entrepreneurs -- including Tesla and SpaceX CEO Elon Musk, and British astrophysicist Stephen Hawking -- petitioned the United Nations to ban autonomous killer robots, warning that the digital-age weapons could be used by terrorists against civilians.

"Lethal autonomous weapons threaten to become the third revolution in warfare," after the invention of machine guns and the atomic bomb, they warned in a joint statement, also signed by Google DeepMind co-founder Mustafa Suleyman.

"We do not have long to act. Once this Pandora's box is opened, it will be hard to close."

Contributors to the new report -- entitled "The Malicious Use of AI: Forecasting, Prevention, and Mitigation" -- also include experts from the Electronic Frontier Foundation, the Center for a New American Security, and OpenAI, a leading non-profit research company.

"Whether AI is, all things considered, helpful or harmful in the long run is largely a product of what humans choose to do, not the technology itself," said Brundage.


Palo Alto Networks Releases New Rugged Firewall
21.2.2018 securityweek Safety

Palo Alto Networks on Tuesday announced that it has updated its PAN-OS operating system and released a new next-generation firewall designed for use in industrial and other harsh environments.

The new PA-220R is a ruggedized NGFW that can be used by various types of organizations, including power plants, utility substations, oil and gas facilities, manufacturing plants, and healthcare organizations. During beta testing, the product was also used for railway systems, defense infrastructure, and even amusement parks.


The PA-220R is designed to withstand extreme temperatures, vibration, humidity, dust, and electromagnetic interference.

Palo Alto Networks said the product works with various industrial applications and protocols, including OSIsoft PI, Siemens S7, Modbus, DNP3, and IEC 60870-5-104.

“For early-engagement customers and many of our expected users of the PA-220R, the situation is that they have industrial assets in harsh environments that have been modernized or are being modernized as part of their OT digital transformation initiatives,” explained Del Rodillas, director of industrial cybersecurity product marketing at Palo Alto Networks. “In many of these initiatives, the automation piece is cutting-edge, but the provisions for cybersecurity are lagging, leaving these organizations exposed.”

“As additional motivation for the security upgrade, some harsh-environment remote sites have grown in complexity and require local segmentation to improve visibility and control over local traffic. There are also use cases which require direct site-to-site connectivity instead of requiring users to go up through SCADA first in order to get to other sites,” Rodillas added.

The PA-220R firewall runs Palo Alto Networks’ PAN-OS operating system, which the company updated to version 8.1 this week.

According to Palo Alto Networks, PAN-OS 8.1 brings many improvements, including simplified implementation of application-based security policies, streamlined decryption of SSL traffic, better performance thanks to new hardware, new management features, and enhanced threat detection and prevention.


Automated Compliance Testing Tool Accelerates DevSecOps
21.2.2018 securityweek Privacy

Chef Software's InSpec 2.0 Compliance Automation Tool Helps Organizations Maintain an Up-to-Date View of Compliance Status

Software developers are urged to include security throughout the development cycle. This requires testing for compliance with both house rules and regulatory requirements before an application is released. Compliance testing is difficult, time-consuming and often subject to human error.

A January survey by Seattle-based software automation firm Chef Software shows that 74% of development teams assess for software compliance issues manually, and half of them remediate manually. Chef further claims that 59% of organizations do not assess for compliance until the code is running in production, and 58% of organizations need days to remediate issues.

Now Chef has released InSpec version 2.0 of its compliance automation technology. InSpec evolved from technology acquired with the purchase of German startup company VulcanoSec in 2015. The latest version improves performance and adds new routines. Chef claims it offers 90% Windows performance gains (30% on Linux/Unix) over InSpec 1.0. New in version 2.0 is the ability to verify AWS and Azure policies (with the potential to eliminate accidental public access to sensitive data in S3 buckets); and more than 30 new built-in resources.

The S3 bucket compliance problem is an example of InSpec's purpose. Earlier this month, two separate exposed databases were discovered in AWS S3 buckets. Last week, FedEx was added to the growing list, with (according to researchers) a database of "more than 119 thousands of scanned documents of US and international citizens, such as passports, driving licenses, security IDs etc."

In each case -- and the many more examples disclosed during 2017 -- the cause was simple: the databases were set for public access. The potential regulatory compliance effects, however, are complex. Just the EU General Data Protection Regulation (GDPR, coming into effect in May 2018) would have left FedEx liable to a fine of up to 4% of its global revenue if any of the 'international citizens' were citizens of the EU. FedEx revenue for 2017 is approximately $60 billion.

In all cases the cause was most likely simple human error. But this discloses a bigger problem within secure and compliant software development: it involves multiple stakeholders with different priorities and, to a degree, different languages of expression. "Compliance requirements are often specified by high level compliance officers in high level ambiguous Word documents," explains Julian Dunn, Chef's director of product marketing.

"But at the implementation level you have the DevOps folks who are in charge of the systems -- but they don't understand ambiguous Word documents. What they understand is code, computer systems and the applications. There's a failure to communicate because everyone uses different tools to do so -- and that just slows down the process."

InSpec 2.0's ability to verify AWS and Azure policies has the potential to eliminate public access to sensitive data in S3 buckets. It provides a simple, easy-to-understand, code-like method of defining compliance requirements. These requirements are then regularly checked against the company's infrastructure, both cloud and on-prem. A few lines of this code language would solve the S3 bucket exposure problem, for example: "it { should have_mfa_enabled }" and "it { should_not have_access_key }".

Another example could be a database that compliance requires has access controls. For a Red Hat Linux system, the InSpec code would include, "control "ensure_selinux_installed" do", and "it { should be_installed }".

InSpec then regularly checks the infrastructure and detects whether anything is not compliant or has slipped out of compliance with the specified rules. It is part of the InSpec cycle that Chef describes as 'detect, correct, automate'. Detection provides visibility into current compliance status to satisfy audits and drive decision-making; correction is the remediation of issues to improve performance and security; and automation allows for faster application deployment and continuous code risk management.

"We help the customer in the automate phase with pre-defined profiles around the common regulatory requirements," explains Dunn. "But InSpec is fundamentally a generic toolkit for expressing rules and positive and negative outcomes from those rules -- so it deals with everything from soft compliance (rules of the house) all the way through to GDPR, PCI, SOX and so on."

But there is a further benefit. Software development has embraced the concept of DevOps to avoid siloed software development and deployment. Increasing security compliance regulations are now driving the concept of DevSecOps, to bring the security team into the mix. InSpec automatically involves security and compliance with the code development process -- a fully-functioning DevSecOps environment able to improve rather than inhibit the agility of software development is an automatic byproduct of InSpec 2.0.


Control Flow Integrity, a fun and innovative Javascript Evasion Technique
21.2.2018 securityaffairs Hacking

Javascript evasion technique – Security Expert Marco Ramilli detailed a fun and innovative way to evade reverse-engineering techniques based on Javascript technology.
Understanding the real code behind a malware sample is a great opportunity for malware analysts, since it increases the chances of understanding what the sample really does. Unfortunately it is not always possible to figure out the “real code”; sometimes the malware analyst needs to use tools like disassemblers or debuggers in order to guess the real malware actions. However, when the sample is implemented in “interpreted code” such as (but not limited to) Java, Javascript, VBS and .NET, there are several ways to get a closer look at the “code”.
Unfortunately attackers know what the analysis techniques are, and they often implement evasive actions in order to reduce the analyst's understanding or to make the overall analysis harder and harder. An evasive technique could be implemented to detect whether the code runs in a VM, to run the code only on given environments, to avoid debugging connectors, or again to evade reverse-engineering operations such as de-obfuscation techniques. Today's post is about that: I'd like to focus my readers' attention on a fun and innovative way to evade reverse-engineering techniques based on Javascript technology.
Javascript is getting more important day by day in terms of attack vector; it is often used as a dropper stage, and its implementation is widely influenced by many flavours and coding styles, but as a bottom line, almost every Javascript malware is obfuscated. The following image shows an example of an obfuscated Javascript payload (taken from one analysis of mine).

Example: Obfuscated Javascript

As a first step the malware analyst would try to de-obfuscate such code by getting into it. Starting from simple “cut and paste” up to more powerful “substitution scripts”, the analyst would try to rename functions and variables in order to split the complexity and make clear what each code section does. But in Javascript there is a nice way to get the callee function name, which could be used to understand if a function name has changed over time: the arguments.callee property, whose .name gives the current function's name (and whose .caller gives the function that called it). By using it the attacker can create a stack trace where it saves the list of names of the executed function chain. The attacker would grab the function names and use them as the key to dynamically decrypt specific, crafted Javascript code. Using this technique the attacker obtains an implicit control flow integrity, because if a function is renamed, or if the function order is slightly different from the designed one, the resulting “hash” would be different. If the hash is different, the generated key would be different as well, and it won't be able to decrypt and launch the specific encrypted code.
But let's take a closer look at what I mean. The following snippet shows a clear (not obfuscated) example explaining this technique. I decided to show non-obfuscated code here just to keep it simple.
var _ = require("underscore");

// Key stream: the i-th key character, cycling over the key length.
function keyCharAt(key, i) {
  return key.charCodeAt(Math.floor(i % key.length));
}

// XOR each character of data with the key stream; returns an array of bytes.
function xor_encrypt(key, data) {
  return _.map(data, function(c, i) {
    return c.charCodeAt(0) ^ keyCharAt(key, i);
  });
}

// Inverse of xor_encrypt: turns the byte array back into a string.
function xor_decrypt(key, data) {
  return _.map(data, function(c, i) {
    return String.fromCharCode(c ^ keyCharAt(key, i));
  }).join("");
}

// Each stage decrypts its payload with its own function name as the key
// (arguments.callee is only available in non-strict code), so renaming the
// function changes the key and the decryption no longer yields valid code.
function cow001() {
  eval(xor_decrypt(arguments.callee.name, [0,0,25,67,95,93,6,65,27,95,87,25,68,34,22,92,89,82,10,0,2,67,16,114,12,1,3,85,94,69,67,59,5,89,87,86,6,29,4,16,120,84,17,10,87,17,23,24]));
}
function pyth001() {
  eval(xor_decrypt(arguments.callee.name, [19,22,3,88,0,1,25,89,66]));
}

// Entry point: pippo -> pyth001 -> (decrypted) cow001() -> final payload.
function pippo() {
  pyth001();
}
pippo();
Each internal stage evaluates (eval()) some content: the functions cow001 and pyth001 evaluate XOR-decrypted contents. The xor_decrypt function takes two arguments: the decoding key and the payload to be decrypted. Each internal stage function uses as decryption key the name of the callee, obtained through the arguments.callee.name property. If the function name is the “designed one” (the one that the attacker used to encrypt the payload), the decrypted content is executed with no exceptions. On the other hand, if the function has been renamed (meaning the analyst changed its name for convenience), the evaluation fails, and the attacker could potentially trigger a different code path (using a simple try/catch statement).
Before releasing the sample in the wild, the attacker needs to prepare the “attack path” by developing the malicious Javascript and obfuscating it. Once the obfuscation has taken place, the attacker needs an additional script (such as the following one) to encrypt the payloads according to the obfuscated function names, and then to replace the payloads in the final, obfuscated Javascript file with the ones encrypted under the obfuscated function names as keys.
"use strict";
var _ = require("underscore");

function keyCharAt(key, i) {
  return key.charCodeAt(Math.floor(i % key.length));
}
function xor_encrypt(key, data) {
  return _.map(data, function(c, i) {
    return c.charCodeAt(0) ^ keyCharAt(key, i);
  });
}
function xor_decrypt(key, data) {
  return _.map(data, function(c, i) {
    return String.fromCharCode(c ^ keyCharAt(key, i));
  }).join("");
}

// Last stage: encrypt the final payload under the name of the function
// that will decrypt it (cow001), and check that it round-trips.
var final_payload = "console.log('Malicious Content Triggers Here !')";
var k_final = "cow001";
var encrypted_final = xor_encrypt(k_final, final_payload);
var decrypted_final = xor_decrypt(k_final, encrypted_final);
console.log(encrypted_final.toString());
console.log(decrypted_final);

// Intermediate stage: the call to cow001 is itself encrypted under the
// name of the function that will hold it (pyth001).
var _1_payload = "cow001();";
var k_1 = "pyth001";
var encrypted_1 = xor_encrypt(k_1, _1_payload);
var decrypted_1 = xor_decrypt(k_1, encrypted_1);
console.log(encrypted_1.toString());
console.log(decrypted_1);
The attacker is now able to write Javascript code that owns its own control flow. By iterating such a concept over and over again, the attacker can block or control the code execution, achieving a complete reverse-engineering evasion technique.
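The analyst-side counterpart of the technique described above, as an added example that is not from Marco Ramilli's post: since every key is the name of a declared function, the scheme can be undone statically by collecting the script's function names and trying each one against each encrypted array, without evaluating anything. The two arrays are the ones from the snippet above; SAMPLE_SOURCE is a constructed stand-in for the script text, and printability plus a reference to another stage name is the scoring heuristic.

```javascript
// Added example, not from the original post. Same XOR scheme, no eval().

// Constructed stand-in for the script under analysis (only the names matter).
const SAMPLE_SOURCE = `
function cow001(){ eval(xor_decrypt(arguments.callee.name, BLOB_A)); }
function pyth001(){ eval(xor_decrypt(arguments.callee.name, BLOB_B)); }
function pippo(){ pyth001(); }
`;
// The two encrypted arrays from the snippet above.
const BLOB_A = [0,0,25,67,95,93,6,65,27,95,87,25,68,34,22,92,89,82,10,0,2,67,16,114,12,1,3,85,94,69,67,59,5,89,87,86,6,29,4,16,120,84,17,10,87,17,23,24];
const BLOB_B = [19,22,3,88,0,1,25,89,66];

function keyCharAt(key, i) {
  return key.charCodeAt(i % key.length);
}

// Same decryption as the sample, without the underscore dependency.
function xorDecrypt(key, data) {
  return data.map((c, i) => String.fromCharCode(c ^ keyCharAt(key, i))).join("");
}

// Every declared function name in the script: the only keys the scheme can use.
function extractFunctionNames(src) {
  const names = new Set();
  const re = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) names.add(m[1]);
  return [...names];
}

// Fraction of printable ASCII (plus tab/newline); real JS scores 1.0.
function printableRatio(s) {
  if (s.length === 0) return 0;
  let n = 0;
  for (const ch of s) {
    const c = ch.charCodeAt(0);
    if ((c >= 32 && c < 127) || c === 9 || c === 10) n++;
  }
  return n / s.length;
}

// Bonus for decrypted text that calls another declared stage by name: the
// chain is stage -> next stage -> payload, so a short wrong-key decryption
// that happens to be printable still loses to the one calling the next stage.
function stageReferences(text, names, own) {
  let n = 0;
  for (const name of names) {
    if (name === own) continue;
    const escaped = name.replace(/\$/g, "\\$");
    if (new RegExp("\\b" + escaped + "\\s*\\(").test(text)) n++;
  }
  return n;
}

// Try every function name against every blob; keep the best-scoring key.
function recoverPayloads(src, blobs, threshold = 0.95) {
  const keys = extractFunctionNames(src);
  return blobs.map((blob, index) => {
    let best = { index, key: null, plaintext: null, score: 0, confident: false };
    for (const key of keys) {
      const plaintext = xorDecrypt(key, blob);
      const score = printableRatio(plaintext) + stageReferences(plaintext, keys, key);
      if (score > best.score) best = { index, key, plaintext, score, confident: false };
    }
    best.confident = best.score >= threshold;
    return best;
  });
}
```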

The original post was published by Marco Ramilli on his blog at the following URL:

https://marcoramilli.blogspot.it/2018/02/control-flow-integrity-javascript.html