Report Highlights Challenges of Incident Response
23.2.2018 securityweek Incindent

False Positives Lead to a Surprising Number of Incident Response Investigations

Helsinki, Finland-based security firm F-Secure has analyzed a random sample of incident response investigations conducted by its security consultants. The resulting report (PDF) cannot be considered a scientific analysis of incident response, but nevertheless provides useful observations.

Some of these observations could be expected; others are perhaps surprising. For example, successful attacks are fairly evenly split between opportunistic and targeted, F-Secure found. Since there are far more opportunistic attacks fueled by mass spam and phishing campaigns, the implication is that targeted attacks are, pro rata, very successful.

Within the industry sectors included in the analysis, there are interesting distinctions. For example, successful attacks against the financial and manufacturing sectors are evenly distributed between opportunistic and targeted. Successful attacks against the gaming and public sectors were (within the confines of this report) always targeted; but such attacks against the insurance, media and telecom sectors are always opportunistic.

It would be interesting to conjecture why this might be so. For example, gaming is almost continuously under one form or another of attack, while the public sector is highly regulated. It would be tempting to suggest that a solid security posture can effectively eliminate most opportunistic attacks.

The report notes that targeted attacks use social engineering to a greater extent than opportunistic attacks. This suggests that an important defense against targeted attacks will be user security awareness training.

Opportunistic attacks, however, are more likely to focus on external technology exploits via internet facing services.

"Opportunistic attacks," say the report's authors, "are often initiated with cost-effective target selection techniques, such as mass scanning the internet and attacking a vulnerable service when a new exploit comes out. This can be done in a matter of minutes using tools readily available on the internet." The implication here is that an effective early patching regime will reduce the success of opportunistic attacks.

Another surprise is the high number of insider-instigated successful attacks. While 'internet exploits' tops the list at 21%, this is closely followed by insiders at 20%. Malicious e-mail attachments and phishing attacks (often considered to be the major threats) are at 18% and 16% respectively.

However, one of the biggest surprises in this report is the number of incident response calls that are false positives. False positives are a common problem during network analysis and incident triaging, but it is surprising how many of these false positives result in a call to an incident response specialist firm like F-Secure.

Thirteen percent of F-Secure incident response investigations were false positives; that is, says the report, "were conducted due to IT problems or other issues being misunderstood as security incidents by the reporting organization."

This is nothing like the number of successful attacks that caused actual damage (79%), but more than the meager 8% of investigations into failed attacks.

These figures lead F-Secure to believe that many companies simply do not have adequate internal incident response capabilities, able to detect and stop an incident before it progresses. “Every incident response process begins with the same question: is it an incident? How fast a company can make that determination, how smooth and efficient their processes and procedures are, the quality of their forensics and technology, and how well-trained their staff is, defines the cost of the answer to that question,” says F-Secure principal security consultant Tom Van de Wiele. “Once an organization has the facts based on detection capabilities, and not rumors or assumptions, then the process can continue with the next step which is usually containment and eradication.”

In a related blog post, F-Secure's Adam Pilkey describes three incident response recommendations for companies. The first is that breach evidence can be found in the system logs. "You'll want to collect other evidence too, although exactly what will depend on your organization, infrastructure, threat model, and other factors."

The second is that a method of filtering the collected data will be necessary. Manually will be too time-intensive; and requires expensive expertise. As an example of the volumes to be expected, F-Secure's specialist sensors collected about 2 million events from one customer in one month. Correlation and analytics brought this number down to 25 genuinely suspicious events -- and manual analysis found they contained 15 actual threats.

The third requirement is knowing what to look for. "Anything out of the ordinary should be a potential concern," writes Pilkey. "You should also cross reference your logs against threat intelligence feeds to find any indicators of compromise (such as finding activity from known malicious IPs)."

GitLab Patches Domain Hijacking Vulnerability
23.2.2018 securityweek Vulnerebility

Open source Git repository management system GitLab has addressed a security hole that could have been exploited to hijack users’ custom domains and point them to malicious content.

GitLab Pages is a feature that allows users to create websites for their projects, groups or user accounts, and then connect them to custom domains and TLS certificates.

White hat hackers noticed that no validation was being performed to ensure that the custom domain added to a user’s Pages site was actually theirs.

A custom domain can be added to GitLab Pages by creating a new DNS A record with an IP address for a Pages server. Since no validation was performed when adding custom domains, an attacker could have identified domains with DNS records pointing to the GitLab Pages server and hijack those domains. When users visited the hijacked domains, they would have been served content from the attacker’s repository.

The attack worked against custom domains that were deleted by users but still had the DNS records for the GitLab server active.

Two researchers reported variations of this issue to GitLab via the company’s bug bounty program on HackerOne. GitLab initially decided not to fix anything, but it started taking action after the second report was submitted.

“Attacker can create fake GitLab account(s) using the email(s) from temporary/anonymous email services. Configure fake email addresses with git for further code commits. Create multiple repositories and add domain name from the vulnerable list. The attacker can then: 1) use the static websites as Command and Control centers for their malware / for other malicious intents, 2) phish the customers / visitors of the legitimate domain owners,” one of the researchers explained in the report submitted via HackerOne.

Proof-of-concept (PoC) exploits created by the researchers revealed that there had been hundreds of vulnerable domains.

GitLab initially disabled the functionality for adding custom domains to GitLab Pages, and this week it rolled out a permanent fix by requiring users to verify ownership when adding a custom domain. Verification is done by adding a DNS TXT record containing a token provided by GitLab to the user’s domain.

Some users pointed out on Hacker News that the problem is similar to the issue that caused Let’s Encrypt last month to disable TLS-SNI-01 validation.

GitHub Enforces Stronger Encryption
23.2.2018 securityweek Safety

GitHub this week permanently disabled a series of weak cryptographic standards across its software development platform in an attempt to better protect users.

As of Feb. 22, 2018, the TLSv1/TLSv1.1 standard is no longer used on HTTPS connections to GitHub. The change affects all web, API, and git connections to https://github.com and https://api.github.com, Patrick Toomey, Application Security Engineer, GitHub, says.

The platform also retired the diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 encryption standards, a move that affects all SSH connections to github.com. This change follows the enabling of the diffie-hellman-group-exchange-sha256 standard on GitHub in September 2017.

The removal of these weak cryptographic standards was initially announced last year, and GitHub has since focused on ensuring that the change won’t have a major impact on its users. At the moment, only a small fraction of traffic uses the deprecated algorithms and clients are expected to automatically transition to the new ones, but some clients are expected to be impacted.

These include older systems that, although no longer maintained, continue to access Git/the GitHub API using the deprecated algorithms. To help mitigate this, the platform disabled support for the old algorithms for one hour on February 8, 2018. This provided a two week grace period for impacted systems to be upgraded.

“As noted above, the vast majority of traffic should be unaffected by this change. However, there are a few remaining clients that we anticipate will be affected. Fortunately, the majority of clients can be updated to work with TLSv1.2,” Toomey notes.

Impacted clients include Git Credential Manager for Windows prior to version 1.14.0, Git clients that shipped with Red Hat 5, 6, and 7 (updating to versions 6.8 and 7.2 or greater should resolve this), JDK releases prior to JDK 8, and Visual Studio (which ships with specific versions of Git for Windows and the Git Credential Manager for Windows).

Newer versions of these programs, however, include support for TLSv1.2 and updating ensures that clients continue to work properly with GitHub even after the deprecation.

Tech Giants Hit by Meltdown, Spectre Respond to Lawmakers
23.2.2018 securityweek Vulnerebility

Intel, AMD, ARM, Apple, Amazon, Google and Microsoft have responded to lawmakers who raised questions last month about the disclosure of the CPU vulnerabilities known as Meltdown and Spectre.

The U.S. House Energy and Commerce Committee announced on January 24 that it had sent letters to the companies hit by the Meltdown/Spectre incident, inquiring about their disclosure process. The tech giants were instructed to respond by February 7 and their responses have now been made public.

The Meltdown and Spectre vulnerabilities, which allow malicious applications to access potentially sensitive data from memory, were discovered independently by researchers at Google and various universities and private companies. Affected vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but it was moved to January 3 after some experts figured out that operating system developers had been preparing patches for what appeared to be critical processor flaws.

The U.S. House Energy and Commerce Committee asked impacted vendors about why and who proposed an embargo, when were US-CERT and CERT/CC notified, the impact of the embargo on critical infrastructure and other technology firms, the resources and best practices used in implementing the embargo, and lessons learned regarding multi-party coordinated disclosure.

Overall, the companies said Google Project Zero, whose researchers discovered the vulnerabilities, set the embargo after consultations with affected firms. Project Zero typically gives vendors 90 days to release patches, but the deadline was significantly extended due to the “complex nature of the vulnerability and mitigations.”

None of the companies notified US-CERT and CERT/CC of Meltdown and Spectre prior to their public disclosure. The agencies learned about the flaws through the public disclosure on January 3, and US-CERT was contacted by Intel on that day and again two days later.

The companies told lawmakers that the embargo and the disclosure process were consistent with industry standard practices designed to protect the public against attacks exploiting unpatched vulnerabilities.

In response to questions regarding impact on critical infrastructure, Intel noted that “the generally understood characteristics of most [industrial control systems] suggest that risk to these systems is likely low.” Many of the major ICS vendors have published advisories to warn users of the risks associated with these attack methods.

As for lessons learned, the tech giants claim they are evaluating the situation in an effort to improve their process in the future, and many say they are open to discussions on this topic.

Use of Fake Code Signing Certificates in Malware Surges
23.2.2018 securityweek Virus

There has been surge in the use of counterfeit code signing certificates to evade security detection solutions, despite the high cost such certificates come with, a new Recorded Future report shows.

Fake code signing certificates are used as a layered obfuscation technique in malware distribution campaigns, but these aren’t always stolen from legitimate owners, but rather issued upon request. The certificates are created for the specific buyer and registered using stolen corporate credentials, thus rendering traditional network defenses less effective, Recorded Future says.

Counterfeit certificates have been around for over half a decade, but the first offerings for such certificates were observed on the Dark Web only several years ago.

In March 2015, a user known as C@T offered on a prolific hacking messaging board a Microsoft Authenticode that could sign 32-bit/64-bit executable files, along with Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and Silverlight 4 applications. Furthermore, Apple code signing certificates were also available, Recorded Future's researchers say.

The advertiser claimed the certificates were issued by Comodo, Thawte, and Symantec and registered under legitimate corporations. The seller also said each certificate was unique and would only be assigned to a single buyer. The seller suggested the certificates would increase the success rate of malware installations 30% to 50% and claimed to have sold over 60 certificates in less than six months.

What prevented C@T’s offer to appeal to a large client base was the prohibitive cost of certificates, which can surpass $1,000 per certificate in some instances.

Several years later, three new actors started offering such services, primarily in the Eastern European underground, and two remain active, providing counterfeit certificates to Russian-speaking individuals.

One of the actors specializes in Class 3 certificates (they do not include Extended Validation (EV) assurance) and offers them at $600. The other seller has a broad range of products in the offering, the researchers discovered.

Standard Comodo code signing certificates (without SmartScreen reputation rating) cost $295, while the most trusted EV certificates from Symantec cost $1,599 (a 230% premium over the authentic certificate). Buyers looking to make bulk purchases would pay $1,799 for fully authenticated domains with EV SSL encryption and code signing capabilities.

“According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities,” Recorded Future notes.

All certificates are created per the buyer’s request, individually, and have an average delivery time of two to four days.

A trial one of the vendors conducted revealed that detection rate of the payload executable of a previously unreported Remote Access Trojan (RAT) decreased upon signing with a recently issued Comodo certificate. Testing a non-resident version of the payload revealed that only one security product recognized the file as malicious.

“Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates,” the security researchers note.

The counterfeit certificates might have experienced a surge, but they are not expected to become mainstream because of their prohibitive cost when compared to crypting services that are readily available at $10-$30 per each encryption. Nonetheless, more sophisticated attackers and nation-state actors will continue employing code signing and SSL certificates in their operations.

Dozen Flaws Found in Trend Micro Email Encryption Gateway
23.2.2018 securityweek Vulnerebility

Researchers have discovered a dozen vulnerabilities in Trend Micro’s Email Encryption Gateway, including several issues rated critical and high severity. A majority of the flaws have been patched by the vendor.

Core Security revealed this week that its employees found several types of vulnerabilities in the Linux-based email encryption product. The most serious of the security holes can allow a local or remote attacker with access to the targeted system to execute arbitrary commands with root privileges.

Core Security has published an advisory detailing each of the vulnerabilities it has found. The flaws have been assigned the CVE identifiers CVE-2018-6219 through CVE-2018-6230.

The most serious of the flaws, rated critical based on its CVSS score, is CVE-2018-6223, an issue related to missing authentication. System admins can configure the virtual appliance running Email Encryption Gateway during the deployment process through a registration endpoint. The problem is that this endpoint can be accessed without authentication, allowing attackers to set administrator usernames and passwords and make other configuration changes.

Six of the flaws found in Email Encryption Gateway have been rated “high severity,” including an arbitrary file write issue that can lead to command execution, a couple of cross-site scripting (XSS) vulnerabilities, a command execution flaw related to arbitrary log file locations, and the lack of a validation mechanism for software updates.

Other flaws identified by Core Security researchers include SQL and XML external entity (XXE) injections.

Trend Micro informed customers that the vulnerabilities impact Email Encryption Gateway 5.5 build 1111 and earlier running on a virtual appliance. Patches for ten of the flaws are included in version 5.5 build 1129. It’s worth pointing out that it took the vendor more than half a year to release fixes.

A medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched “due to the difficulties of implementing and the negative impact on critical normal product function of the proposed resolutions.” However, Trend Micro did provide some mitigations.

The company also pointed out that the Email Encryption Gateway will reach end of life (EOL) soon and advised customers to migrate to the InterScan Messaging Security product, which provides similar features and functionality.

This was not the first time Core Security researchers discovered vulnerabilities in a Trend Micro product. Back in December, the company disclosed the details of five security holes found in Trend Micro’s Smart Protection Server product.

U.S. Enters Final Stage of Net Neutrality Debate
23.2.2018 securityweek BigBrothers

The Federal Communications Commission (FCC) published its official order (PDF) repealing net neutrality rules in the Federal Register on Thursday. This follows the December vote by the commissioners -- 3-2 in support of Chairman Ajit Pai's campaign to abandon the Open Internet Order that began in 2005 and was finally approved by the FCC in 2010.

The basic tenet of net neutrality is that internet service providers may not favor one customer over another. ISPs contend that basic business principles should allow them to offer discounts to major customers. Neutrality supporters fear that this could only be achieved by charging small customers at a higher rate -- and that this would inevitably affect innovation by favoring the existing large customers. Side effects would include the ISPs effectively having the ability to block websites.

Although the FCC ruling is now official, it won't come into effect until April 23; that is, 60 days after publication in the Federal Register. It still has hurdles. Led by New York State attorney general Eric Shneiderman, 23 states have immediately petitioned (PDF) for a judicial review of the Order. The petition asks the court of appeals for the district of Columbia to determine that the order is "arbitrary, capricious, and abuse of discretion". They claim it violates both the Constitution and the Communications Act of 1934, and they "request that this Court hold unlawful, vacate, enjoin, and set aside the Order."

At the same time, several of the states are planning their own state-level net neutrality laws -- effectively telling the ISPs that if they operate the new FCC rules, they won't be allowed to do business in their states.

In San Francisco, Mayor Mark Farrell, who chairs the city's Blue Ribbon Panel on Municipal Fiber, released recommendations designed to stop ISPs compromising net neutrality principles. The plan is for San Francisco to own its own high-speed fiber network. "On the day the FCC is releasing its plan to repeal net neutrality and vital consumer protections, I am releasing San Francisco's plan to fight back against this misguided move that will dismantle the Internet as we know it," Farrell said in a statement.

Meanwhile, in January, Sen. Ed Markey, D-Mass. gathered the support of all his Democratic colleagues, plus one Republican (Sen. Susan Collins of Maine) seeking to kill the order under the Congressional Review Act. If the Democrats are able to gain one more vote in the Senate to overcome the Republican majority, they will be able to prevent the FCC repealing net neutrality both now and again in the future. In reality, this is unlikely since it will require the Senate Majority Leader and the House Speaker -- both Republicans -- to schedule a vote before April 23.

A Consumer Reports survey of more than 1000 Americans in 2017 showed consumer support for the existing net neutrality rules. "One main finding," says the report, "was that the majority of Americans -- 57 percent -- support the current net neutrality regulations that ban ISPs from blocking or discriminating against lawful content on the internet." Only 16% opposed the existing rules. "An even larger majority -- 67 percent -- said that ISPs shouldn't be allowed to choose which websites, apps, or streaming services their customers can access."

In a statement yesterday, the Consumers Union said, "We urge Senators to listen to the consumers they represent and vote to restore these critical net neutrality rules to ensure that internet service providers aren't the gatekeepers to the internet."

During the public comment period for the repeal of net neutrality, the FCC received millions of comments. The process was not without its critics. At one point, the FCC's website went off-line, supposedly either under the weight of comments being submitted or an unrelated DDoS attack. Neutrality activists, however, claimed that the FCC took the website offline to hinder the receipt of negative public comments.

Since then Schneiderman's office undertook its own investigation into the public comments. Among the millions received by the FCC, it concluded that around 2 million were fraudulent, being submitted by people posing to be others -- both living and dead.

This may be partly the motivation for FCC commissioner Jessica Rosenworcel's comments. Rosenworcel was one of two FCC commissioners to vote against the repeal. "This agency has failed the American public," she said. "It turned a blind eye to all kinds of corruption in our public record, from Russian intervention to fake comments to stolen identities in our files. As a result of the mess the agency created, broadband systems will now have the power to block websites, throttle services and censor online content. This is not right,"

America has entered the final stage of the net neutrality debate. Ajit Pai's new approach is in the driving seat -- but the next 60 days will decide whether he succeeds or not.

Chaos backdoor, a malicious code that returns from the past targets Linux servers
23.2.2018 securityaffairs Virus

Security experts from GoSecure, hackers are launching SSH brute-force attacks on poorly secured Linux servers to deploy a backdoor dubbed Chaos backdoor.
“This post describes a backdoor that spawns a fully encrypted and integrity checked reverse shell that was found in our SSH honeypot,” states the report published by GoSecure.

“We named the backdoor ‘Chaos’, following the name the attacker gave it on the system. After more research, we found out this backdoor was originally part of the ‘sebd’ rootkit that was active around 2013.”

The Chaos backdoor was one of the components of the “sebd” Linux rootkit that appeared in the threat landscape back in 2013, researchers discovered a post on hackforums.net, where a user claims to know how the backdoor was made publicly available.

It seems that the source code of the backdoor was caught by a “researcher” that released it on the forum by changing the name of the backdoor in Chaos to trick members into believing that is was a new threat.

The malicious code is now being used by attackers in the wild to target Linux servers worldwide.

Researchers performed an Internet-wide scan using the handshake extracted from the client in order to determine the number of infected Linux servers and they discovered that this number is quite low, below the 150 marks.

The installation of the Chaos backdoor starts with the attacker downloading a file that pretended to be a jpg from http://xxx.xxx.xxx.29/cs/default2.jpg.

The file was currently a .tar archive containing the Chaos (ELF executable), the client (ELF executable), initrunlevels Shell script, the install Shell script.

“Chaos”, in the tar archive, is the actual backdoor that is installed on the victim’s system and the “Client” file is the client to connect to the installed backdoor.

The backdoor is not sophisticated is doesn’t rely on any exploits, it opens a raw socket on port 8338 on which it listens to commands.

“Any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes,” GoSecure experts say. “However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service.”

To check if your system is infected experts suggest to run the following command as root:

1 netstat –lwp
and analyze the list the processes to determine which are legitimate ones that have listening raw sockets open.

“Because chaos doesn’t come alone but with at least one IRC Bot that has remote code execution capabilities, we advise infected hosts to be fully reinstalled from a trusted backup with a fresh set of credentials.” suggest experts to the owner of infected systems.

Cybersecurity – Tips to Protect Small Business from Cyber Attacks
23.2.2018 securityaffairs Cyber

Small Business is a privileged target of attackers, in fact, there is a high risk of having problems with hackers if you are a large company or even a media player.
Do you have a small company? If the answer is yes, and you think that no cyber attack will ever affect you, think again. Small Business is a privileged target of attackers, in fact, there is a high risk of having problems with hackers, if you are a large company or even a media player.

According to recent reports, more than 40% of cyber attacks are targeting companies with fewer than 500 employees. More disturbing studies show that hackers attack every fifth small company. In most cases, these companies shut down because their security plans do not exist or there is a huge gap in providing total protection.

Cybersecurity is the most important way to ensure that your business does not run the risk of malicious attacks, especially if the people behind them do not show up.

Therefore, it is essential to take strong security measures if you do not want to lose your job for life and trust of your valuable customers. Moreover, prominent organizations expect their confidential information to hide under any circumstances. If you find that this is not the case, your customers will turn to other companies.

To avoid this, we would like to share with you how you can protect your small business from cyber attacks or more simply, tips to protect small business from cyber attacks.

Make as Many Backups as Possible

The reserve is significant if you want to protect all confidential data from cyber attacks and hackers who create malicious software and send it to devices that are explicitly used by small employees are inexorable. If you create multiple backups, you can sleep well at night, knowing that these files, presentations, etc. are present safe and sound. It is important not to get stained forever when it comes to malware.

Application of the Most Powerful Antivirus Program

When using a reliable security solution, it is essential to keep your business altogether.

Do not forget to choose the one antivirus software that protects your computer against all types of malware; antivirus program that eventually needs to detect and eliminate spam, spyware, Trojans, phishing attacks, etc. after selecting the best option for your business, but don’t forget to update it regularly.

Training of Employees

The people who work for you need to know that by clicking on the random links that you received through your professional email can cause significant damages to the company and its secret and confidential information.

The same applies to connections to networks that do not use a secure password. These are just two of the most dangerous practices you should stop right away. How can this be done? For example, you can organize training programs or hold meetings, where safety experts advise, give to employees and safe practices in the workplace against cyber crimes discuss. A better option is to implement security policies and procedures regarding online ethics.

Using Different Terminals Networks Every time for Payments

Using the same network for a payment terminal is a practice that must stop. Never connect it to your business. Keep these two parts separately, because only a few authorized employees can contact them. Therefore, the computers in your network protect the confidential content of cyber attacks.

Using Cybersecurity Insurance Policy

We ensure our cars, our homes, etc. Why do not we do this for our company? Cybersecurity is very useful for cyber threats. How? If a malware attack occurs, your company is responsible.

There is demand, so you must pay a significant amount of money as compensation. With the help of cybersecurity insurance, you can guarantee full coverage of all court fees.

Change Passwords Every in Three Months

Many people use the same password on all our devices, social platforms, etc. More than a year ago, small businesses did the same and increased the risk of cyber attacks. We should Change passwords every three months and do not forget to create strong passwords every time you do so.

The most secure passwords consist of 8-16 characters, which contain special characters, numbers, and letters. If you know you do not have a right memory, the password manager simplifies your work.

OMG botnet, the first Mirai variant that sets up proxy servers on vulnerable devices
23.2.2018 securityaffairs BotNet

Researchers at Fortinet have discovered the OMG botnet, the first Mirai variant that sets up proxy servers on the compromised IoT devices.
A new variant of the infamous Mirai botnet appeared in the threat landscape, it was discovered by researchers at Fortinet that referred it as OMG because of strings containing “OOMGA” in the configuration table.

“For this reason, we decided to name this variant OMG.”“The table, originally encrypted, was decrypted using 0xdeadbeef as the cipher key seed, using the same procedure adopted for the original Mirai. The first thing we noticed are the strings /bin/busybox OOMGA and OOMGA: applet not found.” wrote Fortinet.

The name Mirai was given to the Mirai bot because of the strings /bin/busybox MIRAI and MIRAI: applet not found, which are commands to determine if it has successfully brute-forced its way into the targeted IoT device. These strings are similar with other variations such as Satori/Okiru, Masuta, etc.”

The Mirai botnet was first spotted in August 2016 by the security researcher MalwareMustDie, it was specifically designed to compromise vulnerable or poorly protected IoT. Once Mirai malware compromises an IoT device it recruits it into a botnet primarily used for launching DDoS attacks, such as the one that hit Dyn DNS service.

In October 2016, the Mirai source code was leaked and threat actors in the wild started customizing their Mirai botnet.

The OMG botnet includes most of Mirai’s features and modules, including the attack, killer, and scanner modules, but also adds new ones.

According to Fortinet its configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed.

“This variant also adds and removes some configurations that can be found in the original Mirai code. Two notable additions are the two strings that are used to add a firewall rule to allow traffic on two random ports, which we will discuss in the latter part of the article.” continues the analysis.

After initialization, OMG connects to the command and control (C&C) server, the configuration table analyzed in the post contains the CnC server string, ccnew.mm.my, which resolves to 188.138.125.235.

The malware connects to the C&C port 50023, then it sends a defined data message (0x00000000) to the server to identify itself as a new bot.

In response, the server sends a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used as a proxy server, the two options are:

1 for attack
>1 to terminate the connection.
The OMG botnet leverages the open source software 3proxy as its proxy server and during the set up phase the bot adds firewall rules to allow traffic on the two random ports.

“This variant of Mirai uses 3proxy, an open source software, to serve as its proxy server. The set up begins by generating two random ports that will be used for the http_proxy_portand socks_proxy_port. Once the ports are generated, they are reported to the CnC.” continues the analysis.

“For the proxy to work properly, a firewall rule must be added to allow traffic on the generated ports. As mentioned earlier, two strings containing the command for adding and removing a firewall rule to enable this were added to the configuration table .”

Fortinet experts believe the operators behind the OMG botnet sell access to the IoT proxy server, they highlighted that this is the first Mirai variant that sets up proxy servers on vulnerable IoT devices.

“With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization,” concluded Fortinet.

Further details, including IoCs are reported in the blog post published by Fortinet.

Fraud Campaign Targets Accounts Payable Contacts at Fortune 500 Firms
23.2.2018 securityweek Spam

A new business email compromise (BEC) campaign is targeting accounts payable personnel at Fortune 500 companies in an attempt to trick victims into initiating fraudulent wire transactions to attacker-controlled accounts, IBM warns.

As part of BEC scams, attackers take over or impersonate a trusted user’s email account to target other companies and divert funds to their accounts. Based on phishing and social engineering, such attacks are relatively simple to perform and are attractive to cybercriminals, IBM notes.

As part of the recently observed campaign, attackers used well-crafted social engineering tactics and phishing emails to obtain legitimate credentials from their targets. The emails appeared to come from known contacts and mimicked previous conversations, while in some cases the attackers managed to insert themselves into ongoing conversations between business users.

Posing as the known contact from a vendor or associated company, the attackers then requested that payments be sent to a new bank account number or beneficiary.

By creating mail filters, the attackers ensured they would communicate only with the victim. In some cases, they also found and filled out necessary forms or spoofed supervisor emails to provide victim with additional approval.

The group behind the attacks, IBM says, likely operates out of Nigeria, given the spoofed sender email addresses and IP addresses that were used. However, compromised servers and proxies are often used to hide the attackers’ location.

The actors created spoofed DocuSign login pages on over 100 compromised websites in various geographic locations. Targeted companies were identified in the retail, healthcare, financial and professional services industries, including Fortune 500 companies.

To harvest business user credentials, the attackers sent a mass phishing email to the user’s internal and external contacts, often to several hundreds of them. The message included a link supposedly leading to a business document, but instead redirecting the victim to a fraudulent “DocuSign” portal requesting authentication for download.

Next, the attackers filtered out the stolen credentials and only used those from companies that only require a username and password when employees access their email accounts.

“The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts,” IBM notes.

Following a reconnaissance phase, the attackers engaged with the targeted employee and impersonated vendors or associated companies with established relations to the client. The attackers likely conducted extensive research on the target’s organizational structure and engaged into operations such as impersonating victims, finding and spoofing internal documents, and setting up multiple domains and emails to pose as higher-level authorities.

The attackers set up domains that resembled those of the target company’s vendors, either using a hard-to-identify typo change or registering the vendor’s name with a different top-level domain (TLD). They used these domain names to set up email accounts purporting to belong to known employees and used the accounts to send emails directly to the targets.

“Finally, although the attackers made some grammatical and colloquial mistakes, their English skills were proficient and the few mistakes they made could be easily overlooked by the target. The attackers created a false sense of reality around the target and imparted a sense of urgency to pay, resulting in successful scams involving millions of dollars,” IBM explains.

The attackers either created email rules or auto-deleted all emails delivered from within the user’s company to prevent victims from noticing fraudulent correspondence or unusual messages in their inbox. They also auto-forwarded email responses to different addresses to read them without logging into the compromised accounts.

The security researchers say the attackers had “more financial success using shell corporations and corresponding bank accounts based in Hong Kong or China rather than using consumer bank accounts, in which cases financial institutions were more likely to delay or block large or unusual transactions.”

The shell corporations involved in the BEC scams were registered within the past year, some on the same month payments were requested to the account. Wire transfers associated with BEC scams usually end up in accounts at banks located in China and Hong Kong, IBM notes.

Meltdown patch for OpenBSD is available … let’s wait for feedbacks
23.2.2018 securityaffairs Vulnerebility

OpenBSD releases Version 11 code update that addresses the Meltdown vulnerability by implementing the separation between the kernel and the user memory pages.
OpenBSD addresses the Meltdown vulnerability with the release of a Version 11 code. The update implements the separation between the kernel and the user memory pages.

OpenBSD’s Phillip Guenther provided further details on the implementation.

“When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread’s real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace.” wrote Guenther.

“Per-CPU page layout mostly inspired by DragonFlyBSD.”

Guenther explained that Per-CPU page layout mostly implemented the approach used in DragonFly BSD.

According to Gunther the impact on performance would be reduced because the approach minimizes the overhead for the management of kernel code and data in the transitions to/from the kernel.

“On Intel CPUs which speculate past user/supervisor page permission checks, use a separate page table for userspace with only the minimum of kernel code and data required for the transitions to/from the kernel.” he added.

“When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread’s real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace.”Meltdown OpenBSD

A couple of weeks ago, DTrace expert Brendan Gregg developed a “microbenchmark” to measure the performance degradation introduced by the Linux kernel page table isolation (KPTI) patch for the Meltdown CPU vulnerability. The tests demonstrated a degradation between 0.1 per cent and 6 per cent.

Let’s wait for the tests on OpenBSD.

Further technical details on the approach implemented for OpenBSD are available here.

Hackers compromised a Tesla Internal Servers with a Cryptocurrency miner
23.2.2018 securityaffairs Hacking

Cloud security firm RedLock discovered that hackers have compromised the Tesla cloud computing platform to mine cryptocurrency.
Tesla has confirmed that hackers have compromised its cloud computing platform to mine cryptocurrency, after the incident was discovered by cloud security firm RedLock.

The hackers have breached the Tesla cloud servers and have installed a crypto currency miner, the company fixed the issue exploited by the hackers “within hours.”

The attackers gained access to the Tesla’s Amazon Web Services environment on a Kubernetes console that was reportedly not password-protected. The console is used by companies to manage the infrastructure deployed on the cloud hosting providers.

“According to RedLock, the hackers discovered log-in details to Tesla’s Amazon Web Services environment on a Kubernetes console – a system originally designed by Google to manage applications. The console was reportedly not password-protected.” states the BBC.

RedLock experts discovered a “pod” inside the Kubernetes console that stored login credentials for one of Tesla’s AWS cloud infrastructure.

The security breach happened in 2017, according to the company no customer data had been stolen.

“Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way,” said a Tesla spokesman.

According to RedLock, the exposed AWS buckets contained sensitive information, including telemetry data.

“The hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.” reads a blog post published by RedLock.

Tesla promptly fixed the problem once RedLock notified its discovery.

RedLock added that the security breach was caused by Tesla engineers that forgot to implement an authentication mechanism to the Kubernetes console.

Because they used a custom mining pool, it is unclear how much money this hacker group made.

RedLock confirmed that other companies left their bucket exposed online last year, including Aviva and Gemalto.

Drupal addressed several vulnerabilities in Drupal 8 and 7
23.2.2018 securityaffairs Vulnerebility

The Drupal development team addressed many vulnerabilities in both Drupal 8 and 7, including some flaws rated as “critical”.
Drupal maintainers have fixed many vulnerabilities in Drupal 7 and 8, including some flaws rated as “critical.”

One of the critical security vulnerabilities is related to partial cross-site scripting (XSS) prevention mechanisms that was addressed with Drupal 8.4.5 and 7.57 versions. The popular CMS uses a JavaScript function that doesn’t completely sanitize the input

“Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML.” reads the advisory. “This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.”

The second vulnerability rated as critical affects Drupal 8, it could be exploited by users who have permission to post comments to view content and comments they should not be able to access. The flaw could also allow users to add comments to the content that should not be able to access.

The Drupal team also fixed two moderately critical vulnerabilities in Drupal 7 and other two in Drupal 8. The flaws in Drupal 7:

A Private file access bypass – Drupal fails to check if a user has access to a file before allowing the user to view or download it when the CMS is using a private file system.
A jQuery cross site scripting vulnerability that is present when making Ajax requests to untrusted domains.
while the vulnerabilities in Drupal 8 are:

A Language fallback can be incorrect on multilingual sites with node access controls. Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.
A Settings Tray access bypass that could be exploited by users to update certain data that they do not have the permissions for.

Stinná stránka umělé inteligence, inteligentní stroje pomáhají kyberzločincům

22.2.2018 Novinky/Bezpečnost Bezpečnost
Mezinárodní experti bijí na poplach před možností zneužití umělé inteligence ze strany „kriminálníků, teroristů či zločineckých států”. Stostránkovou zprávu napsalo 26 odborníků na umělou inteligenci, kyberzločiny a robotiku včetně expertů z univerzit (Cambridge, Oxford, Yale, Stanford) a z neziskového sektoru (společnosti jako OpenAI, Středisko pro novou americkou bezpečnost či Electronic Frontier Foundation).

Ve zprávě píší, že v příštích deseti letech by mohla zvyšující se efektivnost umělé inteligence posílit počítačovou kriminalitu a teroristé by mohli více využívat drony či roboty. Odborníci také zmiňují možnost snadnější manipulace voleb na sociálních sítích prostřednictvím takzvaných internetových botů, což jsou počítačové programy, které pro svého majitele opakovaně vykonávají nějaké rutinní činnosti.

Tito odborníci vyzývají vlády a další vlivové skupiny k omezení těchto možných hrozeb. "Domníváme se, že útoky, které by snadnější přístup k umělé inteligenci mohl umožnit, budou obzvlášť účinné, přesně cílené a těžko odhalitelné," píše se ve zprávě.

Vyprovokované dopravní nehody
Odborníci zmiňují i některé "hypotetické možnosti" zneužití umělé inteligence. Teroristé by například mohli uzpůsobit systémy umělé inteligence používané třeba v dronech či samořiditelných dopravních prostředcích pro vyprovokování srážek a výbuchů.

Odborníci připomínají i možnost zneužití například úklidového robota v nějakém úřadu, který by se mohl dostal mezi jiné roboty, kteří připravují třeba jídlo. Takovýto robotí vetřelec by pak mohl pomocí výbušniny zaútočit na nějakého úředníka poté, co by jej identifikoval.

Podle jednoho z autorů zprávy a ředitele střediska z Cambridgeské univerzity Seána Ó hÉigeartaigha by se mohla "s větším zneužitím umělé inteligence zvýšit zejména počítačová kriminalita".

Větší záběr by mohly představovat i útoky pomocí tzv. spear phishingu, což je podvodná technika používaná na internetu k získávání citlivých údajů (útočník zasílá e-mail konkrétní osobě; pro tradiční phishing je typické rozeslání obrovského množství mailů).

Velké nebezpečí vidí Seán Ó hÉigeartaigh "v možném zneužití umělé inteligence v politice". "Již jsme zažili, jak se jednotlivci či skupiny snažili zasahovat pomocí internetu do demokratických voleb," připomíná a dodává: "Jestliže umělá inteligence umožní, aby byly tyto útoky silné, jednoduché na zopakování a složité na odhalení, mohlo by to znamenat velký problém pro politickou stabilitu."

Umělá inteligence by mohla sloužit třeba i k výrobě falešných a velmi realistických videí, která by pak mohla být použita k diskreditaci politických činitelů. Do rozvoje umělé inteligence by se mohly zapojit i některé autoritářské státy, které by pak mohly s její pomocí snadněji sledovat své občany.

Před zneužitím varoval i Hawking
Není to poprvé, co se upozorňuje na možné zneužití umělé inteligence. V roce 2014 před tím varoval známý astrofyzik Stephen Hawking, k němuž se v poslední době přidal třeba podnikatel Elon Musk a další. Zveřejněny byly také zprávy například o možném užívání zabijáckých dronů.

Tato nová zpráva přináší "nový pohled na část umělé inteligence, která by mohla přinést nové hrozby nebo změnit existující hrozby v oblastech počítačové, politické i lidské bezpečnosti".

Umělá inteligence, která se objevila v 50. letech 20. století, je obor informatiky zabývající se tvorbou strojů vykazujících známky inteligentního chování. V posledních letech bylo dosaženo pokroku v oblastech kupříkladu vnímání, hlasového rozeznávání či obrazové analýzy.

"V současnosti ještě existuje rozdíl mezi rychlostí výzkumu a možnými aplikacemi novinek. Ještě je čas jednat," říká vědec z Oxfordské univerzity Miles Brundage. Právě na jeho pracovišti začala tato zpráva vznikat.

"Na zmírnění těchto hrozeb by měli spolupracovat vědci na umělou inteligenci, vývojáři robotů a dronů i regulační orgány a politici," říká Seán Ó hÉigeartaigh.

Hackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměny
22.2.2018 Novinky/Bezpečnost Hacking

Hackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměny24 FOTOGRAFIÍ
zobrazit galerii
Bezpečnostní společnost RedLock, která se specializuje na kyberútoky a odhalení děr v systémech, objevila hacknutý účet na AWS (Amazon Wev Services) společnosti Tesla.

Tesla používá cloudovou platformu Amazonu na mnoho věcí, kromě sběru dat z automobilů i analýzu a podobně. RedLock odhalil, že jeden z administračních účtů neměl heslo a hackeři přes něj využívali výkon cloudu k těžení kryptoměn.

V rámci odměn za odhalení chyb Tesla vyplatila RedLocku pouze 3 tisíce dolarů, takže lze předpokládat, že nešlo o nějaký kritický účet, který by měl vliv na celou platformu či zabezpečení uživatelských dat. Ostatně podle vyjádření zástupců šlo pouze o testovací účet pro interní automobily Tesla.

Právě bezpečnost celé platformy je pro automobilový průmysl stále kritičtější. Obzvláště s příchodem autonomních systémů, které budou zpracovávat data z obrovského množství vozů a budou pochopitelně obsahovat i soukromá data o jednotlivých jízdách daných uživatelů. Pro hackery mají taková data jistě vysokou cenu a v nejhorším případě by případné hacknutí mohlo ovlivnit i samotnou funkčnost platformy, která bude v nějaké formě udržovat autonomní vozidla neustále připojená a kontrolovaná.

Rakousko chystá vlastního trojského koně. Bude pomáhat v boji s teroristy na internetu

22.2.2018 Novinky/Bezpečnost BigBrother
Rakouská vláda ve středu schválila balíček opatření umožňujících prostřednictvím sledování komunikace odhalovat závažnou kriminalitu a terorismus. Úřadům tak má být do budoucna umožněno nasazovat do počítačů státní sledovací software, neboli takzvaný „Bundestrojaner” (spolkový trojský kůň), informují rakouská média.

Nasazování špionážních programů do komunikačních aplikací jako jsou Skype nebo WhatsApp jsou jen jedním z opatření, která zahrnuje rozsáhlý balíček přijatý novou pravicovou vládou lidovců (ÖVP) a svobodných (FPÖ).

Zostřena má být celková kontrola veřejného prostoru. Úřady mají získat přístup k obrazovým a zvukovým záznamům z monitorovacích zařízení všech veřejných i soukromých subjektů, jako jsou dopravní podniky, letiště nebo nádraží.

Kromě toho bude systém na rozeznávání státních poznávacích značek evidovat údaje o řidiči, SPZ, značce, typu a barvě každého automobilu.

V případě počátečního podezření na trestný čin mohou úřady telekomunikačním společnostem nařídit uchovávání příslušných dat po dobu až jednoho roku.

Hackeři zneužili cloudový systém Tesly k těžbě kryptoměn

22.2.2018 Novinky/Bezpečnost Hacking
Cloudový systém amerického výrobce elektromobilů Tesla napadli hackeři a využili ho k těžbě kryptoměn. Podle sdělení společnosti RedLock, která se zaměřuje na kybernetickou bezpečnost, pronikli do administrativní konzole Kubernetes, která nebyla chráněna heslem. Dopad útoku na bezpečnost vozidel ani dat zákazníků Tesla zatím nezjistila. Jak uvedl server televize CNBC, ohroženy byly účty na úložišti Amazon Web Services (AWS).

Kubernetes je systém navržený společností Google, zaměřený na optimalizaci cloudových aplikací.

Společnost RedLock nesdělila, jaká kryptoměna byla těžena. Obdobné problémy podle ní měly i další přední firmy včetně britské pojišťovny Aviva a nizozemského výrobce SIM karet Gemalto. Průnik do systémů Tesly však byl sofistikovanější a používal několik různých strategií, aby zabránil odhalení hackerů.

Tesla problém po informaci RedLocku okamžitě vyřešila. Automobilka oznámila, že dopad na ochranu dat klientů ani na bezpečnost vozidel nezjistila. Podle mluvčího se kybernetický útok dotkl jen automobilů používaných zaměstnanci firmy.

Z analýz RedLocku je zřejmé, že poskytovatelé cloudových služeb jako Amazon, Microsoft a Google dělají, co mohou, a žádný z velkých útoků v loňském roce se nestal z důvodu jejich nedbalosti, prohlásil představitel společnosti Gaurav Kumar. "Bezpečnost je však společnou odpovědností. Organizace na všech úrovních jsou povinny sledovat infrastrukturu rizikových konfigurací, neobvyklých aktivit uživatelů a podezřelého síťového provozu," zdůraznil.

Kyberšpionážní skupina z KLDR rozšířila pole působnosti

22.2.2018 Novinky/Bezpečnost BigBrother
Severokorejská kyberšpionážní jednotka, která se v minulosti zaměřovala na jihokorejskou vládu a soukromý sektor, loni výrazně zdokonalila svou činnost a rozšířila pole působnosti do Japonska či na Blízký východ. Podle agentury Reuters to vyplývá ze studie americké společnosti FireEye, která se zabývá bezpečností v kybernetickém prostoru.
Kyberšpionážní jednotka ATP37 (Reaper) podle expertů dříve pracovala pod vedením skupiny Lazarus, která je údajně zodpovědná za kybernetické útoky na společnost Sony Pictures z roku 2014 nebo za šíření vyděračského viru WannaCry. Tím se loni infikovaly statisíce počítačů ve 150 zemích světa. Skupina ATP37 zřejmě funguje už od roku 2012, trvalou hrozbu však začala představovat až v loňském roce.

Jednotka ATP37 se dosud ve své činnosti soustřeďovala pouze na jihokorejskou vládu, armádu, média nebo organizace na ochranu lidských práv a severokorejské přeběhlíky. Podle expertů se však loni nově zaměřila i na japonské organizace spojené s misí OSN pro lidská práva a sankcemi vůči KLDR, vietnamské dopravní a obchodní firmy a finanční společnosti na Blízkém východě.

"Myslíme si, že primárním úkolem ATP37 je shromažďovat informace, které by podpořily strategické, vojenské, politické a ekonomické zájmy Severní Koreje," cituje britský list The Guardian závěry odborníků.

Kybernetické útoky, za nimiž podle expertů stojí severokorejský režim, byly v minulosti zaměřeny na letecké, telekomunikační a finanční podniky. Pchjongjang veškerá obvinění důrazně odmítl.

Google našel další díru ve Windows 10. Starší verze Windows nepostihuje

22.2.2018 Novinky/Bezpečnost Zranitelnosti
Microsoft si myslel, že chybu opravil, ale zřejmě se tak nestalo.

Byl to opět Google, kdo našel díru ve Windows a informace o ní zveřejnil. Shodou okolností je to druhý případ ve velmi krátkém období. Zatímco zmíněná díra v Edgi byla vyhodnocena jako střední hrozba, v tomto případě se budeme bavit o vysoké zneužitelnosti. To je hodnocení od Googlu, Microsoft pak díře přisoudil nálepku důležité, nikoli kritické.
V nově objeveném scénáři útoku dochází ke zneužití funkce SvcMoveFileInheritSecurity tak, že se vydává za uživatele či uživatelku. Pomocí funkce MoveFileEx se útočnice či útočník pokusí přesunout soubor do jiného umístění. Po vyvolání funkce dojde o opuštění modelu vydávání se za uživatele a k pokusu o resetování bezpečnostního popisovače nového souboru tak, aby odpovídal zděditelným oprávněním.

Chyba CVE-2018-0826
K problému dochází pouze při práci se soubory s pevnými odkazy. Pakliže je soubor přesunut do adresáře, jenž disponuje dědičnými položkami pro správu přístupu, je krátce řečeno možné, aby byl soubor díky zděděným oprávněním modifikován tím, kdo útok provádí. Podle Googlu byly dokonce nalezeny dvě velmi podobné chyby.

Jednu interně označil číslem 1427. Jedná se o chybu známou též pod označením CVE-2017-11783 a byla opravena na podzim. Týkala se přitom všech do té doby vydaných verzí Windows 10, ale také Windows 8.1. Druhý problém, na který Google upozornil po vypršení lhůty pro opravu, (Microsoft si vyžádal prodloužení oproti standardním 90 dnům, čemuž bylo vyhověno), viz výše, reklamní gigant interně označuje číslem 1428 a je známa též pod označením CVE-2018-0826.

Podle Microsoftu se tato chyba týká jen Windows 10. Výměna informací mezi Googlem a Microsoftem naznačuje, že si firmy zcela nerozumí. Redmondští tvrdí, že chybu opravili v aktualizacích, jež vydali v rámci únorového záplatovacího úterý. Chybu 1427 považovali za duplikát chyby 1428. Jenže podle Googlu byla ve skutečnosti opravena jen chyba 1427, zatímco chyba 1428 v systému zůstala.

Takže nejde o duplikát, jen o podobnou chybu. Zřejmě nás tedy čeká další oprava. Tato chyba by naštěstí neměla být snadno zneužitelná. Tedy, její zneužití je snadné, ale podmínky pro takový útok jsou jen obtížně splnitelné. Např. útok nelze provést vzdáleně, nelze jej provést ze sandboxu, který nabízí aplikace jako Chrome nebo Edge apod.

Google zveřejnil detaily k díře v prohlížeči Edge. Varoval Microsoft předem, ale ten chybu včas neopravil
22.2.2018 Živě.cz Zranitelnosti

Živě.cz v prohlížeči EdgeTmavé téma prohlížeče EdgePodporuje další technologie HTML5, třeba WebRTC 1.0, a jak vidíte, dokáže i takto zobrazit miniatury otevřených stránekKlepnutím na tlačítko nahoře vlevo můžete uložit otevřené panely na pozdějiEdge docela dobře zobrazuje PDF a nově se naučil i EPUB
Google zveřejnil detaily bezpečnostní chyby v prohlížeči Edge. Microsoft přitom o chybě věděl dopředu, ale ve stanovené lhůtě nedostatky neodstranil, informoval web Neowin.net.

Tým Googlu prostřednictvím Projektu Zero odhalil v listopadu minulého roku zranitelnost prohlížeče Microsoft Edge a poskytl Microsoftu 90 dní na opravu. Pro složitost opravy lhůtu prodloužili o 14 dní, ale ani po tomto termínu chyba nebyla odstraněna.

Zranitelnost dovoluje útočníkovi obejít zabezpečení prohlížeče a vložit škodlivý kód do počítače oběti. Chyba byla označena jako středně závažná. Microsoft je přesvědčen, že tuto záležitost vyřeší do 13. března. Proč se tak nestalo doposud však blíže nevysvětlil.

Mirai Variant Sets Up Proxy Servers on Compromised Devices
22.2.2018 securityweek BotNet IoT

A newly observed variant of the infamous Mirai botnet is capable of setting up proxy servers on the infected Internet of Things (IoT) devices, Fortinet warns.

Mirai is a distributed denial of service (DDoS)-capable malware family that emerged in late 2016. Targeting IoT devices to add them to a botnet and launch powerful attacks, Mirai has been involved on some massive incidents right from the start.

Referred to as OMG because of strings containing "OOMGA" it its configuration table, the malware keeps most of Mirai’s capabilities, but also adds its own features to the mix.

Unlike Mirai, the OMG variant’s configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed, Fortinet discovered.

However, the new malware variation keeps Mirai’s original attack, killer, and scanner modules, which means that it is capable of performing all of the operations that Mirai could, such as killing processes (telnet, ssh, http, and other processes related to other bots), telnet brute-force login, and DDoS attacks.

After initialization, OMG connects to the command and control (C&C) server on port 50023. Once the connection has been established, the malware sends a defined data message to the server to identify itself as a new bot.

The server responds with a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used: 0 if it should be used as a proxy server, 1 for attack, and >1 to terminate the connection.

OMG, the security researchers discovered, uses open source software 3proxy as its proxy server. During setup, it generates two random ports for the http_proxy_port and socks_proxy_port, reports them to the C&C, and adds a firewall rule to allow traffic on these ports.

After enabling the firewall rule, the malware sets up 3proxy with the predefined configuration embedded in its code. The researchers believe the attackers sell access to the IoT proxy server (because the C&C server wasn’t active during investigation, the researchers only performed static analysis).

“This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization,” Fortinet concludes.

Several Vulnerabilities Patched in Drupal
22.2.2018 securityweek Vulnerebility

Updates released on Wednesday for Drupal 7 and 8 patch several vulnerabilities, including issues rated “critical.” No bug fixes are included in the latest releases.

One of the critical security holes patched by Drupal 8.4.5 and 7.57 is related to incomplete cross-site scripting (XSS) prevention mechanisms.

“Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances,” Drupal said in its advisory.

Another critical flaw, which only affects Drupal 8, allows users who have permission to post comments to view content and comments they should not be able to access. The weakness can also be exploited to add comments to the supposedly restricted content.

While these issues are rated “critical,” it’s worth pointing out that Drupal developers use NIST’s Common Misuse Scoring System to determine the risk level, which means that “critical” is second on the severity scale, after “highly critical.”

The latest Drupal 7 update also patches two moderately critical vulnerabilities. One of them, which developers claim only occurs if a site’s configuration is unusual, is an access bypass issue that can allow users to view or download files on the private file system without Drupal checking if they have access to it.

The second moderately critical flaw in Drupal 7 is a jQuery XSS issue when making Ajax requests to untrusted domains. Drupal 8 is not affected as jQuery was updated to a newer version with the release of Drupal 8.4.0.

Two moderately critical security bugs have also been fixed in Drupal 8, including an access bypass vulnerability related to language fallback on multilingual sites, and an access bypass flaw in the Settings Tray module that could allow users to update certain data without having the necessary permissions.

Finally, Drupal 7 patches a “less critical” external link injection vulnerability that can allow an attacker to trick users into navigating to a malicious site.

Drupal developers informed users that version 8.4.5 is the last release of the 8.4.x series. Users will have to update to Drupal 8.5.0, expected to become available on March 7, to receive bug and security fixes.

Cisco Patches Critical Flaws in UCDM, ESC Products
22.2.2018 securityweek Vulnerebility

Updates released by Cisco for its Unified Communications Domain Manager (UCDM) and Elastic Services Controller (ESC) products patch critical vulnerabilities that can be exploited by remote attackers.

According to Cisco, UCDM releases prior to 11.5(2) are affected by a flaw that allows a remote, unauthenticated attacker to bypass security protections, obtain elevated privileges, and execute arbitrary code.

“The vulnerability is due to insecure key generation during application configuration. An attacker could exploit this vulnerability by using a known insecure key value to bypass security protections by sending arbitrary requests using the insecure key to a targeted application,” Cisco said in its advisory.

The security hole is tracked as CVE-2018-0124 and it was discovered by Cisco itself during internal security testing.

A critical vulnerability was also discovered by Cisco during internal security testing in the company’s ESC product, specifically the authentication functionality of the web-based service portal.

The flaw, tracked as CVE-2018-0121, allows a remote attacker to bypass authentication and gain administrator privileges on the service portal. The authentication mechanism can be bypassed by submitting an empty value when prompted to enter an admin password.

The vulnerability affects ESC 3.0.0 and it has been addressed with the release of version 3.1.0. This version also patches a high severity unauthorized access vulnerability caused by the presence of default credentials for the service portal.

Cisco also informed customers on Wednesday of a high severity denial-of-service (DoS) vulnerability in the Interactive Voice Response (IVR) management connection interface of the company’s Unified Customer Voice Portal (CVP) product. A remote attacker can exploit this flaw to cause a DoS condition by initiating a specially crafted connection to the IP address of the targeted device.

Cisco says there is no evidence that any of these vulnerabilities have been exploited in malicious attacks.

Cisco on Wednesday also released advisories for cross-site scripting (XSS), cross-site request forgery (CSRF) and DoS flaws affecting its UCS Director and Integrated Management Controller Supervisor, Unified Communications Manager, Prime Service, Prime Collaboration, Jabber Client Framework, Data Center Analytics Framework, and Unity Connection products, but they have all been assigned a “medium” severity rating.

Do Business Leaders Listen to Their Own Security Professionals?
22.2.2018 securityweek Cyber

Survey Shows a Disconnect Between Business Leaders and Security Professionals

A new research report published this week claims, "A disconnect about cybersecurity is causing tension among leaders in the C-suite -- and may be leaving companies vulnerable to breaches as a result."

The specific disconnect is over the relative importance between anti-malware and identity control -- but it masks a more persistent issue: do business leaders even listen to their own security professionals?

The basis for this assertion comes from two sources: the Verizon 2017 Data Breach Investigations Report (DBIR), and the report's own research. DBIR states, "81% of hacking-related breaches leveraged either stolen and/or weak passwords." The new research (PDF), conducted by Centrify and Dow Jones Customer Intelligence shows that companies' security officers agree with the view, while their CEOs do not. Centrify surveyed 800 senior executives in November 2017.

According to the new research, 62% of CEOs consider malware to be the primary threat to cybersecurity, while only 35% of their technical officers agree. The technical officers agree with the DBIR that most breaches come through failures in identity and access control. "More than two-thirds (68%) of executives from companies that experienced at least one breach with serious consequences say it would most likely have been prevented by either privileged user identity and access management or user identity assurance. That compares with only 8% who point to anti-malware endpoint controls."

The report, published by Centrify (a firm that delivers Zero Trust Security through what it calls 'Next-Gen Access'), found this to be perhaps the most disturbing of a series of mismatches between the views of technical officers and their CEOs. Another example concerns strategy accountability: 81% of CEOs say they are most accountable for the company's security strategy; while 78% of the technical officers believe it is they who are most accountable.

These figures raise two questions: firstly, are the technical officers correct in their assertion that identity control is more important than anti-malware, or are CEOs correct in their insistence on anti-malware; and secondly, if the technical officers are correct, why do they fail to adequately communicate their views to senior management?

There is no simple answer. Not all practitioners accept the survey results. Steve Lentz, CSO and director of information security at Samsung Research America, doesn't automatically accept that identity is a bigger problem than malware. "I really believe it's the unknown malware that is on many employee PCs that leak info." He quoted an example of two employees visiting from abroad and connecting to his network. "Our network defenses immediately alerted my security team and quarantined the two PCs." One had a keylogger while the other had a password stealer. The implication is that since it is impossible to control all identities all the time it is necessary to have adequate anti-malware.

Martin Zinaich, information security leader at the City of Tampa, FL, believes the problem may stem from different priorities between Business and Security. Business leaders often have "a low user-friction tolerance combined with a high-risk appetite." At the same time, questioning whether malware or identity is the biggest problem is a mistake. "Wasn't last year's big breach at Equifax due to an unpatched Apache Struts vulnerability? Too often for security professionals it is the basics that get missed."

To a degree, the malware/identity issue is a chicken and egg problem. Drew Koenig, security solutions architect at Magenic, takes one view. If "you look at incidents in their entirety, malware is the result of identity security failures." While phishing and poor security behavior is one problem, poor password construction, account sharing, and over-privileged accounts are another. Compromised accounts are the delivery mechanism, he suggests, for the malware that accesses databases and steals sensitive data.

But Joseph Carson, chief security scientist at Thycotic, warns that attackers use social engineering to bypass initial identity controls. "One single click on a malicious link, can download malware onto your computer that can immediately lock up data in a 'ransomware' attack." In this scenario, identity controls won't protect you from the effects of malware.

Boris Vaynberg, co-founder and CEO at Solebit agrees. "Most attacks start with an attacker penetrating into the organization. These attackers use various techniques, most of them including use of malware to secure initial control inside the organization. Once the attacker gets control, the second step is lateral movement. Attackers will then attempt to secure the credentials they are seeking in order to obtain an organization's sensitive data."

Brian Kelly, chief information security leader at Quinnipiac University, accepts that malware may be the vector used to compromise the identity, but adds, "I really keep coming back to the idea that identity is the new perimeter. In a world full of clouds and ubiquitous mobile access, identity is the only thing between you and your data."

The implication is that identity control cannot stop malware. But since we know that anti-malware also cannot guarantee to stop all malware, identity and credential control becomes essential to prevent lateral movement and privilege escalation.

"It's overly simplistic to think that if the organization addresses one specific attack vector, it will prevent all major breaches," warns Lenny Zeltser, VP of products at Minerva Labs. "Attackers can follow different pathways to achieve their objectives. They can steal credentials, elevate access, and cause damage even if the company has strong identity management practices. Identity security is important, so is endpoint defense, so are network safeguards, etc. We cannot focus on a single security layer and neglect the others."

The second implication from the Centrify survey is that either security professionals are failing to deliver their message to business leaders, or business leaders are refusing to listen to their security professionals. Again, there is no simple answer.

Mike Weber, VP at Coalfire Labs, believes there is a business reason for business leaders to be reluctant to listen to their security professionals. "The security landscape changes constantly, and those dynamic changes rarely align with fiscal year planning cycles. To be able to quickly react to the latest threats, a CISO may need to resort to 'overselling' a particular need." The problem here is that business leaders face 'oversells' all the time, and are well-versed in ignoring them.

Brian Kelly suggests the basic problem comes from multiple sources of threat information. "The feeling that malware is the greatest risk may be driven more by media reports than the security team's failure to deliver the correct message. Information Security teams are competing for the CEO's attention, but are also struggling to craft a message that makes sense in context."

Perhaps one of the problems is a basic misunderstanding of the purpose of 'security'. Mike Smart, security strategist at Forcepoint, believes security is like the brake on a car. Business leaders think its purpose is to slow down the car; that is, security slows down business. "Innovators will tell you the opposite," he says. "It's there to give the driver the confidence to go as fast as possible." In this view, security is the enabler of agile business -- but the implication is that security leaders have failed to adequately explain this function to the business leaders.

Dr. Bret Fund, founder and CEO at SecureSet, suggests that most companies have failed to yet establish the partnership between business and security that is necessary for an agile but secure business. "Security managers need to do a better job understanding the business constraints and how, as a security team, they can provide meaningful solutions inside of those realities. Business managers need to do a better job of understanding that security is everyone's responsibility and NOT just the security teams."

There is little disagreement over a disconnect between business leaders and security professionals. Bridging that disconnect is the problem. Koenig believes that the security team needs to own the problem. "In security," he says, "you have to assume everyone outside your team distrusts you. That's an unfortunate reality. So, to improve your delivery, educate instead of present. Put context around what you are reporting. Help them understand that malware is a valid risk, but most breaches are the result of poor identity controls that allows for the delivery of malware. Ultimately for every security report that is delivered you have to answer the hardest question from a business, 'So What?'. Don't tell, explain."

Centrify's survey demonstrates this mismatch in cyber threat understanding between business leaders and security professionals. The report shows that most security professionals believe that 'identity' is the number one control, while business leaders concentrate on malware. It's a nuanced issue. Identity and credential control, such as that provided by Centrify, won't stop all malware -- but it may prevent a malware incident developing into a major breach. How to get business leaders to listen to security professionals remains a continuing problem.

WhatsApp Co-founder Invests $50 Million in Signal
22.2.2018 securityweek Social

Open Whisper Systems, the organization behind the privacy-focused messaging app Signal, announced on Wednesday the launch of the Signal Foundation, with an initial investment of $50 million from WhatsApp co-founder Brian Acton.

The Signal service is used by millions of people and the Signal protocol is used by billions through its integration into popular applications such as WhatsApp, Facebook Messenger and Google Allo.

Despite the success of its product, the Signal team has never had more than seven members and there have only been an average of 2.3 full-time developers.Signal Foundation launches with $50 million investment

With the launch of the Signal Foundation and the $50 million from Acton, Signal will have the resources necessary to expand and accelerate its mission to make private communications accessible to everyone.

“Starting with an initial $50,000,000 in funding, we can now increase the size of our team, our capacity, and our ambitions. This means reduced uncertainty on the path to sustainability, and the strengthening of our long-term goals and values,” said Moxie Marlinspike, founder of Open Whisper Systems and CEO of the Signal Foundation. “Perhaps most significantly, the addition of Brian brings an incredibly talented engineer and visionary with decades of experience building successful products to our team.”

The Signal Foundation is a 501(c)(3) nonprofit organization. Up until now, the Freedom of the Press Foundation acted as a fiscal sponsor for Signal.

Acton, who left WhatsApp and Facebook last year, will serve as executive chairman of the Signal Foundation and will be actively involved in operations and product development.

“After over 20 years of working for some of the largest technology companies in the world, I couldn’t be more excited for this opportunity to build an organization at the intersection of technology and the nonprofit world,” said Acton.

“In the immediate future we are focused on adding to our talented-but-small team and improving Signal Messenger. Our long-term vision is for the Signal Foundation to provide multiple offerings that align with our core mission,” he added.

The Global cost of cybercrime jumped up to $600 Billion
22.2.2018 securityaffairs CyberCrime

The tech giants McAfee and Cisco published to reports that providers further info about the global impact of cybercrime.
Which is the cost of cybercrime? It is hard to provide an effective a good estimation of the overall impact of the numerous phenomena that happen every day, including cyber attacks, data breaches, scams and so on.

The tech giants McAfee and Cisco published to reports that providers further info about the global impact of cybercrime.

According to the report was written by McAfee in collaboration with the Center for Strategic and International Studies (CSIS), the global cost is estimated at $600 billion annually, a disconcerting figure that corresponds to 0.8% of the global GDP. The value is jumped from $500 billion in 2014 to $600 billion (+20%).

“In 2014, taking into account the full range of costs, CSIS estimated that cybercrime cost the world between $345 billion and $445 billion. As a percentage of global GDP, cybercrime cost the global economy 0.62% of GDP in 2014. Using the same methods, CSIS now believe the range is now between $445 billion and $600 billion.” states the report.

The jump is mainly caused by the significant increase of theft of intellectual property and business confidential information, intellectual property theft accounts for at least 25% of overall cybercrime costs.

The cost of cybercrime is distributed among all the countries of the world, no one is immune. The report shows variations by region, that are linked to income levels and level of cybersecurity maturity, the countries with greater losses are the richest ones.

According to the report, Russia leads cybercrime activities worldwide, the reports also highlighted the thin line between crime rings and nation-state actors.

“CSIS believes that Russia leads overall in cybercrime, reflecting the skill of its hacker community and its disdain for western law enforcement. The complex and close relationship between the Russian state and Russian organized crime means that Russia provides a sanctuary for the most advanced cybercriminals, whose attention focuses on the financial sector.” continues the report.

Ransomware are a profitable business for the criminal ecosystem, currently, more than 6,000 black marketplaces offer for sale such kind of malware and related services, an overall offer of more than
45,000 different products.

The second report published by Cisco confirmed the worrisome trends for cybercrime activities, the document is based on interviews with 3,600 CISOs. According to Cisco almost any attack will cost to the victims at least $500,000. The cost dramatically increased for 8% of companies in the Cisco report that admitted that cyber attacks had cost them over $5 million, 11% the companies suffered economic losses between $2.5 million and $4.9 million.

Cisco highlighted the risk of attacks aimed to the supply chain of the companies. these attacks have increased in complexity and frequency.

Let me suggest reading both studies, they offer an interesting analysis of criminal ecosystem and of the overall cost of cybercrime.

Ohrožení podnikových sítí ze strany internetu věcí je realitou

22.2.2018 SecurityWorld IoT
V nedávném seriálu BBC zvaném McMafia převzal hacker vládu nad IT sítí bombajského přístavu pomocí prodejního automatu s jen několika málo bezpečnostními údaji. Ač se takový případ může zdát nepravděpodobný, je hrozba ze strany internetu věcí vůči kriticky důležité infrastruktuře velice reálná. Jak se stále více zařízení připojuje k síti a další a další senzory nachází využít napříč průmyslovými odvětvími, stává se zároveň ohrožení podnikových sítí skrze neaktualizovaná zařízení internetu věcí skutečnou hrozbou. Zprávu přináší server SC Magazine. Jaká jsou tedy fakta za obavami z hacknutí důležitých IT systémů skrze internet věcí?

Hrozba je reálná a nezmizí sama od sebe.

Celosvětově stoupá míra využití zařízení internetu věcí. Majorita sítí je ovšem nepřipravena na takto masivní příliv nových zařízení, a ještě méně jsou připraveny na hackery a další jednotlivce, kteří se pokusí získat přístup k podnikovým sítím a uživatelským datům pro zločinné úmysly.

Gartner předpokládá, že zde do konce roku 2020 bude kolem 20,4 miliard k síti připojených zařízení. Je evidentní, že počet propojených zařízení se bude i nadále zvyšovat. To sice přináší spoustu výhod, ale také vzrůstající bezpečnostní riziko. Jak se sítě stávají dynamičtějšími a neustále rostou, je těžší a těžší identifikovat a spravovat všechna zařízení k nim připojená.

Ta hrozba je tu a je velmi reálná. Rok 2016 přinesl jeden z největších DDoS útoků všech dob – botnet Mirai – který vyřadil z provozu mnoho webových stránek. Útok byl možný díky zařízením internetu věcí, unikátním IP adresám hostujícím malware. Zařízení nejvíce se podílející na útoku? Průmyslové kamery.

Nejnovější potomek botnetu Mirai se nazývá Satori a objevil se v letošním roce, specificky cílí na procesory ARC. Hlavním účelem je krást kryptoměnu Ethereum skrze hackování online těžařských hostů a tajnému nahrazení jejich peněženek.

Mirai a Satori plně odhalují potenciál kybernetických zločinců ozbrojených malwarem a velkým množstvím nezabezpečených zařízení internetu věcí. Jak se stále více zařízení dostává na síť, hrozeb bude přibývat. Více zařízení znamená více bodů, skrze které může útočník zařízení infikovat a následně je využívat při DDoS útocích.

Jak bohužel ukazuje výše zmíněný seriál McMafia, právě klíčová IT infrastruktura je obzvláště ohrožena. Některé příklady podobných útoků na nezbytné systémy ukazuje hned několik hacknutých vodních elektráren mezi roky 2011 a 2016 a také elektrárnu ve Spojených státech, která byla infiltrována hned sedmnáctkrát mezi roky 2013 a 2014. Co je horší: jaderná elektrárna částečně hacknutá v roce 2016.

Množství zařízení připojených k podnikové síti je nejen téměř nemožné spravovat, ale někdy ani nelze jejich počet vůbec zaznamenat. Princip BYOD (buy your own device, kdy zaměstnanec nedostane firemní notebook nebo mobil, ale koupí si vlastní) a zařízení internetu věcí vede k většímu rozšíření zařízení s vlastními IP adresami a výkonem – ale často bez pořádného zabezpečení. Právě tato zařízení se poté pro hackery stávají bodem vniku do podnikových sítí.

Nová chytrá zařízení se nyní zvládají na vaše sítě připojovat samy od sebe. Vše od chytrých telefonů až po bezpečnostní kamery. Tyto zařízení nejsou spravována a mohou se stát nezabezpečenými koncovými body, které výrazně zvýší šanci na hacknutí sítě. A právě tato zařízení se také stávají hlavním cílem hackerů a kybernetických zločinců. Ti díky nim mohou využít LAN přístup na servery nebo, ještě častěji, mohou podobná zařízení sloužit k manipulaci s daty a získání přístupu do sítě.

Většina organizací si nemyslí, že mají do své sítě připojena nějaká zařízení internetu věcí, ale dokud je nehledají, nemohou si být jistí.

Mnoho firem se nyní, oprávněně, obává útoků zvenčí, které by do jejich sítí pronikly. Nejnovější firewally, systémy na prevenci proti vniknutí, pokročilé ochranné systémy a další, to vše hraje roli v obraně. Jak se však k síti připojuje stále více zařízení, je nutné hledět i na hrozby z vnitřku.

Pokud společnosti nemají kvalitní infrastrukturu na podporu zařízení internetu věcí, riskují odhalení svých podnikových sítí zločinným aktivitám. To může vést k devastujícím výsledkům, obzvláště pokud hackeři odhalí zranitelnosti v zařízení internetu věcí s přístupem ke klíčové IT infrastruktuře.

Dobrým začátečním bodem pro firmy, které berou svou bezpečnost vážně v dnešním hyperpropojeném světě, je zvýšit povědomí o všech zařízeních v síti a implementovat centralizovaný systémy správy pro zajištění dodržování všech pravidel.

Najděte je, zhodnoťte je, spravujte je. To musí být nová mantra pro ochranu organizací od všech různých zařízení. Žijeme v časech jako z televize a v kybernetickém světě musíme chránit svá aktiva lépe než ti, kteří byli na televizních obrazovkách hacknuti.