Monero Miner Sends Cryptocurrency to North Korean University
8.1.2018 securityweek Hacking
An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.
The application’s developers, however, might not be of North Korean origins themselves, the security researchers say. They also suggest that the tool could either be only an experimental application or could attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.
Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.
Analysis of the file revealed both the address of the Monero wallet and the password (KJU, a possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu.kp. The use of this domain reveals that the server is located at Kim Il Sung University, AlienVault says.
AlienVault's security researchers also discovered that the specified address doesn’t resolve, either because the app was designed to run on the university’s network, because the address used to resolve in the past, or because it is only meant to trick security researchers.
“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining,” AlienVault says.
The sample was also found to contain obvious messages printed for debugging as well as fake filenames meant to avoid detection. According to the researchers, if the software author is at the Kim Il Sung University, they might not be North Korean.
“KSU is an unusually open University, and has a number of foreign students and lecturers,” the researchers explain.
North Korean attacks focused on Monero mining have been spotted before, such as those associated with Bluenorroff and Andariel hackers, who are generally considered as being part of the Lazarus group. However, AlienVault hasn’t discovered evidence to link the newly found installer to the previous attacks.
“The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project,” the researchers note.
On the other hand, with the country hit hard by sanctions, crypto-currencies could easily prove highly valuable resources, and a North Korean university’s interest in the area wouldn’t be surprising.
In fact, the Pyongyang University of Science and Technology recently invited foreign experts to lecture on crypto-currencies, and the recently discovered installer might be a product of their endeavors, AlienVault suggests.
Serious Flaws Affect Dell EMC, VMware Data Protection Products
8.1.2018 securityweek Vulnerability
Data protection products from both Dell EMC and VMware are impacted by three potentially serious vulnerabilities discovered by researchers at Digital Defense.
EMC told customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products have a common component, the Avamar Installation Manager (AVI). This component is affected by vulnerabilities that can be combined to take complete control of a system.
The most serious of the flaws, CVE-2017-15548, allows a remote attacker to bypass authentication and gain root access to the system. The vulnerability is related to the fact that authentication is performed via a POST request that includes the username, password and a parameter named wsUrl.
“The wsURL parameter can be an arbitrary URL that the Avamar server will send an authentication SOAP request to, that includes the user provided username and password,” Digital Defense explained. “If the Avamar server receives a successful SOAP response, it will return a valid session ID. The attacker doesn't require any specific knowledge about the targeted Avamar server to generate the successful SOAP response, a generic, validly formed SOAP response will work for multiple Avamar servers.”
The second vulnerability, CVE-2017-15549, allows an authenticated attacker with low privileges to upload malicious files to the server.
“The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the ‘\r’ character,” researchers said. “The first half of the parameter is a path, including the filename, and the second half of the string is the data that should be written to that path. The web server is running with root privileges, so arbitrary files can be written to arbitrary locations.”
The third security hole, CVE-2017-15550, has been described as a path traversal issue that allows an authenticated attacker with low privileges to access arbitrary files on the server.
“The getFileContents method of the UserInputService class doesn't perform any validation of the user supplied filename parameter before retrieving the requested file from the Avamar server. Additionally, the web server runs as root, so any file can be retrieved using this vulnerability,” researchers said.
Combining the flaws allows a remote attacker to take complete control of a vulnerable system.
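All three weaknesses come down to missing server-side checks. The following added example (not Dell EMC's or Digital Defense's code) shows, in Python, what a hardened handler would do in each case: pin the authentication host instead of honouring a request-supplied wsUrl, parse the '\r'-separated save argument, and confine both read and write paths to a configured directory. The host name and base directory are placeholders.

```python
"""Hardened counterparts to the three Avamar Installation Manager weaknesses
described above (added example, not Dell EMC code): a client-chosen
authentication endpoint (wsUrl), a '\\r'-separated "path\\rdata" write request,
and an unvalidated read path. The web server is assumed to run as root, as the
article says, so every check must happen before any filesystem access."""
import os
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumption: the administrator configures the authentication host once;
# the request is never allowed to choose it. Placeholder value.
ALLOWED_AUTH_HOSTS = frozenset({"avamar-auth.example.internal"})

# Assumption: every file the UserInputService-style handler may touch lives
# under one directory. Placeholder path.
FILE_ROOT = "/srv/avamar/userinput"


def is_trusted_auth_url(ws_url: str) -> bool:
    """Accept a wsUrl only if it is HTTPS and names a configured host.

    The bypass in CVE-2017-15548 worked because any URL was accepted and a
    generic SOAP success reply from it yielded a session; pinning the host
    removes the attacker-controlled responder."""
    parts = urlparse(ws_url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_AUTH_HOSTS


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Map a client-supplied path to a real path strictly inside base_dir.

    Absolute paths are treated as relative to base_dir, and realpath()
    collapses '..' and symlinks before the containment test, so both
    'reports/../../etc/hosts' and a symlink escaping the root are rejected
    (CVE-2017-15550 had no such check). Returns None when refused."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if candidate.startswith(base + os.sep):
        return candidate
    return None


def parse_save_request(param: str) -> Optional[Tuple[str, str]]:
    """Split the single 'path\\rdata' argument of a saveFileContents-style
    call into (path, data). Only the first '\\r' separates the two; a missing
    separator, an empty path, or control characters in the path are refused."""
    if "\r" not in param:
        return None
    path, data = param.split("\r", 1)
    if not path or any(ord(ch) < 0x20 for ch in path):
        return None
    return path, data


def planned_write_target(param: str, base_dir: str = FILE_ROOT) -> Optional[str]:
    """Where a save request would write, or None if it must be refused
    (CVE-2017-15549 wrote wherever the first half of the string pointed)."""
    parsed = parse_save_request(param)
    if parsed is None:
        return None
    return resolve_under(base_dir, parsed[0])


if __name__ == "__main__":
    # Constructed inputs modelled on the three issues described in the article.
    print(is_trusted_auth_url("https://avamar-auth.example.internal/auth"))
    print(is_trusted_auth_url("http://203.0.113.5/soap"))
    print(planned_write_target("reports/today.txt\rreport body"))
    print(planned_write_target("../../../etc/hosts\rx"))
    print(resolve_under(FILE_ROOT, "/etc/hosts"))  # confined under FILE_ROOT
```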
EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x and 7.5.0, EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x and 9.2.x, and EMC Integrated Data Protection Appliance 2.0 are impacted. EMC has released patches for each of the affected products.
Digital Defense told SecurityWeek that there are more than 100 Avamar server instances accessible from the Internet – according to the Shodan search engine – which experts say is unexpected considering that the affected products are backup and deduplication appliances.
While a blog post from Digital Defense and some media reports describe the flaws as “zero-days,” the vendor has released patches prior to disclosure and there is no evidence of exploitation in the wild.
The vulnerabilities also affect VMware’s vSphere Data Protection (VDP) product. VMware informed customers of the issues on January 2, but it did not reference Digital Defense or EMC. Digital Defense told SecurityWeek that VMware’s VDP is a derivative of the EMC product and EMC informed VMware of the security bugs.
Lawsuits Filed Against Intel Over CPU Vulnerabilities
8.1.2018 securityweek Vulnerability
At least three class action lawsuits have been filed against Intel in the past days over the recently disclosed vulnerabilities that could allow malicious hackers to obtain potentially sensitive information from computers.
The Meltdown and Spectre attack methods uncovered by several independent research teams work not only against Intel processors, but also against CPUs from AMD and ARM. Intel has been hit the hardest – even its stock went down after initial reports claimed only Intel processors were affected – but the company says media reports describing the design flaws are overblown.
The lawsuits, all seeking class action status, have been filed in the Northern District of California, the Southern District of Indiana, and the District of Oregon, and they accuse Intel of violating state consumer protection laws. All complaints demand a jury trial.
In California, Branstetter, Stranch & Jennings of Nashville and Doyle APC of San Diego filed a consumer fraud case, accusing Intel of misleading consumers about the performance and reliability of its processors by selling a product with “fatal” security flaws.
The complaint filed in Indiana alleges that “Intel committed unfair and deceptive acts by representing that the Intel CPUs had performance, characteristics, or benefits which Intel knew or should reasonably have known they did not have.”
The chip giant has also been accused of breaching warranties by selling defective CPUs that it’s not willing to repair or replace free of charge. The Indiana lawsuit also claims the company was negligent in the manufacture and design of its processors.
In Oregon, plaintiffs say they are entitled to restitution based on Intel’s “intentional and knowing failures to disclose material defects.” The complaint claims plaintiffs would have acquired a CPU from an Intel competitor had they known about the flaws and the fact that they will end up with a slower product.
The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data, including passwords, photos, documents, emails, and data from instant messaging apps. The bugs that make these attacks possible are said to date back 20 years.
Intel and other major tech companies have started releasing patches and workarounds for the vulnerabilities, and many believe it’s enough for the time being. Some have suggested that Intel may need to recall impacted CPUs, but the vendor says that will not happen considering that the issue can be mitigated at software level.
Significant performance penalties have been observed in some cases, but Intel says most consumers will not experience any problems, and it’s confident that any penalties will be mitigated over time.
AMD has confirmed that some of the flaws also affect its own processors, but claims the risk of attacks is “near zero.” ARM, whose technology is used by Apple and Qualcomm, also confirmed that nearly a dozen of its Cortex CPUs are impacted.
Hardcoded Backdoor Found on Western Digital Storage Devices
8.1.2018 securityweek Vulnerability
Firmware updates released by Western Digital for its MyCloud family of devices address a series of security issues, including a hardcoded backdoor admin account.
The vulnerabilities were found in WDMyCloud firmware prior to version 2.30.165 and are said to affect devices such as MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100.
Discovered by GulfTech security researcher James Bercegay, the security flaws could be exploited to achieve remote root code execution on the affected WD My Cloud personal cloud storage units; the device is currently the best-selling network attached storage (NAS) device on Amazon.
One of the most important security issues the researcher found was an unrestricted file upload vulnerability created by the “misuse and misunderstanding of the PHP gethostbyaddr() function,” the researcher says.
The vulnerable code allows an attacker to define a remote auth server, which could be an attacker-controlled server. The request should fail if an invalid host is defined, but a series of bugs result in checks being skipped, eventually allowing an attacker to abuse the issue “to upload any file to the server that they want.”
While analyzing CGI binaries on the webserver, the security researcher discovered code where login functionality would specifically look for an admin user named “mydlinkBRionyg” and would accept the password “abc12345cba”.
The researcher then discovered that the backdoor could be turned into a root shell that would allow an attacker to execute any commands as root and gain control of the affected device. Damaging a vulnerable device would be extremely easy and would not require authentication.
“The triviality of exploiting these issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as "wdmycloud" and "wdmycloudmirror" etc.,” Bercegay explains.
In addition to the two critical vulnerabilities, the security researcher discovered a series of other dangerous issues as well in the WDMyCloud firmware. These bugs, however, are not deemed Critical, especially since some of them require authentication to be exploited.
The WDMyCloud web interface was found to lack effective cross-site request forgery protection, and exploitation of the issue is trivial, the researcher says. WDMyCloud is also plagued by a series of command injection issues. An attacker can abuse the language preferences functionality to cause a denial of service against the web interface and can dump a list of all users, including detailed user information.
The researcher also discovered that the exact same mydlinkBRionyg backdoor account was found in the D-Link DNS-320L ShareCenter NAS device a while back, supposedly because both devices shared common firmware code. However, the issue was addressed in D-Link DNS-320L with firmware version 1.0.6, released in July 2014.
“It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while. The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates,” Bercegay notes.
The researcher reported all these vulnerabilities to the vendor in June 2017. Firmware release 2.30.174 should address all of these issues.
Microsoft Patches for CPU Flaws Break Windows, Apps
8.1.2018 securityweek Vulnerability
Users have complained that the updates released by Microsoft last week for the Spectre and Meltdown vulnerabilities cause Windows to break down on some computers with AMD processors.
Several individuals whose computers rely on AMD processors, particularly older Athlon models, say they are unable to start Windows 10 after installing KB4056892, an update released by Microsoft in response to the disclosure of serious flaws affecting Intel, AMD and ARM processors.
The security holes have been dubbed Spectre and Meltdown and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Both local and remote exploitation are possible.
Users have reported that after installing Microsoft’s update the operating system freezes during boot when the Windows logo is displayed. Some users claimed to have had problems reverting to a previous state, and those who did manage to do it warned that the automatic update feature needs to quickly be disabled to prevent the update from being reinstalled.
While a majority of the affected users appear to have older AMD Athlon processors, some devices with AMD Turion CPUs also appear to have been hit.
Microsoft has not shared any information regarding this issue. A Microsoft spokesperson told SecurityWeek that the company is aware of the reports and is investigating.
Users have reported other problems as well after installing KB4056892. Owners of Asus devices say they receive an error message related to an Asus utility after updating.
The Spectre/Meltdown updates appear to break the PulseSecure VPN on both Windows 10 and Windows 8.1 – the patch for Windows 8.1 is included in KB4056898. The VPN vendor has released patches to address the issue.
Some Windows users report that they simply cannot install the patches for the CPU vulnerabilities, and some say their web browsers have started crashing after applying the update.
Shortly after releasing the Meltdown/Spectre updates, Microsoft warned that it had identified some compatibility issues with some antivirus products. The company informed users that if they had not been offered the security updates, they may be running an incompatible antivirus application.
Cybersecurity's Venture Capital and Private Equity Money-go-Round
8.1.2018 securityweek Cyber
Access to Money at the Right Time is Essential for Cybersecurity Firms Given the Volatility of the Market
Security firms bought by and consumed within larger firms can easily lose their way. It happened with McAfee, bought by Intel in 2010 for $7.68 billion, and extracted with a 51% purchase by private equity (PE) firm TPG in April 2017. The extraction valued McAfee at only $4.2 billion.
McAfee will be hoping that it can emulate SonicWall -- which also lost its way after being bought by Dell (from Thoma Bravo) in 2012. In the summer of 2016, Francisco Partners and Elliott Management extracted SonicWall (along with Quest Software) for a price reported by Reuters to be around $2 billion. Thoma Bravo did not disclose the price Dell paid for SonicWall, but the Wall Street Journal suggested it was $1.2 billion.
Dell acquired Quest Software for $2.4 billion in 2012 -- making the combined cost of the two firms somewhere in the region of $3.6 billion. In short, the two firms together fell in value from $3.6 billion to just $2 billion in the five years they spent as part of Dell.
Since then, SonicWall has been turned around under PE guidance and the stewardship of CEO Bill Connor. A little over a year after purchasing the two firms, Francisco Partners announced that it had completed a $2 billion debt refinancing, due to the strong operating performance of the firms. The refinancing was significantly oversubscribed, it reduces the operating overheads of the firms, and positions them nicely for further growth.
Private Equity in Cybersecurity
Access to money at the right time (and a few other things like the right management team) is essential for cybersecurity firms given the volatility of the market in both emerging start-ups and changing technology. This means that finding the right backers and understanding the investment market could be fundamental to the prospects of almost any cybersecurity firm. Excluding the unknown potential of the new small-scale crowdfunding options, there are three primary sources of serious money: angel investment, venture capital (VC) and private equity (PE).
'Angels' tend to be individuals -- or possibly collections of individuals -- who invest their own money in promising ideas. They are often important in getting a new company started; but do not normally have sufficient funds to take a growing company to the next level.
That next level of funding generally comes from venture capital (VC). VC funds "like Paladin, Amadeus and others step in to provide capital to entrepreneurs just after their angel or ‘proof of concept' phase of funding," explains Nazo Moosa. Moosa this year formed a new European VC firm called VT Partners, with the express purpose of injecting U.S.-style funding and growth into the under-performing European cybersecurity company market.
The key point for VC is that it funds new companies with new ideas. At this stage they are promising rather than proven; some will succeed, many will fail. Because of the additional risk to the investors, VC money is invested at high interest rates. This is the biggest problem area for the cybersecurity industry -- because of the high interest rates, returns need to be made relatively fast, and/or additional investment found. A company's value is often based on the number of its users, so sales can in many cases be more important than further product development.
Of course, not all VC firms are there just for a quick return. Dan Schiappa, Sophos SVP and GM, explains, "The top echelon investors are not in it for the quick turnaround, but instead they are long-term investors that will add value to a management team and towards building a long term viable company." But he adds, "VCs who look to build a company for acquisition from the get-go are the ones to avoid, as they may drive behaviors that are not beneficial to customers or product quality."
The problem is that cybersecurity attracts both types of VC money, simply because it is hot. "Everybody is under attack all of the time," comments Connor, "from other countries, cybercriminals, and hacktivists. So it's a hot area and hot areas tend to attract a lot of opportunity and a lot of money. From that there are a lot of start-ups with new 'silver bullets' that attract VC."
Schiappa believes there is a common cycle for new security companies. Initial idea and development is followed by VC investment. The money enables strong marketing, which effectively makes or breaks the business depending on the inherent strength of the initial product.
"At the end of the day," Schiappa explains, "much of the problem is that tech entrepreneurs follow the logic of getting product out as quickly as possible and gaining feedback. While in some circumstances that is a good and viable strategy, in others, it produces low quality products, that may be innovative, but are not suitable to build a scalable business. Startups get hyped, their innovation gets adopted; but then -- when they hit a scale that goes beyond the business or the product -- they enter the trough of sorrow, where investment is needed to build the product properly. During this period of time, you usually see a pickup in marketing in order to keep the momentum going. It can take years for a company to exit the trough with the quality product and business operations to scale to a legitimate business."
The problem for the cybersecurity industry is that new ideas do not often have 'years' to spare; they are constantly being supplanted by new and different ideas and technology.
"The hype cycle is where a startup can make it or break it," he continues. "If they are building quality products during the hype cycle, they will withstand the scale and not enter the trough, or enter it very briefly. Those who ship a product that is barely more than a prototype are destined for disaster."
Some VC investors collude in this cycle by insufficiently understanding cybersecurity. "There is a lot of money at play in the security space," warns Connor, "because it's such an interesting area, and an area that's not going to go away -- and there's also a lot of money that doesn't really understand security. It's not necessarily dumb money, but it's at risk in this space."
A good VC is not just a money lender -- it's a mentor who, adds Schiappa, "will guide the company properly and even provide technical advisers who can ensure that the product is built with production quality."
Company founders and private investors usually have one common long-term aim -- to maximize a return on their time and capital. There are three primary routes: sale to a larger company; going public and raising money on a stock exchange; and attracting the next level of private investment. The next level is 'private equity'. It is 'big money' that generally becomes available to companies that have been through the early growth phases of venture capital and have demonstrated the potential for future growth.
PE differs from VC in two primary ways: firstly there is generally more money available than there is in VC; and secondly, PE usually seeks to take a greater stake in the company -- if not actual ownership -- rather than simply investing in it. "PE firms tend to take on more ownership and liability of a company," comments Nathan Wenzler, "and so, they tend to have a stronger motivation to invest in the long term viability of it."
In this way, private equity firms play a different role in the evolution of a company. A PE firm looks for demonstrable potential. It is not interested in firms that have maxed their potential, but in firms that are perhaps slightly under-performing.
"They tend," explains Schiappa, "to acquire a company that has been an established vendor, has meaningful billings and revenues, but might not be operating at its full potential." SonicWall and McAfee both fit this bill. By improving performance, the PE firm will be able to gain its own return through one of two exit strategies: sale to a big security firm (or a larger PE firm); or going public. Unlike the majority of VC firms, PE tends to take a longer term view of the growth of its investment.
One method of improving performance -- beyond simply injecting capital -- is to strengthen the management team. A PE firm, says Schiappa, will "typically bring in professional leaders to guide the company to the public markets or to a larger exit. The PE firm is definitely investing with an exit in mind and their goal is to build value in the asset towards meeting that need. In most cases it is always beneficial to the company and their strategy and operations."
When Francisco Partners acquired SonicWall from Dell, it was because SonicWall was losing its way despite having proven product, and therefore potential. "What Francisco Partners saw," explains Connor, "was a multiple $100m dollar company where the revenue was going down. It was losing money, but some of us -- and that included myself -- knew that the company had been growing before and made money before; both when it was private and public. So we knew it just needed to get restructured, or rebuilt and refocused -- which is what I've done over the last years."
The first thing the PE company did was to bring in Bill Connor as the new CEO. Connor already had successful experience in working with a PE firm, having taken Entrust through its four-year period with Thoma Bravo to its sale to the Datacard Group in 2013; for what he says was six and a half times the PE firm's original investment.
This is the cybersecurity money-go-round. VC firms look for the next silver bullet that could give the investors a high return over a short period. It tends to be new technology or an innovative idea; but there is no company track record. The risks are higher, so the cost of the money is more expensive. This can lead to increased pressure on the company to grow as fast as possible. If that growth can be sustained, the company will succeed; if it cannot, it will fail.
If the company succeeds, it can then become a target for private equity investment. That company now has a track record, but PE is looking for the potential for even greater growth through a combination of additional funds and perhaps improved leadership. There are, and there always will be, casualties -- both in silver bullet companies that prove to lack luster, and buyers of those products. During the hype phase of VC, users can be persuaded to buy a product that under-performs and ultimately fails -- and that could prove costly to the user beyond the price of the product. The PE phase is more stable. PE firms are confident that the product is good and the market is strong.
Overall, the system works. By far the majority of big cybersecurity firms are U.S.-based, with only a handful of European firms reaching a similar scale. It is no coincidence that the U.S. has five times the venture funding as that of Europe. But to use the system profitably, new companies need to choose the right VC investment in their early years. Cybersecurity firms should examine the track record of VC firms just as closely as PE firms examine the track record of the cybersecurity firms.
Incidentally, Dell, which first bought SonicWall and then sold it to PE firms Francisco Partners and Elliott Management, has its own investments history. It started in 1984 with Michael Dell building and selling personal computers while he was a student at the University of Texas at Austin, using $1,000 capital provided by his family. As he proved his worth, his family increased their 'investment' to a loan of $500,000, similar to early stage 'angel' investments.
As his firm grew, Dell did not proceed to the venture capital stage. Instead, he hired a retired merchant banker and venture capitalist, Lee Walker, as president and CEO. Walker helped secure the firm's first serious credit -- a bank's line of credit for $10 million. Dell also skipped the private equity stage, and raised capital in a private placement in 1987 and went public via an initial public offering in 1988. Michael Dell retained a significant position in the company, but no longer had personal control.
During the 1990s, the company continued to prosper, but started to suffer from the increasing commoditization of personal computers after 2000, and the later effect of mobile devices on the PC market. Dell's market dominance declined -- but in 2013 Dell announced that Michael Dell and Silver Lake Partners, together with a $2 billion loan from Microsoft, would take the company private in a $24.4 billion leveraged buyout deal. In essence, Michael Dell used private equity to escape from public ownership rather than the more usual route of using it to prepare for public ownership.
It was the PE-backed Dell that announced the purchase of EMC for $67 billion in October 2015, completing the deal in September 2016. The combined companies became Dell Technologies, the world's largest privately controlled integrated technology company, which also includes security industry pioneer RSA.
Microsoft KB4056892 Meltdown/Spectre patch bricks AMD Athlon-powered machines
8.1.2017 securityaffairs Vulnerability
Many users claim the Security Update for Windows KB4056892, the Microsoft Meltdown/Spectre patch, bricks AMD Athlon-powered machines.
The Meltdown and Spectre vulnerabilities will continue to create a lot of problems for users and chip vendors.
As you know, tech giants like Apple, Cisco and Microsoft have acknowledged that their products are affected and have started rolling out security patches.
While many experts argued that the fixes would have a significant impact on the performance of any device, Intel confirmed that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess any impact on system performance from the security updates did not reveal negative effects.
Unfortunately, the problems are not over: the fix released by Microsoft for the Meltdown and Spectre attacks (Security Update for Windows KB4056892) is bricking some AMD PCs, in particular Athlon-powered machines.
Recall that AMD CPUs are not susceptible to the Meltdown attack but are vulnerable to Spectre attacks.
In this thread on answers.microsoft.com, many users claim that the Security Update for Windows KB4056892 bricks some AMD-powered PCs and leaves them stuck at the Windows startup logo.
“I have an older AMD Athlon 64 X2 6000+, Asus MB, after installation of KB4056892 the system doesn’t boot, it only shows the Windows logo without animation and nothing more. After several failed boots it does a roll-back then it shows error 0x800f0845. Unfortunately, it seems it’s not easy to disable the automatic updates without gpedit tweaks, so it tries installing and rolling back the update over and over.” reported an angry user.
Athlon-powered systems stopped working right after the patch was installed, and worse, the fix does not create a recovery point, so a rollback is in some cases not possible.
Some users reported that even re-installing Windows 10 doesn’t solve the problem.
Affected users will need to disable Windows Update, but only Microsoft can solve the embarrassing situation for its AMD users.
At the time, the thread did not include any response from Microsoft.
Following recent mass demonstration, Iran Infy group may attempt to target protesters and their foreign contacts
8.1.2017 securityaffairs BigBrothers
Following the recent mass demonstration, the Iran-linked Infy group may attempt to target protesters and their contacts abroad.
The crackdown of Iranian authorities on protesters and dissident could have a wide range and involve anyone in contact with them.
According to cybersecurity firms and researchers, a nation-state actor called Infy is intensifying its attacks against anyone is in contact with protesters.
The state-sponsored hackers target victims with spear-phishing messages that are constantly refined and improved.
According to experts at Palo Alto Networks, the Infy group has been active since at least 2007, and its malware has been involved in attacks both inside the country and abroad.
The name Infy comes from a string the malware authors used in filenames and in command and control (C&C) folder names and strings.
The Infy malware was first submitted to VirusTotal in August 2007, while the C&C domain used by the oldest sample spotted by the experts has been associated with a malicious campaign dating back to December 2004.
The malware evolved over the years: the authors improved it with new features, such as support for the Microsoft Edge web browser, which was introduced in version 30.
Unlike other Iranian nation-state actors who target foreign organizations, the Infy group appears focused on opponents and dissidents.
Researchers Colin Anderson and Claudio Guarnieri, authors of the research titled “Iran and the Soft War for Internet Dominance,” confirmed that the Infy attackers were responsible for a large number of attempted malware attacks against Iranian civil society since late 2014.
In response to the recent mass demonstrations, the Iranian government also tried to isolate the protests by blocking internet access on mobile networks; the authorities blocked Instagram and messaging services like Telegram.
Security experts believe that protesters will be targeted by the Infy actor, and that its malware will be used against anyone who has any kind of relationship with them.
Spear phishing attacks already targeting Pyeongchang Olympic Games
8.1.2017 securityaffairs Phishing
Hackers are already targeting the Pyeongchang Olympic Games with spear phishing attacks aimed at stealing sensitive or financial information.
Security researchers from McAfee reported that hackers are already targeting the Pyeongchang Olympic Games: many organizations associated with the event have received spear phishing messages.
Most of the targeted organizations are involved with the Olympics either in providing infrastructure or in a supporting role.
“Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).” reported McAfee.
“The primary target of the email was icehockey@pyeongchang2018.com, with several organizations in South Korea on the BCC line. The majority of these organizations had some association with the Olympics, either in providing infrastructure or in a supporting role.”
The campaign began on December 22; attackers used spoofed messages that pretend to come from South Korea’s National Counter-Terrorism Center.
The hackers spoofed the message to appear to be from info@nctc.go.kr, the address of the National Counter-Terrorism Center (NCTC) in South Korea. The analysis revealed that the email was actually sent from an address in Singapore and referred to alleged antiterror drills in the region in preparation for the Olympic Games.
Attackers attempt to trick victims into opening a document in Korean titled “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.”
Initially, the malware was embedded in the malicious document as a hypertext application (HTA) file; later the threat actors started hiding the malicious code in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. Researchers also noted that the attackers wrote custom PowerShell code to decode the hidden image and launch the malware.
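The spoofing described above (a From: header claiming info@nctc.go.kr while the message actually originated elsewhere) is the kind of mismatch a mail gateway or analyst can check mechanically. The script below is an added example, not McAfee’s tooling or anything from the campaign: it parses a constructed message, takes the earliest Received: hop, and flags it when that hop does not belong to the From: domain or when the Authentication-Results header carries a non-passing SPF verdict. The relay hostnames, IP addresses (RFC 5737 documentation ranges) and the Authentication-Results line are all constructed sample data.

```python
"""Spoofed-sender check for a phishing message (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Only the From: address and the recipient
# mirror the article; every host, IP and date is a placeholder.
SAMPLE_EMAIL = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [192.0.2.10])
\tby mail.pyeongchang-example.test with ESMTP; Fri, 22 Dec 2017 09:12:31 +0900
Received: from relay.example-sender.test (relay.example-sender.test [198.51.100.25])
\tby mx.example-receiver.test with ESMTP; Fri, 22 Dec 2017 09:12:30 +0900
Authentication-Results: mx.example-receiver.test; spf=fail smtp.mailfrom=nctc.go.kr
From: "National Counter-Terrorism Center" <info@nctc.go.kr>
To: icehockey@pyeongchang2018.com
Subject: antiterror drills

Please see the attached document.
"""

# "from <host> (<comment>) by ..." is the usual shape of a Received: clause.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def sender_domain(msg):
    """Domain part of the RFC 5322 From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_hosts(msg):
    """Hostnames named in Received: headers, earliest hop first.

    Each relay prepends its own Received: header, so the last one in the
    message is the hop closest to the real origin.
    """
    hosts = []
    for value in msg.get_all("Received", []):
        folded = " ".join(value.split())  # collapse header folding
        m = RECEIVED_FROM.match(folded)
        if m:
            hosts.append(m.group(1).lower())
    return list(reversed(hosts))


def spf_result(msg):
    """SPF verdict from Authentication-Results, or None when absent."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", value)
        if m:
            return m.group(1).lower()
    return None


def analyze(raw):
    """Return the extracted facts plus a list of human-readable findings."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    hops = originating_hosts(msg)
    first_hop = hops[0] if hops else ""
    findings = []
    if first_hop and not (first_hop == domain or first_hop.endswith("." + domain)):
        findings.append(f"From domain {domain} does not match first hop {first_hop}")
    spf = spf_result(msg)
    if spf and spf != "pass":
        findings.append(f"SPF result is {spf}")
    return {"from_domain": domain, "first_hop": first_hop, "spf": spf, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL)["findings"]:
        print("finding:", line)
```

Two findings come back for the constructed sample: the first hop is an unrelated relay, and SPF failed. On real mail the Received chain can be forged below the first trusted relay, so a gateway should only trust the hops its own servers added and treat anything earlier as attacker-controlled.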
“When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:
hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php” continues the analysis.
“Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.”
The experts expect more hacking campaigns targeting entities involved in sporting events like the Pyeongchang Olympic Games.
“With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes,” the McAfee report concluded.
“In similar past cases, the victims were targeted for their passwords and financial information.”
US National Security Agency Director Admiral Mike Rogers to Retire
8.1.2017 securityaffairs BigBrothers
After a four-year term, National Security Agency Director Admiral Mike Rogers plans to retire; he sent a letter to his staff on Friday informing them that he would depart next spring.
After a four-year term, National Security Agency chief Admiral Mike Rogers plans to retire within months.
Admiral Mike Rogers was chosen by President Barack Obama in 2014 to replace Gen. Keith Alexander. He was nominated for his significant experience in the cybersecurity field: as head of Fleet Cyber Command he had been involved in cyber defense and offense policy issues.
The news was confirmed by US intelligence sources; Rogers, who also led US Cyber Command, sent a letter to his staff on Friday informing them that he would depart next spring.
Rogers’ successor will be nominated by President Donald Trump this month.
Rogers is at odds with Trump: The Observer recently reported that, in a private town-hall-style meeting with NSA staff, he admitted that Donald Trump did, in fact, collude with the Russians.
Rogers, along with other US security chiefs, presented a report to Trump on January 6, 2017 saying that Russians had interfered in the 2016 presidential election.
Unfortunately, during his tenure the agency also faced the clamorous and disconcerting leak of exploits and hacking tools from its arsenal.
Experts found a strain of the Zeus banking Trojan spread through a legitimate developer’s website
8.1.2017 securityaffairs Virus
Malware researchers at the Talos group have discovered a strain of the Zeus banking Trojan that abuses the legitimate website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM).
The experts discovered that the version of the ZeuS banking Trojan used in this attack is 2.0.8.9, which was leaked in 2011.
The attack occurred in August 2017, in the time frame of the Independence Day holiday in Ukraine, but Talos researchers have only now disclosed the details of the attack.
Experts found many similarities with the attack vector used in the NotPetya case. While in the NotPetya attack hackers compromised the supply chain of the software firm M.E.Doc to distribute the malware, in the case of the Zeus banking Trojan the threat actors relied on accounting software maker CFM’s website to distribute malware that was fetched by downloaders delivered as attachments in an email spam campaign.
Researchers from Talos were able to register and sinkhole one of the Command and Control (C2) domains used by the attackers; in this way they gathered information about the number and nature of the infected systems.
Attackers used spam emails with a ZIP archive containing a JavaScript file, which acted as a downloader. The researchers discovered that one of the domains used to host the malware payload was associated with CFM’s website; attackers also used it to distribute the PSCrypt ransomware.
The analysis of the infection process revealed that, once executed, the malware first performs a long list of anti-VM checks to determine whether it is running in a virtualized environment. If not, the malicious code achieves persistence by creating a registry entry that ensures execution at system startup.
The malware then attempts to connect to several C&C servers, and the Talos experts discovered that one of them was not registered at the time of the analysis: a gift for the researchers, who registered it to sinkhole the botnet.
Most of the infected systems were located in Ukraine, followed by the United States.
“Interestingly, most of the systems which beaconed to our sinkhole server were located in Ukraine with United States being the second most affected region. A graph showing the ISPs that were most heavily affected is below:”
“As can be seen in the graph above, PJSC Ukrtelecom was by far the most heavily affected. This ISP is the company governed by the Ministry of Transportation and Communications in Ukraine. In total, our sinkhole logged 11,925,626 beacons from 3,165 unique IP addresses” states the analysis from Talos.
According to Talos, hackers are refining their attack techniques and are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers.
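The figures Talos quotes (total beacons, unique IPs, a ranking of affected ISPs) are what a sinkhole operator derives from the raw request log. The script below is an added example, not Talos’ tooling: it parses constructed sinkhole log lines of the form “timestamp source-ip path”, skips malformed lines, counts beacons and unique source addresses, and ranks ISPs by the number of distinct infected hosts. The prefix-to-ISP table is a made-up stand-in for a whois or GeoIP lookup, and every address comes from the RFC 5737 documentation ranges.

```python
"""Summarizing sinkhole beacons by source IP and ISP (added example, not Talos' code)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sinkhole log: "<timestamp> <source-ip> <request-path>".
# Two lines are deliberately malformed to exercise the parser.
SINKHOLE_LOG = """\
2017-08-24T08:00:01Z 192.0.2.10 /gate.php
2017-08-24T08:00:03Z 192.0.2.10 /gate.php
2017-08-24T08:00:04Z 192.0.2.77 /gate.php
2017-08-24T08:00:09Z 198.51.100.5 /gate.php
2017-08-24T08:00:10Z 198.51.100.5 /gate.php
2017-08-24T08:00:11Z 198.51.100.5 /gate.php
2017-08-24T08:00:15Z 203.0.113.200 /gate.php
this line is garbage and should be skipped
2017-08-24T08:00:20Z 192.0.2.33 /gate.php
2017-08-24T08:00:21Z not-an-ip /gate.php
"""

# Hypothetical prefix -> ISP mapping; a real deployment would query whois/GeoIP.
PREFIX_TO_ISP = {
    ipaddress.ip_network("192.0.2.0/24"): "ISP-A (constructed)",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B (constructed)",
}


def isp_for(ip):
    """Longest-prefix-free lookup in the tiny constructed table; 'unknown' if no match."""
    for net, name in PREFIX_TO_ISP.items():
        if ip in net:
            return name
    return "unknown"


def parse_beacons(text):
    """Yield (timestamp, ip_address) for well-formed lines and skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield parts[0], ip


def summarize(text):
    """Return totals, the per-ISP host ranking and the noisiest single host."""
    beacons = 0
    per_ip = Counter()
    for _, ip in parse_beacons(text):
        beacons += 1
        per_ip[ip] += 1

    hosts_per_isp = defaultdict(set)
    for ip in per_ip:
        hosts_per_isp[isp_for(ip)].add(ip)

    # Rank by distinct infected hosts (most first), then by name for stability.
    isp_ranking = sorted(
        ((name, len(hosts)) for name, hosts in hosts_per_isp.items()),
        key=lambda item: (-item[1], item[0]),
    )
    return {
        "beacons": beacons,
        "unique_ips": len(per_ip),
        "isp_ranking": isp_ranking,
        "noisiest": per_ip.most_common(1)[0] if per_ip else None,
    }


if __name__ == "__main__":
    summary = summarize(SINKHOLE_LOG)
    print(f"{summary['beacons']} beacons from {summary['unique_ips']} unique IPs")
    for name, count in summary["isp_ranking"]:
        print(f"  {name}: {count} host(s)")
```

Ranking by distinct hosts rather than raw beacon count matters: a single chatty infection behind a large ISP would otherwise dominate the chart, which is why the example keeps both the per-IP counter and the per-ISP host set.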
Qualcomm Working on Mitigations for Spectre, Meltdown
8.1.2018 securityweek Vulnerability
Qualcomm has confirmed that some of its products are affected by the recently disclosed Spectre and Meltdown vulnerabilities, but the company says mitigations are being deployed.
The chipmaker has provided few details, but claims it has been working with ARM and others to assess the impact of the flaws. Mitigations have been developed and Qualcomm is in the process of incorporating them into impacted products.
“We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available,” the company stated.
Qualcomm’s processors, used in devices from several major vendors, include CPU, GPU, modem, audio, and camera components. Some of the systems rely on ARM CPU cores that have been confirmed to be affected by the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities.
For example, the Snapdragon 653, 652 and 650 platforms use ARM Cortex-A72 processors, which ARM says are vulnerable to both Spectre exploits and a variant of the Meltdown attack. Moreover, the Snapdragon 845 mobile platform, which Qualcomm unveiled just a few weeks ago, uses a customized version of the Cortex-A75, which is also vulnerable to both Spectre and Meltdown attacks.
Qualcomm is not the only vendor using ARM technology in its products. Apple, whose A-series system-on-a-chip (SoC) also uses ARM processing cores, confirmed that some of its devices are affected.
Raspberry Pis also use ARM cores, but the Raspberry Pi Foundation announced that the models found in its devices – specifically ARM1176, Cortex-A7, and Cortex-A53 – are not impacted by Spectre or Meltdown.
The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data, including passwords, photos, documents, emails, and data from instant messaging apps.
Billions of devices using Intel, AMD and ARM processors are affected and researchers believe attacks are not easy to detect. Experts are concerned that we may soon witness remote attacks.
Attacks can be prevented using kernel page table isolation (KPTI) and a mitigation named Retpoline developed by researchers at Google. Intel, Apple, Microsoft, Google, Amazon and others have already started rolling out patches and workarounds.
However, the mitigations can introduce performance penalties of up to 30 percent for affected processors. While Intel said regular users should not notice any difference and several tech giants claimed they had not seen any meaningful performance impact, some AWS customers have reported problems, and tests conducted by Red Hat showed penalties of up to 19% in the case of operations involving highly cached random memory.
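A practitioner who has just applied the KPTI and Retpoline mitigations mentioned above wants a way to confirm they took effect. On Linux (kernel 4.15 and later) the kernel reports each flaw’s state under /sys/devices/system/cpu/vulnerabilities/ as “Not affected”, “Vulnerable” or “Mitigation: <name>”, where KPTI appears as “Mitigation: PTI”. The script below is an added example, not from the article or any vendor: it classifies those status strings and maps the file names to the CVE numbers given above. It reads the live directory when present and otherwise falls back to a constructed sample of a partially mitigated host.

```python
"""Spectre/Meltdown mitigation status from Linux sysfs (added example, not from the article)."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# File name -> CVE, as listed in the article.
CVE_FOR = {
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "meltdown": "CVE-2017-5754",
}

# Constructed sample: Meltdown mitigated by KPTI, Spectre v2 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def classify(status):
    """Map a sysfs status string to 'not_affected', 'mitigated' or 'vulnerable'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # covers "Vulnerable" and "Vulnerable: ..." variants


def mitigation_name(status):
    """The text after 'Mitigation:' (e.g. 'PTI'), or None if not mitigated."""
    s = status.strip()
    return s.split(":", 1)[1].strip() if s.startswith("Mitigation:") else None


def read_sysfs(directory=SYSFS_DIR):
    """Read every file in the vulnerabilities directory; None if it does not exist."""
    if not os.path.isdir(directory):
        return None
    statuses = {}
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry; skip rather than abort
    return statuses


def report(statuses):
    """Classify each entry and list the ones still unmitigated."""
    rows = {
        name: {
            "cve": CVE_FOR.get(name),
            "state": classify(value),
            "mitigation": mitigation_name(value),
        }
        for name, value in statuses.items()
    }
    unmitigated = sorted(n for n, r in rows.items() if r["state"] == "vulnerable")
    return {"rows": rows, "unmitigated": unmitigated}


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample"
    result = report(live or SAMPLE)
    print(f"source: {source}")
    for name, row in result["rows"].items():
        print(f"  {name} ({row['cve']}): {row['state']} {row['mitigation'] or ''}")
    print("unmitigated:", ", ".join(result["unmitigated"]) or "none")
```

The same files later gained more entries (for other speculative-execution issues), which is why the parser keeps unknown names and only annotates the three CVEs named on this page. Kernels older than 4.15 do not have the directory at all, and the script reports that as the sample fallback rather than as “not affected”.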