Daily Archives: July 5, 2018

BSides Springfield Preview: How To DevOps (While Sneaking in Security)

As companies embrace the DevOps phenomenon in hopes of producing applications at a faster rate, they are also introducing insecure software into the digital ecosystem. DevOps, itself, is a software lifecycle movement which blends developmental and operational tasks together to accelerate application-building in a quick, clean, and repetitive manner for faster time-to-market. In DevOps environments, […]

The post BSides Springfield Preview: How To DevOps (While Sneaking in Security) appeared first on The State of Security.

Cisco FXOS, NX-OS, and UCS Manager Software Cisco Discovery Protocol Denial of Service Vulnerability

A vulnerability in the Cisco Discovery Protocol (formerly known as CDP) subsystem of devices running, or based on, Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to create a denial of service (DoS) condition.

The vulnerability is due to a failure to properly validate certain fields within a Cisco Discovery Protocol message prior to processing it. An attacker with the ability to submit a Cisco Discovery Protocol message designed to trigger the issue could cause a DoS condition on an affected device while the device restarts.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-cdp

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0331

Cisco FXOS Software and UCS Fabric Interconnect Arbitrary Code Execution Vulnerability

A vulnerability in the CLI parser of Cisco FXOS Software and Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to cause a buffer overflow on an affected device.

The vulnerability is due to incorrect input validation in the CLI parser subsystem. An attacker could exploit this vulnerability by exceeding the expected length of user input. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-ace

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0302

Cisco FXOS Software and UCS Fabric Interconnect Web UI Denial of Service Vulnerability

A vulnerability in the web UI of Cisco FXOS and Cisco UCS Fabric Interconnect Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected system.

The vulnerability is due to incorrect input validation in the web UI. An attacker could exploit this vulnerability by sending a malicious HTTP or HTTPS packet directed to the physical management interface of an affected system. A successful exploit could allow the attacker to cause the process to crash and possibly reload the device, resulting in a denial of service (DoS) condition on the affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-dos

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0298

Cisco FXOS and NX-OS Software Cisco Discovery Protocol Arbitrary Code Execution Vulnerability

A vulnerability in the Cisco Discovery Protocol component of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code as root or cause a denial of service (DoS) condition on the affected device.

The vulnerability exists because of insufficiently validated Cisco Discovery Protocol packet headers. An attacker could exploit this vulnerability by sending a crafted Cisco Discovery Protocol packet to a Layer 2 adjacent affected device. A successful exploit could cause a buffer overflow that allows the attacker to execute arbitrary code as root or cause a DoS condition on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-dos

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0303

Cisco FXOS and NX-OS Software Cisco Fabric Services Denial of Service Vulnerability

A vulnerability in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.

The vulnerability exists because the affected software insufficiently validates Cisco Fabric Services packets. An attacker could exploit this vulnerability by sending a crafted Cisco Fabric Services packet to an affected device. A successful exploit could allow the attacker to force a NULL pointer dereference and cause a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-fabric-dos

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0305

Cisco NX-OS Software CLI Arbitrary Command Execution Vulnerability

A vulnerability in the CLI parser of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device.

The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting malicious command arguments into a vulnerable CLI command. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected device.

Note: This vulnerability requires that a feature license has been uploaded to the device. The vulnerability does not require that the license be in use.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-execution

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0306

Cisco NX-OS Software Role-Based Access Control Elevated Privileges Vulnerability

A vulnerability in role-based access control (RBAC) for Cisco NX-OS Software could allow an authenticated, remote attacker to execute CLI commands that should be restricted for a nonadministrative user. The attacker would have to possess valid user credentials for the device.

The vulnerability is due to incorrect RBAC privilege assignment for certain CLI commands. An attacker could exploit this vulnerability by authenticating to a device as a nonadministrative user and executing specific commands from the CLI. An exploit could allow the attacker to run commands that should be restricted to administrative users. These commands could modify the configuration or boot image on the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosrbac

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0293

Cisco NX-OS Software NX-API Arbitrary Code Execution Vulnerability

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to craft a packet to the management interface on an affected system, causing a buffer overflow.

The vulnerability is due to incorrect input validation in the authentication module of the NX-API subsystem. An attacker could exploit this vulnerability by sending a crafted HTTP or HTTPS packet to the management interface of an affected system with the NX-API feature enabled. An exploit could allow the attacker to execute arbitrary code as root.

Note: NX-API is disabled by default.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-bo

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: Critical
CVE: CVE-2018-0301

Cisco FXOS and NX-OS Software Unauthorized Administrator Account Vulnerability

A vulnerability in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to configure an unauthorized administrator account for an affected device.

The vulnerability exists because the affected software does not properly delete sensitive files when certain CLI commands are used to clear the device configuration and reload a device. An attacker could exploit this vulnerability by logging into an affected device as an administrative user and configuring an unauthorized account for the device. The account would not require a password for authentication and would be accessible only via a Secure Shell (SSH) connection to the device. A successful exploit could allow the attacker to configure an unauthorized account that has administrative privileges, does not require a password for authentication, and does not appear in the running configuration or the audit logs for the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosadmin

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0294

Cisco Firepower 4100 Series Next-Generation Firewall and Firepower 9300 Security Appliance Path Traversal Vulnerability

A vulnerability in the process of uploading new application images to the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance could allow an authenticated, remote attacker using path traversal techniques to create or overwrite arbitrary files on an affected device.

The vulnerability is due to insufficient validation during the application image upload process. An attacker could exploit this vulnerability by creating an application image containing malicious code and installing the image on the affected device using the CLI or web-based user interface (web UI). These actions occur prior to signature verification and could allow the attacker to create and execute arbitrary code with root privileges.

Note: A missing or invalid signature in the application image will cause the upload process to fail, but does not prevent the exploit.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-firepwr-pt

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0300

Cisco NX-OS Software NX-API Arbitrary Command Execution Vulnerability

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to send a malicious packet to the management interface on an affected system and execute a command-injection exploit.

The vulnerability is due to incorrect input validation of user-supplied data to the NX-API subsystem. An attacker could exploit this vulnerability by sending a malicious HTTP or HTTPS packet to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to execute arbitrary commands with root privileges.

Note: NX-API is disabled by default.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-api-execution

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0313

Cisco 5000 Series Enterprise Network Compute System and Cisco UCS E-Series Servers BIOS Authentication Bypass Vulnerability

A vulnerability in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers could allow an unauthenticated, local attacker to bypass the BIOS authentication and execute actions as an unprivileged user.

The vulnerability is due to improper security restrictions that are imposed by the affected system. An attacker could exploit this vulnerability by submitting an empty password value to an affected device's BIOS authentication prompt. An exploit could allow the attacker to have access to a restricted set of user-level BIOS commands.

There is a workaround that addresses this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-encs-ucs-bios-auth-bypass


Security Impact Rating: Medium
CVE: CVE-2018-0362

WordPress Update – 4.9.7 Security & Maintenance Release

The WordPress team has just released a critical security and maintenance update to resolve a number of bugs and security issues.

Included in this release is a patch that protects against a vulnerability allowing bad actors to delete files from your site. If certain circumstances are met, this vulnerability may be enough for an attacker to completely take control of your website.

Are You at Risk?

If you don’t have automatic updates enabled or are using WordPress version 4.9.6 or earlier, your site may be vulnerable to this security issue originally reported by Slavco.

Continue reading WordPress Update – 4.9.7 Security & Maintenance Release at Sucuri Blog.

Announcing New CA Veracode Dynamic Analysis

Effective application security assesses applications across the entire software lifecycle – beyond the development phase and into production. Why is this necessary? If you’ve shifted security left, into the development process, why do you need to shift it right into production? To put it bluntly: Because people aren’t perfect, and bad guys never sleep. With the speed of today’s development processes, it would be foolish to assume that every defect has been found and fixed when an app hits production, and likewise, it would be foolish to assume that cyberattackers are done inventing new ways to access your code. In addition, scanning an app dynamically at runtime will find issues and vulnerabilities you simply can’t identify looking at the app statically. The bottom line is that scanning apps in production with dynamic analysis is a critical piece of an effective application security program. However, dynamic analysis solutions have to work with DevOps processes and keep software secure without slowing or stopping releases.

To help you meet this need to dynamically scan apps in production, while ensuring you keep pace in a DevOps world, we’re launching a new and improved DAST solution, CA Veracode Dynamic Analysis. With its automation, depth of coverage, and unmatched scalability, CA Veracode Dynamic Analysis helps you:

Save time and effort on production scanning

With CA Veracode Dynamic Analysis’ recurring scheduling feature, you don’t have to remember to kick off scans. You can easily set up scans on a schedule that you do not have to continuously monitor. In addition, with the automated pause & resume feature, you don’t have to worry about disrupting IT maintenance windows because Dynamic Analysis will automatically pause at maintenance windows and resume where it left off.

Dynamically scan all your apps quickly and accurately

CA Veracode Dynamic Analysis covers all your applications, even difficult-to-scan web apps, such as single page and large web apps. And we will keep your development teams moving both with the speed at which our solution crawls and audits pages, and with our low false-positive rate (<1%), which keeps your developers from spinning their wheels chasing down non-existent threats.

Easily onboard apps and scale to cover your entire application landscape

You can set up a CA Veracode Dynamic Analysis scan with just the URL; you don’t need to coordinate with the development team to hunt down code or binaries. And when you need to scan multiple applications, you don’t have to upload them one at a time. You simply upload a .csv document to Dynamic Analysis with all of the URLs. In addition, you can schedule a group of applications into a batch scan and assess multiple applications concurrently. No matter the size of your organization, concurrent scanning means you don’t have to wait for a scan to complete before starting the next one.

Get all your testing results in one place

With CA Veracode, you’ll find results from all your AppSec tests – static, dynamic, SCA, pen testing – in one central location. This single view of test results makes it easy to coordinate remediation between multiple teams and track your progress.

Learn more

Keep your code secure across the software lifecycle, without slowing development cycles; get more details on the new CA Veracode Dynamic Analysis.

Ex-NSO Employee Caught Selling Stolen Phone Hacking Tool For $50 Million

A former employee of one of the world's most powerful hacking companies, NSO Group, has been arrested and charged with stealing phone hacking tools from the company and trying to sell them secretly for $50 million on the Darknet. Israeli hacking firm NSO Group is mostly known for selling high-tech malware capable of remotely cracking into Apple's iPhones and Google's Android devices to

Cloud Security For The Healthcare Industry: A No-Brainer

The healthcare industry has become one of the likeliest to suffer cyber-attacks, and there’s little wonder why. Having the financial and personal information of scores of patients makes it a very appetizing target for attackers.

Just over a year ago, the WannaCry ransomware attack wreaked havoc on the UK National Health Service (NHS), ultimately disrupting a third of its facilities and causing a rash of canceled appointments and operations.

As healthcare organizations face the prospect of increasing attacks, their security teams look to cybersecurity experts with comprehensive, tested products to protect the sensitive information they hold. ALYN Woldenberg Family Hospital, Israel’s only pediatric rehabilitation facility, is no exception.

With a database of more than 70,000 patients and a website hosted in four languages and across three different domains, ALYN Hospital’s IT team was concerned that their content management system (CMS) could be vulnerable. The team didn’t feel their cybersecurity vendor was updating the security on their CMS as often as they should, leading them to go looking for a new vendor.

Initially checking out on-premises WAF systems, ALYN’s team kept coming up against the cost of securing their sites and, because of strict government regulations, they were initially hesitant to move to a cloud-based system. Ultimately, however, they decided that the Imperva Incapsula cloud-based WAF was just the thing, as it meets the most stringent enterprise-grade security criteria.

“We looked at community reviews and talked with colleagues at other hospitals and got the impression that Incapsula is one of the best in terms of cost-benefit ratio, which is important to us, in addition to robustness, ease-of-use, and integration, which was very smooth. It all proved to be correct, for which I am very glad,” said Uri Inbar, Director of IT for ALYN Hospital.

Setting up the system took less than a day and ALYN Hospital still manages its servers in-house, with a staff member who is now dedicated to security. Imperva Incapsula has been low maintenance from the start, so, while customer support was with them every step of the way at the beginning, they haven’t needed any for the last few years because the automatic system, managed and tuned by a team of Imperva security experts, has been running smoothly on its own.

“It gives us peace of mind to know that someone has dedicated themselves to the subject and keeps us updated. It’s one less worry to take care of.”

Since making the switch, ALYN Hospital has seen some significant improvements:

  • Increased visibility for monitoring security threats: The Imperva Incapsula dashboard is easy to use and provides information that helps ALYN Hospital keep its systems secure. And for their special projects, they can even see which countries are generating the most traffic.
  • Good cost-benefit ratio: One of the most important aspects of any new security system for ALYN, the costs were reasonable, especially given the security benefits they received from the Incapsula system.
  • Faster content delivery: While no formal studies were done, the IT staff has heard from some users that their CDN is delivering content faster than before.

Imperva Incapsula offers a single stack solution that integrates content delivery, website security, DDoS protection, and load balancing. Incapsula is PCI-compliant, has customizable security rules and offers 24/7 support.

Threat Model Thursdays: Crispin Cowan

Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame.

What are we working on?

One of the places where Crispin goes deeper is definitional. He’s very precise about what a security principal is:

A principal is any active entity in a system with access privileges that are in any way distinct from some other component it talks to. Corollary: a principal is defined by its domain of access (the set of things it has access to). Domains of access can, and often do, overlap, but that they are different is what makes a security principal distinct.

This also leads to the definition of attack surface (where principals interact), trust boundaries (the sum of the attack surfaces) and security boundaries (trust boundaries for which the engineers will fight). These are more well-defined than I tend to have, and I think it’s a good set of definitions, or perhaps a good step forward in the discussion if you disagree.

What can go wrong?

His approach adds a much more explicit description of the principals who own elements of the diagram, and several self-check steps (“Ask again if we have all the connections..”). I think of these as part of “did we do a good job?”, and it’s great to integrate such checks on an ongoing basis rather than treating them as a step at the end.

What are we going to do about it?

Here Crispin covers assessing complexity and mitigations. Assessing complexity is an interesting approach — a great many vulnerabilities appear on the most complex interfaces, and I think it’s a useful strategy, similar to ‘easy fixes first’ as a prioritization approach.

He also has “c. Be sure to take a picture of the white board after the team is done describing the system.” “d. Go home and create a threat model diagram.” These are interesting steps, and I think deserve some discussion as to form (I think this is part of ‘what are we working on?’) and function. To function, we already have “a threat model diagram,” and a record of it, in the picture of the whiteboard. I’m nitpicking here for two very specific reasons. First, the implication that what was done isn’t a threat model diagram isn’t accurate, and second, as the agile world likes to ask “why are you doing this work?”

I also want to ask, is there a reason to go from whiteboard to Visio? Also, as Crispin says, he’s not simply transcribing, he’s doing some fairly nuanced technical editing: “Collapse together any nodes that are actually executing as the same security principal.” That means you can’t hand off the work to a graphic designer; you need an expensive security person to re-consider the whiteboard diagram. There are times that’s important: if the diagram will be shown widely across many meetings; if the diagram will go outside the organization, say, to regulators; if the engineering process is waterfall-like.
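To make the definitions quoted above and the “collapse together” editing step concrete, here is a small model written for this page (it is not code from the original post or from Crispin’s article). Nodes of a constructed whiteboard diagram are tagged with the principal they execute as; nodes sharing a principal are collapsed, attack surfaces are the places where distinct principals interact, and a principal’s trust boundary is the sum of its attack surfaces. The “most exposed” ranking uses interaction count as a stand-in for complexity, which is this example’s assumption, not Crispin’s metric.

```python
"""Added example: Cowan's principal / attack-surface / trust-boundary
definitions applied to a constructed whiteboard diagram."""
from collections import defaultdict

# Constructed diagram: node name -> security principal it executes as.
NODES = {
    "web_frontend": "www-data",
    "api_gateway": "www-data",       # same principal as web_frontend
    "order_service": "svc-orders",
    "billing_worker": "svc-orders",  # same principal as order_service
    "postgres": "postgres",
    "browser": "end-user",
}

# Constructed data flows between nodes (treated as undirected here).
FLOWS = [
    ("browser", "web_frontend"),
    ("web_frontend", "api_gateway"),
    ("api_gateway", "order_service"),
    ("order_service", "billing_worker"),
    ("order_service", "postgres"),
    ("billing_worker", "postgres"),
]


def collapse_by_principal(nodes, flows):
    """Collapse nodes executing as the same principal into one node each.

    Returns (principal -> set of original nodes, set of principal-level flows).
    Flows between two nodes of the same principal disappear: no privilege
    distinction is crossed, so they are not an attack surface by definition.
    """
    groups = defaultdict(set)
    for node, principal in nodes.items():
        groups[principal].add(node)
    collapsed = set()
    for a, b in flows:
        pa, pb = nodes[a], nodes[b]
        if pa != pb:
            collapsed.add(frozenset((pa, pb)))
    return dict(groups), collapsed


def attack_surfaces(nodes, flows):
    """Attack surfaces: each pair of distinct principals that interact."""
    _, collapsed = collapse_by_principal(nodes, flows)
    return sorted(tuple(sorted(pair)) for pair in collapsed)


def trust_boundary(principal, nodes, flows):
    """Trust boundary of a principal: the sum of its attack surfaces,
    expressed as the other principals it talks to."""
    return sorted(
        other
        for pair in attack_surfaces(nodes, flows)
        for other in pair
        if principal in pair and other != principal
    )


def most_exposed(nodes, flows):
    """Assumption of this example: rank principals by how many distinct
    principals they interact with, as a coarse proxy for interface complexity."""
    counts = defaultdict(int)
    for a, b in attack_surfaces(nodes, flows):
        counts[a] += 1
        counts[b] += 1
    return max(counts.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    groups, _ = collapse_by_principal(NODES, FLOWS)
    print("Collapsed nodes:", {p: sorted(n) for p, n in groups.items()})
    print("Attack surfaces:", attack_surfaces(NODES, FLOWS))
    print("Trust boundary of svc-orders:", trust_boundary("svc-orders", NODES, FLOWS))
    print("Most exposed principal:", most_exposed(NODES, FLOWS))
```

Six whiteboard nodes collapse to four principals and six flows to three attack surfaces, which is the reduction the “collapse together” step buys before any threat enumeration starts.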

Come together

Crispin says that tools are substitutes for expertise, and that (a? the?) best practice is for a security expert and the engineers to talk. I agree, this is a good way to do it — I also like to train the engineers to do this without security experts each time.

And that brings me to the we/you distinction. Crispin conveys the four question frame in the second person (What are you doing, what did you do about it), and I try to use the first person plural (we; what are we doing). Saying ‘we’ focuses on collaboration, on dialogue, on exploration. Saying ‘you’ frames this as a review, a discussion, and who knows, possibly a fight. Both of us used that frame at a prior employer, and today when I consult, I use it because I’m really not part of the doing team.

That said, I think this was a super-interesting post for the definitions, and for showing the diagram evolution and the steps taken from a whiteboard to a completed, colored diagram.

The image is the frontispiece of Leviathan by Thomas Hobbes, with its famous model of the state, made up of the people.

CoinImp Cryptominer and Fully Qualified Domain Names

We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period).

E.g. “www.example.com”, where “www” is a subdomain, “example” is a second level domain, and “com” is a top-level domain.

However, very few know that there is also a DNS root domain, and that it too can be written explicitly in a fully qualified domain name.

Continue reading CoinImp Cryptominer and Fully Qualified Domain Names at Sucuri Blog.
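The point about the root domain has a practical consequence for anyone matching hostnames against a list: “www.example.com.” (explicit root) and “www.example.com” name the same host, but a plain string comparison treats them as different. The following added example, written for this page and not taken from the Sucuri post, normalises names before comparing them; the domain list it uses is constructed from placeholder names.

```python
"""Added example: FQDN normalisation so an explicit root label (trailing dot)
or letter case cannot slip a hostname past an allowlist or blocklist check."""


def fqdn_labels(name):
    """Split a hostname into labels, dropping the explicit root label
    (the trailing dot) if present and lowercasing for comparison."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]  # the empty root label, written as a trailing dot
    if not name:
        raise ValueError("empty name")
    labels = name.split(".")
    if any(not label for label in labels):
        raise ValueError("empty label in %r" % name)
    return labels


def canonical(name):
    """Canonical form: lowercase, no trailing root dot."""
    return ".".join(fqdn_labels(name))


def same_host(a, b):
    """True when two spellings refer to the same DNS name."""
    return canonical(a) == canonical(b)


# Constructed blocklist of miner hosts (placeholder names, not real IoCs).
BLOCKLIST = ["miner.example.net", "stats.example.org"]


def naive_blocked(name):
    """The flawed check: raw string membership. A trailing dot or a
    capital letter is enough to bypass it."""
    return name in BLOCKLIST


def matches_list(name, domain_list):
    """Hardened check: name equals or is a subdomain of a list entry,
    comparing label lists so that spelling differences do not matter."""
    labels = fqdn_labels(name)
    for entry in domain_list:
        entry_labels = fqdn_labels(entry)
        if len(entry_labels) <= len(labels) and labels[-len(entry_labels):] == entry_labels:
            return True
    return False


if __name__ == "__main__":
    for host in ("miner.example.net", "miner.example.net.", "MINER.Example.NET", "cdn.miner.example.net."):
        print("%-26s naive=%-5s normalised=%s" % (host, naive_blocked(host), matches_list(host, BLOCKLIST)))
```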

CVE-2018-13302 (ffmpeg)

In FFmpeg 4.0.1, improper handling of frame types (other than EAC3_FRAME_TYPE_INDEPENDENT) that have multiple independent substreams in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to a denial of service or possibly unspecified other impact.

CVE-2018-13304 (ffmpeg)

In libavcodec in FFmpeg 4.0.1, improper maintenance of the consistency between the context profile field and studio_profile in libavcodec may trigger an assertion failure while converting a crafted AVI file to MPEG4, leading to a denial of service, related to error_resilience.c, h263dec.c, and mpeg4videodec.c.

CVE-2018-13301 (ffmpeg)

In FFmpeg 4.0.1, due to a missing check of a profile value before setting it, the ff_mpeg4_decode_picture_header function in libavcodec/mpeg4videodec.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service.

CVE-2018-13300 (ffmpeg)

In FFmpeg 4.0.1, an improper argument (AVCodecParameters) passed to the avpriv_request_sample function in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array read while converting a crafted AVI file to MPEG4, leading to a denial of service and possibly an information disclosure.

CVE-2018-13303 (ffmpeg)

In FFmpeg 4.0.1, a missing check for failure of a call to init_get_bits8() in the avpriv_ac3_parse_header function in libavcodec/ac3_parser.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service.

CVE-2018-13305 (ffmpeg)

In FFmpeg 4.0.1, due to a missing check for negative values of the mquant variable, the vc1_put_blocks_clamped function in libavcodec/vc1_block.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to an information disclosure or a denial of service.

Red Hat Security Advisory 2018-2143-01

Red Hat Security Advisory 2018-2143-01 - Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.0.1 serves as an update to Red Hat Decision Manager 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution and denial of service vulnerabilities.

What Security Pros Will Get Out of Our Summer 2018 Virtual Summit

There has been a fundamental shift in the way code is developed in the past 15 to 20 years. Today, developers do far more re-using of existing code than creating code from scratch. Taking advantage of the millions of open source libraries available has become standard operating procedure. And this new model comes with tremendous benefits – both for developers, and for the business – allowing both to move and innovate with unprecedented speed. Ultimately, with everyone creating code this way, it has become a necessary practice in order to remain competitive.

But what about security? Shouldn’t open source code be more secure because it’s got millions of eyeballs on it? The reality is that it’s becoming increasingly clear that the “eyeball theory” is simply not playing out, and that open source code is just as vulnerable as in-house-developed code. In fact, in many ways, open source code is less secure, if you consider that reusable code means reusable vulnerabilities, and that a breach in one piece of open source code has far-reaching implications. And the bad guys know that attacking open source code gives them the most bang for their buck – one breach, millions affected. In addition, with the pace of open source libraries being generated, vulnerabilities are also being generated faster than anyone can keep track of.

How should security professionals approach this new threat landscape? If stopping open source library use is not an option, how do you secure its use? Our Virtual Summit, The Open Source Library Conundrum: Managing Your Risk, coming up at the end of this month, sets out to tackle this complicated and critical issue. We’re gathering experts across and beyond our company to give you advice and tips on all sides of this issue – the problem, the solutions, the process, and the technology. Of note is the keynote speaker for this summit, OWASP founder Mark Curphey. CA Veracode recently acquired Mark’s company SourceClear, which has a groundbreaking approach to open source library security – centered around the idea that the accuracy of your security testing of open source code is critical. For instance, you may be using a vulnerable open source library, but are you using the vulnerable part of that library? This approach and Mark’s expertise will be woven throughout the Summit.

Attend the Summit this summer to get:

  • A better understanding of today’s threat landscape
  • A clear view into the latest approaches toward the open source security problem
  • Practical tips and advice on using open source libraries securely, from both a technology and process perspective
  • A look at how companies are currently managing their open source library risk

Hope you can join us; get more details on the Summit sessions and how to register here.

New Virus Decides If Your Computer Good for Mining or Ransomware

Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations to decide which of the two schemes could be more profitable. While ransomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption

Twitter’s Support of U2F Key Highlights Organizations’ Ongoing Challenges With 2FA

Twitter announced in June 2018 that it will now support the use of a Universal Second Factor (U2F) key for two-factor authentication (2FA). This announcement addresses password logging issues that Twitter and other online services have experienced in recent months.

These problems, which can potentially expose customer login details to staff members and external actors, underscore the importance of providing users with the option to implement some form of 2FA.

But even though Twitter has enabled this security feature, not all users have taken advantage of it — and a portion of those that have are not thrilled about the user experience. It’s up to organizations and online services across all industries to make 2FA more approachable to users.

U2F Aims to Squash Password-Leaking Bugs

Twitter unveiled its support of the Fast Identity Online (FIDO) Alliance’s U2F security key for login verifications as part of a broader effort to combat spam and malicious bots.

According to a recent blog post, the social media giant announced plans to:

  • Make suspicious accounts less visible in metrics;
  • Make it more difficult for cybercriminals to register spam accounts;
  • Challenge suspicious accounts to prove their authenticity; and
  • Expand its malicious behavior detection capabilities.

In the meantime, Twitter urged users to protect their login information with a physical U2F security key.

The announcement came less than two months after Twitter discovered a bug in its password storage process. As noted in a company blog post, the glitch caused users’ passwords to be written to an internal log before the hashing process completed — meaning the passwords were stored in plaintext. In response, Twitter disclosed the vulnerability and notified its nearly 340 million users that they should change their passwords.

The social networking service isn’t the only company that has accidentally recorded users’ passwords in plaintext. GitHub detected a similar, yet unrelated, error around the time of Twitter’s discovery, as reported by Bleeping Computer.

These types of bugs often arise for companies that manage complex software. System Overlord reported that the change of an environment variable could theoretically produce a similar type of flaw, noting that code review can’t detect 100 percent of these errors because “releases are cut all the time with a handful of changes that were reviewed in isolation and occasionally have strange interactions.”
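The log-before-hash bug described above, demonstrated as an added Python example (not Twitter's or GitHub's code): a logging filter that scrubs credential fields from log records whether the secret arrives as a format argument or has already been rendered into the message text. The field names and the sample login request are constructed for the example.

```python
import hashlib
import io
import json
import logging
import os
import re

# Field names whose values must never reach a log sink (constructed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password", "otp", "token"}

# Matches a secret that was already rendered into text, e.g. password=hunter2,
# "password": "hunter2" or 'password': 'hunter2', so f-string and JSON leaks are caught too.
_INLINE_SECRET = re.compile(
    r"(?P<key>[\"']?(?:" + "|".join(sorted(SENSITIVE_KEYS)) + r")[\"']?\s*[:=]\s*)"
    + r"(?P<quote>[\"'])?"
    + r"(?(quote)[^\"']*(?P=quote)|[^\s,\"'}&]*)",
    re.IGNORECASE,
)


def _mask(m):
    quote = m.group("quote") or ""
    return m.group("key") + quote + "[REDACTED]" + quote


def redact(value):
    """Deep-copy value with sensitive dict entries and inline secrets replaced by a marker."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    if isinstance(value, str):
        return _INLINE_SECRET.sub(_mask, value)
    return value


class RedactingFilter(logging.Filter):
    """Scrubs record.msg and record.args so no handler can format a secret into a line."""

    def filter(self, record):
        record.msg = redact(record.msg)
        if record.args:
            record.args = redact(record.args)  # tuple or mapping, both handled
        return True


def simulate_login(request, redacting):
    """Replay the log-before-hash bug and return everything that reached the log sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.Logger("auth.demo", level=logging.DEBUG)  # detached from the root logger
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    # The bug class from the page: the request is logged before the password is hashed.
    logger.debug("login request: %s", json.dumps(request))  # secret travels in args
    logger.debug(f"raw form: {request}")                     # secret already inside msg
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", request["password"].encode(), salt, 100_000)
    logger.info("user=%s credential hashed (%d bytes)", request["username"], len(digest))
    return sink.getvalue()


if __name__ == "__main__":
    sample = {"username": "alice", "password": "hunter2-Constructed"}
    print("--- without filter ---\n" + simulate_login(sample, redacting=False))
    print("--- with filter ---\n" + simulate_login(sample, redacting=True))
```

The filter is a safety net, not a substitute for never passing the raw request object to a logger in authentication code.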

2FA Is Met With Resistance

Despite the security benefits, not all users see the utility of 2FA, and even those who have adopted the technology frequently bemoan the user experience. In fact, seven out of eight users who participated in a recent survey cited inconvenience as the main reason for disabling 2FA.

According to a recent Duo Labs report, State of the Auth: Experiences and Perceptions of Multi-Factor Authentication, just 28 percent of users said they use two-factor authentication, and only about half of those users (54 percent) said they had implemented the control voluntarily. As a result, it’s not surprising that SecureAuth found that 74 percent of IT decision-makers have received complaints from 2FA users, with 10 percent stating they “hate it.”

Adapting Authentication to User Needs

To strike a proper balance between security and a streamlined customer experience, companies should consider investing in silent identity and access management (IAM) solutions that work in the background to verify users without adding steps to the authentication process. These systems offer features such as single sign-on (SSO) for the one-password logins users expect and user self-service capabilities for password resets, interrupting the user experience only when malicious activity is detected.

For companies that rely on 2FA to verify user identities, security professionals and business executives must lead by example and enable these controls wherever possible, even if the corporate policy doesn’t require it. These and other identity protection measures are crucial to protect enterprise data from fraudsters looking to exploit stolen credentials.

The post Twitter’s Support of U2F Key Highlights Organizations’ Ongoing Challenges With 2FA appeared first on Security Intelligence.

California Corporation Settles FTC Complaint Regarding EU-U.S. Privacy Shield Compliance Claim

On July 2, 2018, the Federal Trade Commission announced that California company ReadyTech Corporation (“ReadyTech”) agreed to settle FTC allegations that ReadyTech misrepresented it was in the process of being certified as compliant with the EU-U.S. Privacy Shield (“Privacy Shield”) framework for lawfully transferring consumer data from the European Union to the United States.

To join the Privacy Shield, companies must self-certify to the U.S. Department of Commerce compliance with the Privacy Shield Principles and related requirements. The FTC’s administrative complaint against ReadyTech alleged that ReadyTech, which provides online and instructor-led training, falsely claimed on its website to be in the process of complying with the Privacy Shield. The reality, according to the FTC, is that ReadyTech had begun but failed to complete the process.

This is the FTC’s fourth case enforcing the Privacy Shield. ReadyTech’s settlement agreement provides, in part, that ReadyTech will not misrepresent its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization.

IDG Contributor Network: The ostrich security strategy is now very risky

Some potential buyers of security technologies may decline to purchase technologies that detect data breaches because if they don’t know of a breach, they believe they can avoid penalties under the recent regulations, GDPR and the new California Consumer Privacy Act. Such a strategy dooms companies to major breaches and potentially massive fines. Ostrich-minded security, an unintended consequence of GDPR and CCPA, increases cyber risk.

California’s new privacy law

The first step in GDPR-like policies impacting the U.S. is the California Consumer Privacy Act of 2018, which will undoubtedly have a huge impact on tech companies that must now adequately address consumer privacy concerns. Any business that transacts with people, online or offline, is now responsible for changing its relationship with customers, for the better. That act has three core pillars: anyone can opt out of having their data shared or sold, everyone has a fundamental right to know where their personal data is and with whom it is shared, and all have protection from companies who inadequately protect their data.

To read this article in full, please click here

A Closer Look at Security’s Role in a DevSecOps Organization

In February, we hosted a virtual summit titled “Assembling the Pieces of the DevSecOps Puzzle.” The goal of the summit was to provide organizations with tools and information to implement a DevSecOps strategy in their organization—and make the shift from theory into practice. 

In his educational webinar at the summit, Chris Wysopal—CA Veracode’s CTO and co-founder—tackles an important, practical question head-on: If AppSec is shifting left, and the responsibility of testing security now belongs to developers, what does this mean for the security team?

First, it is important to note that DevSecOps does not shift all security responsibility onto the development team. Instead, it requires that the teams integrate “so that they’re working together as one team as opposed to a separate team [development] with an audit function [security],” noted Wysopal.

Therefore, security teams need to shift their thinking and start acting as “builders,” rather than “breakers.” They need to work to integrate security into development, instead of fixing it after the fact. This requires educating developers, forming open means of communication between the teams, and, most importantly, automating as much as possible so that it does not burden development teams.

Automate or batch

Automation is key to shifting security testing left into development. You need to keep developers moving forward, not asking them to stop coding to open another tool and start scanning. But what about testing that simply can’t be automated? For activities such as manual testing and threat modeling, make sure you take them out of band from the DevOps pipeline – you don’t want to create gates that hold up the build. Additionally, conduct manual processes in small batch sizes so they don’t hold things up for extended periods of time. For example, conduct threat modeling on a piece of software, rather than the whole application. Or manually test just the pieces of the code that need it, for example, a password reset mechanism.

Keep in mind that, not only do you want to help developers find the problems, you want to enable strategies for them to fix the vulnerabilities and errors found. You can do this by creating guidelines, checklists, and recipe-style formats so developers know what to do in a particular situation. This way, developers have the necessary information on hand and do not need to waste time calling and searching for help.  

Create security champions

Wysopal also discussed the importance of “security champions,” which Sonali Shah, VP of Product Strategy at CA Veracode, discussed in her summit webinar. Security champions play an increasingly important role with the rise of DevSecOps and the shifting left of security. The security champion acts as a security ambassador on the development team, maintaining consistent communication and knowledge sharing between both groups. In a poll conducted during the webinar, Wysopal found that most AppSec security advisors oversee nearly 200 developers, so it is evident that security officers need liaisons and well-trained security specialists to relay important information.

Have developer empathy

If the security team is going to start working more closely with the development team, they need a better understanding of what developers do. To effectively develop relationships between the development and security teams, Wysopal emphasized the importance of having developer empathy. Essentially, security should understand developers’ goals, incentives, and, most importantly, struggles. This way, security can understand what motivates developers and how to properly integrate security so as to maintain their culture and deadlines.

The security/development relationship still a struggle

At the end of the webinar, Wysopal answered questions from viewers that were very revealing in terms of what organizations are struggling with in the shift toward DevSecOps:

How do I foster a relationship between security and engineering?

Be united: Meet with counterparts and think of yourselves as one team.

Have empathy: What is the other team struggling with? What are the other team’s goals?

Shared accountability: Set common goals and hold each other to them.

What if my security officers don’t want to work with my developers?

Be clear; working with developers is a mandatory part of their role.

Vocalize benefits: It is better for their career going forward since they will gain a breadth of skills, understanding, and experiences.

How do I get my overworked AppSec experts to prioritize helping DevOps teams?

Security champions: Build this program quickly and effectively to alleviate some of the responsibility from overworked security officers.

Listen to Chris Wysopal’s full talk here.

CVE-2018-8928 (carddav_server)

Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter.

Recent Extortion Scam Highlights the Need to Address Lingering WannaCry Risks

Law enforcement agencies recently discovered a spam campaign that leverages the threat of WannaCry to extort unsuspecting users, once again highlighting the need for organizations to patch systems and address lingering risks that make them susceptible to ransomware.

Investigators analyzed 300 reports of the campaign between June 21 and 22, 2018, and found that the attackers attempted to cause panic by warning recipients that their devices had been infected with the devastating crypto-ransomware. This same ransomware struck organizations in more than 100 countries in May 2017.

The spam messages claimed the attackers would delete every piece of data on the infected devices sometime during the evening of June 22, 2018. The only way victims could save their data, according to the malicious emails, was to pay 0.1 bitcoin — roughly $650 — to an attacker-controlled wallet and notify the threat group of payment by a certain time on that date.

An Empty Threat Offers a Pregnant Warning

Action Fraud, the U.K. national fraud and cybercrime reporting center that observed the campaign, explained that the emails are in reality a phishing exercise in that they spread fear — nothing more. But although this particular spam campaign doesn’t actually drop WannaCry, it’s conceivable that another operation could.

Supporting this notion is the fact that organizations are not automatically safe from WannaCry just because of the existence of the kill switch. Security firm Kryptos Logic observed approximately 100 million connection attempts from 2.7 million unique IP addresses over the kill switch in March 2018. This discovery indicates that the ransomware attempted to connect to the kill switch domain from millions of infected computers in order to proceed with encryption. It failed because of the registration of the kill switch, but it’s clear that WannaCry is still infecting machines and, by extension, trying to deny users and organizations access to their own data.

“We estimate a wide variety of hundreds of thousands of untreated and dormant Microsoft Windows infections maintain a foothold and are responsible for the residual and continued propagation of WannaCry, which by our data set analysis and estimates reach several (potentially tens of) million systems through an ebb and flow infection cycle every month,” the researchers explained.

The firm then presented scenarios in which the ransomware could still theoretically infect a company. In one scenario, an asset that’s still vulnerable to the EternalBlue Server Message Block (SMB) exploit could lay the foundation for an attack in the presence of dormant infection. Another involves a network segmentation failure.

Tips to Keep WannaCry at Bay

The bottom line: WannaCry still poses a threat to organizations. To mitigate the risk, organizations should scan their environments for vulnerable SMB services and monitor their endpoints for indicators of compromise associated with the ransomware. Users should also continuously update their antivirus software, avoid engaging with fraudsters over email and report suspicious messages to law enforcement.

The post Recent Extortion Scam Highlights the Need to Address Lingering WannaCry Risks appeared first on Security Intelligence.

While no one was looking, California passed its own GDPR

The European Union’s General Data Protection Regulation (GDPR) is widely viewed as a massively expensive and burdensome privacy regulation that can be a major headache and pitfall for American firms doing business in Europe. Many firms, including Facebook, have sought ways around the law to avoid having to deal with the burden of compliance.

Well, there is no weaseling out now. Last week, with no fanfare, California Governor Jerry Brown signed into law AB375, the California Consumer Privacy Act of 2018, the California equivalent of GDPR that mirrors the EU law in many ways.

To read this article in full, please click here

Irish Retailer Reveals It Was Affected by International Data Breach

An Irish retailer revealed that an international data breach might have exposed some of its customers’ personal information. On 4 July, Harvey Norman Ireland sent out a letter to customers informing them of the incident. Its correspondence didn’t disclose the number of customers potentially affected by the breach. But it did identify the types of […]… Read More

The post Irish Retailer Reveals It Was Affected by International Data Breach appeared first on The State of Security.

To crypt, or to mine – that is the question

Way back in 2013 our malware analysts spotted the first malicious samples related to the Trojan-Ransom.Win32.Rakhni family. That was the starting point for this long-lived Trojan family, which is still functioning to this day. During that time the malware writers have changed:

  • the way their Trojans get keys (from locally generated to received from the C&C);
  • the algorithms used (from using only a symmetric algorithm, through a commonly used scheme of symmetric + asymmetric, to 18 symmetric algorithms used simultaneously);
  • the crypto-libraries (LockBox, AESLib, DCPcrypt);
  • the distribution method (from spam to remote execution).

Now the criminals have decided to add a new feature to their creation – a mining capability. In this article we describe a downloader that decides how to infect the victim: with a cryptor or with a miner.

Distribution

Geography of attacks

Geography of Trojan-Downloader.Win32.Rakhni

Top five countries attacked by Trojan-Downloader.Win32.Rakhni (ranked by percentage of users attacked):

Rank Country %*
1 Russian Federation 95.57%
2 Kazakhstan 1.36%
3 Ukraine 0.57%
4 Germany 0.49%
5 India 0.41%

* Percentage of unique users attacked in each country by Trojan-Downloader.Win32.Rakhni, relative to all users attacked by this malware

Infection vector

As far as we know, spam campaigns are still the main way of distributing this malware.

Email with malicious attachment

After opening the email attachment, the victim is prompted to save the document and enable editing.

Attached Word document

The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable.

UAC window shown before the Trojan starts

Downloader

General information

The downloader is an executable file written in Delphi. To complicate analysis, all strings inside the malware are encrypted with a simple substitution cipher.

After execution, the downloader displays a message box with an error text. The purpose of this message is to explain to the victim why no PDF file opened.

Fake error message

To hide the presence of the malicious software in the system the malware developer made their creation look like the products of Adobe Systems. This is reflected in the icon, the name of the executable file and the fake digital signature that uses the name Adobe Systems Incorporated. In addition, before installing the payload the downloader sends an HTTP request to the address www.adobe.com.

Environment checks

After the message box is closed the malware performs a number of checks on the infected machine:

  • Self path check
    • The name should contain the substring AdobeReader
    • The path should contain one of the following substrings:
      • \TEMP
      • \TMP
      • \STARTUP
      • \CONTENT.IE
  • Registry check
    • Checks that the registry value HKCU\Software\Adobe\DAVersion does not exist; if it does not, the malware creates the value HKCU\Software\Adobe\DAVersion = True and continues its work

  • Running processes check
    • Checks that the count of running processes is greater than 26
    • Checks that none of the processes listed in the table below are present.
alive.exe filewatcherservice.exe ngvmsvc.exe sandboxierpcss.exe
analyzer.exe fortitracer.exe nsverctl.exe sbiectrl.exe
angar2.exe goatcasper.exe ollydbg.exe sbiesvc.exe
apimonitor.exe GoatClientApp.exe peid.exe scanhost.exe
apispy.exe hiew32.exe perl.exe scktool.exe
apispy32.exe hookanaapp.exe petools.exe sdclt.exe
asura.exe hookexplorer.exe pexplorer.exe sftdcc.exe
autorepgui.exe httplog.exe ping.exe shutdownmon.exe
autoruns.exe icesword.exe pr0c3xp.exe sniffhit.exe
autorunsc.exe iclicker-release.exe.exe prince.exe snoop.exe
autoscreenshotter.exe idag.exe procanalyzer.exe spkrmon.exe
avctestsuite.exe idag64.exe processhacker.exe sysanalyzer.exe
avz.exe idaq.exe processmemdump.exe syser.exe
behaviordumper.exe immunitydebugger.exe procexp.exe systemexplorer.exe
bindiff.exe importrec.exe procexp64.exe systemexplorerservice.exe
BTPTrayIcon.exe imul.exe procmon.exe sython.exe
capturebat.exe Infoclient.exe procmon64.exe taskmgr.exe
cdb.exe installrite.exe python.exe taslogin.exe
cff explorer.exe ipfs.exe pythonw.exe tcpdump.exe
clicksharelauncher.exe iprosetmonitor.exe qq.exe tcpview.exe
closepopup.exe iragent.exe qqffo.exe timeout.exe
commview.exe iris.exe qqprotect.exe totalcmd.exe
cports.exe joeboxcontrol.exe qqsg.exe trojdie.kvp
crossfire.exe joeboxserver.exe raptorclient.exe txplatform.exe
dnf.exe lamer.exe regmon.exe virus.exe
dsniff.exe LogHTTP.exe regshot.exe vx.exe
dumpcap.exe lordpe.exe RepMgr64.exe winalysis.exe
emul.exe malmon.exe RepUtils32.exe winapioverride32.exe
ethereal.exe mbarun.exe RepUx.exe windbg.exe
ettercap.exe mdpmon.exe runsample.exe windump.exe
fakehttpserver.exe mmr.exe samp1e.exe winspy.exe
fakeserver.exe mmr.exe sample.exe wireshark.exe
Fiddler.exe multipot.exe sandboxiecrypto.exe xxx.exe
filemon.exe netsniffer.exe sandboxiedcomlaunch.exe ZID Updater File Writer Service.exe
  • Computer name check
    • The name of the computer shouldn’t contain any of the following substrings:
      • -MALTEST
      • AHNLAB
      • WILBERT-
      • FIREEYES-
      • CUCKOO
      • RSWT-
      • FORTINET-
      • GITSTEST
    • Calculates an MD5 digest of the computer name in lower case and compares it with a hundred blacklisted values
  • IP address check
    • Obtains the external IP address of the machine and compares it with hardcoded values

  • Virtual machine check
    • Checks that the following registry keys don’t exist:
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
      • HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
      • HKLM\SYSTEM\ControlSet002\Enum\VMBUS
      • HKLM\HARDWARE\ACPI\DSDT\VBOX
      • HKLM\HARDWARE\ACPI\DSDT\VirtualBox
      • HKLM\HARDWARE\ACPI\DSDT\Parallels Workstation
      • HKLM\HARDWARE\ACPI\DSDT\PRLS
      • HKLM\HARDWARE\ACPI\DSDT\Virtual PC
      • HKLM\HARDWARE\ACPI\SDT\AMIBI
      • HKLM\HARDWARE\ACPI\DSDT\VMware Workstation
      • HKLM\HARDWARE\ACPI\DSDT\PTLTD
      • HKLM\SOFTWARE\SandboxieAutoExec
      • HKLM\SOFTWARE\Classes\Folder\shell\sandbox
    • Checks that the following registry values don’t exist:
      • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\OpenGLDrivers\VBoxOGL\Dll=VBoxOGL.dll
      • HKLM\SYSTEM\CurrentControlSet\services\Disk\Enum\0=Virtual
      • HKLM\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName=VirtualBox
    • Checks that none of the processes listed in the table below are present.
prlcc.exe VGAuthService.exe vmsrvc.exe vmware-tray.exe
prltools.exe vmacthlp.exe vmtoolsd.exe vmware-usbarbitrator.exe
SharedIntApp.exe vmicsvc.exe vmusrvc.exe vmware-usbarbitrator64.exe
TPAutoConnect.exe vmnat.exe vmware-authd.exe vmwaretray.exe
TPAutoConnSvc.exe vmnetdhcp.exe vmware-converter-a.exe vmwareuser.exe
VBoxService.exe vmount2.exe vmware-converter.exe xenservice.exe
VBoxTray.exe VMRemoteGuest.exe vmware-hostd.exe

If at least one of the performed checks fails, the downloader ends the process.

Installation of certificates

The downloader installs a root certificate that’s stored in its resources. All downloaded malicious executables are signed with this certificate. We have found fake certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated.

Fake Microsoft Corporation certificate

Fake Adobe Systems Incorporated certificate

Certificates are installed using the standard utility CertMgr.exe that’s also stored in the downloader’s resources.

Resources contained in the downloader executable file

Before installing the certificate, the downloader drops the necessary files from the resources to the %TEMP% directory.

Fake certificate and CertMgr.exe utility

It then executes the following command:

CertMgr.exe -add -c 179mqn7h0c.cer -s -r localMachine root

The main decision

The decision to download the cryptor or the miner depends on the presence of the folder %AppData%\Bitcoin. If the folder exists, the downloader decides to download the cryptor. If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component, which is described below in the corresponding part of the article.

Cryptor decision

The Trojan downloads a password-protected archive that contains a cryptor module. The archive will be downloaded to the startup directory (C:\Documents and Settings\username\Start Menu\Programs\Startup) and then the downloader will unpack it using the command line WinRAR tool. The cryptor executable will have the name taskhost.exe.

After execution, the cryptor performs an environment check like the installer; in addition, it will check that it’s running after the downloader decision (by checking the registry value HKCU\Software\Adobe\DAVersion is present).

Interestingly, the cryptor only starts working if the system has been idle for at least two minutes. Before encrypting files, the cryptor terminates the following processes:

1cv7s.exe Foxit Advanced PDF Editor.exe mspaint.exe soffice.exe
1cv8.exe Foxit Phantom.exe mysqld.exe sqlservr.exe
1cv8c.exe Foxit PhantomPDF.exe NitroPDF.exe sqlwriter.exe
7zFM.exe Foxit Reader.exe notepad.exe STDUViewerApp.exe
acad.exe FoxitPhantom.exe OUTLOOK.EXE SumatraPDF.exe
Account.EXE FoxitReader.exe PDFMaster.exe thebat.exe
Acrobat.exe FreePDFReader.exe PDFXCview.exe thebat32.exe
AcroRd32.exe gimp-2.8.exe PDFXEdit.exe thunderbird.exe
architect.exe GSmeta.exe pgctl.exe ThunderbirdPortable.exe
bricscad.exe HamsterPDFReader.exe Photoshop.exe VISIO.EXE
Bridge.exe Illustrator.exe Picasa3.exe WebMoney.exe
CorelDRW.exe InDesign.exe PicasaPhotoViewer.exe WinDjView.exe
CorelPP.exe iview32.exe postgres.exe WinRAR.exe
EXCEL.EXE KeePass.exe POWERPNT.EXE WINWORD.EXE
fbguard.exe Magnat2.exe RdrCEF.exe wlmail.exe
fbserver.exe MSACCESS.EXE SmWiz.exe wordpad.exe
FineExec.exe msimn.exe soffice.bin xnview.exe

In addition, if there is no avp.exe process running, the cryptor removes volume shadow copies.

The cryptor encrypts files with the following extensions:

“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”, “.ashbak”, “.backup”, “.bck”, “.bdb”, “.bk1”, “.bkc”, “.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”, “.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”, “.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”, “.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”, “.p7c”, “.pem”, “.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”, “.pdf”, “.doc”, “.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”, “.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”, “.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”, “.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”, “.pab”, “.oab”, “.psd”, “.psb”, “.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”, “.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”, “.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”, “.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”, “.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”, “.end”, “.eog”, “.erb”, “.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”, “.repx”, “.oxps”, “.dot”.

After encryption the file extension will be changed to .neitrino.

Files are encrypted using an RSA-1024 encryption algorithm. The information necessary to decrypt the files is sent to the attacker by email.

In each encrypted directory, the cryptor creates a MESSAGE.txt file with the following contents:

Ransom note

Miner decision

The downloading process of the miner is the same except for the downloading folder – the miner is saved to the path %AppData%\KB<8_random_chars>, where <8_random_chars>, as the name suggests, is a string constructed from alphanumeric characters [0-9a-z].

After downloading and unpacking the archive with the miner, the Trojan does the following:

  • Firstly, it generates a VBS script that will be launched after an OS reboot. The script has the name Check_Updates.vbs. This script contains two commands for mining:
    • the first command will start a process to mine the cryptocurrency Monero;
    • the second command will start a process to mine the cryptocurrency Monero Original. The name of the subfolder where the executable should be located (cuda) may indicate that this executable will use the GPU power for mining.

Content of the Check_Updates.vbs file

  • Then, if there is a file named %AppData%\KB<8_random_chars>\svchost.exe, the Trojan executes it to mine the cryptocurrency Dashcoin.

Process for mining the Dashcoin cryptocurrency

When this analysis was carried out, the downloader was receiving an archive with a miner that didn’t use the GPU. The attacker uses the console version of the MinerGate utility for mining.

Checking the utility for mining

In order to disguise the miner as a trusted process, the attacker signs it with a fake Microsoft Corporation certificate and names the executable svchost.exe.

Disabling of Windows Defender

Regardless of whether the cryptor or the miner was chosen, the downloader checks if one of the following AV processes is launched:

360DocProtect.exe, 360webshield.exe, AvastSvc.exe, AvastUI.exe, avgcsrva.exe, avgemca.exe, avgidsagent.exe, avgnsa.exe, avgnt.exe, avgrsa.exe, avgrsx.exe, avguard.exe, avgui.exe, avgwdsvc.exe, Avira.OE.ServiceHost.exe, Avira.OE.Systray.exe, Avira.ServiceHost.exe, Avira.Systray.exe, avp.exe, ccApp.exe, ccSvcHst.exe, Dumpuper.exe, dwengine.exe, dwnetfilter.exe, dwservice.exe, dwwatcher.exe, egui.exe, ekrn.exe, kav.exe, LUALL.exe, LuComServer.exe, McCSPServiceHost.exe, McPvTray.exe, McSACore.exe, mcshield.exe, McSvHost.exe, McUICnt.exe, mcupdate.exe, ProtectionUtilSurrogate.exe, QHActiveDefense.exe, QHSafeTray.exe, QHWatchdog.exe, Rtvscan.exe, SMC.exe, SMCgui.exe, spideragent.exe, SymCorpUI.exe

If no AV process was found in the system, the Trojan will run several cmd commands that will disable Windows Defender in the system:

  • cmd /C powershell Set-MpPreference -DisableRealtimeMonitoring $true
  • cmd /C powershell Set-MpPreference -MAPSReporting 0
  • cmd /C powershell Set-MpPreference -SubmitSamplesConsent 2
  • taskkill /IM MSASCuiL.exe
  • cmd /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  • cmd /C REG ADD HKCU\Software\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  • cmd /C REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v AllowFastServiceStartup /t REG_DWORD /d 0 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v ServiceKeepAlive /t REG_DWORD /d 0 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableIOAVProtection /t REG_DWORD /d 1 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
  • cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration /v NotificationSuppress /t REG_DWORD /d 1 /f
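The command list above is what a defender can key on in process-creation telemetry. The following is an added example, not code from the report or from Kaspersky: regex rules for the Defender-tampering command lines, run over constructed Sysmon-style log lines, with a simple chain check because one Set-MpPreference call on its own can be legitimate administration; rule names, sample lines and the threshold are my own.

```python
import re

# Added example, not code from the report: regex detections for the Defender
# tampering command lines listed above, run over constructed process-creation
# log lines. Rule names, the sample lines and the threshold are my own.
RULES = {
    "mppreference_disable": re.compile(
        r"Set-MpPreference\s+-(?:DisableRealtimeMonitoring\s+\$true"
        r"|MAPSReporting\s+0|SubmitSamplesConsent\s+2)", re.I),
    "defender_policy_regadd": re.compile(
        r"REG\s+ADD\s+\"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender", re.I),
    "securityhealth_autorun_deleted": re.compile(
        r"REG\s+DELETE\s+HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        r"\s+/v\s+SecurityHealth", re.I),
    "explorer_security_ui_hidden": re.compile(
        r"REG\s+ADD\s+HKCU\\.*Policies\\.*Explorer\s+/v\s+"
        r"(?:HideSCAHealth|DisableNotificationCenter)", re.I),
    "defender_tray_killed": re.compile(r"\btaskkill\b.*\bMSASCuiL\.exe", re.I),
}

def classify(cmdline):
    """Return the set of rule names matched by one process command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def scan(log_lines):
    """Map line index -> matched rules; lines without a hit are omitted."""
    hits = {}
    for i, line in enumerate(log_lines):
        matched = classify(line)
        if matched:
            hits[i] = matched
    return hits

def is_tamper_chain(hits, min_distinct=3):
    """One Set-MpPreference call can be admin work; several distinct rules
    firing in one batch match the sequence the downloader runs."""
    seen = set().union(*hits.values()) if hits else set()
    return len(seen) >= min_distinct

# Constructed sample command lines (Sysmon-style), not real telemetry.
SAMPLE_LOG = [
    "cmd /C powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "cmd /C powershell Set-MpPreference -MAPSReporting 0",
    "taskkill /IM MSASCuiL.exe",
    r"cmd /C REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f",
    r"cmd /C REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    r"cmd /C REG ADD HKCU\Software\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f",
    "powershell Get-MpPreference",  # benign: no rule should fire
]
```

Calling scan(SAMPLE_LOG) flags the first six lines and is_tamper_chain() returns True for that batch, while a lone Set-MpPreference line stays below the threshold.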

Sending the statistics

During their operation the downloader and cryptor modules send emails with statistics to a hardcoded address. These messages contain information about the current state of infection and other details such as:

  • computer name;
  • victim IP address;
  • path of malware in the system;
  • current date and time;
  • malware build date.

The downloader sends the following states:

  • Hello Install: sent after the cryptor or miner is downloaded
  • Hello NTWRK: sent after the downloader attempts to spread through the victim’s network
  • Error: sent if something goes wrong; contains the error code value

The cryptor sends the following states:

  • Locked: shows that the cryptor was launched
  • Final: shows that the cryptor has ended the encryption process

Another interesting fact is that the downloader also has some spyware functionality – its messages include a list of running processes and an attachment with a screenshot.

Worm component

As one of its last actions the downloader tries to copy itself to all the computers in the local network. To do so, it runs the system command ‘net view /all’, which returns all the shares, and then creates the list.log file containing the names of computers with shared resources. For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user.

Self-deleting

Before shutting down the malware creates a batch file that deletes all ‘temporary’ files created during the infection process. This is a common practice for malware. The thing that interested us was the use of the Goto label ‘malner’. Perhaps this is a portmanteau of the words ‘malware’ and ‘miner’ used by the criminal.

Content of the svchost.bat file

Detection verdicts

Our products detect the malware described here with the following verdicts:

  • Downloader: Trojan-Downloader.Win32.Rakhni.pwc
  • Miner: not-a-virus:RiskTool.Win32.BitCoinMiner.iauu
  • Cryptor: Trojan-Ransom.Win32.Rakhni.wbrf

In addition, all the malware samples are detected by the System Watcher component.

IoCs

Malicious document: 81C0DEDFA5CB858540D3DF459018172A

Downloader: F4EC1E3270D62DD4D542F286797877E3

Miner: BFF4503FF1650D8680F8E217E899C8F4

Cryptor: 96F460D5598269F45BCEAAED81F42E9B

URLs

hxxp://protnex[.]pw

hxxp://biserdio[.]pw

Fortnum and Mason hacked, 23,000 customers affected

Fortnum & Mason is an upmarket department store in London with many branches in different states. A cyber attack has led to a huge customer information leak from the website, putting the data of 23,000 customers at risk.

Department stores getting hacked is nothing new, but this is one of the biggest hacks of this year, involving a well-known department store famous for its hampers and links to royalty.

The 311-year-old retailer said that for the majority of people only their email address has been exposed; however, the home addresses, phone numbers and social media handles of a few customers have also been accessed. The good news is that no financial information was included.

Data had been gathered through marketing initiatives, surveys, competitions and voting activity such as the Fortnum & Mason food and drink awards’ TV personality of the year. The poll had been organised by the specialist survey and voting company Typeform. Smaller numbers had their details hacked after they entered a Fortnum-run competition for tickets to an exhibition of Charles I’s art collection or filled in a survey on the Piccadilly store’s concierge service.

Fortnum & Mason chief executive Ewan Venters told the Standard: “As soon as we were alerted over the weekend we spent time with Typeform looking at what exactly could be at risk. Thankfully it’s mostly limited to email addresses. There’s no impact on the core systems at Fortnum or highly sensitive information like bank details.

Typeform is a company that conducts surveys via online forms. A third party hacked into its database and downloaded information; however, the company says it has fixed the breach.

“I want to stress that there’s no concern about any banking information or credit card data. We have very vigorous pressure testing on core Fortnum & Mason data services.” The hackers are thought to have accessed Typeform’s backup file. As soon as the breach was detected the link between Fortnum and Typeform was shut down. Mr Venters insisted there was “no suggestion Typeform is not a good, reputable company”.

Samsung phones sending user’s private photos to random contacts


Samsung's privacy record took a huge setback when threads on Reddit describing the plight of Samsung users saw an upsurge in the past few days.
Troubled Samsung users have been writing to the company's complaint forums and on Reddit about a phone glitch that, by the sound of it, is one of the most potent threats there are to an individual's privacy.
Reportedly, the default text messaging app built into the Galaxy S9, S9+ and Note 8 handsets has been randomly sending pictures from users' galleries and prematurely sent texts to their contacts without their consent; moreover, the whole action takes place without leaving any trace of the sent messages.
Only when the receiver responds after acknowledging the received content is the victimized user made aware of the mishap.
Upon closer inspection of the online complaints by T-Mobile customers who recently updated Samsung Messages, it is plausibly deduced that the infamous bug may be a consequence of the RCS (Rich Communication Services) updates. These updates are supposed to enhance the overall texting experience by adding features like read reports, group chat, video and GIF support, and file and location sharing. As several complaints were about photos being randomly sent to family members, it is likely that the bug affects shared plans.
To ease the concern of their devoted users, Samsung said: "We are aware of the reports regarding this matter and our technical teams are looking into it." Users are welcome to contact Samsung directly at 1-800-SAMSUNG to seek assistance.
As an immediate workaround, users can either switch to an alternative texting app or revoke Samsung Messages' permission to access phone storage. Users are advised to rely on these measures until Samsung resolves the bug.
A Reddit user confirms the reliance on alternatives for texting: "Just an FYI, I have an S9+ on T-Mobile, this has not happened to me (at least to my knowledge) and I see nothing unusual in my logs from T-Mobile. I do not use the Samsung messaging app, I use Google's. My Samsung messages app was updated, however, and I thought it was weird when I woke up and it was asking for access to storage out of the blue. I have all permissions for the Messages app off."