Author Archives: Pierluigi Paganini

Google tracks users’ movements even if they have disabled the “Location History” on devices

According to the AP, many Google services on both Android and iPhone store records of user location even if the users have disabled the “Location History”.

According to a recent investigation conducted by the Associated Press, many Google services on both Android and iPhone devices store records of user location data, and the bad news is that they do it even if the users have disabled the “Location History” on devices.

When a user disables the “Location History” from the privacy settings of Google applications, he should prevent Google from stole location data.

Currently, the situation is quite different, experts from AP discovered that even when users have turned off the Location History, some Google apps automatically store “time-stamped location data” without explicit authorization.

“Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it .)” reads the post published by AP.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,”

“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

The AP has used location data from an Android smartphone with ‘Location History’ disabled to desing a map of the movements of Princeton postdoctoral researcher Gunes Acar.

Location History

 

Data plotted on the map includes records of Dr. Acar’s train commute on two trips to New York and visits to the High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem other markers on the map, including Acar’s home address.

“The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.” continues the AP.

Google replied to the study conducted by the AP with the following statement:

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web, and App Activity, and through device-level Location Services. We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.” states Google.

Jonathan Mayer, a Princeton researcher and former chief technologist for the FCC’s enforcement bureau, remarked that location history data should be disabled when the users switch off’ the Location History,

“If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off. That seems like a pretty straightforward position to have.”

The good news is it is possible to stop Google from collecting your location, it is sufficient to turn off the “Web and App Activity” setting, anyway, Google will continue to store location markers.

Open your web browser, go to myactivity.google.com, select “Activity Controls” and now turn off the “Web & App Activity” and “Location History. features”

For Android Devices:
Go to the “Security & location” setting, select “Privacy”, and tap “Location” and toggle it off.

For iOS Devices:
Google Maps users can access Settings → Privacy Location Services and change their location setting to ‘While Using’ the app.

Pierluigi Paganini

(Security Affairs – Location Data, Google)

The post Google tracks users’ movements even if they have disabled the “Location History” on devices appeared first on Security Affairs.

Security Affairs: ICS-CERT warns of critical flaws in NetComm industrial routers

Security researcher has found two critical vulnerabilities in the industrial routers manufactured by the Australian company NetComm Wireless.

Security researcher Aditya K. Sood has found two critical vulnerabilities in the industrial routers manufactured by the Australian company NetComm Wireless that can be exploited remotely to take control of affected devices. The affected models are NetComm 4G LTE Light industrial M2M routers running firmware version 2.0.29.11 and prior.

Sood reported the flaws to the ICS-CERT in October 2017.

NetComm industrial routers.jpg

The CSRF and XSS flaws have been classified by as “critical,” while the information disclosure issues have been classified as “high severity.”The ICS-CERT published a security advisory that warns of four vulnerabilities that affect the industrial routers. The issues tracked with CVE identifiers CVE-2018-14782 through CVE-2018-14785, are an Information Exposure, a Cross-site Request Forgery, a Cross-site Scripting, an Information Exposure through Directory Listing.

The cross-site request forgery condition could be triggered by a remote attacker to change passwords of the device.

“When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.” reads the security advisory.

The Netcomm industrial routers are vulnerable to several cross-site scripting attacks, a remote attacker can carry out them to run arbitrary code on the device.

“The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.” states the advisory.

The XSS vulnerability is tied with the failure of the application hosted on the embedded web server to filter and sanitize the input.

Another flaw is an Information Exposure Through Directory Listing that could be triggered by an attacker to gain the complete index of all the resources located inside of the directory.

The last issue is an information disclosure issue that can be exploited by an attacker to obtain details on the router’s components.

NetComm has released a firmware update that addresses the security vulnerabilities in mid-May 2018.

Pierluigi Paganini

(Security Affairs – NetComm industrial router, hacking)

The post ICS-CERT warns of critical flaws in NetComm industrial routers appeared first on Security Affairs.



Security Affairs

ICS-CERT warns of critical flaws in NetComm industrial routers

Security researcher has found two critical vulnerabilities in the industrial routers manufactured by the Australian company NetComm Wireless.

Security researcher Aditya K. Sood has found two critical vulnerabilities in the industrial routers manufactured by the Australian company NetComm Wireless that can be exploited remotely to take control of affected devices. The affected models are NetComm 4G LTE Light industrial M2M routers running firmware version 2.0.29.11 and prior.

Sood reported the flaws to the ICS-CERT in October 2017.

NetComm industrial routers.jpg

The CSRF and XSS flaws have been classified by as “critical,” while the information disclosure issues have been classified as “high severity.”The ICS-CERT published a security advisory that warns of four vulnerabilities that affect the industrial routers. The issues tracked with CVE identifiers CVE-2018-14782 through CVE-2018-14785, are an Information Exposure, a Cross-site Request Forgery, a Cross-site Scripting, an Information Exposure through Directory Listing.

The cross-site request forgery condition could be triggered by a remote attacker to change passwords of the device.

“When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.” reads the security advisory.

The Netcomm industrial routers are vulnerable to several cross-site scripting attacks, a remote attacker can carry out them to run arbitrary code on the device.

“The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.” states the advisory.

The XSS vulnerability is tied with the failure of the application hosted on the embedded web server to filter and sanitize the input.

Another flaw is an Information Exposure Through Directory Listing that could be triggered by an attacker to gain the complete index of all the resources located inside of the directory.

The last issue is an information disclosure issue that can be exploited by an attacker to obtain details on the router’s components.

NetComm has released a firmware update that addresses the security vulnerabilities in mid-May 2018.

Pierluigi Paganini

(Security Affairs – NetComm industrial router, hacking)

The post ICS-CERT warns of critical flaws in NetComm industrial routers appeared first on Security Affairs.

Faxploit – Critical flaws potentially exposes millions of HP OfficeJet Printers to hack

A vulnerability in HP OfficeJet all-in-one inkjet printer can be exploited by attackers to gain control of the printer and use it as entry point into the network environment.

A critical vulnerability potentially exposes millions of HP OfficeJet printers to hack, according to the experts at Check Point the attackers only need to send a fax to the vulnerable printers.

The researchers discovered two critical vulnerabilities in HP’s implementation of a widely used fax protocol implemented in all its OfficeJet all-in-one inkjet printers.

The vulnerabilities affect the HP all-in-one printers that support Group 3 (G3) fax protocols that are part of the ITU T.30 standard for sending and receiving color faxes.

OfficeJet HP flawCheckpoint experts reported the flaws to HP and shared details for the two vulnerabilities at the DEF CON conference.

The researchers devised an attack technique dubbed Faxploit, they demonstrated that once the attackers have compromised a fax machine they could leverage the NSA exploit EternalBlue for lateral movements.

“The below diagram shows the Faxploit attack flow, following which a threat actor could then move laterally across your network to access your organization’s most confidential information.” reads the blog post published by CheckPoint Security. 

“The crucial element to notice is that whereas most attacks today penetrate through an internet connection to enter an organization’s network, using this vulnerability in the fax protocol even a network that is completely detached would be vulnerable. This is due to the attack being channeled through a route that until now was considered to be secure and need not have protection layers applied.”

HP OfficeJet all-in-one inkjet printer 2

Below a video PoC of the exploit.

The experts explained that attackers run several type of attack, such as stealing documents or tampering with the fax content by replacing the documents received with altered versions of them.

The fax flaws could be exploited by attackers during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

The expert explained that when sending a fax the OfficeJet printer it is used the TIFF image format. The sender’s fax broadcasts the .TIFF meta-data for the receiving fax machine to set transmission parameters such as page sizes. According to the ITU T.30 standard protocol, the receiver’s fax will have to analyze meta-data for data continuity and sanitation, but exports discovered that by sending a color fax, they noticed the sending/receiving machines used the image format .JPG instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

The vulnerable OfficeJet printers used a custom JPEG parser to parse the fax data, instead of using libjpeg, the developers implemented their own JPEG parser.

The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.

HP also released security patches for both vulnerabilities tracked as CVE-2018-5925 and CVE-2018-5924.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.

Pierluigi Paganini

(Security Affairs – OfficeJet HP flaw, hacking)

The post Faxploit – Critical flaws potentially exposes millions of HP OfficeJet Printers to hack appeared first on Security Affairs.

Oracle warns of CVE-2018-3110 Critical Vulnerability in Oracle Database product, patch it now!

Last week Oracle disclosed a critical vulnerability in its Oracle Database product, the issue tracked as CVE-2018-3110 has received a CVSS score of 9.9,

On Friday, Oracle released security patches to address a critical vulnerability affecting its Database product, the company is urging install them as soon as possible.

The vulnerability resides in the Java VM component of Oracle Database Server, a remote authenticated attacker can exploit it take complete control of the product and establish a shell access to the underlying server.

The vulnerability, tracked as CVE-2018-3110, affects Oracle Database 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows and 12.1.0.2 running on Unix or Linux.

“Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.” reads the security advisory published by Oracle “Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. “

Oracle CVE-2018-3110

The Version 12.1.0.2 on both Windows and Unix/Linux systems was already addressed with the Oracle July 2018 CPU.

“Due to the nature of this vulnerability, Oracle recommends that customers apply these patches as soon as possible.” reads the blog post published by Oracle.

“This means that:

  • Customers running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows should apply the patches provided by the Security Alert.
  • Customers running version 12.1.0.2 on Windows or any version of the database on Linux or Unix should apply the July 2018 Critical Patch Update if they have not already done so.”

Oracle “strongly recommends that customers take action without delay.”

Pierluigi Paganini

(Security Affairs – CVE-2018-3110, Oracle Database)

The post Oracle warns of CVE-2018-3110 Critical Vulnerability in Oracle Database product, patch it now! appeared first on Security Affairs.

Apple zero-day exposes macOS to Synthetic Mouse-Click attacks

Patrick Wardle, the popular white hat hacker, has discovered a zero-day vulnerability that could allow attackers to carry out synthetic mouse-click attacks

Patrick Wardle, the popular white hat hacker and chief research officer at Digita Security, has discovered a zero-day vulnerability that could allow attackers to mimic mouse-clicks for kernel access.

Wardle presented his discovery during the Def Con 2018 conference in Las Vegas, he explained that by using two lines of code he found an Apple zero-day in the High Sierra operating system that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

Once obtained the Kernel access on a Mac, the attack can fully compromise the system.

Apple has already in place security measures to prevent attackers from mimicking mouse-clicks for approving security prompts presented to the user when attempting to perform tasks that can potentially expose to risks the system.

Patrick Wardle has discovered a flaw that allows attackers to bypass such kind of security measures through Synthetic Mouse-Click attacks.

Wardle recently demonstrated that a local, privileged attacker could leverage vulnerabilities in third-party kernel extensions to bypass Apple’s kernel code-signing requirements.

Malware developers and hackers have started using synthetic mouse-click attacks to bypass this security mechanism and emulate human behavior in approving security warnings.

Apple mitigated the attack devised by Wardle by implementing a new security feature dubbed “User Assisted Kernel Extension Loading,” a measure that force users to manually approve the loading of any kernel extension by clicking the “allow” button in the security settings UI.

The latest macOS versions, including High Sierra introduced a filtering mechanism to ignore synthetic events.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed it’s game over,” Wardle explained.

Synthetic Mouse-Click attacks

Wardle discovered that is it possible to deceive macOS by using two consecutive synthetic mouse “down” events because the operating system wrongly interprets them as a manual approval.

“For some unknown reason the two synthetic mouse ‘down’ events confuse the system and the OS sees it as a legitimate click,” Wardle said. “This fully breaks a foundational security mechanism of High Sierra.”

The expert explained that the operating system confuses a sequence of two-down as mouse “down” and “up.” The OS also confuse the “up” event as an internal event and for this reason, it is not filtered and it can be abused to interact with High Sierra’s user interface allowing to load kernel extensions.

Wardle accident discovered the issue by copying and pasting code for a synthetic mouse down twice.

“I was just kind of goofing around with this feature. I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

“Two lines of code completely break this security mechanism,” he added. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

According to Wardle, the issue only affects High Sierra, because it is the using OS version that implements the Apple’s User Assisted Kernel Extension Loading.

The Wardle’s presentation is available at the following URL:

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Patrick%20Wardle/DEFCON-26-Patrick-Wardle-The-Mouse-Is-Mightier-Synthetic0Reality.pdf

Pierluigi Paganini

(Security Affairs – Synthetic Mouse-Click Attacks, macOS)

The post Apple zero-day exposes macOS to Synthetic Mouse-Click attacks appeared first on Security Affairs.

DNS Hijacking targets Brazilian financial institutions

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by carrying out DNS hijacking.

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by changing the DNS settings.

With this trick, cybercriminals steal login credentials for bank accounts, Radware researchers reported.

The attackers change the DNS settings pointing the network devices to DNS servers they control, in this campaign the experts observed crooks using two DNS servers, 69.162.89.185 and 198.50.222.136. The two DNS servers resolve the logical address for Banco de Brasil (www.bb.com.br) and Itau Unibanco (hostname www.itau.com.br) to bogus clones.

“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.” reads the analysis published by Radware.

“The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server which has no connection whatsoever to the legitimate Banco de Brasil website.”

Hackers are using old exploits dating from 2015 that work on some models of DLink DSL devices, they only have to run for vulnerable routers online and change their DNS settings.

The experts highlighted that the hijacking is performed without any user interaction.

“The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet.” reads the alert published by Radware.

“The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level.”

Attackers carried out phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser. Such kind of attack is not a novelty, hackers are using similar techniques since 2014, in 2016, an exploit tool known as RouterHunterBr 2.0 was published online and used the same malicious URLs, but Radware is not aware of currently of abuse originating from this tool.

Radware has recorded several infections attempts for an old D-Link DSL router exploits since June 12.

DNS hijacking

The malicious URL used in the campaign appear as:

DNS hijacking 2


Several exploits  for multiple DSL routers, mostly D-Link, were available online since February, 2015:

Once the victims visit the fake websites, they will be asked for bank info, including agency number, account number, mobile phone number, card pin, eight-digit pin, and a CABB number.

The experts noticed that the phishing websites used in the campaign are flagged as not secure in the URL address.

Radware reported the campaigns to the financial institutions targeted by the attacks and fake websites have since been taken offline.

“A convenient way for checking DNS servers used by your devices and router is through websites like http://www.whatsmydnsserver.com/.
Only modems and routers that were not updated in the last two years can be exploited. Updates will protect the owner of the device and also prevent devices being enslaved for use in DDoS attacks or used to conceal targeted attacks.” recommends Radware.

Pierluigi Paganini

(Security Affairs – DNS hijacking, hacking)

The post DNS Hijacking targets Brazilian financial institutions appeared first on Security Affairs.

Security Affairs newsletter Round 175 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      A malware paralyzed TSMC plants where also Apple produces its devices
·      Do Businesses Know When Theyre Using Unethical Data?
·      Russian troll factory suspected to be behind the attack against Italian President Mattarella
·      Salesforce warns of API error that exposed Marketing data
·      Tech Support Scams improved with adoption of Call Optimization Service
·      Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks
·      Fortnite APK is coming soon, but it will not be available on the Google Play Store
·      TCM Bank: website misconfiguration exposed applicant data for 16 months
·      ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis
·      Duo Security created open tools and techniques to identify large Twitter botnet
·      Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges
·      HP releases firmware updates for two critical RCE flaws in Inkjet Printers
·      TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware
·      GitHub started warning users when adopting compromised credentials
·      Hacking WiFi Password in a few steps using a new attack on WPA/WPA2
·      Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black botnet
·      Snapchat source Code leaked after an iOS update exposed it
·      BIND DNS software includes a security feature that could be abused to cause DoS condition
·      DeepLocker – AI-powered malware are already among us
·      Researchers find vulnerabilities in WhatsApp that allow to spread Fake News via group chats
·      Security expert discovered a bug that affects million Kaspersky VPN users
·      Social Mapper – Correlate social media profiles with facial recognition
·      The analysis of the code reuse revealed many links between North Korea malware
·      Experts explained how to hack macs in enterprises through MDM
·      Group-IB: The Shadow Market Is Flooded with Cheap Mining Software
·      Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 175 – News of the week appeared first on Security Affairs.

Security Affairs: Security Affairs newsletter Round 175 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      A malware paralyzed TSMC plants where also Apple produces its devices
·      Do Businesses Know When Theyre Using Unethical Data?
·      Russian troll factory suspected to be behind the attack against Italian President Mattarella
·      Salesforce warns of API error that exposed Marketing data
·      Tech Support Scams improved with adoption of Call Optimization Service
·      Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks
·      Fortnite APK is coming soon, but it will not be available on the Google Play Store
·      TCM Bank: website misconfiguration exposed applicant data for 16 months
·      ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis
·      Duo Security created open tools and techniques to identify large Twitter botnet
·      Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges
·      HP releases firmware updates for two critical RCE flaws in Inkjet Printers
·      TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware
·      GitHub started warning users when adopting compromised credentials
·      Hacking WiFi Password in a few steps using a new attack on WPA/WPA2
·      Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black botnet
·      Snapchat source Code leaked after an iOS update exposed it
·      BIND DNS software includes a security feature that could be abused to cause DoS condition
·      DeepLocker – AI-powered malware are already among us
·      Researchers find vulnerabilities in WhatsApp that allow to spread Fake News via group chats
·      Security expert discovered a bug that affects million Kaspersky VPN users
·      Social Mapper – Correlate social media profiles with facial recognition
·      The analysis of the code reuse revealed many links between North Korea malware
·      Experts explained how to hack macs in enterprises through MDM
·      Group-IB: The Shadow Market Is Flooded with Cheap Mining Software
·      Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 175 – News of the week appeared first on Security Affairs.



Security Affairs

Unsecured AWS S3 Bucket exposed sensitive data on 31,000 GoDaddy servers

UpGuard discovered an unsecured GoDaddy’s Amazon S3 bucket containing sensitive information related to more than 31,000 GoDaddy systems.

Experts at cybersecurity firm UpGuard have reported that another big company was victim of a data leak, it is the domain name registrar and web hosting company GoDaddy.

The popular UpGuard’s risk analyst Chris Vickery discovered an unsecured GoDaddy’s Amazon S3 bucket containing sensitive information related to more than 31,000 GoDaddy systems.

“The UpGuard Cyber Risk Team has discovered and secured a data exposure of documents appearing to describe GoDaddy infrastructure running in the Amazon AWS cloud, preventing any future exploitation of this information.” reads the post published by UpGuard.

“The documents were left exposed in a publicly accessible Amazon S3 bucket which, according to a statement from Amazon, “was created by an AWS salesperson.”

The expert discovered the unsecured AWS bucket named abbottgodaddy on June 19th, 2018. It was containing several versions of a spreadsheet, the latest one named “GDDY_cloud_master_data_1205 (AWS r10).xlsx.

The document was a 17MB Microsoft Excel file with multiple sheets and tens of thousands of rows.

Each sheet contained data related to the large-scale infrastructure running in the Amazon cloud, such as “high-level configuration information” of company systems and pricing facilities for operating them.

“The exposed configuration information included fields for hostname, operating system, “workload” (what the system was used for), AWS region, memory and CPU specs, and more.” continues the post.

“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields. Also included were what appear to be GoDaddy’s discounts from Amazon AWS, usually restricted information for both parties, who must negotiate for rates– as do GoDaddy’s competitors.”

godaddy data leak

The experts pointed out that the availability of the configuration information for the GoDaddy infrastructure could allow attackers to select targets based on their role, probable data, size, and region.

Competitors, vendors, cloud providers, and others, could also use business data exposed in the unsecured Amazon S3 bucket as a competitive advantage for cloud hosting strategy and pricing.

“From operations as large as GoDaddy and Amazon, to small and medium organizations, anyone who uses cloud technology is subject to the risk of unintentional exposure, if the operational awareness and processes aren’t there to catch and fix misconfigurations when they occur,” concludes UpGuard.

This year many other companies have exposed sensitive data in the same way, including Accenture, FedEx, and Walmart. Even though Amazon S3 buckets are configured by default with a secure configuration, many AWS customers turn off security settings for expedience. This particular data leak was caused by an AWS employee.

“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” an Amazon spokesperson said. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default, and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”

Pierluigi Paganini

(Security Affairs – GoDaddy, data leak)

The post Unsecured AWS S3 Bucket exposed sensitive data on 31,000 GoDaddy servers appeared first on Security Affairs.

Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens

Journalists revealed a new surveillance program that targets US citizens, the program was previously-undisclosed and code named ‘Quiet Skies’.

According to the Transportation Security Administration (TSA), that has admitted the  Quiet Skies, the program has monitored about 5,000 U.S. citizens on domestic flights in recent months.

Quiet Skies was criticized by privacy advocates because the authorities have begun monitoring U.S. citizens that aren’t suspected of a crime or of involvement in terrorist organizations.

The domestic surveillance program aims at collecting extensive information about the movements of the citizens and their behaviour.

“The previously undisclosed program, called ‘Quiet Skies,’” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” states a bulletin issued in March by the TSA.

The Agency is monitoring individuals who have spent a certain amount of time in specific countries, who have visited those counties within a certain period of time, or that have made a reservation which includes email addresses or phone numbers associated to terrorism suspects could trigger monitoring.

Passengers remain on the Quiet Skies watch list “for up to 90 days or three encounters, whichever comes first, after entering the United States,” according to the TSA. Travelers are not notified when they have been added to the watch list.

Every day about 40 to 50 people on domestic flights are selected under the Quiet Skies program and on average, air marshals follow and monitor about 35 of them.

This type of surveillance activity is very expensive and according to the experts it drains resources from other vital activities.

At the time there are no data on the cost of the program or whether it allowed authoritied to neutralize any threat.

“Since this initiative launched in March, dozens of air marshals have raised concerns about the Quiet Skies program with senior officials and colleagues, sought legal counsel, and expressed misgivings about the surveillance program, according to interviews and documents reviewed by the Globe.”

Privacy advocates and experts on civil liberties considers the Quiet Skies program worrisome and potentially illegal:

Further details on the program are reported in the article titled “Quiet Skies– A TSA Surveillance Program Targets Ordinary U.S. Citizens” that I have published on the Infosec Institute website.

Pierluigi Paganini

(Security Affairs – TSA, surveillance)

The post Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens appeared first on Security Affairs.

Group-IB: The Shadow Market Is Flooded with Cheap Mining Software

Group-IB is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations.

Group-IB, an international company specializing in the prevention of cyberattacks, is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations. According to Group-IB’s Threat Intelligence, over a year, the number of shadow-forum ads offering mining software has increased fivefold (H1 2018 vs H1 2017). Group-IB experts say it is a very dangerous tendency to have so many mining Trojans available designed to use other people’s devices and infrastructure for illegitimate generation of cryptocurrency.

Cryptojacking (using computation capacity of a computer or infrastructure for cryptocurrency mining without the knowledge or consent of its owner) is still a comparatively popular method of personal gain, in spite of a clear tendency toward a decrease in the number of incidents of this type of fraud. Growth in the number of such thefts may be caused not only by the growth of mining software offers in Darknet but also by their comparatively low price, which is often less than $0.50.

Mining Software darkweb cryptojacking

 

The low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes. When they gain access to simple tools for making money off hidden cryptocurrency mining, they don’t consider it a crime, all the more so as the Russian legislative environment still leaves enough loopholes to avoid prosecution for such thefts. There are still very few arrests and cases of prosecution for cryptojacking.

One cryptocoin after another: what are the dangers of mining?

Any device (computer, smartphone, IoT, server, etc.) may be used for cryptojacking: that’s why it is not enough to install detection systems only at the workstation level. New types of mining software appear regularly that bypass security systems based on signature alone. A symmetric response to this threat is the analysis of various mining manifestations at the network level. With this end in view, it is necessary to use, among other things, behavioral analysis technologies to detect previously unknown programs and tools.

Group-IB experts warn that mining results not just in direct financial losses due to increased expenditures for electricity. It threatens the stability and continuity of business processes by decelerating corporate systems and increasing depreciation of hardware.  Infection of infrastructure with a mining Trojan may result in the failure of corporate apps, networks and systems. Unauthorized external programs working without the knowledge of business owners is fraught with reputational losses, as well as compliance and regulatory risks.

What should we do? 

Integrated countermeasures against cryptojacking require the detection of all forms of malicious codes distributed or working in the network, based on a regularly updated database of threats to systems (Threat Intelligence class). Suspicious activity should always be analyzed in a secure isolated environment to ensure the absolute confidentiality of data about infected computers, infrastructure segments and other resources. It is important not only to protect yourself within your own network, but to detect cryptomining tools running java scripts on hacked resources seeking to infect as many victims as possible. There is one more type of fraud that has been gaining popularity recently: the use of traditional insiders. Companies should be able to protect themselves against their own dishonest employees who attempt to increase their incomes at the expense of their employer’s resources.

About the Author: Group-IB Corporate Communications 

http://www.group-ib.ru

https://www.group-ib.ru/blog/

telegram | facebook | twitter | linkedin

Pierluigi Paganini

(Security Affairs – cryptojacking, DarkWeb)

The post Group-IB: The Shadow Market Is Flooded with Cheap Mining Software appeared first on Security Affairs.

Security Affairs: Group-IB: The Shadow Market Is Flooded with Cheap Mining Software

Group-IB is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations.

Group-IB, an international company specializing in the prevention of cyberattacks, is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations. According to Group-IB’s Threat Intelligence, over a year, the number of shadow-forum ads offering mining software has increased fivefold (H1 2018 vs H1 2017). Group-IB experts say it is a very dangerous tendency to have so many mining Trojans available designed to use other people’s devices and infrastructure for illegitimate generation of cryptocurrency.

Cryptojacking (using computation capacity of a computer or infrastructure for cryptocurrency mining without the knowledge or consent of its owner) is still a comparatively popular method of personal gain, in spite of a clear tendency toward a decrease in the number of incidents of this type of fraud. Growth in the number of such thefts may be caused not only by the growth of mining software offers in Darknet but also by their comparatively low price, which is often less than $0.50.

Mining Software darkweb cryptojacking

 

The low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes. When they gain access to simple tools for making money off hidden cryptocurrency mining, they don’t consider it a crime, all the more so as the Russian legislative environment still leaves enough loopholes to avoid prosecution for such thefts. There are still very few arrests and cases of prosecution for cryptojacking.

One cryptocoin after another: what are the dangers of mining?

Any device (computer, smartphone, IoT, server, etc.) may be used for cryptojacking: that’s why it is not enough to install detection systems only at the workstation level. New types of mining software appear regularly that bypass security systems based on signature alone. A symmetric response to this threat is the analysis of various mining manifestations at the network level. With this end in view, it is necessary to use, among other things, behavioral analysis technologies to detect previously unknown programs and tools.

Group-IB experts warn that mining results not just in direct financial losses due to increased expenditures for electricity. It threatens the stability and continuity of business processes by decelerating corporate systems and increasing depreciation of hardware.  Infection of infrastructure with a mining Trojan may result in the failure of corporate apps, networks and systems. Unauthorized external programs working without the knowledge of business owners is fraught with reputational losses, as well as compliance and regulatory risks.

What should we do? 

Integrated countermeasures against cryptojacking require the detection of all forms of malicious codes distributed or working in the network, based on a regularly updated database of threats to systems (Threat Intelligence class). Suspicious activity should always be analyzed in a secure isolated environment to ensure the absolute confidentiality of data about infected computers, infrastructure segments and other resources. It is important not only to protect yourself within your own network, but to detect cryptomining tools running java scripts on hacked resources seeking to infect as many victims as possible. There is one more type of fraud that has been gaining popularity recently: the use of traditional insiders. Companies should be able to protect themselves against their own dishonest employees who attempt to increase their incomes at the expense of their employer’s resources.

About the Author: Group-IB Corporate Communications 

http://www.group-ib.ru

https://www.group-ib.ru/blog/

telegram | facebook | twitter | linkedin

Pierluigi Paganini

(Security Affairs – cryptojacking, DarkWeb)

The post Group-IB: The Shadow Market Is Flooded with Cheap Mining Software appeared first on Security Affairs.



Security Affairs

Experts explained how to hack macs in enterprises through MDM

Researchers demonstrated how a sophisticated threat actor can hack a brand new Apple Mac computer in enterprise environments through MDM.

A security duo composed by Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, demonstrated at the Black Hat security conference how a persistent attacker could compromise brand new Mac systems in enterprise environments on the first boot.

The experts leverage the Apple mobile device management protocol to retrieve the manifest and install a different application than the one chosen by the victim.

MDM allows administrators in enterprises to remotely manage macOS and iOS devices, it allows to easily install or remove applications, lock devices or securely erase them.

Every time a new device is added in an enterprise, it receives a Configuration Profile, an operation that can be performed automatically using the Device Enrollment Program (DEP).

macOS computers automatically contact the MDM server during the boot or after a factory reset procedure.

The DEP profile sent to the device is created by the MDM server and includes information related to software installation (i.e. server’s URL, pinned certificates).

MDM Apple hack

By using the MDM command InstallApplication, administrators can install a specified application. The command uses a manifest URL that returns an XML file containing all the information needed to install the application.

The experts explained that it is possible to manipulate this manifest to install a specific application by carrying out a man-in-the-middle (MitM) attack.

The attack is not easy to conduct, anyway, a sophisticated nation-state actor or an ISP could carry out it.

The attack can exploit this technique to force the installation of a malicious application as soon as the macOS computers connect to the MDM server.

The security duo reported the hacking technique to Apple in April and early May Apple acknowledged it. Apple addressed the issue in July with the release of macOS version 10.13.6.

“We disclosed the issue to Apple shortly after discovering it. Based on our feedback, a fix was quickly implemented in the form of a new MDM command: InstallEnterpriseApplication, which is now documented publicly” reads the research paper published by the experts.

“This command (available as of macOS 10.13.6) allows MDM vendors to provide specific certificates to pin the request to the ManifestURL (using the new ManifestURLPinningCerts property of said command). It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem. We will take a closer look at how the vulnerability was addressed.”

With the new release, Apple introduced the InstallEnterpriseApplication MDM that allows MDM vendors to provide certificates to pin the request to the manifest URL.

Pierluigi Paganini

(Security Affairs – mobile device management, hacking)

The post Experts explained how to hack macs in enterprises through MDM appeared first on Security Affairs.

The analysis of the code reuse revealed many links between North Korea malware

Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence that links malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123.

The experts focused their analysis on the code reuse, past investigations revealed that some APT groups share portions of code and command and control infrastructure for their malware.

Security researchers when analyzing a hacking campaign attempt to attribute it to a specific threat actor also evaluating the code reuse.

“The following graph presents a high-level overview of these relations. Each node represents a malware family or a hacking tool (“Brambul,” “Fallchill,” etc.) and each line presents a code similarity between two families. A thicker line correlates to a stronger similarity. In defining similarities, we take into account only unique code connections, and disregard common code or libraries. This definition holds both for this graph and our entire research.” reads the analysis published by the experts.

“We can easily see a significant amount of code similarities between almost every one of the attacks associated with North Korea. Our research included thousands of samples, mostly unclassified or uncategorized.”

According to the experts, North Korea-linked groups operated with two main goals, raise money and pursue nationalist aims.

Each state-sponsored hacker was involved in cyber operations with one of the above goals depending on his cyber capabilities.

Financially motivated operations consisting in hacking into financial institutions, hijack gambling sessions or sell pirated and cracked software were conducted by the Unit 180. Operations with nationalist aims are mostly executed by the Unit 121.

The joint research conducted by the experts was focused on the larger-scale nationalism-motivated campaigns, most of which presented a significant code reuse.

The experts analyzed thousands of malware samples, many still unclassified or uncategorized, and discovered many similarities in the source code used in attacks associated with North Korea.

For example, the “Common SMB module” that was part of the WannaCry Ransomware (2017) was similar to the code used the malware Mydoom (2009), Joanap, and DeltaAlfa.

“The first code example appeared in the server message block (SMB) module of WannaCry in 2017, Mydoom in 2009, Joanap, and DeltaAlfa. Further shared code across these families is an AES library from CodeProject. These attacks have been attributed to Lazarus; that means the group has reused code from at least 2009 to 2017.” states the analysis published by the experts.

The expert notices many similarities in the source code of three different remote access Trojans, tracked as NavRAT, Gold Dragon, and a DLL that was used in the attack against the South Korean gambling industry. The similarity consists in the  Common file mapping.

“The second example demonstrates code responsible for mapping a file and using the XOR key 0xDEADBEEF on the first four bytes of the file. This code has appeared in the malware families NavRAT and Gold Dragon, plus a certain DLL from the South Korean gambling hacking campaign.” reads the report published by the experts.

The three malware were associated with the APT group tracked as Group 123 (also tracked as Reaper, APT37, and ScarCruft).

The researchers also found a similarity in the source code of the Brambul malware (2009) and KorDllBot (2011).

“The third example, responsible for launching a cmd.exe with a net share, has been seen in 2009’s Brambul, also known as SierraBravo, as well as KorDllBot in 2011. These malware families are also attributed to the Lazarus group.” states the report.

The experts also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples involved in the Operation Troy.

The analysis of the code reuse conducted by the experts confirmed that most of the samples attributed to North Korea-linked APT group Lazarus presented many similarities. The only malware that appears different are the RATs involved in the operations attributed to Group 123 APT group.

“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the researchers concluded.

North Korea code reuse 2

“We clearly saw a lot of code reuse over the many years of cyber campaigns we examined. This indicates the North Koreans have groups with different skills and tools that execute their focused parts of cyber operations while also working in parallel when large campaigns require a mix of skills and tools.” concluded the experts.

Pierluigi Paganini

(Security Affairs – North Korea, malware)

The post The analysis of the code reuse revealed many links between North Korea malware appeared first on Security Affairs.

Social Mapper – Correlate social media profiles with facial recognition

Trustwave developed Social Mapper an Open Source Tool that uses facial recognition to correlate social media profiles across different social networks.

Security experts at Trustwave have released Social Mapper, a new open-source tool that allows finding a person of interest across social media platform using facial recognition technology.

The tool was developed to gather intelligence from social networks during penetration tests and are aimed at facilitating social engineering attacks.

Social Mapper facial recognition tool automatically searches for targets across eight social media platforms, including Facebook, Instagram, Twitter, LinkedIn, Google+, VKontakte (The Russian Facebook), and Chinese Weibo and Douban.

An individual could be searcher by providing a name and a picture, the tool allows to conduct an analysis “on a mass scale with hundreds or thousands of individuals” at once.

“Performing intelligence gathering is a time-consuming process, it typically starts by attempting to find a person’s online presence on a variety of social media sites. While this is a easy task for a few, it can become incredibly tedious when done at scale.” Trustwave states in a blog post.

“Introducing Social Mapper an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale. Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients.”

Social Mapper

The Social Mapper search for specific profiles in three stages:

Stage 1—The tool creates a list of targets based on the input you give it. The list can be provided via links in a CSV file, images in a folder or via people registered to a company on LinkedIn.

Stage 2—Once the targets are processed, the second stage of Social Mapper kicks in that automatically starts searching social media sites for the targets online.

This stage can be time-consuming, the search could take over 15 hours for lists of 1,000 people and use a significant amount of bandwidth, for this reason, experts recommend running the tool overnight on a machine with a good internet connection.

Stage 3—The Social Mapper starts generating a variety of output, including a CSV file with links to the profile pages of the target list and a visual HTML report.

Of course, this intelligence-gathering tool could be abused by attackers to collect information to use in highly sophisticated spear- phishing campaigns.

Experts from Trustwave warn of potential abuses of Social Mapper that are limited “only by your imagination.” Attackers can use the results obtained with the tool to:

  • Create fake social media profiles to ‘friend’ the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
  • Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
  • Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
  • View target photos looking for employee access card badges and familiarise yourself with building interiors.

If you want to start using the tool you can find it for free on GitHub.

Trustwave researcher Jacob Wilkin will present Social Mapper at the Black Hat USA conference today.

Pierluigi Paganini

(Security Affairs – Social Mapper, social network)

The post Social Mapper – Correlate social media profiles with facial recognition appeared first on Security Affairs.

Security expert discovered a bug that affects million Kaspersky VPN users

A security issue exists in Kaspersky VPN <=v1.4.0.216 which leaks your DNS Address even after you’re connected to any virtual server. (Tested on Android 8.1.0)

What is a DNS leaks?

In this context, with the term “DNS leak” we indicate an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPN which comes with 1,000,000+ tier downloads in the official Google Play Store, however, it was observed that when it connects to any random virtual server still leaks your actual DNS address.

The expert  that discovered the flaw reported it to Kaspersky via Hackerone.

Mishra also published a step-by-step guide to reproduce the problem:

  1. Visit IPleak (Note your actual DNS address).
  2. Now, connect to any random virtual server using Kaspersky VPN.
  3. Once you are successfully connected, navigate to IPleak you will observe that the DNS address still remains the same.

Kaspersky VPN

The expert explained that the data leak could threaten the privacy of end-users that want to remain anonymous on the internet.

“I believe this leaks the trace’s of an end user, who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for same but no bounty was awarded.” states Mishra.

The expert reported this vulnerability to Kaspersky on Apr 21st via HackerOne, and a fix was pushed for the issue.

Unfortunately, at the time, the researcher was awarded as expected under the company’s bug bounty.

About the Author: Security Researcher

Pierluigi Paganini

(Security Affairs – Kaspersky VPN, privacy)

The post Security expert discovered a bug that affects million Kaspersky VPN users appeared first on Security Affairs.

Security Affairs: Security expert discovered a bug that affects million Kaspersky VPN users

A security issue exists in Kaspersky VPN <=v1.4.0.216 which leaks your DNS Address even after you’re connected to any virtual server. (Tested on Android 8.1.0)

What is a DNS leaks?

In this context, with the term “DNS leak” we indicate an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPN which comes with 1,000,000+ tier downloads in the official Google Play Store, however, it was observed that when it connects to any random virtual server still leaks your actual DNS address.

The expert  that discovered the flaw reported it to Kaspersky via Hackerone.

Mishra also published a step-by-step guide to reproduce the problem:

  1. Visit IPleak (Note your actual DNS address).
  2. Now, connect to any random virtual server using Kaspersky VPN.
  3. Once you are successfully connected, navigate to IPleak you will observe that the DNS address still remains the same.

Kaspersky VPN

The expert explained that the data leak could threaten the privacy of end-users that want to remain anonymous on the internet.

“I believe this leaks the trace’s of an end user, who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for same but no bounty was awarded.” states Mishra.

The expert reported this vulnerability to Kaspersky on Apr 21st via HackerOne, and a fix was pushed for the issue.

Unfortunately, at the time, the researcher was awarded as expected under the company’s bug bounty.

About the Author: Security Researcher

Pierluigi Paganini

(Security Affairs – Kaspersky VPN, privacy)

The post Security expert discovered a bug that affects million Kaspersky VPN users appeared first on Security Affairs.



Security Affairs

Security Affairs: DeepLocker – AI-powered malware are already among us

Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present today.

What about Artificial Intelligence (AI) applied in malware development? Threat actors can use AI-powered malware to create powerful malicious codes that can evade sophisticated defenses.

Security researchers at IBM Research developed a “highly targeted and evasive” attack tool powered by AI,” dubbed DeepLocker that is able to conceal its malicious intent until it has infected the specific target.

“IBM Research developed DeepLocker to better understand how several existing AI models can be combined with current malware techniques to create a particularly challenging new breed of malware.” reads a blog post published by the experts.

“This class of AI-powered evasive malware conceals its intent until it reaches a specific victim. It unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition.” 

According to the IBM researcher, DeepLocker is able to avoid detection and activate itself only after specific conditions are matched.
AI-powered malware represents a privileged optional in high-targeted attacks like the ones carried out by nation-state actors.
The malicious code could be concealed in harmful applications and select the target based on various indicators such as voice recognition, facial recognition, geolocation and other system-level features.

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.” continues IBM.

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

deeplocker chart

The researchers shared a proof of concept by hiding the WannaCry ransomware in a video conferencing app and keeping it stealth until the victim is identified through the facial recognition. Experts pointed out that the target can be identified by matching his face with publicly available photos.

“To demonstrate the implications of DeepLocker’s capabilities, we designed a proof of concept in which we camouflage a well-known ransomware (WannaCry) in a benign video conferencing application so that it remains undetected by malware analysis tools, including antivirus engines and malware sandboxes. As a triggering condition, we trained the AI model to recognize the face of a specific person to unlock the ransomware and execute on the system.”

“Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded AI model, but otherwise behave normally for all users except the intended target,” the researchers added.

“When the victim sits in front of the computer and uses the application, the camera would feed their face to the app, and the malicious payload will be secretly executed, thanks to the victim’s face, which was the preprogrammed key to unlock it.”

The IBM Research group will provider further details today more details in a live demo at the Black Hat USA security conference in Las Vegas.

Pierluigi Paganini

(Security Affairs – AI-powered malware, DeepLocker )

The post DeepLocker – AI-powered malware are already among us appeared first on Security Affairs.



Security Affairs

DeepLocker – AI-powered malware are already among us

Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present today.

What about Artificial Intelligence (AI) applied in malware development? Threat actors can use AI-powered malware to create powerful malicious codes that can evade sophisticated defenses.

Security researchers at IBM Research developed a “highly targeted and evasive” attack tool powered by AI,” dubbed DeepLocker that is able to conceal its malicious intent until it has infected the specific target.

“IBM Research developed DeepLocker to better understand how several existing AI models can be combined with current malware techniques to create a particularly challenging new breed of malware.” reads a blog post published by the experts.

“This class of AI-powered evasive malware conceals its intent until it reaches a specific victim. It unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition.” 

According to the IBM researcher, DeepLocker is able to avoid detection and activate itself only after specific conditions are matched.
AI-powered malware represents a privileged optional in high-targeted attacks like the ones carried out by nation-state actors.
The malicious code could be concealed in harmful applications and select the target based on various indicators such as voice recognition, facial recognition, geolocation and other system-level features.

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.” continues IBM.

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

deeplocker chart

The researchers shared a proof of concept by hiding the WannaCry ransomware in a video conferencing app and keeping it stealth until the victim is identified through the facial recognition. Experts pointed out that the target can be identified by matching his face with publicly available photos.

“To demonstrate the implications of DeepLocker’s capabilities, we designed a proof of concept in which we camouflage a well-known ransomware (WannaCry) in a benign video conferencing application so that it remains undetected by malware analysis tools, including antivirus engines and malware sandboxes. As a triggering condition, we trained the AI model to recognize the face of a specific person to unlock the ransomware and execute on the system.”

“Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded AI model, but otherwise behave normally for all users except the intended target,” the researchers added.

“When the victim sits in front of the computer and uses the application, the camera would feed their face to the app, and the malicious payload will be secretly executed, thanks to the victim’s face, which was the preprogrammed key to unlock it.”

The IBM Research group will provider further details today more details in a live demo at the Black Hat USA security conference in Las Vegas.

Pierluigi Paganini

(Security Affairs – AI-powered malware, DeepLocker )

The post DeepLocker – AI-powered malware are already among us appeared first on Security Affairs.

BIND DNS software includes a security feature that could be abused to cause DoS condition

The Internet Systems Consortium (ISC) announced the presence of a serious flaw in the BIND DNS software that can be exploited by remote attackers to cause a denial-of-service (DoS) condition.

The vulnerability tracked as CVE-2018-5740 was discovered by Tony Finch of the University of Cambridge. The flaw has been assigned a CVSS score of 7.5, the expert pointed out that the flaw only affects servers that have on a feature called “deny-answer-aliases” enabled. The good news is that this specific feature is disabled by default.

The “deny-answer-aliases” feature is was implemented to help recursive server operators protect users against DNS rebinding attacks. The DNS rebinding arracks allow any website to create a dns name that they are authorized to communicate with, and then make it resolve to localhost. A remote hacker to abuse the targeted user’s browser to directly connect with hosts on the local network and exploit flaws in these systems.

“deny-answer-aliases” is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers.  However, a defect in this feature makes it easy, when the feature is in use, to experience an INSIST assertion failure in name.c.” states the security advisory published by the ISC.

Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients.  Only servers which have explicitly enabled the “deny-answer-aliases” feature are at risk and disabling the feature prevents exploitation.”

BIND DNS software

The vulnerability affects BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2.

The ISC has issued a security patch that is implemented in versions 9.9.13-P1, 9.10.8-P1, 9.11.4-P1 and 9.12.2-P1. The organization also provided a workaround that consists in disabling the “deny-answer-aliases” feature.

“Most operators will not need to make any changes unless they are using the “deny-answer-aliases” feature (which is described in the BIND 9 Adminstrator Reference Manual section 6.2.)  “deny-answer-aliases” is off by default; only configurations which explicitly enable it can be affected by this defect.” continues the advisory.

“If you are using “deny-answer-aliases”, upgrade to the patched release most closely related to your current version of BIND.

  • 9.9.13-P1
  • 9.10.8-P1
  • 9.11.4-P1
  • 9.12.2-P1″

At the time, there is no news about the exploitation of the flaw in attacks in the wild.

Pierluigi Paganini

(Security Affairs – BIND DNS software, DoS)

The post BIND DNS software includes a security feature that could be abused to cause DoS condition appeared first on Security Affairs.

Researchers find vulnerabilities in WhatsApp that allow to spread Fake News via group chats

WhatsApp has been found vulnerable to multiple security flaws that could allow malicious users to spread fake news through group chats.

WhatsApp, the most popular messaging application in the world, has been found vulnerable to multiple security flaws that could allow malicious users to intercept and modify the content of messages sent in both private as well as group conversations.

Researchers at security firm Check Point have discovered several vulnerabilities in the popular instant messaging app Whatsapp, the flaws take advantage of a bug in the security protocols to modify the messages.

An attacker could exploit the flaws “to intercept and manipulate messages sent by those in a group or private conversation” as well as “create and spread misinformation”.

The issues affect the way WhatsApp mobile application communicates with the WhatsApp Web and decrypts the messages using the protobuf2 protocol.

The flaws allow hackers to abuse the ‘quote’ feature in a WhatsApp group conversation to change the identity of the sender, or alter the content of members’ reply to a group chat, or send private messages to one of the group members disguised as a group message.

Experts pointed out the that flaws could not be exploited to access the content of end-to-end encrypted messages and in order to exploit them, the attackers must be already part of group conversations.

“Check Point researchers have discovered a vulnerability in WhatsApp that allows a threat actor to intercept and manipulate messages sent by those in a group or private conversation.” reads the blog post published by the experts.

“The vulnerability so far allows for three possible attacks:

  1. Changing a reply from someone to put words into their mouth that they did not say.
  2. Quoting a message in a reply to a group conversation to make it appear as if it came from a person who is not even part of the group.
  3. Sending a message to a member of a group that pretends to be a group message but is in fact only sent to this member. However, the member’s response will be sent to the entire group.”

The experts demonstrated the exploitation of the flaws by changing a WhatsApp chat entry sent by one member of a group.

Below a video PoC of the attack that shows how to modify WhatsApp Chats and implements the three different attacks.

The research team from CheckPoint researchers (Dikla Barda, Roman Zaikin, and Oded Vanunu) developed a custom extension for the popular tool Burp Suite, dubbed WhatsApp Protocol Decryption Burp Tool, to intercept and modify encrypted messages on their WhatsApp Web.

“By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.” states the experts.

The extension is available on Github, it requires the attacker to provide its private and public keys.

“The keys can be obtained from the key generation phase from WhatsApp Web before the QR code is generated:” continues the report published by the experts.

“After we take these keys we need to take the “secret” parameter which is sent by the mobile phone to WhatsApp Web while the user scans the QR code:”

whatsapp

Experts demonstrated that using their extension an attacker can:

  • Change the content of a group member’s reply.
  • Change the identity of a sender in a group chat. The attack works even if the attacker is not a member of the group. “Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.”
  • Send a Private Message in a Group, but when the recipient replies the members of the group will see it.

 

The experts reported the flaws to WhatsApp, but the company explained that end-to-end encryption if not broken by the attacks.

“We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote.” WhatsApp said in a statement.

“This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.”

“These are known design trade-offs that have been previously raised in public, including by Signal in a 2014 blog post, and we do not intend to make any change to WhatsApp at this time,” WhatsApp security team replied to the researchers.

Checkpoint experts argue that the flaws could be abused to spread fake news and misinformation, for this reason, it is essential to fix the flaws as soon as possible along with putting limits on the forwarded messages.

Pierluigi Paganini

(Security Affairs – Twitter botnet, social media)

The post Researchers find vulnerabilities in WhatsApp that allow to spread Fake News via group chats appeared first on Security Affairs.

Snapchat source Code leaked after an iOS update exposed it

The post Snapchat source Code leaked after an iOS update exposed it appeared first on Security Affairs.

GitHub started warning users when adopting compromised credentials

In order to improve the security of its users, the popular software code hosting service GitHub is now alerting account holders whenever it detects that a password has been exposed by data breaches on other services.

Last week the popular software code hosting service GitHub has introduced a new feature to protect its users, it will alert them whenever it detects that a password has been compromised in a third-party data breach.

GitHub has teamed with the HaveIBeenPwned.com service, managed by the cybersecurity expert Troy Hunt, to provide implement a feature that allows users to check whether their credentials have been involved in known data breaches.

“Common password advice is to use a long and unique password for each website you have an account with. It’s challenging to remember a strong and unique password for each website without either using a password manager or using a trivially discovered theme. As a result, password reuse is extremely prevalent. Regardless of the strength of a password, a single breach can nullify its security when used elsewhere.” reads the advisory published by GitHub.

“While Troy hosts a service that people and services can use to check for compromised passwords, he also generously made the approximately 517 million record dataset available for download. Using this data, GitHub created an internal version of this service so that we can validate whether a user’s password has been found in any publicly available sets of breach data.”

GitHub has developed service that leverages the 517 million record dataset provided by Huntto “validate whether a user’s password has been found in any publicly available sets of breach data.”

GitHub account check

The feature will alert users that are using compromised credentials and ask them to change them during login, registration, or during a password change.

The service will store Github the hashed passwords using the bcrypt algorithm.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” continues GitHub.

GitHub encourages the use of two-factor authentication (2FA), those users that have enabled it will receive periodic warnings to review the 2FA setup and recovery options.

“If you have two-factor authentication enabled, GitHub will now periodically remind you to review your 2FA setup and recovery options. We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean.” continues the advisory.

In June, Microsoft announced the acquisition of GitHub for $7.5 billion in Microsoft stock and the hosting service is improving its security by introducing new measures, including the enforcing of SSL/TLS.

Pierluigi Paganini

(Security Affairs – data breach, Troy Hunt)

The post GitHub started warning users when adopting compromised credentials appeared first on Security Affairs.

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, created by Ramnit operators.

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, that could be the sign of a wider ongoing operation involving the Ramnit operators.

Ramnit is one of the most popular banking malware families in existence today, it was first spotted in 2010 as a worm, in 2011, its authors improved it starting from the leaked Zeus source code turning the malware into a banking Trojan. In 2014 it reached the pinnacle of success, becoming the fourth largest botnet in the world.

In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.

There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.

“This C&C server has actually been active since 6th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”

According to the experts, in the Black operation, the Ramnit malware is distributed via spam campaigns. The malicious code works as a first-stage malware and it is used to deliver a second-stage malware dubbed Ngioweb.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” continues the analysis published by Checkpoint.

“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

Ngioweb leverages a two-stage C&C infrastructure, the STAGE-0 C&C server informs the malware about the STAGE-1 C&C server while the unencrypted HTTP connection is used for this purpose. The second STAGE-1 C&C server is used for controlling malware via an encrypted connection.

Ramnit campaign

The Ngioweb malware can operate in two main modes, the Regular back-connect proxy, and the Relay proxy mode.

In a relay proxy mode, the malware allows operators to build chains of proxies and hide their services behind the IP address of a bot.

“The following sequence of actions is used for building a hidden service using the Ngioweb botnet:

  1. Ngioweb Bot-A connects to C&C STAGE-0 and receives command to connect to the server C&C STAGE-1 with address X:6666.
  2. Ngioweb Bot-A connects to C&C STAGE-1 (Server-X) at X:6666. Server-X asks the bot to start the TCP server. Ngioweb bot reports on starting TCP server with IP address and port.
  3. Malware actor publishes the address of the Bot-A in DNS (or using any other public channel).
  4. Another malware Bot-B resolves the address of Bot-A using DNS (or using any other public channel).
  5. Bot-B connects to Bot-A.
  6. Bot-A creates new connection to Server-X and works as relay between Server-X and Bot-B.

Ramnit campaign 3.png

Further details, including the IoC, are reported in the analysis published by Checkpoint.

Pierluigi Paganini

(Security Affairs – cybercrime, Ramnit botnet)

The post Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet appeared first on Security Affairs.

Hacking WiFi Password in a few steps using a new attack on WPA/WPA2

A security researcher has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.

The security researcher Jens ‘Atom’ Steube, lead developer of the popular password-cracking tool Hashcat, has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.

The new WiFi hacking technique allows to crack WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

The expert was analyzing the recently launched WPA3 security standard when accidentally the new technique.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).” Steube wrote in a post.

“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.”

Older attack techniques required capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), that is a network port authentication protocol. The new attack technique, differently from the previous ones, targets the Robust Secure Network Information Element (RSN IE).

The RSN protocol was designed for establishing secure communications over an 802.11 wireless network and it is part of the 802.11i (WPA) standard. Every time it attempts to establish a secure communication channel, the RSN broadcasts an RSN IE message within the network.

The Robust Security Network protocol has the PMKID (Pairwise Master Key Identifier), that is the key needed to establish a connection between a client and an access point.

An attacker can obtain the WPA PSK (Pre-Shared Key) password from the PMKID.

The WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube added.

“We receive all the data we need in the first EAPOL frame from the AP.”

Below the description of the technique step by step:

Step 1 — An attacker can use a tool like hcxdumptool (v4.2.0 or higher) to request the PMKID from the targeted access point and dump the received frame to a file.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 –enable_statusStep 2 — Run hcxpcaptool tool to convert the captured data from pcapng format to a hash format accepted by hashcat

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password that is the password of the target wireless network.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 ‘?l?l?l?l?l?lt!’The time to crack the password depends on its complexity.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).” Steube concluded.

“The main advantages of this attack are as follow:

  • No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string”

If you are searching for a good step by step explanation, give a look at the blog post published by the penetration tester Adam Toscher.

The new attack technique does not work against the recently introduced WPA3 security protocol.

The WPA3 protocol is “much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”

Pierluigi Paganini

(Security Affairs – Hacking WiFi, WPA/WPA2)

The post Hacking WiFi Password in a few steps using a new attack on WPA/WPA2 appeared first on Security Affairs.

Security Affairs: Hacking WiFi Password in a few steps using a new attack on WPA/WPA2

A security researcher has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.

The security researcher Jens ‘Atom’ Steube, lead developer of the popular password-cracking tool Hashcat, has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.

The new WiFi hacking technique allows to crack WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

The expert was analyzing the recently launched WPA3 security standard when accidentally the new technique.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).” Steube wrote in a post.

“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.”

Older attack techniques required capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), that is a network port authentication protocol. The new attack technique, differently from the previous ones, targets the Robust Secure Network Information Element (RSN IE).

The RSN protocol was designed for establishing secure communications over an 802.11 wireless network and it is part of the 802.11i (WPA) standard. Every time it attempts to establish a secure communication channel, the RSN broadcasts an RSN IE message within the network.

The Robust Security Network protocol has the PMKID (Pairwise Master Key Identifier), that is the key needed to establish a connection between a client and an access point.

An attacker can obtain the WPA PSK (Pre-Shared Key) password from the PMKID.

The WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube added.

“We receive all the data we need in the first EAPOL frame from the AP.”

Below the description of the technique step by step:

Step 1 — An attacker can use a tool like hcxdumptool (v4.2.0 or higher) to request the PMKID from the targeted access point and dump the received frame to a file.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 –enable_statusStep 2 — Run hcxpcaptool tool to convert the captured data from pcapng format to a hash format accepted by hashcat

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password that is the password of the target wireless network.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 ‘?l?l?l?l?l?lt!’The time to crack the password depends on its complexity.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).” Steube concluded.

“The main advantages of this attack are as follow:

  • No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string”

If you are searching for a good step by step explanation, give a look at the blog post published by the penetration tester Adam Toscher.

The new attack technique does not work against the recently introduced WPA3 security protocol.

The WPA3 protocol is “much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”

Pierluigi Paganini

(Security Affairs – Hacking WiFi, WPA/WPA2)

The post Hacking WiFi Password in a few steps using a new attack on WPA/WPA2 appeared first on Security Affairs.



Security Affairs

TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware

TSMC shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware.

Early in August, a malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories, the plants where Apple produces its devices.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

Now the company shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware that hit 200,000 computers across 150 countries in a matter of hours in May 2017.

WannaCry took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present inside the earlier versions of Microsoft Windows. This tool was soon stolen by a hacking group named “Shadow Brokers” which leaked it to the world in April 2017.

The infection caused one of the most severe disruptions suffered by TSMC as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants shut down an entire day of production.

It has been estimated that the overall impact on the revenue of TSMC would be approx $256 million.

Chief Financial Officer Lora Ho confirmed that the infection would have some impact on TSMC’s 2018 profit, but declining to elaborate on further details.

TSMC Apple infection

According to the manufacturer, it wasn’t a targeted attack, instead, the systems were infected “when a supplier installed tainted software without a virus scan” to TSMC’s network.

The malware rapidly spread within the company network and infected more than 10,000 machines in some of the company’s production plants, including Tainan, Hsinchu, and Taichung.

“We are surprised and shocked,” TSMC Chief Executive Officer C. C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened.”

WannaCry infected many other bit companies, the list of victims includes BoeingRenault, and Honda,

TSMC confirmed that customers data were not compromised during the attack, it warned customers that shipment delays are expected.

Pierluigi Paganini

(Security Affairs – WannaCry, Troy Hunt)

The post TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware appeared first on Security Affairs.

Duo Security created open tools and techniques to identify large Twitter botnet

Researchers at security firm Duo Security have created a set of open source tools and disclosed techniques that could be used to identify large Twitter botnet.

Security experts from Duo Security have developed a collection of open source tools and disclosed techniques that can be useful in identifying large Twitter botnet.

The experts developed the tools starting from the analysis of 88 million Twitter accounts and over half-a-billion tweets, one of the largest random datasets of Twitter accounts analyzed to date.

“This paper details the techniques and tools we created to both build a large dataset containing millions of public Twitter profiles and content, as well as to analyze the dataset looking for automated accounts.” reads the research paper published by Duo Security.

“By applying a methodical data science approach to analyzing our dataset, we were able to build a classifier that effectively finds bots at a large scale.”

The dataset was composed by using the Twitter’s API, collected records include profile name, tweet and follower count, avatar, bio, the content of tweets, and social network connections.

Practical data science techniques can be used to create a classifier that could help researchers in finding automated Twitter accounts.

The experts defined 20 unique account heuristics to discover the bots, they include the number of digits in a screen name, Entropy of the screen name, followers/following ratio, number of tweets and likes relative to the account’s age, number of users mentioned in a tweet, number of tweets with the same content, percentage of tweets with URLs, time between tweets, average hours tweeted per day, and average “distance” of account age in retweets/replies.

The above heuristics are organized in the 3 categories, the “Account attributes,” “Content,” and “Content Metadata.”

The tools and the techniques devised by the researchers could be very useful in investigating fraudulent activities associated with Twitter botnet. The experts first identify the automated bots then they use the tool to monitor the evolution of the botnets they belong.

The experts shared a case study related to the discovery of a sophisticated botnet of at least 15,000 bots involved in a cryptocurrency scam. The analysis of the botnet and the monitoring of the malicious infrastructure over time allowed the expert to discover how bots evolve to evade detection.

The experts reported their findings to Twitter that confirmed it is aware of the problem and that is currently working on implementing new security measure to detect problematic accounts.

Twitter botnet

“Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.” replied Twitter.

“When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.”.

Duo Security will release its tools as open source on August 8 during the the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” concluded Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”

Pierluigi Paganini

(Security Affairs – Twitter botnet, social media)

The post Duo Security created open tools and techniques to identify large Twitter botnet appeared first on Security Affairs.

Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges

Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and has analyzed the nature of these incidents.

Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, has investigated user data leaks from cryptocurrency exchanges and has analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.

The USA, Russia and China are TOP-3 countries in which registered users became the victims of cyberattacks.

In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin’s exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges

January holidays for hackers: a 689% surge in the number of leaks

The report «2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis»shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.

cryptocurrency exchanges affected

Toolkit and infrastructure used for attacks

Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchanges users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).

cryptocurrency exchanges affected

The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as the Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now successfully use them to hack cryptocurrency exchanges and gain access to users’ personal data.

What makes a successful attack possible?

This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.

Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).

cryptocurrency exchanges affected

Attack as a premonition

Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.

“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functional of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signals that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires prompt and effective response of all stakeholders, including experts in different areas.”

Recommendations of Group-IB experts to users and exchanges

In order to protect one’s funds against crypto-fraud, Group-IB recommends users to be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable the 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on the social media. For instance, users should not demonstrate the fact that they possess any cryptocurrency.

Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication obligatory for all the users and their operations, conduct regular security audits of IT infrastructure and related services, and allocate resources to training and awareness-raising concerning personnel security, starting from top management (founders) and down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing Anti-APT solutions, using Threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans which will minimize potential damage.

About the Author: Group-IB Corporate Communications 

http://www.group-ib.ru

https://www.group-ib.ru/blog/

telegram | facebook | twitter | linkedin

Pierluigi Paganini

(Security Affairs – data leak, cryptocurrency exchanges)

The post Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges appeared first on Security Affairs.

HP releases firmware updates for two critical RCE flaws in Inkjet Printers

HP has released firmware updates that address two critical remote code execution vulnerabilities in some models of inkjet printers.

HP has released firmware updates to address two critical RCE flaws affecting some Inkjet printers. The two flaws, tracked as CVE-2018-5924 and CVE-2018-5925, could be exploited by attackers to trigger stack or static buffer overflow.

An attacker can exploit the vulnerabilities by sending a specially crafted file to the vulnerable inkjet printers.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.

The flaws have been assigned a CVSS score of 9.8 and affected roughly 160 models, including PageWide, DesignJet, Officejet, Deskjet, Envy, and Photosmart.

To download the firmware updates, go to the HP Software and Drivers page for your product and find the appropriate firmware update from the list of available software.

Go to the Upgrading Printer Firmware page and follow the instructions provided to install the firmware.

HP inkjet printers hacking

Flaws in the firmware of printers are not a novelty, in NNovember2017, experts from FoxGlove Security firm found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers.

Recently HP launched a private bug bounty program that offers up to $10,000 to white hat hackers that will discover serious issues in its printers.

Pierluigi Paganini

(Security Affairs – RCE, Inkjet Printers)

The post HP releases firmware updates for two critical RCE flaws in Inkjet Printers appeared first on Security Affairs.

Fortnite APK is coming soon, but it will not be available on the Google Play Store

Fortnite, the most popular game will be soon available for Android users but the Fortnite APK will not be in the Play Store.

Fortnite continues to be the most popular game, it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The great success obtained by the Fortnite attracted cyber criminals that are attempting to exploit its popularity to target its fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet, it is currently under development while the iOS version was released in March by Epic Games.

In the recent months, crooks attempted to take advantage of Android users’ interest in an alleged version for their devices of the popular game.

Experts discovered many blog posts and video tutorial with instructions to install fake Fortnite Android App.

Scammers are exploiting this interest to trick Android fans into downloading tainted version of the game that can compromise Android devices.

Fortnite APK

Now there is a news for the Android fans of the popular game, Epic Games confirmed the Fortnite APK for Android will be available for download exclusively only through its official website and not through the official Google Play Store.

According to the Epic Games CEO Tim Sweeney in this way, the company will have “have a direct relationship” with its consumers and will allow saving 30 percent fee that Google maintains when users download a software from the Play Store.

“The awesome thing about Fortnite is it’s brought a huge volume of digital commerce to Epic. We can now do that very efficiently. We can handle payment processing and customer support and download bandwidth with some great deals. We’re passing the savings along with the Unreal Engine Marketplace. We’ve change the royalty split from the 30/70 you see everywhere to developers getting 88 percent. We find that’s a great boon for developers.” Sweeney told GamesBeat.

Sweeney explained that the share of profits for the version running on Microsoft or Nintendo is right because the “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Sweeney considers disproportionate 30% cut on the fee applied by Google for its services but evidently doesn’t evaluate the security features implemented by the Google store to avoid crooks will serve tainted versions of the Fortnite APK.

Even if in the past we have found several malicious apps uploaded to the Play Store, we cannot underestimate the Google’s efforts for the security of its users.

The availability of Fortnite APK on a third-party website could expose Android users to the risk of infection.

The only way to download an APK from a third-party store is to manually enable “Install Apps from Unknown Sources” option in the settings.

A large number of Android users will search “how to install Fortnite on Android,” these fans could be targeted in various ways, for example in black SEO campaigns devised to infect their devices.

“The move will simply encourage users to manually enable “Install Apps from Unknown Sources” option in the settings menu or accept a variety of Android security prompts in order to install Fortnite game directly from the Epic Games website.” reported The Hacker News.

“So, thousands of people out there searching, “how to install Fortnite on Android” or “how to download Fortnite APK for Android” on the Internet, could land themselves on unofficial websites, ending up installing malware.”

In order to install Fortnite on Android, players will have to download the Fortnite Launcher from the official Epic website, then it will allow them to load the Fortnite Battle Royale onto their devices.

Attackers can impersonate the legitimate source, for example by carrying out phishing campaign to trick Android users into downloading tainted version of Fortnite APK.

Stay Tuned …

Pierluigi Paganini

(Security Affairs – Fortnite APK, gaming)

The post Fortnite APK is coming soon, but it will not be available on the Google Play Store appeared first on Security Affairs.

Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks

DoE announced the Liberty Eclipse exercise to test the electrical grid ‘s ability to recover from a blackout caused by cyberattacks.

This is the first time the Department of Energy will test the electrical grid’s ability to recover from a blackout caused by cyberattacks.

We have discussed many times the effects of a cyber attack against an electrical grid, the most scaring scenario sees wide power outage bringing population in the dark.

Is this a feasible scenario for the US critical infrastructure?

The Department of Energy wants to test the resilience of an electrical grid to a cyber attack, so it’s going to launch the first hands-on exercise to test the ability of the operators of such infrastructure in recovering from a blackout caused by a cyber attack.

According to the E&E News website, the Department of Energy plans to conduct a weeklong experiment, dubbed ‘Liberty Eclipse,’ that will take place starting Nov. 1 on a restricted area off the cost of New York called Plum Island.

“The Department of Energy is planning an unprecedented, “hands-on” test of the grid’s ability to bounce back from a blackout caused by hackers, E&E News has learned.” reported the E&E News website.

“The “Liberty Eclipse” exercise will simulate the painstaking process of re-energizing the power grid while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure. The weeklong stress test is scheduled to take place this November on Plum Island, a restricted site off the coast of New York that houses a Department of Homeland Security animal disease center.”

This is the first time that the Department of Energy is planning such kind of “hands-on” test of the grid’s ability to restore operations from a blackout caused by a cyber attack. The “Liberty Eclipse” exercise aims at evaluating the response of the infrastructure to coordinated attacks against an electric, oil and natural gas infrastructure. The DOE wants to prepare the infrastructure of the country for threats.

“It’s in our national security interest to continue to protect these sources of energy and to deliver them around the world,” Energy Secretary Rick Perry said at a cybersecurity conference in New York last week.

“Taking care of that infrastructure, from the standpoint of protecting it from cyberattacks — I don’t think it’s ever been more important than it is today.”

electrical grid

The goal of the Liberty Eclipse exercise is to prepare the response to a major incident caused by cyber attacks, that could be frequent events in a short future. Utilities that have to restore electricity following massive blackouts first need to provide initial jump of electricity before they can start generating it.

This operation is done by the operators by using diesel generators and other blackstart sources to choreograph “cranking paths” for restoring the functions of the electrical grid.

“Utilities can’t just flip a few switches to bring the lights on following a major shutdown. In fact, power plants typically need an initial jump of electricity before they can start generating it.” continues the E&E News website. Power companies rely on diesel generators and other blackstart sources to choreograph “cranking paths” for bringing the grid on its feet. Once enough pockets of electricity have been brought online, operators can sync up the islands with the wider grid.”

The entire process is time-consuming and can take many hours to be completed, even under the most favorable circumstances.

The DOE aims at speed up the restoration of the electrical grid by incorporating simulated cranking paths, provided by the Defense Advanced Research Projects Agency, that were designed for this reason.

“Together, [participants] will work to energize a blackstart cranking path by detecting the attack, cleaning malicious influence, and restoring crank path digital systems to operation,” the DOE states in a planning memo from last month.

This is the first exercise that is going to test the “blackstart” cranking paths that were excluded from previous simulations.

Pierluigi Paganini

(Security Affairs – Electrical Grid, hacking)

The post Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks appeared first on Security Affairs.

TCM Bank: website misconfiguration exposed applicant data for 16 months

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018

TCM Bank, a subsidiary of ICBA Bancard, serves as a trusted advisor to community banks, it serves as a direct issuer of credit cards for more than 750 small and community U.S. banks who prefer not to issue cards themselves.

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.

“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor.” wrote the popular investigator Brian Krebs.

“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”

Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.

The company notified the incident to the affected customers via email, data exposed belongs to card applicants uploaded to a Web site managed by a third party vendor.

The attorney Bruce Radke who is helping TCM confirmed that the number of affected customers is less than 10,000.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.

“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

TCM Bank

Businesses have to carefully review the level of security implemented by their partners to avoid those third-party incidents could have a significant impact on their operations.

“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers.” concludes Krebs.

“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners”

Pierluigi Paganini

(Security Affairs – TCM Bank, data leak)

The post TCM Bank: website misconfiguration exposed applicant data for 16 months appeared first on Security Affairs.

ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.

The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.

The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first dll, it uses some exploits to spread.

Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.

ZombieBoy

The cryptocurrency uses Simplified Chinese language, which suggests that its author is a Chinese coder.

The ZombieBoy mine leverages several exploits, including:

ZombieBoy also uses both NSA-linked exploits DoublePulsar and EternalBlue exploits to remotely install the main dll. The malware used the ZombieBoyTools to install the two exploits.

Once the has established a backdoor in the target system it could deliver other families of malware, such as ransomware, and keyloggers.

According to Quinn’s, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor.

The same component uses XMRIG to mine Monero coins at 43 KH/s, that means that users can earn $1,000 on a monthly base at the current rate.

“In addition, 64.exe uses XMRIG to mine for XMR.  Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.

Quinn highlighted that the miner is being updated constantly, he is observing new samples on a daily base.

The malware is able to detect VM and doesn’t run in a virtualized environment to make hard its detection.

Further details including IoCs are reported in the analysis published by the expert.

Pierluigi Paganini

(Security Affairs – miner, Monero)

The post ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis appeared first on Security Affairs.

Security Affairs: ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.

The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.

The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first dll, it uses some exploits to spread.

Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.

ZombieBoy

The cryptocurrency uses Simplified Chinese language, which suggests that its author is a Chinese coder.

The ZombieBoy mine leverages several exploits, including:

ZombieBoy also uses both NSA-linked exploits DoublePulsar and EternalBlue exploits to remotely install the main dll. The malware used the ZombieBoyTools to install the two exploits.

Once the has established a backdoor in the target system it could deliver other families of malware, such as ransomware, and keyloggers.

According to Quinn’s, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor.

The same component uses XMRIG to mine Monero coins at 43 KH/s, that means that users can earn $1,000 on a monthly base at the current rate.

“In addition, 64.exe uses XMRIG to mine for XMR.  Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.

Quinn highlighted that the miner is being updated constantly, he is observing new samples on a daily base.

The malware is able to detect VM and doesn’t run in a virtualized environment to make hard its detection.

Further details including IoCs are reported in the analysis published by the expert.

Pierluigi Paganini

(Security Affairs – miner, Monero)

The post ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis appeared first on Security Affairs.



Security Affairs

Tech Support Scams improved with adoption of Call Optimization Service

Security experts from Symantec are warning of tech support scams abusing Call Optimization Services to insert phone numbers.

Crooks are improving their tech support scams by using Call Optimization Services that are commonly used in legitimate call center operations to perform:

  • Tracking the source of inbound calls
  • Creation and management of phone numbers
  • Call load balancing
  • Call forwarding
  • Call analytics
  • Call routing
  • Call recording

Scammers continue to improve their techniques and now they are using the service to dynamically insert phone numbers into their scam web pages and potentially gain additional features to make their scams more successful

The scams begin when unaware victims visit a malicious website or are redirected to a bogus website in various ways such as a malvertising campaign.

“The scam web page informs the victim that the computer has been blocked due to a malware infection and tries to lure the user into calling a “toll free” number for assistance. An audio file, stating that the computer is infected, is also played in the background when the user arrives on the scam web page.” reads the analysis published by Symantec.

tech support scams

Tech Support Scam
The malicious page implements some tricks to avoid victims will close the page. The pages show display notification dialogs in full-screen mode or execute a javascript routine that makes the site unresponsive.

The pages display a list of numbers to call to fix the problem and users in panic tend to call them.

According to Symantec, crooks leverages call optimization services in order to dynamically insert phone numbers into a scam page.

This specific tech support scams not only is performing browser fingerprinting, it retrieves the browser version as well based in which crooks redirect victims to different scam pages.

Crooks used a script in the call optimization services to check a specific tag in the scam URL, then the script retrieves the scammer’s phone number from the service’s servers. When the servers return the scammer’s phone number, the tag triggers the “Callback” function that retrieves and displays the appropriate phone number for victims to call.

If the tag from the call optimization service is not present in the scam URL, the phone number is retrieved by loading an XML file using the function loadXMLDoc() which is then displayed on the scam page.

The advantage of using the call optimization service’s tag in the URL is that it allows the scammers to dynamically insert phone numbers into their scam pages that are localized. “localized” to provide a different number based on the victim’s country.
Victims are shown a phone number that calls someone that speaks their language.

“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” continues Symantec. 

“This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

Crooks can abuse Call Optimization Services in their tech support scams also for other goals, for example, to provide analytics, to implement load balancing during busy times to avoid losing calls.

Pierluigi Paganini

(Security Affairs – Call Optimization Services, tech support scams)

The post Tech Support Scams improved with adoption of Call Optimization Service appeared first on Security Affairs.

Security Affairs: Tech Support Scams improved with adoption of Call Optimization Service

Security experts from Symantec are warning of tech support scams abusing Call Optimization Services to insert phone numbers.

Crooks are improving their tech support scams by using Call Optimization Services that are commonly used in legitimate call center operations to perform:

  • Tracking the source of inbound calls
  • Creation and management of phone numbers
  • Call load balancing
  • Call forwarding
  • Call analytics
  • Call routing
  • Call recording

Scammers continue to improve their techniques and now they are using the service to dynamically insert phone numbers into their scam web pages and potentially gain additional features to make their scams more successful

The scams begin when unaware victims visit a malicious website or are redirected to a bogus website in various ways such as a malvertising campaign.

“The scam web page informs the victim that the computer has been blocked due to a malware infection and tries to lure the user into calling a “toll free” number for assistance. An audio file, stating that the computer is infected, is also played in the background when the user arrives on the scam web page.” reads the analysis published by Symantec.

tech support scams

Tech Support Scam
The malicious page implements some tricks to avoid victims will close the page. The pages show display notification dialogs in full-screen mode or execute a javascript routine that makes the site unresponsive.

The pages display a list of numbers to call to fix the problem and users in panic tend to call them.

According to Symantec, crooks leverages call optimization services in order to dynamically insert phone numbers into a scam page.

This specific tech support scams not only is performing browser fingerprinting, it retrieves the browser version as well based in which crooks redirect victims to different scam pages.

Crooks used a script in the call optimization services to check a specific tag in the scam URL, then the script retrieves the scammer’s phone number from the service’s servers. When the servers return the scammer’s phone number, the tag triggers the “Callback” function that retrieves and displays the appropriate phone number for victims to call.

If the tag from the call optimization service is not present in the scam URL, the phone number is retrieved by loading an XML file using the function loadXMLDoc() which is then displayed on the scam page.

The advantage of using the call optimization service’s tag in the URL is that it allows the scammers to dynamically insert phone numbers into their scam pages that are localized. “localized” to provide a different number based on the victim’s country.
Victims are shown a phone number that calls someone that speaks their language.

“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” continues Symantec. 

“This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

Crooks can abuse Call Optimization Services in their tech support scams also for other goals, for example, to provide analytics, to implement load balancing during busy times to avoid losing calls.

Pierluigi Paganini

(Security Affairs – Call Optimization Services, tech support scams)

The post Tech Support Scams improved with adoption of Call Optimization Service appeared first on Security Affairs.



Security Affairs

Salesforce warns of API error that exposed Marketing data

The US Cloud-based customer relationship management software giant Salesforce is warning marketing customers of a data leakage caused by an API error.

The US cloud computing company Salesforce is warning marketing customers of a data leakage caused by an API error. The incident could potentially affect a large number of companies, including Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, and Sony.

The error was in production between June 4 to July 18, and potentially affected users of two modules within the broader Marketing Cloud offering, the Email Studio and Predictive Intelligence solutions.

“On July 18, we became aware of an issue that impacted a subset of Marketing Cloud customers using Marketing Cloud Email Studio and Predictive Intelligence.” reads the notice published by Salesforce.

“We resolved the issue on that same day, July 18. Customers who may have been impacted were notified. For additional details, please see the Email Studio and Predictive Intelligence REST API Issue article here: https://sfdc.co/XIbG2”

salesforce marketing-cloud 

The news was first reported by BankInfoSecurity that obtained a copy of the alert distributed by the company via email on Thursday.

Salesforce states that the error involved the company’s REST application programming interface.

“During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced that, in rare cases, could have caused REST API calls to retrieve or write data from one customer’s account to another inadvertently,” reads the alert issued by Salesforce and published by BankInfoSecurity.

“Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data.”

The company also warns that some customers may have had their data corrupted, it has also posted a knowledge article on the issue.

The bad news for the customers of the company. is that at the time it is not able to say if data was altered or is attackers maliciously tampered with.

“We have no evidence of malicious behavior associated with this issue,” a Salesforce spokesman told ISMG.

“We are unable to confirm if your data was viewed or modified by another customer,” Salesforce explained in its alert, noting that it was notifying all customers just to be on the safe side. “While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account.”

Pierluigi Paganini

(Security Affairs – Salesforce, data leak)

The post Salesforce warns of API error that exposed Marketing data appeared first on Security Affairs.

Security Affairs newsletter Round 174 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Mysterious snail mail from China sent to US agencies includes Malware-Laden CD
·      Security bug in Swann IoT Camera allowed to access video feeds
·      Underminer Exploit Kit spreading Bootkits and cryptocurrency miners
·      FELIXROOT Backdoor is back in a new fresh spam campaign
·      KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens
·      Tens of flaws in Samsung SmartThings Hub expose smart home to attack
·      Titan Security Keys- Google announced USB-based FIDO U2F Keys
·      A new sophisticated version of the AZORult Spyware appeared in the wild
·      Dixons Carphone Data Breach discovered in June affected 10 Million customers
·      Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread
·      Ransomware attack against COSCO spread beyond its US network to Americas
·      Facebook reported and blocked attempts to influence campaign ahead of midterms US elections
·      Hundreds of apps removed from Google Play store because were carrying Windows malware
·      Reddit discloses a data breach, a hacker accessed user data
·      SamSam Ransomware operators earned more than US$5.9 Million since late 2015
·      Ten years ago someone breached into a server of the Yale University
·      Alleged Iran-linked APT group RASPITE targets US electric utilities
·      Amnesty International employee targeted with NSO group surveillance malware
·      Analyzing the Telegram-based Android remote access trojan HeroRAT
·      Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards
·      CVE-2018-14773 Symfony Flaw expose Drupal websites to hack
·      Google introduced G Suite alerts for state-sponsored attacks
·      Hundreds of thousands MikroTik Routers involved in massive Coinhive cryptomining campaign
·      Industrial Sector targeted in surgical spear-phishing attacks

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 174 – News of the week appeared first on Security Affairs.

A malware paralyzed TSMC plants where also Apple produces its devices

A virus has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the plants where Apple produces its devices

A malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the iPhone chipmaker plans.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

According to Bloomberg that first reported the news, the infection caused one of the most severe disruptions suffered by the company as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants will not able to restart before Sunday.

“The sole maker of the iPhone’s main processor said a number of its fabrication tools had been infected, and while it had contained the problem and resumed some production, several of its factories won’t restart till at least Sunday. The virus wasn’t introduced by a hacker, the company added in a statement.” states the Bloomberg.

“Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the company said in its Saturday statement.

This is the first time that a malware cripples a TSMC facility paralyzing the production, according to the company “the degree of infection varied from factory to factory.”

“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” Chief Financial Officer Lora Ho told Bloomberg News by phone.

TSMC Apple infection

The economic impact of this kind of incidents could be severe, at the time there is no info about losses caused by the attack on the Taiwanese firm.

At the time it is not possible to estimate the potential effects on the production of Apple devices, “the implications are also unclear for Apple.”

“The incident comes weeks after TSMC cheered investors with a rosy outlook for smartphone demand in the latter half of the year. That helped the market look past a reduced revenue outlook.” reported Bloomberg.

“A bellwether for the chip industry as well as an early indicator of iPhone demand, it heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Chief Executive Officer C. C. Wei had said TSMC’s sales will rise this year by a high single-digit percentage in U.S. dollar terms, down from an already reduced projection of about 10 percent”

Pierluigi Paganini

(Security Affairs – Taiwan Semiconductor Manufacturing Co, Apple)

The post A malware paralyzed TSMC plants where also Apple produces its devices appeared first on Security Affairs.

Russian troll factory suspected to be behind the attack against Italian President Mattarella

The Russian shadow behind the attack on Italian President Mattarella, a coordinated attack via Twitter involved hundreds of profiles inviting him to resign.

Cybersecurity experts and Italian media believe that the Italian President Sergio Mattarella is the last victim of the Russian troll farm.

On May 27 the late afternoon, thousands of Twitter profiles suddenly started spreading messages against the Italian president asking him to resign.

The messages appeared as a coordinated attack, they were using the hashtag #MattarellaDimettiti (Italian translation: “Mattarella resign”). Messages using this hashtag were rapidly spreading across the Internet, many other legitimate users started using it and it is quite easy to find similar legitimate message today.

But someone has triggered the protest online, someone who has clear interests to destabilize the Italian government.

Actual vice-premier Luigi Di Maio was asking for the indictment of President Mattarella who refused to endorse the choice of a candidate to the Minister of Economy because of his known anti-euro position.

The analysis of social media Twitter revealed that around at two o’clock in the morning there was an anomalous spike in the number of messages against the President Mattarella.

President Mattarella

Were they sleepless Italians or someone was attempting to influence the sentiment of the population on specific topics?

According to the Huffington Post Italy, in just a few minutes there were about 400 new profiles, that were traced back to a single origin, coordinating the misinformation campaign.

The Huffington Post reported that the Italian law enforcement Polizia Postale confirmed that the source of the campaign was one, but due to countermeasures adopted by the attackers was impossible to find the control room and attribute the attack to a specific threat actor.

“It is well known that, with high probability, it should have been created abroad, even if no one is able to say whether the Russian operators involved in disruptive actions in the American election campaign are involved.” states the Huffington Post citing the Italian newspaper Corriere della Sera.

According to the Huffington Post, at least twenty Twitter profiles involved in the attack against Italian President Mattarella belonging to completely unsuspecting Italians had been used one or more times by the Internet Research Agency (Ira) of Saint Petersburg, also known as the Russian troll factory.

The same accounts were involved in other propaganda campaigns in favor of populist parties, sovereignists, and anti-Europeans.

This is the conclusion of an analysis conducted on a sample composed of 67% of the archive related to the activity of the Internet Research Agency (Ira) that was published by the Firethirtyeight website.

The website published 3 Million Russian Troll tweets that were analyzed by the US prosecutor Robert Mueller as part of the investigation of the Russian influence on the 2016 Presidential election.

The huge number of tweets was collected by the researchers Darren Linvill and Patrick Warren from the Clemson University.

The archive includes roughly 16,000 tweets in the Italian language, according to the Italian newspaper Corriere della Sera, some of the accounts were particularly active and were fueling discussions against government representatives.

Now let me close with a simple consideration … the propaganda online attributed to the Internet Research Agency is really very noisy, and I fear it was designed to be so, likely under a wider diversionary strategy.

Involving more sophisticated technologies it is possible to obtain better results, let’s think of the involvement of artificial intelligence.

Putin said several times that the nation that leads in AI ‘will be the ruler of the world,’ and I’m sure that the involvement of machine learning systems in a troll factory can produce results much better than actual ones.

Is the Internet Research Agency itself the result of a bigger troll farm the already leverage artificial intelligence?

Pierluigi Paganini

(Security Affairs – President Mattarella, propaganda)

The post Russian troll factory suspected to be behind the attack against Italian President Mattarella appeared first on Security Affairs.

Do Businesses Know When They’re Using Unethical Data?

Data breaches are costly for businesses that expterience them, this data fuel the black markets and sometime are offered to complanies as legitimate data.

Data breaches are extraordinarily costly for businesses that experience them, both concerning reputational damage and money spent to repair the issues associated with those fiascos. And, on the consumer side of things, the scary thing is hackers don’t just steal data for notoriety. They do it to profit, typically by selling the snatched details online.

But, then, are other businesses aware of times when the data they just bought might have been stolen instead of legally obtained?

People Can Access Most of the Relevant Black Market Sites on Standard Browsers

There was a time when venturing into the world of the online black market typically meant downloading encryption software that hid the identity of users. However, most black market transactions happen on the “open” web so that it’s possible to access the respective sites via browsers like Firefox and Chrome without downloading special software first.

That means business representatives aren’t safe from coming across stolen data if they decide only to browse the internet normally. However, the kind of information advertised on the open web should be enough to raise eyebrows by itself. It often contains credit card information or sensitive medical details — not merely names, email addresses or phone numbers.

Companies can reduce the chances of unknowingly benefiting from stolen data by not proceeding with purchases if they contain private, not readily obtainable details.

Illegitimate Sellers Avoid Giving Payment Details

Even when people seek to profit by peddling stolen data, their desire to make money typically isn’t stronger than their need to remain anonymous. Most criminals who deal with data from illegal sources don’t reveal their names even when seeking payment. They’ll often request money through means that allow keeping their identities secret, such as Bitcoin.

Less Information, More Suspicion

If companies encounter data sellers that stay very secretive about how they get their data and whether it is in compliance with data protection and sharing standards, those are red flags.

However, even when data providers do list information about how they obtain data, it’s a good idea to validate the data on your own. For example, if you get calling data from a third-party provider, you should always check it against current Do Not Call lists.

Dark Web Monitoring Services Exist

As mentioned above, stolen data frequently works its way through the open web rather than the dark web. However, it’s still advisable for companies to utilize monitoring services that search the dark web for stolen data. The market for such information is lucrative, and some clients pay as much as $150,000 annually for such screening measures. If businesses provide data that comes up as originating from the dark web, that’s a strong indicator that it came from unethical sources.

data breaches

Do Legitimate Companies Create the Demand for Stolen Data?

It’s difficult to quantify how many reputable companies might be purchasing stolen data. If they do it knowingly, such a practice breaks the law. And, even if it happens without their knowledge, that’s still a poor reflection on those responsible. It means they didn’t carefully check data sources and sellers before going through with a purchase.

Unfortunately, analysts believe it happens frequently. After data breaches occur, some of the affected companies discover their data being sold online and buy it back. When hackers realize even those who initially had the data seized will pay for it, they realize there’s a demand for their criminal actions.

After suffering data breaches, some companies even ask their own employees to find stolen data and buy it back.

Most use intermediary parties, though representatives at major companies, including PayPal, acknowledge that this process of compensating hackers for the data they took occurs regularly. They say it’s part of the various actions that happen to protect customers — or to prevent them from knowing breaches happened at all.

If companies can find and recover their stolen data quickly enough, customers might never realize hackers had their details. That’s especially likely, since affected parties often don’t hear about breaches until months after companies do, giving those entities ample time to locate data and offer hackers a price for it.

Plus, it’s important to remember that companies pay tens of thousands of dollars to recover their data after ransomware attacks, too.

Should Businesses Bear the Blame?

When companies buy data that’s new to them, they should engage in the preventative measures above to verify its sources and check that it’s not stolen. Also, although businesses justify buying compromised data back from hackers, they have to remember that by doing so, they are stimulating demand — and that makes them partially to blame.

Instead of spending money to retrieve data that hackers take, those dollars would be better spent cracking down on the vulnerabilities that allow breaches to happen so frequently.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

 

 

Pierluigi Paganini

(Security Affairs – stolan data, data breach)

The post Do Businesses Know When They’re Using Unethical Data? appeared first on Security Affairs.

Industrial Sector targeted in surgical spear-phishing attacks

Industrial sector hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.

Attackers carried out a spear-phishing campaign against entities in the industrial sector, the messages disguised as commercial offers where used by attackers to deliver a legitimate remote administration software on victims’ systems (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)).

Attackers personalized the content of each phishing email reflecting the activity of the target organization and the type of work performed by the employee to whom the email is sent.

The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.

“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.

“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,”

Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.

According to Kaspersky, there was a spike in the number of spear phishing messages in  November 2017 that targeted up to 400 industrial companies located in Russia.

industrial sector spear-phishing

The spear-phishing campaign is still ongoing, the messages purported to be invitations to tender from large industrial companies.

The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.

“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”

The attackers used both malicious attachments and links to external resources that are used to download the malicious code.

“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.” states the researchers.

“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”

The malicious library includes the system file winspool.drv that is located in the system folder and is used to send documents to the printer.

The winspool.drv decrypts the attackers’ configuration files, including software settings and the password for remotely controlling the target machine.

In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.

When the attackers use TeamViewer software to exfiltrate system information, a file in a malicious library contains various parameters, including the password used for remotely controlling the system and a URL of the attackers’ command-and-control server.

Unlike RMS, Team Viewer also uses a built-in VPN to remotely control a computer located behind NAT.

“After launching, the malicious library checks whether an internet connection is available by executing the command “ping 1.1.1.1” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.

“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”

The use of legitimate Remote administration software allows crooks to gain full control of compromised systems avoiding detection.

“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.

Pierluigi Paganini

(Security Affairs – industrial sector, cybercrime)

The post Industrial Sector targeted in surgical spear-phishing attacks appeared first on Security Affairs.

Google introduced G Suite alerts for state-sponsored attacks

Google announced that has implemented an alerting system for G Suite admins when users have been targeted by state-sponsored attacks.

Google announced it will alert G Suite admins when state-sponsored hackers will target their users.

The new feature will be available in the G Suite Admin console very soon, it confirms the effort spent by the tech giant of protecting its users.

“We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed attack. If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method.” reads the security advisory published by Google.

“It does not necessarily mean that the account has been compromised or that there was a widespread attack on an organization.” 

In June 2012, for the first time, the company announced it was going to offer a specific protection service for a restrict number of users that could be the target of state-sponsored attacks.

Google is now implementing the new protection feature within the G Suite Admin console, admins will have the opportunity to receive alerts whenever attacks could be attributed to a nation-state actor.

Every time an attack will be detected, admins can choose to secure the account hit by the hackers and can also opt to alert the victim.

The alerts don’t necessarily imply that the account has been hacked or that the organization has been compromised in a massive attack.

G Suite state sponsored attacks

Google pointed out the alerts will be turned off by default, admins can choose to turn them on in the Admin Console > Reports > Manage Alerts > Government backed attack.

According to Google, the new feature is set to gradually roll out to all G Suite editions, the tech giant plans to make it available for all admins within the next 15 days.

Pierluigi Paganini

(Security Affairs – G Suite alerts, state-sponsored attacks)

The post Google introduced G Suite alerts for state-sponsored attacks appeared first on Security Affairs.

CVE-2018-14773 Symfony Flaw expose Drupal websites to hack

A vulnerability in the Symfony HttpFoundation component tracked as CVE-2018-14773, could be exploited by attackers to take full control of the affected Drupal websites.

Maintainers at Drupal addressed the security bypass vulnerability by releasing a new version of the popular content management system, the version 8.5.6.

“The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.” reads the advisory published by Drupal.

“If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.”

Symfony HttpFoundation component is a third-party library used in the Drupal Core, the flaw affects Drupal 8.x versions before 8.5.6.

Symfony is web application framework that is being used by a lot of projects, this means that the CVE-2018-14773 vulnerability could potentially affect a large number of web applications.

The flaw is due to the Symfony’s support for legacy and risky HTTP headers.

“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.” reads the security advisory published by Symfony.

“The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.” reads the security advisory published Symfony.

A remote attack can trigger the flaw by using specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value.

According to the security advisory published by Symfony, the version 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 addressed the flaw.

CVE-2018-14773

The Drupal maintainers also found a similar issue affecting the Zend Feed and Diactoros libraries used in the Drupal Core. The libraries are affected by an ‘URL Rewrite vulnerability,’ anyway the Drupal team confirmed that the Drupal Core does not use the vulnerable functionality.

Administrators of websites that use Zend Feed or Diactoros directly need to patch them as soon as possible.

Drupal administrators need to patch their installs urgently before hackers will start exploiting the CVE-2018-14773 flaw.

Pierluigi Paganini

(Security Affairs – CVE-2018-14773, Drupal)

The post CVE-2018-14773 Symfony Flaw expose Drupal websites to hack appeared first on Security Affairs.

Hundreds of thousands MikroTik Routers involved in massive Coinhive cryptomining campaign

Experts uncovered a massive cryptojacking campaign that is targeting  MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

Security experts have uncovered a massive cryptojacking campaign that is targeting  MikroTik routers, the hackers aim to change the configuration of the devices to inject a Coinhive cryptocurrency mining script in the users’ web traffic.

The campaign was first spotted by the researcher who goes online with the Twitter handle MalwareHunterBR.

According to Catalin Cimpanu from Bleeping Computer, the campaign first started in Brazil, but it is rapidly expanding to other countries targeting MikroTik routers all over the world.

The same campaign was monitored by the experts at Trustwave that confirmed that campaign initially targeted MikroTik routers used by Brazilians.

“On July 31st , just after getting back to the office from my talk at RSA Asia 2018 about how cyber criminals use cryptocurrencies for their malicious activities, I noticed a huge surge of CoinHive in Brazil.” reads the report published by Trustwave.

“After a quick look I saw that this is not your average garden variety website compromise, but that these were all MikroTik network devices.”

The experts noticed that the compromised devices were all using the same CoinHive sitekey, most of them in Brazil, this means that they were targeted by the same attackers.

MikroTik routers compromised

 

According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik router.

“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.” continues the analysis.

The vulnerability was discovered in April and patched by the vendor in just one day.

Technical details for the MikroTik flaw were publicly disclosed in May, public proof-of-concept (PoC) codes for the issue were published on GitHub.

Trustwave pointed out that many users that weren’t using the MikroTik routers were affected too because Internet providers and big organizations leverage MikroTik routers compromised by hackers.

The experts noticed that the threat actors once discovered to have been spotted by the experts switched tactics and injected the Coinhive script only in error pages returned by the routers.

After the initial phase, the campaign was targeting devices outside Brazil, and it has been estimated that roughly 170,000 MikroTik routers were compromised to inject the Coinhive script. The campaign can potentially compromise over a million of MikroTik routers exposed on the Internet.

“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” concludes the experts.

“Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”

Pierluigi Paganini

(Security Affairs – Coinhive script,  MikroTik routers)

The post Hundreds of thousands MikroTik Routers involved in massive Coinhive cryptomining campaign appeared first on Security Affairs.

Alleged Iran-linked APT group RASPITE targets US electric utilities

According to Dragos firm, the RASPITE cyber-espionage group (aka Leafminer) has been targeting organizations in the United States, Europe, Middle East, and East Asia.

Researchers from security firm Dragos reported that a group operating out of Iran tracked as RASPITE has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group has been active at least since 2017, researchers uncovered operations aimed at government and other types of organizations in the Middle East.

“Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE.” read a blog post published by Dragos.

“Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.”

Last week, experts from Symantec who tracked the group as Leafminer published a detailed report on the activity of the cyber espionage team who leveraged both custom-built malware and publicly-available tools in observed campaigns.

According to Symantec, the extent of the campaigns conducted by the group could be wider, the researchers uncovered a list, written in Iran’s Farsi language, of 809 targets whose systems were scanned by the attackers.

The list groups each entry with organization of interest by geography and industry, in includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Now researchers from Dragos confirmed that the RASPITE is behind attacks that has been targeting industrial control systems in several states.

According to the experts, the hackers also accessed operations in the electric utility sector in the United States.

The hackers carry on watering hole attacks leveraging compromised websites providing content of interest for the potential victims.

RASPITE attacks appear similar to the ones conducted by other threat actors like DYMALLOY and ALLANITE, the hackers injected in the websites links to a resource to prompt an SMB connection with the intent to gather Windows credentials.

Then, the attackers deploy scripts to install a malware that connects to C&C ad give then attacker the control of the compromised machine.

RASPITE attacks

According to Dragos, even if RASPITE has mainly focused on ICS systems, at the time there is no news about destructive attacks on such kind of devices.

“RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date.” continues Dragos.

“This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.” 

Sergio Caltagirone, Director of Threat Intelligence, Dragos, explained that his firm provided only limited information on the activity of the group to avoid “proliferation of ideas or tradecraft to other activity groups.”

Pierluigi Paganini

(Security Affairs – RASPITE, cyber espionage)

The post Alleged Iran-linked APT group RASPITE targets US electric utilities appeared first on Security Affairs.

Security Affairs: Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards

Three members of the cybercrime group tracked as FIN7 and Carbanak have been indicted and charged with 26 felony counts

Three members of the notorious cybercrime gang known as FIN7 and Carbanak have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The gang stole over a billion euros from banks across the world, the name “Carbanak” comes with the name of the malware they used to compromise computers at banks and other financial institutions. The three suspects (Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30) are Ukrainians, they were arrested last year in Europe between January and June.

Fedorov, is a skilled hacker and, who is suspected to be a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently waiting for his extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany, he is currently detained in Seattle pending trial.  Hladyr is suspected to be a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain.  The man is suspected to be a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

According to DoJ, the suspects stole more than 15 million credit cards from over 6,500 individual point-of-sale terminals at 3,600 business locations in 47.

“Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced Assistant Attorney General Brian A.” reads the press release published by the DoJ.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. “

FIN7

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski.  “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”

The trio has been accused of targeting hundreds of companies in the United States, and U.S. individuals. The list of victims is long and includes Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, and Arby’s.

According to the European authorities, FIN7 developed sophisticated banking trojan tracked as Cobalt, based on the Cobalt Strike penetration testing tool, that was spread through spear-phishing campaigns aimed at employees at different banks.

Once infected the victims’ PC with Carbanak malware, the hackers attempted to identify key people authorized to transfer money from the banks in order to make transactions to fake accounts or ATMs under the control of the gang.

The three men could face many years in prison if convicted.

Pierluigi Paganini

(Security Affairs – FIN7,  Carbanak)

The post Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards appeared first on Security Affairs.



Security Affairs

Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards

Three members of the cybercrime group tracked as FIN7 and Carbanak have been indicted and charged with 26 felony counts

Three members of the notorious cybercrime gang known as FIN7 and Carbanak have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The gang stole over a billion euros from banks across the world, the name “Carbanak” comes with the name of the malware they used to compromise computers at banks and other financial institutions. The three suspects (Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30) are Ukrainians, they were arrested last year in Europe between January and June.

Fedorov, is a skilled hacker and, who is suspected to be a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently waiting for his extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany, he is currently detained in Seattle pending trial.  Hladyr is suspected to be a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain.  The man is suspected to be a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

According to DoJ, the suspects stole more than 15 million credit cards from over 6,500 individual point-of-sale terminals at 3,600 business locations in 47.

“Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced Assistant Attorney General Brian A.” reads the press release published by the DoJ.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. “

FIN7

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski.  “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”

The trio has been accused of targeting hundreds of companies in the United States, and U.S. individuals. The list of victims is long and includes Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, and Arby’s.

According to the European authorities, FIN7 developed sophisticated banking trojan tracked as Cobalt, based on the Cobalt Strike penetration testing tool, that was spread through spear-phishing campaigns aimed at employees at different banks.

Once infected the victims’ PC with Carbanak malware, the hackers attempted to identify key people authorized to transfer money from the banks in order to make transactions to fake accounts or ATMs under the control of the gang.

The three men could face many years in prison if convicted.

Pierluigi Paganini

(Security Affairs – FIN7,  Carbanak)

The post Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards appeared first on Security Affairs.

Analyzing the Telegram-based Android remote access trojan HeroRAT

Researchers at CSE Cybsec ZLab analyzed shared published their analysis of the Telegram-based Android RAT tracked as HeroRAT.

In June, researchers from security firm ESET discovered a new family of Android Remote Administration Tool (RAT), dubbed HeroRAT, that leverages the Telegram BOT API to communicate with the attacker.

The use of Telegram API can be considered a new trend in Android RAT landscape, because other RAT families implementing the same functionalities, such as TeleRAT and IRRAT, were discovered in the wild before HeroRAT.

HeroRAT appeared very active in Iran where it was spreading through third-party app stores, through tainted social media and messaging apps.

ESET experts speculate that the HeroRAT borrows the source code of a malware appeared in the hacking community in March 2018, however, it has some characteristics that distinguish it different from IRRAT and TeleRAT. One of these features is the usage of the Xamarin Framework and TeleSharp Library for the development of the RAT.

HeroRAT is offered for sale on a dedicated Telegram channel, the author offers three different variants depending on its functionalities: bronze (25 USD), silver (50 USD) and gold panels (100 USD). The malware author also released a demo video in which explains the RAT functionalities; below we have a screenshot from this demo video, showing the differences between the three variants.

Figure 1 – Differences between the RAT variants

Further details on the RAT analyzed by CSE Cybsec, including the IoCs and Yara Rules are available in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180802_CSE_HeroRAT.pdf

 

Pierluigi Paganini

(Security Affairs – RAT, Telegram)

The post Analyzing the Telegram-based Android remote access trojan HeroRAT appeared first on Security Affairs.

Amnesty International employee targeted with NSO group surveillance malware

An employee at Amnesty International has been targeted with Israeli surveillance malware, the news was revealed by the human rights group.

Amnesty International revealed that one of its employees was targeted with a surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. The hacker attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

This SMS message translates to:

“Court order #XXXXXX issued against identity owner **** on XX/XX/XXX”

[link]”

surveillance Amnesty International NGO spyware

The organization added that such kind of attacks is becoming even more frequent, a growing number of Israeli surveillance software being used to spy on human rights operators and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

“In June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware. Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages.” reads the report published Amnesty International.

“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”

The servers identified by the experts were matching NSO Group’s description of Pegasus in the Hacking Team leaked document, they found two other connections to NSO Group:

  • evidence that connects the malicious links used by the attackers and collected with NSO Group network infrastructure that was previously detailed by researchers at Citizen Lab.
  • a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours.

“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior. Among these we found servers that hosted domain names that have been previously identified as connected to NSO Group by Citizen Lab and others, specifically banca-movil[.]compine-sales[.]com, and ecommerce-ads[.]org.” continues the report.

There are several companies that develop surveillance platforms for targeting mobile devices, the NSO Group operated in the dark for several years, until the researchers from the Citizenlab organization and the Lookout firm spotted its software in targeted attacks against UAE human rights defender, Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International was corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.

“Amnesty International shared the suspicious messages with us and asked us to verify their findings, as we have been tracking infrastructure that appears to be related to NSO Group’s Pegasus spyware since March 2016.” reads the analysis published by Citizen Lab.

“Based on our analysis of the messages sent to these individuals, we can corroborate Amnesty’s findings that the SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”

Citizen Lab collected evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.

Country Nexus Reported cases of individuals targeted Year(s) in which spyware infection was attempted
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018

Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, recent discovery demonstrates that trading of surveillance software is going out-of-control.

“This is a huge market that’s completely opaque and under-regulated,” he concluded.

Pierluigi Paganini

(Security Affairs – Amnesty International, surveillance)

The post Amnesty International employee targeted with NSO group surveillance malware appeared first on Security Affairs.

Reddit discloses a data breach, a hacker accessed user data

Reddit Warns Users of Data Breach

Reddit is warning its users of a security breach, an attacker broke into the systems of the platform and accessed user data.

Reddit is warning its users of a security breach, a hacker broke into the systems of the platform and accessed user data.

The hacker accessed user data, email addresses, and a 2007 backup database containing hashed passwords managed by the platform.

The data breach was discovered on June 19, 2018, according to Reddit, between June 14 and 18, 2018, the attacker compromised some of the employees’ accounts with the company cloud and source code hosting providers.

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.” reads a data breach notification published by the company.

Reddit users that are still using the same password since 2007 have to do it now and change the password for any service where they share the same login credentials.

The hacker did not gain write access to Reddit systems containing backup data, source code, and other logs.

The company explained that the accounts were protected with two-factor SMS-based authentication, a circumstance that suggests the attackers were in the position to intercept authentication codes sent via SMS.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” continues Reddit.

reddit data breach

The company has taken steps to lock down and rotate all production secrets and API keys, and to enhance our monitoring systems.

Reddit already reported the security breach to law enforcement and is notifying affected urging to change their passwords.

Let me close with this Q&A published by Reddit:

What information was involved?

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

  • All Reddit data from 2007 and before including account credentials and email addresses
    • What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
    • How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
  • Email digests sent by Reddit in June 2018
    • What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
    • How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.

Pierluigi Paganini

(Security Affairs – hacking, data breach)

The post Reddit discloses a data breach, a hacker accessed user data appeared first on Security Affairs.

Ten years ago someone breached into a server of the Yale University

Ten years ago someone breached into a server of the Yale University, but because the intrusion happened nearly ten years ago there is much more information about how it occurred.

After ten years, Yale University revealed a security breach that exposed an archive containing personal information of 119,000 people.

Hackers breached into the database of the famous University between April 2008 and January 2009 and apparently accessed a server where it is hosted a single database.

“On July 26th and 27th, Yale mailed notices to members of the Yale community, including alumni/ae, faculty members, and staff members, who were affected by a data intrusion that occurred in 2008-2009.” reads the security alert published by the Yale University.

yale university

The database contained data of individuals affiliated with the university, the unauthorized access was discovered on June 16, 2018, during a security review.

The hackers accessed names, Social Security numbers, dates of birth, Yale email addresses, and in some cases the physical addresses of individuals associated with the university.

Unfortunately, there is no way to understand how attackers hacked the server either “it is not feasible to determine the identities of the perpetrators.”

The academic institution announced that no financial information was exposed, it sent a notice letter to 97% of affected people in the Yale community.

Unfortunately, there is another disconcerting news for the Yale community, a letter sent by the University to the State of New Hampshire Attorney General, revealed that the same server was hacked a second time between March 2016 and June 2018.

This second intrusion caused the exposure of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale is offering identity monitoring services to all affected U.S. residents through the Kroll security firm. At the time there is no indication that the exposed data has been misused.

Pierluigi Paganini

(Security Affairs – Yale University, hacking)

The post Ten years ago someone breached into a server of the Yale University appeared first on Security Affairs.

Facebook reported and blocked attempts to influence campaign ahead of midterms US elections

Facebook removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the midterm US elections

Facebook has removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the forthcoming midterm US elections.

Facebook midterm US elections

Facebook is shutting down content and accounts “engaged in coordinated inauthentic behavior”

At the time there is no evidence that confirms the involvement of Russia, but intelligence experts suspect that Russian APT groups were behind the operation.

Facebook founder Mark Zuckerberg announced its response to the recently disclosed abuses.

“One of my top priorities for 2018 is to prevent misuse of Facebook,” Zuckerberg said on his own Facebook page.

“We build services to bring people closer together and I want to ensure we’re doing everything we can to prevent anyone from misusing them to drive us apart.”

According to Facebook, “some of the activity is consistent” with Tactics, Techniques and Procedures (TTPs) associated with the Internet Research Agency that is known as the Russian troll farm that was behind the misinformation campaign aimed at the 2016 Presidential election.

“But we don’t believe the evidence is strong enough at this time to make public attribution to the IRA,” Facebook chief security officer Alex Stamps explained to the reporters.

Facebook revealed that some 290,000 users followed at least one of the blocked pages.

“Resisters” enlisted support from real followers for an August protest in Washington against the far-right “Unite the Right” group.

According to Facebook, fake pages that were created more than a year ago, in some cases the pages were used to promote real-world events, two of them have taken place.

Just after the announcement, the US Government remarked it will not tolerate any interference from foreign states.

“The president has made it clear that his administration will not tolerate foreign interference into our electoral process from any nation-state or other malicious actors,” deputy press secretary Hogan Gidley told reporters.

The investigation is still ongoing, but the social media giant decided to disclose early findings to shut down the orchestrated misinformation campaign.

Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, explained that the threat actors used VPNs and internet phone services to protect their anonymity.

  • “In total, more than 290,000 accounts followed at least one of these Pages, the earliest of which was created in March 2017. The latest was created in May 2018.
  • The most followed Facebook Pages were “Aztlan Warriors,” “Black Elevation,” “Mindful Being,” and “Resisters.” The remaining Pages had between zero and ten followers, and the Instagram accounts had zero followers.
  • There were more than 9,500 organic posts created by these accounts on Facebook and one piece of content on Instagram.
  • They ran about 150 ads for approximately $11,000 on Facebook and Instagram, paid for in US and Canadian dollars. The first ad was created in April 2017, and the last was created in June 2018.
  • The Pages created about 30 events since May 2017. About half had fewer than 100 accounts interested in attending. The largest had approximately 4,700 accounts interested in attending, and 1,400 users said that they would attend.” said Gleicher.

Facebook announced it would start notifying users that were following the blocked account and users who said would attend events created by one of the suspended accounts and pages

Facebook reported its findings to US law enforcement agencies, Congress, and other tech companies.

“Today’s disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation, and I am glad that Facebook is taking some steps to pinpoint and address this activity,” declared the Senate Intelligence Committee’s top Democrat Mark Warner.

Pierluigi Paganini

(Security Affairs – Facebook, midterm US elections)

The post Facebook reported and blocked attempts to influence campaign ahead of midterms US elections appeared first on Security Affairs.

Hundreds of apps removed from Google Play store because were carrying Windows malware

Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside.

Researchers from Palo Alto Networks revealed that Google removed more than 145 apps from the Play store  because they were carrying a Windows malware,

The apps were uploaded to the Google Play store between October and November 2017, this means that for months Android users were exposed to the attack. In some cases, the apps have been downloaded thousands of times and were rated with 4-stars.

The malicious code included in the code of the app was developed to compromised Windows systems and leverage the Android device as an attack vector.

“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto networks.

“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”

Palo Alto Networks reported that the malicious PE files when executed on a Windows system will perform these suspicious activities:

  • Creates executable and hidden files in Windows system folders, including copying itself
  • Changes Windows registry to auto-start themselves after restarting
  • Attempts to sleep for a long period
  • Has suspicious network connection activities to IP address 87.98.185.184 via port 8829

Some of the apps included multiple malicious PE files at different locations, with different file names, anyway the experts the experts noticed that malware were found embedded in most applications.

The researchers discovered that one of malware was included in 142 APKs, a second malicious code was found in 21 APKs. 15 apps were found containing both PE files inside.

In one case, the malicious PE file that was included in the APK of most of the Android apps was a keylogger.

“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.

“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”

Google play store infected apps

The attackers attempted to conceive the PE files by using fake names that look like legitimate, such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

The researchers discovered that not all the apps uploaded by the same developers were infected with the malicious files, likely because they were using different development platform for the apps.

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,” 

Pierluigi Paganini

(Security Affairs – Play Store,  malware)

The post Hundreds of apps removed from Google Play store because were carrying Windows malware appeared first on Security Affairs.

SamSam Ransomware operators earned more than US$5.9 Million since late 2015

The security experts from Sophos have published a report on the multimillion-dollar black market business for crooks, they analyzed the SamSam ransomware case as a case study.

The researchers that have tracked Bitcoin addresses managed by the crime gang discovered that crooks behind the SamSam ransomware had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom. “

SamSam report 1

SamSam ransomware payments

The attackers deploy the SamSam ransomware manually by compromising RDP on the target machine, this aspect makes SamSam infections different from the ones associated with other ransomware that leverages spam campaigns or malvertising.

The attackers carry on brute-force attacks on RDP of the target system, some time they leverage credentials obtained from other data breaches typically offered for sale on the dark web.

Once compromised a system inside the targeted organization, the SamSam search for other machines to infect while stealing credentials.

When operators discover a potential target they manually deploy SamSam using tools like PSEXEC and batch scripts.

The following diagram shows the different steps of the latest SamSam variant for which the initial infection vector is still unclear.

SamSam new variant

Once infected the largest number of systems in the targeted organization, operators attempt to offer a complete clean up of the infected systems for a special price.

The highest estimate has been US$850,000 worth of bitcoin for the decryption keys.

The encryption process first involves most valuable data thanks to a multi-tiered priority system, SamSam ransomware doesn’t encrypt Windows system-related files.

Since its discovery, the SamSam ransomware targeted large organizations, including hospitals and educational institutions.

Sophos provides the following recommendations to secure the network of organizations against the SamSam ransomware:

  • regularly patch against known vulnerabilities for the applications and operating systems;
  • keep regular backups;
  • use multi-factor authentication;
  • restrict access to RDP(on port 3389);

Pierluigi Paganini

(Security Affairs – ransomware, malware)

The post SamSam Ransomware operators earned more than US$5.9 Million since late 2015 appeared first on Security Affairs.

Security Affairs: SamSam Ransomware operators earned more than US$5.9 Million since late 2015

The security experts from Sophos have published a report on the multimillion-dollar black market business for crooks, they analyzed the SamSam ransomware case as a case study.

The researchers that have tracked Bitcoin addresses managed by the crime gang discovered that crooks behind the SamSam ransomware had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom. “

SamSam report 1

SamSam ransomware payments

The attackers deploy the SamSam ransomware manually by compromising RDP on the target machine, this aspect makes SamSam infections different from the ones associated with other ransomware that leverages spam campaigns or malvertising.

The attackers carry on brute-force attacks on RDP of the target system, some time they leverage credentials obtained from other data breaches typically offered for sale on the dark web.

Once compromised a system inside the targeted organization, the SamSam search for other machines to infect while stealing credentials.

When operators discover a potential target they manually deploy SamSam using tools like PSEXEC and batch scripts.

The following diagram shows the different steps of the latest SamSam variant for which the initial infection vector is still unclear.

SamSam new variant

Once infected the largest number of systems in the targeted organization, operators attempt to offer a complete clean up of the infected systems for a special price.

The highest estimate has been US$850,000 worth of bitcoin for the decryption keys.

The encryption process first involves most valuable data thanks to a multi-tiered priority system, SamSam ransomware doesn’t encrypt Windows system-related files.

Since its discovery, the SamSam ransomware targeted large organizations, including hospitals and educational institutions.

Sophos provides the following recommendations to secure the network of organizations against the SamSam ransomware:

  • regularly patch against known vulnerabilities for the applications and operating systems;
  • keep regular backups;
  • use multi-factor authentication;
  • restrict access to RDP(on port 3389);

Pierluigi Paganini

(Security Affairs – ransomware, malware)

The post SamSam Ransomware operators earned more than US$5.9 Million since late 2015 appeared first on Security Affairs.



Security Affairs

Security Affairs: Ransomware attack against COSCO spread beyond its US network to Americas

New revelations on the attack against COSCO confirm it was worse than initially thought, the ransomware spread beyond the US network.

Chinese shipping giant COSCO recently suffered a ransomware attack that disrupted some systems of the company in the United States.

The shipping company quickly isolates the systems to avoid propagation to other regions and started an internal investigation, the firm confirmed that the incident did not affect operations of the fleet.

“After the network security problem in the Americas has been detected, to protect the interests of our customers, we have taken proactive measures to isolate internal networks to carry out technical inspections on global scale.” COSCO said in an official statement. “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered at 16:00 (Beijing Time) on 25th July in all the regions except the Americas. As of now, all the business operations have been back to normal in the regions with network recovered.”

New revelations on the attack confirm it was worse than initially thought, the malicious code spread beyond the US network of the company and infected systems in other countries, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.

“Chinese shipping giant COSCO said a ransomware attack has spread beyond its US network to the broader Americas, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.” reported the CBR website.

“That’s according to maritime intelligence house Lloyds List, which has reported that customers were also said to be facing issues in the UK and Turkey.” 

Due to local network breakdown within the America regions, local email and network telephone were not able to work properly at the moment of the attack.

The attack on the world’s largest shipping company by dry weight tonnage has taken out emails and phones.

The company published a list of alternative Yahoo! email addresses to its customers for ordinary communications.

Security experts warned that COSCO fleet could still be at risk following the attack.

“Although COSCO has been quick to respond to this hack, the virus may have been dormant for some time, so I would not be surprised if other systems – shore- and ship-based systems – have been breached. We strongly recommend to whoever discovered the attack to thoroughly verify the breach has been contained and has not infected any ships in the COSCO fleet.” Maritime cybersecurity specialists Naval Dome told IHS Fairplay:

The ransomware attack against COSCO doesn’t appear severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to the second quarter earnings report, there were expecting losses between $200 million and $300 million due to “significant business interruption” because the company was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

Pierluigi Paganini

(Security Affairs – COSCO, ransomware attack)

The post Ransomware attack against COSCO spread beyond its US network to Americas appeared first on Security Affairs.



Security Affairs

Ransomware attack against COSCO spread beyond its US network to Americas

New revelations on the attack against COSCO confirm it was worse than initially thought, the ransomware spread beyond the US network.

Chinese shipping giant COSCO recently suffered a ransomware attack that disrupted some systems of the company in the United States.

The shipping company quickly isolates the systems to avoid propagation to other regions and started an internal investigation, the firm confirmed that the incident did not affect operations of the fleet.

“After the network security problem in the Americas has been detected, to protect the interests of our customers, we have taken proactive measures to isolate internal networks to carry out technical inspections on global scale.” COSCO said in an official statement. “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered at 16:00 (Beijing Time) on 25th July in all the regions except the Americas. As of now, all the business operations have been back to normal in the regions with network recovered.”

New revelations on the attack confirm it was worse than initially thought, the malicious code spread beyond the US network of the company and infected systems in other countries, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.

“Chinese shipping giant COSCO said a ransomware attack has spread beyond its US network to the broader Americas, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.” reported the CBR website.

“That’s according to maritime intelligence house Lloyds List, which has reported that customers were also said to be facing issues in the UK and Turkey.” 

Due to local network breakdown within the America regions, local email and network telephone were not able to work properly at the moment of the attack.

The attack on the world’s largest shipping company by dry weight tonnage has taken out emails and phones.

The company published a list of alternative Yahoo! email addresses to its customers for ordinary communications.

Security experts warned that COSCO fleet could still be at risk following the attack.

“Although COSCO has been quick to respond to this hack, the virus may have been dormant for some time, so I would not be surprised if other systems – shore- and ship-based systems – have been breached. We strongly recommend to whoever discovered the attack to thoroughly verify the breach has been contained and has not infected any ships in the COSCO fleet.” Maritime cybersecurity specialists Naval Dome told IHS Fairplay:

The ransomware attack against COSCO doesn’t appear severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to the second quarter earnings report, there were expecting losses between $200 million and $300 million due to “significant business interruption” because the company was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

Pierluigi Paganini

(Security Affairs – COSCO, ransomware attack)

The post Ransomware attack against COSCO spread beyond its US network to Americas appeared first on Security Affairs.

Dixons Carphone Data Breach discovered in June affected 10 Million customers

Dixons Carphone announced on Monday that the security breach discovered in June affected around 10 million customers, much more than the initial estimate.

Dixons Carphone, one of the largest European consumer electronics and telecommunication retailers, suffered a major data breach in 2017, but new data related to the incident have been shared.

The situation was worse than initially thought, the company announced on Monday that the security breach affected around 10 million customers, much more than the initial estimate.

“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.” reads a statement published by the company.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.”

Dixons Carphone discovered in June 2017 an “unauthorised access” to certain data held by the company, it promptly launched an investigation and hired an external firm to shed the light on the case.

The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

Hackers may have accessed personal information of the affected customers including their names, addresses and email addresses last year.

In June it was estimated that hackers accessed data of 1.2 million people and 5.9 million payments cards used at Currys PC World and Dixons Travel were exposed.

Dixons Carphone assured its customers that no financial data was exposed (pin codes, card verification values and authentication data).

“As a precaution, we are choosing to communicate to all of our customers to apologize and advise them of protective steps to minimize the risk of fraud,” continues the statement. “We are continuing to keep the relevant authorities updated.”

Dixons Carphone hack

The company announced further security measure to protect its system and confirmed that all necessary action to lock put the attackers have been taken.

“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring, and testing,” Dixons said.

This isn’t the first time that the company suffers a security breach, in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.

Affected customers are anyway potentially exposed to phishing attacks and have to be vigilant.

Pierluigi Paganini

(Security Affairs –Carphone Warehouse, data breach)

The post Dixons Carphone Data Breach discovered in June affected 10 Million customers appeared first on Security Affairs.

A new sophisticated version of the AZORult Spyware appeared in the wild

A new sophisticated version of the AZORult Spyware was spotted in the wild, it was involved in a large email campaign on July 18

Malware researchers at Proofpoint spotted a new version of the AZORult Spyware in the wild, it was involved in a large email campaign on July 18, just 24 hours it appeared in cybercrime forums on the Dark Web.

Attackers sent out thousands of messages targeting North America. The messages used employment-related subjects such as “About a role” and “Job Application,” while the malicious attached documents used file names in the format of “firstname.surname_resume.doc”.

“AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.” reads the analysis published by ProofPoint.

“Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality.”

AZORult spyware

AZORult is a data stealer that was first spotted in 2016 by Proofpoint that discovered it was it was part of a secondary infection via the Chthonic banking trojan. Later it was involved in many malspam attacks, but only now the authors released a substantially updated variant.

The latest version appears more sophisticated than previous ones, it implements the ability to steal histories from browsers (except IE and Edge), it includes a conditional loader that checks certain parameters before running the malicious code, and includes the support for Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC cryptocurrency wallets.

Below the full change log:

  • UPD v3.2
  • [+] Added stealing of history from browsers (except IE and Edge)
  • [+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
  • [+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. Also there is a rule “If there is data from cryptocurrency wallets” or “for all”
  • [+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
  • [+] Reduced the load in the admin panel.
  • [+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
  • [+] Added to the admin panel guest statistics
  • [+] Added to the admin panel a geobase

The conditional loader allows the attackers to infect only systems with specific characteristics, for example, it can check if certain desired cookies or saved passwords from specific sites are present on the victim’s machine,

After the malware has successfully connected the C&C server, it will send back to it the following files:

Next, after the initial exchange between the infected machine and the C&C server, the infected machine sends a report containing the stolen information. Again the report is XOR-encoded with the same 3-byte key; a portion of  the decoded version is shown in Figure 5. The stolen information is organized into sections:

  • info: basic computer information such as Windows version and computer name
  • pwds: this section contains stolen passwords (not confirmed)
  • cooks: cookies or visited sites
  • file: contents of the cookies files and a file containing more system profiling information including machine ID, Windows version, computer name, screen resolution, local time, time zone, CPU model,  CPU count,  RAM, video card information, process listing of the infected machine, and software installed on the infected machine.

Once completed this phase, AZORult may download the next-stage payload.

The experts attributed the campaign to the TA516 threat actor that was focused on cryptocurrencies.

“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products.” said ProofPoint.

“The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware.”

Experts noticed that the infection process requests a significant users’ interaction to avoid antivirus. The victims would have to download the document that is password-protected, only after providing the password in a pop-up box included in the body of the email, the attack starts by requesting users to enable macros.

The macros download AZORult, which in turn downloads the Hermes 2.1 ransomware.

“AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial losses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations,” concluded the experts.

Pierluigi Paganini

(Security Affairs – AZORult,  hacking)

The post A new sophisticated version of the AZORult Spyware appeared in the wild appeared first on Security Affairs.

Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread

Security experts from Kaspersky Lab have spotted a new cryptocurrency miner dubbed PowerGhost that can spread leveraging a fileless infection technique.

The PowerGhost miner targets large corporate networks, infecting both workstations and servers, it employing multiple fileless techniques to evade detection.

“The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.” reads the analysis published by Kaspersky.

“This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation.”

The PowerGhost leverages the NSA-linked EternalBlue exploit to spread, it is obfuscated PowerShell script containing malware’s core code, along with many other add-on modules such as the miner, miner libraries, the Mimikatz post-exploitation too, a module for reflective PE injection, and a shellcode for the EternalBlue exploit.

The victim system is infected remotely using exploits or remote administration tools (Windows Management Instrumentation), experts discovered that during the infection phase a one-line PowerShell script is executed to drop the core of the miner component and execute it, the entire process in the memory of the system.

The first thing that the malware does it to check the command and control (C&C) server and, if a new version is available, it downloads and executes it.

Then the malware uses the Mimikatz tool to get the user account credentials from the machine and use it to attempt lateral movements inside the target network.

Propagation.With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.” continues the analysis. 

PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (CVE-2017-0144).”

Once infected a machine, the PowerGhost attempts to escalate privileges by using various exploits such as the one for CVE-2018-8120.

In order to establish a foothold in the infected system, the PowerGhost saves all the modules as properties of a WMI class, while miner main body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes.

The script executes the miner by loading a PE file via reflective PE injection.

Most of the PowerGhost infections were observed in India, Brazil, Columbia, and Turkey.

PowerGhost

Experts discovered also a PowerGhost version that implements DDoS capability, a circumstance that leads Kaspersky into believing that authors attempted to create a DDoS-for-hire service.

Further details, including Indicators of Compromise (IoCs) are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(Security Affairs – PowerGhost, cryptocurrency miner)

The post Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread appeared first on Security Affairs.

Titan Security Keys- Google announced USB-based FIDO U2F Keys

Google will start offering Titan Security Keys to provide a further layer of security to its users and protect them from Phishing and MiTM attacks.

Google announced at Google Cloud Next ’18 convention in San Francisco the launch of the Titan Security Keys,  a USB device that is used as part of its hardware-based two-factor authentication scheme for online accounts.

“Titan Security Key, available now to Cloud customers, and coming soon to the Google Store” states a blog post published by Google.

The hardware-based two-factor authentication scheme is designed to prevent account takeover with phishing and MiTM attacks when the attacker has gained access to user’s credentials.

Titan Security Keys

Google shared data related to the use of physical security keys by its personnel for months, the tech giant confirmed that none of its 85,000 employees that used the hardware-based two-factor authentication key has fallen victim to phishing attacks.

“We have had no reported or confirmed account takeovers since implementing security keys at Google” a Google spokesperson said. 

“Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The authentication through the physical USB security key is more secure compared to other processes.

Titan Security Keys is based on the Fast IDentity Online (FIDO) Alliance, U2F (universal 2nd factor) protocol and was entirely designed by Google.

The Titan Security Key is available in both USB and Bluetooth versions, Google will offer it for sale in the Google’s online store within the next few months.

Log-in to Mobile devices will require a Bluetooth wireless device.

Google did not reveal the price for Titan Security Keys, but rumors say it will be available for around $20 or $30.

The Titan keys will be compatible with major browsers (i.e Chrome, Firefox, and Opera) and many online services, including Dropbox, Facebook, Github.

Pierluigi Paganini

(Security Affairs – Titan Security Keys, authentication)

The post Titan Security Keys- Google announced USB-based FIDO U2F Keys appeared first on Security Affairs.

KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens

ICO platforms are becoming a privileged target for hackers, the last victim in order of time is KickICO, a Blockchain crowdfunding website for ICO.

On Friday, KickICO disclosed a security breach, according to the platform attackers accessed to its wallets and stole over 70 million KICK tokens (roughly $7.7 million at the time).

The incident occurred on July 26, at 09:04 UTC, KickICO CEO Anti Danilevski explained that its staff learned of the security breach from victims who complained to it.

KICKICO hack

“On July 26 at 9:04 (UTC) KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform. The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets.” reads the data breach notification published by the company.

As of Friday, the company announced the situation was under control and the smart contract has been restored. KickICO announced it will return all stolen KICK tokens to their legitimate owners, for this reason, it invited them to connect via email report@kickico.com.

“KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences,” Danilevski said.

The company quickly started an investigation on the security breach, the internal staff discovered that the attackers managed to gain access to the private key of the KickICO platform used by the developers to manage the KICK token smart contract.

Once obtained the key, the attackers used it to destroy KICK tokens at approximately 40 addresses and created the same amount of tokens at other 40 wallets he was controlling. Using this trick the overall number of tokens hasn’t changed and security measures in place were not able to detect the fraudulent activity.

“The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. In result, the total number of tokens in the network has not changed. ” continues the notification.

Fortunately, the community quickly discovered the security breach and helped the platform to mitigate it. KICKICO quickly responded and prevented further losses by replacing the compromised private key with another one associated with the cold storage.

Read more: https://cryptovest.com/news/kickico-suffered-77m-hack-attack-says-will-return-stolen-kicko-tokens/

“After the incident, the KICK token, listed on the 136th position on Coinmarketcap, has lost 1.87% in the last 24 hours. However, the move may be influenced by the bearish mood of the entire crypto market after the SEC rejected a Bitcoin ETF proposed by the Winklevoss twins.” reported the website cryptovest.com.

Pierluigi Paganini

(Security Affairs – KickICO, hacking)

The post KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens appeared first on Security Affairs.

FELIXROOT Backdoor is back in a new fresh spam campaign

Security experts from FireEye have spotted a new spam campaign leveraging the FELIXROOT backdoor, a malware used for cyber espionage operation.

The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians.

The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts.

The documents include code to exploit known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary.

Experts reported that the lure documents used in the last campaign were written in the Russian language. The weaponized document exploits the CVE-2017-0199 flaw to download a second-stage payload that triggers the CVE-2017-11882 vulnerability to drop and execute the final backdoor.

“FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.” reads the analysis published by FireEye.

“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,” 

The CVE-2017-0199 allows the attackers to download and execute a Visual Basic script containing PowerShell commands when the victim opens the lure document.

The CVE-2017-11882 is remote code execution vulnerability that allows the attacker to run arbitrary code in the context of the current user.

FELIXROOT backdoor

This backdoor implements a broad a range of features, including the target fingerprinting via Windows Management Instrumentation (WMI) and the Windows registry,  remote shell execution, and data exfiltration.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1.

If the backdoor was launched by RUNDLL32.exe with parameter #1 it makes an initial system triage before connecting to the command-and-control (C2). The malicious code uses Windows API to get the system information (i.e. computer name, username, volume serial number, Windows version, processor architecture and so on).

The FELIXROOT backdoor is able to communicate with its Command and Control server via HTTP and HTTPS POST protocols. The traffic to the C2 is encrypted with AES and converted into Base64.

“FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server” continues the analysis.

“Strings in the backdoor are encrypt1ed using a custom algorithm that uses XOR with a 4-byte key.”

The experts believe that this backdoor is a dangerous threat but was involved at the time in massive campaigns.

FELIXROOT backdoor contains several commands that allow it to execute specific tasks. Once executed a command, the malicious code will wait for one minute before executing the next one.

“Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine” continues FireEye.

  1. Deletes the LNK file from the startup directory.
  2. Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open
  3. Deletes the dropper components from the system.

Further details, including the IoCs are reported in the analysis published by FireEye.

Pierluigi Paganini

(Security Affairs – FELIXROOT backdoor, malware)

The post FELIXROOT Backdoor is back in a new fresh spam campaign appeared first on Security Affairs.

Security Affairs: FELIXROOT Backdoor is back in a new fresh spam campaign

Security experts from FireEye have spotted a new spam campaign leveraging the FELIXROOT backdoor, a malware used for cyber espionage operation.

The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians.

The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts.

The documents include code to exploit known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary.

Experts reported that the lure documents used in the last campaign were written in the Russian language. The weaponized document exploits the CVE-2017-0199 flaw to download a second-stage payload that triggers the CVE-2017-11882 vulnerability to drop and execute the final backdoor.

“FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.” reads the analysis published by FireEye.

“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,” 

The CVE-2017-0199 allows the attackers to download and execute a Visual Basic script containing PowerShell commands when the victim opens the lure document.

The CVE-2017-11882 is remote code execution vulnerability that allows the attacker to run arbitrary code in the context of the current user.

FELIXROOT backdoor

This backdoor implements a broad a range of features, including the target fingerprinting via Windows Management Instrumentation (WMI) and the Windows registry,  remote shell execution, and data exfiltration.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1.

If the backdoor was launched by RUNDLL32.exe with parameter #1 it makes an initial system triage before connecting to the command-and-control (C2). The malicious code uses Windows API to get the system information (i.e. computer name, username, volume serial number, Windows version, processor architecture and so on).

The FELIXROOT backdoor is able to communicate with its Command and Control server via HTTP and HTTPS POST protocols. The traffic to the C2 is encrypted with AES and converted into Base64.

“FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server” continues the analysis.

“Strings in the backdoor are encrypt1ed using a custom algorithm that uses XOR with a 4-byte key.”

The experts believe that this backdoor is a dangerous threat but was involved at the time in massive campaigns.

FELIXROOT backdoor contains several commands that allow it to execute specific tasks. Once executed a command, the malicious code will wait for one minute before executing the next one.

“Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine” continues FireEye.

  1. Deletes the LNK file from the startup directory.
  2. Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open
  3. Deletes the dropper components from the system.

Further details, including the IoCs are reported in the analysis published by FireEye.

Pierluigi Paganini

(Security Affairs – FELIXROOT backdoor, malware)

The post FELIXROOT Backdoor is back in a new fresh spam campaign appeared first on Security Affairs.



Security Affairs

Tens of flaws in Samsung SmartThings Hub expose smart home to attack

Cisco Talos researchers found tens of flaws in Samsung SmartThings Hub controller that potentially expose smart home devices to attack

Cisco Talos researchers have discovered 20 vulnerabilities in Samsung SmartThings Hub controller that potentially expose any supported third-party smart home devices to cyber attack.

“Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.

“These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.”

The Samsung  SmartThings Hub is a central controller that could be used to manage a broad range of internet-of-things (IoT) devices in a smart home, including smart plugs, LED light bulbs, thermostats, and cameras.

The access to those IoT devices could allow attackers to gather sensitive information managed by the devices within the home and perform unauthorized activities.

Samsung SmartThings Hub runs a Linux-based firmware and allows for communications with various IoT devices using various wireless standards Zigbee, Z-Wave, and Bluetooth.

Talos researchers explained that in order to exploit the flaws, the attacker needs to chain a number of existing vulnerabilities together.

“It is possible to gather the set of preconditions needed to exploit bugs that would otherwise be unreachable by using multiple vulnerabilities.” researchers said.

“This is commonly referred to as “chaining.” When considering the severity of vulnerabilities, it is essential to keep in mind that they might be used as part of a chain, as this would significantly elevate their severity.”

The experts identified three notable chains, only one of them is a remote code execution (RCE) vulnerability that can be exploited without prior authentication.

RCE Chain – CVE-2018-3911

This RCE chain attack affects the “video core” HTTP server of the hub, it could be exploited by attackers to inject HTTP requests into this process from a network. The flaw is an exploitable HTTP header injection bug that exists within the communications (via Port 39500) between the hub and the remote servers.  The flaw could be exploited by sending specially crafted HTTP requests to vulnerable devices.

“This vulnerability is present within the JSON processing performed by the `hubCore` binary present within the SmartThings hub and could be combined with other vulnerabilities present within affected devices to achieve code execution.” states the report.

Samsung SmartThings Hub

Other chains

Other chains identified by the researchers could be exploited only by an authenticated attacker.

The first attack chain is a remote code execution that could be obtained by exploiting the CVE-2018-3879 flaw that allows authorized attackers to execute SQL queries against a database running in the IoT device.

Experts noticed that chaining this flaw, with a string of other memory corruption vulnerabilities (CVE-2018-3880, CVE-2018-3906, CVE-2018-3912 to CVE-2018-3917, and CVE-2018-3919) that affects the Samsung SmartThings Hub it is possible to execute arbitrary code in the network.

Experts highlighted that the CVE-2018-3879 can also be exploited in the final chain attack for remote information leakage. This vulnerability can be used to create an empty file inside the device.

“Remote information leakage: TALOS-2018-0556 can also be used to create an empty file anywhere inside the device. As described in TALOS-2018-0593, the existence of an empty file at path “/hub/data/hubcore/stZigbee” will make the “hubCore” process to crash. Moreover, as described in TALOS-2018-0594, when the “hubCore” process crashes, it triggers an information leak that can be captured from the network.” reads the analysis tublished by Talos.

“By chaining these 3 vulnerabilities in order, an attacker can obtain a memory dump of the `hubCore` process, which contains most of the core logic, and consequent sensitive information, of the Hub.”

Talos experts tested and confirmed that the Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17 is affected by the flaws.

Samsung has addressed the flaw and security updates have been pushed out automatically.

“Talos recommends that these devices are updated as quickly as possible. As Samsung pushes updates out to devices automatically, this should not require manual intervention in most cases. It is important to verify the updated version has actually been applied to devices to ensure that they are no longer vulnerable. Samsung has released a firmware update that resolves these issues. An advisory related to these vulnerabilities can be found here.” concludes Talos.

Pierluigi Paganini

(Security Affairs – Samsung SmartThings Hub, hacking)

The post Tens of flaws in Samsung SmartThings Hub expose smart home to attack appeared first on Security Affairs.

Mysterious snail mail from China sent to US agencies includes Malware-Laden CD

Several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden CD

Crooks and cyberspies attempt to exploit any attack vector to compromise the targeted computers and the case we are going to discuss demonstrate it.

The popular security expert Brian Krebs reported that several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden compact discs (CDs).

The list of recipients that received the malicious snail mail includes State Archives, State Historical Societies, and a State Department of Cultural Affairs.

KrebsOnSecurity reported having learned that the strange mail is apparently sent from China.

“This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”” reads the post published by Brian Krebs.

Snail Mail Malware-Laden CD

The attackers clearly attempt to exploit the curiosity of the potential victims that may be enticed into seeing the content of the CD.

According to the experts at MS-ISAC who analyzed the CDs, the media support contain Mandarin language Microsoft Word documents, some of which including malicious scripts.

All the letters received by the organizations appear to be addressed specifically to them.

“It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.” continues Krebs.

“I’m sure many readers could think of clever ways that this apparent mail-based phishing campaign could be made more effective or believable, such as including tiny USB drives instead of CDs, or at least a more personalized letter that doesn’t look like it was crafted by someone without a mastery of the English language.”

A similar attack technique has been already observed in the wild, in September 2016 the Police in the Australian State of Victoria issued a warning to the local population of malware-laden USB drives left in letterboxes.

In August 2016, at Black Hat USA, the security researcher Elie Bursztein demonstrated the dangers of found USB drive and how to create a realistic one.

The expert dropped 297 USB drives on the University of Illinois Urbana-Champaign campus in six different locations, the devices are able to take over the PC of the unaware user that will find the key.

48 percent of USB drives were picked up by passers and plugged into a computer, and the unaware users also tried to open the file within.

Social engineering attacks demonstrate that humans are the weakest link in the security chain, and attacks leveraging malware-laden CD leverage bad habit.

Pierluigi Paganini

(Security Affairs – Malware-Laden CD Sent, hacking)

The post Mysterious snail mail from China sent to US agencies includes Malware-Laden CD appeared first on Security Affairs.

Security Affairs newsletter Round 173 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

 

·      Ecuador to withdraw asylum for Julian Assange in coming weeks or days
·      TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT
·      CSE Malware ZLab – Chinese APT27 s long-term espionage campaign in Syria is still ongoing
·      Experts believe US Cyber Command it the only entity that can carry out ‘hack backs
·      Experts warn of new campaigns leveraging Mirai and Gafgyt variants
·      The source code of the Exobot Android banking trojan has been leaked online
·      Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency
·      CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic
·      DHS – Russian APT groups are inside US critical infrastructure
·      Sony addresses remotely exploitable flaws in Sony IPELA E Network Cameras
·      SpectreRSB – new Spectre CPU side-channel attack using the Return Stack Buffer
·      Apache Software Foundation fixes important flaws in Apache Tomcat
·      Hide ‘N Seek botnet also includes exploits for home automation systems
·      Korean Davolink routers are easy exploitable due to poor cyber hygene
·      The Death botnet grows targeting AVTech devices with a 2-years old exploit
·      Experts discovered a Kernel Level Privilege Escalation in Oracle Solaris
·      Kronos Banking Trojan resurrection, new campaigns spotted in the wild
·      ProtonMail launches Address Verification and full PGP support
·      Ransomware attack disrupted some systems of the shipping giant COSCO in the US
·      US-CERT warns of ongoing cyber attacks aimed at ERP applications
·      Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution
·      Leafminer cyber espionage group targets Middle East
·      NetSpectre is a remote Spectre attack that allows stealing data over the network
·      Parasite HTTP RAT implements a broad range of protections and evasion mechanims
·      Parasite HTTP RAT implements a broad range of protections and evasion mechanisms
·      Google bans cryptocurrency mining apps from the official Play Store
·      Microsoft revealed details of a supply chain attack at unnamed Maker of PDF Editor
·      Russian APT28 espionage group targets democratic Senator Claire McCaskill
·      Twitter removed more than 143,000 apps from the messaging service

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 173 – News of the week appeared first on Security Affairs.

Security bug in Swann IoT Camera allowed to access video feeds

Security experts have discovered a security glitch in Swann IoT camera that could be exploited by attackers to access video feeds.

Security experts from Pen Test Partners (Andrew Tierney, Chris Wade and Ken Munro) along with security researchers Alan Woodward, Scott Helme and Vangelis Stykas have discovered a security glitch in Swann IoT camera that could be exploited to access video feeds.

The experts reported the issue to the vendor that has patched the vulnerability.

The research team developed a proof-of-concept attack exploiting security flaws in the cloud service used by the IoT camera, Safe by Swann, in this way they were able to access the cameras via their mobile devices.

The experts started investigating the issue after reading a BBC article outlining how a BBC employee had accidentally seen someone else’s footage on the mobile app for their home security camera.

The affected camera model it a battery-powered HD camera that implements video streaming feature either directly over the local network or via a cloud service.

Swann IoT camera

Experts noticed that the cloud service is provided by Ozvision, when a user logs into the system through Safe by Swann, a request is made (userListAssets) to the server.

The server, in turn, provides a list containing the devices associated with the account.

The researchers analyzed the requests and attempted to manipulate the serial number parameter.

Swann IoT camera request

The experts explained that it is easy to find a serial number associated with the targeted device via the API endpoint and APK.

“After reviewing the API endpoint and APK, I quickly realised that the serial number (swnxxxxxxxxx) is the primary identifier of the camera on the platform. This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel. The serial is easily found in the mobile app:” states the analysis published by the experts.

“We replace the serial number (deviceid) in the response from the server. At this point the mobile app sees the details of someone else’s camera. We are using Charles here, but Burp or MITMproxy will do it too”

The experts demonstrated that it is possible to access the camera stream for another serial number.

“In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.” continues the experts.

The experts explained that Swann quickly fixed the issue, but they speculated that the Ozvision was already aware of the issue.

“Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.” continues the post.

“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service. Further, they initially deflected direct questions about the issue back to Swann.”

The serial number if composed of the string ‘swn’ plus 9 hex chars. The researcher Vangelis (@evstykas of the Tapplock API vulnerability fame) analyzed the API and discovered that it was possible to enumerate them with the following request:

1.1/osn/deviceIsOwned

1.1/osn/AccountAddDevice – this will throw an error if the camera is already paired, this means that using this trick it is possible to enumerate the entire keyspace searching for existing cameras.

“We believe the keyspace could be fully enumerated in as little as 3 days, given a distributed set of concurrent requests to the API.” concluded the researchers.

“So, one could now access arbitrary cameras.”

Pierluigi Paganini

(Security Affairs – IoT camera, Swann)

The post Security bug in Swann IoT Camera allowed to access video feeds appeared first on Security Affairs.

Security Affairs: Security bug in Swann IoT Camera allowed to access video feeds

Security experts have discovered a security glitch in Swann IoT camera that could be exploited by attackers to access video feeds.

Security experts from Pen Test Partners (Andrew Tierney, Chris Wade and Ken Munro) along with security researchers Alan Woodward, Scott Helme and Vangelis Stykas have discovered a security glitch in Swann IoT camera that could be exploited to access video feeds.

The experts reported the issue to the vendor that has patched the vulnerability.

The research team developed a proof-of-concept attack exploiting security flaws in the cloud service used by the IoT camera, Safe by Swann, in this way they were able to access the cameras via their mobile devices.

The experts started investigating the issue after reading a BBC article outlining how a BBC employee had accidentally seen someone else’s footage on the mobile app for their home security camera.

The affected camera model it a battery-powered HD camera that implements video streaming feature either directly over the local network or via a cloud service.

Swann IoT camera

Experts noticed that the cloud service is provided by Ozvision, when a user logs into the system through Safe by Swann, a request is made (userListAssets) to the server.

The server, in turn, provides a list containing the devices associated with the account.

The researchers analyzed the requests and attempted to manipulate the serial number parameter.

Swann IoT camera request

The experts explained that it is easy to find a serial number associated with the targeted device via the API endpoint and APK.

“After reviewing the API endpoint and APK, I quickly realised that the serial number (swnxxxxxxxxx) is the primary identifier of the camera on the platform. This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel. The serial is easily found in the mobile app:” states the analysis published by the experts.

“We replace the serial number (deviceid) in the response from the server. At this point the mobile app sees the details of someone else’s camera. We are using Charles here, but Burp or MITMproxy will do it too”

The experts demonstrated that it is possible to access the camera stream for another serial number.

“In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.” continues the experts.

The experts explained that Swann quickly fixed the issue, but they speculated that the Ozvision was already aware of the issue.

“Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.” continues the post.

“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service. Further, they initially deflected direct questions about the issue back to Swann.”

The serial number if composed of the string ‘swn’ plus 9 hex chars. The researcher Vangelis (@evstykas of the Tapplock API vulnerability fame) analyzed the API and discovered that it was possible to enumerate them with the following request:

1.1/osn/deviceIsOwned

1.1/osn/AccountAddDevice – this will throw an error if the camera is already paired, this means that using this trick it is possible to enumerate the entire keyspace searching for existing cameras.

“We believe the keyspace could be fully enumerated in as little as 3 days, given a distributed set of concurrent requests to the API.” concluded the researchers.

“So, one could now access arbitrary cameras.”

Pierluigi Paganini

(Security Affairs – IoT camera, Swann)

The post Security bug in Swann IoT Camera allowed to access video feeds appeared first on Security Affairs.



Security Affairs

Underminer Exploit Kit spreading Bootkits and cryptocurrency miners

New Underminer exploit kit delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

Malware researchers from Trend Micro have spotted a new exploit kit, tracked as Underminer exploit kit, delivering a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

“We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads.” reads the analysis published by TrendMicro.

“Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”

Researchers first noticed the Underminer Exploit activity on July 17 while it was distributing the payloads mainly to Asian countries, mostly in Japan (69,75%) and Taiwan (10,52%).

Underminer transfers the malicious payloads via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). According to the experts, this makes it difficult to analyze the malicious code.

The Underminer exploit kit appears to have been created in November 2017 when it only included the code for the exploitation of Flash vulnerabilities and delivered fileless payloads to deliver and execute the malware.

The Underminer EK includes functionalities also employed by other exploit kits, including:

  • browser profiling and filtering;
  • preventing of client revisits;
  • URL randomization;
  • asymmetric encryption of payloads;

The EK redirect visitors to a landing page that profile and detect the user’s Adobe Flash Player version and browser type via user-agent.

In case the visitor’s profile does not match the one associated with a target of interest, the exploit kit will not deliver malicious content and redirect the visitor to a clean website.

The Underminer exploit kit also sets a token to the browser cookie, with this trick if the victim already accessed the landing page, it only delivers an HTTP 404 error message instead of payloads.

Researchers discovered that the Underminer exploit kit still includes a small number of exploits. The experts have spotted the code to trigger the following vulnerabilities:

  • CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015.
  • CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016.
  • CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.

All the above flaws have been exploited by other EKs in the past.

Below the infection flow of Underminer’s exploits described by Trend Micro.Underminer modus operandi

“Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities. And given the nature of their operations, we also expect them to diversify their payloads.” concludes Trend Micro.

Pierluigi Paganini

(Security Affairs – Underminer Exploit Kit, hacking)

The post Underminer Exploit Kit spreading Bootkits and cryptocurrency miners appeared first on Security Affairs.

Security Affairs: Underminer Exploit Kit spreading Bootkits and cryptocurrency miners

New Underminer exploit kit delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

Malware researchers from Trend Micro have spotted a new exploit kit, tracked as Underminer exploit kit, delivering a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

“We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads.” reads the analysis published by TrendMicro.

“Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”

Researchers first noticed the Underminer Exploit activity on July 17 while it was distributing the payloads mainly to Asian countries, mostly in Japan (69,75%) and Taiwan (10,52%).

Underminer transfers the malicious payloads via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). According to the experts, this makes it difficult to analyze the malicious code.

The Underminer exploit kit appears to have been created in November 2017 when it only included the code for the exploitation of Flash vulnerabilities and delivered fileless payloads to deliver and execute the malware.

The Underminer EK includes functionalities also employed by other exploit kits, including:

  • browser profiling and filtering;
  • preventing of client revisits;
  • URL randomization;
  • asymmetric encryption of payloads;

The EK redirect visitors to a landing page that profile and detect the user’s Adobe Flash Player version and browser type via user-agent.

In case the visitor’s profile does not match the one associated with a target of interest, the exploit kit will not deliver malicious content and redirect the visitor to a clean website.

The Underminer exploit kit also sets a token to the browser cookie, with this trick if the victim already accessed the landing page, it only delivers an HTTP 404 error message instead of payloads.

Researchers discovered that the Underminer exploit kit still includes a small number of exploits. The experts have spotted the code to trigger the following vulnerabilities:

  • CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015.
  • CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016.
  • CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.

All the above flaws have been exploited by other EKs in the past.

Below the infection flow of Underminer’s exploits described by Trend Micro.Underminer modus operandi

“Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities. And given the nature of their operations, we also expect them to diversify their payloads.” concludes Trend Micro.

Pierluigi Paganini

(Security Affairs – Underminer Exploit Kit, hacking)

The post Underminer Exploit Kit spreading Bootkits and cryptocurrency miners appeared first on Security Affairs.



Security Affairs

Twitter removed more than 143,000 apps from the messaging service

On Tuesday, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative.

Last week, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative aimed at “malicious” activity from automated accounts.

The social media giant was restricting the access to its application programming interfaces (APIs) that allows developers to automate the interactions with the platform (i.e. Tweet posting).

Spam and abuse issues are important problems for the platform, every day an impressive number of bots is used to influence the sentiment on specific topics or to spread misinformation or racism content.

“We’re committed to providing access to our platform to developers whose products and services make Twitter a better place,” said Twitter senior product management director Rob Johnson.

“However, recognizing the challenges facing Twitter and the public — from spam and malicious automation to surveillance and invasions of privacy — we’re taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter.”

Twitter says the apps “violated our policies,” although it wouldn’t say how and it did not share details on revoked apps.

“We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter,” he added.

“We’re continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently.”

Cleaning up Twitter it a hard task, now since Tuesday, Twitter deployed a new application process for developers that intend to use the platform API.

Twitter is going to ask them for details of how they will use the service.

“Beginning today, anyone who wants access to Twitter’s APIs should apply for a developer account using the new developer portal at developer.twitter.com. Once your application has been approved, you’ll be able to create new apps and manage existing apps on developer.twitter.com. Existing apps can also still be managed on apps.twitter.com.”Johnson added.

“We’re committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service,” 

Twitter messaging service

Anyway, there are many legitimate applications that used Twitter APIs to automate several processes, including emergency alerts.

Twitter also announced the introduction of new default app-level rate limits for common POST endpoints to fight the spamming through the platform.

“Alongside changes to the developer account application process, we’re introducing new default app-level rate limits for common POST endpoints, as well as a new process for developers to obtain high volume posting privileges. These changes will help cut down on the ability of bad actors to create spam on Twitter via our APIs, while continuing to provide the opportunity to build and grow an app or business to meaningful scale.” concludes Twitter.

Pierluigi Paganini

(Security Affairs – Twitter, messaging service)

The post Twitter removed more than 143,000 apps from the messaging service appeared first on Security Affairs.

Security Affairs: Twitter removed more than 143,000 apps from the messaging service

On Tuesday, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative.

Last week, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative aimed at “malicious” activity from automated accounts.

The social media giant was restricting the access to its application programming interfaces (APIs) that allows developers to automate the interactions with the platform (i.e. Tweet posting).

Spam and abuse issues are important problems for the platform, every day an impressive number of bots is used to influence the sentiment on specific topics or to spread misinformation or racism content.

“We’re committed to providing access to our platform to developers whose products and services make Twitter a better place,” said Twitter senior product management director Rob Johnson.

“However, recognizing the challenges facing Twitter and the public — from spam and malicious automation to surveillance and invasions of privacy — we’re taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter.”

Twitter says the apps “violated our policies,” although it wouldn’t say how and it did not share details on revoked apps.

“We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter,” he added.

“We’re continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently.”

Cleaning up Twitter it a hard task, now since Tuesday, Twitter deployed a new application process for developers that intend to use the platform API.

Twitter is going to ask them for details of how they will use the service.

“Beginning today, anyone who wants access to Twitter’s APIs should apply for a developer account using the new developer portal at developer.twitter.com. Once your application has been approved, you’ll be able to create new apps and manage existing apps on developer.twitter.com. Existing apps can also still be managed on apps.twitter.com.”Johnson added.

“We’re committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service,” 

Twitter messaging service

Anyway, there are many legitimate applications that used Twitter APIs to automate several processes, including emergency alerts.

Twitter also announced the introduction of new default app-level rate limits for common POST endpoints to fight the spamming through the platform.

“Alongside changes to the developer account application process, we’re introducing new default app-level rate limits for common POST endpoints, as well as a new process for developers to obtain high volume posting privileges. These changes will help cut down on the ability of bad actors to create spam on Twitter via our APIs, while continuing to provide the opportunity to build and grow an app or business to meaningful scale.” concludes Twitter.

Pierluigi Paganini

(Security Affairs – Twitter, messaging service)

The post Twitter removed more than 143,000 apps from the messaging service appeared first on Security Affairs.



Security Affairs

Google bans cryptocurrency mining apps from the official Play Store

Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.

Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.

Following Apple’s decision of banning cryptocurrency mining apps announced in June, also Google has updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the devices.

“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.

Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.

Mining activities have a dramatic effect on the performance of the device and in some cases, it could also damage it by causing overheat or destroy batteries.

In December, experts from Kaspersky have spotted an Android malware dubbed Loapi that includes a so aggressive mining component that it can destroy your battery.

mining apps

Last month, Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.

Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.

Pierluigi Paganini

(Security Affairs – mining apps, Google)

The post Google bans cryptocurrency mining apps from the official Play Store appeared first on Security Affairs.

Russian APT28 espionage group targets democratic Senator Claire McCaskill

The Russia-linked APT28 group targets Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.

The Russian APT group tracked as Fancy Bear (aka APT28Pawn StormSofacy GroupSednit, and STRONTIUM), that operated under the Russian military agency GRU, continues to target US politicians.

This time the target is Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.

The news was reported by The Daily Beast, McCaskill always expressed criticism of Russia and its aggressive strategy in the cyberspace. McCaskill has repeatedly accused the Russian Government of “cyber warfare against our democracy,” she defined President Vladimir Putin as a “thug” and a “bully.”

Russian cyberspies launched spear-phishing attacks against the member of the staff aimed at stealing their credentials, a tactic already used against Hillary Clinton campaign manager John Podesta in 2016.

The phishing messages contained fake notifications instructing the victims to change their Microsoft Exchange passwords.

“The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.” reads the report published by The Daily Beast.

“The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.”

democratic Senator Claire McCaskill

In July, Microsoft helped the US Government is protecting at least three 2018 midterm election candidates from attacks of Russian cyberspies.

The hackers sent spear-phishing messages to the candidates, the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.

“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”

Once Microsoft discovered the phishing website it has taken down it and helped the US government to “avoid anybody being infected by that particular attack.”

“In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants.” continues the report.

Microsoft made sinkholing of the website, in this way it was able to track victims of the attacks that were redirected to the phishing attack.

The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt during his speech at the Aspen Security Forum.

Microsoft attributed the attacks to Russian APT28 group.

McCaskill released a statement confirming that cyberattack was unsuccessful.

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said.

“While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

Pierluigi Paganini

(Security Affairs – McCaskill, APT28)

The post Russian APT28 espionage group targets democratic Senator Claire McCaskill appeared first on Security Affairs.

Microsoft revealed details of a supply chain attack at unnamed Maker of PDF Editor

Microsoft revealed that hackers attempted to compromise the supply chain of an unnamed maker of PDF software.

The attackers compromised a font package installed by a PDF editor app and used it to spread a crypto-mining malware on victims’ machines.

The attack was discovered by the experts from Microsoft that received alerts via the Windows Defender ATP.

Microsoft discovered that attackers compromised the cloud server infrastructure of a software company that provides font packages for other software firms.

The packages are distributed as MSI files and experts revealed that one of the companies using these packages was the firm that developed the PDF editor application.

The compromise lasted between January and March 2018, according to the tech giant the hackers compromised only a small number of machines, this could indicate that the hacked companies working with the font package provider have a small market share.

This is a multi-tier attack in which the attackers compromised the supply chain of the supply chain.

“A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case.” reads the analysis published by Microsoft.

“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload.”

Supply chain attack-diagram-3

The hackers cloned the infrastructure of the company that develops the PDF Editor, they set up a server containing all MSI files, including font packages, all clean and digitally signed.

The hackers poisoned an MSI file associated with an Asian fonts pack with a crypto miner, then devised a technique to influence the download of the font by the PDF Editor from the attackers’ server.

Once the victims have installed the PDF editor app, the application will install the font packages from the cloned server managed by the attackers, including the tainted one.

Below the multi-tier attack described by Microsoft:

  1. Attackers recreated the software partner’s infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers’ replica server instead of the software partner’s server.

The attackers have targeted the supply chain by hiding the miner in an installer to have full elevated privileges (SYSTEM) on a machine.

The crypto-mining malware would create a process named xbox-service.exe that abuses the computational resources of the victims to mine Monero coins.

The malware also tries to modify the Windows hosts file so that the victim’s machine can’t communicate with the update servers of certain PDF apps and security software. The trick would prevent remote cleaning and remediation of affected machines.

Pierluigi Paganini

(Security Affairs – supply chain, hacking)

The post Microsoft revealed details of a supply chain attack at unnamed Maker of PDF Editor appeared first on Security Affairs.

Security Affairs: NetSpectre is a remote Spectre attack that allows stealing data over the network

Researchers discovered a new variant of the Spectre attack, dubbed NetSpectre, that allows to steal data over the network from the target system.

A group of researchers has devised a new variant of the Spectre attack, dubbed NetSpectre, that could allow an attacker to steal data over the network from the target system.

NetSpectre is described as a remote side-channel attack that like the Spectre variant 1 (CVE-2017-5753) exploit a flaw in the speculative execution mechanism.  The technique could bypass address-space layout randomization on the remote system and allow the attackers to execute code on the vulnerable system.

The original Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The researchers that discovered the NetSpectre attack explained that the technique leverages the AVX-based covert channel to capture data at a deficient speed of 60 bits per hour from the target system.

“we present NetSpectre, a generic remote Spectre variant 1 attack. ” reads the research paper.

“Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high performance AVX-based covert channel that we use in our cachefree Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system”

An attacker could carry out the Netspectre attack to read arbitrary memory from the systems that have a network interface exposed on the network and that contain the required Spectre gadgets.

“As our NetSpectre attack is mounted over the network, the victim device requires a network interface an attacker can reach. The attacker must be able to send a large number of network packets to the victim,” continues the paper.

“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.” the researchers said.

NetSpectre

An attacker just needs to send a series of specially crafted requests to the target machine and observe the timing difference in the network packet response time to leak a secret value from the machine’s memory.

“In contrast to local Spectre attacks, where a single measurement can already be sufficient, NetSpectre attacks require a large number of measurements to distinguish
bits with a certain confidence” continues the paper.

The expert reported the NewSpectre attack to Intel in March and the tech giant addressed the issue with the first set of security patches it has released.

Pierluigi Paganini

(Security Affairs – NetSpectre, Intel)

The post NetSpectre is a remote Spectre attack that allows stealing data over the network appeared first on Security Affairs.



Security Affairs

NetSpectre is a remote Spectre attack that allows stealing data over the network

Researchers discovered a new variant of the Spectre attack, dubbed NetSpectre, that allows to steal data over the network from the target system.

A group of researchers has devised a new variant of the Spectre attack, dubbed NetSpectre, that could allow an attacker to steal data over the network from the target system.

NetSpectre is described as a remote side-channel attack that like the Spectre variant 1 (CVE-2017-5753) exploit a flaw in the speculative execution mechanism.  The technique could bypass address-space layout randomization on the remote system and allow the attackers to execute code on the vulnerable system.

The original Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The researchers that discovered the NetSpectre attack explained that the technique leverages the AVX-based covert channel to capture data at a deficient speed of 60 bits per hour from the target system.

“we present NetSpectre, a generic remote Spectre variant 1 attack. ” reads the research paper.

“Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high performance AVX-based covert channel that we use in our cachefree Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system”

An attacker could carry out the Netspectre attack to read arbitrary memory from the systems that have a network interface exposed on the network and that contain the required Spectre gadgets.

“As our NetSpectre attack is mounted over the network, the victim device requires a network interface an attacker can reach. The attacker must be able to send a large number of network packets to the victim,” continues the paper.

“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.” the researchers said.

NetSpectre

An attacker just needs to send a series of specially crafted requests to the target machine and observe the timing difference in the network packet response time to leak a secret value from the machine’s memory.

“In contrast to local Spectre attacks, where a single measurement can already be sufficient, NetSpectre attacks require a large number of measurements to distinguish
bits with a certain confidence” continues the paper.

The expert reported the NewSpectre attack to Intel in March and the tech giant addressed the issue with the first set of security patches it has released.

Pierluigi Paganini

(Security Affairs – NetSpectre, Intel)

The post NetSpectre is a remote Spectre attack that allows stealing data over the network appeared first on Security Affairs.

Parasite HTTP RAT implements a broad range of protections and evasion mechanims

Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques.

The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms.

“Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets. The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections.” reads the analysis published by Proofpoint.

“The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.”

The Parasite HTTP RAT leverages string obfuscation and a sleep routine to delay execution and check for sandboxes or emulate environments. It first checks if an exception handler has run, then it checks whether between 900ms and two seconds elapsed in response to the routine’s 1-second sleep split into 10ms increments.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” states Proofpoint

In presence of a sandbox, the RAT halts the execution and attempts to make hard the forensic investigations.

“When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead making it difficult for researchers to determine  why the malware did not run properly and crashed. ” continues the analysis.

Experts observed the malware using code from a public repository for sandbox detection.

The Parasite HTTP RAT is being advertised on an underground forum. Researchers already spotted the threat in attacks in the wild.

The malware was involved in a small email campaign targeting organizations primarily in the information technology, healthcare, and retail industries.

The phishing emails used weaponized Microsoft Word attachments with macros that act as a downloader for the RAT

The Parasite HTTP RAT is written in C programming language. The author claims it has a small size (49kb) and has he no dependencies.

It also implements plugin support and dynamic API calls support.

Communication with the command and control (C&C) is encrypted, the author also offers a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.

It is interesting to note that the malware involves a rare process injection technique. On Windows 7 and newer versions, the malware resolves critical APIs to create registry entries.

The experts highlighted that the Parasite HTTP RAT  includes an obfuscated check for debugger breakpoints it also removes hooks on a series of DLLs to complicate the work of malware experts while investigating the threat.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint concludes.

Pierluigi Paganini

(Security Affairs – Parasite HTTP RAT, malware)

The post Parasite HTTP RAT implements a broad range of protections and evasion mechanims appeared first on Security Affairs.

Security Affairs: Parasite HTTP RAT implements a broad range of protections and evasion mechanims

Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques.

The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms.

“Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets. The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections.” reads the analysis published by Proofpoint.

“The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.”

The Parasite HTTP RAT leverages string obfuscation and a sleep routine to delay execution and check for sandboxes or emulate environments. It first checks if an exception handler has run, then it checks whether between 900ms and two seconds elapsed in response to the routine’s 1-second sleep split into 10ms increments.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” states Proofpoint

In presence of a sandbox, the RAT halts the execution and attempts to make hard the forensic investigations.

“When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead making it difficult for researchers to determine  why the malware did not run properly and crashed. ” continues the analysis.

Experts observed the malware using code from a public repository for sandbox detection.

The Parasite HTTP RAT is being advertised on an underground forum. Researchers already spotted the threat in attacks in the wild.

The malware was involved in a small email campaign targeting organizations primarily in the information technology, healthcare, and retail industries.

The phishing emails used weaponized Microsoft Word attachments with macros that act as a downloader for the RAT

The Parasite HTTP RAT is written in C programming language. The author claims it has a small size (49kb) and has he no dependencies.

It also implements plugin support and dynamic API calls support.

Communication with the command and control (C&C) is encrypted, the author also offers a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.

It is interesting to note that the malware involves a rare process injection technique. On Windows 7 and newer versions, the malware resolves critical APIs to create registry entries.

The experts highlighted that the Parasite HTTP RAT  includes an obfuscated check for debugger breakpoints it also removes hooks on a series of DLLs to complicate the work of malware experts while investigating the threat.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint concludes.

Pierluigi Paganini

(Security Affairs – Parasite HTTP RAT, malware)

The post Parasite HTTP RAT implements a broad range of protections and evasion mechanims appeared first on Security Affairs.



Security Affairs

Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution

On Thursday, two Dutch brothers were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

In 2015, Melvin (25) and Dennis van den B. (21), were arrested from a district court in Rotterdam for their alleged involvement in CoinVault ransomware creation and distribution.

On Thursday, the Dutch men were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

The men were accused of breaking into computers, make other people’s work inaccessible, and extortion of 1295 people.

“The court today sentenced two men to hack computers and then extort a large group of people. The suspects were 22 and 18 years old at the time. The court finds that there are very serious facts and that a substantial prison sentence is in place.” reads the Rechtspraak.

“The reasons for not imposing an unconditional prison sentence are the fact that they have cooperated fully in the police investigation and in limiting the (digital) damage, their blank criminal record and that they have not committed any new criminal offenses in the past three years. “

CoinVault ransomware was first spotted in the wild in May 2014, it infected more than 14,000 Windows computers worldwide, most of them in the Netherlands, the US, the UK, Germany, and France.

In 2015, after the arrest of the suspects, the authorities seized the command and control server. Kaspersky researchers released a decryption tool for the ransomware allowing victims to decrypt their files for free.

CoinVault ransomware
The two suspects are Duch brothers and were identified with the help of experts from Kaspersky Labs due to bad opsec. The experts from Kaspersky reverse-engineered the malicious code created by the duo and discovered the full name of one of the suspects and their IP address on the command and control server.

“Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path.reported Kaspersky.

The two men, that have a clean criminal record, avoided the jail by collaborating in the investigation conducted by the authorities. The course sentenced them with 240 hours of community service, that corresponds to the maximum term of community service condemned people can serve.

The court has also ordered the Dutch brothers to pay compensation to some of their victims.

In order to protect your computer from malware:

  • Ensure your system software and antivirus definitions are up-to-date.
  • Avoid visiting suspicious websites.
  • Regularly backup your important files to a separate drive or storage that are only temporarily connected.
  • Be on high alert for pop-ups, spam, and unexpected email attachments.

Pierluigi Paganini

(Security Affairs –   CoinVault Ransomware, cybercrime)

The post Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution appeared first on Security Affairs.

Security Affairs: Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution

On Thursday, two Dutch brothers were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

In 2015, Melvin (25) and Dennis van den B. (21), were arrested from a district court in Rotterdam for their alleged involvement in CoinVault ransomware creation and distribution.

On Thursday, the Dutch men were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

The men were accused of breaking into computers, make other people’s work inaccessible, and extortion of 1295 people.

“The court today sentenced two men to hack computers and then extort a large group of people. The suspects were 22 and 18 years old at the time. The court finds that there are very serious facts and that a substantial prison sentence is in place.” reads the Rechtspraak.

“The reasons for not imposing an unconditional prison sentence are the fact that they have cooperated fully in the police investigation and in limiting the (digital) damage, their blank criminal record and that they have not committed any new criminal offenses in the past three years. “

CoinVault ransomware was first spotted in the wild in May 2014, it infected more than 14,000 Windows computers worldwide, most of them in the Netherlands, the US, the UK, Germany, and France.

In 2015, after the arrest of the suspects, the authorities seized the command and control server. Kaspersky researchers released a decryption tool for the ransomware allowing victims to decrypt their files for free.

CoinVault ransomware
The two suspects are Duch brothers and were identified with the help of experts from Kaspersky Labs due to bad opsec. The experts from Kaspersky reverse-engineered the malicious code created by the duo and discovered the full name of one of the suspects and their IP address on the command and control server.

“Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path.reported Kaspersky.

The two men, that have a clean criminal record, avoided the jail by collaborating in the investigation conducted by the authorities. The course sentenced them with 240 hours of community service, that corresponds to the maximum term of community service condemned people can serve.

The court has also ordered the Dutch brothers to pay compensation to some of their victims.

In order to protect your computer from malware:

  • Ensure your system software and antivirus definitions are up-to-date.
  • Avoid visiting suspicious websites.
  • Regularly backup your important files to a separate drive or storage that are only temporarily connected.
  • Be on high alert for pop-ups, spam, and unexpected email attachments.

Pierluigi Paganini

(Security Affairs –   CoinVault Ransomware, cybercrime)

The post Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution appeared first on Security Affairs.



Security Affairs

Leafminer cyber espionage group targets Middle East

Hackers belonging an Iran-linked APT group tracked as ‘Leafminer’ have targeted government and various organizations in the Middle East.

An Iran-linked APT group tracked as ‘Leafminer’ has targeted government and businesses in the Middle.

According to the experts from Symantec, the Leafminer group has been active at least since early 2017.

“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017. ” reads the analysis published by Symantec.

The experts detected malicious code and hacking tools associated with the cyber espionage group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries.

The extent of the campaigns conducted by the group could be wider, the researchers uncovered a list, written in Iran’s Farsi language, of 809 targets whose systems were scanned by the attackers.

The list groups each entry with organization of interest by geography and industry, in includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Most of the targets were in the financial, government and energy sectors.

Leafminer targets

The hackers used publicly available tools and custom-malware in their attacks.

“On a broad level, it has followed the recent trend among targeted attack groups for “living off the land”—using a mixture of publicly available tools alongside its own custom malware.” continues the report.

“More specifically, it mimicked Dragonfly’s use of a watering hole to harvest network credentials. It also capitalized on the Shadow Brokers release of Inception Framework tools, making use of the leaked Fuzzbunch framework by developing its own exploit payloads for it.”

Researchers discovered that hackers used three main techniques for initial intrusion of target networks:

  • Compromised web servers used for watering hole attacks
  • Scans/exploits for vulnerabilities of network services
  • Dictionary attacks against logins of network services

leafminer

While analyzing the attacks conducted by the group, the experts discovered a download URL for a malware payload used to compromise the victims. The URL pointed out to a compromised web server on the domain e-qht[.]az that had been used to distribute Leafminer malware, payloads, and tools within the group and make them available for download from victim machines.

“As of early June 2018, the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers. In addition to malware and tools, the served files also included uploads of log files seemingly originating from vulnerability scans and post-compromise tools.” continues the report.

“The web shell is a modification of the PhpSpy backdoor and references the author MagicCoder while linking to the (deleted) domain magiccoder.ir. Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army.”

Symantec discovered two custom malware used by the Leafminer group, tracked as Trojan.Imecab and Backdoor.Sorgu, the former provides persistent access with a hardcoded password, the latter implements classic backdoor features.

The group also leveraged a modified version of the popular Mimikatz post-exploitation tool. To avoid detection, the group used a technique dubbed Process Doppelgänging, discovered in December 2017 by researchers from Ensilo security firm.

The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” concludes Symantec.

Pierluigi Paganini

(Security Affairs – Leafminer, hacking)

The post Leafminer cyber espionage group targets Middle East appeared first on Security Affairs.

Security Affairs: Leafminer cyber espionage group targets Middle East

Hackers belonging an Iran-linked APT group tracked as ‘Leafminer’ have targeted government and various organizations in the Middle East.

An Iran-linked APT group tracked as ‘Leafminer’ has targeted government and businesses in the Middle.

According to the experts from Symantec, the Leafminer group has been active at least since early 2017.

“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017. ” reads the analysis published by Symantec.

The experts detected malicious code and hacking tools associated with the cyber espionage group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries.

The extent of the campaigns conducted by the group could be wider, the researchers uncovered a list, written in Iran’s Farsi language, of 809 targets whose systems were scanned by the attackers.

The list groups each entry with organization of interest by geography and industry, in includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Most of the targets were in the financial, government and energy sectors.

Leafminer targets

The hackers used publicly available tools and custom-malware in their attacks.

“On a broad level, it has followed the recent trend among targeted attack groups for “living off the land”—using a mixture of publicly available tools alongside its own custom malware.” continues the report.

“More specifically, it mimicked Dragonfly’s use of a watering hole to harvest network credentials. It also capitalized on the Shadow Brokers release of Inception Framework tools, making use of the leaked Fuzzbunch framework by developing its own exploit payloads for it.”

Researchers discovered that hackers used three main techniques for initial intrusion of target networks:

  • Compromised web servers used for watering hole attacks
  • Scans/exploits for vulnerabilities of network services
  • Dictionary attacks against logins of network services

leafminer

While analyzing the attacks conducted by the group, the experts discovered a download URL for a malware payload used to compromise the victims. The URL pointed out to a compromised web server on the domain e-qht[.]az that had been used to distribute Leafminer malware, payloads, and tools within the group and make them available for download from victim machines.

“As of early June 2018, the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers. In addition to malware and tools, the served files also included uploads of log files seemingly originating from vulnerability scans and post-compromise tools.” continues the report.

“The web shell is a modification of the PhpSpy backdoor and references the author MagicCoder while linking to the (deleted) domain magiccoder.ir. Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army.”

Symantec discovered two custom malware used by the Leafminer group, tracked as Trojan.Imecab and Backdoor.Sorgu, the former provides persistent access with a hardcoded password, the latter implements classic backdoor features.

The group also leveraged a modified version of the popular Mimikatz post-exploitation tool. To avoid detection, the group used a technique dubbed Process Doppelgänging, discovered in December 2017 by researchers from Ensilo security firm.

The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” concludes Symantec.

Pierluigi Paganini

(Security Affairs – Leafminer, hacking)

The post Leafminer cyber espionage group targets Middle East appeared first on Security Affairs.



Security Affairs

US-CERT warns of ongoing cyber attacks aimed at ERP applications

US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers an interesting report published by Digital Shadows and Onapsis.

US-CERT warns of cyber attacks on Enterprise resource planning (ERP) solutions such as Oracle and SAP, both nation-state actors and cybercrime syndicates are carrying out hacking campaign against these systems.

The report published by the US-CERT reference analysis conducted by Digital Shadows and Onapsis, titled “ERP Applications Under Fire.

“Digital Shadows Ltd. and Onapsis Inc. have released a report describing an increase in the exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications. ERP applications help organizations manage critical business processes—such as product lifecycle management, customer relationship management, and supply chain management.” reads the US-CERT bulletin.

“An attacker can exploit these vulnerabilities to obtain access to sensitive information.”

Unfortunately, there is an impressive number of systems exposed online without necessary security measures, it is quite easy for attackers to find online exploits that could be used to hack them.

“The findings shed light into how nation-state actors, cybercriminals and hacktivist groups are actively attacking these applications and what organizations should
do to mitigate this critical risk.” states the report.

“We observed detailed information on SAP hacking being exchanged at a major Russian-speaking criminal forum, as well as individuals interested in acquiring SAP HANA-specific exploits on the dark web. This goes in hand with an observed 100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.”

Below the key findings of the report:

Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations.

The experts uncovered at least nine operations carried out by hacktivist groups that targeted ERP applications, including SAP and Oracle ERP. The attackers aimed at sabotaging of the applications and compromising business-critical applications.

Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications.

Malware authors have improved their code to target ERP applications to steal SAP user credentials and use them in cyber espionage campaigns.

Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage.

Experts collected captured evidence of cyberattacks attributed to nation-state actors.

There has been a dramatic increase in the interest in exploits for SAP
applications, including SAP HANA, in dark web and cybercriminal forums.

Experts observed a spike in the interest in exploits for SAP applications in the Dark Web.

Attacks vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days.

Threat actors leverage continues to prefer well-known vulnerabilities instead of using zero-day exploits for their attacks.

Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.

Researchers have identified more than 17,000 SAP and Oracle ERP applications exposed on the internet, most of them operated by world’s largest commercial and government organizations.

ERP applications security report

“Many of these exposed systems run vulnerable versions and unprotected ERP components, which introduce a critical level of risk.” states the report.

Leaked information by third parties and employees can expose internal ERP applications.
Researchers discovered over 500 SAP configuration files on insecure file repositories exposed online, as well as employees sharing ERP login credentials in public forums. Such kind of information is a precious gift for hackers.

Experts recommend organizations to carefully review configurations for known vulnerabilities, change default passwords and enforce strong passwords for users.

Pierluigi Paganini

(Security Affairs – ERP applications, hacking)

The post US-CERT warns of ongoing cyber attacks aimed at ERP applications appeared first on Security Affairs.

ProtonMail launches Address Verification and full PGP support

Address Verification allows you to be sure you are securely communicating with the right person, while PGP support adds encrypted email interoperability.

Starting with the latest release of ProtonMail on web (v3.14), iOS and Android (v1.9), and the latest versions of the ProtonMail IMAP/SMTP Bridge, ProtonMail now supports Address Verification, along with full PGP interoperability and support. In this article, we’ll discuss these two new features in detail, and how they can dramatically improve email security and privacy.

Address Verification

When ProtonMail first launched in 2014, our goal was to make email encryption ubiquitous by making it easy enough for anybody to use. This is no easy feat, and that’s probably why it had never been done before. Our guiding philosophy is that the most secure systems in the world don’t actually benefit society if nobody can use them, and because of this, we made a number of design decisions for the sake of better usability.

One of these decisions was to make encryption key management automatic and invisible to the user. While this made it possible for millions of people around the world to start using encrypted email without any understanding of what an encryption key is, the resulting architecture required a certain level of trust in ProtonMail.

While a certain level of trust is always necessary when you use online services, our goal is to minimize the amount of trust required so that a compromise of ProtonMail doesn’t lead to a compromise of user communications. This is the philosophy behind our use of end-to-end encryption and zero-access encryption, and it is also the philosophy behind Address Verification.

Prior to the introduction of Address Verification, if ProtonMail was compromised, it would be possible to compromise user communications by sending to the user a fake public encryption key. This could cause email communications to be encrypted in a way that an attacker, holding the corresponding fake private key, could intercept and decrypt the messages (this is also known as a Man-in-the Middle attack, or MITM), despite the fact that the encryption takes place client side.

Address Verification provides an elegant solution to this problem. We consider this to be an advanced security feature and probably not necessary for the casual user, but as there are journalists and activists using ProtonMail for highly sensitive communications, we have made adding Address Verification a priority.

How Address Verification works

Address Verification works by leveraging the Encrypted Contacts feature that we released previously. Starting with the latest version of ProtonMail, when you receive a message from a ProtonMail contact, you now have the option (in the ProtonMail web app) to Trust Public Keys for this contact. Doing so saves the public key for this contact into the encrypted contacts, and as contacts data is not only encrypted, but also digitally signed, it is not possible to tamper with the public encryption key once it has been trusted.

This means that when sending emails to this contact, it is no longer possible for a malicious third party (even ProtonMail) to trick you into using a malicious public key that is different from the one you have trusted. This allows for a much higher level of security between two parties than is possible with any other encrypted email service. You can learn more about using Address Verification in our knowledge base article.

PGP Support

At the same time as Address Verification, we are also launching full support for PGP email encryption. As some of you may know, ProtonMail’s cryptography is already based upon PGP, and we maintain one of the world’s most widely used open source PGP libraries. PGP support is also an advanced feature that we don’t expect most users to use. If you need secure email, the easiest and most secure way to get it is still to get both you and your contact on ProtonMail, or if you are an enterprise, to migrate your business to ProtonMail.

However, for the many out there who still use PGP, the launch of full PGP support will make your life a lot easier. First, any ProtonMail user can now send PGP encrypted emails to non-ProtonMail users by importing the PGP public keys of those contacts. Second, it is also possible to receive PGP email at your ProtonMail account from any other PGP user in the world. You can now export your public key and share it with them.

Therefore, your ProtonMail account can in fact fully replace your existing PGP client. Instead of sharing your existing PGP public key, you can now share the PGP public key associated with your ProtonMail account and receive PGP encrypted emails directly in your ProtonMail account.

If you are an existing PGP user and you would like to keep your existing custom email address (e.g. john@mydomain.com), we’ve got you covered there, too. It is possible to move your email hosting to ProtonMail and import your existing PGP keys for your address, so you don’t need to share new keys and a new email address with your contacts.

If you are using PGP for sensitive purposes, this might actually be preferable to continuing to use your existing PGP client. For one, PGP is fully integrated into ProtonMail, encryption/decryption is fully automated, and the new Address Verification feature is used to protect you against MITM attacks. More importantly though, ProtonMail is not susceptible to the eFail class of vulnerabilities, which have impacted many PGP clients, and our PGP implementations are being actively maintained.

You can find more details about using PGP with ProtonMail here.

Introducing ProtonMail’s public key server

Finally, we are formally launching a public key server to make key discovery easier than ever. If your contact is already using ProtonMail, then key discovery is automatic (and you can use Address Verification to make it even more secure if you want). But if a non-ProtonMail user (like a PGP user) wants to email you securely at your ProtonMail account, they need a way to discover your public encryption key. If they don’t get it from your public profile or website, they are generally out of luck.

Our public key server solves this problem by providing a centralized place to look up the public key of any ProtonMail address (and non-ProtonMail addresses hosted at ProtonMail).

Our public key server can be found at hkps://api.protonmail.ch (!! This link is used for HKP requests and cannot be accessed with a browser. However, if you want to download the public key of a ProtonMail users, simply replace the “username@protonmail.com” with the address you’re looking for and copy/paste the following link into your browser: https://api.protonmail.ch/pks/lookup?op=get&search=username@protonmail.com)

Concluding thoughts on open standards and federation

Today, ProtonMail is the world’s most widely used email encryption system, and for most of our users the addition of Address Verification and PGP support will not change how you use ProtonMail. In particular, setting up PGP (generating encryption keys, sharing them, and getting your contacts to do the same) is simply too complicated, and it is far easier for most people to simply create a ProtonMail account and benefit from end-to-end encryption and zero-access encryption without worrying about details like key management.

Still, launching PGP support is important to us. The beauty of email is that it is federated, meaning that anybody can implement it. It is not controlled by any single entity, it is not centralized, and there is not a single point of failure. While this does constrain email in many ways, it has also made email the most widespread and most successful communication system ever devised.

PGP, because it is built on top of email, is therefore also a federated encryption system. Unlike other encrypted communications systems, such as Signal or Telegram, PGP doesn’t belong to anybody, there is no single central server, and you aren’t forced to use one service over another. We believe encrypted communications should be open and not a walled garden. ProtonMail is now interoperable with practically ANY other past, present, or future email system that supports the OpenPGP standard, and our implementation of this standard is also itself open source.

ProtonMail PGP support

We still have a long way to go before we can make privacy accessible to everyone, and in the coming months and years we will be releasing many more features and products to make this possible. If you would like to support our mission, you can always donate or upgrade to a paid plan.

About the Author: The ProtonMail Team

You can read the ProtonMail press release here.

Pierluigi Paganini

(Security Affairs – ProtonMail, privacy)

The post ProtonMail launches Address Verification and full PGP support appeared first on Security Affairs.

Ransomware attack disrupted some systems of the shipping giant COSCO in the US

The Chinese shipping giant COSCO was reportedly hit by a ransomware based attack, the attack occurred in the American region.

According to COSCO a “local network breakdown” disrupted some systems in the United States.

Media confirmed the incident was the result of a ransomware attack and quoted a company spokesman as the source.

“The China Ocean Shipping Co. Terminal at the Port of Long Beach was hit by a cyberattack on Tuesday, July 24.” states local media.

“A spokesman for the Shanghai-based company, which acknowledged the ransomware attack Tuesday, said that the company’s operations outside the United States were not affected.”

cosco ransomware

The shipping company quickly isolates the systems to avoid propagation to other regions and started an internal investigation, the firm confirmed that the incident did not affect operations of the fleet.

“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations.” reads the security advisory published by COSCO.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,”

The Journal of Commerce, citing COSCO Vice President Howard Finkel, reported communications between the carrier’s U.S. operations and its customers has been slowed due to the cyber attack. Digital communications were disrupted and the communications were going on via telephone.

Port of Long Beach spokesman Lee Peterson confirmed the attack and added that it is monitoring the situation.

According to the popular security expert Kevin Beaumont‏, the ransomware has infected a portion of the infrastructure that hosts the company website (cosco-usa.com), phone and email systems, and WAN and VPN gateways.

At the time of writing the affected U.S. systems still appear to be offline.

The good news is that the attack doesn’t appear severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to the second quarter earnings report, there were expecting losses between $200 million and $300 million due to “significant business interruption” because the company was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

Pierluigi Paganini

(Security Affairs – COSCO,  Ransomware)

The post Ransomware attack disrupted some systems of the shipping giant COSCO in the US appeared first on Security Affairs.

Experts discovered a Kernel Level Privilege Escalation in Oracle Solaris

Security expert discovered Kernel Level Privilege Escalation vulnerability in the Availability Suite Service component of Oracle Solaris 10 and 11.3

Security researchers from Trustwave have discovered a new high severity vulnerability, tracked as CVE-2018-2892, that affected the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The flaw could be exploited by a remote authenticated attacker to execute code with elevated privileges.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation.” reads the security advisory published by the company.

“The issue is the result of a signedness bug in the bounds checking of the ‘SDBC_TEST_INIT’ ioctl code sent to the ‘/dev/sdbc‘ device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

The experts discovered that the flaw was first discovered in 2007 and it was publicly disclosed in 2009 during the CanSecWest security conference.

The vulnerability is the result of a combination of several arbitrary memory dereference issued and an unbounded memory write vulnerability.

“The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html).” reads the analysis published by Trustwave. “The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin().”

oracle solaris

Oracle also rolled out a security patch after the issue was disclosed, but evidently the problem was not totally addressed.

“Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.” continues Trustwave.

According to the experts, the flaw is still present in the solution due to the introduction of additional code used for testing purposes.

Oracle addressed this flaw as a part of the July CPU security updates

Pierluigi Paganini

(Security Affairs – Oracle Solaris, Kernel Level Privilege Escalation)

The post Experts discovered a Kernel Level Privilege Escalation in Oracle Solaris appeared first on Security Affairs.

Kronos Banking Trojan resurrection, new campaigns spotted in the wild

Researchers from Proofpoint have discovered a new variant of the infamous Kronos banking Trojan that was involved in several attacks in the recent months.

The infamous Kronos banking Trojan is back, and according to the experts from Proofpoint it was involved in several attacks in the last months.

The malware was first spotted in 2014 by researchers at security firm Trusteer that discovered an adv on the Russian underground market regarding a new financial Trojan dubbed Kronos.

 Kronos banking trojan

The new variant was discovered in at least three distinct campaigns targeting Germany, Japan, and Poland respectively.

The new variants share many similarities with older versions:

  • Extensive code overlap
  • Same Windows API hashing technique and hashes
  • Same string encryption technique
  • Extensive string overlap
  • Same C&C encryption mechanism
  • Same C&C protocol and encryption
  • Same webinject format (Zeus format)
  • Similar C&C panel file layout

“Some of the features highlighted in the ad (written in C++, banking Trojan, uses Tor, has form grabbing and keylogger functionality, and uses Zeus-formatted webinjects) overlap with features we observed in this new version of Kronos.” continues the analysis.

“The ad mentions the size of the bot to be 350 KB which is very close to the size (351 KB) of an early, unpacked sample of the new version of Kronos we found in the wild [8]. This sample was also named “os.exe” which may be short for “Osiris”.”

Since April 2018, experts discovered new samples of a new variant of the Kronos banking Trojan in the wild. The most important improvement is represented by the command and control (C&C) mechanism that leverages the Tor anonymizing network.

“There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.” states the analysis published by Proofpoint.

A first campaign was observed on June 27, the malware was targeting German users with weaponized documents attached to spam emails. The macros included in the document was used as downloader for the payload, in some cases, the SmokeLoader downloader.

A second campaign was uncovered on July 13, the victims were infected through a malvertising campaign. The malicious ads pointed out to a website that thanks to JavaScript injections redirected visitors to the RIG exploit kit, that delivered SmokeLoader. The downloader would deliver the Kronos onto the compromised machines.

A third campaign was observed since July 15 and sees victims receiving fake invoice emails carrying weaponized documents that attempted to exploit the CVE-2017-11882 vulnerability to deliver and execute the Kronos Trojan.

The experts highlighted that the malware leveraged webinjects in the German and Japanese campaigns, but they weren’t involved in the attacks on Poland.

The fourth campaign started on July 20 and according to the experts it is still ongoing.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.” Proofpoint concludes.

“While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,”

Pierluigi Paganini

Security Affairs –  (Kronos, banking)

The post Kronos Banking Trojan resurrection, new campaigns spotted in the wild appeared first on Security Affairs.

Hide ‘N Seek botnet also includes exploits for home automation systems

Security experts from Fortinet have discovered that the Hide ‘N Seek botnet is now targeting vulnerabilities in home automation systems.

The Hide ‘N Seek botnet was first spotted on January 10th when it was targeting home routers and IP cameras.

It was first spotted on January 10th by malware researchers from Bitdefender then it disappeared for a few days, and appeared again a few week later infecting in less than a weeks more than 20,000 devices.

Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

In May the botnet infected over 90,000 unique devices, recently researchers from Qihoo 360’s NetLab discovered the bot was also targeting AVTECH webcams, Cisco Linksys routers, OrientDB and CouchDB database servers.

Hide ‘N Seek timeline

Fortinet experts have compared three different versions of the bot across the time.

The security firm reports that the latest version of the bot has a configuration composed up of 110 entries and 9 exploits.

“We can easily spot the difference between them simply by the number of entries each one has. We are particularly interested in the exploits that each version is using.states Fortinet.

“The first variant, as shown below, has a configuration made up of 60 entries that includes 2 exploits, the second has 81 entries and 6 exploits, while the most recent now has 110 entries and 9 exploits.”

Hide ‘N Seek authors recently included an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability, the malicious code allows the botnet to target devices in smart homes controller by the HomeMatic central unit.

The bot also includes the exploit for an RCE issue in the Belkin NetCam devices.

The experts believe the author of the Hide ‘N Seek botnet will continue to improve the bot by adding new exploits to target a broad range of devices.

The security researchers also say they expect the threat to add more functions in future iterations, as well as to expand usage of publicly available exploits

“HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet concludes.

“With this new understanding of this malware’s recent behaviour we expect the next alterations to include more functions as well as the usage of publicly available exploits.”

Pierluigi Paganini

(Security Affairs – Hide ‘N Seek, hacking)

The post Hide ‘N Seek botnet also includes exploits for home automation systems appeared first on Security Affairs.

Koran Davolink routers are easy exploitable due to poor cyber hygene

Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTLM of login page.

The story started in 2018 when Anubhav noticed a very basic flaw the routers of the Korean vendor Davolink.

These Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected.

Analyzing the code of the page the expert has noticed a function named “clickApply” that included the password in standard base 64 coding.

function clickApply(sel) 
{ 
var user_passwd="YWRtaW4="; 
var super_passwd="(null)"; 
document.forms[0].http_passwd.value = encode(document.forms[0].tmp_http_passwd.value);

Davolink dvw
Scanning the Internet for similar devices using the search engine Zoomeye, he discovered more than 50 routers in Korea are exposed only and are accessible providing the hardcoded password.
Davolink

The expert reported the issue to the vendor that quickly acknowledged it and responded that they have discontinued the product. The vendor added that a working patch is already available.

The expert published the exploit code on exploit-db.

“Many IoT vendors are not doing the basics right as keeping the password in the HTML source, it is a very basic security issue” concluded Anubhav

“and it is a relevant issue as users in Korea are using it”

Pierluigi Paganini

(Security Affairs – Davolink, hacking)

The post Koran Davolink routers are easy exploitable due to poor cyber hygene appeared first on Security Affairs.

Security Affairs: The Death botnet grows targeting AVTech devices with a 2-years old exploit

A new botnet, tracked as Death botnet has appeared in the threat landscape and is gathering unpatched AVTech devices with an old exploit.

A new botnet, tracked as ‘Death botnet,’ has appeared in the threat landscape, its author that goes online with the moniker EliteLands is gathering unpatched AVTech devices in the malicious infrastructure.

AVTech is one of the world’s leading CCTV manufacturers, it is the largest public-listed company in the Taiwan surveillance industry.

EliteLands is using a 2-years old exploit that could be used to trigger tens of well-known vulnerabilities in the AVTech firmware. Many products of the vendor currently run the vulnerable firmware, including DVRs, NVRs, and IP cameras.

The security expert Ankit Anubhav who discovered the Death botnet revealed that outdated firmware versions expose the passwords of the AVTech device in cleartext. The flaw could be exploited by an unauthenticated attacker to add users to existing devices.

Ankit Anubhav told Bleeping Computer that EliteLands is exploiting the issues to add new users to AVTech devices.

The expert explained that older firmware is vulnerable to a command injection vulnerability for the password field, this means that the attacker can provide a shell command in this field to get it executed and take over the devices.

“So, if I put reboot as password, the AVTech system gets rebooted,” Anubhav explained. “Of course, the Death botnet is doing much more than just rebooting.”

AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware. Recently, another botnet, the Hide ‘N Seek (HNS) botnet, started leveraging the same issue ((new) AVTECH RCE) to target IoT devices.

At the end of June, AVTech published a security alert regarding the attacks exploiting the above flaw.

Anubhav confirmed that EliteLands gathering devices for his Death botnet by targeting exposed devices with different payloads for the password field.

The latest version of payload used by EliteLands is adding accounts with a lifespan of five minutes that execute his payload and then is deleted from the device.

“This is like a burner account,” Anubhav told Bleeping Computer. “Usually people don’t make new user accounts with access of only 5 minutes.”

Anubhav has already identified over 1,200 AVTech devices that are potentially at risk.

Anubhav contacted the EliteLands who confirmed that he plans to use the Death botnet in massive attacks.

“The Death botnet has not attacked anything major yet but I know it will,” EliteLands said. “The Death botnet purpose was orginally just to ddos but I have a greater plan on it soon. I dont really use it for attacks only to get customers aware of the power it has.”

Stay tuned.

Pierluigi Paganini

(Security Affairs – Death botnet,  hacking)

The post The Death botnet grows targeting AVTech devices with a 2-years old exploit appeared first on Security Affairs.



Security Affairs

The Death botnet grows targeting AVTech devices with a 2-years old exploit

A new botnet, tracked as Death botnet has appeared in the threat landscape and is gathering unpatched AVTech devices with an old exploit.

A new botnet, tracked as ‘Death botnet,’ has appeared in the threat landscape, its author that goes online with the moniker EliteLands is gathering unpatched AVTech devices in the malicious infrastructure.

AVTech is one of the world’s leading CCTV manufacturers, it is the largest public-listed company in the Taiwan surveillance industry.

EliteLands is using a 2-years old exploit that could be used to trigger tens of well-known vulnerabilities in the AVTech firmware. Many products of the vendor currently run the vulnerable firmware, including DVRs, NVRs, and IP cameras.

The security expert Ankit Anubhav who discovered the Death botnet revealed that outdated firmware versions expose the passwords of the AVTech device in cleartext. The flaw could be exploited by an unauthenticated attacker to add users to existing devices.

Ankit Anubhav told Bleeping Computer that EliteLands is exploiting the issues to add new users to AVTech devices.

The expert explained that older firmware is vulnerable to a command injection vulnerability for the password field, this means that the attacker can provide a shell command in this field to get it executed and take over the devices.

“So, if I put reboot as password, the AVTech system gets rebooted,” Anubhav explained. “Of course, the Death botnet is doing much more than just rebooting.”

AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware. Recently, another botnet, the Hide ‘N Seek (HNS) botnet, started leveraging the same issue ((new) AVTECH RCE) to target IoT devices.

At the end of June, AVTech published a security alert regarding the attacks exploiting the above flaw.

Anubhav confirmed that EliteLands gathering devices for his Death botnet by targeting exposed devices with different payloads for the password field.

The latest version of payload used by EliteLands is adding accounts with a lifespan of five minutes that execute his payload and then is deleted from the device.

“This is like a burner account,” Anubhav told Bleeping Computer. “Usually people don’t make new user accounts with access of only 5 minutes.”

Anubhav has already identified over 1,200 AVTech devices that are potentially at risk.

Anubhav contacted the EliteLands who confirmed that he plans to use the Death botnet in massive attacks.

“The Death botnet has not attacked anything major yet but I know it will,” EliteLands said. “The Death botnet purpose was orginally just to ddos but I have a greater plan on it soon. I dont really use it for attacks only to get customers aware of the power it has.”

Stay tuned.

Pierluigi Paganini

(Security Affairs – Death botnet,  hacking)

The post The Death botnet grows targeting AVTech devices with a 2-years old exploit appeared first on Security Affairs.

Apache Software Foundation fixes important flaws in Apache Tomcat

The Apache Software Foundation has rolled out security updates for the Tomcat application server that address several flaws.

The Apache Software Foundation has released security updates for the Tomcat application server that address several vulnerabilities, including issues that trigger a denial-of-service (DoS) condition or can lead to information disclosure.

Apache Tomcat is an open-source Java Servlet Container that implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

It has been estimated that Tomcat has a market share of over 60 percent.

The first flaw addressed by the Apache Software Foundation is the CVE-2018-8037, it is an important bug in the tracking of connection closures that can lead to reuse of user sessions in a new connection.

The flaw affects Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Tomcat 9.0.10 and 8.5.32 releases address the vulnerabilities.

Another important issue addressed by the Foundation is the CVE-2018-1336, it is an improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder triggering a Denial of Service condition.

The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x.

Versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90 addresses the vulnerability.

apache tomcat

The Apache Software Foundation also fixed a low severity security constraints bypass tracked as  CVE-2018-8034.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the security advisory.

The vulnerability has been addressed with the release of the latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x versions.

The US-CERT has released a security alert that urges users to apply security updates.

“The Apache Software Foundation has released security updates to address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.” reads the security advisory published by the US-CERT.

“NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates.”

Apache Tomcat vulnerabilities are less likely to be exploited in the wild.

Ignite is impacted by two security holes, both of which could lead to arbitrary code execution .

Pierluigi Paganini

(Security Affairs – Apache Software Foundation,  hacking)

The post Apache Software Foundation fixes important flaws in Apache Tomcat appeared first on Security Affairs.

CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic

Security researchers have found a high severity flaw (CVE-2018-5383) affecting some Bluetooth implementations that allow attackers to manipulate traffic.

Security researchers at the Israel Institute of Technology have found a high severity vulnerability affecting some Bluetooth implementations that could be exploited by an unauthenticated remote attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.

The issue tracked as CVE-2018-5383 affects the Secure Simple Pairing and LE Secure Connections features, it affects firmware or drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm.

The Bluetooth specifications recommend that devices supporting the above features validate the public key exchanged during the pairing process.

Experts from Bluetooth Special Interest Group (SIG), the group that oversees the development of Bluetooth standards, explained that some vendors do not implement public key validation.

Basically, a nearby attacker can launch a man-in-the-middle (MitM) attack and obtain the encryption key, then it can monitor and manipulate the traffic exchanged by the devices.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.” reads the advisory published by the Bluetooth SIG explained.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,”

CVE-2018-5383 Bluetooth

The Bluetooth SIG has addressed the vulnerability by updating the specification, now it is mandatory for products to implement public key validation during the pairing process.

Moreover, the Bluetooth SIG has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC published a security advisory on the flaw that includes technical details.

“Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.” reads the advisory published by the CERT/CC.

According to the Bluetooth SIG, there is no evidence that the CVE-2018-5383 flaw has been exploited attacks in the wild.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” added the Bluetooth SIG.

Both Apple and Intel have rolled out security patches to address the CVE-2018-5383 vulnerability.

According to Intel, the vulnerability affects the Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families.

The vendor has already rolled out both software and firmware updates to fix the issue.

According to Broadcom, some of its products supporting Bluetooth 2.1 or newer technology may be impacted, it also added that security fixes were already provided to OEM customers.

Pierluigi Paganini

(Security Affairs – CVE-2018-5383,  hacking)

The post CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic appeared first on Security Affairs.

Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency

It is common for developers to use debugging tools with elevated privileges while they are trying to troubleshoot their code. But crooks can abuse them too.

In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.

Based upon recent spikes in scans of TCP port 5555, someone believes that there is an exploitable vulnerability out there.

The Android software development kit (SDK) provides a tool for developers to debug their code called the Android Debug Bridge (adb.) According to the Google developer portal,

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

These are very powerful functions for debugging tools, and also useful for executing malicious code without being trapped by the usual security controls. As long as the adb tools is being used in a secured environment, it presents little risk. It is recommended that the adb service is disabled before releasing devices to consumers and it is common for the adb service to be restricted to USB connectivity only.

In early June security researcher Kevin Beaumont, warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He goes on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet, “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It only took one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.

According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”

ADBPort debugging tools

The Trend Micro researchers’ analysis shows a fairly typical command & control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server,  then scans processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.

It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.

The Trend Micro researchers offer a few suggestions to reduce your risk:

  • On your mobile device, go to settings, select “Developer Options” and ensure that “ADB (USB) debugging and “Apps from Unknown Sources” are turned off
  • Apply recommended patches and updates from the vendor
  • Perform a factory reset to erase the malware if you feel you are infected
  • Update intrusion prevention systems (IPS) to identify potentially malicious code from reaching your device

The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting and is a frequent speaker on ICS, IoT and Blockchain risk topics. He is currently Global CISO for the ATCO Group of companies.

Pierluigi Paganini

(Security Affairs – debugging tools, hacking)

The post Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency appeared first on Security Affairs.

DHS – Russian APT groups are inside US critical infrastructure

The US Government is warning of continuous intrusions in National critical infrastructure and it is blaming the Kremlin for the cyber attacks.

According to the US Department of Homeland Security, Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and are still targeting them.

These attacks could have dramatic consequence, an attack against a power grid could cause a massive power outage.

It isn’t a sci-fi, it has already happened in Ukraine and security experts blamed Russian APT groups tracked as Dragonfly and Energetic Bear.

According to the government experts, hackers were able to penetrate also air-gapped networks.

The Wall Street Journal quoted Homeland Security officials reporting various attacks.

“Hackers working for Russia claimed “hundreds of victims” last year in a long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said.” states the WSJ.

The officials sustain that the Energetic Bear APT has already penetrated “hundreds” of systems in national power grids.

The DHS issued several alerts related to the APT attacks and shared technical details about their TTPs, including Indicators of Compromise (IOCs) to detect their presence in the IT infrastructure.

Cyber intrusions of critical infrastructure are part of long-term information warfare strategy.

Russians APT Groups carried out spear-phishing attacks against utilities’ equipment vendors and sub subtractors to gather intelligence and collect information to penetrate the infrastructure.

Hackers aim at the exploitation of the accesses into the utilities used by equipment makers and suppliers for ordinary maintenance and telemetry. Their accesses could allow them to deploy malware into the facilities.

Unfortunately, the attacks are still ongoing, many critical infrastructure are operated by private companies with pour cyber hygiene.

Unfortunately, in many cases, the operators totally ignore the presence of the attackers into their networks.

“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial control system analysis for Homeland Security, told the paper.

Pierluigi Paganini

(Security Affairs – US critical infrastructure, hacking)

The post DHS – Russian APT groups are inside US critical infrastructure appeared first on Security Affairs.

SpectreRSB – new Spectre CPU side-channel attack using the Return Stack Buffer

Researchers from the University of California, Riverside (UCR) have devised a new Spectre CPU side-channel attack called SpectreRSB.

SpectreRSB leverage the speculative execution technique that is implemented by most modern CPUs to optimize performance.

Differently, from other Spectre attacks, SpectreRSB recovers data from the speculative execution process by targeting the Return Stack Buffer (RSB).

“rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return
addresses.” reads the research paper.

“We show that both local attacks (within the same process such as Spectre 1) and attacks on SGX are possible by constructing proof of concept attacks”

The experts demonstrated that they could pollute the RSB code to control the return address and poison a CPU’s speculative execution routine.

The experts explained that the RSB is shared among hardware threads that execute
on the same virtual processor enabling inter-process, or even inter-vm, pollution of the RSB

The academics proposed three attack scenarios that leverage the SpectreRSB attack to pollute the RSB and gain access to data they weren’t authorized to view.

In two attacks, the experts polluted the RSB to access data from other applications running on the same CPU. In the thirds attack they polluted the RSB to cause a misspeculation that exposes data outside an SGX compartment.

“an attack against an SGX compartment where a malicious OS pollutes the RSB
to cause a misspeculation that exposes data outside an SGX compartment. This attack bypasses all software and microcode patches on our SGX machine” continues the paper.

Researchers said they reported the issue to Intel, but also to AMD and ARM. Researchers only tested the attack on Intel CPUs, but it is likely that both AMD and ARM processors are affected because they both use RSBs to predict return addresses.

According to the researchers, current Spectre patches are not able to mitigate the SpectreRSB attacks.

“Importantly, none of the known defenses including Retpoline and Intel’s microcode patches stop all SpectreRSB attacks,” wrote the experts.

“We believe that future system developers should be aware of this vulnerability and consider it in developing defenses against speculation attacks. “

SpectreRSB

The good news is that Intel has already a patch that stops this attack on some CPUs, but wasn’t rolled out to all of its processors.

“In particular, on Core-i7 Skylake and newer processors (but not on Intel’s Xeon processor line), a patch called RSB refilling is used to address a vulnerability when the RSB underfills” continues the researchers.

“This defense interferes with SpectreRSB’s ability to launch attacks that switch into the kernel. We recommend that this patch should be used on all machines to protect against SpectreRSB.”

A spokesperson for Intel told El Reg the Xeon maker believes its mitigations do thwart SpectreRSB side-channel shenanigans:

“SpectreRSB is related to Branch Target Injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner. We have already published guidance for developers in the whitepaper, Speculative Execution Side Channel Mitigations. We are thankful for the ongoing work of the research community as we collectively work to help protect customers.”

Pierluigi Paganini

(Security Affairs – SpectreRSB, hacking)

The post SpectreRSB – new Spectre CPU side-channel attack using the Return Stack Buffer appeared first on Security Affairs.

Sony addresses remotely exploitable flaws in Sony IPELA E Network Cameras

Sony fixed 2 remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code.

Sony addressed two remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code on affected devices.

The first vulnerability, tracked as CVE-2018-3937, is a command injection issue that affects the measurementBitrateExec features implemented in the IPELA E Series Network Camera.

The vulnerability was reported by the researchers Cory Duplantis and Claudio Bozzato from Cisco Talos. An attacker could execute arbitrary code by sending specially crafted HTTP  GET request to vulnerable devices.

“An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The experts explained that the devices fail to check on the server address while parsing the input measurement string. The attacker can provide any string as the server address and it will be executed via system.

“While parsing the input measurement string, there isn’t a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” continues the experts.

Sony IPELA E

The second issue, tracked as CVE-2018-3938, is a stack buffer overflow that resides in the 802dot1xclientcert.cgi functionality of the Sony IPELA E Series Camera products.

“An exploitable stack buffer overflow vulnerability exists in the “802dot1xclientcert.cgi” functionality of Sony IPELA E Series Camera. A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The vulnerability could be exploited by sending specially crafted POST request.

“A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability,” continues the experts.

The 802dot1xclientcert.cgi component is “designed to handle everything related to certificate management for 802.1x.”

The system fails to check the strlen length of the incoming data that is directly copied to a local buffer via memcpy. This means that the attacker can provide content to trigger the stack-based buffer overflow that could allow the attacker to remotely execute commands on the affected device.

Both vulnerabilities effects Sony IPELA E series G5 firmware 1.87.00, the tech giant released an update last week to address them.

Pierluigi Paganini

(Security Affairs – Sony IPELA E,  hacking)

The post Sony addresses remotely exploitable flaws in Sony IPELA E Network Cameras appeared first on Security Affairs.

Experts warn of new campaigns leveraging Mirai and Gafgyt variants

Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt.

Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt.

Since the code of the infamous Mirai botnet was leaked online many variants emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the last variants appeared online in 2018.

The Gafgyt botnet, also known as Bashlite and Lizkebab, first appeared in the wild in 2014 had its source code was leaked in early 2015.

In September 2016, a joint research conducted by Level 3 Communications and Flashpoint allowed the identification of a million devices infected by the BASHLITE malware.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.” reads the analysis published by PaloAlto Network. 

“Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.”

The latest variants of both bots include the code to target the D-Link DSL-2750B OS Command Injection flaw, experts noticed that the new feature was implemented only a few weeks after the publication of the Metasploit module for its exploitation on May 25.

According to the experts, the two attacks appear to be linked.

The first campaign spotted by the experts is associated with the Omni bot that is one of the latest variants of the Mirai malware. The Omni bot includes a broad range of exploits such the code to trigger two vulnerabilities (CVE-2018-10561 and CVE-2018-1562) in Dasan GPON routers, a flaw in Huawei router tracked as CVE-2017–17215, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a remote code execution in CCTVs and DVRs from over 70 vendors, a JAWS Webserver command execution.

“All of these vulnerabilities are publicly known and have been exploited by different botnets either separately or in combination with others in the past, however, this is the first Mirai variant using all eleven of them together.” continues the report published by PaloAlto.

The campaign leverages two different encryption schemes, the bot propagates only via exploits and prevents further infection of compromised devices through dropping packets received on certain ports using iptables.

The last variant of Mirai uses the IP 213[.]183.53.120 for both for serving payloads and as a Command and Control (C2) server, the same address was also used by some Gafgyt samples.

A second campaign observed by the researchers was using the same exploits of the previous one but also attempted to carry on credential brute force attacks.

The campaign was tracked as Okane by the name of the binaries downloaded by the shell script to replicate itself.

“Unlike the previous campaign, these samples also perform a credential brute force attack.” continues the analysis. 

“Some unusual entries were discovered on the brute force lists in these samples, such as the following:

Some samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code.”

mirai okane

Experts at PaloAlto Networks observed a third campaign, tracked as Hakai, that was attempting to infect devices with the Gafgyt malware by using all the previous exploits code, except for the UPnP SOAP TelnetD Command Execution exploit.

Further details about the campaigns, including IoCs are included in the post published by PaloAlto.

Pierluigi Paganini

(Security Affairs – Mirai, botnet)

The post Experts warn of new campaigns leveraging Mirai and Gafgyt variants appeared first on Security Affairs.

The source code of the Exobot Android banking trojan has been leaked online

The source code of the Exobot Android banking trojan has been leaked online, researchers already verified its authenticity.

The source code of the Exobot Android banking trojan has been leaked online and experts believe that we will soon assist at a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

The authors were advertising it saying that it can be used for phishing attacks, it implements various features of most common banking Trojan such as intercepting SMS messages.

Exobot is a powerful banking malware that is able of infecting even smartphones running the latest Android versions.

In January, the authors decided to stop working at the malware and offered for sale its source code.

Now researchers from Bleeping Computer confirmed to have received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric in order to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last version before its original author gave up on its development.” reads a blog post published by Bleeping Computer.

Exobot Android banking trojan

According to experts from ThreatFabric the version provided to Bleeping Computer was leaked online in May. It seems that one of the users that purchased the malicious code decided to leak it online.

According to the experts, the source code for the Exobot Android banking Trojan is now being distributed on a few underground hacking forums, this means that threat actors can now work on their own version and also offer it with a malware-as-a-service model.

“In the coming months, we may see Android malware devs slowly migrating their campaigns from BankBot to Exobot, as few will decline a “free upgrade” to a better code.” concluded Bleeping Computers.

Pierluigi Paganini

(Security Affairs – Android,  banking Trojan)

The post The source code of the Exobot Android banking trojan has been leaked online appeared first on Security Affairs.

CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing

Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group.

A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.

APT27 syria

 

The folder was found on a compromised website at the following URL:

hxxp://chatsecurelite.uk[.]to

This website is written in Arabic language and translating its content it seems to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

Security researchers from CSE Cybsec Z-Lab analyzed the content of the folder and discovered an Android spyware that was developed to exfiltrate sensitive information from victims’ devices.

The malicious code was used to compromise entities in the area, the researchers discovered that it was part or the arsenal of a Chinese APT group tracked as APT27, aka Golden Rat Organization.

The APT27 group focused its activity in Syria in the last couple of years, it used both Windows and Android malware to compromise target devices. Its code was not so sophisticated, anyway, the activity of the group is still ongoing.

Searching online we have found only one team of researchers that tracked the activity of the APT27 group in Syria since 2016, it was a group of researchers at 360 Threat Intelligence Center.

The analysis published by the team revealed the activity of the APT27 in Syria, the code analyzed by malware analysts at Zlab at CSE Cybsec and the one dissected by 360 Threat Intelligence Center is quite identical.

The 360 Threat Intelligence Center is dated 2017, the experts at CSE Cybsec collected evidence that the cyber espionage is still ongoing and that the threat actor continues to improve its malicious code.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara Rules are available in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf

 

Pierluigi Paganini

(Security Affairs – APT27, Syria)

The post CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing appeared first on Security Affairs.

Security Affairs: CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing

Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group.

A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.

APT27 syria

 

The folder was found on a compromised website at the following URL:

hxxp://chatsecurelite.uk[.]to

This website is written in Arabic language and translating its content it seems to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

Security researchers from CSE Cybsec Z-Lab analyzed the content of the folder and discovered an Android spyware that was developed to exfiltrate sensitive information from victims’ devices.

The malicious code was used to compromise entities in the area, the researchers discovered that it was part or the arsenal of a Chinese APT group tracked as APT27, aka Golden Rat Organization.

The APT27 group focused its activity in Syria in the last couple of years, it used both Windows and Android malware to compromise target devices. Its code was not so sophisticated, anyway, the activity of the group is still ongoing.

Searching online we have found only one team of researchers that tracked the activity of the APT27 group in Syria since 2016, it was a group of researchers at 360 Threat Intelligence Center.

The analysis published by the team revealed the activity of the APT27 in Syria, the code analyzed by malware analysts at Zlab at CSE Cybsec and the one dissected by 360 Threat Intelligence Center is quite identical.

The 360 Threat Intelligence Center is dated 2017, the experts at CSE Cybsec collected evidence that the cyber espionage is still ongoing and that the threat actor continues to improve its malicious code.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara Rules are available in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf

 

Pierluigi Paganini

(Security Affairs – APT27, Syria)

The post CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing appeared first on Security Affairs.



Security Affairs

Security Affairs: Experts believe US Cyber Command it the only entity that can carry out ‘hack backs’

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector.

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector, and when appropriate, the military’s hacking unit should hit back, this is what three experts said at a panel organized by APCO.

The three experts with experience in the private sector, intelligence community and military, agreed that the private organization victims of cyber attacks have to delegate the response against the attackers to the US Cyber Command.

“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former DOD cyber officer.

The experts highlighted that private companies have no intelligence abilities to attribute the attacks to a specific threat actor and have no specific offensive capabilities to conduct hack backs.

Private companies not only have no capabilities to conduct hack backs, they are not legally authorized to do it.

“The U.S. government should decide how to retaliate against the worst attacks on the country’s private sector, and when appropriate, the military’s hacking unit should hit back, three experts said Monday.reported CyberScoop.

“The controversial idea entails taking the fight to nefarious actors by attacking their computer network in-kind, probing for exfiltrated data and employing measures to retrieve or destroy stolen information.”

Alex Bolling, the former chief of operations at the CIA’s Information Operations Center, approached the problem of cyber attacks against critical infrastructure that in most of the cases are owned by private entities.

The response of attacks against critical infrastructure operated by private organizations must be delegated to the US Government.

In the majority of the cases, attacks against critical infrastructure are powered by persistent attackers and for this reason, a response requests specific cyber skills and the US CYBERCOM has them.

Speaking of the CYBERCOM Bolling said it is the “agency that is best resourced to respond to threats to [U.S.] national interests…[and] critical infrastructure in the energy, finance and wider commercial space,” 

Hack backs the Air Force

Private companies cannot carry out hack backs if we want to avoid a digital far west. A private company that decides to target its attackers is anyway a serious threat to the overall digital community.

“For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.” continues CyberScoop.

According to Edward Amoroso, CEO of Tag Cyber, the US CYBERCOM should isolate the specific target to hit and attack it limiting the risk of any collateral damage.

“I’d like to think there’s a lot of human intelligence and spy-craft that provides a really good view” to the government, said Amoroso.

Experts warn of the risk of hack back non-responsible party due to a wrong attribution of the attack.

Of course, every threat must be properly approached especially the ones that daily target the U.S. private sector. The three experts urge a proper cyber hygiene to mitigate the risks of cyber attacks and limit the necessity to carry out hack backs.

Pierluigi Paganini

(Security Affairs – hack backs, hacking)

The post Experts believe US Cyber Command it the only entity that can carry out ‘hack backs’ appeared first on Security Affairs.



Security Affairs

Experts believe US Cyber Command it the only entity that can carry out ‘hack backs’

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector.

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector, and when appropriate, the military’s hacking unit should hit back, this is what three experts said at a panel organized by APCO.

The three experts with experience in the private sector, intelligence community and military, agreed that the private organization victims of cyber attacks have to delegate the response against the attackers to the US Cyber Command.

“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former DOD cyber officer.

The experts highlighted that private companies have no intelligence abilities to attribute the attacks to a specific threat actor and have no specific offensive capabilities to conduct hack backs.

Private companies not only have no capabilities to conduct hack backs, they are not legally authorized to do it.

“The U.S. government should decide how to retaliate against the worst attacks on the country’s private sector, and when appropriate, the military’s hacking unit should hit back, three experts said Monday.reported CyberScoop.

“The controversial idea entails taking the fight to nefarious actors by attacking their computer network in-kind, probing for exfiltrated data and employing measures to retrieve or destroy stolen information.”

Alex Bolling, the former chief of operations at the CIA’s Information Operations Center, approached the problem of cyber attacks against critical infrastructure that in most of the cases are owned by private entities.

The response of attacks against critical infrastructure operated by private organizations must be delegated to the US Government.

In the majority of the cases, attacks against critical infrastructure are powered by persistent attackers and for this reason, a response requests specific cyber skills and the US CYBERCOM has them.

Speaking of the CYBERCOM Bolling said it is the “agency that is best resourced to respond to threats to [U.S.] national interests…[and] critical infrastructure in the energy, finance and wider commercial space,” 

Hack backs the Air Force

Private companies cannot carry out hack backs if we want to avoid a digital far west. A private company that decides to target its attackers is anyway a serious threat to the overall digital community.

“For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.” continues CyberScoop.

According to Edward Amoroso, CEO of Tag Cyber, the US CYBERCOM should isolate the specific target to hit and attack it limiting the risk of any collateral damage.

“I’d like to think there’s a lot of human intelligence and spy-craft that provides a really good view” to the government, said Amoroso.

Experts warn of the risk of hack back non-responsible party due to a wrong attribution of the attack.

Of course, every threat must be properly approached especially the ones that daily target the U.S. private sector. The three experts urge a proper cyber hygiene to mitigate the risks of cyber attacks and limit the necessity to carry out hack backs.

Pierluigi Paganini

(Security Affairs – hack backs, hacking)

The post Experts believe US Cyber Command it the only entity that can carry out ‘hack backs’ appeared first on Security Affairs.

Security Affairs newsletter Round 172 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28
·      FBI: Overall BEC/EAC losses between Oct 2013 and May 2018 result in $12 billion
·      Trump might ask Putin to extradite the 12 Russian intelligence officers
·      Update CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28
·      Code hosting service GitHub can now scan also for vulnerable Python code
·      Director of National Intelligence warns of devastating cyber threat to US infrastructure
·      ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs
·      Crooks deployed malicious ESLint packages that steal software registry login tokens
·      Cyber Defense Magazine – July 2018 has arrived
·      Researchers show how to manipulate road navigation systems with low-cost devices
·      Trump – Putin meeting: I dont see any reason for Russia to interfere with the US presidential election
·      Cyber espionage campaign targets Samsung service centers in Italy
·      How crooks conduct Money Laundering operations through mobile games
·      QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine
·      US Biggest Blood Testing Laboratories LabCorp suffered a security breach
·      ‘IT system issue caused cancellation of British Airways cancelled flights at Heathrow
·      Cisco fixes critical and high severity flaws in Policy Suite and SD-WAN products
·      Expert discovered RoboCent AWS S3 bucket containing US voters records exposed online
·      Thousands of Mega account credentials leaked online, it is credential stuffing
·      Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours
·      Experts disclose dangerous flaws in robotic Dongguan Diqee 360 smart vacuums
·      Experts discloses dangerous flaws in robotic Dongguan Diqee 360 smart vacuums
·      Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates
·      MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank
·      SingHealth, largest healthcare group in Singapore, suffered a massive data breach
·      Experts discovered Calisto macOS Trojan, the member of Proton RAT family
·      Trump-Putin Meeting was the root cause of a spike of cyber attacks against Finland

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 172 – News of the week appeared first on Security Affairs.

Security Affairs: Security Affairs newsletter Round 172 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28
·      FBI: Overall BEC/EAC losses between Oct 2013 and May 2018 result in $12 billion
·      Trump might ask Putin to extradite the 12 Russian intelligence officers
·      Update CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28
·      Code hosting service GitHub can now scan also for vulnerable Python code
·      Director of National Intelligence warns of devastating cyber threat to US infrastructure
·      ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs
·      Crooks deployed malicious ESLint packages that steal software registry login tokens
·      Cyber Defense Magazine – July 2018 has arrived
·      Researchers show how to manipulate road navigation systems with low-cost devices
·      Trump – Putin meeting: I dont see any reason for Russia to interfere with the US presidential election
·      Cyber espionage campaign targets Samsung service centers in Italy
·      How crooks conduct Money Laundering operations through mobile games
·      QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine
·      US Biggest Blood Testing Laboratories LabCorp suffered a security breach
·      ‘IT system issue caused cancellation of British Airways cancelled flights at Heathrow
·      Cisco fixes critical and high severity flaws in Policy Suite and SD-WAN products
·      Expert discovered RoboCent AWS S3 bucket containing US voters records exposed online
·      Thousands of Mega account credentials leaked online, it is credential stuffing
·      Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours
·      Experts disclose dangerous flaws in robotic Dongguan Diqee 360 smart vacuums
·      Experts discloses dangerous flaws in robotic Dongguan Diqee 360 smart vacuums
·      Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates
·      MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank
·      SingHealth, largest healthcare group in Singapore, suffered a massive data breach
·      Experts discovered Calisto macOS Trojan, the member of Proton RAT family
·      Trump-Putin Meeting was the root cause of a spike of cyber attacks against Finland

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 172 – News of the week appeared first on Security Affairs.



Security Affairs

Ecuador to withdraw asylum for Julian Assange in coming weeks or days

According to media, Ecuador is going to hand over the WikiLeaks founder Julian Assange to the UK in “coming weeks or even days.”

In 2012 a British judge ruled WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and spent the last years in its London embassy.

Now Ecuador is planning to withdraw its political asylum, likely next week, this means that Assange will leave the embassy and British authorities will catch him.

“Sources close to Assange said he himself was not aware of the talks but believed that America was putting ‘significant pressure’ on Ecuador, including threatening to block a loan from the International Monetary Fund (IMF) if he continues to stay at the embassy,” reported RT.

The newly-elected President of Ecuador Lenín Moreno arrived in London on Friday, officially the motivation of his travel is the participation at the Global Disability Summit on 24 July 2018, but media reports suggest he was reaching an agreement with UK government to withdraw the asylum protection of Assange.

ECUADOR’S PRESIDENT Lenin Moreno traveled to London on Friday for the ostensible purpose of speaking at the 2018 Global Disabilities Summit (Moreno has been using a wheelchair since being shot in a 1998 robbery attempt). The concealed, actual purpose of the President’s trip is to meet with British officials to finalize an agreement under which Ecuador will withdraw its asylum protection of Julian Assange, in place since 2012, eject him from the Ecuadorian Embassy in London, and then hand over the WikiLeaks founder to British authorities.” wrote Glenn Greenwald on the Intercept.

In May 2017, Swedish prosecutors dropped their preliminary investigation into an allegation of rape against Julian Assange, but the Wikileaks founder fears that he would be extradited to the US, where he is facing federal charges his role in the Chelsea Manning‘s case.

Julian Assange

Three months ago, Ecuador blocked Assange from accessing the internet, mainly to avoid that he could express support to Catalonia and its dispute with the Spanish Government for the independence.

According to Ecuador, Assange had violated the agreement to refrain from interfering in other states’ politics.

Which are current charges against Assange in the UK?

The only criminal proceeding against Assange is a pending 2012 arrest warrant for “failure to surrender” that is considered by experts a minor bail violation charge.

This charge carries a prison term of three months and a fine, though it is possible that the time Assange has already spent in prison in the UK could be counted against that sentence.

Stay Tuned …

 

 

Pierluigi Paganini

(Security Affairs – Chelsea Manning, Obama)

The post Ecuador to withdraw asylum for Julian Assange in coming weeks or days appeared first on Security Affairs.

TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT

Proofpoint uncovered a massive malspam campaign leveraging emails delivering weaponized PDF documents containing malicious SettingContent-ms files.

Security experts from Proofpoint have uncovered a massive malspam campaign, crooks sent hundreds of thousands of emails delivering weaponized PDF documents containing malicious SettingContent-ms files.

Experts attributed the malspam campaign to the cybercriminal group tracked as TA505, the attackers are spreading the FlawedAmmyy RAT.

The SettingContent-ms file format was implemented in Windows 10 to allows a user to create “shortcuts” to various Windows 10 setting pages.

Thi file opens the Control Panel for the user [control.exe], experts noticed that it includes the  <DeepLink> element in the schema.

SettingContent-ms files

This element takes any binary with parameters and executes it, this means that an attacker can substitute ‘control.exe’ with a malicious script that could execute any command, including cmd.exe and PowerShell, without user interaction.

“After countless hours reading file specifications, I stumbled across the “.SettingContent-ms” file type. This format was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.” wrote experts from Specterops.

“The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute “control.exe” to something like “cmd.exe /c calc.exe”?”

Experts noticed that maliciously SettingContent-ms file can bypass Windows 10 security mechanisms such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.

In June experts from SpecterOps monitored several campaigns abusing the SettingContent-ms file format within Microsoft Word documents, but only a few days ago Proofpoint experts noticed threat actors leveraging PDF documents.

“Colleagues at SpecterOps recently published research[1] on abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.” reads the analysis published by Proofpoint.

“We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.”

SettingContent-ms files campaign

 

Once the victim has opened the PDF file, Adobe Reader will display a warning message asking the user if they want to open the file, since it is attempting to run the embedded “downl.SettingContent-ms” via JavaScript. Experts noticed that the warning message is displayed for any file format embedded within a PDF, not only for SettingContent-ms files.

If the victim clicks the “OK” prompt, the PowerShell command included in the <DeepLink> element downloads and execute the FlawedAmmyy RAT.

The FlawedAmmyy RAT has been active since 2016, it borrows the code of the Ammyy Admin remote access Trojan.

FlawedAMMYY implements common backdoor features, it allows attackers to manage files, capture the screen, remote control the machine, establish RDP SessionsService, and much more.

Experts attributed the malspam campaign to the TA505  threat actor based on email messages, as well as the payload.

The TA505 operates on a large scale, it was behind other major campaigns leveraging the Necurs botnet to deliver other malware, including the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.

“Whether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept. While not all new approaches gain traction, some may become regular elements through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain.” concludes Proofpoint researchers, “In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale.”

Pierluigi Paganini

(Security Affairs – TA505 ,  SettingContent-ms file)

The post TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT appeared first on Security Affairs.

Expert discovered it was possible to delete all projects in the Microsoft Translator Hub

Microsoft has addressed a serious vulnerability in the Microsoft Translator Hub that could be exploited to delete any or all the projects hosted by the service.

Microsoft has fixed a severe vulnerability in the Microsoft Translator Hub that could be exploited to delete any or all projects hosted by the service.

The Microsoft Translator Hub “empowers businesses and communities to build, train, and deploy customized automatic language translation systems—-”. 

The vulnerability was discovered by the security expert Haider Mahmood that was searching for bugs on the Translator Hub, he discovered that is was possible to remove a project by manipulating the “projectid” parameter in an HTTP request.

“POST request with no content and parameter in the URL (its kinda weird isn’t it?) the “projectid” parameter in the above request is the ID of the individual project in the database, which in this case is “12839“, by observing the above HTTP request, a simple delete project query could be something like:-” wrote the expert in a blog post.

The expert also discovered a Cross-Site Request Forgery (CSRF) vulnerability that could be used by an attacker to impersonate a legitimate, logged in user and perform actions on its behalf.

An attacker with the knowledge of the ProjectID of a logged user just needs to trick victims into clicking a specifically crafted URL that performs the delete action on behalf of the user. Another attack scenario sees the attacker including the same URL in a page that once visited by the victim will allow the project to be removed.

“Wait a minute, if you take a look at the Request, first thing to notice is there is no CSRF protection. This is prone to CSRF attack.” continues the expert. “In simple words, CSRF vulnerability allows attacker to impersonate legit logged in user, performing actions on their behalf. Consider this:-

  • Legit user is logged in.
  • Attacker includes the URL in a page. (img tag, iframe, lots of possibilities here) “http://hub.microsofttranslator.com/Projects/RemoveProject?projectId=12839”
  • Victim visits the page, above request will be sent from their browser.
  • Requirement is that one should know the ProjectID number of logged in victim.
  • As it has no CSRF projection like antiCSRF tokens it results in the removal of the project.
  • Even if it has Anti-CSRF projection, here are ways to bypass CSRF Token protections.”

Further analysis allowed the expert to discover the worst aspect of the story.

Mahmood discovered an Indirect Object Reference vulnerability, which could be exploited by an attacker to set any ProjectID in the HTTP request used to remove project.

Theoretically, an attacker can delete all projects in Microsoft Translator Hub by iterating through project IDs starting from 0 to 13000.

“The project whose projectID I used in the HTTP request got deleted. Technically this vulnerability is called Indirect Object Referencenow if I just loop through the values starting from 0 to 13000 (last project), I’m able to delete all projects from the database.” continues the expert. “The vulnerability could have been avoided using simple checks, either the project that the user requested is owned by the same user, associating the project owner with the project is another way, but its Microsoft so….” 

Microsoft Translator Hub SecurityBulletin-1024x307

Mahmood reported the flaw to Microsoft in late February 2018 that addressed it is a couple of weeks,

Pierluigi Paganini

(Security Affairs – gaming, money laundering)

The post Expert discovered it was possible to delete all projects in the Microsoft Translator Hub appeared first on Security Affairs.

Security Affairs: Expert discovered it was possible to delete all projects in the Microsoft Translator Hub

Microsoft has addressed a serious vulnerability in the Microsoft Translator Hub that could be exploited to delete any or all the projects hosted by the service.

Microsoft has fixed a severe vulnerability in the Microsoft Translator Hub that could be exploited to delete any or all projects hosted by the service.

The Microsoft Translator Hub “empowers businesses and communities to build, train, and deploy customized automatic language translation systems—-”. 

The vulnerability was discovered by the security expert Haider Mahmood that was searching for bugs on the Translator Hub, he discovered that is was possible to remove a project by manipulating the “projectid” parameter in an HTTP request.

“POST request with no content and parameter in the URL (its kinda weird isn’t it?) the “projectid” parameter in the above request is the ID of the individual project in the database, which in this case is “12839“, by observing the above HTTP request, a simple delete project query could be something like:-” wrote the expert in a blog post.

The expert also discovered a Cross-Site Request Forgery (CSRF) vulnerability that could be used by an attacker to impersonate a legitimate, logged in user and perform actions on its behalf.

An attacker with the knowledge of the ProjectID of a logged user just needs to trick victims into clicking a specifically crafted URL that performs the delete action on behalf of the user. Another attack scenario sees the attacker including the same URL in a page that once visited by the victim will allow the project to be removed.

“Wait a minute, if you take a look at the Request, first thing to notice is there is no CSRF protection. This is prone to CSRF attack.” continues the expert. “In simple words, CSRF vulnerability allows attacker to impersonate legit logged in user, performing actions on their behalf. Consider this:-

  • Legit user is logged in.
  • Attacker includes the URL in a page. (img tag, iframe, lots of possibilities here) “http://hub.microsofttranslator.com/Projects/RemoveProject?projectId=12839”
  • Victim visits the page, above request will be sent from their browser.
  • Requirement is that one should know the ProjectID number of logged in victim.
  • As it has no CSRF projection like antiCSRF tokens it results in the removal of the project.
  • Even if it has Anti-CSRF projection, here are ways to bypass CSRF Token protections.”

Further analysis allowed the expert to discover the worst aspect of the story.

Mahmood discovered an Indirect Object Reference vulnerability, which could be exploited by an attacker to set any ProjectID in the HTTP request used to remove project.

Theoretically, an attacker can delete all projects in Microsoft Translator Hub by iterating through project IDs starting from 0 to 13000.

“The project whose projectID I used in the HTTP request got deleted. Technically this vulnerability is called Indirect Object Referencenow if I just loop through the values starting from 0 to 13000 (last project), I’m able to delete all projects from the database.” continues the expert. “The vulnerability could have been avoided using simple checks, either the project that the user requested is owned by the same user, associating the project owner with the project is another way, but its Microsoft so….” 

Microsoft Translator Hub SecurityBulletin-1024x307

Mahmood reported the flaw to Microsoft in late February 2018 that addressed it is a couple of weeks,

Pierluigi Paganini

(Security Affairs – gaming, money laundering)

The post Expert discovered it was possible to delete all projects in the Microsoft Translator Hub appeared first on Security Affairs.



Security Affairs

Experts discovered Calisto macOS Trojan, the member of Proton RAT family

Security experts from Kaspersky Lab have discovered a precursor of the infamous Proton macOS malware that was named Calisto.

Malware researchers from Kaspersky Lab have discovered a malware, tracked as Calisto, that appears to be to the precursor of the Proton macOS malware.

“We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.” reads the analysis published by Kaspersky.

“Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:”

The malicious code seems to have been developed in 2016, while Proton was first spotted in 2017.

According to the experts, the malware was uploaded on VirusTotal in 2016 but none noticed it until May 2018. Kaspersky has no information about the way the threat was propagated, they immediatelly noticed that some features implemented by Calisto were still under development.

The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac.

The analysis published by Kaspersky revealed that many features implemented in Proton malware were not present in Calisto.

Proton malware was first discovered in March 2017, threat actors were offering for sale it on an underground hacking forum for a price ranging from $1,200 to $830,000 for the entire project.

A few weeks later the malware was involved in attacks in the wild for the first time, threat actors hacked the website of the HandBrake app and poisoned the official app with it.

In October 2017 attackers distributed the Proton RAT poisoning legitimate applications, such as the popular Elmedia Player and download manager Folx developed by the Elmedia Player.

Both Proton RAT and Calisto are remote access Trojan (RAT) that once infected a system give the attackers full control over it.

Calisto allows remote control of infected Macs, below some of the features it implements:

  • Enables remote login
  • Enables screen sharing
  • Configures remote login permissions for the user
  • Allows remote login to all
  • Enables a hidden “root” account in macOS and sets the password specified in the Trojan code

Static analysis conducted by the experts revealed unfinished functionality, including:

  • Loading/unloading of kernel extensions for handling USB devices
  • Data theft from user directories
  • Self-destruction together with the OS

Experts pointed out that Calisto was developed before Apple rolled out the SIP (System Integrity Protection) security mechanism for this reason it is not able to bypass it.

“Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions.” researchers explained. “Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.” 

This implies that Calisto cannot infect modern macOS versions, anyway below a few recommendations to protect against Calisto, Proton, and similar threats:

  • Always update