Category Archives: Breaking News

Drupal dev team fixed Remote Code Execution flaws in the popular CMS

The Drupal development team has patched several vulnerabilities in versions 7 and 8 of the popular CMS, including RCE flaws.

The development team of the Drupal content management system addressed several vulnerabilities in versions 7 and 8, including some flaws that could be exploited for remote code execution.

The Drupal team fixed a critical vulnerability in the Contextual Links module, which fails to properly validate requested contextual links. The flaw could be exploited for remote code execution by an attacker holding an account with the “access contextual links” permission.

“The Contextual Links module doesn’t sufficiently validate the requested contextual links.” reads the security advisory.
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.”

Another critical vulnerability fixed by the development team is an injection issue in the DefaultMailSystem::mail() function. The root cause of the bug is that some variables were not sanitized for use as shell arguments when sending emails.

“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.” continues the advisory.

The remaining vulnerabilities addressed in the CMS have been assigned a “moderately critical” rating; they include a couple of open redirect bugs and an access bypass issue related to content moderation.

The vulnerabilities have been addressed with the release of Drupal 7.60, 8.6.2 and 8.5.8.

The Drupal team urges users to install the security updates as soon as possible, since there is a concrete risk that threat actors will start exploiting the flaws in massive hacking campaigns.

Pierluigi Paganini

(Security Affairs – Drupal, hacking)

The post Drupal dev team fixed Remote Code Execution flaws in the popular CMS appeared first on Security Affairs.

Splunk addressed several vulnerabilities in Enterprise and Light products

Splunk recently addressed several vulnerabilities in its Enterprise and Light products; some of them have been rated “high severity.”

Splunk Enterprise solution allows organizations to aggregate, search, analyze, and visualize data from various sources that are critical to business operations.

Splunk Light is a comprehensive solution for small IT environments that automates log analysis and integrates server and network monitoring.

“To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes,” reads the advisory published by Splunk.

The most severe issue fixed by the company is a high severity cross-site scripting (XSS) flaw in the Web interface, tracked as CVE-2018-7427, which received a CVSS score of 8.1.

Another vulnerability is a DoS flaw, tracked as CVE-2018-7432, that could be exploited with malicious HTTP requests sent to Splunkd, the system process that handles indexing, searching and forwarding. The company rated this issue “medium severity.”

The company also addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-7429, that could be exploited by an attacker by sending a specially crafted HTTP request to Splunkd.

The last flaw addressed by the vendor, tracked as CVE-2018-7431, is a path traversal issue that allows an authenticated attacker to download arbitrary files from the Splunk Django app. The vulnerability has been rated “medium severity.”

The affected versions are listed below:

  • Cross Site Scripting in Splunk Web (CVE-2018-7427)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Denial of Service (CVE-2018-7432)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Path Traversal Vulnerability in Splunk Django App (CVE-2018-7431)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Splunkd Denial of Service via Malformed HTTP Request (CVE-2018-7429)
      • Affected Product Versions: Splunk Enterprise versions 6.4.x before 6.4.8, 6.3.x before 6.3.11, 6.2.x before 6.2.14 and Splunk Light before 6.5.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
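The affected-version list above is the data a defender actually has to act on. The following added example (not Splunk's code, nor part of the original article) turns those ranges into a checker that tells you which of the four CVEs apply to a given Splunk Enterprise or Splunk Light version; the product names "Enterprise" and "Light" used as keys are this example's own convention.

```python
"""Map a Splunk Enterprise / Splunk Light version to the CVEs it is affected by.

The ranges below are transcribed from the advisory list in the article
(CVE-2018-7427, CVE-2018-7432, CVE-2018-7431, CVE-2018-7429). Added example;
this is not Splunk's own code.
"""
import re
from typing import Dict, List, Tuple

# "X.Y.x before A.B.C" means: versions on the X.Y branch older than A.B.C.
# A bare "before A.B.C" (Splunk Light) means: any version older than A.B.C.
AFFECTED: Dict[str, Dict[str, List[str]]] = {
    "CVE-2018-7427": {
        "Enterprise": ["6.5.x before 6.5.3", "6.4.x before 6.4.7", "6.3.x before 6.3.10",
                       "6.2.x before 6.2.14", "6.1.x before 6.1.13", "6.0.x before 6.0.14"],
        "Light": ["before 6.6.0"],
    },
    "CVE-2018-7432": {
        "Enterprise": ["6.5.x before 6.5.3", "6.4.x before 6.4.7", "6.3.x before 6.3.10",
                       "6.2.x before 6.2.14"],
        "Light": ["before 6.6.0"],
    },
    "CVE-2018-7431": {
        "Enterprise": ["6.5.x before 6.5.3", "6.4.x before 6.4.6", "6.3.x before 6.3.10",
                       "6.2.x before 6.2.14", "6.1.x before 6.1.13", "6.0.x before 6.0.14"],
        "Light": ["before 6.6.0"],
    },
    "CVE-2018-7429": {
        "Enterprise": ["6.4.x before 6.4.8", "6.3.x before 6.3.11", "6.2.x before 6.2.14"],
        "Light": ["before 6.5.0"],
    },
}

_RULE = re.compile(r"^(?:(\d+)\.(\d+)\.x )?before (\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.4.7' -> (6, 4, 7). Rejects anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


def rule_matches(version: str, rule: str) -> bool:
    """True if `version` falls inside one advisory range such as '6.5.x before 6.5.3'."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    major, minor, fixed = m.group(1), m.group(2), parse_version(m.group(3))
    v = parse_version(version)
    if major is not None and v[:2] != (int(major), int(minor)):
        return False  # branch-scoped rule, and this version is on another branch
    return v < fixed  # tuple comparison: (6, 4, 7) < (6, 4, 8)


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE ids (in advisory order) that apply to product/version."""
    return [
        cve for cve, per_product in AFFECTED.items()
        if any(rule_matches(version, r) for r in per_product.get(product, []))
    ]


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [("idx01", "Enterprise", "6.4.7"), ("sh01", "Enterprise", "6.5.3"),
                 ("light01", "Light", "6.5.2")]
    for host, product, version in inventory:
        print(host, product, version, affected_cves(product, version) or "not affected")
```

Note that a host on 6.4.7 is clean for three of the four advisories but still exposed to CVE-2018-7429, whose fix only landed in 6.4.8; per-CVE ranges matter more than "latest patch level" heuristics.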

The vendor declared it has found no evidence that these vulnerabilities have been exploited in attacks in the wild.

Pierluigi Paganini

(Security Affairs – XSS, hacking)

The post Splunk addressed several vulnerabilities in Enterprise and Light products appeared first on Security Affairs.

Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew

Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada.

The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1.

“McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report.

“We have named this threat Operation Oceansalt based on its similarity to the earlier malware Seasalt, which is related to earlier Chinese hacking operations. Oceansalt reuses a portion of code from the Seasalt implant (circa 2010) that is linked to the Chinese hacking group Comment Crew. Oceansalt appears to have been part of an operation targeting South Korea, United States, and Canada in a well-focused attack.”

The APT1 cyberespionage group, aka Comment Crew, was first discovered in 2013 by experts from Mandiant. The evidence collected by the security experts links APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398); experts believe the group has been active since 2006 and has targeted hundreds of organizations in multiple industries.

According to McAfee, Operation Oceansalt was not conducted by APT1; the attackers leverage the Oceansalt implant, which borrows code from the APT1 tool dubbed Seasalt.

Both malware families use a similar command handler and index table, and exactly the same response codes associated with command execution.

“Oceansalt contains the following strings that are part of Seasalt:

  • Upfileer
  • Upfileok

Both implants have a high degree of similarity in code sharing and functions. A few of their commonalities follow.”

According to the researchers, the implant is only a first-stage component that allows operators to perform various actions on the infected systems and to download additional components.

Oceansalt implements a dozen commands, including extracting drive information, sending information about a specific file, executing a command line using WinExec(), deleting a file, creating a file, getting information on the running processes, terminating a process, creating/operating/terminating a reverse shell, and testing receive and send capabilities.


At the time of the analysis, it was still unclear who was behind the campaign; the only certainty was that the attackers had somehow obtained access to APT1’s source code, even though it was never publicly disclosed.

The Oceansalt implant was used in at least five campaigns and was customized to the specific targets.

In the first two waves of attacks, threat actors used spear-phishing emails with weaponized Korean-language Microsoft Excel documents to download the implant. In the third campaign the hackers leveraged weaponized Microsoft Word documents, while the remaining waves of attacks targeted a small number of entities outside of South Korea, including in the U.S. and Canada.

The attackers used several command and control (C&C) servers; the researchers’ analysis revealed that the Operation Oceansalt campaign is active in Canada, Costa Rica, the United States, and the Philippines.

“Perhaps more important is the possible return of a previously dormant threat actor and, further, why should this campaign occur now? Regardless of whether this is a false flag operation to suggest the rebirth of Comment Crew, the impact of the attack is unknown.” McAfee concludes.

“However, one thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor—offering up considerably more malicious assets.”

Pierluigi Paganini

(Security Affairs – APT1, hacking)

The post Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew appeared first on Security Affairs.

GreyEnergy cyberespionage group targets Poland and Ukraine

Security researchers from ESET published a detailed analysis of a recently discovered cyber espionage group tracked as GreyEnergy.

Security experts from ESET published a detailed analysis of a recently discovered threat actor tracked as GreyEnergy, whose activity emerged in parallel with BlackEnergy operations.

ESET researchers have also spotted a new strain of malware tracked as Exaramel that links the NotPetya wiper to the Industroyer ICS malware.

Experts from ESET speculate the BlackEnergy threat actor evolved into two separate APT groups, namely TeleBots and GreyEnergy.

“Following this attack, the BlackEnergy group evolved into at least two subgroups: TeleBots and GreyEnergy.” reads the report.

“The main goal of the TeleBots group is to perform cybersabotage attacks on Ukraine, which are achieved through computer network attack (CNA) operations.”

GreyEnergy conducted reconnaissance and cyber espionage activities in Ukraine and Poland, focusing on the energy and transportation industries and other high-value targets.

The APT group leverages the GreyEnergy malware, a malicious code with a modular architecture that extends its capabilities by adding the appropriate modules.

“Like many complex threats, the GreyEnergy malware has a modular architecture. The functionality of the malware can be easily extended with additional modules. A GreyEnergy module is a DLL file that gets executed by calling the function with the first ordinal. Each module, including the main GreyEnergy module, accepts text commands with various parameters.” continues the analysis.

The list of available modules includes components for file extraction, screenshot capturing, keylogging, password and credential stealing, and of course a backdoor.

Experts pointed out that they haven’t found modules that specifically target Industrial Control Systems software or devices, but ESET noted that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers.

In one case, hackers used a disk-wiping component to disrupt operating processes on the target systems.

GreyEnergy attackers in one case also used a valid digital certificate, likely stolen from Taiwanese company Advantech, to sign a sample.

“One of the most intriguing details discovered during our research is that one of the GreyEnergy samples we found was signed with a valid digital certificate that had likely been stolen from a Taiwanese company that produces ICS equipment. In this respect, the GreyEnergy group has literally followed in Stuxnet’s footsteps.” states ESET.

Attackers spread the malware by carrying out spear phishing campaigns and by compromising self-hosted web services; in the latter case, attackers break into public-facing web services running on a server connected to an internal network, compromise the server, and then move laterally within the internal network.

GreyEnergy also used other backdoors, mostly PHP backdoors, and malware implementing several layers of obfuscation and encryption to hide the malicious code.

The spear-phishing messages first drop a lightweight first-stage backdoor tracked as GreyEnergy mini (aka FELIXROOT) to gather information on the target network and gather admin credentials using tools such as Nmap and Mimikatz.

The stolen credentials are used to deploy the main GreyEnergy malware into the target network with administrator privileges.

The malware is written in C and compiled using Visual Studio; it is deployed in two ways:

  • in-memory-only mode without implementing persistence;
  • Service DLL persistence;

ESET experts also discovered a worm dubbed Moonraker Petya that is similar to NotPetya; they speculate it is a predecessor of the infamous wiper.


Moonraker Petya has limited spreading capabilities and, like NotPetya, it is able to make machines unbootable; the malware was used against a small number of organizations.

Moonraker Petya may be the result of a collaboration between TeleBots and GreyEnergy APT groups.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit. The main reasons for this conclusion are the similar malware design, specific choice of targeted victims, and modus operandi,” ESET concludes.

Pierluigi Paganini

(Security Affairs – GreyEnergy, APT)

The post GreyEnergy cyberespionage group targets Poland and Ukraine appeared first on Security Affairs.

Group-IB: 14 cyber attacks on crypto exchanges resulted in a loss of $882 million

Group-IB has estimated that crypto exchanges suffered a total loss of $882 million due to targeted attacks between 2017 and 2018.

Group-IB, an international company that specializes in preventing cyber attacks, has estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the Lazarus state-sponsored group, including the infamous attack on the Japanese crypto exchange Coincheck, in which $534 million in crypto was stolen.

This data was included in the annual Hi-Tech Crime Trends 2018 report, presented by Group-IB CTO Dmitry Volkov at the sixth international CyberCrimeCon conference. A separate chapter of the report is dedicated to the analysis of hackers’ and fraudsters’ activity in the crypto industry.

Crypto exchanges: in the footsteps of Lazarus

In most cases, cybercriminals attacking cryptocurrency exchanges use traditional tools and methods, such as spear phishing, social engineering, distribution of malware, and website defacement. One successful attack can bring hackers tens of millions of dollars in crypto funds while reducing the risk of being caught to a minimum: the anonymity of transactions allows cybercriminals to withdraw stolen funds without putting themselves at greater risk.

Spear phishing remains the major vector of attack on corporate networks. For instance, fraudsters deliver malware under the cover of CV spam: they send an email containing a fake CV with the subject line “Engineering Manager for Crypto Currency job” or with the file “Investment Proposal.doc” attached, which has malware embedded in the document.

In the last year and a half, the North Korean state-sponsored Lazarus group attacked at least five cryptocurrency exchanges: Yapizon, Coins, YouBit, Bithumb, and Coincheck. After the local network is successfully compromised, the hackers browse it to find workstations and servers used to work with private cryptocurrency wallets.


“Last year we warned that hackers competent enough to carry out a targeted attack might have a new target – cryptocurrency exchanges,” reminded Dmitry Volkov, Group-IB CTO.

“In the last couple of years, crypto exchanges suffered many attacks. Some of the exchanges went bankrupt after the hacks, i.e. Bitcurex, YouBit, Bitgrail. At the beginning of 2018 hackers’ interest in cryptocurrency exchanges ramped up. The most likely cryptocurrency exchange attackers now are Silence, MoneyTaker, and Cobalt.”

ICO: more than 56% of funds were stolen through phishing attacks

Hackers cause serious damage to ICOs: they attack founders, community members, and platforms. In 2017 more than 10% of funds raised through ICOs were stolen, while 80% of projects disappeared with the money without fulfilling any obligations towards their investors.

Yet despite the pessimistic forecasts, the amount of funds invested in ICOs increased significantly. In H1 2018 alone, ICO projects raised almost $14 billion, twice as much as during the entire 2017 ($5.5 billion), according to CVA and PwC studies. Therefore, cybercriminals can steal more funds in one successful attack.

In 2018, hackers attacked ICOs conducting private funding rounds. For instance, cyber criminals targeted the TON project, founded by Pavel Durov, through phishing and managed to steal $35,000 in Ethereum. The worst generally happens on the first day of token sales: a set of DDoS attacks simultaneous with an influx of users, a flood of Telegram and Slack messages, and mailing list spamming.

Phishing remains one of the major vectors of attack on ICOs: approximately 56% of all funds stolen from ICOs were siphoned off as a result of phishing attacks. Amid “the crypto-fever” everyone is striving to purchase tokens, often sold at a significant discount, as fast as possible without paying attention to fine details such as fake domain names. One big phishing group is capable of stealing roughly $1 million a month.

Phishing attacks against ICO projects are not always aimed at stealing money. This year, there were several cases of investor database theft. This information can be later re-sold on the darknet or used for blackmail.

A relatively new method of fraud on the ICO market is stealing the White Paper of an ICO project and presenting the identical idea under a new brand name. Fraudsters build a website featuring the new brand and a new team using the stolen project description and announce an ICO.

Pierluigi Paganini

(Security Affairs – crypto exchanges, hacking)

The post Group-IB: 14 cyber attacks on crypto exchanges resulted in a loss of $882 million appeared first on Security Affairs.

The author of the LuminosityLink RAT sentenced to 30 Months in Prison

The author of the infamous LuminosityLink RAT, Colton Grubbs (21), was sentenced to 30 months in federal prison.

Colton Grubbs, 21, of Stanford, Kentucky, the author of the infamous LuminosityLink RAT, was sentenced to 30 months in federal prison.

In February, Europol’s European Cybercrime Centre (EC3), along with the UK National Crime Agency (NCA), disclosed the details of an international law enforcement operation that targeted the criminal ecosystem around the Luminosity RAT (aka LuminosityLink).

According to the EC3, the joint operation was conducted in September 2017 and involved more than a dozen law enforcement agencies from Europe, the US, and Australia.

The Luminosity RAT was first spotted in 2015, but it became very popular in 2016.

The malware was offered for sale in the criminal underground for as little as $40; it allows attackers to take complete control over the infected system.

The Luminosity RAT was one of the malicious codes used in Business Email Compromise attacks and was also used by Nigerian gangs in attacks aimed at industrial firms.


In September 2016, UK law enforcement arrested Colton Grubbs; he admitted to designing, marketing, and selling LuminosityLink.

Grubbs offered the malware for sale for $39.99 to more than 6,000 customers, and he also helped them hack computers worldwide.

“Grubbs previously admitted to designing, marketing, and selling a software, called LuminosityLink, that Grubbs knew would be used by some customers to remotely access and control their victims’ computers without the victims’ knowledge or consent. Among other malicious features, LuminosityLink allowed Grubbs’ customers to record the keys that victims pressed on their keyboards, surveil victims using their computers’ cameras and microphones, view and download the computers’ files, and steal names and passwords used to access websites.” reads the DoJ statement.
“Directly and indirectly, Grubbs offered assistance to his customers on how to use LuminosityLink for unauthorized computer intrusions through posts and group chats on websites such as HackForums.net.”

Grubbs will serve 85% of his prison sentence, after which he will be released under supervision of the United States Probation Office for a term of three years.

Grubbs must forfeit the proceeds of his crimes, including 114 Bitcoin that was seized by the Federal Bureau of Investigation.

“Our modern society is dependent on computers, mobile devices, and the use of the internet. It is essential that we vigorously prosecute those who erode that confidence and illicitly gain access to computer systems and the electronic information of others. Everyone benefits when this deceitful conduct is discovered, investigated, and prosecuted,” Robert M. Duncan, Jr., United States Attorney for the Eastern District of Kentucky, said.

The arrest triggered a new investigation that resulted in several arrests, search warrants, and cease and desist notifications across Europe, America, and Australia.

Law enforcement agencies targeted both sellers and users of the Luminosity Trojan. According to the NCA, a small crime ring in the UK distributed Luminosity RAT to more than 8,600 buyers across 78 countries.

Pierluigi Paganini

(Security Affairs – Luminosity RAT, cybercrime)


Chaining three critical vulnerabilities allows takeover of D-Link routers

Researchers from the Silesian University of Technology in Poland discovered several flaws that could be exploited to take over some D-Link routers.

A group of researchers from the Silesian University of Technology in Poland has discovered three vulnerabilities in some models of D-Link routers that could be chained to take full control over the devices.

The flaws are a directory traversal (CVE-2018-10822), a password stored in plaintext (CVE-2018-10824), and a shell command injection (CVE-2018-10823).

“I have found multiple vulnerabilities in D-Link router httpd server. These vulnerabilities are present in multiple D-Link types of routers. All three taken together allow taking full control over the router, including code execution.” reads the security advisory.

The vulnerabilities reside in the httpd server of some D-Link routers, including DWR-116, DWR-111, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, and DWR-921.

Researchers found a directory traversal vulnerability, tracked as CVE-2018-10822, that could be exploited by remote attackers to read arbitrary files using an HTTP request.

The issue was initially reported to D-Link as CVE-2017-6190, but the vendor did not correctly fix the flaw.

This flaw could be exploited to gain access to a file that stores the admin password for the device in clear text.

The plaintext storage of the password is tracked as CVE-2018-10824; to prevent abuse, the experts did not reveal the path of the file.

Researchers also reported another flaw, tracked as CVE-2018-10823, that could be exploited by an authenticated attacker to execute arbitrary commands and take over the device.

The researchers published a video showing how the flaws can be chained to take over a device.

The experts reported the flaws to D-Link in May, but the vendor has still not addressed them, so the experts publicly disclosed the vulnerabilities.

Until a patch addressing the vulnerabilities is available, users can make sure their devices are not accessible from the Internet.

Pierluigi Paganini

(Security Affairs – D-Link, hacking)


MartyMcFly Malware: new Cyber-Espionage Campaign targeting Italian Naval Industry

Yoroi security firm uncovered a targeted attack against one of the most important companies in the Italian Naval Industry leveraging MartyMcFly Malware.

Today I’d like to share an interesting analysis of a targeted attack found and dissected by Yoroi (technical details are available here). The victim is one of the leading companies in the Italian military-grade naval security and defence ecosystem. Everything started with a well-crafted email sent to the right office, asking for prices of naval engine spare parts. The email was clear and well written, and it listed spare parts that matched real engine parts in detail. The email presented two attachments to the victim:
  • A company profile, presenting the company that was asking for spare parts
  • A Microsoft .XLSX file where (apparently) the list of the needed spare parts was available

The attacker asked for a quotation for the entire spare part list in the spreadsheet, so the victim had to open the included Microsoft Excel file to enumerate the “fake customer” needs. Opening the Excel file infects the machine.

Let’s dig into that file and see what is happening there. At first sight, the Office document had encrypted content in OleObj.1 and OleObj.2. Those objects are real encrypted OLE objects, where the encrypted payload sits in the “EncryptedPackage” section and the information on how to decrypt it is available in the “EncryptionInfo” XML descriptor. However, at that time the EncryptionInfo held the encryption algorithm and additional information about the payload, but no key was provided. The question was disruptive: how is Microsoft Excel able to decrypt such content if no password is requested from the end user? Put another way, if the victim opens the document without knowing the “secret key”, how can he/she get infected? And why would the attacker use an encrypted payload if the victim cannot open it?

Stage1: Encrypted Content
Using an encrypted payload is quite a common way to evade antivirus, since the encrypted payload changes depending on the key used. But what is the key?
Well, Microsoft Excel has a common way to open documents called “Read Only”. In “Read Only” mode the file can be opened even if it is encrypted: Microsoft Excel asks the user for a decryption key only if the user wants to save, print or modify the content. For that case, Microsoft programmers used a special static key to decrypt “Read Only” documents. That key has the following value: “VelvetSweatshop” (a nice old article on that). Let’s try this “key” to decrypt the content! The following image shows a brand new stage, where a valid extracted xlsx file wraps more objects; we define it as Stage2.

Stage2: OleOBj inclusion
A quick analysis of Stage2 exposes a new object inclusion (as shown in the picture “Stage2: OleOBJ inclusion”). That object was crafted on 2018-10-09 but was seen only on 2018-10-12. At this stage the extracted object is clear text, and no encrypted content was found at all. The following image shows the extracted object from Stage2.
Stage2: extracted Payload

It’s not hard to see what the payload does (CVE-2017-11882), but running it in a dynamic analysis engine gives more chances to prove it. The payload exploits CVE-2017-11882 by spawning the Equation Editor, which drops and executes an external PE file. We might define the Equation Editor dropping and executing as Stage3. The following image shows the connection to a dropping website performed by the Equation Editor.

Stage3: Equation Editor Spawned and connecting to Dropping URL
Evidence of what was dissected is shown in the following image (Introducing Stage4), where the Equation Editor network trace is provided. We are introducing a new stage: Stage4. GEqy87.exe (Stage4) is a common Windows PE. It is placed inside an unconventional folder (js/jquery/file/...) on a compromised, thematically related website. This placement usually has a double purpose: (a) bypassing old-school or unconfigured IDS, and (b) hiding malicious software in a well-known and trusted folder structure in order to persist across website upgrades.

Introducing Stage4. PE file dropped and executed
Stage4 is pretty interesting per se. It is a nice piece of software written in Borland Delphi 7. According to VirusTotal the software was “seen in the wild” in 2010 but submitted only on 2018-10-12! This is pretty interesting, isn’t it? Maybe a hash collision over multiple years? Maybe a buggy variable on VirusTotal? Or maybe not: something more sophisticated and complex is happening out there.

Stage4: According to Virus Total

Looking into GEqy87, it is quite clear that the sample was hiding an additional Windows PE. On one hand, it builds the new PE directly in memory by running decryption loops (not reversed here). On the other hand, it redirects EIP to a pre-allocated memory section in order to reach the newly available code section.

Stage5: Windows PE hidden into GEqy87.exe
Stage5 deploys many evasion tricks, such as GetLastInputInfo, SleepX and GetLocalTime, to trick debuggers and sandboxes. It makes an explicit date check against 0x7E1 (2017): if the current year is less than or equal to 0x7E1 it skips the real behaviour, while if the current year is, for example, 2018, it runs its behaviour by calling the address held in EAX (typical control flow redirection on crafted memory).
For more technical details, please have a look here. What looks very interesting, at least from my personal point of view, is the following evidence:
  • Assuming there were no hash collisions over the years
  • Assuming VirusTotal’s “First Seen in The Wild” is right (and not bugged)
we might think that “we are facing a new threat targeting (as of today) the naval industry, planned in 2010 and run in 2018”.

The name MartyMcFly comes quite naturally, given the “interesting date-back from VirusTotal”. I am not confident about that date, but I can only assume VirusTotal is right.

For IoCs please see the analysis here.

Further details on the MartyMcFly malware are reported in the original analysis published by Marco Ramilli on his blog.

Yoroi also launched a new blog where several interesting analyses can be found, including the one on the MartyMcFly malware.

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Minister of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centres I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – MartyMcFly, malware)


Thousands of servers easy to hack due to a LibSSH Flaw

The Libssh library is affected by a severe flaw that could be exploited by attackers to completely bypass authentication and take over a vulnerable server.

Libssh, a library implementing the Secure Shell (SSH) protocol, is affected by a four-year-old severe vulnerability that could be exploited by attackers to completely bypass authentication and take over a vulnerable server without requiring a password.

The flaw is an authentication-bypass vulnerability that was introduced in Libssh version 0.6, released in 2014.

The issue, tracked as CVE-2018-10933, was discovered by Peter Winter-Smith from NCC Group; it stems from a coding error in Libssh.

Exploitation of the flaw is trivial: an attacker only needs to send an “SSH2_MSG_USERAUTH_SUCCESS” message to a server with SSH enabled at the point where it expects an “SSH2_MSG_USERAUTH_REQUEST” message.

“libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.” reads the security advisory.

The library fails to validate if the incoming “successful login” packet was sent by the server or the client, and also fails to check if the authentication process has been successfully completed.

This means that if a remote attacker sends the “SSH2_MSG_USERAUTH_SUCCESS” response to libssh, the library considers that the authentication has been successfully completed.
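To make the defect concrete, here is an added toy model (not libssh’s code) of a server-side userauth dispatcher: the flawed version accepts a client-supplied SSH2_MSG_USERAUTH_SUCCESS as proof of login, while the hardened version only accepts the messages a client is allowed to send in the current state and logs anything else as a protocol violation. The message numbers are the RFC 4252 values; the credential store, session object and helper names are constructed for this example.

```python
"""Toy model of the state-machine defect behind CVE-2018-10933.

This is an added illustration, not libssh code. The vulnerable dispatcher
handles every known userauth message type, including the server-to-client
SUCCESS, so a client that sends it is marked authenticated. The hardened
dispatcher checks state and direction before acting on a message.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Real SSH userauth message numbers (RFC 4252).
SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client

# Constructed credential store standing in for real authentication.
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    authenticated: bool = False
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)


def _check_password(session, payload):
    """Server-side decision: only this function may grant access."""
    user, password = payload.get("user"), payload.get("password")
    if VALID_CREDENTIALS.get(user) == password:
        session.authenticated, session.user = True, user
        return SSH2_MSG_USERAUTH_SUCCESS
    return SSH2_MSG_USERAUTH_FAILURE


def vulnerable_dispatch(session, msg_type, payload):
    """Flawed pattern: a handler exists for the server-originated SUCCESS
    message and it flips the session to 'authenticated' no matter who sent
    it or whether any credential check ever ran."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        return _check_password(session, payload)
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        session.authenticated = True            # trusts the peer's claim
        session.user = payload.get("user", "unknown")
        return None
    session.log.append(f"unhandled message {msg_type}")
    return None


def hardened_dispatch(session, msg_type, payload):
    """Only accept messages a client may send while unauthenticated; every
    other message is a protocol violation that leaves the state untouched
    and is recorded so it can be alerted on."""
    if session.authenticated:
        session.log.append("userauth message after authentication: ignored")
        return None
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        return _check_password(session, payload)
    # SUCCESS/FAILURE are server-originated; a client sending them is either
    # broken or hostile. Refuse and keep the session unauthenticated.
    session.log.append(f"protocol violation: client sent message {msg_type}")
    return SSH2_MSG_USERAUTH_FAILURE


def run_exchange(dispatch, messages):
    """Feed (msg_type, payload) client messages through a fresh session and
    return it so the caller can inspect the final state."""
    session = Session()
    for msg_type, payload in messages:
        dispatch(session, msg_type, payload)
    return session


if __name__ == "__main__":
    claim = [(SSH2_MSG_USERAUTH_SUCCESS, {"user": "root"})]
    print("vulnerable:", run_exchange(vulnerable_dispatch, claim).authenticated)
    hardened = run_exchange(hardened_dispatch, claim)
    print("hardened:", hardened.authenticated, hardened.log)
```

The log entries written by the hardened dispatcher are the kind of event a server should surface to monitoring, since a client emitting server-only message types is never legitimate traffic.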

Thousands of vulnerable servers are exposed online, by querying the Shodan search engine we can see that more than 6,500 servers are affected by the issue.

But before you get frightened, you should know that neither the widely used OpenSSH nor Github’s implementation of libssh was affected by the vulnerability.

The Libssh maintainers addressed the flaw with the release of the libssh versions 0.8.4 and 0.7.6.

Experts pointed out that OpenSSH and GitHub’s implementation of libssh are not affected by the flaw.

Pierluigi Paganini

(Security Affairs – Libssh, CVE-2018-10933)


Brazil expert discovers Oracle flaw that allows massive DDoS attacks

Oracle has just released a security update to prevent 2.3 million servers running the RPCBIND service from being used in amplified DDoS attacks.

The flaw was discovered by the Brazilian researcher Mauricio Corrêa, founder of Brazilian security company XLabs. The exploitation of this vulnerability could cause major problems on the Internet.

“A proof of concept (POC) made in only one XLabs server generated a traffic of 69 gigabits per second,” Mauricio told Cibersecurity.net.br.

At the time of the discovery, the expert queried Shodan and found that there were nearly 2.6 million servers running RPCBIND on the Internet. The multiplication of this exploit in a 2.6 million server farm leads to a frightening conclusion.

RPCBIND is software that provides client programs with the information they need about server programs available on a network. It runs on port 111 and responds with universal addresses of the server programs so that client programs can request data through RPCs (remote procedure calls).

These addresses are formed by the server IP pool plus port. Since its launch, RPCBIND has received updates that fix several bugs, including security issues. This, however, is the most serious finding so far.
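The amplification pattern described above (a small request to UDP/111 answered with a much larger list of registered programs) is easy to score from flow records. The following is an added example, not XLabs’ or Oracle’s code; the NetFlow-like tuples, field layout and thresholds are constructed assumptions.

```python
"""Amplification check for rpcbind (UDP/111) flows.

Added example, not XLabs' or Oracle's code: scores each local host that
answers on UDP/111 by the ratio of response bytes sent to request bytes
received, which is the signature of reflection/amplification abuse.
Input is a list of constructed NetFlow-like tuples; layout and thresholds
are assumptions for the example, not a standard.
"""
from collections import defaultdict

RPCBIND_PORT = 111

# Constructed records: (src_ip, src_port, dst_ip, dst_port, bytes, packets),
# one tuple per unidirectional UDP flow as a collector would export them.
# 10.0.0.5 is an exposed portmapper answering small requests with ~2.9 KB
# replies towards two outside addresses (spoofed, so they are the real
# victims). 10.0.0.9 serves one legitimate internal client.
SAMPLE_FLOWS = [
    ("198.51.100.20", 53211, "10.0.0.5", RPCBIND_PORT, 3400, 50),
    ("10.0.0.5", RPCBIND_PORT, "198.51.100.20", 53211, 145000, 50),
    ("198.51.100.21", 47120, "10.0.0.5", RPCBIND_PORT, 3400, 50),
    ("10.0.0.5", RPCBIND_PORT, "198.51.100.21", 47120, 145000, 50),
    ("10.0.0.23", 41000, "10.0.0.9", RPCBIND_PORT, 68, 1),
    ("10.0.0.9", RPCBIND_PORT, "10.0.0.23", 41000, 120, 1),
]


def analyse_rpcbind_flows(flows, min_amplification=10.0, min_out_bytes=100_000):
    """Return {host: summary} for every host whose UDP/111 responses exceed
    both thresholds. 'victims' lists where the responses went: in a
    reflection attack these are the spoofed sources, i.e. the targets."""
    per_host = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "victims": set()})
    for src, sport, dst, dport, nbytes, _pkts in flows:
        if dport == RPCBIND_PORT:           # request arriving at a portmapper
            per_host[dst]["in_bytes"] += nbytes
        elif sport == RPCBIND_PORT:         # reply leaving a portmapper
            per_host[src]["out_bytes"] += nbytes
            per_host[src]["victims"].add(dst)

    findings = {}
    for host, s in per_host.items():
        # Replies with no matching requests seen (asymmetric routing, or the
        # sensor only sees egress) count as unbounded amplification.
        ratio = s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")
        if ratio >= min_amplification and s["out_bytes"] >= min_out_bytes:
            findings[host] = {
                "ratio": ratio,
                "out_bytes": s["out_bytes"],
                "victims": sorted(s["victims"]),
            }
    return findings


if __name__ == "__main__":
    for host, info in analyse_rpcbind_flows(SAMPLE_FLOWS).items():
        print(f"{host}: {info['ratio']:.1f}x amplification, "
              f"{info['out_bytes']} bytes towards {', '.join(info['victims'])}")
```

A host flagged this way should not have UDP/111 reachable from the Internet at all; the Shodan counts quoted in the article are exactly such exposed portmappers.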

The discovery of the flaw began on June 11 this year. On that day, one of the web application firewalls (WAFs) installed in the XLabs SOC (security operations center) detected an abnormal pattern of network traffic that caught Mauricio’s eye.

The data showed that a DDoS attack was in progress, coming from port 111 of several servers, all from other countries.

“We then decided to open a server with port 111 exposed on the Internet, with the same characteristics as those who were attacking us, and we were monitoring that server for weeks. We found that it was receiving requests to generate attacks,” he explained.

After further analysis of the subject, it was possible to reproduce the attack in the laboratory.

“By analyzing the servers exposed at Shodan, the extent of the problem was confirmed,” continues Mauricio.

The problem discovered by Mauricio is worse than Memcrashed, detected in February of this year. In that type of distributed denial of service (DDoS) attack, the malicious traffic generated with the technique is greater than that associated with the abuse of memcached, a service that does not require authentication but has been exposed on the internet by inexperienced system administrators. The service runs on UDP port 11211, and its abuse by cybercriminals has already generated 260GB of traffic according to Cloudflare’s measurements.

After developing the POC, Maurício reported the problem to Oracle’s security team, since RPCBIND is a solution originating from Sun, which was acquired by the company in 2010.

He sent the information to Oracle so that the experts of the company could confirm and evaluate the problem. The confirmation arrived by email (see image), with the announcement of the publication date of the patch. It was on Tuesday, October 16, 2019 at 5:00 p.m., Brasília time, 1:00 p.m. in San Francisco, California.

The Brazilian version of the post is available on the author’s blog.

About the Author: Paulo Brito

Pierluigi Paganini

(Security Affairs – hacking, virtualization)


VMware addressed Code Execution Flaw in its ESXi, Workstation, and Fusion products

VMware has addressed a critical arbitrary code execution flaw affecting the SVGA virtual graphics card used by its ESXi, Workstation, and Fusion products.

VMware has released security updates to fix a critical arbitrary code execution vulnerability (CVE-2018-6974) in the SVGA virtual graphics card used by its ESXi, Workstation, and Fusion solutions.

The issue in the VMware products is an out-of-bounds read vulnerability in the SVGA virtual graphics card that could be exploited by a local attacker with low privileges on the system to execute arbitrary code on the host.

“VMware ESXi, Fusion and Workstation contain an out-of-bounds read vulnerability in SVGA device. This issue may allow a guest to execute code on the host.” reads the security advisory published by the company.

VMware credited an anonymous researcher for reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

According to the ZDI’s own advisory, the vulnerability was reported to VMware in mid-June.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of VMware Workstation. An attacker must first obtain the ability to execute low-privileged code on the guest system in order to exploit this vulnerability.” reads the ZDI’s advisory.

“The specific flaw exists within the handling of virtualized SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

VMware classified the issue as “medium” severity and assigned it a CVSS score of 6.9.

The same anonymous expert also reported an out-of-bounds write vulnerability in the e1000 virtual network adapter, tracked as CVE-2018-6973, used by Workstation and Fusion.

The CVE-2018-6973 flaw could be exploited by a local attacker to execute arbitrary code; VMware addressed it in September.

This flaw is similar to the previous one: an attacker needs low-privileged access to the target system to exploit the issue.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of VMware Workstation. An attacker must first obtain the ability to execute low-privileged code on the guest system in order to exploit this vulnerability.” states ZDI’s advisory.

“The specific flaw exists within the handling of the virtualized e1000 device. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

The cloud computing and platform virtualization company also assigned this flaw a CVSS score of 6.9.

In June, the company fixed a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.

Pierluigi Paganini

(Security Affairs – hacking, virtualization)


A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence

A water utility in the US state of North Carolina suffered a severe ransomware attack in the week after Hurricane Florence hit the East Coast of the U.S.

According to the Onslow Water and Sewer Authority (aka ONWASA) some internal systems were infected with the Emotet malware, but the regular water service was not impacted.

According to ONWASA, the infections will require several of the main databases to be completely recreated; fortunately, no customer information was compromised.

“We are in the middle of another disaster following Hurricane Florence and tropical storm Michael,” CEO Jeff Hudson told employees in a video posted on Facebook.

“With a very sophisticated attack they penetrated our defenses, just as they penetrated the city of Atlanta and Mecklenburg county.”


ONWASA CEO Jeffrey Hudson confirmed that the ransomware attack began on October 4. The IT staff initially believed they had locked out the threat; however, on October 13 the malware started dropping the Ryuk ransomware onto the infected systems.

“An ONWASA IT staff member was working at 3am and saw the attack,” ONWASA said.

“IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network encrypting databases and files.”

Operators at the utility did not pay the ransom and opted to recreate the infected systems.

“Ransom monies would be used to fund criminal, and perhaps terrorist activities in other countries,” ONWASA reasoned. “Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks.”

The incident response had a significant impact on the operations of the utility at a critical moment, the aftermath of Hurricane Florence.

ONWASA estimates it will take several weeks to rebuild all of the damaged systems; it will not be possible for customers to pay their bills online, and major delays will affect the services provided by the utility.

The effects of Hurricane Florence on Onslow County were significant: schools are still closed and local authorities are still working to clean up debris from the massive storm. It has been estimated that the cost of restoring normal conditions will hit $125m.

Pierluigi Paganini

(Security Affairs – Hurricane Florence, ransomware)


Russia-linked APT group DustSquad targets diplomatic entities in Central Asia

Kaspersky experts published a detailed analysis of the attacks conducted by the Russian-linked cyber espionage group DustSquad.

Earlier in October, security experts from ESET shared details about the operations of a cyber espionage group tracked as Nomadic Octopus, a threat actor focused on diplomatic entities in Central Asia.

The group has been active since at least 2015.

“ESET researchers recently discovered an interesting cyber espionage campaign active in several countries of Central Asia. We attribute these attacks to a previously undocumented APT group that we have named Nomadic Octopus.” states the blog post published by Virus Bulletin.

“Our findings suggest that this APT group has been active since at least 2015. The main goal of Nomadic Octopus appears to be cyber espionage against high-value targets, including diplomatic missions in the region”

The experts presented their findings at the Virus Bulletin conference.

Now Kaspersky experts published a detailed analysis of the attacks conducted by the group, tracked by the Russian firm as DustSquad, and the tools they used.

Kaspersky has been monitoring the activity of the group for the last two years; DustSquad is a Russian-language cyberespionage group particularly active in Central Asia.

“For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware.” states the analysis published by Kaspersky Lab.

“The name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also started monitoring the malware and, using Kaspersky Attribution Engine based on similarity algorithms, discovered that Octopus is related to DustSquad, something we reported in April 2018.”

The group targets its victims with spear-phishing emails, and the threat actors use Russian-language malware filenames.

Kaspersky tracked a campaign conducted by the group back to 2014 when hackers targeted entities in the former Soviet republics of Central Asia, plus Afghanistan.

In April 2018, the researchers discovered a new Octopus sample developed to target Windows systems, the malicious code had been disguised as a Russian version of the Telegram app used by the Democratic Choice (DVK) opposition party in Kazakhstan.

Attackers attempted to exploit the Kazakhstan government’s threat to block Telegram over its use by the DVK.


The Octopus Trojan is written in Delphi, the same programming language used by Russian-linked APT group Sofacy for the development of the Zebrocy backdoor.

The malicious code implements backdoor features, including the ability to execute commands, upload and download files, take screenshots, and find *.rar archives on the host.

Experts noticed that, even though they found malware used by both DustSquad and the Sofacy APT on the compromised machines, the two cyber espionage groups are not linked.

Kaspersky pointed out that many components of the Octopus malware are still unfinished; the attackers likely created the malicious code in a hurry and did not implement certain features, such as communication functionality.

“Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware),” continues the Kaspersky report.

“Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally.”

Additional technical details are reported in the analysis, including IoCs.

Pierluigi Paganini

(Security Affairs – DustSquad, Russia)


Expert disclosed a new passcode bypass to access photos and contacts on a locked iPhone

iOS enthusiast Jose Rodriguez disclosed a new passcode bypass bug that could be exploited to access photos and contacts on a locked iPhone XS.

Security enthusiast Jose Rodriguez has discovered a new passcode bypass bug that could be exploited on the recently released iOS 12.0.1.

A few weeks ago, Rodriguez discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could have been exploited to access photos, contacts on a locked iPhone XS.

Now the expert has discovered a similar flaw that an attacker with physical access can easily execute to reach the photo album of a locked device. The bug allows the attacker to select photos and send them to anyone using Apple Messages.

The new passcode bypass attack works on all current iPhone models, including iPhone X and XS devices, running iOS 12 through the latest 12.0.1.

The new hack devised by Rodriguez leverages the Siri assistant and the VoiceOver screen reader to bypass the passcode.

Below the step-by-step procedure for the passcode bypass discovered by Rodriguez:

  1. Call the target phone from any other phone.
  2. Instead of answering the call, click on “Message” in the call window.
  3. Select “Custom” to reply via text message. That will open the Messages input screen.
  4. Invoke Siri to activate VoiceOver, the iOS feature that helps sight-impaired users use an iPhone.
  5. Click on the camera icon.
  6. Invoke Siri with the iPhone’s home button while you double-tap the display. The screen will turn black. This is where the bug kicks in and iOS gets confused.
  7. From here, click on the home button again while the screen remains black.
  8. Swipe up to the upper left corner while the screen remains black. VoiceOver will tell you what you have selected.
  9. Keep swiping to the top left corner until VoiceOver tells you that you can select the Photo Library (“Fototeca” in Rodriguez’ video).
  10. Tap to select Photo Library.
  11. After selecting the Photo Library, iOS will take you back to the message screen, but you’ll see a blank space where the keyboard should be. The blank space is actually an invisible Photo Library.
  12. Click on the shelf handle on top of the blank space to activate the Photo Library.
  13. Now you only have to swipe and double tap to start grabbing photos. Each photo will be pasted in your input field, ready to be sent to any number.
While waiting for a patch, it is possible to mitigate the issue by disabling Siri on the lock screen (go to Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and disable the Siri toggle under “Allow access when locked”).

Pierluigi Paganini

(Security Affairs – passcode bypass, hacking)


35 million US voter records available for sale in a hacking forum

Millions of voter records are available for sale on the Dark Web, experts discovered over 35 million US voter records for sale in a hacking forum.

Millions of voter records are available for sale on the Dark Web, experts from Anomali and Intel 471 discovered 35 million US voter records for sale in a hacking forum.

Researchers have analyzed a sample of voter records and determined the data to be valid with a high degree of confidence.

Records in the voter registration database include personal and voting history information of US residents.

“Certain states require the seller to personally travel to locations in-state to receive the updated voter information.” reads the post published by Anomali.

“This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum,” 

The seller only provided the number of records for the voter lists of three states, asking for prices between $1,300 and $12,500:

  • Louisiana (3 million);
  • Wisconsin (6 million);
  • Texas (14 million);


The seller also claims to have lists of voters for other states, including Montana, Iowa, Utah, Oregon, South Carolina, Wisconsin, Kansas, Georgia, New Mexico, Minnesota, Wyoming, Kentucky, Idaho, South Carolina, Tennessee, South Dakota, Mississippi, and West Virginia.

According to the seller, the voter lists are updated weekly with the help of people in the state governments.


This kind of information is a precious commodity for threat actors; members of the forum have already expressed their interest in the huge trove of data.

“With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large scale identity theft,” explained Hugh Njemanze, chief executive officer of Anomali.

The persistent access to voter records claimed by the seller represents a serious threat to US voters and to US politics.

“Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state.” the report concludes.

“These types of unauthorized information disclosures increase the threat of possible disruptive attacks against the U.S. electoral process such as voter identity fraud and voter suppression.”

Pierluigi Paganini

(Security Affairs – voter records, Dark Web)

The post 35 million US voter records available for sale in a hacking forum appeared first on Security Affairs.

How Cybercriminals are Targeting free Wi-Fi Users?

Free Wi-Fi is convenient, but it is also unsafe and puts users at risk. Here is how cybercriminals attack users on these open networks.

Free Wi-Fi is one of the most attractive conveniences of today's world, which is why open public hotspots are so easy to find. They are free and convenient to use, but many users are not aware that these open hotspots are unsafe and expose them to real risk.

Cybercriminals target the users of free Wi-Fi hotspots in several ways. Many users know, at least vaguely, that the open networks they connect to are unsafe, but few know the specific ways in which they are being targeted on them.

Ways in which Hackers Target free Wi-Fi Users

The open-to-all nature of free public Wi-Fi networks makes them unsafe for every user. Criminals are constantly looking for personal or financial data, or for a way onto users' devices, and open networks give them the perfect opportunity. The following are some of the common ways cybercriminals target free Wi-Fi users.


  1. Man-in-the-middle attack

In a man-in-the-middle attack the criminal places himself between the user and the access point, for example by running the access point himself or by answering the ARP requests for the gateway's address on the local network. Every request the user makes then passes through a machine the attacker controls, so he can read, modify or redirect any traffic that the application itself does not encrypt end to end.

Carrying out such an attack is easy enough that in a widely reported experiment a seven-year-old girl, Betsy Davies, broke into a public Wi-Fi network and accessed a stranger's laptop in about ten minutes. If a seven-year-old can do it in ten minutes, imagine what a professional can do.

  2. Fake Wi-Fi access points

It is also easy for cybercriminals to set up fake Wi-Fi access points in public spaces. They run a rogue network as bait, give it a generic-sounding name, and wait for users to connect; from then on the attacker owns the connection and sees all of the data the device sends through it.

Once a user is connected to the rogue network there are plenty of ways to carry out the attack. One is to redirect the user to a malicious website that pushes malware onto the device. Another is a spoofed banking page, on which the attacker hopes the user will enter banking details and other financial data so they can be captured.

  3. Fake honeypots (evil twins)

The fake honeypot, better known as an evil twin, is a rogue access point that copies the name, and sometimes the password, of a legitimate network. It is a more sophisticated version of the fake access point, and the closer the copy, the more users fall for the trap.

Imagine connecting to an airport's Wi-Fi and seeing two networks with the same name and even the same password. One of them may well be an evil twin set up to capture users' data and misuse their sensitive information. Devices make this worse by automatically re-joining any network whose name they remember.
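Both the fake access point and the evil twin leave a trace a client can look for before it joins: a network name that is suddenly served by an access point with a different vendor prefix, or with a different security setting, than the legitimate deployment. The following is an added example, not code from the original article or from any vendor. It runs that check over a constructed list of beacon observations (sample data in the shape a scanner such as airodump-ng reports; the BSSIDs, names and signal strengths are invented) and flags the SSIDs that look impersonated:

```python
from collections import defaultdict

# Constructed beacon observations (sample data, not a real capture). Signal is in dBm.
OBSERVED_BEACONS = [
    {"ssid": "Airport_Free_WiFi", "bssid": "00:1a:1e:11:22:33", "channel": 6,  "security": "WPA2-PSK", "signal": -55},
    {"ssid": "Airport_Free_WiFi", "bssid": "00:1a:1e:11:22:34", "channel": 11, "security": "WPA2-PSK", "signal": -62},
    {"ssid": "Airport_Free_WiFi", "bssid": "f4:f2:6d:aa:bb:cc", "channel": 6,  "security": "OPEN",     "signal": -38},
    {"ssid": "Cafe_Guest",        "bssid": "34:12:98:01:02:03", "channel": 1,  "security": "OPEN",     "signal": -70},
    {"ssid": "Hotel_Lobby",       "bssid": "34:12:98:01:02:04", "channel": 1,  "security": "WPA2-PSK", "signal": -71},
    {"ssid": "Hotel_Lobby",       "bssid": "34:12:98:01:02:05", "channel": 6,  "security": "WPA2-PSK", "signal": -66},
]


def oui(bssid: str) -> str:
    """First three octets of the MAC: the vendor prefix a real deployment keeps consistent."""
    return bssid.lower()[:8]


def find_evil_twin_candidates(beacons, trusted_ouis=None):
    """Group beacons by SSID and flag names served inconsistently.

    A legitimate venue runs many access points under one SSID, so several BSSIDs alone
    are normal. Different security settings, or different vendor prefixes, are not.
    trusted_ouis is an optional set of prefixes the venue is known to use.
    """
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b["ssid"]].append(b)

    findings = []
    for ssid, aps in by_ssid.items():
        securities = {a["security"] for a in aps}
        ouis = {oui(a["bssid"]) for a in aps}
        reasons = []
        if len(securities) > 1:
            reasons.append("same SSID advertised with different security: " + ", ".join(sorted(securities)))
        if len(ouis) > 1:
            reasons.append("same SSID advertised by different vendor OUIs: " + ", ".join(sorted(ouis)))
        if trusted_ouis:
            rogue = sorted(a["bssid"] for a in aps if oui(a["bssid"]) not in trusted_ouis)
            if rogue:
                reasons.append("BSSIDs outside the venue's known OUIs: " + ", ".join(rogue))
        if reasons:
            # The rogue AP is usually the loudest one: the attacker sits close to the victims.
            suspect = max(aps, key=lambda a: a["signal"])
            findings.append({"ssid": ssid, "suspect_bssid": suspect["bssid"], "reasons": reasons})
    return findings


def safe_to_join(ssid: str, beacons, expected_security: str) -> bool:
    """Client-side rule: join only if every AP announcing the SSID uses the expected security
    and nothing about the SSID is flagged."""
    aps = [b for b in beacons if b["ssid"] == ssid]
    if not aps or any(a["security"] != expected_security for a in aps):
        return False
    return not any(f["ssid"] == ssid for f in find_evil_twin_candidates(beacons))


if __name__ == "__main__":
    for finding in find_evil_twin_candidates(OBSERVED_BEACONS, trusted_ouis={"00:1a:1e"}):
        print(finding["ssid"], "suspect", finding["suspect_bssid"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

In the sample, Airport_Free_WiFi is flagged because an open access point from a different vendor is announcing a name the venue serves as WPA2, and the loudest of the three is named as the suspect. Hotel_Lobby, two access points from one vendor with the same security, is a normal roaming deployment and is not flagged. The check cannot flag a lone bait network such as the open Cafe_Guest, because there is nothing to compare it with; for that case the only defence is to treat every open network as hostile.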

  4. Intercepting your data and credentials

Another brutal attack is the passive interception of users' traffic on unsecured public hotspots. On an open network the Wi-Fi layer adds no encryption at all, so anything the application itself does not encrypt (plain HTTP, older mail and FTP clients, DNS queries) can be read by anyone within radio range. A shared password does not help much either: on a WPA2-PSK hotspot, anyone who knows the password and captures a client's association handshake can decrypt that client's traffic.

This is how cybercriminals get hold of login credentials and other private information with very little effort: the data is already readable, so there is nothing for them to break.
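To make the difference concrete, the following added example (not from the original article) shows what a passive eavesdropper on an open hotspot recovers from two constructed packets: a cleartext HTTP login request, and the first packet of an HTTPS connection to the same host. The hostname and credentials are invented sample data, and the TLS ClientHello is built by the example itself so that it runs offline:

```python
import struct
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample: a cleartext login POST as it crosses an open hotspot (not real traffic).
HTTP_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)


def extract_http_credentials(payload: bytes) -> dict:
    """What a passive sniffer recovers from a cleartext HTTP POST: host, path and every form field."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    _, path, _ = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    fields = parse_qs(body[:length].decode("utf-8", "replace"))
    return {
        "host": headers.get(b"host", b"").decode(),
        "path": path.decode(),
        "fields": {k: v[0] for k, v in fields.items()},
    }


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2-format ClientHello whose only extension is server_name (SNI)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list        # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                  # client_version
        + b"\x11" * 32               # client random (fixed: this is a constructed sample)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # one cipher suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello(1) + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """All a passive sniffer recovers from the first packet of a TLS connection: the server name."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                          # record hdr(5) + hs hdr(4) + version + random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    if pos + 2 > len(record):
        return None                                           # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:
            p = pos + 2                                       # skip server_name_list length
            while p + 3 <= pos + ext_len:
                name_type, name_len = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode()
                p += 3 + name_len
        pos += ext_len
    return None


def sniffer_view(payload: bytes) -> dict:
    """Same eavesdropper, two kinds of traffic: full credentials versus only a hostname."""
    if payload[:1] == b"\x16":
        return {"kind": "tls", "server_name": extract_sni(payload), "fields": {}}
    return {"kind": "http", **extract_http_credentials(payload)}


if __name__ == "__main__":
    print(sniffer_view(HTTP_LOGIN_POST))
    print(sniffer_view(build_client_hello("bank.example")))
```

From the cleartext request the sniffer gets the username and password outright. From the TLS connection it gets the server name carried in the SNI extension and nothing else, which is why using HTTPS matters more than any property of the hotspot. The SNI is still metadata: the eavesdropper learns which bank you use, just not what you sent it.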

These are some of the common attacks used against users of free Wi-Fi networks. There is a way to stay protected on these public hotspots, and it is discussed below.

How to stay protected with a VPN on public Wi-Fi networks

The most effective way to stay protected on an unsafe public hotspot is to use a reputable VPN service. Good VPN providers offer strong encryption, which makes it extremely hard for cybercriminals to get at users' accounts and data.

The VPN encrypts all of the device's traffic and carries it through a secure tunnel between the device and the VPN server, so anyone on the hotspot, including the operator of a rogue access point, sees only encrypted packets addressed to the VPN server. Even if they capture that data, all they get is gibberish: the ciphers used by the major VPN protocols cannot be broken with any practical amount of computing time.

Two caveats matter in practice. The tunnel protects the hop between the device and the VPN server, not what happens beyond it, so HTTPS still matters for the sites you visit. And the protection only holds while the tunnel is up, so choose a VPN client that blocks traffic when the tunnel drops (a kill switch) and that sends DNS queries through the tunnel; otherwise a rogue access point still learns which sites you visit.

Final Words

If you often use free public Wi-Fi in malls, cafes, restaurants or other public spaces, be aware that these open networks are unsafe and can put you in real danger. If you want to use them anyway, get a decent VPN service and connect it before you do anything else on the network.

About Author:

Susan Alexandra is a small business owner, traveler, and investor of cryptocurrencies. She is just another creative writer helping to create the kind of information that young people want.

Pierluigi Paganini

(Security Affairs – free Wi-Fi, hacking)

The post How Cybercriminals are Targeting free Wi-Fi Users? appeared first on Security Affairs.

A simple message containing certain symbols could crash the Sony PlayStation 4

PlayStation 4 gaming consoles could crash when they receive messages containing certain symbols from fellow gamers.

The console freezes while its owner is playing; the denial-of-service condition is triggered when the device parses certain symbols in an incoming message.

“There is a new glitch that basically bricks your console and forces you to factory reset it. Even deleting the message from the mobile app doesn’t work. It happened to me during Rainbow Six: Siege. A player from the other team used a dummy account to send the message and crashed my entire team. We all have had to factory reset. Only one of our guys wasn’t affected and he has his messages private.” reads a thread on Reddit.

Many users reported the glitch; for some, the problem persisted even after deleting the message from the mobile app. Some users fixed the issue by restoring the console to factory settings, losing their saved game data unless they subscribed to the PS Plus service, which backs saves up automatically to Sony's cloud.


According to the Reddit thread, some gamers in online multiplayer matches sent the malicious message to members of the opposing team, crashing their consoles.

The crash is reported with PS4 error code CE-36329-3.

For some users, deleting the offending message from the PlayStation mobile app was enough to fix the issue.

Experts recommend rebuilding the console's database to fix the problem completely. The step-by-step procedure:

  1. Turn off the PS4 system by pressing the power button on the front panel. The power indicator will blink for a few moments before turning off.
  2. Once the PS4 system is off, press and hold the power button again. Release it after you hear the second beep: one beep will sound when you first press, and another seven seconds later.
  3. Connect the DUALSHOCK 4 with the USB cable and press the PS button on the controller.
  4. Select the Rebuild Database option.

To avoid receiving such messages in the first place, restrict who can message you:

  1. Go to Settings > Account Management > Privacy Settings
  2. Enter your password
  3. Select Personal Info | Messaging
  4. Set Messages to either Friends or No One

Pierluigi Paganini

(Security Affairs – PlayStation 4, hacking)

The post A simple message containing certain symbols could crash the Sony PlayStation 4 appeared first on Security Affairs.

Online market for counterfeit goods in Russia has reached $1,5 billion

Group-IB: The online market for counterfeit goods in Russia has reached $1,5 billion, while the number of phishing attacks has surpassed 1,200 daily

Group-IB, an international company that specialises in the prevention of cyber attacks, has estimated that online sales of counterfeit goods are now worth $1.5 billion. This information was first made public by experts from Group-IB’s Brand Protection team at the CyberCrimeCon 2018 international cybersecurity conference.

According to Group-IB, the online market for counterfeit goods in Russia has increased by 23% in a year and totaled more than $1.5 billion in 2017, compared to $1.2 billion in 2016.  Fraudsters use their websites to sell household appliances and computer equipment, clothing and footwear, jewelry, accessories, cosmetics, medicinal products, and much more, often at hugely discounted prices – up to 80% off. According to Group-IB’s statistics, every fifth counterfeit product was bought online. On average, Russians spend $78 per year on counterfeit goods.

“For large organisations, the actions of online fraudsters mean not only a direct loss in revenue, but also damaged customer loyalty, brand abuse, and fewer shoppers,” says Andrey Busargin, Director of Brand Protection at Group-IB. “It also leads to a decrease in what we call the psychological price, i.e. the cost that customers are willing to pay for a product from the official retailer. Around 64% of users stop buying a company’s goods after a negative experience.”

Counterfeit goods are not the only threat to popular brands on the Internet. Scammers create fake websites of known brands, fraudulent promotional campaigns, and fake accounts on social media. In recent years, an often-used fraud method has been fake mobile applications: 36% of users are unable to distinguish between genuine and fake apps, and 60% of the latter request access to the user's personal data.

Fraudsters deceive users in various ways: phishing websites, fake mobile apps, and fake accounts and groups on social media. Phishing remains one of the most common forms of online fraud. According to Group-IB's Brand Protection experts, around 1,270 phishing attacks are carried out daily. The main goals of phishing resources are stealing money from bank cards and obtaining login credentials to personal accounts.

Scammers do not simply copy a company’s website, brand, logos, and colors in addition to registering a similar domain name; they also use the same promotional methods as the legal resources. To secure the traffic they need, scammers ensure that their websites appear at the top of search engine results: 96% of users click on links found on the first page displayed by search engines. Only 35% of them are official resources, however.

Contextual advertising also plays a role: for only $15, it is possible to buy 100 guaranteed visits to a phishing website. Scammers also buy banner ads, use search engine optimisation (SEO), and social media promotion (every day, around 150 social media users are deceived by fraudsters on average). In addition to technological ways of attracting traffic by using bots that target opinion leaders, scammers do not shy away from the classic tactic of mass email blasts purporting to be from popular brands, with 20% of users opening emails that contain content that is characteristic of malware or phishing.

Given that users blindly trust influencers (68% of people choose goods or services based on feedback on social media), scammers create fake accounts. For example, a fake account in Pavel Durov's name brought in more than $50,000 in only a couple of hours after being created. According to Group-IB, 43% of celebrities and 31% of politicians have fake accounts that use their names.

“Fighting online fraudsters and counterfeiting requires adopting serious countermeasures,” warns Andrey Busargin.

“We advise companies to continuously track phishing resources and monitor references to their brand in domain name databases, search engine results, social media, messengers, and context ads so as to identify scammers hiding behind the company’s brand. It is also important to monitor mobile applications, in both official and unofficial stores, in addition to forums, search engine results, social media, and websites where they might be found. To effectively fight against scammers and fraudsters, it is important to detect and block all the resources connected with a fraudulent website. Fraudsters usually create several phishing websites at once, which can be detected using correlation and website affiliation analysis.”
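One concrete way to act on the first piece of that advice, monitoring domain name databases for abuse of a brand, is to triage each day's newly registered domains against the brand with look-alike normalization and a similarity threshold. The following is an added example, not Group-IB's tooling. The brand, its legitimate TLDs and the feed of new domains are constructed sample data:

```python
import unicodedata
from difflib import SequenceMatcher

BRAND = "example-bank"          # assumed brand label, not a company named in the report
BRAND_TLDS = {"com", "ru"}      # assumed legitimate registrations of that brand

# Constructed "newly registered domains" feed for one day (sample data, not a real zone file).
NEW_DOMAINS = [
    "example-bank.com",          # the genuine site
    "exarnple-bank.com",         # "rn" reads as "m"
    "\u0435xample-bank.com",     # leading Cyrillic "е" (U+0435) instead of Latin "e"
    "example-bank.net",          # the brand on a TLD the company never registered
    "example-bank-login.ru",     # the brand plus a lure word
    "example-banc.com",          # one-character typo
    "weather-today.org",         # unrelated
]

# Characters that render like Latin letters in an address bar or an ad headline
# (Cyrillic а е о р с х у і ѕ, plus digits commonly used in place of letters).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "0": "o", "1": "l", "3": "e",
})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize_label(label: str) -> str:
    """Collapse visual look-alikes so a spoof compares equal to the brand it imitates."""
    label = unicodedata.normalize("NFKC", label).lower().translate(HOMOGLYPHS)
    for look_alike, letter in MULTI_CHAR:
        label = label.replace(look_alike, letter)
    return label.replace("-", "")


def split_domain(domain: str):
    # Assumption: single-label TLDs only; a production monitor would consult the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def classify(domain: str, brand: str = BRAND):
    """Return ("legitimate" | "suspicious" | "unrelated", [reasons])."""
    label, tld = split_domain(domain)
    if label == brand and tld in BRAND_TLDS:
        return "legitimate", []
    norm, brand_norm = normalize_label(label), normalize_label(brand)
    reasons = []
    if norm == brand_norm:
        reasons.append("visual spoof of the brand (homoglyph, look-alike pair, or unregistered TLD)")
    elif brand_norm in norm:
        reasons.append("brand name combined with extra words")
    else:
        similarity = SequenceMatcher(None, norm, brand_norm).ratio()
        if similarity >= 0.85:
            reasons.append(f"typosquat candidate (similarity {similarity:.2f})")
    return ("suspicious" if reasons else "unrelated"), reasons


def triage(feed):
    """Domains worth a takedown request or a block rule, with the reason for each."""
    return [(domain, classify(domain)[1]) for domain in feed if classify(domain)[0] == "suspicious"]


if __name__ == "__main__":
    for domain, reasons in triage(NEW_DOMAINS):
        print(domain, "->", "; ".join(reasons))
```

The normalization step is what catches the cases a plain string match misses: a Cyrillic letter, an "rn" that renders like "m", a digit standing in for a letter. Registrations that merely embed the brand with a lure word are the ones most often seen behind phishing pages and contextual ads, and they are flagged separately from true typosquats so they can be handled differently. A production monitor would split domains using the Public Suffix List rather than the last label, and would feed the flagged names to the correlation and affiliation analysis the quote describes.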

About the author Group-IB

Group-IB is one of the world's leading providers of solutions aimed at the detection and prevention of cyber attacks, fraud exposure and protection of intellectual property on the Internet. The GIB Threat Intelligence cyber threat data collection system has been named one of the best in class by Gartner, Forrester, and IDC.

Group-IB's technological leadership is built on the company's fifteen years of hands-on experience in cybercrime investigations all over the world and 55,000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and a round-the-clock centre providing rapid response to cyber incidents, CERT-GIB.

Group-IB is a partner of INTERPOL and Europol and a cybersecurity solutions provider recommended by SWIFT and OSCE.

Pierluigi Paganini

(Security Affairs – counterfeit goods, cybercrime)

The post Online market for counterfeit goods in Russia has reached $1,5 billion appeared first on Security Affairs.




Russia-linked BlackEnergy backed new cyber attacks on Ukraine's state bodies

The Security Service of Ukraine (SBU) uncovered a new targeted attack launched by BlackEnergy APT on the IT systems of Ukrainian government entities.

The Security Service of Ukraine (SBU) uncovered a new targeted attack on the information and telecommunication systems of Ukrainian government entities and attributed it to the Russia-linked BlackEnergy APT group.

“The Security Service of Ukraine has received more evidence of the aggressive actions of Russian intelligence services against Ukraine in cyberspace using a controlled hacker group responsible for carrying out cyberattacks on Ukraine’s critical infrastructure facilities during 2015-2017, known as BlackEnergy and NotPetya,” reads the SBU’s press release.

BlackEnergy made headlines as the malware behind the attack that caused a massive power outage in Ukraine in December 2015.

The BlackEnergy malware has been refined over time to target SCADA systems; some variants include the KillDisk component, which wipes disks to render systems inoperable.

According to the SBU, the BlackEnergy hackers used new malware samples in the recent series of attacks. The new code acts as spyware, implementing surveillance capabilities and remote administration features.

The SBU, together with experts from a well-known antivirus company, determined that the malware involved in the attack consists of updated versions of the Industroyer backdoor.

The specialists involved in the investigation helped the SBU attribute the attack and implement mitigations to protect the IT infrastructure of government agencies.

The malware used in the recent attacks borrows code from Industroyer, as reported by the ukrinform.net website.

“They have a number of similar characteristics, in particular using similar code snippets, computing capabilities of infected systems, etc.” states ukrinform.net.

Experts from the SBU also observed attackers using hacking tools that were used by the BlackEnergy hackers in previous attacks.

Pierluigi Paganini

(Security Affairs – Security Service of Ukraine, Russia-linked APT group)

The post Russia-linked BlackEnergy backed new cyber attacks on Ukraine’s state bodies appeared first on Security Affairs.




Branch.io Flaws may have affected as many as 685 million individuals

More than 685 million users may have been exposed to XSS attacks due to a flaw in Branch.io service used by Tinder, Shopify, and many others.

Security Affairs was the first to publish the news of a DOM-XSS bug affecting Tinder, Shopify, Yelp, and other applications.

The flaws were disclosed a few days ago by researchers at vpnMentor, who explained that an attacker could have exploited them to access Tinder users' profiles.

“After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.” reads the analysis published by vpnMentor.

“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.”

Tinder’s security team immediately launched an investigation and discovered that the go.tinder.com domain was actually an alias for Branch.io-owned custom.bnc.lt.

The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels.

Many major firms point an alias of their own domain at the same custom.bnc.lt host, including Yelp, Western Union, Shopify, RobinHood, Letgo, imgur, Lookout, fair.com and Cuvva, vpnMentor said. Because each firm serves the Branch.io page under its own domain, a flaw in that shared endpoint is exploitable in the context of every one of those domains.

According to vpnMentor, the flaws may have affected as many as 685 million individuals using the vulnerable services.

The DOM-based XSS discovered by the experts would have been easy to exploit in most web browsers; the researchers also pointed out that Branch.io did not deploy a Content Security Policy (CSP), which could have stopped the injected script from running.
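The article does not describe the vulnerable sink, so the following is an illustrative added example (not Branch.io's code) of the general pattern behind a DOM-based XSS on a link-redirection page, written in Python to model the browser-side logic: a page reads a label and a redirect target from its own URL fragment and writes them into the document. The vulnerable rendering is shown beside a hardened version (output encoding plus a scheme and host allowlist for the redirect) and the kind of CSP header the researchers noted was missing. The hostnames, parameter names and attack URL are constructed.

```python
import html
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed origin of the link page and the hosts it may legitimately redirect to.
PAGE_ORIGIN = "https://go.example.com/"
TRUSTED_REDIRECT_HOSTS = {"go.example.com", "app.example.com"}

# Constructed attack URL: the payload rides in the fragment, the redirect target is a javascript: URL.
ATTACK_URL = (
    "https://go.example.com/#label=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E"
    "&target=javascript:alert(1)"
)

# Second layer of defence: no inline script may run, so an injected onerror= handler is inert.
RECOMMENDED_CSP = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'none'; frame-ancestors 'none'"
)


def parse_deeplink_params(page_url: str) -> dict:
    """Read label/target the way a client-side script would: from the fragment, else the query.

    The fragment is never sent to the server, so a server-side filter never sees it.
    """
    parts = urlsplit(page_url)
    params = parse_qs(parts.fragment or parts.query, keep_blank_values=True)
    return {"label": params.get("label", [""])[0], "target": params.get("target", [""])[0]}


def render_link_unsafe(label: str, target: str) -> str:
    """Vulnerable pattern: untrusted strings concatenated into markup bound for innerHTML."""
    return f'<a href="{target}">{label}</a>'


def is_safe_redirect(target: str, allowed_hosts=TRUSTED_REDIRECT_HOSTS) -> bool:
    """Accept only http(s) targets whose resolved host is on the allowlist."""
    resolved = urljoin(PAGE_ORIGIN, target)     # "//evil.example/x" resolves to evil.example, "/path" to us
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):   # rejects javascript:, data:, vbscript:
        return False
    return parts.hostname in allowed_hosts      # hostname ignores user@ tricks and the port


def render_link_safe(label: str, target: str) -> str:
    """Hardened rendering: validated href, every untrusted string HTML-encoded."""
    href = target if is_safe_redirect(target) else PAGE_ORIGIN
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    params = parse_deeplink_params(ATTACK_URL)
    print("unsafe:", render_link_unsafe(params["label"], params["target"]))
    print("safe:  ", render_link_safe(params["label"], params["target"]))
    print("Content-Security-Policy:", RECOMMENDED_CSP)
```

Two points the example makes. The fragment never reaches the server, so no server-side filter can catch a payload carried there; the fix has to live in the client code or in a CSP. And a CSP whose script-src omits 'unsafe-inline' stops an onerror= handler from executing even if the escaping is forgotten. The redirect check rejects javascript: and data: schemes, protocol-relative //host URLs and the user@host trick because it resolves the target against the page's origin and then inspects the parsed hostname rather than the raw string.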


The experts urge users to change their passwords as a precaution.

“Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.” the experts continue.

“While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.”

Additional technical details are included in the analysis published by the experts.

Pierluigi Paganini

(Security Affairs – Branch.io, hacking)

The post Branch.io Flaws may have affected as many as 685 million individuals appeared first on Security Affairs.


A Russian cyber vigilante is patching outdated MikroTik routers exposed online

A Russian-speaking hacker who goes by the name Alexey claims to have hacked into over 100,000 MikroTik routers with a specific intent: to disinfect them.

In early August, experts uncovered a massive cryptojacking campaign that targeted MikroTik routers to inject the Coinhive cryptocurrency-mining script into the web traffic passing through them.

The campaign started in Brazil, but it rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.

In September, thousands of unpatched MikroTik routers were involved in new cryptocurrency-mining campaigns.

Threat actors have also used exploit code for the CVE-2018-14847 vulnerability in MikroTik routers to recruit them into botnets such as Mirai and VPNFilter.

Alexey is a Russian-speaking cyber vigilante who decided to fix the MikroTik routers himself; he claims to be a system administrator.

Alexey described his activity on a Russian blogging platform, explaining that he broke into the routers to change their settings and prevent further compromise.

“I added firewall rules that blocked access to the router from outside the local network,” Alexey wrote.

“In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”

Alexey changed settings for over 100,000 users, but only 50 users contacted him via Telegram, and some of them were angry about the intrusion.

According to the researcher Troy Mursch, there are currently over 420,000 MikroTik routers exposed online that have been abused in cryptocurrency-mining campaigns.

MikroTik routers continue to be under attack, and the situation is getting worse because of the availability of new PoC code.

The new attack technique was recently discovered by experts at Tenable Research, and it could be exploited by remote attackers to execute arbitrary code on vulnerable devices.

The experts at Tenable Research presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS”; it leverages a known directory traversal flaw tracked as CVE-2018-14847.

Just to be clear, although Alexey broke into the infected routers to sanitize them, this action is technically considered a cybercrime.

The bad aspect of the story is that even though security patches have been available for months, ISPs and owners of home routers still have not installed them.

Pierluigi Paganini

(Security Affairs – MikroTik routers, hacking)

The post A Russian cyber vigilante is patching outdated MikroTik routers exposed online appeared first on Security Affairs.


Microsoft fixed the Zero-Day for JET flaw, but the fix is incomplete

Experts from 0patch revealed that the Microsoft patch for the JET Database Engine zero-day vulnerability (CVE-2018-8423) is incomplete.

The vulnerability was discovered by the researcher Lucas Leong of the Trend Micro Security Research team, who publicly disclosed it as an unpatched zero-day vulnerability affecting all supported versions of Microsoft Windows.

The flaw is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited by a remote attacker to execute arbitrary code on vulnerable systems.

The zero-day vulnerability received a CVSS score of 6.8 and resides in the management of indexes in JET. An attacker can use specially crafted data in a database file to trigger a write past the end of an allocated buffer.

Experts highlighted that exploitation of the flaw requires user interaction: the attackers have to trick victims into opening a malicious file that triggers the bug.

The specially crafted file has to contain data stored in the JET database format.

Lucas Leong reported the flaw to Microsoft in early May 2018 and expected it to be fixed with the September 2018 Patch Tuesday security updates, but Microsoft did not fix it.

“Today, we are releasing additional information regarding a bug report that has exceeded the 120-day disclosure timeline” stated the blog post published by ZDI.

“An out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execution was initially reported to Microsoft on May 8, 2018. An attacker could leverage this vulnerability to execute code under the context of the current process, however it does require user interaction since the target would need to open a malicious file. As of today, this bug remains unpatched.”

At the end of September, the 0patch community released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative.

Last week Microsoft addressed the flaw as part of its Patch Tuesday updates.

0patch has now issued another micropatch to correct the official Microsoft patch, which according to the experts is incomplete.

The root cause of the problem resides in the Windows core dynamic link library “msrd3x40.dll.”

“As expected, the update brought a modified msrd3x40.dll binary: this is the binary with the vulnerability, which we had micropatched with four CPU instructions (one of which was just for reporting purposes).” wrote Mitja Kolsek, a researcher with the 0patch team.

“The version of msrd3x40.dll changed from 4.0.9801.0 to 4.0.9801.5 and of course its cryptographic hash also changed – which resulted in our micropatch for this issue no longer getting applied to msrd3x40.dll.”

Experts pointed out that the official patch doesn’t fix the vulnerability but only limits it. The micropatch works on fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012, as well as other Windows versions that share the same version of msrd3x40.dll.

“So we BinDiff-ed the patched msrd3x40.dll to its vulnerable version and reviewed the differences. At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it.” continues Kolsek.

“We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix.”

0patch reported the problem to Microsoft and plans to publish the proof-of-concept code after the tech giant fixes it.

Pierluigi Paganini

(Security Affairs – CVE-2018-8423, hacking)

The post Microsoft fixed the Zero-Day for JET flaw, but the fix is incomplete appeared first on Security Affairs.


Ex-NASA contractor pleaded guilty for cyberstalking crimes

A former NASA contractor has pleaded guilty to a cyberstalking scheme; the man blackmailed seven women, threatening to publish their nude pictures.

Richard Bauer (28), an ex-NASA contractor, has pleaded guilty to cyberstalking; the man allegedly threatened to publish nude pictures of the women unless they sent him other explicit pictures.

Richard Bauer of Los Angeles, who worked at NASA’s Armstrong Flight Research Center in Southern California, pleaded guilty to stalking, computer hacking, and aggravated identity theft.

The man acknowledged having targeted friends, co-workers, and family members; he used social engineering tricks and also used malware to compromise victims’ systems.

“Bauer acknowledged victimizing friends, family members, high school and college acquaintances and co-workers.” states the Associated Press.

“Bauer, pretending to ask questions on Facebook for a class, got some victims to reveal information he used to reset their online passwords and harvest photos. He got other victims to install computer malware allowing him to access their computers.”

Bauer allegedly threatened to post nude pictures of the victims that he had stolen unless they sent more photos.

Pierluigi Paganini

(Security Affairs – cyberstalking, hacking)

The post Ex-NASA contractor pleaded guilty for cyberstalking crimes appeared first on Security Affairs.


Security Affairs newsletter Round 184 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      APT28 group return to covert intelligence gathering ops in Europe and South America.
·      D-Link fixed several flaws in Central WiFiManager access point management tool
·      Expert presented a new attack technique to compromise MikroTik Routers
·      Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it
·      Kaspersky shed lights on the overlap of operations conducted by Turla and Sofacy
·      The Git Project addresses a critical arbitrary code execution vulnerability in Git
·      WECON PI Studio HMI software affected by code execution flaws
·      BEC scams, hacked accounts available from $150 up to $5,000
·      How Secure Are Bitcoin Wallets, Really?
·      Project Strobe, what will change after the Google security breach?
·      Researchers presented an improved version of the WPA KRACK attack
·      CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East
·      GAO report reveals new Pentagon weapon systems vulnerable to hack
·      Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks
·      Hackers can compromise your WhatsApp account by tricking you into answering a video call
·      Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature
·      Exaramel Malware Links Industroyer ICS malware and NotPetya wiper
·      Juniper Networks provides dozens of fix for vulnerabilities in Junos OS
·      New Gallmaker APT group eschews malware in cyber espionage campaigns
·      SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years
·      DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More
·      Facebook Data Breach Update: attackers accessed data of 29 Million users
·      Fitmetrix fitness software company may have exposed millions of customer records
·      Five Eyes Intelligence agencies warn of popular hacking tools
·      Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor
·      Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update
·      NHS is still assessing the cost of WannaCry one year later
·      Pentagon Defense Department travel records data breach

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 184 – News of the week appeared first on Security Affairs.

Expert released PoC Code Microsoft Edge Remote Code Execution flaw

A security expert published PoC exploit code for the recently fixed critical remote code execution flaw in the Edge web browser tracked as CVE-2018-8495.

The October 2018 Patch Tuesday addressed 50 known vulnerabilities in Microsoft’s products, 12 of them were labeled as critical. One of the issues is a critical remote code execution vulnerability in Edge web browser tracked as CVE-2018-8495.

“A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka “Windows Shell Remote Code Execution Vulnerability.” This affects Windows Server 2016, Windows 10, Windows 10 Servers.” reads the description for the flaw.

The security researcher Abdulrahman Al-Qabandi, who discovered the flaw, was investigating how the default mail client can be launched from the browser by clicking a URL that looks like ‘mailto:test@test.test’.

Once the link is clicked in the Microsoft Edge browser, the user is prompted whether to switch applications.

The expert examined the simple response to the ‘mailto’ URI scheme in Microsoft Edge and noticed that Outlook would launch with a certain parameter.


By searching for executables that accepted user-defined commands in Windows Registry, the expert found Windows Script Host (‘WScript.exe’), which can execute scripts in multiple languages.

“A URI scheme that passes user tainted arguments directly to 'WScript.exe'. In case you don’t know: “Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.” Let’s see what happens if a user navigates to ‘wshfile:test’ from Edge.” states the expert.

The expert tested the URI scheme ‘wshfile:test’ in Microsoft Edge; the underlying operating system asks the user for an app to handle the request, and Windows Script Host (WSH) is the default handler.

Al-Qabandi attempted to execute a file at the path passed to ‘WScript.exe,’ for example ‘C:\WINDOWS\system32\wshfile:test’, but it does not exist.

He discovered that a path traversal trick would have WSH load a VBScript from an arbitrary location.

“Awesome! We can now point to any file in any directory and so long as we can drop a file in a predictable location, we will have RCE,” the researcher explained.

“But that is easier said than done, looked like most if not all cached files from Edge go into a salted directory location. In other words, we could plant files but we can’t predict their location.”

To predict the location of files planted on the system, the expert used findings from previous research by Matt Nelson that showed how to do it using a particular signed VBScript that suffered from “WSH Injection.”

Al-Qabandi searched for every single VBS file in Windows that accepts parameters, such as ‘SyncAppvPublishingServer.vbs’:

'C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.17134.48_none_c60426fea249fc02\SyncAppvPublishingServer.vbs'

This script can also execute commands via PowerShell without filtering them.

The user will only see the effect of the command, not the PowerShell window, because PowerShell runs in hidden mode (command line argument ‘-WindowStyle Hidden’).

“This specific script takes in a few arguments and passes them into a powershell.exe shell execution without filtering it, allowing us to inject arbitrary commands.” continues the expert.

psCmd = "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{" & syncCmd & "}"

“And we can influence the value of ‘syncCmd’ but not only that, Edge also does not sanitize quotation marks, so we can pass as many parameters to ‘WScript.exe’ as we want. Again, conveniently this powershell will run hidden as indicated by ‘-WindowStyle Hidden’ which makes this a perfect WSH injection vector.”
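From a detection standpoint, the chain described above leaves a recognisable trace in process-creation telemetry: a script host (WScript.exe) started with a wshfile: URI or a traversal in its script path, which then spawns a hidden powershell.exe. The following Python is an added example, not the researcher's PoC and not code from the article; it assumes events with the Sysmon-like fields shown, the sample events are constructed with PLACEHOLDER in place of any injected argument, and the Edge process names are an assumption. It also handles the obvious false positive: a normal App-V publishing sync runs the same .vbs and also spawns a hidden PowerShell, so the rule keys on the URI-handler/traversal indicator rather than on the script name alone.

```python
"""Flag the Edge wshfile: / WSH-injection process chain in creation events.

Added example: not the researcher's PoC and not code from the article. Event
fields follow Sysmon Event ID 1 loosely; every sample event is constructed and
PLACEHOLDER stands in for any injected argument.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged


# Indicators taken from the article: the wshfile: URI handler, a traversal in
# the script path handed to WScript.exe, the signed App-V script that pastes
# its arguments into a powershell.exe command, and the hidden window flag.
WSHFILE_RE = re.compile(r"wshfile:", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
APPV_VBS_RE = re.compile(r"SyncAppvPublishingServer\.vbs", re.IGNORECASE)
HIDDEN_PS_RE = re.compile(r"-WindowStyle\s+Hidden", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EDGE_IMAGES = {"microsoftedge.exe", "microsoftedgecp.exe"}  # assumed Edge hosts


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_indicators(ev: ProcEvent) -> list[str]:
    """Indicators visible on a WScript/CScript command line by itself."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return []
    reasons = []
    if WSHFILE_RE.search(ev.cmdline):
        reasons.append("wshfile: URI passed to the script host")
    if TRAVERSAL_RE.search(ev.cmdline):
        reasons.append("path traversal in script path")
    if APPV_VBS_RE.search(ev.cmdline):
        reasons.append("SyncAppvPublishingServer.vbs used as the script")
    return reasons


def detect_wsh_injection(events: list[ProcEvent]) -> list[dict]:
    """One finding per powershell.exe spawned through the injection vector."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        if basename(child.image) != "powershell.exe":
            continue
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        reasons = script_host_indicators(parent)
        # A legitimate App-V publishing sync also runs the .vbs and spawns a
        # hidden PowerShell; only the URI-handler/traversal vector marks this chain.
        if not any(r.startswith(("wshfile", "path traversal")) for r in reasons):
            continue
        if HIDDEN_PS_RE.search(child.cmdline):
            reasons.append("child PowerShell runs with a hidden window")
        grandparent = by_pid.get(parent.ppid)
        if grandparent and basename(grandparent.image) in EDGE_IMAGES:
            reasons.append("script host launched from Microsoft Edge")
        findings.append({"powershell_pid": child.pid, "script_host_pid": parent.pid,
                         "severity": "high" if len(reasons) >= 3 else "medium",
                         "reasons": reasons})
    return findings


SYS32 = r"C:\Windows\System32"
PS_EXE = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample: one malicious chain (200 -> 300 -> 400) plus benign events,
# including a normal App-V sync (700 -> 800) that must not produce a finding.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\SystemApps\Edge\MicrosoftEdge.exe", "MicrosoftEdge.exe"),
    ProcEvent(300, 200, SYS32 + r"\WScript.exe",
              r'WScript.exe "C:\Windows\System32\wshfile:..\..\Windows\WinSxS'
              r'\PLACEHOLDER_DIR\SyncAppvPublishingServer.vbs" "n;PLACEHOLDER"'),
    ProcEvent(400, 300, PS_EXE, "powershell.exe -NonInteractive -WindowStyle Hidden "
                                "-ExecutionPolicy RemoteSigned -Command &{PLACEHOLDER}"),
    ProcEvent(500, 100, SYS32 + r"\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs"),
    ProcEvent(600, 100, PS_EXE, r"powershell.exe -NoProfile -File C:\Scripts\inv.ps1"),
    ProcEvent(700, 100, SYS32 + r"\wscript.exe",
              "wscript.exe " + SYS32 + r'\SyncAppvPublishingServer.vbs "n"'),
    ProcEvent(800, 700, PS_EXE, "powershell.exe -NonInteractive -WindowStyle Hidden -Command &{}"),
]

if __name__ == "__main__":
    for f in detect_wsh_injection(SAMPLE_EVENTS):
        print(f["severity"], "powershell", f["powershell_pid"], "<- wscript", f["script_host_pid"])
        for r in f["reasons"]:
            print("   ", r)
```

Running it against the constructed sample reports exactly one high-severity finding for the 300 -> 400 pair; the logon script, the plain PowerShell run and the App-V sync produce nothing.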

Al-Qabandi published a proof-of-concept (PoC) script for the Microsoft Edge Remote Code Execution vulnerability.


He reported the PoC code privately to Microsoft through Trend Micro’s Zero Day Initiative program; below is a video PoC shared by the expert with BleepingComputer.

 

Pierluigi Paganini

(Security Affairs – Microsoft Edge, Remote Code Execution)

The post Expert released PoC Code Microsoft Edge Remote Code Execution flaw appeared first on Security Affairs.


Pentagon Defense Department travel records data breach

Pentagon – Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.

The Pentagon revealed that the Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.

The data breach could have happened some months ago and could have affected as many as 30,000 workers. Leaders were notified of the breach on October 4.

“According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.” reads the post published by the Associated Press.

“The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.”

Lt. Col. Joseph Buccino, a Pentagon spokesman, said the Defense Department is still investigating the incident; the breach affected a still-unidentified commercial vendor that provided services to the Defense Department.

“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel, said Buccino.

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.

The department is not identifying the vendor for security reasons; it is still under contract, but the department “has taken steps to have the vendor cease performance under its contracts.”

Pierluigi Paganini

(Security Affairs – Travel Records, data breach)

The post Pentagon Defense Department travel records data breach appeared first on Security Affairs.




Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update

Security experts from Palo Alto Networks warn of a fake Adobe Flash update that hides a miner, behaves like a legitimate update and actually updates the software.

A fake Adobe Flash update was used as a vector for a malicious cryptocurrency miner; the novelty of this latest campaign lies in the tricks the attackers used to stealthily drop the malware.

The fake Adobe Flash update has been actively used in a campaign since this summer. It borrows code from the legitimate update and also updates the victims’ software, but it also includes code to download an XMRig cryptocurrency miner onto Windows systems.

“However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer.” reads the analysis published by Palo Alto Networks.

“These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”


The fake Adobe Flash updates use file names starting with AdobeFlashPlayer and are hosted on cloud-based web servers that don’t belong to Adobe.

The downloads always include the string “flashplayer_down.php?clickid=” in the URL.

At the time of the report, it was still unclear how attackers were spreading the URLs delivering the fake Adobe Flash update.

The domain is associated with other updaters or installers pushing cryptocurrency miners and other unwanted software

Network traffic analysis revealed that the infected Windows hosts connect to osdsoft[.]com via HTTP POST requests. This domain was already associated with updaters or installers pushing cryptocurrency miners.

“This domain is associated with updaters or installers pushing cryptocurrency miners and other unwanted software. One such example from December 2017 named free-mod-menu-download-ps3.exe also shows osdsoft[.]com followed by XMRig traffic on TCP port 14444 like the example used in this blog.” continues the report.

“However, other malware samples reveal osdsoft[.]com is associated with other unwanted programs usually classified as malware.”
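As an added defender-side example, not code from Security Affairs or Palo Alto Networks, the following Python script triages web proxy log lines against the indicators described above: AdobeFlashPlayer* file names served from non-Adobe hosts, the flashplayer_down.php?clickid= download URL, and follow-on HTTP POST traffic to osdsoft[.]com. The log format (timestamp, client, method, URL) and the sample lines are constructed for the demonstration.

```python
"""Triage web proxy log lines against the fake Adobe Flash update indicators
described in the Palo Alto Networks analysis. Added example, not code from
Security Affairs or Palo Alto Networks; the log format (timestamp, client,
method, URL) and the sample lines below are constructed for this demonstration.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse
import posixpath

# Indicators taken from the article text.
FAKE_FLASH_FILE_PREFIX = "AdobeFlashPlayer"               # installer file names
FAKE_FLASH_URL_MARKER = "flashplayer_down.php?clickid="   # always present in the download URL
MINER_UPDATER_DOMAIN = "osdsoft.com"                      # written osdsoft[.]com in the article

# Labels produced by classify_request()
LABEL_DOWNLOAD_URL = "fake-flash-download-url"
LABEL_FILENAME_NONADOBE = "fake-flash-filename-nonadobe-host"
LABEL_POST_UPDATER = "post-to-miner-updater-domain"


def host_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or one of its subdomains (no suffix tricks)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_request(method: str, url: str) -> Optional[str]:
    """Return an indicator label for one request, or None if nothing matches."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = posixpath.basename(parsed.path)
    if FAKE_FLASH_URL_MARKER in url:
        return LABEL_DOWNLOAD_URL
    # An AdobeFlashPlayer* file is only suspicious when it is NOT served by Adobe.
    if filename.startswith(FAKE_FLASH_FILE_PREFIX) and not host_matches(host, "adobe.com"):
        return LABEL_FILENAME_NONADOBE
    if method.upper() == "POST" and host_matches(host, MINER_UPDATER_DOMAIN):
        return LABEL_POST_UPDATER
    return None


def triage(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'timestamp client method url' lines; return (client, label, url) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines in the constructed format
        _ts, client, method, url = parts
        label = classify_request(method, url)
        if label:
            hits.append((client, label, url))
    return hits


def clients_with_full_chain(hits: List[Tuple[str, str, str]]) -> Set[str]:
    """Clients that both fetched a fake Flash installer and POSTed to the updater
    domain: the download-then-check-in sequence the article describes."""
    downloaded, checked_in = set(), set()
    for client, label, _url in hits:
        if label in (LABEL_DOWNLOAD_URL, LABEL_FILENAME_NONADOBE):
            downloaded.add(client)
        elif label == LABEL_POST_UPDATER:
            checked_in.add(client)
    return downloaded & checked_in


# Constructed sample log: one host shows the full chain, one fetches Flash from Adobe itself.
SAMPLE_LOG = [
    "2018-10-11T09:14:02Z 10.0.0.15 GET http://storage.example.invalid/AdobeFlashPlayer_31.0.0.108.exe",
    "2018-10-11T09:14:03Z 10.0.0.15 GET http://cdn.example.invalid/flashplayer_down.php?clickid=abc123",
    "2018-10-11T09:15:40Z 10.0.0.15 POST http://osdsoft.com/",
    "2018-10-11T09:16:00Z 10.0.0.22 GET https://fpdownload.adobe.com/get/flashplayer/AdobeFlashPlayer_installer.exe",
    "2018-10-11T09:16:05Z 10.0.0.22 GET https://www.example.invalid/index.html",
    "2018-10-11T09:16:09Z 10.0.0.31 GET http://files.example.invalid/AdobeFlashPlayer_update.exe",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for client, label, url in found:
        print(f"{client:12} {label:36} {url}")
    print("hosts showing the full download-then-POST chain:",
          sorted(clients_with_full_chain(found)))
```

A host that only matches the file-name indicator is worth a look but not proof of infection; the POST to the updater domain after the download is the stronger signal.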

Palo Alto Networks experts highlighted that potential victims still receive the usual Windows warning messages about running downloaded files.

“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” concludes the analysis.

“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”

Pierluigi Paganini

(Security Affairs – fake Adobe Flash update, hacking)

The post Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update appeared first on Security Affairs.


NHS is still assessing the cost of WannaCry one year later

The UK’s Department of Health and Social Care provided an update on the efforts to secure the NHS IT infrastructure, with a focus on WannaCry overall costs.

The UK’s Department of Health and Social Care provided an update on the spending to secure the IT infrastructure in a report titled “Securing cyber resilience in health and care”. One year after the massive WannaCry ransomware attack, the NHS is still facing problems caused by the infections.


WannaCry cost the NHS £92m; the breakdown shows £19m for lost output and an estimated £73m in IT costs to fix affected assets.

According to the report, the attack directly impacted over 19,000 patients whose appointments were canceled due to the attack.

The estimate in the report considers the financial costs in two time periods:

  • during the attack between 12 and 18 May 2017;
  • during the recovery period in the immediate aftermath, through June-July 2017.

The analysis focuses on two categories of cost:

  1. Direct impact – lost output of patient care caused by reduced access to the information and systems required for care, leading to cancelled appointments etc.
  2. Additional IT support provided by NHS organisations or IT consultants to restore data and systems affected by the attack.

“The WannaCry attack disrupted services across one-third of hospital trusts and around 8% of GP practices. This had a knock-on impact on patients with over 19,000 appointments cancelled.” reads the report.

“While this may only be a small proportion of overall NHS activity, it represents disruption to the care of a significant number of patients.”

The attack highlighted the inefficiency of the antiquated NHS IT systems; Microsoft was contracted to update the entire infrastructure under a three-year £150m deal.

The report includes a case study of a “large NHS mental health trust” protected with Advanced Threat Protection, which allowed it to repel a phishing email attack carrying a weaponized Excel spreadsheet attachment.

IBM was also hired by the NHS to deliver the new Cyber Security Operations Centre (CSOC), aimed at increasing the capability to monitor, detect and respond to a variety of security risks and threats across the organization.

NHS signed a three-year strategic partnership with IBM (£30m) to improve NHS Digital’s Cyber Security Operations Centre (CSOC).

The goal is compliance with the Cyber Essentials Plus standard in June 2021, as recommended in February’s lessons-learned report.

Currently, only 10 sites will “aim” to reach this goal next March.

Pierluigi Paganini

(Security Affairs – WannaCry, hacking)

The post NHS is still assessing the cost of WannaCry one year later appeared first on Security Affairs.


Facebook Data Breach Update: attackers accessed data of 29 Million users

Facebook data breach – The company provided an update on the data breach it disclosed at the end of September: hackers accessed personal data of 29 million users.

Facebook announced that hackers accessed data of 29 million users, fewer than the 50 million initially thought.

The attack did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts, the company said.

Attackers exploited a vulnerability in the “View As” feature, which lets users see how others see their profile, to steal users’ Facebook access tokens.

Earlier this month Facebook revealed that the attackers chained three bugs to breach the Facebook platform.

“We now know that fewer people were impacted than we originally thought,” said Facebook vice president of product management Guy Rosen in a conference call.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they controlled directly, then expanded their activity to those accounts’ networks.

“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.” Rosen added.

“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”


Facebook is cooperating with the US authorities, the Irish Data Protection Commission and other authorities regarding the breach.

Rosen confirmed Facebook had “no reason to believe this attack was related to the mid-term elections” in the US.

Pierluigi Paganini

(Security Affairs – Facebook data breach, hacking)

The post Facebook Data Breach Update: attackers accessed data of 29 Million users appeared first on Security Affairs.


Fitmetrix fitness software company may have exposed millions of customer records

Fitmetrix fitness software company exposed customer data online: a 119GB archive containing name, gender, email address, birth date, height, weight and more.

The fitness software company Fitmetrix may have exposed a database hosted on AWS containing millions of customer records. The exposed records included name, gender, email address, birth date, home and work phone numbers, height, weight and much more.

The huge trove of data was discovered by the expert Bob Diachenko using a simple Shodan query for unsecured Elasticsearch installs.


The expert discovered a 119GB archive exposed by Fitmetrix on cloud storage; he noticed two sets of data, one of which was labeled “compromised” and contained a ransom note.

“On October 5th, a member of Hacken security team has been browsing through Shodan looking for exposed Elasticsearch instances which recently could become targets in another spread of ransomware campaigns.” reads a blog post published by Diachenko.

“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note. This script sometimes fails and the data is still available to the user even though a ransom note is created.”

The database includes daily FitMetrix platform audit data in the period between July 15th and Sept 19th 2018. The total number of records in ‘platformaudit’ indexes was 122,869,970, not all containing customer data.

Diachenko estimated that “millions” of other accounts were likely affected as well.

Mindbody, which owns FitMetrix, secured the database on October 10, five days after being informed of the data leak.

Pierluigi Paganini

(Security Affairs – FitMetrix, data breach)

The post Fitmetrix fitness software company may have exposed millions of customer records appeared first on Security Affairs.


Five Eyes Intelligence agencies warn of popular hacking tools

Security agencies belonging to Five Eyes (United States, United Kingdom, Canada, Australia and New Zealand) have released a joint report that details some popular hacking tools.

Experts from the cybersecurity agencies of the Five Eyes intelligence alliance have issued a report that provides technical details on the most popular hacking tool families and on how to detect and neutralize attacks involving them.

The report was produced with contributions from researchers at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

“This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5]” reads the report published by the experts.

“In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

  1. Remote Access Trojan: JBiFrost
  2. Webshell: China Chopper
  3. Credential Stealer: Mimikatz
  4. Lateral Movement Framework: PowerShell Empire
  5. C2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.”

The report provides technical details on remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and command and control (C&C) obfuscators.

The experts analyzed the JBiFrost RAT, a variant of the Adwind backdoor, which has been used by almost every kind of attacker, from nation-state hackers to low-skilled crooks.

“JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.” states the report.

“JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.”

The report also describes the popular post-exploitation tool Mimikatz, used by many threat actors, and the lateral movement framework PowerShell Empire, which attackers use to elevate privileges, harvest credentials, find nearby hosts, and move laterally across the target network.

The experts at Five Eyes agencies also detailed the China Chopper web shell, a code injection web shell that executes Microsoft .NET code within HTTP POST commands.

China Chopper is a tiny (4K) web shell widely used in attacks in the wild since 2012; early this year the China-linked APT group Leviathan, aka TEMP.Periscope, used it in attacks on engineering and maritime entities.

Another hacking tool described in the report is HUC Packet Transmitter (HTran), which attackers use to obfuscate communications in order to bypass security controls and evade detection.

“The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.” states the report.

“Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.”

Pierluigi Paganini

(Security Affairs – Five Eyes, hacking)

The post Five Eyes Intelligence agencies warn of popular hacking tools appeared first on Security Affairs.


Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor

A group of hackers is targeting Drupal vulnerabilities, including Drupalgeddon2, patched earlier this year, to install a backdoor on compromised servers.

Security experts from IBM observed hackers targeting Drupal vulnerabilities, including CVE-2018-7600 and CVE-2018-7602, aka Drupalgeddon2 and Drupalgeddon3, to install a backdoor on the infected systems and take full control of the hosted platforms.

According to the IBM experts, this latest wave of attacks is conducted by financially motivated hackers who exploit the lack of patch management on many Drupal websites.

“In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.” states the post published by IBM.

“This appears to be a financially motivated effort to mass-compromise websites.”

The experts observed a large number of HTTP POST requests sent from the same IP address as part of a widespread attack. The requests were used to download a Perl script that launches the Shellbot backdoor, which uses an Internet Relay Chat (IRC) channel as its C&C.


The bot included multiple tools to carry out distributed denial-of-service (DDoS) attacks and scan for SQL injection weaknesses and other vulnerabilities, including privilege escalation issues.

The bot was designed to automate scanning a large number of websites and fully compromise the vulnerable ones.

Experts pointed out that the Shellbot code first appeared in 2005 and is used by several threat groups; it was also used in the massive crypto-mining campaign that exploited the Apache Struts vulnerability CVE-2017-5638 in March 2017.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.

Pierluigi Paganini

(Security Affairs – Drupal, hacking)

The post Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor appeared first on Security Affairs.




Security Affairs: DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More

Our team of security researchers was researching the client-side security of dating apps, and one of the main targets was the social search mobile app Tinder.

After the initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found, meaning hackers could have gained access to users’ profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.

We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.

Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.

While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.

Details:

A DOM-based XSS vulnerability, also known as “type-0 XSS”, is a class of cross-site scripting vulnerability that lives entirely within the DOM. The attack payload is executed as a result of modifying the DOM environment in the victim’s browser, typically in a dynamic page. In DOM-based XSS, the HTML source code and the server response are exactly the same with and without the attack: the malicious payload never appears in the response, which makes it extremely difficult for browser built-in XSS mitigation features such as Chrome’s XSS Auditor to catch it.

Can you spot the vulnerabilities?

[Image: Tinder – source code of the vulnerable endpoint]

The fact that branch.io wasn’t using CSP made these vulnerabilities easy to exploit in any browser we like.

1. DOM XSS

For example, our initial finding was that the endpoint https://go.tinder.com/amp-iframe-redirect was prone to multiple vulnerabilities (the scheme_redirect and redirect_strategy GET parameters control the div content).

redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” from the code above.

This meant that by modifying redirect_strategy to a DOM-XSS payload, it was possible to execute client-side code in the context of a Tinder domain in any browser:

https://go.tinder.com/amp-iframe-redirect?scheme_redirect=http://google.com&redirect_strategy=1)%7B%0Aalert(1)%3B//

will render in the DOM as:

if (1){ alert(1);// && "INJECTIONA") {
    var parser = document.createElement('a');
    parser.href = "INJECTIONA";
    var protocol = parser.protocol.toLowerCase();

2. validateProtocol() and validate() Bypass

Also notice how validateProtocol() uses indexOf to check the schemes. The indexOf() method returns the position of the first occurrence of a specified value in a string, and returns -1 if the value never occurs. However, it can be tricked by using javascript://%0aalert(0)//good.com/https:// — both validate functions can be bypassed because indexOf will find “https://”.

var parser = document.createElement('a');
parser.href = url;
var protocol = parser.protocol.toLowerCase();
if (('javascript:', 'vbscript:', 'data:').indexOf(protocol) < 0) {
    return url;
}
...
return null;

if (['http:', 'https:'].indexOf(protocol) < 0) {
    window.top.location = validate("http://google.com");
}
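Both findings above come down to the same defensive lesson: a substring test such as indexOf is not a scheme check, and a redirect target must be validated on its parsed scheme, not on the raw string. The following is an added example, not code from the original post and not Branch’s own implementation. weakValidate reconstructs, for illustration only, the kind of substring-based check the post describes as bypassable; strictValidate is the hardened form, parsing the input with the WHATWG URL API and requiring the parsed protocol to match an allow-list exactly. The function names, the allow-list and the sample inputs (the first of which is the payload quoted in the post) are assumptions made for this example.

```javascript
// Added example (not Branch's or the post's code): a substring scheme check
// beside an exact-match scheme check, run over constructed sample inputs.

// Weak: accepts any string that merely *contains* an allowed scheme somewhere.
// "javascript://%0aalert(0)//good.com/https://" passes because "https://" is
// a substring, even though the URL's real scheme is javascript:.
function weakValidate(url) {
  if (url.indexOf('https://') >= 0 || url.indexOf('http://') >= 0) {
    return url;
  }
  return null;
}

// Strict: let the same parser the browser uses for navigation decide what the
// scheme is, then compare it for exact equality against an allow-list.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function strictValidate(url) {
  let parsed;
  try {
    parsed = new URL(url);        // scheme-relative or malformed input throws: reject
  } catch (e) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return null;                  // javascript:, data:, vbscript:, ... rejected here
  }
  return parsed.href;             // normalised absolute URL, safe to assign to location
}

// Constructed inputs (hypothetical, for this example). The first is the payload
// quoted in the post; the second is the same payload with the %0a decoded.
const SAMPLES = [
  'javascript://%0aalert(0)//good.com/https://',
  'javascript://\nalert(0)//good.com/https://',
  'data:text/html,hello',
  '//evil.example/landing',       // scheme-relative: strict parser has no base, rejects
  'http://google.com',
  'HTTPS://Example.com/path?x=1', // scheme and host are normalised to lower case
];

// Returns one row per sample saying whether each validator would let it through.
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    weak: weakValidate(s) !== null,
    strict: strictValidate(s) !== null,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compare()) {
    const w = row.weak ? 'weak:PASS ' : 'weak:BLOCK';
    const s = row.strict ? 'strict:PASS ' : 'strict:BLOCK';
    console.log(`${w}  ${s}  ${JSON.stringify(row.input)}`);
  }
}
```

Two design points follow from the post. First, the strict validator returns the parser’s normalised href rather than the raw input, so what ends up in window.top.location is exactly what was checked. Second, a validator only helps if the parameter never reaches an inline script in the first place: reading redirect_strategy and scheme_redirect from location.search inside a static script, and shipping a Content-Security-Policy that forbids inline script, removes the injection point that made the first finding possible regardless of how the scheme check is written.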

So, how did this bug affect more than Tinder?

go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource. And many other companies have their alias pointing to it.

To name a few websites affected by this vulnerability: RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more.

Thanks to the fast response we got from Branch’s security team, this vulnerability has now been fixed for everyone’s domains.

Other recent studies of ours:

Is Panama-based NordVPN actually an American company called CloudVPN?

Critical RCE Vulnerability Found in Over a Million GPON Home Routers

About the author Paulos Yibelo

Original post @ https://www.vpnmentor.com/blog/dom-xss-bug-affecting-tinder-shopify-yelp/

Pierluigi Paganini

(Security Affairs – Tinder, hacking)

The post DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More appeared first on Security Affairs.




Exaramel Malware Links Industroyer ICS malware and NotPetya wiper

ESET researchers have spotted a new strain of malware, tracked as Exaramel, that links the dreaded NotPetya wiper to the Industroyer ICS malware.

A few months ago, researchers from ESET discovered a new piece of malware that further demonstrates the existence of a link between Industroyer and the NotPetya wiper.

In June 2017, researchers at antivirus firm ESET discovered a new strain of malware, dubbed Industroyer, that was designed to target power grids.

Industroyer was involved in the December 2016 attack aimed at an electrical substation in Ukraine that caused significant power outages.

Industroyer is the fourth malware specifically designed to target ICS systems; the threats previously discovered by security experts are Stuxnet, BlackEnergy, and Havex.

Now experts found a link between the 2016 Industroyer attack and Russia-linked APT groups tracked as BlackEnergy, TeleBots, Sandworm, and Electrum.

“That said, we have observed and documented ties between the BlackEnergy attacks – not only those against the Ukrainian power grid but against various sectors and high-value targets – and a series of campaigns (mostly) against the Ukrainian financial sector by the TeleBots group.” reads the analysis published by ESET.

“In June 2017, when many large corporations worldwide were hit by the Diskcoder.C ransomware (aka Petya and NotPetya)  – most probably as unintended collateral damage – we discovered that the outbreak started spreading from companies afflicted with a TeleBots backdoor, resulting from the compromise of the popular financial software M.E.Doc.”

The NotPetya wiper was linked by experts to BlackEnergy and to the KillDisk malware that was used in the 2015 attack in Ukraine.

In April 2018, ESET discovered a new backdoor tracked as Exaramel that definitively links Industroyer to TeleBots.

Researchers noticed that the XML configuration data written to the Windows registry by the Exaramel dropper records the security solution in use on the compromised system, something similar to what Industroyer does.

“the attackers are grouping their targets based on the security solutions in use. Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.” continues the analysis.

Experts also found many similarities in the code used for the implementation of the commands in the Exaramel malware and a backdoor from the Industroyer toolset.

Both pieces of malware rely on a report file to store the output of executed shell commands and launched processes.

The main difference between the backdoor from the Industroyer toolset and the Exaramel backdoor is that the latter uses XML format for communication and configuration instead of a custom binary format.

“Along with the Exaramel backdoor, Telebots group uses some of their old tools, including a password stealer (internally referred as CredRaptor or PAI by the attackers) and a slightly-modified Mimikatz.” continues the analysis.

“The CredRaptor custom password-stealer tool, exclusively used by this group since 2016, has been slightly improved. Unlike previous versions, it collects saved passwords not only from browsers, but also from Outlook and many FTP clients.”

ESET observed only one attack based on Exaramel, which targeted an organization in Ukraine; the experts also discovered a Linux backdoor, tracked as Linux/Exaramel.A.

“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics.” concludes ESET.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”

Pierluigi Paganini

(Security Affairs – instant messaging, hacking)

 

The post Exaramel Malware Links Industroyer ICS malware and NotPetya wiper appeared first on Security Affairs.


Security Affairs: Juniper Networks provides dozens of fix for vulnerabilities in Junos OS

Juniper Networks has released security updates to address serious vulnerabilities affecting the Junos operating system.

This week, Juniper Networks patched dozens of serious security vulnerabilities and published a security advisory for each of them; the advisories are available on the company website.

The most severe flaw is probably CVE-2018-0049, which could be exploited by an attacker to crash the Junos kernel by sending specially crafted MPLS packets.

Juniper reported that a single specially crafted MPLS packet is enough to trigger a DoS condition, and that sending more of them makes it possible to crash the device.

“A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash. A single packet received by the target victim will cause a Denial of Service condition.  Continued receipt of this specifically crafted malicious MPLS packet will cause a sustained Denial of Service condition.” reads the security advisory.

As a possible workaround, the company suggests removing the MPLS configuration stanza from the interfaces at risk.

At the time the patch was released there was no news of exploitation of the flaw in the wild; however, Juniper is aware of “possible malicious network probing which may have triggered this issue.”

Another severe flaw fixed by Juniper affecting the Juniper NFX series devices could be exploited by a remote attacker to gain access to the system by using accounts with blank passwords.

The patch provided by the company no longer allows empty passwords.

Juniper also provided fixes for several vulnerabilities affecting the NTP daemon, and addressed several flaws in RPD (the routing protocol daemon), most of which could be exploited to cause a DoS condition.

Two issues can be exploited to crash the routing protocol daemon (RPD) and potentially allow remote code execution.

Looking at the list of advisories, we can also find a fix for a high-risk vulnerability in the Junos Space Network Management Platform and for a DoS flaw in the SIP application layer gateway (ALG) in Junos; the latter issue could be exploited by an attacker to crash several processes.

The company also fixed a high-risk flaw in the RSH service that could allow a remote, unauthenticated attacker to gain root access to affected devices.

The company also fixed dozens of DoS and XSS flaws rated as “medium risk.”

Pierluigi Paganini

(Security Affairs – Junos, hacking)

The post Juniper Networks provides dozens of fix for vulnerabilities in Junos OS appeared first on Security Affairs.




Security Affairs: New Gallmaker APT group eschews malware in cyber espionage campaigns

A previously unknown cyber espionage group, tracked as Gallmaker, has been targeting entities in the government, military and defense sectors since at least 2017.

A new cyber espionage group tracked as Gallmaker appeared in the threat landscape. According to researchers from Symantec, who first spotted the threat actor, the group has launched attacks on several overseas embassies of an unnamed Eastern European country, and military and defense organizations in the Middle East.

Gallmaker is a politically motivated APT group that focuses its surgical operations on the government, military and defense sectors.

Gallmaker has been active since at least December 2017; researchers observed a spike in its operations in April, and the most recent attacks were uncovered in June.

The experts speculate that the threat actor is a nation-state; interestingly, the APT relies entirely on code scraped from the public internet.

“This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign,” reads the analysis published by Symantec.

“The most interesting aspect of Gallmaker’s approach is that the group doesn’t use malware in its operations. Rather, the attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools.”

Gallmaker sends spear phishing messages carrying a weaponized Office document that uses the Dynamic Data Exchange (DDE) protocol to execute commands in the memory of the targeted device.

“These lure documents use titles with government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages. These documents are not very sophisticated, but evidence of infections shows that they’re effective.” continues Symantec.

“By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect.”

Once the attackers gain access to a target machine, they use various tools including the reverse_tcp reverse shell from Metasploit, the WindowsRoamingToolsTask PowerShell scheduler, the WinZip console, and an open source library named Rex PowerShell, which helps create PowerShell scripts for Metasploit exploits.

Experts discovered that Gallmaker is using three primary IP addresses for its C&C infrastructure; they also noticed that the attackers delete some of their tools from compromised machines once the attack is complete, likely to hide traces of their activity.

“The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect. We have written extensively about the increasing use of LotL tools and publicly available hack tools by cyber criminals.” concluded Symantec. “One of the primary reasons for the increased popularity of these kinds of tools is to avoid detection; attackers are hoping to “hide in plain sight”, with their malicious activity hidden in a sea of legitimate processes.” 

Pierluigi Paganini

(Security Affairs – Gallmaker, cyber espionage)

The post New Gallmaker APT group eschews malware in cyber espionage campaigns appeared first on Security Affairs.




Security Affairs: SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years

SAP released its October 2018 set of patches, it includes the first Hot News security note for SAP BusinessObjects in over five years.

SAP released its October 2018 set of patches, which includes 11 security notes; the company also released 4 updates to previously released notes.

The release therefore includes 15 notes in total, 2 of them rated Hot News, one of which is the first Hot News note for SAP BusinessObjects in over five years.

“SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (CVSS Base Score: 9.8 CVE-2018-2471). An attacker can use it to reveal additional information (system data, debugging information, etc.) that will help to learn about a system and plan other attacks.” reads a blog post published by ERPScan.

The remaining notes include 4 rated High priority and 9 rated Medium priority. In October, Information Disclosure is the largest group in terms of the number of vulnerabilities.


The most important note (CVSS score of 9.8) addresses an information disclosure issue in the SAP BusinessObjects Business Intelligence Suite client tracked as CVE-2018-2471.

“Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.” reads the security advisory.

The second Hot News note in the October 2018 set of patches is an update to a Security Note released in April 2018; it provides security updates for the Chromium browser delivered with SAP Business Client.

The High priority flaws addressed by SAP in October are:

2699726 – [CVE-2018-2475] Missing network isolation in Gardener
Product – project “Gardener”; Versions – 0.12.2
Priority – High; CVSS – 8.5

2674215 – Denial of service (DoS) in OPC UA applications of SAP Plant Connectivity
Related CVEs – CVE-2018-12585, CVE-2018-12086
Product – SAP Plant Connectivity; Versions – 15.0, 15.1, 15.2
Priority – High; CVSS – 8.2

2392860 – Update to Security Note released on February 2017 Patch Day: Leveraging privileges by customer transaction code
Product – SAP Records Management; Versions – 7.0 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51
Priority – High; CVSS – 8.0

2681207 – Update to Security Note released on September 2018 Patch Day: [CVE-2018-2465] Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model
Product – SAP HANA; Versions – 1.0, 2.0
Priority – High; CVSS – 7.5

Experts from security firm ERPScan noted that chaining the missing network isolation in Gardener with other flaws could, in theory, lead to the compromise of clusters in the application context.

The other SAP security notes address vulnerabilities in NetWeaver Application Server for ABAP (CVE-2018-2470), BusinessObjects (CVE-2018-2472, CVE-2018-2467), Data Services (CVE-2018-2466), Plant Connectivity (CVE-2017-12069), Adaptive Server Enterprise (CVE-2018-2469, CVE-2018-2468), and Fiori (CVE-2018-2474).

This patch update also addresses 5 Support Package Notes.

Pierluigi Paganini

(Security Affairs – BusinessObjects, SAP)

The post SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years appeared first on Security Affairs.

Security Affairs: GAO report reveals new Pentagon weapon systems vulnerable to hack

According to a new report published by the Government Accountability Office (GAO), almost every new weapon system in the Pentagon’s arsenal is vulnerable to hacking.

The new generation of weapon systems developed by the Pentagon is heavily computerized and for this reason more exposed to cyber attacks.


A new 50-page report published by the GAO revealed the presence of several vulnerabilities in weapon systems that were never fixed.

“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.” reads the report published by the GAO.

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.”

The report was commissioned by the Senate Armed Services Committee, which requested a review of the way the Pentagon secures its weapon systems.

GAO experts found several major security issues in the Pentagon arsenal, including easy-to-guess passwords and weapon systems still using factory settings.

In order to identify flaws in weapon systems under development, experts at GAO reviewed cybersecurity assessment reports from selected weapon systems that were tested between 2012 and 2017.

Although the DOD plans to spend about $1.66 trillion to develop its cyber arsenal, it continues to lack adequate cyber security for its weapon systems.

“In some cases, system operators were unable to effectively respond to the hacks.” continues the report.

“Furthermore, DOD does not know the full scale of its weapon system vulnerabilities because, for a number of reasons, tests were limited in scope and sophistication.”

The situation is embarrassing if we consider that a persistent attacker such as an APT group can employ far more than simple tools over a long period of time.

“Cybersecurity test reports that we reviewed showed that test teams were able to gain unauthorized access and take full or partial control of these weapon systems in a short amount of time using relatively simple tools and techniques.” continues the report.

“We saw widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover.”

In one case, the GAO testers were able to guess an administrator password in only 9 seconds.

“Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds.” continues the GAO.

“Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.”

Experts also reported that in some cases simply scanning the weapon systems caused their components to shut down.

“For example, one test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected.” continues the report.

GAO reported that vulnerabilities identified in past assessments were often left unresolved; it cites a test report in which only 1 of 20 previously found vulnerabilities had been addressed.

The DoD replied that it was aware of the flaws but blamed the contractor for the failure to fix them.

GAO also warns of the loss of key personnel who leave the Government to work in the private sector once they’ve gained cybersecurity experience.

The salary offered by private organizations greatly exceeds DOD’s pay scale.

“To address these challenges and improve the state of weapon systems cybersecurity, it is essential that DOD sustain its momentum in developing and implementing key initiatives. GAO plans to continue evaluating key aspects of DOD’s weapon systems cybersecurity efforts.” concludes the report.

Pierluigi Paganini

(Security Affairs – weapon system, hacking)

The post GAO report reveals new Pentagon weapon systems vulnerable to hack appeared first on Security Affairs.

CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East

A Windows zero-day flaw addressed by Microsoft with its latest Patch Tuesday updates is exploited by an APT group in attacks aimed at entities in the Middle East.

The Windows zero-day vulnerability tracked as CVE-2018-8453 is a privilege escalation flaw that was exploited by an APT group in attacks against entities in the Middle East.

The flaw, tracked as CVE-2018-8453, affects the way the Win32k component of Windows handles objects in memory.

The flaw, discovered by experts from Kaspersky Lab, could be exploited by an authenticated attacker to take control of an affected system.


Kaspersky Lab reported the vulnerability to Microsoft on August 17, roughly two months ago.

Kaspersky revealed that the CVE-2018-8453 vulnerability has been exploited by the APT group tracked as FruityArmor, a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations.

Experts believe FruityArmor’s activity has been slowly increasing during the last two years.

The zero-day exploit was included in a malware installer used by the group to escalate privileges on the target machine and gain persistence.

The final payload dropped by the malware was a sophisticated implant used by the attackers for persistent access to the victims’ machines.

“In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys.” reads the report published by Kaspersky.

“The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.”

The zero-day resembles an older vulnerability tracked as CVE-2017-0263, which was fixed by Microsoft in May 2017 and had been exploited by the Russia-linked cyber-espionage group tracked as APT28.

The zero-day exploit was used in targeted attacks against fewer than a dozen entities located in the Middle East.

“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.” continues the report.

The attribution was possible due to the detection of a PowerShell backdoor that has previously been exclusively used by the FruityArmor APT. Experts also confirmed an overlap in the C2 infrastructure between the last campaign and previous attacks attributed to the group.

Further technical details are reported by Kaspersky experts in their analysis.

Pierluigi Paganini

(Security Affairs – FruityArmor, CVE-2018-8453)

The post CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East appeared first on Security Affairs.

Security Affairs: Hackers can compromise your WhatsApp account by tricking you into answering a video call

Hackers can compromise your WhatsApp account by tricking you into answering a video call; the company fixed the flaw in September.

WhatsApp has addressed a vulnerability in its mobile applications that could have been exploited by attackers to crash the victim’s instant messaging app simply by placing a call.

The vulnerability is a memory heap overflow issue that was discovered by Google Project Zero white hat hacker Natalie Silvanovich in August.

WhatsApp fixed the flaw on September 28, and Silvanovich then published the technical details of the vulnerability.

The news of the flaw was also shared by popular Google researcher and bug hunter Tavis Ormandy.

Exploitation of the flaw was trivial: a malformed RTP (Real-time Transport Protocol) packet sent to a user as part of a call request could have been used to trigger the heap overflow and crash the application.

“This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.” reads the report published by Silvanovich.


An attacker could completely hijack a target’s WhatsApp account and spy on their conversations simply by video calling them.

Silvanovich published the proof-of-concept in the security advisory.

The latest versions of the app for both Android and iOS include the fix for this vulnerability.

Pierluigi Paganini

(Security Affairs – instant messaging, hacking)

The post Hackers can compromise your WhatsApp account by tricking you into answering a video call appeared first on Security Affairs.

Security Affairs: Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature

Millions of Xiongmai video surveillance devices can be easily hacked via a cloud feature, a gift for APT groups and cyber crime syndicates.

Security experts from SEC Consult have identified over 100 companies that buy and re-brand video surveillance equipment (surveillance cameras, digital video recorders (DVRs), and network video recorders (NVRs)) manufactured by the Chinese firm Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter) that is open to attack.

Millions of devices are affected by security vulnerabilities that can be easily exploited by a remote attacker to take over the devices. The flaws could be exploited to spy on the camera feeds of unaware users.

The flaws reside in a feature named “XMEye P2P Cloud”, enabled by default, which is used to connect surveillance devices to the cloud infrastructure.

“From a usability perspective, this makes it easier for users to interact with the device, since the user does not have to be in the same network (e.g. the same Wi-Fi network) in order to connect to the device. Additionally, no firewall rules, port forwarding rules, or DDNS setup are required on the router, which makes this option convenient also for non-tech-savvy users.” reads the report published by SEC Consult. “However, this approach has several security implications:

  • The cloud server provider gets all the data (e.g. video streams that are viewed). Open questions:
    • Who runs these servers?
    • Who controls these servers? Where are they located?
    • Do they comply with local jurisdiction?
    • Does the service comply with EU GDPR?
  • If the data connection is not properly encrypted (spoiler alert: it’s not, we’ve checked!), anyone who can intercept the connection is able to monitor all data that is exchanged.
  • The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now, attackers cannot only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach), but a large number of devices that are exposed via the “P2P Cloud”.”

Each device has a unique ID, called the cloud ID or UID (e.g. 68ab8124db83c8db), that allows users to connect to a specific device through one of the supported apps.

Unfortunately, the cloud ID is not random enough to make guessing valid cloud IDs hard: analysis of the Xiongmai firmware revealed that it is derived from the device’s MAC address.

According to SEC Consult experts, an attacker can therefore guess account IDs and access the feeds associated with them.

Experts found many other security issues. For example, all new XMEye accounts use a default admin username of “admin” with no password, and, worse, the installation process does not require users to change it.

The experts also discovered an undocumented user with the name “default” and password “tluafed.”

“In addition to the admin user, by default there is an undocumented user with the name “default”. The password of this user is “tluafed” (default in reverse).” continues the analysis.

“We have verified that this user can be used to log in to a device via the XMEye cloud (checked via custom client using the Xiongmai NetSDK). This user seems to at least have permissions to access/view video streams.”

Experts also discovered that it is possible to execute arbitrary code on the device through a firmware update.

Firmware updates are not signed, which means that an attacker carrying out a MITM attack can impersonate the XMEye cloud and deliver a tainted firmware version to the device.
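The unsigned-update problem described above is exactly what signature checking on the device prevents. The following Go program is an added example, not Xiongmai's or SEC Consult's code: it assumes a constructed container layout and a freshly generated Ed25519 key pair (neither is the real XMEye format or key) and shows a device-side verifier accepting a genuine image and rejecting one altered in transit, and it also refuses version rollback, which goes beyond what the post discusses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout (an assumption for this example, not the
// XMEye update format):
//   magic[4] "XMFW" | version uint32 BE | payloadLen uint32 BE | payload | sig[64]
// The Ed25519 signature covers everything before it, so neither the payload
// nor the version can be altered in transit without invalidating it.
var magic = []byte("XMFW")

const headerLen = 12

var (
	ErrBadContainer = errors.New("firmware: malformed update container")
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
)

// BuildUpdate produces a signed container, as a vendor build server would.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload))
	copy(body[0:4], magic)
	binary.BigEndian.PutUint32(body[4:8], version)
	binary.BigEndian.PutUint32(body[8:12], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyUpdate is the device-side check. It returns the payload and version
// only if the container is well formed, the signature validates under the
// pinned vendor public key, and the version is newer than the installed one.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, container []byte) ([]byte, uint32, error) {
	if len(container) < headerLen+ed25519.SignatureSize || !bytes.Equal(container[:4], magic) {
		return nil, 0, ErrBadContainer
	}
	version := binary.BigEndian.Uint32(container[4:8])
	plen := int(binary.BigEndian.Uint32(container[8:12]))
	// Check the declared length against the real one before slicing, so a
	// lying length field cannot cause an out-of-range read.
	if plen != len(container)-headerLen-ed25519.SignatureSize {
		return nil, 0, ErrBadContainer
	}
	body := container[:headerLen+plen]
	sig := container[headerLen+plen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrBadSignature
	}
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return body[headerLen:], version, nil
}

func main() {
	// The device would ship with pub pinned in its firmware; priv stays with the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := BuildUpdate(priv, 2, []byte("constructed firmware image v2"))
	if _, v, err := VerifyUpdate(pub, 1, genuine); err == nil {
		fmt.Println("genuine image accepted, version", v)
	}
	// A MITM impersonating the update server alters bytes of the payload in transit.
	tampered := append([]byte(nil), genuine...)
	tampered[headerLen] ^= 0xff
	_, _, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```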

Xiongmai devices have been involved in IoT botnets in recent months; both the Mirai and Satori bots infected a huge number of devices manufactured by the Chinese firm.

“We have worked together with ICS-CERT to address this issue since March 2018. ICS-CERT made great efforts to get in touch with Xiongmai and the Chinese CNCERT/CC and inform them about the issues. Although Xiongmai had seven months’ notice, they have not fixed any of the issues.”

“The conversation with them over the past months has shown that security is just not a priority to them at all.” concludes SEC Consult.

Pierluigi Paganini

(Security Affairs – Xiongmai, hacking)

The post Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature appeared first on Security Affairs.



Security Affairs

Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature

Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature, a gift for APT groups and cyber crime syndicates

Security experts from security firm SEC Consult have identified over 100 companies that buy and re-brand video surveillance equipment (surveillance cameras, digital video recorders (DVRs), and network video recorders (NVRs)) manufactured by the Chinese firm Hangzhou Xiongmai Technology Co., Ltd.(Xiongmai hereinafter) that are open to hack.

Millions of devices are affected by security vulnerabilities that can be easily exploited by a remote attacker to take over devices. The flaws could be exploited to spy on camera feeds of unaware users.

The flaws reside in a feature named the “XMEye P2P Cloud” that is enabled by default which is used to connect surveillance devices to the cloud infrastructure.

Each device has a unique ID, called cloud ID or UID (i.e. 68ab8124db83c8db) that allows users to connect to a specific device through one of the supported apps.

Unfortunately, the cloud ID is not sufficiently random and complex to make guessing correct cloud IDs hard because the analysis of the Xiongmai firmware revealed it is derived from the device’s MAC address.

According to SEC Consult experts, an attacker can guess account IDs and access the feed associated with other IDs,

Experts found many other security issues, for example, all new XMEye accounts use a default admin username of “admin” with no password and the worst aspect is that the installation process doesn’t require users to change it.

The experts also discovered an undocumented user with the name “default” and password “tluafed.”

“In addition to the admin user, by default there is an undocumented user with the name “default”. The password of this user is “tluafed” (default in reverse).” continues the analysis.

“We have verified that this user can be used to log in to a device via the XMEye cloud (checked via custom client using the Xiongmai NetSDK). This user seems to at least have permissions to access/view video streams.”

Experts also discovered that it is possible to execute arbitrary code on the device through a firmware update.

Firmware updates are not signed, this means that an attacker carries out a MITM attack and impersonate the XMEye cloud to tainted firmware version.

Xiongmai devices have been involved in IoT botnets in recent months; both Mirai and Satori infected a huge number of devices manufactured by the Chinese firm.

“We have worked together with ICS-CERT to address this issue since March 2018. ICS-CERT made great efforts to get in touch with Xiongmai and the Chinese CNCERT/CC and inform them about the issues. Although Xiongmai had seven months’ notice, they have not fixed any of the issues.”

“The conversation with them over the past months has shown that security is just not a priority to them at all.” concludes SEC Consult.

Pierluigi Paganini

(Security Affairs – Xiongmai, hacking)

The post Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature appeared first on Security Affairs.

Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks

Security firm Group-IB has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector.

Group-IB, an international company that specializes in preventing cyber attacks, has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector. As stated in Group-IB’s annual report “Hi-Tech Crime Trends 2018” presented at the CyberCrimeCon18 conference, every month, 1-2 banks lose money as a result of cyber attacks, and the damage caused by one successful theft is, on average, $2 million.

“Financial motivation still prevails among APT groups; however, stolen money is not the most dangerous thing that could happen to a financial organization,” says Ilya Sachkov, Group-IB CEO and founder. “Since in many countries banks are considered critical infrastructure, they are the targets for state-sponsored hacker groups specialized in sabotage. One successful attack is capable of destroying a financial organization and even causing the collapse of a state financial system. Considering this, banks need to rethink their approach to protection against cyber threats. Defense is an outdated strategy. It’s time to stop being victims and become hunters.”


In the new report, Group-IB experts described in detail the cyber threats to the financial sector—active APT groups, tactics of the attackers, infection vectors, and new hacker tools.

Targeted attacks on banks: active groups and withdrawal methods

Group-IB identifies 4 criminal APT groups that pose a real threat to the financial sector: not only are they able to penetrate a bank’s network and access isolated financial systems, but they can also successfully withdraw money via SWIFT, AWS CBR, card processing and ATMs. These groups are Cobalt, MoneyTaker, Silence, which are led by Russian-speaking hackers, and the North Korean group Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, the latter of which, at the end of 2017, conducted the first successful attack in the history of Russia’s financial sector on a bank using SWIFT. According to Group-IB estimates, the number of targeted attacks on banks to conduct thefts via SWIFT in the reporting period increased threefold. In the previous period, three such attacks were recorded: in Hong Kong, Ukraine, and Turkey. In this period, however, there have already been 9 successful attacks in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. The good news is that with SWIFT most of the unauthorized transfers can be stopped in time and returned to the banks affected.

Attacks on card processing remain one of the main methods of theft and they are actively used by hackers from Cobalt, MoneyTaker, and Silence. In February 2018, members of Silence conducted a successful attack on a bank and stole money via card processing: they managed to withdraw $522,000 (35 million rubles) from cards via the ATMs of a partner bank. Focusing attacks on ATMs and card processing led to a reduction in the average amount of damage from one attack. However, they allow attackers to conduct these attacks more securely for “drops” who cash out the stolen money. The attackers are in one country, their victim (the bank) in another, and the cashing out is done in a third country.

Withdrawing money through the AWS CBR (Automated Work Station Client of the Russian Central Bank) is actively used by MoneyTaker—in November 2017, they managed to withdraw $104,000 (7 million rubles), but in summer 2018, they successfully stole $865,000 (58 million rubles) from PIR Bank. MoneyTaker has already conducted 16 attacks in the US, 5 on banks in Russia, and 1 in the UK. In the US, the average amount of damage from one attack is $500,000. In Russia, the average amount of funds withdrawn is $1.1 million (72 million rubles). In December 2017, Group-IB published the first report on this group: “MoneyTaker: 1.5 Years of Silent Operations”.

In the designated period, only Cobalt conducted attacks on payment gateways. In 2017, they used this method to steal money from two companies; however, no attempts were made in 2018. They were helped in one of their attacks by members of the group Anunak, which had not conducted an attack of this kind since 2014. Despite the arrest of the gang’s leader in Spain in spring 2018, Cobalt continues to be one of the most active and aggressive groups, steadily attacking financial organizations in Russia and abroad 2-3 times a month.

Attacks on bank customers: the decline of Android Trojans and the triumph of phishing

In Russia, according to Group-IB experts, there are no longer any groups left that conduct thefts from individuals using banking Trojans for PCs. This decline in the threat from PC banking Trojans has continued in Russia since 2012.

At present, only three criminal groups—Buhtrap2, RTM, and Toplel—steal money from the accounts of legal entities in Russia. Group-IB experts noted a change in the attackers’ tactics in the second half of 2017: the vector for distributing the Trojans was no longer traditional malicious campaigns or hacked popular sites, but newly created resources tailored to accountants and company executives who use remote banking systems (RBSs), payment systems, or cryptocurrency wallets in their work. On these fake resources, the criminals placed code designed to download the Buhtrap and RTM Trojans.

Unlike in Russia, on the global stage, the cyber threat landscape has undergone far greater changes. Six new banking Trojans for PCs have emerged: IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot. Among the new Trojans, we would like to highlight BackSwap, which initially only attacked banks in Poland, but then moved on to banks in Spain. BackSwap is interesting because it simultaneously implemented several new techniques of introducing code to automatically replace payment details. The greatest threat for bank customers still comes from criminal groups that use the Dridex, Trickbot, and Gozi Trojans.

Over the last year, Group-IB experts have noted a decline in Russia of the epidemic of smartphone infections with Android Trojans, after several years of rapid growth. The number of daily thefts committed using Android Trojans in Russia decreased almost threefold, and the average amount stolen decreased from $164 to $104. New Android Trojans (Easy, Exobot 2.0, CryEye, Cannabis, fmif, AndyBot, Loki v2, Nero banker, Sagawa and others) that are put up for sale or hire on hacker forums are primarily intended for use outside Russia. An exception is the “Banks in Your Hand” malware: the Trojan was disguised as a financial app intended to serve as an “aggregator” of the mobile banking systems of Russia’s leading banks. Every day the Trojan stole between $1,500 and $7,500 from users; in March 2018, with Group-IB’s assistance, the criminals were detained by the police. Another cause of the reduction in damage to customers is that banks and payment systems have introduced early fraud detection technologies based on behavioral analysis, which can detect attacks combining social engineering scams, phishing, botnets, illegal cash-out networks and fraud across multiple channels, as well as other types of banking fraud, on all customer devices and platforms.

There has been a significant rise in the number of crimes committed using web phishing and fake websites of banks, payment systems, telecoms operators, online stores and famous brands. Using web phishing, criminals have managed to steal $3.7 million (251 million rubles), which is 6% more than in the previous period. On average, approximately $15 is stolen in each phishing attack. According to Group-IB estimates, the number of groups that create phishing websites imitating Russian brands has increased from 15 to 26. As for global trends, as expected, the greatest number of financial phishing websites are registered in the USA; they account for 80% of all financial phishing sites. France is in second place, followed by Germany.

Group-IB’s CEO, Ilya Sachkov, notes that to defeat cyber crime, we need to synchronize the law at state level, hit the economic base and funding channels of criminals, and introduce a moratorium on the development and sale of digital weapons that may end up in criminal hands.

“Cyber security must be a priority paradigm for people, business, and the state. It is thought that countering cyber threats is a typical competition of armor and equipment. This is why the protection paradigm itself has now changed: the main idea is to be a few steps ahead of the cyber criminals and stop crimes from happening in the first place.”

About the author: Group-IB

Group-IB is one of the world’s leading providers of solutions aimed at the detection and prevention of cyber attacks, fraud exposure and protection of intellectual property on the Internet. The GIB Threat Intelligence cyber threat data collection system has been named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s fifteen years of hands-on experience in cybercrime investigations all over the world and 55,000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and a round-the-clock centre providing a rapid response to cyber incidents—CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE.

Pierluigi Paganini

(Security Affairs – financial sector, cybercrime)

The post Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks appeared first on Security Affairs.


Researchers presented an improved version of the WPA KRACK attack

Security researchers who devised last year the Key Reinstallation Attack, aka KRACK attack, have disclosed new variants of the attack.

Security researchers Mathy Vanhoef and Frank Piessens, who devised last year the Key Reinstallation Attack against WPA, aka KRACK attack, have disclosed new variants of the attack.

Last year, the boffins discovered several key management flaws in the core of the Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker within range of a Wi-Fi network to eavesdrop on its Internet communications and steal sensitive information (e.g. credit card numbers, passwords, chat messages, emails, and pictures).

WPA2 itself was compromised: the flaws reside in the Wi-Fi standard, not in any single one of its numerous implementations.

The KRACK attack allows attackers to decrypt Wi-Fi users’ data without cracking or knowing the password.

According to the researchers, the KRACK attack works against:

  • Both WPA1 and WPA2,
  • Personal and enterprise networks,
  • Ciphers WPA-TKIP, AES-CCMP, and GCMP

The bugs impact all implementations, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others.
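The reason a key reinstallation lets an attacker decrypt traffic “without knowing the password” is nonce reuse: when a client reinstalls a key that is already in use, it resets the transmit packet number (the nonce), so the same keystream is generated again for new frames. The Go program below is an added example, not code from the researchers or from the original article; it reproduces that effect with AES-CTR from the Go standard library (standing in for the counter mode inside CCMP) and models the fix that patched clients adopted, which is to refuse to reinstall a key that is already in use. The key and frame contents are constructed, and SessionKey and its methods are hypothetical names for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ctrEncrypt encrypts one frame with AES-128-CTR under (key, nonce). As in
// the counter mode inside CCMP, the keystream depends only on key and nonce.
func ctrEncrypt(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out
}

func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeak returns (c1 XOR c2, p1 XOR p2) for two frames encrypted under
// the same key and nonce. They are equal: XORing the ciphertexts cancels the
// repeated keystream and exposes the XOR of the plaintexts without the key.
func NonceReuseLeak(key, nonce, p1, p2 []byte) (ctXor, ptXor []byte) {
	return xorBytes(ctrEncrypt(key, nonce, p1), ctrEncrypt(key, nonce, p2)), xorBytes(p1, p2)
}

// SessionKey models a client's installed pairwise key and its transmit packet
// number, which serves as the nonce. Hypothetical type for this example.
type SessionKey struct {
	key   []byte
	pn    uint64
	inUse bool
}

func (s *SessionKey) reset(k []byte) {
	s.key = append([]byte(nil), k...)
	s.pn = 0
	s.inUse = true
}

// ReinstallUnchecked is the unpatched behaviour: every handshake message 3,
// including a retransmitted one, (re)installs the key and zeroes the nonce.
func (s *SessionKey) ReinstallUnchecked(k []byte) { s.reset(k) }

// Install is the mitigation patched clients adopted: a key already in use is
// not reinstalled, so a retransmitted message 3 leaves the nonce untouched.
func (s *SessionKey) Install(k []byte) bool {
	if s.inUse && bytes.Equal(k, s.key) {
		return false
	}
	s.reset(k)
	return true
}

// NextNonce returns a fresh 16-byte CTR nonce: the packet number fills the
// upper 64 bits and the lower 64 bits are left to CTR's block counter, so two
// different frames never share a keystream block.
func (s *SessionKey) NextNonce() []byte {
	n := make([]byte, 16)
	binary.BigEndian.PutUint64(n[:8], s.pn)
	s.pn++
	return n
}

// Demo encrypts a frame, replays message 3 against an unpatched and a patched
// client, encrypts a second frame, and reports whether the ciphertext XOR
// reveals the plaintext XOR in each case.
func Demo() (unpatchedLeaks, patchedLeaks bool) {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	p1 := []byte("first frame payload!")
	p2 := []byte("second frame payload")
	leaks := func(replayMsg3 func(*SessionKey)) bool {
		var s SessionKey
		s.Install(key)
		c1 := ctrEncrypt(s.key, s.NextNonce(), p1)
		replayMsg3(&s) // the retransmitted handshake message arrives
		c2 := ctrEncrypt(s.key, s.NextNonce(), p2)
		return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
	}
	return leaks(func(s *SessionKey) { s.ReinstallUnchecked(key) }),
		leaks(func(s *SessionKey) { s.Install(key) })
}

func main() {
	u, p := Demo()
	fmt.Printf("unpatched client leaks plaintext XOR: %v; patched client: %v\n", u, p)
}
```

The same check belongs on the receive side: a reinstallation also resets the replay counter, so a client that refuses to reinstall an in-use key also keeps rejecting replayed frames.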

Now the experts have presented new variants of the attack technique at the Computer and Communications Security (CCS) conference.

The new attacks no longer rely on hard-to-win race conditions and use a more practical method to obtain the man-in-the-middle (MitM) position.

“First, we generalize attacks against the 4-way handshake so they no longer rely on hard-to-win race conditions, and we employ a more practical method to obtain the required man-in-the-middle (MitM) position.” reads the research paper.

“Second, we systematically investigate the 802.11 standard for key reinstallation vulnerabilities, and show that the Fast Initial Link Setup (FILS) and Tunneled direct-link setup PeerKey (TPK) handshakes are also vulnerable to key reinstallations. These handshakes increase roaming speed, and enable direct connectivity between clients, respectively. Third, we abuse Wireless Network Management (WNM) power-save features to trigger reinstallations of the group key.”


The experts explained that they achieve the multi-channel MitM position by forging Channel Switch Announcements (CSAs) to trick clients into switching to the desired (rogue) channel.

“We propose a more practical method to obtain the MitM, which works based on Channel Switch Announcements (CSAs). In this method, the adversary forges CSAs to trick clients into switching to the desired (rogue) channel [27, 46].” continues the paper. “This is more reliable than jamming certain channels, and does not require special Wi-Fi equipment. We successfully tested this approach against Android and Chromium.”

The security duo also discovered that it is possible to capture message 3 of the handshake, which transports the group key to the client, and delay its delivery. This way the key reinstallation is not triggered immediately, allowing the attacker to postpone the attack and increasing its potential impact.

The experts successfully tested the delay against Linux, Android, iOS, and macOS, and it also works with encrypted messages.

“Our results show that preventing key reinstallations is harder than initially assumed. We believe the main reason vulnerabilities are still present is because the Wi-Fi standard is large, is continually being expanded with new features, and requires domain-specific knowledge to understand,” the researchers conclude.

“These obstacles can be overcome by having high-level descriptions (or formal models) of all security-related features of Wi-Fi. Additionally, we believe the Wi-Fi Alliance should not only test products for interoperability, but also fuzz them for vulnerabilities.”

Pierluigi Paganini

(Security Affairs – KRACK attack, WPA)

The post Researchers presented an improved version of the WPA KRACK attack appeared first on Security Affairs.


Project Strobe, what will change after the Google security breach?

Google announced a security breach that may have exposed the data of over 500,000 users of its Google+ social network; these are the measures it has taken in response to the incident.

Yesterday Google announced a security breach that may have exposed data of over 500,000 users of its Google+ social network.

Security experts and privacy advocates criticized the company for not disclosing the Google+ flaw when it first discovered the issue in March, because it feared regulatory scrutiny and reputational damage.

Now, in order to prevent the potential leakage of sensitive data to third-party app developers, the company has implemented significant changes that give users granular control over the data they allow each app to access.

Google has updated its Account Permissions system so that users grant individual permissions one at a time rather than a full set of permissions at once.


The company introduced several changes as a result of the work of Project Strobe, an internal task force charged with conducting a companywide audit of the company’s APIs in recent months.

The team reviewed third-party developers’ access to Google account and Android device data; as a result, the IT giant has changed the way permissions are approved for Android apps, to prevent the abuse and potential leakage of sensitive call and text log data by third-party developers.

While apps are only supposed to request the permissions they need to function properly, until now any Android app could ask for access to phone and SMS data unnecessarily.

The new rule, part of the Google Play Developer Policy, aims to prevent abuse by restricting the Call Log and SMS permissions to the apps the user has selected as the “default” phone or SMS apps.

“Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions.” reads a blog post published by Google on the Project Strobe.

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.)”

Google has also limited access to the Gmail API to apps expressly developed to provide or improve email features, such as email clients and email backup services.

The measure limits API access to the data in users’ Gmail accounts.

What will happen from today?

Developers will have to update their applications to comply with the new policy by January 6th, 90 days from now.

Pierluigi Paganini

(Security Affairs – Google, Project Strobe)

The post Project Strobe, what will change after the Google security breach? appeared first on Security Affairs.

BEC scams, hacked accounts available from $150 up to $5,000

Security experts from Digital Shadows have conducted an interesting study of the techniques adopted by crooks to infiltrate company email, the so-called BEC scam.

According to the FBI, the number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

Business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018; in the same period, overall BEC/EAC losses reached $12 billion.

Experts from Digital Shadows highlighted the availability online of huge email archives that crooks could use to target companies. It is quite easy to find AWS buckets containing backups of email archives; the same data can be found on publicly accessible rsync, FTP, SMB, and NAS drives.

The experts estimated that some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information have been exposed online.

“Digital Shadows detected 33,568 email addresses of finance departments exposed through third party compromises. Eighty-three percent (27,992) of these emails had passwords associated with them. If these passwords have been reused for corporate accounts, this may leave organizations at risk to account takeovers.” reads the report published by Digital Shadows.

Experts found over 50,000 email files containing terms such as “invoice”, “payment”, or “purchase order” in misconfigured or unauthenticated file stores.

In some cases, the compromised email archives also included passport scans. According to the report, crooks search for company email addresses containing “ap@”, “ar@”, “accounting@”, “accountreceivable@”, “accountpayable@”, and “invoice@”.

Company credentials are a valuable commodity in the cybercrime underground; they are offered for up to $5,000 for a single username and password pair.


The growing interest of cybercriminals in BEC scams has driven the growth of BEC-as-a-Service; such services are widely available for as little as $150.

“It’s possible to outsource this work to online actors, who will acquire company credentials for a set fee or percentage of earnings. The price will vary depending on the type of mail service, but services are available from as little as $150.” continues the report.

Experts warn that BEC attacks are a global problem; email archives are exposed predominantly across the European Union (5.2 million), North America (2.9 million), and Asia-Pacific (2 million).

In order to reduce the risk, Digital Shadows experts recommend the following measures to organizations:

  • Update security awareness training content to include the Business Email Compromise (BEC) scenario
  • Include BEC within incident response/business continuity planning
  • Work with wire transfer application vendors to build in manual controls, as well as multiple person authorizations to approve significant wire transfers
  • Continuously monitor for exposed credentials. This is particularly important for finance department emails
  • Conduct ongoing assessments of executives’ digital footprints – threat actors will perform their reconnaissance on high-value targets. Start with using Google Alerts to track new web content related to them
  • Prevent email archives being publicly exposed
  • Businesses should be aware of the risks of their contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default.
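The report's indicators (the archive extensions, the finance mailbox names and the search terms) map directly onto the "continuously monitor" and "prevent email archives being publicly exposed" recommendations above. The following Python is an added example written for this page, not Digital Shadows' tooling: it triages a storage listing in the shape of `aws s3 ls --recursive` output, flags objects with email archive extensions, notes finance mailboxes named in their paths, and counts the report's terms in a message body. The listing and the message are constructed sample data.

```python
import re

# File types Digital Shadows counted as exposed email archives.
MAIL_ARCHIVE_EXTENSIONS = {".eml", ".msg", ".pst", ".ost", ".mbox"}

# Mailbox local parts the report says crooks search for.
FINANCE_MAILBOXES = {"ap", "ar", "accounting", "accountreceivable",
                     "accountpayable", "invoice"}

# Terms the report searched for inside exposed messages.
FINANCE_TERMS = ("invoice", "payment", "purchase order")

# Constructed listing in the shape of `aws s3 ls --recursive` output
# (date, time, size, key). Sample data, not a real bucket.
SAMPLE_LISTING = """\
2018-10-01 09:12:33     204800 backups/mail/ap@example.invalid.pst
2018-10-01 09:12:35       4096 backups/mail/notes.txt
2018-10-02 18:40:10    1048576 exports/Sales Team.mbox
2018-10-03 07:05:59      12288 exports/invoice@example.invalid/2018-09.eml
2018-10-03 07:06:00      51200 photos/holiday.jpg
"""

# Constructed message body.
SAMPLE_MESSAGE = ("Subject: Purchase Order 4471\n\n"
                  "Please process the attached invoice; payment is due Friday.")

LISTING_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.+)$")
EMAIL_RE = re.compile(r"\b([a-z0-9._%+-]+)@([a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def is_mail_archive(key):
    """True when the object key ends in one of the email archive extensions."""
    dot = key.rfind(".")
    return dot != -1 and key[dot:].lower() in MAIL_ARCHIVE_EXTENSIONS


def finance_mailboxes_in(text):
    """Finance-department addresses (per the report's list) found in text."""
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)
                   if m.group(1).lower() in FINANCE_MAILBOXES})


def triage_listing(listing):
    """Return one record per exposed email archive in a bucket listing."""
    findings = []
    for line in listing.splitlines():
        m = LISTING_RE.match(line)
        if not m or not is_mail_archive(m.group(4)):
            continue
        key = m.group(4)
        stem = key[:key.rfind(".")]  # drop the extension before address matching
        findings.append({
            "key": key,
            "size": int(m.group(3)),
            "finance_mailboxes": finance_mailboxes_in(stem),
        })
    return findings


def finance_terms_in(message_text):
    """Count the report's finance terms in one message (case-insensitive)."""
    lower = message_text.lower()
    return {term: lower.count(term) for term in FINANCE_TERMS if term in lower}


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        flag = " FINANCE" if f["finance_mailboxes"] else ""
        print(f"exposed archive: {f['key']} ({f['size']} bytes){flag}")
    print("terms in sample message:", finance_terms_in(SAMPLE_MESSAGE))
```

Feeding a real listing through `triage_listing` gives an inventory of archives that should not be in a public store at all; the finance flag only orders the clean-up, since the report's point is that any exposed archive is a BEC reconnaissance source.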

Below are the key findings of the report:

  • Corporate email accounts can be compromised for as little as $150
  • A look inside the planning of a targeted Business Email Compromise campaign
  • More than 33,000 accounting email credentials are exposed
  • 12.5 million email archive files are exposed across online file stores
  • The risks of BEC can be mitigated with a range of security measures

Pierluigi Paganini

(Security Affairs – WECON, SCADA)

The post BEC scams, hacked accounts available from $150 up to $5,000 appeared first on Security Affairs.


How Secure Are Bitcoin Wallets, Really?

Purchasers of Bitcoin wallets usually have one priority topping their lists: security. What’s the truth about the security of these wallets?

When buying a conventional wallet for coins and paper money, people often prioritize characteristics like the size, color, shape, and number of compartments.

However, purchasers of Bitcoin wallets — the software programs that facilitate storing someone’s cryptocurrency-related wealth — usually have one priority topping their lists: security.

So, the companies behind those wallets wisely emphasize why their products are more secure than what competitors offer and why that’s the case. But, beyond the marketing language, what’s the truth about the security of these wallets?

Guessing an Individual Bitcoin Wallet Key Is Tremendously Unlikely, Crypto Expert Says

People appreciate comparisons when thinking about the likelihood something might happen. Brian Liotti of the website Crypto Aquarium had that in mind when he carried out research and found the probability of guessing a Bitcoin key for one wallet is as likely as winning the Powerball nine times in a row.

So, that’s undoubtedly comforting to people who raise their eyebrows at the prospect of using a digital method to store their cryptocurrency investments.

A Wallet Owner Gets Locked out for Months

There’s also the detailed account of Mark Frauenfelder, who owned a Trezor wallet and couldn’t access it for several traumatizing months after misplacing the PIN that served as recovery words for the software. His tale of woe proves a hacker couldn’t contact a Bitcoin wallet manufacturer, masquerade as a wallet owner and get the goods for access.

A Teenager Hacked a Tamper-Proof Wallet

Ledger, a French company that sells Bitcoin wallets, found itself receiving unwanted publicity when a British teenager disclosed a proof of concept that allowed him to break into the Ledger Nano S, a wallet the company had advertised as unhackable. The hack focuses on the device’s microcontrollers.

One of them stores the wallet’s private key and the other acts as a proxy. The proxy microcontroller is reportedly so insecure it cannot differentiate between authentic firmware and that which a cybercriminal creates.

This case study, as well as others associated with less-than-locked-down Bitcoin wallets, emphasizes how people should not get too comfortable after buying a Bitcoin wallet, even one considered as being among the best of the best. The same goes for storing other types of money: Following best practices is always the ideal approach.

If a person owns collector coins, it’s essential to learn how to protect them from potential sources of damage — such as temperature extremes, acids and humidity. Although they exist in the cyber-realm, Bitcoins need safeguards of their own concerning hackers, especially as even the most high-tech options show they need improvement.

Alleged Break-Ins to McAfee’s Wallet

The Bitfi Bitcoin wallet, backed by cybersecurity executive John McAfee, offered a $250,000 bounty to anyone who could successfully hack it. And, in August 2018, a security research firm called OverSoft NL claimed success. The company behind the wallet then issued a second bounty in an attempt to find the weaknesses.

People in the cybersecurity sector expressed their frustrations about the reward, since participants have to abide by the company’s rules. In other words, if cybersecurity experts hacked the wallet in a way the company didn’t specify, they would not win the reward.

But, hacks carried out by malicious players never seem to follow such parameters. Often, they involve unusual methods that exploit vulnerabilities the manufacturer never fathomed. Other people said they had hacked the wallet before OverSoft NL, but not per the company’s rules.

Even representatives from the cybersecurity firm expressed doubts that they’d actually receive the money, believing the bounty to be nothing more than a marketing ploy. The bounty program has since been discontinued, with the company promising to launch another soon.

The Marketing Language Could Tempt Hackers

Whenever something in the tech industry gets presented as impossible to infiltrate, both ethical and malicious hackers frequently see a challenge to try and prove otherwise.

As John McAfee spoke of his wallet on Twitter, the tone could easily come across as overconfident and cocky: “For all you naysayers who claim that ‘nothing is unhackable’ & who don’t believe that my Bitfi wallet is truly the world’s first unhackable device, a $100,000 bounty goes to anyone who can hack it…” And indeed, hackers got to work and accepted the challenge.

Cryptocurrency Wallet Owners Cannot Be Too Careful

Although we’ve seen here how research shows Bitcoin wallet hacks are unlikely and that a wallet owner himself couldn’t even get access to his funds after losing the PIN, case studies show hacks are still possible.

People should always perform adequate research about the security measures built into individual wallets, but also use them intelligently by following good cybersecurity habits and never assuming a wallet couldn’t get hacked.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

 

 

Pierluigi Paganini

(Security Affairs – Bitcoin, cybercrime)

The post How Secure Are Bitcoin Wallets, Really? appeared first on Security Affairs.


Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it

This is very bad news for Google, which suffered a massive data breach that exposed the private data of over 500,000 Google Plus users to third-party developers.

As a consequence of the data exposure, the company is going to shut down the social media network Google+.

The root cause of the data breach is a security vulnerability affecting one of the Google+ People APIs that allowed third-party developers to access data for more than 500,000 users.

Exposed data include usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

The worst aspect of the story is that the company did not disclose the Google+ flaw when it first discovered the issue this spring, because it feared regulatory scrutiny and reputational damage.

“Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.” reported the Wall Street Journal.

“As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.”

Google declared that its experts immediately addressed this vulnerability in March 2018 and that they have found no evidence that any developer exploited the flaw to access users' data. The flaw had been present in the Google+ People APIs since 2015.

“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” reads a blog post published by Google.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”


The choice of not disclosing the vulnerability was probably influenced by the Cambridge Analytica scandal that was occurring in the same period.

“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” continues the WSJ.

Experts believe that the vulnerability in Google+ is similar to the one recently discovered in the Facebook API.

Google will maintain Google+ only for Enterprise users starting from August 2019.

Google also provided information about the Project Strobe program, under which an internal privacy task force has been conducting a company-wide audit of the company’s APIs in recent months.

“In a blog post on Monday, Google said it plans to clamp down on the data it provides outside developers through APIs. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.” concludes the WSJ.
“The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps.”

Pierluigi Paganini

(Security Affairs – Google Plus flaw, hacking)

The post Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it appeared first on Security Affairs.

WECON PI Studio HMI software affected by code execution flaws

Security experts discovered several vulnerabilities in WECON’s PI Studio HMI software; the company has verified the issues but has not yet released patches.

Researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software, software widely used in the critical manufacturing, energy, metallurgy, chemical, and water and wastewater sectors.

Both experts reported the flaws through Trend Micro’s Zero Day Initiative.

WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.

The list of flaws discovered by the experts includes a critical stack-based buffer overflow vulnerability, tracked as CVE-2018-14818, that could lead to remote code execution.

Another flaw, tracked as CVE-2018-14810, is a high severity out-of-bounds write bug which may allow code to be executed in the context of an administrator.

The remaining issues are two medium severity information disclosure flaws tracked as CVE-2018-17889 and CVE-2018-14814.

“Successful exploitation of these vulnerabilities may allow remote code execution, execution of code in the context of an administrator, read past the end of an allocated object or allow an attacker to disclose sensitive information under the context of administrator.” reads the security advisory published by the ICS-CERT.

WECON has confirmed the vulnerabilities, but it has not revealed when it will release security patches.


Below is the list of mitigations provided by the ICS-CERT:

“WECON has verified the vulnerabilities but has not yet released an updated version.” continues the security advisory.

“NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”

Pierluigi Paganini

(Security Affairs – WECON, SCADA)

The post WECON PI Studio HMI software affected by code execution flaws appeared first on Security Affairs.

Expert presented a new attack technique to compromise MikroTik Routers

Experts from Tenable Research have devised a new attack technique to fully compromise MikroTik Routers.

MikroTik routers continue to be under attack, and the situation is getting worse because of the availability of a new PoC code.

The new attack technique discovered by experts at Tenable Research could be exploited by remote attackers to execute arbitrary code on the vulnerable devices.

The experts at Tenable Research presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS”; it leverages a known directory traversal flaw tracked as CVE-2018-14847.


The vulnerability, rated medium severity, was discovered in April; it affects Winbox, a management console for MikroTik’s RouterOS software.

In the past months, MikroTik devices running RouterOS were targeted by malicious code that includes the exploit for the Chimay-Red vulnerability.

The Chimay Red hacking tool leverages two exploits, the Winbox Any Directory File Read (CVE-2018-14847) and the Webfig Remote Code Execution Vulnerability.

Now Tenable Research devised a new attack technique that exploits the same CVE-2018-14847 issue to execute arbitrary code on the target device.

“The vulnerabilities include CVE-2018-1156 — an authenticated remote code execution (RCE) — as well as a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158). The most critical of these vulnerabilities is the authenticated RCE, which would allow attackers to potentially gain full system access. They were tested against RouterOS 6.42.3 (release date: 05-25-2018) using the x86 ISO.” reads a blog post published by Tenable Research.

“All of these vulnerabilities require authentication (essentially legitimate credentials). If the authenticated RCE vulnerability (CVE-2018-1156) is used against routers with default credentials, an attacker can potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router.”

Jacob Baines, the Tenable researcher who devised the attack technique, also published a proof of concept for the attack; he explained that it is possible to trigger a stack buffer overflow in the sprintf function of the licupgr binary.

“The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

[Image: MikroTik routers poc]

“Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system,” explained the expert.

What’s expected now?

MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 in August to address the flaws; users have to upgrade their devices and change the default credentials.

Unfortunately, the experts revealed that only approximately 30 percent of vulnerable devices have been patched, which means that roughly 200,000 routers could still be hacked.

The good news is that currently, experts are not aware of the technique being exploited in the wild.

“Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version.” concludes Tenable Research.
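An added example, not Tenable's or MikroTik's code, showing how the three fixed releases named above translate into a per-train patch check for an inventory of RouterOS version strings. The inventory is constructed; treating 6.40.9 and 6.42.7 as the minimum fixed versions on their trains and 6.43 as the floor for every other 6.x train is an assumption drawn only from the versions the article lists (a device on the 6.41 train, for instance, is reported as unpatched until it reaches 6.43).

```python
import re

# Minimum fixed versions named in the article, keyed by release train
# (major, minor). Mapping every other 6.x train to 6.43 is an assumption:
# the article lists only these three releases, so a device on any other
# train is treated as needing 6.43 or later.
FIXED_ON_TRAIN = {
    (6, 40): (6, 40, 9),
    (6, 42): (6, 42, 7),
}
FIXED_DEFAULT = (6, 43, 0)

# Accepts "6.42.7", "6.43" and "6.43 (stable)"; release candidates such as
# "6.43rc1" are deliberately rejected so they get looked at by a human.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*\(.*\))?$")

# Constructed inventory of (host, reported version); not real devices.
SAMPLE_INVENTORY = [
    ("edge-1", "6.40.9"),
    ("edge-2", "6.40.8"),
    ("core-1", "6.42.7 (stable)"),
    ("core-2", "6.42.6"),
    ("lab-1", "6.43"),
    ("lab-2", "6.41.4"),
    ("lab-3", "6.44.1"),
]


def parse_version(text):
    """Turn a RouterOS version string into a (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def required_version(version):
    """Minimum fixed version for the train the given version belongs to."""
    major, minor, _patch = version
    return FIXED_ON_TRAIN.get((major, minor), FIXED_DEFAULT)


def is_patched(text):
    """True when the reported version is at or above the fix for its train."""
    v = parse_version(text)
    if v[0] > 6:
        return True  # later major release; all three fixes predate it
    return v >= required_version(v)


def fleet_report(inventory):
    """Split an inventory into patched and unpatched (host, version, required)."""
    patched, unpatched = [], []
    for host, ver in inventory:
        record = (host, ver, required_version(parse_version(ver)))
        (patched if is_patched(ver) else unpatched).append(record)
    return patched, unpatched


if __name__ == "__main__":
    ok, todo = fleet_report(SAMPLE_INVENTORY)
    for host, ver, need in todo:
        print(f"{host}: running {ver}, needs {'.'.join(map(str, need))} or later")
    print(f"{len(ok)} patched, {len(todo)} unpatched")
```

The tuple comparison does the work: Python compares `(6, 42, 6)` against `(6, 42, 7)` element by element, so no string arithmetic on version numbers is needed. The per-train table is the part to review when the vendor names further fixed releases.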

Pierluigi Paganini

(Security Affairs – MikroTik routers, hacking)

The post Expert presented a new attack technique to compromise MikroTik Routers appeared first on Security Affairs.

Kaspersky shed lights on the overlap of operations conducted by Turla and Sofacy

Researchers from Kaspersky Lab collected evidence that demonstrates overlaps between the activity of Russian APT groups Turla and Sofacy. 

In March, during the Kaspersky Security Analyst Summit held in Cancun, Kurt Baumgartner, Kaspersky principal security researcher, revealed the activity associated with Sofacy APT group appears to overlap with campaigns conducted by other cyber espionage groups.

Baumgartner explained that the Sofacy’s Zebrocy malware was found on machines in Europe and Asia that were also infected with the Mosquito backdoor associated with the Russia-linked Turla APT.

 

The researchers discovered that the delivery of Turla’s KopiLuwak malware leverages code identical to that previously observed in campaigns distributing the Zebrocy tool.

The delivery vector used in the recent spear-phishing campaigns conducted by Turla uses Windows shortcut (.LNK) files containing PowerShell code almost identical to that used in Zebrocy attacks.

In mid-2018, a very small number of systems in Syria and Afghanistan were targeted with this new delivery vector.

KopiLuwak was first spotted in 2016 while the APT was delivering it to at least one victim leveraging a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus.

KopiLuwak uses multiple JavaScript layers to avoid detection; the malicious code gains persistence on the targeted machine by creating a registry key. Once it has infected a system, the malicious code executes a series of commands to collect information and exfiltrate data. Stolen data is temporarily stored in a file that is deleted after it is encrypted and stored in memory.

The KopiLuwak JavaScript malware is controlled through a collection of compromised websites; the IP addresses of those websites are hardcoded into the malicious code.

The C&C can send arbitrary commands to the infected system using Wscript.shell.run().
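The traits described above (layered JavaScript, persistence through a registry key, hardcoded IP addresses, commands run through WScript.Shell) can be turned into a static triage heuristic for script files found on endpoints or in mail attachments. The following is an added example written for this page, not Kaspersky's or Turla's code: the two scripts it scans are constructed, the indicator weights and the alert threshold are assumptions for illustration, and a heuristic like this is a triage aid for ranking samples, not a signature for KopiLuwak.

```python
import re

# Constructed samples, not Turla code. The first has the traits the report
# describes (nested eval layers, WScript.Shell, a Run call, a registry write,
# hardcoded IPv4 addresses); the second is an ordinary logon script.
SUSPICIOUS_JS = r'''
var s = new ActiveXObject("WScript.Shell");
eval(unescape("%76%61%72%20%78%3D%31"));
eval(String.fromCharCode(118,97,114,32,121,61,50));
s.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "wscript.exe placeholder.js");
var hosts = ["203.0.113.10", "198.51.100.7"];
s.Run("placeholder.exe", 0, false);
'''

BENIGN_JS = r'''
var net = new ActiveXObject("WScript.Network");
net.MapNetworkDrive("H:", "\\\\fileserver\\home");
WScript.Echo("drive mapped");
'''

# Each indicator: (name, compiled regex, weight). Weights and the threshold
# are assumptions for illustration; tune them against your own corpus.
INDICATORS = [
    ("wscript_shell", re.compile(r'ActiveXObject\s*\(\s*["\']WScript\.Shell["\']\s*\)', re.I), 2),
    ("shell_run", re.compile(r'\.Run\s*\(', re.I), 2),
    ("registry_write", re.compile(r'RegWrite\s*\(\s*["\']HK', re.I), 3),
    ("eval_layer", re.compile(r'\beval\s*\(', re.I), 1),
    ("decoder", re.compile(r'\b(unescape|String\.fromCharCode)\s*\(', re.I), 1),
    ("hardcoded_ipv4", re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'), 2),
]

ALERT_THRESHOLD = 6


def score_script(text):
    """Return {indicator name: hit count} for every indicator that matched."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


def risk_score(hits):
    """Weighted sum: each indicator counts once however often it appears,
    except eval layers, where every additional layer adds one point."""
    weights = {name: w for name, _pattern, w in INDICATORS}
    total = 0
    for name, n in hits.items():
        total += weights[name]
        if name == "eval_layer":
            total += n - 1
    return total


def classify(text):
    """Score one script and say whether it crosses the alert threshold."""
    hits = score_script(text)
    score = risk_score(hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_JS), ("benign", BENIGN_JS)):
        print(label, classify(sample))
```

The interesting design point is the co-occurrence: a single `eval` or a single IP literal is common in legitimate scripts, so no one indicator alerts on its own; it is the combination of decoder layers, a shell object, a registry write and hardcoded addresses in one file that pushes a sample over the threshold.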

Since 2016, the KopiLuwak JavaScript backdoor evolved and Kaspersky shared technical details on its changes.

Experts also detailed the evolution of Turla’s Carbon backdoor and of the Meterpreter and Mosquito malware delivery techniques.

Experts believe Turla will continue to improve its arsenal, they believe the nation-state actor could target organizations in Central Asia and related remote locations.

“It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group,” Kaspersky concludes.

“From the targeting perspective, we see closer ties between the KopiLuwak and WhiteBear activity, and closer alignments between Mosquito and Carbon activity.”

Pierluigi Paganini

(Security Affairs – Turla, Sofacy)

The post Kaspersky shed lights on the overlap of operations conducted by Turla and Sofacy appeared first on Security Affairs.

The Git Project addresses a critical arbitrary code execution vulnerability in Git

The Git Project released new versions of the Git client, GitHub Desktop and Atom that address a critical remote code execution vulnerability in Git.

The Git Project addressed a critical remote code execution vulnerability affecting the Git command line client, GitHub Desktop, and Atom.

The flaw, tracked as CVE-2018-17456, could be exploited by a malicious repository to execute arbitrary commands on the system of the user cloning it.

A malicious repository can ship a .gitmodules file that contains a submodule URL starting with a dash.

When Git clones such a repository with the --recurse-submodules argument, the URL is passed as an argument to a child “git clone” process, which interprets it as an option instead of a URL; this makes it possible for the attacker to execute code on the victim’s computer.

“When running “git clone --recurse-submodules”, Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a “git clone” subprocess. If the URL field is set to a string that begins with a dash, this “git clone” subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran “git clone”.”

In addition to fixing the security issue for the user running “clone”, the 2.17.2, 2.18.1 and 2.19.1 releases have an “fsck” check which can be used to detect such malicious repository content when fetching or accepting a push. See “transfer.fsckObjects” in git-config(1).
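The two defences the release note describes, refusing a submodule URL that begins with a dash and making sure a URL handed to a child process can never be parsed as an option, are easy to reproduce in a small checker. The following is an added example, not code from the Git project: a minimal parser for the .gitmodules layout, a check modelled on the fsck rule the note describes, and an argv builder that terminates option parsing with "--". The sample .gitmodules content and the function names are constructed for the example; the dash-prefixed URL in it is only a placeholder showing the shape of the problem, not a working payload.

```python
import re
from typing import Dict, List

# Constructed sample: one benign submodule and one whose URL begins with a dash,
# the shape CVE-2018-17456 abuses. The dash-prefixed value is a placeholder only.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "evil"]
\tpath = evil
\turl = --bogus-option
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> List[Dict[str, str]]:
    """Parse the [submodule "name"] / key = value layout of a .gitmodules file.

    Comment lines and sections other than [submodule "..."] are skipped; keys are
    lower-cased because git config keys are case-insensitive.
    """
    modules: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"name": m.group(1)}
            modules.append(current)
            continue
        if stripped.startswith("["):      # some other section: ignore its keys
            current = None
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def dash_url_submodules(text: str) -> List[str]:
    """Names of submodules whose URL starts with '-': the condition the fsck check
    added in 2.17.2 / 2.18.1 / 2.19.1 rejects when transfer.fsckObjects is on."""
    return [
        mod["name"] for mod in parse_gitmodules(text)
        if mod.get("url", "").startswith("-")
    ]


def safe_clone_argv(url: str, dest: str) -> List[str]:
    """Build a git clone command line in which the URL can never become an option.

    The '--' separator ends option parsing, so even '--bogus-option' is treated as
    a repository location (and then fails as a non-existent repository) rather
    than being honoured as a flag.
    """
    return ["git", "clone", "--", url, dest]


if __name__ == "__main__":
    for mod in parse_gitmodules(SAMPLE_GITMODULES):
        print(mod)
    print("dash-prefixed submodules:", dash_url_submodules(SAMPLE_GITMODULES))
    print(safe_clone_argv("--bogus-option", "checkout"))
```

Enabling the client-side check the note refers to (git config --global transfer.fsckObjects true) makes a patched Git refuse such content at fetch time; the checker above is the equivalent you would run over repositories already on disk or mirrored in CI.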

This flaw has been addressed in Git v2.19.1, GitHub Desktop 1.4.2, Github Desktop 1.4.3-beta0, Atom 1.31.2, and Atom 1.32.0-beta3.

Users have to upgrade their installs to the latest version of the Git client, GitHub Desktop, or Atom.

Pierluigi Paganini

(Security Affairs – Git Project, hacking)

The post The Git Project addresses a critical arbitrary code execution vulnerability in Git appeared first on Security Affairs.

APT28 group return to covert intelligence gathering ops in Europe and South America.

Experts from Symantec collected evidence that APT28 group returns to covert intelligence gathering operations in Europe and South America.

The APT28 state-sponsored group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) seems to have shifted the focus of its operations away from election interference and back to cyber espionage.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US Presidential election.

According to experts from Symantec, the group is now actively conducting cyber espionage campaigns against government and military organizations in Europe and South America.

Starting in 2017 and continuing into 2018, the APT28 group returned to covert intelligence gathering operations in Europe and South America.

“After receiving an unprecedented amount of attention in 2016, APT28 has continued to mount operations during 2017 and 2018. However, the group’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering.” reads the analysis published by Symantec.

“The organizations targeted by APT28 during 2017 and 2018 include:

  • A well-known international organization
  • Military targets in Europe
  • Governments in Europe
  • A government of a South American country
  • An embassy belonging to an Eastern European country”

The cyberespionage group used several malware and hacking tools from its arsenal, including the Sofacy backdoor, which is composed of two main components: Trojan.Sofacy (aka Seduploader), used for basic reconnaissance, and Backdoor.SofacyX (aka X-Agent), used as a second-stage info-stealing malware.

The APT group is also using the recently discovered LoJax UEFI rootkit, which allows the attackers to maintain persistence on the infected machine even if the operating system is reinstalled and the hard drive is replaced.

Symantec researchers also highlighted possible links to other espionage operations, including Earworm, a group that has been active since at least May 2016 and is involved in intelligence-gathering operations against military targets in Europe, Central Asia, and Eastern Asia.

The Earworm group carried out spear-phishing campaigns aimed at delivering the Trojan.Zekapab downloader and the Backdoor.Zekapab.

Experts noticed some overlap between the command and control infrastructure used by Earworm and that used by APT28.

“During 2016, Symantec observed some overlap between the command and control (C&C) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe (the U.S. government code name for APT28 and related actors), implying a potential connection between Earworm and APT28. However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group.” continues the report.

The information gathered by Symantec demonstrates that APT28 is still very active and continues to change its Tactics, Techniques, and Procedures (TTPs) to remain under the radar.

Pierluigi Paganini

(Security Affairs – APT28, hacking)

The post APT28 group return to covert intelligence gathering ops in Europe and South America. appeared first on Security Affairs.

Security Affairs newsletter Round 183 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

  • Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company
  • FBI IC3 warns of cyber attacks exploiting Remote Desktop Protocol (RDP)
  • Attackers chained three bugs to breach into the Facebook platform
  • Cyber Defense Magazine – October 2018 has arrived. Enjoy it!
  • Expert demonstrated how to access contacts and photos from a locked iPhone XS
  • GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers
  • Telegram CVE-2018-17780 flaw causes the leak of IP addresses when initiating calls
  • Adobe security updates for Acrobat fix 86 Vulnerabilities, 46 rated as critical
  • FCA fines Tesco Bank £16.4m over 2016 cyber attack
  • Foxit Reader 9.3 addresses 118 Vulnerabilities, 18 of them rated as critical
  • The Gazorp Azorult Builder emerged from the Dark Web
  • Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it!
  • Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack
  • Hidden Cobra APT used the new ATM cash-out scheme FASTCash to hit banks worldwide
  • New Danabot Banking Malware campaign now targets banks in the U.S.
  • Researchers associated the recently discovered NOKKI Malware to North Korean APT
  • Z-LAB Report – Analyzing the GandCrab v5 ransomware
  • APT38 is behind financially motivated attacks carried out by North Korea
  • Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack?
  • China planted tiny chips on US computers for cyber espionage
  • CVE-2018-4251 – Apple did not disable Intel Manufacturing Mode in its laptops
  • US offers its cyber warfare defense capabilities to NATO
  • Canada blames Russia for cyber attacks against its structures
  • DHS issued an alert on attacks aimed at Managed Service Providers
  • Experts warns of a new extortion campaign based on the Breach Compilation archive
  • Sales intel firm Apollo data breach exposed more than 200 million contact records
  • US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations
  • Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison
  • Sony Bravia Smart TVs affected by a critical vulnerability
  • Windows 10 October 2018 Update could cause CCleaner stop working

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 183 – News of the week appeared first on Security Affairs.

D-Link fixed several flaws in Central WiFiManager access point management tool

D-Link addresses several remote code execution and XSS vulnerabilities affecting the Central WiFiManager access point management tool.

D-Link issued security patches to address several remote code execution and cross-site scripting (XSS) vulnerabilities affecting the Central WiFiManager access point management tool.

The vulnerabilities were reported by researchers at SecureAuth/Core Security.

D-Link Central WiFiManager is a software controller that helps network administrators streamline their wireless access point (AP) management workflow. It relies on a centralized server to allow remote management and monitoring of the wireless APs on a network.

The software can be deployed both locally and in the cloud.

The researchers discovered four potentially serious flaws in Central WiFiManager for Windows (version 1.03 and others), two of which can be exploited for arbitrary code execution.

The most severe flaw, tracked as CVE-2018-17440, is the presence of default credentials (admin/admin) on the FTP server that the web application starts on port 9000.

An attacker can use these credentials to connect to the server and upload a specially crafted PHP file which, once requested through the web server, leads to arbitrary code execution.

“The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and does not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application does not restrict unauthenticated users from requesting any file in the web root, we later request the uploaded file to achieve remote code execution.” reads the security advisory.
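The first flaw is a configuration weakness rather than a code bug: a service that listens with fixed credentials and offers no way to change them. The check a defender wants is therefore a credential audit, not an upload. The following added example, which is neither SecureAuth/Core Security’s proof of concept nor D-Link code, logs in to an FTP service with a short list of default credential pairs, reports which ones are accepted, and disconnects without transferring or listing anything. The host address is from the 192.0.2.0/24 documentation range and the FakeFTPServer class is a constructed stand-in so the example runs offline; against a controller you are authorised to test, pass ftplib.FTP as the factory instead.

```python
import ftplib
from typing import Any, Callable, List, Optional, Sequence, Tuple

Credential = Tuple[str, str]

# Pairs worth probing on an AP controller; admin/admin is the one the advisory names.
DEFAULT_CREDENTIALS: Sequence[Credential] = (("admin", "admin"), ("admin", ""), ("root", "root"))


def ftp_accepts(host: str, port: int, user: str, password: str,
                ftp_factory: Callable[[], Any] = ftplib.FTP,
                timeout: float = 5.0) -> Optional[bool]:
    """True if USER/PASSWORD logs in, False if the server rejects the pair,
    None if the service could not be reached. Nothing is uploaded or listed."""
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:                 # refused, timed out, unreachable
        return None
    try:
        ftp.login(user, password)
    except ftplib.error_perm:       # 530 Login incorrect
        return False
    except ftplib.all_errors:       # dropped connection, malformed reply, ...
        return None
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass
    return True


def audit_default_credentials(host: str, port: int = 9000,
                              candidates: Sequence[Credential] = DEFAULT_CREDENTIALS,
                              ftp_factory: Callable[[], Any] = ftplib.FTP) -> List[Credential]:
    """Return every candidate pair the service accepted; stop if it is unreachable."""
    accepted: List[Credential] = []
    for user, password in candidates:
        result = ftp_accepts(host, port, user, password, ftp_factory=ftp_factory)
        if result is None:
            break
        if result:
            accepted.append((user, password))
    return accepted


class FakeFTPServer:
    """Constructed offline stand-in for a controller whose FTP service on port 9000
    accepts admin/admin. Only the ftplib.FTP methods the audit uses are provided."""
    VALID = {("admin", "admin")}

    def connect(self, host: str, port: int, timeout: Optional[float] = None) -> str:
        if port != 9000:
            raise OSError("connection refused")
        return "220 Service ready"

    def login(self, user: str = "", passwd: str = "") -> str:
        if (user, passwd) not in self.VALID:
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 Login successful."

    def quit(self) -> str:
        return "221 Goodbye."


if __name__ == "__main__":
    # Documentation address; use ftp_factory=ftplib.FTP for a host you are allowed to test.
    print(audit_default_credentials("192.0.2.10", ftp_factory=FakeFTPServer))
```

A non-empty result on a controller still running a version before 1.03R0100-Beta1 means anyone who can reach port 9000 can write into the web root, which is exactly the precondition the advisory’s proof of concept builds on.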

Another flaw discovered by the researchers, tracked as CVE-2018-17442, is an authenticated remote code execution caused by unrestricted upload of a file with a dangerous type.

The Central WiFiManager access point management tool allows users to upload RAR archives, and an authenticated attacker could abuse this feature by uploading an archive that includes a PHP file whose content will be executed in the context of the web application.

“When the .rar is uploaded it is stored in the path ‘\web\captivalportal’ in a folder with a timestamp created by the PHP time() function. In order to know what is the web server’s time we request an information file that contains the time we are looking for. After we have the server’s time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one,” continues the advisory.

The remaining issues are two stored XSS flaws in the “UpdateSite” (CVE-2018-17443) and “addUser” (CVE-2018-17441) functionality, affecting the sitename and username parameters respectively.

The vulnerabilities were reported to D-Link on June 4, and the company addressed them with version 1.03R0100-Beta1.

Pierluigi Paganini

(Security Affairs – D-Link, Central WiFiManager access point)

The post D-Link fixed several flaws in Central WiFiManager access point management tool appeared first on Security Affairs.

Sony Bravia Smart TVs affected by a critical vulnerability

Experts at FortiGuard Labs team discovered three vulnerabilities in eight Sony Bravia smart TVs, one of them rated as critical.

Patch management is a crucial aspect of IoT security: smart objects surround us and represent a privileged target for hackers.

Experts at FortiGuard Labs team discovered three vulnerabilities (a stack buffer overflow, a directory traversal, and a command-injection issue) in eight Sony Bravia smart TVs, one of them rated as critical.

Affected Sony Bravia models include R5C, WD75, WD65, XE70, XF70, WE75, WE6 and WF6.

The most severe vulnerability, tracked as CVE-2018-16593, is a command-injection flaw in Photo Sharing Plus, the Sony application that allows users to share multimedia content from their mobile devices through the TV.

An attacker needs to be on the same wireless network as the Sony TV in order to trigger the vulnerability.

“This application handles file names incorrectly when the user uploads a media file. An attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code execution with root privilege.” reads the blog post published by Fortinet.
“Fortinet previously released IPS signature Sony.SmartTV.Remote.Code.Execution for this specific vulnerability to proactively protect our customers.”

The remaining bugs also affect the Photo Sharing Plus application running on Sony Bravia TVs. The stack buffer overflow (CVE-2018-16595) is a memory corruption vulnerability tied to the lack of size checking on user input.

“This is a memory corruption vulnerability that results from insufficient size checking of user input. With a long enough HTTP POST request sent to the corresponding URL, the application will crash.” continues the advisory.
“Fortinet previously released IPS signature Sony.SmartTV.Stack.Buffer.Overflow for this specific vulnerability to proactively protect our customers.”

The third flaw, a directory-traversal vulnerability tracked as CVE-2018-16594, relates to the way the Photo Sharing Plus app handles file names.

“The application handles file names incorrectly when receiving a user’s input file via uploading a URL. An attacker can upload an arbitrary file with a crafted file name (e.g.: ../../) that can then traverse the whole filesystem.” reads the blog post.
“Fortinet previously released IPS signature Sony.SmartTV.Directory.Traversal for this specific vulnerability to proactively protect our customers.”
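All three Photo Sharing Plus bugs are failures to constrain a single input, the uploaded file name: one lets it reach a shell command, one lets it reach a filesystem path, and one lets its length exceed a fixed buffer. The following added example, which is not Sony’s or Fortinet’s code (neither is shown on this page), contrasts an upload handler that splices the name into a shell command string with a hardened handler that allowlists the characters, bounds the length, resolves the destination and confirms it stays inside the upload root, and builds the copy as an argument vector with no shell. The directories and file names are constructed for the example, and the vulnerable variant only returns the command string it would have run, so nothing is executed.

```python
import os
import re
from typing import List

# Hypothetical directories, constructed for the example.
INCOMING_DIR = "/tmp/incoming"
UPLOAD_ROOT = "/tmp/photo_share"

# Allowlist: letters, digits, dot, underscore, dash, with a hard length cap so the
# name cannot overrun a fixed-size buffer in any native component that consumes it.
MAX_NAME_LEN = 64
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,%d}" % MAX_NAME_LEN)


def vulnerable_store_command(filename: str) -> str:
    """The unsafe pattern: the client-supplied name is interpolated into a shell command.

    Returned rather than executed so the injected text is visible. Passed to a shell,
    'a.jpg; id' runs 'id' as the service user (root on the affected sets) and
    '../../etc/passwd' walks out of the upload root.
    """
    return "cp %s/%s %s/%s" % (INCOMING_DIR, filename, UPLOAD_ROOT, filename)


def hardened_store_path(filename: str) -> str:
    """Validate an uploaded file name and return its destination path.

    Raises ValueError for characters outside the allowlist, for names longer than
    MAX_NAME_LEN or empty, for dot-files (including '.' and '..'), and for any
    resolved path that does not sit directly inside UPLOAD_ROOT.
    """
    if not SAFE_NAME_RE.fullmatch(filename):
        raise ValueError("file name contains disallowed characters or has a bad length")
    if filename.startswith("."):
        raise ValueError("dot-files are not accepted")
    root = os.path.realpath(UPLOAD_ROOT)
    dest = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: the allowlist already excludes '/', but check containment
    # anyway so a later relaxation of the regex cannot reintroduce traversal.
    if os.path.dirname(dest) != root:
        raise ValueError("destination escapes the upload root")
    return dest


def hardened_copy_argv(filename: str) -> List[str]:
    """Argument vector for the copy, meant for subprocess.run(argv) with no shell.

    '--' ends option parsing, so a validated name that happens to start with '-'
    still cannot be read as a cp option.
    """
    dest = hardened_store_path(filename)
    return ["cp", "--", os.path.join(INCOMING_DIR, filename), dest]


if __name__ == "__main__":
    for name in ["photo.jpg", "a.jpg; id", "../../etc/passwd", "x" * 65]:
        try:
            print(repr(name), "->", hardened_copy_argv(name))
        except ValueError as exc:
            print(repr(name), "rejected:", exc)
```

The order of the checks matters: the cheap allowlist and length test run first, so the path resolution never sees hostile input, and the containment test remains as a backstop rather than the primary control.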

Sony has released over-the-air updates to address the flaws; users whose sets are not configured to update automatically need to install them manually.

“If your television is set to automatically receive updates when connected to the internet, it should have already been updated. This is the default setting for the affected models.” reads the security advisory published by Sony.

“To verify that your television has been updated, please visit the Downloads section of your model’s product page. Click the Firmware update link for details about how to check the software version. If your television has not already been updated, please follow the instructions to download and install the update.”

Pierluigi Paganini

(Security Affairs – Sony Bravia, hacking)

The post Sony Bravia Smart TVs affected by a critical vulnerability appeared first on Security Affairs.

Windows 10 October 2018 Update could cause CCleaner stop working

Users are reporting problems with the CCleaner software, which appears to be partially broken after the installation of the Windows 10 October 2018 Update.

Many Windows users are reporting problems after installing the Windows 10 October 2018 Update. A few days ago a Reddit user discovered that the Task Manager tool was showing inaccurate CPU usage after the upgrade.

Other users discovered that some files on their machines were deleted after the Windows 10 October 2018 Update was installed.

Now users are reporting problems with the CCleaner software that appears to be partially broken after the installation of Windows 10 October 2018 Update (version 1809).

Some users claim that certain features have stopped working after upgrading their operating system; for example, CCleaner fails to clean recent files and documents in File Explorer.

According to the member crizal of the official Piriform forum, CCleaner 5.47.6716 no longer cleans the following:

  • Recent files/documents in File Explorer
  • Reliability History
  • Windows Event Logs (CCleaner shows they’re cleaned but they’re still there)
  • Registry Cleaner keeps finding the same Application Paths Issue after every reboot (System32\DriverStore\FileRepository)
  • CCleaner must force close Edge browser prior to every cleaning, even if the browser has been closed (not that big a deal to me)

Piriform plans to fix the issue soon.

“Thank you for reporting. We are aiming to fix this for the next release. Keep your eyes on the Beta Releases forum as we may publish it there first to get the fix out more quickly,” said a forum moderator.

Pierluigi Paganini

(Security Affairs – Windows 10 October 2018 Update)

The post Windows 10 October 2018 Update could cause CCleaner stop working appeared first on Security Affairs.

Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison

Gary Davis, one of the admins and moderators of the notorious Silk Road black marketplace, pleaded guilty to drug trafficking charges.

Gary Davis, a 30-year-old Irish national, was one of the admins and moderators of the notorious Silk Road black marketplace; on Friday he pleaded guilty to drug trafficking charges.

“Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that GARY DAVIS, a/k/a “Libertas,” pled guilty today to conspiring to distribute massive quantities of narcotics, a charge arising out of his role as a member of the small administrative staff of “Silk Road.”  ” reads the DoJ press release.

“Manhattan U.S. Attorney Geoffrey S. Berman said:  “Silk Road was a secret online marketplace for illegal drugs, hacking services, and a whole host of other criminal activity.  As he admitted today, Gary Davis served as an administrator who helped run the Silk Road marketplace.  Davis’s arrest, extradition from Ireland, and conviction should send a clear message: the purported anonymity of the dark web is not a protective shield from prosecution.”

The man, also known as Libertas, faces a maximum sentence of 20 years in prison. Davis also provided customer support to Silk Road users in 2013, a job for which he received a weekly salary.

“From May 2013 up to June 2013, DAVIS served as a forum moderator for Silk Road.  From June 2013 up to October 2, 2013, DAVIS worked as a site administrator on Silk Road. ” continues the press release.

“In his role as a site administrator, DAVIS’s responsibilities included (1) responding to customer support requests from Silk Road users who needed assistance with their buyer or seller accounts on the marketplace; (2) serving as an arbitrator by resolving disputes that arose between drug dealers and buyers on the site; and (3) enforcing the rules for doing business on Silk Road, which had been set by Ulbricht. “

Silk Road was seized by law enforcement in 2013 and its founder Ross William Ulbricht (aka Dread Pirate Roberts) was arrested; he was later sentenced to life in prison after being convicted on multiple counts related to the Silk Road activity.

According to the FBI, between February 2011 and July 2013 Silk Road handled $1.2 billion worth of transactions for 957,079 users, and Ulbricht’s total earnings were nearly $80 million.

According to the DoJ press release, more than $200 million worth of illegal drugs and other contraband were sold through the black market.

The FBI also seized about $33.6 million worth of Bitcoin, which authorities later sold in a series of auctions.

In November 2013, after the seizure of the original Silk Road, a new version of the popular black market, the so-called Silk Road 2.0, was launched, and Libertas was one of its administrators, although it is not clear whether the pseudonym was still used by Davis at the time.

Davis was identified and arrested in Ireland in January 2014. He opposed extradition to the U.S., citing his mental health and fear for his life, and argued that extradition and the consequent incarceration in the U.S. would violate his fundamental rights.

Davis was extradited to the United States in July 2014, and he is expected to be sentenced on January 17, 2019 by Judge Furman.

“DAVIS, 30, of Wicklow, Ireland, pled guilty to one count of conspiracy to distribute narcotics, which carries a maximum sentence of 20 years in prison.” concludes the DoJ. “The maximum potential sentence in this case is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge. DAVIS is scheduled to be sentenced by Judge Furman on January 17, 2019 at 3:30 p.m.”

Pierluigi Paganini

(Security Affairs – Tor, cybercrime)

The post Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison appeared first on Security Affairs.

Sales intel firm Apollo data breach exposed more than 200 million contact records

The sales intelligence firm Apollo is the latest victim of a massive data breach, one that exposed more than 200 million contact records.

Apollo collects a lot of its information from public sources, including names, email addresses, and company contact information, it also gathers data by scraping Twitter and LinkedIn.

The company notified its customers of the security breach last week; the incident occurred on July 23, 2018.

“On discovery, we took immediate steps to remediate our systems and confirmed the issue could not lead to any future unauthorized access,” co-founder and CEO Tim Zheng wrote.

“We can appreciate that this situation may cause you concern and frustration.”

The company, formerly known as ZenProspect, allows salespeople to connect with potential buyers using its database of 200 million contacts at 10 million companies.

Affected customers received a data breach notification email, a copy of which was obtained by TechCrunch.

The notification says the breach was discovered weeks after system upgrades in July.

“We have confirmed that the majority of exposed information came from our publicly gathered prospect database, which could include name, email address, company names, and other business contact information,” reads the data breach notification email sent to the customers.

“Some client-imported data was also accessed without authorization.”

Exposed data includes email addresses, employers, geographic locations, job titles, names, phone numbers, salutations, social media profiles.

The good news is that exposed data doesn’t include Social Security numbers, financial data or email addresses and passwords.

Apollo chief executive Tim Zheng confirmed the investigation is still ongoing, but he did not say if the company has informed state authorities of the security breach.

Apollo co-founder and CTO Ray Li told WIRED that the company is investigating the breach and has reported it to law enforcement.

Experts warn that the company may face sanctions under the European GDPR.

Even if no sensitive data was exposed, this kind of incident exposes users to the risk of fraud, spam, or even more harmful actions.

Troy Hunt has already loaded the records into his data breach tracking service HaveIBeenPwned.

“It’s just a staggering amount of data. There were 125,929,660 unique email addresses in total. This will probably be the most email notifications HaveIBeenPwned has ever sent for one breach,” Hunt explained. “Clearly this is all about ‘data enrichment,’ creating comprehensive profiles of individuals that can then be used for commercial purposes. As such, the more data an organization like Apollo can collect, the more valuable their service becomes.”

Pierluigi Paganini

(Security Affairs – Apollo, data breach)

The post Sales intel firm Apollo data breach exposed more than 200 million contact records appeared first on Security Affairs.

US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations

US DoJ indicted seven defendants working for the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.

The news of the day is that a US DoJ indicted seven defendants working for the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.

The defendants are Aleksei Sergeyevich Morenets, Evgenii Mikhaylovich Serebriakov, Ivan Sergeyevich Yermakov, Artem Andreyevich Malyshev, and Dmitriy Sergeyevich Badin, who work for GRU Military Unit 26165, and GRU officers Oleg Mikhaylovich Sotnikov and Alexey Valerevich Minin.

The hackers were involved in a cyber operation aimed at discrediting the international anti-doping organizations and officials that had revealed the athlete doping program sustained by Moscow.

The GRU officers hacked into the accounts of officials at the anti-doping organizations to steal confidential data and leak it in order to delegitimize them.

According to prosecutors, the defendants also attempted to spread false claims about doping by athletes from other countries.

“According to the indictment, beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.” reads the DoJ press release.

“State-sponsored hacking and disinformation campaigns pose serious threats to our security and to our open society, but the Department of Justice is defending against them,” said Attorney General Jeff Sessions. “Today we are indicting seven GRU officers for multiple felonies each, including the use of hacking to spread the personal information of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program. The defendants in this case allegedly targeted multiple Americans and American entities for hacking, from our national anti-doping agency to the Westinghouse Electric Company near Pittsburgh. We are determined to achieve justice in these cases and we will continue to protect the American people from hackers and disinformation.”

The Russian state-sponsored hackers spread the stolen material and accompanying disinformation through social media accounts and other infrastructure acquired and maintained by GRU Unit 74455 in Russia.

The cyber spies were operating under the name of a false hacktivist group calling itself the “Fancy Bears’ Hack Team.”

“As part of its influence and disinformation efforts, the Fancy Bears’ Hack Team engaged in a concerted effort to draw media attention to the leaks through a proactive outreach campaign,” continues the press release.

“The conspirators exchanged e-mails and private messages with approximately 186 reporters in an apparent attempt to amplify the exposure and effect of their message.”

The indictment of the seven GRU officers is the latest in a string of similar actions against Russian agents involved in hacking activities.

In July, Special Counsel Robert Mueller, who in February had indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, charged 12 Russian intelligence officers working for the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Pierluigi Paganini

(Security Affairs – GRU, Russian hackers)

The post US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations appeared first on Security Affairs.

Experts warn of a new extortion campaign based on the Breach Compilation archive

Cybaze ZLab spotted a new scam campaign targeting some of its Italian customers; the crooks leverage credentials from the Breach Compilation archive.

Security experts from Cybaze ZLab have spotted a new scam campaign that is targeting some of its Italian customers.

Crooks are attempting to monetize the huge quantity of credentials circulating in the underground market by targeting unaware users with a new extortion scheme.

The number of spam messages associated with this campaign is rapidly increasing. The attackers are using credentials collected in the infamous database dubbed ‘Breach Compilation’.

The Breach Compilation archive contains about 1.4 billion cleartext credentials aggregated from a series of data breaches.

It is still unclear whether the attackers built a pool of email addresses from the archive to send the spam to, or are running credential stuffing attacks against the email accounts of unaware users in order to hijack them and send the spam from there.

Credential stuffing attacks use botnets to replay stolen username and password pairs, usually obtained through phishing and data breaches, against other services. The technique is effective because of the bad habit of reusing the same password across multiple services.
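As an added example (not part of the original post or of Cybaze's analysis), the following Python snippet shows the detection logic that separates credential stuffing from an ordinary forgotten password in an authentication log: one source address failing against many distinct accounts in a short window, rather than one account failing repeatedly. The log format, the thresholds and the sample lines are constructed assumptions for the demonstration.

```python
"""Added example (not from the Security Affairs post or Cybaze): flag the
login pattern typical of credential stuffing in a constructed auth log.

A stuffing bot replays leaked username:password pairs, so one source IP
produces failed logins against many *distinct* accounts in a short window,
whereas a user who forgot a password hammers one account. The log format,
thresholds and sample lines below are assumptions for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: 203.0.113.9 sprays many accounts, 198.51.100.4 is a
# legitimate user retrying one account, 192.0.2.7 succeeds after one failure.
SAMPLE_LOG = """\
2018-10-03T10:00:01 auth FAIL user=alice ip=203.0.113.9
2018-10-03T10:00:02 auth FAIL user=bob ip=203.0.113.9
2018-10-03T10:00:02 auth FAIL user=carol ip=203.0.113.9
2018-10-03T10:00:03 auth FAIL user=dave ip=203.0.113.9
2018-10-03T10:00:03 auth OK user=erin ip=203.0.113.9
2018-10-03T10:00:04 auth FAIL user=frank ip=203.0.113.9
2018-10-03T10:00:05 auth FAIL user=grace ip=203.0.113.9
2018-10-03T10:01:00 auth FAIL user=heidi ip=198.51.100.4
2018-10-03T10:01:05 auth FAIL user=heidi ip=198.51.100.4
2018-10-03T10:01:09 auth FAIL user=heidi ip=198.51.100.4
2018-10-03T10:01:20 auth OK user=heidi ip=198.51.100.4
2018-10-03T11:30:00 auth FAIL user=ivan ip=192.0.2.7
2018-10-03T11:30:30 auth OK user=ivan ip=192.0.2.7
"""


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"distinct_users": n, "failures": f, "successes": [...]}} for
    every source IP that failed against at least `min_users` distinct accounts
    inside any `window`-long span. Successes from a flagged IP are the accounts
    whose reused password worked and should be reset first."""
    events = defaultdict(list)          # ip -> [(ts, result, user)]
    for ts, result, user, ip in parse(log_text):
        events[ip].append((ts, result, user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {user for _, user in fails[start:end + 1]}
            if len(distinct) >= min_users:
                flagged[ip] = {
                    "distinct_users": len({u for _, u in fails}),
                    "failures": len(fails),
                    "successes": sorted(u for _, r, u in evs if r == "OK"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

A flagged source's successful logins are the accounts whose reused password worked; those are the ones to reset and to check for outbound spam. On real logs the same idea is applied per application, with the window and account threshold tuned to the service's normal failure rate.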

One of the messages used in this campaign is shown below as an example.

The message is a classic sextortion scam: the criminals threaten to reveal publicly that the victim watches pornographic videos and claim to have a recording of the victim doing so. The claim is false.

Crooks blackmail the victims and request the payment of a fee in Bitcoin to avoid spreading the video.

To be more convincing and trick victims into paying, the crooks include in the body of the email a password used by the victim as proof of the alleged compromise. The password was taken from the Breach Compilation archive.

Experts from Cybaze have analyzed several email samples belonging to this campaign, most of them in English; one of their customers received a scam message in poorly written Italian.

The English messages ask the victim to pay $3,000 worth of Bitcoin, while the Italian one asks for $350, a difference that suggests other threat actors are reusing the same technique.

The attackers may have automated the process of sending scam emails to the addresses in the archive and generating a distinct Bitcoin address for each message.

Experts from Cybaze analyzed a couple of the Bitcoin addresses found in the scam messages; in one case they found several incoming transactions, which suggests that some victims paid.

The Bitcoin address with nine associated transactions is 1Lughwk11SAsz54wZJ3bpGbNqGfVanMWzk.

Raising awareness of this campaign is essential so that others do not fall victim to this type of extortion.

As usual, avoid reusing the same credentials across multiple web services. You can check whether your email address appears in a known data breach by querying the free service

https://haveibeenpwned.com/
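As a complement, here is an added example (not from the original post) of the password side of that check: Have I Been Pwned's Pwned Passwords range API lets you test whether a password, such as the one quoted in a scam email, appears in known breaches without sending the password itself. The client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally (k-anonymity). The endpoint URL is the public one; the range response embedded below is constructed for the demonstration, and the actual HTTP request is left to the caller.

```python
"""Added example (not from the Security Affairs post): check a leaked password
against Have I Been Pwned's Pwned Passwords range API without revealing it.

The API is k-anonymous: the client sends only the first five hex characters
of the password's SHA-1 hash and receives every known suffix starting with that
prefix, then matches the rest locally. The URL format is the public one; the
range response below is constructed for the demonstration (real responses list
hundreds of suffixes), and network access is left to the caller.
"""
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"   # public API endpoint

# Constructed stand-in for the body returned for prefix 5BAA6. Each line is
# "<35 hex chars of suffix>:<times seen in breaches>"; the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5AD7E93EFF7B5D4CB0B5F3E29C6A2EB9C:1
"""


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: the first five
    characters go on the wire, the remaining 35 stay on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password):
    """URL to fetch for this password; note that it carries only the prefix."""
    prefix, _ = split_hash(password)
    return RANGE_URL.format(prefix=prefix)


def count_in_range(password, range_body):
    """Match the local suffix against a range response body. Returns how many
    times the password was seen in breaches, 0 if absent from the range."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue           # tolerate blank or padded lines in the response
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # sha1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the prefix
    # sent to the service is 5BAA6 and the suffix matches the constructed sample.
    print(range_request_url("password"))
    print(count_in_range("password", SAMPLE_RANGE_5BAA6))
```

To run it for real, fetch `range_request_url(pw)` over HTTPS and pass the response body to `count_in_range`; a non-zero count means the password is in circulation and should be changed everywhere it was reused, whether or not any scam email quoted it.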

Pierluigi Paganini

(Security Affairs – Breach Compilation, scam campaign)

The post Experts warn of a new extortion campaign based on the Breach Compilation archive appeared first on Security Affairs.

DHS issued an alert on attacks aimed at Managed Service Providers

The United States Department of Homeland Security (DHS) is warning of ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

The DHS issued an alert on ongoing attacks aimed at global managed service providers (MSPs) that are carried out by an advanced APT group.

Managed services is the practice of proactively outsourcing certain processes and functions in order to improve operations and cut expenses. It is an alternative to the break/fix or on-demand outsourcing model, in which the service provider performs work on request and bills the customer only for the work done.

The use of MSPs enlarges the attack surface: a provider holds trusted, often privileged, access into many customer networks, so compromising one provider can give an attacker a path into all of them. The DHS alert, TA18-276B, relates to activity uncovered by DHS’ National Cybersecurity and Communications Integration Center (NCCIC) in April 2017.

“The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” reads the alert issued by DHS.

“Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.”

Security firms attributed the attacks to a Chinese threat actor referred to as APT10 (aka menuPass and Stone Panda).

The group has been active since at least 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, that targeted managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks by the group leveraging spear-phishing emails with weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

ANEL had previously been seen in earlier attacks only as a beta or release-candidate version. In September, researchers from FireEye uncovered and blocked a campaign by the Chinese APT10 cyber espionage group aimed at the Japanese media sector.

The hackers used a broad range of malware in their campaigns, including PlugX RAT, ChChes, Quasar, RedLeaves, the UPPERCUT backdoor, NetTraveler, and ZeroT.

The DHS alert also provides technical information on detection, response and mitigation for this specific threat.

Pierluigi Paganini

(Security Affairs – China, managed service)

The post DHS issued an alert on attacks aimed at Managed Service Providers appeared first on Security Affairs.


Canada blames Russia for cyber attacks against its structures

The Government of Canada blamed the GRU, the Russian military’s intelligence agency, for cyber attacks at the Montreal-based World Anti-Doping Agency.

“The government of Canada assesses with high confidence that the Russian military’s intelligence arm, the GRU, was responsible” for these cyber attacks, the foreign ministry said in a statement.

[cyber attacks are] “part of a broader pattern of activities by the Russian government that lie well outside the bounds of appropriate behavior, demonstrate a disregard for international law and undermine the rules-based international order.”

“all those who value this order to come together in its defence.”

Canada and its allies accused Russia of pursuing an aggressive cyber strategy that continuously attempts to interfere in the politics of foreign states.

The allies blamed the Kremlin for the cyber attacks that in April targeted the official networks of the Organisation for the Prohibition of Chemical Weapons (OPCW).

In September the Dutch newspaper NRC and the Swiss daily Tages-Anzeiger reported that Dutch intelligence services had arrested two alleged Russian spies working for the GRU on suspicion of planning to hack the Spiez laboratory near Bern.

The laboratory conducts investigations for the OPCW, the global chemical arms watchdog; its researchers were investigating the poisoning of Sergei Skripal and his daughter in Salisbury.

The two agents carried equipment to hack into the network of the laboratory to spy on the activity of its researchers.

The Netherlands expelled four alleged agents, while the United States charged seven Russian agents with hacking the World Anti-Doping Agency (WADA) in 2016.

The foreign ministry added that in the same period the Canadian Centre for Ethics in Sport was “compromised by malware enabling unauthorized access to the Centre’s network.”

Britain and Australia also accused the Russian military intelligence of running a massive espionage campaign.

Pierluigi Paganini

(Security Affairs – Canada, Russia)

The post Canada blames Russia for cyber attacks against its structures appeared first on Security Affairs.

China planted tiny chips on US computers for cyber espionage

China used tiny chips implanted on computer equipment manufactured for US companies and government agencies to steal secret information.

According to a report published by Bloomberg News, China used tiny chips implanted on computer equipment manufactured for US companies and government agencies, including Amazon and Apple, to steal secret information.

The chips are about the size of a grain of rice; they were discovered in an investigation that started three years ago and is still ongoing.

“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.” reads the report.

The tiny chips were used as a “stealth doorway” into computer equipment, a hardware backdoor very hard to detect.

According to unnamed US officials cited in the report, the spying hardware was designed by a unit of the People’s Liberation Army and was inserted on equipment manufactured in China for US-based Super Micro Computer Inc.

Amazon discovered the tiny chips when it acquired software firm Elemental and conducted a security assessment of equipment made for Elemental by California-based Supermicro.

Elemental manufactured equipment for Department of Defense data centers, the CIA’s drone operations, and onboard networks of Navy warships.

“Elemental also started working with American spy agencies. In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government.” continues the report.

“Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. This portfolio made Elemental a target for foreign adversaries.”

The tiny chips were designed to be implanted directly on the motherboards, the backbone for computer equipment used in data centers of the major US firms.

Amazon denied any knowledge of a supply chain compromise.

“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon wrote.

Apple denied having found spy chips in its equipment.

“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote.

Pierluigi Paganini

(Security Affairs – China, hardware backdoor)

The post China planted tiny chips on US computers for cyber espionage appeared first on Security Affairs.




CVE-2018-4251 – Apple did not disable Intel Manufacturing Mode in its laptops

While analyzing the Intel Management Engine (ME), Positive Technologies discovered that Apple did not disable Intel Manufacturing Mode in its laptops.

Experts from security firm Positive Technologies, while analyzing the Intel Management Engine (ME), discovered that Apple had shipped laptops without closing Manufacturing Mode.

The Intel Management Engine is a microcontroller embedded in the Platform Controller Hub chip; together with integrated peripherals, it is a critical component that handles data exchanged between the processor and those peripherals.

For this reason, security experts have warned in the past of the risks posed by Intel ME vulnerabilities: an attacker who exploits a flaw in the ME can establish a backdoor on the affected system and gain full control over it.

Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.

The team also published proof-of-concept exploit code for an Intel ME vulnerability that gives JTAG debugging access to the engine.

Last year, experts from the Electronic Frontier Foundation asked Intel to provide a way to disable the ME.

In August 2017, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy found a way to disable Intel ME 11 through an undocumented mode.

The researchers discovered that the ME can be turned off by setting the undocumented High Assurance Platform (HAP) bit to 1 in the firmware configuration.

The bit takes its name from the High Assurance Platform program, a security framework developed by the US National Security Agency.

This week, researchers Maxim Goryachy and Mark Ermolov published a blog post revealing that Intel’s ME contains an undocumented Manufacturing Mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” states the security duo.

“However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

Manufacturing Mode can only be accessed through a utility included in the Intel ME System Tools package, which is not available to the public. The tool configures platform settings both in one-time programmable memory, the Field Programmable Fuses (FPFs), an operation normally performed before shipment, and in the ME’s internal file system (MFS) on SPI (Serial Peripheral Interface) flash, via parameters known as CVARs (Configurable NVARs, Named Variables).

On older platforms, prior to Apollo Lake, Intel kept the SPI flash access rights of the Intel Management Engine, the Gigabit Ethernet controller and the CPU separate.

In newer systems, the SPI controllers implement the Master Grant feature that could override the access rights declared in the SPI descriptor.

“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.

The experts pointed out that if the manufacturer leaves Manufacturing Mode open, a local attacker with administrative privileges can reconfigure the ME and rewrite its region of the SPI flash, and the access rights declared in the SPI descriptor alone cannot prevent it.

Ironically, one of Intel’s major customers, Apple, shipped laptops with Manufacturing Mode enabled; the issue is tracked as CVE-2018-4251.

Apple addressed the problem in June 2018 with the macOS High Sierra 10.13.5 update.

The researchers published a Python script on GitHub that lets owners of Intel-based systems check whether Manufacturing Mode is enabled.
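As an added example (not Positive Technologies’ published script), the following Python code decodes the Intel ME Host Firmware Status register HFSTS1, whose bit 4 reports Manufacturing Mode, and reads it from PCI configuration space on Linux. The register offset (0x40 in the Management Engine Interface device’s PCI config space) and the field layout follow the public definition used in coreboot (struct me_hfs); the sysfs path 0000:00:16.0 is the usual MEI location and is an assumption, and the sample register values are constructed for the demonstration.

```python
"""Added example (not Positive Technologies' published script): decode the
Intel ME Host Firmware Status register HFSTS1 and report whether the engine is
in Manufacturing Mode.

HFSTS1 is exposed in the PCI configuration space of the Management Engine
Interface device (normally bus 0, device 22, function 0) at offset 0x40; the
field layout below follows the public definition used by coreboot (struct
me_hfs), where bit 4 is the Manufacturing Mode flag. The sysfs path is the
Linux one (assumed MEI location) and the sample register values are constructed.
"""
import struct

MEI_PCI_CONFIG = "/sys/bus/pci/devices/0000:00:16.0/config"   # assumed MEI location
HFSTS1_OFFSET = 0x40

# Names as in coreboot's me.h (ME_HFS_CWS_* and ME_HFS_MODE_*)
WORKING_STATES = {0: "reset", 1: "initializing", 2: "recovery",
                  5: "normal", 6: "wait", 7: "transition", 8: "invalid"}
OPERATION_MODES = {0: "normal", 2: "debug", 3: "soft temporary disable",
                   4: "security override via jumper",
                   5: "security override via HECI"}


def decode_hfsts1(value):
    """Split the 32-bit HFSTS1 value into the fields a triage needs."""
    working = value & 0xF                      # bits 0-3
    op_mode = (value >> 16) & 0xF              # bits 16-19
    return {
        "working_state": WORKING_STATES.get(working, "unknown(%d)" % working),
        "manufacturing_mode": bool((value >> 4) & 1),   # bit 4: mode left open
        "fpt_bad": bool((value >> 5) & 1),              # bit 5: flash partition table bad
        "fw_init_complete": bool((value >> 9) & 1),     # bit 9
        "error_code": (value >> 12) & 0xF,              # bits 12-15
        "operation_mode": OPERATION_MODES.get(op_mode, "unknown(%d)" % op_mode),
    }


def manufacturing_mode_enabled(value):
    """True when the platform was shipped without closing Manufacturing Mode."""
    return decode_hfsts1(value)["manufacturing_mode"]


def read_hfsts1(path=MEI_PCI_CONFIG):
    """Read HFSTS1 (little-endian) from the MEI device's PCI config space.
    Needs root on Linux: sysfs only lets unprivileged users read offsets
    below 0x40, and the register sits exactly at 0x40."""
    with open(path, "rb") as f:
        f.seek(HFSTS1_OFFSET)
        return struct.unpack("<I", f.read(4))[0]


# Constructed sample values: both show a normal working state (5) with firmware
# initialisation complete (bit 9); only the first has the bit 4 flag set.
SAMPLE_MFG_MODE_OPEN = 0x00000255     # 0b0010_0101_0101
SAMPLE_MFG_MODE_CLOSED = 0x00000245   # same, bit 4 clear


if __name__ == "__main__":
    try:
        value = read_hfsts1()
    except OSError as exc:            # no MEI device, or not running as root
        print("could not read HFSTS1 (%s); decoding a sample value instead" % exc)
        value = SAMPLE_MFG_MODE_OPEN
    for name, field in decode_hfsts1(value).items():
        print("%-20s %s" % (name, field))
```

If the flag reads true on a machine already in the field, the platform can still be reconfigured through the FPFs and CVARs by a local administrator, which is exactly the condition the researchers describe; the fix has to come from the vendor as a firmware update, as it did for Apple.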

“Our research shows that Intel ME has a Manufacturing Mode problem, and that even giant manufacturers such as Apple are not immune to configuration mistakes on Intel platforms. Worse still, there is no public information on the topic, leaving end users in the dark about weaknesses that could result in data theft, persistent irremovable rootkits, and even “bricking” of hardware.” the experts conclude.
“We also suspect that the ability to reset ME without resetting the main CPU may lead to yet additional security issues, due to the states of the BIOS/UEFI and ME falling out of sync.”

Pierluigi Paganini

(Security Affairs – Intel Manufacturing Mode, Apple)

The post CVE-2018-4251 – Apple did not disable Intel Manufacturing Mode in its laptops appeared first on Security Affairs.

Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack?

The Canadian restaurant chain Recipe Unlimited, which operates 19 restaurant brands, suffered a major IT outage over the weekend caused by a “malware outbreak.”

The company operates nearly 1,400 restaurants under 19 different brands in Canada.

Recipe Unlimited has suffered a major malware-based attack that impacted several of its brands.

On Monday the company confirmed that malware was the root cause of a partial network outage at nine of its brands, including Swiss Chalet, Harvey’s, East Side Mario’s and Kelseys.

Recipe discovered the malware outbreak on September 28 and immediately started its incident response procedure: a number of systems were taken offline and the affected locations were disconnected from the internet.

The affected locations continued to process card transactions manually.

The infections have caused the closure of a “small number” of restaurants for a “temporary period of time.”

“A limited number of Recipe Unlimited restaurants are currently experiencing a partial network outage. Only certain restaurants under the Swiss Chalet, Harvey’s, Milestones, Kelseys, Montana’s, Bier Markt, East Side Mario’s, The Landing Group of Restaurants and Prime Pubs brands have been impacted.” reads a statement published by the company.

“We learned of the malware outbreak on Friday, September 28 and immediately initiated steps to prevent any further spread and take appropriate precautionary measures. As a result, we have taken a number of our systems offline and suspended internet access to affected locations as a precaution. This caused some of our restaurants to experience some service delay related issues, including being unable to process credit and debit card transactions. However, all of those restaurants are able to manually process credit card charges. A smaller number of affected restaurants have decided to close for a temporary period of time to avoid inconvenience to guests due to service issues.”

According to CBC News, Recipe was the victim of a ransomware attack; the broadcaster also published a copy of a ransom note provided by a worker at one of the affected restaurants.

“All of our computer systems crashed,” said a worker on shift at the time at an affected location. “The ransom note appeared under the file, ‘read me‘ in a WordPad format. We were all really in a state of shock.”

The attackers claim to have encrypted the files using “the strongest military algorithms”; at the time of writing there is no information on the amount of Bitcoin demanded from the victim.

The amount demanded increases with time.

“The final price depends on how fast you write to us,” warns the ransom note. “Every day of delay will cost you additional +0.5 BTC.”

Recipe Unlimited denies having been the victim of a ransomware attack, pointing to the regular system backups that allow it to restore systems promptly; backups limit the impact of such an attack rather than rule one out.

“We maintain appropriate system and data security measures,” said spokesperson Maureen Hart in an email.

According to Hart, the ransom note published online is a “generic” statement associated with a virus called Ryuk, and other copies of the note can be found via a Google search.

The ransom note matches the one used by Ryuk, a ransomware family documented by security experts at Check Point in August 2018. At the time, Check Point attributed the campaign, which hit organizations around the world, to a North Korea-linked threat actor on the basis of code similarities with the Hermes ransomware.

The campaign appeared targeted and well planned: the attackers hit several enterprises and encrypted hundreds of PCs, storage systems and data centers in each infected company.

Pierluigi Paganini

(Security Affairs – Recipe, ransomware)

The post Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack? appeared first on Security Affairs.

US offers its cyber warfare defense capabilities to NATO

The United States will offer its offensive cyber capabilities to NATO to strengthen its defenses against threat actors like Russian ones.

The United States is expected to announce that it will provide cyber warfare capabilities to NATO to strengthen its defenses against threat actors such as Russia.

The announcement is expected today at a meeting of defence ministers in Brussels, the decision follows the public commitment of Britain and Denmark in providing cyber resources to NATO.

According to NATO chief Jens Stoltenberg, cyber attacks against members of the alliance are increasing in frequency and complexity, for this reason, it is essential to approach them with joint effort and mutual collaboration.

Attackers are able to interfere with the political processes of states, as already happened during the 2016 US Presidential election, and to threaten critical infrastructure worldwide.

Cyber attacks on NATO countries were becoming “more frequent… more sophisticated… more coercive,” Stoltenberg said, and any contribution of cyber capabilities was welcome.

“We see cyber being used to meddle in domestic political processes, attacks against critical infrastructure, and cyber will be an integral part of any future military conflict,” Stoltenberg said.

The critical infrastructure of Lithuania, Latvia and Estonia is under incessant attack, which those countries attribute to Russia.

Russia-linked APT groups are blamed for interference in several European elections and in the 2018 US midterm elections.

US intelligence accused the Kremlin of conducting a disinformation campaign in Macedonia through social media, aimed at sabotaging the referendum on changing the country’s name, a change that could open the door to NATO membership for the country.

Pierluigi Paganini

(Security Affairs – NATO, Russia)

The post US offers its cyber warfare defense capabilities to NATO appeared first on Security Affairs.

APT38 is behind financially motivated attacks carried out by North Korea

Security experts from FireEye published a report on the activity of financially motivated threat actors, tracked as APT38, linked to the North Korean government.

The attacks target financial institutions; FireEye estimates that APT38 has stolen at least a hundred million dollars from banks worldwide.

APT38 appears to be a North Korea-linked group separate from the infamous Lazarus group, it has been active since at least 2014 and it has been observed targeting over 16 organizations across 11 countries.

The report attributes to APT38 a string of attacks that abused the SWIFT interbank messaging system, including the hacks of Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s Far Eastern International Bank in 2017, Bancomext in Mexico in 2018 and Banco de Chile in 2018.

“APT38 is a financially motivated group linked to North Korean cyber espionage operators, renowned for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware.” reads the report published by FireEye.

“Attribution to both the “Lazarus” group and TEMP.Hermit was made with varying levels of confidence primarily based on similarities in malware being leveraged in identified operations. Over time these malware similarities diverged, as did targeting, intended outcomes, and TTPs, almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.”

According to FireEye, APT38 targets banks worldwide to bring in cash for the North Korean government, circumventing the sanctions imposed on Pyongyang by foreign states.

“Based on observed activity, we judge that APT38’s primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime. Increasingly heavy and pointed international sanctions have been levied on North Korea following the regime’s continued weapons development and testing.” continues the report.

“The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang.”

Experts believe the activity of the group will continue in the future, likely adopting new sophisticated tactics to avoid detection.

“Based on the large scale of resources and vast network dedicated to compromising targets and stealing funds over the last few years, we believe APT38’s operations will continue in the future,” concludes FireEye.

“In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate.” 

Pierluigi Paganini

(Security Affairs – APT38, North Korea)

The post APT38 is behind financially motivated attacks carried out by North Korea appeared first on Security Affairs.

Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it!

We hope you enjoy our Cyber Defense Magazine Annual Global Edition for 2018, including our Global Awards Winners for 2018, packed with over 75 pages of excellent content.

Cyber Defense Magazine

Global Edition for 2018 has arrived.

Global Awards Winners Announced!

Sponsored By: TrendMicro


InfoSec Knowledge is Power. We have 6 years of eMagazines online with timeless content. Visit our online library. Please tell your friends to subscribe – no strings, always free eMagazines.

Our Global Awards are annually given out at the IPEXPO EUROPE Conference as a global event in Europe every year, Q4.  GLOBAL 2018 Awards have arrived – Winners are listed here:  https://www.cyberdefensemagazine.com/cdga-winners-2018/

Our InfoSec awards are annually given out at the RSA Conference in the United States every year, Q1.  USA 2019 Awards – OPENING SOON!

Magazines, TV and Awards, with our upcoming platform coming soon.

Sincerely,
TEAM CDM
Cyber Defense Magazine

We are all things Cyber Defense. Thank you to our amazing readership!

Don’t forget to visit www.cyberdefense.tv – watch, learn & grow.

Pierluigi Paganini

(Security Affairs – hacking, Cyber Defense Magazine)

The post Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it! appeared first on Security Affairs.

Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack

Experts discovered nine vulnerabilities affecting NAS devices that could be exploited by unauthenticated attackers to access protected content.

Nine flaws affecting NAS devices could be exploited by unauthenticated attackers to access protected content.

The vulnerabilities are tracked as CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081 and CVE-2018-9082.

According to Lenovo, the flaws affect 20 models of network attached storage (NAS) devices sold by the company under the Lenovo, LenovoEMC and Iomega brands.

The list of vulnerable devices includes eight LenovoEMC NAS (PX) models, nine Iomega StorCenter (PX and IX) models and three Lenovo-branded devices: the ix4-300d, the ix2 and the EZ Media and Backup Center.

The flaws have been discovered as a part of a research project conducted by ISE Labs focused on the security of embedded devices.

Most of the devices audited by the researchers were affected by some form of OS command injection that a remote attacker could exploit to obtain a root shell on the device.

Chaining different vulnerabilities makes it possible to gain full control of the device. The researchers noticed, for example, that the command injection requires the victim’s access token and a session-cookie-like identifier (the “__c” parameter); a typical attack obtains them by luring an authenticated NAS user into visiting a specially crafted malicious website.

“If we want to exploit this OS command injection we are going to need to figure out how these tokens are generated or access to the victim’s iomegaUserCookie (__c) token. Whenever I think about stealing some type of value stored in the user’s browser I think about cross-site scripting (XSS).” the researchers state.

The experts found a cross-site scripting vulnerability that gave them access to this information, then used the stolen browser data to execute commands on the vulnerable devices.

Once the attacker holds the target’s access token and “__c” parameter, reaching the storage device only requires knowing its IP address, which on a NAS is usually static and therefore no obstacle.

In summary, by chaining the cross-site scripting, command injection and privilege escalation issues, an attacker can execute commands on the device on behalf of legitimate users.
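As an added illustration of the OS command injection class described above (not the LenovoEMC/Iomega firmware code, whose handlers and parameters are not shown on this page), the following Python shows the vulnerable pattern next to two hardened forms. The `share_name` parameter, the `echo` stand-in for whatever diagnostic command the web UI ran, and the allowlist pattern are assumptions made for the example:

```python
"""OS command injection: vulnerable handler beside two hardened forms.

Added example, not the LenovoEMC/Iomega firmware code. `share_name` and the
`echo` command stand in for the real handler's parameter and the program the
NAS web UI invoked; both are assumptions for this illustration.
"""
import re
import subprocess

# Allowlist for a share name: letters, digits, dot, underscore, dash (assumed
# rule; a real device would enforce its own naming constraints).
SHARE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def run_vulnerable(share_name: str) -> str:
    """Anti-pattern: untrusted input interpolated into a shell command string.
    shell=True hands the string to /bin/sh, so ';', '|', '$(...)' and backticks
    inside share_name are interpreted as shell syntax."""
    cmd = f"echo {share_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(share_name: str) -> str:
    """Mitigation 1: pass an argument vector and no shell. Metacharacters
    reach the program as one literal argument and are never interpreted."""
    return subprocess.run(["echo", share_name], capture_output=True, text=True).stdout


def run_hardened(share_name: str) -> str:
    """Mitigations 1 + 2: argv plus strict allowlist validation, which also
    blocks argument injection (values starting with '-') against tools that
    parse options, and rejects the payload before anything is executed."""
    if not SHARE_NAME.fullmatch(share_name):
        raise ValueError(f"rejected share name: {share_name!r}")
    return subprocess.run(["echo", share_name], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "share; echo INJECTED"  # constructed attacker-controlled input
    print("vulnerable:", run_vulnerable(payload).splitlines())  # ['share', 'INJECTED']
    print("argv only :", run_argv_only(payload).splitlines())   # ['share; echo INJECTED']
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened  :", err)
```

The argv form alone already defeats the injection; the allowlist is what you add when the invoked program has options of its own, or when the value is later reused in another context (a path, a config file) where different metacharacters matter.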

The experts reported the vulnerabilities to Lenovo on August 3; the company issued patches for the affected systems on September 20 and publicly disclosed the vulnerabilities on September 30.

Lenovo confirmed that firmware versions 4.1.402.34662 and earlier are vulnerable; users should update to firmware version 4.1.404.34716 or later.

The company suggests removing any public shares and using the device only on trusted networks in case it is not possible to immediately update the firmware.

Pierluigi Paganini

(Security Affairs – Lenovo, NAS)

The post Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack appeared first on Security Affairs.

New Danabot Banking Malware campaign now targets banks in the U.S.

According to malware researchers from Proofpoint, DanaBot attackers launched a new campaign aimed at banks in the United States.

A couple of weeks ago, security experts at ESET observed a surge in activity of the DanaBot banking Trojan, which was targeting Poland, Italy, Germany, Austria and, as of September 2018, Ukraine.

DanaBot is a multi-stage modular banking Trojan written in Delphi; its plug-in architecture lets the operators add new functionality by shipping new modules.

When Proofpoint first analyzed it, its experts noted that the threat was under active development.

The banking Trojan initially targeted users in Australia and Poland, then expanded to the other European countries listed above.

According to Proofpoint, the DanaBot operators have now launched a campaign aimed at banks in the United States as well. Experts tracked the different campaigns through an ID found in the C&C communications, a circumstance that suggests DanaBot is offered under a malware-as-a-service model.

Proofpoint has identified nine different affiliates, each distributing the Trojan in a specific region; only Australia was targeted by two different groups.

“Based on distribution methods and targeting, we have been grouping DanaBot activity using an “affiliate ID” that we have observed in various part of the C&C protocol (e.g., offset 0xc of the 183-byte binary protocol header). ” reads the report published by ProofPoint.

The campaign against North American targets uses spam messages posing as eFax digital fax notifications.

When the recipient clicks the download button in the message body, a weaponized Word document posing as the eFax is downloaded.

If the recipient enables the macros in order to “view the fax”, the malicious code executes the embedded Hancitor malware, which in turn downloads two versions of the Pony stealer and the DanaBot banking malware.

“The emails used an eFax lure (Figure 1) and contained a URL linking to the download of a document containing malicious macros (Figure 2). The macros, if enabled by the user, executed the embedded Hancitor malware [3], which, in turn, received tasks to download two versions of Pony stealer and the DanaBot banking malware.” continue the analysis.

Proofpoint highlighted that each affiliate ID uses different distribution methods: some actors leverage the Fallout Exploit Kit, others web injects or malspam campaigns. The researchers also found similarities between DanaBot’s command and control protocol and the custom C&C protocol that the CryptXXX ransomware used on TCP port 443.

Proofpoint speculates that DanaBot’s C&C traffic is an evolution of that protocol, adding AES encryption on top of the zlib compression.

The researchers believe that the developers created DanaBot as part of an evolution of CryptXXX.
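An added example (not Proofpoint’s code) of the network-side check this behaviour suggests: a custom binary protocol on TCP/443 does not begin with a TLS ClientHello, so a flow whose first client payload fails a minimal TLS record check is worth triaging whatever family it belongs to. The page gives the 183-byte header length and the 0xc offset of the affiliate ID, but not the field’s width or byte order; the 4-byte little-endian field, the flow tuples and the payloads below are assumptions and constructed data:

```python
"""Network triage for a non-TLS custom protocol on TCP/443.

Added example, not Proofpoint code. The 183-byte header length and the 0xc
affiliate-ID offset come from the report quoted above; the 4-byte little-endian
field width is an ASSUMPTION, and all flows below are constructed.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

HEADER_LEN = 183           # header size reported by Proofpoint
AFFILIATE_OFFSET = 0x0C    # offset of the affiliate ID within the header
AFFILIATE_WIDTH = 4        # assumed width of the field (not stated on the page)

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
TLS_MAX_RECORD = 16384 + 2048   # TLSCiphertext length ceiling (RFC 5246)

Flow = Tuple[str, str, int, bytes]   # (src, dst, dst_port, first client payload)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Minimal TLS record check: content type 22 (handshake), major version 3,
    a plausible record length, and handshake type 1 (ClientHello)."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    (record_len,) = struct.unpack(">H", payload[3:5])
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    if record_len == 0 or record_len > TLS_MAX_RECORD:
        return False
    return payload[5] == TLS_CLIENT_HELLO


def extract_affiliate_id(payload: bytes) -> Optional[int]:
    """Read the assumed 4-byte LE affiliate ID from a header-sized payload."""
    if len(payload) < HEADER_LEN:
        return None
    field = payload[AFFILIATE_OFFSET:AFFILIATE_OFFSET + AFFILIATE_WIDTH]
    return struct.unpack("<I", field)[0]


def triage_flows(flows: Iterable[Flow]) -> List[Dict[str, object]]:
    """Return flows to port 443 whose first client payload is not a TLS
    ClientHello, annotated with the affiliate ID when the payload is header-sized."""
    hits = []
    for src, dst, dport, payload in flows:
        if dport != 443 or looks_like_tls_client_hello(payload):
            continue
        hits.append({"src": src, "dst": dst, "affiliate_id": extract_affiliate_id(payload)})
    return hits


def make_header(affiliate_id: int) -> bytes:
    """Constructed header-sized payload with the affiliate ID at offset 0xc."""
    hdr = bytearray(HEADER_LEN)
    hdr[AFFILIATE_OFFSET:AFFILIATE_OFFSET + AFFILIATE_WIDTH] = struct.pack("<I", affiliate_id)
    return bytes(hdr)


# Constructed sample flows (documentation-range addresses, not real captures).
SAMPLE_FLOWS: List[Flow] = [
    # TLS 1.0 record header (16 03 01, length 0x00d0) wrapping a ClientHello (01)
    ("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301 00d0 01") + b"\x00" * 0xCF),
    # 183-byte binary header on 443, affiliate ID 7
    ("10.0.0.7", "198.51.100.23", 443, make_header(7)),
    # a short non-TLS probe on 443: flagged, but no affiliate ID to read
    ("10.0.0.8", "198.51.100.24", 443, b"\x01\x02\x03\x04"),
    # plain HTTP on port 80: out of scope for this check
    ("10.0.0.9", "192.0.2.44", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in triage_flows(SAMPLE_FLOWS):
        print(hit)
```

The TLS check is deliberately loose (it accepts any 3.x record version) so that legitimate clients never trip it; the point is to surface traffic that cannot be TLS at all, which is exactly what a compressed-and-encrypted custom protocol on 443 looks like on the wire.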

“Thus it would seem that Danabot follows in a long line of malware from one particular group. This family began with ransomware, to which stealer functionality was added in Reveton.” concludes Proofpoint.

“The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot.”

Pierluigi Paganini

(Security Affairs – DanaBot, hacking)

The post New Danabot Banking Malware campaign now targets banks in the U.S. appeared first on Security Affairs.

Researchers associated the recently discovered NOKKI Malware to North Korean APT

Security experts from Palo Alto Networks have collected evidence that links the recently discovered NOKKI malware to North Korea-Linked APT.

Researchers from Palo Alto Networks have spotted a new variant of the KONNI malware, tracked as NOKKI, that they attribute to North Korea-linked attackers.

NOKKI borrows code from KONNI, a remote access Trojan (RAT) used in targeted attacks on organizations linked to North Korea, while NOKKI itself has been used against politically motivated targets in Eurasia and Southeast Asia.

KONNI went undetected for more than three years, evading detection through continuous evolution; recent versions are able to execute arbitrary code on the target systems and steal data.

The NOKKI variant has been in use since at least January 2018, experts attributed it to the Reaper group.

“Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’.” reads the analysis published by the Palo Alto Networks.

“The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks.”

NOKKI gathers a broad range of data from the infected system (IP address, hostname, username, drive information, operating system information, installed programs); it can also fetch and execute a payload, as well as drop and open decoy documents.

The malicious code writes the collected information to %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp (the misspelled folder name is the malware’s own).

In January, the researchers observed several NOKKI attacks targeting Cambodian speakers interested in Cambodian political matters, as well as Russian-speaking targets, using documents written in Cyrillic with content on local political issues.

A few days ago, researchers from Palo Alto Networks published another report that associated the NOKKI malware with the DOGCALL backdoor attributed to the Reaper group.

Analysis of the macros in the Microsoft Word decoy documents that drop NOKKI revealed a deobfuscation routine that was also used in documents targeting individuals interested in the 2018 World Cup in Russia, which delivered the DOGCALL malware.

“Based on the original filename, we can surmise this malware sample targeted individuals interested in the World Cup hosted in Russia in 2018. As we can see in the figure below, the unique deobfuscation routine used between the samples is identical, including the comments included by the author.” reads the report published by Palo Alto Networks.

“While the deobfuscation routine was identical, the actual functionality of the macro differed slightly. The NOKKI dropper samples downloaded both a payload and a decoy document, but this World Cup predictions malware sample downloads and executes a remote VBScript file wrapped in HTML and appends text to the original Word document to provide the lure for the victim.”

The VBScript file uses the same deobfuscation routine and fetches and executes a dropper tracked as Final1stspy, which in turn downloads a strain of the DOGCALL malware.

DOGCALL implements backdoor features: it can take screenshots, log keystrokes, enable the microphone, collect victim information and files of interest, and download and execute additional payloads.

The malware reaches its command and control (C&C) infrastructure through third-party hosting services such as Dropbox, pCloud, Yandex Cloud and Box.

“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI led us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group.” Palo Alto Networks concludes.

“Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy,” 

Pierluigi Paganini

(Security Affairs – NOKKI malware, North Korea)

The post Researchers associated the recently discovered NOKKI Malware to North Korean APT appeared first on Security Affairs.



Z-LAB Report – Analyzing the GandCrab v5 ransomware

Experts at the Cybaze Z-Lab have analyzed the latest iteration of the infamous GandCrab ransomware, version 5.0.

Malware researchers at Cybaze ZLab analyzed the latest version of the infamous GandCrab ransomware, version 5.0. Most infections have been observed in central Europe, and the experts found evidence that the malicious code deliberately avoids infecting Russian users. GandCrab operates like classic ransomware: it encrypts all user files and drops ransom notes on the infected machine.

The ransomware appends a pseudo-random five-character extension to the encrypted files; the extension differs for each infection (examples include .txvpq, .rttmc and .mcbot).

The ransom note contains information related to the infection: an ID (“fed0a66240f8743f” in the analyzed sample), a “GANDCRAB KEY” required to restore the original files, and encrypted information about the infected system such as the username, the PC name, the domain, the operating system and the language.
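An added triage example (not ZLab’s code) for the encryption pattern just described: because the five-letter extension is random per victim, no fixed indicator matches it, but every encrypted file on one machine shares the same unusual extension appended after the original one. The filenames, the minimum cluster size and the list of benign five-letter extensions below are constructed assumptions:

```python
"""Cluster files by an appended pseudo-random five-letter extension.

Added example, not ZLab code. Assumptions: the random extension is appended
after the original extension (as .txvpq, .rttmc, .mcbot imply), benign
five-letter extensions are listed in KNOWN_EXTS, and MIN_FILES is the
cluster size worth alerting on. Sample paths are constructed.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# original extension (1-6 alphanumerics) followed by a lowercase 5-letter suffix
SUSPECT = re.compile(r"\.(?P<orig>[A-Za-z0-9]{1,6})\.(?P<ext>[a-z]{5})$")

# Legitimate five-letter extensions the regex would otherwise flag (assumed list).
KNOWN_EXTS = {"class", "swift", "xhtml", "patch", "shtml", "ascii"}

MIN_FILES = 5  # assumed alert threshold


def suspicious_extension(path: str) -> Optional[str]:
    """Return the appended 5-letter extension if the file name matches the
    pattern and the extension is not a known benign one, else None."""
    name = path.rsplit("/", 1)[-1]
    m = SUSPECT.search(name)
    if not m or m.group("ext") in KNOWN_EXTS:
        return None
    return m.group("ext")


def find_extension_cluster(paths: Iterable[str],
                           min_files: int = MIN_FILES) -> Optional[Tuple[str, int]]:
    """Return (extension, count) for the most common suspicious extension if
    at least min_files files share it, otherwise None."""
    counts = Counter(e for e in map(suspicious_extension, paths) if e)
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= min_files else None


def files_with_extension(paths: Iterable[str], ext: str) -> List[str]:
    """List the paths carrying a given appended extension (to scope the response)."""
    return [p for p in paths if suspicious_extension(p) == ext]


# Constructed sample listing: five encrypted user files plus benign noise.
SAMPLE_PATHS = [
    "/home/alice/Documents/budget.xlsx.txvpq",
    "/home/alice/Documents/notes.docx.txvpq",
    "/home/alice/Pictures/holiday.jpg.txvpq",
    "/home/alice/Pictures/family.png.txvpq",
    "/home/alice/Music/track01.mp3.txvpq",
    "/home/alice/src/Main.class",
    "/home/alice/src/vendor.min.class",   # benign double extension, allowlisted
    "/home/alice/Downloads/setup.exe",
    "/home/alice/web/index.html",
]

if __name__ == "__main__":
    hit = find_extension_cluster(SAMPLE_PATHS)
    if hit:
        ext, n = hit
        print(f"possible ransomware activity: {n} files with .{ext}")
        for p in files_with_extension(SAMPLE_PATHS, ext):
            print("  ", p)
```

Requiring an inner extension before the random suffix is what keeps the false-positive rate down: a lone five-letter extension is common, a five-letter suffix glued onto `.docx` or `.jpg` across many files in one tree is not. The threshold should be tuned so that a single odd file never alerts but a burst across a user profile does.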

Unlike GandCrab v4, this version kills processes belonging to popular applications (e.g. Word, Excel, SQL Server) so that it can encrypt the files those applications hold open.

The payment process is implemented through the hidden service at the Tor address hxxp://gandcrabmfe6mnef[.]onion, the same one used by previous versions of the malware.

Technical details, including IoCs and Yara Rules, are reported in the analysis shared by researchers at the ZLab.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf

Pierluigi Paganini

(Security Affairs – ransomware, cybercrime)

The post Z-LAB Report – Analyzing the GandCrab v5 ransomware appeared first on Security Affairs.



Foxit Reader 9.3 addresses 118 Vulnerabilities, 18 of them rated as critical

Foxit Software released a security update for its Foxit Reader product that addresses over 100 vulnerabilities, 18 of them rated as critical.

Foxit Software released a security update for its Foxit Reader product that addresses over 100 vulnerabilities, some of them that could be exploited by a remote attacker to execute arbitrary code.

Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files, it has hundreds of millions of installations.

Foxit has released Reader 9.3 and Foxit PhantomPDF 9.3 to address security and stability issues.

Foxit Reader 9.3 addresses a broad range of vulnerabilities, including out-of-bounds access, use-after-free, information disclosure, type confusion and memory corruption bugs.

The updates fix a total of 116 vulnerabilities, 18 of which are rated “critical” and were reported by researchers at Cisco Talos.

The flaws affect the JavaScript engine of Foxit Reader; an attacker could trigger them by luring a victim into opening a specially crafted PDF document or visiting a specially crafted web page.

The updates were issued a couple of days before Adobe released security patches for 86 flaws in Mac and Windows version of Adobe Acrobat and Adobe Reader, 46 of them rated as critical.

Pierluigi Paganini

(Security Affairs – Reader, hacking)

The post Foxit Reader 9.3 addresses 118 Vulnerabilities, 18 of them rated as critical appeared first on Security Affairs.

The ‘Gazorp’ Azorult Builder emerged from the Dark Web

Check Point experts discovered on the Dark Web an online builder, dubbed Gazorp, that allows crooks to create customized binaries for the Azorult malware.

Security researchers from Check Point have discovered on the Dark Web an online builder, dubbed Gazorp, that allows crooks to easily create customized binaries for the Azorult info-stealing malware.

The Gazorp builder allows generating for free the malicious code to steal passwords, payment information, cryptocurrency wallet data and more.

“On 17th September Check Point Research found a new online builder, dubbed ‘Gazorp’, hosted on the Dark Web. Gazorp is designed for building binaries of the popular malware, Azorult, an infostealer used for stealing user passwords, credit card information, ” states Check Point.

“Furthermore, the Gazorp service is provided free of charge and gives threat actors the ability to create fresh Azorult samples and corresponding panel server code, leaving them simply to provide their Command & Control (C&C) address. This address gets embedded into the newly created binary, which in turn can be distributed in any way the threat actor sees fit.”

Check Point researchers took the platform for a test drive and found that Gazorp performs as advertised, generating working samples of Azorult version 3.0.

That version of the malware was first observed in the wild five months ago and has since been updated twice; the experts observed versions 3.1 and 3.2 in live attacks.

Azorult has been around since at least 2016. In July, malware researchers at Proofpoint spotted a new version of the AZORult stealer in the wild, used in a large email campaign on July 18, just 24 hours after it had been advertised on cybercrime forums on the Dark Web.

The experts also noted that Gazorp’s emergence on the Dark Web followed the leak of the source code of the Azorult panel (for versions 3.1 and 3.2).

The leaked code allows anyone to easily stand up their own Azorult C&C panel; the experts added that the leak also included a builder for the latest version of the malware. This builder is not the original one used by the authors: “it merely encoded and placed the C&C address string given to it as an argument by the user to a particular field in a ready-made binary.”

“It is possible then that the simple mechanism and the overall delivery of the recent versions to the public inspired Gazorp’s authors to introduce it online.” continues the analysis.
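An added example (not Gazorp or Azorult code) of how a stub-patching builder of the kind just described works, together with the config extractor an analyst would write against it. The page only says the leaked builder encoded the user-supplied C&C address and wrote it into a fixed field of a ready-made binary; the `C2CFG:` marker, the 64-byte field, the single-byte XOR encoding and the stub bytes below are hypothetical choices made to show the mechanism concretely:

```python
"""A stub-patching builder and its matching config extractor.

Added example, not Gazorp/Azorult code. Everything about the field format
(marker, size, XOR key) is hypothetical; the page only states that the leaked
builder encoded the user's C&C address into a fixed field of a ready-made binary.
"""
from typing import Optional

FIELD_MARKER = b"C2CFG:"   # hypothetical marker that precedes the config field
FIELD_SIZE = 64            # hypothetical fixed size of the field
XOR_KEY = 0x5A             # hypothetical single-byte key


def encode_c2(url: str) -> bytes:
    """NUL-pad the URL to FIELD_SIZE and XOR every byte (the 'encoding' step)."""
    raw = url.encode("ascii")
    if len(raw) >= FIELD_SIZE:
        raise ValueError("C&C address too long for the config field")
    padded = raw + b"\x00" * (FIELD_SIZE - len(raw))
    return bytes(b ^ XOR_KEY for b in padded)


def decode_c2(field: bytes) -> str:
    """Inverse of encode_c2: XOR back and strip the NUL padding."""
    plain = bytes(b ^ XOR_KEY for b in field)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def _field_start(blob: bytes) -> Optional[int]:
    """Offset of the first byte after the marker, or None if absent."""
    i = blob.find(FIELD_MARKER)
    return None if i < 0 else i + len(FIELD_MARKER)


def build(stub: bytes, c2_url: str) -> bytes:
    """What the builder does: overwrite the config field of the stub in place.
    The output has the same size as the stub; only FIELD_SIZE bytes change."""
    start = _field_start(stub)
    if start is None:
        raise ValueError("stub has no config field")
    return stub[:start] + encode_c2(c2_url) + stub[start + FIELD_SIZE:]


def extract_c2(sample: bytes) -> Optional[str]:
    """What the analyst does: locate the field and decode the C&C address."""
    start = _field_start(sample)
    if start is None:
        return None
    return decode_c2(sample[start:start + FIELD_SIZE])


# Constructed stub: fake code bytes around an empty, encoded config field.
STUB = b"MZ" + b"\x90" * 32 + FIELD_MARKER + encode_c2("") + b"\xcc" * 16

if __name__ == "__main__":
    # 198.51.100.0/24 is a documentation range, not a real C&C host.
    sample = build(STUB, "http://198.51.100.77/gate.php")
    print(extract_c2(sample))  # http://198.51.100.77/gate.php
```

Because the builder touches only those 64 bytes, every sample from the same stub differs only in that field: hashing the file with the field zeroed, or a YARA rule on the stub bytes, groups builder output regardless of the C&C address, and a long run of one constant byte (NUL padding XORed with a fixed key) is the kind of tell an analyst looks for when hunting the field in the first place.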

The online builder links to a Telegram channel used by the authors to update users on their activity and to share updates on the project.

The Gazorp authors plan to extend the service with a “modules” section, the ability to configure the panel, and the export of the various databases to a file.

Experts expect a surge in campaigns leveraging Azorult binaries generated with the Gazorp builder.

“For now, it seems we are looking at a very early version of the Gazorp service (0.1), where the main product delivered is an enhanced Azorult C&C panel code. However, we do expect the project to evolve with time, and possibly produce new variants for Azorult.” concludes Check Point.

“Given that the service is free, it is also possible that new campaigns with Gazorp built binaries will start to emerge in higher scale in the wild. We will keep monitoring this threat and provide any insights on our research blog when such will come up.”

Pierluigi Paganini

(Security Affairs – Gazorp builder, malware)

The post The ‘Gazorp’ Azorult Builder emerged from the Dark Web appeared first on Security Affairs.



Adobe security updates for Acrobat fix 86 Vulnerabilities, 46 rated as critical

Adobe has released security updates to fix 86 vulnerabilities in Mac and Windows version of Adobe Acrobat and Adobe Reader, 46 of them rated as critical.

Adobe has released security updates to address 86 vulnerabilities affecting the macOS and Windows versions of Adobe Acrobat and Adobe Reader. The updates fix 47 vulnerabilities classified as ‘critical’ and 39 flaws classified as ‘important’.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Of the 47 critical vulnerabilities, 46 could be exploited by attackers to execute arbitrary code on vulnerable systems; the remaining one is a privilege escalation bug. All 39 flaws classified as ‘important’ are information disclosure issues.

Users can update their installations manually by choosing Help > Check for Updates; the full Acrobat Reader installer can also be downloaded from the Acrobat Reader Download Center.

Adobe Acrobat and Adobe Reader users should install the latest versions as soon as possible: Acrobat DC and Acrobat Reader DC (Continuous track) version 2019.008.20071, Acrobat 2017 and Acrobat Reader DC 2017 (Classic 2017 track) version 2017.011.30105, and Acrobat DC 2015 and Acrobat Reader DC 2015 (Classic 2015 track) version 2015.006.30456.
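Across a fleet, “install the latest version” becomes a version comparison per release track, and the comparison has to be numeric: the build numbers are not zero-padded to equal width. The block below is an added example, not Adobe’s tooling. The three minimum versions are the ones quoted above; the rule used to tell the tracks apart is an assumption (Classic 2017 builds are 2017.011.x, Classic 2015 builds are 2015.006.x, anything else is the Continuous track), and the inventory rows are constructed sample data.

```python
"""Check Acrobat/Reader versions against the builds that carry this update.

Added example, not Adobe's tooling. Minimum versions are the ones quoted in
the article; the track-detection rule is an assumption; INVENTORY is constructed.
"""

FIXED = {
    "continuous": (2019, 8, 20071),    # Acrobat DC / Acrobat Reader DC
    "classic2017": (2017, 11, 30105),  # Acrobat 2017 / Acrobat Reader DC 2017
    "classic2015": (2015, 6, 30456),   # Acrobat DC 2015 / Acrobat Reader DC 2015
}


def parse_version(text):
    """'2019.008.20071' -> (2019, 8, 20071).

    Integers, not strings: comparing '2015.006.30456' with '2015.006.3046'
    lexically would give the wrong answer."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {text!r}")
    return tuple(int(p) for p in parts)


def track_of(version):
    """Assumed mapping from version prefix to Adobe release track."""
    year, minor, _ = version
    if (year, minor) == (2017, 11):
        return "classic2017"
    if (year, minor) == (2015, 6):
        return "classic2015"
    return "continuous"


def is_patched(text):
    version = parse_version(text)
    return version >= FIXED[track_of(version)]


def audit(inventory):
    """inventory: iterable of (host, product, version).

    Returns the hosts that still need the update; entries that cannot be parsed
    are reported rather than silently skipped, since an unknown version is not
    evidence of a patched one."""
    pending = []
    for host, product, version in inventory:
        try:
            if not is_patched(version):
                pending.append((host, product, version, track_of(parse_version(version))))
        except ValueError as exc:
            pending.append((host, product, version, f"error: {exc}"))
    return pending


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("ws-01", "Acrobat Reader DC", "2019.008.20071"),
    ("ws-02", "Acrobat Reader DC", "2018.011.20063"),
    ("ws-03", "Acrobat 2017", "2017.011.30102"),
    ("ws-04", "Acrobat Reader DC 2015", "2015.006.30456"),
    ("ws-05", "Acrobat Reader DC", "19.8"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row)
```

The track rule is the part to verify locally (Help > About shows the track name); the comparison itself only needs the three version strings from the advisory.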

The security advisory includes the full list of patched vulnerabilities and the organizations or researchers that reported them.

Pierluigi Paganini

(Security Affairs – Adobe security updates, arbitrary execution vulnerability)

The post Adobe security updates for Acrobat fix 86 Vulnerabilities, 46 rated as critical appeared first on Security Affairs.

FCA fines Tesco Bank £16.4m over 2016 cyber attack

Tesco Bank agreed to pay £16.4m as part of a settlement with the Financial Conduct Authority following the 2016 security breach.

The Financial Conduct Authority (FCA) has fined Tesco Bank £16.4m over the vulnerabilities in its systems that hackers exploited in 2016 to steal millions of pounds from customers’ online accounts.

In November 2016, Tesco Bank halted all online transactions after a cyber heist that affected thousands of its customers, and an investigation was opened.

The measure was announced by chief executive Benny Higgins; at the time the bank admitted that 40,000 of its 136,000 current account customers had their accounts hacked, and that half of them had lost money.

According to the bank, hackers stole £2.26m from 9,000 customer accounts over roughly 48 hours. Most of the transactions were made in Brazil and went through under the bank’s rules for magnetic stripe transactions.


The bank was fined because it was not able to demonstrate “due skill, care and diligence” in protecting customers’ accounts from cyber attacks.

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, the executive director of enforcement and market oversight at the FCA.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”

“The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack.”

Tesco Bank had been alerted by Visa a year before the cyber attack, but failed to apply the necessary countermeasures.

According to the FCA, Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:

  • Design and distribute its debit card.
  • Configure specific authentication and fraud detection rules.
  • Take appropriate action to prevent the foreseeable risk of fraud.
  • Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency. 

According to the FCA, hackers used an algorithm to generate valid debit card numbers that were involved in fraudulent transactions.
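Two of the FCA’s findings translate directly into code: why “valid” card numbers can be generated at all, and what a fraud rule that catches the resulting traffic looks like. The block below is an added example, not Tesco Bank’s or the FCA’s. The page does not name the attackers’ algorithm; the Luhn mod-10 check digit used here is the industry-standard PAN checksum, and `enumerate_pans` only shows that passing it requires no secret. The authorisation rule is one reading of the “specific authentication and fraud detection rules” the FCA says were missing, and the authorisation records it runs over are constructed.

```python
"""Luhn check digit and an issuer-side authorisation rule.

Added example, not Tesco Bank's or the FCA's code. CARDS and AUTHS are
constructed; the IIN 400000 is a made-up prefix, not a real card range.
"""


def luhn_check_digit(partial_pan):
    """Check digit for a PAN that is missing its last digit (Luhn mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(partial_pan)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan):
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def enumerate_pans(iin, start, count, length=16):
    """Consecutive Luhn-valid PANs under one issuer prefix: IIN + counter + check digit.

    Nothing here is secret, which is why a PAN must never be treated as one."""
    body_len = length - len(iin) - 1
    pans = []
    for n in range(start, start + count):
        body = f"{n:0{body_len}d}"
        pans.append(iin + body + str(luhn_check_digit(iin + body)))
    return pans


def evaluate(auths, allowed_magstripe_countries, burst_threshold=3, window=60):
    """Authorisation rule over a stream of requests, processed in time order.

    Rule 1: decline a magnetic-stripe read from a country where the issuer has
            not enabled magstripe acceptance.
    Rule 2: decline once `burst_threshold` distinct cards have been tried from
            the same merchant country inside `window` seconds, whatever the
            entry mode. Declined attempts count: the enumeration is the signal.
    Returns (pan, decision) pairs.
    """
    seen = []          # (ts, country, pan) of every attempt processed so far
    decisions = []
    for a in sorted(auths, key=lambda x: x["ts"]):
        seen.append((a["ts"], a["country"], a["pan"]))
        if a["entry"] == "magstripe" and a["country"] not in allowed_magstripe_countries:
            decisions.append((a["pan"], "decline:magstripe-not-enabled"))
            continue
        recent_cards = {pan for ts, country, pan in seen
                        if country == a["country"] and a["ts"] - ts <= window}
        if len(recent_cards) >= burst_threshold:
            decisions.append((a["pan"], "decline:card-burst"))
            continue
        decisions.append((a["pan"], "approve"))
    return decisions


# Constructed: five sequential PANs and the authorisation requests seen for them.
CARDS = enumerate_pans("400000", 1000, 5)
AUTHS = [
    {"pan": CARDS[0], "ts": 0,  "country": "GB", "entry": "chip",      "amount": 20.00},
    {"pan": CARDS[1], "ts": 10, "country": "BR", "entry": "magstripe", "amount": 150.00},
    {"pan": CARDS[2], "ts": 12, "country": "BR", "entry": "magstripe", "amount": 150.00},
    {"pan": CARDS[3], "ts": 15, "country": "BR", "entry": "magstripe", "amount": 150.00},
    {"pan": CARDS[4], "ts": 18, "country": "BR", "entry": "chip",      "amount": 90.00},
]

if __name__ == "__main__":
    for pan, decision in evaluate(AUTHS, allowed_magstripe_countries={"GB"}):
        print(pan, decision)
```

The last constructed request is a chip transaction from Brazil that passes rule 1 and is still declined by rule 2, because four different cards were tried from the same country inside a minute: the velocity rule is what catches an enumeration attack once the attacker switches entry mode.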

Tesco Bank provided all necessary support to the FCA and fully compensated customers; it was also able to halt a significant percentage of the unauthorised transactions.

The FCA praised the bank’s post-incident efforts to limit its customers’ exposure and granted it 30% credit for mitigation. Tesco Bank also agreed to an early settlement, which qualified it for a 30% (Stage 1) discount under the FCA’s executive settlement procedure.

“Tesco Bank provided a high level of cooperation to the FCA. Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation.” continues the FCA.

“In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”

Pierluigi Paganini

(Security Affairs – Tesco cyber heist,  cybercrime)

The post FCA fines Tesco Bank £16.4m over 2016 cyber attack appeared first on Security Affairs.

GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers

Security experts from Qihoo 360 NetLab spotted GhostDNS, a malware that already infected over 100K+ devices and targets 70+ different types of routers

Security experts from Qihoo 360 NetLab have uncovered an ongoing hacking campaign that leverages the GhostDNS malware. Attackers have already hijacked over 100,000 home routers; the malicious code modifies the routers’ DNS settings to hijack traffic and redirect users to phishing websites.

Between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

GhostDNS is reminiscent of the infamous DNSChanger malware, which made the headlines for its ability to change the DNS settings of infected devices.

GhostDNS scans for the IP addresses of routers protected by weak or no passwords, logs into them, and changes their DNS settings to point at a rogue DNS server operated by the attackers.

“Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server[3] through the corresponding DNS configuration interface.” reads the analysis published by the experts.

“But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.”

GhostDNS

The GhostDNS has a modular structure composed of four components:

1) DNSChanger Module: The main module, designed to exploit targeted routers. It has three sub-modules, dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger.

1.) Shell DNSChanger is written in shell script and combines 25 scripts that allow the malware to carry out brute-force attacks on routers or firmware packages from 21 different manufacturers.
2.) Js DNSChanger is written in JavaScript and includes 10 attack scripts designed to infect 6 routers or firmware packages. It includes scanners, payload generators, and attack programs. The Js DNSChanger program is usually injected into phishing websites, so it works together with the Phishing Web System.
3.) PyPhp DNSChanger is written in Python and PHP and contains 69 attack scripts designed to target 47 different routers/firmware. The component has been found deployed on over 100 servers, most of them on Google Cloud, and includes a Web API, a scanner and an attack module. Experts believe this sub-module is the core of DNSChanger, the one that lets attackers scan the Internet for vulnerable routers.

2) Web Admin module: Experts believe it implements an admin panel for attackers secured with a login page.

3) Rogue DNS module: The module resolves the targeted domain names to the attacker-controlled web servers. At the time of the investigation the experts had no access to the Rogue DNS server, so it was not possible to know the exact number of DNS entries used to hijack legitimate domains.

4) Phishing Web module:  The module implements phishing pages for the domains targeted in this campaign.

Attackers appear to be focused on Brazil, where they mainly targeted major banks.

“Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in brazil , even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials,” continues the researchers.

Experts warn of the threat GhostDNS poses to Internet users due to its scalability and the availability of multiple attack vectors.
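A defender’s check for this kind of hijack, added here as an example (it is not code from the NetLab analysis or from the GhostDNS toolkit): read the resolvers off the router’s DNS settings page and compare them with the resolvers the network should be using, then compare answers obtained through the router with answers from a trusted resolver queried directly. The addresses below are constructed from documentation ranges; none of them are GhostDNS indicators.

```python
"""Detection check for a DNSChanger-style router hijack.

Added example, not code from NetLab's report or from GhostDNS. All addresses
are constructed from documentation ranges and are not indicators of compromise.
"""
from collections import defaultdict

# Constructed: resolvers read from the router's WAN/DNS settings page.
ROUTER_DNS = ["198.51.100.23", "8.8.8.8"]

# Constructed: resolvers the ISP or organisation expects the router to use.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed: A records as returned through the router's resolver ...
LOCAL_ANSWERS = {
    "bank-a.example": "203.0.113.7",
    "bank-b.example": "203.0.113.7",
    "streaming.example": "203.0.113.7",
    "news.example": "192.0.2.50",
}
# ... and as returned by a trusted resolver queried directly.
REFERENCE_ANSWERS = {
    "bank-a.example": "192.0.2.10",
    "bank-b.example": "192.0.2.11",
    "streaming.example": "192.0.2.12",
    "news.example": "192.0.2.50",
}


def rogue_resolvers(configured, trusted):
    """Configured resolvers that are not on the expected list."""
    return [ip for ip in configured if ip not in trusted]


def mismatched_answers(local, reference):
    """Names whose answer through the router differs from the trusted answer."""
    return {
        name: (local[name], reference[name])
        for name in reference
        if name in local and local[name] != reference[name]
    }


def sinkhole_candidates(mismatches, min_domains=2):
    """Group mismatches by the address the router pointed to.

    Several unrelated names resolving to one host is the signature of a
    phishing landing server, and it is what separates a hijack from ordinary
    CDN or geo-steering differences between two resolvers."""
    by_ip = defaultdict(list)
    for name, (local_ip, _) in mismatches.items():
        by_ip[local_ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_domains}


def assess(configured, trusted, local, reference):
    rogue = rogue_resolvers(configured, trusted)
    mismatches = mismatched_answers(local, reference)
    sinkholes = sinkhole_candidates(mismatches)
    if rogue and sinkholes:
        verdict = "hijacked"
    elif rogue or mismatches:
        verdict = "suspicious"   # unknown resolver, or differences that may be CDN steering
    else:
        verdict = "clean"
    return {"rogue_resolvers": rogue, "mismatches": mismatches,
            "sinkholes": sinkholes, "verdict": verdict}


if __name__ == "__main__":
    from pprint import pprint
    pprint(assess(ROUTER_DNS, TRUSTED_RESOLVERS, LOCAL_ANSWERS, REFERENCE_ANSWERS))
```

Run the two lookups from the same vantage point, since geographically distributed sites legitimately return different addresses to different resolvers; a single answer shared by a bank, a streaming service and a second bank is not a CDN effect.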

Further details, including IoCs are reported in the analysis published by Qihoo 360 NetLab.

Pierluigi Paganini

(Security Affairs – GhostDNS, IoT)

The post GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers appeared first on Security Affairs.

Cyber Defense Magazine – October 2018 has arrived. Enjoy it!

Cyber Defense Magazine October 2018 Edition has arrived.

Sponsored by: Bosch

We hope you enjoy this month’s edition…packed with 100+ pages of excellent content. InfoSec Knowledge is Power. We have 6 years of eMagazines online with timeless content. Visit our online library by clicking here. Please tell your friends to subscribe – no strings, always free emagazines:


Our Global Awards are annually given out at the IPEXPO EUROPE Conference as a global event in Europe every year, Q4.  GLOBAL 2018 Awards – CLOSED!  Winners will be announced in just a few days and our Global Print Edition will be out on the 3rd of October and we’ll release an electronic edition as well…

Our InfoSec awards are annually given out at the RSA Conference in the United States every year, Q1.  USA 2019 Awards – OPENING SOON!

MAGAZINES        TV        AWARDS  with our upcoming platform coming soon….

Sincerely,
TEAM CDM
Cyber Defense Magazine

We are all things Cyber Defense.  Thank you to our amazing readership!

Don’t forget to visit www.cyberdefense.tv – watch, learn & grow.

Pierluigi Paganini

(Security Affairs – hacking, Cyber Defense Magazine)

The post Cyber Defense Magazine – October 2018 has arrived. Enjoy it! appeared first on Security Affairs.

Attackers chained three bugs to breach into the Facebook platform

Facebook has revealed additional details about the cyber attack that exposed personal information of 50 million accounts.

Last week, Facebook announced that attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users.

The “View As” feature allows users to see how others see their profile; it was implemented under the privacy settings to help users check that only the intended data is visible on their public profile.

Facebook noticed a traffic spike on September 16 but only determined that it was under attack on September 25, when it also discovered how the attackers had breached the platform. The incident was disclosed on September 27.

Facebook disabled the “View As” feature in response to the incident and reset the access tokens of the 50 million impacted accounts; as a precautionary measure, it also reset the tokens of another 40 million accounts.

Attackers also accessed data of the Facebook founder Mark Zuckerberg and the COO Sheryl Sandberg. Facebook is notifying users whose tokens have been compromised.

According to Facebook, the vulnerability is the result of chaining three flaws affecting the “View As” feature and Facebook’s video uploader.

The company clarified that the version of the video uploader interface affected by the vulnerability was introduced in July 2017.

  1. The “View As” feature displays the profile through a read-only interface, but the platform failed to remove the text box that lets people wish a friend happy birthday (the first bug). The experts found that it was possible to post a video through this field.
  2. The second bug is that when a video was posted through that text box, the video uploader generated an access token carrying the permissions of the Facebook mobile app.
  3. The third bug is that the token was generated not for the user who was using “View As” but for the person being looked up, so attackers could extract the token from the page’s HTML and use it to take over the targeted user’s account.

It is worth noting that an attacker would first take over one account through this chain and then pivot from it to the accounts connected to it.

“It was the combination of these three bugs that became a vulnerability: when using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user,” explained Guy Rosen, VP of Product Management.

“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.” added Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.
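Modelled in code, the three numbered bugs above reduce to two properties the token-minting path must enforce: a preview of your own profile is read-only and mints nothing, and any token that is minted is bound to the authenticated caller with only the scope the operation needs. The block below is an added example and not Facebook’s code; `Session`, `render_profile` and `mint_upload_token` are hypothetical names standing in for the real components, and the token store is a dictionary.

```python
"""Model of the three-bug chain behind the Facebook token leak, with the fix.

Added example, not Facebook's code. Session, render_profile_*, mint_upload_token_*
and ISSUED are hypothetical stand-ins for the real components.
"""
from dataclasses import dataclass
from typing import Optional
import secrets

ISSUED = {}  # token -> (subject user id, scopes); stands in for the token store


@dataclass
class Session:
    user_id: str                     # the authenticated caller
    view_as: Optional[str] = None    # set while previewing own profile "as" this friend


def render_profile_vulnerable(session):
    # Bug 1: the "wish happy birthday" composer is still rendered inside the
    # preview, which is supposed to be read-only.
    return {"owner": session.user_id,
            "viewer": session.view_as or session.user_id,
            "composer": True}


def mint_upload_token_vulnerable(session):
    # Bug 2: posting a video through the composer mints a token with the scopes
    # of the mobile app, far more than a one-off upload needs.
    # Bug 3: the token's subject is the person being looked up, not the caller.
    subject = session.view_as or session.user_id
    token = secrets.token_hex(16)
    ISSUED[token] = (subject, frozenset({"mobile_app"}))
    return token


def render_profile_fixed(session):
    # A preview is read-only: no composer, so nothing on the page can mint a token.
    return {"owner": session.user_id,
            "viewer": session.view_as or session.user_id,
            "composer": session.view_as is None}


def mint_upload_token_fixed(session):
    # Refuse to mint inside a preview, bind the token to the caller, and limit
    # it to the one capability the upload needs.
    if session.view_as is not None:
        raise PermissionError("no token issuance inside a read-only preview")
    token = secrets.token_hex(16)
    ISSUED[token] = (session.user_id, frozenset({"video_upload"}))
    return token


def whoami(token):
    """Who a token acts as: what an attacker learns by pulling it out of the page HTML."""
    return ISSUED[token][0]


def chain(attacker, victim, render, mint):
    """Run the attacker's steps against a (render, mint) pair.

    Returns the user the obtained token acts as, or None if the chain is broken."""
    session = Session(user_id=attacker, view_as=victim)
    page = render(session)
    if not page["composer"]:
        return None                   # bug 1 closed: nothing to post into
    try:
        token = mint(session)         # the video post in the composer
    except PermissionError:
        return None                   # bugs 2/3 closed: no token for the preview
    return whoami(token)


if __name__ == "__main__":
    print(chain("attacker", "victim", render_profile_vulnerable, mint_upload_token_vulnerable))
    print(chain("attacker", "victim", render_profile_fixed, mint_upload_token_fixed))
```

The pivot described in the quotes falls out of the model: a token whose subject is `victim` lets the attacker run `chain` again as `victim` against each of the victim’s friends. Fixing only bug 1 (removing the composer) breaks the chain as demonstrated, but the minting fix is the one that holds if another way to reach the uploader from a preview turns up, which is why both checks belong in the token path.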

According to Facebook, the attackers queried the APIs to access profile information, but no private information (private messages or credit card data) seems to have been accessed.

Another aspect that was initially underestimated is that the exposed tokens could also be used to access third-party apps that rely on Facebook Login. The token reset mitigated this risk as well.

Experts also warn that users who have linked Facebook to an Instagram account will need to unlink and re-link their accounts due to the reset of the tokens.

Based on the info shared by Facebook, the attack was probably carried out by advanced attackers.

In the coming weeks we will have a clearer picture of the impact of the hack on the company, which could face a fine of up to $1.63 billion under the EU GDPR.

Rumors of a class action lawsuit are circulating online.

Pierluigi Paganini

(Security Affairs – Facebook hack, hacking)

The post Attackers chained three bugs to breach into the Facebook platform appeared first on Security Affairs.

Expert demonstrated how to access contacts and photos from a locked iPhone XS

Expert discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited to access photos, contacts on a locked iPhone XS .

The Apple enthusiast and “office clerk” Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS 12 that could be exploited by an attacker with physical access to the device to access photos and contacts on a locked iPhone XS and other devices.

The hack works on the iOS 12 release and on the latest iOS 12 beta, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).

The passcode bypass vulnerability affects a number of other iPhone models including the latest model iPhone XS.

An attacker can access the images stored on the device by editing a contact and changing the image associated with that caller.

Apple had already addressed an earlier issue that allowed images to be viewed via contacts, but Rodriguez devised a new method to circumvent the mitigations Apple implemented.

The attack abuses VoiceOver, the iPhone’s screen-reader accessibility feature, which is enabled through Siri; for this reason the target device needs to have Siri enabled and Face ID either turned off or physically covered.

A step by step guide for the Rodriguez’s attack was published by the website Gadget Hacks.

iPhone passcode bypass issues are not uncommon: in September 2015, Jose Rodriguez discovered that the iOS 9.0.1 update failed to address a lock screen bypass vulnerability.

In November 2017, experts discovered a flaw in iOS 8 and newer versions of the Apple OS that allowed bypassing the iPhone Passcode protection, even when Touch ID was properly configured, and access photos and messages stored on the device.

Pierluigi Paganini

(Security Affairs – iPhone XS, hacking)

The post Expert demonstrated how to access contacts and photos from a locked iPhone XS appeared first on Security Affairs.

Telegram CVE-2018-17780 flaw causes the leak of IP addresses when initiating calls

CVE-2018-17780 – Security researcher Dhiraj Mishra discovered that Telegram default configuration would expose a user’s IP address when making a call.

Strangely, tdesktop 1.3.14 and Telegram for Windows (3.3.0.0, WP8.1) leak the end user’s private and public IP addresses while making calls.

Telegram is supposedly a secure messaging application, but by default it makes clients use a P2P connection when initiating a call; this setting can be changed from “Settings > Privacy and security > Calls > peer-to-peer” to the other available options.

tdesktop and Telegram for Windows break this trust by leaking the end user’s public/private IP address, and at the time no option was available in those clients to set “P2P > Nobody”.

PS: Telegram for Android will also leak your IP address if you have not set “Settings > Privacy and security > Calls > peer-to-peer > Nobody” (but the peer-to-peer setting for calls already exists in Telegram for Android).

To view this in action in tdesktop:

1. Open tdesktop.
2. Initiate a call to anyone.
3. You will notice that the end user’s IP address is leaking.

Other scenario:
1. Open tdesktop on Ubuntu and log in as user A.
2. Open Telegram on Windows Phone and log in as user B.
3. Let user B initiate the call to user A.
4. User A’s access log will then contain the public/private IP address of user B.

Not only does the MTProto Mobile Protocol fail here to hide the IP address, but such information can also be used for OSINT. This issue was fixed in 1.3.17 beta and v1.4.0, which add an option to set P2P to “Nobody” or “My contacts”. CVE-2018-17780 was later assigned to this vulnerability.
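To confirm the setting does what it should, one check a practitioner can run on a Linux desktop is to list the UDP sockets the client holds during a call and classify the peers: with peer-to-peer set to “Nobody”, every peer should be a Telegram relay, and any other peer is the other party’s address (and yours, to them). The block below is an added example, not Telegram’s code. The `ss -unp` lines are constructed, and `RELAY_RANGES` is a placeholder, not Telegram’s real address space; substitute the ranges your client is expected to use.

```python
"""Audit the UDP peers a Telegram desktop client talks to during a call.

Added example, not Telegram's code. SS_OUTPUT is constructed `ss -unp` output
using documentation addresses; RELAY_RANGES is a placeholder allowlist.
"""
import ipaddress
import re

# Constructed `ss -unp` output captured during a call.
SS_OUTPUT = """\
ESTAB 0 0 192.168.1.10:53462 203.0.113.5:1500 users:(("Telegram",pid=2231,fd=41))
ESTAB 0 0 192.168.1.10:53463 198.51.100.77:38211 users:(("Telegram",pid=2231,fd=42))
ESTAB 0 0 192.168.1.10:53464 192.168.1.23:39001 users:(("Telegram",pid=2231,fd=43))
ESTAB 0 0 192.168.1.10:41000 198.51.100.9:443 users:(("firefox",pid=1802,fd=11))
"""

# Placeholder relay allowlist (assumption; replace with the real relay ranges).
RELAY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 plus the CGNAT range: a peer here is a host on a LAN, i.e. a direct call.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# State Recv-Q Send-Q Local Peer users:(("proc",pid=...,fd=...))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)"')


def parse_ss(text):
    """Rows of (process, peer address, peer port) from `ss -unp` output."""
    rows = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue                                   # header or unparseable line
        host, _, port = m.group("peer").rpartition(":")
        rows.append({"proc": m.group("proc"),
                     "peer": ipaddress.ip_address(host.strip("[]")),
                     "port": int(port)})
    return rows


def classify(peer, relays):
    if any(peer in net for net in relays):
        return "relay"
    if any(peer in net for net in LAN_RANGES):
        return "direct-private"          # the other party is on the same LAN
    return "direct-public"               # the other party's public address


def audit(text, relays, process="Telegram"):
    """Peers held by `process`, each labelled, plus whether any call is direct."""
    peers = [{"peer": str(r["peer"]), "port": r["port"], "kind": classify(r["peer"], relays)}
             for r in parse_ss(text) if r["proc"] == process]
    return {"peers": peers, "p2p_in_use": any(p["kind"] != "relay" for p in peers)}


if __name__ == "__main__":
    print(audit(SS_OUTPUT, RELAY_RANGES))
```

On a live system, `ss -unp` needs the socket owner’s privileges to show process names; the relay allowlist is the one input the example cannot supply for you.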


This bug was awarded €2000 by Telegram security team. (Sweeet..)

About the Author: Security Researcher Dhiraj Mishra

Original post at https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html

Pierluigi Paganini

(Security Affairs – Telegram CVE-2018-17780 flaw, data leak)

The post Telegram CVE-2018-17780 flaw causes the leak of IP addresses when initiating calls appeared first on Security Affairs.

Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company

Estonia sues Gemalto for 152 million euros over the security flaws in the citizen ID cards issued by the company, which led to their recall in 2017.

Estonian authorities are suing the security firm Gemalto for 152 million euros over the security flaws in the citizen ID cards issued by the company, which led to the cards’ recall in 2017.

“Estonian police are seeking to recover 152 million euros ($178 mln) in a lawsuit filed on Thursday against digital security firm Gemalto, following a recall last year when security flaws were found in citizen ID cards produced by the firm.” reported Reuters.

“The vulnerabilities to hacker attacks found in government- issued ID cards supplied by the Franco-Dutch company marked an embarrassing setback for Estonia, which has billed itself as the world’s most digitalised “e-government”.”

In November 2017, Estonia announced that it would suspend the digital certificates of up to 760,000 state-issued electronic ID cards that used the buggy chips, to mitigate the risk of identity theft.

The decision followed the discovery by IT security researchers of a vulnerability in the chips used in the cards manufactured by the Gemalto-owned company Trub AG, which left the cards open to attack.


At the time, Estonia had issued 1.3 million electronic ID cards offering citizens online access to a huge number of services through the “e-government” state portal. The Estonian electronic ID cards have been manufactured by the Swiss company Trub AG and its successor Gemalto AG since 2001.

According to Estonia’s Police and Border Guard Board (PPA), Gemalto failed to keep the cards’ private keys protected inside the card chip, leaving the government IDs vulnerable to cyber attack.

“It turned out that our partner had violated this principle for years, and we see this as a very serious breach of contract,” said PPA’s deputy director-general Krista Aas.

Estonia, which had used Gemalto and its predecessor for its ID cards since 2002, has replaced the manufacturer with Idemia.

“The PPA also said it planned to file separate claims for other breaches of the contract. Estonia had used Gemalto and its predecessor for its ID cards since 2002, but replaced the manufacturer with Idemia after it found serious security flaws last year,” continues Reuters.

Gemalto has not yet commented on the news.

Pierluigi Paganini

(Security Affairs – electronic ID-cards, Estonia)

The post Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company appeared first on Security Affairs.


Security Affairs newsletter Round 182 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Hackers target Port of Barcelona, maritime operations were not affected
·      New Virobot malware combines ransomware and botnet capabilities
·      A bug in Twitter Account Activity API exposed users messages to wrong developers
·      Critical flaw affects Cisco Video Surveillance Manager
·      Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems
·      Firefox DoS issue crashes the browser and sometimes the Windows OS
·      Akamai Report: Credential stuffing attacks are a growing threat
·      Bitcoin Core Team fixes a critical DDoS flaw in wallet software
·      SHEIN Data breach affected 6.42 million users
·      White hat hacker found a macOS Mojave privacy bypass 0-day flaw on release day
·      Crooks leverage Kodi Media Player add-ons for malware distribution
·      Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak
·      Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled
·      0patch community released micro patches for Microsoft JET Database Zero-Day
·      Mutagen Astronomy Linux Kernel vulnerability affects Red Hat, CentOS, and Debian distros
·      Pangu hackers are back, they achieved the iOS 12 Jailbreak
·      Russian Sednit APT used the first UEFI rootkit ever seen in attacks in the wild
·      Talos experts published technical details for other seven VPNFilter modules
·      Uber agrees to pay $148 million in massive 2016 data breach settlement
·      CVE-2018-17182 - Google Project Zero reports a new Linux Kernel flaw
·      Facebook hacked – 50 Million Users Data exposed in the security breach
·      Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona